456 files changed, 158315 insertions, 0 deletions

diff --git a/source3/lib/access.c b/source3/lib/access.c
new file mode 100644
index 0000000000..6a445f8139
--- /dev/null
+++ b/source3/lib/access.c
@@ -0,0 +1,415 @@
+/*
+   This module is an adaption of code from the tcpd-1.4 package written
+   by Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
+   The code is used here with permission.
+
+   The code has been considerably changed from the original. Bug reports
+   should be sent to samba@samba.org
+
+   Updated for IPv6 by Jeremy Allison (C) 2007.
+*/
+
+#include "includes.h"
+
+#define NAME_INDEX 0
+#define ADDR_INDEX 1
+
+/* masked_match - match address against netnumber/netmask */
+static bool masked_match(const char *tok, const char *slash, const char *s)
+{
+	struct sockaddr_storage ss_mask;
+	struct sockaddr_storage ss_tok;
+	struct sockaddr_storage ss_host;
+	char *tok_copy = NULL;
+
+	if (!interpret_string_addr(&ss_host, s, 0)) {
+		return false;
+	}
+
+	if (*tok == '[') {
+		/* IPv6 address - remove braces. */
+		tok_copy = SMB_STRDUP(tok+1);
+		if (!tok_copy) {
+			return false;
+		}
+		/* Remove the terminating ']' */
+		tok_copy[PTR_DIFF(slash,tok)-1] = '\0';
+	} else {
+		tok_copy = SMB_STRDUP(tok);
+		if (!tok_copy) {
+			return false;
+		}
+		/* Remove the terminating '/' */
+		tok_copy[PTR_DIFF(slash,tok)] = '\0';
+	}
+
+	if (!interpret_string_addr(&ss_tok, tok_copy, 0)) {
+		SAFE_FREE(tok_copy);
+		return false;
+	}
+
+	SAFE_FREE(tok_copy);
+
+        if (strlen(slash + 1) > 2) {
+		if (!interpret_string_addr(&ss_mask, slash+1, 0)) {
+			return false;
+		}
+        } else {
+		char *endp = NULL;
+		unsigned long val = strtoul(slash+1, &endp, 0);
+		if (slash+1 == endp || (endp && *endp != '\0')) {
+			return false;
+		}
+		if (!make_netmask(&ss_mask, &ss_tok, val)) {
+			return false;
+		}
+        }
+
+	return same_net(&ss_host, &ss_tok, &ss_mask);
+}
+
+/* string_match - match string s against token tok */
+static bool string_match(const char *tok,const char *s)
+{
+	size_t     tok_len;
+	size_t     str_len;
+	const char   *cut;
+
+	/* Return true if a token has the magic value "ALL". Return
+	 * true if the token is "FAIL". If the token starts with a "."
+	 * (domain name), return true if it matches the last fields of
+	 * the string. If the token has the magic value "LOCAL",
+	 * return true if the string does not contain a "."
+	 * character. If the token ends on a "." (network number),
+	 * return true if it matches the first fields of the
+	 * string. If the token begins with a "@" (netgroup name),
+	 * return true if the string is a (host) member of the
+	 * netgroup. Return true if the token fully matches the
+	 * string. If the token is a netnumber/netmask pair, return
+	 * true if the address is a member of the specified subnet.
+	 */
+
+	if (tok[0] == '.') {			/* domain: match last fields */
+		if ((str_len = strlen(s)) > (tok_len = strlen(tok))
+		    && strequal(tok, s + str_len - tok_len)) {
+			return true;
+		}
+	} else if (tok[0] == '@') { /* netgroup: look it up */
+#ifdef	HAVE_NETGROUP
+		DATA_BLOB tmp;
+		char *mydomain = NULL;
+		char *hostname = NULL;
+		bool netgroup_ok = false;
+
+		if (memcache_lookup(
+			    NULL, SINGLETON_CACHE,
+			    data_blob_string_const("yp_default_domain"),
+			    &tmp)) {
+
+			SMB_ASSERT(tmp.length > 0);
+			mydomain = (tmp.data[0] == '\0')
+				? NULL : (char *)tmp.data;
+		}
+		else {
+			yp_get_default_domain(&mydomain);
+
+			memcache_add(
+				NULL, SINGLETON_CACHE,
+				data_blob_string_const("yp_default_domain"),
+				data_blob_string_const(mydomain?mydomain:""));
+		}
+
+		if (!mydomain) {
+			DEBUG(0,("Unable to get default yp domain. "
+				"Try without it.\n"));
+		}
+		if (!(hostname = SMB_STRDUP(s))) {
+			DEBUG(1,("out of memory for strdup!\n"));
+			return false;
+		}
+
+		netgroup_ok = innetgr(tok + 1, hostname, (char *) 0, mydomain);
+
+		DEBUG(5,("looking for %s of domain %s in netgroup %s gave %s\n",
+			 hostname,
+			 mydomain?mydomain:"(ANY)",
+			 tok+1,
+			 BOOLSTR(netgroup_ok)));
+
+		SAFE_FREE(hostname);
+
+		if (netgroup_ok)
+			return true;
+#else
+		DEBUG(0,("access: netgroup support is not configured\n"));
+		return false;
+#endif
+	} else if (strequal(tok, "ALL")) {	/* all: match any */
+		return true;
+	} else if (strequal(tok, "FAIL")) {	/* fail: match any */
+		return true;
+	} else if (strequal(tok, "LOCAL")) {	/* local: no dots */
+		if (strchr_m(s, '.') == 0 && !strequal(s, "unknown")) {
+			return true;
+		}
+	} else if (strequal(tok, s)) {   /* match host name or address */
+		return true;
+	} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {	/* network */
+		if (strncmp(tok, s, tok_len) == 0) {
+			return true;
+		}
+	} else if ((cut = strchr_m(tok, '/')) != 0) {	/* netnumber/netmask */
+		if ((isdigit(s[0]) && strchr_m(tok, '.') != NULL) ||
+			(tok[0] == '[' && cut > tok && cut[-1] == ']') ||
+			((isxdigit(s[0]) || s[0] == ':') &&
+				strchr_m(tok, ':') != NULL)) {
+			/* IPv4/netmask or
+			 * [IPv6:addr]/netmask or IPv6:addr/netmask */
+			return masked_match(tok, cut, s);
+		}
+	} else if (strchr_m(tok, '*') != 0 || strchr_m(tok, '?')) {
+		return unix_wild_match(tok, s);
+	}
+	return false;
+}
+
+/* client_match - match host name and address against token */
+bool client_match(const char *tok, const void *item)
+{
+	const char **client = (const char **)item;
+
+	/*
+	 * Try to match the address first. If that fails, try to match the host
+	 * name if available.
+	 */
+
+	if (string_match(tok, client[ADDR_INDEX])) {
+		return true;
+	}
+
+	if (strnequal(client[ADDR_INDEX],"::ffff:",7) &&
+			!strnequal(tok, "::ffff:",7)) {
+		/* client[ADDR_INDEX] is an IPv4 mapped to IPv6, but
+ 		 * the list item is not. Try and match the IPv4 part of
+ 		 * address only. This will happen a lot on IPv6 enabled
+ 		 * systems with IPv4 allow/deny lists in smb.conf.
+ 		 * Bug #5311. JRA.
+ 		 */
+		if (string_match(tok, (client[ADDR_INDEX])+7)) {
+			return true;
+		}
+	}
+
+	if (client[NAME_INDEX][0] != 0) {
+		if (string_match(tok, client[NAME_INDEX])) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+/* list_match - match an item against a list of tokens with exceptions */
+bool list_match(const char **list,const void *item,
+		bool (*match_fn)(const char *, const void *))
+{
+	bool match = false;
+
+	if (!list) {
+		return false;
+	}
+
+	/*
+	 * Process tokens one at a time. We have exhausted all possible matches
+	 * when we reach an "EXCEPT" token or the end of the list. If we do find
+	 * a match, look for an "EXCEPT" list and recurse to determine whether
+	 * the match is affected by any exceptions.
+	 */
+
+	for (; *list ; list++) {
+		if (strequal(*list, "EXCEPT")) {
+			/* EXCEPT: give up */
+			break;
+		}
+		if ((match = (*match_fn) (*list, item))) {
+			/* true or FAIL */
+			break;
+		}
+	}
+	/* Process exceptions to true or FAIL matches. */
+
+	if (match != false) {
+		while (*list  && !strequal(*list, "EXCEPT")) {
+			list++;
+		}
+
+		for (; *list; list++) {
+			if ((*match_fn) (*list, item)) {
+				/* Exception Found */
+				return false;
+			}
+		}
+	}
+
+	return match;
+}
+
+/* return true if access should be allowed */
+static bool allow_access_internal(const char **deny_list,
+				const char **allow_list,
+				const char *cname,
+				const char *caddr)
+{
+	const char *client[2];
+
+	client[NAME_INDEX] = cname;
+	client[ADDR_INDEX] = caddr;
+
+	/* if it is loopback then always allow unless specifically denied */
+	if (strcmp(caddr, "127.0.0.1") == 0 || strcmp(caddr, "::1") == 0) {
+		/*
+		 * If 127.0.0.1 matches both allow and deny then allow.
+		 * Patch from Steve Langasek vorlon@netexpress.net.
+		 */
+		if (deny_list &&
+			list_match(deny_list,client,client_match) &&
+				(!allow_list ||
+				!list_match(allow_list,client, client_match))) {
+			return false;
+		}
+		return true;
+	}
+
+	/* if theres no deny list and no allow list then allow access */
+	if ((!deny_list || *deny_list == 0) &&
+	    (!allow_list || *allow_list == 0)) {
+		return true;
+	}
+
+	/* if there is an allow list but no deny list then allow only hosts
+	   on the allow list */
+	if (!deny_list || *deny_list == 0) {
+		return(list_match(allow_list,client,client_match));
+	}
+
+	/* if theres a deny list but no allow list then allow
+	   all hosts not on the deny list */
+	if (!allow_list || *allow_list == 0) {
+		return(!list_match(deny_list,client,client_match));
+	}
+
+	/* if there are both types of list then allow all hosts on the
+           allow list */
+	if (list_match(allow_list,(const char *)client,client_match)) {
+		return true;
+	}
+
+	/* if there are both types of list and it's not on the allow then
+	   allow it if its not on the deny */
+	if (list_match(deny_list,(const char *)client,client_match)) {
+		return false;
+	}
+
+	return true;
+}
+
+/* return true if access should be allowed */
+bool allow_access(const char **deny_list,
+		const char **allow_list,
+		const char *cname,
+		const char *caddr)
+{
+	bool ret;
+	char *nc_cname = smb_xstrdup(cname);
+	char *nc_caddr = smb_xstrdup(caddr);
+
+	ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
+
+	SAFE_FREE(nc_cname);
+	SAFE_FREE(nc_caddr);
+	return ret;
+}
+
+/* return true if the char* contains ip addrs only.  Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+	bool only_ip = true;
+
+	if (!list) {
+		return true;
+	}
+
+	for (; *list ; list++) {
+		/* factor out the special strings */
+		if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+		    strequal(*list, "EXCEPT")) {
+			continue;
+		}
+
+		if (!is_ipaddress(*list)) {
+			/*
+			 * If we failed, make sure that it was not because
+			 * the token was a network/netmask pair. Only
+			 * network/netmask pairs have a '/' in them.
+			 */
+			if ((strchr_m(*list, '/')) == NULL) {
+				only_ip = false;
+				DEBUG(3,("only_ipaddrs_in_list: list has "
+					"non-ip address (%s)\n",
+					*list));
+				break;
+			}
+		}
+	}
+
+	return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+bool check_access(int sock, const char **allow_list, const char **deny_list)
+{
+	bool ret = false;
+	bool only_ip = false;
+
+	if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0))
+		ret = true;
+
+	if (!ret) {
+		char addr[INET6_ADDRSTRLEN];
+
+		/* Bypass name resolution calls if the lists
+		 * only contain IP addrs */
+		if (only_ipaddrs_in_list(allow_list) &&
+				only_ipaddrs_in_list(deny_list)) {
+			only_ip = true;
+			DEBUG (3, ("check_access: no hostnames "
+				"in host allow/deny list.\n"));
+			ret = allow_access(deny_list,
+					allow_list,
+					"",
+					get_peer_addr(sock,addr,sizeof(addr)));
+		} else {
+			DEBUG (3, ("check_access: hostnames in "
+				"host allow/deny list.\n"));
+			ret = allow_access(deny_list,
+					allow_list,
+					get_peer_name(sock,true),
+					get_peer_addr(sock,addr,sizeof(addr)));
+		}
+
+		if (ret) {
+			DEBUG(2,("Allowed connection from %s (%s)\n",
+				 only_ip ? "" : get_peer_name(sock,true),
+				 get_peer_addr(sock,addr,sizeof(addr))));
+		} else {
+			DEBUG(0,("Denied connection from %s (%s)\n",
+				 only_ip ? "" : get_peer_name(sock,true),
+				 get_peer_addr(sock,addr,sizeof(addr))));
+		}
+	}
+
+	return(ret);
+}
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
new file mode 100644
index 0000000000..1e435ca53e
--- /dev/null
+++ b/source3/lib/account_pol.c
@@ -0,0 +1,454 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  account policy storage
+ *  Copyright (C) Jean François Micouleau      1998-2001.
+ *  Copyright (C) Andrew Bartlett              2002
+ *  Copyright (C) Guenther Deschner            2004-2005
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+static struct db_context *db;
+
+/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
+ * after this period if admins do not use pdbedit or usermanager but manipulate
+ * ldap directly) - gd */
+
+#define DATABASE_VERSION 	3
+#define AP_TTL			60
+
+
+struct ap_table {
+	int field;
+	const char *string;
+	uint32 default_val;
+	const char *description;
+	const char *ldap_attr;
+};
+
+static const struct ap_table account_policy_names[] = {
+	{AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, 
+		"Minimal password length (default: 5)", 
+		"sambaMinPwdLength" },
+
+	{AP_PASSWORD_HISTORY, "password history", 0,
+		"Length of Password History Entries (default: 0 => off)", 
+		"sambaPwdHistoryLength" },
+		
+	{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
+		"Force Users to logon for password change (default: 0 => off, 2 => on)",
+		"sambaLogonToChgPwd" },
+	
+	{AP_MAX_PASSWORD_AGE, "maximum password age", (uint32) -1,
+		"Maximum password age, in seconds (default: -1 => never expire passwords)", 
+		"sambaMaxPwdAge" },
+		
+	{AP_MIN_PASSWORD_AGE,"minimum password age", 0,
+		"Minimal password age, in seconds (default: 0 => allow immediate password change)", 
+		"sambaMinPwdAge" },
+		
+	{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
+		"Lockout duration in minutes (default: 30, -1 => forever)",
+		"sambaLockoutDuration" },
+		
+	{AP_RESET_COUNT_TIME, "reset count minutes", 30,
+		"Reset time after lockout in minutes (default: 30)", 
+		"sambaLockoutObservationWindow" },
+		
+	{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
+		"Lockout users after bad logon attempts (default: 0 => off)", 
+		"sambaLockoutThreshold" },
+		
+	{AP_TIME_TO_LOGOUT, "disconnect time", (uint32) -1,
+		"Disconnect Users outside logon hours (default: -1 => off, 0 => on)", 
+		"sambaForceLogoff" }, 
+		
+	{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
+		"Allow Machine Password changes (default: 0 => off)",
+		"sambaRefuseMachinePwdChange" },
+		
+	{0, NULL, 0, "", NULL}
+};
+
+void account_policy_names_list(const char ***names, int *num_names)
+{	
+	const char **nl;
+	int i, count;
+
+	for (count=0; account_policy_names[count].string; count++) {
+	}
+	nl = SMB_MALLOC_ARRAY(const char *, count);
+	if (!nl) {
+		*num_names = 0;
+		return;
+	}
+	for (i=0; account_policy_names[i].string; i++) {
+		nl[i] = account_policy_names[i].string;
+	}
+	*num_names = count;
+	*names = nl;
+	return;
+}
+
+/****************************************************************************
+Get the account policy name as a string from its #define'ed number
+****************************************************************************/
+
+const char *decode_account_policy_name(int field)
+{
+	int i;
+	for (i=0; account_policy_names[i].string; i++) {
+		if (field == account_policy_names[i].field) {
+			return account_policy_names[i].string;
+		}
+	}
+	return NULL;
+}
+
+/****************************************************************************
+Get the account policy LDAP attribute as a string from its #define'ed number
+****************************************************************************/
+
+const char *get_account_policy_attr(int field)
+{
+	int i;
+	for (i=0; account_policy_names[i].field; i++) {
+		if (field == account_policy_names[i].field) {
+			return account_policy_names[i].ldap_attr;
+		}
+	}
+	return NULL;
+}
+
+/****************************************************************************
+Get the account policy description as a string from its #define'ed number
+****************************************************************************/
+
+const char *account_policy_get_desc(int field)
+{
+	int i;
+	for (i=0; account_policy_names[i].string; i++) {
+		if (field == account_policy_names[i].field) {
+			return account_policy_names[i].description;
+		}
+	}
+	return NULL;
+}
+
+/****************************************************************************
+Get the account policy name as a string from its #define'ed number
+****************************************************************************/
+
+int account_policy_name_to_fieldnum(const char *name)
+{
+	int i;
+	for (i=0; account_policy_names[i].string; i++) {
+		if (strcmp(name, account_policy_names[i].string) == 0) {
+			return account_policy_names[i].field;
+		}
+	}
+	return 0;
+}
+
+/*****************************************************************************
+Get default value for account policy
+*****************************************************************************/
+
+bool account_policy_get_default(int account_policy, uint32 *val)
+{
+	int i;
+	for (i=0; account_policy_names[i].field; i++) {
+		if (account_policy_names[i].field == account_policy) {
+			*val = account_policy_names[i].default_val;
+			return True;
+		}
+	}
+	DEBUG(0,("no default for account_policy index %d found. This should never happen\n", 
+		account_policy));
+	return False;
+}
+
+/*****************************************************************************
+ Set default for a field if it is empty
+*****************************************************************************/
+
+static bool account_policy_set_default_on_empty(int account_policy)
+{
+
+	uint32 value;
+
+	if (!account_policy_get(account_policy, &value) && 
+	    !account_policy_get_default(account_policy, &value)) {
+		return False;
+	}
+
+	return account_policy_set(account_policy, value);
+}
+
+/*****************************************************************************
+ Open the account policy tdb.
+***`*************************************************************************/
+
+bool init_account_policy(void)
+{
+
+	const char *vstring = "INFO/version";
+	uint32 version;
+	int i;
+
+	if (db != NULL) {
+		return True;
+	}
+
+	db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
+		     O_RDWR, 0600);
+
+	if (db == NULL) { /* the account policies files does not exist or open
+			   * failed, try to create a new one */
+		db = db_open(NULL, state_path("account_policy.tdb"), 0,
+			     TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+		if (db == NULL) {
+			DEBUG(0,("Failed to open account policy database\n"));
+			return False;
+		}
+	}
+
+	version = dbwrap_fetch_int32(db, vstring);
+	if (version == DATABASE_VERSION) {
+		return true;
+	}
+
+	/* handle a Samba upgrade */
+
+	if (db->transaction_start(db) != 0) {
+		DEBUG(0, ("transaction_start failed\n"));
+		TALLOC_FREE(db);
+		return false;
+	}
+
+	version = dbwrap_fetch_int32(db, vstring);
+	if (version == DATABASE_VERSION) {
+		/*
+		 * Race condition
+		 */
+		if (db->transaction_cancel(db)) {
+			smb_panic("transaction_cancel failed");
+		}
+		return true;
+	}
+
+	if (version != DATABASE_VERSION) {
+		if (dbwrap_store_uint32(db, vstring, DATABASE_VERSION) != 0) {
+			DEBUG(0, ("dbwrap_store_uint32 failed\n"));
+			goto cancel;
+		}
+
+		for (i=0; account_policy_names[i].field; i++) {
+
+			if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
+				DEBUG(0,("failed to set default value in account policy tdb\n"));
+				goto cancel;
+			}
+		}
+	}
+
+	/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+	privilege_create_account( &global_sid_World );
+	privilege_create_account( &global_sid_Builtin_Account_Operators );
+	privilege_create_account( &global_sid_Builtin_Server_Operators );
+	privilege_create_account( &global_sid_Builtin_Print_Operators );
+	privilege_create_account( &global_sid_Builtin_Backup_Operators );
+
+	/* BUILTIN\Administrators get everything -- *always* */
+
+	if ( lp_enable_privileges() ) {
+		if ( !grant_all_privileges( &global_sid_Builtin_Administrators ) ) {
+			DEBUG(1,("init_account_policy: Failed to grant privileges "
+				"to BUILTIN\\Administrators!\n"));
+		}
+	}
+
+	if (db->transaction_commit(db) != 0) {
+		DEBUG(0, ("transaction_commit failed\n"));
+		TALLOC_FREE(db);
+		return false;
+	}
+
+	return True;
+
+ cancel:
+	if (db->transaction_cancel(db)) {
+		smb_panic("transaction_cancel failed");
+	}
+	TALLOC_FREE(db);
+
+	return false;
+}
+
+/*****************************************************************************
+Get an account policy (from tdb) 
+*****************************************************************************/
+
+bool account_policy_get(int field, uint32 *value)
+{
+	const char *name;
+	uint32 regval;
+
+	if (!init_account_policy()) {
+		return False;
+	}
+
+	if (value) {
+		*value = 0;
+	}
+
+	name = decode_account_policy_name(field);
+	if (name == NULL) {
+		DEBUG(1, ("account_policy_get: Field %d is not a valid account policy type!  Cannot get, returning 0.\n", field));
+		return False;
+	}
+	
+	if (!dbwrap_fetch_uint32(db, name, &regval)) {
+		DEBUG(1, ("account_policy_get: tdb_fetch_uint32 failed for field %d (%s), returning 0\n", field, name));
+		return False;
+	}
+	
+	if (value) {
+		*value = regval;
+	}
+
+	DEBUG(10,("account_policy_get: name: %s, val: %d\n", name, regval));
+	return True;
+}
+
+
+/****************************************************************************
+Set an account policy (in tdb) 
+****************************************************************************/
+
+bool account_policy_set(int field, uint32 value)
+{
+	const char *name;
+	NTSTATUS status;
+
+	if (!init_account_policy()) {
+		return False;
+	}
+
+	name = decode_account_policy_name(field);
+	if (name == NULL) {
+		DEBUG(1, ("Field %d is not a valid account policy type!  Cannot set.\n", field));
+		return False;
+	}
+
+	status = dbwrap_trans_store_uint32(db, name, value);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("store_uint32 failed for field %d (%s) on value "
+			  "%u: %s\n", field, name, value, nt_errstr(status)));
+		return False;
+	}
+
+	DEBUG(10,("account_policy_set: name: %s, value: %d\n", name, value));
+	
+	return True;
+}
+
+/****************************************************************************
+Set an account policy in the cache 
+****************************************************************************/
+
+bool cache_account_policy_set(int field, uint32 value)
+{
+	const char *policy_name = NULL;
+	char *cache_key = NULL;
+	char *cache_value = NULL;
+	bool ret = False;
+
+	policy_name = decode_account_policy_name(field);
+	if (policy_name == NULL) {
+		DEBUG(0,("cache_account_policy_set: no policy found\n"));
+		return False;
+	}
+
+	if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
+		DEBUG(0, ("asprintf failed\n"));
+		goto done;
+	}
+
+	if (asprintf(&cache_value, "%lu\n", (unsigned long)value) < 0) {
+		DEBUG(0, ("asprintf failed\n"));
+		goto done;
+	}
+
+	DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
+
+	ret = gencache_set(cache_key, cache_value, time(NULL)+AP_TTL);
+
+ done:
+	SAFE_FREE(cache_key);
+	SAFE_FREE(cache_value);
+	return ret;
+}
+
+/*****************************************************************************
+Get an account policy from the cache 
+*****************************************************************************/
+
+bool cache_account_policy_get(int field, uint32 *value)
+{
+	const char *policy_name = NULL;
+	char *cache_key = NULL;
+	char *cache_value = NULL;
+	bool ret = False;
+
+	policy_name = decode_account_policy_name(field);
+	if (policy_name == NULL) {
+		DEBUG(0,("cache_account_policy_set: no policy found\n"));
+		return False;
+	}
+
+	if (asprintf(&cache_key, "ACCT_POL/%s", policy_name) < 0) {
+		DEBUG(0, ("asprintf failed\n"));
+		goto done;
+	}
+
+	if (gencache_get(cache_key, &cache_value, NULL)) {
+		uint32 tmp = strtoul(cache_value, NULL, 10);
+		*value = tmp;
+		ret = True;
+	}
+
+ done:
+	SAFE_FREE(cache_key);
+	SAFE_FREE(cache_value);
+	return ret;
+}
+
+/****************************************************************************
+****************************************************************************/
+
+struct db_context *get_account_pol_db( void )
+{
+
+	if ( db == NULL ) {
+		if ( !init_account_policy() ) {
+			return NULL;
+		}
+	}
+
+	return db;
+}
+
diff --git a/source3/lib/adt_tree.c b/source3/lib/adt_tree.c
new file mode 100644
index 0000000000..6ac498d9e6
--- /dev/null
+++ b/source3/lib/adt_tree.c
@@ -0,0 +1,430 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Generic Abstract Data Types
+ *  Copyright (C) Gerald Carter                     2002.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "adt_tree.h"
+
+
+/**************************************************************************
+ *************************************************************************/
+
+static bool trim_tree_keypath( char *path, char **base, char **new_path )
+{
+	char *p;
+	
+	*new_path = *base = NULL;
+	
+	if ( !path )
+		return False;
+	
+	*base = path;
+	
+	p = strchr( path, '/' );
+	
+	if ( p ) {
+		*p = '\0';
+		*new_path = p+1;
+	}
+	
+	return True;
+}
+
+ 
+/**************************************************************************
+ Initialize the tree's root.  The cmp_fn is a callback function used
+ for comparision of two children
+ *************************************************************************/
+
+ SORTED_TREE* pathtree_init( void *data_p, int (cmp_fn)(void*, void*) )
+{
+	SORTED_TREE *tree = NULL;
+	
+	if ( !(tree = TALLOC_ZERO_P(NULL, SORTED_TREE)) )
+		return NULL;
+		
+	tree->compare = cmp_fn;
+	
+	if ( !(tree->root = TALLOC_ZERO_P(tree, TREE_NODE)) ) {
+		TALLOC_FREE( tree );
+		return NULL;
+	}
+	
+	tree->root->data_p = data_p;
+	
+	return tree;
+}
+
+
+/**************************************************************************
+ Find the next child given a key string
+ *************************************************************************/
+
+static TREE_NODE* pathtree_birth_child( TREE_NODE *node, char* key )
+{
+	TREE_NODE *infant = NULL;
+	TREE_NODE **siblings;
+	int i;
+	
+	if ( !(infant = TALLOC_ZERO_P( node, TREE_NODE)) )
+		return NULL;
+	
+	infant->key = talloc_strdup( infant, key );
+	infant->parent = node;
+	
+	siblings = TALLOC_REALLOC_ARRAY( node, node->children, TREE_NODE *, node->num_children+1 );
+	
+	if ( siblings )
+		node->children = siblings;
+	
+	node->num_children++;
+	
+	/* first child */
+	
+	if ( node->num_children == 1 ) {
+		DEBUG(11,("pathtree_birth_child: First child of node [%s]! [%s]\n", 
+			node->key ? node->key : "NULL", infant->key ));
+		node->children[0] = infant;
+	}
+	else 
+	{
+		/* 
+		 * multiple siblings .... (at least 2 children)
+		 * 
+		 * work from the end of the list forward 
+		 * The last child is not set at this point 
+		 * Insert the new infanct in ascending order 
+		 * from left to right
+		 */
+	
+		for ( i = node->num_children-1; i>=1; i-- )
+		{
+			DEBUG(11,("pathtree_birth_child: Looking for crib; infant -> [%s], child -> [%s]\n",
+				infant->key, node->children[i-1]->key));
+			
+			/* the strings should never match assuming that we 
+			   have called pathtree_find_child() first */
+		
+			if ( StrCaseCmp( infant->key, node->children[i-1]->key ) > 0 ) {
+				DEBUG(11,("pathtree_birth_child: storing infant in i == [%d]\n", 
+					i));
+				node->children[i] = infant;
+				break;
+			}
+			
+			/* bump everything towards the end on slot */
+			
+			node->children[i] = node->children[i-1];
+		}
+
+		DEBUG(11,("pathtree_birth_child: Exiting loop (i == [%d])\n", i ));
+		
+		/* if we haven't found the correct slot yet, the child 
+		   will be first in the list */
+		   
+		if ( i == 0 )
+			node->children[0] = infant;
+	}
+
+	return infant;
+}
+
+/**************************************************************************
+ Find the next child given a key string
+ *************************************************************************/
+
+static TREE_NODE* pathtree_find_child( TREE_NODE *node, char* key )
+{
+	TREE_NODE *next = NULL;
+	int i, result;
+	
+	if ( !node ) {
+		DEBUG(0,("pathtree_find_child: NULL node passed into function!\n"));
+		return NULL;
+	}
+	
+	if ( !key ) {
+		DEBUG(0,("pathtree_find_child: NULL key string passed into function!\n"));
+		return NULL;
+	}
+	
+	for ( i=0; i<node->num_children; i++ )
+	{	
+		DEBUG(11,("pathtree_find_child: child key => [%s]\n",
+			node->children[i]->key));
+			
+		result = StrCaseCmp( node->children[i]->key, key );
+		
+		if ( result == 0 )
+			next = node->children[i];
+		
+		/* if result > 0 then we've gone to far because
+		   the list of children is sorted by key name 
+		   If result == 0, then we have a match         */
+		   
+		if ( result > 0 )
+			break;
+	}
+
+	DEBUG(11,("pathtree_find_child: %s [%s]\n",
+		next ? "Found" : "Did not find", key ));	
+	
+	return next;
+}
+
+/**************************************************************************
+ Add a new node into the tree given a key path and a blob of data
+ *************************************************************************/
+
+ WERROR pathtree_add( SORTED_TREE *tree, const char *path, void *data_p )
+{
+	char *str, *base, *path2;
+	TREE_NODE *current, *next;
+	WERROR ret = WERR_OK;
+	
+	DEBUG(8,("pathtree_add: Enter\n"));
+		
+	if ( !path || *path != '/' ) {
+		DEBUG(0,("pathtree_add: Attempt to add a node with a bad path [%s]\n",
+			path ? path : "NULL" ));
+		return WERR_INVALID_PARAM;
+	}
+	
+	if ( !tree ) {
+		DEBUG(0,("pathtree_add: Attempt to add a node to an uninitialized tree!\n"));
+		return WERR_INVALID_PARAM;
+	}
+	
+	/* move past the first '/' */
+	
+	path++;	
+	path2 = SMB_STRDUP( path );
+	if ( !path2 ) {
+		DEBUG(0,("pathtree_add: strdup() failed on string [%s]!?!?!\n", path));
+		return WERR_NOMEM;
+	}
+	
+
+	/* 
+	 * this works sort of like a 'mkdir -p'	call, possibly 
+	 * creating an entire path to the new node at once
+	 * The path should be of the form /<key1>/<key2>/...
+	 */
+	
+	base = path2;
+	str  = path2;
+	current = tree->root;
+	
+	do {
+		/* break off the remaining part of the path */
+		
+		str = strchr( str, '/' );
+		if ( str )
+			*str = '\0';
+			
+		/* iterate to the next child--birth it if necessary */
+		
+		next = pathtree_find_child( current, base );
+		if ( !next ) {
+			next = pathtree_birth_child( current, base );
+			if ( !next ) {
+				DEBUG(0,("pathtree_add: Failed to create new child!\n"));
+				ret = WERR_NOMEM;
+				goto done;
+			}
+		}
+		current = next;
+		
+		/* setup the next part of the path */
+		
+		base = str;
+		if ( base ) {
+			*base = '/';
+			base++;
+			str = base;
+		}
+	
+	} while ( base != NULL );
+	
+	current->data_p = data_p;
+	
+	DEBUG(10,("pathtree_add: Successfully added node [%s] to tree\n",
+		path ));
+
+	DEBUG(8,("pathtree_add: Exit\n"));
+
+done:
+	SAFE_FREE( path2 );
+	return ret;
+}
+
+
+/**************************************************************************
+ Recursive routine to print out all children of a TREE_NODE
+ *************************************************************************/
+
+static void pathtree_print_children(TALLOC_CTX *ctx,
+				TREE_NODE *node,
+				int debug,
+				const char *path )
+{
+	int i;
+	int num_children;
+	char *path2 = NULL;
+
+	if ( !node )
+		return;
+
+	if ( node->key )
+		DEBUG(debug,("%s: [%s] (%s)\n", path ? path : "NULL", node->key,
+			node->data_p ? "data" : "NULL" ));
+
+	if ( path ) {
+		path2 = talloc_strdup(ctx, path);
+		if (!path2) {
+			return;
+		}
+	}
+
+	path2 = talloc_asprintf(ctx,
+			"%s%s/",
+			path ? path : "",
+			node->key ? node->key : "NULL");
+	if (!path2) {
+		return;
+	}
+
+	num_children = node->num_children;
+	for ( i=0; i<num_children; i++ ) {
+		pathtree_print_children(ctx, node->children[i], debug, path2 );
+	}
+}
+
+/**************************************************************************
+ Dump the kys for a tree to the log file
+ *************************************************************************/
+
+ void pathtree_print_keys( SORTED_TREE *tree, int debug )
+{
+	int i;
+	int num_children = tree->root->num_children;
+
+	if ( tree->root->key )
+		DEBUG(debug,("ROOT/: [%s] (%s)\n", tree->root->key,
+			tree->root->data_p ? "data" : "NULL" ));
+
+	for ( i=0; i<num_children; i++ ) {
+		TALLOC_CTX *ctx = talloc_stackframe();
+		pathtree_print_children(ctx, tree->root->children[i], debug,
+			tree->root->key ? tree->root->key : "ROOT/" );
+		TALLOC_FREE(ctx);
+	}
+
+}
+
+/**************************************************************************
+ return the data_p for for the node in tree matching the key string
+ The key string is the full path.  We must break it apart and walk
+ the tree
+ *************************************************************************/
+
+ void* pathtree_find( SORTED_TREE *tree, char *key )
+{
+	char *keystr, *base = NULL, *str = NULL, *p;
+	TREE_NODE *current;
+	void *result = NULL;
+	
+	DEBUG(10,("pathtree_find: Enter [%s]\n", key ? key : "NULL" ));
+
+	/* sanity checks first */
+	
+	if ( !key ) {
+		DEBUG(0,("pathtree_find: Attempt to search tree using NULL search string!\n"));
+		return NULL;
+	}
+	
+	if ( !tree ) {
+		DEBUG(0,("pathtree_find: Attempt to search an uninitialized tree using string [%s]!\n",
+			key ? key : "NULL" ));
+		return NULL;
+	}
+	
+	if ( !tree->root )
+		return NULL;
+	
+	/* make a copy to play with */
+	
+	if ( *key == '/' )
+		keystr = SMB_STRDUP( key+1 );
+	else
+		keystr = SMB_STRDUP( key );
+	
+	if ( !keystr ) {
+		DEBUG(0,("pathtree_find: strdup() failed on string [%s]!?!?!\n", key));
+		return NULL;
+	}
+
+	/* start breaking the path apart */
+	
+	p = keystr;
+	current = tree->root;
+	
+	if ( tree->root->data_p )
+		result = tree->root->data_p;
+		
+	do
+	{
+		/* break off the remaining part of the path */
+
+		trim_tree_keypath( p, &base, &str );
+			
+		DEBUG(11,("pathtree_find: [loop] base => [%s], new_path => [%s]\n", 
+			base ? base : "",
+			str ? str : ""));
+
+		/* iterate to the next child */
+		
+		current = pathtree_find_child( current, base );
+	
+		/* 
+		 * the idea is that the data_p for a parent should 
+		 * be inherited by all children, but allow it to be 
+		 * overridden farther down
+		 */
+		
+		if ( current && current->data_p )
+			result = current->data_p;
+
+		/* reset the path pointer 'p' to the remaining part of the key string */
+
+		p = str;
+	   
+	} while ( str && current );
+	
+	/* result should be the data_p from the lowest match node in the tree */
+	if ( result )
+		DEBUG(11,("pathtree_find: Found data_p!\n"));
+	
+	SAFE_FREE( keystr );
+	
+	DEBUG(10,("pathtree_find: Exit\n"));
+	
+	return result;
+}
+
+
diff --git a/source3/lib/afs.c b/source3/lib/afs.c
new file mode 100644
index 0000000000..7193f0e46d
--- /dev/null
+++ b/source3/lib/afs.c
@@ -0,0 +1,298 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
+			      const struct ClearToken *ct)
+{
+	char *base64_ticket;
+	char *result = NULL;
+
+	DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
+	char *base64_key;
+	TALLOC_CTX *mem_ctx;
+
+	mem_ctx = talloc_stackframe();
+	if (mem_ctx == NULL)
+		goto done;
+
+	base64_ticket = base64_encode_data_blob(mem_ctx, ticket);
+	if (base64_ticket == NULL)
+		goto done;
+
+	base64_key = base64_encode_data_blob(mem_ctx, key);
+	if (base64_key == NULL)
+		goto done;
+
+	asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
+		 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
+		 ct->EndTimestamp, base64_ticket);
+
+	DEBUG(10, ("Got ticket string:\n%s\n", result));
+
+done:
+	TALLOC_FREE(mem_ctx);
+
+	return result;
+}
+
+/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
+ * ViceId set, this should be set by the caller. */
+
+static bool afs_createtoken(const char *username, const char *cell,
+			    DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	fstring clear_ticket;
+	char *p = clear_ticket;
+	uint32 len;
+	uint32 now;
+
+	struct afs_key key;
+	des_key_schedule key_schedule;
+
+	if (!secrets_init()) 
+		return False;
+
+	if (!secrets_fetch_afs_key(cell, &key)) {
+		DEBUG(1, ("Could not fetch AFS service key\n"));
+		return False;
+	}
+
+	ct->AuthHandle = key.kvno;
+
+	/* Build the ticket. This is going to be encrypted, so in our
+           way we fill in ct while we still have the unencrypted
+           form. */
+
+	p = clear_ticket;
+
+	/* The byte-order */
+	*p = 1;
+	p += 1;
+
+	/* "Alice", the client username */
+	strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* Alice's network layer address. At least Openafs-1.2.10
+           ignores this, so we fill in a dummy value here. */
+	SIVAL(p, 0, 0);
+	p += 4;
+
+	/* We need to create a session key */
+	generate_random_buffer(p, 8);
+
+	/* Our client code needs the the key in the clear, it does not
+           know the server-key ... */
+	memcpy(ct->HandShakeKey, p, 8);
+
+	p += 8;
+
+	/* This is a kerberos 4 life time. The life time is expressed
+	 * in units of 5 minute intervals up to 38400 seconds, after
+	 * that a table is used up to lifetime 0xBF. Values between
+	 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
+	 * infinite time that never expire.
+	 *
+	 * So here we cheat and use the infinite time */
+	*p = 255;
+	p += 1;
+
+	/* Ticket creation time */
+	now = time(NULL);
+	SIVAL(p, 0, now);
+	ct->BeginTimestamp = now;
+
+	if(lp_afs_token_lifetime() == 0)
+		ct->EndTimestamp = NEVERDATE;
+	else
+		ct->EndTimestamp = now + lp_afs_token_lifetime();
+
+	if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
+		ct->BeginTimestamp += 1; /* Lifetime must be even */
+	}
+	p += 4;
+
+	/* And here comes Bob's name and instance, in this case the
+           AFS server. */
+	strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+	strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
+	p += strlen(p)+1;
+
+	/* And zero-pad to a multiple of 8 bytes */
+	len = PTR_DIFF(p, clear_ticket);
+	if (len & 7) {
+		uint32 extra_space = 8-(len & 7);
+		memset(p, 0, extra_space);
+		p+=extra_space;
+	}
+	len = PTR_DIFF(p, clear_ticket);
+
+	des_key_sched((const_des_cblock *)key.key, key_schedule);
+	des_pcbc_encrypt(clear_ticket, clear_ticket,
+			 len, key_schedule, (C_Block *)key.key, 1);
+
+	ZERO_STRUCT(key);
+
+	*ticket = data_blob(clear_ticket, len);
+
+	return True;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	char *result;
+
+	if (!afs_createtoken(username, cell, &ticket, &ct))
+		return NULL;
+
+	result = afs_encode_token(cell, ticket, &ct);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+/*
+  This routine takes a radical approach completely bypassing the
+  Kerberos idea of security and using AFS simply as an intelligent
+  file backend. Samba has persuaded itself somehow that the user is
+  actually correctly identified and then we create a ticket that the
+  AFS server hopefully accepts using its KeyFile that the admin has
+  kindly stored to our secrets.tdb.
+
+  Thanks to the book "Network Security -- PRIVATE Communication in a
+  PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
+  Kerberos 4 tickets are not really hard to construct.
+
+  For the comments "Alice" is the User to be auth'ed, and "Bob" is the
+  AFS server.  */
+
+bool afs_login(connection_struct *conn)
+{
+	DATA_BLOB ticket;
+	char *afs_username = NULL;
+	char *cell = NULL;
+	bool result;
+	char *ticket_str = NULL;
+	const DOM_SID *user_sid;
+	TALLOC_CTX *ctx = talloc_tos();
+
+	struct ClearToken ct;
+
+	afs_username = talloc_strdup(ctx,
+				lp_afs_username_map());
+	if (!afs_username) {
+		return false;
+	}
+
+	afs_username = talloc_sub_advanced(ctx,
+				SNUM(conn), conn->user,
+				conn->connectpath, conn->gid,
+				conn->server_info->sanitized_username,
+				pdb_get_domain(conn->server_info->sam_account),
+				afs_username);
+	if (!afs_username) {
+		return false;
+	}
+
+	user_sid = &conn->server_info->ptok->user_sids[0];
+	afs_username = talloc_string_sub(talloc_tos(),
+					afs_username,
+					"%s",
+					sid_string_tos(user_sid));
+	if (!afs_username) {
+		return false;
+	}
+
+	/* The pts command always generates completely lower-case user
+	 * names. */
+	strlower_m(afs_username);
+
+	cell = strchr(afs_username, '@');
+
+	if (cell == NULL) {
+		DEBUG(1, ("AFS username doesn't contain a @, "
+			  "could not find cell\n"));
+		return false;
+	}
+
+	*cell = '\0';
+	cell += 1;
+
+	DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
+		   afs_username, cell));
+
+	if (!afs_createtoken(afs_username, cell, &ticket, &ct))
+		return False;
+
+	/* For which Unix-UID do we want to set the token? */
+	ct.ViceId = getuid();
+
+	ticket_str = afs_encode_token(cell, ticket, &ct);
+
+	result = afs_settoken_str(ticket_str);
+
+	SAFE_FREE(ticket_str);
+
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+bool afs_login(connection_struct *conn)
+{
+	return True;
+}
+
+char *afs_createtoken_str(const char *username, const char *cell)
+{
+	return NULL;
+}
+
+#endif /* WITH_FAKE_KASERVER */
diff --git a/source3/lib/afs_settoken.c b/source3/lib/afs_settoken.c
new file mode 100644
index 0000000000..444f09efca
--- /dev/null
+++ b/source3/lib/afs_settoken.c
@@ -0,0 +1,239 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Generate AFS tickets
+ *  Copyright (C) Volker Lendecke 2004
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#ifdef WITH_FAKE_KASERVER
+
+#define NO_ASN1_TYPEDEFS 1
+
+#include <afs/stds.h>
+#include <afs/afs.h>
+#include <afs/auth.h>
+#include <afs/venus.h>
+#include <asm/unistd.h>
+#include <openssl/des.h>
+#include <sys/syscall.h>
+
+int afs_syscall( int subcall,
+	  char * path,
+	  int cmd,
+	  char * cmarg,
+	  int follow)
+{
+	return( syscall( SYS_afs_syscall, subcall, path, cmd, cmarg, follow));
+}
+
+struct ClearToken {
+	uint32 AuthHandle;
+	char HandShakeKey[8];
+	uint32 ViceId;
+	uint32 BeginTimestamp;
+	uint32 EndTimestamp;
+};
+
+static bool afs_decode_token(const char *string, char **cell,
+			     DATA_BLOB *ticket, struct ClearToken *ct)
+{
+	DATA_BLOB blob;
+	struct ClearToken result_ct;
+	char *saveptr;
+
+	char *s = SMB_STRDUP(string);
+
+	char *t;
+
+	if ((t = strtok_r(s, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	*cell = SMB_STRDUP(t);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) {
+		DEBUG(10, ("sscanf AuthHandle failed\n"));
+		return False;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if ( (blob.data == NULL) ||
+	     (blob.length != sizeof(result_ct.HandShakeKey) )) {
+		DEBUG(10, ("invalid key: %x/%d\n", (uint32)blob.data,
+			   blob.length));
+		return False;
+	}
+
+	memcpy(result_ct.HandShakeKey, blob.data, blob.length);
+
+	data_blob_free(&blob);
+
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	if (sscanf(t, "%u", &result_ct.ViceId) != 1) {
+		DEBUG(10, ("sscanf ViceId failed\n"));
+		return False;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) {
+		DEBUG(10, ("sscanf BeginTimestamp failed\n"));
+		return False;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) {
+		DEBUG(10, ("sscanf EndTimestamp failed\n"));
+		return False;
+	}
+		
+	if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) {
+		DEBUG(10, ("strtok_r failed\n"));
+		return False;
+	}
+
+	blob = base64_decode_data_blob(t);
+
+	if (blob.data == NULL) {
+		DEBUG(10, ("Could not get ticket\n"));
+		return False;
+	}
+
+	*ticket = blob;
+	*ct = result_ct;
+
+	return True;
+}
+
+/*
+  Put an AFS token into the Kernel so that it can authenticate against
+  the AFS server. This assumes correct local uid settings.
+
+  This is currently highly Linux and OpenAFS-specific. The correct API
+  call for this would be ktc_SetToken. But to do that we would have to
+  import a REALLY big bunch of libraries which I would currently like
+  to avoid. 
+*/
+
+static bool afs_settoken(const char *cell,
+			 const struct ClearToken *ctok,
+			 DATA_BLOB ticket)
+{
+	int ret;
+	struct {
+		char *in, *out;
+		uint16 in_size, out_size;
+	} iob;
+
+	char buf[1024];
+	char *p = buf;
+	int tmp;
+
+	memcpy(p, &ticket.length, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ticket.data, ticket.length);
+	p += ticket.length;
+
+	tmp = sizeof(struct ClearToken);
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+	memcpy(p, ctok, tmp);
+	p += tmp;
+
+	tmp = 0;
+
+	memcpy(p, &tmp, sizeof(uint32));
+	p += sizeof(uint32);
+
+	tmp = strlen(cell);
+	if (tmp >= MAXKTCREALMLEN) {
+		DEBUG(1, ("Realm too long\n"));
+		return False;
+	}
+
+	strncpy(p, cell, tmp);
+	p += tmp;
+	*p = 0;
+	p +=1;
+
+	iob.in = buf;
+	iob.in_size = PTR_DIFF(p,buf);
+	iob.out = buf;
+	iob.out_size = sizeof(buf);
+
+#if 0
+	file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
+#endif
+
+	ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
+
+	DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
+	return (ret == 0);
+}
+
+bool afs_settoken_str(const char *token_string)
+{
+	DATA_BLOB ticket;
+	struct ClearToken ct;
+	bool result;
+	char *cell;
+
+	if (!afs_decode_token(token_string, &cell, &ticket, &ct))
+		return False;
+
+	if (geteuid() != 0)
+		ct.ViceId = getuid();
+
+	result = afs_settoken(cell, &ct, ticket);
+
+	SAFE_FREE(cell);
+	data_blob_free(&ticket);
+
+	return result;
+}
+
+#else
+
+bool afs_settoken_str(const char *token_string)
+{
+	return False;
+}
+
+#endif
diff --git a/source3/lib/arc4.c b/source3/lib/arc4.c
new file mode 100644
index 0000000000..af2564b6c0
--- /dev/null
+++ b/source3/lib/arc4.c
@@ -0,0 +1,79 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   An implementation of arc4.
+
+   Copyright (C) Jeremy Allison 2005.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*****************************************************************
+ Initialize state for an arc4 crypt/decrpyt.
+ arc4 state is 258 bytes - last 2 bytes are the index bytes.
+*****************************************************************/
+
+void smb_arc4_init(unsigned char arc4_state_out[258], const unsigned char *key, size_t keylen)
+{
+	size_t ind;
+	unsigned char j = 0;
+
+	for (ind = 0; ind < 256; ind++) {
+		arc4_state_out[ind] = (unsigned char)ind;
+	}
+
+	for( ind = 0; ind < 256; ind++) {
+		unsigned char tc;
+
+		j += (arc4_state_out[ind] + key[ind%keylen]);
+
+		tc = arc4_state_out[ind];
+		arc4_state_out[ind] = arc4_state_out[j];
+		arc4_state_out[j] = tc;
+	}
+	arc4_state_out[256] = 0;
+	arc4_state_out[257] = 0;
+}
+
+/*****************************************************************
+ Do the arc4 crypt/decrpyt.
+ arc4 state is 258 bytes - last 2 bytes are the index bytes.
+*****************************************************************/
+
+void smb_arc4_crypt(unsigned char arc4_state_inout[258], unsigned char *data, size_t len)
+{
+	unsigned char index_i = arc4_state_inout[256];
+	unsigned char index_j = arc4_state_inout[257];
+        size_t ind;
+
+	for( ind = 0; ind < len; ind++) {
+		unsigned char tc;
+		unsigned char t;
+
+		index_i++;
+		index_j += arc4_state_inout[index_i];
+
+		tc = arc4_state_inout[index_i];
+		arc4_state_inout[index_i] = arc4_state_inout[index_j];
+		arc4_state_inout[index_j] = tc;
+
+		t = arc4_state_inout[index_i] + arc4_state_inout[index_j];
+		data[ind] = data[ind] ^ arc4_state_inout[t];
+	}
+
+	arc4_state_inout[256] = index_i;
+	arc4_state_inout[257] = index_j;
+}
diff --git a/source3/lib/async_req.c b/source3/lib/async_req.c
new file mode 100644
index 0000000000..501a6b5524
--- /dev/null
+++ b/source3/lib/async_req.c
@@ -0,0 +1,174 @@
+/*
+   Unix SMB/CIFS implementation.
+   Infrastructure for async requests
+   Copyright (C) Volker Lendecke 2008
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * @brief Print an async_req structure
+ * @param[in] mem_ctx	The memory context for the result
+ * @param[in] req	The request to be printed
+ * @retval		Text representation of req
+ *
+ * This is a default print function for async requests. Implementations should
+ * override this with more specific information.
+ *
+ * This function should not be used by async API users, this is non-static
+ * only to allow implementations to easily provide default information in
+ * their specific functions.
+ */
+
+char *async_req_print(TALLOC_CTX *mem_ctx, struct async_req *req)
+{
+	return talloc_asprintf(mem_ctx, "async_req: state=%d, status=%s, "
+			       "priv=%s", req->state, nt_errstr(req->status),
+			       talloc_get_name(req->private_data));
+}
+
+/**
+ * @brief Create an async request
+ * @param[in] mem_ctx	The memory context for the result
+ * @param[in] ev	The event context this async request will be driven by
+ * @retval		A new async request
+ *
+ * The new async request will be initialized in state ASYNC_REQ_IN_PROGRESS
+ */
+
+struct async_req *async_req_new(TALLOC_CTX *mem_ctx, struct event_context *ev)
+{
+	struct async_req *result;
+
+	result = TALLOC_ZERO_P(mem_ctx, struct async_req);
+	if (result == NULL) {
+		return NULL;
+	}
+	result->state = ASYNC_REQ_IN_PROGRESS;
+	result->event_ctx = ev;
+	result->print = async_req_print;
+	return result;
+}
+
+/**
+ * @brief An async request has successfully finished
+ * @param[in] req	The finished request
+ *
+ * async_req_done is to be used by implementors of async requests. When a
+ * request is successfully finished, this function calls the user's completion
+ * function.
+ */
+
+void async_req_done(struct async_req *req)
+{
+	req->status = NT_STATUS_OK;
+	req->state = ASYNC_REQ_DONE;
+	if (req->async.fn != NULL) {
+		req->async.fn(req);
+	}
+}
+
+/**
+ * @brief An async request has seen an error
+ * @param[in] req	The request with an error
+ * @param[in] status	The error code
+ *
+ * async_req_done is to be used by implementors of async requests. When a
+ * request can not successfully completed, the implementation should call this
+ * function with the appropriate status code.
+ */
+
+void async_req_error(struct async_req *req, NTSTATUS status)
+{
+	req->status = status;
+	req->state = ASYNC_REQ_ERROR;
+	if (req->async.fn != NULL) {
+		req->async.fn(req);
+	}
+}
+
+/**
+ * @brief Timed event callback
+ * @param[in] ev	Event context
+ * @param[in] te	The timed event
+ * @param[in] now	current time
+ * @param[in] priv	The async request to be finished
+ */
+
+static void async_trigger(struct event_context *ev, struct timed_event *te,
+			  const struct timeval *now, void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(priv, struct async_req);
+
+	TALLOC_FREE(te);
+	if (NT_STATUS_IS_OK(req->status)) {
+		async_req_done(req);
+	}
+	else {
+		async_req_error(req, req->status);
+	}
+}
+
+/**
+ * @brief Finish a request before it started processing
+ * @param[in] req	The finished request
+ * @param[in] status	The success code
+ *
+ * An implementation of an async request might find that it can either finish
+ * the request without waiting for an external event, or it can't even start
+ * the engine. To present the illusion of a callback to the user of the API,
+ * the implementation can call this helper function which triggers an
+ * immediate timed event. This way the caller can use the same calling
+ * conventions, independent of whether the request was actually deferred.
+ */
+
+bool async_post_status(struct async_req *req, NTSTATUS status)
+{
+	req->status = status;
+
+	if (event_add_timed(req->event_ctx, req, timeval_zero(),
+			    "async_trigger",
+			    async_trigger, req) == NULL) {
+		return false;
+	}
+	return true;
+}
+
+/**
+ * @brief Helper function for nomem check
+ * @param[in] p		The pointer to be checked
+ * @param[in] req	The request being processed
+ *
+ * Convenience helper to easily check alloc failure within a callback
+ * implementing the next step of an async request.
+ *
+ * Call pattern would be
+ * \code
+ * p = talloc(mem_ctx, bla);
+ * if (async_req_nomem(p, req)) {
+ *	return;
+ * }
+ * \endcode
+ */
+
+bool async_req_nomem(const void *p, struct async_req *req)
+{
+	if (p != NULL) {
+		return false;
+	}
+	async_req_error(req, NT_STATUS_NO_MEMORY);
+	return true;
+}
diff --git a/source3/lib/async_sock.c b/source3/lib/async_sock.c
new file mode 100644
index 0000000000..1a4c27ba20
--- /dev/null
+++ b/source3/lib/async_sock.c
@@ -0,0 +1,674 @@
+/*
+   Unix SMB/CIFS implementation.
+   async socket syscalls
+   Copyright (C) Volker Lendecke 2008
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * Discriminator for async_syscall_state
+ */
+enum async_syscall_type {
+	ASYNC_SYSCALL_SEND,
+	ASYNC_SYSCALL_SENDALL,
+	ASYNC_SYSCALL_RECV,
+	ASYNC_SYSCALL_RECVALL,
+	ASYNC_SYSCALL_CONNECT
+};
+
+/**
+ * Holder for syscall arguments and the result
+ */
+
+struct async_syscall_state {
+	enum async_syscall_type syscall_type;
+	struct fd_event *fde;
+
+	union {
+		struct param_send {
+			int fd;
+			const void *buffer;
+			size_t length;
+			int flags;
+		} param_send;
+		struct param_sendall {
+			int fd;
+			const void *buffer;
+			size_t length;
+			int flags;
+			size_t sent;
+		} param_sendall;
+		struct param_recv {
+			int fd;
+			void *buffer;
+			size_t length;
+			int flags;
+		} param_recv;
+		struct param_recvall {
+			int fd;
+			void *buffer;
+			size_t length;
+			int flags;
+			size_t received;
+		} param_recvall;
+		struct param_connect {
+			/**
+			 * connect needs to be done on a nonblocking
+			 * socket. Keep the old flags around
+			 */
+			long old_sockflags;
+			int fd;
+			const struct sockaddr *address;
+			socklen_t address_len;
+		} param_connect;
+	} param;
+
+	union {
+		ssize_t result_ssize_t;
+		size_t result_size_t;
+		int result_int;
+	} result;
+	int sys_errno;
+};
+
+/**
+ * @brief Create a new async syscall req
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] type	Which syscall will this be
+ * @param[in] pstate	Where to put the newly created private_data state
+ * @retval The new request
+ *
+ * This is a helper function to prepare a new struct async_req with an
+ * associated struct async_syscall_state. The async_syscall_state will be put
+ * into the async_req as private_data.
+ */
+
+static struct async_req *async_syscall_new(TALLOC_CTX *mem_ctx,
+					   struct event_context *ev,
+					   enum async_syscall_type type,
+					   struct async_syscall_state **pstate)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_req_new(mem_ctx, ev);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state = talloc(result, struct async_syscall_state);
+	if (state == NULL) {
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	state->syscall_type = type;
+
+	result->private_data = state;
+
+	*pstate = state;
+
+	return result;
+}
+
+/**
+ * @brief Create a new async syscall req based on a fd
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] type	Which syscall will this be
+ * @param[in] fd	The file descriptor we work on
+ * @param[in] fde_flags EVENT_FD_READ/WRITE -- what are we interested in?
+ * @param[in] fde_cb	The callback function for the file descriptor event
+ * @param[in] pstate	Where to put the newly created private_data state
+ * @retval The new request
+ *
+ * This is a helper function to prepare a new struct async_req with an
+ * associated struct async_syscall_state and an associated file descriptor
+ * event.
+ */
+
+static struct async_req *async_fde_syscall_new(
+	TALLOC_CTX *mem_ctx,
+	struct event_context *ev,
+	enum async_syscall_type type,
+	int fd,
+	uint16_t fde_flags,
+	void (*fde_cb)(struct event_context *ev,
+		       struct fd_event *fde, uint16_t flags,
+		       void *priv),
+	struct async_syscall_state **pstate)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_syscall_new(mem_ctx, ev, type, &state);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state->fde = event_add_fd(ev, state, fd, fde_flags, fde_cb, result);
+	if (state->fde == NULL) {
+		TALLOC_FREE(result);
+		return NULL;
+	}
+	*pstate = state;
+	return result;
+}
+
+/**
+ * Retrieve a ssize_t typed result from an async syscall
+ * @param[in] req	The syscall that has just finished
+ * @param[out] perrno	Where to put the syscall's errno
+ * @retval The return value from the asynchronously called syscall
+ */
+
+ssize_t async_syscall_result_ssize_t(struct async_req **req, int *perrno)
+{
+	struct async_syscall_state *state = talloc_get_type_abort(
+		(*req)->private_data, struct async_syscall_state);
+
+	int sys_errno = state->sys_errno;
+	ssize_t result = state->result.result_ssize_t;
+
+	TALLOC_FREE(*req);
+
+	*perrno = sys_errno;
+	return result;
+}
+
+/**
+ * Retrieve a size_t typed result from an async syscall
+ * @param[in] req	The syscall that has just finished
+ * @param[out] perrno	Where to put the syscall's errno
+ * @retval The return value from the asynchronously called syscall
+ */
+
+size_t async_syscall_result_size_t(struct async_req **req, int *perrno)
+{
+	struct async_syscall_state *state = talloc_get_type_abort(
+		(*req)->private_data, struct async_syscall_state);
+
+	int sys_errno = state->sys_errno;
+	size_t result = state->result.result_ssize_t;
+
+	TALLOC_FREE(*req);
+
+	*perrno = sys_errno;
+	return result;
+}
+
+/**
+ * Retrieve a int typed result from an async syscall
+ * @param[in] req	The syscall that has just finished
+ * @param[out] perrno	Where to put the syscall's errno
+ * @retval The return value from the asynchronously called syscall
+ */
+
+ssize_t async_syscall_result_int(struct async_req **req, int *perrno)
+{
+	struct async_syscall_state *state = talloc_get_type_abort(
+		(*req)->private_data, struct async_syscall_state);
+
+	int sys_errno = state->sys_errno;
+	int result = state->result.result_ssize_t;
+
+	TALLOC_FREE(*req);
+
+	*perrno = sys_errno;
+	return result;
+}
+
+/**
+ * fde event handler for the "send" syscall
+ * @param[in] ev	The event context that sent us here
+ * @param[in] fde	The file descriptor event associated with the send
+ * @param[in] flags	Can only be EVENT_FD_WRITE here
+ * @param[in] priv	private data, "struct async_req *" in this case
+ */
+
+static void async_send_callback(struct event_context *ev,
+				struct fd_event *fde, uint16_t flags,
+				void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(
+		priv, struct async_req);
+	struct async_syscall_state *state = talloc_get_type_abort(
+		req->private_data, struct async_syscall_state);
+	struct param_send *p = &state->param.param_send;
+
+	SMB_ASSERT(state->syscall_type == ASYNC_SYSCALL_SEND);
+
+	state->result.result_ssize_t = send(p->fd, p->buffer, p->length,
+					    p->flags);
+	state->sys_errno = errno;
+
+	TALLOC_FREE(state->fde);
+
+	async_req_done(req);
+}
+
+/**
+ * Async version of send(2)
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] fd	The socket to send to
+ * @param[in] buffer	The buffer to send
+ * @param[in] length	How many bytes to send
+ * @param[in] flags	flags passed to send(2)
+ *
+ * This function is a direct counterpart of send(2)
+ */
+
+struct async_req *async_send(TALLOC_CTX *mem_ctx, struct event_context *ev,
+			     int fd, const void *buffer, size_t length,
+			     int flags)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_fde_syscall_new(
+		mem_ctx, ev, ASYNC_SYSCALL_SEND,
+		fd, EVENT_FD_WRITE, async_send_callback,
+		&state);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state->param.param_send.fd = fd;
+	state->param.param_send.buffer = buffer;
+	state->param.param_send.length = length;
+	state->param.param_send.flags = flags;
+
+	return result;
+}
+
+/**
+ * fde event handler for the "sendall" syscall group
+ * @param[in] ev	The event context that sent us here
+ * @param[in] fde	The file descriptor event associated with the send
+ * @param[in] flags	Can only be EVENT_FD_WRITE here
+ * @param[in] priv	private data, "struct async_req *" in this case
+ */
+
+static void async_sendall_callback(struct event_context *ev,
+				   struct fd_event *fde, uint16_t flags,
+				   void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(
+		priv, struct async_req);
+	struct async_syscall_state *state = talloc_get_type_abort(
+		req->private_data, struct async_syscall_state);
+	struct param_sendall *p = &state->param.param_sendall;
+
+	SMB_ASSERT(state->syscall_type == ASYNC_SYSCALL_SENDALL);
+
+	state->result.result_ssize_t = send(p->fd, (char *)p->buffer + p->sent,
+					    p->length - p->sent, p->flags);
+	state->sys_errno = errno;
+
+	if (state->result.result_ssize_t == -1) {
+		async_req_error(req, map_nt_error_from_unix(state->sys_errno));
+		return;
+	}
+
+	if (state->result.result_ssize_t == 0) {
+		async_req_error(req, NT_STATUS_END_OF_FILE);
+		return;
+	}
+
+	p->sent += state->result.result_ssize_t;
+	SMB_ASSERT(p->sent <= p->length);
+
+	if (p->sent == p->length) {
+		TALLOC_FREE(state->fde);
+		async_req_done(req);
+	}
+}
+
+/**
+ * @brief Send all bytes to a socket
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] fd	The socket to send to
+ * @param[in] buffer	The buffer to send
+ * @param[in] length	How many bytes to send
+ * @param[in] flags	flags passed to send(2)
+ *
+ * async_sendall calls send(2) as long as it is necessary to send all of the
+ * "length" bytes
+ */
+
+struct async_req *async_sendall(TALLOC_CTX *mem_ctx, struct event_context *ev,
+				int fd, const void *buffer, size_t length,
+				int flags)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_fde_syscall_new(
+		mem_ctx, ev, ASYNC_SYSCALL_SENDALL,
+		fd, EVENT_FD_WRITE, async_sendall_callback,
+		&state);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state->param.param_sendall.fd = fd;
+	state->param.param_sendall.buffer = buffer;
+	state->param.param_sendall.length = length;
+	state->param.param_sendall.flags = flags;
+	state->param.param_sendall.sent = 0;
+
+	return result;
+}
+
+/**
+ * fde event handler for the "recv" syscall
+ * @param[in] ev	The event context that sent us here
+ * @param[in] fde	The file descriptor event associated with the recv
+ * @param[in] flags	Can only be EVENT_FD_READ here
+ * @param[in] priv	private data, "struct async_req *" in this case
+ */
+
+static void async_recv_callback(struct event_context *ev,
+				struct fd_event *fde, uint16_t flags,
+				void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(
+		priv, struct async_req);
+	struct async_syscall_state *state = talloc_get_type_abort(
+		req->private_data, struct async_syscall_state);
+	struct param_recv *p = &state->param.param_recv;
+
+	SMB_ASSERT(state->syscall_type == ASYNC_SYSCALL_RECV);
+
+	state->result.result_ssize_t = recv(p->fd, p->buffer, p->length,
+					    p->flags);
+	state->sys_errno = errno;
+
+	TALLOC_FREE(state->fde);
+
+	async_req_done(req);
+}
+
+/**
+ * Async version of recv(2)
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] fd	The socket to recv from
+ * @param[in] buffer	The buffer to recv into
+ * @param[in] length	How many bytes to recv
+ * @param[in] flags	flags passed to recv(2)
+ *
+ * This function is a direct counterpart of recv(2)
+ */
+
+struct async_req *async_recv(TALLOC_CTX *mem_ctx, struct event_context *ev,
+			     int fd, void *buffer, size_t length,
+			     int flags)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_fde_syscall_new(
+		mem_ctx, ev, ASYNC_SYSCALL_RECV,
+		fd, EVENT_FD_READ, async_recv_callback,
+		&state);
+
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state->param.param_recv.fd = fd;
+	state->param.param_recv.buffer = buffer;
+	state->param.param_recv.length = length;
+	state->param.param_recv.flags = flags;
+
+	return result;
+}
+
+/**
+ * fde event handler for the "recvall" syscall group
+ * @param[in] ev	The event context that sent us here
+ * @param[in] fde	The file descriptor event associated with the recv
+ * @param[in] flags	Can only be EVENT_FD_READ here
+ * @param[in] priv	private data, "struct async_req *" in this case
+ */
+
+static void async_recvall_callback(struct event_context *ev,
+				   struct fd_event *fde, uint16_t flags,
+				   void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(
+		priv, struct async_req);
+	struct async_syscall_state *state = talloc_get_type_abort(
+		req->private_data, struct async_syscall_state);
+	struct param_recvall *p = &state->param.param_recvall;
+
+	SMB_ASSERT(state->syscall_type == ASYNC_SYSCALL_RECVALL);
+
+	state->result.result_ssize_t = recv(p->fd,
+					    (char *)p->buffer + p->received,
+					    p->length - p->received, p->flags);
+	state->sys_errno = errno;
+
+	if (state->result.result_ssize_t == -1) {
+		async_req_error(req, map_nt_error_from_unix(state->sys_errno));
+		return;
+	}
+
+	if (state->result.result_ssize_t == 0) {
+		async_req_error(req, NT_STATUS_END_OF_FILE);
+		return;
+	}
+
+	p->received += state->result.result_ssize_t;
+	SMB_ASSERT(p->received <= p->length);
+
+	if (p->received == p->length) {
+		TALLOC_FREE(state->fde);
+		async_req_done(req);
+	}
+}
+
+/**
+ * Receive a specified number of bytes from a socket
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] fd	The socket to recv from
+ * @param[in] buffer	The buffer to recv into
+ * @param[in] length	How many bytes to recv
+ * @param[in] flags	flags passed to recv(2)
+ *
+ * async_recvall will call recv(2) until "length" bytes are received
+ */
+
+struct async_req *async_recvall(TALLOC_CTX *mem_ctx, struct event_context *ev,
+				int fd, void *buffer, size_t length,
+				int flags)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+
+	result = async_fde_syscall_new(
+		mem_ctx, ev, ASYNC_SYSCALL_RECVALL,
+		fd, EVENT_FD_READ, async_recvall_callback,
+		&state);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	state->param.param_recvall.fd = fd;
+	state->param.param_recvall.buffer = buffer;
+	state->param.param_recvall.length = length;
+	state->param.param_recvall.flags = flags;
+	state->param.param_recvall.received = 0;
+
+	return result;
+}
+
+/**
+ * fde event handler for connect(2)
+ * @param[in] ev	The event context that sent us here
+ * @param[in] fde	The file descriptor event associated with the connect
+ * @param[in] flags	Indicate read/writeability of the socket
+ * @param[in] priv	private data, "struct async_req *" in this case
+ */
+
+static void async_connect_callback(struct event_context *ev,
+				   struct fd_event *fde, uint16_t flags,
+				   void *priv)
+{
+	struct async_req *req = talloc_get_type_abort(
+		priv, struct async_req);
+	struct async_syscall_state *state = talloc_get_type_abort(
+		req->private_data, struct async_syscall_state);
+	struct param_connect *p = &state->param.param_connect;
+
+	SMB_ASSERT(state->syscall_type == ASYNC_SYSCALL_CONNECT);
+
+	TALLOC_FREE(state->fde);
+
+	/*
+	 * Stevens, Network Programming says that if there's a
+	 * successful connect, the socket is only writable. Upon an
+	 * error, it's both readable and writable.
+	 */
+	if ((flags & (EVENT_FD_READ|EVENT_FD_WRITE))
+	    == (EVENT_FD_READ|EVENT_FD_WRITE)) {
+		int sockerr;
+		socklen_t err_len = sizeof(sockerr);
+
+		if (getsockopt(p->fd, SOL_SOCKET, SO_ERROR,
+			       (void *)&sockerr, &err_len) == 0) {
+			errno = sockerr;
+		}
+
+		state->sys_errno = errno;
+
+		DEBUG(10, ("connect returned %s\n", strerror(errno)));
+
+		sys_fcntl_long(p->fd, F_SETFL, p->old_sockflags);
+
+		async_req_error(req, map_nt_error_from_unix(state->sys_errno));
+		return;
+	}
+
+	sys_fcntl_long(p->fd, F_SETFL, p->old_sockflags);
+
+	state->result.result_int = 0;
+	state->sys_errno = 0;
+
+	async_req_done(req);
+}
+
+/**
+ * @brief async version of connect(2)
+ * @param[in] mem_ctx	The memory context to hang the result off
+ * @param[in] ev	The event context to work from
+ * @param[in] fd	The socket to recv from
+ * @param[in] address	Where to connect?
+ * @param[in] address_len Length of *address
+ * @retval The async request
+ *
+ * This function sets the socket into non-blocking state to be able to call
+ * connect in an async state. This will be reset when the request is finished.
+ */
+
+struct async_req *async_connect(TALLOC_CTX *mem_ctx, struct event_context *ev,
+				int fd, const struct sockaddr *address,
+				socklen_t address_len)
+{
+	struct async_req *result;
+	struct async_syscall_state *state;
+	struct param_connect *p;
+
+	result = async_syscall_new(mem_ctx, ev, ASYNC_SYSCALL_CONNECT, &state);
+	if (result == NULL) {
+		return NULL;
+	}
+	p = &state->param.param_connect;
+
+	/**
+	 * We have to set the socket to nonblocking for async connect(2). Keep
+	 * the old sockflags around.
+	 */
+
+	p->old_sockflags = sys_fcntl_long(fd, F_GETFL, 0);
+
+	if (p->old_sockflags == -1) {
+		if (async_post_status(result, map_nt_error_from_unix(errno))) {
+			return result;
+		}
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	set_blocking(fd, true);
+
+	state->result.result_int = connect(fd, address, address_len);
+
+	if (state->result.result_int == 0) {
+		state->sys_errno = 0;
+		if (async_post_status(result, NT_STATUS_OK)) {
+			return result;
+		}
+		sys_fcntl_long(fd, F_SETFL, p->old_sockflags);
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	/**
+	 * A number of error messages show that something good is progressing
+	 * and that we have to wait for readability.
+	 *
+	 * If none of them are present, bail out.
+	 */
+
+	if (!(errno == EINPROGRESS || errno == EALREADY ||
+#ifdef EISCONN
+	      errno == EISCONN ||
+#endif
+	      errno == EAGAIN || errno == EINTR)) {
+
+		state->sys_errno = errno;
+
+		if (async_post_status(result, map_nt_error_from_unix(errno))) {
+			return result;
+		}
+		sys_fcntl_long(fd, F_SETFL, p->old_sockflags);
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	state->fde = event_add_fd(ev, state, fd,
+				  EVENT_FD_READ | EVENT_FD_WRITE,
+				  async_connect_callback, state);
+	if (state->fde == NULL) {
+		sys_fcntl_long(fd, F_SETFL, p->old_sockflags);
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	state->param.param_connect.fd = fd;
+	state->param.param_connect.address = address;
+	state->param.param_connect.address_len = address_len;
+
+	return result;
+}
+
diff --git a/source3/lib/audit.c b/source3/lib/audit.c
new file mode 100644
index 0000000000..0eb12a95e6
--- /dev/null
+++ b/source3/lib/audit.c
@@ -0,0 +1,148 @@
+/*
+   Unix SMB/CIFS implementation.
+   Auditing helper functions.
+   Copyright (C) Guenther Deschner 2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+static const struct audit_category_tab {
+	uint32 category;
+	const char *category_str;
+	const char *param_str;
+	const char *description;
+} audit_category_tab [] = {
+	{ LSA_AUDIT_CATEGORY_LOGON, 
+	 "LSA_AUDIT_CATEGORY_LOGON", 
+	 "LOGON", "Logon events" },
+	{ LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS, 
+	 "LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS", 
+	 "PRIVILEGE", "Privilege Use" },
+	{ LSA_AUDIT_CATEGORY_SYSTEM, 
+	 "LSA_AUDIT_CATEGORY_SYSTEM", 
+	 "SYSTEM", "System Events" },
+	{ LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES, 
+	 "LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES", 
+	 "POLICY", "Policy Change" },
+	{ LSA_AUDIT_CATEGORY_PROCCESS_TRACKING, 
+	 "LSA_AUDIT_CATEGORY_PROCCESS_TRACKING", 
+	 "PROCESS", "Process Tracking" },
+	{ LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS, 
+	 "LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS", 
+	 "OBJECT", "Object Access" },
+	{ LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT, 
+	 "LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT", 
+	 "SAM", "Account Management" },
+	{ LSA_AUDIT_CATEGORY_DIRECTORY_SERVICE_ACCESS, 
+	 "LSA_AUDIT_CATEGORY_DIRECTORY_SERVICE_ACCESS", 
+	 "DIRECTORY", "Directory service access" },
+	{ LSA_AUDIT_CATEGORY_ACCOUNT_LOGON, 
+	 "LSA_AUDIT_CATEGORY_ACCOUNT_LOGON", 
+	 "ACCOUNT", "Account logon events" },
+	{ 0, NULL, NULL }
+};
+
+const char *audit_category_str(uint32 category)
+{
+	int i;
+	for (i=0; audit_category_tab[i].category_str; i++) {
+		if (category == audit_category_tab[i].category) {
+			return audit_category_tab[i].category_str;
+		}
+	}
+	return NULL;
+}
+
+const char *audit_param_str(uint32 category)
+{
+	int i;
+	for (i=0; audit_category_tab[i].param_str; i++) {
+		if (category == audit_category_tab[i].category) {
+			return audit_category_tab[i].param_str;
+		}
+	}
+	return NULL;
+}
+
+const char *audit_description_str(uint32 category)
+{
+	int i;
+	for (i=0; audit_category_tab[i].description; i++) {
+		if (category == audit_category_tab[i].category) {
+			return audit_category_tab[i].description;
+		}
+	}
+	return NULL;
+}
+
+bool get_audit_category_from_param(const char *param, uint32 *audit_category)
+{
+	*audit_category = Undefined;
+
+	if (strequal(param, "SYSTEM")) {
+		*audit_category = LSA_AUDIT_CATEGORY_SYSTEM;
+	} else if (strequal(param, "LOGON")) {
+		*audit_category = LSA_AUDIT_CATEGORY_LOGON;
+	} else if (strequal(param, "OBJECT")) {
+		*audit_category = LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS;
+	} else if (strequal(param, "PRIVILEGE")) {
+		*audit_category = LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS;
+	} else if (strequal(param, "PROCESS")) {
+		*audit_category = LSA_AUDIT_CATEGORY_PROCCESS_TRACKING;
+	} else if (strequal(param, "POLICY")) {
+		*audit_category = LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES;
+	} else if (strequal(param, "SAM")) {
+		*audit_category = LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT;
+	} else if (strequal(param, "DIRECTORY")) {
+		*audit_category = LSA_AUDIT_CATEGORY_DIRECTORY_SERVICE_ACCESS;
+	} else if (strequal(param, "ACCOUNT")) {
+		*audit_category = LSA_AUDIT_CATEGORY_ACCOUNT_LOGON;
+	} else {
+		DEBUG(0,("unknown parameter: %s\n", param));
+		return False;
+	}
+
+	return True;
+}
+
+const char *audit_policy_str(TALLOC_CTX *mem_ctx, uint32 policy)
+{
+	const char *ret = NULL;
+
+	if (policy == LSA_AUDIT_POLICY_NONE) {
+		return talloc_strdup(mem_ctx, "None");
+	}
+
+	if (policy & LSA_AUDIT_POLICY_SUCCESS) {
+		ret = talloc_strdup(mem_ctx, "Success");
+		if (ret == NULL) {
+			return NULL;
+		}
+	}
+
+	if (policy & LSA_AUDIT_POLICY_FAILURE) {
+		if (ret) {
+			ret = talloc_asprintf(mem_ctx, "%s, %s", ret, "Failure");
+			if (ret == NULL) {
+				return NULL;
+			}
+		} else {
+			return talloc_strdup(mem_ctx, "Failure");
+		}
+	}
+
+	return ret;
+}
diff --git a/source3/lib/bitmap.c b/source3/lib/bitmap.c
new file mode 100644
index 0000000000..5e623f474a
--- /dev/null
+++ b/source3/lib/bitmap.c
@@ -0,0 +1,176 @@
+/*
+   Unix SMB/CIFS implementation.
+   simple bitmap functions
+   Copyright (C) Andrew Tridgell 1992-1998
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* these functions provide a simple way to allocate integers from a
+   pool without repetition */
+
+/****************************************************************************
+allocate a bitmap of the specified size
+****************************************************************************/
+struct bitmap *bitmap_allocate(int n)
+{
+	struct bitmap *bm;
+
+	bm = SMB_MALLOC_P(struct bitmap);
+
+	if (!bm) return NULL;
+	
+	bm->n = n;
+	bm->b = SMB_MALLOC_ARRAY(uint32, (n+31)/32);
+	if (!bm->b) {
+		SAFE_FREE(bm);
+		return NULL;
+	}
+
+	memset(bm->b, 0, sizeof(uint32)*((n+31)/32));
+
+	return bm;
+}
+
+/****************************************************************************
+free a bitmap.
+****************************************************************************/
+
+void bitmap_free(struct bitmap *bm)
+{
+	if (!bm)
+		return;
+
+	SAFE_FREE(bm->b);
+	SAFE_FREE(bm);
+}
+
+/****************************************************************************
+talloc a bitmap
+****************************************************************************/
+struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n)
+{
+	struct bitmap *bm;
+
+	if (!mem_ctx) return NULL;
+
+	bm = TALLOC_P(mem_ctx, struct bitmap);
+
+	if (!bm) return NULL;
+	
+	bm->n = n;
+	bm->b = TALLOC_ARRAY(mem_ctx, uint32, (n+31)/32);
+	if (!bm->b) {
+		return NULL;
+	}
+
+	memset(bm->b, 0, sizeof(uint32)*((n+31)/32));
+
+	return bm;
+}
+
+/****************************************************************************
+copy as much of the source bitmap as will fit in the destination bitmap.
+****************************************************************************/
+
+int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src)
+{
+        int count = MIN(dst->n, src->n);
+
+        SMB_ASSERT(dst->b != src->b);
+	memcpy(dst->b, src->b, sizeof(uint32)*((count+31)/32));
+
+        return count;
+}
+
+/****************************************************************************
+set a bit in a bitmap
+****************************************************************************/
+bool bitmap_set(struct bitmap *bm, unsigned i)
+{
+	if (i >= bm->n) {
+		DEBUG(0,("Setting invalid bitmap entry %d (of %d)\n",
+		      i, bm->n));
+		return False;
+	}
+	bm->b[i/32] |= (1<<(i%32));
+	return True;
+}
+
+/****************************************************************************
+clear a bit in a bitmap
+****************************************************************************/
+bool bitmap_clear(struct bitmap *bm, unsigned i)
+{
+	if (i >= bm->n) {
+		DEBUG(0,("clearing invalid bitmap entry %d (of %d)\n",
+		      i, bm->n));
+		return False;
+	}
+	bm->b[i/32] &= ~(1<<(i%32));
+	return True;
+}
+
+/****************************************************************************
+query a bit in a bitmap
+****************************************************************************/
+bool bitmap_query(struct bitmap *bm, unsigned i)
+{
+	if (i >= bm->n) return False;
+	if (bm->b[i/32] & (1<<(i%32))) {
+		return True;
+	}
+	return False;
+}
+
+/****************************************************************************
+find a zero bit in a bitmap starting at the specified offset, with
+wraparound
+****************************************************************************/
+int bitmap_find(struct bitmap *bm, unsigned ofs)
+{
+	unsigned int i, j;
+
+	if (ofs > bm->n) ofs = 0;
+
+	i = ofs;
+	while (i < bm->n) {
+		if (~(bm->b[i/32])) {
+			j = i;
+			do {
+				if (!bitmap_query(bm, j)) return j;
+				j++;
+			} while (j & 31 && j < bm->n);
+		}
+		i += 32;
+		i &= ~31;
+	}
+
+	i = 0;
+	while (i < ofs) {
+		if (~(bm->b[i/32])) {
+			j = i;
+			do {
+				if (!bitmap_query(bm, j)) return j;
+				j++;
+			} while (j & 31 && j < bm->n);
+		}
+		i += 32;
+		i &= ~31;
+	}
+
+	return -1;
+}
diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
new file mode 100644
index 0000000000..485212b100
--- /dev/null
+++ b/source3/lib/charcnv.c
@@ -0,0 +1,1937 @@
+/*
+   Unix SMB/CIFS implementation.
+   Character set conversion Extensions
+   Copyright (C) Igor Vergeichik <iverg@mail.ru> 2001
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Martin Pool 2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+*/
+#include "includes.h"
+
+/* We can parameterize this if someone complains.... JRA. */
+
+char lp_failed_convert_char(void)
+{
+	return '_';
+}
+
+/**
+ * @file
+ *
+ * @brief Character-set conversion routines built on our iconv.
+ *
+ * @note Samba's internal character set (at least in the 3.0 series)
+ * is always the same as the one for the Unix filesystem.  It is
+ * <b>not</b> necessarily UTF-8 and may be different on machines that
+ * need i18n filenames to be compatible with Unix software.  It does
+ * have to be a superset of ASCII.  All multibyte sequences must start
+ * with a byte with the high bit set.
+ *
+ * @sa lib/iconv.c
+ */
+
+
+static smb_iconv_t conv_handles[NUM_CHARSETS][NUM_CHARSETS];
+static bool conv_silent; /* Should we do a debug if the conversion fails ? */
+static bool initialized;
+
+/**
+ * Return the name of a charset to give to iconv().
+ **/
+static const char *charset_name(charset_t ch)
+{
+	const char *ret = NULL;
+
+	if (ch == CH_UTF16LE) ret = "UTF-16LE";
+	else if (ch == CH_UTF16BE) ret = "UTF-16BE";
+	else if (ch == CH_UNIX) ret = lp_unix_charset();
+	else if (ch == CH_DOS) ret = lp_dos_charset();
+	else if (ch == CH_DISPLAY) ret = lp_display_charset();
+	else if (ch == CH_UTF8) ret = "UTF8";
+
+#if defined(HAVE_NL_LANGINFO) && defined(CODESET)
+	if (ret && !strcmp(ret, "LOCALE")) {
+		const char *ln = NULL;
+
+#ifdef HAVE_SETLOCALE
+		setlocale(LC_ALL, "");
+#endif
+		ln = nl_langinfo(CODESET);
+		if (ln) {
+			/* Check whether the charset name is supported
+			   by iconv */
+			smb_iconv_t handle = smb_iconv_open(ln,"UCS-2LE");
+			if (handle == (smb_iconv_t) -1) {
+				DEBUG(5,("Locale charset '%s' unsupported, using ASCII instead\n", ln));
+				ln = NULL;
+			} else {
+				DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln));
+				smb_iconv_close(handle);
+			}
+		}
+		ret = ln;
+	}
+#endif
+
+	if (!ret || !*ret) ret = "ASCII";
+	return ret;
+}
+
+void lazy_initialize_conv(void)
+{
+	if (!initialized) {
+		load_case_tables();
+		init_iconv();
+		initialized = true;
+	}
+}
+
+/**
+ * Destroy global objects allocated by init_iconv()
+ **/
+void gfree_charcnv(void)
+{
+	int c1, c2;
+
+	for (c1=0;c1<NUM_CHARSETS;c1++) {
+		for (c2=0;c2<NUM_CHARSETS;c2++) {
+			if ( conv_handles[c1][c2] ) {
+				smb_iconv_close( conv_handles[c1][c2] );
+				conv_handles[c1][c2] = 0;
+			}
+		}
+	}
+	initialized = false;
+}
+
+/**
+ * Initialize iconv conversion descriptors.
+ *
+ * This is called the first time it is needed, and also called again
+ * every time the configuration is reloaded, because the charset or
+ * codepage might have changed.
+ **/
+void init_iconv(void)
+{
+	int c1, c2;
+	bool did_reload = False;
+
+	/* so that charset_name() works we need to get the UNIX<->UCS2 going
+	   first */
+	if (!conv_handles[CH_UNIX][CH_UTF16LE])
+		conv_handles[CH_UNIX][CH_UTF16LE] = smb_iconv_open(charset_name(CH_UTF16LE), "ASCII");
+
+	if (!conv_handles[CH_UTF16LE][CH_UNIX])
+		conv_handles[CH_UTF16LE][CH_UNIX] = smb_iconv_open("ASCII", charset_name(CH_UTF16LE));
+
+	for (c1=0;c1<NUM_CHARSETS;c1++) {
+		for (c2=0;c2<NUM_CHARSETS;c2++) {
+			const char *n1 = charset_name((charset_t)c1);
+			const char *n2 = charset_name((charset_t)c2);
+			if (conv_handles[c1][c2] &&
+			    strcmp(n1, conv_handles[c1][c2]->from_name) == 0 &&
+			    strcmp(n2, conv_handles[c1][c2]->to_name) == 0)
+				continue;
+
+			did_reload = True;
+
+			if (conv_handles[c1][c2])
+				smb_iconv_close(conv_handles[c1][c2]);
+
+			conv_handles[c1][c2] = smb_iconv_open(n2,n1);
+			if (conv_handles[c1][c2] == (smb_iconv_t)-1) {
+				DEBUG(0,("init_iconv: Conversion from %s to %s not supported\n",
+					 charset_name((charset_t)c1), charset_name((charset_t)c2)));
+				if (c1 != CH_UTF16LE && c1 != CH_UTF16BE) {
+					n1 = "ASCII";
+				}
+				if (c2 != CH_UTF16LE && c2 != CH_UTF16BE) {
+					n2 = "ASCII";
+				}
+				DEBUG(0,("init_iconv: Attempting to replace with conversion from %s to %s\n",
+					n1, n2 ));
+				conv_handles[c1][c2] = smb_iconv_open(n2,n1);
+				if (!conv_handles[c1][c2]) {
+					DEBUG(0,("init_iconv: Conversion from %s to %s failed", n1, n2));
+					smb_panic("init_iconv: conv_handle initialization failed");
+				}
+			}
+		}
+	}
+
+	if (did_reload) {
+		/* XXX: Does this really get called every time the dos
+		 * codepage changes? */
+		/* XXX: Is the did_reload test too strict? */
+		conv_silent = True;
+		init_valid_table();
+		conv_silent = False;
+	}
+}
+
+/**
+ * Convert string from one encoding to another, making error checking etc
+ * Slow path version - uses (slow) iconv.
+ *
+ * @param src pointer to source string (multibyte or singlebyte)
+ * @param srclen length of the source string in bytes
+ * @param dest pointer to destination string (multibyte or singlebyte)
+ * @param destlen maximal length allowed for string
+ * @param allow_bad_conv determines if a "best effort" conversion is acceptable (never returns errors)
+ * @returns the number of bytes occupied in the destination
+ *
+ * Ensure the srclen contains the terminating zero.
+ *
+ **/
+
+static size_t convert_string_internal(charset_t from, charset_t to,
+		      void const *src, size_t srclen, 
+		      void *dest, size_t destlen, bool allow_bad_conv)
+{
+	size_t i_len, o_len;
+	size_t retval;
+	const char* inbuf = (const char*)src;
+	char* outbuf = (char*)dest;
+	smb_iconv_t descriptor;
+
+	lazy_initialize_conv();
+
+	descriptor = conv_handles[from][to];
+
+	if (srclen == (size_t)-1) {
+		if (from == CH_UTF16LE || from == CH_UTF16BE) {
+			srclen = (strlen_w((const smb_ucs2_t *)src)+1) * 2;
+		} else {
+			srclen = strlen((const char *)src)+1;
+		}
+	}
+
+
+	if (descriptor == (smb_iconv_t)-1 || descriptor == (smb_iconv_t)0) {
+		if (!conv_silent)
+			DEBUG(0,("convert_string_internal: Conversion not supported.\n"));
+		return (size_t)-1;
+	}
+
+	i_len=srclen;
+	o_len=destlen;
+
+ again:
+
+	retval = smb_iconv(descriptor, &inbuf, &i_len, &outbuf, &o_len);
+	if(retval==(size_t)-1) {
+	    	const char *reason="unknown error";
+		switch(errno) {
+			case EINVAL:
+				reason="Incomplete multibyte sequence";
+				if (!conv_silent)
+					DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf));
+				if (allow_bad_conv)
+					goto use_as_is;
+				break;
+			case E2BIG:
+				reason="No more room"; 
+				if (!conv_silent) {
+					if (from == CH_UNIX) {
+						DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
+							charset_name(from), charset_name(to),
+							(unsigned int)srclen, (unsigned int)destlen, (const char *)src));
+					} else {
+						DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n",
+							charset_name(from), charset_name(to),
+							(unsigned int)srclen, (unsigned int)destlen));
+					}
+				}
+				break;
+			case EILSEQ:
+				reason="Illegal multibyte sequence";
+				if (!conv_silent)
+					DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf));
+				if (allow_bad_conv)
+					goto use_as_is;
+				break;
+			default:
+				if (!conv_silent)
+					DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf));
+				break;
+		}
+		/* smb_panic(reason); */
+	}
+	return destlen-o_len;
+
+ use_as_is:
+
+	/* 
+	 * Conversion not supported. This is actually an error, but there are so
+	 * many misconfigured iconv systems and smb.conf's out there we can't just
+	 * fail. Do a very bad conversion instead.... JRA.
+	 */
+
+	{
+		if (o_len == 0 || i_len == 0)
+			return destlen - o_len;
+
+		if (((from == CH_UTF16LE)||(from == CH_UTF16BE)) &&
+				((to != CH_UTF16LE)||(to != CH_UTF16BE))) {
+			/* Can't convert from utf16 any endian to multibyte.
+			   Replace with the default fail char.
+			*/
+			if (i_len < 2)
+				return destlen - o_len;
+			if (i_len >= 2) {
+				*outbuf = lp_failed_convert_char();
+
+				outbuf++;
+				o_len--;
+
+				inbuf += 2;
+				i_len -= 2;
+			}
+
+			if (o_len == 0 || i_len == 0)
+				return destlen - o_len;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else if (from != CH_UTF16LE && from != CH_UTF16BE && to == CH_UTF16LE) {
+			/* Can't convert to UTF16LE - just widen by adding the
+			   default fail char then zero.
+			*/
+			if (o_len < 2)
+				return destlen - o_len;
+
+			outbuf[0] = lp_failed_convert_char();
+			outbuf[1] = '\0';
+
+			inbuf++;
+			i_len--;
+
+			outbuf += 2;
+			o_len -= 2;
+
+			if (o_len == 0 || i_len == 0)
+				return destlen - o_len;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else if (from != CH_UTF16LE && from != CH_UTF16BE &&
+				to != CH_UTF16LE && to != CH_UTF16BE) {
+			/* Failed multibyte to multibyte. Just copy the default fail char and
+				try again. */
+			outbuf[0] = lp_failed_convert_char();
+
+			inbuf++;
+			i_len--;
+
+			outbuf++;
+			o_len--;
+
+			if (o_len == 0 || i_len == 0)
+				return destlen - o_len;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else {
+			/* Keep compiler happy.... */
+			return destlen - o_len;
+		}
+	}
+}
+
+/**
+ * Convert string from one encoding to another, making error checking etc
+ * Fast path version - handles ASCII first.
+ *
+ * @param src pointer to source string (multibyte or singlebyte)
+ * @param srclen length of the source string in bytes, or -1 for nul terminated.
+ * @param dest pointer to destination string (multibyte or singlebyte)
+ * @param destlen maximal length allowed for string - *NEVER* -1.
+ * @param allow_bad_conv determines if a "best effort" conversion is acceptable (never returns errors)
+ * @returns the number of bytes occupied in the destination
+ *
+ * Ensure the srclen contains the terminating zero.
+ *
+ * This function has been hand-tuned to provide a fast path.
+ * Don't change unless you really know what you are doing. JRA.
+ **/
+
+size_t convert_string(charset_t from, charset_t to,
+		      void const *src, size_t srclen, 
+		      void *dest, size_t destlen, bool allow_bad_conv)
+{
+	/*
+	 * NB. We deliberately don't do a strlen here if srclen == -1.
+	 * This is very expensive over millions of calls and is taken
+	 * care of in the slow path in convert_string_internal. JRA.
+	 */
+
+#ifdef DEVELOPER
+	SMB_ASSERT(destlen != (size_t)-1);
+#endif
+
+	if (srclen == 0)
+		return 0;
+
+	if (from != CH_UTF16LE && from != CH_UTF16BE && to != CH_UTF16LE && to != CH_UTF16BE) {
+		const unsigned char *p = (const unsigned char *)src;
+		unsigned char *q = (unsigned char *)dest;
+		size_t slen = srclen;
+		size_t dlen = destlen;
+		unsigned char lastp = '\0';
+		size_t retval = 0;
+
+		/* If all characters are ascii, fast path here. */
+		while (slen && dlen) {
+			if ((lastp = *p) <= 0x7f) {
+				*q++ = *p++;
+				if (slen != (size_t)-1) {
+					slen--;
+				}
+				dlen--;
+				retval++;
+				if (!lastp)
+					break;
+			} else {
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+				goto general_case;
+#else
+				return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv);
+#endif
+			}
+		}
+		if (!dlen) {
+			/* Even if we fast path we should note if we ran out of room. */
+			if (((slen != (size_t)-1) && slen) ||
+					((slen == (size_t)-1) && lastp)) {
+				errno = E2BIG;
+			}
+		}
+		return retval;
+	} else if (from == CH_UTF16LE && to != CH_UTF16LE) {
+		const unsigned char *p = (const unsigned char *)src;
+		unsigned char *q = (unsigned char *)dest;
+		size_t retval = 0;
+		size_t slen = srclen;
+		size_t dlen = destlen;
+		unsigned char lastp = '\0';
+
+		/* If all characters are ascii, fast path here. */
+		while (((slen == (size_t)-1) || (slen >= 2)) && dlen) {
+			if (((lastp = *p) <= 0x7f) && (p[1] == 0)) {
+				*q++ = *p;
+				if (slen != (size_t)-1) {
+					slen -= 2;
+				}
+				p += 2;
+				dlen--;
+				retval++;
+				if (!lastp)
+					break;
+			} else {
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+				goto general_case;
+#else
+				return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv);
+#endif
+			}
+		}
+		if (!dlen) {
+			/* Even if we fast path we should note if we ran out of room. */
+			if (((slen != (size_t)-1) && slen) ||
+					((slen == (size_t)-1) && lastp)) {
+				errno = E2BIG;
+			}
+		}
+		return retval;
+	} else if (from != CH_UTF16LE && from != CH_UTF16BE && to == CH_UTF16LE) {
+		const unsigned char *p = (const unsigned char *)src;
+		unsigned char *q = (unsigned char *)dest;
+		size_t retval = 0;
+		size_t slen = srclen;
+		size_t dlen = destlen;
+		unsigned char lastp = '\0';
+
+		/* If all characters are ascii, fast path here. */
+		while (slen && (dlen >= 2)) {
+			if ((lastp = *p) <= 0x7F) {
+				*q++ = *p++;
+				*q++ = '\0';
+				if (slen != (size_t)-1) {
+					slen--;
+				}
+				dlen -= 2;
+				retval += 2;
+				if (!lastp)
+					break;
+			} else {
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+				goto general_case;
+#else
+				return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv);
+#endif
+			}
+		}
+		if (!dlen) {
+			/* Even if we fast path we should note if we ran out of room. */
+			if (((slen != (size_t)-1) && slen) ||
+					((slen == (size_t)-1) && lastp)) {
+				errno = E2BIG;
+			}
+		}
+		return retval;
+	}
+
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+  general_case:
+#endif
+	return convert_string_internal(from, to, src, srclen, dest, destlen, allow_bad_conv);
+}
+
+/**
+ * Convert between character sets, allocating a new buffer for the result.
+ *
+ * @param ctx TALLOC_CTX to use to allocate with. If NULL use malloc.
+ * (this is a bad interface and needs fixing. JRA).
+ * @param srclen length of source buffer.
+ * @param dest always set at least to NULL
+ * @param converted_size set to the size of the allocated buffer on return
+ * true
+ * @note -1 is not accepted for srclen.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ *
+ * Ensure the srclen contains the terminating zero.
+ *
+ * I hate the goto's in this function. It's embarressing.....
+ * There has to be a cleaner way to do this. JRA.
+ **/
+
+bool convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
+			     void const *src, size_t srclen, void *dst,
+			     size_t *converted_size, bool allow_bad_conv)
+{
+	size_t i_len, o_len, destlen = (srclen * 3) / 2;
+	size_t retval;
+	const char *inbuf = (const char *)src;
+	char *outbuf = NULL, *ob = NULL;
+	smb_iconv_t descriptor;
+	void **dest = (void **)dst;
+
+	*dest = NULL;
+
+	if (!converted_size) {
+		errno = EINVAL;
+		return false;
+	}
+
+	if (src == NULL || srclen == (size_t)-1) {
+		errno = EINVAL;
+		return false;
+	}
+	if (srclen == 0) {
+		*converted_size = 0;
+		return true;
+	}
+
+	lazy_initialize_conv();
+
+	descriptor = conv_handles[from][to];
+
+	if (descriptor == (smb_iconv_t)-1 || descriptor == (smb_iconv_t)0) {
+		if (!conv_silent)
+			DEBUG(0,("convert_string_allocate: Conversion not supported.\n"));
+		errno = EOPNOTSUPP;
+		return false;
+	}
+
+  convert:
+
+	/* +2 is for ucs2 null termination. */
+	if ((destlen*2)+2 < destlen) {
+		/* wrapped ! abort. */
+		if (!conv_silent)
+			DEBUG(0, ("convert_string_allocate: destlen wrapped !\n"));
+		if (!ctx)
+			SAFE_FREE(outbuf);
+		errno = EOPNOTSUPP;
+		return false;
+	} else {
+		destlen = destlen * 2;
+	}
+
+	/* +2 is for ucs2 null termination. */
+	if (ctx) {
+		ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2);
+	} else {
+		ob = (char *)SMB_REALLOC(ob, destlen + 2);
+	}
+
+	if (!ob) {
+		DEBUG(0, ("convert_string_allocate: realloc failed!\n"));
+		errno = ENOMEM;
+		return false;
+	}
+	outbuf = ob;
+	i_len = srclen;
+	o_len = destlen;
+
+ again:
+
+	retval = smb_iconv(descriptor,
+			   &inbuf, &i_len,
+			   &outbuf, &o_len);
+	if(retval == (size_t)-1) 		{
+	    	const char *reason="unknown error";
+		switch(errno) {
+			case EINVAL:
+				reason="Incomplete multibyte sequence";
+				if (!conv_silent)
+					DEBUG(3,("convert_string_allocate: Conversion error: %s(%s)\n",reason,inbuf));
+				if (allow_bad_conv)
+					goto use_as_is;
+				break;
+			case E2BIG:
+				goto convert;
+			case EILSEQ:
+				reason="Illegal multibyte sequence";
+				if (!conv_silent)
+					DEBUG(3,("convert_string_allocate: Conversion error: %s(%s)\n",reason,inbuf));
+				if (allow_bad_conv)
+					goto use_as_is;
+				break;
+		}
+		if (!conv_silent)
+			DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
+		/* smb_panic(reason); */
+		if (ctx) {
+			TALLOC_FREE(ob);
+		} else {
+			SAFE_FREE(ob);
+		}
+		return false;
+	}
+
+  out:
+
+	destlen = destlen - o_len;
+	/* Don't shrink unless we're reclaiming a lot of
+	 * space. This is in the hot codepath and these
+	 * reallocs *cost*. JRA.
+	 */
+	if (o_len > 1024) {
+		/* We're shrinking here so we know the +2 is safe from wrap. */
+		if (ctx) {
+			ob = (char *)TALLOC_REALLOC(ctx,ob,destlen + 2);
+		} else {
+			ob = (char *)SMB_REALLOC(ob,destlen + 2);
+		}
+	}
+
+	if (destlen && !ob) {
+		DEBUG(0, ("convert_string_allocate: out of memory!\n"));
+		errno = ENOMEM;
+		return false;
+	}
+
+	*dest = ob;
+
+	/* Must ucs2 null terminate in the extra space we allocated. */
+	ob[destlen] = '\0';
+	ob[destlen+1] = '\0';
+
+	*converted_size = destlen;
+	return true;
+
+ use_as_is:
+
+	/* 
+	 * Conversion not supported. This is actually an error, but there are so
+	 * many misconfigured iconv systems and smb.conf's out there we can't just
+	 * fail. Do a very bad conversion instead.... JRA.
+	 */
+
+	{
+		if (o_len == 0 || i_len == 0)
+			goto out;
+
+		if (((from == CH_UTF16LE)||(from == CH_UTF16BE)) &&
+				((to != CH_UTF16LE)||(to != CH_UTF16BE))) {
+			/* Can't convert from utf16 any endian to multibyte.
+			   Replace with the default fail char.
+			*/
+
+			if (i_len < 2)
+				goto out;
+
+			if (i_len >= 2) {
+				*outbuf = lp_failed_convert_char();
+
+				outbuf++;
+				o_len--;
+
+				inbuf += 2;
+				i_len -= 2;
+			}
+
+			if (o_len == 0 || i_len == 0)
+				goto out;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else if (from != CH_UTF16LE && from != CH_UTF16BE && to == CH_UTF16LE) {
+			/* Can't convert to UTF16LE - just widen by adding the
+			   default fail char then zero.
+			*/
+			if (o_len < 2)
+				goto out;
+
+			outbuf[0] = lp_failed_convert_char();
+			outbuf[1] = '\0';
+
+			inbuf++;
+			i_len--;
+
+			outbuf += 2;
+			o_len -= 2;
+
+			if (o_len == 0 || i_len == 0)
+				goto out;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else if (from != CH_UTF16LE && from != CH_UTF16BE &&
+				to != CH_UTF16LE && to != CH_UTF16BE) {
+			/* Failed multibyte to multibyte. Just copy the default fail char and
+			   try again. */
+			outbuf[0] = lp_failed_convert_char();
+
+			inbuf++;
+			i_len--;
+
+			outbuf++;
+			o_len--;
+
+			if (o_len == 0 || i_len == 0)
+				goto out;
+
+			/* Keep trying with the next char... */
+			goto again;
+
+		} else {
+			/* Keep compiler happy.... */
+			goto out;
+		}
+	}
+}
+
+/**
+ * Convert between character sets, allocating a new buffer using talloc for the result.
+ *
+ * @param srclen length of source buffer.
+ * @param dest always set at least to NULL
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ * @note -1 is not accepted for srclen.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ */
+bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to,
+			   void const *src, size_t srclen, void *dst,
+			   size_t *converted_size, bool allow_bad_conv)
+{
+	void **dest = (void **)dst;
+
+	*dest = NULL;
+	return convert_string_allocate(ctx, from, to, src, srclen, dest,
+				       converted_size, allow_bad_conv);
+}
+
+size_t unix_strupper(const char *src, size_t srclen, char *dest, size_t destlen)
+{
+	size_t size;
+	smb_ucs2_t *buffer;
+
+	if (!push_ucs2_allocate(&buffer, src, &size)) {
+		return (size_t)-1;
+	}
+
+	if (!strupper_w(buffer) && (dest == src)) {
+		free(buffer);
+		return srclen;
+	}
+
+	size = convert_string(CH_UTF16LE, CH_UNIX, buffer, size, dest, destlen, True);
+	free(buffer);
+	return size;
+}
+
+/**
+ strdup() a unix string to upper case.
+**/
+
+char *strdup_upper(const char *s)
+{
+	char *out_buffer = SMB_STRDUP(s);
+	const unsigned char *p = (const unsigned char *)s;
+	unsigned char *q = (unsigned char *)out_buffer;
+
+	if (!q) {
+		return NULL;
+	}
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	while (*p) {
+		if (*p & 0x80)
+			break;
+		*q++ = toupper_ascii_fast(*p);
+		p++;
+	}
+
+	if (*p) {
+		/* MB case. */
+		size_t converted_size, converted_size2;
+		smb_ucs2_t *buffer = NULL;
+
+		SAFE_FREE(out_buffer);
+		if (!convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, s,
+					     strlen(s) + 1,
+					     (void **)(void *)&buffer,
+					     &converted_size, True))
+		{
+			return NULL;
+		}
+
+		strupper_w(buffer);
+
+		if (!convert_string_allocate(NULL, CH_UTF16LE, CH_UNIX, buffer,
+					     converted_size,
+					     (void **)(void *)&out_buffer,
+					     &converted_size2, True))
+		{
+			TALLOC_FREE(buffer);
+			return NULL;
+		}
+
+		/* Don't need the intermediate buffer
+ 		 * anymore.
+ 		 */
+		TALLOC_FREE(buffer);
+	}
+
+	return out_buffer;
+}
+
+/**
+ talloc_strdup() a unix string to upper case.
+**/
+
+char *talloc_strdup_upper(TALLOC_CTX *ctx, const char *s)
+{
+	char *out_buffer = talloc_strdup(ctx,s);
+	const unsigned char *p = (const unsigned char *)s;
+	unsigned char *q = (unsigned char *)out_buffer;
+
+	if (!q) {
+		return NULL;
+	}
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	while (*p) {
+		if (*p & 0x80)
+			break;
+		*q++ = toupper_ascii_fast(*p);
+		p++;
+	}
+
+	if (*p) {
+		/* MB case. */
+		size_t converted_size, converted_size2;
+		smb_ucs2_t *ubuf = NULL;
+
+		/* We're not using the ascii buffer above. */
+		TALLOC_FREE(out_buffer);
+
+		if (!convert_string_talloc(ctx, CH_UNIX, CH_UTF16LE, s,
+					   strlen(s)+1, (void *)&ubuf,
+					   &converted_size, True))
+		{
+			return NULL;
+		}
+
+		strupper_w(ubuf);
+
+		if (!convert_string_talloc(ctx, CH_UTF16LE, CH_UNIX, ubuf,
+					   converted_size, (void *)&out_buffer,
+					   &converted_size2, True))
+		{
+			TALLOC_FREE(ubuf);
+			return NULL;
+		}
+
+		/* Don't need the intermediate buffer
+ 		 * anymore.
+ 		 */
+		TALLOC_FREE(ubuf);
+	}
+
+	return out_buffer;
+}
+
+size_t unix_strlower(const char *src, size_t srclen, char *dest, size_t destlen)
+{
+	size_t size;
+	smb_ucs2_t *buffer = NULL;
+
+	if (!convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, src, srclen,
+				     (void **)(void *)&buffer, &size,
+				     True))
+	{
+		smb_panic("failed to create UCS2 buffer");
+	}
+	if (!strlower_w(buffer) && (dest == src)) {
+		SAFE_FREE(buffer);
+		return srclen;
+	}
+	size = convert_string(CH_UTF16LE, CH_UNIX, buffer, size, dest, destlen, True);
+	SAFE_FREE(buffer);
+	return size;
+}
+
+/**
+ strdup() a unix string to lower case.
+**/
+
+char *strdup_lower(const char *s)
+{
+	size_t converted_size;
+	smb_ucs2_t *buffer = NULL;
+	char *out_buffer;
+
+	if (!push_ucs2_allocate(&buffer, s, &converted_size)) {
+		return NULL;
+	}
+
+	strlower_w(buffer);
+
+	if (!pull_ucs2_allocate(&out_buffer, buffer, &converted_size)) {
+		SAFE_FREE(buffer);
+		return NULL;
+	}
+
+	SAFE_FREE(buffer);
+
+	return out_buffer;
+}
+
+char *talloc_strdup_lower(TALLOC_CTX *ctx, const char *s)
+{
+	size_t converted_size;
+	smb_ucs2_t *buffer = NULL;
+	char *out_buffer;
+
+	if (!push_ucs2_talloc(ctx, &buffer, s, &converted_size)) {
+		return NULL;
+	}
+
+	strlower_w(buffer);
+
+	if (!pull_ucs2_talloc(ctx, &out_buffer, buffer, &converted_size)) {
+		TALLOC_FREE(buffer);
+		return NULL;
+	}
+
+	TALLOC_FREE(buffer);
+
+	return out_buffer;
+}
+
+
+size_t ucs2_align(const void *base_ptr, const void *p, int flags)
+{
+	if (flags & (STR_NOALIGN|STR_ASCII))
+		return 0;
+	return PTR_DIFF(p, base_ptr) & 1;
+}
+
+
+/**
+ * Copy a string from a char* unix src to a dos codepage string destination.
+ *
+ * @return the number of bytes occupied by the string in the destination.
+ *
+ * @param flags can include
+ * <dl>
+ * <dt>STR_TERMINATE</dt> <dd>means include the null termination</dd>
+ * <dt>STR_UPPER</dt> <dd>means uppercase in the destination</dd>
+ * </dl>
+ *
+ * @param dest_len the maximum length in bytes allowed in the
+ * destination.
+ **/
+size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+{
+	size_t src_len = strlen(src);
+	char *tmpbuf = NULL;
+	size_t ret;
+
+	/* No longer allow a length of -1. */
+	if (dest_len == (size_t)-1) {
+		smb_panic("push_ascii - dest_len == -1");
+	}
+
+	if (flags & STR_UPPER) {
+		tmpbuf = SMB_STRDUP(src);
+		if (!tmpbuf) {
+			smb_panic("malloc fail");
+		}
+		strupper_m(tmpbuf);
+		src = tmpbuf;
+	}
+
+	if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
+		src_len++;
+	}
+
+	ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
+	if (ret == (size_t)-1 &&
+			(flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+			&& dest_len > 0) {
+		((char *)dest)[0] = '\0';
+	}
+	SAFE_FREE(tmpbuf);
+	return ret;
+}
+
+size_t push_ascii_fstring(void *dest, const char *src)
+{
+	return push_ascii(dest, src, sizeof(fstring), STR_TERMINATE);
+}
+
+/********************************************************************
+ Push an nstring - ensure null terminated. Written by
+ moriyama@miraclelinux.com (MORIYAMA Masayuki).
+********************************************************************/
+
+size_t push_ascii_nstring(void *dest, const char *src)
+{
+	size_t i, buffer_len, dest_len;
+	smb_ucs2_t *buffer;
+
+	conv_silent = True;
+	if (!push_ucs2_allocate(&buffer, src, &buffer_len)) {
+		smb_panic("failed to create UCS2 buffer");
+	}
+
+	/* We're using buffer_len below to count ucs2 characters, not bytes. */
+	buffer_len /= sizeof(smb_ucs2_t);
+
+	dest_len = 0;
+	for (i = 0; buffer[i] != 0 && (i < buffer_len); i++) {
+		unsigned char mb[10];
+		/* Convert one smb_ucs2_t character at a time. */
+		size_t mb_len = convert_string(CH_UTF16LE, CH_DOS, buffer+i, sizeof(smb_ucs2_t), mb, sizeof(mb), False);
+		if ((mb_len != (size_t)-1) && (dest_len + mb_len <= MAX_NETBIOSNAME_LEN - 1)) {
+			memcpy((char *)dest + dest_len, mb, mb_len);
+			dest_len += mb_len;
+		} else {
+			errno = E2BIG;
+			break;
+		}
+	}
+	((char *)dest)[dest_len] = '\0';
+
+	SAFE_FREE(buffer);
+	conv_silent = False;
+	return dest_len;
+}
+
+/********************************************************************
+ Push and malloc an ascii string. src and dest null terminated.
+********************************************************************/
+
+bool push_ascii_allocate(char **dest, const char *src, size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_allocate(NULL, CH_UNIX, CH_DOS, src, src_len,
+				       (void **)dest, converted_size, True);
+}
+
+/**
+ * Copy a string from a dos codepage source to a unix char* destination.
+ *
+ * The resulting string in "dest" is always null terminated.
+ *
+ * @param flags can have:
+ * <dl>
+ * <dt>STR_TERMINATE</dt>
+ * <dd>STR_TERMINATE means the string in @p src
+ * is null terminated, and src_len is ignored.</dd>
+ * </dl>
+ *
+ * @param src_len is the length of the source area in bytes.
+ * @returns the number of bytes occupied by the string in @p src.
+ **/
+size_t pull_ascii(char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
+{
+	size_t ret;
+
+	if (dest_len == (size_t)-1) {
+		/* No longer allow dest_len of -1. */
+		smb_panic("pull_ascii - invalid dest_len of -1");
+	}
+
+	if (flags & STR_TERMINATE) {
+		if (src_len == (size_t)-1) {
+			src_len = strlen((const char *)src) + 1;
+		} else {
+			size_t len = strnlen((const char *)src, src_len);
+			if (len < src_len)
+				len++;
+			src_len = len;
+		}
+	}
+
+	ret = convert_string(CH_DOS, CH_UNIX, src, src_len, dest, dest_len, True);
+	if (ret == (size_t)-1) {
+		ret = 0;
+		dest_len = 0;
+	}
+
+	if (dest_len && ret) {
+		/* Did we already process the terminating zero ? */
+		if (dest[MIN(ret-1, dest_len-1)] != 0) {
+			dest[MIN(ret, dest_len-1)] = 0;
+		}
+	} else  {
+		dest[0] = 0;
+	}
+
+	return src_len;
+}
+
+/**
+ * Copy a string from a dos codepage source to a unix char* destination.
+ Talloc version.
+ Uses malloc if TALLOC_CTX is NULL (this is a bad interface and
+ needs fixing. JRA).
+ *
+ * The resulting string in "dest" is always null terminated.
+ *
+ * @param flags can have:
+ * <dl>
+ * <dt>STR_TERMINATE</dt>
+ * <dd>STR_TERMINATE means the string in @p src
+ * is null terminated, and src_len is ignored.</dd>
+ * </dl>
+ *
+ * @param src_len is the length of the source area in bytes.
+ * @returns the number of bytes occupied by the string in @p src.
+ **/
+
+static size_t pull_ascii_base_talloc(TALLOC_CTX *ctx,
+					char **ppdest,
+					const void *src,
+					size_t src_len,
+					int flags)
+{
+	char *dest = NULL;
+	size_t converted_size;
+
+#ifdef DEVELOPER
+	/* Ensure we never use the braindead "malloc" varient. */
+	if (ctx == NULL) {
+		smb_panic("NULL talloc CTX in pull_ascii_base_talloc\n");
+	}
+#endif
+
+	*ppdest = NULL;
+
+	if (flags & STR_TERMINATE) {
+		if (src_len == (size_t)-1) {
+			src_len = strlen((const char *)src) + 1;
+		} else {
+			size_t len = strnlen((const char *)src, src_len);
+			if (len < src_len)
+				len++;
+			src_len = len;
+		}
+		/* Ensure we don't use an insane length from the client. */
+		if (src_len >= 1024*1024) {
+			char *msg = talloc_asprintf(ctx,
+					"Bad src length (%u) in "
+					"pull_ascii_base_talloc",
+					(unsigned int)src_len);
+			smb_panic(msg);
+		}
+	}
+
+	if (!convert_string_allocate(ctx, CH_DOS, CH_UNIX, src, src_len, &dest,
+				     &converted_size, True))
+	{
+		converted_size = 0;
+	}
+
+	if (converted_size && dest) {
+		/* Did we already process the terminating zero ? */
+		if (dest[converted_size - 1] != 0) {
+			dest[converted_size - 1] = 0;
+		}
+	} else if (dest) {
+		dest[0] = 0;
+	}
+
+	*ppdest = dest;
+	return src_len;
+}
+
+size_t pull_ascii_fstring(char *dest, const void *src)
+{
+	return pull_ascii(dest, src, sizeof(fstring), -1, STR_TERMINATE);
+}
+
+/* When pulling an nstring it can expand into a larger size (dos cp -> utf8). Cope with this. */
+
+size_t pull_ascii_nstring(char *dest, size_t dest_len, const void *src)
+{
+	return pull_ascii(dest, src, dest_len, sizeof(nstring)-1, STR_TERMINATE);
+}
+
+/**
+ * Copy a string from a char* src to a unicode destination.
+ *
+ * @returns the number of bytes occupied by the string in the destination.
+ *
+ * @param flags can have:
+ *
+ * <dl>
+ * <dt>STR_TERMINATE <dd>means include the null termination.
+ * <dt>STR_UPPER     <dd>means uppercase in the destination.
+ * <dt>STR_NOALIGN   <dd>means don't do alignment.
+ * </dl>
+ *
+ * @param dest_len is the maximum length allowed in the
+ * destination.
+ **/
+
+size_t push_ucs2(const void *base_ptr, void *dest, const char *src, size_t dest_len, int flags)
+{
+	size_t len=0;
+	size_t src_len;
+	size_t ret;
+
+	if (dest_len == (size_t)-1) {
+		/* No longer allow dest_len of -1. */
+		smb_panic("push_ucs2 - invalid dest_len of -1");
+	}
+
+	if (flags & STR_TERMINATE)
+		src_len = (size_t)-1;
+	else
+		src_len = strlen(src);
+
+	if (ucs2_align(base_ptr, dest, flags)) {
+		*(char *)dest = 0;
+		dest = (void *)((char *)dest + 1);
+		if (dest_len)
+			dest_len--;
+		len++;
+	}
+
+	/* ucs2 is always a multiple of 2 bytes */
+	dest_len &= ~1;
+
+	ret =  convert_string(CH_UNIX, CH_UTF16LE, src, src_len, dest, dest_len, True);
+	if (ret == (size_t)-1) {
+		if ((flags & STR_TERMINATE) &&
+				dest &&
+				dest_len) {
+			*(char *)dest = 0;
+		}
+		return len;
+	}
+
+	len += ret;
+
+	if (flags & STR_UPPER) {
+		smb_ucs2_t *dest_ucs2 = (smb_ucs2_t *)dest;
+		size_t i;
+
+		/* We check for i < (ret / 2) below as the dest string isn't null
+		   terminated if STR_TERMINATE isn't set. */
+
+		for (i = 0; i < (ret / 2) && i < (dest_len / 2) && dest_ucs2[i]; i++) {
+			smb_ucs2_t v = toupper_w(dest_ucs2[i]);
+			if (v != dest_ucs2[i]) {
+				dest_ucs2[i] = v;
+			}
+		}
+	}
+
+	return len;
+}
+
+
+/**
+ * Copy a string from a unix char* src to a UCS2 destination,
+ * allocating a buffer using talloc().
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+bool push_ucs2_talloc(TALLOC_CTX *ctx, smb_ucs2_t **dest, const char *src,
+		      size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_talloc(ctx, CH_UNIX, CH_UTF16LE, src, src_len,
+				     (void **)dest, converted_size, True);
+}
+
+
+/**
+ * Copy a string from a unix char* src to a UCS2 destination, allocating a buffer
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool push_ucs2_allocate(smb_ucs2_t **dest, const char *src,
+			size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, src, src_len,
+				       (void **)dest, converted_size, True);
+}
+
+/**
+ Copy a string from a char* src to a UTF-8 destination.
+ Return the number of bytes occupied by the string in the destination
+ Flags can have:
+  STR_TERMINATE means include the null termination
+  STR_UPPER     means uppercase in the destination
+ dest_len is the maximum length allowed in the destination. If dest_len
+ is -1 then no maxiumum is used.
+**/
+
+static size_t push_utf8(void *dest, const char *src, size_t dest_len, int flags)
+{
+	size_t src_len = 0;
+	size_t ret;
+	char *tmpbuf = NULL;
+
+	if (dest_len == (size_t)-1) {
+		/* No longer allow dest_len of -1. */
+		smb_panic("push_utf8 - invalid dest_len of -1");
+	}
+
+	if (flags & STR_UPPER) {
+		tmpbuf = strdup_upper(src);
+		if (!tmpbuf) {
+			return (size_t)-1;
+		}
+		src = tmpbuf;
+		src_len = strlen(src);
+	}
+
+	src_len = strlen(src);
+	if (flags & STR_TERMINATE) {
+		src_len++;
+	}
+
+	ret = convert_string(CH_UNIX, CH_UTF8, src, src_len, dest, dest_len, True);
+	SAFE_FREE(tmpbuf);
+	return ret;
+}
+
+size_t push_utf8_fstring(void *dest, const char *src)
+{
+	return push_utf8(dest, src, sizeof(fstring), STR_TERMINATE);
+}
+
+/**
+ * Copy a string from a unix char* src to a UTF-8 destination, allocating a buffer using talloc
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool push_utf8_talloc(TALLOC_CTX *ctx, char **dest, const char *src,
+		      size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_talloc(ctx, CH_UNIX, CH_UTF8, src, src_len,
+				     (void**)dest, converted_size, True);
+}
+
+/**
+ * Copy a string from a unix char* src to a UTF-8 destination, allocating a buffer
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool push_utf8_allocate(char **dest, const char *src, size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_allocate(NULL, CH_UNIX, CH_UTF8, src, src_len,
+				       (void **)dest, converted_size, True);
+}
+
+/**
+ Copy a string from a ucs2 source to a unix char* destination.
+ Flags can have:
+  STR_TERMINATE means the string in src is null terminated.
+  STR_NOALIGN   means don't try to align.
+ if STR_TERMINATE is set then src_len is ignored if it is -1.
+ src_len is the length of the source area in bytes
+ Return the number of bytes occupied by the string in src.
+ The resulting string in "dest" is always null terminated.
+**/
+
+size_t pull_ucs2(const void *base_ptr, char *dest, const void *src, size_t dest_len, size_t src_len, int flags)
+{
+	size_t ret;
+
+	if (dest_len == (size_t)-1) {
+		/* No longer allow dest_len of -1. */
+		smb_panic("pull_ucs2 - invalid dest_len of -1");
+	}
+
+	if (!src_len) {
+		if (dest && dest_len > 0) {
+			dest[0] = '\0';
+		}
+		return 0;
+	}
+
+	if (ucs2_align(base_ptr, src, flags)) {
+		src = (const void *)((const char *)src + 1);
+		if (src_len != (size_t)-1)
+			src_len--;
+	}
+
+	if (flags & STR_TERMINATE) {
+		/* src_len -1 is the default for null terminated strings. */
+		if (src_len != (size_t)-1) {
+			size_t len = strnlen_w((const smb_ucs2_t *)src,
+						src_len/2);
+			if (len < src_len/2)
+				len++;
+			src_len = len*2;
+		}
+	}
+
+	/* ucs2 is always a multiple of 2 bytes */
+	if (src_len != (size_t)-1)
+		src_len &= ~1;
+
+	ret = convert_string(CH_UTF16LE, CH_UNIX, src, src_len, dest, dest_len, True);
+	if (ret == (size_t)-1) {
+		ret = 0;
+		dest_len = 0;
+	}
+
+	if (src_len == (size_t)-1)
+		src_len = ret*2;
+
+	if (dest_len && ret) {
+		/* Did we already process the terminating zero ? */
+		if (dest[MIN(ret-1, dest_len-1)] != 0) {
+			dest[MIN(ret, dest_len-1)] = 0;
+		}
+	} else {
+		dest[0] = 0;
+	}
+
+	return src_len;
+}
+
+/**
+ Copy a string from a ucs2 source to a unix char* destination.
+ Talloc version with a base pointer.
+ Uses malloc if TALLOC_CTX is NULL (this is a bad interface and
+ needs fixing. JRA).
+ Flags can have:
+  STR_TERMINATE means the string in src is null terminated.
+  STR_NOALIGN   means don't try to align.
+ if STR_TERMINATE is set then src_len is ignored if it is -1.
+ src_len is the length of the source area in bytes
+ Return the number of bytes occupied by the string in src.
+ The resulting string in "dest" is always null terminated.
+**/
+
+size_t pull_ucs2_base_talloc(TALLOC_CTX *ctx,
+			const void *base_ptr,
+			char **ppdest,
+			const void *src,
+			size_t src_len,
+			int flags)
+{
+	char *dest;
+	size_t dest_len;
+
+	*ppdest = NULL;
+
+#ifdef DEVELOPER
+	/* Ensure we never use the braindead "malloc" varient. */
+	if (ctx == NULL) {
+		smb_panic("NULL talloc CTX in pull_ucs2_base_talloc\n");
+	}
+#endif
+
+	if (!src_len) {
+		return 0;
+	}
+
+	if (ucs2_align(base_ptr, src, flags)) {
+		src = (const void *)((const char *)src + 1);
+		if (src_len != (size_t)-1)
+			src_len--;
+	}
+
+	if (flags & STR_TERMINATE) {
+		/* src_len -1 is the default for null terminated strings. */
+		if (src_len != (size_t)-1) {
+			size_t len = strnlen_w((const smb_ucs2_t *)src,
+						src_len/2);
+			if (len < src_len/2)
+				len++;
+			src_len = len*2;
+		} else {
+			/*
+			 * src_len == -1 - alloc interface won't take this
+			 * so we must calculate.
+			 */
+			src_len = (strlen_w((const smb_ucs2_t *)src)+1)*sizeof(smb_ucs2_t);
+		}
+		/* Ensure we don't use an insane length from the client. */
+		if (src_len >= 1024*1024) {
+			smb_panic("Bad src length in pull_ucs2_base_talloc\n");
+		}
+	}
+
+	/* ucs2 is always a multiple of 2 bytes */
+	if (src_len != (size_t)-1) {
+		src_len &= ~1;
+	}
+
+	if (!convert_string_talloc(ctx, CH_UTF16LE, CH_UNIX, src, src_len,
+				   (void *)&dest, &dest_len, True)) {
+		dest_len = 0;
+	}
+
+	if (src_len == (size_t)-1)
+		src_len = dest_len*2;
+
+	if (dest_len) {
+		/* Did we already process the terminating zero ? */
+		if (dest[dest_len-1] != 0) {
+			size_t size = talloc_get_size(dest);
+			/* Have we got space to append the '\0' ? */
+			if (size <= dest_len) {
+				/* No, realloc. */
+				dest = TALLOC_REALLOC_ARRAY(ctx, dest, char,
+						dest_len+1);
+				if (!dest) {
+					/* talloc fail. */
+					dest_len = (size_t)-1;
+					return 0;
+				}
+			}
+			/* Yay - space ! */
+			dest[dest_len] = '\0';
+			dest_len++;
+		}
+	} else if (dest) {
+		dest[0] = 0;
+	}
+
+	*ppdest = dest;
+	return src_len;
+}
+
+size_t pull_ucs2_fstring(char *dest, const void *src)
+{
+	return pull_ucs2(NULL, dest, src, sizeof(fstring), -1, STR_TERMINATE);
+}
+
+/**
+ * Copy a string from a UCS2 src to a unix char * destination, allocating a buffer using talloc
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool pull_ucs2_talloc(TALLOC_CTX *ctx, char **dest, const smb_ucs2_t *src,
+		      size_t *converted_size)
+{
+	size_t src_len = (strlen_w(src)+1) * sizeof(smb_ucs2_t);
+
+	*dest = NULL;
+	return convert_string_talloc(ctx, CH_UTF16LE, CH_UNIX, src, src_len,
+				     (void **)dest, converted_size, True);
+}
+
+/**
+ * Copy a string from a UCS2 src to a unix char * destination, allocating a buffer
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool pull_ucs2_allocate(char **dest, const smb_ucs2_t *src,
+			size_t *converted_size)
+{
+	size_t src_len = (strlen_w(src)+1) * sizeof(smb_ucs2_t);
+
+	*dest = NULL;
+	return convert_string_allocate(NULL, CH_UTF16LE, CH_UNIX, src, src_len,
+				       (void **)dest, converted_size, True);
+}
+
+/**
+ * Copy a string from a UTF-8 src to a unix char * destination, allocating a buffer using talloc
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool pull_utf8_talloc(TALLOC_CTX *ctx, char **dest, const char *src,
+		      size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_talloc(ctx, CH_UTF8, CH_UNIX, src, src_len,
+				     (void **)dest, converted_size, True);
+}
+
+/**
+ * Copy a string from a UTF-8 src to a unix char * destination, allocating a buffer
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool pull_utf8_allocate(char **dest, const char *src, size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_allocate(NULL, CH_UTF8, CH_UNIX, src, src_len,
+				       (void **)dest, converted_size, True);
+}
+ 
+/**
+ * Copy a string from a DOS src to a unix char * destination, allocating a buffer using talloc
+ *
+ * @param dest always set at least to NULL 
+ * @parm converted_size set to the number of bytes occupied by the string in
+ * the destination on success.
+ *
+ * @return true if new buffer was correctly allocated, and string was
+ * converted.
+ **/
+
+bool pull_ascii_talloc(TALLOC_CTX *ctx, char **dest, const char *src,
+		       size_t *converted_size)
+{
+	size_t src_len = strlen(src)+1;
+
+	*dest = NULL;
+	return convert_string_talloc(ctx, CH_DOS, CH_UNIX, src, src_len,
+				     (void **)dest, converted_size, True);
+}
+
+/**
+ Copy a string from a char* src to a unicode or ascii
+ dos codepage destination choosing unicode or ascii based on the 
+ flags in the SMB buffer starting at base_ptr.
+ Return the number of bytes occupied by the string in the destination.
+ flags can have:
+  STR_TERMINATE means include the null termination.
+  STR_UPPER     means uppercase in the destination.
+  STR_ASCII     use ascii even with unicode packet.
+  STR_NOALIGN   means don't do alignment.
+ dest_len is the maximum length allowed in the destination. If dest_len
+ is -1 then no maxiumum is used.
+**/
+
+size_t push_string_fn(const char *function, unsigned int line,
+		      const void *base_ptr, uint16 flags2,
+		      void *dest, const char *src,
+		      size_t dest_len, int flags)
+{
+#ifdef DEVELOPER
+	/* We really need to zero fill here, not clobber
+	 * region, as we want to ensure that valgrind thinks
+	 * all of the outgoing buffer has been written to
+	 * so a send() or write() won't trap an error.
+	 * JRA.
+	 */
+#if 0
+	clobber_region(function, line, dest, dest_len);
+#else
+	memset(dest, '\0', dest_len);
+#endif
+#endif
+
+	if (!(flags & STR_ASCII) && \
+	    ((flags & STR_UNICODE || \
+	      (flags2 & FLAGS2_UNICODE_STRINGS)))) {
+		return push_ucs2(base_ptr, dest, src, dest_len, flags);
+	}
+	return push_ascii(dest, src, dest_len, flags);
+}
+
+
+/**
+ Copy a string from a unicode or ascii source (depending on
+ the packet flags) to a char* destination.
+ Flags can have:
+  STR_TERMINATE means the string in src is null terminated.
+  STR_UNICODE   means to force as unicode.
+  STR_ASCII     use ascii even with unicode packet.
+  STR_NOALIGN   means don't do alignment.
+ if STR_TERMINATE is set then src_len is ignored is it is -1
+ src_len is the length of the source area in bytes.
+ Return the number of bytes occupied by the string in src.
+ The resulting string in "dest" is always null terminated.
+**/
+
+size_t pull_string_fn(const char *function,
+			unsigned int line,
+			const void *base_ptr,
+			uint16 smb_flags2,
+			char *dest,
+			const void *src,
+			size_t dest_len,
+			size_t src_len,
+			int flags)
+{
+#ifdef DEVELOPER
+	clobber_region(function, line, dest, dest_len);
+#endif
+
+	if ((base_ptr == NULL) && ((flags & (STR_ASCII|STR_UNICODE)) == 0)) {
+		smb_panic("No base ptr to get flg2 and neither ASCII nor "
+			  "UNICODE defined");
+	}
+
+	if (!(flags & STR_ASCII) && \
+	    ((flags & STR_UNICODE || \
+	      (smb_flags2 & FLAGS2_UNICODE_STRINGS)))) {
+		return pull_ucs2(base_ptr, dest, src, dest_len, src_len, flags);
+	}
+	return pull_ascii(dest, src, dest_len, src_len, flags);
+}
+
+/**
+ Copy a string from a unicode or ascii source (depending on
+ the packet flags) to a char* destination.
+ Variant that uses talloc.
+ Flags can have:
+  STR_TERMINATE means the string in src is null terminated.
+  STR_UNICODE   means to force as unicode.
+  STR_ASCII     use ascii even with unicode packet.
+  STR_NOALIGN   means don't do alignment.
+ if STR_TERMINATE is set then src_len is ignored is it is -1
+ src_len is the length of the source area in bytes.
+ Return the number of bytes occupied by the string in src.
+ The resulting string in "dest" is always null terminated.
+**/
+
+size_t pull_string_talloc_fn(const char *function,
+			unsigned int line,
+			TALLOC_CTX *ctx,
+			const void *base_ptr,
+			uint16 smb_flags2,
+			char **ppdest,
+			const void *src,
+			size_t src_len,
+			int flags)
+{
+	if ((base_ptr == NULL) && ((flags & (STR_ASCII|STR_UNICODE)) == 0)) {
+		smb_panic("No base ptr to get flg2 and neither ASCII nor "
+			  "UNICODE defined");
+	}
+
+	if (!(flags & STR_ASCII) && \
+	    ((flags & STR_UNICODE || \
+	      (smb_flags2 & FLAGS2_UNICODE_STRINGS)))) {
+		return pull_ucs2_base_talloc(ctx,
+					base_ptr,
+					ppdest,
+					src,
+					src_len,
+					flags);
+	}
+	return pull_ascii_base_talloc(ctx,
+					ppdest,
+					src,
+					src_len,
+					flags);
+}
+
+
+size_t align_string(const void *base_ptr, const char *p, int flags)
+{
+	if (!(flags & STR_ASCII) && \
+	    ((flags & STR_UNICODE || \
+	      (SVAL(base_ptr, smb_flg2) & FLAGS2_UNICODE_STRINGS)))) {
+		return ucs2_align(base_ptr, p, flags);
+	}
+	return 0;
+}
+
+/*
+  Return the unicode codepoint for the next multi-byte CH_UNIX character
+  in the string. The unicode codepoint (codepoint_t) is an unsinged 32 bit value.
+
+  Also return the number of bytes consumed (which tells the caller
+  how many bytes to skip to get to the next CH_UNIX character).
+
+  Return INVALID_CODEPOINT if the next character cannot be converted.
+*/
+
+codepoint_t next_codepoint(const char *str, size_t *size)
+{
+	/* It cannot occupy more than 4 bytes in UTF16 format */
+	uint8_t buf[4];
+	smb_iconv_t descriptor;
+	size_t ilen_orig;
+	size_t ilen;
+	size_t olen;
+	char *outbuf;
+
+	if ((str[0] & 0x80) == 0) {
+		*size = 1;
+		return (codepoint_t)str[0];
+	}
+
+	/* We assume that no multi-byte character can take
+	   more than 5 bytes. This is OK as we only
+	   support codepoints up to 1M */
+
+	ilen_orig = strnlen(str, 5);
+	ilen = ilen_orig;
+
+        lazy_initialize_conv();
+
+        descriptor = conv_handles[CH_UNIX][CH_UTF16LE];
+	if (descriptor == (smb_iconv_t)-1 || descriptor == (smb_iconv_t)0) {
+		*size = 1;
+		return INVALID_CODEPOINT;
+	}
+
+	/* This looks a little strange, but it is needed to cope
+	   with codepoints above 64k which are encoded as per RFC2781. */
+	olen = 2;
+	outbuf = (char *)buf;
+	smb_iconv(descriptor, &str, &ilen, &outbuf, &olen);
+	if (olen == 2) {
+		/* We failed to convert to a 2 byte character.
+		   See if we can convert to a 4 UTF16-LE byte char encoding.
+		*/
+		olen = 4;
+		outbuf = (char *)buf;
+		smb_iconv(descriptor,  &str, &ilen, &outbuf, &olen);
+		if (olen == 4) {
+			/* We didn't convert any bytes */
+			*size = 1;
+			return INVALID_CODEPOINT;
+		}
+		olen = 4 - olen;
+	} else {
+		olen = 2 - olen;
+	}
+
+	*size = ilen_orig - ilen;
+
+	if (olen == 2) {
+		/* 2 byte, UTF16-LE encoded value. */
+		return (codepoint_t)SVAL(buf, 0);
+	}
+	if (olen == 4) {
+		/* Decode a 4 byte UTF16-LE character manually.
+		   See RFC2871 for the encoding machanism.
+		*/
+		codepoint_t w1 = SVAL(buf,0) & ~0xD800;
+		codepoint_t w2 = SVAL(buf,2) & ~0xDC00;
+
+		return (codepoint_t)0x10000 +
+				(w1 << 10) + w2;
+	}
+
+	/* no other length is valid */
+	return INVALID_CODEPOINT;
+}
diff --git a/source3/lib/clobber.c b/source3/lib/clobber.c
new file mode 100644
index 0000000000..e77e786fb5
--- /dev/null
+++ b/source3/lib/clobber.c
@@ -0,0 +1,63 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Martin Pool     2003
+   Copyright (C) Andrew Bartlett 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef DEVELOPER
+const char *global_clobber_region_function;
+unsigned int global_clobber_region_line;
+#endif
+
+/**
+ * In developer builds, clobber a region of memory.
+ *
+ * If we think a string buffer is longer than it really is, this ought
+ * to make the failure obvious, by segfaulting (if in the heap) or by
+ * killing the return address (on the stack), or by trapping under a
+ * memory debugger.
+ *
+ * This is meant to catch possible string overflows, even if the
+ * actual string copied is not big enough to cause an overflow.
+ *
+ * In addition, under Valgrind the buffer is marked as uninitialized.
+ **/
+void clobber_region(const char *fn, unsigned int line, char *dest, size_t len)
+{
+#ifdef DEVELOPER
+	global_clobber_region_function = fn;
+	global_clobber_region_line = line;
+
+	/* F1 is odd and 0xf1f1f1f1 shouldn't be a valid pointer */
+	memset(dest, 0xF1, len);
+#ifdef VALGRIND
+	/* Even though we just wrote to this, from the application's
+	 * point of view it is not initialized.
+	 *
+	 * (This is not redundant with the clobbering above.  The
+	 * marking might not actually take effect if we're not running
+	 * under valgrind.) */
+#if defined(VALGRIND_MAKE_MEM_UNDEFINED)
+	VALGRIND_MAKE_MEM_UNDEFINED(dest, len);
+#elif defined(VALGRIND_MAKE_WRITABLE)
+	VALGRIND_MAKE_WRITABLE(dest, len);
+#endif
+#endif /* VALGRIND */
+#endif /* DEVELOPER */
+}
diff --git a/source3/lib/compression/mszip.c b/source3/lib/compression/mszip.c
new file mode 100644
index 0000000000..aeeb2d8afd
--- /dev/null
+++ b/source3/lib/compression/mszip.c
@@ -0,0 +1,676 @@
+/* mszip decompression - based on cabextract.c code from
+ * Stuart Caie
+ *
+ * adapted for Samba by Andrew Tridgell and Stefan Metzmacher 2005
+ *
+ * (C) 2000-2001 Stuart Caie <kyzer@4u.net>
+ * reaktivate-specifics by Malte Starostik <malte@kde.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/compression/mszip.h"
+
+/*--------------------------------------------------------------------------*/
+/* our archiver information / state */
+
+/* MSZIP stuff */
+#define ZIPWSIZE 	0x8000  /* window size */
+#define ZIPLBITS	9	/* bits in base literal/length lookup table */
+#define ZIPDBITS	6	/* bits in base distance lookup table */
+#define ZIPBMAX		16      /* maximum bit length of any code */
+#define ZIPN_MAX	288     /* maximum number of codes in any set */
+
+struct Ziphuft {
+  uint8_t e;                /* number of extra bits or operation */
+  uint8_t b;                /* number of bits in this code or subcode */
+  union {
+    uint16_t n;              /* literal, length base, or distance base */
+    struct Ziphuft *t;    /* pointer to next level of table */
+  } v;
+};
+
+struct ZIPstate {
+    uint32_t window_posn;     /* current offset within the window        */
+    uint32_t bb;              /* bit buffer */
+    uint32_t bk;              /* bits in bit buffer */
+    uint32_t ll[288+32];	   /* literal/length and distance code lengths */
+    uint32_t c[ZIPBMAX+1];    /* bit length count table */
+    int32_t  lx[ZIPBMAX+1];   /* memory for l[-1..ZIPBMAX-1] */
+    struct Ziphuft *u[ZIPBMAX];         	/* table stack */
+    uint32_t v[ZIPN_MAX];     /* values in order of bit length */
+    uint32_t x[ZIPBMAX+1];    /* bit offsets, then code stack */
+    uint8_t *inpos;
+};
+
+/* generic stuff */
+#define CAB(x) (decomp_state->x)
+#define ZIP(x) (decomp_state->methods.zip.x)
+
+/* CAB data blocks are <= 32768 bytes in uncompressed form. Uncompressed
+ * blocks have zero growth. MSZIP guarantees that it won't grow above
+ * uncompressed size by more than 12 bytes. LZX guarantees it won't grow
+ * more than 6144 bytes.
+ */
+#define CAB_BLOCKMAX (32768)
+#define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+
+struct decomp_state {
+  struct folder *current; /* current folder we're extracting from  */
+  uint32_t offset;           /* uncompressed offset within folder     */
+  uint8_t *outpos;          /* (high level) start of data to use up  */
+  uint16_t outlen;           /* (high level) amount of data to use up */
+  uint16_t split;            /* at which split in current folder?     */
+  int (*decompress)(int, int); /* the chosen compression func      */
+  uint8_t inbuf[CAB_INPUTMAX+2]; /* +2 for lzx bitbuffer overflows!  */
+  uint8_t outbuf[CAB_BLOCKMAX];
+  union {
+    struct ZIPstate zip;
+  } methods;
+};
+
+
+/* MSZIP decruncher */
+
+/* Dirk Stoecker wrote the ZIP decoder, based on the InfoZip deflate code */
+
+/* Tables for deflate from PKZIP's appnote.txt. */
+static const uint8_t Zipborder[] = /* Order of the bit length code lengths */
+{ 16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
+static const uint16_t Zipcplens[] = /* Copy lengths for literal codes 257..285 */
+{ 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51,
+ 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
+static const uint16_t Zipcplext[] = /* Extra bits for literal codes 257..285 */
+{ 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4,
+  4, 5, 5, 5, 5, 0, 99, 99}; /* 99==invalid */
+static const uint16_t Zipcpdist[] = /* Copy offsets for distance codes 0..29 */
+{ 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385,
+513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577};
+static const uint16_t Zipcpdext[] = /* Extra bits for distance codes */
+{ 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10,
+10, 11, 11, 12, 12, 13, 13};
+
+/* And'ing with Zipmask[n] masks the lower n bits */
+static const uint16_t Zipmask[17] = {
+ 0x0000, 0x0001, 0x0003, 0x0007, 0x000f, 0x001f, 0x003f, 0x007f, 0x00ff,
+ 0x01ff, 0x03ff, 0x07ff, 0x0fff, 0x1fff, 0x3fff, 0x7fff, 0xffff
+};
+
+#define ZIPNEEDBITS(n) {while(k<(n)){int32_t c=*(ZIP(inpos)++);\
+    b|=((uint32_t)c)<<k;k+=8;}}
+#define ZIPDUMPBITS(n) {b>>=(n);k-=(n);}
+
+static void Ziphuft_free(struct Ziphuft *t)
+{
+  register struct Ziphuft *p, *q;
+
+  /* Go through linked list, freeing from the allocated (t[-1]) address. */
+  p = t;
+  while (p != (struct Ziphuft *)NULL)
+  {
+    q = (--p)->v.t;
+    free(p);
+    p = q;
+  }
+}
+
+static int32_t Ziphuft_build(struct decomp_state *decomp_state,
+			  uint32_t *b, uint32_t n, uint32_t s, const uint16_t *d, const uint16_t *e,
+			  struct Ziphuft **t, int32_t *m)
+{
+  uint32_t a;                   	/* counter for codes of length k */
+  uint32_t el;                  	/* length of EOB code (value 256) */
+  uint32_t f;                   	/* i repeats in table every f entries */
+  int32_t g;                    	/* maximum code length */
+  int32_t h;                    	/* table level */
+  register uint32_t i;          	/* counter, current code */
+  register uint32_t j;          	/* counter */
+  register int32_t k;           	/* number of bits in current code */
+  int32_t *l;               	/* stack of bits per table */
+  register uint32_t *p;         	/* pointer into ZIP(c)[],ZIP(b)[],ZIP(v)[] */
+  register struct Ziphuft *q;   /* points to current table */
+  struct Ziphuft r;             /* table entry for structure assignment */
+  register int32_t w;              /* bits before this table == (l * h) */
+  uint32_t *xp;                 	/* pointer into x */
+  int32_t y;                       /* number of dummy codes added */
+  uint32_t z;                   	/* number of entries in current table */
+
+  l = ZIP(lx)+1;
+
+  /* Generate counts for each bit length */
+  el = n > 256 ? b[256] : ZIPBMAX; /* set length of EOB code, if any */
+
+  for(i = 0; i < ZIPBMAX+1; ++i)
+    ZIP(c)[i] = 0;
+  p = b;  i = n;
+  do
+  {
+    ZIP(c)[*p]++; p++;               /* assume all entries <= ZIPBMAX */
+  } while (--i);
+  if (ZIP(c)[0] == n)                /* null input--all zero length codes */
+  {
+    *t = (struct Ziphuft *)NULL;
+    *m = 0;
+    return 0;
+  }
+
+  /* Find minimum and maximum length, bound *m by those */
+  for (j = 1; j <= ZIPBMAX; j++)
+    if (ZIP(c)[j])
+      break;
+  k = j;                        /* minimum code length */
+  if ((uint32_t)*m < j)
+    *m = j;
+  for (i = ZIPBMAX; i; i--)
+    if (ZIP(c)[i])
+      break;
+  g = i;                        /* maximum code length */
+  if ((uint32_t)*m > i)
+    *m = i;
+
+  /* Adjust last length count to fill out codes, if needed */
+  for (y = 1 << j; j < i; j++, y <<= 1)
+    if ((y -= ZIP(c)[j]) < 0)
+      return 2;                 /* bad input: more codes than bits */
+  if ((y -= ZIP(c)[i]) < 0)
+    return 2;
+  ZIP(c)[i] += y;
+
+  /* Generate starting offsets int32_to the value table for each length */
+  ZIP(x)[1] = j = 0;
+  p = ZIP(c) + 1;  xp = ZIP(x) + 2;
+  while (--i)
+  {                 /* note that i == g from above */
+    *xp++ = (j += *p++);
+  }
+
+  /* Make a table of values in order of bit lengths */
+  p = b;  i = 0;
+  do{
+    if ((j = *p++) != 0)
+      ZIP(v)[ZIP(x)[j]++] = i;
+  } while (++i < n);
+
+
+  /* Generate the Huffman codes and for each, make the table entries */
+  ZIP(x)[0] = i = 0;                 /* first Huffman code is zero */
+  p = ZIP(v);                        /* grab values in bit order */
+  h = -1;                       /* no tables yet--level -1 */
+  w = l[-1] = 0;                /* no bits decoded yet */
+  ZIP(u)[0] = (struct Ziphuft *)NULL;   /* just to keep compilers happy */
+  q = (struct Ziphuft *)NULL;      /* ditto */
+  z = 0;                        /* ditto */
+
+  /* go through the bit lengths (k already is bits in shortest code) */
+  for (; k <= g; k++)
+  {
+    a = ZIP(c)[k];
+    while (a--)
+    {
+      /* here i is the Huffman code of length k bits for value *p */
+      /* make tables up to required level */
+      while (k > w + l[h])
+      {
+        w += l[h++];            /* add bits already decoded */
+
+        /* compute minimum size table less than or equal to *m bits */
+        z = (z = g - w) > (uint32_t)*m ? *m : z;        /* upper limit */
+        if ((f = 1 << (j = k - w)) > a + 1)     /* try a k-w bit table */
+        {                       /* too few codes for k-w bit table */
+          f -= a + 1;           /* deduct codes from patterns left */
+          xp = ZIP(c) + k;
+          while (++j < z)       /* try smaller tables up to z bits */
+          {
+            if ((f <<= 1) <= *++xp)
+              break;            /* enough codes to use up j bits */
+            f -= *xp;           /* else deduct codes from patterns */
+          }
+        }
+        if ((uint32_t)w + j > el && (uint32_t)w < el)
+          j = el - w;           /* make EOB code end at table */
+        z = 1 << j;             /* table entries for j-bit table */
+        l[h] = j;               /* set table size in stack */
+
+        /* allocate and link in new table */
+        if (!(q = (struct Ziphuft *)SMB_MALLOC((z + 1)*sizeof(struct Ziphuft))))
+        {
+          if(h)
+            Ziphuft_free(ZIP(u)[0]);
+          return 3;             /* not enough memory */
+        }
+        *t = q + 1;             /* link to list for Ziphuft_free() */
+        *(t = &(q->v.t)) = (struct Ziphuft *)NULL;
+        ZIP(u)[h] = ++q;             /* table starts after link */
+
+        /* connect to last table, if there is one */
+        if (h)
+        {
+          ZIP(x)[h] = i;             /* save pattern for backing up */
+          r.b = (uint8_t)l[h-1];    /* bits to dump before this table */
+          r.e = (uint8_t)(16 + j);  /* bits in this table */
+          r.v.t = q;            /* pointer to this table */
+          j = (i & ((1 << w) - 1)) >> (w - l[h-1]);
+          ZIP(u)[h-1][j] = r;        /* connect to last table */
+        }
+      }
+
+      /* set up table entry in r */
+      r.b = (uint8_t)(k - w);
+      if (p >= ZIP(v) + n)
+        r.e = 99;               /* out of values--invalid code */
+      else if (*p < s)
+      {
+        r.e = (uint8_t)(*p < 256 ? 16 : 15);    /* 256 is end-of-block code */
+        r.v.n = *p++;           /* simple code is just the value */
+      }
+      else
+      {
+        r.e = (uint8_t)e[*p - s];   /* non-simple--look up in lists */
+        r.v.n = d[*p++ - s];
+      }
+
+      /* fill code-like entries with r */
+      f = 1 << (k - w);
+      for (j = i >> w; j < z; j += f)
+        q[j] = r;
+
+      /* backwards increment the k-bit code i */
+      for (j = 1 << (k - 1); i & j; j >>= 1)
+        i ^= j;
+      i ^= j;
+
+      /* backup over finished tables */
+      while ((i & ((1 << w) - 1)) != ZIP(x)[h])
+        w -= l[--h];            /* don't need to update q */
+    }
+  }
+
+  /* return actual size of base table */
+  *m = l[0];
+
+  /* Return true (1) if we were given an incomplete table */
+  return y != 0 && g != 1;
+}
+
+static int32_t Zipinflate_codes(struct decomp_state *decomp_state,
+			     struct Ziphuft *tl, struct Ziphuft *td,
+			     int32_t bl, int32_t bd)
+{
+  register uint32_t e;  /* table entry flag/number of extra bits */
+  uint32_t n, d;        /* length and index for copy */
+  uint32_t w;           /* current window position */
+  struct Ziphuft *t; /* pointer to table entry */
+  uint32_t ml, md;      /* masks for bl and bd bits */
+  register uint32_t b;  /* bit buffer */
+  register uint32_t k;  /* number of bits in bit buffer */
+
+  DEBUG(10,("Zipinflate_codes\n"));
+
+  /* make local copies of globals */
+  b = ZIP(bb);                       /* initialize bit buffer */
+  k = ZIP(bk);
+  w = ZIP(window_posn);                       /* initialize window position */
+
+  /* inflate the coded data */
+  ml = Zipmask[bl];           	/* precompute masks for speed */
+  md = Zipmask[bd];
+
+  for(;;)
+  {
+    ZIPNEEDBITS((uint32_t)bl)
+    if((e = (t = tl + ((uint32_t)b & ml))->e) > 16)
+      do
+      {
+        if (e == 99)
+          return 1;
+        ZIPDUMPBITS(t->b)
+        e -= 16;
+        ZIPNEEDBITS(e)
+      } while ((e = (t = t->v.t + ((uint32_t)b & Zipmask[e]))->e) > 16);
+    ZIPDUMPBITS(t->b)
+    if (w >= CAB_BLOCKMAX) break;
+    if (e == 16)                /* then it's a literal */
+      CAB(outbuf)[w++] = (uint8_t)t->v.n;
+    else                        /* it's an EOB or a length */
+    {
+      /* exit if end of block */
+      if(e == 15)
+        break;
+
+      /* get length of block to copy */
+      ZIPNEEDBITS(e)
+      n = t->v.n + ((uint32_t)b & Zipmask[e]);
+      ZIPDUMPBITS(e);
+
+      /* decode distance of block to copy */
+      ZIPNEEDBITS((uint32_t)bd)
+      if ((e = (t = td + ((uint32_t)b & md))->e) > 16)
+        do {
+          if (e == 99)
+            return 1;
+          ZIPDUMPBITS(t->b)
+          e -= 16;
+          ZIPNEEDBITS(e)
+        } while ((e = (t = t->v.t + ((uint32_t)b & Zipmask[e]))->e) > 16);
+      ZIPDUMPBITS(t->b)
+      ZIPNEEDBITS(e)
+      d = w - t->v.n - ((uint32_t)b & Zipmask[e]);
+      ZIPDUMPBITS(e)
+      do
+      {
+        n -= (e = (e = ZIPWSIZE - ((d &= ZIPWSIZE-1) > w ? d : w)) > n ?n:e);
+        do
+        {
+          CAB(outbuf)[w++] = CAB(outbuf)[d++];
+        } while (--e);
+      } while (n);
+    }
+  }
+
+  /* restore the globals from the locals */
+  ZIP(window_posn) = w;              /* restore global window pointer */
+  ZIP(bb) = b;                       /* restore global bit buffer */
+  ZIP(bk) = k;
+
+  /* done */
+  return 0;
+}
+
+/* "decompress" an inflated type 0 (stored) block. */
+static int32_t Zipinflate_stored(struct decomp_state *decomp_state)
+{
+  uint32_t n;           /* number of bytes in block */
+  uint32_t w;           /* current window position */
+  register uint32_t b;  /* bit buffer */
+  register uint32_t k;  /* number of bits in bit buffer */
+
+  /* make local copies of globals */
+  b = ZIP(bb);                       /* initialize bit buffer */
+  k = ZIP(bk);
+  w = ZIP(window_posn);              /* initialize window position */
+
+  /* go to byte boundary */
+  n = k & 7;
+  ZIPDUMPBITS(n);
+
+  /* get the length and its complement */
+  ZIPNEEDBITS(16)
+  n = ((uint32_t)b & 0xffff);
+  ZIPDUMPBITS(16)
+  ZIPNEEDBITS(16)
+  if (n != (uint32_t)((~b) & 0xffff))
+    return 1;                   /* error in compressed data */
+  ZIPDUMPBITS(16)
+
+  /* read and output the compressed data */
+  while(n--)
+  {
+    ZIPNEEDBITS(8)
+    CAB(outbuf)[w++] = (uint8_t)b;
+    ZIPDUMPBITS(8)
+  }
+
+  /* restore the globals from the locals */
+  ZIP(window_posn) = w;              /* restore global window pointer */
+  ZIP(bb) = b;                       /* restore global bit buffer */
+  ZIP(bk) = k;
+  return 0;
+}
+
+static int32_t Zipinflate_fixed(struct decomp_state *decomp_state)
+{
+  struct Ziphuft *fixed_tl;
+  struct Ziphuft *fixed_td;
+  int32_t fixed_bl, fixed_bd;
+  int32_t i;                /* temporary variable */
+  uint32_t *l;
+
+  l = ZIP(ll);
+
+  /* literal table */
+  for(i = 0; i < 144; i++)
+    l[i] = 8;
+  for(; i < 256; i++)
+    l[i] = 9;
+  for(; i < 280; i++)
+    l[i] = 7;
+  for(; i < 288; i++)          /* make a complete, but wrong code set */
+    l[i] = 8;
+  fixed_bl = 7;
+  if((i = Ziphuft_build(decomp_state, l, 288, 257, Zipcplens, Zipcplext, &fixed_tl, &fixed_bl)))
+    return i;
+
+  /* distance table */
+  for(i = 0; i < 30; i++)      /* make an incomplete code set */
+    l[i] = 5;
+  fixed_bd = 5;
+  if((i = Ziphuft_build(decomp_state, l, 30, 0, Zipcpdist, Zipcpdext, &fixed_td, &fixed_bd)) > 1)
+  {
+    Ziphuft_free(fixed_tl);
+    return i;
+  }
+
+  /* decompress until an end-of-block code */
+  i = Zipinflate_codes(decomp_state, fixed_tl, fixed_td, fixed_bl, fixed_bd);
+
+  Ziphuft_free(fixed_td);
+  Ziphuft_free(fixed_tl);
+  return i;
+}
+
+/* decompress an inflated type 2 (dynamic Huffman codes) block. */
+static int32_t Zipinflate_dynamic(struct decomp_state *decomp_state)
+{
+  int32_t i;          	/* temporary variables */
+  uint32_t j;
+  uint32_t *ll;
+  uint32_t l;           	/* last length */
+  uint32_t m;           	/* mask for bit lengths table */
+  uint32_t n;           	/* number of lengths to get */
+  struct Ziphuft *tl;      /* literal/length code table */
+  struct Ziphuft *td;      /* distance code table */
+  int32_t bl;              /* lookup bits for tl */
+  int32_t bd;              /* lookup bits for td */
+  uint32_t nb;          	/* number of bit length codes */
+  uint32_t nl;          	/* number of literal/length codes */
+  uint32_t nd;          	/* number of distance codes */
+  register uint32_t b;     /* bit buffer */
+  register uint32_t k;	/* number of bits in bit buffer */
+
+  /* make local bit buffer */
+  b = ZIP(bb);
+  k = ZIP(bk);
+  ll = ZIP(ll);
+
+  /* read in table lengths */
+  ZIPNEEDBITS(5)
+  nl = 257 + ((uint32_t)b & 0x1f);      /* number of literal/length codes */
+  ZIPDUMPBITS(5)
+  ZIPNEEDBITS(5)
+  nd = 1 + ((uint32_t)b & 0x1f);        /* number of distance codes */
+  ZIPDUMPBITS(5)
+  ZIPNEEDBITS(4)
+  nb = 4 + ((uint32_t)b & 0xf);         /* number of bit length codes */
+  ZIPDUMPBITS(4)
+  if(nl > 288 || nd > 32)
+    return 1;                   /* bad lengths */
+
+  /* read in bit-length-code lengths */
+  for(j = 0; j < nb; j++)
+  {
+    ZIPNEEDBITS(3)
+    ll[Zipborder[j]] = (uint32_t)b & 7;
+    ZIPDUMPBITS(3)
+  }
+  for(; j < 19; j++)
+    ll[Zipborder[j]] = 0;
+
+  /* build decoding table for trees--single level, 7 bit lookup */
+  bl = 7;
+  if((i = Ziphuft_build(decomp_state, ll, 19, 19, NULL, NULL, &tl, &bl)) != 0)
+  {
+    if(i == 1)
+      Ziphuft_free(tl);
+    return i;                   /* incomplete code set */
+  }
+
+  /* read in literal and distance code lengths */
+  n = nl + nd;
+  m = Zipmask[bl];
+  i = l = 0;
+  while((uint32_t)i < n)
+  {
+    ZIPNEEDBITS((uint32_t)bl)
+    j = (td = tl + ((uint32_t)b & m))->b;
+    ZIPDUMPBITS(j)
+    j = td->v.n;
+    if (j < 16)                 /* length of code in bits (0..15) */
+      ll[i++] = l = j;          /* save last length in l */
+    else if (j == 16)           /* repeat last length 3 to 6 times */
+    {
+      ZIPNEEDBITS(2)
+      j = 3 + ((uint32_t)b & 3);
+      ZIPDUMPBITS(2)
+      if((uint32_t)i + j > n)
+        return 1;
+      while (j--)
+        ll[i++] = l;
+    }
+    else if (j == 17)           /* 3 to 10 zero length codes */
+    {
+      ZIPNEEDBITS(3)
+      j = 3 + ((uint32_t)b & 7);
+      ZIPDUMPBITS(3)
+      if ((uint32_t)i + j > n)
+        return 1;
+      while (j--)
+        ll[i++] = 0;
+      l = 0;
+    }
+    else                        /* j == 18: 11 to 138 zero length codes */
+    {
+      ZIPNEEDBITS(7)
+      j = 11 + ((uint32_t)b & 0x7f);
+      ZIPDUMPBITS(7)
+      if ((uint32_t)i + j > n)
+        return 1;
+      while (j--)
+        ll[i++] = 0;
+      l = 0;
+    }
+  }
+
+  /* free decoding table for trees */
+  Ziphuft_free(tl);
+
+  /* restore the global bit buffer */
+  ZIP(bb) = b;
+  ZIP(bk) = k;
+
+  /* build the decoding tables for literal/length and distance codes */
+  bl = ZIPLBITS;
+  if((i = Ziphuft_build(decomp_state, ll, nl, 257, Zipcplens, Zipcplext, &tl, &bl)) != 0)
+  {
+    if(i == 1)
+      Ziphuft_free(tl);
+    return i;                   /* incomplete code set */
+  }
+  bd = ZIPDBITS;
+  Ziphuft_build(decomp_state, ll + nl, nd, 0, Zipcpdist, Zipcpdext, &td, &bd);
+
+  /* decompress until an end-of-block code */
+  if(Zipinflate_codes(decomp_state, tl, td, bl, bd))
+    return 1;
+
+  /* free the decoding tables, return */
+  Ziphuft_free(tl);
+  Ziphuft_free(td);
+  return 0;
+}
+
+/* e == last block flag */
+static int32_t Zipinflate_block(struct decomp_state *decomp_state, int32_t *e)
+{ /* decompress an inflated block */
+  uint32_t t;           	/* block type */
+  register uint32_t b;     /* bit buffer */
+  register uint32_t k;     /* number of bits in bit buffer */
+
+  DEBUG(10,("Zipinflate_block\n"));
+
+  /* make local bit buffer */
+  b = ZIP(bb);
+  k = ZIP(bk);
+
+  /* read in last block bit */
+  ZIPNEEDBITS(1)
+  *e = (int32_t)b & 1;
+  ZIPDUMPBITS(1)
+
+  /* read in block type */
+  ZIPNEEDBITS(2)
+  t = (uint32_t)b & 3;
+  ZIPDUMPBITS(2)
+
+  /* restore the global bit buffer */
+  ZIP(bb) = b;
+  ZIP(bk) = k;
+
+  DEBUG(10,("inflate type %d\n", t));
+
+  /* inflate that block type */
+  if(t == 2)
+    return Zipinflate_dynamic(decomp_state);
+  if(t == 0)
+    return Zipinflate_stored(decomp_state);
+  if(t == 1)
+    return Zipinflate_fixed(decomp_state);
+  /* bad block type */
+  return 2;
+}
+
+_PUBLIC_ struct decomp_state *ZIPdecomp_state(TALLOC_CTX *mem_ctx)
+{
+	return talloc_zero(mem_ctx, struct decomp_state);
+}
+
+int ZIPdecompress(struct decomp_state *decomp_state, DATA_BLOB *inbuf, DATA_BLOB *outbuf)
+{
+	int32_t e = 0;/* last block flag */
+
+	ZIP(inpos) = CAB(inbuf);
+	ZIP(bb) = ZIP(bk) = ZIP(window_posn) = 0;
+
+	if (inbuf->length > sizeof(decomp_state->inbuf)) return DECR_INPUT;
+
+	if (outbuf->length > sizeof(decomp_state->outbuf)) return DECR_OUTPUT;
+
+	if (outbuf->length > ZIPWSIZE) return DECR_DATAFORMAT;
+
+	memcpy(decomp_state->inbuf, inbuf->data, inbuf->length);
+
+	/* CK = Chris Kirmse, official Microsoft purloiner */
+	if (ZIP(inpos)[0] != 'C' || ZIP(inpos)[1] != 'K') return DECR_ILLEGALDATA;
+	ZIP(inpos) += 2;
+
+	while (!e) {
+		if (Zipinflate_block(decomp_state, &e)) {
+			return DECR_ILLEGALDATA;
+		}
+	}
+
+	memcpy(outbuf->data, decomp_state->outbuf, outbuf->length);
+
+	return DECR_OK;
+}
diff --git a/source3/lib/compression/mszip.h b/source3/lib/compression/mszip.h
new file mode 100644
index 0000000000..bb835f2595
--- /dev/null
+++ b/source3/lib/compression/mszip.h
@@ -0,0 +1,33 @@
+/* mszip decompression - based on cabextract.c code from
+ * Stuart Caie
+ *
+ * adapted for Samba by Andrew Tridgell and Stefan Metzmacher 2005
+ *
+ * (C) 2000-2001 Stuart Caie <kyzer@4u.net>
+ * reaktivate-specifics by Malte Starostik <malte@kde.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+struct decomp_state;
+struct decomp_state *ZIPdecomp_state(TALLOC_CTX *mem_ctx);
+
+#define DECR_OK           (0)
+#define DECR_DATAFORMAT   (1)
+#define DECR_ILLEGALDATA  (2)
+#define DECR_NOMEMORY     (3)
+#define DECR_CHECKSUM     (4)
+#define DECR_INPUT        (5)
+#define DECR_OUTPUT       (6)
+int ZIPdecompress(struct decomp_state *decomp_state, DATA_BLOB *inbuf, DATA_BLOB *outbuf);
diff --git a/source3/lib/conn_tdb.c b/source3/lib/conn_tdb.c
new file mode 100644
index 0000000000..22d85c873d
--- /dev/null
+++ b/source3/lib/conn_tdb.c
@@ -0,0 +1,126 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Low-level connections.tdb access functions
+   Copyright (C) Volker Lendecke 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+static struct db_context *connections_db_ctx(bool rw)
+{
+	static struct db_context *db_ctx;
+
+	if (db_ctx != NULL) {
+		return db_ctx;
+	}
+
+	if (rw) {
+		db_ctx = db_open(NULL, lock_path("connections.tdb"), 0,
+				 TDB_CLEAR_IF_FIRST|TDB_DEFAULT, 
+				 O_RDWR | O_CREAT, 0644);
+	}
+	else {
+		db_ctx = db_open(NULL, lock_path("connections.tdb"), 0,
+				 TDB_CLEAR_IF_FIRST|TDB_DEFAULT, O_RDONLY, 0);
+	}
+
+	return db_ctx;
+}
+
+struct db_record *connections_fetch_record(TALLOC_CTX *mem_ctx,
+					   TDB_DATA key)
+{
+	struct db_context *ctx = connections_db_ctx(True);
+
+	if (ctx == NULL) {
+		return NULL;
+	}
+
+	return ctx->fetch_locked(ctx, mem_ctx, key);
+}
+
+struct db_record *connections_fetch_entry(TALLOC_CTX *mem_ctx,
+					  connection_struct *conn,
+					  const char *name)
+{
+	struct connections_key ckey;
+	TDB_DATA key;
+
+	ZERO_STRUCT(ckey);
+	ckey.pid = procid_self();
+	ckey.cnum = conn ? conn->cnum : -1;
+	strlcpy(ckey.name, name, sizeof(ckey.name));
+
+	key.dsize = sizeof(ckey);
+	key.dptr = (uint8 *)&ckey;
+
+	return connections_fetch_record(mem_ctx, key);
+}
+
+struct conn_traverse_state {
+	int (*fn)(struct db_record *rec,
+		  const struct connections_key *key,
+		  const struct connections_data *data,
+		  void *private_data);
+	void *private_data;
+};
+
+static int conn_traverse_fn(struct db_record *rec, void *private_data)
+{
+	struct conn_traverse_state *state =
+		(struct conn_traverse_state *)private_data;
+
+	if ((rec->key.dsize != sizeof(struct connections_key))
+	    || (rec->value.dsize != sizeof(struct connections_data))) {
+		return 0;
+	}
+
+	return state->fn(rec, (const struct connections_key *)rec->key.dptr,
+			 (const struct connections_data *)rec->value.dptr,
+			 state->private_data);
+}
+
+int connections_traverse(int (*fn)(struct db_record *rec,
+				   void *private_data),
+			 void *private_data)
+{
+	struct db_context *ctx = connections_db_ctx(False);
+
+	if (ctx == NULL) {
+		return -1;
+	}
+
+	return ctx->traverse(ctx, fn, private_data);
+}
+
+int connections_forall(int (*fn)(struct db_record *rec,
+				 const struct connections_key *key,
+				 const struct connections_data *data,
+				 void *private_data),
+		       void *private_data)
+{
+	struct conn_traverse_state state;
+
+	state.fn = fn;
+	state.private_data = private_data;
+
+	return connections_traverse(conn_traverse_fn, (void *)&state);
+}
+
+bool connections_init(bool rw)
+{
+	return (connections_db_ctx(rw) != NULL);
+}
diff --git a/source3/lib/crc32.c b/source3/lib/crc32.c
new file mode 100644
index 0000000000..a4ae90c469
--- /dev/null
+++ b/source3/lib/crc32.c
@@ -0,0 +1,103 @@
+/*-
+ *  COPYRIGHT (C) 1986 Gary S. Brown.  You may use this program, or
+ *  code or tables extracted from it, as desired without restriction.
+ *
+ *  First, the polynomial itself and its table of feedback terms.  The
+ *  polynomial is
+ *  X^32+X^26+X^23+X^22+X^16+X^12+X^11+X^10+X^8+X^7+X^5+X^4+X^2+X^1+X^0
+ *
+ *  Note that we take it "backwards" and put the highest-order term in
+ *  the lowest-order bit.  The X^32 term is "implied"; the LSB is the
+ *  X^31 term, etc.  The X^0 term (usually shown as "+1") results in
+ *  the MSB being 1
+ *
+ *  Note that the usual hardware shift register implementation, which
+ *  is what we're using (we're merely optimizing it by doing eight-bit
+ *  chunks at a time) shifts bits into the lowest-order term.  In our
+ *  implementation, that means shifting towards the right.  Why do we
+ *  do it this way?  Because the calculated CRC must be transmitted in
+ *  order from highest-order term to lowest-order term.  UARTs transmit
+ *  characters in order from LSB to MSB.  By storing the CRC this way
+ *  we hand it to the UART in the order low-byte to high-byte; the UART
+ *  sends each low-bit to hight-bit; and the result is transmission bit
+ *  by bit from highest- to lowest-order term without requiring any bit
+ *  shuffling on our part.  Reception works similarly
+ *
+ *  The feedback terms table consists of 256, 32-bit entries.  Notes
+ *
+ *      The table can be generated at runtime if desired; code to do so
+ *      is shown later.  It might not be obvious, but the feedback
+ *      terms simply represent the results of eight shift/xor opera
+ *      tions for all combinations of data and CRC register values
+ *
+ *      The values must be right-shifted by eight bits by the "updcrc
+ *      logic; the shift must be unsigned (bring in zeroes).  On some
+ *      hardware you could probably optimize the shift in assembler by
+ *      using byte-swap instructions
+ *      polynomial $edb88320
+ *
+ *
+ * CRC32 code derived from work by Gary S. Brown.
+ */
+
+#include "includes.h"
+
+static const uint32 crc32_tab[] = {
+	0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
+	0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
+	0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
+	0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
+	0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
+	0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
+	0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c,
+	0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
+	0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423,
+	0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
+	0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106,
+	0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
+	0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d,
+	0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
+	0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
+	0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
+	0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7,
+	0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
+	0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa,
+	0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
+	0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81,
+	0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
+	0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84,
+	0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
+	0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
+	0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
+	0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e,
+	0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
+	0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55,
+	0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
+	0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28,
+	0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
+	0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f,
+	0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
+	0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
+	0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
+	0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69,
+	0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
+	0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc,
+	0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
+	0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693,
+	0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
+	0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d
+};
+
+uint32 crc32_calc_buffer(const char *buf, size_t size)
+{
+	const unsigned char *p;
+	uint32 crc;
+
+	p = (const unsigned char *)buf;
+	crc = ~0U;
+
+	while (size--)
+		crc = crc32_tab[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
+
+	return crc ^ ~0U;
+}
diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
new file mode 100644
index 0000000000..1ae23bcf82
--- /dev/null
+++ b/source3/lib/ctdbd_conn.c
@@ -0,0 +1,1247 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba internal messaging functions
+   Copyright (C) 2007 by Volker Lendecke
+   Copyright (C) 2007 by Andrew Tridgell
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef CLUSTER_SUPPORT
+
+#include "librpc/gen_ndr/messaging.h"
+#include "librpc/gen_ndr/ndr_messaging.h"
+
+/* paths to these include files come from --with-ctdb= in configure */
+#include "ctdb.h"
+#include "ctdb_private.h"
+
+struct ctdbd_connection {
+	struct messaging_context *msg_ctx;
+	uint32 reqid;
+	uint32 our_vnn;
+	uint64 rand_srvid;
+	struct packet_context *pkt;
+	struct fd_event *fde;
+	
+	void (*release_ip_handler)(const char *ip_addr, void *private_data);
+	void *release_ip_priv;
+};
+
+static NTSTATUS ctdbd_control(struct ctdbd_connection *conn,
+			      uint32_t vnn, uint32 opcode, 
+			      uint64_t srvid, uint32_t flags, TDB_DATA data, 
+			      TALLOC_CTX *mem_ctx, TDB_DATA *outdata,
+			      int *cstatus);
+
+/*
+ * exit on fatal communications errors with the ctdbd daemon
+ */
+static void cluster_fatal(const char *why)
+{
+	DEBUG(0,("cluster fatal event: %s - exiting immediately\n", why));
+	/* we don't use smb_panic() as we don't want to delay to write
+	   a core file. We need to release this process id immediately
+	   so that someone else can take over without getting sharing
+	   violations */
+	_exit(0);
+}
+
+/*
+ *
+ */
+static void ctdb_packet_dump(struct ctdb_req_header *hdr)
+{
+	if (DEBUGLEVEL < 10) {
+		return;
+	}
+	DEBUGADD(10, ("len=%d, magic=%x, vers=%d, gen=%d, op=%d, reqid=%d\n",
+		      (int)hdr->length, (int)hdr->ctdb_magic,
+		      (int)hdr->ctdb_version, (int)hdr->generation,
+		      (int)hdr->operation, (int)hdr->reqid));
+}
+
+/*
+ * Register a srvid with ctdbd
+ */
+static NTSTATUS register_with_ctdbd(struct ctdbd_connection *conn,
+				    uint64_t srvid)
+{
+
+	int cstatus;
+	return ctdbd_control(conn, CTDB_CURRENT_NODE,
+			     CTDB_CONTROL_REGISTER_SRVID, srvid, 0,
+			     tdb_null, NULL, NULL, &cstatus);
+}
+
+/*
+ * get our vnn from the cluster
+ */
+static NTSTATUS get_cluster_vnn(struct ctdbd_connection *conn, uint32 *vnn)
+{
+	int32_t cstatus=-1;
+	NTSTATUS status;
+	status = ctdbd_control(conn,
+			       CTDB_CURRENT_NODE, CTDB_CONTROL_GET_PNN, 0, 0,
+			       tdb_null, NULL, NULL, &cstatus);
+	if (!NT_STATUS_IS_OK(status)) {
+		cluster_fatal("ctdbd_control failed\n");
+	}
+	*vnn = (uint32_t)cstatus;
+	return status;
+}
+
+uint32 ctdbd_vnn(const struct ctdbd_connection *conn)
+{
+	return conn->our_vnn;
+}
+
+/*
+ * Get us a ctdb connection
+ */
+
+static NTSTATUS ctdbd_connect(TALLOC_CTX *mem_ctx,
+			      struct packet_context **presult)
+{
+	struct packet_context *result;
+	const char *sockname = lp_ctdbd_socket();
+	struct sockaddr_un addr;
+	int fd;
+
+	if (!sockname || !*sockname) {
+		sockname = CTDB_PATH;
+	}
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1) {
+		DEBUG(3, ("Could not create socket: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	ZERO_STRUCT(addr);
+	addr.sun_family = AF_UNIX;
+	strncpy(addr.sun_path, sockname, sizeof(addr.sun_path));
+
+	if (sys_connect(fd, (struct sockaddr *)&addr) == -1) {
+		DEBUG(1, ("connect(%s) failed: %s\n", sockname,
+			  strerror(errno)));
+		close(fd);
+		return map_nt_error_from_unix(errno);
+	}
+
+	if (!(result = packet_init(mem_ctx, fd))) {
+		close(fd);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*presult = result;
+	return NT_STATUS_OK;
+}
+
+/*
+ * Do we have a complete ctdb packet in the queue?
+ */
+
+static bool ctdb_req_complete(const struct data_blob *data,
+			      size_t *length,
+			      void *private_data)
+{
+	uint32 msglen;
+
+	if (data->length < sizeof(msglen)) {
+		return False;
+	}
+
+	msglen = *((uint32 *)data->data);
+
+	DEBUG(10, ("msglen = %d\n", msglen));
+
+	if (msglen < sizeof(struct ctdb_req_header)) {
+		DEBUG(0, ("Got invalid msglen: %d, expected at least %d for "
+			  "the req_header\n", (int)msglen,
+			  (int)sizeof(struct ctdb_req_header)));
+		cluster_fatal("ctdbd protocol error\n");
+	}
+
+	if (data->length >= msglen) {
+		*length = msglen;
+		return True;
+	}
+
+	return False;
+}
+
+/*
+ * State necessary to defer an incoming message while we are waiting for a
+ * ctdb reply.
+ */
+
+struct deferred_msg_state {
+	struct messaging_context *msg_ctx;
+	struct messaging_rec *rec;
+};
+
+/*
+ * Timed event handler for the deferred message
+ */
+
+static void deferred_message_dispatch(struct event_context *event_ctx,
+				      struct timed_event *te,
+				      const struct timeval *now,
+				      void *private_data)
+{
+	struct deferred_msg_state *state = talloc_get_type_abort(
+		private_data, struct deferred_msg_state);
+
+	messaging_dispatch_rec(state->msg_ctx, state->rec);
+	TALLOC_FREE(state);
+	TALLOC_FREE(te);
+}
+
+struct req_pull_state {
+	TALLOC_CTX *mem_ctx;
+	DATA_BLOB req;
+};
+
+/*
+ * Pull a ctdb request out of the incoming packet queue
+ */
+
+static NTSTATUS ctdb_req_pull(const struct data_blob *data,
+			      void *private_data)
+{
+	struct req_pull_state *state = (struct req_pull_state *)private_data;
+
+	state->req = data_blob_talloc(state->mem_ctx, data->data,
+				      data->length);
+	if (state->req.data == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
+/*
+ * Fetch a messaging_rec from an incoming ctdb style message
+ */
+
+static struct messaging_rec *ctdb_pull_messaging_rec(TALLOC_CTX *mem_ctx,
+						     size_t overall_length,
+						     struct ctdb_req_message *msg)
+{
+	struct messaging_rec *result;
+	DATA_BLOB blob;
+	enum ndr_err_code ndr_err;
+
+	if ((overall_length < offsetof(struct ctdb_req_message, data))
+	    || (overall_length
+		< offsetof(struct ctdb_req_message, data) + msg->datalen)) {
+
+		cluster_fatal("got invalid msg length");
+	}
+
+	if (!(result = TALLOC_P(mem_ctx, struct messaging_rec))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	blob = data_blob_const(msg->data, msg->datalen);
+
+	ndr_err = ndr_pull_struct_blob(
+		&blob, result, result,
+		(ndr_pull_flags_fn_t)ndr_pull_messaging_rec);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("ndr_pull_struct_blob failed: %s\n",
+			  ndr_errstr(ndr_err)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (DEBUGLEVEL >= 10) {
+		DEBUG(10, ("ctdb_pull_messaging_rec:\n"));
+		NDR_PRINT_DEBUG(messaging_rec, result);
+	}
+
+	return result;
+}
+
+/*
+ * Read a full ctdbd request. If we have a messaging context, defer incoming
+ * messages that might come in between.
+ */
+
+static NTSTATUS ctdb_read_req(struct ctdbd_connection *conn, uint32 reqid,
+			      TALLOC_CTX *mem_ctx, void *result)
+{
+	struct ctdb_req_header *hdr;
+	struct req_pull_state state;
+	NTSTATUS status;
+
+ again:
+
+	status = packet_fd_read_sync(conn->pkt);
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_BUSY)) {
+		/* EAGAIN */
+		goto again;
+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
+		/* EAGAIN */
+		goto again;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("packet_fd_read failed: %s\n", nt_errstr(status)));
+		cluster_fatal("ctdbd died\n");
+	}
+
+ next_pkt:
+
+	ZERO_STRUCT(state);
+	state.mem_ctx = mem_ctx;
+
+	if (!packet_handler(conn->pkt, ctdb_req_complete, ctdb_req_pull,
+			    &state, &status)) {
+		/*
+		 * Not enough data
+		 */
+		DEBUG(10, ("not enough data from ctdb socket, retrying\n"));
+		goto again;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("Could not read packet: %s\n", nt_errstr(status)));
+		cluster_fatal("ctdbd died\n");
+	}
+
+	hdr = (struct ctdb_req_header *)state.req.data;
+
+	DEBUG(10, ("Received ctdb packet\n"));
+	ctdb_packet_dump(hdr);
+
+	if (hdr->operation == CTDB_REQ_MESSAGE) {
+		struct timed_event *evt;
+		struct deferred_msg_state *msg_state;
+		struct ctdb_req_message *msg = (struct ctdb_req_message *)hdr;
+
+		if (conn->msg_ctx == NULL) {
+			DEBUG(1, ("Got a message without having a msg ctx, "
+				  "dropping msg %llu\n",
+				  (long long unsigned)msg->srvid));
+			goto next_pkt;
+		}
+		
+		if ((conn->release_ip_handler != NULL)
+		    && (msg->srvid == CTDB_SRVID_RELEASE_IP)) {
+			/* must be dispatched immediately */
+			DEBUG(10, ("received CTDB_SRVID_RELEASE_IP\n"));
+			conn->release_ip_handler((const char *)msg->data,
+						 conn->release_ip_priv);
+			TALLOC_FREE(hdr);
+			goto next_pkt;
+		}
+
+		if (msg->srvid == CTDB_SRVID_RECONFIGURE) {
+			DEBUG(0,("Got cluster reconfigure message in ctdb_read_req\n"));
+			messaging_send(conn->msg_ctx, procid_self(),
+				       MSG_SMB_BRL_VALIDATE, &data_blob_null);
+			TALLOC_FREE(hdr);
+			goto next_pkt;
+		}
+
+		if (!(msg_state = TALLOC_P(NULL, struct deferred_msg_state))) {
+			DEBUG(0, ("talloc failed\n"));
+			TALLOC_FREE(hdr);
+			goto next_pkt;
+		}
+
+		if (!(msg_state->rec = ctdb_pull_messaging_rec(
+			      msg_state, state.req.length, msg))) {
+			DEBUG(0, ("ctdbd_pull_messaging_rec failed\n"));
+			TALLOC_FREE(msg_state);
+			TALLOC_FREE(hdr);
+			goto next_pkt;
+		}
+
+		TALLOC_FREE(hdr);
+
+		msg_state->msg_ctx = conn->msg_ctx;
+		
+		/*
+		 * We're waiting for a call reply, but an async message has
+		 * crossed. Defer dispatching to the toplevel event loop.
+		 */
+		evt = event_add_timed(conn->msg_ctx->event_ctx,
+				      conn->msg_ctx->event_ctx,
+				      timeval_zero(),
+				      "deferred_message_dispatch",
+				      deferred_message_dispatch,
+				      msg_state);
+		if (evt == NULL) {
+			DEBUG(0, ("event_add_timed failed\n"));
+			TALLOC_FREE(msg_state);
+			TALLOC_FREE(hdr);
+			goto next_pkt;
+		}
+		
+		goto next_pkt;
+	}
+
+	if (hdr->reqid != reqid) {
+		/* we got the wrong reply */
+		DEBUG(0,("Discarding mismatched ctdb reqid %u should have "
+			 "been %u\n", hdr->reqid, reqid));
+		TALLOC_FREE(hdr);
+		goto again;
+	}
+
+	*((void **)result) = talloc_move(mem_ctx, &hdr);
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Get us a ctdbd connection
+ */
+
+NTSTATUS ctdbd_init_connection(TALLOC_CTX *mem_ctx,
+			       struct ctdbd_connection **pconn)
+{
+	struct ctdbd_connection *conn;
+	NTSTATUS status;
+
+	if (!(conn = TALLOC_ZERO_P(mem_ctx, struct ctdbd_connection))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = ctdbd_connect(conn, &conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("ctdbd_connect failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	status = get_cluster_vnn(conn, &conn->our_vnn);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("get_cluster_vnn failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	generate_random_buffer((unsigned char *)&conn->rand_srvid,
+			       sizeof(conn->rand_srvid));
+
+	status = register_with_ctdbd(conn, conn->rand_srvid);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("Could not register random srvid: %s\n",
+			  nt_errstr(status)));
+		goto fail;
+	}
+
+	*pconn = conn;
+	return NT_STATUS_OK;
+
+ fail:
+	TALLOC_FREE(conn);
+	return status;
+}
+
+/*
+ * Get us a ctdbd connection and register us as a process
+ */
+
+NTSTATUS ctdbd_messaging_connection(TALLOC_CTX *mem_ctx,
+				    struct ctdbd_connection **pconn)
+{
+        struct ctdbd_connection *conn;
+	NTSTATUS status;
+
+	status = ctdbd_init_connection(mem_ctx, &conn);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	status = register_with_ctdbd(conn, (uint64_t)sys_getpid());
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
+
+	status = register_with_ctdbd(conn, MSG_SRVID_SAMBA);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
+
+	*pconn = conn;
+	return NT_STATUS_OK;
+
+ fail:
+	TALLOC_FREE(conn);
+	return status;
+}
+
+/*
+ * Packet handler to receive and handle a ctdb message
+ */
+static NTSTATUS ctdb_handle_message(const struct data_blob *data,
+				    void *private_data)
+{
+	struct ctdbd_connection *conn = talloc_get_type_abort(
+		private_data, struct ctdbd_connection);
+	struct ctdb_req_message *msg;
+	struct messaging_rec *msg_rec;
+
+	msg = (struct ctdb_req_message *)data->data;
+
+	if (msg->hdr.operation != CTDB_REQ_MESSAGE) {
+		DEBUG(0, ("Received async msg of type %u, discarding\n",
+			  msg->hdr.operation));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if ((conn->release_ip_handler != NULL)
+	    && (msg->srvid == CTDB_SRVID_RELEASE_IP)) {
+		/* must be dispatched immediately */
+		DEBUG(10, ("received CTDB_SRVID_RELEASE_IP\n"));
+		conn->release_ip_handler((const char *)msg->data,
+					 conn->release_ip_priv);
+		return NT_STATUS_OK;
+	}
+
+	SMB_ASSERT(conn->msg_ctx != NULL);
+
+	if (msg->srvid == CTDB_SRVID_RECONFIGURE) {
+		DEBUG(0,("Got cluster reconfigure message\n"));
+		/*
+		 * when the cluster is reconfigured, we need to clean the brl
+		 * database
+		 */
+		messaging_send(conn->msg_ctx, procid_self(),
+			       MSG_SMB_BRL_VALIDATE, &data_blob_null);
+
+		/*
+		 * it's possible that we have just rejoined the cluster after
+		 * an outage. In that case our pending locks could have been
+		 * removed from the lockdb, so retry them once more
+		 */
+		message_send_all(conn->msg_ctx, MSG_SMB_UNLOCK, NULL, 0, NULL);
+
+		return NT_STATUS_OK;
+		
+	}
+
+	/* only messages to our pid or the broadcast are valid here */
+	if (msg->srvid != sys_getpid() && msg->srvid != MSG_SRVID_SAMBA) {
+		DEBUG(0,("Got unexpected message with srvid=%llu\n", 
+			 (unsigned long long)msg->srvid));
+		return NT_STATUS_OK;
+	}
+
+	if (!(msg_rec = ctdb_pull_messaging_rec(NULL, data->length, msg))) {
+		DEBUG(10, ("ctdb_pull_messaging_rec failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	messaging_dispatch_rec(conn->msg_ctx, msg_rec);
+
+	TALLOC_FREE(msg_rec);
+	return NT_STATUS_OK;
+}
+
+/*
+ * The ctdbd socket is readable asynchronuously
+ */
+
+static void ctdbd_socket_handler(struct event_context *event_ctx,
+				 struct fd_event *event,
+				 uint16 flags,
+				 void *private_data)
+{
+	struct ctdbd_connection *conn = talloc_get_type_abort(
+		private_data, struct ctdbd_connection);
+
+	NTSTATUS status;
+
+	status = packet_fd_read(conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("packet_fd_read failed: %s\n", nt_errstr(status)));
+		cluster_fatal("ctdbd died\n");
+	}
+
+	while (packet_handler(conn->pkt, ctdb_req_complete,
+			      ctdb_handle_message, conn, &status)) {
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(10, ("could not handle incoming message: %s\n",
+				   nt_errstr(status)));
+		}
+	}
+}
+
+/*
+ * Prepare a ctdbd connection to receive messages
+ */
+
+NTSTATUS ctdbd_register_msg_ctx(struct ctdbd_connection *conn,
+				struct messaging_context *msg_ctx)
+{
+	SMB_ASSERT(conn->msg_ctx == NULL);
+	SMB_ASSERT(conn->fde == NULL);
+
+	if (!(conn->fde = event_add_fd(msg_ctx->event_ctx, conn,
+				       packet_get_fd(conn->pkt),
+				       EVENT_FD_READ,
+				       ctdbd_socket_handler,
+				       conn))) {
+		DEBUG(0, ("event_add_fd failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	conn->msg_ctx = msg_ctx;
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Send a messaging message across a ctdbd
+ */
+
+NTSTATUS ctdbd_messaging_send(struct ctdbd_connection *conn,
+			      uint32 dst_vnn, uint64 dst_srvid,
+			      struct messaging_rec *msg)
+{
+	struct ctdb_req_message r;
+	TALLOC_CTX *mem_ctx;
+	DATA_BLOB blob;
+	NTSTATUS status;
+	enum ndr_err_code ndr_err;
+
+	if (!(mem_ctx = talloc_init("ctdbd_messaging_send"))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ndr_err = ndr_push_struct_blob(
+		&blob, mem_ctx, msg,
+		(ndr_push_flags_fn_t)ndr_push_messaging_rec);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("ndr_push_struct_blob failed: %s\n",
+			  ndr_errstr(ndr_err)));
+		status = ndr_map_error2ntstatus(ndr_err);
+		goto fail;
+	}
+
+	r.hdr.length = offsetof(struct ctdb_req_message, data) + blob.length;
+	r.hdr.ctdb_magic = CTDB_MAGIC;
+	r.hdr.ctdb_version = CTDB_VERSION;
+	r.hdr.generation = 1;
+	r.hdr.operation  = CTDB_REQ_MESSAGE;
+	r.hdr.destnode   = dst_vnn;
+	r.hdr.srcnode    = conn->our_vnn;
+	r.hdr.reqid      = 0;
+	r.srvid          = dst_srvid;
+	r.datalen        = blob.length;
+
+	DEBUG(10, ("ctdbd_messaging_send: Sending ctdb packet\n"));
+	ctdb_packet_dump(&r.hdr);
+
+	status = packet_send(
+		conn->pkt, 2,
+		data_blob_const(&r, offsetof(struct ctdb_req_message, data)),
+		blob);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("packet_send failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	status = packet_flush(conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("write to ctdbd failed: %s\n", nt_errstr(status)));
+		cluster_fatal("cluster dispatch daemon msg write error\n");
+	}
+
+	status = NT_STATUS_OK;
+ fail:
+	TALLOC_FREE(mem_ctx);
+	return status;
+}
+
+/*
+ * send/recv a generic ctdb control message
+ */
+static NTSTATUS ctdbd_control(struct ctdbd_connection *conn,
+			      uint32_t vnn, uint32 opcode, 
+			      uint64_t srvid, uint32_t flags, 
+			      TDB_DATA data, 
+			      TALLOC_CTX *mem_ctx, TDB_DATA *outdata,
+			      int *cstatus)
+{
+	struct ctdb_req_control req;
+	struct ctdb_reply_control *reply = NULL;
+	struct ctdbd_connection *new_conn = NULL;
+	NTSTATUS status;
+
+	/* the samba3 ctdb code can't handle NOREPLY yet */
+	flags &= ~CTDB_CTRL_FLAG_NOREPLY;
+
+	if (conn == NULL) {
+		status = ctdbd_init_connection(NULL, &new_conn);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(10, ("Could not init temp connection: %s\n",
+				   nt_errstr(status)));
+			goto fail;
+		}
+
+		conn = new_conn;
+	}
+
+	ZERO_STRUCT(req);
+	req.hdr.length = offsetof(struct ctdb_req_control, data) + data.dsize;
+	req.hdr.ctdb_magic   = CTDB_MAGIC;
+	req.hdr.ctdb_version = CTDB_VERSION;
+	req.hdr.operation    = CTDB_REQ_CONTROL;
+	req.hdr.reqid        = ++conn->reqid;
+	req.hdr.destnode     = vnn;
+	req.opcode           = opcode;
+	req.srvid            = srvid;
+	req.datalen          = data.dsize;
+
+	DEBUG(10, ("ctdbd_control: Sending ctdb packet\n"));
+	ctdb_packet_dump(&req.hdr);
+
+	status = packet_send(
+		conn->pkt, 2,
+		data_blob_const(&req, offsetof(struct ctdb_req_control, data)),
+		data_blob_const(data.dptr, data.dsize));
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("packet_send failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	status = packet_flush(conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("write to ctdbd failed: %s\n", nt_errstr(status)));
+		cluster_fatal("cluster dispatch daemon control write error\n");
+	}
+
+	if (flags & CTDB_CTRL_FLAG_NOREPLY) {
+		TALLOC_FREE(new_conn);
+		return NT_STATUS_OK;
+	}
+
+	status = ctdb_read_req(conn, req.hdr.reqid, NULL, (void *)&reply);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("ctdb_read_req failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	if (reply->hdr.operation != CTDB_REPLY_CONTROL) {
+		DEBUG(0, ("received invalid reply\n"));
+		goto fail;
+	}
+
+	if (outdata) {
+		if (!(outdata->dptr = (uint8 *)talloc_memdup(
+			      mem_ctx, reply->data, reply->datalen))) {
+			TALLOC_FREE(reply);
+			return NT_STATUS_NO_MEMORY;
+		}
+		outdata->dsize = reply->datalen;
+	}
+	if (cstatus) {
+		(*cstatus) = reply->status;
+	}
+
+	status = NT_STATUS_OK;
+
+ fail:
+	TALLOC_FREE(new_conn);
+	TALLOC_FREE(reply);
+	return status;
+}
+
+/*
+ * see if a remote process exists
+ */
+bool ctdbd_process_exists(struct ctdbd_connection *conn, uint32 vnn, pid_t pid)
+{
+	NTSTATUS status;
+	TDB_DATA data;
+	int32_t cstatus;
+
+	data.dptr = (uint8_t*)&pid;
+	data.dsize = sizeof(pid);
+
+	status = ctdbd_control(conn, vnn, CTDB_CONTROL_PROCESS_EXISTS, 0, 0,
+			       data, NULL, NULL, &cstatus);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, (__location__ " ctdb_control for process_exists "
+			  "failed\n"));
+		return False;
+	}
+
+	return cstatus == 0;
+}
+
+/*
+ * Get a db path
+ */
+char *ctdbd_dbpath(struct ctdbd_connection *conn,
+		   TALLOC_CTX *mem_ctx, uint32_t db_id)
+{
+	NTSTATUS status;
+	TDB_DATA data;
+	int32_t cstatus;
+
+	data.dptr = (uint8_t*)&db_id;
+	data.dsize = sizeof(db_id);
+
+	status = ctdbd_control(conn, CTDB_CURRENT_NODE,
+			       CTDB_CONTROL_GETDBPATH, 0, 0, data, 
+			       mem_ctx, &data, &cstatus);
+	if (!NT_STATUS_IS_OK(status) || cstatus != 0) {
+		DEBUG(0,(__location__ " ctdb_control for getdbpath failed\n"));
+		return NULL;
+	}
+
+	return (char *)data.dptr;
+}
+
+/*
+ * attach to a ctdb database
+ */
+NTSTATUS ctdbd_db_attach(struct ctdbd_connection *conn,
+			 const char *name, uint32_t *db_id, int tdb_flags)
+{
+	NTSTATUS status;
+	TDB_DATA data;
+	int32_t cstatus;
+	bool persistent = (tdb_flags & TDB_CLEAR_IF_FIRST) == 0;
+
+	data.dptr = (uint8_t*)name;
+	data.dsize = strlen(name)+1;
+
+	status = ctdbd_control(conn, CTDB_CURRENT_NODE,
+			       persistent
+			       ? CTDB_CONTROL_DB_ATTACH_PERSISTENT
+			       : CTDB_CONTROL_DB_ATTACH,
+			       0, 0, data, NULL, &data, &cstatus);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, (__location__ " ctdb_control for db_attach "
+			  "failed: %s\n", nt_errstr(status)));
+		return status;
+	}
+
+	if (cstatus != 0 || data.dsize != sizeof(uint32_t)) {
+		DEBUG(0,(__location__ " ctdb_control for db_attach failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	*db_id = *(uint32_t *)data.dptr;
+	talloc_free(data.dptr);
+
+	if (!(tdb_flags & TDB_SEQNUM)) {
+		return NT_STATUS_OK;
+	}
+
+	data.dptr = (uint8_t *)db_id;
+	data.dsize = sizeof(*db_id);
+
+	status = ctdbd_control(conn, CTDB_CURRENT_NODE,
+			       CTDB_CONTROL_ENABLE_SEQNUM, 0, 0, data, 
+			       NULL, NULL, &cstatus);
+	if (!NT_STATUS_IS_OK(status) || cstatus != 0) {
+		DEBUG(0,(__location__ " ctdb_control for enable seqnum "
+			 "failed\n"));
+		return NT_STATUS_IS_OK(status) ? NT_STATUS_INTERNAL_ERROR :
+			status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * force the migration of a record to this node
+ */
+NTSTATUS ctdbd_migrate(struct ctdbd_connection *conn, uint32 db_id,
+		       TDB_DATA key)
+{
+	struct ctdb_req_call req;
+	struct ctdb_reply_call *reply;
+	NTSTATUS status;
+
+	ZERO_STRUCT(req);
+	
+	req.hdr.length = offsetof(struct ctdb_req_call, data) + key.dsize;
+	req.hdr.ctdb_magic   = CTDB_MAGIC;
+	req.hdr.ctdb_version = CTDB_VERSION;
+	req.hdr.operation    = CTDB_REQ_CALL;
+	req.hdr.reqid        = ++conn->reqid;
+	req.flags            = CTDB_IMMEDIATE_MIGRATION;
+	req.callid           = CTDB_NULL_FUNC;
+	req.db_id            = db_id;
+	req.keylen           = key.dsize;
+
+	DEBUG(10, ("ctdbd_migrate: Sending ctdb packet\n"));
+	ctdb_packet_dump(&req.hdr);
+
+	status = packet_send(
+		conn->pkt, 2,
+		data_blob_const(&req, offsetof(struct ctdb_req_call, data)),
+		data_blob_const(key.dptr, key.dsize));
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("packet_send failed: %s\n", nt_errstr(status)));
+		return status;
+	}
+
+	status = packet_flush(conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("write to ctdbd failed: %s\n", nt_errstr(status)));
+		cluster_fatal("cluster dispatch daemon control write error\n");
+	}
+
+	status = ctdb_read_req(conn, req.hdr.reqid, NULL, (void *)&reply);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("ctdb_read_req failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	if (reply->hdr.operation != CTDB_REPLY_CALL) {
+		DEBUG(0, ("received invalid reply\n"));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto fail;
+	}
+
+	status = NT_STATUS_OK;
+ fail:
+
+	TALLOC_FREE(reply);
+	return status;
+}
+
+/*
+ * remotely fetch a record without locking it or forcing a migration
+ */
+NTSTATUS ctdbd_fetch(struct ctdbd_connection *conn, uint32 db_id,
+		     TDB_DATA key, TALLOC_CTX *mem_ctx, TDB_DATA *data)
+{
+	struct ctdb_req_call req;
+	struct ctdb_reply_call *reply;
+	NTSTATUS status;
+
+	ZERO_STRUCT(req);
+	
+	req.hdr.length = offsetof(struct ctdb_req_call, data) + key.dsize;
+	req.hdr.ctdb_magic   = CTDB_MAGIC;
+	req.hdr.ctdb_version = CTDB_VERSION;
+	req.hdr.operation    = CTDB_REQ_CALL;
+	req.hdr.reqid        = ++conn->reqid;
+	req.flags            = 0;
+	req.callid           = CTDB_FETCH_FUNC;
+	req.db_id            = db_id;
+	req.keylen           = key.dsize;
+
+	status = packet_send(
+		conn->pkt, 2,
+		data_blob_const(&req, offsetof(struct ctdb_req_call, data)),
+		data_blob_const(key.dptr, key.dsize));
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("packet_send failed: %s\n", nt_errstr(status)));
+		return status;
+	}
+
+	status = packet_flush(conn->pkt);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("write to ctdbd failed: %s\n", nt_errstr(status)));
+		cluster_fatal("cluster dispatch daemon control write error\n");
+	}
+
+	status = ctdb_read_req(conn, req.hdr.reqid, NULL, (void *)&reply);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("ctdb_read_req failed: %s\n", nt_errstr(status)));
+		goto fail;
+	}
+
+	if (reply->hdr.operation != CTDB_REPLY_CALL) {
+		DEBUG(0, ("received invalid reply\n"));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto fail;
+	}
+
+	data->dsize = reply->datalen;
+	if (data->dsize == 0) {
+		data->dptr = NULL;
+		goto done;
+	}
+
+	data->dptr = (uint8 *)talloc_memdup(mem_ctx, &reply->data[0],
+					    reply->datalen);
+	if (data->dptr == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		status = NT_STATUS_NO_MEMORY;
+		goto fail;
+	}
+
+ done:
+	status = NT_STATUS_OK;
+ fail:
+	TALLOC_FREE(reply);
+	return status;
+}
+
+struct ctdbd_traverse_state {
+	void (*fn)(TDB_DATA key, TDB_DATA data, void *private_data);
+	void *private_data;
+};
+
+/*
+ * Handle a traverse record coming in on the ctdbd connection
+ */
+
+static NTSTATUS ctdb_traverse_handler(const struct data_blob *blob,
+				      void *private_data)
+{
+	struct ctdbd_traverse_state *state =
+		(struct ctdbd_traverse_state *)private_data;
+
+	struct ctdb_req_message *m;
+	struct ctdb_rec_data *d;
+	TDB_DATA key, data;
+
+	m = (struct ctdb_req_message *)blob->data;
+
+	if (blob->length < sizeof(*m) || m->hdr.length != blob->length) {
+		DEBUG(0, ("Got invalid message of length %d\n",
+			  (int)blob->length));
+		return NT_STATUS_UNEXPECTED_IO_ERROR;
+	}
+
+	d = (struct ctdb_rec_data *)&m->data[0];
+	if (m->datalen < sizeof(uint32_t) || m->datalen != d->length) {
+		DEBUG(0, ("Got invalid traverse data of length %d\n",
+			  (int)m->datalen));
+		return NT_STATUS_UNEXPECTED_IO_ERROR;
+	}
+
+	key.dsize = d->keylen;
+	key.dptr  = &d->data[0];
+	data.dsize = d->datalen;
+	data.dptr = &d->data[d->keylen];		
+
+	if (key.dsize == 0 && data.dsize == 0) {
+		/* end of traverse */
+		return NT_STATUS_END_OF_FILE;
+	}
+
+	if (data.dsize < sizeof(struct ctdb_ltdb_header)) {
+		DEBUG(0, ("Got invalid ltdb header length %d\n",
+			  (int)data.dsize));
+		return NT_STATUS_UNEXPECTED_IO_ERROR;
+	}
+	data.dsize -= sizeof(struct ctdb_ltdb_header);
+	data.dptr += sizeof(struct ctdb_ltdb_header);
+
+	if (state->fn) {
+		state->fn(key, data, state->private_data);
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+  Traverse a ctdb database. This uses a kind-of hackish way to open a second
+  connection to ctdbd to avoid the hairy recursive and async problems with
+  everything in-line.
+*/
+
+NTSTATUS ctdbd_traverse(uint32 db_id,
+			void (*fn)(TDB_DATA key, TDB_DATA data,
+				   void *private_data),
+			void *private_data)
+{
+	struct ctdbd_connection *conn;
+	NTSTATUS status;
+
+	TDB_DATA data;
+	struct ctdb_traverse_start t;
+	int cstatus;
+	struct ctdbd_traverse_state state;
+
+	status = ctdbd_init_connection(NULL, &conn);
+
+	t.db_id = db_id;
+	t.srvid = conn->rand_srvid;
+	t.reqid = ++conn->reqid;
+
+	data.dptr = (uint8_t *)&t;
+	data.dsize = sizeof(t);
+
+	status = ctdbd_control(conn, CTDB_CURRENT_NODE,
+			       CTDB_CONTROL_TRAVERSE_START, conn->rand_srvid, 0,
+			       data, NULL, NULL, &cstatus);
+
+	if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
+
+		DEBUG(0,("ctdbd_control failed: %s, %d\n", nt_errstr(status),
+			 cstatus));
+
+		if (NT_STATUS_IS_OK(status)) {
+			/*
+			 * We need a mapping here
+			 */
+			status = NT_STATUS_UNSUCCESSFUL;
+		}
+		goto done;
+	}
+
+	state.fn = fn;
+	state.private_data = private_data;
+
+	while (True) {
+
+		status = NT_STATUS_OK;
+
+		if (packet_handler(conn->pkt, ctdb_req_complete,
+				   ctdb_traverse_handler, &state, &status)) {
+
+			if (NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)) {
+				status = NT_STATUS_OK;
+				break;
+			}
+
+			/*
+			 * There might be more in the queue
+			 */
+			continue;
+		}
+
+		if (!NT_STATUS_IS_OK(status)) {
+			break;
+		}
+
+		status = packet_fd_read_sync(conn->pkt);
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
+			/*
+			 * There might be more in the queue
+			 */
+			continue;
+		}
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)) {
+			status = NT_STATUS_OK;
+		}
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(0, ("packet_fd_read_sync failed: %s\n", nt_errstr(status)));
+			cluster_fatal("ctdbd died\n");
+		}
+	}
+
+ done:
+	TALLOC_FREE(conn);
+	return status;
+}
+
+/*
+ * Register us as a server for a particular tcp connection
+ */
+
+NTSTATUS ctdbd_register_ips(struct ctdbd_connection *conn,
+			    const struct sockaddr_in *server,
+			    const struct sockaddr_in *client,
+			    void (*release_ip_handler)(const char *ip_addr,
+						       void *private_data),
+			    void *private_data)
+{
+	struct ctdb_control_tcp p;
+	TDB_DATA data;
+	NTSTATUS status;
+
+	/*
+	 * Only one connection so far
+	 */
+	SMB_ASSERT(conn->release_ip_handler == NULL);
+
+	conn->release_ip_handler = release_ip_handler;
+
+	/*
+	 * We want to be told about IP releases
+	 */
+
+	status = register_with_ctdbd(conn, CTDB_SRVID_RELEASE_IP);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	p.dest = *server;
+	p.src = *client;
+
+	/*
+	 * inform ctdb of our tcp connection, so if IP takeover happens ctdb
+	 * can send an extra ack to trigger a reset for our client, so it
+	 * immediately reconnects
+	 */
+	data.dptr = (uint8_t *)&p;
+	data.dsize = sizeof(p);
+
+	return ctdbd_control(conn, CTDB_CURRENT_NODE, 
+			     CTDB_CONTROL_TCP_CLIENT, 0,
+			     CTDB_CTRL_FLAG_NOREPLY, data, NULL, NULL, NULL);
+}
+
+/*
+ * We want to handle reconfigure events
+ */
+NTSTATUS ctdbd_register_reconfigure(struct ctdbd_connection *conn)
+{
+	return register_with_ctdbd(conn, CTDB_SRVID_RECONFIGURE);
+}
+
+/*
+  call a control on the local node
+ */
+NTSTATUS ctdbd_control_local(struct ctdbd_connection *conn, uint32 opcode, 
+			     uint64_t srvid, uint32_t flags, TDB_DATA data, 
+			     TALLOC_CTX *mem_ctx, TDB_DATA *outdata,
+			     int *cstatus)
+{
+	return ctdbd_control(conn, CTDB_CURRENT_NODE, opcode, srvid, flags, data, mem_ctx, outdata, cstatus);
+}
+
+#else
+
+NTSTATUS ctdbd_init_connection(TALLOC_CTX *mem_ctx,
+			       struct ctdbd_connection **pconn)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+#endif
diff --git a/source3/lib/data_blob.c b/source3/lib/data_blob.c
new file mode 100644
index 0000000000..66c5daf363
--- /dev/null
+++ b/source3/lib/data_blob.c
@@ -0,0 +1,180 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Easy management of byte-length data
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Andrew Bartlett 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+const DATA_BLOB data_blob_null = { NULL, 0, NULL };
+
+/*******************************************************************
+ Free() a data blob.
+*******************************************************************/
+
+static void free_data_blob(DATA_BLOB *d)
+{
+	if ((d) && (d->free)) {
+		SAFE_FREE(d->data);
+	}
+}
+
+/*******************************************************************
+ Construct a data blob, must be freed with data_blob_free().
+ You can pass NULL for p and get a blank data blob
+*******************************************************************/
+
+DATA_BLOB data_blob(const void *p, size_t length)
+{
+	DATA_BLOB ret;
+
+	if (!length) {
+		ZERO_STRUCT(ret);
+		return ret;
+	}
+
+	if (p) {
+		ret.data = (uint8 *)smb_xmemdup(p, length);
+	} else {
+		ret.data = SMB_XMALLOC_ARRAY(uint8, length);
+	}
+	ret.length = length;
+	ret.free = free_data_blob;
+	return ret;
+}
+
+/*******************************************************************
+ Construct a data blob, using supplied TALLOC_CTX.
+*******************************************************************/
+
+DATA_BLOB data_blob_talloc(TALLOC_CTX *mem_ctx, const void *p, size_t length)
+{
+	DATA_BLOB ret;
+
+	if (!length) {
+		ZERO_STRUCT(ret);
+		return ret;
+	}
+
+	if (p) {
+		ret.data = (uint8 *)TALLOC_MEMDUP(mem_ctx, p, length);
+		if (ret.data == NULL)
+			smb_panic("data_blob_talloc: TALLOC_MEMDUP failed");
+	} else {
+		ret.data = (uint8 *)TALLOC(mem_ctx, length);
+		if (ret.data == NULL)
+			smb_panic("data_blob_talloc: TALLOC failed");
+	}
+
+	ret.length = length;
+	ret.free = NULL;
+	return ret;
+}
+
+/*******************************************************************
+ Free a data blob.
+*******************************************************************/
+
+void data_blob_free(DATA_BLOB *d)
+{
+	if (d) {
+		if (d->free) {
+			(d->free)(d);
+		}
+		d->length = 0;
+	}
+}
+
+/*******************************************************************
+ Clear a DATA_BLOB's contents
+*******************************************************************/
+
+void data_blob_clear(DATA_BLOB *d)
+{
+	if (d->data) {
+		memset(d->data, 0, d->length);
+	}
+}
+
+/*******************************************************************
+ Free a data blob and clear its contents
+*******************************************************************/
+
+void data_blob_clear_free(DATA_BLOB *d)
+{
+	data_blob_clear(d);
+	data_blob_free(d);
+}
+
+/**
+  useful for constructing data blobs in test suites, while
+  avoiding const warnings
+**/
+DATA_BLOB data_blob_string_const(const char *str)
+{
+	DATA_BLOB blob;
+	blob.data = CONST_DISCARD(uint8 *, str);
+	blob.length = strlen(str) + 1;
+	blob.free = NULL;
+	return blob;
+}
+
+/**
+ * Create a new data blob from const data 
+ */
+DATA_BLOB data_blob_const(const void *p, size_t length)
+{
+	DATA_BLOB blob;
+	blob.data = CONST_DISCARD(uint8 *, p);
+	blob.length = length;
+	blob.free = NULL;
+	return blob;
+}
+
+/**
+ construct a zero data blob, using supplied TALLOC_CTX.
