Merge branch 'master' of git://git.samba.org/samba

14 files changed, 341 insertions, 343 deletions

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index c31ed2f5fd..fa2329df32 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -135,7 +135,7 @@ struct auth_operations {
 	 * security=server, and makes a number of compromises to allow
 	 * that.  It is not compatible with being a PDC.  */
 
-	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
+	NTSTATUS (*get_challenge)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8]);
 
 	/* Given the user supplied info, check if this backend want to handle the password checking */
 
@@ -190,7 +190,7 @@ struct auth_context {
 				   const struct auth_usersupplied_info *user_info, 
 				   struct auth_serversupplied_info **server_info);
 	
-	NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, const uint8_t **_chal);
+	NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, uint8_t chal[8]);
 
 	bool (*challenge_may_be_modified)(struct auth_context *auth_ctx);
 
@@ -226,7 +226,7 @@ struct ldb_context;
 struct ldb_dn;
 struct gensec_security;
 
-NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal);
+NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8]);
 NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_context *sam_ctx,
 			    uint32_t logon_parameters,
@@ -275,16 +275,23 @@ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 					   const char *nt4_username,
 					   const char *password,
 					   struct auth_session_info **session_info);
-NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
+
+struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
+					    struct tevent_context *ev,
+					    struct auth_context *auth_ctx,
+					    const struct auth_usersupplied_info *user_info);
+NTSTATUS auth_check_password_recv(struct tevent_req *req,
 				  TALLOC_CTX *mem_ctx,
 				  struct auth_serversupplied_info **server_info);
 
-void auth_check_password_send(struct auth_context *auth_ctx,
-			      const struct auth_usersupplied_info *user_info,
-			      void (*callback)(struct auth_check_password_request *req, void *private_data),
-			      void *private_data);
+bool auth_challenge_may_be_modified(struct auth_context *auth_ctx);
 NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
 
+NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
+					struct auth_context *auth_ctx,
+					const char *principal,
+					struct auth_serversupplied_info **server_info);
+
 NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
 				   struct tevent_context *event_ctx,
 				   struct messaging_context *msg_ctx,
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk
index 6b051ef46c..32f415a8bf 100644
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -4,7 +4,7 @@
 PUBLIC_DEPENDENCIES = \
 		LIBCLI_AUTH SECRETS LIBCRYPTO KERBEROS UTIL_LDB HEIMDAL_GSSAPI 
 PRIVATE_DEPENDENCIES = \
-		SECRETS
+		SECRETS SAMDB
 
 
 CREDENTIALS_OBJ_FILES = $(addprefix $(authsrcdir)/credentials/, credentials.o credentials_files.o credentials_ntlm.o credentials_krb5.o ../kerberos/kerberos_util.o)
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index f7cbd5b197..947a91e852 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -2,7 +2,7 @@
 # Start SUBSYSTEM gensec
 [LIBRARY::gensec]
 PUBLIC_DEPENDENCIES = \
-		CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba_socket LIBPACKET LIBTSOCKET
+		CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba_socket LIBPACKET LIBTSOCKET UTIL_TEVENT
 # End SUBSYSTEM gensec
 #################################
 
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index ecd0778ee6..3de0e1c935 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -25,6 +25,7 @@
 #include "lib/events/events.h"
 #include "lib/socket/socket.h"
 #include "lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
@@ -982,71 +983,105 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
 	return gensec_security->ops->update(gensec_security, out_mem_ctx, in, out);
 }
 
-static void gensec_update_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
-					      struct timeval t, void *ptr)
-{
-	struct gensec_update_request *req = talloc_get_type(ptr, struct gensec_update_request);
-	req->status = req->gensec_security->ops->update(req->gensec_security, req, req->in, &req->out);
-	req->callback.fn(req, req->callback.private_data);
-}
+struct gensec_update_state {
+	struct tevent_immediate *im;
+	struct gensec_security *gensec_security;
+	DATA_BLOB in;
+	DATA_BLOB out;
+};
 
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+					struct tevent_immediate *im,
+					void *private_data);
 /**
  * Next state function for the GENSEC state machine async version
- * 
+ *
+ * @param mem_ctx The memory context for the request
+ * @param ev The event context for the request
  * @param gensec_security GENSEC State
  * @param in The request, as a DATA_BLOB
- * @param callback The function that will be called when the operation is
- *                 finished, it should return gensec_update_recv() to get output
- * @param private_data A private pointer that will be passed to the callback function
+ *
+ * @return The request handle or NULL on no memory failure
  */
 
-_PUBLIC_ void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
-				 void (*callback)(struct gensec_update_request *req, void *private_data),
-				 void *private_data)
+_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+					       struct tevent_context *ev,
+					       struct gensec_security *gensec_security,
+					       const DATA_BLOB in)
+{
+	struct tevent_req *req;
+	struct gensec_update_state *state = NULL;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct gensec_update_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->gensec_security		= gensec_security;
+	state->in			= in;
+	state->out			= data_blob(NULL, 0);
+	state->im			= tevent_create_immediate(state);
+	if (tevent_req_nomem(state->im, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_schedule_immediate(state->im, ev,
+				  gensec_update_async_trigger,
+				  req);
+
+	return req;
+}
+
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+					struct tevent_immediate *im,
+					void *private_data)
 {
-	struct gensec_update_request *req = NULL;
-	struct tevent_timer *te = NULL;
-
-	req = talloc(gensec_security, struct gensec_update_request);
-	if (!req) goto failed;
-	req->gensec_security		= gensec_security;
-	req->in				= in;
-	req->out			= data_blob(NULL, 0);
-	req->callback.fn		= callback;
-	req->callback.private_data	= private_data;
-
-	te = event_add_timed(gensec_security->event_ctx, req,
-			     timeval_zero(),
-			     gensec_update_async_timed_handler, req);
-	if (!te) goto failed;
-
-	return;
-
-failed:
-	talloc_free(req);
-	callback(NULL, private_data);
+	struct tevent_req *req =
+		talloc_get_type_abort(private_data, struct tevent_req);
+	struct gensec_update_state *state =
+		tevent_req_data(req, struct gensec_update_state);
+	NTSTATUS status;
+
+	status = gensec_update(state->gensec_security, state,
+			       state->in, &state->out);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	tevent_req_done(req);
 }
 
