[8/9] samba: update to 4.13.0

Message ID 20201005201711.4259-8-arne_f@ipfire.org
State Accepted
Headers show
Series [1/9] samba.cgi: remove unsupported security = share | expand

Commit Message

Arne Fitzenreiter Oct. 5, 2020, 8:17 p.m. UTC
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---
 config/rootfiles/packages/aarch64/samba       |  820 ++
 config/rootfiles/packages/armv5tel/samba      |  820 ++
 config/rootfiles/packages/i586/samba          |  820 ++
 config/rootfiles/packages/samba               |  229 -
 config/rootfiles/packages/x86_64/samba        |  820 ++
 lfs/samba                                     |  115 +-
 .../samba/CVE-2015-5252-v3-6-bso11395.patch   |   44 -
 .../samba/CVE-2015-5296-v3-6-bso11536.patch   |  113 -
 .../samba/CVE-2015-5299-v3-6-bso11529.patch   |   98 -
 .../samba/CVE-2015-5330-v3-6-bso11599.patch   |  214 -
 src/patches/samba/CVE-2015-5370-v3-6.patch    | 3080 --------
 src/patches/samba/CVE-2015-7560-v3-6.patch    |  341 -
 src/patches/samba/CVE-2016-2110-v3-6.patch    |  670 --
 src/patches/samba/CVE-2016-2111-v3-6.patch    | 1058 ---
 src/patches/samba/CVE-2016-2112-v3-6.patch    |  184 -
 src/patches/samba/CVE-2016-2115-v3-6.patch    |  359 -
 src/patches/samba/CVE-2016-2118-v3-6.patch    |  629 --
 src/patches/samba/CVE-2016-2125-v3.6.patch    |   46 -
 src/patches/samba/CVE-2016-2126-v3.6.patch    |   80 -
 src/patches/samba/CVE-2017-12150-v3-6.patch   |  102 -
 src/patches/samba/CVE-2017-12163.patch        |  141 -
 src/patches/samba/CVE-2017-15275.patch        |   45 -
 src/patches/samba/CVE-2017-2619.patch         | 1328 ----
 src/patches/samba/CVE-2017-7494-v3-6.patch    |   32 -
 src/patches/samba/CVE-preparation-v3-6.patch  | 6976 -----------------
 src/patches/samba/doc-update.patch            | 2538 ------
 .../samba/samba-3.2.0pre1-grouppwd.patch      |   13 -
 .../samba/samba-3.2.0pre1-pipedir.patch       |   13 -
 src/patches/samba/samba-3.2.5-inotify.patch   |   49 -
 src/patches/samba/samba-3.5.11-docs.patch     |   70 -
 .../samba/samba-3.5.11-idmapdebug.patch       |   26 -
 .../samba/samba-3.5.11-nss_info_doc.patch     |   75 -
 .../samba/samba-3.5.11-wbinfo_manpage.patch   |   65 -
 src/patches/samba/samba-3.5.12-dns.patch      |   27 -
 .../samba/samba-3.5.12-pam_radio_type.patch   |   31 -
 ...mba-3.6.18-fix_net_ads_join_segfault.patch |   40 -
 .../samba/samba-3.6.19-valid_users_doc.patch  |   53 -
 .../samba-3.6.23-fix_libads_krb5_ipv6.patch   |  788 --
 src/patches/samba/samba-3.6.23-gecos.patch    |   42 -
 .../samba/samba-3.6.23-glusterfs.patch        | 2318 ------
 .../samba/samba-3.6.23-libsmbclient.patch     |   36 -
 .../samba-3.6.26-smb2_case_sensitive.patch    |  118 -
 ....6.99-2110-ntlmssp-session-setup-nas.patch |   39 -
 .../samba-3.6.99-add_spoolss_os_version.patch |   53 -
 ...6.99-add_timeout_option_to_smbclient.patch |  147 -
 ....6.99-asserted_identity_sid-S-1-18-1.patch |  223 -
 .../samba/samba-3.6.99-bug-1117059.patch      |   86 -
 .../samba/samba-3.6.99-bug-1192211.patch      |   42 -
 ...3.6.99-doc_netbios_name_length_limit.patch |  257 -
 .../samba-3.6.99-fix_dirsort_ea-support.patch |  314 -
 .../samba-3.6.99-fix_dropbox_share.patch      |  271 -
 .../samba/samba-3.6.99-fix_force_group.patch  |   68 -
 ...ix_force_user_winbind_default_domain.patch |   58 -
 ....99-fix_force_user_with_security_ads.patch | 1292 ---
 .../samba-3.6.99-fix_gecos_interactive.patch  |  922 ---
 ...-fix_group_expansion_in_service_path.patch |   46 -
 ...x_group_expansion_with_nss_templates.patch |  376 -
 ...a-3.6.99-fix_keytab_null_termination.patch |   37 -
 ...6.99-fix_lookups_with_one_way_trusts.patch |   37 -
 ...ba-3.6.99-fix_mangling_hash_segfault.patch |   38 -
 ...amba-3.6.99-fix_map_to_guest_bad_uid.patch |   76 -
 ...fix_member_auth_after_changed_secret.patch |   89 -
 ...a-3.6.99-fix_memleak_in_printer_list.patch |   34 -
 ....99-fix_memleak_winbind_cached_creds.patch |   46 -
 ...9-fix_nbt_query_with_many_components.patch |   35 -
 ....99-fix_pam_winbind_parsing_segfault.patch |  112 -
 ...-3.6.99-fix_printcap_cpu_utilization.patch |  958 ---
 ...samba-3.6.99-fix_rpc_query_user_list.patch |   37 -
 ...3.6.99-fix_rpcclient_timeout_command.patch |   73 -
 ....99-fix_security_server_share_access.patch |   70 -
 ...-3.6.99-fix_setup_domain_child_logic.patch |  186 -
 .../samba/samba-3.6.99-fix_smb_conf_doc.patch |   51 -
 ...mba-3.6.99-fix_smbclient_ntlmv2_auth.patch |  116 -
 ...-fix_stale_printer_entries_on_rename.patch |   55 -
 ...amba-3.6.99-fix_symlink_verification.patch |  111 -
 ...ba-3.6.99-fix_usergroup_cache_lookup.patch |  397 -
 ...3.6.99-fix_winbind_cache_memory_leak.patch |   29 -
 .../samba/samba-3.6.99-idmap_ad_memleak.patch |   28 -
 ...ba-3.6.99-libsmb_fix_dfs_connections.patch |   47 -
 ...a-3.6.99-net_ads_join_no_dns_updates.patch |  101 -
 ...samba-3.6.99-nt_printer_publish_guid.patch |  620 --
 ...amba-3.6.99-nt_printer_unpublish_fix.patch |   75 -
 ...-winbind_fix_trusted_domain_handling.patch |  432 -
 .../samba-3.6.x-winbind_tevent_poll.patch     |  308 -
 84 files changed, 3293 insertions(+), 30565 deletions(-)
 create mode 100644 config/rootfiles/packages/aarch64/samba
 create mode 100644 config/rootfiles/packages/armv5tel/samba
 create mode 100644 config/rootfiles/packages/i586/samba
 delete mode 100644 config/rootfiles/packages/samba
 create mode 100644 config/rootfiles/packages/x86_64/samba
 delete mode 100644 src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch
 delete mode 100644 src/patches/samba/CVE-2015-5296-v3-6-bso11536.patch
 delete mode 100644 src/patches/samba/CVE-2015-5299-v3-6-bso11529.patch
 delete mode 100644 src/patches/samba/CVE-2015-5330-v3-6-bso11599.patch
 delete mode 100644 src/patches/samba/CVE-2015-5370-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2015-7560-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2110-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2111-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2112-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2115-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2118-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2125-v3.6.patch
 delete mode 100644 src/patches/samba/CVE-2016-2126-v3.6.patch
 delete mode 100644 src/patches/samba/CVE-2017-12150-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-2017-12163.patch
 delete mode 100644 src/patches/samba/CVE-2017-15275.patch
 delete mode 100644 src/patches/samba/CVE-2017-2619.patch
 delete mode 100644 src/patches/samba/CVE-2017-7494-v3-6.patch
 delete mode 100644 src/patches/samba/CVE-preparation-v3-6.patch
 delete mode 100644 src/patches/samba/doc-update.patch
 delete mode 100644 src/patches/samba/samba-3.2.0pre1-grouppwd.patch
 delete mode 100644 src/patches/samba/samba-3.2.0pre1-pipedir.patch
 delete mode 100644 src/patches/samba/samba-3.2.5-inotify.patch
 delete mode 100644 src/patches/samba/samba-3.5.11-docs.patch
 delete mode 100644 src/patches/samba/samba-3.5.11-idmapdebug.patch
 delete mode 100644 src/patches/samba/samba-3.5.11-nss_info_doc.patch
 delete mode 100644 src/patches/samba/samba-3.5.11-wbinfo_manpage.patch
 delete mode 100644 src/patches/samba/samba-3.5.12-dns.patch
 delete mode 100644 src/patches/samba/samba-3.5.12-pam_radio_type.patch
 delete mode 100644 src/patches/samba/samba-3.6.18-fix_net_ads_join_segfault.patch
 delete mode 100644 src/patches/samba/samba-3.6.19-valid_users_doc.patch
 delete mode 100644 src/patches/samba/samba-3.6.23-fix_libads_krb5_ipv6.patch
 delete mode 100644 src/patches/samba/samba-3.6.23-gecos.patch
 delete mode 100644 src/patches/samba/samba-3.6.23-glusterfs.patch
 delete mode 100644 src/patches/samba/samba-3.6.23-libsmbclient.patch
 delete mode 100644 src/patches/samba/samba-3.6.26-smb2_case_sensitive.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-2110-ntlmssp-session-setup-nas.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-add_spoolss_os_version.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-add_timeout_option_to_smbclient.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-asserted_identity_sid-S-1-18-1.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-bug-1117059.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-bug-1192211.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-doc_netbios_name_length_limit.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_dirsort_ea-support.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_dropbox_share.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_force_group.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_force_user_winbind_default_domain.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_force_user_with_security_ads.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_gecos_interactive.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_group_expansion_in_service_path.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_group_expansion_with_nss_templates.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_keytab_null_termination.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_lookups_with_one_way_trusts.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_mangling_hash_segfault.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_map_to_guest_bad_uid.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_member_auth_after_changed_secret.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_memleak_in_printer_list.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_memleak_winbind_cached_creds.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_nbt_query_with_many_components.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_pam_winbind_parsing_segfault.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_printcap_cpu_utilization.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_rpc_query_user_list.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_rpcclient_timeout_command.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_security_server_share_access.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_setup_domain_child_logic.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_smb_conf_doc.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_stale_printer_entries_on_rename.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_symlink_verification.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_usergroup_cache_lookup.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-fix_winbind_cache_memory_leak.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-idmap_ad_memleak.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-libsmb_fix_dfs_connections.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-net_ads_join_no_dns_updates.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-nt_printer_publish_guid.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-nt_printer_unpublish_fix.patch
 delete mode 100644 src/patches/samba/samba-3.6.99-winbind_fix_trusted_domain_handling.patch
 delete mode 100644 src/patches/samba/samba-3.6.x-winbind_tevent_poll.patch

Patch

diff --git a/config/rootfiles/packages/aarch64/samba b/config/rootfiles/packages/aarch64/samba
new file mode 100644
index 000000000..630ec9da8
--- /dev/null
+++ b/config/rootfiles/packages/aarch64/samba
@@ -0,0 +1,820 @@ 
+etc/rc.d/init.d/samba
+usr/bin/cifsdd
+usr/bin/dbwrap_tool
+usr/bin/findsmb
+usr/bin/gentest
+usr/bin/ldbadd
+usr/bin/ldbdel
+usr/bin/ldbedit
+usr/bin/ldbmodify
+usr/bin/ldbrename
+usr/bin/ldbsearch
+usr/bin/locktest
+usr/bin/masktest
+usr/bin/mdfind
+usr/bin/mvxattr
+usr/bin/ndrdump
+usr/bin/net
+usr/bin/nmblookup
+usr/bin/ntlm_auth
+usr/bin/oLschema2ldif
+usr/bin/pdbedit
+usr/bin/profiles
+usr/bin/regdiff
+usr/bin/regpatch
+usr/bin/regshell
+usr/bin/regtree
+usr/bin/rpcclient
+usr/bin/samba-regedit
+usr/bin/sharesec
+usr/bin/smbcacls
+usr/bin/smbclient
+usr/bin/smbcontrol
+usr/bin/smbcquotas
+usr/bin/smbget
+usr/bin/smbpasswd
+usr/bin/smbspool
+usr/bin/smbstatus
+usr/bin/smbtar
+usr/bin/smbtorture
+usr/bin/smbtree
+usr/bin/tdbbackup
+usr/bin/tdbdump
+usr/bin/tdbrestore
+usr/bin/tdbtool
+usr/bin/testparm
+usr/bin/wbinfo
+#usr/include/samba-4.0
+#usr/include/samba-4.0/charset.h
+#usr/include/samba-4.0/core
+#usr/include/samba-4.0/core/doserr.h
+#usr/include/samba-4.0/core/error.h
+#usr/include/samba-4.0/core/hresult.h
+#usr/include/samba-4.0/core/ntstatus.h
+#usr/include/samba-4.0/core/ntstatus_gen.h
+#usr/include/samba-4.0/core/werror.h
+#usr/include/samba-4.0/core/werror_gen.h
+#usr/include/samba-4.0/credentials.h
+#usr/include/samba-4.0/dcerpc.h
+#usr/include/samba-4.0/dcesrv_core.h
+#usr/include/samba-4.0/domain_credentials.h
+#usr/include/samba-4.0/gen_ndr
+#usr/include/samba-4.0/gen_ndr/atsvc.h
+#usr/include/samba-4.0/gen_ndr/auth.h
+#usr/include/samba-4.0/gen_ndr/dcerpc.h
+#usr/include/samba-4.0/gen_ndr/drsblobs.h
+#usr/include/samba-4.0/gen_ndr/drsuapi.h
+#usr/include/samba-4.0/gen_ndr/krb5pac.h
+#usr/include/samba-4.0/gen_ndr/lsa.h
+#usr/include/samba-4.0/gen_ndr/misc.h
+#usr/include/samba-4.0/gen_ndr/nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_atsvc.h
+#usr/include/samba-4.0/gen_ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/gen_ndr/ndr_misc.h
+#usr/include/samba-4.0/gen_ndr/ndr_nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr_c.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl_c.h
+#usr/include/samba-4.0/gen_ndr/netlogon.h
+#usr/include/samba-4.0/gen_ndr/samr.h
+#usr/include/samba-4.0/gen_ndr/security.h
+#usr/include/samba-4.0/gen_ndr/server_id.h
+#usr/include/samba-4.0/gen_ndr/svcctl.h
+#usr/include/samba-4.0/ldb_wrap.h
+#usr/include/samba-4.0/libsmbclient.h
+#usr/include/samba-4.0/lookup_sid.h
+#usr/include/samba-4.0/machine_sid.h
+#usr/include/samba-4.0/ndr
+#usr/include/samba-4.0/ndr.h
+#usr/include/samba-4.0/ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/ndr/ndr_nbt.h
+#usr/include/samba-4.0/ndr/ndr_svcctl.h
+#usr/include/samba-4.0/netapi.h
+#usr/include/samba-4.0/param.h
+#usr/include/samba-4.0/passdb.h
+#usr/include/samba-4.0/policy.h
+#usr/include/samba-4.0/rpc_common.h
+#usr/include/samba-4.0/samba
+#usr/include/samba-4.0/samba/session.h
+#usr/include/samba-4.0/samba/version.h
+#usr/include/samba-4.0/share.h
+#usr/include/samba-4.0/smb2_lease_struct.h
+#usr/include/samba-4.0/smb_ldap.h
+#usr/include/samba-4.0/smbconf.h
+#usr/include/samba-4.0/smbldap.h
+#usr/include/samba-4.0/tdr.h
+#usr/include/samba-4.0/tsocket.h
+#usr/include/samba-4.0/tsocket_internal.h
+#usr/include/samba-4.0/util
+#usr/include/samba-4.0/util/attr.h
+#usr/include/samba-4.0/util/blocking.h
+#usr/include/samba-4.0/util/data_blob.h
+#usr/include/samba-4.0/util/debug.h
+#usr/include/samba-4.0/util/discard.h
+#usr/include/samba-4.0/util/fault.h
+#usr/include/samba-4.0/util/genrand.h
+#usr/include/samba-4.0/util/idtree.h
+#usr/include/samba-4.0/util/idtree_random.h
+#usr/include/samba-4.0/util/signal.h
+#usr/include/samba-4.0/util/string_wrappers.h
+#usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/tevent_ntstatus.h
+#usr/include/samba-4.0/util/tevent_unix.h
+#usr/include/samba-4.0/util/tevent_werror.h
+#usr/include/samba-4.0/util/tfork.h
+#usr/include/samba-4.0/util/time.h
+#usr/include/samba-4.0/util_ldb.h
+#usr/include/samba-4.0/wbclient.h
+usr/lib/libdcerpc-binding.so
+usr/lib/libdcerpc-binding.so.0
+usr/lib/libdcerpc-binding.so.0.0.1
+usr/lib/libdcerpc-samr.so
+usr/lib/libdcerpc-samr.so.0
+usr/lib/libdcerpc-samr.so.0.0.1
+usr/lib/libdcerpc-server-core.so
+usr/lib/libdcerpc-server-core.so.0
+usr/lib/libdcerpc-server-core.so.0.0.1
+usr/lib/libdcerpc.so
+usr/lib/libdcerpc.so.0
+usr/lib/libdcerpc.so.0.0.1
+usr/lib/libndr-krb5pac.so
+usr/lib/libndr-krb5pac.so.0
+usr/lib/libndr-krb5pac.so.0.0.1
+usr/lib/libndr-nbt.so
+usr/lib/libndr-nbt.so.0
+usr/lib/libndr-nbt.so.0.0.1
+usr/lib/libndr-standard.so
+usr/lib/libndr-standard.so.0
+usr/lib/libndr-standard.so.0.0.1
+usr/lib/libndr.so
+usr/lib/libndr.so.1
+usr/lib/libndr.so.1.0.0
+usr/lib/libnetapi.so
+usr/lib/libnetapi.so.0
+usr/lib/libnss_winbind.so
+usr/lib/libnss_winbind.so.2
+usr/lib/libnss_wins.so
+usr/lib/libnss_wins.so.2
+usr/lib/libsamba-credentials.so
+usr/lib/libsamba-credentials.so.0
+usr/lib/libsamba-credentials.so.0.0.1
+usr/lib/libsamba-errors.so
+usr/lib/libsamba-errors.so.1
+usr/lib/libsamba-hostconfig.so
+usr/lib/libsamba-hostconfig.so.0
+usr/lib/libsamba-hostconfig.so.0.0.1
+usr/lib/libsamba-passdb.so
+usr/lib/libsamba-passdb.so.0
+usr/lib/libsamba-passdb.so.0.28.0
+usr/lib/libsamba-policy.cpython-38-aarch64-linux-gnu.so
+usr/lib/libsamba-policy.cpython-38-aarch64-linux-gnu.so.0
+usr/lib/libsamba-policy.cpython-38-aarch64-linux-gnu.so.0.0.1
+usr/lib/libsamba-util.so
+usr/lib/libsamba-util.so.0
+usr/lib/libsamba-util.so.0.0.1
+usr/lib/libsamdb.so
+usr/lib/libsamdb.so.0
+usr/lib/libsamdb.so.0.0.1
+usr/lib/libsmbclient.so
+usr/lib/libsmbclient.so.0
+usr/lib/libsmbclient.so.0.6.0
+usr/lib/libsmbconf.so
+usr/lib/libsmbconf.so.0
+usr/lib/libsmbldap.so
+usr/lib/libsmbldap.so.2
+usr/lib/libtevent-util.so
+usr/lib/libtevent-util.so.0
+usr/lib/libtevent-util.so.0.0.1
+usr/lib/libwbclient.so
+usr/lib/libwbclient.so.0
+usr/lib/libwbclient.so.0.15
+#usr/lib/pkgconfig/dcerpc.pc
+#usr/lib/pkgconfig/dcerpc_samr.pc
+#usr/lib/pkgconfig/ndr.pc
+#usr/lib/pkgconfig/ndr_krb5pac.pc
+#usr/lib/pkgconfig/ndr_nbt.pc
+#usr/lib/pkgconfig/ndr_standard.pc
+#usr/lib/pkgconfig/netapi.pc
+#usr/lib/pkgconfig/samba-credentials.pc
+#usr/lib/pkgconfig/samba-hostconfig.pc
+#usr/lib/pkgconfig/samba-policy.cpython-38-aarch64-linux-gnu.pc
+#usr/lib/pkgconfig/samba-util.pc
+#usr/lib/pkgconfig/samdb.pc
+#usr/lib/pkgconfig/smbclient.pc
+#usr/lib/pkgconfig/wbclient.pc
+usr/lib/python3.8/site-packages/_ldb_text.py
+usr/lib/python3.8/site-packages/_tdb_text.py
+usr/lib/python3.8/site-packages/_tevent.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/ldb.cpython-38-aarch64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba
+usr/lib/python3.8/site-packages/samba/__init__.py
+usr/lib/python3.8/site-packages/samba/_glue.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/_ldb.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth_util.py
+usr/lib/python3.8/site-packages/samba/colour.py
+usr/lib/python3.8/site-packages/samba/common.py
+usr/lib/python3.8/site-packages/samba/compat.py
+usr/lib/python3.8/site-packages/samba/credentials.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/crypto.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dbchecker.py
+#usr/lib/python3.8/site-packages/samba/dcerpc
+usr/lib/python3.8/site-packages/samba/dcerpc/__init__.py
+usr/lib/python3.8/site-packages/samba/dcerpc/atsvc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/auth.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/base.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dcerpc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dfs.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dns.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsp.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsserver.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsblobs.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsuapi.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/echo.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/epmapper.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/idmap.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/initshutdown.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/irpc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/krb5pac.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/lsa.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mdssvc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/messaging.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mgmt.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/misc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/nbt.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/netlogon.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/ntlmssp.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/preg.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/samr.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/security.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/server_id.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/smb_acl.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/spoolss.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/srvsvc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/svcctl.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/unixinfo.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winbind.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/windows_event_ids.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winreg.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winspool.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/witness.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/wkssvc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/xattr.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/descriptor.py
+usr/lib/python3.8/site-packages/samba/dnsserver.py
+usr/lib/python3.8/site-packages/samba/domain_update.py
+usr/lib/python3.8/site-packages/samba/drs_utils.py
+#usr/lib/python3.8/site-packages/samba/emulate
+usr/lib/python3.8/site-packages/samba/emulate/__init__.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic_packets.py
+usr/lib/python3.8/site-packages/samba/forest_update.py
+usr/lib/python3.8/site-packages/samba/gensec.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/getopt.py
+usr/lib/python3.8/site-packages/samba/gp_ext_loader.py
+#usr/lib/python3.8/site-packages/samba/gp_parse
+usr/lib/python3.8/site-packages/samba/gp_parse/__init__.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_aas.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_csv.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_inf.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_ini.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_pol.py
+usr/lib/python3.8/site-packages/samba/gp_scripts_ext.py
+usr/lib/python3.8/site-packages/samba/gp_sec_ext.py
+usr/lib/python3.8/site-packages/samba/gpclass.py
+usr/lib/python3.8/site-packages/samba/gpo.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/graph.py
+usr/lib/python3.8/site-packages/samba/hostconfig.py
+usr/lib/python3.8/site-packages/samba/idmap.py
+usr/lib/python3.8/site-packages/samba/join.py
+#usr/lib/python3.8/site-packages/samba/kcc
+usr/lib/python3.8/site-packages/samba/kcc/__init__.py
+usr/lib/python3.8/site-packages/samba/kcc/debug.py
+usr/lib/python3.8/site-packages/samba/kcc/graph.py
+usr/lib/python3.8/site-packages/samba/kcc/graph_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/kcc_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.8/site-packages/samba/logger.py
+usr/lib/python3.8/site-packages/samba/mdb_util.py
+usr/lib/python3.8/site-packages/samba/messaging.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/ms_display_specifiers.py
+usr/lib/python3.8/site-packages/samba/ms_forest_updates_markdown.py
+usr/lib/python3.8/site-packages/samba/ms_schema.py
+usr/lib/python3.8/site-packages/samba/ms_schema_markdown.py
+usr/lib/python3.8/site-packages/samba/ndr.py
+usr/lib/python3.8/site-packages/samba/net.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/netbios.cpython-38-aarch64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/netcmd
+usr/lib/python3.8/site-packages/samba/netcmd/__init__.py
+usr/lib/python3.8/site-packages/samba/netcmd/common.py
+usr/lib/python3.8/site-packages/samba/netcmd/computer.py
+usr/lib/python3.8/site-packages/samba/netcmd/contact.py
+usr/lib/python3.8/site-packages/samba/netcmd/dbcheck.py
+usr/lib/python3.8/site-packages/samba/netcmd/delegation.py
+usr/lib/python3.8/site-packages/samba/netcmd/dns.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain_backup.py
+usr/lib/python3.8/site-packages/samba/netcmd/drs.py
+usr/lib/python3.8/site-packages/samba/netcmd/dsacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/forest.py
+usr/lib/python3.8/site-packages/samba/netcmd/fsmo.py
+usr/lib/python3.8/site-packages/samba/netcmd/gpo.py
+usr/lib/python3.8/site-packages/samba/netcmd/group.py
+usr/lib/python3.8/site-packages/samba/netcmd/ldapcmp.py
+usr/lib/python3.8/site-packages/samba/netcmd/main.py
+usr/lib/python3.8/site-packages/samba/netcmd/nettime.py
+usr/lib/python3.8/site-packages/samba/netcmd/ntacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/ou.py
+usr/lib/python3.8/site-packages/samba/netcmd/processes.py
+usr/lib/python3.8/site-packages/samba/netcmd/pso.py
+usr/lib/python3.8/site-packages/samba/netcmd/rodc.py
+usr/lib/python3.8/site-packages/samba/netcmd/schema.py
+usr/lib/python3.8/site-packages/samba/netcmd/sites.py
+usr/lib/python3.8/site-packages/samba/netcmd/spn.py
+usr/lib/python3.8/site-packages/samba/netcmd/testparm.py
+usr/lib/python3.8/site-packages/samba/netcmd/user.py
+usr/lib/python3.8/site-packages/samba/netcmd/visualize.py
+usr/lib/python3.8/site-packages/samba/ntacls.py
+usr/lib/python3.8/site-packages/samba/ntstatus.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/param.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/policy.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/posix_eadb.cpython-38-aarch64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/provision
+usr/lib/python3.8/site-packages/samba/provision/__init__.py
+usr/lib/python3.8/site-packages/samba/provision/backend.py
+usr/lib/python3.8/site-packages/samba/provision/common.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos_implementation.py
+usr/lib/python3.8/site-packages/samba/provision/sambadns.py
+usr/lib/python3.8/site-packages/samba/registry.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/remove_dc.py
+#usr/lib/python3.8/site-packages/samba/samba3
+usr/lib/python3.8/site-packages/samba/samba3/__init__.py
+usr/lib/python3.8/site-packages/samba/samba3/libsmb_samba_internal.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/mdscli.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/param.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/passdb.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/smbd.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samdb.py
+usr/lib/python3.8/site-packages/samba/schema.py
+usr/lib/python3.8/site-packages/samba/sd_utils.py
+usr/lib/python3.8/site-packages/samba/security.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/sites.py
+usr/lib/python3.8/site-packages/samba/subnets.py
+#usr/lib/python3.8/site-packages/samba/subunit
+usr/lib/python3.8/site-packages/samba/subunit/__init__.py
+usr/lib/python3.8/site-packages/samba/subunit/run.py
+usr/lib/python3.8/site-packages/samba/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests
+#usr/lib/python3.8/site-packages/samba/tests/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_ncalrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon_bad_creds.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_samlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/bug13653.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/check_output.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/downgradedatabase.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/mdfind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/ndrdump.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/netads_json.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/samba_dnsupdate.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls_basic.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol_process.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_learner.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_replay.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_summary.py
+#usr/lib/python3.8/site-packages/samba/tests/common.py
+#usr/lib/python3.8/site-packages/samba/tests/complex_expressions.py
+#usr/lib/python3.8/site-packages/samba/tests/core.py
+#usr/lib/python3.8/site-packages/samba/tests/credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/array.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/bare.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/dnsserver.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/integer.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/mdssvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/misc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_protocol.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpc_talloc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpcecho.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/sam.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/srvsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/string_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/testrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/unix.py
+#usr/lib/python3.8/site-packages/samba/tests/dckeytab.py
+#usr/lib/python3.8/site-packages/samba/tests/dns.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_base.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers/server.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_invalid.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_tkey.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_wildcard.py
+#usr/lib/python3.8/site-packages/samba/tests/docs.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup_offline.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_lock.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_schema_attributes.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate
+#usr/lib/python3.8/site-packages/samba/tests/emulate/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/encrypted_secrets.py
+#usr/lib/python3.8/site-packages/samba/tests/gensec.py
+#usr/lib/python3.8/site-packages/samba/tests/get_opt.py
+#usr/lib/python3.8/site-packages/samba/tests/getdcname.py
+#usr/lib/python3.8/site-packages/samba/tests/glue.py
+#usr/lib/python3.8/site-packages/samba/tests/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/group_audit.py
+#usr/lib/python3.8/site-packages/samba/tests/hostconfig.py
+#usr/lib/python3.8/site-packages/samba/tests/join.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc
+#usr/lib/python3.8/site-packages/samba/tests/kcc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/kcc_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/ldif_import_export.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5
+#usr/lib/python3.8/site-packages/samba/tests/krb5/kcrypto.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/rfc4120_pyasn1.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/s4u_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/simple_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/xrealm_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_raw.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_referrals.py
+#usr/lib/python3.8/site-packages/samba/tests/libsmb.py
+#usr/lib/python3.8/site-packages/samba/tests/loadparm.py
+#usr/lib/python3.8/site-packages/samba/tests/lsa_string.py
+#usr/lib/python3.8/site-packages/samba/tests/messaging.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join_no_spnego.py
+#usr/lib/python3.8/site-packages/samba/tests/netbios.py
+#usr/lib/python3.8/site-packages/samba/tests/netcmd.py
+#usr/lib/python3.8/site-packages/samba/tests/netlogonsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_base.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_krb5.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlmdisabled.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_chauthtok.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_warn_pwd_expire.py
+#usr/lib/python3.8/site-packages/samba/tests/param.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2003.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2008.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_gpgme.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_ldap.py
+#usr/lib/python3.8/site-packages/samba/tests/password_quality.py
+#usr/lib/python3.8/site-packages/samba/tests/password_test.py
+#usr/lib/python3.8/site-packages/samba/tests/policy.py
+#usr/lib/python3.8/site-packages/samba/tests/posixacl.py
+#usr/lib/python3.8/site-packages/samba/tests/prefork_restart.py
+#usr/lib/python3.8/site-packages/samba/tests/process_limits.py
+#usr/lib/python3.8/site-packages/samba/tests/provision.py
+#usr/lib/python3.8/site-packages/samba/tests/pso.py
+#usr/lib/python3.8/site-packages/samba/tests/py_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3idmapdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3param.py
+#usr/lib/python3.8/site-packages/samba/tests/s3passdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3windb.py
+#usr/lib/python3.8/site-packages/samba/tests/samba3sam.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/computer.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/contact.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/demote.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dnscmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dsacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/forest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/fsmo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/group.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/help.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ntacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ou.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/passwordsettings.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/processes.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/promote_dc_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_password_check.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/rodc.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/schema.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/sites.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/timecmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_wdigest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize_drs.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_upgradedns_lmdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb_api.py
+#usr/lib/python3.8/site-packages/samba/tests/security.py
+#usr/lib/python3.8/site-packages/samba/tests/segfault.py
+#usr/lib/python3.8/site-packages/samba/tests/smb.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_base.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_fuzztest.py
+#usr/lib/python3.8/site-packages/samba/tests/source.py
+#usr/lib/python3.8/site-packages/samba/tests/strings.py
+#usr/lib/python3.8/site-packages/samba/tests/subunitrun.py
+#usr/lib/python3.8/site-packages/samba/tests/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests/upgrade.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovision.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovisionneeddc.py
+#usr/lib/python3.8/site-packages/samba/tests/usage.py
+#usr/lib/python3.8/site-packages/samba/tests/xattr.py
+#usr/lib/python3.8/site-packages/samba/third_party
+usr/lib/python3.8/site-packages/samba/third_party/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/iso8601.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/test_iso8601.py
+usr/lib/python3.8/site-packages/samba/upgrade.py
+usr/lib/python3.8/site-packages/samba/upgradehelpers.py
+usr/lib/python3.8/site-packages/samba/uptodateness.py
+usr/lib/python3.8/site-packages/samba/werror.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr.py
+usr/lib/python3.8/site-packages/samba/xattr_native.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr_tdb.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/talloc.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/tdb.cpython-38-aarch64-linux-gnu.so
+usr/lib/python3.8/site-packages/tevent.py
+#usr/lib/samba
+usr/lib/samba/idmap
+usr/lib/samba/idmap/ad.so
+usr/lib/samba/idmap/autorid.so
+usr/lib/samba/idmap/hash.so
+usr/lib/samba/idmap/rfc2307.so
+usr/lib/samba/idmap/rid.so
+usr/lib/samba/idmap/script.so
+usr/lib/samba/idmap/tdb2.so
+#usr/lib/samba/krb5
+usr/lib/samba/krb5/winbind_krb5_locator.so
+#usr/lib/samba/ldb
+usr/lib/samba/ldb/asq.so
+usr/lib/samba/ldb/ildap.so
+usr/lib/samba/ldb/ldb.so
+usr/lib/samba/ldb/ldbsamba_extensions.so
+usr/lib/samba/ldb/paged_searches.so
+usr/lib/samba/ldb/rdn_name.so
+usr/lib/samba/ldb/sample.so
+usr/lib/samba/ldb/server_sort.so
+usr/lib/samba/ldb/skel.so
+usr/lib/samba/ldb/tdb.so
+usr/lib/samba/libCHARSET3-samba4.so
+usr/lib/samba/libLIBWBCLIENT-OLD-samba4.so
+usr/lib/samba/libMESSAGING-SEND-samba4.so
+usr/lib/samba/libMESSAGING-samba4.so
+usr/lib/samba/libaddns-samba4.so
+usr/lib/samba/libads-samba4.so
+usr/lib/samba/libasn1-samba4.so.8
+usr/lib/samba/libasn1-samba4.so.8.0.0
+usr/lib/samba/libasn1util-samba4.so
+usr/lib/samba/libauth-samba4.so
+usr/lib/samba/libauth-unix-token-samba4.so
+usr/lib/samba/libauth4-samba4.so
+usr/lib/samba/libauthkrb5-samba4.so
+usr/lib/samba/libcli-cldap-samba4.so
+usr/lib/samba/libcli-ldap-common-samba4.so
+usr/lib/samba/libcli-ldap-samba4.so
+usr/lib/samba/libcli-nbt-samba4.so
+usr/lib/samba/libcli-smb-common-samba4.so
+usr/lib/samba/libcli-spoolss-samba4.so
+usr/lib/samba/libcliauth-samba4.so
+usr/lib/samba/libclidns-samba4.so
+usr/lib/samba/libcluster-samba4.so
+usr/lib/samba/libcmdline-contexts-samba4.so
+usr/lib/samba/libcmdline-credentials-samba4.so
+usr/lib/samba/libcmocka-samba4.so
+usr/lib/samba/libcom_err-samba4.so.0
+usr/lib/samba/libcom_err-samba4.so.0.25
+usr/lib/samba/libcommon-auth-samba4.so
+usr/lib/samba/libdbwrap-samba4.so
+usr/lib/samba/libdcerpc-samba-samba4.so
+usr/lib/samba/libdcerpc-samba4.so
+usr/lib/samba/libdsdb-module-samba4.so
+usr/lib/samba/libevents-samba4.so
+usr/lib/samba/libflag-mapping-samba4.so
+usr/lib/samba/libgenrand-samba4.so
+usr/lib/samba/libgensec-samba4.so
+usr/lib/samba/libgpext-samba4.so
+usr/lib/samba/libgpo-samba4.so
+usr/lib/samba/libgse-samba4.so
+usr/lib/samba/libgssapi-samba4.so.2
+usr/lib/samba/libgssapi-samba4.so.2.0.0
+usr/lib/samba/libhcrypto-samba4.so.5
+usr/lib/samba/libhcrypto-samba4.so.5.0.1
+usr/lib/samba/libhdb-samba4.so.11
+usr/lib/samba/libhdb-samba4.so.11.0.2
+usr/lib/samba/libheimbase-samba4.so.1
+usr/lib/samba/libheimbase-samba4.so.1.0.0
+usr/lib/samba/libheimntlm-samba4.so.1
+usr/lib/samba/libheimntlm-samba4.so.1.0.1
+usr/lib/samba/libhttp-samba4.so
+usr/lib/samba/libhx509-samba4.so.5
+usr/lib/samba/libhx509-samba4.so.5.0.0
+usr/lib/samba/libidmap-samba4.so
+usr/lib/samba/libinterfaces-samba4.so
+usr/lib/samba/libiov-buf-samba4.so
+usr/lib/samba/libkdc-samba4.so.2
+usr/lib/samba/libkdc-samba4.so.2.0.0
+usr/lib/samba/libkrb5-samba4.so.26
+usr/lib/samba/libkrb5-samba4.so.26.0.0
+usr/lib/samba/libkrb5samba-samba4.so
+usr/lib/samba/libldb-cmdline-samba4.so
+usr/lib/samba/libldb-key-value-samba4.so
+usr/lib/samba/libldb-tdb-err-map-samba4.so
+usr/lib/samba/libldb-tdb-int-samba4.so
+usr/lib/samba/libldb.so.2
+usr/lib/samba/libldb.so.2.2.0
+usr/lib/samba/libldbsamba-samba4.so
+usr/lib/samba/liblibcli-lsa3-samba4.so
+usr/lib/samba/liblibcli-netlogon3-samba4.so
+usr/lib/samba/liblibsmb-samba4.so
+usr/lib/samba/libmessages-dgm-samba4.so
+usr/lib/samba/libmessages-util-samba4.so
+usr/lib/samba/libmsghdr-samba4.so
+usr/lib/samba/libmsrpc3-samba4.so
+usr/lib/samba/libndr-samba-samba4.so
+usr/lib/samba/libndr-samba4.so
+usr/lib/samba/libnet-keytab-samba4.so
+usr/lib/samba/libnetif-samba4.so
+usr/lib/samba/libnpa-tstream-samba4.so
+usr/lib/samba/libnss-info-samba4.so
+usr/lib/samba/libpopt-samba3-cmdline-samba4.so
+usr/lib/samba/libpopt-samba3-samba4.so
+usr/lib/samba/libposix-eadb-samba4.so
+usr/lib/samba/libprinter-driver-samba4.so
+usr/lib/samba/libprinting-migrate-samba4.so
+usr/lib/samba/libpyldb-util.cpython-38-aarch64-linux-gnu.so.2
+usr/lib/samba/libpyldb-util.cpython-38-aarch64-linux-gnu.so.2.2.0
+usr/lib/samba/libpytalloc-util.cpython-38-aarch64-linux-gnu.so.2
+usr/lib/samba/libpytalloc-util.cpython-38-aarch64-linux-gnu.so.2.3.1
+usr/lib/samba/libregistry-samba4.so
+usr/lib/samba/libreplace-samba4.so
+usr/lib/samba/libroken-samba4.so.19
+usr/lib/samba/libroken-samba4.so.19.0.1
+usr/lib/samba/libsamba-cluster-support-samba4.so
+usr/lib/samba/libsamba-debug-samba4.so
+usr/lib/samba/libsamba-modules-samba4.so
+usr/lib/samba/libsamba-net.cpython-38-aarch64-linux-gnu-samba4.so
+usr/lib/samba/libsamba-python.cpython-38-aarch64-linux-gnu-samba4.so
+usr/lib/samba/libsamba-security-samba4.so
+usr/lib/samba/libsamba-sockets-samba4.so
+usr/lib/samba/libsamba3-util-samba4.so
+usr/lib/samba/libsamdb-common-samba4.so
+usr/lib/samba/libsecrets3-samba4.so
+usr/lib/samba/libserver-id-db-samba4.so
+usr/lib/samba/libserver-role-samba4.so
+usr/lib/samba/libshares-samba4.so
+usr/lib/samba/libsmb-transport-samba4.so
+usr/lib/samba/libsmbclient-raw-samba4.so
+usr/lib/samba/libsmbd-base-samba4.so
+usr/lib/samba/libsmbd-conn-samba4.so
+usr/lib/samba/libsmbd-shim-samba4.so
+usr/lib/samba/libsmbldaphelper-samba4.so
+usr/lib/samba/libsmbpasswdparser-samba4.so
+usr/lib/samba/libsocket-blocking-samba4.so
+usr/lib/samba/libsys-rw-samba4.so
+usr/lib/samba/libtalloc-report-printf-samba4.so
+usr/lib/samba/libtalloc-report-samba4.so
+usr/lib/samba/libtalloc.so.2
+usr/lib/samba/libtalloc.so.2.3.1
+usr/lib/samba/libtdb-wrap-samba4.so
+usr/lib/samba/libtdb.so.1
+usr/lib/samba/libtdb.so.1.4.3
+usr/lib/samba/libtevent.so.0
+usr/lib/samba/libtevent.so.0.10.2
+usr/lib/samba/libtime-basic-samba4.so
+usr/lib/samba/libtorture-samba4.so
+usr/lib/samba/libtrusts-util-samba4.so
+usr/lib/samba/libutil-cmdline-samba4.so
+usr/lib/samba/libutil-reg-samba4.so
+usr/lib/samba/libutil-setid-samba4.so
+usr/lib/samba/libutil-tdb-samba4.so
+usr/lib/samba/libwinbind-client-samba4.so
+usr/lib/samba/libwind-samba4.so.0
+usr/lib/samba/libwind-samba4.so.0.0.0
+usr/lib/samba/libxattr-tdb-samba4.so
+usr/lib/samba/nss_info
+usr/lib/samba/nss_info/hash.so
+usr/lib/samba/nss_info/rfc2307.so
+usr/lib/samba/nss_info/sfu.so
+usr/lib/samba/nss_info/sfu20.so
+#usr/lib/samba/vfs
+usr/lib/samba/vfs/acl_tdb.so
+usr/lib/samba/vfs/acl_xattr.so
+usr/lib/samba/vfs/aio_fork.so
+usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/audit.so
+usr/lib/samba/vfs/btrfs.so
+usr/lib/samba/vfs/cap.so
+usr/lib/samba/vfs/catia.so
+usr/lib/samba/vfs/commit.so
+usr/lib/samba/vfs/crossrename.so
+usr/lib/samba/vfs/default_quota.so
+usr/lib/samba/vfs/dirsort.so
+usr/lib/samba/vfs/expand_msdfs.so
+usr/lib/samba/vfs/extd_audit.so
+usr/lib/samba/vfs/fake_perms.so
+usr/lib/samba/vfs/fileid.so
+usr/lib/samba/vfs/fruit.so
+usr/lib/samba/vfs/full_audit.so
+usr/lib/samba/vfs/glusterfs_fuse.so
+usr/lib/samba/vfs/gpfs.so
+usr/lib/samba/vfs/linux_xfs_sgid.so
+usr/lib/samba/vfs/media_harmony.so
+usr/lib/samba/vfs/offline.so
+usr/lib/samba/vfs/preopen.so
+usr/lib/samba/vfs/readahead.so
+usr/lib/samba/vfs/readonly.so
+usr/lib/samba/vfs/recycle.so
+usr/lib/samba/vfs/shadow_copy.so
+usr/lib/samba/vfs/shadow_copy2.so
+usr/lib/samba/vfs/shell_snap.so
+usr/lib/samba/vfs/snapper.so
+usr/lib/samba/vfs/streams_depot.so
+usr/lib/samba/vfs/streams_xattr.so
+usr/lib/samba/vfs/syncops.so
+usr/lib/samba/vfs/time_audit.so
+usr/lib/samba/vfs/unityed_media.so
+usr/lib/samba/vfs/virusfilter.so
+usr/lib/samba/vfs/widelinks.so
+usr/lib/samba/vfs/worm.so
+usr/lib/samba/vfs/xattr_tdb.so
+usr/lib/security
+usr/lib/security/pam_winbind.so
+#usr/libexec/samba
+usr/libexec/samba/smbspool_krb5_wrapper
+usr/sbin/eventlogadm
+usr/sbin/nmbd
+usr/sbin/samba-gpupdate
+usr/sbin/smbd
+usr/sbin/winbindd
+var/ipfire/backup/addons/includes/samba
+#var/ipfire/samba
+var/ipfire/samba/default.global
+var/ipfire/samba/default.pdc
+var/ipfire/samba/default.printer
+var/ipfire/samba/default.settings
+var/ipfire/samba/default.shares
+var/ipfire/samba/global
+var/ipfire/samba/pdc
+var/ipfire/samba/printer
+#var/ipfire/samba/private
+var/ipfire/samba/private/secrets.tdb
+var/ipfire/samba/private/smbpasswd
+var/ipfire/samba/settings
+var/ipfire/samba/shares
+var/ipfire/samba/smb.conf
+var/ipfire/samba/smb.conf.default
+var/lib/samba
+var/lib/samba/bind-dns
+var/lib/samba/private
+var/lib/samba/winbindd_privileged
+var/log/samba
+var/nmbd
+srv/web/ipfire/cgi-bin/samba.cgi
+srv/web/ipfire/cgi-bin/sambahlp.cgi
+var/ipfire/menu.d/EX-samba.menu
+usr/local/bin/sambactrl
diff --git a/config/rootfiles/packages/armv5tel/samba b/config/rootfiles/packages/armv5tel/samba
new file mode 100644
index 000000000..51349093b
--- /dev/null
+++ b/config/rootfiles/packages/armv5tel/samba
@@ -0,0 +1,820 @@ 
+etc/rc.d/init.d/samba
+usr/bin/cifsdd
+usr/bin/dbwrap_tool
+usr/bin/findsmb
+usr/bin/gentest
+usr/bin/ldbadd
+usr/bin/ldbdel
+usr/bin/ldbedit
+usr/bin/ldbmodify
+usr/bin/ldbrename
+usr/bin/ldbsearch
+usr/bin/locktest
+usr/bin/masktest
+usr/bin/mdfind
+usr/bin/mvxattr
+usr/bin/ndrdump
+usr/bin/net
+usr/bin/nmblookup
+usr/bin/ntlm_auth
+usr/bin/oLschema2ldif
+usr/bin/pdbedit
+usr/bin/profiles
+usr/bin/regdiff
+usr/bin/regpatch
+usr/bin/regshell
+usr/bin/regtree
+usr/bin/rpcclient
+usr/bin/samba-regedit
+usr/bin/sharesec
+usr/bin/smbcacls
+usr/bin/smbclient
+usr/bin/smbcontrol
+usr/bin/smbcquotas
+usr/bin/smbget
+usr/bin/smbpasswd
+usr/bin/smbspool
+usr/bin/smbstatus
+usr/bin/smbtar
+usr/bin/smbtorture
+usr/bin/smbtree
+usr/bin/tdbbackup
+usr/bin/tdbdump
+usr/bin/tdbrestore
+usr/bin/tdbtool
+usr/bin/testparm
+usr/bin/wbinfo
+#usr/include/samba-4.0
+#usr/include/samba-4.0/charset.h
+#usr/include/samba-4.0/core
+#usr/include/samba-4.0/core/doserr.h
+#usr/include/samba-4.0/core/error.h
+#usr/include/samba-4.0/core/hresult.h
+#usr/include/samba-4.0/core/ntstatus.h
+#usr/include/samba-4.0/core/ntstatus_gen.h
+#usr/include/samba-4.0/core/werror.h
+#usr/include/samba-4.0/core/werror_gen.h
+#usr/include/samba-4.0/credentials.h
+#usr/include/samba-4.0/dcerpc.h
+#usr/include/samba-4.0/dcesrv_core.h
+#usr/include/samba-4.0/domain_credentials.h
+#usr/include/samba-4.0/gen_ndr
+#usr/include/samba-4.0/gen_ndr/atsvc.h
+#usr/include/samba-4.0/gen_ndr/auth.h
+#usr/include/samba-4.0/gen_ndr/dcerpc.h
+#usr/include/samba-4.0/gen_ndr/drsblobs.h
+#usr/include/samba-4.0/gen_ndr/drsuapi.h
+#usr/include/samba-4.0/gen_ndr/krb5pac.h
+#usr/include/samba-4.0/gen_ndr/lsa.h
+#usr/include/samba-4.0/gen_ndr/misc.h
+#usr/include/samba-4.0/gen_ndr/nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_atsvc.h
+#usr/include/samba-4.0/gen_ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/gen_ndr/ndr_misc.h
+#usr/include/samba-4.0/gen_ndr/ndr_nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr_c.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl_c.h
+#usr/include/samba-4.0/gen_ndr/netlogon.h
+#usr/include/samba-4.0/gen_ndr/samr.h
+#usr/include/samba-4.0/gen_ndr/security.h
+#usr/include/samba-4.0/gen_ndr/server_id.h
+#usr/include/samba-4.0/gen_ndr/svcctl.h
+#usr/include/samba-4.0/ldb_wrap.h
+#usr/include/samba-4.0/libsmbclient.h
+#usr/include/samba-4.0/lookup_sid.h
+#usr/include/samba-4.0/machine_sid.h
+#usr/include/samba-4.0/ndr
+#usr/include/samba-4.0/ndr.h
+#usr/include/samba-4.0/ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/ndr/ndr_nbt.h
+#usr/include/samba-4.0/ndr/ndr_svcctl.h
+#usr/include/samba-4.0/netapi.h
+#usr/include/samba-4.0/param.h
+#usr/include/samba-4.0/passdb.h
+#usr/include/samba-4.0/policy.h
+#usr/include/samba-4.0/rpc_common.h
+#usr/include/samba-4.0/samba
+#usr/include/samba-4.0/samba/session.h
+#usr/include/samba-4.0/samba/version.h
+#usr/include/samba-4.0/share.h
+#usr/include/samba-4.0/smb2_lease_struct.h
+#usr/include/samba-4.0/smb_ldap.h
+#usr/include/samba-4.0/smbconf.h
+#usr/include/samba-4.0/smbldap.h
+#usr/include/samba-4.0/tdr.h
+#usr/include/samba-4.0/tsocket.h
+#usr/include/samba-4.0/tsocket_internal.h
+#usr/include/samba-4.0/util
+#usr/include/samba-4.0/util/attr.h
+#usr/include/samba-4.0/util/blocking.h
+#usr/include/samba-4.0/util/data_blob.h
+#usr/include/samba-4.0/util/debug.h
+#usr/include/samba-4.0/util/discard.h
+#usr/include/samba-4.0/util/fault.h
+#usr/include/samba-4.0/util/genrand.h
+#usr/include/samba-4.0/util/idtree.h
+#usr/include/samba-4.0/util/idtree_random.h
+#usr/include/samba-4.0/util/signal.h
+#usr/include/samba-4.0/util/string_wrappers.h
+#usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/tevent_ntstatus.h
+#usr/include/samba-4.0/util/tevent_unix.h
+#usr/include/samba-4.0/util/tevent_werror.h
+#usr/include/samba-4.0/util/tfork.h
+#usr/include/samba-4.0/util/time.h
+#usr/include/samba-4.0/util_ldb.h
+#usr/include/samba-4.0/wbclient.h
+usr/lib/libdcerpc-binding.so
+usr/lib/libdcerpc-binding.so.0
+usr/lib/libdcerpc-binding.so.0.0.1
+usr/lib/libdcerpc-samr.so
+usr/lib/libdcerpc-samr.so.0
+usr/lib/libdcerpc-samr.so.0.0.1
+usr/lib/libdcerpc-server-core.so
+usr/lib/libdcerpc-server-core.so.0
+usr/lib/libdcerpc-server-core.so.0.0.1
+usr/lib/libdcerpc.so
+usr/lib/libdcerpc.so.0
+usr/lib/libdcerpc.so.0.0.1
+usr/lib/libndr-krb5pac.so
+usr/lib/libndr-krb5pac.so.0
+usr/lib/libndr-krb5pac.so.0.0.1
+usr/lib/libndr-nbt.so
+usr/lib/libndr-nbt.so.0
+usr/lib/libndr-nbt.so.0.0.1
+usr/lib/libndr-standard.so
+usr/lib/libndr-standard.so.0
+usr/lib/libndr-standard.so.0.0.1
+usr/lib/libndr.so
+usr/lib/libndr.so.1
+usr/lib/libndr.so.1.0.0
+usr/lib/libnetapi.so
+usr/lib/libnetapi.so.0
+usr/lib/libnss_winbind.so
+usr/lib/libnss_winbind.so.2
+usr/lib/libnss_wins.so
+usr/lib/libnss_wins.so.2
+usr/lib/libsamba-credentials.so
+usr/lib/libsamba-credentials.so.0
+usr/lib/libsamba-credentials.so.0.0.1
+usr/lib/libsamba-errors.so
+usr/lib/libsamba-errors.so.1
+usr/lib/libsamba-hostconfig.so
+usr/lib/libsamba-hostconfig.so.0
+usr/lib/libsamba-hostconfig.so.0.0.1
+usr/lib/libsamba-passdb.so
+usr/lib/libsamba-passdb.so.0
+usr/lib/libsamba-passdb.so.0.28.0
+usr/lib/libsamba-policy.cpython-38-arm-linux-gnueabi.so
+usr/lib/libsamba-policy.cpython-38-arm-linux-gnueabi.so.0
+usr/lib/libsamba-policy.cpython-38-arm-linux-gnueabi.so.0.0.1
+usr/lib/libsamba-util.so
+usr/lib/libsamba-util.so.0
+usr/lib/libsamba-util.so.0.0.1
+usr/lib/libsamdb.so
+usr/lib/libsamdb.so.0
+usr/lib/libsamdb.so.0.0.1
+usr/lib/libsmbclient.so
+usr/lib/libsmbclient.so.0
+usr/lib/libsmbclient.so.0.6.0
+usr/lib/libsmbconf.so
+usr/lib/libsmbconf.so.0
+usr/lib/libsmbldap.so
+usr/lib/libsmbldap.so.2
+usr/lib/libtevent-util.so
+usr/lib/libtevent-util.so.0
+usr/lib/libtevent-util.so.0.0.1
+usr/lib/libwbclient.so
+usr/lib/libwbclient.so.0
+usr/lib/libwbclient.so.0.15
+#usr/lib/pkgconfig/dcerpc.pc
+#usr/lib/pkgconfig/dcerpc_samr.pc
+#usr/lib/pkgconfig/ndr.pc
+#usr/lib/pkgconfig/ndr_krb5pac.pc
+#usr/lib/pkgconfig/ndr_nbt.pc
+#usr/lib/pkgconfig/ndr_standard.pc
+#usr/lib/pkgconfig/netapi.pc
+#usr/lib/pkgconfig/samba-credentials.pc
+#usr/lib/pkgconfig/samba-hostconfig.pc
+#usr/lib/pkgconfig/samba-policy.cpython-38-arm-linux-gnueabi.pc
+#usr/lib/pkgconfig/samba-util.pc
+#usr/lib/pkgconfig/samdb.pc
+#usr/lib/pkgconfig/smbclient.pc
+#usr/lib/pkgconfig/wbclient.pc
+usr/lib/python3.8/site-packages/_ldb_text.py
+usr/lib/python3.8/site-packages/_tdb_text.py
+usr/lib/python3.8/site-packages/_tevent.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/ldb.cpython-38-arm-linux-gnueabi.so
+#usr/lib/python3.8/site-packages/samba
+usr/lib/python3.8/site-packages/samba/__init__.py
+usr/lib/python3.8/site-packages/samba/_glue.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/_ldb.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/auth.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/auth_util.py
+usr/lib/python3.8/site-packages/samba/colour.py
+usr/lib/python3.8/site-packages/samba/common.py
+usr/lib/python3.8/site-packages/samba/compat.py
+usr/lib/python3.8/site-packages/samba/credentials.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/crypto.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dbchecker.py
+#usr/lib/python3.8/site-packages/samba/dcerpc
+usr/lib/python3.8/site-packages/samba/dcerpc/__init__.py
+usr/lib/python3.8/site-packages/samba/dcerpc/atsvc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/auth.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/base.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dcerpc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dfs.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dns.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsp.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsserver.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsblobs.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsuapi.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/echo.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/epmapper.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/idmap.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/initshutdown.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/irpc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/krb5pac.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/lsa.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mdssvc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/messaging.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mgmt.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/misc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/nbt.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/netlogon.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/ntlmssp.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/preg.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/samr.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/security.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/server_id.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/smb_acl.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/spoolss.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/srvsvc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/svcctl.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/unixinfo.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winbind.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/windows_event_ids.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winreg.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winspool.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/witness.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/wkssvc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/dcerpc/xattr.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/descriptor.py
+usr/lib/python3.8/site-packages/samba/dnsserver.py
+usr/lib/python3.8/site-packages/samba/domain_update.py
+usr/lib/python3.8/site-packages/samba/drs_utils.py
+#usr/lib/python3.8/site-packages/samba/emulate
+usr/lib/python3.8/site-packages/samba/emulate/__init__.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic_packets.py
+usr/lib/python3.8/site-packages/samba/forest_update.py
+usr/lib/python3.8/site-packages/samba/gensec.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/getopt.py
+usr/lib/python3.8/site-packages/samba/gp_ext_loader.py
+#usr/lib/python3.8/site-packages/samba/gp_parse
+usr/lib/python3.8/site-packages/samba/gp_parse/__init__.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_aas.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_csv.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_inf.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_ini.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_pol.py
+usr/lib/python3.8/site-packages/samba/gp_scripts_ext.py
+usr/lib/python3.8/site-packages/samba/gp_sec_ext.py
+usr/lib/python3.8/site-packages/samba/gpclass.py
+usr/lib/python3.8/site-packages/samba/gpo.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/graph.py
+usr/lib/python3.8/site-packages/samba/hostconfig.py
+usr/lib/python3.8/site-packages/samba/idmap.py
+usr/lib/python3.8/site-packages/samba/join.py
+#usr/lib/python3.8/site-packages/samba/kcc
+usr/lib/python3.8/site-packages/samba/kcc/__init__.py
+usr/lib/python3.8/site-packages/samba/kcc/debug.py
+usr/lib/python3.8/site-packages/samba/kcc/graph.py
+usr/lib/python3.8/site-packages/samba/kcc/graph_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/kcc_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.8/site-packages/samba/logger.py
+usr/lib/python3.8/site-packages/samba/mdb_util.py
+usr/lib/python3.8/site-packages/samba/messaging.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/ms_display_specifiers.py
+usr/lib/python3.8/site-packages/samba/ms_forest_updates_markdown.py
+usr/lib/python3.8/site-packages/samba/ms_schema.py
+usr/lib/python3.8/site-packages/samba/ms_schema_markdown.py
+usr/lib/python3.8/site-packages/samba/ndr.py
+usr/lib/python3.8/site-packages/samba/net.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/netbios.cpython-38-arm-linux-gnueabi.so
+#usr/lib/python3.8/site-packages/samba/netcmd
+usr/lib/python3.8/site-packages/samba/netcmd/__init__.py
+usr/lib/python3.8/site-packages/samba/netcmd/common.py
+usr/lib/python3.8/site-packages/samba/netcmd/computer.py
+usr/lib/python3.8/site-packages/samba/netcmd/contact.py
+usr/lib/python3.8/site-packages/samba/netcmd/dbcheck.py
+usr/lib/python3.8/site-packages/samba/netcmd/delegation.py
+usr/lib/python3.8/site-packages/samba/netcmd/dns.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain_backup.py
+usr/lib/python3.8/site-packages/samba/netcmd/drs.py
+usr/lib/python3.8/site-packages/samba/netcmd/dsacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/forest.py
+usr/lib/python3.8/site-packages/samba/netcmd/fsmo.py
+usr/lib/python3.8/site-packages/samba/netcmd/gpo.py
+usr/lib/python3.8/site-packages/samba/netcmd/group.py
+usr/lib/python3.8/site-packages/samba/netcmd/ldapcmp.py
+usr/lib/python3.8/site-packages/samba/netcmd/main.py
+usr/lib/python3.8/site-packages/samba/netcmd/nettime.py
+usr/lib/python3.8/site-packages/samba/netcmd/ntacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/ou.py
+usr/lib/python3.8/site-packages/samba/netcmd/processes.py
+usr/lib/python3.8/site-packages/samba/netcmd/pso.py
+usr/lib/python3.8/site-packages/samba/netcmd/rodc.py
+usr/lib/python3.8/site-packages/samba/netcmd/schema.py
+usr/lib/python3.8/site-packages/samba/netcmd/sites.py
+usr/lib/python3.8/site-packages/samba/netcmd/spn.py
+usr/lib/python3.8/site-packages/samba/netcmd/testparm.py
+usr/lib/python3.8/site-packages/samba/netcmd/user.py
+usr/lib/python3.8/site-packages/samba/netcmd/visualize.py
+usr/lib/python3.8/site-packages/samba/ntacls.py
+usr/lib/python3.8/site-packages/samba/ntstatus.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/param.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/policy.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/posix_eadb.cpython-38-arm-linux-gnueabi.so
+#usr/lib/python3.8/site-packages/samba/provision
+usr/lib/python3.8/site-packages/samba/provision/__init__.py
+usr/lib/python3.8/site-packages/samba/provision/backend.py
+usr/lib/python3.8/site-packages/samba/provision/common.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos_implementation.py
+usr/lib/python3.8/site-packages/samba/provision/sambadns.py
+usr/lib/python3.8/site-packages/samba/registry.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/remove_dc.py
+#usr/lib/python3.8/site-packages/samba/samba3
+usr/lib/python3.8/site-packages/samba/samba3/__init__.py
+usr/lib/python3.8/site-packages/samba/samba3/libsmb_samba_internal.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/samba3/mdscli.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/samba3/param.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/samba3/passdb.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/samba3/smbd.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/samdb.py
+usr/lib/python3.8/site-packages/samba/schema.py
+usr/lib/python3.8/site-packages/samba/sd_utils.py
+usr/lib/python3.8/site-packages/samba/security.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/sites.py
+usr/lib/python3.8/site-packages/samba/subnets.py
+#usr/lib/python3.8/site-packages/samba/subunit
+usr/lib/python3.8/site-packages/samba/subunit/__init__.py
+usr/lib/python3.8/site-packages/samba/subunit/run.py
+usr/lib/python3.8/site-packages/samba/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests
+#usr/lib/python3.8/site-packages/samba/tests/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_ncalrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon_bad_creds.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_samlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/bug13653.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/check_output.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/downgradedatabase.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/mdfind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/ndrdump.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/netads_json.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/samba_dnsupdate.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls_basic.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol_process.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_learner.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_replay.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_summary.py
+#usr/lib/python3.8/site-packages/samba/tests/common.py
+#usr/lib/python3.8/site-packages/samba/tests/complex_expressions.py
+#usr/lib/python3.8/site-packages/samba/tests/core.py
+#usr/lib/python3.8/site-packages/samba/tests/credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/array.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/bare.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/dnsserver.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/integer.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/mdssvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/misc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_protocol.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpc_talloc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpcecho.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/sam.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/srvsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/string_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/testrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/unix.py
+#usr/lib/python3.8/site-packages/samba/tests/dckeytab.py
+#usr/lib/python3.8/site-packages/samba/tests/dns.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_base.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers/server.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_invalid.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_tkey.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_wildcard.py
+#usr/lib/python3.8/site-packages/samba/tests/docs.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup_offline.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_lock.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_schema_attributes.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate
+#usr/lib/python3.8/site-packages/samba/tests/emulate/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/encrypted_secrets.py
+#usr/lib/python3.8/site-packages/samba/tests/gensec.py
+#usr/lib/python3.8/site-packages/samba/tests/get_opt.py
+#usr/lib/python3.8/site-packages/samba/tests/getdcname.py
+#usr/lib/python3.8/site-packages/samba/tests/glue.py
+#usr/lib/python3.8/site-packages/samba/tests/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/group_audit.py
+#usr/lib/python3.8/site-packages/samba/tests/hostconfig.py
+#usr/lib/python3.8/site-packages/samba/tests/join.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc
+#usr/lib/python3.8/site-packages/samba/tests/kcc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/kcc_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/ldif_import_export.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5
+#usr/lib/python3.8/site-packages/samba/tests/krb5/kcrypto.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/rfc4120_pyasn1.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/s4u_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/simple_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/xrealm_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_raw.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_referrals.py
+#usr/lib/python3.8/site-packages/samba/tests/libsmb.py
+#usr/lib/python3.8/site-packages/samba/tests/loadparm.py
+#usr/lib/python3.8/site-packages/samba/tests/lsa_string.py
+#usr/lib/python3.8/site-packages/samba/tests/messaging.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join_no_spnego.py
+#usr/lib/python3.8/site-packages/samba/tests/netbios.py
+#usr/lib/python3.8/site-packages/samba/tests/netcmd.py
+#usr/lib/python3.8/site-packages/samba/tests/netlogonsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_base.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_krb5.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlmdisabled.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_chauthtok.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_warn_pwd_expire.py
+#usr/lib/python3.8/site-packages/samba/tests/param.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2003.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2008.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_gpgme.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_ldap.py
+#usr/lib/python3.8/site-packages/samba/tests/password_quality.py
+#usr/lib/python3.8/site-packages/samba/tests/password_test.py
+#usr/lib/python3.8/site-packages/samba/tests/policy.py
+#usr/lib/python3.8/site-packages/samba/tests/posixacl.py
+#usr/lib/python3.8/site-packages/samba/tests/prefork_restart.py
+#usr/lib/python3.8/site-packages/samba/tests/process_limits.py
+#usr/lib/python3.8/site-packages/samba/tests/provision.py
+#usr/lib/python3.8/site-packages/samba/tests/pso.py
+#usr/lib/python3.8/site-packages/samba/tests/py_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3idmapdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3param.py
+#usr/lib/python3.8/site-packages/samba/tests/s3passdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3windb.py
+#usr/lib/python3.8/site-packages/samba/tests/samba3sam.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/computer.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/contact.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/demote.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dnscmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dsacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/forest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/fsmo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/group.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/help.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ntacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ou.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/passwordsettings.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/processes.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/promote_dc_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_password_check.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/rodc.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/schema.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/sites.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/timecmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_wdigest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize_drs.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_upgradedns_lmdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb_api.py
+#usr/lib/python3.8/site-packages/samba/tests/security.py
+#usr/lib/python3.8/site-packages/samba/tests/segfault.py
+#usr/lib/python3.8/site-packages/samba/tests/smb.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_base.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_fuzztest.py
+#usr/lib/python3.8/site-packages/samba/tests/source.py
+#usr/lib/python3.8/site-packages/samba/tests/strings.py
+#usr/lib/python3.8/site-packages/samba/tests/subunitrun.py
+#usr/lib/python3.8/site-packages/samba/tests/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests/upgrade.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovision.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovisionneeddc.py
+#usr/lib/python3.8/site-packages/samba/tests/usage.py
+#usr/lib/python3.8/site-packages/samba/tests/xattr.py
+#usr/lib/python3.8/site-packages/samba/third_party
+usr/lib/python3.8/site-packages/samba/third_party/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/iso8601.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/test_iso8601.py
+usr/lib/python3.8/site-packages/samba/upgrade.py
+usr/lib/python3.8/site-packages/samba/upgradehelpers.py
+usr/lib/python3.8/site-packages/samba/uptodateness.py
+usr/lib/python3.8/site-packages/samba/werror.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/xattr.py
+usr/lib/python3.8/site-packages/samba/xattr_native.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/samba/xattr_tdb.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/talloc.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/tdb.cpython-38-arm-linux-gnueabi.so
+usr/lib/python3.8/site-packages/tevent.py
+#usr/lib/samba
+usr/lib/samba/idmap
+usr/lib/samba/idmap/ad.so
+usr/lib/samba/idmap/autorid.so
+usr/lib/samba/idmap/hash.so
+usr/lib/samba/idmap/rfc2307.so
+usr/lib/samba/idmap/rid.so
+usr/lib/samba/idmap/script.so
+usr/lib/samba/idmap/tdb2.so
+#usr/lib/samba/krb5
+usr/lib/samba/krb5/winbind_krb5_locator.so
+#usr/lib/samba/ldb
+usr/lib/samba/ldb/asq.so
+usr/lib/samba/ldb/ildap.so
+usr/lib/samba/ldb/ldb.so
+usr/lib/samba/ldb/ldbsamba_extensions.so
+usr/lib/samba/ldb/paged_searches.so
+usr/lib/samba/ldb/rdn_name.so
+usr/lib/samba/ldb/sample.so
+usr/lib/samba/ldb/server_sort.so
+usr/lib/samba/ldb/skel.so
+usr/lib/samba/ldb/tdb.so
+usr/lib/samba/libCHARSET3-samba4.so
+usr/lib/samba/libLIBWBCLIENT-OLD-samba4.so
+usr/lib/samba/libMESSAGING-SEND-samba4.so
+usr/lib/samba/libMESSAGING-samba4.so
+usr/lib/samba/libaddns-samba4.so
+usr/lib/samba/libads-samba4.so
+usr/lib/samba/libasn1-samba4.so.8
+usr/lib/samba/libasn1-samba4.so.8.0.0
+usr/lib/samba/libasn1util-samba4.so
+usr/lib/samba/libauth-samba4.so
+usr/lib/samba/libauth-unix-token-samba4.so
+usr/lib/samba/libauth4-samba4.so
+usr/lib/samba/libauthkrb5-samba4.so
+usr/lib/samba/libcli-cldap-samba4.so
+usr/lib/samba/libcli-ldap-common-samba4.so
+usr/lib/samba/libcli-ldap-samba4.so
+usr/lib/samba/libcli-nbt-samba4.so
+usr/lib/samba/libcli-smb-common-samba4.so
+usr/lib/samba/libcli-spoolss-samba4.so
+usr/lib/samba/libcliauth-samba4.so
+usr/lib/samba/libclidns-samba4.so
+usr/lib/samba/libcluster-samba4.so
+usr/lib/samba/libcmdline-contexts-samba4.so
+usr/lib/samba/libcmdline-credentials-samba4.so
+usr/lib/samba/libcmocka-samba4.so
+usr/lib/samba/libcom_err-samba4.so.0
+usr/lib/samba/libcom_err-samba4.so.0.25
+usr/lib/samba/libcommon-auth-samba4.so
+usr/lib/samba/libdbwrap-samba4.so
+usr/lib/samba/libdcerpc-samba-samba4.so
+usr/lib/samba/libdcerpc-samba4.so
+usr/lib/samba/libdsdb-module-samba4.so
+usr/lib/samba/libevents-samba4.so
+usr/lib/samba/libflag-mapping-samba4.so
+usr/lib/samba/libgenrand-samba4.so
+usr/lib/samba/libgensec-samba4.so
+usr/lib/samba/libgpext-samba4.so
+usr/lib/samba/libgpo-samba4.so
+usr/lib/samba/libgse-samba4.so
+usr/lib/samba/libgssapi-samba4.so.2
+usr/lib/samba/libgssapi-samba4.so.2.0.0
+usr/lib/samba/libhcrypto-samba4.so.5
+usr/lib/samba/libhcrypto-samba4.so.5.0.1
+usr/lib/samba/libhdb-samba4.so.11
+usr/lib/samba/libhdb-samba4.so.11.0.2
+usr/lib/samba/libheimbase-samba4.so.1
+usr/lib/samba/libheimbase-samba4.so.1.0.0
+usr/lib/samba/libheimntlm-samba4.so.1
+usr/lib/samba/libheimntlm-samba4.so.1.0.1
+usr/lib/samba/libhttp-samba4.so
+usr/lib/samba/libhx509-samba4.so.5
+usr/lib/samba/libhx509-samba4.so.5.0.0
+usr/lib/samba/libidmap-samba4.so
+usr/lib/samba/libinterfaces-samba4.so
+usr/lib/samba/libiov-buf-samba4.so
+usr/lib/samba/libkdc-samba4.so.2
+usr/lib/samba/libkdc-samba4.so.2.0.0
+usr/lib/samba/libkrb5-samba4.so.26
+usr/lib/samba/libkrb5-samba4.so.26.0.0
+usr/lib/samba/libkrb5samba-samba4.so
+usr/lib/samba/libldb-cmdline-samba4.so
+usr/lib/samba/libldb-key-value-samba4.so
+usr/lib/samba/libldb-tdb-err-map-samba4.so
+usr/lib/samba/libldb-tdb-int-samba4.so
+usr/lib/samba/libldb.so.2
+usr/lib/samba/libldb.so.2.2.0
+usr/lib/samba/libldbsamba-samba4.so
+usr/lib/samba/liblibcli-lsa3-samba4.so
+usr/lib/samba/liblibcli-netlogon3-samba4.so
+usr/lib/samba/liblibsmb-samba4.so
+usr/lib/samba/libmessages-dgm-samba4.so
+usr/lib/samba/libmessages-util-samba4.so
+usr/lib/samba/libmsghdr-samba4.so
+usr/lib/samba/libmsrpc3-samba4.so
+usr/lib/samba/libndr-samba-samba4.so
+usr/lib/samba/libndr-samba4.so
+usr/lib/samba/libnet-keytab-samba4.so
+usr/lib/samba/libnetif-samba4.so
+usr/lib/samba/libnpa-tstream-samba4.so
+usr/lib/samba/libnss-info-samba4.so
+usr/lib/samba/libpopt-samba3-cmdline-samba4.so
+usr/lib/samba/libpopt-samba3-samba4.so
+usr/lib/samba/libposix-eadb-samba4.so
+usr/lib/samba/libprinter-driver-samba4.so
+usr/lib/samba/libprinting-migrate-samba4.so
+usr/lib/samba/libpyldb-util.cpython-38-arm-linux-gnueabi.so.2
+usr/lib/samba/libpyldb-util.cpython-38-arm-linux-gnueabi.so.2.2.0
+usr/lib/samba/libpytalloc-util.cpython-38-arm-linux-gnueabi.so.2
+usr/lib/samba/libpytalloc-util.cpython-38-arm-linux-gnueabi.so.2.3.1
+usr/lib/samba/libregistry-samba4.so
+usr/lib/samba/libreplace-samba4.so
+usr/lib/samba/libroken-samba4.so.19
+usr/lib/samba/libroken-samba4.so.19.0.1
+usr/lib/samba/libsamba-cluster-support-samba4.so
+usr/lib/samba/libsamba-debug-samba4.so
+usr/lib/samba/libsamba-modules-samba4.so
+usr/lib/samba/libsamba-net.cpython-38-arm-linux-gnueabi-samba4.so
+usr/lib/samba/libsamba-python.cpython-38-arm-linux-gnueabi-samba4.so
+usr/lib/samba/libsamba-security-samba4.so
+usr/lib/samba/libsamba-sockets-samba4.so
+usr/lib/samba/libsamba3-util-samba4.so
+usr/lib/samba/libsamdb-common-samba4.so
+usr/lib/samba/libsecrets3-samba4.so
+usr/lib/samba/libserver-id-db-samba4.so
+usr/lib/samba/libserver-role-samba4.so
+usr/lib/samba/libshares-samba4.so
+usr/lib/samba/libsmb-transport-samba4.so
+usr/lib/samba/libsmbclient-raw-samba4.so
+usr/lib/samba/libsmbd-base-samba4.so
+usr/lib/samba/libsmbd-conn-samba4.so
+usr/lib/samba/libsmbd-shim-samba4.so
+usr/lib/samba/libsmbldaphelper-samba4.so
+usr/lib/samba/libsmbpasswdparser-samba4.so
+usr/lib/samba/libsocket-blocking-samba4.so
+usr/lib/samba/libsys-rw-samba4.so
+usr/lib/samba/libtalloc-report-printf-samba4.so
+usr/lib/samba/libtalloc-report-samba4.so
+usr/lib/samba/libtalloc.so.2
+usr/lib/samba/libtalloc.so.2.3.1
+usr/lib/samba/libtdb-wrap-samba4.so
+usr/lib/samba/libtdb.so.1
+usr/lib/samba/libtdb.so.1.4.3
+usr/lib/samba/libtevent.so.0
+usr/lib/samba/libtevent.so.0.10.2
+usr/lib/samba/libtime-basic-samba4.so
+usr/lib/samba/libtorture-samba4.so
+usr/lib/samba/libtrusts-util-samba4.so
+usr/lib/samba/libutil-cmdline-samba4.so
+usr/lib/samba/libutil-reg-samba4.so
+usr/lib/samba/libutil-setid-samba4.so
+usr/lib/samba/libutil-tdb-samba4.so
+usr/lib/samba/libwinbind-client-samba4.so
+usr/lib/samba/libwind-samba4.so.0
+usr/lib/samba/libwind-samba4.so.0.0.0
+usr/lib/samba/libxattr-tdb-samba4.so
+usr/lib/samba/nss_info
+usr/lib/samba/nss_info/hash.so
+usr/lib/samba/nss_info/rfc2307.so
+usr/lib/samba/nss_info/sfu.so
+usr/lib/samba/nss_info/sfu20.so
+#usr/lib/samba/vfs
+usr/lib/samba/vfs/acl_tdb.so
+usr/lib/samba/vfs/acl_xattr.so
+usr/lib/samba/vfs/aio_fork.so
+usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/audit.so
+usr/lib/samba/vfs/btrfs.so
+usr/lib/samba/vfs/cap.so
+usr/lib/samba/vfs/catia.so
+usr/lib/samba/vfs/commit.so
+usr/lib/samba/vfs/crossrename.so
+usr/lib/samba/vfs/default_quota.so
+usr/lib/samba/vfs/dirsort.so
+usr/lib/samba/vfs/expand_msdfs.so
+usr/lib/samba/vfs/extd_audit.so
+usr/lib/samba/vfs/fake_perms.so
+usr/lib/samba/vfs/fileid.so
+usr/lib/samba/vfs/fruit.so
+usr/lib/samba/vfs/full_audit.so
+usr/lib/samba/vfs/glusterfs_fuse.so
+usr/lib/samba/vfs/gpfs.so
+usr/lib/samba/vfs/linux_xfs_sgid.so
+usr/lib/samba/vfs/media_harmony.so
+usr/lib/samba/vfs/offline.so
+usr/lib/samba/vfs/preopen.so
+usr/lib/samba/vfs/readahead.so
+usr/lib/samba/vfs/readonly.so
+usr/lib/samba/vfs/recycle.so
+usr/lib/samba/vfs/shadow_copy.so
+usr/lib/samba/vfs/shadow_copy2.so
+usr/lib/samba/vfs/shell_snap.so
+usr/lib/samba/vfs/snapper.so
+usr/lib/samba/vfs/streams_depot.so
+usr/lib/samba/vfs/streams_xattr.so
+usr/lib/samba/vfs/syncops.so
+usr/lib/samba/vfs/time_audit.so
+usr/lib/samba/vfs/unityed_media.so
+usr/lib/samba/vfs/virusfilter.so
+usr/lib/samba/vfs/widelinks.so
+usr/lib/samba/vfs/worm.so
+usr/lib/samba/vfs/xattr_tdb.so
+usr/lib/security
+usr/lib/security/pam_winbind.so
+#usr/libexec/samba
+usr/libexec/samba/smbspool_krb5_wrapper
+usr/sbin/eventlogadm
+usr/sbin/nmbd
+usr/sbin/samba-gpupdate
+usr/sbin/smbd
+usr/sbin/winbindd
+var/ipfire/backup/addons/includes/samba
+#var/ipfire/samba
+var/ipfire/samba/default.global
+var/ipfire/samba/default.pdc
+var/ipfire/samba/default.printer
+var/ipfire/samba/default.settings
+var/ipfire/samba/default.shares
+var/ipfire/samba/global
+var/ipfire/samba/pdc
+var/ipfire/samba/printer
+#var/ipfire/samba/private
+var/ipfire/samba/private/secrets.tdb
+var/ipfire/samba/private/smbpasswd
+var/ipfire/samba/settings
+var/ipfire/samba/shares
+var/ipfire/samba/smb.conf
+var/ipfire/samba/smb.conf.default
+var/lib/samba
+var/lib/samba/bind-dns
+var/lib/samba/private
+var/lib/samba/winbindd_privileged
+var/log/samba
+var/nmbd
+srv/web/ipfire/cgi-bin/samba.cgi
+srv/web/ipfire/cgi-bin/sambahlp.cgi
+var/ipfire/menu.d/EX-samba.menu
+usr/local/bin/sambactrl
diff --git a/config/rootfiles/packages/i586/samba b/config/rootfiles/packages/i586/samba
new file mode 100644
index 000000000..089f6981d
--- /dev/null
+++ b/config/rootfiles/packages/i586/samba
@@ -0,0 +1,820 @@ 
+etc/rc.d/init.d/samba
+usr/bin/cifsdd
+usr/bin/dbwrap_tool
+usr/bin/findsmb
+usr/bin/gentest
+usr/bin/ldbadd
+usr/bin/ldbdel
+usr/bin/ldbedit
+usr/bin/ldbmodify
+usr/bin/ldbrename
+usr/bin/ldbsearch
+usr/bin/locktest
+usr/bin/masktest
+usr/bin/mdfind
+usr/bin/mvxattr
+usr/bin/ndrdump
+usr/bin/net
+usr/bin/nmblookup
+usr/bin/ntlm_auth
+usr/bin/oLschema2ldif
+usr/bin/pdbedit
+usr/bin/profiles
+usr/bin/regdiff
+usr/bin/regpatch
+usr/bin/regshell
+usr/bin/regtree
+usr/bin/rpcclient
+usr/bin/samba-regedit
+usr/bin/sharesec
+usr/bin/smbcacls
+usr/bin/smbclient
+usr/bin/smbcontrol
+usr/bin/smbcquotas
+usr/bin/smbget
+usr/bin/smbpasswd
+usr/bin/smbspool
+usr/bin/smbstatus
+usr/bin/smbtar
+usr/bin/smbtorture
+usr/bin/smbtree
+usr/bin/tdbbackup
+usr/bin/tdbdump
+usr/bin/tdbrestore
+usr/bin/tdbtool
+usr/bin/testparm
+usr/bin/wbinfo
+#usr/include/samba-4.0
+#usr/include/samba-4.0/charset.h
+#usr/include/samba-4.0/core
+#usr/include/samba-4.0/core/doserr.h
+#usr/include/samba-4.0/core/error.h
+#usr/include/samba-4.0/core/hresult.h
+#usr/include/samba-4.0/core/ntstatus.h
+#usr/include/samba-4.0/core/ntstatus_gen.h
+#usr/include/samba-4.0/core/werror.h
+#usr/include/samba-4.0/core/werror_gen.h
+#usr/include/samba-4.0/credentials.h
+#usr/include/samba-4.0/dcerpc.h
+#usr/include/samba-4.0/dcesrv_core.h
+#usr/include/samba-4.0/domain_credentials.h
+#usr/include/samba-4.0/gen_ndr
+#usr/include/samba-4.0/gen_ndr/atsvc.h
+#usr/include/samba-4.0/gen_ndr/auth.h
+#usr/include/samba-4.0/gen_ndr/dcerpc.h
+#usr/include/samba-4.0/gen_ndr/drsblobs.h
+#usr/include/samba-4.0/gen_ndr/drsuapi.h
+#usr/include/samba-4.0/gen_ndr/krb5pac.h
+#usr/include/samba-4.0/gen_ndr/lsa.h
+#usr/include/samba-4.0/gen_ndr/misc.h
+#usr/include/samba-4.0/gen_ndr/nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_atsvc.h
+#usr/include/samba-4.0/gen_ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/gen_ndr/ndr_misc.h
+#usr/include/samba-4.0/gen_ndr/ndr_nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr_c.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl_c.h
+#usr/include/samba-4.0/gen_ndr/netlogon.h
+#usr/include/samba-4.0/gen_ndr/samr.h
+#usr/include/samba-4.0/gen_ndr/security.h
+#usr/include/samba-4.0/gen_ndr/server_id.h
+#usr/include/samba-4.0/gen_ndr/svcctl.h
+#usr/include/samba-4.0/ldb_wrap.h
+#usr/include/samba-4.0/libsmbclient.h
+#usr/include/samba-4.0/lookup_sid.h
+#usr/include/samba-4.0/machine_sid.h
+#usr/include/samba-4.0/ndr
+#usr/include/samba-4.0/ndr.h
+#usr/include/samba-4.0/ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/ndr/ndr_nbt.h
+#usr/include/samba-4.0/ndr/ndr_svcctl.h
+#usr/include/samba-4.0/netapi.h
+#usr/include/samba-4.0/param.h
+#usr/include/samba-4.0/passdb.h
+#usr/include/samba-4.0/policy.h
+#usr/include/samba-4.0/rpc_common.h
+#usr/include/samba-4.0/samba
+#usr/include/samba-4.0/samba/session.h
+#usr/include/samba-4.0/samba/version.h
+#usr/include/samba-4.0/share.h
+#usr/include/samba-4.0/smb2_lease_struct.h
+#usr/include/samba-4.0/smb_ldap.h
+#usr/include/samba-4.0/smbconf.h
+#usr/include/samba-4.0/smbldap.h
+#usr/include/samba-4.0/tdr.h
+#usr/include/samba-4.0/tsocket.h
+#usr/include/samba-4.0/tsocket_internal.h
+#usr/include/samba-4.0/util
+#usr/include/samba-4.0/util/attr.h
+#usr/include/samba-4.0/util/blocking.h
+#usr/include/samba-4.0/util/data_blob.h
+#usr/include/samba-4.0/util/debug.h
+#usr/include/samba-4.0/util/discard.h
+#usr/include/samba-4.0/util/fault.h
+#usr/include/samba-4.0/util/genrand.h
+#usr/include/samba-4.0/util/idtree.h
+#usr/include/samba-4.0/util/idtree_random.h
+#usr/include/samba-4.0/util/signal.h
+#usr/include/samba-4.0/util/string_wrappers.h
+#usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/tevent_ntstatus.h
+#usr/include/samba-4.0/util/tevent_unix.h
+#usr/include/samba-4.0/util/tevent_werror.h
+#usr/include/samba-4.0/util/tfork.h
+#usr/include/samba-4.0/util/time.h
+#usr/include/samba-4.0/util_ldb.h
+#usr/include/samba-4.0/wbclient.h
+usr/lib/libdcerpc-binding.so
+usr/lib/libdcerpc-binding.so.0
+usr/lib/libdcerpc-binding.so.0.0.1
+usr/lib/libdcerpc-samr.so
+usr/lib/libdcerpc-samr.so.0
+usr/lib/libdcerpc-samr.so.0.0.1
+usr/lib/libdcerpc-server-core.so
+usr/lib/libdcerpc-server-core.so.0
+usr/lib/libdcerpc-server-core.so.0.0.1
+usr/lib/libdcerpc.so
+usr/lib/libdcerpc.so.0
+usr/lib/libdcerpc.so.0.0.1
+usr/lib/libndr-krb5pac.so
+usr/lib/libndr-krb5pac.so.0
+usr/lib/libndr-krb5pac.so.0.0.1
+usr/lib/libndr-nbt.so
+usr/lib/libndr-nbt.so.0
+usr/lib/libndr-nbt.so.0.0.1
+usr/lib/libndr-standard.so
+usr/lib/libndr-standard.so.0
+usr/lib/libndr-standard.so.0.0.1
+usr/lib/libndr.so
+usr/lib/libndr.so.1
+usr/lib/libndr.so.1.0.0
+usr/lib/libnetapi.so
+usr/lib/libnetapi.so.0
+usr/lib/libnss_winbind.so
+usr/lib/libnss_winbind.so.2
+usr/lib/libnss_wins.so
+usr/lib/libnss_wins.so.2
+usr/lib/libsamba-credentials.so
+usr/lib/libsamba-credentials.so.0
+usr/lib/libsamba-credentials.so.0.0.1
+usr/lib/libsamba-errors.so
+usr/lib/libsamba-errors.so.1
+usr/lib/libsamba-hostconfig.so
+usr/lib/libsamba-hostconfig.so.0
+usr/lib/libsamba-hostconfig.so.0.0.1
+usr/lib/libsamba-passdb.so
+usr/lib/libsamba-passdb.so.0
+usr/lib/libsamba-passdb.so.0.28.0
+usr/lib/libsamba-policy.cpython-38-i386-linux-gnu.so
+usr/lib/libsamba-policy.cpython-38-i386-linux-gnu.so.0
+usr/lib/libsamba-policy.cpython-38-i386-linux-gnu.so.0.0.1
+usr/lib/libsamba-util.so
+usr/lib/libsamba-util.so.0
+usr/lib/libsamba-util.so.0.0.1
+usr/lib/libsamdb.so
+usr/lib/libsamdb.so.0
+usr/lib/libsamdb.so.0.0.1
+usr/lib/libsmbclient.so
+usr/lib/libsmbclient.so.0
+usr/lib/libsmbclient.so.0.6.0
+usr/lib/libsmbconf.so
+usr/lib/libsmbconf.so.0
+usr/lib/libsmbldap.so
+usr/lib/libsmbldap.so.2
+usr/lib/libtevent-util.so
+usr/lib/libtevent-util.so.0
+usr/lib/libtevent-util.so.0.0.1
+usr/lib/libwbclient.so
+usr/lib/libwbclient.so.0
+usr/lib/libwbclient.so.0.15
+#usr/lib/pkgconfig/dcerpc.pc
+#usr/lib/pkgconfig/dcerpc_samr.pc
+#usr/lib/pkgconfig/ndr.pc
+#usr/lib/pkgconfig/ndr_krb5pac.pc
+#usr/lib/pkgconfig/ndr_nbt.pc
+#usr/lib/pkgconfig/ndr_standard.pc
+#usr/lib/pkgconfig/netapi.pc
+#usr/lib/pkgconfig/samba-credentials.pc
+#usr/lib/pkgconfig/samba-hostconfig.pc
+#usr/lib/pkgconfig/samba-policy.cpython-38-i386-linux-gnu.pc
+#usr/lib/pkgconfig/samba-util.pc
+#usr/lib/pkgconfig/samdb.pc
+#usr/lib/pkgconfig/smbclient.pc
+#usr/lib/pkgconfig/wbclient.pc
+usr/lib/python3.8/site-packages/_ldb_text.py
+usr/lib/python3.8/site-packages/_tdb_text.py
+usr/lib/python3.8/site-packages/_tevent.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/ldb.cpython-38-i386-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba
+usr/lib/python3.8/site-packages/samba/__init__.py
+usr/lib/python3.8/site-packages/samba/_glue.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/_ldb.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth_util.py
+usr/lib/python3.8/site-packages/samba/colour.py
+usr/lib/python3.8/site-packages/samba/common.py
+usr/lib/python3.8/site-packages/samba/compat.py
+usr/lib/python3.8/site-packages/samba/credentials.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/crypto.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dbchecker.py
+#usr/lib/python3.8/site-packages/samba/dcerpc
+usr/lib/python3.8/site-packages/samba/dcerpc/__init__.py
+usr/lib/python3.8/site-packages/samba/dcerpc/atsvc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/auth.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/base.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dcerpc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dfs.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dns.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsp.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsserver.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsblobs.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsuapi.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/echo.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/epmapper.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/idmap.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/initshutdown.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/irpc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/krb5pac.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/lsa.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mdssvc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/messaging.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mgmt.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/misc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/nbt.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/netlogon.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/ntlmssp.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/preg.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/samr.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/security.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/server_id.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/smb_acl.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/spoolss.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/srvsvc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/svcctl.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/unixinfo.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winbind.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/windows_event_ids.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winreg.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winspool.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/witness.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/wkssvc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/xattr.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/descriptor.py
+usr/lib/python3.8/site-packages/samba/dnsserver.py
+usr/lib/python3.8/site-packages/samba/domain_update.py
+usr/lib/python3.8/site-packages/samba/drs_utils.py
+#usr/lib/python3.8/site-packages/samba/emulate
+usr/lib/python3.8/site-packages/samba/emulate/__init__.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic_packets.py
+usr/lib/python3.8/site-packages/samba/forest_update.py
+usr/lib/python3.8/site-packages/samba/gensec.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/getopt.py
+usr/lib/python3.8/site-packages/samba/gp_ext_loader.py
+#usr/lib/python3.8/site-packages/samba/gp_parse
+usr/lib/python3.8/site-packages/samba/gp_parse/__init__.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_aas.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_csv.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_inf.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_ini.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_pol.py
+usr/lib/python3.8/site-packages/samba/gp_scripts_ext.py
+usr/lib/python3.8/site-packages/samba/gp_sec_ext.py
+usr/lib/python3.8/site-packages/samba/gpclass.py
+usr/lib/python3.8/site-packages/samba/gpo.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/graph.py
+usr/lib/python3.8/site-packages/samba/hostconfig.py
+usr/lib/python3.8/site-packages/samba/idmap.py
+usr/lib/python3.8/site-packages/samba/join.py
+#usr/lib/python3.8/site-packages/samba/kcc
+usr/lib/python3.8/site-packages/samba/kcc/__init__.py
+usr/lib/python3.8/site-packages/samba/kcc/debug.py
+usr/lib/python3.8/site-packages/samba/kcc/graph.py
+usr/lib/python3.8/site-packages/samba/kcc/graph_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/kcc_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.8/site-packages/samba/logger.py
+usr/lib/python3.8/site-packages/samba/mdb_util.py
+usr/lib/python3.8/site-packages/samba/messaging.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/ms_display_specifiers.py
+usr/lib/python3.8/site-packages/samba/ms_forest_updates_markdown.py
+usr/lib/python3.8/site-packages/samba/ms_schema.py
+usr/lib/python3.8/site-packages/samba/ms_schema_markdown.py
+usr/lib/python3.8/site-packages/samba/ndr.py
+usr/lib/python3.8/site-packages/samba/net.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/netbios.cpython-38-i386-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/netcmd
+usr/lib/python3.8/site-packages/samba/netcmd/__init__.py
+usr/lib/python3.8/site-packages/samba/netcmd/common.py
+usr/lib/python3.8/site-packages/samba/netcmd/computer.py
+usr/lib/python3.8/site-packages/samba/netcmd/contact.py
+usr/lib/python3.8/site-packages/samba/netcmd/dbcheck.py
+usr/lib/python3.8/site-packages/samba/netcmd/delegation.py
+usr/lib/python3.8/site-packages/samba/netcmd/dns.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain_backup.py
+usr/lib/python3.8/site-packages/samba/netcmd/drs.py
+usr/lib/python3.8/site-packages/samba/netcmd/dsacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/forest.py
+usr/lib/python3.8/site-packages/samba/netcmd/fsmo.py
+usr/lib/python3.8/site-packages/samba/netcmd/gpo.py
+usr/lib/python3.8/site-packages/samba/netcmd/group.py
+usr/lib/python3.8/site-packages/samba/netcmd/ldapcmp.py
+usr/lib/python3.8/site-packages/samba/netcmd/main.py
+usr/lib/python3.8/site-packages/samba/netcmd/nettime.py
+usr/lib/python3.8/site-packages/samba/netcmd/ntacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/ou.py
+usr/lib/python3.8/site-packages/samba/netcmd/processes.py
+usr/lib/python3.8/site-packages/samba/netcmd/pso.py
+usr/lib/python3.8/site-packages/samba/netcmd/rodc.py
+usr/lib/python3.8/site-packages/samba/netcmd/schema.py
+usr/lib/python3.8/site-packages/samba/netcmd/sites.py
+usr/lib/python3.8/site-packages/samba/netcmd/spn.py
+usr/lib/python3.8/site-packages/samba/netcmd/testparm.py
+usr/lib/python3.8/site-packages/samba/netcmd/user.py
+usr/lib/python3.8/site-packages/samba/netcmd/visualize.py
+usr/lib/python3.8/site-packages/samba/ntacls.py
+usr/lib/python3.8/site-packages/samba/ntstatus.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/param.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/policy.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/posix_eadb.cpython-38-i386-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/provision
+usr/lib/python3.8/site-packages/samba/provision/__init__.py
+usr/lib/python3.8/site-packages/samba/provision/backend.py
+usr/lib/python3.8/site-packages/samba/provision/common.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos_implementation.py
+usr/lib/python3.8/site-packages/samba/provision/sambadns.py
+usr/lib/python3.8/site-packages/samba/registry.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/remove_dc.py
+#usr/lib/python3.8/site-packages/samba/samba3
+usr/lib/python3.8/site-packages/samba/samba3/__init__.py
+usr/lib/python3.8/site-packages/samba/samba3/libsmb_samba_internal.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/mdscli.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/param.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/passdb.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/smbd.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samdb.py
+usr/lib/python3.8/site-packages/samba/schema.py
+usr/lib/python3.8/site-packages/samba/sd_utils.py
+usr/lib/python3.8/site-packages/samba/security.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/sites.py
+usr/lib/python3.8/site-packages/samba/subnets.py
+#usr/lib/python3.8/site-packages/samba/subunit
+usr/lib/python3.8/site-packages/samba/subunit/__init__.py
+usr/lib/python3.8/site-packages/samba/subunit/run.py
+usr/lib/python3.8/site-packages/samba/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests
+#usr/lib/python3.8/site-packages/samba/tests/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_ncalrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon_bad_creds.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_samlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/bug13653.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/check_output.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/downgradedatabase.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/mdfind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/ndrdump.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/netads_json.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/samba_dnsupdate.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls_basic.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol_process.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_learner.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_replay.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_summary.py
+#usr/lib/python3.8/site-packages/samba/tests/common.py
+#usr/lib/python3.8/site-packages/samba/tests/complex_expressions.py
+#usr/lib/python3.8/site-packages/samba/tests/core.py
+#usr/lib/python3.8/site-packages/samba/tests/credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/array.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/bare.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/dnsserver.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/integer.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/mdssvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/misc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_protocol.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpc_talloc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpcecho.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/sam.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/srvsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/string_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/testrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/unix.py
+#usr/lib/python3.8/site-packages/samba/tests/dckeytab.py
+#usr/lib/python3.8/site-packages/samba/tests/dns.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_base.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers/server.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_invalid.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_tkey.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_wildcard.py
+#usr/lib/python3.8/site-packages/samba/tests/docs.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup_offline.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_lock.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_schema_attributes.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate
+#usr/lib/python3.8/site-packages/samba/tests/emulate/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/encrypted_secrets.py
+#usr/lib/python3.8/site-packages/samba/tests/gensec.py
+#usr/lib/python3.8/site-packages/samba/tests/get_opt.py
+#usr/lib/python3.8/site-packages/samba/tests/getdcname.py
+#usr/lib/python3.8/site-packages/samba/tests/glue.py
+#usr/lib/python3.8/site-packages/samba/tests/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/group_audit.py
+#usr/lib/python3.8/site-packages/samba/tests/hostconfig.py
+#usr/lib/python3.8/site-packages/samba/tests/join.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc
+#usr/lib/python3.8/site-packages/samba/tests/kcc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/kcc_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/ldif_import_export.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5
+#usr/lib/python3.8/site-packages/samba/tests/krb5/kcrypto.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/rfc4120_pyasn1.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/s4u_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/simple_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/xrealm_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_raw.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_referrals.py
+#usr/lib/python3.8/site-packages/samba/tests/libsmb.py
+#usr/lib/python3.8/site-packages/samba/tests/loadparm.py
+#usr/lib/python3.8/site-packages/samba/tests/lsa_string.py
+#usr/lib/python3.8/site-packages/samba/tests/messaging.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join_no_spnego.py
+#usr/lib/python3.8/site-packages/samba/tests/netbios.py
+#usr/lib/python3.8/site-packages/samba/tests/netcmd.py
+#usr/lib/python3.8/site-packages/samba/tests/netlogonsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_base.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_krb5.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlmdisabled.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_chauthtok.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_warn_pwd_expire.py
+#usr/lib/python3.8/site-packages/samba/tests/param.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2003.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2008.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_gpgme.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_ldap.py
+#usr/lib/python3.8/site-packages/samba/tests/password_quality.py
+#usr/lib/python3.8/site-packages/samba/tests/password_test.py
+#usr/lib/python3.8/site-packages/samba/tests/policy.py
+#usr/lib/python3.8/site-packages/samba/tests/posixacl.py
+#usr/lib/python3.8/site-packages/samba/tests/prefork_restart.py
+#usr/lib/python3.8/site-packages/samba/tests/process_limits.py
+#usr/lib/python3.8/site-packages/samba/tests/provision.py
+#usr/lib/python3.8/site-packages/samba/tests/pso.py
+#usr/lib/python3.8/site-packages/samba/tests/py_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3idmapdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3param.py
+#usr/lib/python3.8/site-packages/samba/tests/s3passdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3windb.py
+#usr/lib/python3.8/site-packages/samba/tests/samba3sam.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/computer.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/contact.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/demote.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dnscmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dsacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/forest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/fsmo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/group.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/help.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ntacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ou.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/passwordsettings.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/processes.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/promote_dc_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_password_check.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/rodc.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/schema.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/sites.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/timecmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_wdigest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize_drs.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_upgradedns_lmdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb_api.py
+#usr/lib/python3.8/site-packages/samba/tests/security.py
+#usr/lib/python3.8/site-packages/samba/tests/segfault.py
+#usr/lib/python3.8/site-packages/samba/tests/smb.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_base.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_fuzztest.py
+#usr/lib/python3.8/site-packages/samba/tests/source.py
+#usr/lib/python3.8/site-packages/samba/tests/strings.py
+#usr/lib/python3.8/site-packages/samba/tests/subunitrun.py
+#usr/lib/python3.8/site-packages/samba/tests/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests/upgrade.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovision.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovisionneeddc.py
+#usr/lib/python3.8/site-packages/samba/tests/usage.py
+#usr/lib/python3.8/site-packages/samba/tests/xattr.py
+#usr/lib/python3.8/site-packages/samba/third_party
+usr/lib/python3.8/site-packages/samba/third_party/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/iso8601.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/test_iso8601.py
+usr/lib/python3.8/site-packages/samba/upgrade.py
+usr/lib/python3.8/site-packages/samba/upgradehelpers.py
+usr/lib/python3.8/site-packages/samba/uptodateness.py
+usr/lib/python3.8/site-packages/samba/werror.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr.py
+usr/lib/python3.8/site-packages/samba/xattr_native.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr_tdb.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/talloc.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/tdb.cpython-38-i386-linux-gnu.so
+usr/lib/python3.8/site-packages/tevent.py
+#usr/lib/samba
+usr/lib/samba/idmap
+usr/lib/samba/idmap/ad.so
+usr/lib/samba/idmap/autorid.so
+usr/lib/samba/idmap/hash.so
+usr/lib/samba/idmap/rfc2307.so
+usr/lib/samba/idmap/rid.so
+usr/lib/samba/idmap/script.so
+usr/lib/samba/idmap/tdb2.so
+#usr/lib/samba/krb5
+usr/lib/samba/krb5/winbind_krb5_locator.so
+#usr/lib/samba/ldb
+usr/lib/samba/ldb/asq.so
+usr/lib/samba/ldb/ildap.so
+usr/lib/samba/ldb/ldb.so
+usr/lib/samba/ldb/ldbsamba_extensions.so
+usr/lib/samba/ldb/paged_searches.so
+usr/lib/samba/ldb/rdn_name.so
+usr/lib/samba/ldb/sample.so
+usr/lib/samba/ldb/server_sort.so
+usr/lib/samba/ldb/skel.so
+usr/lib/samba/ldb/tdb.so
+usr/lib/samba/libCHARSET3-samba4.so
+usr/lib/samba/libLIBWBCLIENT-OLD-samba4.so
+usr/lib/samba/libMESSAGING-SEND-samba4.so
+usr/lib/samba/libMESSAGING-samba4.so
+usr/lib/samba/libaddns-samba4.so
+usr/lib/samba/libads-samba4.so
+usr/lib/samba/libasn1-samba4.so.8
+usr/lib/samba/libasn1-samba4.so.8.0.0
+usr/lib/samba/libasn1util-samba4.so
+usr/lib/samba/libauth-samba4.so
+usr/lib/samba/libauth-unix-token-samba4.so
+usr/lib/samba/libauth4-samba4.so
+usr/lib/samba/libauthkrb5-samba4.so
+usr/lib/samba/libcli-cldap-samba4.so
+usr/lib/samba/libcli-ldap-common-samba4.so
+usr/lib/samba/libcli-ldap-samba4.so
+usr/lib/samba/libcli-nbt-samba4.so
+usr/lib/samba/libcli-smb-common-samba4.so
+usr/lib/samba/libcli-spoolss-samba4.so
+usr/lib/samba/libcliauth-samba4.so
+usr/lib/samba/libclidns-samba4.so
+usr/lib/samba/libcluster-samba4.so
+usr/lib/samba/libcmdline-contexts-samba4.so
+usr/lib/samba/libcmdline-credentials-samba4.so
+usr/lib/samba/libcmocka-samba4.so
+usr/lib/samba/libcom_err-samba4.so.0
+usr/lib/samba/libcom_err-samba4.so.0.25
+usr/lib/samba/libcommon-auth-samba4.so
+usr/lib/samba/libdbwrap-samba4.so
+usr/lib/samba/libdcerpc-samba-samba4.so
+usr/lib/samba/libdcerpc-samba4.so
+usr/lib/samba/libdsdb-module-samba4.so
+usr/lib/samba/libevents-samba4.so
+usr/lib/samba/libflag-mapping-samba4.so
+usr/lib/samba/libgenrand-samba4.so
+usr/lib/samba/libgensec-samba4.so
+usr/lib/samba/libgpext-samba4.so
+usr/lib/samba/libgpo-samba4.so
+usr/lib/samba/libgse-samba4.so
+usr/lib/samba/libgssapi-samba4.so.2
+usr/lib/samba/libgssapi-samba4.so.2.0.0
+usr/lib/samba/libhcrypto-samba4.so.5
+usr/lib/samba/libhcrypto-samba4.so.5.0.1
+usr/lib/samba/libhdb-samba4.so.11
+usr/lib/samba/libhdb-samba4.so.11.0.2
+usr/lib/samba/libheimbase-samba4.so.1
+usr/lib/samba/libheimbase-samba4.so.1.0.0
+usr/lib/samba/libheimntlm-samba4.so.1
+usr/lib/samba/libheimntlm-samba4.so.1.0.1
+usr/lib/samba/libhttp-samba4.so
+usr/lib/samba/libhx509-samba4.so.5
+usr/lib/samba/libhx509-samba4.so.5.0.0
+usr/lib/samba/libidmap-samba4.so
+usr/lib/samba/libinterfaces-samba4.so
+usr/lib/samba/libiov-buf-samba4.so
+usr/lib/samba/libkdc-samba4.so.2
+usr/lib/samba/libkdc-samba4.so.2.0.0
+usr/lib/samba/libkrb5-samba4.so.26
+usr/lib/samba/libkrb5-samba4.so.26.0.0
+usr/lib/samba/libkrb5samba-samba4.so
+usr/lib/samba/libldb-cmdline-samba4.so
+usr/lib/samba/libldb-key-value-samba4.so
+usr/lib/samba/libldb-tdb-err-map-samba4.so
+usr/lib/samba/libldb-tdb-int-samba4.so
+usr/lib/samba/libldb.so.2
+usr/lib/samba/libldb.so.2.2.0
+usr/lib/samba/libldbsamba-samba4.so
+usr/lib/samba/liblibcli-lsa3-samba4.so
+usr/lib/samba/liblibcli-netlogon3-samba4.so
+usr/lib/samba/liblibsmb-samba4.so
+usr/lib/samba/libmessages-dgm-samba4.so
+usr/lib/samba/libmessages-util-samba4.so
+usr/lib/samba/libmsghdr-samba4.so
+usr/lib/samba/libmsrpc3-samba4.so
+usr/lib/samba/libndr-samba-samba4.so
+usr/lib/samba/libndr-samba4.so
+usr/lib/samba/libnet-keytab-samba4.so
+usr/lib/samba/libnetif-samba4.so
+usr/lib/samba/libnpa-tstream-samba4.so
+usr/lib/samba/libnss-info-samba4.so
+usr/lib/samba/libpopt-samba3-cmdline-samba4.so
+usr/lib/samba/libpopt-samba3-samba4.so
+usr/lib/samba/libposix-eadb-samba4.so
+usr/lib/samba/libprinter-driver-samba4.so
+usr/lib/samba/libprinting-migrate-samba4.so
+usr/lib/samba/libpyldb-util.cpython-38-i386-linux-gnu.so.2
+usr/lib/samba/libpyldb-util.cpython-38-i386-linux-gnu.so.2.2.0
+usr/lib/samba/libpytalloc-util.cpython-38-i386-linux-gnu.so.2
+usr/lib/samba/libpytalloc-util.cpython-38-i386-linux-gnu.so.2.3.1
+usr/lib/samba/libregistry-samba4.so
+usr/lib/samba/libreplace-samba4.so
+usr/lib/samba/libroken-samba4.so.19
+usr/lib/samba/libroken-samba4.so.19.0.1
+usr/lib/samba/libsamba-cluster-support-samba4.so
+usr/lib/samba/libsamba-debug-samba4.so
+usr/lib/samba/libsamba-modules-samba4.so
+usr/lib/samba/libsamba-net.cpython-38-i386-linux-gnu-samba4.so
+usr/lib/samba/libsamba-python.cpython-38-i386-linux-gnu-samba4.so
+usr/lib/samba/libsamba-security-samba4.so
+usr/lib/samba/libsamba-sockets-samba4.so
+usr/lib/samba/libsamba3-util-samba4.so
+usr/lib/samba/libsamdb-common-samba4.so
+usr/lib/samba/libsecrets3-samba4.so
+usr/lib/samba/libserver-id-db-samba4.so
+usr/lib/samba/libserver-role-samba4.so
+usr/lib/samba/libshares-samba4.so
+usr/lib/samba/libsmb-transport-samba4.so
+usr/lib/samba/libsmbclient-raw-samba4.so
+usr/lib/samba/libsmbd-base-samba4.so
+usr/lib/samba/libsmbd-conn-samba4.so
+usr/lib/samba/libsmbd-shim-samba4.so
+usr/lib/samba/libsmbldaphelper-samba4.so
+usr/lib/samba/libsmbpasswdparser-samba4.so
+usr/lib/samba/libsocket-blocking-samba4.so
+usr/lib/samba/libsys-rw-samba4.so
+usr/lib/samba/libtalloc-report-printf-samba4.so
+usr/lib/samba/libtalloc-report-samba4.so
+usr/lib/samba/libtalloc.so.2
+usr/lib/samba/libtalloc.so.2.3.1
+usr/lib/samba/libtdb-wrap-samba4.so
+usr/lib/samba/libtdb.so.1
+usr/lib/samba/libtdb.so.1.4.3
+usr/lib/samba/libtevent.so.0
+usr/lib/samba/libtevent.so.0.10.2
+usr/lib/samba/libtime-basic-samba4.so
+usr/lib/samba/libtorture-samba4.so
+usr/lib/samba/libtrusts-util-samba4.so
+usr/lib/samba/libutil-cmdline-samba4.so
+usr/lib/samba/libutil-reg-samba4.so
+usr/lib/samba/libutil-setid-samba4.so
+usr/lib/samba/libutil-tdb-samba4.so
+usr/lib/samba/libwinbind-client-samba4.so
+usr/lib/samba/libwind-samba4.so.0
+usr/lib/samba/libwind-samba4.so.0.0.0
+usr/lib/samba/libxattr-tdb-samba4.so
+usr/lib/samba/nss_info
+usr/lib/samba/nss_info/hash.so
+usr/lib/samba/nss_info/rfc2307.so
+usr/lib/samba/nss_info/sfu.so
+usr/lib/samba/nss_info/sfu20.so
+#usr/lib/samba/vfs
+usr/lib/samba/vfs/acl_tdb.so
+usr/lib/samba/vfs/acl_xattr.so
+usr/lib/samba/vfs/aio_fork.so
+usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/audit.so
+usr/lib/samba/vfs/btrfs.so
+usr/lib/samba/vfs/cap.so
+usr/lib/samba/vfs/catia.so
+usr/lib/samba/vfs/commit.so
+usr/lib/samba/vfs/crossrename.so
+usr/lib/samba/vfs/default_quota.so
+usr/lib/samba/vfs/dirsort.so
+usr/lib/samba/vfs/expand_msdfs.so
+usr/lib/samba/vfs/extd_audit.so
+usr/lib/samba/vfs/fake_perms.so
+usr/lib/samba/vfs/fileid.so
+usr/lib/samba/vfs/fruit.so
+usr/lib/samba/vfs/full_audit.so
+usr/lib/samba/vfs/glusterfs_fuse.so
+usr/lib/samba/vfs/gpfs.so
+usr/lib/samba/vfs/linux_xfs_sgid.so
+usr/lib/samba/vfs/media_harmony.so
+usr/lib/samba/vfs/offline.so
+usr/lib/samba/vfs/preopen.so
+usr/lib/samba/vfs/readahead.so
+usr/lib/samba/vfs/readonly.so
+usr/lib/samba/vfs/recycle.so
+usr/lib/samba/vfs/shadow_copy.so
+usr/lib/samba/vfs/shadow_copy2.so
+usr/lib/samba/vfs/shell_snap.so
+usr/lib/samba/vfs/snapper.so
+usr/lib/samba/vfs/streams_depot.so
+usr/lib/samba/vfs/streams_xattr.so
+usr/lib/samba/vfs/syncops.so
+usr/lib/samba/vfs/time_audit.so
+usr/lib/samba/vfs/unityed_media.so
+usr/lib/samba/vfs/virusfilter.so
+usr/lib/samba/vfs/widelinks.so
+usr/lib/samba/vfs/worm.so
+usr/lib/samba/vfs/xattr_tdb.so
+usr/lib/security
+usr/lib/security/pam_winbind.so
+#usr/libexec/samba
+usr/libexec/samba/smbspool_krb5_wrapper
+usr/sbin/eventlogadm
+usr/sbin/nmbd
+usr/sbin/samba-gpupdate
+usr/sbin/smbd
+usr/sbin/winbindd
+var/ipfire/backup/addons/includes/samba
+#var/ipfire/samba
+var/ipfire/samba/default.global
+var/ipfire/samba/default.pdc
+var/ipfire/samba/default.printer
+var/ipfire/samba/default.settings
+var/ipfire/samba/default.shares
+var/ipfire/samba/global
+var/ipfire/samba/pdc
+var/ipfire/samba/printer
+#var/ipfire/samba/private
+var/ipfire/samba/private/secrets.tdb
+var/ipfire/samba/private/smbpasswd
+var/ipfire/samba/settings
+var/ipfire/samba/shares
+var/ipfire/samba/smb.conf
+var/ipfire/samba/smb.conf.default
+var/lib/samba
+var/lib/samba/bind-dns
+var/lib/samba/private
+var/lib/samba/winbindd_privileged
+var/log/samba
+var/nmbd
+srv/web/ipfire/cgi-bin/samba.cgi
+srv/web/ipfire/cgi-bin/sambahlp.cgi
+var/ipfire/menu.d/EX-samba.menu
+usr/local/bin/sambactrl
diff --git a/config/rootfiles/packages/samba b/config/rootfiles/packages/samba
deleted file mode 100644
index aafa112ac..000000000
--- a/config/rootfiles/packages/samba
+++ /dev/null
@@ -1,229 +0,0 @@ 
-usr/bin/eventlogadm
-usr/bin/findsmb
-usr/bin/net
-usr/bin/nmblookup
-usr/bin/ntlm_auth
-usr/bin/pdbedit
-usr/bin/profiles
-usr/bin/rpcclient
-usr/bin/sharesec
-usr/bin/smbcacls
-usr/bin/smbclient
-usr/bin/smbcontrol
-usr/bin/smbcquotas
-usr/bin/smbget
-usr/bin/smbpasswd
-usr/bin/smbspool
-usr/bin/smbstatus
-usr/bin/smbta-util
-usr/bin/smbtar
-usr/bin/smbtree
-usr/bin/tdbbackup
-usr/bin/tdbdump
-usr/bin/tdbrestore
-usr/bin/tdbtool
-usr/bin/testparm
-usr/bin/wbinfo
-#usr/include/libsmbclient.h
-#usr/include/netapi.h
-#usr/include/smb_share_modes.h
-#usr/include/talloc.h
-#usr/include/tdb.h
-#usr/include/tevent.h
-#usr/include/tevent_internal.h
-#usr/include/wbclient.h
-usr/lib/libnetapi.so
-usr/lib/libnetapi.so.0
-usr/lib/libsmbclient.so
-usr/lib/libsmbclient.so.0
-usr/lib/libsmbsharemodes.so
-usr/lib/libsmbsharemodes.so.0
-usr/lib/libtalloc.so
-usr/lib/libtalloc.so.2
-usr/lib/libtalloc.so.2.0.5
-usr/lib/libtdb.so
-usr/lib/libtdb.so.1
-usr/lib/libtdb.so.1.2.9
-usr/lib/libtevent.so
-usr/lib/libtevent.so.0
-usr/lib/libtevent.so.0.9.11
-usr/lib/libwbclient.so
-usr/lib/libwbclient.so.0
-#usr/lib/samba
-#usr/lib/samba/auth
-usr/lib/samba/auth/script.so
-#usr/lib/samba/charset
-usr/lib/samba/charset/CP437.so
-usr/lib/samba/charset/CP850.so
-usr/lib/samba/gpext
-usr/lib/samba/idmap
-usr/lib/samba/idmap/autorid.so
-usr/lib/samba/lowcase.dat
-usr/lib/samba/nss_info
-usr/lib/samba/pdb
-usr/lib/samba/perfcount
-usr/lib/samba/upcase.dat
-usr/lib/samba/valid.dat
-#usr/lib/samba/vfs
-usr/lib/samba/vfs/acl_tdb.so
-usr/lib/samba/vfs/acl_xattr.so
-usr/lib/samba/vfs/audit.so
-usr/lib/samba/vfs/cap.so
-usr/lib/samba/vfs/catia.so
-usr/lib/samba/vfs/crossrename.so
-usr/lib/samba/vfs/default_quota.so
-usr/lib/samba/vfs/dirsort.so
-usr/lib/samba/vfs/expand_msdfs.so
-usr/lib/samba/vfs/extd_audit.so
-usr/lib/samba/vfs/fake_perms.so
-usr/lib/samba/vfs/fileid.so
-usr/lib/samba/vfs/full_audit.so
-usr/lib/samba/vfs/linux_xfs_sgid.so
-usr/lib/samba/vfs/netatalk.so
-usr/lib/samba/vfs/preopen.so
-usr/lib/samba/vfs/readahead.so
-usr/lib/samba/vfs/readonly.so
-usr/lib/samba/vfs/recycle.so
-usr/lib/samba/vfs/scannedonly.so
-usr/lib/samba/vfs/shadow_copy.so
-usr/lib/samba/vfs/shadow_copy2.so
-usr/lib/samba/vfs/smb_traffic_analyzer.so
-usr/lib/samba/vfs/streams_depot.so
-usr/lib/samba/vfs/streams_xattr.so
-usr/lib/samba/vfs/syncops.so
-usr/lib/samba/vfs/time_audit.so
-usr/lib/samba/vfs/xattr_tdb.so
-usr/lib/security
-usr/lib/security/pam_smbpass.so
-usr/lib/security/pam_winbind.so
-usr/sbin/nmbd
-usr/sbin/smbd
-usr/sbin/winbindd
-#usr/share/locale/ar/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/cs/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/da/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/de/LC_MESSAGES/net.mo
-#usr/share/locale/de/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/es/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/fi/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/fr/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/hu/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/it/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/ja/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/ko/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/nb/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/nl/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/pl/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/pt_BR/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/ru/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/sv/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/zh_CN/LC_MESSAGES/pam_winbind.mo
-#usr/share/locale/zh_TW/LC_MESSAGES/pam_winbind.mo
-#usr/share/man/man1/dbwrap_tool.1
-#usr/share/man/man1/findsmb.1
-#usr/share/man/man1/log2pcap.1
-#usr/share/man/man1/nmblookup.1
-#usr/share/man/man1/ntlm_auth.1
-#usr/share/man/man1/profiles.1
-#usr/share/man/man1/rpcclient.1
-#usr/share/man/man1/sharesec.1
-#usr/share/man/man1/smbcacls.1
-#usr/share/man/man1/smbclient.1
-#usr/share/man/man1/smbcontrol.1
-#usr/share/man/man1/smbcquotas.1
-#usr/share/man/man1/smbget.1
-#usr/share/man/man1/smbstatus.1
-#usr/share/man/man1/smbtar.1
-#usr/share/man/man1/smbtree.1
-#usr/share/man/man1/testparm.1
-#usr/share/man/man1/vfstest.1
-#usr/share/man/man1/wbinfo.1
-#usr/share/man/man5/lmhosts.5
-#usr/share/man/man5/pam_winbind.conf.5
-#usr/share/man/man5/smb.conf.5
-#usr/share/man/man5/smbgetrc.5
-#usr/share/man/man5/smbpasswd.5
-#usr/share/man/man7/libsmbclient.7
-#usr/share/man/man7/samba.7
-#usr/share/man/man7/winbind_krb5_locator.7
-#usr/share/man/man8/eventlogadm.8
-#usr/share/man/man8/idmap_ad.8
-#usr/share/man/man8/idmap_adex.8
-#usr/share/man/man8/idmap_autorid.8
-#usr/share/man/man8/idmap_hash.8
-#usr/share/man/man8/idmap_ldap.8
-#usr/share/man/man8/idmap_nss.8
-#usr/share/man/man8/idmap_rid.8
-#usr/share/man/man8/idmap_tdb.8
-#usr/share/man/man8/idmap_tdb2.8
-#usr/share/man/man8/net.8
-#usr/share/man/man8/nmbd.8
-#usr/share/man/man8/pam_winbind.8
-#usr/share/man/man8/pdbedit.8
-#usr/share/man/man8/smbd.8
-#usr/share/man/man8/smbpasswd.8
-#usr/share/man/man8/smbspool.8
-#usr/share/man/man8/smbta-util.8
-#usr/share/man/man8/swat.8
-#usr/share/man/man8/tdbbackup.8
-#usr/share/man/man8/tdbdump.8
-#usr/share/man/man8/tdbtool.8
-#usr/share/man/man8/vfs_acl_tdb.8
-#usr/share/man/man8/vfs_acl_xattr.8
-#usr/share/man/man8/vfs_aio_fork.8
-#usr/share/man/man8/vfs_aio_pthread.8
-#usr/share/man/man8/vfs_audit.8
-#usr/share/man/man8/vfs_cacheprime.8
-#usr/share/man/man8/vfs_cap.8
-#usr/share/man/man8/vfs_catia.8
-#usr/share/man/man8/vfs_commit.8
-#usr/share/man/man8/vfs_crossrename.8
-#usr/share/man/man8/vfs_default_quota.8
-#usr/share/man/man8/vfs_dirsort.8
-#usr/share/man/man8/vfs_extd_audit.8
-#usr/share/man/man8/vfs_fake_perms.8
-#usr/share/man/man8/vfs_fileid.8
-#usr/share/man/man8/vfs_full_audit.8
-#usr/share/man/man8/vfs_gpfs.8
-#usr/share/man/man8/vfs_netatalk.8
-#usr/share/man/man8/vfs_notify_fam.8
-#usr/share/man/man8/vfs_prealloc.8
-#usr/share/man/man8/vfs_preopen.8
-#usr/share/man/man8/vfs_readahead.8
-#usr/share/man/man8/vfs_readonly.8
-#usr/share/man/man8/vfs_recycle.8
-#usr/share/man/man8/vfs_scannedonly.8
-#usr/share/man/man8/vfs_shadow_copy.8
-#usr/share/man/man8/vfs_shadow_copy2.8
-#usr/share/man/man8/vfs_smb_traffic_analyzer.8
-#usr/share/man/man8/vfs_streams_depot.8
-#usr/share/man/man8/vfs_streams_xattr.8
-#usr/share/man/man8/vfs_time_audit.8
-#usr/share/man/man8/vfs_xattr_tdb.8
-#usr/share/man/man8/winbindd.8
-var/ipfire/backup/addons/includes/samba
-#var/ipfire/samba
-var/ipfire/samba/default.global
-var/ipfire/samba/default.pdc
-var/ipfire/samba/default.printer
-var/ipfire/samba/default.settings
-var/ipfire/samba/default.shares
-var/ipfire/samba/global
-var/ipfire/samba/pdc
-var/ipfire/samba/printer
-#var/ipfire/samba/private
-var/ipfire/samba/private/secrets.tdb
-var/ipfire/samba/private/smbpasswd
-var/ipfire/samba/settings
-var/ipfire/samba/shares
-var/ipfire/samba/smb.conf
-var/ipfire/samba/smb.conf.default
-var/lib/samba
-var/lib/samba/winbindd_privileged
-var/log/samba
-var/nmbd
-etc/rc.d/init.d/samba
-srv/web/ipfire/cgi-bin/samba.cgi
-srv/web/ipfire/cgi-bin/sambahlp.cgi
-var/ipfire/menu.d/EX-samba.menu
-usr/local/bin/sambactrl
diff --git a/config/rootfiles/packages/x86_64/samba b/config/rootfiles/packages/x86_64/samba
new file mode 100644
index 000000000..ff2b7d5c3
--- /dev/null
+++ b/config/rootfiles/packages/x86_64/samba
@@ -0,0 +1,820 @@ 
+etc/rc.d/init.d/samba
+usr/bin/cifsdd
+usr/bin/dbwrap_tool
+usr/bin/findsmb
+usr/bin/gentest
+usr/bin/ldbadd
+usr/bin/ldbdel
+usr/bin/ldbedit
+usr/bin/ldbmodify
+usr/bin/ldbrename
+usr/bin/ldbsearch
+usr/bin/locktest
+usr/bin/masktest
+usr/bin/mdfind
+usr/bin/mvxattr
+usr/bin/ndrdump
+usr/bin/net
+usr/bin/nmblookup
+usr/bin/ntlm_auth
+usr/bin/oLschema2ldif
+usr/bin/pdbedit
+usr/bin/profiles
+usr/bin/regdiff
+usr/bin/regpatch
+usr/bin/regshell
+usr/bin/regtree
+usr/bin/rpcclient
+usr/bin/samba-regedit
+usr/bin/sharesec
+usr/bin/smbcacls
+usr/bin/smbclient
+usr/bin/smbcontrol
+usr/bin/smbcquotas
+usr/bin/smbget
+usr/bin/smbpasswd
+usr/bin/smbspool
+usr/bin/smbstatus
+usr/bin/smbtar
+usr/bin/smbtorture
+usr/bin/smbtree
+usr/bin/tdbbackup
+usr/bin/tdbdump
+usr/bin/tdbrestore
+usr/bin/tdbtool
+usr/bin/testparm
+usr/bin/wbinfo
+#usr/include/samba-4.0
+#usr/include/samba-4.0/charset.h
+#usr/include/samba-4.0/core
+#usr/include/samba-4.0/core/doserr.h
+#usr/include/samba-4.0/core/error.h
+#usr/include/samba-4.0/core/hresult.h
+#usr/include/samba-4.0/core/ntstatus.h
+#usr/include/samba-4.0/core/ntstatus_gen.h
+#usr/include/samba-4.0/core/werror.h
+#usr/include/samba-4.0/core/werror_gen.h
+#usr/include/samba-4.0/credentials.h
+#usr/include/samba-4.0/dcerpc.h
+#usr/include/samba-4.0/dcesrv_core.h
+#usr/include/samba-4.0/domain_credentials.h
+#usr/include/samba-4.0/gen_ndr
+#usr/include/samba-4.0/gen_ndr/atsvc.h
+#usr/include/samba-4.0/gen_ndr/auth.h
+#usr/include/samba-4.0/gen_ndr/dcerpc.h
+#usr/include/samba-4.0/gen_ndr/drsblobs.h
+#usr/include/samba-4.0/gen_ndr/drsuapi.h
+#usr/include/samba-4.0/gen_ndr/krb5pac.h
+#usr/include/samba-4.0/gen_ndr/lsa.h
+#usr/include/samba-4.0/gen_ndr/misc.h
+#usr/include/samba-4.0/gen_ndr/nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_atsvc.h
+#usr/include/samba-4.0/gen_ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/gen_ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/gen_ndr/ndr_misc.h
+#usr/include/samba-4.0/gen_ndr/ndr_nbt.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr.h
+#usr/include/samba-4.0/gen_ndr/ndr_samr_c.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl.h
+#usr/include/samba-4.0/gen_ndr/ndr_svcctl_c.h
+#usr/include/samba-4.0/gen_ndr/netlogon.h
+#usr/include/samba-4.0/gen_ndr/samr.h
+#usr/include/samba-4.0/gen_ndr/security.h
+#usr/include/samba-4.0/gen_ndr/server_id.h
+#usr/include/samba-4.0/gen_ndr/svcctl.h
+#usr/include/samba-4.0/ldb_wrap.h
+#usr/include/samba-4.0/libsmbclient.h
+#usr/include/samba-4.0/lookup_sid.h
+#usr/include/samba-4.0/machine_sid.h
+#usr/include/samba-4.0/ndr
+#usr/include/samba-4.0/ndr.h
+#usr/include/samba-4.0/ndr/ndr_dcerpc.h
+#usr/include/samba-4.0/ndr/ndr_drsblobs.h
+#usr/include/samba-4.0/ndr/ndr_drsuapi.h
+#usr/include/samba-4.0/ndr/ndr_krb5pac.h
+#usr/include/samba-4.0/ndr/ndr_nbt.h
+#usr/include/samba-4.0/ndr/ndr_svcctl.h
+#usr/include/samba-4.0/netapi.h
+#usr/include/samba-4.0/param.h
+#usr/include/samba-4.0/passdb.h
+#usr/include/samba-4.0/policy.h
+#usr/include/samba-4.0/rpc_common.h
+#usr/include/samba-4.0/samba
+#usr/include/samba-4.0/samba/session.h
+#usr/include/samba-4.0/samba/version.h
+#usr/include/samba-4.0/share.h
+#usr/include/samba-4.0/smb2_lease_struct.h
+#usr/include/samba-4.0/smb_ldap.h
+#usr/include/samba-4.0/smbconf.h
+#usr/include/samba-4.0/smbldap.h
+#usr/include/samba-4.0/tdr.h
+#usr/include/samba-4.0/tsocket.h
+#usr/include/samba-4.0/tsocket_internal.h
+#usr/include/samba-4.0/util
+#usr/include/samba-4.0/util/attr.h
+#usr/include/samba-4.0/util/blocking.h
+#usr/include/samba-4.0/util/data_blob.h
+#usr/include/samba-4.0/util/debug.h
+#usr/include/samba-4.0/util/discard.h
+#usr/include/samba-4.0/util/fault.h
+#usr/include/samba-4.0/util/genrand.h
+#usr/include/samba-4.0/util/idtree.h
+#usr/include/samba-4.0/util/idtree_random.h
+#usr/include/samba-4.0/util/signal.h
+#usr/include/samba-4.0/util/string_wrappers.h
+#usr/include/samba-4.0/util/substitute.h
+#usr/include/samba-4.0/util/tevent_ntstatus.h
+#usr/include/samba-4.0/util/tevent_unix.h
+#usr/include/samba-4.0/util/tevent_werror.h
+#usr/include/samba-4.0/util/tfork.h
+#usr/include/samba-4.0/util/time.h
+#usr/include/samba-4.0/util_ldb.h
+#usr/include/samba-4.0/wbclient.h
+usr/lib/libdcerpc-binding.so
+usr/lib/libdcerpc-binding.so.0
+usr/lib/libdcerpc-binding.so.0.0.1
+usr/lib/libdcerpc-samr.so
+usr/lib/libdcerpc-samr.so.0
+usr/lib/libdcerpc-samr.so.0.0.1
+usr/lib/libdcerpc-server-core.so
+usr/lib/libdcerpc-server-core.so.0
+usr/lib/libdcerpc-server-core.so.0.0.1
+usr/lib/libdcerpc.so
+usr/lib/libdcerpc.so.0
+usr/lib/libdcerpc.so.0.0.1
+usr/lib/libndr-krb5pac.so
+usr/lib/libndr-krb5pac.so.0
+usr/lib/libndr-krb5pac.so.0.0.1
+usr/lib/libndr-nbt.so
+usr/lib/libndr-nbt.so.0
+usr/lib/libndr-nbt.so.0.0.1
+usr/lib/libndr-standard.so
+usr/lib/libndr-standard.so.0
+usr/lib/libndr-standard.so.0.0.1
+usr/lib/libndr.so
+usr/lib/libndr.so.1
+usr/lib/libndr.so.1.0.0
+usr/lib/libnetapi.so
+usr/lib/libnetapi.so.0
+usr/lib/libnss_winbind.so
+usr/lib/libnss_winbind.so.2
+usr/lib/libnss_wins.so
+usr/lib/libnss_wins.so.2
+usr/lib/libsamba-credentials.so
+usr/lib/libsamba-credentials.so.0
+usr/lib/libsamba-credentials.so.0.0.1
+usr/lib/libsamba-errors.so
+usr/lib/libsamba-errors.so.1
+usr/lib/libsamba-hostconfig.so
+usr/lib/libsamba-hostconfig.so.0
+usr/lib/libsamba-hostconfig.so.0.0.1
+usr/lib/libsamba-passdb.so
+usr/lib/libsamba-passdb.so.0
+usr/lib/libsamba-passdb.so.0.28.0
+usr/lib/libsamba-policy.cpython-38-x86-64-linux-gnu.so
+usr/lib/libsamba-policy.cpython-38-x86-64-linux-gnu.so.0
+usr/lib/libsamba-policy.cpython-38-x86-64-linux-gnu.so.0.0.1
+usr/lib/libsamba-util.so
+usr/lib/libsamba-util.so.0
+usr/lib/libsamba-util.so.0.0.1
+usr/lib/libsamdb.so
+usr/lib/libsamdb.so.0
+usr/lib/libsamdb.so.0.0.1
+usr/lib/libsmbclient.so
+usr/lib/libsmbclient.so.0
+usr/lib/libsmbclient.so.0.6.0
+usr/lib/libsmbconf.so
+usr/lib/libsmbconf.so.0
+usr/lib/libsmbldap.so
+usr/lib/libsmbldap.so.2
+usr/lib/libtevent-util.so
+usr/lib/libtevent-util.so.0
+usr/lib/libtevent-util.so.0.0.1
+usr/lib/libwbclient.so
+usr/lib/libwbclient.so.0
+usr/lib/libwbclient.so.0.15
+#usr/lib/pkgconfig/dcerpc.pc
+#usr/lib/pkgconfig/dcerpc_samr.pc
+#usr/lib/pkgconfig/ndr.pc
+#usr/lib/pkgconfig/ndr_krb5pac.pc
+#usr/lib/pkgconfig/ndr_nbt.pc
+#usr/lib/pkgconfig/ndr_standard.pc
+#usr/lib/pkgconfig/netapi.pc
+#usr/lib/pkgconfig/samba-credentials.pc
+#usr/lib/pkgconfig/samba-hostconfig.pc
+#usr/lib/pkgconfig/samba-policy.cpython-38-x86_64-linux-gnu.pc
+#usr/lib/pkgconfig/samba-util.pc
+#usr/lib/pkgconfig/samdb.pc
+#usr/lib/pkgconfig/smbclient.pc
+#usr/lib/pkgconfig/wbclient.pc
+usr/lib/python3.8/site-packages/_ldb_text.py
+usr/lib/python3.8/site-packages/_tdb_text.py
+usr/lib/python3.8/site-packages/_tevent.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/ldb.cpython-38-x86_64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba
+usr/lib/python3.8/site-packages/samba/__init__.py
+usr/lib/python3.8/site-packages/samba/_glue.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/_ldb.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/auth_util.py
+usr/lib/python3.8/site-packages/samba/colour.py
+usr/lib/python3.8/site-packages/samba/common.py
+usr/lib/python3.8/site-packages/samba/compat.py