+ use this sparingly as it initialises data - better to initialise
+ yourself if you want specific data in the blob
+**/
+DATA_BLOB data_blob_talloc_zero(TALLOC_CTX *mem_ctx, size_t length)
+{
+	DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, length);
+	data_blob_clear(&blob);
+	return blob;
+}
+
+/**
+print the data_blob as hex string
+**/
+_PUBLIC_ char *data_blob_hex_string(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob)
+{
+	int i;
+	char *hex_string;
+
+	hex_string = talloc_array(mem_ctx, char, (blob->length*2)+1);
+	if (!hex_string) {
+		return NULL;
+	}
+
+	for (i = 0; i < blob->length; i++)
+		slprintf(&hex_string[i*2], 3, "%02X", blob->data[i]);
+
+	hex_string[(blob->length*2)] = '\0';
+	return hex_string;
+}
+
+
diff --git a/source3/lib/dbwrap.c b/source3/lib/dbwrap.c
new file mode 100644
index 0000000000..73c2761a1b
--- /dev/null
+++ b/source3/lib/dbwrap.c
@@ -0,0 +1,148 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Database interface wrapper
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2006
+
+   Major code contributions from Aleksey Fedoseev (fedoseev@ru.ibm.com)
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#ifdef CLUSTER_SUPPORT
+#include "ctdb_private.h"
+#endif
+/*
+ * Fall back using fetch_locked if no genuine fetch operation is provided
+ */
+
+static int dbwrap_fallback_fetch(struct db_context *db, TALLOC_CTX *mem_ctx,
+				 TDB_DATA key, TDB_DATA *data)
+{
+	struct db_record *rec;
+
+	if (!(rec = db->fetch_locked(db, mem_ctx, key))) {
+		return -1;
+	}
+
+	data->dsize = rec->value.dsize;
+	data->dptr = talloc_move(mem_ctx, &rec->value.dptr);
+	TALLOC_FREE(rec);
+	return 0;
+}
+
+/**
+ * open a database
+ */
+struct db_context *db_open(TALLOC_CTX *mem_ctx,
+			   const char *name,
+			   int hash_size, int tdb_flags,
+			   int open_flags, mode_t mode)
+{
+	struct db_context *result = NULL;
+#ifdef CLUSTER_SUPPORT
+	const char *sockname = lp_ctdbd_socket();
+#endif
+
+#ifdef CLUSTER_SUPPORT
+	if(!sockname || !*sockname) {
+		sockname = CTDB_PATH;
+	}
+
+	if (lp_clustering()) {
+		const char *partname;
+
+		if (!socket_exist(sockname)) {
+			DEBUG(1, ("ctdb socket does not exist - is ctdb not "
+				  "running?\n"));
+			return NULL;
+		}
+
+		/* ctdb only wants the file part of the name */
+		partname = strrchr(name, '/');
+		if (partname) {
+			partname++;
+		} else {
+			partname = name;
+		}
+		/* allow ctdb for individual databases to be disabled */
+		if (lp_parm_bool(-1, "ctdb", partname, True)) {
+			result = db_open_ctdb(mem_ctx, partname, hash_size,
+					      tdb_flags, open_flags, mode);
+			if (result == NULL) {
+				DEBUG(0,("failed to attach to ctdb %s\n",
+					 partname));
+				if (errno == 0) {
+					errno = EIO;
+				}
+				return NULL;
+			}
+		}
+	}
+
+#endif
+
+	if (result == NULL) {
+		result = db_open_tdb(mem_ctx, name, hash_size,
+				     tdb_flags, open_flags, mode);
+	}
+
+	if ((result != NULL) && (result->fetch == NULL)) {
+		result->fetch = dbwrap_fallback_fetch;
+	}
+
+	return result;
+}
+
+NTSTATUS dbwrap_delete_bystring(struct db_context *db, const char *key)
+{
+	struct db_record *rec;
+	NTSTATUS status;
+
+	rec = db->fetch_locked(db, talloc_tos(), string_term_tdb_data(key));
+	if (rec == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	status = rec->delete_rec(rec);
+	TALLOC_FREE(rec);
+	return status;
+}
+
+NTSTATUS dbwrap_store_bystring(struct db_context *db, const char *key,
+			       TDB_DATA data, int flags)
+{
+	struct db_record *rec;
+	NTSTATUS status;
+
+	rec = db->fetch_locked(db, talloc_tos(), string_term_tdb_data(key));
+	if (rec == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = rec->store(rec, data, flags);
+	TALLOC_FREE(rec);
+	return status;
+}
+
+TDB_DATA dbwrap_fetch_bystring(struct db_context *db, TALLOC_CTX *mem_ctx,
+			       const char *key)
+{
+	TDB_DATA result;
+
+	if (db->fetch(db, mem_ctx, string_term_tdb_data(key), &result) == -1) {
+		return make_tdb_data(NULL, 0);
+	}
+
+	return result;
+}
diff --git a/source3/lib/dbwrap_ctdb.c b/source3/lib/dbwrap_ctdb.c
new file mode 100644
index 0000000000..63a5ce4de6
--- /dev/null
+++ b/source3/lib/dbwrap_ctdb.c
@@ -0,0 +1,1223 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Database interface wrapper around ctdbd
+   Copyright (C) Volker Lendecke 2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#ifdef CLUSTER_SUPPORT
+#include "ctdb.h"
+#include "ctdb_private.h"
+#include "ctdbd_conn.h"
+
+struct db_ctdb_transaction_handle {
+	struct db_ctdb_ctx *ctx;
+	bool in_replay;
+	/* we store the reads and writes done under a transaction one
+	   list stores both reads and writes, the other just writes
+	*/
+	struct ctdb_marshall_buffer *m_all;
+	struct ctdb_marshall_buffer *m_write;
+	uint32_t nesting;
+	bool nested_cancel;
+};
+
+struct db_ctdb_ctx {
+	struct db_context *db;
+	struct tdb_wrap *wtdb;
+	uint32 db_id;
+	struct db_ctdb_transaction_handle *transaction;
+};
+
+struct db_ctdb_rec {
+	struct db_ctdb_ctx *ctdb_ctx;
+	struct ctdb_ltdb_header header;
+};
+
+static struct db_record *fetch_locked_internal(struct db_ctdb_ctx *ctx,
+					       TALLOC_CTX *mem_ctx,
+					       TDB_DATA key,
+					       bool persistent);
+
+static NTSTATUS tdb_error_to_ntstatus(struct tdb_context *tdb)
+{
+	NTSTATUS status;
+	enum TDB_ERROR tret = tdb_error(tdb);
+
+	switch (tret) {
+	case TDB_ERR_EXISTS:
+		status = NT_STATUS_OBJECT_NAME_COLLISION;
+		break;
+	case TDB_ERR_NOEXIST:
+		status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+		break;
+	default:
+		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+		break;
+	}
+
+	return status;
+}
+
+
+
+/*
+  form a ctdb_rec_data record from a key/data pair
+
+  note that header may be NULL. If not NULL then it is included in the data portion
+  of the record
+ */
+static struct ctdb_rec_data *db_ctdb_marshall_record(TALLOC_CTX *mem_ctx, uint32_t reqid,	
+						  TDB_DATA key, 
+						  struct ctdb_ltdb_header *header,
+						  TDB_DATA data)
+{
+	size_t length;
+	struct ctdb_rec_data *d;
+
+	length = offsetof(struct ctdb_rec_data, data) + key.dsize + 
+		data.dsize + (header?sizeof(*header):0);
+	d = (struct ctdb_rec_data *)talloc_size(mem_ctx, length);
+	if (d == NULL) {
+		return NULL;
+	}
+	d->length = length;
+	d->reqid = reqid;
+	d->keylen = key.dsize;
+	memcpy(&d->data[0], key.dptr, key.dsize);
+	if (header) {
+		d->datalen = data.dsize + sizeof(*header);
+		memcpy(&d->data[key.dsize], header, sizeof(*header));
+		memcpy(&d->data[key.dsize+sizeof(*header)], data.dptr, data.dsize);
+	} else {
+		d->datalen = data.dsize;
+		memcpy(&d->data[key.dsize], data.dptr, data.dsize);
+	}
+	return d;
+}
+
+
+/* helper function for marshalling multiple records */
+static struct ctdb_marshall_buffer *db_ctdb_marshall_add(TALLOC_CTX *mem_ctx, 
+					       struct ctdb_marshall_buffer *m,
+					       uint64_t db_id,
+					       uint32_t reqid,
+					       TDB_DATA key,
+					       struct ctdb_ltdb_header *header,
+					       TDB_DATA data)
+{
+	struct ctdb_rec_data *r;
+	size_t m_size, r_size;
+	struct ctdb_marshall_buffer *m2;
+
+	r = db_ctdb_marshall_record(mem_ctx, reqid, key, header, data);
+	if (r == NULL) {
+		talloc_free(m);
+		return NULL;
+	}
+
+	if (m == NULL) {
+		m = (struct ctdb_marshall_buffer *)talloc_zero_size(
+			mem_ctx, offsetof(struct ctdb_marshall_buffer, data));
+		if (m == NULL) {
+			return NULL;
+		}
+		m->db_id = db_id;
+	}
+
+	m_size = talloc_get_size(m);
+	r_size = talloc_get_size(r);
+
+	m2 = (struct ctdb_marshall_buffer *)talloc_realloc_size(
+		mem_ctx, m,  m_size + r_size);
+	if (m2 == NULL) {
+		talloc_free(m);
+		return NULL;
+	}
+
+	memcpy(m_size + (uint8_t *)m2, r, r_size);
+
+	talloc_free(r);
+
+	m2->count++;
+
+	return m2;
+}
+
+/* we've finished marshalling, return a data blob with the marshalled records */
+static TDB_DATA db_ctdb_marshall_finish(struct ctdb_marshall_buffer *m)
+{
+	TDB_DATA data;
+	data.dptr = (uint8_t *)m;
+	data.dsize = talloc_get_size(m);
+	return data;
+}
+
+/* 
+   loop over a marshalling buffer 
+
+     - pass r==NULL to start
+     - loop the number of times indicated by m->count
+*/
+static struct ctdb_rec_data *db_ctdb_marshall_loop_next(struct ctdb_marshall_buffer *m, struct ctdb_rec_data *r,
+						     uint32_t *reqid,
+						     struct ctdb_ltdb_header *header,
+						     TDB_DATA *key, TDB_DATA *data)
+{
+	if (r == NULL) {
+		r = (struct ctdb_rec_data *)&m->data[0];
+	} else {
+		r = (struct ctdb_rec_data *)(r->length + (uint8_t *)r);
+	}
+
+	if (reqid != NULL) {
+		*reqid = r->reqid;
+	}
+
+	if (key != NULL) {
+		key->dptr   = &r->data[0];
+		key->dsize  = r->keylen;
+	}
+	if (data != NULL) {
+		data->dptr  = &r->data[r->keylen];
+		data->dsize = r->datalen;
+		if (header != NULL) {
+			data->dptr += sizeof(*header);
+			data->dsize -= sizeof(*header);
+		}
+	}
+
+	if (header != NULL) {
+		if (r->datalen < sizeof(*header)) {
+			return NULL;
+		}
+		*header = *(struct ctdb_ltdb_header *)&r->data[r->keylen];
+	}
+
+	return r;
+}
+
+
+
+/* start a transaction on a database */
+static int db_ctdb_transaction_destructor(struct db_ctdb_transaction_handle *h)
+{
+	tdb_transaction_cancel(h->ctx->wtdb->tdb);
+	return 0;
+}
+
+/* start a transaction on a database */
+static int db_ctdb_transaction_fetch_start(struct db_ctdb_transaction_handle *h)
+{
+	struct db_record *rh;
+	TDB_DATA key;
+	TALLOC_CTX *tmp_ctx;
+	const char *keyname = CTDB_TRANSACTION_LOCK_KEY;
+	int ret;
+	struct db_ctdb_ctx *ctx = h->ctx;
+	TDB_DATA data;
+
+	key.dptr = (uint8_t *)discard_const(keyname);
+	key.dsize = strlen(keyname);
+
+again:
+	tmp_ctx = talloc_new(h);
+
+	rh = fetch_locked_internal(ctx, tmp_ctx, key, true);
+	if (rh == NULL) {
+		DEBUG(0,(__location__ " Failed to fetch_lock database\n"));		
+		talloc_free(tmp_ctx);
+		return -1;
+	}
+	talloc_free(rh);
+
+	ret = tdb_transaction_start(ctx->wtdb->tdb);
+	if (ret != 0) {
+		DEBUG(0,(__location__ " Failed to start tdb transaction\n"));
+		talloc_free(tmp_ctx);
+		return -1;
+	}
+
+	data = tdb_fetch(ctx->wtdb->tdb, key);
+	if ((data.dptr == NULL) ||
+	    (data.dsize < sizeof(struct ctdb_ltdb_header)) ||
+	    ((struct ctdb_ltdb_header *)data.dptr)->dmaster != get_my_vnn()) {
+		SAFE_FREE(data.dptr);
+		tdb_transaction_cancel(ctx->wtdb->tdb);
+		talloc_free(tmp_ctx);
+		goto again;
+	}
+
+	SAFE_FREE(data.dptr);
+	talloc_free(tmp_ctx);
+
+	return 0;
+}
+
+
+/* start a transaction on a database */
+static int db_ctdb_transaction_start(struct db_context *db)
+{
+	struct db_ctdb_transaction_handle *h;
+	int ret;
+	struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_ctdb_ctx);
+
+	if (!db->persistent) {
+		DEBUG(0,("transactions not supported on non-persistent database 0x%08x\n", 
+			 ctx->db_id));
+		return -1;
+	}
+
+	if (ctx->transaction) {
+		ctx->transaction->nesting++;
+		return 0;
+	}
+
+	h = talloc_zero(db, struct db_ctdb_transaction_handle);
+	if (h == NULL) {
+		DEBUG(0,(__location__ " oom for transaction handle\n"));		
+		return -1;
+	}
+
+	h->ctx = ctx;
+
+	ret = db_ctdb_transaction_fetch_start(h);
+	if (ret != 0) {
+		talloc_free(h);
+		return -1;
+	}
+
+	talloc_set_destructor(h, db_ctdb_transaction_destructor);
+
+	ctx->transaction = h;
+
+	DEBUG(5,(__location__ " Started transaction on db 0x%08x\n", ctx->db_id));
+
+	return 0;
+}
+
+
+
+/*
+  fetch a record inside a transaction
+ */
+static int db_ctdb_transaction_fetch(struct db_ctdb_ctx *db, 
+				     TALLOC_CTX *mem_ctx, 
+				     TDB_DATA key, TDB_DATA *data)
+{
+	struct db_ctdb_transaction_handle *h = db->transaction;
+
+	*data = tdb_fetch(h->ctx->wtdb->tdb, key);
+
+	if (data->dptr != NULL) {
+		uint8_t *oldptr = (uint8_t *)data->dptr;
+		data->dsize -= sizeof(struct ctdb_ltdb_header);
+		if (data->dsize == 0) {
+			data->dptr = NULL;
+		} else {
+			data->dptr = (uint8 *)
+				talloc_memdup(
+					mem_ctx, data->dptr+sizeof(struct ctdb_ltdb_header),
+					data->dsize);
+		}
+		SAFE_FREE(oldptr);
+		if (data->dptr == NULL && data->dsize != 0) {
+			return -1;
+		}
+	}
+
+	if (!h->in_replay) {
+		h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 1, key, NULL, *data);
+		if (h->m_all == NULL) {
+			DEBUG(0,(__location__ " Failed to add to marshalling record\n"));
+			data->dsize = 0;
+			talloc_free(data->dptr);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+
+static NTSTATUS db_ctdb_store_transaction(struct db_record *rec, TDB_DATA data, int flag);
+static NTSTATUS db_ctdb_delete_transaction(struct db_record *rec);
+
+static struct db_record *db_ctdb_fetch_locked_transaction(struct db_ctdb_ctx *ctx,
+							  TALLOC_CTX *mem_ctx,
+							  TDB_DATA key)
+{
+	struct db_record *result;
+	TDB_DATA ctdb_data;
+
+	if (!(result = talloc(mem_ctx, struct db_record))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	result->private_data = ctx->transaction;
+
+	result->key.dsize = key.dsize;
+	result->key.dptr = (uint8 *)talloc_memdup(result, key.dptr, key.dsize);
+	if (result->key.dptr == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->store = db_ctdb_store_transaction;
+	result->delete_rec = db_ctdb_delete_transaction;
+
+	ctdb_data = tdb_fetch(ctx->wtdb->tdb, key);
+	if (ctdb_data.dptr == NULL) {
+		/* create the record */
+		result->value = tdb_null;
+		return result;
+	}
+
+	result->value.dsize = ctdb_data.dsize - sizeof(struct ctdb_ltdb_header);
+	result->value.dptr = NULL;
+
+	if ((result->value.dsize != 0)
+	    && !(result->value.dptr = (uint8 *)talloc_memdup(
+			 result, ctdb_data.dptr + sizeof(struct ctdb_ltdb_header),
+			 result->value.dsize))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+	}
+
+	SAFE_FREE(ctdb_data.dptr);
+
+	return result;
+}
+
+static int db_ctdb_record_destructor(struct db_record *rec)
+{
+	struct db_ctdb_transaction_handle *h = talloc_get_type_abort(
+		rec->private_data, struct db_ctdb_transaction_handle);
+	int ret = h->ctx->db->transaction_commit(h->ctx->db);
+	if (ret != 0) {
+		DEBUG(0,(__location__ " transaction_commit failed\n"));
+	}
+	return 0;
+}
+
+/*
+  auto-create a transaction for persistent databases
+ */
+static struct db_record *db_ctdb_fetch_locked_persistent(struct db_ctdb_ctx *ctx,
+							 TALLOC_CTX *mem_ctx,
+							 TDB_DATA key)
+{
+	int res;
+	struct db_record *rec;
+
+	res = db_ctdb_transaction_start(ctx->db);
+	if (res == -1) {
+		return NULL;
+	}
+
+	rec = db_ctdb_fetch_locked_transaction(ctx, mem_ctx, key);
+	if (rec == NULL) {
+		ctx->db->transaction_cancel(ctx->db);		
+		return NULL;
+	}
+
+	/* destroy this transaction when we release the lock */
+	talloc_set_destructor((struct db_record *)talloc_new(rec), db_ctdb_record_destructor);
+	return rec;
+}
+
+
+/*
+  stores a record inside a transaction
+ */
+static int db_ctdb_transaction_store(struct db_ctdb_transaction_handle *h, 
+				     TDB_DATA key, TDB_DATA data)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(h);
+	int ret;
+	TDB_DATA rec;
+	struct ctdb_ltdb_header header;
+
+	/* we need the header so we can update the RSN */
+	rec = tdb_fetch(h->ctx->wtdb->tdb, key);
+	if (rec.dptr == NULL) {
+		/* the record doesn't exist - create one with us as dmaster.
+		   This is only safe because we are in a transaction and this
+		   is a persistent database */
+		ZERO_STRUCT(header);
+		header.dmaster = get_my_vnn();
+	} else {
+		memcpy(&header, rec.dptr, sizeof(struct ctdb_ltdb_header));
+		rec.dsize -= sizeof(struct ctdb_ltdb_header);
+		/* a special case, we are writing the same data that is there now */
+		if (data.dsize == rec.dsize &&
+		    memcmp(data.dptr, rec.dptr + sizeof(struct ctdb_ltdb_header), data.dsize) == 0) {
+			SAFE_FREE(rec.dptr);
+			talloc_free(tmp_ctx);
+			return 0;
+		}
+		SAFE_FREE(rec.dptr);
+	}
+
+	header.rsn++;
+
+	if (!h->in_replay) {
+		h->m_all = db_ctdb_marshall_add(h, h->m_all, h->ctx->db_id, 0, key, NULL, data);
+		if (h->m_all == NULL) {
+			DEBUG(0,(__location__ " Failed to add to marshalling record\n"));
+			talloc_free(tmp_ctx);
+			return -1;
+		}
+	}
+
+	h->m_write = db_ctdb_marshall_add(h, h->m_write, h->ctx->db_id, 0, key, &header, data);
+	if (h->m_write == NULL) {
+		DEBUG(0,(__location__ " Failed to add to marshalling record\n"));
+		talloc_free(tmp_ctx);
+		return -1;
+	}
+
+	rec.dsize = data.dsize + sizeof(struct ctdb_ltdb_header);
+	rec.dptr = (uint8_t *)talloc_size(tmp_ctx, rec.dsize);
+	if (rec.dptr == NULL) {
+		DEBUG(0,(__location__ " Failed to alloc record\n"));
+		talloc_free(tmp_ctx);
+		return -1;
+	}
+	memcpy(rec.dptr, &header, sizeof(struct ctdb_ltdb_header));
+	memcpy(sizeof(struct ctdb_ltdb_header) + (uint8_t *)rec.dptr, data.dptr, data.dsize);
+
+	ret = tdb_store(h->ctx->wtdb->tdb, key, rec, TDB_REPLACE);
+
+	talloc_free(tmp_ctx);
+
+	return ret;
+}
+
+
+/* 
+   a record store inside a transaction
+ */
+static NTSTATUS db_ctdb_store_transaction(struct db_record *rec, TDB_DATA data, int flag)
+{
+	struct db_ctdb_transaction_handle *h = talloc_get_type_abort(
+		rec->private_data, struct db_ctdb_transaction_handle);
+	int ret;
+
+	ret = db_ctdb_transaction_store(h, rec->key, data);
+	if (ret != 0) {
+		return tdb_error_to_ntstatus(h->ctx->wtdb->tdb);
+	}
+	return NT_STATUS_OK;
+}
+
+/* 
+   a record delete inside a transaction
+ */
+static NTSTATUS db_ctdb_delete_transaction(struct db_record *rec)
+{
+	struct db_ctdb_transaction_handle *h = talloc_get_type_abort(
+		rec->private_data, struct db_ctdb_transaction_handle);
+	int ret;
+
+	ret = db_ctdb_transaction_store(h, rec->key, tdb_null);
+	if (ret != 0) {
+		return tdb_error_to_ntstatus(h->ctx->wtdb->tdb);
+	}
+	return NT_STATUS_OK;
+}
+
+
+/*
+  replay a transaction
+ */
+static int ctdb_replay_transaction(struct db_ctdb_transaction_handle *h)
+{
+	int ret, i;
+	struct ctdb_rec_data *rec = NULL;
+
+	h->in_replay = true;
+	talloc_free(h->m_write);
+	h->m_write = NULL;
+
+	ret = db_ctdb_transaction_fetch_start(h);
+	if (ret != 0) {
+		return ret;
+	}
+
+	for (i=0;i<h->m_all->count;i++) {
+		TDB_DATA key, data;
+
+		rec = db_ctdb_marshall_loop_next(h->m_all, rec, NULL, NULL, &key, &data);
+		if (rec == NULL) {
+			DEBUG(0, (__location__ " Out of records in ctdb_replay_transaction?\n"));
+			goto failed;
+		}
+
+		if (rec->reqid == 0) {
+			/* its a store */
+			if (db_ctdb_transaction_store(h, key, data) != 0) {
+				goto failed;
+			}
+		} else {
+			TDB_DATA data2;
+			TALLOC_CTX *tmp_ctx = talloc_new(h);
+
+			if (db_ctdb_transaction_fetch(h->ctx, tmp_ctx, key, &data2) != 0) {
+				talloc_free(tmp_ctx);
+				goto failed;
+			}
+			if (data2.dsize != data.dsize ||
+			    memcmp(data2.dptr, data.dptr, data.dsize) != 0) {
+				/* the record has changed on us - we have to give up */
+				talloc_free(tmp_ctx);
+				goto failed;
+			}
+			talloc_free(tmp_ctx);
+		}
+	}
+
+	return 0;
+
+failed:
+	tdb_transaction_cancel(h->ctx->wtdb->tdb);
+	return -1;
+}
+
+
+/*
+  commit a transaction
+ */
+static int db_ctdb_transaction_commit(struct db_context *db)
+{
+	struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_ctdb_ctx);
+	NTSTATUS rets;
+	int ret;
+	int status;
+	int retries = 0;
+	struct db_ctdb_transaction_handle *h = ctx->transaction;
+	enum ctdb_controls failure_control = CTDB_CONTROL_TRANS2_ERROR;
+
+	if (h == NULL) {
+		DEBUG(0,(__location__ " transaction commit with no open transaction on db 0x%08x\n", ctx->db_id));
+		return -1;
+	}
+
+	if (h->nested_cancel) {
+		db->transaction_cancel(db);
+		DEBUG(5,(__location__ " Failed transaction commit after nested cancel\n"));
+		return -1;
+	}
+
+	if (h->nesting != 0) {
+		h->nesting--;
+		return 0;
+	}
+
+	DEBUG(5,(__location__ " Commit transaction on db 0x%08x\n", ctx->db_id));
+
+	talloc_set_destructor(h, NULL);
+
+	/* our commit strategy is quite complex.
+
+	   - we first try to commit the changes to all other nodes
+
+	   - if that works, then we commit locally and we are done
+
+	   - if a commit on another node fails, then we need to cancel
+	     the transaction, then restart the transaction (thus
+	     opening a window of time for a pending recovery to
+	     complete), then replay the transaction, checking all the
+	     reads and writes (checking that reads give the same data,
+	     and writes succeed). Then we retry the transaction to the
+	     other nodes
+	*/
+
+again:
+	if (h->m_write == NULL) {
+		/* no changes were made, potentially after a retry */
+		tdb_transaction_cancel(h->ctx->wtdb->tdb);
+		talloc_free(h);
+		ctx->transaction = NULL;
+		return 0;
+	}
+
+	/* tell ctdbd to commit to the other nodes */
+	rets = ctdbd_control_local(messaging_ctdbd_connection(), 
+				   retries==0?CTDB_CONTROL_TRANS2_COMMIT:CTDB_CONTROL_TRANS2_COMMIT_RETRY, 
+				   h->ctx->db_id, 0,
+				   db_ctdb_marshall_finish(h->m_write), NULL, NULL, &status);
+	if (!NT_STATUS_IS_OK(rets) || status != 0) {
+		tdb_transaction_cancel(h->ctx->wtdb->tdb);
+		sleep(1);
+
+		if (!NT_STATUS_IS_OK(rets)) {
+			failure_control = CTDB_CONTROL_TRANS2_ERROR;			
+		} else {
+			/* work out what error code we will give if we 
+			   have to fail the operation */
+			switch ((enum ctdb_trans2_commit_error)status) {
+			case CTDB_TRANS2_COMMIT_SUCCESS:
+			case CTDB_TRANS2_COMMIT_SOMEFAIL:
+			case CTDB_TRANS2_COMMIT_TIMEOUT:
+				failure_control = CTDB_CONTROL_TRANS2_ERROR;
+				break;
+			case CTDB_TRANS2_COMMIT_ALLFAIL:
+				failure_control = CTDB_CONTROL_TRANS2_FINISHED;
+				break;
+			}
+		}
+
+		if (++retries == 5) {
+			DEBUG(0,(__location__ " Giving up transaction on db 0x%08x after %d retries failure_control=%u\n", 
+				 h->ctx->db_id, retries, (unsigned)failure_control));
+			ctdbd_control_local(messaging_ctdbd_connection(), failure_control,
+					    h->ctx->db_id, CTDB_CTRL_FLAG_NOREPLY, 
+					    tdb_null, NULL, NULL, NULL);
+			h->ctx->transaction = NULL;
+			talloc_free(h);
+			ctx->transaction = NULL;
+			return -1;			
+		}
+
+		if (ctdb_replay_transaction(h) != 0) {
+			DEBUG(0,(__location__ " Failed to replay transaction failure_control=%u\n",
+				 (unsigned)failure_control));
+			ctdbd_control_local(messaging_ctdbd_connection(), failure_control,
+					    h->ctx->db_id, CTDB_CTRL_FLAG_NOREPLY, 
+					    tdb_null, NULL, NULL, NULL);
+			h->ctx->transaction = NULL;
+			talloc_free(h);
+			ctx->transaction = NULL;
+			return -1;
+		}
+		goto again;
+	} else {
+		failure_control = CTDB_CONTROL_TRANS2_ERROR;
+	}
+
+	/* do the real commit locally */
+	ret = tdb_transaction_commit(h->ctx->wtdb->tdb);
+	if (ret != 0) {
+		DEBUG(0,(__location__ " Failed to commit transaction failure_control=%u\n",
+			 (unsigned)failure_control));
+		ctdbd_control_local(messaging_ctdbd_connection(), failure_control, h->ctx->db_id, 
+				    CTDB_CTRL_FLAG_NOREPLY, tdb_null, NULL, NULL, NULL);
+		h->ctx->transaction = NULL;
+		talloc_free(h);
+		return ret;
+	}
+
+	/* tell ctdbd that we are finished with our local commit */
+	ctdbd_control_local(messaging_ctdbd_connection(), CTDB_CONTROL_TRANS2_FINISHED, 
+			    h->ctx->db_id, CTDB_CTRL_FLAG_NOREPLY, 
+			    tdb_null, NULL, NULL, NULL);
+	h->ctx->transaction = NULL;
+	talloc_free(h);
+	return 0;
+}
+
+
+/*
+  cancel a transaction
+ */
+static int db_ctdb_transaction_cancel(struct db_context *db)
+{
+	struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_ctdb_ctx);
+	struct db_ctdb_transaction_handle *h = ctx->transaction;
+
+	if (h == NULL) {
+		DEBUG(0,(__location__ " transaction cancel with no open transaction on db 0x%08x\n", ctx->db_id));
+		return -1;
+	}
+
+	if (h->nesting != 0) {
+		h->nesting--;
+		h->nested_cancel = true;
+		return 0;
+	}
+
+	DEBUG(5,(__location__ " Cancel transaction on db 0x%08x\n", ctx->db_id));
+
+	ctx->transaction = NULL;
+	talloc_free(h);
+	return 0;
+}
+
+
+static NTSTATUS db_ctdb_store(struct db_record *rec, TDB_DATA data, int flag)
+{
+	struct db_ctdb_rec *crec = talloc_get_type_abort(
+		rec->private_data, struct db_ctdb_rec);
+	TDB_DATA cdata;
+	int ret;
+
+	cdata.dsize = sizeof(crec->header) + data.dsize;
+
+	if (!(cdata.dptr = SMB_MALLOC_ARRAY(uint8, cdata.dsize))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	memcpy(cdata.dptr, &crec->header, sizeof(crec->header));
+	memcpy(cdata.dptr + sizeof(crec->header), data.dptr, data.dsize);
+
+	ret = tdb_store(crec->ctdb_ctx->wtdb->tdb, rec->key, cdata, TDB_REPLACE);
+
+	SAFE_FREE(cdata.dptr);
+
+	return (ret == 0) ? NT_STATUS_OK
+			  : tdb_error_to_ntstatus(crec->ctdb_ctx->wtdb->tdb);
+}
+
+
+
+static NTSTATUS db_ctdb_delete(struct db_record *rec)
+{
+	TDB_DATA data;
+
+	/*
+	 * We have to store the header with empty data. TODO: Fix the
+	 * tdb-level cleanup
+	 */
+
+	ZERO_STRUCT(data);
+
+	return db_ctdb_store(rec, data, 0);
+
+}
+
+static int db_ctdb_record_destr(struct db_record* data)
+{
+	struct db_ctdb_rec *crec = talloc_get_type_abort(
+		data->private_data, struct db_ctdb_rec);
+
+	DEBUG(10, (DEBUGLEVEL > 10
+		   ? "Unlocking db %u key %s\n"
+		   : "Unlocking db %u key %.20s\n",
+		   (int)crec->ctdb_ctx->db_id,
+		   hex_encode(data, (unsigned char *)data->key.dptr,
+			      data->key.dsize)));
+
+	if (tdb_chainunlock(crec->ctdb_ctx->wtdb->tdb, data->key) != 0) {
+		DEBUG(0, ("tdb_chainunlock failed\n"));
+		return -1;
+	}
+
+	return 0;
+}
+
+static struct db_record *fetch_locked_internal(struct db_ctdb_ctx *ctx,
+					       TALLOC_CTX *mem_ctx,
+					       TDB_DATA key,
+					       bool persistent)
+{
+	struct db_record *result;
+	struct db_ctdb_rec *crec;
+	NTSTATUS status;
+	TDB_DATA ctdb_data;
+	int migrate_attempts = 0;
+
+	if (!(result = talloc(mem_ctx, struct db_record))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	if (!(crec = TALLOC_ZERO_P(result, struct db_ctdb_rec))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->private_data = (void *)crec;
+	crec->ctdb_ctx = ctx;
+
+	result->key.dsize = key.dsize;
+	result->key.dptr = (uint8 *)talloc_memdup(result, key.dptr, key.dsize);
+	if (result->key.dptr == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	/*
+	 * Do a blocking lock on the record
+	 */
+again:
+
+	if (DEBUGLEVEL >= 10) {
+		char *keystr = hex_encode(result, key.dptr, key.dsize);
+		DEBUG(10, (DEBUGLEVEL > 10
+			   ? "Locking db %u key %s\n"
+			   : "Locking db %u key %.20s\n",
+			   (int)crec->ctdb_ctx->db_id, keystr));
+		TALLOC_FREE(keystr);
+	}
+
+	if (tdb_chainlock(ctx->wtdb->tdb, key) != 0) {
+		DEBUG(3, ("tdb_chainlock failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->store = db_ctdb_store;
+	result->delete_rec = db_ctdb_delete;
+	talloc_set_destructor(result, db_ctdb_record_destr);
+
+	ctdb_data = tdb_fetch(ctx->wtdb->tdb, key);
+
+	/*
+	 * See if we have a valid record and we are the dmaster. If so, we can
+	 * take the shortcut and just return it.
+	 */
+
+	if ((ctdb_data.dptr == NULL) ||
+	    (ctdb_data.dsize < sizeof(struct ctdb_ltdb_header)) ||
+	    ((struct ctdb_ltdb_header *)ctdb_data.dptr)->dmaster != get_my_vnn()
+#if 0
+	    || (random() % 2 != 0)
+#endif
+) {
+		SAFE_FREE(ctdb_data.dptr);
+		tdb_chainunlock(ctx->wtdb->tdb, key);
+		talloc_set_destructor(result, NULL);
+
+		migrate_attempts += 1;
+
+		DEBUG(10, ("ctdb_data.dptr = %p, dmaster = %u (%u)\n",
+			   ctdb_data.dptr, ctdb_data.dptr ?
+			   ((struct ctdb_ltdb_header *)ctdb_data.dptr)->dmaster : -1,
+			   get_my_vnn()));
+
+		status = ctdbd_migrate(messaging_ctdbd_connection(),ctx->db_id, key);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(5, ("ctdb_migrate failed: %s\n",
+				  nt_errstr(status)));
+			TALLOC_FREE(result);
+			return NULL;
+		}
+		/* now its migrated, try again */
+		goto again;
+	}
+
+	if (migrate_attempts > 10) {
+		DEBUG(0, ("db_ctdb_fetch_locked needed %d attempts\n",
+			  migrate_attempts));
+	}
+
+	memcpy(&crec->header, ctdb_data.dptr, sizeof(crec->header));
+
+	result->value.dsize = ctdb_data.dsize - sizeof(crec->header);
+	result->value.dptr = NULL;
+
+	if ((result->value.dsize != 0)
+	    && !(result->value.dptr = (uint8 *)talloc_memdup(
+			 result, ctdb_data.dptr + sizeof(crec->header),
+			 result->value.dsize))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+	}
+
+	SAFE_FREE(ctdb_data.dptr);
+
+	return result;
+}
+
+static struct db_record *db_ctdb_fetch_locked(struct db_context *db,
+					      TALLOC_CTX *mem_ctx,
+					      TDB_DATA key)
+{
+	struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_ctdb_ctx);
+
+	if (ctx->transaction != NULL) {
+		return db_ctdb_fetch_locked_transaction(ctx, mem_ctx, key);
+	}
+
+	if (db->persistent) {
+		return db_ctdb_fetch_locked_persistent(ctx, mem_ctx, key);
+	}
+
+	return fetch_locked_internal(ctx, mem_ctx, key, db->persistent);
+}
+
+/*
+  fetch (unlocked, no migration) operation on ctdb
+ */
+static int db_ctdb_fetch(struct db_context *db, TALLOC_CTX *mem_ctx,
+			 TDB_DATA key, TDB_DATA *data)
+{
+	struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_ctdb_ctx);
+	NTSTATUS status;
+	TDB_DATA ctdb_data;
+
+	if (ctx->transaction) {
+		return db_ctdb_transaction_fetch(ctx, mem_ctx, key, data);
+	}
+
+	/* try a direct fetch */
+	ctdb_data = tdb_fetch(ctx->wtdb->tdb, key);
+
+	/*
+	 * See if we have a valid record and we are the dmaster. If so, we can
+	 * take the shortcut and just return it.
+	 * we bypass the dmaster check for persistent databases
+	 */
+	if ((ctdb_data.dptr != NULL) &&
+	    (ctdb_data.dsize >= sizeof(struct ctdb_ltdb_header)) &&
+	    (db->persistent ||
+	     ((struct ctdb_ltdb_header *)ctdb_data.dptr)->dmaster == get_my_vnn())) {
+		/* we are the dmaster - avoid the ctdb protocol op */
+
+		data->dsize = ctdb_data.dsize - sizeof(struct ctdb_ltdb_header);
+		if (data->dsize == 0) {
+			SAFE_FREE(ctdb_data.dptr);
+			data->dptr = NULL;
+			return 0;
+		}
+
+		data->dptr = (uint8 *)talloc_memdup(
+			mem_ctx, ctdb_data.dptr+sizeof(struct ctdb_ltdb_header),
+			data->dsize);
+
+		SAFE_FREE(ctdb_data.dptr);
+
+		if (data->dptr == NULL) {
+			return -1;
+		}
+		return 0;
+	}
+
+	SAFE_FREE(ctdb_data.dptr);
+
+	/* we weren't able to get it locally - ask ctdb to fetch it for us */
+	status = ctdbd_fetch(messaging_ctdbd_connection(),ctx->db_id, key, mem_ctx, data);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("ctdbd_fetch failed: %s\n", nt_errstr(status)));
+		return -1;
+	}
+
+	return 0;
+}
+
+struct traverse_state {
+	struct db_context *db;
+	int (*fn)(struct db_record *rec, void *private_data);
+	void *private_data;
+};
+
+static void traverse_callback(TDB_DATA key, TDB_DATA data, void *private_data)
+{
+	struct traverse_state *state = (struct traverse_state *)private_data;
+	struct db_record *rec;
+	TALLOC_CTX *tmp_ctx = talloc_new(state->db);
+	/* we have to give them a locked record to prevent races */
+	rec = db_ctdb_fetch_locked(state->db, tmp_ctx, key);
+	if (rec && rec->value.dsize > 0) {
+		state->fn(rec, state->private_data);
+	}
+	talloc_free(tmp_ctx);
+}
+
+static int traverse_persistent_callback(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+					void *private_data)
+{
+	struct traverse_state *state = (struct traverse_state *)private_data;
+	struct db_record *rec;
+	TALLOC_CTX *tmp_ctx = talloc_new(state->db);
+	int ret = 0;
+	/* we have to give them a locked record to prevent races */
+	rec = db_ctdb_fetch_locked(state->db, tmp_ctx, kbuf);
+	if (rec && rec->value.dsize > 0) {
+		ret = state->fn(rec, state->private_data);
+	}
+	talloc_free(tmp_ctx);
+	return ret;
+}
+
+static int db_ctdb_traverse(struct db_context *db,
+			    int (*fn)(struct db_record *rec,
+				      void *private_data),
+			    void *private_data)
+{
+        struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+                                                        struct db_ctdb_ctx);
+	struct traverse_state state;
+
+	state.db = db;
+	state.fn = fn;
+	state.private_data = private_data;
+
+	if (db->persistent) {
+		/* for persistent databases we don't need to do a ctdb traverse,
+		   we can do a faster local traverse */
+		return tdb_traverse(ctx->wtdb->tdb, traverse_persistent_callback, &state);
+	}
+
+
+	ctdbd_traverse(ctx->db_id, traverse_callback, &state);
+	return 0;
+}
+
+static NTSTATUS db_ctdb_store_deny(struct db_record *rec, TDB_DATA data, int flag)
+{
+	return NT_STATUS_MEDIA_WRITE_PROTECTED;
+}
+
+static NTSTATUS db_ctdb_delete_deny(struct db_record *rec)
+{
+	return NT_STATUS_MEDIA_WRITE_PROTECTED;
+}
+
+static void traverse_read_callback(TDB_DATA key, TDB_DATA data, void *private_data)
+{
+	struct traverse_state *state = (struct traverse_state *)private_data;
+	struct db_record rec;
+	rec.key = key;
+	rec.value = data;
+	rec.store = db_ctdb_store_deny;
+	rec.delete_rec = db_ctdb_delete_deny;
+	rec.private_data = state->db;
+	state->fn(&rec, state->private_data);
+}
+
+static int traverse_persistent_callback_read(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+					void *private_data)
+{
+	struct traverse_state *state = (struct traverse_state *)private_data;
+	struct db_record rec;
+	rec.key = kbuf;
+	rec.value = dbuf;
+	rec.store = db_ctdb_store_deny;
+	rec.delete_rec = db_ctdb_delete_deny;
+	rec.private_data = state->db;
+
+	if (rec.value.dsize <= sizeof(struct ctdb_ltdb_header)) {
+		/* a deleted record */
+		return 0;
+	}
+	rec.value.dsize -= sizeof(struct ctdb_ltdb_header);
+	rec.value.dptr += sizeof(struct ctdb_ltdb_header);
+
+	return state->fn(&rec, state->private_data);
+}
+
+static int db_ctdb_traverse_read(struct db_context *db,
+				 int (*fn)(struct db_record *rec,
+					   void *private_data),
+				 void *private_data)
+{
+        struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+                                                        struct db_ctdb_ctx);
+	struct traverse_state state;
+
+	state.db = db;
+	state.fn = fn;
+	state.private_data = private_data;
+
+	if (db->persistent) {
+		/* for persistent databases we don't need to do a ctdb traverse,
+		   we can do a faster local traverse */
+		return tdb_traverse_read(ctx->wtdb->tdb, traverse_persistent_callback_read, &state);
+	}
+
+	ctdbd_traverse(ctx->db_id, traverse_read_callback, &state);
+	return 0;
+}
+
+static int db_ctdb_get_seqnum(struct db_context *db)
+{
+        struct db_ctdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+                                                        struct db_ctdb_ctx);
+	return tdb_get_seqnum(ctx->wtdb->tdb);
+}
+
+struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
+				const char *name,
+				int hash_size, int tdb_flags,
+				int open_flags, mode_t mode)
+{
+	struct db_context *result;
+	struct db_ctdb_ctx *db_ctdb;
+	char *db_path;
+
+	if (!lp_clustering()) {
+		DEBUG(10, ("Clustering disabled -- no ctdb\n"));
+		return NULL;
+	}
+
+	if (!(result = TALLOC_ZERO_P(mem_ctx, struct db_context))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (!(db_ctdb = TALLOC_P(result, struct db_ctdb_ctx))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	db_ctdb->transaction = NULL;
+	db_ctdb->db = result;
+
+	if (!NT_STATUS_IS_OK(ctdbd_db_attach(messaging_ctdbd_connection(),name, &db_ctdb->db_id, tdb_flags))) {
+		DEBUG(0, ("ctdbd_db_attach failed for %s\n", name));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	db_path = ctdbd_dbpath(messaging_ctdbd_connection(), db_ctdb, db_ctdb->db_id);
+
+	result->persistent = ((tdb_flags & TDB_CLEAR_IF_FIRST) == 0);
+
+	/* only pass through specific flags */
+	tdb_flags &= TDB_SEQNUM;
+
+	/* honor permissions if user has specified O_CREAT */
+	if (open_flags & O_CREAT) {
+		chmod(db_path, mode);
+	}
+
+	db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags, O_RDWR, 0);
+	if (db_ctdb->wtdb == NULL) {
+		DEBUG(0, ("Could not open tdb %s: %s\n", db_path, strerror(errno)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+	talloc_free(db_path);
+
+	result->private_data = (void *)db_ctdb;
+	result->fetch_locked = db_ctdb_fetch_locked;
+	result->fetch = db_ctdb_fetch;
+	result->traverse = db_ctdb_traverse;
+	result->traverse_read = db_ctdb_traverse_read;
+	result->get_seqnum = db_ctdb_get_seqnum;
+	result->transaction_start = db_ctdb_transaction_start;
+	result->transaction_commit = db_ctdb_transaction_commit;
+	result->transaction_cancel = db_ctdb_transaction_cancel;
+
+	DEBUG(3,("db_open_ctdb: opened database '%s' with dbid 0x%x\n",
+		 name, db_ctdb->db_id));
+
+	return result;
+}
+#endif
diff --git a/source3/lib/dbwrap_file.c b/source3/lib/dbwrap_file.c
new file mode 100644
index 0000000000..e3779de1e4
--- /dev/null
+++ b/source3/lib/dbwrap_file.c
@@ -0,0 +1,410 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Database interface using a file per record
+   Copyright (C) Volker Lendecke 2005
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+struct db_file_ctx {
+	const char *dirname;
+
+	/* We only support one locked record at a time -- everything else
+	 * would lead to a potential deadlock anyway! */
+	struct db_record *locked_record;
+};
+
+struct db_locked_file {
+	int fd;
+	uint8 hash;
+	const char *name;
+	const char *path;
+	struct db_file_ctx *parent;
+};
+
+/* Copy from statcache.c... */
+
+static uint32 fsh(const uint8 *p, int len)
+{
+        uint32 n = 0;
+	int i;
+        for (i=0; i<len; i++) {
+                n = ((n << 5) + n) ^ (uint32)(p[i]);
+        }
+        return n;
+}
+
+static int db_locked_file_destr(struct db_locked_file *data)
+{
+	if (data->parent != NULL) {
+		data->parent->locked_record = NULL;
+	}
+
+	if (close(data->fd) != 0) {
+		DEBUG(3, ("close failed: %s\n", strerror(errno)));
+		return -1;
+	}
+
+	return 0;
+}
+
+static NTSTATUS db_file_store(struct db_record *rec, TDB_DATA data, int flag);
+static NTSTATUS db_file_delete(struct db_record *rec);
+
+static struct db_record *db_file_fetch_locked(struct db_context *db,
+					      TALLOC_CTX *mem_ctx,
+					      TDB_DATA key)
+{
+	struct db_file_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_file_ctx);
+	struct db_record *result;
+	struct db_locked_file *file;
+	struct flock fl;
+	SMB_STRUCT_STAT statbuf;
+	ssize_t nread;
+	int ret;
+
+	SMB_ASSERT(ctx->locked_record == NULL);
+
+ again:
+	if (!(result = TALLOC_P(mem_ctx, struct db_record))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	if (!(file = TALLOC_P(result, struct db_locked_file))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->private_data = file;
+	result->store = db_file_store;
+	result->delete_rec = db_file_delete;
+
+	result->key.dsize = key.dsize;
+	result->key.dptr = (uint8 *)talloc_memdup(result, key.dptr, key.dsize);
+	if (result->key.dptr == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	/* Cut to 8 bits */
+	file->hash = fsh(key.dptr, key.dsize);
+	file->name = hex_encode(file, (unsigned char *)key.dptr, key.dsize);
+	if (file->name == NULL) {
+		DEBUG(0, ("hex_encode failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	file->path = talloc_asprintf(file, "%s/%2.2X/%s", ctx->dirname,
+				     file->hash, file->name);
+	if (file->path == NULL) {
+		DEBUG(0, ("talloc_asprintf failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	become_root();
+	file->fd = open(file->path, O_RDWR|O_CREAT, 0644);
+	unbecome_root();
+
+	if (file->fd < 0) {
+		DEBUG(3, ("Could not open/create %s: %s\n",
+			  file->path, strerror(errno)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	talloc_set_destructor(file, db_locked_file_destr);
+
+	fl.l_type = F_WRLCK;
+	fl.l_whence = SEEK_SET;
+	fl.l_start = 0;
+	fl.l_len = 1;
+	fl.l_pid = 0;
+
+	do {
+		ret = fcntl(file->fd, F_SETLKW, &fl);
+	} while ((ret == -1) && (errno == EINTR));
+
+	if (ret == -1) {
+		DEBUG(3, ("Could not get lock on %s: %s\n",
+			  file->path, strerror(errno)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (sys_fstat(file->fd, &statbuf) != 0) {
+		DEBUG(3, ("Could not fstat %s: %s\n",
+			  file->path, strerror(errno)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (statbuf.st_nlink == 0) {
+		/* Someone has deleted it under the lock, retry */
+		TALLOC_FREE(result);
+		goto again;
+	}
+
+	result->value.dsize = 0;
+	result->value.dptr = NULL;
+
+	if (statbuf.st_size != 0) {
+		result->value.dsize = statbuf.st_size;
+		result->value.dptr = TALLOC_ARRAY(result, uint8,
+						  statbuf.st_size);
+		if (result->value.dptr == NULL) {
+			DEBUG(1, ("talloc failed\n"));
+			TALLOC_FREE(result);
+			return NULL;
+		}
+
+		nread = read_data(file->fd, (char *)result->value.dptr,
+				  result->value.dsize);
+		if (nread != result->value.dsize) {
+			DEBUG(3, ("read_data failed: %s\n", strerror(errno)));
+			TALLOC_FREE(result);
+			return NULL;
+		}
+	}
+
+	ctx->locked_record = result;
+	file->parent = (struct db_file_ctx *)talloc_reference(file, ctx);
+
+	return result;
+}
+
+static NTSTATUS db_file_store_root(int fd, TDB_DATA data)
+{
+	if (sys_lseek(fd, 0, SEEK_SET) != 0) {
+		DEBUG(0, ("sys_lseek failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	if (write_data(fd, (char *)data.dptr, data.dsize) != data.dsize) {
+		DEBUG(3, ("write_data failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	if (sys_ftruncate(fd, data.dsize) != 0) {
+		DEBUG(3, ("sys_ftruncate failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS db_file_store(struct db_record *rec, TDB_DATA data, int flag)
+{
+	struct db_locked_file *file =
+		talloc_get_type_abort(rec->private_data,
+				      struct db_locked_file);
+	NTSTATUS status;
+
+	become_root();
+	status = db_file_store_root(file->fd, data);
+	unbecome_root();
+
+	return status;
+}
+
+static NTSTATUS db_file_delete(struct db_record *rec)
+{
+	struct db_locked_file *file =
+		talloc_get_type_abort(rec->private_data,
+				      struct db_locked_file);
+	int res;
+
+	become_root();
+	res = unlink(file->path);
+	unbecome_root();
+
+	if (res == -1) {
+		DEBUG(3, ("unlink(%s) failed: %s\n", file->path,
+			  strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	return NT_STATUS_OK;
+}
+
+static int db_file_traverse(struct db_context *db,
+			    int (*fn)(struct db_record *rec,
+				      void *private_data),
+			    void *private_data)
+{
+	struct db_file_ctx *ctx = talloc_get_type_abort(db->private_data,
+							struct db_file_ctx);
+	TALLOC_CTX *mem_ctx = talloc_init("traversal %s\n", ctx->dirname);
+	
+	int i;
+	int count = 0;
+
+	for (i=0; i<256; i++) {
+		const char *dirname = talloc_asprintf(mem_ctx, "%s/%2.2X",
+						      ctx->dirname, i);
+		DIR *dir;
+		struct dirent *dirent;
+
+		if (dirname == NULL) {
+			DEBUG(0, ("talloc failed\n"));
+			TALLOC_FREE(mem_ctx);
+			return -1;
+		}
+
+		dir = opendir(dirname);
+		if (dir == NULL) {
+			DEBUG(3, ("Could not open dir %s: %s\n", dirname,
+				  strerror(errno)));
+			TALLOC_FREE(mem_ctx);
+			return -1;
+		}
+
+		while ((dirent = readdir(dir)) != NULL) {
+			DATA_BLOB keyblob;
+			TDB_DATA key;
+			struct db_record *rec;
+
+			if ((dirent->d_name[0] == '.') &&
+			    ((dirent->d_name[1] == '\0') ||
+			     ((dirent->d_name[1] == '.') &&
+			      (dirent->d_name[2] == '\0')))) {
+				continue;
+			}
+
+			keyblob = strhex_to_data_blob(mem_ctx, dirent->d_name);
+			if (keyblob.data == NULL) {
+				DEBUG(5, ("strhex_to_data_blob failed\n"));
+				continue;
+			}
+
+			key.dptr = keyblob.data;
+			key.dsize = keyblob.length;
+
+			if ((ctx->locked_record != NULL) &&
+			    (key.dsize == ctx->locked_record->key.dsize) &&
+			    (memcmp(key.dptr, ctx->locked_record->key.dptr,
+				    key.dsize) == 0)) {
+				count += 1;
+				if (fn(ctx->locked_record,
+				       private_data) != 0) {
+					TALLOC_FREE(mem_ctx);
+					closedir(dir);
+					return count;
+				}
+			}
+
+			rec = db_file_fetch_locked(db, mem_ctx, key);
+			if (rec == NULL) {
+				/* Someone might have deleted it */
+				continue;
+			}
+
+			if (rec->value.dptr == NULL) {
+				TALLOC_FREE(rec);
+				continue;
+			}
+
+			count += 1;
+
+			if (fn(rec, private_data) != 0) {
+				TALLOC_FREE(mem_ctx);
+				closedir(dir);
+				return count;
+			}
+			TALLOC_FREE(rec);
+		}
+
+		closedir(dir);
+	}
+
+	TALLOC_FREE(mem_ctx);
+	return count;
+}
+
+struct db_context *db_open_file(TALLOC_CTX *mem_ctx,
+				struct messaging_context *msg_ctx,
+				const char *name,
+				int hash_size, int tdb_flags,
+				int open_flags, mode_t mode)
+{
+	struct db_context *result = NULL;
+	struct db_file_ctx *ctx;
+
+	if (!(result = TALLOC_ZERO_P(mem_ctx, struct db_context))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	if (!(ctx = TALLOC_P(result, struct db_file_ctx))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->private_data = ctx;
+	result->fetch_locked = db_file_fetch_locked;
+	result->traverse = db_file_traverse;
+	result->traverse_read = db_file_traverse;
+	result->persistent = ((tdb_flags & TDB_CLEAR_IF_FIRST) == 0);
+
+	ctx->locked_record = NULL;
+	if (!(ctx->dirname = talloc_strdup(ctx, name))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (open_flags & O_CREAT) {
+		int ret, i;
+
+		mode |= (mode & S_IRUSR) ? S_IXUSR : 0;
+		mode |= (mode & S_IRGRP) ? S_IXGRP : 0;
+		mode |= (mode & S_IROTH) ? S_IXOTH : 0;
+
+		ret = mkdir(name, mode);
+		if ((ret != 0) && (errno != EEXIST)) {
+			DEBUG(5, ("mkdir(%s,%o) failed: %s\n", name, mode,
+				  strerror(errno)));
+			TALLOC_FREE(result);
+			return NULL;
+		}
+
+		for (i=0; i<256; i++) {
+			char *path;
+			path = talloc_asprintf(result, "%s/%2.2X", name, i);
+			if (path == NULL) {
+				DEBUG(0, ("asprintf failed\n"));
+				TALLOC_FREE(result);
+				return NULL;
+			}
+			ret = mkdir(path, mode);
+			if ((ret != 0) && (errno != EEXIST)) {
+				DEBUG(5, ("mkdir(%s,%o) failed: %s\n", path,
+					  mode, strerror(errno)));
+				TALLOC_FREE(result);
+				return NULL;
+			}
+			TALLOC_FREE(path);
+		}
+	}
+
+	return result;
+}
diff --git a/source3/lib/dbwrap_rbt.c b/source3/lib/dbwrap_rbt.c
new file mode 100644
index 0000000000..b70ce3dfa0
--- /dev/null
+++ b/source3/lib/dbwrap_rbt.c
@@ -0,0 +1,390 @@
+/*
+   Unix SMB/CIFS implementation.
+   Database interface wrapper around red-black trees
+   Copyright (C) Volker Lendecke 2007, 2008
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rbtree.h"
+
+#define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15)
+
+struct db_rbt_ctx {
+	struct rb_root tree;
+};
+
+struct db_rbt_rec {
+	struct db_rbt_ctx *db_ctx;
+	struct db_rbt_node *node;
+};
+
+/* The structure that ends up in the tree */
+
+struct db_rbt_node {
+	struct rb_node rb_node;
+	size_t keysize, valuesize;
+
+	/*
+	 * key and value are appended implicitly, "data" is only here as a
+	 * target for offsetof()
+	 */
+
+	char data[1];
+};
+
+/*
+ * Hide the ugly pointer calculations in a function
+ */
+
+static struct db_rbt_node *db_rbt2node(struct rb_node *node)
+{
+	return (struct db_rbt_node *)
+		((char *)node - offsetof(struct db_rbt_node, rb_node));
+}
+
+/*
+ * Compare two keys
+ */
+
+static int db_rbt_compare(TDB_DATA a, TDB_DATA b)
+{
+	int res;
+
+	res = memcmp(a.dptr, b.dptr, MIN(a.dsize, b.dsize));
+
+	if ((res < 0) || ((res == 0) && (a.dsize < b.dsize))) {
+		return -1;
+	}
+	if ((res > 0) || ((res == 0) && (a.dsize > b.dsize))) {
+		return 1;
+	}
+	return 0;
+}
+
+/*
+ * dissect a db_rbt_node into its implicit key and value parts
+ */
+
+static void db_rbt_parse_node(struct db_rbt_node *node,
+			      TDB_DATA *key, TDB_DATA *value)
+{
+	key->dptr = ((uint8 *)node) + offsetof(struct db_rbt_node, data);
+	key->dsize = node->keysize;
+	value->dptr = key->dptr + node->keysize;
+	value->dsize = node->valuesize;
+}
+
+static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
+{
+	struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
+	struct db_rbt_node *node;
+
+	struct rb_node ** p;
+	struct rb_node * parent;
+
+	TDB_DATA this_key, this_val;
+
+	if (rec_priv->node != NULL) {
+
+		/*
+		 * The record was around previously
+		 */
+
+		db_rbt_parse_node(rec_priv->node, &this_key, &this_val);
+
+		SMB_ASSERT(this_key.dsize == rec->key.dsize);
+		SMB_ASSERT(memcmp(this_key.dptr, rec->key.dptr,
+				  this_key.dsize) == 0);
+
+		if (this_val.dsize >= data.dsize) {
+			/*
+			 * The new value fits into the old space
+			 */
+			memcpy(this_val.dptr, data.dptr, data.dsize);
+			rec_priv->node->valuesize = data.dsize;
+			return NT_STATUS_OK;
+		}
+
+		/*
+		 * We need to delete the key from the tree and start fresh,
+		 * there's not enough space in the existing record
+		 */
+
+		rb_erase(&rec_priv->node->rb_node, &rec_priv->db_ctx->tree);
+
+		/*
+		 * Keep the existing node around for a while: If the record
+		 * existed before, we reference the key data in there.
+		 */
+	}
+
+	node = (struct db_rbt_node *)SMB_MALLOC(
+		offsetof(struct db_rbt_node, data) + rec->key.dsize
+		+ data.dsize);
+
+	if (node == NULL) {
+		SAFE_FREE(rec_priv->node);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ZERO_STRUCT(node->rb_node);
+
+	node->keysize = rec->key.dsize;
+	node->valuesize = data.dsize;
+
+	db_rbt_parse_node(node, &this_key, &this_val);
+
+	memcpy(this_key.dptr, rec->key.dptr, node->keysize);
+	SAFE_FREE(rec_priv->node);
+
+	memcpy(this_val.dptr, data.dptr, node->valuesize);
+
+	parent = NULL;
+	p = &rec_priv->db_ctx->tree.rb_node;
+
+	while (*p) {
+		struct db_rbt_node *r;
+		TDB_DATA search_key, search_val;
+		int res;
+
+		parent = (*p);
+
+		r = db_rbt2node(*p);
+
+		db_rbt_parse_node(r, &search_key, &search_val);
+
+		res = db_rbt_compare(this_key, search_key);
+
+		if (res == -1) {
+			p = &(*p)->rb_left;
+		}
+		else if (res == 1) {
+			p = &(*p)->rb_right;
+		}
+		else {
+			smb_panic("someone messed with the tree");
+		}
+	}
+
+	rb_link_node(&node->rb_node, parent, p);
+	rb_insert_color(&node->rb_node, &rec_priv->db_ctx->tree);
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS db_rbt_delete(struct db_record *rec)
+{
+	struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
+
+	if (rec_priv->node == NULL) {
+		return NT_STATUS_OK;
+	}
+
+	rb_erase(&rec_priv->node->rb_node, &rec_priv->db_ctx->tree);
+	SAFE_FREE(rec_priv->node);
+
+	return NT_STATUS_OK;
+}
+
+static struct db_record *db_rbt_fetch_locked(struct db_context *db_ctx,
+					     TALLOC_CTX *mem_ctx,
+					     TDB_DATA key)
+{
+	struct db_rbt_ctx *ctx = talloc_get_type_abort(
+		db_ctx->private_data, struct db_rbt_ctx);
+
+	struct db_rbt_rec *rec_priv;
+	struct db_record *result;
+	struct rb_node *n;
+	size_t size;
+	bool found = false;
+	struct db_rbt_node *r = NULL;
+	TDB_DATA search_key = tdb_null, search_val = tdb_null;
+
+	n = ctx->tree.rb_node;
+
+	while (n != NULL) {
+		int res;
+
+		r = db_rbt2node(n);
+
+		db_rbt_parse_node(r, &search_key, &search_val);
+
+		res = db_rbt_compare(key, search_key);
+
+		if (res == -1) {
+			n = n->rb_left;
+		}
+		else if (res == 1) {
+			n = n->rb_right;
+		}
+		else {
+			found = true;
+			break;
+		}
+	}
+
+	/*
+	 * In this low-level routine, play tricks to reduce the number of
+	 * tallocs to one. Not recommened for general use, but here it pays
+	 * off.
+	 */
+
+	size = DBWRAP_RBT_ALIGN(sizeof(struct db_record))
+		+ sizeof(struct db_rbt_rec);
+
+	if (!found) {
+		/*
+		 * We need to keep the key around for later store
+		 */
+		size += key.dsize;
+	}
+
+	result = (struct db_record *)talloc_size(mem_ctx, size);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	rec_priv = (struct db_rbt_rec *)
+		((char *)result + DBWRAP_RBT_ALIGN(sizeof(struct db_record)));
+	rec_priv->db_ctx = ctx;
+
+	result->store = db_rbt_store;
+	result->delete_rec = db_rbt_delete;
+	result->private_data = rec_priv;
+
+	if (found) {
+		rec_priv->node = r;
+		result->key = search_key;
+		result->value = search_val;
+	}
+	else {
+		rec_priv->node = NULL;
+		result->key.dptr = (uint8 *)
+			((char *)rec_priv + sizeof(*rec_priv));
+		result->key.dsize = key.dsize;
+		memcpy(result->key.dptr, key.dptr, key.dsize);
+
+		result->value = tdb_null;
+	}
+
+	return result;
+}
+
+static int db_rbt_fetch(struct db_context *db, TALLOC_CTX *mem_ctx,
+			TDB_DATA key, TDB_DATA *data)
+{
+	struct db_rbt_ctx *ctx = talloc_get_type_abort(
+		db->private_data, struct db_rbt_ctx);
+
+	struct rb_node *n;
+	bool found = false;
+	struct db_rbt_node *r = NULL;
+	TDB_DATA search_key, search_val;
+	uint8_t *result;
+
+	n = ctx->tree.rb_node;
+
+	while (n != NULL) {
+		int res;
+
+		r = db_rbt2node(n);
+
+		db_rbt_parse_node(r, &search_key, &search_val);
+
+		res = db_rbt_compare(key, search_key);
+
+		if (res == -1) {
+			n = n->rb_left;
+		}
+		else if (res == 1) {
+			n = n->rb_right;
+		}
+		else {
+			found = true;
+			break;
+		}
+	}
+
+	if (!found) {
+		*data = tdb_null;
+		return 0;
+	}
+
+	result = (uint8 *)talloc_memdup(mem_ctx, search_val.dptr,
+					search_val.dsize);
+	if (result == NULL) {
+		return -1;
+	}
+
+	data->dptr = result;
+	data->dsize = search_val.dsize;
+	return 0;
+}
+
+
+static int db_rbt_traverse(struct db_context *db,
+			   int (*f)(struct db_record *db,
+				    void *private_data),
+			   void *private_data)
+{
+	/*
+	 * Nobody uses this so far, and unused code is broken code :-)
+	 */
+	return -1;
+}
+
+static int db_rbt_get_seqnum(struct db_context *db)
+{
+	return 0;
+}
+
+static int db_rbt_trans_dummy(struct db_context *db)
+{
+	/*
+	 * Transactions are pretty pointless in-memory, just return success.
+	 */
+	return 0;
+}
+
+struct db_context *db_open_rbt(TALLOC_CTX *mem_ctx)
+{
+	struct db_context *result;
+
+	result = talloc(mem_ctx, struct db_context);
+
+	if (result == NULL) {
+		return NULL;
+	}
+
+	result->private_data = TALLOC_ZERO_P(result, struct db_rbt_ctx);
+
+	if (result->private_data == NULL) {
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->fetch_locked = db_rbt_fetch_locked;
+	result->fetch = db_rbt_fetch;
+	result->traverse = db_rbt_traverse;
+	result->traverse_read = db_rbt_traverse;
+	result->get_seqnum = db_rbt_get_seqnum;
+	result->transaction_start = db_rbt_trans_dummy;
+	result->transaction_commit = db_rbt_trans_dummy;
+	result->transaction_cancel = db_rbt_trans_dummy;
+
+	return result;
+}
diff --git a/source3/lib/dbwrap_tdb.c b/source3/lib/dbwrap_tdb.c
new file mode 100644
index 0000000000..7bdadd3770
--- /dev/null
+++ b/source3/lib/dbwrap_tdb.c
@@ -0,0 +1,358 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Database interface wrapper around tdb
+   Copyright (C) Volker Lendecke 2005-2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+struct db_tdb_ctx {
+	struct tdb_wrap *wtdb;
+};
+
+static NTSTATUS db_tdb_store(struct db_record *rec, TDB_DATA data, int flag);
+static NTSTATUS db_tdb_delete(struct db_record *rec);
+
+static int db_tdb_record_destr(struct db_record* data)
+{
+	struct db_tdb_ctx *ctx =
+		talloc_get_type_abort(data->private_data, struct db_tdb_ctx);
+
+	/* This hex_encode() call allocates memory on data context. By way how current 
+	   __talloc_free() code works, it is OK to allocate in the destructor as 
+	   the children of data will be freed after call to the destructor and this 
+	   new 'child' will be caught and freed correctly.
+	 */
+	DEBUG(10, (DEBUGLEVEL > 10
+		   ? "Unlocking key %s\n" : "Unlocking key %.20s\n",
+		   hex_encode(data, (unsigned char *)data->key.dptr,
+			      data->key.dsize)));
+
+	if (tdb_chainunlock(ctx->wtdb->tdb, data->key) != 0) {
+		DEBUG(0, ("tdb_chainunlock failed\n"));
+		return -1;
+	}
+	return 0;
+}
+
+struct tdb_fetch_locked_state {
+	TALLOC_CTX *mem_ctx;
+	struct db_record *result;
+};
+
+static int db_tdb_fetchlock_parse(TDB_DATA key, TDB_DATA data,
+				  void *private_data)
+{
+	struct tdb_fetch_locked_state *state =
+		(struct tdb_fetch_locked_state *)private_data;
+
+	state->result = (struct db_record *)talloc_size(
+		state->mem_ctx,
+		sizeof(struct db_record) + key.dsize + data.dsize);
+
+	if (state->result == NULL) {
+		return 0;
+	}
+
+	state->result->key.dsize = key.dsize;
+	state->result->key.dptr = ((uint8 *)state->result)
+		+ sizeof(struct db_record);
+	memcpy(state->result->key.dptr, key.dptr, key.dsize);
+
+	state->result->value.dsize = data.dsize;
+
+	if (data.dsize > 0) {
+		state->result->value.dptr = state->result->key.dptr+key.dsize;
+		memcpy(state->result->value.dptr, data.dptr, data.dsize);
+	}
+	else {
+		state->result->value.dptr = NULL;
+	}
+
+	return 0;
+}
+
+static struct db_record *db_tdb_fetch_locked(struct db_context *db,
+				     TALLOC_CTX *mem_ctx, TDB_DATA key)
+{
+	struct db_tdb_ctx *ctx = talloc_get_type_abort(db->private_data,
+						       struct db_tdb_ctx);
+	struct tdb_fetch_locked_state state;
+
+	/* Do not accidently allocate/deallocate w/o need when debug level is lower than needed */
+	if(DEBUGLEVEL >= 10) {
+		char *keystr = hex_encode(NULL, (unsigned char*)key.dptr, key.dsize);
+		DEBUG(10, (DEBUGLEVEL > 10
+			   ? "Locking key %s\n" : "Locking key %.20s\n",
+			   keystr));
+		TALLOC_FREE(keystr);
+	}
+
+	if (tdb_chainlock(ctx->wtdb->tdb, key) != 0) {
+		DEBUG(3, ("tdb_chainlock failed\n"));
+		return NULL;
+	}
+
+	state.mem_ctx = mem_ctx;
+	state.result = NULL;
+
+	tdb_parse_record(ctx->wtdb->tdb, key, db_tdb_fetchlock_parse, &state);
+
+	if (state.result == NULL) {
+		db_tdb_fetchlock_parse(key, tdb_null, &state);
+	}
+
+	if (state.result == NULL) {
+		tdb_chainunlock(ctx->wtdb->tdb, key);
+		return NULL;
+	}
+
+	talloc_set_destructor(state.result, db_tdb_record_destr);
+
+	state.result->private_data = talloc_reference(state.result, ctx);
+	state.result->store = db_tdb_store;
+	state.result->delete_rec = db_tdb_delete;
+
+	DEBUG(10, ("Allocated locked data 0x%p\n", state.result));
+
+	return state.result;
+}
+
+struct tdb_fetch_state {
+	TALLOC_CTX *mem_ctx;
+	int result;
+	TDB_DATA data;
+};
+
+static int db_tdb_fetch_parse(TDB_DATA key, TDB_DATA data,
+			      void *private_data)
+{
+	struct tdb_fetch_state *state =
+		(struct tdb_fetch_state *)private_data;
+
+	state->data.dptr = (uint8 *)talloc_memdup(state->mem_ctx, data.dptr,
+						  data.dsize);
+	if (state->data.dptr == NULL) {
+		state->result = -1;
+		return 0;
+	}
+
+	state->data.dsize = data.dsize;
+	return 0;
+}
+
+static int db_tdb_fetch(struct db_context *db, TALLOC_CTX *mem_ctx,
+			TDB_DATA key, TDB_DATA *pdata)
+{
+	struct db_tdb_ctx *ctx = talloc_get_type_abort(
+		db->private_data, struct db_tdb_ctx);
+
+	struct tdb_fetch_state state;
+
+	state.mem_ctx = mem_ctx;
+	state.result = 0;
+	state.data = tdb_null;
+
+	tdb_parse_record(ctx->wtdb->tdb, key, db_tdb_fetch_parse, &state);
+
+	if (state.result == -1) {
+		return -1;
+	}
+
+	*pdata = state.data;
+	return 0;
+}
+
+static NTSTATUS db_tdb_store(struct db_record *rec, TDB_DATA data, int flag)
+{
+	struct db_tdb_ctx *ctx = talloc_get_type_abort(rec->private_data,
+						       struct db_tdb_ctx);
+
+	/*
+	 * This has a bug: We need to replace rec->value for correct
+	 * operation, but right now brlock and locking don't use the value
+	 * anymore after it was stored.
+	 */
+
+	return (tdb_store(ctx->wtdb->tdb, rec->key, data, flag) == 0) ?
+		NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
+}
+
+static NTSTATUS db_tdb_delete(struct db_record *rec)
+{
+	struct db_tdb_ctx *ctx = talloc_get_type_abort(rec->private_data,
+						       struct db_tdb_ctx);
+
+	if (tdb_delete(ctx->wtdb->tdb, rec->key) == 0) {
+		return NT_STATUS_OK;
+	}
+
+	if (tdb_error(ctx->wtdb->tdb) == TDB_ERR_NOEXIST) {
+		return NT_STATUS_NOT_FOUND;
+	}
+
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+struct db_tdb_traverse_ctx {
+	struct db_context *db;
+	int (*f)(struct db_record *rec, void *private_data);
+	void *private_data;
+};
+
+static int db_tdb_traverse_func(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+				void *private_data)
+{
+	struct db_tdb_traverse_ctx *ctx =
+		(struct db_tdb_traverse_ctx *)private_data;
+	struct db_record rec;
+
+	rec.key = kbuf;
+	rec.value = dbuf;
+	rec.store = db_tdb_store;
+	rec.delete_rec = db_tdb_delete;
+	rec.private_data = ctx->db->private_data;
+
+	return ctx->f(&rec, ctx->private_data);
+}
+
+static int db_tdb_traverse(struct db_context *db,
+			   int (*f)(struct db_record *rec, void *private_data),
+			   void *private_data)
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	struct db_tdb_traverse_ctx ctx;
+
+	ctx.db = db;
+	ctx.f = f;
+	ctx.private_data = private_data;
+	return tdb_traverse(db_ctx->wtdb->tdb, db_tdb_traverse_func, &ctx);
+}
+
+static NTSTATUS db_tdb_store_deny(struct db_record *rec, TDB_DATA data, int flag)
+{
+	return NT_STATUS_MEDIA_WRITE_PROTECTED;
+}
+
+static NTSTATUS db_tdb_delete_deny(struct db_record *rec)
+{
+	return NT_STATUS_MEDIA_WRITE_PROTECTED;
+}
+
+static int db_tdb_traverse_read_func(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf,
+				void *private_data)
+{
+	struct db_tdb_traverse_ctx *ctx =
+		(struct db_tdb_traverse_ctx *)private_data;
+	struct db_record rec;
+
+	rec.key = kbuf;
+	rec.value = dbuf;
+	rec.store = db_tdb_store_deny;
+	rec.delete_rec = db_tdb_delete_deny;
+	rec.private_data = ctx->db->private_data;
+
+	return ctx->f(&rec, ctx->private_data);
+}
+
+static int db_tdb_traverse_read(struct db_context *db,
+			   int (*f)(struct db_record *rec, void *private_data),
+			   void *private_data)
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	struct db_tdb_traverse_ctx ctx;
+
+	ctx.db = db;
+	ctx.f = f;
+	ctx.private_data = private_data;
+	return tdb_traverse_read(db_ctx->wtdb->tdb, db_tdb_traverse_read_func, &ctx);
+}
+
+static int db_tdb_get_seqnum(struct db_context *db)
+
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	return tdb_get_seqnum(db_ctx->wtdb->tdb);
+}
+
+static int db_tdb_transaction_start(struct db_context *db)
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	return tdb_transaction_start(db_ctx->wtdb->tdb);
+}
+
+static int db_tdb_transaction_commit(struct db_context *db)
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	return tdb_transaction_commit(db_ctx->wtdb->tdb);
+}
+
+static int db_tdb_transaction_cancel(struct db_context *db)
+{
+	struct db_tdb_ctx *db_ctx =
+		talloc_get_type_abort(db->private_data, struct db_tdb_ctx);
+	return tdb_transaction_cancel(db_ctx->wtdb->tdb);
+}
+
+struct db_context *db_open_tdb(TALLOC_CTX *mem_ctx,
+			       const char *name,
+			       int hash_size, int tdb_flags,
+			       int open_flags, mode_t mode)
+{
+	struct db_context *result = NULL;
+	struct db_tdb_ctx *db_tdb;
+
+	result = TALLOC_ZERO_P(mem_ctx, struct db_context);
+	if (result == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		goto fail;
+	}
+
+	result->private_data = db_tdb = TALLOC_P(result, struct db_tdb_ctx);
+	if (db_tdb == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		goto fail;
+	}
+
+	db_tdb->wtdb = tdb_wrap_open(db_tdb, name, hash_size, tdb_flags,
+				     open_flags, mode);
+	if (db_tdb->wtdb == NULL) {
+		DEBUG(3, ("Could not open tdb: %s\n", strerror(errno)));
+		goto fail;
+	}
+
+	result->fetch_locked = db_tdb_fetch_locked;
+	result->fetch = db_tdb_fetch;
+	result->traverse = db_tdb_traverse;
+	result->traverse_read = db_tdb_traverse_read;
+	result->get_seqnum = db_tdb_get_seqnum;
+	result->persistent = ((tdb_flags & TDB_CLEAR_IF_FIRST) == 0);
+	result->transaction_start = db_tdb_transaction_start;
+	result->transaction_commit = db_tdb_transaction_commit;
+	result->transaction_cancel = db_tdb_transaction_cancel;
+	return result;
+
+ fail:
+	if (result != NULL) {
+		TALLOC_FREE(result);
+	}
+	return NULL;
+}
diff --git a/source3/lib/dbwrap_util.c b/source3/lib/dbwrap_util.c
new file mode 100644
index 0000000000..ddc613150b
--- /dev/null
+++ b/source3/lib/dbwrap_util.c
@@ -0,0 +1,309 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Utility functions for the dbwrap API
+   Copyright (C) Volker Lendecke 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+int32_t dbwrap_fetch_int32(struct db_context *db, const char *keystr)
+{
+	TDB_DATA dbuf;
+	int32 ret;
+
+	if (db->fetch(db, NULL, string_term_tdb_data(keystr), &dbuf) != 0) {
+		return -1;
+	}
+
+	if ((dbuf.dptr == NULL) || (dbuf.dsize != sizeof(int32_t))) {
+		TALLOC_FREE(dbuf.dptr);
+		return -1;
+	}
+
+	ret = IVAL(dbuf.dptr, 0);
+	TALLOC_FREE(dbuf.dptr);
+	return ret;
+}
+
+int dbwrap_store_int32(struct db_context *db, const char *keystr, int32_t v)
+{
+	struct db_record *rec;
+	int32 v_store;
+	NTSTATUS status;
+
+	rec = db->fetch_locked(db, NULL, string_term_tdb_data(keystr));
+	if (rec == NULL) {
+		return -1;
+	}
+
+	SIVAL(&v_store, 0, v);
+
+	status = rec->store(rec, make_tdb_data((const uint8 *)&v_store,
+					       sizeof(v_store)),
+			    TDB_REPLACE);
+	TALLOC_FREE(rec);
+	return NT_STATUS_IS_OK(status) ? 0 : -1;
+}
+
+bool dbwrap_fetch_uint32(struct db_context *db, const char *keystr,
+			 uint32_t *val)
+{
+	TDB_DATA dbuf;
+
+	if (db->fetch(db, NULL, string_term_tdb_data(keystr), &dbuf) != 0) {
+		return false;
+	}
+
+	if ((dbuf.dptr == NULL) || (dbuf.dsize != sizeof(uint32_t))) {
+		TALLOC_FREE(dbuf.dptr);
+		return false;
+	}
+
+	*val = IVAL(dbuf.dptr, 0);
+	TALLOC_FREE(dbuf.dptr);
+	return true;
+}
+
+bool dbwrap_store_uint32(struct db_context *db, const char *keystr, uint32_t v)
+{
+	struct db_record *rec;
+	uint32 v_store;
+	NTSTATUS status;
+
+	rec = db->fetch_locked(db, NULL, string_term_tdb_data(keystr));
+	if (rec == NULL) {
+		return false;
+	}
+
+	SIVAL(&v_store, 0, v);
+
+	status = rec->store(rec, make_tdb_data((const uint8 *)&v_store,
+					       sizeof(v_store)),
+			    TDB_REPLACE);
+	TALLOC_FREE(rec);
+	return NT_STATUS_IS_OK(status) ? 0 : -1;
+}
+
+/**
+ * Atomic unsigned integer change (addition):
+ *
+ * if value does not exist yet in the db, use *oldval as initial old value.
+ * return old value in *oldval.
+ * store *oldval + change_val to db.
+ */
+uint32_t dbwrap_change_uint32_atomic(struct db_context *db, const char *keystr,
+				     uint32_t *oldval, uint32_t change_val)
+{
+	struct db_record *rec;
+	uint32 val = -1;
+	TDB_DATA data;
+
+	if (!(rec = db->fetch_locked(db, NULL,
+				     string_term_tdb_data(keystr)))) {
+		return -1;
+	}
+
+	if (rec->value.dptr == NULL) {
+		val = *oldval;
+	} else if (rec->value.dsize == sizeof(val)) {
+		val = IVAL(rec->value.dptr, 0);
+		*oldval = val;
+	} else {
+		return -1;
+	}
+
+	val += change_val;
+
+	data.dsize = sizeof(val);
+	data.dptr = (uint8 *)&val;
+
+	rec->store(rec, data, TDB_REPLACE);
+
+	TALLOC_FREE(rec);
+
+	return 0;
+}
+
+/**
+ * Atomic integer change (addition):
+ *
+ * if value does not exist yet in the db, use *oldval as initial old value.
+ * return old value in *oldval.
+ * store *oldval + change_val to db.
+ */
+int32 dbwrap_change_int32_atomic(struct db_context *db, const char *keystr,
+				 int32 *oldval, int32 change_val)
+{
+	struct db_record *rec;
+	int32 val = -1;
+	TDB_DATA data;
+
+	if (!(rec = db->fetch_locked(db, NULL,
+				     string_term_tdb_data(keystr)))) {
+		return -1;
+	}
+
+	if (rec->value.dptr == NULL) {
+		val = *oldval;
+	} else if (rec->value.dsize == sizeof(val)) {
+		val = IVAL(rec->value.dptr, 0);
+		*oldval = val;
+	} else {
+		return -1;
+	}
+
+	val += change_val;
+
+	data.dsize = sizeof(val);
+	data.dptr = (uint8 *)&val;
+
+	rec->store(rec, data, TDB_REPLACE);
+
+	TALLOC_FREE(rec);
+
+	return 0;
+}
+
+NTSTATUS dbwrap_trans_store(struct db_context *db, TDB_DATA key, TDB_DATA dbuf,
+			    int flag)
+{
+	int res;
+	struct db_record *rec = NULL;
+	NTSTATUS status;
+
+	res = db->transaction_start(db);
+	if (res != 0) {
+		DEBUG(5, ("transaction_start failed\n"));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	rec = db->fetch_locked(db, talloc_tos(), key);
+	if (rec == NULL) {
+		DEBUG(5, ("fetch_locked failed\n"));
+		status = NT_STATUS_NO_MEMORY;
+		goto cancel;
+	}
+
+	status = rec->store(rec, dbuf, flag);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("store returned %s\n", nt_errstr(status)));
+		goto cancel;
+	}
+
+	TALLOC_FREE(rec);
+
+	res = db->transaction_commit(db);
+	if (res != 0) {
+		DEBUG(5, ("tdb_transaction_commit failed\n"));
+		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+		TALLOC_FREE(rec);
+		return status;
+	}
+
+	return NT_STATUS_OK;
+
+ cancel:
+	TALLOC_FREE(rec);
+
+	if (db->transaction_cancel(db) != 0) {
+		smb_panic("Cancelling transaction failed");
+	}
+	return status;
+}
+
+NTSTATUS dbwrap_trans_delete(struct db_context *db, TDB_DATA key)
+{
+	int res;
+	struct db_record *rec = NULL;
+	NTSTATUS status;
+
+	res = db->transaction_start(db);
+	if (res != 0) {
+		DEBUG(5, ("transaction_start failed\n"));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	rec = db->fetch_locked(db, talloc_tos(), key);
+	if (rec == NULL) {
+		DEBUG(5, ("fetch_locked failed\n"));
+		status = NT_STATUS_NO_MEMORY;
+		goto cancel;
+	}
+
+	status = rec->delete_rec(rec);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5, ("delete_rec returned %s\n", nt_errstr(status)));
+		goto cancel;
+	}
+
+	TALLOC_FREE(rec);
+
+	res = db->transaction_commit(db);
+	if (res != 0) {
+		DEBUG(5, ("tdb_transaction_commit failed\n"));
+		status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+		TALLOC_FREE(rec);
+		return status;		
+	}
+
+	return NT_STATUS_OK;
+
+ cancel:
+	TALLOC_FREE(rec);
+
+	if (db->transaction_cancel(db) != 0) {
+		smb_panic("Cancelling transaction failed");
+	}
+	return status;
+}
+
+NTSTATUS dbwrap_trans_store_int32(struct db_context *db, const char *keystr,
+				  int32_t v)
+{
+	int32 v_store;
+
+	SIVAL(&v_store, 0, v);
+
+	return dbwrap_trans_store(db, string_term_tdb_data(keystr),
+				  make_tdb_data((const uint8 *)&v_store,
+						sizeof(v_store)),
+				  TDB_REPLACE);
+}
+
+NTSTATUS dbwrap_trans_store_uint32(struct db_context *db, const char *keystr,
+				   uint32_t v)
+{
+	uint32 v_store;
+
+	SIVAL(&v_store, 0, v);
+
+	return dbwrap_trans_store(db, string_term_tdb_data(keystr),
+				  make_tdb_data((const uint8 *)&v_store,
+						sizeof(v_store)),
+				  TDB_REPLACE);
+}
+
+NTSTATUS dbwrap_trans_store_bystring(struct db_context *db, const char *key,
+				     TDB_DATA data, int flags)
+{
+	return dbwrap_trans_store(db, string_term_tdb_data(key), data, flags);
+}
+
+NTSTATUS dbwrap_trans_delete_bystring(struct db_context *db, const char *key)
+{
+	return dbwrap_trans_delete(db, string_term_tdb_data(key));
+}
diff --git a/source3/lib/debug.c b/source3/lib/debug.c
new file mode 100644
index 0000000000..d835ea7c17
--- /dev/null
+++ b/source3/lib/debug.c
@@ -0,0 +1,1100 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Elrond               2002
+   Copyright (C) Simo Sorce           2002
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* -------------------------------------------------------------------------- **
+ * Defines...
+ *
+ *  FORMAT_BUFR_MAX - Index of the last byte of the format buffer;
+ *                    format_bufr[FORMAT_BUFR_MAX] should always be reserved
+ *                    for a terminating null byte.
+ */
+
+#define FORMAT_BUFR_SIZE 1024
+#define FORMAT_BUFR_MAX (FORMAT_BUFR_SIZE - 1)
+
+/* -------------------------------------------------------------------------- **
+ * This module implements Samba's debugging utility.
+ *
+ * The syntax of a debugging log file is represented as:
+ *
+ *  <debugfile> :== { <debugmsg> }
+ *
+ *  <debugmsg>  :== <debughdr> '\n' <debugtext>
+ *
+ *  <debughdr>  :== '[' TIME ',' LEVEL ']' [ [FILENAME ':'] [FUNCTION '()'] ]
+ *
+ *  <debugtext> :== { <debugline> }
+ *
+ *  <debugline> :== TEXT '\n'
+ *
+ * TEXT     is a string of characters excluding the newline character.
+ * LEVEL    is the DEBUG level of the message (an integer in the range 0..10).
+ * TIME     is a timestamp.
+ * FILENAME is the name of the file from which the debug message was generated.
+ * FUNCTION is the function from which the debug message was generated.
+ *
+ * Basically, what that all means is:
+ *
+ * - A debugging log file is made up of debug messages.
+ *
+ * - Each debug message is made up of a header and text.  The header is
+ *   separated from the text by a newline.
+ *
+ * - The header begins with the timestamp and debug level of the message
+ *   enclosed in brackets.  The filename and function from which the
+ *   message was generated may follow.  The filename is terminated by a
+ *   colon, and the function name is terminated by parenthesis.
+ *
+ * - The message text is made up of zero or more lines, each terminated by
+ *   a newline.
+ */
+
+/* -------------------------------------------------------------------------- **
+ * External variables.
+ *
+ *  dbf           - Global debug file handle.
+ *  debugf        - Debug file name.
+ *  DEBUGLEVEL    - System-wide debug message limit.  Messages with message-
+ *                  levels higher than DEBUGLEVEL will not be processed.
+ */
+
+XFILE   *dbf        = NULL;
+static char *debugf = NULL;
+bool    debug_warn_unknown_class = True;
+bool    debug_auto_add_unknown_class = True;
+bool    AllowDebugChange = True;
+
+/*
+   used to check if the user specified a
+   logfile on the command line
+*/
+bool    override_logfile;
+
+static TALLOC_CTX *tmp_debug_ctx;
+
+/*
+ * This is to allow assignment to DEBUGLEVEL before the debug
+ * system has been initialized.
+ */
+static int debug_all_class_hack = 1;
+static bool debug_all_class_isset_hack = True;
+
+static int debug_num_classes = 0;
+int     *DEBUGLEVEL_CLASS = &debug_all_class_hack;
+bool    *DEBUGLEVEL_CLASS_ISSET = &debug_all_class_isset_hack;
+
+/* DEBUGLEVEL is #defined to *debug_level */
+int     DEBUGLEVEL = &debug_all_class_hack;
+
+
+/* -------------------------------------------------------------------------- **
+ * Internal variables.
+ *
+ *  stdout_logging  - Default False, if set to True then dbf will be set to
+ *                    stdout and debug output will go to dbf only, and not
+ *                    to syslog.  Set in setup_logging() and read in Debug1().
+ *
+ *  debug_count     - Number of debug messages that have been output.
+ *                    Used to check log size.
+ *
+ *  syslog_level    - Internal copy of the message debug level.  Written by
+ *                    dbghdr() and read by Debug1().
+ *
+ *  format_bufr     - Used to format debug messages.  The dbgtext() function
+ *                    prints debug messages to a string, and then passes the
+ *                    string to format_debug_text(), which uses format_bufr
+ *                    to build the formatted output.
+ *
+ *  format_pos      - Marks the first free byte of the format_bufr.
+ * 
+ *
+ *  log_overflow    - When this variable is True, never attempt to check the
+ *                    size of the log. This is a hack, so that we can write
+ *                    a message using DEBUG, from open_logs() when we
+ *                    are unable to open a new log file for some reason.
+ */
+
+static bool    stdout_logging = False;
+static int     debug_count    = 0;
+#ifdef WITH_SYSLOG
+static int     syslog_level   = 0;
+#endif
+static char *format_bufr = NULL;
+static size_t     format_pos     = 0;
+static bool    log_overflow   = False;
+
+/*
+ * Define all the debug class selection names here. Names *MUST NOT* contain 
+ * white space. There must be one name for each DBGC_<class name>, and they 
+ * must be in the table in the order of DBGC_<class name>.. 
+ */
+static const char *default_classname_table[] = {
+	"all",               /* DBGC_ALL; index refs traditional DEBUGLEVEL */
+	"tdb",               /* DBGC_TDB	  */
+	"printdrivers",      /* DBGC_PRINTDRIVERS */
+	"lanman",            /* DBGC_LANMAN       */
+	"smb",               /* DBGC_SMB          */
+	"rpc_parse",         /* DBGC_RPC_PARSE    */
+	"rpc_srv",           /* DBGC_RPC_SRV      */
+	"rpc_cli",           /* DBGC_RPC_CLI      */
+	"passdb",            /* DBGC_PASSDB       */
+	"sam",               /* DBGC_SAM          */
+	"auth",              /* DBGC_AUTH         */
+	"winbind",           /* DBGC_WINBIND      */
+	"vfs",		     /* DBGC_VFS	  */
+	"idmap",	     /* DBGC_IDMAP	  */
+	"quota",	     /* DBGC_QUOTA	  */
+	"acls",		     /* DBGC_ACLS	  */
+	"locking",	     /* DBGC_LOCKING	  */
+	"msdfs",	     /* DBGC_MSDFS	  */
+	"dmapi",	     /* DBGC_DMAPI	  */
+	"registry",          /* DBGC_REGISTRY     */
+	NULL
+};
+
+static char **classname_table = NULL;
+
+
+/* -------------------------------------------------------------------------- **
+ * Functions...
+ */
+
+/***************************************************************************
+ Free memory pointed to by global pointers.
+****************************************************************************/
+
+static bool initialized;
+
+void gfree_debugsyms(void)
+{
+	int i;
+
+	if ( classname_table ) {
+		for ( i = 0; i < debug_num_classes; i++ ) {
+			SAFE_FREE( classname_table[i] );
+		}
+		SAFE_FREE( classname_table );
+	}
+
+	if ( DEBUGLEVEL_CLASS != &debug_all_class_hack ) {
+		SAFE_FREE( DEBUGLEVEL_CLASS );
+		DEBUGLEVEL_CLASS = &debug_all_class_hack;
+	}
+
+	if ( DEBUGLEVEL_CLASS_ISSET != &debug_all_class_isset_hack ) {
+		SAFE_FREE( DEBUGLEVEL_CLASS_ISSET );
+		DEBUGLEVEL_CLASS_ISSET = &debug_all_class_isset_hack;
+	}
+
+	SAFE_FREE(format_bufr);
+
+	debug_num_classes = 0;
+
+	debug_level = DEBUGLEVEL_CLASS;
+
+	initialized = false;
+}
+
+/****************************************************************************
+utility lists registered debug class names's
+****************************************************************************/
+
+#define MAX_CLASS_NAME_SIZE 1024
+
+static char *debug_list_class_names_and_levels(void)
+{
+	int i, dim;
+	char **list;
+	char *buf = NULL;
+	char *b;
+	bool err = False;
+
+	if (DEBUGLEVEL_CLASS == &debug_all_class_hack) {
+		return NULL;
+	}
+
+	list = SMB_CALLOC_ARRAY(char *, debug_num_classes + 1);
+	if (!list) {
+		return NULL;
+	}
+
+	/* prepare strings */
+	for (i = 0, dim = 0; i < debug_num_classes; i++) {
+		int l = asprintf(&list[i],
+				"%s:%d ",
+				classname_table[i],
+				DEBUGLEVEL_CLASS_ISSET[i]?DEBUGLEVEL_CLASS[i]:DEBUGLEVEL);
+		if (l < 0 || l > MAX_CLASS_NAME_SIZE) {
+			err = True;
+			goto done;
+		}
+		dim += l;
+	}
+
+	/* create single string list - add space for newline */
+	b = buf = (char *)SMB_MALLOC(dim+1);
+	if (!buf) {
+		err = True;
+		goto done;
+	}
+	for (i = 0; i < debug_num_classes; i++) {
+		int l = strlen(list[i]);
+		strncpy(b, list[i], l);
+		b = b + l;
+	}
+	b[-1] = '\n'; /* replace last space with newline */
+	b[0] = '\0';  /* null terminate string */
+
+done:
+	/* free strings list */
+	for (i = 0; i < debug_num_classes; i++) {
+		SAFE_FREE(list[i]);
+	}
+	SAFE_FREE(list);
+
+	if (err) {
+		return NULL;
+	} else {
+		return buf;
+	}
+}
+
+/****************************************************************************
+ Utility access to debug class names's.
+****************************************************************************/
+
+const char *debug_classname_from_index(int ndx)
+{
+	if (ndx < 0 || ndx >= debug_num_classes)
+		return NULL;
+	else
+		return classname_table[ndx];
+}
+
+/****************************************************************************
+ Utility to translate names to debug class index's (internal version).
+****************************************************************************/
+
+static int debug_lookup_classname_int(const char* classname)
+{
+	int i;
+
+	if (!classname) return -1;
+
+	for (i=0; i < debug_num_classes; i++) {
+		if (strcmp(classname, classname_table[i])==0)
+			return i;
+	}
+	return -1;
+}
+
+/****************************************************************************
+ Add a new debug class to the system.
+****************************************************************************/
+
+int debug_add_class(const char *classname)
+{
+	int ndx;
+	void *new_ptr;
+
+	if (!classname)
+		return -1;
+
+	/* check the init has yet been called */
+	debug_init();
+
+	ndx = debug_lookup_classname_int(classname);
+	if (ndx >= 0)
+		return ndx;
+	ndx = debug_num_classes;
+
+	new_ptr = DEBUGLEVEL_CLASS;
+	if (DEBUGLEVEL_CLASS == &debug_all_class_hack) {
+		/* Initial loading... */
+		new_ptr = NULL;
+	}
+	new_ptr = SMB_REALLOC_ARRAY(new_ptr, int, debug_num_classes + 1);
+	if (!new_ptr)
+		return -1;
+	DEBUGLEVEL_CLASS = (int *)new_ptr;
+	DEBUGLEVEL_CLASS[ndx] = 0;
+
+	/* debug_level is the pointer used for the DEBUGLEVEL-thingy */
+	if (ndx==0) {
+		/* Transfer the initial level from debug_all_class_hack */
+		DEBUGLEVEL_CLASS[ndx] = DEBUGLEVEL;
+	}
+	debug_level = DEBUGLEVEL_CLASS;
+
+	new_ptr = DEBUGLEVEL_CLASS_ISSET;
+	if (new_ptr == &debug_all_class_isset_hack) {
+		new_ptr = NULL;
+	}
+	new_ptr = SMB_REALLOC_ARRAY(new_ptr, bool, debug_num_classes + 1);
+	if (!new_ptr)
+		return -1;
+	DEBUGLEVEL_CLASS_ISSET = (bool *)new_ptr;
+	DEBUGLEVEL_CLASS_ISSET[ndx] = False;
+
+	new_ptr = SMB_REALLOC_ARRAY(classname_table, char *, debug_num_classes + 1);
+	if (!new_ptr)
+		return -1;
+	classname_table = (char **)new_ptr;
+
+	classname_table[ndx] = SMB_STRDUP(classname);
+	if (! classname_table[ndx])
+		return -1;
+	
+	debug_num_classes++;
+
+	return ndx;
+}
+
+/****************************************************************************
+ Utility to translate names to debug class index's (public version).
+****************************************************************************/
+
+int debug_lookup_classname(const char *classname)
+{
+	int ndx;
+       
+	if (!classname || !*classname)
+		return -1;
+
+	ndx = debug_lookup_classname_int(classname);
+
+	if (ndx != -1)
+		return ndx;
+
+	if (debug_warn_unknown_class) {
+		DEBUG(0, ("debug_lookup_classname(%s): Unknown class\n",
+			  classname));
+	}
+	if (debug_auto_add_unknown_class) {
+		return debug_add_class(classname);
+	}
+	return -1;
+}
+
+/****************************************************************************
+ Dump the current registered debug levels.
+****************************************************************************/
+
+static void debug_dump_status(int level)
+{
+	int q;
+
+	DEBUG(level, ("INFO: Current debug levels:\n"));
+	for (q = 0; q < debug_num_classes; q++) {
+		DEBUGADD(level, ("  %s: %s/%d\n",
+				 classname_table[q],
+				 (DEBUGLEVEL_CLASS_ISSET[q]
+				  ? "True" : "False"),
+				 DEBUGLEVEL_CLASS[q]));
+	}
+}
+
+/****************************************************************************
+ parse the debug levels from smbcontrol. Example debug level parameter:
+ printdrivers:7
+****************************************************************************/
+
+static bool debug_parse_params(char **params)
+{
+	int   i, ndx;
+	char *class_name;
+	char *class_level;
+
+	if (!params)
+		return False;
+
+	/* Allow DBGC_ALL to be specified w/o requiring its class name e.g."10"  
+	 * v.s. "all:10", this is the traditional way to set DEBUGLEVEL 
+	 */
+	if (isdigit((int)params[0][0])) {
+		DEBUGLEVEL_CLASS[DBGC_ALL] = atoi(params[0]);
+		DEBUGLEVEL_CLASS_ISSET[DBGC_ALL] = True;
+		i = 1; /* start processing at the next params */
+	} else {
+		i = 0; /* DBGC_ALL not specified OR class name was included */
+	}
+
+	/* Fill in new debug class levels */
+	for (; i < debug_num_classes && params[i]; i++) {
+		char *saveptr;
+		if ((class_name = strtok_r(params[i],":", &saveptr)) &&
+			(class_level = strtok_r(NULL, "\0", &saveptr)) &&
+            ((ndx = debug_lookup_classname(class_name)) != -1)) {
+				DEBUGLEVEL_CLASS[ndx] = atoi(class_level);
+				DEBUGLEVEL_CLASS_ISSET[ndx] = True;
+		} else {
+			DEBUG(0,("debug_parse_params: unrecognized debug class name or format [%s]\n", params[i]));
+			return False;
+		}
+	}
+
+	return True;
+}
+
+/****************************************************************************
+ Parse the debug levels from smb.conf. Example debug level string:
+  3 tdb:5 printdrivers:7
+ Note: the 1st param has no "name:" preceeding it.
+****************************************************************************/
+
+bool debug_parse_levels(const char *params_str)
+{
+	char **params;
+
+	/* Just in case */
+	debug_init();
+
+	if (AllowDebugChange == False)
+		return True;
+
+	params = str_list_make(talloc_tos(), params_str, NULL);
+
+	if (debug_parse_params(params)) {
+		debug_dump_status(5);
+		TALLOC_FREE(params);
+		return True;
+	} else {
+		TALLOC_FREE(params);
+		return False;
+	}
+}
+
+/****************************************************************************
+ Receive a "set debug level" message.
+****************************************************************************/
+
+void debug_message(struct messaging_context *msg_ctx,
+			  void *private_data, 
+			  uint32_t msg_type, 
+			  struct server_id src,
+			  DATA_BLOB *data)
+{
+	const char *params_str = (const char *)data->data;
+
+	/* Check, it's a proper string! */
+	if (params_str[(data->length)-1] != '\0') {
+		DEBUG(1, ("Invalid debug message from pid %u to pid %u\n",
+			  (unsigned int)procid_to_pid(&src),
+			  (unsigned int)getpid()));
+		return;
+	}
+
+	DEBUG(3, ("INFO: Remote set of debug to `%s'  (pid %u from pid %u)\n",
+		  params_str, (unsigned int)getpid(),
+		  (unsigned int)procid_to_pid(&src)));
+
+	debug_parse_levels(params_str);
+}
+
+/****************************************************************************
+ Return current debug level.
+****************************************************************************/
+
+static void debuglevel_message(struct messaging_context *msg_ctx,
+			       void *private_data, 
+			       uint32_t msg_type, 
+			       struct server_id src,
+			       DATA_BLOB *data)
+{
+	char *message = debug_list_class_names_and_levels();
+
+	if (!message) {
+		DEBUG(0,("debuglevel_message - debug_list_class_names_and_levels returned NULL\n"));
+		return;
+	}
+
+	DEBUG(1,("INFO: Received REQ_DEBUGLEVEL message from PID %s\n",
+		 procid_str_static(&src)));
+	messaging_send_buf(msg_ctx, src, MSG_DEBUGLEVEL,
+			   (uint8 *)message, strlen(message) + 1);
+
+	SAFE_FREE(message);
+}
+
+/****************************************************************************
+Init debugging (one time stuff)
+****************************************************************************/
+
+void debug_init(void)
+{
+	const char **p;
+
+	if (initialized)
+		return;
+
+	initialized = true;
+
+	for(p = default_classname_table; *p; p++) {
+		debug_add_class(*p);
+	}
+	format_bufr = (char *)SMB_MALLOC(FORMAT_BUFR_SIZE);
+	if (!format_bufr) {
+		smb_panic("debug_init: unable to create buffer");
+	}
+}
+
+void debug_register_msgs(struct messaging_context *msg_ctx)
+{
+	messaging_register(msg_ctx, NULL, MSG_DEBUG, debug_message);
+	messaging_register(msg_ctx, NULL, MSG_REQ_DEBUGLEVEL,
+			   debuglevel_message);
+}
+
+/***************************************************************************
+ Get ready for syslog stuff
+**************************************************************************/
+
+void setup_logging(const char *pname, bool interactive)
+{
+	debug_init();
+
+	/* reset to allow multiple setup calls, going from interactive to
+	   non-interactive */
+	stdout_logging = False;
+	if (dbf) {
+		x_fflush(dbf);
+		(void) x_fclose(dbf);
+	}
+
+	dbf = NULL;
+
+	if (interactive) {
+		stdout_logging = True;
+		dbf = x_stdout;
+		x_setbuf( x_stdout, NULL );
+	}
+#ifdef WITH_SYSLOG
+	else {
+		const char *p = strrchr_m( pname,'/' );
+		if (p)
+			pname = p + 1;
+#ifdef LOG_DAEMON
+		openlog( pname, LOG_PID, SYSLOG_FACILITY );
+#else
+		/* for old systems that have no facility codes. */
+		openlog( pname, LOG_PID );
+#endif
+	}
+#endif
+}
+
+/***************************************************************************
+ Set the logfile name.
+**************************************************************************/
+
+void debug_set_logfile(const char *name)
+{
+	SAFE_FREE(debugf);
+	debugf = SMB_STRDUP(name);
+}
+
+/**************************************************************************
+ reopen the log files
+ note that we now do this unconditionally
+ We attempt to open the new debug fp before closing the old. This means
+ if we run out of fd's we just keep using the old fd rather than aborting.
+ Fix from dgibson@linuxcare.com.
+**************************************************************************/
+
+bool reopen_logs( void )
+{
+	char *fname = NULL;
+	mode_t oldumask;
+	XFILE *new_dbf = NULL;
+	XFILE *old_dbf = NULL;
+	bool ret = True;
+
+	if (stdout_logging)
+		return True;
+
+	oldumask = umask( 022 );
+
+	fname = debugf;
+	if (!fname) {
+		return false;
+	}
+	debugf = NULL;
+
+	if (lp_loaded()) {
+		char *logfname;
+
+		logfname = lp_logfile();
+		if (*logfname) {
+			SAFE_FREE(fname);
+			fname = SMB_STRDUP(logfname);
+			if (!fname) {
+				return false;
+			}
+		}
+	}
+
+	debugf = fname;
+	new_dbf = x_fopen( debugf, O_WRONLY|O_APPEND|O_CREAT, 0644);
+
+	if (!new_dbf) {
+		log_overflow = True;
+		DEBUG(0, ("Unable to open new log file %s: %s\n", debugf, strerror(errno)));
+		log_overflow = False;
+		if (dbf)
+			x_fflush(dbf);
+		ret = False;
+	} else {
+		x_setbuf(new_dbf, NULL);
+		old_dbf = dbf;
+		dbf = new_dbf;
+		if (old_dbf)
+			(void) x_fclose(old_dbf);
+	}
+
+	/* Fix from klausr@ITAP.Physik.Uni-Stuttgart.De
+	 * to fix problem where smbd's that generate less
+	 * than 100 messages keep growing the log.
+	 */
+	force_check_log_size();
+	(void)umask(oldumask);
+
+	/* Take over stderr to catch ouput into logs */
+	if (dbf && sys_dup2(x_fileno(dbf), 2) == -1) {
+		close_low_fds(True); /* Close stderr too, if dup2 can't point it
+					at the logfile */
+	}
+
+	return ret;
+}
+
+/**************************************************************************
+ Force a check of the log size.
+ ***************************************************************************/
+
+void force_check_log_size( void )
+{
+	debug_count = 100;
+}
+
+/***************************************************************************
+ Check to see if there is any need to check if the logfile has grown too big.
+**************************************************************************/
+
+bool need_to_check_log_size( void )
+{
+	int maxlog;
+
+	if( debug_count < 100 )
+		return( False );
+
+	maxlog = lp_max_log_size() * 1024;
+	if( !dbf || maxlog <= 0 ) {
+		debug_count = 0;
+		return(False);
+	}
+	return( True );
+}
+
+/**************************************************************************
+ Check to see if the log has grown to be too big.
+ **************************************************************************/
+
+void check_log_size( void )
+{
+	int         maxlog;
+	SMB_STRUCT_STAT st;
+
+	/*
+	 *  We need to be root to check/change log-file, skip this and let the main
+	 *  loop check do a new check as root.
+	 */
+
+	if( geteuid() != 0 )
+		return;
+
+	if(log_overflow || !need_to_check_log_size() )
+		return;
+
+	maxlog = lp_max_log_size() * 1024;
+
+	if( sys_fstat( x_fileno( dbf ), &st ) == 0 && st.st_size > maxlog ) {
+		(void)reopen_logs();
+		if( dbf && get_file_size( debugf ) > maxlog ) {
+			char *name = NULL;
+
+			if (asprintf(&name, "%s.old", debugf ) < 0) {
+				return;
+			}
+			(void)rename(debugf, name);
+
+			if (!reopen_logs()) {
+				/* We failed to reopen a log - continue using the old name. */
+				(void)rename(name, debugf);
+			}
+			SAFE_FREE(name);
+		}
+	}
+
+	/*
+	 * Here's where we need to panic if dbf == NULL..
+	 */
+
+	if(dbf == NULL) {
+		/* This code should only be reached in very strange
+		 * circumstances. If we merely fail to open the new log we
+		 * should stick with the old one. ergo this should only be
+		 * reached when opening the logs for the first time: at
+		 * startup or when the log level is increased from zero.
+		 * -dwg 6 June 2000
+		 */
+		dbf = x_fopen( "/dev/console", O_WRONLY, 0);
+		if(dbf) {
+			DEBUG(0,("check_log_size: open of debug file %s failed - using console.\n",
+					debugf ));
+		} else {
+			/*
+			 * We cannot continue without a debug file handle.
+			 */
+			abort();
+		}
+	}
+	debug_count = 0;
+}
+
+/*************************************************************************
+ Write an debug message on the debugfile.
+ This is called by dbghdr() and format_debug_text().
+************************************************************************/
+
+ int Debug1( const char *format_str, ... )
+{
+	va_list ap;
+	int old_errno = errno;
+
+	debug_count++;
+
+	if( stdout_logging ) {
+		va_start( ap, format_str );
+		if(dbf)
+			(void)x_vfprintf( dbf, format_str, ap );
+		va_end( ap );
+		errno = old_errno;
+		goto done;
+	}
+
+	/* prevent recursion by checking if reopen_logs() has temporaily
+	   set the debugf string to NULL */
+	if( debugf == NULL)
+		goto done;
+
+#ifdef WITH_SYSLOG
+	if( !lp_syslog_only() )
+#endif
+	{
+		if( !dbf ) {
+			mode_t oldumask = umask( 022 );
+
+			dbf = x_fopen( debugf, O_WRONLY|O_APPEND|O_CREAT, 0644 );
+			(void)umask( oldumask );
+			if( dbf ) {
+				x_setbuf( dbf, NULL );
+			} else {
+				errno = old_errno;
+				goto done;
+			}
+		}
+	}
+
+#ifdef WITH_SYSLOG
+	if( syslog_level < lp_syslog() ) {
+		/* map debug levels to syslog() priorities
+		 * note that not all DEBUG(0, ...) calls are
+		 * necessarily errors */
+		static int priority_map[] = {
+			LOG_ERR,     /* 0 */
+			LOG_WARNING, /* 1 */
+			LOG_NOTICE,  /* 2 */
+			LOG_INFO,    /* 3 */
+		};
+		int     priority;
+		char *msgbuf = NULL;
+		int ret;
+
+		if( syslog_level >= ( sizeof(priority_map) / sizeof(priority_map[0]) ) || syslog_level < 0)
+			priority = LOG_DEBUG;
+		else
+			priority = priority_map[syslog_level];
+
+		va_start(ap, format_str);
+		ret = vasprintf(&msgbuf, format_str, ap);
+		va_end(ap);
+
+		if (ret == -1) {
+			syslog(priority, "%s", msgbuf);
+		}
+		SAFE_FREE(msgbuf);
+	}
+#endif
+
+	check_log_size();
+
+#ifdef WITH_SYSLOG
+	if( !lp_syslog_only() )
+#endif
+	{
+		va_start( ap, format_str );
+		if(dbf)
+			(void)x_vfprintf( dbf, format_str, ap );
+		va_end( ap );
+		if(dbf)
+			(void)x_fflush( dbf );
+	}
+
+ done:
+	TALLOC_FREE(tmp_debug_ctx);
+
+	errno = old_errno;
+
+	return( 0 );
+}
+
+
+/**************************************************************************
+ Print the buffer content via Debug1(), then reset the buffer.
+ Input:  none
+ Output: none
+****************************************************************************/
+
+static void bufr_print( void )
+{
+	format_bufr[format_pos] = '\0';
+	(void)Debug1( "%s", format_bufr );
+	format_pos = 0;
+}
+
+/***************************************************************************
+ Format the debug message text.
+
+ Input:  msg - Text to be added to the "current" debug message text.
+
+ Output: none.
+
+ Notes:  The purpose of this is two-fold.  First, each call to syslog()
+         (used by Debug1(), see above) generates a new line of syslog
+         output.  This is fixed by storing the partial lines until the
+         newline character is encountered.  Second, printing the debug
+         message lines when a newline is encountered allows us to add
+         spaces, thus indenting the body of the message and making it
+         more readable.
+**************************************************************************/
+
+static void format_debug_text( const char *msg )
+{
+	size_t i;
+	bool timestamp = (!stdout_logging && (lp_timestamp_logs() || !(lp_loaded())));
+
+	if (!format_bufr) {
+		debug_init();
+	}
+
+	for( i = 0; msg[i]; i++ ) {
+		/* Indent two spaces at each new line. */
+		if(timestamp && 0 == format_pos) {
+			format_bufr[0] = format_bufr[1] = ' ';
+			format_pos = 2;
+		}
+
+		/* If there's room, copy the character to the format buffer. */
+		if( format_pos < FORMAT_BUFR_MAX )
+			format_bufr[format_pos++] = msg[i];
+
+		/* If a newline is encountered, print & restart. */
+		if( '\n' == msg[i] )
+			bufr_print();
+
+		/* If the buffer is full dump it out, reset it, and put out a line
+		 * continuation indicator.
+		 */
+		if( format_pos >= FORMAT_BUFR_MAX ) {
+			bufr_print();
+			(void)Debug1( " +>\n" );
+		}
+	}
+
+	/* Just to be safe... */
+	format_bufr[format_pos] = '\0';
+}
+
+/***************************************************************************
+ Flush debug output, including the format buffer content.
+
+ Input:  none
+ Output: none
+***************************************************************************/
+
+void dbgflush( void )
+{
+	bufr_print();
+	if(dbf)
+		(void)x_fflush( dbf );
+}
+
+/***************************************************************************
+ Print a Debug Header.
+
+ Input:  level - Debug level of the message (not the system-wide debug
+                  level. )
+	  cls   - Debuglevel class of the calling module.
+          file  - Pointer to a string containing the name of the file
+                  from which this function was called, or an empty string
+                  if the __FILE__ macro is not implemented.
+          func  - Pointer to a string containing the name of the function
+                  from which this function was called, or an empty string
+                  if the __FUNCTION__ macro is not implemented.
+         line  - line number of the call to dbghdr, assuming __LINE__
+                 works.
+
+  Output: Always True.  This makes it easy to fudge a call to dbghdr()
+          in a macro, since the function can be called as part of a test.
+          Eg: ( (level <= DEBUGLEVEL) && (dbghdr(level,"",line)) )
+
+  Notes:  This function takes care of setting syslog_level.
+
+****************************************************************************/
+
+bool dbghdr(int level, int cls, const char *file, const char *func, int line)
+{
+	/* Ensure we don't lose any real errno value. */
+	int old_errno = errno;
+
+	if( format_pos ) {
+		/* This is a fudge.  If there is stuff sitting in the format_bufr, then
+		 * the *right* thing to do is to call
+		 *   format_debug_text( "\n" );
+		 * to write the remainder, and then proceed with the new header.
+		 * Unfortunately, there are several places in the code at which
+		 * the DEBUG() macro is used to build partial lines.  That in mind,
+		 * we'll work under the assumption that an incomplete line indicates
+		 * that a new header is *not* desired.
+		 */
+		return( True );
+	}
+
+#ifdef WITH_SYSLOG
+	/* Set syslog_level. */
+	syslog_level = level;
+#endif
+
+	/* Don't print a header if we're logging to stdout. */
+	if( stdout_logging )
+		return( True );
+
+	/* Print the header if timestamps are turned on.  If parameters are
+	 * not yet loaded, then default to timestamps on.
+	 */
+	if( lp_timestamp_logs() || lp_debug_prefix_timestamp() || !(lp_loaded()) ) {
+		char header_str[200];
+
+		header_str[0] = '\0';
+
+		if( lp_debug_pid())
+			slprintf(header_str,sizeof(header_str)-1,", pid=%u",(unsigned int)sys_getpid());
+
+		if( lp_debug_uid()) {
+			size_t hs_len = strlen(header_str);
+			slprintf(header_str + hs_len,
+			sizeof(header_str) - 1 - hs_len,
+				", effective(%u, %u), real(%u, %u)",
+				(unsigned int)geteuid(), (unsigned int)getegid(),
+				(unsigned int)getuid(), (unsigned int)getgid()); 
+		}
+
+		if (lp_debug_class() && (cls != DBGC_ALL)) {
+			size_t hs_len = strlen(header_str);
+			slprintf(header_str + hs_len,
+				 sizeof(header_str) -1 - hs_len,
+				 ", class=%s",
+				 default_classname_table[cls]);
+		}
+  
+		/* Print it all out at once to prevent split syslog output. */
+		if( lp_debug_prefix_timestamp() ) {
+		    (void)Debug1( "[%s, %2d%s] ",
+			current_timestring(debug_ctx(),
+					   lp_debug_hires_timestamp()),
+			level, header_str);
+		} else {
+		    (void)Debug1( "[%s, %2d%s] %s:%s(%d)\n",
+			current_timestring(debug_ctx(),
+					   lp_debug_hires_timestamp()),
+			level, header_str, file, func, line );
+		}
+	}
+
+	errno = old_errno;
+	return( True );
+}
+
+/***************************************************************************
+ Add text to the body of the "current" debug message via the format buffer.
+
+  Input:  format_str  - Format string, as used in printf(), et. al.
+          ...         - Variable argument list.
+
+  ..or..  va_alist    - Old style variable parameter list starting point.
+
+  Output: Always True.  See dbghdr() for more info, though this is not
+          likely to be used in the same way.
+
+***************************************************************************/
+
+ bool dbgtext( const char *format_str, ... )
+{
+	va_list ap;
+	char *msgbuf = NULL;
+	bool ret = true;
+	int res;
+
+	va_start(ap, format_str);
+	res = vasprintf(&msgbuf, format_str, ap);
+	va_end(ap);
+
+	if (res != -1) {
+		format_debug_text(msgbuf);
+	} else {
+		ret = false;
+	}
+	SAFE_FREE(msgbuf);
+	return ret;
+}
+
+/*
+ * Get us a temporary talloc context usable just for DEBUG arguments
+ */
+TALLOC_CTX *debug_ctx(void)
+{
+        if (tmp_debug_ctx == NULL) {
+                tmp_debug_ctx = talloc_named_const(NULL, 0, "debug_ctx");
+        }
+        return tmp_debug_ctx;
+}
diff --git a/source3/lib/display_sec.c b/source3/lib/display_sec.c
new file mode 100644
index 0000000000..67392e4568
--- /dev/null
+++ b/source3/lib/display_sec.c
@@ -0,0 +1,317 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-1999
+   Copyright (C) Luke Kenneth Casson Leighton 1996 - 1999
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful, 
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/****************************************************************************
+convert a security permissions into a string
+****************************************************************************/
+
+char *get_sec_mask_str(TALLOC_CTX *ctx, uint32 type)
+{
+	char *typestr = talloc_strdup(ctx, "");
+
+	if (!typestr) {
+		return NULL;
+	}
+
+	if (type & GENERIC_ALL_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"Generic all access ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & GENERIC_EXECUTE_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"Generic execute access");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & GENERIC_WRITE_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"Generic write access ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & GENERIC_READ_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"Generic read access ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & MAXIMUM_ALLOWED_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"MAXIMUM_ALLOWED_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & SYSTEM_SECURITY_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"SYSTEM_SECURITY_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & SYNCHRONIZE_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"SYNCHRONIZE_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & WRITE_OWNER_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"WRITE_OWNER_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & WRITE_DAC_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"WRITE_DAC_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & READ_CONTROL_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"READ_CONTROL_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+	if (type & DELETE_ACCESS) {
+		typestr = talloc_asprintf_append(typestr,
+				"DELETE_ACCESS ");
+		if (!typestr) {
+			return NULL;
+		}
+	}
+
+	printf("\t\tSpecific bits: 0x%lx\n", (unsigned long)type&SPECIFIC_RIGHTS_MASK);
+
+	return typestr;
+}
+
+/****************************************************************************
+ display sec_access structure
+ ****************************************************************************/
+void display_sec_access(SEC_ACCESS *info)
+{
+	char *mask_str = get_sec_mask_str(NULL, *info);
+	printf("\t\tPermissions: 0x%x: %s\n", *info, mask_str ? mask_str : "");
+	TALLOC_FREE(mask_str);
+}
+
+/****************************************************************************
+ display sec_ace flags
+ ****************************************************************************/
+void display_sec_ace_flags(uint8_t flags)
+{
+	if (flags & SEC_ACE_FLAG_OBJECT_INHERIT)
+		printf("SEC_ACE_FLAG_OBJECT_INHERIT ");
+	if (flags & SEC_ACE_FLAG_CONTAINER_INHERIT)
+		printf(" SEC_ACE_FLAG_CONTAINER_INHERIT ");
+	if (flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)
+		printf("SEC_ACE_FLAG_NO_PROPAGATE_INHERIT ");
+	if (flags & SEC_ACE_FLAG_INHERIT_ONLY)
+		printf("SEC_ACE_FLAG_INHERIT_ONLY ");
+	if (flags & SEC_ACE_FLAG_INHERITED_ACE)
+		printf("SEC_ACE_FLAG_INHERITED_ACE ");
+/*	if (flags & SEC_ACE_FLAG_VALID_INHERIT)
+		printf("SEC_ACE_FLAG_VALID_INHERIT "); */
+	if (flags & SEC_ACE_FLAG_SUCCESSFUL_ACCESS)
+		printf("SEC_ACE_FLAG_SUCCESSFUL_ACCESS ");
+	if (flags & SEC_ACE_FLAG_FAILED_ACCESS)
+		printf("SEC_ACE_FLAG_FAILED_ACCESS ");
+
+	printf("\n");
+}
+
+/****************************************************************************
+ display sec_ace object
+ ****************************************************************************/
+static void disp_sec_ace_object(struct security_ace_object *object)
+{
+	if (object->flags & SEC_ACE_OBJECT_PRESENT) {
+		printf("Object type: SEC_ACE_OBJECT_PRESENT\n");
+		printf("Object GUID: %s\n", smb_uuid_string(talloc_tos(),
+			object->type.type));
+	}
+	if (object->flags & SEC_ACE_OBJECT_INHERITED_PRESENT) {
+		printf("Object type: SEC_ACE_OBJECT_INHERITED_PRESENT\n");
+		printf("Object GUID: %s\n", smb_uuid_string(talloc_tos(), 
+			object->inherited_type.inherited_type));
+	}
+}
+
+/****************************************************************************
+ display sec_ace structure
+ ****************************************************************************/
+void display_sec_ace(SEC_ACE *ace)
+{
+	fstring sid_str;
+
+	printf("\tACE\n\t\ttype: ");
+	switch (ace->type) {
+		case SEC_ACE_TYPE_ACCESS_ALLOWED:
+			printf("ACCESS ALLOWED");
+			break;
+		case SEC_ACE_TYPE_ACCESS_DENIED:
+			printf("ACCESS DENIED");
+			break;
+		case SEC_ACE_TYPE_SYSTEM_AUDIT:
+			printf("SYSTEM AUDIT");
+			break;
+		case SEC_ACE_TYPE_SYSTEM_ALARM:
+			printf("SYSTEM ALARM");
+			break;
+		case SEC_ACE_TYPE_ALLOWED_COMPOUND:
+			printf("SEC_ACE_TYPE_ALLOWED_COMPOUND");
+			break;
+		case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+			printf("SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT");
+			break;
+		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+			printf("SEC_ACE_TYPE_ACCESS_DENIED_OBJECT");
+			break;
+		case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+			printf("SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT");
+			break;
+		case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+			printf("SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT");
+			break;
+		default:
+			printf("????");
+			break;
+	}
+
+	printf(" (%d) flags: 0x%02x ", ace->type, ace->flags);
+	display_sec_ace_flags(ace->flags);
+	display_sec_access(&ace->access_mask);
+	sid_to_fstring(sid_str, &ace->trustee);
+	printf("\t\tSID: %s\n\n", sid_str);
+
+	if (sec_ace_object(ace->type)) {
+		disp_sec_ace_object(&ace->object.object);
+	}
+
+}
+
+/****************************************************************************
+ display sec_acl structure
+ ****************************************************************************/
+void display_sec_acl(SEC_ACL *sec_acl)
+{
+	int i;
+
+	printf("\tACL\tNum ACEs:\t%d\trevision:\t%x\n",
+			 sec_acl->num_aces, sec_acl->revision); 
+	printf("\t---\n");
+
+	if (sec_acl->size != 0 && sec_acl->num_aces != 0) {
+		for (i = 0; i < sec_acl->num_aces; i++) {
+			display_sec_ace(&sec_acl->aces[i]);
+		}
+	}
+}
+
+void display_acl_type(uint16 type)
+{
+	static fstring typestr="";
+
+	typestr[0] = 0;
+
+	if (type & SEC_DESC_OWNER_DEFAULTED)	/* 0x0001 */
+		fstrcat(typestr, "SEC_DESC_OWNER_DEFAULTED ");
+	if (type & SEC_DESC_GROUP_DEFAULTED)	/* 0x0002 */
+		fstrcat(typestr, "SEC_DESC_GROUP_DEFAULTED ");
+	if (type & SEC_DESC_DACL_PRESENT) 	/* 0x0004 */
+		fstrcat(typestr, "SEC_DESC_DACL_PRESENT ");
+	if (type & SEC_DESC_DACL_DEFAULTED)	/* 0x0008 */
+		fstrcat(typestr, "SEC_DESC_DACL_DEFAULTED ");
+	if (type & SEC_DESC_SACL_PRESENT)	/* 0x0010 */
+		fstrcat(typestr, "SEC_DESC_SACL_PRESENT ");
+	if (type & SEC_DESC_SACL_DEFAULTED)	/* 0x0020 */
+		fstrcat(typestr, "SEC_DESC_SACL_DEFAULTED ");
+	if (type & SEC_DESC_DACL_TRUSTED)	/* 0x0040 */
+		fstrcat(typestr, "SEC_DESC_DACL_TRUSTED ");
+	if (type & SEC_DESC_SERVER_SECURITY)	/* 0x0080 */
+		fstrcat(typestr, "SEC_DESC_SERVER_SECURITY ");
+	if (type & SEC_DESC_DACL_AUTO_INHERIT_REQ) /* 0x0100 */
+		fstrcat(typestr, "SEC_DESC_DACL_AUTO_INHERIT_REQ ");
+	if (type & SEC_DESC_SACL_AUTO_INHERIT_REQ) /* 0x0200 */
+		fstrcat(typestr, "SEC_DESC_SACL_AUTO_INHERIT_REQ ");
+	if (type & SEC_DESC_DACL_AUTO_INHERITED) /* 0x0400 */
+		fstrcat(typestr, "SEC_DESC_DACL_AUTO_INHERITED ");
+	if (type & SEC_DESC_SACL_AUTO_INHERITED) /* 0x0800 */
+		fstrcat(typestr, "SEC_DESC_SACL_AUTO_INHERITED ");
+	if (type & SEC_DESC_DACL_PROTECTED)	/* 0x1000 */
+		fstrcat(typestr, "SEC_DESC_DACL_PROTECTED ");
+	if (type & SEC_DESC_SACL_PROTECTED)	/* 0x2000 */
+		fstrcat(typestr, "SEC_DESC_SACL_PROTECTED ");
+	if (type & SEC_DESC_RM_CONTROL_VALID)	/* 0x4000 */
+		fstrcat(typestr, "SEC_DESC_RM_CONTROL_VALID ");
+	if (type & SEC_DESC_SELF_RELATIVE)	/* 0x8000 */
+		fstrcat(typestr, "SEC_DESC_SELF_RELATIVE ");
+	
+	printf("type: 0x%04x: %s\n", type, typestr);
+}
+
+/****************************************************************************
+ display sec_desc structure
+ ****************************************************************************/
+void display_sec_desc(SEC_DESC *sec)
+{
+	fstring sid_str;
+
+	if (!sec) {
+		printf("NULL\n");
+		return;
+	}
+
+	printf("revision: %d\n", sec->revision);
+	display_acl_type(sec->type);
+
+	if (sec->sacl) {
+		printf("SACL\n");
+		display_sec_acl(sec->sacl);
+	}
+
+	if (sec->dacl) {
+		printf("DACL\n");
+		display_sec_acl(sec->dacl);
+	}
+
+	if (sec->owner_sid) {
+		sid_to_fstring(sid_str, sec->owner_sid);
+		printf("\tOwner SID:\t%s\n", sid_str);
+	}
+
+	if (sec->group_sid) {
+		sid_to_fstring(sid_str, sec->group_sid);
+		printf("\tGroup SID:\t%s\n", sid_str);
+	}
+}
diff --git a/source3/lib/dmallocmsg.c b/source3/lib/dmallocmsg.c
new file mode 100644
index 0000000000..935fc1de1a
--- /dev/null
+++ b/source3/lib/dmallocmsg.c
@@ -0,0 +1,78 @@
+/* 
+   samba -- Unix SMB/CIFS implementation.
+   Copyright (C) 2002 by Martin Pool
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * @file dmallocmsg.c
+ *
+ * Glue code to cause dmalloc info to come out when we receive a prod
+ * over samba messaging.
+ **/
+
+#ifdef ENABLE_DMALLOC
+static unsigned long our_dm_mark = 0;
+#endif /* ENABLE_DMALLOC */
+
+
+/**
+ * Respond to a POOL_USAGE message by sending back string form of memory
+ * usage stats.
+ **/
+static void msg_req_dmalloc_mark(struct messaging_context *msg,
+				 void *private_data,
+				 uint32_t msg_type,
+				 struct server_id server_id,
+				 DATA_BLOB *data)
+{
+#ifdef ENABLE_DMALLOC
+	our_dm_mark = dmalloc_mark();
+	DEBUG(2,("Got MSG_REQ_DMALLOC_MARK: mark set\n"));
+#else
+	DEBUG(2,("Got MSG_REQ_DMALLOC_MARK but dmalloc not in this process\n"));
+#endif
+}
+
+
+
+static void msg_req_dmalloc_log_changed(struct messaging_context *msg,
+					void *private_data,
+					uint32_t msg_type,
+					struct server_id server_id,
+					DATA_BLOB *data)
+{
+#ifdef ENABLE_DMALLOC
+	dmalloc_log_changed(our_dm_mark, True, True, True);
+	DEBUG(2,("Got MSG_REQ_DMALLOC_LOG_CHANGED: done\n"));
+#else
+	DEBUG(2,("Got MSG_REQ_DMALLOC_LOG_CHANGED but dmalloc not in this process\n"));
+#endif
+}
+
+
+/**
+ * Register handler for MSG_REQ_POOL_USAGE
+ **/
+void register_dmalloc_msgs(struct messaging_context *msg_ctx)
+{
+	messaging_register(msg_ctx, NULL, MSG_REQ_DMALLOC_MARK,
+			   msg_req_dmalloc_mark);
+	messaging_register(msg_ctx, NULL, MSG_REQ_DMALLOC_LOG_CHANGED,
+			   msg_req_dmalloc_log_changed);
+	DEBUG(2, ("Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED\n"));
+}	
diff --git a/source3/lib/dprintf.c b/source3/lib/dprintf.c
new file mode 100644
index 0000000000..a3bb5be43a
--- /dev/null
+++ b/source3/lib/dprintf.c
@@ -0,0 +1,118 @@
+/* 
+   Unix SMB/CIFS implementation.
+   display print functions
+   Copyright (C) Andrew Tridgell 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/*
+  this module provides functions for printing internal strings in the "display charset"
+  This charset may be quite different from the chosen unix charset
+
+  Eventually these functions will need to take care of column count constraints
+
+  The d_ prefix on print functions in Samba refers to the display character set
+  conversion
+*/
+
+#include "includes.h"
+
+ int d_vfprintf(FILE *f, const char *format, va_list ap)
+{
+	char *p, *p2;
+	int ret, maxlen, clen;
+	const char *msgstr;
+	va_list ap2;
+
+	/* do any message translations */
+	msgstr = lang_msg(format);
+	if (!msgstr) return -1;
+
+	VA_COPY(ap2, ap);
+
+	ret = vasprintf(&p, msgstr, ap2);
+
+	lang_msg_free(msgstr);
+
+	if (ret <= 0) {
+	  va_end(ap2);
+	  return ret;
+	}
+
+	/* now we have the string in unix format, convert it to the display
+	   charset, but beware of it growing */
+	maxlen = ret*2;
+again:
+	p2 = (char *)SMB_MALLOC(maxlen);
+	if (!p2) {
+		SAFE_FREE(p);
+		va_end(ap2);
+		return -1;
+	}
+	clen = convert_string(CH_UNIX, CH_DISPLAY, p, ret, p2, maxlen, True);
+
+	if (clen >= maxlen) {
+		/* it didn't fit - try a larger buffer */
+		maxlen *= 2;
+		SAFE_FREE(p2);
+		goto again;
+	}
+
+	/* good, its converted OK */
+	SAFE_FREE(p);
+	ret = fwrite(p2, 1, clen, f);
+	SAFE_FREE(p2);
+
+	va_end(ap2);
+
+	return ret;
+}
+
+
+ int d_fprintf(FILE *f, const char *format, ...)
+{
+	int ret;
+	va_list ap;
+
+	va_start(ap, format);
+	ret = d_vfprintf(f, format, ap);
+	va_end(ap);
+
+	return ret;
+}
+
+static FILE *outfile;
+
+ int d_printf(const char *format, ...)
+{
+	int ret;
+	va_list ap;
+
+	if (!outfile) outfile = stdout;
+	
+	va_start(ap, format);
+	ret = d_vfprintf(outfile, format, ap);
+	va_end(ap);
+
+	return ret;
+}
+
+/* interactive programs need a way of tell d_*() to write to stderr instead
+   of stdout */
+void display_set_stderr(void)
+{
+	outfile = stderr;
+}
diff --git a/source3/lib/dummyroot.c b/source3/lib/dummyroot.c
new file mode 100644
index 0000000000..64ea75814a
--- /dev/null
+++ b/source3/lib/dummyroot.c
@@ -0,0 +1,34 @@
+/* 
+   Unix SMB/CIFS implementation.
+   RPC pipe client
+
+   Copyright (C) Tim Potter 2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Stupid dummy functions required due to the horrible dependency mess
+   in Samba. */
+
+#include "includes.h"
+
+void become_root(void)
+{
+        return;
+}
+
+void unbecome_root(void)
+{
+        return;
+}
diff --git a/source3/lib/dummysmbd.c b/source3/lib/dummysmbd.c
new file mode 100644
index 0000000000..dbe886e3d1
--- /dev/null
+++ b/source3/lib/dummysmbd.c
@@ -0,0 +1,53 @@
+/*
+   Unix SMB/CIFS implementation.
+   RPC pipe client
+
+   Copyright (C) Gerald (Jerry) Carter          2004.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Stupid dummy functions required due to the horrible dependency mess
+   in Samba. */
+
+#include "includes.h"
+
+int get_client_fd(void)
+{
+	return -1;
+}
+
+int find_service(fstring service)
+{
+	return -1;
+}
+
+bool conn_snum_used(int snum)
+{
+	return False;
+}
+
+void cancel_pending_lock_requests_by_fid(files_struct *fsp, struct byte_range_lock *br_lck)
+{
+}
+
+void send_stat_cache_delete_message(const char *name)
+{
+}
+
+NTSTATUS can_delete_directory(struct connection_struct *conn,
+				const char *dirname)
+{
+	return NT_STATUS_OK;
+}
diff --git a/source3/lib/errmap_unix.c b/source3/lib/errmap_unix.c
new file mode 100644
index 0000000000..2cd2386c5c
--- /dev/null
+++ b/source3/lib/errmap_unix.c
@@ -0,0 +1,130 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  map unix to NT errors, an excerpt of libsmb/errormap.c
+ *  Copyright (C) Andrew Tridgell 2001
+ *  Copyright (C) Andrew Bartlett 2001
+ *  Copyright (C) Tim Potter 2000
+ *  Copyright (C) Jeremy Allison 2007
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/* Mapping from Unix, to NT error numbers */
+
+const struct unix_error_map unix_dos_nt_errmap[] = {
+	{ EPERM, ERRDOS, ERRnoaccess, NT_STATUS_ACCESS_DENIED },
+	{ EACCES, ERRDOS, ERRnoaccess, NT_STATUS_ACCESS_DENIED },
+	{ ENOENT, ERRDOS, ERRbadfile, NT_STATUS_OBJECT_NAME_NOT_FOUND },
+	{ ENOTDIR, ERRDOS, ERRbadpath,  NT_STATUS_NOT_A_DIRECTORY },
+	{ EIO, ERRHRD, ERRgeneral, NT_STATUS_IO_DEVICE_ERROR },
+	{ EBADF, ERRSRV, ERRsrverror, NT_STATUS_INVALID_HANDLE },
+	{ EINVAL, ERRSRV, ERRsrverror, NT_STATUS_INVALID_HANDLE },
+	{ EEXIST, ERRDOS, ERRfilexists, NT_STATUS_OBJECT_NAME_COLLISION},
+	{ ENFILE, ERRDOS, ERRnofids, NT_STATUS_TOO_MANY_OPENED_FILES },
+	{ EMFILE, ERRDOS, ERRnofids, NT_STATUS_TOO_MANY_OPENED_FILES },
+	{ ENOSPC, ERRHRD, ERRdiskfull, NT_STATUS_DISK_FULL },
+	{ ENOMEM, ERRDOS, ERRnomem, NT_STATUS_NO_MEMORY },
+	{ EISDIR, ERRDOS, ERRnoaccess, NT_STATUS_FILE_IS_A_DIRECTORY},
+	{ EMLINK, ERRDOS, ERRgeneral, NT_STATUS_TOO_MANY_LINKS },
+	{ EINTR,  ERRHRD, ERRgeneral, NT_STATUS_RETRY },
+#ifdef ELOOP
+	{ ELOOP, ERRDOS, ERRbadpath, NT_STATUS_OBJECT_PATH_NOT_FOUND },
+#endif
+#ifdef EDQUOT
+	{ EDQUOT, ERRHRD, ERRdiskfull, NT_STATUS_DISK_FULL }, /* Windows apps need this, not NT_STATUS_QUOTA_EXCEEDED */
+#endif
+#ifdef ENOTEMPTY
+	{ ENOTEMPTY, ERRDOS, ERRnoaccess, NT_STATUS_DIRECTORY_NOT_EMPTY },
+#endif
+#ifdef EXDEV
+	{ EXDEV, ERRDOS, ERRdiffdevice, NT_STATUS_NOT_SAME_DEVICE },
+#endif
+#ifdef EROFS
+	{ EROFS, ERRHRD, ERRnowrite, NT_STATUS_ACCESS_DENIED },
+#endif
+#ifdef ENAMETOOLONG
+	{ ENAMETOOLONG, ERRDOS, 206, NT_STATUS_OBJECT_NAME_INVALID },
+#endif
+#ifdef EFBIG
+	{ EFBIG, ERRHRD, ERRdiskfull, NT_STATUS_DISK_FULL },
+#endif
+#ifdef ENOBUFS
+	{ ENOBUFS, ERRDOS, ERRnomem, NT_STATUS_INSUFFICIENT_RESOURCES },
+#endif
+	{ EAGAIN, ERRDOS, 111, NT_STATUS_NETWORK_BUSY },
+#ifdef EADDRINUSE
+	{ EADDRINUSE, ERRDOS, 52, NT_STATUS_ADDRESS_ALREADY_ASSOCIATED},
+#endif
+#ifdef ENETUNREACH
+	{ ENETUNREACH, ERRHRD, ERRgeneral, NT_STATUS_NETWORK_UNREACHABLE},
+#endif
+#ifdef EHOSTUNREACH
+		{ EHOSTUNREACH, ERRHRD, ERRgeneral, NT_STATUS_HOST_UNREACHABLE},
+#endif
+#ifdef ECONNREFUSED
+	{ ECONNREFUSED, ERRHRD, ERRgeneral, NT_STATUS_CONNECTION_REFUSED},
+#endif
+#ifdef ETIMEDOUT
+	{ ETIMEDOUT, ERRHRD, 121, NT_STATUS_IO_TIMEOUT},
+#endif
+#ifdef ECONNABORTED
+	{ ECONNABORTED, ERRHRD, ERRgeneral, NT_STATUS_CONNECTION_ABORTED},
+#endif
+#ifdef ENODEV
+	{ ENODEV, ERRDOS, 55, NT_STATUS_DEVICE_DOES_NOT_EXIST},
+#endif
+#ifdef EPIPE
+	{ EPIPE, ERRDOS, 109, NT_STATUS_PIPE_BROKEN},
+#endif
+#ifdef EWOULDBLOCK
+	{ EWOULDBLOCK, ERRDOS, 111, NT_STATUS_NETWORK_BUSY },
+#endif
+#ifdef ENOATTR
+	{ ENOATTR, ERRDOS, ERRbadfile, NT_STATUS_NOT_FOUND },
+#endif
+
+	{ 0, 0, 0, NT_STATUS_OK }
+};
+
+/*********************************************************************
+ Map an NT error code from a Unix error code.
+*********************************************************************/
+
+NTSTATUS map_nt_error_from_unix(int unix_error)
+{
+	int i = 0;
+
+	if (unix_error == 0) {
+		/* we map this to an error, not success, as this
+		   function is only called in an error path. Lots of
+		   our virtualised functions may fail without making a
+		   unix system call that fails (such as when they are
+		   checking for some handle existing), so unix_error
+		   may be unset
+		*/
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	/* Look through list */
+	while(unix_dos_nt_errmap[i].unix_error != 0) {
+		if (unix_dos_nt_errmap[i].unix_error == unix_error)
+			return unix_dos_nt_errmap[i].nt_error;
+		i++;
+	}
+
+	/* Default return */
+	return NT_STATUS_ACCESS_DENIED;
+}
diff --git a/source3/lib/events.c b/source3/lib/events.c
new file mode 100644
index 0000000000..f03138708b
--- /dev/null
+++ b/source3/lib/events.c
@@ -0,0 +1,449 @@
+/*
+   Unix SMB/CIFS implementation.
+   Timed event library.
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Volker Lendecke 2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+struct timed_event {
+	struct timed_event *next, *prev;
+	struct event_context *event_ctx;
+	struct timeval when;
+	const char *event_name;
+	void (*handler)(struct event_context *event_ctx,
+			struct timed_event *te,
+			const struct timeval *now,
+			void *private_data);
+	void *private_data;
+};
+
+struct fd_event {
+	struct fd_event *prev, *next;
+	struct event_context *event_ctx;
+	int fd;
+	uint16_t flags; /* see EVENT_FD_* flags */
+	void (*handler)(struct event_context *event_ctx,
+			struct fd_event *event,
+			uint16 flags,
+			void *private_data);
+	void *private_data;
+};
+
+#define EVENT_FD_WRITEABLE(fde) \
+	event_set_fd_flags(fde, event_get_fd_flags(fde) | EVENT_FD_WRITE)
+#define EVENT_FD_READABLE(fde) \
+	event_set_fd_flags(fde, event_get_fd_flags(fde) | EVENT_FD_READ)
+
+#define EVENT_FD_NOT_WRITEABLE(fde) \
+	event_set_fd_flags(fde, event_get_fd_flags(fde) & ~EVENT_FD_WRITE)
+#define EVENT_FD_NOT_READABLE(fde) \
+	event_set_fd_flags(fde, event_get_fd_flags(fde) & ~EVENT_FD_READ)
+
+struct event_context {
+	struct timed_event *timed_events;
+	struct fd_event *fd_events;
+};
+
+static int timed_event_destructor(struct timed_event *te)
+{
+	DEBUG(10, ("Destroying timed event %lx \"%s\"\n", (unsigned long)te,
+		te->event_name));
+	if (te->event_ctx != NULL) {
+		DLIST_REMOVE(te->event_ctx->timed_events, te);
+	}
+	return 0;
+}
+
+/****************************************************************************
+ Add te by time.
+****************************************************************************/
+
+static void add_event_by_time(struct timed_event *te)
+{
+	struct event_context *ctx = te->event_ctx;
+	struct timed_event *last_te, *cur_te;
+
+	/* Keep the list ordered by time. We must preserve this. */
+	last_te = NULL;
+	for (cur_te = ctx->timed_events; cur_te; cur_te = cur_te->next) {
+		/* if the new event comes before the current one break */
+		if (!timeval_is_zero(&cur_te->when) &&
+				timeval_compare(&te->when, &cur_te->when) < 0) {
+			break;
+		}
+		last_te = cur_te;
+	}
+
+	DLIST_ADD_AFTER(ctx->timed_events, te, last_te);
+}
+
+/****************************************************************************
+ Schedule a function for future calling, cancel with TALLOC_FREE().
+ It's the responsibility of the handler to call TALLOC_FREE() on the event
+ handed to it.
+****************************************************************************/
+
+struct timed_event *event_add_timed(struct event_context *event_ctx,
+				TALLOC_CTX *mem_ctx,
+				struct timeval when,
+				const char *event_name,
+				void (*handler)(struct event_context *event_ctx,
+						struct timed_event *te,
+						const struct timeval *now,
+						void *private_data),
+				void *private_data)
+{
+	struct timed_event *te;
+
+	te = TALLOC_P(mem_ctx, struct timed_event);
+	if (te == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	te->event_ctx = event_ctx;
+	te->when = when;
+	te->event_name = event_name;
+	te->handler = handler;
+	te->private_data = private_data;
+
+	add_event_by_time(te);
+
+	talloc_set_destructor(te, timed_event_destructor);
+
+	DEBUG(10, ("Added timed event \"%s\": %lx\n", event_name,
+			(unsigned long)te));
+	return te;
+}
+
+static int fd_event_destructor(struct fd_event *fde)
+{
+	if (fde->event_ctx != NULL) {
+		DLIST_REMOVE(fde->event_ctx->fd_events, fde);
+	}
+	return 0;
+}
+
+struct fd_event *event_add_fd(struct event_context *event_ctx,
+			      TALLOC_CTX *mem_ctx,
+			      int fd, uint16_t flags,
+			      void (*handler)(struct event_context *event_ctx,
+					      struct fd_event *event,
+					      uint16 flags,
+					      void *private_data),
+			      void *private_data)
+{
+	struct fd_event *fde;
+
+	if (!(fde = TALLOC_P(mem_ctx, struct fd_event))) {
+		return NULL;
+	}
+
+	fde->event_ctx = event_ctx;
+	fde->fd = fd;
+	fde->flags = flags;
+	fde->handler = handler;
+	fde->private_data = private_data;
+
+	DLIST_ADD(event_ctx->fd_events, fde);
+
+	talloc_set_destructor(fde, fd_event_destructor);
+	return fde;
+}
+
+void event_fd_set_writeable(struct fd_event *fde)
+{
+	fde->flags |= EVENT_FD_WRITE;
+}
+
+void event_fd_set_not_writeable(struct fd_event *fde)
+{
+	fde->flags &= ~EVENT_FD_WRITE;
+}
+
+void event_fd_set_readable(struct fd_event *fde)
+{
+	fde->flags |= EVENT_FD_READ;
+}
+
+void event_fd_set_not_readable(struct fd_event *fde)
+{
+	fde->flags &= ~EVENT_FD_READ;
+}
+
+/*
+ * Return if there's something in the queue
+ */
+
+bool event_add_to_select_args(struct event_context *event_ctx,
+			      const struct timeval *now,
+			      fd_set *read_fds, fd_set *write_fds,
+			      struct timeval *timeout, int *maxfd)
+{
+	struct fd_event *fde;
+	struct timeval diff;
+	bool ret = False;
+
+	for (fde = event_ctx->fd_events; fde; fde = fde->next) {
+		if (fde->flags & EVENT_FD_READ) {
+			FD_SET(fde->fd, read_fds);
+			ret = True;
+		}
+		if (fde->flags & EVENT_FD_WRITE) {
+			FD_SET(fde->fd, write_fds);
+			ret = True;
+		}
+
+		if ((fde->flags & (EVENT_FD_READ|EVENT_FD_WRITE))
+		    && (fde->fd > *maxfd)) {
+			*maxfd = fde->fd;
+		}
+	}
+
+	if (event_ctx->timed_events == NULL) {
+		return ret;
+	}
+
+	diff = timeval_until(now, &event_ctx->timed_events->when);
+	*timeout = timeval_min(timeout, &diff);
+
+	return True;
+}
+
+bool events_pending(struct event_context *event_ctx)
+{
+	struct fd_event *fde;
+
+	if (event_ctx->timed_events != NULL) {
+		return True;
+	}
+	for (fde = event_ctx->fd_events; fde; fde = fde->next) {
+		if (fde->flags & (EVENT_FD_READ|EVENT_FD_WRITE)) {
+			return True;
+		}
+	}
+	return False;
+}
+
+bool run_events(struct event_context *event_ctx,
+		int selrtn, fd_set *read_fds, fd_set *write_fds)
+{
+	bool fired = False;
+	struct fd_event *fde, *next;
+
+	/* Run all events that are pending, not just one (as we
+	   did previously. */
+
+	while (event_ctx->timed_events) {
+		struct timeval now;
+		GetTimeOfDay(&now);
+
+		if (timeval_compare(
+			    &now, &event_ctx->timed_events->when) < 0) {
+			/* Nothing to do yet */
+			DEBUG(11, ("run_events: Nothing to do\n"));
+			break;
+		}
+
+		DEBUG(10, ("Running event \"%s\" %lx\n",
+			   event_ctx->timed_events->event_name,
+			   (unsigned long)event_ctx->timed_events));
+
+		event_ctx->timed_events->handler(
+			event_ctx,
+			event_ctx->timed_events, &now,
+			event_ctx->timed_events->private_data);
+
+		fired = True;
+	}
+
+	if (fired) {
+		/*
+		 * We might have changed the socket status during the timed
+		 * events, return to run select again.
+		 */
+		return True;
+	}
+
+	if (selrtn == 0) {
+		/*
+		 * No fd ready
+		 */
+		return fired;
+	}
+
+	for (fde = event_ctx->fd_events; fde; fde = next) {
+		uint16 flags = 0;
+
+		next = fde->next;
+		if (FD_ISSET(fde->fd, read_fds)) flags |= EVENT_FD_READ;
+		if (FD_ISSET(fde->fd, write_fds)) flags |= EVENT_FD_WRITE;
+
+		if (flags & fde->flags) {
+			fde->handler(event_ctx, fde, flags, fde->private_data);
+			fired = True;
+		}
+	}
+
+	return fired;
+}
+
+
+struct timeval *get_timed_events_timeout(struct event_context *event_ctx,
+					 struct timeval *to_ret)
+{
+	struct timeval now;
+
+	if (event_ctx->timed_events == NULL) {
+		return NULL;
+	}
+
+	now = timeval_current();
+	*to_ret = timeval_until(&now, &event_ctx->timed_events->when);
+
+	DEBUG(10, ("timed_events_timeout: %d/%d\n", (int)to_ret->tv_sec,
+		(int)to_ret->tv_usec));
+
+	return to_ret;
+}
+
+int event_loop_once(struct event_context *ev)
+{
+	struct timeval now, to;
+	fd_set r_fds, w_fds;
+	int maxfd = 0;
+	int ret;
+
+	FD_ZERO(&r_fds);
+	FD_ZERO(&w_fds);
+
+	to.tv_sec = 9999;	/* Max timeout */
+	to.tv_usec = 0;
+
+	GetTimeOfDay(&now);
+
+	if (!event_add_to_select_args(ev, &now, &r_fds, &w_fds, &to, &maxfd)) {
+		return -1;
+	}
+
+	if (timeval_is_zero(&to)) {
+		run_events(ev, 0, NULL, NULL);
+		return 0;
+	}
+
+	ret = sys_select(maxfd+1, &r_fds, &w_fds, NULL, &to);
+
+	if (ret == -1 && errno != EINTR) {
+		return -1;
+	}
+
+	run_events(ev, ret, &r_fds, &w_fds);
+	return 0;
+}
+
+static int event_context_destructor(struct event_context *ev)
+{
+	while (ev->fd_events != NULL) {
+		ev->fd_events->event_ctx = NULL;
+		DLIST_REMOVE(ev->fd_events, ev->fd_events);
+	}
+	while (ev->timed_events != NULL) {
+		ev->timed_events->event_ctx = NULL;
+		DLIST_REMOVE(ev->timed_events, ev->timed_events);
+	}
+	return 0;
+}
+
+struct event_context *event_context_init(TALLOC_CTX *mem_ctx)
+{
+	struct event_context *result;
+
+	result = TALLOC_ZERO_P(mem_ctx, struct event_context);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	talloc_set_destructor(result, event_context_destructor);
+	return result;
+}
+
+int set_event_dispatch_time(struct event_context *event_ctx,
+			    const char *event_name, struct timeval when)
+{
+	struct timed_event *te;
+
+	for (te = event_ctx->timed_events; te; te = te->next) {
+		if (strcmp(event_name, te->event_name) == 0) {
+			DLIST_REMOVE(event_ctx->timed_events, te);
+			te->when = when;
+			add_event_by_time(te);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+/* Returns 1 if event was found and cancelled, 0 otherwise. */
+
+int cancel_named_event(struct event_context *event_ctx,
+		       const char *event_name)
+{
+	struct timed_event *te;
+
+	for (te = event_ctx->timed_events; te; te = te->next) {
+		if (strcmp(event_name, te->event_name) == 0) {
+			TALLOC_FREE(te);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+void dump_event_list(struct event_context *event_ctx)
+{
+	struct timed_event *te;
+	struct fd_event *fe;
+	struct timeval evt, now;
+
+	if (!event_ctx) {
+		return;
+	}
+
+	now = timeval_current();
+
+	DEBUG(10,("dump_event_list:\n"));
+
+	for (te = event_ctx->timed_events; te; te = te->next) {
+
+		evt = timeval_until(&now, &te->when);
+
+		DEBUGADD(10,("Timed Event \"%s\" %lx handled in %d seconds (at %s)\n",
+			   te->event_name,
+			   (unsigned long)te,
+			   (int)evt.tv_sec,
+			   http_timestring(te->when.tv_sec)));
+	}
+
+	for (fe = event_ctx->fd_events; fe; fe = fe->next) {
+
+		DEBUGADD(10,("FD Event %d %lx, flags: 0x%04x\n",
+			   fe->fd,
+			   (unsigned long)fe,
+			   fe->flags));
+	}
+}
diff --git a/source3/lib/fault.c b/source3/lib/fault.c
new file mode 100644
index 0000000000..d4c1142937
--- /dev/null
+++ b/source3/lib/fault.c
@@ -0,0 +1,223 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Critical Fault handling
+   Copyright (C) Andrew Tridgell 1992-1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
+
+static void (*cont_fn)(void *);
+static char *corepath;
+
+/*******************************************************************
+report a fault
+********************************************************************/
+static void fault_report(int sig)
+{
+	static int counter;
+
+	if (counter) _exit(1);
+
+	counter++;
+
+	DEBUGSEP(0);
+	DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d (%s)",sig,(int)sys_getpid(),SAMBA_VERSION_STRING));
+	DEBUG(0,("\nPlease read the Trouble-Shooting section of the Samba3-HOWTO\n"));
+	DEBUG(0,("\nFrom: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf\n"));
+	DEBUGSEP(0);
+  
+	smb_panic("internal error");
+
+	if (cont_fn) {
+		cont_fn(NULL);
+#ifdef SIGSEGV
+		CatchSignal(SIGSEGV,SIGNAL_CAST SIG_DFL);
+#endif
+#ifdef SIGBUS
+		CatchSignal(SIGBUS,SIGNAL_CAST SIG_DFL);
+#endif
+#ifdef SIGABRT
+		CatchSignal(SIGABRT,SIGNAL_CAST SIG_DFL);
+#endif
+		return; /* this should cause a core dump */
+	}
+	exit(1);
+}
+
+/****************************************************************************
+catch serious errors
+****************************************************************************/
+static void sig_fault(int sig)
+{
+	fault_report(sig);
+}
+
+/*******************************************************************
+setup our fault handlers
+********************************************************************/
+void fault_setup(void (*fn)(void *))
+{
+	cont_fn = fn;
+
+#ifdef SIGSEGV
+	CatchSignal(SIGSEGV,SIGNAL_CAST sig_fault);
+#endif
+#ifdef SIGBUS
+	CatchSignal(SIGBUS,SIGNAL_CAST sig_fault);
+#endif
+#ifdef SIGABRT
+	CatchSignal(SIGABRT,SIGNAL_CAST sig_fault);
+#endif
+}
+
+/*******************************************************************
+make all the preparations to safely dump a core file
+********************************************************************/
+
+void dump_core_setup(const char *progname)
+{
+	char *logbase = NULL;
+	char *end = NULL;
+
+	if (lp_logfile() && *lp_logfile()) {
+		if (asprintf(&logbase, "%s", lp_logfile()) < 0) {
+			return;
+		}
+		if ((end = strrchr_m(logbase, '/'))) {
+			*end = '\0';
+		}
+	} else {
+		/* We will end up here is the log file is given on the command
+		 * line by the -l option but the "log file" option is not set
+		 * in smb.conf.
+		 */
+		if (asprintf(&logbase, "%s", get_dyn_LOGFILEBASE()) < 0) {
+			return;
+		}
+	}
+
+	SMB_ASSERT(progname != NULL);
+
+	if (asprintf(&corepath, "%s/cores", logbase) < 0) {
+		SAFE_FREE(logbase);
+		return;
+	}
+	mkdir(corepath,0700);
+
+	SAFE_FREE(corepath);
+	if (asprintf(&corepath, "%s/cores/%s",
+			logbase, progname) < 0) {
+		SAFE_FREE(logbase);
+		return;
+	}
+	mkdir(corepath,0700);
+
+	sys_chown(corepath,getuid(),getgid());
+	chmod(corepath,0700);
+
+	SAFE_FREE(logbase);
+
+#ifdef HAVE_GETRLIMIT
+#ifdef RLIMIT_CORE
+	{
+		struct rlimit rlp;
+		getrlimit(RLIMIT_CORE, &rlp);
+		rlp.rlim_cur = MAX(16*1024*1024,rlp.rlim_cur);
+		setrlimit(RLIMIT_CORE, &rlp);
+		getrlimit(RLIMIT_CORE, &rlp);
+		DEBUG(3,("Maximum core file size limits now %d(soft) %d(hard)\n",
+			 (int)rlp.rlim_cur,(int)rlp.rlim_max));
+	}
+#endif
+#endif
+
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+	/* On Linux we lose the ability to dump core when we change our user
+	 * ID. We know how to dump core safely, so let's make sure we have our
+	 * dumpable flag set.
+	 */
+	prctl(PR_SET_DUMPABLE, 1);
+#endif
+
+	/* FIXME: if we have a core-plus-pid facility, configurably set
+	 * this up here.
+	 */
+}
+
+ void dump_core(void)
+{
+	static bool called;
+
+	if (called) {
+		DEBUG(0, ("dump_core() called recursive\n"));
+		exit(1);
+	}
+	called = true;
+
+	/* Note that even if core dumping has been disabled, we still set up
+	 * the core path. This is to handle the case where core dumping is
+	 * turned on in smb.conf and the relevant daemon is not restarted.
+	 */
+	if (!lp_enable_core_files()) {
+		DEBUG(0, ("Exiting on internal error (core file administratively disabled)\n"));
+		exit(1);
+	}
+
+#if DUMP_CORE
+	/* If we're running as non root we might not be able to dump the core
+	 * file to the corepath.  There must not be an unbecome_root() before
+	 * we call abort(). */
+	if (geteuid() != 0) {
+		become_root();
+	}
+
+	if (corepath == NULL) {
+		DEBUG(0, ("Can not dump core: corepath not set up\n"));
+		exit(1);
+	}
+
+	if (*corepath != '\0') {
+		/* The chdir might fail if we dump core before we finish
+		 * processing the config file.
+		 */
+		if (chdir(corepath) != 0) {
+			DEBUG(0, ("unable to change to %s\n", corepath));
+			DEBUGADD(0, ("refusing to dump core\n"));
+			exit(1);
+		}
+
+		DEBUG(0,("dumping core in %s\n", corepath));
+	}
+
+	umask(~(0700));
+	dbgflush();
+
+	/* Ensure we don't have a signal handler for abort. */
+#ifdef SIGABRT
+	CatchSignal(SIGABRT,SIGNAL_CAST SIG_DFL);
+#endif
+
+	abort();
+
+#else /* DUMP_CORE */
+	exit(1);
+#endif /* DUMP_CORE */
+}
+
diff --git a/source3/lib/file_id.c b/source3/lib/file_id.c
new file mode 100644
index 0000000000..0633d4b88d
--- /dev/null
+++ b/source3/lib/file_id.c
@@ -0,0 +1,88 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   file_id structure handling
+
+   Copyright (C) Andrew Tridgell 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*
+  return a file_id which gives a unique ID for a file given the device and
+  inode numbers
+ */
+struct file_id file_id_create_dev(SMB_DEV_T dev, SMB_INO_T inode)
+{
+	struct file_id key;
+	/* the ZERO_STRUCT ensures padding doesn't break using the key as a
+	 * blob */
+	ZERO_STRUCT(key);
+	key.devid = dev;
+	key.inode = inode;
+	return key;
+}
+
+/*
+  generate a file_id from a stat structure
+ */
+struct file_id vfs_file_id_from_sbuf(connection_struct *conn, const SMB_STRUCT_STAT *sbuf)
+{
+	return SMB_VFS_FILE_ID_CREATE(conn, sbuf->st_dev, sbuf->st_ino);
+}
+
+/*
+  return True if two file_id structures are equal
+ */
+bool file_id_equal(const struct file_id *id1, const struct file_id *id2)
+{
+	return id1->inode == id2->inode && id1->devid == id2->devid;
+}
+
+/*
+  a static string for a file_id structure
+ */
+const char *file_id_string_tos(const struct file_id *id)
+{
+	char *result = talloc_asprintf(talloc_tos(), "%llx:%llx", 
+				       (unsigned long long)id->devid, 
+				       (unsigned long long)id->inode);
+	SMB_ASSERT(result != NULL);
+	return result;
+}
+
+/*
+  push a 16 byte version of a file id into a buffer
+ */
+void push_file_id_16(char *buf, const struct file_id *id)
+{
+	SIVAL(buf,  0, id->devid&0xFFFFFFFF);
+	SIVAL(buf,  4, id->devid>>32);
+	SIVAL(buf,  8, id->inode&0xFFFFFFFF);
+	SIVAL(buf, 12, id->inode>>32);
+}
+
+/*
+  pul a 16 byte version of a file id from a buffer
+ */
+void pull_file_id_16(char *buf, struct file_id *id)
+{
+	ZERO_STRUCTP(id);
+	id->devid  = IVAL(buf,  0);
+	id->devid |= ((uint64_t)IVAL(buf,4))<<32;
+	id->inode  = IVAL(buf,  8);
+	id->inode |= ((uint64_t)IVAL(buf,12))<<32;
+}
diff --git a/source3/lib/fsusage.c b/source3/lib/fsusage.c
new file mode 100644
index 0000000000..66ffb9f442
--- /dev/null
+++ b/source3/lib/fsusage.c
@@ -0,0 +1,157 @@
+/* 
+   Unix SMB/CIFS implementation.
+   functions to calculate the free disk space
+   Copyright (C) Andrew Tridgell 1998-2000
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+
+/* Return the number of TOSIZE-byte blocks used by
+   BLOCKS FROMSIZE-byte blocks, rounding away from zero.
+*/
+static SMB_BIG_UINT adjust_blocks(SMB_BIG_UINT blocks, SMB_BIG_UINT fromsize, SMB_BIG_UINT tosize)
+{
+	if (fromsize == tosize)	{ /* e.g., from 512 to 512 */
+		return blocks;
+	} else if (fromsize > tosize) { /* e.g., from 2048 to 512 */
+		return blocks * (fromsize / tosize);
+	} else { /* e.g., from 256 to 512 */
+		/* Protect against broken filesystems... */
+		if (fromsize == 0) {
+			fromsize = tosize;
+		}
+		return (blocks + 1) / (tosize / fromsize);
+	}
+}
+
+/* this does all of the system specific guff to get the free disk space.
+   It is derived from code in the GNU fileutils package, but has been
+   considerably mangled for use here 
+
+   results are returned in *dfree and *dsize, in 512 byte units
+*/
+int sys_fsusage(const char *path, SMB_BIG_UINT *dfree, SMB_BIG_UINT *dsize)
+{
+#ifdef STAT_STATFS3_OSF1
+#define CONVERT_BLOCKS(B) adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)fsd.f_fsize, (SMB_BIG_UINT)512)
+	struct statfs fsd;
+
+	if (statfs (path, &fsd, sizeof (struct statfs)) != 0)
+		return -1;
+#endif /* STAT_STATFS3_OSF1 */
+	
+#ifdef STAT_STATFS2_FS_DATA	/* Ultrix */
+#define CONVERT_BLOCKS(B) adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)1024, (SMB_BIG_UINT)512)	
+	struct fs_data fsd;
+	
+	if (statfs (path, &fsd) != 1)
+		return -1;
+	
+	(*dsize) = CONVERT_BLOCKS (fsd.fd_req.btot);
+	(*dfree) = CONVERT_BLOCKS (fsd.fd_req.bfreen);
+#endif /* STAT_STATFS2_FS_DATA */
+	
+#ifdef STAT_STATFS2_BSIZE	/* 4.3BSD, SunOS 4, HP-UX, AIX */
+#define CONVERT_BLOCKS(B) adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)fsd.f_bsize, (SMB_BIG_UINT)512)
+	struct statfs fsd;
+	
+	if (statfs (path, &fsd) < 0)
+		return -1;
+	
+#ifdef STATFS_TRUNCATES_BLOCK_COUNTS
+	/* In SunOS 4.1.2, 4.1.3, and 4.1.3_U1, the block counts in the
+	   struct statfs are truncated to 2GB.  These conditions detect that
+	   truncation, presumably without botching the 4.1.1 case, in which
+	   the values are not truncated.  The correct counts are stored in
+	   undocumented spare fields.  */
+	if (fsd.f_blocks == 0x1fffff && fsd.f_spare[0] > 0) {
+		fsd.f_blocks = fsd.f_spare[0];
+		fsd.f_bfree = fsd.f_spare[1];
+		fsd.f_bavail = fsd.f_spare[2];
+	}
+#endif /* STATFS_TRUNCATES_BLOCK_COUNTS */
+#endif /* STAT_STATFS2_BSIZE */
+	
+
+#ifdef STAT_STATFS2_FSIZE	/* 4.4BSD */
+#define CONVERT_BLOCKS(B) adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)fsd.f_fsize, (SMB_BIG_UINT)512)
+	
+	struct statfs fsd;
+	
+	if (statfs (path, &fsd) < 0)
+		return -1;
+#endif /* STAT_STATFS2_FSIZE */
+	
+#ifdef STAT_STATFS4		/* SVR3, Dynix, Irix, AIX */
+# if _AIX || defined(_CRAY)
+#  define CONVERT_BLOCKS(B) adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)fsd.f_bsize, (SMB_BIG_UINT)512)
+#  ifdef _CRAY
+#   define f_bavail f_bfree
+#  endif
+# else
+#  define CONVERT_BLOCKS(B) ((SMB_BIG_UINT)B)
+#  ifndef _SEQUENT_		/* _SEQUENT_ is DYNIX/ptx */
+#   ifndef DOLPHIN		/* DOLPHIN 3.8.alfa/7.18 has f_bavail */
+#    define f_bavail f_bfree
+#   endif
+#  endif
+# endif
+	
+	struct statfs fsd;
+
+	if (statfs (path, &fsd, sizeof fsd, 0) < 0)
+		return -1;
+	/* Empirically, the block counts on most SVR3 and SVR3-derived
+	   systems seem to always be in terms of 512-byte blocks,
+	   no matter what value f_bsize has.  */
+
+#endif /* STAT_STATFS4 */
+
+#if defined(STAT_STATVFS) || defined(STAT_STATVFS64)		/* SVR4 */
+#if defined HAVE_FRSIZE
+# define CONVERT_BLOCKS(B) \
+	adjust_blocks ((SMB_BIG_UINT)(B), fsd.f_frsize ? (SMB_BIG_UINT)fsd.f_frsize : (SMB_BIG_UINT)fsd.f_bsize, (SMB_BIG_UINT)512)
+#else
+# define CONVERT_BLOCKS(B) \
+	adjust_blocks ((SMB_BIG_UINT)(B), (SMB_BIG_UINT)fsd.f_bsize, (SMB_BIG_UINT)512)
+#endif
+
+#ifdef STAT_STATVFS64
+	struct statvfs64 fsd;
+	if (statvfs64(path, &fsd) < 0) return -1;
+#else
+	struct statvfs fsd;
+	if (statvfs(path, &fsd) < 0) return -1;
+#endif
+
+	/* f_frsize isn't guaranteed to be supported.  */
+
+#endif /* STAT_STATVFS */
+
+#ifndef CONVERT_BLOCKS
+	/* we don't have any dfree code! */
+	return -1;
+#else
+#if !defined(STAT_STATFS2_FS_DATA)
+	/* !Ultrix */
+	(*dsize) = CONVERT_BLOCKS (fsd.f_blocks);
+	(*dfree) = CONVERT_BLOCKS (fsd.f_bavail);
+#endif /* not STAT_STATFS2_FS_DATA */
+#endif
+
+	return 0;
+}
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
new file mode 100644
index 0000000000..b773f83c58
--- /dev/null
+++ b/source3/lib/gencache.c
@@ -0,0 +1,506 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Generic, persistent and shared between processes cache mechanism for use
+   by various parts of the Samba code
+
+   Copyright (C) Rafal Szczesniak    2002
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#undef  DBGC_CLASS
+#define DBGC_CLASS DBGC_TDB
+
+#define TIMEOUT_LEN 12
+#define CACHE_DATA_FMT	"%12u/%s"
+#define READ_CACHE_DATA_FMT_TEMPLATE "%%12u/%%%us"
+#define BLOB_TYPE "DATA_BLOB"
+#define BLOB_TYPE_LEN 9
+
+static TDB_CONTEXT *cache;
+
+/**
+ * @file gencache.c
+ * @brief Generic, persistent and shared between processes cache mechanism
+ *        for use by various parts of the Samba code
+ *
+ **/
+
+
+/**
+ * Cache initialisation function. Opens cache tdb file or creates
+ * it if does not exist.
+ *
+ * @return true on successful initialisation of the cache or
+ *         false on failure
+ **/
+
+bool gencache_init(void)
+{
+	char* cache_fname = NULL;
+	
+	/* skip file open if it's already opened */
+	if (cache) return True;
+
+	cache_fname = lock_path("gencache.tdb");
+
+	DEBUG(5, ("Opening cache file at %s\n", cache_fname));
+
+	cache = tdb_open_log(cache_fname, 0, TDB_DEFAULT,
+	                     O_RDWR|O_CREAT, 0644);
+
+	if (!cache && (errno == EACCES)) {
+		cache = tdb_open_log(cache_fname, 0, TDB_DEFAULT, O_RDONLY, 0644);
+		if (cache) {
+			DEBUG(5, ("gencache_init: Opening cache file %s read-only.\n", cache_fname));
+		}
+	}
+
+	if (!cache) {
+		DEBUG(5, ("Attempt to open gencache.tdb has failed.\n"));
+		return False;
+	}
+	return True;
+}
+
+
+/**
+ * Cache shutdown function. Closes opened cache tdb file.
+ *
+ * @return true on successful closing the cache or
+ *         false on failure during cache shutdown
+ **/
+ 
+bool gencache_shutdown(void)
+{
+	int ret;
+	/* tdb_close routine returns -1 on error */
+	if (!cache) return False;
+	DEBUG(5, ("Closing cache file\n"));
+	ret = tdb_close(cache);
+	cache = NULL;
+	return ret != -1;
+}
+
+
+/**
+ * Set an entry in the cache file. If there's no such
+ * one, then add it.
+ *
+ * @param keystr string that represents a key of this entry
+ * @param value text representation value being cached
+ * @param timeout time when the value is expired
+ *
+ * @retval true when entry is successfuly stored
+ * @retval false on failure
+ **/
+ 
+bool gencache_set(const char *keystr, const char *value, time_t timeout)
+{
+	int ret;
+	TDB_DATA databuf;
+	char* valstr = NULL;
+	
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(keystr && value);
+
+	if (!gencache_init()) return False;
+	
+	if (asprintf(&valstr, CACHE_DATA_FMT, (int)timeout, value) == -1) {
+		return False;
+	}
+
+	databuf = string_term_tdb_data(valstr);
+	DEBUG(10, ("Adding cache entry with key = %s; value = %s and timeout ="
+	           " %s (%d seconds %s)\n", keystr, value,ctime(&timeout),
+		   (int)(timeout - time(NULL)), 
+		   timeout > time(NULL) ? "ahead" : "in the past"));
+
+	ret = tdb_store_bystring(cache, keystr, databuf, 0);
+	SAFE_FREE(valstr);
+	
+	return ret == 0;
+}
+
+/**
+ * Delete one entry from the cache file.
+ *
+ * @param keystr string that represents a key of this entry
+ *
+ * @retval true upon successful deletion
+ * @retval false in case of failure
+ **/
+
+bool gencache_del(const char *keystr)
+{
+	int ret;
+	
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(keystr);
+
+	if (!gencache_init()) return False;	
+	
+	DEBUG(10, ("Deleting cache entry (key = %s)\n", keystr));
+	ret = tdb_delete_bystring(cache, keystr);
+	
+	return ret == 0;
+}
+
+
+/**
+ * Get existing entry from the cache file.
+ *
+ * @param keystr string that represents a key of this entry
+ * @param valstr buffer that is allocated and filled with the entry value
+ *        buffer's disposing must be done outside
+ * @param timeout pointer to a time_t that is filled with entry's
+ *        timeout
+ *
+ * @retval true when entry is successfuly fetched
+ * @retval False for failure
+ **/
+
+bool gencache_get(const char *keystr, char **valstr, time_t *timeout)
+{
+	TDB_DATA databuf;
+	time_t t;
+	char *endptr;
+
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(keystr);
+
+	if (!gencache_init()) {
+		return False;
+	}
+
+	databuf = tdb_fetch_bystring(cache, keystr);
+
+	if (databuf.dptr == NULL) {
+		DEBUG(10, ("Cache entry with key = %s couldn't be found\n",
+			   keystr));
+		return False;
+	}
+
+	t = strtol((const char *)databuf.dptr, &endptr, 10);
+
+	if ((endptr == NULL) || (*endptr != '/')) {
+		DEBUG(2, ("Invalid gencache data format: %s\n", databuf.dptr));
+		SAFE_FREE(databuf.dptr);
+		return False;
+	}
+
+	DEBUG(10, ("Returning %s cache entry: key = %s, value = %s, "
+		   "timeout = %s", t > time(NULL) ? "valid" :
+		   "expired", keystr, endptr+1, ctime(&t)));
+
+	if (t <= time(NULL)) {
+
+		/* We're expired, delete the entry */
+		tdb_delete_bystring(cache, keystr);
+
+		SAFE_FREE(databuf.dptr);
+		return False;
+	}
+
+	if (valstr) {
+		*valstr = SMB_STRDUP(endptr+1);
+		if (*valstr == NULL) {
+			SAFE_FREE(databuf.dptr);
+			DEBUG(0, ("strdup failed\n"));
+			return False;
+		}
+	}
+	
+	SAFE_FREE(databuf.dptr);
+
+	if (timeout) {
+		*timeout = t;
+	}
+
+	return True;
+} 
+
+/**
+ * Get existing entry from the cache file.
+ *
+ * @param keystr string that represents a key of this entry
+ * @param blob DATA_BLOB that is filled with entry's blob
+ * @param expired pointer to a bool that indicates whether the entry is expired
+ *
+ * @retval true when entry is successfuly fetched
+ * @retval False for failure
+ **/
+
+bool gencache_get_data_blob(const char *keystr, DATA_BLOB *blob, bool *expired)
+{
+	TDB_DATA databuf;
+	time_t t;
+	char *blob_type;
+	unsigned char *buf = NULL;
+	bool ret = False;
+	fstring valstr;
+	int buflen = 0, len = 0, blob_len = 0;
+	unsigned char *blob_buf = NULL;
+
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(keystr);
+
+	if (!gencache_init()) {
+		return False;
+	}
+
+	databuf = tdb_fetch_bystring(cache, keystr);
+	if (!databuf.dptr) {
+		DEBUG(10,("Cache entry with key = %s couldn't be found\n",
+			  keystr));
+		return False;
+	}
+
+	buf = (unsigned char *)databuf.dptr;
+	buflen = databuf.dsize;
+
+	len += tdb_unpack(buf+len, buflen-len, "fB",
+			  &valstr,
+			  &blob_len, &blob_buf);
+	if (len == -1) {
+		goto out;
+	}
+
+	t = strtol(valstr, &blob_type, 10);
+
+	if (strcmp(blob_type+1, BLOB_TYPE) != 0) {
+		goto out;
+	}
+
+	DEBUG(10,("Returning %s cache entry: key = %s, "
+		  "timeout = %s", t > time(NULL) ? "valid" :
+		  "expired", keystr, ctime(&t)));
+
+	if (t <= time(NULL)) {
+		/* We're expired */
+		if (expired) {
+			*expired = True;
+		}
+	}
+
+	if (blob) {
+		*blob = data_blob(blob_buf, blob_len);
+		if (!blob->data) {
+			goto out;
+		}
+	}
+
+	ret = True;
+ out:
+	SAFE_FREE(blob_buf);
+	SAFE_FREE(databuf.dptr);
+
+	return ret;
+}
+
+/**
+ * Set an entry in the cache file. If there's no such
+ * one, then add it.
+ *
+ * @param keystr string that represents a key of this entry
+ * @param blob DATA_BLOB value being cached
+ * @param timeout time when the value is expired
+ *
+ * @retval true when entry is successfuly stored
+ * @retval false on failure
+ **/
+
+bool gencache_set_data_blob(const char *keystr, const DATA_BLOB *blob, time_t timeout)
+{
+	bool ret = False;
+	int tdb_ret;
+	TDB_DATA databuf;
+	char *valstr = NULL;
+	unsigned char *buf = NULL;
+	int len = 0, buflen = 0;
+
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(keystr && blob);
+
+	if (!gencache_init()) {
+		return False;
+	}
+
+	if (asprintf(&valstr, "%12u/%s", (int)timeout, BLOB_TYPE) == -1) {
+		return False;
+	}
+
+ again:
+	len = 0;
+
+	len += tdb_pack(buf+len, buflen-len, "fB",
+			valstr,
+			blob->length, blob->data);
+
+	if (len == -1) {
+		goto out;
+	}
+
+	if (buflen < len) {
+		SAFE_FREE(buf);
+		buf = SMB_MALLOC_ARRAY(unsigned char, len);
+		if (!buf) {
+			goto out;
+		}
+		buflen = len;
+		goto again;
+	}
+
+	databuf = make_tdb_data(buf, len);
+
+	DEBUG(10,("Adding cache entry with key = %s; "
+		  "blob size = %d and timeout = %s"
+		  "(%d seconds %s)\n", keystr, (int)databuf.dsize,
+		  ctime(&timeout), (int)(timeout - time(NULL)),
+		  timeout > time(NULL) ? "ahead" : "in the past"));
+
+	tdb_ret = tdb_store_bystring(cache, keystr, databuf, 0);
+	if (tdb_ret == 0) {
+		ret = True;
+	}
+
+ out:
+	SAFE_FREE(valstr);
+	SAFE_FREE(buf);
+
+	return ret;
+}
+
+/**
+ * Iterate through all entries which key matches to specified pattern
+ *
+ * @param fn pointer to the function that will be supplied with each single
+ *        matching cache entry (key, value and timeout) as an arguments
+ * @param data void pointer to an arbitrary data that is passed directly to the fn
+ *        function on each call
+ * @param keystr_pattern pattern the existing entries' keys are matched to
+ *
+ **/
+
+void gencache_iterate(void (*fn)(const char* key, const char *value, time_t timeout, void* dptr),
+                      void* data, const char* keystr_pattern)
+{
+	TDB_LIST_NODE *node, *first_node;
+	TDB_DATA databuf;
+	char *keystr = NULL, *valstr = NULL, *entry = NULL;
+	time_t timeout = 0;
+	int status;
+	unsigned u;
+
+	/* fail completely if get null pointers passed */
+	SMB_ASSERT(fn && keystr_pattern);
+
+	if (!gencache_init()) return;
+
+	DEBUG(5, ("Searching cache keys with pattern %s\n", keystr_pattern));
+	node = tdb_search_keys(cache, keystr_pattern);
+	first_node = node;
+	
+	while (node) {
+		char *fmt;
+
+		/* ensure null termination of the key string */
+		keystr = SMB_STRNDUP((const char *)node->node_key.dptr, node->node_key.dsize);
+		if (!keystr) {
+			break;
+		}
+		
+		/* 
+		 * We don't use gencache_get function, because we need to iterate through
+		 * all of the entries. Validity verification is up to fn routine.
+		 */
+		databuf = tdb_fetch(cache, node->node_key);
+		if (!databuf.dptr || databuf.dsize <= TIMEOUT_LEN) {
+			SAFE_FREE(databuf.dptr);
+			SAFE_FREE(keystr);
+			node = node->next;
+			continue;
+		}
+		entry = SMB_STRNDUP((const char *)databuf.dptr, databuf.dsize);
+		if (!entry) {
+			SAFE_FREE(databuf.dptr);
+			SAFE_FREE(keystr);
+			break;
+		}
+
+		SAFE_FREE(databuf.dptr);
+
+		valstr = (char *)SMB_MALLOC(databuf.dsize + 1 - TIMEOUT_LEN);
+		if (!valstr) {
+			SAFE_FREE(entry);
+			SAFE_FREE(keystr);
+			break;
+		}
+
+		if (asprintf(&fmt, READ_CACHE_DATA_FMT_TEMPLATE,
+			     (unsigned int)databuf.dsize - TIMEOUT_LEN)
+		    == -1) {
+			SAFE_FREE(valstr);
+			SAFE_FREE(entry);
+			SAFE_FREE(keystr);
+			break;
+		}
+		status = sscanf(entry, fmt, &u, valstr);
+		SAFE_FREE(fmt);
+
+		if ( status != 2 ) {
+			DEBUG(0,("gencache_iterate: invalid return from sscanf %d\n",status));
+		}
+		timeout = u;
+		
+		DEBUG(10, ("Calling function with arguments (key = %s, value = %s, timeout = %s)\n",
+		           keystr, valstr, ctime(&timeout)));
+		fn(keystr, valstr, timeout, data);
+		
+		SAFE_FREE(valstr);
+		SAFE_FREE(entry);
+		SAFE_FREE(keystr);
+		node = node->next;
+	}
+	
+	tdb_search_list_free(first_node);
+}
+
+/********************************************************************
+ lock a key
+********************************************************************/
+
+int gencache_lock_entry( const char *key )
+{
+	if (!gencache_init())
+		return -1;
+	
+	return tdb_lock_bystring(cache, key);
+}
+
+/********************************************************************
+ unlock a key
+********************************************************************/
+
+void gencache_unlock_entry( const char *key )
+{
+	if (!gencache_init())
+		return;
+	
+	tdb_unlock_bystring(cache, key);
+	return;
+}
diff --git a/source3/lib/genrand.c b/source3/lib/genrand.c
new file mode 100644
index 0000000000..4590b812c5
--- /dev/null
+++ b/source3/lib/genrand.c
@@ -0,0 +1,223 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Functions to create reasonable random numbers for crypto use.
+
+   Copyright (C) Jeremy Allison 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+static unsigned char smb_arc4_state[258];
+static uint32 counter;
+
+static bool done_reseed = False;
+static void (*reseed_callback)(int *newseed);
+
+/**************************************************************** 
+ Copy any user given reseed data.
+*****************************************************************/
+
+void set_rand_reseed_callback(void (*fn)(int *))
+{
+	reseed_callback = fn;
+	set_need_random_reseed();
+}
+
+void set_need_random_reseed(void)
+{
+	done_reseed = False;
+}
+
+static void get_rand_reseed_data(int *reseed_data)
+{
+	if (reseed_callback) {
+		reseed_callback(reseed_data);
+	} else {
+		*reseed_data = 0;
+	}
+}
+
+/****************************************************************
+ Get a 16 byte hash from the contents of a file.
+ Note that the hash is not initialised.
+*****************************************************************/
+
+static void do_filehash(const char *fname, unsigned char *the_hash)
+{
+	unsigned char buf[1011]; /* deliberate weird size */
+	unsigned char tmp_md4[16];
+	int fd, n;
+
+	fd = sys_open(fname,O_RDONLY,0);
+	if (fd == -1)
+		return;
+
+	while ((n = read(fd, (char *)buf, sizeof(buf))) > 0) {
+		mdfour(tmp_md4, buf, n);
+		for (n=0;n<16;n++)
+			the_hash[n] ^= tmp_md4[n];
+	}
+	close(fd);
+}
+
+/**************************************************************
+ Try and get a good random number seed. Try a number of
+ different factors. Firstly, try /dev/urandom - use if exists.
+
+ We use /dev/urandom as a read of /dev/random can block if
+ the entropy pool dries up. This leads clients to timeout
+ or be very slow on connect.
+
+ If we can't use /dev/urandom then seed the stream random generator
+ above...
+**************************************************************/
+
+static int do_reseed(bool use_fd, int fd)
+{
+	unsigned char seed_inbuf[40];
+	uint32 v1, v2; struct timeval tval; pid_t mypid;
+	struct passwd *pw;
+	int reseed_data = 0;
+
+	if (use_fd) {
+		if (fd != -1)
+			return fd;
+
+		fd = sys_open( "/dev/urandom", O_RDONLY,0);
+		if(fd >= 0)
+			return fd;
+	}
+
+	/* Add in some secret file contents */
+
+	do_filehash("/etc/shadow", &seed_inbuf[0]);
+	do_filehash(lp_smb_passwd_file(), &seed_inbuf[16]);
+
+	/*
+	 * Add in the root encrypted password.
+	 * On any system where security is taken
+	 * seriously this will be secret.
+	 */
+
+	pw = getpwnam_alloc(NULL, "root");
+	if (pw && pw->pw_passwd) {
+		size_t i;
+		unsigned char md4_tmp[16];
+		mdfour(md4_tmp, (unsigned char *)pw->pw_passwd, strlen(pw->pw_passwd));
+		for (i=0;i<16;i++)
+			seed_inbuf[8+i] ^= md4_tmp[i];
+		TALLOC_FREE(pw);
+	}
+
+	/*
+	 * Add the counter, time of day, and pid.
+	 */
+
+	GetTimeOfDay(&tval);
+	mypid = sys_getpid();
+	v1 = (counter++) + mypid + tval.tv_sec;
+	v2 = (counter++) * mypid + tval.tv_usec;
+
+	SIVAL(seed_inbuf, 32, v1 ^ IVAL(seed_inbuf, 32));
+	SIVAL(seed_inbuf, 36, v2 ^ IVAL(seed_inbuf, 36));
+
+	/*
+	 * Add any user-given reseed data.
+	 */
+
+	get_rand_reseed_data(&reseed_data);
+	if (reseed_data) {
+		size_t i;
+		for (i = 0; i < sizeof(seed_inbuf); i++)
+			seed_inbuf[i] ^= ((char *)(&reseed_data))[i % sizeof(reseed_data)];
+	}
+
+	smb_arc4_init(smb_arc4_state, seed_inbuf, sizeof(seed_inbuf));
+
+	return -1;
+}
+
+/*******************************************************************
+ Interface to the (hopefully) good crypto random number generator.
+********************************************************************/
+
+void generate_random_buffer( unsigned char *out, int len)
+{
+	static int urand_fd = -1;
+	unsigned char md4_buf[64];
+	unsigned char tmp_buf[16];
+	unsigned char *p;
+
+	if(!done_reseed) {
+		urand_fd = do_reseed(True, urand_fd);
+		done_reseed = True;
+	}
+
+	if (urand_fd != -1 && len > 0) {
+
+		if (read(urand_fd, out, len) == len)
+			return; /* len bytes of random data read from urandom. */
+
+		/* Read of urand error, drop back to non urand method. */
+		close(urand_fd);
+		urand_fd = -1;
+		do_reseed(False, -1);
+		done_reseed = True;
+	}
+
+	/*
+	 * Generate random numbers in chunks of 64 bytes,
+	 * then md4 them & copy to the output buffer.
+	 * This way the raw state of the stream is never externally
+	 * seen.
+	 */
+
+	p = out;
+	while(len > 0) {
+		int copy_len = len > 16 ? 16 : len;
+
+		smb_arc4_crypt(smb_arc4_state, md4_buf, sizeof(md4_buf));
+		mdfour(tmp_buf, md4_buf, sizeof(md4_buf));
+		memcpy(p, tmp_buf, copy_len);
+		p += copy_len;
+		len -= copy_len;
+	}
+}
+
+/*******************************************************************
+ Use the random number generator to generate a random string.
+********************************************************************/
+
+static char c_list[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,";
+
+char *generate_random_str(size_t len)
+{
+	static unsigned char retstr[256];
+	size_t i;
+
+	memset(retstr, '\0', sizeof(retstr));
+
+	if (len > sizeof(retstr)-1)
+		len = sizeof(retstr) -1;
+	generate_random_buffer( retstr, len);
+	for (i = 0; i < len; i++)
+		retstr[i] = c_list[ retstr[i] % (sizeof(c_list)-1) ];
+
+	retstr[i] = '\0';
+
+	return (char *)retstr;
+}
diff --git a/source3/lib/hmacmd5.c b/source3/lib/hmacmd5.c
new file mode 100644
index 0000000000..86db3aa236
--- /dev/null
+++ b/source3/lib/hmacmd5.c
@@ -0,0 +1,135 @@
+/* 
+   Unix SMB/CIFS implementation.
+   HMAC MD5 code for use in NTLMv2
+   Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+   Copyright (C) Andrew Tridgell 1992-2000
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* taken direct from rfc2104 implementation and modified for suitable use
+ * for ntlmv2.
+ */
+
+#include "includes.h"
+
+/***********************************************************************
+ the rfc 2104 version of hmac_md5 initialisation.
+***********************************************************************/
+
+void hmac_md5_init_rfc2104(const unsigned char *key, int key_len, HMACMD5Context *ctx)
+{
+        int i;
+	unsigned char tk[16];
+
+        /* if key is longer than 64 bytes reset it to key=MD5(key) */
+        if (key_len > 64) {
+                struct MD5Context tctx;
+
+                MD5Init(&tctx);
+                MD5Update(&tctx, key, key_len);
+                MD5Final(tk, &tctx);
+
+                key = tk;
+                key_len = 16;
+        }
+
+        /* start out by storing key in pads */
+        ZERO_STRUCT(ctx->k_ipad);
+        ZERO_STRUCT(ctx->k_opad);
+        memcpy( ctx->k_ipad, key, key_len);
+        memcpy( ctx->k_opad, key, key_len);
+
+        /* XOR key with ipad and opad values */
+        for (i=0; i<64; i++) {
+                ctx->k_ipad[i] ^= 0x36;
+                ctx->k_opad[i] ^= 0x5c;
+        }
+
+        MD5Init(&ctx->ctx);
+        MD5Update(&ctx->ctx, ctx->k_ipad, 64);  
+}
+
+/***********************************************************************
+ the microsoft version of hmac_md5 initialisation.
+***********************************************************************/
+
+void hmac_md5_init_limK_to_64(const unsigned char* key, int key_len,
+			HMACMD5Context *ctx)
+{
+        int i;
+
+        /* if key is longer than 64 bytes truncate it */
+        if (key_len > 64) {
+                key_len = 64;
+        }
+
+        /* start out by storing key in pads */
+        ZERO_STRUCT(ctx->k_ipad);
+        ZERO_STRUCT(ctx->k_opad);
+        memcpy( ctx->k_ipad, key, key_len);
+        memcpy( ctx->k_opad, key, key_len);
+
+        /* XOR key with ipad and opad values */
+        for (i=0; i<64; i++) {
+                ctx->k_ipad[i] ^= 0x36;
+                ctx->k_opad[i] ^= 0x5c;
+        }
+
+        MD5Init(&ctx->ctx);
+        MD5Update(&ctx->ctx, ctx->k_ipad, 64);  
+}
+
+/***********************************************************************
+ update hmac_md5 "inner" buffer
+***********************************************************************/
+
+void hmac_md5_update(const unsigned char *text, int text_len, HMACMD5Context *ctx)
+{
+        MD5Update(&ctx->ctx, text, text_len); /* then text of datagram */
+}
+
+/***********************************************************************
+ finish off hmac_md5 "inner" buffer and generate outer one.
+***********************************************************************/
+void hmac_md5_final(unsigned char *digest, HMACMD5Context *ctx)
+
+{
+        struct MD5Context ctx_o;
+
+        MD5Final(digest, &ctx->ctx);          
+
+        MD5Init(&ctx_o);
+        MD5Update(&ctx_o, ctx->k_opad, 64);   
+        MD5Update(&ctx_o, digest, 16); 
+        MD5Final(digest, &ctx_o);
+}
+
+/***********************************************************
+ single function to calculate an HMAC MD5 digest from data.
+ use the microsoft hmacmd5 init method because the key is 16 bytes.
+************************************************************/
+
+void hmac_md5( unsigned char key[16], const unsigned char *data, int data_len,
+	       unsigned char *digest)
+{
+	HMACMD5Context ctx;
+	hmac_md5_init_limK_to_64(key, 16, &ctx);
+	if (data_len != 0)
+	{
+		hmac_md5_update(data, data_len, &ctx);
+	}
+	hmac_md5_final(digest, &ctx);
+}
+
diff --git a/source3/lib/iconv.c b/source3/lib/iconv.c
new file mode 100644
index 0000000000..3ceb637b8e
--- /dev/null
+++ b/source3/lib/iconv.c
@@ -0,0 +1,775 @@
+/* 
+   Unix SMB/CIFS implementation.
+   minimal iconv implementation
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Jelmer Vernooij 2002,2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*
+ * We have to use strcasecmp here as the character conversions
+ * haven't been initialised yet. JRA.
+ */
+
+#undef strcasecmp
+
+/**
+ * @file
+ *
+ * @brief Samba wrapper/stub for iconv character set conversion.
+ *
+ * iconv is the XPG2 interface for converting between character
+ * encodings.  This file provides a Samba wrapper around it, and also
+ * a simple reimplementation that is used if the system does not
+ * implement iconv.
+ *
+ * Samba only works with encodings that are supersets of ASCII: ascii
+ * characters like whitespace can be tested for directly, multibyte
+ * sequences start with a byte with the high bit set, and strings are
+ * terminated by a nul byte.
+ *
+ * Note that the only function provided by iconv is conversion between
+ * characters.  It doesn't directly support operations like
+ * uppercasing or comparison.  We have to convert to UCS-2 and compare
+ * there.
+ *
+ * @sa Samba Developers Guide
+ **/
+
+static_decl_charset;
+
+static size_t ascii_pull(void *,const char **, size_t *, char **, size_t *);
+static size_t ascii_push(void *,const char **, size_t *, char **, size_t *);
+static size_t latin1_push(void *,const char **, size_t *, char **, size_t *);
+static size_t  utf8_pull(void *,const char **, size_t *, char **, size_t *);
+static size_t  utf8_push(void *,const char **, size_t *, char **, size_t *);
+static size_t ucs2hex_pull(void *,const char **, size_t *, char **, size_t *);
+static size_t ucs2hex_push(void *,const char **, size_t *, char **, size_t *);
+static size_t iconv_copy(void *,const char **, size_t *, char **, size_t *);
+static size_t iconv_swab  (void *,const char **, size_t *, char **, size_t *);
+
+static struct charset_functions builtin_functions[] = {
+	/* windows is really neither UCS-2 not UTF-16 */
+	{"UCS-2LE",  iconv_copy, iconv_copy},
+	{"UTF-16LE",  iconv_copy, iconv_copy},
+	{"UCS-2BE",  iconv_swab, iconv_swab},
+	{"UTF-16BE",  iconv_swab, iconv_swab},
+
+	/* we include the UTF-8 alias to cope with differing locale settings */
+	{"UTF8",   utf8_pull,  utf8_push},
+	{"UTF-8",   utf8_pull,  utf8_push},
+	{"ASCII", ascii_pull, ascii_push},
+	{"646", ascii_pull, ascii_push},
+	{"ISO-8859-1", ascii_pull, latin1_push},
+	{"UCS2-HEX", ucs2hex_pull, ucs2hex_push},
+	{NULL, NULL, NULL}
+};
+
+static struct charset_functions *charsets = NULL;
+
+static struct charset_functions *find_charset_functions(const char *name) 
+{
+	struct charset_functions *c = charsets;
+
+	while(c) {
+		if (strcasecmp(name, c->name) == 0) {
+			return c;
+		}
+		c = c->next;
+	}
+
+	return NULL;
+}
+
+NTSTATUS smb_register_charset(struct charset_functions *funcs) 
+{
+	if (!funcs) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	DEBUG(5, ("Attempting to register new charset %s\n", funcs->name));
+	/* Check whether we already have this charset... */
+	if (find_charset_functions(funcs->name)) {
+		DEBUG(0, ("Duplicate charset %s, not registering\n", funcs->name));
+		return NT_STATUS_OBJECT_NAME_COLLISION;
+	}
+
+	funcs->next = funcs->prev = NULL;
+	DEBUG(5, ("Registered charset %s\n", funcs->name));
+	DLIST_ADD(charsets, funcs);
+	return NT_STATUS_OK;
+}
+
+static void lazy_initialize_iconv(void)
+{
+	static bool initialized;
+	int i;
+
+	if (!initialized) {
+		initialized = True;
+		for(i = 0; builtin_functions[i].name; i++) 
+			smb_register_charset(&builtin_functions[i]);
+		static_init_charset;
+	}
+}
+
+#ifdef HAVE_NATIVE_ICONV
+/* if there was an error then reset the internal state,
+   this ensures that we don't have a shift state remaining for
+   character sets like SJIS */
+static size_t sys_iconv(void *cd, 
+			const char **inbuf, size_t *inbytesleft,
+			char **outbuf, size_t *outbytesleft)
+{
+	size_t ret = iconv((iconv_t)cd, 
+			   (void *)inbuf, inbytesleft,
+			   outbuf, outbytesleft);
+	if (ret == (size_t)-1) {
+		int saved_errno = errno;
+		iconv(cd, NULL, NULL, NULL, NULL);
+		errno = saved_errno;
+	}
+	return ret;
+}
+#endif
+
+/**
+ * This is a simple portable iconv() implementaion.
+ *
+ * It only knows about a very small number of character sets - just
+ * enough that Samba works on systems that don't have iconv.
+ **/
+size_t smb_iconv(smb_iconv_t cd, 
+		 const char **inbuf, size_t *inbytesleft,
+		 char **outbuf, size_t *outbytesleft)
+{
+	char cvtbuf[2048];
+	char *bufp = cvtbuf;
+	size_t bufsize;
+
+	/* in many cases we can go direct */
+	if (cd->direct) {
+		return cd->direct(cd->cd_direct, 
+				  inbuf, inbytesleft, outbuf, outbytesleft);
+	}
+
+
+	/* otherwise we have to do it chunks at a time */
+	while (*inbytesleft > 0) {
+		bufp = cvtbuf;
+		bufsize = sizeof(cvtbuf);
+		
+		if (cd->pull(cd->cd_pull, 
+			     inbuf, inbytesleft, &bufp, &bufsize) == -1
+		    && errno != E2BIG) return -1;
+
+		bufp = cvtbuf;
+		bufsize = sizeof(cvtbuf) - bufsize;
+
+		if (cd->push(cd->cd_push, 
+			     (const char **)&bufp, &bufsize, 
+			     outbuf, outbytesleft) == -1) return -1;
+	}
+
+	return 0;
+}
+
+
+static bool is_utf16(const char *name)
+{
+	return strcasecmp(name, "UCS-2LE") == 0 ||
+		strcasecmp(name, "UTF-16LE") == 0;
+}
+
+/*
+  simple iconv_open() wrapper
+ */
+smb_iconv_t smb_iconv_open(const char *tocode, const char *fromcode)
+{
+	smb_iconv_t ret;
+	struct charset_functions *from, *to;
+	
+	lazy_initialize_iconv();
+	from = charsets;
+	to = charsets;
+
+	ret = SMB_MALLOC_P(struct _smb_iconv_t);
+	if (!ret) {
+		errno = ENOMEM;
+		return (smb_iconv_t)-1;
+	}
+	memset(ret, 0, sizeof(struct _smb_iconv_t));
+
+	ret->from_name = SMB_STRDUP(fromcode);
+	ret->to_name = SMB_STRDUP(tocode);
+
+	/* check for the simplest null conversion */
+	if (strcasecmp(fromcode, tocode) == 0) {
+		ret->direct = iconv_copy;
+		return ret;
+	}
+
+	/* check if we have a builtin function for this conversion */
+	from = find_charset_functions(fromcode);
+	if(from)ret->pull = from->pull;
+	
+	to = find_charset_functions(tocode);
+	if(to)ret->push = to->push;
+
+	/* check if we can use iconv for this conversion */
+#ifdef HAVE_NATIVE_ICONV
+	if (!ret->pull) {
+		ret->cd_pull = iconv_open("UTF-16LE", fromcode);
+		if (ret->cd_pull == (iconv_t)-1)
+			ret->cd_pull = iconv_open("UCS-2LE", fromcode);
+		if (ret->cd_pull != (iconv_t)-1)
+			ret->pull = sys_iconv;
+	}
+
+	if (!ret->push) {
+		ret->cd_push = iconv_open(tocode, "UTF-16LE");
+		if (ret->cd_push == (iconv_t)-1)
+			ret->cd_push = iconv_open(tocode, "UCS-2LE");
+		if (ret->cd_push != (iconv_t)-1)
+			ret->push = sys_iconv;
+	}
+#endif
+	
+	/* check if there is a module available that can do this conversion */
+	if (!ret->pull && NT_STATUS_IS_OK(smb_probe_module("charset", fromcode))) {
+		if(!(from = find_charset_functions(fromcode)))
+			DEBUG(0, ("Module %s doesn't provide charset %s!\n", fromcode, fromcode));
+		else 
+			ret->pull = from->pull;
+	}
+
+	if (!ret->push && NT_STATUS_IS_OK(smb_probe_module("charset", tocode))) {
+		if(!(to = find_charset_functions(tocode)))
+			DEBUG(0, ("Module %s doesn't provide charset %s!\n", tocode, tocode));
+		else 
+			ret->push = to->push;
+	}
+
+	if (!ret->push || !ret->pull) {
+		SAFE_FREE(ret->from_name);
+		SAFE_FREE(ret->to_name);
+		SAFE_FREE(ret);
+		errno = EINVAL;
+		return (smb_iconv_t)-1;
+	}
+
+	/* check for conversion to/from ucs2 */
+	if (is_utf16(fromcode) && to) {
+		ret->direct = to->push;
+		ret->push = ret->pull = NULL;
+		return ret;
+	}
+
+	if (is_utf16(tocode) && from) {
+		ret->direct = from->pull;
+		ret->push = ret->pull = NULL;
+		return ret;
+	}
+
+	/* Check if we can do the conversion direct */
+#ifdef HAVE_NATIVE_ICONV
+	if (is_utf16(fromcode)) {
+		ret->direct = sys_iconv;
+		ret->cd_direct = ret->cd_push;
+		ret->cd_push = NULL;
+		return ret;
+	}
+	if (is_utf16(tocode)) {
+		ret->direct = sys_iconv;
+		ret->cd_direct = ret->cd_pull;
+		ret->cd_pull = NULL;
+		return ret;
+	}
+#endif
+
+	return ret;
+}
+
+/*
+  simple iconv_close() wrapper
+*/
+int smb_iconv_close (smb_iconv_t cd)
+{
+#ifdef HAVE_NATIVE_ICONV
+	if (cd->cd_direct) iconv_close((iconv_t)cd->cd_direct);
+	if (cd->cd_pull) iconv_close((iconv_t)cd->cd_pull);
+	if (cd->cd_push) iconv_close((iconv_t)cd->cd_push);
+#endif
+
+	SAFE_FREE(cd->from_name);
+	SAFE_FREE(cd->to_name);
+
+	memset(cd, 0, sizeof(*cd));
+	SAFE_FREE(cd);
+	return 0;
+}
+
+
+/**********************************************************************
+ the following functions implement the builtin character sets in Samba
+ and also the "test" character sets that are designed to test
+ multi-byte character set support for english users
+***********************************************************************/
+
+static size_t ascii_pull(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	while (*inbytesleft >= 1 && *outbytesleft >= 2) {
+		(*outbuf)[0] = (*inbuf)[0];
+		(*outbuf)[1] = 0;
+		(*inbytesleft)  -= 1;
+		(*outbytesleft) -= 2;
+		(*inbuf)  += 1;
+		(*outbuf) += 2;
+	}
+
+	if (*inbytesleft > 0) {
+		errno = E2BIG;
+		return -1;
+	}
+	
+	return 0;
+}
+
+static size_t ascii_push(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	int ir_count=0;
+
+	while (*inbytesleft >= 2 && *outbytesleft >= 1) {
+		(*outbuf)[0] = (*inbuf)[0] & 0x7F;
+		if ((*inbuf)[1]) ir_count++;
+		(*inbytesleft)  -= 2;
+		(*outbytesleft) -= 1;
+		(*inbuf)  += 2;
+		(*outbuf) += 1;
+	}
+
+	if (*inbytesleft == 1) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (*inbytesleft > 1) {
+		errno = E2BIG;
+		return -1;
+	}
+	
+	return ir_count;
+}
+
+static size_t latin1_push(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	int ir_count=0;
+
+	while (*inbytesleft >= 2 && *outbytesleft >= 1) {
+		(*outbuf)[0] = (*inbuf)[0];
+		if ((*inbuf)[1]) ir_count++;
+		(*inbytesleft)  -= 2;
+		(*outbytesleft) -= 1;
+		(*inbuf)  += 2;
+		(*outbuf) += 1;
+	}
+
+	if (*inbytesleft == 1) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (*inbytesleft > 1) {
+		errno = E2BIG;
+		return -1;
+	}
+	
+	return ir_count;
+}
+
+static size_t ucs2hex_pull(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	while (*inbytesleft >= 1 && *outbytesleft >= 2) {
+		unsigned v;
+
+		if ((*inbuf)[0] != '@') {
+			/* seven bit ascii case */
+			(*outbuf)[0] = (*inbuf)[0];
+			(*outbuf)[1] = 0;
+			(*inbytesleft)  -= 1;
+			(*outbytesleft) -= 2;
+			(*inbuf)  += 1;
+			(*outbuf) += 2;
+			continue;
+		}
+		/* it's a hex character */
+		if (*inbytesleft < 5) {
+			errno = EINVAL;
+			return -1;
+		}
+		
+		if (sscanf(&(*inbuf)[1], "%04x", &v) != 1) {
+			errno = EILSEQ;
+			return -1;
+		}
+
+		(*outbuf)[0] = v&0xff;
+		(*outbuf)[1] = v>>8;
+		(*inbytesleft)  -= 5;
+		(*outbytesleft) -= 2;
+		(*inbuf)  += 5;
+		(*outbuf) += 2;
+	}
+
+	if (*inbytesleft > 0) {
+		errno = E2BIG;
+		return -1;
+	}
+	
+	return 0;
+}
+
+static size_t ucs2hex_push(void *cd, const char **inbuf, size_t *inbytesleft,
+			   char **outbuf, size_t *outbytesleft)
+{
+	while (*inbytesleft >= 2 && *outbytesleft >= 1) {
+		char buf[6];
+
+		if ((*inbuf)[1] == 0 && 
+		    ((*inbuf)[0] & 0x80) == 0 &&
+		    (*inbuf)[0] != '@') {
+			(*outbuf)[0] = (*inbuf)[0];
+			(*inbytesleft)  -= 2;
+			(*outbytesleft) -= 1;
+			(*inbuf)  += 2;
+			(*outbuf) += 1;
+			continue;
+		}
+		if (*outbytesleft < 5) {
+			errno = E2BIG;
+			return -1;
+		}
+		snprintf(buf, 6, "@%04x", SVAL(*inbuf, 0));
+		memcpy(*outbuf, buf, 5);
+		(*inbytesleft)  -= 2;
+		(*outbytesleft) -= 5;
+		(*inbuf)  += 2;
+		(*outbuf) += 5;
+	}
+
+	if (*inbytesleft == 1) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (*inbytesleft > 1) {
+		errno = E2BIG;
+		return -1;
+	}
+	
+	return 0;
+}
+
+static size_t iconv_swab(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	int n;
+
+	n = MIN(*inbytesleft, *outbytesleft);
+
+	swab(*inbuf, *outbuf, (n&~1));
+	if (n&1) {
+		(*outbuf)[n-1] = 0;
+	}
+
+	(*inbytesleft) -= n;
+	(*outbytesleft) -= n;
+	(*inbuf) += n;
+	(*outbuf) += n;
+
+	if (*inbytesleft > 0) {
+		errno = E2BIG;
+		return -1;
+	}
+
+	return 0;
+}
+
+static size_t iconv_copy(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	int n;
+
+	n = MIN(*inbytesleft, *outbytesleft);
+
+	memmove(*outbuf, *inbuf, n);
+
+	(*inbytesleft) -= n;
+	(*outbytesleft) -= n;
+	(*inbuf) += n;
+	(*outbuf) += n;
+
+	if (*inbytesleft > 0) {
+		errno = E2BIG;
+		return -1;
+	}
+
+	return 0;
+}
+
+static size_t utf8_pull(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft)
+{
+	size_t in_left=*inbytesleft, out_left=*outbytesleft;
+	const uint8 *c = (const uint8 *)*inbuf;
+	uint8 *uc = (uint8 *)*outbuf;
+
+	while (in_left >= 1 && out_left >= 2) {
+		unsigned int codepoint;
+
+		if ((c[0] & 0x80) == 0) {
+			uc[0] = c[0];
+			uc[1] = 0;
+			c  += 1;
+			in_left  -= 1;
+			out_left -= 2;
+			uc += 2;
+			continue;
+		}
+
+		if ((c[0] & 0xe0) == 0xc0) {
+			if (in_left < 2 ||
+			    (c[1] & 0xc0) != 0x80) {
+				errno = EILSEQ;
+				goto error;
+			}
+			codepoint = (c[1]&0x3f) | ((c[0]&0x1f)<<6);
+			if (codepoint < 0x80) {
+				/* don't accept UTF-8 characters that are not minimally packed */
+				errno = EILSEQ;
+				goto error;
+			}
+			uc[1] = codepoint >> 8;
+			uc[0] = codepoint & 0xff;
+			c  += 2;
+			in_left  -= 2;
+			out_left -= 2;
+			uc += 2;
+			continue;
+		}
+
+		if ((c[0] & 0xf0) == 0xe0) {
+			if (in_left < 3 ||
+			    (c[1] & 0xc0) != 0x80 || 
+			    (c[2] & 0xc0) != 0x80) {
+				errno = EILSEQ;
+				goto error;
+			}
+			codepoint = (c[2]&0x3f) | ((c[1]&0x3f)<<6) | ((c[0]&0xf)<<12);
+			if (codepoint < 0x800) {
+				/* don't accept UTF-8 characters that are not minimally packed */
+				errno = EILSEQ;
+				goto error;
+			}
+			uc[1] = codepoint >> 8;
+			uc[0] = codepoint & 0xff;
+			c  += 3;
+			in_left  -= 3;
+			out_left -= 2;
+			uc += 2;
+			continue;
+		}
+
+		if ((c[0] & 0xf8) == 0xf0) {
+			if (in_left < 4 ||
+			    (c[1] & 0xc0) != 0x80 || 
+			    (c[2] & 0xc0) != 0x80 ||
+			    (c[3] & 0xc0) != 0x80) {
+				errno = EILSEQ;
+				goto error;
+			}
+			codepoint = 
+				(c[3]&0x3f) | 
+				((c[2]&0x3f)<<6) | 
+				((c[1]&0x3f)<<12) |
+				((c[0]&0x7)<<18);
+			if (codepoint < 0x10000 || codepoint > 0x10ffff) {
+				/* don't accept UTF-8 characters that are not minimally packed */
+				errno = EILSEQ;
+				goto error;
+			}
+
+			codepoint -= 0x10000;
+
+			if (out_left < 4) {
+				errno = E2BIG;
+				goto error;
+			}
+
+			uc[0] = (codepoint>>10) & 0xFF;
+			uc[1] = (codepoint>>18) | 0xd8;
+			uc[2] = codepoint & 0xFF;
+			uc[3] = ((codepoint>>8) & 0x3) | 0xdc;
+			c  += 4;
+			in_left  -= 4;
+			out_left -= 4;
+			uc += 4;
+			continue;
+		}
+
+		/* we don't handle 5 byte sequences */
+		errno = EINVAL;
+		goto error;
+	}
+
+	if (in_left > 0) {
+		errno = E2BIG;
+		goto error;
+	}
+
+	*inbytesleft = in_left;
+	*outbytesleft = out_left;
+	*inbuf = (char *)c;
+	*outbuf = (char *)uc;	
+	return 0;
+
+error:
+	*inbytesleft = in_left;
+	*outbytesleft = out_left;
+	*inbuf = (char *)c;
+	*outbuf = (char *)uc;
+	return -1;
+}
+
+static size_t utf8_push(void *cd, const char **inbuf, size_t *inbytesleft,
+			char **outbuf, size_t *outbytesleft)
+{
+	size_t in_left=*inbytesleft, out_left=*outbytesleft;
+	uint8 *c = (uint8 *)*outbuf;
+	const uint8 *uc = (const uint8 *)*inbuf;
+
+	while (in_left >= 2 && out_left >= 1) {
+		unsigned int codepoint;
+
+		if (uc[1] == 0 && !(uc[0] & 0x80)) {
+			/* simplest case */
+			c[0] = uc[0];
+			in_left  -= 2;
+			out_left -= 1;
+			uc += 2;
+			c  += 1;
+			continue;
+		}
+
+		if ((uc[1]&0xf8) == 0) {
+			/* next simplest case */
+			if (out_left < 2) {
+				errno = E2BIG;
+				goto error;
+			}
+			c[0] = 0xc0 | (uc[0]>>6) | (uc[1]<<2);
+			c[1] = 0x80 | (uc[0] & 0x3f);
+			in_left  -= 2;
+			out_left -= 2;
+			uc += 2;
+			c  += 2;
+			continue;
+		}
+
+		if ((uc[1] & 0xfc) == 0xdc) {
+			/* its the second part of a 4 byte sequence. Illegal */
+			if (in_left < 4) {
+				errno = EINVAL;
+			} else {
+				errno = EILSEQ;
+			}
+			goto error;
+		}
+
+		if ((uc[1] & 0xfc) != 0xd8) {
+			codepoint = uc[0] | (uc[1]<<8);
+			if (out_left < 3) {
+				errno = E2BIG;
+				goto error;
+			}
+			c[0] = 0xe0 | (codepoint >> 12);
+			c[1] = 0x80 | ((codepoint >> 6) & 0x3f);
+			c[2] = 0x80 | (codepoint & 0x3f);
+			
+			in_left  -= 2;
+			out_left -= 3;
+			uc  += 2;
+			c   += 3;
+			continue;
+		}
+
+		/* its the first part of a 4 byte sequence */
+		if (in_left < 4) {
+			errno = EINVAL;
+			goto error;
+		}
+		if ((uc[3] & 0xfc) != 0xdc) {
+			errno = EILSEQ;
+			goto error;
+		}
+		codepoint = 0x10000 + (uc[2] | ((uc[3] & 0x3)<<8) | 
+				       (uc[0]<<10) | ((uc[1] & 0x3)<<18));
+		
+		if (out_left < 4) {
+			errno = E2BIG;
+			goto error;
+		}
+		c[0] = 0xf0 | (codepoint >> 18);
+		c[1] = 0x80 | ((codepoint >> 12) & 0x3f);
+		c[2] = 0x80 | ((codepoint >> 6) & 0x3f);
+		c[3] = 0x80 | (codepoint & 0x3f);
+		
+		in_left  -= 4;
+		out_left -= 4;
+		uc       += 4;
+		c        += 4;
+	}
+
+	if (in_left == 1) {
+		errno = EINVAL;
+		goto error;
+	}
+
+	if (in_left > 1) {
+		errno = E2BIG;
+		goto error;
+	}
+
+	*inbytesleft = in_left;
+	*outbytesleft = out_left;
+	*inbuf  = (char *)uc;
+	*outbuf = (char *)c;
+	
+	return 0;
+
+error:
+	*inbytesleft = in_left;
+	*outbytesleft = out_left;
+	*inbuf  = (char *)uc;
+	*outbuf = (char *)c;
+	return -1;
+}
+
diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
new file mode 100644
index 0000000000..6377635a65
--- /dev/null
+++ b/source3/lib/idmap_cache.c
@@ -0,0 +1,260 @@
+/*
+   Unix SMB/CIFS implementation.