 /**
  * Next state function for the GENSEC state machine
  * 
- * @param req GENSEC update request state
+ * @param req request state
  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
  *                or NT_STATUS_OK if the user is authenticated. 
  */
-_PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out)
+_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
+				     TALLOC_CTX *out_mem_ctx,
+				     DATA_BLOB *out)
 {
+	struct gensec_update_state *state =
+		tevent_req_data(req, struct gensec_update_state);
 	NTSTATUS status;
 
-	NT_STATUS_HAVE_NO_MEMORY(req);
+	if (tevent_req_is_nterror(req, &status)) {
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+			tevent_req_received(req);
+			return status;
+		}
+	} else {
+		status = NT_STATUS_OK;
+	}
 
-	*out = req->out;
+	*out = state->out;
 	talloc_steal(out_mem_ctx, out->data);
-	status = req->status;
 
-	talloc_free(req);
+	tevent_req_received(req);
 	return status;
 }
 
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 2ea2402064..232f1a4500 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -69,18 +69,7 @@ struct auth_session_info;
 struct cli_credentials;
 struct gensec_settings;
 struct tevent_context;
-
-struct gensec_update_request {
-	struct gensec_security *gensec_security;
-	void *private_data;
-	DATA_BLOB in;
-	DATA_BLOB out;
-	NTSTATUS status;
-	struct {
-		void (*fn)(struct gensec_update_request *req, void *private_data);
-		void *private_data;
-	} callback;
-};
+struct tevent_req;
 
 struct gensec_settings {
 	struct loadparm_context *lp_ctx;
@@ -231,10 +220,11 @@ NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
 						 const char **sasl_names);
 NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
 		       const DATA_BLOB in, DATA_BLOB *out);
-void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
-				 void (*callback)(struct gensec_update_request *req, void *private_data),
-				 void *private_data);
-NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
+struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+				      struct tevent_context *ev,
+				      struct gensec_security *gensec_security,
+				      const DATA_BLOB in);
+NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
 void gensec_want_feature(struct gensec_security *gensec_security,
 			 uint32_t feature);
 bool gensec_have_feature(struct gensec_security *gensec_security,
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 5520c9d01f..d5df387d80 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -19,10 +19,11 @@
 */
 
 #include "includes.h"
+#include <tevent.h>
+#include "../lib/util/tevent_ntstatus.h"
 #include "../lib/util/dlinklist.h"
 #include "auth/auth.h"
 #include "auth/ntlm/auth_proto.h"
-#include "lib/events/events.h"
 #include "param/param.h"
 
 /***************************************************************************
@@ -42,7 +43,7 @@ _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, cons
 /***************************************************************************
  Set a fixed challenge
 ***************************************************************************/
-bool auth_challenge_may_be_modified(struct auth_context *auth_ctx) 
+_PUBLIC_ bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
 {
 	return auth_ctx->challenge.may_be_modified;
 }
@@ -51,42 +52,34 @@ bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
  Try to get a challenge out of the various authentication modules.
  Returns a const char of length 8 bytes.
 ****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal)
+_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8])
 {
 	NTSTATUS nt_status;
 	struct auth_method_context *method;
 
-	if (auth_ctx->challenge.data.length) {
+	if (auth_ctx->challenge.data.length == 8) {
 		DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n", 
 			  auth_ctx->challenge.set_by));
-		*_chal = auth_ctx->challenge.data.data;
+		memcpy(chal, auth_ctx->challenge.data.data, 8);
 		return NT_STATUS_OK;
 	}
 
 	for (method = auth_ctx->methods; method; method = method->next) {
-		DATA_BLOB challenge = data_blob(NULL,0);
-
-		nt_status = method->ops->get_challenge(method, auth_ctx, &challenge);
+		nt_status = method->ops->get_challenge(method, auth_ctx, chal);
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
 			continue;
 		}
 
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
-		if (challenge.length != 8) {
-			DEBUG(0, ("auth_get_challenge: invalid challenge (length %u) by mothod [%s]\n",
-				(unsigned)challenge.length, method->ops->name));
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-
-		auth_ctx->challenge.data	= challenge;
+		auth_ctx->challenge.data	= data_blob_talloc(auth_ctx, chal, 8);
+		NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
 		auth_ctx->challenge.set_by	= method->ops->name;
 
 		break;
 	}
 
 	if (!auth_ctx->challenge.set_by) {
-		uint8_t chal[8];
 		generate_random_buffer(chal, 8);
 
 		auth_ctx->challenge.data		= data_blob_talloc(auth_ctx, chal, 8);
@@ -99,7 +92,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_
 	DEBUG(10,("auth_get_challenge: challenge set by %s\n",
 		 auth_ctx->challenge.set_by));
 