+usr/lib/python3.8/site-packages/samba/credentials.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/crypto.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dbchecker.py
+#usr/lib/python3.8/site-packages/samba/dcerpc
+usr/lib/python3.8/site-packages/samba/dcerpc/__init__.py
+usr/lib/python3.8/site-packages/samba/dcerpc/atsvc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/auth.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/base.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dcerpc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dfs.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dns.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsp.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/dnsserver.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsblobs.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/drsuapi.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/echo.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/epmapper.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/idmap.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/initshutdown.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/irpc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/krb5pac.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/lsa.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mdssvc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/messaging.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/mgmt.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/misc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/nbt.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/netlogon.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/ntlmssp.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/preg.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/samr.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/security.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/server_id.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/smb_acl.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/spoolss.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/srvsvc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/svcctl.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/unixinfo.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winbind.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/windows_event_ids.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winreg.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/winspool.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/witness.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/wkssvc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/dcerpc/xattr.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/descriptor.py
+usr/lib/python3.8/site-packages/samba/dnsserver.py
+usr/lib/python3.8/site-packages/samba/domain_update.py
+usr/lib/python3.8/site-packages/samba/drs_utils.py
+#usr/lib/python3.8/site-packages/samba/emulate
+usr/lib/python3.8/site-packages/samba/emulate/__init__.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic.py
+usr/lib/python3.8/site-packages/samba/emulate/traffic_packets.py
+usr/lib/python3.8/site-packages/samba/forest_update.py
+usr/lib/python3.8/site-packages/samba/gensec.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/getopt.py
+usr/lib/python3.8/site-packages/samba/gp_ext_loader.py
+#usr/lib/python3.8/site-packages/samba/gp_parse
+usr/lib/python3.8/site-packages/samba/gp_parse/__init__.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_aas.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_csv.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_inf.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_ini.py
+usr/lib/python3.8/site-packages/samba/gp_parse/gp_pol.py
+usr/lib/python3.8/site-packages/samba/gp_scripts_ext.py
+usr/lib/python3.8/site-packages/samba/gp_sec_ext.py
+usr/lib/python3.8/site-packages/samba/gpclass.py
+usr/lib/python3.8/site-packages/samba/gpo.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/graph.py
+usr/lib/python3.8/site-packages/samba/hostconfig.py
+usr/lib/python3.8/site-packages/samba/idmap.py
+usr/lib/python3.8/site-packages/samba/join.py
+#usr/lib/python3.8/site-packages/samba/kcc
+usr/lib/python3.8/site-packages/samba/kcc/__init__.py
+usr/lib/python3.8/site-packages/samba/kcc/debug.py
+usr/lib/python3.8/site-packages/samba/kcc/graph.py
+usr/lib/python3.8/site-packages/samba/kcc/graph_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/kcc_utils.py
+usr/lib/python3.8/site-packages/samba/kcc/ldif_import_export.py
+usr/lib/python3.8/site-packages/samba/logger.py
+usr/lib/python3.8/site-packages/samba/mdb_util.py
+usr/lib/python3.8/site-packages/samba/messaging.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/ms_display_specifiers.py
+usr/lib/python3.8/site-packages/samba/ms_forest_updates_markdown.py
+usr/lib/python3.8/site-packages/samba/ms_schema.py
+usr/lib/python3.8/site-packages/samba/ms_schema_markdown.py
+usr/lib/python3.8/site-packages/samba/ndr.py
+usr/lib/python3.8/site-packages/samba/net.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/netbios.cpython-38-x86_64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/netcmd
+usr/lib/python3.8/site-packages/samba/netcmd/__init__.py
+usr/lib/python3.8/site-packages/samba/netcmd/common.py
+usr/lib/python3.8/site-packages/samba/netcmd/computer.py
+usr/lib/python3.8/site-packages/samba/netcmd/contact.py
+usr/lib/python3.8/site-packages/samba/netcmd/dbcheck.py
+usr/lib/python3.8/site-packages/samba/netcmd/delegation.py
+usr/lib/python3.8/site-packages/samba/netcmd/dns.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain.py
+usr/lib/python3.8/site-packages/samba/netcmd/domain_backup.py
+usr/lib/python3.8/site-packages/samba/netcmd/drs.py
+usr/lib/python3.8/site-packages/samba/netcmd/dsacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/forest.py
+usr/lib/python3.8/site-packages/samba/netcmd/fsmo.py
+usr/lib/python3.8/site-packages/samba/netcmd/gpo.py
+usr/lib/python3.8/site-packages/samba/netcmd/group.py
+usr/lib/python3.8/site-packages/samba/netcmd/ldapcmp.py
+usr/lib/python3.8/site-packages/samba/netcmd/main.py
+usr/lib/python3.8/site-packages/samba/netcmd/nettime.py
+usr/lib/python3.8/site-packages/samba/netcmd/ntacl.py
+usr/lib/python3.8/site-packages/samba/netcmd/ou.py
+usr/lib/python3.8/site-packages/samba/netcmd/processes.py
+usr/lib/python3.8/site-packages/samba/netcmd/pso.py
+usr/lib/python3.8/site-packages/samba/netcmd/rodc.py
+usr/lib/python3.8/site-packages/samba/netcmd/schema.py
+usr/lib/python3.8/site-packages/samba/netcmd/sites.py
+usr/lib/python3.8/site-packages/samba/netcmd/spn.py
+usr/lib/python3.8/site-packages/samba/netcmd/testparm.py
+usr/lib/python3.8/site-packages/samba/netcmd/user.py
+usr/lib/python3.8/site-packages/samba/netcmd/visualize.py
+usr/lib/python3.8/site-packages/samba/ntacls.py
+usr/lib/python3.8/site-packages/samba/ntstatus.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/param.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/policy.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/posix_eadb.cpython-38-x86_64-linux-gnu.so
+#usr/lib/python3.8/site-packages/samba/provision
+usr/lib/python3.8/site-packages/samba/provision/__init__.py
+usr/lib/python3.8/site-packages/samba/provision/backend.py
+usr/lib/python3.8/site-packages/samba/provision/common.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos.py
+usr/lib/python3.8/site-packages/samba/provision/kerberos_implementation.py
+usr/lib/python3.8/site-packages/samba/provision/sambadns.py
+usr/lib/python3.8/site-packages/samba/registry.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/remove_dc.py
+#usr/lib/python3.8/site-packages/samba/samba3
+usr/lib/python3.8/site-packages/samba/samba3/__init__.py
+usr/lib/python3.8/site-packages/samba/samba3/libsmb_samba_internal.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/mdscli.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/param.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/passdb.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samba3/smbd.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/samdb.py
+usr/lib/python3.8/site-packages/samba/schema.py
+usr/lib/python3.8/site-packages/samba/sd_utils.py
+usr/lib/python3.8/site-packages/samba/security.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/sites.py
+usr/lib/python3.8/site-packages/samba/subnets.py
+#usr/lib/python3.8/site-packages/samba/subunit
+usr/lib/python3.8/site-packages/samba/subunit/__init__.py
+usr/lib/python3.8/site-packages/samba/subunit/run.py
+usr/lib/python3.8/site-packages/samba/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests
+#usr/lib/python3.8/site-packages/samba/tests/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/audit_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_base.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_ncalrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_netlogon_bad_creds.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_pass_change.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_samlogon.py
+#usr/lib/python3.8/site-packages/samba/tests/auth_log_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/bug13653.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/check_output.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/downgradedatabase.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/mdfind.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/ndrdump.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/netads_json.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/samba_dnsupdate.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcacls_basic.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/smbcontrol_process.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_learner.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_replay.py
+#usr/lib/python3.8/site-packages/samba/tests/blackbox/traffic_summary.py
+#usr/lib/python3.8/site-packages/samba/tests/common.py
+#usr/lib/python3.8/site-packages/samba/tests/complex_expressions.py
+#usr/lib/python3.8/site-packages/samba/tests/core.py
+#usr/lib/python3.8/site-packages/samba/tests/credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/array.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/bare.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/dnsserver.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/integer.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/mdssvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/misc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_protocol.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpc_talloc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/rpcecho.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/sam.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/srvsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/string_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/testrpc.py
+#usr/lib/python3.8/site-packages/samba/tests/dcerpc/unix.py
+#usr/lib/python3.8/site-packages/samba/tests/dckeytab.py
+#usr/lib/python3.8/site-packages/samba/tests/dns.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_base.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers
+#usr/lib/python3.8/site-packages/samba/tests/dns_forwarder_helpers/server.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_invalid.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_tkey.py
+#usr/lib/python3.8/site-packages/samba/tests/dns_wildcard.py
+#usr/lib/python3.8/site-packages/samba/tests/docs.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/domain_backup_offline.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_lock.py
+#usr/lib/python3.8/site-packages/samba/tests/dsdb_schema_attributes.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate
+#usr/lib/python3.8/site-packages/samba/tests/emulate/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic.py
+#usr/lib/python3.8/site-packages/samba/tests/emulate/traffic_packet.py
+#usr/lib/python3.8/site-packages/samba/tests/encrypted_secrets.py
+#usr/lib/python3.8/site-packages/samba/tests/gensec.py
+#usr/lib/python3.8/site-packages/samba/tests/get_opt.py
+#usr/lib/python3.8/site-packages/samba/tests/getdcname.py
+#usr/lib/python3.8/site-packages/samba/tests/glue.py
+#usr/lib/python3.8/site-packages/samba/tests/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/group_audit.py
+#usr/lib/python3.8/site-packages/samba/tests/hostconfig.py
+#usr/lib/python3.8/site-packages/samba/tests/join.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc
+#usr/lib/python3.8/site-packages/samba/tests/kcc/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/graph_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/kcc_utils.py
+#usr/lib/python3.8/site-packages/samba/tests/kcc/ldif_import_export.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5
+#usr/lib/python3.8/site-packages/samba/tests/krb5/kcrypto.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/raw_testcase.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/rfc4120_pyasn1.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/s4u_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/simple_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5/xrealm_tests.py
+#usr/lib/python3.8/site-packages/samba/tests/krb5_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_raw.py
+#usr/lib/python3.8/site-packages/samba/tests/ldap_referrals.py
+#usr/lib/python3.8/site-packages/samba/tests/libsmb.py
+#usr/lib/python3.8/site-packages/samba/tests/loadparm.py
+#usr/lib/python3.8/site-packages/samba/tests/lsa_string.py
+#usr/lib/python3.8/site-packages/samba/tests/messaging.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join.py
+#usr/lib/python3.8/site-packages/samba/tests/net_join_no_spnego.py
+#usr/lib/python3.8/site-packages/samba/tests/netbios.py
+#usr/lib/python3.8/site-packages/samba/tests/netcmd.py
+#usr/lib/python3.8/site-packages/samba/tests/netlogonsvc.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls.py
+#usr/lib/python3.8/site-packages/samba/tests/ntacls_backup.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_base.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlm_auth_krb5.py
+#usr/lib/python3.8/site-packages/samba/tests/ntlmdisabled.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_chauthtok.py
+#usr/lib/python3.8/site-packages/samba/tests/pam_winbind_warn_pwd_expire.py
+#usr/lib/python3.8/site-packages/samba/tests/param.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2003.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_fl2008.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_gpgme.py
+#usr/lib/python3.8/site-packages/samba/tests/password_hash_ldap.py
+#usr/lib/python3.8/site-packages/samba/tests/password_quality.py
+#usr/lib/python3.8/site-packages/samba/tests/password_test.py
+#usr/lib/python3.8/site-packages/samba/tests/policy.py
+#usr/lib/python3.8/site-packages/samba/tests/posixacl.py
+#usr/lib/python3.8/site-packages/samba/tests/prefork_restart.py
+#usr/lib/python3.8/site-packages/samba/tests/process_limits.py
+#usr/lib/python3.8/site-packages/samba/tests/provision.py
+#usr/lib/python3.8/site-packages/samba/tests/pso.py
+#usr/lib/python3.8/site-packages/samba/tests/py_credentials.py
+#usr/lib/python3.8/site-packages/samba/tests/registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3idmapdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3param.py
+#usr/lib/python3.8/site-packages/samba/tests/s3passdb.py
+#usr/lib/python3.8/site-packages/samba/tests/s3registry.py
+#usr/lib/python3.8/site-packages/samba/tests/s3windb.py
+#usr/lib/python3.8/site-packages/samba/tests/samba3sam.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/__init__.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/computer.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/contact.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/demote.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dnscmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/dsacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/forest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/fsmo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/gpo.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/group.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/help.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/join_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ntacl.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/ou.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/passwordsettings.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/processes.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/promote_dc_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_lmdb_size.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/provision_password_check.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/rodc.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/schema.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/sites.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/timecmd.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_check_password_script.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_base.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/user_wdigest.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_tool/visualize_drs.py
+#usr/lib/python3.8/site-packages/samba/tests/samba_upgradedns_lmdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb.py
+#usr/lib/python3.8/site-packages/samba/tests/samdb_api.py
+#usr/lib/python3.8/site-packages/samba/tests/security.py
+#usr/lib/python3.8/site-packages/samba/tests/segfault.py
+#usr/lib/python3.8/site-packages/samba/tests/smb.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_base.py
+#usr/lib/python3.8/site-packages/samba/tests/smbd_fuzztest.py
+#usr/lib/python3.8/site-packages/samba/tests/source.py
+#usr/lib/python3.8/site-packages/samba/tests/strings.py
+#usr/lib/python3.8/site-packages/samba/tests/subunitrun.py
+#usr/lib/python3.8/site-packages/samba/tests/tdb_util.py
+#usr/lib/python3.8/site-packages/samba/tests/upgrade.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovision.py
+#usr/lib/python3.8/site-packages/samba/tests/upgradeprovisionneeddc.py
+#usr/lib/python3.8/site-packages/samba/tests/usage.py
+#usr/lib/python3.8/site-packages/samba/tests/xattr.py
+#usr/lib/python3.8/site-packages/samba/third_party
+usr/lib/python3.8/site-packages/samba/third_party/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/__init__.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/iso8601.py
+usr/lib/python3.8/site-packages/samba/third_party/iso8601/test_iso8601.py
+usr/lib/python3.8/site-packages/samba/upgrade.py
+usr/lib/python3.8/site-packages/samba/upgradehelpers.py
+usr/lib/python3.8/site-packages/samba/uptodateness.py
+usr/lib/python3.8/site-packages/samba/werror.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr.py
+usr/lib/python3.8/site-packages/samba/xattr_native.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/samba/xattr_tdb.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/talloc.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/tdb.cpython-38-x86_64-linux-gnu.so
+usr/lib/python3.8/site-packages/tevent.py
+#usr/lib/samba
+usr/lib/samba/idmap
+usr/lib/samba/idmap/ad.so
+usr/lib/samba/idmap/autorid.so
+usr/lib/samba/idmap/hash.so
+usr/lib/samba/idmap/rfc2307.so
+usr/lib/samba/idmap/rid.so
+usr/lib/samba/idmap/script.so
+usr/lib/samba/idmap/tdb2.so
+#usr/lib/samba/krb5
+usr/lib/samba/krb5/winbind_krb5_locator.so
+#usr/lib/samba/ldb
+usr/lib/samba/ldb/asq.so
+usr/lib/samba/ldb/ildap.so
+usr/lib/samba/ldb/ldb.so
+usr/lib/samba/ldb/ldbsamba_extensions.so
+usr/lib/samba/ldb/paged_searches.so
+usr/lib/samba/ldb/rdn_name.so
+usr/lib/samba/ldb/sample.so
+usr/lib/samba/ldb/server_sort.so
+usr/lib/samba/ldb/skel.so
+usr/lib/samba/ldb/tdb.so
+usr/lib/samba/libCHARSET3-samba4.so
+usr/lib/samba/libLIBWBCLIENT-OLD-samba4.so
+usr/lib/samba/libMESSAGING-SEND-samba4.so
+usr/lib/samba/libMESSAGING-samba4.so
+usr/lib/samba/libaddns-samba4.so
+usr/lib/samba/libads-samba4.so
+usr/lib/samba/libasn1-samba4.so.8
+usr/lib/samba/libasn1-samba4.so.8.0.0
+usr/lib/samba/libasn1util-samba4.so
+usr/lib/samba/libauth-samba4.so
+usr/lib/samba/libauth-unix-token-samba4.so
+usr/lib/samba/libauth4-samba4.so
+usr/lib/samba/libauthkrb5-samba4.so
+usr/lib/samba/libcli-cldap-samba4.so
+usr/lib/samba/libcli-ldap-common-samba4.so
+usr/lib/samba/libcli-ldap-samba4.so
+usr/lib/samba/libcli-nbt-samba4.so
+usr/lib/samba/libcli-smb-common-samba4.so
+usr/lib/samba/libcli-spoolss-samba4.so
+usr/lib/samba/libcliauth-samba4.so
+usr/lib/samba/libclidns-samba4.so
+usr/lib/samba/libcluster-samba4.so
+usr/lib/samba/libcmdline-contexts-samba4.so
+usr/lib/samba/libcmdline-credentials-samba4.so
+usr/lib/samba/libcmocka-samba4.so
+usr/lib/samba/libcom_err-samba4.so.0
+usr/lib/samba/libcom_err-samba4.so.0.25
+usr/lib/samba/libcommon-auth-samba4.so
+usr/lib/samba/libdbwrap-samba4.so
+usr/lib/samba/libdcerpc-samba-samba4.so
+usr/lib/samba/libdcerpc-samba4.so
+usr/lib/samba/libdsdb-module-samba4.so
+usr/lib/samba/libevents-samba4.so
+usr/lib/samba/libflag-mapping-samba4.so
+usr/lib/samba/libgenrand-samba4.so
+usr/lib/samba/libgensec-samba4.so
+usr/lib/samba/libgpext-samba4.so
+usr/lib/samba/libgpo-samba4.so
+usr/lib/samba/libgse-samba4.so
+usr/lib/samba/libgssapi-samba4.so.2
+usr/lib/samba/libgssapi-samba4.so.2.0.0
+usr/lib/samba/libhcrypto-samba4.so.5
+usr/lib/samba/libhcrypto-samba4.so.5.0.1
+usr/lib/samba/libhdb-samba4.so.11
+usr/lib/samba/libhdb-samba4.so.11.0.2
+usr/lib/samba/libheimbase-samba4.so.1
+usr/lib/samba/libheimbase-samba4.so.1.0.0
+usr/lib/samba/libheimntlm-samba4.so.1
+usr/lib/samba/libheimntlm-samba4.so.1.0.1
+usr/lib/samba/libhttp-samba4.so
+usr/lib/samba/libhx509-samba4.so.5
+usr/lib/samba/libhx509-samba4.so.5.0.0
+usr/lib/samba/libidmap-samba4.so
+usr/lib/samba/libinterfaces-samba4.so
+usr/lib/samba/libiov-buf-samba4.so
+usr/lib/samba/libkdc-samba4.so.2
+usr/lib/samba/libkdc-samba4.so.2.0.0
+usr/lib/samba/libkrb5-samba4.so.26
+usr/lib/samba/libkrb5-samba4.so.26.0.0
+usr/lib/samba/libkrb5samba-samba4.so
+usr/lib/samba/libldb-cmdline-samba4.so
+usr/lib/samba/libldb-key-value-samba4.so
+usr/lib/samba/libldb-tdb-err-map-samba4.so
+usr/lib/samba/libldb-tdb-int-samba4.so
+usr/lib/samba/libldb.so.2
+usr/lib/samba/libldb.so.2.2.0
+usr/lib/samba/libldbsamba-samba4.so
+usr/lib/samba/liblibcli-lsa3-samba4.so
+usr/lib/samba/liblibcli-netlogon3-samba4.so
+usr/lib/samba/liblibsmb-samba4.so
+usr/lib/samba/libmessages-dgm-samba4.so
+usr/lib/samba/libmessages-util-samba4.so
+usr/lib/samba/libmsghdr-samba4.so
+usr/lib/samba/libmsrpc3-samba4.so
+usr/lib/samba/libndr-samba-samba4.so
+usr/lib/samba/libndr-samba4.so
+usr/lib/samba/libnet-keytab-samba4.so
+usr/lib/samba/libnetif-samba4.so
+usr/lib/samba/libnpa-tstream-samba4.so
+usr/lib/samba/libnss-info-samba4.so
+usr/lib/samba/libpopt-samba3-cmdline-samba4.so
+usr/lib/samba/libpopt-samba3-samba4.so
+usr/lib/samba/libposix-eadb-samba4.so
+usr/lib/samba/libprinter-driver-samba4.so
+usr/lib/samba/libprinting-migrate-samba4.so
+usr/lib/samba/libpyldb-util.cpython-38-x86-64-linux-gnu.so.2
+usr/lib/samba/libpyldb-util.cpython-38-x86-64-linux-gnu.so.2.2.0
+usr/lib/samba/libpytalloc-util.cpython-38-x86-64-linux-gnu.so.2
+usr/lib/samba/libpytalloc-util.cpython-38-x86-64-linux-gnu.so.2.3.1
+usr/lib/samba/libregistry-samba4.so
+usr/lib/samba/libreplace-samba4.so
+usr/lib/samba/libroken-samba4.so.19
+usr/lib/samba/libroken-samba4.so.19.0.1
+usr/lib/samba/libsamba-cluster-support-samba4.so
+usr/lib/samba/libsamba-debug-samba4.so
+usr/lib/samba/libsamba-modules-samba4.so
+usr/lib/samba/libsamba-net.cpython-38-x86-64-linux-gnu-samba4.so
+usr/lib/samba/libsamba-python.cpython-38-x86-64-linux-gnu-samba4.so
+usr/lib/samba/libsamba-security-samba4.so
+usr/lib/samba/libsamba-sockets-samba4.so
+usr/lib/samba/libsamba3-util-samba4.so
+usr/lib/samba/libsamdb-common-samba4.so
+usr/lib/samba/libsecrets3-samba4.so
+usr/lib/samba/libserver-id-db-samba4.so
+usr/lib/samba/libserver-role-samba4.so
+usr/lib/samba/libshares-samba4.so
+usr/lib/samba/libsmb-transport-samba4.so
+usr/lib/samba/libsmbclient-raw-samba4.so
+usr/lib/samba/libsmbd-base-samba4.so
+usr/lib/samba/libsmbd-conn-samba4.so
+usr/lib/samba/libsmbd-shim-samba4.so
+usr/lib/samba/libsmbldaphelper-samba4.so
+usr/lib/samba/libsmbpasswdparser-samba4.so
+usr/lib/samba/libsocket-blocking-samba4.so
+usr/lib/samba/libsys-rw-samba4.so
+usr/lib/samba/libtalloc-report-printf-samba4.so
+usr/lib/samba/libtalloc-report-samba4.so
+usr/lib/samba/libtalloc.so.2
+usr/lib/samba/libtalloc.so.2.3.1
+usr/lib/samba/libtdb-wrap-samba4.so
+usr/lib/samba/libtdb.so.1
+usr/lib/samba/libtdb.so.1.4.3
+usr/lib/samba/libtevent.so.0
+usr/lib/samba/libtevent.so.0.10.2
+usr/lib/samba/libtime-basic-samba4.so
+usr/lib/samba/libtorture-samba4.so
+usr/lib/samba/libtrusts-util-samba4.so
+usr/lib/samba/libutil-cmdline-samba4.so
+usr/lib/samba/libutil-reg-samba4.so
+usr/lib/samba/libutil-setid-samba4.so
+usr/lib/samba/libutil-tdb-samba4.so
+usr/lib/samba/libwinbind-client-samba4.so
+usr/lib/samba/libwind-samba4.so.0
+usr/lib/samba/libwind-samba4.so.0.0.0
+usr/lib/samba/libxattr-tdb-samba4.so
+usr/lib/samba/nss_info
+usr/lib/samba/nss_info/hash.so
+usr/lib/samba/nss_info/rfc2307.so
+usr/lib/samba/nss_info/sfu.so
+usr/lib/samba/nss_info/sfu20.so
+#usr/lib/samba/vfs
+usr/lib/samba/vfs/acl_tdb.so
+usr/lib/samba/vfs/acl_xattr.so
+usr/lib/samba/vfs/aio_fork.so
+usr/lib/samba/vfs/aio_pthread.so
+usr/lib/samba/vfs/audit.so
+usr/lib/samba/vfs/btrfs.so
+usr/lib/samba/vfs/cap.so
+usr/lib/samba/vfs/catia.so
+usr/lib/samba/vfs/commit.so
+usr/lib/samba/vfs/crossrename.so
+usr/lib/samba/vfs/default_quota.so
+usr/lib/samba/vfs/dirsort.so
+usr/lib/samba/vfs/expand_msdfs.so
+usr/lib/samba/vfs/extd_audit.so
+usr/lib/samba/vfs/fake_perms.so
+usr/lib/samba/vfs/fileid.so
+usr/lib/samba/vfs/fruit.so
+usr/lib/samba/vfs/full_audit.so
+usr/lib/samba/vfs/glusterfs_fuse.so
+usr/lib/samba/vfs/gpfs.so
+usr/lib/samba/vfs/linux_xfs_sgid.so
+usr/lib/samba/vfs/media_harmony.so
+usr/lib/samba/vfs/offline.so
+usr/lib/samba/vfs/preopen.so
+usr/lib/samba/vfs/readahead.so
+usr/lib/samba/vfs/readonly.so
+usr/lib/samba/vfs/recycle.so
+usr/lib/samba/vfs/shadow_copy.so
+usr/lib/samba/vfs/shadow_copy2.so
+usr/lib/samba/vfs/shell_snap.so
+usr/lib/samba/vfs/snapper.so
+usr/lib/samba/vfs/streams_depot.so
+usr/lib/samba/vfs/streams_xattr.so
+usr/lib/samba/vfs/syncops.so
+usr/lib/samba/vfs/time_audit.so
+usr/lib/samba/vfs/unityed_media.so
+usr/lib/samba/vfs/virusfilter.so
+usr/lib/samba/vfs/widelinks.so
+usr/lib/samba/vfs/worm.so
+usr/lib/samba/vfs/xattr_tdb.so
+usr/lib/security
+usr/lib/security/pam_winbind.so
+#usr/libexec/samba
+usr/libexec/samba/smbspool_krb5_wrapper
+usr/sbin/eventlogadm
+usr/sbin/nmbd
+usr/sbin/samba-gpupdate
+usr/sbin/smbd
+usr/sbin/winbindd
+var/ipfire/backup/addons/includes/samba
+#var/ipfire/samba
+var/ipfire/samba/default.global
+var/ipfire/samba/default.pdc
+var/ipfire/samba/default.printer
+var/ipfire/samba/default.settings
+var/ipfire/samba/default.shares
+var/ipfire/samba/global
+var/ipfire/samba/pdc
+var/ipfire/samba/printer
+#var/ipfire/samba/private
+var/ipfire/samba/private/secrets.tdb
+var/ipfire/samba/private/smbpasswd
+var/ipfire/samba/settings
+var/ipfire/samba/shares
+var/ipfire/samba/smb.conf
+var/ipfire/samba/smb.conf.default
+var/lib/samba
+var/lib/samba/bind-dns
+var/lib/samba/private
+var/lib/samba/winbindd_privileged
+var/log/samba
+var/nmbd
+srv/web/ipfire/cgi-bin/samba.cgi
+srv/web/ipfire/cgi-bin/sambahlp.cgi
+var/ipfire/menu.d/EX-samba.menu
+usr/local/bin/sambactrl
diff --git a/lfs/samba b/lfs/samba
index aa6f1fd62..dcc3ee051 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 3.6.25
+VER        = 4.13.0
 
 THISAPP    = samba-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,9 +32,9 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = samba
-PAK_VER    = 68
+PAK_VER    = 69
 
-DEPS       = cups krb5
+DEPS       = cups libtirpc krb5 perl-Parse-Yapp
 
 ###############################################################################
 # Top-level Rules
@@ -44,7 +44,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 76da2fa64edd94a0188531e7ecb27c4e
+$(DL_FILE)_MD5 = a7f5cccac09d638b3bd11204003b7e7b
 
 install : $(TARGET)
 
@@ -77,117 +77,26 @@  $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	$(UPDATE_AUTOMAKE)
-
-	# Apply patches from RHEL6
-	# Upstream patches
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_nbt_query_with_many_components.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_group_expansion_with_nss_templates.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_group_expansion_in_service_path.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_memleak_in_printer_list.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_lookups_with_one_way_trusts.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_setup_domain_child_logic.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_force_user_with_security_ads.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-add_timeout_option_to_smbclient.patch
-	# Additional Red Hat patches
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.2.0pre1-pipedir.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.2.0pre1-grouppwd.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.2.5-inotify.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.11-idmapdebug.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.11-docs.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.11-nss_info_doc.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.11-wbinfo_manpage.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.12-dns.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.5.12-pam_radio_type.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.18-fix_net_ads_join_segfault.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.19-valid_users_doc.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.23-gecos.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.23-glusterfs.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.23-libsmbclient.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.23-fix_libads_krb5_ipv6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.26-smb2_case_sensitive.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_gecos_interactive.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_dropbox_share.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-add_spoolss_os_version.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-nt_printer_publish_guid.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_keytab_null_termination.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_printcap_cpu_utilization.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_smb_conf_doc.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-bug-1117059.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-bug-1192211.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_usergroup_cache_lookup.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_force_user_winbind_default_domain.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_rpcclient_timeout_command.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_force_group.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_pam_winbind_parsing_segfault.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_mangling_hash_segfault.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-doc_netbios_name_length_limit.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_map_to_guest_bad_uid.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_security_server_share_access.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_stale_printer_entries_on_rename.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5299-v3-6-bso11529.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5296-v3-6-bso11536.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5330-v3-6-bso11599.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-net_ads_join_no_dns_updates.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-asserted_identity_sid-S-1-18-1.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-7560-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_symlink_verification.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-preparation-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2110-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2111-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2112-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2115-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2118-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5370-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_winbind_cache_memory_leak.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_memleak_winbind_cached_creds.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-idmap_ad_memleak.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-libsmb_fix_dfs_connections.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-2110-ntlmssp-session-setup-nas.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_rpc_query_user_list.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-nt_printer_unpublish_fix.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2126-v3.6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2125-v3.6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_member_auth_after_changed_secret.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-fix_dirsort_ea-support.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-7494-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/samba-3.6.99-winbind_fix_trusted_domain_handling.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-2619.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-12150-v3-6.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-12163.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2017-15275.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/doc-update.patch
-
-	cd $(DIR_APP)/source3 && ./autogen.sh
-	cd $(DIR_APP)/source3 && ./configure \
+	cd $(DIR_APP) && ./configure \
 		--prefix=/usr \
 		--libdir=/usr/lib/ \
 		--sysconfdir=/var/ipfire \
 		--localstatedir=/var \
+		--without-ad-dc \
 		--with-cachedir=/var/lib/samba \
 		--with-lockdir=/var/lib/samba \
 		--with-piddir=/var/run \
 		--with-ads \
 		--with-acl-support \
-		--with-libsmbclient \
-		--with-libsmbsharemodes \
 		--with-sendfile-support \
-		--with-fhs \
 		--with-winbind \
-		--disable-swat \
+		--enable-fhs \
 		--enable-cups \
 		--disable-avahi \
 		--with-syslog
-	cd $(DIR_APP)/source3 && make $(MAKETUNING) idl_full
-	cd $(DIR_APP)/source3 && make $(MAKETUNING) proto && make all $(MAKETUNING) $(EXTRA_MAKE)
-	cd $(DIR_APP)/source3 && make install
-	cd $(DIR_APP)/source3 && chmod -v 644 /usr/include/libsmbclient.h
-	#cd $(DIR_APP)/source3 && install -v -m755 nsswitch/libnss_wins.so /lib
-	#cd $(DIR_APP)/source3 && install -v -m755 nsswitch/libnss_winbind.so /lib
-	#cd $(DIR_APP)/source3 && ln -v -sf libnss_winbind.so /lib/libnss_winbind.so.2
-	#cd $(DIR_APP)/source3 && ln -v -sf libnss_wins.so /lib/libnss_wins.so.2
+	cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
+	cd $(DIR_APP) && make install
+
 	-mkdir -p /var/ipfire/samba
 	cd $(DIR_APP)/source3 && install -v -m644 ../examples/smb.conf.default /var/ipfire/samba
 	cp -vrf $(DIR_SRC)/config/samba/* /var/ipfire/samba/
@@ -198,6 +107,8 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cp -vfp /var/ipfire/samba/default.shares /var/ipfire/samba/shares
 	cp -vfp /var/ipfire/samba/default.printer /var/ipfire/samba/printer
 	cat /var/ipfire/samba/global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf
+	rm -rf /var/lib/samba/private
+	ln -s /var/ipfire/samba/private /var/lib/samba/private
 	-mkdir -p /var/log/samba
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/samba /var/ipfire/backup/addons/includes/samba
 
diff --git a/src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch b/src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch
deleted file mode 100644
index b7580fba3..000000000
--- a/src/patches/samba/CVE-2015-5252-v3-6-bso11395.patch
+++ /dev/null
@@ -1,44 +0,0 @@ 
-From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 9 Jul 2015 10:58:11 -0700
-Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
- access outside the share).
-
-Ensure matching component ends in '/' or '\0'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
----
- source3/smbd/vfs.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
-index 6c56964..bd93b7f 100644
---- a/source3/smbd/vfs.c
-+++ b/source3/smbd/vfs.c
-@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
- 	if (!allow_widelinks || !allow_symlinks) {
- 		const char *conn_rootdir;
- 		size_t rootdir_len;
-+		bool matched;
- 
- 		conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
- 		if (conn_rootdir == NULL) {
-@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
- 		}
- 
- 		rootdir_len = strlen(conn_rootdir);
--		if (strncmp(conn_rootdir, resolved_name,
--				rootdir_len) != 0) {
-+		matched = (strncmp(conn_rootdir, resolved_name,
-+				rootdir_len) == 0);
-+		if (!matched || (resolved_name[rootdir_len] != '/' &&
-+				 resolved_name[rootdir_len] != '\0')) {
- 			DEBUG(2, ("check_reduced_name: Bad access "
- 				"attempt: %s is a symlink outside the "
- 				"share path\n", fname));
--- 
-2.5.0
-
diff --git a/src/patches/samba/CVE-2015-5296-v3-6-bso11536.patch b/src/patches/samba/CVE-2015-5296-v3-6-bso11536.patch
deleted file mode 100644
index 4b722a56a..000000000
--- a/src/patches/samba/CVE-2015-5296-v3-6-bso11536.patch
+++ /dev/null
@@ -1,113 +0,0 @@ 
-From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 30 Sep 2015 21:17:02 +0200
-Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
- encryption in do_connect()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/libsmb/clidfs.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index 23e1471..f153b6b 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
- 	const char *username;
- 	const char *password;
- 	NTSTATUS status;
-+	int signing_state = get_cmdline_auth_info_signing_state(auth_info);
-+
-+	if (force_encrypt) {
-+		signing_state = Required;
-+	}
- 
- 	/* make a copy so we don't modify the global string 'service' */
- 	servicename = talloc_strdup(ctx,share);
-@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
- 	zero_sockaddr(&ss);
- 
- 	/* have to open a new connection */
--	c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
-+	c = cli_initialise_ex(signing_state);
- 	if (c == NULL) {
- 		d_printf("Connection to %s failed\n", server_n);
- 		return NULL;
--- 
-2.5.0
-
-
-From 060adb0abdeda51b8b622c6020b5dea0c8dde1cf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 30 Sep 2015 21:17:02 +0200
-Subject: [PATCH 2/2] CVE-2015-5296: s3:libsmb: force signing when requiring
- encryption in SMBC_server_internal()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/libsmb/libsmb_server.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index 45be660..167f2c9 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
-         const char *username_used;
-  	NTSTATUS status;
- 	char *newserver, *newshare;
-+	int signing_state = Undefined;
- 
- 	zero_sockaddr(&ss);
- 	ZERO_STRUCT(c);
-@@ -404,8 +405,12 @@ again:
- 
- 	zero_sockaddr(&ss);
- 
-+	if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
-+		signing_state = Required;
-+	}
-+
- 	/* have to open a new connection */
--	if ((c = cli_initialise()) == NULL) {
-+	if ((c = cli_initialise_ex(signing_state)) == NULL) {
- 		errno = ENOMEM;
- 		return NULL;
- 	}
-@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
-         ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
-                                    pp_workgroup, pp_username, pp_password);
-         if (!ipc_srv) {
-+		int signing_state = Undefined;
- 
-                 /* We didn't find a cached connection.  Get the password */
- 		if (!*pp_password || (*pp_password)[0] == '\0') {
-@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
-                 if (smbc_getOptionUseCCache(context)) {
-                         flags |= CLI_FULL_CONNECTION_USE_CCACHE;
-                 }
-+		if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
-+			signing_state = Required;
-+		}
- 
-                 zero_sockaddr(&ss);
-                 nt_status = cli_full_connection(&ipc_cli,
-@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
- 						*pp_workgroup,
- 						*pp_password,
- 						flags,
--						Undefined);
-+						signing_state);
-                 if (! NT_STATUS_IS_OK(nt_status)) {
-                         DEBUG(1,("cli_full_connection failed! (%s)\n",
-                                  nt_errstr(nt_status)));
--- 
-2.5.0
-
diff --git a/src/patches/samba/CVE-2015-5299-v3-6-bso11529.patch b/src/patches/samba/CVE-2015-5299-v3-6-bso11529.patch
deleted file mode 100644
index 38936bb91..000000000
--- a/src/patches/samba/CVE-2015-5299-v3-6-bso11529.patch
+++ /dev/null
@@ -1,98 +0,0 @@ 
-From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 23 Oct 2015 14:54:31 -0700
-Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
- snapdir
-
-Fix originally from <partha@exablox.com>
-
-https://bugzilla.samba.org/show_bug.cgi?id=11529
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
----
- source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 47 insertions(+)
-
-diff --git a/source3/modules/vfs_shadow_copy2.c b/source3/modules/vfs_shadow_copy2.c
-index fedfb53..16c1ed7 100644
---- a/source3/modules/vfs_shadow_copy2.c
-+++ b/source3/modules/vfs_shadow_copy2.c
-@@ -21,6 +21,8 @@
- 
- #include "includes.h"
- #include "smbd/smbd.h"
-+#include "smbd/globals.h"
-+#include "../libcli/security/security.h"
- #include "system/filesys.h"
- #include "ntioctl.h"
- 
-@@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle_struct *handle,  const char *fname, mod
-         SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
- }
- 
-+static bool check_access_snapdir(struct vfs_handle_struct *handle,
-+				const char *path)
-+{
-+	struct smb_filename smb_fname;
-+	int ret;
-+	NTSTATUS status;
-+	uint32_t access_granted = 0;
-+
-+	ZERO_STRUCT(smb_fname);
-+	smb_fname.base_name = talloc_asprintf(talloc_tos(),
-+						"%s",
-+						path);
-+	if (smb_fname.base_name == NULL) {
-+		return false;
-+	}
-+
-+	ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
-+	if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
-+		TALLOC_FREE(smb_fname.base_name);
-+		return false;
-+	}
-+
-+	status = smbd_check_open_rights(handle->conn,
-+					&smb_fname,
-+					SEC_DIR_LIST,
-+					&access_granted);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0,("user does not have list permission "
-+			"on snapdir %s\n",
-+			smb_fname.base_name));
-+		TALLOC_FREE(smb_fname.base_name);
-+		return false;
-+	}
-+	TALLOC_FREE(smb_fname.base_name);
-+	return true;
-+}
-+
- static int shadow_copy2_rmdir(vfs_handle_struct *handle,  const char *fname)
- {
-         SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
-@@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2_data(vfs_handle_struct *handle,
- 	SMB_STRUCT_DIRENT *d;
- 	TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
- 	char *snapshot;
-+	bool ret;
- 
- 	snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
- 	if (snapdir == NULL) {
-@@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2_data(vfs_handle_struct *handle,
- 		talloc_free(tmp_ctx);
- 		return -1;
- 	}
-+	ret = check_access_snapdir(handle, snapdir);
-+	if (!ret) {
-+		DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
-+		errno = EACCES;
-+		talloc_free(tmp_ctx);
-+		return -1;
-+	}
- 
- 	p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);
- 
--- 
-2.5.0
-
diff --git a/src/patches/samba/CVE-2015-5330-v3-6-bso11599.patch b/src/patches/samba/CVE-2015-5330-v3-6-bso11599.patch
deleted file mode 100644
index 4ae1473bc..000000000
--- a/src/patches/samba/CVE-2015-5330-v3-6-bso11599.patch
+++ /dev/null
@@ -1,214 +0,0 @@ 
-From a96c0528c68093d155b674269a9c8bf48315fc01 Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Tue, 24 Nov 2015 13:47:16 +1300
-Subject: [PATCH 1/3] CVE-2015-5330: Fix handling of unicode near string
- endings
-
-Until now next_codepoint_ext() and next_codepoint_handle_ext() were
-using strnlen(str, 5) to determine how much string they should try to
-decode. This ended up looking past the end of the string when it was not
-null terminated and the final character looked like a multi-byte encoding.
-The fix is to let the caller say how long the string can be.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/util/charset/charset.h     |  9 +++++----
- lib/util/charset/codepoints.c  | 19 +++++++++++++------
- lib/util/charset/util_unistr.c |  5 ++++-
- source3/lib/util_str.c         |  2 +-
- 4 files changed, 23 insertions(+), 12 deletions(-)
-
-diff --git a/lib/util/charset/charset.h b/lib/util/charset/charset.h
-index 474d77e..b70aa61 100644
---- a/lib/util/charset/charset.h
-+++ b/lib/util/charset/charset.h
-@@ -175,15 +175,16 @@ smb_iconv_t get_conv_handle(struct smb_iconv_convenience *ic,
- 			    charset_t from, charset_t to);
- const char *charset_name(struct smb_iconv_convenience *ic, charset_t ch);
- 
--codepoint_t next_codepoint_ext(const char *str, charset_t src_charset,
--			       size_t *size);
-+codepoint_t next_codepoint_ext(const char *str, size_t len,
-+			       charset_t src_charset, size_t *size);
- codepoint_t next_codepoint(const char *str, size_t *size);
- ssize_t push_codepoint(char *str, codepoint_t c);
- 
- /* codepoints */
- codepoint_t next_codepoint_convenience_ext(struct smb_iconv_convenience *ic,
--			    const char *str, charset_t src_charset,
--			    size_t *size);
-+					   const char *str, size_t len,
-+					   charset_t src_charset,
-+					   size_t *size);
- codepoint_t next_codepoint_convenience(struct smb_iconv_convenience *ic, 
- 			    const char *str, size_t *size);
- ssize_t push_codepoint_convenience(struct smb_iconv_convenience *ic, 
-diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
-index 5ee95a8..8dd647e 100644
---- a/lib/util/charset/codepoints.c
-+++ b/lib/util/charset/codepoints.c
-@@ -346,7 +346,8 @@ smb_iconv_t get_conv_handle(struct smb_iconv_convenience *ic,
-  */
- _PUBLIC_ codepoint_t next_codepoint_convenience_ext(
- 			struct smb_iconv_convenience *ic,
--			const char *str, charset_t src_charset,
-+			const char *str, size_t len,
-+			charset_t src_charset,
- 			size_t *bytes_consumed)
- {
- 	/* it cannot occupy more than 4 bytes in UTF16 format */
-@@ -366,7 +367,7 @@ _PUBLIC_ codepoint_t next_codepoint_convenience_ext(
- 	 * we assume that no multi-byte character can take more than 5 bytes.
- 	 * This is OK as we only support codepoints up to 1M (U+100000)
- 	 */
--	ilen_orig = strnlen(str, 5);
-+	ilen_orig = MIN(len, 5);
- 	ilen = ilen_orig;
- 
- 	descriptor = get_conv_handle(ic, src_charset, CH_UTF16);
-@@ -424,7 +425,13 @@ _PUBLIC_ codepoint_t next_codepoint_convenience_ext(
- _PUBLIC_ codepoint_t next_codepoint_convenience(struct smb_iconv_convenience *ic,
- 				    const char *str, size_t *size)
- {
--	return next_codepoint_convenience_ext(ic, str, CH_UNIX, size);
-+	/*
-+	 * We assume that no multi-byte character can take more than 5 bytes
-+	 * thus avoiding walking all the way down a long string. This is OK as
-+	 * Unicode codepoints only go up to (U+10ffff), which can always be
-+	 * encoded in 4 bytes or less.
-+	 */
-+	return next_codepoint_convenience_ext(ic, str, strnlen(str, 5), CH_UNIX, size);
- }
- 
- /*
-@@ -486,10 +493,10 @@ _PUBLIC_ ssize_t push_codepoint_convenience(struct smb_iconv_convenience *ic,
- 	return 5 - olen;
- }
- 
--_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, charset_t src_charset,
--					size_t *size)
-+_PUBLIC_ codepoint_t next_codepoint_ext(const char *str, size_t len,
-+					charset_t src_charset, size_t *size)
- {
--	return next_codepoint_convenience_ext(get_iconv_convenience(), str,
-+	return next_codepoint_convenience_ext(get_iconv_convenience(), str, len,
- 					      src_charset, size);
- }
- 
-diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
-index 760be77..d9e9b34 100644
---- a/lib/util/charset/util_unistr.c
-+++ b/lib/util/charset/util_unistr.c
-@@ -485,7 +485,10 @@ _PUBLIC_ char *strupper_talloc_n(TALLOC_CTX *ctx, const char *src, size_t n)
- 
- 	while (n-- && *src) {
- 		size_t c_size;
--		codepoint_t c = next_codepoint_convenience(iconv_convenience, src, &c_size);
-+		codepoint_t c = next_codepoint_convenience_ext(iconv_convenience,
-+							       src,
-+							       n,
-+							       &c_size);
- 		src += c_size;
- 
- 		c = toupper_m(c);
-diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
-index 4701528..f8a5160 100644
---- a/source3/lib/util_str.c
-+++ b/source3/lib/util_str.c
-@@ -1486,7 +1486,7 @@ size_t strlen_m_ext(const char *s, const charset_t src_charset,
- 
- 	while (*s) {
- 		size_t c_size;
--		codepoint_t c = next_codepoint_ext(s, src_charset, &c_size);
-+		codepoint_t c = next_codepoint_ext(s, strnlen(s, 5), src_charset, &c_size);
- 		s += c_size;
- 
- 		switch (dst_charset) {
--- 
-2.5.0
-
-
-From 8298252a1ba9c014f7ceb76736abb38132181f79 Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Tue, 24 Nov 2015 13:54:09 +1300
-Subject: [PATCH 2/3] CVE-2015-5330: next_codepoint_handle_ext: don't
- short-circuit UTF16 low bytes
-
-UTF16 contains zero bytes when it is encoding ASCII (for example), so we
-can't assume the absense of the 0x80 bit means a one byte encoding. No
-current callers use UTF16.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/util/charset/codepoints.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/lib/util/charset/codepoints.c b/lib/util/charset/codepoints.c
-index 8dd647e..cf5f3e6 100644
---- a/lib/util/charset/codepoints.c
-+++ b/lib/util/charset/codepoints.c
-@@ -358,7 +358,10 @@ _PUBLIC_ codepoint_t next_codepoint_convenience_ext(
- 	size_t olen;
- 	char *outbuf;
- 
--	if ((str[0] & 0x80) == 0) {
-+
-+	if (((str[0] & 0x80) == 0) && (src_charset == CH_DOS ||
-+				       src_charset == CH_UNIX ||
-+				       src_charset == CH_UTF8)) {
- 		*bytes_consumed = 1;
- 		return (codepoint_t)str[0];
- 	}
--- 
-2.5.0
-
-
-From 0988b7cb606a7e4cd73fd8db02806abbc9d8f2e0 Mon Sep 17 00:00:00 2001
-From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Date: Tue, 24 Nov 2015 13:49:09 +1300
-Subject: [PATCH 3/3] CVE-2015-5330: strupper_talloc_n_handle(): properly count
- characters
-
-When a codepoint eats more than one byte we really want to know,
-especially if the string is not NUL terminated.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=11599
-
-Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- lib/util/charset/util_unistr.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/util/charset/util_unistr.c b/lib/util/charset/util_unistr.c
-index d9e9b34..6dad43f 100644
---- a/lib/util/charset/util_unistr.c
-+++ b/lib/util/charset/util_unistr.c
-@@ -483,13 +483,14 @@ _PUBLIC_ char *strupper_talloc_n(TALLOC_CTX *ctx, const char *src, size_t n)
- 		return NULL;
- 	}
- 
--	while (n-- && *src) {
-+	while (n && *src) {
- 		size_t c_size;
- 		codepoint_t c = next_codepoint_convenience_ext(iconv_convenience,
- 							       src,
- 							       n,
- 							       &c_size);
- 		src += c_size;
-+		n -= c_size;
- 
- 		c = toupper_m(c);
- 
--- 
-2.5.0
-
diff --git a/src/patches/samba/CVE-2015-5370-v3-6.patch b/src/patches/samba/CVE-2015-5370-v3-6.patch
deleted file mode 100644
index 7af1dd362..000000000
--- a/src/patches/samba/CVE-2015-5370-v3-6.patch
+++ /dev/null
@@ -1,3080 +0,0 @@ 
-From 8368c32cb69da82c8df36404ec8042c3046866ca Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 16 Jul 2015 22:46:05 +0200
-Subject: [PATCH 01/40] CVE-2015-5370: dcerpc.idl: add
- DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- librpc/idl/dcerpc.idl | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
-index 75ef2ec..bbb42d1 100644
---- a/librpc/idl/dcerpc.idl
-+++ b/librpc/idl/dcerpc.idl
-@@ -475,9 +475,11 @@ interface dcerpc
- 	const uint8 DCERPC_PFC_OFFSET      =  3;
- 	const uint8 DCERPC_DREP_OFFSET     =  4;
- 	const uint8 DCERPC_FRAG_LEN_OFFSET =  8;
-+	const uint32 DCERPC_FRAG_MAX_SIZE  = 5840;
- 	const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
- 	const uint8 DCERPC_CALL_ID_OFFSET  = 12;
- 	const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
-+	const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
- 
- 	/* little-endian flag */
- 	const uint8 DCERPC_DREP_LE  = 0x10;
--- 
-2.8.1
-
-
-From e3043ba5aafdb0605ab14b11917d497b59d82bec Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 28 Jun 2015 01:19:57 +0200
-Subject: [PATCH 02/40] CVE-2015-5370: librpc/rpc: simplify and harden
- dcerpc_pull_auth_trailer()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- librpc/rpc/dcerpc_util.c | 63 ++++++++++++++++++++++++++++++++++++------------
- librpc/rpc/rpc_common.h  |  4 +--
- 2 files changed, 49 insertions(+), 18 deletions(-)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index 97ef798..f936ef4 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -92,31 +92,44 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob)
- *
- * @return		- A NTSTATUS error code.
- */
--NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
-+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
- 				  TALLOC_CTX *mem_ctx,
--				  DATA_BLOB *pkt_trailer,
-+				  const DATA_BLOB *pkt_trailer,
- 				  struct dcerpc_auth *auth,
--				  uint32_t *auth_length,
-+				  uint32_t *_auth_length,
- 				  bool auth_data_only)
- {
- 	struct ndr_pull *ndr;
- 	enum ndr_err_code ndr_err;
--	uint32_t data_and_pad;
-+	uint16_t data_and_pad;
-+	uint16_t auth_length;
-+	uint32_t tmp_length;
- 
--	data_and_pad = pkt_trailer->length
--			- (DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length);
-+	ZERO_STRUCTP(auth);
-+	if (_auth_length != NULL) {
-+		*_auth_length = 0;
-+	}
- 
--	/* paranoia check for pad size. This would be caught anyway by
--	   the ndr_pull_advance() a few lines down, but it scared
--	   Jeremy enough for him to call me, so we might as well check
--	   it now, just to prevent someone posting a bogus YouTube
--	   video in the future.
--	*/
--	if (data_and_pad > pkt_trailer->length) {
--		return NT_STATUS_INFO_LENGTH_MISMATCH;
-+	/* Paranoia checks for auth_length. The caller should check this... */
-+	if (pkt->auth_length > pkt->frag_length) {
-+		return NT_STATUS_INTERNAL_ERROR;
-+	}
-+	tmp_length = DCERPC_NCACN_PAYLOAD_OFFSET;
-+	tmp_length += DCERPC_AUTH_TRAILER_LENGTH;
-+	tmp_length += pkt->auth_length;
-+	if (tmp_length > pkt->frag_length) {
-+		return NT_STATUS_INTERNAL_ERROR;
-+	}
-+	if (pkt_trailer->length > UINT16_MAX) {
-+		return NT_STATUS_INTERNAL_ERROR;
- 	}
- 
--	*auth_length = pkt_trailer->length - data_and_pad;
-+	auth_length = DCERPC_AUTH_TRAILER_LENGTH + pkt->auth_length;
-+	if (pkt_trailer->length < auth_length) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	data_and_pad = pkt_trailer->length - auth_length;
- 
- 	ndr = ndr_pull_init_blob(pkt_trailer, mem_ctx);
- 	if (!ndr) {
-@@ -136,14 +149,28 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
- 	ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth);
- 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- 		talloc_free(ndr);
-+		ZERO_STRUCTP(auth);
- 		return ndr_map_error2ntstatus(ndr_err);
- 	}
- 
-+	if (data_and_pad < auth->auth_pad_length) {
-+		DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
-+			  "Calculated %u  got %u\n",
-+			  (unsigned)data_and_pad,
-+			  (unsigned)auth->auth_pad_length));
-+		talloc_free(ndr);
-+		ZERO_STRUCTP(auth);
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
- 	if (auth_data_only && data_and_pad != auth->auth_pad_length) {
--		DEBUG(1, (__location__ ": WARNING: pad length mismatch. "
-+		DEBUG(1, (__location__ ": ERROR: pad length mismatch. "
- 			  "Calculated %u  got %u\n",
- 			  (unsigned)data_and_pad,
- 			  (unsigned)auth->auth_pad_length));
-+		talloc_free(ndr);
-+		ZERO_STRUCTP(auth);
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
- 	}
- 
- 	DEBUG(6,(__location__ ": auth_pad_length %u\n",
-@@ -152,6 +179,10 @@ NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
- 	talloc_steal(mem_ctx, auth->credentials.data);
- 	talloc_free(ndr);
- 
-+	if (_auth_length != NULL) {
-+		*_auth_length = auth_length;
-+	}
-+
- 	return NT_STATUS_OK;
- }
- 
-diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
-index fe8129d..98a2e95 100644
---- a/librpc/rpc/rpc_common.h
-+++ b/librpc/rpc/rpc_common.h
-@@ -158,9 +158,9 @@ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
- *
- * @return		- A NTSTATUS error code.
- */
--NTSTATUS dcerpc_pull_auth_trailer(struct ncacn_packet *pkt,
-+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
- 				  TALLOC_CTX *mem_ctx,
--				  DATA_BLOB *pkt_trailer,
-+				  const DATA_BLOB *pkt_trailer,
- 				  struct dcerpc_auth *auth,
- 				  uint32_t *auth_length,
- 				  bool auth_data_only);
--- 
-2.8.1
-
-
-From 397300d996299400842938131691fbbeb88c2c82 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 29 Jun 2015 10:24:45 +0200
-Subject: [PATCH 03/40] CVE-2015-5370: s3:librpc/rpc: don't call
- dcerpc_pull_auth_trailer() if auth_length is 0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All other paranoia checks are done within dcerpc_pull_auth_trailer()
-now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/librpc/rpc/dcerpc_helpers.c | 12 ++----------
- 1 file changed, 2 insertions(+), 10 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index 24f2f52..76f2acc 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -899,16 +899,8 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
--	/* Paranioa checks for auth_length. */
--	if (pkt->auth_length > pkt->frag_length) {
--		return NT_STATUS_INFO_LENGTH_MISMATCH;
--	}
--	if (((unsigned int)pkt->auth_length
--	     + DCERPC_AUTH_TRAILER_LENGTH < (unsigned int)pkt->auth_length) ||
--	    ((unsigned int)pkt->auth_length
--	     + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
--		/* Integer wrap attempt. */
--		return NT_STATUS_INFO_LENGTH_MISMATCH;
-+	if (pkt->auth_length == 0) {
-+		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
- 	status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
--- 
-2.8.1
-
-
-From faa20091b4a456a5e29f852561f6f5e9863860e0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 26 Jun 2015 08:10:46 +0200
-Subject: [PATCH 04/40] CVE-2015-5370: librpc/rpc: add a
- dcerpc_verify_ncacn_packet_header() helper function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 8266be48f455a5e541d0f7f62a1c8c38e0835976)
----
- librpc/rpc/dcerpc_util.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++
- librpc/rpc/rpc_common.h  |  5 ++++
- 2 files changed, 78 insertions(+)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index f936ef4..2f599d5 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -186,6 +186,79 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
- 	return NT_STATUS_OK;
- }
- 
-+/**
-+* @brief	Verify the fields in ncacn_packet header.
-+*
-+* @param pkt		- The ncacn_packet strcuture
-+* @param ptype		- The expected PDU type
-+* @param max_auth_info	- The maximum size of a possible auth trailer
-+* @param required_flags	- The required flags for the pdu.
-+* @param optional_flags	- The possible optional flags for the pdu.
-+*
-+* @return		- A NTSTATUS error code.
-+*/
-+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
-+					   enum dcerpc_pkt_type ptype,
-+					   size_t max_auth_info,
-+					   uint8_t required_flags,
-+					   uint8_t optional_flags)
-+{
-+	if (pkt->rpc_vers != 5) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (pkt->rpc_vers_minor != 0) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (pkt->auth_length > pkt->frag_length) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (pkt->ptype != ptype) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (max_auth_info > UINT16_MAX) {
-+		return NT_STATUS_INTERNAL_ERROR;
-+	}
-+
-+	if (pkt->auth_length > 0) {
-+		size_t max_auth_length;
-+
-+		if (max_auth_info <= DCERPC_AUTH_TRAILER_LENGTH) {
-+			return NT_STATUS_RPC_PROTOCOL_ERROR;
-+		}
-+		max_auth_length = max_auth_info - DCERPC_AUTH_TRAILER_LENGTH;
-+
-+		if (pkt->auth_length > max_auth_length) {
-+			return NT_STATUS_RPC_PROTOCOL_ERROR;
-+		}
-+	}
-+
-+	if ((pkt->pfc_flags & required_flags) != required_flags) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+	if (pkt->pfc_flags & ~(optional_flags|required_flags)) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (pkt->drep[0] & ~DCERPC_DREP_LE) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+	if (pkt->drep[1] != 0) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+	if (pkt->drep[2] != 0) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+	if (pkt->drep[3] != 0) {
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	return NT_STATUS_OK;
-+}
-+
- struct dcerpc_read_ncacn_packet_state {
- #if 0
- 	struct {
-diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
-index 98a2e95..b3ae5b2 100644
---- a/librpc/rpc/rpc_common.h
-+++ b/librpc/rpc/rpc_common.h
-@@ -164,6 +164,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
- 				  struct dcerpc_auth *auth,
- 				  uint32_t *auth_length,
- 				  bool auth_data_only);
-+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt,
-+					   enum dcerpc_pkt_type ptype,
-+					   size_t max_auth_info,
-+					   uint8_t required_flags,
-+					   uint8_t optional_flags);
- struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx,
- 						 struct tevent_context *ev,
- 						 struct tstream_context *stream);
--- 
-2.8.1
-
-
-From c176174588c1119a11066b6188ac50cd3c9603f4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 05/40] CVE-2015-5370: s3:rpc_client: move AS/U hack to the top
- of cli_pipe_validate_current_pdu()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 665b874b6022bfcdec3f13a9f5a844e5d1784aba)
----
- source3/rpc_client/cli_pipe.c | 24 +++++++++++++-----------
- 1 file changed, 13 insertions(+), 11 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 5ddabb7..295b88f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -414,6 +414,19 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 	 */
- 	*rdata = *pdu;
- 
-+	if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
-+	    !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
-+		/*
-+		 * TODO: do we still need this hack which was introduced
-+		 * in commit a42afcdcc7ab9aa9ed193ae36d3dbb10843447f0.
-+		 *
-+		 * I don't even know what AS/U might be...