+   ID Mapping Cache
+
+   Copyright (C) Volker Lendecke	2008
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.*/
+
+#include "includes.h"
+
+/**
+ * Find a sid2uid mapping
+ * @param[in] sid		the sid to map
+ * @param[out] puid		where to put the result
+ * @param[out] expired		is the cache entry expired?
+ * @retval Was anything in the cache at all?
+ *
+ * If *puid == -1 this was a negative mapping.
+ */
+
+bool idmap_cache_find_sid2uid(const struct dom_sid *sid, uid_t *puid,
+			      bool *expired)
+{
+	fstring sidstr;
+	char *key;
+	char *value;
+	char *endptr;
+	time_t timeout;
+	uid_t uid;
+	bool ret;
+
+	key = talloc_asprintf(talloc_tos(), "IDMAP/SID2UID/%s",
+			      sid_to_fstring(sidstr, sid));
+	if (key == NULL) {
+		return false;
+	}
+	ret = gencache_get(key, &value, &timeout);
+	TALLOC_FREE(key);
+	if (!ret) {
+		return false;
+	}
+	uid = strtol(value, &endptr, 10);
+	ret = (*endptr == '\0');
+	SAFE_FREE(value);
+	if (ret) {
+		*puid = uid;
+		*expired = (timeout <= time(NULL));
+	}
+	return ret;
+}
+
+/**
+ * Find a uid2sid mapping
+ * @param[in] uid		the uid to map
+ * @param[out] sid		where to put the result
+ * @param[out] expired		is the cache entry expired?
+ * @retval Was anything in the cache at all?
+ *
+ * If "is_null_sid(sid)", this was a negative mapping.
+ */
+
+bool idmap_cache_find_uid2sid(uid_t uid, struct dom_sid *sid, bool *expired)
+{
+	char *key;
+	char *value;
+	time_t timeout;
+	bool ret = true;
+
+	key = talloc_asprintf(talloc_tos(), "IDMAP/UID2SID/%d", (int)uid);
+	if (key == NULL) {
+		return false;
+	}
+	ret = gencache_get(key, &value, &timeout);
+	TALLOC_FREE(key);
+	if (!ret) {
+		return false;
+	}
+	ZERO_STRUCTP(sid);
+	if (value[0] != '-') {
+		ret = string_to_sid(sid, value);
+	}
+	SAFE_FREE(value);
+	if (ret) {
+		*expired = (timeout <= time(NULL));
+	}
+	return ret;
+}
+
+/**
+ * Store a mapping in the idmap cache
+ * @param[in] sid		the sid to map
+ * @param[in] uid		the uid to map
+ *
+ * If both parameters are valid values, then a positive mapping in both
+ * directions is stored. If "is_null_sid(sid)" is true, then this will be a
+ * negative mapping of uid, we want to cache that for this uid we could not
+ * find anything. Likewise if "uid==-1", then we want to cache that we did not
+ * find a mapping for the sid passed here.
+ */
+
+void idmap_cache_set_sid2uid(const struct dom_sid *sid, uid_t uid)
+{
+	time_t now = time(NULL);
+	time_t timeout;
+	fstring sidstr, key, value;
+
+	if (!is_null_sid(sid)) {
+		fstr_sprintf(key, "IDMAP/SID2UID/%s",
+			     sid_to_fstring(sidstr, sid));
+		fstr_sprintf(value, "%d", (int)uid);
+		timeout = (uid == -1)
+			? lp_idmap_negative_cache_time()
+			: lp_idmap_cache_time();
+		gencache_set(key, value, now + timeout);
+	}
+	if (uid != -1) {
+		fstr_sprintf(key, "IDMAP/UID2SID/%d", (int)uid);
+		if (is_null_sid(sid)) {
+			/* negative uid mapping */
+			fstrcpy(value, "-");
+			timeout = lp_idmap_negative_cache_time();
+		}
+		else {
+			sid_to_fstring(value, sid);
+			timeout = lp_idmap_cache_time();
+		}
+		gencache_set(key, value, now + timeout);
+	}
+}
+
+/**
+ * Find a sid2gid mapping
+ * @param[in] sid		the sid to map
+ * @param[out] pgid		where to put the result
+ * @param[out] expired		is the cache entry expired?
+ * @retval Was anything in the cache at all?
+ *
+ * If *pgid == -1 this was a negative mapping.
+ */
+
+bool idmap_cache_find_sid2gid(const struct dom_sid *sid, gid_t *pgid,
+			      bool *expired)
+{
+	fstring sidstr;
+	char *key;
+	char *value;
+	char *endptr;
+	time_t timeout;
+	gid_t gid;
+	bool ret;
+
+	key = talloc_asprintf(talloc_tos(), "IDMAP/SID2GID/%s",
+			      sid_to_fstring(sidstr, sid));
+	if (key == NULL) {
+		return false;
+	}
+	ret = gencache_get(key, &value, &timeout);
+	TALLOC_FREE(key);
+	if (!ret) {
+		return false;
+	}
+	gid = strtol(value, &endptr, 10);
+	ret = (*endptr == '\0');
+	SAFE_FREE(value);
+	if (ret) {
+		*pgid = gid;
+		*expired = (timeout <= time(NULL));
+	}
+	return ret;
+}
+
+/**
+ * Find a gid2sid mapping
+ * @param[in] gid		the gid to map
+ * @param[out] sid		where to put the result
+ * @param[out] expired		is the cache entry expired?
+ * @retval Was anything in the cache at all?
+ *
+ * If "is_null_sid(sid)", this was a negative mapping.
+ */
+
+bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired)
+{
+	char *key;
+	char *value;
+	time_t timeout;
+	bool ret = true;
+
+	key = talloc_asprintf(talloc_tos(), "IDMAP/GID2SID/%d", (int)gid);
+	if (key == NULL) {
+		return false;
+	}
+	ret = gencache_get(key, &value, &timeout);
+	TALLOC_FREE(key);
+	if (!ret) {
+		return false;
+	}
+	ZERO_STRUCTP(sid);
+	if (value[0] != '-') {
+		ret = string_to_sid(sid, value);
+	}
+	SAFE_FREE(value);
+	if (ret) {
+		*expired = (timeout <= time(NULL));
+	}
+	return ret;
+}
+
+/**
+ * Store a mapping in the idmap cache
+ * @param[in] sid		the sid to map
+ * @param[in] gid		the gid to map
+ *
+ * If both parameters are valid values, then a positive mapping in both
+ * directions is stored. If "is_null_sid(sid)" is true, then this will be a
+ * negative mapping of gid, we want to cache that for this gid we could not
+ * find anything. Likewise if "gid==-1", then we want to cache that we did not
+ * find a mapping for the sid passed here.
+ */
+
+void idmap_cache_set_sid2gid(const struct dom_sid *sid, gid_t gid)
+{
+	time_t now = time(NULL);
+	time_t timeout;
+	fstring sidstr, key, value;
+
+	if (!is_null_sid(sid)) {
+		fstr_sprintf(key, "IDMAP/SID2GID/%s",
+			     sid_to_fstring(sidstr, sid));
+		fstr_sprintf(value, "%d", (int)gid);
+		timeout = (gid == -1)
+			? lp_idmap_negative_cache_time()
+			: lp_idmap_cache_time();
+		gencache_set(key, value, now + timeout);
+	}
+	if (gid != -1) {
+		fstr_sprintf(key, "IDMAP/GID2SID/%d", (int)gid);
+		if (is_null_sid(sid)) {
+			/* negative gid mapping */
+			fstrcpy(value, "-");
+			timeout = lp_idmap_negative_cache_time();
+		}
+		else {
+			sid_to_fstring(value, sid);
+			timeout = lp_idmap_cache_time();
+		}
+		gencache_set(key, value, now + timeout);
+	}
+}
diff --git a/source3/lib/interface.c b/source3/lib/interface.c
new file mode 100644
index 0000000000..2e7c2706a0
--- /dev/null
+++ b/source3/lib/interface.c
@@ -0,0 +1,577 @@
+/*
+   Unix SMB/CIFS implementation.
+   multiple interface handling
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Jeremy Allison 2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+static struct iface_struct *probed_ifaces;
+static int total_probed;
+
+static struct interface *local_interfaces;
+
+/****************************************************************************
+ Check if an IP is one of mine.
+**************************************************************************/
+
+bool ismyaddr(const struct sockaddr_storage *ip)
+{
+	struct interface *i;
+	for (i=local_interfaces;i;i=i->next) {
+		if (addr_equal(&i->ip,ip)) {
+			return true;
+		}
+	}
+	return false;
+}
+
+bool ismyip_v4(struct in_addr ip)
+{
+	struct sockaddr_storage ss;
+	in_addr_to_sockaddr_storage(&ss, ip);
+	return ismyaddr(&ss);
+}
+
+/****************************************************************************
+ Try and find an interface that matches an ip. If we cannot, return NULL.
+**************************************************************************/
+
+static struct interface *iface_find(const struct sockaddr_storage *ip,
+				bool check_mask)
+{
+	struct interface *i;
+
+	if (is_address_any(ip)) {
+		return local_interfaces;
+	}
+
+	for (i=local_interfaces;i;i=i->next) {
+		if (check_mask) {
+			if (same_net(ip, &i->ip, &i->netmask)) {
+				return i;
+			}
+		} else if (addr_equal(&i->ip, ip)) {
+			return i;
+		}
+	}
+
+	return NULL;
+}
+
+/****************************************************************************
+ Check if a packet is from a local (known) net.
+**************************************************************************/
+
+bool is_local_net(const struct sockaddr_storage *from)
+{
+	struct interface *i;
+	for (i=local_interfaces;i;i=i->next) {
+		if (same_net(from, &i->ip, &i->netmask)) {
+			return true;
+		}
+	}
+	return false;
+}
+
+#if defined(HAVE_IPV6)
+void setup_linklocal_scope_id(struct sockaddr_storage *pss)
+{
+	struct interface *i;
+	for (i=local_interfaces;i;i=i->next) {
+		if (addr_equal(&i->ip,pss)) {
+			struct sockaddr_in6 *psa6 =
+				(struct sockaddr_in6 *)pss;
+			psa6->sin6_scope_id = if_nametoindex(i->name);
+			return;
+		}
+	}
+}
+#endif
+
+/****************************************************************************
+ Check if a packet is from a local (known) net.
+**************************************************************************/
+
+bool is_local_net_v4(struct in_addr from)
+{
+	struct sockaddr_storage ss;
+
+	in_addr_to_sockaddr_storage(&ss, from);
+	return is_local_net(&ss);
+}
+
+/****************************************************************************
+ How many interfaces do we have ?
+**************************************************************************/
+
+int iface_count(void)
+{
+	int ret = 0;
+	struct interface *i;
+
+	for (i=local_interfaces;i;i=i->next) {
+		ret++;
+	}
+	return ret;
+}
+
+/****************************************************************************
+ How many non-loopback IPv4 interfaces do we have ?
+**************************************************************************/
+
+int iface_count_v4_nl(void)
+{
+	int ret = 0;
+	struct interface *i;
+
+	for (i=local_interfaces;i;i=i->next) {
+		if (is_loopback_addr(&i->ip)) {
+			continue;
+		}
+		if (i->ip.ss_family == AF_INET) {
+			ret++;
+		}
+	}
+	return ret;
+}
+
+/****************************************************************************
+ Return a pointer to the in_addr of the first IPv4 interface.
+**************************************************************************/
+
+const struct in_addr *first_ipv4_iface(void)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i ;i=i->next) {
+		if (i->ip.ss_family == AF_INET) {
+			break;
+		}
+	}
+
+	if (!i) {
+		return NULL;
+	}
+	return &((const struct sockaddr_in *)&i->ip)->sin_addr;
+}
+
+/****************************************************************************
+ Return the Nth interface.
+**************************************************************************/
+
+struct interface *get_interface(int n)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i && n;i=i->next) {
+		n--;
+	}
+
+	if (i) {
+		return i;
+	}
+	return NULL;
+}
+
+/****************************************************************************
+ Return IP sockaddr_storage of the Nth interface.
+**************************************************************************/
+
+const struct sockaddr_storage *iface_n_sockaddr_storage(int n)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i && n;i=i->next) {
+		n--;
+	}
+
+	if (i) {
+		return &i->ip;
+	}
+	return NULL;
+}
+
+/****************************************************************************
+ Return IPv4 of the Nth interface (if a v4 address). NULL otherwise.
+**************************************************************************/
+
+const struct in_addr *iface_n_ip_v4(int n)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i && n;i=i->next) {
+		n--;
+	}
+
+	if (i && i->ip.ss_family == AF_INET) {
+		return &((const struct sockaddr_in *)&i->ip)->sin_addr;
+	}
+	return NULL;
+}
+
+/****************************************************************************
+ Return IPv4 bcast of the Nth interface (if a v4 address). NULL otherwise.
+**************************************************************************/
+
+const struct in_addr *iface_n_bcast_v4(int n)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i && n;i=i->next) {
+		n--;
+	}
+
+	if (i && i->ip.ss_family == AF_INET) {
+		return &((const struct sockaddr_in *)&i->bcast)->sin_addr;
+	}
+	return NULL;
+}
+
+/****************************************************************************
+ Return bcast of the Nth interface.
+**************************************************************************/
+
+const struct sockaddr_storage *iface_n_bcast(int n)
+{
+	struct interface *i;
+
+	for (i=local_interfaces;i && n;i=i->next) {
+		n--;
+	}
+
+	if (i) {
+		return &i->bcast;
+	}
+	return NULL;
+}
+
+/* these 3 functions return the ip/bcast/nmask for the interface
+   most appropriate for the given ip address. If they can't find
+   an appropriate interface they return the requested field of the
+   first known interface. */
+
+const struct sockaddr_storage *iface_ip(const struct sockaddr_storage *ip)
+{
+	struct interface *i = iface_find(ip, true);
+	if (i) {
+		return &i->ip;
+	}
+
+	/* Search for the first interface with
+	 * matching address family. */
+
+	for (i=local_interfaces;i;i=i->next) {
+		if (i->ip.ss_family == ip->ss_family) {
+			return &i->ip;
+		}
+	}
+	return NULL;
+}
+
+/*
+  return True if a IP is directly reachable on one of our interfaces
+*/
+
+bool iface_local(const struct sockaddr_storage *ip)
+{
+	return iface_find(ip, True) ? true : false;
+}
+
+/****************************************************************************
+ Add an interface to the linked list of interfaces.
+****************************************************************************/
+
+static void add_interface(const struct iface_struct *ifs)
+{
+	char addr[INET6_ADDRSTRLEN];
+	struct interface *iface;
+
+	if (iface_find(&ifs->ip, False)) {
+		DEBUG(3,("add_interface: not adding duplicate interface %s\n",
+			print_sockaddr(addr, sizeof(addr), &ifs->ip) ));
+		return;
+	}
+
+	if (!(ifs->flags & (IFF_BROADCAST|IFF_LOOPBACK))) {
+		DEBUG(3,("not adding non-broadcast interface %s\n",
+					ifs->name ));
+		return;
+	}
+
+	iface = SMB_MALLOC_P(struct interface);
+	if (!iface) {
+		return;
+	}
+
+	ZERO_STRUCTPN(iface);
+
+	iface->name = SMB_STRDUP(ifs->name);
+	if (!iface->name) {
+		SAFE_FREE(iface);
+		return;
+	}
+	iface->flags = ifs->flags;
+	iface->ip = ifs->ip;
+	iface->netmask = ifs->netmask;
+	iface->bcast = ifs->bcast;
+
+	DLIST_ADD(local_interfaces, iface);
+
+	DEBUG(2,("added interface %s ip=%s ",
+		iface->name,
+		print_sockaddr(addr, sizeof(addr), &iface->ip) ));
+	DEBUG(2,("bcast=%s ",
+		print_sockaddr(addr, sizeof(addr),
+			&iface->bcast) ));
+	DEBUG(2,("netmask=%s\n",
+		print_sockaddr(addr, sizeof(addr),
+			&iface->netmask) ));
+}
+
+/****************************************************************************
+ Interpret a single element from a interfaces= config line.
+
+ This handles the following different forms:
+
+ 1) wildcard interface name
+ 2) DNS name
+ 3) IP/masklen
+ 4) ip/mask
+ 5) bcast/mask
+****************************************************************************/
+
+static void interpret_interface(char *token)
+{
+	struct sockaddr_storage ss;
+	struct sockaddr_storage ss_mask;
+	struct sockaddr_storage ss_net;
+	struct sockaddr_storage ss_bcast;
+	struct iface_struct ifs;
+	char *p;
+	int i;
+	bool added=false;
+	bool goodaddr = false;
+
+	/* first check if it is an interface name */
+	for (i=0;i<total_probed;i++) {
+		if (gen_fnmatch(token, probed_ifaces[i].name) == 0) {
+			add_interface(&probed_ifaces[i]);
+			added = true;
+		}
+	}
+	if (added) {
+		return;
+	}
+
+	/* maybe it is a DNS name */
+	p = strchr_m(token,'/');
+	if (p == NULL) {
+		if (!interpret_string_addr(&ss, token, 0)) {
+			DEBUG(2, ("interpret_interface: Can't find address "
+				  "for %s\n", token));
+			return;
+		}
+
+		for (i=0;i<total_probed;i++) {
+			if (addr_equal(&ss, &probed_ifaces[i].ip)) {
+				add_interface(&probed_ifaces[i]);
+				return;
+			}
+		}
+		DEBUG(2,("interpret_interface: "
+			"can't determine interface for %s\n",
+			token));
+		return;
+	}
+
+	/* parse it into an IP address/netmasklength pair */
+	*p = 0;
+	goodaddr = interpret_string_addr(&ss, token, 0);
+	*p++ = '/';
+
+	if (!goodaddr) {
+		DEBUG(2,("interpret_interface: "
+			"can't determine interface for %s\n",
+			token));
+		return;
+	}
+
+	if (strlen(p) > 2) {
+		goodaddr = interpret_string_addr(&ss_mask, p, 0);
+		if (!goodaddr) {
+			DEBUG(2,("interpret_interface: "
+				"can't determine netmask from %s\n",
+				p));
+			return;
+		}
+	} else {
+		char *endp = NULL;
+		unsigned long val = strtoul(p, &endp, 0);
+		if (p == endp || (endp && *endp != '\0')) {
+			DEBUG(2,("interpret_interface: "
+				"can't determine netmask value from %s\n",
+				p));
+			return;
+		}
+		if (!make_netmask(&ss_mask, &ss, val)) {
+			DEBUG(2,("interpret_interface: "
+				"can't apply netmask value %lu from %s\n",
+				val,
+				p));
+			return;
+		}
+	}
+
+	make_bcast(&ss_bcast, &ss, &ss_mask);
+	make_net(&ss_net, &ss, &ss_mask);
+
+	/* Maybe the first component was a broadcast address. */
+	if (addr_equal(&ss_bcast, &ss) || addr_equal(&ss_net, &ss)) {
+		for (i=0;i<total_probed;i++) {
+			if (same_net(&ss, &probed_ifaces[i].ip, &ss_mask)) {
+				/* Temporarily replace netmask on
+				 * the detected interface - user knows
+				 * best.... */
+				struct sockaddr_storage saved_mask =
+					probed_ifaces[i].netmask;
+				probed_ifaces[i].netmask = ss_mask;
+				DEBUG(2,("interpret_interface: "
+					"using netmask value %s from "
+					"config file on interface %s\n",
+					p,
+					probed_ifaces[i].name));
+				add_interface(&probed_ifaces[i]);
+				probed_ifaces[i].netmask = saved_mask;
+				return;
+			}
+		}
+		DEBUG(2,("interpret_interface: Can't determine ip for "
+			"broadcast address %s\n",
+			token));
+		return;
+	}
+
+	/* Just fake up the interface definition. User knows best. */
+
+	DEBUG(2,("interpret_interface: Adding interface %s\n",
+		token));
+
+	ZERO_STRUCT(ifs);
+	(void)strlcpy(ifs.name, token, sizeof(ifs.name));
+	ifs.flags = IFF_BROADCAST;
+	ifs.ip = ss;
+	ifs.netmask = ss_mask;
+	ifs.bcast = ss_bcast;
+	add_interface(&ifs);
+}
+
+/****************************************************************************
+ Load the list of network interfaces.
+****************************************************************************/
+
+void load_interfaces(void)
+{
+	struct iface_struct ifaces[MAX_INTERFACES];
+	const char **ptr = lp_interfaces();
+	int i;
+
+	SAFE_FREE(probed_ifaces);
+
+	/* dump the current interfaces if any */
+	while (local_interfaces) {
+		struct interface *iface = local_interfaces;
+		DLIST_REMOVE(local_interfaces, local_interfaces);
+		SAFE_FREE(iface->name);
+		SAFE_FREE(iface);
+	}
+
+	/* Probe the kernel for interfaces */
+	total_probed = get_interfaces(ifaces, MAX_INTERFACES);
+
+	if (total_probed > 0) {
+		probed_ifaces = (struct iface_struct *)memdup(ifaces,
+				sizeof(ifaces[0])*total_probed);
+		if (!probed_ifaces) {
+			DEBUG(0,("ERROR: memdup failed\n"));
+			exit(1);
+		}
+	}
+
+	/* if we don't have a interfaces line then use all broadcast capable
+	   interfaces except loopback */
+	if (!ptr || !*ptr || !**ptr) {
+		if (total_probed <= 0) {
+			DEBUG(0,("ERROR: Could not determine network "
+			"interfaces, you must use a interfaces config line\n"));
+			exit(1);
+		}
+		for (i=0;i<total_probed;i++) {
+			if (probed_ifaces[i].flags & IFF_BROADCAST) {
+				add_interface(&probed_ifaces[i]);
+			}
+		}
+		return;
+	}
+
+	if (ptr) {
+		while (*ptr) {
+			char *ptr_cpy = SMB_STRDUP(*ptr);
+			if (ptr_cpy) {
+				interpret_interface(ptr_cpy);
+				free(ptr_cpy);
+			}
+			ptr++;
+		}
+	}
+
+	if (!local_interfaces) {
+		DEBUG(0,("WARNING: no network interfaces found\n"));
+	}
+}
+
+
+void gfree_interfaces(void)
+{
+	while (local_interfaces) {
+		struct interface *iface = local_interfaces;
+		DLIST_REMOVE(local_interfaces, local_interfaces);
+		SAFE_FREE(iface->name);
+		SAFE_FREE(iface);
+	}
+
+	SAFE_FREE(probed_ifaces);
+}
+
+/****************************************************************************
+ Return True if the list of probed interfaces has changed.
+****************************************************************************/
+
+bool interfaces_changed(void)
+{
+	int n;
+	struct iface_struct ifaces[MAX_INTERFACES];
+
+	n = get_interfaces(ifaces, MAX_INTERFACES);
+
+	if ((n > 0 )&& (n != total_probed ||
+			memcmp(ifaces, probed_ifaces, sizeof(ifaces[0])*n))) {
+		return true;
+	}
+
+	return false;
+}
diff --git a/source3/lib/interfaces.c b/source3/lib/interfaces.c
new file mode 100644
index 0000000000..dd857ae672
--- /dev/null
+++ b/source3/lib/interfaces.c
@@ -0,0 +1,351 @@
+/*
+   Unix SMB/CIFS implementation.
+   return a list of network interfaces
+   Copyright (C) Andrew Tridgell 1998
+   Copyright (C) Jeremy Allison 2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/* working out the interfaces for a OS is an incredibly non-portable
+   thing. We have several possible implementations below, and autoconf
+   tries each of them to see what works
+
+   Note that this file does _not_ include includes.h. That is so this code
+   can be called directly from the autoconf tests. That also means
+   this code cannot use any of the normal Samba debug stuff or defines.
+   This is standalone code.
+
+*/
+
+#ifndef AUTOCONF_TEST
+#include "config.h"
+#endif
+
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netdb.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#ifdef HAVE_IFADDRS_H
+#include <ifaddrs.h>
+#endif
+
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
+#ifndef SIOCGIFCONF
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+#endif
+
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+#ifdef __COMPAR_FN_T
+#define QSORT_CAST (__compar_fn_t)
+#endif
+
+#ifndef QSORT_CAST
+#define QSORT_CAST (int (*)(const void *, const void *))
+#endif
+
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "interfaces.h"
+#include "lib/replace/replace.h"
+
+/****************************************************************************
+ Utility functions.
+****************************************************************************/
+
+/****************************************************************************
+ Create a struct sockaddr_storage with the netmask bits set to 1.
+****************************************************************************/
+
+bool make_netmask(struct sockaddr_storage *pss_out,
+			const struct sockaddr_storage *pss_in,
+			unsigned long masklen)
+{
+	*pss_out = *pss_in;
+	/* Now apply masklen bits of mask. */
+#if defined(HAVE_IPV6)
+	if (pss_in->ss_family == AF_INET6) {
+		char *p = (char *)&((struct sockaddr_in6 *)pss_out)->sin6_addr;
+		unsigned int i;
+
+		if (masklen > 128) {
+			return false;
+		}
+		for (i = 0; masklen >= 8; masklen -= 8, i++) {
+			*p++ = 0xff;
+		}
+		/* Deal with the partial byte. */
+		*p++ &= (0xff & ~(0xff>>masklen));
+		i++;
+		for (;i < sizeof(struct in6_addr); i++) {
+			*p++ = '\0';
+		}
+		return true;
+	}
+#endif
+	if (pss_in->ss_family == AF_INET) {
+		if (masklen > 32) {
+			return false;
+		}
+		((struct sockaddr_in *)pss_out)->sin_addr.s_addr =
+			htonl(((0xFFFFFFFFL >> masklen) ^ 0xFFFFFFFFL));
+		return true;
+	}
+	return false;
+}
+
+/****************************************************************************
+ Create a struct sockaddr_storage set to the broadcast or network adress from
+ an incoming sockaddr_storage.
+****************************************************************************/
+
+static void make_bcast_or_net(struct sockaddr_storage *pss_out,
+			const struct sockaddr_storage *pss_in,
+			const struct sockaddr_storage *nmask,
+			bool make_bcast_p)
+{
+	unsigned int i = 0, len = 0;
+	char *pmask = NULL;
+	char *p = NULL;
+	*pss_out = *pss_in;
+
+	/* Set all zero netmask bits to 1. */
+#if defined(HAVE_IPV6)
+	if (pss_in->ss_family == AF_INET6) {
+		p = (char *)&((struct sockaddr_in6 *)pss_out)->sin6_addr;
+		pmask = (char *)&((struct sockaddr_in6 *)nmask)->sin6_addr;
+		len = 16;
+	}
+#endif
+	if (pss_in->ss_family == AF_INET) {
+		p = (char *)&((struct sockaddr_in *)pss_out)->sin_addr;
+		pmask = (char *)&((struct sockaddr_in *)nmask)->sin_addr;
+		len = 4;
+	}
+
+	for (i = 0; i < len; i++, p++, pmask++) {
+		if (make_bcast_p) {
+			*p = (*p & *pmask) | (*pmask ^ 0xff);
+		} else {
+			/* make_net */
+			*p = (*p & *pmask);
+		}
+	}
+}
+
+void make_bcast(struct sockaddr_storage *pss_out,
+			const struct sockaddr_storage *pss_in,
+			const struct sockaddr_storage *nmask)
+{
+	make_bcast_or_net(pss_out, pss_in, nmask, true);
+}
+
+void make_net(struct sockaddr_storage *pss_out,
+			const struct sockaddr_storage *pss_in,
+			const struct sockaddr_storage *nmask)
+{
+	make_bcast_or_net(pss_out, pss_in, nmask, false);
+}
+
+/****************************************************************************
+ Try the "standard" getifaddrs/freeifaddrs interfaces.
+ Also gets IPv6 interfaces.
+****************************************************************************/
+
+/****************************************************************************
+ Get the netmask address for a local interface.
+****************************************************************************/
+
+static int _get_interfaces(struct iface_struct *ifaces, int max_interfaces)
+{
+	struct ifaddrs *iflist = NULL;
+	struct ifaddrs *ifptr = NULL;
+	int total = 0;
+	size_t copy_size;
+
+	if (getifaddrs(&iflist) < 0) {
+		return -1;
+	}
+
+	/* Loop through interfaces, looking for given IP address */
+	for (ifptr = iflist, total = 0;
+			ifptr != NULL && total < max_interfaces;
+			ifptr = ifptr->ifa_next) {
+
+		memset(&ifaces[total], '\0', sizeof(ifaces[total]));
+
+		copy_size = sizeof(struct sockaddr_in);
+
+		if (!ifptr->ifa_addr || !ifptr->ifa_netmask) {
+			continue;
+		}
+
+		ifaces[total].flags = ifptr->ifa_flags;
+
+		/* Check the interface is up. */
+		if (!(ifaces[total].flags & IFF_UP)) {
+			continue;
+		}
+
+#if defined(HAVE_IPV6)
+		if (ifptr->ifa_addr->sa_family == AF_INET6) {
+			copy_size = sizeof(struct sockaddr_in6);
+		}
+#endif
+
+		memcpy(&ifaces[total].ip, ifptr->ifa_addr, copy_size);
+		memcpy(&ifaces[total].netmask, ifptr->ifa_netmask, copy_size);
+
+		if (ifaces[total].flags & (IFF_BROADCAST|IFF_LOOPBACK)) {
+			make_bcast(&ifaces[total].bcast,
+				&ifaces[total].ip,
+				&ifaces[total].netmask);
+		} else if ((ifaces[total].flags & IFF_POINTOPOINT) &&
+			       ifptr->ifa_dstaddr ) {
+			memcpy(&ifaces[total].bcast,
+				ifptr->ifa_dstaddr,
+				copy_size);
+		} else {
+			continue;
+		}
+
+		strlcpy(ifaces[total].name, ifptr->ifa_name,
+			sizeof(ifaces[total].name));
+		total++;
+	}
+
+	freeifaddrs(iflist);
+
+	return total;
+}
+
+static int iface_comp(struct iface_struct *i1, struct iface_struct *i2)
+{
+	int r;
+
+#if defined(HAVE_IPV6)
+	/*
+	 * If we have IPv6 - sort these interfaces lower
+	 * than any IPv4 ones.
+	 */
+	if (i1->ip.ss_family == AF_INET6 &&
+			i2->ip.ss_family == AF_INET) {
+		return -1;
+	} else if (i1->ip.ss_family == AF_INET &&
+			i2->ip.ss_family == AF_INET6) {
+		return 1;
+	}
+
+	if (i1->ip.ss_family == AF_INET6) {
+		struct sockaddr_in6 *s1 = (struct sockaddr_in6 *)&i1->ip;
+		struct sockaddr_in6 *s2 = (struct sockaddr_in6 *)&i2->ip;
+
+		r = memcmp(&s1->sin6_addr,
+				&s2->sin6_addr,
+				sizeof(struct in6_addr));
+		if (r) {
+			return r;
+		}
+
+		s1 = (struct sockaddr_in6 *)&i1->netmask;
+		s2 = (struct sockaddr_in6 *)&i2->netmask;
+
+		r = memcmp(&s1->sin6_addr,
+				&s2->sin6_addr,
+				sizeof(struct in6_addr));
+		if (r) {
+			return r;
+		}
+	}
+#endif
+
+	/* AIX uses __ss_family instead of ss_family inside of
+	   sockaddr_storage. Instead of trying to figure out which field to
+	   use, we can just cast it to a sockaddr.
+	 */
+
+	if (((struct sockaddr *)&i1->ip)->sa_family == AF_INET) {
+		struct sockaddr_in *s1 = (struct sockaddr_in *)&i1->ip;
+		struct sockaddr_in *s2 = (struct sockaddr_in *)&i2->ip;
+
+		r = ntohl(s1->sin_addr.s_addr) -
+			ntohl(s2->sin_addr.s_addr);
+		if (r) {
+			return r;
+		}
+
+		s1 = (struct sockaddr_in *)&i1->netmask;
+		s2 = (struct sockaddr_in *)&i2->netmask;
+
+		return ntohl(s1->sin_addr.s_addr) -
+			ntohl(s2->sin_addr.s_addr);
+	}
+	return 0;
+}
+
+int get_interfaces(struct iface_struct *ifaces, int max_interfaces);
+/* this wrapper is used to remove duplicates from the interface list generated
+   above */
+int get_interfaces(struct iface_struct *ifaces, int max_interfaces)
+{
+	int total, i, j;
+
+	total = _get_interfaces(ifaces, max_interfaces);
+	if (total <= 0) return total;
+
+	/* now we need to remove duplicates */
+	qsort(ifaces, total, sizeof(ifaces[0]), QSORT_CAST iface_comp);
+
+	for (i=1;i<total;) {
+		if (iface_comp(&ifaces[i-1], &ifaces[i]) == 0) {
+			for (j=i-1;j<total-1;j++) {
+				ifaces[j] = ifaces[j+1];
+			}
+			total--;
+		} else {
+			i++;
+		}
+	}
+
+	return total;
+}
+
diff --git a/source3/lib/ldap_debug_handler.c b/source3/lib/ldap_debug_handler.c
new file mode 100644
index 0000000000..2181ff014d
--- /dev/null
+++ b/source3/lib/ldap_debug_handler.c
@@ -0,0 +1,52 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Intercept libldap debug output.
+ * Copyright (C) Michael Adam 2008
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#if HAVE_LDAP
+
+static void samba_ldap_log_print_fn(LDAP_CONST char *data)
+{
+	DEBUG(lp_ldap_debug_threshold(), ("[LDAP] %s", data));
+}
+
+#endif
+
+void init_ldap_debugging(void)
+{
+#if defined(HAVE_LDAP) && defined(HAVE_LBER_LOG_PRINT_FN)
+	int ret;
+	int ldap_debug_level = lp_ldap_debug_level();
+
+	ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug_level);
+	if (ret != LDAP_OPT_SUCCESS) {
+		DEBUG(10, ("Error setting LDAP debug level.\n"));
+	}
+
+	if (ldap_debug_level == 0) {
+		return;
+	}
+
+	ret = ber_set_option(NULL, LBER_OPT_LOG_PRINT_FN,
+			     (void *)samba_ldap_log_print_fn);
+	if (ret != LBER_OPT_SUCCESS) {
+		DEBUG(10, ("Error setting LBER log print function.\n"));
+	}
+#endif /* HAVE_LDAP && HAVE_LBER_LOG_PRINT_FN */
+}
diff --git a/source3/lib/ldap_escape.c b/source3/lib/ldap_escape.c
new file mode 100644
index 0000000000..d101bc5ecd
--- /dev/null
+++ b/source3/lib/ldap_escape.c
@@ -0,0 +1,134 @@
+/* 
+   Unix SMB/CIFS implementation.
+   ldap filter argument escaping
+
+   Copyright (C) 1998, 1999, 2000 Luke Howard <lukeh@padl.com>,
+   Copyright (C) 2003 Andrew Bartlett <abartlet@samba.org>
+
+  
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * Escape a parameter to an LDAP filter string, so they cannot contain
+ * embeded ( ) * or \ chars which may cause it not to parse correctly. 
+ *
+ * @param s The input string
+ *
+ * @return A string allocated with malloc(), containing the escaped string, 
+ * and to be free()ed by the caller.
+ **/
+
+char *escape_ldap_string_alloc(const char *s)
+{
+	size_t len = strlen(s)+1;
+	char *output = (char *)SMB_MALLOC(len);
+	const char *sub;
+	int i = 0;
+	char *p = output;
+
+	if (output == NULL) {
+		return NULL;
+	}
+	
+	while (*s)
+	{
+		switch (*s)
+		{
+		case '*':
+			sub = "\\2a";
+			break;
+		case '(':
+			sub = "\\28";
+			break;
+		case ')':
+			sub = "\\29";
+			break;
+		case '\\':
+			sub = "\\5c";
+			break;
+		default:
+			sub = NULL;
+			break;
+		}
+		
+		if (sub) {
+			len = len + 3;
+			output = (char *)SMB_REALLOC(output, len);
+			if (!output) { 
+				return NULL;
+			}
+			
+			p = &output[i];
+			strncpy (p, sub, 3);
+			p += 3;
+			i += 3;
+
+		} else {
+			*p = *s;
+			p++;
+			i++;
+		}
+		s++;
+	}
+	
+	*p = '\0';
+	return output;
+}
+
+char *escape_rdn_val_string_alloc(const char *s)
+{
+	char *output, *p;
+
+	/* The maximum size of the escaped string can be twice the actual size */
+	output = (char *)SMB_MALLOC(2*strlen(s) + 1);
+
+	if (output == NULL) {
+		return NULL;
+	}
+
+	p = output;
+	
+	while (*s)
+	{
+		switch (*s)
+		{
+		case ',':
+		case '=':
+		case '+':
+		case '<':
+		case '>':
+		case '#':
+		case ';':
+		case '\\':
+		case '\"':
+			*p++ = '\\';
+			*p++ = *s;
+			break;
+		default:
+			*p = *s;
+			p++;
+		}
+		
+		s++;
+	}
+	
+	*p = '\0';
+
+	/* resize the string to the actual final size */
+	output = (char *)SMB_REALLOC(output, strlen(output) + 1);
+	return output;
+}
diff --git a/source3/lib/ldb/Doxyfile b/source3/lib/ldb/Doxyfile
new file mode 100644
index 0000000000..07b12b516a
--- /dev/null
+++ b/source3/lib/ldb/Doxyfile
@@ -0,0 +1,26 @@
+PROJECT_NAME           = LDB
+OUTPUT_DIRECTORY       = apidocs
+REPEAT_BRIEF           = YES
+OPTIMIZE_OUTPUT_FOR_C  = YES
+SORT_MEMBER_DOCS       = YES
+SORT_BRIEF_DOCS        = NO
+GENERATE_TODOLIST      = YES
+GENERATE_BUGLIST       = YES
+GENERATE_DEPRECATEDLIST= YES
+SHOW_USED_FILES        = NO
+SHOW_DIRECTORIES       = NO
+WARNINGS               = YES
+WARN_IF_UNDOCUMENTED   = YES
+WARN_IF_DOC_ERROR      = YES
+WARN_NO_PARAMDOC       = NO
+WARN_FORMAT            = "$file:$line: $text"
+INPUT                  = include .
+FILE_PATTERNS          = *.h *.dox
+EXCLUDE                = include/config.h include/dlinklist.h \
+			include/includes.h
+EXAMPLE_PATH           = examples
+GENERATE_HTML          = YES
+HTML_OUTPUT            = html
+GENERATE_MAN           = YES
+ALWAYS_DETAILED_SEC	   = YES
+JAVADOC_AUTOBRIEF	   = YES
diff --git a/source3/lib/ldb/Makefile.in b/source3/lib/ldb/Makefile.in
new file mode 100644
index 0000000000..a091b4832e
--- /dev/null
+++ b/source3/lib/ldb/Makefile.in
@@ -0,0 +1,173 @@
+#!gmake
+#
+CC = @CC@
+GCOV = @GCOV@
+XSLTPROC = @XSLTPROC@
+DOXYGEN = @DOXYGEN@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+datarootdir = @datarootdir@
+includedir = @includedir@
+libdir = @libdir@
+bindir = @bindir@
+mandir = @mandir@
+VPATH = @srcdir@:@tdbdir@:@tallocdir@:@libreplacedir@:@poptdir@
+srcdir = @srcdir@
+builddir = @builddir@
+SLAPD = @SLAPD@
+EXTRA_OBJ=@EXTRA_OBJ@
+TESTS=test-tdb.sh @TESTS@
+
+CFLAGS=-g -I$(srcdir)/include -Iinclude -I$(srcdir) -I$(srcdir)/.. \
+       @POPT_CFLAGS@ -I@tallocdir@ -I@tdbdir@/include -I@libreplacedir@ \
+	-DLIBDIR=\"$(libdir)\" -DSHLIBEXT=\"@SHLIBEXT@\" -DUSE_MMAP=1 @CFLAGS@
+
+LIB_FLAGS=@LDFLAGS@ -Llib -lldb @LIBS@ @POPT_LIBS@
+
+LDB_TDB_DIR=ldb_tdb
+LDB_TDB_OBJ=$(LDB_TDB_DIR)/ldb_tdb.o \
+	$(LDB_TDB_DIR)/ldb_pack.o $(LDB_TDB_DIR)/ldb_search.o $(LDB_TDB_DIR)/ldb_index.o \
+	$(LDB_TDB_DIR)/ldb_cache.o $(LDB_TDB_DIR)/ldb_tdb_wrap.o
+
+COMDIR=common
+COMMON_OBJ=$(COMDIR)/ldb.o $(COMDIR)/ldb_ldif.o \
+	   $(COMDIR)/ldb_parse.o $(COMDIR)/ldb_msg.o $(COMDIR)/ldb_utf8.o \
+	   $(COMDIR)/ldb_debug.o $(COMDIR)/ldb_modules.o \
+	   $(COMDIR)/ldb_dn.o $(COMDIR)/ldb_match.o $(COMDIR)/ldb_attributes.o \
+	   $(COMDIR)/attrib_handlers.o $(COMDIR)/ldb_controls.o $(COMDIR)/qsort.o
+
+MODDIR=modules
+MODULES_OBJ=$(MODDIR)/operational.o $(MODDIR)/rdn_name.o \
+	   $(MODDIR)/objectclass.o \
+	   $(MODDIR)/paged_results.o $(MODDIR)/sort.o $(MODDIR)/asq.o
+
+NSSDIR=nssldb
+NSS_OBJ= $(NSSDIR)/ldb-nss.o $(NSSDIR)/ldb-pwd.o $(NSSDIR)/ldb-grp.o
+NSS_LIB = lib/libnss_ldb.so.2
+
+OBJS = $(MODULES_OBJ) $(COMMON_OBJ) $(LDB_TDB_OBJ) @TDBOBJ@ @TALLOCOBJ@ @POPTOBJ@ @LIBREPLACEOBJ@ $(EXTRA_OBJ) 
+
+LDB_LIB = lib/libldb.a
+
+BINS = bin/ldbadd bin/ldbsearch bin/ldbdel bin/ldbmodify bin/ldbedit bin/ldbrename bin/ldbtest bin/oLschema2ldif
+
+LIBS = $(LDB_LIB)
+
+EXAMPLES = examples/ldbreader examples/ldifreader
+
+DIRS = lib bin common ldb_tdb ldb_ldap ldb_sqlite3 modules tools examples
+
+default: all
+
+nss: nssdir all $(NSS_LIB)
+
+nssdir:
+	@mkdir -p $(NSSDIR)
+
+all: showflags dirs $(OBJS) $(LDB_LIB) $(BINS) $(EXAMPLES) manpages
+
+showflags:
+	@echo 'ldb will be compiled with flags:'
+	@echo '  CFLAGS = $(CFLAGS)'
+	@echo '  LIBS = $(LIBS)'
+
+.c.o:
+	@echo Compiling $*.c
+	@mkdir -p `dirname $@`
+	@$(CC) $(CFLAGS) -c $< -o $@
+
+dirs:
+	@mkdir -p $(DIRS)
+
+lib/libldb.a: $(OBJS)
+	ar -rv $@ $(OBJS)
+	@-ranlib $@
+
+lib/libnss_ldb.so.2: $(NSS_OBJ) $(LIBS)
+	$(CC) -shared -Wl,-soname,libnss_ldb.so.2 -o lib/libnss_ldb.so.2 $(NSS_OBJ) $(OBJS) $(LIB_FLAGS)
+
+bin/ldbadd: tools/ldbadd.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbadd tools/ldbadd.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbsearch: tools/ldbsearch.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbsearch tools/ldbsearch.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbdel: tools/ldbdel.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbdel tools/ldbdel.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbmodify: tools/ldbmodify.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbmodify tools/ldbmodify.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbedit: tools/ldbedit.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbedit tools/ldbedit.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbrename: tools/ldbrename.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbrename tools/ldbrename.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/ldbtest: tools/ldbtest.o tools/cmdline.o $(LIBS)
+	$(CC) -o bin/ldbtest tools/ldbtest.o tools/cmdline.o $(LIB_FLAGS)
+
+bin/oLschema2ldif: tools/oLschema2ldif.o tools/cmdline.o tools/convert.o $(LIBS)
+	$(CC) -o bin/oLschema2ldif tools/oLschema2ldif.o tools/cmdline.o tools/convert.o $(LIB_FLAGS)
+
+examples/ldbreader: examples/ldbreader.o $(LIBS)
+	$(CC) -o examples/ldbreader examples/ldbreader.o $(LIB_FLAGS)
+
+examples/ldifreader: examples/ldifreader.o $(LIBS)
+	$(CC) -o examples/ldifreader examples/ldifreader.o $(LIB_FLAGS)
+
+.SUFFIXES: .1 .1.xml .3 .3.xml .xml .html
+
+manpages:
+	@$(srcdir)/docs/builddocs.sh "$(XSLTPROC)" "$(srcdir)"
+
+doxygen:
+	test -z "$(DOXYGEN)" || (cd $(srcdir) && "$(DOXYGEN)")
+
+clean:
+	rm -f *.o */*.o *.gcov */*.gc?? tdbtest.ldb*
+	rm -f $(BINS) $(TDB_OBJ) $(TALLOC_OBJ) $(LDB_LIB) $(NSS_LIB)
+	rm -f man/*.1 man/*.3 man/*.html
+	rm -f $(EXAMPLES)
+	rm -rf apidocs/
+	rm -rf tests/schema/
+
+distclean: clean
+	rm -f *~ */*~
+	rm -rf bin lib
+	rm -f config.log config.status config.cache include/config.h
+	rm -f ldb.pc
+	rm -f Makefile
+
+realdistclean: distclean
+	rm -f configure.in include/config.h.in
+
+test: all
+	for t in $(TESTS); do echo STARTING $${t}; $(srcdir)/tests/$${t} || exit 1; done
+
+valgrindtest: all
+	for t in $(TESTS); do echo STARTING $${t}; VALGRIND="valgrind -q --db-attach=yes --num-callers=30" $(srcdir)/tests/$${t} || exit 1; done
+
+installcheck: install test
+
+install: all
+	mkdir -p $(includedir) $(libdir)/pkgconfig $(libdir) $(bindir)
+	cp $(srcdir)/include/ldb.h $(srcdir)/include/ldb_errors.h $(includedir)
+	cp $(LDB_LIB) $(libdir)
+	cp $(BINS) $(bindir)
+	cp ldb.pc $(libdir)/pkgconfig
+	$(srcdir)/docs/installdocs.sh $(mandir)
+
+gcov:
+	$(GCOV) -po ldb_sqlite3 $(srcdir)/ldb_sqlite3/*.c 2| tee ldb_sqlite3.report.gcov
+	$(GCOV) -po ldb_ldap $(srcdir)/ldb_ldap/*.c 2| tee ldb_ldap.report.gcov
+	$(GCOV) -po ldb_tdb $(srcdir)/ldb_tdb/*.c 2| tee ldb_tdb.report.gcov
+	$(GCOV) -po common $(srcdir)/common/*.c 2| tee common.report.gcov
+	$(GCOV) -po modules $(srcdir)/modules/*.c 2| tee modules.report.gcov
+	$(GCOV) -po tools $(srcdir)/tools/*.c 2| tee tools.report.gcov
+
+etags:
+	etags `find $(srcdir) -name "*.[ch]"`
+
+ctags:
+	ctags `find $(srcdir) -name "*.[ch]"`
diff --git a/source3/lib/ldb/README_gcov.txt b/source3/lib/ldb/README_gcov.txt
new file mode 100644
index 0000000000..2abd9378f4
--- /dev/null
+++ b/source3/lib/ldb/README_gcov.txt
@@ -0,0 +1,29 @@
+Here is how to use gcov to test code coverage in ldb.
+
+Step 1: build ldb with gcov enabled
+
+     make clean all WITH_GCOV=1
+
+Step 3: run the test suite
+     make test-tdb
+
+Step 4: produce the gcov report
+     make gcov
+
+Step 5: read the summary reports
+     less *.report.gcov
+
+Step 6: examine the per-file reports
+     less ldb_tdb\#ldb_tdb.c.gcov
+
+You can also combine steps 2 to 4 like this:
+
+     make clean all test-tdb gcov WITH_GCOV=1
+
+Note that you should not expect 100% coverage, as some error paths
+(such as memory allocation failures) are very hard to trigger. There
+are ways of working around this, but they are quite tricky (they
+involve allocation wrappers that "fork and fail on malloc").
+
+The lines to look for in the per-file reports are the ones starting
+with "#####". Those are lines that are never executed. 
diff --git a/source3/lib/ldb/aclocal.m4 b/source3/lib/ldb/aclocal.m4
new file mode 100644
index 0000000000..5605e476ba
--- /dev/null
+++ b/source3/lib/ldb/aclocal.m4
@@ -0,0 +1 @@
+m4_include(libreplace.m4)
diff --git a/source3/lib/ldb/autogen.sh b/source3/lib/ldb/autogen.sh
new file mode 100755
index 0000000000..500cab87d5
--- /dev/null
+++ b/source3/lib/ldb/autogen.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+rm -rf autom4te.cache
+rm -f configure config.h.in
+
+IPATHS="-I libreplace -I lib/replace -I ../libreplace -I ../replace"
+IPATHS="$IPATHS -I lib/talloc -I talloc -I ../talloc"
+IPATHS="$IPATHS -I lib/tdb -I tdb -I ../tdb"
+IPATHS="$IPATHS -I lib/popt -I popt -I ../popt"
+autoheader $IPATHS || exit 1
+autoconf $IPATHS || exit 1
+
+rm -rf autom4te.cache
+
+echo "Now run ./configure and then make."
+exit 0
+
diff --git a/source3/lib/ldb/common/attrib_handlers.c b/source3/lib/ldb/common/attrib_handlers.c
new file mode 100644
index 0000000000..5f26db6776
--- /dev/null
+++ b/source3/lib/ldb/common/attrib_handlers.c
@@ -0,0 +1,405 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+  attribute handlers for well known attribute types, selected by syntax OID
+  see rfc2252
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "system/locale.h"
+
+/*
+  default handler that just copies a ldb_val.
+*/
+int ldb_handler_copy(struct ldb_context *ldb, void *mem_ctx,
+		     const struct ldb_val *in, struct ldb_val *out)
+{
+	*out = ldb_val_dup(mem_ctx, in);
+	if (in->length > 0 && out->data == NULL) {
+		ldb_oom(ldb);
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  a case folding copy handler, removing leading and trailing spaces and
+  multiple internal spaces
+
+  We exploit the fact that utf8 never uses the space octet except for
+  the space itself
+*/
+static int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
+			    const struct ldb_val *in, struct ldb_val *out)
+{
+	char *s, *t;
+	int l;
+	if (!in || !out || !(in->data)) {
+		return -1;
+	}
+
+	out->data = (uint8_t *)ldb_casefold(ldb, mem_ctx, (const char *)(in->data));
+	if (out->data == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb_handler_fold: unable to casefold string [%s]", in->data);
+		return -1;
+	}
+
+	s = (char *)(out->data);
+	
+	/* remove trailing spaces if any */
+	l = strlen(s);
+	while (l > 0 && s[l - 1] == ' ') l--;
+	s[l] = '\0';
+	
+	/* remove leading spaces if any */
+	if (*s == ' ') {
+		for (t = s; *s == ' '; s++) ;
+
+		/* remove leading spaces by moving down the string */
+		memmove(t, s, l);
+
+		s = t;
+	}
+
+	/* check middle spaces */
+	while ((t = strchr(s, ' ')) != NULL) {
+		for (s = t; *s == ' '; s++) ;
+
+		if ((s - t) > 1) {
+			l = strlen(s);
+
+			/* remove all spaces but one by moving down the string */
+			memmove(t + 1, s, l);
+		}
+	}
+
+	out->length = strlen((char *)out->data);
+	return 0;
+}
+
+
+
+/*
+  canonicalise a ldap Integer
+  rfc2252 specifies it should be in decimal form
+*/
+static int ldb_canonicalise_Integer(struct ldb_context *ldb, void *mem_ctx,
+				    const struct ldb_val *in, struct ldb_val *out)
+{
+	char *end;
+	long long i = strtoll((char *)in->data, &end, 0);
+	if (*end != 0) {
+		return -1;
+	}
+	out->data = (uint8_t *)talloc_asprintf(mem_ctx, "%lld", i);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((char *)out->data);
+	return 0;
+}
+
+/*
+  compare two Integers
+*/
+static int ldb_comparison_Integer(struct ldb_context *ldb, void *mem_ctx,
+				  const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	return strtoll((char *)v1->data, NULL, 0) - strtoll((char *)v2->data, NULL, 0);
+}
+
+/*
+  compare two binary blobs
+*/
+int ldb_comparison_binary(struct ldb_context *ldb, void *mem_ctx,
+			  const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	if (v1->length != v2->length) {
+		return v1->length - v2->length;
+	}
+	return memcmp(v1->data, v2->data, v1->length);
+}
+
+/*
+  compare two case insensitive strings, ignoring multiple whitespaces
+  and leading and trailing whitespaces
+  see rfc2252 section 8.1
+	
+  try to optimize for the ascii case,
+  but if we find out an utf8 codepoint revert to slower but correct function
+*/
+static int ldb_comparison_fold(struct ldb_context *ldb, void *mem_ctx,
+			       const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	const char *s1=(const char *)v1->data, *s2=(const char *)v2->data;
+	const char *u1, *u2;
+	char *b1, *b2;
+	int ret;
+	while (*s1 == ' ') s1++;
+	while (*s2 == ' ') s2++;
+	/* TODO: make utf8 safe, possibly with helper function from application */
+	while (*s1 && *s2) {
+		/* the first 127 (0x7F) chars are ascii and utf8 guarantes they
+		 * never appear in multibyte sequences */
+		if (((unsigned char)s1[0]) & 0x80) goto utf8str;
+		if (((unsigned char)s2[0]) & 0x80) goto utf8str;
+		if (toupper((unsigned char)*s1) != toupper((unsigned char)*s2))
+			break;
+		if (*s1 == ' ') {
+			while (s1[0] == s1[1]) s1++;
+			while (s2[0] == s2[1]) s2++;
+		}
+		s1++; s2++;
+	}
+	if (! (*s1 && *s2)) {
+		/* check for trailing spaces only if one of the pointers
+		 * has reached the end of the strings otherwise we
+		 * can mistakenly match.
+		 * ex. "domain users" <-> "domainUpdates"
+		 */
+		while (*s1 == ' ') s1++;
+		while (*s2 == ' ') s2++;
+	}
+	return (int)(toupper(*s1)) - (int)(toupper(*s2));
+
+utf8str:
+	/* no need to recheck from the start, just from the first utf8 char found */
+	b1 = ldb_casefold(ldb, mem_ctx, s1);
+	b2 = ldb_casefold(ldb, mem_ctx, s2);
+
+	if (b1 && b2) {
+		/* Both strings converted correctly */
+
+		u1 = b1;
+		u2 = b2;
+	} else {
+		/* One of the strings was not UTF8, so we have no options but to do a binary compare */
+
+		u1 = s1;
+		u2 = s2;
+	}
+
+	while (*u1 & *u2) {
+		if (*u1 != *u2)
+			break;
+		if (*u1 == ' ') {
+			while (u1[0] == u1[1]) u1++;
+			while (u2[0] == u2[1]) u2++;
+		}
+		u1++; u2++;
+	}
+	if (! (*u1 && *u2)) {
+		while (*u1 == ' ') u1++;
+		while (*u2 == ' ') u2++;
+	}
+	ret = (int)(*u1 - *u2);
+
+	talloc_free(b1);
+	talloc_free(b2);
+	
+	return ret;
+}
+
+/*
+  canonicalise a attribute in DN format
+*/
+static int ldb_canonicalise_dn(struct ldb_context *ldb, void *mem_ctx,
+			       const struct ldb_val *in, struct ldb_val *out)
+{
+	struct ldb_dn *dn;
+	int ret = -1;
+
+	out->length = 0;
+	out->data = NULL;
+
+	dn = ldb_dn_explode_casefold(ldb, mem_ctx, (char *)in->data);
+	if (dn == NULL) {
+		return -1;
+	}
+
+	out->data = (uint8_t *)ldb_dn_linearize(mem_ctx, dn);
+	if (out->data == NULL) {
+		goto done;
+	}
+	out->length = strlen((char *)out->data);
+
+	ret = 0;
+
+done:
+	talloc_free(dn);
+
+	return ret;
+}
+
+/*
+  compare two dns
+*/
+static int ldb_comparison_dn(struct ldb_context *ldb, void *mem_ctx,
+			     const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	struct ldb_dn *dn1 = NULL, *dn2 = NULL;
+	int ret;
+
+	dn1 = ldb_dn_explode_casefold(ldb, mem_ctx, (char *)v1->data);
+	if (dn1 == NULL) return -1;
+
+	dn2 = ldb_dn_explode_casefold(ldb, mem_ctx, (char *)v2->data);
+	if (dn2 == NULL) {
+		talloc_free(dn1);
+		return -1;
+	} 
+
+	ret = ldb_dn_compare(ldb, dn1, dn2);
+
+	talloc_free(dn1);
+	talloc_free(dn2);
+	return ret;
+}
+
+/*
+  compare two objectclasses, looking at subclasses
+*/
+static int ldb_comparison_objectclass(struct ldb_context *ldb, void *mem_ctx,
+				      const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	int ret, i;
+	const char **subclasses;
+	ret = ldb_comparison_fold(ldb, mem_ctx, v1, v2);
+	if (ret == 0) {
+		return 0;
+	}
+	subclasses = ldb_subclass_list(ldb, (char *)v1->data);
+	if (subclasses == NULL) {
+		return ret;
+	}
+	for (i=0;subclasses[i];i++) {
+		struct ldb_val vs;
+		vs.data = discard_const_p(uint8_t, subclasses[i]);
+		vs.length = strlen(subclasses[i]);
+		if (ldb_comparison_objectclass(ldb, mem_ctx, &vs, v2) == 0) {
+			return 0;
+		}
+	}
+	return ret;
+}
+
+/*
+  compare two utc time values. 1 second resolution
+*/
+static int ldb_comparison_utctime(struct ldb_context *ldb, void *mem_ctx,
+				  const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	time_t t1, t2;
+	t1 = ldb_string_to_time((char *)v1->data);
+	t2 = ldb_string_to_time((char *)v2->data);
+	return (int)t2 - (int)t1;
+}
+
+/*
+  canonicalise a utc time
+*/
+static int ldb_canonicalise_utctime(struct ldb_context *ldb, void *mem_ctx,
+				    const struct ldb_val *in, struct ldb_val *out)
+{
+	time_t t = ldb_string_to_time((char *)in->data);
+	out->data = (uint8_t *)ldb_timestring(mem_ctx, t);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((char *)out->data);
+	return 0;
+}
+
+/*
+  table of standard attribute handlers
+*/
+static const struct ldb_attrib_handler ldb_standard_attribs[] = {
+	{ 
+		.attr            = LDB_SYNTAX_INTEGER,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_canonicalise_Integer,
+		.comparison_fn   = ldb_comparison_Integer
+	},
+	{ 
+		.attr            = LDB_SYNTAX_OCTET_STRING,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_handler_copy,
+		.comparison_fn   = ldb_comparison_binary
+	},
+	{ 
+		.attr            = LDB_SYNTAX_DIRECTORY_STRING,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_handler_fold,
+		.comparison_fn   = ldb_comparison_fold
+	},
+	{ 
+		.attr            = LDB_SYNTAX_DN,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_canonicalise_dn,
+		.comparison_fn   = ldb_comparison_dn
+	},
+	{ 
+		.attr            = LDB_SYNTAX_OBJECTCLASS,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_handler_fold,
+		.comparison_fn   = ldb_comparison_objectclass
+	},
+	{ 
+		.attr            = LDB_SYNTAX_UTC_TIME,
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldb_canonicalise_utctime,
+		.comparison_fn   = ldb_comparison_utctime
+	}
+};
+
+
+/*
+  return the attribute handlers for a given syntax name
+*/
+const struct ldb_attrib_handler *ldb_attrib_handler_syntax(struct ldb_context *ldb,
+							   const char *syntax)
+{
+	int i;
+	unsigned num_handlers = sizeof(ldb_standard_attribs)/sizeof(ldb_standard_attribs[0]);
+	/* TODO: should be replaced with a binary search */
+	for (i=0;i<num_handlers;i++) {
+		if (strcmp(ldb_standard_attribs[i].attr, syntax) == 0) {
+			return &ldb_standard_attribs[i];
+		}
+	}
+	return NULL;
+}
+
diff --git a/source3/lib/ldb/common/ldb.c b/source3/lib/ldb/common/ldb.c
new file mode 100644
index 0000000000..743711b967
--- /dev/null
+++ b/source3/lib/ldb/common/ldb.c
@@ -0,0 +1,1132 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+   Copyright (C) Simo Sorce  2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb core API
+ *
+ *  Description: core API routines interfacing to ldb backends
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/* 
+   initialise a ldb context
+   The mem_ctx is optional
+*/
+struct ldb_context *ldb_init(void *mem_ctx)
+{
+	struct ldb_context *ldb = talloc_zero(mem_ctx, struct ldb_context);
+	int ret;
+
+	ret = ldb_setup_wellknown_attributes(ldb);
+	if (ret != 0) {
+		talloc_free(ldb);
+		return NULL;
+	}
+
+	ldb_set_utf8_default(ldb);
+	ldb_set_create_perms(ldb, 0600);
+
+	return ldb;
+}
+
+static struct ldb_backend {
+	const char *name;
+	ldb_connect_fn connect_fn;
+	struct ldb_backend *prev, *next;
+} *ldb_backends = NULL;
+
+
+static ldb_connect_fn ldb_find_backend(const char *url)
+{
+	struct ldb_backend *backend;
+
+	for (backend = ldb_backends; backend; backend = backend->next) {
+		if (strncmp(backend->name, url, strlen(backend->name)) == 0) {
+			return backend->connect_fn;
+		}
+	}
+
+	return NULL;
+}
+
+/*
+ register a new ldb backend
+*/
+int ldb_register_backend(const char *url_prefix, ldb_connect_fn connectfn)
+{
+	struct ldb_backend *backend = talloc(talloc_autofree_context(), struct ldb_backend);
+
+	if (ldb_find_backend(url_prefix)) {
+		return LDB_SUCCESS;
+	}
+
+	/* Maybe check for duplicity here later on? */
+
+	backend->name = talloc_strdup(backend, url_prefix);
+	backend->connect_fn = connectfn;
+	DLIST_ADD(ldb_backends, backend);
+
+	return LDB_SUCCESS;
+}
+
+/* 
+   Return the ldb module form of a database. The URL can either be one of the following forms
+   ldb://path
+   ldapi://path
+
+   flags is made up of LDB_FLG_*
+
+   the options are passed uninterpreted to the backend, and are
+   backend specific.
+
+  This allows modules to get at only the backend module, for example where a module 
+  may wish to direct certain requests at a particular backend.
+*/
+int ldb_connect_backend(struct ldb_context *ldb, const char *url, const char *options[],
+			struct ldb_module **backend_module)
+{
+	int ret;
+	char *backend;
+	ldb_connect_fn fn;
+
+	if (strchr(url, ':') != NULL) {
+		backend = talloc_strndup(ldb, url, strchr(url, ':')-url);
+	} else {
+		/* Default to tdb */
+		backend = talloc_strdup(ldb, "tdb");
+	}
+
+	fn = ldb_find_backend(backend);
+
+	if (fn == NULL) {
+		if (ldb_try_load_dso(ldb, backend) == 0) {
+			fn = ldb_find_backend(backend);
+		}
+	}
+
+	talloc_free(backend);
+
+	if (fn == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "Unable to find backend for '%s'\n", url);
+		return LDB_ERR_OTHER;
+	}
+
+	ret = fn(ldb, url, ldb->flags, options, backend_module);
+
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to '%s'\n", url);
+		return ret;
+	}
+	return ret;
+}
+
+/*
+  try to autodetect a basedn if none specified. This fixes one of my
+  pet hates about ldapsearch, which is that you have to get a long,
+  complex basedn right to make any use of it.
+*/
+static const struct ldb_dn *ldb_set_default_basedn(struct ldb_context *ldb)
+{
+	TALLOC_CTX *tmp_ctx;
+	int ret;
+	static const char *attrs[] = { "defaultNamingContext", NULL };
+	struct ldb_result *res;
+	struct ldb_dn *basedn=NULL;
+
+	basedn = (struct ldb_dn *)ldb_get_opaque(ldb, "default_baseDN");
+	if (basedn) {
+		return basedn;
+	}
+
+	tmp_ctx = talloc_new(ldb);
+	ret = ldb_search(ldb, ldb_dn_new(tmp_ctx), LDB_SCOPE_BASE, 
+			 "(objectClass=*)", attrs, &res);
+	if (ret == LDB_SUCCESS) {
+		if (res->count == 1) {
+			basedn = ldb_msg_find_attr_as_dn(ldb, res->msgs[0], "defaultNamingContext");
+			ldb_set_opaque(ldb, "default_baseDN", basedn);
+		}
+		talloc_free(res);
+	}
+
+	talloc_free(tmp_ctx);
+	return basedn;
+}
+
+const struct ldb_dn *ldb_get_default_basedn(struct ldb_context *ldb)
+{
+	return (const struct ldb_dn *)ldb_get_opaque(ldb, "default_baseDN");
+}
+
+/* 
+ connect to a database. The URL can either be one of the following forms
+   ldb://path
+   ldapi://path
+
+   flags is made up of LDB_FLG_*
+
+   the options are passed uninterpreted to the backend, and are
+   backend specific
+*/
+int ldb_connect(struct ldb_context *ldb, const char *url, unsigned int flags, const char *options[])
+{
+	int ret;
+
+	ldb->flags = flags;
+
+	ret = ldb_connect_backend(ldb, url, options, &ldb->modules);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (ldb_load_modules(ldb, options) != LDB_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "Unable to load modules for %s: %s\n",
+			  url, ldb_errstring(ldb));
+		return LDB_ERR_OTHER;
+	}
+
+	/* TODO: get timeout from options if available there */
+	ldb->default_timeout = 300; /* set default to 5 minutes */
+
+	/* set the default base dn */
+	ldb_set_default_basedn(ldb);
+
+	return LDB_SUCCESS;
+}
+
+void ldb_set_errstring(struct ldb_context *ldb, const char *err_string)
+{
+	if (ldb->err_string) {
+		talloc_free(ldb->err_string);
+	}
+	ldb->err_string = talloc_strdup(ldb, err_string);
+}
+
+void ldb_asprintf_errstring(struct ldb_context *ldb, const char *format, ...)
+{
+	va_list ap;
+
+	if (ldb->err_string) {
+		talloc_free(ldb->err_string);
+	}
+
+	va_start(ap, format);
+	ldb->err_string = talloc_vasprintf(ldb, format, ap);
+	va_end(ap);
+}
+
+void ldb_reset_err_string(struct ldb_context *ldb)
+{
+	if (ldb->err_string) {
+		talloc_free(ldb->err_string);
+		ldb->err_string = NULL;
+	}
+}
+
+#define FIRST_OP(ldb, op) do { \
+	module = ldb->modules;					\
+	while (module && module->ops->op == NULL) module = module->next; \
+	if (module == NULL) {						\
+		ldb_asprintf_errstring(ldb, "unable to find module or backend to handle operation: " #op); \
+		return LDB_ERR_OPERATIONS_ERROR;			\
+	} \
+} while (0)
+
+/*
+  start a transaction
+*/
+static int ldb_transaction_start_internal(struct ldb_context *ldb)
+{
+	struct ldb_module *module;
+	int status;
+	FIRST_OP(ldb, start_transaction);
+
+	ldb_reset_err_string(ldb);
+
+	status = module->ops->start_transaction(module);
+	if (status != LDB_SUCCESS) {
+		if (ldb->err_string == NULL) {
+			/* no error string was setup by the backend */
+			ldb_asprintf_errstring(ldb,
+						"ldb transaction start: %s (%d)", 
+						ldb_strerror(status), 
+						status);
+		}
+	}
+	return status;
+}
+
+/*
+  commit a transaction
+*/
+static int ldb_transaction_commit_internal(struct ldb_context *ldb)
+{
+	struct ldb_module *module;
+	int status;
+	FIRST_OP(ldb, end_transaction);
+
+	ldb_reset_err_string(ldb);
+
+	status = module->ops->end_transaction(module);
+	if (status != LDB_SUCCESS) {
+		if (ldb->err_string == NULL) {
+			/* no error string was setup by the backend */
+			ldb_asprintf_errstring(ldb, 
+						"ldb transaction commit: %s (%d)", 
+						ldb_strerror(status), 
+						status);
+		}
+	}
+	return status;
+}
+
+/*
+  cancel a transaction
+*/
+static int ldb_transaction_cancel_internal(struct ldb_context *ldb)
+{
+	struct ldb_module *module;
+	int status;
+	FIRST_OP(ldb, del_transaction);
+
+	status = module->ops->del_transaction(module);
+	if (status != LDB_SUCCESS) {
+		if (ldb->err_string == NULL) {
+			/* no error string was setup by the backend */
+			ldb_asprintf_errstring(ldb, 
+						"ldb transaction cancel: %s (%d)", 
+						ldb_strerror(status), 
+						status);
+		}
+	}
+	return status;
+}
+
+int ldb_transaction_start(struct ldb_context *ldb)
+{
+	/* disable autotransactions */
+	ldb->transaction_active++;
+
+	return ldb_transaction_start_internal(ldb);
+}
+
+int ldb_transaction_commit(struct ldb_context *ldb)
+{
+	/* renable autotransactions (when we reach 0) */
+	if (ldb->transaction_active > 0)
+		ldb->transaction_active--;
+
+	return ldb_transaction_commit_internal(ldb);
+}
+
+int ldb_transaction_cancel(struct ldb_context *ldb)
+{
+	/* renable autotransactions (when we reach 0) */
+	if (ldb->transaction_active > 0)
+		ldb->transaction_active--;
+
+	return ldb_transaction_cancel_internal(ldb);
+}
+
+static int ldb_autotransaction_start(struct ldb_context *ldb)
+{
+	/* explicit transaction active, ignore autotransaction request */
+	if (ldb->transaction_active)
+		return LDB_SUCCESS;
+
+	return ldb_transaction_start_internal(ldb);
+}
+
+static int ldb_autotransaction_commit(struct ldb_context *ldb)
+{
+	/* explicit transaction active, ignore autotransaction request */
+	if (ldb->transaction_active)
+		return LDB_SUCCESS;
+
+	return ldb_transaction_commit_internal(ldb);
+}
+
+static int ldb_autotransaction_cancel(struct ldb_context *ldb)
+{
+	/* explicit transaction active, ignore autotransaction request */
+	if (ldb->transaction_active)
+		return LDB_SUCCESS;
+
+	return ldb_transaction_cancel_internal(ldb);
+}
+
+/* autostarts a transacion if none active */
+static int ldb_autotransaction_request(struct ldb_context *ldb, struct ldb_request *req)
+{
+	int ret;
+
+	ret = ldb_autotransaction_start(ldb);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = ldb_request(ldb, req);
+	if (ret == LDB_SUCCESS) {
+		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+	}
+
+	if (ret == LDB_SUCCESS) {
+		return ldb_autotransaction_commit(ldb);
+	}
+	ldb_autotransaction_cancel(ldb);
+
+	if (ldb->err_string == NULL) {
+		/* no error string was setup by the backend */
+		ldb_asprintf_errstring(ldb, "%s (%d)", ldb_strerror(ret), ret);
+	}
+
+	return ret;
+}
+
+int ldb_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (!handle) {
+		return LDB_SUCCESS;
+	}
+
+	return handle->module->ops->wait(handle, type);
+}
+
+/* set the specified timeout or, if timeout is 0 set the default timeout */
+/* timeout == -1 means no timeout */
+int ldb_set_timeout(struct ldb_context *ldb, struct ldb_request *req, int timeout)
+{
+	if (req == NULL) return LDB_ERR_OPERATIONS_ERROR;
+	
+	if (timeout != 0) {
+		req->timeout = timeout;
+	} else {
+		req->timeout = ldb->default_timeout;
+	}
+	req->starttime = time(NULL);
+
+	return LDB_SUCCESS;
+}
+
+/* calculates the new timeout based on the previous starttime and timeout */
+int ldb_set_timeout_from_prev_req(struct ldb_context *ldb, struct ldb_request *oldreq, struct ldb_request *newreq)
+{
+	time_t now;
+
+	if (newreq == NULL) return LDB_ERR_OPERATIONS_ERROR;
+
+	now = time(NULL);
+
+	if (oldreq == NULL)
+		return ldb_set_timeout(ldb, newreq, 0);
+
+	if ((now - oldreq->starttime) > oldreq->timeout) {
+		return LDB_ERR_TIME_LIMIT_EXCEEDED;
+	}
+	newreq->starttime = oldreq->starttime;
+	newreq->timeout = oldreq->timeout - (now - oldreq->starttime);
+
+	return LDB_SUCCESS;
+}
+
+
+/* 
+   set the permissions for new files to be passed to open() in
+   backends that use local files
+ */
+void ldb_set_create_perms(struct ldb_context *ldb, unsigned int perms)
+{
+	ldb->create_perms = perms;
+}
+
+/*
+  start an ldb request
+  NOTE: the request must be a talloc context.
+  returns LDB_ERR_* on errors.
+*/
+int ldb_request(struct ldb_context *ldb, struct ldb_request *req)
+{
+	struct ldb_module *module;
+	int ret;
+
+	ldb_reset_err_string(ldb);
+
+	/* call the first module in the chain */
+	switch (req->operation) {
+	case LDB_SEARCH:
+		FIRST_OP(ldb, search);
+		ret = module->ops->search(module, req);
+		break;
+	case LDB_ADD:
+		FIRST_OP(ldb, add);
+		ret = module->ops->add(module, req);
+		break;
+	case LDB_MODIFY:
+		FIRST_OP(ldb, modify);
+		ret = module->ops->modify(module, req);
+		break;
+	case LDB_DELETE:
+		FIRST_OP(ldb, del);
+		ret = module->ops->del(module, req);
+		break;
+	case LDB_RENAME:
+		FIRST_OP(ldb, rename);
+		ret = module->ops->rename(module, req);
+		break;
+	case LDB_SEQUENCE_NUMBER:
+		FIRST_OP(ldb, sequence_number);
+		ret = module->ops->sequence_number(module, req);
+		break;
+	default:
+		FIRST_OP(ldb, request);
+		ret = module->ops->request(module, req);
+		break;
+	}
+
+	return ret;
+}
+
+/*
+  search the database given a LDAP-like search expression
+
+  returns an LDB error code
+
+  Use talloc_free to free the ldb_message returned in 'res', if successful
+
+*/
+int ldb_search_default_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct ldb_result *res;
+	int n;
+	
+ 	if (!context) {
+		ldb_set_errstring(ldb, "NULL Context in callback");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}	
+
+	res = talloc_get_type(context, struct ldb_result);
+
+	if (!res || !ares) {
+		ldb_set_errstring(ldb, "NULL res or ares in callback");
+		goto error;
+	}
+
+	switch (ares->type) {
+	case LDB_REPLY_ENTRY:
+		res->msgs = talloc_realloc(res, res->msgs, struct ldb_message *, res->count + 2);
+		if (! res->msgs) {
+			goto error;
+		}
+
+		res->msgs[res->count + 1] = NULL;
+
+		res->msgs[res->count] = talloc_move(res->msgs, &ares->message);
+		res->count++;
+		break;
+	case LDB_REPLY_REFERRAL:
+		if (res->refs) {
+			for (n = 0; res->refs[n]; n++) /*noop*/ ;
+		} else {
+			n = 0;
+		}
+
+		res->refs = talloc_realloc(res, res->refs, char *, n + 2);
+		if (! res->refs) {
+			goto error;
+		}
+
+		res->refs[n] = talloc_move(res->refs, &ares->referral);
+		res->refs[n + 1] = NULL;
+	case LDB_REPLY_EXTENDED:
+	case LDB_REPLY_DONE:
+		/* TODO: we should really support controls on entries and referrals too! */
+		res->controls = talloc_move(res, &ares->controls);
+		break;		
+	}
+	talloc_free(ares);
+	return LDB_SUCCESS;
+
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+int ldb_build_search_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *base,
+	       		enum ldb_scope scope,
+			const char *expression,
+			const char * const *attrs,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback)
+{
+	struct ldb_request *req;
+
+	*ret_req = NULL;
+
+	req = talloc(mem_ctx, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_SEARCH;
+	if (base == NULL) {
+		req->op.search.base = ldb_dn_new(req);
+	} else {
+		req->op.search.base = base;
+	}
+	req->op.search.scope = scope;
+
+	req->op.search.tree = ldb_parse_tree(req, expression);
+	if (req->op.search.tree == NULL) {
+		ldb_set_errstring(ldb, "Unable to parse search expression");
+		talloc_free(req);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->op.search.attrs = attrs;
+	req->controls = controls;
+	req->context = context;
+	req->callback = callback;
+
+	*ret_req = req;
+	return LDB_SUCCESS;
+}
+
+int ldb_build_add_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_message *message,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback)
+{
+	struct ldb_request *req;
+
+	*ret_req = NULL;
+
+	req = talloc(mem_ctx, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_ADD;
+	req->op.add.message = message;
+	req->controls = controls;
+	req->context = context;
+	req->callback = callback;
+
+	*ret_req = req;
+
+	return LDB_SUCCESS;
+}
+
+int ldb_build_mod_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_message *message,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback)
+{
+	struct ldb_request *req;
+
+	*ret_req = NULL;
+
+	req = talloc(mem_ctx, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_MODIFY;
+	req->op.mod.message = message;
+	req->controls = controls;
+	req->context = context;
+	req->callback = callback;
+
+	*ret_req = req;
+
+	return LDB_SUCCESS;
+}
+
+int ldb_build_del_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *dn,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback)
+{
+	struct ldb_request *req;
+
+	*ret_req = NULL;
+
+	req = talloc(mem_ctx, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_DELETE;
+	req->op.del.dn = dn;
+	req->controls = controls;
+	req->context = context;
+	req->callback = callback;
+
+	*ret_req = req;
+
+	return LDB_SUCCESS;
+}
+
+int ldb_build_rename_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *olddn,
+			const struct ldb_dn *newdn,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback)
+{
+	struct ldb_request *req;
+
+	*ret_req = NULL;
+
+	req = talloc(mem_ctx, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_RENAME;
+	req->op.rename.olddn = olddn;
+	req->op.rename.newdn = newdn;
+	req->controls = controls;
+	req->context = context;
+	req->callback = callback;
+
+	*ret_req = req;
+
+	return LDB_SUCCESS;
+}
+
+/*
+  note that ldb_search() will automatically replace a NULL 'base' value with the 
+  defaultNamingContext from the rootDSE if available.
+*/
+int ldb_search(struct ldb_context *ldb, 
+	       const struct ldb_dn *base,
+	       enum ldb_scope scope,
+	       const char *expression,
+	       const char * const *attrs, 
+	       struct ldb_result **_res)
+{
+	struct ldb_request *req;
+	int ret;
+	struct ldb_result *res;
+
+	*_res = NULL;
+
+	res = talloc_zero(ldb, struct ldb_result);
+	if (!res) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldb_build_search_req(&req, ldb, ldb,
+					base?base:ldb_get_default_basedn(ldb),
+	       				scope,
+					expression,
+					attrs,
+					NULL,
+					res,
+					ldb_search_default_callback);
+
+	if (ret != LDB_SUCCESS) goto done;
+
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	ret = ldb_request(ldb, req);
+	
+	if (ret == LDB_SUCCESS) {
+		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+	}
+
+	talloc_free(req);
+
+done:
+	if (ret != LDB_SUCCESS) {
+		talloc_free(res);
+	}
+
+	*_res = res;
+	return ret;
+}
+
+/*
+ a useful search function where you can easily define the expression and that
+ takes a memory context where results are allocated
+*/
+
+int ldb_search_exp_fmt(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_result **result,
+                        struct ldb_dn *base, enum ldb_scope scope, const char * const *attrs,
+                        const char *exp_fmt, ...)
+{
+	struct ldb_result *res;
+	char *expression;
+	va_list ap;
+	int ret;
+
+	res = NULL;
+	*result = NULL;
+
+	va_start(ap, exp_fmt);
+	expression = talloc_vasprintf(mem_ctx, exp_fmt, ap);
+	va_end(ap);
+
+	if ( ! expression) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldb_search(ldb, base, scope, expression, attrs, &res);
+
+	if (ret == LDB_SUCCESS) {
+		talloc_steal(mem_ctx, res);
+		*result = res;
+	} else {
+		talloc_free(res);
+	}
+
+	talloc_free(expression);
+
+	return ret;
+}
+
+/*
+  add a record to the database. Will fail if a record with the given class and key
+  already exists
+*/
+int ldb_add(struct ldb_context *ldb, 
+	    const struct ldb_message *message)
+{
+	struct ldb_request *req;
+	int ret;
+
+	ret = ldb_msg_sanity_check(ldb, message);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = ldb_build_add_req(&req, ldb, ldb,
+					message,
+					NULL,
+					NULL,
+					NULL);
+
+	if (ret != LDB_SUCCESS) return ret;
+
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	/* do request and autostart a transaction */
+	ret = ldb_autotransaction_request(ldb, req);
+
+	talloc_free(req);
+	return ret;
+}
+
+/*
+  modify the specified attributes of a record
+*/
+int ldb_modify(struct ldb_context *ldb, 
+	       const struct ldb_message *message)
+{
+	struct ldb_request *req;
+	int ret;
+
+	ret = ldb_msg_sanity_check(ldb, message);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	ret = ldb_build_mod_req(&req, ldb, ldb,
+					message,
+					NULL,
+					NULL,
+					NULL);
+
+	if (ret != LDB_SUCCESS) return ret;
+
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	/* do request and autostart a transaction */
+	ret = ldb_autotransaction_request(ldb, req);
+
+	talloc_free(req);
+	return ret;
+}
+
+
+/*
+  delete a record from the database
+*/
+int ldb_delete(struct ldb_context *ldb, const struct ldb_dn *dn)
+{
+	struct ldb_request *req;
+	int ret;
+
+	ret = ldb_build_del_req(&req, ldb, ldb,
+					dn,
+					NULL,
+					NULL,
+					NULL);
+
+	if (ret != LDB_SUCCESS) return ret;
+
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	/* do request and autostart a transaction */
+	ret = ldb_autotransaction_request(ldb, req);
+
+	talloc_free(req);
+	return ret;
+}
+
+/*
+  rename a record in the database
+*/
+int ldb_rename(struct ldb_context *ldb, const struct ldb_dn *olddn, const struct ldb_dn *newdn)
+{
+	struct ldb_request *req;
+	int ret;
+
+	ret = ldb_build_rename_req(&req, ldb, ldb,
+					olddn,
+					newdn,
+					NULL,
+					NULL,
+					NULL);
+
+	if (ret != LDB_SUCCESS) return ret;
+
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	/* do request and autostart a transaction */
+	ret = ldb_autotransaction_request(ldb, req);
+
+	talloc_free(req);
+	return ret;
+}
+
+
+/*
+  return the global sequence number
+*/
+int ldb_sequence_number(struct ldb_context *ldb, enum ldb_sequence_type type, uint64_t *seq_num)
+{
+	struct ldb_request *req;
+	int ret;
+
+	req = talloc(ldb, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_SEQUENCE_NUMBER;
+	req->controls = NULL;
+	req->context = NULL;
+	req->callback = NULL;
+	ldb_set_timeout(ldb, req, 0); /* use default timeout */
+
+	req->op.seq_num.type = type;
+	/* do request and autostart a transaction */
+	ret = ldb_request(ldb, req);
+	
+	if (ret == LDB_SUCCESS) {
+		*seq_num = req->op.seq_num.seq_num;
+	}
+
+	talloc_free(req);
+	return ret;
+}
+
+
+
+/*
+  return extended error information 
+*/
+const char *ldb_errstring(struct ldb_context *ldb)
+{
+	if (ldb->err_string) {
+		return ldb->err_string;
+	}
+
+	return NULL;
+}
+
+/*
+  return a string explaining what a ldb error constant meancs
+*/
+const char *ldb_strerror(int ldb_err)
+{
+	switch (ldb_err) {
+	case LDB_SUCCESS:
+		return "Success";
+	case LDB_ERR_OPERATIONS_ERROR:
+		return "Operations error";
+	case LDB_ERR_PROTOCOL_ERROR:
+		return "Protocol error";
+	case LDB_ERR_TIME_LIMIT_EXCEEDED:
+		return "Time limit exceeded";
+	case LDB_ERR_SIZE_LIMIT_EXCEEDED:
+		return "Size limit exceeded";
+	case LDB_ERR_COMPARE_FALSE:
+		return "Compare false";
+	case LDB_ERR_COMPARE_TRUE:
+		return "Compare true";
+	case LDB_ERR_AUTH_METHOD_NOT_SUPPORTED:
+		return "Auth method not supported";
+	case LDB_ERR_STRONG_AUTH_REQUIRED:
+		return "Strong auth required";
+/* 9 RESERVED */
+	case LDB_ERR_REFERRAL:
+		return "Referral error";
+	case LDB_ERR_ADMIN_LIMIT_EXCEEDED:
+		return "Admin limit exceeded";
+	case LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION:
+		return "Unsupported critical extension";
+	case LDB_ERR_CONFIDENTIALITY_REQUIRED:
+		return "Confidentiality required";
+	case LDB_ERR_SASL_BIND_IN_PROGRESS:
+		return "SASL bind in progress";
+	case LDB_ERR_NO_SUCH_ATTRIBUTE:
+		return "No such attribute";
+	case LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE:
+		return "Undefined attribute type";
+	case LDB_ERR_INAPPROPRIATE_MATCHING:
+		return "Inappropriate matching";
+	case LDB_ERR_CONSTRAINT_VIOLATION:
+		return "Constraint violation";
+	case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+		return "Attribute or value exists";
+	case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX:
+		return "Invalid attribute syntax";
+/* 22-31 unused */
+	case LDB_ERR_NO_SUCH_OBJECT:
+		return "No such object";
+	case LDB_ERR_ALIAS_PROBLEM:
+		return "Alias problem";
+	case LDB_ERR_INVALID_DN_SYNTAX:
+		return "Invalid DN syntax";
+/* 35 RESERVED */
+	case LDB_ERR_ALIAS_DEREFERENCING_PROBLEM:
+		return "Alias dereferencing problem";
+/* 37-47 unused */
+	case LDB_ERR_INAPPROPRIATE_AUTHENTICATION:
+		return "Inappropriate authentication";
+	case LDB_ERR_INVALID_CREDENTIALS:
+		return "Invalid credentials";
+	case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+		return "insufficient access rights";
+	case LDB_ERR_BUSY:
+		return "Busy";
+	case LDB_ERR_UNAVAILABLE:
+		return "Unavailable";
+	case LDB_ERR_UNWILLING_TO_PERFORM:
+		return "Unwilling to perform";
+	case LDB_ERR_LOOP_DETECT:
+		return "Loop detect";
+/* 55-63 unused */
+	case LDB_ERR_NAMING_VIOLATION:
+		return "Naming violation";
+	case LDB_ERR_OBJECT_CLASS_VIOLATION:
+		return "Object class violation";
+	case LDB_ERR_NOT_ALLOWED_ON_NON_LEAF:
+		return "Not allowed on non-leaf";
+	case LDB_ERR_NOT_ALLOWED_ON_RDN:
+		return "Not allowed on RDN";
+	case LDB_ERR_ENTRY_ALREADY_EXISTS:
+		return "Entry already exists";
+	case LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED:
+		return "Object class mods prohibited";
+/* 70 RESERVED FOR CLDAP */
+	case LDB_ERR_AFFECTS_MULTIPLE_DSAS:
+		return "Affects multiple DSAs";
+/* 72-79 unused */
+	case LDB_ERR_OTHER:
+		return "Other";
+	}
+
+	return "Unknown error";
+}
+
+/*
+  set backend specific opaque parameters
+*/
+int ldb_set_opaque(struct ldb_context *ldb, const char *name, void *value)
+{
+	struct ldb_opaque *o;
+
+	/* allow updating an existing value */
+	for (o=ldb->opaque;o;o=o->next) {
+		if (strcmp(o->name, name) == 0) {
+			o->value = value;
+			return LDB_SUCCESS;
+		}
+	}
+
+	o = talloc(ldb, struct ldb_opaque);
+	if (o == NULL) {
+		ldb_oom(ldb);
+		return LDB_ERR_OTHER;
+	}
+	o->next = ldb->opaque;
+	o->name = name;
+	o->value = value;
+	ldb->opaque = o;
+	return LDB_SUCCESS;
+}
+
+/*
+  get a previously set opaque value
+*/
+void *ldb_get_opaque(struct ldb_context *ldb, const char *name)
+{
+	struct ldb_opaque *o;
+	for (o=ldb->opaque;o;o=o->next) {
+		if (strcmp(o->name, name) == 0) {
+			return o->value;
+		}
+	}
+	return NULL;
+}
diff --git a/source3/lib/ldb/common/ldb_attributes.c b/source3/lib/ldb/common/ldb_attributes.c
new file mode 100644
index 0000000000..5ecbdc7940
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_attributes.c
@@ -0,0 +1,308 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+  register handlers for specific attributes and objectclass relationships
+
+  this allows a backend to store its schema information in any format
+  it likes (or to not have any schema information at all) while keeping the 
+  message matching logic generic
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/*
+  add to the list of ldif handlers for this ldb context
+*/
+int ldb_set_attrib_handlers(struct ldb_context *ldb, 
+			    const struct ldb_attrib_handler *handlers, 
+			    unsigned num_handlers)
+{
+	int i;
+	struct ldb_attrib_handler *h;
+	h = talloc_realloc(ldb, ldb->schema.attrib_handlers,
+			   struct ldb_attrib_handler,
+			   ldb->schema.num_attrib_handlers + num_handlers);
+	if (h == NULL) {
+		ldb_oom(ldb);
+		return -1;
+	}
+	ldb->schema.attrib_handlers = h;
+	memcpy(h + ldb->schema.num_attrib_handlers, 
+	       handlers, sizeof(*h) * num_handlers);
+	for (i=0;i<num_handlers;i++) {
+		if (h[ldb->schema.num_attrib_handlers+i].flags & LDB_ATTR_FLAG_ALLOCATED) {
+			h[ldb->schema.num_attrib_handlers+i].attr = talloc_strdup(ldb->schema.attrib_handlers,
+										  h[ldb->schema.num_attrib_handlers+i].attr);
+			if (h[ldb->schema.num_attrib_handlers+i].attr == NULL) {
+				ldb_oom(ldb);
+				return -1;
+			}
+		}
+	}
+	ldb->schema.num_attrib_handlers += num_handlers;
+	return 0;
+}
+			  
+
+/*
+  default function for read/write/canonicalise
+*/
+static int ldb_default_copy(struct ldb_context *ldb, 
+			    void *mem_ctx,
+			    const struct ldb_val *in, 
+			    struct ldb_val *out)
+{
+	*out = ldb_val_dup(mem_ctx, in);
+
+	if (out->data == NULL && in->data != NULL) {
+		return -1;
+	}
+
+	return 0;
+}
+
+/*
+  default function for comparison
+*/
+static int ldb_default_cmp(struct ldb_context *ldb, 
+			    void *mem_ctx,
+			   const struct ldb_val *v1, 
+			   const struct ldb_val *v2)
+{
+	if (v1->length != v2->length) {
+		return v1->length - v2->length;
+	}
+	return memcmp(v1->data, v2->data, v1->length);
+}
+
+/*
+  default handler function pointers
+*/
+static const struct ldb_attrib_handler ldb_default_attrib_handler = {
+	.attr = NULL,
+	.ldif_read_fn    = ldb_default_copy,
+	.ldif_write_fn   = ldb_default_copy,
+	.canonicalise_fn = ldb_default_copy,
+	.comparison_fn   = ldb_default_cmp,
+};
+
+/*
+  return the attribute handlers for a given attribute
+*/
+const struct ldb_attrib_handler *ldb_attrib_handler(struct ldb_context *ldb,
+						    const char *attrib)
+{
+	int i;
+	const struct ldb_attrib_handler *def = &ldb_default_attrib_handler;
+	/* TODO: should be replaced with a binary search, with a sort on add */
+	for (i=0;i<ldb->schema.num_attrib_handlers;i++) {
+		if (strcmp(ldb->schema.attrib_handlers[i].attr, "*") == 0) {
+			def = &ldb->schema.attrib_handlers[i];
+		}
+		if (ldb_attr_cmp(attrib, ldb->schema.attrib_handlers[i].attr) == 0) {
+			return &ldb->schema.attrib_handlers[i];
+		}
+	}
+	return def;
+}
+
+
+/*
+  add to the list of ldif handlers for this ldb context
+*/
+void ldb_remove_attrib_handler(struct ldb_context *ldb, const char *attrib)
+{
+	const struct ldb_attrib_handler *h;
+	int i;
+	h = ldb_attrib_handler(ldb, attrib);
+	if (h == &ldb_default_attrib_handler) {
+		return;
+	}
+	if (h->flags & LDB_ATTR_FLAG_ALLOCATED) {
+		talloc_free(discard_const_p(char, h->attr));
+	}
+	i = h - ldb->schema.attrib_handlers;
+	if (i < ldb->schema.num_attrib_handlers - 1) {
+		memmove(&ldb->schema.attrib_handlers[i], 
+			h+1, sizeof(*h) * (ldb->schema.num_attrib_handlers-(i+1)));
+	}
+	ldb->schema.num_attrib_handlers--;
+}
+
+/*
+  setup a attribute handler using a standard syntax
+*/
+int ldb_set_attrib_handler_syntax(struct ldb_context *ldb, 
+				  const char *attr, const char *syntax)
+{
+	const struct ldb_attrib_handler *h = ldb_attrib_handler_syntax(ldb, syntax);
+	struct ldb_attrib_handler h2;
+	if (h == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Unknown syntax '%s'\n", syntax);
+		return -1;
+	}
+	h2 = *h;
+	h2.attr = attr;
+	return ldb_set_attrib_handlers(ldb, &h2, 1);
+}
+
+/*
+  setup the attribute handles for well known attributes
+*/
+int ldb_setup_wellknown_attributes(struct ldb_context *ldb)
+{
+	const struct {
+		const char *attr;
+		const char *syntax;
+	} wellknown[] = {
+		{ "dn", LDB_SYNTAX_DN },
+		{ "ncName", LDB_SYNTAX_DN },
+		{ "distinguishedName", LDB_SYNTAX_DN },
+		{ "cn", LDB_SYNTAX_DIRECTORY_STRING },
+		{ "dc", LDB_SYNTAX_DIRECTORY_STRING },
+		{ "ou", LDB_SYNTAX_DIRECTORY_STRING },
+		{ "objectClass", LDB_SYNTAX_OBJECTCLASS }
+	};
+	int i;
+	for (i=0;i<ARRAY_SIZE(wellknown);i++) {
+		if (ldb_set_attrib_handler_syntax(ldb, wellknown[i].attr, 
+						  wellknown[i].syntax) != 0) {
+			return -1;
+		}
+	}
+	return 0;
+}
+
+
+/*
+  return the list of subclasses for a class
+*/
+const char **ldb_subclass_list(struct ldb_context *ldb, const char *classname)
+{
+	int i;
+	for (i=0;i<ldb->schema.num_classes;i++) {
+		if (ldb_attr_cmp(classname, ldb->schema.classes[i].name) == 0) {
+			return (const char **)ldb->schema.classes[i].subclasses;
+		}
+	}
+	return NULL;
+}
+
+
+/*
+  add a new subclass
+*/
+static int ldb_subclass_new(struct ldb_context *ldb, const char *classname, const char *subclass)
+{
+	struct ldb_subclass *s, *c;
+	s = talloc_realloc(ldb, ldb->schema.classes, struct ldb_subclass, ldb->schema.num_classes+1);
+	if (s == NULL) goto failed;
+
+	ldb->schema.classes = s;
+	c = &s[ldb->schema.num_classes];
+	c->name = talloc_strdup(s, classname);
+	if (c->name == NULL) goto failed;
+
+	c->subclasses = talloc_array(s, char *, 2);
+	if (c->subclasses == NULL) goto failed;
+
+	c->subclasses[0] = talloc_strdup(c->subclasses, subclass);
+	if (c->subclasses[0] == NULL) goto failed;
+	c->subclasses[1] = NULL;
+
+	ldb->schema.num_classes++;
+
+	return 0;
+failed:
+	ldb_oom(ldb);
+	return -1;
+}
+
+/*
+  add a subclass
+*/
+int ldb_subclass_add(struct ldb_context *ldb, const char *classname, const char *subclass)
+{
+	int i, n;
+	struct ldb_subclass *c;
+	char **s;
+
+	for (i=0;i<ldb->schema.num_classes;i++) {
+		if (ldb_attr_cmp(classname, ldb->schema.classes[i].name) == 0) {
+			break;
+		}
+	}
+	if (i == ldb->schema.num_classes) {
+		return ldb_subclass_new(ldb, classname, subclass);
+	}
+	c = &ldb->schema.classes[i];
+	
+	for (n=0;c->subclasses[n];n++) /* noop */;
+
+	s = talloc_realloc(ldb->schema.classes, c->subclasses, char *, n+2);
+	if (s == NULL) {
+		ldb_oom(ldb);
+		return -1;
+	}
+
+	c->subclasses = s;
+	s[n] = talloc_strdup(s, subclass);
+	if (s[n] == NULL) {
+		ldb_oom(ldb);
+		return -1;
+	}
+	s[n+1] = NULL;
+
+	return 0;
+}
+
+/*
+  remove a set of subclasses for a class
+*/
+void ldb_subclass_remove(struct ldb_context *ldb, const char *classname)
+{
+	int i;
+	struct ldb_subclass *c;
+
+	for (i=0;i<ldb->schema.num_classes;i++) {
+		if (ldb_attr_cmp(classname, ldb->schema.classes[i].name) == 0) {
+			break;
+		}
+	}
+	if (i == ldb->schema.num_classes) {
+		return;
+	}
+
+	c = &ldb->schema.classes[i];
+	talloc_free(c->name);
+	talloc_free(c->subclasses);
+	if (ldb->schema.num_classes-(i+1) > 0) {
+		memmove(c, c+1, sizeof(*c) * (ldb->schema.num_classes-(i+1)));
+	}
+	ldb->schema.num_classes--;
+	if (ldb->schema.num_classes == 0) {
+		talloc_free(ldb->schema.classes);
+		ldb->schema.classes = NULL;
+	}
+}
diff --git a/source3/lib/ldb/common/ldb_controls.c b/source3/lib/ldb/common/ldb_controls.c
new file mode 100644
index 0000000000..9b49470941
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_controls.c
@@ -0,0 +1,105 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb_controls.c
+ *
+ *  Component: ldb controls utility functions
+ *
+ *  Description: helper functions for control modules
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/* check if a control with the specified "oid" exist and return it */
+/* returns NULL if not found */
+struct ldb_control *get_control_from_list(struct ldb_control **controls, const char *oid)
+{
+	int i;
+
+	/* check if there's a paged request control */
+	if (controls != NULL) {
+		for (i = 0; controls[i]; i++) {
+			if (strcmp(oid, controls[i]->oid) == 0) {
+				break;
+			}
+		}
+
+		return controls[i];
+	}
+
+	return NULL;
+}
+
+/* saves the current controls list into the "saver" and replace the one in req with a new one excluding
+the "exclude" control */
+/* returns False on error */
+int save_controls(struct ldb_control *exclude, struct ldb_request *req, struct ldb_control ***saver)
+{
+	struct ldb_control **lcs;
+	int i, j;
+
+	*saver = req->controls;
+	for (i = 0; req->controls[i]; i++);
+	if (i == 1) {
+		req->controls = NULL;
+		return 1;
+	}
+
+	lcs = talloc_array(req, struct ldb_control *, i);
+	if (!lcs) {
+		return 0;
+	}
+
+	for (i = 0, j = 0; (*saver)[i]; i++) {
+		if (exclude == (*saver)[i]) continue;
+		lcs[j] = (*saver)[i];
+		j++;
+	}
+	lcs[j] = NULL;
+
+	req->controls = lcs;
+	return 1;
+}
+
+/* check if there's any control marked as critical in the list */
+/* return True if any, False if none */
+int check_critical_controls(struct ldb_control **controls)
+{
+	int i;
+
+	if (controls == NULL) {
+		return 0;
+	}
+
+	for (i = 0; controls[i]; i++) {
+		if (controls[i]->critical) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
diff --git a/source3/lib/ldb/common/ldb_debug.c b/source3/lib/ldb/common/ldb_debug.c
new file mode 100644
index 0000000000..3c9442ea9c
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_debug.c
@@ -0,0 +1,104 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb debug
+ *
+ *  Description: functions for printing debug messages
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/*
+  this allows the user to choose their own debug function
+*/
+int ldb_set_debug(struct ldb_context *ldb,
+		  void (*debug)(void *context, enum ldb_debug_level level, 
+				const char *fmt, va_list ap),
+		  void *context)
+{
+	ldb->debug_ops.debug = debug;
+	ldb->debug_ops.context = context;
+	return 0;
+}
+
+/*
+  debug function for ldb_set_debug_stderr
+*/
+static void ldb_debug_stderr(void *context, enum ldb_debug_level level, 
+			     const char *fmt, va_list ap) PRINTF_ATTRIBUTE(3,0);
+static void ldb_debug_stderr(void *context, enum ldb_debug_level level, 
+			     const char *fmt, va_list ap)
+{
+	if (level <= LDB_DEBUG_WARNING) {
+		vfprintf(stderr, fmt, ap);
+	}
+}
+
+/*
+  convenience function to setup debug messages on stderr
+  messages of level LDB_DEBUG_WARNING and higher are printed
+*/
+int ldb_set_debug_stderr(struct ldb_context *ldb)
+{
+	return ldb_set_debug(ldb, ldb_debug_stderr, ldb);
+}
+
+/*
+  log a message
+*/
+void ldb_debug(struct ldb_context *ldb, enum ldb_debug_level level, const char *fmt, ...)
+{
+	va_list ap;
+	if (ldb->debug_ops.debug == NULL) {
+		ldb_set_debug_stderr(ldb);
+	}
+	va_start(ap, fmt);
+	ldb->debug_ops.debug(ldb->debug_ops.context, level, fmt, ap);
+	va_end(ap);
+}
+
+
+/*
+  log a message, and set the ldb error string to the same message
+*/
+void ldb_debug_set(struct ldb_context *ldb, enum ldb_debug_level level, 
+		   const char *fmt, ...)
+{
+	va_list ap;
+	char *msg;
+	va_start(ap, fmt);
+	msg = talloc_vasprintf(ldb, fmt, ap);
+	va_end(ap);
+	if (msg != NULL) {
+		ldb_set_errstring(ldb, msg);
+		ldb_debug(ldb, level, "%s", msg);
+	}
+	talloc_free(msg);
+}
+
diff --git a/source3/lib/ldb/common/ldb_dn.c b/source3/lib/ldb/common/ldb_dn.c
new file mode 100644
index 0000000000..7ef3c38024
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_dn.c
@@ -0,0 +1,1027 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce 2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb dn explode and utility functions
+ *
+ *  Description: - explode a dn into its own basic elements
+ *                 and put them in a structure
+ *               - manipulate ldb_dn structures
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#define LDB_DN_NULL_FAILED(x) if (!(x)) goto failed
+
+#define LDB_SPECIAL "@SPECIAL"
+
+/**
+   internal ldb exploded dn structures
+*/
+struct ldb_dn_component {
+	char *name;  
+	struct ldb_val value;
+};
+
+struct ldb_dn {
+	int comp_num;
+	struct ldb_dn_component *components;
+};
+
+int ldb_dn_is_special(const struct ldb_dn *dn)
+{
+	if (dn == NULL || dn->comp_num != 1) return 0;
+
+	return ! strcmp(dn->components[0].name, LDB_SPECIAL);
+}
+
+int ldb_dn_check_special(const struct ldb_dn *dn, const char *check)
+{
+	if (dn == NULL || dn->comp_num != 1) return 0;
+
+	return ! strcmp((char *)dn->components[0].value.data, check);
+}
+
+char *ldb_dn_escape_value(void *mem_ctx, struct ldb_val value)
+{
+	const char *p, *s, *src;
+	char *d, *dst;
+	int len;
+
+	if (!value.length)
+		return NULL;
+
+	p = s = src = (const char *)value.data;
+	len = value.length;
+
+	/* allocate destination string, it will be at most 3 times the source */
+	dst = d = talloc_array(mem_ctx, char, len * 3 + 1);
+	LDB_DN_NULL_FAILED(dst);
+
+	while (p - src < len) {
+
+		p += strcspn(p, ",=\n+<>#;\\\"");
+
+		if (p - src == len) /* found no escapable chars */
+			break;
+
+		memcpy(d, s, p - s); /* copy the part of the string before the stop */
+		d += (p - s); /* move to current position */
+
+		if (*p) { /* it is a normal escapable character */
+			*d++ = '\\';
+			*d++ = *p++;
+		} else { /* we have a zero byte in the string */
+			strncpy(d, "\00", 3); /* escape the zero */
+			d = d + 3;
+			p++; /* skip the zero */
+		}
+		s = p; /* move forward */
+	}
+
+	/* copy the last part (with zero) and return */
+	memcpy(d, s, &src[len] - s + 1);
+
+	return dst;
+
+failed:
+	talloc_free(dst);
+	return NULL;
+}
+
+static struct ldb_val ldb_dn_unescape_value(void *mem_ctx, const char *src)
+{
+	struct ldb_val value;
+	unsigned x;
+	char *p, *dst = NULL, *end;
+
+	memset(&value, 0, sizeof(value));
+
+	LDB_DN_NULL_FAILED(src);
+
+	dst = p = (char *)talloc_memdup(mem_ctx, src, strlen(src) + 1);
+	LDB_DN_NULL_FAILED(dst);
+
+	end = &dst[strlen(dst)];
+
+	while (*p) {
+		p += strcspn(p, ",=\n+<>#;\\\"");
+
+		if (*p == '\\') {
+			if (strchr(",=\n+<>#;\\\"", p[1])) {
+				memmove(p, p + 1, end - (p + 1) + 1);
+				end--;
+				p++;
+				continue;
+			}
+
+			if (sscanf(p + 1, "%02x", &x) == 1) {
+				*p = (unsigned char)x;
+				memmove(p + 1, p + 3, end - (p + 3) + 1);
+				end -= 2;
+				p++;
+				continue;
+			}
+		}
+
+		/* a string with not escaped specials is invalid (tested) */
+		if (*p != '\0') {
+			goto failed;
+		}
+	}
+
+	value.length = end - dst;
+	value.data = (uint8_t *)dst;
+	return value;
+
+failed:
+	talloc_free(dst);
+	return value;
+}
+
+/* check if the string contains quotes
+ * skips leading and trailing spaces
+ * - returns 0 if no quotes found
+ * - returns 1 if quotes are found and put their position
+ *   in *quote_start and *quote_end parameters
+ * - return -1 if there are open quotes
+ */
+
+static int get_quotes_position(const char *source, int *quote_start, int *quote_end)
+{
+	const char *p;
+
+	if (source == NULL || quote_start == NULL || quote_end == NULL) return -1;
+
+	p = source;
+
+	/* check if there are quotes surrounding the value */
+	p += strspn(p, " \n"); /* skip white spaces */
+
+	if (*p == '\"') {
+		*quote_start = p - source;
+
+		p++;
+		while (*p != '\"') {
+			p = strchr(p, '\"');
+			LDB_DN_NULL_FAILED(p);
+
+			if (*(p - 1) == '\\')
+				p++;
+		}
+
+		*quote_end = p - source;
+		return 1;
+	}
+
+	return 0;
+
+failed:
+	return -1;
+}
+
+static char *seek_to_separator(char *string, const char *separators)
+{
+	char *p, *q;
+	int ret, qs, qe, escaped;
+
+	if (string == NULL || separators == NULL) return NULL;
+
+	p = strchr(string, '=');
+	LDB_DN_NULL_FAILED(p);
+
+	p++;
+
+	/* check if there are quotes surrounding the value */
+
+	ret = get_quotes_position(p, &qs, &qe);
+	if (ret == -1)
+		return NULL;
+
+	if (ret == 1) { /* quotes found */
+
+		p += qe; /* positioning after quotes */
+		p += strspn(p, " \n"); /* skip white spaces after the quote */
+
+		if (strcspn(p, separators) != 0) /* if there are characters between quotes */
+			return NULL;	    /* and separators, the dn is invalid */
+
+		return p; /* return on the separator */
+	}
+
+	/* no quotes found seek to separators */
+	q = p;
+	do {
+		escaped = 0;
+		ret = strcspn(q, separators);
+		
+		if (q[ret - 1] == '\\') {
+			escaped = 1;
+			q = q + ret + 1;
+		}
+	} while (escaped);
+
+	if (ret == 0 && p == q) /* no separators ?! bail out */
+		return NULL;
+
+	return q + ret;
+
+failed:
+	return NULL;
+}
+
+static char *ldb_dn_trim_string(char *string, const char *edge)
+{
+	char *s, *p;
+
+	/* seek out edge from start of string */
+	s = string + strspn(string, edge);
+
+	/* backwards skip from end of string */
+	p = &s[strlen(s) - 1];
+	while (p > s && strchr(edge, *p)) {
+		*p = '\0';
+		p--;
+	}
+
+	return s;
+}
+
+/* we choosed to not support multpile valued components */
+static struct ldb_dn_component ldb_dn_explode_component(void *mem_ctx, char *raw_component)
+{
+	struct ldb_dn_component dc;
+	char *p;
+	int ret, qs, qe;
+
+	memset(&dc, 0, sizeof(dc));
+
+	if (raw_component == NULL) {
+		return dc;
+	}
+
+	/* find attribute type/value separator */
+	p = strchr(raw_component, '=');
+	LDB_DN_NULL_FAILED(p);
+
+	*p++ = '\0'; /* terminate name and point to value */
+
+	/* copy and trim name in the component */
+	dc.name = talloc_strdup(mem_ctx, ldb_dn_trim_string(raw_component, " \n"));
+	if (!dc.name)
+		return dc;
+
+	if (! ldb_valid_attr_name(dc.name)) {
+		goto failed;
+	}
+
+	ret = get_quotes_position(p, &qs, &qe);
+
+	switch (ret) {
+	case 0: /* no quotes trim the string */
+		p = ldb_dn_trim_string(p, " \n");
+		dc.value = ldb_dn_unescape_value(mem_ctx, p);
+		break;
+
+	case 1: /* quotes found get the unquoted string */
+		p[qe] = '\0';
+		p = p + qs + 1;
+		dc.value.length = strlen(p);
+		dc.value.data = (uint8_t *)talloc_memdup(mem_ctx, p,
+							 dc.value.length + 1);
+		break;
+
+	default: /* mismatched quotes ot other error, bail out */
+		goto failed;
+	}
+
+	if (dc.value.length == 0) {
+		goto failed;
+	}
+
+	return dc;
+
+failed:
+	talloc_free(dc.name);
+	dc.name = NULL;
+	return dc;
+}
+
+struct ldb_dn *ldb_dn_new(void *mem_ctx)
+{
+	struct ldb_dn *edn;
+
+	edn = talloc(mem_ctx, struct ldb_dn);
+	LDB_DN_NULL_FAILED(edn);
+
+	/* Initially there are no components */
+	edn->comp_num = 0;
+	edn->components = NULL;
+
+	return edn;
+
+failed:
+	return NULL;
+}
+
+/*
+  explode a DN string into a ldb_dn structure
+*/
+struct ldb_dn *ldb_dn_explode(void *mem_ctx, const char *dn)
+{
+	struct ldb_dn *edn; /* the exploded dn */
+	char *pdn, *p;
+
+	if (dn == NULL) return NULL;
+
+	/* Allocate a structure to hold the exploded DN */
+	edn = ldb_dn_new(mem_ctx);
+	if (edn == NULL) {
+		return NULL;
+	}
+
+	pdn = NULL;
+
+	/* Empty DNs */
+	if (dn[0] == '\0') {
+		return edn;
+	}
+
+	/* Special DNs case */
+	if (dn[0] == '@') {
+		edn->comp_num = 1;
+		edn->components = talloc(edn, struct ldb_dn_component);
+		if (edn->components == NULL) goto failed;
+		edn->components[0].name = talloc_strdup(edn->components, LDB_SPECIAL);
+		if (edn->components[0].name == NULL) goto failed;
+		edn->components[0].value.data = (uint8_t *)talloc_strdup(edn->components, dn);
+		if (edn->components[0].value.data== NULL) goto failed;
+		edn->components[0].value.length = strlen(dn);
+		return edn;
+	}
+
+	pdn = p = talloc_strdup(edn, dn);
+	LDB_DN_NULL_FAILED(pdn);
+
+	/* get the components */
+	do {
+		char *t;
+
+		/* terminate the current component and return pointer to the next one */
+		t = seek_to_separator(p, ",;");
+		LDB_DN_NULL_FAILED(t);
+
+		if (*t) { /* here there is a separator */
+			*t = '\0'; /*terminate */
+			t++; /* a separtor means another component follows */
+		}
+
+		/* allocate space to hold the dn component */
+		edn->components = talloc_realloc(edn, edn->components,
+						 struct ldb_dn_component,
+						 edn->comp_num + 1);
+		if (edn->components == NULL)
+			goto failed;
+
+		/* store the exploded component in the main structure */
+		edn->components[edn->comp_num] = ldb_dn_explode_component(edn, p);
+		LDB_DN_NULL_FAILED(edn->components[edn->comp_num].name);
+
+		edn->comp_num++;
+
+		/* jump to the next component if any */
+		p = t;
+
+	} while(*p);
+
+	talloc_free(pdn);
+	return edn;
+
+failed:
+	talloc_free(pdn);
+	talloc_free(edn);
+	return NULL;
+}
+
+struct ldb_dn *ldb_dn_explode_or_special(void *mem_ctx, const char *dn)
+{
+	struct ldb_dn *edn; /* the exploded dn */
+
+	if (dn == NULL) return NULL;
+
+	if (strncasecmp(dn, "<GUID=", 6) == 0) {
+		/* this is special DN returned when the
+		 * exploded_dn control is used
+		 */
+
+		/* Allocate a structure to hold the exploded DN */
+		if (!(edn = ldb_dn_new(mem_ctx))) {
+			return NULL;
+		}
+
+		edn->comp_num = 1;
+		edn->components = talloc(edn, struct ldb_dn_component);
+		if (edn->components == NULL) goto failed;
+		edn->components[0].name = talloc_strdup(edn->components, LDB_SPECIAL);
+		if (edn->components[0].name == NULL) goto failed;
+		edn->components[0].value.data = (uint8_t *)talloc_strdup(edn->components, dn);
+		if (edn->components[0].value.data== NULL) goto failed;
+		edn->components[0].value.length = strlen(dn);
+		return edn;
+
+	}
+	
+	return ldb_dn_explode(mem_ctx, dn);
+
+failed:
+	talloc_free(edn);
+	return NULL;
+}
+
+char *ldb_dn_linearize(void *mem_ctx, const struct ldb_dn *edn)
+{
+	char *dn, *value;
+	int i;
+
+	if (edn == NULL) return NULL;
+
+	/* Special DNs */
+	if (ldb_dn_is_special(edn)) {
+		dn = talloc_strdup(mem_ctx, (char *)edn->components[0].value.data);
+		return dn;
+	}
+
+	dn = talloc_strdup(mem_ctx, "");
+	LDB_DN_NULL_FAILED(dn);
+
+	for (i = 0; i < edn->comp_num; i++) {
+		value = ldb_dn_escape_value(dn, edn->components[i].value);
+		LDB_DN_NULL_FAILED(value);
+
+		if (i == 0) {
+			dn = talloc_asprintf_append(dn, "%s=%s", edn->components[i].name, value);
+		} else {
+			dn = talloc_asprintf_append(dn, ",%s=%s", edn->components[i].name, value);
+		}
+		LDB_DN_NULL_FAILED(dn);
+
+		talloc_free(value);
+	}
+
+	return dn;
+
+failed:
+	talloc_free(dn);
+	return NULL;
+}
+
+/* Determine if dn is below base, in the ldap tree.  Used for
+ * evaluating a subtree search.
+ * 0 if they match, otherwise non-zero
+ */
+
+int ldb_dn_compare_base(struct ldb_context *ldb,
+			const struct ldb_dn *base,
+			const struct ldb_dn *dn)
+{
+	int ret;
+	int n0, n1;
+
+	if (base == NULL || base->comp_num == 0) return 0;
+	if (dn == NULL || dn->comp_num == 0) return -1;
+
+	/* if the base has more componts than the dn, then they differ */
+	if (base->comp_num > dn->comp_num) {
+		return (dn->comp_num - base->comp_num);
+	}
+
+	n0 = base->comp_num - 1;
+	n1 = dn->comp_num - 1;
+	while (n0 >= 0 && n1 >= 0) {
+		const struct ldb_attrib_handler *h;
+
+		/* compare names (attribute names are guaranteed to be ASCII only) */
+		ret = ldb_attr_cmp(base->components[n0].name,
+				   dn->components[n1].name);
+		if (ret) {
+			return ret;
+		}
+
+		/* names match, compare values */
+		h = ldb_attrib_handler(ldb, base->components[n0].name);
+		ret = h->comparison_fn(ldb, ldb, &(base->components[n0].value),
+						  &(dn->components[n1].value));
+		if (ret) {
+			return ret;
+		}
+		n1--;
+		n0--;
+	}
+
+	return 0;
+}
+
+/* compare DNs using casefolding compare functions.  
+
+   If they match, then return 0
+ */
+
+int ldb_dn_compare(struct ldb_context *ldb,
+		   const struct ldb_dn *edn0,
+		   const struct ldb_dn *edn1)
+{
+	if (edn0 == NULL || edn1 == NULL) return edn1 - edn0;
+
+	if (edn0->comp_num != edn1->comp_num)
+		return (edn1->comp_num - edn0->comp_num);
+
+	return ldb_dn_compare_base(ldb, edn0, edn1);
+}
+
+int ldb_dn_cmp(struct ldb_context *ldb, const char *dn0, const char *dn1)
+{
+	struct ldb_dn *edn0;
+	struct ldb_dn *edn1;
+	int ret;
+
+	if (dn0 == NULL || dn1 == NULL) return dn1 - dn0;
+
+	edn0 = ldb_dn_explode_casefold(ldb, ldb, dn0);
+	if (edn0 == NULL) return 1;
+
+	edn1 = ldb_dn_explode_casefold(ldb, ldb, dn1);
+	if (edn1 == NULL) {
+		talloc_free(edn0);
+		return -1;
+	}
+
+	ret = ldb_dn_compare(ldb, edn0, edn1);
+
+	talloc_free(edn0);
+	talloc_free(edn1);
+
+	return ret;
+}
+
+/*
+  casefold a dn. We need to casefold the attribute names, and canonicalize 
+  attribute values of case insensitive attributes.
+*/
+struct ldb_dn *ldb_dn_casefold(struct ldb_context *ldb, void *mem_ctx, const struct ldb_dn *edn)
+{
+	struct ldb_dn *cedn;
+	int i, ret;
+
+	if (edn == NULL) return NULL;
+
+	cedn = ldb_dn_new(mem_ctx);
+	if (!cedn) {
+		return NULL;
+	}
+
+	cedn->comp_num = edn->comp_num;
+	cedn->components = talloc_array(cedn, struct ldb_dn_component, edn->comp_num);
+	if (!cedn->components) {
+		talloc_free(cedn);
+		return NULL;
+	}
+
+	for (i = 0; i < edn->comp_num; i++) {
+		struct ldb_dn_component dc;
+		const struct ldb_attrib_handler *h;
+
+		memset(&dc, 0, sizeof(dc));
+		dc.name = ldb_attr_casefold(cedn->components, edn->components[i].name);
+		if (!dc.name) {
+			talloc_free(cedn);
+			return NULL;
+		}
+
+		h = ldb_attrib_handler(ldb, dc.name);
+		ret = h->canonicalise_fn(ldb, cedn->components,
+					 &(edn->components[i].value),
+					 &(dc.value));
+		if (ret != 0) {
+			talloc_free(cedn);
+			return NULL;
+		}
+
+		cedn->components[i] = dc;
+	}
+
+	return cedn;
+}
+
+struct ldb_dn *ldb_dn_explode_casefold(struct ldb_context *ldb, void *mem_ctx, const char *dn)
+{
+	struct ldb_dn *edn, *cdn;
+
+	if (dn == NULL) return NULL;
+
+	edn = ldb_dn_explode(ldb, dn);
+	if (edn == NULL) return NULL;
+
+	cdn = ldb_dn_casefold(ldb, mem_ctx, edn);
+	
+	talloc_free(edn);
+	return cdn;
+}
+
+char *ldb_dn_linearize_casefold(struct ldb_context *ldb, void *mem_ctx, const struct ldb_dn *edn)
+{
+	struct ldb_dn *cdn;
+	char *dn;
+
+	if (edn == NULL) return NULL;
+
+	/* Special DNs */
+	if (ldb_dn_is_special(edn)) {
+		dn = talloc_strdup(mem_ctx, (char *)edn->components[0].value.data);
+		return dn;
+	}
+
+	cdn = ldb_dn_casefold(ldb, mem_ctx, edn);
+	if (cdn == NULL) return NULL;
+
+	dn = ldb_dn_linearize(ldb, cdn);
+	if (dn == NULL) {
+		talloc_free(cdn);
+		return NULL;
+	}
+
+	talloc_free(cdn);
+	return dn;
+}
+
+static struct ldb_dn_component ldb_dn_copy_component(void *mem_ctx, struct ldb_dn_component *src)
+{
+	struct ldb_dn_component dst;
+
+	memset(&dst, 0, sizeof(dst));
+
+	if (src == NULL) {
+		return dst;
+	}
+
+	dst.value = ldb_val_dup(mem_ctx, &(src->value));
+	if (dst.value.data == NULL) {
+		return dst;
+	}
+
+	dst.name = talloc_strdup(mem_ctx, src->name);
+	if (dst.name == NULL) {
+		talloc_free(dst.value.data);
+		dst.value.data = NULL;
+	}
+
+	return dst;
+}
+
+/* Copy a DN but replace the old with the new base DN. */
+struct ldb_dn *ldb_dn_copy_rebase(void *mem_ctx, const struct ldb_dn *old, const struct ldb_dn *old_base, const struct ldb_dn *new_base)
+{
+	struct ldb_dn *new_dn;
+	int i, offset;
+
+	/* Perhaps we don't need to rebase at all? */
+	if (!old_base || !new_base) {
+		return ldb_dn_copy(mem_ctx, old);
+	}
+
+	offset = old->comp_num - old_base->comp_num;
+	if (!(new_dn = ldb_dn_copy_partial(mem_ctx, new_base,
+					   offset + new_base->comp_num))) {
+		return NULL;
+	}
+	for (i = 0; i < offset; i++) {
+		new_dn->components[i] = ldb_dn_copy_component(new_dn->components, &(old->components[i]));
+	}
+
+	return new_dn;
+}
+
+/* copy specified number of elements of a dn into a new one
+   element are copied from top level up to the unique rdn
+   num_el may be greater than dn->comp_num (see ldb_dn_make_child)
+*/
+struct ldb_dn *ldb_dn_copy_partial(void *mem_ctx, const struct ldb_dn *dn, int num_el)
+{
+	struct ldb_dn *newdn;
+	int i, n, e;
+
+	if (dn == NULL) return NULL;
+	if (num_el <= 0) return NULL;
+
+	newdn = ldb_dn_new(mem_ctx);
+	LDB_DN_NULL_FAILED(newdn);
+
+	newdn->comp_num = num_el;
+	n = newdn->comp_num - 1;
+	newdn->components = talloc_array(newdn, struct ldb_dn_component, newdn->comp_num);
+	if (newdn->components == NULL) goto failed;
+
+	if (dn->comp_num == 0) return newdn;
+	e = dn->comp_num - 1;
+
+	for (i = 0; i < newdn->comp_num; i++) {
+		newdn->components[n - i] = ldb_dn_copy_component(newdn->components,
+								&(dn->components[e - i]));
+		if ((e - i) == 0) {
+			return newdn;
+		}
+	}
+
+	return newdn;
+
+failed:
+	talloc_free(newdn);
+	return NULL;
+}
+
+struct ldb_dn *ldb_dn_copy(void *mem_ctx, const struct ldb_dn *dn)
+{
+	if (dn == NULL) return NULL;
+	return ldb_dn_copy_partial(mem_ctx, dn, dn->comp_num);
+}
+
+struct ldb_dn *ldb_dn_get_parent(void *mem_ctx, const struct ldb_dn *dn)
+{
+	if (dn == NULL) return NULL;
+	return ldb_dn_copy_partial(mem_ctx, dn, dn->comp_num - 1);
+}
+
+struct ldb_dn_component *ldb_dn_build_component(void *mem_ctx, const char *attr,
+						const char *val)
+{
+	struct ldb_dn_component *dc;
+
+	if (attr == NULL || val == NULL) return NULL;
+
+	dc = talloc(mem_ctx, struct ldb_dn_component);
+	if (dc == NULL) return NULL;
+
+	dc->name = talloc_strdup(dc, attr);
+	if (dc->name ==  NULL) {
+		talloc_free(dc);
+		return NULL;
+	}
+
+	dc->value.data = (uint8_t *)talloc_strdup(dc, val);
+	if (dc->value.data ==  NULL) {
+		talloc_free(dc);
+		return NULL;
+	}
+
+	dc->value.length = strlen(val);
+
+	return dc;
+}
+
+struct ldb_dn *ldb_dn_build_child(void *mem_ctx, const char *attr,
+						 const char * value,
+						 const struct ldb_dn *base)
+{
+	struct ldb_dn *newdn;
+	if (! ldb_valid_attr_name(attr)) return NULL;
+	if (value == NULL || value == '\0') return NULL; 
+
+	if (base != NULL) {
+		newdn = ldb_dn_copy_partial(mem_ctx, base, base->comp_num + 1);
+		LDB_DN_NULL_FAILED(newdn);
+	} else {
+		newdn = ldb_dn_new(mem_ctx);
+		LDB_DN_NULL_FAILED(newdn);
+
+		newdn->comp_num = 1;
+		newdn->components = talloc_array(newdn, struct ldb_dn_component, newdn->comp_num);
+		LDB_DN_NULL_FAILED(newdn->components);
+	}
+
+	newdn->components[0].name = talloc_strdup(newdn->components, attr);
+	LDB_DN_NULL_FAILED(newdn->components[0].name);
+
+	newdn->components[0].value.data = (uint8_t *)talloc_strdup(newdn->components, value);
+	LDB_DN_NULL_FAILED(newdn->components[0].value.data);
+	newdn->components[0].value.length = strlen((char *)newdn->components[0].value.data);
+
+	return newdn;
+
+failed:
+	talloc_free(newdn);
+	return NULL;
+
+}
+
+struct ldb_dn *ldb_dn_compose(void *mem_ctx, const struct ldb_dn *dn1, const struct ldb_dn *dn2)
+{
+	int i;
+	struct ldb_dn *newdn;
+
+	if (dn2 == NULL && dn1 == NULL) {
+		return NULL;
+	}
+
+	if (dn2 == NULL) {
+		newdn = ldb_dn_new(mem_ctx);
+		LDB_DN_NULL_FAILED(newdn);
+
+		newdn->comp_num = dn1->comp_num;
+		newdn->components = talloc_array(newdn, struct ldb_dn_component, newdn->comp_num);
+		LDB_DN_NULL_FAILED(newdn->components);
+	} else {
+		int comp_num = dn2->comp_num;
+		if (dn1 != NULL) comp_num += dn1->comp_num;
+		newdn = ldb_dn_copy_partial(mem_ctx, dn2, comp_num);
+		LDB_DN_NULL_FAILED(newdn);
+	}
+
+	if (dn1 == NULL) {
+		return newdn;
+	}
+
+	for (i = 0; i < dn1->comp_num; i++) {
+		newdn->components[i] = ldb_dn_copy_component(newdn->components,
+							   &(dn1->components[i]));
+		if (newdn->components[i].value.data == NULL) {
+			goto failed;
+		}
+	}
+
+	return newdn;
+
+failed:
+	talloc_free(newdn);
+	return NULL;
+}
+
+struct ldb_dn *ldb_dn_string_compose(void *mem_ctx, const struct ldb_dn *base, const char *child_fmt, ...)
+{
+	struct ldb_dn *dn, *dn1;
+	char *child_str;
+	va_list ap;
+	
+	if (child_fmt == NULL) return NULL;
+
+	va_start(ap, child_fmt);
+	child_str = talloc_vasprintf(mem_ctx, child_fmt, ap);
+	va_end(ap);
+
+	if (child_str == NULL) return NULL;
+
+	dn1 = ldb_dn_explode(mem_ctx, child_str);
+	dn = ldb_dn_compose(mem_ctx, dn1, base);
+
+	talloc_free(child_str);
+	talloc_free(dn1);
+
+	return dn;
+}
+
+/* Create a 'canonical name' string from a DN:
+
+   ie dc=samba,dc=org -> samba.org/
+      uid=administrator,ou=users,dc=samba,dc=org = samba.org/users/administrator
+
+   There are two formats, the EX format has the last / replaced with a newline (\n).
+
+*/
+static char *ldb_dn_canonical(void *mem_ctx, const struct ldb_dn *dn, int ex_format) {
+	int i;
+	char *cracked = NULL;
+
+	/* Walk backwards down the DN, grabbing 'dc' components at first */
+	for (i = dn->comp_num - 1 ; i >= 0; i--) {
+		if (ldb_attr_cmp(dn->components[i].name, "dc") != 0) {
+			break;
+		}
+		if (cracked) {
+			cracked = talloc_asprintf(mem_ctx, "%s.%s",
+						  ldb_dn_escape_value(mem_ctx, dn->components[i].value),
+						  cracked);
+		} else {
+			cracked = ldb_dn_escape_value(mem_ctx, dn->components[i].value);
+		}
+		if (!cracked) {
+			return NULL;
+		}
+	}
+
+	/* Only domain components?  Finish here */
+	if (i < 0) {
+		if (ex_format) {
+			cracked = talloc_asprintf(mem_ctx, "%s\n", cracked);
+		} else {
+			cracked = talloc_asprintf(mem_ctx, "%s/", cracked);
+		}
+		return cracked;
+	}
+
+	/* Now walk backwards appending remaining components */
+	for (; i > 0; i--) {
+		cracked = talloc_asprintf(mem_ctx, "%s/%s", cracked, 
+					  ldb_dn_escape_value(mem_ctx, dn->components[i].value));
+		if (!cracked) {
+			return NULL;
+		}
+	}
+
+	/* Last one, possibly a newline for the 'ex' format */
+	if (ex_format) {
+		cracked = talloc_asprintf(mem_ctx, "%s\n%s", cracked, 
+					  ldb_dn_escape_value(mem_ctx, dn->components[i].value));
+	} else {
+		cracked = talloc_asprintf(mem_ctx, "%s/%s", cracked, 
+					  ldb_dn_escape_value(mem_ctx, dn->components[i].value));
+	}
+	return cracked;
+}
+
+/* Wrapper functions for the above, for the two different string formats */
+char *ldb_dn_canonical_string(void *mem_ctx, const struct ldb_dn *dn) {
+	return ldb_dn_canonical(mem_ctx, dn, 0);
+
+}
+
+char *ldb_dn_canonical_ex_string(void *mem_ctx, const struct ldb_dn *dn) {
+	return ldb_dn_canonical(mem_ctx, dn, 1);
+}
+
+int ldb_dn_get_comp_num(const struct ldb_dn *dn)
+{
+	return dn->comp_num;
+}
+
+const char *ldb_dn_get_component_name(const struct ldb_dn *dn, unsigned int num)
+{
+	if (num >= dn->comp_num) return NULL;
+	return dn->components[num].name;
+}
+
+const struct ldb_val *ldb_dn_get_component_val(const struct ldb_dn *dn, unsigned int num)
+{
+	if (num >= dn->comp_num) return NULL;
+	return &dn->components[num].value;
+}
+
+const char *ldb_dn_get_rdn_name(const struct ldb_dn *dn) {
+	if (dn->comp_num == 0) return NULL;
+	return dn->components[0].name;
+}
+
+const struct ldb_val *ldb_dn_get_rdn_val(const struct ldb_dn *dn) {
+	if (dn->comp_num == 0) return NULL;
+	return &dn->components[0].value;
+}
+
+int ldb_dn_set_component(struct ldb_dn *dn, int num, const char *name, const struct ldb_val val)
+{
+	char *n;
+	struct ldb_val v;
+
+	if (num >= dn->comp_num) {
+		return LDB_ERR_OTHER;
+	}
+
+	n = talloc_strdup(dn, name);
+	if ( ! n) {
+		return LDB_ERR_OTHER;
+	}
+
+	v.length = val.length;
+	v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1);
+	if ( ! v.data) {
+		return LDB_ERR_OTHER;
+	}
+
+	talloc_free(dn->components[num].name);
+	talloc_free(dn->components[num].value.data);
+	dn->components[num].name = n;
+	dn->components[num].value = v;
+
+	return LDB_SUCCESS;
+}
diff --git a/source3/lib/ldb/common/ldb_ldif.c b/source3/lib/ldb/common/ldb_ldif.c
new file mode 100644
index 0000000000..a6ed1b6055
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_ldif.c
@@ -0,0 +1,760 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldif routines
+ *
+ *  Description: ldif pack/unpack routines
+ *
+ *  Author: Andrew Tridgell
+ */
+
+/*
+  see RFC2849 for the LDIF format definition
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "system/locale.h"
+
+/*
+  
+*/
+static int ldb_read_data_file(void *mem_ctx, struct ldb_val *value)
+{
+	struct stat statbuf;
+	char *buf;
+	int count, size, bytes;
+	int ret;
+	int f;
+	const char *fname = (const char *)value->data;
+
+	if (strncmp(fname, "file://", 7) != 0) {
+		return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+	}
+	fname += 7;
+
+	f = open(fname, O_RDONLY);
+	if (f == -1) {
+		return -1;
+	}
+
+	if (fstat(f, &statbuf) != 0) {
+		ret = -1;
+		goto done;
+	}
+
+	if (statbuf.st_size == 0) {
+		ret = -1;
+		goto done;
+	}
+
+	value->data = (uint8_t *)talloc_size(mem_ctx, statbuf.st_size + 1);
+	if (value->data == NULL) {
+		ret = -1;
+		goto done;
+	}
+	value->data[statbuf.st_size] = 0;
+
+	count = 0;
+	size = statbuf.st_size;
+	buf = (char *)value->data;
+	while (count < statbuf.st_size) {
+		bytes = read(f, buf, size);
+		if (bytes == -1) {
+			talloc_free(value->data);
+			ret = -1;
+			goto done;
+		}
+		count += bytes;
+		buf += bytes;
+		size -= bytes;
+	}
+
+	value->length = statbuf.st_size;
+	ret = statbuf.st_size;
+
+done:
+	close(f);
+	return ret;
+}
+
+/*
+  this base64 decoder was taken from jitterbug (written by tridge).
+  we might need to replace it with a new version
+*/
+int ldb_base64_decode(char *s)
+{
+	const char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	int bit_offset=0, byte_offset, idx, i, n;
+	uint8_t *d = (uint8_t *)s;
+	char *p=NULL;
+
+	n=i=0;
+
+	while (*s && (p=strchr(b64,*s))) {
+		idx = (int)(p - b64);
+		byte_offset = (i*6)/8;
+		bit_offset = (i*6)%8;
+		d[byte_offset] &= ~((1<<(8-bit_offset))-1);
+		if (bit_offset < 3) {
+			d[byte_offset] |= (idx << (2-bit_offset));
+			n = byte_offset+1;
+		} else {
+			d[byte_offset] |= (idx >> (bit_offset-2));
+			d[byte_offset+1] = 0;
+			d[byte_offset+1] |= (idx << (8-(bit_offset-2))) & 0xFF;
+			n = byte_offset+2;
+		}
+		s++; i++;
+	}
+	if (bit_offset >= 3) {
+		n--;
+	}
+
+	if (*s && !p) {
+		/* the only termination allowed */
+		if (*s != '=') {
+			return -1;
+		}
+	}
+
+	/* null terminate */
+	d[n] = 0;
+	return n;
+}
+
+
+/*
+  encode as base64
+  caller frees
+*/
+char *ldb_base64_encode(void *mem_ctx, const char *buf, int len)
+{
+	const char *b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	int bit_offset, byte_offset, idx, i;
+	const uint8_t *d = (const uint8_t *)buf;
+	int bytes = (len*8 + 5)/6, pad_bytes = (bytes % 4) ? 4 - (bytes % 4) : 0;
+	char *out;
+
+	out = talloc_array(mem_ctx, char, bytes+pad_bytes+1);
+	if (!out) return NULL;
+
+	for (i=0;i<bytes;i++) {
+		byte_offset = (i*6)/8;
+		bit_offset = (i*6)%8;
+		if (bit_offset < 3) {
+			idx = (d[byte_offset] >> (2-bit_offset)) & 0x3F;
+		} else {
+			idx = (d[byte_offset] << (bit_offset-2)) & 0x3F;
+			if (byte_offset+1 < len) {
+				idx |= (d[byte_offset+1] >> (8-(bit_offset-2)));
+			}
+		}
+		out[i] = b64[idx];
+	}
+
+	for (;i<bytes+pad_bytes;i++)
+		out[i] = '=';
+	out[i] = 0;
+
+	return out;
+}
+
+/*
+  see if a buffer should be base64 encoded
+*/
+int ldb_should_b64_encode(const struct ldb_val *val)
+{
+	unsigned int i;
+	uint8_t *p = val->data;
+
+	if (val->length == 0) {
+		return 0;
+	}
+
+	if (p[0] == ' ' || p[0] == ':') {
+		return 1;
+	}
+
+	for (i=0; i<val->length; i++) {
+		if (!isprint(p[i]) || p[i] == '\n') {
+			return 1;
+		}
+	}
+	return 0;
+}
+
+/* this macro is used to handle the return checking on fprintf_fn() */
+#define CHECK_RET do { if (ret < 0) return ret; total += ret; } while (0)
+
+/*
+  write a line folded string onto a file
+*/
+static int fold_string(int (*fprintf_fn)(void *, const char *, ...), void *private_data,
+			const char *buf, size_t length, int start_pos)
+{
+	unsigned int i;
+	int total=0, ret;
+
+	for (i=0;i<length;i++) {
+		ret = fprintf_fn(private_data, "%c", buf[i]);
+		CHECK_RET;
+		if (i != (length-1) && (i + start_pos) % 77 == 0) {
+			ret = fprintf_fn(private_data, "\n ");
+			CHECK_RET;
+		}
+	}
+
+	return total;
+}
+
+#undef CHECK_RET
+
+/*
+  encode as base64 to a file
+*/
+static int base64_encode_f(struct ldb_context *ldb,
+			   int (*fprintf_fn)(void *, const char *, ...), 
+			   void *private_data,
+			   const char *buf, int len, int start_pos)
+{
+	char *b = ldb_base64_encode(ldb, buf, len);
+	int ret;
+
+	if (!b) {
+		return -1;
+	}
+
+	ret = fold_string(fprintf_fn, private_data, b, strlen(b), start_pos);
+
+	talloc_free(b);
+	return ret;
+}
+
+
+static const struct {
+	const char *name;
+	enum ldb_changetype changetype;
+} ldb_changetypes[] = {
+	{"add",    LDB_CHANGETYPE_ADD},
+	{"delete", LDB_CHANGETYPE_DELETE},
+	{"modify", LDB_CHANGETYPE_MODIFY},
+	{NULL, 0}
+};
+
+/* this macro is used to handle the return checking on fprintf_fn() */
+#define CHECK_RET do { if (ret < 0) { talloc_free(mem_ctx); return ret; } total += ret; } while (0)
+
+/*
+  write to ldif, using a caller supplied write method
+*/
+int ldb_ldif_write(struct ldb_context *ldb,
+		   int (*fprintf_fn)(void *, const char *, ...), 
+		   void *private_data,
+		   const struct ldb_ldif *ldif)
+{
+	TALLOC_CTX *mem_ctx;
+	unsigned int i, j;
+	int total=0, ret;
+	const struct ldb_message *msg;
+
+	mem_ctx = talloc_named_const(NULL, 0, "ldb_ldif_write");
+
+	msg = ldif->msg;
+
+	ret = fprintf_fn(private_data, "dn: %s\n", ldb_dn_linearize(msg->dn, msg->dn));
+	CHECK_RET;
+
+	if (ldif->changetype != LDB_CHANGETYPE_NONE) {
+		for (i=0;ldb_changetypes[i].name;i++) {
+			if (ldb_changetypes[i].changetype == ldif->changetype) {
+				break;
+			}
+		}
+		if (!ldb_changetypes[i].name) {
+			ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Invalid ldif changetype %d\n",
+				  ldif->changetype);
+			talloc_free(mem_ctx);
+			return -1;
+		}
+		ret = fprintf_fn(private_data, "changetype: %s\n", ldb_changetypes[i].name);
+		CHECK_RET;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		const struct ldb_attrib_handler *h;
+
+		h = ldb_attrib_handler(ldb, msg->elements[i].name);
+
+		if (ldif->changetype == LDB_CHANGETYPE_MODIFY) {
+			switch (msg->elements[i].flags & LDB_FLAG_MOD_MASK) {
+			case LDB_FLAG_MOD_ADD:
+				fprintf_fn(private_data, "add: %s\n", 
+					   msg->elements[i].name);
+				break;
+			case LDB_FLAG_MOD_DELETE:
+				fprintf_fn(private_data, "delete: %s\n", 
+					   msg->elements[i].name);
+				break;
+			case LDB_FLAG_MOD_REPLACE:
+				fprintf_fn(private_data, "replace: %s\n", 
+					   msg->elements[i].name);
+				break;
+			}
+		}
+
+		for (j=0;j<msg->elements[i].num_values;j++) {
+			struct ldb_val v;
+			ret = h->ldif_write_fn(ldb, mem_ctx, &msg->elements[i].values[j], &v);
+			CHECK_RET;
+			if (ldb_should_b64_encode(&v)) {
+				ret = fprintf_fn(private_data, "%s:: ", 
+						 msg->elements[i].name);
+				CHECK_RET;
+				ret = base64_encode_f(ldb, fprintf_fn, private_data, 
+						      (char *)v.data, v.length,
+						      strlen(msg->elements[i].name)+3);
+				CHECK_RET;
+				ret = fprintf_fn(private_data, "\n");
+				CHECK_RET;
+			} else {
+				ret = fprintf_fn(private_data, "%s: ", msg->elements[i].name);
+				CHECK_RET;
+				ret = fold_string(fprintf_fn, private_data,
+						  (char *)v.data, v.length,
+						  strlen(msg->elements[i].name)+2);
+				CHECK_RET;
+				ret = fprintf_fn(private_data, "\n");
+				CHECK_RET;
+			}
+			if (v.data != msg->elements[i].values[j].data) {
+				talloc_free(v.data);
+			}
+		}
+		if (ldif->changetype == LDB_CHANGETYPE_MODIFY) {
+			fprintf_fn(private_data, "-\n");
+		}
+	}
+	ret = fprintf_fn(private_data,"\n");
+	CHECK_RET;
+
+	return total;
+}
+
+#undef CHECK_RET
+
+
+/*
+  pull a ldif chunk, which is defined as a piece of data ending in \n\n or EOF
+  this routine removes any RFC2849 continuations and comments
+
+  caller frees
+*/
+static char *next_chunk(struct ldb_context *ldb, 
+			int (*fgetc_fn)(void *), void *private_data)
+{
+	size_t alloc_size=0, chunk_size = 0;
+	char *chunk = NULL;
+	int c;
+	int in_comment = 0;
+
+	while ((c = fgetc_fn(private_data)) != EOF) {
+		if (chunk_size+1 >= alloc_size) {
+			char *c2;
+			alloc_size += 1024;
+			c2 = talloc_realloc(ldb, chunk, char, alloc_size);
+			if (!c2) {
+				talloc_free(chunk);
+				errno = ENOMEM;
+				return NULL;
+			}
+			chunk = c2;
+		}
+
+		if (in_comment) {
+			if (c == '\n') {
+				in_comment = 0;
+			}
+			continue;			
+		}
+		
+		/* handle continuation lines - see RFC2849 */
+		if (c == ' ' && chunk_size > 1 && chunk[chunk_size-1] == '\n') {
+			chunk_size--;
+			continue;
+		}
+		
+		/* chunks are terminated by a double line-feed */
+		if (c == '\n' && chunk_size > 0 && chunk[chunk_size-1] == '\n') {
+			chunk[chunk_size-1] = 0;
+			return chunk;
+		}
+
+		if (c == '#' && (chunk_size == 0 || chunk[chunk_size-1] == '\n')) {
+			in_comment = 1;
+			continue;
+		}
+
+		/* ignore leading blank lines */
+		if (chunk_size == 0 && c == '\n') {
+			continue;
+		}
+
+		chunk[chunk_size++] = c;
+	}
+
+	if (chunk) {
+		chunk[chunk_size] = 0;
+	}
+
+	return chunk;
+}
+
+
+/* simple ldif attribute parser */
+static int next_attr(void *mem_ctx, char **s, const char **attr, struct ldb_val *value)
+{
+	char *p;
+	int base64_encoded = 0;
+	int binary_file = 0;
+
+	if (strncmp(*s, "-\n", 2) == 0) {
+		value->length = 0;
+		*attr = "-";
+		*s += 2;
+		return 0;
+	}
+
+	p = strchr(*s, ':');
+	if (!p) {
+		return -1;
+	}
+
+	*p++ = 0;
+
+	if (*p == ':') {
+		base64_encoded = 1;
+		p++;
+	}
+
+	if (*p == '<') {
+		binary_file = 1;
+		p++;
+	}
+
+	*attr = *s;
+
+	while (*p == ' ' || *p == '\t') {
+		p++;
+	}
+
+	value->data = (uint8_t *)p;
+
+	p = strchr(p, '\n');
+
+	if (!p) {
+		value->length = strlen((char *)value->data);
+		*s = ((char *)value->data) + value->length;
+	} else {
+		value->length = p - (char *)value->data;
+		*s = p+1;
+		*p = 0;
+	}
+
+	if (base64_encoded) {
+		int len = ldb_base64_decode((char *)value->data);
+		if (len == -1) {
+			/* it wasn't valid base64 data */
+			return -1;
+		}
+		value->length = len;
+	}
+
+	if (binary_file) {
+		int len = ldb_read_data_file(mem_ctx, value);
+		if (len == -1) {
+			/* an error occured hile trying to retrieve the file */
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+
+/*
+  free a message from a ldif_read
+*/
+void ldb_ldif_read_free(struct ldb_context *ldb, struct ldb_ldif *ldif)
+{
+	talloc_free(ldif);
+}
+
+/*
+ read from a LDIF source, creating a ldb_message
+*/
+struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb,
+			       int (*fgetc_fn)(void *), void *private_data)
+{
+	struct ldb_ldif *ldif;
+	struct ldb_message *msg;
+	const char *attr=NULL;
+	char *chunk=NULL, *s;
+	struct ldb_val value;
+	unsigned flags = 0;
+
+	value.data = NULL;
+
+	ldif = talloc(ldb, struct ldb_ldif);
+	if (!ldif) return NULL;
+
+	ldif->msg = talloc(ldif, struct ldb_message);
+	if (ldif->msg == NULL) {
+		talloc_free(ldif);
+		return NULL;
+	}
+
+	ldif->changetype = LDB_CHANGETYPE_NONE;
+	msg = ldif->msg;
+
+	msg->dn = NULL;
+	msg->elements = NULL;
+	msg->num_elements = 0;
+	msg->private_data = NULL;
+
+	chunk = next_chunk(ldb, fgetc_fn, private_data);
+	if (!chunk) {
+		goto failed;
+	}
+	talloc_steal(ldif, chunk);
+
+	msg->private_data = chunk;
+	s = chunk;
+
+	if (next_attr(ldif, &s, &attr, &value) != 0) {
+		goto failed;
+	}
+	
+	/* first line must be a dn */
+	if (ldb_attr_cmp(attr, "dn") != 0) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: First line of ldif must be a dn not '%s'\n", 
+			  attr);
+		goto failed;
+	}
+
+	msg->dn = ldb_dn_explode(msg, (char *)value.data);
+
+	if (msg->dn == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Error: Unable to parse dn '%s'\n", 
+				  value.data);
+		goto failed;
+	}
+
+	while (next_attr(ldif, &s, &attr, &value) == 0) {
+		const struct ldb_attrib_handler *h;		
+		struct ldb_message_element *el;
+		int ret, empty = 0;
+
+		if (ldb_attr_cmp(attr, "changetype") == 0) {
+			int i;
+			for (i=0;ldb_changetypes[i].name;i++) {
+				if (ldb_attr_cmp((char *)value.data, ldb_changetypes[i].name) == 0) {
+					ldif->changetype = ldb_changetypes[i].changetype;
+					break;
+				}
+			}
+			if (!ldb_changetypes[i].name) {
+				ldb_debug(ldb, LDB_DEBUG_ERROR, 
+					  "Error: Bad ldif changetype '%s'\n",(char *)value.data);
+			}
+			flags = 0;
+			continue;
+		}
+
+		if (ldb_attr_cmp(attr, "add") == 0) {
+			flags = LDB_FLAG_MOD_ADD;
+			empty = 1;
+		}
+		if (ldb_attr_cmp(attr, "delete") == 0) {
+			flags = LDB_FLAG_MOD_DELETE;
+			empty = 1;
+		}
+		if (ldb_attr_cmp(attr, "replace") == 0) {
+			flags = LDB_FLAG_MOD_REPLACE;
+			empty = 1;
+		}
+		if (ldb_attr_cmp(attr, "-") == 0) {
+			flags = 0;
+			continue;
+		}
+
+		if (empty) {
+			if (ldb_msg_add_empty(msg, (char *)value.data, flags, NULL) != 0) {
+				goto failed;
+			}
+			continue;
+		}
+		
+		el = &msg->elements[msg->num_elements-1];
+
+		h = ldb_attrib_handler(ldb, attr);
+
+		if (msg->num_elements > 0 && ldb_attr_cmp(attr, el->name) == 0 &&
+		    flags == el->flags) {
+			/* its a continuation */
+			el->values = 
+				talloc_realloc(msg->elements, el->values, 
+						 struct ldb_val, el->num_values+1);
+			if (!el->values) {
+				goto failed;
+			}
+			ret = h->ldif_read_fn(ldb, ldif, &value, &el->values[el->num_values]);
+			if (ret != 0) {
+				goto failed;
+			}
+			if (value.length == 0) {
+				ldb_debug(ldb, LDB_DEBUG_ERROR,
+					  "Error: Attribute value cannot be empty for attribute '%s'\n", el->name);
+				goto failed;
+			}
+			if (value.data != el->values[el->num_values].data) {
+				talloc_steal(el->values, el->values[el->num_values].data);
+			}
+			el->num_values++;
+		} else {
+			/* its a new attribute */
+			msg->elements = talloc_realloc(ldif, msg->elements, 
+							 struct ldb_message_element, 
+							 msg->num_elements+1);
+			if (!msg->elements) {
+				goto failed;
+			}
+			el = &msg->elements[msg->num_elements];
+			el->flags = flags;
+			el->name = talloc_strdup(msg->elements, attr);
+			el->values = talloc(msg->elements, struct ldb_val);
+			if (!el->values || !el->name) {
+				goto failed;
+			}
+			el->num_values = 1;
+			ret = h->ldif_read_fn(ldb, ldif, &value, &el->values[0]);
+			if (ret != 0) {
+				goto failed;
+			}
+			if (value.data != el->values[0].data) {
+				talloc_steal(el->values, el->values[0].data);
+			}
+			msg->num_elements++;
+		}
+	}
+
+	return ldif;
+
+failed:
+	talloc_free(ldif);
+	return NULL;
+}
+
+
+
+/*
+  a wrapper around ldif_read() for reading from FILE*
+*/
+struct ldif_read_file_state {
+	FILE *f;
+};
+
+static int fgetc_file(void *private_data)
+{
+	struct ldif_read_file_state *state =
+		(struct ldif_read_file_state *)private_data;
+	return fgetc(state->f);
+}
+
+struct ldb_ldif *ldb_ldif_read_file(struct ldb_context *ldb, FILE *f)
+{
+	struct ldif_read_file_state state;
+	state.f = f;
+	return ldb_ldif_read(ldb, fgetc_file, &state);
+}
+
+
+/*
+  a wrapper around ldif_read() for reading from const char*
+*/
+struct ldif_read_string_state {
+	const char *s;
+};
+
+static int fgetc_string(void *private_data)
+{
+	struct ldif_read_string_state *state =
+		(struct ldif_read_string_state *)private_data;
+	if (state->s[0] != 0) {
+		return *state->s++;
+	}
+	return EOF;
+}
+
+struct ldb_ldif *ldb_ldif_read_string(struct ldb_context *ldb, const char **s)
+{
+	struct ldif_read_string_state state;
+	struct ldb_ldif *ldif;
+	state.s = *s;
+	ldif = ldb_ldif_read(ldb, fgetc_string, &state);
+	*s = state.s;
+	return ldif;
+}
+
+
+/*
+  wrapper around ldif_write() for a file
+*/
+struct ldif_write_file_state {
+	FILE *f;
+};
+
+static int fprintf_file(void *private_data, const char *fmt, ...) PRINTF_ATTRIBUTE(2, 3);
+
+static int fprintf_file(void *private_data, const char *fmt, ...)
+{
+	struct ldif_write_file_state *state =
+		(struct ldif_write_file_state *)private_data;
+	int ret;
+	va_list ap;
+
+	va_start(ap, fmt);
+	ret = vfprintf(state->f, fmt, ap);
+	va_end(ap);
+	return ret;
+}
+
+int ldb_ldif_write_file(struct ldb_context *ldb, FILE *f, const struct ldb_ldif *ldif)
+{
+	struct ldif_write_file_state state;
+	state.f = f;
+	return ldb_ldif_write(ldb, fprintf_file, &state, ldif);
+}
diff --git a/source3/lib/ldb/common/ldb_match.c b/source3/lib/ldb/common/ldb_match.c
new file mode 100644
index 0000000000..066c997cee
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_match.c
@@ -0,0 +1,430 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004-2005
+   Copyright (C) Simo Sorce            2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb expression matching
+ *
+ *  Description: ldb expression matching 
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/*
+  check if the scope matches in a search result
+*/
+static int ldb_match_scope(struct ldb_context *ldb,
+			   const struct ldb_dn *base,
+			   const struct ldb_dn *dn,
+			   enum ldb_scope scope)
+{
+	int ret = 0;
+
+	if (base == NULL || dn == NULL) {
+		return 1;
+	}
+
+	switch (scope) {
+	case LDB_SCOPE_BASE:
+		if (ldb_dn_compare(ldb, base, dn) == 0) {
+			ret = 1;
+		}
+		break;
+
+	case LDB_SCOPE_ONELEVEL:
+		if (ldb_dn_get_comp_num(dn) == (ldb_dn_get_comp_num(base) + 1)) {
+			if (ldb_dn_compare_base(ldb, base, dn) == 0) {
+				ret = 1;
+			}
+		}
+		break;
+		
+	case LDB_SCOPE_SUBTREE:
+	default:
+		if (ldb_dn_compare_base(ldb, base, dn) == 0) {
+			ret = 1;
+		}
+		break;
+	}
+
+	return ret;
+}
+
+
+/*
+  match if node is present
+*/
+static int ldb_match_present(struct ldb_context *ldb, 
+			     const struct ldb_message *msg,
+			     const struct ldb_parse_tree *tree,
+			     enum ldb_scope scope)
+{
+	if (ldb_attr_dn(tree->u.present.attr) == 0) {
+		return 1;
+	}
+
+	if (ldb_msg_find_element(msg, tree->u.present.attr)) {
+		return 1;
+	}
+
+	return 0;
+}
+
+static int ldb_match_comparison(struct ldb_context *ldb, 
+				const struct ldb_message *msg,
+				const struct ldb_parse_tree *tree,
+				enum ldb_scope scope,
+				enum ldb_parse_op comp_op)
+{
+	unsigned int i;
+	struct ldb_message_element *el;
+	const struct ldb_attrib_handler *h;
+	int ret;
+
+	/* FIXME: APPROX comparison not handled yet */
+	if (comp_op == LDB_OP_APPROX) return 0;
+
+	el = ldb_msg_find_element(msg, tree->u.comparison.attr);
+	if (el == NULL) {
+		return 0;
+	}
+
+	h = ldb_attrib_handler(ldb, el->name);
+
+	for (i = 0; i < el->num_values; i++) {
+		ret = h->comparison_fn(ldb, ldb, &el->values[i], &tree->u.comparison.value);
+
+		if (ret == 0) {
+			return 1;
+		}
+		if (ret > 0 && comp_op == LDB_OP_GREATER) {
+			return 1;
+		}
+		if (ret < 0 && comp_op == LDB_OP_LESS) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+/*
+  match a simple leaf node
+*/
+static int ldb_match_equality(struct ldb_context *ldb, 
+			      const struct ldb_message *msg,
+			      const struct ldb_parse_tree *tree,
+			      enum ldb_scope scope)
+{
+	unsigned int i;
+	struct ldb_message_element *el;
+	const struct ldb_attrib_handler *h;
+	struct ldb_dn *valuedn;
+	int ret;
+
+	if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+		valuedn = ldb_dn_explode_casefold(ldb, ldb,
+						  (char *)tree->u.equality.value.data);
+		if (valuedn == NULL) {
+			return 0;
+		}
+
+		ret = ldb_dn_compare(ldb, msg->dn, valuedn);
+
+		talloc_free(valuedn);
+
+		if (ret == 0) return 1;
+		return 0;
+	}
+
+	/* TODO: handle the "*" case derived from an extended search
+	   operation without the attibute type defined */
+	el = ldb_msg_find_element(msg, tree->u.equality.attr);
+	if (el == NULL) {
+		return 0;
+	}
+
+	h = ldb_attrib_handler(ldb, el->name);
+
+	for (i=0;i<el->num_values;i++) {
+		if (h->comparison_fn(ldb, ldb, &tree->u.equality.value, 
+				     &el->values[i]) == 0) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+static int ldb_wildcard_compare(struct ldb_context *ldb,
+				const struct ldb_parse_tree *tree,
+				const struct ldb_val value)
+{
+	const struct ldb_attrib_handler *h;
+	struct ldb_val val;
+	struct ldb_val cnk;
+	struct ldb_val *chunk;
+	char *p, *g;
+	uint8_t *save_p = NULL;
+	int c = 0;
+
+	h = ldb_attrib_handler(ldb, tree->u.substring.attr);
+
+	if(h->canonicalise_fn(ldb, ldb, &value, &val) != 0)
+		return -1;
+
+	save_p = val.data;
+	cnk.data = NULL;
+
+	if ( ! tree->u.substring.start_with_wildcard ) {
+
+		chunk = tree->u.substring.chunks[c];
+		if(h->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto failed;
+
+		/* This deals with wildcard prefix searches on binary attributes (eg objectGUID) */
+		if (cnk.length > val.length) {
+			goto failed;
+		}
+		if (memcmp((char *)val.data, (char *)cnk.data, cnk.length) != 0) goto failed;
+		val.length -= cnk.length;
+		val.data += cnk.length;
+		c++;
+		talloc_free(cnk.data);
+		cnk.data = NULL;
+	}
+
+	while (tree->u.substring.chunks[c]) {
+
+		chunk = tree->u.substring.chunks[c];
+		if(h->canonicalise_fn(ldb, ldb, chunk, &cnk) != 0) goto failed;
+
+		/* FIXME: case of embedded nulls */
+		p = strstr((char *)val.data, (char *)cnk.data);
+		if (p == NULL) goto failed;
+		if ( (! tree->u.substring.chunks[c + 1]) && (! tree->u.substring.end_with_wildcard) ) {
+			do { /* greedy */
+				g = strstr((char *)p + cnk.length, (char *)cnk.data);
+				if (g) p = g;
+			} while(g);
+		}
+		val.length = val.length - (p - (char *)(val.data)) - cnk.length;
+		val.data = (uint8_t *)(p + cnk.length);
+		c++;
+		talloc_free(cnk.data);
+		cnk.data = NULL;
+	}
+
+	if ( (! tree->u.substring.end_with_wildcard) && (*(val.data) != 0) ) goto failed; /* last chunk have not reached end of string */
+	talloc_free(save_p);
+	return 1;
+
+failed:
+	talloc_free(save_p);
+	talloc_free(cnk.data);
+	return 0;
+}
+
+/*
+  match a simple leaf node
+*/
+static int ldb_match_substring(struct ldb_context *ldb, 
+			       const struct ldb_message *msg,
+			       const struct ldb_parse_tree *tree,
+			       enum ldb_scope scope)
+{
+	unsigned int i;
+	struct ldb_message_element *el;
+
+	el = ldb_msg_find_element(msg, tree->u.substring.attr);
+	if (el == NULL) {
+		return 0;
+	}
+
+	for (i = 0; i < el->num_values; i++) {
+		if (ldb_wildcard_compare(ldb, tree, el->values[i]) == 1) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+
+/*
+  bitwise-and comparator
+*/
+static int ldb_comparator_and(const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	uint64_t i1, i2;
+	i1 = strtoull((char *)v1->data, NULL, 0);
+	i2 = strtoull((char *)v2->data, NULL, 0);
+	return ((i1 & i2) == i2);
+}
+
+/*
+  bitwise-or comparator
+*/
+static int ldb_comparator_or(const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	uint64_t i1, i2;
+	i1 = strtoull((char *)v1->data, NULL, 0);
+	i2 = strtoull((char *)v2->data, NULL, 0);
+	return ((i1 & i2) != 0);
+}
+
+
+/*
+  extended match, handles things like bitops
+*/
+static int ldb_match_extended(struct ldb_context *ldb, 
+			      const struct ldb_message *msg,
+			      const struct ldb_parse_tree *tree,
+			      enum ldb_scope scope)
+{
+	int i;
+	const struct {
+		const char *oid;
+		int (*comparator)(const struct ldb_val *, const struct ldb_val *);
+	} rules[] = {
+		{ LDB_OID_COMPARATOR_AND, ldb_comparator_and},
+		{ LDB_OID_COMPARATOR_OR, ldb_comparator_or}
+	};
+	int (*comp)(const struct ldb_val *, const struct ldb_val *) = NULL;
+	struct ldb_message_element *el;
+
+	if (tree->u.extended.dnAttributes) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: dnAttributes extended match not supported yet");
+		return -1;
+	}
+	if (tree->u.extended.rule_id == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: no-rule extended matches not supported yet");
+		return -1;
+	}
+	if (tree->u.extended.attr == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: no-attribute extended matches not supported yet");
+		return -1;
+	}
+
+	for (i=0;i<ARRAY_SIZE(rules);i++) {
+		if (strcmp(rules[i].oid, tree->u.extended.rule_id) == 0) {
+			comp = rules[i].comparator;
+			break;
+		}
+	}
+	if (comp == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "ldb: unknown extended rule_id %s\n",
+			  tree->u.extended.rule_id);
+		return -1;
+	}
+
+	/* find the message element */
+	el = ldb_msg_find_element(msg, tree->u.extended.attr);
+	if (el == NULL) {
+		return 0;
+	}
+
+	for (i=0;i<el->num_values;i++) {
+		int ret = comp(&el->values[i], &tree->u.extended.value);
+		if (ret == -1 || ret == 1) return ret;
+	}
+
+	return 0;
+}
+
+/*
+  return 0 if the given parse tree matches the given message. Assumes
+  the message is in sorted order
+
+  return 1 if it matches, and 0 if it doesn't match
+
+  this is a recursive function, and does short-circuit evaluation
+ */
+static int ldb_match_message(struct ldb_context *ldb, 
+			     const struct ldb_message *msg,
+			     const struct ldb_parse_tree *tree,
+			     enum ldb_scope scope)
+{
+	unsigned int i;
+	int v;
+
+	switch (tree->operation) {
+	case LDB_OP_AND:
+		for (i=0;i<tree->u.list.num_elements;i++) {
+			v = ldb_match_message(ldb, msg, tree->u.list.elements[i], scope);
+			if (!v) return 0;
+		}
+		return 1;
+
+	case LDB_OP_OR:
+		for (i=0;i<tree->u.list.num_elements;i++) {
+			v = ldb_match_message(ldb, msg, tree->u.list.elements[i], scope);
+			if (v) return 1;
+		}
+		return 0;
+
+	case LDB_OP_NOT:
+		return ! ldb_match_message(ldb, msg, tree->u.isnot.child, scope);
+
+	case LDB_OP_EQUALITY:
+		return ldb_match_equality(ldb, msg, tree, scope);
+
+	case LDB_OP_SUBSTRING:
+		return ldb_match_substring(ldb, msg, tree, scope);
+
+	case LDB_OP_GREATER:
+		return ldb_match_comparison(ldb, msg, tree, scope, LDB_OP_GREATER);
+
+	case LDB_OP_LESS:
+		return ldb_match_comparison(ldb, msg, tree, scope, LDB_OP_LESS);
+
+	case LDB_OP_PRESENT:
+		return ldb_match_present(ldb, msg, tree, scope);
+
+	case LDB_OP_APPROX:
+		return ldb_match_comparison(ldb, msg, tree, scope, LDB_OP_APPROX);
+
+	case LDB_OP_EXTENDED:
+		return ldb_match_extended(ldb, msg, tree, scope);
+
+	}
+
+	return 0;
+}
+
+int ldb_match_msg(struct ldb_context *ldb,
+		  const struct ldb_message *msg,
+		  const struct ldb_parse_tree *tree,
+		  const struct ldb_dn *base,
+		  enum ldb_scope scope)
+{
+	if ( ! ldb_match_scope(ldb, base, msg->dn, scope) ) {
+		return 0;
+	}
+
+	return ldb_match_message(ldb, msg, tree, scope);
+}
diff --git a/source3/lib/ldb/common/ldb_modules.c b/source3/lib/ldb/common/ldb_modules.c
new file mode 100644
index 0000000000..fa7f685d97
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_modules.c
@@ -0,0 +1,459 @@
+
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb modules core
+ *
+ *  Description: core modules routines
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#if (_SAMBA_BUILD_ >= 4)
+#include "build.h"
+#include "dynconfig.h"
+#endif
+
+#define LDB_MODULE_PREFIX	"modules:"
+#define LDB_MODULE_PREFIX_LEN	8
+
+static char *ldb_modules_strdup_no_spaces(TALLOC_CTX *mem_ctx, const char *string)
+{
+	int i, len;
+	char *trimmed;
+
+	trimmed = talloc_strdup(mem_ctx, string);
+	if (!trimmed) {
+		return NULL;
+	}
+
+	len = strlen(trimmed);
+	for (i = 0; trimmed[i] != '\0'; i++) {
+		switch (trimmed[i]) {
+		case ' ':
+		case '\t':
+		case '\n':
+			memmove(&trimmed[i], &trimmed[i + 1], len -i -1);
+			break;
+		}
+	}
+
+	return trimmed;
+}
+
+
+/* modules are called in inverse order on the stack.
+   Lets place them as an admin would think the right order is.
+   Modules order is important */
+const char **ldb_modules_list_from_string(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *string)
+{
+	char **modules = NULL;
+	const char **m;
+	char *modstr, *p;
+	int i;
+
+	/* spaces not admitted */
+	modstr = ldb_modules_strdup_no_spaces(mem_ctx, string);
+	if ( ! modstr) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_strdup_no_spaces()\n");
+		return NULL;
+	}
+
+	modules = talloc_realloc(mem_ctx, modules, char *, 2);
+	if ( ! modules ) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()\n");
+		talloc_free(modstr);
+		return NULL;
+	}
+	talloc_steal(modules, modstr);
+
+	i = 0;
+	/* The str*r*chr walks backwards:  This is how we get the inverse order mentioned above */
+	while ((p = strrchr(modstr, ',')) != NULL) {
+		*p = '\0';
+		p++;
+		modules[i] = p;
+
+		i++;
+		modules = talloc_realloc(mem_ctx, modules, char *, i + 2);
+		if ( ! modules ) {
+			ldb_debug(ldb, LDB_DEBUG_FATAL, "Out of Memory in ldb_modules_list_from_string()\n");
+			return NULL;
+		}
+
+	}
+	modules[i] = modstr;
+
+	modules[i + 1] = NULL;
+
+	m = (const char **)modules;
+
+	return m;
+}
+
+static struct ops_list_entry {
+	const struct ldb_module_ops *ops;
+	struct ops_list_entry *next;	
+} *registered_modules = NULL;
+
+static const struct ldb_module_ops *ldb_find_module_ops(const char *name)
+{
+	struct ops_list_entry *e;
+ 
+	for (e = registered_modules; e; e = e->next) {
+ 		if (strcmp(e->ops->name, name) == 0) 
+			return e->ops;
+	}
+
+	return NULL;
+}
+
+#ifndef STATIC_ldb_MODULES
+
+#ifdef HAVE_LDB_LDAP
+#define LDAP_INIT ldb_ldap_init,
+#else
+#define LDAP_INIT
+#endif
+
+#ifdef HAVE_LDB_SQLITE3
+#define SQLITE3_INIT ldb_sqlite3_init,
+#else
+#define SQLITE3_INIT
+#endif
+
+#define STATIC_ldb_MODULES \
+	{	\
+		LDAP_INIT \
+		SQLITE3_INIT \
+		ldb_tdb_init, 	\
+		ldb_operational_init,	\
+		ldb_rdn_name_init,	\
+		ldb_objectclass_init,	\
+		ldb_paged_results_init,	\
+		ldb_sort_init,		\
+		ldb_asq_init,		\
+		NULL			\
+	}
+#endif
+
+int ldb_global_init(void)
+{
+	static int (*static_init_fns[])(void) = STATIC_ldb_MODULES;
+
+	static int initialized = 0;
+	int ret = 0, i;
+
+	if (initialized) 
+		return 0;
+
+	initialized = 1;
+	
+	for (i = 0; static_init_fns[i]; i++) {
+		if (static_init_fns[i]() == -1)
+			ret = -1;
+	}
+
+	return ret;
+}
+
+int ldb_register_module(const struct ldb_module_ops *ops)
+{
+	struct ops_list_entry *entry = talloc(talloc_autofree_context(), struct ops_list_entry);
+
+	if (ldb_find_module_ops(ops->name) != NULL)
+		return -1;
+
+	if (entry == NULL)
+		return -1;
+
+	entry->ops = ops;
+	entry->next = registered_modules;
+	registered_modules = entry;
+
+	return 0;
+}
+
+int ldb_try_load_dso(struct ldb_context *ldb, const char *name)
+{
+	char *path;
+	void *handle;
+	int (*init_fn) (void);
+	char *modulesdir;
+	int ret;
+
+#ifdef HAVE_DLOPEN
+	if (getenv("LD_LDB_MODULE_PATH") != NULL) {
+		modulesdir = talloc_strdup(ldb, getenv("LD_LDB_MODULE_PATH"));
+	} else {
+#ifdef _SAMBA_BUILD_
+		modulesdir = talloc_asprintf(ldb, "%s/ldb", get_dyn_LIBDIR());
+#else
+		modulesdir = talloc_strdup(ldb, MODULESDIR);
+#endif
+	}
+
+	path = talloc_asprintf(ldb, "%s/%s.%s", modulesdir, name, SHLIBEXT);
+
+	talloc_free(modulesdir);
+
+	ldb_debug(ldb, LDB_DEBUG_TRACE, "trying to load %s from %s\n", name, path);
+
+	handle = dlopen(path, RTLD_NOW);
+	if (handle == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_WARNING, "unable to load %s from %s: %s\n", name, path, dlerror());
+		return -1;
+	}
+
+	init_fn = (int (*)(void))dlsym(handle, "init_samba_module");
+
+	if (init_fn == NULL) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "no symbol "
+			  "`init_samba_module' found in %s: %s\n", path,
+			  dlerror());
+		dlclose(handle);
+		return -1;
+	}
+
+	talloc_free(path);
+
+	ret = init_fn();
+	if (ret == -1) {
+		dlclose(handle);
+	}
+	return ret;
+#else
+	ldb_debug(ldb, LDB_DEBUG_TRACE, "no dlopen() - not trying to load %s module\n", name);
+	return -1;
+#endif
+}
+
+int ldb_load_modules_list(struct ldb_context *ldb, const char **module_list, struct ldb_module *backend, struct ldb_module **out)
+{
+	struct ldb_module *module;
+	int i;
+	
+	module = backend;
+
+	for (i = 0; module_list[i] != NULL; i++) {
+		struct ldb_module *current;
+		const struct ldb_module_ops *ops;
+		
+		ops = ldb_find_module_ops(module_list[i]);
+		if (ops == NULL) {
+			if (ldb_try_load_dso(ldb, module_list[i]) == 0) {
+				ops = ldb_find_module_ops(module_list[i]);
+			}
+		}
+		
+		if (ops == NULL) {
+			ldb_debug(ldb, LDB_DEBUG_WARNING, "WARNING: Module [%s] not found\n", 
+				  module_list[i]);
+			continue;
+		}
+		
+		current = talloc_zero(ldb, struct ldb_module);
+		if (current == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		talloc_set_name(current, "ldb_module: %s", module_list[i]);
+		
+		current->ldb = ldb;
+		current->ops = ops;
+		
+		DLIST_ADD(module, current);
+	}
+	*out = module;
+	return LDB_SUCCESS;
+}
+
+int ldb_init_module_chain(struct ldb_context *ldb, struct ldb_module *module) 
+{
+	while (module && module->ops->init_context == NULL) 
+		module = module->next;
+
+	if (module && module->ops->init_context &&
+		module->ops->init_context(module) != LDB_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "module initialization failed\n");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return LDB_SUCCESS;
+}
+
+int ldb_load_modules(struct ldb_context *ldb, const char *options[])
+{
+	const char **modules = NULL;
+	int i;
+	int ret;
+	TALLOC_CTX *mem_ctx = talloc_new(ldb);
+	if (!mem_ctx) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* find out which modules we are requested to activate */
+
+	/* check if we have a custom module list passd as ldb option */
+	if (options) {
+		for (i = 0; options[i] != NULL; i++) {
+			if (strncmp(options[i], LDB_MODULE_PREFIX, LDB_MODULE_PREFIX_LEN) == 0) {
+				modules = ldb_modules_list_from_string(ldb, mem_ctx, &options[i][LDB_MODULE_PREFIX_LEN]);
+			}
+		}
+	}
+
+	/* if not overloaded by options and the backend is not ldap try to load the modules list from ldb */
+	if ((modules == NULL) && (strcmp("ldap", ldb->modules->ops->name) != 0)) { 
+		const char * const attrs[] = { "@LIST" , NULL};
+		struct ldb_result *res = NULL;
+		struct ldb_dn *mods_dn;
+
+		mods_dn = ldb_dn_explode(mem_ctx, "@MODULES");
+		if (mods_dn == NULL) {
+			talloc_free(mem_ctx);
+			return -1;
+		}
+
+		ret = ldb_search(ldb, mods_dn, LDB_SCOPE_BASE, "", attrs, &res);
+		talloc_steal(mods_dn, res);
+		if (ret == LDB_SUCCESS && (res->count == 0 || res->msgs[0]->num_elements == 0)) {
+			ldb_debug(ldb, LDB_DEBUG_TRACE, "no modules required by the db\n");
+		} else {
+			if (ret != LDB_SUCCESS) {
+				ldb_debug(ldb, LDB_DEBUG_FATAL, "ldb error (%s) occurred searching for modules, bailing out\n", ldb_errstring(ldb));
+				talloc_free(mem_ctx);
+				return -1;
+			}
+			if (res->count > 1) {
+				ldb_debug(ldb, LDB_DEBUG_FATAL, "Too many records found (%d), bailing out\n", res->count);
+				talloc_free(mem_ctx);
+				return -1;
+			}
+
+			modules = ldb_modules_list_from_string(ldb, mem_ctx,
+							       (const char *)res->msgs[0]->elements[0].values[0].data);
+
+		}
+
+		talloc_free(mods_dn);
+	}
+
+	if (modules != NULL) {
+		ret = ldb_load_modules_list(ldb, modules, ldb->modules, &ldb->modules);
+		talloc_free(modules);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	} else {
+		ldb_debug(ldb, LDB_DEBUG_TRACE, "No modules specified for this database\n");
+	}
+
+	return ldb_init_module_chain(ldb, ldb->modules);
+}
+
+/*
+  by using this we allow ldb modules to only implement the functions they care about,
+  which makes writing a module simpler, and makes it more likely to keep working
+  when ldb is extended
+*/
+#define FIND_OP(module, op) do { \
+	struct ldb_context *ldb = module->ldb; \
+	module = module->next; \
+	while (module && module->ops->op == NULL) module = module->next; \
+	if (module == NULL) { \
+		ldb_asprintf_errstring(ldb, "Unable to find backend operation for " #op ); \
+		return LDB_ERR_OPERATIONS_ERROR;	\
+	}						\
+} while (0)
+
+
+/*
+   helper functions to call the next module in chain
+*/
+
+int ldb_next_request(struct ldb_module *module, struct ldb_request *request)
+{
+	switch (request->operation) {
+	case LDB_SEARCH:
+		FIND_OP(module, search);
+		return module->ops->search(module, request);
+	case LDB_ADD:
+		FIND_OP(module, add);
+		return module->ops->add(module, request);
+	case LDB_MODIFY:
+		FIND_OP(module, modify);
+		return module->ops->modify(module, request);
+	case LDB_DELETE:
+		FIND_OP(module, del);
+		return module->ops->del(module, request);
+	case LDB_RENAME:
+		FIND_OP(module, rename);
+		return module->ops->rename(module, request);
+	case LDB_SEQUENCE_NUMBER:
+		FIND_OP(module, sequence_number);
+		return module->ops->sequence_number(module, request);
+	default:
+		FIND_OP(module, request);
+		return module->ops->request(module, request);
+	}
+}
+
+int ldb_next_init(struct ldb_module *module)
+{
+	/* init is different in that it is not an error if modules
+	 * do not require initialization */
+
+	module = module->next;
+
+	while (module && module->ops->init_context == NULL) 
+		module = module->next;
+
+	if (module == NULL) 
+		return LDB_SUCCESS;
+
+	return module->ops->init_context(module);
+}
+
+int ldb_next_start_trans(struct ldb_module *module)
+{
+	FIND_OP(module, start_transaction);
+	return module->ops->start_transaction(module);
+}
+
+int ldb_next_end_trans(struct ldb_module *module)
+{
+	FIND_OP(module, end_transaction);
+	return module->ops->end_transaction(module);
+}
+
+int ldb_next_del_trans(struct ldb_module *module)
+{
+	FIND_OP(module, del_transaction);
+	return module->ops->del_transaction(module);
+}
diff --git a/source3/lib/ldb/common/ldb_msg.c b/source3/lib/ldb/common/ldb_msg.c
new file mode 100644
index 0000000000..a8a6e93f12
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_msg.c
@@ -0,0 +1,829 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb message component utility functions
+ *
+ *  Description: functions for manipulating ldb_message structures
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+void ldb_dump_results(struct ldb_context *ldb, struct ldb_result *result, FILE *f);
+int ldb_msg_element_compare_name(struct ldb_message_element *el1, 
+				 struct ldb_message_element *el2);
+
+/*
+  create a new ldb_message in a given memory context (NULL for top level)
+*/
+struct ldb_message *ldb_msg_new(void *mem_ctx)
+{
+	return talloc_zero(mem_ctx, struct ldb_message);
+}
+
+/*
+  find an element in a message by attribute name
+*/
+struct ldb_message_element *ldb_msg_find_element(const struct ldb_message *msg, 
+						 const char *attr_name)
+{
+	unsigned int i;
+	for (i=0;i<msg->num_elements;i++) {
+		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+			return &msg->elements[i];
+		}
+	}
+	return NULL;
+}
+
+/*
+  see if two ldb_val structures contain exactly the same data
+  return 1 for a match, 0 for a mis-match
+*/
+int ldb_val_equal_exact(const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	if (v1->length != v2->length) return 0;
+
+	if (v1->length == 0) return 1;
+
+	if (memcmp(v1->data, v2->data, v1->length) == 0) {
+		return 1;
+	}
+
+	return 0;
+}
+
+/*
+  find a value in an element
+  assumes case sensitive comparison
+*/
+struct ldb_val *ldb_msg_find_val(const struct ldb_message_element *el, 
+				 struct ldb_val *val)
+{
+	unsigned int i;
+	for (i=0;i<el->num_values;i++) {
+		if (ldb_val_equal_exact(val, &el->values[i])) {
+			return &el->values[i];
+		}
+	}
+	return NULL;
+}
+
+/*
+  duplicate a ldb_val structure
+*/
+struct ldb_val ldb_val_dup(void *mem_ctx, const struct ldb_val *v)
+{
+	struct ldb_val v2;
+	v2.length = v->length;
+	if (v->data == NULL) {
+		v2.data = NULL;
+		return v2;
+	}
+
+	/* the +1 is to cope with buggy C library routines like strndup
+	   that look one byte beyond */
+	v2.data = talloc_array(mem_ctx, uint8_t, v->length+1);
+	if (!v2.data) {
+		v2.length = 0;
+		return v2;
+	}
+
+	memcpy(v2.data, v->data, v->length);
+	((char *)v2.data)[v->length] = 0;
+	return v2;
+}
+
+/*
+  add an empty element to a message
+*/
+int ldb_msg_add_empty(	struct ldb_message *msg,
+			const char *attr_name,
+			int flags,
+			struct ldb_message_element **return_el)
+{
+	struct ldb_message_element *els;
+
+	if (! ldb_valid_attr_name(attr_name)) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	els = talloc_realloc(msg, msg->elements, 
+			     struct ldb_message_element, msg->num_elements+1);
+	if (!els) {
+		errno = ENOMEM;
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	els[msg->num_elements].values = NULL;
+	els[msg->num_elements].num_values = 0;
+	els[msg->num_elements].flags = flags;
+	els[msg->num_elements].name = talloc_strdup(els, attr_name);
+	if (!els[msg->num_elements].name) {
+		errno = ENOMEM;
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->elements = els;
+	msg->num_elements++;
+
+	if (return_el) {
+		*return_el = &els[msg->num_elements-1];
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  add an empty element to a message
+*/
+int ldb_msg_add(struct ldb_message *msg, 
+		const struct ldb_message_element *el, 
+		int flags)
+{
+	if (ldb_msg_add_empty(msg, el->name, flags, NULL) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->elements[msg->num_elements-1] = *el;
+	msg->elements[msg->num_elements-1].flags = flags;
+
+	return LDB_SUCCESS;
+}
+
+/*
+  add a value to a message
+*/
+int ldb_msg_add_value(struct ldb_message *msg, 
+		      const char *attr_name,
+		      const struct ldb_val *val,
+		      struct ldb_message_element **return_el)
+{
+	struct ldb_message_element *el;
+	struct ldb_val *vals;
+	int ret;
+
+	el = ldb_msg_find_element(msg, attr_name);
+	if (!el) {
+		ret = ldb_msg_add_empty(msg, attr_name, 0, &el);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	vals = talloc_realloc(msg, el->values, struct ldb_val, el->num_values+1);
+	if (!vals) {
+		errno = ENOMEM;
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	el->values = vals;
+	el->values[el->num_values] = *val;
+	el->num_values++;
+
+	if (return_el) {
+		*return_el = el;
+	}
+
+	return LDB_SUCCESS;
+}
+
+
+/*
+  add a value to a message, stealing it into the 'right' place
+*/
+int ldb_msg_add_steal_value(struct ldb_message *msg, 
+			    const char *attr_name,
+			    struct ldb_val *val)
+{
+	int ret;
+	struct ldb_message_element *el;
+
+	ret = ldb_msg_add_value(msg, attr_name, val, &el);
+	if (ret == LDB_SUCCESS) {
+		talloc_steal(el->values, val->data);
+	}
+	return ret;
+}
+
+
+/*
+  add a string element to a message
+*/
+int ldb_msg_add_string(struct ldb_message *msg, 
+		       const char *attr_name, const char *str)
+{
+	struct ldb_val val;
+
+	val.data = discard_const_p(uint8_t, str);
+	val.length = strlen(str);
+
+	if (val.length == 0) {
+		/* allow empty strings as non-existant attributes */
+		return LDB_SUCCESS;
+	}
+
+	return ldb_msg_add_value(msg, attr_name, &val, NULL);
+}
+
+/*
+  add a string element to a message, stealing it into the 'right' place
+*/
+int ldb_msg_add_steal_string(struct ldb_message *msg, 
+			     const char *attr_name, char *str)
+{
+	struct ldb_val val;
+
+	val.data = (uint8_t *)str;
+	val.length = strlen(str);
+
+	return ldb_msg_add_steal_value(msg, attr_name, &val);
+}
+
+/*
+  add a printf formatted element to a message
+*/
+int ldb_msg_add_fmt(struct ldb_message *msg, 
+		    const char *attr_name, const char *fmt, ...)
+{
+	struct ldb_val val;
+	va_list ap;
+	char *str;
+
+	va_start(ap, fmt);
+	str = talloc_vasprintf(msg, fmt, ap);
+	va_end(ap);
+
+	if (str == NULL) return LDB_ERR_OPERATIONS_ERROR;
+
+	val.data   = (uint8_t *)str;
+	val.length = strlen(str);
+
+	return ldb_msg_add_steal_value(msg, attr_name, &val);
+}
+
+/*
+  compare two ldb_message_element structures
+  assumes case senistive comparison
+*/
+int ldb_msg_element_compare(struct ldb_message_element *el1, 
+			    struct ldb_message_element *el2)
+{
+	unsigned int i;
+
+	if (el1->num_values != el2->num_values) {
+		return el1->num_values - el2->num_values;
+	}
+
+	for (i=0;i<el1->num_values;i++) {
+		if (!ldb_msg_find_val(el2, &el1->values[i])) {
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+/*
+  compare two ldb_message_element structures
+  comparing by element name
+*/
+int ldb_msg_element_compare_name(struct ldb_message_element *el1, 
+				 struct ldb_message_element *el2)
+{
+	return ldb_attr_cmp(el1->name, el2->name);
+}
+
+/*
+  convenience functions to return common types from a message
+  these return the first value if the attribute is multi-valued
+*/
+const struct ldb_val *ldb_msg_find_ldb_val(const struct ldb_message *msg, const char *attr_name)
+{
+	struct ldb_message_element *el = ldb_msg_find_element(msg, attr_name);
+	if (!el || el->num_values == 0) {
+		return NULL;
+	}
+	return &el->values[0];
+}
+
+int ldb_msg_find_attr_as_int(const struct ldb_message *msg, 
+			     const char *attr_name,
+			     int default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return strtol((const char *)v->data, NULL, 0);
+}
+
+unsigned int ldb_msg_find_attr_as_uint(const struct ldb_message *msg, 
+				       const char *attr_name,
+				       unsigned int default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return strtoul((const char *)v->data, NULL, 0);
+}
+
+int64_t ldb_msg_find_attr_as_int64(const struct ldb_message *msg, 
+				   const char *attr_name,
+				   int64_t default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return strtoll((const char *)v->data, NULL, 0);
+}
+
+uint64_t ldb_msg_find_attr_as_uint64(const struct ldb_message *msg, 
+				     const char *attr_name,
+				     uint64_t default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return strtoull((const char *)v->data, NULL, 0);
+}
+
+double ldb_msg_find_attr_as_double(const struct ldb_message *msg, 
+				   const char *attr_name,
+				   double default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return strtod((const char *)v->data, NULL);
+}
+
+int ldb_msg_find_attr_as_bool(const struct ldb_message *msg, 
+			      const char *attr_name,
+			      int default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	if (strcasecmp((const char *)v->data, "FALSE") == 0) {
+		return 0;
+	}
+	if (strcasecmp((const char *)v->data, "TRUE") == 0) {
+		return 1;
+	}
+	return default_value;
+}
+
+const char *ldb_msg_find_attr_as_string(const struct ldb_message *msg, 
+					const char *attr_name,
+					const char *default_value)
+{
+	const struct ldb_val *v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return default_value;
+	}
+	return (const char *)v->data;
+}
+
+struct ldb_dn *ldb_msg_find_attr_as_dn(void *mem_ctx,
+				       const struct ldb_message *msg,
+				       const char *attr_name)
+{
+	const struct ldb_val *v;
+
+	v = ldb_msg_find_ldb_val(msg, attr_name);
+	if (!v || !v->data) {
+		return NULL;
+	}
+	return ldb_dn_explode(mem_ctx, (const char *)v->data);
+}
+
+/*
+  sort the elements of a message by name
+*/
+void ldb_msg_sort_elements(struct ldb_message *msg)
+{
+	qsort(msg->elements, msg->num_elements, sizeof(struct ldb_message_element), 
+	      (comparison_fn_t)ldb_msg_element_compare_name);
+}
+
+/*
+  shallow copy a message - copying only the elements array so that the caller
+  can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, 
+					 const struct ldb_message *msg)
+{
+	struct ldb_message *msg2;
+	int i;
+
+	msg2 = talloc(mem_ctx, struct ldb_message);
+	if (msg2 == NULL) return NULL;
+
+	*msg2 = *msg;
+	msg2->private_data = NULL;
+
+	msg2->elements = talloc_array(msg2, struct ldb_message_element, 
+				      msg2->num_elements);
+	if (msg2->elements == NULL) goto failed;
+
+	for (i=0;i<msg2->num_elements;i++) {
+		msg2->elements[i] = msg->elements[i];
+	}
+
+	return msg2;
+
+failed:
+	talloc_free(msg2);
+	return NULL;
+}
+
+
+/*
+  copy a message, allocating new memory for all parts
+*/
+struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, 
+				 const struct ldb_message *msg)
+{
+	struct ldb_message *msg2;
+	int i, j;
+
+	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+	if (msg2 == NULL) return NULL;
+
+	msg2->dn = ldb_dn_copy(msg2, msg2->dn);
+	if (msg2->dn == NULL) goto failed;
+
+	for (i=0;i<msg2->num_elements;i++) {
+		struct ldb_message_element *el = &msg2->elements[i];
+		struct ldb_val *values = el->values;
+		el->name = talloc_strdup(msg2->elements, el->name);
+		if (el->name == NULL) goto failed;
+		el->values = talloc_array(msg2->elements, struct ldb_val, el->num_values);
+		for (j=0;j<el->num_values;j++) {
+			el->values[j] = ldb_val_dup(el->values, &values[j]);
+			if (el->values[j].data == NULL && values[j].length != 0) {
+				goto failed;
+			}
+		}
+	}
+
+	return msg2;
+
+failed:
+	talloc_free(msg2);
+	return NULL;
+}
+
+
+/*
+  canonicalise a message, merging elements of the same name
+*/
+struct ldb_message *ldb_msg_canonicalize(struct ldb_context *ldb, 
+					 const struct ldb_message *msg)
+{
+	int i;
+	struct ldb_message *msg2;
+
+	msg2 = ldb_msg_copy(ldb, msg);
+	if (msg2 == NULL) return NULL;
+
+	ldb_msg_sort_elements(msg2);
+
+	for (i=1;i<msg2->num_elements;i++) {
+		struct ldb_message_element *el1 = &msg2->elements[i-1];
+		struct ldb_message_element *el2 = &msg2->elements[i];
+		if (ldb_msg_element_compare_name(el1, el2) == 0) {
+			el1->values = talloc_realloc(msg2->elements, el1->values, struct ldb_val, 
+						       el1->num_values + el2->num_values);
+			if (el1->values == NULL) {
+				return NULL;
+			}
+			memcpy(el1->values + el1->num_values,
+			       el2->values,
+			       sizeof(struct ldb_val) * el2->num_values);
+			el1->num_values += el2->num_values;
+			talloc_free(discard_const_p(char, el2->name));
+			if (i+1<msg2->num_elements) {
+				memmove(el2, el2+1, sizeof(struct ldb_message_element) * 
+					(msg2->num_elements - (i+1)));
+			}
+			msg2->num_elements--;
+			i--;
+		}
+	}
+
+	return msg2;
+}
+
+
+/*
+  return a ldb_message representing the differences between msg1 and msg2. If you
+  then use this in a ldb_modify() call it can be used to save edits to a message
+*/
+struct ldb_message *ldb_msg_diff(struct ldb_context *ldb, 
+				 struct ldb_message *msg1,
+				 struct ldb_message *msg2)
+{
+	struct ldb_message *mod;
+	struct ldb_message_element *el;
+	unsigned int i;
+
+	mod = ldb_msg_new(ldb);
+
+	mod->dn = msg1->dn;
+	mod->num_elements = 0;
+	mod->elements = NULL;
+
+	msg2 = ldb_msg_canonicalize(ldb, msg2);
+	if (msg2 == NULL) {
+		return NULL;
+	}
+	
+	/* look in msg2 to find elements that need to be added
+	   or modified */
+	for (i=0;i<msg2->num_elements;i++) {
+		el = ldb_msg_find_element(msg1, msg2->elements[i].name);
+
+		if (el && ldb_msg_element_compare(el, &msg2->elements[i]) == 0) {
+			continue;
+		}
+
+		if (ldb_msg_add(mod, 
+				&msg2->elements[i],
+				el?LDB_FLAG_MOD_REPLACE:LDB_FLAG_MOD_ADD) != 0) {
+			return NULL;
+		}
+	}
+
+	/* look in msg1 to find elements that need to be deleted */
+	for (i=0;i<msg1->num_elements;i++) {
+		el = ldb_msg_find_element(msg2, msg1->elements[i].name);
+		if (!el) {
+			if (ldb_msg_add_empty(mod, 
+					      msg1->elements[i].name,
+					      LDB_FLAG_MOD_DELETE, NULL) != 0) {
+				return NULL;
+			}
+		}
+	}
+
+	return mod;
+}
+
+int ldb_msg_sanity_check(struct ldb_context *ldb, 
+			 const struct ldb_message *msg)
+{
+	int i, j;
+
+	/* basic check on DN */
+	if (msg->dn == NULL) {
+		/* TODO: return also an error string */
+		ldb_set_errstring(ldb, "ldb message lacks a DN!");
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	/* basic syntax checks */
+	for (i = 0; i < msg->num_elements; i++) {
+		for (j = 0; j < msg->elements[i].num_values; j++) {
+			if (msg->elements[i].values[j].length == 0) {
+				TALLOC_CTX *mem_ctx = talloc_new(ldb);
+				/* an attribute cannot be empty */
+				/* TODO: return also an error string */
+				ldb_asprintf_errstring(ldb, "Element %s has empty attribute in ldb message (%s)!",
+							    msg->elements[i].name, 
+							    ldb_dn_linearize(mem_ctx, msg->dn));
+				talloc_free(mem_ctx);
+				return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+			}
+		}
+	}
+
+	return LDB_SUCCESS;
+}
+
+
+
+
+/*
+  copy an attribute list. This only copies the array, not the elements
+  (ie. the elements are left as the same pointers)
+*/
+const char **ldb_attr_list_copy(TALLOC_CTX *mem_ctx, const char * const *attrs)
+{
+	const char **ret;
+	int i;
+	for (i=0;attrs[i];i++) /* noop */ ;
+	ret = talloc_array(mem_ctx, const char *, i+1);
+	if (ret == NULL) {
+		return NULL;
+	}
+	for (i=0;attrs[i];i++) {
+		ret[i] = attrs[i];
+	}
+	ret[i] = attrs[i];
+	return ret;
+}
+
+
+/*
+  copy an attribute list. This only copies the array, not the elements
+  (ie. the elements are left as the same pointers).  The new attribute is added to the list.
+*/
+const char **ldb_attr_list_copy_add(TALLOC_CTX *mem_ctx, const char * const *attrs, const char *new_attr)
+{
+	const char **ret;
+	int i;
+	for (i=0;attrs[i];i++) /* noop */ ;
+	ret = talloc_array(mem_ctx, const char *, i+2);
+	if (ret == NULL) {
+		return NULL;
+	}
+	for (i=0;attrs[i];i++) {
+		ret[i] = attrs[i];
+	}
+	ret[i] = new_attr;
+	ret[i+1] = NULL;
+	return ret;
+}
+
+
+/*
+  return 1 if an attribute is in a list of attributes, or 0 otherwise
+*/
+int ldb_attr_in_list(const char * const *attrs, const char *attr)
+{
+	int i;
+	for (i=0;attrs[i];i++) {
+		if (ldb_attr_cmp(attrs[i], attr) == 0) {
+			return 1;
+		}
+	}
+	return 0;
+}
+
+
+/*
+  rename the specified attribute in a search result
+*/
+int ldb_msg_rename_attr(struct ldb_message *msg, const char *attr, const char *replace)
+{
+	struct ldb_message_element *el = ldb_msg_find_element(msg, attr);
+	if (el == NULL) {
+		return LDB_SUCCESS;
+	}
+	el->name = talloc_strdup(msg->elements, replace);
+	if (el->name == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	return LDB_SUCCESS;
+}
+
+
+/*
+  copy the specified attribute in a search result to a new attribute
+*/
+int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *replace)
+{
+	struct ldb_message_element *el = ldb_msg_find_element(msg, attr);
+	if (el == NULL) {
+		return LDB_SUCCESS;
+	}
+	if (ldb_msg_add(msg, el, 0) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	return ldb_msg_rename_attr(msg, attr, replace);
+}
+
+
+/*
+  remove the specified attribute in a search result
+*/
+void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr)
+{
+	struct ldb_message_element *el = ldb_msg_find_element(msg, attr);
+	if (el) {
+		int n = (el - msg->elements);
+		if (n != msg->num_elements-1) {
+			memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
+		}
+		msg->num_elements--;
+	}
+}
+
+/*
+  remove the specified element in a search result
+*/
+void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
+{
+	int n = (el - msg->elements);
+	if (n != msg->num_elements-1) {
+		memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
+	}
+	msg->num_elements--;
+}
+
+/*
+  return a LDAP formatted time string
+*/
+char *ldb_timestring(TALLOC_CTX *mem_ctx, time_t t)
+{
+	struct tm *tm = gmtime(&t);
+
+	if (!tm) {
+		return NULL;
+	}
+
+	/* formatted like: 20040408072012.0Z */
+	return talloc_asprintf(mem_ctx, 
+			       "%04u%02u%02u%02u%02u%02u.0Z",
+			       tm->tm_year+1900, tm->tm_mon+1,
+			       tm->tm_mday, tm->tm_hour, tm->tm_min,
+			       tm->tm_sec);
+}
+
+
+/*
+  convert a LDAP time string to a time_t. Return 0 if unable to convert
+*/
+time_t ldb_string_to_time(const char *s)
+{
+	struct tm tm;
+	
+	if (s == NULL) return 0;
+	
+	memset(&tm, 0, sizeof(tm));
+	if (sscanf(s, "%04u%02u%02u%02u%02u%02u", 
+		   &tm.tm_year, &tm.tm_mon, &tm.tm_mday, 
+		   &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
+		return 0;
+	}
+	tm.tm_year -= 1900;
+	tm.tm_mon -= 1;
+	
+	return timegm(&tm);
+}
+
+
+/*
+  dump a set of results to a file. Useful from within gdb
+*/
+void ldb_dump_results(struct ldb_context *ldb, struct ldb_result *result, FILE *f)
+{
+	int i;
+
+	for (i = 0; i < result->count; i++) {
+		struct ldb_ldif ldif;
+		fprintf(f, "# record %d\n", i+1);
+		ldif.changetype = LDB_CHANGETYPE_NONE;
+		ldif.msg = result->msgs[i];
+		ldb_ldif_write_file(ldb, f, &ldif);
+	}
+}
+
+int ldb_msg_check_string_attribute(const struct ldb_message *msg, const char *name, const char *value)
+{
+	struct ldb_message_element *el;
+	struct ldb_val val;
+	
+	el = ldb_msg_find_element(msg, name);
+	if (el == NULL)
+		return 0;
+
+	val.data = discard_const_p(uint8_t, value);
+	val.length = strlen(value);
+
+	if (ldb_msg_find_val(el, &val))
+		return 1;
+
+	return 0;
+}
diff --git a/source3/lib/ldb/common/ldb_parse.c b/source3/lib/ldb/common/ldb_parse.c
new file mode 100644
index 0000000000..bcc92c5b5c
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_parse.c
@@ -0,0 +1,818 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb expression parsing
+ *
+ *  Description: parse LDAP-like search expressions
+ *
+ *  Author: Andrew Tridgell
+ */
+
+/*
+  TODO:
+      - add RFC2254 binary string handling
+      - possibly add ~=, <= and >= handling
+      - expand the test suite
+      - add better parse error handling
+
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "system/locale.h"
+
+struct ldb_val ldb_binary_decode(void *mem_ctx, const char *str);
+
+/*
+a filter is defined by:
+               <filter> ::= '(' <filtercomp> ')'
+               <filtercomp> ::= <and> | <or> | <not> | <simple>
+               <and> ::= '&' <filterlist>
+               <or> ::= '|' <filterlist>
+               <not> ::= '!' <filter>
+               <filterlist> ::= <filter> | <filter> <filterlist>
+               <simple> ::= <attributetype> <filtertype> <attributevalue>
+               <filtertype> ::= '=' | '~=' | '<=' | '>='
+*/
+
+/*
+   decode a RFC2254 binary string representation of a buffer.
+   Used in LDAP filters.
+*/
+struct ldb_val ldb_binary_decode(void *mem_ctx, const char *str)
+{
+	int i, j;
+	struct ldb_val ret;
+	int slen = str?strlen(str):0;
+
+	ret.data = (uint8_t *)talloc_size(mem_ctx, slen+1);
+	ret.length = 0;
+	if (ret.data == NULL) return ret;
+
+	for (i=j=0;i<slen;i++) {
+		if (str[i] == '\\') {
+			unsigned c;
+			if (sscanf(&str[i+1], "%02X", &c) != 1) {
+				talloc_free(ret.data);
+				memset(&ret, 0, sizeof(ret));
+				return ret;
+			}
+			((uint8_t *)ret.data)[j++] = c;
+			i += 2;
+		} else {
+			((uint8_t *)ret.data)[j++] = str[i];
+		}
+	}
+	ret.length = j;
+	((uint8_t *)ret.data)[j] = 0;
+
+	return ret;
+}
+
+
+/*
+   encode a blob as a RFC2254 binary string, escaping any
+   non-printable or '\' characters
+*/
+char *ldb_binary_encode(void *mem_ctx, struct ldb_val val)
+{
+	int i;
+	char *ret;
+	int len = val.length;
+	unsigned char *buf = val.data;
+
+	for (i=0;i<val.length;i++) {
+		if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+			len += 2;
+		}
+	}
+	ret = talloc_array(mem_ctx, char, len+1);
+	if (ret == NULL) return NULL;
+
+	len = 0;
+	for (i=0;i<val.length;i++) {
+		if (!isprint(buf[i]) || strchr(" *()\\&|!\"", buf[i])) {
+			snprintf(ret+len, 4, "\\%02X", buf[i]);
+			len += 3;
+		} else {
+			ret[len++] = buf[i];
+		}
+	}
+
+	ret[len] = 0;
+
+	return ret;	
+}
+
+/*
+   encode a string as a RFC2254 binary string, escaping any
+   non-printable or '\' characters.  This routine is suitable for use
+   in escaping user data in ldap filters.