-	*_chal = auth_ctx->challenge.data.data;
 	return NT_STATUS_OK;
 }
 
@@ -133,22 +125,6 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-struct auth_check_password_sync_state {
-	bool finished;
-	NTSTATUS status;
-	struct auth_serversupplied_info *server_info;
-};
-
-static void auth_check_password_sync_callback(struct auth_check_password_request *req,
-					      void *private_data)
-{
-	struct auth_check_password_sync_state *s = talloc_get_type(private_data,
-						   struct auth_check_password_sync_state);
-
-	s->finished = true;
-	s->status = auth_check_password_recv(req, s, &s->server_info);
-}
-
 /**
  * Check a user's Plaintext, LM or NTLM password.
  * (sync version)
@@ -181,48 +157,43 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
 			     const struct auth_usersupplied_info *user_info, 
 			     struct auth_serversupplied_info **server_info)
 {
-	struct auth_check_password_sync_state *sync_state;
+	struct tevent_req *subreq;
+	struct tevent_context *ev;
+	bool ok;
 	NTSTATUS status;
 
-	sync_state = talloc_zero(auth_ctx, struct auth_check_password_sync_state);
-	NT_STATUS_HAVE_NO_MEMORY(sync_state);
-
-	auth_check_password_send(auth_ctx, user_info, auth_check_password_sync_callback, sync_state);
+	/*TODO: create a new event context here! */
+	ev = auth_ctx->event_ctx;
 
-	while (!sync_state->finished) {
-		event_loop_once(auth_ctx->event_ctx);
+	subreq = auth_check_password_send(mem_ctx,
+					  ev,
+					  auth_ctx,
+					  user_info);
+	if (subreq == NULL) {
+		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = sync_state->status;
-
-	if (NT_STATUS_IS_OK(status)) {
-		*server_info = talloc_steal(mem_ctx, sync_state->server_info);
+	ok = tevent_req_poll(subreq, ev);
+	if (!ok) {
+		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	talloc_free(sync_state);
+	status = auth_check_password_recv(subreq, mem_ctx, server_info);
+	TALLOC_FREE(subreq);
+
 	return status;
 }
 
-struct auth_check_password_request {
+struct auth_check_password_state {
 	struct auth_context *auth_ctx;
 	const struct auth_usersupplied_info *user_info;
 	struct auth_serversupplied_info *server_info;
 	struct auth_method_context *method;
-	NTSTATUS status;
-	struct {
-		void (*fn)(struct auth_check_password_request *req, void *private_data);
-		void *private_data;
-	} callback;
 };
 
-static void auth_check_password_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
-						    struct timeval t, void *ptr)
-{
-	struct auth_check_password_request *req = talloc_get_type(ptr, struct auth_check_password_request);
-	req->status = req->method->ops->check_password(req->method, req, req->user_info, &req->server_info);
-	req->callback.fn(req, req->callback.private_data);
-}
-
+static void auth_check_password_async_trigger(struct tevent_context *ev,
+					      struct tevent_immediate *im,
+					      void *private_data);
 /**
  * Check a user's Plaintext, LM or NTLM password.
  * async send hook
@@ -234,6 +205,10 @@ static void auth_check_password_async_timed_handler(struct tevent_context *ev, s
  * struct.  When the return is other than NT_STATUS_OK the contents 
  * of that structure is undefined.
  *
+ * @param mem_ctx The memory context the request should operate on
+ *
+ * @param ev The tevent context the request should operate on
+ *
  * @param auth_ctx Supplies the challenges and some other data. 
  *                  Must be created with make_auth_context(), and the challenges should be 
  *                  filled in, either at creation or by calling the challenge geneation 
@@ -241,93 +216,131 @@ static void auth_check_password_async_timed_handler(struct tevent_context *ev, s
  *
  * @param user_info Contains the user supplied components, including the passwords.
  *
- * @param callback A callback function which will be called when the operation is finished.
- *                 The callback function needs to call auth_check_password_recv() to get the return values
- *
- * @param private_data A private pointer which will ba passed to the callback function
+ * @return The request handle or NULL on no memory error.
  *
  **/
 
-_PUBLIC_ void auth_check_password_send(struct auth_context *auth_ctx,
-			      const struct auth_usersupplied_info *user_info,
-			      void (*callback)(struct auth_check_password_request *req, void *private_data),
-			      void *private_data)
+_PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct auth_context *auth_ctx,
+				const struct auth_usersupplied_info *user_info)
 {
+	struct tevent_req *req;
+	struct auth_check_password_state *state;
 	/* if all the modules say 'not for me' this is reasonable */
 	NTSTATUS nt_status;
 	struct auth_method_context *method;
-	const uint8_t *challenge;
+	uint8_t chal[8];
 	struct auth_usersupplied_info *user_info_tmp;
-	struct auth_check_password_request *req = NULL;
+	struct tevent_immediate *im;
 
-	DEBUG(3,   ("auth_check_password_send:  Checking password for unmapped user [%s]\\[%s]@[%s]\n", 
-		    user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
+	DEBUG(3,("auth_check_password_send: "
+		 "Checking password for unmapped user [%s]\\[%s]@[%s]\n",
+		 user_info->client.domain_name, user_info->client.account_name,
+		 user_info->workstation_name));
 