-+		 */
-+		DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
-+			  "fragment first/last ON.\n"));
-+		pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
-+	}
-+
- 	/* Ensure we have the correct type. */
- 	switch (pkt->ptype) {
- 	case DCERPC_PKT_ALTER_RESP:
-@@ -518,17 +531,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 		return NT_STATUS_RPC_PROTOCOL_ERROR;
- 	}
- 
--	/* Do this just before return - we don't want to modify any rpc header
--	   data before now as we may have needed to do cryptographic actions on
--	   it before. */
--
--	if ((pkt->ptype == DCERPC_PKT_BIND_ACK) &&
--	    !(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
--		DEBUG(5, (__location__ ": bug in server (AS/U?), setting "
--			  "fragment first/last ON.\n"));
--		pkt->pfc_flags |= DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
--	}
--
- 	return NT_STATUS_OK;
- }
- 
--- 
-2.8.1
-
-
-From b9ae0068be4dfc6f7d09144c353689ab01955b93 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 06/40] CVE-2015-5370: s3:rpc_client: remove useless
- frag_length check in rpc_api_pipe_got_pdu()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-dcerpc_pull_ncacn_packet() already verifies this.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 9a3f045244b12ff9f77d2664396137c390042297)
----
- source3/rpc_client/cli_pipe.c | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 295b88f..2787fbc 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -898,14 +898,6 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 		return;
- 	}
- 
--	if (state->incoming_frag.length != state->pkt->frag_length) {
--		DEBUG(5, ("Incorrect pdu length %u, expected %u\n",
--			  (unsigned int)state->incoming_frag.length,
--			  (unsigned int)state->pkt->frag_length));
--		tevent_req_nterror(req,  NT_STATUS_INVALID_PARAMETER);
--		return;
--	}
--
- 	status = cli_pipe_validate_current_pdu(state,
- 						state->cli, state->pkt,
- 						&state->incoming_frag,
--- 
-2.8.1
-
-
-From 05688274f03e6086e3ba4d7b4cb4409f9c4d9cb1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 26 Jun 2015 08:10:46 +0200
-Subject: [PATCH 07/40] CVE-2015-5370: s4:rpc_server: no authentication is
- indicated by pkt->auth_length == 0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-pkt->u.*.auth_info.length is not the correct thing to check.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(packported from commit c0236de09e542dbb168969d8ae9f0c150a75198e)
----
- source4/rpc_server/dcesrv_auth.c | 23 ++++++++++++++---------
- 1 file changed, 14 insertions(+), 9 deletions(-)
-
-diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
-index 1e6aa24..61f2176 100644
---- a/source4/rpc_server/dcesrv_auth.c
-+++ b/source4/rpc_server/dcesrv_auth.c
-@@ -46,7 +46,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
- 	NTSTATUS status;
- 	uint32_t auth_length;
- 
--	if (pkt->u.bind.auth_info.length == 0) {
-+	if (pkt->auth_length == 0) {
- 		dce_conn->auth_state.auth_info = NULL;
- 		return true;
- 	}
-@@ -108,7 +108,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
- 	struct dcesrv_connection *dce_conn = call->conn;
- 	NTSTATUS status;
- 
--	if (!call->conn->auth_state.gensec_security) {
-+	if (call->pkt.auth_length == 0) {
- 		return NT_STATUS_OK;
- 	}
- 
-@@ -155,10 +155,16 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
- 	NTSTATUS status;
- 	uint32_t auth_length;
- 
--	/* We can't work without an existing gensec state, and an new blob to feed it */
--	if (!dce_conn->auth_state.auth_info ||
--	    !dce_conn->auth_state.gensec_security ||
--	    pkt->u.auth3.auth_info.length == 0) {
-+	if (pkt->auth_length == 0) {
-+		return false;
-+	}
-+
-+	if (!dce_conn->auth_state.auth_info) {
-+		return false;
-+	}
-+
-+	/* We can't work without an existing gensec state */
-+	if (!dce_conn->auth_state.gensec_security) {
- 		return false;
- 	}
- 
-@@ -203,7 +209,7 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call)
- 	uint32_t auth_length;
- 
- 	/* on a pure interface change there is no auth blob */
--	if (pkt->u.alter.auth_info.length == 0) {
-+	if (pkt->auth_length == 0) {
- 		return true;
- 	}
- 
-@@ -238,8 +244,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
- 
- 	/* on a pure interface change there is no auth_info structure
- 	   setup */
--	if (!call->conn->auth_state.auth_info ||
--	    dce_conn->auth_state.auth_info->credentials.length == 0) {
-+	if (call->pkt.auth_length == 0) {
- 		return NT_STATUS_OK;
- 	}
- 
--- 
-2.8.1
-
-
-From 57230961cee9e82ab060b54b5fb8c2b19f672111 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 27 Jun 2015 10:31:48 +0200
-Subject: [PATCH 08/40] CVE-2015-5370: s4:librpc/rpc: check pkt->auth_length
- before calling dcerpc_pull_auth_trailer
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-(backported from 630dcb55ad7a3a89bcd8643c98a5cdbfb8735ef7)
----
- source4/librpc/rpc/dcerpc.c      | 13 ++++++++++---
- source4/rpc_server/dcesrv_auth.c |  5 +++++
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
-index 742d710..cfbccd6 100644
---- a/source4/librpc/rpc/dcerpc.c
-+++ b/source4/librpc/rpc/dcerpc.c
-@@ -701,6 +701,14 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
- 		return NT_STATUS_INVALID_LEVEL;
- 	}
- 
-+	if (pkt->auth_length == 0) {
-+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+	}
-+
-+	if (c->security_state.generic_state == NULL) {
-+		return NT_STATUS_INTERNAL_ERROR;
-+	}
-+
- 	status = dcerpc_pull_auth_trailer(pkt, mem_ctx,
- 					  &pkt->u.response.stub_and_verifier,
- 					  &auth, &auth_length, false);
-@@ -1074,7 +1082,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *req,
- 	}
- 
- 	/* the bind_ack might contain a reply set of credentials */
--	if (conn->security_state.auth_info && pkt->u.bind_ack.auth_info.length) {
-+	if (conn->security_state.auth_info && pkt->auth_length) {
- 		NTSTATUS status;
- 		uint32_t auth_length;
- 		status = dcerpc_pull_auth_trailer(pkt, conn, &pkt->u.bind_ack.auth_info,
-@@ -1847,8 +1855,7 @@ static void dcerpc_alter_recv_handler(struct rpc_request *req,
- 	}
- 
- 	/* the alter_resp might contain a reply set of credentials */
--	if (recv_pipe->conn->security_state.auth_info &&
--	    pkt->u.alter_resp.auth_info.length) {
-+	if (recv_pipe->conn->security_state.auth_info && pkt->auth_length) {
- 		struct dcecli_connection *conn = recv_pipe->conn;
- 		NTSTATUS status;
- 		uint32_t auth_length;
-diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
-index 61f2176..3051c1c 100644
---- a/source4/rpc_server/dcesrv_auth.c
-+++ b/source4/rpc_server/dcesrv_auth.c
-@@ -320,6 +320,11 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
- 		return false;
- 	}
- 
-+	if (pkt->auth_length == 0) {
-+		DEBUG(1,("dcesrv_auth_request: unexpected auth_length of 0\n"));
-+		return false;
-+	}
-+
- 	status = dcerpc_pull_auth_trailer(pkt, call,
- 					  &pkt->u.request.stub_and_verifier,
- 					  &auth, &auth_length, false);
--- 
-2.8.1
-
-
-From c35b0e37f7d37459f55d67a5037c08bea4d33acf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 28 Jun 2015 01:19:57 +0200
-Subject: [PATCH 09/40] CVE-2015-5370: librpc/rpc: don't allow pkt->auth_length
- == 0 in dcerpc_pull_auth_trailer()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All callers should have already checked that.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 1ed83c7657a3b405db1928db06c29f41d2738186)
----
- librpc/rpc/dcerpc_util.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index 2f599d5..89b7597 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -111,6 +111,11 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
- 	}
- 
- 	/* Paranoia checks for auth_length. The caller should check this... */
-+	if (pkt->auth_length == 0) {
-+		return NT_STATUS_INTERNAL_ERROR;
-+	}
-+
-+	/* Paranoia checks for auth_length. The caller should check this... */
- 	if (pkt->auth_length > pkt->frag_length) {
- 		return NT_STATUS_INTERNAL_ERROR;
- 	}
--- 
-2.8.1
-
-
-From 2341eb0cf8395b1fed628ee6779207d916827a5d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 9 Jul 2015 07:59:24 +0200
-Subject: [PATCH 10/40] CVE-2015-5370: s3:librpc/rpc: remove auth trailer and
- possible padding within dcerpc_check_auth()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This simplifies the callers a lot.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit df3cdf072d1c1e6fd0a58e0374348758f5c65a49)
----
- source3/librpc/rpc/dcerpc.h         |  5 ++---
- source3/librpc/rpc/dcerpc_helpers.c | 31 ++++++++++++++++++++-----------
- source3/rpc_client/cli_pipe.c       | 33 ++++++++++-----------------------
- source3/rpc_server/srv_pipe.c       | 17 +----------------
- 4 files changed, 33 insertions(+), 53 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index d14d8e0..e7cca9e 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -85,9 +85,8 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
- NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 			   struct ncacn_packet *pkt,
- 			   DATA_BLOB *pkt_trailer,
--			   size_t header_size,
--			   DATA_BLOB *raw_pkt,
--			   size_t *pad_len);
-+			   uint8_t header_size,
-+			   DATA_BLOB *raw_pkt);
- 
- /* The following definitions come from librpc/rpc/rpc_common.c  */
- 
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index 76f2acc..d871339 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -844,19 +844,18 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
- *
- * @param auth		The auth data for the connection
- * @param pkt		The actual ncacn_packet
--* @param pkt_trailer	The stub_and_verifier part of the packet
-+* @param pkt_trailer [in][out]	The stub_and_verifier part of the packet,
-+* 			the auth_trailer and padding will be removed.
- * @param header_size	The header size
- * @param raw_pkt	The whole raw packet data blob
--* @param pad_len	[out] The padding length used in the packet
- *
- * @return A NTSTATUS error code
- */
- NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 			   struct ncacn_packet *pkt,
- 			   DATA_BLOB *pkt_trailer,
--			   size_t header_size,
--			   DATA_BLOB *raw_pkt,
--			   size_t *pad_len)
-+			   uint8_t header_size,
-+			   DATA_BLOB *raw_pkt)
- {
- 	struct schannel_state *schannel_auth;
- 	struct auth_ntlmssp_state *ntlmssp_ctx;
-@@ -868,6 +867,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 	DATA_BLOB full_pkt;
- 	DATA_BLOB data;
- 
-+	/*
-+	 * These check should be done in the caller.
-+	 */
-+	SMB_ASSERT(raw_pkt->length == pkt->frag_length);
-+	SMB_ASSERT(header_size <= pkt->frag_length);
-+	SMB_ASSERT(pkt_trailer->length < pkt->frag_length);
-+	SMB_ASSERT((pkt_trailer->length + header_size) <= pkt->frag_length);
-+
- 	switch (auth->auth_level) {
- 	case DCERPC_AUTH_LEVEL_PRIVACY:
- 		DEBUG(10, ("Requested Privacy.\n"));
-@@ -881,7 +888,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 		if (pkt->auth_length != 0) {
- 			break;
- 		}
--		*pad_len = 0;
- 		return NT_STATUS_OK;
- 
- 	case DCERPC_AUTH_LEVEL_NONE:
-@@ -890,7 +896,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 				  "authenticated connection!\n"));
- 			return NT_STATUS_INVALID_PARAMETER;
- 		}
--		*pad_len = 0;
- 		return NT_STATUS_OK;
- 
- 	default:
-@@ -909,10 +914,11 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 		return status;
- 	}
- 
-+	pkt_trailer->length -= auth_length;
- 	data = data_blob_const(raw_pkt->data + header_size,
--				pkt_trailer->length - auth_length);
--	full_pkt = data_blob_const(raw_pkt->data,
--				raw_pkt->length - auth_info.credentials.length);
-+			       pkt_trailer->length);
-+	full_pkt = data_blob_const(raw_pkt->data, raw_pkt->length);
-+	full_pkt.length -= auth_info.credentials.length;
- 
- 	switch (auth->auth_type) {
- 	case DCERPC_AUTH_TYPE_NONE:
-@@ -988,10 +994,13 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 	 * pkt_trailer actually has a copy of the raw data, and they
- 	 * are still both used in later calls */
- 	if (auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
-+		if (pkt_trailer->length != data.length) {
-+			return NT_STATUS_INVALID_PARAMETER;
-+		}
- 		memcpy(pkt_trailer->data, data.data, data.length);
- 	}
- 
--	*pad_len = auth_info.auth_pad_length;
-+	pkt_trailer->length -= auth_info.auth_pad_length;
- 	data_blob_free(&auth_info.credentials);
- 	return NT_STATUS_OK;
- }
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 2787fbc..776e2bf 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -404,9 +404,9 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 						DATA_BLOB *rdata,
- 						DATA_BLOB *reply_pdu)
- {
--	struct dcerpc_response *r;
-+	const struct dcerpc_response *r = NULL;
-+	DATA_BLOB tmp_stub = data_blob_null;
- 	NTSTATUS ret = NT_STATUS_OK;
--	size_t pad_len = 0;
- 
- 	/*
- 	 * Point the return values at the real data including the RPC
-@@ -440,37 +440,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 
- 		r = &pkt->u.response;
- 
-+		tmp_stub.data = r->stub_and_verifier.data;
-+		tmp_stub.length = r->stub_and_verifier.length;
-+
- 		/* Here's where we deal with incoming sign/seal. */
- 		ret = dcerpc_check_auth(cli->auth, pkt,
--					&r->stub_and_verifier,
-+					&tmp_stub,
- 					DCERPC_RESPONSE_LENGTH,
--					pdu, &pad_len);
-+					pdu);
- 		if (!NT_STATUS_IS_OK(ret)) {
- 			return ret;
- 		}
- 
--		if (pkt->frag_length < DCERPC_RESPONSE_LENGTH + pad_len) {
--			return NT_STATUS_BUFFER_TOO_SMALL;
--		}
--
- 		/* Point the return values at the NDR data. */
--		rdata->data = r->stub_and_verifier.data;
--
--		if (pkt->auth_length) {
--			/* We've already done integer wrap tests in
--			 * dcerpc_check_auth(). */
--			rdata->length = r->stub_and_verifier.length
--					 - pad_len
--					 - DCERPC_AUTH_TRAILER_LENGTH
--					 - pkt->auth_length;
--		} else {
--			rdata->length = r->stub_and_verifier.length;
--		}
-+		*rdata = tmp_stub;
- 
--		DEBUG(10, ("Got pdu len %lu, data_len %lu, ss_len %u\n",
-+		DEBUG(10, ("Got pdu len %lu, data_len %lu\n",
- 			   (long unsigned int)pdu->length,
--			   (long unsigned int)rdata->length,
--			   (unsigned int)pad_len));
-+			   (long unsigned int)rdata->length));
- 
- 		/*
- 		 * If this is the first reply, and the allocation hint is
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 964b843..0ab7dc6 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1848,7 +1848,6 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
- {
- 	NTSTATUS status;
- 	size_t hdr_size = DCERPC_REQUEST_LENGTH;
--	size_t pad_len;
- 
- 	DEBUG(10, ("Checking request auth.\n"));
- 
-@@ -1859,25 +1858,11 @@ static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
- 	/* in case of sealing this function will unseal the data in place */
- 	status = dcerpc_check_auth(auth, pkt,
- 				   &pkt->u.request.stub_and_verifier,
--				   hdr_size, raw_pkt,
--				   &pad_len);
-+				   hdr_size, raw_pkt);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return status;
- 	}
- 
--
--	/* remove padding and auth trailer,
--	 * this way the caller will get just the data */
--	if (pkt->auth_length) {
--		size_t trail_len = pad_len
--					+ DCERPC_AUTH_TRAILER_LENGTH
--					+ pkt->auth_length;
--		if (pkt->u.request.stub_and_verifier.length < trail_len) {
--			return NT_STATUS_INFO_LENGTH_MISMATCH;
--		}
--		pkt->u.request.stub_and_verifier.length -= trail_len;
--	}
--
- 	return NT_STATUS_OK;
- }
- 
--- 
-2.8.1
-
-
-From 9ecba8f4635aa5dbd42e4838ce124a92395b64ab Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 9 Jul 2015 07:59:24 +0200
-Subject: [PATCH 11/40] CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth()
- auth_{type,level} against the expected values.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 19f489d32c03ff5fafd34fe86a075d782af1989a)
----
- source3/librpc/rpc/dcerpc_helpers.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index d871339..c07835f 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -914,6 +914,14 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 		return status;
- 	}
- 
-+	if (auth_info.auth_type != auth->auth_type) {
-+		return NT_STATUS_INVALID_PARAMETER;
-+	}
-+
-+	if (auth_info.auth_level != auth->auth_level) {
-+		return NT_STATUS_INVALID_PARAMETER;
-+	}
-+
- 	pkt_trailer->length -= auth_length;
- 	data = data_blob_const(raw_pkt->data + header_size,
- 			       pkt_trailer->length);
--- 
-2.8.1
-
-
-From 765c10dacf39a3c06c6b12651c205ac270e7fcea Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 12/40] CVE-2015-5370: s3:rpc_client: make use of
- dcerpc_pull_auth_trailer()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The does much more validation than dcerpc_pull_dcerpc_auth().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit acea87f158f02c3240abff45c3e54c7d5fa60b29)
----
- source3/rpc_client/cli_pipe.c | 20 ++++++--------------
- 1 file changed, 6 insertions(+), 14 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 776e2bf..27e37f8 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1938,20 +1938,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
- 		rpc_pipe_bind_step_two_trigger(req);
- 		return;
- 
--	case DCERPC_AUTH_TYPE_NTLMSSP:
--	case DCERPC_AUTH_TYPE_SPNEGO:
--	case DCERPC_AUTH_TYPE_KRB5:
--		/* Paranoid lenght checks */
--		if (pkt->frag_length < DCERPC_AUTH_TRAILER_LENGTH
--						+ pkt->auth_length) {
--			tevent_req_nterror(req,
--					NT_STATUS_INFO_LENGTH_MISMATCH);
-+	default:
-+		if (pkt->auth_length == 0) {
-+			tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
- 			return;
- 		}
- 		/* get auth credentials */
--		status = dcerpc_pull_dcerpc_auth(talloc_tos(),
--						 &pkt->u.bind_ack.auth_info,
--						 &auth, false);
-+		status = dcerpc_pull_auth_trailer(pkt, talloc_tos(),
-+						  &pkt->u.bind_ack.auth_info,
-+						  &auth, NULL, true);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DEBUG(0, ("Failed to pull dcerpc auth: %s.\n",
- 				  nt_errstr(status)));
-@@ -1959,9 +1954,6 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
- 			return;
- 		}
- 		break;
--
--	default:
--		goto err_out;
- 	}
- 
- 	/*
--- 
-2.8.1
-
-
-From b58616bbcc810b076e5fd9dd976272847f832b06 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 13/40] CVE-2015-5370: s3:rpc_client: make use of
- dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 81bbffa14f5f6faa9801a3bf2d564d2762d49bb6)
----
- source3/rpc_client/cli_pipe.c | 111 ++++++++++++++++++++++++++++++++++++------
- 1 file changed, 96 insertions(+), 15 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 27e37f8..6a22d38 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -429,17 +429,89 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 
- 	/* Ensure we have the correct type. */
- 	switch (pkt->ptype) {
--	case DCERPC_PKT_ALTER_RESP:
-+	case DCERPC_PKT_BIND_NAK:
-+		DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
-+			  rpccli_pipe_txt(talloc_tos(), cli)));
-+
-+		ret = dcerpc_verify_ncacn_packet_header(pkt,
-+						DCERPC_PKT_BIND_NAK,
-+						0, /* max_auth_info */
-+						DCERPC_PFC_FLAG_FIRST |
-+						DCERPC_PFC_FLAG_LAST,
-+						0); /* optional flags */
-+		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+			return ret;
-+		}
-+
-+		/* Use this for now... */
-+		return NT_STATUS_NETWORK_ACCESS_DENIED;
-+
- 	case DCERPC_PKT_BIND_ACK:
-+		ret = dcerpc_verify_ncacn_packet_header(pkt,
-+					expected_pkt_type,
-+					pkt->u.bind_ack.auth_info.length,
-+					DCERPC_PFC_FLAG_FIRST |
-+					DCERPC_PFC_FLAG_LAST,
-+					DCERPC_PFC_FLAG_CONC_MPX |
-+					DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN);
-+		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+			return ret;
-+		}
- 
--		/* Client code never receives this kind of packets */
- 		break;
- 
-+	case DCERPC_PKT_ALTER_RESP:
-+		ret = dcerpc_verify_ncacn_packet_header(pkt,
-+					expected_pkt_type,
-+					pkt->u.alter_resp.auth_info.length,
-+					DCERPC_PFC_FLAG_FIRST |
-+					DCERPC_PFC_FLAG_LAST,
-+					DCERPC_PFC_FLAG_CONC_MPX |
-+					DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN);
-+		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+			return ret;
-+		}
-+
-+		break;
- 
- 	case DCERPC_PKT_RESPONSE:
- 
- 		r = &pkt->u.response;
- 
-+		ret = dcerpc_verify_ncacn_packet_header(pkt,
-+						expected_pkt_type,
-+						r->stub_and_verifier.length,
-+						0, /* required_flags */
-+						DCERPC_PFC_FLAG_FIRST |
-+						DCERPC_PFC_FLAG_LAST);
-+		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+			return ret;
-+		}
-+
- 		tmp_stub.data = r->stub_and_verifier.data;
- 		tmp_stub.length = r->stub_and_verifier.length;
- 
-@@ -449,6 +521,12 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 					DCERPC_RESPONSE_LENGTH,
- 					pdu);
- 		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
- 			return ret;
- 		}
- 
-@@ -478,14 +556,24 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 
- 		break;
- 
--	case DCERPC_PKT_BIND_NAK:
--		DEBUG(1, (__location__ ": Bind NACK received from %s!\n",
--			  rpccli_pipe_txt(talloc_tos(), cli)));
--		/* Use this for now... */
--		return NT_STATUS_NETWORK_ACCESS_DENIED;
--
- 	case DCERPC_PKT_FAULT:
- 
-+		ret = dcerpc_verify_ncacn_packet_header(pkt,
-+						DCERPC_PKT_FAULT,
-+						0, /* max_auth_info */
-+						DCERPC_PFC_FLAG_FIRST |
-+						DCERPC_PFC_FLAG_LAST,
-+						DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
-+		if (!NT_STATUS_IS_OK(ret)) {
-+			DEBUG(1, (__location__ ": Connection to %s got an unexpected "
-+				  "RPC packet type - %u, expected %u: %s\n",
-+				  rpccli_pipe_txt(talloc_tos(), cli),
-+				  pkt->ptype, expected_pkt_type,
-+				  nt_errstr(ret)));
-+			NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+			return ret;
-+		}
-+
- 		DEBUG(1, (__location__ ": RPC fault code %s received "
- 			  "from %s!\n",
- 			  dcerpc_errstr(talloc_tos(),
-@@ -502,13 +590,6 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- 		return NT_STATUS_RPC_PROTOCOL_ERROR;
- 	}
- 
--	if (pkt->ptype != expected_pkt_type) {
--		DEBUG(3, (__location__ ": Connection to %s got an unexpected "
--			  "RPC packet type - %u, not %u\n",
--			  rpccli_pipe_txt(talloc_tos(), cli),
--			  pkt->ptype, expected_pkt_type));
--		return NT_STATUS_RPC_PROTOCOL_ERROR;
--	}
- 
- 	if (pkt->call_id != call_id) {
- 		DEBUG(3, (__location__ ": Connection to %s got an unexpected "
--- 
-2.8.1
-
-
-From 3e03b1e6d5b20c14d53763f22442bf510a8d6dcd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 10 Jul 2015 14:48:38 +0200
-Subject: [PATCH 14/40] CVE-2015-5370: s3:rpc_client: protect
- rpc_api_pipe_got_pdu() against too large payloads
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 98182969e761429e577064e1a0fd5cbc6b50d7d9)
----
- source3/rpc_client/cli_pipe.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 6a22d38..755b458 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1007,6 +1007,11 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 		return;
- 	}
- 
-+	if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
-+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		return;
-+	}
-+
- 	/* Now copy the data portion out of the pdu into rbuf. */
- 	if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
- 		if (!data_blob_realloc(NULL, &state->reply_pdu,
--- 
-2.8.1
-
-
-From fa884c266be5d808d19955f92921417f435b2957 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 22:51:18 +0200
-Subject: [PATCH 15/40] CVE-2015-5370: s3:rpc_client: verify auth_{type,level}
- in rpc_pipe_bind_step_one_done()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit df51c22bea7fbf906613ceb160f16f298b2e3106)
----
- source3/rpc_client/cli_pipe.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 755b458..1c4ff01 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2039,6 +2039,21 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
- 			tevent_req_nterror(req, status);
- 			return;
- 		}
-+
-+		if (auth.auth_type != pauth->auth_type) {
-+			DEBUG(0, (__location__ " Auth type %u mismatch expected %u.\n",
-+				  auth.auth_type, pauth->auth_type));
-+			tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+			return;
-+		}
-+
-+		if (auth.auth_level != pauth->auth_level) {
-+			DEBUG(0, (__location__ " Auth level %u mismatch expected %u.\n",
-+				  auth.auth_level, pauth->auth_level));
-+			tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+			return;
-+		}
-+
- 		break;
- 	}
- 
--- 
-2.8.1
-
-
-From 6d2767ad8b084590c572e90d1985ca6d7d36b188 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 16/40] CVE-2015-5370: s3:rpc_server: make use of
- dcerpc_pull_auth_trailer() in api_pipe_{bind_req,alter_context,bind_auth3}()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 2a92546590a78760d2fe0e63067a3888dbce53be)
----
- source3/rpc_server/srv_pipe.c | 62 +++++++++----------------------------------
- 1 file changed, 13 insertions(+), 49 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 0ab7dc6..40b1b8e 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1012,25 +1012,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	 * Check if this is an authenticated bind request.
- 	 */
- 	if (pkt->auth_length) {
--		/* Quick length check. Won't catch a bad auth footer,
--		 * prevents overrun. */
--
--		if (pkt->frag_length < RPC_HEADER_LEN +
--					DCERPC_AUTH_TRAILER_LENGTH +
--					pkt->auth_length) {
--			DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
--				"too long for fragment %u.\n",
--				(unsigned int)pkt->auth_length,
--				(unsigned int)pkt->frag_length));
--			goto err_exit;
--		}
--
- 		/*
- 		 * Decode the authentication verifier.
- 		 */
--		status = dcerpc_pull_dcerpc_auth(pkt,
--						 &pkt->u.bind.auth_info,
--						 &auth_info, p->endian);
-+		status = dcerpc_pull_auth_trailer(pkt, pkt,
-+						  &pkt->u.bind.auth_info,
-+						  &auth_info, NULL, true);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
- 			goto err_exit;
-@@ -1233,23 +1220,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 		goto err;
- 	}
- 
--	/* Ensure there's enough data for an authenticated request. */
--	if (pkt->frag_length < RPC_HEADER_LEN
--				+ DCERPC_AUTH_TRAILER_LENGTH
--				+ pkt->auth_length) {
--			DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
--				"%u is too large.\n",
--                        (unsigned int)pkt->auth_length));
--		goto err;
--	}
--
- 	/*
- 	 * Decode the authentication verifier response.
- 	 */
- 
--	status = dcerpc_pull_dcerpc_auth(pkt,
--					 &pkt->u.auth3.auth_info,
--					 &auth_info, p->endian);
-+	status = dcerpc_pull_auth_trailer(pkt, pkt,
-+					  &pkt->u.auth3.auth_info,
-+					  &auth_info, NULL, true);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
- 		goto err;
-@@ -1382,34 +1359,21 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 	 * Check if this is an authenticated alter context request.
- 	 */
- 	if (pkt->auth_length) {
--		/* Quick length check. Won't catch a bad auth footer,
--		 * prevents overrun. */
--
--		if (pkt->frag_length < RPC_HEADER_LEN +
--					DCERPC_AUTH_TRAILER_LENGTH +
--					pkt->auth_length) {
--			DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
--				"too long for fragment %u.\n",
--				(unsigned int)pkt->auth_length,
--				(unsigned int)pkt->frag_length ));
-+		/* We can only finish if the pipe is unbound for now */
-+		if (p->pipe_bound) {
-+			DEBUG(0, (__location__ ": Pipe already bound, "
-+				  "Altering Context not yet supported!\n"));
- 			goto err_exit;
- 		}
- 
--		status = dcerpc_pull_dcerpc_auth(pkt,
--						 &pkt->u.bind.auth_info,
--						 &auth_info, p->endian);
-+		status = dcerpc_pull_auth_trailer(pkt, pkt,
-+						  &pkt->u.bind.auth_info,
-+						  &auth_info, NULL, true);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
- 			goto err_exit;
- 		}
- 
--		/* We can only finish if the pipe is unbound for now */
--		if (p->pipe_bound) {
--			DEBUG(0, (__location__ ": Pipe already bound, "
--				  "Altering Context not yet supported!\n"));
--			goto err_exit;
--		}
--
- 		if (auth_info.auth_type != p->auth.auth_type) {
- 			DEBUG(0, ("Auth type mismatch! Client sent %d, "
- 				  "but auth was started as type %d!\n",
--- 
-2.8.1
-
-
-From 7400ac11282d540d4f5f80d0f58ec99beabb7d8e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Dec 2015 12:38:55 +0100
-Subject: [PATCH 17/40] CVE-2015-5370: s3:rpc_server: let a failing
- sec_verification_trailer mark the connection as broken
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 189c0fbb7a3405f0893f23e5b8d755d259f98eaf)
----
- source3/rpc_server/srv_pipe.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 40b1b8e..da9b91c 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1663,6 +1663,7 @@ static bool api_pipe_request(struct pipes_struct *p,
- 
- 	if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
- 		DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
-+		set_incoming_fault(p);
- 		setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
- 		data_blob_free(&p->out_data.rdata);
- 		TALLOC_FREE(frame);
--- 
-2.8.1
-
-
-From 55da4653f5986989e46be6320f96590f8ebb4ef7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 18/40] CVE-2015-5370: s3:rpc_server: don't ignore failures of
- dcerpc_push_ncacn_packet()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 25bf597124f217c55b5ca71a5ea9cb0ea83943e5)
----
- source3/rpc_server/srv_pipe.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index da9b91c..71b4665 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1152,6 +1152,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
- 			  nt_errstr(status)));
-+		goto err_exit;
- 	}
- 
- 	if (auth_resp.length) {
-@@ -1469,6 +1470,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
- 			  nt_errstr(status)));
-+		goto err_exit;
- 	}
- 
- 	if (auth_resp.length) {
--- 
-2.8.1
-
-
-From 893c840a1aac6711a081eb8e25f2c2a6078fc373 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 19/40] CVE-2015-5370: s3:rpc_server: don't allow auth3 if the
- authentication was already finished
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 69280e6acef7c3941407d4308b659c5e90ed702d)
----
- source3/rpc_server/srv_pipe.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 71b4665..4e5b50d4 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1216,8 +1216,15 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 
- 	DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
- 
-+	/* We can only finish if the pipe is unbound for now */
-+	if (p->pipe_bound) {
-+		DEBUG(0, (__location__ ": Pipe already bound, "
-+			  "AUTH3 not supported!\n"));
-+		goto err;
-+	}
-+
- 	if (pkt->auth_length == 0) {
--		DEBUG(0, ("No auth field sent for bind request!\n"));
-+		DEBUG(1, ("No auth field sent for auth3 request!\n"));
- 		goto err;
- 	}
- 
--- 
-2.8.1
-
-
-From a66baed0c65b7acb4d76ef9ea3ae1248a6b5773a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 14 Jul 2015 16:18:45 +0200
-Subject: [PATCH 20/40] CVE-2015-5370: s3:rpc_server: let a failing auth3 mark
- the authentication as invalid
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 8c96ef7b4fbd925607b26d351b14ad9a95febd88)
----
- source3/rpc_server/srv_pipe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 4e5b50d4..d28ba8e 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1304,7 +1304,7 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 	return true;
- 
- err:
--
-+	p->pipe_bound = false;
- 	TALLOC_FREE(p->auth.auth_ctx);
- 	return false;
- }
--- 
-2.8.1
-
-
-From e47becdf2c03d68662ab998c4608adb371ca2f08 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 21/40] CVE-2015-5370: s3:rpc_server: make sure auth_level
- isn't changed by alter_context or auth3
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 63d21d2546a1064be73582a499ec15b0e11e2708)
----
- source3/rpc_server/srv_pipe.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index d28ba8e..1b81a4c 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1252,6 +1252,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 		goto err;
- 	}
- 
-+	if (auth_info.auth_level != p->auth.auth_level) {
-+		DEBUG(1, ("Auth level mismatch! Client sent %d, "
-+			  "but auth was started as level %d!\n",
-+			  auth_info.auth_level, p->auth.auth_level));
-+		goto err;
-+	}
-+
- 	switch (auth_info.auth_type) {
- 	case DCERPC_AUTH_TYPE_NTLMSSP:
- 		ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-@@ -1389,6 +1396,12 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 			goto err_exit;
- 		}
- 
-+		if (auth_info.auth_level != p->auth.auth_level) {
-+			DEBUG(0, ("Auth level mismatch! Client sent %d, "
-+				  "but auth was started as level %d!\n",
-+				  auth_info.auth_level, p->auth.auth_level));
-+			goto err_exit;
-+		}
- 
- 		switch (auth_info.auth_type) {
- 		case DCERPC_AUTH_TYPE_SPNEGO:
--- 
-2.8.1
-
-
-From 687a4801391c946a62d07a7bdad096a97da0d432 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 7 Jul 2015 09:15:39 +0200
-Subject: [PATCH 22/40] CVE-2015-5370: s3:rpc_server: ensure that the message
- ordering doesn't violate the spec
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The first pdu is always a BIND.
-
-REQUEST pdus are only allowed once the authentication
-is finished.
-
-A simple anonymous authentication is finished after the BIND.
-Real authentication may need additional ALTER or AUTH3 exchanges.
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 0239bfa562ee303c4ac204375b3c66ca287f6cb0)
----
- source3/include/ntdomain.h        |  7 ++++++
- source3/rpc_server/rpc_ncacn_np.c |  1 +
- source3/rpc_server/rpc_server.c   |  1 +
- source3/rpc_server/srv_pipe.c     | 51 ++++++++++++++++++++++++++++++++++-----
- 4 files changed, 54 insertions(+), 6 deletions(-)
-
-diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
-index 650f1d0..b3c5451 100644
---- a/source3/include/ntdomain.h
-+++ b/source3/include/ntdomain.h
-@@ -139,6 +139,13 @@ struct pipes_struct {
- 	bool pipe_bound;
- 
- 	/*
-+	 * States we can be in.
-+	 */
-+	bool allow_alter;
-+	bool allow_bind;
-+	bool allow_auth3;
-+
-+	/*
- 	 * Set the DCERPC_FAULT to return.
- 	 */
- 
-diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
-index efdee27..f2e9d10 100644
---- a/source3/rpc_server/rpc_ncacn_np.c
-+++ b/source3/rpc_server/rpc_ncacn_np.c
-@@ -171,6 +171,7 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
- 
- 	p->syntax = *syntax;
- 	p->transport = NCALRPC;
-+	p->allow_bind = true;
- 
- 	DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
- 		 get_pipe_name_from_syntax(talloc_tos(), syntax), pipes_open));
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index 8ec55bb..376d26a 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -102,6 +102,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
- 	p->syntax = id;
- 	p->transport = transport;
- 	p->ncalrpc_as_system = ncalrpc_as_system;
-+	p->allow_bind = true;
- 
- 	p->mem_ctx = talloc_named(p, 0, "pipe %s %p", pipe_name, p);
- 	if (!p->mem_ctx) {
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 1b81a4c..41111aa 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -279,6 +279,9 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
- 	p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
- 	p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
- 	p->pipe_bound = False;
-+	p->allow_bind = false;
-+	p->allow_alter = false;
-+	p->allow_auth3 = false;
- 
- 	return True;
- }
-@@ -828,6 +831,11 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
- 	void *mech_ctx;
- 	NTSTATUS status;
- 
-+	if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
-+		p->pipe_bound = true;
-+		return NT_STATUS_OK;
-+	}
-+
- 	switch (p->auth.auth_type) {
- 	case DCERPC_AUTH_TYPE_NTLMSSP:
- 		ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-@@ -919,13 +927,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	DATA_BLOB auth_resp = data_blob_null;
- 	DATA_BLOB auth_blob = data_blob_null;
- 
--	/* No rebinds on a bound pipe - use alter context. */
--	if (p->pipe_bound) {
--		DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
--			 "pipe %s.\n",
--			 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
-+	if (!p->allow_bind) {
-+		DEBUG(2,("Pipe not in allow bind state\n"));
- 		return setup_bind_nak(p, pkt);
- 	}
-+	p->allow_bind = false;
- 
- 	if (pkt->u.bind.num_contexts == 0) {
- 		DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
-@@ -1192,6 +1198,22 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	p->out_data.current_pdu_sent = 0;
- 
- 	TALLOC_FREE(auth_blob.data);
-+
-+	if (bind_ack_ctx.result == 0) {
-+		p->allow_alter = true;
-+		p->allow_auth3 = true;
-+		if (p->auth.auth_type == DCERPC_AUTH_TYPE_NONE) {
-+			status = pipe_auth_verify_final(p);
-+			if (!NT_STATUS_IS_OK(status)) {
-+				DEBUG(0, ("pipe_auth_verify_final failed: %s\n",
-+					  nt_errstr(status)));
-+				goto err_exit;
-+			}
-+		}
-+	} else {
-+		goto err_exit;
-+	}
-+
- 	return True;
- 
-   err_exit:
-@@ -1216,6 +1238,11 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 
- 	DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
- 
-+	if (!p->allow_auth3) {
-+		DEBUG(1, ("Pipe not in allow auth3 state.\n"));
-+		goto err;
-+	}
-+
- 	/* We can only finish if the pipe is unbound for now */
- 	if (p->pipe_bound) {
- 		DEBUG(0, (__location__ ": Pipe already bound, "
-@@ -1312,6 +1339,10 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 
- err:
- 	p->pipe_bound = false;
-+	p->allow_bind = false;
-+	p->allow_alter = false;
-+	p->allow_auth3 = false;
-+
- 	TALLOC_FREE(p->auth.auth_ctx);
- 	return false;
- }
-@@ -1338,6 +1369,11 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 
- 	DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
- 
-+	if (!p->allow_alter) {
-+		DEBUG(1, ("Pipe not in allow alter state.\n"));
-+		goto err_exit;
-+	}
-+
- 	if (pkt->u.bind.assoc_group_id != 0) {
- 		assoc_gid = pkt->u.bind.assoc_group_id;
- 	} else {
-@@ -1363,7 +1399,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 		bind_ack_ctx.reason = 0;
- 		bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
- 	} else {
--		p->pipe_bound = False;
- 		/* Rejection reason: abstract syntax not supported */
- 		bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
- 		bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
-@@ -1826,6 +1861,10 @@ void set_incoming_fault(struct pipes_struct *p)
- 	p->in_data.pdu.length = 0;
- 	p->fault_state = DCERPC_FAULT_CANT_PERFORM;
- 
-+	p->allow_alter = false;
-+	p->allow_auth3 = false;
-+	p->pipe_bound = false;
-+
- 	DEBUG(10, ("Setting fault state\n"));
- }
- 
--- 
-2.8.1
-
-
-From 45701966d49ec1003f19c137a548c26915f75a99 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 16:06:59 +0200
-Subject: [PATCH 23/40] CVE-2015-5370: s3:rpc_server: use 'alter' instead of
- 'bind' for variables in api_pipe_alter_context()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit cdefee174d2f8920323e9e62966df4f4ced49ed3)
----
- source3/rpc_server/srv_pipe.c | 32 ++++++++++++++++----------------
- 1 file changed, 16 insertions(+), 16 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 41111aa..382d94a 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1359,7 +1359,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 	uint16 assoc_gid;
- 	NTSTATUS status;
- 	union dcerpc_payload u;
--	struct dcerpc_ack_ctx bind_ack_ctx;
-+	struct dcerpc_ack_ctx alter_ack_ctx;
- 	DATA_BLOB auth_resp = data_blob_null;
- 	DATA_BLOB auth_blob = data_blob_null;
- 	int pad_len = 0;
-@@ -1374,8 +1374,8 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 		goto err_exit;
- 	}
- 
--	if (pkt->u.bind.assoc_group_id != 0) {
--		assoc_gid = pkt->u.bind.assoc_group_id;
-+	if (pkt->u.alter.assoc_group_id != 0) {
-+		assoc_gid = pkt->u.alter.assoc_group_id;
- 	} else {
- 		assoc_gid = 0x53f0;
- 	}
-@@ -1385,24 +1385,24 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 	 */
- 
- 	/* If the requested abstract synt uuid doesn't match our client pipe,
--		reject the bind_ack & set the transfer interface synt to all 0's,
-+		reject the alter_ack & set the transfer interface synt to all 0's,
- 		ver 0 (observed when NT5 attempts to bind to abstract interfaces
- 		unknown to NT4)
- 		Needed when adding entries to a DACL from NT5 - SK */
- 
- 	if (check_bind_req(p,
--			&pkt->u.bind.ctx_list[0].abstract_syntax,
--			&pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
--			pkt->u.bind.ctx_list[0].context_id)) {
-+			&pkt->u.alter.ctx_list[0].abstract_syntax,
-+			&pkt->u.alter.ctx_list[0].transfer_syntaxes[0],
-+			pkt->u.alter.ctx_list[0].context_id)) {
- 
--		bind_ack_ctx.result = 0;
--		bind_ack_ctx.reason = 0;
--		bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
-+		alter_ack_ctx.result = 0;
-+		alter_ack_ctx.reason = 0;
-+		alter_ack_ctx.syntax = pkt->u.alter.ctx_list[0].transfer_syntaxes[0];
- 	} else {
- 		/* Rejection reason: abstract syntax not supported */
--		bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
--		bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
--		bind_ack_ctx.syntax = null_ndr_syntax_id;
-+		alter_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
-+		alter_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
-+		alter_ack_ctx.syntax = null_ndr_syntax_id;
- 	}
- 
- 	/*
-@@ -1417,7 +1417,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 		}
- 
- 		status = dcerpc_pull_auth_trailer(pkt, pkt,
--						  &pkt->u.bind.auth_info,
-+						  &pkt->u.alter.auth_info,
- 						  &auth_info, NULL, true);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
-@@ -1503,7 +1503,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 	u.alter_resp.secondary_address_size = 1;
- 
- 	u.alter_resp.num_results = 1;
--	u.alter_resp.ctx_list = &bind_ack_ctx;
-+	u.alter_resp.ctx_list = &alter_ack_ctx;
- 
- 	/* NOTE: We leave the auth_info empty so we can calculate the padding
- 	 * later and then append the auth_info --simo */
-@@ -1523,7 +1523,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 					  &u,
- 					  &p->out_data.frag);
- 	if (!NT_STATUS_IS_OK(status)) {
--		DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
-+		DEBUG(0, ("Failed to marshall alter_resp packet. (%s)\n",
- 			  nt_errstr(status)));
- 		goto err_exit;
- 	}
--- 
-2.8.1
-
-
-From 62b936e134a53662601b0f614f95dbca5ff7a369 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 16:06:59 +0200
-Subject: [PATCH 24/40] CVE-2015-5370: s3:rpc_server: verify presentation
- context arrays
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 1e6b4abac14840e4cee1afc5d4811b0f0277eade)
----
- source3/rpc_server/srv_pipe.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 382d94a..335af2a 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -934,7 +934,12 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	p->allow_bind = false;
- 
- 	if (pkt->u.bind.num_contexts == 0) {
--		DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
-+		DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
-+		goto err_exit;
-+	}
-+
-+	if (pkt->u.bind.ctx_list[0].num_transfer_syntaxes == 0) {
-+		DEBUG(1, ("api_pipe_bind_req: no transfer syntaxes around\n"));
- 		goto err_exit;
- 	}
- 
-@@ -1374,6 +1379,16 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 		goto err_exit;
- 	}
- 
-+	if (pkt->u.alter.num_contexts == 0) {
-+		DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
-+		goto err_exit;
-+	}
-+
-+	if (pkt->u.alter.ctx_list[0].num_transfer_syntaxes == 0) {
-+		DEBUG(1, ("api_pipe_alter_context: no transfer syntaxes around\n"));
-+		goto err_exit;
-+	}
-+
- 	if (pkt->u.alter.assoc_group_id != 0) {
- 		assoc_gid = pkt->u.alter.assoc_group_id;
- 	} else {
--- 
-2.8.1
-
-
-From 585e8aefafcb5f8c501cdf4454b375ebda82f7a6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 16:06:59 +0200
-Subject: [PATCH 25/40] CVE-2015-5370: s3:rpc_server: make use of
- dcerpc_verify_ncacn_packet_header() to verify incoming pdus
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit e39fdceb25fc75b6f8c77c097bf8dbd2f4286618)
----
- source3/rpc_server/srv_pipe.c | 81 +++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 81 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 335af2a..2f404b4 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -42,6 +42,7 @@
- #include "auth.h"
- #include "ntdomain.h"
- #include "rpc_server/srv_pipe.h"
-+#include "../librpc/gen_ndr/ndr_dcerpc.h"
- #include "../librpc/ndr/ndr_dcerpc.h"
- #include "../librpc/gen_ndr/ndr_samr.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
-@@ -933,6 +934,25 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	}
- 	p->allow_bind = false;
- 
-+	status = dcerpc_verify_ncacn_packet_header(pkt,
-+			DCERPC_PKT_BIND,
-+			pkt->u.bind.auth_info.length,
-+			0, /* required flags */
-+			DCERPC_PFC_FLAG_FIRST |
-+			DCERPC_PFC_FLAG_LAST |
-+			DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
-+			0x08 | /* this is not defined, but should be ignored */
-+			DCERPC_PFC_FLAG_CONC_MPX |
-+			DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
-+			DCERPC_PFC_FLAG_MAYBE |
-+			DCERPC_PFC_FLAG_OBJECT_UUID);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
-+			  nt_errstr(status)));
-+		NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+		goto err_exit;
-+	}
-+
- 	if (pkt->u.bind.num_contexts == 0) {
- 		DEBUG(1, ("api_pipe_bind_req: no rpc contexts around\n"));
- 		goto err_exit;
-@@ -1248,6 +1268,25 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 		goto err;
- 	}
- 
-+	status = dcerpc_verify_ncacn_packet_header(pkt,
-+			DCERPC_PKT_AUTH3,
-+			pkt->u.auth3.auth_info.length,
-+			0, /* required flags */
-+			DCERPC_PFC_FLAG_FIRST |
-+			DCERPC_PFC_FLAG_LAST |
-+			DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
-+			0x08 | /* this is not defined, but should be ignored */
-+			DCERPC_PFC_FLAG_CONC_MPX |
-+			DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
-+			DCERPC_PFC_FLAG_MAYBE |
-+			DCERPC_PFC_FLAG_OBJECT_UUID);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
-+			  nt_errstr(status)));
-+		NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+		goto err;
-+	}
-+
- 	/* We can only finish if the pipe is unbound for now */
- 	if (p->pipe_bound) {
- 		DEBUG(0, (__location__ ": Pipe already bound, "
-@@ -1379,6 +1418,25 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 		goto err_exit;
- 	}
- 
-+	status = dcerpc_verify_ncacn_packet_header(pkt,
-+			DCERPC_PKT_ALTER,
-+			pkt->u.alter.auth_info.length,
-+			0, /* required flags */
-+			DCERPC_PFC_FLAG_FIRST |
-+			DCERPC_PFC_FLAG_LAST |
-+			DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
-+			0x08 | /* this is not defined, but should be ignored */
-+			DCERPC_PFC_FLAG_CONC_MPX |
-+			DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
-+			DCERPC_PFC_FLAG_MAYBE |
-+			DCERPC_PFC_FLAG_OBJECT_UUID);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
-+			  nt_errstr(status)));
-+		NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+		goto err_exit;
-+	}
-+
- 	if (pkt->u.alter.num_contexts == 0) {
- 		DEBUG(1, ("api_pipe_alter_context: no rpc contexts around\n"));
- 		goto err_exit;
-@@ -1923,6 +1981,29 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
- 		return False;
- 	}
- 
-+	/*
-+	 * We don't ignore DCERPC_PFC_FLAG_PENDING_CANCEL.
-+	 * TODO: we can reject it with DCERPC_FAULT_NO_CALL_ACTIVE later.
-+	 */
-+	status = dcerpc_verify_ncacn_packet_header(pkt,
-+			DCERPC_PKT_REQUEST,
-+			pkt->u.request.stub_and_verifier.length,
-+			0, /* required_flags */
-+			DCERPC_PFC_FLAG_FIRST |
-+			DCERPC_PFC_FLAG_LAST |
-+			0x08 | /* this is not defined, but should be ignored */
-+			DCERPC_PFC_FLAG_CONC_MPX |
-+			DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
-+			DCERPC_PFC_FLAG_MAYBE |
-+			DCERPC_PFC_FLAG_OBJECT_UUID);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
-+			  nt_errstr(status)));
-+		NDR_PRINT_DEBUG(ncacn_packet, pkt);
-+		set_incoming_fault(p);
-+		return false;
-+	}
-+
- 	/* Store the opnum */
- 	p->opnum = pkt->u.request.opnum;
- 
--- 
-2.8.1
-
-
-From b16b1a5f331adc3bb2f3d0bee586ec084935a202 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Dec 2015 12:40:58 +0100
-Subject: [PATCH 26/40] CVE-2015-5370: s3:rpc_server: disconnect the connection
- after a fatal FAULT pdu
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 664d7ace0e68b42d2de99583757e0a985647eb4b)
----
- source3/rpc_server/rpc_server.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index 376d26a..3ba83e0 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -664,6 +664,12 @@ static void named_pipe_packet_done(struct tevent_req *subreq)
- 		goto fail;
- 	}
- 
-+	if (npc->p->fault_state != 0) {
-+		DEBUG(2, ("Disconnect after fault\n"));
-+		sys_errno = EINVAL;
-+		goto fail;
-+	}
-+
- 	/* clear out any data that may have been left around */
- 	npc->count = 0;
- 	TALLOC_FREE(npc->iov);
-@@ -1392,6 +1398,12 @@ static void dcerpc_ncacn_packet_done(struct tevent_req *subreq)
- 		goto fail;
- 	}
- 
-+	if (ncacn_conn->p->fault_state != 0) {
-+		DEBUG(2, ("Disconnect after fault\n"));
-+		sys_errno = EINVAL;
-+		goto fail;
-+	}
-+
- 	/* clear out any data that may have been left around */
- 	ncacn_conn->count = 0;
- 	TALLOC_FREE(ncacn_conn->iov);
--- 
-2.8.1
-
-
-From 642d2b7090e46a87bc94cabf29eccb09e329c125 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Dec 2015 12:38:55 +0100
-Subject: [PATCH 27/40] CVE-2015-5370: s3:rpc_server: let a failing BIND mark
- the connection as broken
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 8d97085efd8782e48d0f1162e3f56756acb99472)
----
- source3/rpc_server/srv_pipe.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 2f404b4..6275190 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -276,6 +276,7 @@ static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
- 	p->out_data.data_sent_length = 0;
- 	p->out_data.current_pdu_sent = 0;
- 
-+	set_incoming_fault(p);
- 	TALLOC_FREE(p->auth.auth_ctx);
- 	p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
- 	p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
--- 
-2.8.1
-
-
-From f4aa07176636982d9be3c0ce2452fc43a8781d47 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 23 Dec 2015 12:38:55 +0100
-Subject: [PATCH 28/40] CVE-2015-5370: s3:rpc_server: use
- DCERPC_NCA_S_PROTO_ERROR FAULTs for protocol errors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit d30363f08efb81b22055d4445977c96df3737adf)
----
- source3/rpc_server/srv_pipe.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 6275190..3fb8855 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1933,7 +1933,7 @@ void set_incoming_fault(struct pipes_struct *p)
- 	data_blob_free(&p->in_data.data);
- 	p->in_data.pdu_needed_len = 0;
- 	p->in_data.pdu.length = 0;
--	p->fault_state = DCERPC_FAULT_CANT_PERFORM;
-+	p->fault_state = DCERPC_NCA_S_PROTO_ERROR;
- 
- 	p->allow_alter = false;
- 	p->allow_auth3 = false;
-@@ -2254,7 +2254,7 @@ done:
- 			 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
- 								&p->syntax)));
- 		set_incoming_fault(p);
--		setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
-+		setup_fault_pdu(p, NT_STATUS(DCERPC_NCA_S_PROTO_ERROR));
- 		TALLOC_FREE(pkt);
- 	} else {
- 		/*
--- 
-2.8.1
-
-
-From ef175975f587d73092461c36b10e4c9cf1805727 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 11 Jul 2015 10:58:07 +0200
-Subject: [PATCH 29/40] CVE-2015-5370: s3:librpc/rpc: remove unused
- dcerpc_pull_dcerpc_auth()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 02aef978ff8f16009a52c2d981d414d019bc8dd9)
----
- source3/librpc/rpc/dcerpc.h         |  4 ----
- source3/librpc/rpc/dcerpc_helpers.c | 41 -------------------------------------
- 2 files changed, 45 deletions(-)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index e7cca9e..9452e85 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -71,10 +71,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
- 				 uint32_t auth_context_id,
- 				 const DATA_BLOB *credentials,
- 				 DATA_BLOB *blob);
--NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
--				 const DATA_BLOB *blob,
--				 struct dcerpc_auth *r,
--				 bool bigendian);
- NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
- 			    size_t header_len, size_t data_left,
- 			    size_t max_xmit_frag, size_t pad_alignment,
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index c07835f..e4d0e3a 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -210,47 +210,6 @@ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
- }
- 
- /**
--* @brief Decodes a dcerpc_auth blob
--*
--* @param mem_ctx	The memory context on which to allocate the packet
--*			elements
--* @param blob		The blob of data to decode
--* @param r		An empty dcerpc_auth structure, must not be NULL
--*
--* @return a NTSTATUS error code
--*/
--NTSTATUS dcerpc_pull_dcerpc_auth(TALLOC_CTX *mem_ctx,
--				 const DATA_BLOB *blob,
--				 struct dcerpc_auth *r,
--				 bool bigendian)
--{
--	enum ndr_err_code ndr_err;
--	struct ndr_pull *ndr;
--
--	ndr = ndr_pull_init_blob(blob, mem_ctx);
--	if (!ndr) {
--		return NT_STATUS_NO_MEMORY;
--	}
--	if (bigendian) {
--		ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
--	}
--
--	ndr_err = ndr_pull_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, r);
--
--	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
--		talloc_free(ndr);
--		return ndr_map_error2ntstatus(ndr_err);
--	}
--	talloc_free(ndr);
--
--	if (DEBUGLEVEL >= 10) {
--		NDR_PRINT_DEBUG(dcerpc_auth, r);
--	}
--
--	return NT_STATUS_OK;
--}
--
--/**
- * @brief Calculate how much data we can in a packet, including calculating
- *	 auth token and pad lengths.
- *
--- 
-2.8.1
-
-
-From 49d0e60d28d3b615d4ee368cd3f260b3a6386858 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 30/40] CVE-2015-5370: s3:rpc_server: check the transfer syntax
- in check_bind_req() first
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 9464684010461947fa98d8ee084069e9cf362625)
----
- source3/rpc_server/srv_pipe.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 3fb8855..0e6b073 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -351,16 +351,24 @@ static bool check_bind_req(struct pipes_struct *p,
- 	DEBUG(3,("check_bind_req for %s\n",
- 		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
- 
-+	ok = ndr_syntax_id_equal(transfer, &ndr_transfer_syntax);
-+	if (!ok) {
-+		DEBUG(1,("check_bind_req unknown transfer syntax for "
-+			 "%s context_id=%u\n",
-+			 get_pipe_name_from_syntax(talloc_tos(), abstract),
-+			 (unsigned)context_id));
-+		return false;
-+	}
-+
- 	/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
--	if (rpc_srv_pipe_exists_by_id(abstract) &&
--	   ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
--		DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
--			rpc_srv_get_pipe_cli_name(abstract),
--			rpc_srv_get_pipe_srv_name(abstract)));
--	} else {
-+	if (!rpc_srv_pipe_exists_by_id(abstract)) {
- 		return false;
- 	}
- 
-+	DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
-+		  rpc_srv_get_pipe_cli_name(abstract),
-+		  rpc_srv_get_pipe_srv_name(abstract)));
-+
- 	context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
- 	if (context_fns == NULL) {
- 		DEBUG(0,("check_bind_req: malloc() failed!\n"));
--- 
-2.8.1
-
-
-From 7ee6698f706e51568f53347f422ac6671cdba9a4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 13:05:01 +0200
-Subject: [PATCH 31/40] CVE-2015-5370: s3:rpc_server: don't allow an existing
- context to be changed in check_bind_req()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-An alter context can't change the syntax of an existing context,
-a new context_id will be used for that.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit a995740d4e7fbd8fbb5c8c6280b73eaceae53574)
----
- source3/rpc_server/srv_pipe.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 0e6b073..4263a91 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -360,6 +360,28 @@ static bool check_bind_req(struct pipes_struct *p,
- 		return false;
- 	}
- 
-+	for (context_fns = p->contexts;
-+	     context_fns != NULL;
-+	     context_fns = context_fns->next)
-+	{
-+		if (context_fns->context_id != context_id) {
-+			continue;
-+		}
-+
-+		ok = ndr_syntax_id_equal(&context_fns->syntax,
-+					 abstract);
-+		if (ok) {
-+			return true;
-+		}
-+
-+		DEBUG(1,("check_bind_req: changing abstract syntax for "
-+			 "%s context_id=%u into %s not supported\n",
-+			 get_pipe_name_from_syntax(talloc_tos(), &context_fns->syntax),
-+			 (unsigned)context_id,
-+			 get_pipe_name_from_syntax(talloc_tos(), abstract)));
-+		return false;
-+	}
-+
- 	/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
- 	if (!rpc_srv_pipe_exists_by_id(abstract)) {
- 		return false;
--- 
-2.8.1
-
-
-From 79a238d0c868c7e182f49637b66f544dc1dd86da Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 32/40] CVE-2015-5370: s3:rpc_client: pass struct
- pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit f556d9245c13d018d4e772f06d013ebe558703d9)
----
- source3/rpc_client/cli_pipe.c | 26 ++++++++++----------------
- 1 file changed, 10 insertions(+), 16 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 1c4ff01..3af3d8f 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1816,9 +1816,8 @@ static bool check_bind_response(const struct dcerpc_bind_ack *r,
- 
- static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
- 				struct rpc_pipe_client *cli,
--				uint32 rpc_call_id,
--				enum dcerpc_AuthType auth_type,
--				enum dcerpc_AuthLevel auth_level,
-+				struct pipe_auth_data *auth,
-+				uint32_t rpc_call_id,
- 				DATA_BLOB *pauth_blob,
- 				DATA_BLOB *rpc_out)
- {
-@@ -1828,8 +1827,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
- 	u.auth3._pad = 0;
- 
- 	status = dcerpc_push_dcerpc_auth(mem_ctx,
--					 auth_type,
--					 auth_level,
-+					 auth->auth_type,
-+					 auth->auth_level,
- 					 0, /* auth_pad_length */
- 					 1, /* auth_context_id */
- 					 pauth_blob,
-@@ -1861,9 +1860,8 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
-  ********************************************************************/
- 
- static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
--					enum dcerpc_AuthType auth_type,
--					enum dcerpc_AuthLevel auth_level,
--					uint32 rpc_call_id,
-+					struct pipe_auth_data *auth,
-+					uint32_t rpc_call_id,
- 					const struct ndr_syntax_id *abstract,
- 					const struct ndr_syntax_id *transfer,
- 					const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
-@@ -1873,8 +1871,8 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
- 	NTSTATUS status;
- 
- 	status = dcerpc_push_dcerpc_auth(mem_ctx,
--					 auth_type,
--					 auth_level,
-+					 auth->auth_type,
-+					 auth->auth_level,
- 					 0, /* auth_pad_length */
- 					 1, /* auth_context_id */
- 					 pauth_blob,
-@@ -2300,9 +2298,7 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- 	/* Now prepare the alter context pdu. */
- 	data_blob_free(&state->rpc_out);
- 
--	status = create_rpc_alter_context(state,
--					  auth->auth_type,
--					  auth->auth_level,
-+	status = create_rpc_alter_context(state, auth,
- 					  state->rpc_call_id,
- 					  &state->cli->abstract_syntax,
- 					  &state->cli->transfer_syntax,
-@@ -2335,10 +2331,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
- 	/* Now prepare the auth3 context pdu. */
- 	data_blob_free(&state->rpc_out);
- 
--	status = create_rpc_bind_auth3(state, state->cli,
-+	status = create_rpc_bind_auth3(state, state->cli, auth,
- 					state->rpc_call_id,
--					auth->auth_type,
--					auth->auth_level,
- 					auth_token,
- 					&state->rpc_out);
- 	if (!NT_STATUS_IS_OK(status)) {
--- 
-2.8.1
-
-
-From 18a50ed6ead11287ff72cb38f100d0f2641c3e7d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 33/40] CVE-2015-5370: s3:librpc/rpc: add auth_context_id to
- struct pipe_auth_data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit cbf20b43d7b40e3b6ccf044f6f51a5adff1f5e6d)
----
- source3/librpc/rpc/dcerpc.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
-index 9452e85..c25b0f5 100644
---- a/source3/librpc/rpc/dcerpc.h
-+++ b/source3/librpc/rpc/dcerpc.h
-@@ -42,6 +42,7 @@ struct pipe_auth_data {
- 	bool verified_bitmask1;
- 
- 	void *auth_ctx;
-+	uint32_t auth_context_id;
- 
- 	/* Only the client code uses these 3 for now */
- 	char *domain;
--- 
-2.8.1
-
-
-From 7dbaaca2a638406331d4653e1afdc18f7c8502f6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 34/40] CVE-2015-5370: s3:rpc_client: make use of
- pipe_auth_data->auth_context_id
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is better than using hardcoded values.
-We need to use auth_context_id = 1 for authenticated
-connections, as old Samba server (before this patchset)
-will use a hardcoded value of 1.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit ae68d3f325c3880144b80385779c9445897646e6)
----
- source3/rpc_client/cli_pipe.c | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 3af3d8f..755d676 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -1314,7 +1314,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
- 						auth->auth_type,
- 						auth->auth_level,
- 						0, /* auth_pad_length */
--						1, /* auth_context_id */
-+						auth->auth_context_id,
- 						&auth_token,
- 						&auth_info);
- 		if (!NT_STATUS_IS_OK(ret)) {
-@@ -1830,7 +1830,7 @@ static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
- 					 auth->auth_type,
- 					 auth->auth_level,
- 					 0, /* auth_pad_length */
--					 1, /* auth_context_id */
-+					 auth->auth_context_id,
- 					 pauth_blob,
- 					 &u.auth3.auth_info);
- 	if (!NT_STATUS_IS_OK(status)) {
-@@ -1874,7 +1874,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
- 					 auth->auth_type,
- 					 auth->auth_level,
- 					 0, /* auth_pad_length */
--					 1, /* auth_context_id */
-+					 auth->auth_context_id,
- 					 pauth_blob,
- 					 &auth_info);
- 	if (!NT_STATUS_IS_OK(status)) {
-@@ -2704,6 +2704,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
- 
- 	result->auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
- 	result->auth_level = DCERPC_AUTH_LEVEL_CONNECT;
-+	result->auth_context_id = 1;
- 
- 	result->user_name = talloc_strdup(result, "");
- 	result->domain = talloc_strdup(result, "");
-@@ -2728,6 +2729,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
- 
- 	result->auth_type = DCERPC_AUTH_TYPE_NONE;
- 	result->auth_level = DCERPC_AUTH_LEVEL_NONE;
-+	result->auth_context_id = 0;
- 
- 	result->user_name = talloc_strdup(result, "");
- 	result->domain = talloc_strdup(result, "");
-@@ -2765,6 +2767,7 @@ static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
- 
- 	result->auth_type = auth_type;
- 	result->auth_level = auth_level;
-+	result->auth_context_id = 1;
- 
- 	result->user_name = talloc_strdup(result, username);
- 	result->domain = talloc_strdup(result, domain);
-@@ -2836,6 +2839,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
- 
- 	result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
- 	result->auth_level = auth_level;
-+	result->auth_context_id = 1;
- 
- 	result->user_name = talloc_strdup(result, "");
- 	result->domain = talloc_strdup(result, domain);
-@@ -3500,6 +3504,7 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
- 	}
- 	auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
- 	auth->auth_level = auth_level;
-+	auth->auth_context_id = 1;
- 
- 	if (!username) {
- 		username = "";
-@@ -3570,6 +3575,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
- 	}
- 	auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
- 	auth->auth_level = auth_level;
-+	auth->auth_context_id = 1;
- 
- 	if (!username) {
- 		username = "";
-@@ -3644,6 +3650,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
- 	}
- 	auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
- 	auth->auth_level = auth_level;
-+	auth->auth_context_id = 1;
- 
- 	if (!username) {
- 		username = "";
--- 
-2.8.1
-
-
-From 82cd4e90c70d1ababd5fa1ee61206e37edbf40e4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 35/40] CVE-2015-5370: s3:rpc_server: make use of
- pipe_auth_data->auth_context_id
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is better than using hardcoded values.