+*/
+char *ldb_binary_encode_string(void *mem_ctx, const char *string)
+{
+	struct ldb_val val;
+	val.data = discard_const_p(uint8_t, string);
+	val.length = strlen(string);
+	return ldb_binary_encode(mem_ctx, val);
+}
+
+/* find the first matching wildcard */
+static char *ldb_parse_find_wildcard(char *value)
+{
+	while (*value) {
+		value = strpbrk(value, "\\*");
+		if (value == NULL) return NULL;
+
+		if (value[0] == '\\') {
+			if (value[1] == '\0') return NULL;
+			value += 2;
+			continue;
+		}
+
+		if (value[0] == '*') return value;
+	}
+
+	return NULL;
+}
+
+/* return a NULL terminated list of binary strings representing the value
+   chunks separated by wildcards that makes the value portion of the filter
+*/
+static struct ldb_val **ldb_wildcard_decode(void *mem_ctx, const char *string)
+{
+	struct ldb_val **ret = NULL;
+	int val = 0;
+	char *wc, *str;
+
+	wc = talloc_strdup(mem_ctx, string);
+	if (wc == NULL) return NULL;
+
+	while (wc && *wc) {
+		str = wc;
+		wc = ldb_parse_find_wildcard(str);
+		if (wc && *wc) {
+			if (wc == str) {
+				wc++;
+				continue;
+			}
+			*wc = 0;
+			wc++;
+		}
+
+		ret = talloc_realloc(mem_ctx, ret, struct ldb_val *, val + 2);
+		if (ret == NULL) return NULL;
+
+		ret[val] = talloc(mem_ctx, struct ldb_val);
+		if (ret[val] == NULL) return NULL;
+
+		*(ret[val]) = ldb_binary_decode(mem_ctx, str);
+		if ((ret[val])->data == NULL) return NULL;
+
+		val++;
+	}
+
+	if (ret != NULL) {
+		ret[val] = NULL;
+	}
+
+	return ret;
+}
+
+static struct ldb_parse_tree *ldb_parse_filter(void *mem_ctx, const char **s);
+
+
+/*
+  parse an extended match
+
+  possible forms:
+        (attr:oid:=value)
+        (attr:dn:oid:=value)
+        (attr:dn:=value)
+        (:dn:oid:=value)
+
+  the ':dn' part sets the dnAttributes boolean if present
+  the oid sets the rule_id string
+  
+*/
+static struct ldb_parse_tree *ldb_parse_extended(struct ldb_parse_tree *ret, 
+						 char *attr, char *value)
+{
+	char *p1, *p2;
+
+	ret->operation = LDB_OP_EXTENDED;
+	ret->u.extended.value = ldb_binary_decode(ret, value);
+	if (ret->u.extended.value.data == NULL) goto failed;
+
+	p1 = strchr(attr, ':');
+	if (p1 == NULL) goto failed;
+	p2 = strchr(p1+1, ':');
+
+	*p1 = 0;
+	if (p2) *p2 = 0;
+
+	ret->u.extended.attr = attr;
+	if (strcmp(p1+1, "dn") == 0) {
+		ret->u.extended.dnAttributes = 1;
+		if (p2) {
+			ret->u.extended.rule_id = talloc_strdup(ret, p2+1);
+			if (ret->u.extended.rule_id == NULL) goto failed;
+		} else {
+			ret->u.extended.rule_id = NULL;
+		}
+	} else {
+		ret->u.extended.dnAttributes = 0;
+		ret->u.extended.rule_id = talloc_strdup(ret, p1+1);
+		if (ret->u.extended.rule_id == NULL) goto failed;
+	}
+
+	return ret;
+
+failed:
+	talloc_free(ret);
+	return NULL;
+}
+
+static enum ldb_parse_op ldb_parse_filtertype(void *mem_ctx, char **type, char **value, const char **s)
+{
+	enum ldb_parse_op filter = 0;
+	char *name, *val, *k;
+	const char *p = *s;
+	const char *t, *t1;
+
+	/* retrieve attributetype name */
+	t = p;
+
+	while ((isascii(*p) && isalnum((unsigned char)*p)) || (*p == '-')) { /* attribute names can only be alphanums */
+		p++;
+	}
+
+	if (*p == ':') { /* but extended searches have : and . chars too */
+		p = strstr(p, ":=");
+		if (p == NULL) { /* malformed attribute name */
+			return 0;
+		}
+	}
+
+	t1 = p;
+
+	while (isspace((unsigned char)*p)) p++;
+
+	if (!strchr("=<>~:", *p)) {
+		return 0;
+	}
+
+	/* save name */
+	name = (char *)talloc_memdup(mem_ctx, t, t1 - t + 1);
+	if (name == NULL) return 0;
+	name[t1 - t] = '\0';
+
+	/* retrieve filtertype */
+
+	if (*p == '=') {
+		filter = LDB_OP_EQUALITY;
+	} else if (*(p + 1) == '=') {
+		switch (*p) {
+		case '<':
+			filter = LDB_OP_LESS;
+			p++;
+			break;
+		case '>':
+			filter = LDB_OP_GREATER;
+			p++;
+			break;
+		case '~':
+			filter = LDB_OP_APPROX;
+			p++;
+			break;
+		case ':':
+			filter = LDB_OP_EXTENDED;
+			p++;
+			break;
+		}
+	}
+	if (!filter) {
+		talloc_free(name);
+		return filter;
+	}
+	p++;
+
+	while (isspace((unsigned char)*p)) p++;
+
+	/* retrieve value */
+	t = p;
+
+	while (*p && ((*p != ')') || ((*p == ')') && (*(p - 1) == '\\')))) p++;
+
+	val = (char *)talloc_memdup(mem_ctx, t, p - t + 1);
+	if (val == NULL) {
+		talloc_free(name);
+		return 0;
+	}
+	val[p - t] = '\0';
+
+	k = &(val[p - t]);
+
+	/* remove trailing spaces from value */
+	while ((k > val) && (isspace((unsigned char)*(k - 1)))) k--;
+	*k = '\0';
+
+	*type = name;
+	*value = val;
+	*s = p;
+	return filter;
+}
+
+/*
+  <simple> ::= <attributetype> <filtertype> <attributevalue>
+*/
+static struct ldb_parse_tree *ldb_parse_simple(void *mem_ctx, const char **s)
+{
+	char *attr, *value;
+	struct ldb_parse_tree *ret;
+	enum ldb_parse_op filtertype;
+
+	ret = talloc(mem_ctx, struct ldb_parse_tree);
+	if (!ret) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	filtertype = ldb_parse_filtertype(ret, &attr, &value, s);
+	if (!filtertype) {
+		talloc_free(ret);
+		return NULL;
+	}
+
+	switch (filtertype) {
+
+		case LDB_OP_PRESENT:
+			ret->operation = LDB_OP_PRESENT;
+			ret->u.present.attr = attr;
+			break;
+
+		case LDB_OP_EQUALITY:
+
+			if (strcmp(value, "*") == 0) {
+				ret->operation = LDB_OP_PRESENT;
+				ret->u.present.attr = attr;
+				break;
+			}
+
+			if (ldb_parse_find_wildcard(value) != NULL) {
+				ret->operation = LDB_OP_SUBSTRING;
+				ret->u.substring.attr = attr;
+				ret->u.substring.start_with_wildcard = 0;
+				ret->u.substring.end_with_wildcard = 0;
+				ret->u.substring.chunks = ldb_wildcard_decode(ret, value);
+				if (ret->u.substring.chunks == NULL){
+					talloc_free(ret);
+					return NULL;
+				}
+				if (value[0] == '*')
+					ret->u.substring.start_with_wildcard = 1;
+				if (value[strlen(value) - 1] == '*')
+					ret->u.substring.end_with_wildcard = 1;
+				talloc_free(value);
+
+				break;
+			}
+
+			ret->operation = LDB_OP_EQUALITY;
+			ret->u.equality.attr = attr;
+			ret->u.equality.value = ldb_binary_decode(ret, value);
+			if (ret->u.equality.value.data == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			talloc_free(value);
+			break;
+
+		case LDB_OP_GREATER:
+			ret->operation = LDB_OP_GREATER;
+			ret->u.comparison.attr = attr;
+			ret->u.comparison.value = ldb_binary_decode(ret, value);
+			if (ret->u.comparison.value.data == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			talloc_free(value);
+			break;
+
+		case LDB_OP_LESS:
+			ret->operation = LDB_OP_LESS;
+			ret->u.comparison.attr = attr;
+			ret->u.comparison.value = ldb_binary_decode(ret, value);
+			if (ret->u.comparison.value.data == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			talloc_free(value);
+			break;
+
+		case LDB_OP_APPROX:
+			ret->operation = LDB_OP_APPROX;
+			ret->u.comparison.attr = attr;
+			ret->u.comparison.value = ldb_binary_decode(ret, value);
+			if (ret->u.comparison.value.data == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			talloc_free(value);
+			break;
+
+		case LDB_OP_EXTENDED:
+
+			ret = ldb_parse_extended(ret, attr, value);
+			break;
+
+		default:
+			talloc_free(ret);
+			return NULL;
+	}
+
+	return ret;
+}
+
+
+/*
+  parse a filterlist
+  <and> ::= '&' <filterlist>
+  <or> ::= '|' <filterlist>
+  <filterlist> ::= <filter> | <filter> <filterlist>
+*/
+static struct ldb_parse_tree *ldb_parse_filterlist(void *mem_ctx, const char **s)
+{
+	struct ldb_parse_tree *ret, *next;
+	enum ldb_parse_op op;
+	const char *p = *s;
+
+	switch (*p) {
+		case '&':
+			op = LDB_OP_AND;
+			break;
+		case '|':
+			op = LDB_OP_OR;
+			break;
+		default:
+			return NULL;
+	}
+	p++;
+
+	while (isspace((unsigned char)*p)) p++;
+
+	ret = talloc(mem_ctx, struct ldb_parse_tree);
+	if (!ret) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	ret->operation = op;
+	ret->u.list.num_elements = 1;
+	ret->u.list.elements = talloc(ret, struct ldb_parse_tree *);
+	if (!ret->u.list.elements) {
+		errno = ENOMEM;
+		talloc_free(ret);
+		return NULL;
+	}
+
+	ret->u.list.elements[0] = ldb_parse_filter(ret->u.list.elements, &p);
+	if (!ret->u.list.elements[0]) {
+		talloc_free(ret);
+		return NULL;
+	}
+
+	while (isspace((unsigned char)*p)) p++;
+
+	while (*p && (next = ldb_parse_filter(ret->u.list.elements, &p))) {
+		struct ldb_parse_tree **e;
+		e = talloc_realloc(ret, ret->u.list.elements, 
+				     struct ldb_parse_tree *, 
+				     ret->u.list.num_elements + 1);
+		if (!e) {
+			errno = ENOMEM;
+			talloc_free(ret);
+			return NULL;
+		}
+		ret->u.list.elements = e;
+		ret->u.list.elements[ret->u.list.num_elements] = next;
+		ret->u.list.num_elements++;
+		while (isspace((unsigned char)*p)) p++;
+	}
+
+	*s = p;
+
+	return ret;
+}
+
+
+/*
+  <not> ::= '!' <filter>
+*/
+static struct ldb_parse_tree *ldb_parse_not(void *mem_ctx, const char **s)
+{
+	struct ldb_parse_tree *ret;
+	const char *p = *s;
+
+	if (*p != '!') {
+		return NULL;
+	}
+	p++;
+
+	ret = talloc(mem_ctx, struct ldb_parse_tree);
+	if (!ret) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	ret->operation = LDB_OP_NOT;
+	ret->u.isnot.child = ldb_parse_filter(ret, &p);
+	if (!ret->u.isnot.child) {
+		talloc_free(ret);
+		return NULL;
+	}
+
+	*s = p;
+
+	return ret;
+}
+
+/*
+  parse a filtercomp
+  <filtercomp> ::= <and> | <or> | <not> | <simple>
+*/
+static struct ldb_parse_tree *ldb_parse_filtercomp(void *mem_ctx, const char **s)
+{
+	struct ldb_parse_tree *ret;
+	const char *p = *s;
+
+	while (isspace((unsigned char)*p)) p++;
+
+	switch (*p) {
+	case '&':
+		ret = ldb_parse_filterlist(mem_ctx, &p);
+		break;
+
+	case '|':
+		ret = ldb_parse_filterlist(mem_ctx, &p);
+		break;
+
+	case '!':
+		ret = ldb_parse_not(mem_ctx, &p);
+		break;
+
+	case '(':
+	case ')':
+		return NULL;
+
+	default:
+		ret = ldb_parse_simple(mem_ctx, &p);
+
+	}
+
+	*s = p;
+	return ret;
+}
+
+
+/*
+  <filter> ::= '(' <filtercomp> ')'
+*/
+static struct ldb_parse_tree *ldb_parse_filter(void *mem_ctx, const char **s)
+{
+	struct ldb_parse_tree *ret;
+	const char *p = *s;
+
+	if (*p != '(') {
+		return NULL;
+	}
+	p++;
+
+	ret = ldb_parse_filtercomp(mem_ctx, &p);
+
+	if (*p != ')') {
+		return NULL;
+	}
+	p++;
+
+	while (isspace((unsigned char)*p)) {
+		p++;
+	}
+
+	*s = p;
+
+	return ret;
+}
+
+
+/*
+  main parser entry point. Takes a search string and returns a parse tree
+
+  expression ::= <simple> | <filter>
+*/
+struct ldb_parse_tree *ldb_parse_tree(void *mem_ctx, const char *s)
+{
+	if (s == NULL || *s == 0) {
+		s = "(|(objectClass=*)(distinguishedName=*))";
+	}
+
+	while (isspace((unsigned char)*s)) s++;
+
+	if (*s == '(') {
+		return ldb_parse_filter(mem_ctx, &s);
+	}
+
+	return ldb_parse_simple(mem_ctx, &s);
+}
+
+
+/*
+  construct a ldap parse filter given a parse tree
+*/
+char *ldb_filter_from_tree(void *mem_ctx, struct ldb_parse_tree *tree)
+{
+	char *s, *s2, *ret;
+	int i;
+
+	if (tree == NULL) {
+		return NULL;
+	}
+
+	switch (tree->operation) {
+	case LDB_OP_AND:
+	case LDB_OP_OR:
+		ret = talloc_asprintf(mem_ctx, "(%c", tree->operation==LDB_OP_AND?'&':'|');
+		if (ret == NULL) return NULL;
+		for (i=0;i<tree->u.list.num_elements;i++) {
+			s = ldb_filter_from_tree(mem_ctx, tree->u.list.elements[i]);
+			if (s == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			s2 = talloc_asprintf_append(ret, "%s", s);
+			talloc_free(s);
+			if (s2 == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			ret = s2;
+		}
+		s = talloc_asprintf_append(ret, ")");
+		if (s == NULL) {
+			talloc_free(ret);
+			return NULL;
+		}
+		return s;
+	case LDB_OP_NOT:
+		s = ldb_filter_from_tree(mem_ctx, tree->u.isnot.child);
+		if (s == NULL) return NULL;
+
+		ret = talloc_asprintf(mem_ctx, "(!%s)", s);
+		talloc_free(s);
+		return ret;
+	case LDB_OP_EQUALITY:
+		s = ldb_binary_encode(mem_ctx, tree->u.equality.value);
+		if (s == NULL) return NULL;
+		ret = talloc_asprintf(mem_ctx, "(%s=%s)", 
+				      tree->u.equality.attr, s);
+		talloc_free(s);
+		return ret;
+	case LDB_OP_SUBSTRING:
+		ret = talloc_asprintf(mem_ctx, "(%s=%s", tree->u.substring.attr,
+				      tree->u.substring.start_with_wildcard?"*":"");
+		if (ret == NULL) return NULL;
+		for (i = 0; tree->u.substring.chunks[i]; i++) {
+			s2 = ldb_binary_encode(mem_ctx, *(tree->u.substring.chunks[i]));
+			if (s2 == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			if (tree->u.substring.chunks[i+1] ||
+			    tree->u.substring.end_with_wildcard) {
+				s = talloc_asprintf_append(ret, "%s*", s2);
+			} else {
+				s = talloc_asprintf_append(ret, "%s", s2);
+			}
+			if (s == NULL) {
+				talloc_free(ret);
+				return NULL;
+			}
+			ret = s;
+		}
+		s = talloc_asprintf_append(ret, ")");
+		if (s == NULL) {
+			talloc_free(ret);
+			return NULL;
+		}
+		ret = s;
+		return ret;
+	case LDB_OP_GREATER:
+		s = ldb_binary_encode(mem_ctx, tree->u.equality.value);
+		if (s == NULL) return NULL;
+		ret = talloc_asprintf(mem_ctx, "(%s>=%s)", 
+				      tree->u.equality.attr, s);
+		talloc_free(s);
+		return ret;
+	case LDB_OP_LESS:
+		s = ldb_binary_encode(mem_ctx, tree->u.equality.value);
+		if (s == NULL) return NULL;
+		ret = talloc_asprintf(mem_ctx, "(%s<=%s)", 
+				      tree->u.equality.attr, s);
+		talloc_free(s);
+		return ret;
+	case LDB_OP_PRESENT:
+		ret = talloc_asprintf(mem_ctx, "(%s=*)", tree->u.present.attr);
+		return ret;
+	case LDB_OP_APPROX:
+		s = ldb_binary_encode(mem_ctx, tree->u.equality.value);
+		if (s == NULL) return NULL;
+		ret = talloc_asprintf(mem_ctx, "(%s~=%s)", 
+				      tree->u.equality.attr, s);
+		talloc_free(s);
+		return ret;
+	case LDB_OP_EXTENDED:
+		s = ldb_binary_encode(mem_ctx, tree->u.extended.value);
+		if (s == NULL) return NULL;
+		ret = talloc_asprintf(mem_ctx, "(%s%s%s%s:=%s)", 
+				      tree->u.extended.attr?tree->u.extended.attr:"", 
+				      tree->u.extended.dnAttributes?":dn":"",
+				      tree->u.extended.rule_id?":":"", 
+				      tree->u.extended.rule_id?tree->u.extended.rule_id:"", 
+				      s);
+		talloc_free(s);
+		return ret;
+	}
+	
+	return NULL;
+}
+
+
+/*
+  replace any occurances of an attribute name in the parse tree with a
+  new name
+*/
+void ldb_parse_tree_attr_replace(struct ldb_parse_tree *tree, 
+				 const char *attr, 
+				 const char *replace)
+{
+	int i;
+	switch (tree->operation) {
+	case LDB_OP_AND:
+	case LDB_OP_OR:
+		for (i=0;i<tree->u.list.num_elements;i++) {
+			ldb_parse_tree_attr_replace(tree->u.list.elements[i],
+						    attr, replace);
+		}
+		break;
+	case LDB_OP_NOT:
+		ldb_parse_tree_attr_replace(tree->u.isnot.child, attr, replace);
+		break;
+	case LDB_OP_EQUALITY:
+	case LDB_OP_GREATER:
+	case LDB_OP_LESS:
+	case LDB_OP_APPROX:
+		if (ldb_attr_cmp(tree->u.equality.attr, attr) == 0) {
+			tree->u.equality.attr = replace;
+		}
+		break;
+	case LDB_OP_SUBSTRING:
+		if (ldb_attr_cmp(tree->u.substring.attr, attr) == 0) {
+			tree->u.substring.attr = replace;
+		}
+		break;
+	case LDB_OP_PRESENT:
+		if (ldb_attr_cmp(tree->u.present.attr, attr) == 0) {
+			tree->u.present.attr = replace;
+		}
+		break;
+	case LDB_OP_EXTENDED:
+		if (tree->u.extended.attr &&
+		    ldb_attr_cmp(tree->u.extended.attr, attr) == 0) {
+			tree->u.extended.attr = replace;
+		}
+		break;
+	}
+}
diff --git a/source3/lib/ldb/common/ldb_utf8.c b/source3/lib/ldb/common/ldb_utf8.c
new file mode 100644
index 0000000000..c576453b27
--- /dev/null
+++ b/source3/lib/ldb/common/ldb_utf8.c
@@ -0,0 +1,148 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb utf8 handling
+ *
+ *  Description: case folding and case comparison for UTF8 strings
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "system/locale.h"
+
+
+/*
+  this allow the user to pass in a caseless comparison
+  function to handle utf8 caseless comparisons
+ */
+void ldb_set_utf8_fns(struct ldb_context *ldb,
+			void *context,
+			char *(*casefold)(void *, void *, const char *))
+{
+	if (context)
+		ldb->utf8_fns.context = context;
+	if (casefold)
+		ldb->utf8_fns.casefold = casefold;
+}
+
+/*
+  a simple case folding function
+  NOTE: does not handle UTF8
+*/
+char *ldb_casefold_default(void *context, void *mem_ctx, const char *s)
+{
+	int i;
+	char *ret = talloc_strdup(mem_ctx, s);
+	if (!s) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	for (i=0;ret[i];i++) {
+		ret[i] = toupper((unsigned char)ret[i]);
+	}
+	return ret;
+}
+
+void ldb_set_utf8_default(struct ldb_context *ldb)
+{
+	ldb_set_utf8_fns(ldb, NULL, ldb_casefold_default);
+}
+
+char *ldb_casefold(struct ldb_context *ldb, void *mem_ctx, const char *s)
+{
+	return ldb->utf8_fns.casefold(ldb->utf8_fns.context, mem_ctx, s);
+}
+
+/*
+  check the attribute name is valid according to rfc2251
+  returns 1 if the name is ok
+ */
+
+int ldb_valid_attr_name(const char *s)
+{
+	int i;
+
+	if (!s || !s[0])
+		return 0;
+
+	/* handle special ldb_tdb wildcard */
+	if (strcmp(s, "*") == 0) return 1;
+
+	for (i = 0; s[i]; i++) {
+		if (! isascii(s[i])) {
+			return 0;
+		}
+		if (i == 0) { /* first char must be an alpha (or our special '@' identifier) */
+			if (! (isalpha(s[i]) || (s[i] == '@'))) {
+				return 0;
+			}
+		} else {
+			if (! (isalnum(s[i]) || (s[i] == '-'))) {
+				return 0;
+			}
+		}
+	}
+	return 1;
+}
+
+/*
+  compare two attribute names
+  attribute names are restricted by rfc2251 so using
+  strcasecmp and toupper here is ok.
+  return 0 for match
+*/
+int ldb_attr_cmp(const char *attr1, const char *attr2)
+{
+	return strcasecmp(attr1, attr2);
+}
+
+char *ldb_attr_casefold(void *mem_ctx, const char *s)
+{
+	int i;
+	char *ret = talloc_strdup(mem_ctx, s);
+	if (!ret) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	for (i = 0; ret[i]; i++) {
+		ret[i] = toupper((unsigned char)ret[i]);
+	}
+	return ret;
+}
+
+/*
+  we accept either 'dn' or 'distinguishedName' for a distinguishedName
+*/
+int ldb_attr_dn(const char *attr)
+{
+	if (ldb_attr_cmp(attr, "dn") == 0 ||
+	    ldb_attr_cmp(attr, "distinguishedName") == 0) {
+		return 0;
+	}
+	return -1;
+}
diff --git a/source3/lib/ldb/common/qsort.c b/source3/lib/ldb/common/qsort.c
new file mode 100644
index 0000000000..79dd64128f
--- /dev/null
+++ b/source3/lib/ldb/common/qsort.c
@@ -0,0 +1,252 @@
+/* Copyright (C) 1991,1992,1996,1997,1999,2004 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+   Written by Douglas C. Schmidt (schmidt@ics.uci.edu).
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see <http://www.gnu.org/licenses/>. */
+
+/* If you consider tuning this algorithm, you should consult first:
+   Engineering a sort function; Jon Bentley and M. Douglas McIlroy;
+   Software - Practice and Experience; Vol. 23 (11), 1249-1265, 1993.  */
+
+/* Modified to be used in samba4 by
+ * Simo Sorce <idra@samba.org>		2005
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/* Byte-wise swap two items of size SIZE. */
+#define SWAP(a, b, size)						      \
+  do									      \
+    {									      \
+      register size_t __size = (size);					      \
+      register char *__a = (a), *__b = (b);				      \
+      do								      \
+	{								      \
+	  char __tmp = *__a;						      \
+	  *__a++ = *__b;						      \
+	  *__b++ = __tmp;						      \
+	} while (--__size > 0);						      \
+    } while (0)
+
+/* Discontinue quicksort algorithm when partition gets below this size.
+   This particular magic number was chosen to work best on a Sun 4/260. */
+#define MAX_THRESH 4
+
+/* Stack node declarations used to store unfulfilled partition obligations. */
+typedef struct
+  {
+    char *lo;
+    char *hi;
+  } stack_node;
+
+/* The next 4 #defines implement a very fast in-line stack abstraction. */
+/* The stack needs log (total_elements) entries (we could even subtract
+   log(MAX_THRESH)).  Since total_elements has type size_t, we get as
+   upper bound for log (total_elements):
+   bits per byte (CHAR_BIT) * sizeof(size_t).  */
+#ifndef CHAR_BIT
+#define CHAR_BIT 8
+#endif
+#define STACK_SIZE	(CHAR_BIT * sizeof(size_t))
+#define PUSH(low, high)	((void) ((top->lo = (low)), (top->hi = (high)), ++top))
+#define	POP(low, high)	((void) (--top, (low = top->lo), (high = top->hi)))
+#define	STACK_NOT_EMPTY	(stack < top)
+
+
+/* Order size using quicksort.  This implementation incorporates
+   four optimizations discussed in Sedgewick:
+
+   1. Non-recursive, using an explicit stack of pointer that store the
+      next array partition to sort.  To save time, this maximum amount
+      of space required to store an array of SIZE_MAX is allocated on the
+      stack.  Assuming a 32-bit (64 bit) integer for size_t, this needs
+      only 32 * sizeof(stack_node) == 256 bytes (for 64 bit: 1024 bytes).
+      Pretty cheap, actually.
+
+   2. Chose the pivot element using a median-of-three decision tree.
+      This reduces the probability of selecting a bad pivot value and
+      eliminates certain extraneous comparisons.
+
+   3. Only quicksorts TOTAL_ELEMS / MAX_THRESH partitions, leaving
+      insertion sort to order the MAX_THRESH items within each partition.
+      This is a big win, since insertion sort is faster for small, mostly
+      sorted array segments.
+
+   4. The larger of the two sub-partitions is always pushed onto the
+      stack first, with the algorithm then concentrating on the
+      smaller partition.  This *guarantees* no more than log (total_elems)
+      stack size is needed (actually O(1) in this case)!  */
+
+void ldb_qsort (void *const pbase, size_t total_elems, size_t size,
+		void *opaque, ldb_qsort_cmp_fn_t cmp)
+{
+  register char *base_ptr = (char *) pbase;
+
+  const size_t max_thresh = MAX_THRESH * size;
+
+  if (total_elems == 0)
+    /* Avoid lossage with unsigned arithmetic below.  */
+    return;
+
+  if (total_elems > MAX_THRESH)
+    {
+      char *lo = base_ptr;
+      char *hi = &lo[size * (total_elems - 1)];
+      stack_node stack[STACK_SIZE];
+      stack_node *top = stack;
+
+      PUSH (NULL, NULL);
+
+      while (STACK_NOT_EMPTY)
+        {
+          char *left_ptr;
+          char *right_ptr;
+
+	  /* Select median value from among LO, MID, and HI. Rearrange
+	     LO and HI so the three values are sorted. This lowers the
+	     probability of picking a pathological pivot value and
+	     skips a comparison for both the LEFT_PTR and RIGHT_PTR in
+	     the while loops. */
+
+	  char *mid = lo + size * ((hi - lo) / size >> 1);
+
+	  if ((*cmp) ((void *) mid, (void *) lo, opaque) < 0)
+	    SWAP (mid, lo, size);
+	  if ((*cmp) ((void *) hi, (void *) mid, opaque) < 0)
+	    SWAP (mid, hi, size);
+	  else
+	    goto jump_over;
+	  if ((*cmp) ((void *) mid, (void *) lo, opaque) < 0)
+	    SWAP (mid, lo, size);
+	jump_over:;
+
+	  left_ptr  = lo + size;
+	  right_ptr = hi - size;
+
+	  /* Here's the famous ``collapse the walls'' section of quicksort.
+	     Gotta like those tight inner loops!  They are the main reason
+	     that this algorithm runs much faster than others. */
+	  do
+	    {
+	      while ((*cmp) ((void *) left_ptr, (void *) mid, opaque) < 0)
+		left_ptr += size;
+
+	      while ((*cmp) ((void *) mid, (void *) right_ptr, opaque) < 0)
+		right_ptr -= size;
+
+	      if (left_ptr < right_ptr)
+		{
+		  SWAP (left_ptr, right_ptr, size);
+		  if (mid == left_ptr)
+		    mid = right_ptr;
+		  else if (mid == right_ptr)
+		    mid = left_ptr;
+		  left_ptr += size;
+		  right_ptr -= size;
+		}
+	      else if (left_ptr == right_ptr)
+		{
+		  left_ptr += size;
+		  right_ptr -= size;
+		  break;
+		}
+	    }
+	  while (left_ptr <= right_ptr);
+
+          /* Set up pointers for next iteration.  First determine whether
+             left and right partitions are below the threshold size.  If so,
+             ignore one or both.  Otherwise, push the larger partition's
+             bounds on the stack and continue sorting the smaller one. */
+
+          if ((size_t) (right_ptr - lo) <= max_thresh)
+            {
+              if ((size_t) (hi - left_ptr) <= max_thresh)
+		/* Ignore both small partitions. */
+                POP (lo, hi);
+              else
+		/* Ignore small left partition. */
+                lo = left_ptr;
+            }
+          else if ((size_t) (hi - left_ptr) <= max_thresh)
+	    /* Ignore small right partition. */
+            hi = right_ptr;
+          else if ((right_ptr - lo) > (hi - left_ptr))
+            {
+	      /* Push larger left partition indices. */
+              PUSH (lo, right_ptr);
+              lo = left_ptr;
+            }
+          else
+            {
+	      /* Push larger right partition indices. */
+              PUSH (left_ptr, hi);
+              hi = right_ptr;
+            }
+        }
+    }
+
+  /* Once the BASE_PTR array is partially sorted by quicksort the rest
+     is completely sorted using insertion sort, since this is efficient
+     for partitions below MAX_THRESH size. BASE_PTR points to the beginning
+     of the array to sort, and END_PTR points at the very last element in
+     the array (*not* one beyond it!). */
+
+#define min(x, y) ((x) < (y) ? (x) : (y))
+
+  {
+    char *const end_ptr = &base_ptr[size * (total_elems - 1)];
+    char *tmp_ptr = base_ptr;
+    char *thresh = min(end_ptr, base_ptr + max_thresh);
+    register char *run_ptr;
+
+    /* Find smallest element in first threshold and place it at the
+       array's beginning.  This is the smallest array element,
+       and the operation speeds up insertion sort's inner loop. */
+
+    for (run_ptr = tmp_ptr + size; run_ptr <= thresh; run_ptr += size)
+      if ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, opaque) < 0)
+        tmp_ptr = run_ptr;
+
+    if (tmp_ptr != base_ptr)
+      SWAP (tmp_ptr, base_ptr, size);
+
+    /* Insertion sort, running from left-hand-side up to right-hand-side.  */
+
+    run_ptr = base_ptr + size;
+    while ((run_ptr += size) <= end_ptr)
+      {
+	tmp_ptr = run_ptr - size;
+	while ((*cmp) ((void *) run_ptr, (void *) tmp_ptr, opaque) < 0)
+	  tmp_ptr -= size;
+
+	tmp_ptr += size;
+        if (tmp_ptr != run_ptr)
+          {
+            char *trav;
+
+	    trav = run_ptr + size;
+	    while (--trav >= run_ptr)
+              {
+                char c = *trav;
+                char *hi, *lo;
+
+                for (hi = lo = trav; (lo -= size) >= tmp_ptr; hi = lo)
+                  *hi = *lo;
+                *hi = c;
+              }
+          }
+      }
+  }
+}
diff --git a/source3/lib/ldb/config.guess b/source3/lib/ldb/config.guess
new file mode 100755
index 0000000000..354dbe175a
--- /dev/null
+++ b/source3/lib/ldb/config.guess
@@ -0,0 +1,1464 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-08-03'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+        echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit ;;
+    5000:UNIX_System_V:4.*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    x86:Interix*:[34]*)
+	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+	exit ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    cris:Linux:*:*)
+	echo cris-axis-linux-gnu
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit ;;
+    sh64*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#ifdef __INTEL_COMPILER
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && { echo i486-ncr-sysv4; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    *86) UNAME_PROCESSOR=i686 ;;
+	    unknown) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+        echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    c34*)
+	echo c34-convex-bsd
+	exit ;;
+    c38*)
+	echo c38-convex-bsd
+	exit ;;
+    c4*)
+	echo c4-convex-bsd
+	exit ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/ldb/config.mk b/source3/lib/ldb/config.mk
new file mode 100644
index 0000000000..cd80adf721
--- /dev/null
+++ b/source3/lib/ldb/config.mk
@@ -0,0 +1,315 @@
+################################################
+# Start MODULE ldb_asq
+[MODULE::ldb_asq]
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_asq_init
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/asq.o
+# End MODULE ldb_asq
+################################################
+
+################################################
+# Start MODULE ldb_server_sort
+[MODULE::ldb_server_sort]
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_sort_init
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/sort.o
+# End MODULE ldb_sort
+################################################
+
+################################################
+# Start MODULE ldb_paged_results
+[MODULE::ldb_paged_results]
+INIT_FUNCTION = ldb_paged_results_init
+PRIVATE_DEPENDENCIES = LIBTALLOC
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/paged_results.o
+# End MODULE ldb_paged_results
+################################################
+
+################################################
+# Start MODULE ldb_paged_results
+[MODULE::ldb_paged_searches]
+INIT_FUNCTION = ldb_paged_searches_init
+PRIVATE_DEPENDENCIES = LIBTALLOC
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/paged_searches.o
+# End MODULE ldb_paged_results
+################################################
+
+################################################
+# Start MODULE ldb_operational
+[MODULE::ldb_operational]
+SUBSYSTEM = ldb
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_operational_init
+OBJ_FILES = \
+		modules/operational.o
+# End MODULE ldb_operational
+################################################
+
+################################################
+# Start MODULE ldb_objectclass
+[MODULE::ldb_objectclass]
+INIT_FUNCTION = ldb_objectclass_init
+PRIVATE_DEPENDENCIES = LIBTALLOC
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/objectclass.o
+# End MODULE ldb_objectclass
+################################################
+
+################################################
+# Start MODULE ldb_rdn_name
+[MODULE::ldb_rdn_name]
+SUBSYSTEM = ldb
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_rdn_name_init
+OBJ_FILES = \
+		modules/rdn_name.o
+# End MODULE ldb_rdn_name
+################################################
+
+################################################
+# Start MODULE ldb_ildap
+[MODULE::ldb_ildap]
+SUBSYSTEM = ldb
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_ildap_init
+ALIASES = ldapi ldaps ldap
+OBJ_FILES = \
+		ldb_ildap/ldb_ildap.o
+PUBLIC_DEPENDENCIES = \
+		LIBCLI_LDAP
+# End MODULE ldb_ildap
+################################################
+
+################################################
+# Start MODULE ldb_map
+[MODULE::ldb_map]
+PRIVATE_DEPENDENCIES = LIBTALLOC
+SUBSYSTEM = ldb
+OBJ_FILES = \
+		modules/ldb_map_inbound.o \
+		modules/ldb_map_outbound.o \
+		modules/ldb_map.o
+# End MODULE ldb_map
+################################################
+
+################################################
+# Start MODULE ldb_skel
+[MODULE::ldb_skel]
+SUBSYSTEM = ldb
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_skel_init
+OBJ_FILES = modules/skel.o
+# End MODULE ldb_skel
+################################################
+
+################################################
+# Start MODULE ldb_sqlite3
+[MODULE::ldb_sqlite3]
+SUBSYSTEM = ldb
+PRIVATE_DEPENDENCIES = LIBTALLOC
+INIT_FUNCTION = ldb_sqlite3_init
+OBJ_FILES = \
+		ldb_sqlite3/ldb_sqlite3.o
+PUBLIC_DEPENDENCIES = \
+		SQLITE3 LIBTALLOC
+# End MODULE ldb_sqlite3
+################################################
+
+################################################
+# Start MODULE ldb_tdb
+[MODULE::ldb_tdb]
+SUBSYSTEM = ldb
+INIT_FUNCTION = ldb_tdb_init
+OBJ_FILES = \
+		ldb_tdb/ldb_tdb.o \
+		ldb_tdb/ldb_search.o \
+		ldb_tdb/ldb_pack.o \
+		ldb_tdb/ldb_index.o \
+		ldb_tdb/ldb_cache.o \
+		ldb_tdb/ldb_tdb_wrap.o
+PUBLIC_DEPENDENCIES = \
+		LIBTDB LIBTALLOC
+# End MODULE ldb_tdb
+################################################
+
+./lib/ldb/common/ldb_modules.o: lib/ldb/common/ldb_modules.c Makefile
+	@echo Compiling $<
+	@$(CC) -Iinclude $(CFLAGS) -Ilib/replace -Ilib/talloc -Ilib/ldb $(PICFLAG) -DLDBMODULESDIR=\"$(MODULESDIR)/ldb\" -DSHLIBEXT=\"$(SHLIBEXT)\" -c $< -o $@
+
+################################################
+# Start SUBSYSTEM ldb
+[LIBRARY::ldb]
+VERSION = 0.0.1
+SO_VERSION = 0
+DESCRIPTION = LDAP-like embedded database library
+INIT_FUNCTION_TYPE = int (*) (void)
+OBJ_FILES = \
+		common/ldb.o \
+		common/ldb_ldif.o \
+		common/ldb_parse.o \
+		common/ldb_msg.o \
+		common/ldb_utf8.o \
+		common/ldb_debug.o \
+		common/ldb_modules.o \
+		common/ldb_match.o \
+		common/ldb_attributes.o \
+		common/attrib_handlers.o \
+		common/ldb_dn.o \
+		common/ldb_controls.o \
+		common/qsort.o
+PUBLIC_DEPENDENCIES = \
+		LIBTALLOC \
+		DYNCONFIG \
+																		SOCKET_WRAPPER
+MANPAGE = man/ldb.3
+PUBLIC_HEADERS = include/ldb.h include/ldb_errors.h
+#
+# End SUBSYSTEM ldb
+################################################
+
+################################################
+# Start SUBSYSTEM LDBSAMBA
+[SUBSYSTEM::LDBSAMBA]
+PRIVATE_DEPENDENCIES = ldb
+PRIVATE_PROTO_HEADER = samba/ldif_handlers.h
+PUBLIC_DEPENDENCIES = LIBSECURITY SAMDB
+OBJ_FILES = \
+		samba/ldif_handlers.o
+# End SUBSYSTEM LDBSAMBA
+################################################
+
+################################################
+# Start SUBSYSTEM LIBLDB_CMDLINE
+[SUBSYSTEM::LIBLDB_CMDLINE]
+OBJ_FILES= \
+		tools/cmdline.o
+PUBLIC_DEPENDENCIES = ldb LIBSAMBA-UTIL LIBPOPT POPT_SAMBA POPT_CREDENTIALS
+PRIVATE_DEPENDENCIES = gensec 
+# End SUBSYSTEM LIBLDB_CMDLINE
+################################################
+
+################################################
+# Start BINARY ldbadd
+[BINARY::ldbadd]
+INSTALLDIR = BINDIR
+OBJ_FILES = \
+		tools/ldbadd.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE LIBCLI_RESOLVE
+MANPAGE = man/ldbadd.1
+# End BINARY ldbadd
+################################################
+
+################################################
+# Start BINARY ldbdel
+[BINARY::ldbdel]
+INSTALLDIR = BINDIR
+OBJ_FILES= \
+		tools/ldbdel.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+MANPAGE = man/ldbdel.1
+# End BINARY ldbdel
+################################################
+
+################################################
+# Start BINARY ldbmodify
+[BINARY::ldbmodify]
+INSTALLDIR = BINDIR
+OBJ_FILES= \
+		tools/ldbmodify.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+MANPAGE = man/ldbmodify.1
+# End BINARY ldbmodify
+################################################
+
+################################################
+# Start BINARY ldbsearch
+[BINARY::ldbsearch]
+INSTALLDIR = BINDIR
+OBJ_FILES= \
+		tools/ldbsearch.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE 
+MANPAGE = man/ldbsearch.1
+# End BINARY ldbsearch
+################################################
+
+################################################
+# Start BINARY ldbedit
+[BINARY::ldbedit]
+INSTALLDIR = BINDIR
+OBJ_FILES= \
+		tools/ldbedit.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+MANPAGE = man/ldbedit.1
+# End BINARY ldbedit
+################################################
+
+################################################
+# Start BINARY ldbrename
+[BINARY::ldbrename]
+INSTALLDIR = BINDIR
+OBJ_FILES= \
+		tools/ldbrename.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+MANPAGE = man/ldbrename.1
+# End BINARY ldbrename
+################################################
+
+################################################
+# Start BINARY ldbtest
+[BINARY::ldbtest]
+OBJ_FILES= \
+		tools/ldbtest.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+# End BINARY ldbtest
+################################################
+
+################################################
+# Start BINARY oLschema2ldif
+[BINARY::oLschema2ldif]
+INSTALLDIR = BINDIR
+MANPAGE = man/oLschema2ldif.1
+OBJ_FILES= \
+		tools/convert.o \
+		tools/oLschema2ldif.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+# End BINARY oLschema2ldif
+################################################
+
+################################################
+# Start BINARY  ad2oLschema
+[BINARY::ad2oLschema]
+INSTALLDIR = BINDIR
+MANPAGE = man/ad2oLschema.1
+OBJ_FILES= \
+		tools/convert.o \
+		tools/ad2oLschema.o
+PRIVATE_DEPENDENCIES = \
+		LIBLDB_CMDLINE
+# End BINARY ad2oLschema
+################################################
+
+#######################
+# Start LIBRARY swig_ldb
+[LIBRARY::swig_ldb]
+PUBLIC_DEPENDENCIES = ldb DYNCONFIG
+LIBRARY_REALNAME = swig/_ldb.$(SHLIBEXT)
+OBJ_FILES = swig/ldb_wrap.o
+# End LIBRARY swig_ldb
+#######################
diff --git a/source3/lib/ldb/config.sub b/source3/lib/ldb/config.sub
new file mode 100755
index 0000000000..23cd6fd75c
--- /dev/null
+++ b/source3/lib/ldb/config.sub
@@ -0,0 +1,1577 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-07-08'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| bfin \
+	| c4x | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| ms1 \
+	| msp430 \
+	| ns16k | ns32k \
+	| or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b \
+	| strongarm \
+	| tahoe | thumb | tic4x | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m32c)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| ms1-* \
+	| msp430-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	m32c-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+    	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16c)
+		basic_machine=cr16c-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+        -os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+        -tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+    c4x-* | tic4x-*)
+        os=-coff
+        ;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+    	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/ldb/configure.ac b/source3/lib/ldb/configure.ac
new file mode 100644
index 0000000000..e1e9d49cee
--- /dev/null
+++ b/source3/lib/ldb/configure.ac
@@ -0,0 +1,74 @@
+AC_PREREQ(2.50)
+AC_DEFUN([AC_CHECK_LIB_EXT], [
+	AC_CHECK_LIB([$1],[$3],[$4],[$5],[$7])
+	ac_cv_lib_ext_$1_$3=$ac_cv_lib_$1_$3
+])
+AC_DEFUN([AC_CHECK_FUNC_EXT], [
+	AC_CHECK_FUNC([$1],[$3],[$4])
+	ac_cv_func_ext_$1=$ac_cv_func_$1
+])
+AC_DEFUN([SMB_MODULE_DEFAULT], [echo -n ""])
+AC_DEFUN([SMB_LIBRARY_ENABLE], [echo -n ""])
+AC_DEFUN([SMB_EXT_LIB], [echo -n ""])
+AC_DEFUN([SMB_ENABLE], [echo -n ""])
+AC_INIT(include/ldb.h)
+AC_CONFIG_SRCDIR([common/ldb.c])
+
+AC_LIBREPLACE_ALL_CHECKS
+
+if test "$ac_cv_prog_gcc" = yes; then
+   CFLAGS="$CFLAGS -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings"
+fi
+
+WITH_GCOV=0
+AC_ARG_ENABLE(gcov,
+	AS_HELP_STRING([--enable-gcov],[enable GCOV code coverage tests]),
+	[ WITH_GCOV=1])
+AC_SUBST(WITH_GCOV)
+if test x"$with_gcov_support" = x"yes"; then
+   CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs"
+   LIBS="$LIBS -lgcov"
+fi
+
+AC_PATH_PROG(XSLTPROC,xsltproc)
+AC_PATH_PROG(DOXYGEN,doxygen)
+AC_PATH_PROG(GCOV,gcov)
+AC_PATH_PROG(SLAPD,slapd)
+AC_CHECK_HEADERS(stdint.h dlfcn.h)
+AC_CONFIG_HEADER(include/config.h)
+AC_SEARCH_LIBS(dlopen, dl, AC_DEFINE(HAVE_DLOPEN, [1], [have dlopen]))
+
+SHLIBEXT="so" # Should be set based on OS later on
+AC_SUBST(SHLIBEXT)
+
+AC_DEFINE_UNQUOTED(MODULESDIR, LIBDIR "/ldb" , [Modules directory] )
+AC_SUBST(MODULESDIR)
+
+TESTS=""
+EXTRA_OBJ=""
+
+m4_include(libpopt.m4)
+m4_include(libtalloc.m4)
+m4_include(libtdb.m4)
+
+m4_include(ldap.m4)
+if test x"$with_ldap_support" = x"yes"; then
+   LIBS="$LIBS -llber -lldap"
+   CFLAGS="$CFLAGS -DHAVE_LDB_LDAP=1"
+   EXTRA_OBJ="$EXTRA_OBJ ldb_ldap/ldb_ldap.o"
+   TESTS="$TESTS test-ldap.sh"
+fi
+
+m4_include(sqlite3.m4)
+if test x"$with_sqlite3_support" = x"yes"; then
+   LIBS="$LIBS -lsqlite3"
+   CFLAGS="$CFLAGS -DHAVE_LDB_SQLITE3=1"
+   EXTRA_OBJ="$EXTRA_OBJ ldb_sqlite3/ldb_sqlite3.o"
+   TESTS="$TESTS test-sqlite3.sh"
+fi
+
+AC_SUBST(TESTS)
+AC_SUBST(EXTRA_OBJ)
+
+m4_include(libldb.m4)
+AC_OUTPUT(Makefile ldb.pc)
diff --git a/source3/lib/ldb/docs/builddocs.sh b/source3/lib/ldb/docs/builddocs.sh
new file mode 100755
index 0000000000..449dcb2681
--- /dev/null
+++ b/source3/lib/ldb/docs/builddocs.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+# build ldb docs
+# tridge@samba.org August 2006
+
+XSLTPROC="$1"
+SRCDIR="$2"
+
+if [ -z "$XSLTPROC" ] || [ ! -x "$XSLTPROC" ]; then
+    echo "xsltproc not installed"
+    exit 0
+fi
+
+MANXSL="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"
+HTMLXSL="http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl"
+
+mkdir -p man
+
+for f in $SRCDIR/man/*.xml; do
+    base=`basename $f .xml`
+    out=man/"`basename $base`"
+    if [ ! -f "$out" ] || [ "$f" -nt "$out" ]; then
+	echo Processing manpage $f
+	$XSLTPROC --nonet -o "$out" "$MANXSL" $f
+	ret=$?
+	if [ "$ret" = "4" ]; then
+	    echo "ignoring stylesheet error 4 for $MANXSL"
+	    exit 0
+	fi
+	if [ "$ret" != "0" ]; then
+	    echo "xsltproc failed with error $ret"
+	    exit $ret
+	fi
+    fi
+done
+
+for f in $SRCDIR/man/*.xml; do
+    base=`basename $f .xml`
+    out=man/"`basename $base`".html
+    if [ ! -f "$out" ] || [ "$f" -nt "$out" ]; then
+	echo Processing html $f
+	$XSLTPROC --nonet -o "$out" "$HTMLXSL" $f
+	ret=$?
+	if [ "$ret" = "4" ]; then
+	    echo "ignoring stylesheet error 4 for $HTMLXSL"
+	    exit 0
+	fi
+	if [ "$ret" != "0" ]; then
+	    echo "xsltproc failed with error $ret"
+	    exit $ret
+	fi
+    fi
+done
diff --git a/source3/lib/ldb/docs/design.txt b/source3/lib/ldb/docs/design.txt
new file mode 100644
index 0000000000..0bb278b5b4
--- /dev/null
+++ b/source3/lib/ldb/docs/design.txt
@@ -0,0 +1,41 @@
+The list of indexed fields
+--------------------------
+
+dn=@INDEXLIST
+	list of field names that are indexed
+
+	contains fields of type @IDXATTR which contain attriute names
+	of indexed fields
+
+
+Data records
+------------
+
+for each user record in the db there is:
+    main record
+	 key: DN=dn
+	 data: packed attribute/value list
+
+    a index record for each indexed field in the record
+
+
+Index Records
+-------------
+
+The index records contain the list of dn's that contain records
+matching the index key
+
+All index records are of the form:
+      dn=@INDEX:field:value
+
+and contain fields of type @IDX which are the dns of the records
+that have that value for some attribute
+
+
+Search Expressions
+------------------
+
+Very similar to LDAP search expressions, but does not allow ~=, <= or >=
+
+	attrib0 := (field=value)
+	attrib := attrib0 | (attrib&&attrib) | (attrib||attrib) | !attrib
diff --git a/source3/lib/ldb/docs/installdocs.sh b/source3/lib/ldb/docs/installdocs.sh
new file mode 100755
index 0000000000..6cc7b74ad5
--- /dev/null
+++ b/source3/lib/ldb/docs/installdocs.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# install ldb docs
+# tridge@samba.org August 2006
+
+MANDIR="$1"
+
+MAN1="`/bin/ls man/*.1`"
+MAN3="`/bin/ls man/*.3`"
+
+if [ -z "$MAN1" ] && [ -z "$MAN3" ]; then
+    echo "No manpages have been built"
+    exit 0
+fi
+
+mkdir -p "$MANDIR/man1" "$MANDIR/man3" 
+cp $MAN1 "$MANDIR/man1/" || exit 1
+cp $MAN3 "$MANDIR/man3/" || exit 1
diff --git a/source3/lib/ldb/examples.dox b/source3/lib/ldb/examples.dox
new file mode 100644
index 0000000000..ef4b4f0a40
--- /dev/null
+++ b/source3/lib/ldb/examples.dox
@@ -0,0 +1,16 @@
+/** \example ldbreader.c
+
+The code below shows a simple LDB application.
+
+It lists / dumps the records in a LDB database to standard output.
+
+*/
+
+
+/** \example ldifreader.c
+
+The code below shows a simple LDB application.
+
+It lists / dumps the entries in an LDIF file to standard output.
+
+*/
diff --git a/source3/lib/ldb/examples/ldbreader.c b/source3/lib/ldb/examples/ldbreader.c
new file mode 100644
index 0000000000..baf0e9ab65
--- /dev/null
+++ b/source3/lib/ldb/examples/ldbreader.c
@@ -0,0 +1,123 @@
+/* 
+   example code for the ldb database library
+
+   Copyright (C) Brad Hards (bradh@frogmouth.net) 2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/** \example ldbreader.c
+
+The code below shows a simple LDB application.
+
+It lists / dumps the records in a LDB database to standard output.
+
+*/
+
+#include "includes.h"
+#include "ldb/include/ldb.h"
+#include "ldb/include/ldb_errors.h"
+
+/*
+  ldb_ldif_write takes a function pointer to a custom output
+  function. This version is about as simple as the output function can
+  be. In a more complex example, you'd likely be doing something with
+  the private data function (e.g. holding a file handle).
+*/
+static int vprintf_fn(void *private_data, const char *fmt, ...)
+{
+	int retval;
+	va_list ap;
+
+	va_start(ap, fmt);
+	/* We just write to standard output */
+	retval = vprintf(fmt, ap);
+	va_end(ap);
+	/* Note that the function should return the number of 
+	   bytes written, or a negative error code */
+	return retval;
+}
+  
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	const char *expression = "(dn=*)";
+	struct ldb_result *resultMsg;
+	int i;
+
+	/*
+	  This is the always the first thing you want to do in an LDB
+	  application - initialise up the context structure.
+
+	  Note that you can use the context structure as a parent
+	  for talloc allocations as well
+	*/
+	ldb = ldb_init(NULL);
+
+	/*
+	  We now open the database. In this example we just hard code the connection path.
+
+	  Also note that the database is being opened read-only. This means that the 
+	  call will fail unless the database already exists. 
+	*/
+	if (LDB_SUCCESS != ldb_connect(ldb, "tdb://tdbtest.ldb", LDB_FLG_RDONLY, NULL) ){
+		printf("Problem on connection\n");
+		exit(-1);
+	}
+
+	/*
+	  At this stage we have an open database, and can start using it. It is opened
+	  read-only, so a query is possible. 
+
+	  We construct a search that just returns all the (sensible) contents. You can do
+	  quite fine grained results with the LDAP search syntax, however it is a bit
+	  confusing to start with. See RFC2254.
+	*/
+	if (LDB_SUCCESS != ldb_search(ldb, NULL, LDB_SCOPE_DEFAULT,
+				      expression, NULL, &resultMsg) ) {
+		printf("Problem in search\n");
+		exit(-1);
+	}
+	
+	printf("%i records returned\n", resultMsg->count);
+
+	/*
+	  We can now iterate through the results, writing them out
+	  (to standard output) with our custom output routine as defined
+	  at the top of this file
+	*/
+	for (i = 0; i < resultMsg->count; ++i) {
+		struct ldb_ldif ldifMsg;
+
+		printf("Message: %i\n", i+1);
+		
+		ldifMsg.changetype = LDB_CHANGETYPE_NONE;
+		ldifMsg.msg = resultMsg->msgs[i];
+		ldb_ldif_write(ldb, vprintf_fn, NULL, &ldifMsg);
+	}
+
+	/*
+	  There are two objects to clean up - the result from the 
+	  ldb_search() query, and the original ldb context.
+	*/
+	talloc_free(resultMsg);
+
+	talloc_free(ldb);
+
+	return 0;
+}
diff --git a/source3/lib/ldb/examples/ldifreader.c b/source3/lib/ldb/examples/ldifreader.c
new file mode 100644
index 0000000000..0c7e876465
--- /dev/null
+++ b/source3/lib/ldb/examples/ldifreader.c
@@ -0,0 +1,127 @@
+/* 
+   example code for the ldb database library
+
+   Copyright (C) Brad Hards (bradh@frogmouth.net) 2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/** \example ldifreader.c
+
+The code below shows a simple LDB application.
+
+It lists / dumps the entries in an LDIF file to standard output.
+
+*/
+
+#include "includes.h"
+#include "ldb/include/ldb.h"
+#include "ldb/include/ldb_errors.h"
+
+/*
+  ldb_ldif_write takes a function pointer to a custom output
+  function. This version is about as simple as the output function can
+  be. In a more complex example, you'd likely be doing something with
+  the private data function (e.g. holding a file handle).
+*/
+static int vprintf_fn(void *private_data, const char *fmt, ...)
+{
+	int retval;
+	va_list ap;
+
+	va_start(ap, fmt);
+	/* We just write to standard output */
+	retval = vprintf(fmt, ap);
+	va_end(ap);
+	/* Note that the function should return the number of 
+	   bytes written, or a negative error code */
+	return retval;
+}
+  
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	FILE *fileStream;
+	struct ldb_ldif *ldifMsg;
+
+	if (argc != 2) {
+		printf("Usage %s filename.ldif\n", argv[0]);
+		exit(1);
+	}
+
+	/*
+	  This is the always the first thing you want to do in an LDB
+	  application - initialise up the context structure.
+
+	  Note that you can use the context structure as a parent
+	  for talloc allocations as well
+	*/
+	ldb = ldb_init(NULL);
+
+	fileStream = fopen(argv[1], "r");
+	if (0 == fileStream) {
+		perror(argv[1]);
+		exit(1);
+	}
+
+	/*
+	  We now work through the filestream to get each entry.
+	*/
+	while ( (ldifMsg = ldb_ldif_read_file(ldb, fileStream)) ) {
+		/*
+		  Each message has a particular change type. For Add,
+		  Modify and Delete, this will also appear in the
+		  output listing (as changetype: add, changetype:
+		  modify or changetype:delete, respectively).
+		*/
+		switch (ldifMsg->changetype) {
+		case LDB_CHANGETYPE_NONE:
+			printf("ChangeType: None\n");
+			break;
+		case LDB_CHANGETYPE_ADD:
+			printf("ChangeType: Add\n");
+			break;
+		case LDB_CHANGETYPE_MODIFY:
+			printf("ChangeType: Modify\n");
+			break;
+		case LDB_CHANGETYPE_DELETE:
+			printf("ChangeType: Delete\n");
+			break;
+		default:
+			printf("ChangeType: Unknown\n");
+		}
+
+		/*
+		  We can now write out the results, using our custom
+		  output routine as defined at the top of this file. 
+		*/
+		ldb_ldif_write(ldb, vprintf_fn, NULL, ldifMsg);
+
+		/*
+		  Clean up the message
+		*/
+		ldb_ldif_read_free(ldb, ldifMsg);
+	}
+
+	/*
+	  Clean up the context
+	*/
+	talloc_free(ldb);
+
+	return 0;
+}
diff --git a/source3/lib/ldb/include/dlinklist.h b/source3/lib/ldb/include/dlinklist.h
new file mode 100644
index 0000000000..d3252751db
--- /dev/null
+++ b/source3/lib/ldb/include/dlinklist.h
@@ -0,0 +1,110 @@
+/* 
+   Unix SMB/CIFS implementation.
+   some simple double linked list macros
+   Copyright (C) Andrew Tridgell 1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* To use these macros you must have a structure containing a next and
+   prev pointer */
+
+
+/* hook into the front of the list */
+#define DLIST_ADD(list, p) \
+do { \
+        if (!(list)) { \
+		(list) = (p); \
+		(p)->next = (p)->prev = NULL; \
+	} else { \
+		(list)->prev = (p); \
+		(p)->next = (list); \
+		(p)->prev = NULL; \
+		(list) = (p); \
+	}\
+} while (0)
+
+/* remove an element from a list - element doesn't have to be in list. */
+#ifndef DLIST_REMOVE
+#define DLIST_REMOVE(list, p) \
+do { \
+	if ((p) == (list)) { \
+		(list) = (p)->next; \
+		if (list) (list)->prev = NULL; \
+	} else { \
+		if ((p)->prev) (p)->prev->next = (p)->next; \
+		if ((p)->next) (p)->next->prev = (p)->prev; \
+	} \
+	if ((p) && ((p) != (list))) (p)->next = (p)->prev = NULL; \
+} while (0)
+#endif
+
+/* promote an element to the top of the list */
+#define DLIST_PROMOTE(list, p) \
+do { \
+          DLIST_REMOVE(list, p); \
+          DLIST_ADD(list, p); \
+} while (0)
+
+/* hook into the end of the list - needs a tmp pointer */
+#define DLIST_ADD_END(list, p, type) \
+do { \
+		if (!(list)) { \
+			(list) = (p); \
+			(p)->next = (p)->prev = NULL; \
+		} else { \
+			type tmp; \
+			for (tmp = (list); tmp->next; tmp = tmp->next) ; \
+			tmp->next = (p); \
+			(p)->next = NULL; \
+			(p)->prev = tmp; \
+		} \
+} while (0)
+
+/* insert 'p' after the given element 'el' in a list. If el is NULL then
+   this is the same as a DLIST_ADD() */
+#define DLIST_ADD_AFTER(list, p, el) \
+do { \
+        if (!(list) || !(el)) { \
+		DLIST_ADD(list, p); \
+	} else { \
+		p->prev = el; \
+		p->next = el->next; \
+		el->next = p; \
+		if (p->next) p->next->prev = p; \
+	}\
+} while (0)
+
+/* demote an element to the end of the list, needs a tmp pointer */
+#define DLIST_DEMOTE(list, p, tmp) \
+do { \
+		DLIST_REMOVE(list, p); \
+		DLIST_ADD_END(list, p, tmp); \
+} while (0)
+
+/* concatenate two lists - putting all elements of the 2nd list at the
+   end of the first list */
+#define DLIST_CONCATENATE(list1, list2, type) \
+do { \
+		if (!(list1)) { \
+			(list1) = (list2); \
+		} else { \
+			type tmp; \
+			for (tmp = (list1); tmp->next; tmp = tmp->next) ; \
+			tmp->next = (list2); \
+			if (list2) { \
+				(list2)->prev = tmp;	\
+			} \
+		} \
+} while (0)
diff --git a/source3/lib/ldb/include/includes.h b/source3/lib/ldb/include/includes.h
new file mode 100644
index 0000000000..e2bcca2b04
--- /dev/null
+++ b/source3/lib/ldb/include/includes.h
@@ -0,0 +1,29 @@
+#ifndef _LDB_PRIVATE_INCLUDES_H_
+#define _LDB_PRIVATE_INCLUDES_H_
+/*
+  a temporary includes file until I work on the ldb build system
+*/
+
+#if (_SAMBA_BUILD_ >= 4)
+/* tell ldb we have the internal ldap code */
+#define HAVE_ILDAP 1
+#endif
+
+#if (_SAMBA_BUILD_ <= 3)
+/* allow forbidden string functions - should be replaced with _m functions */
+#undef strcasecmp
+#undef strncasecmp
+#define dyn_MODULESDIR dyn_LIBDIR
+#endif
+
+#include "replace.h"
+#include "system/filesys.h"
+#include "system/network.h"
+#include "system/time.h"
+#include "talloc.h"
+#include "ldb.h"
+#include "ldb_errors.h"
+#include "ldb_private.h"
+#include "dlinklist.h"
+
+#endif /*_LDB_PRIVATE_INCLUDES_H_*/
diff --git a/source3/lib/ldb/include/ldb.h b/source3/lib/ldb/include/ldb.h
new file mode 100644
index 0000000000..0a745742d9
--- /dev/null
+++ b/source3/lib/ldb/include/ldb.h
@@ -0,0 +1,1560 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+   Copyright (C) Stefan Metzmacher  2004
+   Copyright (C) Simo Sorce  2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb header
+ *
+ *  Description: defines for base ldb API
+ *
+ *  Author: Andrew Tridgell
+ *  Author: Stefan Metzmacher
+ */
+
+/**
+   \file ldb.h Samba's ldb database
+
+   This header file provides the main API for ldb.
+*/
+
+#ifndef _LDB_H_
+
+/*! \cond DOXYGEN_IGNORE */
+#define _LDB_H_ 1
+/*! \endcond */
+
+/*
+  major restrictions as compared to normal LDAP:
+
+     - no async calls.
+     - each record must have a unique key field
+     - the key must be representable as a NULL terminated C string and may not 
+       contain a comma or braces
+
+  major restrictions as compared to tdb:
+
+     - no explicit locking calls
+     UPDATE: we have transactions now, better than locking --SSS.
+
+*/
+
+#ifndef ldb_val
+/**
+   Result value
+
+   An individual lump of data in a result comes in this format. The
+   pointer will usually be to a UTF-8 string if the application is
+   sensible, but it can be to anything you like, including binary data
+   blobs of arbitrary size.
+
+   \note the data is null (0x00) terminated, but the length does not
+   include the terminator. 
+*/
+struct ldb_val {
+	uint8_t *data; /*!< result data */
+	size_t length; /*!< length of data */
+};
+#endif
+
+/*! \cond DOXYGEN_IGNORE */
+#ifndef PRINTF_ATTRIBUTE
+#define PRINTF_ATTRIBUTE(a,b)
+#endif
+/*! \endcond */
+
+/* opaque ldb_dn structures, see ldb_dn.c for internals */
+struct ldb_dn_component;
+struct ldb_dn;
+
+/**
+ There are a number of flags that are used with ldap_modify() in
+ ldb_message_element.flags fields. The LDA_FLAGS_MOD_ADD,
+ LDA_FLAGS_MOD_DELETE and LDA_FLAGS_MOD_REPLACE flags are used in
+ ldap_modify() calls to specify whether attributes are being added,
+ deleted or modified respectively.
+*/
+#define LDB_FLAG_MOD_MASK  0x3
+
+/**
+   Flag value used in ldap_modify() to indicate that attributes are
+   being added.
+
+   \sa LDB_FLAG_MOD_MASK
+*/
+#define LDB_FLAG_MOD_ADD     1
+
+/**
+   Flag value used in ldap_modify() to indicate that attributes are
+   being replaced.
+
+   \sa LDB_FLAG_MOD_MASK
+*/
+#define LDB_FLAG_MOD_REPLACE 2
+
+/**
+   Flag value used in ldap_modify() to indicate that attributes are
+   being deleted.
+
+   \sa LDB_FLAG_MOD_MASK
+*/
+#define LDB_FLAG_MOD_DELETE  3
+
+/**
+  OID for logic AND comaprison.
+
+  This is the well known object ID for a logical AND comparitor.
+*/
+#define LDB_OID_COMPARATOR_AND  "1.2.840.113556.1.4.803"
+
+/**
+  OID for logic OR comparison.
+
+  This is the well known object ID for a logical OR comparitor.
+*/
+#define LDB_OID_COMPARATOR_OR   "1.2.840.113556.1.4.804"
+
+/**
+  results are given back as arrays of ldb_message_element
+*/
+struct ldb_message_element {
+	unsigned int flags;
+	const char *name;
+	unsigned int num_values;
+	struct ldb_val *values;
+};
+
+
+/**
+  a ldb_message represents all or part of a record. It can contain an arbitrary
+  number of elements. 
+*/
+struct ldb_message {
+	struct ldb_dn *dn;
+	unsigned int num_elements;
+	struct ldb_message_element *elements;
+	void *private_data; /* private to the backend */
+};
+
+enum ldb_changetype {
+	LDB_CHANGETYPE_NONE=0,
+	LDB_CHANGETYPE_ADD,
+	LDB_CHANGETYPE_DELETE,
+	LDB_CHANGETYPE_MODIFY
+};
+
+/**
+  LDIF record
+
+  This structure contains a LDIF record, as returned from ldif_read()
+  and equivalent functions.
+*/
+struct ldb_ldif {
+	enum ldb_changetype changetype; /*!< The type of change */
+	struct ldb_message *msg;  /*!< The changes */
+};
+
+enum ldb_scope {LDB_SCOPE_DEFAULT=-1, 
+		LDB_SCOPE_BASE=0, 
+		LDB_SCOPE_ONELEVEL=1,
+		LDB_SCOPE_SUBTREE=2};
+
+struct ldb_context;
+
+/* debugging uses one of the following levels */
+enum ldb_debug_level {LDB_DEBUG_FATAL, LDB_DEBUG_ERROR, 
+		      LDB_DEBUG_WARNING, LDB_DEBUG_TRACE};
+
+/**
+  the user can optionally supply a debug function. The function
+  is based on the vfprintf() style of interface, but with the addition
+  of a severity level
+*/
+struct ldb_debug_ops {
+	void (*debug)(void *context, enum ldb_debug_level level, 
+		      const char *fmt, va_list ap) PRINTF_ATTRIBUTE(3,0);
+	void *context;
+};
+
+/**
+  The user can optionally supply a custom utf8 functions,
+  to handle comparisons and casefolding.
+*/
+struct ldb_utf8_fns {
+	void *context;
+	char *(*casefold)(void *context, void *mem_ctx, const char *s);
+};
+
+/**
+   Flag value for database connection mode.
+
+   If LDB_FLG_RDONLY is used in ldb_connect, then the database will be
+   opened read-only, if possible.
+*/
+#define LDB_FLG_RDONLY 1
+
+/**
+   Flag value for database connection mode.
+
+   If LDB_FLG_NOSYNC is used in ldb_connect, then the database will be
+   opened without synchronous operations, if possible.
+*/
+#define LDB_FLG_NOSYNC 2
+
+/**
+   Flag value to specify autoreconnect mode.
+
+   If LDB_FLG_RECONNECT is used in ldb_connect, then the backend will
+   be opened in a way that makes it try to auto reconnect if the
+   connection is dropped (actually make sense only with ldap).
+*/
+#define LDB_FLG_RECONNECT 4
+
+/**
+   Flag to tell backends not to use mmap
+*/
+#define LDB_FLG_NOMMAP 8
+
+/*
+   structures for ldb_parse_tree handling code
+*/
+enum ldb_parse_op { LDB_OP_AND=1, LDB_OP_OR=2, LDB_OP_NOT=3,
+		    LDB_OP_EQUALITY=4, LDB_OP_SUBSTRING=5,
+		    LDB_OP_GREATER=6, LDB_OP_LESS=7, LDB_OP_PRESENT=8,
+		    LDB_OP_APPROX=9, LDB_OP_EXTENDED=10 };
+
+struct ldb_parse_tree {
+	enum ldb_parse_op operation;
+	union {
+		struct {
+			struct ldb_parse_tree *child;
+		} isnot;
+		struct {
+			const char *attr;
+			struct ldb_val value;
+		} equality;
+		struct {
+			const char *attr;
+			int start_with_wildcard;
+			int end_with_wildcard;
+			struct ldb_val **chunks;
+		} substring;
+		struct {
+			const char *attr;
+		} present;
+		struct {
+			const char *attr;
+			struct ldb_val value;
+		} comparison;
+		struct {
+			const char *attr;
+			int dnAttributes;
+			char *rule_id;
+			struct ldb_val value;
+		} extended;
+		struct {
+			unsigned int num_elements;
+			struct ldb_parse_tree **elements;
+		} list;
+	} u;
+};
+
+struct ldb_parse_tree *ldb_parse_tree(void *mem_ctx, const char *s);
+char *ldb_filter_from_tree(void *mem_ctx, struct ldb_parse_tree *tree);
+
+/**
+   Encode a binary blob
+
+   This function encodes a binary blob using the encoding rules in RFC
+   2254 (Section 4). This function also escapes any non-printable
+   characters.
+
+   \param ctx the memory context to allocate the return string in.
+   \param val the (potentially) binary data to be encoded
+
+   \return the encoded data as a null terminated string
+
+   \sa <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>.
+*/
+char *ldb_binary_encode(void *ctx, struct ldb_val val);
+
+/**
+   Encode a string
+
+   This function encodes a string using the encoding rules in RFC 2254
+   (Section 4). This function also escapes any non-printable
+   characters.
+
+   \param mem_ctx the memory context to allocate the return string in.
+   \param string the string to be encoded
+
+   \return the encoded data as a null terminated string
+
+   \sa <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>.
+*/
+char *ldb_binary_encode_string(void *mem_ctx, const char *string);
+
+/*
+  functions for controlling attribute handling
+*/
+typedef int (*ldb_attr_handler_t)(struct ldb_context *, void *mem_ctx, const struct ldb_val *, struct ldb_val *);
+typedef int (*ldb_attr_comparison_t)(struct ldb_context *, void *mem_ctx, const struct ldb_val *, const struct ldb_val *);
+
+/*
+  attribute handler structure
+
+  attr			-> The attribute name
+  flags			-> LDB_ATTR_FLAG_*
+  ldif_read_fn		-> convert from ldif to binary format
+  ldif_write_fn		-> convert from binary to ldif format
+  canonicalise_fn	-> canonicalise a value, for use by indexing and dn construction
+  comparison_fn		-> compare two values
+*/
+
+struct ldb_attrib_handler {
+
+	const char *attr;
+	unsigned flags;
+
+	ldb_attr_handler_t ldif_read_fn;
+	ldb_attr_handler_t ldif_write_fn;
+	ldb_attr_handler_t canonicalise_fn;
+	ldb_attr_comparison_t comparison_fn;
+};
+
+/**
+   The attribute is not returned by default
+*/
+#define LDB_ATTR_FLAG_HIDDEN       (1<<0) 
+
+/* the attribute handler name should be freed when released */
+#define LDB_ATTR_FLAG_ALLOCATED    (1<<1) 
+
+/**
+   The attribute is constructed from other attributes
+*/
+#define LDB_ATTR_FLAG_CONSTRUCTED  (1<<1) 
+
+/**
+  LDAP attribute syntax for a DN
+
+  This is the well-known LDAP attribute syntax for a DN.
+
+  See <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>, Section 4.3.2 
+*/
+#define LDB_SYNTAX_DN                   "1.3.6.1.4.1.1466.115.121.1.12"
+
+/**
+  LDAP attribute syntax for a Directory String
+
+  This is the well-known LDAP attribute syntax for a Directory String.
+
+  \sa <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>, Section 4.3.2 
+*/
+#define LDB_SYNTAX_DIRECTORY_STRING     "1.3.6.1.4.1.1466.115.121.1.15"
+
+/**
+  LDAP attribute syntax for an integer
+
+  This is the well-known LDAP attribute syntax for an integer.
+
+  See <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>, Section 4.3.2 
+*/
+#define LDB_SYNTAX_INTEGER              "1.3.6.1.4.1.1466.115.121.1.27"
+
+/**
+  LDAP attribute syntax for an octet string
+
+  This is the well-known LDAP attribute syntax for an octet string.
+
+  See <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>, Section 4.3.2 
+*/
+#define LDB_SYNTAX_OCTET_STRING         "1.3.6.1.4.1.1466.115.121.1.40"
+
+/**
+  LDAP attribute syntax for UTC time.
+
+  This is the well-known LDAP attribute syntax for a UTC time.
+
+  See <a href="http://www.ietf.org/rfc/rfc2252.txt">RFC 2252</a>, Section 4.3.2 
+*/
+#define LDB_SYNTAX_UTC_TIME             "1.3.6.1.4.1.1466.115.121.1.53"
+
+#define LDB_SYNTAX_OBJECTCLASS          "LDB_SYNTAX_OBJECTCLASS"
+
+/* sorting helpers */
+typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
+
+/**
+   OID for the paged results control. This control is included in the
+   searchRequest and searchResultDone messages as part of the controls
+   field of the LDAPMessage, as defined in Section 4.1.12 of
+   LDAP v3. 
+
+   \sa <a href="http://www.ietf.org/rfc/rfc2696.txt">RFC 2696</a>.
+*/
+#define LDB_CONTROL_PAGED_RESULTS_OID	"1.2.840.113556.1.4.319"
+
+/**
+   OID for specifying the returned elements of the ntSecurityDescriptor
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_sd_flags_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_SD_FLAGS_OID	"1.2.840.113556.1.4.801"
+
+/**
+   OID for specifying an advanced scope for the search (one partition)
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_domain_scope_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_DOMAIN_SCOPE_OID	"1.2.840.113556.1.4.1339"
+
+/**
+   OID for specifying an advanced scope for a search
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_search_options_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_SEARCH_OPTIONS_OID	"1.2.840.113556.1.4.1340"
+
+/**
+   OID for notification
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_notification_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_NOTIFICATION_OID	"1.2.840.113556.1.4.528"
+
+/**
+   OID for getting deleted objects
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_show_deleted_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_SHOW_DELETED_OID	"1.2.840.113556.1.4.417"
+
+/**
+   OID for extended DN
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_extended_dn_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_EXTENDED_DN_OID	"1.2.840.113556.1.4.529"
+
+/**
+   OID for LDAP server sort result extension.
+
+   This control is included in the searchRequest message as part of
+   the controls field of the LDAPMessage, as defined in Section 4.1.12
+   of LDAP v3. The controlType is set to
+   "1.2.840.113556.1.4.473". The criticality MAY be either TRUE or
+   FALSE (where absent is also equivalent to FALSE) at the client's
+   option.
+
+   \sa <a href="http://www.ietf.org/rfc/rfc2891.txt">RFC 2891</a>.
+*/
+#define LDB_CONTROL_SERVER_SORT_OID	"1.2.840.113556.1.4.473"
+
+/**
+   OID for LDAP server sort result response extension.
+
+   This control is included in the searchResultDone message as part of
+   the controls field of the LDAPMessage, as defined in Section 4.1.12 of
+   LDAP v3.
+
+   \sa <a href="http://www.ietf.org/rfc/rfc2891.txt">RFC 2891</a>.
+*/
+#define LDB_CONTROL_SORT_RESP_OID	"1.2.840.113556.1.4.474"
+
+/**
+   OID for LDAP Attribute Scoped Query extension.
+
+   This control is included in SearchRequest or SearchResponse
+   messages as part of the controls field of the LDAPMessage.
+*/
+#define LDB_CONTROL_ASQ_OID		"1.2.840.113556.1.4.1504"
+
+/**
+   OID for LDAP Directory Sync extension. 
+
+   This control is included in SearchRequest or SearchResponse
+   messages as part of the controls field of the LDAPMessage.
+*/
+#define LDB_CONTROL_DIRSYNC_OID		"1.2.840.113556.1.4.841"
+
+
+/**
+   OID for LDAP Virtual List View Request extension.
+
+   This control is included in SearchRequest messages
+   as part of the controls field of the LDAPMessage.
+*/
+#define LDB_CONTROL_VLV_REQ_OID		"2.16.840.1.113730.3.4.9"
+
+/**
+   OID for LDAP Virtual List View Response extension.
+
+   This control is included in SearchResponse messages
+   as part of the controls field of the LDAPMessage.
+*/
+#define LDB_CONTROL_VLV_RESP_OID	"2.16.840.1.113730.3.4.10"
+
+/**
+   OID to let modifies don't give an error when adding an existing
+   attribute with the same value or deleting an nonexisting one attribute
+
+   \sa <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_permissive_modify_oid.asp">Microsoft documentation of this OID</a>
+*/
+#define LDB_CONTROL_PERMISSIVE_MODIFY_OID	"1.2.840.113556.1.4.1413"
+
+/**
+   OID for LDAP Extended Operation START_TLS.
+
+   This Extended operation is used to start a new TLS
+   channel on top of a clear text channel.
+*/
+#define LDB_EXTENDED_START_TLS_OID	"1.3.6.1.4.1.1466.20037"
+
+/**
+   OID for LDAP Extended Operation START_TLS.
+
+   This Extended operation is used to start a new TLS
+   channel on top of a clear text channel.
+*/
+#define LDB_EXTENDED_DYNAMIC_OID	"1.3.6.1.4.1.1466.101.119.1"
+
+/**
+   OID for LDAP Extended Operation START_TLS.
+
+   This Extended operation is used to start a new TLS
+   channel on top of a clear text channel.
+*/
+#define LDB_EXTENDED_FAST_BIND_OID	"1.2.840.113556.1.4.1781"
+
+struct ldb_sd_flags_control {
+	/*
+	 * request the owner	0x00000001
+	 * request the group	0x00000002
+	 * request the DACL	0x00000004
+	 * request the SACL	0x00000008
+	 */
+	unsigned secinfo_flags;
+};
+
+struct ldb_search_options_control {
+	/*
+	 * DOMAIN_SCOPE		0x00000001
+	 * this limits the search to one partition,
+	 * and no referrals will be returned.
+	 * (Note this doesn't limit the entries by there
+	 *  objectSid belonging to a domain! Builtin and Foreign Sids
+	 *  are still returned)
+	 *
+	 * PHANTOM_ROOT		0x00000002
+	 * this search on the whole tree on a domain controller
+	 * over multiple partitions without referrals.
+	 * (This is the default behavior on the Global Catalog Port)
+	 */
+	unsigned search_options;
+};
+
+struct ldb_paged_control {
+	int size;
+	int cookie_len;
+	char *cookie;
+};
+
+struct ldb_extended_dn_control {
+	int type;
+};
+
+struct ldb_server_sort_control {
+	char *attributeName;
+	char *orderingRule;
+	int reverse;
+};
+
+struct ldb_sort_resp_control {
+	int result;
+	char *attr_desc;
+};
+
+struct ldb_asq_control {
+	int request;
+	char *source_attribute;
+	int src_attr_len;
+	int result;
+};
+
+struct ldb_dirsync_control {
+	int flags;
+	int max_attributes;
+	int cookie_len;
+	char *cookie;
+};
+
+struct ldb_vlv_req_control {
+	int beforeCount;
+	int afterCount;
+	int type;
+	union {
+		struct {
+			int offset;
+			int contentCount;
+		} byOffset;
+		struct {
+			int value_len;
+			char *value;
+		} gtOrEq;
+	} match;
+	int ctxid_len;
+	char *contextId;
+};
+
+struct ldb_vlv_resp_control {
+	int targetPosition;
+	int contentCount;
+	int vlv_result;
+	int ctxid_len;
+	char *contextId;
+};
+
+struct ldb_control {
+	const char *oid;
+	int critical;
+	void *data;
+};
+
+enum ldb_request_type {
+	LDB_SEARCH,
+	LDB_ADD,
+	LDB_MODIFY,
+	LDB_DELETE,
+	LDB_RENAME,
+	LDB_EXTENDED,
+	LDB_REQ_REGISTER_CONTROL,
+	LDB_REQ_REGISTER_PARTITION,
+	LDB_SEQUENCE_NUMBER
+};
+
+enum ldb_reply_type {
+	LDB_REPLY_ENTRY,
+	LDB_REPLY_REFERRAL,
+	LDB_REPLY_EXTENDED,
+	LDB_REPLY_DONE
+};
+
+enum ldb_wait_type {
+	LDB_WAIT_ALL,
+	LDB_WAIT_NONE
+};
+
+enum ldb_state {
+	LDB_ASYNC_INIT,
+	LDB_ASYNC_PENDING,
+	LDB_ASYNC_DONE
+};
+
+struct ldb_result {
+	unsigned int count;
+	struct ldb_message **msgs;
+	char **refs;
+	struct ldb_control **controls;
+};
+
+struct ldb_extended {
+	const char *oid;
+	const char *value;
+	int value_len;
+};
+
+struct ldb_reply {
+	enum ldb_reply_type type;
+	struct ldb_message *message;
+	struct ldb_extended *response;
+	char *referral;
+	struct ldb_control **controls;
+};
+
+struct ldb_handle {
+	int status;
+	enum ldb_state state;
+	void *private_data;
+	struct ldb_module *module;
+};
+
+struct ldb_search {
+	const struct ldb_dn *base;
+	enum ldb_scope scope;
+	const struct ldb_parse_tree *tree;
+	const char * const *attrs;
+	struct ldb_result *res;
+};
+
+struct ldb_add {
+	const struct ldb_message *message;
+};
+
+struct  ldb_modify {
+	const struct ldb_message *message;
+};
+
+struct ldb_delete {
+	const struct ldb_dn *dn;
+};
+
+struct ldb_rename {
+	const struct ldb_dn *olddn;
+	const struct ldb_dn *newdn;
+};
+
+struct ldb_register_control {
+	const char *oid;
+};
+
+struct ldb_register_partition {
+	const struct ldb_dn *dn;
+};
+
+struct ldb_sequence_number {
+	enum ldb_sequence_type {
+		LDB_SEQ_HIGHEST_SEQ,
+		LDB_SEQ_HIGHEST_TIMESTAMP,
+		LDB_SEQ_NEXT
+	} type;
+	uint64_t seq_num;
+	uint32_t flags;
+};
+
+typedef int (*ldb_request_callback_t)(struct ldb_context *, void *, struct ldb_reply *);
+struct ldb_request {
+
+	enum ldb_request_type operation;
+
+	union {
+		struct ldb_search search;
+		struct ldb_add    add;
+		struct ldb_modify mod;
+		struct ldb_delete del;
+		struct ldb_rename rename;
+		struct ldb_register_control reg_control;
+		struct ldb_register_partition reg_partition;
+		struct ldb_sequence_number seq_num;
+	} op;
+
+	struct ldb_control **controls;
+
+	void *context;
+	ldb_request_callback_t callback;
+
+	int timeout;
+	time_t starttime;
+	struct ldb_handle *handle;
+};
+
+int ldb_request(struct ldb_context *ldb, struct ldb_request *request);
+
+int ldb_wait(struct ldb_handle *handle, enum ldb_wait_type type);
+
+int ldb_set_timeout(struct ldb_context *ldb, struct ldb_request *req, int timeout);
+int ldb_set_timeout_from_prev_req(struct ldb_context *ldb, struct ldb_request *oldreq, struct ldb_request *newreq);
+void ldb_set_create_perms(struct ldb_context *ldb, unsigned int perms);
+
+/**
+  Initialise ldbs' global information
+
+  This is required before any other LDB call
+
+  \return 0 if initialisation succeeded, -1 otherwise
+*/
+int ldb_global_init(void);
+
+/**
+  Initialise an ldb context
+
+  This is required before any other LDB call.
+
+  \param mem_ctx pointer to a talloc memory context. Pass NULL if there is
+  no suitable context available.
+
+  \return pointer to ldb_context that should be free'd (using talloc_free())
+  at the end of the program.
+*/
+struct ldb_context *ldb_init(void *mem_ctx);
+
+/**
+   Connect to a database.
+
+   This is typically called soon after ldb_init(), and is required prior to
+   any search or database modification operations.
+
+   The URL can be one of the following forms:
+    - tdb://path
+    - ldapi://path
+    - ldap://host
+    - sqlite://path
+
+   \param ldb the context associated with the database (from ldb_init())
+   \param url the URL of the database to connect to, as noted above
+   \param flags a combination of LDB_FLG_* to modify the connection behaviour
+   \param options backend specific options - passed uninterpreted to the backend
+
+   \return result code (LDB_SUCCESS on success, or a failure code)
+
+   \note It is an error to connect to a database that does not exist in readonly mode
+   (that is, with LDB_FLG_RDONLY). However in read-write mode, the database will be
+   created if it does not exist.
+*/
+int ldb_connect(struct ldb_context *ldb, const char *url, unsigned int flags, const char *options[]);
+
+/*
+  return an automatic baseDN from the defaultNamingContext of the rootDSE
+  This value have been set in an opaque pointer at connection time
+*/
+const struct ldb_dn *ldb_get_default_basedn(struct ldb_context *ldb);
+
+
+/**
+  The Default iasync search callback function 
+
+  \param ldb the context associated with the database (from ldb_init())
+  \param context the callback context
+  \param ares a single reply from the async core
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+
+  \note this function expects the context to always be an struct ldb_result pointer
+  AND a talloc context, this function will steal on the context each message
+  from the ares reply passed on by the async core so that in the end all the
+  messages will be in the context (ldb_result)  memory tree.
+  Freeing the passed context (ldb_result tree) will free all the resources
+  (the request need to be freed separately and the result doe not depend on the
+  request that can be freed as sson as the search request is finished)
+*/
+
+int ldb_search_default_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares);
+
+/**
+  Helper function to build a search request
+
+  \param ret_req the request structure is returned here (talloced on mem_ctx)
+  \param ldb the context associated with the database (from ldb_init())
+  \param mem_ctx a talloc emmory context (used as parent of ret_req)
+  \param base the Base Distinguished Name for the query (use ldb_dn_new() for an empty one)
+  \param scope the search scope for the query
+  \param expression the search expression to use for this query
+  \param attrs the search attributes for the query (pass NULL if none required)
+  \param controls an array of controls
+  \param context the callback function context
+  \param the callback function to handle the async replies
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+*/
+
+int ldb_build_search_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *base,
+	       		enum ldb_scope scope,
+			const char *expression,
+			const char * const *attrs,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback);
+
+/**
+  Helper function to build an add request
+
+  \param ret_req the request structure is returned here (talloced on mem_ctx)
+  \param ldb the context associated with the database (from ldb_init())
+  \param mem_ctx a talloc emmory context (used as parent of ret_req)
+  \param message contains the entry to be added 
+  \param controls an array of controls
+  \param context the callback function context
+  \param the callback function to handle the async replies
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+*/
+
+int ldb_build_add_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_message *message,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback);
+
+/**
+  Helper function to build a modify request
+
+  \param ret_req the request structure is returned here (talloced on mem_ctx)
+  \param ldb the context associated with the database (from ldb_init())
+  \param mem_ctx a talloc emmory context (used as parent of ret_req)
+  \param message contains the entry to be modified
+  \param controls an array of controls
+  \param context the callback function context
+  \param the callback function to handle the async replies
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+*/
+
+int ldb_build_mod_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_message *message,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback);
+
+/**
+  Helper function to build a delete request
+
+  \param ret_req the request structure is returned here (talloced on mem_ctx)
+  \param ldb the context associated with the database (from ldb_init())
+  \param mem_ctx a talloc emmory context (used as parent of ret_req)
+  \param dn the DN to be deleted
+  \param controls an array of controls
+  \param context the callback function context
+  \param the callback function to handle the async replies
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+*/
+
+int ldb_build_del_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *dn,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback);
+
+/**
+  Helper function to build a rename request
+
+  \param ret_req the request structure is returned here (talloced on mem_ctx)
+  \param ldb the context associated with the database (from ldb_init())
+  \param mem_ctx a talloc emmory context (used as parent of ret_req)
+  \param olddn the old DN
+  \param newdn the new DN
+  \param controls an array of controls
+  \param context the callback function context
+  \param the callback function to handle the async replies
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+*/
+
+int ldb_build_rename_req(struct ldb_request **ret_req,
+			struct ldb_context *ldb,
+			void *mem_ctx,
+			const struct ldb_dn *olddn,
+			const struct ldb_dn *newdn,
+			struct ldb_control **controls,
+			void *context,
+			ldb_request_callback_t callback);
+
+/**
+  Search the database
+
+  This function searches the database, and returns 
+  records that match an LDAP-like search expression
+
+  \param ldb the context associated with the database (from ldb_init())
+  \param base the Base Distinguished Name for the query (use ldb_dn_new() for an empty one)
+  \param scope the search scope for the query
+  \param expression the search expression to use for this query
+  \param attrs the search attributes for the query (pass NULL if none required)
+  \param res the return result
+
+  \return result code (LDB_SUCCESS on success, or a failure code)
+
+  \note use talloc_free() to free the ldb_result returned
+*/
+int ldb_search(struct ldb_context *ldb, 
+	       const struct ldb_dn *base,
+	       enum ldb_scope scope,
+	       const char *expression,
+	       const char * const *attrs, struct ldb_result **res);
+
+/*
+ * a useful search function where you can easily define the expression and
+ * that takes a memory context where results are allocated
+*/
+
+int ldb_search_exp_fmt(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
+		       struct ldb_result **result, struct ldb_dn *base,
+		       enum ldb_scope scope, const char * const *attrs,
+		       const char *exp_fmt, ...);
+
+/*
+  like ldb_search() but takes a parse tree
+*/
+int ldb_search_bytree(struct ldb_context *ldb, 
+		      const struct ldb_dn *base,
+		      enum ldb_scope scope,
+		      struct ldb_parse_tree *tree,
+		      const char * const *attrs, struct ldb_result **res);
+
+/**
+  Add a record to the database.
+
+  This function adds a record to the database. This function will fail
+  if a record with the specified class and key already exists in the
+  database. 
+
+  \param ldb the context associated with the database (from
+  ldb_init())
+  \param message the message containing the record to add.
+
+  \return result code (LDB_SUCCESS if the record was added, otherwise
+  a failure code)
+*/
+int ldb_add(struct ldb_context *ldb, 
+	    const struct ldb_message *message);
+
+/**
+  Modify the specified attributes of a record
+
+  This function modifies a record that is in the database.
+
+  \param ldb the context associated with the database (from
+  ldb_init())
+  \param message the message containing the changes required.
+
+  \return result code (LDB_SUCCESS if the record was modified as
+  requested, otherwise a failure code)
+*/
+int ldb_modify(struct ldb_context *ldb, 
+	       const struct ldb_message *message);
+
+/**
+  Rename a record in the database
+
+  This function renames a record in the database.
+
+  \param ldb the context associated with the database (from
+  ldb_init())
+  \param olddn the DN for the record to be renamed.
+  \param newdn the new DN 
+
+  \return result code (LDB_SUCCESS if the record was renamed as
+  requested, otherwise a failure code)
+*/
+int ldb_rename(struct ldb_context *ldb, const struct ldb_dn *olddn, const struct ldb_dn *newdn);
+
+/**
+  Delete a record from the database
+
+  This function deletes a record from the database.
+
+  \param ldb the context associated with the database (from
+  ldb_init())
+  \param dn the DN for the record to be deleted.
+
+  \return result code (LDB_SUCCESS if the record was deleted,
+  otherwise a failure code)
+*/
+int ldb_delete(struct ldb_context *ldb, const struct ldb_dn *dn);
+
+/**
+  start a transaction
+*/
+int ldb_transaction_start(struct ldb_context *ldb);
+
+/**
+  commit a transaction
+*/
+int ldb_transaction_commit(struct ldb_context *ldb);
+
+/**
+  cancel a transaction
+*/
+int ldb_transaction_cancel(struct ldb_context *ldb);
+
+
+/**
+  return extended error information from the last call
+*/
+const char *ldb_errstring(struct ldb_context *ldb);
+
+/**
+  return a string explaining what a ldb error constant meancs
+*/
+const char *ldb_strerror(int ldb_err);
+
+/**
+  setup the default utf8 functions
+  FIXME: these functions do not yet handle utf8
+*/
+void ldb_set_utf8_default(struct ldb_context *ldb);
+
+/**
+   Casefold a string
+
+   \param ldb the ldb context
+   \param mem_ctx the memory context to allocate the result string
+   memory from. 
+   \param s the string that is to be folded
+   \return a copy of the string, converted to upper case
+
+   \note The default function is not yet UTF8 aware. Provide your own
+         set of functions through ldb_set_utf8_fns()
+*/
+char *ldb_casefold(struct ldb_context *ldb, void *mem_ctx, const char *s);
+
+/**
+   Check the attribute name is valid according to rfc2251
+   \param s tthe string to check
+
+   \return 1 if the name is ok
+*/
+int ldb_valid_attr_name(const char *s);
+
+/*
+  ldif manipulation functions
+*/
+/**
+   Write an LDIF message
+
+   This function writes an LDIF message using a caller supplied  write
+   function.
+
+   \param ldb the ldb context (from ldb_init())
+   \param fprintf_fn a function pointer for the write function. This must take
+   a private data pointer, followed by a format string, and then a variable argument
+   list. 
+   \param private_data pointer that will be provided back to the write
+   function. This is useful for maintaining state or context.
+   \param ldif the message to write out
+
+   \return the total number of bytes written, or an error code as returned
+   from the write function.
+
+   \sa ldb_ldif_write_file for a more convenient way to write to a
+   file stream.
+
+   \sa ldb_ldif_read for the reader equivalent to this function.
+*/
+int ldb_ldif_write(struct ldb_context *ldb,
+		   int (*fprintf_fn)(void *, const char *, ...) PRINTF_ATTRIBUTE(2,3), 
+		   void *private_data,
+		   const struct ldb_ldif *ldif);
+
+/**
+   Clean up an LDIF message
+
+   This function cleans up a LDIF message read using ldb_ldif_read()
+   or related functions (such as ldb_ldif_read_string() and
+   ldb_ldif_read_file().
+
+   \param ldb the ldb context (from ldb_init())
+   \param msg the message to clean up and free
+
+*/
+void ldb_ldif_read_free(struct ldb_context *ldb, struct ldb_ldif *msg);
+
+/**
+   Read an LDIF message
+
+   This function creates an LDIF message using a caller supplied read
+   function. 
+
+   \param ldb the ldb context (from ldb_init())
+   \param fgetc_fn a function pointer for the read function. This must
+   take a private data pointer, and must return a pointer to an
+   integer corresponding to the next byte read (or EOF if there is no
+   more data to be read).
+   \param private_data pointer that will be provided back to the read
+   function. This is udeful for maintaining state or context.
+
+   \return the LDIF message that has been read in
+
+   \note You must free the LDIF message when no longer required, using
+   ldb_ldif_read_free().
+
+   \sa ldb_ldif_read_file for a more convenient way to read from a
+   file stream.
+
+   \sa ldb_ldif_read_string for a more convenient way to read from a
+   string (char array).
+
+   \sa ldb_ldif_write for the writer equivalent to this function.
+*/
+struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, 
+			       int (*fgetc_fn)(void *), void *private_data);
+
+/**
+   Read an LDIF message from a file
+
+   This function reads the next LDIF message from the contents of a
+   file stream. If you want to get all of the LDIF messages, you will
+   need to repeatedly call this function, until it returns NULL.
+
+   \param ldb the ldb context (from ldb_init())
+   \param f the file stream to read from (typically from fdopen())
+
+   \sa ldb_ldif_read_string for an equivalent function that will read
+   from a string (char array).
+
+   \sa ldb_ldif_write_file for the writer equivalent to this function.
+
+*/
+struct ldb_ldif *ldb_ldif_read_file(struct ldb_context *ldb, FILE *f);
+
+/**
+   Read an LDIF message from a string
+
+   This function reads the next LDIF message from the contents of a char
+   array. If you want to get all of the LDIF messages, you will need
+   to repeatedly call this function, until it returns NULL.
+
+   \param ldb the ldb context (from ldb_init())
+   \param s pointer to the char array to read from
+
+   \sa ldb_ldif_read_file for an equivalent function that will read
+   from a file stream.
+
+   \sa ldb_ldif_write for a more general (arbitrary read function)
+   version of this function.
+*/
+struct ldb_ldif *ldb_ldif_read_string(struct ldb_context *ldb, const char **s);
+
+/**
+   Write an LDIF message to a file
+
+   \param ldb the ldb context (from ldb_init())
+   \param f the file stream to write to (typically from fdopen())
+   \param msg the message to write out
+
+   \return the total number of bytes written, or a negative error code
+
+   \sa ldb_ldif_read_file for the reader equivalent to this function.
+*/
+int ldb_ldif_write_file(struct ldb_context *ldb, FILE *f, const struct ldb_ldif *msg);
+
+/**
+   Base64 encode a buffer
+
+   \param mem_ctx the memory context that the result is allocated
+   from. 
+   \param buf pointer to the array that is to be encoded
+   \param len the number of elements in the array to be encoded
+
+   \return pointer to an array containing the encoded data
+
+   \note The caller is responsible for freeing the result
+*/
+char *ldb_base64_encode(void *mem_ctx, const char *buf, int len);
+
+/**
+   Base64 decode a buffer
+
+   This function decodes a base64 encoded string in place.
+
+   \param s the string to decode.
+
+   \return the length of the returned (decoded) string.
+
+   \note the string is null terminated, but the null terminator is not
+   included in the length.
+*/
+int ldb_base64_decode(char *s);
+
+int ldb_attrib_add_handlers(struct ldb_context *ldb, 
+			    const struct ldb_attrib_handler *handlers, 
+			    unsigned num_handlers);
+
+/* The following definitions come from lib/ldb/common/ldb_dn.c  */
+
+int ldb_dn_is_special(const struct ldb_dn *dn);
+int ldb_dn_check_special(const struct ldb_dn *dn, const char *check);
+char *ldb_dn_escape_value(void *mem_ctx, struct ldb_val value);
+struct ldb_dn *ldb_dn_new(void *mem_ctx);
+struct ldb_dn *ldb_dn_explode(void *mem_ctx, const char *dn);
+struct ldb_dn *ldb_dn_explode_or_special(void *mem_ctx, const char *dn);
+char *ldb_dn_linearize(void *mem_ctx, const struct ldb_dn *edn);
+char *ldb_dn_linearize_casefold(struct ldb_context *ldb, void *mem_ctx, const struct ldb_dn *edn);
+int ldb_dn_compare_base(struct ldb_context *ldb, const struct ldb_dn *base, const struct ldb_dn *dn);
+int ldb_dn_compare(struct ldb_context *ldb, const struct ldb_dn *edn0, const struct ldb_dn *edn1);
+struct ldb_dn *ldb_dn_casefold(struct ldb_context *ldb, void *mem_ctx, const struct ldb_dn *edn);
+struct ldb_dn *ldb_dn_explode_casefold(struct ldb_context *ldb, void *mem_ctx, const char *dn);
+struct ldb_dn *ldb_dn_copy_partial(void *mem_ctx, const struct ldb_dn *dn, int num_el);
+struct ldb_dn *ldb_dn_copy(void *mem_ctx, const struct ldb_dn *dn);
+struct ldb_dn *ldb_dn_copy_rebase(void *mem_ctx, const struct ldb_dn *old, const struct ldb_dn *old_base, const struct ldb_dn *new_base);
+struct ldb_dn *ldb_dn_get_parent(void *mem_ctx, const struct ldb_dn *dn);
+struct ldb_dn_component *ldb_dn_build_component(void *mem_ctx, const char *attr,
+							       const char *val);
+struct ldb_dn *ldb_dn_build_child(void *mem_ctx, const char *attr,
+						 const char * value,
+						 const struct ldb_dn *base);
+struct ldb_dn *ldb_dn_compose(void *mem_ctx, const struct ldb_dn *dn1, const struct ldb_dn *dn2);
+struct ldb_dn *ldb_dn_string_compose(void *mem_ctx, const struct ldb_dn *base, const char *child_fmt, ...) PRINTF_ATTRIBUTE(3,4);
+char *ldb_dn_canonical_string(void *mem_ctx, const struct ldb_dn *dn);
+char *ldb_dn_canonical_ex_string(void *mem_ctx, const struct ldb_dn *dn);
+int ldb_dn_get_comp_num(const struct ldb_dn *dn);
+const char *ldb_dn_get_component_name(const struct ldb_dn *dn, unsigned int num);
+const struct ldb_val *ldb_dn_get_component_val(const struct ldb_dn *dn, unsigned int num);
+const char *ldb_dn_get_rdn_name(const struct ldb_dn *dn);
+const struct ldb_val *ldb_dn_get_rdn_val(const struct ldb_dn *dn);
+int ldb_dn_set_component(struct ldb_dn *dn, int num, const char *name, const struct ldb_val val);
+
+
+
+/* useful functions for ldb_message structure manipulation */
+int ldb_dn_cmp(struct ldb_context *ldb, const char *dn1, const char *dn2);
+
+/**
+   Compare two attributes
+
+   This function compares to attribute names. Note that this is a
+   case-insensitive comparison.
+
+   \param attr1 the first attribute name to compare
+   \param attr2 the second attribute name to compare
+
+   \return 0 if the attribute names are the same, or only differ in
+   case; non-zero if there are any differences
+*/
+int ldb_attr_cmp(const char *attr1, const char *attr2);
+char *ldb_attr_casefold(void *mem_ctx, const char *s);
+int ldb_attr_dn(const char *attr);
+
+/**
+   Create an empty message
+
+   \param mem_ctx the memory context to create in. You can pass NULL
+   to get the top level context, however the ldb context (from
+   ldb_init()) may be a better choice
+*/
+struct ldb_message *ldb_msg_new(void *mem_ctx);
+
+/**
+   Find an element within an message
+*/
+struct ldb_message_element *ldb_msg_find_element(const struct ldb_message *msg, 
+						 const char *attr_name);
+
+/**
+   Compare two ldb_val values
+
+   \param v1 first ldb_val structure to be tested
+   \param v2 second ldb_val structure to be tested
+
+   \return 1 for a match, 0 if there is any difference
+*/
+int ldb_val_equal_exact(const struct ldb_val *v1, const struct ldb_val *v2);
+
+/**
+   find a value within an ldb_message_element
+
+   \param el the element to search
+   \param val the value to search for
+
+   \note This search is case sensitive
+*/
+struct ldb_val *ldb_msg_find_val(const struct ldb_message_element *el, 
+				 struct ldb_val *val);
+
+/**
+   add a new empty element to a ldb_message
+*/
+int ldb_msg_add_empty(struct ldb_message *msg,
+		const char *attr_name,
+		int flags,
+		struct ldb_message_element **return_el);
+
+/**
+   add a element to a ldb_message
+*/
+int ldb_msg_add(struct ldb_message *msg, 
+		const struct ldb_message_element *el, 
+		int flags);
+int ldb_msg_add_value(struct ldb_message *msg, 
+		const char *attr_name,
+		const struct ldb_val *val,
+		struct ldb_message_element **return_el);
+int ldb_msg_add_steal_value(struct ldb_message *msg, 
+		      const char *attr_name,
+		      struct ldb_val *val);
+int ldb_msg_add_steal_string(struct ldb_message *msg, 
+			     const char *attr_name, char *str);
+int ldb_msg_add_string(struct ldb_message *msg, 
+		       const char *attr_name, const char *str);
+int ldb_msg_add_fmt(struct ldb_message *msg, 
+		    const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
+
+/**
+   compare two message elements - return 0 on match
+*/
+int ldb_msg_element_compare(struct ldb_message_element *el1, 
+			    struct ldb_message_element *el2);
+
+/**
+   Find elements in a message.
+
+   This function finds elements and converts to a specific type, with
+   a give default value if not found. Assumes that elements are
+   single valued.
+*/
+const struct ldb_val *ldb_msg_find_ldb_val(const struct ldb_message *msg, const char *attr_name);
+int ldb_msg_find_attr_as_int(const struct ldb_message *msg, 
+			     const char *attr_name,
+			     int default_value);
+unsigned int ldb_msg_find_attr_as_uint(const struct ldb_message *msg, 
+				       const char *attr_name,
+				       unsigned int default_value);
+int64_t ldb_msg_find_attr_as_int64(const struct ldb_message *msg, 
+				   const char *attr_name,
+				   int64_t default_value);
+uint64_t ldb_msg_find_attr_as_uint64(const struct ldb_message *msg, 
+				     const char *attr_name,
+				     uint64_t default_value);
+double ldb_msg_find_attr_as_double(const struct ldb_message *msg, 
+				   const char *attr_name,
+				   double default_value);
+int ldb_msg_find_attr_as_bool(const struct ldb_message *msg, 
+			      const char *attr_name,
+			      int default_value);
+const char *ldb_msg_find_attr_as_string(const struct ldb_message *msg, 
+					const char *attr_name,
+					const char *default_value);
+
+struct ldb_dn *ldb_msg_find_attr_as_dn(void *mem_ctx,
+				       const struct ldb_message *msg,
+				        const char *attr_name);
+
+void ldb_msg_sort_elements(struct ldb_message *msg);
+
+struct ldb_message *ldb_msg_copy_shallow(void *mem_ctx, 
+					 const struct ldb_message *msg);
+struct ldb_message *ldb_msg_copy(void *mem_ctx, 
+				 const struct ldb_message *msg);
+
+struct ldb_message *ldb_msg_canonicalize(struct ldb_context *ldb, 
+					 const struct ldb_message *msg);
+
+
+struct ldb_message *ldb_msg_diff(struct ldb_context *ldb, 
+				 struct ldb_message *msg1,
+				 struct ldb_message *msg2);
+
+int ldb_msg_check_string_attribute(const struct ldb_message *msg,
+				   const char *name,
+				   const char *value);
+
+/**
+   Integrity check an ldb_message
+
+   This function performs basic sanity / integrity checks on an
+   ldb_message.
+
+   \param msg the message to check
+
+   \return LDB_SUCCESS if the message is OK, or a non-zero error code
+   (one of LDB_ERR_INVALID_DN_SYNTAX, LDB_ERR_ENTRY_ALREADY_EXISTS or
+   LDB_ERR_INVALID_ATTRIBUTE_SYNTAX) if there is a problem with a
+   message.
+*/
+int ldb_msg_sanity_check(struct ldb_context *ldb,
+			 const struct ldb_message *msg);
+
+/**
+   Duplicate an ldb_val structure
+
+   This function copies an ldb value structure. 
+
+   \param mem_ctx the memory context that the duplicated value will be
+   allocated from
+   \param v the ldb_val to be duplicated.
+
+   \return the duplicated ldb_val structure.
+*/
+struct ldb_val ldb_val_dup(void *mem_ctx, const struct ldb_val *v);
+
+/**
+  this allows the user to set a debug function for error reporting
+*/
+int ldb_set_debug(struct ldb_context *ldb,
+		  void (*debug)(void *context, enum ldb_debug_level level, 
+				const char *fmt, va_list ap) PRINTF_ATTRIBUTE(3,0),
+		  void *context);
+
+/**
+  this allows the user to set custom utf8 function for error reporting
+*/
+void ldb_set_utf8_fns(struct ldb_context *ldb,
+			void *context,
+			char *(*casefold)(void *, void *, const char *));
+
+/**
+   this sets up debug to print messages on stderr
+*/
+int ldb_set_debug_stderr(struct ldb_context *ldb);
+
+/* control backend specific opaque values */
+int ldb_set_opaque(struct ldb_context *ldb, const char *name, void *value);
+void *ldb_get_opaque(struct ldb_context *ldb, const char *name);
+
+const struct ldb_attrib_handler *ldb_attrib_handler(struct ldb_context *ldb,
+						    const char *attrib);
+
+
+const char **ldb_attr_list_copy(void *mem_ctx, const char * const *attrs);
+const char **ldb_attr_list_copy_add(void *mem_ctx, const char * const *attrs, const char *new_attr);
+int ldb_attr_in_list(const char * const *attrs, const char *attr);
+
+
+void ldb_parse_tree_attr_replace(struct ldb_parse_tree *tree, 
+				 const char *attr, 
+				 const char *replace);
+
+int ldb_msg_rename_attr(struct ldb_message *msg, const char *attr, const char *replace);
+int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *replace);
+void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr);
+
+/**
+   Convert a time structure to a string
+
+   This function converts a time_t structure to an LDAP formatted time
+   string.
+
+   \param mem_ctx the memory context to allocate the return string in
+   \param t the time structure to convert
+
+   \return the formatted string, or NULL if the time structure could
+   not be converted
+*/
+char *ldb_timestring(void *mem_ctx, time_t t);
+
+/**
+   Convert a string to a time structure
+
+   This function converts an LDAP formatted time string to a time_t
+   structure.
+
+   \param s the string to convert
+
+   \return the time structure, or 0 if the string cannot be converted
+*/
+time_t ldb_string_to_time(const char *s);
+
+
+void ldb_qsort (void *const pbase, size_t total_elems, size_t size, void *opaque, ldb_qsort_cmp_fn_t cmp);
+#endif
diff --git a/source3/lib/ldb/include/ldb_errors.h b/source3/lib/ldb/include/ldb_errors.h
new file mode 100644
index 0000000000..9362233fd5
--- /dev/null
+++ b/source3/lib/ldb/include/ldb_errors.h
@@ -0,0 +1,310 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb header
+ *
+ *  Description: defines error codes following RFC 2251 ldap error codes
+ *
+ *  Author: Simo Sorce
+ */
+
+#ifndef _LDB_ERRORS_H_
+
+/*! \cond DOXYGEN_IGNORE */
+#define _LDB_ERRORS_H_ 1
+/*! \endcond */
+
+/** 
+   \file ldb_errors.h
+
+   This header provides a set of result codes for LDB function calls.
+
+   Many LDB function calls return an integer value (int). As shown in
+   the function documentation, those return values may indicate
+   whether the function call worked correctly (in which case it
+   returns LDB_SUCCESS) or some problem occurred (in which case some
+   other value will be returned). As a special case,
+   LDB_ERR_COMPARE_FALSE or LDB_ERR_COMPARE_TRUE may be returned,
+   which does not indicate an error.
+
+   \note Not all error codes make sense for LDB, however they are
+   based on the LDAP error codes, and are kept for reference and to
+   avoid overlap.
+
+   \note Some of this documentation is based on information in
+   the OpenLDAP documentation, as developed and maintained by the
+   <a href="http://www.openldap.org/">The OpenLDAP Project</a>.
+ */
+
+/**
+   The function call succeeded.
+
+   If a function returns LDB_SUCCESS, then that function, and the
+   underlying transactions that may have been required, completed
+   successfully.
+*/
+#define LDB_SUCCESS				0
+
+/**
+   The function call failed for some non-specific reason.
+*/
+#define LDB_ERR_OPERATIONS_ERROR		1
+
+/**
+   The function call failed because of a protocol violation.
+*/
+#define LDB_ERR_PROTOCOL_ERROR			2
+
+/**
+   The function call failed because a time limit was exceeded.
+*/
+#define LDB_ERR_TIME_LIMIT_EXCEEDED		3
+
+/**
+   The function call failed because a size limit was exceeded.
+*/
+#define LDB_ERR_SIZE_LIMIT_EXCEEDED		4
+
+/**
+   The function was for value comparison, and the comparison operation
+   returned false.
+
+   \note This is a status value, and doesn't normally indicate an
+   error.
+*/
+#define LDB_ERR_COMPARE_FALSE			5
+
+/**
+   The function was for value comparison, and the comparison operation
+   returned true.
+
+   \note This is a status value, and doesn't normally indicate an
+   error.
+*/
+#define LDB_ERR_COMPARE_TRUE			6
+
+/**
+   The function used an authentication method that is not supported by
+   the database.
+*/
+#define LDB_ERR_AUTH_METHOD_NOT_SUPPORTED	7
+
+/**
+   The function call required a underlying operation that required
+   strong authentication.
+
+   This will normally only occur if you are using LDB with a LDAP
+   backend.
+*/
+#define LDB_ERR_STRONG_AUTH_REQUIRED		8
+/* 9 RESERVED */
+
+/**
+   The function resulted in a referral to another server.
+*/
+#define LDB_ERR_REFERRAL			10
+
+/**
+   The function failed because an administrative / policy limit was
+   exceeded.
+*/
+#define LDB_ERR_ADMIN_LIMIT_EXCEEDED		11
+
+/**
+   The function required an extension or capability that the
+   database cannot provide.
+*/
+#define LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION	12
+
+/**
+   The function involved a transaction or database operation that
+   could not be performed without a secure link.
+*/
+#define LDB_ERR_CONFIDENTIALITY_REQUIRED	13
+
+/**
+   This is an intermediate result code for SASL bind operations that
+   have more than one step.
+
+   \note This is a result code that does not normally indicate an
+   error has occurred.
+*/
+#define LDB_ERR_SASL_BIND_IN_PROGRESS		14
+
+/**
+   The function referred to an attribute type that is not present in
+   the entry.
+*/
+#define LDB_ERR_NO_SUCH_ATTRIBUTE		16
+
+/**
+   The function referred to an attribute type that is invalid
+*/
+#define LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE	17
+
+/**
+   The function required a filter type that is not available for the
+   specified attribute.
+*/
+#define LDB_ERR_INAPPROPRIATE_MATCHING		18
+
+/**
+   The function would have violated an attribute constraint.
+*/
+#define LDB_ERR_CONSTRAINT_VIOLATION		19
+
+/**
+   The function involved an attribute type or attribute value that
+   already exists in the entry.
+*/
+#define LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS	20
+/**
+   The function used an invalid (incorrect syntax) attribute value.
+*/
+#define LDB_ERR_INVALID_ATTRIBUTE_SYNTAX	21
+
+/* 22-31 unused */
+
+/**
+   The function referred to an object that does not exist in the
+   database.
+*/
+#define LDB_ERR_NO_SUCH_OBJECT			32
+
+/**
+   The function referred to an alias which points to a non-existant
+   object in the database.
+*/
+#define LDB_ERR_ALIAS_PROBLEM			33
+
+/**
+   The function used a DN which was invalid (incorrect syntax).
+*/
+#define LDB_ERR_INVALID_DN_SYNTAX		34
+
+/* 35 RESERVED */
+
+/**
+   The function required dereferencing of an alias, and something went
+   wrong during the dereferencing process.
+*/
+#define LDB_ERR_ALIAS_DEREFERENCING_PROBLEM	36
+
+/* 37-47 unused */
+
+/**
+   The function passed in the wrong authentication method.
+*/
+#define LDB_ERR_INAPPROPRIATE_AUTHENTICATION	48
+
+/**
+   The function passed in or referenced incorrect credentials during
+   authentication. 
+*/
+#define LDB_ERR_INVALID_CREDENTIALS		49
+
+/**
+   The function required access permissions that the user does not
+   possess. 
+*/
+#define LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS	50
+
+/**
+   The function required a transaction or call that the database could
+   not perform because it is busy.
+*/
+#define LDB_ERR_BUSY				51
+
+/**
+   The function required a transaction or call to a database that is
+   not available.
+*/
+#define LDB_ERR_UNAVAILABLE			52
+
+/**
+   The function required a transaction or call to a database that the
+   database declined to perform.
+*/
+#define LDB_ERR_UNWILLING_TO_PERFORM		53
+
+/**
+   The function failed because it resulted in a loop being detected.
+*/
+#define LDB_ERR_LOOP_DETECT			54
+
+/* 55-63 unused */
+
+/**
+   The function failed because it would have violated a naming rule.
+*/
+#define LDB_ERR_NAMING_VIOLATION		64
+
+/**
+   The function failed because it would have violated the schema.
+*/
+#define LDB_ERR_OBJECT_CLASS_VIOLATION		65
+
+/**
+   The function required an operation that is only allowed on leaf
+   objects, but the object is not a leaf.
+*/
+#define LDB_ERR_NOT_ALLOWED_ON_NON_LEAF		66
+
+/**
+   The function required an operation that cannot be performed on a
+   Relative DN, but the object is a Relative DN.
+*/
+#define LDB_ERR_NOT_ALLOWED_ON_RDN		67
+
+/**
+   The function failed because the entry already exists.
+*/
+#define LDB_ERR_ENTRY_ALREADY_EXISTS		68
+
+/**
+   The function failed because modifications to an object class are
+   not allowable.
+*/
+#define LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED	69
+
+/* 70 RESERVED FOR CLDAP */
+
+/**
+   The function failed because it needed to be applied to multiple
+   databases.
+*/
+#define LDB_ERR_AFFECTS_MULTIPLE_DSAS		71
+
+/* 72-79 unused */
+
+/**
+   The function failed for unknown reasons.
+*/
+#define LDB_ERR_OTHER				80
+
+/* 81-90 RESERVED for APIs */
+
+#endif /* _LDB_ERRORS_H_ */
diff --git a/source3/lib/ldb/include/ldb_private.h b/source3/lib/ldb/include/ldb_private.h
new file mode 100644
index 0000000000..368a903f2d
--- /dev/null
+++ b/source3/lib/ldb/include/ldb_private.h
@@ -0,0 +1,224 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell    2004
+   Copyright (C) Stefan Metzmacher  2004
+   Copyright (C) Simo Sorce         2004-2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb private header
+ *
+ *  Description: defines internal ldb structures used by the subsystem and modules
+ *
+ *  Author: Andrew Tridgell
+ *  Author: Stefan Metzmacher
+ */
+
+#ifndef _LDB_PRIVATE_H_
+#define _LDB_PRIVATE_H_ 1
+
+struct ldb_context;
+
+struct ldb_module_ops;
+
+/* basic module structure */
+struct ldb_module {
+	struct ldb_module *prev, *next;
+	struct ldb_context *ldb;
+	void *private_data;
+	const struct ldb_module_ops *ops;
+};
+
+/* 
+   these function pointers define the operations that a ldb module must perform
+   they correspond exactly to the ldb_*() interface 
+*/
+struct ldb_module_ops {
+	const char *name;
+	int (*init_context) (struct ldb_module *);
+	int (*search)(struct ldb_module *, struct ldb_request *); /* search */
+	int (*add)(struct ldb_module *, struct ldb_request *); /* add */
+	int (*modify)(struct ldb_module *, struct ldb_request *); /* modify */
+	int (*del)(struct ldb_module *, struct ldb_request *); /* delete */
+	int (*rename)(struct ldb_module *, struct ldb_request *); /* rename */
+	int (*request)(struct ldb_module *, struct ldb_request *); /* match any other operation */
+	int (*extended)(struct ldb_module *, struct ldb_request *); /* extended operations */
+	int (*start_transaction)(struct ldb_module *);
+	int (*end_transaction)(struct ldb_module *);
+	int (*del_transaction)(struct ldb_module *);
+	int (*wait)(struct ldb_handle *, enum ldb_wait_type);
+	int (*sequence_number)(struct ldb_module *, struct ldb_request *);
+};
+
+typedef int (*ldb_connect_fn) (struct ldb_context *ldb, const char *url, unsigned int flags, const char *options[],
+			       struct ldb_module **module);
+
+/*
+  schema related information needed for matching rules
+*/
+struct ldb_schema {
+	/* attribute handling table */
+	unsigned num_attrib_handlers;
+	struct ldb_attrib_handler *attrib_handlers;
+
+	/* objectclass information */
+	unsigned num_classes;
+	struct ldb_subclass {
+		char *name;
+		char **subclasses;
+	} *classes;
+};
+
+/*
+  every ldb connection is started by establishing a ldb_context
+*/
+struct ldb_context {
+	/* the operations provided by the backend */
+	struct ldb_module *modules;
+
+	/* debugging operations */
+	struct ldb_debug_ops debug_ops;
+
+	/* custom utf8 functions */
+	struct ldb_utf8_fns utf8_fns;
+
+	/* backend specific opaque parameters */
+	struct ldb_opaque {
+		struct ldb_opaque *next;
+		const char *name;
+		void *value;
+	} *opaque;
+
+	struct ldb_schema schema;
+
+	char *err_string;
+
+	int transaction_active;
+
+	int default_timeout;
+
+	unsigned int flags;
+
+	unsigned int create_perms;
+};
+
+#ifndef ARRAY_SIZE
+#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
+#endif
+
+/*
+  simplify out of memory handling
+*/
+#define ldb_oom(ldb) ldb_debug_set(ldb, LDB_DEBUG_FATAL, "ldb out of memory at %s:%d\n", __FILE__, __LINE__)
+
+/* The following definitions come from lib/ldb/common/ldb.c  */
+
+int ldb_connect_backend(struct ldb_context *ldb, const char *url, const char *options[],
+			struct ldb_module **backend_module);
+
+/* The following definitions come from lib/ldb/common/ldb_modules.c  */
+
+const char **ldb_modules_list_from_string(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const char *string);
+int ldb_load_modules_list(struct ldb_context *ldb, const char **module_list, struct ldb_module *backend, struct ldb_module **out);
+int ldb_load_modules(struct ldb_context *ldb, const char *options[]);
+int ldb_init_module_chain(struct ldb_context *ldb, struct ldb_module *module);
+int ldb_next_request(struct ldb_module *module, struct ldb_request *request);
+int ldb_next_start_trans(struct ldb_module *module);
+int ldb_next_end_trans(struct ldb_module *module);
+int ldb_next_del_trans(struct ldb_module *module);
+int ldb_next_init(struct ldb_module *module);
+
+void ldb_set_errstring(struct ldb_context *ldb, const char *err_string);
+void ldb_asprintf_errstring(struct ldb_context *ldb, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
+void ldb_reset_err_string(struct ldb_context *ldb);
+
+int ldb_register_module(const struct ldb_module_ops *);
+int ldb_register_backend(const char *url_prefix, ldb_connect_fn);
+int ldb_try_load_dso(struct ldb_context *ldb, const char *name);
+
+/* The following definitions come from lib/ldb/common/ldb_debug.c  */
+void ldb_debug(struct ldb_context *ldb, enum ldb_debug_level level, const char *fmt, ...) PRINTF_ATTRIBUTE(3, 4);
+void ldb_debug_set(struct ldb_context *ldb, enum ldb_debug_level level, 
+		   const char *fmt, ...) PRINTF_ATTRIBUTE(3, 4);
+
+/* The following definitions come from lib/ldb/common/ldb_ldif.c  */
+int ldb_should_b64_encode(const struct ldb_val *val);
+
+int ldb_objectclass_init(void);
+int ldb_operational_init(void);
+int ldb_paged_results_init(void);
+int ldb_rdn_name_init(void);
+int ldb_schema_init(void);
+int ldb_asq_init(void);
+int ldb_sort_init(void);
+int ldb_ldap_init(void);
+int ldb_ildap_init(void);
+int ldb_tdb_init(void);
+int ldb_sqlite3_init(void);
+
+int ldb_match_msg(struct ldb_context *ldb,
+		  const struct ldb_message *msg,
+		  const struct ldb_parse_tree *tree,
+		  const struct ldb_dn *base,
+		  enum ldb_scope scope);
+
+void ldb_remove_attrib_handler(struct ldb_context *ldb, const char *attrib);
+const struct ldb_attrib_handler *ldb_attrib_handler_syntax(struct ldb_context *ldb,
+							   const char *syntax);
+int ldb_set_attrib_handlers(struct ldb_context *ldb, 
+			    const struct ldb_attrib_handler *handlers, 
+			    unsigned num_handlers);
+int ldb_setup_wellknown_attributes(struct ldb_context *ldb);
+int ldb_set_attrib_handler_syntax(struct ldb_context *ldb, 
+				  const char *attr, const char *syntax);
+
+/* The following definitions come from lib/ldb/common/ldb_attributes.c  */
+const char **ldb_subclass_list(struct ldb_context *ldb, const char *classname);
+void ldb_subclass_remove(struct ldb_context *ldb, const char *classname);
+int ldb_subclass_add(struct ldb_context *ldb, const char *classname, const char *subclass);
+
+int ldb_handler_copy(struct ldb_context *ldb, void *mem_ctx,
+		     const struct ldb_val *in, struct ldb_val *out);
+int ldb_comparison_binary(struct ldb_context *ldb, void *mem_ctx,
+			  const struct ldb_val *v1, const struct ldb_val *v2);
+
+/* The following definitions come from lib/ldb/common/ldb_controls.c  */
+struct ldb_control *get_control_from_list(struct ldb_control **controls, const char *oid);
+int save_controls(struct ldb_control *exclude, struct ldb_request *req, struct ldb_control ***saver);
+int check_critical_controls(struct ldb_control **controls);
+
+/* The following definitions come from lib/ldb/common/ldb_utf8.c */
+char *ldb_casefold_default(void *context, void *mem_ctx, const char *s);
+
+void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el);
+
+/**
+  Obtain current/next database sequence number
+*/
+int ldb_sequence_number(struct ldb_context *ldb, enum ldb_sequence_type type, uint64_t *seq_num);
+
+#define LDB_SEQ_GLOBAL_SEQUENCE    0x01
+#define LDB_SEQ_TIMESTAMP_SEQUENCE 0x02
+
+
+#endif
diff --git a/source3/lib/ldb/install-sh b/source3/lib/ldb/install-sh
new file mode 100755
index 0000000000..58719246f0
--- /dev/null
+++ b/source3/lib/ldb/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/source3/lib/ldb/ldap.m4 b/source3/lib/ldb/ldap.m4
new file mode 100644
index 0000000000..417083ed61
--- /dev/null
+++ b/source3/lib/ldb/ldap.m4
@@ -0,0 +1,90 @@
+########################################################
+# Compile with LDAP support?
+
+LDAP_LIBS=""
+with_ldap_support=auto
+AC_MSG_CHECKING([for LDAP support])
+
+AC_ARG_WITH(ldap,
+AS_HELP_STRING([--with-ldap],[LDAP backend support (default=yes)]),
+[ case "$withval" in
+    yes|no)
+	with_ldap_support=$withval
+	;;
+  esac ])
+
+AC_MSG_RESULT($with_ldap_support)
+
+if test x"$with_ldap_support" != x"no"; then
+
+  ##################################################################
+  # first test for ldap.h and lber.h
+  # (ldap.h is required for this test)
+  AC_CHECK_HEADERS(ldap.h lber.h)
+  
+  if test x"$ac_cv_header_ldap_h" != x"yes"; then
+	if test x"$with_ldap_support" = x"yes"; then
+	 AC_MSG_ERROR(ldap.h is needed for LDAP support)
+	else
+	 AC_MSG_WARN(ldap.h is needed for LDAP support)
+	fi
+	
+	with_ldap_support=no
+  fi
+fi
+
+if test x"$with_ldap_support" != x"no"; then
+  ac_save_LIBS=$LIBS
+
+  ##################################################################
+  # we might need the lber lib on some systems. To avoid link errors
+  # this test must be before the libldap test
+  AC_CHECK_LIB_EXT(lber, LDAP_LIBS, ber_scanf)
+
+  ########################################################
+  # now see if we can find the ldap libs in standard paths
+  AC_CHECK_LIB_EXT(ldap, LDAP_LIBS, ldap_init)
+
+  AC_CHECK_FUNC_EXT(ldap_domain2hostlist,$LDAP_LIBS)
+  
+  ########################################################
+  # If we have LDAP, does it's rebind procedure take 2 or 3 arguments?
+  # Check found in pam_ldap 145.
+  AC_CHECK_FUNC_EXT(ldap_set_rebind_proc,$LDAP_LIBS)
+
+  LIBS="$LIBS $LDAP_LIBS"
+  AC_CACHE_CHECK(whether ldap_set_rebind_proc takes 3 arguments, smb_ldap_cv_ldap_set_rebind_proc, [
+    AC_TRY_COMPILE([
+	#include <lber.h>
+	#include <ldap.h>], 
+	[ldap_set_rebind_proc(0, 0, 0);], 
+	[smb_ldap_cv_ldap_set_rebind_proc=3], 
+	[smb_ldap_cv_ldap_set_rebind_proc=2]
+    ) 
+  ])
+  
+  AC_DEFINE_UNQUOTED(LDAP_SET_REBIND_PROC_ARGS, $smb_ldap_cv_ldap_set_rebind_proc, [Number of arguments to ldap_set_rebind_proc])
+
+  AC_CHECK_FUNC_EXT(ldap_initialize,$LDAP_LIBS)	
+  
+  if test x"$ac_cv_lib_ext_ldap_ldap_init" = x"yes" -a x"$ac_cv_func_ext_ldap_domain2hostlist" = x"yes"; then
+    AC_DEFINE(HAVE_LDAP,1,[Whether ldap is available])
+    AC_DEFINE(HAVE_LDB_LDAP,1,[Whether ldb_ldap is available])
+    with_ldap_support=yes
+    AC_MSG_CHECKING(whether LDAP support is used)
+    AC_MSG_RESULT(yes)
+    SMB_ENABLE(LDAP,YES)
+  else
+    if test x"$with_ldap_support" = x"yes"; then
+	AC_MSG_ERROR(libldap is needed for LDAP support)
+    else
+	AC_MSG_WARN(libldap is needed for LDAP support)
+    fi
+    
+    LDAP_LIBS=""
+    with_ldap_support=no
+  fi
+  LIBS=$ac_save_LIBS
+fi
+
+SMB_EXT_LIB(LDAP,[${LDAP_LIBS}],[${LDAP_CFLAGS}],[${LDAP_CPPFLAGS}],[${LDAP_LDFLAGS}])
diff --git a/source3/lib/ldb/ldb.pc.in b/source3/lib/ldb/ldb.pc.in
new file mode 100644
index 0000000000..815d663a7c
--- /dev/null
+++ b/source3/lib/ldb/ldb.pc.in
@@ -0,0 +1,15 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+modulesdir=@modulesdir@
+
+Name: ldb
+Description: An LDAP-like embedded database
+Version: 4.0
+Requires.private: tdb
+Requires: talloc
+Libs: -L${libdir} -lldb
+Cflags: -I${includedir} @CFLAGS@
+Modulesdir: ${modulesdir}
+URL: http://ldb.samba.org/
diff --git a/source3/lib/ldb/ldb_ildap/ldb_ildap.c b/source3/lib/ldb/ldb_ildap/ldb_ildap.c
new file mode 100644
index 0000000000..bc0fe66a1a
--- /dev/null
+++ b/source3/lib/ldb/ldb_ildap/ldb_ildap.c
@@ -0,0 +1,827 @@
+/* 
+   ldb database library - ildap backend
+
+   Copyright (C) Andrew Tridgell  2005
+   Copyright (C) Simo Sorce       2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb_ildap
+ *
+ *  Component: ldb ildap backend
+ *
+ *  Description: This is a ldb backend for the internal ldap
+ *  client library in Samba4. By using this backend we are
+ *  independent of a system ldap library
+ *
+ *  Author: Andrew Tridgell
+ *
+ *  Modifications:
+ *
+ *  - description: make the module use asyncronous calls
+ *    date: Feb 2006
+ *    author: Simo Sorce
+ */
+
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "lib/events/events.h"
+#include "libcli/ldap/ldap.h"
+#include "libcli/ldap/ldap_client.h"
+#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ildb_private {
+	struct ldap_connection *ldap;
+	struct ldb_context *ldb;
+};
+
+struct ildb_context {
+	struct ldb_module *module;
+	struct ldap_request *req;
+	void *context;
+	int (*callback)(struct ldb_context *, void *, struct ldb_reply *);
+};
+
+/*
+  convert a ldb_message structure to a list of ldap_mod structures
+  ready for ildap_add() or ildap_modify()
+*/
+static struct ldap_mod **ildb_msg_to_mods(void *mem_ctx, int *num_mods,
+					  const struct ldb_message *msg, int use_flags)
+{
+	struct ldap_mod **mods;
+	unsigned int i;
+	int n = 0;
+
+	/* allocate maximum number of elements needed */
+	mods = talloc_array(mem_ctx, struct ldap_mod *, msg->num_elements+1);
+	if (!mods) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	mods[0] = NULL;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		const struct ldb_message_element *el = &msg->elements[i];
+
+		mods[n] = talloc(mods, struct ldap_mod);
+		if (!mods[n]) {
+			goto failed;
+		}
+		mods[n + 1] = NULL;
+		mods[n]->type = 0;
+		mods[n]->attrib = *el;
+		if (use_flags) {
+			switch (el->flags & LDB_FLAG_MOD_MASK) {
+			case LDB_FLAG_MOD_ADD:
+				mods[n]->type = LDAP_MODIFY_ADD;
+				break;
+			case LDB_FLAG_MOD_DELETE:
+				mods[n]->type = LDAP_MODIFY_DELETE;
+				break;
+			case LDB_FLAG_MOD_REPLACE:
+				mods[n]->type = LDAP_MODIFY_REPLACE;
+				break;
+			}
+		}
+		n++;
+	}
+
+	*num_mods = n;
+	return mods;
+
+failed:
+	talloc_free(mods);
+	return NULL;
+}
+
+
+/*
+  map an ildap NTSTATUS to a ldb error code
+*/
+static int ildb_map_error(struct ildb_private *ildb, NTSTATUS status)
+{
+	if (NT_STATUS_IS_OK(status)) {
+		return LDB_SUCCESS;
+	}
+	ldb_set_errstring(ildb->ldb, ldap_errstr(ildb->ldap, status));
+	if (NT_STATUS_IS_LDAP(status)) {
+		return NT_STATUS_LDAP_CODE(status);
+	}
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static void ildb_request_timeout(struct event_context *ev, struct timed_event *te,
+				 struct timeval t, void *private_data)
+{
+	struct ldb_handle *handle = talloc_get_type(private_data, struct ldb_handle);
+	struct ildb_context *ac = talloc_get_type(handle->private_data, struct ildb_context);
+
+	if (ac->req->state == LDAP_REQUEST_PENDING) {
+		DLIST_REMOVE(ac->req->conn->pending, ac->req);
+	}
+
+	handle->status = LDB_ERR_TIME_LIMIT_EXCEEDED;
+
+	return;
+}
+
+static void ildb_callback(struct ldap_request *req)
+{
+	struct ldb_handle *handle = talloc_get_type(req->async.private_data, struct ldb_handle);
+	struct ildb_context *ac = talloc_get_type(handle->private_data, struct ildb_context);
+	struct ildb_private *ildb = talloc_get_type(ac->module->private_data, struct ildb_private);
+	NTSTATUS status;
+	int i;
+
+	handle->status = LDB_SUCCESS;
+
+	if (!NT_STATUS_IS_OK(req->status)) {
+		handle->status = ildb_map_error(ildb, req->status);
+		return;
+	}
+
+	if (req->num_replies < 1) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return;
+	} 
+		
+	switch (req->type) {
+
+	case LDAP_TAG_ModifyRequest:
+		if (req->replies[0]->type != LDAP_TAG_ModifyResponse) {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			return;
+		}
+		status = ldap_check_response(req->conn, &req->replies[0]->r.GeneralResult);
+		handle->status = ildb_map_error(ildb, status);
+		if (ac->callback && handle->status == LDB_SUCCESS) {
+			/* FIXME: build a corresponding ares to pass on */
+			handle->status = ac->callback(ac->module->ldb, ac->context, NULL);
+		}
+		handle->state = LDB_ASYNC_DONE;
+		break;
+
+	case LDAP_TAG_AddRequest:
+		if (req->replies[0]->type != LDAP_TAG_AddResponse) {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			return;
+		}
+		status = ldap_check_response(req->conn, &req->replies[0]->r.GeneralResult);
+		handle->status = ildb_map_error(ildb, status);
+		if (ac->callback && handle->status == LDB_SUCCESS) {
+			/* FIXME: build a corresponding ares to pass on */
+			handle->status = ac->callback(ac->module->ldb, ac->context, NULL);
+		}
+		handle->state = LDB_ASYNC_DONE;
+		break;
+
+	case LDAP_TAG_DelRequest:
+		if (req->replies[0]->type != LDAP_TAG_DelResponse) {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			return;
+		}
+		status = ldap_check_response(req->conn, &req->replies[0]->r.GeneralResult);
+		handle->status = ildb_map_error(ildb, status);
+		if (ac->callback && handle->status == LDB_SUCCESS) {
+			/* FIXME: build a corresponding ares to pass on */
+			handle->status = ac->callback(ac->module->ldb, ac->context, NULL);
+		}
+		handle->state = LDB_ASYNC_DONE;
+		break;
+
+	case LDAP_TAG_ModifyDNRequest:
+		if (req->replies[0]->type != LDAP_TAG_ModifyDNResponse) {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			return;
+		}
+		status = ldap_check_response(req->conn, &req->replies[0]->r.GeneralResult);
+		handle->status = ildb_map_error(ildb, status);
+		if (ac->callback && handle->status == LDB_SUCCESS) {
+			/* FIXME: build a corresponding ares to pass on */
+			handle->status = ac->callback(ac->module->ldb, ac->context, NULL);
+		}
+		handle->state = LDB_ASYNC_DONE;
+		break;
+
+	case LDAP_TAG_SearchRequest:
+		/* loop over all messages */
+		for (i = 0; i < req->num_replies; i++) {
+			struct ldap_SearchResEntry *search;
+			struct ldb_reply *ares = NULL;
+			struct ldap_message *msg;
+			int ret;
+
+			ares = talloc_zero(ac, struct ldb_reply);
+			if (!ares) {
+				handle->status = LDB_ERR_OPERATIONS_ERROR;
+				return;
+			}
+
+			msg = req->replies[i];
+			switch (msg->type) {
+
+			case LDAP_TAG_SearchResultDone:
+
+				status = ldap_check_response(req->conn, &msg->r.GeneralResult);
+				if (!NT_STATUS_IS_OK(status)) {
+					handle->status = ildb_map_error(ildb, status);
+					return;
+				}
+				
+				ares->controls = talloc_move(ares, &msg->controls);
+				if (msg->r.SearchResultDone.resultcode) {
+					if (msg->r.SearchResultDone.errormessage) {
+						ldb_set_errstring(ac->module->ldb, msg->r.SearchResultDone.errormessage);
+					}
+				}
+
+				handle->status = msg->r.SearchResultDone.resultcode;
+				handle->state = LDB_ASYNC_DONE;
+				ares->type = LDB_REPLY_DONE;
+				break;
+
+			case LDAP_TAG_SearchResultEntry:
+
+
+				ares->message = ldb_msg_new(ares);
+				if (!ares->message) {
+					handle->status = LDB_ERR_OPERATIONS_ERROR;
+					return;
+				}
+
+				search = &(msg->r.SearchResultEntry);
+		
+				ares->message->dn = ldb_dn_explode_or_special(ares->message, search->dn);
+				if (ares->message->dn == NULL) {
+					handle->status = LDB_ERR_OPERATIONS_ERROR;
+					return;
+				}
+				ares->message->num_elements = search->num_attributes;
+				ares->message->elements = talloc_move(ares->message,
+								      &search->attributes);
+
+				handle->status = LDB_SUCCESS;
+				handle->state = LDB_ASYNC_PENDING;
+				ares->type = LDB_REPLY_ENTRY;
+				break;
+
+			case LDAP_TAG_SearchResultReference:
+
+				ares->referral = talloc_strdup(ares, msg->r.SearchResultReference.referral);
+				
+				handle->status = LDB_SUCCESS;
+				handle->state = LDB_ASYNC_PENDING;
+				ares->type = LDB_REPLY_REFERRAL;
+				break;
+
+			default:
+				/* TAG not handled, fail ! */
+				handle->status = LDB_ERR_PROTOCOL_ERROR;
+				return;
+			}
+
+			ret = ac->callback(ac->module->ldb, ac->context, ares);
+			if (ret) {
+				handle->status = ret;
+			}
+		}
+
+		talloc_free(req->replies);
+		req->replies = NULL;
+		req->num_replies = 0;
+
+		break;
+		
+	default:
+		handle->status = LDB_ERR_PROTOCOL_ERROR;
+		return;
+	}
+}
+
+static struct ldb_handle *init_ildb_handle(struct ldb_module *module, 
+					   void *context,
+					   int (*callback)(struct ldb_context *, void *, struct ldb_reply *))
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ildb_context *ildb_ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(ildb->ldap, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ildb_ac = talloc(h, struct ildb_context);
+	if (ildb_ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ildb_ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ildb_ac->module = module;
+	ildb_ac->context = context;
+	ildb_ac->callback = callback;
+
+	return h;
+}
+
+static int ildb_request_send(struct ldb_module *module, struct ldap_message *msg,
+			     void *context,
+			     int (*callback)(struct ldb_context *, void *, struct ldb_reply *),
+			     int timeout,
+			     struct ldb_handle **handle)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldb_handle *h = init_ildb_handle(module, context, callback);
+	struct ildb_context *ildb_ac;
+	struct ldap_request *req;
+
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;		
+	}
+
+	ildb_ac = talloc_get_type(h->private_data, struct ildb_context);
+
+	req = ldap_request_send(ildb->ldap, msg);
+	if (req == NULL) {
+		ldb_set_errstring(module->ldb, "async send request failed");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (!req->conn) {
+		ldb_set_errstring(module->ldb, "connection to remote LDAP server dropped?");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	talloc_free(req->time_event);
+	req->time_event = NULL;
+	if (timeout) {
+		req->time_event = event_add_timed(req->conn->event.event_ctx, h, 
+						  timeval_current_ofs(timeout, 0),
+						  ildb_request_timeout, h);
+	}
+
+	req->async.fn = ildb_callback;
+	req->async.private_data = (void *)h;
+	ildb_ac->req = talloc_move(ildb_ac, &req);
+
+	*handle = h;
+	return LDB_SUCCESS;
+}
+
+static int ildb_request_noop(struct ldb_module *module, struct ldb_request *req) 
+{
+	struct ldb_handle *h = init_ildb_handle(module, req->context, req->callback);
+	struct ildb_context *ildb_ac;
+	int ret = LDB_SUCCESS;
+
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;		
+	}
+
+	ildb_ac = talloc_get_type(h->private_data, struct ildb_context);
+	
+	req->handle = h;
+
+	if (ildb_ac->callback) {
+		ret = ildb_ac->callback(module->ldb, ildb_ac->context, NULL);
+	}
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/*
+  search for matching records using an asynchronous function
+ */
+static int ildb_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldap_message *msg;
+	int n;
+
+	req->handle = NULL;
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb, "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	if (req->op.search.tree == NULL) {
+		ldb_set_errstring(module->ldb, "Invalid expression parse tree");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg = new_ldap_message(ildb);
+	if (msg == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->type = LDAP_TAG_SearchRequest;
+
+	if (req->op.search.base == NULL) {
+		msg->r.SearchRequest.basedn = talloc_strdup(msg, "");
+	} else {
+		msg->r.SearchRequest.basedn  = ldb_dn_linearize(msg, req->op.search.base);
+	}
+	if (msg->r.SearchRequest.basedn == NULL) {
+		ldb_set_errstring(module->ldb, "Unable to determine baseDN");
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (req->op.search.scope == LDB_SCOPE_DEFAULT) {
+		msg->r.SearchRequest.scope = LDB_SCOPE_SUBTREE;
+	} else {
+		msg->r.SearchRequest.scope = req->op.search.scope;
+	}
+	
+	msg->r.SearchRequest.deref  = LDAP_DEREFERENCE_NEVER;
+	msg->r.SearchRequest.timelimit = 0;
+	msg->r.SearchRequest.sizelimit = 0;
+	msg->r.SearchRequest.attributesonly = 0;
+	msg->r.SearchRequest.tree = discard_const_p(struct ldb_parse_tree, req->op.search.tree);
+	
+	for (n = 0; req->op.search.attrs && req->op.search.attrs[n]; n++) /* noop */ ;
+	msg->r.SearchRequest.num_attributes = n;
+	msg->r.SearchRequest.attributes = discard_const_p(char *, req->op.search.attrs), 
+
+	msg->controls = req->controls;
+
+	return ildb_request_send(module, msg, req->context, req->callback, req->timeout, &(req->handle));
+}
+
+/*
+  add a record
+*/
+static int ildb_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldap_message *msg;
+	struct ldap_mod **mods;
+	int i,n;
+
+	req->handle = NULL;
+
+	/* ignore ltdb specials */
+	if (ldb_dn_is_special(req->op.add.message->dn)) {
+		return ildb_request_noop(module, req);
+	}
+
+	msg = new_ldap_message(ildb->ldap);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->type = LDAP_TAG_AddRequest;
+
+	msg->r.AddRequest.dn = ldb_dn_linearize(msg, req->op.add.message->dn);
+	if (msg->r.AddRequest.dn == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	mods = ildb_msg_to_mods(msg, &n, req->op.add.message, 0);
+	if (mods == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->r.AddRequest.num_attributes = n;
+	msg->r.AddRequest.attributes = talloc_array(msg, struct ldb_message_element, n);
+	if (msg->r.AddRequest.attributes == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	for (i = 0; i < n; i++) {
+		msg->r.AddRequest.attributes[i] = mods[i]->attrib;
+	}
+
+	return ildb_request_send(module, msg, req->context, req->callback, req->timeout, &(req->handle));
+}
+
+/*
+  modify a record
+*/
+static int ildb_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldap_message *msg;
+	struct ldap_mod **mods;
+	int i,n;
+
+	req->handle = NULL;
+
+	/* ignore ltdb specials */
+	if (ldb_dn_is_special(req->op.mod.message->dn)) {
+		return ildb_request_noop(module, req);
+	}
+
+	msg = new_ldap_message(ildb->ldap);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->type = LDAP_TAG_ModifyRequest;
+
+	msg->r.ModifyRequest.dn = ldb_dn_linearize(msg, req->op.mod.message->dn);
+	if (msg->r.ModifyRequest.dn == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	mods = ildb_msg_to_mods(msg, &n, req->op.mod.message, 1);
+	if (mods == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->r.ModifyRequest.num_mods = n;
+	msg->r.ModifyRequest.mods = talloc_array(msg, struct ldap_mod, n);
+	if (msg->r.ModifyRequest.mods == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	for (i = 0; i < n; i++) {
+		msg->r.ModifyRequest.mods[i] = *mods[i];
+	}
+
+	return ildb_request_send(module, msg, req->context, req->callback, req->timeout, &(req->handle));
+}
+
+/*
+  delete a record
+*/
+static int ildb_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldap_message *msg;
+
+	req->handle = NULL;
+
+	/* ignore ltdb specials */
+	if (ldb_dn_is_special(req->op.del.dn)) {
+		return ildb_request_noop(module, req);
+	}
+
+	msg = new_ldap_message(ildb->ldap);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->type = LDAP_TAG_DelRequest;
+	
+	msg->r.DelRequest.dn = ldb_dn_linearize(msg, req->op.del.dn);
+	if (msg->r.DelRequest.dn == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	return ildb_request_send(module, msg, req->context, req->callback, req->timeout, &(req->handle));
+}
+
+/*
+  rename a record
+*/
+static int ildb_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ildb_private *ildb = talloc_get_type(module->private_data, struct ildb_private);
+	struct ldap_message *msg;
+
+	req->handle = NULL;
+
+	/* ignore ltdb specials */
+	if (ldb_dn_is_special(req->op.rename.olddn) || ldb_dn_is_special(req->op.rename.newdn)) {
+		return ildb_request_noop(module, req);
+	}
+
+	msg = new_ldap_message(ildb->ldap);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->type = LDAP_TAG_ModifyDNRequest;
+	msg->r.ModifyDNRequest.dn = ldb_dn_linearize(msg, req->op.rename.olddn);
+	if (msg->r.ModifyDNRequest.dn == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	msg->r.ModifyDNRequest.newrdn = 
+		talloc_asprintf(msg, "%s=%s",
+				ldb_dn_get_rdn_name(req->op.rename.newdn),
+				ldb_dn_escape_value(msg, *ldb_dn_get_rdn_val(req->op.rename.newdn)));
+	if (msg->r.ModifyDNRequest.newrdn == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->r.ModifyDNRequest.newsuperior =
+		ldb_dn_linearize(msg,
+				 ldb_dn_get_parent(msg, req->op.rename.newdn));
+	if (msg->r.ModifyDNRequest.newsuperior == NULL) {
+		talloc_free(msg);
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	msg->r.ModifyDNRequest.deleteolddn = True;
+
+	return ildb_request_send(module, msg, req->context, req->callback, req->timeout, &(req->handle));
+}
+
+static int ildb_start_trans(struct ldb_module *module)
+{
+	/* TODO implement a local locking mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int ildb_end_trans(struct ldb_module *module)
+{
+	/* TODO implement a local transaction mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int ildb_del_trans(struct ldb_module *module)
+{
+	/* TODO implement a local locking mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int ildb_request(struct ldb_module *module, struct ldb_request *req)
+{
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int ildb_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	struct ildb_context *ac = talloc_get_type(handle->private_data, struct ildb_context);
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	if (!ac) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	handle->state = LDB_ASYNC_INIT;
+
+	switch(type) {
+	case LDB_WAIT_NONE:
+		if (event_loop_once(ac->req->conn->event.event_ctx) != 0) {
+			return LDB_ERR_OTHER;
+		}
+		break;
+	case LDB_WAIT_ALL:
+		while (handle->status == LDB_SUCCESS && handle->state != LDB_ASYNC_DONE) {
+			if (event_loop_once(ac->req->conn->event.event_ctx) != 0) {
+				return LDB_ERR_OTHER;
+			}
+		}
+		break;
+	default:
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	return handle->status;
+}
+
+static const struct ldb_module_ops ildb_ops = {
+	.name              = "ldap",
+	.search            = ildb_search,
+	.add               = ildb_add,
+	.modify            = ildb_modify,
+	.del               = ildb_delete,
+	.rename            = ildb_rename,
+	.request           = ildb_request,
+	.start_transaction = ildb_start_trans,
+	.end_transaction   = ildb_end_trans,
+	.del_transaction   = ildb_del_trans,
+	.wait              = ildb_wait
+};
+
+/*
+  connect to the database
+*/
+static int ildb_connect(struct ldb_context *ldb, const char *url, 
+			unsigned int flags, const char *options[],
+			struct ldb_module **module)
+{
+	struct ildb_private *ildb = NULL;
+	NTSTATUS status;
+	struct cli_credentials *creds;
+
+	ildb = talloc(ldb, struct ildb_private);
+	if (!ildb) {
+		ldb_oom(ldb);
+		goto failed;
+	}
+
+	ildb->ldb     = ldb;
+
+	ildb->ldap = ldap4_new_connection(ildb, ldb_get_opaque(ldb, "EventContext"));
+	if (!ildb->ldap) {
+		ldb_oom(ldb);
+		goto failed;
+	}
+
+	if (flags & LDB_FLG_RECONNECT) {
+		ldap_set_reconn_params(ildb->ldap, 10);
+	}
+
+	status = ldap_connect(ildb->ldap, url);
+	if (!NT_STATUS_IS_OK(status)) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to connect to ldap URL '%s' - %s\n",
+			  url, ldap_errstr(ildb->ldap, status));
+		goto failed;
+	}
+
+
+	*module = talloc(ldb, struct ldb_module);
+	if (!module) {
+		ldb_oom(ldb);
+		talloc_free(ildb);
+		return -1;
+	}
+	talloc_set_name_const(*module, "ldb_ildap backend");
+	(*module)->ldb = ldb;
+	(*module)->prev = (*module)->next = NULL;
+	(*module)->private_data = ildb;
+	(*module)->ops = &ildb_ops;
+
+	/* caller can optionally setup credentials using the opaque token 'credentials' */
+	creds = talloc_get_type(ldb_get_opaque(ldb, "credentials"), struct cli_credentials);
+	if (creds == NULL) {
+		struct auth_session_info *session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);
+		if (session_info) {
+			creds = session_info->credentials;
+		}
+	}
+
+	if (creds != NULL && cli_credentials_authentication_requested(creds)) {
+		const char *bind_dn = cli_credentials_get_bind_dn(creds);
+		if (bind_dn) {
+			const char *password = cli_credentials_get_password(creds);
+			status = ldap_bind_simple(ildb->ldap, bind_dn, password);
+			if (!NT_STATUS_IS_OK(status)) {
+				ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
+					  ldap_errstr(ildb->ldap, status));
+				goto failed;
+			}
+		} else {
+			status = ldap_bind_sasl(ildb->ldap, creds);
+			if (!NT_STATUS_IS_OK(status)) {
+				ldb_debug(ldb, LDB_DEBUG_ERROR, "Failed to bind - %s\n",
+					  ldap_errstr(ildb->ldap, status));
+				goto failed;
+			}
+		}
+	}
+
+	return 0;
+
+failed:
+	talloc_free(ildb);
+	return -1;
+}
+
+int ldb_ildap_init(void)
+{
+	return ldb_register_backend("ldap", ildb_connect) + 
+		   ldb_register_backend("ldapi", ildb_connect) + 
+		   ldb_register_backend("ldaps", ildb_connect);
+}
diff --git a/source3/lib/ldb/ldb_ldap/ldb_ldap.c b/source3/lib/ldb/ldb_ldap/ldb_ldap.c
new file mode 100644
index 0000000000..51445d651f
--- /dev/null
+++ b/source3/lib/ldb/ldb_ldap/ldb_ldap.c
@@ -0,0 +1,846 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+   Copyright (C) Simo Sorce       2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb_ldap
+ *
+ *  Component: ldb ldap backend
+ *
+ *  Description: core files for LDAP backend
+ *
+ *  Author: Andrew Tridgell
+ *
+ *  Modifications:
+ *
+ *  - description: make the module use asyncronous calls
+ *    date: Feb 2006
+ *    author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#define LDAP_DEPRECATED 1
+#include <ldap.h>
+
+struct lldb_private {
+	LDAP *ldap;
+};
+
+struct lldb_context {
+	struct ldb_module *module;
+	int msgid;
+	int timeout;
+	time_t starttime;
+	void *context;
+	int (*callback)(struct ldb_context *, void *, struct ldb_reply *);
+};
+
+static int lldb_ldap_to_ldb(int err) {
+	/* Ldap errors and ldb errors are defined to the same values */
+	return err;
+}
+
+static struct ldb_handle *init_handle(struct lldb_private *lldb, struct ldb_module *module,
+					    void *context,
+					    int (*callback)(struct ldb_context *, void *, struct ldb_reply *),
+					    int timeout, time_t starttime)
+{
+	struct lldb_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(lldb, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc(h, struct lldb_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->context = context;
+	ac->callback = callback;
+	ac->timeout = timeout;
+	ac->starttime = starttime;
+	ac->msgid = 0;
+
+	return h;
+}
+/*
+  convert a ldb_message structure to a list of LDAPMod structures
+  ready for ldap_add() or ldap_modify()
+*/
+static LDAPMod **lldb_msg_to_mods(void *mem_ctx, const struct ldb_message *msg, int use_flags)
+{
+	LDAPMod **mods;
+	unsigned int i, j;
+	int num_mods = 0;
+
+	/* allocate maximum number of elements needed */
+	mods = talloc_array(mem_ctx, LDAPMod *, msg->num_elements+1);
+	if (!mods) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	mods[0] = NULL;
+
+	for (i=0;i<msg->num_elements;i++) {
+		const struct ldb_message_element *el = &msg->elements[i];
+
+		mods[num_mods] = talloc(mods, LDAPMod);
+		if (!mods[num_mods]) {
+			goto failed;
+		}
+		mods[num_mods+1] = NULL;
+		mods[num_mods]->mod_op = LDAP_MOD_BVALUES;
+		if (use_flags) {
+			switch (el->flags & LDB_FLAG_MOD_MASK) {
+			case LDB_FLAG_MOD_ADD:
+				mods[num_mods]->mod_op |= LDAP_MOD_ADD;
+				break;
+			case LDB_FLAG_MOD_DELETE:
+				mods[num_mods]->mod_op |= LDAP_MOD_DELETE;
+				break;
+			case LDB_FLAG_MOD_REPLACE:
+				mods[num_mods]->mod_op |= LDAP_MOD_REPLACE;
+				break;
+			}
+		}
+		mods[num_mods]->mod_type = discard_const_p(char, el->name);
+		mods[num_mods]->mod_vals.modv_bvals = talloc_array(mods[num_mods], 
+								   struct berval *,
+								   1+el->num_values);
+		if (!mods[num_mods]->mod_vals.modv_bvals) {
+			goto failed;
+		}
+
+		for (j=0;j<el->num_values;j++) {
+			mods[num_mods]->mod_vals.modv_bvals[j] = talloc(mods[num_mods]->mod_vals.modv_bvals,
+									struct berval);
+			if (!mods[num_mods]->mod_vals.modv_bvals[j]) {
+				goto failed;
+			}
+			mods[num_mods]->mod_vals.modv_bvals[j]->bv_val =
+				(char *)el->values[j].data;
+			mods[num_mods]->mod_vals.modv_bvals[j]->bv_len = el->values[j].length;
+		}
+		mods[num_mods]->mod_vals.modv_bvals[j] = NULL;
+		num_mods++;
+	}
+
+	return mods;
+
+failed:
+	talloc_free(mods);
+	return NULL;
+}
+
+/*
+  add a single set of ldap message values to a ldb_message
+*/
+static int lldb_add_msg_attr(struct ldb_context *ldb,
+			     struct ldb_message *msg, 
+			     const char *attr, struct berval **bval)
+{
+	int count, i;
+	struct ldb_message_element *el;
+
+	count = ldap_count_values_len(bval);
+
+	if (count <= 0) {
+		return -1;
+	}
+
+	el = talloc_realloc(msg, msg->elements, struct ldb_message_element, 
+			      msg->num_elements + 1);
+	if (!el) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	msg->elements = el;
+
+	el = &msg->elements[msg->num_elements];
+
+	el->name = talloc_strdup(msg->elements, attr);
+	if (!el->name) {
+		errno = ENOMEM;
+		return -1;
+	}
+	el->flags = 0;
+
+	el->num_values = 0;
+	el->values = talloc_array(msg->elements, struct ldb_val, count);
+	if (!el->values) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	for (i=0;i<count;i++) {
+		/* we have to ensure this is null terminated so that
+		   ldb_msg_find_attr_as_string() can work */
+		el->values[i].data =
+			(uint8_t *)talloc_size(el->values, bval[i]->bv_len+1);
+		if (!el->values[i].data) {
+			errno = ENOMEM;
+			return -1;
+		}
+		memcpy(el->values[i].data, bval[i]->bv_val, bval[i]->bv_len);
+		el->values[i].data[bval[i]->bv_len] = 0;
+		el->values[i].length = bval[i]->bv_len;
+		el->num_values++;
+	}
+
+	msg->num_elements++;
+
+	return 0;
+}
+
+/*
+  search for matching records
+*/
+static int lldb_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lldb_private *lldb = talloc_get_type(module->private_data, struct lldb_private);
+	struct lldb_context *lldb_ac;
+	struct timeval tv;
+	int ldap_scope;
+	char *search_base;
+	char *expression;
+	int ret;
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb, "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (req->op.search.tree == NULL) {
+		ldb_set_errstring(module->ldb, "Invalid expression parse tree");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls are not yet supported by ldb_ldap backend!\n");
+	}
+
+	req->handle = init_handle(lldb, module, req->context, req->callback, req->timeout, req->starttime);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lldb_ac = talloc_get_type(req->handle->private_data, struct lldb_context);
+
+	search_base = ldb_dn_linearize(lldb_ac, req->op.search.base);
+	if (req->op.search.base == NULL) {
+		search_base = talloc_strdup(lldb_ac, "");
+	}
+	if (search_base == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	expression = ldb_filter_from_tree(
+		lldb_ac,
+		discard_const_p(struct ldb_parse_tree, req->op.search.tree));
+	if (expression == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	switch (req->op.search.scope) {
+	case LDB_SCOPE_BASE:
+		ldap_scope = LDAP_SCOPE_BASE;
+		break;
+	case LDB_SCOPE_ONELEVEL:
+		ldap_scope = LDAP_SCOPE_ONELEVEL;
+		break;
+	default:
+		ldap_scope = LDAP_SCOPE_SUBTREE;
+		break;
+	}
+
+	tv.tv_sec = req->timeout;
+	tv.tv_usec = 0;
+
+	ret = ldap_search_ext(lldb->ldap, search_base, ldap_scope, 
+			    expression, 
+			    discard_const_p(char *, req->op.search.attrs), 
+			    0,
+			    NULL,
+			    NULL,
+			    &tv,
+			    LDAP_NO_LIMIT,
+			    &lldb_ac->msgid);
+
+	if (ret != LDAP_SUCCESS) {
+		ldb_set_errstring(module->ldb, ldap_err2string(ret));
+	}
+
+	return lldb_ldap_to_ldb(ret);
+}
+
+/*
+  add a record
+*/
+static int lldb_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lldb_private *lldb = talloc_get_type(module->private_data, struct lldb_private);
+	struct lldb_context *lldb_ac;
+	LDAPMod **mods;
+	char *dn;
+	int ret;
+
+	/* ltdb specials should not reach this point */
+	if (ldb_dn_is_special(req->op.add.message->dn)) {
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	req->handle = init_handle(lldb, module, req->context, req->callback, req->timeout, req->starttime);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lldb_ac = talloc_get_type(req->handle->private_data, struct lldb_context);
+
+	mods = lldb_msg_to_mods(lldb_ac, req->op.add.message, 0);
+	if (mods == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	dn = ldb_dn_linearize(lldb_ac, req->op.add.message->dn);
+	if (dn == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldap_add_ext(lldb->ldap, dn, mods,
+			   NULL,
+			   NULL,
+			   &lldb_ac->msgid);
+
+	if (ret != LDAP_SUCCESS) {
+		ldb_set_errstring(module->ldb, ldap_err2string(ret));
+	}
+
+	return lldb_ldap_to_ldb(ret);
+}
+
+/*
+  modify a record
+*/
+static int lldb_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lldb_private *lldb = talloc_get_type(module->private_data, struct lldb_private);
+	struct lldb_context *lldb_ac;
+	LDAPMod **mods;
+	char *dn;
+	int ret;
+
+	/* ltdb specials should not reach this point */
+	if (ldb_dn_is_special(req->op.mod.message->dn)) {
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	req->handle = init_handle(lldb, module, req->context, req->callback, req->timeout, req->starttime);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lldb_ac = talloc_get_type(req->handle->private_data, struct lldb_context);
+
+	mods = lldb_msg_to_mods(lldb_ac, req->op.mod.message, 1);
+	if (mods == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	dn = ldb_dn_linearize(lldb_ac, req->op.mod.message->dn);
+	if (dn == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldap_modify_ext(lldb->ldap, dn, mods,
+			      NULL,
+			      NULL,
+			      &lldb_ac->msgid);
+
+	if (ret != LDAP_SUCCESS) {
+		ldb_set_errstring(module->ldb, ldap_err2string(ret));
+	}
+
+	return lldb_ldap_to_ldb(ret);
+}
+
+/*
+  delete a record
+*/
+static int lldb_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lldb_private *lldb = talloc_get_type(module->private_data, struct lldb_private);
+	struct lldb_context *lldb_ac;
+	char *dnstr;
+	int ret;
+	
+	/* ltdb specials should not reach this point */
+	if (ldb_dn_is_special(req->op.del.dn)) {
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	req->handle = init_handle(lldb, module, req->context, req->callback, req->timeout, req->starttime);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lldb_ac = talloc_get_type(req->handle->private_data, struct lldb_context);
+
+	dnstr = ldb_dn_linearize(lldb_ac, req->op.del.dn);
+
+	ret = ldap_delete_ext(lldb->ldap, dnstr,
+			      NULL,
+			      NULL,
+			      &lldb_ac->msgid);
+
+	if (ret != LDAP_SUCCESS) {
+		ldb_set_errstring(module->ldb, ldap_err2string(ret));
+	}
+
+	return lldb_ldap_to_ldb(ret);
+}
+
+/*
+  rename a record
+*/
+static int lldb_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lldb_private *lldb = talloc_get_type(module->private_data, struct lldb_private);
+	struct lldb_context *lldb_ac;
+	char *old_dn;
+       	char *newrdn;
+	char *parentdn;
+	int ret;
+	
+	/* ltdb specials should not reach this point */
+	if (ldb_dn_is_special(req->op.rename.olddn) || ldb_dn_is_special(req->op.rename.newdn)) {
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
+	req->handle = init_handle(lldb, module, req->context, req->callback, req->timeout, req->starttime);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lldb_ac = talloc_get_type(req->handle->private_data, struct lldb_context);
+
+	old_dn = ldb_dn_linearize(lldb_ac, req->op.rename.olddn);
+	if (old_dn == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	newrdn = talloc_asprintf(lldb_ac, "%s=%s",
+				 ldb_dn_get_rdn_name(req->op.rename.newdn),
+				 ldb_dn_escape_value(lldb, *(ldb_dn_get_rdn_val(req->op.rename.newdn))));
+	if (!newrdn) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	parentdn = ldb_dn_linearize(lldb_ac, ldb_dn_get_parent(lldb_ac, req->op.rename.newdn));
+	if (!parentdn) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldap_rename(lldb->ldap, old_dn, newrdn, parentdn,
+			  1, NULL, NULL,
+			  &lldb_ac->msgid);
+
+	if (ret != LDAP_SUCCESS) {
+		ldb_set_errstring(module->ldb, ldap_err2string(ret));
+	}
+
+	return lldb_ldap_to_ldb(ret);
+}
+
+static int lldb_parse_result(struct ldb_handle *handle, LDAPMessage *result)
+{
+	struct lldb_context *ac = talloc_get_type(handle->private_data, struct lldb_context);
+	struct lldb_private *lldb = talloc_get_type(ac->module->private_data, struct lldb_private);
+	struct ldb_reply *ares = NULL;
+	LDAPMessage *msg;
+	int type;
+	char *matcheddnp = NULL;
+	char *errmsgp = NULL;
+	char **referralsp = NULL;
+	LDAPControl **serverctrlsp = NULL;
+	int ret = LDB_SUCCESS;
+	
+	type = ldap_msgtype(result);
+
+	handle->status = 0;
+
+	switch (type) {
+
+	case LDAP_RES_SEARCH_ENTRY:
+		msg = ldap_first_entry(lldb->ldap, result);
+	       	if (msg != NULL) {
+			BerElement *berptr = NULL;
+			char *attr, *dn;
+
+			ares = talloc_zero(ac, struct ldb_reply);
+			if (!ares) {
+				ret = LDB_ERR_OPERATIONS_ERROR;
+				goto error;
+			}
+
+			ares->message = ldb_msg_new(ares);
+			if (!ares->message) {
+				ret = LDB_ERR_OPERATIONS_ERROR;
+				goto error;
+			}
+
+			dn = ldap_get_dn(lldb->ldap, msg);
+			if (!dn) {
+				ret = LDB_ERR_OPERATIONS_ERROR;
+				goto error;
+			}
+			ares->message->dn = ldb_dn_explode_or_special(ares->message, dn);
+			if (ares->message->dn == NULL) {
+				ret = LDB_ERR_OPERATIONS_ERROR;
+				goto error;
+			}
+			ldap_memfree(dn);
+
+			ares->message->num_elements = 0;
+			ares->message->elements = NULL;
+			ares->message->private_data = NULL;
+
+			/* loop over all attributes */
+			for (attr=ldap_first_attribute(lldb->ldap, msg, &berptr);
+			     attr;
+			     attr=ldap_next_attribute(lldb->ldap, msg, berptr)) {
+				struct berval **bval;
+				bval = ldap_get_values_len(lldb->ldap, msg, attr);
+
+				if (bval) {
+					lldb_add_msg_attr(ac->module->ldb, ares->message, attr, bval);
+					ldap_value_free_len(bval);
+				}					  
+			}
+			if (berptr) ber_free(berptr, 0);
+
+
+			ares->type = LDB_REPLY_ENTRY;
+			ret = ac->callback(ac->module->ldb, ac->context, ares);
+		} else {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			handle->state = LDB_ASYNC_DONE;
+		}
+		break;
+
+	case LDAP_RES_SEARCH_REFERENCE:
+		if (ldap_parse_result(lldb->ldap, result, &handle->status,
+					&matcheddnp, &errmsgp,
+					&referralsp, &serverctrlsp, 0) != LDAP_SUCCESS) {
+			ret = LDB_ERR_OPERATIONS_ERROR;
+			goto error;
+		}
+		if (referralsp == NULL) {
+			handle->status = LDB_ERR_PROTOCOL_ERROR;
+			goto error;
+		}
+
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			ret = LDB_ERR_OPERATIONS_ERROR;
+			goto error;
+		}
+
+		ares->referral = talloc_strdup(ares, *referralsp);
+		ares->type = LDB_REPLY_REFERRAL;
+		ret = ac->callback(ac->module->ldb, ac->context, ares);
+
+		break;
+
+	case LDAP_RES_SEARCH_RESULT:
+		if (ldap_parse_result(lldb->ldap, result, &handle->status,
+					&matcheddnp, &errmsgp,
+					&referralsp, &serverctrlsp, 0) != LDAP_SUCCESS) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			goto error;
+		}
+
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			ret = LDB_ERR_OPERATIONS_ERROR;
+			goto error;
+		}
+
+		if (serverctrlsp != NULL) {
+			/* FIXME: transform the LDAPControl list into an ldb_control one */
+			ares->controls = NULL;
+		}
+		
+		ares->type = LDB_REPLY_DONE;
+		handle->state = LDB_ASYNC_DONE;
+		ret = ac->callback(ac->module->ldb, ac->context, ares);
+
+		break;
+
+	case LDAP_RES_MODIFY:
+	case LDAP_RES_ADD:
+	case LDAP_RES_DELETE:
+	case LDAP_RES_MODDN:
+		if (ldap_parse_result(lldb->ldap, result, &handle->status,
+					&matcheddnp, &errmsgp,
+					&referralsp, &serverctrlsp, 0) != LDAP_SUCCESS) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			goto error;
+		}
+		if (ac->callback && handle->status == LDB_SUCCESS) {
+			ares = NULL; /* FIXME: build a corresponding ares to pass on */
+			ret = ac->callback(ac->module->ldb, ac->context, ares);
+		}
+		handle->state = LDB_ASYNC_DONE;
+		break;
+
+	default:
+		ret = LDB_ERR_PROTOCOL_ERROR;
+		goto error;
+	}
+
+	if (matcheddnp) ldap_memfree(matcheddnp);
+	if (errmsgp && *errmsgp) {
+		ldb_set_errstring(ac->module->ldb, errmsgp);
+	} else if (handle->status) {
+		ldb_set_errstring(ac->module->ldb, ldap_err2string(handle->status));
+	}
+	if (errmsgp) {
+		ldap_memfree(errmsgp);
+	}
+	if (referralsp) ldap_value_free(referralsp);
+	if (serverctrlsp) ldap_controls_free(serverctrlsp);
+
+	ldap_msgfree(result);
+	return lldb_ldap_to_ldb(handle->status);
+
+error:
+	handle->state = LDB_ASYNC_DONE;
+	ldap_msgfree(result);
+	return ret;
+}
+
+static int lldb_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	struct lldb_context *ac = talloc_get_type(handle->private_data, struct lldb_context);
+	struct lldb_private *lldb = talloc_get_type(handle->module->private_data, struct lldb_private);
+	struct timeval timeout;
+	LDAPMessage *result;
+	int ret, lret;
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	if (!ac || !ac->msgid) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	switch(type) {
+	case LDB_WAIT_NONE:
+
+		if ((ac->timeout != -1) &&
+		    ((ac->starttime + ac->timeout) > time(NULL))) {
+			return LDB_ERR_TIME_LIMIT_EXCEEDED;
+		}
+
+		timeout.tv_sec = 0;
+		timeout.tv_usec = 0;
+
+		lret = ldap_result(lldb->ldap, ac->msgid, 0, &timeout, &result);
+		if (lret == -1) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		if (lret == 0) {
+			ret = LDB_SUCCESS;
+			goto done;
+		}
+
+		return lldb_parse_result(handle, result);
+
+	case LDB_WAIT_ALL:
+		timeout.tv_usec = 0;
+		ret = LDB_ERR_OPERATIONS_ERROR;
+
+		while (handle->status == LDB_SUCCESS && handle->state != LDB_ASYNC_DONE) {
+
+			if (ac->timeout == -1) {
+				lret = ldap_result(lldb->ldap, ac->msgid, 0, NULL, &result);
+			} else {
+				timeout.tv_sec = ac->timeout - (time(NULL) - ac->starttime);
+				if (timeout.tv_sec <= 0)
+					return LDB_ERR_TIME_LIMIT_EXCEEDED;
+				lret = ldap_result(lldb->ldap, ac->msgid, 0, &timeout, &result);
+			}
+			if (lret == -1) {
+				return LDB_ERR_OPERATIONS_ERROR;
+			}
+			if (lret == 0) {
+				return LDB_ERR_TIME_LIMIT_EXCEEDED;
+			}
+
+			ret = lldb_parse_result(handle, result);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+		}
+
+		break;
+		
+	default:
+		handle->state = LDB_ASYNC_DONE;
+		ret = LDB_ERR_OPERATIONS_ERROR;
+	}
+
+done:
+	return ret;
+}
+
+static int lldb_start_trans(struct ldb_module *module)
+{
+	/* TODO implement a local transaction mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int lldb_end_trans(struct ldb_module *module)
+{
+	/* TODO implement a local transaction mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int lldb_del_trans(struct ldb_module *module)
+{
+	/* TODO implement a local transaction mechanism here */
+
+	return LDB_SUCCESS;
+}
+
+static int lldb_request(struct ldb_module *module, struct ldb_request *req)
+{
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static const struct ldb_module_ops lldb_ops = {
+	.name              = "ldap",
+	.search            = lldb_search,
+	.add               = lldb_add,
+	.modify            = lldb_modify,
+	.del               = lldb_delete,
+	.rename            = lldb_rename,
+	.request           = lldb_request,
+	.start_transaction = lldb_start_trans,
+	.end_transaction   = lldb_end_trans,
+	.del_transaction   = lldb_del_trans,
+	.wait              = lldb_wait
+};
+
+
+static int lldb_destructor(struct lldb_private *lldb)
+{
+	ldap_unbind(lldb->ldap);
+	return 0;
+}
+
+/*
+  connect to the database
+*/
+static int lldb_connect(struct ldb_context *ldb,
+			const char *url, 
+			unsigned int flags, 
+			const char *options[],
+			struct ldb_module **module)
+{
+	struct lldb_private *lldb = NULL;
+	int version = 3;
+	int ret;
+
+	lldb = talloc(ldb, struct lldb_private);
+	if (!lldb) {
+		ldb_oom(ldb);
+		goto failed;
+	}
+
+	lldb->ldap = NULL;
+
+	ret = ldap_initialize(&lldb->ldap, url);
+	if (ret != LDAP_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_initialize failed for URL '%s' - %s\n",
+			  url, ldap_err2string(ret));
+		goto failed;
+	}
+
+	talloc_set_destructor(lldb, lldb_destructor);
+
+	ret = ldap_set_option(lldb->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+	if (ret != LDAP_SUCCESS) {
+		ldb_debug(ldb, LDB_DEBUG_FATAL, "ldap_set_option failed - %s\n",
+			  ldap_err2string(ret));
+		goto failed;
+	}
+
+	*module = talloc(ldb, struct ldb_module);
+	if (*module == NULL) {
+		ldb_oom(ldb);
+		talloc_free(lldb);
+		return -1;
+	}
+	talloc_set_name_const(*module, "ldb_ldap backend");
+	(*module)->ldb = ldb;
+	(*module)->prev = (*module)->next = NULL;
+	(*module)->private_data = lldb;
+	(*module)->ops = &lldb_ops;
+
+	return 0;
+
+failed:
+	talloc_free(lldb);
+	return -1;
+}
+
+int ldb_ldap_init(void)
+{
+	return ldb_register_backend("ldap", lldb_connect) +
+		   ldb_register_backend("ldapi", lldb_connect) + 
+		   ldb_register_backend("ldaps", lldb_connect);
+}
diff --git a/source3/lib/ldb/ldb_sqlite3/README b/source3/lib/ldb/ldb_sqlite3/README
new file mode 100644
index 0000000000..6cda0a7759
--- /dev/null
+++ b/source3/lib/ldb/ldb_sqlite3/README
@@ -0,0 +1,7 @@
+trees.ps contains an explanation of the Genealogical Representation of Trees
+in Databases which is being used in ldb_sqlite3.  Note that we use fgID
+representation with 4 bytes per level, so we can represent 6.5E+08 subclasses
+of any object class.  This should be adequate for our purposes. :-)
+
+The following document is the primary basis for the schema currently being
+used here:  http://www.research.ibm.com/journal/sj/392/shi.html
diff --git a/source3/lib/ldb/ldb_sqlite3/base160.c b/source3/lib/ldb/ldb_sqlite3/base160.c
new file mode 100644
index 0000000000..423e2b6841
--- /dev/null
+++ b/source3/lib/ldb/ldb_sqlite3/base160.c
@@ -0,0 +1,154 @@
+/* 
+   base160 code used by ldb_sqlite3
+
+   Copyright (C) 2004 Derrell Lipman
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+/*
+ * ldb_sqlite3_base160()
+ *
+ * Convert an integer value to a string containing the base 160 representation
+ * of the integer.  We always convert to a string representation that is 4
+ * bytes in length, and we always null terminate.
+ *
+ * Parameters:
+ *   val --
+ *     The value to be converted
+ *
+ *   result --
+ *     Buffer in which the result is to be placed
+ *
+ * Returns:
+ *   nothing
+ */
+static unsigned char        base160tab[161] =
+{
+    48 , 49 , 50 , 51 , 52 , 53 , 54 , 55 , 56 , 57 , /* 0-9 */
+    58 , 59 , 65 , 66 , 67 , 68 , 69 , 70 , 71 , 72 , /* : ; A-H */
+    73 , 74 , 75 , 76 , 77 , 78 , 79 , 80 , 81 , 82 , /* I-R */
+    83 , 84 , 85 , 86 , 87 , 88 , 89 , 90 , 97 , 98 , /* S-Z , a-b */
+    99 , 100, 101, 102, 103, 104, 105, 106, 107, 108, /* c-l */
+    109, 110, 111, 112, 113, 114, 115, 116, 117, 118, /* m-v */
+    119, 120, 121, 122, 160, 161, 162, 163, 164, 165, /* w-z, latin1 */
+    166, 167, 168, 169, 170, 171, 172, 173, 174, 175, /* latin1 */
+    176, 177, 178, 179, 180, 181, 182, 183, 184, 185, /* latin1 */
+    186, 187, 188, 189, 190, 191, 192, 193, 194, 195, /* latin1 */
+    196, 197, 198, 199, 200, 201, 202, 203, 204, 205, /* latin1 */
+    206, 207, 208, 209, 210, 211, 212, 213, 214, 215, /* latin1 */
+    216, 217, 218, 219, 220, 221, 222, 223, 224, 225, /* latin1 */
+    226, 227, 228, 229, 230, 231, 232, 233, 234, 235, /* latin1 */
+    236, 237, 238, 239, 240, 241, 242, 243, 244, 245, /* latin1 */
+    246, 247, 248, 249, 250, 251, 252, 253, 254, 255, /* latin1 */
+    '\0'
+};
+
+
+/*
+ * lsqlite3_base160()
+ *
+ * Convert an unsigned long integer into a base160 representation of the
+ * number.
+ *
+ * Parameters:
+ *   val --
+ *     value to be converted
+ *
+ *   result --
+ *     character array, 5 bytes long, into which the base160 representation
+ *     will be placed.  The result will be a four-digit representation of the
+ *     number (with leading zeros prepended as necessary), and null
+ *     terminated.
+ *
+ * Returns:
+ *   Nothing
+ */
+void
+lsqlite3_base160(unsigned long val,
+                 unsigned char result[5])
+{
+    int             i;
+
+    for (i = 3; i >= 0; i--) {
+        
+        result[i] = base160tab[val % 160];
+        val /= 160;
+    }
+
+    result[4] = '\0';
+}
+
+
+/*
+ * lsqlite3_base160Next()
+ *
+ * Retrieve the next-greater number in the base160 sequence for the terminal
+ * tree node (the last four digits).  Only one tree level (four digits) are
+ * operated on.
+ *
+ * Parameters:
+ *   base160 -- a character array containing either an empty string (in which
+ *              case no operation is performed), or a string of base160 digits
+ *              with a length of a multiple of four digits.
+ *
+ *              Upon return, the trailing four digits (one tree level) will
+ *              have been incremented by 1.
+ *
+ * Returns:
+ *   base160 -- the modified array
+ */
+char *
+lsqlite3_base160Next(char base160[])
+{
+    int             i;
+    int             len;
+    unsigned char * pTab;
+    char *          pBase160 = base160;
+
+    /*
+     * We need a minimum of four digits, and we will always get a multiple of
+     * four digits.
+     */
+    if (len = strlen(pBase160)) >= 4)
+    {
+        pBase160 += strlen(pBase160) - 1;
+
+        /* We only carry through four digits: one level in the tree */
+        for (i = 0; i < 4; i++) {
+
+            /* What base160 value does this digit have? */
+            pTab = strchr(base160tab, *pBase160);
+
+            /* Is there a carry? */
+            if (pTab < base160tab + sizeof(base160tab) - 1) {
+
+                /* Nope.  Just increment this value and we're done. */
+                *pBase160 = *++pTab;
+                break;
+            } else {
+
+                /*
+                 * There's a carry.  This value gets base160tab[0], we
+                 * decrement the buffer pointer to get the next higher-order
+                 * digit, and continue in the loop.
+                 */
+                *pBase160-- = base160tab[0];
+            }
+        }
+    }
+
+    return base160;
+}
diff --git a/source3/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/source3/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
new file mode 100644
index 0000000000..cb516b6e75
--- /dev/null
+++ b/source3/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -0,0 +1,1911 @@
+/* 
+   ldb database library
+   
+   Copyright (C) Derrell Lipman  2005
+   Copyright (C) Simo Sorce 2005-2006
+   
+   ** NOTE! The following LGPL license applies to the ldb
+   ** library. This does NOT imply that all of Samba is released
+   ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+   
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+   
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb sqlite3 backend
+ *
+ *  Description: core files for SQLITE3 backend
+ *
+ *  Author: Derrell Lipman (based on Andrew Tridgell's LDAP backend)
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include <sqlite3.h>
+
+struct lsqlite3_private {
+	int trans_count;
+	char **options;
+        sqlite3 *sqlite;
+};
+
+struct lsql_context {
+	struct ldb_module *module;
+
+	/* search stuff */
+	long long current_eid;
+	const char * const * attrs;
+	struct ldb_reply *ares;
+
+	/* async stuff */
+	void *context;
+	int (*callback)(struct ldb_context *, void *, struct ldb_reply *);
+};
+
+static struct ldb_handle *init_handle(struct lsqlite3_private *lsqlite3,
+					struct ldb_module *module,
+					struct ldb_request *req)
+{
+	struct lsql_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(lsqlite3, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc(h, struct lsql_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->context = req->context;
+	ac->callback = req->callback;
+
+	return h;
+}
+
+/*
+ * Macros used throughout
+ */
+
+#ifndef FALSE
+# define FALSE  (0)
+# define TRUE   (! FALSE)
+#endif
+
+#define RESULT_ATTR_TABLE       "temp_result_attrs"
+
+//#define TEMPTAB                 /* for testing, create non-temporary table */
+#define TEMPTAB                 "TEMPORARY"
+
+/*
+ * Static variables
+ */
+sqlite3_stmt *  stmtGetEID = NULL;
+
+static char *lsqlite3_tprintf(TALLOC_CTX *mem_ctx, const char *fmt, ...)
+{
+	char *str, *ret;
+	va_list ap;
+
+	va_start(ap, fmt);
+        str = sqlite3_vmprintf(fmt, ap);
+	va_end(ap);
+
+	if (str == NULL) return NULL;
+
+	ret = talloc_strdup(mem_ctx, str);
+	if (ret == NULL) {
+		sqlite3_free(str);
+		return NULL;
+	}
+
+	sqlite3_free(str);
+	return ret;
+}
+
+static char base160tab[161] = {
+        48 ,49 ,50 ,51 ,52 ,53 ,54 ,55 ,56 ,57 , /* 0-9 */
+        58 ,59 ,65 ,66 ,67 ,68 ,69 ,70 ,71 ,72 , /* : ; A-H */
+        73 ,74 ,75 ,76 ,77 ,78 ,79 ,80 ,81 ,82 , /* I-R */
+        83 ,84 ,85 ,86 ,87 ,88 ,89 ,90 ,97 ,98 , /* S-Z , a-b */
+        99 ,100,101,102,103,104,105,106,107,108, /* c-l */
+        109,110,111,112,113,114,115,116,117,118, /* m-v */
+        119,120,121,122,160,161,162,163,164,165, /* w-z, latin1 */
+        166,167,168,169,170,171,172,173,174,175, /* latin1 */
+        176,177,178,179,180,181,182,183,184,185, /* latin1 */
+        186,187,188,189,190,191,192,193,194,195, /* latin1 */
+        196,197,198,199,200,201,202,203,204,205, /* latin1 */
+        206,207,208,209,210,211,212,213,214,215, /* latin1 */
+        216,217,218,219,220,221,222,223,224,225, /* latin1 */
+        226,227,228,229,230,231,232,233,234,235, /* latin1 */
+        236,237,238,239,240,241,242,243,244,245, /* latin1 */
+        246,247,248,249,250,251,252,253,254,255, /* latin1 */
+        '\0'
+};
+
+
+/*
+ * base160()
+ *
+ * Convert an unsigned long integer into a base160 representation of the
+ * number.
+ *
+ * Parameters:
+ *   val --
+ *     value to be converted
+ *
+ *   result --
+ *     character array, 5 bytes long, into which the base160 representation
+ *     will be placed.  The result will be a four-digit representation of the
+ *     number (with leading zeros prepended as necessary), and null
+ *     terminated.
+ *
+ * Returns:
+ *   Nothing
+ */
+static void
+base160_sql(sqlite3_context * hContext,
+            int argc,
+            sqlite3_value ** argv)
+{
+    int             i;
+    long long       val;
+    char            result[5];
+
+    val = sqlite3_value_int64(argv[0]);
+
+    for (i = 3; i >= 0; i--) {
+        
+        result[i] = base160tab[val % 160];
+        val /= 160;
+    }
+
+    result[4] = '\0';
+
+    sqlite3_result_text(hContext, result, -1, SQLITE_TRANSIENT);
+}
+
+
+/*
+ * base160next_sql()
+ *
+ * This function enhances sqlite by adding a "base160_next()" function which is
+ * accessible via queries.
+ *
+ * Retrieve the next-greater number in the base160 sequence for the terminal
+ * tree node (the last four digits).  Only one tree level (four digits) is
+ * operated on.
+ *
+ * Input:
+ *   A character string: either an empty string (in which case no operation is
+ *   performed), or a string of base160 digits with a length of a multiple of
+ *   four digits.
+ *
+ * Output:
+ *   Upon return, the trailing four digits (one tree level) will have been
+ *   incremented by 1.
+ */
+static void
+base160next_sql(sqlite3_context * hContext,
+                int argc,
+                sqlite3_value ** argv)
+{
+        int                         i;
+        int                         len;
+        char *             pTab;
+        char *             pBase160 = strdup((const char *)sqlite3_value_text(argv[0]));
+        char *             pStart = pBase160;
+
+        /*
+         * We need a minimum of four digits, and we will always get a multiple
+         * of four digits.
+         */
+        if (pBase160 != NULL &&
+            (len = strlen(pBase160)) >= 4 &&
+            len % 4 == 0) {
+
+                if (pBase160 == NULL) {
+
+                        sqlite3_result_null(hContext);
+                        return;
+                }
+
+                pBase160 += strlen(pBase160) - 1;
+
+                /* We only carry through four digits: one level in the tree */
+                for (i = 0; i < 4; i++) {
+
+                        /* What base160 value does this digit have? */
+                        pTab = strchr(base160tab, *pBase160);
+
+                        /* Is there a carry? */
+                        if (pTab < base160tab + sizeof(base160tab) - 1) {
+
+                                /*
+                                 * Nope.  Just increment this value and we're
+                                 * done.
+                                 */
+                                *pBase160 = *++pTab;
+                                break;
+                        } else {
+
+                                /*
+                                 * There's a carry.  This value gets
+                                 * base160tab[0], we decrement the buffer
+                                 * pointer to get the next higher-order digit,
+                                 * and continue in the loop.
+                                 */
+                                *pBase160-- = base160tab[0];
+                        }
+                }
+
+                sqlite3_result_text(hContext,
+                                    pStart,
+                                    strlen(pStart),
+                                    free);
+        } else {
+                sqlite3_result_value(hContext, argv[0]);
+                if (pBase160 != NULL) {
+                        free(pBase160);
+                }
+        }
+}
+
+static char *parsetree_to_sql(struct ldb_module *module,
+			      void *mem_ctx,
+			      const struct ldb_parse_tree *t)
+{
+	const struct ldb_attrib_handler *h;
+	struct ldb_val value, subval;
+	char *wild_card_string;
+	char *child, *tmp;
+	char *ret = NULL;
+	char *attr;
+	int i;
+
+
+	switch(t->operation) {
+	case LDB_OP_AND:
+
+		tmp = parsetree_to_sql(module, mem_ctx, t->u.list.elements[0]);
+		if (tmp == NULL) return NULL;
+
+		for (i = 1; i < t->u.list.num_elements; i++) {
+
+			child = parsetree_to_sql(module, mem_ctx, t->u.list.elements[i]);
+			if (child == NULL) return NULL;
+
+			tmp = talloc_asprintf_append(tmp, " INTERSECT %s ", child);
+			if (tmp == NULL) return NULL;
+		}
+
+		ret = talloc_asprintf(mem_ctx, "SELECT * FROM ( %s )\n", tmp);
+
+		return ret;
+                
+	case LDB_OP_OR:
+
+		tmp = parsetree_to_sql(module, mem_ctx, t->u.list.elements[0]);
+		if (tmp == NULL) return NULL;
+
+		for (i = 1; i < t->u.list.num_elements; i++) {
+
+			child = parsetree_to_sql(module, mem_ctx, t->u.list.elements[i]);
+			if (child == NULL) return NULL;
+
+			tmp = talloc_asprintf_append(tmp, " UNION %s ", child);
+			if (tmp == NULL) return NULL;
+		}
+
+		return talloc_asprintf(mem_ctx, "SELECT * FROM ( %s ) ", tmp);
+
+	case LDB_OP_NOT:
+
+		child = parsetree_to_sql(module, mem_ctx, t->u.isnot.child);
+		if (child == NULL) return NULL;
+
+		return talloc_asprintf(mem_ctx,
+					"SELECT eid FROM ldb_entry "
+					"WHERE eid NOT IN ( %s ) ", child);
+
+	case LDB_OP_EQUALITY:
+		/*
+		 * For simple searches, we want to retrieve the list of EIDs that
+		 * match the criteria.
+		*/
+		attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr);
+		if (attr == NULL) return NULL;
+		h = ldb_attrib_handler(module->ldb, attr);
+
+		/* Get a canonicalised copy of the data */
+		h->canonicalise_fn(module->ldb, mem_ctx, &(t->u.equality.value), &value);
+		if (value.data == NULL) {
+			return NULL;
+		}
+
+		if (strcasecmp(t->u.equality.attr, "objectclass") == 0) {
+		/*
+		 * For object classes, we want to search for all objectclasses
+		 * that are subclasses as well.
+		*/
+			return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid  FROM ldb_attribute_values\n"
+					"WHERE norm_attr_name = 'OBJECTCLASS' "
+					"AND norm_attr_value IN\n"
+					"  (SELECT class_name FROM ldb_object_classes\n"
+					"   WHERE tree_key GLOB\n"
+					"     (SELECT tree_key FROM ldb_object_classes\n"
+					"      WHERE class_name = '%q'\n"
+					"     ) || '*'\n"
+					"  )\n", value.data);
+
+		} else if (strcasecmp(t->u.equality.attr, "dn") == 0) {
+			/* DN query is a special ldb case */
+		 	char *cdn = ldb_dn_linearize_casefold(module->ldb,
+							      mem_ctx,
+							      ldb_dn_explode(module->ldb,
+							      (const char *)value.data));
+
+			return lsqlite3_tprintf(mem_ctx,
+						"SELECT eid FROM ldb_entry "
+						"WHERE norm_dn = '%q'", cdn);
+
+		} else {
+			/* A normal query. */
+			return lsqlite3_tprintf(mem_ctx,
+						"SELECT eid FROM ldb_attribute_values "
+						"WHERE norm_attr_name = '%q' "
+						"AND norm_attr_value = '%q'",
+						attr,
+						value.data);
+
+		}
+
+	case LDB_OP_SUBSTRING:
+
+		wild_card_string = talloc_strdup(mem_ctx,
+					(t->u.substring.start_with_wildcard)?"*":"");
+		if (wild_card_string == NULL) return NULL;
+
+		for (i = 0; t->u.substring.chunks[i]; i++) {
+			wild_card_string = talloc_asprintf_append(wild_card_string, "%s*",
+							t->u.substring.chunks[i]->data);
+			if (wild_card_string == NULL) return NULL;
+		}
+
+		if ( ! t->u.substring.end_with_wildcard ) {
+			/* remove last wildcard */
+			wild_card_string[strlen(wild_card_string) - 1] = '\0';
+		}
+
+		attr = ldb_attr_casefold(mem_ctx, t->u.substring.attr);
+		if (attr == NULL) return NULL;
+		h = ldb_attrib_handler(module->ldb, attr);
+
+		subval.data = (void *)wild_card_string;
+		subval.length = strlen(wild_card_string) + 1;
+
+		/* Get a canonicalised copy of the data */
+		h->canonicalise_fn(module->ldb, mem_ctx, &(subval), &value);
+		if (value.data == NULL) {
+			return NULL;
+		}
+
+		return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid FROM ldb_attribute_values "
+					"WHERE norm_attr_name = '%q' "
+					"AND norm_attr_value GLOB '%q'",
+					attr,
+					value.data);
+
+	case LDB_OP_GREATER:
+		attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr);
+		if (attr == NULL) return NULL;
+		h = ldb_attrib_handler(module->ldb, attr);
+
+		/* Get a canonicalised copy of the data */
+		h->canonicalise_fn(module->ldb, mem_ctx, &(t->u.equality.value), &value);
+		if (value.data == NULL) {
+			return NULL;
+		}
+
+		return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid FROM ldb_attribute_values "
+					"WHERE norm_attr_name = '%q' "
+					"AND ldap_compare(norm_attr_value, '>=', '%q', '%q') ",
+					attr,
+					value.data,
+					attr);
+
+	case LDB_OP_LESS:
+		attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr);
+		if (attr == NULL) return NULL;
+		h = ldb_attrib_handler(module->ldb, attr);
+
+		/* Get a canonicalised copy of the data */
+		h->canonicalise_fn(module->ldb, mem_ctx, &(t->u.equality.value), &value);
+		if (value.data == NULL) {
+			return NULL;
+		}
+
+		return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid FROM ldb_attribute_values "
+					"WHERE norm_attr_name = '%q' "
+					"AND ldap_compare(norm_attr_value, '<=', '%q', '%q') ",
+					attr,
+					value.data,
+					attr);
+
+	case LDB_OP_PRESENT:
+		if (strcasecmp(t->u.present.attr, "dn") == 0) {
+			return talloc_strdup(mem_ctx, "SELECT eid FROM ldb_entry");
+		}
+
+		attr = ldb_attr_casefold(mem_ctx, t->u.present.attr);
+		if (attr == NULL) return NULL;
+
+		return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid FROM ldb_attribute_values "
+					"WHERE norm_attr_name = '%q' ",
+					attr);
+
+	case LDB_OP_APPROX:
+		attr = ldb_attr_casefold(mem_ctx, t->u.equality.attr);
+		if (attr == NULL) return NULL;
+		h = ldb_attrib_handler(module->ldb, attr);
+
+		/* Get a canonicalised copy of the data */
+		h->canonicalise_fn(module->ldb, mem_ctx, &(t->u.equality.value), &value);
+		if (value.data == NULL) {
+			return NULL;
+		}
+
+		return lsqlite3_tprintf(mem_ctx,
+					"SELECT eid FROM ldb_attribute_values "
+					"WHERE norm_attr_name = '%q' "
+					"AND ldap_compare(norm_attr_value, '~%', 'q', '%q') ",
+					attr,
+					value.data,
+					attr);
+		
+	case LDB_OP_EXTENDED:
+#warning  "work out how to handle bitops"
+		return NULL;
+
+	default:
+		break;
+	};
+
+	/* should never occur */
+	abort();
+	return NULL;
+}
+
+/*
+ * query_int()
+ *
+ * This function is used for the common case of queries that return a single
+ * integer value.
+ *
+ * NOTE: If more than one value is returned by the query, all but the first
+ * one will be ignored.
+ */
+static int
+query_int(const struct lsqlite3_private * lsqlite3,
+          long long * pRet,
+          const char * pSql,
+          ...)
+{
+        int             ret;
+        int             bLoop;
+        char *          p;
+        sqlite3_stmt *  pStmt;
+        va_list         args;
+        
+        /* Begin access to variable argument list */
+        va_start(args, pSql);
+        
+        /* Format the query */
+        if ((p = sqlite3_vmprintf(pSql, args)) == NULL) {
+                return SQLITE_NOMEM;
+        }
+        
+        /*
+         * Prepare and execute the SQL statement.  Loop allows retrying on
+         * certain errors, e.g. SQLITE_SCHEMA occurs if the schema changes,
+         * requiring retrying the operation.
+         */
+        for (bLoop = TRUE; bLoop; ) {
+                
+                /* Compile the SQL statement into sqlite virtual machine */
+                if ((ret = sqlite3_prepare(lsqlite3->sqlite,
+                                           p,
+                                           -1,
+                                           &pStmt,
+                                           NULL)) == SQLITE_SCHEMA) {
+                        if (stmtGetEID != NULL) {
+                                sqlite3_finalize(stmtGetEID);
+                                stmtGetEID = NULL;
+                        }
+                        continue;
+                } else if (ret != SQLITE_OK) {
+                        break;
+                }
+                
+                /* One row expected */
+                if ((ret = sqlite3_step(pStmt)) == SQLITE_SCHEMA) {
+                        if (stmtGetEID != NULL) {
+                                sqlite3_finalize(stmtGetEID);
+                                stmtGetEID = NULL;
+                        }
+                        (void) sqlite3_finalize(pStmt);
+                        continue;
+                } else if (ret != SQLITE_ROW) {
+                        (void) sqlite3_finalize(pStmt);
+                        break;
+                }
+                
+                /* Get the value to be returned */
+                *pRet = sqlite3_column_int64(pStmt, 0);
+                
+                /* Free the virtual machine */
+                if ((ret = sqlite3_finalize(pStmt)) == SQLITE_SCHEMA) {
+                        if (stmtGetEID != NULL) {
+                                sqlite3_finalize(stmtGetEID);
+                                stmtGetEID = NULL;
+                        }
+                        continue;
+                } else if (ret != SQLITE_OK) {
+                        (void) sqlite3_finalize(pStmt);
+                        break;
+                }
+                
+                /*
+                 * Normal condition is only one time through loop.  Loop is
+                 * rerun in error conditions, via "continue", above.
+                 */
+                bLoop = FALSE;
+        }
+        
+        /* All done with variable argument list */
+        va_end(args);
+        
+
+        /* Free the memory we allocated for our query string */
+        sqlite3_free(p);
+        
+        return ret;
+}
+
+/*
+ * This is a bad hack to support ldap style comparisons whithin sqlite.
+ * val is the attribute in the row currently under test
+ * func is the desired test "<=" ">=" "~" ":"
+ * cmp is the value to compare against (eg: "test")
+ * attr is the attribute name the value of which we want to test
+ */
+
+static void lsqlite3_compare(sqlite3_context *ctx, int argc,
+					sqlite3_value **argv)
+{
+	struct ldb_context *ldb = (struct ldb_context *)sqlite3_user_data(ctx);
+	const char *val = (const char *)sqlite3_value_text(argv[0]);
+	const char *func = (const char *)sqlite3_value_text(argv[1]);
+	const char *cmp = (const char *)sqlite3_value_text(argv[2]);
+	const char *attr = (const char *)sqlite3_value_text(argv[3]);
+	const struct ldb_attrib_handler *h;
+	struct ldb_val valX;
+	struct ldb_val valY;
+	int ret;
+
+	switch (func[0]) {
+	/* greater */
+	case '>': /* >= */
+		h = ldb_attrib_handler(ldb, attr);
+		valX.data = (void *)cmp;
+		valX.length = strlen(cmp);
+		valY.data = (void *)val;
+		valY.length = strlen(val);
+		ret = h->comparison_fn(ldb, ldb, &valY, &valX);
+		if (ret >= 0)
+			sqlite3_result_int(ctx, 1);
+		else
+			sqlite3_result_int(ctx, 0);
+		return;
+
+	/* lesser */
+	case '<': /* <= */
+		h = ldb_attrib_handler(ldb, attr);
+		valX.data = (void *)cmp;
+		valX.length = strlen(cmp);
+		valY.data = (void *)val;
+		valY.length = strlen(val);
+		ret = h->comparison_fn(ldb, ldb, &valY, &valX);
+		if (ret <= 0)
+			sqlite3_result_int(ctx, 1);
+		else
+			sqlite3_result_int(ctx, 0);
+		return;
+
+	/* approx */
+	case '~':
+		/* TODO */
+		sqlite3_result_int(ctx, 0);
+		return;
+
+	/* bitops */
+	case ':':
+		/* TODO */
+		sqlite3_result_int(ctx, 0);
+		return;
+
+	default:
+		break;
+	}
+
+	sqlite3_result_error(ctx, "Value must start with a special operation char (<>~:)!", -1);
+	return;
+}
+
+
+/* rename a record */
+static int lsqlite3_safe_rollback(sqlite3 *sqlite)
+{
+	char *errmsg;
+	int ret;
+
+	/* execute */
+	ret = sqlite3_exec(sqlite, "ROLLBACK;", NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			printf("lsqlite3_safe_rollback: Error: %s\n", errmsg);
+			free(errmsg);
+		}
+		return -1;
+	}
+
+        return 0;
+}
+
+/* return an eid as result */
+static int lsqlite3_eid_callback(void *result, int col_num, char **cols, char **names)
+{
+	long long *eid = (long long *)result;
+
+	if (col_num != 1) return SQLITE_ABORT;
+	if (strcasecmp(names[0], "eid") != 0) return SQLITE_ABORT;
+
+	*eid = atoll(cols[0]);
+	return SQLITE_OK;
+}
+
+/*
+ * add a single set of ldap message values to a ldb_message
+ */
+static int lsqlite3_search_callback(void *result, int col_num, char **cols, char **names)
+{
+	struct ldb_handle *handle = talloc_get_type(result, struct ldb_handle);
+	struct lsql_context *ac = talloc_get_type(handle->private_data, struct lsql_context);
+	struct ldb_message *msg;
+	long long eid;
+	int i;
+
+	/* eid, dn, attr_name, attr_value */
+	if (col_num != 4)
+		return SQLITE_ABORT;
+
+	eid = atoll(cols[0]);
+
+	if (eid != ac->current_eid) { /* here begin a new entry */
+
+		/* call the async callback for the last entry
+		 * except the first time */
+		if (ac->current_eid != 0) {
+			ac->ares->message = ldb_msg_canonicalize(ac->module->ldb, ac->ares->message);
+			if (ac->ares->message == NULL)
+				return SQLITE_ABORT;
+			
+			handle->status = ac->callback(ac->module->ldb, ac->context, ac->ares);
+			if (handle->status != LDB_SUCCESS)
+				return SQLITE_ABORT;
+		}
+
+		/* start over */
+		ac->ares = talloc_zero(ac, struct ldb_reply);
+		if (!ac->ares)
+			return SQLITE_ABORT;
+
+		ac->ares->message = ldb_msg_new(ac->ares);
+		if (!ac->ares->message)
+			return SQLITE_ABORT;
+
+		ac->ares->type = LDB_REPLY_ENTRY;
+		ac->current_eid = eid;
+	}
+
+	msg = ac->ares->message;
+
+	if (msg->dn == NULL) {
+		msg->dn = ldb_dn_explode(msg, cols[1]);
+		if (msg->dn == NULL)
+			return SQLITE_ABORT;
+	}
+
+	if (ac->attrs) {
+		int found = 0;
+		for (i = 0; ac->attrs[i]; i++) {
+			if (strcasecmp(cols[2], ac->attrs[i]) == 0) {
+				found = 1;
+				break;
+			}
+		}
+		if (!found) return SQLITE_OK;
+	}
+
+	if (ldb_msg_add_string(msg, cols[2], cols[3]) != 0) {
+		return SQLITE_ABORT;
+	}
+
+	return SQLITE_OK;
+}
+
+
+/*
+ * lsqlite3_get_eid()
+ * lsqlite3_get_eid_ndn()
+ *
+ * These functions are used for the very common case of retrieving an EID value
+ * given a (normalized) DN.
+ */
+
+static long long lsqlite3_get_eid_ndn(sqlite3 *sqlite, void *mem_ctx, const char *norm_dn)
+{
+	char *errmsg;
+	char *query;
+	long long eid = -1;
+	long long ret;
+
+	/* get object eid */
+	query = lsqlite3_tprintf(mem_ctx, "SELECT eid "
+					  "FROM ldb_entry "
+					  "WHERE norm_dn = '%q';", norm_dn);
+	if (query == NULL) return -1;
+
+	ret = sqlite3_exec(sqlite, query, lsqlite3_eid_callback, &eid, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			printf("lsqlite3_get_eid: Fatal Error: %s\n", errmsg);
+			free(errmsg);
+		}
+		return -1;
+	}
+
+	return eid;
+}
+
+static long long lsqlite3_get_eid(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	TALLOC_CTX *local_ctx;
+	struct lsqlite3_private *lsqlite3 = module->private_data;
+	long long eid = -1;
+	char *cdn;
+
+	/* ignore ltdb specials */
+	if (ldb_dn_is_special(dn)) {
+		return -1;
+	}
+
+	/* create a local ctx */
+	local_ctx = talloc_named(lsqlite3, 0, "lsqlite3_get_eid local context");
+	if (local_ctx == NULL) {
+		return -1;
+	}
+
+	cdn = ldb_dn_linearize(local_ctx, ldb_dn_casefold(module->ldb, local_ctx, dn));
+	if (!cdn) goto done;
+
+	eid = lsqlite3_get_eid_ndn(lsqlite3->sqlite, local_ctx, cdn);
+
+done:
+	talloc_free(local_ctx);
+	return eid;
+}
+
+/*
+ * Interface functions referenced by lsqlite3_ops
+ */
+
+/* search for matching records, by tree */
+int lsql_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lsqlite3_private *lsqlite3 = talloc_get_type(module->private_data, struct lsqlite3_private);
+	struct lsql_context *lsql_ac;
+	char *norm_basedn;
+	char *sqlfilter;
+	char *errmsg;
+	char *query = NULL;
+        int ret;
+
+	req->handle = init_handle(lsqlite3, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	lsql_ac = talloc_get_type(req->handle->private_data, struct lsql_context);
+
+	if ((req->op.search.base == NULL || req->op.search.base->comp_num == 0) &&
+	    (req->op.search.scope == LDB_SCOPE_BASE || req->op.search.scope == LDB_SCOPE_ONELEVEL))
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	if (req->op.search.base) {
+		norm_basedn = ldb_dn_linearize(lsql_ac, ldb_dn_casefold(module->ldb, lsql_ac, req->op.search.base));
+		if (norm_basedn == NULL) {
+			ret = LDB_ERR_INVALID_DN_SYNTAX;
+			goto failed;
+		}
+	} else norm_basedn = talloc_strdup(lsql_ac, "");
+
+        /* Convert filter into a series of SQL conditions (constraints) */
+	sqlfilter = parsetree_to_sql(module, lsql_ac, req->op.search.tree);
+        
+        switch(req->op.search.scope) {
+        case LDB_SCOPE_DEFAULT:
+        case LDB_SCOPE_SUBTREE:
+		if (*norm_basedn != '\0') {
+			query = lsqlite3_tprintf(lsql_ac,
+				"SELECT entry.eid,\n"
+				"       entry.dn,\n"
+				"       av.attr_name,\n"
+				"       av.attr_value\n"
+				"  FROM ldb_entry AS entry\n"
+
+				"  LEFT OUTER JOIN ldb_attribute_values AS av\n"
+				"    ON av.eid = entry.eid\n"
+
+				"  WHERE entry.eid IN\n"
+				"    (SELECT DISTINCT ldb_entry.eid\n"
+				"       FROM ldb_entry\n"
+				"       WHERE (ldb_entry.norm_dn GLOB('*,%q')\n"
+				"       OR ldb_entry.norm_dn = '%q')\n"
+				"       AND ldb_entry.eid IN\n"
+				"         (%s)\n"
+				"    )\n"
+
+				"  ORDER BY entry.eid ASC;",
+				norm_basedn,
+				norm_basedn,
+				sqlfilter);
+		} else {
+			query = lsqlite3_tprintf(lsql_ac,
+				"SELECT entry.eid,\n"
+				"       entry.dn,\n"
+				"       av.attr_name,\n"
+				"       av.attr_value\n"
+				"  FROM ldb_entry AS entry\n"
+
+				"  LEFT OUTER JOIN ldb_attribute_values AS av\n"
+				"    ON av.eid = entry.eid\n"
+
+				"  WHERE entry.eid IN\n"
+				"    (SELECT DISTINCT ldb_entry.eid\n"
+				"       FROM ldb_entry\n"
+				"       WHERE ldb_entry.eid IN\n"
+				"         (%s)\n"
+				"    )\n"
+
+				"  ORDER BY entry.eid ASC;",
+				sqlfilter);
+		}
+
+		break;
+                
+        case LDB_SCOPE_BASE:
+                query = lsqlite3_tprintf(lsql_ac,
+                        "SELECT entry.eid,\n"
+                        "       entry.dn,\n"
+                        "       av.attr_name,\n"
+                        "       av.attr_value\n"
+                        "  FROM ldb_entry AS entry\n"
+
+                        "  LEFT OUTER JOIN ldb_attribute_values AS av\n"
+                        "    ON av.eid = entry.eid\n"
+
+                        "  WHERE entry.eid IN\n"
+                        "    (SELECT DISTINCT ldb_entry.eid\n"
+                        "       FROM ldb_entry\n"
+                        "       WHERE ldb_entry.norm_dn = '%q'\n"
+                        "         AND ldb_entry.eid IN\n"
+			"           (%s)\n"
+                        "    )\n"
+
+                        "  ORDER BY entry.eid ASC;",
+			norm_basedn,
+                        sqlfilter);
+                break;
+                
+        case LDB_SCOPE_ONELEVEL:
+                query = lsqlite3_tprintf(lsql_ac,
+                        "SELECT entry.eid,\n"
+                        "       entry.dn,\n"
+                        "       av.attr_name,\n"
+                        "       av.attr_value\n"
+                        "  FROM ldb_entry AS entry\n"
+
+                        "  LEFT OUTER JOIN ldb_attribute_values AS av\n"
+                        "    ON av.eid = entry.eid\n"
+
+                        "  WHERE entry.eid IN\n"
+                        "    (SELECT DISTINCT ldb_entry.eid\n"
+                        "       FROM ldb_entry\n"
+			"       WHERE norm_dn GLOB('*,%q')\n"
+			"         AND NOT norm_dn GLOB('*,*,%q')\n"
+                        "         AND ldb_entry.eid IN\n(%s)\n"
+                        "    )\n"
+
+                        "  ORDER BY entry.eid ASC;",
+                        norm_basedn,
+                        norm_basedn,
+                        sqlfilter);
+                break;
+        }
+
+        if (query == NULL) {
+                goto failed;
+        }
+
+	/* * /
+	printf ("%s\n", query);
+	/ * */
+
+	lsql_ac->current_eid = 0;
+	lsql_ac->attrs = req->op.search.attrs;
+	lsql_ac->ares = NULL;
+
+	req->handle->state = LDB_ASYNC_PENDING;
+
+	ret = sqlite3_exec(lsqlite3->sqlite, query, lsqlite3_search_callback, req->handle, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			ldb_set_errstring(module->ldb, errmsg);
+			free(errmsg);
+		}
+		goto failed;
+	}
+
+	/* complete the last message if any */
+	if (lsql_ac->ares) {
+		lsql_ac->ares->message = ldb_msg_canonicalize(module->ldb, lsql_ac->ares->message);
+		if (lsql_ac->ares->message == NULL)
+			goto failed;
+			
+		req->handle->status = lsql_ac->callback(module->ldb, lsql_ac->context, lsql_ac->ares);
+		if (req->handle->status != LDB_SUCCESS)
+			goto failed;
+	}
+
+	req->handle->state = LDB_ASYNC_DONE;
+
+	return LDB_SUCCESS;
+
+failed:
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/* add a record */
+static int lsql_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lsqlite3_private *lsqlite3 = talloc_get_type(module->private_data, struct lsqlite3_private);
+	struct lsql_context *lsql_ac;
+	struct ldb_message *msg = req->op.add.message;
+        long long eid;
+	char *dn, *ndn;
+	char *errmsg;
+	char *query;
+	int i;
+	int ret = LDB_SUCCESS;
+
+	req->handle = init_handle(lsqlite3, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	lsql_ac = talloc_get_type(req->handle->private_data, struct lsql_context);
+	req->handle->state = LDB_ASYNC_DONE;
+	req->handle->status = LDB_SUCCESS;
+
+        /* See if this is an ltdb special */
+	if (ldb_dn_is_special(msg->dn)) {
+		struct ldb_dn *c;
+
+		c = ldb_dn_explode(lsql_ac, "@SUBCLASSES");
+		if (ldb_dn_compare(module->ldb, msg->dn, c) == 0) {
+#warning "insert subclasses into object class tree"
+			ret = LDB_ERR_UNWILLING_TO_PERFORM;
+			goto done;
+		}
+
+/*
+		c = ldb_dn_explode(local_ctx, "@INDEXLIST");
+		if (ldb_dn_compare(module->ldb, msg->dn, c) == 0) {
+#warning "should we handle indexes somehow ?"
+			ret = LDB_ERR_UNWILLING_TO_PERFORM;
+			goto done;
+		}
+*/
+                /* Others return an error */
+		ret = LDB_ERR_UNWILLING_TO_PERFORM;
+		goto done;
+	}
+
+	/* create linearized and normalized dns */
+	dn = ldb_dn_linearize(lsql_ac, msg->dn);
+	ndn = ldb_dn_linearize(lsql_ac, ldb_dn_casefold(module->ldb, lsql_ac, msg->dn));
+	if (dn == NULL || ndn == NULL) {
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	query = lsqlite3_tprintf(lsql_ac,
+				   /* Add new entry */
+				   "INSERT OR ABORT INTO ldb_entry "
+				   "('dn', 'norm_dn') "
+				   "VALUES ('%q', '%q');",
+				dn, ndn);
+	if (query == NULL) {
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	ret = sqlite3_exec(lsqlite3->sqlite, query, NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			ldb_set_errstring(module->ldb, errmsg);
+			free(errmsg);
+		}
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	eid = lsqlite3_get_eid_ndn(lsqlite3->sqlite, lsql_ac, ndn);
+	if (eid == -1) {
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		const struct ldb_message_element *el = &msg->elements[i];
+		const struct ldb_attrib_handler *h;
+		char *attr;
+		int j;
+
+		/* Get a case-folded copy of the attribute name */
+		attr = ldb_attr_casefold(lsql_ac, el->name);
+		if (attr == NULL) {
+			ret = LDB_ERR_OTHER;
+			goto done;
+		}
+
+		h = ldb_attrib_handler(module->ldb, el->name);
+
+		/* For each value of the specified attribute name... */
+		for (j = 0; j < el->num_values; j++) {
+			struct ldb_val value;
+			char *insert;
+
+			/* Get a canonicalised copy of the data */
+			h->canonicalise_fn(module->ldb, lsql_ac, &(el->values[j]), &value);
+			if (value.data == NULL) {
+				ret = LDB_ERR_OTHER;
+				goto done;
+			}
+
+			insert = lsqlite3_tprintf(lsql_ac,
+					"INSERT OR ROLLBACK INTO ldb_attribute_values "
+					"('eid', 'attr_name', 'norm_attr_name',"
+					" 'attr_value', 'norm_attr_value') "
+					"VALUES ('%lld', '%q', '%q', '%q', '%q');",
+					eid, el->name, attr,
+					el->values[j].data, value.data);
+			if (insert == NULL) {
+				ret = LDB_ERR_OTHER;
+				goto done;
+			}
+
+			ret = sqlite3_exec(lsqlite3->sqlite, insert, NULL, NULL, &errmsg);
+			if (ret != SQLITE_OK) {
+				if (errmsg) {
+					ldb_set_errstring(module->ldb, errmsg);
+					free(errmsg);
+				}
+				ret = LDB_ERR_OTHER;
+				goto done;
+			}
+		}
+	}
+
+	if (lsql_ac->callback) {
+		req->handle->status = lsql_ac->callback(module->ldb, lsql_ac->context, NULL);
+	}
+	
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/* modify a record */
+static int lsql_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lsqlite3_private *lsqlite3 = talloc_get_type(module->private_data, struct lsqlite3_private);
+	struct lsql_context *lsql_ac;
+	struct ldb_message *msg = req->op.mod.message;
+        long long eid;
+	char *errmsg;
+	int i;
+	int ret = LDB_SUCCESS;
+
+	req->handle = init_handle(lsqlite3, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	lsql_ac = talloc_get_type(req->handle->private_data, struct lsql_context);
+	req->handle->state = LDB_ASYNC_DONE;
+	req->handle->status = LDB_SUCCESS;
+
+        /* See if this is an ltdb special */
+	if (ldb_dn_is_special(msg->dn)) {
+		struct ldb_dn *c;
+
+		c = ldb_dn_explode(lsql_ac, "@SUBCLASSES");
+		if (ldb_dn_compare(module->ldb, msg->dn, c) == 0) {
+#warning "modify subclasses into object class tree"
+			ret = LDB_ERR_UNWILLING_TO_PERFORM;
+			goto done;
+		}
+
+                /* Others return an error */
+		ret = LDB_ERR_UNWILLING_TO_PERFORM;
+                goto done;
+	}
+
+	eid = lsqlite3_get_eid(module, msg->dn);
+	if (eid == -1) {
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		const struct ldb_message_element *el = &msg->elements[i];
+		const struct ldb_attrib_handler *h;
+		int flags = el->flags & LDB_FLAG_MOD_MASK;
+		char *attr;
+		char *mod;
+		int j;
+
+		/* Get a case-folded copy of the attribute name */
+		attr = ldb_attr_casefold(lsql_ac, el->name);
+		if (attr == NULL) {
+			ret = LDB_ERR_OTHER;
+			goto done;
+		}
+
+		h = ldb_attrib_handler(module->ldb, el->name);
+
+		switch (flags) {
+
+		case LDB_FLAG_MOD_REPLACE:
+			
+			/* remove all attributes before adding the replacements */
+			mod = lsqlite3_tprintf(lsql_ac,
+						"DELETE FROM ldb_attribute_values "
+						"WHERE eid = '%lld' "
+						"AND norm_attr_name = '%q';",
+						eid, attr);
+			if (mod == NULL) {
+				ret = LDB_ERR_OTHER;
+				goto done;
+			}
+
+			ret = sqlite3_exec(lsqlite3->sqlite, mod, NULL, NULL, &errmsg);
+			if (ret != SQLITE_OK) {
+				if (errmsg) {
+					ldb_set_errstring(module->ldb, errmsg);
+					free(errmsg);
+				}
+				ret = LDB_ERR_OTHER;
+				goto done;
+                        }
+
+			/* MISSING break is INTENTIONAL */
+
+		case LDB_FLAG_MOD_ADD:
+#warning "We should throw an error if no value is provided!"
+			/* For each value of the specified attribute name... */
+			for (j = 0; j < el->num_values; j++) {
+				struct ldb_val value;
+
+				/* Get a canonicalised copy of the data */
+				h->canonicalise_fn(module->ldb, lsql_ac, &(el->values[j]), &value);
+				if (value.data == NULL) {
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+
+				mod = lsqlite3_tprintf(lsql_ac,
+					"INSERT OR ROLLBACK INTO ldb_attribute_values "
+					"('eid', 'attr_name', 'norm_attr_name',"
+					" 'attr_value', 'norm_attr_value') "
+					"VALUES ('%lld', '%q', '%q', '%q', '%q');",
+					eid, el->name, attr,
+					el->values[j].data, value.data);
+
+				if (mod == NULL) {
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+
+				ret = sqlite3_exec(lsqlite3->sqlite, mod, NULL, NULL, &errmsg);
+				if (ret != SQLITE_OK) {
+					if (errmsg) {
+						ldb_set_errstring(module->ldb, errmsg);
+						free(errmsg);
+					}
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+			}
+
+			break;
+
+		case LDB_FLAG_MOD_DELETE:
+#warning "We should throw an error if the attribute we are trying to delete does not exist!"