-	req = talloc_zero(auth_ctx, struct auth_check_password_request);
-	if (!req) {
-		callback(NULL, private_data);
-		return;
+	req = tevent_req_create(mem_ctx, &state,
+				struct auth_check_password_state);
+	if (req == NULL) {
+		return NULL;
 	}
-	req->auth_ctx			= auth_ctx;
-	req->user_info			= user_info;
-	req->callback.fn		= callback;
-	req->callback.private_data	= private_data;
+
+	state->auth_ctx		= auth_ctx;
+	state->user_info	= user_info;
+	state->method		= NULL;
 
 	if (!user_info->mapped_state) {
-		nt_status = map_user_info(req, lp_workgroup(auth_ctx->lp_ctx), user_info, &user_info_tmp);
-		if (!NT_STATUS_IS_OK(nt_status)) goto failed;
+		nt_status = map_user_info(req, lp_workgroup(auth_ctx->lp_ctx),
+					  user_info, &user_info_tmp);
+		if (tevent_req_nterror(req, nt_status)) {
+			return tevent_req_post(req, ev);
+		}
 		user_info = user_info_tmp;
-		req->user_info	= user_info_tmp;
+		state->user_info = user_info_tmp;
 	}
 
-	DEBUGADD(3,("auth_check_password_send:  mapped user is: [%s]\\[%s]@[%s]\n", 
-		    user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
-
-	nt_status = auth_get_challenge(auth_ctx, &challenge);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(0, ("auth_check_password_send:  Invalid challenge (length %u) stored for this auth context set_by %s - cannot continue: %s\n",
-			(unsigned)auth_ctx->challenge.data.length, auth_ctx->challenge.set_by, nt_errstr(nt_status)));
-		goto failed;
+	DEBUGADD(3,("auth_check_password_send: "
+		    "mapped user is: [%s]\\[%s]@[%s]\n",
+		    user_info->mapped.domain_name,
+		    user_info->mapped.account_name,
+		    user_info->workstation_name));
+
+	nt_status = auth_get_challenge(auth_ctx, chal);
+	if (tevent_req_nterror(req, nt_status)) {
+		DEBUG(0,("auth_check_password_send: "
+			 "Invalid challenge (length %u) stored for "
+			 "this auth context set_by %s - cannot continue: %s\n",
+			(unsigned)auth_ctx->challenge.data.length,
+			auth_ctx->challenge.set_by,
+			nt_errstr(nt_status)));
+		return tevent_req_post(req, ev);
 	}
 
 	if (auth_ctx->challenge.set_by) {
-		DEBUG(10, ("auth_check_password_send: auth_context challenge created by %s\n",
-					auth_ctx->challenge.set_by));
+		DEBUG(10,("auth_check_password_send: "
+			  "auth_context challenge created by %s\n",
+			  auth_ctx->challenge.set_by));
 	}
 
 	DEBUG(10, ("auth_check_password_send: challenge is: \n"));
-	dump_data(5, auth_ctx->challenge.data.data, auth_ctx->challenge.data.length);
+	dump_data(5, auth_ctx->challenge.data.data,
+		  auth_ctx->challenge.data.length);
+
+	im = tevent_create_immediate(state);
+	if (tevent_req_nomem(im, req)) {
+		return tevent_req_post(req, ev);
+	}
 
-	nt_status = NT_STATUS_NO_SUCH_USER; /* If all the modules say 'not for me', then this is reasonable */
 	for (method = auth_ctx->methods; method; method = method->next) {
 		NTSTATUS result;
-		struct tevent_timer *te = NULL;
 
 		/* check if the module wants to chek the password */
 		result = method->ops->want_check(method, req, user_info);
 		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			DEBUG(11,("auth_check_password_send: %s had nothing to say\n", method->ops->name));
+			DEBUG(11,("auth_check_password_send: "
+				  "%s had nothing to say\n",
+				  method->ops->name));
 			continue;
 		}
 
-		nt_status = result;
-		req->method	= method;
-
-		if (!NT_STATUS_IS_OK(nt_status)) break;
+		state->method = method;
 
-		te = event_add_timed(auth_ctx->event_ctx, req,
-				     timeval_zero(),
-				     auth_check_password_async_timed_handler, req);
-		if (!te) {
-			nt_status = NT_STATUS_NO_MEMORY;
-			goto failed;
+		if (tevent_req_nterror(req, result)) {
+			return tevent_req_post(req, ev);
 		}
+
+		tevent_schedule_immediate(im,
+					  auth_ctx->event_ctx,
+					  auth_check_password_async_trigger,
+					  req);
+
+		return req;
+	}
+
+	/* If all the modules say 'not for me', then this is reasonable */
+	tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+	return tevent_req_post(req, ev);
+}
+
+static void auth_check_password_async_trigger(struct tevent_context *ev,
+					      struct tevent_immediate *im,
+					      void *private_data)
+{
+	struct tevent_req *req =
+		talloc_get_type_abort(private_data, struct tevent_req);
+	struct auth_check_password_state *state =
+		tevent_req_data(req, struct auth_check_password_state);
+	NTSTATUS status;
+
+	status = state->method->ops->check_password(state->method,
+						    state,
+						    state->user_info,
+						    &state->server_info);
+	if (tevent_req_nterror(req, status)) {
 		return;
 	}
 
-failed:
-	req->status = nt_status;
-	req->callback.fn(req, req->callback.private_data);
+	tevent_req_done(req);
 }
 