-We need to use the value the client used in the BIND request.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 2bc617293a5d8652e484af69660b3646f3d48690)
----
- source3/rpc_server/rpc_ncacn_np.c |  1 +
- source3/rpc_server/srv_pipe.c     | 11 +++++++----
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
-index f2e9d10..c0f24a6 100644
---- a/source3/rpc_server/rpc_ncacn_np.c
-+++ b/source3/rpc_server/rpc_ncacn_np.c
-@@ -781,6 +781,7 @@ static NTSTATUS rpc_pipe_open_external(TALLOC_CTX *mem_ctx,
- 	}
- 	result->auth->auth_type = DCERPC_AUTH_TYPE_NONE;
- 	result->auth->auth_level = DCERPC_AUTH_LEVEL_NONE;
-+	result->auth->auth_context_id = 0;
- 
- 	status = rpccli_anon_bind_data(result, &auth);
- 	if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 4263a91..d6c4118 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -534,6 +534,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p,
- 
- 	p->auth.auth_ctx = spnego_ctx;
- 	p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
-+	p->auth.auth_context_id = auth_info->auth_context_id;
- 
- 	DEBUG(10, ("SPNEGO auth started\n"));
- 
-@@ -644,6 +645,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
- 	/* We're finished with this bind - no more packets. */
- 	p->auth.auth_ctx = schannel_auth;
- 	p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-+	p->auth.auth_context_id = auth_info->auth_context_id;
- 
- 	p->pipe_bound = True;
- 
-@@ -688,6 +690,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
- 
- 	p->auth.auth_ctx = ntlmssp_state;
- 	p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
-+	p->auth.auth_context_id = auth_info->auth_context_id;
- 
- 	DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
- 
-@@ -1173,6 +1176,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 		p->pipe_bound = True;
- 		/* The session key was initialized from the SMB
- 		 * session in make_internal_rpc_pipe_p */
-+		p->auth.auth_context_id = 0;
- 	}
- 
- 	ZERO_STRUCT(u.bind_ack);
-@@ -1218,12 +1222,11 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
- 	}
- 
- 	if (auth_resp.length) {
--
- 		status = dcerpc_push_dcerpc_auth(pkt,
- 						 auth_type,
- 						 auth_info.auth_level,
--						 0,
--						 1, /* auth_context_id */
-+						 0, /* pad_len */
-+						 p->auth.auth_context_id,
- 						 &auth_resp,
- 						 &auth_blob);
- 		if (!NT_STATUS_IS_OK(status)) {
-@@ -1646,7 +1649,7 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 						 auth_info.auth_type,
- 						 auth_info.auth_level,
- 						 pad_len,
--						 1, /* auth_context_id */
-+						 p->auth.auth_context_id,
- 						 &auth_resp,
- 						 &auth_blob);
- 		if (!NT_STATUS_IS_OK(status)) {
--- 
-2.8.1
-
-
-From 8d1fb1fcf58b08cbf27579382ea648aefb9e7dc6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 36/40] CVE-2015-5370: s3:librpc/rpc: make use of
- auth->auth_context_id in dcerpc_add_auth_footer()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 61faaa63e7e610308c72ae4c41a5c7b5b7312685)
----
- source3/librpc/rpc/dcerpc_helpers.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index e4d0e3a..977a372 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -741,7 +741,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
- 					 auth->auth_type,
- 					 auth->auth_level,
- 					 pad_len,
--					 1 /* context id. */,
-+					 auth->auth_context_id,
- 					 &auth_blob,
- 					 &auth_info);
- 	if (!NT_STATUS_IS_OK(status)) {
--- 
-2.8.1
-
-
-From 2a44cfc65f7dc1ccfd2d6a5abe5d26e94a085aa9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 37/40] CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in
- dcerpc_check_auth()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 0cf3151c843e2c779b534743b455e630d89e2ba9)
----
- source3/librpc/rpc/dcerpc_helpers.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index 977a372..b00cf1bf 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -881,6 +881,10 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
- 		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
-+	if (auth_info.auth_context_id != auth->auth_context_id) {
-+		return NT_STATUS_INVALID_PARAMETER;
-+	}
-+
- 	pkt_trailer->length -= auth_length;
- 	data = data_blob_const(raw_pkt->data + header_size,
- 			       pkt_trailer->length);
--- 
-2.8.1
-
-
-From 68dcc277d5af506706d3fdac43891e43ccb4ceea Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 7 Jul 2015 22:51:18 +0200
-Subject: [PATCH 38/40] CVE-2015-5370: s3:rpc_client: verify auth_context_id in
- rpc_pipe_bind_step_one_done()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 93a0f92b8ebecb38f92d3b2c9a946b486ee91d3c)
----
- source3/rpc_client/cli_pipe.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 755d676..ee33e80 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -2052,6 +2052,14 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
- 			return;
- 		}
- 
-+		if (auth.auth_context_id != pauth->auth_context_id) {
-+			DEBUG(0, (__location__ " Auth context id %u mismatch expected %u.\n",
-+				  (unsigned)auth.auth_context_id,
-+				  (unsigned)pauth->auth_context_id));
-+			tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+			return;
-+		}
-+
- 		break;
- 	}
- 
--- 
-2.8.1
-
-
-From 8787dd5053974c1f42ae85a310e9522795f4ccfe Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 8 Jul 2015 00:01:37 +0200
-Subject: [PATCH 39/40] CVE-2015-5370: s3:rpc_server: verify auth_context_id in
- api_pipe_{bind_auth3,alter_context}
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 3ef461d8304ee36184cd7a3963676eedff4ef1eb)
----
- source3/rpc_server/srv_pipe.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index d6c4118..26c4ee0 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1364,6 +1364,14 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
- 		goto err;
- 	}
- 
-+	if (auth_info.auth_context_id != p->auth.auth_context_id) {
-+		DEBUG(0, ("Auth context id mismatch! Client sent %u, "
-+			  "but auth was started as level %u!\n",
-+			  (unsigned)auth_info.auth_context_id,
-+			  (unsigned)p->auth.auth_context_id));
-+		goto err;
-+	}
-+
- 	switch (auth_info.auth_type) {
- 	case DCERPC_AUTH_TYPE_NTLMSSP:
- 		ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
-@@ -1545,6 +1553,14 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
- 			goto err_exit;
- 		}
- 
-+		if (auth_info.auth_context_id != p->auth.auth_context_id) {
-+			DEBUG(0, ("Auth context id mismatch! Client sent %u, "
-+				  "but auth was started as level %u!\n",
-+				  (unsigned)auth_info.auth_context_id,
-+				  (unsigned)p->auth.auth_context_id));
-+			goto err_exit;
-+		}
-+
- 		switch (auth_info.auth_type) {
- 		case DCERPC_AUTH_TYPE_SPNEGO:
- 			spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
--- 
-2.8.1
-
-
-From bf0040fb860527cb0c54ab0ef301153bdad650c0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 22 Dec 2015 21:23:14 +0100
-Subject: [PATCH 40/40] CVE-2015-5370: s3:rpc_client: disconnect connection on
- protocol errors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 024d3b263a2879cee4fb7794d70f253c948cc043)
----
- source3/rpc_client/cli_pipe.c | 67 +++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 64 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index ee33e80..a3810f0 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -953,6 +953,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 
- 	state->pkt = talloc(state, struct ncacn_packet);
- 	if (!state->pkt) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
- 		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
- 		return;
- 	}
-@@ -962,6 +968,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 					  state->pkt,
- 					  !state->endianess);
- 	if (!NT_STATUS_IS_OK(status)) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
- 		tevent_req_nterror(req, status);
- 		return;
- 	}
-@@ -979,6 +991,28 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 		  (unsigned)state->reply_pdu_offset,
- 		  nt_errstr(status)));
- 
-+	if (state->pkt->ptype != DCERPC_PKT_FAULT && !NT_STATUS_IS_OK(status)) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+	}
- 	if (!NT_STATUS_IS_OK(status)) {
- 		tevent_req_nterror(req, status);
- 		return;
-@@ -1003,12 +1037,24 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 			 "%s\n",
- 			 state->endianess?"little":"big",
- 			 state->pkt->drep[0]?"little":"big"));
--		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
- 		return;
- 	}
- 
- 	if (state->reply_pdu_offset + rdata.length > MAX_RPC_DATA_SIZE) {
--		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+		tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
- 		return;
- 	}
- 
-@@ -1016,6 +1062,12 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 	if (state->reply_pdu.length < state->reply_pdu_offset + rdata.length) {
- 		if (!data_blob_realloc(NULL, &state->reply_pdu,
- 				state->reply_pdu_offset + rdata.length)) {
-+			/*
-+			 * TODO: do a real async disconnect ...
-+			 *
-+			 * For now do it sync...
-+			 */
-+			TALLOC_FREE(state->cli->transport);
- 			tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
- 			return;
- 		}
-@@ -1045,6 +1097,14 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- 	subreq = get_complete_frag_send(state, state->ev, state->cli,
- 					state->call_id,
- 					&state->incoming_frag);
-+	if (subreq == NULL) {
-+		/*
-+		 * TODO: do a real async disconnect ...
-+		 *
-+		 * For now do it sync...
-+		 */
-+		TALLOC_FREE(state->cli->transport);
-+	}
- 	if (tevent_req_nomem(subreq, req)) {
- 		return;
- 	}
-@@ -2574,8 +2634,9 @@ static struct tevent_req *rpccli_bh_disconnect_send(TALLOC_CTX *mem_ctx,
- 	/*
- 	 * TODO: do a real async disconnect ...
- 	 *
--	 * For now the caller needs to free rpc_cli
-+	 * For now we do it sync...
- 	 */
-+	TALLOC_FREE(hs->rpc_cli->transport);
- 	hs->rpc_cli = NULL;
- 
- 	tevent_req_done(req);
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2015-7560-v3-6.patch b/src/patches/samba/CVE-2015-7560-v3-6.patch
deleted file mode 100644
index 1cf30aeca..000000000
--- a/src/patches/samba/CVE-2015-7560-v3-6.patch
+++ /dev/null
@@ -1,341 +0,0 @@ 
-From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:18:12 -0800
-Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
- that can be used to prevent operations on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 26b6523..7f47579 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
- 				files_struct *fsp,
- 				const SMB_STRUCT_STAT *psbuf);
- 
-+/****************************************************************************
-+ Check if an open file handle or pathname is a symlink.
-+****************************************************************************/
-+
-+static NTSTATUS refuse_symlink(connection_struct *conn,
-+			const files_struct *fsp,
-+			const char *name)
-+{
-+	SMB_STRUCT_STAT sbuf;
-+	const SMB_STRUCT_STAT *pst = NULL;
-+
-+	if (fsp) {
-+		pst = &fsp->fsp_name->st;
-+	} else {
-+		int ret = vfs_stat_smb_fname(conn,
-+				name,
-+				&sbuf);
-+		if (ret == -1) {
-+			return map_nt_error_from_unix(errno);
-+		}
-+		pst = &sbuf;
-+	}
-+	if (S_ISLNK(pst->st_ex_mode)) {
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+	return NT_STATUS_OK;
-+}
-+
- /********************************************************************
-  Roundup a value to the nearest allocation roundup size boundary.
-  Only do this for Windows clients.
--- 
-2.5.0
-
-
-From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 10:38:28 -0800
-Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
- POSIX file handle on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/nttrans.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index 4c145e0..7255600 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
- 		return NT_STATUS_ACCESS_DENIED;
- 	}
- 
-+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-+		DEBUG(10, ("ACL get on symlink %s denied.\n",
-+			fsp_str_dbg(fsp)));
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+
- 	if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
- 			SECINFO_GROUP|SECINFO_SACL)) {
- 		/* Don't return SECINFO_LABEL if anything else was
--- 
-2.5.0
-
-
-From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 10:52:50 -0800
-Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
- POSIX file handle on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/nttrans.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index 7255600..d2102ca 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
- 		return NT_STATUS_OK;
- 	}
- 
-+	if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-+		DEBUG(10, ("ACL set on symlink %s denied.\n",
-+			fsp_str_dbg(fsp)));
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+
- 	if (psd->owner_sid == NULL) {
- 		security_info_sent &= ~SECINFO_OWNER;
- 	}
--- 
-2.5.0
-
-
-From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:22:12 -0800
-Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
- symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 7f47579..2f01e87 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
- 	uint16 num_def_acls;
- 	bool valid_file_acls = True;
- 	bool valid_def_acls = True;
-+	NTSTATUS status;
- 
- 	if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
- 		return NT_STATUS_INVALID_PARAMETER;
-@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
- 		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
-+	status = refuse_symlink(conn, fsp, smb_fname->base_name);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		return status;
-+	}
-+
- 	DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
- 		smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
- 		(unsigned int)num_file_acls,
--- 
-2.5.0
-
-
-From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:24:36 -0800
-Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
- symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 2f01e87..3a098d1 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
- 				uint16 num_file_acls = 0;
- 				uint16 num_def_acls = 0;
- 
-+				status = refuse_symlink(conn,
-+						fsp,
-+						smb_fname->base_name);
-+				if (!NT_STATUS_IS_OK(status)) {
-+					return status;
-+				}
-+
- 				if (fsp && fsp->fh->fd != -1) {
- 					file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
- 				} else {
--- 
-2.5.0
-
-
-From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:05:48 -0800
-Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
- removal of code duplication.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 3a098d1..6fdd1da 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	size_t num_names;
- 	ssize_t sizeret = -1;
- 
-+	if (pnames) {
-+		*pnames = NULL;
-+	}
-+	*pnum_names = 0;
-+
- 	if (!lp_ea_support(SNUM(conn))) {
--		if (pnames) {
--			*pnames = NULL;
--		}
--		*pnum_names = 0;
- 		return NT_STATUS_OK;
- 	}
- 
-@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 
- 	if (sizeret == 0) {
- 		TALLOC_FREE(names);
--		if (pnames) {
--			*pnames = NULL;
--		}
--		*pnum_names = 0;
- 		return NT_STATUS_OK;
- 	}
- 
--- 
-2.5.0
-
-
-From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:29:38 -0800
-Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
- available on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 6fdd1da..8b6e4b2 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	char **names, **tmp;
- 	size_t num_names;
- 	ssize_t sizeret = -1;
-+	NTSTATUS status;
- 
- 	if (pnames) {
- 		*pnames = NULL;
-@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 		return NT_STATUS_OK;
- 	}
- 
-+	status = refuse_symlink(conn, fsp, fname);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		/*
-+		 * Just return no EA's on a symlink.
-+		 */
-+		return NT_STATUS_OK;
-+	}
-+
- 	/*
- 	 * TALLOC the result early to get the talloc hierarchy right.
- 	 */
--- 
-2.5.0
-
-
-From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:33:48 -0800
-Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 8b6e4b2..98fd2af 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
- 		const struct smb_filename *smb_fname, struct ea_list *ea_list)
- {
- 	char *fname = NULL;
-+	NTSTATUS status;
- 
- 	if (!lp_ea_support(SNUM(conn))) {
- 		return NT_STATUS_EAS_NOT_SUPPORTED;
-@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
- 		return NT_STATUS_ACCESS_DENIED;
- 	}
- 
-+	status = refuse_symlink(conn, fsp, smb_fname->base_name);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		return status;
-+	}
-+
-+
- 	/* For now setting EAs on streams isn't supported. */
- 	fname = smb_fname->base_name;
- 
--- 
-2.5.0
-
diff --git a/src/patches/samba/CVE-2016-2110-v3-6.patch b/src/patches/samba/CVE-2016-2110-v3-6.patch
deleted file mode 100644
index 1f454bec8..000000000
--- a/src/patches/samba/CVE-2016-2110-v3-6.patch
+++ /dev/null
@@ -1,670 +0,0 @@ 
-From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 1 Dec 2015 08:46:45 +0100
-Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
- ntlmssp_state->allow_lm_key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 1de6189..20a5987 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -530,7 +530,8 @@ noccache:
- 	DEBUG(3, ("Got challenge flags:\n"));
- 	debug_ntlmssp_flags(chal_flags);
- 
--	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-+	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
-+				 ntlmssp_state->allow_lm_key);
- 
- 	if (ntlmssp_state->unicode) {
- 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
-@@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
- 	ntlmssp_state->unicode = True;
- 
- 	ntlmssp_state->use_ntlmv2 = use_ntlmv2;
-+	ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
- 
- 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
- 
--- 
-2.8.1
-
-
-From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 11 Dec 2015 14:50:23 +0100
-Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
- ntlmssp3_handle_neg_flags()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a copy of ntlmssp_handle_neg_flags(), which will be changed
-in an incompatible way in the following commits.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 20a5987..ad09f9f 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
- 
-+static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-+				      uint32_t neg_flags, bool allow_lm)
-+{
-+	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
-+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-+		ntlmssp_state->unicode = true;
-+	} else {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
-+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
-+		ntlmssp_state->unicode = false;
-+	}
-+
-+	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
-+		/* other end forcing us to use LM */
-+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-+		ntlmssp_state->use_ntlmv2 = false;
-+	} else {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
-+	}
-+
-+	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
-+	}
-+
-+	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
-+		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
-+	}
-+}
-+
- /**
-  * Next state function for the Challenge Packet.  Generate an auth packet.
-  *
-@@ -530,8 +584,8 @@ noccache:
- 	DEBUG(3, ("Got challenge flags:\n"));
- 	debug_ntlmssp_flags(chal_flags);
- 
--	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
--				 ntlmssp_state->allow_lm_key);
-+	ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
-+				  ntlmssp_state->allow_lm_key);
- 
- 	if (ntlmssp_state->unicode) {
- 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
--- 
-2.8.1
-
-
-From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 31 Mar 2016 12:39:50 +0200
-Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
- ntlmssp3_handle_neg_flags() return NTSTATUS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In future we can do a more fine granted negotiation
-and assert specific security features.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
- 1 file changed, 19 insertions(+), 14 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index ad09f9f..81a85ce 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
- 
--static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
--				      uint32_t neg_flags, bool allow_lm)
-+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-+					  uint32_t flags)
- {
--	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
-+	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
- 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
- 		ntlmssp_state->unicode = true;
-@@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- 		ntlmssp_state->unicode = false;
- 	}
- 
--	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
-+	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
- 		/* other end forcing us to use LM */
- 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
- 		ntlmssp_state->use_ntlmv2 = false;
-@@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_56)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
- 	}
- 
--	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
-+	if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
- 	}
- 
--	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
-+	if ((flags & NTLMSSP_REQUEST_TARGET)) {
- 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
- 	}
-+
-+	return NT_STATUS_OK;
- }
- 
- /**
-@@ -584,8 +586,11 @@ noccache:
- 	DEBUG(3, ("Got challenge flags:\n"));
- 	debug_ntlmssp_flags(chal_flags);
- 
--	ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
--				  ntlmssp_state->allow_lm_key);
-+	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
-+	if (!NT_STATUS_IS_OK(nt_status)) {
-+		return nt_status;
-+	}
-+
- 
- 	if (ntlmssp_state->unicode) {
- 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
--- 
-2.8.1
-
-
-From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 1 Dec 2015 15:01:09 +0100
-Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
- NTLMv2 to LM_AUTH
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-man smb.conf says "client ntlmv2 auth = yes" the default disables,
-"client lanman auth = yes":
-
-  ...
-  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
-  logins will be attempted.
-  ...
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 81a85ce..23a5e5d 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
- 		NTLMSSP_NEGOTIATE_KEY_EXCH |
- 		NTLMSSP_REQUEST_TARGET;
- 
-+	if (ntlmssp_state->use_ntlmv2) {
-+		ntlmssp_state->allow_lm_key = false;
-+	}
-+
- 	ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
- 	if (!ntlmssp_state->client.netbios_name) {
- 		talloc_free(ntlmssp_state);
--- 
-2.8.1
-
-
-From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 12:59:05 +0200
-Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
- variable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We now give an error when required flags are missing.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- libcli/auth/ntlmssp.h    |  1 +
- source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
-index 495d94f..88a049b 100644
---- a/libcli/auth/ntlmssp.h
-+++ b/libcli/auth/ntlmssp.h
-@@ -83,6 +83,7 @@ struct ntlmssp_state
- 	DATA_BLOB nt_resp;
- 	DATA_BLOB session_key;
- 
-+	uint32_t required_flags;
- 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
- 
- 	/**
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 23a5e5d..48d7d45 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- 					  uint32_t flags)
- {
-+	uint32_t missing_flags = ntlmssp_state->required_flags;
-+
- 	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
- 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-@@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
- 	}
- 
-+	missing_flags &= ~ntlmssp_state->neg_flags;
-+	if (missing_flags != 0) {
-+		NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
-+		DEBUG(1, ("%s: Got challenge flags[0x%08x] "
-+			  "- possible downgrade detected! "
-+			  "missing_flags[0x%08x] - %s\n",
-+			  __func__,
-+			  (unsigned)flags,
-+			  (unsigned)missing_flags,
-+			  nt_errstr(status)));
-+		debug_ntlmssp_flags(missing_flags);
-+		DEBUGADD(4, ("neg_flags[0x%08x]\n",
-+			     (unsigned)ntlmssp_state->neg_flags));
-+		debug_ntlmssp_flags(ntlmssp_state->neg_flags);
-+
-+		return status;
-+	}
-+
- 	return NT_STATUS_OK;
- }
- 
--- 
-2.8.1
-
-
-From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 13:03:24 +0200
-Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
- NTLMv2 to LM_AUTH
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-man smb.conf says "client ntlmv2 auth = yes" the default disables,
-"client lanman auth = yes":
-
-  ...
-  Likewise, if the client ntlmv2 auth parameter is enabled, then only
-  NTLMv2 logins will be attempted.
-  ...
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 48d7d45..bf40404 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 
- 	if (ntlmssp_state->use_ntlmv2) {
- 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-+		ntlmssp_state->allow_lm_key = false;
- 	}
- 
- 	/* generate the ntlmssp negotiate packet */
--- 
-2.8.1
-
-
-From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 11 Apr 2016 16:18:44 +0200
-Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
- ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
-
-ntlmssp_handle_neg_flags() can only disable flags, but not
-set them. All supported flags are set at start time.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
- 1 file changed, 17 insertions(+), 9 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index bf40404..7b17a43 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 		ntlmssp_state->allow_lm_key = false;
- 	}
- 
-+	if (ntlmssp_state->allow_lm_key) {
-+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-+	}
-+
- 	/* generate the ntlmssp negotiate packet */
- 	status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
- 		  "NTLMSSP",
-@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
- 		ntlmssp_state->unicode = false;
- 	}
- 
--	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
--		/* other end forcing us to use LM */
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
--		ntlmssp_state->use_ntlmv2 = false;
--	} else {
-+	/*
-+	 * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
-+	 * has priority over NTLMSSP_NEGOTIATE_LM_KEY
-+	 */
-+	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+	}
-+
-+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
- 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
- 	}
- 
--	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
--		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-+	if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
- 	}
- 
--	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
--		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
- 	}
- 
- 	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
--- 
-2.8.1
-
-
-From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 14:21:12 +0200
-Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
- require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 7b17a43..d5c83fd 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 	}
- 
- 	if (ntlmssp_state->use_ntlmv2) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
- 		ntlmssp_state->allow_lm_key = false;
- 	}
- 
--- 
-2.8.1
-
-
-From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 31 Mar 2016 14:30:05 +0200
-Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
- require flags
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/ntlmssp.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index d5c83fd..309175b 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
- 	 * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
- 	 */
- 	if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- 	}
- 	if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- 	}
- 	if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
- 	}
- 	if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
- 		ntlmssp_state->use_ccache = true;
- 	}
-+
-+	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
- }
- 
- /**
-@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
- {
- 	/* As per JRA's comment above */
- 	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- 	}
- 	if (feature & NTLMSSP_FEATURE_SIGN) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- 	}
- 	if (feature & NTLMSSP_FEATURE_SEAL) {
--		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
- 	}
- 	if (feature & NTLMSSP_FEATURE_CCACHE) {
- 		ntlmssp_state->use_ccache = true;
- 	}
-+
-+	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
- }
- 
- /**
--- 
-2.8.1
-
-
-From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 31 Mar 2016 15:02:11 +0200
-Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
- ntlmssp creds cache case
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
- 1 file changed, 20 insertions(+), 22 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 309175b..045dc87 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
- 	DATA_BLOB encrypted_session_key = data_blob_null;
- 	NTSTATUS nt_status = NT_STATUS_OK;
- 
-+	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
-+			 "NTLMSSP",
-+			 &ntlmssp_command,
-+			 &server_domain_blob,
-+			 &chal_flags)) {
-+		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
-+		dump_data(2, reply.data, reply.length);
-+
-+		return NT_STATUS_INVALID_PARAMETER;
-+	}
-+	data_blob_free(&server_domain_blob);
-+
-+	DEBUG(3, ("Got challenge flags:\n"));
-+	debug_ntlmssp_flags(chal_flags);
-+
-+	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
-+	if (!NT_STATUS_IS_OK(nt_status)) {
-+		return nt_status;
-+	}
-+
- 	if (ntlmssp_state->use_ccache) {
- 		struct wbcCredentialCacheParams params;
- 		struct wbcCredentialCacheInfo *info = NULL;
-@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
- 
- noccache:
- 
--	if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
--			 "NTLMSSP",
--			 &ntlmssp_command,
--			 &server_domain_blob,
--			 &chal_flags)) {
--		DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
--		dump_data(2, reply.data, reply.length);
--
--		return NT_STATUS_INVALID_PARAMETER;
--	}
--
- 	if (DEBUGLEVEL >= 10) {
- 		struct CHALLENGE_MESSAGE *challenge = talloc(
- 			talloc_tos(), struct CHALLENGE_MESSAGE);
-@@ -615,17 +624,6 @@ noccache:
- 		}
- 	}
- 
--	data_blob_free(&server_domain_blob);
--
--	DEBUG(3, ("Got challenge flags:\n"));
--	debug_ntlmssp_flags(chal_flags);
--
--	nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
--	if (!NT_STATUS_IS_OK(nt_status)) {
--		return nt_status;
--	}
--
--
- 	if (ntlmssp_state->unicode) {
- 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
- 			chal_parse_string = "CdUdbddB";
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2016-2111-v3-6.patch b/src/patches/samba/CVE-2016-2111-v3-6.patch
deleted file mode 100644
index 981736783..000000000
--- a/src/patches/samba/CVE-2016-2111-v3-6.patch
+++ /dev/null
@@ -1,1058 +0,0 @@ 
-From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Sat, 26 Sep 2015 01:29:10 +0200
-Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
- through netr_creds_server_step_check()
-
-The ensures we apply the "server schannel = yes" restrictions.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
- 1 file changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 4734bfe..54b8c5c 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -2271,11 +2271,13 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
- 
- 	/* TODO: check server name */
- 
--	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
--					    r->in.computer_name,
--					    r->in.credential,
--					    r->out.return_authenticator,
--					    &creds);
-+	become_root();
-+	status = netr_creds_server_step_check(p, p->mem_ctx,
-+					      r->in.computer_name,
-+					      r->in.credential,
-+					      r->out.return_authenticator,
-+					      &creds);
-+	unbecome_root();
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return status;
- 	}
-@@ -2371,11 +2373,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
- 
- 	/* TODO: check server name */
- 
--	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
--					    r->in.computer_name,
--					    r->in.credential,
--					    r->out.return_authenticator,
--					    &creds);
-+	become_root();
-+	status = netr_creds_server_step_check(p, p->mem_ctx,
-+					      r->in.computer_name,
-+					      r->in.credential,
-+					      r->out.return_authenticator,
-+					      &creds);
-+	unbecome_root();
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return status;
- 	}
--- 
-2.8.1
-
-
-From f93668be5dffea9b67c5ec2d49ebf7495b74c7fc Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 7 Aug 2015 13:33:17 +0200
-Subject: [PATCH 02/15] CVE-2016-2111: s3:rpc_server/netlogon: require
- DCERPC_AUTH_LEVEL_PRIVACY for validation level 6
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/rpc_server/netlogon/srv_netlog_nt.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 54b8c5c..30e1bc0 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1636,6 +1636,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- 						r->out.validation->sam3);
- 		break;
- 	case 6:
-+		/* Only allow this if the pipe is protected. */
-+		if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
-+			DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
-+				get_remote_machine_name()));
-+			status = NT_STATUS_INVALID_PARAMETER;
-+			break;
-+		}
-+
- 		status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
- 						r->out.validation->sam6);
- 		break;
--- 
-2.8.1
-
-
-From 70f12940ef563f83310d5c82cf0a3fc5876d98ac Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 12 Dec 2015 22:23:18 +0100
-Subject: [PATCH 03/15] CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon
- ntlmv2 test
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The computer name of the NTLMv2 blob needs to match
-the schannel connection.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source4/torture/rpc/samba3rpc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
-index 26bed19..d39cf55 100644
---- a/source4/torture/rpc/samba3rpc.c
-+++ b/source4/torture/rpc/samba3rpc.c
-@@ -1122,8 +1122,8 @@ static bool schan(struct torture_context *tctx,
- 		generate_random_buffer(chal.data, chal.length);
- 		names_blob = NTLMv2_generate_names_blob(
- 			mem_ctx,
--			cli_credentials_get_workstation(user_creds),
--			cli_credentials_get_domain(user_creds));
-+			cli_credentials_get_workstation(wks_creds),
-+			cli_credentials_get_domain(wks_creds));
- 		status = cli_credentials_get_ntlm_response(
- 			user_creds, mem_ctx, &flags, chal, names_blob,
- 			&lm_resp, &nt_resp, NULL, NULL);
--- 
-2.8.1
-
-
-From d8e061a1bcbb88ab6ba0f0dffbcac16a5e1db4f9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 23 Feb 2016 19:08:31 +0100
-Subject: [PATCH 04/15] CVE-2016-2111: libcli/auth: add
- NTLMv2_RESPONSE_verify_netlogon_creds() helper function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is the function that prevents spoofing like
-Microsoft's CVE-2015-0005.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- libcli/auth/proto.h       |   5 ++
- libcli/auth/smbencrypt.c  | 142 +++++++++++++++++++++++++++++++++++++++++++++-
- libcli/auth/wscript_build |   2 +-
- source3/Makefile.in       |  27 +++++----
- 4 files changed, 163 insertions(+), 13 deletions(-)
-
-diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
-index 11b720df..558a6eb 100644
---- a/libcli/auth/proto.h
-+++ b/libcli/auth/proto.h
-@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
- 		      const DATA_BLOB *names_blob,
- 		      DATA_BLOB *lm_response, DATA_BLOB *nt_response, 
- 		      DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
-+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
-+			const char *account_domain,
-+			const DATA_BLOB response,
-+			const struct netlogon_creds_CredentialState *creds,
-+			const char *workgroup);
- 
- /***********************************************************
-  encode a password buffer with a unicode password.  The buffer
-diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
-index 8fe606e..7c3142c 100644
---- a/libcli/auth/smbencrypt.c
-+++ b/libcli/auth/smbencrypt.c
-@@ -26,7 +26,7 @@
- #include "../libcli/auth/msrpc_parse.h"
- #include "../lib/crypto/crypto.h"
- #include "../libcli/auth/libcli_auth.h"
--#include "../librpc/gen_ndr/ntlmssp.h"
-+#include "../librpc/gen_ndr/ndr_ntlmssp.h"
- 
- void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
- {
-@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
- 				     lm_response, nt_response, lm_session_key, user_session_key);
- }
- 
-+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
-+			const char *account_domain,
-+			const DATA_BLOB response,
-+			const struct netlogon_creds_CredentialState *creds,
-+			const char *workgroup)
-+{
-+	TALLOC_CTX *frame = NULL;
-+	/* RespType + HiRespType */
-+	static const char *magic = "\x01\x01";
-+	int cmp;
-+	struct NTLMv2_RESPONSE v2_resp;
-+	enum ndr_err_code err;
-+	const struct AV_PAIR *av_nb_cn = NULL;
-+	const struct AV_PAIR *av_nb_dn = NULL;
-+
-+	if (response.length < 48) {
-+		/*
-+		 * NTLMv2_RESPONSE has at least 48 bytes.
-+		 */
-+		return NT_STATUS_OK;
-+	}
-+
-+	cmp = memcmp(response.data + 16, magic, 2);
-+	if (cmp != 0) {
-+		/*
-+		 * It doesn't look like a valid NTLMv2_RESPONSE
-+		 */
-+		return NT_STATUS_OK;
-+	}
-+
-+	frame = talloc_stackframe();
-+
-+	err = ndr_pull_struct_blob(&response, frame, &v2_resp,
-+		(ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
-+	if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
-+		NTSTATUS status;
-+		status = ndr_map_error2ntstatus(err);
-+		DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
-+			 "length %u - %s - %s\n",
-+			 (unsigned)response.length,
-+			 ndr_map_error2string(err),
-+			 nt_errstr(status)));
-+		dump_data(2, response.data, response.length);
-+		TALLOC_FREE(frame);
-+		return status;
-+	}
-+
-+	if (DEBUGLVL(10)) {
-+		NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
-+	}
-+
-+	/*
-+	 * Make sure the netbios computer name in the
-+	 * NTLMv2_RESPONSE matches the computer name
-+	 * in the secure channel credentials for workstation
-+	 * trusts.
-+	 *
-+	 * And the netbios domain name matches our
-+	 * workgroup.
-+	 *
-+	 * This prevents workstations from requesting
-+	 * the session key of NTLMSSP sessions of clients
-+	 * to other hosts.
-+	 */
-+	if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
-+		av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
-+					       MsvAvNbComputerName);
-+		av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
-+					       MsvAvNbDomainName);
-+	}
-+
-+	if (av_nb_cn != NULL) {
-+		const char *v = NULL;
-+		char *a = NULL;
-+		size_t len;
-+
-+		v = av_nb_cn->Value.AvNbComputerName;
-+
-+		a = talloc_strdup(frame, creds->account_name);
-+		if (a == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		len = strlen(a);
-+		if (len > 0 && a[len - 1] == '$') {
-+			a[len - 1] = '\0';
-+		}
-+
-+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
-+		cmp = strcasecmp_m(a, v);
-+#else /* smbd */
-+		cmp = StrCaseCmp(a, v);
-+#endif
-+		if (cmp != 0) {
-+			DEBUG(2,("%s: NTLMv2_RESPONSE with "
-+				 "NbComputerName[%s] rejected "
-+				 "for user[%s\\%s] "
-+				 "against SEC_CHAN_WKSTA[%s/%s] "
-+				 "in workgroup[%s]\n",
-+				 __func__, v,
-+				 account_domain,
-+				 account_name,
-+				 creds->computer_name,
-+				 creds->account_name,
-+				 workgroup));
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_LOGON_FAILURE;
-+		}
-+	}
-+	if (av_nb_dn != NULL) {
-+		const char *v = NULL;
-+
-+		v = av_nb_dn->Value.AvNbDomainName;
-+
-+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
-+		cmp = strcasecmp_m(workgroup, v);
-+#else /* smbd */
-+		cmp = StrCaseCmp(workgroup, v);
-+#endif
-+		if (cmp != 0) {
-+			DEBUG(2,("%s: NTLMv2_RESPONSE with "
-+				 "NbDomainName[%s] rejected "
-+				 "for user[%s\\%s] "
-+				 "against SEC_CHAN_WKSTA[%s/%s] "
-+				 "in workgroup[%s]\n",
-+				 __func__, v,
-+				 account_domain,
-+				 account_name,
-+				 creds->computer_name,
-+				 creds->account_name,
-+				 workgroup));
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_LOGON_FAILURE;
-+		}
-+	}
-+
-+	TALLOC_FREE(frame);
-+	return NT_STATUS_OK;
-+}
-+
- /***********************************************************
-  encode a password buffer with a unicode password.  The buffer
-  is filled with random data to make it harder to attack.
-diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
-index 0f0e22b..dce6c80 100644
---- a/libcli/auth/wscript_build
-+++ b/libcli/auth/wscript_build
-@@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
- 
- bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
- 	source='credentials.c session.c smbencrypt.c smbdes.c',
--	public_deps='MSRPC_PARSE',
-+	public_deps='MSRPC_PARSE NDR_NTLMSSP',
- 	public_headers='credentials.h:domain_credentials.h'
- 	)
- 
-diff --git a/source3/Makefile.in b/source3/Makefile.in
-index 2668a6b..d562d17 100644
---- a/source3/Makefile.in
-+++ b/source3/Makefile.in
-@@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/mapping_tdb.o
- PROFILE_OBJ = profile/profile.o
- PROFILES_OBJ = utils/profiles.o \
- 	       $(LIBSMB_ERR_OBJ) \
-+	       $(LIBNDR_NTLMSSP_OBJ) \
- 	       $(PARAM_OBJ) \
-                $(LIB_OBJ) $(LIB_DUMMY_OBJ) \
-                $(POPT_LIB_OBJ) \
-@@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(PRINTING_OBJ) $(PRINTBASE_OBJ) $(LIBSMB_O
- STATUS_OBJ = utils/status.o utils/status_profile.o \
- 	     $(LOCKING_OBJ) $(PARAM_OBJ) \
-              $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
--	     $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
-+	     $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
- 
- SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
--	$(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
-+	$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
- 
- SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
-              $(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
-@@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
- 
- TESTPARM_OBJ = utils/testparm.o \
-                $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
--	       $(LIBSMB_ERR_OBJ)
-+	       $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
- 
- SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
- 	$(LIB_NONSMBD_OBJ) \
--	$(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
-+	$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
- 
- TEST_LP_LOAD_OBJ = param/test_lp_load.o \
- 		   $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
-@@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
- 		  $(LIB_NONSMBD_OBJ) \
- 		  $(PARAM_OBJ) \
- 		  $(LIBSMB_ERR_OBJ) \
-+		  $(LIBNDR_NTLMSSP_OBJ) \
- 		  $(POPT_LIB_OBJ)
- 
- PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
-@@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
- 	  $(LIBNDR_GEN_OBJ0)
- 
- NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
--               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
-+               $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
- 
- SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
- 		torture/denytest.o torture/mangle_test.o \
-@@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- 		 $(LIBNDR_GEN_OBJ0)
- 
- MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
-+		 $(LIBNDR_NTLMSSP_OBJ) \
-                  $(LIB_NONSMBD_OBJ) \
- 		 $(LIBNDR_GEN_OBJ0)
- 
-@@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- 
- VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
- 
--SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
-+SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
- 
- LOG2PCAP_OBJ = utils/log2pcaphex.o
- 
-@@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- EVTLOGADM_OBJ0	= utils/eventlogadm.o
- 
- EVTLOGADM_OBJ	= $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
--		$(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
-+		$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
- 		librpc/gen_ndr/ndr_eventlog.o \
- 		librpc/gen_ndr/ndr_lsa.o
- 
- SHARESEC_OBJ0 = utils/sharesec.o
- SHARESEC_OBJ  = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
--		$(LIBSMB_ERR_OBJ) \
-+		$(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
-                 $(POPT_LIB_OBJ)
- 
- TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
--		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
-+		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
- 
- REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
- 		@libreplacedir@/test/getifaddrs.o \
-@@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
- 		 $(LIBNDR_GEN_OBJ0)
- 
- WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
--	$(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
-+	$(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
- 
- PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
- 		pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
-@@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
- DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
- 		  $(PARAM_OBJ) \
- 		  $(LIB_NONSMBD_OBJ) \
--		  $(LIBSMB_ERR_OBJ)
-+		  $(LIBSMB_ERR_OBJ) \
-+		  $(LIBNDR_NTLMSSP_OBJ)
- 
- DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
- 		     $(PARAM_OBJ) \
- 		     $(LIB_NONSMBD_OBJ) \
- 		     $(LIBSMB_ERR_OBJ) \
-+		     $(LIBNDR_NTLMSSP_OBJ) \
- 		     $(POPT_LIB_OBJ)
- 
- SPLIT_TOKENS_OBJ = utils/split_tokens.o \
--- 
-2.8.1
-
-
-From d49e3329a639a570db8e99a13796713fb5a23616 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 9 Dec 2015 13:12:43 +0100
-Subject: [PATCH 05/15] CVE-2016-2111: s3:rpc_server/netlogon: check
- NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This prevents spoofing like Microsoft's CVE-2015-0005.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 30e1bc0..a630b47 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- 	case NetlogonNetworkTransitiveInformation:
- 	{
- 		const char *wksname = nt_workstation;
-+		const char *workgroup = lp_workgroup();
- 
- 		status = make_auth_context_fixed(talloc_tos(), &auth_context,
- 						 logon->network->challenge);
-@@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
- 						     logon->network->nt.length)) {
- 			status = NT_STATUS_NO_MEMORY;
- 		}
-+
-+		if (NT_STATUS_IS_OK(status)) {
-+			status = NTLMv2_RESPONSE_verify_netlogon_creds(
-+						user_info->client.account_name,
-+						user_info->client.domain_name,
-+						user_info->password.response.nt,
-+						creds, workgroup);
-+		}
- 		break;
- 	}
- 	case NetlogonInteractiveInformation:
--- 
-2.8.1
-
-
-From bded435d42be34099d28db69258b1b5ef95ced48 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 22:24:23 +0100
-Subject: [PATCH 06/15] CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos
- connection in raw.samba3badpath
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- source4/torture/raw/samba3misc.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c
-index a603111..b99d40f 100644
---- a/source4/torture/raw/samba3misc.c
-+++ b/source4/torture/raw/samba3misc.c
-@@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct torture_context *torture)
- 	bool ret = true;
- 	TALLOC_CTX *mem_ctx;
- 	bool nt_status_support;
-+	bool client_ntlmv2_auth;
- 
- 	if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
- 		d_printf("talloc_init failed\n");
-@@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct torture_context *torture)
- 	}
- 
- 	nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
-+	client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
- 
--	if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
--		printf("Could not set 'nt status support = yes'\n");
--		goto fail;
--	}
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
- 
- 	if (!torture_open_connection(&cli_nt, torture, 0)) {
- 		goto fail;
- 	}
- 
--	if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
--		printf("Could not set 'nt status support = yes'\n");
--		goto fail;
--	}
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
- 
- 	if (!torture_open_connection(&cli_dos, torture, 1)) {
- 		goto fail;
-@@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct torture_context *torture)
- 	}
- 
- 	smbcli_deltree(cli_nt->tree, dirname);
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
-+						       nt_status_support ? "yes":"no"),
-+			    ret, fail, "Could not set 'nt status support' back to where it was\n");
-+	torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
-+						       client_ntlmv2_auth ? "yes":"no"),
-+			    ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
- 
- 	status = smbcli_mkdir(cli_nt->tree, dirname);
- 	if (!NT_STATUS_IS_OK(status)) {
--- 
-2.8.1
-
-
-From 12c908158213b1b82aca5c4485961da89299b6cf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 22:24:23 +0100
-Subject: [PATCH 07/15] CVE-2016-2111: s4:torture/base: don't use ntlmv2 for
- dos connection in base.samba3error
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- source4/torture/basic/base.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/source4/torture/basic/base.c b/source4/torture/basic/base.c
-index d7bac45..7f74bb9 100644
---- a/source4/torture/basic/base.c
-+++ b/source4/torture/basic/base.c
-@@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct torture_context *tctx,
- static bool torture_samba3_errorpaths(struct torture_context *tctx)
- {
- 	bool nt_status_support;
-+	bool client_ntlmv2_auth;
- 	struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
- 	bool result = false;
- 	int fnum;
-@@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx)
- 	NTSTATUS status;
- 
- 	nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
-+	client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
- 
- 	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
- 		torture_comment(tctx, "Could not set 'nt status support = yes'\n");
- 		goto fail;
- 	}
-+	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
-+		torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
-+		goto fail;
-+	}
- 
- 	if (!torture_open_connection(&cli_nt, tctx, 0)) {
- 		goto fail;
- 	}
- 
- 	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
--		torture_comment(tctx, "Could not set 'nt status support = yes'\n");
-+		torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
-+		goto fail;
-+	}
-+	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
-+		torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
- 		goto fail;
- 	}
- 
-@@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(struct torture_context *tctx)
- 
- 	if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
- 			    nt_status_support ? "yes":"no")) {
--		torture_comment(tctx, "Could not reset 'nt status support = yes'");
-+		torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
-+		goto fail;
-+	}
-+	if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
-+			       client_ntlmv2_auth ? "yes":"no")) {
-+		torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
- 		goto fail;
- 	}
- 
--- 
-2.8.1
-
-
-From 0b659fd0d7b684244c9791e01cc1370c0696e3f7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 18:08:16 +0100
-Subject: [PATCH 08/15] CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2
- response when we want to use spnego
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- source3/libsmb/cliconnect.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 8653ba7..4c0abdf 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
- 		NTSTATUS status;
- 
- 		/* otherwise do a NT1 style session setup */
-+		if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
-+			/*
-+			 * Don't send an NTLMv2 response without NTLMSSP
-+			 * if we want to use spnego support
-+			 */
-+			DEBUG(1, ("Server does not support EXTENDED_SECURITY "
-+				  " but 'client use spnego = yes"
-+				  " and 'client ntlmv2 auth = yes'\n"));
-+			return NT_STATUS_ACCESS_DENIED;
-+		}
-+
- 		status = cli_session_setup_nt1(cli, user, pass, passlen,
- 					       ntpass, ntpasslen, workgroup);
- 		if (!NT_STATUS_IS_OK(status)) {
--- 
-2.8.1
-
-
-From 5ed1b3a84a1e3d9707a788a89698aa28769a79be Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 27 Mar 2016 01:09:05 +0100
-Subject: [PATCH 09/15] CVE-2016-2111: docs-xml: document the new "client
- NTLMv2 auth" and "client use spnego" interaction
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- docs-xml/smbdotconf/protocol/clientusespnego.xml  | 5 +++++
- docs-xml/smbdotconf/security/clientntlmv2auth.xml | 5 +++++
- 2 files changed, 10 insertions(+)
-
-diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml
-index c688a65..e538745 100644
---- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
-+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
-@@ -9,6 +9,11 @@
-     supporting servers (including WindowsXP, Windows2000 and Samba
-     3.0) to agree upon an authentication
-     mechanism.  This enables Kerberos authentication in particular.</para>
-+
-+    <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
-+    <constant>yes</constant> extended security (SPNEGO) is required
-+    in order to use NTLMv2 only within NTLMSSP. This behavior was
-+    introduced with the patches for CVE-2016-2111.</para>
- </description>
- 
- <value type="default">yes</value>
-diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
-index b151df2..1b6d887 100644
---- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
-+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
-@@ -28,6 +28,11 @@
-     NTLMv2 by default, and some sites (particularly those following
-     'best practice' security polices) only allow NTLMv2 responses, and
-     not the weaker LM or NTLM.</para>
-+
-+    <para>When <smbconfoption name="client use spnego"/> is also set to
-+    <constant>yes</constant> extended security (SPNEGO) is required
-+    in order to use NTLMv2 only within NTLMSSP. This behavior was
-+    introduced with the patches for CVE-2016-2111.</para>
- </description>
- <value type="default">yes</value>
- </samba:parameter>
--- 
-2.8.1
-
-
-From 8ac4cd75a89732938b1e3161a884f9d5df68ffaf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 15 Mar 2016 21:02:34 +0100
-Subject: [PATCH 10/15] CVE-2016-2111: docs-xml: add "raw NTLMv2 auth"
- defaulting to "yes"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- docs-xml/smbdotconf/security/rawntlmv2auth.xml | 20 ++++++++++++++++++++
- source3/include/proto.h                        |  1 +
- source3/param/loadparm.c                       |  3 +++
- 3 files changed, 24 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
-
-diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
-new file mode 100644
-index 0000000..ef26297
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
-@@ -0,0 +1,20 @@
-+<samba:parameter name="raw NTLMv2 auth"
-+                 context="G"
-+                 type="boolean"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
-+    <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
-+    extended security (without SPNEGO) to use NTLMv2 authentication.</para>
-+
-+    <para>If this option, <command moreinfo="none">lanman auth</command>
-+    and <command moreinfo="none">ntlm auth</command> are all disabled,
-+    then only clients with SPNEGO support will be permitted.
-+    That means NTLMv2 is only supported within NTLMSSP.</para>
-+
-+    <para>Note that the default will change to "no" with Samba 4.5.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+<value type="example">no</value>
-+</samba:parameter>
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 8491d54..32b4e3d 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
- int lp_restrict_anonymous(void);
- bool lp_lanman_auth(void);
- bool lp_ntlm_auth(void);
-+bool lp_raw_ntlmv2_auth(void);
- bool lp_client_plaintext_auth(void);
- bool lp_client_lanman_auth(void);
- bool lp_client_ntlmv2_auth(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 753252a..42ddcf5 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -336,6 +336,7 @@ struct global {
- 	bool bAllowTrustedDomains;
- 	bool bLanmanAuth;
- 	bool bNTLMAuth;
-+	bool bRawNTLMv2Auth;
- 	bool bUseSpnego;
- 	bool bClientLanManAuth;
- 	bool bClientNTLMv2Auth;
-@@ -5337,6 +5338,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
- 	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
- 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
-+	Globals.bRawNTLMv2Auth = true;	/* Allow NTLMv2 without NTLMSSP */
- 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
- 
-@@ -5819,6 +5821,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domain, &Globals.bMapUntrustedToDomain)
- FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
- FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
- FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
-+FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
- FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
- FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
- FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
--- 
-2.8.1
-
-
-From de2ba16834dece138d8c0761cc3c834da42dfd33 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 15 Mar 2016 21:02:34 +0100
-Subject: [PATCH 11/15] CVE-2016-2111(<=4.3): loadparm: add "raw NTLMv2 auth"
- to param_table
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- source3/param/loadparm.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 42ddcf5..f806788 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -1384,6 +1384,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "raw NTLMv2 auth",
-+		.type		= P_BOOL,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.bRawNTLMv2Auth,
-+		.special	= NULL,
-+		.enum_list	= NULL,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "client NTLMv2 auth",
- 		.type		= P_BOOL,
- 		.p_class	= P_GLOBAL,
--- 
-2.8.1
-
-
-From 094fb71d1dda38894be501674c7ec3e4ec03078e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 1 Mar 2016 10:25:54 +0100
-Subject: [PATCH 12/15] CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth"
- checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/auth/auth_util.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 288f461..98bbbef 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -30,6 +30,7 @@
- #include "../lib/util/util_pw.h"
- #include "lib/winbind_util.h"
- #include "passdb.h"
-+#include "../lib/tsocket/tsocket.h"
- 
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_AUTH
-@@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
-                                       const char *client_domain, 
-                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
- {
-+	bool allow_raw = lp_raw_ntlmv2_auth();
-+
-+	if (!allow_raw && nt_resp.length >= 48) {
-+		/*
-+		 * NTLMv2_RESPONSE has at least 48 bytes
-+		 * and should only be supported via NTLMSSP.
-+		 */
-+		DEBUG(2,("Rejecting raw NTLMv2 authentication with "
-+			 "user [%s\\%s]\n",
-+			 client_domain, smb_name));
-+		return NT_STATUS_INVALID_PARAMETER;
-+	}
-+
- 	return make_user_info_map(user_info, smb_name, 
- 				  client_domain, 
- 				  get_remote_machine_name(), 
--- 
-2.8.1
-
-
-From a2ef1fb0cf0b83a2799b95795d31b8fb03da11bb Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 22:08:38 +0100
-Subject: [PATCH 13/15] CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth =
- yes" for s3dc
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- selftest/target/Samba3.pm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 01a1c47..ee3696e 100644
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -127,6 +127,7 @@ sub setup_dc($$)
- 	domain master = yes
- 	domain logons = yes
- 	lanman auth = yes
-+	raw NTLMv2 auth = yes
- ";
- 
- 	my $vars = $self->provision($path,
--- 
-2.8.1
-
-
-From 74da0e00f3b817dd20d6429f7ba7748f66b9b6a4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 15 Mar 2016 21:59:42 +0100
-Subject: [PATCH 14/15] CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2
- auth" to "no"
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
----
- docs-xml/smbdotconf/security/rawntlmv2auth.xml | 7 +++----
- source3/param/loadparm.c                       | 2 +-
- 2 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
-index ef26297..30e7280 100644
---- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml
-+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
-@@ -11,10 +11,9 @@
-     and <command moreinfo="none">ntlm auth</command> are all disabled,
-     then only clients with SPNEGO support will be permitted.
-     That means NTLMv2 is only supported within NTLMSSP.</para>
--
--    <para>Note that the default will change to "no" with Samba 4.5.</para>
- </description>
- 
--<value type="default">yes</value>
--<value type="example">no</value>
-+<related>lanman auth</related>
-+<related>ntlm auth</related>
-+<value type="default">no</value>
- </samba:parameter>
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index f806788..7065cf6 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -5347,7 +5347,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
- 	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
- 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
--	Globals.bRawNTLMv2Auth = true;	/* Allow NTLMv2 without NTLMSSP */
-+	Globals.bRawNTLMv2Auth = false;	/* Allow NTLMv2 without NTLMSSP */
- 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
- 
--- 
-2.8.1
-
-
-From 44530ad870745f8d649aff9cc18480aaeeccf01a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 4 Apr 2016 16:44:39 +0200
-Subject: [PATCH 15/15] CVE-2016-2111: s3:selftest: Disable client ntlmv2 auth
- for secserver
-
-The client connects with ntlmv1 to the secserver (server with
-security = share). So the secserver needs to allow to connect with
-NTLMv1 to the password server to verify the user or it will fail.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- selftest/target/Samba3.pm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index ee3696e..7326b22 100644
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -231,6 +231,7 @@ sub setup_secserver($$$)
- 	my $secserver_options = "
- 	security = server
-         password server = $s3dcvars->{SERVER_IP}
-+	client ntlmv2 auth = no
- ";
- 
- 	my $ret = $self->provision($prefix,
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2016-2112-v3-6.patch b/src/patches/samba/CVE-2016-2112-v3-6.patch
deleted file mode 100644
index 57c6f680a..000000000
--- a/src/patches/samba/CVE-2016-2112-v3-6.patch
+++ /dev/null
@@ -1,184 +0,0 @@ 
-From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Wed, 30 Mar 2016 16:55:44 +0200
-Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
- ntlmssp_have_feature()
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/include/proto.h  |  1 +
- source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 32b4e3d..43008ea 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
- NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
- void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
- void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
-+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
- NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
- 			const DATA_BLOB in, DATA_BLOB *out) ;
- NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 045dc87..7e58990 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
- 	return NT_STATUS_OK;
- }
- 
-+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
-+			  uint32_t feature)
-+{
-+	if (feature & NTLMSSP_FEATURE_SIGN) {
-+		if (ntlmssp_state->session_key.length == 0) {
-+			return false;
-+		}
-+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
-+			return true;
-+		}
-+	}
-+
-+	if (feature & NTLMSSP_FEATURE_SEAL) {
-+		if (ntlmssp_state->session_key.length == 0) {
-+			return false;
-+		}
-+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
-+			return true;
-+		}
-+	}
-+
-+	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
-+		if (ntlmssp_state->session_key.length > 0) {
-+			return true;
-+		}
-+	}
-+
-+	return false;
-+}
-+
- /**
-  * Request features for the NTLMSSP negotiation
-  *
--- 
-2.8.1
-
-
-From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Thu, 24 Mar 2016 16:22:36 +0100
-Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Pair-programmed-with: Ralph Boehme <slow@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index e7daa8a..6690f83 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
- 	/* we have a reference conter on ntlmssp_state, if we are signing
- 	   then the state will be kept by the signing engine */
- 
-+	if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
-+		bool ok;
-+
-+		ok = ntlmssp_have_feature(ntlmssp_state,
-+					  NTLMSSP_FEATURE_SEAL);
-+		if (!ok) {
-+			DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
-+			TALLOC_FREE(ntlmssp_state);
-+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+		}
-+
-+		ok = ntlmssp_have_feature(ntlmssp_state,
-+					  NTLMSSP_FEATURE_SIGN);
-+		if (!ok) {
-+			DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
-+			TALLOC_FREE(ntlmssp_state);
-+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+		}
-+
-+	} else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
-+		bool ok;
-+
-+		ok = ntlmssp_have_feature(ntlmssp_state,
-+					  NTLMSSP_FEATURE_SIGN);
-+		if (!ok) {
-+			DEBUG(0,("The gensec feature signing request, but unavailable\n"));
-+			TALLOC_FREE(ntlmssp_state);
-+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+		}
-+	}
-+
- 	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
- 		ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
- 		ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
--- 
-2.8.1
-
-
-From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 5 Sep 2014 17:38:38 +1200
-Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
- wrapping" to sign
-
-This is to disrupt MITM attacks between us and our DC
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
-Signed-off-by: Garming Sam <garming@catalyst.net.nz>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-(backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
----
- docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++-----
- source3/param/loadparm.c                            | 2 ++
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-index a926cec..a7c4395 100644
---- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-@@ -34,11 +34,9 @@
- 	</para>
- 
- 	<para>
--	The default value is <emphasis>plain</emphasis> which is not irritable 
--	to KRB5 clock skew errors. That implies synchronizing the time
--	with the KDC in the case of using <emphasis>sign</emphasis> or 
--	<emphasis>seal</emphasis>.
-+	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
-+	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
- 	</para>
- </description>
--<value type="default">plain</value>
-+<value type="default">sign</value>
- </samba:parameter>
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 7065cf6..c5249b7 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
- 	Globals.ldap_debug_level = 0;
- 	Globals.ldap_debug_threshold = 10;
- 
-+	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
-+
- 	/* This is what we tell the afs client. in reality we set the token 
- 	 * to never expire, though, when this runs out the afs client will 
- 	 * forget the token. Set to 0 to get NEVERDATE.*/
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2016-2115-v3-6.patch b/src/patches/samba/CVE-2016-2115-v3-6.patch
deleted file mode 100644
index 6167d35a3..000000000
--- a/src/patches/samba/CVE-2016-2115-v3-6.patch
+++ /dev/null
@@ -1,359 +0,0 @@ 
-From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 27 Feb 2016 03:43:58 +0100
-Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
- docs-xml/smbdotconf/security/clientsigning.xml    |  3 +++
- source3/include/proto.h                           |  1 +
- source3/param/loadparm.c                          | 12 ++++++++++++
- 4 files changed, 39 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
-
-diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml
-new file mode 100644
-index 0000000..1897fc6
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
-@@ -0,0 +1,23 @@
-+<samba:parameter name="client ipc signing"
-+                 context="G"
-+                 type="enum"
-+                 enumlist="enum_smb_signing_vals"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
-+    connections as DCERPC transport inside of winbind. Possible values
-+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
-+    and <emphasis>disabled</emphasis>.
-+    </para>
-+
-+    <para>When set to auto, SMB signing is offered, but not enforced and if set
-+    to disabled, SMB signing is not offered either.</para>
-+
-+    <para>Connections from winbindd to Active Directory Domain Controllers
-+    always enforce signing.</para>
-+</description>
-+
-+<related>client signing</related>
-+
-+<value type="default">mandatory</value>
-+</samba:parameter>
-diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
-index c657e05..189a7ae 100644
---- a/docs-xml/smbdotconf/security/clientsigning.xml
-+++ b/docs-xml/smbdotconf/security/clientsigning.xml
-@@ -12,6 +12,9 @@
-     <para>When set to auto, SMB signing is offered, but not enforced. 
-     When set to mandatory, SMB signing is required and if set 
- 	to disabled, SMB signing is not offered either.
-+
-+    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
-+    <smbconfoption name="client ipc signing"/> option.</para>
- </para>
- </description>
- 
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 43008ea..af950aa 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-+int lp_client_ipc_signing(void);
- int lp_server_signing(void);
- int lp_client_ldap_sasl_wrapping(void);
- char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c5249b7..a612e5a3 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -366,6 +366,7 @@ struct global {
- 	int restrict_anonymous;
- 	int name_cache_timeout;
- 	int client_signing;
-+	int client_ipc_signing;
- 	int server_signing;
- 	int client_ldap_sasl_wrapping;
- 	int iUsershareMaxShares;
-@@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "client ipc signing",
-+		.type		= P_ENUM,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.client_ipc_signing,
-+		.special	= NULL,
-+		.enum_list	= enum_smb_signing_vals,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "server signing",
- 		.type		= P_ENUM,
- 		.p_class	= P_GLOBAL,
-@@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientUseSpnego = True;
- 
- 	Globals.client_signing = Auto;
-+	Globals.client_ipc_signing = Required;
- 	Globals.server_signing = False;
- 
- 	Globals.bDeferSharingViolations = True;
-@@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo)
- FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
- FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
- FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
-+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
- FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
- FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
- 
--- 
-2.8.1
-
-
-From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 5 Apr 2016 10:46:53 +0200
-Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are
- not an smb client
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/param/loadparm.c                    | 14 ++++++++++++++
- source3/rpc_server/spoolss/srv_spoolss_nt.c |  2 +-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index a612e5a3..c58f860 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname,
- 		lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
- 	}
- 
-+	if (!lp_is_in_client()) {
-+		switch (lp_client_ipc_signing()) {
-+		case Required:
-+			lp_set_cmdline("client signing", "mandatory");
-+			break;
-+		case Auto:
-+			lp_set_cmdline("client signing", "auto");
-+			break;
-+		case False:
-+			lp_set_cmdline("client signing", "disabled");
-+			break;
-+		}
-+	}
-+
- 	init_iconv();
- 
- 	bAllowIncludeRegistry = true;
-diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-index 181a7b5..a0fcf27 100644
---- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
-+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
-@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
- 		"", /* username */
- 		"", /* domain */
- 		"", /* password */
--		0, lp_client_signing());
-+		0, False);
- 
- 	if ( !NT_STATUS_IS_OK( ret ) ) {
- 		DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- 
-2.8.1
-
-
-From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Thu, 31 Mar 2016 11:30:03 +0200
-Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind
- sealed pipes"
-
-This will be used in the next commit to prevent mitm attacks on on lsa,
-samr and netlogon in winbindd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++
- source3/include/proto.h                            |  1 +
- source3/param/loadparm.c                           | 12 ++++++++++++
- 3 files changed, 28 insertions(+)
- create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-
-diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-new file mode 100644
-index 0000000..016ac9b
---- /dev/null
-+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
-@@ -0,0 +1,15 @@
-+<samba:parameter name="winbind sealed pipes"
-+                 context="G"
-+                 type="boolean"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+	<para>This option controls whether any requests from winbindd to domain controllers
-+		pipe will be sealed. Disabling sealing can be useful for debugging
-+		purposes.</para>
-+
-+	<para>The behavior can be controlled per netbios domain
-+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+</samba:parameter>
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index af950aa..ac1540f 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void);
- int lp_winbind_reconnect_delay(void);
- int lp_winbind_max_clients(void);
- const char **lp_winbind_nss_info(void);
-+bool lp_winbind_sealed_pipes(void);
- int lp_algorithmic_rid_base(void);
- int lp_name_cache_timeout(void);
- int lp_client_signing(void);
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index c58f860..fdc9407 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -215,6 +215,7 @@ struct global {
- 	int  winbind_expand_groups;
- 	bool bWinbindRefreshTickets;
- 	bool bWinbindOfflineLogon;
-+	bool bWinbindSealedPipes;
- 	bool bWinbindNormalizeNames;
- 	bool bWinbindRpcOnly;
- 	bool bCreateKrb5Conf;
-@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "winbind sealed pipes",
-+		.type		= P_BOOL,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.bWinbindSealedPipes,
-+		.special	= NULL,
-+		.enum_list	= NULL,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "winbind normalize names",
- 		.type		= P_BOOL,
- 		.p_class	= P_GLOBAL,
-@@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
- 	Globals.bWinbindRefreshTickets = False;
- 	Globals.bWinbindOfflineLogon = False;
-+	Globals.bWinbindSealedPipes = True;
- 
- 	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
- 	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
-@@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups)
- FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
- FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
- FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
-+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
- FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
- FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
- FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
--- 
-2.8.1
-
-
-From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 5 Sep 2014 17:00:31 +1200
-Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous
- connections by default
-
-The requirement is that we have "winbind sealed pipes = false" and
-"require strong key = false" before we make anonymous connections.
-These are a security risk as we cannot prevent MITM attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97)
----
- source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++-
- 1 file changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
-index 8271279..50a341e 100644
---- a/source3/winbindd/winbindd_cm.c
-+++ b/source3/winbindd/winbindd_cm.c
-@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- 	TALLOC_FREE(conn->samr_pipe);
- 
-  anonymous:
-+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+		status = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
-+			  "without connection level security, "
-+			  "must set 'winbind sealed pipes = false' "
-+			  "to proceed: %s\n",
-+			  domain->name, nt_errstr(status)));
-+		goto done;
-+	}
- 
- 	/* Finally fall back to anonymous. */
- 	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
-@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
- 
-  anonymous:
- 
-+	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+		result = NT_STATUS_DOWNGRADE_DETECTED;
-+		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
-+			  "without connection level security, "
-+			  "must set 'winbind sealed pipes = false' "
-+			  "to proceed: %s\n",
-+			  domain->name, nt_errstr(result)));
-+		goto done;
-+	}
-+
- 	result = cli_rpc_pipe_open_noauth(conn->cli,
- 					  &ndr_table_lsarpc.syntax_id,
- 					  &conn->lsa_pipe);
-@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
- 
-  no_schannel:
- 	if ((lp_client_schannel() == False) ||
--			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-+		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
-+			result = NT_STATUS_DOWNGRADE_DETECTED;
-+			DEBUG(1, ("Unwilling to make connection to domain %s "
-+				  "without connection level security, "
-+				  "must set 'winbind sealed pipes = false' "
-+				  "to proceed: %s\n",
-+				  domain->name, nt_errstr(result)));
-+			TALLOC_FREE(netlogon_pipe);
-+			invalidate_cm_connection(conn);
-+			return result;
-+		}
- 		/*
- 		 * NetSamLogonEx only works for schannel
- 		 */
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2016-2118-v3-6.patch b/src/patches/samba/CVE-2016-2118-v3-6.patch
deleted file mode 100644
index e354155e8..000000000
--- a/src/patches/samba/CVE-2016-2118-v3-6.patch
+++ /dev/null
@@ -1,629 +0,0 @@ 
-From 9519f8f5123be055a4e845f87badef8b80ab2ee4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 15 Dec 2015 14:49:36 +0100
-Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
- level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
-
-ncacn_ip_tcp:server should get the same protection as ncacn_np:server
-if authentication and smb signing is used.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-
-(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
----
- source3/rpcclient/rpcclient.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
-index 949e14c..81c5f42 100644
---- a/source3/rpcclient/rpcclient.c
-+++ b/source3/rpcclient/rpcclient.c
-@@ -1062,10 +1062,9 @@ out_free:
- 		}
- 	}
- 	if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
--		/* If neither Integrity or Privacy are requested then
--		 * Use just Connect level */
-+		/* If nothing is requested then default to integrity */
- 		if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
--			pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
-+			pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- 		}
- 	}
- 
--- 
-2.8.1
-
-
-From 0e00f6da40e6f76d9bd56187e74841c85ea86c55 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 11 Mar 2016 16:02:25 +0100
-Subject: [PATCH 02/10] CVE-2016-2118: s4:librpc: use integrity by default for
- authenticated binds
-
-ncacn_ip_tcp:server should get the same protection as ncacn_np:server
-if authentication and smb signing is used.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 7847ee85d278adb9ce4fc7da7cf171917227c93f)
----
- source4/librpc/rpc/dcerpc_util.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
-index 2cd9499..a6d0df5 100644
---- a/source4/librpc/rpc/dcerpc_util.c
-+++ b/source4/librpc/rpc/dcerpc_util.c
-@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
- 
- 	/* Perform an authenticated DCE-RPC bind
- 	 */
--	if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
-+	if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
- 		/*
- 		  we are doing an authenticated connection,
--		  but not using sign or seal. We must force
--		  the CONNECT dcerpc auth type as a NONE auth
--		  type doesn't allow authentication
--		  information to be passed.
-+		  which needs to use [connect], [sign] or [seal].
-+		  If nothing is specified, we default to [sign] now.
-+		  This give roughly the same protection as
-+		  ncacn_np with smb signing.
- 		*/
--		conn->flags |= DCERPC_CONNECT;
-+		conn->flags |= DCERPC_SIGN;
- 	}
- 
- 	if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
--- 
-2.8.1
-
-
-From 8d53761dbcbea6439f4bfaef86ff79f42b682b22 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 10 Mar 2016 17:03:59 +0100
-Subject: [PATCH 03/10] CVE-2016-2118: docs-xml: add "allow dcerpc auth level
- connect" defaulting to "yes"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We sadly need to allow this for now by default.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(backported from commit 56baca8619ba9ae1734c3d77524fc705ebcbd8d2)
----
- .../security/allowdcerpcauthlevelconnect.xml       | 24 ++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
- create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-
-diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-new file mode 100644
-index 0000000..5552112
---- /dev/null
-+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-@@ -0,0 +1,24 @@
-+<samba:parameter name="allow dcerpc auth level connect"
-+                 context="G"
-+                 type="boolean"
-+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-+<description>
-+	<para>This option controls whether DCERPC services are allowed to
-+	be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
-+	but no per message integrity nor privacy protection.</para>
-+
-+	<para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
-+	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
-+
-+	<para>This option yields precedence to the implentation specific restrictions.