+			if (el->num_values == 0) {
+				mod = lsqlite3_tprintf(lsql_ac,
+							"DELETE FROM ldb_attribute_values "
+							"WHERE eid = '%lld' "
+							"AND norm_attr_name = '%q';",
+							eid, attr);
+				if (mod == NULL) {
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+
+				ret = sqlite3_exec(lsqlite3->sqlite, mod, NULL, NULL, &errmsg);
+				if (ret != SQLITE_OK) {
+					if (errmsg) {
+						ldb_set_errstring(module->ldb, errmsg);
+						free(errmsg);
+					}
+					ret = LDB_ERR_OTHER;
+					goto done;
+                        	}
+			}
+
+			/* For each value of the specified attribute name... */
+			for (j = 0; j < el->num_values; j++) {
+				struct ldb_val value;
+
+				/* Get a canonicalised copy of the data */
+				h->canonicalise_fn(module->ldb, lsql_ac, &(el->values[j]), &value);
+				if (value.data == NULL) {
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+
+				mod = lsqlite3_tprintf(lsql_ac,
+					"DELETE FROM ldb_attribute_values "
+					"WHERE eid = '%lld' "
+					"AND norm_attr_name = '%q' "
+					"AND norm_attr_value = '%q';",
+					eid, attr, value.data);
+
+				if (mod == NULL) {
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+
+				ret = sqlite3_exec(lsqlite3->sqlite, mod, NULL, NULL, &errmsg);
+				if (ret != SQLITE_OK) {
+					if (errmsg) {
+						ldb_set_errstring(module->ldb, errmsg);
+						free(errmsg);
+					}
+					ret = LDB_ERR_OTHER;
+					goto done;
+				}
+			}
+
+			break;
+		}
+	}
+
+	if (lsql_ac->callback) {
+		req->handle->status = lsql_ac->callback(module->ldb, lsql_ac->context, NULL);
+	}
+	
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/* delete a record */
+static int lsql_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lsqlite3_private *lsqlite3 = talloc_get_type(module->private_data, struct lsqlite3_private);
+	struct lsql_context *lsql_ac;
+        long long eid;
+	char *errmsg;
+	char *query;
+	int ret = LDB_SUCCESS;
+
+
+	req->handle = init_handle(lsqlite3, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	lsql_ac = talloc_get_type(req->handle->private_data, struct lsql_context);
+	req->handle->state = LDB_ASYNC_DONE;
+	req->handle->status = LDB_SUCCESS;
+
+	eid = lsqlite3_get_eid(module, req->op.del.dn);
+	if (eid == -1) {
+		goto done;
+	}
+
+	query = lsqlite3_tprintf(lsql_ac,
+				   /* Delete entry */
+				   "DELETE FROM ldb_entry WHERE eid = %lld; "
+				   /* Delete attributes */
+				   "DELETE FROM ldb_attribute_values WHERE eid = %lld; ",
+				eid, eid);
+	if (query == NULL) {
+		ret = LDB_ERR_OTHER;
+		goto done;
+	}
+
+	ret = sqlite3_exec(lsqlite3->sqlite, query, NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			ldb_set_errstring(module->ldb, errmsg);
+			free(errmsg);
+		}
+		req->handle->status = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if (lsql_ac->callback) {
+		ret = lsql_ac->callback(module->ldb, lsql_ac->context, NULL);
+	}
+	
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/* rename a record */
+static int lsql_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct lsqlite3_private *lsqlite3 = talloc_get_type(module->private_data, struct lsqlite3_private);
+	struct lsql_context *lsql_ac;
+	char *new_dn, *new_cdn, *old_cdn;
+	char *errmsg;
+	char *query;
+	int ret = LDB_SUCCESS;
+
+	req->handle = init_handle(lsqlite3, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	lsql_ac = talloc_get_type(req->handle->private_data, struct lsql_context);
+	req->handle->state = LDB_ASYNC_DONE;
+	req->handle->status = LDB_SUCCESS;
+
+	/* create linearized and normalized dns */
+	old_cdn = ldb_dn_linearize(lsql_ac, ldb_dn_casefold(module->ldb, lsql_ac, req->op.rename.olddn));
+	new_cdn = ldb_dn_linearize(lsql_ac, ldb_dn_casefold(module->ldb, lsql_ac, req->op.rename.newdn));
+	new_dn = ldb_dn_linearize(lsql_ac, req->op.rename.newdn);
+	if (old_cdn == NULL || new_cdn == NULL || new_dn == NULL) {
+		goto done;
+	}
+
+	/* build the SQL query */
+	query = lsqlite3_tprintf(lsql_ac,
+				 "UPDATE ldb_entry SET dn = '%q', norm_dn = '%q' "
+				 "WHERE norm_dn = '%q';",
+				 new_dn, new_cdn, old_cdn);
+	if (query == NULL) {
+		goto done;
+	}
+
+	/* execute */
+	ret = sqlite3_exec(lsqlite3->sqlite, query, NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			ldb_set_errstring(module->ldb, errmsg);
+			free(errmsg);
+		}
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if (lsql_ac->callback) {
+		ret = lsql_ac->callback(module->ldb, lsql_ac->context, NULL);
+	}
+
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int lsql_start_trans(struct ldb_module * module)
+{
+	int ret;
+	char *errmsg;
+	struct lsqlite3_private *   lsqlite3 = module->private_data;
+
+	if (lsqlite3->trans_count == 0) {
+		ret = sqlite3_exec(lsqlite3->sqlite, "BEGIN IMMEDIATE;", NULL, NULL, &errmsg);
+		if (ret != SQLITE_OK) {
+			if (errmsg) {
+				printf("lsqlite3_start_trans: error: %s\n", errmsg);
+				free(errmsg);
+			}
+			return -1;
+		}
+	};
+
+	lsqlite3->trans_count++;
+
+	return 0;
+}
+
+static int lsql_end_trans(struct ldb_module *module)
+{
+	int ret;
+	char *errmsg;
+	struct lsqlite3_private *lsqlite3 = module->private_data;
+
+	if (lsqlite3->trans_count > 0) {
+		lsqlite3->trans_count--;
+	} else return -1;
+
+	if (lsqlite3->trans_count == 0) {
+		ret = sqlite3_exec(lsqlite3->sqlite, "COMMIT;", NULL, NULL, &errmsg);
+		if (ret != SQLITE_OK) {
+			if (errmsg) {
+				printf("lsqlite3_end_trans: error: %s\n", errmsg);
+				free(errmsg);
+			}
+			return -1;
+		}
+	}
+
+        return 0;
+}
+
+static int lsql_del_trans(struct ldb_module *module)
+{
+	struct lsqlite3_private *lsqlite3 = module->private_data;
+
+	if (lsqlite3->trans_count > 0) {
+		lsqlite3->trans_count--;
+	} else return -1;
+
+	if (lsqlite3->trans_count == 0) {
+		return lsqlite3_safe_rollback(lsqlite3->sqlite);
+	}
+
+	return -1;
+}
+
+static int destructor(struct lsqlite3_private *lsqlite3)
+{        
+	if (lsqlite3->sqlite) {
+		sqlite3_close(lsqlite3->sqlite);
+	}
+	return 0;
+}
+
+static int lsql_request(struct ldb_module *module, struct ldb_request *req)
+{
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int lsql_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	return handle->status;
+}
+
+/*
+ * Table of operations for the sqlite3 backend
+ */
+static const struct ldb_module_ops lsqlite3_ops = {
+	.name              = "sqlite",
+	.search            = lsql_search,
+	.add               = lsql_add,
+        .modify            = lsql_modify,
+        .del               = lsql_delete,
+        .rename            = lsql_rename,
+	.request           = lsql_request,
+	.start_transaction = lsql_start_trans,
+	.end_transaction   = lsql_end_trans,
+	.del_transaction   = lsql_del_trans,
+	.wait              = lsql_wait,
+};
+
+/*
+ * Static functions
+ */
+
+static int initialize(struct lsqlite3_private *lsqlite3,
+		      struct ldb_context *ldb, const char *url, int flags)
+{
+	TALLOC_CTX *local_ctx;
+        long long queryInt;
+	int rollback = 0;
+	char *errmsg;
+        char *schema;
+        int ret;
+
+	/* create a local ctx */
+	local_ctx = talloc_named(lsqlite3, 0, "lsqlite3_rename local context");
+	if (local_ctx == NULL) {
+		return -1;
+	}
+
+	schema = lsqlite3_tprintf(local_ctx,
+                
+                
+                "CREATE TABLE ldb_info AS "
+                "  SELECT 'LDB' AS database_type,"
+                "         '1.0' AS version;"
+                
+                /*
+                 * The entry table holds the information about an entry. 
+                 * This table is used to obtain the EID of the entry and to 
+                 * support scope=one and scope=base.  The parent and child
+                 * table is included in the entry table since all the other
+                 * attributes are dependent on EID.
+                 */
+                "CREATE TABLE ldb_entry "
+                "("
+                "  eid     INTEGER PRIMARY KEY AUTOINCREMENT,"
+                "  dn      TEXT UNIQUE NOT NULL,"
+		"  norm_dn TEXT UNIQUE NOT NULL"
+                ");"
+                
+
+                "CREATE TABLE ldb_object_classes"
+                "("
+                "  class_name            TEXT PRIMARY KEY,"
+                "  parent_class_name     TEXT,"
+                "  tree_key              TEXT UNIQUE,"
+                "  max_child_num         INTEGER DEFAULT 0"
+                ");"
+                
+                /*
+                 * We keep a full listing of attribute/value pairs here
+                 */
+                "CREATE TABLE ldb_attribute_values"
+                "("
+                "  eid             INTEGER REFERENCES ldb_entry,"
+                "  attr_name       TEXT,"
+                "  norm_attr_name  TEXT,"
+                "  attr_value      TEXT,"
+                "  norm_attr_value TEXT "
+                ");"
+                
+               
+                /*
+                 * Indexes
+                 */
+                "CREATE INDEX ldb_attribute_values_eid_idx "
+                "  ON ldb_attribute_values (eid);"
+                
+                "CREATE INDEX ldb_attribute_values_name_value_idx "
+                "  ON ldb_attribute_values (attr_name, norm_attr_value);"
+                
+                
+
+                /*
+                 * Triggers
+                 */
+ 
+                "CREATE TRIGGER ldb_object_classes_insert_tr"
+                "  AFTER INSERT"
+                "  ON ldb_object_classes"
+                "  FOR EACH ROW"
+                "    BEGIN"
+                "      UPDATE ldb_object_classes"
+                "        SET tree_key = COALESCE(tree_key, "
+                "              ("
+                "                SELECT tree_key || "
+                "                       (SELECT base160(max_child_num + 1)"
+                "                                FROM ldb_object_classes"
+                "                                WHERE class_name = "
+                "                                      new.parent_class_name)"
+                "                  FROM ldb_object_classes "
+                "                  WHERE class_name = new.parent_class_name "
+                "              ));"
+                "      UPDATE ldb_object_classes "
+                "        SET max_child_num = max_child_num + 1"
+                "        WHERE class_name = new.parent_class_name;"
+                "    END;"
+
+                /*
+                 * Table initialization
+                 */
+
+                "INSERT INTO ldb_object_classes "
+                "    (class_name, tree_key) "
+                "  VALUES "
+                "    ('TOP', '0001');");
+        
+        /* Skip protocol indicator of url  */
+        if (strncmp(url, "sqlite3://", 10) != 0) {
+                return SQLITE_MISUSE;
+        }
+        
+        /* Update pointer to just after the protocol indicator */
+        url += 10;
+        
+        /* Try to open the (possibly empty/non-existent) database */
+        if ((ret = sqlite3_open(url, &lsqlite3->sqlite)) != SQLITE_OK) {
+                return ret;
+        }
+        
+        /* In case this is a new database, enable auto_vacuum */
+	ret = sqlite3_exec(lsqlite3->sqlite, "PRAGMA auto_vacuum = 1;", NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			printf("lsqlite3 initializaion error: %s\n", errmsg);
+			free(errmsg);
+		}
+		goto failed;
+	}
+        
+	if (flags & LDB_FLG_NOSYNC) {
+		/* DANGEROUS */
+		ret = sqlite3_exec(lsqlite3->sqlite, "PRAGMA synchronous = OFF;", NULL, NULL, &errmsg);
+		if (ret != SQLITE_OK) {
+			if (errmsg) {
+				printf("lsqlite3 initializaion error: %s\n", errmsg);
+				free(errmsg);
+			}
+			goto failed;
+		}
+	}
+        
+	/* */
+        
+        /* Establish a busy timeout of 30 seconds */
+        if ((ret = sqlite3_busy_timeout(lsqlite3->sqlite,
+                                        30000)) != SQLITE_OK) {
+                return ret;
+        }
+
+        /* Create a function, callable from sql, to increment a tree_key */
+        if ((ret =
+             sqlite3_create_function(lsqlite3->sqlite,/* handle */
+                                     "base160_next",  /* function name */
+                                     1,               /* number of args */
+                                     SQLITE_ANY,      /* preferred text type */
+                                     NULL,            /* user data */
+                                     base160next_sql, /* called func */
+                                     NULL,            /* step func */
+                                     NULL             /* final func */
+                     )) != SQLITE_OK) {
+                return ret;
+        }
+
+        /* Create a function, callable from sql, to convert int to base160 */
+        if ((ret =
+             sqlite3_create_function(lsqlite3->sqlite,/* handle */
+                                     "base160",       /* function name */
+                                     1,               /* number of args */
+                                     SQLITE_ANY,      /* preferred text type */
+                                     NULL,            /* user data */
+                                     base160_sql,     /* called func */
+                                     NULL,            /* step func */
+                                     NULL             /* final func */
+                     )) != SQLITE_OK) {
+                return ret;
+        }
+
+        /* Create a function, callable from sql, to perform various comparisons */
+        if ((ret =
+             sqlite3_create_function(lsqlite3->sqlite, /* handle */
+                                     "ldap_compare",   /* function name */
+                                     4,                /* number of args */
+                                     SQLITE_ANY,       /* preferred text type */
+                                     ldb  ,            /* user data */
+                                     lsqlite3_compare, /* called func */
+                                     NULL,             /* step func */
+                                     NULL              /* final func */
+                     )) != SQLITE_OK) {
+                return ret;
+        }
+
+        /* Begin a transaction */
+	ret = sqlite3_exec(lsqlite3->sqlite, "BEGIN EXCLUSIVE;", NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			printf("lsqlite3: initialization error: %s\n", errmsg);
+			free(errmsg);
+		}
+		goto failed;
+	}
+	rollback = 1;
+ 
+        /* Determine if this is a new database.  No tables means it is. */
+        if (query_int(lsqlite3,
+                      &queryInt,
+                      "SELECT COUNT(*)\n"
+                      "  FROM sqlite_master\n"
+                      "  WHERE type = 'table';") != 0) {
+		goto failed;
+        }
+        
+        if (queryInt == 0) {
+                /*
+                 * Create the database schema
+                 */
+		ret = sqlite3_exec(lsqlite3->sqlite, schema, NULL, NULL, &errmsg);
+		if (ret != SQLITE_OK) {
+			if (errmsg) {
+				printf("lsqlite3 initializaion error: %s\n", errmsg);
+				free(errmsg);
+			}
+			goto failed;
+		}
+        } else {
+                /*
+                 * Ensure that the database we opened is one of ours
+                 */
+                if (query_int(lsqlite3,
+                              &queryInt,
+                              "SELECT "
+                              "  (SELECT COUNT(*) = 2"
+                              "     FROM sqlite_master "
+                              "     WHERE type = 'table' "
+                              "       AND name IN "
+                              "         ("
+                              "           'ldb_entry', "
+                              "           'ldb_object_classes' "
+                              "         ) "
+                              "  ) "
+                              "  AND "
+                              "  (SELECT 1 "
+                              "     FROM ldb_info "
+                              "     WHERE database_type = 'LDB' "
+                              "       AND version = '1.0'"
+                              "  );") != 0 ||
+                    queryInt != 1) {
+                        
+                        /* It's not one that we created.  See ya! */
+			goto failed;
+                }
+        }
+        
+        /* Commit the transaction */
+	ret = sqlite3_exec(lsqlite3->sqlite, "COMMIT;", NULL, NULL, &errmsg);
+	if (ret != SQLITE_OK) {
+		if (errmsg) {
+			printf("lsqlite3: iniialization error: %s\n", errmsg);
+			free(errmsg);
+		}
+		goto failed;
+	}
+ 
+        return SQLITE_OK;
+
+failed:
+	if (rollback) lsqlite3_safe_rollback(lsqlite3->sqlite); 
+	sqlite3_close(lsqlite3->sqlite);
+	return -1;
+}
+
+/*
+ * connect to the database
+ */
+static int lsqlite3_connect(struct ldb_context *ldb,
+			    const char *url, 
+			    unsigned int flags, 
+			    const char *options[],
+			    struct ldb_module **module)
+{
+	int                         i;
+        int                         ret;
+	struct lsqlite3_private *   lsqlite3 = NULL;
+        
+	lsqlite3 = talloc(ldb, struct lsqlite3_private);
+	if (!lsqlite3) {
+		goto failed;
+	}
+        
+	lsqlite3->sqlite = NULL;
+	lsqlite3->options = NULL;
+	lsqlite3->trans_count = 0;
+        
+	ret = initialize(lsqlite3, ldb, url, flags);
+	if (ret != SQLITE_OK) {
+		goto failed;
+	}
+        
+	talloc_set_destructor(lsqlite3, destructor);
+        
+
+
+	*module = talloc(ldb, struct ldb_module);
+	if (!module) {
+		ldb_oom(ldb);
+		goto failed;
+	}
+	talloc_set_name_const(*module, "ldb_sqlite3 backend");
+	(*module)->ldb = ldb;
+	(*module)->prev = (*module)->next = NULL;
+	(*module)->private_data = lsqlite3;
+	(*module)->ops = &lsqlite3_ops;
+
+	if (options) {
+		/*
+                 * take a copy of the options array, so we don't have to rely
+                 * on the caller keeping it around (it might be dynamic)
+                 */
+		for (i=0;options[i];i++) ;
+                
+		lsqlite3->options = talloc_array(lsqlite3, char *, i+1);
+		if (!lsqlite3->options) {
+			goto failed;
+		}
+                
+		for (i=0;options[i];i++) {
+                        
+			lsqlite3->options[i+1] = NULL;
+			lsqlite3->options[i] =
+                                talloc_strdup(lsqlite3->options, options[i]);
+			if (!lsqlite3->options[i]) {
+				goto failed;
+			}
+		}
+	}
+        
+	return 0;
+        
+failed:
+        if (lsqlite3->sqlite != NULL) {
+                (void) sqlite3_close(lsqlite3->sqlite);
+        }
+	talloc_free(lsqlite3);
+	return -1;
+}
+
+int ldb_sqlite3_init(void)
+{
+	return ldb_register_backend("sqlite3", lsqlite3_connect);
+}
diff --git a/source3/lib/ldb/ldb_sqlite3/schema b/source3/lib/ldb/ldb_sqlite3/schema
new file mode 100644
index 0000000000..08dc50de08
--- /dev/null
+++ b/source3/lib/ldb/ldb_sqlite3/schema
@@ -0,0 +1,363 @@
+                -- ------------------------------------------------------
+
+                PRAGMA auto_vacuum=1;
+
+                -- ------------------------------------------------------
+
+                BEGIN EXCLUSIVE;
+
+                -- ------------------------------------------------------
+
+                CREATE TABLE ldb_info AS 
+                  SELECT 'LDB' AS database_type, 
+                         '1.0' AS version;
+
+                /*
+                 * Get the next USN value with:
+                 *   BEGIN EXCLUSIVE;
+                 *   UPDATE usn SET value = value + 1;
+                 *   SELECT value FROM usn;
+                 *   COMMIT;
+                 */
+                CREATE TABLE usn
+                (
+                  value           INTEGER
+                );
+
+                CREATE TABLE ldb_object
+                (
+                  /* tree_key is auto-generated by the insert trigger */
+                  tree_key        TEXT PRIMARY KEY,
+
+                  parent_tree_key TEXT,
+                  dn              TEXT,
+
+                  attr_name       TEXT REFERENCES ldb_attributes,
+                  attr_value      TEXT,
+
+                  /*
+                   * object_type can take on these values (to date):
+                   *   1: object is a node of a DN
+                   *   2: object is an attribute/value pair of its parent DN
+                   */
+                  object_type     INTEGER,
+
+                  /*
+                   * if object_type is 1, the node can have children.
+                   * this tracks the maximum previously assigned child
+                   * number so we can generate a new unique tree key for
+                   * a new child object.  note that this is always incremented,
+                   * so if children are deleted, this will not represent
+                   * the _number_ of children.
+                   */
+                  max_child_num   INTEGER,
+
+                  /*
+                   * Automatically maintained meta-data (a gift for metze)
+                   */
+                  object_guid     TEXT UNIQUE,
+                  timestamp       INTEGER,  -- originating_time
+                  invoke_id       TEXT,     -- GUID: originating_invocation_id
+                  usn             INTEGER,  -- hyper: originating_usn
+
+                  /* do not allow duplicate name/value pairs */
+                  UNIQUE (parent_tree_key, attr_name, attr_value, object_type)
+                );
+
+                CREATE TABLE ldb_attributes
+                (
+                  attr_name             TEXT PRIMARY KEY,
+                  parent_tree_key       TEXT,
+
+                  objectclass_p         BOOLEAN DEFAULT 0,
+
+                  case_insensitive_p    BOOLEAN DEFAULT 0,
+                  wildcard_p            BOOLEAN DEFAULT 0,
+                  hidden_p              BOOLEAN DEFAULT 0,
+                  integer_p             BOOLEAN DEFAULT 0,
+
+                  /* tree_key is auto-generated by the insert trigger */
+                  tree_key              TEXT, -- null if not a object/sub class
+                                              -- level 1 if an objectclass
+                                              -- level 1-n if a subclass
+                  max_child_num         INTEGER
+                );
+
+                -- ------------------------------------------------------
+
+                CREATE INDEX ldb_object_dn_idx
+                  ON ldb_object (dn);
+
+                CREATE INDEX ldb_attributes_tree_key_ids
+                  ON ldb_attributes (tree_key);
+
+                -- ------------------------------------------------------
+
+                /* Gifts for metze.  Automatically updated meta-data */
+                CREATE TRIGGER ldb_object_insert_tr
+                  AFTER INSERT
+                  ON ldb_object
+                  FOR EACH ROW
+                    BEGIN
+                      UPDATE ldb_object
+                        SET max_child_num = max_child_num + 1
+                        WHERE tree_key = new.parent_tree_key;
+                      UPDATE usn SET value = value + 1;
+                      UPDATE ldb_object
+                        SET tree_key =
+                              (SELECT
+                                 new.tree_key ||
+                                 base160(SELECT max_child_num
+                                           FROM ldb_object
+                                           WHERE tree_key =
+                                                 new.parent_tree_key));
+                            max_child_num = 0,
+                            object_guid = random_guid(),
+                            timestamp = strftime('%s', 'now'),
+                            usn = (SELECT value FROM usn);
+                        WHERE tree_key = new.tree_key;
+                    END;
+
+                CREATE TRIGGER ldb_object_update_tr
+                  AFTER UPDATE
+                  ON ldb_object
+                  FOR EACH ROW
+                    BEGIN
+                      UPDATE usn SET value = value + 1;
+                      UPDATE ldb_object
+                        SET timestamp = strftime('%s', 'now'),
+                            usn = (SELECT value FROM usn);
+                        WHERE tree_key = new.tree_key;
+                    END;
+
+                CREATE TRIGGER ldb_attributes_insert_tr
+                  AFTER INSERT
+                  ON ldb_attributes
+                  FOR EACH ROW
+                    BEGIN
+                      UPDATE ldb_attributes
+                        SET max_child_num = max_child_num + 1
+                        WHERE tree_key = new.parent_tree_key;
+                      UPDATE ldb_attributes
+                        SET tree_key =
+                              (SELECT
+                                 new.tree_key ||
+                                 base160(SELECT max_child_num
+                                           FROM ldb_attributes
+                                           WHERE tree_key =
+                                                 new.parent_tree_key));
+                            max_child_num = 0
+                        WHERE tree_key = new.tree_key;
+                    END;
+
+
+                -- ------------------------------------------------------
+
+                /* Initialize usn */
+                INSERT INTO usn (value) VALUES (0);
+
+                /* Create root object */
+                INSERT INTO ldb_object
+                    (tree_key, parent_tree_key,
+                     dn,
+                     object_type, max_child_num)
+                  VALUES ('', NULL,
+                          '',
+                          1, 0);
+
+                /* We need an implicit "top" level object class */
+                INSERT INTO ldb_attributes (attr_name,
+                                            parent_tree_key)
+                  SELECT 'top', '';
+
+                -- ------------------------------------------------------
+
+                COMMIT;
+
+                -- ------------------------------------------------------
+
+/*
+ * dn: o=University of Michigan,c=US
+ * objectclass: organization
+ * objectclass: domainRelatedObject
+ */
+-- newDN
+BEGIN;
+
+INSERT OR IGNORE INTO ldb_object
+    (parent_tree_key
+     dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('',
+          'c=US',
+          'c', 'US', 1, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key,
+     dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('0001',
+          'o=University of Michigan,c=US',
+          'o', 'University of Michigan', 1, 0);
+
+-- newObjectClass
+INSERT OR IGNORE INTO ldb_attributes
+    (attr_name, parent_tree_key, objectclass_p)
+  VALUES
+    ('objectclass', '', 1);
+
+INSERT INTO ldb_object
+    (parent_tree_key,
+     dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001',
+          NULL,
+          'objectclass', 'organization', 2, 0);
+
+INSERT OR IGNORE INTO ldb_attributes
+    (attr_name, parent_tree_key, objectclass_p)
+  VALUES
+    ('objectclass', '', 1);
+
+INSERT INTO ldb_object
+    (parent_tree_key,
+     dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001',
+          NULL,
+          'objectclass', 'domainRelatedObject', 2, 0);
+
+COMMIT;
+
+
+/*
+ * dn: o=University of Michigan,c=US
+ * l: Ann Arbor, Michigan
+ * st: Michigan
+ * o: University of Michigan
+ * o: UMICH
+ * seeAlso:
+ * telephonenumber: +1 313 764-1817
+ */
+-- addAttrValuePair
+BEGIN;
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'l', 'Ann Arbor, Michigan', 2, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'st', 'Michigan', 2, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'o', 'University of Michigan', 2, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'o', 'UMICH', 2, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'seeAlso', '', 2, 0);
+
+INSERT INTO ldb_object
+    (parent_tree_key, dn,
+     attr_name, attr_value, object_type, max_child_num)
+  VALUES ('00010001', NULL,
+          'telephonenumber', '+1 313 764-1817', 2, 0);
+
+COMMIT;
+
+-- ----------------------------------------------------------------------
+
+/*
+ * dn: @ATTRIBUTES
+ * uid: CASE_INSENSITIVE WILDCARD
+ * cn: CASE_INSENSITIVE
+ * ou: CASE_INSENSITIVE
+ * dn: CASE_INSENSITIVE
+ */
+-- newAttribute
+
+BEGIN;
+
+INSERT OR IGNORE INTO ldb_attributes
+    (attr_name, parent_tree_key, objectclass_p)
+  VALUES
+    ('uid', '', 0);
+
+UPDATE ldb_attributes
+  SET case_insensitive_p = 1,
+      wildcard_p = 1,
+      hidden_p = 0,
+      integer_p = 0
+  WHERE attr_name = 'uid'
+
+UPDATE ldb_attributes
+  SET case_insensitive_p = 1,
+      wildcard_p = 0,
+      hidden_p = 0,
+      integer_p = 0
+  WHERE attr_name = 'cn'
+
+UPDATE ldb_attributes
+  SET case_insensitive_p = 1,
+      wildcard_p = 0,
+      hidden_p = 0,
+      integer_p = 0
+  WHERE attr_name = 'ou'
+
+UPDATE ldb_attributes
+  SET case_insensitive_p = 1,
+      wildcard_p = 0,
+      hidden_p = 0,
+      integer_p = 0
+  WHERE attr_name = 'dn'
+
+-- ----------------------------------------------------------------------
+
+/*
+ * dn: @SUBCLASSES
+ * top: domain
+ * top: person
+ * domain: domainDNS
+ * person: organizationalPerson
+ * person: fooPerson
+ * organizationalPerson: user
+ * organizationalPerson: OpenLDAPperson
+ * user: computer
+ */
+-- insertSubclass
+
+/* NOT YET UPDATED!!! *
+
+
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'domain', /* next_tree_key('top') */ '00010001';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'person', /* next_tree_key('top') */ '00010002';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'domainDNS', /* next_tree_key('domain') */ '000100010001';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'organizationalPerson', /* next_tree_key('person') */ '000100020001';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'fooPerson', /* next_tree_key('person') */ '000100020002';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'user', /* next_tree_key('organizationalPerson') */ '0001000200010001';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'OpenLDAPperson', /* next_tree_key('organizationPerson') */ '0001000200010002';
+INSERT OR REPLACE INTO ldb_object_classes (class_name, tree_key)
+  SELECT 'computer', /* next_tree_key('user') */ '0001000200010001';
+ 
diff --git a/source3/lib/ldb/ldb_sqlite3/trees.ps b/source3/lib/ldb/ldb_sqlite3/trees.ps
new file mode 100644
index 0000000000..433a064816
--- /dev/null
+++ b/source3/lib/ldb/ldb_sqlite3/trees.ps
@@ -0,0 +1,1760 @@
+%!PS-Adobe-2.0
+%%Creator: dvips(k) 5.86 Copyright 1999 Radical Eye Software
+%%Title: trees.dvi
+%%Pages: 7
+%%PageOrder: Ascend
+%%BoundingBox: 0 0 596 842
+%%EndComments
+%DVIPSWebPage: (www.radicaleye.com)
+%DVIPSCommandLine: dvips -f trees.dvi
+%DVIPSParameters: dpi=600, compressed
+%DVIPSSource:  TeX output 2000.05.06:2055
+%%BeginProcSet: texc.pro
+%!
+/TeXDict 300 dict def TeXDict begin/N{def}def/B{bind def}N/S{exch}N/X{S
+N}B/A{dup}B/TR{translate}N/isls false N/vsize 11 72 mul N/hsize 8.5 72
+mul N/landplus90{false}def/@rigin{isls{[0 landplus90{1 -1}{-1 1}ifelse 0
+0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{
+landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize
+mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[
+matrix currentmatrix{A A round sub abs 0.00001 lt{round}if}forall round
+exch round exch]setmatrix}N/@landscape{/isls true N}B/@manualfeed{
+statusdict/manualfeed true put}B/@copies{/#copies X}B/FMat[1 0 0 -1 0 0]
+N/FBB[0 0 0 0]N/nn 0 N/IEn 0 N/ctr 0 N/df-tail{/nn 8 dict N nn begin
+/FontType 3 N/FontMatrix fntrx N/FontBBox FBB N string/base X array
+/BitMaps X/BuildChar{CharBuilder}N/Encoding IEn N end A{/foo setfont}2
+array copy cvx N load 0 nn put/ctr 0 N[}B/sf 0 N/df{/sf 1 N/fntrx FMat N
+df-tail}B/dfs{div/sf X/fntrx[sf 0 0 sf neg 0 0]N df-tail}B/E{pop nn A
+definefont setfont}B/Cw{Cd A length 5 sub get}B/Ch{Cd A length 4 sub get
+}B/Cx{128 Cd A length 3 sub get sub}B/Cy{Cd A length 2 sub get 127 sub}
+B/Cdx{Cd A length 1 sub get}B/Ci{Cd A type/stringtype ne{ctr get/ctr ctr
+1 add N}if}B/id 0 N/rw 0 N/rc 0 N/gp 0 N/cp 0 N/G 0 N/CharBuilder{save 3
+1 roll S A/base get 2 index get S/BitMaps get S get/Cd X pop/ctr 0 N Cdx
+0 Cx Cy Ch sub Cx Cw add Cy setcachedevice Cw Ch true[1 0 0 -1 -.1 Cx
+sub Cy .1 sub]/id Ci N/rw Cw 7 add 8 idiv string N/rc 0 N/gp 0 N/cp 0 N{
+rc 0 ne{rc 1 sub/rc X rw}{G}ifelse}imagemask restore}B/G{{id gp get/gp
+gp 1 add N A 18 mod S 18 idiv pl S get exec}loop}B/adv{cp add/cp X}B
+/chg{rw cp id gp 4 index getinterval putinterval A gp add/gp X adv}B/nd{
+/cp 0 N rw exit}B/lsh{rw cp 2 copy get A 0 eq{pop 1}{A 255 eq{pop 254}{
+A A add 255 and S 1 and or}ifelse}ifelse put 1 adv}B/rsh{rw cp 2 copy
+get A 0 eq{pop 128}{A 255 eq{pop 127}{A 2 idiv S 128 and or}ifelse}
+ifelse put 1 adv}B/clr{rw cp 2 index string putinterval adv}B/set{rw cp
+fillstr 0 4 index getinterval putinterval adv}B/fillstr 18 string 0 1 17
+{2 copy 255 put pop}for N/pl[{adv 1 chg}{adv 1 chg nd}{1 add chg}{1 add
+chg nd}{adv lsh}{adv lsh nd}{adv rsh}{adv rsh nd}{1 add adv}{/rc X nd}{
+1 add set}{1 add clr}{adv 2 chg}{adv 2 chg nd}{pop nd}]A{bind pop}
+forall N/D{/cc X A type/stringtype ne{]}if nn/base get cc ctr put nn
+/BitMaps get S ctr S sf 1 ne{A A length 1 sub A 2 index S get sf div put
+}if put/ctr ctr 1 add N}B/I{cc 1 add D}B/bop{userdict/bop-hook known{
+bop-hook}if/SI save N @rigin 0 0 moveto/V matrix currentmatrix A 1 get A
+mul exch 0 get A mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N/eop{
+SI restore userdict/eop-hook known{eop-hook}if showpage}N/@start{
+userdict/start-hook known{start-hook}if pop/VResolution X/Resolution X
+1000 div/DVImag X/IEn 256 array N 2 string 0 1 255{IEn S A 360 add 36 4
+index cvrs cvn put}for pop 65781.76 div/vsize X 65781.76 div/hsize X}N
+/p{show}N/RMat[1 0 0 -1 0 0]N/BDot 260 string N/Rx 0 N/Ry 0 N/V{}B/RV/v{
+/Ry X/Rx X V}B statusdict begin/product where{pop false[(Display)(NeXT)
+(LaserWriter 16/600)]{A length product length le{A length product exch 0
+exch getinterval eq{pop true exit}if}{pop}ifelse}forall}{false}ifelse
+end{{gsave TR -.1 .1 TR 1 1 scale Rx Ry false RMat{BDot}imagemask
+grestore}}{{gsave TR -.1 .1 TR Rx Ry scale 1 1 false RMat{BDot}
+imagemask grestore}}ifelse B/QV{gsave newpath transform round exch round
+exch itransform moveto Rx 0 rlineto 0 Ry neg rlineto Rx neg 0 rlineto
+fill grestore}B/a{moveto}B/delta 0 N/tail{A/delta X 0 rmoveto}B/M{S p
+delta add tail}B/b{S p tail}B/c{-4 M}B/d{-3 M}B/e{-2 M}B/f{-1 M}B/g{0 M}
+B/h{1 M}B/i{2 M}B/j{3 M}B/k{4 M}B/w{0 rmoveto}B/l{p -4 w}B/m{p -3 w}B/n{
+p -2 w}B/o{p -1 w}B/q{p 1 w}B/r{p 2 w}B/s{p 3 w}B/t{p 4 w}B/x{0 S
+rmoveto}B/y{3 2 roll p a}B/bos{/SS save N}B/eos{SS restore}B end
+
+%%EndProcSet
+TeXDict begin 39158280 55380996 1000 600 600 (trees.dvi)
+@start
+%DVIPSBitmapFont: Fa cmr10 10 6
+/Fa 6 55 df<146014E0EB01C0EB0380EB0700130E131E5B5BA25B485AA2485AA212075B
+120F90C7FCA25A121EA2123EA35AA65AB2127CA67EA3121EA2121F7EA27F12077F1203A2
+6C7EA26C7E1378A27F7F130E7FEB0380EB01C0EB00E01460135278BD20>40
+D<12C07E12707E7E7E120F6C7E6C7EA26C7E6C7EA21378A2137C133C133E131EA2131F7F
+A21480A3EB07C0A6EB03E0B2EB07C0A6EB0F80A31400A25B131EA2133E133C137C1378A2
+5BA2485A485AA2485A48C7FC120E5A5A5A5A5A13527CBD20>I<15301578B3A6007FB812
+F8B912FCA26C17F8C80078C8FCB3A6153036367BAF41>43 D<EB03F8EB1FFF90387E0FC0
+9038F803E03901E000F0484813780007147C48487FA248C77EA2481580A3007EEC0FC0A6
+00FE15E0B3007E15C0A4007F141F6C1580A36C15006D5B000F143EA26C6C5B6C6C5B6C6C
+485A6C6C485A90387E0FC0D91FFFC7FCEB03F8233A7DB72A>48 D<EB01C013031307131F
+13FFB5FCA2131F1200B3B3A8497E007FB512F0A31C3879B72A>I<EC3FC0903801FFF001
+0713FC90380FE03E90383F800790387E001F49EB3F804848137F485AA2485A000FEC3F00
+49131E001F91C7FCA2485AA3127F90C9FCEB01FC903807FF8039FF1E07E090383801F049
+6C7E01607F01E0137E497FA249148016C0151FA290C713E0A57EA56C7E16C0A2121FED3F
+807F000F15006C6C5B15FE6C6C5B6C6C485A3900FE07F090383FFFC06D90C7FCEB03FC23
+3A7DB72A>54 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fb cmr7 7 3
+/Fb 3 55 df<EB3F803801FFF03803E0F83807803C48487E001E7F003E1480A2003C1307
+007C14C0A400FC14E0AE007C14C0A36CEB0F80A36CEB1F006C131E6C6C5A3803E0F86CB4
+5A38003F801B277EA521>48 D<13381378EA01F8121F12FE12E01200B3AB487EB512F8A2
+15267BA521>I<EB0FE0EB3FF8EBF81C3801E0063803C01F48485AEA0F005A121E003E13
+1E91C7FC5AA21304EB3FC038FCFFF038FDC078EB003CB4133E48131E141FA2481480A412
+7CA4003C1400123E001E131E143E6C133C6C6C5A3803C1F03801FFC06C6CC7FC19277DA5
+21>54 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fc cmmi10 10 1
+/Fc 1 69 df<0103B7FC4916E018F8903B0007F80007FE4BEB00FFF03F80020FED1FC018
+0F4B15E0F007F0021F1503A24B15F81801143F19FC5DA2147FA292C8FCA25C18035CA213
+0119F84A1507A2130319F04A150FA2010717E0181F4A16C0A2010FEE3F80A24AED7F0018
+7E011F16FE4D5A4A5D4D5A013F4B5A4D5A4A4A5A057FC7FC017F15FEEE03FC91C7EA0FF0
+49EC7FC0B8C8FC16FC16C03E397DB845>68 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fd ectt1000 10 73
+/Fd 73 126 df<D807801307D81FE0EB0F80151F487E486C133F1600007C5CD8FCFC137E
+EAF87C15FE5D14015DA21403D8FCFC5BEA7CF8007F13075D383FF00FD81FE05BA2380780
+1FC75B143F92C7FCA25C147E14FE5CA213015CA213035C13075CA2130F5C131FEC800FED
+3FC0013FEB7FE0140049EBFFF0017E13F9A2D9FE0113F801FC13F0A2120113F8120313F0
+15F90007010013F05B000F14FF49EB7FE0A20007EC3FC06C48EB0F0025417DB92C>37
+D<EA0F80EA1FE0EA3FF0127F13F8A213FCA2123F121F120FEA007CA313FC13F8A2120113
+F01203EA07E0A2EA0FC0EA3F80127FEAFF005A12F812700E1D71B22C>39
+D<143814FC13011303EB07F8EB0FF0EB1FC0EB3F80EB7F0013FE485A485A5B12075B120F
+5B485AA2123F90C7FCA25A127EA312FE5AAC7E127EA3127F7EA27F121FA26C7E7F12077F
+12037F6C7E6C7E137FEB3F80EB1FC0EB0FF0EB07F8EB03FC130113001438164272B92C>
+I<127012FC7E7E6C7E6C7EEA0FE06C7E6C7E6C7E6C7E137F7F1480131F14C0130FEB07E0
+A214F01303A214F81301A314FC1300AC130114F8A3130314F0A2130714E0A2EB0FC0131F
+1480133F14005B13FE485A485A485A485AEA3FC0485A48C7FC5A5A1270164279B92C>I<
+EB0380497EA60020140800F8143E00FE14FE00FF13C1EBC7C7EBE7CF003FB512F8000F14
+E0000314806C140038007FFCA248B5FC481480000F14E0003F14F839FFE7CFFEEBC7C7EB
+07C100FE13C000F8143E0020140800001400A66D5A1F247AAA2C>I<147014F8AF003FB6
+12E0B712F8A4C700F8C7FCB0147025267DAB2C>I<EA0F80EA1FE0EA3FF0EA7FF8A213FC
+A3123F121F120F120013F8A21201EA03F01207EA1FE0EA7FC0EAFF80130012FC12700E17
+718A2C>I<121FEA3F80EA7FC0EAFFE0A5EA7FC0EA3F80EA1F000B0B708A2C>46
+D<1507ED0F80A2151F16005D153E157E157CA215FC5D14015D14035D14075D140F5D141F
+92C7FC5C143EA2147E147C14FC5C13015C13035C13075C130F5C131F91C8FC5B133EA213
+7E137C13FC5B12015B12035B12075B120F5B121F90C9FCA25A123E127E127C12FC5AA212
+7021417BB92C>I<EB03F8EB0FFE90383FFF80497F90B57E3901FE0FF03903F803F84848
+6C7EEBE0004848137EA248487FA248C7EA1F80A2003E140F007E15C0A3007C140700FC15
+E0AC6C140F007E15C0A46CEC1F80A36C6CEB3F00A26C6C137E6D13FE00075CEBF0016C6C
+485A3901FE0FF06CB55A6D5B6D5BD90FFEC7FCEB03F823357CB32C>I<1307497EA2131F
+A2133F137F13FF5A1207127FB5FC13DF139FEA7C1F1200B3AE007FB512E0B612F0A36C14
+E01C3477B32C>I<EB0FF890387FFF8048B512E00007804814FC391FF80FFE393FE001FF
+903880007F48C7EA3F80007E141F00FE15C0150F6C15E01507A3127E123CC8FCA2150F16
+C0151F1680153F16005D15FE4A5A14034A5A4A5A4A5A4A5AECFF804948C7FC495A495A49
+5AEB3FE0EB7F8049C8FC485A4848EB03C04848EB07E0EA1FE0485A48B6FCB7FCA36C15C0
+23347CB32C>I<000FB512FE4880A35D0180C8FCADEB83FE90389FFF8090B512E015F881
+9038FE03FE9038F000FF01C07F49EB3F8090C7121F6C15C0C8120FA2ED07E0A4123C127E
+B4FC150F16C0A248141F007EEC3F80007FEC7F006C6C5B6D485A391FF80FFC6CB55A6C5C
+000114C06C6C90C7FCEB0FF823347CB22C>53 D<EC3FC0903801FFF801077F011F7F497F
+90387FE07F9039FF003F804848137FEA03F8485A5B000FEC3F004848131E4990C7FC123F
+90C9FCA25A127EEB03FE90381FFF80D8FC7F13E000FDB57EB67E9038FE07FC9038F001FE
+9038C0007F49EB3F8090C7121F16C048140F16E01507A3127EA47E150F6D14C0001F141F
+6D1480000F143F6DEB7F003907F801FE3903FE07FC6CB55A6C5C6D5B011F1380D907FCC7
+FC23357CB32C>I<1278B712C016E0A316C000FCC7EA3F80ED7F0015FE00785CC712014A
+5A4A5A5D140F5D4A5A143F92C7FC5C147E14FE5C13015CA2495AA213075CA3495AA4495A
+A5133F91C8FCAA131E23357CB32C>I<EA0F80EA1FC0EA3FE0EA7FF0A5EA3FE0EA1FC0EA
+0F80C7FCAEEA0F80EA1FE0EA3FF0EA7FF8A213FCA3123F121F120F120013F8A21201EA03
+F01207EA1FE0EA7FC0EAFF80130012FC12700E3071A32C>59 D<1502ED0F80151F157F15
+FF913803FE00EC0FFCEC1FF0EC7FE0ECFF80D903FEC7FC495AEB1FF0495AEBFF80000390
+C8FCEA07FCEA1FF8EA3FE0EAFF8090C9FCA27FEA3FE0EA1FF8EA07FC6CB4FCC67FEB3FE0
+6D7EEB07FC6D7E903800FF80EC7FE0EC1FF0EC0FFCEC03FE913800FF80157F151F150FED
+0200212A7BAD2C>I<007FB612F0B712F8A36C15F0CAFCA8007FB612F0B712F8A36C15F0
+25127DA12C>I<122012F87EB4FC7FEA3FE0EA1FF8EA07FC6CB4FCC67FEB3FE06D7EEB07
+FC6D7E903800FF80EC7FE0EC1FF0EC0FFCEC03FE913800FF80157FA215FF913803FE00EC
+0FFCEC1FF0EC7FE0ECFF80D903FEC7FC495AEB1FF0495AEBFF80000390C8FCEA07FCEA1F
+F8EA3FE0EAFF8090C9FC12FC5A1220212A7BAD2C>I<14FE497EA4497FA214EFA2130781
+A214C7A2010F7FA314C390381F83F0A590383F01F8A490387E00FCA549137E90B512FEA3
+4880A29038F8003FA34848EB1F80A4000715C049130FD87FFEEBFFFC6D5AB514FE6C15FC
+497E27347EB32C>65 D<007FB512E015F8B612FE6C8016C03903F0003FED0FE0ED07F015
+03A2ED01F8A6ED03F0A21507ED0FE0ED1FC0EDFF8090B612005D5D15FF16C09039F0001F
+E0ED07F0ED03F81501ED00FCA216FE167EA616FE16FC1501ED03F8150FED3FF0007FB612
+E016C0B712806CECFE0015F027337FB22C>I<02FF13700107EBE0F84913F9013F13FD49
+13FFEBFF813901FE007F4848131FD807F0130F1507485A491303485A150148C7FCA25A00
+7EEC00F01600A212FE5AAB7E127EA3007F15F06CEC01F8A26C7EA26C6C13036D14F06C6C
+130716E0D803FC131F6C6CEB3FC03A00FF81FF806DB512006D5B010F5B6D13F001001380
+25357DB32C>I<007FB5FCB612C015F0816C803907E003FEEC00FFED7F80153FED1FC0ED
+0FE0A2150716F0150316F81501A4ED00FCACED01F8A3150316F0A2150716E0150FED1FC0
+153FED7F80EDFF00EC03FE007FB55AB65A5D15C06C91C7FC26337EB22C>I<007FB612F0
+B712F8A37E3903F00001A7ED00F01600A4EC01E04A7EA490B5FCA5EBF003A46E5A91C8FC
+A5163C167EA8007FB612FEB7FCA36C15FC27337EB22C>I<007FB612F8B712FCA37ED803
+F0C7FCA716781600A515F04A7EA490B5FCA5EBF001A46E5A92C7FCAD387FFFE0B5FC805C
+7E26337EB22C>I<903901FC038090390FFF87C04913EF017F13FF90B6FC4813073803FC
+01497E4848137F4848133F49131F121F5B003F140F90C7FCA2127EED078092C7FCA212FE
+5AA8913803FFF84A13FCA27E007E6D13F89138000FC0A36C141FA27F121F6D133F120F6D
+137F6C7E6C6C13FF6D5A3801FF076C90B5FC6D13EF011F13CF6DEB0780D901FCC7FC2635
+7DB32C>I<D87FFEEBFFFCB54813FEA36C486C13FCD807E0EB0FC0B190B6FCA59038E000
+0FB3D87FFEEBFFFCB54813FEA36C486C13FC27337EB22C>I<007FB512F8B612FCA36C14
+F839000FC000B3B3A5007FB512F8B612FCA36C14F81E3379B22C>I<D87FFCEB7FF8486C
+EBFFFCA36C48EB7FF8D807C0EB1F80153FED7F00157E5D4A5A14034A5A5D4A5A4A5A143F
+4AC7FC147E5CEBC1F813C3EBC7FCA2EBCFFEEBDFBEEBFFBF141F01FE7F496C7E13F86E7E
+EBF00301E07FEBC001816E7EA2157E153E153F811680ED0FC0A2ED07E0D87FFCEB1FFC48
+6CEB3FFEA36C48EB1FFC27337EB22C>75 D<387FFFE0B57EA36C5BD803F0C8FCB3AE16F0
+ED01F8A8007FB6FCB7FCA36C15F025337DB22C>I<D87FE0EB0FFC486CEB1FFEA26D133F
+007F15FC000F15E001BC137BA4019E13F3A3EB9F01A2018F13E3A21483A2018713C314C7
+A201831383A214EFA201811303A214FFEB80FEA3147C14381400ACD87FF0EB1FFC486CEB
+3FFEA36C48EB1FFC27337EB22C>I<D87FF0EB7FFC486CEBFFFEA27F007FEC7FFCD807FE
+EB07C013DEA213DF13CFA2148013C714C0A213C314E0A213C114F0A213C014F8A2147CA3
+143EA2141E141FA2140F1587A2140715C7A2140315E71401A215F71400A215FFD87FFC13
+7F487E153FA26C48EB1F8027337EB22C>I<EB7FFF0003B512E0000F14F848804880EBE0
+03EB800048C7127FA2007E80A300FE158048141FB3A86C143FA2007E1500A3007F5CA26C
+6C13FEEBF00790B5FC6C5C6C5C000314E0C66C90C7FC21357BB32C>I<007FB512C0B612
+F88115FF6C15802603F00013C0153FED0FE0ED07F0A2150316F81501A6150316F01507A2
+ED0FE0ED3FC015FF90B61280160015FC5D15C001F0C8FCB0387FFF80B57EA36C5B25337E
+B22C>I<EB7FFF0003B512E0000F14F848804880EBF007EB800048C7127FA2007E80A300
+FE158048141FB3A7EB01F0EB03F800FE143F267E01FC1300A2EB00FE007F5C147FD83F80
+13FEEBF03F90B5FC6C5C6C5C000314E0C67E90380007F0A26E7EA26E7EA26E7EA2157FA2
+153E21407BB32C>I<387FFFFCB67E15E015F86C803907E007FE1401EC007F6F7E151FA2
+6F7EA64B5AA2153F4BC7FCEC01FE140790B55A5D15E081819038E007FCEC01FE1400157F
+81A8160FEE1F80A5D87FFEEB1FBFB5ECFF00815E6C486D5AC8EA01F029347EB22C>I<90
+381FF80790B5EA0F804814CF000714FF5A381FF01F383FC003497E48C7FC007E147F00FE
+143F5A151FA46CEC0F00007E91C7FC127F7FEA3FE0EA1FFCEBFFC06C13FC0003EBFFC06C
+14F06C6C7F01077F9038007FFEEC07FF02001380153FED1FC0A2ED0FE0A20078140712FC
+A56CEC0FC0A26CEC1F806D133F01E0EB7F009038FE01FF90B55A5D00F914F0D8F83F13C0
+D8700790C7FC23357CB32C>I<007FB612FCB712FEA43AFC007E007EA70078153CC71400
+B3AF90383FFFFCA2497F6D5BA227337EB22C>I<3B7FFF803FFFC0B56C4813E0A36C496C
+13C03B03F00001F800B3AF6D130300015DA26D130700005D6D130F017F495A6D6C485AEC
+E0FF6DB5C7FC6D5B010313F86D5B9038003F802B3480B22C>I<D87FFCEB7FFC486CEBFF
+FEA36C48EB7FFCD80FC0EB07E06D130F000715C0A36D131F00031580A36D133F00011500
+A36D5B0000147EA4017E5BA46D485AA490381F83F0A4010F5B14C7A301075BA214EFA201
+035BA214FFA26D90C7FCA46D5A27347EB22C>I<D87FF0EB07FF486C491380A36C486D13
+00001FC8127CA46C6C5CA76C6C495AA4143E147FA33A03E0FF83E0A214F7A201E113C3A3
+000101E35BA201F113C701F313E7A314C1A200005DA201F713F71480A301FF13FF017F91
+C7FC4A7EA4013E133E29347FB22C>I<3A3FFF03FFE0484913F0148714076C6D13E03A01
+F800FE007F0000495A13FE017E5BEB7F03013F5B1487011F5B14CF010F5B14FF6D5BA26D
+90C7FCA26D5AA26D5AA2497EA2497EA2497F81EB0FCF81EB1FC7EC87F0EB3F83EC03F8EB
+7F01017E7FEBFE00497F0001147E49137F000380491480151FD87FFEEBFFFC6D5AB514FE
+6C15FC497E27337EB22C>I<D87FFCEB7FFC486CEBFFFEA36C48EB7FFCD807F0EB0FC015
+1F000315806D133F12016DEB7F0012006D137E017E13FE017F5BEB3F01EC81F8131FEC83
+F0EB0FC314C7903807E7E0A201035B14EF6DB45AA292C7FC7F5C147EB0903807FFE0497F
+A36D5B27337EB22C>I<387FFFFCB512FEA314FC00FCC7FCB3B3B3B512FC14FEA36C13FC
+17416FB92C>91 D<127012F8A27E127C127E123E123F7EA27F120F7F12077F12037F1201
+7F12007F137C137E133EA2133F7F80130F80130780130380130180130080147C147E143E
+A2143F8081140F81140781140381140181140081157CA2157E153E153F811680150FA2ED
+070021417BB92C>I<387FFFFCB512FEA37EC7127EB3B3B3387FFFFEB5FCA36C13FC1741
+7DB92C>I<EB07C0EB1FF0EB7FFC48B5FC000714C0001F14F0397FFC7FFC39FFF01FFEEB
+C007EB0001007CEB007C003014181F0C7AAE2C>I<007FB6FCB71280A46C150021067B7D
+2C>I<1338137CEA01FC1203EA07F813F0EA0FC0EA1F80A2EA3F00123E127E127CA212FC
+5AA3EAFFC013E013F013F8A2127FA2123F13F0EA1FE0EA07C00E1D72B82C>I<3801FFF0
+000713FE001F6D7E15E048809038C01FF81407EC01FC381F80000006C77EC8127EA3ECFF
+FE131F90B5FC1203120F48EB807E383FF800EA7FC090C7FC12FE5AA47E007F14FEEB8003
+383FE01F6CB612FC6C15FE6C14BF0001EBFE1F3A003FF007FC27247CA32C>I<EA7FF048
+7EA3127F1201AAEC1FE0ECFFF801FB13FE90B6FC16809138F07FC09138801FE091380007
+F049EB03F85BED01FC491300A216FE167EA816FE6D14FCA2ED01F86D13036DEB07F0150F
+9138801FE09138E07FC091B51280160001FB5B01F813F83900F03FC027337FB22C>I<90
+3803FFE0011F13F8017F13FE48B5FC48804848C6FCEA0FF0485A49137E4848131890C9FC
+5A127EA25AA8127EA2127F6C140F6DEB1F806C7E6D133F6C6CEB7F003907FE03FF6CB55A
+6C5C6C6C5B011F13E0010390C7FC21247AA32C>I<EC0FFE4A7EA380EC003FAAEB07F8EB
+3FFE90B512BF4814FF5A3807FC0F380FF00348487E497E48487F90C7FC007E80A212FE5A
+A87E007E5CA2007F5C6C7E5C6C6C5A380FF0073807FC1F6CB612FC6CECBFFE6C143FEB3F
+FC90390FF01FFC27337DB22C>I<EB03FE90381FFFC0017F13F048B57E48803907FE03FE
+390FF800FFD81FE0EB3F805B4848EB1FC090C7120F5A007E15E015075AB7FCA416C000FC
+C9FC7E127EA2127F6CEC03C06DEB07E06C7ED80FF0130F6C6CEB3FC001FF13FF000190B5
+12806C1500013F13FC010F13F00101138023247CA32C>I<ED03F8903907F80FFC90391F
+FE3FFE017FB6FC48B7FC48ECFE7F9038FC0FF82607F003133E3A0FE001FC1CD9C0001300
+001F8049137EA66D13FE000F5CEBE0016C6C485A3903FC0FF048B5FC5D481480D99FFEC7
+FCEB87F80180C8FCA37F6C7E90B512F06C14FE48ECFF804815E04815F03A3FC0001FF848
+C7EA03FC007E1400007C157C00FC157E48153EA46C157E007E15FCD87F801303D83FE0EB
+0FF8D81FFCEB7FF06CB612E0000315806C1500D8003F13F8010713C028387EA42C>103
+D<EA7FF0487EA3127F1201AAEC1FE0EC7FFC9038F9FFFE01FB7F90B6FC9138F03F80ECC0
+1F02807FEC000F5B5BA25BB3267FFFE0B5FCB500F11480A36C01E0140029337FB22C>I<
+1307EB1FC0A2497EA36D5AA20107C7FC90C8FCA7387FFFC080B5FC7EA2EA0007B3A8007F
+B512FCB612FEA36C14FC1F3479B32C>I<EA7FE0487EA3127F1201AA91381FFFF04A13F8
+A36E13F0913800FE004A5A4A5A4A5A4A5A4A5A4A5A4AC7FC14FEEBF1FC13F3EBF7FE90B5
+FCA2EC9F80EC0FC001FE7FEBFC07496C7E496C7E811400157E811680151F3A7FFFC0FFFC
+B500E113FEA36C01C013FC27337EB22C>107 D<387FFFE0B57EA37EEA0003B3B3A5007F
+B61280B712C0A36C158022337BB22C>I<3A7F83F007E09039CFFC1FF83AFFDFFE3FFCD8
+7FFF13FF91B57E3A07FE1FFC3E01FCEBF83F496C487E01F013E001E013C0A301C01380B3
+3B7FFC3FF87FF0027F13FFD8FFFE6D13F8D87FFC4913F0023F137F2D2481A32C>I<397F
+F01FE039FFF87FFC9038F9FFFE01FB7F6CB6FC00019038F03F80ECC01F02807FEC000F5B
+5BA25BB3267FFFE0B5FCB500F11480A36C01E0140029247FA32C>I<EB07FCEB1FFF017F
+13C048B512F048803907FC07FC390FF001FE48486C7E0180133F003F158090C7121F007E
+EC0FC0A348EC07E0A76C140F007E15C0A2007F141F6C15806D133F6C6CEB7F006D5B6C6C
+485A3907FC07FC6CB55A6C5C6C6C13C0011F90C7FCEB07FC23247CA32C>I<397FF01FE0
+39FFF8FFF801FB13FE90B6FC6C158000019038F07FC09138801FE091380007F049EB03F8
+5BED01FC491300A216FE167EA816FE6D14FCA2ED01F86D13036DEB07F0150F9138801FE0
+9138E07FC091B51280160001FB5B01F813F8EC3FC091C8FCAD387FFFE0B57EA36C5B2736
+7FA32C>I<903903FC078090391FFF0FC0017F13CF48B512EF4814FF3807FE07380FF001
+48487E49137F4848133F90C7FC48141F127E150F5AA87E007E141FA26C143F7F6C6C137F
+6D13FF380FF0033807FC0F6CB6FC6C14EF6C6C138F6D130FEB07F890C7FCAD0203B5FC4A
+1480A36E140029367DA32C>I<D87FFEEB3FC0B53801FFF0020713F8021F13FC6C5B3900
+3F7FE1ECFF019138FC00F84A13704A13005CA25C5CA391C8FCAF007FB512E0B67EA36C5C
+26247EA32C>I<90387FF8700003B512F8120F5A5A387FC00F387E00034813015AA36CEB
+00F0007F140013F0383FFFC06C13FE6CEBFF80000314E0C66C13F8010113FCEB0007EC00
+FE0078147F00FC143F151F7EA26C143F6D133E6D13FE9038F007FC90B5FC15F815E000F8
+148039701FFC0020247AA32C>I<131E133FA9007FB6FCB71280A36C1500D8003FC8FCB1
+ED03C0ED07E0A5EC800F011FEB1FC0ECE07F6DB51280160001035B6D13F89038003FE023
+2E7EAD2C>I<3A7FF003FF80486C487FA3007F7F0001EB000FB3A3151FA2153F6D137F39
+00FE03FF90B7FC6D15807F6D13CF902603FE07130029247FA32C>I<3A3FFF03FFF04801
+8713F8A36C010313F03A00FC007E005D90387E01F8013F5BEB1F83EC87E090380FCFC090
+3807EF80EB03FF6D90C7FC5C6D5A147C14FE130180903803EF80903807CFC0EB0FC7EC83
+E090381F01F0013F7FEB7E00017C137C49137E0001803A7FFF01FFFC1483B514FE6C15FC
+140127247EA32C>120 D<3A7FFF01FFFCB5008113FE148314816C010113FC3A03E0000F
+806C7E151F6D140012005D6D133E137C017E137E013E137CA2013F13FC6D5BA2EB0F815D
+A2EB07C1ECC3E0A2EB03E3ECE7C0130114F75DEB00FFA292C7FC80A2143EA2147E147CA2
+14FC5CA2EA0C01003F5BEA7F83EB87E0EA7E0F495A387FFF806C90C8FC6C5A6C5AEA07E0
+27367EA32C>I<15FF02071380141F147F91B512004913C04AC7FCEB03F85CB31307EB1F
+E013FF007F5BB55A49C8FC6D7E6C7FC67F131FEB07F01303B380EB01FEECFFC06D13FF6E
+1380141F14070200130021417BB92C>123 D<127812FCB3B3B3A9127806416DB92C>I<EA
+7FC0EAFFF813FE6D7E6C7FC67F131FEB07F01303B380EB01FEECFFC06D13FF6E1380141F
+147F91B512004913C04AC7FCEB03F85CB31307EB1FE013FF007F5BB55A49C8FC13F8EA7F
+C021417BB92C>I E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fe ecti1000 10 33
+/Fe 33 122 df<EE3FFC4BB51280923907E007C092391F8001E0DB3F0013F0037E13034B
+1307A24A5A18E04A48EB038094C7FCA314075DA4140F5DA3010FB7FCA25F903A001F8000
+7EA217FE023F5C92C7FCA216015F5C147E16035FA214FE4A13075FA30101140F5F4AECC1
+C0A2161F1783010316805CA2EF870013074A5CEE0F8EEE079EEE03FC010FEC00F04A91C7
+FCA35C131FA2001C90CAFC127E5BEAFE3E133C137CEAF878EA78F0EA3FE0EA0F80344C82
+BA2F>28 D<150C151C153815F0EC01E0EC03C0EC0780EC0F00141E5C147C5C5C495A1303
+495A5C130F49C7FCA2133EA25BA25BA2485AA212035B12075BA2120F5BA2121FA290C8FC
+A25AA2123EA2127EA2127CA412FC5AAD1278A57EA3121C121EA2120E7EA26C7E6C7EA212
+001E5274BD22>40 D<140C140E80EC0380A2EC01C015E0A2140015F0A21578A4157C153C
+AB157CA715FCA215F8A21401A215F0A21403A215E0A21407A215C0140F1580A2141F1500
+A2143EA25CA25CA2495AA2495A5C1307495A91C7FC5B133E133C5B5B485A12035B48C8FC
+120E5A12785A12C01E527FBD22>I<4B7EA3150393C8FCA35D1506A3150E150CA3151C15
+18A315381530A31570B912E0A2C80060C8FC15E05DA314015DA3140392C9FCA35C1406A3
+140E140CA3141C1418A2333275AD40>43 D<EA03C0EA07F0120F121F13F8A313F0EA07B0
+EA003013701360A213E013C01201EA038013005A120E5A5A5A5A5A0D197A8819>I<120E
+EA3F80127F12FFA31300127E123C0909778819>46 D<0103B612FEEFFFC018F0903B0007
+F8000FF84BEB03FCEF00FE020F157FF03F804B141F19C0021F150F19E05D1807143F19F0
+5DA2147FA292C8FCA25C180F5CA2130119E04A151FA2130319C04A153FA201071780187F
+4A1600A2010F16FEA24A4A5A60011F15034D5A4A5D4D5A013F4B5A173F4A4AC7FC17FC01
+7FEC03F84C5A91C7EA1FC04949B45A007F90B548C8FCB712F016803C397CB83F>68
+D<0103B512F8A390390007F8005DA2140FA25DA2141FA25DA2143FA25DA2147FA292C7FC
+A25CA25CA21301A25CA21303A25CA21307A25CA2130FA25CA2131FA25CA2133FA25CA213
+7FA291C8FC497EB6FCA25C25397CB820>73 D<0107B512FCA25E9026000FF8C7FC5D5D14
+1FA25DA2143FA25DA2147FA292C8FCA25CA25CA21301A25CA21303A25CA21307A25CA213
+0F170C4A141CA2011F153C17384A1478A2013F157017F04A14E01601017F140317C091C7
+1207160F49EC1F80163F4914FF000102071300B8FCA25E2E397BB834>76
+D<ED03FE92383FFFC09238FC07F0913903E001F891390F80007C023FC77E027E8002F815
+804948EC0FC0EB07E04948EC07E0131F4A15F049C81203137E01FE16F8485AA2485AA248
+5AA2120F5B001F16075B123FA34848ED0FF0A448C9EA1FE0A3EF3FC0A21880177F18005F
+5F16015F6C4B5A4C5AA24C5A6C4B5A6D4A5A001F93C7FC6D147E000F5D6C6CEB03F06C6C
+495A6C6CEB0F806C6C013FC8FC90383F01FC90381FFFE0010190C9FC353D74BA40>79
+D<ED03FE92383FFFC09238FC07F0913903E001F891390FC0007C023FC77E027E804A1580
+D901F0EC0FC013074948EC07E0495A4A15F049C8FC49150301FE16F8485AA2485AA2485A
+A2120F491507121FA2485AA34848ED0FF0A448C9EA1FE0A3EF3FC0A21880177F4817005F
+5F16015F007F4B5A5F91380F800791393FE00FE06C903970601FC0902680E0305B261F81
+C049C7FC913880187ED80FC35C3A07E30019F00003EC1FE0D801FB14806CB46C48C8FC90
+263F81FC13186DB45A01010138133890C7003C1330177017F05FED3E03ED3F07EEFFC05F
+A294C7FC5E6F5A6F5AED07E0354B74BA40>81 D<92383FC00E913901FFF01C020713FC91
+391FC07E3C91393F001F7C027CEB0FF84A130749481303495A4948EB01F0A2495AA2011F
+15E091C7FCA34915C0A36E90C7FCA2806D7E14FCECFF806D13F015FE6D6D7E6D14E00100
+80023F7F14079138007FFC150F15031501A21500A2167C120EA3001E15FC5EA3003E4A5A
+A24B5AA2007F4A5A4B5A6D49C7FC6D133ED8F9F013FC39F8FC03F839F07FFFE0D8E01F13
+8026C003FCC8FC2F3D7ABA2F>83 D<0007B812E0A25AD9F800EB001F01C049EB07C0485A
+D900011403121E001C5C003C17801403123800785C00701607140700F01700485CA2140F
+C792C7FC5DA2141FA25DA2143FA25DA2147FA292C9FCA25CA25CA21301A25CA21303A25C
+A21307A25CA2130FA25CEB3FF0007FB512F8B6FCA2333971B83B>I<14F8EB07FE90381F
+871C90383E03FE137CEBF801120148486C5A485A120FEBC001001F5CA2EA3F801403007F
+5C1300A21407485C5AA2140F5D48ECC1C0A2141F15831680143F1587007C017F1300ECFF
+076C485B9038038F8E391F0F079E3907FE03FC3901F000F0222677A42A>97
+D<133FEA1FFFA3C67E137EA313FE5BA312015BA312035BA31207EBE0F8EBE7FE9038EF0F
+80390FFC07C013F89038F003E013E0D81FC013F0A21380A2123F1300A214075A127EA214
+0F12FE4814E0A2141F15C05AEC3F80A215005C147E5C387801F8007C5B383C03E0383E07
+C0381E1F80D80FFEC7FCEA01F01C3B77B926>I<147F903803FFC090380FC1E090381F00
+70017E13784913383901F801F83803F003120713E0120FD81FC013F091C7FC485AA2127F
+90C8FCA35A5AA45AA3153015381578007C14F0007EEB01E0003EEB03C0EC0F806CEB3E00
+380F81F83803FFE0C690C7FC1D2677A426>I<ED01F815FFA3150316F0A21507A216E0A2
+150FA216C0A2151FA21680A2153FA202F81300EB07FE90381F877F90383E03FF017C5BEB
+F80112013803F00048485B120FEBC001121F5DEA3F801403127F01005BA214075A485CA2
+140FA248ECC1C0A2141F15C3ED8380143F1587007C017F1300ECFF076C485B9038038F8E
+391F0F079E3907FE03FC3901F000F0253B77B92A>I<147F903803FFC090380FC1E09038
+3F00F0017E13785B485A485A485A120F4913F8001F14F0383F8001EC07E0EC1F80397F81
+FF00EBFFF8148090C8FC5A5AA55AA21530007C14381578007E14F0003EEB01E0EC03C06C
+EB0F806CEB3E00380781F83803FFE0C690C7FC1D2677A426>I<ED07C0ED1FF0ED3E38ED
+7C3CEDF8FC15F9140115F1020313F8EDF0F0160014075DA4140F5DA4141F5D010FB512C0
+5B16809039003F800092C7FCA45C147EA414FE5CA413015CA413035CA413075CA4130F5C
+A3131F5CA391C8FC5B121CEA7E3EA2EAFE3C137C1378EAF8F01278EA3FC0EA0F80264C82
+BA19>I<EC07C0EC3FF09138FC38E0903901F01FF0EB03E0903807C00FEB0F80011F1307
+D93F0013E05B017E130F13FE4914C01201151F1203491480A2153F1207491400A25DA249
+137EA215FEA25D00031301140314076C6C485A0000131FEB787BEB3FF390380FC3F0EB00
+031407A25DA2140F5D121C007E131F5D00FE49C7FC147E5C387801F8387C07E0381FFF80
+D803FEC8FC24367CA426>I<EB03F0EA01FFA3EA00075CA3130F5CA3131F5CA3133F91C8
+FCA35B90387E07F0EC1FFCEC783E9038FFE01F02C01380EC800F1400485A16C05B49EB1F
+8012035BA2153F000715005BA25D000F147E5B15FE5D121FD98001131C15F8163C003F01
+031338010013F0A216704814E0007E15F016E0EDE1C000FE903801E38048903800FF0000
+38143C263B7BB92A>I<EB01C0EB07E014F0130F14E01307EB038090C7FCAB13F0EA03FC
+EA071EEA0E1F121CA212385B1270A25BEAF07E12E013FEC65AA212015B1203A25B12075B
+A2000F13E013C013C1001F13C01381A2EB83801303EB0700A2130E6C5AEA07F8EA01E014
+3879B619>I<EB0FC0EA07FFA3EA001F1480A2133FA21400A25BA2137EA213FEA25BA212
+01A25BA21203A25BA21207A25BA2120FA25BA2121FA25BA2123FA290C7FCA25AA2EA7E0E
+A212FE131EEAFC1CA2133C133812F81378EA7870EA7CE0121FEA0F80123B79B915>108
+D<D801E001FEEB07F03C07F803FF801FFC3C0E3C0F07C0783E3C1E3E3C03E1E01F261C1F
+78D9F3C013803C383FF001F7800F02E01400007801C013FE007018C002805B4A4848EB1F
+80EAF07FD8E07E5CA200000207143F01FE1700495CA2030F5C0001177E495C18FE031F5C
+120349DA8001131C18F8033F153C00070403133849020013F0A24B1570000F17E049017E
+15F019E003FEECE1C0001FEE01E34949903800FF000007C70038143C3E2679A444>I<D8
+01E013FE3A07F803FF803A0E3C0F07C03A1E3E3C03E0261C1F787F39383FF00114E00078
+13C000708114804A485AEAF07FEAE07EA20000140701FE5C5BA2150F00015D5B151F5E12
+034990383F8380160316070007027F130049137EA2160E000F147C49141E161C5E001FEC
+3C7849EB1FE00007C7EA0780292679A42F>I<147F903803FFC090380FC1F090381F00F8
+017E137C5B4848137E4848133E0007143F5B120F485AA2485A157F127F90C7FCA215FF5A
+4814FEA2140115FC5AEC03F8A2EC07F015E0140F007C14C0007EEB1F80003EEB3F00147E
+6C13F8380F83F03803FFC0C648C7FC202677A42A>I<9039078007C090391FE03FF09039
+3CF0787C903938F8E03E9038787FC00170497EECFF00D9F0FE148013E05CEA01E113C15C
+A2D80003143FA25CA20107147FA24A1400A2010F5C5E5C4B5A131F5EEC80035E013F495A
+6E485A5E6E48C7FC017F133EEC70FC90387E3FF0EC0F8001FEC9FCA25BA21201A25BA212
+03A25B1207B512C0A3293580A42A>I<3903C003F0390FF01FFC391E783C0F381C7C703A
+3C3EE03F8038383FC0EB7F800078150000701300151CD8F07E90C7FCEAE0FE5BA2120012
+015BA312035BA312075BA3120F5BA3121F5BA3123F90C9FC120E212679A423>114
+D<14FE903807FF8090380F83C090383E00E04913F00178137001F813F00001130313F0A2
+15E00003EB01C06DC7FC7FEBFFC06C13F814FE6C7F6D13807F010F13C01300143F141F14
+0F123E127E00FE1480A348EB1F0012E06C133E00705B6C5B381E03E06CB45AD801FEC7FC
+1C267AA422>I<EB0380EB07C0130FA4131F1480A3133F1400A35B137E007FB5FCA2B6FC
+3800FC00A312015BA312035BA312075BA3120F5BA3121FEB801CA2143C003F1338EB0078
+147014F014E0EB01C0EA3E03381F0780380F0F00EA07FCEA01F0183579B31C>I<01F013
+0ED803FC133FD8071EEB7F80EA0E1F121C123C0038143F49131F0070140FA25BD8F07E14
+0000E08013FEC6485B150E12015B151E0003141C5BA2153C000714385B5DA35DA24A5A14
+0300035C6D48C7FC0001130E3800F83CEB7FF8EB0FC0212679A426>118
+D<903907E007C090391FF81FF89039787C383C9038F03E703A01E01EE0FE3803C01F0180
+13C0D8070014FC481480000E1570023F1300001E91C7FC121CA2C75AA2147EA214FEA25C
+A21301A24A1370A2010314F016E0001C5B007E1401010714C000FEEC0380010F1307010E
+EB0F0039781CF81E9038387C3C393FF03FF03907C00FC027267CA427>120
+D<13F0D803FCEB01C0D8071EEB03E0D80E1F1307121C123C0038140F4914C01270A24913
+1FD8F07E148012E013FEC648133F160012015B5D0003147E5BA215FE00075C5BA214015D
+A314035D14070003130FEBF01F3901F87FE038007FF7EB1FC7EB000F5DA2141F003F5C48
+133F92C7FC147E147C007E13FC387001F8EB03E06C485A383C1F80D80FFEC8FCEA03F023
+3679A428>I E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Ff cmsy10 10 1
+/Ff 1 16 df<EB1FF0EBFFFE487F000714C04814E04814F04814F8A24814FCA3B612FEA9
+6C14FCA36C14F8A26C14F06C14E06C14C0000114006C5BEB1FF01F1F7BA42A>15
+D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fg ecbx1000 10 36
+/Fg 36 119 df<913803FFC0027F13F00103B512FC010FEB00FED93FF8133FD97FE0EBFF
+8049485A5A1480484A13C04A6C1380A36F1300167E93C7FCA592383FFFC0B8FCA4000390
+C7FCB3ABB5D8FC3F13FFA4303A7EB935>28 D<B61280A819087F9620>45
+D<EA0F80EA3FE0EA7FF0A2EAFFF8A5EA7FF0A2EA3FE0EA0F800D0D798C1B>I<141E143E
+14FE1307137FB5FCA3138FEA000FB3B3A5007FB61280A4213679B530>49
+D<EB0FFE90387FFFC048B512F0000714FC390FE03FFF261F800F1380263F000313C0D87F
+8014E0EBE00100FF6D13F07FA2ED7FF8A46C5A6C5A0006C7FCC8FCEDFFF0A216E05C16C0
+4A138016004A5A4A5AEC1FF05D4A5A4AC7FC14FE495AD903F01378495A495A495A49C712
+F8017C14F05B49130148B6FC5A5A5A5A5A4815E0B7FCA425367BB530>I<EC0FF8ECFFFE
+0103EBFF8090390FF80FC090393FE003E090397F8001F09038FF000F48EC1FF84848133F
+485A120F5B121FA2003FEC1FF0ED0FE0484890C7FCA31408EC7FF039FFF1FFFC01F313FF
+D9F78013809039FF007FC049EB3FE04914F0ED1FF85B16FCA34914FEA4127FA5123F16FC
+A26C7E16F8000F143F6D14F0000715E06C6CEB7FC03A01FF81FF806C90B51200013F13FC
+010F13F00101138027377CB530>54 D<EA0F80EA3FE0EA7FF0A2EAFFF8A5EA7FF0A2EA3F
+E0EA0F80C7FCABEA0F80EA3FE0EA7FF0A2EAFFF8A5EA7FF0A2EA3FE0EA0F800D2579A41B
+>58 D<B812C017FC17FF18C028007FF000037F04007F717E717E171F84A2717EA74D5AA2
+60173F4D5A4D5A4C13C0040F5B91B600FCC7FCA2EFFF8002F0C713F0EF3FF8717E717E71
+7E19807113C0A319E0A719C0A25F4D138019005FEF7FFE4C485AB912F018C095C7FC17F0
+3B397DB844>66 D<DB3FFCEB01C00203B5EAC003021FECF00791B6EAFC0F01039039FC00
+FF3F4901C0EB1FFFD91FFEC77E49481403D97FF080494880485B48177F4849153F4890C9
+FC181F485A180F123F5B1807127FA24993C7FC12FFAD127F7FF003C0123FA27F001F1707
+A26C6C1780180F6C6D16006C6D5D6C173E6C6D157ED97FF85D6D6C4A5A6DB44A5A010701
+C0EB0FE06D01FCEBFF80010090B548C7FC021F14F8020314E09126003FFEC8FC3A3B7BB9
+45>I<B87E17F817FF18C028007FF8000713F09338007FF8EF1FFE717E050313807113C0
+A27113E0F07FF0A2F03FF8A219FC181FA219FEA419FFAC19FEA419FC183FA219F8187F19
+F0F0FFE0A24D13C04D13804D1300EF1FFEEF7FFC933807FFF0B912C095C7FC17FC178040
+397DB849>I<B612FCA439007FF800B3B3ADB612FCA41E397DB824>73
+D<B7FCA426007FF8C9FCB3ACEF0780A5170F1800A35FA25FA25F5F5E5EEE0FFE167FB8FC
+A431397DB839>76 D<B500F80403B512F06E5EA26E5ED8007FF1E000A2D97BFF161EA201
+796D5DA201786D5DA26E6C5DA36E6C4A5AA26E6C4A5AA26E6C4A5AA26E6C4A5AA26E6C14
+1EA36E6D5BA26E6D5BA26F6C5BA26F6C485AA36F6C485AA26F6C485AA26F6C48C7FCA292
+3803FF1EA36F13BCA26F13F8A2705AA2705AA213FCB500FC6D4848B612F0A2EE0F80EE07
+0054397DB85B>I<B500FC0203B512F0A28080C66C6D90390003F0006F6E5A81017B7F13
+798101787F6E7E6E7E6E7F6E7FA26E7F6E7F6E7F6E7F6F7E153F826F13806F13C06F13E0
+6F13F06F13F88117FCEE7FFEEE3FFF7013817013C17013E18218F17013F97013FDEF7FFF
+8383A28383838383187FA2183F181F01FC160FB500FC150718031801A244397DB84B>I<
+EDFFF8020FEBFF80027F14F0903A01FFC01FFC010790380007FFD91FFC010113C0D93FF0
+6D6C7E49486E7E49486E7E48496E7E48834890C86C7EA248486F1380A248486F13C0A200
+3F18E0A348486F13F0A400FF18F8AC007F18F06D5DA3003F18E0A26D5D001F18C0A26C6C
+4B13806C18006E5C6C6D4A5A6C5F6C6D4A5A6D6C4A5AD93FFC49485A6DB401075B0107D9
+C01F90C7FC010190B512FC6D6C14F0020F1480020001F8C8FC3D3B7BB948>I<B8FC17F0
+17FEEFFF8028007FF8000F13C0040113E07013F0EF7FF8EF3FFCA2EF1FFEA218FFA818FE
+A2EF3FFCA2EF7FF8EFFFF04C13E0040F13C091B7120017FC17E002F8C9FCB3A4B612FCA4
+38397DB841>I<EDFFF8020FEBFF80027F14F0903A01FFE03FFC010790380007FFD91FFC
+010113C049486D7FD97FE0EC3FF049486E7E488348496E7E4890C86C7EA248486F1380A2
+001F18C04981003F18E0A3007F18F04981A300FF18F8AC007F18F0A36D5D003F18E0A36C
+6C4B13C0A2000FDA1FC014806C6C90267FF0071300EDFFF86C903A81F07C0FFE6C903AC3
+C01E1FFC6CDA800F5BD97FE3ECBFF0D93FF36DB45AD91FFF5D010701C091C7FC01019038
+F01FFC6D6CB500F01308020F6E131C0200EBF9FC92260001FE133C9438FF80FC18FF8219
+F8A28319F0A27113E0A27113C0711380711300EF01FC3E4A7BB948>I<D907FF130E013F
+EBE01E90B5EAF83E0003ECFE7E3A07FC01FFFE390FF0001F4848130F4848130349130100
+7F140090C8FC167E5A163EA27F161E7F7F6D91C7FC13FC387FFFE014FEECFFF06C14FE6F
+7E6C816C15F06C816C81C681133F010F801301D9000F1480EC007F030F13C01503818100
+F0157FA3163FA27E17807E167F6C16007E6D14FE01E0495A01F813039039FF801FF800FC
+90B512E0D8F83F5CD8F00749C7FC39E0007FF02A3B7BB935>83 D<B600FC011FB512C0A4
+26007FF8C8381FC000725AB3B3181F013F94C7FC8060011F163E6D6C157E187C6D6C15FC
+6D6D495A6D6DEB07F06D01F0EB1FE0DA7FFEEBFFC0021FB6C8FC02075C020014F0030F13
+80423A7DB849>85 D<B600F00103B512E0A4C601F0C83807F0006E5E017F5F6E150FA201
+3F5F6E151F011F94C7FC6E5D6D163E6F147E6D167CA26F14FC6D5E6F13016D5E6F13036D
+5E811707027F5D6F130F023F5D6F131F021F92C8FC815F6E143EEE807E6E147CEEC0FC6E
+5C16E016E16E5C16F36E5C16FF6F5BA36F5BA26F90C9FCA26F5AA36F5AA26F5AA26F5A43
+3A7EB848>I<B6D8E01FB500FC90383FFFFCA4000101F0C7D83FFCC8EA7E006C71153C17
+1F6E197C017F701578836E7014F8013F6F5E6E1801011F4B6D5CA26E18036D4B6D5CA26D
+6D496D495A173C6F170F6D037C6D91C7FCEF787F6F5F6D4B6C6C131E816D02016E5BEFE0
+1F03F8177C027F01036E13784D7E03FCEE80F8023F49486C5C15FE021F010FEDC1E04D7E
+03FF16C36E49EDE3C0041E7F049E15F76E01BC6D5C04FC15FF6E95C8FC4C80A26E5F4C14
+3F6E5F4C141FA2037F5E4C140FA26F486E5AA2031F5E93C812036F5E5E3A7EB863>I<13
+FFB5FCA412077EAF4AB47E020F13F0023F13FC9138FE03FFDAF00013804AEB7FC00280EB
+3FE091C713F0EE1FF8A217FC160FA217FEAA17FCA3EE1FF8A217F06E133F6EEB7FE06E14
+C0903AFDF001FF80903AF8FC07FE009039F03FFFF8D9E00F13E0D9C00390C7FC2F3A7EB9
+35>98 D<EE7F80ED7FFFA4150381AF903801FF81010F13F1013F13FD9038FFC07F0003EB
+001FD807FC1307000F8048487F5B123FA2485AA312FFAA127FA27F123FA26C6C5B000F5C
+6C6C5B6C6C4913C02701FF80FD13FE39007FFFF9011F13E1010113012F3A7DB935>100
+D<903803FF80011F13F0017F13FC3901FF83FE3A03FE007F804848133F484814C0001FEC
+1FE05B003FEC0FF0A2485A16F8150712FFA290B6FCA301E0C8FCA4127FA36C7E1678121F
+6C6C14F86D14F000071403D801FFEB0FE06C9038C07FC06DB51200010F13FC010113E025
+257DA42C>I<EC1FF0903801FFFC010713FF90391FF87F8090383FE0FFD9FFC113C0A248
+1381A24813016E1380A2ED3E0092C7FCA8B6FCA4000390C8FCB3ABB512FEA4223A7DB91D
+>I<161FD907FEEBFFC090387FFFE348B6EAEFE02607FE07138F260FF801131F48486C13
+8F003F15CF4990387FC7C0EEC000007F81A6003F5DA26D13FF001F5D6C6C4890C7FC3907
+FE07FE48B512F86D13E0261E07FEC8FC90CAFCA2123E123F7F6C7E90B512F8EDFF8016E0
+6C15F86C816C815A001F81393FC0000F48C8138048157F5A163FA36C157F6C16006D5C6C
+6C495AD81FF0EB07FCD807FEEB3FF00001B612C06C6C91C7FC010713F02B377DA530>I<
+EA01F0EA07FC487EA2487EA56C5AA26C5AEA01F0C8FCA913FF127FA412077EB3A9B512F8
+A4153B7DBA1B>105 D<13FFB5FCA412077EAF92380FFFE0A4923803FC0016F0ED0FE0ED
+1F804BC7FC157E5DEC03F8EC07E04A5A141FEC7FE04A7E8181A2ECCFFEEC0FFF496C7F80
+6E7F6E7F82157F6F7E6F7E82150F82B5D8F83F13F8A42D3A7EB932>107
+D<13FFB5FCA412077EB3B3ACB512FCA4163A7DB91B>I<01FED97FE0EB0FFC00FF902601
+FFFC90383FFF80020701FF90B512E0DA1F81903983F03FF0DA3C00903887801F000749DA
+CF007F00034914DE6D48D97FFC6D7E4A5CA24A5CA291C75BB3A3B5D8FC1FB50083B512F0
+A44C257DA451>I<01FEEB7FC000FF903803FFF8020F13FE91381F03FFDA3C0113800007
+13780003497E6D4814C05CA25CA291C7FCB3A3B5D8FC3F13FFA430257DA435>I<903801
+FFC0010F13F8017F13FFD9FF807F3A03FE003FE048486D7E48486D7E48486D7EA2003F81
+491303007F81A300FF1680A9007F1600A3003F5D6D1307001F5DA26C6C495A6C6C495A6C
+6C495A6C6C6CB45A6C6CB5C7FC011F13FC010113C029257DA430>I<9038FE03F000FFEB
+0FFEEC3FFF91387C7F809138F8FFC000075B6C6C5A5CA29138807F80ED3F00150C92C7FC
+91C8FCB3A2B512FEA422257EA427>114 D<90383FF0383903FFFEF8000F13FF381FC00F
+383F0003007E1301007C130012FC15787E7E6D130013FCEBFFE06C13FCECFF806C14C06C
+14F06C14F81203C614FC131F9038007FFE140700F0130114007E157E7E157C6C14FC6C14
+F8EB80019038F007F090B512C000F8140038E01FF81F257DA426>I<130FA55BA45BA25B
+5BA25A1207001FEBFFE0B6FCA3000390C7FCB21578A815F86CEB80F014816CEBC3E09038
+3FFFC06D1380903803FE001D357EB425>I<B539F001FFF8A4000390C7EA1F00161E6E13
+3E6C153C6E137C6C15786E13F8017F5CECF001013F5C14F8011F495AA2ECFC07010F5CEC
+FE0F010791C7FC6E5A6D131E15BE6D13BC15FC6D5BA36E5AA26E5AA26E5AA26E5AA22D25
+7EA432>118 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fh ecrm1000 10 89
+/Fh 89 126 df<486C1360000314E039070001C0000EEB038048EB070000181306003813
+0E0030130C0070131C00601318A200E01338481330A400CEEB338039FF803FE001C013F0
+A3007F131FA2393F800FE0390E0003801C1981B91C>16 D<001C1307007FEB1FC039FF80
+3FE0A201C013F0A3007F131F001CEB073000001300A400011470491360A2000314E090C7
+12C048130100061480000E130348EB070048130E485B006013181C1980B91C>I<B81280
+A2290280962A>21 D<DA0FF813FC91397FFF07FF903B01F807DF83C0903A07E001FF0F90
+3B1F8007FE1FE090393F000FFC137E16F85B9338F007804848010790C7FC1503ACB812F8
+A32801F80003F0C7FCB3AB486C497E267FFFE0B512F0A3333B7FBA30>27
+D<EC0FF8EC7FFE903901F80780903907E001C090391F8000E090383F0007017E497EA25B
+A2485A6F5AED018092C8FCA9ED03F0B7FCA33901F8000F1503B3AA486C497E267FFFE0B5
+12C0A32A3B7FBA2E>I<DA0FF0EB1FF0DA7FFEEBFFFC903B01F80F83F00F903C07E001CF
+C00380903C1F8000FF0001C090273F0007FE130F017E4948497EA2495CA248485C03076E
+5A03030203C7FC95C8FCA9F007E0BAFCA33C01F80003F0001F1807B3AA486C496C497E26
+7FFFE0B500C1B51280A3413B7FBA45>30 D<EB0380A3EB0FF0EB7FFE48B512803903F38F
+C03907C381E0390F8380F0D81F031338123E003C141C007C140C150E0078143E00F814FE
+1481A400FCEB80FC157800FE140012FF127F13C313E3EA3FFF6C7F14F86C13FE6CEBFF80
+000114C06C14E0013F13F01303ECBFF8148FEC83FC1481A2EC80FE157E123C12FF153EA4
+12FE00F8143C00E0147C12600070147815F8003814F0003C1381001EEB83E0000FEB87C0
+3907E39F803901FFFE006C5BEB1FE0EB0380A41F437BBD2A>36 D<141FEC7FC0903801F0
+E0903803C0600107137090380F803090381F00381518A25BA2133E133F15381530A21570
+5D5D140190381F838092CAFC1487148E02DC49B51280EB0FF85C4A9039003FF8000107ED
+0FC06E5D71C7FC6E140E010F150CD91DFC141C01391518D970FE143801E015302601C07F
+1470D803805D00076D6C5BD80F00EBC00148011F5C4890380FE003003E6E48C8FC007E90
+3807F8060203130E00FE6E5A6E6C5A1400ED7F706C4B13036F5A6F7E6C6C6D6C5B701306
+6C6C496C130E6DD979FE5B281FF001F07F133C3C07F80FE03FC0F86CB539800FFFF0C690
+26FE000313C0D91FF0D9007FC7FC393E7DBB41>38 D<121C127FEAFF80A213C0A3127F12
+1C1200A412011380A2120313005A1206120E5A5A5A12600A1979B917>I<146014E0EB01
+C0EB0380EB0700130E131E5B5BA25B485AA2485AA212075B120F90C7FCA25A121EA2123E
+A35AA65AB2127CA67EA3121EA2121F7EA27F12077F1203A26C7EA26C7E1378A27F7F130E
+7FEB0380EB01C0EB00E01460135278BD20>I<12C07E12707E7E7E120F6C7E6C7EA26C7E
+6C7EA21378A2137C133C133E131EA2131F7FA21480A3EB07C0A6EB03E0B2EB07C0A6EB0F
+80A31400A25B131EA2133E133C137C1378A25BA2485A485AA2485A48C7FC120E5A5A5A5A
+5A13527CBD20>I<1530B3A8B912FCA2C80030C8FCB3A836367BAF41>43
+D<121C127FEAFF80A213C0A3127F121C1200A412011380A2120313005A1206120E5A5A5A
+12600A19798817>I<B512FCA516057F941C>I<121C127FEAFF80A5EA7F00121C09097988
+17>I<1506A2150E150CA2151C151815381530A215701560A215E015C0A214011580A214
+0315005C1406A2140E140CA2141C1418A214381430A21470146014E05CA213015CA21303
+91C7FCA25B1306A2130E130C131C1318A213381330A213701360A213E05BA212015B1203
+90C8FCA25A1206A2120E120CA2121C1218A21238123012701260A212E05AA21F537BBD2A
+>I<EB03F8EB1FFF90387E0FC09038F803E03901E000F0484813780007147C48487FA248
+C77EA2481580A3007EEC0FC0A500FE15E0B3007E15C0A4007F141F6C1580A36C1500A26C
+6C133EA26C6C5B6C6C5BEBF0013900F803E090387E0FC0D91FFFC7FCEB03F823397DB62A
+>I<EB01C013031307131F13FFB5FCA2131F1200B3B3A7497E007FB512F0A31C3779B62A>
+I<EB0FF0EB7FFE48B57E3903E03FE0390F000FF0001E6D7E001C6D7E486D7E5A6E7E1260
+12FE6CEC7F807FA56CC7FC121CC8FCEDFF00A25D14015D14035D4A5A4A5A5D4A5A4AC7FC
+147E5C495A14E0495A495A49C8FC011EEB01805B5B49130348481400485A485A90C75A48
+B6FC5A5A485CB6FCA321377CB62A>I<EB07F8EB3FFF90B512C03901F80FF03903C007F8
+48486C7E390E0001FEEA0F80391FE000FF7FA56C5A6C5AC7485AA25D14035D4A5A5DEC0F
+80027FC7FCEB1FFCECFF809038000FE06E7EEC01FC816E7EED7F80A216C0A2153F16E0A2
+121EEA7F80A2487EA316C0157F491480007EC7FC0070ECFF006C495A121E390F8003F839
+07F00FF00001B512C06C6C90C7FCEB0FF823397DB62A>I<1538A2157815F8A214011403
+1407A2140F141F141B14331473146314C313011483EB030313071306130C131C13181330
+1370136013C01201EA038013005A120E120C5A123812305A12E0B712F8A3C73803F800AA
+4A7E0103B512F8A325387EB72A>I<0006140CD80780133C9038F003F890B5FC5D5D1580
+92C7FC14FC38067FE090C9FCAAEB07F8EB1FFE9038780F809038E007E03907C003F0496C
+7E130000066D7E81C8FC8181A21680A4121C127F5A7FA390C713005D12FC00605C12704A
+5A6C5C6C1303001E495A6C6C485A3907E03F800001B5C7FC38007FFCEB1FE021397CB62A
+>I<EC3FC0903801FFF0010713FC90380FE03E90383F800790387E001F49EB3F80484813
+7F485A12075B000FEC3F0049131E001F91C7FC5B123FA3127F90C9FCEB01FC903807FF80
+39FF1E07E090383801F0496C7E01607F01E0137E497F16805BED1FC0A390C713E0A57EA4
+7F123F16C0A2001FEC3F807F000F15006D5B000714FE6C6C5B6C6C485A3900FE07F09038
+7FFFC0011F90C7FCEB03FC23397DB62A>I<12301238123E003FB612E0A316C05A168016
+000070C712060060140E5D5D00E014304814705D5DC712014A5A4AC7FC1406140E5CA25C
+1478147014F05C1301A213035C1307A2130FA3131F5CA2133FA5137FA96DC8FC131E233A
+7BB72A>I<EB03F8EB1FFF017F13C09038FC07F03901E001F83903C0007C4848133C90C7
+123E48141E000E141F001E80A3121FA26D5B6D131E7FD80FF85B6D137C01FF13786C6D5A
+6CEBE3E0ECF780C601FFC7FC6D5A6D6C7E010F13E0013F7F01F97F3901E07FFE48486C7E
+380F800F48486C1380001E010113C0487F007C143F0078EC1FE0150F00F81407481403A2
+1501A36C15C0A200781403007C15806C14076CEC0F006C6C131ED807E0137C3903F803F0
+C6B55A013F1380D907FCC7FC23397DB62A>I<EB03F8EB1FFF017F13C03901FC07E04848
+6C7E3907E001F8000F6D7E4848137E5B003F80A248C71380A25AED1FC0A516E0A56C143F
+A36C7E157F121F6C6C13FF6C6C13DF000313013901F0039F3900FC0F1FD93FFC13C0EB07
+F090C7FCA2153F1680A216005D120F486C137E486C5BA24A5A4A5A49485A381F000F001C
+EB1F80260F807FC7FC3807FFFE000113F838003FC023397DB62A>I<121C127FEAFF80A5
+EA7F00121CC7FCB2121C127FEAFF80A5EA7F00121C092479A317>I<121C127FEAFF80A5
+EA7F00121CC7FCB2121C127FEAFF80A213C0A3127F121C1200A412011380A2120313005A
+1206120E5A5A5A12600A3479A317>I<EF01C0EF0780EF1E0017F8EE03E0040FC7FC163C
+16F0ED03C0030FC8FC153CEC01F0EC07C0021EC9FC1478EB01E0EB0780011ECAFC13F8EA
+03E0000FCBFC123C12F0A2123C120FEA03E0EA00F8131EEB0780EB01E0EB0078141EEC07
+C0EC01F0EC003C150FED03C0ED00F0163C160FEE03E0EE00F8171EEF0780EF01C0322E79
+AB41>I<007FB812F8B912FCCCFCB0B912FC6C17F836147B9E41>I<12E01278121EEA07C0
+EA01F0EA003C130FEB03C0EB00F0143C140FEC03E0EC00F8151EED0780ED01E0ED007816
+1EEE07C0EE01F0EE003C170FEF03C0A2EF0F00173CEE01F0EE07C0041EC7FC1678ED01E0
+ED0780031EC8FC15F8EC03E0020FC9FC143C14F0EB03C0010FCAFC133CEA01F0EA07C000
+1ECBFC127812E0322E79AB41>I<EB3FE03801FFFE3907C03F80390E000FC0003CEB07F0
+00301303007014F8007C130100FE14FC7EA4127E003CEB03F8C7FCEC07F0A2EC0FE0EC1F
+80EC3F00147E147C5C495A5C495A5CA249C7FCA31306AA90C8FCA8130EEB3F80497EA56D
+5A010EC7FC1E3B7CBA27>I<1538A3157CA315FEA34A7EA34A6C7EA202077FEC063FA202
+0E7FEC0C1FA2021C7FEC180FA202387FEC3007A202707FEC6003A202C07F1501A2D90180
+7F81A249C77F167FA20106810107B6FCA24981010CC7121FA2496E7EA3496E7EA3496E7E
+A213E0707E1201486C81D80FFC02071380B56C90B512FEA3373C7DBB3E>65
+D<B712E016FC16FF0001903980007FC06C90C7EA1FE0707E707E707EA2707EA283A75F16
+035F4C5A4C5A4C5A4C5AEEFF8091B500FCC7FCA291C7EA7F80EE1FE0EE07F0707E707E83
+707EA21880177F18C0A7188017FFA24C13005F16034C5AEE1FF8486DEB7FF0B812C094C7
+FC16F832397DB83B>I<913A01FF800180020FEBE003027F13F8903A01FF807E07903A03
+FC000F0FD90FF0EB039F4948EB01DFD93F80EB00FF49C8127F01FE153F12014848151F48
+48150FA248481507A2485A1703123F5B007F1601A35B00FF93C7FCAD127F6DED0180A312
+3F7F001F160318006C7E5F6C7E17066C6C150E6C6C5D00001618017F15386D6C5CD91FE0
+5C6D6CEB03C0D903FCEB0F80902701FF803FC7FC9039007FFFFC020F13F002011380313D
+7BBA3C>I<B712C016F816FE000190398001FF806C90C7EA3FE0EE0FF0EE03F8707E707E
+177FA2EF3F8018C0171F18E0170F18F0A3EF07F8A418FCAC18F8A4EF0FF0A218E0A2171F
+18C0EF3F80A2EF7F0017FE4C5A4C5AEE0FF0EE3FE0486DEBFF80B8C7FC16F816C036397D
+B83F>I<B812FEA3000190388000076C90C8FC173F838383A383A31880170116C0A394C7
+FCA31501A21503150F91B5FCA3EC000F15031501A21500A21860A318E093C712C0A41701
+A3EF0380A21707A2170F173F177F486D903807FF00B9FCA333397EB838>I<B812F8A300
+01903880001F6C90C71201EE00FC177C173C171CA2170CA4170E1706A2ED0180A21700A4
+1503A21507151F91B5FCA3EC001F15071503A21501A692C8FCAD4813C0B612C0A32F397D
+B836>I<DBFF8013C0020FEBF001023F13FC9139FF803F03903A03FC000787D90FF0EB03
+CF4948EB00EF4948147F4948143F49C8121F485A4848150F48481507A248481503A2485A
+1701123F5B007F1600A448481600AB93B6FCA26C7E9338007FE0EF3FC0A2123F7F121FA2
+6C7EA26C7EA26C7E6C7E6C6C157F6D7E6D6C14FF6D6C14EFD90FF8EB03C7D903FEEB0783
+903A00FFC03F0191393FFFFC00020F01F0130002001380383D7CBA41>I<B648B512FEA3
+0001902680000313006C90C76C5AB3A491B6FCA391C71201B3A6486D497EB648B512FEA3
+37397DB83E>I<B612C0A3C6EBC0006D5AB3B3AD497EB612C0A31A397EB81E>I<013FB512
+E0A39039001FFC00EC07F8B3B3A3123FEA7F80EAFFC0A44A5A1380D87F005B0070131F6C
+5C6C495A6C49C7FC380781FC3801FFF038007F80233B7DB82B>I<B649B5FCA300010180
+9038007FF06C90C8EA3F80053EC7FC173C17385F5F4C5A4C5A4CC8FC160E5E5E5E5E4B5A
+ED0780030EC9FC5D153E157E15FF5C4A7F4A6C7E140E4A6C7E4A6C7E14704A6C7E4A6C7E
+14804A6C7E6F7EA26F7F707EA2707E707EA2707EA2707E707EA2707E707F8484486D497F
+B6011FEBFF80A339397DB841>I<B612E0A3000101C0C8FC6C90C9FCB3AD1718A5173817
+30A31770A317F0A216011603160FEE1FE0486D13FFB8FCA32D397DB834>I<B5933807FF
+F86E5DA20001F0FC002600DFC0ED1BF8A2D9CFE01533A3D9C7F01563A3D9C3F815C3A2D9
+C1FCEC0183A3D9C0FEEC0303A2027F1406A36E6C130CA36E6C1318A26E6C1330A36E6C13
+60A26E6C13C0A3913901FC0180A3913900FE0300A2ED7F06A3ED3F8CA2ED1FD8A3ED0FF0
+A3486C6D5A487ED80FFC6D48497EB500C00203B512F8A2ED018045397DB84C>I<B59138
+07FFFE8080C69238007FE06EEC1F80D9DFF0EC0F001706EBCFF8EBC7FCA2EBC3FEEBC1FF
+A201C07F6E7EA26E7E6E7E81140F6E7E8114036E7E168080ED7FC016E0153FED1FF0ED0F
+F8A2ED07FCED03FEA2ED01FF6F1386A2EE7FC6EE3FE6A2EE1FF6EE0FFEA216071603A216
+011600A2177E486C153E487ED80FFC151EB500C0140EA2170637397DB83E>I<EC03FF02
+1F13E09138FE01FC903901F8007ED907E0EB1F8049486D7ED93F80EB07F049C76C7E01FE
+6E7E48486E7E49157E0003167F4848ED3F80A24848ED1FC0A2001F17E049150F003F17F0
+A3007F17F8491507A300FF17FCAC007F17F86D150FA3003F17F0A26C6CED1FE0A36C6CED
+3FC0000717806D157F000317006C6C15FEA26C6C4A5A017F4A5A6D6C495A6D6C495AD907
+E0EB1F80D903F8017FC7FC903900FE01FC91381FFFE0020390C8FC363D7BBA41>I<B712
+C016FC16FF0001D9800013C06C90C7EA1FE0707EEE03F883707EA2707EA21880A71800A2
+4C5AA24C5A5FEE0FF04C5AEEFF8091B548C7FC16F091CAFCB3A5487FB6FCA331397EB838
+>I<EC03FF021F13E09138FE01FC903901F8007ED907E0EB1F8049486D7ED93F80EB07F0
+49C76C7E01FE6E7E48486E7EA24848157F0007178049153F000F17C049151F001F17E0A2
+4848ED0FF0A3007F17F8A2491507A200FF17FCAC007F17F8A26D150FA2003F17F0A26C6C
+ED1FE0A36C6CED3FC00007027C14804AB4FC3C03F80383807F003B01FC0701C0FEEC0E00
+2600FE0CEBE1FC017FEC63F8D93F8CEB77F0D91FCCEB3FE0D907EE14806DB449C7FC0100
+D981FC130CEC1FFF0203131C91C7001E131C161F183CEF807CEFC0F8EE0FFFA318F08218
+E07013C07013809338007E00364B7BBA41>I<B612FEEDFFE016F8000190388007FE6C90
+C76C7EEE3FC0707E707E707EA2707EA283A65FA24C5AA24C5A4C5AEE3F8004FFC8FCED07
+FC91B512E05E9138000FF0ED03F8ED00FE82707E707EA2161F83A583A6F00180A217F816
+0F1803486D01071400B66D6C5A04011306933800FE0ECAEA3FFCEF07F0393B7DB83D>I<
+D90FF813C090383FFE0190B512813903F807E33907E000F74848137F4848133F48C7121F
+003E140F007E1407A2007C140312FC1501A36C1400A37E6D14006C7E7F13F86CB47E6C13
+F8ECFF806C14E06C14F86C14FEC680013F1480010714C0EB007F020713E0EC007FED3FF0
+151F150FED07F8A200C01403A21501A37EA216F07E15036C15E06C14076C15C06C140F6D
+EB1F80D8FBF0EB3F00D8F0FE13FE39E03FFFF8010F13E0D8C00190C7FC253D7CBA2E>I<
+003FB812E0A3D9C003EB001F273E0001FE130348EE01F00078160000701770A300601730
+A400E01738481718A4C71600B3B0913807FF80011FB612E0A335397DB83C>I<B6903807
+FFFEA3000101809038007FE06C90C8EA1F80EF0F001706B3B2170E6D150C80171C133F17
+186D6C14385F6D6C14F06D6C5C6D6C495A6D6CEB07806D6C49C7FC91387F807E91381FFF
+F8020713E09138007F80373B7DB83E>I<B500FC91387FFF80A30003018091380FFC006C
+90C8EA07E0715A6C705A6E1403017F93C7FCA280013F1506A26E140E011F150C80010F5D
+A28001075DA26E147001031560A26D6C5CA2806D4A5AA2ED8003027F91C8FCA291383FC0
+06A215E0021F5BA2EDF01C020F1318A26E6C5AA215FC02035BA2EDFEE002015BA26E6C5A
+A36FC9FCA3153EA2151CA3393B7EB83E>I<B5D8FC07B5D8F001B5FCA30007902780001F
+FEC7EA1FF86C48C7D80FF8EC07E000010307ED03C01B807F6C6F6C1500A26E5F017F6E6C
+1406A280013F4A6C5CA280011F4A6D5BEE067FA26D6C010E6D5BEE0C3FA26D6C011C6D5B
+EE181FA26D6C6F5BEE300FA26D6C6F485AEE6007A26D6C4CC7FC9338C003FCA203805D91
+3B7F818001FE06A203C1150EDA3FC3C7EAFF0CA203E3151CDA1FE6EC7F98A215F6DA0FFC
+EC3FF0A302075E4B141FA202035E4B140FA202015E4B1407A2020093C8FC4B80503B7EB8
+55>I<B500FE91383FFFE0A3000301E0913807FE00C649EC03F0017F6F5A606D6C5D6D6C
+140395C7FC6D6C1406A26D6C5C6D6C141C17186D6C143817306D6D5B6E6C13E05F91383F
+E0015F91381FF003DA0FF890C8FC1606913807FC0E160C913803FE1C913801FF185E6E13
+B016E0157F6F5AB3A24B7E023FB512C0A33B397FB83E>89 D<003FB7FCA39039FC0001FE
+01C0130349495A003EC7FC003C4A5A5E0038141F00784A5A12704B5A5E006014FF4A90C7
+FCA24A5A5DC712074A5AA24A5A5D143F4A5AA24A5A92C8FC5B495AA2495A5C130F4948EB
+0180A2495A5C137F495A16034890C7FC5B1203485AEE0700485A495C001F5D48485C5E48
+48495A49130FB8FCA329397BB833>I<EAFFFCA2EAFC00B3B3B3B3A7EAFFFCA20E5379BD
+17>I<EAFFFCA21200B3B3B3B3A712FFA20E537FBD17>93 D<007FB81280B912C0A26C17
+803204797041>95 D<EB1FE0EBFFFC3803E03F3907000F80390F8007E0486C6C7E13E06E
+7EA26E7E6C5A6C5AC8FCA4147FEB07FFEB3FE0EBFE00EA03F8EA0FF0EA1FC0123F485A90
+C7FC160C12FEA31401A26C13036CEB077C903980063E18383FC01E3A0FE0781FF03A03FF
+F00FE03A007F8007C026277DA52A>97 D<EA03F012FFA3120F1203B0EC1FE0EC7FF89038
+F1E03E9039F3801F809039F7000FC001FEEB07E049EB03F049EB01F85BED00FCA216FEA2
+167E167FAA167E16FEA216FC15016D14F8ED03F07F01EEEB07E001C6EB0FC09039C7801F
+00903881E07E903800FFF8C7EA1FC0283B7EB92E>I<EB03FC90381FFF8090387E03E039
+01F80070484813F83907E001FC380FC003A2EA1F80123F90380001F848EB00F01500A212
+7E12FEAA127E127FA26C14067F001F140E6D130C000F141C6C6C13386C6C13706C6C13E0
+39007C07C090381FFF00EB07F81F277DA525>I<ED0FC0EC03FFA3EC003F150FB0EB03F8
+EB1FFF90387E078F9038F801EF3903F0007F4848133F4848131FA24848130F123F90C7FC
+5AA2127E12FEAA127E127FA27EA26C6C131FA26C6C133F6C6C137F6C6CEBEFF03A01F801
+CFFF39007C078F90381FFE0FD907F813C0283B7DB92E>I<EB07F8EB1FFF90387C0FC039
+01F803E03903F001F0D807E013F8380FC0004848137CA248C7127E153E5A153F127E12FE
+A3B7FCA248C8FCA5127EA2127FA26C14037F001F14076C6C13060007140E6D131CD801F0
+13386C6C137090387E03E090381FFF80903803FC0020277EA525>I<147E903803FF8090
+380FC1E0EB1F8790383F0FF0137EA213FCA23901F803C091C7FCADB512FCA3D801F8C7FC
+B3AB487E387FFFF8A31C3B7FBA19>I<ED03F090390FF00FF890393FFC3C3C9039F81F70
+7C3901F00FE03903E007C03A07C003E010000FECF000A248486C7EA86C6C485AA200075C
+6C6C485A6D485A6D48C7FC38073FFC38060FF0000EC9FCA4120FA213C06CB512C015F86C
+14FE6CECFF804815C03A0F80007FE048C7EA0FF0003E140348140116F8481400A56C1401
+007C15F06CEC03E0003F1407D80F80EB0F80D807E0EB3F003901FC01FC39007FFFF00107
+90C7FC26387EA52A>I<EA03F012FFA3120F1203B0EC0FF0EC3FFCECF03F9039F1C01F80
+9039F3800FC0EBF70013FE496D7EA25BA35BB3A3486C497EB500C1B51280A3293A7EB92E
+>I<EA0380EA0FE0487EA56C5AEA0380C8FCAAEA03F012FFA312071203B3AA487EB512C0
+A312387EB717>I<EB01C0EB07F0EB0FF8A5EB07F0EB01C090C7FCAAEB01F813FFA31307
+1301B3B3A2123C127E00FF13F01303A214E038FE07C0127C383C0F00EA0FFEEA03F81549
+84B719>I<EA03F012FFA3120F1203B1913801FFFCA39138007FC01600157C15705D4A5A
+4A5A4AC7FC141E1438147814FC13F1EBF3FEEBF73F01FE7FEBF81F496C7E8114076E7E6E
+7E811400157E157F811680ED1FC0486CEB3FF0B500C0B5FCA3283A7EB92C>I<EA03F012
+FFA3120F1203B3B3AD487EB512C0A3123A7EB917>I<2703F00FF0EB1FE000FFD93FFCEB
+7FF8913AF03F01E07E903BF1C01F83803F3D0FF3800FC7001F802603F70013CE01FE14DC
+49D907F8EB0FC0A2495CA3495CB3A3486C496CEB1FE0B500C1B50083B5FCA340257EA445
+>I<3903F00FF000FFEB3FFCECF03F9039F1C01F803A0FF3800FC03803F70013FE496D7E
+A25BA35BB3A3486C497EB500C1B51280A329257EA42E>I<EB03FE90380FFF8090383E03
+E09038F800F84848137C48487F48487F4848EB0F80001F15C090C712074815E0A2007EEC
+03F0A400FE15F8A9007E15F0A2007F14076C15E0A26C6CEB0FC0000F15806D131F6C6CEB
+3F006C6C137EC66C13F890387E03F090381FFFC0D903FEC7FC25277EA52A>I<3903F01F
+E000FFEB7FF89038F1E07E9039F3801F803A07F7000FC0D803FEEB07E049EB03F04914F8
+49130116FC150016FEA3167FAA16FEA3ED01FCA26DEB03F816F06D13076DEB0FE001F614
+C09039F7803F009038F1E07E9038F0FFF8EC1FC091C8FCAB487EB512C0A328357EA42E>
+I<D903F813C090381FFE0190387E07819038FC01C33903F000E300071477484813374913
+3F001F141F485A150F48C7FCA312FEAA127FA37E6D131F121F6D133F120F6C6C137F6C6C
+13EF3901F801CF39007E078F90381FFE0FEB07F890C7FCABED1FE00203B5FCA328357DA4
+2C>I<3807E01F00FFEB7FC09038E1E3E09038E387F0380FE707EA03E613EE9038EC03E0
+9038FC0080491300A45BB3A2487EB512F0A31C257EA421>I<EBFF03000313E7380F80FF
+381E003F487F487F00707F12F0A2807EA27EB490C7FCEA7FE013FF6C13E06C13F86C7F00
+037FC67F01071380EB007F141F00C0EB0FC01407A26C1303A37E15806C13077EEC0F00B4
+131E38F3C07C38E1FFF038C03F801A277DA521>I<1318A51338A31378A313F812011203
+1207001FB5FCB6FCA2D801F8C7FCB215C0A93800FC011580EB7C03017E13006D5AEB0FFE
+EB01F81A347FB220>I<D803F0EB07E000FFEB01FFA3000FEB001F00031407B3A4150FA3
+151F12016D133F0000EC77F86D9038E7FF8090383F03C790381FFF87903A03FC07E00029
+267EA42E>I<B538803FFEA33A0FF8000FF06C48EB07E00003EC03C06D148000011500A2
+6C6C1306A26D130E017E130CA26D5BA2EC8038011F1330A26D6C5AA214E001075BA29038
+03F180A3D901FBC7FCA214FF6D5AA2147CA31438A227257EA32C>I<B53A1FFFE03FFEA3
+260FF8009038000FF86C48017EEB03E018C00003023EEB0180A26C6C013FEB0300A36C6C
+EC8006156FA2017E9038EFC00C15C7171CD93F01EBE01815830281EBF038D91F83143015
+0102C3EBF87090260FC6001360A2D907E66D5A02EC137CA2D903FCEB7F804A133FA20101
+92C7FC4A7FA20100141E4A130E0260130C37257EA33C>I<B538807FFFA33A03FE003FF0
+0001EC1F80000092C7FC017E131C6D13186D6C5AECC070010F5B6D6C5AECF180EB03FB6D
+B4C8FC6D5AA2147F804A7E8114CF903801C7E090380383F090380703F8EB0601496C7E01
+1C137E49137F01787F496D7E486C80000FEC3FF0D8FFFE90B51280A329247FA32C>I<B5
+38803FFEA33A0FF8000FF06C48EB07C00003EC03806C7E16007F00001406A2017E5BA213
+7F6D5BA26D6C5AA2ECC070010F1360A26D6C5AA214F101035BA2D901FBC7FCA214FF6D5A
+A2147CA31438A21430A214701460A25CA2EA7C0100FE5B130391C8FC1306EAFC0EEA701C
+6C5AEA1FF0EA0FC027357EA32C>I<003FB512FCA2EB8003D83E0013F8003CEB07F00038
+EB0FE012300070EB1FC0EC3F800060137F150014FE495AA2C6485A495AA2495A495A495A
+A290387F000613FEA2485A485A0007140E5B4848130C4848131CA24848133C48C7127C48
+EB03FC90B5FCA21F247EA325>I<EC01F8140FEC3F80ECFC00495A495A495AA2130F5CB3
+A7131F5C133F49C7FC13FEEA03F8EA7FE048C8FCEA7FE0EA03F8EA00FE137F6D7E131F80
+130FB3A7801307A26D7E6D7E6D7EEC3F80EC0FF814011D537ABD2A>I<126012F0B3B3B3
+B3A91260045377BD17>I<12FCEAFFC0EA07F0EA01FCEA007E7F80131F80130FB3A78013
+07806D7E6D7EEB007EEC1FF0EC07F8EC1FF0EC7E00495A495A495A5C130F5CB3A7131F5C
+133F91C7FC137E485AEA07F0EAFFC000FCC8FC1D537ABD2A>I E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fi ecbx1440 14.4 34
+/Fi 34 118 df<EE7FFC031FB57E4AB612E0020715F8023F9038C00FFC913AFFFC0001FE
+4901F0EB007F010701C0EB03FF4949497F4990C75A5B5C495A4D7F01FF6F5B5CA27190C7
+FC715AEF00F895C8FCAA0407B512C0BAFCA5C601F8C7120F83B3B3A6B6D8F807B612C0A5
+42547DD349>28 D<B712E0AB230B7F9F2C>45 D<151E153E15FE1403140F147FEB07FF00
+03B5FCB6FCA3EBF87FEAFC00C7FCB3B3B3A6007FB712FCA52E4E76CD42>49
+D<EC1FFE49B512F0010F14FC013FECFF804915E02701FF803F7F2703FC000713FCD807F0
+01017F48486D7FD81F806E138048C87E7013C0D87FE016E001F8806D16F000FF817F7013
+F8A56C5AA26C5A6C5AEA0380C914F05EA218E05E18C05E18804C13005F4C5A4C5A5F4B5B
+4B5B4B5B94C7FCED0FFC4B5A4B5AED7FC04B5A4A90C8FCEC03FC4A5A4A4814F84A5A4A5A
+4AC8FC02FEEC01F0495A495A495A5CD90F80140349C8FC013E1507017FB7FC90B812E05A
+5A5A5A5A5A5AB9FC18C0A4354E7ACD42>I<913807FFC0027F13FC0103B67E010F15E090
+261FF80313F890267FC0007F01FEC7EA3FFE48488148486E138013FE486C6C6D13C08048
+17E080A66C5B18C06C5B6C90C75AD80038168090C8FC4C1300A24C5A5F4C5A4B5B4B13C0
+030F5BDB7FFEC7FC91387FFFF816C016FCEEFF80DA000313E09238007FF8EE3FFE707E70
+138018C07013E018F07013F8A218FC82A218FEA3EA03C0EA0FF0EA3FFC487EA2B5FCA218
+FCA25E18F8A26C4816F0495C4916E0D83FE04A13C06C485CD80FF04A1380D807FE91387F
+FE003B03FFE003FFFC6C90B65A6C6C15E0010F92C7FC010114FCD9001F1380374F7BCD42
+>I<17FC1601A216031607160FA2161F163F167FA216FF5D5DA25D5D5D167F153E157E15
+FC15F8EC01F01403EC07E015C0EC0F80141FEC3F00143E5C14FC495A5C495A1307495A5C
+49C7FC5B137E137C5B1201485A5B485A120F485A90C8FC123E127E5ABA1280A5C901FCC7
+FCAF021FB71280A5394F7CCE42>I<486C150601F0153E01FEEC01FED9FFF0133F91B65A
+5F5F5F5F5F94C7FC16FC5E16E093C8FC15FC01F0138091CAFCAC913807FF80023F13F891
+B512FE01F36E7E9026FFFC0113E09139E0007FF891C76C7E496E7E01F86E7E5B70138049
+16C0C9FC18E08218F0A418F8A31203EA0FE0EA3FF8487EA212FF7FA218F0A25B5E6C4816
+E05B01C016C06CC85A18806C6C4A13007FD80FF04A5A6C6CECFFFCD803FE4913F02701FF
+E00F5B6C6CB612806D92C7FC010F14F8010114C09026003FFCC8FC354F7ACD42>I<EA07
+E0EA1FF8EA3FFCEA7FFEA2B5FCA6EA7FFEA2EA3FFCEA1FF8EA07E0C7FCB3A3EA07E0EA1F
+F8EA3FFCEA7FFEA2B5FCA6EA7FFEA2EA3FFCEA1FF8EA07E0103576B425>58
+D<932603FFF01407047F01FF5C0307B600E05B033F03F85B92B700FE5B02039126C003FF
+5B020F01F8C7EA3FC1023F01C0EC0FE391B5C80003B5FC4901FC814949814901E082011F
+498249498292CA7E4948834948835A4A83485B4885A2484984A2485B87A2485B87A25AA2
+98C8FC91CFFCA2B5FCAE7E067FB7128080A37E95C76C90C7FC807EA36C7FA26C7FA26C7F
+7E806C7F137F6D7E816D6D93B5FC01077F6D01F85D6D7F6D01FF5D023F01E0EC0FEF020F
+01FCEC3FE30203903AFFE001FF81020091B6C6FC033F03FC133F030703F0130FDB007F02
+801303040301F8CAFC595479D267>71 D<B81280A5D8000701F0C7FCB3B3B3B2B81280A5
+29527DD130>73 D<B812E0A5D8000F01E0CAFCB3B3A91AF8A419011AF0A51903A31907A2
+190F1AE0191FA2193F197F19FF60180760187F0503B5FCBB12C0A545527CD14F>76
+D<B600F84BB612FC818181A2D800076E91C7383FE00070EE0F80828214DF02CF7F02C77F
+8202C37F14C102C0806F7F836F7F816F7F6F7F83816F7F6F80707F8482707F707F707F84
+82707F7080717F8583717F717F85717F83717F7114801AC07213E0847213F07213F81AFC
+7213FE847213FF72148F1BCF7313EF857313FF85A285858585A286868686A286868686EB
+1FF0B600FE177F1B3F1B1F1B0FA25E527CD167>78 D<B912FCF0FFE019FE737E1AE0D800
+0F01E0C7003F7F060313FC06007F737E7313807313C07313E0851BF0A21BF885A21BFCA9
+1BF8A3611BF0A21BE04F13C0614F13804F13004F5A060713F8063F5B92B812C097C7FC19
+F8198003E0CBFCB3AEB712FEA54E527CD15A>80 D<93381FFF800303B512FC033FECFFC0
+92B712F00207D9F80113FE021F903AC0003FFF804A48C700077FDAFFF8020113F049496E
+7F49496F7E49496F7E49496F7E4990C96C7F4948707F4948707F01FF854849707F4A8248
+86A24849717E48864A83A2481B80A248497113C0A4481BE0A291CB7EA3B51AF0AF6C1BE0
+A36E5FA26C1BC0A36C1B806E5FA26C1B006E5F6C62A26C6DD903FC4A5A6CDB0FFF5D6E49
+EBC0016C4B01E05C6D6C90277E07F0035B6E9039F801F807902A3FFF01F000780F5B6D04
+7C5C6DD981E06D4890C7FC6D01E191381F7FFE010101F1EDFFF86DD9F9F06D5BDA3FFF16
+C06E6D013F5B02079027FE01FFFEC8FC020190B612F8DA003F4B141003071838DB001FEB
+83F893C7EA03FC1C7885726C14F8F2C003F2F01F97B512F084A31CE085A27314C01C8085
+1C00735B735B735B735B9638003FC0556A79D263>I<B912E018FF19F019FE737ED80007
+01F0C714E0060F7F060313FC06007F737E737F8587737FA28785A287A863A26163636163
+4F90C8FC4F5A4F5A06035B060F13E095B5128092B748C9FC19F019C019F09226F0000713
+FC050013FF063F7F727F727F727F727FA2727FA28486A886A71D707513F8A2851C017301
+C013F0A273EBE003B86C6D9038F007E0739038FC1FC0070190B51280736C1400080F5BCE
+13F85D537CD162>I<DA0FFE141C91B500F0133C010702FC137C011F02FF13FC017F15C1
+9026FFF00113E148903980001FFB4890C7EA07FFD807FC14014848804848153F171F4848
+150FA2007F1607491503A2170112FFA217007FA26D167CA27F7F6D93C7FC6C7E14C014F8
+ECFF806C14F8EDFFC06C15FC6CEDFF8017F06C16FC6C826C707E6C836D82011F82010782
+13016D6C81020781EC007F030380ED003F040314801600173F837113C0838312F883A383
+7EA319807EA26C5E19007F6D4B5A7F6D4B5A01FC4B5A6D151FD9FFC04A5AD97FF8ECFFE0
+28FE1FFF80075B010790B6C7FCD8FC0115FC486C6C14F048010F14C0489026007FFCC8FC
+3A5479D249>I<003FBB12FCA59126C0007FEB000301FCC7ED003FD87FF0F00FFE491807
+49180349180190C81600A2007E1A7EA3007C1A3EA500FC1A3F481A1FA6C91700B3B3AC49
+B912C0A550517BD05B>I<EC3FFE0107B512E0011F14FC017F14FF2701FFC00F13C02703
+FE00037F486C01007F6E6D7E486D80707EA2707EA3707F6C5B6C90C7FC6C5AC9FCA60307
+B5FC0203B6FC147F0103B7FC011FEBF00F017F1300EBFFFC000313F04813C0485B4890C7
+FC5A5B485AF081F012FF5BA35EA26D5C127F6D5C003F03F713C36DD901E314E06CD9C007
+14FF00079026F01F8114C06C90B5C61480C602FC6D1300011F01F0EB3FFC01010180EB07
+F03C387CB642>97 D<913803FFE0023F13FE91B67E010315E0010F9038003FF8D93FFCEB
+07FC4948497E4948131F4849497E485B485BA24890C7FC5A5B003F6F5A705A705A007F92
+C8FC5BA312FFAD127F7FA3123F7F6CEE0F80A26C6D141F18006C6D5C6C6D143E6C6D147E
+6C6D5C6D6C495A6DB4EB07F0010F9038C01FE06D90B5128001014AC7FCD9003F13F80203
+138031387CB63A>99 D<943803FF80040FB5FCA5EE003F170FB3A4913803FF80023F13F8
+49B512FE0107ECFF8F011F9038C03FEF90273FFE0007B5FCD97FF8130149487F48498048
+4980484980488291C8FC5A5B123FA2127F5BA312FFAD127FA37F123FA3121F7F6C5E6C6D
+5C5F6C6D91B5FC6C6D5B6C6D4914E0D97FFCD90FEFEBFF80D91FFFEB7F8F010790B5120F
+010114FC6D6C13E00207010049C7FC41547CD249>I<913807FF80027F13F849B512FE01
+076E7E011F010313E0903A3FFC007FF0D97FF06D7E49486D7E4849130F48496D7E488248
+90C77E1880485A82003F17C0A3485A18E082A212FFA290B8FCA401FCCAFCA6127FA37F12
+3FA2EF03E06C7E17076C17C06C6D140F18806C6D141F6C6DEC3F006C6D147ED97FFC495A
+D91FFFEB07F86D9038E03FF0010390B512C001005D023F01FCC7FC020113E033387CB63C
+>I<ED1FF8913803FFFE020FEBFF80023F14C09139FFF83FE001039038E0FFF049138049
+010113F85BEB3FFEA2EB7FFCA26F13F0495AEE7FE0EE1F8093C7FCAEB712C0A5C601F8C8
+FCB3B3A7B612FEA52D547CD328>I<DA1FFE14FE49B539E007FF80010FDAFC1F13C0013F
+DAFF7F13E090267FF807EBFF072701FFE001EBF07F48497E484990387FF83F91C7003F14
+C048EEFC1F489338FE070049021F90C7FCA2003F82A9001F5EA26D143F6C5E6C5E6E137F
+6C6D495A6C6D485B6CD9F80713804890B6C8FCD803EF14FC01C114E02707C01FFEC9FC49
+CBFCA2487EA37FA27F13FC90B612FE6CEDFFF017FCEFFF806C8318F06C836C837F48B87E
+1207D80FFCC700037F4848EC003F4848150F48486F138083485A83A56D5D007F18006D5D
+003F5F6C6C4B5A01FE153FD807FFED7FF06C01C049485AC601FC011F1380013FB648C7FC
+010F15F8010115C0D9000F01F8C8FC3B4F7CB542>I<EB3FF8B5FCA51203C6FCB3A4EE1F
+FC93B57E030314E0030F14F892391FC07FFC92397E003FFE03F86D7EECF9F04B6D7FECFB
+C0ECFF8092C76C7FA25CA25CA45CB3ACB6D8F807B612C0A542537CD249>I<133FEBFFC0
+487F487FA2487FA66C5BA26C5B6C5B013FC7FC90C8FCAEEB1FF8B5FCA512017EB3B3A6B6
+12F0A51C547CD324>I<EB3FF8B5FCA51203C6FCB3B3B3B1B612F8A51D537CD224>108
+D<D93FF0D91FF84AB47EB591B56C010F13F8030302E0013F13FE030F6E90B6FCDB3F8090
+27F803F80F7F922A7E007FFC07E0077F000302F890283FFE0F80037FC6D9F1F0011F4948
+7EDAF3E0DAFF3E814B153CDAF7805D92C76C496D7F14FF4A5EA24A5EA34A5EB3ADB6D8F8
+0FB66CB612F8A565367BB56E>I<D93FF0EB1FFCB591B57E030314E0030F14F892391FC0
+7FFC92397E003FFE000302F86D7EC6EBF1F04B6D7FECF3C0ECF78092C76C7F14FF5CA25C
+A45CB3ACB6D8F807B612C0A542367CB549>I<913801FFC0023F13FE91B67E010315E001
+0F018013F8903A3FFC001FFED97FF0EB07FF49486D7F48496D7F48496D7F91C8127F4883
+488349153F001F83A2003F8349151FA2007F83A400FF1880AC007F1800A3003F5F6D153F
+A2001F5FA26C6C4B5AA26C6D4A5A6C5F6C6D495B6C6D495B6D6C4990C7FCD93FFCEB1FFE
+6DB46CB45A010790B512F0010115C0D9003F49C8FC020313E039387CB642>I<D93FF8EB
+7FF0B50107B5FC031F14C0037F14F09126F9FF0013FCDAFFF8EB3FFF000302E0010F7FC6
+02806D7F92C76C7F4A824A804A6E7F85187F85A2183F85A4721380AD4E1300A44E5AA261
+18FF616E5C616E4A5B6E4A5B6F495B03E04990C7FC6FEB7FFE913AF9FE01FFF802F8B65A
+033F14C0030749C8FC030013E093CAFCB1B612F8A5414D7DB549>I<90393FF001FCB590
+380FFF804B13E0037F13F09238FE1FF89138F1F83F00019138F07FFC6CEBF3E015C0ECF7
+80A2ECFF00EE3FF84AEB1FF0EE0FE093C7FC5CA45CB3ABB612FEA52E367DB535>114
+D<903903FFC00E011FEBFC1E90B6127E000315FE3907FE003FD80FF0130F484813034848
+1301491300127F90C8127EA248153EA27FA27F01F091C7FC13FCEBFF806C13FEECFFF06C
+14FE6F7E6C15E06C816C15FC6C81C681133F010F15801301D9000F14C0EC003F030713E0
+150100F880167F6C153FA2161F7EA217C07E6D143F17807F6DEC7F0001F85C6DEB03FE90
+39FF801FFC486CB512F0D8F81F14C0D8F00791C7FC39E0007FF02B387CB634>I<147CA6
+14FCA41301A31303A21307A2130F131F133F137F13FF1203000F90B512FEB7FCA426007F
+FCC8FCB3A9EE0F80ABEE1F006D7EA2011F143E806D6D5A6DEBC1F86DEBFFF001005C023F
+1380DA03FEC7FC294D7ECB33>I<D93FF8913801FFC0B50207B5FCA50003ED001FC61607
+B3AE5FA35FA25F137F5F6D6C14F7DC01E713F06D6CD907C7EBFFC0903A0FFF801F876D90
+B51207010114FC6D6C13F0020701C091C7FC42377CB549>I E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fj ecrm0900 9 5
+/Fj 5 109 df<123C127E12FFA4127E123C08087A8715>46 D<EB7F803803FFF0380F80
+FC381C003E003F133F6D6C7E6E7EA26E7EEA1F00C7FCA4EB01FF131FEBFF873803FC07EA
+0FF0EA1FC0EA3F80127F13004815C05AA3140FA26C131F6C133B3A3F8071F180391FC1E1
+FF2607FFC013003900FE003C22237DA126>97 D<EA03F012FFA312071203AEEC3F80ECFF
+E09038F3C0F89038F7007E01FE7F49EB1F8049EB0FC05BED07E016F0A2150316F8AA16F0
+150716E0A2ED0FC07F6DEB1F8001ECEB3F0001CF137C90388381F8903801FFE0C76CC7FC
+25357EB32B>I<EA03F012FFA312071203AEEC1FC0EC7FF09038F1E0FC9038F3807C9038
+F7007E13FE497FA25BA25BB3486CEB7F80B538C7FFFCA326347EB32B>104
+D<EA07E012FFA3120F1207B3B3A7EA0FF0B5FCA310347EB315>108
+D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fk ecbx0900 9 7
+/Fk 7 117 df<ED1F80A24B7EA24B7EA34B7EA24A7FA34A7FA24A7F15CFA2020F7F1587
+021F801503023F80EC3E01A2027E80EC7C0002FC804A137FA20101814A133F0103814A13
+1FA249B67EA24981A290271F8000077F91C77EA24982013E80017E82017C80A201FC8249
+157FB500F0013FB512F0A43C347DB343>65 D<EB7FFE0003B512E04814F8390FF00FFC39
+1FF803FF806E138016C0157F6C5A6C5AEA0180C8FCEC7FFF010FB5FC90B6FC0003EBF07F
+000F1300EA1FF8485A485A485A5BA315FF7F007F5B6D4813E03A3FF80FBFFF000FB5121F
+0003EBFC0F39007FE00728217EA02B>97 D<EA01FC12FFA4120F1207ADEC0FF8EC7FFF01
+FDB512C09039FFF01FF09138800FF84A6C7E496D7E496D7EA2178081A217C0A91780A25D
+1700A26D495A6D495A6E485A9039F7E03FF001E1B512C0D9C07F90C7FC9038801FF02A34
+7DB331>I<903807FF80013F13F090B512FC3903FE01FE4848487EEA0FF8EA1FF0EA3FE0
+A2007F6D5A496C5A153000FF91C7FCA9127F7FA2003FEC07807F6C6C130F000FEC1F00D8
+07FE133E3903FF80FCC6EBFFF8013F13E0010790C7FC21217DA027>I<3901F81F8000FF
+EB7FF0ECFFF89038F9E3FC9038FBC7FE380FFF876C1307A213FEEC03FCEC01F8EC006049
+1300B1B512F0A41F217EA024>114 D<9038FFE1C0000713FF5A383F803F387E000F1407
+5A14037EA26C6CC7FC13FCEBFFE06C13FC806CEBFF80000F14C06C14E0C6FC010F13F0EB
+007F140F00F0130714037EA26C14E06C13076CEB0FC09038C01F8090B5120000F913FC38
+E03FE01C217DA023>I<133CA5137CA313FCA21201A212031207001FB51280B6FCA3D807
+FCC7FCB0EC03C0A79038FE078012033901FF0F006C13FEEB3FFCEB0FF01A2F7EAE22>I
+E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fl ecrm1200 12 25
+/Fl 25 122 df<121EEA7F8012FF13C0A213E0A3127FEA1E601200A413E013C0A3120113
+80120313005A1206120E5A5A5A12600B1D78891B>44 D<14FF010713E090381F81F89038
+3E007C01FC133F4848EB1F8049130F4848EB07C04848EB03E0A2000F15F0491301001F15
+F8A2003F15FCA390C8FC4815FEA54815FFB3A46C15FEA56D1301003F15FCA3001F15F8A2
+6C6CEB03F0A36C6CEB07E0000315C06D130F6C6CEB1F806C6CEB3F00013E137C90381F81
+F8903807FFE0010090C7FC28447CC131>48 D<EB03FE90381FFFC0017F13F03901F80FFC
+3903C001FE48486C7E000EC7EA7F8048EC3FC0ED1FE04815F00030140F007015F8006014
+07126CB415FC7F7F1503A46C4813076CC7FCC8FC16F8A2150F16F0151F16E0A2ED3FC0ED
+7F8016005D5D4A5A4A5A4A5A5D4A5A4A5A4AC7FC147C5C5C495A495A495A49C7120C131E
+5B013814185B5B485A4848143848C81230000E1570001FB612F0A25A5AB712E0A326427B
+C131>50 D<EC07FCEC3FFF91B512C0903903FC03E0903907E000F0D91FC0133849C71258
+017EEB01FC01FE1303491307485A485AA24848EB03F8000FEC01F092C7FC485AA3485AA3
+127FA29038007F80903801FFF090380780FC39FF0E003E49EB1F8049EB0FC049EB07E013
+6001E0EB03F04914F8150116FC5BED00FEA390C812FFA47EA57F123FA216FE121F15016D
+14FC120FED03F86C7EED07F06C6C14E06C6CEB0FC06C6CEB1F80017EEB3F0090383F80FE
+90380FFFF8010313E00100138028447CC131>54 D<16C04B7EA34B7EA34B7EA34B7EA3ED
+19FEA3ED30FFA203707FED607FA203E07FEDC03FA2020180ED801FA2DA03007F160FA202
+06801607A24A6D7EA34A6D7EA34A6D7EA20270810260147FA202E08191B7FCA249820280
+C7121FA249C87F170FA20106821707A2496F7EA3496F7EA3496F7EA201788313F8486C83
+D80FFF03037FB500E0027FEBFFC0A342477DC649>65 D<B8FC17E017FC00019039C00003
+FF6C6C4801007FEF3FC0717E717E717E84170384170184A760A21703601707604D5A4D5A
+EF7FC04DC7FCEE03FEEE3FF091B65A17FC0280C7B47EEF1FC0EF0FF0717E717E717E717E
+1980187F19C0A2183F19E0A8F07FC0A2198018FF4D1300A24D5AEF0FFC4D5AEF7FE04848
+6C903803FFC0B9C7FC17FC17C03B447CC345>I<B712FEEEFFE017F800019039C00007FE
+6C6C48903800FF80EF3FC0EF0FF0717E717EEF00FE8484F03F80F01FC0A2F00FE019F018
+0719F8A2180319FCA3F001FEA419FFAD19FEA3180319FCA319F8180719F0180F19E0A2F0
+1FC0F03F80A2F07F0018FE4D5A4D5AEF0FF0EF3FE0EFFF8048486C010790C7FCB812FC17
+E04CC8FC40447CC34A>68 D<B56C933807FFFC6E5EA20001F1FE0026006FE0EE1BF8A3D9
+67F01633A2D963F81663A3D961FC16C3A3D960FEED0183A2027FED0303A36E6C1406A36E
+6C140CA26E6C1418A36E6C1430A36E6C1460A26E6C14C0A36E6CEB0180A3037FEB0300A2
+92383F8006A36F6C5AA36F6C5AA26F6C5AA36F6C5AA36F6C5AA26FB45AA370C7FC13F0A2
+486C143ED80FFFEF0FFEB500F0011C0107B512FCA34E447BC359>77
+D<003FB912F8A3903BF0001FF8001F01806D481303003EC7150048187C0078183CA20070
+181CA30060180CA5481806A5C81600B3B3A54B7EED7FFE49B77EA33F447DC346>84
+D<B600C0010FB5FCA3000101E0C813F026007F80ED1F80F00F00A21806B3B3A7180E6D6C
+150CA2181C131F6E1518010F163818306D6C1570606D6C14016D6C5D6D6CEC0780027F4A
+C7FC6E6C131EDA1FE0137C913907FC03F00201B55A6E6C1380DB07FCC8FC40467CC349>
+I<EB07FC90383FFF809038F80FE03903C003F048C66C7E000E6D7ED80FC0137E486C137F
+6D6D7EA36F7EA26C5AEA0380C8FCA4EC0FFF49B5FC90380FFE1FEB3FC0EBFF00EA03FC48
+5A485A485A485A127F5B176048C7FCA3153FA36D137F007F14EF6D9038C7E0C0003F1301
+3A1FE00783F13B07F81E03FF802701FFFC0113003A001FE0007C2B2E7CAC31>97
+D<EC7F80903803FFF090380FC07C90383F000F01FCEB03804848EB01C00003140F4848EB
+1FE049133F120F485AA2485AED1FC0007FEC070092C7FCA290C9FC5AAB7E7FA2123F1630
+7F001F15706C6C146016E06C6C14C06C6C13010001EC03806C6CEB0700013F131E90381F
+C078903807FFF001001380242E7DAC2B>99 D<167FED3FFFA315018182B3EC7F80903803
+FFF090380FC07C90383F000E017E1307496D5AD803F87F48487F5B000F81485AA2485AA2
+127FA290C8FC5AAB7E7FA2123FA26C7EA2000F5D7F6C6C5B00035C6C6C9038077F806C6C
+010E13C0013F011C13FE90380FC0F8903803FFE09026007F0013002F467DC436>I<EB01
+FE903807FFC090381F03F090387E00FC49137E48487F485A4848EB1F80000F15C049130F
+121F484814E01507A2007F15F090C7FCA25AA390B6FCA290C9FCA67EA27FA2123F16306C
+7E1670000F15606D14E06C6C14C0000314016C6CEB03806C6CEB0700013E131E90381F80
+F8903803FFE0010090C7FC242E7DAC2B>I<EE0F80D901FCEB7FE0903A0FFF81F0F09039
+3F07E3819039FC01FF033A01F800FE014848017E13E00007027FC7FC497F000F8149131F
+001F81A9000F5D6D133F000792C7FC6D5B0003147E6C6C5B6D485A3903BF07E090380FFF
+80260701FCC8FC90CAFCA25AA37F6C7E7F90B512F86C14FF16E06C15F86C6C8048B67E3A
+07C0000FFF48481300003FC8EA3F80003E151F48ED0FC0A2481507A56C150F007C168000
+7E151F003E16006C153E6C6C5CD807E0495AD801F8EB07E0D8007FEB3F8090261FFFFEC7
+FC010113E02C427DAC31>103 D<EA01E0EA07F8A2487EA46C5AA2EA01E0C8FCADEA01FC
+12FFA3120712031201B3B0487EB512F8A315437DC21C>105 D<EA01FC12FFA312071203
+1201B3B3B3A5487EB512F8A315457DC41C>108 D<3901FC01FE00FF903807FFC091381E
+07F091383801F8000701707F0003EBE0002601FDC07F5C01FF147F91C7FCA25BA35BB3A8
+486CECFF80B5D8F83F13FEA32F2C7DAB36>110 D<EC7F80903803FFF090380FC0FC9038
+3E001F496D7E496D7E48486D7E48486D7E48486D7E000F81A24848147E003F157FA290C8
+7E481680A44816C0AA6C1680A26D147F003F1600A2001F157E6D14FE000F5D6D13010007
+5D6C6C495A6C6C495A6C6C495A013E49C7FC90381FC0FE903807FFF89038007F802A2E7D
+AC31>I<3903F803F000FFEB1FFCEC3C3EEC707F0007EBE0FF3803F9C000015B13FBEC00
+7E153C01FF13005BA45BB3A748B4FCB512FEA3202C7DAB26>114
+D<90383FE0183901FFFC383907E01F78390F0003F8001E1301481300007C1478127800F8
+1438A21518A27EA27E6C6C13006C7E13FC383FFFE06C13FC6C13FF6C14C06C14E0C614F0
+011F13F81300EC0FFC140300C0EB01FE1400157E7E153EA27EA36C143C6C147C15786C14
+F86CEB01F039F38003E039F1F00F8039E07FFE0038C00FF01F2E7DAC26>I<1306A5130E
+A4131EA3133E137EA213FE12011207001FB512F0B6FCA2C648C7FCB3A4150CAA017E131C
+017F1318A26D133890381F8030ECC070903807E0E0903801FFC09038007F001E3E7EBC26
+>I<D801FC147F00FFEC3FFFA300071401000380000181B3A85EA35DA212006D5B017E90
+38077F80017F010E13C06D011C13FE90380FC078903803FFF09026007F8013002F2D7DAB
+36>I<B539F001FFFCA3000790C7EA7FE06C48EC1F8000011600160E1200160C017F5CA2
+80013F5CA26E1370011F146080010F5CA2ECF00101075CA26D6C48C7FCA26E5A01011306
+A26D6C5AA214FF6E5AA215B8EC3FB015F06E5AA36E5AA26E5AA36EC8FC2E2C7EAA33>I<
+B539F001FFFCA3000790C7EA7FE06C48EC1F8000011600160E0000150C6D141C6D1418A2
+6E1338013F1430A26D6C5BA26E13E0010F5CA26D6C485AA2ECF803010391C7FCA2903801
+FC06A2ECFE0E0100130CA2EC7F18A215B8EC3FB0A2EC1FE0A36E5AA26E5AA36EC8FCA214
+06A35CA25CA2123C007E5BB4FC5CA25CEAFE01387C0380D87007C9FCEA3C1EEA0FFCEA03
+F02E3F7EAA33>121 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fm ecbx1200 12 47
+/Fm 47 123 df<0118140C017C143E01FC147E48485C4848495A495C4848495A4848495A
+001F140F90C75B003E4AC7FCA2003C141E007C143E0078143CA200F8147CA2481478D8F1
+F014F8D8F7FCEB7BFEB46CEB7FFF6D1580028014C0A36C80A36C806C496C13806C486D13
+006C486D5AD801F0EB00F82A2283C427>16 D<D807C0EB03E0D81FF0EB0FF8486C497E48
+6C497E486C497E6D1580A3028014C0A36C806C80D81FF7EB0FFBD807C7EB03E3D80007EB
+0003010F1407A291C71380A249140F011E1500013E5CA249143E01FC147E49147C48485C
+4848495A000714034848495A4848495A90C75B000C0206C7FC2A2281C427>I<ED0FFF4A
+B512C0020F14F0027F80903A01FFF803FC499038C000FE010FEB00034948497E49485B5C
+495A4C138001FF6E13005CA3705AEE01F893C8FCA74BB51280B9FCA5C69038E00003B3B0
+007FD9FFC1B6FCA538467EC53E>28 D<EA07C0EA1FF0EA3FF8EA7FFCEAFFFEA7EA7FFCEA
+3FF8EA1FF0EA07C00F0F788E1F>46 D<EC3FF849B5FC010F14E0013F14F890397FF01FFC
+9039FFC007FE4890380001FF48486D1380000716C049147F000F16E049143F001F16F0A2
+003F16F8A249141F007F16FCA600FF16FEB3A3007F16FCA56C6CEC3FF8A3001F16F0A200
+0F16E06D147F000716C06D14FF6C6C4913806C6D4813006C6D485A90397FF01FFC6DB55A
+010F14E0010314809026003FF8C7FC2F427CC038>48 D<EC03C01407141F147FEB03FF13
+3FB6FCA413C3EA0003B3B3ADB712FCA5264177C038>I<ECFFE0010F13FE013F6D7E90B6
+12E0000315F82607FC0313FE3A0FE0007FFFD81F806D138048C7000F13C0488001C015E0
+01F07F00FF6E13F07F17F881A46C5A6C5A6C5AC9FC17F05DA217E05D17C04B13804B1300
+A2ED1FFC4B5A5E4B5A4B5A4A90C7FC4A5A4A5AEC0FF04A5AEC3F804AC7127814FE495A49
+4814F8D907E014F0495A495A49C8FC017C140149140348B7FC4816E05A5A5A5A5AB8FC17
+C0A42D417BC038>I<ECFFF0010713FF011F14C0017F14F049C66C7ED803F8EB3FFED807
+E06D7E81D80FF86D138013FE001F16C07FA66C5A6C4815806C485BC814005D5E4B5A4B5A
+4B5A4A5B020F1380902607FFFEC7FC15F815FF16C090C713F0ED3FFCED0FFEEEFF80816F
+13C017E0A26F13F0A217F8A3EA0FC0EA3FF0487EA2487EA217F0A25D17E06C5A494913C0
+5BD83F80491380D81FF0491300D80FFEEBFFFE6CB612F800015D6C6C14C0011F49C7FC01
+0113E02D427BC038>I<163FA25E5E5D5DA25D5D5D5DA25D92B5FCEC01F7EC03E7140715
+C7EC0F87EC1F07143E147E147C14F8EB01F0EB03E0130714C0EB0F80EB1F00133E5BA25B
+485A485A485A120F5B48C7FC123E5A12FCB91280A5C8000F90C7FCAC027FB61280A53141
+7DC038>I<0007150301E0143F01FFEB07FF91B6FC5E5E5E5E5E16804BC7FC5D15E092C8
+FC01C0C9FCAAEC3FF001C1B5FC01C714C001DF14F09039FFE03FFC9138000FFE01FC6D7E
+01F06D13804915C0497F6C4815E0C8FC6F13F0A317F8A4EA0F80EA3FE0487E12FF7FA317
+F05B5D6C4815E05B007EC74813C0123E003F4A1380D81FC0491300D80FF0495AD807FEEB
+FFFC6CB612F0C65D013F1480010F01FCC7FC010113C02D427BC038>I<4AB47E021F13F0
+027F13FC49B6FC01079038807F8090390FFC001FD93FF014C04948137F4948EBFFE04849
+5A5A1400485A120FA248486D13C0EE7F80EE1E00003F92C7FCA25B127FA2EC07FC91381F
+FF8000FF017F13E091B512F89039F9F01FFC9039FBC007FE9039FF8003FF17804A6C13C0
+5B6F13E0A24915F0A317F85BA4127FA5123FA217F07F121FA2000F4A13E0A26C6C15C06D
+4913806C018014006C6D485A6C9038E01FFC6DB55A011F5C010714C0010191C7FC903800
+3FF02D427BC038>I<121E121F13FC90B712FEA45A17FC17F817F017E017C0A248168000
+7EC8EA3F00007C157E5E00785D15014B5A00F84A5A484A5A5E151FC848C7FC157E5DA24A
+5A14035D14074A5AA2141F5D143FA2147F5D14FFA25BA35B92C8FCA35BA55BAA6D5A6D5A
+6D5A2F447AC238>I<EA07C0EA1FF0EA3FF8EA7FFCEAFFFEA7EA7FFCEA3FF8EA1FF0EA07
+C0C7FCAEEA07C0EA1FF0EA3FF8EA7FFCEAFFFEA7EA7FFCEA3FF8EA1FF0EA07C00F2C78AB
+1F>58 D<1A60F101F01907191FF17FC0953801FF00F007FCF01FF0F07FC04D48C7FCEF07
+FCEF3FF0EFFFC0040390C8FCEE0FFCEE3FE0EEFF80DB03FEC9FCED0FF8ED3FE0EDFF80DA
+07FECAFCEC1FF8EC7FE0903801FF80D907FCCBFCEB1FF0EB7FC04848CCFCEA07FCEA1FF0
+EA7FC048CDFCA2EA7FC0EA1FF0EA07FCEA01FF38007FC0EB1FF0EB07FC903801FF809038
+007FE0EC1FF8EC07FE913800FF80ED3FE0ED0FF8ED03FE923800FF80EE3FE0EE0FFCEE03
+FF040013C0EF3FF0EF07FCEF01FF9438007FC0F01FF0F007FCF001FF9538007FC0F11FF0
+19071901F10060444277B957>60 D<126012F812FE6C7EEA3FE0EA0FF8EA03FEC66C7EEB
+3FE0EB0FF8EB03FE903800FFC0EC3FF0EC0FFCEC03FF9138007FC0ED1FF0ED07FCED01FF
+9238007FC0EE1FF0EE07FE933801FF809338007FE0EF1FF8EF03FE943800FF80F03FE0F0
+0FF8F003FE953800FF80F13FE0F10FF0A2F13FE0F1FF80953803FE00F00FF8F03FE0F0FF
+80DD03FEC7FCEF1FF8EF7FE0933801FF80DC07FEC8FCEE1FF0EE7FC04B48C9FCED07FCED
+1FF0ED7FC0DA03FFCAFCEC0FFCEC3FF0ECFFC0D903FECBFCEB0FF8EB3FE0EBFF80D803FE
+CCFCEA0FF8EA3FE0EAFF8048CDFC12F81260444277B957>62 D<923803FFF0037FEBFF80
+0203B612F0020F15FC913A3FFC000FFFDAFFC0010013C0D903FEC8EA1FF0D907F0ED03F8
+D91FC0ED00FE4948167F017ECAEA1F8049717E4848717E49DAFF8013034848010F01F06D
+7E4848013F01FC6D7E92B6FC4848489026C07F80137C49489026001FC0133C484948D907
+E0133E001E49486D6C131E003E49480101141F023F913800FFE0003C4A82007C017F1880
+007819074A5AA300F81AC04848491603AB6C6C7F12781B801A076E7E127C003C133F003E
+6E1700021F4A5C001E6D6C5B001F6D6C49EBF01E6C6D6C011F143E6D6CD9C07F6D5A6C6C
+6C90B5383FFFF8033FD9FC0F5B6C6C010FD9F0035B6C6C0100903980007F806D91CBFC6C
+7E137E6D7E6D6CEF7FC0D907F0EE03FFD903FE043F1300902600FFC0913803FFF8DA3FFC
+49B512C0020FB748C7FC020316E0DA007F02FCC8FC030349C9FC4A477AC557>64
+D<EE1F80A24C7EA24C7EA34C7EA24B7FA34B7FA24B7FA34B7F169F031F80161F82033F80
+ED3E07037E80157C8203FC804B7E02018115F0820203814B137F0207815D173F020F814B
+7F021F8292C77EA24A82023E80027E82027FB7FCA291B87EA2498302F0C8FCA20103834A
+157F0107834A153FA249488284011F8491C97E4984133E017E82B6020FB612F0A54C457C
+C455>I<B9FC18F018FE727E19E026003FFCC700077F05017F716C7E727E727EA2721380
+A37213C0A74E1380A24E1300A24E5A4E5A4E5A4D5B05075B94B5128091B700FCC7FC18F0
+18FF19E002FCC7000113F8716C7EF01FFE727E7213801AC07213E0A27213F0A31AF8A71A
+F0A2601AE0604E13C0604E138095B5120005075BBA12F86119C04EC7FC18E045447CC350
+>I<DCFFF01470031F01FF14F04AB6EAE0010207EDF803023FEDFE0791B539E001FF0F49
+49C7EA3F9F010701F0EC0FFF4901C0804990C87E4948814948814948167F4849163F4849
+161F5A4A160F485B19074890CAFC19035A5BA2007F1801A34994C7FC12FFAE127F7F1AF0
+A2123FA27F6C18011AE06C7F19036C6D17C06E16077E6C6DEE0F806C6DEE1F006D6C5E6D
+6C167E6D6C6C5D6D6D4A5A6D01F0EC07F0010101FEEC1FE06D903AFFF001FF80023F90B6
+C7FC020715FC020115F0DA001F1480030001F8C8FC44467AC451>I<B9FC18F018FE727E
+19E026003FFEC7001F13F805017F9438003FFF060F7F727F727F727F84737E737EA2737E
+A2737EA21B80A2851BC0A51BE0AD1BC0A51B8061A21B006162193F624F5A19FF624E5B06
+075B4E5B063F90C7FC4DB45A050F13F8BA5A19C04EC8FC18F095C9FC4B447CC356>I<B7
+12E0A5D8001F90C7FCB3B3B3A4B712E0A523447DC32A>73 D<B500FE067FB512806E95B6
+FCA26F5EA2D8003F50C7FC013D6DEE03DFA2013C6DEE079FA26E6CEE0F1FA26E6C161EA2
+6E6C163CA36E6C1678A26E6C16F0A26E6DEC01E0A26E6DEC03C0A36E6DEC0780A26F6CEC
+0F00A26F6C141EA26F6C5CA36F6C5CA26F6C5CA26F6D485AA26F6D485AA26F6D485AA370
+6C48C7FCA293383FF81EA2706C5AA2706C5AA3706C5AA2705BA2705BA2705BA2B6057FB6
+128071C7FCA2173E171C61447CC36A>77 D<923807FFC092B512FE0207ECFFC0021F15F0
+91267FFE0013FC902601FFF0EB1FFF01070180010313C04990C76C7FD91FFC6E6C7E4948
+6F7E49486F7E01FF8348496F7E48496F1380A248496F13C0A24890C96C13E0A24819F049
+82003F19F8A3007F19FC49177FA400FF19FEAD007F19FC6D17FFA3003F19F8A26D5E6C19
+F0A26E5D6C19E0A26C6D4B13C06C19806E5D6C6D4B13006C6D4B5A6D6C4B5A6D6C4B5A6D
+6C4A5B6D01C001075B6D01F0011F5B010101FE90B5C7FC6D90B65A023F15F8020715C002
+004AC8FC030713C047467AC454>79 D<DAFFE0131C010701FE133C013F9038FF807C90B6
+EAE0FC4815F9489038801FFF3907FC00014848EB007F4848143F4848140F491407007F15
+035B1601160012FF177CA27FA26D153C7F7F6D92C7FC6C7EEBFFE014FE6CEBFFF015FF6C
+15E016FC6C816C6F7E6C826C826C6C81011F810107811300020F80140003077FED007F82
+040F1380828212F082A282A27EA218007EA26C5D6C5E6D14036D5D6D140701F84A5A01FF
+EC3FF002F8EBFFE0486CB65AD8FC1F92C7FCD8F80714FC48C614F0480107138031467AC4
+3E>83 D<007FBA12E0BB12F0A46C19E04406776757>95 D<903801FFE0011F13FE017F6D
+7E48B612E03A03FE007FF84848EB1FFC6D6D7E486C6D7EA26F7FA36F7F6C5A6C5AEA00F0
+90C7FCA40203B5FC91B6FC1307013F13F19038FFFC01000313E0481380381FFE00485A5B
+127F5B12FF5BA35DA26D5B6C6C5B4B13F0D83FFE013EEBFFC03A1FFF80FC7F0007EBFFF8
+6CECE01FC66CEB8007D90FFCC9FC322F7DAD36>97 D<EB7FC0B5FCA512037EB1ED0FF892
+B57E02C314E002CF14F89139DFC03FFC9139FF000FFE02FCEB03FF4A6D13804A15C04A6D
+13E05CEF7FF0A218F8173FA318FCAC18F8A2177F18F0A3EFFFE06E15C06E5B6E49138002
+7C491300496C495A903AFC1FC07FFC496CB512F0D9F00314C049C691C7FCC8EA1FF03646
+7DC43E>I<EC3FFC49B512C0010F14F0013F14FC90397FF003FE9039FFC001FF0003495A
+48494813805B120F485AA2485A6F1300007F6E5AED00784991C7FCA212FFAC6C7EA3123F
+6DEC03C0A26C6C1407000F16806D140F6C6DEB1F006C6D133E6C01F05B3A007FFC03F86D
+B55A010F14C0010391C7FC9038003FF82A2F7CAD32>I<EE03FEED07FFA5ED001F160FB1
+EC3FE0903803FFFC010FEBFF8F013F14CF9039FFF807FF48EBC00148903880007F4890C7
+123F4848141F49140F121F485AA3127F5BA212FFAC127FA37F123FA26C6C141FA26C6C14
+3F0007157F6C6C91B5FC6CD9C00314FC6C9038F01FEF6DB5128F011FEBFE0F010713F890
+26007FC0EBF80036467CC43E>I<EC3FF80103B57E010F14E0013F8090397FF83FF89039
+FFC007FC48496C7E48496C7E48486D1380485A001FED7FC05B003FED3FE0A2127F5B17F0
+161F12FFA290B7FCA401F0C9FCA5127FA27FA2123F17F06C7E16016C6C15E06C6C14036C
+6DEB07C06C6DEB0F806C01F0EB3F0090397FFE01FE011FB55A010714F0010114C0902600
+1FFEC7FC2C2F7DAD33>I<EDFF80020F13E0027F13F049B512F849EB8FFC90390FFE0FFE
+90381FFC1F14F8133FEB7FF0A2ED0FFCEBFFE0ED03F0ED00C01600ABB612F8A5C601E0C7
+FCB3B0007FEBFFE0A527467DC522>I<DAFFE0137E010F9039FE03FF80013FEBFF8F90B8
+12C048D9C07F133F489038001FF84848EB0FFC4848903907FE1F80001F9238FF0F00496D
+90C7FCA2003F82A8001F93C7FCA26D5B000F5D6C6C495A6C6C495A6C9038C07FF04890B5
+5A1680D8078F49C8FC018013E0000F90CAFCA47F7F7F90B612C016FC6CEDFF8017E06C82
+6C16FC7E000382000F82D81FF0C77ED83FC014074848020113808248C9FC177FA46D15FF
+007F17006D5C6C6C4A5A6C6C4A5AD80FFEEC3FF83B07FFC001FFF0000190B612C06C6C92
+C7FC010F14F8D9007F90C8FC32427DAC38>I<EB7FC0B5FCA512037EB1ED07FE92383FFF
+8092B512E002C114F89139C7F03FFC9138CF801F9139DF000FFE14DE14FC4A6D7E5CA25C
+A35CB3A7B60083B512FEA537457CC43E>I<137C48B4FC4813804813C0A24813E0A56C13
+C0A26C13806C1300EA007C90C7FCAAEB7FC0EA7FFFA512037EB3AFB6FCA518467CC520>
+I<EB7FC0B5FCA512037EB3B3B3A3B61280A519457CC420>108 D<90277F8007FEEC0FFC
+B590263FFFC090387FFF8092B5D8F001B512E002816E4880913D87F01FFC0FE03FF8913D
+8FC00FFE1F801FFC0003D99F009026FF3E007F6C019E6D013C130F02BC5D02F86D496D7E
+A24A5D4A5DA34A5DB3A7B60081B60003B512FEA5572D7CAC5E>I<90397F8007FEB59038
+3FFF8092B512E0028114F8913987F03FFC91388F801F000390399F000FFE6C139E14BC02
+F86D7E5CA25CA35CB3A7B60083B512FEA5372D7CAC3E>I<EC1FFC49B512C0010714F001
+1F14FC90397FF80FFF9026FFC0017F48496C7F4848C7EA3FE000078248486E7E49140F00
+1F82A2003F82491407007F82A400FF1780AA007F1700A46C6C4A5AA2001F5E6D141F000F
+5E6C6C4A5AA26C6C6CEBFFE06C6D485B27007FF80F90C7FC6DB55A010F14F8010114C090
+26001FFCC8FC312F7DAD38>I<90397FC00FF8B590B57E02C314E002CF14F89139DFC03F
+FC9139FF001FFE000301FCEB07FF6C496D13804A15C04A6D13E05C7013F0A2EF7FF8A4EF
+3FFCACEF7FF8A318F017FFA24C13E06E15C06E5B6E4913806E4913006E495A9139DFC07F
+FC02CFB512F002C314C002C091C7FCED1FF092C9FCADB67EA536407DAC3E>I<DA3FE013
+1E902603FFFC133E010F01FF137E013F1480903AFFF80FE0FE489038E003F148EBC00148
+90388000FB4890C7127F49143F001F151F485A160F5B127FA3485AAC6C7EA46C7EA26C6C
+141F163F6C6C147F6C15FF6C6D5A6C9038E003EF6C9038F01FCF6DB5128F011FEBFE0F01
+0313F89038007FC091C7FCAD0307B512FCA536407CAC3B>I<90387F807FB53881FFE002
+8313F0028F13F8ED8FFC91389F1FFE000313BE6C13BC14F8A214F0ED0FFC9138E007F8ED
+01E092C7FCA35CB3A5B612E0A5272D7DAC2E>I<90391FFC038090B51287000314FF120F
+381FF003383FC00049133F48C7121F127E00FE140FA215077EA27F01E090C7FC13FE387F
+FFF014FF6C14C015F06C14FC6C800003806C15806C7E010F14C0EB003F020313E0140000
+F0143FA26C141F150FA27EA26C15C06C141FA26DEB3F8001E0EB7F009038F803FE90B55A
+00FC5CD8F03F13E026E007FEC7FC232F7CAD2C>I<EB01E0A51303A41307A2130FA2131F
+A2133F137F13FF1203000F90B51280B7FCA4C601E0C7FCB3A3ED01E0A9150302F013C013
+7F150790393FF80F8090391FFC1F006DB5FC6D13FC01015B9038003FE023407EBE2C>I<
+D97FC049B4FCB50103B5FCA50003EC000F6C81B3A85EA25EA25E7E6E491380017FD901F7
+13FE9138F807E76DB512C7010F1407010313FE9026007FF0EBFC00372E7CAC3E>I<B690
+3803FFFCA5000101E09038003E006C163C80017F5D8017F8013F5D6E1301011F5D6E1303
+010F5D6E13076D5DED800F6D92C7FC15C05E6DEBE01E163E6D143CEDF07C027F1378EDF8
+F8023F5B15FD021F5B15FF6E5BA36E5BA26E90C8FCA26E5AA26E5AA21578362C7EAB3B>
+I<B500FE90383FFFF0A5C601F0903803E0006D6C495A6D6C495A011F4AC7FC6E5B6D6C13
+7E6DEB807C6D6D5A6DEBC1F0EDE3E06DEBF7C06EB45A806E90C8FC5D6E7E6E7F6E7FA24A
+7F4A7F8291381F3FFCEC3E1F027C7F4A6C7E49486C7F01036D7F49487E02C08049486C7F
+49C76C7E013E6E7E017E141FB500E090B512FCA5362C7EAB3B>120
+D<001FB71280A49026FC001F130001E0495A5B49495A90C7485A48495B123E4A5B4A5B00
+3C495BA24A90C7FC4A5A4A5AC7FC4A5A495B495BA2495B499038800780491300A2495A49
+48130F49481400A2485B48495B485BA248495B4890C75A48485C15034848EB1FFEB7FCA4
+292C7DAB32>122 D E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fn ecrm1728 17.28 8
+/Fn 8 117 df<B912F018FF19E019F8C601FCC8EA7FFED93FF892380FFF80011F04017F
+9538007FF0F11FF8737EF103FE737E737F747E747E747E1A0F87747E1A0387747EA27413
+80A2F37FC0A21CE01B3FA21CF0A21B1F1CF8A31CFCA21B0FA41CFEAF1CFCA51B1F1CF8A4
+F33FF0A21CE0A21B7F1CC01BFF1C80A2501300A2505A505AA2505A505A505A505A1AFF4F
+5B4F90C7FCF107FCF11FF8F17FF0953801FFC0013F04075BD9FFFCDB7FFEC8FCBA12F819
+E096C9FC18F0576278E167>68 D<BB12FCA4C601FCC8120FD93FF89238007FFE011F171F
+190719031900A21A7E1A3EA21A1EA21A1F86A486A6F20380A318E0A297C7FCA61701A417
+031707170F171F17FF91B7FCA402F8C7FC171F170F170717031701A41700A895C9FCB3A5
+80133F90B57EB712E0A4496278E158>70 D<EC3FE0903803FFFE010F6D7E90393FC03FE0
+90397C000FF801F0EB03FC48486D7E48486D7E48486E7E48C86C7E7F01F06E7E487E6D6E
+7EA3707EA36C5AEA03E0C9FCA6167FED7FFF020FB5FC91387FF807903801FF80903807FC
+00EB1FF0EB7FC0495AD803FEC7FC485A120F5B485A485AA24848EE01C0A312FF5BA2160F
+A3161F6D141B007F153B16736D17806C6C9138E1FC03001FEC03C16C6C903A0780FE0700
+D807FE49486C5A2701FF807CEB7FFE6C6CB4486D5A011F01E06D5A010390C7EA07E03A41
+79BF43>97 D<ED1FE0EDFFF8020313FE91380FF03F91391FC01F8091383F807F91397F00
+FFC014FE1301495A5C0107EC7F80A24948EB1E0093C7FCA2495AB3A5B712E0A426001FE0
+C8FCB3B3B0497EEB7FFC003FB512FEA42A657DE429>102 D<1378EA01FE487E487FA66C
+90C7FC6C5AEA007890C8FCB3A2EB0780EA0FFFB5FCA41203C6FCA2137FB3B3AC497E487F
+B61280A4195F7BDE25>105 D<010FEB07F8D80FFFEB1FFEB590387FFF809238F81FC091
+3801E03F913903C07FE00003EB0780C6EB0F00140E6D5A0218EB3FC00238EB1F800230EB
+0600027090C7FCA2146014E0A25CA55CB3B0497E4813F0B612F8A42B3F7BBE34>114
+D<9138FFC003010FEBF807017FEBFE0F3A01FF003F9FD803F0EB07DF48486DB4FCD80F80
+1300001F8148C8FC003E81007E81127C00FC81A4827EA27E7F6C7E6D91C7FC13F8EA3FFE
+381FFFE06C13FF15F0000314FE6C6E7E6C6C14E0011F14F801078001008002077FDA003F
+13801507030113C0ED007F00E0ED3FE0161F17F06C150F1607A36C1503A37EA26C16E016
+077E17C06D140F6D15806D141FD8FDF0EC3F00D8F8F8147E017C495A3AF01F801FF06DB5
+12C0D8E00391C7FC39C0007FF02C417CBF35>I<1470A714F0A51301A31303A21307A213
+0FA2131F133F137F13FF1203000F90B6FCB8FCA326000FF0C8FCB3AEEE01C0AE6D6CEB03
+80A316076D6C14005E6D6C130E6D6C131E6E6C5A91383FE0F86EB45A020713C0020090C7
+FC2A597ED734>I E
+%EndDVIPSBitmapFont
+%DVIPSBitmapFont: Fo ecbx1728 17.28 18
+/Fo 18 117 df<BB7E1AFCF2FFC01BF01BFED8000191C8001F6D7E070014E0081F7F0807
+13FC08017F747F093F7F757F757F757F757F757F757FA2767E1E80881EC0881EE0881EF0
+A2881EF8A31EFC88A31EFEA61EFFB01EFEA61EFCA2641EF8A31EF064A21EE0641EC0641E
+80521300A2525A515B515BA2515B515B093F5B515B504848C7FC08075B081F5B97B512E0
+070F1480BC48C8FC1BF81BC008FCC9FC1A8068627BE177>68 D<942603FFF8151C94B66C
+143C040F03F0147C047F03FC14FC0303B81301030FDAC00113C0033F01F8C7381FF00392
+B500C0913807F807020349C83801FE0F020F01F89238007F1F4A01E0EE3FBF4A49EE0FFF
+91B5CA7E494983494983494983495B4949187F4B183F491A1F495B90B5CC120FA2484919
+075A4A19035A4A19015AA24A19005AA348491A7CA35A9AC8FCA35CA2B5FCB07EA26E043F
+B81280A47E96C7000701FCC7FCA26C7FA37E80A27E807E807E6C7FA26D7F6D7F7F816D7F
+6D6D5F6D7F6D6D5F6D6D7E023F6D5E6E01F05E6E6DEEFE7F020301FF923801FC3F020002
+C0913807F80F033F01FC91381FF007030F903BFFE001FFC001030391B6EA8000DB007F4B
+C7123C040F03F8140C040003C091C8FC050301F8CBFC696677E37A>71
+D<BA12E0F1FF801AF81AFF1BC0D8000191C7000114F0DE000F13FC070313FF070080083F
+7F747F747F747F747FA2747F88A28986A389A865A35091C8FCA26462646462505B505B50
+138097B5C9FC070313FC070F5B4EB512C093B8CAFC1AF81AC01AF893C7000713FE06006D
+7E073F7F7313F007077F737F87737F85888688A2747FAA88A91F707614F8A286A2746D13
+011FF086746D13037614E0B800FE6EED07C0746CEBC00F759038F07F80090F90B5120009
+035CCF6C13F80A0313E06D647BE173>82 D<001FBD12F0A59126F8000191C7123F4801C0
+060713F849C71700491A7F01F01A1F491A0F491A07A2491A03A290C81801A2007EF300FC
+A4007C1C7CA7481C3EA5C91900B3B3B3A5023FB912F8A55F617AE06C>84
+D<913803FFF0027F13FF0103B612E0010F15F890263FFC0013FED97FC090381FFF8049C7
+6C7F4801C06D7F486D6D7F6E6D7F48836E7F84177F84A36C496E7FA26C5B6C5B013FC8FC
+90C9FCA75F0307B6FC4AB7FC141F91B5EAF03F0103EBFE00010F13F0013F1380D9FFFEC7
+FC485B485B485B485B485B485BA24890C8FC1A7CA2485AA35FA394B5FC7F6C5D6EEB03DF
+6CDB07CFEBC0F86C6DEB0F8F6C6DD91F07EBF3F06C01F8017E14FF6C9027FE01FC0314E0
+C690B5D8F00114C0013F9126C0007F1380010791C7383FFE009026003FF8EC07F846437B
+C14D>97 D<903807FF80B6FCA5C6FC7F7FB3A9933801FFE0041F13FE047FEBFFC00381B6
+12F0922687FC0113FC923A9FE0003FFEDBBF8090380FFF8003FEC76C7F4B6E7F4B6E7F4B
+6E7F4B824B157F4B82737EA21B80851BC0A31BE085A41BF0AE1BE0A44F13C0A31B80A24F
+1300A262197F6F5E6F4B5A4E5B6F4A5BDAFCF84A5BDAF87E4A5B4A6C4A90C7FC9126E01F
+C0EB7FFC913BC00FF803FFF8DA8003B612E091C71580013E023F01FCC8FC90C800031380
+4C657CE356>I<ED1FFF4AB512F8020F14FF027F15C0902701FFF80013F04901E0EB0FF8
+010F0180EB03FC4990C7EA0FFE49484A7E49485C4948168048495C5A5C5A485BA2487013
+005C48705A715AEF03F04893C8FC91CBFCA4B5FCAE7EA280A27EA36C7FF003E07E6E1507
+6C18C06E150F6C18806C6D151F6C6DED3F006D6C157E6D6C15FE6D6D495A6D6D495A6D01
+F0EB0FE0010101FEEB7FC06D6CB6C7FC021F14FC020314E09126001FFEC8FC3B437BC145
+>I<ED3FFE0203B512E0021F14FC027F14FF902701FFF80F13C00107D9C0037F4990C77F
+49486E7E49486E7E49486E7E49486E7E5A48496E13805A4A16C0488219E0485B834818F0
+A34890C8FCA27113F8A3B5FCA391B8FCA491CBFCA67EA4807EA27E19F8806C17016C18F0
+806C17036C6DED07E06E16C06C170F6D6CED1F806D6CED3F006D6C6C14FE01076DEB03FC
+6D01F8EB0FF8010001FFEB7FE0023F90B51280020F4AC7FC020114F8DA000F13803D437C
+C146>101 D<EEFFE0031F13FC92B6FC02031580020F9038E03FC04A903800FFE091267F
+FE0113F04A485A49494813F84913F04913E0A25B15C05B7013F04913807013E09338007F
+80EF1E0094C7FCB1B8FCA5D8003F0180C8FCB3B3B2B712F8A535657CE42F>I<F13F8091
+2601FFF0903801FFE0021F01FF010713F091B6D8E01F13F801039238F87FCF010F903BC0
+7FFEFC0FFC903B1FFE000FFFF0D97FFC6DEBE01F49486D140F48496D13F01AF848496DEB
+F807489438FC01E096C7FC48496E7EA44883A96C5FA46C6D4A5AA26C5F6C6D495BA26C6D
+495B6D6C495B6D6C4990C8FC903A7FFFC07FFE017B90B512F801F015E0021F91C9FC0001
+010113F049CCFC1203A27FA37FA27F7F6D7E91B612FCEFFFE06C17FCF0FF806C18E0856D
+17FC6D836D837F017F188048BA12C000070180C712074848C96C13E04848160F48481603
+4982007F19F084485A197FA56D17FF007F19E0A26D5E6C6C4C13C0001F19806D5E6C6C4C
+1300000301C0ED3FFC6C01F0EDFFF826007FFC020313E090261FFFE0017F1380010790B6
+48C7FC010116F8D9001F1580DA007F01E0C8FC46607CC14D>I<EB0FE0EB3FF8497E497E
+487FA24880A76C91C7FCA26C5B6D5A6D5AEB0FE090C9FCB1903807FF80007FB5FCA5C6FC
+7F7FB3B3B0B712C0A522657CE42A>105 D<903807FF80B6FCA5C6FC7F7FB3B3B3B3AFB7
+12E0A523647CE32A>108 D<D90FFFEC7FF8B60103B5FC040F14E0043F80DC7F0113FC92
+2601F8007FC6DA03E06D7E6D49487F6D49488193C77E031E825D153803788003708215F0
+5DA35DA35DB3B3A2B7D8E03FB612F8A54D417BC056>110 D<92381FFF804AB512F8020F
+14FF023F15C09126FFFC0313F001039039E0007FFC490180EB1FFED91FFEC73807FF8049
+486E7F49486E7F49486E7F48496F7EA248496F7E4884A248496F7EA2481980A24819C091
+C97EA24819E0A5B518F0AD6C19E0A46C6D4B13C0A36C1980A26C6D4B1300A26C606E157F
+6C606C6D4B5A6C606D6C4A5B6D6C4A5B6D6C4A5B6D6C6C011F90C7FC010301E0EB7FFC6D
+9039FC03FFF86D6CB612E0020F92C8FC020114F8DA001F138044437CC14D>I<903B07FF
+8001FFE0B6011F13FE047FEBFFC00381B612F0922687FC0313FC923A9FE0007FFEC6DABF
+806D6C7E6D01FEC7000F7F6D496E7F4B824B6E7F4B6E7F4B804B82737EA21B80851BC0A2
+851BE0A4851BF0AE4F13E0A41BC061A21B80A24F1300A24F5AA26F4A5B6F4A5B626F4A5B
+6F4A5B03FE4A5B03BF027F90C7FCDB9FC0EBFFFC92268FF8075B0383B612E00380158004
+3F01FCC8FC0403138093CBFCB3A4B712E0A54C5D7CC056>I<D90FFFEB07F8B6EB3FFF4C
+13804BB512E0923903F83FF0923907E07FF8C691380F80FF6D020113FC6D131E153E153C
+1578A21570DBF00013F8EF7FF04BEB3FE0EF0F8094C7FC5DA65DB3B1B712F8A536417DC0
+3E>114 D<DA7FFC131C0107B5EAC03C011FECF0FC90B612FD489038C003FFD807FEC712
+7FD80FF8143F49140F4848140748481403A248481401A2160012FFA26D157CA27F7F7F6D
+92C7FCEBFF806C13F0ECFFC015FE6CECFFC016F86C15FE6C6F7E6C826C826C826C82013F
+81010F81010181EB003F02011580EC000F1500041F13C000F88182826C8182A26C167FA3
+7E18807F17FF6D16007F6D4A5A7F6D4A5A6DEC0FF86D6C495A3BFE1FF001FFE0486CB612
+80D8F8034AC7FC48C614F048010F90C8FC32437BC13D>I<EC07C0A6140FA5141FA3143F
+A2147FA214FF5BA25B5B5B5B137F48B5FC000F91B512F8B8FCA4D8001F01C0C7FCB3B017
+1FAD6D153E81A26D157C816D15F86D7F6D9038FC01F091397FFF07E06EEBFFC0020F1480
+0203EBFE009138003FF8305C7DDA3C>I E
+%EndDVIPSBitmapFont
+end
+%%EndProlog
+%%BeginSetup
+%%Feature: *Resolution 600dpi
+TeXDict begin
+%%PaperSize: A4
+
+%%EndSetup
+%%Page: 1 1
+1 0 bop 290 639 a Fo(Genealogical)56 b(Represen)l(tation)e(of)f(T)-13
+b(rees)52 b(in)g(Databases)1686 822 y Fn(First)46 b(Draft)1247
+1063 y Fm(Miguel)36 b(Sofer)i(<mig@utdt.edu>)1359 1179
+y Fl(Univ)m(ersidad)33 b(T)-8 b(orcuato)33 b(Di)f(T)-8
+b(ella)1728 1295 y(Buenos)33 b(Aires)1797 1411 y(Argen)m(tina)1746
+1606 y(Ma)m(y)h(6,)e(2000)1839 1905 y Fk(Abstract)441
+2035 y Fj(blah)25 b(blah)h(.)13 b(.)g(.)118 2310 y Fi(1)131
+b(In)l(tro)t(duction)118 2491 y Fh(T)-7 b(rees)28 b(are)h(a)g(v)n(ery)f
+(frequen)n(t)h(data)f(structure.)41 b(They)30 b(are)e(the)h(natural)g
+(represen)n(tation)e(for)i(instance)g(for)f(organiza-)118
+2591 y(tional)f(c)n(harts,)g(threaded)g(discussion)g(groups,)f(some)h
+(bills)g(of)h(materials,)e(.)14 b(.)g(.)243 2691 y(A)n(t)28
+b(least)f(t)n(w)n(o)f(alternativ)n(e)h(represen)n(tations)e(for)i
+(trees)g(in)h(RDBMs)g(are)e(kno)n(wn)h(and)h(used:)220
+2857 y(1.)41 b Fg(P)m(oin)m(ters:)k Fh(a)31 b(\034eld)h(in)h(the)f(c)n
+(hild)g(record)e(references)h(the)h(paren)n(t)f(no)r(de.)50
+b(This)32 b(seems)g(to)f(b)r(e)i(the)f(canonical)326
+2956 y(represen)n(tation.)38 b(Some)29 b(DB)g(engines)f(pro)n(vide)g
+(sp)r(ecial)g(SQL)g(extensions)g(to)h(simplify)g(tree)g(searc)n(hes;)e
+(Oracle)326 3056 y(tree)d(extensions)g(are)g(an)h(example)f(\(see)h
+(for)f(instance)g([1]\);)i(DB2's)f(WITH)g(can)f(b)r(e)i(used)e(for)h
+(this)g(purp)r(ose)f(to)r(o)326 3156 y(\(see)j([3],)g(pp)h(139-162\).)
+220 3322 y(2.)41 b Fg(Nested)35 b(Sets:)43 b Fh(t)n(w)n(o)30
+b(n)n(umeric)h(\034elds)g(in)g(ev)n(ery)f(no)r(de)h(record)f(co)r(de)h
+(the)g(tree)g(structure.)47 b(I)31 b(can't)g(pro)n(vide)f(a)326
+3421 y(b)r(etter)e(or)e(briefer)h(description)g(of)h(this)g(metho)r(d)g
+(than)f(the)h(four)f(articles)g([2].)118 3587 y(These)g(t)n(w)n(o)g
+(metho)r(ds)h(o\033er)f(di\033eren)n(t)h(adv)-5 b(an)n(tages)25
+b(and)j(disadv)-5 b(an)n(tages:)243 3753 y Ff(\017)41
+b Fh(P)n(oin)n(ters)30 b(are)g(extremely)g(e\036cien)n(t)h(for)f(no)r
+(de)h(insertion)f(and/or)g(deletion,)h(but)h(require)e(recursiv)n(e)f
+(table)i(ac-)326 3853 y(cesses)e(to)h(searc)n(h)f(the)h(tree)g(\(I)h
+(do)f(not)g(kno)n(w)f(the)i(implemen)n(tation)f(details)g(of)g(the)h
+(Oracle)e(tree)g(extensions,)326 3953 y(whic)n(h)e(as)g(far)g(as)g(I)g
+(kno)n(w)g(ma)n(y)g(solv)n(e)f(this)i(problem)f(in)n(ternally;)g(they)g
+(de\034nitely)h(solv)n(e)f(it)g(for)g(the)h(end)g(user\).)243
+4119 y Ff(\017)41 b Fh(Nested)30 b(sets)g(are)f(v)n(ery)f(e\036cien)n
+(t)i(for)g(tree)f(searc)n(hes,)g(but)i(are)e(rather)f(exp)r(ensiv)n(e)i
+(for)f(no)r(de)h(insertion)f(and/or)326 4218 y(deletion:)37
+b(they)27 b(require)g(up)r(dating)g(p)r(oten)n(tially)h(man)n(y)f(no)r
+(des.)243 4384 y(W)-7 b(e)30 b(prop)r(ose)f(here)h(a)g(di\033eren)n(t)h
+(represen)n(tation,)e(based)g(on)i(no)r(de)f(iden)n(ti\034ers)g(whic)n
+(h)g(are)f(\020genealogical)f(iden)n(ti-)118 4484 y(\034ers\021:)44
+b(they)32 b(con)n(tain)f(the)h(complete)f(genealogy)f(of)h(the)h(no)r
+(de,)h(i.e.,)g(the)f(list)g(of)g(ancestors)d(up)j(to)g(the)g(ro)r(ot)f
+(of)g(the)118 4584 y(tree.)243 4683 y(This)j(allo)n(ws)f(to)i(replace)e
+(man)n(y)h(searc)n(hes)f(in)h(database)g(tables)g(with)h(string)f(op)r
+(erations)f(on)h(the)h(index.)58 b(The)118 4783 y(result,)24
+b(as)f(explained)h(in)g(Section)g(3)f(is)h(that)g(tree)f(searc)n(hes)f
+(pro)r(ceed)h(at)h(\020nested)f(sets\021)30 b(sp)r(eed,)25
+b(while)f(no)r(de)g(insertions)118 4882 y(and)k(deletions)f(are)f(as)h
+(fast)h(as)f(with)h(p)r(oin)n(ters.)243 4982 y(The)i(ob)n(vious)f(do)n
+(wnside)h(of)h(the)g(metho)r(d)g(is)f(that)h(the)g(primary)f(k)n(ey)f
+(in)i(the)g(tree)f(needs)h(to)f(b)r(e)h(a)g(v)-5 b(ariable)29
+b(size)118 5082 y(text)j(\034eld,)h(and)f(that)g(the)g(iden)n
+(ti\034ers)f(ma)n(y)g(b)r(e)i(extremelly)e(long)g(for)g(deep)h(trees.)
+49 b(W)-7 b(e)32 b(will)g(pro)n(vide)e(estimates)i(of)118
+5181 y(the)c(size)f(required)g(as)g(a)g(function)h(of)g(the)f
+(magnitude)h(of)f(the)h(tree.)1987 5653 y(1)p eop
+%%Page: 2 2
+2 1 bop 118 291 a Fi(2)131 b(Genealogical)45 b(iden)l(ti\034ers)g(for)f
+(trees)118 489 y Fm(2.1)112 b(De\034nition)118 642 y
+Fh(W)-7 b(e)28 b(de\034ne)g Fe(gene)l(alo)l(gic)l(al)k(identi\034ers)j
+Fh(recursiv)n(ely)25 b(as)i(follo)n(ws:)326 808 y Fg(De\034nition:)59
+b Fe(The)42 b(gene)l(alo)l(gic)l(al)h(identi\034er)f(\(gID\))e(of)i(a)f
+(no)l(de)h(is)f(obtaine)l(d)h(by)g(app)l(ending)g(a)f(child)326
+908 y(identi\034er)30 b(to)g(the)g(gene)l(alo)l(gic)l(al)h
+(identi\034er)g(of)f(the)g(p)l(ar)l(ent)f(no)l(de.)243
+1074 y Fh(Remark)40 b(that)h(genealogical)e(iden)n(ti\034ers)i(are)f
+(rather)g(w)n(ell)h(kno)n(wn)f(and)h(used;)48 b(common)41
+b(examples)f(are)g(the)118 1174 y(\020path+\034le-name\021)33
+b(in)28 b(a)f(computer)g(\034le)h(system)f(and)h(the)f(URLs)h(within)g
+(a)f(WWW.)243 1273 y(The)d(name)g(\020genealogical)e(iden)n
+(ti\034er\021)30 b(is)24 b(suggested)g(b)n(y)g(the)g(fact)h(that)f(the)
+h(v)-5 b(alue)24 b(of)g(the)h(iden)n(ti\034er)f(con)n(tains)f(the)118
+1373 y(complete)30 b(genealogy)d(of)j(the)g(no)r(de:)41
+b(it)30 b(con)n(tains)e(as)h(a)h(substring)f(the)h(gID)f(of)h(its)g
+(father,)g(whic)n(h)f(in)h(turn)g(con)n(tains)118 1472
+y(as)d(a)g(substring)g(the)h(gID)g(of)f(the)h(grandfather,)e(.)14
+b(.)g(.)243 1572 y(The)27 b(ro)r(ot)g(no)r(de)h(of)f(the)h(tree)f(has)g
+(a)h(gID)f(with)h(v)-5 b(alue)28 b(\021)34 b(\(the)28
+b(empt)n(y)g(string\),)f(as)g(it)h(has)f(no)g(paren)n(t.)118
+1804 y Fm(2.2)112 b(Child)36 b(iden)m(ti\034ers)118 1958
+y Fh(The)26 b(ob)n(vious)e(c)n(hild)i(iden)n(ti\034er)g(is)f(a)h
+(zero-based)d(coun)n(ter:)35 b(iden)n(tify)26 b(the)h(c)n(hild)e(b)n(y)
+h(the)g(n)n(um)n(b)r(er)f(of)h(older)f(brethren)g(it)118
+2057 y(has.)243 2157 y(W)-7 b(e)25 b(could)f(represen)n(t)g(the)h(coun)
+n(ter)f(in)h(base)f(10;)h(this)g(ho)n(w)n(ev)n(er)e(is)i(extremely)f(w)
+n(asteful)g(of)h(resources.)34 b(It)25 b(is)g(m)n(uc)n(h)118
+2257 y(b)r(etter)33 b(to)f(represen)n(t)f(the)h(coun)n(ter)g(in)g(as)g
+(large)e(a)i(base)g(as)f(p)r(ossible:)46 b(in)n(terpret)32
+b(as)f(n)n(um)n(b)r(ers)h(a)g(set)g(of)g(c)n(haracters)118
+2356 y(larger)26 b(than)h({0,1,.)14 b(.)g(.)g(9}.)243
+2456 y(As)26 b(tree)f(op)r(erations)f(will)i(in)n(v)n(olv)n(e)f(string)
+g(op)r(erations)f(on)i(the)g(indices,)g(in)g(order)f(to)g(a)n(v)n(oid)g
+(a)g(\020quoting)g(hell\021)33 b(it)26 b(is)118 2555
+y(desirable)d(to)h(a)n(v)n(oid)e(using)h(an)n(y)g(c)n(haracter)f(with)i
+(a)g(sp)r(ecial)f(meaning)h(in)g(LIKE)g(expressions)e(or)g(regular)g
+(expressions;)118 2655 y(i.e.,)28 b(w)n(e)f(will)h(not)f(use)h(an)n(y)f
+(of)g(the)h(sym)n(b)r(ols)70 b Fd(.)44 b(*)f(^)g(\\)g([)g(])g({)h(})f
+(\()g(\))g(<)g(>)71 b Fh(?)37 b(|)28 b(&)f($)243 2755
+y(W)-7 b(e)28 b(prop)r(ose)e(to)h(reserv)n(e)f(also)g(/)i(as)f(a)g
+(separator)e(\(see)i(\020V)-7 b(ariable)27 b(Sized)g(gID\021)34
+b(b)r(elo)n(w\).)243 2854 y(If)g(w)n(e)f(limit)i(ourselv)n(es)d(to)i
+(ascii)f(c)n(haracters,)g(and)h(a)n(v)n(oid)e(to)i(b)r(e)g(safe)f(a)h
+(lot)g(of)g(other)f(c)n(haracters,)g(w)n(e)g(can)h(use)118
+2954 y(n)n(um)n(b)r(ers)27 b(in)h(base)f(64)g(b)n(y)g(represen)n(ting)
+243 3120 y Ff(\017)41 b Fh(0-9)26 b(with)i('0'-'9')f(\(dec)g(ascii)g
+(co)r(de)h(48-57\))243 3286 y Ff(\017)41 b Fh(10)26 b(with)i(':')37
+b(\(dec)28 b(ascii)f(co)r(de)h(58\))243 3452 y Ff(\017)41
+b Fh(11)26 b(with)i(';')g(\(dec)g(ascii)f(co)r(de)g(59\))243
+3618 y Ff(\017)41 b Fh(12-37)25 b(with)j('A'-'Z')g(\(dec)f(ascii)g(co)r
+(de)h(65-90\))243 3784 y Ff(\017)41 b Fh(38-63)25 b(with)j('a'-'z')f
+(\(dec)h(ascii)f(co)r(de)g(97-122\))118 3950 y(By)g(using)g(base)f(64,)
+h(up)g(to)h(4096)d(c)n(hildren)i(can)f(b)r(e)i(represen)n(ted)e(using)h
+(t)n(w)n(o)f(suc)n(h)h(digits,)g(up)h(to)f(262144)d(with)k(three)118
+4050 y(digits,)g(and)f(up)h(to)f(16777216)d(with)k(four)f(digits.)243
+4149 y(If)37 b(the)g(RDBMs)g(supp)r(orts)f(in)n(ternational)g(c)n
+(haracters,)h(it)g(is)g(p)r(ossible)f(to)h(further)f(increase)g(the)h
+(base;)k(as)36 b(an)118 4249 y(example,)30 b(b)n(y)f(using)g(the)h(95)f
+(additional)g(c)n(haracters)e(of)i(the)h(latin-1)f(c)n(haracter)e(set,)
+k(w)n(e)e(could)g(co)r(de)g(n)n(um)n(b)r(ers)g(in)h(a)118
+4349 y(base)f(up)g(to)g(160)f(\025)g(remark)g(that)h(ev)n(ery)f(single)
+h(digit)g(is)g(still)h(one)e(b)n(yte)h(in)h(this)f(represen)n(tation.)
+40 b(This)29 b(means)f(that)118 4448 y(w)n(e)f(expand)h(the)f(sym)n(b)r
+(ols)g(ab)r(o)n(v)n(e)f(b)n(y)i(represen)n(ting)243 4614
+y Ff(\017)41 b Fh(64-159)25 b(with)j(dec)f(latin1)g(co)r(de)h(160-255)
+243 4780 y(In)23 b(base)g(160,)g(up)g(to)h(25600)d(c)n(hildren)i(can)f
+(b)r(e)i(represen)n(ted)e(using)h(t)n(w)n(o)g(digits,)h(up)g(to)f
+(4096000)d(with)k(three)f(digits,)118 4880 y(and)28 b(up)f(to)h
+(6.5E+08)e(with)i(four)f(digits.)243 4980 y(Remark)g(that)h(base)f(con)
+n(v)n(ersions)f(only)h(need)i(to)e(b)r(e)i(p)r(erformed)e(at)h
+(insertion)g(time,)g(when)h(the)f(index)g(of)g(a)g(new)118
+5079 y(no)r(de)g(is)f(computed.)37 b(They)28 b(will)f(therefore)g(only)
+g(ha)n(v)n(e)f(an)i(impact)f(on)h(insertion)f(timings.)1987
+5653 y(2)p eop
+%%Page: 3 3
+3 2 bop 118 291 a Fm(2.3)112 b(Coun)m(ters:)50 b(\020delimited\021)44
+b(vs.)51 b(\020\034xed)38 b(size\021)118 444 y Fh(The)33
+b(standard)g(represen)n(tation)e(of)i(gID)h(uses)e(a)h(v)-5
+b(ariable)32 b(size)h(c)n(hild)h(iden)n(ti\034er,)g(and)f(delimiters)g
+(to)h(separate)d(the)118 543 y(gID)f(of)g(the)h(c)n(hild)f(no)r(de)g
+(from)f(the)i(gID)f(of)g(its)g(paren)n(t.)43 b(F)-7 b(or)30
+b(example,)g(w)n(e)g(can)f(represen)n(t)g(the)i(\034fth)g(c)n(hild)f
+(of)g(no)r(de)118 643 y('/23/27/1')24 b(as)j('/23/27/1/4'.)32
+b(Let)c(us)f(call)g(this)h(a)f Fg(vgID)h Fh(represen)n(tation)e(\(V)-7
+b(ariable)27 b(Size)h(Genealogical)d(ID\).)243 743 y(This)30
+b(represen)n(tation)f(allo)n(ws)f(for)i(an)n(y)g(n)n(um)n(b)r(er)g(of)g
+(c)n(hildren)g(of)h(a)f(no)r(de,)h(sub)5 b(ject)30 b(only)g(to)g(the)h
+(limitations)f(the)118 842 y(RDBMS)e(ma)n(y)f(ha)n(v)n(e)f(as)h(to)h
+(the)g(length)f(of)h(a)f(v)-5 b(ariable)27 b(sized)g(string.)243
+942 y(Alternativ)n(ely)-7 b(,)24 b(w)n(e)f(could)h(c)n(ho)r(ose)f(to)h
+(limit)g(from)g(the)g(outset)g(the)g(quan)n(tit)n(y)g(of)f(c)n(hildren)
+h(that)g(a)g(no)r(de)g(ma)n(y)f(ha)n(v)n(e;)118 1042
+y(this)28 b(limit)g(w)n(ould)f(dep)r(end)i(of)e(course)f(on)i(the)g
+(application.)36 b(Let)27 b(us)h(call)f(this)h(a)f Fg(fgID)h
+Fh(represen)n(tation.)243 1141 y(F)-7 b(or)25 b(example,)h(if)g(no)g
+(no)r(de)f(is)h(allo)n(w)n(ed)f(to)g(ha)n(v)n(e)g(more)g(than)h(25600)d
+(c)n(hildren,)j(w)n(e)g(could)f(represen)n(t)g(the)h(coun)n(ters)118
+1241 y(alw)n(a)n(ys)36 b(with)i(2)f(digits.)67 b(The)38
+b(no)r(de)f(whic)n(h)h(w)n(as)f(previously)f('/23/27/1/4')d(is)k(no)n
+(w)g('23270104'.)64 b(If)38 b(w)n(e)f(require)118 1340
+y(a)g(three)g(digit)h(represen)n(tation)d(of)i(no)r(des)g(\(up)h(to)f
+(ab)r(out)h(4)f(million)g(c)n(hildren\),)j(then)d(it)h(will)g(b)r(e)f
+(represen)n(ted)f(as)118 1440 y('023027001004'.)118 1672
+y Fm(2.4)112 b(Ordering)37 b(of)h(no)s(des)118 1825 y
+Fh(F)-7 b(or)35 b(some)g(applications)g(it)h(is)f(necessary)f(to)i
+(obtain)f(subtrees)g(ordered)f(according)g(to)i(some)f(sp)r(ecial)g
+(rules.)60 b(F)-7 b(or)118 1925 y(instance:)220 2090
+y(1.)41 b(the)34 b(complete)g(subtree)f(starting)g(at)h(a)f(no)r(de)h
+(is)g(listed)g(immediately)g(after)f(the)i(no)r(de)f(in)g(question)f
+(\(\020depth)326 2189 y(\034rst\021\))220 2354 y(2.)41
+b(no)r(des)27 b(with)h(a)f(common)g(paren)n(t)g(are)g(listed)g(c)n
+(hronologically)243 2519 y(F)-7 b(or)39 b(instance,)k(the)d(displa)n(y)
+f(of)h(an)f(organization)f(c)n(hart)h(is)g(usually)h(required)e(to)i
+(satisfy)g(at)f(least)h(the)g(\034rst)118 2619 y(condition.)h(In)29
+b(a)g(threaded)f(discussion)h(group)e(one)i(wishes)g(to)f(satisfy)h(b)r
+(oth)h(conditions)e(to)h(displa)n(y)f(the)h(messages)118
+2718 y(in)20 b(a)g(thread)g(\025)f(the)i(threads)e(themselv)n(es)h
+(\(i.e.,)i(c)n(hildren)e(of)g(the)g(ro)r(ot)f(no)r(de\))i(are)e
+(usually)g(listed)i(in)f(in)n(v)n(erse)f(c)n(hronolical)118
+2818 y(order.)243 2917 y(T)-7 b(o)35 b(mak)n(e)f(a)h(particular)f
+(ordering)g(e\036cien)n(t,)j(it)f(w)n(ould)f(b)r(e)h(a)f(nice)g
+(feature)g(if)h(it)g(could)f(b)r(e)h(made)f(to)g(coincide)118
+3017 y(with)28 b(a)f(lexicographic)f(ordering)f(of)j(the)g(indices)f
+(\025i.e.,)g(as)g(pro)r(duced)g(b)n(y)h(an)f(\020ORDER)h(BY)f(id)h
+(ASC\021)35 b(in)27 b(SQL.)h(The)118 3117 y(lexicographic)d(ordering)h
+(of)h(fgID)h(satis\034es)e(b)r(oth)i(conditions.)36 b(The)27
+b(lexicographic)f(ordering)f(of)i(vgID)g(as)g(describ)r(ed)118
+3216 y(ab)r(o)n(v)n(e)34 b(satis\034es)g(the)h(\034rst)g(requisite)f
+(if)i(the)f(separator)d(has)j(the)g(minimal)g(binary)g(represen)n
+(tation)e(of)i(all)f(allo)n(w)n(ed)118 3316 y(sym)n(b)r(ols)c(in)h(an)f
+(index)h(\025)f(this)h(is)g(wh)n(y)f(w)n(e)g(reserv)n(ed)f(/)h(for)g
+(the)i(separator.)43 b(But)31 b(the)g(second)f(prop)r(ert)n(y)g(is)g
+(missing:)118 3416 y(for)d(instance,)g(the)h(index)g('/1/10')d(is)j
+(lexicographically)d(b)r(efore)i('/1/2'.)243 3515 y(If)c(the)h(second)e
+(prop)r(ert)n(y)g(is)i(also)e(required)g(for)h(vgID,)g(w)n(e)f(can)h
+(sp)r(ecify)h(the)f(c)n(hild)h(iden)n(ti\034ers)e(with)i(coun)n(ters)e
+(built)118 3615 y(in)28 b(the)g(follo)n(wing)e(w)n(a)n(y:)36
+b(represen)n(t)26 b(a)h(n)n(um)n(b)r(er)h(b)n(y)f(a)g(string)g(of)g
+(digits,)h(where)243 3779 y Ff(\017)41 b Fh(the)25 b(\034rst)g(digit)h
+Fc(D)896 3791 y Fb(0)958 3779 y Fh(represen)n(ts)e(the)i(length)f(in)h
+(digits)f(of)g(the)h(decimal)f(expansion)f(of)i(the)f(n)n(um)n(b)r(er,)
+h(min)n(us)f(one)243 3945 y Ff(\017)41 b Fh(the)28 b(follo)n(wing)e
+Fa(\()p Fc(D)920 3957 y Fb(0)976 3945 y Fa(+)18 b(1\))27
+b Fh(digits)h(are)e(the)i(decimal)g(expansion)e(of)i(the)g(n)n(um)n(b)r
+(er)118 4109 y(Let)g(us)f(call)h(these)f(iden)n(ti\034ers)g
+Fg(m-vgID)p Fh(,)g(\020m\021)34 b(for)27 b(mo)r(di\034ed.)243
+4209 y(As)e(an)f(example,)h(the)g(no)r(de)g(whic)n(h)g(w)n(as)f
+(previously)f(represen)n(ted)h(b)n(y)g(/15/3/182)d(will,)k(after)g
+(this)g(mo)r(di\034cation,)118 4309 y(ha)n(v)n(e)h(the)i(index)g
+(/115/03/2182.)243 4408 y(The)37 b(lexicographic)f(ordering)g(of)i
+(m-vgID)f(is)h(the)g(desired)f(ordering)f(of)h(the)h(tree)g(no)r(des.)