 /**
@@ -339,7 +352,7 @@ failed:
  * of that structure is undefined.
  *
  *
- * @param req The async auth_check_password state, passes to the callers callback function
+ * @param req The async request state
  *
  * @param mem_ctx The parent memory context for the server_info structure
  *
@@ -350,30 +363,36 @@ failed:
  *
  **/
 
-_PUBLIC_ NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
+_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 				  TALLOC_CTX *mem_ctx,
 				  struct auth_serversupplied_info **server_info)
 {
+	struct auth_check_password_state *state =
+		tevent_req_data(req, struct auth_check_password_state);
 	NTSTATUS status;
 
-	NT_STATUS_HAVE_NO_MEMORY(req);
+	if (tevent_req_is_nterror(req, &status)) {
+		DEBUG(2,("auth_check_password_recv: "
+			 "%s authentication for user [%s\\%s]"
+			 "FAILED with error %s\n",
+			 (state->method ? state->method->ops->name : "NO_METHOD"),
+			 state->user_info->mapped.domain_name,
+			 state->user_info->mapped.account_name,
+			 nt_errstr(status)));
+		tevent_req_received(req);
+		return status;
+	}
 
-	if (NT_STATUS_IS_OK(req->status)) {
-		DEBUG(5,("auth_check_password_recv: %s authentication for user [%s\\%s] succeeded\n",
-			 req->method->ops->name, req->server_info->domain_name, req->server_info->account_name));
+	DEBUG(5,("auth_check_password_recv: "
+		 "%s authentication for user [%s\\%s] succeeded\n",
+		 state->method->ops->name,
+		 state->server_info->domain_name,
+		 state->server_info->account_name));
 
-		*server_info = talloc_steal(mem_ctx, req->server_info);
-	} else {
-		DEBUG(2,("auth_check_password_recv: %s authentication for user [%s\\%s] FAILED with error %s\n", 
-			 (req->method ? req->method->ops->name : "NO_METHOD"),
-			 req->user_info->mapped.domain_name,
-			 req->user_info->mapped.account_name, 
-			 nt_errstr(req->status)));
-	}
+	*server_info = talloc_move(mem_ctx, &state->server_info);
 
-	status = req->status;
-	talloc_free(req);
-	return status;
+	tevent_req_received(req);
+	return NT_STATUS_OK;
 }
 
 /***************************************************************************
diff --git a/source4/auth/ntlm/auth_proto.h b/source4/auth/ntlm/auth_proto.h
deleted file mode 100644
index 572c1a4ca7..0000000000
--- a/source4/auth/ntlm/auth_proto.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef __AUTH_NTLM_AUTH_PROTO_H__
-#define __AUTH_NTLM_AUTH_PROTO_H__
-
-#undef _PRINTF_ATTRIBUTE
-#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2)
-/* This file was automatically generated by mkproto.pl. DO NOT EDIT */
-
-/* this file contains prototypes for functions that are private 
- * to this subsystem or library. These functions should not be 
- * used outside this particular subsystem! */
-
-
-/* The following definitions come from auth/ntlm/auth.c  */
-
-
-/***************************************************************************
- Set a fixed challenge
-***************************************************************************/
-bool auth_challenge_may_be_modified(struct auth_context *auth_ctx) ;
-const struct auth_operations *auth_backend_byname(const char *name);
-const struct auth_critical_sizes *auth_interface_version(void);
-NTSTATUS server_service_auth_init(void);
-
-/* The following definitions come from auth/ntlm/auth_util.c  */
-
-NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge);
-
-/****************************************************************************
- Create an auth_usersupplied_data structure after appropriate mapping.
-****************************************************************************/
-NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
-		       const char *default_domain,
-		       const struct auth_usersupplied_info *user_info,
-		       struct auth_usersupplied_info **user_info_mapped);
-
-/****************************************************************************
- Create an auth_usersupplied_data structure after appropriate mapping.
-****************************************************************************/
-NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, 
-			   enum auth_password_state to_state,
-			   const struct auth_usersupplied_info *user_info_in,
-			   const struct auth_usersupplied_info **user_info_encrypted);
-
-/* The following definitions come from auth/ntlm/auth_simple.c  */
-
-#undef _PRINTF_ATTRIBUTE
-#define _PRINTF_ATTRIBUTE(a1, a2)
-
-#endif /* __AUTH_NTLM_AUTH_PROTO_H__ */
-
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index 12849aa420..ae7b7dd3a8 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -40,7 +40,7 @@ static NTSTATUS server_want_check(struct auth_method_context *ctx,
 /** 
  * The challenge from the target server, when operating in security=server
  **/
-static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *_blob)
+static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8])
 {
 	struct smb_composite_connect io;
 	struct smbcli_options smb_options;
@@ -88,7 +88,10 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
 				       ctx->auth_ctx->event_ctx);
 	NT_STATUS_NOT_OK_RETURN(status);
 