-+	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
-+	While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
-+	</para>
-+
-+	<para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
-+</description>
-+
-+<value type="default">yes</value>
-+<value type="example">no</value>
-+
-+</samba:parameter>
--- 
-2.8.1
-
-
-From 9a0e8182314c631681f2dd47da5d790168066279 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 18 Mar 2016 08:45:11 +0100
-Subject: [PATCH 04/10] CVE-2016-2118: param: add "allow dcerpc auth level
- connect" defaulting to "yes"
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(backported from commit 6e3ada2c36f527077d77a8278bd41bbc030f48cd)
-
-(cherry picked from commit 74172d061597c96f0e733c11daee6cb15f3277dc)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
----
- source3/include/proto.h  |  1 +
- source3/param/loadparm.c | 13 +++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index ac1540f..2ed6547 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
- void lp_set_passdb_backend(const char *backend);
- void widelinks_warning(int snum);
- char *lp_ncalrpc_dir(void);
-+bool lp_allow_dcerpc_auth_level_connect(void);
- 
- /* The following definitions come from param/loadparm_server_role.c  */
- 
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index fdc9407..87d33c5 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -355,6 +355,7 @@ struct global {
- 	bool bUseMmap;
- 	bool bHostnameLookups;
- 	bool bUnixExtensions;
-+	bool bAllowDcerpcAuthLevelConnect;
- 	bool bDisableNetbios;
- 	char * szDedicatedKeytabFile;
- 	int  iKerberosMethod;
-@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] = {
- 		.flags		= FLAG_ADVANCED,
- 	},
- 	{
-+		.label		= "allow dcerpc auth level connect",
-+		.type		= P_BOOL,
-+		.p_class	= P_GLOBAL,
-+		.ptr		= &Globals.bAllowDcerpcAuthLevelConnect,
-+		.special	= NULL,
-+		.enum_list	= NULL,
-+		.flags		= FLAG_ADVANCED,
-+	},
-+	{
- 		.label		= "use spnego",
- 		.type		= P_BOOL,
- 		.p_class	= P_GLOBAL,
-@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
- 
-+	Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
-+
- 	Globals.map_to_guest = 0;	/* By Default, "Never" */
- 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
- 	Globals.enhanced_browsing = true;
-@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_time, &Globals.iUsernameMapCacheTime)
- 
- FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
- 
-+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
- FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
- FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
- FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
--- 
-2.8.1
-
-
-From 82a245ff842ea33c050a8fbe415a531497232d3d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 18 Mar 2016 04:40:30 +0100
-Subject: [PATCH 05/10] CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc
- auth level connect"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
-this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
-
-We sadly need to keep this enabled by default for now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Pair-Programmed-With: Günther Deschner <gd@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 1fa0bad3da921fca1d34971062522b4cc3e6db2c)
-(cherry picked from commit 46744bbe5e3616613b2dbee7cf6fdf0d8d5caab3)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
----
- source3/include/ntdomain.h    |  4 ++++
- source3/rpc_server/srv_pipe.c | 49 ++++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 52 insertions(+), 1 deletion(-)
-
-diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
-index 2fbeabc..650f1d0 100644
---- a/source3/include/ntdomain.h
-+++ b/source3/include/ntdomain.h
-@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
- 	uint32 context_id;
- 	struct ndr_syntax_id syntax;
- 
-+	/*
-+	 * shall we allow "connect" auth level for this interface ?
-+	 */
-+	bool allow_connect;
- } PIPE_RPC_FNS;
- 
- /*
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index d659705..c462dcf 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -335,6 +335,7 @@ static bool check_bind_req(struct pipes_struct *p,
- 			   uint32 context_id)
- {
- 	struct pipe_rpc_fns *context_fns;
-+	const char *interface_name = NULL;
- 
- 	DEBUG(3,("check_bind_req for %s\n",
- 		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
-@@ -355,12 +356,29 @@ static bool check_bind_req(struct pipes_struct *p,
- 		return False;
- 	}
- 
-+	interface_name = get_pipe_name_from_syntax(talloc_tos(),
-+						   abstract);
-+
-+	SMB_ASSERT(interface_name != NULL);
-+
- 	context_fns->next = context_fns->prev = NULL;
- 	context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
- 	context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
- 	context_fns->context_id = context_id;
- 	context_fns->syntax = *abstract;
- 
-+	context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
-+	/*
-+	 * every interface can be modified to allow "connect" auth_level by
-+	 * using a parametric option like:
-+	 * allow dcerpc auth level connect:<interface>
-+	 * e.g.
-+	 * allow dcerpc auth level connect:samr = yes
-+	 */
-+	context_fns->allow_connect = lp_parm_bool(-1,
-+		"allow dcerpc auth level connect",
-+		interface_name, context_fns->allow_connect);
-+
- 	/* add to the list of open contexts */
- 
- 	DLIST_ADD( p->contexts, context_fns );
-@@ -1592,6 +1610,7 @@ static bool api_pipe_request(struct pipes_struct *p,
- 	TALLOC_CTX *frame = talloc_stackframe();
- 	bool ret = False;
- 	PIPE_RPC_FNS *pipe_fns;
-+	const char *interface_name = NULL;
- 
- 	if (!p->pipe_bound) {
- 		DEBUG(1, ("Pipe not bound!\n"));
-@@ -1613,8 +1632,36 @@ static bool api_pipe_request(struct pipes_struct *p,
- 		return false;
- 	}
- 
-+	interface_name = get_pipe_name_from_syntax(talloc_tos(),
-+						   &pipe_fns->syntax);
-+
-+	SMB_ASSERT(interface_name != NULL);
-+
- 	DEBUG(5, ("Requested \\PIPE\\%s\n",
--		  get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
-+		  interface_name));
-+
-+	switch (p->auth.auth_level) {
-+	case DCERPC_AUTH_LEVEL_NONE:
-+	case DCERPC_AUTH_LEVEL_INTEGRITY:
-+	case DCERPC_AUTH_LEVEL_PRIVACY:
-+		break;
-+	default:
-+		if (!pipe_fns->allow_connect) {
-+			DEBUG(1, ("%s: restrict auth_level_connect access "
-+				  "to [%s] with auth[type=0x%x,level=0x%x] "
-+				  "on [%s] from [%s]\n",
-+				  __func__, interface_name,
-+				  p->auth.auth_type,
-+				  p->auth.auth_level,
-+				  derpc_transport_string_by_transport(p->transport),
-+				  p->client_id->name));
-+
-+			setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
-+			TALLOC_FREE(frame);
-+			return true;
-+		}
-+		break;
-+	}
- 
- 	if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
- 		DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
--- 
-2.8.1
-
-
-From b68b204307e0b24bc2879ea667a706e11925166d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 7 Aug 2015 09:50:30 +0200
-Subject: [PATCH 06/10] CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}:
- reject DCERPC_AUTH_LEVEL_CONNECT by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This prevents man in the middle downgrade attacks.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Pair-Programmed-With: Günther Deschner <gd@samba.org>
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 51dd08951eb4ab9d297678f96cde61f508937721)
-Signed-off-by: Aurelien Aptel <aaptel@suse.com>
-
-Conflicts:
-	selftest/knownfail
-	source3/rpc_server/srv_pipe.c
-
-selftest/knownfail is ignored in 3.6
----
- source3/rpc_server/srv_pipe.c | 20 ++++++++++++++++++++
- source3/selftest/knownfail    |  1 +
- source3/selftest/tests.py     |  2 ++
- 3 files changed, 23 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index c462dcf..3086b9e 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -43,6 +43,9 @@
- #include "ntdomain.h"
- #include "rpc_server/srv_pipe.h"
- #include "../librpc/ndr/ndr_dcerpc.h"
-+#include "../librpc/gen_ndr/ndr_samr.h"
-+#include "../librpc/gen_ndr/ndr_lsa.h"
-+#include "../librpc/gen_ndr/ndr_netlogon.h"
- 
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -336,6 +339,7 @@ static bool check_bind_req(struct pipes_struct *p,
- {
- 	struct pipe_rpc_fns *context_fns;
- 	const char *interface_name = NULL;
-+	bool ok;
- 
- 	DEBUG(3,("check_bind_req for %s\n",
- 		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
-@@ -369,6 +373,22 @@ static bool check_bind_req(struct pipes_struct *p,
- 
- 	context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
- 	/*
-+	 * for the samr and the lsarpc interfaces we don't allow "connect"
-+	 * auth_level by default.
-+	 */
-+	ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
-+	if (ok) {
-+		context_fns->allow_connect = false;
-+	}
-+	ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
-+	if (ok) {
-+		context_fns->allow_connect = false;
-+	}
-+	ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
-+	if (ok) {
-+		context_fns->allow_connect = false;
-+	}
-+	/*
- 	 * every interface can be modified to allow "connect" auth_level by
- 	 * using a parametric option like:
- 	 * allow dcerpc auth level connect:<interface>
-diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
-index bda1fe0..8717a4d 100644
---- a/source3/selftest/knownfail
-+++ b/source3/selftest/knownfail
-@@ -18,3 +18,4 @@ samba3.posix_s3.nbt.dgram.*netlogon2
- samba3.*rap.sam.*.useradd # Not provided by Samba 3
- samba3.*rap.sam.*.userdelete # Not provided by Samba 3
- samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
-+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index a733f14..8dfbf1e 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -201,6 +201,8 @@ if sub.returncode == 0:
-             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
-         elif t == "raw.samba3posixtimedlock":
-             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
-+        elif t == "rpc.samr.passwords.validate":
-+            plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
-         else:
-             plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
- 
--- 
-2.8.1
-
-
-From 720b9f861322c5fe804c53eb74e7d2d6a4d8b876 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 5 Apr 2016 09:54:38 +0200
-Subject: [PATCH 07/10] CVE-2016-2118: s3:selftest: The lsa tests which use
- connect need to fail
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/selftest/knownfail | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/selftest/knownfail b/source3/selftest/knownfail
-index 8717a4d..7d9275e 100644
---- a/source3/selftest/knownfail
-+++ b/source3/selftest/knownfail
-@@ -19,3 +19,4 @@ samba3.*rap.sam.*.useradd # Not provided by Samba 3
- samba3.*rap.sam.*.userdelete # Not provided by Samba 3
- samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
- samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
-+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
--- 
-2.8.1
-
-
-From 9b2b563a1f8247f5ec7efde52d70efc666e30f56 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 26 Mar 2016 08:47:42 +0100
-Subject: [PATCH 08/10] CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow
- DCERPC_AUTH_LEVEL_CONNECT by default
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(cherry picked from commit 98f1a85f23d3d2a4f1c665746588688574261d90)
----
- source3/rpc_server/srv_pipe.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 3086b9e..964b843 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -46,6 +46,8 @@
- #include "../librpc/gen_ndr/ndr_samr.h"
- #include "../librpc/gen_ndr/ndr_lsa.h"
- #include "../librpc/gen_ndr/ndr_netlogon.h"
-+#include "../librpc/gen_ndr/ndr_epmapper.h"
-+#include "../librpc/gen_ndr/ndr_echo.h"
- 
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_RPC_SRV
-@@ -389,6 +391,18 @@ static bool check_bind_req(struct pipes_struct *p,
- 		context_fns->allow_connect = false;
- 	}
- 	/*
-+	 * for the epmapper and echo interfaces we allow "connect"
-+	 * auth_level by default.
-+	 */
-+	ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
-+	if (ok) {
-+		context_fns->allow_connect = true;
-+	}
-+	ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
-+	if (ok) {
-+		context_fns->allow_connect = true;
-+	}
-+	/*
- 	 * every interface can be modified to allow "connect" auth_level by
- 	 * using a parametric option like:
- 	 * allow dcerpc auth level connect:<interface>
--- 
-2.8.1
-
-
-From 21453f6887569b162be44faaf43e1b9a81423210 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 10 Mar 2016 17:03:59 +0100
-Subject: [PATCH 09/10] CVE-2016-2118: docs-xml/param: default "allow dcerpc
- auth level connect" to "no"
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-(backported from commit 6469e21af32a2a405dd4f43e7d96a2f87c4a9902)
-
-Conflicts:
-	lib/param/loadparm.c
-	source3/param/loadparm.c
----
- docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 6 ++----
- source3/param/loadparm.c                                     | 2 +-
- 2 files changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-index 5552112..c8e9d18 100644
---- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
-@@ -14,11 +14,9 @@
- 	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
- 	While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
- 	</para>
--
--	<para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
- </description>
- 
--<value type="default">yes</value>
--<value type="example">no</value>
-+<value type="default">no</value>
-+<value type="example">yes</value>
- 
- </samba:parameter>
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 87d33c5..a514727 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -5381,7 +5381,7 @@ static void init_globals(bool reinit_globals)
- 	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
- 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
- 
--	Globals.bAllowDcerpcAuthLevelConnect = true; /* we need to allow this for now by default */
-+	Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
- 
- 	Globals.map_to_guest = 0;	/* By Default, "Never" */
- 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
--- 
-2.8.1
-
-
-From a5aebec4ff2f1d3b824dfcc05091da712639220d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sun, 28 Feb 2016 22:48:11 +0100
-Subject: [PATCH 10/10] CVE-2016-2118: s3:rpc_server/samr: allow
- _samr_ValidatePassword only with PRIVACY...
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This requires transport encryption.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit d7c2f1e12544ee0f80438dcc1586e2d30c23b54a)
----
- source3/rpc_server/samr/srv_samr_nt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
-index 0984984..37e2e4f 100644
---- a/source3/rpc_server/samr/srv_samr_nt.c
-+++ b/source3/rpc_server/samr/srv_samr_nt.c
-@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct pipes_struct *p,
- 	struct samr_GetDomPwInfo pw;
- 	struct samr_PwInfo dom_pw_info;
- 
-+	if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
-+		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+
- 	if (r->in.level < 1 || r->in.level > 3) {
- 		return NT_STATUS_INVALID_INFO_CLASS;
- 	}
--- 
-2.8.1
-
diff --git a/src/patches/samba/CVE-2016-2125-v3.6.patch b/src/patches/samba/CVE-2016-2125-v3.6.patch
deleted file mode 100644
index f67b5d08f..000000000
--- a/src/patches/samba/CVE-2016-2125-v3.6.patch
+++ /dev/null
@@ -1,46 +0,0 @@ 
-From 7cc3b25f4bf9e89e326d04b83bc7365f3cc29265 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Dec 2016 10:58:35 +0100
-Subject: [PATCH] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
-
-We should only use GSS_C_DELEG_POLICY_FLAG in order to let
-the KDC decide if we should send delegated credentials to
-a remote server.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Backported-by: Andreas Schneider <asn@samba.org>
----
- source3/librpc/crypto/gse.c | 1 -
- source3/libsmb/clifsinfo.c  | 2 +-
- 2 files changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 02fb0f6141d..211ca7774be 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
- 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
- 
- 	gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
--				GSS_C_DELEG_FLAG |
- 				GSS_C_DELEG_POLICY_FLAG |
- 				GSS_C_REPLAY_FLAG |
- 				GSS_C_SEQUENCE_FLAG;
-diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
-index 1d66eb4c6b8..34ebc208db0 100644
---- a/source3/libsmb/clifsinfo.c
-+++ b/source3/libsmb/clifsinfo.c
-@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
- 				&es->s.gss_state->gss_ctx,
- 				srv_name,
- 				GSS_C_NO_OID, /* default OID. */
--				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
-+				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
- 				GSS_C_INDEFINITE,	/* requested ticket lifetime. */
- 				NULL,   /* no channel bindings */
- 				p_tok_in,
--- 
-2.11.0
-
diff --git a/src/patches/samba/CVE-2016-2126-v3.6.patch b/src/patches/samba/CVE-2016-2126-v3.6.patch
deleted file mode 100644
index 8de651e8c..000000000
--- a/src/patches/samba/CVE-2016-2126-v3.6.patch
+++ /dev/null
@@ -1,80 +0,0 @@ 
-From 4e47b5d703c54215804d595980be028f47a87cbf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Dec 2016 11:18:59 +0100
-Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
- in check_pac_checksum()
-
-AES based checksums can only be checked with the corresponding AES based
-keytype.
-
-Otherwise we may trigger an undefined code path deep in the kerberos
-libraries, which can leed to segmentation faults.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Backported-by: Andreas Schneider <asn@samba.org>
----
- source3/include/smb_krb5.h | 12 ++++++++++++
- source3/libads/authdata.c  | 22 ++++++++++++++++++++++
- 2 files changed, 34 insertions(+)
-
-diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
-index 5a55d3040d5..2780622f512 100644
---- a/source3/include/smb_krb5.h
-+++ b/source3/include/smb_krb5.h
-@@ -61,6 +61,18 @@
- #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
- #endif
- 
-+#if !defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && defined(CKSUMTYPE_HMAC_MD5)
-+#define CKSUMTYPE_HMAC_MD5_ARCFOUR CKSUMTYPE_HMAC_MD5
-+#endif
-+
-+#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES256 CKSUMTYPE_HMAC_SHA1_96_AES_256
-+#endif
-+
-+#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES128 CKSUMTYPE_HMAC_SHA1_96_AES_128
-+#endif
-+
- /* The older versions of heimdal that don't have this
-    define don't seem to use it anyway.  I'm told they
-    always use a subkey */
-diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
-index 0d877ddef89..30622843f1d 100644
---- a/source3/libads/authdata.c
-+++ b/source3/libads/authdata.c
-@@ -42,6 +42,28 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
- 	krb5_checksum cksum;
- 	krb5_keyusage usage = 0;
- 
-+	switch (sig->type) {
-+	case CKSUMTYPE_HMAC_MD5_ARCFOUR:
-+		/* ignores the key type */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES256:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	case CKSUMTYPE_HMAC_SHA1_96_AES128:
-+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
-+			return EINVAL;
-+		}
-+		/* ok */
-+		break;
-+	default:
-+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
-+			(int)sig->type));
-+		return EINVAL;
-+	}
-+
- 	smb_krb5_checksum_from_pac_sig(&cksum, sig);
- 
- #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
--- 
-2.11.0
-
diff --git a/src/patches/samba/CVE-2017-12150-v3-6.patch b/src/patches/samba/CVE-2017-12150-v3-6.patch
deleted file mode 100644
index b221a840c..000000000
--- a/src/patches/samba/CVE-2017-12150-v3-6.patch
+++ /dev/null
@@ -1,102 +0,0 @@ 
-From d3198caa7a8910a9ce1eb4104d5b410ef29ac2bb Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 3 Nov 2016 17:16:43 +0100
-Subject: [PATCH 1/3] CVE-2017-12150: s3:lib:
- get_cmdline_auth_info_signing_state use Required for smb_encrypt
-
-This is an addition to the fixes for CVE-2015-5296.
-
-It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Backported-by: Andreas Schneider <asn@samba.org>
----
- source3/lib/util_cmdline.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
-index cb0b79a5d30..3178c848b63 100644
---- a/source3/lib/util_cmdline.c
-+++ b/source3/lib/util_cmdline.c
-@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
- 
- int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
- {
-+	if (auth_info->smb_encrypt) {
-+		return Required;
-+	}
- 	return auth_info->signing_state;
- }
- 
--- 
-2.14.1
-
-
-From bb762a74c81159633f904f8fb67b49bab74a0b9c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Dec 2016 05:49:46 +0100
-Subject: [PATCH 2/3] CVE-2017-12150: libgpo: make use of Required for SMB
- signing in gpo_connect_server()
-
-It's important that we use a signed connection to get the GPOs!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Backported-by: Andreas Schneider <asn@samba.org>
----
- libgpo/gpo_fetch.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
-index 3cfe1d5b942..af012e01336 100644
---- a/libgpo/gpo_fetch.c
-+++ b/libgpo/gpo_fetch.c
-@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, struct loadparm_context *lp_
- 			ads->auth.password,
- 			CLI_FULL_CONNECTION_USE_KERBEROS |
- 			CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
--			Undefined);
-+			Required);
- 	if (!NT_STATUS_IS_OK(result)) {
- 		DEBUG(10,("check_refresh_gpo: "
- 				"failed to connect: %s\n",
--- 
-2.14.1
-
-
-From 070b0fb9ebb57cdbc2b82e335de021fb46bc543c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Mon, 12 Dec 2016 06:07:56 +0100
-Subject: [PATCH 3/3] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
- authentication was not requested
-
-With forced encryption or required signing we should also don't fallback.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Backported-by: Andreas Schneider <asn@samba.org>
----
- source3/libsmb/clidfs.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
-index 23e147120f1..120a2c999ce 100644
---- a/source3/libsmb/clidfs.c
-+++ b/source3/libsmb/clidfs.c
-@@ -197,7 +197,9 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
- 		/* If a password was not supplied then
- 		 * try again with a null username. */
- 		if (password[0] || !username[0] ||
-+			force_encrypt || client_is_signing_mandatory(c) ||
- 			get_cmdline_auth_info_use_kerberos(auth_info) ||
-+			get_cmdline_auth_info_use_ccache(auth_info) ||
- 			!NT_STATUS_IS_OK(cli_session_setup(c, "",
- 				    		"", 0,
- 						"", 0,
--- 
-2.14.1
-
diff --git a/src/patches/samba/CVE-2017-12163.patch b/src/patches/samba/CVE-2017-12163.patch
deleted file mode 100644
index 93fe2cec2..000000000
--- a/src/patches/samba/CVE-2017-12163.patch
+++ /dev/null
@@ -1,141 +0,0 @@ 
-From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 8 Sep 2017 10:13:14 -0700
-Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
- writing server memory to file.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 1583c2358bb..9625670d653 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
- 	}
- 
- 	/* Ensure we don't write bytes past the end of this packet. */
-+	/*
-+	 * This already protects us against CVE-2017-12163.
-+	 */
- 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
- 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- 		error_to_writebrawerr(req);
-@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
- 			exit_server_cleanly("secondary writebraw failed");
- 		}
- 
-+		/*
-+		 * We are not vulnerable to CVE-2017-12163
-+		 * here as we are guarenteed to have numtowrite
-+		 * bytes available - we just read from the client.
-+		 */
- 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
- 		if (nwritten == -1) {
- 			TALLOC_FREE(buf);
-@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
- 	connection_struct *conn = req->conn;
- 	ssize_t nwritten = -1;
- 	size_t numtowrite;
-+	size_t remaining;
- 	SMB_OFF_T startpos;
- 	const char *data;
- 	NTSTATUS status = NT_STATUS_OK;
-@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
- 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- 	data = (const char *)req->buf + 3;
- 
-+	/*
-+	 * Ensure client isn't asking us to write more than
-+	 * they sent. CVE-2017-12163.
-+	 */
-+	remaining = smbreq_bufrem(req, data);
-+	if (numtowrite > remaining) {
-+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		END_PROFILE(SMBwriteunlock);
-+		return;
-+	}
-+
- 	if (!fsp->print_file && numtowrite > 0) {
- 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
- {
- 	connection_struct *conn = req->conn;
- 	size_t numtowrite;
-+	size_t remaining;
- 	ssize_t nwritten = -1;
- 	SMB_OFF_T startpos;
- 	const char *data;
-@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
- 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
- 	data = (const char *)req->buf + 3;
- 
-+	/*
-+	 * Ensure client isn't asking us to write more than
-+	 * they sent. CVE-2017-12163.
-+	 */
-+	remaining = smbreq_bufrem(req, data);
-+	if (numtowrite > remaining) {
-+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		END_PROFILE(SMBwrite);
-+		return;
-+	}
-+
- 	if (!fsp->print_file) {
- 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
- 			return;
- 		}
- 	} else {
-+		/*
-+		 * This already protects us against CVE-2017-12163.
-+		 */
- 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
- 				smb_doff + numtowrite > smblen) {
- 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
- {
- 	connection_struct *conn = req->conn;
- 	size_t numtowrite;
-+	size_t remaining;
- 	ssize_t nwritten = -1;
- 	NTSTATUS close_status = NT_STATUS_OK;
- 	SMB_OFF_T startpos;
-@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
- 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
- 	data = (const char *)req->buf + 1;
- 
-+	/*
-+	 * Ensure client isn't asking us to write more than
-+	 * they sent. CVE-2017-12163.
-+	 */
-+	remaining = smbreq_bufrem(req, data);
-+	if (numtowrite > remaining) {
-+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+		END_PROFILE(SMBwriteclose);
-+		return;
-+	}
-+
- 	if (!fsp->print_file) {
- 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
- 
- 	numtowrite = SVAL(req->buf, 1);
- 
-+	/*
-+	 * This already protects us against CVE-2017-12163.
-+	 */
- 	if (req->buflen < numtowrite + 3) {
- 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- 		END_PROFILE(SMBsplwr);
--- 
-2.13.5
-
diff --git a/src/patches/samba/CVE-2017-15275.patch b/src/patches/samba/CVE-2017-15275.patch
deleted file mode 100644
index 758672e02..000000000
--- a/src/patches/samba/CVE-2017-15275.patch
+++ /dev/null
@@ -1,45 +0,0 @@ 
-From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 20 Sep 2017 11:04:50 -0700
-Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
- talloc buffer is grown.
-
-Ensure we zero out unused grown area.
-
-CVE-2017-15275
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/srvstr.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
-index 56dceba8c6c..c2d70b32c32 100644
---- a/source3/smbd/srvstr.c
-+++ b/source3/smbd/srvstr.c
-@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
- 		DEBUG(0, ("srvstr_push failed\n"));
- 		return -1;
- 	}
-+
-+	/*
-+	 * Ensure we clear out the extra data we have
-+	 * grown the buffer by, but not written to.
-+	 */
-+	if (buf_size + result < buf_size) {
-+		return -1;
-+	}
-+	if (grow_size < result) {
-+		return -1;
-+	}
-+
-+	memset(tmp + buf_size + result, '\0', grow_size - result);
-+
- 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
- 
- 	*outbuf = tmp;
--- 
-2.11.0
-
diff --git a/src/patches/samba/CVE-2017-2619.patch b/src/patches/samba/CVE-2017-2619.patch
deleted file mode 100644
index 149e085fe..000000000
--- a/src/patches/samba/CVE-2017-2619.patch
+++ /dev/null
@@ -1,1328 +0,0 @@ 
-From a398754c9bb1639f762979765de6c540c714b5cb Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 20 Mar 2017 11:32:19 -0700
-Subject: [PATCH 01/15] CVE-2017-2619: s3/smbd: re-open directory after
- dptr_CloseDir()
-
-dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
-have to reopen it.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Ralph Bohme <slow@samba.org>
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/open.c      |  2 +-
- source3/smbd/proto.h     |  2 ++
- source3/smbd/smb2_find.c | 17 +++++++++++++++++
- 3 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 441b8cd4362..35eee0a1485 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -197,7 +197,7 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
-  fd support routines - attempt to do a dos_open.
- ****************************************************************************/
- 
--static NTSTATUS fd_open(struct connection_struct *conn,
-+NTSTATUS fd_open(struct connection_struct *conn,
- 		    files_struct *fsp,
- 		    int flags,
- 		    mode_t mode)
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index f5fad2bbb50..594edfa1e98 100644
---- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -603,6 +603,8 @@ NTSTATUS smb1_file_se_access_check(connection_struct *conn,
- 				const struct security_token *token,
- 				uint32_t access_desired,
- 				uint32_t *access_granted);
-+NTSTATUS fd_open(struct connection_struct *conn, files_struct *fsp,
-+		int flags, mode_t mode);
- NTSTATUS fd_close(files_struct *fsp);
- void change_file_owner_to_parent(connection_struct *conn,
- 				 const char *inherit_from_dir,
-diff --git a/source3/smbd/smb2_find.c b/source3/smbd/smb2_find.c
-index 6fe6545c128..9dd3176497b 100644
---- a/source3/smbd/smb2_find.c
-+++ b/source3/smbd/smb2_find.c
-@@ -24,6 +24,7 @@
- #include "../libcli/smb/smb_common.h"
- #include "trans2.h"
- #include "../lib/util/tevent_ntstatus.h"
-+#include "system/filesys.h"
- 
- static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
- 					      struct tevent_context *ev,
-@@ -301,7 +302,23 @@ static struct tevent_req *smbd_smb2_find_send(TALLOC_CTX *mem_ctx,
- 	}
- 
- 	if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
-+		int flags;
-+
- 		dptr_CloseDir(fsp);
-+
-+		/*
-+		 * dptr_CloseDir() will close and invalidate the fsp's file
-+		 * descriptor, we have to reopen it.
-+		 */
-+
-+		flags = O_RDONLY;
-+#ifdef O_DIRECTORY
-+		flags |= O_DIRECTORY;
-+#endif
-+		status = fd_open(conn, fsp, flags, 0);
-+		if (tevent_req_nterror(req, status)) {
-+			return tevent_req_post(req, ev);
-+		}
- 	}
- 
- 	wcard_has_wild = ms_has_wild(in_file_name);
--- 
-2.13.5
-
-
-From a35fa98b99aa60132eb2c083d6393c28905e2045 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 28 Feb 2017 09:24:07 -0800
-Subject: [PATCH 02/15] s3: vfs: dirsort doesn't handle opendir of "."
- correctly.
-
-Needs to store $cwd path for correct sorting.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12499
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/modules/vfs_dirsort.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/modules/vfs_dirsort.c b/source3/modules/vfs_dirsort.c
-index 66582e67890..dbcf0b16ed3 100644
---- a/source3/modules/vfs_dirsort.c
-+++ b/source3/modules/vfs_dirsort.c
-@@ -153,6 +153,10 @@ static SMB_STRUCT_DIR *dirsort_opendir(vfs_handle_struct *handle,
- 		return NULL;
- 	}
- 
-+	if (ISDOT(data->smb_fname->base_name)) {
-+		data->smb_fname->base_name = vfs_GetWd(data, handle->conn);
-+	}
-+
- 	/* Open the underlying directory and count the number of entries */
- 	data->source_directory = SMB_VFS_NEXT_OPENDIR(handle, fname, mask,
- 						      attr);
--- 
-2.13.5
-
-
-From 23d2849d724a0f5bdf51dc7d7db438ed9fb4c2a9 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 13 Mar 2017 13:44:42 -0700
-Subject: [PATCH 03/15] s3: VFS: vfs_streams_xattr.c: Make streams_xattr_open()
- store the same path as streams_xattr_recheck().
-
-If the open is changing directories, fsp->fsp_name->base_name
-will be the full path from the share root, whilst
-smb_fname will be relative to the $cwd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12546
-
-Back-ported from a24ba3e4083200ec9885363efc5769f43183fb6b
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/modules/vfs_streams_xattr.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
-index 731c813f4d7..be46f8dc1e6 100644
---- a/source3/modules/vfs_streams_xattr.c
-+++ b/source3/modules/vfs_streams_xattr.c
-@@ -511,8 +511,15 @@ static int streams_xattr_open(vfs_handle_struct *handle,
- 
-         sio->xattr_name = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
- 					xattr_name);
-+	/*
-+	 * sio->base needs to be a copy of fsp->fsp_name->base_name,
-+	 * making it identical to streams_xattr_recheck(). If the
-+	 * open is changing directories, fsp->fsp_name->base_name
-+	 * will be the full path from the share root, whilst
-+	 * smb_fname will be relative to the $cwd.
-+	 */
-         sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp),
--				  smb_fname->base_name);
-+				  fsp->fsp_name->base_name);
- 	sio->fsp_name_ptr = fsp->fsp_name;
- 	sio->handle = handle;
- 	sio->fsp = fsp;
--- 
-2.13.5
-
-
-From 91935aaf77c70e3e2436af1d6e4a538d29fd4276 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 13 Mar 2017 13:54:04 -0700
-Subject: [PATCH 04/15] vfs_streams_xattr: use fsp, not base_fsp
-
-The base_fsp's fd is always -1 as it's closed after being openend in
-create_file_unixpath().
-
-Additionally in streams_xattr_open force using of SMB_VFS_FSETXATTR() by
-sticking the just created fd into the fsp (and removing it afterwards).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12591
-
-Back-ported from 021189e32ba507832b5e821e5cda8a2889225955.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/modules/vfs_streams_xattr.c | 205 +++++++++++++++++-------------------
- 1 file changed, 99 insertions(+), 106 deletions(-)
-
-diff --git a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
-index be46f8dc1e6..a4ab84bba71 100644
---- a/source3/modules/vfs_streams_xattr.c
-+++ b/source3/modules/vfs_streams_xattr.c
-@@ -229,7 +229,7 @@ static int streams_xattr_fstat(vfs_handle_struct *handle, files_struct *fsp,
- 		return -1;
- 	}
- 
--	sbuf->st_ex_size = get_xattr_size(handle->conn, fsp->base_fsp,
-+	sbuf->st_ex_size = get_xattr_size(handle->conn, fsp,
- 					io->base, io->xattr_name);
- 	if (sbuf->st_ex_size == -1) {
- 		return -1;
-@@ -364,6 +364,7 @@ static int streams_xattr_open(vfs_handle_struct *handle,
- 	char *xattr_name = NULL;
- 	int baseflags;
- 	int hostfd = -1;
-+	int ret;
- 
- 	DEBUG(10, ("streams_xattr_open called for %s\n",
- 		   smb_fname_str_dbg(smb_fname)));
-@@ -375,133 +376,125 @@ static int streams_xattr_open(vfs_handle_struct *handle,
- 	/* If the default stream is requested, just open the base file. */
- 	if (is_ntfs_default_stream_smb_fname(smb_fname)) {
- 		char *tmp_stream_name;
--		int ret;
- 
- 		tmp_stream_name = smb_fname->stream_name;
- 		smb_fname->stream_name = NULL;
- 
- 		ret = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode);
- 
--		smb_fname->stream_name = tmp_stream_name;
--
--		return ret;
--	}
-+			smb_fname->stream_name = tmp_stream_name;
- 
--	status = streams_xattr_get_name(talloc_tos(), smb_fname->stream_name,
--					&xattr_name);
--	if (!NT_STATUS_IS_OK(status)) {
--		errno = map_errno_from_nt_status(status);
--		goto fail;
--	}
-+			return ret;
-+		}
- 
--	/* Create an smb_filename with stream_name == NULL. */
--	status = create_synthetic_smb_fname(talloc_tos(),
--					    smb_fname->base_name,
--					    NULL, NULL,
--					    &smb_fname_base);
--	if (!NT_STATUS_IS_OK(status)) {
--		errno = map_errno_from_nt_status(status);
--		goto fail;
--	}
-+		status = streams_xattr_get_name(talloc_tos(), smb_fname->stream_name,
-+						&xattr_name);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			errno = map_errno_from_nt_status(status);
-+			goto fail;
-+		}
- 
--	/*
--	 * We use baseflags to turn off nasty side-effects when opening the
--	 * underlying file.
--         */
--        baseflags = flags;
--        baseflags &= ~O_TRUNC;
--        baseflags &= ~O_EXCL;
--        baseflags &= ~O_CREAT;
-+		/* Create an smb_filename with stream_name == NULL. */
-+		status = create_synthetic_smb_fname(talloc_tos(),
-+						    smb_fname->base_name,
-+						    NULL, NULL,
-+						    &smb_fname_base);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			errno = map_errno_from_nt_status(status);
-+			goto fail;
-+		}
- 
--        hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp,
--			      baseflags, mode);
-+		/*
-+		 * We use baseflags to turn off nasty side-effects when opening the
-+		 * underlying file.
-+		 */
-+		baseflags = flags;
-+		baseflags &= ~O_TRUNC;
-+		baseflags &= ~O_EXCL;
-+		baseflags &= ~O_CREAT;
- 
--	TALLOC_FREE(smb_fname_base);
-+		hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp,
-+				      baseflags, mode);
- 
--        /* It is legit to open a stream on a directory, but the base
--         * fd has to be read-only.
--         */
--        if ((hostfd == -1) && (errno == EISDIR)) {
--                baseflags &= ~O_ACCMODE;
--                baseflags |= O_RDONLY;
--                hostfd = SMB_VFS_OPEN(handle->conn, smb_fname, fsp, baseflags,
--				      mode);
--        }
-+		TALLOC_FREE(smb_fname_base);
- 
--        if (hostfd == -1) {
--		goto fail;
--        }
-+		/* It is legit to open a stream on a directory, but the base
-+		 * fd has to be read-only.
-+		 */
-+		if ((hostfd == -1) && (errno == EISDIR)) {
-+			baseflags &= ~O_ACCMODE;
-+			baseflags |= O_RDONLY;
-+			hostfd = SMB_VFS_OPEN(handle->conn, smb_fname, fsp, baseflags,
-+					      mode);
-+		}
- 
--	status = get_ea_value(talloc_tos(), handle->conn, NULL,
--			      smb_fname->base_name, xattr_name, &ea);
-+		if (hostfd == -1) {
-+			goto fail;
-+		}
- 
--	DEBUG(10, ("get_ea_value returned %s\n", nt_errstr(status)));
-+		status = get_ea_value(talloc_tos(), handle->conn, NULL,
-+				      smb_fname->base_name, xattr_name, &ea);
- 
--	if (!NT_STATUS_IS_OK(status)
--	    && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
--		/*
--		 * The base file is not there. This is an error even if we got
--		 * O_CREAT, the higher levels should have created the base
--		 * file for us.
--		 */
--		DEBUG(10, ("streams_xattr_open: base file %s not around, "
--			   "returning ENOENT\n", smb_fname->base_name));
--		errno = ENOENT;
--		goto fail;
--	}
-+		DEBUG(10, ("get_ea_value returned %s\n", nt_errstr(status)));
- 
--	if (!NT_STATUS_IS_OK(status)) {
--		/*
--		 * The attribute does not exist
--		 */
-+		if (!NT_STATUS_IS_OK(status)
-+		    && !NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-+			/*
-+			 * The base file is not there. This is an error even if we got
-+			 * O_CREAT, the higher levels should have created the base
-+			 * file for us.
-+			 */
-+			DEBUG(10, ("streams_xattr_open: base file %s not around, "
-+				   "returning ENOENT\n", smb_fname->base_name));
-+			errno = ENOENT;
-+			goto fail;
-+		}
- 
--                if (flags & O_CREAT) {
-+		if (!NT_STATUS_IS_OK(status)) {
- 			/*
--			 * Darn, xattrs need at least 1 byte
-+			 * The attribute does not exist
- 			 */
--                        char null = '\0';
- 
--			DEBUG(10, ("creating attribute %s on file %s\n",
--				   xattr_name, smb_fname->base_name));
-+			if (flags & O_CREAT) {
-+				/*
-+				 * Darn, xattrs need at least 1 byte
-+				 */
-+				char null = '\0';
-+
-+				DEBUG(10, ("creating attribute %s on file %s\n",
-+					   xattr_name, smb_fname->base_name));
-+
-+				fsp->fh->fd = hostfd;
-+				ret = SMB_VFS_FSETXATTR(fsp, xattr_name,
-+						&null, sizeof(null),
-+						flags & O_EXCL ? XATTR_CREATE : 0);
-+				fsp->fh->fd = -1;
-+				if (ret != 0) {
-+					goto fail;
-+				}
-+			}
-+		}
- 
-+		if (flags & O_TRUNC) {
-+			char null = '\0';
- 			if (fsp->base_fsp->fh->fd != -1) {
--                        	if (SMB_VFS_FSETXATTR(
--					fsp->base_fsp, xattr_name,
--					&null, sizeof(null),
--					flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
-+				if (SMB_VFS_FSETXATTR(
-+						fsp->base_fsp, xattr_name,
-+						&null, sizeof(null),
-+						flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
- 					goto fail;
- 				}
- 			} else {
--	                        if (SMB_VFS_SETXATTR(
--					handle->conn, smb_fname->base_name,
--					xattr_name, &null, sizeof(null),
--					flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
-+				if (SMB_VFS_SETXATTR(
-+						handle->conn, smb_fname->base_name,
-+						xattr_name, &null, sizeof(null),
-+						flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
- 					goto fail;
- 				}
- 			}
- 		}
--	}
--
--	if (flags & O_TRUNC) {
--		char null = '\0';
--		if (fsp->base_fsp->fh->fd != -1) {
--			if (SMB_VFS_FSETXATTR(
--					fsp->base_fsp, xattr_name,
--					&null, sizeof(null),
--					flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
--				goto fail;
--			}
--		} else {
--			if (SMB_VFS_SETXATTR(
--					handle->conn, smb_fname->base_name,
--					xattr_name, &null, sizeof(null),
--					flags & O_EXCL ? XATTR_CREATE : 0) == -1) {
--				goto fail;
--			}
--		}
--	}
- 
--        sio = (struct stream_io *)VFS_ADD_FSP_EXTENSION(handle, fsp,
-+		sio = (struct stream_io *)VFS_ADD_FSP_EXTENSION(handle, fsp,
- 							struct stream_io,
- 							NULL);
-         if (sio == NULL) {
-@@ -868,7 +861,7 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
- 		return -1;
- 	}
- 
--	status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
-+	status = get_ea_value(talloc_tos(), handle->conn, fsp,
- 			      sio->base, sio->xattr_name, &ea);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return -1;
-@@ -892,13 +885,13 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
- 
-         memcpy(ea.value.data + offset, data, n);
- 
--	if (fsp->base_fsp->fh->fd != -1) {
--		ret = SMB_VFS_FSETXATTR(fsp->base_fsp,
-+	if (fsp->fh->fd != -1) {
-+		ret = SMB_VFS_FSETXATTR(fsp,
- 				sio->xattr_name,
- 				ea.value.data, ea.value.length, 0);
- 	} else {
- 		ret = SMB_VFS_SETXATTR(fsp->conn,
--				       fsp->base_fsp->fsp_name->base_name,
-+				       fsp->fsp_name->base_name,
- 				sio->xattr_name,
- 				ea.value.data, ea.value.length, 0);
- 	}
-@@ -932,7 +925,7 @@ static ssize_t streams_xattr_pread(vfs_handle_struct *handle,
- 		return -1;
- 	}
- 
--	status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
-+	status = get_ea_value(talloc_tos(), handle->conn, fsp,
- 			      sio->base, sio->xattr_name, &ea);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return -1;
-@@ -977,7 +970,7 @@ static int streams_xattr_ftruncate(struct vfs_handle_struct *handle,
- 		return -1;
- 	}
- 
--	status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp,
-+	status = get_ea_value(talloc_tos(), handle->conn, fsp,
- 			      sio->base, sio->xattr_name, &ea);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return -1;
-@@ -1002,13 +995,13 @@ static int streams_xattr_ftruncate(struct vfs_handle_struct *handle,
- 	ea.value.length = offset + 1;
- 	ea.value.data[offset] = 0;
- 
--	if (fsp->base_fsp->fh->fd != -1) {
--		ret = SMB_VFS_FSETXATTR(fsp->base_fsp,
-+	if (fsp->fh->fd != -1) {
-+		ret = SMB_VFS_FSETXATTR(fsp,
- 				sio->xattr_name,
- 				ea.value.data, ea.value.length, 0);
- 	} else {
- 		ret = SMB_VFS_SETXATTR(fsp->conn,
--				       fsp->base_fsp->fsp_name->base_name,
-+			        fsp->fsp_name->base_name,
- 				sio->xattr_name,
- 				ea.value.data, ea.value.length, 0);
- 	}
--- 
-2.13.5
-
-
-From 3f3c731faaa59f4d3ce7e49c12795c40e048d29f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 11:55:56 -0800
-Subject: [PATCH 05/15] s3: smbd: Create wrapper function for OpenDir in
- preparation for making robust.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 18ecf066824..ebe2641f813 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1367,7 +1367,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
-  Open a directory.
- ********************************************************************/
- 
--struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
-+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
-+			connection_struct *conn,
- 			const char *name,
- 			const char *mask,
- 			uint32 attr)
-@@ -1407,6 +1408,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	return NULL;
- }
- 
-+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
-+			const char *name,
-+			const char *mask,
-+			uint32_t attr)
-+{
-+	return OpenDir_internal(mem_ctx,
-+				conn,
-+				name,
-+				mask,
-+				attr);
-+}
-+
- /*******************************************************************
-  Open a directory from an fsp.
- ********************************************************************/
--- 
-2.13.5
-
-
-From 7efeb067c1586e0f1cfbb775b1efcb3b92005140 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 16:25:26 -0800
-Subject: [PATCH 06/15] s3: smbd: Opendir_internal() early return if
- SMB_VFS_OPENDIR failed.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index ebe2641f813..65327dd0dd1 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1380,6 +1380,13 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 		return NULL;
- 	}
- 
-+	dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr);
-+	if (!dirp->dir) {
-+		DEBUG(5,("OpenDir: Can't open %s. %s\n", name,
-+			 strerror(errno) ));
-+		goto fail;
-+	}
-+
- 	dirp->conn = conn;
- 	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
- 
-@@ -1394,13 +1401,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 	}
- 	talloc_set_destructor(dirp, smb_Dir_destructor);
- 
--	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
--	if (!dirp->dir) {
--		DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
--			 strerror(errno) ));
--		goto fail;
--	}
--
- 	return dirp;
- 
-   fail:
--- 
-2.13.5
-
-
-From 49d22a0c51ef1f78f0488a7c35131887704e987b Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 16:35:00 -0800
-Subject: [PATCH 07/15] s3: smbd: Create and use open_dir_safely(). Use from
- OpenDir().
-
-Hardens OpenDir against TOC/TOU races.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 59 insertions(+), 7 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 65327dd0dd1..2d168c3ba9f 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1390,12 +1390,6 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 	dirp->conn = conn;
- 	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
- 
--	dirp->dir_path = talloc_strdup(dirp, name);
--	if (!dirp->dir_path) {
--		errno = ENOMEM;
--		goto fail;
--	}
--
- 	if (sconn && !sconn->using_smb2) {
- 		sconn->searches.dirhandles_open++;
- 	}
-@@ -1408,12 +1402,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
- 	return NULL;
- }
- 
-+/****************************************************************************
-+ Open a directory handle by pathname, ensuring it's under the share path.
-+****************************************************************************/
-+
-+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
-+					connection_struct *conn,
-+					const char *name,
-+					const char *wcard,
-+					uint32_t attr)
-+{
-+	struct smb_Dir *dir_hnd = NULL;
-+	char *saved_dir = vfs_GetWd(ctx, conn);
-+	NTSTATUS status;
-+
-+	if (saved_dir == NULL) {
-+		return NULL;
-+	}
-+
-+	if (vfs_ChDir(conn, name) == -1) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * Now the directory is pinned, use
-+	 * REALPATH to ensure we can access it.
-+	 */
-+	status = check_name(conn, ".");
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto out;
-+	}
-+
-+	dir_hnd = OpenDir_internal(ctx,
-+				conn,
-+				".",
-+				wcard,
-+				attr);
-+
-+	if (dir_hnd == NULL) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * OpenDir_internal only gets "." as the dir name.
-+	 * Store the real dir name here.
-+	 */
-+
-+	dir_hnd->dir_path = talloc_strdup(dir_hnd, name);
-+	if (!dir_hnd->dir_path) {
-+		errno = ENOMEM;
-+	}
-+
-+  out:
-+
-+	vfs_ChDir(conn, saved_dir);
-+	TALLOC_FREE(saved_dir);
-+	return dir_hnd;
-+}
-+
- struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 			const char *name,
- 			const char *mask,
- 			uint32_t attr)
- {
--	return OpenDir_internal(mem_ctx,
-+	return open_dir_safely(mem_ctx,
- 				conn,
- 				name,
- 				mask,
--- 
-2.13.5
-
-
-From 6426ae1f9ef53158a6fbe1912dfec40d834115fe Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:13:20 -0800
-Subject: [PATCH 08/15] s3: smbd: OpenDir_fsp() use early returns.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
- 1 file changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 2d168c3ba9f..6aed4a6da46 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1485,7 +1485,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	struct smbd_server_connection *sconn = conn->sconn;
- 
- 	if (!dirp) {
--		return NULL;
-+		goto fail;
-+	}
-+
-+	if (!fsp->is_directory) {
-+		errno = EBADF;
-+		goto fail;
-+	}
-+
-+	if (fsp->fh->fd == -1) {
-+		errno = EBADF;
-+		goto fail;
- 	}
- 
- 	dirp->conn = conn;
-@@ -1502,18 +1512,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	}
- 	talloc_set_destructor(dirp, smb_Dir_destructor);
- 
--	if (fsp->is_directory && fsp->fh->fd != -1) {
--		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
--		if (dirp->dir != NULL) {
--			dirp->fsp = fsp;
--		} else {
--			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
--				"NULL (%s)\n",
--				dirp->dir_path,
--				strerror(errno)));
--			if (errno != ENOSYS) {
--				return NULL;
--			}
-+	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-+	if (dirp->dir != NULL) {
-+		dirp->fsp = fsp;
-+	} else {
-+		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
-+			"NULL (%s)\n",
-+			dirp->dir_path,
-+			strerror(errno)));
-+		if (errno != ENOSYS) {
-+			return NULL;
- 		}
- 	}
- 
--- 
-2.13.5
-
-
-From f6581858ce665b880c5fea465ec61b1b0c504d89 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:15:59 -0800
-Subject: [PATCH 09/15] s3: smbd: OpenDir_fsp() - Fix memory leak on error.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 6aed4a6da46..efd1a73aab6 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1521,7 +1521,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 			dirp->dir_path,
- 			strerror(errno)));
- 		if (errno != ENOSYS) {
--			return NULL;
-+			goto fail;
- 		}
- 	}
- 
--- 
-2.13.5
-
-
-From bacba6987e58d44886d04b1dd5e36f7781dcd9b0 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:32:07 -0800
-Subject: [PATCH 10/15] s3: smbd: Move the reference counting and destructor
- setup to just before retuning success.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index efd1a73aab6..5eca128c033 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1507,11 +1507,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 		goto fail;
- 	}
- 
--	if (sconn && !sconn->using_smb2) {
--		sconn->searches.dirhandles_open++;
--	}
--	talloc_set_destructor(dirp, smb_Dir_destructor);
--
- 	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
- 	if (dirp->dir != NULL) {
- 		dirp->fsp = fsp;
-@@ -1536,6 +1531,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 		goto fail;
- 	}
- 
-+	if (sconn && !sconn->using_smb2) {
-+		sconn->searches.dirhandles_open++;
-+	}
-+	talloc_set_destructor(dirp, smb_Dir_destructor);
-+
- 	return dirp;
- 
-   fail:
--- 
-2.13.5
-
-
-From 34b3d05b55f5c40de76ba65d6b028818518a519f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 19 Dec 2016 12:35:32 -0800
-Subject: [PATCH 11/15] s3: smbd: Correctly fallback to open_dir_safely if
- FDOPENDIR not supported on system.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/dir.c | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
-index 5eca128c033..7690cb18c1a 100644
---- a/source3/smbd/dir.c
-+++ b/source3/smbd/dir.c
-@@ -1521,14 +1521,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
- 	}
- 
- 	if (dirp->dir == NULL) {
--		/* FDOPENDIR didn't work. Use OPENDIR instead. */
--		dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
--	}
--
--	if (!dirp->dir) {
--		DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", dirp->dir_path,
--			 strerror(errno) ));
--		goto fail;
-+		/* FDOPENDIR is not supported. Use OPENDIR instead. */
-+		TALLOC_FREE(dirp);
-+		return open_dir_safely(mem_ctx,
-+					conn,
-+					fsp->fsp_name->base_name,
-+					mask,
-+					attr);
- 	}
- 
- 	if (sconn && !sconn->using_smb2) {
--- 
-2.13.5
-
-
-From 84bc8b232a4495bff270b7800833ef6785937576 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 12:52:13 -0800
-Subject: [PATCH 12/15] s3: smbd: Remove O_NOFOLLOW guards. We insist on
- O_NOFOLLOW existing.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/open.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 35eee0a1485..8417f8aca4a 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -205,8 +205,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 	struct smb_filename *smb_fname = fsp->fsp_name;
- 	NTSTATUS status = NT_STATUS_OK;
- 
--#ifdef O_NOFOLLOW
--	/* 
-+	/*
- 	 * Never follow symlinks on a POSIX client. The
- 	 * client should be doing this.
- 	 */
-@@ -214,7 +213,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 	if (fsp->posix_open || !lp_symlinks(SNUM(conn))) {
- 		flags |= O_NOFOLLOW;
- 	}
--#endif
- 
- 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
- 	if (fsp->fh->fd == -1) {
--- 
-2.13.5
-
-
-From af0c5a266ae65ad2a638fe48a7ad7d77417f97d7 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 12:56:08 -0800
-Subject: [PATCH 13/15] s3: smbd: Move special handling of symlink errno's into
- a utility function.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/open.c | 30 ++++++++++++++++++++++++++++--
- 1 file changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 8417f8aca4a..e727e89e9d8 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -194,6 +194,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
- }
- 
- /****************************************************************************
-+ Handle differing symlink errno's
-+****************************************************************************/
-+
-+static int link_errno_convert(int err)
-+{
-+#if defined(ENOTSUP) && defined(OSF1)
-+	/* handle special Tru64 errno */
-+	if (err == ENOTSUP) {
-+		err = ELOOP;
-+	}
-+#endif /* ENOTSUP */
-+#ifdef EFTYPE
-+	/* fix broken NetBSD errno */
-+	if (err == EFTYPE) {
-+		err = ELOOP;
-+	}
-+#endif /* EFTYPE */
-+	/* fix broken FreeBSD errno */
-+	if (err == EMLINK) {
-+		err = ELOOP;
-+	}
-+	return err;
-+}
-+
-+/****************************************************************************
-  fd support routines - attempt to do a dos_open.
- ****************************************************************************/
- 
-@@ -216,8 +241,9 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 
- 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
- 	if (fsp->fh->fd == -1) {
--		status = map_nt_error_from_unix(errno);
--		if (errno == EMFILE) {
-+		int posix_errno = link_errno_convert(errno);
-+		status = map_nt_error_from_unix(posix_errno);
-+		if (posix_errno == EMFILE) {
- 			static time_t last_warned = 0L;
- 
- 			if (time((time_t *) NULL) > last_warned) {
--- 
-2.13.5
-
-
-From c3bc4ff0367d7a3ebfd64db6defddea0bc3a5f4a Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 13:04:46 -0800
-Subject: [PATCH 14/15] s3: smbd: Add the core functions to prevent symlink
- open races.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/open.c | 242 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 242 insertions(+)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index e727e89e9d8..0998adc416a 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -218,6 +218,248 @@ static int link_errno_convert(int err)
- 	return err;
- }
- 
-+static int non_widelink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth);
-+
-+/****************************************************************************
-+ Follow a symlink in userspace.
-+****************************************************************************/
-+
-+static int process_symlink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth)
-+{
-+	int fd = -1;
-+	char *link_target = NULL;
-+	int link_len = -1;
-+	char *oldwd = NULL;
-+	size_t rootdir_len = 0;
-+	char *resolved_name = NULL;
-+	bool matched = false;
-+	int saved_errno = 0;
-+
-+	/*
-+	 * Ensure we don't get stuck in a symlink loop.
-+	 */
-+	link_depth++;
-+	if (link_depth >= 20) {
-+		errno = ELOOP;
-+		goto out;
-+	}
-+
-+	/* Allocate space for the link target. */
-+	link_target = talloc_array(talloc_tos(), char, PATH_MAX);
-+	if (link_target == NULL) {
-+		errno = ENOMEM;
-+		goto out;
-+	}
-+
-+	/* Read the link target. */
-+	link_len = SMB_VFS_READLINK(conn,
-+				smb_fname->base_name,
-+				link_target,
-+				PATH_MAX - 1);
-+	if (link_len == -1) {
-+		goto out;
-+	}
-+
-+	/* Ensure it's at least null terminated. */
-+	link_target[link_len] = '\0';
-+
-+	/* Convert to an absolute path. */
-+	resolved_name = SMB_VFS_REALPATH(conn, link_target);
-+	if (resolved_name == NULL) {
-+		goto out;
-+	}
-+
-+	/*
-+	 * We know conn_rootdir starts with '/' and
-+	 * does not end in '/'. FIXME ! Should we
-+	 * smb_assert this ?
-+	 */
-+	rootdir_len = strlen(conn_rootdir);
-+
-+	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
-+	if (!matched) {
-+		errno = EACCES;
-+		goto out;
-+	}
-+
-+	/*
-+	 * Turn into a path relative to the share root.
-+	 */
-+	if (resolved_name[rootdir_len] == '\0') {
-+		/* Link to the root of the share. */
-+		smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
-+		if (smb_fname->base_name == NULL) {
-+			errno = ENOMEM;
-+			goto out;
-+		}
-+	} else if (resolved_name[rootdir_len] == '/') {
-+		smb_fname->base_name = &resolved_name[rootdir_len+1];
-+	} else {
-+		errno = EACCES;
-+		goto out;
-+	}
-+
-+	oldwd = vfs_GetWd(talloc_tos(), conn);
-+	if (oldwd == NULL) {
-+		goto out;
-+	}
-+
-+	/* Ensure we operate from the root of the share. */
-+	if (vfs_ChDir(conn, conn_rootdir) == -1) {
-+		goto out;
-+	}
-+
-+	/* And do it all again.. */
-+	fd = non_widelink_open(conn,
-+				conn_rootdir,
-+				fsp,
-+				smb_fname,
-+				flags,
-+				mode,
-+				link_depth);
-+	if (fd == -1) {
-+		saved_errno = errno;
-+	}
-+
-+  out:
-+
-+	SAFE_FREE(resolved_name);
-+	TALLOC_FREE(link_target);
-+	if (oldwd != NULL) {
-+		int ret = vfs_ChDir(conn, oldwd);
-+		if (ret == -1) {
-+			smb_panic("unable to get back to old directory\n");
-+		}
-+		TALLOC_FREE(oldwd);
-+	}
-+	if (saved_errno != 0) {
-+		errno = saved_errno;
-+	}
-+	return fd;
-+}
-+
-+/****************************************************************************
-+ Non-widelink open.
-+****************************************************************************/
-+
-+static int non_widelink_open(struct connection_struct *conn,
-+			const char *conn_rootdir,
-+			files_struct *fsp,
-+			struct smb_filename *smb_fname,
-+			int flags,
-+			mode_t mode,
-+			unsigned int link_depth)
-+{
-+	NTSTATUS status;
-+	int fd = -1;
-+	struct smb_filename *smb_fname_rel = NULL;
-+	int saved_errno = 0;
-+	char *oldwd = NULL;
-+	char *parent_dir = NULL;
-+	const char *final_component = NULL;
-+
-+	if (!parent_dirname(talloc_tos(),
-+			smb_fname->base_name,
-+			&parent_dir,
-+			&final_component)) {
-+		goto out;
-+	}
-+
-+	oldwd = vfs_GetWd(talloc_tos(), conn);
-+	if (oldwd == NULL) {
-+		goto out;
-+	}
-+
-+	/* Pin parent directory in place. */
-+	if (vfs_ChDir(conn, parent_dir) == -1) {
-+		goto out;
-+	}
-+
-+	/* Ensure the relative path is below the share. */
-+	status = check_reduced_name(conn, final_component);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		saved_errno = map_errno_from_nt_status(status);
-+		goto out;
-+	}
-+
-+	status = create_synthetic_smb_fname(talloc_tos(),
-+				final_component,
-+				smb_fname->stream_name,
-+				&smb_fname->st,
-+				&smb_fname_rel);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		saved_errno = map_errno_from_nt_status(status);
-+		goto out;
-+	}
-+
-+	flags |= O_NOFOLLOW;
-+
-+	{
-+		struct smb_filename *tmp_name = fsp->fsp_name;
-+		fsp->fsp_name = smb_fname_rel;
-+		fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
-+		fsp->fsp_name = tmp_name;
-+	}
-+
-+	if (fd == -1) {
-+		saved_errno = link_errno_convert(errno);
-+		if (saved_errno == ELOOP) {
-+			if (fsp->posix_open) {
-+				/* Never follow symlinks on posix open. */
-+				goto out;
-+			}
-+			if (!lp_symlinks(SNUM(conn))) {
-+				/* Explicitly no symlinks. */
-+				goto out;
-+			}
-+			/*
-+			 * We have a symlink. Follow in userspace
-+			 * to ensure it's under the share definition.
-+			 */
-+			fd = process_symlink_open(conn,
-+					conn_rootdir,
-+					fsp,
-+					smb_fname_rel,
-+					flags,
-+					mode,
-+					link_depth);
-+			if (fd == -1) {
-+				saved_errno =
-+					link_errno_convert(errno);
-+			}
-+		}
-+	}
-+
-+  out:
-+
-+	TALLOC_FREE(parent_dir);
-+	TALLOC_FREE(smb_fname_rel);
-+
-+	if (oldwd != NULL) {
-+		int ret = vfs_ChDir(conn, oldwd);
-+		if (ret == -1) {
-+			smb_panic("unable to get back to old directory\n");
-+		}
-+		TALLOC_FREE(oldwd);
-+	}
-+	if (saved_errno != 0) {
-+		errno = saved_errno;
-+	}
-+	return fd;
-+}
-+
- /****************************************************************************
-  fd support routines - attempt to do a dos_open.
- ****************************************************************************/
--- 
-2.13.5
-
-
-From 6a88d1cf3deb54a784f50c8eba3b9a24a65c1b34 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 15 Dec 2016 13:06:31 -0800
-Subject: [PATCH 15/15] s3: smbd: Use the new non_widelink_open() function.
-
-CVE-2017-2619
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/open.c | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 0998adc416a..65ca14ec8b8 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -481,7 +481,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
- 		flags |= O_NOFOLLOW;
- 	}
- 
--	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
-+	/* Ensure path is below share definition. */
-+	if (!lp_widelinks(SNUM(conn))) {
-+		const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
-+						smb_fname->base_name);
-+		if (conn_rootdir == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		/*
-+		 * Only follow symlinks within a share
-+		 * definition.
-+		 */
-+		fsp->fh->fd = non_widelink_open(conn,
-+					conn_rootdir,
-+					fsp,
-+					smb_fname,
-+					flags,
-+					mode,
-+					0);
-+	} else {
-+		fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
-+	}
-+
- 	if (fsp->fh->fd == -1) {
- 		int posix_errno = link_errno_convert(errno);
- 		status = map_nt_error_from_unix(posix_errno);
--- 
-2.13.5
-
diff --git a/src/patches/samba/CVE-2017-7494-v3-6.patch b/src/patches/samba/CVE-2017-7494-v3-6.patch
deleted file mode 100644
index 3b0d94cbd..000000000
--- a/src/patches/samba/CVE-2017-7494-v3-6.patch
+++ /dev/null
@@ -1,32 +0,0 @@ 
-From b719a4d53fc6d590f4fac340d956344a5246de4e Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Mon, 8 May 2017 21:40:40 +0200
-Subject: [PATCH] CVE-2017-7494: Refuse to open pipe names with / inside
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12780
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/rpc_server/srv_pipe.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index ec24fe7..b80e3f5 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
- 		pipename += 1;
- 	}
- 
-+	if (strchr(pipename, '/')) {
-+		DEBUG(1,("Refusing open on pipe %s\n", pipename));
-+		return false;
-+	}
-+
- 	if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
- 		DEBUG(10, ("refusing spoolss access\n"));
- 		return false;
--- 
-2.9.4
-
diff --git a/src/patches/samba/CVE-preparation-v3-6.patch b/src/patches/samba/CVE-preparation-v3-6.patch
deleted file mode 100644
index c4891d6a5..000000000
--- a/src/patches/samba/CVE-preparation-v3-6.patch
+++ /dev/null
@@ -1,6976 +0,0 @@ 
-From 39a3fa39967faaf216be8e108ca57d07de1aa95a Mon Sep 17 00:00:00 2001
-From: Vadim Zhukov <persgray@gmail.com>
-Date: Sat, 25 May 2013 15:19:24 +0100
-Subject: [PATCH 01/44] pidl: Recent Perl warns about "defined(@var)"
- constructs.