+67 b(The)38 b(cost)f(of)g(this)118 4508 y(prop)r(ert)n(y)31
+b(is)i(that)f(\(a\))h(the)g(ID)f(are)g(no)n(w)g(longer,)g(\(b\))h(no)f
+(no)r(de)g(can)g(ha)n(v)n(e)g(more)f(than)i Fa(160)3106
+4478 y Fb(160)3240 4508 y Fh(c)n(hildren)f(\(actually)-7
+b(,)118 4607 y(this)32 b(is)g(a)f(non-issue\),)h(and)f(\(c\))h(the)g
+(index)g(structure)f(is)h(redundan)n(t,)g(some)f(formally)f(correct)h
+(indices)g(are)g(in)n(v)-5 b(alid)118 4707 y(\025e.g.,)24
+b(/316/013/11.)30 b(The)24 b(third)g(issue)g(can)g(b)r(e)g(addressed)f
+(b)n(y)g(k)n(eeping)g(a)h(strict)g(con)n(trol)e(on)i(the)g(generation)f
+(of)h(new)118 4807 y(indices)k(to)f(insure)g(that)h(all)f(indices)h
+(are)e(formally)h(correct.)243 4906 y(The)32 b(issue)f(of)h(the)g(rev)n
+(erse)e(c)n(hronological)f(indexing)j(of)f(threads)h(in)g(threaded)f
+(discussion)g(groups)g(can)g(b)r(e)h(ad-)118 5006 y(dressed)d(easily)f
+(enough)h(in)h(fgID:)f(coun)n(t)g(\020do)n(wn\021)36
+b(instead)29 b(of)g(\020up\021)36 b(the)30 b(c)n(hildren)f(of)g(the)h
+(ro)r(ot)e(no)r(de)i(\025)f(this)h(implies)118 5106 y(only)e(an)g
+(inconsequen)n(tial)f(mo)r(di\034cation)h(of)g(the)g(no)r(de)h
+(insertion)e(routine,)h(as)g(sho)n(wn)f(b)r(elo)n(w.)38
+b(The)29 b(problem)e(is)h(less)118 5205 y(trivial)i(with)g(vgID;)h(in)f
+(this)h(case,)f(ma)n(yb)r(e)f(a)h(thread)g(iden)n(ti\034er)g(should)g
+(b)r(e)h(k)n(ept)f(in)g(a)g(di\033eren)n(t)g(\034eld)h(-)f(i.e.,)h
+(repre-)118 5305 y(sen)n(ting)h(the)h(structure)f(as)g(a)h(forest)f
+(rather)f(than)i(a)f(tree,)i(where)e(the)h(thread_id)f(\034eld)h
+(selects)f(the)h(\020tree\021)38 b(in)33 b(the)118 5404
+y(forest.)1987 5653 y(3)p eop
+%%Page: 4 4
+4 3 bop 118 291 a Fi(3)131 b(T)-11 b(ree)45 b(op)t(erations)e(using)h
+(genealogical)g(indices)118 472 y Fh(In)32 b(this)f(section)g(w)n(e)g
+(sho)n(w)g(ho)n(w)g(to)g(implemen)n(t)h(v)-5 b(arious)30
+b(tree)h(op)r(erations)f(using)h(gID)g(as)g(the)h(primary)e(k)n(ey)h
+(in)g(the)118 572 y(no)r(de)d(table.)243 672 y(Some)h(implemen)n
+(tation)h(issues)g(are)f(relev)-5 b(an)n(t)29 b(here,)h(esp)r(ecially)f
+(concerning)g(the)h(utilisation)g(of)g(indices)g(b)n(y)f(the)118
+771 y(DB)f(engine.)243 871 y(W)-7 b(e)28 b(discuss)f(a)g(tree)g
+(represen)n(ted)f(in)i(a)f(table)h(of)f(the)h(form)326
+1034 y Fd(CREATE)41 b(TABLE)g(tree)h(\()456 1134 y(gid)304
+b(text)42 b(PRIMARY)f(KEY,)456 1234 y(nchildren)f(integer)h(DEFAULT)f
+(0,)456 1333 y(\\ldots)h(the)i(actual)e(node)h(data)326
+1433 y(\);)118 1597 y Fh(The)26 b(\034eld)g(\020nc)n(hildren\021)32
+b(is)26 b(a)f(coun)n(ter)g(for)g(the)i(n)n(um)n(b)r(er)e(of)h(c)n
+(hildren)f(that)h(the)h(no)r(de)f(has)f Fe(ever)35 b
+Fh(had;)27 b(w)n(e)e(assume)g(here)118 1696 y(it)j(is)g(not)f(up)r
+(dated)h(when)g(no)r(des)f(or)g(subtrees)g(are)f(deleted.)243
+1796 y(Section)h(4)g(pro)n(vides)f(a)i(complete)f(implemen)n(tation)h
+(of)f(these)h(op)r(erations)e(for)h(fgID)h(in)g(P)n(ostgreSQL.)118
+2028 y Fm(3.1)112 b(Computing)37 b(the)g(lev)m(el)f(of)h(a)h(no)s(de)
+118 2181 y Fg(Cost:)f Fe(string)30 b(op)l(er)l(ations)g(\(no)g(table)g
+(ac)l(c)l(ess\))243 2280 y Fh(This)d(is)h(a)f(pure)g(string)g(op)r
+(eration,)f(no)i(table)f(access)g(is)g(required.)243
+2460 y Ff(\017)41 b Fg(vgID:)27 b Fh(coun)n(t)h(the)g(n)n(um)n(b)r(er)f
+(of)g(separators)e(\('/'\))j(in)g(the)g(PK)243 2625 y
+Ff(\017)41 b Fg(fgID:)27 b Fh(coun)n(t)g(the)h(n)n(um)n(b)r(er)g(of)f
+(c)n(haracters)e(in)j(the)g(PK,)g(divide)g(b)n(y)f(the)h(\034xed)f
+(size)h(of)f(the)h(coun)n(ters.)118 2857 y Fm(3.2)112
+b(Selecting)36 b(or)h(deleting)f(a)i(subtree)118 3010
+y Fg(Cost:)f Fe(index)30 b(sc)l(an)g(of)g(the)g(tr)l(e)l(e)243
+3173 y Ff(\017)41 b Fg(vgID:)27 b Fh(The)h(subtree)f(ro)r(oted)g(at)g
+(/26/5/7)e(is)i(selected)g(b)n(y)508 3338 y Fd(...)43
+b(WHERE)e(id)i(LIKE)f('/26/5/7\045')d(AND)j(id)h(<)g('/26/5/70')243
+3503 y Ff(\017)e Fg(m-vgID:)26 b Fh(The)h(subtree)h(ro)r(oted)e(at)i
+(/126/05/07)22 b(is)28 b(selected)f(b)n(y)508 3668 y
+Fd(...)43 b(WHERE)e(id)i(LIKE)f('/126/06/07\045')243
+3833 y Ff(\017)f Fg(fgID:)27 b Fh(The)h(subtree)f(ro)r(oted)g(at)g
+(260507)e(is)i(selected)h(b)n(y)508 3997 y Fd(...)43
+b(WHERE)e(id)i(LIKE)f('260507\045')118 4229 y Fm(3.3)112
+b(Selecting)36 b(the)h(direct)f(c)m(hildren)g(of)i(a)g(no)s(de)118
+4382 y Fg(Cost:)f Fe(index)30 b(sc)l(an)g(of)g(the)g(tr)l(e)l(e)243
+4562 y Ff(\017)41 b Fg(vgID:)27 b Fh(The)h(direct)f(c)n(hildren)g(of)h
+(/26/5/7)c(are)j(selected)g(b)n(y)508 4727 y Fd(...)43
+b(WHERE)e(id)i(LIKE)f('/26/5/7/\045')d(AND)j(id)h(NOT)f(LIKE)g
+('26/5/7/\045/\045')243 4892 y Ff(\017)f Fg(m-vgID:)26
+b Fh(The)h(direct)h(c)n(hildren)f(of)g(/26/5/7)e(are)h(selected)i(b)n
+(y)508 5056 y Fd(...)43 b(WHERE)e(id)i(LIKE)f('/126/06/07/\045')37
+b(AND)43 b(id)f(NOT)h(LIKE)f('/126/05/07/\045/\045)o(')243
+5221 y Ff(\017)f Fg(fgID:)27 b Fh(The)h(direct)f(c)n(hildren)g(of)h
+(260507)c(are)j(selected)g(b)n(y)508 5386 y Fd(...)43
+b(WHERE)e(id)i(LIKE)f('260507\045')d(AND)k(char_length\(id\))37
+b(=)43 b(\(char_length\('26)o(05)o(07')o(\)+)o(2\))1987
+5653 y Fh(4)p eop
+%%Page: 5 5
+5 4 bop 118 291 a Fm(3.4)112 b(Inserting)37 b(a)h(no)s(de)g(or)f(a)h
+(subtree)118 444 y Fg(Cost:)f Fe(index)30 b(sc)l(an)g(of)g(the)g(tr)l
+(e)l(e)f(+)h(string)f(and)h(math)g(op)l(er)l(ations)243
+543 y Fh(Insertion)f(is)g(a)h(pro)r(cedural)e(op)r(eration.)42
+b(As)30 b(eac)n(h)f(RDBMS)h(has)f(a)h(di\033eren)n(t)f(w)n(a)n(y)g(of)g
+(de\034ning)h(pro)r(cedures,)f(w)n(e)118 643 y(will)f(just)g(describ)r
+(e)f(here)g(the)h(necessary)e(steps.)37 b(Examples)27
+b(for)g(P)n(ostgreSQL)f(are)h(pro)n(vided)f(in)i(4.)243
+743 y(In)22 b(order)f(to)h(insert)g(a)g(new)g(c)n(hild)h(of)f
+(\020daddy\021)28 b(\(either)23 b(one)f(of)g(/26/5/7,)e(/126/05/07)d
+(or)22 b(260507)d(in)k(the)f(examples)118 842 y(ab)r(o)n(v)n(e\))27
+b(y)n(ou)f(ha)n(v)n(e)h(to)220 1008 y(1.)41 b(add)27
+b(one)g(to)h(the)g(n)n(um)n(b)r(er)f(of)g(c)n(hildren)h(of)f
+(\020daddy\021)508 1174 y Fd(UPDATE)41 b(tree)h(SET)h(nchildren)c(=)k
+(\(nchildren)d(+)j(1\))g(WHERE)e(ID)i(=)g(``daddy'';)220
+1340 y Fh(2.)e(enco)r(de)27 b(the)h(n)n(um)n(b)r(er)f(of)g(c)n(hildren)
+g(of)h(\020daddy\021)33 b(in)28 b(base)f(160,)f(bring)h(it)h(to)f(the)h
+(correct)e(format)h(dep)r(ending)h(on)326 1440 y(the)c(v)-5
+b(arian)n(t)23 b(of)h(gID)g(\(pad)g(with)h(0)e(or)g(not,)i(prep)r(end)f
+(a)g(digit)g(coun)n(ter)f(or)g(not,)i(prep)r(end)f(/)g(or)f(not,)i
+(coun)n(t)e(do)n(wn)326 1540 y(or)j(up,)i(.)14 b(.)g(.)g(\))37
+b(and)28 b(app)r(end)f(it)h(to)g(daddy's)f(gID)g(to)h(obtain)f(the)h
+(new)g(no)r(de's)f(gID.)220 1706 y(3.)41 b(insert)27
+b(the)h(new)f(no)r(de)243 1872 y(When)35 b(inserting)g(a)f(subtree,)j
+(the)e(index)g(of)g(the)h(ro)r(ot)e(of)h(the)g(subtree)g(has)f(to)h(b)r
+(e)h(computed)f(as)f(ab)r(o)n(v)n(e,)i(and)118 1971 y(prep)r(ended)28
+b(to)f(the)h(index)g(of)f(eac)n(h)g(no)r(de)h(of)f(the)h(subtree)f(b)r
+(efore)h(insertion.)243 2071 y(Remark)e(that)i(only)f(the)h(paren)n(t)f
+(no)r(de)h(has)f(to)g(b)r(e)h(up)r(dated)g(on)f(insertion.)118
+2303 y Fm(3.5)112 b(Selecting)36 b(the)h(ancestors)h(of)g(a)g(no)s(de)
+118 2457 y Fg(Cost:)f Fe(index)30 b(sc)l(an)g(of)g(the)g(tr)l(e)l(e)243
+2556 y Fh(Y)-7 b(ou)27 b(can)g(sp)r(ecify)h(all)g(ancestors)d(of)j(a)f
+(no)r(de)h(in)f(a)h(single)f(SQL)g(statemen)n(t;)g(for)g(instance)h
+(for)f(vgID)326 2722 y Fd(...)42 b(WHERE)f('/25/6/7')f(LIKE)i(\(id)g
+(||)h('/\045'\))f(AND)g(id)h(<)g('/25/6/7')118 2888 y
+Fh(The)31 b(second)e(part)h(of)h(the)g(clause,)f(while)h(logically)e
+(redundan)n(t,)h(is)h(a)f(\020hin)n(t\021)37 b(to)30
+b(the)h(optimizer.)45 b(A)n(t)31 b(least)f(in)g(P)n(ost-)118
+2988 y(greSQL,)c(without)i(it)g(the)g(optimizer)f(will)h(c)n(ho)r(ose)e
+(a)i(sequen)n(tial)e(scan)h(of)h(the)g(table)f(and)h(disregard)d(the)j
+(index.)118 3220 y Fm(3.6)112 b(Selecting)36 b(all)g(lea)m(v)m(es)118
+3374 y Fg(Cost:)h Fe(sc)l(an)30 b(of)g(the)g(tr)l(e)l(e)243
+3473 y Fh(A)e(leaf)f(is)g(a)h(no)r(de)f(without)h(descendan)n(ts:)36
+b(it)28 b(has)f(0)g(c)n(hildren.)37 b(Hence)326 3639
+y Fd(...)42 b(WHERE)f(nchildren)f(=)j(0)118 3805 y Fh(If)28
+b(this)g(t)n(yp)r(e)g(of)f(query)g(is)h(often)f(necessary)-7
+b(,)26 b(y)n(ou)h(ma)n(y)g(b)r(e)h(w)n(ell)f(advised)g(to)g(k)n(eep)g
+(an)h(index)f(on)h(tree\(nc)n(hildren\).)118 4038 y Fm(3.7)112
+b(Determining)35 b(if)i(A)g(is)g(a)h(descendan)m(t)g(of)g(B)118
+4191 y Fg(Cost:)f Fe(string)30 b(op)l(er)l(ations,)h(no)f(table)g(ac)l
+(c)l(ess)243 4291 y Fh(This)d(is)h(a)f(pure)g(string)g(op)r(eration)f
+(on)i(the)g(indices,)f(no)g(table)h(access)e(is)i(necessary)-7
+b(.)118 4565 y Fi(4)131 b(Putting)45 b(it)f(all)h(together:)57
+b(a)44 b(P)l(ostgreSQL)f(implemen)l(tation)118 4747 y
+Fh(h)n(ttp://www.p)r(ostgresql.org/mhonarc/pgsq)o(l-sql/)o(20)o(00)o
+(-0)o(4/)o(msg0)o(02)o(67)o(.h)n(tml)243 4847 y(W)-7
+b(e)30 b(describ)r(e)g(here)g(a)g(small)f(pac)n(k)-5
+b(age)29 b(that)i(can)e(b)r(e)i(used)f(for)g(implemen)n(ting)g(gID)g
+(on)g(P)n(ostgreSQL.)f(It)i(can)e(b)r(e)118 4946 y(found)f(at)f(<h)n
+(ttp://...>)243 5046 y(The)21 b(pac)n(k)-5 b(age)21 b(uses)g(the)h(pro)
+r(cedural)e(language)h(PL/PGsql.)35 b(A)22 b(b)r(etter)g(implemen)n
+(tation)g(w)n(ould)f(probably)g(de\034ne)118 5145 y(the)28
+b(gID)g(as)f(new)g(P)n(ostgres)f(t)n(yp)r(es,)i(and)f(co)r(de)g(all)h
+(this)g(in)f(C.)243 5245 y(The)g(\034les)h(should)f(b)r(e)h(loaded)f
+(in)h(alphab)r(etical)f(order.)1987 5653 y(5)p eop
+%%Page: 6 6
+6 5 bop 118 291 a Fm(4.1)112 b(tree0_enco)s(ding.sql)118
+444 y Fh(This)28 b(\034le)f(de\034nes)h(and)f(p)r(opulates)h(the)f
+(table)h(_b160_digits)d(of)j(\020digits\021)33 b(in)28
+b(base)f(160,)326 604 y Fd(CREATE)41 b(TABLE)g(\\_b160\\_digits)d
+(\(deci)j(integer,)f(code)i(char\);)118 764 y Fh(and)28
+b(the)f(t)n(w)n(o)g(functions)326 924 y Fd(CREATE)41
+b(FUNCTION)f(\\_b160\\_encode\(i)o(nt)o(eg)o(er\))d(RETURNS)j(string)
+413 1024 y(AS)j('....')e(LANGUAGE)f('plpgsql';)326 1124
+y(CREATE)h(FUNCTION)f(\\_b160\\_encode\(i)o(nt)o(eg)o(er,)o(in)o(te)o
+(ger)o(\))d(RETURNS)k(string)413 1223 y(AS)i('....')e(LANGUAGE)f
+('plpgsql';)118 1384 y Fh(The)22 b(\034rst)h(function)f(returns)g(a)g
+(v)-5 b(ariable)21 b(size)h(enco)r(ding;)i(the)f(second)e(a)h(\034xed)h
+(size)f(enco)r(ding)g(\(the)h(second)e(parameter)118
+1483 y(is)g(the)h(size\),)g(and)f(raises)e(an)i(exception)g(if)h(the)f
+(n)n(um)n(b)r(er)g(is)g(to)r(o)g(large)e(to)i(b)r(e)h(represen)n(ted)e
+(with)h(the)h(requested)e(n)n(um)n(b)r(er)118 1583 y(of)28
+b(digits.)118 1814 y Fm(4.2)112 b(tree1_de\034ne.sql)118
+1967 y Fh(This)28 b(\034le)f(pro)n(vides)f(a)i(function)326
+2127 y Fd(CREATE)41 b(FUNCTION)f(_tree_create\(tex)o(t,)o(in)o(teg)o
+(er)o(,t)o(ext)o(,t)o(ex)o(t\))d(RETURNS)k(bpchar)413
+2227 y(AS)i('....')e(LANGUAGE)f('plpgsql';)118 2387 y
+Fh(that)e(creates)f(a)h(tree)f(infrastructure)g(of)h(either)g(fgID)g
+(or)f(vgID.)h(Assuming)f(y)n(ou)g(ha)n(v)n(e)g(a)h(table)f(\020m)n
+(ytable\021)44 b(with)118 2487 y(primary)26 b(k)n(ey)h(\020m)n
+(yid\021,)g(then)h(calling)326 2647 y Fd(SELECT)41 b(_tree_create\('m)o
+(yt)o(ree)o(',)o(2,')o(my)o(ta)o(ble)o(',)o('m)o(yid)o('\))o(;)118
+2807 y Fh(will)28 b(cause:)220 2967 y(1.)41 b(the)28
+b(creation)e(of)i(a)f(table)508 3131 y Fd(CREATE)41 b(TABLE)h
+(mytree_bkg\()683 3230 y(gid)g(text)g(PRIMARY)e(KEY,)683
+3330 y(nchildren)f(int,)683 3429 y(sid)j(integer)f(REFERENCES)e
+(mytable\(myid\))508 3529 y(\);)508 3629 y(CREATE)i(UNIQUE)g(INDEX)h
+(mytree_bkg_sid)37 b(ON)43 b(mytree_bkg\(sid\);)326 3792
+y Fh(for)27 b(the)h(tree)f(structure.)220 3955 y(2.)41
+b(the)28 b(creation)e(of)i(a)f(view)508 4118 y Fd(CREATE)41
+b(VIEW)h(mytree)f(AS)639 4218 y(SELECT)g(t.gid,n.*)900
+4317 y(FROM)h(mytable)f(n,)i(mytree_bkg)c(t)900 4417
+y(WHERE)j(t.sid=n.myid;)326 4580 y Fh(with:)35 b(a)23
+b(trigger)e(on)i(UPD)n(A)-7 b(TE)25 b(that)e(blo)r(c)n(ks)g(up)r
+(dating)g(the)h(gid)f(and)g(allo)n(ws)f(up)r(dating)h(the)g(no)r(de)h
+(data,)f(a)g(rule)326 4680 y(on)k(DELETE)i(that)f(deletes)f(the)h
+(corresp)r(onding)e(en)n(try)h(b)r(oth)h(in)g(m)n(ytree_bkg)d(and)j(m)n
+(ytable,)f(and)g(a)g(trigger)326 4779 y(ON)h(INSER)-7
+b(T)30 b(that)f(raises)e(an)h(exception)g(and)g(informs)h(the)f(user)g
+(to)h(use)f(the)h(insertion)f(function)h(describ)r(ed)326
+4879 y(b)r(elo)n(w.)220 5042 y(3.)41 b(t)n(w)n(o)26 b(insertion)h
+(functions)h(that)g(compute)g(automatically)e(the)i(gID)g(of)f(the)h
+(new)g(no)r(de:)425 5205 y Ff(\017)41 b Fh(a)27 b(function)i(m)n
+(ytree_insert\(text,text,in)n(teger,text\))d(for)h(insertion)g(sim)n
+(ultaneosly)f(in)i(b)r(oth)g(tables:)508 5305 y(m)n
+(ytree_insert\('2201','hello',0,'not)15 b(m)n(uc)n(h'\))j(inserts)g(a)g
+(new)g(c)n(hild)h(of)f(2201)f(with)h(data1='hello',)h(data2=0)508
+5404 y(and)28 b(data3='not)e(m)n(uc)n(h')1987 5653 y(6)p
+eop
+%%Page: 7 7
+7 6 bop 425 291 a Ff(\017)41 b Fh(a)27 b(function)i(m)n
+(ytree_insert_no)r(de\(text,in)n(teger\))c(for)i(insertion)g(in)h(m)n
+(ytree_bkg)508 390 y(m)n(ytree_insert\('2201',25\))c(inserts)j(in)h(m)n
+(ytree_bkg)e(a)h(new)h(c)n(hild)f(of)h(2201)d(with)j(sid=25)220
+556 y(4.)41 b(a)27 b(function)h(m)n(ytree_mo)n(v)n(e\(text,text\))e
+(that)i(mo)n(v)n(es)e(subtrees:)326 656 y(m)n(ytree_mo)n(v)n
+(e\('2201','23'\))d(mo)n(v)n(es)j(the)i(subtree)f(ro)r(oted)g(at)g
+(2201)f(to)h(a)h(place)f(b)r(elo)n(w)g(23)f(\(ma)n(yb)r(e)i(2307\))220
+822 y(5.)41 b(a)c(function)g(m)n(ytree_len\(\))g(that)h(returns)e(the)i
+(length)f(of)g(the)h(enco)r(dings)f(used)g(in)h(the)f(gID)g(\(2)h
+(here;)j(0)c(if)326 922 y(v)-5 b(ariable)26 b(size\).)118
+1196 y Fi(5)131 b(Non-tree)44 b(hierarc)l(hies)118 1378
+y Fh(sequence)22 b(as)f(id,)j(table)e(with)h(\(id,g-index\))f(with)g(p)
+r(ossibly)g(man)n(y)g(g-indices)f(for)h(eac)n(h)f(id)h(\(if)h(TOO)f
+(man)n(y)-7 b(,)23 b(bad)f(mo)r(del:)118 1478 y(list)28
+b(all)f(genealogies,)f(i.e.,)h(paths)h(from)f(the)h(ro)r(ot\))118
+1752 y Fi(References)160 1934 y Fh([1])41 b(Philip)28
+b(Greenspun,)g Fe(T)-6 b(r)l(e)l(es)29 b(in)h(Or)l(acle)g(SQL)p
+Fh(,)d(in)h Fg(SQL)k(for)g(W)-8 b(eb)31 b(Nerds)289 2033
+y Fh(<h)n(ttp://photo.net/sql/trees.h)n(tml>)160 2200
+y([2])41 b(Jo)r(e)27 b(Celk)n(o,)f Fe(SQL)j(for)i(Smarties)p
+Fh(,)d(in)g Fg(DBMS)j(Online)p Fh(,)26 b(Marc)n(h)h(to)g(June)h(1996)
+289 2299 y(<h)n(ttp://www.dbmsmag.com/9603d06.h)n(tml>)289
+2399 y(<h)n(ttp://www.dbmsmag.com/9604d06.h)n(tml>)289
+2498 y(<h)n(ttp://www.dbmsmag.com/9605d06.h)n(tml>)289
+2598 y(<h)n(ttp://www.dbmsmag.com/9606d06.h)n(tml>)160
+2764 y([3])41 b(Graeme)26 b(Birc)n(hall,)h Fg(DB2)32
+b(UDB)g(V6.1)f(SQL)h(Co)s(okb)s(o)s(ok)p Fh(,)289 2864
+y(<h)n(ttp://ourw)n(orld.compuserv)n(e.com/homepag)o(es/)o(Gra)o
+(eme_Bir)o(c)n(ha)o(ll/HTM_CO)o(OK)o(.HTM>)1987 5653
+y(7)p eop
+%%Trailer
+end
+userdict /end-hook known{end-hook}if
+%%EOF
diff --git a/source3/lib/ldb/ldb_tdb/ldb_cache.c b/source3/lib/ldb/ldb_tdb/ldb_cache.c
new file mode 100644
index 0000000000..16e8c55aec
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_cache.c
@@ -0,0 +1,560 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb tdb cache functions
+ *
+ *  Description: cache special records in a ldb/tdb
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+#define LTDB_FLAG_CASE_INSENSITIVE (1<<0)
+#define LTDB_FLAG_INTEGER          (1<<1)
+#define LTDB_FLAG_HIDDEN           (1<<2)
+#define LTDB_FLAG_OBJECTCLASS      (1<<3)
+
+int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name);
+
+/* valid attribute flags */
+static const struct {
+	const char *name;
+	int value;
+} ltdb_valid_attr_flags[] = {
+	{ "CASE_INSENSITIVE", LTDB_FLAG_CASE_INSENSITIVE },
+	{ "INTEGER", LTDB_FLAG_INTEGER },
+	{ "HIDDEN", LTDB_FLAG_HIDDEN },
+	{ "NONE", 0 },
+	{ NULL, 0 }
+};
+
+
+/*
+  de-register any special handlers for @ATTRIBUTES
+*/
+static void ltdb_attributes_unload(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg;
+	int i;
+
+	if (ltdb->cache->attributes == NULL) {
+		/* no previously loaded attributes */
+		return;
+	}
+
+	msg = ltdb->cache->attributes;
+	for (i=0;i<msg->num_elements;i++) {
+		ldb_remove_attrib_handler(module->ldb, msg->elements[i].name);
+	}
+
+	talloc_free(ltdb->cache->attributes);
+	ltdb->cache->attributes = NULL;
+}
+
+/*
+  add up the attrib flags for a @ATTRIBUTES element
+*/
+static int ltdb_attributes_flags(struct ldb_message_element *el, unsigned *v)
+{
+	int i;
+	unsigned value = 0;
+	for (i=0;i<el->num_values;i++) {
+		int j;
+		for (j=0;ltdb_valid_attr_flags[j].name;j++) {
+			if (strcmp(ltdb_valid_attr_flags[j].name, 
+				   (char *)el->values[i].data) == 0) {
+				value |= ltdb_valid_attr_flags[j].value;
+				break;
+			}
+		}
+		if (ltdb_valid_attr_flags[j].name == NULL) {
+			return -1;
+		}
+	}
+	*v = value;
+	return 0;
+}
+
+/*
+  register any special handlers from @ATTRIBUTES
+*/
+static int ltdb_attributes_load(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg = ltdb->cache->attributes;
+	struct ldb_dn *dn;
+	int i;
+
+	dn = ldb_dn_explode(module->ldb, LTDB_ATTRIBUTES);
+	if (dn == NULL) goto failed;
+
+	if (ltdb_search_dn1(module, dn, msg) == -1) {
+		talloc_free(dn);
+		goto failed;
+	}
+	talloc_free(dn);
+	/* mapping these flags onto ldap 'syntaxes' isn't strictly correct,
+	   but its close enough for now */
+	for (i=0;i<msg->num_elements;i++) {
+		unsigned flags;
+		const char *syntax;
+		const struct ldb_attrib_handler *h;
+		struct ldb_attrib_handler h2;
+
+		if (ltdb_attributes_flags(&msg->elements[i], &flags) != 0) {
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Invalid @ATTRIBUTES element for '%s'\n", msg->elements[i].name);
+			goto failed;
+		}
+		switch (flags & ~LTDB_FLAG_HIDDEN) {
+		case 0:
+			syntax = LDB_SYNTAX_OCTET_STRING;
+			break;
+		case LTDB_FLAG_CASE_INSENSITIVE:
+			syntax = LDB_SYNTAX_DIRECTORY_STRING;
+			break;
+		case LTDB_FLAG_INTEGER:
+			syntax = LDB_SYNTAX_INTEGER;
+			break;
+		default:
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, 
+				  "Invalid flag combination 0x%x for '%s' in @ATTRIBUTES\n",
+				  flags, msg->elements[i].name);
+			goto failed;
+		}
+
+		h = ldb_attrib_handler_syntax(module->ldb, syntax);
+		if (h == NULL) {
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, 
+				  "Invalid attribute syntax '%s' for '%s' in @ATTRIBUTES\n",
+				  syntax, msg->elements[i].name);
+			goto failed;
+		}
+		h2 = *h;
+		h2.attr = msg->elements[i].name;
+		h2.flags |= LDB_ATTR_FLAG_ALLOCATED;
+		if (ldb_set_attrib_handlers(module->ldb, &h2, 1) != 0) {
+			goto failed;
+		}
+	}
+
+	return 0;
+failed:
+	return -1;
+}
+
+
+/*
+  register any subclasses from @SUBCLASSES
+*/
+static int ltdb_subclasses_load(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg = ltdb->cache->subclasses;
+	struct ldb_dn *dn;
+	int i, j;
+
+	dn = ldb_dn_explode(module->ldb, LTDB_SUBCLASSES);
+	if (dn == NULL) goto failed;
+
+	if (ltdb_search_dn1(module, dn, msg) == -1) {
+		talloc_free(dn);
+		goto failed;
+	}
+	talloc_free(dn);
+
+	for (i=0;i<msg->num_elements;i++) {
+		struct ldb_message_element *el = &msg->elements[i];
+		for (j=0;j<el->num_values;j++) {
+			if (ldb_subclass_add(module->ldb, el->name, 
+					     (char *)el->values[j].data) != 0) {
+				goto failed;
+			}
+		}
+	}
+
+	return 0;
+failed:
+	return -1;
+}
+
+
+/*
+  de-register any @SUBCLASSES
+*/
+static void ltdb_subclasses_unload(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg;
+	int i;
+
+	if (ltdb->cache->subclasses == NULL) {
+		/* no previously loaded subclasses */
+		return;
+	}
+
+	msg = ltdb->cache->subclasses;
+	for (i=0;i<msg->num_elements;i++) {
+		ldb_subclass_remove(module->ldb, msg->elements[i].name);
+	}
+
+	talloc_free(ltdb->cache->subclasses);
+	ltdb->cache->subclasses = NULL;
+}
+
+
+/*
+  initialise the baseinfo record
+*/
+static int ltdb_baseinfo_init(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg;
+	struct ldb_message_element el;
+	struct ldb_val val;
+	int ret;
+	/* the initial sequence number must be different from the one
+	   set in ltdb_cache_free(). Thanks to Jon for pointing this
+	   out. */
+	const char *initial_sequence_number = "1";
+
+	ltdb->sequence_number = atof(initial_sequence_number);
+
+	msg = talloc(ltdb, struct ldb_message);
+	if (msg == NULL) {
+		goto failed;
+	}
+
+	msg->num_elements = 1;
+	msg->elements = &el;
+	msg->dn = ldb_dn_explode(msg, LTDB_BASEINFO);
+	if (!msg->dn) {
+		goto failed;
+	}
+	el.name = talloc_strdup(msg, LTDB_SEQUENCE_NUMBER);
+	if (!el.name) {
+		goto failed;
+	}
+	el.values = &val;
+	el.num_values = 1;
+	el.flags = 0;
+	val.data = (uint8_t *)talloc_strdup(msg, initial_sequence_number);
+	if (!val.data) {
+		goto failed;
+	}
+	val.length = 1;
+	
+	ret = ltdb_store(module, msg, TDB_INSERT);
+
+	talloc_free(msg);
+
+	return ret;
+
+failed:
+	talloc_free(msg);
+	errno = ENOMEM;
+	return -1;
+}
+
+/*
+  free any cache records
+ */
+static void ltdb_cache_free(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+
+	ltdb->sequence_number = 0;
+	talloc_free(ltdb->cache);
+	ltdb->cache = NULL;
+}
+
+/*
+  force a cache reload
+*/
+int ltdb_cache_reload(struct ldb_module *module)
+{
+	ltdb_attributes_unload(module);
+	ltdb_subclasses_unload(module);
+	ltdb_cache_free(module);
+	return ltdb_cache_load(module);
+}
+
+/*
+  load the cache records
+*/
+int ltdb_cache_load(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_dn *baseinfo_dn = NULL;
+	struct ldb_dn *indexlist_dn = NULL;
+	uint64_t seq;
+	struct ldb_message *baseinfo = NULL;
+
+	/* a very fast check to avoid extra database reads */
+	if (ltdb->cache != NULL && 
+	    tdb_get_seqnum(ltdb->tdb) == ltdb->tdb_seqnum) {
+		return 0;
+	}
+
+	if (ltdb->cache == NULL) {
+		ltdb->cache = talloc_zero(ltdb, struct ltdb_cache);
+		if (ltdb->cache == NULL) goto failed;
+		ltdb->cache->indexlist = talloc_zero(ltdb->cache, struct ldb_message);
+		ltdb->cache->subclasses = talloc_zero(ltdb->cache, struct ldb_message);
+		ltdb->cache->attributes = talloc_zero(ltdb->cache, struct ldb_message);
+		if (ltdb->cache->indexlist == NULL ||
+		    ltdb->cache->subclasses == NULL ||
+		    ltdb->cache->attributes == NULL) {
+			goto failed;
+		}
+	}
+
+	baseinfo = talloc(ltdb->cache, struct ldb_message);
+	if (baseinfo == NULL) goto failed;
+
+	baseinfo_dn = ldb_dn_explode(module->ldb, LTDB_BASEINFO);
+	if (baseinfo_dn == NULL) goto failed;
+
+	if (ltdb_search_dn1(module, baseinfo_dn, baseinfo) == -1) {
+		goto failed;
+	}
+	
+	/* possibly initialise the baseinfo */
+	if (!baseinfo->dn) {
+		if (ltdb_baseinfo_init(module) != 0) {
+			goto failed;
+		}
+		if (ltdb_search_dn1(module, baseinfo_dn, baseinfo) != 1) {
+			goto failed;
+		}
+	}
+
+	ltdb->tdb_seqnum = tdb_get_seqnum(ltdb->tdb);
+
+	/* if the current internal sequence number is the same as the one
+	   in the database then assume the rest of the cache is OK */
+	seq = ldb_msg_find_attr_as_uint64(baseinfo, LTDB_SEQUENCE_NUMBER, 0);
+	if (seq == ltdb->sequence_number) {
+		goto done;
+	}
+	ltdb->sequence_number = seq;
+
+	talloc_free(ltdb->cache->last_attribute.name);
+	memset(&ltdb->cache->last_attribute, 0, sizeof(ltdb->cache->last_attribute));
+
+	ltdb_attributes_unload(module);
+	ltdb_subclasses_unload(module);
+
+	talloc_free(ltdb->cache->indexlist);
+	talloc_free(ltdb->cache->subclasses);
+
+	ltdb->cache->indexlist = talloc_zero(ltdb->cache, struct ldb_message);
+	ltdb->cache->subclasses = talloc_zero(ltdb->cache, struct ldb_message);
+	ltdb->cache->attributes = talloc_zero(ltdb->cache, struct ldb_message);
+	if (ltdb->cache->indexlist == NULL ||
+	    ltdb->cache->subclasses == NULL ||
+	    ltdb->cache->attributes == NULL) {
+		goto failed;
+	}
+	    
+	indexlist_dn = ldb_dn_explode(module->ldb, LTDB_INDEXLIST);
+	if (indexlist_dn == NULL) goto failed;
+
+	if (ltdb_search_dn1(module, indexlist_dn, ltdb->cache->indexlist) == -1) {
+		goto failed;
+	}
+
+	if (ltdb_attributes_load(module) == -1) {
+		goto failed;
+	}
+	if (ltdb_subclasses_load(module) == -1) {
+		goto failed;
+	}
+
+done:
+	talloc_free(baseinfo);
+	talloc_free(baseinfo_dn);
+	talloc_free(indexlist_dn);
+	return 0;
+
+failed:
+	talloc_free(baseinfo);
+	talloc_free(baseinfo_dn);
+	talloc_free(indexlist_dn);
+	return -1;
+}
+
+
+/*
+  increase the sequence number to indicate a database change
+*/
+int ltdb_increase_sequence_number(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	struct ldb_message *msg;
+	struct ldb_message_element el[2];
+	struct ldb_val val;
+	struct ldb_val val_time;
+	time_t t = time(NULL);
+	char *s = NULL;
+	int ret;
+
+	msg = talloc(ltdb, struct ldb_message);
+	if (msg == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	s = talloc_asprintf(msg, "%llu", ltdb->sequence_number+1);
+	if (!s) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	msg->num_elements = ARRAY_SIZE(el);
+	msg->elements = el;
+	msg->dn = ldb_dn_explode(msg, LTDB_BASEINFO);
+	if (msg->dn == NULL) {
+		talloc_free(msg);
+		errno = ENOMEM;
+		return -1;
+	}
+	el[0].name = talloc_strdup(msg, LTDB_SEQUENCE_NUMBER);
+	if (el[0].name == NULL) {
+		talloc_free(msg);
+		errno = ENOMEM;
+		return -1;
+	}
+	el[0].values = &val;
+	el[0].num_values = 1;
+	el[0].flags = LDB_FLAG_MOD_REPLACE;
+	val.data = (uint8_t *)s;
+	val.length = strlen(s);
+
+	el[1].name = talloc_strdup(msg, LTDB_MOD_TIMESTAMP);
+	if (el[1].name == NULL) {
+		talloc_free(msg);
+		errno = ENOMEM;
+		return -1;
+	}
+	el[1].values = &val_time;
+	el[1].num_values = 1;
+	el[1].flags = LDB_FLAG_MOD_REPLACE;
+
+	s = ldb_timestring(msg, t);
+	if (s == NULL) {
+		return -1;
+	}
+
+	val_time.data = (uint8_t *)s;
+	val_time.length = strlen(s);
+
+	ret = ltdb_modify_internal(module, msg);
+
+	talloc_free(msg);
+
+	if (ret == 0) {
+		ltdb->sequence_number += 1;
+	}
+
+	return ret;
+}
+
+
+/*
+  return the attribute flags from the @ATTRIBUTES record 
+  for the given attribute
+*/
+int ltdb_attribute_flags(struct ldb_module *module, const char *attr_name)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	const struct ldb_message_element *attr_el;
+	int i, j, ret=0;
+
+	if (ltdb->cache->last_attribute.name &&
+	    ldb_attr_cmp(ltdb->cache->last_attribute.name, attr_name) == 0) {
+		return ltdb->cache->last_attribute.flags;
+	}
+
+	/* objectclass is a special default case */
+	if (ldb_attr_cmp(attr_name, LTDB_OBJECTCLASS) == 0) {
+		ret = LTDB_FLAG_OBJECTCLASS | LTDB_FLAG_CASE_INSENSITIVE;
+	}
+
+	attr_el = ldb_msg_find_element(ltdb->cache->attributes, attr_name);
+
+	if (!attr_el) {
+		/* check if theres a wildcard attribute */
+		attr_el = ldb_msg_find_element(ltdb->cache->attributes, "*");
+
+		if (!attr_el) {
+			return ret;
+		}
+	}
+
+	for (i = 0; i < attr_el->num_values; i++) {
+		for (j=0; ltdb_valid_attr_flags[j].name; j++) {
+			if (strcmp(ltdb_valid_attr_flags[j].name, 
+				   (char *)attr_el->values[i].data) == 0) {
+				ret |= ltdb_valid_attr_flags[j].value;
+			}
+		}
+	}
+
+	talloc_free(ltdb->cache->last_attribute.name);
+
+	ltdb->cache->last_attribute.name = talloc_strdup(ltdb->cache, attr_name);
+	ltdb->cache->last_attribute.flags = ret;
+
+	return ret;
+}
+
+int ltdb_check_at_attributes_values(const struct ldb_val *value)
+{
+	int i;
+
+	for (i = 0; ltdb_valid_attr_flags[i].name != NULL; i++) {
+		if ((strcmp(ltdb_valid_attr_flags[i].name, (char *)value->data) == 0)) {
+			return 0;
+		}
+	}
+
+	return -1;
+}
+
diff --git a/source3/lib/ldb/ldb_tdb/ldb_index.c b/source3/lib/ldb/ldb_tdb/ldb_index.c
new file mode 100644
index 0000000000..5545661f7a
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_index.c
@@ -0,0 +1,1178 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb tdb backend - indexing
+ *
+ *  Description: indexing routines for ldb tdb backend
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+/*
+  find an element in a list, using the given comparison function and
+  assuming that the list is already sorted using comp_fn
+
+  return -1 if not found, or the index of the first occurance of needle if found
+*/
+static int ldb_list_find(const void *needle, 
+			 const void *base, size_t nmemb, size_t size, 
+			 comparison_fn_t comp_fn)
+{
+	const char *base_p = (const char *)base;
+	size_t min_i, max_i, test_i;
+
+	if (nmemb == 0) {
+		return -1;
+	}
+
+	min_i = 0;
+	max_i = nmemb-1;
+
+	while (min_i < max_i) {
+		int r;
+
+		test_i = (min_i + max_i) / 2;
+		/* the following cast looks strange, but is
+		 correct. The key to understanding it is that base_p
+		 is a pointer to an array of pointers, so we have to
+		 dereference it after casting to void **. The strange
+		 const in the middle gives us the right type of pointer
+		 after the dereference  (tridge) */
+		r = comp_fn(needle, *(void * const *)(base_p + (size * test_i)));
+		if (r == 0) {
+			/* scan back for first element */
+			while (test_i > 0 &&
+			       comp_fn(needle, *(void * const *)(base_p + (size * (test_i-1)))) == 0) {
+				test_i--;
+			}
+			return test_i;
+		}
+		if (r < 0) {
+			if (test_i == 0) {
+				return -1;
+			}
+			max_i = test_i - 1;
+		}
+		if (r > 0) {
+			min_i = test_i + 1;
+		}
+	}
+
+	if (comp_fn(needle, *(void * const *)(base_p + (size * min_i))) == 0) {
+		return min_i;
+	}
+
+	return -1;
+}
+
+struct dn_list {
+	unsigned int count;
+	char **dn;
+};
+
+/*
+  return the dn key to be used for an index
+  caller frees
+*/
+static struct ldb_dn *ldb_dn_key(struct ldb_context *ldb,
+			const char *attr, const struct ldb_val *value)
+{
+	struct ldb_dn *ret;
+	char *dn;
+	struct ldb_val v;
+	const struct ldb_attrib_handler *h;
+	char *attr_folded;
+
+	attr_folded = ldb_attr_casefold(ldb, attr);
+	if (!attr_folded) {
+		return NULL;
+	}
+
+	h = ldb_attrib_handler(ldb, attr);
+	if (h->canonicalise_fn(ldb, ldb, value, &v) != 0) {
+		/* canonicalisation can be refused. For example, 
+		   a attribute that takes wildcards will refuse to canonicalise
+		   if the value contains a wildcard */
+		talloc_free(attr_folded);
+		return NULL;
+	}
+	if (ldb_should_b64_encode(&v)) {
+		char *vstr = ldb_base64_encode(ldb, (char *)v.data, v.length);
+		if (!vstr) return NULL;
+		dn = talloc_asprintf(ldb, "%s:%s::%s", LTDB_INDEX, attr_folded, vstr);
+		talloc_free(vstr);
+		if (v.data != value->data) {
+			talloc_free(v.data);
+		}
+		talloc_free(attr_folded);
+		if (dn == NULL) return NULL;
+		goto done;
+	}
+
+	dn = talloc_asprintf(ldb, "%s:%s:%.*s", 
+			      LTDB_INDEX, attr_folded, (int)v.length, (char *)v.data);
+
+	if (v.data != value->data) {
+		talloc_free(v.data);
+	}
+	talloc_free(attr_folded);
+
+done:
+	ret = ldb_dn_explode(ldb, dn);
+	talloc_free(dn);
+	return ret;
+}
+
+/*
+  see if a attribute value is in the list of indexed attributes
+*/
+static int ldb_msg_find_idx(const struct ldb_message *msg, const char *attr,
+			    unsigned int *v_idx, const char *key)
+{
+	unsigned int i, j;
+	for (i=0;i<msg->num_elements;i++) {
+		if (ldb_attr_cmp(msg->elements[i].name, key) == 0) {
+			const struct ldb_message_element *el = 
+				&msg->elements[i];
+			for (j=0;j<el->num_values;j++) {
+				if (ldb_attr_cmp((char *)el->values[j].data, attr) == 0) {
+					if (v_idx) {
+						*v_idx = j;
+					}
+					return i;
+				}
+			}
+		}
+	}
+	return -1;
+}
+
+/* used in sorting dn lists */
+static int list_cmp(const char **s1, const char **s2)
+{
+	return strcmp(*s1, *s2);
+}
+
+/*
+  return a list of dn's that might match a simple indexed search or
+ */
+static int ltdb_index_dn_simple(struct ldb_module *module, 
+				const struct ldb_parse_tree *tree,
+				const struct ldb_message *index_list,
+				struct dn_list *list)
+{
+	struct ldb_context *ldb = module->ldb;
+	struct ldb_dn *dn;
+	int ret;
+	unsigned int i, j;
+	struct ldb_message *msg;
+
+	list->count = 0;
+	list->dn = NULL;
+
+	/* if the attribute isn't in the list of indexed attributes then
+	   this node needs a full search */
+	if (ldb_msg_find_idx(index_list, tree->u.equality.attr, NULL, LTDB_IDXATTR) == -1) {
+		return -1;
+	}
+
+	/* the attribute is indexed. Pull the list of DNs that match the 
+	   search criterion */
+	dn = ldb_dn_key(ldb, tree->u.equality.attr, &tree->u.equality.value);
+	if (!dn) return -1;
+
+	msg = talloc(list, struct ldb_message);
+	if (msg == NULL) {
+		return -1;
+	}
+
+	ret = ltdb_search_dn1(module, dn, msg);
+	talloc_free(dn);
+	if (ret == 0 || ret == -1) {
+		return ret;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		struct ldb_message_element *el;
+
+		if (strcmp(msg->elements[i].name, LTDB_IDX) != 0) {
+			continue;
+		}
+
+		el = &msg->elements[i];
+
+		list->dn = talloc_array(list, char *, el->num_values);
+		if (!list->dn) {
+			talloc_free(msg);
+			return -1;
+		}
+
+		for (j=0;j<el->num_values;j++) {
+			list->dn[list->count] = 
+				talloc_strdup(list->dn, (char *)el->values[j].data);
+			if (!list->dn[list->count]) {
+				talloc_free(msg);
+				return -1;
+			}
+			list->count++;
+		}
+	}
+
+	talloc_free(msg);
+
+	if (list->count > 1) {
+		qsort(list->dn, list->count, sizeof(char *), (comparison_fn_t) list_cmp);
+	}
+
+	return 1;
+}
+
+
+static int list_union(struct ldb_context *, struct dn_list *, const struct dn_list *);
+
+/*
+  return a list of dn's that might match a simple indexed search on
+  the special objectclass attribute
+ */
+static int ltdb_index_dn_objectclass(struct ldb_module *module, 
+				     const struct ldb_parse_tree *tree,
+				     const struct ldb_message *index_list,
+				     struct dn_list *list)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i;
+	int ret;
+	const char *target = (const char *)tree->u.equality.value.data;
+	const char **subclasses;
+
+	list->count = 0;
+	list->dn = NULL;
+
+	ret = ltdb_index_dn_simple(module, tree, index_list, list);
+
+	subclasses = ldb_subclass_list(module->ldb, target);
+
+	if (subclasses == NULL) {
+		return ret;
+	}
+
+	for (i=0;subclasses[i];i++) {
+		struct ldb_parse_tree tree2;
+		struct dn_list *list2;
+		tree2.operation = LDB_OP_EQUALITY;
+		tree2.u.equality.attr = LTDB_OBJECTCLASS;
+		if (!tree2.u.equality.attr) {
+			return -1;
+		}
+		tree2.u.equality.value.data = 
+			(uint8_t *)talloc_strdup(list, subclasses[i]);
+		if (tree2.u.equality.value.data == NULL) {
+			return -1;			
+		}
+		tree2.u.equality.value.length = strlen(subclasses[i]);
+		list2 = talloc(list, struct dn_list);
+		if (list2 == NULL) {
+			talloc_free(tree2.u.equality.value.data);
+			return -1;
+		}
+		if (ltdb_index_dn_objectclass(module, &tree2, 
+					      index_list, list2) == 1) {
+			if (list->count == 0) {
+				*list = *list2;
+				ret = 1;
+			} else {
+				list_union(ldb, list, list2);
+				talloc_free(list2);
+			}
+		}
+		talloc_free(tree2.u.equality.value.data);
+	}
+
+	return ret;
+}
+
+/*
+  return a list of dn's that might match a leaf indexed search
+ */
+static int ltdb_index_dn_leaf(struct ldb_module *module, 
+			      const struct ldb_parse_tree *tree,
+			      const struct ldb_message *index_list,
+			      struct dn_list *list)
+{
+	if (ldb_attr_cmp(tree->u.equality.attr, LTDB_OBJECTCLASS) == 0) {
+		return ltdb_index_dn_objectclass(module, tree, index_list, list);
+	}
+	if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+		list->dn = talloc_array(list, char *, 1);
+		if (list->dn == NULL) {
+			ldb_oom(module->ldb);
+			return -1;
+		}
+		list->dn[0] = talloc_strdup(list->dn, (char *)tree->u.equality.value.data);
+		if (list->dn[0] == NULL) {
+			ldb_oom(module->ldb);
+			return -1;
+		}
+		list->count = 1;
+		return 1;
+	}
+	return ltdb_index_dn_simple(module, tree, index_list, list);
+}
+
+
+/*
+  list intersection
+  list = list & list2
+  relies on the lists being sorted
+*/
+static int list_intersect(struct ldb_context *ldb,
+			  struct dn_list *list, const struct dn_list *list2)
+{
+	struct dn_list *list3;
+	unsigned int i;
+
+	if (list->count == 0 || list2->count == 0) {
+		/* 0 & X == 0 */
+		return 0;
+	}
+
+	list3 = talloc(ldb, struct dn_list);
+	if (list3 == NULL) {
+		return -1;
+	}
+
+	list3->dn = talloc_array(list3, char *, list->count);
+	if (!list3->dn) {
+		talloc_free(list3);
+		return -1;
+	}
+	list3->count = 0;
+
+	for (i=0;i<list->count;i++) {
+		if (ldb_list_find(list->dn[i], list2->dn, list2->count, 
+			      sizeof(char *), (comparison_fn_t)strcmp) != -1) {
+			list3->dn[list3->count] = talloc_move(list3->dn, &list->dn[i]);
+			list3->count++;
+		} else {
+			talloc_free(list->dn[i]);
+		}		
+	}
+
+	talloc_free(list->dn);
+	list->dn = talloc_move(list, &list3->dn);
+	list->count = list3->count;
+	talloc_free(list3);
+
+	return 0;
+}
+
+
+/*
+  list union
+  list = list | list2
+  relies on the lists being sorted
+*/
+static int list_union(struct ldb_context *ldb, 
+		      struct dn_list *list, const struct dn_list *list2)
+{
+	unsigned int i;
+	char **d;
+	unsigned int count = list->count;
+
+	if (list->count == 0 && list2->count == 0) {
+		/* 0 | 0 == 0 */
+		return 0;
+	}
+
+	d = talloc_realloc(list, list->dn, char *, list->count + list2->count);
+	if (!d) {
+		return -1;
+	}
+	list->dn = d;
+
+	for (i=0;i<list2->count;i++) {
+		if (ldb_list_find(list2->dn[i], list->dn, count, 
+			      sizeof(char *), (comparison_fn_t)strcmp) == -1) {
+			list->dn[list->count] = talloc_strdup(list->dn, list2->dn[i]);
+			if (!list->dn[list->count]) {
+				return -1;
+			}
+			list->count++;
+		}		
+	}
+
+	if (list->count != count) {
+		qsort(list->dn, list->count, sizeof(char *), (comparison_fn_t)list_cmp);
+	}
+
+	return 0;
+}
+
+static int ltdb_index_dn(struct ldb_module *module, 
+			 const struct ldb_parse_tree *tree,
+			 const struct ldb_message *index_list,
+			 struct dn_list *list);
+
+
+/*
+  OR two index results
+ */
+static int ltdb_index_dn_or(struct ldb_module *module, 
+			    const struct ldb_parse_tree *tree,
+			    const struct ldb_message *index_list,
+			    struct dn_list *list)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i;
+	int ret;
+	
+	ret = -1;
+	list->dn = NULL;
+	list->count = 0;
+
+	for (i=0;i<tree->u.list.num_elements;i++) {
+		struct dn_list *list2;
+		int v;
+
+		list2 = talloc(module, struct dn_list);
+		if (list2 == NULL) {
+			return -1;
+		}
+
+		v = ltdb_index_dn(module, tree->u.list.elements[i], index_list, list2);
+
+		if (v == 0) {
+			/* 0 || X == X */
+			if (ret == -1) {
+				ret = 0;
+			}
+			talloc_free(list2);
+			continue;
+		}
+
+		if (v == -1) {
+			/* 1 || X == 1 */
+			talloc_free(list->dn);
+			talloc_free(list2);
+			return -1;
+		}
+
+		if (ret == -1) {
+			ret = 1;
+			list->dn = talloc_move(list, &list2->dn);
+			list->count = list2->count;
+		} else {
+			if (list_union(ldb, list, list2) == -1) {
+				talloc_free(list2);
+				return -1;
+			}
+			ret = 1;
+		}
+		talloc_free(list2);
+	}
+
+	if (list->count == 0) {
+		return 0;
+	}
+
+	return ret;
+}
+
+
+/*
+  NOT an index results
+ */
+static int ltdb_index_dn_not(struct ldb_module *module, 
+			     const struct ldb_parse_tree *tree,
+			     const struct ldb_message *index_list,
+			     struct dn_list *list)
+{
+	/* the only way to do an indexed not would be if we could
+	   negate the not via another not or if we knew the total
+	   number of database elements so we could know that the
+	   existing expression covered the whole database. 
+	   
+	   instead, we just give up, and rely on a full index scan
+	   (unless an outer & manages to reduce the list)
+	*/
+	return -1;
+}
+
+/*
+  AND two index results
+ */
+static int ltdb_index_dn_and(struct ldb_module *module, 
+			     const struct ldb_parse_tree *tree,
+			     const struct ldb_message *index_list,
+			     struct dn_list *list)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i;
+	int ret;
+	
+	ret = -1;
+	list->dn = NULL;
+	list->count = 0;
+
+	for (i=0;i<tree->u.list.num_elements;i++) {
+		struct dn_list *list2;
+		int v;
+
+		list2 = talloc(module, struct dn_list);
+		if (list2 == NULL) {
+			return -1;
+		}
+
+		v = ltdb_index_dn(module, tree->u.list.elements[i], index_list, list2);
+
+		if (v == 0) {
+			/* 0 && X == 0 */
+			talloc_free(list->dn);
+			talloc_free(list2);
+			return 0;
+		}
+
+		if (v == -1) {
+			talloc_free(list2);
+			continue;
+		}
+
+		if (ret == -1) {
+			ret = 1;
+			talloc_free(list->dn);
+			list->dn = talloc_move(list, &list2->dn);
+			list->count = list2->count;
+		} else {
+			if (list_intersect(ldb, list, list2) == -1) {
+				talloc_free(list2);
+				return -1;
+			}
+		}
+
+		talloc_free(list2);
+
+		if (list->count == 0) {
+			talloc_free(list->dn);
+			return 0;
+		}
+	}
+
+	return ret;
+}
+
+/*
+  return a list of dn's that might match a indexed search or
+  -1 if an error. return 0 for no matches, or 1 for matches
+ */
+static int ltdb_index_dn(struct ldb_module *module, 
+			 const struct ldb_parse_tree *tree,
+			 const struct ldb_message *index_list,
+			 struct dn_list *list)
+{
+	int ret = -1;
+
+	switch (tree->operation) {
+	case LDB_OP_AND:
+		ret = ltdb_index_dn_and(module, tree, index_list, list);
+		break;
+
+	case LDB_OP_OR:
+		ret = ltdb_index_dn_or(module, tree, index_list, list);
+		break;
+
+	case LDB_OP_NOT:
+		ret = ltdb_index_dn_not(module, tree, index_list, list);
+		break;
+
+	case LDB_OP_EQUALITY:
+		ret = ltdb_index_dn_leaf(module, tree, index_list, list);
+		break;
+
+	case LDB_OP_SUBSTRING:
+	case LDB_OP_GREATER:
+	case LDB_OP_LESS:
+	case LDB_OP_PRESENT:
+	case LDB_OP_APPROX:
+	case LDB_OP_EXTENDED:
+		/* we can't index with fancy bitops yet */
+		ret = -1;
+		break;
+	}
+
+	return ret;
+}
+
+/*
+  filter a candidate dn_list from an indexed search into a set of results
+  extracting just the given attributes
+*/
+static int ltdb_index_filter(const struct dn_list *dn_list, 
+			     struct ldb_handle *handle)
+{
+	struct ltdb_context *ac = talloc_get_type(handle->private_data, struct ltdb_context);
+	struct ldb_reply *ares = NULL;
+	unsigned int i;
+
+	if (!ac) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	for (i = 0; i < dn_list->count; i++) {
+		struct ldb_dn *dn;
+		int ret;
+
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			handle->state = LDB_ASYNC_DONE;
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ares->message = ldb_msg_new(ares);
+		if (!ares->message) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			handle->state = LDB_ASYNC_DONE;
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+
+		dn = ldb_dn_explode(ares->message, dn_list->dn[i]);
+		if (dn == NULL) {
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ret = ltdb_search_dn1(ac->module, dn, ares->message);
+		talloc_free(dn);
+		if (ret == 0) {
+			/* the record has disappeared? yes, this can happen */
+			talloc_free(ares);
+			continue;
+		}
+
+		if (ret == -1) {
+			/* an internal error */
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		if (!ldb_match_msg(ac->module->ldb, ares->message, ac->tree, ac->base, ac->scope)) {
+			talloc_free(ares);
+			continue;
+		}
+
+		/* filter the attributes that the user wants */
+		ret = ltdb_filter_attrs(ares->message, ac->attrs);
+
+		if (ret == -1) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			handle->state = LDB_ASYNC_DONE;
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ares->type = LDB_REPLY_ENTRY;
+        	handle->state = LDB_ASYNC_PENDING;
+		handle->status = ac->callback(ac->module->ldb, ac->context, ares);
+
+		if (handle->status != LDB_SUCCESS) {
+			handle->state = LDB_ASYNC_DONE;
+			return handle->status;
+		}
+	}
+
+	return LDB_SUCCESS;
+}
+
+/*
+  search the database with a LDAP-like expression using indexes
+  returns -1 if an indexed search is not possible, in which
+  case the caller should call ltdb_search_full() 
+*/
+int ltdb_search_indexed(struct ldb_handle *handle)
+{
+	struct ltdb_context *ac;
+	struct ltdb_private *ltdb;
+	struct dn_list *dn_list;
+	int ret;
+
+	if (!(ac = talloc_get_type(handle->private_data,
+				   struct ltdb_context)) ||
+	    !(ltdb = talloc_get_type(ac->module->private_data,
+				     struct ltdb_private))) {
+		return -1;
+	}
+
+	if (ltdb->cache->indexlist->num_elements == 0 && 
+	    ac->scope != LDB_SCOPE_BASE) {
+		/* no index list? must do full search */
+		return -1;
+	}
+
+	dn_list = talloc(handle, struct dn_list);
+	if (dn_list == NULL) {
+		return -1;
+	}
+
+	if (ac->scope == LDB_SCOPE_BASE) {
+		/* with BASE searches only one DN can match */
+		dn_list->dn = talloc_array(dn_list, char *, 1);
+		if (dn_list->dn == NULL) {
+			ldb_oom(ac->module->ldb);
+			return -1;
+		}
+		dn_list->dn[0] = ldb_dn_linearize(dn_list, ac->base);
+		if (dn_list->dn[0] == NULL) {
+			ldb_oom(ac->module->ldb);
+			return -1;
+		}
+		dn_list->count = 1;
+		ret = 1;
+	} else {
+		ret = ltdb_index_dn(ac->module, ac->tree, ltdb->cache->indexlist, dn_list);
+	}
+
+	if (ret == 1) {
+		/* we've got a candidate list - now filter by the full tree
+		   and extract the needed attributes */
+		ret = ltdb_index_filter(dn_list, handle);
+		handle->status = ret;
+		handle->state = LDB_ASYNC_DONE;
+	}
+
+	talloc_free(dn_list);
+
+	return ret;
+}
+
+/*
+  add a index element where this is the first indexed DN for this value
+*/
+static int ltdb_index_add1_new(struct ldb_context *ldb, 
+			       struct ldb_message *msg,
+			       struct ldb_message_element *el,
+			       const char *dn)
+{
+	struct ldb_message_element *el2;
+
+	/* add another entry */
+	el2 = talloc_realloc(msg, msg->elements, 
+			       struct ldb_message_element, msg->num_elements+1);
+	if (!el2) {
+		return -1;
+	}
+
+	msg->elements = el2;
+	msg->elements[msg->num_elements].name = talloc_strdup(msg->elements, LTDB_IDX);
+	if (!msg->elements[msg->num_elements].name) {
+		return -1;
+	}
+	msg->elements[msg->num_elements].num_values = 0;
+	msg->elements[msg->num_elements].values = talloc(msg->elements, struct ldb_val);
+	if (!msg->elements[msg->num_elements].values) {
+		return -1;
+	}
+	msg->elements[msg->num_elements].values[0].length = strlen(dn);
+	msg->elements[msg->num_elements].values[0].data = discard_const_p(uint8_t, dn);
+	msg->elements[msg->num_elements].num_values = 1;
+	msg->num_elements++;
+
+	return 0;
+}
+
+
+/*
+  add a index element where this is not the first indexed DN for this
+  value
+*/
+static int ltdb_index_add1_add(struct ldb_context *ldb, 
+			       struct ldb_message *msg,
+			       struct ldb_message_element *el,
+			       int idx,
+			       const char *dn)
+{
+	struct ldb_val *v2;
+	unsigned int i;
+
+	/* for multi-valued attributes we can end up with repeats */
+	for (i=0;i<msg->elements[idx].num_values;i++) {
+		if (strcmp(dn, (char *)msg->elements[idx].values[i].data) == 0) {
+			return 0;
+		}
+	}
+
+	v2 = talloc_realloc(msg->elements, msg->elements[idx].values,
+			      struct ldb_val, 
+			      msg->elements[idx].num_values+1);
+	if (!v2) {
+		return -1;
+	}
+	msg->elements[idx].values = v2;
+
+	msg->elements[idx].values[msg->elements[idx].num_values].length = strlen(dn);
+	msg->elements[idx].values[msg->elements[idx].num_values].data = discard_const_p(uint8_t, dn);
+	msg->elements[idx].num_values++;
+
+	return 0;
+}
+
+/*
+  add an index entry for one message element
+*/
+static int ltdb_index_add1(struct ldb_module *module, const char *dn, 
+			   struct ldb_message_element *el, int v_idx)
+{
+	struct ldb_context *ldb = module->ldb;
+	struct ldb_message *msg;
+	struct ldb_dn *dn_key;
+	int ret;
+	unsigned int i;
+
+	msg = talloc(module, struct ldb_message);
+	if (msg == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	dn_key = ldb_dn_key(ldb, el->name, &el->values[v_idx]);
+	if (!dn_key) {
+		talloc_free(msg);
+		errno = ENOMEM;
+		return -1;
+	}
+	talloc_steal(msg, dn_key);
+
+	ret = ltdb_search_dn1(module, dn_key, msg);
+	if (ret == -1) {
+		talloc_free(msg);
+		return -1;
+	}
+
+	if (ret == 0) {
+		msg->dn = dn_key;
+		msg->num_elements = 0;
+		msg->elements = NULL;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		if (strcmp(LTDB_IDX, msg->elements[i].name) == 0) {
+			break;
+		}
+	}
+
+	if (i == msg->num_elements) {
+		ret = ltdb_index_add1_new(ldb, msg, el, dn);
+	} else {
+		ret = ltdb_index_add1_add(ldb, msg, el, i, dn);
+	}
+
+	if (ret == 0) {
+		ret = ltdb_store(module, msg, TDB_REPLACE);
+	}
+
+	talloc_free(msg);
+
+	return ret;
+}
+
+static int ltdb_index_add0(struct ldb_module *module, const char *dn,
+			   struct ldb_message_element *elements, int num_el)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	int ret;
+	unsigned int i, j;
+
+	if (dn[0] == '@') {
+		return 0;
+	}
+
+	if (ltdb->cache->indexlist->num_elements == 0) {
+		/* no indexed fields */
+		return 0;
+	}
+
+	for (i = 0; i < num_el; i++) {
+		ret = ldb_msg_find_idx(ltdb->cache->indexlist, elements[i].name, 
+				       NULL, LTDB_IDXATTR);
+		if (ret == -1) {
+			continue;
+		}
+		for (j = 0; j < elements[i].num_values; j++) {
+			ret = ltdb_index_add1(module, dn, &elements[i], j);
+			if (ret == -1) {
+				return -1;
+			}
+		}
+	}
+
+	return 0;
+}
+
+/*
+  add the index entries for a new record
+  return -1 on failure
+*/
+int ltdb_index_add(struct ldb_module *module, const struct ldb_message *msg)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	char *dn;
+	int ret;
+
+	dn = ldb_dn_linearize(ltdb, msg->dn);
+	if (dn == NULL) {
+		return -1;
+	}
+
+	ret = ltdb_index_add0(module, dn, msg->elements, msg->num_elements);
+
+	talloc_free(dn);
+
+	return ret;
+}
+
+
+/*
+  delete an index entry for one message element
+*/
+int ltdb_index_del_value(struct ldb_module *module, const char *dn, 
+			 struct ldb_message_element *el, int v_idx)
+{
+	struct ldb_context *ldb = module->ldb;
+	struct ldb_message *msg;
+	struct ldb_dn *dn_key;
+	int ret, i;
+	unsigned int j;
+
+	if (dn[0] == '@') {
+		return 0;
+	}
+
+	dn_key = ldb_dn_key(ldb, el->name, &el->values[v_idx]);
+	if (!dn_key) {
+		return -1;
+	}
+
+	msg = talloc(dn_key, struct ldb_message);
+	if (msg == NULL) {
+		talloc_free(dn_key);
+		return -1;
+	}
+
+	ret = ltdb_search_dn1(module, dn_key, msg);
+	if (ret == -1) {
+		talloc_free(dn_key);
+		return -1;
+	}
+
+	if (ret == 0) {
+		/* it wasn't indexed. Did we have an earlier error? If we did then
+		   its gone now */
+		talloc_free(dn_key);
+		return 0;
+	}
+
+	i = ldb_msg_find_idx(msg, dn, &j, LTDB_IDX);
+	if (i == -1) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR,
+				"ERROR: dn %s not found in %s\n", dn,
+				ldb_dn_linearize(dn_key, dn_key));
+		/* it ain't there. hmmm */
+		talloc_free(dn_key);
+		return 0;
+	}
+
+	if (j != msg->elements[i].num_values - 1) {
+		memmove(&msg->elements[i].values[j], 
+			&msg->elements[i].values[j+1], 
+			(msg->elements[i].num_values-(j+1)) * 
+			sizeof(msg->elements[i].values[0]));
+	}
+	msg->elements[i].num_values--;
+
+	if (msg->elements[i].num_values == 0) {
+		ret = ltdb_delete_noindex(module, dn_key);
+	} else {
+		ret = ltdb_store(module, msg, TDB_REPLACE);
+	}
+
+	talloc_free(dn_key);
+
+	return ret;
+}
+
+/*
+  delete the index entries for a record
+  return -1 on failure
+*/
+int ltdb_index_del(struct ldb_module *module, const struct ldb_message *msg)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	int ret;
+	char *dn;
+	unsigned int i, j;
+
+	/* find the list of indexed fields */	
+	if (ltdb->cache->indexlist->num_elements == 0) {
+		/* no indexed fields */
+		return 0;
+	}
+
+	if (ldb_dn_is_special(msg->dn)) {
+		return 0;
+	}
+
+	dn = ldb_dn_linearize(ltdb, msg->dn);
+	if (dn == NULL) {
+		return -1;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		ret = ldb_msg_find_idx(ltdb->cache->indexlist, msg->elements[i].name, 
+				       NULL, LTDB_IDXATTR);
+		if (ret == -1) {
+			continue;
+		}
+		for (j = 0; j < msg->elements[i].num_values; j++) {
+			ret = ltdb_index_del_value(module, dn, &msg->elements[i], j);
+			if (ret == -1) {
+				talloc_free(dn);
+				return -1;
+			}
+		}
+	}
+
+	talloc_free(dn);
+	return 0;
+}
+
+
+/*
+  traversal function that deletes all @INDEX records
+*/
+static int delete_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void *state)
+{
+	const char *dn = "DN=" LTDB_INDEX ":";
+	if (strncmp((char *)key.dptr, dn, strlen(dn)) == 0) {
+		return tdb_delete(tdb, key);
+	}
+	return 0;
+}
+
+/*
+  traversal function that adds @INDEX records during a re index
+*/
+static int re_index(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void *state)
+{
+	struct ldb_module *module = (struct ldb_module *)state;
+	struct ldb_message *msg;
+	char *dn = NULL;
+	int ret;
+	TDB_DATA key2;
+
+	if (strncmp((char *)key.dptr, "DN=@", 4) == 0 ||
+	    strncmp((char *)key.dptr, "DN=", 3) != 0) {
+		return 0;
+	}
+
+	msg = talloc(module, struct ldb_message);
+	if (msg == NULL) {
+		return -1;
+	}
+
+	ret = ltdb_unpack_data(module, &data, msg);
+	if (ret != 0) {
+		talloc_free(msg);
+		return -1;
+	}
+
+	/* check if the DN key has changed, perhaps due to the 
+	   case insensitivity of an element changing */
+	key2 = ltdb_key(module, msg->dn);
+	if (key2.dptr == NULL) {
+		/* probably a corrupt record ... darn */
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Invalid DN in re_index: %s\n",
+							ldb_dn_linearize(msg, msg->dn));
+		talloc_free(msg);
+		return 0;
+	}
+	if (strcmp((char *)key2.dptr, (char *)key.dptr) != 0) {
+		tdb_delete(tdb, key);
+		tdb_store(tdb, key2, data, 0);
+	}
+	talloc_free(key2.dptr);
+
+	if (msg->dn == NULL) {
+		dn = (char *)key.dptr + 3;
+	} else {
+		if (!(dn = ldb_dn_linearize(msg->dn, msg->dn))) {
+			talloc_free(msg);
+			return -1;
+		}
+	}
+
+	ret = ltdb_index_add0(module, dn, msg->elements, msg->num_elements);
+
+	talloc_free(msg);
+
+	return ret;
+}
+
+/*
+  force a complete reindex of the database
+*/
+int ltdb_reindex(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	int ret;
+
+	if (ltdb_cache_reload(module) != 0) {
+		return -1;
+	}
+
+	/* first traverse the database deleting any @INDEX records */
+	ret = tdb_traverse(ltdb->tdb, delete_index, NULL);
+	if (ret == -1) {
+		return -1;
+	}
+
+	/* now traverse adding any indexes for normal LDB records */
+	ret = tdb_traverse(ltdb->tdb, re_index, module);
+	if (ret == -1) {
+		return -1;
+	}
+
+	return 0;
+}
diff --git a/source3/lib/ldb/ldb_tdb/ldb_pack.c b/source3/lib/ldb/ldb_tdb/ldb_pack.c
new file mode 100644
index 0000000000..3f3d1ccca7
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_pack.c
@@ -0,0 +1,293 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb pack/unpack
+ *
+ *  Description: pack/unpack routines for ldb messages as key/value blobs
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+/* change this if the data format ever changes */
+#define LTDB_PACKING_FORMAT 0x26011967
+
+/* old packing formats */
+#define LTDB_PACKING_FORMAT_NODN 0x26011966
+
+/* use a portable integer format */
+static void put_uint32(uint8_t *p, int ofs, unsigned int val)
+{
+	p += ofs;
+	p[0] = val&0xFF;
+	p[1] = (val>>8)  & 0xFF;
+	p[2] = (val>>16) & 0xFF;
+	p[3] = (val>>24) & 0xFF;
+}
+
+static unsigned int pull_uint32(uint8_t *p, int ofs)
+{
+	p += ofs;
+	return p[0] | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
+}
+
+static int attribute_storable_values(const struct ldb_message_element *el)
+{
+	if (el->num_values == 0) return 0;
+
+	if (ldb_attr_cmp(el->name, "dn") == 0) return 0;
+
+	if (ldb_attr_cmp(el->name, "distinguishedName") == 0) return 0;
+
+	return el->num_values;
+}
+
+/*
+  pack a ldb message into a linear buffer in a TDB_DATA
+
+  note that this routine avoids saving elements with zero values,
+  as these are equivalent to having no element
+
+  caller frees the data buffer after use
+*/
+int ltdb_pack_data(struct ldb_module *module,
+		   const struct ldb_message *message,
+		   struct TDB_DATA *data)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i, j, real_elements=0;
+	size_t size;
+	char *dn;
+	uint8_t *p;
+	size_t len;
+
+	dn = ldb_dn_linearize(ldb, message->dn);
+	if (dn == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* work out how big it needs to be */
+	size = 8;
+
+	size += 1 + strlen(dn);
+
+	for (i=0;i<message->num_elements;i++) {
+		if (attribute_storable_values(&message->elements[i]) == 0) {
+			continue;
+		}
+
+		real_elements++;
+
+		size += 1 + strlen(message->elements[i].name) + 4;
+		for (j=0;j<message->elements[i].num_values;j++) {
+			size += 4 + message->elements[i].values[j].length + 1;
+		}
+	}
+
+	/* allocate it */
+	data->dptr = talloc_array(ldb, uint8_t, size);
+	if (!data->dptr) {
+		talloc_free(dn);
+		errno = ENOMEM;
+		return -1;
+	}
+	data->dsize = size;
+
+	p = (uint8_t *)data->dptr;
+	put_uint32(p, 0, LTDB_PACKING_FORMAT); 
+	put_uint32(p, 4, real_elements); 
+	p += 8;
+
+	/* the dn needs to be packed so we can be case preserving
+	   while hashing on a case folded dn */
+	len = strlen(dn);
+	memcpy(p, dn, len+1);
+	p += len + 1;
+	
+	for (i=0;i<message->num_elements;i++) {
+		if (attribute_storable_values(&message->elements[i]) == 0) {
+			continue;
+		}
+		len = strlen(message->elements[i].name);
+		memcpy(p, message->elements[i].name, len+1);
+		p += len + 1;
+		put_uint32(p, 0, message->elements[i].num_values);
+		p += 4;
+		for (j=0;j<message->elements[i].num_values;j++) {
+			put_uint32(p, 0, message->elements[i].values[j].length);
+			memcpy(p+4, message->elements[i].values[j].data, 
+			       message->elements[i].values[j].length);
+			p[4+message->elements[i].values[j].length] = 0;
+			p += 4 + message->elements[i].values[j].length + 1;
+		}
+	}
+
+	talloc_free(dn);
+	return 0;
+}
+
+/*
+  unpack a ldb message from a linear buffer in TDB_DATA
+
+  Free with ltdb_unpack_data_free()
+*/
+int ltdb_unpack_data(struct ldb_module *module,
+		     const struct TDB_DATA *data,
+		     struct ldb_message *message)
+{
+	struct ldb_context *ldb = module->ldb;
+	uint8_t *p;
+	unsigned int remaining;
+	unsigned int i, j;
+	unsigned format;
+	size_t len;
+
+	message->elements = NULL;
+
+	p = (uint8_t *)data->dptr;
+	if (data->dsize < 8) {
+		errno = EIO;
+		goto failed;
+	}
+
+	format = pull_uint32(p, 0);
+	message->num_elements = pull_uint32(p, 4);
+	p += 8;
+
+	remaining = data->dsize - 8;
+
+	switch (format) {
+	case LTDB_PACKING_FORMAT_NODN:
+		message->dn = NULL;
+		break;
+
+	case LTDB_PACKING_FORMAT:
+		len = strnlen((char *)p, remaining);
+		if (len == remaining) {
+			errno = EIO;
+			goto failed;
+		}
+		message->dn = ldb_dn_explode(message, (char *)p);
+		if (message->dn == NULL) {
+			errno = ENOMEM;
+			goto failed;
+		}
+		remaining -= len + 1;
+		p += len + 1;
+		break;
+
+	default:
+		errno = EIO;
+		goto failed;
+	}
+
+	if (message->num_elements == 0) {
+		message->elements = NULL;
+		return 0;
+	}
+	
+	if (message->num_elements > remaining / 6) {
+		errno = EIO;
+		goto failed;
+	}
+
+	message->elements = talloc_array(message, struct ldb_message_element, message->num_elements);
+	if (!message->elements) {
+		errno = ENOMEM;
+		goto failed;
+	}
+
+	memset(message->elements, 0, 
+	       message->num_elements * sizeof(struct ldb_message_element));
+
+	for (i=0;i<message->num_elements;i++) {
+		if (remaining < 10) {
+			errno = EIO;
+			goto failed;
+		}
+		len = strnlen((char *)p, remaining-6);
+		if (len == remaining-6) {
+			errno = EIO;
+			goto failed;
+		}
+		message->elements[i].flags = 0;
+		message->elements[i].name = talloc_strndup(message->elements, (char *)p, len);
+		if (message->elements[i].name == NULL) {
+			errno = ENOMEM;
+			goto failed;
+		}
+		remaining -= len + 1;
+		p += len + 1;
+		message->elements[i].num_values = pull_uint32(p, 0);
+		message->elements[i].values = NULL;
+		if (message->elements[i].num_values != 0) {
+			message->elements[i].values = talloc_array(message->elements,
+								     struct ldb_val, 
+								     message->elements[i].num_values);
+			if (!message->elements[i].values) {
+				errno = ENOMEM;
+				goto failed;
+			}
+		}
+		p += 4;
+		remaining -= 4;
+		for (j=0;j<message->elements[i].num_values;j++) {
+			len = pull_uint32(p, 0);
+			if (len > remaining-5) {
+				errno = EIO;
+				goto failed;
+			}
+
+			message->elements[i].values[j].length = len;
+			message->elements[i].values[j].data = (uint8_t *)talloc_size(message->elements[i].values, len+1);
+			if (message->elements[i].values[j].data == NULL) {
+				errno = ENOMEM;
+				goto failed;
+			}
+			memcpy(message->elements[i].values[j].data, p+4, len);
+			message->elements[i].values[j].data[len] = 0;
+	
+			remaining -= len+4+1;
+			p += len+4+1;
+		}
+	}
+
+	if (remaining != 0) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, 
+			  "Error: %d bytes unread in ltdb_unpack_data\n", remaining);
+	}
+
+	return 0;
+
+failed:
+	talloc_free(message->elements);
+	return -1;
+}
diff --git a/source3/lib/ldb/ldb_tdb/ldb_search.c b/source3/lib/ldb/ldb_tdb/ldb_search.c
new file mode 100644
index 0000000000..9ef8eb9295
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_search.c
@@ -0,0 +1,527 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb search functions
+ *
+ *  Description: functions to search ldb+tdb databases
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+/*
+  add one element to a message
+*/
+static int msg_add_element(struct ldb_message *ret, 
+			   const struct ldb_message_element *el,
+			   int check_duplicates)
+{
+	unsigned int i;
+	struct ldb_message_element *e2, *elnew;
+
+	if (check_duplicates && ldb_msg_find_element(ret, el->name)) {
+		/* its already there */
+		return 0;
+	}
+
+	e2 = talloc_realloc(ret, ret->elements, struct ldb_message_element, ret->num_elements+1);
+	if (!e2) {
+		return -1;
+	}
+	ret->elements = e2;
+	
+	elnew = &e2[ret->num_elements];
+
+	elnew->name = talloc_strdup(ret->elements, el->name);
+	if (!elnew->name) {
+		return -1;
+	}
+
+	if (el->num_values) {
+		elnew->values = talloc_array(ret->elements, struct ldb_val, el->num_values);
+		if (!elnew->values) {
+			return -1;
+		}
+	} else {
+		elnew->values = NULL;
+	}
+
+	for (i=0;i<el->num_values;i++) {
+		elnew->values[i] = ldb_val_dup(elnew->values, &el->values[i]);
+		if (elnew->values[i].length != el->values[i].length) {
+			return -1;
+		}
+	}
+
+	elnew->num_values = el->num_values;
+
+	ret->num_elements++;
+
+	return 0;
+}
+
+/*
+  add the special distinguishedName element
+*/
+static int msg_add_distinguished_name(struct ldb_message *msg)
+{
+	struct ldb_message_element el;
+	struct ldb_val val;
+	int ret;
+
+	el.flags = 0;
+	el.name = "distinguishedName";
+	el.num_values = 1;
+	el.values = &val;
+	val.data = (uint8_t *)ldb_dn_linearize(msg, msg->dn);
+	val.length = strlen((char *)val.data);
+	
+	ret = msg_add_element(msg, &el, 1);
+	return ret;
+}
+
+/*
+  add all elements from one message into another
+ */
+static int msg_add_all_elements(struct ldb_module *module, struct ldb_message *ret,
+				const struct ldb_message *msg)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i;
+	int check_duplicates = (ret->num_elements != 0);
+
+	if (msg_add_distinguished_name(ret) != 0) {
+		return -1;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		const struct ldb_attrib_handler *h;
+		h = ldb_attrib_handler(ldb, msg->elements[i].name);
+		if (h->flags & LDB_ATTR_FLAG_HIDDEN) {
+			continue;
+		}
+		if (msg_add_element(ret, &msg->elements[i],
+				    check_duplicates) != 0) {
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+
+/*
+  pull the specified list of attributes from a message
+ */
+static struct ldb_message *ltdb_pull_attrs(struct ldb_module *module, 
+					   TALLOC_CTX *mem_ctx, 
+					   const struct ldb_message *msg, 
+					   const char * const *attrs)
+{
+	struct ldb_message *ret;
+	int i;
+
+	ret = talloc(mem_ctx, struct ldb_message);
+	if (!ret) {
+		return NULL;
+	}
+
+	ret->dn = ldb_dn_copy(ret, msg->dn);
+	if (!ret->dn) {
+		talloc_free(ret);
+		return NULL;
+	}
+
+	ret->num_elements = 0;
+	ret->elements = NULL;
+
+	if (!attrs) {
+		if (msg_add_all_elements(module, ret, msg) != 0) {
+			talloc_free(ret);
+			return NULL;
+		}
+		return ret;
+	}
+
+	for (i=0;attrs[i];i++) {
+		struct ldb_message_element *el;
+
+		if (strcmp(attrs[i], "*") == 0) {
+			if (msg_add_all_elements(module, ret, msg) != 0) {
+				talloc_free(ret);
+				return NULL;
+			}
+			continue;
+		}
+
+		if (ldb_attr_cmp(attrs[i], "distinguishedName") == 0) {
+			if (msg_add_distinguished_name(ret) != 0) {
+				return NULL;
+			}
+			continue;
+		}
+
+		el = ldb_msg_find_element(msg, attrs[i]);
+		if (!el) {
+			continue;
+		}
+		if (msg_add_element(ret, el, 1) != 0) {
+			talloc_free(ret);
+			return NULL;				
+		}
+	}
+
+	return ret;
+}
+
+
+/*
+  search the database for a single simple dn, returning all attributes
+  in a single message
+
+  return 1 on success, 0 on record-not-found and -1 on error
+*/
+int ltdb_search_dn1(struct ldb_module *module, const struct ldb_dn *dn, struct ldb_message *msg)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	int ret;
+	TDB_DATA tdb_key, tdb_data;
+
+	memset(msg, 0, sizeof(*msg));
+
+	/* form the key */
+	tdb_key = ltdb_key(module, dn);
+	if (!tdb_key.dptr) {
+		return -1;
+	}
+
+	tdb_data = tdb_fetch(ltdb->tdb, tdb_key);
+	talloc_free(tdb_key.dptr);
+	if (!tdb_data.dptr) {
+		return 0;
+	}
+
+	msg->num_elements = 0;
+	msg->elements = NULL;
+
+	ret = ltdb_unpack_data(module, &tdb_data, msg);
+	free(tdb_data.dptr);
+	if (ret == -1) {
+		return -1;		
+	}
+
+	if (!msg->dn) {
+		msg->dn = ldb_dn_copy(msg, dn);
+	}
+	if (!msg->dn) {
+		return -1;
+	}
+
+	return 1;
+}
+
+/*
+  lock the database for read - use by ltdb_search
+*/
+static int ltdb_lock_read(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	return tdb_lockall_read(ltdb->tdb);
+}
+
+/*
+  unlock the database after a ltdb_lock_read()
+*/
+static int ltdb_unlock_read(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		(struct ltdb_private *)module->private_data;
+	return tdb_unlockall_read(ltdb->tdb);
+}
+
+/*
+  add a set of attributes from a record to a set of results
+  return 0 on success, -1 on failure
+*/
+int ltdb_add_attr_results(struct ldb_module *module, 
+			  TALLOC_CTX *mem_ctx, 
+			  struct ldb_message *msg,
+			  const char * const attrs[], 
+			  unsigned int *count, 
+			  struct ldb_message ***res)
+{
+	struct ldb_message *msg2;
+	struct ldb_message **res2;
+
+	/* pull the attributes that the user wants */
+	msg2 = ltdb_pull_attrs(module, mem_ctx, msg, attrs);
+	if (!msg2) {
+		return -1;
+	}
+
+	/* add to the results list */
+	res2 = talloc_realloc(mem_ctx, *res, struct ldb_message *, (*count)+2);
+	if (!res2) {
+		talloc_free(msg2);
+		return -1;
+	}
+
+	(*res) = res2;
+
+	(*res)[*count] = talloc_move(*res, &msg2);
+	(*res)[(*count)+1] = NULL;
+	(*count)++;
+
+	return 0;
+}
+
+
+
+/*
+  filter the specified list of attributes from a message
+  removing not requested attrs.
+ */
+int ltdb_filter_attrs(struct ldb_message *msg, const char * const *attrs)
+{
+	int i, keep_all = 0;
+
+	if (attrs) {
+		/* check for special attrs */
+		for (i = 0; attrs[i]; i++) {
+			if (strcmp(attrs[i], "*") == 0) {
+				keep_all = 1;
+				break;
+			}
+
+			if (ldb_attr_cmp(attrs[i], "distinguishedName") == 0) {
+				if (msg_add_distinguished_name(msg) != 0) {
+					return -1;
+				}
+			}
+		}
+	} else {
+		keep_all = 1;
+	}
+	
+	if (keep_all) {
+		if (msg_add_distinguished_name(msg) != 0) {
+			return -1;
+		}
+		return 0;
+	}
+
+	for (i = 0; i < msg->num_elements; i++) {
+		int j, found;
+		
+		for (j = 0, found = 0; attrs[j]; j++) {
+			if (ldb_attr_cmp(msg->elements[i].name, attrs[j]) == 0) {
+				found = 1;
+				break;
+			}
+		}
+
+		if (!found) {
+			ldb_msg_remove_attr(msg, msg->elements[i].name);
+			i--;
+		}
+	}
+
+	return 0;
+}
+
+/*
+  search function for a non-indexed search
+ */
+static int search_func(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, void *state)
+{
+	struct ldb_handle *handle = talloc_get_type(state, struct ldb_handle);
+	struct ltdb_context *ac = talloc_get_type(handle->private_data, struct ltdb_context);
+	struct ldb_reply *ares = NULL;
+	int ret;
+
+	if (key.dsize < 4 || 
+	    strncmp((char *)key.dptr, "DN=", 3) != 0) {
+		return 0;
+	}
+
+	ares = talloc_zero(ac, struct ldb_reply);
+	if (!ares) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		handle->state = LDB_ASYNC_DONE;
+		return -1;
+	}
+
+	ares->message = ldb_msg_new(ares);
+	if (!ares->message) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		handle->state = LDB_ASYNC_DONE;
+		talloc_free(ares);
+		return -1;
+	}
+
+	/* unpack the record */
+	ret = ltdb_unpack_data(ac->module, &data, ares->message);
+	if (ret == -1) {
+		talloc_free(ares);
+		return -1;
+	}
+
+	if (!ares->message->dn) {
+		ares->message->dn = ldb_dn_explode(ares->message, (char *)key.dptr + 3);
+		if (ares->message->dn == NULL) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			handle->state = LDB_ASYNC_DONE;
+			talloc_free(ares);
+			return -1;
+		}
+	}
+
+	/* see if it matches the given expression */
+	if (!ldb_match_msg(ac->module->ldb, ares->message, ac->tree, 
+			       ac->base, ac->scope)) {
+		talloc_free(ares);
+		return 0;
+	}
+
+	/* filter the attributes that the user wants */
+	ret = ltdb_filter_attrs(ares->message, ac->attrs);
+
+	if (ret == -1) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		handle->state = LDB_ASYNC_DONE;
+		talloc_free(ares);
+		return -1;
+	}
+
+	ares->type = LDB_REPLY_ENTRY;
+        handle->state = LDB_ASYNC_PENDING;
+	handle->status = ac->callback(ac->module->ldb, ac->context, ares);
+
+	if (handle->status != LDB_SUCCESS) {
+		/* don't try to free ares here, the callback is in charge of that */
+		return -1;
+	}	
+
+	return 0;
+}
+
+
+/*
+  search the database with a LDAP-like expression.
+  this is the "full search" non-indexed variant
+*/
+static int ltdb_search_full(struct ldb_handle *handle)
+{
+	struct ltdb_context *ac = talloc_get_type(handle->private_data, struct ltdb_context);
+	struct ltdb_private *ltdb = talloc_get_type(ac->module->private_data, struct ltdb_private);
+	int ret;
+
+	ret = tdb_traverse_read(ltdb->tdb, search_func, handle);
+
+	if (ret == -1) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	handle->state = LDB_ASYNC_DONE;
+	return LDB_SUCCESS;
+}
+
+/*
+  search the database with a LDAP-like expression.
+  choses a search method
+*/
+int ltdb_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ltdb_private *ltdb = talloc_get_type(module->private_data, struct ltdb_private);
+	struct ltdb_context *ltdb_ac;
+	struct ldb_reply *ares;
+	int ret;
+
+	if ((req->op.search.base == NULL || ldb_dn_get_comp_num(req->op.search.base) == 0) &&
+	    (req->op.search.scope == LDB_SCOPE_BASE || req->op.search.scope == LDB_SCOPE_ONELEVEL))
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	if (ltdb_lock_read(module) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (ltdb_cache_load(module) != 0) {
+		ltdb_unlock_read(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (req->op.search.tree == NULL) {
+		ltdb_unlock_read(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->handle = init_ltdb_handle(ltdb, module, req);
+	if (req->handle == NULL) {
+		ltdb_unlock_read(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ltdb_ac = talloc_get_type(req->handle->private_data, struct ltdb_context);
+
+	ltdb_ac->tree = req->op.search.tree;
+	ltdb_ac->scope = req->op.search.scope;
+	ltdb_ac->base = req->op.search.base;
+	ltdb_ac->attrs = req->op.search.attrs;
+
+	ret = ltdb_search_indexed(req->handle);
+	if (ret == -1) {
+		ret = ltdb_search_full(req->handle);
+	}
+	if (ret != LDB_SUCCESS) {
+		ldb_set_errstring(module->ldb, "Indexed and full searches both failed!\n");
+		req->handle->state = LDB_ASYNC_DONE;
+		req->handle->status = ret;
+	}
+
+	/* Finally send an LDB_REPLY_DONE packet when searching is finished */
+
+	ares = talloc_zero(req, struct ldb_reply);
+	if (!ares) {
+		ltdb_unlock_read(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->handle->state = LDB_ASYNC_DONE;
+	ares->type = LDB_REPLY_DONE;
+
+	ret = req->callback(module->ldb, req->context, ares);
+	req->handle->status = ret;
+
+	ltdb_unlock_read(module);
+
+	return LDB_SUCCESS;
+}
+
diff --git a/source3/lib/ldb/ldb_tdb/ldb_tdb.c b/source3/lib/ldb/ldb_tdb/ldb_tdb.c
new file mode 100644
index 0000000000..27cc0c69c6
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -0,0 +1,1084 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+   Copyright (C) Stefan Metzmacher  2004
+   Copyright (C) Simo Sorce       2006
+   
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb_tdb
+ *
+ *  Component: ldb tdb backend
+ *
+ *  Description: core functions for tdb backend
+ *
+ *  Author: Andrew Tridgell
+ *  Author: Stefan Metzmacher
+ *
+ *  Modifications:
+ *
+ *  - description: make the module use asyncronous calls
+ *    date: Feb 2006
+ *    Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+int ltdb_check_special_dn(struct ldb_module *module, const struct ldb_message *msg);
+
+/*
+  map a tdb error code to a ldb error code
+*/
+static int ltdb_err_map(enum TDB_ERROR tdb_code)
+{
+	switch (tdb_code) {
+	case TDB_SUCCESS:
+		return LDB_SUCCESS;
+	case TDB_ERR_CORRUPT:
+	case TDB_ERR_OOM:
+	case TDB_ERR_EINVAL:
+		return LDB_ERR_OPERATIONS_ERROR;
+	case TDB_ERR_IO:
+		return LDB_ERR_PROTOCOL_ERROR;
+	case TDB_ERR_LOCK:
+	case TDB_ERR_NOLOCK:
+		return LDB_ERR_BUSY;
+	case TDB_ERR_LOCK_TIMEOUT:
+		return LDB_ERR_TIME_LIMIT_EXCEEDED;
+	case TDB_ERR_EXISTS:
+		return LDB_ERR_ENTRY_ALREADY_EXISTS;
+	case TDB_ERR_NOEXIST:
+		return LDB_ERR_NO_SUCH_OBJECT;
+	case TDB_ERR_RDONLY:
+		return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+	}
+	return LDB_ERR_OTHER;
+}
+
+
+struct ldb_handle *init_ltdb_handle(struct ltdb_private *ltdb, struct ldb_module *module,
+				    struct ldb_request *req)
+{
+	struct ltdb_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(req, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct ltdb_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->context = req->context;
+	ac->callback = req->callback;
+
+	return h;
+}
+
+/*
+  form a TDB_DATA for a record key
+  caller frees
+
+  note that the key for a record can depend on whether the 
+  dn refers to a case sensitive index record or not
+*/
+struct TDB_DATA ltdb_key(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	struct ldb_context *ldb = module->ldb;
+	TDB_DATA key;
+	char *key_str = NULL;
+	char *dn_folded = NULL;
+
+	/*
+	  most DNs are case insensitive. The exception is index DNs for
+	  case sensitive attributes
+
+	  there are 3 cases dealt with in this code:
+
+	  1) if the dn doesn't start with @ then uppercase the attribute
+             names and the attributes values of case insensitive attributes
+	  2) if the dn starts with @ then leave it alone - the indexing code handles
+	     the rest
+	*/
+
+	dn_folded = ldb_dn_linearize_casefold(ldb, ldb, dn);
+	if (!dn_folded) {
+		goto failed;
+	}
+
+	key_str = talloc_asprintf(ldb, "DN=%s", dn_folded);
+
+	talloc_free(dn_folded);
+
+	if (!key_str) {
+		goto failed;
+	}
+
+	key.dptr = (uint8_t *)key_str;
+	key.dsize = strlen(key_str) + 1;
+
+	return key;
+
+failed:
+	errno = ENOMEM;
+	key.dptr = NULL;
+	key.dsize = 0;
+	return key;
+}
+
+/*
+  check special dn's have valid attributes
+  currently only @ATTRIBUTES is checked
+*/
+int ltdb_check_special_dn(struct ldb_module *module, const struct ldb_message *msg)
+{
+	int i, j;
+ 
+	if (! ldb_dn_is_special(msg->dn) ||
+	    ! ldb_dn_check_special(msg->dn, LTDB_ATTRIBUTES)) {
+		return 0;
+	}
+
+	/* we have @ATTRIBUTES, let's check attributes are fine */
+	/* should we check that we deny multivalued attributes ? */
+	for (i = 0; i < msg->num_elements; i++) {
+		for (j = 0; j < msg->elements[i].num_values; j++) {
+			if (ltdb_check_at_attributes_values(&msg->elements[i].values[j]) != 0) {
+				ldb_set_errstring(module->ldb, "Invalid attribute value in an @ATTRIBUTES entry");
+				return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
+			}
+		}
+	}
+
+	return 0;
+}
+
+
+/*
+  we've made a modification to a dn - possibly reindex and 
+  update sequence number
+*/
+static int ltdb_modified(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	int ret = 0;
+
+	if (ldb_dn_is_special(dn) &&
+	    (ldb_dn_check_special(dn, LTDB_INDEXLIST) ||
+	     ldb_dn_check_special(dn, LTDB_ATTRIBUTES)) ) {
+		ret = ltdb_reindex(module);
+	}
+
+	if (ret == 0 &&
+	    !(ldb_dn_is_special(dn) &&
+	      ldb_dn_check_special(dn, LTDB_BASEINFO)) ) {
+		ret = ltdb_increase_sequence_number(module);
+	}
+
+	return ret;
+}
+
+/*
+  store a record into the db
+*/
+int ltdb_store(struct ldb_module *module, const struct ldb_message *msg, int flgs)
+{
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+	TDB_DATA tdb_key, tdb_data;
+	int ret;
+
+	tdb_key = ltdb_key(module, msg->dn);
+	if (!tdb_key.dptr) {
+		return LDB_ERR_OTHER;
+	}
+
+	ret = ltdb_pack_data(module, msg, &tdb_data);
+	if (ret == -1) {
+		talloc_free(tdb_key.dptr);
+		return LDB_ERR_OTHER;
+	}
+
+	ret = tdb_store(ltdb->tdb, tdb_key, tdb_data, flgs);
+	if (ret == -1) {
+		ret = ltdb_err_map(tdb_error(ltdb->tdb));
+		goto done;
+	}
+	
+	ret = ltdb_index_add(module, msg);
+	if (ret == -1) {
+		tdb_delete(ltdb->tdb, tdb_key);
+	}
+
+done:
+	talloc_free(tdb_key.dptr);
+	talloc_free(tdb_data.dptr);
+
+	return ret;
+}
+
+
+static int ltdb_add_internal(struct ldb_module *module, const struct ldb_message *msg)
+{
+	int ret;
+	
+	ret = ltdb_check_special_dn(module, msg);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+	
+	if (ltdb_cache_load(module) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ltdb_store(module, msg, TDB_INSERT);
+
+	if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
+		char *dn;
+
+		dn = ldb_dn_linearize(module, msg->dn);
+		if (!dn) {
+			return ret;
+		}
+		ldb_asprintf_errstring(module->ldb, "Entry %s already exists", dn);
+		talloc_free(dn);
+		return ret;
+	}
+	
+	if (ret == LDB_SUCCESS) {
+		ret = ltdb_modified(module, msg->dn);
+		if (ret != LDB_SUCCESS) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+	}
+
+	return ret;
+}
+
+/*
+  add a record to the database
+*/
+static int ltdb_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ltdb_private *ltdb = talloc_get_type(module->private_data, struct ltdb_private);
+	struct ltdb_context *ltdb_ac;
+	int tret, ret = LDB_SUCCESS;
+
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls should not reach the ldb_tdb backend!\n");
+		if (check_critical_controls(req->controls)) {
+			return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+		}
+	}
+	
+	req->handle = init_ltdb_handle(ltdb, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ltdb_ac = talloc_get_type(req->handle->private_data, struct ltdb_context);
+
+	tret = ltdb_add_internal(module, req->op.add.message);
+	if (tret != LDB_SUCCESS) {
+		req->handle->status = tret;
+		goto done;
+	}
+	
+	if (ltdb_ac->callback) {
+		ret = ltdb_ac->callback(module->ldb, ltdb_ac->context, NULL);
+	}
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/*
+  delete a record from the database, not updating indexes (used for deleting
+  index records)
+*/
+int ltdb_delete_noindex(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+	TDB_DATA tdb_key;
+	int ret;
+
+	tdb_key = ltdb_key(module, dn);
+	if (!tdb_key.dptr) {
+		return LDB_ERR_OTHER;
+	}
+
+	ret = tdb_delete(ltdb->tdb, tdb_key);
+	talloc_free(tdb_key.dptr);
+
+	if (ret != 0) {
+		ret = ltdb_err_map(tdb_error(ltdb->tdb));
+	}
+
+	return ret;
+}
+
+static int ltdb_delete_internal(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	struct ldb_message *msg;
+	int ret;
+
+	msg = talloc(module, struct ldb_message);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* in case any attribute of the message was indexed, we need
+	   to fetch the old record */
+	ret = ltdb_search_dn1(module, dn, msg);
+	if (ret != 1) {
+		/* not finding the old record is an error */
+		talloc_free(msg);
+		return LDB_ERR_NO_SUCH_OBJECT;
+	}
+
+	ret = ltdb_delete_noindex(module, dn);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		return LDB_ERR_NO_SUCH_OBJECT;
+	}
+
+	/* remove any indexed attributes */
+	ret = ltdb_index_del(module, msg);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ltdb_modified(module, dn);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(msg);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	talloc_free(msg);
+	return LDB_SUCCESS;
+}
+
+/*
+  delete a record from the database
+*/
+static int ltdb_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ltdb_private *ltdb = talloc_get_type(module->private_data, struct ltdb_private);
+	struct ltdb_context *ltdb_ac;
+	int tret, ret = LDB_SUCCESS;
+
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls should not reach the ldb_tdb backend!\n");
+		if (check_critical_controls(req->controls)) {
+			return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+		}
+	}
+	
+	req->handle = NULL;
+
+	if (ltdb_cache_load(module) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->handle = init_ltdb_handle(ltdb, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ltdb_ac = talloc_get_type(req->handle->private_data, struct ltdb_context);
+
+	tret = ltdb_delete_internal(module, req->op.del.dn);
+	if (tret != LDB_SUCCESS) {
+		req->handle->status = tret; 
+		goto done;
+	}
+
+	if (ltdb_ac->callback) {
+		ret = ltdb_ac->callback(module->ldb, ltdb_ac->context, NULL);
+	}
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/*
+  find an element by attribute name. At the moment this does a linear search, it should
+  be re-coded to use a binary search once all places that modify records guarantee
+  sorted order
+
+  return the index of the first matching element if found, otherwise -1
+*/
+static int find_element(const struct ldb_message *msg, const char *name)
+{
+	unsigned int i;
+	for (i=0;i<msg->num_elements;i++) {
+		if (ldb_attr_cmp(msg->elements[i].name, name) == 0) {
+			return i;
+		}
+	}
+	return -1;
+}
+
+
+/*
+  add an element to an existing record. Assumes a elements array that we
+  can call re-alloc on, and assumed that we can re-use the data pointers from the 
+  passed in additional values. Use with care!
+
+  returns 0 on success, -1 on failure (and sets errno)
+*/
+static int msg_add_element(struct ldb_context *ldb,
+			   struct ldb_message *msg, struct ldb_message_element *el)
+{
+	struct ldb_message_element *e2;
+	unsigned int i;
+
+	e2 = talloc_realloc(msg, msg->elements, struct ldb_message_element, 
+			      msg->num_elements+1);
+	if (!e2) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	msg->elements = e2;
+
+	e2 = &msg->elements[msg->num_elements];
+
+	e2->name = el->name;
+	e2->flags = el->flags;
+	e2->values = NULL;
+	if (el->num_values != 0) {
+		e2->values = talloc_array(msg->elements, struct ldb_val, el->num_values);
+		if (!e2->values) {
+			errno = ENOMEM;
+			return -1;
+		}
+	}
+	for (i=0;i<el->num_values;i++) {
+		e2->values[i] = el->values[i];
+	}
+	e2->num_values = el->num_values;
+
+	msg->num_elements++;
+
+	return 0;
+}
+
+/*
+  delete all elements having a specified attribute name
+*/
+static int msg_delete_attribute(struct ldb_module *module,
+				struct ldb_context *ldb,
+				struct ldb_message *msg, const char *name)
+{
+	char *dn;
+	unsigned int i, j;
+
+	dn = ldb_dn_linearize(ldb, msg->dn);
+	if (dn == NULL) {
+		return -1;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		if (ldb_attr_cmp(msg->elements[i].name, name) == 0) {
+			for (j=0;j<msg->elements[i].num_values;j++) {
+				ltdb_index_del_value(module, dn, &msg->elements[i], j);
+			}
+			talloc_free(msg->elements[i].values);
+			if (msg->num_elements > (i+1)) {
+				memmove(&msg->elements[i], 
+					&msg->elements[i+1], 
+					sizeof(struct ldb_message_element)*
+					(msg->num_elements - (i+1)));
+			}
+			msg->num_elements--;
+			i--;
+			msg->elements = talloc_realloc(msg, msg->elements, 
+							 struct ldb_message_element, 
+							 msg->num_elements);
+		}
+	}
+
+	talloc_free(dn);
+	return 0;
+}
+
+/*
+  delete all elements matching an attribute name/value 
+
+  return 0 on success, -1 on failure
+*/
+static int msg_delete_element(struct ldb_module *module,
+			      struct ldb_message *msg, 
+			      const char *name,
+			      const struct ldb_val *val)
+{
+	struct ldb_context *ldb = module->ldb;
+	unsigned int i;
+	int found;
+	struct ldb_message_element *el;
+	const struct ldb_attrib_handler *h;
+
+	found = find_element(msg, name);
+	if (found == -1) {
+		return -1;
+	}
+
+	el = &msg->elements[found];
+
+	h = ldb_attrib_handler(ldb, el->name);
+
+	for (i=0;i<el->num_values;i++) {
+		if (h->comparison_fn(ldb, ldb, &el->values[i], val) == 0) {
+			if (i<el->num_values-1) {
+				memmove(&el->values[i], &el->values[i+1],
+					sizeof(el->values[i])*(el->num_values-(i+1)));
+			}
+			el->num_values--;
+			if (el->num_values == 0) {
+				return msg_delete_attribute(module, ldb, msg, name);
+			}
+			return 0;
+		}
+	}
+
+	return -1;
+}
+
+
+/*
+  modify a record - internal interface
+
+  yuck - this is O(n^2). Luckily n is usually small so we probably
+  get away with it, but if we ever have really large attribute lists 
+  then we'll need to look at this again
+*/
+int ltdb_modify_internal(struct ldb_module *module, const struct ldb_message *msg)
+{
+	struct ldb_context *ldb = module->ldb;
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+	TDB_DATA tdb_key, tdb_data;
+	struct ldb_message *msg2;
+	unsigned i, j;
+	int ret;
+
+	tdb_key = ltdb_key(module, msg->dn);
+	if (!tdb_key.dptr) {
+		return LDB_ERR_OTHER;
+	}
+
+	tdb_data = tdb_fetch(ltdb->tdb, tdb_key);
+	if (!tdb_data.dptr) {
+		talloc_free(tdb_key.dptr);
+		return ltdb_err_map(tdb_error(ltdb->tdb));
+	}
+
+	msg2 = talloc(tdb_key.dptr, struct ldb_message);
+	if (msg2 == NULL) {
+		talloc_free(tdb_key.dptr);
+		return LDB_ERR_OTHER;
+	}
+
+	ret = ltdb_unpack_data(module, &tdb_data, msg2);
+	if (ret == -1) {
+		ret = LDB_ERR_OTHER;
+		goto failed;
+	}
+
+	if (!msg2->dn) {
+		msg2->dn = msg->dn;
+	}
+
+	for (i=0;i<msg->num_elements;i++) {
+		struct ldb_message_element *el = &msg->elements[i];
+		struct ldb_message_element *el2;
+		struct ldb_val *vals;
+		char *dn;
+
+		switch (msg->elements[i].flags & LDB_FLAG_MOD_MASK) {
+
+		case LDB_FLAG_MOD_ADD:
+			/* add this element to the message. fail if it
+			   already exists */
+			ret = find_element(msg2, el->name);
+
+			if (ret == -1) {
+				if (msg_add_element(ldb, msg2, el) != 0) {
+					ret = LDB_ERR_OTHER;
+					goto failed;
+				}
+				continue;
+			}
+
+			el2 = &msg2->elements[ret];
+
+			/* An attribute with this name already exists, add all
+			 * values if they don't already exist. */
+
+			for (j=0;j<el->num_values;j++) {
+				if (ldb_msg_find_val(el2, &el->values[j])) {
+					ldb_set_errstring(module->ldb, "Type or value exists");
+					ret = LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+					goto failed;
+				}
+			}
+
+		        vals = talloc_realloc(msg2->elements, el2->values, struct ldb_val,
+						el2->num_values + el->num_values);
+
+			if (vals == NULL) {
+				ret = LDB_ERR_OTHER;
+				goto failed;
+			}
+
+			for (j=0;j<el->num_values;j++) {
+				vals[el2->num_values + j] =
+					ldb_val_dup(vals, &el->values[j]);
+			}
+
+			el2->values = vals;
+			el2->num_values += el->num_values;
+
+			break;
+
+		case LDB_FLAG_MOD_REPLACE:
+			/* replace all elements of this attribute name with the elements
+			   listed. The attribute not existing is not an error */
+			msg_delete_attribute(module, ldb, msg2, msg->elements[i].name);
+
+			/* add the replacement element, if not empty */
+			if (msg->elements[i].num_values != 0 &&
+			    msg_add_element(ldb, msg2, &msg->elements[i]) != 0) {
+				ret = LDB_ERR_OTHER;
+				goto failed;
+			}
+			break;
+
+		case LDB_FLAG_MOD_DELETE:
+
+			dn = ldb_dn_linearize(msg2, msg->dn);
+			if (dn == NULL) {
+				ret = LDB_ERR_OTHER;
+				goto failed;
+			}
+
+			/* we could be being asked to delete all
+			   values or just some values */
+			if (msg->elements[i].num_values == 0) {
+				if (msg_delete_attribute(module, ldb, msg2, 
+							 msg->elements[i].name) != 0) {
+					ldb_asprintf_errstring(module->ldb, "No such attribute: %s for delete on %s", msg->elements[i].name, dn);
+					ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
+					goto failed;
+				}
+				break;
+			}
+			for (j=0;j<msg->elements[i].num_values;j++) {
+				if (msg_delete_element(module,
+						       msg2, 
+						       msg->elements[i].name,
+						       &msg->elements[i].values[j]) != 0) {
+					ldb_asprintf_errstring(module->ldb, "No matching attribute value when deleting attribute: %s on %s", msg->elements[i].name, dn);
+					ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
+					goto failed;
+				}
+				if (ltdb_index_del_value(module, dn, &msg->elements[i], j) != 0) {
+					ret = LDB_ERR_OTHER;
+					goto failed;
+				}
+			}
+			break;
+		default:
+			ldb_asprintf_errstring(module->ldb, "Invalid ldb_modify flags on %s: 0x%x", 
+							     msg->elements[i].name, 
+							     msg->elements[i].flags & LDB_FLAG_MOD_MASK);
+			ret = LDB_ERR_PROTOCOL_ERROR;
+			goto failed;
+		}
+	}
+
+	/* we've made all the mods - save the modified record back into the database */
+	ret = ltdb_store(module, msg2, TDB_MODIFY);
+	if (ret != LDB_SUCCESS) {
+		goto failed;
+	}
+
+	if (ltdb_modified(module, msg->dn) != LDB_SUCCESS) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto failed;
+	}
+
+	talloc_free(tdb_key.dptr);
+	free(tdb_data.dptr);
+	return ret;
+
+failed:
+	talloc_free(tdb_key.dptr);
+	free(tdb_data.dptr);
+	return ret;
+}
+
+/*
+  modify a record
+*/
+static int ltdb_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ltdb_private *ltdb = talloc_get_type(module->private_data, struct ltdb_private);
+	struct ltdb_context *ltdb_ac;
+	int tret, ret = LDB_SUCCESS;
+
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls should not reach the ldb_tdb backend!\n");
+		if (check_critical_controls(req->controls)) {
+			return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+		}
+	}
+	
+	req->handle = NULL;
+
+	req->handle = init_ltdb_handle(ltdb, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ltdb_ac = talloc_get_type(req->handle->private_data, struct ltdb_context);
+
+	tret = ltdb_check_special_dn(module, req->op.mod.message);
+	if (tret != LDB_SUCCESS) {
+		req->handle->status = tret;
+		goto done;
+	}
+	
+	if (ltdb_cache_load(module) != 0) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	tret = ltdb_modify_internal(module, req->op.mod.message);
+	if (tret != LDB_SUCCESS) {
+		req->handle->status = tret;
+		goto done;
+	}
+
+	if (ltdb_ac->callback) {
+		ret = ltdb_ac->callback(module->ldb, ltdb_ac->context, NULL);
+	}
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/*
+  rename a record
+*/
+static int ltdb_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ltdb_private *ltdb = talloc_get_type(module->private_data, struct ltdb_private);
+	struct ltdb_context *ltdb_ac;
+	struct ldb_message *msg;
+	int tret, ret = LDB_SUCCESS;
+
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls should not reach the ldb_tdb backend!\n");
+		if (check_critical_controls(req->controls)) {
+			return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+		}
+	}
+	
+	req->handle = NULL;
+
+	if (ltdb_cache_load(module) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->handle = init_ltdb_handle(ltdb, module, req);
+	if (req->handle == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ltdb_ac = talloc_get_type(req->handle->private_data, struct ltdb_context);
+
+	msg = talloc(ltdb_ac, struct ldb_message);
+	if (msg == NULL) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	/* in case any attribute of the message was indexed, we need
+	   to fetch the old record */
+	tret = ltdb_search_dn1(module, req->op.rename.olddn, msg);
+	if (tret != 1) {
+		/* not finding the old record is an error */
+		req->handle->status = LDB_ERR_NO_SUCH_OBJECT;
+		goto done;
+	}
+
+	msg->dn = ldb_dn_copy(msg, req->op.rename.newdn);
+	if (!msg->dn) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	tret = ltdb_add_internal(module, msg);
+	if (tret != LDB_SUCCESS) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	tret = ltdb_delete_internal(module, req->op.rename.olddn);
+	if (tret != LDB_SUCCESS) {
+		ltdb_delete_internal(module, req->op.rename.newdn);
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if (ltdb_ac->callback) {
+		ret = ltdb_ac->callback(module->ldb, ltdb_ac->context, NULL);
+	}
+done:
+	req->handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int ltdb_start_trans(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+
+	if (tdb_transaction_start(ltdb->tdb) != 0) {
+		return ltdb_err_map(tdb_error(ltdb->tdb));
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ltdb_end_trans(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+
+	if (tdb_transaction_commit(ltdb->tdb) != 0) {
+		return ltdb_err_map(tdb_error(ltdb->tdb));
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ltdb_del_trans(struct ldb_module *module)
+{
+	struct ltdb_private *ltdb =
+		talloc_get_type(module->private_data, struct ltdb_private);
+
+	if (tdb_transaction_cancel(ltdb->tdb) != 0) {
+		return ltdb_err_map(tdb_error(ltdb->tdb));
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ltdb_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	return handle->status;
+}
+
+static int ltdb_request(struct ldb_module *module, struct ldb_request *req)
+{
+	/* check for oustanding critical controls and return an error if found */
+	if (req->controls != NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "Controls should not reach the ldb_tdb backend!\n");
+		if (check_critical_controls(req->controls)) {
+			return LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+		}
+	}
+	
+	/* search, add, modify, delete, rename are handled by their own, no other op supported */
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/*
+  return sequenceNumber from @BASEINFO
+*/
+static int ltdb_sequence_number(struct ldb_module *module, struct ldb_request *req)
+{
+	TALLOC_CTX *tmp_ctx = talloc_new(req);
+	struct ldb_message *msg = NULL;
+	struct ldb_dn *dn = ldb_dn_explode(tmp_ctx, LTDB_BASEINFO);
+	int tret;
+
+	if (tmp_ctx == NULL) {
+		talloc_free(tmp_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg = talloc(tmp_ctx, struct ldb_message);
+	if (msg == NULL) {
+		talloc_free(tmp_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->op.seq_num.flags = 0;
+
+	tret = ltdb_search_dn1(module, dn, msg);
+	if (tret != 1) {
+		talloc_free(tmp_ctx);
+		req->op.seq_num.seq_num = 0;
+		/* zero is as good as anything when we don't know */
+		return LDB_SUCCESS;
+	}
+
+	switch (req->op.seq_num.type) {
+	case LDB_SEQ_HIGHEST_SEQ:
+		req->op.seq_num.seq_num = ldb_msg_find_attr_as_uint64(msg, LTDB_SEQUENCE_NUMBER, 0);
+		break;
+	case LDB_SEQ_NEXT:
+		req->op.seq_num.seq_num = ldb_msg_find_attr_as_uint64(msg, LTDB_SEQUENCE_NUMBER, 0);
+		req->op.seq_num.seq_num++;
+		break;
+	case LDB_SEQ_HIGHEST_TIMESTAMP:
+	{
+		const char *date = ldb_msg_find_attr_as_string(msg, LTDB_MOD_TIMESTAMP, NULL);
+		if (date) {
+			req->op.seq_num.seq_num = ldb_string_to_time(date);
+		} else {
+			req->op.seq_num.seq_num = 0;
+			/* zero is as good as anything when we don't know */
+		}
+		break;
+	}
+	}
+	talloc_free(tmp_ctx);
+	return LDB_SUCCESS;
+}
+
+static const struct ldb_module_ops ltdb_ops = {
+	.name              = "tdb",
+	.search            = ltdb_search,
+	.add               = ltdb_add,
+	.modify            = ltdb_modify,
+	.del               = ltdb_delete,
+	.rename            = ltdb_rename,
+	.request           = ltdb_request,
+	.start_transaction = ltdb_start_trans,
+	.end_transaction   = ltdb_end_trans,
+	.del_transaction   = ltdb_del_trans,
+	.wait              = ltdb_wait,
+	.sequence_number   = ltdb_sequence_number
+};
+
+/*
+  connect to the database
+*/
+static int ltdb_connect(struct ldb_context *ldb, const char *url, 
+			unsigned int flags, const char *options[],
+			struct ldb_module **module)
+{
+	const char *path;
+	int tdb_flags, open_flags;
+	struct ltdb_private *ltdb;
+
+	/* parse the url */
+	if (strchr(url, ':')) {
+		if (strncmp(url, "tdb://", 6) != 0) {
+			ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid tdb URL '%s'", url);
+			return -1;
+		}
+		path = url+6;
+	} else {
+		path = url;
+	}
+
+	tdb_flags = TDB_DEFAULT | TDB_SEQNUM;
+
+	/* check for the 'nosync' option */
+	if (flags & LDB_FLG_NOSYNC) {
+		tdb_flags |= TDB_NOSYNC;
+	}
+
+	/* and nommap option */
+	if (flags & LDB_FLG_NOMMAP) {
+		tdb_flags |= TDB_NOMMAP;
+	}
+
+	if (flags & LDB_FLG_RDONLY) {
+		open_flags = O_RDONLY;
+	} else {
+		open_flags = O_CREAT | O_RDWR;
+	}
+
+	ltdb = talloc_zero(ldb, struct ltdb_private);
+	if (!ltdb) {
+		ldb_oom(ldb);
+		return -1;
+	}
+
+	/* note that we use quite a large default hash size */
+	ltdb->tdb = ltdb_wrap_open(ltdb, path, 10000, 
+				   tdb_flags, open_flags, 
+				   ldb->create_perms, ldb);
+	if (!ltdb->tdb) {
+		ldb_debug(ldb, LDB_DEBUG_ERROR, "Unable to open tdb '%s'\n", path);
+		talloc_free(ltdb);
+		return -1;
+	}
+
+	ltdb->sequence_number = 0;
+
+	*module = talloc(ldb, struct ldb_module);
+	if ((*module) == NULL) {
+		ldb_oom(ldb);
+		talloc_free(ltdb);
+		return -1;
+	}
+	talloc_set_name_const(*module, "ldb_tdb backend");
+	(*module)->ldb = ldb;
+	(*module)->prev = (*module)->next = NULL;
+	(*module)->private_data = ltdb;
+	(*module)->ops = &ltdb_ops;
+
+	if (ltdb_cache_load(*module) != 0) {
+		talloc_free(*module);
+		talloc_free(ltdb);
+		return -1;
+	}
+
+	return 0;
+}
+
+int ldb_tdb_init(void)
+{
+	return ldb_register_backend("tdb", ltdb_connect);
+}
diff --git a/source3/lib/ldb/ldb_tdb/ldb_tdb.h b/source3/lib/ldb/ldb_tdb/ldb_tdb.h
new file mode 100644
index 0000000000..42f3dc2421
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_tdb.h
@@ -0,0 +1,129 @@
+
+#ifdef _SAMBA_BUILD_
+#include "system/filesys.h"
+#endif
+
+#if (_SAMBA_BUILD_ >= 4)
+#include "lib/tdb/include/tdb.h"
+#elif defined(_SAMBA_BUILD_)
+#include "tdb/include/tdb.h"
+#else
+#include "tdb.h"
+#endif
+
+/* this private structure is used by the ltdb backend in the
+   ldb_context */
+struct ltdb_private {
+	TDB_CONTEXT *tdb;
+	unsigned int connect_flags;
+	
+	/* a double is used for portability and ease of string
+	   handling. It has plenty of digits of precision */
+	unsigned long long sequence_number;
+
+	/* the low level tdb seqnum - used to avoid loading BASEINFO when
+	   possible */
+	int tdb_seqnum;
+
+	struct ltdb_cache {
+		struct ldb_message *indexlist;
+		struct ldb_message *attributes;
+		struct ldb_message *subclasses;
+
+		struct {
+			char *name;
+			int flags;
+		} last_attribute;
+	} *cache;
+};
+
+/*
+  the async local context
+  holds also internal search state during a full db search
+*/
+struct ltdb_context {
+	struct ldb_module *module;
+
+	/* search stuff */
+	const struct ldb_parse_tree *tree;
+	const struct ldb_dn *base;
+	enum ldb_scope scope;
+	const char * const *attrs;
+
+	/* async stuff */
+	void *context;
+	int (*callback)(struct ldb_context *, void *, struct ldb_reply *);
+};
+
+/* special record types */
+#define LTDB_INDEX      "@INDEX"
+#define LTDB_INDEXLIST  "@INDEXLIST"
+#define LTDB_IDX        "@IDX"
+#define LTDB_IDXATTR    "@IDXATTR"
+#define LTDB_BASEINFO   "@BASEINFO"
+#define LTDB_ATTRIBUTES "@ATTRIBUTES"
+#define LTDB_SUBCLASSES "@SUBCLASSES"
+
+/* special attribute types */
+#define LTDB_SEQUENCE_NUMBER "sequenceNumber"
+#define LTDB_MOD_TIMESTAMP "whenChanged"
+#define LTDB_OBJECTCLASS "objectClass"
+
+/* The following definitions come from lib/ldb/ldb_tdb/ldb_cache.c  */
+
+int ltdb_cache_reload(struct ldb_module *module);
+int ltdb_cache_load(struct ldb_module *module);
+int ltdb_increase_sequence_number(struct ldb_module *module);
+int ltdb_check_at_attributes_values(const struct ldb_val *value);
+
+/* The following definitions come from lib/ldb/ldb_tdb/ldb_index.c  */
+
+struct ldb_parse_tree;
+
+int ltdb_search_indexed(struct ldb_handle *handle);
+int ltdb_index_add(struct ldb_module *module, const struct ldb_message *msg);
+int ltdb_index_del(struct ldb_module *module, const struct ldb_message *msg);
+int ltdb_reindex(struct ldb_module *module);
+
+/* The following definitions come from lib/ldb/ldb_tdb/ldb_pack.c  */
+
+int ltdb_pack_data(struct ldb_module *module,
+		   const struct ldb_message *message,
+		   struct TDB_DATA *data);
+void ltdb_unpack_data_free(struct ldb_module *module,
+			   struct ldb_message *message);
+int ltdb_unpack_data(struct ldb_module *module,
+		     const struct TDB_DATA *data,
+		     struct ldb_message *message);
+
+/* The following definitions come from lib/ldb/ldb_tdb/ldb_search.c  */
+
+int ltdb_has_wildcard(struct ldb_module *module, const char *attr_name, 
+		      const struct ldb_val *val);
+void ltdb_search_dn1_free(struct ldb_module *module, struct ldb_message *msg);
+int ltdb_search_dn1(struct ldb_module *module, const struct ldb_dn *dn, struct ldb_message *msg);
+int ltdb_add_attr_results(struct ldb_module *module,
+ 			  TALLOC_CTX *mem_ctx, 
+			  struct ldb_message *msg,
+			  const char * const attrs[], 
+			  unsigned int *count, 
+			  struct ldb_message ***res);
+int ltdb_filter_attrs(struct ldb_message *msg, const char * const *attrs);
+int ltdb_search(struct ldb_module *module, struct ldb_request *req);
+
+/* The following definitions come from lib/ldb/ldb_tdb/ldb_tdb.c  */
+struct ldb_handle *init_ltdb_handle(struct ltdb_private *ltdb, struct ldb_module *module,
+				    struct ldb_request *req);
+struct TDB_DATA ltdb_key(struct ldb_module *module, const struct ldb_dn *dn);
+int ltdb_store(struct ldb_module *module, const struct ldb_message *msg, int flgs);
+int ltdb_delete_noindex(struct ldb_module *module, const struct ldb_dn *dn);
+int ltdb_modify_internal(struct ldb_module *module, const struct ldb_message *msg);
+
+int ltdb_index_del_value(struct ldb_module *module, const char *dn, 
+			 struct ldb_message_element *el, int v_idx);
+
+struct tdb_context *ltdb_wrap_open(TALLOC_CTX *mem_ctx,
+				   const char *path, int hash_size, int tdb_flags,
+				   int open_flags, mode_t mode,
+				   struct ldb_context *ldb);
+
diff --git a/source3/lib/ldb/ldb_tdb/ldb_tdb_wrap.c b/source3/lib/ldb/ldb_tdb/ldb_tdb_wrap.c
new file mode 100644
index 0000000000..2fff74d59a
--- /dev/null
+++ b/source3/lib/ldb/ldb_tdb/ldb_tdb_wrap.c
@@ -0,0 +1,154 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/ldb_tdb/ldb_tdb.h"
+
+/*
+  the purpose of this code is to work around the braindead posix locking
+  rules, to allow us to have a ldb open more than once while allowing 
+  locking to work
+*/
+
+struct ltdb_wrap {
+	struct ltdb_wrap *next, *prev;
+	struct tdb_context *tdb;
+	dev_t device;
+	ino_t inode;
+};
+
+static struct ltdb_wrap *tdb_list;
+
+/* destroy the last connection to a tdb */
+static int ltdb_wrap_destructor(struct ltdb_wrap *w)
+{
+	tdb_close(w->tdb);
+	if (w->next) {
+		w->next->prev = w->prev;
+	}
+	if (w->prev) {
+		w->prev->next = w->next;
+	}
+	if (w == tdb_list) {
+		tdb_list = w->next;
+	}
+	return 0;
+}				 
+
+static void ltdb_log_fn(struct tdb_context *tdb, enum tdb_debug_level level, const char *fmt, ...) PRINTF_ATTRIBUTE(3, 4);
+static void ltdb_log_fn(struct tdb_context *tdb, enum tdb_debug_level level, const char *fmt, ...)
+{
+	va_list ap;
+	const char *name = tdb_name(tdb);
+	struct ldb_context *ldb = talloc_get_type(tdb_get_logging_private(tdb), struct ldb_context);
+	enum ldb_debug_level ldb_level;
+	char *message; 
+	va_start(ap, fmt);
+	message = talloc_vasprintf(ldb, fmt, ap);
+	va_end(ap);
+
+	switch (level) {
+	case TDB_DEBUG_FATAL:
+		ldb_level = LDB_DEBUG_FATAL;
+		break;
+	case TDB_DEBUG_ERROR:
+		ldb_level = LDB_DEBUG_ERROR;
+		break;
+	case TDB_DEBUG_WARNING:
+		ldb_level = LDB_DEBUG_WARNING;
+		break;
+	case TDB_DEBUG_TRACE:
+		ldb_level = LDB_DEBUG_TRACE;
+		break;
+	default:
+		ldb_level = LDB_DEBUG_FATAL;
+	}
+
+	ldb_debug(ldb, ldb_level, "ltdb: tdb(%s): %s", name, message);
+	talloc_free(message);
+}
+
+/*
+  wrapped connection to a tdb database. The caller should _not_ free
+  this as it is not a talloc structure (as tdb does not use talloc
+  yet). It will auto-close when the caller frees the mem_ctx that is
+  passed to this call
+ */
+struct tdb_context *ltdb_wrap_open(TALLOC_CTX *mem_ctx,
+				   const char *path, int hash_size, 
+				   int tdb_flags,
+				   int open_flags, mode_t mode, 
+				   struct ldb_context *ldb)
+{
+	struct ltdb_wrap *w;
+	struct stat st;
+	struct tdb_logging_context log_ctx;
+
+	log_ctx.log_fn = ltdb_log_fn;
+	log_ctx.log_private = ldb;
+
+	if (stat(path, &st) == 0) {
+		for (w=tdb_list;w;w=w->next) {
+			if (st.st_dev == w->device && st.st_ino == w->inode) {
+				if (!talloc_reference(mem_ctx, w)) {
+					return NULL;
+				}
+				return w->tdb;
+			}
+		}
+	}
+
+	w = talloc(mem_ctx, struct ltdb_wrap);
+	if (w == NULL) {
+		return NULL;
+	}
+
+	w->tdb = tdb_open_ex(path, hash_size, tdb_flags, open_flags, mode, &log_ctx, NULL);
+	if (w->tdb == NULL) {
+		talloc_free(w);
+		return NULL;
+	}
+
+	if (fstat(tdb_fd(w->tdb), &st) != 0) {
+		tdb_close(w->tdb);
+		talloc_free(w);
+		return NULL;
+	}
+
+	w->device = st.st_dev;
+	w->inode  = st.st_ino;
+
+	talloc_set_destructor(w, ltdb_wrap_destructor);
+
+	w->next = tdb_list;
+	w->prev = NULL;
+	if (tdb_list) {
+		tdb_list->prev = w;
+	}
+	tdb_list = w;
+	
+	return w->tdb;
+}
+
diff --git a/source3/lib/ldb/libldb.m4 b/source3/lib/ldb/libldb.m4
new file mode 100644
index 0000000000..845563b4a1
--- /dev/null
+++ b/source3/lib/ldb/libldb.m4
@@ -0,0 +1,33 @@
+SMB_ENABLE(ldb_sqlite3,$with_sqlite3_support)
+
+AC_MSG_CHECKING([for Python])
+
+PYTHON=
+ 
+AC_ARG_WITH(python,
+[  --with-python=PYTHONNAME  build Python libraries],
+[ case "${withval-python}" in
+  yes)
+        PYTHON=python
+        ;;
+  no)
+        PYTHON=
+        ;;
+  *)
+        PYTHON=${withval-python}
+        ;;
+  esac ])
+
+if test x"$PYTHON" != "x"; then
+	incdir=`python -c 'import sys; print "%s/include/python%d.%d" % (sys.prefix, sys.version_info[[0]], sys.version_info[[1]])'`
+	CPPFLAGS="$CPPFLAGS -I $incdir"
+fi
+
+if test x"$PYTHON" != "x"; then
+	AC_MSG_RESULT([${withval-python}])
+else
+	AC_MSG_RESULT(no)
+	SMB_ENABLE(swig_ldb, NO)
+fi
+
+AC_SUBST(PYTHON)
diff --git a/source3/lib/ldb/mainpage.dox b/source3/lib/ldb/mainpage.dox
new file mode 100644
index 0000000000..bbd8d9c502
--- /dev/null
+++ b/source3/lib/ldb/mainpage.dox
@@ -0,0 +1,80 @@
+/**
+
+\mainpage ldb
+
+\section Overview
+
+ldb is a LDAP-like embedded database. It is not at all LDAP standards
+compliant, so if you want a standards compliant database then please
+see the excellent <a href="http://www.openldap.org/">OpenLDAP</a>
+project.<p>
+
+What ldb does is provide a fast database with an LDAP-like API
+designed to be used within an application. In some ways it can be seen
+as a intermediate solution between key-value pair databases and a real
+LDAP database.<p>
+
+ldb is the database engine used in Samba4.
+
+\section Features
+
+The main features that separate ldb from other solutions are:
+ - Safe multi-reader, multi-writer, using byte range locking
+ - LDAP-like API
+ - fast operation
+ - choice of local tdb, local sqlite3 or remote LDAP backends
+ - integration with <a href="http://talloc.samba.org">talloc</a>
+ - schema-less operation, for trivial setup
+ - modules for extensions (such as schema support)
+ - easy setup of indexes and attribute properties
+ - ldbedit tool for database editing (reminiscent of 'vipw')
+ - ldif for import/export
+
+\section Documentation
+
+ldb has limited programmer and administrator documentation:
+ - a list of <a href="globals_func.html">functions</a>
+ - a list of <a href="examples.html">examples</a>
+ - a list of <a href="annotated.html">data structures</a>
+ - a list of <a href="globals_defs.html">constants</a>
+
+If you need more information than is presented in this document, you
+may wish to look at the source code, especially the source code in the
+<a href="http://samba.org/ftp/unpacked/samba4/source/lib/ldb/tools/">tools directory</a>. 
+
+ldb makes use of the LDAP Data Interchange Format (LDIF), which is
+documented in <a href="http://www.ietf.org/rfc/rfc2849.txt">RFC
+2849</a>. 
+
+\section Support
+
+ldb does not currently have its own mailing list or bug tracking
+system. For now, please use the <a
+href="https://lists.samba.org/mailman/listinfo/samba-technical">samba-technical</a>
+mailing list, and the <a href="http://bugzilla.samba.org/">Samba
+bugzilla</a> bug tracking system.
+
+\section Download
+
+You can download the latest release either via rsync or anonymous
+svn. To fetch via svn use the following commands:
+
+\verbatim
+  svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0/source/lib/ldb ldb
+  svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0/source/lib/tdb tdb
+  svn co svn://svnanon.samba.org/samba/branches/SAMBA_4_0/source/lib/talloc talloc
+\endverbatim
+
+To fetch via rsync use these commands:
+
+\verbatim
+  rsync -Pavz samba.org::ftp/unpacked/samba4/source/lib/ldb .
+  rsync -Pavz samba.org::ftp/unpacked/samba4/source/lib/tdb .
+  rsync -Pavz samba.org::ftp/unpacked/samba4/source/lib/talloc .
+\endverbatim
+
+\section Credits
+
+ldb is another product of the prolific <a href="http://samba.org/~tridge/">Andrew Tridgell</a>.
+
+*/
diff --git a/source3/lib/ldb/man/ad2oLschema.1.xml b/source3/lib/ldb/man/ad2oLschema.1.xml
new file mode 100644
index 0000000000..6ae8996477
--- /dev/null
+++ b/source3/lib/ldb/man/ad2oLschema.1.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ad2oLschema.1">
+
+<refmeta>
+	<refentrytitle>ad2oLschema</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ad2oLschema</refname>
+	<refpurpose>Converts AC-like LDAP schemas to OpenLDAP
+	compatible schema files</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ad2oLschema</command>
+		<arg choice="opt">-I INPUT-FILE</arg>
+		<arg choice="opt">-O OUTPUT-FILE</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ad2oLschema is a simple tool that converts AD-like LDIF
+	schema files into OpenLDAP schema files.</para>
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-H url</term>
+		<listitem><para>URL to an LDB or LDAP server with an AD schema to read. 		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>-I input-file</term> <listitem><para>AD schema
+		to read. If neither this nor -H is specified, the
+		schema file will be read from standard input.
+		</para></listitem>
+		</varlistentry>
+
+	<varlistentry>
+		<term>-O output-file</term>
+		<listitem><para>File to write OpenLDAP version of schema to.
+		</para></listitem>
+	</varlistentry>
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbmodify, ldbdel, ldif(5)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+		ad2oLschema was written by <ulink
+		 url="http://samba.org/~abartlet/">Andrew Bartlett</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldb.3.xml b/source3/lib/ldb/man/ldb.3.xml
new file mode 100644
index 0000000000..19d9a89e10
--- /dev/null
+++ b/source3/lib/ldb/man/ldb.3.xml
@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldb.3">
+
+<refmeta>
+	<refentrytitle>ldb</refentrytitle>
+	<manvolnum>3</manvolnum>
+</refmeta>
+
+<refnamediv>
+	<refname>ldb</refname>
+	<refclass>The Samba Project</refclass>
+	<refpurpose>A light-weight database library</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<synopsis>#include &lt;ldb.h&gt;</synopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>description</title>
+
+	<para>
+ldb is a light weight embedded database library and API. With a
+programming interface that is very similar to LDAP, ldb can store its
+data either in a tdb(3) database or in a real LDAP database.
+	</para>
+
+	<para>
+When used with the tdb backend ldb does not require any database
+daemon. Instead, ldb function calls are processed immediately by the
+ldb library, which does IO directly on the database, while allowing
+multiple readers/writers using operating system byte range locks. This
+leads to an API with very low overheads, often resulting in speeds of
+more than 10x what can be achieved with a more traditional LDAP
+architecture.
+	</para>
+
+	<para>
+In a taxonomy of databases ldb would sit half way between key/value
+pair databases (such as berkley db or tdb) and a full LDAP
+database. With a structured attribute oriented API like LDAP and good
+indexing capabilities, ldb can be used for quite sophisticated
+applications that need a light weight database, without the
+administrative overhead of a full LDAP installation.
+	</para>
+
+	<para>
+Included with ldb are a number of useful command line tools for
+manipulating a ldb database. These tools are similar in style to the
+equivalent ldap command line tools.
+	</para>
+
+	<para>
+In its default mode of operation with a tdb backend, ldb can also be
+seen as a "schema-less LDAP". By default ldb does not require a
+schema, which greatly reduces the complexity of getting started with
+ldb databases. As the complexity of you application grows you can take
+advantage of some of the optional schema-like attributes that ldb
+offers, or you can migrate to using the full LDAP api while keeping
+your exiting ldb code.
+	</para>
+
+	<para>
+If you are new to ldb, then I suggest starting with the manual pages
+for ldbsearch(1) and ldbedit(1), and experimenting with a local
+database. Then I suggest you look at the ldb_connect(3) and
+ldb_search(3) manual pages.
+	</para>
+</refsect1>
+
+<refsect1>
+	<title>TOOLS</title>
+
+	<itemizedlist>
+		<listitem><para>
+			<application>ldbsearch(1)</application>
+			  - command line ldb search utility
+		</para></listitem>
+
+		<listitem><para>
+			<application>ldbedit(1)</application>
+			 - edit all or part of a ldb database using your favourite editor
+		</para></listitem>
+
+		<listitem><para>
+			<application>ldbadd(1)</application>
+			 - add records to a ldb database using LDIF formatted input
+		</para></listitem>
+
+		<listitem><para>
+			<application>ldbdel(1)</application>
+			 - delete records from a ldb database
+		</para></listitem>
+
+		<listitem><para>
+			<application>ldbmodify(1)</application>
+			 - modify records in a ldb database using LDIF formatted input
+		</para></listitem>
+	</itemizedlist>
+</refsect1>
+
+<refsect1>
+	<title>FUNCTIONS</title>
+
+	<itemizedlist>
+		<listitem><para>
+			<function>ldb_connect(3)</function>
+			 - connect to a ldb backend
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_search(3)</function>
+			 - perform a database search
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_add(3)</function>
+			 - add a record to the database
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_delete(3)</function>
+			 - delete a record from the database
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_modify(3)</function>
+			 - modify a record in the database
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_errstring(3)</function>
+			 - retrieve extended error information from the last operation
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_write(3)</function>
+			 - write a LDIF formatted message
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_write_file(3)</function>
+			 - write a LDIF formatted message to a file
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_read(3)</function>
+			 - read a LDIF formatted message
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_read_free(3)</function>
+			 - free the result of a ldb_ldif_read()
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_read_file(3)</function>
+			 - read a LDIF message from a file
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_ldif_read_string(3)</function>
+			 - read a LDIF message from a string
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_msg_find_element(3)</function>
+			 - find an element in a ldb_message
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_val_equal_exact(3)</function>
+			 - compare two ldb_val structures
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_msg_find_val(3)</function>
+			 - find an element by value
+		</para></listitem>
+
+		<listitem><para>
+			<function>ldb_msg_add_empty(3)</function>
+			 - add an empty message element to a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_add(3)</function>
+			 - add a non-empty message element to a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_element_compare(3)</function>
+			 - compare two ldb_message_element structures
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_find_int(3)</function>
+			 - return an integer value from a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_find_uint(3)</function>
+			 - return an unsigned integer value from a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_find_double(3)</function>
+			 - return a double value from a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_msg_find_string(3)</function>
+			 - return a string value from a ldb_message
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_set_alloc(3)</function>
+			 - set the memory allocation function to be used by ldb
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_set_debug(3)</function>
+			 - set a debug handler to be used by ldb
+		</para></listitem>
+
+
+		<listitem><para>
+			<function>ldb_set_debug_stderr(3)</function>
+			 - set a debug handler for stderr output
+		</para></listitem>
+	</itemizedlist>
+</refsect1>
+
+<refsect1>
+	<title>Author</title>
+
+	<para>
+		ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>
+ldb is released under the GNU Lesser General Public License version 2
+or later. Please see the file COPYING for license details.
+	</para>
+</refsect1>
+</refentry>
diff --git a/source3/lib/ldb/man/ldbadd.1.xml b/source3/lib/ldb/man/ldbadd.1.xml
new file mode 100644
index 0000000000..7ad0f835d0
--- /dev/null
+++ b/source3/lib/ldb/man/ldbadd.1.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbadd.1">
+
+<refmeta>
+	<refentrytitle>ldbadd</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ldbadd</refname>
+	<refpurpose>Command-line utility for adding records to an LDB</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ldbadd</command>
+		<arg choice="opt">-h</arg>
+		<arg choice="opt">-H LDB-URL</arg>
+		<arg choice="opt">ldif-file1</arg>
+		<arg choice="opt">ldif-file2</arg>
+		<arg choice="opt">...</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ldbadd adds records to an ldb(7) database. It reads 
+		the ldif(5) files specified on the command line and adds 
+		the records from these files to the LDB database, which is specified 
+		by the -H option or the LDB_URL environment variable.
+	</para>
+
+	<para>If - is specified as a ldb file, the ldif input is read from 
+		standard input.</para>
+
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-h</term>
+		<listitem><para>
+		Show list of available options.</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-H &lt;ldb-url&gt;</term>
+			<listitem><para>
+				LDB URL to connect to. See ldb(7) for details.
+			</para></listitem>
+		</varlistentry>
+		
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+		<varlistentry><term>LDB_URL</term>
+			<listitem><para>LDB URL to connect to (can be overrided by using the 
+					-H command-line option.)</para></listitem>
+		</varlistentry>
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbmodify, ldbdel, ldif(5)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>This manpage was written by Jelmer Vernooij.</para>
+	
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldbdel.1.xml b/source3/lib/ldb/man/ldbdel.1.xml
new file mode 100644
index 0000000000..7dfc7366f6
--- /dev/null
+++ b/source3/lib/ldb/man/ldbdel.1.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbdel.1">
+
+<refmeta>
+	<refentrytitle>ldbdel</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ldbdel</refname>
+	<refpurpose>Command-line program for deleting LDB records</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ldbdel</command>
+		<arg choice="opt">-h</arg>
+		<arg choice="opt">-H LDB-URL</arg>
+		<arg choice="opt">dn</arg>
+		<arg choice="opt">...</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ldbdel deletes records from an ldb(7) database. 
+		It deletes the records identified by the dn's specified 
+		on the command-line. </para>
+
+	<para>ldbdel uses either the database that is specified with 
+		the -H option or the database specified by the LDB_URL environment
+		variable.</para>
+
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-h</term>
+		<listitem><para>
+		Show list of available options.</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-H &lt;ldb-url&gt;</term>
+			<listitem><para>
+				LDB URL to connect to. See ldb(7) for details.
+			</para></listitem>
+		</varlistentry>
+		
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+		<varlistentry><term>LDB_URL</term>
+			<listitem><para>LDB URL to connect to (can be overrided by using the 
+					-H command-line option.)</para></listitem>
+		</varlistentry>
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbmodify, ldbadd, ldif(5)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+		<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>ldbdel was written by Andrew Tridgell.</para>
+
+	<para>This manpage was written by Jelmer Vernooij.</para>
+	
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldbedit.1.xml b/source3/lib/ldb/man/ldbedit.1.xml
new file mode 100644
index 0000000000..15c69b1b25
--- /dev/null
+++ b/source3/lib/ldb/man/ldbedit.1.xml
@@ -0,0 +1,200 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbedit.1">
+
+    <refmeta>
+	<refentrytitle>ldbedit</refentrytitle>
+	<manvolnum>1</manvolnum>
+    </refmeta>
+
+
+    <refnamediv>
+	<refname>ldbedit</refname>
+	<refpurpose>Edit LDB databases using your preferred editor</refpurpose>
+    </refnamediv>
+
+    <refsynopsisdiv>
+	<cmdsynopsis>
+	    <command>ldbedit</command>
+	    <arg choice="opt">-?</arg>
+	    <arg choice="opt">--usage</arg>
+	    <arg choice="opt">-s base|one|sub</arg>
+	    <arg choice="opt">-b basedn</arg>
+	    <arg choice="opt">-a</arg>
+	    <arg choice="opt">-e editor</arg>
+	    <arg choice="opt">-H LDB-URL</arg>
+	    <arg choice="opt">expression</arg>
+	    <arg rep="repeat" choice="opt">attributes</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ldbedit is a utility that allows you to edit LDB entries (in 
+	    tdb files, sqlite files or LDAP servers) using your preferred editor.
+	    ldbedit generates an LDIF file based on your query, allows you to edit
+	    the LDIF, and then merges that LDIF back into the LDB backend.
+	</para>
+
+</refsect1>
+
+
+    <refsect1>
+	<title>OPTIONS</title>
+	
+	<variablelist>
+	    <varlistentry>
+		<term>-?</term>
+		<term>--help</term>
+		<listitem>
+		    <para>
+			Show list of available options, and a phrase describing what that option
+			does.
+		    </para>
+		</listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>--usage</term>
+		<listitem>
+		    <para>
+			Show list of available options. This is similar to the help option, 
+			however it does not provide any description, and is hence shorter.
+		    </para>
+		</listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-H &lt;ldb-url&gt;</term>
+		<listitem>
+		    <para>
+			LDB URL to connect to. For a tdb database,
+			this will be of the form
+			tdb://<replaceable>filename</replaceable>.
+			For a LDAP connection over unix domain
+			sockets, this will be of the form
+			ldapi://<replaceable>socket</replaceable>. For
+			a (potentially remote) LDAP connection over
+			TCP, this will be of the form
+			ldap://<replaceable>hostname</replaceable>. For
+			an SQLite database, this will be of the form
+			sqlite://<replaceable>filename</replaceable>.
+		    </para>
+		</listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-s one|sub|base</term>
+		<listitem><para>Search scope to use. One-level, subtree or base.</para></listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-a</term>
+		<term>-all</term>
+		<listitem>
+		    <para>Edit all records. This allows you to
+			apply the same change to a number of records
+			at once. You probably want to combine this
+			with an expression of the form
+			"objectclass=*".
+		    </para>
+		</listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-e editor</term>
+		<term>--editor editor</term>
+		<listitem>
+		    <para>Specify the editor that should be used (overrides 
+			the VISUAL and EDITOR environment
+			variables). If this option is not used, and
+			neither VISUAL nor EDITOR environment variables
+			are set, then the vi editor will be used.
+		    </para>
+		</listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-b basedn</term>
+		<listitem><para>Specify Base Distinguished Name to use.</para></listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+		<term>-v</term>
+		<term>--verbose</term>
+		<listitem>
+		    <para>Make ldbedit more verbose about the
+			operations that are being performed. Without
+			this option, ldbedit will only provide a
+			summary change line.
+		    </para>
+		</listitem>
+	    </varlistentry>
+		
+	</variablelist>
+	
+    </refsect1>
+
+    <refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+	    <varlistentry>
+		<term>LDB_URL</term>
+		<listitem>
+		    <para>LDB URL to connect to. This can be
+		    overridden by using the -H command-line option.)
+		    </para>
+		</listitem>
+	    </varlistentry>
+	    <varlistentry>
+		<term>VISUAL and EDITOR</term>
+		<listitem>
+		    <para>
+			Environment variables used to determine what 
+			editor to use. VISUAL takes precedence over
+			EDITOR, and both are overridden by the
+			-e command-line option.
+		    </para>
+		</listitem>
+	    </varlistentry>
+	</variablelist>
+	
+    </refsect1>
+
+    <refsect1>
+	<title>VERSION</title>
+	
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+    </refsect1>
+
+    <refsect1>
+	<title>SEE ALSO</title>
+	
+	<para>ldb(7), ldbmodify(1), ldbdel(1), ldif(5), vi(1)</para>
+
+    </refsect1>
+
+    <refsect1>
+	<title>AUTHOR</title>
+
+	<para>
+	    ldb was written by 
+	    <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+	    If you wish to report a problem or make a suggestion then please see
+	    the <ulink url="http://ldb.samba.org/"/> web site for
+	    current contact and maintainer information.
+	</para>
+
+	<para>
+	    This manpage was written by Jelmer Vernooij and updated
+	    by Brad Hards.
+	</para>
+	
+    </refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldbmodify.1.xml b/source3/lib/ldb/man/ldbmodify.1.xml
new file mode 100644
index 0000000000..bc19647785
--- /dev/null
+++ b/source3/lib/ldb/man/ldbmodify.1.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbmodify.1">
+
+<refmeta>
+	<refentrytitle>ldbmodify</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ldbmodify</refname>
+	<refpurpose>Modify records in a LDB database</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ldbmodify</command>
+		<arg choice="opt">-H LDB-URL</arg>
+		<arg choice="opt">ldif-file</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>
+		ldbmodify changes, adds and deletes records in a LDB database. 
+		The changes that should be made to the LDB database are read from 
+		the specified LDIF-file. If - is specified as the filename, input is read from stdin.
+	</para>
+
+	<para>For now, see ldapmodify(1) for details on the LDIF file format.</para>
+
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+			<term>-H &lt;ldb-url&gt;</term>
+			<listitem><para>
+				LDB URL to connect to. See ldb(7) for details.
+			</para></listitem>
+		</varlistentry>
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+		<varlistentry><term>LDB_URL</term>
+			<listitem><para>LDB URL to connect to (can be overrided by using the 
+					-H command-line option.)</para></listitem>
+		</varlistentry>
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbedit</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>This manpage was written by Jelmer Vernooij.</para>
+	
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldbrename.1.xml b/source3/lib/ldb/man/ldbrename.1.xml
new file mode 100644
index 0000000000..391ec84ccc
--- /dev/null
+++ b/source3/lib/ldb/man/ldbrename.1.xml
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbrename.1">
+
+<refmeta>
+	<refentrytitle>ldbrename</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ldbrename</refname>
+	<refpurpose>Edit LDB databases using your favorite editor</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ldbrename</command>
+		<arg choice="opt">-h</arg>
+		<arg choice="opt">-o options</arg>
+		<arg choice="req">olddn</arg>
+		<arg choice="req">newdb</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ldbrename is a utility that allows you to rename trees in 
+		an LDB database based by DN. This utility takes 
+		two arguments: the original 
+		DN name of the top element and the DN to change it to.
+	</para>
+
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-h</term>
+		<listitem><para>
+		Show list of available options.</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-H &lt;ldb-url&gt;</term>
+			<listitem><para>
+				LDB URL to connect to. See ldb(7) for details.
+			</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-o options</term>
+			<listitem><para>Extra ldb options, such as 
+			modules.</para></listitem>
+		</varlistentry>
+		
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+		<varlistentry><term>LDB_URL</term>
+			<listitem><para>LDB URL to connect to (can be overrided by using the 
+					-H command-line option.)</para></listitem>
+		</varlistentry>
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbmodify, ldbdel, ldif(5)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>This manpage was written by Jelmer Vernooij.</para>
+	
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/ldbsearch.1.xml b/source3/lib/ldb/man/ldbsearch.1.xml
new file mode 100644
index 0000000000..ed3749b920
--- /dev/null
+++ b/source3/lib/ldb/man/ldbsearch.1.xml
@@ -0,0 +1,119 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="ldbsearch.1">
+
+<refmeta>
+	<refentrytitle>ldbsearch</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>ldbsearch</refname>
+	<refpurpose>Search for records in a LDB database</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>ldbsearch</command>
+		<arg choice="opt">-h</arg>
+		<arg choice="opt">-s base|one|sub</arg>
+		<arg choice="opt">-b basedn</arg>
+		<arg chioce="opt">-i</arg>
+		<arg choice="opt">-H LDB-URL</arg>
+		<arg choice="opt">expression</arg>
+		<arg choice="opt">attributes</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>ldbsearch searches a LDB database for records matching the 
+		specified expression (see the ldapsearch(1) manpage for 
+		a description of the expression format). For each 
+		record, the specified attributes are printed.
+	</para>
+
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-h</term>
+		<listitem><para>
+		Show list of available options.</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-H &lt;ldb-url&gt;</term>
+			<listitem><para>
+				LDB URL to connect to. See ldb(7) for details.
+			</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-s one|sub|base</term>
+			<listitem><para>Search scope to use. One-level, subtree or base.</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-i</term>
+			<listitem><para>Read search expressions from stdin. </para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+			<term>-b basedn</term>
+			<listitem><para>Specify Base DN to use.</para></listitem>
+		</varlistentry>
+		
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>ENVIRONMENT</title>
+
+	<variablelist>
+		<varlistentry><term>LDB_URL</term>
+			<listitem><para>LDB URL to connect to (can be overrided by using the 
+					-H command-line option.)</para></listitem>
+		</varlistentry>
+	</variablelist>
+	
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbedit(1)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+	<para>This manpage was written by Jelmer Vernooij.</para>
+	
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/man/oLschema2ldif.1.xml b/source3/lib/ldb/man/oLschema2ldif.1.xml
new file mode 100644
index 0000000000..b1e681be4e
--- /dev/null
+++ b/source3/lib/ldb/man/oLschema2ldif.1.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry id="oLschema2ldif.1">
+
+<refmeta>
+	<refentrytitle>oLschema2ldif</refentrytitle>
+	<manvolnum>1</manvolnum>
+</refmeta>
+
+
+<refnamediv>
+	<refname>oLschema2ldif</refname>
+	<refpurpose>Converts LDAP schema's to LDB-compatible LDIF</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>oLschema2ldif</command>
+		<arg choice="opt">-I INPUT-FILE</arg>
+		<arg choice="opt">-O OUTPUT-FILE</arg>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>oLschema2ldif is a simple tool that converts standard OpenLDAP schema files to a LDIF format that is understood by LDB.</para>
+</refsect1>
+
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+		<varlistentry>
+		<term>-I input-file</term>
+		<listitem><para>OpenLDAP schema to read. If none are specified, 
+the schema file will be read from standard input.
+		</para></listitem>
+		</varlistentry>
+
+	<varlistentry>
+		<term>-O output-file</term>
+		<listitem><para>File to write ldif version of schema to.
+		</para></listitem>
+	</varlistentry>
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>VERSION</title>
+
+	<para>This man page is correct for version 4.0 of the Samba suite.</para>
+</refsect1>
+
+<refsect1>
+	<title>SEE ALSO</title>
+
+	<para>ldb(7), ldbmodify, ldbdel, ldif(5)</para>
+
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para> ldb was written by 
+		 <ulink url="http://samba.org/~tridge/">Andrew Tridgell</ulink>.
+		oLschema2ldif was written by <ulink url="mailto:idra@samba.org">Simo Sorce</ulink>.
+	</para>
+
+	<para>
+If you wish to report a problem or make a suggestion then please see
+the <ulink url="http://ldb.samba.org/"/> web site for
+current contact and maintainer information.
+	</para>
+
+</refsect1>
+
+</refentry>
diff --git a/source3/lib/ldb/modules/asq.c b/source3/lib/ldb/modules/asq.c
new file mode 100644
index 0000000000..413257f20a
--- /dev/null
+++ b/source3/lib/ldb/modules/asq.c
@@ -0,0 +1,488 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb attribute scoped query control module
+ *
+ *  Description: this module searches all the the objects pointed
+ *  		 by the DNs contained in the references attribute
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+struct asq_context {
+
+	enum {ASQ_SEARCH_BASE, ASQ_SEARCH_MULTI} step;
+
+	struct ldb_module *module;
+	void *up_context;
+	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+	const char * const *req_attrs;
+	char *req_attribute;
+	enum {
+		ASQ_CTRL_SUCCESS			= 0,
+		ASQ_CTRL_INVALID_ATTRIBUTE_SYNTAX	= 21,
+		ASQ_CTRL_UNWILLING_TO_PERFORM		= 53,
+		ASQ_CTRL_AFFECTS_MULTIPLE_DSA		= 71
+	} asq_ret;
+
+	struct ldb_request *base_req;
+	struct ldb_reply *base_res;
+
+	struct ldb_request **reqs;
+	int num_reqs;
+	int cur_req;
+
+	struct ldb_control **controls;
+};
+
+static struct ldb_handle *init_handle(void *mem_ctx, struct ldb_module *module,
+					    void *context,
+					    int (*callback)(struct ldb_context *, void *, struct ldb_reply *))
+{
+	struct asq_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(mem_ctx, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct asq_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->up_context = context;
+	ac->up_callback = callback;
+
+	return h;
+}
+
+static int asq_terminate(struct ldb_handle *handle)
+{
+	struct asq_context *ac;
+	struct ldb_reply *ares;
+	struct ldb_asq_control *asq;
+	int i;
+
+	ac = talloc_get_type(handle->private_data, struct asq_context);
+	if (ac == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	handle->status = LDB_SUCCESS;
+	handle->state = LDB_ASYNC_DONE;
+
+	ares = talloc_zero(ac, struct ldb_reply);
+	if (ares == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	ares->type = LDB_REPLY_DONE;
+
+	if (ac->controls) {
+		for (i = 0; ac->controls[i]; i++);
+		ares->controls = talloc_move(ares, &ac->controls);
+	} else {
+		i = 0;
+	}
+
+	ares->controls = talloc_realloc(ares, ares->controls, struct ldb_control *, i + 2);
+	
+	if (ares->controls == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	ares->controls[i] = talloc(ares->controls, struct ldb_control);
+	if (ares->controls[i] == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	ares->controls[i]->oid = LDB_CONTROL_ASQ_OID;
+	ares->controls[i]->critical = 0;
+
+	asq = talloc_zero(ares->controls[i], struct ldb_asq_control);
+	if (asq == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	asq->result = ac->asq_ret;
+	
+	ares->controls[i]->data = asq;
+
+	ares->controls[i + 1] = NULL;
+
+	ac->up_callback(ac->module->ldb, ac->up_context, ares);
+
+	return LDB_SUCCESS;
+}
+
+static int asq_base_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct asq_context *ac;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}
+
+	if (!(ac = talloc_get_type(context, struct asq_context))) {
+		goto error;
+	}
+
+	/* we are interested only in the single reply (base search) we receive here */
+	if (ares->type == LDB_REPLY_ENTRY) {
+		ac->base_res = talloc_move(ac, &ares);
+	} else {
+		talloc_free(ares);
+	}
+
+	return LDB_SUCCESS;
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int asq_reqs_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct asq_context *ac;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}
+
+	if (!(ac = talloc_get_type(context, struct asq_context))) {
+		goto error;
+	}
+
+	/* we are interested only in the single reply (base search) we receive here */
+	if (ares->type == LDB_REPLY_ENTRY) {
+
+		/* pass the message up to the original callback as we
+		 * do not have to elaborate on it any further */
+		return ac->up_callback(ac->module->ldb, ac->up_context, ares);
+		
+	} else { /* ignore any REFERRAL or DONE reply */
+		talloc_free(ares);
+	}
+
+	return LDB_SUCCESS;
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int asq_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_control *control;
+	struct ldb_asq_control *asq_ctrl;
+	struct asq_context *ac;
+	struct ldb_handle *h;
+	char **base_attrs;
+	int ret;
+
+	/* check if there's a paged request control */
+	control = get_control_from_list(req->controls, LDB_CONTROL_ASQ_OID);
+	if (control == NULL) {
+		/* not found go on */
+		return ldb_next_request(module, req);
+	}
+
+	req->handle = NULL;
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb,
+				  "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	asq_ctrl = talloc_get_type(control->data, struct ldb_asq_control);
+	if (!asq_ctrl) {
+		return LDB_ERR_PROTOCOL_ERROR;
+	}
+
+	h = init_handle(req, module, req->context, req->callback);
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	if (!(ac = talloc_get_type(h->private_data, struct asq_context))) {
+
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->handle = h;
+
+	/* check the search is well formed */
+	if (req->op.search.scope != LDB_SCOPE_BASE) {
+		ac->asq_ret = ASQ_CTRL_UNWILLING_TO_PERFORM;
+		return asq_terminate(h);
+	}
+
+	ac->req_attrs = req->op.search.attrs;
+	ac->req_attribute = talloc_strdup(ac, asq_ctrl->source_attribute);
+	if (ac->req_attribute == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	/* get the object to retrieve the DNs to search */
+	ac->base_req = talloc_zero(req, struct ldb_request);
+	if (ac->base_req == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+	ac->base_req->operation = req->operation;
+	ac->base_req->op.search.base = req->op.search.base;
+	ac->base_req->op.search.scope = LDB_SCOPE_BASE;
+	ac->base_req->op.search.tree = req->op.search.tree;
+	base_attrs = talloc_array(ac->base_req, char *, 2);
+	if (base_attrs == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+	base_attrs[0] = talloc_strdup(base_attrs, asq_ctrl->source_attribute);
+	if (base_attrs[0] == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+	base_attrs[1] = NULL;
+	ac->base_req->op.search.attrs = (const char * const *)base_attrs;
+
+	ac->base_req->context = ac;
+	ac->base_req->callback = asq_base_callback;
+	ldb_set_timeout_from_prev_req(module->ldb, req, ac->base_req);
+
+	ac->step = ASQ_SEARCH_BASE;
+
+	ret = ldb_request(module->ldb, ac->base_req);
+
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int asq_requests(struct ldb_handle *handle) {
+	struct asq_context *ac;
+	struct ldb_message_element *el;
+	int i;
+
+	if (!(ac = talloc_get_type(handle->private_data,
+				   struct asq_context))) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* look up the DNs */
+	if (ac->base_res == NULL) {
+		return LDB_ERR_NO_SUCH_OBJECT;
+	}
+	el = ldb_msg_find_element(ac->base_res->message, ac->req_attribute);
+	/* no values found */
+	if (el == NULL) {
+		ac->asq_ret = ASQ_CTRL_SUCCESS;
+		return asq_terminate(handle);
+	}
+
+	/* build up the requests call chain */
+	ac->num_reqs = el->num_values;
+	ac->cur_req = 0;
+	ac->reqs = talloc_array(ac, struct ldb_request *, ac->num_reqs);
+	if (ac->reqs == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	for (i = 0; i < el->num_values; i++) {
+
+		ac->reqs[i] = talloc_zero(ac->reqs, struct ldb_request);
+		if (ac->reqs[i] == NULL)
+			return LDB_ERR_OPERATIONS_ERROR;
+		ac->reqs[i]->operation = LDB_SEARCH;
+		ac->reqs[i]->op.search.base = ldb_dn_explode(ac->reqs[i], (const char *)el->values[i].data);
+		if (ac->reqs[i]->op.search.base == NULL) {
+			ac->asq_ret = ASQ_CTRL_INVALID_ATTRIBUTE_SYNTAX;
+			return asq_terminate(handle);
+		}
+		ac->reqs[i]->op.search.scope = LDB_SCOPE_BASE;
+		ac->reqs[i]->op.search.tree = ac->base_req->op.search.tree;
+		ac->reqs[i]->op.search.attrs = ac->req_attrs;
+
+		ac->reqs[i]->context = ac;
+		ac->reqs[i]->callback = asq_reqs_callback;
+		ldb_set_timeout_from_prev_req(ac->module->ldb, ac->base_req, ac->reqs[i]);
+	}
+
+	ac->step = ASQ_SEARCH_MULTI;
+
+	return LDB_SUCCESS;
+}
+
+static int asq_wait_none(struct ldb_handle *handle)
+{
+	struct asq_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	if (!(ac = talloc_get_type(handle->private_data,
+				   struct asq_context))) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	switch (ac->step) {
+	case ASQ_SEARCH_BASE:
+		ret = ldb_wait(ac->base_req->handle, LDB_WAIT_NONE);
+		
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+
+		if (ac->base_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->base_req->handle->status;
+			goto done;
+		}
+		if (ac->base_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		ret = asq_requests(handle);
+
+		/* no break nor return,
+		 * the set of requests is performed in ASQ_SEARCH_MULTI
+		 */
+		
+	case ASQ_SEARCH_MULTI:
+
+		if (ac->reqs[ac->cur_req]->handle == NULL) {
+			ret = ldb_request(ac->module->ldb, ac->reqs[ac->cur_req]);
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+		}
+
+		ret = ldb_wait(ac->reqs[ac->cur_req]->handle, LDB_WAIT_NONE);
+		
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->reqs[ac->cur_req]->handle->status != LDB_SUCCESS) {
+			handle->status = ac->reqs[ac->cur_req]->handle->status;
+		}
+
+		if (ac->reqs[ac->cur_req]->handle->state == LDB_ASYNC_DONE) {
+			ac->cur_req++;
+		}
+
+		if (ac->cur_req < ac->num_reqs) {
+			return LDB_SUCCESS;
+		}
+
+		return asq_terminate(handle);
+
+	default:
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	ret = LDB_SUCCESS;
+
+done:
+	handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int asq_wait_all(struct ldb_handle *handle)
+{
+	int ret;
+
+	while (handle->state != LDB_ASYNC_DONE) {
+		ret = asq_wait_none(handle);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	return handle->status;
+}
+
+static int asq_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (type == LDB_WAIT_ALL) {
+		return asq_wait_all(handle);
+	} else {
+		return asq_wait_none(handle);
+	}
+}
+
+static int asq_init(struct ldb_module *module)
+{
+	struct ldb_request *req;
+	int ret;
+
+	req = talloc_zero(module, struct ldb_request);
+	if (req == NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "asq: Out of memory!\n");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_REQ_REGISTER_CONTROL;
+	req->op.reg_control.oid = LDB_CONTROL_ASQ_OID;
+
+	ret = ldb_request(module->ldb, req);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "asq: Unable to register control with rootdse!\n");
+	}
+
+	return ldb_next_init(module);
+}
+
+
+static const struct ldb_module_ops asq_ops = {
+	.name		   = "asq",
+	.search		   = asq_search,
+	.wait              = asq_wait,
+	.init_context	   = asq_init
+};
+
+int ldb_asq_init(void)
+{
+	return ldb_register_module(&asq_ops);
+}
diff --git a/source3/lib/ldb/modules/ldb_map.c b/source3/lib/ldb/modules/ldb_map.c
new file mode 100644
index 0000000000..54e1758c1e
--- /dev/null
+++ b/source3/lib/ldb/modules/ldb_map.c
@@ -0,0 +1,1337 @@
+/*
+   ldb database mapping module
+
+   Copyright (C) Jelmer Vernooij 2005
+   Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
+
+   * NOTICE: this module is NOT released under the GNU LGPL license as
+   * other ldb code. This module is release under the GNU GPL v2 or
+   * later license.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* 
+ *  Name: ldb
+ *
+ *  Component: ldb ldb_map module
+ *
+ *  Description: Map portions of data into a different format on a
+ *  remote partition.
+ *
+ *  Author: Jelmer Vernooij, Martin Kuehl
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/modules/ldb_map.h"
+#include "ldb/modules/ldb_map_private.h"
+
+/* Description of the provided ldb requests:
+ - special attribute 'isMapped'
+
+ - search:
+     - if parse tree can be split
+         - search remote records w/ remote attrs and parse tree
+     - otherwise
+         - enumerate all remote records
+     - for each remote result
+         - map remote result to local message
+         - search local result
+         - is present
+             - merge local into remote result
+             - run callback on merged result
+         - otherwise
+             - run callback on remote result
+
+ - add:
+     - split message into local and remote part
+     - if local message is not empty
+         - add isMapped to local message
+         - add local message
+     - add remote message
+
+ - modify:
+     - split message into local and remote part
+     - if local message is not empty
+         - add isMapped to local message
+         - search for local record
+         - if present
+             - modify local record
+         - otherwise
+             - add local message
+     - modify remote record
+
+ - delete:
+     - search for local record
+     - if present
+         - delete local record
+     - delete remote record
+
+ - rename:
+     - search for local record
+     - if present
+         - rename local record
+         - modify local isMapped
+     - rename remote record
+*/
+
+
+
+/* Private data structures
+ * ======================= */
+
+/* Global private data */
+/* Extract mappings from private data. */
+const struct ldb_map_context *map_get_context(struct ldb_module *module)
+{
+	const struct map_private *data = talloc_get_type(module->private_data, struct map_private);
+	return data->context;
+}
+
+/* Create a generic request context. */
+static struct map_context *map_init_context(struct ldb_handle *h, struct ldb_request *req)
+{
+	struct map_context *ac;
+
+	ac = talloc_zero(h, struct map_context);
+	if (ac == NULL) {
+		map_oom(h->module);
+		return NULL;
+	}
+
+	ac->module = h->module;
+	ac->orig_req = req;
+
+	return ac;
+}
+
+/* Create a search request context. */
+struct map_search_context *map_init_search_context(struct map_context *ac, struct ldb_reply *ares)
+{
+	struct map_search_context *sc;
+
+	sc = talloc_zero(ac, struct map_search_context);
+	if (sc == NULL) {
+		map_oom(ac->module);
+		return NULL;
+	}
+
+	sc->ac = ac;
+	sc->local_res = NULL;
+	sc->remote_res = ares;
+
+	return sc;
+}
+
+/* Create a request context and handle. */
+struct ldb_handle *map_init_handle(struct ldb_request *req, struct ldb_module *module)
+{
+	struct map_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(req, struct ldb_handle);
+	if (h == NULL) {
+		map_oom(module);
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = map_init_context(h, req);
+	if (ac == NULL) {
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	return h;
+}
+
+
+/* Dealing with DNs for different partitions
+ * ========================================= */
+
+/* Check whether any data should be stored in the local partition. */
+BOOL map_check_local_db(struct ldb_module *module)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+
+	if (!data->remote_base_dn || !data->local_base_dn) {
+		return False;
+	}
+
+	return True;
+}
+
+/* Copy a DN with the base DN of the local partition. */
+static struct ldb_dn *ldb_dn_rebase_local(void *mem_ctx, const struct ldb_map_context *data, const struct ldb_dn *dn)
+{
+	return ldb_dn_copy_rebase(mem_ctx, dn, data->remote_base_dn, data->local_base_dn);
+}
+
+/* Copy a DN with the base DN of the remote partition. */
+static struct ldb_dn *ldb_dn_rebase_remote(void *mem_ctx, const struct ldb_map_context *data, const struct ldb_dn *dn)
+{
+	return ldb_dn_copy_rebase(mem_ctx, dn, data->local_base_dn, data->remote_base_dn);
+}
+
+/* Run a request and make sure it targets the remote partition. */
+/* TODO: free old DNs and messages? */
+int ldb_next_remote_request(struct ldb_module *module, struct ldb_request *request)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	struct ldb_message *msg;
+
+	switch (request->operation) {
+	case LDB_SEARCH:
+		if (request->op.search.base) {
+			request->op.search.base = ldb_dn_rebase_remote(request, data, request->op.search.base);
+		} else {
+			request->op.search.base = data->remote_base_dn;
+			/* TODO: adjust scope? */
+		}
+		break;
+
+	case LDB_ADD:
+		msg = ldb_msg_copy_shallow(request, request->op.add.message);
+		msg->dn = ldb_dn_rebase_remote(msg, data, msg->dn);
+		request->op.add.message = msg;
+		break;
+
+	case LDB_MODIFY:
+		msg = ldb_msg_copy_shallow(request, request->op.mod.message);
+		msg->dn = ldb_dn_rebase_remote(msg, data, msg->dn);
+		request->op.mod.message = msg;
+		break;
+
+	case LDB_DELETE:
+		request->op.del.dn = ldb_dn_rebase_remote(request, data, request->op.del.dn);
+		break;
+
+	case LDB_RENAME:
+		request->op.rename.olddn = ldb_dn_rebase_remote(request, data, request->op.rename.olddn);
+		request->op.rename.newdn = ldb_dn_rebase_remote(request, data, request->op.rename.newdn);
+		break;
+
+	default:
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+			  "Invalid remote request!\n");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return ldb_next_request(module, request);
+}
+
+
+/* Finding mappings for attributes and objectClasses
+ * ================================================= */
+
+/* Find an objectClass mapping by the local name. */
+static const struct ldb_map_objectclass *map_objectclass_find_local(const struct ldb_map_context *data, const char *name)
+{
+	int i;
+
+	for (i = 0; data->objectclass_maps && data->objectclass_maps[i].local_name; i++) {
+		if (ldb_attr_cmp(data->objectclass_maps[i].local_name, name) == 0) {
+			return &data->objectclass_maps[i];
+		}
+	}
+
+	return NULL;
+}
+
+/* Find an objectClass mapping by the remote name. */
+static const struct ldb_map_objectclass *map_objectclass_find_remote(const struct ldb_map_context *data, const char *name)
+{
+	int i;
+
+	for (i = 0; data->objectclass_maps && data->objectclass_maps[i].remote_name; i++) {
+		if (ldb_attr_cmp(data->objectclass_maps[i].remote_name, name) == 0) {
+			return &data->objectclass_maps[i];
+		}
+	}
+
+	return NULL;
+}
+
+/* Find an attribute mapping by the local name. */
+const struct ldb_map_attribute *map_attr_find_local(const struct ldb_map_context *data, const char *name)
+{
+	int i;
+
+	for (i = 0; data->attribute_maps[i].local_name; i++) {
+		if (ldb_attr_cmp(data->attribute_maps[i].local_name, name) == 0) {
+			return &data->attribute_maps[i];
+		}
+	}
+	for (i = 0; data->attribute_maps[i].local_name; i++) {
+		if (ldb_attr_cmp(data->attribute_maps[i].local_name, "*") == 0) {
+			return &data->attribute_maps[i];
+		}
+	}
+
+	return NULL;
+}
+
+/* Find an attribute mapping by the remote name. */
+const struct ldb_map_attribute *map_attr_find_remote(const struct ldb_map_context *data, const char *name)
+{
+	const struct ldb_map_attribute *map;
+	const struct ldb_map_attribute *wildcard = NULL;
+	int i, j;
+
+	for (i = 0; data->attribute_maps[i].local_name; i++) {
+		map = &data->attribute_maps[i];
+		if (ldb_attr_cmp(map->local_name, "*") == 0) {
+			wildcard = &data->attribute_maps[i];
+		}
+
+		switch (map->type) {
+		case MAP_IGNORE:
+			break;
+
+		case MAP_KEEP:
+			if (ldb_attr_cmp(map->local_name, name) == 0) {
+				return map;
+			}
+			break;
+
+		case MAP_RENAME:
+		case MAP_CONVERT:
+			if (ldb_attr_cmp(map->u.rename.remote_name, name) == 0) {
+				return map;
+			}
+			break;
+
+		case MAP_GENERATE:
+			for (j = 0; map->u.generate.remote_names && map->u.generate.remote_names[j]; j++) {
+				if (ldb_attr_cmp(map->u.generate.remote_names[j], name) == 0) {
+					return map;
+				}
+			}
+			break;
+		}
+	}
+
+	/* We didn't find it, so return the wildcard record if one was configured */
+	return wildcard;
+}
+
+
+/* Mapping attributes
+ * ================== */
+
+/* Check whether an attribute will be mapped into the remote partition. */
+BOOL map_attr_check_remote(const struct ldb_map_context *data, const char *attr)
+{
+	const struct ldb_map_attribute *map = map_attr_find_local(data, attr);
+
+	if (map == NULL) {
+		return False;
+	}
+	if (map->type == MAP_IGNORE) {
+		return False;
+	}
+
+	return True;
+}
+
+/* Map an attribute name into the remote partition. */
+const char *map_attr_map_local(void *mem_ctx, const struct ldb_map_attribute *map, const char *attr)
+{
+	if (map == NULL) {
+		return talloc_strdup(mem_ctx, attr);
+	}
+
+	switch (map->type) {
+	case MAP_KEEP:
+		return talloc_strdup(mem_ctx, attr);
+
+	case MAP_RENAME:
+	case MAP_CONVERT:
+		return talloc_strdup(mem_ctx, map->u.rename.remote_name);
+
+	default:
+		return NULL;
+	}
+}
+
+/* Map an attribute name back into the local partition. */
+const char *map_attr_map_remote(void *mem_ctx, const struct ldb_map_attribute *map, const char *attr)
+{
+	if (map == NULL) {
+		return talloc_strdup(mem_ctx, attr);
+	}
+
+	if (map->type == MAP_KEEP) {
+		return talloc_strdup(mem_ctx, attr);
+	}
+
+	return talloc_strdup(mem_ctx, map->local_name);
+}
+
+
+/* Merge two lists of attributes into a single one. */
+int map_attrs_merge(struct ldb_module *module, void *mem_ctx, 
+		    const char ***attrs, const char * const *more_attrs)
+{
+	int i, j, k;
+
+	for (i = 0; *attrs && (*attrs)[i]; i++) /* noop */ ;
+	for (j = 0; more_attrs && more_attrs[j]; j++) /* noop */ ;
+	
+	*attrs = talloc_realloc(mem_ctx, *attrs, const char *, i+j+1);
+	if (*attrs == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	for (k = 0; k < j; k++) {
+		(*attrs)[i + k] = more_attrs[k];
+	}
+
+	(*attrs)[i+k] = NULL;
+
+	return 0;
+}
+
+/* Mapping ldb values
+ * ================== */
+
+/* Map an ldb value into the remote partition. */
+struct ldb_val ldb_val_map_local(struct ldb_module *module, void *mem_ctx, 
+				 const struct ldb_map_attribute *map, const struct ldb_val *val)
+{
+	if (map && (map->type == MAP_CONVERT) && (map->u.convert.convert_local)) {
+		return map->u.convert.convert_local(module, mem_ctx, val);
+	}
+
+	return ldb_val_dup(mem_ctx, val);
+}
+
+/* Map an ldb value back into the local partition. */
+struct ldb_val ldb_val_map_remote(struct ldb_module *module, void *mem_ctx, 
+				  const struct ldb_map_attribute *map, const struct ldb_val *val)
+{
+	if (map && (map->type == MAP_CONVERT) && (map->u.convert.convert_remote)) {
+		return map->u.convert.convert_remote(module, mem_ctx, val);
+	}
+
+	return ldb_val_dup(mem_ctx, val);
+}
+
+
+/* Mapping DNs
+ * =========== */
+
+/* Check whether a DN is below the local baseDN. */
+BOOL ldb_dn_check_local(struct ldb_module *module, const struct ldb_dn *dn)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+
+	if (!data->local_base_dn) {
+		return True;
+	}
+
+	return ldb_dn_compare_base(module->ldb, data->local_base_dn, dn) == 0;
+}
+
+/* Map a DN into the remote partition. */
+struct ldb_dn *ldb_dn_map_local(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	struct ldb_dn *newdn;
+	const struct ldb_map_attribute *map;
+	enum ldb_map_attr_type map_type;
+	const char *name;
+	struct ldb_val value;
+	int i, ret;
+
+	if (dn == NULL) {
+		return NULL;
+	}
+
+	newdn = ldb_dn_copy(mem_ctx, dn);
+	if (newdn == NULL) {
+		map_oom(module);
+		return NULL;
+	}
+
+	/* For each RDN, map the component name and possibly the value */
+	for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) {
+		map = map_attr_find_local(data, ldb_dn_get_component_name(dn, i));
+
+		/* Unknown attribute - leave this RDN as is and hope the best... */
+		if (map == NULL) {
+			map_type = MAP_KEEP;
+		} else {
+			map_type = map->type;
+		}
+
+		switch (map_type) {
+		case MAP_IGNORE:
+		case MAP_GENERATE:
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+				  "MAP_IGNORE/MAP_GENERATE attribute '%s' "
+				  "used in DN!\n", ldb_dn_get_component_name(dn, i));
+			goto failed;
+
+		case MAP_CONVERT:
+			if (map->u.convert.convert_local == NULL) {
+				ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+					  "'convert_local' not set for attribute '%s' "
+					  "used in DN!\n", ldb_dn_get_component_name(dn, i));
+				goto failed;
+			}
+			/* fall through */
+		case MAP_KEEP:
+		case MAP_RENAME:
+			name = map_attr_map_local(newdn, map, ldb_dn_get_component_name(dn, i));
+			if (name == NULL) goto failed;
+
+			value = ldb_val_map_local(module, newdn, map, ldb_dn_get_component_val(dn, i));
+			if (value.data == NULL) goto failed;
+
+			ret = ldb_dn_set_component(newdn, i, name, value);
+			if (ret != LDB_SUCCESS) {
+				goto failed;
+			}
+
+			break;
+		}
+	}
+
+	return newdn;
+
+failed:
+	talloc_free(newdn);
+	return NULL;
+}
+
+/* Map a DN into the local partition. */
+struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	struct ldb_dn *newdn;
+	const struct ldb_map_attribute *map;
+	enum ldb_map_attr_type map_type;
+	const char *name;
+	struct ldb_val value;
+	int i, ret;
+
+	if (dn == NULL) {
+		return NULL;
+	}
+
+	newdn = ldb_dn_copy(mem_ctx, dn);
+	if (newdn == NULL) {
+		map_oom(module);
+		return NULL;
+	}
+
+	/* For each RDN, map the component name and possibly the value */
+	for (i = 0; i < ldb_dn_get_comp_num(newdn); i++) {
+		map = map_attr_find_remote(data, ldb_dn_get_component_name(dn, i));
+
+		/* Unknown attribute - leave this RDN as is and hope the best... */
+		if (map == NULL) {
+			map_type = MAP_KEEP;
+		} else {
+			map_type = map->type;
+		}
+
+		switch (map_type) {
+		case MAP_IGNORE:
+		case MAP_GENERATE:
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+				  "MAP_IGNORE/MAP_GENERATE attribute '%s' "
+				  "used in DN!\n", ldb_dn_get_component_name(dn, i));
+			goto failed;
+
+		case MAP_CONVERT:
+			if (map->u.convert.convert_remote == NULL) {
+				ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+					  "'convert_remote' not set for attribute '%s' "
+					  "used in DN!\n", ldb_dn_get_component_name(dn, i));
+				goto failed;
+			}
+			/* fall through */
+		case MAP_KEEP:
+		case MAP_RENAME:
+			name = map_attr_map_remote(newdn, map, ldb_dn_get_component_name(dn, i));
+			if (name == NULL) goto failed;
+
+			value = ldb_val_map_remote(module, newdn, map, ldb_dn_get_component_val(dn, i));
+			if (value.data == NULL) goto failed;
+
+			ret = ldb_dn_set_component(newdn, i, name, value);
+			if (ret != LDB_SUCCESS) {
+				goto failed;
+			}
+
+			break;
+		}
+	}
+
+	return newdn;
+
+failed:
+	talloc_free(newdn);
+	return NULL;
+}
+
+/* Map a DN and its base into the local partition. */
+/* TODO: This should not be required with GUIDs. */
+struct ldb_dn *ldb_dn_map_rebase_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	struct ldb_dn *dn1, *dn2;
+
+	dn1 = ldb_dn_rebase_local(mem_ctx, data, dn);
+	dn2 = ldb_dn_map_remote(module, mem_ctx, dn1);
+
+	talloc_free(dn1);
+	return dn2;
+}
+
+
+/* Converting DNs and objectClasses (as ldb values)
+ * ================================================ */
+
+/* Map a DN contained in an ldb value into the remote partition. */
+static struct ldb_val ldb_dn_convert_local(struct ldb_module *module, void *mem_ctx, const struct ldb_val *val)
+{
+	struct ldb_dn *dn, *newdn;
+	struct ldb_val newval;
+
+	dn = ldb_dn_explode(mem_ctx, (char *)val->data);
+	newdn = ldb_dn_map_local(module, mem_ctx, dn);
+	talloc_free(dn);
+
+	newval.length = 0;
+	newval.data = (uint8_t *)ldb_dn_linearize(mem_ctx, newdn);
+	if (newval.data) {
+		newval.length = strlen((char *)newval.data);
+	}
+	talloc_free(newdn);
+
+	return newval;
+}
+
+/* Map a DN contained in an ldb value into the local partition. */
+static struct ldb_val ldb_dn_convert_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_val *val)
+{
+	struct ldb_dn *dn, *newdn;
+	struct ldb_val newval;
+
+	dn = ldb_dn_explode(mem_ctx, (char *)val->data);
+	newdn = ldb_dn_map_remote(module, mem_ctx, dn);
+	talloc_free(dn);
+
+	newval.length = 0;
+	newval.data = (uint8_t *)ldb_dn_linearize(mem_ctx, newdn);
+	if (newval.data) {
+		newval.length = strlen((char *)newval.data);
+	}
+	talloc_free(newdn);
+
+	return newval;
+}
+
+/* Map an objectClass into the remote partition. */
+static struct ldb_val map_objectclass_convert_local(struct ldb_module *module, void *mem_ctx, const struct ldb_val *val)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const char *name = (char *)val->data;
+	const struct ldb_map_objectclass *map = map_objectclass_find_local(data, name);
+	struct ldb_val newval;
+
+	if (map) {
+		newval.data = (uint8_t*)talloc_strdup(mem_ctx, map->remote_name);
+		newval.length = strlen((char *)newval.data);
+		return newval;
+	}
+
+	return ldb_val_dup(mem_ctx, val);
+}
+
+/* Generate a remote message with a mapped objectClass. */
+static void map_objectclass_generate_remote(struct ldb_module *module, const char *local_attr, const struct ldb_message *old, struct ldb_message *remote, struct ldb_message *local)
+{
+	struct ldb_message_element *el, *oc;
+	struct ldb_val val;
+	BOOL found_extensibleObject = False;
+	int i;
+
+	/* Find old local objectClass */
+	oc = ldb_msg_find_element(old, "objectClass");
+	if (oc == NULL) {
+		return;
+	}
+
+	/* Prepare new element */
+	el = talloc_zero(remote, struct ldb_message_element);
+	if (el == NULL) {
+		ldb_oom(module->ldb);
+		return;			/* TODO: fail? */
+	}
+
+	/* Copy local objectClass element, reverse space for an extra value */
+	el->num_values = oc->num_values + 1;
+	el->values = talloc_array(el, struct ldb_val, el->num_values);
+	if (el->values == NULL) {
+		talloc_free(el);
+		ldb_oom(module->ldb);
+		return;			/* TODO: fail? */
+	}
+
+	/* Copy local element name "objectClass" */
+	el->name = talloc_strdup(el, local_attr);
+
+	/* Convert all local objectClasses */
+	for (i = 0; i < el->num_values - 1; i++) {
+		el->values[i] = map_objectclass_convert_local(module, el->values, &oc->values[i]);
+		if (ldb_attr_cmp((char *)el->values[i].data, "extensibleObject") == 0) {
+			found_extensibleObject = True;
+		}
+	}
+
+	if (!found_extensibleObject) {
+		val.data = (uint8_t *)talloc_strdup(el->values, "extensibleObject");
+		val.length = strlen((char *)val.data);
+
+		/* Append additional objectClass "extensibleObject" */
+		el->values[i] = val;
+	} else {
+		el->num_values--;
+	}
+
+	/* Add new objectClass to remote message */
+	ldb_msg_add(remote, el, 0);
+}
+
+/* Map an objectClass into the local partition. */
+static struct ldb_val map_objectclass_convert_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_val *val)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const char *name = (char *)val->data;
+	const struct ldb_map_objectclass *map = map_objectclass_find_remote(data, name);
+	struct ldb_val newval;
+
+	if (map) {
+		newval.data = (uint8_t*)talloc_strdup(mem_ctx, map->local_name);
+		newval.length = strlen((char *)newval.data);
+		return newval;
+	}
+
+	return ldb_val_dup(mem_ctx, val);
+}
+
+/* Generate a local message with a mapped objectClass. */
+static struct ldb_message_element *map_objectclass_generate_local(struct ldb_module *module, void *mem_ctx, const char *local_attr, const struct ldb_message *remote)
+{
+	struct ldb_message_element *el, *oc;
+	struct ldb_val val;
+	int i;
+
+	/* Find old remote objectClass */
+	oc = ldb_msg_find_element(remote, "objectClass");
+	if (oc == NULL) {
+		return NULL;
+	}
+
+	/* Prepare new element */
+	el = talloc_zero(mem_ctx, struct ldb_message_element);
+	if (el == NULL) {
+		ldb_oom(module->ldb);
+		return NULL;
+	}
+
+	/* Copy remote objectClass element */
+	el->num_values = oc->num_values;
+	el->values = talloc_array(el, struct ldb_val, el->num_values);
+	if (el->values == NULL) {
+		talloc_free(el);
+		ldb_oom(module->ldb);
+		return NULL;
+	}
+
+	/* Copy remote element name "objectClass" */
+	el->name = talloc_strdup(el, local_attr);
+
+	/* Convert all remote objectClasses */
+	for (i = 0; i < el->num_values; i++) {
+		el->values[i] = map_objectclass_convert_remote(module, el->values, &oc->values[i]);
+	}
+
+	val.data = (uint8_t *)talloc_strdup(el->values, "extensibleObject");
+	val.length = strlen((char *)val.data);
+
+	/* Remove last value if it was "extensibleObject" */
+	if (ldb_val_equal_exact(&val, &el->values[i-1])) {
+		el->num_values--;
+		el->values = talloc_realloc(el, el->values, struct ldb_val, el->num_values);
+		if (el->values == NULL) {
+			talloc_free(el);
+			ldb_oom(module->ldb);
+			return NULL;
+		}
+	}
+
+	return el;
+}
+
+/* Mappings for searches on objectClass= assuming a one-to-one
+ * mapping.  Needed because this is a generate operator for the
+ * add/modify code */
+static int map_objectclass_convert_operator(struct ldb_module *module, void *mem_ctx, 
+					    struct ldb_parse_tree **new, const struct ldb_parse_tree *tree) 
+{
+	
+	static const struct ldb_map_attribute objectclass_map = {
+		.local_name = "objectClass",
+		.type = MAP_CONVERT,
+		.u = {
+			.convert = {
+				 .remote_name = "objectClass",
+				 .convert_local = map_objectclass_convert_local,
+				 .convert_remote = map_objectclass_convert_remote,
+			 },
+		},
+	};
+
+	return map_subtree_collect_remote_simple(module, mem_ctx, new, tree, &objectclass_map);
+}
+
+/* Auxiliary request construction
+ * ============================== */
+
+/* Store the DN of a single search result in context. */
+static int map_search_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct map_context *ac;
+
+	if (context == NULL || ares == NULL) {
+		ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac = talloc_get_type(context, struct map_context);
+
+	/* We are interested only in the single reply */
+	if (ares->type != LDB_REPLY_ENTRY) {
+		talloc_free(ares);
+		return LDB_SUCCESS;
+	}
+
+	/* We have already found a remote DN */
+	if (ac->local_dn) {
+		ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results to base search"));
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Store local DN */
+	ac->local_dn = ares->message->dn;
+
+	return LDB_SUCCESS;
+}
+
+/* Build a request to search a record by its DN. */
+struct ldb_request *map_search_base_req(struct map_context *ac, const struct ldb_dn *dn, const char * const *attrs, const struct ldb_parse_tree *tree, void *context, ldb_search_callback callback)
+{
+	struct ldb_request *req;
+
+	req = talloc_zero(ac, struct ldb_request);
+	if (req == NULL) {
+		map_oom(ac->module);
+		return NULL;
+	}
+
+	req->operation = LDB_SEARCH;
+	req->op.search.base = dn;
+	req->op.search.scope = LDB_SCOPE_BASE;
+	req->op.search.attrs = attrs;
+
+	if (tree) {
+		req->op.search.tree = tree;
+	} else {
+		req->op.search.tree = ldb_parse_tree(req, NULL);
+		if (req->op.search.tree == NULL) {
+			talloc_free(req);
+			return NULL;
+		}
+	}
+
+	req->controls = NULL;
+	req->context = context;
+	req->callback = callback;
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, req);
+
+	return req;
+}
+
+/* Build a request to search the local record by its DN. */
+struct ldb_request *map_search_self_req(struct map_context *ac, const struct ldb_dn *dn)
+{
+	/* attrs[] is returned from this function in
+	 * ac->search_req->op.search.attrs, so it must be static, as
+	 * otherwise the compiler can put it on the stack */
+	static const char * const attrs[] = { IS_MAPPED, NULL };
+	struct ldb_parse_tree *tree;
+
+	/* Limit search to records with 'IS_MAPPED' present */
+	/* TODO: `tree = ldb_parse_tree(ac, IS_MAPPED);' won't do. */
+	tree = talloc_zero(ac, struct ldb_parse_tree);
+	if (tree == NULL) {
+		map_oom(ac->module);
+		return NULL;
+	}
+
+	tree->operation = LDB_OP_PRESENT;
+	tree->u.present.attr = talloc_strdup(tree, IS_MAPPED);
+
+	return map_search_base_req(ac, dn, attrs, tree, ac, map_search_self_callback);
+}
+
+/* Build a request to update the 'IS_MAPPED' attribute */
+struct ldb_request *map_build_fixup_req(struct map_context *ac, const struct ldb_dn *olddn, const struct ldb_dn *newdn)
+{
+	struct ldb_request *req;
+	struct ldb_message *msg;
+	const char *dn;
+
+	/* Prepare request */
+	req = talloc_zero(ac, struct ldb_request);
+	if (req == NULL) {
+		map_oom(ac->module);
+		return NULL;
+	}
+
+	/* Prepare message */
+	msg = ldb_msg_new(req);
+	if (msg == NULL) {
+		map_oom(ac->module);
+		goto failed;
+	}
+
+	/* Update local 'IS_MAPPED' to the new remote DN */
+	msg->dn = discard_const_p(struct ldb_dn, olddn);
+	dn = ldb_dn_linearize(msg, newdn);
+	if (dn == NULL) {
+		goto failed;
+	}
+	if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+		goto failed;
+	}
+	if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
+		goto failed;
+	}
+
+	req->operation = LDB_MODIFY;
+	req->op.mod.message = msg;
+	req->controls = NULL;
+	req->handle = NULL;
+	req->context = NULL;
+	req->callback = NULL;
+
+	return req;
+
+failed:
+	talloc_free(req);
+	return NULL;
+}
+
+
+/* Asynchronous call structure
+ * =========================== */
+
+/* Figure out which request is currently pending. */
+static struct ldb_request *map_get_req(struct map_context *ac)
+{
+	switch (ac->step) {
+	case MAP_SEARCH_SELF_MODIFY:
+	case MAP_SEARCH_SELF_DELETE:
+	case MAP_SEARCH_SELF_RENAME:
+		return ac->search_req;
+
+	case MAP_ADD_REMOTE:
+	case MAP_MODIFY_REMOTE:
+	case MAP_DELETE_REMOTE:
+	case MAP_RENAME_REMOTE:
+		return ac->remote_req;
+
+	case MAP_RENAME_FIXUP:
+		return ac->down_req;
+
+	case MAP_ADD_LOCAL:
+	case MAP_MODIFY_LOCAL:
+	case MAP_DELETE_LOCAL:
+	case MAP_RENAME_LOCAL:
+		return ac->local_req;
+
+	case MAP_SEARCH_REMOTE:
+		/* Can't happen */
+		break;
+	}
+
+	return NULL;		/* unreachable; silences a warning */
+}
+
+typedef int (*map_next_function)(struct ldb_handle *handle);
+
+/* Figure out the next request to run. */
+static map_next_function map_get_next(struct map_context *ac)
+{
+	switch (ac->step) {
+	case MAP_SEARCH_REMOTE:
+		return NULL;
+
+	case MAP_ADD_LOCAL:
+		return map_add_do_remote;
+	case MAP_ADD_REMOTE:
+		return NULL;
+
+	case MAP_SEARCH_SELF_MODIFY:
+		return map_modify_do_local;
+	case MAP_MODIFY_LOCAL:
+		return map_modify_do_remote;
+	case MAP_MODIFY_REMOTE:
+		return NULL;
+
+	case MAP_SEARCH_SELF_DELETE:
+		return map_delete_do_local;
+	case MAP_DELETE_LOCAL:
+		return map_delete_do_remote;
+	case MAP_DELETE_REMOTE:
+		return NULL;
+
+	case MAP_SEARCH_SELF_RENAME:
+		return map_rename_do_local;
+	case MAP_RENAME_LOCAL:
+		return map_rename_do_fixup;
+	case MAP_RENAME_FIXUP:
+		return map_rename_do_remote;
+	case MAP_RENAME_REMOTE:
+		return NULL;
+	}
+
+	return NULL;		/* unreachable; silences a warning */
+}
+
+/* Wait for the current pending request to finish and continue with the next. */
+static int map_wait_next(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+	struct ldb_request *req;
+	map_next_function next;
+	int ret;
+
+	if (handle == NULL || handle->private_data == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	if (ac->step == MAP_SEARCH_REMOTE) {
+		int i;
+		for (i = 0; i < ac->num_searches; i++) {
+			req = ac->search_reqs[i];
+			ret = ldb_wait(req->handle, LDB_WAIT_NONE);
+
+			if (ret != LDB_SUCCESS) {
+				handle->status = ret;
+				goto done;
+			}
+			if (req->handle->status != LDB_SUCCESS) {
+				handle->status = req->handle->status;
+				goto done;
+			}
+			if (req->handle->state != LDB_ASYNC_DONE) {
+				return LDB_SUCCESS;
+			}
+		}
+	} else {
+
+		req = map_get_req(ac);
+
+		ret = ldb_wait(req->handle, LDB_WAIT_NONE);
+
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (req->handle->status != LDB_SUCCESS) {
+			handle->status = req->handle->status;
+			goto done;
+		}
+		if (req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		next = map_get_next(ac);
+		if (next) {
+			return next(handle);
+		}
+	}
+
+	ret = LDB_SUCCESS;
+
+done:
+	handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+/* Wait for all current pending requests to finish. */
+static int map_wait_all(struct ldb_handle *handle)
+{
+	int ret;
+
+	while (handle->state != LDB_ASYNC_DONE) {
+		ret = map_wait_next(handle);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	return handle->status;
+}
+
+/* Wait for pending requests to finish. */
+static int map_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (type == LDB_WAIT_ALL) {
+		return map_wait_all(handle);
+	} else {
+		return map_wait_next(handle);
+	}
+}
+
+
+/* Module initialization
+ * ===================== */
+
+/* Provided module operations */
+static const struct ldb_module_ops map_ops = {
+	.name		= "ldb_map",
+	.add		= map_add,
+	.modify		= map_modify,
+	.del		= map_delete,
+	.rename		= map_rename,
+	.search		= map_search,
+	.wait		= map_wait,
+};
+
+/* Builtin mappings for DNs and objectClasses */
+static const struct ldb_map_attribute builtin_attribute_maps[] = {
+	{
+		.local_name = "dn",
+		.type = MAP_CONVERT,
+		.u = {
+			.convert = {
+				 .remote_name = "dn",
+				 .convert_local = ldb_dn_convert_local,
+				 .convert_remote = ldb_dn_convert_remote,
+			 },
+		},
+	},
+	{
+		.local_name = "objectClass",
+		.type = MAP_GENERATE,
+		.convert_operator = map_objectclass_convert_operator,
+		.u = {
+			.generate = {
+				 .remote_names = { "objectClass", NULL },
+				 .generate_local = map_objectclass_generate_local,
+				 .generate_remote = map_objectclass_generate_remote,
+			 },
+		},
+	},
+	{
+		.local_name = NULL,
+	}
+};
+
+/* Find the special 'MAP_DN_NAME' record and store local and remote
+ * base DNs in private data. */
+static int map_init_dns(struct ldb_module *module, struct ldb_map_context *data, const char *name)
+{
+	static const char * const attrs[] = { MAP_DN_FROM, MAP_DN_TO, NULL };
+	struct ldb_dn *dn;
+	struct ldb_message *msg;
+	struct ldb_result *res;
+	int ret;
+
+	if (!name) {
+		data->local_base_dn = NULL;
+		data->remote_base_dn = NULL;
+		return LDB_SUCCESS;
+	}
+
+	dn = ldb_dn_string_compose(data, NULL, "%s=%s", MAP_DN_NAME, name);
+	if (dn == NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+			  "Failed to construct '%s' DN!\n", MAP_DN_NAME);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = ldb_search(module->ldb, dn, LDB_SCOPE_BASE, NULL, attrs, &res);
+	talloc_free(dn);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+	if (res->count == 0) {
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+			  "No results for '%s=%s'!\n", MAP_DN_NAME, name);
+		talloc_free(res);
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+	if (res->count > 1) {
+		ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+			  "Too many results for '%s=%s'!\n", MAP_DN_NAME, name);
+		talloc_free(res);
+		return LDB_ERR_CONSTRAINT_VIOLATION;
+	}
+
+	msg = res->msgs[0];
+	data->local_base_dn = ldb_msg_find_attr_as_dn(data, msg, MAP_DN_FROM);
+	data->remote_base_dn = ldb_msg_find_attr_as_dn(data, msg, MAP_DN_TO);
+	talloc_free(res);
+
+	return LDB_SUCCESS;
+}
+
+/* Store attribute maps and objectClass maps in private data. */
+static int map_init_maps(struct ldb_module *module, struct ldb_map_context *data, 
+			 const struct ldb_map_attribute *attrs, 
+			 const struct ldb_map_objectclass *ocls, 
+			 const char * const *wildcard_attributes)
+{
+	int i, j, last;
+	last = 0;
+
+	/* Count specified attribute maps */
+	for (i = 0; attrs[i].local_name; i++) /* noop */ ;
+	/* Count built-in attribute maps */
+	for (j = 0; builtin_attribute_maps[j].local_name; j++) /* noop */ ;
+
+	/* Store list of attribute maps */
+	data->attribute_maps = talloc_array(data, struct ldb_map_attribute, i+j+1);
+	if (data->attribute_maps == NULL) {
+		map_oom(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Specified ones go first */
+	for (i = 0; attrs[i].local_name; i++) {
+		data->attribute_maps[last] = attrs[i];
+		last++;
+	}
+
+	/* Built-in ones go last */
+	for (i = 0; builtin_attribute_maps[i].local_name; i++) {
+		data->attribute_maps[last] = builtin_attribute_maps[i];
+		last++;
+	}
+
+	/* Ensure 'local_name == NULL' for the last entry */
+	memset(&data->attribute_maps[last], 0, sizeof(struct ldb_map_attribute));
+
+	/* Store list of objectClass maps */
+	data->objectclass_maps = ocls;
+
+	data->wildcard_attributes = wildcard_attributes;
+
+	return LDB_SUCCESS;
+}
+
+/* Copy the list of provided module operations. */
+_PUBLIC_ struct ldb_module_ops ldb_map_get_ops(void)
+{
+	return map_ops;
+}
+
+/* Initialize global private data. */
+_PUBLIC_ int ldb_map_init(struct ldb_module *module, const struct ldb_map_attribute *attrs, 
+		 const struct ldb_map_objectclass *ocls,
+		 const char * const *wildcard_attributes,
+		 const char *name)
+{
+	struct map_private *data;
+	int ret;
+
+	/* Prepare private data */
+	data = talloc_zero(module, struct map_private);
+	if (data == NULL) {
+		map_oom(module);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	module->private_data = data;
+
+	data->context = talloc_zero(data, struct ldb_map_context);
+	if (!data->context) {
+		map_oom(module);
+		return LDB_ERR_OPERATIONS_ERROR;		
+	}
+
+	/* Store local and remote baseDNs */
+	ret = map_init_dns(module, data->context, name);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(data);
+		return ret;
+	}
+
+	/* Store list of attribute and objectClass maps */
+	ret = map_init_maps(module, data->context, attrs, ocls, wildcard_attributes);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(data);
+		return ret;
+	}
+
+	return LDB_SUCCESS;
+}
+
+/* Usage note for initialization of this module:
+ *
+ * ldb_map is meant to be used from a different module that sets up
+ * the mappings and gets registered in ldb.
+ *
+ * 'ldb_map_init' initializes the private data of this module and
+ * stores the attribute and objectClass maps in there.	It also looks
+ * up the '@MAP' special DN so requests can be redirected to the
+ * remote partition.
+ *
+ * This function should be called from the 'init_context' op of the
+ * module using ldb_map.
+ *
+ * 'ldb_map_get_ops' returns a copy of ldb_maps module operations.
+ *
+ * It should be called from the initialize function of the using
+ * module, which should then override the 'init_context' op with a
+ * function making the appropriate calls to 'ldb_map_init'.
+ */
diff --git a/source3/lib/ldb/modules/ldb_map.h b/source3/lib/ldb/modules/ldb_map.h
new file mode 100644
index 0000000000..4457c6fc1d
--- /dev/null
+++ b/source3/lib/ldb/modules/ldb_map.h
@@ -0,0 +1,157 @@
+/*
+   ldb database mapping module
+
+   Copyright (C) Jelmer Vernooij 2005
+   Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
+
+   * NOTICE: this module is NOT released under the GNU LGPL license as
+   * other ldb code. This module is release under the GNU GPL v2 or
+   * later license.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __LDB_MAP_H__
+#define __LDB_MAP_H__
+
+/* ldb_map is a skeleton LDB module that can be used for any other modules
+ * that need to map attributes.
+ *
+ * The term 'remote' in this header refers to the connection where the 
+ * original schema is used on while 'local' means the local connection 
+ * that any upper layers will use.
+ *
+ * All local attributes will have to have a definition. Not all remote 
+ * attributes need a definition as LDB is a lot less strict than LDAP 
+ * (in other words, sending unknown attributes to an LDAP server hurts us, 
+ * while returning too many attributes in ldb_search() doesn't)
+ */
+
+
+/* Name of the internal attribute pointing from the local to the
+ * remote part of a record */
+#define IS_MAPPED "isMapped"
+
+
+struct ldb_map_context;
+
+/* convert a local ldb_val to a remote ldb_val */
+typedef struct ldb_val (*ldb_map_convert_func) (struct ldb_module *module, void *mem_ctx, const struct ldb_val *val);
+
+#define LDB_MAP_MAX_REMOTE_NAMES 10
+
+/* map from local to remote attribute */
+struct ldb_map_attribute {
+	const char *local_name; /* local name */
+
+	enum ldb_map_attr_type { 
+		MAP_IGNORE, /* Ignore this local attribute. Doesn't exist remotely.  */
+		MAP_KEEP,   /* Keep as is. Same name locally and remotely. */
+		MAP_RENAME, /* Simply rename the attribute. Name changes, data is the same */
+		MAP_CONVERT, /* Rename + convert data */
+		MAP_GENERATE /* Use generate function for generating new name/data. 
+						Used for generating attributes based on 
+						multiple remote attributes. */
+	} type;
+	
+	/* if set, will be called for search expressions that contain this attribute */
+	int (*convert_operator)(struct ldb_module *, TALLOC_CTX *ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *);
+
+	union { 
+		struct {
+			const char *remote_name;
+		} rename;
+		
+		struct {
+			const char *remote_name;
+
+			/* Convert local to remote data */
+			ldb_map_convert_func convert_local;
+
+			/* Convert remote to local data */
+			/* an entry can have convert_remote set to NULL, as long as there as an entry with the same local_name 
+			 * that is non-NULL before it. */
+			ldb_map_convert_func convert_remote;
+		} convert;
+	
+		struct {
+			/* Generate the local attribute from remote message */
+			struct ldb_message_element *(*generate_local)(struct ldb_module *, TALLOC_CTX *mem_ctx, const char *remote_attr, const struct ldb_message *remote);
+
+			/* Update remote message with information from local message */
+			void (*generate_remote)(struct ldb_module *, const char *local_attr, const struct ldb_message *old, struct ldb_message *remote, struct ldb_message *local);
+
+			/* Name(s) for this attribute on the remote server. This is an array since 
+			 * one local attribute's data can be split up into several attributes 
+			 * remotely */
+			const char *remote_names[LDB_MAP_MAX_REMOTE_NAMES];
+
+			/* Names of additional remote attributes
+			 * required for the generation.	 NULL
+			 * indicates that `local_attr' suffices. */
+			/*
+#define LDB_MAP_MAX_SELF_ATTRIBUTES 10
+			const char *self_attrs[LDB_MAP_MAX_SELF_ATTRIBUTES];
+			*/
+		} generate;
+	} u;
+};
+
+
+#define LDB_MAP_MAX_SUBCLASSES	10
+#define LDB_MAP_MAX_MUSTS		10
+#define LDB_MAP_MAX_MAYS		50
+
+/* map from local to remote objectClass */
+struct ldb_map_objectclass {
+	const char *local_name;
+	const char *remote_name;
+	const char *base_classes[LDB_MAP_MAX_SUBCLASSES];
+	const char *musts[LDB_MAP_MAX_MUSTS];
+	const char *mays[LDB_MAP_MAX_MAYS];
+};
+
+
+/* private context data */
+struct ldb_map_context {
+	struct ldb_map_attribute *attribute_maps;
+	/* NOTE: Always declare base classes first here */
+	const struct ldb_map_objectclass *objectclass_maps;
+
+	/* Remote (often operational) attributes that should be added
+	 * to any wildcard search */
+	const char * const *wildcard_attributes;
+
+	/* struct ldb_context *mapped_ldb; */
+	const struct ldb_dn *local_base_dn;
+	const struct ldb_dn *remote_base_dn;
+};
+
+/* Global private data */
+struct map_private {
+	void *caller_private;
+	struct ldb_map_context *context;
+};
+
+/* Initialize global private data. */
+int ldb_map_init(struct ldb_module *module, const struct ldb_map_attribute *attrs, 
+		 const struct ldb_map_objectclass *ocls,
+		 const char * const *wildcard_attributes,
+		 const char *name);
+
+/* get copy of map_ops */
+struct ldb_module_ops
+ldb_map_get_ops(void);
+
+#endif /* __LDB_MAP_H__ */
diff --git a/source3/lib/ldb/modules/ldb_map_inbound.c b/source3/lib/ldb/modules/ldb_map_inbound.c
new file mode 100644
index 0000000000..0508e724ab
--- /dev/null
+++ b/source3/lib/ldb/modules/ldb_map_inbound.c
@@ -0,0 +1,723 @@
+/*
+   ldb database mapping module
+
+   Copyright (C) Jelmer Vernooij 2005
+   Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
+
+   * NOTICE: this module is NOT released under the GNU LGPL license as
+   * other ldb code. This module is release under the GNU GPL v2 or
+   * later license.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/modules/ldb_map.h"
+#include "ldb/modules/ldb_map_private.h"
+
+
+/* Mapping message elements
+ * ======================== */
+
+/* Map a message element into the remote partition. */
+static struct ldb_message_element *ldb_msg_el_map_local(struct ldb_module *module, void *mem_ctx, const struct ldb_map_attribute *map, const struct ldb_message_element *old)
+{
+	struct ldb_message_element *el;
+	int i;
+
+	el = talloc_zero(mem_ctx, struct ldb_message_element);
+	if (el == NULL) {
+		map_oom(module);
+		return NULL;
+	}
+
+	el->num_values = old->num_values;
+	el->values = talloc_array(el, struct ldb_val, el->num_values);
+	if (el->values == NULL) {
+		talloc_free(el);
+		map_oom(module);
+		return NULL;
+	}
+
+	el->name = map_attr_map_local(el, map, old->name);
+
+	for (i = 0; i < el->num_values; i++) {
+		el->values[i] = ldb_val_map_local(module, el->values, map, &old->values[i]);
+	}
+
+	return el;
+}
+
+/* Add a message element either to a local or to a remote message,
+ * depending on whether it goes into the local or remote partition. */
+static int ldb_msg_el_partition(struct ldb_module *module, struct ldb_message *local, struct ldb_message *remote, const struct ldb_message *msg, const char *attr_name, /* const char * const names[], */ const struct ldb_message_element *old)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const struct ldb_map_attribute *map = map_attr_find_local(data, attr_name);
+	struct ldb_message_element *el=NULL;
+
+	/* Unknown attribute: ignore */
+	if (map == NULL) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "ldb_map: "
+			  "Not mapping attribute '%s': no mapping found\n",
+			  old->name);
+		goto local;
+	}
+
+	switch (map->type) {
+	case MAP_IGNORE:
+		goto local;
+
+	case MAP_CONVERT:
+		if (map->u.convert.convert_local == NULL) {
+			ldb_debug(module->ldb, LDB_DEBUG_WARNING, "ldb_map: "
+				  "Not mapping attribute '%s': "
+				  "'convert_local' not set\n",
+				  map->local_name);
+			goto local;
+		}
+		/* fall through */
+	case MAP_KEEP:
+	case MAP_RENAME:
+		el = ldb_msg_el_map_local(module, remote, map, old);
+		break;
+
+	case MAP_GENERATE:
+		if (map->u.generate.generate_remote == NULL) {
+			ldb_debug(module->ldb, LDB_DEBUG_WARNING, "ldb_map: "
+				  "Not mapping attribute '%s': "
+				  "'generate_remote' not set\n",
+				  map->local_name);
+			goto local;
+		}
+
+		/* TODO: if this attr requires context:
+		 *	 make sure all context attrs are mappable (in 'names')
+		 *	 make sure all context attrs have already been mapped?
+		 *	 maybe postpone generation until they have been mapped?