-	*_blob = io.out.tree->session->transport->negotiate.secblob;
+	if (io.out.tree->session->transport->negotiate.secblob.length != 8) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	memcpy(chal, io.out.tree->session->transport->negotiate.secblob.data, 8);
 	ctx->private_data = talloc_steal(ctx, io.out.tree->session);
 	return NT_STATUS_OK;
 }
diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c
index 5543cbebea..92df0bfe80 100644
--- a/source4/auth/ntlm/auth_util.c
+++ b/source4/auth/ntlm/auth_util.c
@@ -29,7 +29,7 @@
 /* this default function can be used by mostly all backends
  * which don't want to set a challenge
  */
-NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge)
+NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, uint8_t chal[8])
 {
 	/* we don't want to set a challenge */
 	return NT_STATUS_NOT_IMPLEMENTED;
@@ -122,7 +122,7 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex
 		}
 		case AUTH_PASSWORD_HASH:
 		{
-			const uint8_t *challenge;
+			uint8_t chal[8];
 			DATA_BLOB chall_blob;
 			user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
 			if (!user_info_temp) {
@@ -134,12 +134,12 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex
 			*user_info_temp = *user_info_in;
 			user_info_temp->mapped_state = to_state;
 			
-			nt_status = auth_get_challenge(auth_context, &challenge);
+			nt_status = auth_get_challenge(auth_context, chal);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				return nt_status;
 			}
 			
-			chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
+			chall_blob = data_blob_talloc(mem_ctx, chal, 8);
 			if (lp_client_ntlmv2_auth(auth_context->lp_ctx)) {
 				DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx,  lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx));
 				DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;
@@ -162,12 +162,12 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_contex
 				data_blob_free(&ntlmv2_session_key);
 			} else {
 				DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
-				SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
+				SMBOWFencrypt(user_info_in->password.hash.nt->hash, chal, blob.data);
 
 				user_info_temp->password.response.nt = blob;
 				if (lp_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
 					DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
-					SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
+					SMBOWFencrypt(user_info_in->password.hash.lanman->hash, chal, blob.data);
 					user_info_temp->password.response.lanman = lm_blob;
 				} else {
 					/* if not sending the LM password, send the NT password twice */
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 568226dd87..173a895390 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -271,7 +271,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 		s->req.in.logon.password= password_info;
 	} else {
 		struct netr_NetworkInfo *network_info;
-		const uint8_t *challenge;
+		uint8_t chal[8];
 
 		status = encrypt_user_info(s, ctx->auth_ctx, AUTH_PASSWORD_RESPONSE,
 					   user_info, &user_info_new);
@@ -281,10 +281,10 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 		network_info = talloc(s, struct netr_NetworkInfo);
 		NT_STATUS_HAVE_NO_MEMORY(network_info);
 
-		status = auth_get_challenge(ctx->auth_ctx, &challenge);
+		status = auth_get_challenge(ctx->auth_ctx, chal);
 		NT_STATUS_NOT_OK_RETURN(status);
 
-		memcpy(network_info->challenge, challenge, sizeof(network_info->challenge));
+		memcpy(network_info->challenge, chal, sizeof(network_info->challenge));
 
 		network_info->nt.length = user_info->password.response.nt.length;
 		network_info->nt.data	= user_info->password.response.nt.data;
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
index a0d668f748..6c75ae842d 100644
--- a/source4/auth/ntlm/config.mk
+++ b/source4/auth/ntlm/config.mk
@@ -71,10 +71,10 @@ PAM_ERRORS_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, pam_errors.o)
 INIT_FUNCTION = server_service_auth_init
 SUBSYSTEM = service
 OUTPUT_TYPE = MERGED_OBJ
-PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS 
+PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS UTIL_TEVENT
 
 auth_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth.o auth_util.o auth_simple.o)
-$(eval $(call proto_header_template,$(authsrcdir)/auth_proto.h,$(auth_OBJ_FILES:.o=.c)))
+$(eval $(call proto_header_template,$(authsrcdir)/ntlm/auth_proto.h,$(auth_OBJ_FILES:.o=.c)))
 
 # PUBLIC_HEADERS += auth/auth.h
 
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index 7743e7697e..7bed54d6d8 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -1,20 +1,20 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    SMB parameters and setup
    Copyright (C) Andrew Tridgell 1992-1997
    Copyright (C) Luke Kenneth Casson Leighton 1996-1997
    Copyright (C) Paul Ashton 1997
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -37,7 +37,7 @@ enum ntlmssp_message_type
 	NTLMSSP_CHALLENGE = 2,
 	NTLMSSP_AUTH      = 3,
 	NTLMSSP_UNKNOWN   = 4,
-	NTLMSSP_DONE   = 5 /* samba final state */
+	NTLMSSP_DONE      = 5 /* samba final state */
 };
 
 struct gensec_ntlmssp_state
@@ -65,29 +65,30 @@ struct gensec_ntlmssp_state
 	DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */
 
 	DATA_BLOB chal; /* Random challenge as input into the actual NTLM (or NTLM2) authentication */
- 	DATA_BLOB lm_resp;
+	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
 	DATA_BLOB session_key;
-	
+
 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
 
 	/* internal variables used by KEY_EXCH (client-supplied user session key */
 	DATA_BLOB encrypted_session_key;
 	
 	/**
-	 * Callback to get the 'challenge' used for NTLM authentication.  
+	 * Callback to get the 'challenge' used for NTLM authentication.
 	 *
 	 * @param ntlmssp_state This structure
 	 * @return 8 bytes of challenge data, determined by the server to be the challenge for NTLM authentication
 	 *
 	 */
-	const uint8_t *(*get_challenge)(const struct gensec_ntlmssp_state *);
+	NTSTATUS (*get_challenge)(const struct gensec_ntlmssp_state *,
+				  uint8_t challenge[8]);
 