-
-Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
-
-Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
-Autobuild-Date(master): Sat May 25 18:10:53 CEST 2013 on sn-devel-104
-
-(cherry picked from commit 92254d09e0ee5a7d9d0cd91fe1803f54e64d9a5f)
----
- pidl/lib/Parse/Pidl/ODL.pm | 2 +-
- pidl/pidl                  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-Index: samba-3.6.23/pidl/lib/Parse/Pidl/ODL.pm
-===================================================================
---- samba-3.6.23.orig/pidl/lib/Parse/Pidl/ODL.pm
-+++ samba-3.6.23/pidl/lib/Parse/Pidl/ODL.pm
-@@ -70,7 +70,7 @@ sub ODL2IDL
- 					next;
- 				}
- 				my $podl = Parse::Pidl::IDL::parse_file($idl_path, $opt_incdirs);
--				if (defined(@$podl)) {
-+				if (defined($podl)) {
- 					require Parse::Pidl::Typelist;
- 					my $basename = basename($idl_path, ".idl");
- 
-Index: samba-3.6.23/pidl/pidl
-===================================================================
---- samba-3.6.23.orig/pidl/pidl
-+++ samba-3.6.23/pidl/pidl
-@@ -605,7 +605,7 @@ sub process_file($)
- 		require Parse::Pidl::IDL;
- 
- 		$pidl = Parse::Pidl::IDL::parse_file($idl_file, \@opt_incdirs);
--		defined @$pidl || die "Failed to parse $idl_file";
-+		defined $pidl || die "Failed to parse $idl_file";
- 	}
- 
- 	require Parse::Pidl::Typelist;
-Index: samba-3.6.23/source4/heimdal/cf/make-proto.pl
-===================================================================
---- samba-3.6.23.orig/source4/heimdal/cf/make-proto.pl
-+++ samba-3.6.23/source4/heimdal/cf/make-proto.pl
-@@ -1,8 +1,8 @@
- # Make prototypes from .c files
- # $Id$
- 
--##use Getopt::Std;
--require 'getopts.pl';
-+use Getopt::Std;
-+#require 'getopts.pl';
- 
- my $comment = 0;
- my $if_0 = 0;
-@@ -12,7 +12,7 @@ my $debug = 0;
- my $oproto = 1;
- my $private_func_re = "^_";
- 
--Getopts('x:m:o:p:dqE:R:P:') || die "foo";
-+getopts('x:m:o:p:dqE:R:P:') || die "foo";
- 
- if($opt_d) {
-     $debug = 1;
-Index: samba-3.6.23/source3/Makefile-smbtorture4
-===================================================================
---- samba-3.6.23.orig/source3/Makefile-smbtorture4
-+++ samba-3.6.23/source3/Makefile-smbtorture4
-@@ -6,7 +6,7 @@ SAMBA4_BINARIES="smbtorture,ndrdump"
- samba4-configure:
- 	@(cd .. && \
- 		CFLAGS='' $(WAF) reconfigure || \
--		CFLAGS='' $(WAF) configure --enable-socket-wrapper --enable-nss-wrapper --enable-uid-wrapper --nonshared-binary=$(SAMBA4_BINARIES) --enable-auto-reconfigure )
-+		CFLAGS='' $(WAF) configure --enable-socket-wrapper --enable-nss-wrapper --enable-uid-wrapper --nonshared-binary=$(SAMBA4_BINARIES) --enable-auto-reconfigure --bundled-libraries=ALL --disable-gnutls )
- 
- .PHONY: samba4-configure
- 
-Index: samba-3.6.23/source4/lib/ldb/wscript
-===================================================================
---- samba-3.6.23.orig/source4/lib/ldb/wscript
-+++ samba-3.6.23/source4/lib/ldb/wscript
-@@ -135,9 +135,7 @@ def build(bld):
-                           pc_files=ldb_pc_files,
-                           vnum=VERSION,
-                           private_library=private_library,
--                          manpages='man/ldb.3',
--                          abi_directory = 'ABI',
--                          abi_match = abi_match)
-+                          manpages='man/ldb.3')
- 
-         # generate a include/ldb_version.h
-         t = bld.SAMBA_GENERATOR('ldb_version.h',
-Index: samba-3.6.23/source3/selftest/skip
-===================================================================
---- samba-3.6.23.orig/source3/selftest/skip
-+++ samba-3.6.23/source3/selftest/skip
-@@ -22,3 +22,8 @@ samba3.*raw.ioctl
- samba3.*raw.qfileinfo
- samba3.*raw.qfsinfo
- samba3.*raw.sfileinfo.base
-+# skip, don't work for badlock backports
-+samba3.posix_s3.raw.eas
-+samba3.posix_s3.raw.rename
-+samba3.posix_s3.raw.search
-+samba3.posix_s3.raw.streams
-Index: samba-3.6.23/librpc/ndr/ndr_ntlmssp.c
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/ndr_ntlmssp.c
-+++ samba-3.6.23/librpc/ndr/ndr_ntlmssp.c
-@@ -176,4 +176,20 @@ _PUBLIC_ void ndr_print_ntlmssp_Version(
- 	}
- }
- 
-+_PUBLIC_ struct AV_PAIR *ndr_ntlmssp_find_av(const struct AV_PAIR_LIST *av_list,
-+					     enum ntlmssp_AvId AvId)
-+{
-+	struct AV_PAIR *res = NULL;
-+	uint32_t i = 0;
- 
-+	for (i = 0; i < av_list->count; i++) {
-+		if (av_list->pair[i].AvId != AvId) {
-+			continue;
-+		}
-+
-+		res = discard_const_p(struct AV_PAIR, &av_list->pair[i]);
-+		break;
-+	}
-+
-+	return res;
-+}
-Index: samba-3.6.23/librpc/ndr/ndr_ntlmssp.h
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/ndr_ntlmssp.h
-+++ samba-3.6.23/librpc/ndr/ndr_ntlmssp.h
-@@ -31,3 +31,5 @@ _PUBLIC_ void ndr_print_ntlmssp_lm_respo
- 					    bool ntlmv2);
- _PUBLIC_ void ndr_print_ntlmssp_Version(struct ndr_print *ndr, const char *name, const union ntlmssp_Version *r);
- 
-+_PUBLIC_ struct AV_PAIR *ndr_ntlmssp_find_av(const struct AV_PAIR_LIST *av_list,
-+					     enum ntlmssp_AvId AvId);
-Index: samba-3.6.23/librpc/ABI/ndr-0.0.2.sigs
-===================================================================
---- /dev/null
-+++ samba-3.6.23/librpc/ABI/ndr-0.0.2.sigs
-@@ -0,0 +1,247 @@
-+GUID_all_zero: bool (const struct GUID *)
-+GUID_compare: int (const struct GUID *, const struct GUID *)
-+GUID_equal: bool (const struct GUID *, const struct GUID *)
-+GUID_from_data_blob: NTSTATUS (const DATA_BLOB *, struct GUID *)
-+GUID_from_ndr_blob: NTSTATUS (const DATA_BLOB *, struct GUID *)
-+GUID_from_string: NTSTATUS (const char *, struct GUID *)
-+GUID_hexstring: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_random: struct GUID (void)
-+GUID_string: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_string2: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_to_ndr_blob: NTSTATUS (const struct GUID *, TALLOC_CTX *, DATA_BLOB *)
-+GUID_zero: struct GUID (void)
-+ndr_align_size: size_t (uint32_t, size_t)
-+ndr_charset_length: uint32_t (const void *, charset_t)
-+ndr_check_array_length: enum ndr_err_code (struct ndr_pull *, void *, uint32_t)
-+ndr_check_array_size: enum ndr_err_code (struct ndr_pull *, void *, uint32_t)
-+ndr_check_padding: void (struct ndr_pull *, size_t)
-+ndr_check_pipe_chunk_trailer: enum ndr_err_code (struct ndr_pull *, int, uint32_t)
-+ndr_check_string_terminator: enum ndr_err_code (struct ndr_pull *, uint32_t, uint32_t)
-+ndr_get_array_length: uint32_t (struct ndr_pull *, const void *)
-+ndr_get_array_size: uint32_t (struct ndr_pull *, const void *)
-+ndr_map_error2errno: int (enum ndr_err_code)
-+ndr_map_error2ntstatus: NTSTATUS (enum ndr_err_code)
-+ndr_map_error2string: const char *(enum ndr_err_code)
-+ndr_policy_handle_empty: bool (const struct policy_handle *)
-+ndr_policy_handle_equal: bool (const struct policy_handle *, const struct policy_handle *)
-+ndr_print_DATA_BLOB: void (struct ndr_print *, const char *, DATA_BLOB)
-+ndr_print_GUID: void (struct ndr_print *, const char *, const struct GUID *)
-+ndr_print_KRB5_EDATA_NTSTATUS: void (struct ndr_print *, const char *, const struct KRB5_EDATA_NTSTATUS *)
-+ndr_print_NTSTATUS: void (struct ndr_print *, const char *, NTSTATUS)
-+ndr_print_NTTIME: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_NTTIME_1sec: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_NTTIME_hyper: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_WERROR: void (struct ndr_print *, const char *, WERROR)
-+ndr_print_array_uint8: void (struct ndr_print *, const char *, const uint8_t *, uint32_t)
-+ndr_print_bad_level: void (struct ndr_print *, const char *, uint16_t)
-+ndr_print_bitmap_flag: void (struct ndr_print *, size_t, const char *, uint32_t, uint32_t)
-+ndr_print_bool: void (struct ndr_print *, const char *, const bool)
-+ndr_print_debug: void (ndr_print_fn_t, const char *, void *)
-+ndr_print_debug_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_debugc: void (int, ndr_print_fn_t, const char *, void *)
-+ndr_print_debugc_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_dlong: void (struct ndr_print *, const char *, int64_t)
-+ndr_print_double: void (struct ndr_print *, const char *, double)
-+ndr_print_enum: void (struct ndr_print *, const char *, const char *, const char *, uint32_t)
-+ndr_print_function_debug: void (ndr_print_function_t, const char *, int, void *)
-+ndr_print_function_string: char *(TALLOC_CTX *, ndr_print_function_t, const char *, int, void *)
-+ndr_print_get_switch_value: uint32_t (struct ndr_print *, const void *)
-+ndr_print_gid_t: void (struct ndr_print *, const char *, gid_t)
-+ndr_print_hyper: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_int16: void (struct ndr_print *, const char *, int16_t)
-+ndr_print_int32: void (struct ndr_print *, const char *, int32_t)
-+ndr_print_int3264: void (struct ndr_print *, const char *, int32_t)
-+ndr_print_int8: void (struct ndr_print *, const char *, int8_t)
-+ndr_print_ipv4address: void (struct ndr_print *, const char *, const char *)
-+ndr_print_ipv6address: void (struct ndr_print *, const char *, const char *)
-+ndr_print_ndr_syntax_id: void (struct ndr_print *, const char *, const struct ndr_syntax_id *)
-+ndr_print_netr_SamDatabaseID: void (struct ndr_print *, const char *, enum netr_SamDatabaseID)
-+ndr_print_netr_SchannelType: void (struct ndr_print *, const char *, enum netr_SchannelType)
-+ndr_print_null: void (struct ndr_print *)
-+ndr_print_pointer: void (struct ndr_print *, const char *, void *)
-+ndr_print_policy_handle: void (struct ndr_print *, const char *, const struct policy_handle *)
-+ndr_print_printf_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_ptr: void (struct ndr_print *, const char *, const void *)
-+ndr_print_set_switch_value: enum ndr_err_code (struct ndr_print *, const void *, uint32_t)
-+ndr_print_sockaddr_storage: void (struct ndr_print *, const char *, const struct sockaddr_storage *)
-+ndr_print_string: void (struct ndr_print *, const char *, const char *)
-+ndr_print_string_array: void (struct ndr_print *, const char *, const char **)
-+ndr_print_string_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_struct: void (struct ndr_print *, const char *, const char *)
-+ndr_print_struct_string: char *(TALLOC_CTX *, ndr_print_fn_t, const char *, void *)
-+ndr_print_svcctl_ServerType: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_time_t: void (struct ndr_print *, const char *, time_t)
-+ndr_print_timespec: void (struct ndr_print *, const char *, const struct timespec *)
-+ndr_print_timeval: void (struct ndr_print *, const char *, const struct timeval *)
-+ndr_print_udlong: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_udlongr: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_uid_t: void (struct ndr_print *, const char *, uid_t)
-+ndr_print_uint16: void (struct ndr_print *, const char *, uint16_t)
-+ndr_print_uint32: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_uint3264: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_uint8: void (struct ndr_print *, const char *, uint8_t)
-+ndr_print_union: void (struct ndr_print *, const char *, int, const char *)
-+ndr_print_union_debug: void (ndr_print_fn_t, const char *, uint32_t, void *)
-+ndr_print_union_string: char *(TALLOC_CTX *, ndr_print_fn_t, const char *, uint32_t, void *)
-+ndr_print_winreg_Data: void (struct ndr_print *, const char *, const union winreg_Data *)
-+ndr_print_winreg_Type: void (struct ndr_print *, const char *, enum winreg_Type)
-+ndr_pull_DATA_BLOB: enum ndr_err_code (struct ndr_pull *, int, DATA_BLOB *)
-+ndr_pull_GUID: enum ndr_err_code (struct ndr_pull *, int, struct GUID *)
-+ndr_pull_KRB5_EDATA_NTSTATUS: enum ndr_err_code (struct ndr_pull *, int, struct KRB5_EDATA_NTSTATUS *)
-+ndr_pull_NTSTATUS: enum ndr_err_code (struct ndr_pull *, int, NTSTATUS *)
-+ndr_pull_NTTIME: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_NTTIME_1sec: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_NTTIME_hyper: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_WERROR: enum ndr_err_code (struct ndr_pull *, int, WERROR *)
-+ndr_pull_advance: enum ndr_err_code (struct ndr_pull *, uint32_t)
-+ndr_pull_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_array_length: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_array_size: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_array_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *, uint32_t)
-+ndr_pull_bytes: enum ndr_err_code (struct ndr_pull *, uint8_t *, uint32_t)
-+ndr_pull_charset: enum ndr_err_code (struct ndr_pull *, int, const char **, uint32_t, uint8_t, charset_t)
-+ndr_pull_charset_to_null: enum ndr_err_code (struct ndr_pull *, int, const char **, uint32_t, uint8_t, charset_t)
-+ndr_pull_dlong: enum ndr_err_code (struct ndr_pull *, int, int64_t *)
-+ndr_pull_double: enum ndr_err_code (struct ndr_pull *, int, double *)
-+ndr_pull_enum_uint16: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_enum_uint1632: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_enum_uint32: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_enum_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *)
-+ndr_pull_error: enum ndr_err_code (struct ndr_pull *, enum ndr_err_code, const char *, ...)
-+ndr_pull_generic_ptr: enum ndr_err_code (struct ndr_pull *, uint32_t *)
-+ndr_pull_get_relative_base_offset: uint32_t (struct ndr_pull *)
-+ndr_pull_get_switch_value: uint32_t (struct ndr_pull *, const void *)
-+ndr_pull_gid_t: enum ndr_err_code (struct ndr_pull *, int, gid_t *)
-+ndr_pull_hyper: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_init_blob: struct ndr_pull *(const DATA_BLOB *, TALLOC_CTX *)
-+ndr_pull_int16: enum ndr_err_code (struct ndr_pull *, int, int16_t *)
-+ndr_pull_int32: enum ndr_err_code (struct ndr_pull *, int, int32_t *)
-+ndr_pull_int8: enum ndr_err_code (struct ndr_pull *, int, int8_t *)
-+ndr_pull_ipv4address: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_ipv6address: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_ndr_syntax_id: enum ndr_err_code (struct ndr_pull *, int, struct ndr_syntax_id *)
-+ndr_pull_netr_SamDatabaseID: enum ndr_err_code (struct ndr_pull *, int, enum netr_SamDatabaseID *)
-+ndr_pull_netr_SchannelType: enum ndr_err_code (struct ndr_pull *, int, enum netr_SchannelType *)
-+ndr_pull_pointer: enum ndr_err_code (struct ndr_pull *, int, void **)
-+ndr_pull_policy_handle: enum ndr_err_code (struct ndr_pull *, int, struct policy_handle *)
-+ndr_pull_ref_ptr: enum ndr_err_code (struct ndr_pull *, uint32_t *)
-+ndr_pull_relative_ptr1: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_relative_ptr2: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_relative_ptr_short: enum ndr_err_code (struct ndr_pull *, uint16_t *)
-+ndr_pull_restore_relative_base_offset: void (struct ndr_pull *, uint32_t)
-+ndr_pull_set_switch_value: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_setup_relative_base_offset1: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_setup_relative_base_offset2: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_string: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_string_array: enum ndr_err_code (struct ndr_pull *, int, const char ***)
-+ndr_pull_struct_blob: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, ndr_pull_flags_fn_t)
-+ndr_pull_struct_blob_all: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, ndr_pull_flags_fn_t)
-+ndr_pull_subcontext_end: enum ndr_err_code (struct ndr_pull *, struct ndr_pull *, size_t, ssize_t)
-+ndr_pull_subcontext_start: enum ndr_err_code (struct ndr_pull *, struct ndr_pull **, size_t, ssize_t)
-+ndr_pull_svcctl_ServerType: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_time_t: enum ndr_err_code (struct ndr_pull *, int, time_t *)
-+ndr_pull_timespec: enum ndr_err_code (struct ndr_pull *, int, struct timespec *)
-+ndr_pull_timeval: enum ndr_err_code (struct ndr_pull *, int, struct timeval *)
-+ndr_pull_trailer_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_udlong: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_udlongr: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_uid_t: enum ndr_err_code (struct ndr_pull *, int, uid_t *)
-+ndr_pull_uint16: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_uint1632: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_uint32: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_uint3264: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *)
-+ndr_pull_union_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_union_blob: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_pull_flags_fn_t)
-+ndr_pull_union_blob_all: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_pull_flags_fn_t)
-+ndr_pull_winreg_Data: enum ndr_err_code (struct ndr_pull *, int, union winreg_Data *)
-+ndr_pull_winreg_Type: enum ndr_err_code (struct ndr_pull *, int, enum winreg_Type *)
-+ndr_push_DATA_BLOB: enum ndr_err_code (struct ndr_push *, int, DATA_BLOB)
-+ndr_push_GUID: enum ndr_err_code (struct ndr_push *, int, const struct GUID *)
-+ndr_push_KRB5_EDATA_NTSTATUS: enum ndr_err_code (struct ndr_push *, int, const struct KRB5_EDATA_NTSTATUS *)
-+ndr_push_NTSTATUS: enum ndr_err_code (struct ndr_push *, int, NTSTATUS)
-+ndr_push_NTTIME: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_NTTIME_1sec: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_NTTIME_hyper: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_WERROR: enum ndr_err_code (struct ndr_push *, int, WERROR)
-+ndr_push_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_array_uint8: enum ndr_err_code (struct ndr_push *, int, const uint8_t *, uint32_t)
-+ndr_push_blob: DATA_BLOB (struct ndr_push *)
-+ndr_push_bytes: enum ndr_err_code (struct ndr_push *, const uint8_t *, uint32_t)
-+ndr_push_charset: enum ndr_err_code (struct ndr_push *, int, const char *, uint32_t, uint8_t, charset_t)
-+ndr_push_dlong: enum ndr_err_code (struct ndr_push *, int, int64_t)
-+ndr_push_double: enum ndr_err_code (struct ndr_push *, int, double)
-+ndr_push_enum_uint16: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_enum_uint1632: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_enum_uint32: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_enum_uint8: enum ndr_err_code (struct ndr_push *, int, uint8_t)
-+ndr_push_error: enum ndr_err_code (struct ndr_push *, enum ndr_err_code, const char *, ...)
-+ndr_push_expand: enum ndr_err_code (struct ndr_push *, uint32_t)
-+ndr_push_full_ptr: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_get_relative_base_offset: uint32_t (struct ndr_push *)
-+ndr_push_get_switch_value: uint32_t (struct ndr_push *, const void *)
-+ndr_push_gid_t: enum ndr_err_code (struct ndr_push *, int, gid_t)
-+ndr_push_hyper: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_init_ctx: struct ndr_push *(TALLOC_CTX *)
-+ndr_push_int16: enum ndr_err_code (struct ndr_push *, int, int16_t)
-+ndr_push_int32: enum ndr_err_code (struct ndr_push *, int, int32_t)
-+ndr_push_int8: enum ndr_err_code (struct ndr_push *, int, int8_t)
-+ndr_push_ipv4address: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_ipv6address: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_ndr_syntax_id: enum ndr_err_code (struct ndr_push *, int, const struct ndr_syntax_id *)
-+ndr_push_netr_SamDatabaseID: enum ndr_err_code (struct ndr_push *, int, enum netr_SamDatabaseID)
-+ndr_push_netr_SchannelType: enum ndr_err_code (struct ndr_push *, int, enum netr_SchannelType)
-+ndr_push_pipe_chunk_trailer: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_pointer: enum ndr_err_code (struct ndr_push *, int, void *)
-+ndr_push_policy_handle: enum ndr_err_code (struct ndr_push *, int, const struct policy_handle *)
-+ndr_push_ref_ptr: enum ndr_err_code (struct ndr_push *)
-+ndr_push_relative_ptr1: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_relative_ptr2_end: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_relative_ptr2_start: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_restore_relative_base_offset: void (struct ndr_push *, uint32_t)
-+ndr_push_set_switch_value: enum ndr_err_code (struct ndr_push *, const void *, uint32_t)
-+ndr_push_setup_relative_base_offset1: enum ndr_err_code (struct ndr_push *, const void *, uint32_t)
-+ndr_push_setup_relative_base_offset2: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_short_relative_ptr1: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_short_relative_ptr2: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_string: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_string_array: enum ndr_err_code (struct ndr_push *, int, const char **)
-+ndr_push_struct_blob: enum ndr_err_code (DATA_BLOB *, TALLOC_CTX *, const void *, ndr_push_flags_fn_t)
-+ndr_push_subcontext_end: enum ndr_err_code (struct ndr_push *, struct ndr_push *, size_t, ssize_t)
-+ndr_push_subcontext_start: enum ndr_err_code (struct ndr_push *, struct ndr_push **, size_t, ssize_t)
-+ndr_push_svcctl_ServerType: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_time_t: enum ndr_err_code (struct ndr_push *, int, time_t)
-+ndr_push_timespec: enum ndr_err_code (struct ndr_push *, int, const struct timespec *)
-+ndr_push_timeval: enum ndr_err_code (struct ndr_push *, int, const struct timeval *)
-+ndr_push_trailer_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_udlong: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_udlongr: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_uid_t: enum ndr_err_code (struct ndr_push *, int, uid_t)
-+ndr_push_uint16: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_uint1632: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_uint32: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_uint3264: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_uint8: enum ndr_err_code (struct ndr_push *, int, uint8_t)
-+ndr_push_union_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_union_blob: enum ndr_err_code (DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_push_flags_fn_t)
-+ndr_push_unique_ptr: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_winreg_Data: enum ndr_err_code (struct ndr_push *, int, const union winreg_Data *)
-+ndr_push_winreg_Type: enum ndr_err_code (struct ndr_push *, int, enum winreg_Type)
-+ndr_push_zero: enum ndr_err_code (struct ndr_push *, uint32_t)
-+ndr_set_flags: void (uint32_t *, uint32_t)
-+ndr_size_DATA_BLOB: uint32_t (int, const DATA_BLOB *, int)
-+ndr_size_GUID: size_t (const struct GUID *, int)
-+ndr_size_string: uint32_t (int, const char * const *, int)
-+ndr_size_string_array: size_t (const char **, uint32_t, int)
-+ndr_size_struct: size_t (const void *, int, ndr_push_flags_fn_t)
-+ndr_size_union: size_t (const void *, int, uint32_t, ndr_push_flags_fn_t)
-+ndr_string_array_size: size_t (struct ndr_push *, const char *)
-+ndr_string_length: uint32_t (const void *, uint32_t)
-+ndr_syntax_id_equal: bool (const struct ndr_syntax_id *, const struct ndr_syntax_id *)
-+ndr_syntax_id_null: uuid = {time_low = 0, time_mid = 0, time_hi_and_version = 0, clock_seq = "\000", node = "\000\000\000\000\000"}, if_version = 0
-+ndr_token_peek: uint32_t (struct ndr_token_list **, const void *)
-+ndr_token_retrieve: enum ndr_err_code (struct ndr_token_list **, const void *, uint32_t *)
-+ndr_token_retrieve_cmp_fn: enum ndr_err_code (struct ndr_token_list **, const void *, uint32_t *, comparison_fn_t, bool)
-+ndr_token_store: enum ndr_err_code (TALLOC_CTX *, struct ndr_token_list **, const void *, uint32_t)
-+ndr_transfer_syntax_ndr: uuid = {time_low = 2324192516, time_mid = 7403, time_hi_and_version = 4553, clock_seq = "\237\350", node = "\b\000+\020H`"}, if_version = 2
-+ndr_transfer_syntax_ndr64: uuid = {time_low = 1903232307, time_mid = 48826, time_hi_and_version = 18743, clock_seq = "\203\031", node = "\265\333\357\234\314\066"}, if_version = 1
-Index: samba-3.6.23/librpc/ndr/libndr.h
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/libndr.h
-+++ samba-3.6.23/librpc/ndr/libndr.h
-@@ -124,6 +124,20 @@ struct ndr_print {
- #define LIBNDR_FLAG_STR_UTF8		(1<<12)
- #define LIBNDR_STRING_FLAGS		(0x7FFC)
- 
-+/*
-+ * don't debug NDR_ERR_BUFSIZE failures,
-+ * as the available buffer might be incomplete.
-+ *
-+ * return NDR_ERR_INCOMPLETE_BUFFER instead.
-+ */
-+#define LIBNDR_FLAG_INCOMPLETE_BUFFER (1<<16)
-+
-+/*
-+ * This lets ndr_pull_subcontext_end() return
-+ * NDR_ERR_UNREAD_BYTES.
-+ */
-+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
-+
- /* set if relative pointers should *not* be marshalled in reverse order */
- #define LIBNDR_FLAG_NO_RELATIVE_REVERSE	(1<<18)
- 
-@@ -163,6 +177,7 @@ struct ndr_print {
- 
- /* useful macro for debugging */
- #define NDR_PRINT_DEBUG(type, p) ndr_print_debug((ndr_print_fn_t)ndr_print_ ##type, #p, p)
-+#define NDR_PRINT_DEBUGC(dbgc_class, type, p) ndr_print_debugc(dbgc_class, (ndr_print_fn_t)ndr_print_ ##type, #p, p)
- #define NDR_PRINT_UNION_DEBUG(type, level, p) ndr_print_union_debug((ndr_print_fn_t)ndr_print_ ##type, #p, level, p)
- #define NDR_PRINT_FUNCTION_DEBUG(type, flags, p) ndr_print_function_debug((ndr_print_function_t)ndr_print_ ##type, #type, flags, p)
- #define NDR_PRINT_BOTH_DEBUG(type, p) NDR_PRINT_FUNCTION_DEBUG(type, NDR_BOTH, p)
-@@ -199,7 +214,9 @@ enum ndr_err_code {
- 	NDR_ERR_IPV6ADDRESS,
- 	NDR_ERR_INVALID_POINTER,
- 	NDR_ERR_UNREAD_BYTES,
--	NDR_ERR_NDR64
-+	NDR_ERR_NDR64,
-+	NDR_ERR_FLAGS,
-+	NDR_ERR_INCOMPLETE_BUFFER
- };
- 
- #define NDR_ERR_CODE_IS_SUCCESS(x) (x == NDR_ERR_SUCCESS)
-@@ -217,20 +234,52 @@ enum ndr_compression_alg {
- 
- /*
-   flags passed to control parse flow
-+  These are deliberately in a different range to the NDR_IN/NDR_OUT
-+  flags to catch mixups
- */
--#define NDR_SCALARS 1
--#define NDR_BUFFERS 2
-+#define NDR_SCALARS    0x100
-+#define NDR_BUFFERS    0x200
- 
- /*
--  flags passed to ndr_print_*()
-+  flags passed to ndr_print_*() and ndr pull/push for functions
-+  These are deliberately in a different range to the NDR_SCALARS/NDR_BUFFERS
-+  flags to catch mixups
- */
--#define NDR_IN 1
--#define NDR_OUT 2
--#define NDR_BOTH 3
--#define NDR_SET_VALUES 4
-+#define NDR_IN         0x10
-+#define NDR_OUT        0x20
-+#define NDR_BOTH       0x30
-+#define NDR_SET_VALUES 0x40
-+
-+
-+#define NDR_PULL_CHECK_FLAGS(ndr, ndr_flags) do { \
-+	if ((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS)) { \
-+		return ndr_pull_error(ndr, NDR_ERR_FLAGS, "Invalid pull struct ndr_flags 0x%x", ndr_flags); \
-+	} \
-+} while (0)
-+
-+#define NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags) do { \
-+	if ((ndr_flags) & ~(NDR_SCALARS|NDR_BUFFERS)) \
-+		return ndr_push_error(ndr, NDR_ERR_FLAGS, "Invalid push struct ndr_flags 0x%x", ndr_flags); \
-+} while (0)
-+
-+#define NDR_PULL_CHECK_FN_FLAGS(ndr, flags) do { \
-+	if ((flags) & ~(NDR_BOTH|NDR_SET_VALUES)) { \
-+		return ndr_pull_error(ndr, NDR_ERR_FLAGS, "Invalid fn pull flags 0x%x", flags); \
-+	} \
-+} while (0)
-+
-+#define NDR_PUSH_CHECK_FN_FLAGS(ndr, flags) do { \
-+	if ((flags) & ~(NDR_BOTH|NDR_SET_VALUES)) \
-+		return ndr_push_error(ndr, NDR_ERR_FLAGS, "Invalid fn push flags 0x%x", flags); \
-+} while (0)
- 
- #define NDR_PULL_NEED_BYTES(ndr, n) do { \
- 	if (unlikely((n) > ndr->data_size || ndr->offset + (n) > ndr->data_size)) { \
-+		if (ndr->flags & LIBNDR_FLAG_INCOMPLETE_BUFFER) { \
-+			uint32_t _available = ndr->data_size - ndr->offset; \
-+			uint32_t _missing = n - _available; \
-+			ndr->relative_highest_offset = _missing; \
-+		} \
- 		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "Pull bytes %u (%s)", (unsigned)n, __location__); \
- 	} \
- } while(0)
-@@ -247,6 +296,10 @@ enum ndr_compression_alg {
- 		ndr->offset = (ndr->offset + (n-1)) & ~(n-1); \
- 	} \
- 	if (unlikely(ndr->offset > ndr->data_size)) {			\
-+		if (ndr->flags & LIBNDR_FLAG_INCOMPLETE_BUFFER) { \
-+			uint32_t _missing = ndr->offset - ndr->data_size; \
-+			ndr->relative_highest_offset = _missing; \
-+		} \
- 		return ndr_pull_error(ndr, NDR_ERR_BUFSIZE, "Pull align %u", (unsigned)n); \
- 	} \
- } while(0)
-@@ -402,6 +455,8 @@ void ndr_print_dom_sid0(struct ndr_print
- size_t ndr_size_dom_sid0(const struct dom_sid *sid, int flags);
- void ndr_print_GUID(struct ndr_print *ndr, const char *name, const struct GUID *guid);
- bool ndr_syntax_id_equal(const struct ndr_syntax_id *i1, const struct ndr_syntax_id *i2); 
-+char *ndr_syntax_id_to_string(TALLOC_CTX *mem_ctx, const struct ndr_syntax_id *id);
-+bool ndr_syntax_id_from_string(const char *s, struct ndr_syntax_id *id);
- enum ndr_err_code ndr_push_struct_blob(DATA_BLOB *blob, TALLOC_CTX *mem_ctx, const void *p, ndr_push_flags_fn_t fn);
- enum ndr_err_code ndr_push_union_blob(DATA_BLOB *blob, TALLOC_CTX *mem_ctx, void *p, uint32_t level, ndr_push_flags_fn_t fn);
- size_t ndr_size_struct(const void *p, int flags, ndr_push_flags_fn_t push);
-@@ -424,14 +479,18 @@ enum ndr_err_code ndr_pull_relative_ptr2
- enum ndr_err_code ndr_pull_relative_ptr_short(struct ndr_pull *ndr, uint16_t *v);
- size_t ndr_align_size(uint32_t offset, size_t n);
- struct ndr_pull *ndr_pull_init_blob(const DATA_BLOB *blob, TALLOC_CTX *mem_ctx);
-+enum ndr_err_code ndr_pull_append(struct ndr_pull *ndr, DATA_BLOB *blob);
-+enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr);
- enum ndr_err_code ndr_pull_advance(struct ndr_pull *ndr, uint32_t size);
- struct ndr_push *ndr_push_init_ctx(TALLOC_CTX *mem_ctx);
- DATA_BLOB ndr_push_blob(struct ndr_push *ndr);
- enum ndr_err_code ndr_push_expand(struct ndr_push *ndr, uint32_t extra_size);
- void ndr_print_debug_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
-+void ndr_print_debugc_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
- void ndr_print_printf_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
- void ndr_print_string_helper(struct ndr_print *ndr, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
- void ndr_print_debug(ndr_print_fn_t fn, const char *name, void *ptr);
-+void ndr_print_debugc(int dbgc_class, ndr_print_fn_t fn, const char *name, void *ptr);
- void ndr_print_union_debug(ndr_print_fn_t fn, const char *name, uint32_t level, void *ptr);
- void ndr_print_function_debug(ndr_print_function_t fn, const char *name, int flags, void *ptr);
- char *ndr_print_struct_string(TALLOC_CTX *mem_ctx, ndr_print_fn_t fn, const char *name, void *ptr);
-Index: samba-3.6.23/librpc/ndr/ndr.c
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/ndr.c
-+++ samba-3.6.23/librpc/ndr/ndr.c
-@@ -77,6 +77,111 @@ _PUBLIC_ struct ndr_pull *ndr_pull_init_
- 	return ndr;
- }
- 
-+_PUBLIC_ enum ndr_err_code ndr_pull_append(struct ndr_pull *ndr, DATA_BLOB *blob)
-+{
-+	enum ndr_err_code ndr_err;
-+	DATA_BLOB b;
-+	uint32_t append = 0;
-+	bool ok;
-+
-+	if (blob->length == 0) {
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	ndr_err = ndr_token_retrieve(&ndr->array_size_list, ndr, &append);
-+	if (ndr_err == NDR_ERR_TOKEN) {
-+		append = 0;
-+		ndr_err = NDR_ERR_SUCCESS;
-+	}
-+	NDR_CHECK(ndr_err);
-+
-+	if (ndr->data_size == 0) {
-+		ndr->data = NULL;
-+		append = UINT32_MAX;
-+	}
-+
-+	if (append == UINT32_MAX) {
-+		/*
-+		 * append == UINT32_MAX means that
-+		 * ndr->data is either NULL or a valid
-+		 * talloc child of ndr, which means
-+		 * we can use data_blob_append() without
-+		 * data_blob_talloc() of the existing callers data
-+		 */
-+		b = data_blob_const(ndr->data, ndr->data_size);
-+	} else {
-+		b = data_blob_talloc(ndr, ndr->data, ndr->data_size);
-+		if (b.data == NULL) {
-+			return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
-+		}
-+	}
-+
-+	ok = data_blob_append(ndr, &b, blob->data, blob->length);
-+	if (!ok) {
-+		return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
-+	}
-+
-+	ndr->data = b.data;
-+	ndr->data_size = b.length;
-+
-+	return ndr_token_store(ndr, &ndr->array_size_list, ndr, UINT32_MAX);
-+}
-+
-+_PUBLIC_ enum ndr_err_code ndr_pull_pop(struct ndr_pull *ndr)
-+{
-+	uint32_t skip = 0;
-+	uint32_t append = 0;
-+
-+	if (ndr->relative_base_offset != 0) {
-+		return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
-+				      "%s", __location__);
-+	}
-+	if (ndr->relative_highest_offset != 0) {
-+		return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
-+				      "%s", __location__);
-+	}
-+	if (ndr->relative_list != NULL) {
-+		return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
-+				      "%s", __location__);
-+	}
-+	if (ndr->relative_base_list != NULL) {
-+		return ndr_pull_error(ndr, NDR_ERR_RELATIVE,
-+				      "%s", __location__);
-+	}
-+
-+	/*
-+	 * we need to keep up to 7 bytes
-+	 * in order to get the aligment right.
-+	 */
-+	skip = ndr->offset & 0xFFFFFFF8;
-+
-+	if (skip == 0) {
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	ndr->offset -= skip;
-+	ndr->data_size -= skip;
-+
-+	append = ndr_token_peek(&ndr->array_size_list, ndr);
-+	if (append != UINT32_MAX) {
-+		/*
-+		 * here we assume, that ndr->data is not a
-+		 * talloc child of ndr.
-+		 */
-+		ndr->data += skip;
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	memmove(ndr->data, ndr->data + skip, ndr->data_size);
-+
-+	ndr->data = talloc_realloc(ndr, ndr->data, uint8_t, ndr->data_size);
-+	if (ndr->data_size != 0 && ndr->data == NULL) {
-+		return ndr_pull_error(ndr, NDR_ERR_ALLOC, "%s", __location__);
-+	}
-+
-+	return NDR_ERR_SUCCESS;
-+}
-+
- /*
-   advance by 'size' bytes
- */
-@@ -167,6 +272,38 @@ _PUBLIC_ enum ndr_err_code ndr_push_expa
- 	return NDR_ERR_SUCCESS;
- }
- 
-+_PUBLIC_ void ndr_print_debugc_helper(struct ndr_print *ndr, const char *format, ...)
-+{
-+	va_list ap;
-+	char *s = NULL;
-+	uint32_t i;
-+	int ret;
-+	int dbgc_class;
-+
-+	va_start(ap, format);
-+	ret = vasprintf(&s, format, ap);
-+	va_end(ap);
-+
-+	if (ret == -1) {
-+		return;
-+	}
-+
-+	dbgc_class = *(int *)ndr->private_data;
-+
-+	if (ndr->no_newline) {
-+		DEBUGADDC(dbgc_class, 1,("%s", s));
-+		free(s);
-+		return;
-+	}
-+
-+	for (i=0;i<ndr->depth;i++) {
-+		DEBUGADDC(dbgc_class, 1,("    "));
-+	}
-+
-+	DEBUGADDC(dbgc_class, 1,("%s\n", s));
-+	free(s);
-+}
-+
- _PUBLIC_ void ndr_print_debug_helper(struct ndr_print *ndr, const char *format, ...) 
- {
- 	va_list ap;
-@@ -238,6 +375,25 @@ _PUBLIC_ void ndr_print_string_helper(st
- }
- 
- /*
-+  a useful helper function for printing idl structures via DEBUGC()
-+*/
-+_PUBLIC_ void ndr_print_debugc(int dbgc_class, ndr_print_fn_t fn, const char *name, void *ptr)
-+{
-+	struct ndr_print *ndr;
-+
-+	DEBUGC(dbgc_class, 1,(" "));
-+
-+	ndr = talloc_zero(NULL, struct ndr_print);
-+	if (!ndr) return;
-+	ndr->private_data = &dbgc_class;
-+	ndr->print = ndr_print_debugc_helper;
-+	ndr->depth = 1;
-+	ndr->flags = 0;
-+	fn(ndr, name, ptr);
-+	talloc_free(ndr);
-+}
-+
-+/*
-   a useful helper function for printing idl structures via DEBUG()
- */
- _PUBLIC_ void ndr_print_debug(ndr_print_fn_t fn, const char *name, void *ptr)
-@@ -403,6 +559,15 @@ _PUBLIC_ enum ndr_err_code ndr_pull_erro
- 	va_list ap;
- 	int ret;
- 
-+	if (ndr->flags & LIBNDR_FLAG_INCOMPLETE_BUFFER) {
-+		switch (ndr_err) {
-+		case NDR_ERR_BUFSIZE:
-+			return NDR_ERR_INCOMPLETE_BUFFER;
-+		default:
-+			break;
-+		}
-+	}
-+
- 	va_start(ap, format);
- 	ret = vasprintf(&s, format, ap);
- 	va_end(ap);
-@@ -557,6 +722,23 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subc
- 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &reserved));
- 		break;
- 	}
-+	case 0xFFFFFFFF:
-+		/*
-+		 * a shallow copy like subcontext
-+		 * useful for DCERPC pipe chunks.
-+		 */
-+		subndr = talloc_zero(ndr, struct ndr_pull);
-+		NDR_ERR_HAVE_NO_MEMORY(subndr);
-+
-+		subndr->flags		= ndr->flags;
-+		subndr->current_mem_ctx	= ndr->current_mem_ctx;
-+		subndr->data		= ndr->data;
-+		subndr->offset		= ndr->offset;
-+		subndr->data_size	= ndr->data_size;
-+
-+		*_subndr = subndr;
-+		return NDR_ERR_SUCCESS;
-+
- 	default:
- 		return ndr_pull_error(ndr, NDR_ERR_SUBCONTEXT, "Bad subcontext (PULL) header_size %d", 
- 				      (int)header_size);
-@@ -589,13 +771,35 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subc
- 				 ssize_t size_is)
- {
- 	uint32_t advance;
--	if (size_is >= 0) {
-+	uint32_t highest_ofs;
-+
-+	if (header_size == 0xFFFFFFFF) {
-+		advance = subndr->offset - ndr->offset;
-+	} else if (size_is >= 0) {
- 		advance = size_is;
- 	} else if (header_size > 0) {
- 		advance = subndr->data_size;
- 	} else {
- 		advance = subndr->offset;
- 	}
-+
-+	if (subndr->offset > ndr->relative_highest_offset) {
-+		highest_ofs = subndr->offset;
-+	} else {
-+		highest_ofs = subndr->relative_highest_offset;
-+	}
-+	if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
-+		/*
-+		 * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
-+		 */
-+		highest_ofs = advance;
-+	}
-+	if (highest_ofs < advance) {
-+		return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
-+				      "not all bytes consumed ofs[%u] advance[%u]",
-+				      highest_ofs, advance);
-+	}
-+
- 	NDR_CHECK(ndr_pull_advance(ndr, advance));
- 	return NDR_ERR_SUCCESS;
- }
-@@ -1440,6 +1644,7 @@ const static struct {
- 	{ NDR_ERR_INVALID_POINTER, "Invalid Pointer" },
- 	{ NDR_ERR_UNREAD_BYTES, "Unread Bytes" },
- 	{ NDR_ERR_NDR64, "NDR64 assertion error" },
-+	{ NDR_ERR_INCOMPLETE_BUFFER, "Incomplete Buffer" },
- 	{ 0, NULL }
- };
- 
-Index: samba-3.6.23/librpc/idl/idl_types.h
-===================================================================
---- samba-3.6.23.orig/librpc/idl/idl_types.h
-+++ samba-3.6.23/librpc/idl/idl_types.h
-@@ -47,3 +47,5 @@
- 
- #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
- #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
-+
-+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
-Index: samba-3.6.23/librpc/idl/dcerpc.idl
-===================================================================
---- samba-3.6.23.orig/librpc/idl/dcerpc.idl
-+++ samba-3.6.23/librpc/idl/dcerpc.idl
-@@ -10,6 +10,8 @@
- */
- import "misc.idl";
- 
-+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
-+
- interface dcerpc
- {
- 	typedef struct {
-@@ -453,14 +455,21 @@ interface dcerpc
- 	} dcerpc_payload;
- 
- 	/* pfc_flags values */
--	const uint8 DCERPC_PFC_FLAG_FIRST		= 0x01; /* First fragment */
--	const uint8 DCERPC_PFC_FLAG_LAST		= 0x02; /* Last fragment */
--	const uint8 DCERPC_PFC_FLAG_PENDING_CANCEL	= 0x04; /* Cancel was pending at sender */
--	const uint8 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN	= DCERPC_PFC_FLAG_PENDING_CANCEL; /* depends on the pdu type */
--	const uint8 DCERPC_PFC_FLAG_CONC_MPX		= 0x10; /* supports concurrent multiplexing of a single connection. */
--	const uint8 DCERPC_PFC_FLAG_DID_NOT_EXECUTE	= 0x20; /* on a fault it means the server hasn't done anything */
--	const uint8 DCERPC_PFC_FLAG_MAYBE		= 0x40; /* `maybe' call semantics requested */
--	const uint8 DCERPC_PFC_FLAG_OBJECT_UUID		= 0x80; /* on valid guid is in the optional object field */
-+	typedef [bitmap8bit] bitmap {
-+		DCERPC_PFC_FLAG_FIRST		= 0x01, /* First fragment */
-+		DCERPC_PFC_FLAG_LAST		= 0x02, /* Last fragment */
-+		DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING = 0x04, /* depends on the pdu type */
-+		DCERPC_PFC_FLAG_CONC_MPX	= 0x10, /* supports concurrent multiplexing of a single connection. */
-+		DCERPC_PFC_FLAG_DID_NOT_EXECUTE	= 0x20, /* on a fault it means the server hasn't done anything */
-+		DCERPC_PFC_FLAG_MAYBE		= 0x40, /* `maybe' call semantics requested */
-+		DCERPC_PFC_FLAG_OBJECT_UUID	= 0x80 /* on valid guid is in the optional object field */
-+	} dcerpc_pfc_flags;
-+
-+	/* Cancel was pending at sender */
-+	const int DCERPC_PFC_FLAG_PENDING_CANCEL =
-+		DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING;
-+	const ist DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN =
-+		DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING;
- 
- 	/* these offsets are needed by the signing code */
- 	const uint8 DCERPC_PFC_OFFSET      =  3;
-@@ -468,6 +477,7 @@ interface dcerpc
- 	const uint8 DCERPC_FRAG_LEN_OFFSET =  8;
- 	const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
- 	const uint8 DCERPC_CALL_ID_OFFSET  = 12;
-+	const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
- 
- 	/* little-endian flag */
- 	const uint8 DCERPC_DREP_LE  = 0x10;
-@@ -476,7 +486,7 @@ interface dcerpc
- 		uint8 rpc_vers;	        /* RPC version */
- 		uint8 rpc_vers_minor;   /* Minor version */
- 		dcerpc_pkt_type ptype;  /* Packet type */
--		uint8 pfc_flags;        /* Fragmentation flags */
-+		dcerpc_pfc_flags pfc_flags; /* Fragmentation flags */
- 		uint8 drep[4];	        /* NDR data representation */
- 		uint16 frag_length;     /* Total length of fragment */
- 		uint16 auth_length;     /* authenticator length */
-@@ -506,4 +516,69 @@ interface dcerpc
- 		uint8 serial_low;
- 		[switch_is(ptype)] dcerpc_payload u;
- 	} ncadg_packet;
-+
-+	typedef [bitmap16bit] bitmap {
-+		DCERPC_SEC_VT_COMMAND_ENUM  = 0x3FFF,
-+		DCERPC_SEC_VT_COMMAND_END   = 0x4000,
-+		DCERPC_SEC_VT_MUST_PROCESS  = 0x8000
-+	} dcerpc_sec_vt_command;
-+
-+	typedef [enum16bit] enum {
-+		DCERPC_SEC_VT_COMMAND_BITMASK1  = 0x0001,
-+		DCERPC_SEC_VT_COMMAND_PCONTEXT  = 0x0002,
-+		DCERPC_SEC_VT_COMMAND_HEADER2   = 0x0003
-+	} dcerpc_sec_vt_command_enum;
-+
-+	typedef [bitmap32bit] bitmap {
-+		DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
-+	} dcerpc_sec_vt_bitmask1;
-+
-+	typedef struct {
-+		ndr_syntax_id abstract_syntax;
-+		ndr_syntax_id transfer_syntax;
-+	} dcerpc_sec_vt_pcontext;
-+
-+	typedef struct {
-+		dcerpc_pkt_type ptype;  /* Packet type */
-+		[value(0)] uint8 reserved1;
-+		[value(0)] uint16 reserved2;
-+		uint8 drep[4];          /* NDR data representation */
-+		uint32 call_id;         /* Call identifier */
-+		uint16 context_id;
-+		uint16 opnum;
-+	} dcerpc_sec_vt_header2;
-+
-+	typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
-+	[case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
-+	[case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
-+	[case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
-+	[default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
-+	} dcerpc_sec_vt_union;
-+
-+	typedef struct {
-+		dcerpc_sec_vt_command command;
-+		[switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
-+			[subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
-+			dcerpc_sec_vt_union u;
-+	} dcerpc_sec_vt;
-+
-+	typedef [public,nopush,nopull] struct {
-+		uint16 count;
-+	} dcerpc_sec_vt_count;
-+
-+	/*
-+	 * We assume that the whole verification trailer fits into
-+	 * the last 1024 bytes after the stub data.
-+	 *
-+	 * There're currently only 3 commands defined and each should
-+	 * only be used once.
-+	 */
-+	const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
-+
-+	typedef [public,flag(NDR_PAHEX)] struct {
-+		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
-+		[value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
-+		dcerpc_sec_vt_count count;
-+		dcerpc_sec_vt commands[count.count];
-+	} dcerpc_sec_verification_trailer;
- }
-Index: samba-3.6.23/librpc/ndr/ndr_dcerpc.c
-===================================================================
---- /dev/null
-+++ samba-3.6.23/librpc/ndr/ndr_dcerpc.c
-@@ -0,0 +1,187 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+
-+   Manually parsed structures found in the DCERPC protocol
-+
-+   Copyright (C) Stefan Metzmacher 2014
-+   Copyright (C) Gregor Beck 2014
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "librpc/gen_ndr/ndr_dcerpc.h"
-+
-+#include "librpc/gen_ndr/ndr_misc.h"
-+#include "lib/util/bitmap.h"
-+
-+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
-+
-+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
-+{
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
-+	/* nothing */
-+	return NDR_ERR_SUCCESS;
-+}
-+
-+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
-+{
-+	uint32_t _saved_ofs = ndr->offset;
-+
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
-+
-+	if (!(ndr_flags & NDR_SCALARS)) {
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	r->count = 0;
-+
-+	while (true) {
-+		uint16_t command;
-+		uint16_t length;
-+
-+		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
-+		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
-+		NDR_CHECK(ndr_pull_advance(ndr, length));
-+
-+		r->count += 1;
-+
-+		if (command & DCERPC_SEC_VT_COMMAND_END) {
-+			break;
-+		}
-+	}
-+
-+	ndr->offset = _saved_ofs;
-+	return NDR_ERR_SUCCESS;
-+}
-+
-+_PUBLIC_ enum ndr_err_code ndr_pop_dcerpc_sec_verification_trailer(
-+	struct ndr_pull *ndr, TALLOC_CTX *mem_ctx,
-+	struct dcerpc_sec_verification_trailer **_r)
-+{
-+	enum ndr_err_code ndr_err;
-+	uint32_t ofs;
-+	uint32_t min_ofs = 0;
-+	struct dcerpc_sec_verification_trailer *r;
-+	DATA_BLOB sub_blob = data_blob_null;
-+	struct ndr_pull *sub_ndr = NULL;
-+	uint32_t remaining;
-+
-+	*_r = NULL;
-+
-+	r = talloc_zero(mem_ctx, struct dcerpc_sec_verification_trailer);
-+	if (r == NULL) {
-+		return NDR_ERR_ALLOC;
-+	}
-+
-+	if (ndr->data_size < sizeof(DCERPC_SEC_VT_MAGIC)) {
-+		/*
-+		 * we return with r->count = 0
-+		 */
-+		*_r = r;
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	ofs = ndr->data_size - sizeof(DCERPC_SEC_VT_MAGIC);
-+	/* the magic is 4 byte aligned */
-+	ofs &= ~3;
-+
-+	if (ofs > DCERPC_SEC_VT_MAX_SIZE) {
-+		/*
-+		 * We just scan the last 1024 bytes.
-+		 */
-+		min_ofs = ofs - DCERPC_SEC_VT_MAX_SIZE;
-+	} else {
-+		min_ofs = 0;
-+	}
-+
-+	while (true) {
-+		int ret;
-+
-+		ret = memcmp(&ndr->data[ofs],
-+			     DCERPC_SEC_VT_MAGIC,
-+			     sizeof(DCERPC_SEC_VT_MAGIC));
-+		if (ret == 0) {
-+			sub_blob = data_blob_const(&ndr->data[ofs],
-+						   ndr->data_size - ofs);
-+			break;
-+		}
-+
-+		if (ofs <= min_ofs) {
-+			break;
-+		}
-+
-+		ofs -= 4;
-+	}
-+
-+	if (sub_blob.length == 0) {
-+		/*
-+		 * we return with r->count = 0
-+		 */
-+		*_r = r;
-+		return NDR_ERR_SUCCESS;
-+	}
-+
-+	sub_ndr = ndr_pull_init_blob(&sub_blob, r);
-+	if (sub_ndr == NULL) {
-+		TALLOC_FREE(r);
-+		return NDR_ERR_ALLOC;
-+	}
-+
-+	ndr_err = ndr_pull_dcerpc_sec_verification_trailer(sub_ndr,
-+							   NDR_SCALARS | NDR_BUFFERS,
-+							   r);
-+	if (ndr_err == NDR_ERR_ALLOC) {
-+		TALLOC_FREE(r);
-+		return NDR_ERR_ALLOC;
-+	}
-+
-+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+		goto ignore_error;
-+	}
-+
-+	remaining = sub_ndr->data_size - sub_ndr->offset;
-+	if (remaining > 16) {
-+		/*
-+		 * we expect not more than 16 byte of additional
-+		 * padding after the verification trailer.
-+		 */
-+		goto ignore_error;
-+	}
-+
-+	/*
-+	 * We assume that we got a real verification trailer.
-+	 *
-+	 * We remove it from the available stub data.
-+	 */
-+	ndr->data_size = ofs;
-+
-+	TALLOC_FREE(sub_ndr);
-+
-+	*_r = r;
-+	return NDR_ERR_SUCCESS;
-+
-+ignore_error:
-+	TALLOC_FREE(sub_ndr);
-+	/*
-+	 * just ignore the error, it's likely
-+	 * that the magic we found belongs to
-+	 * the stub data.
-+	 *
-+	 * we return with r->count = 0
-+	 */
-+	ZERO_STRUCTP(r);
-+	*_r = r;
-+	return NDR_ERR_SUCCESS;
-+}
-Index: samba-3.6.23/librpc/wscript_build
-===================================================================
---- samba-3.6.23.orig/librpc/wscript_build
-+++ samba-3.6.23/librpc/wscript_build
-@@ -274,8 +274,9 @@ bld.SAMBA_SUBSYSTEM('NDR_COMPRESSION',
- 	)
- 
- bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
--	source='gen_ndr/ndr_dcerpc.c',
-+	source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
- 	public_deps='ndr',
-+	deps='bitmap',
- 	public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
- 	header_path= [ ('*gen_ndr*', 'gen_ndr') ],
- 	)
-Index: samba-3.6.23/source3/Makefile.in
-===================================================================
---- samba-3.6.23.orig/source3/Makefile.in
-+++ samba-3.6.23/source3/Makefile.in
-@@ -323,7 +323,8 @@ LIBNDR_OBJ = ../librpc/ndr/ndr_basic.o \
- 	     ../librpc/ndr/uuid.o \
- 	     librpc/ndr/util.o \
- 	     librpc/gen_ndr/ndr_server_id.o \
--	     librpc/gen_ndr/ndr_dcerpc.o
-+	     librpc/gen_ndr/ndr_dcerpc.o \
-+	     ../librpc/ndr/ndr_dcerpc.o
- 
- LIBNDR_GEN_OBJ0 = librpc/gen_ndr/ndr_samr.o \
- 		  librpc/gen_ndr/ndr_lsa.o
-@@ -454,7 +455,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ
- 	  lib/username.o \
- 	  ../libds/common/flag_mapping.o \
- 	  lib/access.o lib/smbrun.o \
--	  lib/bitmap.o lib/dprintf.o $(UTIL_REG_OBJ) \
-+	  ../lib/util/bitmap.o lib/dprintf.o $(UTIL_REG_OBJ) \
- 	  lib/wins_srv.o \
- 	  lib/util_str.o lib/clobber.o lib/util_sid.o lib/util_specialsids.o \
- 	  lib/util_unistr.o ../lib/util/charset/codepoints.o lib/util_file.o \
-@@ -988,7 +989,9 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
- 	   $(POPT_LIB_OBJ) $(SMBLDAP_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBMSRPC_OBJ) \
-            $(PASSCHANGE_OBJ) $(FNAME_UTIL_OBJ) \
- 	   $(LIBCLI_SAMR_OBJ) \
--	   rpc_client/init_lsa.o
-+	   $(LIBCLI_NETLOGON_OBJ) \
-+	   rpc_client/init_lsa.o \
-+	   rpc_client/init_netlogon.o
- 
- STATUS_OBJ = utils/status.o utils/status_profile.o \
- 	     $(LOCKING_OBJ) $(PARAM_OBJ) \
-@@ -1004,7 +1007,9 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
- 	     $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) \
- 	     $(LIBMSRPC_GEN_OBJ) \
- 	     $(LIBMSRPC_OBJ) \
--	     $(LIBCLI_SRVSVC_OBJ)
-+	     $(LIBCLI_SRVSVC_OBJ) \
-+	     $(LIBCLI_NETLOGON_OBJ) \
-+	     rpc_client/init_netlogon.o
- 
- TESTPARM_OBJ = utils/testparm.o \
-                $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
-@@ -1026,7 +1031,9 @@ SMBPASSWD_OBJ = utils/smbpasswd.o $(PASS
- 		$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) \
- 		$(LIBMSRPC_GEN_OBJ) $(LIBMSRPC_OBJ) \
- 		$(LIBCLI_SAMR_OBJ) \
--		rpc_client/init_lsa.o
-+		$(LIBCLI_NETLOGON_OBJ) \
-+		rpc_client/init_lsa.o \
-+		rpc_client/init_netlogon.o
- 
- PDBEDIT_OBJ = utils/pdbedit.o $(PASSWD_UTIL_OBJ) $(PARAM_OBJ) $(PASSDB_OBJ) \
- 		$(LIBSAMBA_OBJ) $(LIBTSOCKET_OBJ) \
-@@ -1099,7 +1106,9 @@ LIBSMBCLIENT_OBJ1 = $(LIBSMBCLIENT_OBJ0)
- 		    $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) \
- 		    $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) \
- 		    $(LIBCLI_SRVSVC_OBJ) \
--		    $(LIBCLI_LSA_OBJ)
-+		    $(LIBCLI_LSA_OBJ) \
-+		    $(LIBCLI_NETLOGON_OBJ) \
-+		    rpc_client/init_netlogon.o
- 
- LIBSMBCLIENT_OBJ = $(LIBSMBCLIENT_OBJ1)
- 
-@@ -1122,7 +1131,9 @@ CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ)
-              $(READLINE_OBJ) $(POPT_LIB_OBJ) \
-              $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) \
- 	     $(DISPLAY_SEC_OBJ) \
--	     $(LIBCLI_SRVSVC_OBJ)
-+	     $(LIBCLI_SRVSVC_OBJ) \
-+	     $(LIBCLI_NETLOGON_OBJ) \
-+	     rpc_client/init_netlogon.o
- 
- LIBSMBCONF_OBJ = ../lib/smbconf/smbconf.o \
- 		 ../lib/smbconf/smbconf_util.o \
-@@ -1234,7 +1245,9 @@ SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PA
- 	@LIBWBCLIENT_STATIC@ \
-         torture/wbc_async.o \
-         ../nsswitch/wb_reqtrans.o \
--	$(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBCLI_ECHO_OBJ)
-+	$(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(LIBCLI_ECHO_OBJ) \
-+	$(LIBCLI_NETLOGON_OBJ) rpc_client/init_netlogon.o
-+
- 
- MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
-                  $(LIB_NONSMBD_OBJ) \
-@@ -1269,14 +1282,18 @@ SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_
- 		$(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \
- 		$(PASSDB_OBJ) $(GROUPDB_OBJ) $(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) \
- 		$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) \
--		$(LIBCLI_LSA_OBJ)
-+		$(LIBCLI_LSA_OBJ) \
-+		$(LIBCLI_NETLOGON_OBJ) \
-+		rpc_client/init_netlogon.o
- 
- SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
- 		$(PARAM_OBJ) \
- 		$(LIB_NONSMBD_OBJ) \
- 		$(LIBMSRPC_OBJ) $(LIBMSRPC_GEN_OBJ) $(POPT_LIB_OBJ) \
- 		$(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) \
--		$(LIBCLI_LSA_OBJ)
-+		$(LIBCLI_LSA_OBJ) \
-+		$(LIBCLI_NETLOGON_OBJ) \
-+		rpc_client/init_netlogon.o
- 
- EVTLOGADM_OBJ0	= utils/eventlogadm.o
- 
-Index: samba-3.6.23/librpc/ndr/ndr_basic.c
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/ndr_basic.c
-+++ samba-3.6.23/librpc/ndr/ndr_basic.c
-@@ -61,6 +61,7 @@ _PUBLIC_ void ndr_check_padding(struct n
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_int8(struct ndr_pull *ndr, int ndr_flags, int8_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_NEED_BYTES(ndr, 1);
- 	*v = (int8_t)CVAL(ndr->data, ndr->offset);
- 	ndr->offset += 1;
-@@ -72,6 +73,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_int8
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_uint8(struct ndr_pull *ndr, int ndr_flags, uint8_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_NEED_BYTES(ndr, 1);
- 	*v = CVAL(ndr->data, ndr->offset);
- 	ndr->offset += 1;
-@@ -83,6 +85,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_int16(struct ndr_pull *ndr, int ndr_flags, int16_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 2);
- 	NDR_PULL_NEED_BYTES(ndr, 2);
- 	*v = (uint16_t)NDR_SVAL(ndr, ndr->offset);
-@@ -95,6 +98,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_int1
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_uint16(struct ndr_pull *ndr, int ndr_flags, uint16_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 2);
- 	NDR_PULL_NEED_BYTES(ndr, 2);
- 	*v = NDR_SVAL(ndr, ndr->offset);
-@@ -107,6 +111,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_uint1632(struct ndr_pull *ndr, int ndr_flags, uint16_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	if (unlikely(ndr->flags & LIBNDR_FLAG_NDR64)) {
- 		uint32_t v32 = 0;
- 		enum ndr_err_code err = ndr_pull_uint32(ndr, ndr_flags, &v32);
-@@ -125,6 +130,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_int32(struct ndr_pull *ndr, int ndr_flags, int32_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 4);
- 	NDR_PULL_NEED_BYTES(ndr, 4);
- 	*v = NDR_IVALS(ndr, ndr->offset);
-@@ -137,6 +143,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_int3
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_uint32(struct ndr_pull *ndr, int ndr_flags, uint32_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 4);
- 	NDR_PULL_NEED_BYTES(ndr, 4);
- 	*v = NDR_IVAL(ndr, ndr->offset);
-@@ -151,6 +158,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uint
- {
- 	uint64_t v64;
- 	enum ndr_err_code err;
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	if (likely(!(ndr->flags & LIBNDR_FLAG_NDR64))) {
- 		return ndr_pull_uint32(ndr, ndr_flags, v);
- 	}
-@@ -169,6 +177,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_double(struct ndr_pull *ndr, int ndr_flags, double *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 8);
- 	NDR_PULL_NEED_BYTES(ndr, 8);
- 	memcpy(v, ndr->data+ndr->offset, 8);
-@@ -217,6 +226,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_ref_
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_udlong(struct ndr_pull *ndr, int ndr_flags, uint64_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 4);
- 	NDR_PULL_NEED_BYTES(ndr, 8);
- 	*v = NDR_IVAL(ndr, ndr->offset);
-@@ -230,6 +240,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_udlo
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_udlongr(struct ndr_pull *ndr, int ndr_flags, uint64_t *v)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, 4);
- 	NDR_PULL_NEED_BYTES(ndr, 8);
- 	*v = ((uint64_t)NDR_IVAL(ndr, ndr->offset)) << 32;
-@@ -264,6 +275,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_hype
- _PUBLIC_ enum ndr_err_code ndr_pull_pointer(struct ndr_pull *ndr, int ndr_flags, void* *v)
- {
- 	uintptr_t h;
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PULL_ALIGN(ndr, sizeof(h));
- 	NDR_PULL_NEED_BYTES(ndr, sizeof(h));
- 	memcpy(&h, ndr->data+ndr->offset, sizeof(h));
-@@ -278,6 +290,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_poin
- _PUBLIC_ enum ndr_err_code ndr_pull_NTSTATUS(struct ndr_pull *ndr, int ndr_flags, NTSTATUS *status)
- {
- 	uint32_t v;
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v));
- 	*status = NT_STATUS(v);
- 	return NDR_ERR_SUCCESS;
-@@ -302,6 +315,7 @@ _PUBLIC_ void ndr_print_NTSTATUS(struct
- _PUBLIC_ enum ndr_err_code ndr_pull_WERROR(struct ndr_pull *ndr, int ndr_flags, WERROR *status)
- {
- 	uint32_t v;
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &v));
- 	*status = W_ERROR(v);
- 	return NDR_ERR_SUCCESS;
-@@ -414,6 +428,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_byte
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_array_uint8(struct ndr_pull *ndr, int ndr_flags, uint8_t *data, uint32_t n)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	if (!(ndr_flags & NDR_SCALARS)) {
- 		return NDR_ERR_SUCCESS;
- 	}
-@@ -425,6 +440,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_arra
- */
- _PUBLIC_ enum ndr_err_code ndr_push_int8(struct ndr_push *ndr, int ndr_flags, int8_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_NEED_BYTES(ndr, 1);
- 	SCVAL(ndr->data, ndr->offset, (uint8_t)v);
- 	ndr->offset += 1;
-@@ -436,6 +452,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_int8
- */
- _PUBLIC_ enum ndr_err_code ndr_push_uint8(struct ndr_push *ndr, int ndr_flags, uint8_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_NEED_BYTES(ndr, 1);
- 	SCVAL(ndr->data, ndr->offset, v);
- 	ndr->offset += 1;
-@@ -447,6 +464,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_push_int16(struct ndr_push *ndr, int ndr_flags, int16_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 2);
- 	NDR_PUSH_NEED_BYTES(ndr, 2);
- 	NDR_SSVAL(ndr, ndr->offset, (uint16_t)v);
-@@ -459,6 +477,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_int1
- */
- _PUBLIC_ enum ndr_err_code ndr_push_uint16(struct ndr_push *ndr, int ndr_flags, uint16_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 2);
- 	NDR_PUSH_NEED_BYTES(ndr, 2);
- 	NDR_SSVAL(ndr, ndr->offset, v);
-@@ -482,6 +501,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_push_int32(struct ndr_push *ndr, int ndr_flags, int32_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 4);
- 	NDR_PUSH_NEED_BYTES(ndr, 4);
- 	NDR_SIVALS(ndr, ndr->offset, v);
-@@ -494,6 +514,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_int3
- */
- _PUBLIC_ enum ndr_err_code ndr_push_uint32(struct ndr_push *ndr, int ndr_flags, uint32_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 4);
- 	NDR_PUSH_NEED_BYTES(ndr, 4);
- 	NDR_SIVAL(ndr, ndr->offset, v);
-@@ -517,6 +538,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_uint
- */
- _PUBLIC_ enum ndr_err_code ndr_push_udlong(struct ndr_push *ndr, int ndr_flags, uint64_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 4);
- 	NDR_PUSH_NEED_BYTES(ndr, 8);
- 	NDR_SIVAL(ndr, ndr->offset, (v & 0xFFFFFFFF));
-@@ -530,6 +552,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_udlo
- */
- _PUBLIC_ enum ndr_err_code ndr_push_udlongr(struct ndr_push *ndr, int ndr_flags, uint64_t v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 4);
- 	NDR_PUSH_NEED_BYTES(ndr, 8);
- 	NDR_SIVAL(ndr, ndr->offset, (v>>32));
-@@ -563,6 +586,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_hype
- */
- _PUBLIC_ enum ndr_err_code ndr_push_double(struct ndr_push *ndr, int ndr_flags, double v)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, 8);
- 	NDR_PUSH_NEED_BYTES(ndr, 8);
- 	memcpy(ndr->data+ndr->offset, &v, 8);
-@@ -576,6 +600,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_doub
- _PUBLIC_ enum ndr_err_code ndr_push_pointer(struct ndr_push *ndr, int ndr_flags, void* v)
- {
- 	uintptr_t h = (intptr_t)v;
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_PUSH_ALIGN(ndr, sizeof(h));
- 	NDR_PUSH_NEED_BYTES(ndr, sizeof(h));
- 	memcpy(ndr->data+ndr->offset, &h, sizeof(h));
-@@ -686,6 +711,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_zero
- */
- _PUBLIC_ enum ndr_err_code ndr_push_array_uint8(struct ndr_push *ndr, int ndr_flags, const uint8_t *data, uint32_t n)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	if (!(ndr_flags & NDR_SCALARS)) {
- 		return NDR_ERR_SUCCESS;
- 	}
-@@ -738,6 +764,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_ref_
- */
- _PUBLIC_ enum ndr_err_code ndr_push_NTTIME(struct ndr_push *ndr, int ndr_flags, NTTIME t)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_push_udlong(ndr, ndr_flags, t));
- 	return NDR_ERR_SUCCESS;
- }
-@@ -747,6 +774,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_NTTI
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_NTTIME(struct ndr_pull *ndr, int ndr_flags, NTTIME *t)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_pull_udlong(ndr, ndr_flags, t));
- 	return NDR_ERR_SUCCESS;
- }
-@@ -756,6 +784,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_NTTI
- */
- _PUBLIC_ enum ndr_err_code ndr_push_NTTIME_1sec(struct ndr_push *ndr, int ndr_flags, NTTIME t)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	t /= 10000000;
- 	NDR_CHECK(ndr_push_hyper(ndr, ndr_flags, t));
- 	return NDR_ERR_SUCCESS;
-@@ -766,6 +795,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_NTTI
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_NTTIME_1sec(struct ndr_pull *ndr, int ndr_flags, NTTIME *t)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_pull_hyper(ndr, ndr_flags, t));
- 	(*t) *= 10000000;
- 	return NDR_ERR_SUCCESS;
-@@ -776,6 +806,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_NTTI
- */
- _PUBLIC_ enum ndr_err_code ndr_pull_NTTIME_hyper(struct ndr_pull *ndr, int ndr_flags, NTTIME *t)
- {
-+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_pull_hyper(ndr, ndr_flags, t));
- 	return NDR_ERR_SUCCESS;
- }
-@@ -785,6 +816,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_NTTI
- */
- _PUBLIC_ enum ndr_err_code ndr_push_NTTIME_hyper(struct ndr_push *ndr, int ndr_flags, NTTIME t)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	NDR_CHECK(ndr_push_hyper(ndr, ndr_flags, t));
- 	return NDR_ERR_SUCCESS;
- }
-@@ -814,6 +846,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_time
- */
- _PUBLIC_ enum ndr_err_code ndr_push_uid_t(struct ndr_push *ndr, int ndr_flags, uid_t u)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	return ndr_push_hyper(ndr, NDR_SCALARS, (uint64_t)u);
- }
- 
-@@ -839,6 +872,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_uid_
- */
- _PUBLIC_ enum ndr_err_code ndr_push_gid_t(struct ndr_push *ndr, int ndr_flags, gid_t g)
- {
-+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
- 	return ndr_push_hyper(ndr, NDR_SCALARS, (uint64_t)g);
- }
- 
-Index: samba-3.6.23/source3/lib/bitmap.c
-===================================================================
---- samba-3.6.23.orig/source3/lib/bitmap.c
-+++ /dev/null
-@@ -1,136 +0,0 @@
--/*
--   Unix SMB/CIFS implementation.