+		 */
+
+		map->u.generate.generate_remote(module, map->local_name, msg, remote, local);
+		return 0;
+	}
+
+	if (el == NULL) {
+		return -1;
+	}
+
+	return ldb_msg_add(remote, el, old->flags);
+
+local:
+	el = talloc(local, struct ldb_message_element);
+	if (el == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	*el = *old;			/* copy the old element */
+
+	return ldb_msg_add(local, el, old->flags);
+}
+
+/* Mapping messages
+ * ================ */
+
+/* Check whether a message will be (partially) mapped into the remote partition. */
+static BOOL ldb_msg_check_remote(struct ldb_module *module, const struct ldb_message *msg)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	BOOL ret;
+	int i;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		ret = map_attr_check_remote(data, msg->elements[i].name);
+		if (ret) {
+			return ret;
+		}
+	}
+
+	return False;
+}
+
+/* Split message elements that stay in the local partition from those
+ * that are mapped into the remote partition. */
+static int ldb_msg_partition(struct ldb_module *module, struct ldb_message *local, struct ldb_message *remote, const struct ldb_message *msg)
+{
+	/* const char * const names[]; */
+	int i, ret;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		/* Skip 'IS_MAPPED' */
+		if (ldb_attr_cmp(msg->elements[i].name, IS_MAPPED) == 0) {
+			ldb_debug(module->ldb, LDB_DEBUG_WARNING, "ldb_map: "
+				  "Skipping attribute '%s'\n",
+				  msg->elements[i].name);
+			continue;
+		}
+
+		ret = ldb_msg_el_partition(module, local, remote, msg, msg->elements[i].name, &msg->elements[i]);
+		if (ret) {
+			return ret;
+		}
+	}
+
+	return 0;
+}
+
+
+/* Inbound requests: add, modify, rename, delete
+ * ============================================= */
+
+/* Add the remote record. */
+int map_add_do_remote(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->remote_req);
+
+	ac->step = MAP_ADD_REMOTE;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_remote_request(ac->module, ac->remote_req);
+}
+
+/* Add the local record. */
+int map_add_do_local(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->local_req);
+
+	ac->step = MAP_ADD_LOCAL;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_request(ac->module, ac->local_req);
+}
+
+/* Add a record. */
+int map_add(struct ldb_module *module, struct ldb_request *req)
+{
+	const struct ldb_message *msg = req->op.add.message;
+	struct ldb_handle *h;
+	struct map_context *ac;
+	struct ldb_message *local, *remote;
+	const char *dn;
+
+	/* Do not manipulate our control entries */
+	if (ldb_dn_is_special(msg->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping requested (perhaps no DN mapping specified), skip to next module */
+	if (!ldb_dn_check_local(module, msg->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping needed, fail */
+	if (!ldb_msg_check_remote(module, msg)) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Prepare context and handle */
+	h = map_init_handle(req, module);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct map_context);
+
+	/* Prepare the local operation */
+	ac->local_req = talloc(ac, struct ldb_request);
+	if (ac->local_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->local_req) = *req;	/* copy the request */
+
+	ac->local_req->context = NULL;
+	ac->local_req->callback = NULL;
+
+	/* Prepare the remote operation */
+	ac->remote_req = talloc(ac, struct ldb_request);
+	if (ac->remote_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->remote_req) = *req;	/* copy the request */
+
+	ac->remote_req->context = NULL;
+	ac->remote_req->callback = NULL;
+
+	/* Prepare the local message */
+	local = ldb_msg_new(ac->local_req);
+	if (local == NULL) {
+		goto oom;
+	}
+	local->dn = msg->dn;
+
+	/* Prepare the remote message */
+	remote = ldb_msg_new(ac->remote_req);
+	if (remote == NULL) {
+		goto oom;
+	}
+	remote->dn = ldb_dn_map_local(ac->module, remote, msg->dn);
+
+	/* Split local from remote message */
+	ldb_msg_partition(module, local, remote, msg);
+	ac->local_req->op.add.message = local;
+	ac->remote_req->op.add.message = remote;
+
+	if ((local->num_elements == 0) || (!map_check_local_db(ac->module))) {
+		/* No local data or db, just run the remote request */
+		talloc_free(ac->local_req);
+		req->handle = h;	/* return our own handle to deal with this call */
+		return map_add_do_remote(h);
+	}
+
+	/* Store remote DN in 'IS_MAPPED' */
+	/* TODO: use GUIDs here instead */
+	dn = ldb_dn_linearize(local, remote->dn);
+	if (ldb_msg_add_string(local, IS_MAPPED, dn) != 0) {
+		goto failed;
+	}
+
+	req->handle = h;		/* return our own handle to deal with this call */
+	return map_add_do_local(h);
+
+oom:
+	map_oom(module);
+failed:
+	talloc_free(h);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/* Modify the remote record. */
+int map_modify_do_remote(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->remote_req);
+
+	ac->step = MAP_MODIFY_REMOTE;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_remote_request(ac->module, ac->remote_req);
+}
+
+/* Modify the local record. */
+int map_modify_do_local(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+	struct ldb_message *msg;
+	char *dn;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	if (ac->local_dn == NULL) {
+		/* No local record present, add it instead */
+		msg = discard_const_p(struct ldb_message, ac->local_req->op.mod.message);
+
+		/* Add local 'IS_MAPPED' */
+		/* TODO: use GUIDs here instead */
+		dn = ldb_dn_linearize(msg, ac->remote_req->op.mod.message->dn);
+		if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_ADD, NULL) != 0) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		/* Turn request into 'add' */
+		ac->local_req->operation = LDB_ADD;
+		ac->local_req->op.add.message = msg;
+		/* TODO: Could I just leave msg in there?  I think so,
+		 *	 but it looks clearer this way. */
+	}
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->local_req);
+
+	ac->step = MAP_MODIFY_LOCAL;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_request(ac->module, ac->local_req);
+}
+
+/* Modify a record. */
+int map_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	const struct ldb_message *msg = req->op.mod.message;
+	struct ldb_handle *h;
+	struct map_context *ac;
+	struct ldb_message *local, *remote;
+
+	/* Do not manipulate our control entries */
+	if (ldb_dn_is_special(msg->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping requested (perhaps no DN mapping specified), skip to next module */
+	if (!ldb_dn_check_local(module, msg->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping needed, skip to next module */
+	/* TODO: What if the remote part exists, the local doesn't,
+	 *	 and this request wants to modify local data and thus
+	 *	 add the local record? */
+	if (!ldb_msg_check_remote(module, msg)) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Prepare context and handle */
+	h = map_init_handle(req, module);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct map_context);
+
+	/* Prepare the local operation */
+	ac->local_req = talloc(ac, struct ldb_request);
+	if (ac->local_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->local_req) = *req;	/* copy the request */
+
+	ac->local_req->context = NULL;
+	ac->local_req->callback = NULL;
+
+	/* Prepare the remote operation */
+	ac->remote_req = talloc(ac, struct ldb_request);
+	if (ac->remote_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->remote_req) = *req;	/* copy the request */
+
+	ac->remote_req->context = NULL;
+	ac->remote_req->callback = NULL;
+
+	/* Prepare the local message */
+	local = ldb_msg_new(ac->local_req);
+	if (local == NULL) {
+		goto oom;
+	}
+	local->dn = msg->dn;
+
+	/* Prepare the remote message */
+	remote = ldb_msg_new(ac->remote_req);
+	if (remote == NULL) {
+		goto oom;
+	}
+	remote->dn = ldb_dn_map_local(ac->module, remote, msg->dn);
+
+	/* Split local from remote message */
+	ldb_msg_partition(module, local, remote, msg);
+	ac->local_req->op.mod.message = local;
+	ac->remote_req->op.mod.message = remote;
+
+	if ((local->num_elements == 0) || (!map_check_local_db(ac->module))) {
+		/* No local data or db, just run the remote request */
+		talloc_free(ac->local_req);
+		req->handle = h;	/* return our own handle to deal with this call */
+		return map_modify_do_remote(h);
+	}
+
+	/* prepare the search operation */
+	ac->search_req = map_search_self_req(ac, msg->dn);
+	if (ac->search_req == NULL) {
+		goto failed;
+	}
+
+	ac->step = MAP_SEARCH_SELF_MODIFY;
+
+	req->handle = h;		/* return our own handle to deal with this call */
+	return ldb_next_request(module, ac->search_req);
+
+oom:
+	map_oom(module);
+failed:
+	talloc_free(h);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/* Delete the remote record. */
+int map_delete_do_remote(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->remote_req);
+
+	ac->step = MAP_DELETE_REMOTE;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_remote_request(ac->module, ac->remote_req);
+}
+
+/* Delete the local record. */
+int map_delete_do_local(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	/* No local record, continue remotely */
+	if (ac->local_dn == NULL) {
+		return map_delete_do_remote(handle);
+	}
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->local_req);
+
+	ac->step = MAP_DELETE_LOCAL;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_request(ac->module, ac->local_req);
+}
+
+/* Delete a record. */
+int map_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_handle *h;
+	struct map_context *ac;
+
+	/* Do not manipulate our control entries */
+	if (ldb_dn_is_special(req->op.del.dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping requested (perhaps no DN mapping specified), skip to next module */
+	if (!ldb_dn_check_local(module, req->op.del.dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* Prepare context and handle */
+	h = map_init_handle(req, module);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct map_context);
+
+	/* Prepare the local operation */
+	ac->local_req = talloc(ac, struct ldb_request);
+	if (ac->local_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->local_req) = *req;	/* copy the request */
+	ac->local_req->op.del.dn = req->op.del.dn;
+
+	ac->local_req->context = NULL;
+	ac->local_req->callback = NULL;
+
+	/* Prepare the remote operation */
+	ac->remote_req = talloc(ac, struct ldb_request);
+	if (ac->remote_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->remote_req) = *req;	/* copy the request */
+	ac->remote_req->op.del.dn = ldb_dn_map_local(module, ac->remote_req, req->op.del.dn);
+
+	/* No local db, just run the remote request */
+	if (!map_check_local_db(ac->module)) {
+		req->handle = h;	/* return our own handle to deal with this call */
+		return map_delete_do_remote(h);
+	}
+
+	ac->remote_req->context = NULL;
+	ac->remote_req->callback = NULL;
+
+	/* Prepare the search operation */
+	ac->search_req = map_search_self_req(ac, req->op.del.dn);
+	if (ac->search_req == NULL) {
+		goto failed;
+	}
+
+	req->handle = h;		/* return our own handle to deal with this call */
+
+	ac->step = MAP_SEARCH_SELF_DELETE;
+
+	return ldb_next_request(module, ac->search_req);
+
+oom:
+	map_oom(module);
+failed:
+	talloc_free(h);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+/* Rename the remote record. */
+int map_rename_do_remote(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->remote_req);
+
+	ac->step = MAP_RENAME_REMOTE;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_remote_request(ac->module, ac->remote_req);
+}
+
+/* Update the local 'IS_MAPPED' attribute. */
+int map_rename_do_fixup(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
+
+	ac->step = MAP_RENAME_FIXUP;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_request(ac->module, ac->down_req);
+}
+
+/* Rename the local record. */
+int map_rename_do_local(struct ldb_handle *handle)
+{
+	struct map_context *ac;
+
+	ac = talloc_get_type(handle->private_data, struct map_context);
+
+	/* No local record, continue remotely */
+	if (ac->local_dn == NULL) {
+		return map_rename_do_remote(handle);
+	}
+
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->local_req);
+
+	ac->step = MAP_RENAME_LOCAL;
+
+	handle->state = LDB_ASYNC_INIT;
+	handle->status = LDB_SUCCESS;
+
+	return ldb_next_request(ac->module, ac->local_req);
+}
+
+/* Rename a record. */
+int map_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_handle *h;
+	struct map_context *ac;
+
+	/* Do not manipulate our control entries */
+	if (ldb_dn_is_special(req->op.rename.olddn)) {
+		return ldb_next_request(module, req);
+	}
+
+	/* No mapping requested (perhaps no DN mapping specified), skip to next module */
+	if ((!ldb_dn_check_local(module, req->op.rename.olddn)) &&
+	    (!ldb_dn_check_local(module, req->op.rename.newdn))) {
+		return ldb_next_request(module, req);
+	}
+
+	/* Rename into/out of the mapped partition requested, bail out */
+	if (!ldb_dn_check_local(module, req->op.rename.olddn) ||
+	    !ldb_dn_check_local(module, req->op.rename.newdn)) {
+		return LDB_ERR_AFFECTS_MULTIPLE_DSAS;
+	}
+
+	/* Prepare context and handle */
+	h = map_init_handle(req, module);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct map_context);
+
+	/* Prepare the local operation */
+	ac->local_req = talloc(ac, struct ldb_request);
+	if (ac->local_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->local_req) = *req;	/* copy the request */
+	ac->local_req->op.rename.olddn = req->op.rename.olddn;
+	ac->local_req->op.rename.newdn = req->op.rename.newdn;
+
+	ac->local_req->context = NULL;
+	ac->local_req->callback = NULL;
+
+	/* Prepare the remote operation */
+	ac->remote_req = talloc(ac, struct ldb_request);
+	if (ac->remote_req == NULL) {
+		goto oom;
+	}
+
+	*(ac->remote_req) = *req;	/* copy the request */
+	ac->remote_req->op.rename.olddn = ldb_dn_map_local(module, ac->remote_req, req->op.rename.olddn);
+	ac->remote_req->op.rename.newdn = ldb_dn_map_local(module, ac->remote_req, req->op.rename.newdn);
+
+	ac->remote_req->context = NULL;
+	ac->remote_req->callback = NULL;
+
+	/* No local db, just run the remote request */
+	if (!map_check_local_db(ac->module)) {
+		req->handle = h;	/* return our own handle to deal with this call */
+		return map_rename_do_remote(h);
+	}
+
+	/* Prepare the fixup operation */
+	/* TODO: use GUIDs here instead -- or skip it when GUIDs are used. */
+	ac->down_req = map_build_fixup_req(ac, req->op.rename.newdn, ac->remote_req->op.rename.newdn);
+	if (ac->down_req == NULL) {
+		goto failed;
+	}
+
+	/* Prepare the search operation */
+	ac->search_req = map_search_self_req(ac, req->op.rename.olddn);
+	if (ac->search_req == NULL) {
+		goto failed;
+	}
+
+	req->handle = h;		/* return our own handle to deal with this call */
+
+	ac->step = MAP_SEARCH_SELF_RENAME;
+
+	return ldb_next_request(module, ac->search_req);
+
+oom:
+	map_oom(module);
+failed:
+	talloc_free(h);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
diff --git a/source3/lib/ldb/modules/ldb_map_outbound.c b/source3/lib/ldb/modules/ldb_map_outbound.c
new file mode 100644
index 0000000000..a02d26dcea
--- /dev/null
+++ b/source3/lib/ldb/modules/ldb_map_outbound.c
@@ -0,0 +1,1285 @@
+/*
+   ldb database mapping module
+
+   Copyright (C) Jelmer Vernooij 2005
+   Copyright (C) Martin Kuehl <mkhl@samba.org> 2006
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006
+
+   * NOTICE: this module is NOT released under the GNU LGPL license as
+   * other ldb code. This module is release under the GNU GPL v2 or
+   * later license.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "ldb/modules/ldb_map.h"
+#include "ldb/modules/ldb_map_private.h"
+
+
+/* Mapping attributes
+ * ================== */
+
+/* Select attributes that stay in the local partition. */
+static const char **map_attrs_select_local(struct ldb_module *module, void *mem_ctx, const char * const *attrs)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const char **result;
+	int i, last;
+
+	if (attrs == NULL)
+		return NULL;
+
+	last = 0;
+	result = talloc_array(mem_ctx, const char *, 1);
+	if (result == NULL) {
+		goto failed;
+	}
+	result[0] = NULL;
+
+	for (i = 0; attrs[i]; i++) {
+		/* Wildcards and ignored attributes are kept locally */
+		if ((ldb_attr_cmp(attrs[i], "*") == 0) ||
+		    (!map_attr_check_remote(data, attrs[i]))) {
+			result = talloc_realloc(mem_ctx, result, const char *, last+2);
+			if (result == NULL) {
+				goto failed;
+			}
+
+			result[last] = talloc_strdup(result, attrs[i]);
+			result[last+1] = NULL;
+			last++;
+		}
+	}
+
+	return result;
+
+failed:
+	talloc_free(result);
+	map_oom(module);
+	return NULL;
+}
+
+/* Collect attributes that are mapped into the remote partition. */
+static const char **map_attrs_collect_remote(struct ldb_module *module, void *mem_ctx, 
+					     const char * const *attrs)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const char **result;
+	const struct ldb_map_attribute *map;
+	const char *name=NULL;
+	int i, j, last;
+	int ret;
+
+	last = 0;
+	result = talloc_array(mem_ctx, const char *, 1);
+	if (result == NULL) {
+		goto failed;
+	}
+	result[0] = NULL;
+
+	for (i = 0; attrs[i]; i++) {
+		/* Wildcards are kept remotely, too */
+		if (ldb_attr_cmp(attrs[i], "*") == 0) {
+			const char **new_attrs = NULL;
+			ret = map_attrs_merge(module, mem_ctx, &new_attrs, attrs);
+			if (ret != LDB_SUCCESS) {
+				goto failed;
+			}
+			ret = map_attrs_merge(module, mem_ctx, &new_attrs, data->wildcard_attributes);
+			if (ret != LDB_SUCCESS) {
+				goto failed;
+			}
+
+			attrs = new_attrs;
+			break;
+		}
+	}
+
+	for (i = 0; attrs[i]; i++) {
+		/* Wildcards are kept remotely, too */
+		if (ldb_attr_cmp(attrs[i], "*") == 0) {
+			/* Add all 'include in wildcard' attributes */
+			name = attrs[i];
+			goto named;
+		}
+
+		/* Add remote names of mapped attrs */
+		map = map_attr_find_local(data, attrs[i]);
+		if (map == NULL) {
+			continue;
+		}
+
+		switch (map->type) {
+		case MAP_IGNORE:
+			continue;
+
+		case MAP_KEEP:
+			name = attrs[i];
+			goto named;
+
+		case MAP_RENAME:
+		case MAP_CONVERT:
+			name = map->u.rename.remote_name;
+			goto named;
+
+		case MAP_GENERATE:
+			/* Add all remote names of "generate" attrs */
+			for (j = 0; map->u.generate.remote_names[j]; j++) {
+				result = talloc_realloc(mem_ctx, result, const char *, last+2);
+				if (result == NULL) {
+					goto failed;
+				}
+
+				result[last] = talloc_strdup(result, map->u.generate.remote_names[j]);
+				result[last+1] = NULL;
+				last++;
+			}
+			continue;
+		}
+
+	named:	/* We found a single remote name, add that */
+		result = talloc_realloc(mem_ctx, result, const char *, last+2);
+		if (result == NULL) {
+			goto failed;
+		}
+
+		result[last] = talloc_strdup(result, name);
+		result[last+1] = NULL;
+		last++;
+	}
+
+	return result;
+
+failed:
+	talloc_free(result);
+	map_oom(module);
+	return NULL;
+}
+
+/* Split attributes that stay in the local partition from those that
+ * are mapped into the remote partition. */
+static int map_attrs_partition(struct ldb_module *module, void *mem_ctx, const char ***local_attrs, const char ***remote_attrs, const char * const *attrs)
+{
+	*local_attrs = map_attrs_select_local(module, mem_ctx, attrs);
+	*remote_attrs = map_attrs_collect_remote(module, mem_ctx, attrs);
+
+	return 0;
+}
+
+/* Mapping message elements
+ * ======================== */
+
+/* Add an element to a message, overwriting any old identically named elements. */
+static int ldb_msg_replace(struct ldb_message *msg, const struct ldb_message_element *el)
+{
+	struct ldb_message_element *old;
+
+	old = ldb_msg_find_element(msg, el->name);
+
+	/* no local result, add as new element */
+	if (old == NULL) {
+		if (ldb_msg_add_empty(msg, el->name, 0, &old) != 0) {
+			return -1;
+		}
+		talloc_free(old->name);
+	}
+
+	/* copy new element */
+	*old = *el;
+
+	/* and make sure we reference the contents */
+	if (!talloc_reference(msg->elements, el->name)) {
+		return -1;
+	}
+	if (!talloc_reference(msg->elements, el->values)) {
+		return -1;
+	}
+
+	return 0;
+}
+
+/* Map a message element back into the local partition. */
+static struct ldb_message_element *ldb_msg_el_map_remote(struct ldb_module *module, 
+							 void *mem_ctx, 
+							 const struct ldb_map_attribute *map, 
+							 const char *attr_name,
+							 const struct ldb_message_element *old)
+{
+	struct ldb_message_element *el;
+	int i;
+
+	el = talloc_zero(mem_ctx, struct ldb_message_element);
+	if (el == NULL) {
+		map_oom(module);
+		return NULL;
+	}
+
+	el->num_values = old->num_values;
+	el->values = talloc_array(el, struct ldb_val, el->num_values);
+	if (el->values == NULL) {
+		talloc_free(el);
+		map_oom(module);
+		return NULL;
+	}
+
+	el->name = talloc_strdup(el, attr_name);
+	if (el->name == NULL) {
+		talloc_free(el);
+		map_oom(module);
+		return NULL;
+	}
+
+	for (i = 0; i < el->num_values; i++) {
+		el->values[i] = ldb_val_map_remote(module, el->values, map, &old->values[i]);
+	}
+
+	return el;
+}
+
+/* Merge a remote message element into a local message. */
+static int ldb_msg_el_merge(struct ldb_module *module, struct ldb_message *local, 
+			    struct ldb_message *remote, const char *attr_name)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const struct ldb_map_attribute *map;
+	struct ldb_message_element *old, *el=NULL;
+	const char *remote_name = NULL;
+
+	/* We handle wildcards in ldb_msg_el_merge_wildcard */
+	if (ldb_attr_cmp(attr_name, "*") == 0) {
+		return 0;
+	}
+
+	map = map_attr_find_local(data, attr_name);
+
+	/* Unknown attribute in remote message:
+	 * skip, attribute was probably auto-generated */
+	if (map == NULL) {
+		return 0;
+	}
+
+	switch (map->type) {
+	case MAP_IGNORE:
+		break;
+	case MAP_CONVERT:
+		remote_name = map->u.convert.remote_name;
+		break;
+	case MAP_KEEP:
+		remote_name = attr_name;
+		break;
+	case MAP_RENAME:
+		remote_name = map->u.rename.remote_name;
+		break;
+	case MAP_GENERATE:
+		break;
+	}
+
+	switch (map->type) {
+	case MAP_IGNORE:
+		return 0;
+
+	case MAP_CONVERT:
+		if (map->u.convert.convert_remote == NULL) {
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+				  "Skipping attribute '%s': "
+				  "'convert_remote' not set\n",
+				  attr_name);
+			return 0;
+		}
+		/* fall through */
+	case MAP_KEEP:
+	case MAP_RENAME:
+		old = ldb_msg_find_element(remote, remote_name);
+		if (old) {
+			el = ldb_msg_el_map_remote(module, local, map, attr_name, old);
+		} else {
+			return LDB_ERR_NO_SUCH_ATTRIBUTE;
+		}
+		break;
+
+	case MAP_GENERATE:
+		if (map->u.generate.generate_local == NULL) {
+			ldb_debug(module->ldb, LDB_DEBUG_ERROR, "ldb_map: "
+				  "Skipping attribute '%s': "
+				  "'generate_local' not set\n",
+				  attr_name);
+			return 0;
+		}
+
+		el = map->u.generate.generate_local(module, local, attr_name, remote);
+		if (!el) {
+			/* Generation failure is probably due to lack of source attributes */
+			return LDB_ERR_NO_SUCH_ATTRIBUTE;
+		}
+		break;
+	}
+
+	if (el == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return ldb_msg_replace(local, el);
+}
+
+/* Handle wildcard parts of merging a remote message element into a local message. */
+static int ldb_msg_el_merge_wildcard(struct ldb_module *module, struct ldb_message *local, 
+				     struct ldb_message *remote)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const struct ldb_map_attribute *map = map_attr_find_local(data, "*");
+	struct ldb_message_element *el=NULL;
+	int i, ret;
+
+	/* Perhaps we have a mapping for "*" */
+	if (map && map->type == MAP_KEEP) {
+		/* We copy everything over, and hope that anything with a 
+		   more specific rule is overwritten */
+		for (i = 0; i < remote->num_elements; i++) {
+			el = ldb_msg_el_map_remote(module, local, map, remote->elements[i].name,
+						   &remote->elements[i]);
+			if (el == NULL) {
+				return LDB_ERR_OPERATIONS_ERROR;
+			}
+			
+			ret = ldb_msg_replace(local, el);
+			if (ret) {
+				return ret;
+			}
+		}
+	}
+	
+	/* Now walk the list of possible mappings, and apply each */
+	for (i = 0; data->attribute_maps[i].local_name; i++) {
+		ret = ldb_msg_el_merge(module, local, remote, 
+				       data->attribute_maps[i].local_name);
+		if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+			continue;
+		} else if (ret) {
+			return ret;
+		} else {
+			continue;
+		}
+	}
+
+	return 0;
+}
+
+/* Mapping messages
+ * ================ */
+
+/* Merge two local messages into a single one. */
+static int ldb_msg_merge_local(struct ldb_module *module, struct ldb_message *msg1, struct ldb_message *msg2)
+{
+	int i, ret;
+
+	for (i = 0; i < msg2->num_elements; i++) {
+		ret = ldb_msg_replace(msg1, &msg2->elements[i]);
+		if (ret) {
+			return ret;
+		}
+	}
+
+	return 0;
+}
+
+/* Merge a local and a remote message into a single local one. */
+static int ldb_msg_merge_remote(struct map_context *ac, struct ldb_message *local, 
+				struct ldb_message *remote)
+{
+	int i, ret;
+	const char * const *attrs = ac->all_attrs;
+	if (!attrs) {
+		ret = ldb_msg_el_merge_wildcard(ac->module, local, remote);
+		if (ret) {
+			return ret;
+		}
+	}
+
+	for (i = 0; attrs && attrs[i]; i++) {
+		if (ldb_attr_cmp(attrs[i], "*") == 0) {
+			ret = ldb_msg_el_merge_wildcard(ac->module, local, remote);
+			if (ret) {
+				return ret;
+			}
+			break;
+		}
+	}
+
+	/* Try to map each attribute back;
+	 * Add to local message is possible,
+	 * Overwrite old local attribute if necessary */
+	for (i = 0; attrs && attrs[i]; i++) {
+		ret = ldb_msg_el_merge(ac->module, local, remote, 
+				       attrs[i]);
+		if (ret == LDB_ERR_NO_SUCH_ATTRIBUTE) {
+		} else if (ret) {
+			return ret;
+		}
+	}
+
+	return 0;
+}
+
+/* Mapping search results
+ * ====================== */
+
+/* Map a search result back into the local partition. */
+static int map_reply_remote(struct map_context *ac, struct ldb_reply *ares)
+{
+	struct ldb_message *msg;
+	struct ldb_dn *dn;
+	int ret;
+
+	/* There is no result message, skip */
+	if (ares->type != LDB_REPLY_ENTRY) {
+		return 0;
+	}
+
+	/* Create a new result message */
+	msg = ldb_msg_new(ares);
+	if (msg == NULL) {
+		map_oom(ac->module);
+		return -1;
+	}
+
+	/* Merge remote message into new message */
+	ret = ldb_msg_merge_remote(ac, msg, ares->message);
+	if (ret) {
+		talloc_free(msg);
+		return ret;
+	}
+
+	/* Create corresponding local DN */
+	dn = ldb_dn_map_rebase_remote(ac->module, msg, ares->message->dn);
+	if (dn == NULL) {
+		talloc_free(msg);
+		return -1;
+	}
+	msg->dn = dn;
+
+	/* Store new message with new DN as the result */
+	talloc_free(ares->message);
+	ares->message = msg;
+
+	return 0;
+}
+
+/* Mapping parse trees
+ * =================== */
+
+/* Check whether a parse tree can safely be split in two. */
+static BOOL ldb_parse_tree_check_splittable(const struct ldb_parse_tree *tree)
+{
+	const struct ldb_parse_tree *subtree = tree;
+	BOOL negate = False;
+
+	while (subtree) {
+		switch (subtree->operation) {
+		case LDB_OP_NOT:
+			negate = !negate;
+			subtree = subtree->u.isnot.child;
+			continue;
+
+		case LDB_OP_AND:
+			return !negate;	/* if negate: False */
+
+		case LDB_OP_OR:
+			return negate;	/* if negate: True */
+
+		default:
+			return True;	/* simple parse tree */
+		}
+	}
+
+	return True;			/* no parse tree */
+}
+
+/* Collect a list of attributes required to match a given parse tree. */
+static int ldb_parse_tree_collect_attrs(struct ldb_module *module, void *mem_ctx, const char ***attrs, const struct ldb_parse_tree *tree)
+{
+	const char **new_attrs;
+	int i, ret;
+
+	if (tree == NULL) {
+		return 0;
+	}
+
+	switch (tree->operation) {
+	case LDB_OP_OR:
+	case LDB_OP_AND:		/* attributes stored in list of subtrees */
+		for (i = 0; i < tree->u.list.num_elements; i++) {
+			ret = ldb_parse_tree_collect_attrs(module, mem_ctx, 
+							   attrs, tree->u.list.elements[i]);
+			if (ret) {
+				return ret;
+			}
+		}
+		return 0;
+
+	case LDB_OP_NOT:		/* attributes stored in single subtree */
+		return ldb_parse_tree_collect_attrs(module, mem_ctx, attrs, tree->u.isnot.child);
+
+	default:			/* single attribute in tree */
+		new_attrs = ldb_attr_list_copy_add(mem_ctx, *attrs, tree->u.equality.attr);
+		talloc_free(*attrs);
+		*attrs = new_attrs;
+		return 0;
+	}
+
+	return -1;
+}
+
+static int map_subtree_select_local(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree);
+
+/* Select a negated subtree that queries attributes in the local partition */
+static int map_subtree_select_local_not(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	struct ldb_parse_tree *child;
+	int ret;
+
+	/* Prepare new tree */
+	*new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree));
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	/* Generate new subtree */
+	ret = map_subtree_select_local(module, *new, &child, tree->u.isnot.child);
+	if (ret) {
+		talloc_free(*new);
+		return ret;
+	}
+
+	/* Prune tree without subtree */
+	if (child == NULL) {
+		talloc_free(*new);
+		*new = NULL;
+		return 0;
+	}
+
+	(*new)->u.isnot.child = child;
+
+	return ret;
+}
+
+/* Select a list of subtrees that query attributes in the local partition */
+static int map_subtree_select_local_list(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	int i, j, ret=0;
+
+	/* Prepare new tree */
+	*new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree));
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	/* Prepare list of subtrees */
+	(*new)->u.list.num_elements = 0;
+	(*new)->u.list.elements = talloc_array(*new, struct ldb_parse_tree *, tree->u.list.num_elements);
+	if ((*new)->u.list.elements == NULL) {
+		map_oom(module);
+		talloc_free(*new);
+		return -1;
+	}
+
+	/* Generate new list of subtrees */
+	j = 0;
+	for (i = 0; i < tree->u.list.num_elements; i++) {
+		struct ldb_parse_tree *child;
+		ret = map_subtree_select_local(module, *new, &child, tree->u.list.elements[i]);
+		if (ret) {
+			talloc_free(*new);
+			return ret;
+		}
+
+		if (child) {
+			(*new)->u.list.elements[j] = child;
+			j++;
+		}
+	}
+
+	/* Prune tree without subtrees */
+	if (j == 0) {
+		talloc_free(*new);
+		*new = NULL;
+		return 0;
+	}
+
+	/* Fix subtree list size */
+	(*new)->u.list.num_elements = j;
+	(*new)->u.list.elements = talloc_realloc(*new, (*new)->u.list.elements, struct ldb_parse_tree *, (*new)->u.list.num_elements);
+
+	return ret;
+}
+
+/* Select a simple subtree that queries attributes in the local partition */
+static int map_subtree_select_local_simple(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	/* Prepare new tree */
+	*new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree));
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	return 0;
+}
+
+/* Select subtrees that query attributes in the local partition */
+static int map_subtree_select_local(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+
+	if (tree == NULL) {
+		return 0;
+	}
+
+	if (tree->operation == LDB_OP_NOT) {
+		return map_subtree_select_local_not(module, mem_ctx, new, tree);
+	}
+
+	if (tree->operation == LDB_OP_AND || tree->operation == LDB_OP_OR) {
+		return map_subtree_select_local_list(module, mem_ctx, new, tree);
+	}
+
+	if (map_attr_check_remote(data, tree->u.equality.attr)) {
+		*new = NULL;
+		return 0;
+	}
+
+	return map_subtree_select_local_simple(module, mem_ctx, new, tree);
+}
+
+static int map_subtree_collect_remote(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree);
+
+/* Collect a negated subtree that queries attributes in the remote partition */
+static int map_subtree_collect_remote_not(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	struct ldb_parse_tree *child;
+	int ret;
+
+	/* Prepare new tree */
+	*new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree));
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	/* Generate new subtree */
+	ret = map_subtree_collect_remote(module, *new, &child, tree->u.isnot.child);
+	if (ret) {
+		talloc_free(*new);
+		return ret;
+	}
+
+	/* Prune tree without subtree */
+	if (child == NULL) {
+		talloc_free(*new);
+		*new = NULL;
+		return 0;
+	}
+
+	(*new)->u.isnot.child = child;
+
+	return ret;
+}
+
+/* Collect a list of subtrees that query attributes in the remote partition */
+static int map_subtree_collect_remote_list(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	int i, j, ret=0;
+
+	/* Prepare new tree */
+	*new = talloc_memdup(mem_ctx, tree, sizeof(struct ldb_parse_tree));
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+
+	/* Prepare list of subtrees */
+	(*new)->u.list.num_elements = 0;
+	(*new)->u.list.elements = talloc_array(*new, struct ldb_parse_tree *, tree->u.list.num_elements);
+	if ((*new)->u.list.elements == NULL) {
+		map_oom(module);
+		talloc_free(*new);
+		return -1;
+	}
+
+	/* Generate new list of subtrees */
+	j = 0;
+	for (i = 0; i < tree->u.list.num_elements; i++) {
+		struct ldb_parse_tree *child;
+		ret = map_subtree_collect_remote(module, *new, &child, tree->u.list.elements[i]);
+		if (ret) {
+			talloc_free(*new);
+			return ret;
+		}
+
+		if (child) {
+			(*new)->u.list.elements[j] = child;
+			j++;
+		}
+	}
+
+	/* Prune tree without subtrees */
+	if (j == 0) {
+		talloc_free(*new);
+		*new = NULL;
+		return 0;
+	}
+
+	/* Fix subtree list size */
+	(*new)->u.list.num_elements = j;
+	(*new)->u.list.elements = talloc_realloc(*new, (*new)->u.list.elements, struct ldb_parse_tree *, (*new)->u.list.num_elements);
+
+	return ret;
+}
+
+/* Collect a simple subtree that queries attributes in the remote partition */
+int map_subtree_collect_remote_simple(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree, const struct ldb_map_attribute *map)
+{
+	const char *attr;
+
+	/* Prepare new tree */
+	*new = talloc(mem_ctx, struct ldb_parse_tree);
+	if (*new == NULL) {
+		map_oom(module);
+		return -1;
+	}
+	**new = *tree;
+	
+	if (map->type == MAP_KEEP) {
+		/* Nothing to do here */
+		return 0;
+	}
+
+	/* Store attribute and value in new tree */
+	switch (tree->operation) {
+	case LDB_OP_PRESENT:
+		attr = map_attr_map_local(*new, map, tree->u.present.attr);
+		(*new)->u.present.attr = attr;
+		break;
+	case LDB_OP_SUBSTRING:
+	{
+		attr = map_attr_map_local(*new, map, tree->u.substring.attr);
+		(*new)->u.substring.attr = attr;
+		break;
+	}
+	case LDB_OP_EQUALITY:
+		attr = map_attr_map_local(*new, map, tree->u.equality.attr);
+		(*new)->u.equality.attr = attr;
+		break;
+	case LDB_OP_LESS:
+	case LDB_OP_GREATER:
+	case LDB_OP_APPROX:
+		attr = map_attr_map_local(*new, map, tree->u.comparison.attr);
+		(*new)->u.comparison.attr = attr;
+		break;
+	case LDB_OP_EXTENDED:
+		attr = map_attr_map_local(*new, map, tree->u.extended.attr);
+		(*new)->u.extended.attr = attr;
+		break;
+	default:			/* unknown kind of simple subtree */
+		talloc_free(*new);
+		return -1;
+	}
+
+	if (attr == NULL) {
+		talloc_free(*new);
+		*new = NULL;
+		return 0;
+	}
+
+	if (map->type == MAP_RENAME) {
+		/* Nothing more to do here, the attribute has been renamed */
+		return 0;
+	}
+
+	/* Store attribute and value in new tree */
+	switch (tree->operation) {
+	case LDB_OP_PRESENT:
+		break;
+	case LDB_OP_SUBSTRING:
+	{
+		int i;
+		/* Map value */
+		(*new)->u.substring.chunks = NULL;
+		for (i=0; tree->u.substring.chunks[i]; i++) {
+			(*new)->u.substring.chunks = talloc_realloc(*new, (*new)->u.substring.chunks, struct ldb_val *, i+2);
+			if (!(*new)->u.substring.chunks) {
+				talloc_free(*new);
+				*new = NULL;
+				return 0;
+			}
+			(*new)->u.substring.chunks[i] = talloc(*new, struct ldb_val);
+			if (!(*new)->u.substring.chunks[i]) {
+				talloc_free(*new);
+				*new = NULL;
+				return 0;
+			}
+			*(*new)->u.substring.chunks[i] = ldb_val_map_local(module, *new, map, tree->u.substring.chunks[i]);
+			(*new)->u.substring.chunks[i+1] = NULL;
+		}
+		break;
+	}
+	case LDB_OP_EQUALITY:
+		(*new)->u.equality.value = ldb_val_map_local(module, *new, map, &tree->u.equality.value);
+		break;
+	case LDB_OP_LESS:
+	case LDB_OP_GREATER:
+	case LDB_OP_APPROX:
+		(*new)->u.comparison.value = ldb_val_map_local(module, *new, map, &tree->u.comparison.value);
+		break;
+	case LDB_OP_EXTENDED:
+		(*new)->u.extended.value = ldb_val_map_local(module, *new, map, &tree->u.extended.value);
+		(*new)->u.extended.rule_id = talloc_strdup(*new, tree->u.extended.rule_id);
+		break;
+	default:			/* unknown kind of simple subtree */
+		talloc_free(*new);
+		return -1;
+	}
+
+	return 0;
+}
+
+/* Collect subtrees that query attributes in the remote partition */
+static int map_subtree_collect_remote(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree)
+{
+	const struct ldb_map_context *data = map_get_context(module);
+	const struct ldb_map_attribute *map;
+
+	if (tree == NULL) {
+		return 0;
+	}
+
+	if (tree->operation == LDB_OP_NOT) {
+		return map_subtree_collect_remote_not(module, mem_ctx, new, tree);
+	}
+
+	if ((tree->operation == LDB_OP_AND) || (tree->operation == LDB_OP_OR)) {
+		return map_subtree_collect_remote_list(module, mem_ctx, new, tree);
+	}
+
+	if (!map_attr_check_remote(data, tree->u.equality.attr)) {
+		*new = NULL;
+		return 0;
+	}
+
+	map = map_attr_find_local(data, tree->u.equality.attr);
+	if (map->convert_operator) {
+		return map->convert_operator(module, mem_ctx, new, tree);
+	}
+
+	if (map->type == MAP_GENERATE) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "ldb_map: "
+			  "Skipping attribute '%s': "
+			  "'convert_operator' not set\n",
+			  tree->u.equality.attr);
+		*new = NULL;
+		return 0;
+	}
+
+	return map_subtree_collect_remote_simple(module, mem_ctx, new, tree, map);
+}
+
+/* Split subtrees that query attributes in the local partition from
+ * those that query the remote partition. */
+static int ldb_parse_tree_partition(struct ldb_module *module, void *local_ctx, void *remote_ctx, struct ldb_parse_tree **local_tree, struct ldb_parse_tree **remote_tree, const struct ldb_parse_tree *tree)
+{
+	int ret;
+
+	*local_tree = NULL;
+	*remote_tree = NULL;
+
+	/* No original tree */
+	if (tree == NULL) {
+		return 0;
+	}
+
+	/* Generate local tree */
+	ret = map_subtree_select_local(module, local_ctx, local_tree, tree);
+	if (ret) {
+		return ret;
+	}
+
+	/* Generate remote tree */
+	ret = map_subtree_collect_remote(module, remote_ctx, remote_tree, tree);
+	if (ret) {
+		talloc_free(*local_tree);
+		return ret;
+	}
+
+	return 0;
+}
+
+/* Collect a list of attributes required either explicitly from a
+ * given list or implicitly  from a given parse tree; split the
+ * collected list into local and remote parts. */
+static int map_attrs_collect_and_partition(struct ldb_module *module, struct map_context *ac,
+					   const char * const *search_attrs, 
+					   const struct ldb_parse_tree *tree)
+{
+	void *tmp_ctx;
+	const char **tree_attrs;
+	const char **remote_attrs;
+	const char **local_attrs;
+	int ret;
+
+	/* Clear initial lists of partitioned attributes */
+
+	/* Clear initial lists of partitioned attributes */
+
+	/* There is no tree, just partition the searched attributes */
+	if (tree == NULL) {
+		ret = map_attrs_partition(module, ac, 
+					  &local_attrs, &remote_attrs, search_attrs);
+		if (ret == 0) {
+			ac->local_attrs = local_attrs;
+			ac->remote_attrs = remote_attrs;
+			ac->all_attrs = search_attrs;
+		}
+		return ret; 
+	}
+
+	/* Create context for temporary memory */
+	tmp_ctx = talloc_new(ac);
+	if (tmp_ctx == NULL) {
+		goto oom;
+	}
+
+	/* Prepare list of attributes from tree */
+	tree_attrs = talloc_array(tmp_ctx, const char *, 1);
+	if (tree_attrs == NULL) {
+		talloc_free(tmp_ctx);
+		goto oom;
+	}
+	tree_attrs[0] = NULL;
+
+	/* Collect attributes from tree */
+	ret = ldb_parse_tree_collect_attrs(module, tmp_ctx, &tree_attrs, tree);
+	if (ret) {
+		goto done;
+	}
+
+	/* Merge attributes from search operation */
+	ret = map_attrs_merge(module, tmp_ctx, &tree_attrs, search_attrs);
+	if (ret) {
+		goto done;
+	}
+
+	/* Split local from remote attributes */
+	ret = map_attrs_partition(module, ac, &local_attrs, 
+				  &remote_attrs, tree_attrs);
+	
+	if (ret == 0) {
+		ac->local_attrs = local_attrs;
+		ac->remote_attrs = remote_attrs;
+		talloc_steal(ac, tree_attrs);
+		ac->all_attrs = tree_attrs;
+	}
+done:
+	/* Free temporary memory */
+	talloc_free(tmp_ctx);
+	return ret;
+
+oom:
+	map_oom(module);
+	return -1;
+}
+
+
+/* Outbound requests: search
+ * ========================= */
+
+/* Pass a merged search result up the callback chain. */
+int map_up_callback(struct ldb_context *ldb, const struct ldb_request *req, struct ldb_reply *ares)
+{
+	int i;
+
+	/* No callback registered, stop */
+	if (req->callback == NULL) {
+		return LDB_SUCCESS;
+	}
+
+	/* Only records need special treatment */
+	if (ares->type != LDB_REPLY_ENTRY) {
+		return req->callback(ldb, req->context, ares);
+	}
+
+	/* Merged result doesn't match original query, skip */
+	if (!ldb_match_msg(ldb, ares->message, req->op.search.tree, req->op.search.base, req->op.search.scope)) {
+		ldb_debug(ldb, LDB_DEBUG_TRACE, "ldb_map: "
+			  "Skipping record '%s': "
+			  "doesn't match original search\n",
+			  ldb_dn_linearize(ldb, ares->message->dn));
+		return LDB_SUCCESS;
+	}
+
+	/* Limit result to requested attrs */
+	if ((req->op.search.attrs) && (!ldb_attr_in_list(req->op.search.attrs, "*"))) {
+		for (i = 0; i < ares->message->num_elements; ) {
+			struct ldb_message_element *el = &ares->message->elements[i];
+			if (!ldb_attr_in_list(req->op.search.attrs, el->name)) {
+				ldb_msg_remove_element(ares->message, el);
+			} else {
+				i++;
+			}
+		}
+	}
+
+	return req->callback(ldb, req->context, ares);
+}
+
+/* Merge the remote and local parts of a search result. */
+int map_local_merge_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct map_search_context *sc;
+	int ret;
+
+	if (context == NULL || ares == NULL) {
+		ldb_set_errstring(ldb, talloc_asprintf(ldb, "ldb_map: "
+						       "NULL Context or Result in `map_local_merge_callback`"));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	sc = talloc_get_type(context, struct map_search_context);
+
+	switch (ares->type) {
+	case LDB_REPLY_ENTRY:
+		/* We have already found a local record */
+		if (sc->local_res) {
+			ldb_set_errstring(ldb, talloc_asprintf(ldb, "ldb_map: "
+							       "Too many results to base search for local entry"));
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		/* Store local result */
+		sc->local_res = ares;
+
+		/* Merge remote into local message */
+		ret = ldb_msg_merge_local(sc->ac->module, ares->message, sc->remote_res->message);
+		if (ret) {
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		return map_up_callback(ldb, sc->ac->orig_req, ares);
+
+	case LDB_REPLY_DONE:
+		/* No local record found, continue with remote record */
+		if (sc->local_res == NULL) {
+			return map_up_callback(ldb, sc->ac->orig_req, sc->remote_res);
+		}
+		return LDB_SUCCESS;
+
+	default:
+		ldb_set_errstring(ldb, talloc_asprintf(ldb, "ldb_map: "
+						       "Unexpected result type in base search for local entry"));
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+}
+
+/* Search the local part of a remote search result. */
+int map_remote_search_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct map_context *ac;
+	struct map_search_context *sc;
+	struct ldb_request *req;
+	int ret;
+
+	if (context == NULL || ares == NULL) {
+		ldb_set_errstring(ldb, talloc_asprintf(ldb, "ldb_map: "
+						       "NULL Context or Result in `map_remote_search_callback`"));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac = talloc_get_type(context, struct map_context);
+
+	/* It's not a record, stop searching */
+	if (ares->type != LDB_REPLY_ENTRY) {
+		return map_up_callback(ldb, ac->orig_req, ares);
+	}
+
+	/* Map result record into a local message */
+	ret = map_reply_remote(ac, ares);
+	if (ret) {
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* There is no local db, stop searching */
+	if (!map_check_local_db(ac->module)) {
+		return map_up_callback(ldb, ac->orig_req, ares);
+	}
+
+	/* Prepare local search context */
+	sc = map_init_search_context(ac, ares);
+	if (sc == NULL) {
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Prepare local search request */
+	/* TODO: use GUIDs here instead? */
+
+	ac->search_reqs = talloc_realloc(ac, ac->search_reqs, struct ldb_request *, ac->num_searches + 2);
+	if (ac->search_reqs == NULL) {
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->search_reqs[ac->num_searches]
+		= req = map_search_base_req(ac, ares->message->dn, 
+					    NULL, NULL, sc, map_local_merge_callback);
+	if (req == NULL) {
+		talloc_free(sc);
+		talloc_free(ares);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac->num_searches++;
+	ac->search_reqs[ac->num_searches] = NULL;
+
+	return ldb_next_request(ac->module, req);
+}
+
+/* Search a record. */
+int map_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_handle *h;
+	struct map_context *ac;
+	struct ldb_parse_tree *local_tree, *remote_tree;
+	int ret;
+
+	const char *wildcard[] = { "*", NULL };
+	const char * const *attrs;
+
+	/* Do not manipulate our control entries */
+	if (ldb_dn_is_special(req->op.search.base))
+		return ldb_next_request(module, req);
+
+	/* No mapping requested, skip to next module */
+	if ((req->op.search.base) && (!ldb_dn_check_local(module, req->op.search.base))) {
+		return ldb_next_request(module, req);
+	}
+
+	/* TODO: How can we be sure about which partition we are
+	 *	 targetting when there is no search base? */
+
+	/* Prepare context and handle */
+	h = map_init_handle(req, module);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct map_context);
+
+	ac->search_reqs = talloc_array(ac, struct ldb_request *, 2);
+	if (ac->search_reqs == NULL) {
+		talloc_free(h);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac->num_searches = 1;
+	ac->search_reqs[1] = NULL;
+
+	/* Prepare the remote operation */
+	ac->search_reqs[0] = talloc(ac, struct ldb_request);
+	if (ac->search_reqs[0] == NULL) {
+		goto oom;
+	}
+
+	*(ac->search_reqs[0]) = *req;	/* copy the request */
+
+	ac->search_reqs[0]->handle = h;	/* return our own handle to deal with this call */
+
+	ac->search_reqs[0]->context = ac;
+	ac->search_reqs[0]->callback = map_remote_search_callback;
+
+	/* It is easier to deal with the two different ways of
+	 * expressing the wildcard in the same codepath */
+	attrs = req->op.search.attrs;
+	if (attrs == NULL) {
+		attrs = wildcard;
+	}
+
+	/* Split local from remote attrs */
+	ret = map_attrs_collect_and_partition(module, ac, 
+					      attrs, req->op.search.tree);
+	if (ret) {
+		goto failed;
+	}
+
+	ac->search_reqs[0]->op.search.attrs = ac->remote_attrs;
+
+	/* Split local from remote tree */
+	ret = ldb_parse_tree_partition(module, ac, ac->search_reqs[0], 
+				       &local_tree, &remote_tree, 
+				       req->op.search.tree);
+	if (ret) {
+		goto failed;
+	}
+
+	if (((local_tree != NULL) && (remote_tree != NULL)) &&
+	    (!ldb_parse_tree_check_splittable(req->op.search.tree))) {
+		/* The query can't safely be split, enumerate the remote partition */
+		local_tree = NULL;
+		remote_tree = NULL;
+	}
+
+	if (local_tree == NULL) {
+		/* Construct default local parse tree */
+		local_tree = talloc_zero(ac, struct ldb_parse_tree);
+		if (local_tree == NULL) {
+			map_oom(ac->module);
+			goto failed;
+		}
+
+		local_tree->operation = LDB_OP_PRESENT;
+		local_tree->u.present.attr = talloc_strdup(local_tree, IS_MAPPED);
+	}
+	if (remote_tree == NULL) {
+		/* Construct default remote parse tree */
+		remote_tree = ldb_parse_tree(ac->search_reqs[0], NULL);
+		if (remote_tree == NULL) {
+			goto failed;
+		}
+	}
+
+	ac->local_tree = local_tree;
+	ac->search_reqs[0]->op.search.tree = remote_tree;
+
+	ldb_set_timeout_from_prev_req(module->ldb, req, ac->search_reqs[0]);
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->step = MAP_SEARCH_REMOTE;
+
+	ret = ldb_next_remote_request(module, ac->search_reqs[0]);
+	if (ret == LDB_SUCCESS) {
+		req->handle = h;
+	}
+	return ret;
+
+oom:
+	map_oom(module);
+failed:
+	talloc_free(h);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
diff --git a/source3/lib/ldb/modules/ldb_map_private.h b/source3/lib/ldb/modules/ldb_map_private.h
new file mode 100644
index 0000000000..8a08d0a5b6
--- /dev/null
+++ b/source3/lib/ldb/modules/ldb_map_private.h
@@ -0,0 +1,117 @@
+
+/* A handy macro to report Out of Memory conditions */
+#define map_oom(module) ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory"));
+
+/* The type of search callback functions */
+typedef int (*ldb_search_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+/* The special DN from which the local and remote base DNs are fetched */
+#define MAP_DN_NAME	"@MAP"
+#define MAP_DN_FROM	"@FROM"
+#define MAP_DN_TO	"@TO"
+
+/* Private data structures
+ * ======================= */
+
+/* Context data for mapped requests */
+struct map_context {
+	enum map_step {
+		MAP_SEARCH_REMOTE,
+		MAP_ADD_REMOTE,
+		MAP_ADD_LOCAL,
+		MAP_SEARCH_SELF_MODIFY,
+		MAP_MODIFY_REMOTE,
+		MAP_MODIFY_LOCAL,
+		MAP_SEARCH_SELF_DELETE,
+		MAP_DELETE_REMOTE,
+		MAP_DELETE_LOCAL,
+		MAP_SEARCH_SELF_RENAME,
+		MAP_RENAME_REMOTE,
+		MAP_RENAME_FIXUP,
+		MAP_RENAME_LOCAL
+	} step;
+
+	struct ldb_module *module;
+
+	const struct ldb_dn *local_dn;
+	const struct ldb_parse_tree *local_tree;
+	const char * const *local_attrs;
+	const char * const *remote_attrs;
+	const char * const *all_attrs;
+
+	struct ldb_request *orig_req;
+	struct ldb_request *local_req;
+	struct ldb_request *remote_req;
+	struct ldb_request *down_req;
+	struct ldb_request *search_req;
+
+	/* for search, we may have a lot of contexts */
+	int num_searches;
+	struct ldb_request **search_reqs;
+};
+
+/* Context data for mapped search requests */
+struct map_search_context {
+	struct map_context *ac;
+	struct ldb_reply *local_res;
+	struct ldb_reply *remote_res;
+};
+
+
+/* Common operations
+ * ================= */
+
+/* The following definitions come from lib/ldb/modules/ldb_map.c */
+const struct ldb_map_context *map_get_context(struct ldb_module *module);
+struct map_search_context *map_init_search_context(struct map_context *ac, struct ldb_reply *ares);
+struct ldb_handle *map_init_handle(struct ldb_request *req, struct ldb_module *module);
+
+int ldb_next_remote_request(struct ldb_module *module, struct ldb_request *request);
+
+BOOL map_check_local_db(struct ldb_module *module);
+BOOL map_attr_check_remote(const struct ldb_map_context *data, const char *attr);
+BOOL ldb_dn_check_local(struct ldb_module *module, const struct ldb_dn *dn);
+
+const struct ldb_map_attribute *map_attr_find_local(const struct ldb_map_context *data, const char *name);
+const struct ldb_map_attribute *map_attr_find_remote(const struct ldb_map_context *data, const char *name);
+
+const char *map_attr_map_local(void *mem_ctx, const struct ldb_map_attribute *map, const char *attr);
+const char *map_attr_map_remote(void *mem_ctx, const struct ldb_map_attribute *map, const char *attr);
+int map_attrs_merge(struct ldb_module *module, void *mem_ctx, const char ***attrs, const char * const *more_attrs);
+
+struct ldb_val ldb_val_map_local(struct ldb_module *module, void *mem_ctx, const struct ldb_map_attribute *map, const struct ldb_val *val);
+struct ldb_val ldb_val_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_map_attribute *map, const struct ldb_val *val);
+
+struct ldb_dn *ldb_dn_map_local(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn);
+struct ldb_dn *ldb_dn_map_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn);
+struct ldb_dn *ldb_dn_map_rebase_remote(struct ldb_module *module, void *mem_ctx, const struct ldb_dn *dn);
+
+struct ldb_request *map_search_base_req(struct map_context *ac, const struct ldb_dn *dn, const char * const *attrs, const struct ldb_parse_tree *tree, void *context, ldb_search_callback callback);
+struct ldb_request *map_search_self_req(struct map_context *ac, const struct ldb_dn *dn);
+struct ldb_request *map_build_fixup_req(struct map_context *ac, const struct ldb_dn *olddn, const struct ldb_dn *newdn);
+
+int map_subtree_collect_remote_simple(struct ldb_module *module, void *mem_ctx, struct ldb_parse_tree **new, const struct ldb_parse_tree *tree, const struct ldb_map_attribute *map);
+
+/* LDB Requests
+ * ============ */
+
+/* The following definitions come from lib/ldb/modules/ldb_map_inbound.c */
+int map_add_do_remote(struct ldb_handle *handle);
+int map_add_do_local(struct ldb_handle *handle);
+int map_add(struct ldb_module *module, struct ldb_request *req);
+
+int map_modify_do_remote(struct ldb_handle *handle);
+int map_modify_do_local(struct ldb_handle *handle);
+int map_modify(struct ldb_module *module, struct ldb_request *req);
+
+int map_delete_do_remote(struct ldb_handle *handle);
+int map_delete_do_local(struct ldb_handle *handle);
+int map_delete(struct ldb_module *module, struct ldb_request *req);
+
+int map_rename_do_remote(struct ldb_handle *handle);
+int map_rename_do_fixup(struct ldb_handle *handle);
+int map_rename_do_local(struct ldb_handle *handle);
+int map_rename(struct ldb_module *module, struct ldb_request *req);
+
+/* The following definitions come from lib/ldb/modules/ldb_map_outbound.c */
+int map_search(struct ldb_module *module, struct ldb_request *req);
diff --git a/source3/lib/ldb/modules/objectclass.c b/source3/lib/ldb/modules/objectclass.c
new file mode 100644
index 0000000000..03e0967f0e
--- /dev/null
+++ b/source3/lib/ldb/modules/objectclass.c
@@ -0,0 +1,693 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2006
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: objectClass sorting module
+ *
+ *  Description: sort the objectClass attribute into the class hierarchy
+ *
+ *  Author: Andrew Bartlett
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+struct oc_context {
+
+	enum oc_step {OC_DO_REQ, OC_SEARCH_SELF, OC_DO_MOD} step;
+
+	struct ldb_module *module;
+	struct ldb_request *orig_req;
+
+	struct ldb_request *down_req;
+
+	struct ldb_request *search_req;
+	struct ldb_reply *search_res;
+
+	struct ldb_request *mod_req;
+};
+
+struct class_list {
+	struct class_list *prev, *next;
+	const char *objectclass;
+};
+
+static struct ldb_handle *oc_init_handle(struct ldb_request *req, struct ldb_module *module)
+{
+	struct oc_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(req, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct oc_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->orig_req = req;
+
+	return h;
+}
+
+static int objectclass_sort(struct ldb_module *module,
+			    TALLOC_CTX *mem_ctx,
+			    struct ldb_message_element *objectclass_element,
+			    struct class_list **sorted_out) 
+{
+	int i;
+	int layer;
+	struct class_list *sorted = NULL, *parent_class = NULL,
+		*subclass = NULL, *unsorted = NULL, *current, *poss_subclass;
+	/* DESIGN:
+	 *
+	 * We work on 4 different 'bins' (implemented here as linked lists):
+	 *
+	 * * sorted:       the eventual list, in the order we wish to push
+	 *                 into the database.  This is the only ordered list.
+	 *
+	 * * parent_class: The current parent class 'bin' we are
+	 *                 trying to find subclasses for
+	 *
+	 * * subclass:     The subclasses we have found so far
+	 *
+	 * * unsorted:     The remaining objectClasses
+	 *
+	 * The process is a matter of filtering objectClasses up from
+	 * unsorted into sorted.  Order is irrelevent in the later 3 'bins'.
+	 * 
+	 * We start with 'top' (found and promoted to parent_class
+	 * initially).  Then we find (in unsorted) all the direct
+	 * subclasses of 'top'.  parent_classes is concatenated onto
+	 * the end of 'sorted', and subclass becomes the list in
+	 * parent_class.
+	 *
+	 * We then repeat, until we find no more subclasses.  Any left
+	 * over classes are added to the end.
+	 *
+	 */
+
+	/* Firstly, dump all the objectClass elements into the
+	 * unsorted bin, except for 'top', which is special */
+	for (i=0; i < objectclass_element->num_values; i++) {
+		current = talloc(mem_ctx, struct class_list);
+		if (!current) {
+			ldb_set_errstring(module->ldb, "objectclass: out of memory allocating objectclass list");
+			talloc_free(mem_ctx);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		current->objectclass = (const char *)objectclass_element->values[i].data;
+
+		/* this is the root of the tree.  We will start
+		 * looking for subclasses from here */
+		if (ldb_attr_cmp("top", current->objectclass) == 0) {
+			DLIST_ADD(parent_class, current);
+		} else {
+			DLIST_ADD(unsorted, current);
+		}
+	}
+
+	/* DEBUGGING aid:  how many layers are we down now? */
+	layer = 0;
+	do {
+		layer++;
+		/* Find all the subclasses of classes in the
+		 * parent_classes.  Push them onto the subclass list */
+
+		/* Ensure we don't bother if there are no unsorted entries left */
+		for (current = parent_class; unsorted && current; current = current->next) {
+			const char **subclasses = ldb_subclass_list(module->ldb, current->objectclass);
+
+			/* Walk the list of possible subclasses in unsorted */
+			for (poss_subclass = unsorted; poss_subclass; ) {
+				struct class_list *next;
+				
+				/* Save the next pointer, as the DLIST_ macros will change poss_subclass->next */
+				next = poss_subclass->next;
+
+				for (i = 0; subclasses && subclasses[i]; i++) {
+					if (ldb_attr_cmp(poss_subclass->objectclass, subclasses[i]) == 0) {
+						DLIST_REMOVE(unsorted, poss_subclass);
+						DLIST_ADD(subclass, poss_subclass);
+
+						break;
+					}
+				}
+				poss_subclass = next;
+			}
+		}
+
+		/* Now push the parent_classes as sorted, we are done with
+		these.  Add to the END of the list by concatenation */
+		DLIST_CONCATENATE(sorted, parent_class, struct class_list *);
+
+		/* and now find subclasses of these */
+		parent_class = subclass;
+		subclass = NULL;
+
+		/* If we didn't find any subclasses we will fall out
+		 * the bottom here */
+	} while (parent_class);
+
+	/* This shouldn't happen, and would break MMC, but we can't
+	 * afford to loose objectClasses.  Perhaps there was no 'top',
+	 * or some other schema error? 
+	 *
+	 * Detecting schema errors is the job of the schema module, so
+	 * at this layer we just try not to loose data
+ 	 */
+	DLIST_CONCATENATE(sorted, unsorted, struct class_list *);
+
+	*sorted_out = sorted;
+	return LDB_SUCCESS;
+}
+
+static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_message_element *objectclass_element;
+	struct class_list *sorted, *current;
+	struct ldb_request *down_req;
+	struct ldb_message *msg;
+	int ret;
+	TALLOC_CTX *mem_ctx;
+
+	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "objectclass_add\n");
+
+	if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
+		return ldb_next_request(module, req);
+	}
+	
+	objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
+
+	/* If no part of this add has an objectClass, then we don't
+	 * need to make any changes. cn=rootdse doesn't have an objectClass */
+	if (!objectclass_element) {
+		return ldb_next_request(module, req);
+	}
+
+	mem_ctx = talloc_new(req);
+	if (mem_ctx == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/* prepare the first operation */
+	down_req = talloc(req, struct ldb_request);
+	if (down_req == NULL) {
+		ldb_set_errstring(module->ldb, "Out of memory!");
+		talloc_free(mem_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*down_req = *req; /* copy the request */
+
+	down_req->op.add.message = msg = ldb_msg_copy_shallow(down_req, req->op.add.message);
+
+	if (down_req->op.add.message == NULL) {
+		talloc_free(mem_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ldb_msg_remove_attr(msg, "objectClass");
+	ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
+	
+	if (ret != LDB_SUCCESS) {
+		talloc_free(mem_ctx);
+		return ret;
+	}
+
+	/* We must completely replace the existing objectClass entry,
+	 * because we need it sorted */
+
+	/* Move from the linked list back into an ldb msg */
+	for (current = sorted; current; current = current->next) {
+		ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
+		if (ret != LDB_SUCCESS) {
+			ldb_set_errstring(module->ldb, "objectclass: could not re-add sorted objectclass to modify msg");
+			talloc_free(mem_ctx);
+			return ret;
+		}
+	}
+
+	talloc_free(mem_ctx);
+	ret = ldb_msg_sanity_check(module->ldb, msg);
+
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/* go on with the call chain */
+	ret = ldb_next_request(module, down_req);
+
+	/* do not free down_req as the call results may be linked to it,
+	 * it will be freed when the upper level request get freed */
+	if (ret == LDB_SUCCESS) {
+		req->handle = down_req->handle;
+	}
+	return ret;
+}
+
+static int objectclass_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_message_element *objectclass_element;
+	struct ldb_message *msg;
+	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "objectclass_modify\n");
+
+	if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
+		return ldb_next_request(module, req);
+	}
+	
+	objectclass_element = ldb_msg_find_element(req->op.mod.message, "objectClass");
+
+	/* If no part of this touches the objectClass, then we don't
+	 * need to make any changes.  */
+	/* If the only operation is the deletion of the objectClass then go on */
+	if (!objectclass_element) {
+		return ldb_next_request(module, req);
+	}
+
+	switch (objectclass_element->flags & LDB_FLAG_MOD_MASK) {
+	case LDB_FLAG_MOD_DELETE:
+		/* Delete everything?  Probably totally illigal, but hey! */
+		if (objectclass_element->num_values == 0) {
+			return ldb_next_request(module, req);
+		}
+		break;
+	case LDB_FLAG_MOD_REPLACE:
+	{
+		struct ldb_request *down_req;
+		struct class_list *sorted, *current;
+		TALLOC_CTX *mem_ctx;
+		int ret;
+		mem_ctx = talloc_new(req);
+		if (mem_ctx == NULL) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		/* prepare the first operation */
+		down_req = talloc(req, struct ldb_request);
+		if (down_req == NULL) {
+			ldb_set_errstring(module->ldb, "Out of memory!");
+			talloc_free(mem_ctx);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		
+		*down_req = *req; /* copy the request */
+		
+		down_req->op.mod.message = msg = ldb_msg_copy_shallow(down_req, req->op.mod.message);
+		
+		if (down_req->op.add.message == NULL) {
+			talloc_free(mem_ctx);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		
+		ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+
+		/* We must completely replace the existing objectClass entry,
+		 * because we need it sorted */
+		
+		ldb_msg_remove_attr(msg, "objectClass");
+		ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL);
+		
+		if (ret != LDB_SUCCESS) {
+			talloc_free(mem_ctx);
+			return ret;
+		}
+
+		/* Move from the linked list back into an ldb msg */
+		for (current = sorted; current; current = current->next) {
+			ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
+			if (ret != LDB_SUCCESS) {
+				ldb_set_errstring(module->ldb, "objectclass: could not re-add sorted objectclass to modify msg");
+				talloc_free(mem_ctx);
+				return ret;
+			}
+		}
+		
+		talloc_free(mem_ctx);
+
+		ret = ldb_msg_sanity_check(module->ldb, msg);
+		if (ret != LDB_SUCCESS) {
+			talloc_free(mem_ctx);
+			return ret;
+		}
+		
+		/* go on with the call chain */
+		ret = ldb_next_request(module, down_req);
+		
+		/* do not free down_req as the call results may be linked to it,
+		 * it will be freed when the upper level request get freed */
+		if (ret == LDB_SUCCESS) {
+			req->handle = down_req->handle;
+		}
+		return ret;
+	}
+	}
+
+	{
+		struct ldb_handle *h;
+		struct oc_context *ac;
+		
+		h = oc_init_handle(req, module);
+		if (!h) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		ac = talloc_get_type(h->private_data, struct oc_context);
+		
+		/* return or own handle to deal with this call */
+		req->handle = h;
+		
+		/* prepare the first operation */
+		ac->down_req = talloc(ac, struct ldb_request);
+		if (ac->down_req == NULL) {
+			ldb_set_errstring(module->ldb, "Out of memory!");
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		
+		*(ac->down_req) = *req; /* copy the request */
+		
+		ac->down_req->context = NULL;
+		ac->down_req->callback = NULL;
+		ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
+		
+		ac->step = OC_DO_REQ;
+
+		return ldb_next_request(module, ac->down_req);
+	}
+}
+
+static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct oc_context *ac;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac = talloc_get_type(context, struct oc_context);
+
+	/* we are interested only in the single reply (base search) we receive here */
+	if (ares->type == LDB_REPLY_ENTRY) {
+		if (ac->search_res != NULL) {
+			ldb_set_errstring(ldb, "Too many results");
+			talloc_free(ares);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ac->search_res = talloc_move(ac, &ares);
+	} else {
+		talloc_free(ares);
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int objectclass_search_self(struct ldb_handle *h) {
+
+	struct oc_context *ac;
+	static const char * const attrs[] = { "objectClass", NULL };
+
+	ac = talloc_get_type(h->private_data, struct oc_context);
+
+	/* prepare the search operation */
+	ac->search_req = talloc_zero(ac, struct ldb_request);
+	if (ac->search_req == NULL) {
+		ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->search_req->operation = LDB_SEARCH;
+	ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
+	ac->search_req->op.search.scope = LDB_SCOPE_BASE;
+	ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
+	if (ac->search_req->op.search.tree == NULL) {
+		ldb_set_errstring(ac->module->ldb, "objectclass: Internal error producing null search");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac->search_req->op.search.attrs = attrs;
+	ac->search_req->controls = NULL;
+	ac->search_req->context = ac;
+	ac->search_req->callback = get_self_callback;
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
+
+	ac->step = OC_SEARCH_SELF;
+
+	return ldb_next_request(ac->module, ac->search_req);
+}
+
+static int objectclass_do_mod(struct ldb_handle *h) {
+
+	struct oc_context *ac;
+	struct ldb_message_element *objectclass_element;
+	struct ldb_message *msg;
+	TALLOC_CTX *mem_ctx;
+	struct class_list *sorted, *current;
+	int ret;
+      
+	ac = talloc_get_type(h->private_data, struct oc_context);
+
+	mem_ctx = talloc_new(ac);
+	if (mem_ctx == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->mod_req = talloc(ac, struct ldb_request);
+	if (ac->mod_req == NULL) {
+		talloc_free(mem_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->mod_req->operation = LDB_MODIFY;
+	ac->mod_req->controls = NULL;
+	ac->mod_req->context = ac;
+	ac->mod_req->callback = NULL;
+	ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
+	
+	/* use a new message structure */
+	ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
+	if (msg == NULL) {
+		ldb_set_errstring(ac->module->ldb, "objectclass: could not create new modify msg");
+		talloc_free(mem_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* This is now the objectClass list from the database */
+	objectclass_element = ldb_msg_find_element(ac->search_res->message, 
+						   "objectClass");
+	if (!objectclass_element) {
+		/* Where did it go?  Move along now, nothing to see here */
+		talloc_free(mem_ctx);
+		return LDB_SUCCESS;
+	}
+	
+	/* modify dn */
+	msg->dn = ac->orig_req->op.mod.message->dn;
+
+	ret = objectclass_sort(ac->module, mem_ctx, objectclass_element, &sorted);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	/* We must completely replace the existing objectClass entry.
+	 * We could do a constrained add/del, but we are meant to be
+	 * in a transaction... */
+
+	ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL);
+	if (ret != LDB_SUCCESS) {
+		ldb_set_errstring(ac->module->ldb, "objectclass: could not clear objectclass in modify msg");
+		talloc_free(mem_ctx);
+		return ret;
+	}
+	
+	/* Move from the linked list back into an ldb msg */
+	for (current = sorted; current; current = current->next) {
+		ret = ldb_msg_add_string(msg, "objectClass", current->objectclass);
+		if (ret != LDB_SUCCESS) {
+			ldb_set_errstring(ac->module->ldb, "objectclass: could not re-add sorted objectclass to modify msg");
+			talloc_free(mem_ctx);
+			return ret;
+		}
+	}
+
+	ret = ldb_msg_sanity_check(ac->module->ldb, msg);
+	if (ret != LDB_SUCCESS) {
+		talloc_free(mem_ctx);
+		return ret;
+	}
+
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->step = OC_DO_MOD;
+
+	talloc_free(mem_ctx);
+	/* perform the search */
+	return ldb_next_request(ac->module, ac->mod_req);
+}
+
+static int oc_wait(struct ldb_handle *handle) {
+	struct oc_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	ac = talloc_get_type(handle->private_data, struct oc_context);
+
+	switch (ac->step) {
+	case OC_DO_REQ:
+		ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
+
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->down_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->down_req->handle->status;
+			goto done;
+		}
+
+		if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		/* mods done, go on */
+		return objectclass_search_self(handle);
+
+	case OC_SEARCH_SELF:
+		ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
+
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->search_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->search_req->handle->status;
+			goto done;
+		}
+
+		if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		/* self search done, go on */
+		return objectclass_do_mod(handle);
+
+	case OC_DO_MOD:
+		ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
+
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->mod_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->mod_req->handle->status;
+			goto done;
+		}
+
+		if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		break;
+		
+	default:
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	ret = LDB_SUCCESS;
+
+done:
+	handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int oc_wait_all(struct ldb_handle *handle) {
+
+	int ret;
+
+	while (handle->state != LDB_ASYNC_DONE) {
+		ret = oc_wait(handle);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	return handle->status;
+}
+
+static int objectclass_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (type == LDB_WAIT_ALL) {
+		return oc_wait_all(handle);
+	} else {
+		return oc_wait(handle);
+	}
+}
+
+static const struct ldb_module_ops objectclass_ops = {
+	.name		   = "objectclass",
+	.add           = objectclass_add,
+	.modify        = objectclass_modify,
+	.wait          = objectclass_wait
+};
+
+int ldb_objectclass_init(void)
+{
+	return ldb_register_module(&objectclass_ops);
+}
+
diff --git a/source3/lib/ldb/modules/operational.c b/source3/lib/ldb/modules/operational.c
new file mode 100644
index 0000000000..7c8e03c337
--- /dev/null
+++ b/source3/lib/ldb/modules/operational.c
@@ -0,0 +1,311 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell 2005
+   Copyright (C) Simo Sorce 2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+  handle operational attributes
+ */
+
+/*
+  createTimestamp: HIDDEN, searchable, ldaptime, alias for whenCreated
+  modifyTimestamp: HIDDEN, searchable, ldaptime, alias for whenChanged
+
+     for the above two, we do the search as normal, and if
+     createTimestamp or modifyTimestamp is asked for, then do
+     additional searches for whenCreated and whenChanged and fill in
+     the resulting values
+
+     we also need to replace these with the whenCreated/whenChanged
+     equivalent in the search expression trees
+
+  whenCreated: not-HIDDEN, CONSTRUCTED, SEARCHABLE
+  whenChanged: not-HIDDEN, CONSTRUCTED, SEARCHABLE
+
+     on init we need to setup attribute handlers for these so
+     comparisons are done correctly. The resolution is 1 second.
+
+     on add we need to add both the above, for current time
+
+     on modify we need to change whenChanged
+
+
+  subschemaSubentry: HIDDEN, not-searchable, 
+                     points at DN CN=Aggregate,CN=Schema,CN=Configuration,$BASEDN
+
+     for this one we do the search as normal, then add the static
+     value if requested. How do we work out the $BASEDN from inside a
+     module?
+     
+
+  structuralObjectClass: HIDDEN, CONSTRUCTED, not-searchable. always same as objectclass?
+
+     for this one we do the search as normal, then if requested ask
+     for objectclass, change the attribute name, and add it
+
+  allowedAttributesEffective: HIDDEN, CONSTRUCTED, not-searchable, 
+     list of attributes that can be modified - requires schema lookup
+
+
+  attributeTypes: in schema only
+  objectClasses: in schema only
+  matchingRules: in schema only
+  matchingRuleUse: in schema only
+  creatorsName: not supported by w2k3?
+  modifiersName: not supported by w2k3?
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/*
+  construct a canonical name from a message
+*/
+static int construct_canonical_name(struct ldb_module *module, struct ldb_message *msg)
+{
+	char *canonicalName;
+	canonicalName = ldb_dn_canonical_string(msg, msg->dn);
+	if (canonicalName == NULL) {
+		return -1;
+	}
+	return ldb_msg_add_steal_string(msg, "canonicalName", canonicalName);
+}
+
+/*
+  a list of attribute names that should be substituted in the parse
+  tree before the search is done
+*/
+static const struct {
+	const char *attr;
+	const char *replace;
+} parse_tree_sub[] = {
+	{ "createTimestamp", "whenCreated" },
+	{ "modifyTimestamp", "whenChanged" }
+};
+
+
+/*
+  a list of attribute names that are hidden, but can be searched for
+  using another (non-hidden) name to produce the correct result
+*/
+static const struct {
+	const char *attr;
+	const char *replace;
+	int (*constructor)(struct ldb_module *, struct ldb_message *);
+} search_sub[] = {
+	{ "createTimestamp", "whenCreated", NULL },
+	{ "modifyTimestamp", "whenChanged", NULL },
+	{ "structuralObjectClass", "objectClass", NULL },
+	{ "canonicalName", "distinguishedName", construct_canonical_name }
+};
+
+/*
+  post process a search result record. For any search_sub[] attributes that were
+  asked for, we need to call the appropriate copy routine to copy the result
+  into the message, then remove any attributes that we added to the search but were
+  not asked for by the user
+*/
+static int operational_search_post_process(struct ldb_module *module,
+					   struct ldb_message *msg, 
+					   const char * const *attrs)
+{
+	int i, a=0;
+
+	for (a=0;attrs && attrs[a];a++) {
+		for (i=0;i<ARRAY_SIZE(search_sub);i++) {
+			if (ldb_attr_cmp(attrs[a], search_sub[i].attr) != 0) {
+				continue;
+			}
+
+			/* construct the new attribute, using either a supplied 
+			   constructor or a simple copy */
+			if (search_sub[i].constructor) {
+				if (search_sub[i].constructor(module, msg) != 0) {
+					goto failed;
+				}
+			} else if (ldb_msg_copy_attr(msg,
+						     search_sub[i].replace,
+						     search_sub[i].attr) != 0) {
+				goto failed;
+			}
+
+			/* remove the added search attribute, unless it was asked for 
+			   by the user */
+			if (search_sub[i].replace == NULL ||
+			    ldb_attr_in_list(attrs, search_sub[i].replace) ||
+			    ldb_attr_in_list(attrs, "*")) {
+				continue;
+			}
+
+			ldb_msg_remove_attr(msg, search_sub[i].replace);
+		}
+	}
+
+	return 0;
+
+failed:
+	ldb_debug_set(module->ldb, LDB_DEBUG_WARNING, 
+		      "operational_search_post_process failed for attribute '%s'\n", 
+		      attrs[a]);
+	return -1;
+}
+
+
+/*
+  hook search operations
+*/
+
+struct operational_context {
+
+	struct ldb_module *module;
+	void *up_context;
+	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+	const char * const *attrs;
+};
+
+static int operational_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct operational_context *ac;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}
+
+	ac = talloc_get_type(context, struct operational_context);
+
+	if (ares->type == LDB_REPLY_ENTRY) {
+		/* for each record returned post-process to add any derived
+		   attributes that have been asked for */
+		if (operational_search_post_process(ac->module, ares->message, ac->attrs) != 0) {
+			goto error;
+		}
+	}
+
+	return ac->up_callback(ldb, ac->up_context, ares);
+
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int operational_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct operational_context *ac;
+	struct ldb_request *down_req;
+	const char **search_attrs = NULL;
+	int i, a, ret;
+
+	req->handle = NULL;
+
+	ac = talloc(req, struct operational_context);
+	if (ac == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->module = module;
+	ac->up_context = req->context;
+	ac->up_callback = req->callback;
+	ac->attrs = req->op.search.attrs;
+
+	down_req = talloc_zero(req, struct ldb_request);
+	if (down_req == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	down_req->operation = req->operation;
+	down_req->op.search.base = req->op.search.base;
+	down_req->op.search.scope = req->op.search.scope;
+	down_req->op.search.tree = req->op.search.tree;
+
+	/*  FIXME: I hink we should copy the tree and keep the original
+	 *  unmodified. SSS */
+	/* replace any attributes in the parse tree that are
+	   searchable, but are stored using a different name in the
+	   backend */
+	for (i=0;i<ARRAY_SIZE(parse_tree_sub);i++) {
+		ldb_parse_tree_attr_replace(discard_const_p(struct ldb_parse_tree, req->op.search.tree), 
+					    parse_tree_sub[i].attr, 
+					    parse_tree_sub[i].replace);
+	}
+
+	/* in the list of attributes we are looking for, rename any
+	   attributes to the alias for any hidden attributes that can
+	   be fetched directly using non-hidden names */
+	for (a=0;ac->attrs && ac->attrs[a];a++) {
+		for (i=0;i<ARRAY_SIZE(search_sub);i++) {
+			if (ldb_attr_cmp(ac->attrs[a], search_sub[i].attr) == 0 &&
+			    search_sub[i].replace) {
+				if (!search_attrs) {
+					search_attrs = ldb_attr_list_copy(req, ac->attrs);
+					if (search_attrs == NULL) {
+						return LDB_ERR_OPERATIONS_ERROR;
+					}
+				}
+				search_attrs[a] = search_sub[i].replace;
+			}
+		}
+	}
+	
+	/* use new set of attrs if any */
+	if (search_attrs) down_req->op.search.attrs = search_attrs;
+	else down_req->op.search.attrs = req->op.search.attrs;
+	
+	down_req->controls = req->controls;
+
+	down_req->context = ac;
+	down_req->callback = operational_callback;
+	ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
+
+	/* perform the search */
+	ret = ldb_next_request(module, down_req);
+
+	/* do not free down_req as the call results may be linked to it,
+	 * it will be freed when the upper level request get freed */
+	if (ret == LDB_SUCCESS) {
+		req->handle = down_req->handle;
+	}
+
+	return ret;
+}
+
+static int operational_init(struct ldb_module *ctx)
+{
+	/* setup some standard attribute handlers */
+	ldb_set_attrib_handler_syntax(ctx->ldb, "whenCreated", LDB_SYNTAX_UTC_TIME);
+	ldb_set_attrib_handler_syntax(ctx->ldb, "whenChanged", LDB_SYNTAX_UTC_TIME);
+	ldb_set_attrib_handler_syntax(ctx->ldb, "subschemaSubentry", LDB_SYNTAX_DN);
+	ldb_set_attrib_handler_syntax(ctx->ldb, "structuralObjectClass", LDB_SYNTAX_OBJECTCLASS);
+
+	return ldb_next_init(ctx);
+}
+
+static const struct ldb_module_ops operational_ops = {
+	.name              = "operational",
+	.search            = operational_search,
+	.init_context	   = operational_init
+};
+
+int ldb_operational_init(void)
+{
+	return ldb_register_module(&operational_ops);
+}
diff --git a/source3/lib/ldb/modules/paged_results.c b/source3/lib/ldb/modules/paged_results.c
new file mode 100644
index 0000000000..63f9ee6752
--- /dev/null
+++ b/source3/lib/ldb/modules/paged_results.c
@@ -0,0 +1,566 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: paged_result
+ *
+ *  Component: ldb paged results control module
+ *
+ *  Description: this module caches a complete search and sends back
+ *  		 results in chunks as asked by the client
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+struct message_store {
+	/* keep the whole ldb_reply as an optimization
+	 * instead of freeing and talloc-ing the container
+	 * on each result */
+	struct ldb_reply *r;
+	struct message_store *next;
+};
+
+struct private_data;
+
+struct results_store {
+
+	struct private_data *priv;
+
+	char *cookie;
+	time_t timestamp;
+
+	struct results_store *prev;
+	struct results_store *next;
+	
+	struct message_store *first;
+	struct message_store *last;
+	int num_entries;
+
+	struct message_store *first_ref;
+	struct message_store *last_ref;
+
+	struct ldb_control **controls;
+
+	struct ldb_request *req;
+};
+
+struct private_data {
+
+	int next_free_id;
+	struct results_store *store;
+	
+};
+
+int store_destructor(struct results_store *store);
+
+int store_destructor(struct results_store *store)
+{
+	if (store->prev) {
+		store->prev->next = store->next;
+	}
+	if (store->next) {
+		store->next->prev = store->prev;
+	}
+
+	if (store == store->priv->store) {
+		store->priv->store = NULL;
+	}
+
+	return 0;
+}
+
+static struct results_store *new_store(struct private_data *priv)
+{
+	struct results_store *newr;
+	int new_id = priv->next_free_id++;
+
+	/* TODO: we should have a limit on the number of
+	 * outstanding paged searches
+	 */
+
+	newr = talloc(priv, struct results_store);
+	if (!newr) return NULL;
+
+	newr->priv = priv;
+
+	newr->cookie = talloc_asprintf(newr, "%d", new_id);
+	if (!newr->cookie) {
+		talloc_free(newr);
+		return NULL;
+	}
+
+	newr->timestamp = time(NULL);
+
+	newr->first = NULL;
+	newr->num_entries = 0;
+	newr->first_ref = NULL;
+	newr->controls = NULL;
+
+	/* put this entry as first */
+	newr->prev = NULL;
+	newr->next = priv->store;
+	if (priv->store != NULL) priv->store->prev = newr;
+	priv->store = newr;
+
+	talloc_set_destructor(newr, store_destructor);
+
+	return newr;
+}
+
+struct paged_context {
+	struct ldb_module *module;
+	void *up_context;
+	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+	int size;
+
+	struct results_store *store;
+};
+
+static struct ldb_handle *init_handle(void *mem_ctx, struct ldb_module *module,
+					    void *context,
+					    int (*callback)(struct ldb_context *, void *, struct ldb_reply *))
+{
+	struct paged_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(mem_ctx, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct paged_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->up_context = context;
+	ac->up_callback = callback;
+
+	return h;
+}
+
+static int paged_search_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct paged_context *ac = NULL;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}
+
+	ac = talloc_get_type(context, struct paged_context);
+
+	if (ares->type == LDB_REPLY_ENTRY) {
+		if (ac->store->first == NULL) {
+			ac->store->first = ac->store->last = talloc(ac->store, struct message_store);
+		} else {
+			ac->store->last->next = talloc(ac->store, struct message_store);
+			ac->store->last = ac->store->last->next;
+		}
+		if (ac->store->last == NULL) {
+			goto error;
+		}
+
+		ac->store->num_entries++;
+
+		ac->store->last->r = talloc_steal(ac->store->last, ares);
+		ac->store->last->next = NULL;
+	}
+
+	if (ares->type == LDB_REPLY_REFERRAL) {
+		if (ac->store->first_ref == NULL) {
+			ac->store->first_ref = ac->store->last_ref = talloc(ac->store, struct message_store);
+		} else {
+			ac->store->last_ref->next = talloc(ac->store, struct message_store);
+			ac->store->last_ref = ac->store->last_ref->next;
+		}
+		if (ac->store->last_ref == NULL) {
+			goto error;
+		}
+
+		ac->store->last_ref->r = talloc_steal(ac->store->last, ares);
+		ac->store->last_ref->next = NULL;
+	}
+
+	if (ares->type == LDB_REPLY_DONE) {
+		ac->store->controls = talloc_move(ac->store, &ares->controls);
+		talloc_free(ares);
+	}
+
+	return LDB_SUCCESS;
+
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int paged_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_control *control;
+	struct private_data *private_data;
+	struct ldb_paged_control *paged_ctrl;
+	struct ldb_control **saved_controls;
+	struct paged_context *ac;
+	struct ldb_handle *h;
+	int ret;
+
+	/* check if there's a paged request control */
+	control = get_control_from_list(req->controls, LDB_CONTROL_PAGED_RESULTS_OID);
+	if (control == NULL) {
+		/* not found go on */
+		return ldb_next_request(module, req);
+	}
+
+	private_data = talloc_get_type(module->private_data, struct private_data);
+
+	req->handle = NULL;
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb,
+				  "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	paged_ctrl = talloc_get_type(control->data, struct ldb_paged_control);
+	if (!paged_ctrl) {
+		return LDB_ERR_PROTOCOL_ERROR;
+	}
+
+	h = init_handle(req, module, req->context, req->callback);
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct paged_context);
+
+	ac->size = paged_ctrl->size;
+
+	/* check if it is a continuation search the store */
+	if (paged_ctrl->cookie_len == 0) {
+		
+		ac->store = new_store(private_data);
+		if (ac->store == NULL) {
+			talloc_free(h);
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+
+		ac->store->req = talloc(ac->store, struct ldb_request);
+		if (!ac->store->req)
+			return LDB_ERR_OPERATIONS_ERROR;
+
+		ac->store->req->operation = req->operation;
+		ac->store->req->op.search.base = req->op.search.base;
+		ac->store->req->op.search.scope = req->op.search.scope;
+		ac->store->req->op.search.tree = req->op.search.tree;
+		ac->store->req->op.search.attrs = req->op.search.attrs;
+		ac->store->req->controls = req->controls;
+
+		/* save it locally and remove it from the list */
+		/* we do not need to replace them later as we
+		 * are keeping the original req intact */
+		if (!save_controls(control, ac->store->req, &saved_controls)) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ac->store->req->context = ac;
+		ac->store->req->callback = paged_search_callback;
+		ldb_set_timeout_from_prev_req(module->ldb, req, ac->store->req);
+
+		ret = ldb_next_request(module, ac->store->req);
+
+	} else {
+		struct results_store *current = NULL;
+
+		for (current = private_data->store; current; current = current->next) {
+			if (strcmp(current->cookie, paged_ctrl->cookie) == 0) {
+				current->timestamp = time(NULL);
+				break;
+			}
+		}
+		if (current == NULL) {
+			talloc_free(h);
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+
+		ac->store = current;
+		ret = LDB_SUCCESS;
+	}
+
+	req->handle = h;
+
+	/* check if it is an abandon */
+	if (ac->size == 0) {
+		talloc_free(ac->store);
+		h->status = LDB_SUCCESS;
+		h->state = LDB_ASYNC_DONE;
+		return LDB_SUCCESS;
+	}
+
+	/* TODO: age out old outstanding requests */
+
+	return ret;
+
+}
+
+static int paged_results(struct ldb_handle *handle)
+{
+	struct paged_context *ac;
+	struct ldb_paged_control *paged;
+	struct ldb_reply *ares;
+	struct message_store *msg;
+	int i, num_ctrls, ret;
+
+	ac = talloc_get_type(handle->private_data, struct paged_context);
+
+	if (ac->store == NULL)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	while (ac->store->num_entries > 0 && ac->size > 0) {
+		msg = ac->store->first;
+		ret = ac->up_callback(ac->module->ldb, ac->up_context, msg->r);
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			handle->state = LDB_ASYNC_DONE;
+			return ret;
+		}
+
+		ac->store->first = msg->next;
+		talloc_free(msg);
+		ac->store->num_entries--;
+		ac->size--;
+	}
+
+	handle->state = LDB_ASYNC_DONE;
+
+	while (ac->store->first_ref != NULL) {
+		msg = ac->store->first_ref;
+		ret = ac->up_callback(ac->module->ldb, ac->up_context, msg->r);
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			handle->state = LDB_ASYNC_DONE;
+			return ret;
+		}
+
+		ac->store->first_ref = msg->next;
+		talloc_free(msg);
+	}
+
+	ares = talloc_zero(ac->store, struct ldb_reply);
+	if (ares == NULL) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+	num_ctrls = 2;
+	i = 0;
+
+	if (ac->store->controls != NULL) {
+		ares->controls = ac->store->controls;
+		while (ares->controls[i]) i++; /* counting */
+
+		ares->controls = talloc_move(ares, &ac->store->controls);
+		num_ctrls += i;
+	}
+
+	ares->controls = talloc_realloc(ares, ares->controls, struct ldb_control *, num_ctrls);
+	if (ares->controls == NULL) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+
+	ares->controls[i] = talloc(ares->controls, struct ldb_control);
+	if (ares->controls[i] == NULL) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+
+	ares->controls[i]->oid = talloc_strdup(ares->controls[i], LDB_CONTROL_PAGED_RESULTS_OID);
+	if (ares->controls[i]->oid == NULL) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+		
+	ares->controls[i]->critical = 0;
+	ares->controls[i + 1] = NULL;
+
+	paged = talloc(ares->controls[i], struct ldb_paged_control);
+	if (paged == NULL) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+	
+	ares->controls[i]->data = paged;
+
+	if (ac->size > 0) {
+		paged->size = 0;
+		paged->cookie = NULL;
+		paged->cookie_len = 0;
+	} else {
+		paged->size = ac->store->num_entries;
+		paged->cookie = talloc_strdup(paged, ac->store->cookie);
+		paged->cookie_len = strlen(paged->cookie) + 1;
+	}
+
+	ares->type = LDB_REPLY_DONE;
+
+	ret = ac->up_callback(ac->module->ldb, ac->up_context, ares);
+
+	handle->status = ret;
+
+	return ret;
+}
+
+static int paged_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	struct paged_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+
+	ac = talloc_get_type(handle->private_data, struct paged_context);
+
+	if (ac->store->req->handle->state == LDB_ASYNC_DONE) {
+		/* if lower level is finished we do not need to call it anymore */
+		/* return all we have until size == 0 or we empty storage */
+		ret = paged_results(handle);
+
+		/* we are done, if num_entries is zero free the storage
+		 * as that mean we delivered the last batch */
+		if (ac->store->num_entries == 0) {
+			talloc_free(ac->store);
+		}
+
+		return ret;
+	}
+
+	if (type == LDB_WAIT_ALL) {
+		while (ac->store->req->handle->state != LDB_ASYNC_DONE) {
+			ret = ldb_wait(ac->store->req->handle, type);
+			if (ret != LDB_SUCCESS) {
+				handle->state = LDB_ASYNC_DONE;
+				handle->status = ret;
+				return ret;
+			}
+		}
+
+		ret = paged_results(handle);
+
+		/* we are done, if num_entries is zero free the storage
+		 * as that mean we delivered the last batch */
+		if (ac->store->num_entries == 0) {
+			talloc_free(ac->store);
+		}
+
+		return ret;
+	}
+
+	ret = ldb_wait(ac->store->req->handle, type);
+	if (ret != LDB_SUCCESS) {
+		handle->state = LDB_ASYNC_DONE;
+		handle->status = ret;
+		return ret;
+	}
+
+	handle->status = ret;
+
+	if (ac->store->num_entries >= ac->size ||
+	    ac->store->req->handle->state == LDB_ASYNC_DONE) {
+
+		ret = paged_results(handle);
+
+		/* we are done, if num_entries is zero free the storage
+		 * as that mean we delivered the last batch */
+		if (ac->store->num_entries == 0) {
+			talloc_free(ac->store);
+		}
+	}
+
+	return ret;
+}
+
+static int paged_request_init(struct ldb_module *module)
+{
+	struct private_data *data;
+	struct ldb_request *req;
+	int ret;
+
+	data = talloc(module, struct private_data);
+	if (data == NULL) {
+		return LDB_ERR_OTHER;
+	}
+	
+	data->next_free_id = 1;
+	data->store = NULL;
+	module->private_data = data;
+
+	req = talloc(module, struct ldb_request);
+	if (req == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_REQ_REGISTER_CONTROL;
+	req->op.reg_control.oid = LDB_CONTROL_PAGED_RESULTS_OID;
+	req->controls = NULL;
+
+	ret = ldb_request(module->ldb, req);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "paged_request: Unable to register control with rootdse!\n");
+	}
+
+	talloc_free(req);
+	return ldb_next_init(module);
+}
+
+static const struct ldb_module_ops paged_ops = {
+	.name           = "paged_results",
+	.search         = paged_search,
+	.wait           = paged_wait,
+	.init_context 	= paged_request_init
+};
+
+int ldb_paged_results_init(void)
+{
+	return ldb_register_module(&paged_ops);
+}
+
diff --git a/source3/lib/ldb/modules/paged_searches.c b/source3/lib/ldb/modules/paged_searches.c
new file mode 100644
index 0000000000..99085d2764
--- /dev/null
+++ b/source3/lib/ldb/modules/paged_searches.c
@@ -0,0 +1,467 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005-2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: paged_searches
+ *
+ *  Component: ldb paged searches module
+ *
+ *  Description: this module detects if the remote ldap server supports
+ *               paged results and use them to transparently access all objects
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#define PS_DEFAULT_PAGE_SIZE 500
+/* 500 objects per query seem to be a decent compromise
+ * the default AD limit per request is 1000 entries */
+
+struct private_data {
+
+	bool paged_supported;
+};
+
+struct ps_context {
+	struct ldb_module *module;
+	void *up_context;
+	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+	struct ldb_request *orig_req;
+
+	struct ldb_request *new_req;
+
+	bool pending;
+
+	char **saved_referrals;
+	int num_referrals;
+};
+
+static struct ldb_handle *init_handle(void *mem_ctx, struct ldb_module *module,
+					    void *context,
+					    int (*callback)(struct ldb_context *, void *, struct ldb_reply *))
+{
+	struct ps_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(mem_ctx, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct ps_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->up_context = context;
+	ac->up_callback = callback;
+
+	ac->pending = False;
+	ac->saved_referrals = NULL;
+	ac->num_referrals = 0;
+
+	return h;
+}
+
+static int check_ps_continuation(struct ldb_reply *ares, struct ps_context *ac)
+{
+	struct ldb_paged_control *rep_control, *req_control;
+
+	/* look up our paged control */
+	if (!ares->controls || strcmp(LDB_CONTROL_PAGED_RESULTS_OID, ares->controls[0]->oid) != 0) {
+		/* something wrong here */
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	rep_control = talloc_get_type(ares->controls[0]->data, struct ldb_paged_control);
+	if (rep_control->cookie_len == 0) {
+		/* we are done */
+		ac->pending = False;
+		return LDB_SUCCESS;
+	}
+
+	/* more processing required */
+	/* let's fill in the request control with the new cookie */
+	/* if there's a reply control we must find a request
+	 * control matching it */
+
+	if (strcmp(LDB_CONTROL_PAGED_RESULTS_OID, ac->new_req->controls[0]->oid) != 0) {
+		/* something wrong here */
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req_control = talloc_get_type(ac->new_req->controls[0]->data, struct ldb_paged_control);
+
+	if (req_control->cookie) {
+		talloc_free(req_control->cookie);
+	}
+
+	req_control->cookie = talloc_memdup(req_control,
+					    rep_control->cookie,
+					    rep_control->cookie_len);
+	req_control->cookie_len = rep_control->cookie_len;
+
+	ac->pending = True;
+	return LDB_SUCCESS;
+}
+
+static int store_referral(char *referral, struct ps_context *ac)
+{
+	ac->saved_referrals = talloc_realloc(ac, ac->saved_referrals, char *, ac->num_referrals + 2);
+	if (!ac->saved_referrals) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->saved_referrals[ac->num_referrals] = talloc_strdup(ac->saved_referrals, referral);
+	if (!ac->saved_referrals[ac->num_referrals]) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->num_referrals++;
+	ac->saved_referrals[ac->num_referrals] = NULL;
+
+	return LDB_SUCCESS;
+}
+
+static int send_referrals(struct ldb_context *ldb, struct ps_context *ac)
+{
+	struct ldb_reply *ares;
+	int i;
+
+	for (i = 0; i < ac->num_referrals; i++) {
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+
+		ares->type = LDB_REPLY_REFERRAL;
+		ares->referral = ac->saved_referrals[i];
+
+		ac->up_callback(ldb, ac->up_context, ares);
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int ps_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct ps_context *ac = NULL;
+	int ret = LDB_ERR_OPERATIONS_ERROR;
+
+	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}
+
+	ac = talloc_get_type(context, struct ps_context);
+
+	switch (ares->type) {
+	case LDB_REPLY_ENTRY:
+		ac->up_callback(ldb, ac->up_context, ares);
+		break;
+
+	case LDB_REPLY_REFERRAL:
+		ret = store_referral(ares->referral, ac);
+		if (ret != LDB_SUCCESS) {
+			goto error;
+		}
+		break;
+
+	case LDB_REPLY_DONE:
+		ret = check_ps_continuation(ares, ac);
+		if (ret != LDB_SUCCESS) {
+			goto error;
+		}
+		if (!ac->pending) {
+			/* send referrals */
+			ret = send_referrals(ldb, ac);
+			if (ret != LDB_SUCCESS) {
+				goto error;
+			}
+
+			/* send REPLY_DONE */
+			ac->up_callback(ldb, ac->up_context, ares);
+		}
+		break;
+	default:
+		goto error;
+	}
+
+	return LDB_SUCCESS;
+
+error:
+	talloc_free(ares);
+	return ret;
+}
+
+static int ps_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct private_data *private_data;
+	struct ldb_paged_control *control;
+	struct ps_context *ac;
+	struct ldb_handle *h;
+
+	private_data = talloc_get_type(module->private_data, struct private_data);
+
+	/* check if paging is supported and if there is a any control */
+	if (!private_data || !private_data->paged_supported || req->controls) {
+		/* do not touch this request paged controls not
+		 * supported or explicit controls have been set or we
+		 * are just not setup yet */
+		return ldb_next_request(module, req);
+	}
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb,
+				  "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	h = init_handle(req, module, req->context, req->callback);
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct ps_context);
+
+	ac->new_req = talloc(ac, struct ldb_request);
+	if (!ac->new_req) return LDB_ERR_OPERATIONS_ERROR;
+
+	ac->new_req->controls = talloc_array(ac->new_req, struct ldb_control *, 2);
+	if (!ac->new_req->controls) return LDB_ERR_OPERATIONS_ERROR;
+
+	ac->new_req->controls[0] = talloc(ac->new_req->controls, struct ldb_control);
+	if (!ac->new_req->controls[0]) return LDB_ERR_OPERATIONS_ERROR;
+
+	control = talloc(ac->new_req->controls[0], struct ldb_paged_control);
+	if (!control) return LDB_ERR_OPERATIONS_ERROR;
+
+	control->size = PS_DEFAULT_PAGE_SIZE;
+	control->cookie = NULL;
+	control->cookie_len = 0;
+
+	ac->new_req->controls[0]->oid = LDB_CONTROL_PAGED_RESULTS_OID;
+	ac->new_req->controls[0]->critical = 1;
+	ac->new_req->controls[0]->data = control;
+
+	ac->new_req->controls[1] = NULL;
+
+	ac->new_req->operation = req->operation;
+	ac->new_req->op.search.base = req->op.search.base;
+	ac->new_req->op.search.scope = req->op.search.scope;
+	ac->new_req->op.search.tree = req->op.search.tree;
+	ac->new_req->op.search.attrs = req->op.search.attrs;
+	ac->new_req->context = ac;
+	ac->new_req->callback = ps_callback;
+	ldb_set_timeout_from_prev_req(module->ldb, req, ac->new_req);
+
+	req->handle = h;
+
+	return ldb_next_request(module, ac->new_req);
+}
+
+static int ps_continuation(struct ldb_handle *handle)
+{
+	struct ps_context *ac;
+
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac = talloc_get_type(handle->private_data, struct ps_context);
+
+	/* reset the requests handle */
+	ac->new_req->handle = NULL;
+
+	return ldb_next_request(handle->module, ac->new_req);
+}
+
+static int ps_wait_none(struct ldb_handle *handle)
+{
+	struct ps_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	ac = talloc_get_type(handle->private_data, struct ps_context);
+
+	ret = ldb_wait(ac->new_req->handle, LDB_WAIT_NONE);
+
+	if (ret != LDB_SUCCESS) {
+		handle->status = ret;
+		goto done;
+	}
+
+	if (ac->new_req->handle->status != LDB_SUCCESS) {
+		handle->status = ac->new_req->handle->status;
+		goto done;
+	}
+
+	if (ac->new_req->handle->state != LDB_ASYNC_DONE) {
+		return LDB_SUCCESS;
+	} 
+
+	/* see if we need to send another request for the next batch */
+	if (ac->pending) {
+		ret = ps_continuation(handle);
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+
+		/* continue the search with the next request */
+		return LDB_SUCCESS;
+	}
+
+	ret = LDB_SUCCESS;
+
+done:
+	handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int ps_wait_all(struct ldb_handle *handle)
+{
+	int ret;
+
+	while (handle->state != LDB_ASYNC_DONE) {
+		ret = ps_wait_none(handle);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	return handle->status;
+}
+
+static int ps_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (type == LDB_WAIT_ALL) {
+		return ps_wait_all(handle);
+	} else {
+		return ps_wait_none(handle);
+	}
+}
+
+static int check_supported_paged(struct ldb_context *ldb, void *context, 
+				 struct ldb_reply *ares) 
+{
+	struct private_data *data;
+	data = talloc_get_type(context,
+			       struct private_data);
+	if (ares->type == LDB_REPLY_ENTRY) {
+		if (ldb_msg_check_string_attribute(ares->message,
+						   "supportedControl",
+						   LDB_CONTROL_PAGED_RESULTS_OID)) {
+			data->paged_supported = True;
+		}
+	}
+	return LDB_SUCCESS;
+}
+
+
+static int ps_init(struct ldb_module *module)
+{
+	static const char *attrs[] = { "supportedControl", NULL };
+	struct private_data *data;
+	int ret;
+	struct ldb_request *req;
+
+	data = talloc(module, struct private_data);
+	if (data == NULL) {
+		return LDB_ERR_OTHER;
+	}
+	module->private_data = data;
+	data->paged_supported = False;
+
+	req = talloc(module, struct ldb_request);
+	if (req == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_SEARCH;
+	req->op.search.base = ldb_dn_new(req);
+	req->op.search.scope = LDB_SCOPE_BASE;
+
+	req->op.search.tree = ldb_parse_tree(req, "objectClass=*");
+	if (req->op.search.tree == NULL) {
+		ldb_set_errstring(module->ldb, "Unable to parse search expression");
+		talloc_free(req);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->op.search.attrs = attrs;
+	req->controls = NULL;
+	req->context = data;
+	req->callback = check_supported_paged;
+	ldb_set_timeout(module->ldb, req, 0); /* use default timeout */
+
+	ret = ldb_next_request(module, req);
+	
+	if (ret == LDB_SUCCESS) {
+		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+	}
+	
+	talloc_free(req);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	return ldb_next_init(module);
+}
+
+static const struct ldb_module_ops ps_ops = {
+	.name           = "paged_searches",
+	.search         = ps_search,
+	.wait           = ps_wait,
+	.init_context 	= ps_init
+};
+
+int ldb_paged_searches_init(void)
+{
+	return ldb_register_module(&ps_ops);
+}
+
diff --git a/source3/lib/ldb/modules/rdn_name.c b/source3/lib/ldb/modules/rdn_name.c
new file mode 100644
index 0000000000..af2d77d41f
--- /dev/null
+++ b/source3/lib/ldb/modules/rdn_name.c
@@ -0,0 +1,342 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Bartlet 2005
+   Copyright (C) Simo Sorce     2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: rdb_name
+ *
+ *  Component: ldb rdn name module
+ *
+ *  Description: keep a consistent name attribute on objects manpulations
+ *
+ *  Author: Andrew Bartlet
+ *
+ *  Modifications:
+ *    - made the module async
+ *      Simo Sorce Mar 2006
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+static struct ldb_message_element *rdn_name_find_attribute(const struct ldb_message *msg, const char *name)
+{
+	int i;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		if (ldb_attr_cmp(name, msg->elements[i].name) == 0) {
+			return &msg->elements[i];
+		}
+	}
+
+	return NULL;
+}
+
+static int rdn_name_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_request *down_req;
+	struct ldb_message *msg;
+	struct ldb_message_element *attribute;
+	const char *rdn_name;
+	struct ldb_val rdn_val;
+	int i, ret;
+
+	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "rdn_name_add_record\n");
+
+	/* do not manipulate our control entries */
+	if (ldb_dn_is_special(req->op.add.message->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	down_req = talloc(req, struct ldb_request);
+	if (down_req == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*down_req = *req;
+
+	down_req->op.add.message = msg = ldb_msg_copy_shallow(down_req, req->op.add.message);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	rdn_name = ldb_dn_get_rdn_name(msg->dn);
+	if (rdn_name == NULL) {
+		talloc_free(down_req);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	rdn_val = ldb_val_dup(msg, ldb_dn_get_rdn_val(msg->dn));
+	
+	/* Perhaps someone above us tried to set this? */
+	if ((attribute = rdn_name_find_attribute(msg, "name")) != NULL ) {
+		attribute->num_values = 0;
+	}
+
+	if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
+		talloc_free(down_req);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	attribute = rdn_name_find_attribute(msg, rdn_name);
+
+	if (!attribute) {
+		if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
+			talloc_free(down_req);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+	} else {
+		const struct ldb_attrib_handler *handler = ldb_attrib_handler(module->ldb, rdn_name);
+
+		for (i = 0; i < attribute->num_values; i++) {
+			if (handler->comparison_fn(module->ldb, msg, &rdn_val, &attribute->values[i]) == 0) {
+				/* overwrite so it matches in case */
+				attribute->values[i] = rdn_val;
+				break;
+			}
+		}
+		if (i == attribute->num_values) {
+			ldb_debug_set(module->ldb, LDB_DEBUG_FATAL, 
+				      "RDN mismatch on %s: %s (%s)", 
+				      ldb_dn_linearize(msg, msg->dn), rdn_name, rdn_val.data);
+			talloc_free(down_req);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+	}
+
+	/* go on with the call chain */
+	ret = ldb_next_request(module, down_req);
+
+	/* do not free down_req as the call results may be linked to it,
+	 * it will be freed when the upper level request get freed */
+	if (ret == LDB_SUCCESS) {
+		req->handle = down_req->handle;
+	}
+
+	return ret;
+}
+
+struct rename_context {
+
+	enum {RENAME_RENAME, RENAME_MODIFY} step;
+	struct ldb_request *orig_req;
+	struct ldb_request *down_req;
+	struct ldb_request *mod_req;
+};
+
+static int rdn_name_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_handle *h;
+	struct rename_context *ac;
+
+	ldb_debug(module->ldb, LDB_DEBUG_TRACE, "rdn_name_rename\n");
+
+	/* do not manipulate our control entries */
+	if (ldb_dn_is_special(req->op.rename.newdn)) {
+		return ldb_next_request(module, req);
+	}
+
+	h = talloc_zero(req, struct ldb_handle);
+	if (h == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct rename_context);
+	if (ac == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->orig_req = req;
+	ac->down_req = talloc(req, struct ldb_request);
+	if (ac->down_req == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*(ac->down_req) = *req;
+
+	ac->step = RENAME_RENAME;
+
+	req->handle = h;
+
+	/* rename first, modify "name" if rename is ok */
+	return ldb_next_request(module, ac->down_req);
+}
+
+static int rdn_name_rename_do_mod(struct ldb_handle *h) {
+
+	struct rename_context *ac;
+	const char *rdn_name;
+	struct ldb_val rdn_val;
+	struct ldb_message *msg;
+
+	ac = talloc_get_type(h->private_data, struct rename_context);
+
+	ac->mod_req = talloc_zero(ac, struct ldb_request);
+
+	ac->mod_req->operation = LDB_MODIFY;
+	ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
+	if (msg == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	msg->dn = ldb_dn_copy(msg, ac->orig_req->op.rename.newdn);
+	if (msg->dn == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	rdn_name = ldb_dn_get_rdn_name(ac->orig_req->op.rename.newdn);
+	if (rdn_name == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	rdn_val = ldb_val_dup(msg, ldb_dn_get_rdn_val(ac->orig_req->op.rename.newdn));
+	
+	if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ldb_set_timeout_from_prev_req(h->module->ldb, ac->orig_req, ac->mod_req);
+
+	ac->step = RENAME_MODIFY;
+
+	/* do the mod call */
+	return ldb_request(h->module->ldb, ac->mod_req);
+}
+
+static int rename_wait(struct ldb_handle *handle)
+{
+	struct rename_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		return handle->status;
+	}
+
+	handle->state = LDB_ASYNC_PENDING;
+	handle->status = LDB_SUCCESS;
+
+	ac = talloc_get_type(handle->private_data, struct rename_context);
+
+	switch(ac->step) {
+	case RENAME_RENAME:
+		ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->down_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->down_req->handle->status;
+			goto done;
+		}
+
+		if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		/* rename operation done */
+		return rdn_name_rename_do_mod(handle);
+
+	case RENAME_MODIFY:
+		ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
+		if (ret != LDB_SUCCESS) {
+			handle->status = ret;
+			goto done;
+		}
+		if (ac->mod_req->handle->status != LDB_SUCCESS) {
+			handle->status = ac->mod_req->handle->status;
+			goto done;
+		}
+
+		if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
+			return LDB_SUCCESS;
+		}
+
+		break;
+
+	default:
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	ret = LDB_SUCCESS;
+
+done:
+	handle->state = LDB_ASYNC_DONE;
+	return ret;
+}
+
+static int rename_wait_all(struct ldb_handle *handle) {
+
+	int ret;
+
+	while (handle->state != LDB_ASYNC_DONE) {
+		ret = rename_wait(handle);
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+
+	return handle->status;
+}
+
+static int rdn_name_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	if (type == LDB_WAIT_ALL) {
+		return rename_wait_all(handle);
+	} else {
+		return rename_wait(handle);
+	}
+}
+
+static const struct ldb_module_ops rdn_name_ops = {
+	.name              = "rdn_name",
+	.add               = rdn_name_add,
+	.rename            = rdn_name_rename,
+	.wait              = rdn_name_wait
+};
+
+
+int ldb_rdn_name_init(void)
+{
+	return ldb_register_module(&rdn_name_ops);
+}
diff --git a/source3/lib/ldb/modules/skel.c b/source3/lib/ldb/modules/skel.c
new file mode 100644
index 0000000000..be3cefc84e
--- /dev/null
+++ b/source3/lib/ldb/modules/skel.c
@@ -0,0 +1,136 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb skel module
+ *
+ *  Description: example module
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+struct private_data {
+
+	char *some_private_data;
+};
+
+/* search */
+static int skel_search(struct ldb_module *module, struct ldb_request *req)
+{
+	return ldb_next_request(module, req);
+}
+
+/* add */
+static int skel_add(struct ldb_module *module, struct ldb_request *req){
+	return ldb_next_request(module, req);
+}
+
+/* modify */
+static int skel_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	return ldb_next_request(module, req);
+}
+
+/* delete */
+static int skel_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	return ldb_next_request(module, req);
+}
+
+/* rename */
+static int skel_rename(struct ldb_module *module, struct ldb_request *req)
+{
+	return ldb_next_request(module, req);
+}
+
+/* start a transaction */
+static int skel_start_trans(struct ldb_module *module)
+{
+	return ldb_next_start_trans(module);
+}
+
+/* end a transaction */
+static int skel_end_trans(struct ldb_module *module)
+{
+	return ldb_next_end_trans(module);
+}
+
+/* delete a transaction */
+static int skel_del_trans(struct ldb_module *module)
+{
+	return ldb_next_del_trans(module);
+}
+
+static int skel_destructor(struct ldb_module *ctx)
+{
+	struct private_data *data = talloc_get_type(ctx->private_data, struct private_data);
+	/* put your clean-up functions here */
+	if (data->some_private_data) talloc_free(data->some_private_data);
+	return 0;
+}
+
+static int skel_request(struct ldb_module *module, struct ldb_request *req)
+{
+	return ldb_next_request(module, req);
+}
+
+static int skel_init(struct ldb_module *ctx)
+{
+	struct private_data *data;
+
+	data = talloc(ctx, struct private_data);
+	if (data == NULL) {
+		return 1;
+	}
+
+	data->some_private_data = NULL;
+	ctx->private_data = data;
+
+	talloc_set_destructor (ctx, skel_destructor);
+
+	return ldb_next_init(ctx);
+}
+
+static const struct ldb_module_ops skel_ops = {
+	.name		   = "skel",
+	.init_context	   = skel_init,
+	.search            = skel_search,
+	.add               = skel_add,
+	.modify            = skel_modify,
+	.del               = skel_delete,
+	.rename            = skel_rename,
+	.request      	   = skel_request,
+	.start_transaction = skel_start_trans,
+	.end_transaction   = skel_end_trans,
+	.del_transaction   = skel_del_trans,
+};
+
+int ldb_skel_init(void)
+{
+	return ldb_register_module(&skel_ops);
+}
diff --git a/source3/lib/ldb/modules/sort.c b/source3/lib/ldb/modules/sort.c
new file mode 100644
index 0000000000..9d82cae544
--- /dev/null
+++ b/source3/lib/ldb/modules/sort.c
@@ -0,0 +1,442 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldb server side sort control module
+ *
+ *  Description: this module sorts the results of a search
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+struct opaque {
+	struct ldb_context *ldb;
+	const struct ldb_attrib_handler *h;
+	const char *attribute;
+	int reverse;
+	int result;
+};
+
+struct sort_context {
+	struct ldb_module *module;
+	void *up_context;
+	int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
+
+	char *attributeName;
+	char *orderingRule;
+	int reverse;
+
+	struct ldb_request *req;
+	struct ldb_message **msgs;
+	char **referrals;
+	struct ldb_control **controls;
+	int num_msgs;
+	int num_refs;
+
+	const struct ldb_attrib_handler *h;
+	int sort_result;
+};
+
+static struct ldb_handle *init_handle(void *mem_ctx, struct ldb_module *module,
+					    void *context,
+					    int (*callback)(struct ldb_context *, void *, struct ldb_reply *))
+{
+	struct sort_context *ac;
+	struct ldb_handle *h;
+
+	h = talloc_zero(mem_ctx, struct ldb_handle);
+	if (h == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		return NULL;
+	}
+
+	h->module = module;
+
+	ac = talloc_zero(h, struct sort_context);
+	if (ac == NULL) {
+		ldb_set_errstring(module->ldb, "Out of Memory");
+		talloc_free(h);
+		return NULL;
+	}
+
+	h->private_data = (void *)ac;
+
+	h->state = LDB_ASYNC_INIT;
+	h->status = LDB_SUCCESS;
+
+	ac->module = module;
+	ac->up_context = context;
+	ac->up_callback = callback;
+
+	return h;
+}
+
+static int build_response(void *mem_ctx, struct ldb_control ***ctrls, int result, const char *desc)
+{
+	struct ldb_control **controls;
+	struct ldb_sort_resp_control *resp;
+	int i;
+
+	if (*ctrls) {
+		controls = *ctrls;
+		for (i = 0; controls[i]; i++);
+		controls = talloc_realloc(mem_ctx, controls, struct ldb_control *, i + 2);
+	} else {
+		i = 0;
+		controls = talloc_array(mem_ctx, struct ldb_control *, 2);
+	}
+	if (! controls )
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	*ctrls = controls;
+
+	controls[i+1] = NULL;
+	controls[i] = talloc(controls, struct ldb_control);
+	if (! controls[i] )
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	controls[i]->oid = LDB_CONTROL_SORT_RESP_OID;
+	controls[i]->critical = 0;
+
+	resp = talloc(controls[i], struct ldb_sort_resp_control);
+	if (! resp )
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	resp->result = result;
+	resp->attr_desc = talloc_strdup(resp, desc);
+
+	if (! resp->attr_desc )
+		return LDB_ERR_OPERATIONS_ERROR;
+	
+	controls[i]->data = resp;
+
+	return LDB_SUCCESS;
+}
+
+static int sort_compare(struct ldb_message **msg1, struct ldb_message **msg2, void *opaque)
+{
+	struct sort_context *ac = talloc_get_type(opaque, struct sort_context);
+	struct ldb_message_element *el1, *el2;
+
+	if (ac->sort_result != 0) {
+		/* an error occurred previously,
+		 * let's exit the sorting by returning always 0 */
+		return 0;
+	}
+
+	el1 = ldb_msg_find_element(*msg1, ac->attributeName);
+	el2 = ldb_msg_find_element(*msg2, ac->attributeName);
+
+	if (!el1 || !el2) {
+		/* the attribute was not found return and
+		 * set an error */
+		ac->sort_result = 53;
+		return 0;
+	}
+
+	if (ac->reverse)
+		return ac->h->comparison_fn(ac->module->ldb, ac, &el2->values[0], &el1->values[0]);
+
+	return ac->h->comparison_fn(ac->module->ldb, ac, &el1->values[0], &el2->values[0]);
+}
+
+static int server_sort_search_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct sort_context *ac = NULL;
+	
+ 	if (!context || !ares) {
+		ldb_set_errstring(ldb, "NULL Context or Result in callback");
+		goto error;
+	}	
+
+       	ac = talloc_get_type(context, struct sort_context);
+
+	if (ares->type == LDB_REPLY_ENTRY) {
+		ac->msgs = talloc_realloc(ac, ac->msgs, struct ldb_message *, ac->num_msgs + 2);
+		if (! ac->msgs) {
+			goto error;
+		}
+
+		ac->msgs[ac->num_msgs + 1] = NULL;
+
+		ac->msgs[ac->num_msgs] = talloc_move(ac->msgs, &ares->message);
+		ac->num_msgs++;
+	}
+
+	if (ares->type == LDB_REPLY_REFERRAL) {
+		ac->referrals = talloc_realloc(ac, ac->referrals, char *, ac->num_refs + 2);
+		if (! ac->referrals) {
+			goto error;
+		}
+
+		ac->referrals[ac->num_refs + 1] = NULL;
+		ac->referrals[ac->num_refs] = talloc_move(ac->referrals, &ares->referral);
+
+		ac->num_refs++;
+	}
+
+	if (ares->type == LDB_REPLY_DONE) {
+		ac->controls = talloc_move(ac, &ares->controls);
+	}
+
+	talloc_free(ares);
+	return LDB_SUCCESS;
+
+error:
+	talloc_free(ares);
+	return LDB_ERR_OPERATIONS_ERROR;
+}
+
+static int server_sort_search(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_control *control;
+	struct ldb_server_sort_control **sort_ctrls;
+	struct ldb_control **saved_controls;
+	struct sort_context *ac;
+	struct ldb_handle *h;
+	int ret;
+
+	/* check if there's a paged request control */
+	control = get_control_from_list(req->controls, LDB_CONTROL_SERVER_SORT_OID);
+	if (control == NULL) {
+		/* not found go on */
+		return ldb_next_request(module, req);
+	}
+
+	req->handle = NULL;
+
+	if (!req->callback || !req->context) {
+		ldb_set_errstring(module->ldb,
+				  "Async interface called with NULL callback function or NULL context");
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	h = init_handle(req, module, req->context, req->callback);
+	if (!h) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	ac = talloc_get_type(h->private_data, struct sort_context);
+
+	sort_ctrls = talloc_get_type(control->data, struct ldb_server_sort_control *);
+	if (!sort_ctrls) {
+		return LDB_ERR_PROTOCOL_ERROR;
+	}
+
+	/* FIXME: we do not support more than one attribute for sorting right now */
+	/* FIXME: we need to check if the attribute type exist or return an error */
+		
+	if (sort_ctrls[1] != NULL) {
+		if (control->critical) {
+			struct ldb_reply *ares;
+
+			ares = talloc_zero(req, struct ldb_reply);
+			if (!ares)
+				return LDB_ERR_OPERATIONS_ERROR;
+
+			/* 53 = unwilling to perform */
+			ares->type = LDB_REPLY_DONE;
+			if ((ret = build_response(ares, &ares->controls, 53, "sort control is not complete yet")) != LDB_SUCCESS) {
+				return ret;
+			}
+
+			h->status = LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION;
+			h->state = LDB_ASYNC_DONE;
+			ret = ac->up_callback(module->ldb, ac->up_context, ares);
+
+			return ret;
+		} else {
+			/* just pass the call down and don't do any sorting */
+			ldb_next_request(module, req);
+		}
+	}
+
+	ac->attributeName = sort_ctrls[0]->attributeName;
+	ac->orderingRule = sort_ctrls[0]->orderingRule;
+	ac->reverse = sort_ctrls[0]->reverse;
+
+	ac->req = talloc(req, struct ldb_request);
+	if (!ac->req)
+		return LDB_ERR_OPERATIONS_ERROR;
+
+	ac->req->operation = req->operation;
+	ac->req->op.search.base = req->op.search.base;
+	ac->req->op.search.scope = req->op.search.scope;
+	ac->req->op.search.tree = req->op.search.tree;
+	ac->req->op.search.attrs = req->op.search.attrs;
+	ac->req->controls = req->controls;
+
+	/* save it locally and remove it from the list */
+	/* we do not need to replace them later as we
+	 * are keeping the original req intact */
+	if (!save_controls(control, ac->req, &saved_controls)) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac->req->context = ac;
+	ac->req->callback = server_sort_search_callback;
+	ldb_set_timeout_from_prev_req(module->ldb, req, ac->req);
+
+	req->handle = h;
+
+	return ldb_next_request(module, ac->req);
+}
+
+static int server_sort_results(struct ldb_handle *handle)
+{
+	struct sort_context *ac;
+	struct ldb_reply *ares;
+	int i, ret;
+
+	ac = talloc_get_type(handle->private_data, struct sort_context);
+
+	ac->h = ldb_attrib_handler(ac->module->ldb, ac->attributeName);
+	ac->sort_result = 0;
+
+	ldb_qsort(ac->msgs, ac->num_msgs,
+		  sizeof(struct ldb_message *),
+		  ac, (ldb_qsort_cmp_fn_t)sort_compare);
+
+	for (i = 0; i < ac->num_msgs; i++) {
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			return handle->status;
+		}
+
+		ares->type = LDB_REPLY_ENTRY;
+		ares->message = talloc_move(ares, &ac->msgs[i]);
+		
+		handle->status = ac->up_callback(ac->module->ldb, ac->up_context, ares);
+		if (handle->status != LDB_SUCCESS) {
+			return handle->status;
+		}
+	}
+
+	for (i = 0; i < ac->num_refs; i++) {
+		ares = talloc_zero(ac, struct ldb_reply);
+		if (!ares) {
+			handle->status = LDB_ERR_OPERATIONS_ERROR;
+			return handle->status;
+		}
+
+		ares->type = LDB_REPLY_REFERRAL;
+		ares->referral = talloc_move(ares, &ac->referrals[i]);
+		
+		handle->status = ac->up_callback(ac->module->ldb, ac->up_context, ares);
+		if (handle->status != LDB_SUCCESS) {
+			return handle->status;
+		}
+	}
+
+	ares = talloc_zero(ac, struct ldb_reply);
+	if (!ares) {
+		handle->status = LDB_ERR_OPERATIONS_ERROR;
+		return handle->status;
+	}
+
+	ares->type = LDB_REPLY_DONE;
+	ares->controls = talloc_move(ares, &ac->controls);
+		
+	handle->status = ac->up_callback(ac->module->ldb, ac->up_context, ares);
+	if (handle->status != LDB_SUCCESS) {
+		return handle->status;
+	}
+
+	if ((ret = build_response(ac, &ac->controls, ac->sort_result, "sort control is not complete yet")) != LDB_SUCCESS) {
+		return ret;
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int server_sort_wait(struct ldb_handle *handle, enum ldb_wait_type type)
+{
+	struct sort_context *ac;
+	int ret;
+    
+	if (!handle || !handle->private_data) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ac = talloc_get_type(handle->private_data, struct sort_context);
+
+	ret = ldb_wait(ac->req->handle, type);
+
+	if (ret != LDB_SUCCESS) {
+		handle->status = ret;
+		return ret;
+	}
+		
+	handle->state = ac->req->handle->state;
+	handle->status = ac->req->handle->status;
+
+	if (handle->status != LDB_SUCCESS) {
+		return handle->status;
+	}
+
+	if (handle->state == LDB_ASYNC_DONE) {
+		ret = server_sort_results(handle);
+	}
+
+	return ret;
+}
+
+static int server_sort_init(struct ldb_module *module)
+{
+	struct ldb_request *req;
+	int ret;
+
+	req = talloc(module, struct ldb_request);
+	if (req == NULL) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	req->operation = LDB_REQ_REGISTER_CONTROL;
+	req->op.reg_control.oid = LDB_CONTROL_SERVER_SORT_OID;
+	req->controls = NULL;
+
+	ret = ldb_request(module->ldb, req);
+	if (ret != LDB_SUCCESS) {
+		ldb_debug(module->ldb, LDB_DEBUG_WARNING, "server_sort: Unable to register control with rootdse!\n");
+	}
+
+	talloc_free(req);
+	return ldb_next_init(module);
+}
+
+static const struct ldb_module_ops server_sort_ops = {
+	.name		   = "server_sort",
+	.search            = server_sort_search,
+	.wait              = server_sort_wait,
+	.init_context	   = server_sort_init
+};
+
+int ldb_sort_init(void)
+{
+	return ldb_register_module(&server_sort_ops);
+}
diff --git a/source3/lib/ldb/nssldb/README.txt b/source3/lib/ldb/nssldb/README.txt
new file mode 100644
index 0000000000..ddba62b380
--- /dev/null
+++ b/source3/lib/ldb/nssldb/README.txt
@@ -0,0 +1,34 @@
+
+This test code requires a tdb that is configured for to use the asq module.
+You can do that adding the following record to a tdb:
+
+dn: @MODULES
+@LIST: asq
+
+Other modules can be used as well (like rdn_name for example)
+
+The uidNumber 0 and the gidNumber 0 are considered invalid.
+
+The user records should contain the followin attributes:
+uid (required)			the user name
+userPassword (optional)		the user password (if not present "LDB" is
+				returned in the password field)
+uidNumber (required)		the user uid
+gidNumber (required)		the user primary gid
+gecos (optional)		the GECOS
+homeDirectory (required)	the home directory
+loginShell (required)		the login shell
+memberOf (required)		all the groups the user is member of should
+				be reported here using their DNs. The
+				primary group as well.
+
+The group accounts should contain the following attributes:
+cn (required)			the group name
+uesrPassword (optional)		the group password (if not present "LDB" is
+				returned in the password field)
+gidNumber (required)		the group gid
+member (optional)		the DNs of the member users, also the ones
+				that have this group as primary
+
+
+SSS
diff --git a/source3/lib/ldb/nssldb/ldb-grp.c b/source3/lib/ldb/nssldb/ldb-grp.c
new file mode 100644
index 0000000000..71e27a9161
--- /dev/null
+++ b/source3/lib/ldb/nssldb/ldb-grp.c
@@ -0,0 +1,425 @@
+/* 
+   LDB nsswitch module
+
+   Copyright (C) Simo Sorce 2006
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+   
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Library General Public License for more details.
+   
+   You should have received a copy of the GNU Lesser General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "ldb-nss.h"
+
+extern struct _ldb_nss_context *_ldb_nss_ctx;
+
+const char *_ldb_nss_gr_attrs[] = {
+	"cn",
+	"userPassword",
+	"gidNumber",
+	NULL
+};
+
+const char *_ldb_nss_mem_attrs[] = {
+	"uid",
+	NULL
+};
+
+#define _NSS_LDB_ENOMEM(amem) \
+	do { \
+		if ( ! amem) { \
+			errno = ENOMEM; \
+			talloc_free(memctx); \
+			return NSS_STATUS_UNAVAIL; \
+		} \
+	} while(0)
+
+/* This setgrent, getgrent, endgrent is not very efficient */
+
+NSS_STATUS _nss_ldb_setgrent(void)
+{
+	int ret;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	_ldb_nss_ctx->gr_cur = 0;
+	if (_ldb_nss_ctx->gr_res != NULL) {
+		talloc_free(_ldb_nss_ctx->gr_res);
+		_ldb_nss_ctx->gr_res = NULL;
+	}
+
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 _LDB_NSS_GRENT_FILTER,
+			 _ldb_nss_gr_attrs,
+			 &_ldb_nss_ctx->gr_res);
+	if (ret != LDB_SUCCESS) {
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_endgrent(void)
+{
+	int ret;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	_ldb_nss_ctx->gr_cur = 0;
+	if (_ldb_nss_ctx->gr_res) {
+		talloc_free(_ldb_nss_ctx->gr_res);
+		_ldb_nss_ctx->gr_res = NULL;
+	}
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_getgrent_r(struct group *result_buf, char *buffer, size_t buflen, int *errnop)
+{
+	int ret;
+	struct ldb_result *res;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	*errnop = 0;
+
+	if (_ldb_nss_ctx->gr_cur >= _ldb_nss_ctx->gr_res->count) {
+		/* already returned all entries */
+		return NSS_STATUS_NOTFOUND;
+	}
+
+	res = talloc_zero(_ldb_nss_ctx->gr_res, struct ldb_result);
+	if ( ! res) {
+		errno = *errnop = ENOMEM;
+		_ldb_nss_ctx->gr_cur++; /* skip this entry */
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	ret = _ldb_nss_group_request(&res,
+				_ldb_nss_ctx->gr_res->msgs[_ldb_nss_ctx->gr_cur]->dn, 
+				_ldb_nss_mem_attrs,
+				"member");
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		*errnop = errno;
+		talloc_free(res);
+		_ldb_nss_ctx->gr_cur++; /* skip this entry */
+		return ret;
+	}
+
+	ret = _ldb_nss_fill_group(result_buf,
+				buffer,
+				buflen,
+				errnop,
+				_ldb_nss_ctx->gr_res->msgs[_ldb_nss_ctx->gr_cur],
+				res);
+
+	talloc_free(res);
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		if (ret != NSS_STATUS_TRYAGAIN) {
+			_ldb_nss_ctx->gr_cur++; /* skip this entry */
+		}
+		return ret;
+	}
+
+	/* this entry is ok, increment counter to nex entry */
+	_ldb_nss_ctx->gr_cur++;
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_getgrnam_r(const char *name, struct group *result_buf, char *buffer, size_t buflen, int *errnop)
+{
+	int ret;
+	char *filter;
+	TALLOC_CTX *ctx;
+	struct ldb_result *gr_res;
+	struct ldb_result *mem_res;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	ctx = talloc_new(_ldb_nss_ctx->ldb);
+	if ( ! ctx) {
+		*errnop = errno = ENOMEM;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	/* build the filter for this uid */
+	filter = talloc_asprintf(ctx, _LDB_NSS_GRNAM_FILTER, name);
+	if (filter == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOMEM;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* search the entry */
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 filter,
+			 _ldb_nss_gr_attrs,
+			 &gr_res);
+	if (ret != LDB_SUCCESS) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	talloc_steal(ctx, gr_res);
+
+	/* if none found return */
+	if (gr_res->count == 0) {
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_NOTFOUND;
+		goto done;
+	}
+
+	if (gr_res->count != 1) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	mem_res = talloc_zero(ctx, struct ldb_result);
+	if ( ! mem_res) {
+		errno = *errnop = ENOMEM;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	ret = _ldb_nss_group_request(&mem_res,
+					gr_res->msgs[0]->dn,
+					_ldb_nss_mem_attrs,
+					"member");
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		*errnop = errno;
+		goto done;
+	}
+
+	ret = _ldb_nss_fill_group(result_buf,
+				buffer,
+				buflen,
+				errnop,
+				gr_res->msgs[0],
+				mem_res);
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		goto done;
+	}
+
+	ret = NSS_STATUS_SUCCESS;
+done:
+	talloc_free(ctx);
+	return ret;
+}
+
+NSS_STATUS _nss_ldb_getgrgid_r(gid_t gid, struct group *result_buf, char *buffer, size_t buflen, int *errnop)
+{
+	int ret;
+	char *filter;
+	TALLOC_CTX *ctx;
+	struct ldb_result *gr_res;
+	struct ldb_result *mem_res;
+
+	if (gid == 0) { /* we don't serve root gid by policy */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_NOTFOUND;
+	}
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	ctx = talloc_new(_ldb_nss_ctx->ldb);
+	if ( ! ctx) {
+		*errnop = errno = ENOMEM;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	/* build the filter for this uid */
+	filter = talloc_asprintf(ctx, _LDB_NSS_GRGID_FILTER, gid);
+	if (filter == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOMEM;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* search the entry */
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 filter,
+			 _ldb_nss_gr_attrs,
+			 &gr_res);
+	if (ret != LDB_SUCCESS) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	talloc_steal(ctx, gr_res);
+
+	/* if none found return */
+	if (gr_res->count == 0) {
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_NOTFOUND;
+		goto done;
+	}
+
+	if (gr_res->count != 1) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	mem_res = talloc_zero(ctx, struct ldb_result);
+	if ( ! mem_res) {
+		errno = *errnop = ENOMEM;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	ret = _ldb_nss_group_request(&mem_res,
+					gr_res->msgs[0]->dn,
+					_ldb_nss_mem_attrs,
+					"member");
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		*errnop = errno;
+		goto done;
+	}
+
+	ret = _ldb_nss_fill_group(result_buf,
+				buffer,
+				buflen,
+				errnop,
+				gr_res->msgs[0],
+				mem_res);
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		goto done;
+	}
+
+	ret = NSS_STATUS_SUCCESS;
+done:
+	talloc_free(ctx);
+	return ret;
+}
+
+NSS_STATUS _nss_ldb_initgroups_dyn(const char *user, gid_t group, long int *start, long int *size, gid_t **groups, long int limit, int *errnop)
+{
+	int ret;
+	char *filter;
+	const char * attrs[] = { "uidNumber", "gidNumber", NULL };
+	struct ldb_result *uid_res;
+	struct ldb_result *mem_res;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	mem_res = talloc_zero(_ldb_nss_ctx, struct ldb_result);
+	if ( ! mem_res) {
+		errno = *errnop = ENOMEM;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	/* build the filter for this name */
+	filter = talloc_asprintf(mem_res, _LDB_NSS_PWNAM_FILTER, user);
+	if (filter == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* search the entry */
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 filter,
+			 attrs,
+			 &uid_res);
+	if (ret != LDB_SUCCESS) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	talloc_steal(mem_res, uid_res);
+
+	/* if none found return */
+	if (uid_res->count == 0) {
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_NOTFOUND;
+		goto done;
+	}
+
+	if (uid_res->count != 1) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	ret = _ldb_nss_group_request(&mem_res,
+					uid_res->msgs[0]->dn,
+					attrs,
+					"memberOf");
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		*errnop = errno;
+		goto done;
+	}
+
+	ret = _ldb_nss_fill_initgr(group,
+				limit,
+				start,
+				size,
+				groups,
+				errnop,
+				mem_res);
+
+	if (ret != NSS_STATUS_SUCCESS) {
+		goto done;
+	}
+
+	ret = NSS_STATUS_SUCCESS;
+
+done:
+	talloc_free(mem_res);
+	return ret;
+}
diff --git a/source3/lib/ldb/nssldb/ldb-nss.c b/source3/lib/ldb/nssldb/ldb-nss.c
new file mode 100644
index 0000000000..0e5850eab3
--- /dev/null
+++ b/source3/lib/ldb/nssldb/ldb-nss.c
@@ -0,0 +1,400 @@
+/* 
+   LDB nsswitch module
+
+   Copyright (C) Simo Sorce 2006
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+   
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Library General Public License for more details.
+   
+   You should have received a copy of the GNU Lesser General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "ldb-nss.h"
+
+struct _ldb_nss_context *_ldb_nss_ctx = NULL;
+
+NSS_STATUS _ldb_nss_init(void)
+{
+	int ret;
+
+	pid_t mypid = getpid();
+
+	if (_ldb_nss_ctx != NULL) {
+		if (_ldb_nss_ctx->pid == mypid) {
+			/* already initialized */
+			return NSS_STATUS_SUCCESS;
+		} else {
+			/* we are in a forked child now, reinitialize */
+			talloc_free(_ldb_nss_ctx);
+			_ldb_nss_ctx = NULL;
+		}
+	}
+		
+	_ldb_nss_ctx = talloc_named(NULL, 0, "_ldb_nss_ctx(%u)", mypid);
+	if (_ldb_nss_ctx == NULL) {
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	_ldb_nss_ctx->pid = mypid;
+
+	ret = ldb_global_init();
+	if (ret != 0) {
+		goto failed;
+	}
+
+	_ldb_nss_ctx->ldb = ldb_init(_ldb_nss_ctx);
+	if (_ldb_nss_ctx->ldb == NULL) {
+		goto failed;
+	}
+
+	ret = ldb_connect(_ldb_nss_ctx->ldb, _LDB_NSS_URL, LDB_FLG_RDONLY, NULL);
+	if (ret != LDB_SUCCESS) {
+		goto failed;
+	}
+
+	_ldb_nss_ctx->base = ldb_dn_explode(_ldb_nss_ctx, _LDB_NSS_BASEDN);
+	if (_ldb_nss_ctx->base == NULL) {
+		goto failed;
+	}
+
+	_ldb_nss_ctx->pw_cur = 0;
+	_ldb_nss_ctx->pw_res = NULL;
+	_ldb_nss_ctx->gr_cur = 0;
+	_ldb_nss_ctx->gr_res = NULL;
+
+	return NSS_STATUS_SUCCESS;
+
+failed:
+	/* talloc_free(_ldb_nss_ctx); */
+	_ldb_nss_ctx = NULL;
+	return NSS_STATUS_UNAVAIL;
+}
+
+NSS_STATUS _ldb_nss_fill_passwd(struct passwd *result,
+				char *buffer,
+				int buflen,
+				int *errnop,
+				struct ldb_message *msg)
+{
+	int len;
+	int bufpos;
+	const char *tmp;
+
+	bufpos = 0;
+
+	/* get username */
+	tmp = ldb_msg_find_attr_as_string(msg, "uid", NULL);
+	if (tmp == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->pw_name = &buffer[bufpos];
+	bufpos += len;
+
+	/* get userPassword */
+	tmp = ldb_msg_find_attr_as_string(msg, "userPassword", NULL);
+	if (tmp == NULL) {
+		tmp = "LDB";
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->pw_passwd = &buffer[bufpos];
+	bufpos += len;
+
+	/* this backend never serves an uid 0 user */
+	result->pw_uid = ldb_msg_find_attr_as_int(msg, "uidNumber", 0);
+	if (result->pw_uid == 0) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	result->pw_gid = ldb_msg_find_attr_as_int(msg, "gidNumber", 0);
+	if (result->pw_gid == 0) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	/* get gecos */
+	tmp = ldb_msg_find_attr_as_string(msg, "gecos", NULL);
+	if (tmp == NULL) {
+		tmp = "";
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->pw_gecos = &buffer[bufpos];
+	bufpos += len;
+
+	/* get homeDirectory */
+	tmp = ldb_msg_find_attr_as_string(msg, "homeDirectory", NULL);
+	if (tmp == NULL) {
+		tmp = "";
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->pw_dir = &buffer[bufpos];
+	bufpos += len;
+
+	/* get shell */
+	tmp = ldb_msg_find_attr_as_string(msg, "loginShell", NULL);
+	if (tmp == NULL) {
+		tmp = "";
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->pw_shell = &buffer[bufpos];
+	bufpos += len;
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _ldb_nss_fill_group(struct group *result,
+				char *buffer,
+				int buflen,
+				int *errnop,
+				struct ldb_message *group,
+				struct ldb_result *members)
+{
+	const char *tmp;
+	size_t len;
+	size_t bufpos;
+	size_t lsize;
+	int i;
+
+	bufpos = 0;
+
+	/* get group name */
+	tmp = ldb_msg_find_attr_as_string(group, "cn", NULL);
+	if (tmp == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->gr_name = &buffer[bufpos];
+	bufpos += len;
+
+	/* get userPassword */
+	tmp = ldb_msg_find_attr_as_string(group, "userPassword", NULL);
+	if (tmp == NULL) {
+		tmp = "LDB";
+	}
+	len = strlen(tmp)+1;
+	if (bufpos + len > buflen) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	}
+	memcpy(&buffer[bufpos], tmp, len);
+	result->gr_passwd = &buffer[bufpos];
+	bufpos += len;
+
+	result->gr_gid = ldb_msg_find_attr_as_int(group, "gidNumber", 0);
+	if (result->gr_gid == 0) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	/* check if there is enough memory for the list of pointers */
+	lsize = (members->count + 1) * sizeof(char *);
+
+	/* align buffer on pointer boundary */
+	bufpos += (sizeof(char*) - ((unsigned long)(buffer) % sizeof(char*)));
+	if ((buflen - bufpos) < lsize) {
+		/* buffer too small */
+		*errnop = errno = EAGAIN;
+		return NSS_STATUS_TRYAGAIN;
+	} 
+
+	result->gr_mem = (char **)&buffer[bufpos];
+	bufpos += lsize;
+
+	for (i = 0; i < members->count; i++) {
+		tmp = ldb_msg_find_attr_as_string(members->msgs[i], "uid", NULL);
+		if (tmp == NULL) {
+			/* this is a fatal error */
+			*errnop = errno = ENOENT;
+			return NSS_STATUS_UNAVAIL;
+		}
+		len = strlen(tmp)+1;
+		if (bufpos + len > buflen) {
+			/* buffer too small */
+			*errnop = errno = EAGAIN;
+			return NSS_STATUS_TRYAGAIN;
+		}
+		memcpy(&buffer[bufpos], tmp, len);
+		result->gr_mem[i] = &buffer[bufpos];
+		bufpos += len;
+	}
+
+	result->gr_mem[i] = NULL;
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _ldb_nss_fill_initgr(gid_t group,
+				long int limit,
+				long int *start,
+				long int *size,
+				gid_t **groups,
+				int *errnop,
+				struct ldb_result *grlist)
+{
+	NSS_STATUS ret;
+	int i;
+
+	for (i = 0; i < grlist->count; i++) {
+
+		if (limit && (*start > limit)) {
+			/* TODO: warn no all groups were reported */
+			*errnop = 0;
+			ret = NSS_STATUS_SUCCESS;
+			goto done;
+		}
+
+		if (*start == *size) {
+			/* buffer full, enlarge it */
+			long int gs;
+			gid_t *gm;
+
+			gs = (*size) + 32;
+			if (limit && (gs > limit)) {
+				gs = limit;
+			}
+
+			gm = (gid_t *)realloc((*groups), gs * sizeof(gid_t));
+			if ( ! gm) {
+				*errnop = ENOMEM;
+				ret = NSS_STATUS_UNAVAIL;
+				goto done;
+			}
+
+			*groups = gm;
+			*size = gs;
+		}
+
+		(*groups)[*start] = ldb_msg_find_attr_as_int(grlist->msgs[i], "gidNumber", 0);
+		if ((*groups)[*start] == 0 || (*groups)[*start] == group) {
+			/* skip root group or primary group */
+			continue;
+		}
+		(*start)++;
+
+	}
+
+	*errnop = 0;
+	ret = NSS_STATUS_SUCCESS;
+done:
+	return ret;
+}
+
+#define _LDB_NSS_ALLOC_CHECK(mem) do { if (!mem) { errno = ENOMEM; return NSS_STATUS_UNAVAIL; } } while(0)
+
+NSS_STATUS _ldb_nss_group_request(struct ldb_result **_res,
+					struct ldb_dn *group_dn,
+					const char * const *attrs,
+					const char *mattr)
+{
+	struct ldb_control **ctrls;
+	struct ldb_control *ctrl;
+	struct ldb_asq_control *asqc;
+	struct ldb_request *req;
+	int ret;
+	struct ldb_result *res = *_res;
+
+	ctrls = talloc_array(res, struct ldb_control *, 2);
+	_LDB_NSS_ALLOC_CHECK(ctrls);
+
+	ctrl = talloc(ctrls, struct ldb_control);
+	_LDB_NSS_ALLOC_CHECK(ctrl);
+
+	asqc = talloc(ctrl, struct ldb_asq_control);
+	_LDB_NSS_ALLOC_CHECK(asqc);
+
+	asqc->source_attribute = talloc_strdup(asqc, mattr);
+	_LDB_NSS_ALLOC_CHECK(asqc->source_attribute);
+
+	asqc->request = 1;
+	asqc->src_attr_len = strlen(asqc->source_attribute);
+	ctrl->oid = LDB_CONTROL_ASQ_OID;
+	ctrl->critical = 1;
+	ctrl->data = asqc;
+	ctrls[0] = ctrl;
+	ctrls[1] = NULL;
+
+	ret = ldb_build_search_req(
+				&req,
+				_ldb_nss_ctx->ldb,
+				res,
+				group_dn,
+				LDB_SCOPE_BASE,
+				"(objectClass=*)",
+				attrs,
+				ctrls,
+				res,
+				ldb_search_default_callback);
+	
+	if (ret != LDB_SUCCESS) {
+		errno = ENOENT;
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	ldb_set_timeout(_ldb_nss_ctx->ldb, req, 0);
+
+	ret = ldb_request(_ldb_nss_ctx->ldb, req);
+
+	if (ret == LDB_SUCCESS) {
+		ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+	} else {
+		talloc_free(req);
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	talloc_free(req);
+	return NSS_STATUS_SUCCESS;
+}
+
diff --git a/source3/lib/ldb/nssldb/ldb-nss.h b/source3/lib/ldb/nssldb/ldb-nss.h
new file mode 100644
index 0000000000..1b1866abb9
--- /dev/null
+++ b/source3/lib/ldb/nssldb/ldb-nss.h
@@ -0,0 +1,84 @@
+/* 
+   LDB nsswitch module
+
+   Copyright (C) Simo Sorce 2006
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+   
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Library General Public License for more details.
+   
+   You should have received a copy of the GNU Lesser General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LDB_NSS
+#define _LDB_NSS
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include <nss.h>
+#include <pwd.h>
+#include <grp.h>
+
+#define _LDB_NSS_URL "etc/users.ldb"
+#define _LDB_NSS_BASEDN "CN=Users,CN=System"
+#define _LDB_NSS_PWENT_FILTER "(&(objectClass=posixAccount)(!(uidNumber=0))(!(gidNumber=0)))"
+#define _LDB_NSS_PWUID_FILTER "(&(objectClass=posixAccount)(uidNumber=%d)(!(gidNumber=0)))"
+#define _LDB_NSS_PWNAM_FILTER "(&(objectClass=posixAccount)(uid=%s)(!(uidNumber=0))(!(gidNumber=0)))"
+
+#define _LDB_NSS_GRENT_FILTER "(&(objectClass=posixGroup)(!(gidNumber=0)))"
+#define _LDB_NSS_GRGID_FILTER "(&(objectClass=posixGroup)(gidNumber=%d)))"
+#define _LDB_NSS_GRNAM_FILTER "(&(objectClass=posixGroup)(cn=%s)(!(gidNumber=0)))"
+
+typedef enum nss_status NSS_STATUS;
+
+struct _ldb_nss_context {
+
+	pid_t pid;
+
+	struct ldb_context *ldb;
+	const struct ldb_dn *base;
+
+	int pw_cur;
+	struct ldb_result *pw_res;
+
+	int gr_cur;
+	struct ldb_result *gr_res;
+};
+	
+NSS_STATUS _ldb_nss_init(void);
+
+NSS_STATUS _ldb_nss_fill_passwd(struct passwd *result,
+				char *buffer,
+				int buflen,
+				int *errnop,
+				struct ldb_message *msg);
+
+NSS_STATUS _ldb_nss_fill_group(struct group *result,
+				char *buffer,
+				int buflen,
+				int *errnop,
+				struct ldb_message *group,
+				struct ldb_result *members);
+
+NSS_STATUS _ldb_nss_fill_initgr(gid_t group,
+				long int limit,
+				long int *start,
+				long int *size,
+				gid_t **groups,
+				int *errnop,
+				struct ldb_result *grlist);
+
+NSS_STATUS _ldb_nss_group_request(struct ldb_result **res,
+					struct ldb_dn *group_dn,
+					const char * const *attrs,
+					const char *mattr);
+
+#endif /* _LDB_NSS */
diff --git a/source3/lib/ldb/nssldb/ldb-pwd.c b/source3/lib/ldb/nssldb/ldb-pwd.c
new file mode 100644
index 0000000000..44b0ab21ee
--- /dev/null
+++ b/source3/lib/ldb/nssldb/ldb-pwd.c
@@ -0,0 +1,239 @@
+/* 
+   LDB nsswitch module
+
+   Copyright (C) Simo Sorce 2006
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+   
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Library General Public License for more details.
+   
+   You should have received a copy of the GNU Lesser General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "ldb-nss.h"
+
+extern struct _ldb_nss_context *_ldb_nss_ctx;
+
+const char *_ldb_nss_pw_attrs[] = {
+	"uid",
+	"userPassword",
+	"uidNumber",
+	"gidNumber",
+	"gecos",
+	"homeDirectory",
+	"loginShell",
+	NULL
+};
+
+NSS_STATUS _nss_ldb_setpwent(void)
+{
+	int ret;
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	_ldb_nss_ctx->pw_cur = 0;
+	if (_ldb_nss_ctx->pw_res != NULL) {
+		talloc_free(_ldb_nss_ctx->pw_res);
+		_ldb_nss_ctx->pw_res = NULL;
+	}
+
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 _LDB_NSS_PWENT_FILTER,
+			 _ldb_nss_pw_attrs,
+			 &_ldb_nss_ctx->pw_res);
+	if (ret != LDB_SUCCESS) {
+		return NSS_STATUS_UNAVAIL;
+	}
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_endpwent(void)
+{
+	int ret;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	_ldb_nss_ctx->pw_cur = 0;
+	if (_ldb_nss_ctx->pw_res) {
+		talloc_free(_ldb_nss_ctx->pw_res);
+		_ldb_nss_ctx->pw_res = NULL;
+	}
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_getpwent_r(struct passwd *result_buf,
+				char *buffer,
+				int buflen,
+				int *errnop)
+{
+	int ret;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	*errnop = 0;
+
+	if (_ldb_nss_ctx->pw_cur >= _ldb_nss_ctx->pw_res->count) {
+		/* already returned all entries */
+		return NSS_STATUS_NOTFOUND;
+	}
+
+	ret = _ldb_nss_fill_passwd(result_buf,
+				   buffer,
+				   buflen,
+				   errnop,
+				   _ldb_nss_ctx->pw_res->msgs[_ldb_nss_ctx->pw_cur]);
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	_ldb_nss_ctx->pw_cur++;
+
+	return NSS_STATUS_SUCCESS;
+}
+
+NSS_STATUS _nss_ldb_getpwuid_r(uid_t uid, struct passwd *result_buf, char *buffer, size_t buflen, int *errnop)
+{
+	int ret;
+	char *filter;
+	struct ldb_result *res;
+
+	if (uid == 0) { /* we don't serve root uid by policy */
+		*errnop = errno = ENOENT;
+		return NSS_STATUS_NOTFOUND;
+	}
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	/* build the filter for this uid */
+	filter = talloc_asprintf(_ldb_nss_ctx, _LDB_NSS_PWUID_FILTER, uid);
+	if (filter == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOMEM;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* search the entry */
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 filter,
+			 _ldb_nss_pw_attrs,
+			 &res);
+	if (ret != LDB_SUCCESS) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* if none found return */
+	if (res->count == 0) {
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_NOTFOUND;
+		goto done;
+	}
+
+	if (res->count != 1) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* fill in the passwd struct */
+	ret = _ldb_nss_fill_passwd(result_buf,
+				   buffer,
+				   buflen,
+				   errnop,
+				   res->msgs[0]);
+
+done:
+	talloc_free(filter);
+	talloc_free(res);
+	return ret;
+}
+
+NSS_STATUS _nss_ldb_getpwnam_r(const char *name, struct passwd *result_buf, char *buffer, size_t buflen, int *errnop)
+{
+	int ret;
+	char *filter;
+	struct ldb_result *res;
+
+	ret = _ldb_nss_init();
+	if (ret != NSS_STATUS_SUCCESS) {
+		return ret;
+	}
+
+	/* build the filter for this name */
+	filter = talloc_asprintf(_ldb_nss_ctx, _LDB_NSS_PWNAM_FILTER, name);
+	if (filter == NULL) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* search the entry */
+	ret = ldb_search(_ldb_nss_ctx->ldb,
+			 _ldb_nss_ctx->base,
+			 LDB_SCOPE_SUBTREE,
+			 filter,
+			 _ldb_nss_pw_attrs,
+			 &res);
+	if (ret != LDB_SUCCESS) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* if none found return */
+	if (res->count == 0) {
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_NOTFOUND;
+		goto done;
+	}
+
+	if (res->count != 1) {
+		/* this is a fatal error */
+		*errnop = errno = ENOENT;
+		ret = NSS_STATUS_UNAVAIL;
+		goto done;
+	}
+
+	/* fill in the passwd struct */
+	ret = _ldb_nss_fill_passwd(result_buf,
+				   buffer,
+				   buflen,
+				   errnop,
+				   res->msgs[0]);
+
+done:
+	talloc_free(filter);
+	talloc_free(res);
+	return ret;
+}
+
diff --git a/source3/lib/ldb/samba/README b/source3/lib/ldb/samba/README
new file mode 100644
index 0000000000..3fa47159ca
--- /dev/null
+++ b/source3/lib/ldb/samba/README
@@ -0,0 +1,7 @@
+This directory contains Samba specific extensions to ldb. It also
+serves as example code on how to extend ldb for your own application.
+
+The main extension Samba uses is to provide ldif encode/decode
+routines for specific attributes, so users can get nice pretty
+printing of attributes in ldbedit, while the attributes are stored in
+the standard NDR format in the database.
diff --git a/source3/lib/ldb/samba/ldif_handlers.c b/source3/lib/ldb/samba/ldif_handlers.c
new file mode 100644
index 0000000000..689a668c9e
--- /dev/null
+++ b/source3/lib/ldb/samba/ldif_handlers.c
@@ -0,0 +1,483 @@
+/* 
+   ldb database library - ldif handlers for Samba
+
+   Copyright (C) Andrew Tridgell 2005
+   Copyright (C) Andrew Bartlett 2006
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+#include "librpc/gen_ndr/ndr_security.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+#include "dsdb/samdb/samdb.h"
+#include "libcli/security/security.h"
+
+/*
+  convert a ldif formatted objectSid to a NDR formatted blob
+*/
+static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx,
+			       const struct ldb_val *in, struct ldb_val *out)
+{
+	struct dom_sid *sid;
+	NTSTATUS status;
+	sid = dom_sid_parse_talloc(mem_ctx, (const char *)in->data);
+	if (sid == NULL) {
+		return -1;
+	}
+	status = ndr_push_struct_blob(out, mem_ctx, sid, 
+				      (ndr_push_flags_fn_t)ndr_push_dom_sid);
+	talloc_free(sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  convert a NDR formatted blob to a ldif formatted objectSid
+*/
+static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
+				const struct ldb_val *in, struct ldb_val *out)
+{
+	struct dom_sid *sid;
+	NTSTATUS status;
+	sid = talloc(mem_ctx, struct dom_sid);
+	if (sid == NULL) {
+		return -1;
+	}
+	status = ndr_pull_struct_blob(in, sid, sid, 
+				      (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(sid);
+		return -1;
+	}
+	out->data = (uint8_t *)dom_sid_string(mem_ctx, sid);
+	talloc_free(sid);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((const char *)out->data);
+	return 0;
+}
+
+static BOOL ldb_comparision_objectSid_isString(const struct ldb_val *v)
+{
+	if (v->length < 3) {
+		return False;
+	}
+
+	if (strncmp("S-", (const char *)v->data, 2) != 0) return False;
+	
+	return True;
+}
+
+/*
+  compare two objectSids
+*/
+static int ldb_comparison_objectSid(struct ldb_context *ldb, void *mem_ctx,
+				    const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	if (ldb_comparision_objectSid_isString(v1) && ldb_comparision_objectSid_isString(v2)) {
+		return strcmp((const char *)v1->data, (const char *)v2->data);
+	} else if (ldb_comparision_objectSid_isString(v1)
+		   && !ldb_comparision_objectSid_isString(v2)) {
+		struct ldb_val v;
+		int ret;
+		if (ldif_read_objectSid(ldb, mem_ctx, v1, &v) != 0) {
+			return -1;
+		}
+		ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
+		talloc_free(v.data);
+		return ret;
+	} else if (!ldb_comparision_objectSid_isString(v1)
+		   && ldb_comparision_objectSid_isString(v2)) {
+		struct ldb_val v;
+		int ret;
+		if (ldif_read_objectSid(ldb, mem_ctx, v2, &v) != 0) {
+			return -1;
+		}
+		ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
+		talloc_free(v.data);
+		return ret;
+	}
+	return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
+}
+
+/*
+  canonicalise a objectSid
+*/
+static int ldb_canonicalise_objectSid(struct ldb_context *ldb, void *mem_ctx,
+				      const struct ldb_val *in, struct ldb_val *out)
+{
+	if (ldb_comparision_objectSid_isString(in)) {
+		return ldif_read_objectSid(ldb, mem_ctx, in, out);
+	}
+	return ldb_handler_copy(ldb, mem_ctx, in, out);
+}
+
+/*
+  convert a ldif formatted objectGUID to a NDR formatted blob
+*/
+static int ldif_read_objectGUID(struct ldb_context *ldb, void *mem_ctx,
+			        const struct ldb_val *in, struct ldb_val *out)
+{
+	struct GUID guid;
+	NTSTATUS status;
+
+	status = GUID_from_string((const char *)in->data, &guid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+
+	status = ndr_push_struct_blob(out, mem_ctx, &guid,
+				      (ndr_push_flags_fn_t)ndr_push_GUID);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  convert a NDR formatted blob to a ldif formatted objectGUID
+*/
+static int ldif_write_objectGUID(struct ldb_context *ldb, void *mem_ctx,
+				 const struct ldb_val *in, struct ldb_val *out)
+{
+	struct GUID guid;
+	NTSTATUS status;
+	status = ndr_pull_struct_blob(in, mem_ctx, &guid,
+				      (ndr_pull_flags_fn_t)ndr_pull_GUID);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+	out->data = (uint8_t *)GUID_string(mem_ctx, &guid);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((const char *)out->data);
+	return 0;
+}
+
+static BOOL ldb_comparision_objectGUID_isString(const struct ldb_val *v)
+{
+	struct GUID guid;
+	NTSTATUS status;
+
+	if (v->length < 33) return False;
+
+	/* see if the input if null-terninated (safety check for the below) */
+	if (v->data[v->length] != '\0') return False;
+
+	status = GUID_from_string((const char *)v->data, &guid);
+	if (!NT_STATUS_IS_OK(status)) {
+		return False;
+	}
+
+	return True;
+}
+
+/*
+  compare two objectGUIDs
+*/
+static int ldb_comparison_objectGUID(struct ldb_context *ldb, void *mem_ctx,
+				     const struct ldb_val *v1, const struct ldb_val *v2)
+{
+	if (ldb_comparision_objectGUID_isString(v1) && ldb_comparision_objectGUID_isString(v2)) {
+		return strcmp((const char *)v1->data, (const char *)v2->data);
+	} else if (ldb_comparision_objectGUID_isString(v1)
+		   && !ldb_comparision_objectGUID_isString(v2)) {
+		struct ldb_val v;
+		int ret;
+		if (ldif_read_objectGUID(ldb, mem_ctx, v1, &v) != 0) {
+			return -1;
+		}
+		ret = ldb_comparison_binary(ldb, mem_ctx, &v, v2);
+		talloc_free(v.data);
+		return ret;
+	} else if (!ldb_comparision_objectGUID_isString(v1)
+		   && ldb_comparision_objectGUID_isString(v2)) {
+		struct ldb_val v;
+		int ret;
+		if (ldif_read_objectGUID(ldb, mem_ctx, v2, &v) != 0) {
+			return -1;
+		}
+		ret = ldb_comparison_binary(ldb, mem_ctx, v1, &v);
+		talloc_free(v.data);
+		return ret;
+	}
+	return ldb_comparison_binary(ldb, mem_ctx, v1, v2);
+}
+
+/*
+  canonicalise a objectGUID
+*/
+static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
+				       const struct ldb_val *in, struct ldb_val *out)
+{
+	if (ldb_comparision_objectGUID_isString(in)) {
+		return ldif_read_objectGUID(ldb, mem_ctx, in, out);
+	}
+	return ldb_handler_copy(ldb, mem_ctx, in, out);
+}
+
+
+/*
+  convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
+*/
+static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+					  const struct ldb_val *in, struct ldb_val *out)
+{
+	struct security_descriptor *sd;
+	NTSTATUS status;
+
+	sd = sddl_decode(mem_ctx, (const char *)in->data, NULL);
+	if (sd == NULL) {
+		return -1;
+	}
+	status = ndr_push_struct_blob(out, mem_ctx, sd, 
+				      (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+	talloc_free(sd);
+	if (!NT_STATUS_IS_OK(status)) {
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
+*/
+static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+					   const struct ldb_val *in, struct ldb_val *out)
+{
+	struct security_descriptor *sd;
+	NTSTATUS status;
+
+	sd = talloc(mem_ctx, struct security_descriptor);
+	if (sd == NULL) {
+		return -1;
+	}
+	status = ndr_pull_struct_blob(in, sd, sd, 
+				      (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(sd);
+		return -1;
+	}
+	out->data = (uint8_t *)sddl_encode(mem_ctx, sd, NULL);
+	talloc_free(sd);
+	if (out->data == NULL) {
+		return -1;
+	}
+	out->length = strlen((const char *)out->data);
+	return 0;
+}
+
+/* 
+   canonicolise an objectCategory.  We use the short form as the cannoical form:
+   cn=Person,cn=Schema,cn=Configuration,<basedn> becomes 'person'
+*/
+
+static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_ctx,
+					    const struct ldb_val *in, struct ldb_val *out)
+{
+	struct ldb_dn *dn1 = NULL;
+	char *oc1, *oc2;
+
+	dn1 = ldb_dn_explode(mem_ctx, (char *)in->data);
+	if (dn1 == NULL) {
+		oc1 = talloc_strndup(mem_ctx, (char *)in->data, in->length);
+	} else if (ldb_dn_get_comp_num(dn1) >= 1 && strcasecmp(ldb_dn_get_rdn_name(dn1), "cn") == 0) {
+		const struct ldb_val *val = ldb_dn_get_rdn_val(dn1);
+		oc1 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+	} else {
+		return -1;
+	}
+
+	oc2 = ldb_casefold(ldb, mem_ctx, oc1);
+	out->data = (void *)oc2;
+	out->length = strlen(oc2);
+	talloc_free(oc1);
+	talloc_free(dn1);
+	return 0;
+}
+
+static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx,
+					  const struct ldb_val *v1,
+					  const struct ldb_val *v2)
+{
+	struct ldb_dn *dn1 = NULL, *dn2 = NULL;
+	const char *oc1, *oc2;
+
+	dn1 = ldb_dn_explode(mem_ctx, (char *)v1->data);
+	if (dn1 == NULL) {
+		oc1 = talloc_strndup(mem_ctx, (char *)v1->data, v1->length);
+	} else if (ldb_dn_get_comp_num(dn1) >= 1 && strcasecmp(ldb_dn_get_rdn_name(dn1), "cn") == 0) {
+		const struct ldb_val *val = ldb_dn_get_rdn_val(dn1);
+		oc1 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+	} else {
+		oc1 = NULL;
+	}
+
+	dn2 = ldb_dn_explode(mem_ctx, (char *)v2->data);
+	if (dn2 == NULL) {
+		oc2 = talloc_strndup(mem_ctx, (char *)v2->data, v2->length);
+	} else if (ldb_dn_get_comp_num(dn2) >= 2 && strcasecmp(ldb_dn_get_rdn_name(dn2), "cn") == 0) {
+		const struct ldb_val *val = ldb_dn_get_rdn_val(dn2);
+		oc2 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+	} else {
+		oc2 = NULL;
+	}
+
+	oc1 = ldb_casefold(ldb, mem_ctx, oc1);
+	oc2 = ldb_casefold(ldb, mem_ctx, oc2);
+	if (!oc1 && oc2) {
+		return -1;
+	} 
+	if (oc1 && !oc2) {
+		return 1;
+	}	
+	if (!oc1 && !oc2) {
+		return -1;
+	}
+
+	return strcmp(oc1, oc2);
+}
+
+static const struct ldb_attrib_handler samba_handlers[] = {
+	{ 
+		.attr            = "objectSid",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectSid,
+		.ldif_write_fn   = ldif_write_objectSid,
+		.canonicalise_fn = ldb_canonicalise_objectSid,
+		.comparison_fn   = ldb_comparison_objectSid
+	},
+	{ 
+		.attr            = "securityIdentifier",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectSid,
+		.ldif_write_fn   = ldif_write_objectSid,
+		.canonicalise_fn = ldb_canonicalise_objectSid,
+		.comparison_fn   = ldb_comparison_objectSid
+	},
+	{ 
+		.attr            = "ntSecurityDescriptor",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_ntSecurityDescriptor,
+		.ldif_write_fn   = ldif_write_ntSecurityDescriptor,
+		.canonicalise_fn = ldb_handler_copy,
+		.comparison_fn   = ldb_comparison_binary
+	},
+	{ 
+		.attr            = "objectGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "invocationId",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "schemaIDGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "attributeSecurityGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "parentGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "siteGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "pKTGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "fRSVersionGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "fRSReplicaSetGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "netbootGUID",
+		.flags           = 0,
+		.ldif_read_fn    = ldif_read_objectGUID,
+		.ldif_write_fn   = ldif_write_objectGUID,
+		.canonicalise_fn = ldb_canonicalise_objectGUID,
+		.comparison_fn   = ldb_comparison_objectGUID
+	},
+	{ 
+		.attr            = "objectCategory",
+		.flags           = 0,
+		.ldif_read_fn    = ldb_handler_copy,
+		.ldif_write_fn   = ldb_handler_copy,
+		.canonicalise_fn = ldif_canonicalise_objectCategory,
+		.comparison_fn   = ldif_comparison_objectCategory,
+	}
+};
+
+/*
+  register the samba ldif handlers
+*/
+int ldb_register_samba_handlers(struct ldb_context *ldb)
+{
+	return ldb_set_attrib_handlers(ldb, samba_handlers, ARRAY_SIZE(samba_handlers));
+}
diff --git a/source3/lib/ldb/sqlite3.m4 b/source3/lib/ldb/sqlite3.m4
new file mode 100644
index 0000000000..d0a74ee53c
--- /dev/null
+++ b/source3/lib/ldb/sqlite3.m4
@@ -0,0 +1,62 @@
+########################################################
+# Compile with SQLITE3 support?
+
+SQLITE3_LIBS=""
+with_sqlite3_support=no
+AC_MSG_CHECKING([for SQLITE3 support])
+
+AC_ARG_WITH(sqlite3,
+AS_HELP_STRING([--with-sqlite3],[SQLITE3 backend support (default=no)]),
+[ case "$withval" in
+    yes|no|auto)
+	with_sqlite3_support=$withval
+	;;
+  esac ])
+
+AC_MSG_RESULT($with_sqlite3_support)
+
+if test x"$with_sqlite3_support" != x"no"; then
+  ##################################################################
+  # first test for sqlite3.h
+  AC_CHECK_HEADERS(sqlite3.h)
+  
+  if test x"$ac_cv_header_sqlite3_h" != x"yes"; then
+	if test x"$with_sqlite3_support" = x"yes"; then
+	 AC_MSG_ERROR(sqlite3.h is needed for SQLITE3 support)
+	else
+	 AC_MSG_WARN(sqlite3.h is needed for SQLITE3 support)
+	fi
+	
+	with_sqlite3_support=no
+  fi
+fi
+
+if test x"$with_sqlite3_support" != x"no"; then
+  ac_save_LIBS=$LIBS
+
+  ########################################################
+  # now see if we can find the sqlite3 libs in standard paths
+  AC_CHECK_LIB_EXT(sqlite3, SQLITE3_LIBS, sqlite3_open)
+
+  if test x"$ac_cv_lib_ext_sqlite3_sqlite3_open" = x"yes"; then
+    AC_DEFINE(HAVE_SQLITE3,1,[Whether sqlite3 is available])
+    AC_DEFINE(HAVE_LDB_SQLITE3,1,[Whether ldb_sqlite3 is available])
+    AC_MSG_CHECKING(whether SQLITE3 support is used)
+    AC_MSG_RESULT(yes)
+    with_sqlite3_support=yes
+    SMB_ENABLE(SQLITE3,YES)
+  else
+    if test x"$with_sqlite3_support" = x"yes"; then
+	AC_MSG_ERROR(libsqlite3 is needed for SQLITE3 support)
+    else
+	AC_MSG_WARN(libsqlite3 is needed for SQLITE3 support)
+    fi
+
+    SQLITE3_LIBS=""
+    with_sqlite3_support=no
+  fi
+
+  LIBS=$ac_save_LIBS;
+fi
+
+SMB_EXT_LIB(SQLITE3,[${SQLITE3_LIBS}],[${SQLITE3_CFLAGS}],[${SQLITE3_CPPFLAGS}],[${SQLITE3_LDFLAGS}])
diff --git a/source3/lib/ldb/standalone.sh b/source3/lib/ldb/standalone.sh
new file mode 100755
index 0000000000..fa1b9bafe3
--- /dev/null
+++ b/source3/lib/ldb/standalone.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+cd ../replace
+make clean
+
+cd ../talloc
+make clean
+
+cd ../tdb
+make clean
+
+cd ../ldb
+make clean
+
+./autogen.sh
+
+rm -fr build
+mkdir build
+cd build
+
+../configure $*
+make dirs
+make all
+
+cd ..
diff --git a/source3/lib/ldb/swig/Ldb.py b/source3/lib/ldb/swig/Ldb.py
new file mode 100644
index 0000000000..4be3eec704
--- /dev/null
+++ b/source3/lib/ldb/swig/Ldb.py
@@ -0,0 +1,178 @@
+"""Provide a more Pythonic and object-oriented interface to ldb."""
+
+#
+# Swig interface to Samba
+#
+# Copyright (C) Tim Potter 2006
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#   
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#   
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+
+#
+# Interface notes:
+#
+#   - should an empty dn be represented as None, or an empty string?
+#
+#   - should single-valued attributes be a string, or a list with one
+#     element?
+#
+
+from ldb import *
+
+# Global initialisation
+
+result = ldb_global_init()
+
+if result != 0:
+    raise LdbError, (result, 'ldb_global_init failed')
+
+# Ldb exceptions
+
+class LdbError(Exception):
+    """An exception raised when a ldb error occurs.
+    The exception data is a tuple consisting of the ldb number and a
+    string description of the error."""
+    pass
+
+# Ldb classes
+
+class LdbMessage:
+    """A class representing a ldb message as a Python dictionary."""
+    
+    def __init__(self):
+        self.mem_ctx = talloc_init(None)
+        self.msg = ldb_msg_new(self.mem_ctx)
+
+    def __del__(self):
+        if self.mem_ctx is not None:
+            talloc_free(self.mem_ctx)
+            self.mem_ctx = None
+            self.msg = None
+
+    # Make the dn attribute of the object dynamic
+
+    def __getattr__(self, attr):
+        if attr == 'dn':
+            return ldb_dn_linearize(None, self.msg.dn)
+        return self.__dict__[attr]
+
+    def __setattr__(self, attr, value):
+        if attr == 'dn':
+            self.msg.dn = ldb_dn_explode(self.msg, value)
+            if self.msg.dn == None:
+                err = LDB_ERR_INVALID_DN_SYNTAX
+                raise LdbError(err, ldb_strerror(err))
+            return
+        self.__dict__[attr] = value
+        
+    # Get and set individual elements
+
+    def __getitem__(self, key):
+
+        elt = ldb_msg_find_element(self.msg, key)
+
+        if elt is None:
+            raise KeyError, "No such attribute '%s'" % key
+
+        return [ldb_val_array_getitem(elt.values, i)
+                for i in range(elt.num_values)]
+
+    def __setitem__(self, key, value):
+        ldb_msg_remove_attr(self.msg, key)
+        if type(value) in (list, tuple):
+            [ldb_msg_add_value(self.msg, key, v) for v in value]
+        else:
+            ldb_msg_add_value(self.msg, key, value)
+
+    # Dictionary interface
+    # TODO: move to iterator based interface
+
+    def len(self):
+        return self.msg.num_elements
+
+    def keys(self):
+        return [ldb_message_element_array_getitem(self.msg.elements, i).name
+                for i in range(self.msg.num_elements)]
+
+    def values(self):
+        return [self[k] for k in self.keys()]
+
+    def items(self):
+        return [(k, self[k]) for k in self.keys()]
+
+    # Misc stuff
+
+    def sanity_check(self):
+        return ldb_msg_sanity_check(self.msg)
+
+class Ldb:
+    """A class representing a binding to a ldb file."""
+
+    def __init__(self, url, flags = 0):
+        """Initialise underlying ldb."""
+    
+        self.mem_ctx = talloc_init('mem_ctx for ldb 0x%x' % id(self))
+        self.ldb_ctx = ldb_init(self.mem_ctx)
+
+        result = ldb_connect(self.ldb_ctx, url, flags, None)
+
+        if result != LDB_SUCCESS:
+            raise LdbError, (result, ldb_strerror(result))
+        
+    def __del__(self):
+        """Called when the object is to be garbage collected."""
+        self.close()
+
+    def close(self):
+        """Close down a ldb."""
+        if self.mem_ctx is not None:
+            talloc_free(self.mem_ctx)
+            self.mem_ctx = None
+            self.ldb_ctx = None
+
+    def _ldb_call(self, fn, *args):
+        """Call a ldb function with args.  Raise a LdbError exception
+        if the function returns a non-zero return value."""
+        
+        result = fn(*args)
+
+        if result != LDB_SUCCESS:
+            raise LdbError, (result, ldb_strerror(result))
+
+    def search(self, expression):
+        """Search a ldb for a given expression."""
+
+        self._ldb_call(ldb_search, self.ldb_ctx, None, LDB_SCOPE_DEFAULT,
+                       expression, None);
+
+        return [LdbMessage(ldb_message_ptr_array_getitem(result.msgs, ndx))
+                for ndx in range(result.count)]
+
+    def delete(self, dn):
+        """Delete a dn."""
+
+        _dn = ldb_dn_explode(self.ldb_ctx, dn)
+
+        self._ldb_call(ldb_delete, self.ldb_ctx, _dn)
+
+    def rename(self, olddn, newdn):
+        """Rename a dn."""
+        
+        _olddn = ldb_dn_explode(self.ldb_ctx, olddn)
+        _newdn = ldb_dn_explode(self.ldb_ctx, newdn)
+        
+        self._ldb_call(ldb_rename, self.ldb_ctx, _olddn, _newdn)
+
+    def add(self, m):
+        self._ldb_call(ldb_add, self.ldb_ctx, m.msg)
diff --git a/source3/lib/ldb/swig/ldb.i b/source3/lib/ldb/swig/ldb.i
new file mode 100644
index 0000000000..fa460e3d6c
--- /dev/null
+++ b/source3/lib/ldb/swig/ldb.i
@@ -0,0 +1,239 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Swig interface to ldb.
+
+   Copyright (C) 2005,2006 Tim Potter <tpot@samba.org>
+   Copyright (C) 2006 Simo Sorce <idra@samba.org>
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+%module ldb
+
+%{
+
+/* Some typedefs to help swig along */
+
+typedef unsigned char uint8_t;
+typedef unsigned long long uint64_t;
+typedef long long int64_t;
+
+/* Include headers */
+
+#include "lib/ldb/include/ldb.h"
+#include "lib/talloc/talloc.h"
+
+%}
+
+%include "carrays.i"
+%include "exception.i"
+
+/*
+ * Constants
+ */
+
+#define LDB_SUCCESS				0
+#define LDB_ERR_OPERATIONS_ERROR		1
+#define LDB_ERR_PROTOCOL_ERROR			2
+#define LDB_ERR_TIME_LIMIT_EXCEEDED		3
+#define LDB_ERR_SIZE_LIMIT_EXCEEDED		4
+#define LDB_ERR_COMPARE_FALSE			5
+#define LDB_ERR_COMPARE_TRUE			6
+#define LDB_ERR_AUTH_METHOD_NOT_SUPPORTED	7
+#define LDB_ERR_STRONG_AUTH_REQUIRED		8
+/* 9 RESERVED */
+#define LDB_ERR_REFERRAL			10
+#define LDB_ERR_ADMIN_LIMIT_EXCEEDED		11
+#define LDB_ERR_UNSUPPORTED_CRITICAL_EXTENSION	12
+#define LDB_ERR_CONFIDENTIALITY_REQUIRED	13
+#define LDB_ERR_SASL_BIND_IN_PROGRESS		14
+#define LDB_ERR_NO_SUCH_ATTRIBUTE		16
+#define LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE	17
+#define LDB_ERR_INAPPROPRIATE_MATCHING		18
+#define LDB_ERR_CONSTRAINT_VIOLATION		19
+#define LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS	20
+#define LDB_ERR_INVALID_ATTRIBUTE_SYNTAX	21
+/* 22-31 unused */
+#define LDB_ERR_NO_SUCH_OBJECT			32
+#define LDB_ERR_ALIAS_PROBLEM			33
+#define LDB_ERR_INVALID_DN_SYNTAX		34
+/* 35 RESERVED */
+#define LDB_ERR_ALIAS_DEREFERENCING_PROBLEM	36
+/* 37-47 unused */
+#define LDB_ERR_INAPPROPRIATE_AUTHENTICATION	48
+#define LDB_ERR_INVALID_CREDENTIALS		49
+#define LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS	50
+#define LDB_ERR_BUSY				51
+#define LDB_ERR_UNAVAILABLE			52
+#define LDB_ERR_UNWILLING_TO_PERFORM		53
+#define LDB_ERR_LOOP_DETECT			54
+/* 55-63 unused */
+#define LDB_ERR_NAMING_VIOLATION		64
+#define LDB_ERR_OBJECT_CLASS_VIOLATION		65
+#define LDB_ERR_NOT_ALLOWED_ON_NON_LEAF		66
+#define LDB_ERR_NOT_ALLOWED_ON_RDN		67
+#define LDB_ERR_ENTRY_ALREADY_EXISTS		68
+#define LDB_ERR_OBJECT_CLASS_MODS_PROHIBITED	69
+/* 70 RESERVED FOR CLDAP */
+#define LDB_ERR_AFFECTS_MULTIPLE_DSAS		71
+/* 72-79 unused */
+#define LDB_ERR_OTHER				80
+
+enum ldb_scope {LDB_SCOPE_DEFAULT=-1, 
+		LDB_SCOPE_BASE=0, 
+		LDB_SCOPE_ONELEVEL=1,
+		LDB_SCOPE_SUBTREE=2};
+
+/* 
+ * Wrap struct ldb_context
+ */
+
+/* The ldb functions will crash if a NULL ldb context is passed so
+   catch this before it happens. */
+
+%typemap(check) struct ldb_context* {
+	if ($1 == NULL)
+		SWIG_exception(SWIG_ValueError, 
+			"ldb context must be non-NULL");
+}
+
+/* 
+ * Wrap a small bit of talloc
+ */
+
+/* Use talloc_init() to create a parameter to pass to ldb_init().  Don't
+   forget to free it using talloc_free() afterwards. */
+
+TALLOC_CTX *talloc_init(char *name);
+int talloc_free(TALLOC_CTX *ptr);
+
+/*
+ * Wrap struct ldb_val
+ */
+
+%typemap(in) struct ldb_val *INPUT (struct ldb_val temp) {
+	$1 = &temp;
+	if (!PyString_Check($input)) {
+		PyErr_SetString(PyExc_TypeError, "string arg expected");
+		return NULL;
+	}
+	$1->length = PyString_Size($input);
+	$1->data = PyString_AsString($input);
+}
+
+%typemap(out) struct ldb_val {
+	$result = PyString_FromStringAndSize($1.data, $1.length);
+}
+
+/*
+ * Wrap struct ldb_result
+ */
+
+%typemap(in, numinputs=0) struct ldb_result **OUT (struct ldb_result *temp_ldb_result) {
+	$1 = &temp_ldb_result;
+}
+
+%typemap(argout) struct ldb_result ** {
+	resultobj = SWIG_NewPointerObj(*$1, SWIGTYPE_p_ldb_result, 0);
+}	
+
+%types(struct ldb_result *);
+
+/*
+ * Wrap struct ldb_message_element
+ */
+
+%array_functions(struct ldb_val, ldb_val_array);
+
+struct ldb_message_element {
+	unsigned int flags;
+	const char *name;
+	unsigned int num_values;
+	struct ldb_val *values;
+};
+
+/*
+ * Wrap struct ldb_message
+ */
+
+%array_functions(struct ldb_message_element, ldb_message_element_array);
+
+struct ldb_message {
+	struct ldb_dn *dn;
+	unsigned int num_elements;
+	struct ldb_message_element *elements;
+	void *private_data;
+};
+
+/*
+ * Wrap struct ldb_result
+ */
+
+%array_functions(struct ldb_message *, ldb_message_ptr_array);
+
+struct ldb_result {
+	unsigned int count;
+	struct ldb_message **msgs;
+	char **refs;
+	struct ldb_control **controls;
+};
+
+/*
+ * Wrap ldb functions 
+ */
+
+/* Initialisation */
+
+int ldb_global_init(void);
+struct ldb_context *ldb_init(TALLOC_CTX *mem_ctx);
+
+/* Error handling */
+
+const char *ldb_errstring(struct ldb_context *ldb);
+const char *ldb_strerror(int ldb_err);
+
+/* Top-level ldb operations */
+
+int ldb_connect(struct ldb_context *ldb, const char *url, unsigned int flags, const char *options[]);
+
+int ldb_search(struct ldb_context *ldb, const struct ldb_dn *base, enum ldb_scope scope, const char *expression, const char * const *attrs, struct ldb_result **OUT);
+
+int ldb_delete(struct ldb_context *ldb, const struct ldb_dn *dn);
+
+int ldb_rename(struct ldb_context *ldb, const struct ldb_dn *olddn, const struct ldb_dn *newdn);
+
+int ldb_add(struct ldb_context *ldb, const struct ldb_message *message);
+
+/* Ldb message operations */
+
+struct ldb_message *ldb_msg_new(void *mem_ctx);
+
+struct ldb_message_element *ldb_msg_find_element(const struct ldb_message *msg, const char *attr_name);
+
+int ldb_msg_add_value(struct ldb_message *msg, const char *attr_name, const struct ldb_val *INPUT);
+
+void ldb_msg_remove_attr(struct ldb_message *msg, const char *attr);
+
+int ldb_msg_sanity_check(struct ldb_message *msg);
+
+/* DN operations */
+
+struct ldb_dn *ldb_dn_explode(void *mem_ctx, const char *dn);
+
+char *ldb_dn_linearize(void *mem_ctx, const struct ldb_dn *dn);
diff --git a/source3/lib/ldb/tests/init.ldif b/source3/lib/ldb/tests/init.ldif
new file mode 100644
index 0000000000..2e0b83c769
--- /dev/null
+++ b/source3/lib/ldb/tests/init.ldif
@@ -0,0 +1,40 @@
+dn: o=University of Michigan,c=TEST
+objectclass: organization
+objectclass: domainRelatedObject
+l: Ann Arbor, Michigan
+st: Michigan
+o: University of Michigan
+o: UMICH
+o: UM
+o: U-M
+o: U of M
+description: The University of Michigan at Ann Arbor
+seeAlso:
+postaladdress: University of Michigan $ 535 W. William St. $ Ann Arbor, MI 481
+ 09 $ US
+telephonenumber: +1 313 764-1817
+associateddomain: example.com
+
+dn: ou=People,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+objectclass: extensibleObject
+ou: People
+uidNumber: 0
+gidNumber: 0
+
+dn: ou=Ldb Test,ou=People,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+objectclass: extensibleObject
+ou: People
+ou: Ldb Test
+uidNumber: 0
+gidNumber: 0
+
+dn: ou=LdbTspace,ou=People,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+objectclass: extensibleObject
+ou: People
+ou: LdbTspace
+description: test white space removal in comparisons
+uidNumber: 0
+gidNumber: 0
diff --git a/source3/lib/ldb/tests/init_slapd.sh b/source3/lib/ldb/tests/init_slapd.sh
new file mode 100755
index 0000000000..cf06acd08b
--- /dev/null
+++ b/source3/lib/ldb/tests/init_slapd.sh
@@ -0,0 +1,41 @@
+#!/bin/sh 
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+rm -rf tests/tmp/db
+mkdir -p tests/tmp/db
+
+if [ -f tests/tmp/slapd.pid ]; then
+    kill `cat tests/tmp/slapd.pid`
+    sleep 1
+fi
+if [ -f tests/tmp/slapd.pid ]; then
+    kill -9 `cat tests/tmp/slapd.pid`
+    rm -f tests/tmp/slapd.pid
+fi
+
+# we don't consider a slapadd failure as a test suite failure, as it
+# has nothing to do with ldb
+
+MODCONF=tests/tmp/modules.conf
+rm -f $MODCONF
+touch $MODCONF || exit 1
+
+slaptest -u -f $LDBDIR/tests/slapd.conf > /dev/null 2>&1 || {
+ echo "enabling sladp modules"
+cat > $MODCONF <<EOF
+modulepath	/usr/lib/ldap
+moduleload	back_bdb
+EOF
+}
+
+slaptest -u -f $LDBDIR/tests/slapd.conf || {
+    echo "slaptest failed - skipping ldap tests"
+    exit 0
+}
+
+slapadd -f $LDBDIR/tests/slapd.conf < $LDBDIR/tests/init.ldif || exit 0
+
diff --git a/source3/lib/ldb/tests/kill_slapd.sh b/source3/lib/ldb/tests/kill_slapd.sh
new file mode 100755
index 0000000000..91beb10814
--- /dev/null
+++ b/source3/lib/ldb/tests/kill_slapd.sh
@@ -0,0 +1,12 @@
+#!/bin/sh 
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+if [ -f tests/tmp/slapd.pid ]; then
+    echo "killing slapd process `cat tests/tmp/slapd.pid`"
+    kill -9 `cat tests/tmp/slapd.pid`
+    rm -f tests/tmp/slapd.pid
+fi
diff --git a/source3/lib/ldb/tests/ldapi_url.sh b/source3/lib/ldb/tests/ldapi_url.sh
new file mode 100755
index 0000000000..fef6c35f2b
--- /dev/null
+++ b/source3/lib/ldb/tests/ldapi_url.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# aargh, did LDAP ever have to expose this crap to users ...
+
+BASE=`pwd`
+
+TMPDIR=$BASE/tests/tmp
+
+LDAPI_ESCAPE=`echo $TMPDIR/ldapi | sed 's|/|%2F|g'`
+
+echo "ldapi://$LDAPI_ESCAPE"
diff --git a/source3/lib/ldb/tests/photo.ldif b/source3/lib/ldb/tests/photo.ldif
new file mode 100644
index 0000000000..28981b1f24
--- /dev/null
+++ b/source3/lib/ldb/tests/photo.ldif
@@ -0,0 +1,5 @@
+dn: cn=Hampster Ursula,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST
+changetype: modify
+add: jpegPhoto
+jpegPhoto:< file://tests/tmp/samba4.png
+
diff --git a/source3/lib/ldb/tests/samba4.png b/source3/lib/ldb/tests/samba4.png
new file mode 100644
index 0000000000..c8096889a6
--- /dev/null
+++ b/source3/lib/ldb/tests/samba4.png
diff --git a/source3/lib/ldb/tests/schema-tests/schema-add-test.ldif b/source3/lib/ldb/tests/schema-tests/schema-add-test.ldif
new file mode 100644
index 0000000000..997b801d84
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-add-test.ldif
@@ -0,0 +1,66 @@
+dn: CN=Users,DC=schema,DC=test
+objectClass: top
+objectClass: container
+cn: Users
+description: Default container for upgraded user accounts
+instanceType: 4
+whenCreated: 20050116175504.0Z
+whenChanged: 20050116175504.0Z
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: FALSE
+name: Users
+objectGUID: b847056a-9934-d87b-8a1a-99fabe0863c8
+systemFlags: 0x8c000000
+objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=schema,DC=test
+isCriticalSystemObject: TRUE
+nTSecurityDescriptor: foo
+
+dn: CN=Administrator,CN=Users,DC=schema,DC=test
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+instanceType: 4
+whenCreated: 20050116175504.0Z
+whenChanged: 20050116175504.0Z
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,DC=schema,DC=test
+memberOf: CN=Domain Admins,CN=Users,DC=schema,DC=test
+memberOf: CN=Enterprise Admins,CN=Users,DC=schema,DC=test
+memberOf: CN=Schema Admins,CN=Users,DC=schema,DC=test
+memberOf: CN=Administrators,CN=Builtin,DC=schema,DC=test
+uSNChanged: 1
+name: Administrator
+objectGUID: 6c02f98c-46c6-aa38-5f13-a510cac04e6c
+userAccountControl: 0x10200
+badPwdCount: 0
+codePage: 0
+countryCode: 0
+badPasswordTime: 0
+lastLogoff: 0
+lastLogon: 0
+pwdLastSet: 0
+primaryGroupID: 513
+objectSid: S-1-5-21-43662522-77495566-38969261-500
+adminCount: 1
+accountExpires: -1
+logonCount: 0
+sAMAccountName: Administrator
+sAMAccountType: 0x30000000
+objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=schema,DC=test
+isCriticalSystemObject: TRUE
+unicodePwd: samba
+nTSecurityDescriptor: foo
+
+dn: CN=Test,CN=Users,DC=schema,DC=test
+objectClass: top
+objectClass: test
+cn: Test
+description: This is a test
+objectCategory: CN=Test,CN=Schema,CN=Configuration,DC=schema,DC=test
+nTSecurityDescriptor: foo
+instanceType: 4
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema-mod-test-1.ldif b/source3/lib/ldb/tests/schema-tests/schema-mod-test-1.ldif
new file mode 100644
index 0000000000..b976724485
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-mod-test-1.ldif
@@ -0,0 +1,5 @@
+dn: CN=Test,CN=Users,DC=schema,DC=test
+changetype: modify
+replace: description
+description: this test must not fail
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema-mod-test-2.ldif b/source3/lib/ldb/tests/schema-tests/schema-mod-test-2.ldif
new file mode 100644
index 0000000000..fa193af683
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-mod-test-2.ldif
@@ -0,0 +1,5 @@
+dn: CN=Test,CN=Users,DC=schema,DC=test
+changetype: modify
+delete: description
+# this test must not fail
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema-mod-test-3.ldif b/source3/lib/ldb/tests/schema-tests/schema-mod-test-3.ldif
new file mode 100644
index 0000000000..8ab7798f9c
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-mod-test-3.ldif
@@ -0,0 +1,5 @@
+dn: CN=Test,CN=Users,DC=schema,DC=test
+changetype: modify
+add: description
+description: this test must not fail
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema-mod-test-4.ldif b/source3/lib/ldb/tests/schema-tests/schema-mod-test-4.ldif
new file mode 100644
index 0000000000..cbf0e60bbe
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-mod-test-4.ldif
@@ -0,0 +1,5 @@
+dn: CN=Test,CN=Users,DC=schema,DC=test
+changetype: modify
+add: foo
+foo: this test must fail
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema-mod-test-5.ldif b/source3/lib/ldb/tests/schema-tests/schema-mod-test-5.ldif
new file mode 100644
index 0000000000..bc64e9edb6
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema-mod-test-5.ldif
@@ -0,0 +1,5 @@
+dn: CN=Test,CN=Users,DC=schema,DC=test
+changetype: modify
+delete: nTSecurityDescriptor
+# this test must fail
+
diff --git a/source3/lib/ldb/tests/schema-tests/schema.ldif b/source3/lib/ldb/tests/schema-tests/schema.ldif
new file mode 100644
index 0000000000..515408144a
--- /dev/null
+++ b/source3/lib/ldb/tests/schema-tests/schema.ldif
@@ -0,0 +1,112 @@
+dn: @INDEXLIST
+@IDXATTR: name
+@IDXATTR: sAMAccountName
+@IDXATTR: objectSid
+@IDXATTR: objectClass
+@IDXATTR: member
+@IDXATTR: uidNumber
+@IDXATTR: gidNumber
+@IDXATTR: unixName
+@IDXATTR: privilege
+@IDXATTR: lDAPDisplayName
+
+dn: @ATTRIBUTES
+realm: CASE_INSENSITIVE
+userPrincipalName: CASE_INSENSITIVE
+servicePrincipalName: CASE_INSENSITIVE
+name: CASE_INSENSITIVE
+dn: CASE_INSENSITIVE
+sAMAccountName: CASE_INSENSITIVE
+objectClass: CASE_INSENSITIVE
+unicodePwd: HIDDEN
+ntPwdHash: HIDDEN
+ntPwdHistory: HIDDEN
+lmPwdHash: HIDDEN
+lmPwdHistory: HIDDEN
+createTimestamp: HIDDEN
+modifyTimestamp: HIDDEN
+
+dn: @SUBCLASSES
+top: domain
+top: person
+top: group
+domain: domainDNS
+domain: builtinDomain
+person: organizationalPerson
+organizationalPerson: user
+user: computer
+template: userTemplate
+template: groupTemplate
+
+dn: @MODULES
+@LIST: timestamps,schema
+
+dn: CN=Top,CN=Schema,CN=Configuration,DC=schema,DC=test
+objectClass: top
+objectClass: classSchema
+lDAPDisplayName: top
+cn: Top
+uSNCreated: 1
+uSNChanged: 1
+subClassOf: top
+systemMustContain: objectClass
+systemMayContain: structuralObjectClass
+systemMayContain: createTimeStamp
+systemMayContain: modifyTimeStamp
+systemMayContain: creatorsName
+systemMayContain: modifiersName
+systemMayContain: hasSubordinates
+systemMayContain: subschemaSubentry
+systemMayContain: collectiveSubentry
+systemMayContain: entryUUID
+systemMayContain: entryCSN
+systemMayContain: namingCSN
+systemMayContain: superiorUUID
+systemMayContain: contextCSN
+systemMayContain: whenCreated
+systemMayContain: whenChanged
+systemMayContain: uSNCreated
+systemMayContain: uSNChanged
+systemMayContain: distinguishedName
+systemMayContain: name
+systemMayContain: cn
+systemMayContain: userPassword
+systemMayContain: labeledURI
+
+dn: CN=Class-Schema,CN=Schema,CN=Configuration,DC=schema,DC=test
+objectClass: top
+objectClass: classSchema
+lDAPDisplayName: classSchema
+cn: Class-Schema
+uSNCreated: 2
+uSNChanged: 2
+lDAPDisplayName: classSchema
+subClassOf: top
+systemMustContain: cn
+systemMustContain: subClassOf
+systemMayContain: systemPossSuperiors
+systemMayContain: systemOnly
+systemMayContain: systemMustContain
+systemMayContain: systemMayContain
+systemMayContain: systemAuxiliaryClass
+systemMayContain: possSuperiors
+systemMayContain: mustContain
+systemMayContain: mayContain
+systemMayContain: lDAPDisplayName
+systemMayContain: auxiliaryClass
+
+dn: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=schema,DC=test
+objectClass: top
+objectClass: classSchema
+cn: Attribute-Schema
+uSNCreated: 3
+uSNChanged: 3
+lDAPDisplayName: attributeSchema
+subClassOf: top
+systemMustContain: oMSyntax
+systemMustContain: lDAPDisplayName
+systemMustContain: isSingleValued
+systemMustContain: cn
+systemMustContain: attributeSyntax
+systemMustContain: attributeID
+
diff --git a/source3/lib/ldb/tests/slapd.conf b/source3/lib/ldb/tests/slapd.conf
new file mode 100644
index 0000000000..fa2789d8c1
--- /dev/null
+++ b/source3/lib/ldb/tests/slapd.conf
@@ -0,0 +1,26 @@
+loglevel 0
+
+include tests/schema/core.schema
+include tests/schema/cosine.schema
+include tests/schema/inetorgperson.schema
+include tests/schema/openldap.schema
+include tests/schema/nis.schema
+
+
+pidfile		tests/tmp/slapd.pid
+argsfile	tests/tmp/slapd.args
+
+access to * by * write
+
+allow update_anon bind_anon_dn
+
+include tests/tmp/modules.conf
+
+defaultsearchbase "o=University of Michigan,c=TEST"
+
+backend		bdb
+database        bdb
+suffix		"o=University of Michigan,c=TEST"
+directory	tests/tmp/db
+index           objectClass eq
+index           uid eq
diff --git a/source3/lib/ldb/tests/start_slapd.sh b/source3/lib/ldb/tests/start_slapd.sh
new file mode 100755
index 0000000000..22e8548791
--- /dev/null
+++ b/source3/lib/ldb/tests/start_slapd.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+mkdir -p $LDBDIR/tests/tmp/db
+
+# running slapd with -d0 means it stays in the same process group, so it can be
+# killed by timelimit
+slapd -d0 -f $LDBDIR/tests/slapd.conf -h "`$LDBDIR/tests/ldapi_url.sh`" $* &
+
+sleep 2
diff --git a/source3/lib/ldb/tests/test-attribs.ldif b/source3/lib/ldb/tests/test-attribs.ldif
new file mode 100644
index 0000000000..0bb3ebead6
--- /dev/null
+++ b/source3/lib/ldb/tests/test-attribs.ldif
@@ -0,0 +1,15 @@
+dn: @ATTRIBUTES
+uid: CASE_INSENSITIVE
+cn: CASE_INSENSITIVE
+ou: CASE_INSENSITIVE
+dn: CASE_INSENSITIVE
+
+dn: @SUBCLASSES
+top: domain
+top: person
+domain: domainDNS
+person: organizationalPerson
+person: fooPerson
+organizationalPerson: user
+organizationalPerson: OpenLDAPperson
+user: computer
diff --git a/source3/lib/ldb/tests/test-config.ldif b/source3/lib/ldb/tests/test-config.ldif
new file mode 100644
index 0000000000..7926a9e3c5
--- /dev/null
+++ b/source3/lib/ldb/tests/test-config.ldif
@@ -0,0 +1,67 @@
+##############################
+# global configuration options
+dn: cn=Global,cn=Config,cn=Samba
+objectclass: globalconfig
+LocalConfigCn: cn=%U,cn=Config,cn=Samba
+LocalConfigCn;1: cn=%U,cn=Config,cn=Samba
+LocalConfigCn;2: cn=%I,cn=Config,cn=Samba
+LocalConfigCn;3: cn=%M,cn=Config,cn=Samba
+
+#############
+dn: cn=Protocol,cn=Global,cn=Config,cn=Samba
+maxXmit: 7000
+
+################################
+dn: cn=Volker,cn=Config,cn=Samba
+Workgroup: VNET3
+UnixCharset: UTF8
+Security: user
+Interfaces: vmnet* eth*
+NetbiosName: blu
+GuestAccount: tridge
+
+#################################
+dn: cn=Volker,cn=Config,cn=Samba
+Workgroup: VNET3
+UnixCharset: UTF8
+Security: user
+Interfaces: vmnet* eth*
+NetbiosName: blu
+GuestAccount: tridge
+Include: cn=%U,cn=MyConfig,cn=Config,cn=Samba
+
+####   ((objectClass=fileshare)(cn=test))
+##############################
+# [test] share
+dn: cn=test,cn=Shares,cn=Config,cn=Samba
+objectclass: fileshare
+cn: test
+Comment: a test share
+Path: /home/tridge/samba4/prefix/test
+ReadOnly: no
+
+#####################################
+# [msdn] a remote proxy share, stored
+# on \\msdn\test
+dn: cn=msdn,cn=Shares,cn=Config,cn=Samba
+objectclass: fileshare
+cn: msdn
+NtvfsHandler: cifs
+ReadOnly: no
+_CifsServer: msdn
+_CifsUser: administrator
+_CifsPassword: penguin
+_CifsDomain: winxp
+_CifsShare: test
+
+
+##############################
+# [VisualC] share
+dn: cn=visualc,cn=Shares,cn=Config,cn=Samba
+objectclass: fileshare
+cn: VisualC
+Comment: VisualC development
+Path: /home/tridge/VisualC
+ReadOnly: no
+NtvfsHandler: simple
+
diff --git a/source3/lib/ldb/tests/test-default-config.ldif b/source3/lib/ldb/tests/test-default-config.ldif
new file mode 100644
index 0000000000..87b7bcd3cc
--- /dev/null
+++ b/source3/lib/ldb/tests/test-default-config.ldif
@@ -0,0 +1,17 @@
+##############################
+# global configuration options
+dn: cn=Global,cn=DefaultConfig,cn=Samba
+objectclass: globalconfig
+Workgroup: WORKGROUP
+UnixCharset: UTF8
+Security: user
+NetbiosName: blu
+GuestAccount: nobody
+
+##############################
+# [_default_] share
+dn: cn=_default_,cn=Shares,cn=DefaultConfig,cn=Samba
+objectclass: fileshare
+cn: _default_
+Path: /tmp
+ReadOnly: yes
diff --git a/source3/lib/ldb/tests/test-extended.sh b/source3/lib/ldb/tests/test-extended.sh
new file mode 100755
index 0000000000..a84e3b78a3
--- /dev/null
+++ b/source3/lib/ldb/tests/test-extended.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+echo "Running extended search tests"
+
+mv $LDB_URL $LDB_URL.1
+
+cat <<EOF | bin/ldbadd || exit 1
+dn: cn=testrec1,cn=TEST
+i1: 1
+i2: 0
+i3: 1234
+i4: 0x7003004
+
+dn: cn=testrec2,cn=TEST
+i1: 0x800000
+
+dn: cn=testrec3,cn=TEST
+i1: 0x101010101
+i1: 7
+
+dn: cn=auser1,cn=TEST
+groupType: 2147483648
+samAccountType: 805306368
+
+dn: cn=auser2,cn=TEST
+groupType: 2147483648
+samAccountType: 805306369
+
+dn: cn=auser3,cn=TEST
+groupType: 2147483649
+samAccountType: 805306370
+
+dn: cn=auser4,cn=TEST
+groupType: 2147483649
+samAccountType: 805306369
+EOF
+
+checkcount() {
+    count=$1
+    expression="$2"
+    n=`bin/ldbsearch "$expression" | grep '^dn' | wc -l`
+    if [ $n != $count ]; then
+	echo "Got $n but expected $count for $expression"
+	bin/ldbsearch "$expression"
+	exit 1
+    fi
+    echo "OK: $count $expression"
+}
+
+checkcount 1 '(i3=1234)'
+checkcount 0 '(i3=12345)'
+
+checkcount 2 '(i1:1.2.840.113556.1.4.803:=1)'
+checkcount 1 '(i1:1.2.840.113556.1.4.803:=3)'
+checkcount 1 '(i1:1.2.840.113556.1.4.803:=7)'
+checkcount 0 '(i1:1.2.840.113556.1.4.803:=15)'
+checkcount 1 '(i1:1.2.840.113556.1.4.803:=0x800000)'
+checkcount 1 '(i1:1.2.840.113556.1.4.803:=8388608)'
+
+checkcount 2 '(i1:1.2.840.113556.1.4.804:=1)'
+checkcount 2 '(i1:1.2.840.113556.1.4.804:=3)'
+checkcount 2 '(i1:1.2.840.113556.1.4.804:=7)'
+checkcount 2 '(i1:1.2.840.113556.1.4.804:=15)'
+checkcount 1 '(i1:1.2.840.113556.1.4.804:=0x800000)'
+checkcount 1 '(i1:1.2.840.113556.1.4.804:=8388608)'
+
+# this is one that w2k gives
+checkcount 3 '(|(|(&(!(groupType:1.2.840.113556.1.4.803:=1))(groupType:1.2.840.113556.1.4.803:=2147483648)(groupType:1.2.840.113556.1.4.804:=10))(samAccountType=805306368))(samAccountType=805306369))'
+
diff --git a/source3/lib/ldb/tests/test-generic.sh b/source3/lib/ldb/tests/test-generic.sh
new file mode 100755
index 0000000000..14337cc135
--- /dev/null
+++ b/source3/lib/ldb/tests/test-generic.sh
@@ -0,0 +1,128 @@
+#!/bin/sh
+
+if [ -z "$LDB_SPECIALS" ]; then
+    LDB_SPECIALS=1
+    export LDB_SPECIALS
+fi
+
+echo "LDB_URL: $LDB_URL"
+
+echo "Adding base elements"
+$VALGRIND ldbadd $LDBDIR/tests/test.ldif || exit 1
+
+echo "Adding again - should fail"
+ldbadd $LDBDIR/tests/test.ldif 2> /dev/null && {
+    echo "Should have failed to add again - gave $?"
+    exit 1
+}
+
+echo "Modifying elements"
+$VALGRIND ldbmodify $LDBDIR/tests/test-modify.ldif || exit 1
+
+echo "Showing modified record"
+$VALGRIND ldbsearch '(uid=uham)'  || exit 1
+
+echo "Rename entry"
+OLDDN="cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST"
+NEWDN="cn=Hampster Ursula,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST"
+$VALGRIND ldbrename "$OLDDN" "$NEWDN"  || exit 1
+
+echo "Showing renamed record"
+$VALGRIND ldbsearch '(uid=uham)' || exit 1
+
+echo "Starting ldbtest"
+$VALGRIND ldbtest --num-records 100 --num-searches 10  || exit 1
+
+if [ $LDB_SPECIALS = 1 ]; then
+ echo "Adding index"
+ $VALGRIND ldbadd $LDBDIR/tests/test-index.ldif  || exit 1
+fi
+
+echo "Adding bad attributes - should fail"
+$VALGRIND ldbadd $LDBDIR/tests/test-wrong_attributes.ldif && {
+    echo "Should fhave failed - gave $?"
+    exit 1
+}
+
+echo "testing indexed search"
+$VALGRIND ldbsearch '(uid=uham)'  || exit 1
+$VALGRIND ldbsearch '(&(objectclass=person)(objectclass=person)(objectclass=top))' || exit 1
+$VALGRIND ldbsearch '(&(uid=uham)(uid=uham))'  || exit 1
+$VALGRIND ldbsearch '(|(uid=uham)(uid=uham))'  || exit 1
+$VALGRIND ldbsearch '(|(uid=uham)(uid=uham)(objectclass=OpenLDAPperson))'  || exit 1
+$VALGRIND ldbsearch '(&(uid=uham)(uid=uham)(!(objectclass=xxx)))'  || exit 1
+$VALGRIND ldbsearch '(&(objectclass=person)(uid=uham)(!(uid=uhamxx)))' uid \* \+ dn  || exit 1
+$VALGRIND ldbsearch '(&(uid=uham)(uid=uha*)(title=*))' uid || exit 1
+
+# note that the "((" is treated as an attribute not an expression
+# this matches the openldap ldapsearch behaviour of looking for a '='
+# to see if the first argument is an expression or not
+$VALGRIND ldbsearch '((' uid || exit 1
+$VALGRIND ldbsearch '(objectclass=)' uid || exit 1
+$VALGRIND ldbsearch -b 'cn=Hampster Ursula,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST' -s base "" sn || exit 1
+
+echo "Test wildcard match"
+$VALGRIND ldbadd $LDBDIR/tests/test-wildcard.ldif  || exit 1
+$VALGRIND ldbsearch '(cn=test*multi)'  || exit 1
+$VALGRIND ldbsearch '(cn=*test*multi*)'  || exit 1
+$VALGRIND ldbsearch '(cn=*test_multi)'  || exit 1
+$VALGRIND ldbsearch '(cn=test_multi*)'  || exit 1
+$VALGRIND ldbsearch '(cn=test*multi*test*multi)'  || exit 1
+$VALGRIND ldbsearch '(cn=test*multi*test*multi*multi_*)' || exit 1
+
+echo "Starting ldbtest indexed"
+$VALGRIND ldbtest --num-records 100 --num-searches 500  || exit 1
+
+echo "Testing one level search"
+count=`$VALGRIND ldbsearch -b 'ou=Groups,o=University of Michigan,c=TEST' -s one 'objectclass=*' none |grep '^dn' | wc -l`
+if [ $count != 3 ]; then
+    echo returned $count records - expected 3
+    exit 1
+fi
+
+echo "Testing binary file attribute value"
+mkdir -p tests/tmp
+cp $LDBDIR/tests/samba4.png tests/tmp/samba4.png
+$VALGRIND ldbmodify $LDBDIR/tests/photo.ldif || exit 1
+count=`$VALGRIND ldbsearch '(cn=Hampster Ursula)' jpegPhoto | grep '^dn' | wc -l`
+if [ $count != 1 ]; then
+    echo returned $count records - expected 1
+    exit 1
+fi
+rm -f tests/tmp/samba4.png
+
+echo "*TODO* Testing UTF8 upper lower case searches !!"
+
+echo "Testing compare"
+count=`$VALGRIND ldbsearch '(cn>=t)' cn | grep '^dn' | wc -l`
+if [ $count != 2 ]; then
+    echo returned $count records - expected 2
+    echo "this fails on openLdap ..."
+fi
+
+count=`$VALGRIND ldbsearch '(cn<=t)' cn | grep '^dn' | wc -l`
+if [ $count != 13 ]; then
+    echo returned $count records - expected 13
+    echo "this fails on opsnLdap ..."
+fi
+
+checkcount() {
+    count=$1
+    scope=$2
+    basedn=$3
+    expression="$4"
+    n=`bin/ldbsearch -s "$scope" -b "$basedn" "$expression" | grep '^dn' | wc -l`
+    if [ $n != $count ]; then
+	echo "Got $n but expected $count for $expression"
+	bin/ldbsearch "$expression"
+	exit 1
+    fi
+    echo "OK: $count $expression"
+}
+
+checkcount 0 'base' '' '(uid=uham)'
+checkcount 0 'one' '' '(uid=uham)'
+
+checkcount 1 'base' 'cn=Hampster Ursula,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST' '(uid=uham)'
+checkcount 1 'one' 'ou=Alumni Association,ou=People,o=University of Michigan,c=TEST' '(uid=uham)'
+checkcount 1 'one' 'ou=People,o=University of Michigan,c=TEST' '(ou=ldb  test)'
diff --git a/source3/lib/ldb/tests/test-index.ldif b/source3/lib/ldb/tests/test-index.ldif
new file mode 100644
index 0000000000..a793537187
--- /dev/null
+++ b/source3/lib/ldb/tests/test-index.ldif
@@ -0,0 +1,11 @@
+dn: @INDEXLIST
+@IDXATTR: uid
+@IDXATTR: objectclass
+
+dn: @ATTRIBUTES
+uid: CASE_INSENSITIVE
+
+dn: @SUBCLASSES
+top: person
+person: organizationalPerson
+organizationalPerson: OpenLDAPperson
diff --git a/source3/lib/ldb/tests/test-ldap.sh b/source3/lib/ldb/tests/test-ldap.sh
new file mode 100755
index 0000000000..b9d224e0af
--- /dev/null
+++ b/source3/lib/ldb/tests/test-ldap.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH
+export PATH
+SCHEMA_NEEDED="core nis cosine inetorgperson openldap"
+
+# setup needed schema files
+for f in $SCHEMA_NEEDED; do
+    if [ ! -r tests/schema/$f.schema ]; then
+	mkdir -p tests/schema
+	if [ -r /etc/ldap/schema/$f.schema ]; then
+	    ln -s /etc/ldap/schema/$f.schema tests/schema/$f.schema
+	    continue;
+	fi
+	if [ -r /etc/openldap/schema/$f.schema ]; then
+	    ln -s /etc/openldap/schema/$f.schema tests/schema/$f.schema
+	    continue;
+	fi
+
+	echo "SKIPPING TESTS: you need the following OpenLDAP schema files"
+	for f in $SCHEMA_NEEDED; do
+	    echo "  $f.schema"
+	done
+	exit 0
+    fi
+done
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+LDB_URL=`$LDBDIR/tests/ldapi_url.sh`
+export LDB_URL
+
+PATH=bin:$PATH
+export PATH
+
+LDB_SPECIALS=0
+export LDB_SPECIALS
+
+if $LDBDIR/tests/init_slapd.sh && 
+   $LDBDIR/tests/start_slapd.sh &&
+   $LDBDIR/tests/test-generic.sh; then
+    echo "ldap tests passed";
+    ret=0
+else
+    echo "ldap tests failed";
+    ret=$?
+fi
+
+$LDBDIR/tests/kill_slapd.sh
+
+exit $ret
diff --git a/source3/lib/ldb/tests/test-modify.ldif b/source3/lib/ldb/tests/test-modify.ldif
new file mode 100644
index 0000000000..e5b9ca4086
--- /dev/null
+++ b/source3/lib/ldb/tests/test-modify.ldif
@@ -0,0 +1,23 @@
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+changetype: modify
+add: drink
+drink: mango lassi
+-
+add: drink
+drink: lemonade
+-
+delete: pager
+-
+replace: telephonenumber
+telephonenumber: +61 2 6260 6012
+telephonenumber: +61 412 666 929
+-
+delete: telephonenumber
+telephonenumber: +61 2 6260 6012
+-
+delete: telephonenumber
+telephonenumber: +61 412 666 929
+-
+add: telephonenumber
+telephonenumber: +61 412 666 929
diff --git a/source3/lib/ldb/tests/test-schema.sh b/source3/lib/ldb/tests/test-schema.sh
new file mode 100755
index 0000000000..2f10fb45e2
--- /dev/null
+++ b/source3/lib/ldb/tests/test-schema.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+LDB_URL="tdb://schema.ldb"
+export LDB_URL
+
+rm -f schema.ldb
+
+echo "LDB_URL: $LDB_URL"
+
+echo "Adding schema"
+$VALGRIND bin/ldbadd $LDBDIR/tests/schema-tests/schema.ldif || exit 1
+
+echo "Adding few test elements (no failure expected here)"
+$VALGRIND bin/ldbadd $LDBDIR/tests/schema-tests/schema-add-test.ldif || exit 1
+
+echo "Modifying elements (2 failures expected here)"
+
+$VALGRIND bin/ldbmodify $LDBDIR/tests/schema-tests/schema-mod-test-1.ldif || exit 1
+$VALGRIND bin/ldbmodify $LDBDIR/tests/schema-tests/schema-mod-test-2.ldif || exit 1
+$VALGRIND bin/ldbmodify $LDBDIR/tests/schema-tests/schema-mod-test-3.ldif || exit 1
+$VALGRIND bin/ldbmodify $LDBDIR/tests/schema-tests/schema-mod-test-4.ldif
+if [ "$?" == "0" ]; then
+	echo "test failed!"
+	exit 1
+fi
+$VALGRIND bin/ldbmodify $LDBDIR/tests/schema-tests/schema-mod-test-5.ldif
+if [ "$?" == "0" ]; then
+	echo "test failed!"
+	exit 1
+fi
+
+echo "Showing modified record"
+$VALGRIND bin/ldbsearch '(cn=Test)'  || exit 1
+
diff --git a/source3/lib/ldb/tests/test-sqlite3.sh b/source3/lib/ldb/tests/test-sqlite3.sh
new file mode 100755
index 0000000000..0cef318d98
--- /dev/null
+++ b/source3/lib/ldb/tests/test-sqlite3.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+
+LDB_URL="sqlite3://sqltest.ldb"
+export LDB_URL
+
+rm -f sqltest.ldb
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+PATH=bin:$PATH
+export PATH
+
+LDB_SPECIALS=0
+export LDB_SPECIALS
+
+$LDBDIR/tests/test-generic.sh
+
+#. $LDBDIR/tests/test-extended.sh
+
+#. $LDBDIR/tests/test-tdb-features.sh
+
diff --git a/source3/lib/ldb/tests/test-tdb-features.sh b/source3/lib/ldb/tests/test-tdb-features.sh
new file mode 100644
index 0000000000..6f1afdcf33
--- /dev/null
+++ b/source3/lib/ldb/tests/test-tdb-features.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+echo "Running tdb feature tests"
+
+mv $LDB_URL $LDB_URL.2
+
+checkcount() {
+    count=$1
+    expression="$2"
+    n=`bin/ldbsearch "$expression" | grep '^dn' | wc -l`
+    if [ $n != $count ]; then
+	echo "Got $n but expected $count for $expression"
+	$VALGRIND bin/ldbsearch "$expression"
+	exit 1
+    fi
+    echo "OK: $count $expression"
+}
+
+echo "Testing case sensitive search"
+cat <<EOF | $VALGRIND bin/ldbadd || exit 1
+dn: cn=t1,cn=TEST
+objectClass: testclass
+test: foo
+EOF
+checkcount 1 '(test=foo)'
+checkcount 0 '(test=FOO)'
+checkcount 0 '(test=FO*)'
+
+echo "Making case insensitive"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: @ATTRIBUTES
+changetype: add
+add: test
+test: CASE_INSENSITIVE
+EOF
+
+echo $ldif | $VALGRIND bin/ldbmodify || exit 1
+checkcount 1 '(test=foo)'
+checkcount 1 '(test=FOO)'
+checkcount 1 '(test=fo*)'
+
+echo "adding i"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: cn=t1,cn=TEST
+changetype: modify
+add: i
+i: 0x100
+EOF
+checkcount 1 '(i=0x100)'
+checkcount 0 '(i=256)'
+
+echo "marking i as INTEGER"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: @ATTRIBUTES
+changetype: modify
+add: i
+i: INTEGER
+EOF
+checkcount 1 '(i=0x100)'
+checkcount 1 '(i=256)'
+
+echo "adding j"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: cn=t1,cn=TEST
+changetype: modify
+add: j
+j: 0x100
+EOF
+checkcount 1 '(j=0x100)'
+checkcount 0 '(j=256)'
+
+echo "Adding wildcard attribute"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: @ATTRIBUTES
+changetype: modify
+add: *
+*: INTEGER
+EOF
+checkcount 1 '(j=0x100)'
+checkcount 1 '(j=256)'
+
+echo "Testing class search"
+checkcount 0 '(objectClass=otherclass)'
+checkcount 1 '(objectClass=testclass)'
+
+echo "Adding subclass"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: @SUBCLASSES
+changetype: add
+add: otherclass
+otherclass: testclass
+EOF
+checkcount 1 '(objectClass=otherclass)'
+checkcount 1 '(objectClass=testclass)'
+
+echo "Adding index"
+cat <<EOF | $VALGRIND bin/ldbadd || exit 1
+dn: @INDEXLIST
+@IDXATTR: i
+@IDXATTR: test
+EOF
+checkcount 1 '(i=0x100)'
+checkcount 1 '(i=256)'
+checkcount 0 '(i=-256)'
+checkcount 1 '(test=foo)'
+checkcount 1 '(test=FOO)'
+checkcount 1 '(test=*f*o)'
+
+echo "making test case sensitive"
+cat <<EOF | $VALGRIND bin/ldbmodify || exit 1
+dn: @ATTRIBUTES
+changetype: modify
+replace: test
+test: NONE
+EOF
+checkcount 1 '(test=foo)'
+checkcount 0 '(test=FOO)'
+checkcount 1 '(test=f*o*)'
+
diff --git a/source3/lib/ldb/tests/test-tdb.sh b/source3/lib/ldb/tests/test-tdb.sh
new file mode 100755
index 0000000000..7c4f5205b4
--- /dev/null
+++ b/source3/lib/ldb/tests/test-tdb.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+if [ -n "$TEST_DATA_PREFIX" ]; then
+	LDB_URL="$TEST_DATA_PREFIX/tdbtest.ldb"
+else
+	LDB_URL="tdbtest.ldb"
+fi
+export LDB_URL
+
+PATH=bin:$PATH
+export PATH
+
+rm -f $LDB_URL*
+
+if [ -z "$LDBDIR" ]; then
+    LDBDIR=`dirname $0`/..