 	/**
-	 * Callback to find if the challenge used by NTLM authentication may be modified 
+	 * Callback to find if the challenge used by NTLM authentication may be modified
 	 *
 	 * The NTLM2 authentication scheme modifies the effective challenge, but this is not compatiable with the
-	 * current 'security=server' implementation..  
+	 * current 'security=server' implementation..
 	 *
 	 * @param ntlmssp_state This structure
 	 * @return Can the challenge be set to arbitary values?
@@ -96,7 +97,7 @@ struct gensec_ntlmssp_state
 	bool (*may_set_challenge)(const struct gensec_ntlmssp_state *);
 
 	/**
-	 * Callback to set the 'challenge' used for NTLM authentication.  
+	 * Callback to set the 'challenge' used for NTLM authentication.
 	 *
 	 * The callback may use the void *auth_context to store state information, but the same value is always available
 	 * from the DATA_BLOB chal on this structure.
@@ -108,21 +109,20 @@ struct gensec_ntlmssp_state
 	NTSTATUS (*set_challenge)(struct gensec_ntlmssp_state *, DATA_BLOB *challenge);
 
 	/**
-	 * Callback to check the user's password.  
+	 * Callback to check the user's password.
 	 *
-	 * The callback must reads the feilds of this structure for the information it needs on the user 
+	 * The callback must reads the feilds of this structure for the information it needs on the user
 	 * @param ntlmssp_state This structure
 	 * @param nt_session_key If an NT session key is returned by the authentication process, return it here
 	 * @param lm_session_key If an LM session key is returned by the authentication process, return it here
 	 *
 	 */
-	NTSTATUS (*check_password)(struct gensec_ntlmssp_state *, 
-				   TALLOC_CTX *mem_ctx, 
+	NTSTATUS (*check_password)(struct gensec_ntlmssp_state *,
 				   DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 
 	const char *server_name;
 
-	bool doing_ntlm2; 
+	bool doing_ntlm2;
 
 	union {
 		/* NTLM */
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 94de920772..c49bf2fea7 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -124,8 +124,9 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
 	DATA_BLOB struct_blob;
 	uint32_t neg_flags = 0;
 	uint32_t ntlmssp_command, chal_flags;
-	const uint8_t *cryptkey;
+	uint8_t cryptkey[8];
 	const char *target_name;
+	NTSTATUS status;
 
 	/* parse the NTLMSSP packet */
 #if 0
@@ -150,10 +151,11 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
 	ntlmssp_handle_neg_flags(gensec_ntlmssp_state, neg_flags, gensec_ntlmssp_state->allow_lm_key);
 
 	/* Ask our caller what challenge they would like in the packet */
-	cryptkey = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state);
-	if (!cryptkey) {
-		DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge\n"));
-		return NT_STATUS_INTERNAL_ERROR;
+	status = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state, cryptkey);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
+			  nt_errstr(status)));
+		return status;
 	}
 
 	/* Check if we may set the challenge */
@@ -180,7 +182,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
 	/* This creates the 'blob' of names that appears at the end of the packet */
 	if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 		char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
-		const char *target_name_dns = "";
 
 		/* Find out the DNS domain name */
 		dnsdomname[0] = '\0';
@@ -194,12 +195,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
 		}
 		strlower_m(dnsname);
 
-		if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) {
-			target_name_dns = dnsdomname;
-		} else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) {
-			target_name_dns = dnsname;
-		}
-
 		msrpc_gen(out_mem_ctx, 
 			  &struct_blob, "aaaaa",
 			  MsvAvNbDomainName, target_name,
@@ -268,6 +263,7 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
 	}
 
 	/* zero these out */
+	data_blob_free(&gensec_ntlmssp_state->session_key);
 	data_blob_free(&gensec_ntlmssp_state->lm_resp);
 	data_blob_free(&gensec_ntlmssp_state->nt_resp);
 	data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
@@ -406,6 +402,11 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 	NTSTATUS nt_status;
 	DATA_BLOB session_key = data_blob(NULL, 0);
 
+	if (!(gensec_security->want_features
+	      & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY))) {
+		return NT_STATUS_OK;
+	}
+
 	if (user_session_key)
 		dump_data_pw("USER session key:\n", user_session_key->data, user_session_key->length);
 
@@ -548,20 +549,15 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
 			     const DATA_BLOB in, DATA_BLOB *out) 
 {	
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
-	DATA_BLOB user_session_key = data_blob(NULL, 0);
-	DATA_BLOB lm_session_key = data_blob(NULL, 0);
+	DATA_BLOB user_session_key = data_blob_null;
+	DATA_BLOB lm_session_key = data_blob_null;
 	NTSTATUS nt_status;
 
-	TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
-	if (!mem_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	/* zero the outbound NTLMSSP packet */
-	*out = data_blob_talloc(out_mem_ctx, NULL, 0);
+	*out = data_blob_null;
 
-	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in))) {
-		talloc_free(mem_ctx);
+	nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
 
@@ -573,23 +569,21 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
 	 */
 
 	/* Finally, actually ask if the password is OK */
-
-	if (!NT_STATUS_IS_OK(nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state, mem_ctx,
-									      &user_session_key, &lm_session_key))) {
-		talloc_free(mem_ctx);
+	nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state,
+							 &user_session_key,
+							 &lm_session_key);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
-	
-	if (gensec_security->want_features
-	    & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY)) {
-		nt_status = ntlmssp_server_postauth(gensec_security, &user_session_key, &lm_session_key);
-		talloc_free(mem_ctx);
+
+	nt_status = ntlmssp_server_postauth(gensec_security,
+					    &user_session_key,
+					    &lm_session_key);
+	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
-	} else {
-		gensec_ntlmssp_state->session_key = data_blob(NULL, 0);
-		talloc_free(mem_ctx);
-		return NT_STATUS_OK;
 	}
+
+	return NT_STATUS_OK;
 }
 