--   simple bitmap functions
--   Copyright (C) Andrew Tridgell 1992-1998
--
--   This program is free software; you can redistribute it and/or modify
--   it under the terms of the GNU General Public License as published by
--   the Free Software Foundation; either version 3 of the License, or
--   (at your option) any later version.
--
--   This program is distributed in the hope that it will be useful,
--   but WITHOUT ANY WARRANTY; without even the implied warranty of
--   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--   GNU General Public License for more details.
--
--   You should have received a copy of the GNU General Public License
--   along with this program.  If not, see <http://www.gnu.org/licenses/>.
--*/
--
--#include "includes.h"
--
--/* these functions provide a simple way to allocate integers from a
--   pool without repetition */
--
--/****************************************************************************
--talloc a bitmap
--****************************************************************************/
--struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n)
--{
--	struct bitmap *bm;
--
--	bm = TALLOC_P(mem_ctx, struct bitmap);
--
--	if (!bm) return NULL;
--
--	bm->n = n;
--	bm->b = TALLOC_ZERO_ARRAY(bm, uint32, (n+31)/32);
--	if (!bm->b) {
--		TALLOC_FREE(bm);
--		return NULL;
--	}
--	return bm;
--}
--
--/****************************************************************************
--copy as much of the source bitmap as will fit in the destination bitmap.
--****************************************************************************/
--
--int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src)
--{
--        int count = MIN(dst->n, src->n);
--
--        SMB_ASSERT(dst->b != src->b);
--	memcpy(dst->b, src->b, sizeof(uint32)*((count+31)/32));
--
--        return count;
--}
--
--/****************************************************************************
--set a bit in a bitmap
--****************************************************************************/
--bool bitmap_set(struct bitmap *bm, unsigned i)
--{
--	if (i >= bm->n) {
--		DEBUG(0,("Setting invalid bitmap entry %d (of %d)\n",
--		      i, bm->n));
--		return False;
--	}
--	bm->b[i/32] |= (1<<(i%32));
--	return True;
--}
--
--/****************************************************************************
--clear a bit in a bitmap
--****************************************************************************/
--bool bitmap_clear(struct bitmap *bm, unsigned i)
--{
--	if (i >= bm->n) {
--		DEBUG(0,("clearing invalid bitmap entry %d (of %d)\n",
--		      i, bm->n));
--		return False;
--	}
--	bm->b[i/32] &= ~(1<<(i%32));
--	return True;
--}
--
--/****************************************************************************
--query a bit in a bitmap
--****************************************************************************/
--bool bitmap_query(struct bitmap *bm, unsigned i)
--{
--	if (i >= bm->n) return False;
--	if (bm->b[i/32] & (1<<(i%32))) {
--		return True;
--	}
--	return False;
--}
--
--/****************************************************************************
--find a zero bit in a bitmap starting at the specified offset, with
--wraparound
--****************************************************************************/
--int bitmap_find(struct bitmap *bm, unsigned ofs)
--{
--	unsigned int i, j;
--
--	if (ofs > bm->n) ofs = 0;
--
--	i = ofs;
--	while (i < bm->n) {
--		if (~(bm->b[i/32])) {
--			j = i;
--			do {
--				if (!bitmap_query(bm, j)) return j;
--				j++;
--			} while (j & 31 && j < bm->n);
--		}
--		i += 32;
--		i &= ~31;
--	}
--
--	i = 0;
--	while (i < ofs) {
--		if (~(bm->b[i/32])) {
--			j = i;
--			do {
--				if (!bitmap_query(bm, j)) return j;
--				j++;
--			} while (j & 31 && j < bm->n);
--		}
--		i += 32;
--		i &= ~31;
--	}
--
--	return -1;
--}
-Index: samba-3.6.23/lib/util/bitmap.c
-===================================================================
---- /dev/null
-+++ samba-3.6.23/lib/util/bitmap.c
-@@ -0,0 +1,137 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   simple bitmap functions
-+   Copyright (C) Andrew Tridgell 1992-1998
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "lib/util/bitmap.h"
-+
-+/* these functions provide a simple way to allocate integers from a
-+   pool without repetition */
-+
-+/****************************************************************************
-+talloc a bitmap
-+****************************************************************************/
-+struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n)
-+{
-+	struct bitmap *bm;
-+
-+	bm = talloc_zero(mem_ctx, struct bitmap);
-+
-+	if (!bm) return NULL;
-+
-+	bm->n = n;
-+	bm->b = talloc_zero_array(bm, uint32_t, (n+31)/32);
-+	if (!bm->b) {
-+		TALLOC_FREE(bm);
-+		return NULL;
-+	}
-+	return bm;
-+}
-+
-+/****************************************************************************
-+copy as much of the source bitmap as will fit in the destination bitmap.
-+****************************************************************************/
-+
-+int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src)
-+{
-+        int count = MIN(dst->n, src->n);
-+
-+        SMB_ASSERT(dst->b != src->b);
-+	memcpy(dst->b, src->b, sizeof(uint32_t)*((count+31)/32));
-+
-+        return count;
-+}
-+
-+/****************************************************************************
-+set a bit in a bitmap
-+****************************************************************************/
-+bool bitmap_set(struct bitmap *bm, unsigned i)
-+{
-+	if (i >= bm->n) {
-+		DEBUG(0,("Setting invalid bitmap entry %d (of %d)\n",
-+		      i, bm->n));
-+		return false;
-+	}
-+	bm->b[i/32] |= (1<<(i%32));
-+	return true;
-+}
-+
-+/****************************************************************************
-+clear a bit in a bitmap
-+****************************************************************************/
-+bool bitmap_clear(struct bitmap *bm, unsigned i)
-+{
-+	if (i >= bm->n) {
-+		DEBUG(0,("clearing invalid bitmap entry %d (of %d)\n",
-+		      i, bm->n));
-+		return false;
-+	}
-+	bm->b[i/32] &= ~(1<<(i%32));
-+	return true;
-+}
-+
-+/****************************************************************************
-+query a bit in a bitmap
-+****************************************************************************/
-+bool bitmap_query(struct bitmap *bm, unsigned i)
-+{
-+	if (i >= bm->n) return false;
-+	if (bm->b[i/32] & (1<<(i%32))) {
-+		return true;
-+	}
-+	return false;
-+}
-+
-+/****************************************************************************
-+find a zero bit in a bitmap starting at the specified offset, with
-+wraparound
-+****************************************************************************/
-+int bitmap_find(struct bitmap *bm, unsigned ofs)
-+{
-+	unsigned int i, j;
-+
-+	if (ofs > bm->n) ofs = 0;
-+
-+	i = ofs;
-+	while (i < bm->n) {
-+		if (~(bm->b[i/32])) {
-+			j = i;
-+			do {
-+				if (!bitmap_query(bm, j)) return j;
-+				j++;
-+			} while (j & 31 && j < bm->n);
-+		}
-+		i += 32;
-+		i &= ~31;
-+	}
-+
-+	i = 0;
-+	while (i < ofs) {
-+		if (~(bm->b[i/32])) {
-+			j = i;
-+			do {
-+				if (!bitmap_query(bm, j)) return j;
-+				j++;
-+			} while (j & 31 && j < bm->n);
-+		}
-+		i += 32;
-+		i &= ~31;
-+	}
-+
-+	return -1;
-+}
-Index: samba-3.6.23/lib/util/bitmap.h
-===================================================================
---- /dev/null
-+++ samba-3.6.23/lib/util/bitmap.h
-@@ -0,0 +1,32 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+   simple bitmap functions
-+   Copyright (C) Andrew Tridgell 1992-1998
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+/* The following definitions come from lib/bitmap.c  */
-+
-+struct bitmap {
-+	uint32_t *b;
-+	unsigned int n;
-+};
-+
-+struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n);
-+int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src);
-+bool bitmap_set(struct bitmap *bm, unsigned i);
-+bool bitmap_clear(struct bitmap *bm, unsigned i);
-+bool bitmap_query(struct bitmap *bm, unsigned i);
-+int bitmap_find(struct bitmap *bm, unsigned ofs);
-Index: samba-3.6.23/lib/util/wscript_build
-===================================================================
---- samba-3.6.23.orig/lib/util/wscript_build
-+++ samba-3.6.23/lib/util/wscript_build
-@@ -99,5 +99,11 @@ bld.SAMBA_LIBRARY('tdb-wrap',
-                   public_headers='tdb_wrap.h',
-                   private_library=True,
-                   local_include=False
--                  )
-+                 )
-+
-+bld.SAMBA_LIBRARY('bitmap',
-+		  source='bitmap.c',
-+		  deps='talloc samba-util',
-+                  local_include=False,
-+		  private_library=True)
- 
-Index: samba-3.6.23/source3/include/proto.h
-===================================================================
---- samba-3.6.23.orig/source3/include/proto.h
-+++ samba-3.6.23/source3/include/proto.h
-@@ -61,15 +61,6 @@ const char *audit_description_str(uint32
- bool get_audit_category_from_param(const char *param, uint32 *audit_category);
- const char *audit_policy_str(TALLOC_CTX *mem_ctx, uint32 policy);
- 
--/* The following definitions come from lib/bitmap.c  */
--
--struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n);
--int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src);
--bool bitmap_set(struct bitmap *bm, unsigned i);
--bool bitmap_clear(struct bitmap *bm, unsigned i);
--bool bitmap_query(struct bitmap *bm, unsigned i);
--int bitmap_find(struct bitmap *bm, unsigned ofs);
--
- /* The following definitions come from lib/charcnv.c  */
- 
- char lp_failed_convert_char(void);
-Index: samba-3.6.23/source3/include/smb.h
-===================================================================
---- samba-3.6.23.orig/source3/include/smb.h
-+++ samba-3.6.23/source3/include/smb.h
-@@ -712,7 +712,6 @@ struct connections_data {
- 	uint32 unused_compatitibility_field;
- };
- 
--
- /* the following are used by loadparm for option lists */
- typedef enum {
- 	P_BOOL,P_BOOLREV,P_CHAR,P_INTEGER,P_OCTAL,P_LIST,
-@@ -759,11 +758,6 @@ struct parm_struct {
- #define FLAG_META	0x8000 /* A meta directive - not a real parameter */
- #define FLAG_CMDLINE	0x10000 /* option has been overridden */
- 
--struct bitmap {
--	uint32 *b;
--	unsigned int n;
--};
--
- /* offsets into message for common items */
- #define smb_com 8
- #define smb_rcls 9
-Index: samba-3.6.23/source3/modules/vfs_acl_common.c
-===================================================================
---- samba-3.6.23.orig/source3/modules/vfs_acl_common.c
-+++ samba-3.6.23/source3/modules/vfs_acl_common.c
-@@ -23,6 +23,7 @@
- #include "system/filesys.h"
- #include "../libcli/security/security.h"
- #include "../librpc/gen_ndr/ndr_security.h"
-+#include "../lib/util/bitmap.h"
- 
- static NTSTATUS create_acl_blob(const struct security_descriptor *psd,
- 			DATA_BLOB *pblob,
-Index: samba-3.6.23/source3/modules/vfs_full_audit.c
-===================================================================
---- samba-3.6.23.orig/source3/modules/vfs_full_audit.c
-+++ samba-3.6.23/source3/modules/vfs_full_audit.c
-@@ -64,6 +64,7 @@
- #include "../librpc/gen_ndr/ndr_netlogon.h"
- #include "auth.h"
- #include "ntioctl.h"
-+#include "lib/util/bitmap.h"
- 
- static int vfs_full_audit_debug_level = DBGC_VFS;
- 
-Index: samba-3.6.23/source3/param/loadparm.c
-===================================================================
---- samba-3.6.23.orig/source3/param/loadparm.c
-+++ samba-3.6.23/source3/param/loadparm.c
-@@ -64,6 +64,7 @@
- #include "smb_signing.h"
- #include "dbwrap.h"
- #include "smbldap.h"
-+#include "../lib/util/bitmap.h"
- 
- #ifdef HAVE_SYS_SYSCTL_H
- #include <sys/sysctl.h>
-Index: samba-3.6.23/source3/passdb/pdb_get_set.c
-===================================================================
---- samba-3.6.23.orig/source3/passdb/pdb_get_set.c
-+++ samba-3.6.23/source3/passdb/pdb_get_set.c
-@@ -25,6 +25,7 @@
- #include "passdb.h"
- #include "../libcli/auth/libcli_auth.h"
- #include "../libcli/security/security.h"
-+#include "../lib/util/bitmap.h"
- 
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_PASSDB
-Index: samba-3.6.23/source3/smbd/conn.c
-===================================================================
---- samba-3.6.23.orig/source3/smbd/conn.c
-+++ samba-3.6.23/source3/smbd/conn.c
-@@ -23,6 +23,7 @@
- #include "smbd/smbd.h"
- #include "smbd/globals.h"
- #include "rpc_server/rpc_ncacn_np.h"
-+#include "lib/util/bitmap.h"
- 
- /* The connections bitmap is expanded in increments of BITMAP_BLOCK_SZ. The
-  * maximum size of the bitmap is the largest positive integer, but you will hit
-Index: samba-3.6.23/source3/smbd/dir.c
-===================================================================
---- samba-3.6.23.orig/source3/smbd/dir.c
-+++ samba-3.6.23/source3/smbd/dir.c
-@@ -23,6 +23,7 @@
- #include "smbd/smbd.h"
- #include "smbd/globals.h"
- #include "libcli/security/security.h"
-+#include "lib/util/bitmap.h"
- 
- /*
-    This module implements directory related functions for Samba.
-Index: samba-3.6.23/source3/smbd/files.c
-===================================================================
---- samba-3.6.23.orig/source3/smbd/files.c
-+++ samba-3.6.23/source3/smbd/files.c
-@@ -22,6 +22,7 @@
- #include "smbd/globals.h"
- #include "libcli/security/security.h"
- #include "util_tdb.h"
-+#include "lib/util/bitmap.h"
- 
- #define VALID_FNUM(fnum)   (((fnum) >= 0) && ((fnum) < real_max_open_files))
- 
-Index: samba-3.6.23/source3/smbd/smb2_server.c
-===================================================================
---- samba-3.6.23.orig/source3/smbd/smb2_server.c
-+++ samba-3.6.23/source3/smbd/smb2_server.c
-@@ -26,6 +26,7 @@
- #include "../lib/tsocket/tsocket.h"
- #include "../lib/util/tevent_ntstatus.h"
- #include "smbprofile.h"
-+#include "../lib/util/bitmap.h"
- 
- #define OUTVEC_ALLOC_SIZE (SMB2_HDR_BODY + 9)
- 
-Index: samba-3.6.23/source3/rpc_client/cli_pipe.c
-===================================================================
---- samba-3.6.23.orig/source3/rpc_client/cli_pipe.c
-+++ samba-3.6.23/source3/rpc_client/cli_pipe.c
-@@ -28,6 +28,7 @@
- #include "../libcli/auth/ntlmssp.h"
- #include "ntlmssp_wrap.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
-+#include "librpc/gen_ndr/ndr_netlogon_c.h"
- #include "librpc/rpc/dcerpc.h"
- #include "librpc/crypto/gse.h"
- #include "librpc/crypto/spnego.h"
-@@ -399,6 +400,7 @@ static NTSTATUS cli_pipe_validate_curren
- 						struct ncacn_packet *pkt,
- 						DATA_BLOB *pdu,
- 						uint8_t expected_pkt_type,
-+						uint32_t call_id,
- 						DATA_BLOB *rdata,
- 						DATA_BLOB *reply_pdu)
- {
-@@ -497,7 +499,7 @@ static NTSTATUS cli_pipe_validate_curren
- 			  "from %s!\n",
- 			  (unsigned int)pkt->ptype,
- 			  rpccli_pipe_txt(talloc_tos(), cli)));
--		return NT_STATUS_INVALID_INFO_CLASS;
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
- 	}
- 
- 	if (pkt->ptype != expected_pkt_type) {
-@@ -505,7 +507,15 @@ static NTSTATUS cli_pipe_validate_curren
- 			  "RPC packet type - %u, not %u\n",
- 			  rpccli_pipe_txt(talloc_tos(), cli),
- 			  pkt->ptype, expected_pkt_type));
--		return NT_STATUS_INVALID_INFO_CLASS;
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
-+	}
-+
-+	if (pkt->call_id != call_id) {
-+		DEBUG(3, (__location__ ": Connection to %s got an unexpected "
-+			  "RPC call_id - %u, not %u\n",
-+			  rpccli_pipe_txt(talloc_tos(), cli),
-+			  pkt->call_id, call_id));
-+		return NT_STATUS_RPC_PROTOCOL_ERROR;
- 	}
- 
- 	/* Do this just before return - we don't want to modify any rpc header
-@@ -898,6 +908,7 @@ static void rpc_api_pipe_got_pdu(struct
- 						state->cli, state->pkt,
- 						&state->incoming_frag,
- 						state->expected_pkt_type,
-+						state->call_id,
- 						&rdata,
- 						&state->reply_pdu);
- 
-@@ -1269,12 +1280,17 @@ struct rpc_api_pipe_req_state {
- 	uint32_t call_id;
- 	DATA_BLOB *req_data;
- 	uint32_t req_data_sent;
-+	DATA_BLOB req_trailer;
-+	uint32_t req_trailer_sent;
-+	bool verify_bitmask1;
-+	bool verify_pcontext;
- 	DATA_BLOB rpc_out;
- 	DATA_BLOB reply_pdu;
- };
- 
- static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
- static void rpc_api_pipe_req_done(struct tevent_req *subreq);
-+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
- static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- 				  bool *is_last_frag);
- 
-@@ -1310,6 +1326,11 @@ struct tevent_req *rpc_api_pipe_req_send
- 		goto post_status;
- 	}
- 
-+	status = prepare_verification_trailer(state);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto post_status;
-+	}
-+
- 	status = prepare_next_frag(state, &is_last_frag);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		goto post_status;
-@@ -1344,25 +1365,161 @@ struct tevent_req *rpc_api_pipe_req_send
- 	return NULL;
- }
- 
-+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
-+{
-+	struct pipe_auth_data *a = state->cli->auth;
-+	struct dcerpc_sec_verification_trailer *t;
-+	struct dcerpc_sec_vt *c = NULL;
-+	struct ndr_push *ndr = NULL;
-+	enum ndr_err_code ndr_err;
-+	size_t align = 0;
-+	size_t pad = 0;
-+
-+	if (a == NULL) {
-+		return NT_STATUS_OK;
-+	}
-+
-+	if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
-+		return NT_STATUS_OK;
-+	}
-+
-+	t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
-+	if (t == NULL) {
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	if (!a->verified_bitmask1) {
-+		t->commands = talloc_realloc(t, t->commands,
-+					     struct dcerpc_sec_vt,
-+					     t->count.count + 1);
-+		if (t->commands == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		c = &t->commands[t->count.count++];
-+		ZERO_STRUCTP(c);
-+
-+		c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
-+		state->verify_bitmask1 = true;
-+	}
-+
-+	if (!state->cli->verified_pcontext) {
-+		t->commands = talloc_realloc(t, t->commands,
-+					     struct dcerpc_sec_vt,
-+					     t->count.count + 1);
-+		if (t->commands == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		c = &t->commands[t->count.count++];
-+		ZERO_STRUCTP(c);
-+
-+		c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
-+		c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
-+		c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
-+
-+		state->verify_pcontext = true;
-+	}
-+
-+	if (true) { /* We do not support header signing */
-+		t->commands = talloc_realloc(t, t->commands,
-+					     struct dcerpc_sec_vt,
-+					     t->count.count + 1);
-+		if (t->commands == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		c = &t->commands[t->count.count++];
-+		ZERO_STRUCTP(c);
-+
-+		c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
-+		c->u.header2.ptype = DCERPC_PKT_REQUEST;
-+		c->u.header2.drep[0] = DCERPC_DREP_LE;
-+		c->u.header2.drep[1] = 0;
-+		c->u.header2.drep[2] = 0;
-+		c->u.header2.drep[3] = 0;
-+		c->u.header2.call_id = state->call_id;
-+		c->u.header2.context_id = 0;
-+		c->u.header2.opnum = state->op_num;
-+	}
-+
-+	if (t->count.count == 0) {
-+		TALLOC_FREE(t);
-+		return NT_STATUS_OK;
-+	}
-+
-+	c = &t->commands[t->count.count - 1];
-+	c->command |= DCERPC_SEC_VT_COMMAND_END;
-+
-+	if (DEBUGLEVEL >= 10) {
-+		NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
-+	}
-+
-+	ndr = ndr_push_init_ctx(state);
-+	if (ndr == NULL) {
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
-+						NDR_SCALARS | NDR_BUFFERS,
-+						t);
-+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+		return ndr_map_error2ntstatus(ndr_err);
-+	}
-+	state->req_trailer = ndr_push_blob(ndr);
-+
-+	align = state->req_data->length & 0x3;
-+	if (align > 0) {
-+		pad = 4 - align;
-+	}
-+	if (pad > 0) {
-+		bool ok;
-+		uint8_t *p;
-+		const uint8_t zeros[4] = { 0, };
-+
-+		ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
-+		if (!ok) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+
-+		/* move the padding to the start */
-+		p = state->req_trailer.data;
-+		memmove(p + pad, p, state->req_trailer.length - pad);
-+		memset(p, 0, pad);
-+	}
-+
-+	return NT_STATUS_OK;
-+}
-+
- static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
- 				  bool *is_last_frag)
- {
--	size_t data_sent_thistime;
- 	size_t auth_len;
- 	size_t frag_len;
- 	uint8_t flags = 0;
- 	size_t pad_len;
- 	size_t data_left;
-+	size_t data_thistime;
-+	size_t trailer_left;
-+	size_t trailer_thistime = 0;
-+	size_t total_left;
-+	size_t total_thistime;
- 	NTSTATUS status;
-+	bool ok;
- 	union dcerpc_payload u;
- 
- 	data_left = state->req_data->length - state->req_data_sent;
-+	trailer_left = state->req_trailer.length - state->req_trailer_sent;
-+	total_left = data_left + trailer_left;
-+	if ((total_left < data_left) || (total_left < trailer_left)) {
-+		/*
-+		 * overflow
-+		 */
-+		return NT_STATUS_INVALID_PARAMETER_MIX;
-+	}
- 
- 	status = dcerpc_guess_sizes(state->cli->auth,
--				    DCERPC_REQUEST_LENGTH, data_left,
-+				    DCERPC_REQUEST_LENGTH, total_left,
- 				    state->cli->max_xmit_frag,
- 				    CLIENT_NDR_PADDING_SIZE,
--				    &data_sent_thistime,
-+				    &total_thistime,
- 				    &frag_len, &auth_len, &pad_len);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		return status;
-@@ -1372,15 +1529,20 @@ static NTSTATUS prepare_next_frag(struct
- 		flags = DCERPC_PFC_FLAG_FIRST;
- 	}
- 
--	if (data_sent_thistime == data_left) {
-+	if (total_thistime == total_left) {
- 		flags |= DCERPC_PFC_FLAG_LAST;
- 	}
- 
-+	data_thistime = MIN(total_thistime, data_left);
-+	if (data_thistime < total_thistime) {
-+		trailer_thistime = total_thistime - data_thistime;
-+	}
-+
- 	data_blob_free(&state->rpc_out);
- 
- 	ZERO_STRUCT(u.request);
- 
--	u.request.alloc_hint	= state->req_data->length;
-+	u.request.alloc_hint	= total_left;
- 	u.request.context_id	= 0;
- 	u.request.opnum		= state->op_num;
- 
-@@ -1400,11 +1562,26 @@ static NTSTATUS prepare_next_frag(struct
- 	 * at this stage */
- 	dcerpc_set_frag_length(&state->rpc_out, frag_len);
- 
--	/* Copy in the data. */
--	if (!data_blob_append(NULL, &state->rpc_out,
-+	if (data_thistime > 0) {
-+		/* Copy in the data. */
-+		ok = data_blob_append(NULL, &state->rpc_out,
- 				state->req_data->data + state->req_data_sent,
--				data_sent_thistime)) {
--		return NT_STATUS_NO_MEMORY;
-+				data_thistime);
-+		if (!ok) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		state->req_data_sent += data_thistime;
-+	}
-+
-+	if (trailer_thistime > 0) {
-+		/* Copy in the verification trailer. */
-+		ok = data_blob_append(NULL, &state->rpc_out,
-+				state->req_trailer.data + state->req_trailer_sent,
-+				trailer_thistime);
-+		if (!ok) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+		state->req_trailer_sent += trailer_thistime;
- 	}
- 
- 	switch (state->cli->auth->auth_level) {
-@@ -1424,7 +1601,6 @@ static NTSTATUS prepare_next_frag(struct
- 		return NT_STATUS_INVALID_PARAMETER;
- 	}
- 
--	state->req_data_sent += data_sent_thistime;
- 	*is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
- 
- 	return status;
-@@ -1488,6 +1664,20 @@ static void rpc_api_pipe_req_done(struct
- 		tevent_req_nterror(req, status);
- 		return;
- 	}
-+
-+	if (state->cli->auth == NULL) {
-+		tevent_req_done(req);
-+		return;
-+	}
-+
-+	if (state->verify_bitmask1) {
-+		state->cli->auth->verified_bitmask1 = true;
-+	}
-+
-+	if (state->verify_pcontext) {
-+		state->cli->verified_pcontext = true;
-+	}
-+
- 	tevent_req_done(req);
- }
- 
-@@ -1647,9 +1837,15 @@ struct rpc_pipe_bind_state {
- 	DATA_BLOB rpc_out;
- 	bool auth3;
- 	uint32_t rpc_call_id;
-+	struct netr_Authenticator auth;
-+	struct netr_Authenticator return_auth;
-+	struct netlogon_creds_CredentialState *creds;
-+	union netr_Capabilities capabilities;
-+	struct netr_LogonGetCapabilities r;
- };
- 
- static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
-+static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
- static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- 				   struct rpc_pipe_bind_state *state,
- 				   DATA_BLOB *credentials);
-@@ -1753,11 +1949,14 @@ static void rpc_pipe_bind_step_one_done(
- 
- 	case DCERPC_AUTH_TYPE_NONE:
- 	case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
--	case DCERPC_AUTH_TYPE_SCHANNEL:
- 		/* Bind complete. */
- 		tevent_req_done(req);
- 		return;
- 
-+	case DCERPC_AUTH_TYPE_SCHANNEL:
-+		rpc_pipe_bind_step_two_trigger(req);
-+		return;
-+
- 	case DCERPC_AUTH_TYPE_NTLMSSP:
- 	case DCERPC_AUTH_TYPE_SPNEGO:
- 	case DCERPC_AUTH_TYPE_KRB5:
-@@ -1869,6 +2068,150 @@ err_out:
- 	tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
- }
- 
-+static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
-+
-+static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
-+{
-+	struct rpc_pipe_bind_state *state =
-+		tevent_req_data(req,
-+				struct rpc_pipe_bind_state);
-+	struct dcerpc_binding_handle *b = state->cli->binding_handle;
-+	struct schannel_state *schannel_auth =
-+		talloc_get_type_abort(state->cli->auth->auth_ctx,
-+				      struct schannel_state);
-+	struct tevent_req *subreq;
-+
-+	if (schannel_auth == NULL ||
-+	    !ndr_syntax_id_equal(&state->cli->abstract_syntax,
-+				 &ndr_table_netlogon.syntax_id)) {
-+		tevent_req_done(req);
-+		return;
-+	}
-+
-+	ZERO_STRUCT(state->return_auth);
-+
-+	state->creds = netlogon_creds_copy(state, schannel_auth->creds);
-+	if (state->creds == NULL) {
-+		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-+		return;
-+	}
-+
-+	netlogon_creds_client_authenticator(state->creds, &state->auth);
-+
-+	state->r.in.server_name = state->cli->srv_name_slash;
-+	state->r.in.computer_name = state->creds->computer_name;
-+	state->r.in.credential = &state->auth;
-+	state->r.in.query_level = 1;
-+	state->r.in.return_authenticator = &state->return_auth;
-+
-+	state->r.out.capabilities = &state->capabilities;
-+	state->r.out.return_authenticator = &state->return_auth;
-+
-+	subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
-+							 state->ev,
-+							 b,
-+							 &state->r);
-+	if (subreq == NULL) {
-+		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-+		return;
-+	}
-+
-+	tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
-+	return;
-+}
-+
-+static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
-+{
-+	struct tevent_req *req =
-+		tevent_req_callback_data(subreq,
-+					 struct tevent_req);
-+	struct rpc_pipe_bind_state *state =
-+		tevent_req_data(req,
-+				struct rpc_pipe_bind_state);
-+	NTSTATUS status;
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
-+	TALLOC_FREE(subreq);
-+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-+		if (state->cli->dc && state->cli->dc->negotiate_flags &
-+		    NETLOGON_NEG_SUPPORTS_AES) {
-+			DEBUG(5, ("AES is not supported and the error was %s\n",
-+				  nt_errstr(status)));
-+			tevent_req_nterror(req,
-+					   NT_STATUS_INVALID_NETWORK_RESPONSE);
-+			return;
-+		}
-+
-+		/* This is probably NT */
-+		DEBUG(5, ("We are checking against an NT - %s\n",
-+			  nt_errstr(status)));
-+		tevent_req_done(req);
-+		return;
-+	} else if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-+			  nt_errstr(status)));
-+		tevent_req_nterror(req, status);
-+		return;
-+	}
-+
-+	if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
-+		if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-+			/* This means AES isn't supported. */
-+			DEBUG(5, ("AES is not supported and the error was %s\n",
-+				  nt_errstr(state->r.out.result)));
-+			tevent_req_nterror(req,
-+					   NT_STATUS_INVALID_NETWORK_RESPONSE);
-+			return;
-+		}
-+
-+		/* This is probably an old Samba version */
-+		DEBUG(5, ("We are checking against an old Samba version - %s\n",
-+			  nt_errstr(state->r.out.result)));
-+		tevent_req_done(req);
-+		return;
-+	}
-+
-+	/* We need to check the credential state here, cause win2k3 and earlier
-+	 * returns NT_STATUS_NOT_IMPLEMENTED */
-+	if (!netlogon_creds_client_check(state->creds,
-+					 &state->r.out.return_authenticator->cred)) {
-+		/*
-+		 * Server replied with bad credential. Fail.
-+		 */
-+		DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
-+			 "replied with bad credential\n",
-+			 state->cli->desthost));
-+		tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
-+		return;
-+	}
-+
-+	TALLOC_FREE(state->cli->dc);
-+	state->cli->dc = talloc_steal(state->cli, state->creds);
-+
-+	if (!NT_STATUS_IS_OK(state->r.out.result)) {
-+		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-+			  nt_errstr(state->r.out.result)));
-+		tevent_req_nterror(req, state->r.out.result);
-+		return;
-+	}
-+
-+	if (state->creds->negotiate_flags !=
-+	    state->r.out.capabilities->server_capabilities) {
-+		DEBUG(0, ("The client capabilities don't match the server "
-+			  "capabilities: local[0x%08X] remote[0x%08X]\n",
-+			  state->creds->negotiate_flags,
-+			  state->capabilities.server_capabilities));
-+		tevent_req_nterror(req,
-+				   NT_STATUS_INVALID_NETWORK_RESPONSE);
-+		return;
-+	}
-+
-+	/* TODO: Add downgrade dectection. */
-+
-+	tevent_req_done(req);
-+	return;
-+}
-+
- static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- 				   struct rpc_pipe_bind_state *state,
- 				   DATA_BLOB *auth_token)
-@@ -3039,10 +3382,12 @@ NTSTATUS cli_rpc_pipe_open_schannel_with
- 	 * The credentials on a new netlogon pipe are the ones we are passed
- 	 * in - copy them over
- 	 */
--	result->dc = netlogon_creds_copy(result, *pdc);
- 	if (result->dc == NULL) {
--		TALLOC_FREE(result);
--		return NT_STATUS_NO_MEMORY;
-+		result->dc = netlogon_creds_copy(result, *pdc);
-+		if (result->dc == NULL) {
-+			TALLOC_FREE(result);
-+			return NT_STATUS_NO_MEMORY;
-+		}
- 	}
- 
- 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
-Index: samba-3.6.23/source3/librpc/rpc/dcerpc.h
-===================================================================
---- samba-3.6.23.orig/source3/librpc/rpc/dcerpc.h
-+++ samba-3.6.23/source3/librpc/rpc/dcerpc.h
-@@ -39,6 +39,7 @@ struct NL_AUTH_MESSAGE;
- struct pipe_auth_data {
- 	enum dcerpc_AuthType auth_type;
- 	enum dcerpc_AuthLevel auth_level;
-+	bool verified_bitmask1;
- 
- 	void *auth_ctx;
- 
-Index: samba-3.6.23/source3/rpc_client/rpc_client.h
-===================================================================
---- samba-3.6.23.orig/source3/rpc_client/rpc_client.h
-+++ samba-3.6.23/source3/rpc_client/rpc_client.h
-@@ -39,6 +39,7 @@ struct rpc_pipe_client {
- 
- 	struct ndr_syntax_id abstract_syntax;
- 	struct ndr_syntax_id transfer_syntax;
-+	bool verified_pcontext;
- 
- 	char *desthost;
- 	char *srv_name_slash;
-Index: samba-3.6.23/librpc/ndr/ndr_dcerpc.h
-===================================================================
---- /dev/null
-+++ samba-3.6.23/librpc/ndr/ndr_dcerpc.h
-@@ -0,0 +1,25 @@
-+/*
-+   Unix SMB/CIFS implementation.
-+
-+   Manually parsed structures found in the DCERPC protocol
-+
-+   Copyright (C) Stefan Metzmacher 2014
-+   Copyright (C) Gregor Beck 2014
-+
-+   This program is free software; you can redistribute it and/or modify
-+   it under the terms of the GNU General Public License as published by
-+   the Free Software Foundation; either version 3 of the License, or
-+   (at your option) any later version.
-+
-+   This program is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+   GNU General Public License for more details.
-+
-+   You should have received a copy of the GNU General Public License
-+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+enum ndr_err_code ndr_pop_dcerpc_sec_verification_trailer(
-+	struct ndr_pull *ndr, TALLOC_CTX *mem_ctx,
-+	struct dcerpc_sec_verification_trailer **_r);
-Index: samba-3.6.23/librpc/ABI/ndr-0.0.3.sigs
-===================================================================
---- /dev/null
-+++ samba-3.6.23/librpc/ABI/ndr-0.0.3.sigs
-@@ -0,0 +1,251 @@
-+GUID_all_zero: bool (const struct GUID *)
-+GUID_compare: int (const struct GUID *, const struct GUID *)
-+GUID_equal: bool (const struct GUID *, const struct GUID *)
-+GUID_from_data_blob: NTSTATUS (const DATA_BLOB *, struct GUID *)
-+GUID_from_ndr_blob: NTSTATUS (const DATA_BLOB *, struct GUID *)
-+GUID_from_string: NTSTATUS (const char *, struct GUID *)
-+GUID_hexstring: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_random: struct GUID (void)
-+GUID_string: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_string2: char *(TALLOC_CTX *, const struct GUID *)
-+GUID_to_ndr_blob: NTSTATUS (const struct GUID *, TALLOC_CTX *, DATA_BLOB *)
-+GUID_zero: struct GUID (void)
-+ndr_align_size: size_t (uint32_t, size_t)
-+ndr_charset_length: uint32_t (const void *, charset_t)
-+ndr_check_array_length: enum ndr_err_code (struct ndr_pull *, void *, uint32_t)
-+ndr_check_array_size: enum ndr_err_code (struct ndr_pull *, void *, uint32_t)
-+ndr_check_padding: void (struct ndr_pull *, size_t)
-+ndr_check_pipe_chunk_trailer: enum ndr_err_code (struct ndr_pull *, int, uint32_t)
-+ndr_check_string_terminator: enum ndr_err_code (struct ndr_pull *, uint32_t, uint32_t)
-+ndr_get_array_length: uint32_t (struct ndr_pull *, const void *)
-+ndr_get_array_size: uint32_t (struct ndr_pull *, const void *)
-+ndr_map_error2errno: int (enum ndr_err_code)
-+ndr_map_error2ntstatus: NTSTATUS (enum ndr_err_code)
-+ndr_map_error2string: const char *(enum ndr_err_code)
-+ndr_policy_handle_empty: bool (const struct policy_handle *)
-+ndr_policy_handle_equal: bool (const struct policy_handle *, const struct policy_handle *)
-+ndr_print_DATA_BLOB: void (struct ndr_print *, const char *, DATA_BLOB)
-+ndr_print_GUID: void (struct ndr_print *, const char *, const struct GUID *)
-+ndr_print_KRB5_EDATA_NTSTATUS: void (struct ndr_print *, const char *, const struct KRB5_EDATA_NTSTATUS *)
-+ndr_print_NTSTATUS: void (struct ndr_print *, const char *, NTSTATUS)
-+ndr_print_NTTIME: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_NTTIME_1sec: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_NTTIME_hyper: void (struct ndr_print *, const char *, NTTIME)
-+ndr_print_WERROR: void (struct ndr_print *, const char *, WERROR)
-+ndr_print_array_uint8: void (struct ndr_print *, const char *, const uint8_t *, uint32_t)
-+ndr_print_bad_level: void (struct ndr_print *, const char *, uint16_t)
-+ndr_print_bitmap_flag: void (struct ndr_print *, size_t, const char *, uint32_t, uint32_t)
-+ndr_print_bool: void (struct ndr_print *, const char *, const bool)
-+ndr_print_debug: void (ndr_print_fn_t, const char *, void *)
-+ndr_print_debug_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_debugc: void (int, ndr_print_fn_t, const char *, void *)
-+ndr_print_debugc_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_dlong: void (struct ndr_print *, const char *, int64_t)
-+ndr_print_double: void (struct ndr_print *, const char *, double)
-+ndr_print_enum: void (struct ndr_print *, const char *, const char *, const char *, uint32_t)
-+ndr_print_function_debug: void (ndr_print_function_t, const char *, int, void *)
-+ndr_print_function_string: char *(TALLOC_CTX *, ndr_print_function_t, const char *, int, void *)
-+ndr_print_get_switch_value: uint32_t (struct ndr_print *, const void *)
-+ndr_print_gid_t: void (struct ndr_print *, const char *, gid_t)
-+ndr_print_hyper: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_int16: void (struct ndr_print *, const char *, int16_t)
-+ndr_print_int32: void (struct ndr_print *, const char *, int32_t)
-+ndr_print_int3264: void (struct ndr_print *, const char *, int32_t)
-+ndr_print_int8: void (struct ndr_print *, const char *, int8_t)
-+ndr_print_ipv4address: void (struct ndr_print *, const char *, const char *)
-+ndr_print_ipv6address: void (struct ndr_print *, const char *, const char *)
-+ndr_print_ndr_syntax_id: void (struct ndr_print *, const char *, const struct ndr_syntax_id *)
-+ndr_print_netr_SamDatabaseID: void (struct ndr_print *, const char *, enum netr_SamDatabaseID)
-+ndr_print_netr_SchannelType: void (struct ndr_print *, const char *, enum netr_SchannelType)
-+ndr_print_null: void (struct ndr_print *)
-+ndr_print_pointer: void (struct ndr_print *, const char *, void *)
-+ndr_print_policy_handle: void (struct ndr_print *, const char *, const struct policy_handle *)
-+ndr_print_printf_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_ptr: void (struct ndr_print *, const char *, const void *)
-+ndr_print_set_switch_value: enum ndr_err_code (struct ndr_print *, const void *, uint32_t)
-+ndr_print_sockaddr_storage: void (struct ndr_print *, const char *, const struct sockaddr_storage *)
-+ndr_print_string: void (struct ndr_print *, const char *, const char *)
-+ndr_print_string_array: void (struct ndr_print *, const char *, const char **)
-+ndr_print_string_helper: void (struct ndr_print *, const char *, ...)
-+ndr_print_struct: void (struct ndr_print *, const char *, const char *)
-+ndr_print_struct_string: char *(TALLOC_CTX *, ndr_print_fn_t, const char *, void *)
-+ndr_print_svcctl_ServerType: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_time_t: void (struct ndr_print *, const char *, time_t)
-+ndr_print_timespec: void (struct ndr_print *, const char *, const struct timespec *)
-+ndr_print_timeval: void (struct ndr_print *, const char *, const struct timeval *)
-+ndr_print_udlong: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_udlongr: void (struct ndr_print *, const char *, uint64_t)
-+ndr_print_uid_t: void (struct ndr_print *, const char *, uid_t)
-+ndr_print_uint16: void (struct ndr_print *, const char *, uint16_t)
-+ndr_print_uint32: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_uint3264: void (struct ndr_print *, const char *, uint32_t)
-+ndr_print_uint8: void (struct ndr_print *, const char *, uint8_t)
-+ndr_print_union: void (struct ndr_print *, const char *, int, const char *)
-+ndr_print_union_debug: void (ndr_print_fn_t, const char *, uint32_t, void *)
-+ndr_print_union_string: char *(TALLOC_CTX *, ndr_print_fn_t, const char *, uint32_t, void *)
-+ndr_print_winreg_Data: void (struct ndr_print *, const char *, const union winreg_Data *)
-+ndr_print_winreg_Type: void (struct ndr_print *, const char *, enum winreg_Type)
-+ndr_pull_DATA_BLOB: enum ndr_err_code (struct ndr_pull *, int, DATA_BLOB *)
-+ndr_pull_GUID: enum ndr_err_code (struct ndr_pull *, int, struct GUID *)
-+ndr_pull_KRB5_EDATA_NTSTATUS: enum ndr_err_code (struct ndr_pull *, int, struct KRB5_EDATA_NTSTATUS *)
-+ndr_pull_NTSTATUS: enum ndr_err_code (struct ndr_pull *, int, NTSTATUS *)
-+ndr_pull_NTTIME: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_NTTIME_1sec: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_NTTIME_hyper: enum ndr_err_code (struct ndr_pull *, int, NTTIME *)
-+ndr_pull_WERROR: enum ndr_err_code (struct ndr_pull *, int, WERROR *)
-+ndr_pull_advance: enum ndr_err_code (struct ndr_pull *, uint32_t)
-+ndr_pull_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_append: enum ndr_err_code (struct ndr_pull *, DATA_BLOB *)
-+ndr_pull_array_length: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_array_size: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_array_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *, uint32_t)
-+ndr_pull_bytes: enum ndr_err_code (struct ndr_pull *, uint8_t *, uint32_t)
-+ndr_pull_charset: enum ndr_err_code (struct ndr_pull *, int, const char **, uint32_t, uint8_t, charset_t)
-+ndr_pull_charset_to_null: enum ndr_err_code (struct ndr_pull *, int, const char **, uint32_t, uint8_t, charset_t)
-+ndr_pull_dlong: enum ndr_err_code (struct ndr_pull *, int, int64_t *)
-+ndr_pull_double: enum ndr_err_code (struct ndr_pull *, int, double *)
-+ndr_pull_enum_uint16: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_enum_uint1632: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_enum_uint32: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_enum_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *)
-+ndr_pull_error: enum ndr_err_code (struct ndr_pull *, enum ndr_err_code, const char *, ...)
-+ndr_pull_generic_ptr: enum ndr_err_code (struct ndr_pull *, uint32_t *)
-+ndr_pull_get_relative_base_offset: uint32_t (struct ndr_pull *)
-+ndr_pull_get_switch_value: uint32_t (struct ndr_pull *, const void *)
-+ndr_pull_gid_t: enum ndr_err_code (struct ndr_pull *, int, gid_t *)
-+ndr_pull_hyper: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_init_blob: struct ndr_pull *(const DATA_BLOB *, TALLOC_CTX *)
-+ndr_pull_int16: enum ndr_err_code (struct ndr_pull *, int, int16_t *)
-+ndr_pull_int32: enum ndr_err_code (struct ndr_pull *, int, int32_t *)
-+ndr_pull_int8: enum ndr_err_code (struct ndr_pull *, int, int8_t *)
-+ndr_pull_ipv4address: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_ipv6address: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_ndr_syntax_id: enum ndr_err_code (struct ndr_pull *, int, struct ndr_syntax_id *)
-+ndr_pull_netr_SamDatabaseID: enum ndr_err_code (struct ndr_pull *, int, enum netr_SamDatabaseID *)
-+ndr_pull_netr_SchannelType: enum ndr_err_code (struct ndr_pull *, int, enum netr_SchannelType *)
-+ndr_pull_pointer: enum ndr_err_code (struct ndr_pull *, int, void **)
-+ndr_pull_policy_handle: enum ndr_err_code (struct ndr_pull *, int, struct policy_handle *)
-+ndr_pull_pop: enum ndr_err_code (struct ndr_pull *)
-+ndr_pull_ref_ptr: enum ndr_err_code (struct ndr_pull *, uint32_t *)
-+ndr_pull_relative_ptr1: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_relative_ptr2: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_relative_ptr_short: enum ndr_err_code (struct ndr_pull *, uint16_t *)
-+ndr_pull_restore_relative_base_offset: void (struct ndr_pull *, uint32_t)
-+ndr_pull_set_switch_value: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_setup_relative_base_offset1: enum ndr_err_code (struct ndr_pull *, const void *, uint32_t)
-+ndr_pull_setup_relative_base_offset2: enum ndr_err_code (struct ndr_pull *, const void *)
-+ndr_pull_string: enum ndr_err_code (struct ndr_pull *, int, const char **)
-+ndr_pull_string_array: enum ndr_err_code (struct ndr_pull *, int, const char ***)
-+ndr_pull_struct_blob: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, ndr_pull_flags_fn_t)
-+ndr_pull_struct_blob_all: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, ndr_pull_flags_fn_t)
-+ndr_pull_subcontext_end: enum ndr_err_code (struct ndr_pull *, struct ndr_pull *, size_t, ssize_t)
-+ndr_pull_subcontext_start: enum ndr_err_code (struct ndr_pull *, struct ndr_pull **, size_t, ssize_t)
-+ndr_pull_svcctl_ServerType: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_time_t: enum ndr_err_code (struct ndr_pull *, int, time_t *)
-+ndr_pull_timespec: enum ndr_err_code (struct ndr_pull *, int, struct timespec *)
-+ndr_pull_timeval: enum ndr_err_code (struct ndr_pull *, int, struct timeval *)
-+ndr_pull_trailer_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_udlong: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_udlongr: enum ndr_err_code (struct ndr_pull *, int, uint64_t *)
-+ndr_pull_uid_t: enum ndr_err_code (struct ndr_pull *, int, uid_t *)
-+ndr_pull_uint16: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_uint1632: enum ndr_err_code (struct ndr_pull *, int, uint16_t *)
-+ndr_pull_uint32: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_uint3264: enum ndr_err_code (struct ndr_pull *, int, uint32_t *)
-+ndr_pull_uint8: enum ndr_err_code (struct ndr_pull *, int, uint8_t *)
-+ndr_pull_union_align: enum ndr_err_code (struct ndr_pull *, size_t)
-+ndr_pull_union_blob: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_pull_flags_fn_t)
-+ndr_pull_union_blob_all: enum ndr_err_code (const DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_pull_flags_fn_t)
-+ndr_pull_winreg_Data: enum ndr_err_code (struct ndr_pull *, int, union winreg_Data *)
-+ndr_pull_winreg_Type: enum ndr_err_code (struct ndr_pull *, int, enum winreg_Type *)
-+ndr_push_DATA_BLOB: enum ndr_err_code (struct ndr_push *, int, DATA_BLOB)
-+ndr_push_GUID: enum ndr_err_code (struct ndr_push *, int, const struct GUID *)
-+ndr_push_KRB5_EDATA_NTSTATUS: enum ndr_err_code (struct ndr_push *, int, const struct KRB5_EDATA_NTSTATUS *)
-+ndr_push_NTSTATUS: enum ndr_err_code (struct ndr_push *, int, NTSTATUS)
-+ndr_push_NTTIME: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_NTTIME_1sec: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_NTTIME_hyper: enum ndr_err_code (struct ndr_push *, int, NTTIME)
-+ndr_push_WERROR: enum ndr_err_code (struct ndr_push *, int, WERROR)
-+ndr_push_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_array_uint8: enum ndr_err_code (struct ndr_push *, int, const uint8_t *, uint32_t)
-+ndr_push_blob: DATA_BLOB (struct ndr_push *)
-+ndr_push_bytes: enum ndr_err_code (struct ndr_push *, const uint8_t *, uint32_t)
-+ndr_push_charset: enum ndr_err_code (struct ndr_push *, int, const char *, uint32_t, uint8_t, charset_t)
-+ndr_push_dlong: enum ndr_err_code (struct ndr_push *, int, int64_t)
-+ndr_push_double: enum ndr_err_code (struct ndr_push *, int, double)
-+ndr_push_enum_uint16: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_enum_uint1632: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_enum_uint32: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_enum_uint8: enum ndr_err_code (struct ndr_push *, int, uint8_t)
-+ndr_push_error: enum ndr_err_code (struct ndr_push *, enum ndr_err_code, const char *, ...)
-+ndr_push_expand: enum ndr_err_code (struct ndr_push *, uint32_t)
-+ndr_push_full_ptr: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_get_relative_base_offset: uint32_t (struct ndr_push *)
-+ndr_push_get_switch_value: uint32_t (struct ndr_push *, const void *)
-+ndr_push_gid_t: enum ndr_err_code (struct ndr_push *, int, gid_t)
-+ndr_push_hyper: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_init_ctx: struct ndr_push *(TALLOC_CTX *)
-+ndr_push_int16: enum ndr_err_code (struct ndr_push *, int, int16_t)
-+ndr_push_int32: enum ndr_err_code (struct ndr_push *, int, int32_t)
-+ndr_push_int8: enum ndr_err_code (struct ndr_push *, int, int8_t)
-+ndr_push_ipv4address: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_ipv6address: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_ndr_syntax_id: enum ndr_err_code (struct ndr_push *, int, const struct ndr_syntax_id *)
-+ndr_push_netr_SamDatabaseID: enum ndr_err_code (struct ndr_push *, int, enum netr_SamDatabaseID)
-+ndr_push_netr_SchannelType: enum ndr_err_code (struct ndr_push *, int, enum netr_SchannelType)
-+ndr_push_pipe_chunk_trailer: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_pointer: enum ndr_err_code (struct ndr_push *, int, void *)
-+ndr_push_policy_handle: enum ndr_err_code (struct ndr_push *, int, const struct policy_handle *)
-+ndr_push_ref_ptr: enum ndr_err_code (struct ndr_push *)
-+ndr_push_relative_ptr1: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_relative_ptr2_end: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_relative_ptr2_start: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_restore_relative_base_offset: void (struct ndr_push *, uint32_t)
-+ndr_push_set_switch_value: enum ndr_err_code (struct ndr_push *, const void *, uint32_t)
-+ndr_push_setup_relative_base_offset1: enum ndr_err_code (struct ndr_push *, const void *, uint32_t)
-+ndr_push_setup_relative_base_offset2: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_short_relative_ptr1: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_short_relative_ptr2: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_string: enum ndr_err_code (struct ndr_push *, int, const char *)
-+ndr_push_string_array: enum ndr_err_code (struct ndr_push *, int, const char **)
-+ndr_push_struct_blob: enum ndr_err_code (DATA_BLOB *, TALLOC_CTX *, const void *, ndr_push_flags_fn_t)
-+ndr_push_subcontext_end: enum ndr_err_code (struct ndr_push *, struct ndr_push *, size_t, ssize_t)
-+ndr_push_subcontext_start: enum ndr_err_code (struct ndr_push *, struct ndr_push **, size_t, ssize_t)
-+ndr_push_svcctl_ServerType: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_time_t: enum ndr_err_code (struct ndr_push *, int, time_t)
-+ndr_push_timespec: enum ndr_err_code (struct ndr_push *, int, const struct timespec *)
-+ndr_push_timeval: enum ndr_err_code (struct ndr_push *, int, const struct timeval *)
-+ndr_push_trailer_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_udlong: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_udlongr: enum ndr_err_code (struct ndr_push *, int, uint64_t)
-+ndr_push_uid_t: enum ndr_err_code (struct ndr_push *, int, uid_t)
-+ndr_push_uint16: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_uint1632: enum ndr_err_code (struct ndr_push *, int, uint16_t)
-+ndr_push_uint32: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_uint3264: enum ndr_err_code (struct ndr_push *, int, uint32_t)
-+ndr_push_uint8: enum ndr_err_code (struct ndr_push *, int, uint8_t)
-+ndr_push_union_align: enum ndr_err_code (struct ndr_push *, size_t)
-+ndr_push_union_blob: enum ndr_err_code (DATA_BLOB *, TALLOC_CTX *, void *, uint32_t, ndr_push_flags_fn_t)
-+ndr_push_unique_ptr: enum ndr_err_code (struct ndr_push *, const void *)
-+ndr_push_winreg_Data: enum ndr_err_code (struct ndr_push *, int, const union winreg_Data *)
-+ndr_push_winreg_Type: enum ndr_err_code (struct ndr_push *, int, enum winreg_Type)
-+ndr_push_zero: enum ndr_err_code (struct ndr_push *, uint32_t)
-+ndr_set_flags: void (uint32_t *, uint32_t)
-+ndr_size_DATA_BLOB: uint32_t (int, const DATA_BLOB *, int)
-+ndr_size_GUID: size_t (const struct GUID *, int)
-+ndr_size_string: uint32_t (int, const char * const *, int)
-+ndr_size_string_array: size_t (const char **, uint32_t, int)
-+ndr_size_struct: size_t (const void *, int, ndr_push_flags_fn_t)
-+ndr_size_union: size_t (const void *, int, uint32_t, ndr_push_flags_fn_t)
-+ndr_string_array_size: size_t (struct ndr_push *, const char *)
-+ndr_string_length: uint32_t (const void *, uint32_t)
-+ndr_syntax_id_equal: bool (const struct ndr_syntax_id *, const struct ndr_syntax_id *)
-+ndr_syntax_id_from_string: bool (const char *, struct ndr_syntax_id *)
-+ndr_syntax_id_null: uuid = {time_low = 0, time_mid = 0, time_hi_and_version = 0, clock_seq = "\000", node = "\000\000\000\000\000"}, if_version = 0
-+ndr_syntax_id_to_string: char *(TALLOC_CTX *, const struct ndr_syntax_id *)
-+ndr_token_peek: uint32_t (struct ndr_token_list **, const void *)
-+ndr_token_retrieve: enum ndr_err_code (struct ndr_token_list **, const void *, uint32_t *)
-+ndr_token_retrieve_cmp_fn: enum ndr_err_code (struct ndr_token_list **, const void *, uint32_t *, comparison_fn_t, bool)
-+ndr_token_store: enum ndr_err_code (TALLOC_CTX *, struct ndr_token_list **, const void *, uint32_t)
-+ndr_transfer_syntax_ndr: uuid = {time_low = 2324192516, time_mid = 7403, time_hi_and_version = 4553, clock_seq = "\237\350", node = "\b\000+\020H`"}, if_version = 2
-+ndr_transfer_syntax_ndr64: uuid = {time_low = 1903232307, time_mid = 48826, time_hi_and_version = 18743, clock_seq = "\203\031", node = "\265\333\357\234\314\066"}, if_version = 1
-Index: samba-3.6.23/librpc/ndr/ndr_misc.c
-===================================================================
---- samba-3.6.23.orig/librpc/ndr/ndr_misc.c
-+++ samba-3.6.23/librpc/ndr/ndr_misc.c
-@@ -35,3 +35,50 @@ bool ndr_syntax_id_equal(const struct nd
- 	return GUID_equal(&i1->uuid, &i2->uuid)
- 		&& (i1->if_version == i2->if_version);
- }
-+
-+_PUBLIC_ char *ndr_syntax_id_to_string(TALLOC_CTX *mem_ctx, const struct ndr_syntax_id *id)
-+{
-+	return talloc_asprintf(mem_ctx,
-+			       "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x/0x%08x",
-+			       id->uuid.time_low, id->uuid.time_mid,
-+			       id->uuid.time_hi_and_version,
-+			       id->uuid.clock_seq[0],
-+			       id->uuid.clock_seq[1],
-+			       id->uuid.node[0], id->uuid.node[1],
-+			       id->uuid.node[2], id->uuid.node[3],
-+			       id->uuid.node[4], id->uuid.node[5],
-+			       (unsigned)id->if_version);
-+}
-+
-+_PUBLIC_ bool ndr_syntax_id_from_string(const char *s, struct ndr_syntax_id *id)
-+{
-+	int ret;
-+	size_t i;
-+	uint32_t time_low;
-+	uint32_t time_mid, time_hi_and_version;
-+	uint32_t clock_seq[2];
-+	uint32_t node[6];
-+	uint32_t if_version;
-+
-+	ret = sscanf(s,
-+		     "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x/0x%08x",
-+		     &time_low, &time_mid, &time_hi_and_version,
-+		     &clock_seq[0], &clock_seq[1],
-+		     &node[0], &node[1], &node[2], &node[3], &node[4], &node[5],
-+		     &if_version);
-+	if (ret != 12) {
-+		return false;
-+	}
-+
-+	id->uuid.time_low = time_low;
-+	id->uuid.time_mid = time_mid;
-+	id->uuid.time_hi_and_version = time_hi_and_version;
-+	id->uuid.clock_seq[0] = clock_seq[0];
-+	id->uuid.clock_seq[1] = clock_seq[1];
-+	for (i=0; i<6; i++) {
-+		id->uuid.node[i] = node[i];
-+	}
-+	id->if_version = if_version;
-+
-+	return true;
-+}
-Index: samba-3.6.23/librpc/rpc/dcerpc_util.c
-===================================================================
---- samba-3.6.23.orig/librpc/rpc/dcerpc_util.c
-+++ samba-3.6.23/librpc/rpc/dcerpc_util.c
-@@ -27,6 +27,7 @@
- #include "librpc/rpc/dcerpc.h"
- #include "librpc/gen_ndr/ndr_dcerpc.h"
- #include "rpc_common.h"
-+#include "lib/util/bitmap.h"
- 
- /* we need to be able to get/set the fragment length without doing a full
-    decode */
-@@ -341,3 +342,194 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(s
- 	tevent_req_received(req);
- 	return NT_STATUS_OK;
- }
-+
-+struct dcerpc_sec_vt_header2 dcerpc_sec_vt_header2_from_ncacn_packet(const struct ncacn_packet *pkt)
-+{
-+	struct dcerpc_sec_vt_header2 ret;
-+
-+	ZERO_STRUCT(ret);
-+	ret.ptype = pkt->ptype;
-+	memcpy(&ret.drep, pkt->drep, sizeof(ret.drep));
-+	ret.call_id = pkt->call_id;
-+
-+	switch (pkt->ptype) {
-+	case DCERPC_PKT_REQUEST:
-+		ret.context_id = pkt->u.request.context_id;
-+		ret.opnum      = pkt->u.request.opnum;
-+		break;
-+
-+	case DCERPC_PKT_RESPONSE:
-+		ret.context_id = pkt->u.response.context_id;
-+		break;
-+
-+	case DCERPC_PKT_FAULT:
-+		ret.context_id = pkt->u.fault.context_id;
-+		break;
-+
-+	default:
-+		break;
-+	}
-+
-+	return ret;
-+}
-+
-+bool dcerpc_sec_vt_header2_equal(const struct dcerpc_sec_vt_header2 *v1,
-+				 const struct dcerpc_sec_vt_header2 *v2)
-+{
-+	if (v1->ptype != v2->ptype) {
-+		return false;
-+	}
-+
-+	if (memcmp(v1->drep, v2->drep, sizeof(v1->drep)) != 0) {
-+		return false;
-+	}
-+
-+	if (v1->call_id != v2->call_id) {
-+		return false;
-+	}
-+
-+	if (v1->context_id != v2->context_id) {
-+		return false;
-+	}
-+
-+	if (v1->opnum != v2->opnum) {
-+		return false;
-+	}
-+
-+	return true;
-+}
-+
-+static bool dcerpc_sec_vt_is_valid(const struct dcerpc_sec_verification_trailer *r)
-+{
-+	bool ret = false;
-+	TALLOC_CTX *frame = talloc_stackframe();
-+	struct bitmap *commands_seen;
-+	int i;
-+
-+	if (r->count.count == 0) {
-+		ret = true;
-+		goto done;
-+	}
-+
-+	if (memcmp(r->magic, DCERPC_SEC_VT_MAGIC, sizeof(r->magic)) != 0) {
-+		goto done;
-+	}
-+
-+	commands_seen = bitmap_talloc(frame, DCERPC_SEC_VT_COMMAND_ENUM + 1);
-+	if (commands_seen == NULL) {
-+		goto done;
-+	}
-+
-+	for (i=0; i < r->count.count; i++) {
-+		enum dcerpc_sec_vt_command_enum cmd =
-+			r->commands[i].command & DCERPC_SEC_VT_COMMAND_ENUM;
-+
-+		if (bitmap_query(commands_seen, cmd)) {
-+			/* Each command must appear at most once. */
-+			goto done;
-+		}
-+		bitmap_set(commands_seen, cmd);
-+
-+		switch (cmd) {
-+		case DCERPC_SEC_VT_COMMAND_BITMASK1:
-+		case DCERPC_SEC_VT_COMMAND_PCONTEXT:
-+		case DCERPC_SEC_VT_COMMAND_HEADER2:
-+			break;
-+		default:
-+			if ((r->commands[i].u._unknown.length % 4) != 0) {
-+				goto done;
-+			}
-+			break;
-+		}
-+	}
-+	ret = true;
-+done:
-+	TALLOC_FREE(frame);
-+	return ret;
-+}
-+
-+#define CHECK(msg, ok)						\
-+do {								\
-+	if (!ok) {						\
-+		DEBUG(10, ("SEC_VT check %s failed\n", msg));	\
-+		return false;					\
-+	}							\
-+} while(0)
-+
-+#define CHECK_SYNTAX(msg, s1, s2)					\
-+do {								\
-+	if (!ndr_syntax_id_equal(&s1, &s2)) {				\
-+		TALLOC_CTX *frame = talloc_stackframe();		\
-+		DEBUG(10, ("SEC_VT check %s failed: %s vs. %s\n", msg,	\
-+			   ndr_syntax_id_to_string(frame, &s1),		\
-+			   ndr_syntax_id_to_string(frame, &s1)));	\
-+		TALLOC_FREE(frame);					\
-+		return false;						\
-+	}								\
-+} while(0)
-+
-+
-+bool dcerpc_sec_verification_trailer_check(
-+		const struct dcerpc_sec_verification_trailer *vt,
-+		const uint32_t *bitmask1,
-+		const struct dcerpc_sec_vt_pcontext *pcontext,
-+		const struct dcerpc_sec_vt_header2 *header2)
-+{
-+	size_t i;
-+
-+	if (!dcerpc_sec_vt_is_valid(vt)) {
-+		return false;
-+	}
-+
-+	for (i=0; i < vt->count.count; i++) {
-+		struct dcerpc_sec_vt *c = &vt->commands[i];
-+
-+		switch (c->command & DCERPC_SEC_VT_COMMAND_ENUM) {
-+		case DCERPC_SEC_VT_COMMAND_BITMASK1:
-+			if (bitmask1 == NULL) {
-+				CHECK("Bitmask1 must_process_command",
-+				      !(c->command & DCERPC_SEC_VT_MUST_PROCESS));
-+				break;
-+			}
-+
-+			if (c->u.bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING) {
-+				CHECK("Bitmask1 client_header_signing",
-+				      *bitmask1 & DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING);
-+			}
-+			break;
-+
-+		case DCERPC_SEC_VT_COMMAND_PCONTEXT:
-+			if (pcontext == NULL) {
-+				CHECK("Pcontext must_process_command",
-+				      !(c->command & DCERPC_SEC_VT_MUST_PROCESS));
-+				break;
-+			}
-+
-+			CHECK_SYNTAX("Pcontect abstract_syntax",
-+				     pcontext->abstract_syntax,
-+				     c->u.pcontext.abstract_syntax);
-+			CHECK_SYNTAX("Pcontext transfer_syntax",
-+				     pcontext->transfer_syntax,
-+				     c->u.pcontext.transfer_syntax);
-+			break;
-+
-+		case DCERPC_SEC_VT_COMMAND_HEADER2: {
-+			if (header2 == NULL) {
-+				CHECK("Header2 must_process_command",
-+				      !(c->command & DCERPC_SEC_VT_MUST_PROCESS));
-+				break;
-+			}
-+
-+			CHECK("Header2", dcerpc_sec_vt_header2_equal(header2, &c->u.header2));
-+			break;
-+		}
-+
-+		default:
-+			CHECK("Unknown must_process_command",
-+			      !(c->command & DCERPC_SEC_VT_MUST_PROCESS));
-+			break;
-+		}
-+	}
-+
-+	return true;
-+}