author | Gerald Carter <jerry@samba.org> | 2006-02-03 22:19:41 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:06:23 -0500 |
commit | 0af1500fc0bafe61019f1b2ab1d9e1d369221240 (patch) | |
tree | 653fc2533795458d5f9696402285d9f14e527a21 /source3/libsmb | |
parent | 21a30a1346c9f9a25659a0cea0d276d8c2e6ddca (diff) | |
r13316: Let the carnage begin....
Sync with trunk as of r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/cliconnect.c | 2 | ||||
-rw-r--r-- | source3/libsmb/clidfs.c | 22 | ||||
-rw-r--r-- | source3/libsmb/clientgen.c | 8 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 171 | ||||
-rw-r--r-- | source3/libsmb/clilist.c | 6 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 2 | ||||
-rw-r--r-- | source3/libsmb/conncache.c | 36 | ||||
-rw-r--r-- | source3/libsmb/errormap.c | 15 | ||||
-rw-r--r-- | source3/libsmb/gpo.c | 167 | ||||
-rw-r--r-- | source3/libsmb/libsmbclient.c | 13 | ||||
-rw-r--r-- | source3/libsmb/passchange.c | 40 |
11 files changed, 418 insertions, 64 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7c15c8d19f..6f32fb1b5d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -756,7 +756,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0); if (ret){ SAFE_FREE(principal); diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index 51f21397f7..c5cf75783b 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c @@ -682,12 +682,15 @@ BOOL cli_check_msdfs_proxy( struct cli_state *cli, const char *sharename, CLIENT_DFS_REFERRAL *refs = NULL; size_t num_refs; uint16 consumed; - struct cli_state *cli_ipc; pstring fullpath; + BOOL res; + uint16 cnum; if ( !cli || !sharename ) return False; + cnum = cli->cnum; + /* special case. never check for a referral on the IPC$ share */ if ( strequal( sharename, "IPC$" ) ) @@ -699,12 +702,19 @@ BOOL cli_check_msdfs_proxy( struct cli_state *cli, const char *sharename, /* check for the referral */ - if ( !(cli_ipc = cli_cm_open( cli->desthost, "IPC$", False )) ) + if (!cli_send_tconX(cli, "IPC$", "IPC", NULL, 0)) { return False; - - if ( !cli_dfs_get_referral(cli_ipc, fullpath, &refs, &num_refs, &consumed) - || !num_refs ) - { + } + + res = cli_dfs_get_referral(cli, fullpath, &refs, &num_refs, &consumed); + + if (!cli_tdis(cli)) { + return False; + } + + cli->cnum = cnum; + + if (!res || !num_refs ) { return False; } diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index 2f980adcf8..55addd44a6 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c 
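Review bot: In cli_check_msdfs_proxy the new `if (!cli_tdis(cli)) { return False; }` path returns before `cli->cnum = cnum;` runs, so after a failed tree disconnect the caller's cli_state appears to be left with the IPC$ tree id instead of the share it was using. The saved id should be restored on that exit as well: `if (!cli_tdis(cli)) { cli->cnum = cnum; return False; }`. Whether cli_send_tconX() modifies cli->cnum when it fails is not visible here, so the first early return may need the same treatment. The function body continues outside the hunk.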
@@ -353,11 +353,14 @@ struct cli_state *cli_initialise(struct cli_state *cli) /**************************************************************************** External interface. Close an open named pipe over SMB. Free any authentication data. + Returns False if the cli_close call failed. ****************************************************************************/ -void cli_rpc_pipe_close(struct rpc_pipe_client *cli) +BOOL cli_rpc_pipe_close(struct rpc_pipe_client *cli) { - if (!cli_close(cli->cli, cli->fnum)) { + BOOL ret = cli_close(cli->cli, cli->fnum); + + if (!ret) { DEBUG(0,("cli_rpc_pipe_close: cli_close failed on pipe %s, " "fnum 0x%x " "to machine %s. Error was %s\n", @@ -376,6 +379,7 @@ void cli_rpc_pipe_close(struct rpc_pipe_client *cli) DLIST_REMOVE(cli->cli->pipe_list, cli); talloc_destroy(cli->mem_ctx); + return ret; } /**************************************************************************** diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e0dcefeb1d..55a705d7f0 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -409,9 +409,10 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, krb5_creds *credsp) { krb5_error_code retval; + const char *cc_type = krb5_cc_get_type(context, ccache); - DEBUG(3, ("Ticket in ccache[%s] expiration %s\n", - krb5_cc_default_name(context), + DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n", + cc_type, krb5_cc_get_name(context, ccache), http_timestring(credsp->times.endtime))); /* we will probably need new tickets if the current ones 
@@ -425,11 +426,11 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, use memory ccaches, and a FILE one probably means that we're using creds obtained outside of our exectuable */ - if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) { - DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n")); + if (strequal(cc_type, "KCM") || strequal(cc_type, "FILE")) { + DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type)); return False; } - + retval = krb5_cc_remove_cred(context, ccache, 0, credsp); if (retval) { DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n", @@ -467,7 +468,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, /* obtain ticket & session key */ ZERO_STRUCT(creds); if ((retval = krb5_copy_principal(context, server, &creds.server))) { - DEBUG(1,("krb5_copy_principal failed (%s)\n", + DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n", error_message(retval))); goto cleanup_princ; } @@ -502,8 +503,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, i++; } - DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n", - principal, krb5_cc_default_name(context), + DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n", + principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache), http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); @@ -530,7 +531,8 @@ cleanup_princ: get a kerberos5 ticket for the given service */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, + uint32 extra_ap_opts, const char *ccname) { krb5_error_code retval; krb5_data packet; 
@@ -544,7 +546,7 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC, ENCTYPE_NULL}; - + initialize_krb5_error_table(); retval = krb5_init_context(&context); if (retval) { @@ -557,7 +559,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, krb5_set_real_time(context, time(NULL) + time_offset, 0); } - if ((retval = krb5_cc_default(context, &ccdef))) { + if ((retval = krb5_cc_resolve(context, ccname ? + ccname : krb5_cc_default_name(context), &ccdef))) { DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n", error_message(retval))); goto failed; 
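Review bot: The failure message under the new krb5_cc_resolve() call in cli_krb5_get_ticket still reads "krb5_cc_default failed", which will mislead anyone diagnosing a bad `ccname`. Suggest `DEBUG(1,("cli_krb5_get_ticket: krb5_cc_resolve failed (%s)\n", error_message(retval)));`. The one-line header comment above the function (hunk at -530) should also state that a NULL `ccname` selects the default credential cache. The function body starts and ends outside this hunk.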
@@ -991,10 +994,154 @@ out: #endif } + krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */ + const char *client_string, /* gd@BER.SUSE.DE */ + const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */ + time_t *new_start_time) +{ + krb5_error_code ret; + krb5_context context = NULL; + krb5_ccache ccache = NULL; + krb5_principal client = NULL; + + initialize_krb5_error_table(); + ret = krb5_init_context(&context); + if (ret) { + goto done; + } + + if (!ccache_string) { + ccache_string = krb5_cc_default_name(context); + } + + DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); + + /* FIXME: we should not fall back to defaults */ + ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache); + if (ret) { + goto done; + } + +#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */ + { + krb5_creds creds; + + if (client_string) { + ret = krb5_parse_name(context, client_string, &client); + if (ret) { + goto done; + } + } else { + ret = krb5_cc_get_principal(context, ccache, &client); + if (ret) { + goto done; + } + } + + ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); + if (ret) { + DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); + goto done; + } + + /* hm, doesn't that create a new one if the old one wasn't there? 
- Guenther */ + ret = krb5_cc_initialize(context, ccache, client); + if (ret) { + goto done; + } + + ret = krb5_cc_store_cred(context, ccache, &creds); + + if (new_start_time) { + *new_start_time = (time_t) creds.times.renew_till; + } + + krb5_free_cred_contents(context, &creds); + } +#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */ + { + krb5_kdc_flags flags; + krb5_creds creds_in; + krb5_realm *client_realm; + krb5_creds *creds; + + memset(&creds_in, 0, sizeof(creds_in)); + + if (client_string) { + ret = krb5_parse_name(context, client_string, &creds_in.client); + if (ret) { + goto done; + } + } else { + ret = krb5_cc_get_principal(context, ccache, &creds_in.client); + if (ret) { + goto done; + } + } + + if (service_string) { + ret = krb5_parse_name(context, service_string, &creds_in.server); + if (ret) { + goto done; + } + } else { + /* build tgt service by default */ + client_realm = krb5_princ_realm(context, client); + ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL); + if (ret) { + goto done; + } + } + + flags.i = 0; + flags.b.renewable = flags.b.renew = True; + + ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds); + if (ret) { + DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); + goto done; + } + + /* hm, doesn't that create a new one if the old one wasn't there? 
- Guenther */ + ret = krb5_cc_initialize(context, ccache, creds_in.client); + if (ret) { + goto done; + } + + ret = krb5_cc_store_cred(context, ccache, creds); + + if (new_start_time) { + *new_start_time = (time_t) creds->times.renew_till; + } + + krb5_free_cred_contents(context, &creds_in); + krb5_free_creds(context, creds); + } +#else +#error No suitable krb5 ticket renew function available +#endif + + +done: + if (client) { + krb5_free_principal(context, client); + } + if (context) { + krb5_free_context(context); + } + if (ccache) { + krb5_cc_close(context, ccache); + } + + return ret; + +} + #else /* HAVE_KRB5 */ /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, + const char *ccname) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c index 48780e28df..252dafcfa8 100644 --- a/source3/libsmb/clilist.c +++ b/source3/libsmb/clilist.c @@ -169,7 +169,11 @@ static size_t interpret_long_filename(struct cli_state *cli, int level,char *p,f int cli_list_new(struct cli_state *cli,const char *Mask,uint16 attribute, void (*fn)(const char *, file_info *, const char *, void *), void *state) { - int max_matches = 1366; +#if 1 + int max_matches = 1366; /* Match W2k - was 512. */ +#else + int max_matches = 512; +#endif int info_level; char *p, *p2; pstring mask; diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index cc481a066a..13bf1a866c 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c 
@@ -333,7 +333,7 @@ int spnego_gen_negTokenTarg(const char *principal, int time_offset, /* get a kerberos ticket for the service and extract the session key */ retval = cli_krb5_get_ticket(principal, time_offset, - &tkt, session_key_krb5, extra_ap_opts); + &tkt, session_key_krb5, extra_ap_opts, NULL); if (retval) return retval; diff --git a/source3/libsmb/conncache.c b/source3/libsmb/conncache.c index 2af4d57b80..49512d7a2e 100644 --- a/source3/libsmb/conncache.c +++ b/source3/libsmb/conncache.c @@ -25,8 +25,6 @@ #include "includes.h" -#define FAILED_CONNECTION_CACHE_TIMEOUT 30 /* Seconds between attempts */ - #define CONNCACHE_ADDR 1 #define CONNCACHE_NAME 2 @@ -44,10 +42,13 @@ struct failed_connection_cache { static struct failed_connection_cache *failed_connection_cache; /********************************************************************** - Check for a previously failed connection + Check for a previously failed connection. + failed_cache_timeout is an a absolute number of seconds after which + we should time this out. If failed_cache_timeout == 0 then time out + immediately. If failed_cache_timeout == -1 then never time out. **********************************************************************/ -NTSTATUS check_negative_conn_cache( const char *domain, const char *server ) +NTSTATUS check_negative_conn_cache_timeout( const char *domain, const char *server, unsigned int failed_cache_timeout ) { struct failed_connection_cache *fcc; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; 
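Review bot: The new header comment for check_negative_conn_cache_timeout documents `failed_cache_timeout == -1` as "never time out", but the parameter is declared `unsigned int`, so callers depend on the implicit conversion of -1 and the body in the next hunk has to spell it `(unsigned int)-1`. The comment should say so explicitly, for example `pass (unsigned int)-1 to never expire an entry, 0 to expire it immediately`, and "an a absolute number" should read "an absolute number". The function body continues outside this hunk.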
@@ -59,22 +60,24 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server ) for (fcc = failed_connection_cache; fcc; fcc = fcc->next) { - if ( !(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller)) ) + if (!(strequal(domain, fcc->domain_name) && strequal(server, fcc->controller))) { continue; /* no match; check the next entry */ + } /* we have a match so see if it is still current */ + if (failed_cache_timeout != (unsigned int)-1) { + if (failed_cache_timeout == 0 || + (time(NULL) - fcc->lookup_time) > (time_t)failed_cache_timeout) { + /* Cache entry has expired, delete it */ - if ((time(NULL) - fcc->lookup_time) > FAILED_CONNECTION_CACHE_TIMEOUT) - { - /* Cache entry has expired, delete it */ - - DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n", - domain, server )); + DEBUG(10, ("check_negative_conn_cache: cache entry expired for %s, %s\n", + domain, server )); - DLIST_REMOVE(failed_connection_cache, fcc); - SAFE_FREE(fcc); + DLIST_REMOVE(failed_connection_cache, fcc); + SAFE_FREE(fcc); - return NT_STATUS_OK; + return NT_STATUS_OK; + } } /* The timeout hasn't expired yet so return false */ @@ -90,6 +93,11 @@ NTSTATUS check_negative_conn_cache( const char *domain, const char *server ) return NT_STATUS_OK; } +NTSTATUS check_negative_conn_cache( const char *domain, const char *server) +{ + return check_negative_conn_cache_timeout(domain, server, FAILED_CONNECTION_CACHE_TIMEOUT); +} + /********************************************************************** Add an entry to the failed conneciton cache (aither a name of dotted decimal IP diff --git a/source3/libsmb/errormap.c b/source3/libsmb/errormap.c index 3c0b13ad6f..f6b5af068a 100644 --- a/source3/libsmb/errormap.c +++ b/source3/libsmb/errormap.c 
@@ -1411,6 +1411,13 @@ static const struct { {NT_STATUS(0x80000289), W_ERROR(0x48e)}, {NT_STATUS_OK, WERR_OK}}; +static const struct { + WERROR werror; + NTSTATUS ntstatus; +} werror_to_ntstatus_map[] = { + { W_ERROR(0x5), NT_STATUS_ACCESS_DENIED }, + { WERR_OK, NT_STATUS_OK } +}; /***************************************************************************** convert a dos eclas/ecode to a NT status32 code @@ -1460,6 +1467,14 @@ NTSTATUS werror_to_ntstatus(WERROR error) { int i; if (W_ERROR_IS_OK(error)) return NT_STATUS_OK; + + for (i=0; !W_ERROR_IS_OK(werror_to_ntstatus_map[i].werror); i++) { + if (W_ERROR_V(error) == + W_ERROR_V(werror_to_ntstatus_map[i].werror)) { + return werror_to_ntstatus_map[i].ntstatus; + } + } + for (i=0; NT_STATUS_V(ntstatus_to_werror_map[i].ntstatus); i++) { if (W_ERROR_V(error) == W_ERROR_V(ntstatus_to_werror_map[i].werror)) { diff --git a/source3/libsmb/gpo.c b/source3/libsmb/gpo.c new file mode 100644 index 0000000000..0257138ece --- /dev/null +++ b/source3/libsmb/gpo.c 
@@ -0,0 +1,167 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#define GPT_INI_SECTION_GENERAL "General" +#define GPT_INI_PARAMETER_VERSION "Version" +#define GPT_INI_PARAMETER_DISPLAYNAME "displayName" + +struct gpt_ini { + uint32 version; + const char *display_name; +}; + +static uint32 version; + +static BOOL do_section(const char *section) +{ + DEBUG(10,("do_section: %s\n", section)); + + return True; +} + +static BOOL do_parameter(const char *parameter, const char *value) +{ + DEBUG(10,("do_parameter: %s, %s\n", parameter, value)); + + if (strequal(parameter, GPT_INI_PARAMETER_VERSION)) { + version = atoi(value); + } + return True; +} + +NTSTATUS ads_gpo_get_sysvol_gpt_version(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *filesyspath, + uint32 *sysvol_version) +{ + NTSTATUS status; + const char *path; + struct cli_state *cli; + int fnum; + fstring tok; + static int io_bufsize = 64512; + int read_size = io_bufsize; + char *data = NULL; + off_t start = 0; + off_t nread = 0; + int handle = 0; + const char *local_file; + + *sysvol_version = 0; + + next_token(&filesyspath, tok, "\\", sizeof(tok)); + next_token(&filesyspath, tok, "\\", sizeof(tok)); + + path = 
talloc_asprintf(mem_ctx, "\\%s\\gpt.ini", filesyspath); + if (path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + local_file = talloc_asprintf(mem_ctx, "%s/%s", lock_path("gpo_cache"), "gpt.ini"); + if (local_file == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* FIXME: walk down the dfs tree instead */ + status = cli_full_connection(&cli, global_myname(), + ads->config.ldap_server_name, + NULL, 0, + "SYSVOL", "A:", + ads->auth.user_name, NULL, ads->auth.password, + CLI_FULL_CONNECTION_USE_KERBEROS, + Undefined, NULL); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + fnum = cli_open(cli, path, O_RDONLY, DENY_NONE); + if (fnum == -1) { + return NT_STATUS_NO_SUCH_FILE; + } + + + data = (char *)SMB_MALLOC(read_size); + if (data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + handle = sys_open(local_file, O_WRONLY|O_CREAT|O_TRUNC, 0644); + + if (handle == -1) { + return NT_STATUS_NO_SUCH_FILE; + } + + while (1) { + + int n = cli_read(cli, fnum, data, nread + start, read_size); + + if (n <= 0) + break; + + if (write(handle, data, n) != n) { + break; + } + + nread += n; + } + + cli_close(cli, fnum); + + if (!pm_process(local_file, do_section, do_parameter)) { + return NT_STATUS_INVALID_PARAMETER; + } + + *sysvol_version = version; + + SAFE_FREE(data); + + cli_shutdown(cli); + + return NT_STATUS_OK; +} + +/* + +perfectly parseable with pm_process() :)) + +[Unicode] +Unicode=yes +[System Access] +MinimumPasswordAge = 1 +MaximumPasswordAge = 42 +MinimumPasswordLength = 7 +PasswordComplexity = 1 +PasswordHistorySize = 24 +LockoutBadCount = 0 +RequireLogonToChangePassword = 0 +ForceLogoffWhenHourExpire = 0 +ClearTextPassword = 0 +[Kerberos Policy] +MaxTicketAge = 10 +MaxRenewAge = 7 +MaxServiceAge = 600 +MaxClockSkew = 5 +TicketValidateClient = 1 +[Version] +signature="$CHICAGO$" +Revision=1 +*/ diff --git a/source3/libsmb/libsmbclient.c b/source3/libsmb/libsmbclient.c index 44cb43c285..03dbd71e93 100644 --- a/source3/libsmb/libsmbclient.c 
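Review bot: ads_gpo_get_sysvol_gpt_version returns the file-scope `version`, which do_parameter assigns only when the downloaded gpt.ini contains a Version key, so a file without one hands back whatever an earlier call parsed; it should be reset before pm_process() runs. Every early return after cli_full_connection() leaks the connection (and later `data`), and `handle` is never closed. The copy loop treats a cli_read() error or a short write() as end of file, so a truncated copy is parsed as if it were complete, and the value comes from server-supplied text through atoi() with no validation. The local copy is written to one fixed name under lock_path("gpo_cache") with O_CREAT|O_TRUNC, so all GPOs share the file and an existing symlink at that path would be followed. The sketch below covers only the cleanup, the error propagation and the reset.

```c
	int fnum = -1;
	int handle = -1;
	/* … unchanged: other declarations, path setup, cli_full_connection … */

	fnum = cli_open(cli, path, O_RDONLY, DENY_NONE);
	if (fnum == -1) {
		status = NT_STATUS_NO_SUCH_FILE;
		goto done;
	}

	data = (char *)SMB_MALLOC(read_size);
	if (data == NULL) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	handle = sys_open(local_file, O_WRONLY|O_CREAT|O_TRUNC, 0644);
	if (handle == -1) {
		status = NT_STATUS_NO_SUCH_FILE;
		goto done;
	}

	status = NT_STATUS_OK;
	while (1) {
		int n = cli_read(cli, fnum, data, nread + start, read_size);

		if (n == 0)
			break;

		/* a read error or short write means the local copy is incomplete */
		if (n < 0 || write(handle, data, n) != n) {
			status = NT_STATUS_UNSUCCESSFUL;
			break;
		}

		nread += n;
	}

	close(handle);
	handle = -1;

	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* do not report a value left over from a previous call */
	version = 0;

	if (!pm_process(local_file, do_section, do_parameter)) {
		status = NT_STATUS_INVALID_PARAMETER;
		goto done;
	}

	*sysvol_version = version;

done:
	if (handle != -1) {
		close(handle);
	}
	if (fnum != -1) {
		cli_close(cli, fnum);
	}
	SAFE_FREE(data);
	cli_shutdown(cli);

	return status;
```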
+++ b/source3/libsmb/libsmbclient.c @@ -3734,7 +3734,7 @@ convert_string_to_sid(struct cli_state *ipc_cli, } if (!NT_STATUS_IS_OK(rpccli_lsa_lookup_names(pipe_hnd, ipc_cli->mem_ctx, - pol, 1, &str, &sids, + pol, 1, &str, NULL, &sids, &types))) { result = False; goto done; @@ -5927,22 +5927,14 @@ smbc_free_context(SMBCCTX *context, void smbc_option_set(SMBCCTX *context, char *option_name, - ...) + void *option_value) { - va_list args; - - va_start(args, option_name); - if (strcmp(option_name, "debug_stderr") == 0) { /* * Log to standard error instead of standard output. - * - * optional parameters: none (it can't be turned off once on) */ context->internal->_debug_stderr = True; } - - va_end(args); } @@ -5991,6 +5983,7 @@ smbc_init_context(SMBCCTX *context) DEBUGLEVEL = context->debug; load_case_tables(); + setup_logging( "libsmbclient", True); setup_logging("libsmbclient", True); if (context->internal->_debug_stderr) { diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index 8b811b06ea..673671d28d 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -24,7 +24,7 @@ Change a password on a remote machine using IPC calls. *************************************************************/ -BOOL remote_password_change(const char *remote_machine, const char *user_name, +NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, const char *old_passwd, const char *new_passwd, char *err_str, size_t err_str_len) { @@ -41,7 +41,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if(!resolve_name( remote_machine, &ip, 0x20)) { slprintf(err_str, err_str_len-1, "unable to find an IP address for machine %s.\n", remote_machine ); - return False; + return NT_STATUS_UNSUCCESSFUL; } ZERO_STRUCT(cli); 
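Review bot: smbc_option_set now takes `void *option_value` but never reads it, and the deleted comment was the only place that said "debug_stderr" takes no argument and cannot be switched off again. That contract should stay in the code, for example `/* option_value is ignored for "debug_stderr"; the option cannot be cleared once set */` above the assignment. `option_name` and `context->internal` are dereferenced without a NULL check in the visible lines. Callers built against the variadic prototype are outside this hunk and would need checking.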
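Review bot: In smbc_init_context the added `setup_logging( "libsmbclient", True);` sits directly above an identical existing call, so logging setup now runs twice in a row. This looks like a merge artifact and one of the two lines should be dropped. The function body starts and ends outside the hunk.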
@@ -49,7 +49,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if (!cli_initialise(&cli) || !cli_connect(&cli, remote_machine, &ip)) { slprintf(err_str, err_str_len-1, "unable to connect to SMB server on machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ); - return False; + return NT_STATUS_UNSUCCESSFUL; } make_nmb_name(&calling, global_myname() , 0x0); @@ -59,7 +59,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n", remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); - return False; + return NT_STATUS_UNSUCCESSFUL; } cli.protocol = PROTOCOL_NT1; @@ -67,8 +67,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if (!cli_negprot(&cli)) { slprintf(err_str, err_str_len-1, "machine %s rejected the negotiate protocol. Error was : %s.\n", remote_machine, cli_errstr(&cli) ); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } /* Given things like SMB signing, restrict anonymous and the like, @@ -90,7 +91,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, "connect to machine %s: %s\n", remote_machine, cli_errstr(&cli)); cli_shutdown(&cli); - return False; + return result; } pass_must_change = True; @@ -105,8 +106,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n", remote_machine, cli_errstr(&cli) ); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } cli_init_creds(&cli, "", "", NULL); 
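Review bot: Several failure paths of remote_password_change now return `cli_nt_error(&cli)` (the hunks at -67, -105, -117, -149 and -219), and nothing visible guarantees that this status differs from NT_STATUS_OK when the preceding call failed without an NT error in the reply; a caller testing NT_STATUS_IS_OK() would then treat a failed password change as a success. A guard before each such return, `if (NT_STATUS_IS_OK(result)) result = NT_STATUS_UNSUCCESSFUL;`, closes that gap. In the "LANMAN password changed are disabled" branch at -149 the added assignment also discards the SAMR status that the message has just printed, while the matching branch at -219 returns NT_STATUS_UNSUCCESSFUL; the two should agree. The change of return type from BOOL to NTSTATUS may also silently invert any caller still written as `if (!remote_password_change(...))`; those callers are outside this diff.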
@@ -117,8 +119,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { slprintf(err_str, err_str_len-1, "machine %s rejected the tconX on the IPC$ share. Error was : %s.\n", remote_machine, cli_errstr(&cli) ); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } /* Try not to give the password away too easily */ @@ -149,16 +152,18 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, if (!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) { slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n", remote_machine, cli_errstr(&cli) ); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } } else { slprintf(err_str, err_str_len-1, "SAMR connection to machine %s failed. Error was %s, " "but LANMAN password changed are disabled\n", nt_errstr(result), remote_machine); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } } @@ -166,7 +171,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, new_passwd, old_passwd))) { /* Great - it all worked! */ cli_shutdown(&cli); - return True; + return NT_STATUS_OK; } else if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { @@ -175,7 +180,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n", remote_machine, get_friendly_nt_error_msg(result)); cli_shutdown(&cli); - return False; + return result; } /* OK, that failed, so try again... */ 
@@ -197,7 +202,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, old_passwd)))) { /* Great - it all worked! */ cli_shutdown(&cli); - return True; + return NT_STATUS_OK; } else { if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { @@ -207,7 +212,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, "machine %s rejected the (anonymous) password change: Error was : %s.\n", remote_machine, get_friendly_nt_error_msg(result)); cli_shutdown(&cli); - return False; + return result; } /* We have failed to change the user's password, and we think the server @@ -219,20 +224,21 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name, /* SAMR failed, but the old LanMan protocol worked! */ cli_shutdown(&cli); - return True; + return NT_STATUS_OK; } slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n", remote_machine, cli_errstr(&cli) ); + result = cli_nt_error(&cli); cli_shutdown(&cli); - return False; + return result; } else { slprintf(err_str, err_str_len-1, "SAMR connection to machine %s failed. Error was %s, " "but LANMAN password changed are disabled\n", nt_errstr(result), remote_machine); cli_shutdown(&cli); - return False; + return NT_STATUS_UNSUCCESSFUL; } } } |