 /**
@@ -597,19 +591,19 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security *gensec_security,
  * @return an 8 byte random challenge
  */
 
-static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state)
+static NTSTATUS auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state,
+					   uint8_t chal[8])
 {
 	NTSTATUS status;
-	const uint8_t *chal;
 
-	status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, &chal);
+	status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, chal);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
 			nt_errstr(status)));
-		return NULL;
+		return status;
 	}
 
-	return chal;
+	return NT_STATUS_OK;
 }
 
 /**
@@ -651,12 +645,13 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct gensec_ntlmssp_state *gensec_n
  * Return the session keys used on the connection.
  */
 
-static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ntlmssp_state, 
-					    TALLOC_CTX *mem_ctx, 
-					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
+static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
+					    DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	NTSTATUS nt_status;
-	struct auth_usersupplied_info *user_info = talloc(mem_ctx, struct auth_usersupplied_info);
+	struct auth_usersupplied_info *user_info;
+
+	user_info = talloc(gensec_ntlmssp_state, struct auth_usersupplied_info);
 	if (!user_info) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -675,31 +670,21 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
 	user_info->password.response.nt = gensec_ntlmssp_state->nt_resp;
 	user_info->password.response.nt.data = talloc_steal(user_info, gensec_ntlmssp_state->nt_resp.data);
 
-	nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context, 
-								       mem_ctx,
-								       user_info, 
+	nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context,
+								       gensec_ntlmssp_state,
+								       user_info,
 								       &gensec_ntlmssp_state->server_info);
 	talloc_free(user_info);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	talloc_steal(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info);
-
 	if (gensec_ntlmssp_state->server_info->user_session_key.length) {
-		DEBUG(10, ("Got NT session key of length %u\n", 
+		DEBUG(10, ("Got NT session key of length %u\n",
 			   (unsigned)gensec_ntlmssp_state->server_info->user_session_key.length));
-		if (!talloc_reference(mem_ctx, gensec_ntlmssp_state->server_info->user_session_key.data)) {
-			return NT_STATUS_NO_MEMORY;
-		}
-
 		*user_session_key = gensec_ntlmssp_state->server_info->user_session_key;
 	}
 	if (gensec_ntlmssp_state->server_info->lm_session_key.length) {
-		DEBUG(10, ("Got LM session key of length %u\n", 
+		DEBUG(10, ("Got LM session key of length %u\n",
 			   (unsigned)gensec_ntlmssp_state->server_info->lm_session_key.length));
-		if (!talloc_reference(mem_ctx, gensec_ntlmssp_state->server_info->lm_session_key.data)) {
-			return NT_STATUS_NO_MEMORY;
-		}
-
 		*lm_session_key = gensec_ntlmssp_state->server_info->lm_session_key;
 	}
 	return nt_status;
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 957d0a8fbc..9e0d80f788 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -171,7 +171,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 						  NTLMSSP_RECEIVE, &local_sig, true);
 	
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status)));
+		DEBUG(0, ("NTLMSSP packet sig creation failed with %s\n", nt_errstr(nt_status)));
 		return nt_status;
 	}
 
@@ -179,26 +179,25 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 		if (local_sig.length != sig->length ||
 		    memcmp(local_sig.data, 
 			   sig->data, sig->length) != 0) {
-			DEBUG(5, ("BAD SIG NTLM2: wanted signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
-			dump_data(5, local_sig.data, local_sig.length);
+
+			DEBUG(10, ("BAD SIG NTLM2: wanted signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
+			dump_data(10, local_sig.data, local_sig.length);
 			
-			DEBUG(5, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
-			dump_data(5, sig->data, sig->length);
+			DEBUG(10, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
+			dump_data(10, sig->data, sig->length);
 			
-			DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	} else {
 		if (local_sig.length != sig->length ||
 		    memcmp(local_sig.data + 8, 
 			   sig->data + 8, sig->length - 8) != 0) {
-			DEBUG(5, ("BAD SIG NTLM1: wanted signature of %llu bytes of input:\n", (unsigned long long)length));
+			DEBUG(10, ("BAD SIG NTLM1: wanted signature of %llu bytes of input:\n", (unsigned long long)length));
 			dump_data(5, local_sig.data, local_sig.length);
 			
-			DEBUG(5, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length));
-			dump_data(5, sig->data, sig->length);
+			DEBUG(10, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length));
+			dump_data(10, sig->data, sig->length);
 			
-			DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
@@ -281,6 +280,7 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 				      const uint8_t *whole_pdu, size_t pdu_length, 
 				      const DATA_BLOB *sig)
 {
+	NTSTATUS status;
 	struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
 	if (!gensec_ntlmssp_state->session_key.length) {
 		DEBUG(3, ("NO session key, cannot unseal packet\n"));
@@ -294,7 +294,12 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
 		arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
 	}
 	dump_data_pw("ntlmssp clear data\n", data, length);
-	return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
+	status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
+	}
+	return status;
 }
 
 /**
@@ -585,6 +590,10 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
 				status = check_status;
 			}
 		}
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("NTLMSSP packet check for unwrap failed due to invalid signature\n"));
+		}
 		return status;
 	} else {
 		*out = *in;