+    export LDBDIR
+fi
+
+cat <<EOF | $VALGRIND ldbadd || exit 1
+dn: @MODULES
+@LIST: rdn_name
+EOF
+
+$VALGRIND ldbadd $LDBDIR/tests/init.ldif || exit 1
+
+. $LDBDIR/tests/test-generic.sh
+
+. $LDBDIR/tests/test-extended.sh
+
+. $LDBDIR/tests/test-tdb-features.sh
diff --git a/source3/lib/ldb/tests/test-wildcard.ldif b/source3/lib/ldb/tests/test-wildcard.ldif
new file mode 100644
index 0000000000..222512eeab
--- /dev/null
+++ b/source3/lib/ldb/tests/test-wildcard.ldif
@@ -0,0 +1,5 @@
+dn: cn=test_multi_test_multi_test_multi,o=University of Michigan,c=TEST
+objectclass: person
+cn: test_multi_test_multi_test_multi
+sn: multi_test
+description: test multi wildcards matching
diff --git a/source3/lib/ldb/tests/test-wrong_attributes.ldif b/source3/lib/ldb/tests/test-wrong_attributes.ldif
new file mode 100644
index 0000000000..27f45f0e56
--- /dev/null
+++ b/source3/lib/ldb/tests/test-wrong_attributes.ldif
@@ -0,0 +1,3 @@
+dn: @ATTRIBUTES
+uid: CASE_INTENSIVE
+
diff --git a/source3/lib/ldb/tests/test.ldif b/source3/lib/ldb/tests/test.ldif
new file mode 100644
index 0000000000..e53fadc700
--- /dev/null
+++ b/source3/lib/ldb/tests/test.ldif
@@ -0,0 +1,411 @@
+dn: ou=Groups,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+ou: Groups
+
+dn: ou=Information Technology Division,ou=People,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+ou: Information Technology Division
+description:: aMODwoPDgsKCw4PCgsOCwotFVlZQw4PCg8OCwoPDg8KCw4LCv0zDg8KDw4LCgsOD
+ woLDgsKKT8ODwoPDgsKDw4PCgsOCwqs6w4PCg8OCwoLDg8KCw4LCjUQkw4PCg8OCwoLDg8KCw4LCi
+ 01QUcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoLDg8KCw4LCik/Dg8KDw4
+ LCgsODwoLDgsKLRCQoZitEJMODwoPDgsKCw4PCgsOCwrfDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoP
+ Dg8KCw4LCgcODwoPDgsKDw4PCgsOCwqHDg8KDw4LCgsODwoLDgsKLRCQkZitEJMODwoPDgsKCw4PC
+ gsOCwrfDg8KDw4LCg8ODwoLDgsKQw4PCg8OCwoPDg8KCw4LCisODwoPDgsKCw4PCgsOCwotFUVZqU
+ MODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKAw4PCg8OCwoLDg8KCw4LCik85dCTDg8KDw4
+ LCgsODwoLDgsKFQ8ODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4L
+ Cvzl0JMODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoPD
+ gsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKLRCTDg8KDw4LCgsODwoLDgsKDw4PCg8OCwoLDg8KCw
+ 4LCuMODwoPDgsKDw4PCgsOCwoR0Q8ODwoPDgsKCw4PCgsOCwoM9w4PCg8OCwoPDg8KCw4LChMODwo
+ PDgsKDw4PCgsOCwoFOdTrDg8KDw4LCg8ODwoLDgsKHw4PCg8OCwoPDg8KCw4LChMODwoPDgsKDw4P
+ CgsOCwoFOw4PCg8OCwoPDg8KCw4LCqMODwoPDgsKDw4PCgsOCwrtHw4PCg8OCwoLDg8KCw4LChcOD
+ woPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsK4dMODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODw
+ oLDgsKtR8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCiMODwo
+ PDgsKDw4PCgsOCwr9SfGrDg8KDw4LCgsODwoLDgsKLQGgxw4PCg8OCwoPDg8KCw4LCoWhQw4PCg8O
+ CwoPDg8KCw4LCv8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKKT8ODwoPDgsKCw4PCgsOC
+ wotEJDDDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHTDg8KDw4LCgsODwoLDgsKDw4PCg
+ 8OCwoPDg8KCw4LCuHXDg8KDw4LCgsODwoLDgsKLRCRqw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4
+ PCgsOCwojDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpPDg8K
+ Dw4LCg8ODwoLDgsKQXV9eW8ODwoPDgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsKEw4PCg8OCwoPD
+ g8KCw4LCgsODwoPDgsKDw4PCgsOCwozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODw
+ oPDgsKDw4PCgsOCwozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgs
+ OCwoxWV8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKxw4PCg8OCwoLDg8KCw4LCi3wkw4P
+ Cg8OCwoLDg8KCw4LCjcODwoPDgsKCw4PCgsOCwofDg8KDw4LCg8ODwoLDgsKof8ODwoPDgsKDw4PC
+ gsOCwr/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoLDg8KCw4LCg8ODwoPDgsKDw4PCgsOCwrh5w4PCg
+ 8OCwoLDg8KCw4LChzQzw4PCg8OCwoPDg8KCw4LCicODwoPDgsKCw4PCgsOCworDg8KDw4LCgsODwo
+ LDgsKIw4PCg8OCwoLDg8KCw4LCuDFBw4PCg8OCwoPDg8KCw4LCvyTDg8KDw4LCgsODwoLDgsKNdDF
+ Bw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODwoPD
+ gsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwoLDg8KCw
+ 4LCi8ODwoPDgsKDw4PCgsOCwo7Dg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw4LCv8ODwoPDgs
+ KCw4PCgsOCwoTDg8KDw4LCgsODwoLDgsKAdcODwoPDgsKDw4PCgsOCwqhtw4PCg8OCwoLDg8KCw4L
+ ChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKEw4PCg8OCwoPDg8KCw4LCsMODwoPDgsKC
+ w4PCgsOCwrhfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCt
+ sODwoPDgsKDw4PCgsOCwq7Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4
+ PCgsOCwoPDg8KDw4LCg8ODwoLDgsKoZsODwoPDgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsK4w4P
+ Cg8OCwoLDg8KCw4LCh8ODwoPDgsKDw4PCgsOCwpUzw4PCg8OCwoPDg8KCw4LCicODwoPDgsKCw4PC
+ gsOCworDg8KDw4LCgsODwoLDgsKISDJBw4PCg8OCwoPDg8KCw4LCvyTDg8KDw4LCgsODwoLDgsKNN
+ DJBw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKOw4PCg8OCwo
+ PDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpDDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8O
+ DwoPDgsKDw4PCgsOCwojDg8KDw4LCg8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCnEzDg8KDw4LCgsOD
+ woLDgsKLSEBmw4PCg8OCwoLDg8KCw4LCg3lwdSTDg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw
+ 4LCv8ODwoPDgsKCw4PCgsOCwobDg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODwoPDgs
+ KCw4PCgsOCwp/Dg8KDw4LCgsODwoLDgsKBw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwoj
+ Dg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODwoPDgsKCw4PCgsOCwpPDg8KDw4LCgsOD
+ woLDgsKBw4PCg8OCwoPDg8KCw4LCv1rDg8KDw4LCgsODwoLDgsKAw4PCg8OCwoLDg8KCw4LChMODw
+ oPDgsKCw4PCgsOCwodqw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwoBqaMODwoPDgsKCw4
+ PCgsOCwpBQw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKDIMODwoPDgsKCw4PCgsOCwopPw4PCg8OCwoL
+ Dg8KCw4LChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKOacODwoPDgsKCw4PCgsOCwrhf
+ XsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCw
+ oLDg8KCw4LCgcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKGw4PCg8OCwoLDg8KCw4LCgM
+ ODwoPDgsKCw4PCgsOCwoRJw4PCg8OCwoLDg8KCw4LCgcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsO
+ DwoLDgsKIw4PCg8OCwoLDg8KCw4LCgMODwoPDgsKCw4PCgsOCwoQ9w4PCg8OCwoLDg8KCw4LCgcOD
+ woPDgsKDw4PCgsOCwr9aw4PCg8OCwoLDg8KCw4LCgMODwoPDgsKCw4PCgsOCwoQxw4PCg8OCwoLDg
+ 8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwoM9w4PCg8OCwoPDg8KCw4LCm0
+ 7Dg8KDw4LCgsODwoLDgsKEw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsK
+ Cw4PCgsOCwrhfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLD
+ gsKCw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODw
+ oPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgs
+ OCwo7Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoLDg8KCw4LCkMODwoPDgsKDw4PCgsOCwojDg8KDw4L
+ CgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCiMODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODwoLDgsK+
+ S8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKww4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKDw
+ 4PCgsOCwoTDg8KDw4LCgsODwoLDgsKKT1DDg8KDw4LCg8ODwoLDgsKoRsODwoPDgsKCw4PCgsOCwo
+ vDg8KDw4LCg8ODwoLDgsK4w4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwrZ0Y8ODwoPDgsK
+ Cw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK/dF/Dg8KDw4LCgsODwoLDgsKhdHpPw4PCg8OCwoLDg8KC
+ w4LCi8ODwoPDgsKDw4PCgsOCwo5Qw4PCg8OCwoPDg8KCw4LCqC1Jw4PCg8OCwoLDg8KCw4LChcODw
+ oPDgsKDw4PCgsOCwoB1RMODwoPDgsKCw4PCgsOCwqFwek/Dg8KDw4LCgsODwoLDgsKLw4PCg8OCwo
+ PDg8KCw4LCj1DDg8KDw4LCg8ODwoLDgsKoScODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsK
+ AdTPDg8KDw4LCgsODwoLDgsKhbHpPw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo5Qw4PC
+ g8OCwoPDg8KCw4LCqEnDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHXDg8KDw4LCgsODw
+ oLDgsKhaHpPw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo9Qw4PCg8OCwoPDg8KCw4LCqM
+ ODwoPDgsKDw4PCgsOCwrpIw4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwoB1M8ODwoPDgsK
+ Dw4PCgsOCwoBfXsODwoPDgsKDw4PCgsOCwoLDg8KDw4LCgsODwoLDgsK4X17Dg8KDw4LCg8ODwoLD
+ gsKCw4PCg8OCwoLDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgjPDg8KDw4LCg8ODwoLDgsKAX17Dg
+ 8KDw4LCg8ODwoLDgsKCw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo7Dg8KDw4LCg8ODwo
+ LDgsKoJ8ODwoPDgsKDw4PCgsOCwq3Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODwoP
+ DgsKCw4PCgsOCwoPDg8KDw4LCg8ODwoLDgsK4aHU5w4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PC
+ gsOCwovDg8KDw4LCg8ODwoLDgsKOw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpDDg8KDw
+ 4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgs
+ KIw4PCg8OCwoPDg8KCw4LCv8ODwoPDgsKCw4PCgsOCwpLDg8KDw4LCg8ODwoLDgsKEw4PCg8OCwoL
+ Dg8KCw4LChcODwoPDgsKDw4PCgsOCwoB0IcODwoPDgsKCw4PCgsOCwovDg8KDw4LCgsODwoLDgsKA
+ w4PCg8OCwoPDg8KCw4LCtMODwoPDgsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsKAdGbDg8KDw4LCg
+ sODwoLDgsKLQGY9dGY9dTPDg8KDw4LCg8ODwoLDgsKAX17Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwo
+ LDg8KCw4LCuF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwrhfXsODwoPDgsKDw4PCgsO
+ CwoIzw4PCg8OCwoPDg8KCw4LCgF9ew4PCg8OCwoPDg8KCw4LCgsODwoPDgsKCw4PCgsOCwovDg8KD
+ w4LCg8ODwoLDgsK/Ri9BUC9BRi9BWi9BZC9BWzBBZC9BZTBBZC9BZC9BbzBBZC9BeTBBw4PCg8OCw
+ oLDg8KCw4LCgzBBMUFhMUFrMUE=
+description:: UF7Dg8KDw4LCg8ODwoLDgsKCw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOC
+ wozDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOCwozDg8KDw4LCg
+ 8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCqFDDg8KDw4LCg8ODwoLDgsKpRsODwoPDgsKDw4PCgsOCwo
+ zDg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKDw4PCgsOCwozDg8KDw4LCg8O
+ DwoLDgsKMw4PCg8OCwoPDg8KCw4LCjMODwoPDgsKCw4PCgsOCwotEJCDDg8KDw4LCgsODwoLDgsKD
+ w4PCg8OCwoPDg8KCw4LCrMODwoPDgsKCw4PCgsOCwotUJCRTw4PCg8OCwoLDg8KCw4LCi1wkJFbDg
+ 8KDw4LCgsODwoLDgsKJTCRXVVBSU8ODwoPDgsKDw4PCgsOCwqjDg8KDw4LCg8ODwoLDgsKdT8ODwo
+ PDgsKCw4PCgsOCwoN8JDB1w4PCg8OCwoPDg8KCw4LCh8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCg8O
+ DwoLDgsKBTsODwoPDgsKDw4PCgsOCwqktw4PCg8OCwoLDg8KCw4LCg3wkMHTDg8KDw4LCgsODwoLD
+ gsKDfCQww4PCg8OCwoLDg8KCw4LChTPDg8KDw4LCg8ODwoLDgsK2OTXDg8KDw4LCg8ODwoLDgsKAw
+ 4PCg8OCwoPDg8KCw4LCgU7Dg8KDw4LCgsODwoLDgsKEIMODwoPDgsKCw4PCgsOCwqFIw4PCg8OCwo
+ PDg8KCw4LChU7Dg8KDw4LCgsODwoLDgsKJNcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCg8ODwoLDgsK
+ BTsODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsKIw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKD
+ w4PCgsOCwr9TXMODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGw4PCg8OCwoLDg8KCw
+ 4LChMODwoPDgsKCw4PCgsOCwpHDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLIEjDg8
+ KDw4LCg8ODwoLDgsKFTlDDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv1Ngw4PCg8OCwoL
+ Dg8KCw4LCi8ODwoPDgsKDw4PCgsOCwpjDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCm3Rx
+ w4PCg8OCwoLDg8KCw4LCizvDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCi8ODwoPDgsKDw
+ 4PCgsOCwr9XaMODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGdGLDg8KDw4LCgsODwo
+ LDgsKLf2zDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCi1D
+ Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8OD
+ woLDgsKow4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwq10SmgoT03Dg8KDw4LCgsODwoLDg
+ sKLw4PCg8OCwoPDg8KCw4LCjcODwoPDgsKDw4PCgsOCwqggTMODwoPDgsKCw4PCgsOCwoXDg8KDw4
+ LCg8ODwoLDgsKAdDrDg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLTSBQUcODwoPDgsK
+ Dw4PCgsOCwr/Dg8KDw4LCg8ODwoLDgsKMw4PCg8OCwoLDg8KCw4LCik/Dg8KDw4LCgsODwoLDgsKL
+ RCQoZitEJCDDg8KDw4LCgsODwoLDgsK3w4PCg8OCwoPDg8KCw4LCiMODwoPDgsKDw4PCgsOCwoHDg
+ 8KDw4LCg8ODwoLDgsKhw4PCg8OCwoLDg8KCw4LCi0QkJGYrRCTDg8KDw4LCgsODwoLDgsK3w4PCg8
+ OCwoPDg8KCw4LCkMODwoPDgsKDw4PCgsOCworDg8KDw4LCgsODwoLDgsKLRSBRVmpQw4PCg8OCwoP
+ Dg8KCw4LCv8ODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsODwoLDgsKKTzl0JHXDg8KDw4LCgsODwoLD
+ gsKhOXQkw4PCg8OCwoLDg8KCw4LChW/Dg8KDw4LCg8ODwoLDgsK/w4PCg8OCwoPDg8KCw4LCv8ODw
+ oPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKhRMODwoPDgsKDw4PCgsOCwoVOw4PCg8OCwoLDg8
+ KCw4LCi8ODwoPDgsKDw4PCgsOCwojDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCv1Ncw4P
+ Cg8OCwoLDg8KCw4LCiUQkw4PCg8OCwoLDg8KCw4LChcODwoPDgsKDw4PCgsOCwoDDg8KDw4LCgsOD
+ woLDgsKEw4PCg8OCwoPDg8KCw4LCtjPDg8KDw4LCg8ODwoLDgsK2w4PCg8OCwoLDg8KCw4LCjUQkw
+ 4PCg8OCwoLDg8KCw4LCiyBEw4PCg8OCwoPDg8KCw4LChU5Qw4PCg8OCwoLDg8KCw4LCi8ODwoPDgs
+ KDw4PCgsOCwr9TYMODwoPDgsKCw4PCgsOCwovDg8KDw4LCg8ODwoLDgsK4w4PCg8OCwoLDg8KCw4L
+ ChcODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKEw4PCg8OCwoPDg8KCw4LCkMODwoPDgsKC
+ w4PCgsOCwovDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCj8ODwoPDgsKDw4PCgsOCwr9Ta
+ MODwoPDgsKCw4PCgsOCwolEJDvDg8KDw4LCg8ODwoLDgsKGw4PCg8OCwoLDg8KCw4LChMODwoPDgs
+ KCw4PCgsOCwr3Dg8KDw4LCgsODwoLDgsKNRCTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4L
+ Cj1DDg8KDw4LCg8ODwoLDgsK/U2zDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoPDg8KCw4LCqMODwoPD
+ gsKCw4PCgsOCwoXDg8KDw4LCg8ODwoLDgsKtw4PCg8OCwoLDg8KCw4LChMODwoPDgsKCw4PCgsOCw
+ p9oMMODwoPDgsKDw4PCgsOCwolMw4PCg8OCwoLDg8KCw4LCi8ODwoPDgsKDw4PCgsOCwo3Dg8KDw4
+ LCg8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCq0vDg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4L
+ CgMODwoPDgsKCw4PCgsOCwoTDg8KDw4LCgsODwoLDgsKLw4PCg8OCwoLDg8KCw4LCi0QkOcODwoPD
+ gsKCw4PCgsOCwrDDg8KDw4LCg8ODwoLDgsKEdEU5w4PCg8OCwoLDg8KCw4LCtTR0PcODwoPDgsKCw
+ 4PCgsOCwovDg8KDw4LCg8ODwoLDgsKNw4PCg8OCwoPDg8KCw4LCqMODwoPDgsKDw4PCgsOCwo5Lw4
+ PCg8OCwoLDg8KCw4LCi0AgUMODwoPDgsKDw4PCgsOCwr/Dg8KDw4LCgsODwoLDgsKsw4PCg8OCwoL
+ Dg8KCw4LCik/Dg8KDw4LCgsODwoLDgsKFw4PCg8OCwoPDg8KCw4LCgHUow4PCg8OCwoLDg8KCw4LC
+ i8ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCgsODwoLDgsKJw4PCg8OCwoLDg8KCw4LCtTTDg8KDw4LCg
+ 8ODwoLDgsKow4PCg8OCwoPDg8KCw4LCl8ODwoPDgsKDw4PCgsOCwrtWw4PCg8OCwoLDg8KCw4LCi8
+ ODwoPDgsKDw4PCgsOCwo3Dg8KDw4LCg8ODwoLDgsKow4PCg8OCwoLDg8KCw4LCnw==
+
+#LEAD COMMENT
+
+# another comment
+dn: CN=All Staff,ou=Groups,o=University of Michigan,c=TEST
+#EMBEDDED COMMENT
+member: cn=Manager,o=University of Michigan,c=TEST
+member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Unive
+ rsity of Michigan,c=TEST
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=University of Michigan,c
+ =US
+member: cn=John Doe,ou=Information Technology Division,ou=People,o=University 
+ of Michigan,c=TEST
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+member: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Univ
+ ersity of Michigan,c=TEST
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Mich
+ igan,c=TEST
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=Univers
+ ity of Michigan,c=TEST
+owner: cn=Manager,o=University of Michigan,c=TEST
+cn: All Staff
+description: Everyone in the sample data
+objectclass: groupofnames
+
+dn: cn=Alumni Assoc Staff,ou=Groups,o=University of Michigan,c=TEST
+member: cn=Manager,o=University of Michigan,c=TEST
+member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+member: cn=James A Jones 1,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+member: cn=Jane Doe,ou=Alumni Association,ou=People,o=University of Michigan,c
+ =US
+member: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Mich
+ igan,c=TEST
+member: cn=Mark Elliot,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+member: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Mic
+ higan,c=TEST
+owner: cn=Manager,o=University of Michigan,c=TEST
+description: All Alumni Assoc Staff
+cn: Alumni Assoc Staff
+objectclass: groupofnames
+
+dn: ou=Alumni Association,ou=People,o=University of Michigan,c=TEST
+objectclass: organizationalUnit
+ou: Alumni Association
+
+dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,o=Universit
+ y of Michigan,c=TEST
+objectclass: OpenLDAPperson
+cn: Barbara Jensen
+cn: Babs Jensen
+sn:: IEplbnNlbiA=
+uid:: YmplCW5zZW4
+title: Mythical Manager, Research Systems
+postaladdress: ITD Prod Dev & Deployment $ 535 W. William St. Room 4212 $ Ann 
+ Arbor, MI 48103-4943
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+userpassword:: YmplbnNlbg==
+mail: bjensen@mailgw.example.com
+homepostaladdress: 123 Wesley $ Ann Arbor, MI 48103
+description: Mythical manager of the rsdd unix project
+drink: water
+homephone: +1 313 555 2333
+pager: +1 313 555 3233
+facsimiletelephonenumber: +1 313 555 2274
+telephonenumber: +1 313 555 9022
+
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University 
+ of Michigan,c=TEST
+objectclass: OpenLDAPperson
+cn: Bjorn Jensen
+cn: Biiff Jensen
+sn: Jensen
+uid: bjorn
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+userpassword:: Ympvcm4=
+homepostaladdress: 19923 Seven Mile Rd. $ South Lyon, MI 49999
+drink: Iced Tea
+description: Hiker, biker
+title: Director, Embedded Systems
+postaladdress: Info Tech Division $ 535 W. William St. $ Ann Arbor, MI 48103
+mail: bjorn@mailgw.example.com
+homephone: +1 313 555 5444
+pager: +1 313 555 4474
+facsimiletelephonenumber: +1 313 555 2177
+telephonenumber: +1 313 555 0355
+
+dn: cn=Dorothy Stevens,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+objectclass: OpenLDAPperson
+cn: Dorothy Stevens
+cn: Dot Stevens
+sn: Stevens
+uid: dots
+title: Secretary, UM Alumni Association
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+drink: Lemonade
+homepostaladdress: 377 White St. Apt. 3 $ Ann Arbor, MI 48104
+description: Very tall
+facsimiletelephonenumber: +1 313 555 3223
+telephonenumber: +1 313 555 3664
+mail: dots@mail.alumni.example.com
+homephone: +1 313 555 0454
+
+dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=TEST
+owner: cn=Manager,o=University of Michigan,c=TEST
+description: All ITD Staff
+cn: ITD Staff
+objectclass: groupofuniquenames
+uniquemember: cn=Manager,o=University of Michigan,c=TEST
+uniquemember: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=U
+ niversity of Michigan,c=TEST
+uniquemember: cn=James A Jones 2,ou=Information Technology Division,ou=People,
+ o=University of Michigan,c=TEST
+uniquemember: cn=John Doe,ou=Information Technology Division,ou=People,o=Unive
+ rsity of Michigan,c=TEST
+
+dn: cn=James A Jones 1,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+objectclass: OpenLDAPperson
+cn: James A Jones 1
+cn: James Jones
+cn: Jim Jones
+sn: Jones
+uid: jaj
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+userpassword:: amFq
+homepostaladdress: 3882 Beverly Rd. $ Ann Arbor, MI 48105
+homephone: +1 313 555 4772
+description: Outstanding
+title: Mad Cow Researcher, UM Alumni Association
+pager: +1 313 555 3923
+mail: jaj@mail.alumni.example.com
+facsimiletelephonenumber: +1 313 555 4332
+telephonenumber: +1 313 555 0895
+
+dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,o=Universi
+ ty of Michigan,c=TEST
+objectclass: OpenLDAPperson
+cn: James A Jones 2
+cn: James Jones
+cn: Jim Jones
+sn: Doe
+uid: jjones
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+homepostaladdress: 933 Brooks $ Ann Arbor, MI 48104
+homephone: +1 313 555 8838
+title: Senior Manager, Information Technology Division
+description: Not around very much
+mail: jjones@mailgw.example.com
+postaladdress: Info Tech Division $ 535 W William $ Ann Arbor, MI 48103
+pager: +1 313 555 2833
+facsimiletelephonenumber: +1 313 555 8688
+telephonenumber: +1 313 555 7334
+
+dn: cn=Jane Doe,ou=Alumni Association,ou=People,o=University of Michigan,c=TEST
+objectclass: OpenLDAPperson
+cn: Jane Doe
+cn: Jane Alverson
+sn: Doe
+uid: jdoe
+title: Programmer Analyst, UM Alumni Association
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+homepostaladdress: 123 Anystreet $ Ann Arbor, MI 48104
+drink: diet coke
+description: Enthusiastic
+mail: jdoe@woof.net
+homephone: +1 313 555 5445
+pager: +1 313 555 1220
+facsimiletelephonenumber: +1 313 555 2311
+telephonenumber: +1 313 555 4774
+
+dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,o=University of Michigan
+ ,c=TEST
+objectclass: OpenLDAPperson
+cn: Jennifer Smith
+cn: Jen Smith
+sn: Smith
+uid: jen
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+drink: Sam Adams
+homepostaladdress: 1000 Maple #44 $ Ann Arbor, MI 48103
+title: Telemarketer, UM Alumni Association
+mail: jen@mail.alumni.example.com
+homephone: +1 313 555 2333
+pager: +1 313 555 6442
+facsimiletelephonenumber: +1 313 555 2756
+telephonenumber: +1 313 555 8232
+
+dn: cn=John Doe,ou=Information Technology Division,ou=People,o=University of M
+ ichigan,c=TEST
+objectclass: OpenLDAPperson
+cn: John Doe
+cn: Jonathon Doe
+sn: Doe
+uid: johnd
+postaladdress: ITD $ 535 W. William $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+homepostaladdress: 912 East Bllvd $ Ann Arbor, MI 48104
+title: System Administrator, Information Technology Division
+description: overworked!
+mail: johnd@mailgw.example.com
+homephone: +1 313 555 3774
+pager: +1 313 555 6573
+facsimiletelephonenumber: +1 313 555 4544
+telephonenumber: +1 313 555 9394
+
+dn: cn=Manager,o=University of Michigan,c=TEST
+objectclass: person
+cn: Manager
+cn: Directory Manager
+cn: Dir Man
+sn: Manager
+description: Manager of the directory
+userpassword:: c2VjcmV0
+
+dn: cn=Mark Elliot,ou=Alumni Association,ou=People,o=University of Michigan,c=
+ TEST
+objectclass: OpenLDAPperson
+cn: Mark Elliot
+cn: Mark A Elliot
+sn: Elliot
+uid: melliot
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+homepostaladdress: 199 Outer Drive $ Ypsilanti, MI 48198
+homephone: +1 313 555 0388
+drink: Gasoline
+title: Director, UM Alumni Association
+mail: melliot@mail.alumni.example.com
+pager: +1 313 555 7671
+facsimiletelephonenumber: +1 313 555 7762
+telephonenumber: +1 313 555 4177
+
+dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,o=University of Michiga
+ n,c=TEST
+objectclass: OpenLDAPperson
+cn: Ursula Hampster
+sn: Hampster
+uid: uham
+title: Secretary, UM Alumni Association
+postaladdress: Alumni Association $ 111 Maple St $ Ann Arbor, MI 48109
+seealso: cn=All Staff,ou=Groups,o=University of Michigan,c=TEST
+homepostaladdress: 123 Anystreet $ Ann Arbor, MI 48104
+mail: uham@mail.alumni.example.com
+description: a long attribute name, longer than 128 bytes so that we
+ trigger sign extension problems in tdb_pack, no thats not long enough
+ yet, maybe this is. I'll just keep going till it triggers the error
+homephone: +1 313 555 8421
+pager: +1 313 555 2844
+facsimiletelephonenumber: +1 313 555 9700
+telephonenumber: +1 313 555 5331
diff --git a/source3/lib/ldb/tests/testdata.txt b/source3/lib/ldb/tests/testdata.txt
new file mode 100644
index 0000000000..dadb9f0f98
--- /dev/null
+++ b/source3/lib/ldb/tests/testdata.txt
@@ -0,0 +1,8 @@
+foo=bar5
+(&(|(a=b)(c=d))(e=f))
+(&(|(a=b)(c=d)(g=h))(e=f))
+name=firstname lastname
+(&(sid=S-1-2-3)(name = fred bloggs))
+(&(|(a=b)(c=d))(g=f))
+(&(sid=S-1-2-3)(!(name = fred bloggs)))
+(&(!(|(a=b)(c=d))(g=f)))
diff --git a/source3/lib/ldb/tests/testsearch.txt b/source3/lib/ldb/tests/testsearch.txt
new file mode 100644
index 0000000000..c5738639b7
--- /dev/null
+++ b/source3/lib/ldb/tests/testsearch.txt
@@ -0,0 +1,5 @@
+(blah=foo)
+(objectclass=person)
+(dn=*)
+(&(objectclass=person)(objectclass=person))
+(&(objectclass=person)(objectclass=personx))
diff --git a/source3/lib/ldb/tools/ad2oLschema.c b/source3/lib/ldb/tools/ad2oLschema.c
new file mode 100644
index 0000000000..fc51cb12d8
--- /dev/null
+++ b/source3/lib/ldb/tools/ad2oLschema.c
@@ -0,0 +1,629 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Bartlett 2006
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ad2oLschema
+ *
+ *  Description: utility to convert an AD schema into the format required by OpenLDAP
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "system/locale.h"
+#include "ldb/tools/cmdline.h"
+#include "ldb/tools/convert.h"
+
+struct schema_conv {
+	int count;
+	int skipped;
+	int failures;
+};
+
+enum convert_target {
+	TARGET_OPENLDAP,
+	TARGET_FEDORA_DS
+};
+	
+
+static void usage(void)
+{
+	printf("Usage: ad2oLschema <options>\n");
+	printf("\nConvert AD-like LDIF to OpenLDAP schema format\n\n");
+	printf("Options:\n");
+	printf("  -I inputfile     inputfile of mapped OIDs and skipped attributes/ObjectClasses");
+	printf("  -H url           LDB or LDAP server to read schmea from\n");
+	printf("  -O outputfile    outputfile otherwise STDOUT\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Converts records from an AD-like LDIF schema into an openLdap formatted schema\n\n");
+	exit(1);
+}
+
+static int fetch_attrs_schema(struct ldb_context *ldb, struct ldb_dn *schemadn,
+			      TALLOC_CTX *mem_ctx, 
+			      struct ldb_result **attrs_res)
+{
+	TALLOC_CTX *local_ctx = talloc_new(mem_ctx);
+	int ret;
+	const char *attrs[] = {
+		"lDAPDisplayName",
+		"isSingleValued",
+		"attributeID",
+		"attributeSyntax",
+		"description",		
+		NULL
+	};
+
+	if (!local_ctx) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	/* Downlaod schema */
+	ret = ldb_search(ldb, schemadn, LDB_SCOPE_SUBTREE, 
+			 "objectClass=attributeSchema", 
+			 attrs, attrs_res);
+	if (ret != LDB_SUCCESS) {
+		printf("Search failed: %s\n", ldb_errstring(ldb));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	return ret;
+}
+
+static const char *oc_attrs[] = {
+	"lDAPDisplayName",
+	"mayContain",
+	"mustContain",
+	"systemMayContain",
+	"systemMustContain",
+	"objectClassCategory",
+	"governsID",
+	"description",
+	"subClassOf",
+	NULL
+};
+
+static int fetch_oc_recursive(struct ldb_context *ldb, struct ldb_dn *schemadn, 
+			      TALLOC_CTX *mem_ctx, 
+			      struct ldb_result *search_from,
+			      struct ldb_result *res_list)
+{
+	int i;
+	int ret = 0;
+	for (i=0; i < search_from->count; i++) {
+		struct ldb_result *res;
+		const char *name = ldb_msg_find_attr_as_string(search_from->msgs[i], 
+							       "lDAPDisplayname", NULL);
+		char *filter = talloc_asprintf(mem_ctx, "(&(&(objectClass=classSchema)(subClassOf=%s))(!(lDAPDisplayName=%s)))", 
+					       name, name);
+
+		ret = ldb_search(ldb, schemadn, LDB_SCOPE_SUBTREE, 
+				 filter,
+				 oc_attrs, &res);
+		talloc_free(filter);
+		if (ret != LDB_SUCCESS) {
+			printf("Search failed: %s\n", ldb_errstring(ldb));
+			return ret;
+		}
+		
+		talloc_steal(mem_ctx, res);
+
+		res_list->msgs = talloc_realloc(res_list, res_list->msgs, 
+						struct ldb_message *, res_list->count + 2);
+		if (!res_list->msgs) {
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		res_list->msgs[res_list->count] = talloc_move(res_list, 
+							      &search_from->msgs[i]);
+		res_list->count++;
+		res_list->msgs[res_list->count] = NULL;
+
+		if (res->count > 0) {
+			ret = fetch_oc_recursive(ldb, schemadn, mem_ctx, res, res_list); 
+		}
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
+	return ret;
+}
+
+static int fetch_objectclass_schema(struct ldb_context *ldb, struct ldb_dn *schemadn, 
+				    TALLOC_CTX *mem_ctx, 
+				    struct ldb_result **objectclasses_res)
+{
+	TALLOC_CTX *local_ctx = talloc_new(mem_ctx);
+	struct ldb_result *top_res, *ret_res;
+	int ret;
+	if (!local_ctx) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+	
+	/* Downlaod 'top' */
+	ret = ldb_search(ldb, schemadn, LDB_SCOPE_SUBTREE, 
+			 "(&(objectClass=classSchema)(lDAPDisplayName=top))", 
+			 oc_attrs, &top_res);
+	if (ret != LDB_SUCCESS) {
+		printf("Search failed: %s\n", ldb_errstring(ldb));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	talloc_steal(local_ctx, top_res);
+
+	if (top_res->count != 1) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret_res = talloc_zero(local_ctx, struct ldb_result);
+	if (!ret_res) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	ret = fetch_oc_recursive(ldb, schemadn, local_ctx, top_res, ret_res); 
+
+	if (ret != LDB_SUCCESS) {
+		printf("Search failed: %s\n", ldb_errstring(ldb));
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	*objectclasses_res = talloc_move(mem_ctx, &ret_res);
+	return ret;
+}
+
+static struct ldb_dn *find_schema_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx) 
+{
+	const char *rootdse_attrs[] = {"schemaNamingContext", NULL};
+	struct ldb_dn *schemadn;
+	struct ldb_dn *basedn = ldb_dn_explode(mem_ctx, "");
+	struct ldb_result *rootdse_res;
+	int ldb_ret;
+	if (!basedn) {
+		return NULL;
+	}
+	
+	/* Search for rootdse */
+	ldb_ret = ldb_search(ldb, basedn, LDB_SCOPE_BASE, NULL, rootdse_attrs, &rootdse_res);
+	if (ldb_ret != LDB_SUCCESS) {
+		printf("Search failed: %s\n", ldb_errstring(ldb));
+		return NULL;
+	}
+	
+	talloc_steal(mem_ctx, rootdse_res);
+
+	if (rootdse_res->count != 1) {
+		printf("Failed to find rootDSE");
+		return NULL;
+	}
+	
+	/* Locate schema */
+	schemadn = ldb_msg_find_attr_as_dn(mem_ctx, rootdse_res->msgs[0], "schemaNamingContext");
+	if (!schemadn) {
+		return NULL;
+	}
+
+	talloc_free(rootdse_res);
+	return schemadn;
+}
+
+#define IF_NULL_FAIL_RET(x) do {     \
+		if (!x) {		\
+			ret.failures++; \
+			return ret;	\
+		}			\
+	} while (0) 
+
+
+static struct schema_conv process_convert(struct ldb_context *ldb, enum convert_target target, FILE *in, FILE *out) 
+{
+	/* Read list of attributes to skip, OIDs to map */
+	TALLOC_CTX *mem_ctx = talloc_new(ldb);
+	char *line;
+	const char **attrs_skip = NULL;
+	int num_skip = 0;
+	struct oid_map {
+		char *old_oid;
+		char *new_oid;
+	} *oid_map = NULL;
+	int num_maps = 0;
+	struct ldb_result *attrs_res, *objectclasses_res;
+	struct ldb_dn *schemadn;
+	struct schema_conv ret;
+
+	int ldb_ret, i;
+
+	ret.count = 0;
+	ret.skipped = 0;
+	ret.failures = 0;
+
+	while ((line = afdgets(fileno(in), mem_ctx, 0))) {
+		/* Blank Line */
+		if (line[0] == '\0') {
+			continue;
+		}
+		/* Comment */
+		if (line[0] == '#') {
+			continue;
+		}
+		if (isdigit(line[0])) {
+			char *p = strchr(line, ':');
+			IF_NULL_FAIL_RET(p);
+			if (!p) {
+				ret.failures = 1;
+				return ret;
+			}
+			p[0] = '\0';
+			p++;
+			oid_map = talloc_realloc(mem_ctx, oid_map, struct oid_map, num_maps + 2);
+			trim_string(line, " ", " ");
+			oid_map[num_maps].old_oid = talloc_move(oid_map, &line);
+			trim_string(p, " ", " ");
+			oid_map[num_maps].new_oid = p;
+			num_maps++;
+			oid_map[num_maps].old_oid = NULL;
+		} else {
+			attrs_skip = talloc_realloc(mem_ctx, attrs_skip, const char *, num_skip + 2);
+			trim_string(line, " ", " ");
+			attrs_skip[num_skip] = talloc_move(attrs_skip, &line);
+			num_skip++;
+			attrs_skip[num_skip] = NULL;
+		}
+	}
+
+	schemadn = find_schema_dn(ldb, mem_ctx);
+	if (!schemadn) {
+		printf("Failed to find schema DN: %s\n", ldb_errstring(ldb));
+		ret.failures = 1;
+		return ret;
+	}
+	
+	ldb_ret = fetch_attrs_schema(ldb, schemadn, mem_ctx, &attrs_res);
+	if (ldb_ret != LDB_SUCCESS) {
+		printf("Failed to fetch attribute schema: %s\n", ldb_errstring(ldb));
+		ret.failures = 1;
+		return ret;
+	}
+	
+	switch (target) {
+	case TARGET_OPENLDAP:
+		break;
+	case TARGET_FEDORA_DS:
+		fprintf(out, "dn: cn=schema\n");
+		break;
+	}
+
+	for (i=0; i < attrs_res->count; i++) {
+		struct ldb_message *msg = attrs_res->msgs[i];
+
+		const char *name = ldb_msg_find_attr_as_string(msg, "lDAPDisplayName", NULL);
+		const char *description = ldb_msg_find_attr_as_string(msg, "description", NULL);
+		const char *oid = ldb_msg_find_attr_as_string(msg, "attributeID", NULL);
+		const char *syntax = ldb_msg_find_attr_as_string(msg, "attributeSyntax", NULL);
+		BOOL single_value = ldb_msg_find_attr_as_bool(msg, "isSingleValued", False);
+		const struct syntax_map *map = find_syntax_map_by_ad_oid(syntax);
+		char *schema_entry = NULL;
+		int j;
+
+		/* We have been asked to skip some attributes/objectClasses */
+		if (attrs_skip && str_list_check_ci(attrs_skip, name)) {
+			ret.skipped++;
+			continue;
+		}
+
+		/* We might have been asked to remap this oid, due to a conflict */
+		for (j=0; oid && oid_map[j].old_oid; j++) {
+			if (strcmp(oid, oid_map[j].old_oid) == 0) {
+				oid =  oid_map[j].new_oid;
+				break;
+			}
+		}
+		
+		switch (target) {
+		case TARGET_OPENLDAP:
+			schema_entry = talloc_asprintf(mem_ctx, 
+						       "attributetype (\n"
+						       "  %s\n", oid);
+			break;
+		case TARGET_FEDORA_DS:
+			schema_entry = talloc_asprintf(mem_ctx, 
+						       "attributeTypes: (\n"
+						       "  %s\n", oid);
+			break;
+		}
+		IF_NULL_FAIL_RET(schema_entry);
+
+		schema_entry = talloc_asprintf_append(schema_entry, 
+						      "  NAME '%s'\n", name);
+		IF_NULL_FAIL_RET(schema_entry);
+
+		if (description) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  DESC %s\n", description);
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+
+		if (map) {
+			const char *syntax_oid;
+			if (map->equality) {
+				schema_entry = talloc_asprintf_append(schema_entry, 
+								      "  EQUALITY %s\n", map->equality);
+				IF_NULL_FAIL_RET(schema_entry);
+			}
+			if (map->substring) {
+				schema_entry = talloc_asprintf_append(schema_entry, 
+								      "  SUBSTR %s\n", map->substring);
+				IF_NULL_FAIL_RET(schema_entry);
+			}
+			syntax_oid = map->Standard_OID;
+			/* We might have been asked to remap this oid,
+			 * due to a conflict, or lack of
+			 * implementation */
+			for (j=0; syntax_oid && oid_map[j].old_oid; j++) {
+				if (strcmp(syntax_oid, oid_map[j].old_oid) == 0) {
+					syntax_oid =  oid_map[j].new_oid;
+					break;
+				}
+			}
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  SYNTAX %s\n", syntax_oid);
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+
+		if (single_value) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  SINGLE-VALUE\n");
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+		
+		schema_entry = talloc_asprintf_append(schema_entry, 
+						      "  )");
+
+		switch (target) {
+		case TARGET_OPENLDAP:
+			fprintf(out, "%s\n\n", schema_entry);
+			break;
+		case TARGET_FEDORA_DS:
+			fprintf(out, "%s\n", schema_entry);
+			break;
+		}
+		ret.count++;
+	}
+
+	ldb_ret = fetch_objectclass_schema(ldb, schemadn, mem_ctx, &objectclasses_res);
+	if (ldb_ret != LDB_SUCCESS) {
+		printf("Failed to fetch objectClass schema elements: %s\n", ldb_errstring(ldb));
+		ret.failures = 1;
+		return ret;
+	}
+	
+	for (i=0; i < objectclasses_res->count; i++) {
+		struct ldb_message *msg = objectclasses_res->msgs[i];
+		const char *name = ldb_msg_find_attr_as_string(msg, "lDAPDisplayName", NULL);
+		const char *description = ldb_msg_find_attr_as_string(msg, "description", NULL);
+		const char *oid = ldb_msg_find_attr_as_string(msg, "governsID", NULL);
+		const char *subClassOf = ldb_msg_find_attr_as_string(msg, "subClassOf", NULL);
+		int objectClassCategory = ldb_msg_find_attr_as_int(msg, "objectClassCategory", 0);
+		struct ldb_message_element *must = ldb_msg_find_element(msg, "mustContain");
+		struct ldb_message_element *sys_must = ldb_msg_find_element(msg, "systemMustContain");
+		struct ldb_message_element *may = ldb_msg_find_element(msg, "mayContain");
+		struct ldb_message_element *sys_may = ldb_msg_find_element(msg, "systemMayContain");
+		char *schema_entry = NULL;
+		int j;
+
+		/* We have been asked to skip some attributes/objectClasses */
+		if (attrs_skip && str_list_check_ci(attrs_skip, name)) {
+			ret.skipped++;
+			continue;
+		}
+
+		/* We might have been asked to remap this oid, due to a conflict */
+		for (j=0; oid_map[j].old_oid; j++) {
+			if (strcmp(oid, oid_map[j].old_oid) == 0) {
+				oid =  oid_map[j].new_oid;
+				break;
+			}
+		}
+		
+		switch (target) {
+		case TARGET_OPENLDAP:
+			schema_entry = talloc_asprintf(mem_ctx, 
+						       "objectclass (\n"
+						       "  %s\n", oid);
+			break;
+		case TARGET_FEDORA_DS:
+			schema_entry = talloc_asprintf(mem_ctx, 
+						       "objectClasses: (\n"
+						       "  %s\n", oid);
+			break;
+		}
+		IF_NULL_FAIL_RET(schema_entry);
+		if (!schema_entry) {
+			ret.failures++;
+			break;
+		}
+
+		schema_entry = talloc_asprintf_append(schema_entry, 
+						      "  NAME '%s'\n", name);
+		IF_NULL_FAIL_RET(schema_entry);
+
+		if (!schema_entry) return ret;
+
+		if (description) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  DESC %s\n", description);
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+
+		if (subClassOf) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  SUP %s\n", subClassOf);
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+		
+		switch (objectClassCategory) {
+		case 1:
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  STRUCTURAL\n");
+			IF_NULL_FAIL_RET(schema_entry);
+			break;
+		case 2:
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  ABSTRACT\n");
+			IF_NULL_FAIL_RET(schema_entry);
+			break;
+		case 3:
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  AUXILIARY\n");
+			IF_NULL_FAIL_RET(schema_entry);
+			break;
+		}
+
+#define APPEND_ATTRS(attributes) \
+		do {						\
+			int k;						\
+			for (k=0; attributes && k < attributes->num_values; k++) { \
+				schema_entry = talloc_asprintf_append(schema_entry, \
+								      " %s", \
+								      (const char *)attributes->values[k].data); \
+				IF_NULL_FAIL_RET(schema_entry);		\
+				if (k != (attributes->num_values - 1)) { \
+					schema_entry = talloc_asprintf_append(schema_entry, \
+									      " $"); \
+					IF_NULL_FAIL_RET(schema_entry);	\
+					if (target == TARGET_OPENLDAP && ((k+1)%5 == 0)) { \
+						schema_entry = talloc_asprintf_append(schema_entry, \
+										      "\n  "); \
+						IF_NULL_FAIL_RET(schema_entry);	\
+					}				\
+				}					\
+			}						\
+		} while (0)
+
+		if (must || sys_must) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  MUST (");
+			IF_NULL_FAIL_RET(schema_entry);
+
+			APPEND_ATTRS(must);
+			if (must && sys_must) {
+				schema_entry = talloc_asprintf_append(schema_entry, \
+								      " $"); \
+			}
+			APPEND_ATTRS(sys_must);
+			
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      " )\n");
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+
+		if (may || sys_may) {
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      "  MAY (");
+			IF_NULL_FAIL_RET(schema_entry);
+
+			APPEND_ATTRS(may);
+			if (may && sys_may) {
+				schema_entry = talloc_asprintf_append(schema_entry, \
+								      " $"); \
+			}
+			APPEND_ATTRS(sys_may);
+			
+			schema_entry = talloc_asprintf_append(schema_entry, 
+							      " )\n");
+			IF_NULL_FAIL_RET(schema_entry);
+		}
+
+		schema_entry = talloc_asprintf_append(schema_entry, 
+						      "  )");
+
+		switch (target) {
+		case TARGET_OPENLDAP:
+			fprintf(out, "%s\n\n", schema_entry);
+			break;
+		case TARGET_FEDORA_DS:
+			fprintf(out, "%s\n", schema_entry);
+			break;
+		}
+		ret.count++;
+	}
+
+	return ret;
+}
+
+ int main(int argc, const char **argv)
+{
+	TALLOC_CTX *ctx;
+	struct ldb_cmdline *options;
+	FILE *in = stdin;
+	FILE *out = stdout;
+	struct ldb_context *ldb;
+	struct schema_conv ret;
+	const char *target_str;
+	enum convert_target target;
+
+	ldb_global_init();
+
+	ctx = talloc_new(NULL);
+	ldb = ldb_init(ctx);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	if (options->input) {
+		in = fopen(options->input, "r");
+		if (!in) {
+			perror(options->input);
+			exit(1);
+		}
+	}
+	if (options->output) {
+		out = fopen(options->output, "w");
+		if (!out) {
+			perror(options->output);
+			exit(1);
+		}
+	}
+
+	target_str = lp_parm_string(-1, "convert", "target");
+
+	if (!target_str || strcasecmp(target_str, "openldap") == 0) {
+		target = TARGET_OPENLDAP;
+	} else if (strcasecmp(target_str, "fedora-ds") == 0) {
+		target = TARGET_FEDORA_DS;
+	} else {
+		printf("Unsupported target: %s\n", target_str);
+		exit(1);
+	}
+
+	ret = process_convert(ldb, target, in, out);
+
+	fclose(in);
+	fclose(out);
+
+	printf("Converted %d records (skipped %d) with %d failures\n", ret.count, ret.skipped, ret.failures);
+
+	return 0;
+}
diff --git a/source3/lib/ldb/tools/cmdline.c b/source3/lib/ldb/tools/cmdline.c
new file mode 100644
index 0000000000..4744ab4989
--- /dev/null
+++ b/source3/lib/ldb/tools/cmdline.c
@@ -0,0 +1,754 @@
+/* 
+   ldb database library - command line handling for ldb tools
+
+   Copyright (C) Andrew Tridgell  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+#if (_SAMBA_BUILD_ >= 4)
+#include "lib/cmdline/popt_common.h"
+#include "lib/ldb/samba/ldif_handlers.h"
+#include "auth/gensec/gensec.h"
+#include "auth/auth.h"
+#include "db_wrap.h"
+#endif
+
+
+
+/*
+  process command line options
+*/
+struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb, int argc, const char **argv,
+					void (*usage)(void))
+{
+	static struct ldb_cmdline options; /* needs to be static for older compilers */
+	struct ldb_cmdline *ret=NULL;
+	poptContext pc;
+#if (_SAMBA_BUILD_ >= 4)
+	int r;
+#endif
+	int num_options = 0;
+	int opt;
+	int flags = 0;
+
+	struct poptOption popt_options[] = {
+		POPT_AUTOHELP
+		{ "url",       'H', POPT_ARG_STRING, &options.url, 0, "database URL", "URL" },
+		{ "basedn",    'b', POPT_ARG_STRING, &options.basedn, 0, "base DN", "DN" },
+		{ "editor",    'e', POPT_ARG_STRING, &options.editor, 0, "external editor", "PROGRAM" },
+		{ "scope",     's', POPT_ARG_STRING, NULL, 's', "search scope", "SCOPE" },
+		{ "verbose",   'v', POPT_ARG_NONE, NULL, 'v', "increase verbosity", NULL },
+		{ "interactive", 'i', POPT_ARG_NONE, &options.interactive, 0, "input from stdin", NULL },
+		{ "recursive", 'r', POPT_ARG_NONE, &options.recursive, 0, "recursive delete", NULL },
+		{ "num-searches", 0, POPT_ARG_INT, &options.num_searches, 0, "number of test searches", NULL },
+		{ "num-records", 0, POPT_ARG_INT, &options.num_records, 0, "number of test records", NULL },
+		{ "all", 'a',    POPT_ARG_NONE, &options.all_records, 0, "(|(objectClass=*)(distinguishedName=*))", NULL },
+		{ "nosync", 0,   POPT_ARG_NONE, &options.nosync, 0, "non-synchronous transactions", NULL },
+		{ "sorted", 'S', POPT_ARG_NONE, &options.sorted, 0, "sort attributes", NULL },
+		{ "sasl-mechanism", 0, POPT_ARG_STRING, &options.sasl_mechanism, 0, "choose SASL mechanism", "MECHANISM" },
+		{ "input", 'I', POPT_ARG_STRING, &options.input, 0, "Input File", "Input" },
+		{ "output", 'O', POPT_ARG_STRING, &options.output, 0, "Output File", "Output" },
+		{ NULL,    'o', POPT_ARG_STRING, NULL, 'o', "ldb_connect option", "OPTION" },
+		{ "controls", 0, POPT_ARG_STRING, NULL, 'c', "controls", NULL },
+#if (_SAMBA_BUILD_ >= 4)
+		POPT_COMMON_SAMBA
+		POPT_COMMON_CREDENTIALS
+		POPT_COMMON_VERSION
+#endif
+		{ NULL }
+	};
+
+	ldb_global_init();
+
+#if (_SAMBA_BUILD_ >= 4)
+	r = ldb_register_samba_handlers(ldb);
+	if (r != 0) {
+		goto failed;
+	}
+
+#endif
+
+	ret = talloc_zero(ldb, struct ldb_cmdline);
+	if (ret == NULL) {
+		ldb_oom(ldb);
+		goto failed;
+	}
+
+	options = *ret;
+	
+	/* pull in URL */
+	options.url = getenv("LDB_URL");
+
+	/* and editor (used by ldbedit) */
+	options.editor = getenv("VISUAL");
+	if (!options.editor) {
+		options.editor = getenv("EDITOR");
+	}
+	if (!options.editor) {
+		options.editor = "vi";
+	}
+
+	options.scope = LDB_SCOPE_DEFAULT;
+
+	pc = poptGetContext(argv[0], argc, argv, popt_options, 
+			    POPT_CONTEXT_KEEP_FIRST);
+
+	while((opt = poptGetNextOpt(pc)) != -1) {
+		switch (opt) {
+		case 's': {
+			const char *arg = poptGetOptArg(pc);
+			if (strcmp(arg, "base") == 0) {
+				options.scope = LDB_SCOPE_BASE;
+			} else if (strcmp(arg, "sub") == 0) {
+				options.scope = LDB_SCOPE_SUBTREE;
+			} else if (strcmp(arg, "one") == 0) {
+				options.scope = LDB_SCOPE_ONELEVEL;
+			} else {
+				fprintf(stderr, "Invalid scope '%s'\n", arg);
+				goto failed;
+			}
+			break;
+		}
+
+		case 'v':
+			options.verbose++;
+			break;
+
+		case 'o':
+			options.options = talloc_realloc(ret, options.options, 
+							 const char *, num_options+3);
+			if (options.options == NULL) {
+				ldb_oom(ldb);
+				goto failed;
+			}
+			options.options[num_options] = poptGetOptArg(pc);
+			options.options[num_options+1] = NULL;
+			num_options++;
+			break;
+
+		case 'c': {
+			const char *cs = poptGetOptArg(pc);
+			const char *p, *q;
+			int cc;
+
+			for (p = cs, cc = 1; (q = strchr(p, ',')); cc++, p = q + 1) ;
+
+			options.controls = talloc_array(ret, char *, cc + 1);
+			if (options.controls == NULL) {
+				ldb_oom(ldb);
+				goto failed;
+			}
+			for (p = cs, cc = 0; p != NULL; cc++) {
+				const char *t;
+
+				t = strchr(p, ',');
+				if (t == NULL) {
+					options.controls[cc] = talloc_strdup(options.controls, p);
+					p = NULL;
+				} else {
+					options.controls[cc] = talloc_strndup(options.controls, p, t-p);
+			        	p = t + 1;
+				}
+			}
+			options.controls[cc] = NULL;
+
+			break;	  
+		}
+		default:
+			fprintf(stderr, "Invalid option %s: %s\n", 
+				poptBadOption(pc, 0), poptStrerror(opt));
+			if (usage) usage();
+			goto failed;
+		}
+	}
+
+	/* setup the remaining options for the main program to use */
+	options.argv = poptGetArgs(pc);
+	if (options.argv) {
+		options.argv++;
+		while (options.argv[options.argc]) options.argc++;
+	}
+
+	*ret = options;
+
+	/* all utils need some option */
+	if (ret->url == NULL) {
+		fprintf(stderr, "You must supply a url with -H or with $LDB_URL\n");
+		if (usage) usage();
+		goto failed;
+	}
+
+	if (strcmp(ret->url, "NONE") == 0) {
+		return ret;
+	}
+
+	if (options.nosync) {
+		flags |= LDB_FLG_NOSYNC;
+	}
+
+#if (_SAMBA_BUILD_ >= 4)
+	/* Must be after we have processed command line options */
+	gensec_init(); 
+	
+	if (ldb_set_opaque(ldb, "sessionInfo", system_session(ldb))) {
+		goto failed;
+	}
+	if (ldb_set_opaque(ldb, "credentials", cmdline_credentials)) {
+		goto failed;
+	}
+	ldb_set_utf8_fns(ldb, NULL, wrap_casefold);
+#endif
+
+	/* now connect to the ldb */
+	if (ldb_connect(ldb, ret->url, flags, ret->options) != 0) {
+		fprintf(stderr, "Failed to connect to %s - %s\n", 
+			ret->url, ldb_errstring(ldb));
+		goto failed;
+	}
+
+	return ret;
+
+failed:
+	talloc_free(ret);
+	exit(1);
+	return NULL;
+}
+
+struct ldb_control **parse_controls(void *mem_ctx, char **control_strings)
+{
+	int i;
+	struct ldb_control **ctrl;
+
+	if (control_strings == NULL || control_strings[0] == NULL)
+		return NULL;
+
+	for (i = 0; control_strings[i]; i++);
+
+	ctrl = talloc_array(mem_ctx, struct ldb_control *, i + 1);
+
+	for (i = 0; control_strings[i]; i++) {
+		if (strncmp(control_strings[i], "vlv:", 4) == 0) {
+			struct ldb_vlv_req_control *control;
+			const char *p;
+			char attr[1024];
+			char ctxid[1024];
+			int crit, bc, ac, os, cc, ret;
+
+			attr[0] = '\0';
+			ctxid[0] = '\0';
+			p = &(control_strings[i][4]);
+			ret = sscanf(p, "%d:%d:%d:%d:%d:%1023[^$]", &crit, &bc, &ac, &os, &cc, ctxid);
+			if (ret < 5) {
+				ret = sscanf(p, "%d:%d:%d:%1023[^:]:%1023[^$]", &crit, &bc, &ac, attr, ctxid);
+			}
+			       
+			if ((ret < 4) || (crit < 0) || (crit > 1)) {
+				fprintf(stderr, "invalid server_sort control syntax\n");
+				fprintf(stderr, " syntax: crit(b):bc(n):ac(n):<os(n):cc(n)|attr(s)>[:ctxid(o)]\n");
+				fprintf(stderr, "   note: b = boolean, n = number, s = string, o = b64 binary blob\n");
+				return NULL;
+			}
+			if (!(ctrl[i] = talloc(ctrl, struct ldb_control))) {
+				fprintf(stderr, "talloc failed\n");
+				return NULL;
+			}
+			ctrl[i]->oid = LDB_CONTROL_VLV_REQ_OID;
+			ctrl[i]->critical = crit;
+			if (!(control = talloc(ctrl[i],
+					       struct ldb_vlv_req_control))) {
+				fprintf(stderr, "talloc failed\n");
+				return NULL;
+			}
+			control->beforeCount = bc;
+			control->afterCount = ac;
+			if (attr[0]) {
+				control->type = 1;
+				control->match.gtOrEq.value = talloc_strdup(control, attr);
+				control->match.gtOrEq.value_len = strlen(attr);
+			} else {
+				control->type = 0;
+				control->match.byOffset.offset = os;
+				control->match.byOffset.contentCount = cc;
+			}
+			if (ctxid[0]) {
+				control->ctxid_len = ldb_base64_decode(ctxid);
+				control->contextId = (char *)talloc_memdup(control, ctxid, control->ctxid_len);
+			} else {
+				control->ctxid_len = 0;
+				control->contextId = NULL;
+			}
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "dirsync:", 8) == 0) {
+			struct ldb_dirsync_control *control;
+			const char *p;
+			char cookie[1024];
+			int crit, flags, max_attrs, ret;
+		       
+			cookie[0] = '\0';
+			p = &(control_strings[i][8]);
+			ret = sscanf(p, "%d:%d:%d:%1023[^$]", &crit, &flags, &max_attrs, cookie);
+
+			if ((ret < 3) || (crit < 0) || (crit > 1) || (flags < 0) || (max_attrs < 0)) {
+				fprintf(stderr, "invalid dirsync control syntax\n");
+				fprintf(stderr, " syntax: crit(b):flags(n):max_attrs(n)[:cookie(o)]\n");
+				fprintf(stderr, "   note: b = boolean, n = number, o = b64 binary blob\n");
+				return NULL;
+			}
+
+			/* w2k3 seems to ignore the parameter,
+			 * but w2k sends a wrong cookie when this value is to small
+			 * this would cause looping forever, while getting
+			 * the same data and same cookie forever
+			 */
+			if (max_attrs == 0) max_attrs = 0x0FFFFFFF;
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_DIRSYNC_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_dirsync_control);
+			control->flags = flags;
+			control->max_attributes = max_attrs;
+			if (*cookie) {
+				control->cookie_len = ldb_base64_decode(cookie);
+				control->cookie = (char *)talloc_memdup(control, cookie, control->cookie_len);
+			} else {
+				control->cookie = NULL;
+				control->cookie_len = 0;
+			}
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "asq:", 4) == 0) {
+			struct ldb_asq_control *control;
+			const char *p;
+			char attr[256];
+			int crit, ret;
+
+			attr[0] = '\0';
+			p = &(control_strings[i][4]);
+			ret = sscanf(p, "%d:%255[^$]", &crit, attr);
+			if ((ret != 2) || (crit < 0) || (crit > 1) || (attr[0] == '\0')) {
+				fprintf(stderr, "invalid asq control syntax\n");
+				fprintf(stderr, " syntax: crit(b):attr(s)\n");
+				fprintf(stderr, "   note: b = boolean, s = string\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_ASQ_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_asq_control);
+			control->request = 1;
+			control->source_attribute = talloc_strdup(control, attr);
+			control->src_attr_len = strlen(attr);
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "extended_dn:", 12) == 0) {
+			struct ldb_extended_dn_control *control;
+			const char *p;
+			int crit, type, ret;
+
+			p = &(control_strings[i][12]);
+			ret = sscanf(p, "%d:%d", &crit, &type);
+			if ((ret != 2) || (crit < 0) || (crit > 1) || (type < 0) || (type > 1)) {
+				fprintf(stderr, "invalid extended_dn control syntax\n");
+				fprintf(stderr, " syntax: crit(b):type(b)\n");
+				fprintf(stderr, "   note: b = boolean\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_EXTENDED_DN_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_extended_dn_control);
+			control->type = type;
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "sd_flags:", 9) == 0) {
+			struct ldb_sd_flags_control *control;
+			const char *p;
+			int crit, ret;
+			unsigned secinfo_flags;
+
+			p = &(control_strings[i][9]);
+			ret = sscanf(p, "%d:%u", &crit, &secinfo_flags);
+			if ((ret != 2) || (crit < 0) || (crit > 1) || (secinfo_flags < 0) || (secinfo_flags > 0xF)) {
+				fprintf(stderr, "invalid sd_flags control syntax\n");
+				fprintf(stderr, " syntax: crit(b):secinfo_flags(n)\n");
+				fprintf(stderr, "   note: b = boolean, n = number\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_SD_FLAGS_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_sd_flags_control);
+			control->secinfo_flags = secinfo_flags;
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "search_options:", 15) == 0) {
+			struct ldb_search_options_control *control;
+			const char *p;
+			int crit, ret;
+			unsigned search_options;
+
+			p = &(control_strings[i][15]);
+			ret = sscanf(p, "%d:%u", &crit, &search_options);
+			if ((ret != 2) || (crit < 0) || (crit > 1) || (search_options < 0) || (search_options > 0xF)) {
+				fprintf(stderr, "invalid search_options control syntax\n");
+				fprintf(stderr, " syntax: crit(b):search_options(n)\n");
+				fprintf(stderr, "   note: b = boolean, n = number\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_SEARCH_OPTIONS_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_search_options_control);
+			control->search_options = search_options;
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "domain_scope:", 13) == 0) {
+			const char *p;
+			int crit, ret;
+
+			p = &(control_strings[i][13]);
+			ret = sscanf(p, "%d", &crit);
+			if ((ret != 1) || (crit < 0) || (crit > 1)) {
+				fprintf(stderr, "invalid domain_scope control syntax\n");
+				fprintf(stderr, " syntax: crit(b)\n");
+				fprintf(stderr, "   note: b = boolean\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_DOMAIN_SCOPE_OID;
+			ctrl[i]->critical = crit;
+			ctrl[i]->data = NULL;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "paged_results:", 14) == 0) {
+			struct ldb_paged_control *control;
+			const char *p;
+			int crit, size, ret;
+		       
+			p = &(control_strings[i][14]);
+			ret = sscanf(p, "%d:%d", &crit, &size);
+
+			if ((ret != 2) || (crit < 0) || (crit > 1) || (size < 0)) {
+				fprintf(stderr, "invalid paged_results control syntax\n");
+				fprintf(stderr, " syntax: crit(b):size(n)\n");
+				fprintf(stderr, "   note: b = boolean, n = number\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_PAGED_RESULTS_OID;
+			ctrl[i]->critical = crit;
+			control = talloc(ctrl[i], struct ldb_paged_control);
+			control->size = size;
+			control->cookie = NULL;
+			control->cookie_len = 0;
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "server_sort:", 12) == 0) {
+			struct ldb_server_sort_control **control;
+			const char *p;
+			char attr[256];
+			char rule[128];
+			int crit, rev, ret;
+
+			attr[0] = '\0';
+			rule[0] = '\0';
+			p = &(control_strings[i][12]);
+			ret = sscanf(p, "%d:%d:%255[^:]:%127[^:]", &crit, &rev, attr, rule);
+			if ((ret < 3) || (crit < 0) || (crit > 1) || (rev < 0 ) || (rev > 1) ||attr[0] == '\0') {
+				fprintf(stderr, "invalid server_sort control syntax\n");
+				fprintf(stderr, " syntax: crit(b):rev(b):attr(s)[:rule(s)]\n");
+				fprintf(stderr, "   note: b = boolean, s = string\n");
+				return NULL;
+			}
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_SERVER_SORT_OID;
+			ctrl[i]->critical = crit;
+			control = talloc_array(ctrl[i], struct ldb_server_sort_control *, 2);
+			control[0] = talloc(control, struct ldb_server_sort_control);
+			control[0]->attributeName = talloc_strdup(control, attr);
+			if (rule[0])
+				control[0]->orderingRule = talloc_strdup(control, rule);
+			else
+				control[0]->orderingRule = NULL;
+			control[0]->reverse = rev;
+			control[1] = NULL;
+			ctrl[i]->data = control;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "notification:", 13) == 0) {
+			const char *p;
+			int crit, ret;
+
+			p = &(control_strings[i][13]);
+			ret = sscanf(p, "%d", &crit);
+			if ((ret != 1) || (crit < 0) || (crit > 1)) {
+				fprintf(stderr, "invalid notification control syntax\n");
+				fprintf(stderr, " syntax: crit(b)\n");
+				fprintf(stderr, "   note: b = boolean\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_NOTIFICATION_OID;
+			ctrl[i]->critical = crit;
+			ctrl[i]->data = NULL;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "show_deleted:", 13) == 0) {
+			const char *p;
+			int crit, ret;
+
+			p = &(control_strings[i][13]);
+			ret = sscanf(p, "%d", &crit);
+			if ((ret != 1) || (crit < 0) || (crit > 1)) {
+				fprintf(stderr, "invalid show_deleted control syntax\n");
+				fprintf(stderr, " syntax: crit(b)\n");
+				fprintf(stderr, "   note: b = boolean\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_SHOW_DELETED_OID;
+			ctrl[i]->critical = crit;
+			ctrl[i]->data = NULL;
+
+			continue;
+		}
+
+		if (strncmp(control_strings[i], "permissive_modify:", 18) == 0) {
+			const char *p;
+			int crit, ret;
+
+			p = &(control_strings[i][18]);
+			ret = sscanf(p, "%d", &crit);
+			if ((ret != 1) || (crit < 0) || (crit > 1)) {
+				fprintf(stderr, "invalid permissive_modify control syntax\n");
+				fprintf(stderr, " syntax: crit(b)\n");
+				fprintf(stderr, "   note: b = boolean\n");
+				return NULL;
+			}
+
+			ctrl[i] = talloc(ctrl, struct ldb_control);
+			ctrl[i]->oid = LDB_CONTROL_PERMISSIVE_MODIFY_OID;
+			ctrl[i]->critical = crit;
+			ctrl[i]->data = NULL;
+
+			continue;
+		}
+
+		/* no controls matched, throw an error */
+		fprintf(stderr, "Invalid control name: '%s'\n", control_strings[i]);
+		return NULL;
+	}
+
+	ctrl[i] = NULL;
+
+	return ctrl;
+}
+
+
+/* this function check controls reply and determines if more
+ * processing is needed setting up the request controls correctly
+ *
+ * returns:
+ * 	-1 error
+ * 	0 all ok
+ * 	1 all ok, more processing required
+ */
+int handle_controls_reply(struct ldb_control **reply, struct ldb_control **request)
+{
+	int i, j;
+       	int ret = 0;
+
+	if (reply == NULL || request == NULL) return -1;
+	
+	for (i = 0; reply[i]; i++) {
+		if (strcmp(LDB_CONTROL_VLV_RESP_OID, reply[i]->oid) == 0) {
+			struct ldb_vlv_resp_control *rep_control;
+
+			rep_control = talloc_get_type(reply[i]->data, struct ldb_vlv_resp_control);
+			
+			/* check we have a matching control in the request */
+			for (j = 0; request[j]; j++) {
+				if (strcmp(LDB_CONTROL_VLV_REQ_OID, request[j]->oid) == 0)
+					break;
+			}
+			if (! request[j]) {
+				fprintf(stderr, "Warning VLV reply received but no request have been made\n");
+				continue;
+			}
+
+			/* check the result */
+			if (rep_control->vlv_result != 0) {
+				fprintf(stderr, "Warning: VLV not performed with error: %d\n", rep_control->vlv_result);
+			} else {
+				fprintf(stderr, "VLV Info: target position = %d, content count = %d\n", rep_control->targetPosition, rep_control->contentCount);
+			}
+
+			continue;
+		}
+
+		if (strcmp(LDB_CONTROL_ASQ_OID, reply[i]->oid) == 0) {
+			struct ldb_asq_control *rep_control;
+
+			rep_control = talloc_get_type(reply[i]->data, struct ldb_asq_control);
+
+			/* check the result */
+			if (rep_control->result != 0) {
+				fprintf(stderr, "Warning: ASQ not performed with error: %d\n", rep_control->result);
+			}
+
+			continue;
+		}
+
+		if (strcmp(LDB_CONTROL_PAGED_RESULTS_OID, reply[i]->oid) == 0) {
+			struct ldb_paged_control *rep_control, *req_control;
+
+			rep_control = talloc_get_type(reply[i]->data, struct ldb_paged_control);
+			if (rep_control->cookie_len == 0) /* we are done */
+				break;
+
+			/* more processing required */
+			/* let's fill in the request control with the new cookie */
+
+			for (j = 0; request[j]; j++) {
+				if (strcmp(LDB_CONTROL_PAGED_RESULTS_OID, request[j]->oid) == 0)
+					break;
+			}
+			/* if there's a reply control we must find a request
+			 * control matching it */
+			if (! request[j]) return -1;
+
+			req_control = talloc_get_type(request[j]->data, struct ldb_paged_control);
+
+			if (req_control->cookie)
+				talloc_free(req_control->cookie);
+			req_control->cookie = (char *)talloc_memdup(
+				req_control, rep_control->cookie,
+				rep_control->cookie_len);
+			req_control->cookie_len = rep_control->cookie_len;
+
+			ret = 1;
+
+			continue;
+		}
+
+		if (strcmp(LDB_CONTROL_SORT_RESP_OID, reply[i]->oid) == 0) {
+			struct ldb_sort_resp_control *rep_control;
+
+			rep_control = talloc_get_type(reply[i]->data, struct ldb_sort_resp_control);
+
+			/* check we have a matching control in the request */
+			for (j = 0; request[j]; j++) {
+				if (strcmp(LDB_CONTROL_SERVER_SORT_OID, request[j]->oid) == 0)
+					break;
+			}
+			if (! request[j]) {
+				fprintf(stderr, "Warning Server Sort reply received but no request found\n");
+				continue;
+			}
+
+			/* check the result */
+			if (rep_control->result != 0) {
+				fprintf(stderr, "Warning: Sorting not performed with error: %d\n", rep_control->result);
+			}
+
+			continue;
+		}
+
+		if (strcmp(LDB_CONTROL_DIRSYNC_OID, reply[i]->oid) == 0) {
+			struct ldb_dirsync_control *rep_control, *req_control;
+			char *cookie;
+
+			rep_control = talloc_get_type(reply[i]->data, struct ldb_dirsync_control);
+			if (rep_control->cookie_len == 0) /* we are done */
+				break;
+
+			/* more processing required */
+			/* let's fill in the request control with the new cookie */
+
+			for (j = 0; request[j]; j++) {
+				if (strcmp(LDB_CONTROL_DIRSYNC_OID, request[j]->oid) == 0)
+					break;
+			}
+			/* if there's a reply control we must find a request
+			 * control matching it */
+			if (! request[j]) return -1;
+
+			req_control = talloc_get_type(request[j]->data, struct ldb_dirsync_control);
+
+			if (req_control->cookie)
+				talloc_free(req_control->cookie);
+			req_control->cookie = (char *)talloc_memdup(
+				req_control, rep_control->cookie,
+				rep_control->cookie_len);
+			req_control->cookie_len = rep_control->cookie_len;
+
+			cookie = ldb_base64_encode(req_control, rep_control->cookie, rep_control->cookie_len);
+			printf("# DIRSYNC cookie returned was:\n# %s\n", cookie);
+
+			continue;
+		}
+
+		/* no controls matched, throw a warning */
+		fprintf(stderr, "Unknown reply control oid: %s\n", reply[i]->oid);
+	}
+
+	return ret;
+}
+
diff --git a/source3/lib/ldb/tools/cmdline.h b/source3/lib/ldb/tools/cmdline.h
new file mode 100644
index 0000000000..ae295d68a4
--- /dev/null
+++ b/source3/lib/ldb/tools/cmdline.h
@@ -0,0 +1,53 @@
+/* 
+   ldb database library - command line handling for ldb tools
+
+   Copyright (C) Andrew Tridgell  2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <popt.h>
+
+struct ldb_cmdline {
+	const char *url;
+	enum ldb_scope scope;
+	const char *basedn;
+	int interactive;
+	int sorted;
+	const char *editor;
+	int verbose;
+	int recursive;
+	int all_records;
+	int nosync;
+	const char **options;
+	int argc;
+	const char **argv;
+	int num_records;
+	int num_searches;
+	const char *sasl_mechanism;
+	const char *input;
+	const char *output;
+	char **controls;
+};
+
+struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb, int argc, const char **argv,
+					void (*usage)(void));
+
+
+struct ldb_control **parse_controls(void *mem_ctx, char **control_strings);
+int handle_controls_reply(struct ldb_control **reply, struct ldb_control **request);
diff --git a/source3/lib/ldb/tools/convert.c b/source3/lib/ldb/tools/convert.c
new file mode 100644
index 0000000000..879ff697c8
--- /dev/null
+++ b/source3/lib/ldb/tools/convert.c
@@ -0,0 +1,165 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce 2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "convert.h"
+#include "includes.h"
+#include "ldb/include/includes.h"
+
+/* Shared map for converting syntax between formats */
+static const struct syntax_map syntax_map[] = {
+	{ 
+		.Standard_OID = "1.3.6.1.4.1.1466.115.121.1.12", 
+		.AD_OID = "2.5.5.1", 
+		.equality = "distinguishedNameMatch",
+		.comment = "Object(DS-DN) == a DN" 
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.38",
+		.AD_OID =  "2.5.5.2",
+		.equality = "objectIdentifierMatch",
+		.comment =  "OID String"
+	},
+	{ 
+		.Standard_OID =  "1.2.840.113556.1.4.905", 
+		.AD_OID =  "2.5.5.4",
+		.equality = "caseIgnoreMatch",
+		.substring = "caseIgnoreSubstringsMatch",
+		.comment =   "Case Insensitive String" 
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.26",
+		.AD_OID =   "2.5.5.5",
+		.equality = "caseExactIA5Match",
+		.comment = "Printable String"
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.36",
+		.AD_OID =   "2.5.5.6", 
+		.equality = "numericStringMatch",
+		.substring = "numericStringSubstringsMatch",
+		.comment = "Numeric String" 
+	},
+	{ 
+		.Standard_OID =  "1.2.840.113556.1.4.903", 
+		.AD_OID =  "2.5.5.7", 
+		.equality = "distinguishedNameMatch",
+		.comment = "OctetString: Binary+DN" 
+	},
+	{ 
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.7",
+		.AD_OID =   "2.5.5.8", 
+		.equality = "booleanMatch",
+		.comment = "Boolean" 
+	},
+	{ 
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.27",
+		.AD_OID =   "2.5.5.9", 
+		.equality = "integerMatch",
+		.comment = "Integer" 
+	},
+	{ 
+		.Standard_OID = "1.3.6.1.4.1.1466.115.121.1.40",
+		.AD_OID       = "2.5.5.10",
+		.equality     = "octetStringMatch",
+		.comment      =  "Octet String"
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.24",
+		.AD_OID =   "2.5.5.11", 
+		.equality = "generalizedTimeMatch",
+		.comment = "Generalized Time"
+	},
+	{ 
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.53",
+		.AD_OID =   "2.5.5.11", 
+		.equality = "generalizedTimeMatch",
+		.comment = "UTC Time" 
+	},
+	{ 
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.15",
+		.AD_OID =   "2.5.5.12", 
+		.equality = "caseIgnoreMatch",
+		.substring = "caseIgnoreSubstringsMatch",
+		.comment = "Directory String"
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.43",
+		.AD_OID =   "2.5.5.13", 
+		.comment = "Presentation Address" 
+	},
+	{
+		.Standard_OID =   "Not Found Yet", 
+		.AD_OID =  "2.5.5.14", 
+		.equality = "distinguishedNameMatch",
+		.comment = "OctetString: String+DN" 
+	},
+	{
+		.Standard_OID =  "1.2.840.113556.1.4.907",
+		.AD_OID =   "2.5.5.15", 
+		.equality     = "octetStringMatch",
+		.comment = "NT Security Descriptor"
+	},
+	{ 
+		.Standard_OID =  "1.2.840.113556.1.4.906", 
+		.AD_OID =  "2.5.5.16", 
+		.equality = "integerMatch",
+		.comment = "Large Integer" 
+	},
+	{
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.40",
+		.AD_OID =   "2.5.5.17",
+		.equality     = "octetStringMatch",
+		.comment =  "Octet String - Security Identifier (SID)" 
+	},
+	{ 
+		.Standard_OID =  "1.3.6.1.4.1.1466.115.121.1.26", 
+		.AD_OID =  "2.5.5.5", 
+		.equality = "caseExactIA5Match",
+		.comment = "IA5 String" 
+	},
+	{	.Standard_OID = NULL
+	}
+};
+
+
+const struct syntax_map *find_syntax_map_by_ad_oid(const char *ad_oid) 
+{
+	int i;
+	for (i=0; syntax_map[i].Standard_OID; i++) {
+		if (strcasecmp(ad_oid, syntax_map[i].AD_OID) == 0) {
+			return &syntax_map[i];
+		}
+	}
+	return NULL;
+}
+
+const struct syntax_map *find_syntax_map_by_standard_oid(const char *standard_oid) 
+{
+	int i;
+	for (i=0; syntax_map[i].Standard_OID; i++) {
+		if (strcasecmp(standard_oid, syntax_map[i].Standard_OID) == 0) {
+			return &syntax_map[i];
+		}
+	}
+	return NULL;
+}
diff --git a/source3/lib/ldb/tools/convert.h b/source3/lib/ldb/tools/convert.h
new file mode 100644
index 0000000000..de379343a6
--- /dev/null
+++ b/source3/lib/ldb/tools/convert.h
@@ -0,0 +1,10 @@
+struct syntax_map {
+	const char *Standard_OID;
+	const char *AD_OID;
+	const char *equality;
+	const char *substring;
+	const char *comment;
+};
+
+const struct syntax_map *find_syntax_map_by_ad_oid(const char *ad_oid); 
+const struct syntax_map *find_syntax_map_by_standard_oid(const char *standard_oid);
diff --git a/source3/lib/ldb/tools/ldbadd.c b/source3/lib/ldb/tools/ldbadd.c
new file mode 100644
index 0000000000..4dde2a1ef5
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbadd.c
@@ -0,0 +1,119 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbadd
+ *
+ *  Description: utility to add records - modelled on ldapadd
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static int failures;
+
+static void usage(void)
+{
+	printf("Usage: ldbadd <options> <ldif...>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Adds records to a ldb, reading ldif the specified list of files\n\n");
+	exit(1);
+}
+
+
+/*
+  add records from an opened file
+*/
+static int process_file(struct ldb_context *ldb, FILE *f, int *count)
+{
+	struct ldb_ldif *ldif;
+	int ret = LDB_SUCCESS;
+
+	while ((ldif = ldb_ldif_read_file(ldb, f))) {
+		if (ldif->changetype != LDB_CHANGETYPE_ADD &&
+		    ldif->changetype != LDB_CHANGETYPE_NONE) {
+			fprintf(stderr, "Only CHANGETYPE_ADD records allowed\n");
+			break;
+		}
+
+		ldif->msg = ldb_msg_canonicalize(ldb, ldif->msg);
+
+		ret = ldb_add(ldb, ldif->msg);
+		if (ret != LDB_SUCCESS) {
+			fprintf(stderr, "ERR: \"%s\" on DN %s\n", 
+				ldb_errstring(ldb), ldb_dn_linearize(ldb, ldif->msg->dn));
+			failures++;
+		} else {
+			(*count)++;
+		}
+		ldb_ldif_read_free(ldb, ldif);
+	}
+
+	return ret;
+}
+
+
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	int i, ret=0, count=0;
+	struct ldb_cmdline *options;
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	if (options->argc == 0) {
+		ret = process_file(ldb, stdin, &count);
+	} else {
+		for (i=0;i<options->argc;i++) {
+			const char *fname = options->argv[i];
+			FILE *f;
+			f = fopen(fname, "r");
+			if (!f) {
+				perror(fname);
+				exit(1);
+			}
+			ret = process_file(ldb, f, &count);
+			fclose(f);
+		}
+	}
+
+	talloc_free(ldb);
+
+	printf("Added %d records with %d failures\n", count, failures);
+	
+	return ret;
+}
diff --git a/source3/lib/ldb/tools/ldbdel.c b/source3/lib/ldb/tools/ldbdel.c
new file mode 100644
index 0000000000..a6d32f422f
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbdel.c
@@ -0,0 +1,118 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbdel
+ *
+ *  Description: utility to delete records - modelled on ldapdelete
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static int ldb_delete_recursive(struct ldb_context *ldb, const struct ldb_dn *dn)
+{
+	int ret, i, total=0;
+	const char *attrs[] = { NULL };
+	struct ldb_result *res;
+	
+	ret = ldb_search(ldb, dn, LDB_SCOPE_SUBTREE, "distinguishedName=*", attrs, &res);
+	if (ret != LDB_SUCCESS) return -1;
+
+	for (i = 0; i < res->count; i++) {
+		if (ldb_delete(ldb, res->msgs[i]->dn) == 0) {
+			total++;
+		}
+	}
+
+	talloc_free(res);
+
+	if (total == 0) {
+		return -1;
+	}
+	printf("Deleted %d records\n", total);
+	return 0;
+}
+
+static void usage(void)
+{
+	printf("Usage: ldbdel <options> <DN...>\n");
+	printf("Options:\n");
+	printf("  -r               recursively delete the given subtree\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Deletes records from a ldb\n\n");
+	exit(1);
+}
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	int ret = 0, i;
+	struct ldb_cmdline *options;
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	if (options->argc < 1) {
+		usage();
+		exit(1);
+	}
+
+	for (i=0;i<options->argc;i++) {
+		const struct ldb_dn *dn;
+
+		dn = ldb_dn_explode(ldb, options->argv[i]);
+		if (dn == NULL) {
+			printf("Invalid DN format\n");
+			exit(1);
+		}
+		if (options->recursive) {
+			ret = ldb_delete_recursive(ldb, dn);
+		} else {
+			ret = ldb_delete(ldb, dn);
+			if (ret == 0) {
+				printf("Deleted 1 record\n");
+			}
+		}
+		if (ret != 0) {
+			printf("delete of '%s' failed - %s\n",
+				ldb_dn_linearize(ldb, dn),
+				ldb_errstring(ldb));
+		}
+	}
+
+	talloc_free(ldb);
+
+	return ret;
+}
diff --git a/source3/lib/ldb/tools/ldbedit.c b/source3/lib/ldb/tools/ldbedit.c
new file mode 100644
index 0000000000..0e1fd38e4c
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbedit.c
@@ -0,0 +1,330 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbedit
+ *
+ *  Description: utility for ldb database editing
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static struct ldb_cmdline *options;
+
+/*
+  debug routine 
+*/
+static void ldif_write_msg(struct ldb_context *ldb, 
+			   FILE *f, 
+			   enum ldb_changetype changetype,
+			   struct ldb_message *msg)
+{
+	struct ldb_ldif ldif;
+	ldif.changetype = changetype;
+	ldif.msg = msg;
+	ldb_ldif_write_file(ldb, f, &ldif);
+}
+
+/*
+  modify a database record so msg1 becomes msg2
+  returns the number of modified elements
+*/
+static int modify_record(struct ldb_context *ldb, 
+			 struct ldb_message *msg1,
+			 struct ldb_message *msg2)
+{
+	struct ldb_message *mod;
+
+	mod = ldb_msg_diff(ldb, msg1, msg2);
+	if (mod == NULL) {
+		fprintf(stderr, "Failed to calculate message differences\n");
+		return -1;
+	}
+
+	if (mod->num_elements == 0) {
+		return 0;
+	}
+
+	if (options->verbose > 0) {
+		ldif_write_msg(ldb, stdout, LDB_CHANGETYPE_MODIFY, mod);
+	}
+
+	if (ldb_modify(ldb, mod) != 0) {
+		fprintf(stderr, "failed to modify %s - %s\n", 
+			ldb_dn_linearize(ldb, msg1->dn), ldb_errstring(ldb));
+		return -1;
+	}
+
+	return mod->num_elements;
+}
+
+/*
+  find dn in msgs[]
+*/
+static struct ldb_message *msg_find(struct ldb_context *ldb,
+				    struct ldb_message **msgs,
+				    int count,
+				    const struct ldb_dn *dn)
+{
+	int i;
+	for (i=0;i<count;i++) {
+		if (ldb_dn_compare(ldb, dn, msgs[i]->dn) == 0) {
+			return msgs[i];
+		}
+	}
+	return NULL;
+}
+
+/*
+  merge the changes in msgs2 into the messages from msgs1
+*/
+static int merge_edits(struct ldb_context *ldb,
+		       struct ldb_message **msgs1, int count1,
+		       struct ldb_message **msgs2, int count2)
+{
+	int i;
+	struct ldb_message *msg;
+	int ret = 0;
+	int adds=0, modifies=0, deletes=0;
+
+	/* do the adds and modifies */
+	for (i=0;i<count2;i++) {
+		msg = msg_find(ldb, msgs1, count1, msgs2[i]->dn);
+		if (!msg) {
+			if (options->verbose > 0) {
+				ldif_write_msg(ldb, stdout, LDB_CHANGETYPE_ADD, msgs2[i]);
+			}
+			if (ldb_add(ldb, msgs2[i]) != 0) {
+				fprintf(stderr, "failed to add %s - %s\n",
+					ldb_dn_linearize(ldb, msgs2[i]->dn),
+					ldb_errstring(ldb));
+				return -1;
+			}
+			adds++;
+		} else {
+			if (modify_record(ldb, msg, msgs2[i]) > 0) {
+				modifies++;
+			}
+		}
+	}
+
+	/* do the deletes */
+	for (i=0;i<count1;i++) {
+		msg = msg_find(ldb, msgs2, count2, msgs1[i]->dn);
+		if (!msg) {
+			if (options->verbose > 0) {
+				ldif_write_msg(ldb, stdout, LDB_CHANGETYPE_DELETE, msgs1[i]);
+			}
+			if (ldb_delete(ldb, msgs1[i]->dn) != 0) {
+				fprintf(stderr, "failed to delete %s - %s\n",
+					ldb_dn_linearize(ldb, msgs1[i]->dn),
+					ldb_errstring(ldb));
+				return -1;
+			}
+			deletes++;
+		}
+	}
+
+	printf("# %d adds  %d modifies  %d deletes\n", adds, modifies, deletes);
+
+	return ret;
+}
+
+/*
+  save a set of messages as ldif to a file
+*/
+static int save_ldif(struct ldb_context *ldb, 
+		     FILE *f, struct ldb_message **msgs, int count)
+{
+	int i;
+
+	fprintf(f, "# editing %d records\n", count);
+
+	for (i=0;i<count;i++) {
+		struct ldb_ldif ldif;
+		fprintf(f, "# record %d\n", i+1);
+
+		ldif.changetype = LDB_CHANGETYPE_NONE;
+		ldif.msg = msgs[i];
+
+		ldb_ldif_write_file(ldb, f, &ldif);
+	}
+
+	return 0;
+}
+
+
+/*
+  edit the ldb search results in msgs using the user selected editor
+*/
+static int do_edit(struct ldb_context *ldb, struct ldb_message **msgs1, int count1,
+		   const char *editor)
+{
+	int fd, ret;
+	FILE *f;
+	char file_template[] = "/tmp/ldbedit.XXXXXX";
+	char *cmd;
+	struct ldb_ldif *ldif;
+	struct ldb_message **msgs2 = NULL;
+	int count2 = 0;
+
+	/* write out the original set of messages to a temporary
+	   file */
+	fd = mkstemp(file_template);
+
+	if (fd == -1) {
+		perror(file_template);
+		return -1;
+	}
+
+	f = fdopen(fd, "r+");
+
+	if (!f) {
+		perror("fopen");
+		close(fd);
+		unlink(file_template);
+		return -1;
+	}
+
+	if (save_ldif(ldb, f, msgs1, count1) != 0) {
+		return -1;
+	}
+
+	fclose(f);
+
+	cmd = talloc_asprintf(ldb, "%s %s", editor, file_template);
+
+	if (!cmd) {
+		unlink(file_template);
+		fprintf(stderr, "out of memory\n");
+		return -1;
+	}
+
+	/* run the editor */
+	ret = system(cmd);
+	talloc_free(cmd);
+
+	if (ret != 0) {
+		unlink(file_template);
+		fprintf(stderr, "edit with %s failed\n", editor);
+		return -1;
+	}
+
+	/* read the resulting ldif into msgs2 */
+	f = fopen(file_template, "r");
+	if (!f) {
+		perror(file_template);
+		return -1;
+	}
+
+	while ((ldif = ldb_ldif_read_file(ldb, f))) {
+		msgs2 = talloc_realloc(ldb, msgs2, struct ldb_message *, count2+1);
+		if (!msgs2) {
+			fprintf(stderr, "out of memory");
+			return -1;
+		}
+		msgs2[count2++] = ldif->msg;
+	}
+
+	fclose(f);
+	unlink(file_template);
+
+	return merge_edits(ldb, msgs1, count1, msgs2, count2);
+}
+
+static void usage(void)
+{
+	printf("Usage: ldbedit <options> <expression> <attributes ...>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -s base|sub|one  choose search scope\n");
+	printf("  -b basedn        choose baseDN\n");
+	printf("  -a               edit all records (expression 'objectclass=*')\n");
+	printf("  -e editor        choose editor (or $VISUAL or $EDITOR)\n");
+	printf("  -v               verbose mode\n");
+	exit(1);
+}
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	struct ldb_result *result = NULL;
+	struct ldb_dn *basedn = NULL;
+	int ret;
+	const char *expression = "(|(objectClass=*)(distinguishedName=*))";
+	const char * const * attrs = NULL;
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	/* the check for '=' is for compatibility with ldapsearch */
+	if (options->argc > 0 && 
+	    strchr(options->argv[0], '=')) {
+		expression = options->argv[0];
+		options->argv++;
+		options->argc--;
+	}
+
+	if (options->argc > 0) {
+		attrs = (const char * const *)(options->argv);
+	}
+
+	if (options->basedn != NULL) {
+		basedn = ldb_dn_explode(ldb, options->basedn);
+		if (basedn == NULL) {
+			printf("Invalid Base DN format\n");
+			exit(1);
+		}
+	}
+
+	ret = ldb_search(ldb, basedn, options->scope, expression, attrs, &result);
+	if (ret != LDB_SUCCESS) {
+		printf("search failed - %s\n", ldb_errstring(ldb));
+		exit(1);
+	}
+
+	if (result->count == 0) {
+		printf("no matching records - cannot edit\n");
+		return 0;
+	}
+
+	do_edit(ldb, result->msgs, result->count, options->editor);
+
+	ret = talloc_free(result);
+	if (ret == -1) {
+		fprintf(stderr, "talloc_free failed\n");
+		exit(1);
+	}
+
+	talloc_free(ldb);
+	return 0;
+}
diff --git a/source3/lib/ldb/tools/ldbmodify.c b/source3/lib/ldb/tools/ldbmodify.c
new file mode 100644
index 0000000000..368b4cf996
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbmodify.c
@@ -0,0 +1,119 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbmodify
+ *
+ *  Description: utility to modify records - modelled on ldapmodify
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static int failures;
+
+static void usage(void)
+{
+	printf("Usage: ldbmodify <options> <ldif...>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Modifies a ldb based upon ldif change records\n\n");
+	exit(1);
+}
+
+/*
+  process modifies for one file
+*/
+static int process_file(struct ldb_context *ldb, FILE *f, int *count)
+{
+	struct ldb_ldif *ldif;
+	int ret = LDB_SUCCESS;
+	
+	while ((ldif = ldb_ldif_read_file(ldb, f))) {
+		switch (ldif->changetype) {
+		case LDB_CHANGETYPE_NONE:
+		case LDB_CHANGETYPE_ADD:
+			ret = ldb_add(ldb, ldif->msg);
+			break;
+		case LDB_CHANGETYPE_DELETE:
+			ret = ldb_delete(ldb, ldif->msg->dn);
+			break;
+		case LDB_CHANGETYPE_MODIFY:
+			ret = ldb_modify(ldb, ldif->msg);
+			break;
+		}
+		if (ret != LDB_SUCCESS) {
+			fprintf(stderr, "ERR: \"%s\" on DN %s\n", 
+				ldb_errstring(ldb), ldb_dn_linearize(ldb, ldif->msg->dn));
+			failures++;
+		} else {
+			(*count)++;
+		}
+		ldb_ldif_read_free(ldb, ldif);
+	}
+
+	return ret;
+}
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	int count=0;
+	int i, ret=LDB_SUCCESS;
+	struct ldb_cmdline *options;
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	if (options->argc == 0) {
+		ret = process_file(ldb, stdin, &count);
+	} else {
+		for (i=0;i<options->argc;i++) {
+			const char *fname = options->argv[i];
+			FILE *f;
+			f = fopen(fname, "r");
+			if (!f) {
+				perror(fname);
+				exit(1);
+			}
+			ret = process_file(ldb, f, &count);
+		}
+	}
+
+	talloc_free(ldb);
+
+	printf("Modified %d records with %d failures\n", count, failures);
+
+	return ret;
+}
diff --git a/source3/lib/ldb/tools/ldbrename.c b/source3/lib/ldb/tools/ldbrename.c
new file mode 100644
index 0000000000..d6c3a4ab62
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbrename.c
@@ -0,0 +1,84 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+   Copyright (C) Stefan Metzmacher  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbrename
+ *
+ *  Description: utility to rename records - modelled on ldapmodrdn
+ *
+ *  Author: Andrew Tridgell
+ *  Author: Stefan Metzmacher
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static void usage(void)
+{
+	printf("Usage: ldbrename [<options>] <olddn> <newdn>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Renames records in a ldb\n\n");
+	exit(1);
+}
+
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	int ret;
+	struct ldb_cmdline *options;
+	const struct ldb_dn *dn1, *dn2;
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	if (options->argc < 2) {
+		usage();
+	}
+
+	dn1 = ldb_dn_explode(ldb, options->argv[0]);
+	dn2 = ldb_dn_explode(ldb, options->argv[1]);
+
+	ret = ldb_rename(ldb, dn1, dn2);
+	if (ret == 0) {
+		printf("Renamed 1 record\n");
+	} else  {
+		printf("rename of '%s' to '%s' failed - %s\n", 
+			options->argv[0], options->argv[1], ldb_errstring(ldb));
+	}
+
+	talloc_free(ldb);
+	
+	return ret;
+}
diff --git a/source3/lib/ldb/tools/ldbsearch.c b/source3/lib/ldb/tools/ldbsearch.c
new file mode 100644
index 0000000000..e5cec0fa66
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbsearch.c
@@ -0,0 +1,320 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbsearch
+ *
+ *  Description: utility for ldb search - modelled on ldapsearch
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static void usage(void)
+{
+	printf("Usage: ldbsearch <options> <expression> <attrs...>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  -s base|sub|one  choose search scope\n");
+	printf("  -b basedn        choose baseDN\n");
+	printf("  -i               read search expressions from stdin\n");
+        printf("  -S               sort returned attributes\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	exit(1);
+}
+
+static int do_compare_msg(struct ldb_message **el1,
+			  struct ldb_message **el2,
+			  void *opaque)
+{
+	struct ldb_context *ldb = talloc_get_type(opaque, struct ldb_context);
+	return ldb_dn_compare(ldb, (*el1)->dn, (*el2)->dn);
+}
+
+struct search_context {
+	struct ldb_control **req_ctrls;
+
+	int sort;
+	int num_stored;
+	struct ldb_message **store;
+	char **refs_store;
+
+	int entries;
+	int refs;
+
+	int pending;
+	int status;
+};
+
+static int store_message(struct ldb_message *msg, struct search_context *sctx) {
+
+	sctx->store = talloc_realloc(sctx, sctx->store, struct ldb_message *, sctx->num_stored + 2);
+	if (!sctx->store) {
+		fprintf(stderr, "talloc_realloc failed while storing messages\n");
+		return -1;
+	}
+
+	sctx->store[sctx->num_stored] = talloc_move(sctx->store, &msg);
+	sctx->num_stored++;
+	sctx->store[sctx->num_stored] = NULL;
+
+	return 0;
+}
+
+static int store_referral(char *referral, struct search_context *sctx) {
+
+	sctx->refs_store = talloc_realloc(sctx, sctx->refs_store, char *, sctx->refs + 2);
+	if (!sctx->refs_store) {
+		fprintf(stderr, "talloc_realloc failed while storing referrals\n");
+		return -1;
+	}
+
+	sctx->refs_store[sctx->refs] = talloc_move(sctx->refs_store, &referral);
+	sctx->refs++;
+	sctx->refs_store[sctx->refs] = NULL;
+
+	return 0;
+}
+
+static int display_message(struct ldb_context *ldb, struct ldb_message *msg, struct search_context *sctx) {
+	struct ldb_ldif ldif;
+
+	sctx->entries++;
+	printf("# record %d\n", sctx->entries);
+
+	ldif.changetype = LDB_CHANGETYPE_NONE;
+	ldif.msg = msg;
+
+       	if (sctx->sort) {
+	/*
+	 * Ensure attributes are always returned in the same
+	 * order.  For testing, this makes comparison of old
+	 * vs. new much easier.
+	 */
+        	ldb_msg_sort_elements(ldif.msg);
+       	}
+
+	ldb_ldif_write_file(ldb, stdout, &ldif);
+
+	return 0;
+}
+
+static int display_referral(char *referral, struct search_context *sctx)
+{
+
+	sctx->refs++;
+	printf("# Referral\nref: %s\n\n", referral);
+
+	return 0;
+}
+
+static int search_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
+{
+	struct search_context *sctx = talloc_get_type(context, struct search_context);
+	int ret;
+	
+	switch (ares->type) {
+
+	case LDB_REPLY_ENTRY:
+		if (sctx->sort) {
+			ret = store_message(ares->message, sctx);
+		} else {
+			ret = display_message(ldb, ares->message, sctx);
+		}
+		break;
+
+	case LDB_REPLY_REFERRAL:
+		if (sctx->sort) {
+			ret = store_referral(ares->referral, sctx);
+		} else {
+			ret = display_referral(ares->referral, sctx);
+		}
+		break;
+
+	case LDB_REPLY_DONE:
+		if (ares->controls) {
+			if (handle_controls_reply(ares->controls, sctx->req_ctrls) == 1)
+				sctx->pending = 1;
+		}
+		ret = 0;
+		break;
+		
+	default:
+		fprintf(stderr, "unknown Reply Type\n");
+		return LDB_ERR_OTHER;
+	}
+
+	if (talloc_free(ares) == -1) {
+		fprintf(stderr, "talloc_free failed\n");
+		sctx->pending = 0;
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	if (ret) {
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	return LDB_SUCCESS;
+}
+
+static int do_search(struct ldb_context *ldb,
+		     const struct ldb_dn *basedn,
+		     struct ldb_cmdline *options,
+		     const char *expression,
+		     const char * const *attrs)
+{
+	struct ldb_request *req;
+	struct search_context *sctx;
+	int ret;
+
+	req = talloc(ldb, struct ldb_request);
+	if (!req) return -1;
+	
+	sctx = talloc(req, struct search_context);
+	if (!sctx) return -1;
+
+	sctx->sort = options->sorted;
+	sctx->num_stored = 0;
+	sctx->store = NULL;
+	sctx->req_ctrls = parse_controls(ldb, options->controls);
+	if (options->controls != NULL &&  sctx->req_ctrls== NULL) return -1;
+	sctx->entries = 0;
+	sctx->refs = 0;
+
+	if (basedn == NULL) {
+		basedn = ldb_get_default_basedn(ldb);
+	}
+
+	req->operation = LDB_SEARCH;
+	req->op.search.base = basedn;
+	req->op.search.scope = options->scope;
+	req->op.search.tree = ldb_parse_tree(req, expression);
+	if (req->op.search.tree == NULL) return -1;
+	req->op.search.attrs = attrs;
+	req->controls = sctx->req_ctrls;
+	req->context = sctx;
+	req->callback = &search_callback;
+	ldb_set_timeout(ldb, req, 0); /* TODO: make this settable by command line */
+
+again:
+	sctx->pending = 0;
+
+	ret = ldb_request(ldb, req);
+	if (ret != LDB_SUCCESS) {
+		printf("search failed - %s\n", ldb_errstring(ldb));
+		return -1;
+	}
+
+	ret = ldb_wait(req->handle, LDB_WAIT_ALL);
+       	if (ret != LDB_SUCCESS) {
+		printf("search error - %s\n", ldb_errstring(ldb));
+		return -1;
+	}
+
+	if (sctx->pending)
+		goto again;
+
+	if (sctx->sort && sctx->num_stored != 0) {
+		int i;
+
+		ldb_qsort(sctx->store, ret, sizeof(struct ldb_message *),
+			  ldb, (ldb_qsort_cmp_fn_t)do_compare_msg);
+
+		if (ret != 0) {
+			fprintf(stderr, "An error occurred while sorting messages\n");
+			exit(1);
+		}
+
+		for (i = 0; i < sctx->num_stored; i++) {
+			display_message(ldb, sctx->store[i], sctx);
+		}
+
+		for (i = 0; i < sctx->refs; i++) {
+			display_referral(sctx->refs_store[i], sctx);
+		}
+	}
+
+	printf("# returned %d records\n# %d entries\n# %d referrals\n",
+		sctx->entries + sctx->refs, sctx->entries, sctx->refs);
+
+	talloc_free(req);
+
+	return 0;
+}
+
+int main(int argc, const char **argv)
+{
+	struct ldb_context *ldb;
+	struct ldb_dn *basedn = NULL;
+	const char * const * attrs = NULL;
+	struct ldb_cmdline *options;
+	int ret = -1;
+	const char *expression = "(|(objectClass=*)(distinguishedName=*))";
+
+	ldb_global_init();
+
+	ldb = ldb_init(NULL);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	/* the check for '=' is for compatibility with ldapsearch */
+	if (!options->interactive &&
+	    options->argc > 0 && 
+	    strchr(options->argv[0], '=')) {
+		expression = options->argv[0];
+		options->argv++;
+		options->argc--;
+	}
+
+	if (options->argc > 0) {
+		attrs = (const char * const *)(options->argv);
+	}
+
+	if (options->basedn != NULL) {
+		basedn = ldb_dn_explode(ldb, options->basedn);
+		if (basedn == NULL) {
+			fprintf(stderr, "Invalid Base DN format\n");
+			exit(1);
+		}
+	}
+
+	if (options->interactive) {
+		char line[1024];
+		while (fgets(line, sizeof(line), stdin)) {
+			if (do_search(ldb, basedn, options, line, attrs) == -1) {
+				ret = -1;
+			}
+		}
+	} else {
+		ret = do_search(ldb, basedn, options, expression, attrs);
+	}
+
+	talloc_free(ldb);
+	return ret;
+}
diff --git a/source3/lib/ldb/tools/ldbtest.c b/source3/lib/ldb/tools/ldbtest.c
new file mode 100644
index 0000000000..b7fa874ad3
--- /dev/null
+++ b/source3/lib/ldb/tools/ldbtest.c
@@ -0,0 +1,409 @@
+/* 
+   ldb database library
+
+   Copyright (C) Andrew Tridgell  2004
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: ldbtest
+ *
+ *  Description: utility to test ldb
+ *
+ *  Author: Andrew Tridgell
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+
+static struct timeval tp1,tp2;
+static struct ldb_cmdline *options;
+
+static void _start_timer(void)
+{
+	gettimeofday(&tp1,NULL);
+}
+
+static double _end_timer(void)
+{
+	gettimeofday(&tp2,NULL);
+	return((tp2.tv_sec - tp1.tv_sec) + 
+	       (tp2.tv_usec - tp1.tv_usec)*1.0e-6);
+}
+
+static void add_records(struct ldb_context *ldb,
+			const struct ldb_dn *basedn,
+			int count)
+{
+	struct ldb_message msg;
+	int i;
+
+#if 0
+        if (ldb_lock(ldb, "transaction") != 0) {
+                printf("transaction lock failed\n");
+                exit(1);
+        }
+#endif
+	for (i=0;i<count;i++) {
+		struct ldb_message_element el[6];
+		struct ldb_val vals[6][1];
+		char *name;
+		TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+
+		name = talloc_asprintf(tmp_ctx, "Test%d", i);
+
+		msg.dn = ldb_dn_build_child(tmp_ctx, "cn", name, basedn);
+		msg.num_elements = 6;
+		msg.elements = el;
+
+		el[0].flags = 0;
+		el[0].name = talloc_strdup(tmp_ctx, "cn");
+		el[0].num_values = 1;
+		el[0].values = vals[0];
+		vals[0][0].data = (uint8_t *)name;
+		vals[0][0].length = strlen(name);
+
+		el[1].flags = 0;
+		el[1].name = "title";
+		el[1].num_values = 1;
+		el[1].values = vals[1];
+		vals[1][0].data = (uint8_t *)talloc_asprintf(tmp_ctx, "The title of %s", name);
+		vals[1][0].length = strlen((char *)vals[1][0].data);
+
+		el[2].flags = 0;
+		el[2].name = talloc_strdup(tmp_ctx, "uid");
+		el[2].num_values = 1;
+		el[2].values = vals[2];
+		vals[2][0].data = (uint8_t *)ldb_casefold(ldb, tmp_ctx, name);
+		vals[2][0].length = strlen((char *)vals[2][0].data);
+
+		el[3].flags = 0;
+		el[3].name = talloc_strdup(tmp_ctx, "mail");
+		el[3].num_values = 1;
+		el[3].values = vals[3];
+		vals[3][0].data = (uint8_t *)talloc_asprintf(tmp_ctx, "%s@example.com", name);
+		vals[3][0].length = strlen((char *)vals[3][0].data);
+
+		el[4].flags = 0;
+		el[4].name = talloc_strdup(tmp_ctx, "objectClass");
+		el[4].num_values = 1;
+		el[4].values = vals[4];
+		vals[4][0].data = (uint8_t *)talloc_strdup(tmp_ctx, "OpenLDAPperson");
+		vals[4][0].length = strlen((char *)vals[4][0].data);
+
+		el[5].flags = 0;
+		el[5].name = talloc_strdup(tmp_ctx, "sn");
+		el[5].num_values = 1;
+		el[5].values = vals[5];
+		vals[5][0].data = (uint8_t *)name;
+		vals[5][0].length = strlen((char *)vals[5][0].data);
+
+		ldb_delete(ldb, msg.dn);
+
+		if (ldb_add(ldb, &msg) != 0) {
+			printf("Add of %s failed - %s\n", name, ldb_errstring(ldb));
+			exit(1);
+		}
+
+		printf("adding uid %s\r", name);
+		fflush(stdout);
+
+		talloc_free(tmp_ctx);
+	}
+#if 0
+        if (ldb_unlock(ldb, "transaction") != 0) {
+                printf("transaction unlock failed\n");
+                exit(1);
+        }
+#endif
+	printf("\n");
+}
+
+static void modify_records(struct ldb_context *ldb,
+			   const struct ldb_dn *basedn,
+			   int count)
+{
+	struct ldb_message msg;
+	int i;
+
+	for (i=0;i<count;i++) {
+		struct ldb_message_element el[3];
+		struct ldb_val vals[3];
+		char *name;
+		TALLOC_CTX *tmp_ctx = talloc_new(ldb);
+		
+		name = talloc_asprintf(tmp_ctx, "Test%d", i);
+		msg.dn = ldb_dn_build_child(tmp_ctx, "cn", name, basedn);
+
+		msg.num_elements = 3;
+		msg.elements = el;
+
+		el[0].flags = LDB_FLAG_MOD_DELETE;
+		el[0].name = talloc_strdup(tmp_ctx, "mail");
+		el[0].num_values = 0;
+
+		el[1].flags = LDB_FLAG_MOD_ADD;
+		el[1].name = talloc_strdup(tmp_ctx, "mail");
+		el[1].num_values = 1;
+		el[1].values = &vals[1];
+		vals[1].data = (uint8_t *)talloc_asprintf(tmp_ctx, "%s@other.example.com", name);
+		vals[1].length = strlen((char *)vals[1].data);
+
+		el[2].flags = LDB_FLAG_MOD_REPLACE;
+		el[2].name = talloc_strdup(tmp_ctx, "mail");
+		el[2].num_values = 1;
+		el[2].values = &vals[2];
+		vals[2].data = (uint8_t *)talloc_asprintf(tmp_ctx, "%s@other2.example.com", name);
+		vals[2].length = strlen((char *)vals[2].data);
+
+		if (ldb_modify(ldb, &msg) != 0) {
+			printf("Modify of %s failed - %s\n", name, ldb_errstring(ldb));
+			exit(1);
+		}
+
+		printf("Modifying uid %s\r", name);
+		fflush(stdout);
+
+		talloc_free(tmp_ctx);
+	}
+
+	printf("\n");
+}
+
+
+static void delete_records(struct ldb_context *ldb,
+			   const struct ldb_dn *basedn,
+			   int count)
+{
+	int i;
+
+	for (i=0;i<count;i++) {
+		struct ldb_dn *dn;
+		char *name = talloc_asprintf(ldb, "Test%d", i);
+		dn = ldb_dn_build_child(name, "cn", name, basedn);
+
+		printf("Deleting uid Test%d\r", i);
+		fflush(stdout);
+
+		if (ldb_delete(ldb, dn) != 0) {
+			printf("Delete of %s failed - %s\n", ldb_dn_linearize(ldb, dn), ldb_errstring(ldb));
+			exit(1);
+		}
+		talloc_free(name);
+	}
+
+	printf("\n");
+}
+
+static void search_uid(struct ldb_context *ldb, struct ldb_dn *basedn, int nrecords, int nsearches)
+{
+	int i;
+
+	for (i=0;i<nsearches;i++) {
+		int uid = (i * 700 + 17) % (nrecords * 2);
+		char *expr;
+		struct ldb_result *res = NULL;
+		int ret;
+
+		expr = talloc_asprintf(ldb, "(uid=TEST%d)", uid);
+		ret = ldb_search(ldb, basedn, LDB_SCOPE_SUBTREE, expr, NULL, &res);
+
+		if (ret != LDB_SUCCESS || (uid < nrecords && res->count != 1)) {
+			printf("Failed to find %s - %s\n", expr, ldb_errstring(ldb));
+			exit(1);
+		}
+
+		if (uid >= nrecords && res->count > 0) {
+			printf("Found %s !? - %d\n", expr, ret);
+			exit(1);
+		}
+
+		printf("testing uid %d/%d - %d  \r", i, uid, res->count);
+		fflush(stdout);
+
+		talloc_free(res);
+		talloc_free(expr);
+	}
+
+	printf("\n");
+}
+
+static void start_test(struct ldb_context *ldb, int nrecords, int nsearches)
+{
+	struct ldb_dn *basedn;
+
+	basedn = ldb_dn_explode(ldb, options->basedn);
+
+	printf("Adding %d records\n", nrecords);
+	add_records(ldb, basedn, nrecords);
+
+	printf("Starting search on uid\n");
+	_start_timer();
+	search_uid(ldb, basedn, nrecords, nsearches);
+	printf("uid search took %.2f seconds\n", _end_timer());
+
+	printf("Modifying records\n");
+	modify_records(ldb, basedn, nrecords);
+
+	printf("Deleting records\n");
+	delete_records(ldb, basedn, nrecords);
+}
+
+
+/*
+      2) Store an @indexlist record
+
+      3) Store a record that contains fields that should be index according
+to @index
+
+      4) disconnection from database
+
+      5) connect to same database
+
+      6) search for record added in step 3 using a search key that should
+be indexed
+*/
+static void start_test_index(struct ldb_context **ldb)
+{
+	struct ldb_message *msg;
+	struct ldb_result *res = NULL;
+	struct ldb_dn *indexlist;
+	struct ldb_dn *basedn;
+	int ret;
+	int flags = 0;
+	const char *specials;
+
+	specials = getenv("LDB_SPECIALS");
+	if (specials && atoi(specials) == 0) {
+		printf("LDB_SPECIALS disabled - skipping index test\n");
+		return;
+	}
+
+	if (options->nosync) {
+		flags |= LDB_FLG_NOSYNC;
+	}
+
+	printf("Starting index test\n");
+
+	indexlist = ldb_dn_explode(NULL, "@INDEXLIST");
+
+	ldb_delete(*ldb, indexlist);
+
+	msg = ldb_msg_new(NULL);
+
+	msg->dn = indexlist;
+	ldb_msg_add_string(msg, "@IDXATTR", strdup("uid"));
+
+	if (ldb_add(*ldb, msg) != 0) {
+		printf("Add of %s failed - %s\n", ldb_dn_linearize(*ldb, msg->dn), ldb_errstring(*ldb));
+		exit(1);
+	}
+
+	basedn = ldb_dn_explode(NULL, options->basedn);
+
+	memset(msg, 0, sizeof(*msg));
+	msg->dn = ldb_dn_build_child(msg, "cn", "test", basedn);
+	ldb_msg_add_string(msg, "cn", strdup("test"));
+	ldb_msg_add_string(msg, "sn", strdup("test"));
+	ldb_msg_add_string(msg, "uid", strdup("test"));
+	ldb_msg_add_string(msg, "objectClass", strdup("OpenLDAPperson"));
+
+	if (ldb_add(*ldb, msg) != 0) {
+		printf("Add of %s failed - %s\n", ldb_dn_linearize(*ldb, msg->dn), ldb_errstring(*ldb));
+		exit(1);
+	}
+
+	if (talloc_free(*ldb) != 0) {
+		printf("failed to free/close ldb database");
+		exit(1);
+	}
+
+	(*ldb) = ldb_init(options);
+	
+	ret = ldb_connect(*ldb, options->url, flags, NULL);
+	if (ret != 0) {
+		printf("failed to connect to %s\n", options->url);
+		exit(1);
+	}
+
+	ret = ldb_search(*ldb, basedn, LDB_SCOPE_SUBTREE, "uid=test", NULL, &res);
+	if (ret != LDB_SUCCESS) { 
+		printf("Search with (uid=test) filter failed!\n");
+		exit(1);
+	}
+	if(res->count != 1) {
+		printf("Should have found 1 record - found %d\n", res->count);
+		exit(1);
+	}
+
+	if (ldb_delete(*ldb, msg->dn) != 0 ||
+	    ldb_delete(*ldb, indexlist) != 0) {
+		printf("cleanup failed - %s\n", ldb_errstring(*ldb));
+		exit(1);
+	}
+
+	printf("Finished index test\n");
+}
+
+
+static void usage(void)
+{
+	printf("Usage: ldbtest <options>\n");
+	printf("Options:\n");
+	printf("  -H ldb_url       choose the database (or $LDB_URL)\n");
+	printf("  --num-records  nrecords      database size to use\n");
+	printf("  --num-searches nsearches     number of searches to do\n");
+	printf("\n");
+	printf("tests ldb API\n\n");
+	exit(1);
+}
+
+int main(int argc, const char **argv)
+{
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	struct ldb_context *ldb;
+
+	ldb_global_init();
+
+	ldb = ldb_init(mem_ctx);
+
+	options = ldb_cmdline_process(ldb, argc, argv, usage);
+
+	talloc_steal(mem_ctx, options);
+
+	if (options->basedn == NULL) {
+		options->basedn = "ou=Ldb Test,ou=People,o=University of Michigan,c=TEST";
+	}
+
+	srandom(1);
+
+	printf("Testing with num-records=%d and num-searches=%d\n", 
+	       options->num_records, options->num_searches);
+
+	start_test(ldb, options->num_records, options->num_searches);
+
+	start_test_index(&ldb);
+
+	talloc_free(mem_ctx);
+
+	return 0;
+}
diff --git a/source3/lib/ldb/tools/oLschema2ldif.c b/source3/lib/ldb/tools/oLschema2ldif.c
new file mode 100644
index 0000000000..c31c258759
--- /dev/null
+++ b/source3/lib/ldb/tools/oLschema2ldif.c
@@ -0,0 +1,607 @@
+/* 
+   ldb database library
+
+   Copyright (C) Simo Sorce 2005
+
+     ** NOTE! The following LGPL license applies to the ldb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ *  Name: ldb
+ *
+ *  Component: oLschema2ldif
+ *
+ *  Description: utility to convert an OpenLDAP schema into AD LDIF
+ *
+ *  Author: Simo Sorce
+ */
+
+#include "includes.h"
+#include "ldb/include/includes.h"
+#include "ldb/tools/cmdline.h"
+#include "ldb/tools/convert.h"
+
+#define SCHEMA_UNKNOWN 0
+#define SCHEMA_NAME 1
+#define SCHEMA_SUP 2
+#define SCHEMA_STRUCTURAL 3
+#define SCHEMA_ABSTRACT 4
+#define SCHEMA_AUXILIARY 5
+#define SCHEMA_MUST 6
+#define SCHEMA_MAY 7
+#define SCHEMA_SINGLE_VALUE 8
+#define SCHEMA_EQUALITY 9
+#define SCHEMA_ORDERING 10
+#define SCHEMA_SUBSTR 11
+#define SCHEMA_SYNTAX 12
+#define SCHEMA_DESC 13
+
+struct schema_conv {
+	int count;
+	int failures;
+};
+
+struct schema_token {
+	int type;
+	char *value;
+};
+
+struct ldb_context *ldb_ctx;
+struct ldb_dn *basedn;
+
+static int check_braces(const char *string)
+{
+	int b;
+	char *c;
+
+	b = 0;
+	if ((c = strchr(string, '(')) == NULL) {
+		return -1;
+	}
+	b++;
+	c++;
+	while (b) {
+		c = strpbrk(c, "()");
+		if (c == NULL) return 1;
+		if (*c == '(') b++;
+		if (*c == ')') b--;
+		c++;
+	}
+	return 0;
+}
+
+static char *skip_spaces(char *string) {
+	return (string + strspn(string, " \t\n"));
+}
+
+static int add_multi_string(struct ldb_message *msg, const char *attr, char *values)
+{
+	char *c;
+	char *s;
+	int n;
+
+	c = skip_spaces(values);
+	while (*c) {
+		n = strcspn(c, " \t$");
+		s = talloc_strndup(msg, c, n);
+		if (ldb_msg_add_string(msg, attr, s) != 0) {
+			return -1;
+		}
+		c += n;
+		c += strspn(c, " \t$");
+	}
+
+	return 0;
+}
+
+#define MSG_ADD_STRING(a, v) do { if (ldb_msg_add_string(msg, a, v) != 0) goto failed; } while(0)
+#define MSG_ADD_M_STRING(a, v) do { if (add_multi_string(msg, a, v) != 0) goto failed; } while(0)
+
+static char *get_def_value(TALLOC_CTX *ctx, char **string)
+{
+	char *c = *string;
+	char *value;
+	int n;
+
+	if (*c == '\'') {
+		c++;
+		n = strcspn(c, "\'");
+		value = talloc_strndup(ctx, c, n);
+		c += n;
+		c++; /* skip closing \' */
+	} else {
+		n = strcspn(c, " \t\n");
+		value = talloc_strndup(ctx, c, n);
+		c += n;
+	}
+	*string = c;
+
+	return value;
+}
+
+static struct schema_token *get_next_schema_token(TALLOC_CTX *ctx, char **string)
+{
+	char *c = skip_spaces(*string);
+	char *type;
+	struct schema_token *token;
+	int n;
+
+	token = talloc(ctx, struct schema_token);
+
+	n = strcspn(c, " \t\n");
+	type = talloc_strndup(token, c, n);
+	c += n;
+	c = skip_spaces(c);
+
+	if (strcasecmp("NAME", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_NAME;
+		/* we do not support aliases so we get only the first name given and skip others */
+		if (*c == '(') {
+			char *s = strchr(c, ')');
+			if (s == NULL) return NULL;
+			s = skip_spaces(s);
+			*string = s;
+
+			c++;
+			c = skip_spaces(c);
+		}
+
+		token->value = get_def_value(ctx, &c);
+
+		if (*string < c) { /* single name */
+			c = skip_spaces(c);
+			*string = c;
+		}
+		return token;
+	}
+	if (strcasecmp("SUP", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_SUP;
+
+		if (*c == '(') {
+			c++;
+			n = strcspn(c, ")");
+			token->value = talloc_strndup(ctx, c, n);
+			c += n;
+			c++;
+		} else {
+			token->value = get_def_value(ctx, &c);
+		}
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("STRUCTURAL", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_STRUCTURAL;
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("ABSTRACT", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_ABSTRACT;
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("AUXILIARY", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_AUXILIARY;
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("MUST", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_MUST;
+
+		if (*c == '(') {
+			c++;
+			n = strcspn(c, ")");
+			token->value = talloc_strndup(ctx, c, n);
+			c += n;
+			c++;
+		} else {
+			token->value = get_def_value(ctx, &c);
+		}
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("MAY", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_MAY;
+
+		if (*c == '(') {
+			c++;
+			n = strcspn(c, ")");
+			token->value = talloc_strndup(ctx, c, n);
+			c += n;
+			c++;
+		} else {
+			token->value = get_def_value(ctx, &c);
+		}
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("SINGLE-VALUE", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_SINGLE_VALUE;
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("EQUALITY", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_EQUALITY;
+
+		token->value = get_def_value(ctx, &c);
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("ORDERING", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_ORDERING;
+
+		token->value = get_def_value(ctx, &c);
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("SUBSTR", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_SUBSTR;
+
+		token->value = get_def_value(ctx, &c);
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("SYNTAX", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_SYNTAX;
+
+		token->value = get_def_value(ctx, &c);
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	if (strcasecmp("DESC", type) == 0) {
+		talloc_free(type);
+		token->type = SCHEMA_DESC;
+
+		token->value = get_def_value(ctx, &c);
+
+		c = skip_spaces(c);
+		*string = c;
+		return token;
+	}
+
+	token->type = SCHEMA_UNKNOWN;
+	token->value = type;
+	if (*c == ')') {
+		*string = c;
+		return token;
+	}
+	if (*c == '\'') {
+		c = strchr(++c, '\'');
+		c++;
+	} else {
+		c += strcspn(c, " \t\n");
+	}
+	c = skip_spaces(c);
+	*string = c;
+
+	return token;
+}
+
+static struct ldb_message *process_entry(TALLOC_CTX *mem_ctx, const char *entry)
+{
+	TALLOC_CTX *ctx;
+	struct ldb_message *msg;
+	struct schema_token *token;
+        char *c, *s;
+        int n;
+
+	ctx = talloc_new(mem_ctx);
+	msg = ldb_msg_new(ctx);
+
+	ldb_msg_add_string(msg, "objectClass", "top");
+
+	c = talloc_strdup(ctx, entry);
+	if (!c) return NULL;
+
+	c = skip_spaces(c);
+
+	switch (*c) {
+	case 'a':
+		if (strncmp(c, "attributetype", 13) == 0) {
+			c += 13;
+			MSG_ADD_STRING("objectClass", "attributeSchema");
+			break;
+		}
+		goto failed;
+	case 'o':
+		if (strncmp(c, "objectclass", 11) == 0) {
+			c += 11;
+			MSG_ADD_STRING("objectClass", "classSchema");
+			break;
+		}
+		goto failed;
+	default:
+		goto failed;
+	}
+
+	c = strchr(c, '(');
+	if (c == NULL) goto failed;
+	c++;
+
+	c = skip_spaces(c);
+
+	/* get attributeID */
+	n = strcspn(c, " \t");
+	s = talloc_strndup(msg, c, n);
+	MSG_ADD_STRING("attributeID", s);
+	c += n;
+	c = skip_spaces(c);	
+
+	while (*c != ')') {
+		token = get_next_schema_token(msg, &c);
+		if (!token) goto failed;
+
+		switch (token->type) {
+		case SCHEMA_NAME:
+			MSG_ADD_STRING("cn", token->value);
+			MSG_ADD_STRING("name", token->value);
+			MSG_ADD_STRING("lDAPDisplayName", token->value);
+			msg->dn = ldb_dn_string_compose(msg, basedn,
+							"CN=%s,CN=Schema,CN=Configuration",
+							token->value);
+			break;
+
+		case SCHEMA_SUP:
+			MSG_ADD_M_STRING("subClassOf", token->value);
+			break;
+
+		case SCHEMA_STRUCTURAL:
+			MSG_ADD_STRING("objectClassCategory", "1");
+			break;
+
+		case SCHEMA_ABSTRACT:
+			MSG_ADD_STRING("objectClassCategory", "2");
+			break;
+
+		case SCHEMA_AUXILIARY:
+			MSG_ADD_STRING("objectClassCategory", "3");
+			break;
+
+		case SCHEMA_MUST:
+			MSG_ADD_M_STRING("mustContain", token->value);
+			break;
+
+		case SCHEMA_MAY:
+			MSG_ADD_M_STRING("mayContain", token->value);
+			break;
+
+		case SCHEMA_SINGLE_VALUE:
+			MSG_ADD_STRING("isSingleValued", "TRUE");
+			break;
+
+		case SCHEMA_EQUALITY:
+			/* TODO */
+			break;
+
+		case SCHEMA_ORDERING:
+			/* TODO */
+			break;
+
+		case SCHEMA_SUBSTR:
+			/* TODO */
+			break;
+
+		case SCHEMA_SYNTAX:
+		{
+			const struct syntax_map *map = 
+				find_syntax_map_by_standard_oid(token->value);
+			if (!map) {
+				break;
+			}
+			MSG_ADD_STRING("attributeSyntax", map->AD_OID);
+			break;
+		}
+		case SCHEMA_DESC:
+			MSG_ADD_STRING("description", token->value);
+			break;
+
+		default:
+			fprintf(stderr, "Unknown Definition: %s\n", token->value);
+		}
+	}
+
+	talloc_steal(mem_ctx, msg);
+	talloc_free(ctx);
+	return msg;
+
+failed:
+	talloc_free(ctx);
+	return NULL;
+}
+
+static struct schema_conv process_file(FILE *in, FILE *out)
+{
+	TALLOC_CTX *ctx;
+	struct schema_conv ret;
+	char *entry;
+	int c, t, line;
+	struct ldb_ldif ldif;
+
+	ldif.changetype = LDB_CHANGETYPE_NONE;
+
+	ctx = talloc_new(NULL);
+
+	ret.count = 0;
+	ret.failures = 0;
+	line = 0;
+
+	while ((c = fgetc(in)) != EOF) {
+		line++;
+		/* fprintf(stderr, "Parsing line %d\n", line); */
+		if (c == '#') {
+			do {
+				c = fgetc(in);
+			} while (c != EOF && c != '\n');
+			continue;
+		}
+		if (c == '\n') {
+			continue;
+		}
+
+		t = 0;
+		entry = talloc_array(ctx, char, 1024);
+		if (entry == NULL) exit(-1);
+
+		do { 
+			if (c == '\n') {
+				entry[t] = '\0';	
+				if (check_braces(entry) == 0) {
+					ret.count++;
+					ldif.msg = process_entry(ctx, entry);
+					if (ldif.msg == NULL) {
+						ret.failures++;
+						fprintf(stderr, "No valid msg from entry \n[%s]\n at line %d\n", entry, line);
+						break;
+					}
+					ldb_ldif_write_file(ldb_ctx, out, &ldif);
+					break;
+				}
+				line++;
+			} else {
+				entry[t] = c;
+				t++;
+			}
+			if ((t % 1023) == 0) {
+				entry = talloc_realloc(ctx, entry, char, t + 1024);
+				if (entry == NULL) exit(-1);
+			}
+		} while ((c = fgetc(in)) != EOF); 
+
+		if (c != '\n') {
+			entry[t] = '\0';
+			if (check_braces(entry) == 0) {
+				ret.count++;
+				ldif.msg = process_entry(ctx, entry);
+				if (ldif.msg == NULL) {
+					ret.failures++;
+					fprintf(stderr, "No valid msg from entry \n[%s]\n at line %d\n", entry, line);
+					break;
+				}
+				ldb_ldif_write_file(ldb_ctx, out, &ldif);
+			} else {
+				fprintf(stderr, "malformed entry on line %d\n", line);
+				ret.failures++;
+			}
+		}
+	
+		if (c == EOF) break;
+	}
+
+	return ret;
+}
+
+static void usage(void)
+{
+	printf("Usage: oLschema2ldif -H NONE <options>\n");
+	printf("\nConvert OpenLDAP schema to AD-like LDIF format\n\n");
+	printf("Options:\n");
+	printf("  -I inputfile     inputfile of OpenLDAP style schema otherwise STDIN\n");
+	printf("  -O outputfile    outputfile otherwise STDOUT\n");
+	printf("  -o options       pass options like modules to activate\n");
+	printf("              e.g: -o modules:timestamps\n");
+	printf("\n");
+	printf("Converts records from an openLdap formatted schema to an ldif schema\n\n");
+	exit(1);
+}
+
+ int main(int argc, const char **argv)
+{
+	TALLOC_CTX *ctx;
+	struct schema_conv ret;
+	struct ldb_cmdline *options;
+	FILE *in = stdin;
+	FILE *out = stdout;
+	ldb_global_init();
+
+	ctx = talloc_new(NULL);
+	ldb_ctx = ldb_init(ctx);
+
+	setenv("LDB_URL", "NONE", 1);
+	options = ldb_cmdline_process(ldb_ctx, argc, argv, usage);
+
+	if (options->basedn == NULL) {
+		perror("Base DN not specified");
+		exit(1);
+	} else {
+		basedn = ldb_dn_explode(ctx, options->basedn);
+		if (basedn == NULL) {
+			perror("Malformed Base DN");
+			exit(1);
+		}
+	}
+
+	if (options->input) {
+		in = fopen(options->input, "r");
+		if (!in) {
+			perror(options->input);
+			exit(1);
+		}
+	}
+	if (options->output) {
+		out = fopen(options->output, "w");
+		if (!out) {
+			perror(options->output);
+			exit(1);
+		}
+	}
+
+	ret = process_file(in, out);
+
+	fclose(in);
+	fclose(out);
+
+	printf("Converted %d records with %d failures\n", ret.count, ret.failures);
+
+	return 0;
+}
diff --git a/source3/lib/ldb/web/index.html b/source3/lib/ldb/web/index.html
new file mode 100644
index 0000000000..4c569caa25
--- /dev/null
+++ b/source3/lib/ldb/web/index.html
@@ -0,0 +1,85 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>ldb</TITLE>
+</HEAD>
+<BODY BGCOLOR="#ffffff" TEXT="#000000" VLINK="#292555" LINK="#292555" ALINK="#cc0033">
+
+<h1>ldb</h1>
+
+ldb is a LDAP-like embedded database. It is not at all LDAP standards
+compliant, so if you want a standards compliant database then please
+see the excellent <a href="http://www.openldap.org/">OpenLDAP</a>
+project.<p>
+
+What ldb does is provide a fast database with an LDAP-like API
+designed to be used within an application. In some ways it can be seen
+as a intermediate solution between key-value pair databases and a real
+LDAP database.<p>
+
+ldb is the database engine used in Samba4.
+
+<h2>Features</h2>
+
+The main features that separate ldb from other solutions are:
+
+<ul>
+<li>Safe multi-reader, multi-writer, using byte range locking
+<li>LDAP-like API
+<li>fast operation
+<li>choice of local tdb or remote LDAP backends
+<li>integration with <a href="http://talloc.samba.org">talloc</a>
+<li>schema-less operation, for trivial setup
+<li>modules for extensions (such as schema support)
+<li>easy setup of indexes and attribute properties
+<li>ldbedit tool for database editing (reminiscent of 'vipw')
+<li>ldif for import/export
+</ul>
+
+<h2>Documentation</h2>
+
+Currently ldb is completely lacking in programmer or user
+documentation. This is your opportunity to make a contribution! Start
+with the public functions declared in <a
+href="http://samba.org/ftp/unpacked/ldb/include/ldb.h">ldb.h</a>
+and the example code in the <a
+href="http://samba.org/ftp/unpacked/ldb/tools/">tools
+directory</a>. Documentation in the same docbook format used by Samba
+would be preferred.
+
+<h2>Discussion and bug reports</h2>
+
+ldb does not currently have its own mailing list or bug tracking
+system. For now, please use the <a
+href="https://lists.samba.org/mailman/listinfo/samba-technical">samba-technical</a>
+mailing list or the <a href="https://lists.samba.org/mailman/listinfo/ldb">ldb</a>
+mailing list, and the <a href="http://bugzilla.samba.org/">Samba bugzilla</a> bug tracking system.
+
+<h2>Download</h2>
+
+You can download the latest release either via rsync or thtough git.<br>
+<br>
+To fetch via git see the following guide:<br>
+<a href="http://wiki.samba.org/index.php/Using_Git_for_Samba_Development">Using Git for Samba Development</a><br>
+Once you have cloned the tree switch to the v4-0-test branch and cd into the source/lib/ldb directory.<br>
+<br>
+To fetch via rsync use these commands:
+
+<pre>
+  rsync -Pavz samba.org::ftp/unpacked/ldb .
+  rsync -Pavz samba.org::ftp/unpacked/tdb .
+  rsync -Pavz samba.org::ftp/unpacked/talloc .
+  rsync -Pavz samba.org::ftp/unpacked/libreplace .
+</pre>
+
+and build in ldb. It will find the other libraries in the directory
+above automatically.
+
+<hr>
+<tiny>
+<a href="http://samba.org/~tridge/">Andrew Tridgell</a><br>
+ldb AT tridgell.net
+</tiny>
+
+</BODY>
+</HTML>
diff --git a/source3/lib/md4.c b/source3/lib/md4.c
new file mode 100644
index 0000000000..bae0091e36
--- /dev/null
+++ b/source3/lib/md4.c
@@ -0,0 +1,174 @@
+/* 
+   Unix SMB/CIFS implementation.
+   a implementation of MD4 designed for use in the SMB authentication protocol
+   Copyright (C) Andrew Tridgell 1997-1998.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* NOTE: This code makes no attempt to be fast! 
+
+   It assumes that a int is at least 32 bits long
+*/
+
+#if 0
+static uint32 A, B, C, D;
+#else
+#define A (state[0])
+#define B (state[1])
+#define C (state[2])
+#define D (state[3])
+#endif
+
+static uint32 F(uint32 X, uint32 Y, uint32 Z)
+{
+	return (X&Y) | ((~X)&Z);
+}
+
+static uint32 G(uint32 X, uint32 Y, uint32 Z)
+{
+	return (X&Y) | (X&Z) | (Y&Z); 
+}
+
+static uint32 H(uint32 X, uint32 Y, uint32 Z)
+{
+	return X^Y^Z;
+}
+
+static uint32 lshift(uint32 x, int s)
+{
+	x &= 0xFFFFFFFF;
+	return ((x<<s)&0xFFFFFFFF) | (x>>(32-s));
+}
+
+#define ROUND1(a,b,c,d,k,s) a = lshift(a + F(b,c,d) + X[k], s)
+#define ROUND2(a,b,c,d,k,s) a = lshift(a + G(b,c,d) + X[k] + (uint32)0x5A827999,s)
+#define ROUND3(a,b,c,d,k,s) a = lshift(a + H(b,c,d) + X[k] + (uint32)0x6ED9EBA1,s)
+
+/* this applies md4 to 64 byte chunks */
+static void mdfour64(uint32_t *state, uint32 *M)
+{
+	int j;
+	uint32 AA, BB, CC, DD;
+	uint32 X[16];
+
+	for (j=0;j<16;j++)
+		X[j] = M[j];
+
+	AA = A; BB = B; CC = C; DD = D;
+
+        ROUND1(A,B,C,D,  0,  3);  ROUND1(D,A,B,C,  1,  7);  
+	ROUND1(C,D,A,B,  2, 11);  ROUND1(B,C,D,A,  3, 19);
+        ROUND1(A,B,C,D,  4,  3);  ROUND1(D,A,B,C,  5,  7);  
+	ROUND1(C,D,A,B,  6, 11);  ROUND1(B,C,D,A,  7, 19);
+        ROUND1(A,B,C,D,  8,  3);  ROUND1(D,A,B,C,  9,  7);  
+	ROUND1(C,D,A,B, 10, 11);  ROUND1(B,C,D,A, 11, 19);
+        ROUND1(A,B,C,D, 12,  3);  ROUND1(D,A,B,C, 13,  7);  
+	ROUND1(C,D,A,B, 14, 11);  ROUND1(B,C,D,A, 15, 19);	
+
+        ROUND2(A,B,C,D,  0,  3);  ROUND2(D,A,B,C,  4,  5);  
+	ROUND2(C,D,A,B,  8,  9);  ROUND2(B,C,D,A, 12, 13);
+        ROUND2(A,B,C,D,  1,  3);  ROUND2(D,A,B,C,  5,  5);  
+	ROUND2(C,D,A,B,  9,  9);  ROUND2(B,C,D,A, 13, 13);
+        ROUND2(A,B,C,D,  2,  3);  ROUND2(D,A,B,C,  6,  5);  
+	ROUND2(C,D,A,B, 10,  9);  ROUND2(B,C,D,A, 14, 13);
+        ROUND2(A,B,C,D,  3,  3);  ROUND2(D,A,B,C,  7,  5);  
+	ROUND2(C,D,A,B, 11,  9);  ROUND2(B,C,D,A, 15, 13);
+
+	ROUND3(A,B,C,D,  0,  3);  ROUND3(D,A,B,C,  8,  9);  
+	ROUND3(C,D,A,B,  4, 11);  ROUND3(B,C,D,A, 12, 15);
+        ROUND3(A,B,C,D,  2,  3);  ROUND3(D,A,B,C, 10,  9);  
+	ROUND3(C,D,A,B,  6, 11);  ROUND3(B,C,D,A, 14, 15);
+        ROUND3(A,B,C,D,  1,  3);  ROUND3(D,A,B,C,  9,  9);  
+	ROUND3(C,D,A,B,  5, 11);  ROUND3(B,C,D,A, 13, 15);
+        ROUND3(A,B,C,D,  3,  3);  ROUND3(D,A,B,C, 11,  9);  
+	ROUND3(C,D,A,B,  7, 11);  ROUND3(B,C,D,A, 15, 15);
+
+	A += AA; B += BB; C += CC; D += DD;
+	
+	A &= 0xFFFFFFFF; B &= 0xFFFFFFFF;
+	C &= 0xFFFFFFFF; D &= 0xFFFFFFFF;
+
+	for (j=0;j<16;j++)
+		X[j] = 0;
+}
+
+static void copy64(uint32 *M, const unsigned char *in)
+{
+	int i;
+
+	for (i=0;i<16;i++)
+		M[i] = (in[i*4+3]<<24) | (in[i*4+2]<<16) |
+			(in[i*4+1]<<8) | (in[i*4+0]<<0);
+}
+
+static void copy4(unsigned char *out, uint32 x)
+{
+	out[0] = x&0xFF;
+	out[1] = (x>>8)&0xFF;
+	out[2] = (x>>16)&0xFF;
+	out[3] = (x>>24)&0xFF;
+}
+
+/* produce a md4 message digest from data of length n bytes */
+void mdfour(unsigned char *out, const unsigned char *in, int n)
+{
+	unsigned char buf[128];
+	uint32 M[16];
+	uint32 state[4];
+	uint32 b = n * 8;
+	int i;
+
+	A = 0x67452301;
+	B = 0xefcdab89;
+	C = 0x98badcfe;
+	D = 0x10325476;
+
+	while (n > 64) {
+		copy64(M, in);
+		mdfour64(state, M);
+		in += 64;
+		n -= 64;
+	}
+
+	for (i=0;i<128;i++)
+		buf[i] = 0;
+	memcpy(buf, in, n);
+	buf[n] = 0x80;
+	
+	if (n <= 55) {
+		copy4(buf+56, b);
+		copy64(M, buf);
+		mdfour64(state, M);
+	} else {
+		copy4(buf+120, b); 
+		copy64(M, buf);
+		mdfour64(state, M);
+		copy64(M, buf+64);
+		mdfour64(state, M);
+	}
+
+	for (i=0;i<128;i++)
+		buf[i] = 0;
+	copy64(M, buf);
+
+	copy4(out, A);
+	copy4(out+4, B);
+	copy4(out+8, C);
+	copy4(out+12, D);
+}
+
+
diff --git a/source3/lib/md5.c b/source3/lib/md5.c
new file mode 100644
index 0000000000..2121b17047
--- /dev/null
+++ b/source3/lib/md5.c
@@ -0,0 +1,247 @@
+/*
+ * This code implements the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest.  This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ */
+
+/* This code slightly modified to fit into Samba by 
+   abartlet@samba.org Jun 2001 */
+
+#include "includes.h"
+
+#include "md5.h"
+
+static void MD5Transform(uint32 buf[4], uint32 const in[16]);
+
+/*
+ * Note: this code is harmless on little-endian machines.
+ */
+static void byteReverse(unsigned char *buf, unsigned longs)
+{
+    uint32 t;
+    do {
+	t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
+	    ((unsigned) buf[1] << 8 | buf[0]);
+	*(uint32 *) buf = t;
+	buf += 4;
+    } while (--longs);
+}
+
+/*
+ * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
+ * initialization constants.
+ */
+void MD5Init(struct MD5Context *ctx)
+{
+    ctx->buf[0] = 0x67452301;
+    ctx->buf[1] = 0xefcdab89;
+    ctx->buf[2] = 0x98badcfe;
+    ctx->buf[3] = 0x10325476;
+
+    ctx->bits[0] = 0;
+    ctx->bits[1] = 0;
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void MD5Update(struct MD5Context *ctx, unsigned char const *buf, unsigned len)
+{
+    register uint32 t;
+
+    /* Update bitcount */
+
+    t = ctx->bits[0];
+    if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
+	ctx->bits[1]++;		/* Carry from low to high */
+    ctx->bits[1] += len >> 29;
+
+    t = (t >> 3) & 0x3f;	/* Bytes already in shsInfo->data */
+
+    /* Handle any leading odd-sized chunks */
+
+    if (t) {
+	unsigned char *p = (unsigned char *) ctx->in + t;
+
+	t = 64 - t;
+	if (len < t) {
+	    memmove(p, buf, len);
+	    return;
+	}
+	memmove(p, buf, t);
+	byteReverse(ctx->in, 16);
+	MD5Transform(ctx->buf, (uint32 *) ctx->in);
+	buf += t;
+	len -= t;
+    }
+    /* Process data in 64-byte chunks */
+
+    while (len >= 64) {
+	memmove(ctx->in, buf, 64);
+	byteReverse(ctx->in, 16);
+	MD5Transform(ctx->buf, (uint32 *) ctx->in);
+	buf += 64;
+	len -= 64;
+    }
+
+    /* Handle any remaining bytes of data. */
+
+    memmove(ctx->in, buf, len);
+}
+
+/*
+ * Final wrapup - pad to 64-byte boundary with the bit pattern 
+ * 1 0* (64-bit count of bits processed, MSB-first)
+ */
+void MD5Final(unsigned char digest[16], struct MD5Context *ctx)
+{
+    unsigned int count;
+    unsigned char *p;
+
+    /* Compute number of bytes mod 64 */
+    count = (ctx->bits[0] >> 3) & 0x3F;
+
+    /* Set the first char of padding to 0x80.  This is safe since there is
+       always at least one byte free */
+    p = ctx->in + count;
+    *p++ = 0x80;
+
+    /* Bytes of padding needed to make 64 bytes */
+    count = 64 - 1 - count;
+
+    /* Pad out to 56 mod 64 */
+    if (count < 8) {
+	/* Two lots of padding:  Pad the first block to 64 bytes */
+	memset(p, 0, count);
+	byteReverse(ctx->in, 16);
+	MD5Transform(ctx->buf, (uint32 *) ctx->in);
+
+	/* Now fill the next block with 56 bytes */
+	memset(ctx->in, 0, 56);
+    } else {
+	/* Pad block to 56 bytes */
+	memset(p, 0, count - 8);
+    }
+    byteReverse(ctx->in, 14);
+
+    /* Append length in bits and transform */
+    ((uint32 *) ctx->in)[14] = ctx->bits[0];
+    ((uint32 *) ctx->in)[15] = ctx->bits[1];
+
+    MD5Transform(ctx->buf, (uint32 *) ctx->in);
+    byteReverse((unsigned char *) ctx->buf, 4);
+    memmove(digest, ctx->buf, 16);
+    memset(ctx, 0, sizeof(ctx));	/* In case it's sensitive */
+}
+
+/* The four core functions - F1 is optimized somewhat */
+
+/* #define F1(x, y, z) (x & y | ~x & z) */
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+
+/* This is the central step in the MD5 algorithm. */
+#define MD5STEP(f, w, x, y, z, data, s) \
+	( w += f(x, y, z) + data,  w = w<<s | w>>(32-s),  w += x )
+
+/*
+ * The core of the MD5 algorithm, this alters an existing MD5 hash to
+ * reflect the addition of 16 longwords of new data.  MD5Update blocks
+ * the data and converts bytes into longwords for this routine.
+ */
+static void MD5Transform(uint32 buf[4], uint32 const in[16])
+{
+    register uint32 a, b, c, d;
+
+    a = buf[0];
+    b = buf[1];
+    c = buf[2];
+    d = buf[3];
+
+    MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+    MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+    MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+    MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+    MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+    MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+    MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+    MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+    MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+    MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+    MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+    MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+    MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+    MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+    MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+    MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+
+    MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+    MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+    MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+    MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+    MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+    MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+    MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+    MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+    MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+    MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+    MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+    MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+    MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+    MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+    MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+    MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+
+    MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+    MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+    MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+    MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+    MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+    MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+    MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+    MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+    MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+    MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+    MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+    MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+    MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+    MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+    MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+    MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+
+    MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+    MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+    MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+    MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+    MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+    MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+    MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+    MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+    MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+    MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+    MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+    MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+    MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+    MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+    MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+    MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+
+    buf[0] += a;
+    buf[1] += b;
+    buf[2] += c;
+    buf[3] += d;
+}
diff --git a/source3/lib/memcache.c b/source3/lib/memcache.c
new file mode 100644
index 0000000000..e1426bc811
--- /dev/null
+++ b/source3/lib/memcache.c
@@ -0,0 +1,417 @@
+/*
+   Unix SMB/CIFS implementation.
+   In-memory cache
+   Copyright (C) Volker Lendecke 2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "memcache.h"
+#include "rbtree.h"
+
+static struct memcache *global_cache;
+
+struct memcache_element {
+	struct rb_node rb_node;
+	struct memcache_element *prev, *next;
+	size_t keylength, valuelength;
+	uint8 n;		/* This is really an enum, but save memory */
+	char data[1];		/* placeholder for offsetof */
+};
+
+struct memcache {
+	struct memcache_element *mru, *lru;
+	struct rb_root tree;
+	size_t size;
+	size_t max_size;
+};
+
+static void memcache_element_parse(struct memcache_element *e,
+				   DATA_BLOB *key, DATA_BLOB *value);
+
+static bool memcache_is_talloc(enum memcache_number n)
+{
+	bool result;
+
+	switch (n) {
+	case GETPWNAM_CACHE:
+	case PDB_GETPWSID_CACHE:
+	case SINGLETON_CACHE_TALLOC:
+		result = true;
+		break;
+	default:
+		result = false;
+		break;
+	}
+
+	return result;
+}
+
+static int memcache_destructor(struct memcache *cache) {
+	struct memcache_element *e, *next;
+
+	for (e = cache->mru; e != NULL; e = next) {
+		next = e->next;
+		if (memcache_is_talloc((enum memcache_number)e->n)
+		    && (e->valuelength == sizeof(void *))) {
+			DATA_BLOB key, value;
+			void *ptr;
+			memcache_element_parse(e, &key, &value);
+			memcpy(&ptr, value.data, sizeof(ptr));
+			TALLOC_FREE(ptr);
+		}
+		SAFE_FREE(e);
+	}
+	return 0;
+}
+
+struct memcache *memcache_init(TALLOC_CTX *mem_ctx, size_t max_size)
+{
+	struct memcache *result;
+
+	result = TALLOC_ZERO_P(mem_ctx, struct memcache);
+	if (result == NULL) {
+		return NULL;
+	}
+	result->max_size = max_size;
+	talloc_set_destructor(result, memcache_destructor);
+	return result;
+}
+
+void memcache_set_global(struct memcache *cache)
+{
+	TALLOC_FREE(global_cache);
+	global_cache = cache;
+}
+
+static struct memcache_element *memcache_node2elem(struct rb_node *node)
+{
+	return (struct memcache_element *)
+		((char *)node - offsetof(struct memcache_element, rb_node));
+}
+
+static void memcache_element_parse(struct memcache_element *e,
+				   DATA_BLOB *key, DATA_BLOB *value)
+{
+	key->data = ((uint8 *)e) + offsetof(struct memcache_element, data);
+	key->length = e->keylength;
+	value->data = key->data + e->keylength;
+	value->length = e->valuelength;
+}
+
+static size_t memcache_element_size(size_t key_length, size_t value_length)
+{
+	return sizeof(struct memcache_element) - 1 + key_length + value_length;
+}
+
+static int memcache_compare(struct memcache_element *e, enum memcache_number n,
+			    DATA_BLOB key)
+{
+	DATA_BLOB this_key, this_value;
+
+	if ((int)e->n < (int)n) return 1;
+	if ((int)e->n > (int)n) return -1;
+
+	if (e->keylength < key.length) return 1;
+	if (e->keylength > key.length) return -1;
+
+	memcache_element_parse(e, &this_key, &this_value);
+	return memcmp(this_key.data, key.data, key.length);
+}
+
+static struct memcache_element *memcache_find(
+	struct memcache *cache, enum memcache_number n, DATA_BLOB key)
+{
+	struct rb_node *node;
+
+	node = cache->tree.rb_node;
+
+	while (node != NULL) {
+		struct memcache_element *elem = memcache_node2elem(node);
+		int cmp;
+
+		cmp = memcache_compare(elem, n, key);
+		if (cmp == 0) {
+			return elem;
+		}
+		node = (cmp < 0) ? node->rb_left : node->rb_right;
+	}
+
+	return NULL;
+}
+
+bool memcache_lookup(struct memcache *cache, enum memcache_number n,
+		     DATA_BLOB key, DATA_BLOB *value)
+{
+	struct memcache_element *e;
+
+	if (cache == NULL) {
+		cache = global_cache;
+	}
+	if (cache == NULL) {
+		return false;
+	}
+
+	e = memcache_find(cache, n, key);
+	if (e == NULL) {
+		return false;
+	}
+
+	if (cache->size != 0) {
+		/*
+		 * Do LRU promotion only when we will ever shrink
+		 */
+		if (e == cache->lru) {
+			cache->lru = e->prev;
+		}
+		DLIST_PROMOTE(cache->mru, e);
+		if (cache->mru == NULL) {
+			cache->mru = e;
+		}
+	}
+
+	memcache_element_parse(e, &key, value);
+	return true;
+}
+
+void *memcache_lookup_talloc(struct memcache *cache, enum memcache_number n,
+			     DATA_BLOB key)
+{
+	DATA_BLOB value;
+	void *result;
+
+	if (!memcache_lookup(cache, n, key, &value)) {
+		return NULL;
+	}
+
+	if (value.length != sizeof(result)) {
+		return NULL;
+	}
+
+	memcpy(&result, value.data, sizeof(result));
+
+	return result;
+}
+
+static void memcache_delete_element(struct memcache *cache,
+				    struct memcache_element *e)
+{
+	rb_erase(&e->rb_node, &cache->tree);
+
+	if (e == cache->lru) {
+		cache->lru = e->prev;
+	}
+	DLIST_REMOVE(cache->mru, e);
+
+	cache->size -= memcache_element_size(e->keylength, e->valuelength);
+
+	SAFE_FREE(e);
+}
+
+static void memcache_trim(struct memcache *cache)
+{
+	if (cache->max_size == 0) {
+		return;
+	}
+
+	while ((cache->size > cache->max_size) && (cache->lru != NULL)) {
+		memcache_delete_element(cache, cache->lru);
+	}
+}
+
+void memcache_delete(struct memcache *cache, enum memcache_number n,
+		     DATA_BLOB key)
+{
+	struct memcache_element *e;
+
+	if (cache == NULL) {
+		cache = global_cache;
+	}
+	if (cache == NULL) {
+		return;
+	}
+
+	e = memcache_find(cache, n, key);
+	if (e == NULL) {
+		return;
+	}
+
+	memcache_delete_element(cache, e);
+}
+
+void memcache_add(struct memcache *cache, enum memcache_number n,
+		  DATA_BLOB key, DATA_BLOB value)
+{
+	struct memcache_element *e;
+	struct rb_node **p;
+	struct rb_node *parent;
+	DATA_BLOB cache_key, cache_value;
+	size_t element_size;
+
+	if (cache == NULL) {
+		cache = global_cache;
+	}
+	if (cache == NULL) {
+		return;
+	}
+
+	if (key.length == 0) {
+		return;
+	}
+
+	e = memcache_find(cache, n, key);
+
+	if (e != NULL) {
+		memcache_element_parse(e, &cache_key, &cache_value);
+
+		if (value.length <= cache_value.length) {
+			/*
+			 * We can reuse the existing record
+			 */
+			memcpy(cache_value.data, value.data, value.length);
+			e->valuelength = value.length;
+			return;
+		}
+
+		memcache_delete_element(cache, e);
+	}
+
+	element_size = memcache_element_size(key.length, value.length);
+
+
+	e = (struct memcache_element *)SMB_MALLOC(element_size);
+
+	if (e == NULL) {
+		DEBUG(0, ("malloc failed\n"));
+		return;
+	}
+
+	e->n = n;
+	e->keylength = key.length;
+	e->valuelength = value.length;
+
+	memcache_element_parse(e, &cache_key, &cache_value);
+	memcpy(cache_key.data, key.data, key.length);
+	memcpy(cache_value.data, value.data, value.length);
+
+	parent = NULL;
+	p = &cache->tree.rb_node;
+
+	while (*p) {
+		struct memcache_element *elem = memcache_node2elem(*p);
+		int cmp;
+
+		parent = (*p);
+
+		cmp = memcache_compare(elem, n, key);
+
+		p = (cmp < 0) ? &(*p)->rb_left : &(*p)->rb_right;
+	}
+
+	rb_link_node(&e->rb_node, parent, p);
+	rb_insert_color(&e->rb_node, &cache->tree);
+
+	DLIST_ADD(cache->mru, e);
+	if (cache->lru == NULL) {
+		cache->lru = e;
+	}
+
+	cache->size += element_size;
+	memcache_trim(cache);
+}
+
+void memcache_add_talloc(struct memcache *cache, enum memcache_number n,
+			 DATA_BLOB key, void *ptr)
+{
+	memcache_add(cache, n, key, data_blob_const(&ptr, sizeof(ptr)));
+}
+
+void memcache_flush(struct memcache *cache, enum memcache_number n)
+{
+	struct rb_node *node;
+
+	if (cache == NULL) {
+		cache = global_cache;
+	}
+	if (cache == NULL) {
+		return;
+	}
+
+	/*
+	 * Find the smallest element of number n
+	 */
+
+	node = cache->tree.rb_node;
+	if (node == NULL) {
+		return;
+	}
+
+	/*
+	 * First, find *any* element of number n
+	 */
+
+	while (true) {
+		struct memcache_element *elem = memcache_node2elem(node);
+		struct rb_node *next;
+
+		if ((int)elem->n == (int)n) {
+			break;
+		}
+
+		if ((int)elem->n < (int)n) {
+			next = node->rb_right;
+		}
+		else {
+			next = node->rb_left;
+		}
+		if (next == NULL) {
+			break;
+		}
+		node = next;
+	}
+
+	if (node == NULL) {
+		return;
+	}
+
+	/*
+	 * Then, find the leftmost element with number n
+	 */
+
+	while (true) {
+		struct rb_node *prev = rb_prev(node);
+		struct memcache_element *elem;
+
+		if (prev == NULL) {
+			break;
+		}
+		elem = memcache_node2elem(prev);
+		if ((int)elem->n != (int)n) {
+			break;
+		}
+		node = prev;
+	}
+
+	while (node != NULL) {
+		struct memcache_element *e = memcache_node2elem(node);
+		struct rb_node *next = rb_next(node);
+
+		if (e->n != n) {
+			break;
+		}
+
+		memcache_delete_element(cache, e);
+		node = next;
+	}
+}
diff --git a/source3/lib/messages.c b/source3/lib/messages.c
new file mode 100644
index 0000000000..f5933cafdb
--- /dev/null
+++ b/source3/lib/messages.c
@@ -0,0 +1,363 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba internal messaging functions
+   Copyright (C) Andrew Tridgell 2000
+   Copyright (C) 2001 by Martin Pool
+   Copyright (C) 2002 by Jeremy Allison
+   Copyright (C) 2007 by Volker Lendecke
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+  @defgroup messages Internal messaging framework
+  @{
+  @file messages.c
+  
+  @brief  Module for internal messaging between Samba daemons. 
+
+   The idea is that if a part of Samba wants to do communication with
+   another Samba process then it will do a message_register() of a
+   dispatch function, and use message_send_pid() to send messages to
+   that process.
+
+   The dispatch function is given the pid of the sender, and it can
+   use that to reply by message_send_pid().  See ping_message() for a
+   simple example.
+
+   @caution Dispatch functions must be able to cope with incoming
+   messages on an *odd* byte boundary.
+
+   This system doesn't have any inherent size limitations but is not
+   very efficient for large messages or when messages are sent in very
+   quick succession.
+
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/messaging.h"
+#include "librpc/gen_ndr/ndr_messaging.h"
+
+struct messaging_callback {
+	struct messaging_callback *prev, *next;
+	uint32 msg_type;
+	void (*fn)(struct messaging_context *msg, void *private_data, 
+		   uint32_t msg_type, 
+		   struct server_id server_id, DATA_BLOB *data);
+	void *private_data;
+};
+
+/****************************************************************************
+ A useful function for testing the message system.
+****************************************************************************/
+
+static void ping_message(struct messaging_context *msg_ctx,
+			 void *private_data,
+			 uint32_t msg_type,
+			 struct server_id src,
+			 DATA_BLOB *data)
+{
+	const char *msg = data->data ? (const char *)data->data : "none";
+
+	DEBUG(1,("INFO: Received PING message from PID %s [%s]\n",
+		 procid_str_static(&src), msg));
+	messaging_send(msg_ctx, src, MSG_PONG, data);
+}
+
+/****************************************************************************
+ Register/replace a dispatch function for a particular message type.
+ JRA changed Dec 13 2006. Only one message handler now permitted per type.
+ *NOTE*: Dispatch functions must be able to cope with incoming
+ messages on an *odd* byte boundary.
+****************************************************************************/
+
+struct msg_all {
+	struct messaging_context *msg_ctx;
+	int msg_type;
+	uint32 msg_flag;
+	const void *buf;
+	size_t len;
+	int n_sent;
+};
+
+/****************************************************************************
+ Send one of the messages for the broadcast.
+****************************************************************************/
+
+static int traverse_fn(struct db_record *rec,
+		       const struct connections_key *ckey,
+		       const struct connections_data *crec,
+		       void *state)
+{
+	struct msg_all *msg_all = (struct msg_all *)state;
+	NTSTATUS status;
+
+	if (crec->cnum != -1)
+		return 0;
+
+	/* Don't send if the receiver hasn't registered an interest. */
+
+	if(!(crec->bcast_msg_flags & msg_all->msg_flag))
+		return 0;
+
+	/* If the msg send fails because the pid was not found (i.e. smbd died), 
+	 * the msg has already been deleted from the messages.tdb.*/
+
+	status = messaging_send_buf(msg_all->msg_ctx,
+				    crec->pid, msg_all->msg_type,
+				    (uint8 *)msg_all->buf, msg_all->len);
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+		
+		/* If the pid was not found delete the entry from connections.tdb */
+
+		DEBUG(2,("pid %s doesn't exist - deleting connections %d [%s]\n",
+			 procid_str_static(&crec->pid), crec->cnum,
+			 crec->servicename));
+
+		rec->delete_rec(rec);
+	}
+	msg_all->n_sent++;
+	return 0;
+}
+
+/**
+ * Send a message to all smbd processes.
+ *
+ * It isn't very efficient, but should be OK for the sorts of
+ * applications that use it. When we need efficient broadcast we can add
+ * it.
+ *
+ * @param n_sent Set to the number of messages sent.  This should be
+ * equal to the number of processes, but be careful for races.
+ *
+ * @retval True for success.
+ **/
+bool message_send_all(struct messaging_context *msg_ctx,
+		      int msg_type,
+		      const void *buf, size_t len,
+		      int *n_sent)
+{
+	struct msg_all msg_all;
+
+	msg_all.msg_type = msg_type;
+	if (msg_type < 1000)
+		msg_all.msg_flag = FLAG_MSG_GENERAL;
+	else if (msg_type > 1000 && msg_type < 2000)
+		msg_all.msg_flag = FLAG_MSG_NMBD;
+	else if (msg_type > 2000 && msg_type < 2100)
+		msg_all.msg_flag = FLAG_MSG_PRINT_NOTIFY;
+	else if (msg_type > 2100 && msg_type < 3000)
+		msg_all.msg_flag = FLAG_MSG_PRINT_GENERAL;
+	else if (msg_type > 3000 && msg_type < 4000)
+		msg_all.msg_flag = FLAG_MSG_SMBD;
+	else if (msg_type > 4000 && msg_type < 5000)
+		msg_all.msg_flag = FLAG_MSG_DBWRAP;
+	else
+		return False;
+
+	msg_all.buf = buf;
+	msg_all.len = len;
+	msg_all.n_sent = 0;
+	msg_all.msg_ctx = msg_ctx;
+
+	connections_forall(traverse_fn, &msg_all);
+	if (n_sent)
+		*n_sent = msg_all.n_sent;
+	return True;
+}
+
+struct event_context *messaging_event_context(struct messaging_context *msg_ctx)
+{
+	return msg_ctx->event_ctx;
+}
+
+struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, 
+					 struct server_id server_id, 
+					 struct event_context *ev)
+{
+	struct messaging_context *ctx;
+	NTSTATUS status;
+
+	if (!(ctx = TALLOC_ZERO_P(mem_ctx, struct messaging_context))) {
+		return NULL;
+	}
+
+	ctx->id = server_id;
+	ctx->event_ctx = ev;
+
+	status = messaging_tdb_init(ctx, ctx, &ctx->local);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("messaging_tdb_init failed: %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(ctx);
+		return NULL;
+	}
+
+#ifdef CLUSTER_SUPPORT
+	if (lp_clustering()) {
+		status = messaging_ctdbd_init(ctx, ctx, &ctx->remote);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("messaging_ctdb_init failed: %s\n",
+				  nt_errstr(status)));
+			TALLOC_FREE(ctx);
+			return NULL;
+		}
+	}
+#endif
+
+	messaging_register(ctx, NULL, MSG_PING, ping_message);
+
+	/* Register some debugging related messages */
+
+	register_msg_pool_usage(ctx);
+	register_dmalloc_msgs(ctx);
+	debug_register_msgs(ctx);
+
+	return ctx;
+}
+
+/*
+ * re-init after a fork
+ */
+NTSTATUS messaging_reinit(struct messaging_context *msg_ctx)
+{
+#ifdef CLUSTER_SUPPORT
+
+	TALLOC_FREE(msg_ctx->remote);
+
+	if (lp_clustering()) {
+		NTSTATUS status;
+
+		status = messaging_ctdbd_init(msg_ctx, msg_ctx,
+					      &msg_ctx->remote);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("messaging_ctdb_init failed: %s\n",
+				  nt_errstr(status)));
+			return status;
+		}
+	}
+
+#endif
+
+	return NT_STATUS_OK;
+}
+
+
+/*
+ * Register a dispatch function for a particular message type. Allow multiple
+ * registrants
+*/
+NTSTATUS messaging_register(struct messaging_context *msg_ctx,
+			    void *private_data,
+			    uint32_t msg_type,
+			    void (*fn)(struct messaging_context *msg,
+				       void *private_data, 
+				       uint32_t msg_type, 
+				       struct server_id server_id,
+				       DATA_BLOB *data))
+{
+	struct messaging_callback *cb;
+
+	/*
+	 * Only one callback per type
+	 */
+
+	for (cb = msg_ctx->callbacks; cb != NULL; cb = cb->next) {
+		if (cb->msg_type == msg_type) {
+			cb->fn = fn;
+			cb->private_data = private_data;
+			return NT_STATUS_OK;
+		}
+	}
+
+	if (!(cb = talloc(msg_ctx, struct messaging_callback))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	cb->msg_type = msg_type;
+	cb->fn = fn;
+	cb->private_data = private_data;
+
+	DLIST_ADD(msg_ctx->callbacks, cb);
+	return NT_STATUS_OK;
+}
+
+/*
+  De-register the function for a particular message type.
+*/
+void messaging_deregister(struct messaging_context *ctx, uint32_t msg_type,
+			  void *private_data)
+{
+	struct messaging_callback *cb, *next;
+
+	for (cb = ctx->callbacks; cb; cb = next) {
+		next = cb->next;
+		if ((cb->msg_type == msg_type)
+		    && (cb->private_data == private_data)) {
+			DLIST_REMOVE(ctx->callbacks, cb);
+			TALLOC_FREE(cb);
+		}
+	}
+}
+
+/*
+  Send a message to a particular server
+*/
+NTSTATUS messaging_send(struct messaging_context *msg_ctx,
+			struct server_id server, uint32_t msg_type,
+			const DATA_BLOB *data)
+{
+#ifdef CLUSTER_SUPPORT
+	if (!procid_is_local(&server)) {
+		return msg_ctx->remote->send_fn(msg_ctx, server,
+						msg_type, data,
+						msg_ctx->remote);
+	}
+#endif
+	return msg_ctx->local->send_fn(msg_ctx, server, msg_type, data,
+				       msg_ctx->local);
+}
+
+NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
+			    struct server_id server, uint32_t msg_type,
+			    const uint8 *buf, size_t len)
+{
+	DATA_BLOB blob = data_blob_const(buf, len);
+	return messaging_send(msg_ctx, server, msg_type, &blob);
+}
+
+/*
+  Dispatch one messsaging_rec
+*/
+void messaging_dispatch_rec(struct messaging_context *msg_ctx,
+			    struct messaging_rec *rec)
+{
+	struct messaging_callback *cb, *next;
+
+	for (cb = msg_ctx->callbacks; cb != NULL; cb = next) {
+		next = cb->next;
+		if (cb->msg_type == rec->msg_type) {
+			cb->fn(msg_ctx, cb->private_data, rec->msg_type,
+			       rec->src, &rec->buf);
+			return;
+		}
+	}
+	return;
+}
+
+/** @} **/
diff --git a/source3/lib/messages_ctdbd.c b/source3/lib/messages_ctdbd.c
new file mode 100644
index 0000000000..847ab0fe6a
--- /dev/null
+++ b/source3/lib/messages_ctdbd.c
@@ -0,0 +1,158 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba internal messaging functions
+   Copyright (C) 2007 by Volker Lendecke
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef CLUSTER_SUPPORT
+
+#include "librpc/gen_ndr/messaging.h"
+#include "ctdb.h"
+#include "ctdb_private.h"
+#include "ctdbd_conn.h"
+
+
+struct messaging_ctdbd_context {
+	struct ctdbd_connection *conn;
+};
+
+/*
+ * This is a Samba3 hack/optimization. Routines like process_exists need to
+ * talk to ctdbd, and they don't get handed a messaging context.
+ */
+static struct ctdbd_connection *global_ctdbd_connection;
+static int global_ctdb_connection_pid;
+
+struct ctdbd_connection *messaging_ctdbd_connection(void)
+{
+	if (global_ctdb_connection_pid == 0 &&
+	    global_ctdbd_connection == NULL) {
+		struct event_context *ev;
+		struct messaging_context *msg;
+
+		ev = event_context_init(NULL);
+		if (!ev) {
+			DEBUG(0,("event_context_init failed\n"));
+		}
+
+		msg = messaging_init(NULL, procid_self(), ev);
+		if (!msg) {
+			DEBUG(0,("messaging_init failed\n"));
+			return NULL;
+		}
+	}
+
+	if (global_ctdb_connection_pid != getpid()) {
+		DEBUG(0,("messaging_ctdbd_connection():"
+			 "valid for pid[%d] but it's [%d]\n",
+			 global_ctdb_connection_pid, getpid()));
+		smb_panic("messaging_ctdbd_connection() invalid process\n");
+	}
+
+	return global_ctdbd_connection;
+}
+
+static NTSTATUS messaging_ctdb_send(struct messaging_context *msg_ctx,
+				    struct server_id pid, int msg_type,
+				    const DATA_BLOB *data,
+				    struct messaging_backend *backend)
+{
+	struct messaging_ctdbd_context *ctx = talloc_get_type_abort(
+		backend->private_data, struct messaging_ctdbd_context);
+
+	struct messaging_rec msg;
+
+	msg.msg_version	= MESSAGE_VERSION;
+	msg.msg_type	= msg_type;
+	msg.dest	= pid;
+	msg.src		= procid_self();
+	msg.buf		= *data;
+
+	return ctdbd_messaging_send(ctx->conn, pid.vnn, pid.pid, &msg);
+}
+
+static int messaging_ctdbd_destructor(struct messaging_ctdbd_context *ctx)
+{
+	/*
+	 * The global connection just went away
+	 */
+	global_ctdb_connection_pid = 0;
+	global_ctdbd_connection = NULL;
+	return 0;
+}
+
+NTSTATUS messaging_ctdbd_init(struct messaging_context *msg_ctx,
+			      TALLOC_CTX *mem_ctx,
+			      struct messaging_backend **presult)
+{
+	struct messaging_backend *result;
+	struct messaging_ctdbd_context *ctx;
+	NTSTATUS status;
+
+	if (!(result = TALLOC_P(mem_ctx, struct messaging_backend))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!(ctx = TALLOC_P(result, struct messaging_ctdbd_context))) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = ctdbd_messaging_connection(ctx, &ctx->conn);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("ctdbd_messaging_connection failed: %s\n",
+			   nt_errstr(status)));
+		TALLOC_FREE(result);
+		return status;
+	}
+
+	status = ctdbd_register_msg_ctx(ctx->conn, msg_ctx);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("ctdbd_register_msg_ctx failed: %s\n",
+			   nt_errstr(status)));
+		TALLOC_FREE(result);
+		return status;
+	}
+
+	global_ctdb_connection_pid = getpid();
+	global_ctdbd_connection = ctx->conn;
+	talloc_set_destructor(ctx, messaging_ctdbd_destructor);
+
+	set_my_vnn(ctdbd_vnn(ctx->conn));
+
+	result->send_fn = messaging_ctdb_send;
+	result->private_data = (void *)ctx;
+
+	*presult = result;
+	return NT_STATUS_OK;
+}
+
+#else
+
+NTSTATUS messaging_ctdbd_init(struct messaging_context *msg_ctx,
+			      TALLOC_CTX *mem_ctx,
+			      struct messaging_backend **presult)
+{
+	return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+#endif
diff --git a/source3/lib/messages_local.c b/source3/lib/messages_local.c
new file mode 100644
index 0000000000..f436afc2ff
--- /dev/null
+++ b/source3/lib/messages_local.c
@@ -0,0 +1,436 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba internal messaging functions
+   Copyright (C) 2007 by Volker Lendecke
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+  @defgroup messages Internal messaging framework
+  @{
+  @file messages.c
+  
+  @brief  Module for internal messaging between Samba daemons. 
+
+   The idea is that if a part of Samba wants to do communication with
+   another Samba process then it will do a message_register() of a
+   dispatch function, and use message_send_pid() to send messages to
+   that process.
+
+   The dispatch function is given the pid of the sender, and it can
+   use that to reply by message_send_pid().  See ping_message() for a
+   simple example.
+
+   @caution Dispatch functions must be able to cope with incoming
+   messages on an *odd* byte boundary.
+
+   This system doesn't have any inherent size limitations but is not
+   very efficient for large messages or when messages are sent in very
+   quick succession.
+
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/messaging.h"
+#include "librpc/gen_ndr/ndr_messaging.h"
+
+static sig_atomic_t received_signal;
+
+static NTSTATUS messaging_tdb_send(struct messaging_context *msg_ctx,
+				   struct server_id pid, int msg_type,
+				   const DATA_BLOB *data,
+				   struct messaging_backend *backend);
+
+/****************************************************************************
+ Notifications come in as signals.
+****************************************************************************/
+
+static void sig_usr1(void)
+{
+	received_signal = 1;
+	sys_select_signal(SIGUSR1);
+}
+
+static int messaging_tdb_destructor(struct messaging_backend *tdb_ctx)
+{
+	struct tdb_wrap *tdb = (struct tdb_wrap *)tdb_ctx->private_data;
+	TALLOC_FREE(tdb);
+	return 0;
+}
+
+/****************************************************************************
+ Initialise the messaging functions. 
+****************************************************************************/
+
+NTSTATUS messaging_tdb_init(struct messaging_context *msg_ctx,
+			    TALLOC_CTX *mem_ctx,
+			    struct messaging_backend **presult)
+{
+	struct messaging_backend *result;
+	struct tdb_wrap *tdb;
+
+	if (!(result = TALLOC_P(mem_ctx, struct messaging_backend))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	tdb = tdb_wrap_open(result, lock_path("messages.tdb"), 
+			    0, TDB_CLEAR_IF_FIRST|TDB_DEFAULT, 
+			    O_RDWR|O_CREAT,0600);
+
+	if (!tdb) {
+		NTSTATUS status = map_nt_error_from_unix(errno);
+		DEBUG(0, ("ERROR: Failed to initialise messages database: "
+			  "%s\n", strerror(errno)));
+		TALLOC_FREE(result);
+		return status;
+	}
+
+	sec_init();
+
+	/* Activate the per-hashchain freelist */
+	tdb_set_max_dead(tdb->tdb, 5);
+
+	CatchSignal(SIGUSR1, SIGNAL_CAST sig_usr1);
+
+	result->private_data = (void *)tdb;
+	result->send_fn = messaging_tdb_send;
+
+	talloc_set_destructor(result, messaging_tdb_destructor);
+
+	*presult = result;
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Form a static tdb key from a pid.
+******************************************************************/
+
+static TDB_DATA message_key_pid(TALLOC_CTX *mem_ctx, struct server_id pid)
+{
+	char *key;
+	TDB_DATA kbuf;
+
+	key = talloc_asprintf(talloc_tos(), "PID/%s", procid_str_static(&pid));
+
+	SMB_ASSERT(key != NULL);
+	
+	kbuf.dptr = (uint8 *)key;
+	kbuf.dsize = strlen(key)+1;
+	return kbuf;
+}
+
+/*
+  Fetch the messaging array for a process
+ */
+
+static NTSTATUS messaging_tdb_fetch(TDB_CONTEXT *msg_tdb,
+				    TDB_DATA key,
+				    TALLOC_CTX *mem_ctx,
+				    struct messaging_array **presult)
+{
+	struct messaging_array *result;
+	TDB_DATA data;
+	DATA_BLOB blob;
+	enum ndr_err_code ndr_err;
+
+	if (!(result = TALLOC_ZERO_P(mem_ctx, struct messaging_array))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	data = tdb_fetch(msg_tdb, key);
+
+	if (data.dptr == NULL) {
+		*presult = result;
+		return NT_STATUS_OK;
+	}
+
+	blob = data_blob_const(data.dptr, data.dsize);
+
+	ndr_err = ndr_pull_struct_blob(
+		&blob, result, result,
+		(ndr_pull_flags_fn_t)ndr_pull_messaging_array);
+
+	SAFE_FREE(data.dptr);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		TALLOC_FREE(result);
+		return ndr_map_error2ntstatus(ndr_err);
+	}
+
+	if (DEBUGLEVEL >= 10) {
+		DEBUG(10, ("messaging_tdb_fetch:\n"));
+		NDR_PRINT_DEBUG(messaging_array, result);
+	}
+
+	*presult = result;
+	return NT_STATUS_OK;
+}
+
+/*
+  Store a messaging array for a pid
+*/
+
+static NTSTATUS messaging_tdb_store(TDB_CONTEXT *msg_tdb,
+				    TDB_DATA key,
+				    struct messaging_array *array)
+{
+	TDB_DATA data;
+	DATA_BLOB blob;
+	enum ndr_err_code ndr_err;
+	TALLOC_CTX *mem_ctx;
+	int ret;
+
+	if (array->num_messages == 0) {
+		tdb_delete(msg_tdb, key);
+		return NT_STATUS_OK;
+	}
+
+	if (!(mem_ctx = talloc_new(array))) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ndr_err = ndr_push_struct_blob(
+		&blob, mem_ctx, array,
+		(ndr_push_flags_fn_t)ndr_push_messaging_array);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		talloc_free(mem_ctx);
+		return ndr_map_error2ntstatus(ndr_err);
+	}
+
+	if (DEBUGLEVEL >= 10) {
+		DEBUG(10, ("messaging_tdb_store:\n"));
+		NDR_PRINT_DEBUG(messaging_array, array);
+	}
+
+	data.dptr = blob.data;
+	data.dsize = blob.length;
+
+	ret = tdb_store(msg_tdb, key, data, TDB_REPLACE);
+	TALLOC_FREE(mem_ctx);
+
+	return (ret == 0) ? NT_STATUS_OK : NT_STATUS_INTERNAL_DB_CORRUPTION;
+}
+
+/****************************************************************************
+ Notify a process that it has a message. If the process doesn't exist 
+ then delete its record in the database.
+****************************************************************************/
+
+static NTSTATUS message_notify(struct server_id procid)
+{
+	pid_t pid = procid.pid;
+	int ret;
+	uid_t euid = geteuid();
+
+	/*
+	 * Doing kill with a non-positive pid causes messages to be
+	 * sent to places we don't want.
+	 */
+
+	SMB_ASSERT(pid > 0);
+
+	if (euid != 0) {
+		/* If we're not root become so to send the message. */
+		save_re_uid();
+		set_effective_uid(0);
+	}
+
+	ret = kill(pid, SIGUSR1);
+
+	if (euid != 0) {
+		/* Go back to who we were. */
+		int saved_errno = errno;
+		restore_re_uid_fromroot();
+		errno = saved_errno;
+	}
+
+	if (ret == 0) {
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * Something has gone wrong
+	 */
+
+	DEBUG(2,("message to process %d failed - %s\n", (int)pid,
+		 strerror(errno)));
+
+	/*
+	 * No call to map_nt_error_from_unix -- don't want to link in
+	 * errormap.o into lots of utils.
+	 */
+
+	if (errno == ESRCH)  return NT_STATUS_INVALID_HANDLE;
+	if (errno == EINVAL) return NT_STATUS_INVALID_PARAMETER;
+	if (errno == EPERM)  return NT_STATUS_ACCESS_DENIED;
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/****************************************************************************
+ Send a message to a particular pid.
+****************************************************************************/
+
+static NTSTATUS messaging_tdb_send(struct messaging_context *msg_ctx,
+				   struct server_id pid, int msg_type,
+				   const DATA_BLOB *data,
+				   struct messaging_backend *backend)
+{
+	struct messaging_array *msg_array;
+	struct messaging_rec *rec;
+	NTSTATUS status;
+	TDB_DATA key;
+	struct tdb_wrap *tdb = (struct tdb_wrap *)backend->private_data;
+	TALLOC_CTX *frame = talloc_stackframe();
+
+	/* NULL pointer means implicit length zero. */
+	if (!data->data) {
+		SMB_ASSERT(data->length == 0);
+	}
+
+	/*
+	 * Doing kill with a non-positive pid causes messages to be
+	 * sent to places we don't want.
+	 */
+
+	SMB_ASSERT(procid_to_pid(&pid) > 0);
+
+	key = message_key_pid(frame, pid);
+
+	if (tdb_chainlock(tdb->tdb, key) == -1) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_LOCK_NOT_GRANTED;
+	}
+
+	status = messaging_tdb_fetch(tdb->tdb, key, talloc_tos(), &msg_array);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	if ((msg_type & MSG_FLAG_LOWPRIORITY)
+	    && (msg_array->num_messages > 1000)) {
+		DEBUG(5, ("Dropping message for PID %s\n",
+			  procid_str_static(&pid)));
+		status = NT_STATUS_INSUFFICIENT_RESOURCES;
+		goto done;
+	}
+
+	if (!(rec = TALLOC_REALLOC_ARRAY(talloc_tos(), msg_array->messages,
+					 struct messaging_rec,
+					 msg_array->num_messages+1))) {
+		status = NT_STATUS_NO_MEMORY;
+		goto done;
+	}
+
+	rec[msg_array->num_messages].msg_version = MESSAGE_VERSION;
+	rec[msg_array->num_messages].msg_type = msg_type & MSG_TYPE_MASK;
+	rec[msg_array->num_messages].dest = pid;
+	rec[msg_array->num_messages].src = procid_self();
+	rec[msg_array->num_messages].buf = *data;
+
+	msg_array->messages = rec;
+	msg_array->num_messages += 1;
+
+	status = messaging_tdb_store(tdb->tdb, key, msg_array);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+	
+	status = message_notify(pid);
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+		DEBUG(2, ("pid %s doesn't exist - deleting messages record\n",
+			  procid_str_static(&pid)));
+		tdb_delete(tdb->tdb, message_key_pid(talloc_tos(), pid));
+	}
+
+ done:
+	tdb_chainunlock(tdb->tdb, key);
+	TALLOC_FREE(frame);
+	return status;
+}
+
+/****************************************************************************
+ Retrieve all messages for the current process.
+****************************************************************************/
+
+static NTSTATUS retrieve_all_messages(TDB_CONTEXT *msg_tdb,
+				      TALLOC_CTX *mem_ctx,
+				      struct messaging_array **presult)
+{
+	struct messaging_array *result;
+	TDB_DATA key = message_key_pid(mem_ctx, procid_self());
+	NTSTATUS status;
+
+	if (tdb_chainlock(msg_tdb, key) == -1) {
+		TALLOC_FREE(key.dptr);
+		return NT_STATUS_LOCK_NOT_GRANTED;
+	}
+
+	status = messaging_tdb_fetch(msg_tdb, key, mem_ctx, &result);
+
+	/*
+	 * We delete the record here, tdb_set_max_dead keeps it around
+	 */
+	tdb_delete(msg_tdb, key);
+	tdb_chainunlock(msg_tdb, key);
+
+	if (NT_STATUS_IS_OK(status)) {
+		*presult = result;
+	}
+
+	TALLOC_FREE(key.dptr);
+
+	return status;
+}
+
+/****************************************************************************
+ Receive and dispatch any messages pending for this process.
+ JRA changed Dec 13 2006. Only one message handler now permitted per type.
+ *NOTE*: Dispatch functions must be able to cope with incoming
+ messages on an *odd* byte boundary.
+****************************************************************************/
+
+void message_dispatch(struct messaging_context *msg_ctx)
+{
+	struct messaging_array *msg_array = NULL;
+	struct tdb_wrap *tdb = (struct tdb_wrap *)
+		(msg_ctx->local->private_data);
+	uint32 i;
+
+	if (!received_signal)
+		return;
+
+	DEBUG(10, ("message_dispatch: received_signal = %d\n",
+		   received_signal));
+
+	received_signal = 0;
+
+	if (!NT_STATUS_IS_OK(retrieve_all_messages(tdb->tdb, NULL,
+						   &msg_array))) {
+		return;
+	}
+
+	for (i=0; i<msg_array->num_messages; i++) {
+		messaging_dispatch_rec(msg_ctx, &msg_array->messages[i]);
+	}
+
+	TALLOC_FREE(msg_array);
+}
+
+/** @} **/
diff --git a/source3/lib/module.c b/source3/lib/module.c
new file mode 100644
index 0000000000..76983387ff
--- /dev/null
+++ b/source3/lib/module.c
@@ -0,0 +1,166 @@
+/* 
+   Unix SMB/CIFS implementation.
+   module loading system
+
+   Copyright (C) Jelmer Vernooij 2002-2003
+   Copyright (C) Stefan (metze) Metzmacher 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_DLOPEN
+
+/* Load a dynamic module.  Only log a level 0 error if we are not checking 
+   for the existence of a module (probling). */
+
+static NTSTATUS do_smb_load_module(const char *module_name, bool is_probe)
+{
+	void *handle;
+	init_module_function *init;
+	NTSTATUS status;
+	const char *error;
+
+	/* Always try to use LAZY symbol resolving; if the plugin has 
+	 * backwards compatibility, there might be symbols in the 
+	 * plugin referencing to old (removed) functions
+	 */
+	handle = sys_dlopen(module_name, RTLD_LAZY);
+
+	/* This call should reset any possible non-fatal errors that 
+	   occured since last call to dl* functions */
+	error = sys_dlerror();
+
+	if(!handle) {
+		int level = is_probe ? 3 : 0;
+		DEBUG(level, ("Error loading module '%s': %s\n", module_name, error ? error : ""));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	init = (init_module_function *)sys_dlsym(handle, "init_samba_module");
+
+	/* we must check sys_dlerror() to determine if it worked, because
+           sys_dlsym() can validly return NULL */
+	error = sys_dlerror();
+	if (error) {
+		DEBUG(0, ("Error trying to resolve symbol 'init_samba_module' "
+			  "in %s: %s\n", module_name, error));
+		sys_dlclose(handle);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	DEBUG(2, ("Module '%s' loaded\n", module_name));
+
+	status = init();
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("Module '%s' initialization failed: %s\n",
+			    module_name, get_friendly_nt_error_msg(status)));
+		sys_dlclose(handle);
+	}
+
+	return status;
+}
+
+NTSTATUS smb_load_module(const char *module_name)
+{
+	return do_smb_load_module(module_name, False);
+}
+
+/* Load all modules in list and return number of
+ * modules that has been successfully loaded */
+int smb_load_modules(const char **modules)
+{
+	int i;
+	int success = 0;
+
+	for(i = 0; modules[i]; i++){
+		if(NT_STATUS_IS_OK(smb_load_module(modules[i]))) {
+			success++;
+		}
+	}
+
+	DEBUG(2, ("%d modules successfully loaded\n", success));
+
+	return success;
+}
+
+NTSTATUS smb_probe_module(const char *subsystem, const char *module)
+{
+	char *full_path = NULL;
+	TALLOC_CTX *ctx = talloc_stackframe();
+	NTSTATUS status;
+
+	/* Check for absolute path */
+
+	/* if we make any 'samba multibyte string'
+	   calls here, we break
+	   for loading string modules */
+
+	DEBUG(5, ("Probing module '%s'\n", module));
+
+	if (module[0] == '/') {
+		status = do_smb_load_module(module, True);
+		TALLOC_FREE(ctx);
+		return status;
+	}
+
+	full_path = talloc_asprintf(ctx,
+			"%s/%s.%s",
+			modules_path(subsystem),
+			module,
+			shlib_ext());
+	if (!full_path) {
+		TALLOC_FREE(ctx);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	DEBUG(5, ("Probing module '%s': Trying to load from %s\n",
+		module, full_path));
+
+	status = do_smb_load_module(full_path, True);
+
+	TALLOC_FREE(ctx);
+	return status;
+}
+
+#else /* HAVE_DLOPEN */
+
+NTSTATUS smb_load_module(const char *module_name)
+{
+	DEBUG(0,("This samba executable has not been built with plugin support\n"));
+	return NT_STATUS_NOT_SUPPORTED;
+}
+
+int smb_load_modules(const char **modules)
+{
+	DEBUG(0,("This samba executable has not been built with plugin support\n"));
+	return -1;
+}
+
+NTSTATUS smb_probe_module(const char *subsystem, const char *module)
+{
+	DEBUG(0,("This samba executable has not been built with plugin support, not probing\n")); 
+	return NT_STATUS_NOT_SUPPORTED;
+}
+
+#endif /* HAVE_DLOPEN */
+
+void init_modules(void)
+{
+	/* FIXME: This can cause undefined symbol errors :
+	 *  smb_register_vfs() isn't available in nmbd, for example */
+	if(lp_preload_modules()) 
+		smb_load_modules(lp_preload_modules());
+}
diff --git a/source3/lib/ms_fnmatch.c b/source3/lib/ms_fnmatch.c
new file mode 100644
index 0000000000..ca534467fa
--- /dev/null
+++ b/source3/lib/ms_fnmatch.c
@@ -0,0 +1,238 @@
+/*
+   Unix SMB/CIFS implementation.
+   filename matching routine
+   Copyright (C) Andrew Tridgell 1992-2004
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+   This module was originally based on fnmatch.c copyright by the Free
+   Software Foundation. It bears little (if any) resemblence to that
+   code now
+*/
+
+
+#include "includes.h"
+
+static int null_match(const smb_ucs2_t *p)
+{
+	for (;*p;p++) {
+		if (*p != UCS2_CHAR('*') &&
+		    *p != UCS2_CHAR('<') &&
+		    *p != UCS2_CHAR('"') &&
+		    *p != UCS2_CHAR('>')) return -1;
+	}
+	return 0;
+}
+
+/*
+  the max_n structure is purely for efficiency, it doesn't contribute
+  to the matching algorithm except by ensuring that the algorithm does
+  not grow exponentially
+*/
+struct max_n {
+	const smb_ucs2_t *predot;
+	const smb_ucs2_t *postdot;
+};
+
+
+/*
+  p and n are the pattern and string being matched. The max_n array is
+  an optimisation only. The ldot pointer is NULL if the string does
+  not contain a '.', otherwise it points at the last dot in 'n'.
+*/
+static int ms_fnmatch_core(const smb_ucs2_t *p, const smb_ucs2_t *n,
+			   struct max_n *max_n, const smb_ucs2_t *ldot,
+			   bool is_case_sensitive)
+{
+	smb_ucs2_t c;
+	int i;
+
+	while ((c = *p++)) {
+		switch (c) {
+			/* a '*' matches zero or more characters of any type */
+		case UCS2_CHAR('*'):
+			if (max_n->predot && max_n->predot <= n) {
+				return null_match(p);
+			}
+			for (i=0; n[i]; i++) {
+				if (ms_fnmatch_core(p, n+i, max_n+1, ldot, is_case_sensitive) == 0) {
+					return 0;
+				}
+			}
+			if (!max_n->predot || max_n->predot > n) max_n->predot = n;
+			return null_match(p);
+
+			/* a '<' matches zero or more characters of
+			   any type, but stops matching at the last
+			   '.' in the string. */
+		case UCS2_CHAR('<'):
+			if (max_n->predot && max_n->predot <= n) {
+				return null_match(p);
+			}
+			if (max_n->postdot && max_n->postdot <= n && n <= ldot) {
+				return -1;
+			}
+			for (i=0; n[i]; i++) {
+				if (ms_fnmatch_core(p, n+i, max_n+1, ldot, is_case_sensitive) == 0) return 0;
+				if (n+i == ldot) {
+					if (ms_fnmatch_core(p, n+i+1, max_n+1, ldot, is_case_sensitive) == 0) return 0;
+					if (!max_n->postdot || max_n->postdot > n) max_n->postdot = n;
+					return -1;
+				}
+			}
+			if (!max_n->predot || max_n->predot > n) max_n->predot = n;
+			return null_match(p);
+
+			/* a '?' matches any single character */
+		case UCS2_CHAR('?'):
+			if (! *n) {
+				return -1;
+			}
+			n++;
+			break;
+
+			/* a '?' matches any single character */
+		case UCS2_CHAR('>'):
+			if (n[0] == UCS2_CHAR('.')) {
+				if (! n[1] && null_match(p) == 0) {
+					return 0;
+				}
+				break;
+			}
+			if (! *n) return null_match(p);
+			n++;
+			break;
+
+		case UCS2_CHAR('"'):
+			if (*n == 0 && null_match(p) == 0) {
+				return 0;
+			}
+			if (*n != UCS2_CHAR('.')) return -1;
+			n++;
+			break;
+
+		default:
+			if (c != *n) {
+				if (is_case_sensitive) {
+					return -1;
+				}
+				if (toupper_w(c) != toupper_w(*n)) {
+					return -1;
+				}
+			}
+			n++;
+			break;
+		}
+	}
+
+	if (! *n) {
+		return 0;
+	}
+
+	return -1;
+}
+
+int ms_fnmatch(const char *pattern, const char *string, bool translate_pattern,
+	       bool is_case_sensitive)
+{
+	smb_ucs2_t *p = NULL;
+	smb_ucs2_t *s = NULL;
+	int ret, count, i;
+	struct max_n *max_n = NULL;
+	struct max_n *max_n_free = NULL;
+	struct max_n one_max_n;
+	size_t converted_size;
+
+	if (ISDOTDOT(string)) {
+		string = ".";
+	}
+
+	if (strpbrk(pattern, "<>*?\"") == NULL) {
+		/* this is not just an optmisation - it is essential
+		   for LANMAN1 correctness */
+		if (is_case_sensitive) {
+			return strcmp(pattern, string);
+		} else {
+			return StrCaseCmp(pattern, string);
+		}
+	}
+
+	if (!push_ucs2_allocate(&p, pattern, &converted_size)) {
+		return -1;
+	}
+
+	if (!push_ucs2_allocate(&s, string, &converted_size)) {
+		SAFE_FREE(p);
+		return -1;
+	}
+
+	if (translate_pattern) {
+		/*
+		  for older negotiated protocols it is possible to
+		  translate the pattern to produce a "new style"
+		  pattern that exactly matches w2k behaviour
+		*/
+		for (i=0;p[i];i++) {
+			if (p[i] == UCS2_CHAR('?')) {
+				p[i] = UCS2_CHAR('>');
+			} else if (p[i] == UCS2_CHAR('.') &&
+				   (p[i+1] == UCS2_CHAR('?') ||
+				    p[i+1] == UCS2_CHAR('*') ||
+				    p[i+1] == 0)) {
+				p[i] = UCS2_CHAR('"');
+			} else if (p[i] == UCS2_CHAR('*') && p[i+1] == UCS2_CHAR('.')) {
+				p[i] = UCS2_CHAR('<');
+			}
+		}
+	}
+
+	for (count=i=0;p[i];i++) {
+		if (p[i] == UCS2_CHAR('*') || p[i] == UCS2_CHAR('<')) count++;
+	}
+
+	if (count != 0) {
+		if (count == 1) {
+			/*
+			 * We're doing this a LOT, so save the effort to allocate
+			 */
+			ZERO_STRUCT(one_max_n);
+			max_n = &one_max_n;
+		}
+		else {
+			max_n = SMB_CALLOC_ARRAY(struct max_n, count);
+			if (!max_n) {
+				SAFE_FREE(p);
+				SAFE_FREE(s);
+				return -1;
+			}
+			max_n_free = max_n;
+		}
+	}
+
+	ret = ms_fnmatch_core(p, s, max_n, strrchr_w(s, UCS2_CHAR('.')), is_case_sensitive);
+
+	SAFE_FREE(max_n_free);
+	SAFE_FREE(p);
+	SAFE_FREE(s);
+	return ret;
+}
+
+
+/* a generic fnmatch function - uses for non-CIFS pattern matching */
+int gen_fnmatch(const char *pattern, const char *string)
+{
+	return ms_fnmatch(pattern, string, PROTOCOL_NT1, False);
+}
diff --git a/source3/lib/netapi/Doxyfile b/source3/lib/netapi/Doxyfile
new file mode 100644
index 0000000000..44bf78b06c
--- /dev/null
+++ b/source3/lib/netapi/Doxyfile
@@ -0,0 +1,1362 @@
+# Doxyfile 1.5.5
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project
+#
+# All text after a hash (#) is considered a comment and will be ignored
+# The format is:
+#       TAG = value [value, ...]
+# For lists items can also be appended using:
+#       TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (" ")
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file 
+# that follow. The default is UTF-8 which is also the encoding used for all 
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the 
+# iconv built into libc) for the transcoding. See 
+# http://www.gnu.org/software/libiconv for the list of possible encodings.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
+# by quotes) that should identify the project.
+
+PROJECT_NAME           = Samba
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
+# This could be handy for archiving the generated documentation or 
+# if some version control system is used.
+
+PROJECT_NUMBER         = 3.2.0pre3
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
+# base path where the generated documentation will be put. 
+# If a relative path is entered, it will be relative to the location 
+# where doxygen was started. If left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = dox
+
+# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
+# 4096 sub-directories (in 2 levels) under the output directory of each output 
+# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of 
+# source files, where putting all generated files in the same directory would 
+# otherwise cause performance problems for the file system.
+
+CREATE_SUBDIRS         = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
+# documentation generated by doxygen is written. Doxygen will use this 
+# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: 
+# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
+# Croatian, Czech, Danish, Dutch, Farsi, Finnish, French, German, Greek, 
+# Hungarian, Italian, Japanese, Japanese-en (Japanese with English messages), 
+# Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, Polish, 
+# Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, Swedish, 
+# and Ukrainian.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
+# include brief member descriptions after the members that are listed in 
+# the file and class documentation (similar to JavaDoc). 
+# Set to NO to disable this.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
+# the brief description of a member or function before the detailed description. 
+# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
+# brief descriptions will be completely suppressed.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator 
+# that is used to form the text in various listings. Each string 
+# in this list, if found as the leading text of the brief description, will be 
+# stripped from the text and the result after processing the whole list, is 
+# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically 
+# replaced with the name of the entity): "The $name class" "The $name widget" 
+# "The $name file" "is" "provides" "specifies" "contains" 
+# "represents" "a" "an" "the"
+
+ABBREVIATE_BRIEF       = 
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
+# Doxygen will generate a detailed section even if there is only a brief 
+# description.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
+# inherited members of a class in the documentation of that class as if those 
+# members were ordinary class members. Constructors, destructors and assignment 
+# operators of the base classes will not be shown.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
+# path before files name in the file list and in the header files. If set 
+# to NO the shortest path that makes the file name unique will be used.
+
+FULL_PATH_NAMES        = YES
+
+# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
+# can be used to strip a user-defined part of the path. Stripping is 
+# only done if one of the specified strings matches the left-hand part of 
+# the path. The tag can be used to show relative paths in the file list. 
+# If left blank the directory from which doxygen is run is used as the 
+# path to strip.
+
+STRIP_FROM_PATH        = $(PWD)/
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
+# the path mentioned in the documentation of a class, which tells 
+# the reader which header file to include in order to use a class. 
+# If left blank only the name of the header file containing the class 
+# definition is used. Otherwise one should specify the include paths that 
+# are normally passed to the compiler using the -I flag.
+
+STRIP_FROM_INC_PATH    = 
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
+# (but less readable) file names. This can be useful is your file systems 
+# doesn't support long names like on DOS, Mac, or CD-ROM.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
+# will interpret the first line (until the first dot) of a JavaDoc-style 
+# comment as the brief description. If set to NO, the JavaDoc 
+# comments will behave just like regular Qt-style comments 
+# (thus requiring an explicit @brief command for a brief description.)
+
+JAVADOC_AUTOBRIEF      = YES
+
+# If the QT_AUTOBRIEF tag is set to YES then Doxygen will 
+# interpret the first line (until the first dot) of a Qt-style 
+# comment as the brief description. If set to NO, the comments 
+# will behave just like regular Qt-style comments (thus requiring 
+# an explicit \brief command for a brief description.)
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
+# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
+# comments) as a brief description. This used to be the default behaviour. 
+# The new default is to treat a multi-line C++ comment block as a detailed 
+# description. Set this tag to YES if you prefer the old behaviour instead.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
+# will output the detailed description near the top, like JavaDoc.
+# If set to NO, the detailed description appears after the member 
+# documentation.
+
+DETAILS_AT_TOP         = NO
+
+# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
+# member inherits the documentation from any documented member that it 
+# re-implements.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
+# a new page for each member. If set to NO, the documentation of a member will 
+# be part of the file/class/namespace that contains it.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
+# Doxygen uses this value to replace tabs by spaces in code fragments.
+
+TAB_SIZE               = 8
+
+# This tag can be used to specify a number of aliases that acts 
+# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
+# put the command \sideeffect (or @sideeffect) in the documentation, which 
+# will result in a user-defined paragraph with heading "Side Effects:". 
+# You can put \n's in the value part of an alias to insert newlines.
+
+ALIASES                = 
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
+# sources only. Doxygen will then generate output that is more tailored for C. 
+# For instance, some of the names that are used will be different. The list 
+# of all members will be omitted, etc.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Java. For instance, namespaces will be presented as packages, qualified 
+# scopes will look different, etc.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran 
+# sources only. Doxygen will then generate output that is more tailored for 
+# Fortran.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL 
+# sources. Doxygen will then generate output that is tailored for 
+# VHDL.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want 
+# to include (a tag file for) the STL sources as input, then you should 
+# set this tag to YES in order to let doxygen match functions declarations and 
+# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
+# func(std::string) {}). This also make the inheritance and collaboration 
+# diagrams that involve STL classes more complete and accurate.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. 
+# Doxygen will parse them like normal C++ but will assume all classes use public 
+# instead of private inheritance when no explicit protection keyword is present.
+
+SIP_SUPPORT            = NO
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
+# tag is set to YES, then doxygen will reuse the documentation of the first 
+# member in the group (if any) for the other members of the group. By default 
+# all members of a group must be documented explicitly.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
+# the same type (for instance a group of public functions) to be put as a 
+# subgroup of that type (e.g. under the Public Functions section). Set it to 
+# NO to prevent subgrouping. Alternatively, this can be done per class using 
+# the \nosubgrouping command.
+
+SUBGROUPING            = YES
+
+# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum 
+# is documented as struct, union, or enum with the name of the typedef. So 
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct 
+# with name TypeT. When disabled the typedef will appear as a member of a file, 
+# namespace, or class. And the struct will be named TypeS. This can typically 
+# be useful for C code in case the coding convention dictates that all compound 
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
+# documentation are documented, even if no documentation was available. 
+# Private class members and static file members will be hidden unless 
+# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
+
+EXTRACT_ALL            = YES
+
+# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
+# will be included in the documentation.
+
+EXTRACT_PRIVATE        = YES
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file 
+# will be included in the documentation.
+
+EXTRACT_STATIC         = YES
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
+# defined locally in source files will be included in the documentation. 
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. When set to YES local 
+# methods, which are defined in the implementation section but not in 
+# the interface are included in the documentation. 
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be 
+# extracted and appear in the documentation as a namespace called 
+# 'anonymous_namespace{file}', where file will be replaced with the base 
+# name of the file that contains the anonymous namespace. By default 
+# anonymous namespace are hidden.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
+# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the 
+# various overviews, but no documentation section is generated. 
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
+# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various 
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
+# friend (class|struct|union) declarations. 
+# If set to NO (the default) these declarations will be included in the 
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
+# documentation blocks found inside the body of a function. 
+# If set to NO (the default) these blocks will be appended to the 
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation 
+# that is typed after a \internal command is included. If the tag is set 
+# to NO (the default) then the documentation will be excluded. 
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS          = YES
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
+# file names in lower-case letters. If set to YES upper-case letters are also 
+# allowed. This is useful if you have classes or files whose names only differ 
+# in case and if your file system supports case sensitive file names. Windows 
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
+# will show members with their full class and namespace scopes in the 
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES       = YES
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
+# will put a list of the files that are included by a file in the documentation 
+# of that file.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
+# is inserted in the documentation for inline members.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
+# will sort the (detailed) documentation of file and class members 
+# alphabetically by member name. If set to NO the members will appear in 
+# declaration order.
+
+SORT_MEMBER_DOCS       = NO
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
+# brief documentation of file, namespace and class members alphabetically 
+# by member name. If set to NO (the default) the members will appear in 
+# declaration order.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the 
+# hierarchy of group names into alphabetical order. If set to NO (the default) 
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
+# sorted by fully-qualified names, including namespaces. If set to 
+# NO (the default), the class list will be sorted only by class name, 
+# not including the namespace part. 
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the 
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or 
+# disable (NO) the todo list. This list is created by putting \todo 
+# commands in the documentation.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or 
+# disable (NO) the test list. This list is created by putting \test 
+# commands in the documentation.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or 
+# disable (NO) the bug list. This list is created by putting \bug 
+# commands in the documentation.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
+# disable (NO) the deprecated list. This list is created by putting 
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional 
+# documentation sections, marked by \if sectionname ... \endif.
+
+ENABLED_SECTIONS       = 
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
+# the initial value of a variable or define consists of for it to appear in 
+# the documentation. If the initializer consists of more lines than specified 
+# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and defines in the 
+# documentation can be controlled using \showinitializer or \hideinitializer 
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
+# at the bottom of the documentation of classes and structs. If set to YES the 
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES        = YES
+
+# If the sources in your project are distributed over multiple directories 
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES       = NO
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
+# doxygen should invoke to get the current version for each file (typically from 
+# the version control system). Doxygen will invoke the program by executing (via 
+# popen()) the command <command> <input-file>, where <command> is the value of 
+# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
+# provided by doxygen. Whatever the program writes to standard output 
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated 
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET                  = YES
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are 
+# generated by doxygen. Possible values are YES and NO. If left blank 
+# NO is used.
+
+WARNINGS               = NO
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED   = NO
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
+# potential errors in the documentation, such as not documenting some 
+# parameters in a documented function, or documenting parameters that 
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for 
+# functions that are documented, but have no documentation for their parameters 
+# or return value. If set to NO (the default) doxygen will only warn about 
+# wrong or incomplete parameter documentation, but not about the absence of 
+# documentation.
+
+WARN_NO_PARAMDOC       = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that 
+# doxygen can produce. The string should contain the $file, $line, and $text 
+# tags, which will be replaced by the file and line number from which the 
+# warning originated and the warning text. Optionally the format may contain 
+# $version, which will be replaced by the version of the file (if it could 
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning 
+# and error messages should be written. If left blank the output is written 
+# to stderr.
+
+WARN_LOGFILE           = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain 
+# documented source files. You may enter file names like "myfile.cpp" or 
+# directories like "/usr/src/myproject". Separate the files or directories 
+# with spaces.
+
+INPUT                  = netapi.h
+
+# This tag can be used to specify the character encoding of the source files 
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is 
+# also the default input encoding. Doxygen uses libiconv (or the iconv built 
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for 
+# the list of possible encodings.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the 
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank the following patterns are tested: 
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS          = *.c \
+                         *.h \
+                         *.idl
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
+# should be searched for input files as well. Possible values are YES and NO. 
+# If left blank NO is used.
+
+RECURSIVE              = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should 
+# excluded from the INPUT source files. This way you can easily exclude a 
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE                = include/includes.h \
+                         include/proto.h \
+                         libnetapi.c \
+                         libnetapi.h \
+                         netapi.c
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
+# directories that are symbolic links (a Unix filesystem feature) are excluded 
+# from the input.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the 
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
+# certain files from those directories. Note that the wildcards are matched 
+# against the file with absolute path, so to exclude all test directories 
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       = 
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names 
+# (namespaces, classes, functions, etc.) that should be excluded from the 
+# output. The symbol name can be a fully qualified name, a word, or if the 
+# wildcard * is used, a substring. Examples: ANamespace, AClass, 
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS        = 
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or 
+# directories that contain example code fragments that are included (see 
+# the \include command).
+
+EXAMPLE_PATH           = examples
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
+# and *.h) to filter out the source-files in the directories. If left 
+# blank all files are included.
+
+EXAMPLE_PATTERNS       = 
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
+# searched for input files to be used with the \include or \dontinclude 
+# commands irrespective of the value of the RECURSIVE tag. 
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or 
+# directories that contain image that are included in the documentation (see 
+# the \image command).
+
+IMAGE_PATH             = 
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should 
+# invoke to filter for each input file. Doxygen will invoke the filter program 
+# by executing (via popen()) the command <filter> <input-file>, where <filter> 
+# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
+# input file. Doxygen will then use the output that the filter program writes 
+# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
+# ignored.
+
+INPUT_FILTER           = 
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
+# basis.  Doxygen will compare the file name with each pattern and apply the 
+# filter if there is a match.  The filters are a list of the form: 
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
+# is applied to all files.
+
+FILTER_PATTERNS        = 
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
+# INPUT_FILTER) will be used to filter the input files when producing source 
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES    = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
+# be generated. Documented entities will be cross-referenced with these sources. 
+# Note: To get rid of all source code in the generated output, make sure also 
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body 
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES         = YES
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
+# doxygen to hide any special comment blocks from generated source code 
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS    = NO
+
+# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
+# then for each documented function all documented 
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = YES
+
+# If the REFERENCES_RELATION tag is set to YES (the default) 
+# then for each documented function all documented entities 
+# called/used by that function will be listed.
+
+REFERENCES_RELATION    = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.  Otherwise they will link to the documentstion.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code 
+# will point to the HTML generated by the htags(1) tool instead of doxygen 
+# built-in source browser. The htags tool is part of GNU's global source 
+# tagging system (see http://www.gnu.org/software/global/global.html). You 
+# will need version 4.8.6 or higher.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
+# will generate a verbatim copy of the header file for each class for 
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS       = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
+# of all compounds will be generated. Enable this if the project 
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX     = YES
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX    = 1
+
+# In case all classes in a project start with a common prefix, all 
+# classes will be put under the same header in the alphabetical index. 
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX          = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
+# generate HTML output.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT            = .
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard header.
+
+HTML_HEADER            = 
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
+# each generated HTML page. If it is left blank doxygen will generate a 
+# standard footer.
+
+HTML_FOOTER            = 
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
+# style sheet that is used by each HTML page. It can be used to 
+# fine-tune the look of the HTML output. If the tag is left blank doxygen 
+# will generate a default style sheet. Note that doxygen will try to copy 
+# the style sheet file to the HTML output directory, so don't put your own 
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET        = 
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
+# files or namespaces will be aligned in HTML using tables. If set to 
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS     = YES
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
+# will be generated that can be used as input for tools like the 
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) 
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP      = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files 
+# will be generated that can be used as input for Apple's Xcode 3 
+# integrated development environment, introduced with OSX 10.5 (Leopard). 
+# To create a documentation set, doxygen will generate a Makefile in the 
+# HTML output directory. Running make will produce the docset in that 
+# directory and running "make install" will install the docset in 
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find 
+# it at startup.
+
+GENERATE_DOCSET        = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the 
+# feed. A documentation feed provides an umbrella under which multiple 
+# documentation sets from a single provider (such as a company or product suite) 
+# can be grouped.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that 
+# should uniquely identify the documentation set bundle. This should be a 
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen 
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML 
+# documentation will contain sections that can be hidden and shown after the 
+# page has loaded. For this to work a browser that supports 
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox 
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
+# be used to specify the file name of the resulting .chm file. You 
+# can add a path in front of the file if the result should not be 
+# written to the html output directory.
+
+CHM_FILE               = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
+# be used to specify the location (absolute path including file name) of 
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION           = 
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
+# controls if a separate .chi index file is generated (YES) or that 
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI           = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
+# controls whether a binary table of contents is generated (YES) or a 
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members 
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND             = NO
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
+# top of each HTML page. The value NO (the default) enables the index and 
+# the value YES disables it.
+
+DISABLE_INDEX          = NO
+
+# This tag can be used to set the number of enum values (range [1..20]) 
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE   = 3
+
+# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
+# generated containing a tree-like index structure (just like the one that 
+# is generated for HTML Help). For this to work a browser that supports 
+# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
+# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
+# probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW      = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
+# used to set the initial width (in pixels) of the frame in which the tree 
+# is shown.
+
+TREEVIEW_WIDTH         = 250
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
+# generate Latex output.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
+# generate index for LaTeX. If left blank `makeindex' will be used as the 
+# default command name.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
+# LaTeX documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used 
+# by the printer. Possible values are: a4, a4wide, letter, legal and 
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE             = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES         = 
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
+# the generated latex document. The header should contain everything until 
+# the first chapter. If it is left blank doxygen will generate a 
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER           = 
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
+# contain links (just like the HTML output) instead of page references 
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
+# plain latex in the generated Makefile. Set this option to YES to get a 
+# higher quality PDF documentation.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
+# command to the generated LaTeX files. This will instruct LaTeX to keep 
+# running if errors occur, instead of asking the user for help. 
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE        = YES
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
+# include the index chapters (such as File Index, Compound Index, etc.) 
+# in the output.
+
+LATEX_HIDE_INDICES     = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
+# The RTF output is optimized for Word 97 and may not look very pretty with 
+# other RTF readers or editors.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
+# RTF documents. This may be useful for small projects and may help to 
+# save some trees in general.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
+# will contain hyperlink fields. The RTF file will 
+# contain links (just like the HTML output) instead of page references. 
+# This makes the output suitable for online browsing using WORD or other 
+# programs which support those fields. 
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's 
+# config file, i.e. a series of assignments. You only have to provide 
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE    = 
+
+# Set optional variables used in the generation of an rtf document. 
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE    = 
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
+# generate man pages
+
+GENERATE_MAN           = YES
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to 
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION          = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
+# then it will generate one additional man file for each entity 
+# documented in the real man page(s). These additional files 
+# only source the real man page, but without them the man command 
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will 
+# generate an XML file that captures the structure of 
+# the code including all documentation.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT             = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_SCHEMA             = 
+
+# The XML_DTD tag can be used to specify an XML DTD, 
+# which can be used by a validating XML parser to check the 
+# syntax of the XML files.
+
+XML_DTD                = 
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
+# dump the program listings (including syntax highlighting 
+# and cross-referencing information) to the XML output. Note that 
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
+# generate an AutoGen Definitions (see autogen.sf.net) file 
+# that captures the structure of the code including all 
+# documentation. Note that this feature is still experimental 
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
+# generate a Perl module file that captures the structure of 
+# the code including all documentation. Note that this 
+# feature is still experimental and incomplete at the 
+# moment.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
+# nicely formatted so it can be parsed by a human reader.  This is useful 
+# if you want to understand what is going on.  On the other hand, if this 
+# tag is set to NO the size of the Perl module output will be much smaller 
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file 
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
+# This is useful so different doxyrules.make files included by the same 
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX = 
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor   
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
+# evaluate all C-preprocessor directives found in the sources and include 
+# files.
+
+ENABLE_PREPROCESSING   = NO
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
+# names in the source code. If set to NO (the default) only conditional 
+# compilation will be performed. Macro expansion can be done in a controlled 
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION        = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
+# then the macro expansion is limited to the macros specified with the 
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that 
+# contain include files that are not input files but should be processed by 
+# the preprocessor.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
+# patterns (like *.h and *.hpp) to filter out the header-files in the 
+# directories. If left blank, the patterns specified with FILE_PATTERNS will 
+# be used.
+
+INCLUDE_FILE_PATTERNS  = 
+
+# The PREDEFINED tag can be used to specify one or more macro names that 
+# are defined before the preprocessor is started (similar to the -D option of 
+# gcc). The argument of the tag is a list of macros of the form: name 
+# or name=definition (no spaces). If the definition and the = are 
+# omitted =1 is assumed. To prevent a macro definition from being 
+# undefined via #undef or recursively expanded use the := operator 
+# instead of the = operator.
+
+PREDEFINED             = 
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
+# this tag can be used to specify a list of macro names that should be expanded. 
+# The macro definition that is found in the sources will be used. 
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED      = 
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
+# doxygen's preprocessor will remove all function-like macros that are alone 
+# on a line, have an all uppercase name, and do not end with a semicolon. Such 
+# function macros are typically used for boiler-plate code, and will confuse 
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references   
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles. 
+# Optionally an initial location of the external documentation 
+# can be added for each tagfile. The format of a tag file without 
+# this location is as follows: 
+#   TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: 
+#   TAGFILES = file1=loc1 "file2 = loc2" ... 
+# where "loc1" and "loc2" can be relative or absolute paths or 
+# URLs. If a location is present for each tag, the installdox tool 
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen 
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES               = 
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE       = 
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
+# in the class index. If set to NO only the inherited external classes 
+# will be listed.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
+# in the modules index. If set to NO, only the current project's groups will 
+# be listed.
+
+EXTERNAL_GROUPS        = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script 
+# interpreter (i.e. the result of `which perl').
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool   
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
+# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
+# or super classes. Setting the tag to NO turns the diagrams off. Note that 
+# this option is superseded by the HAVE_DOT option below. This is only a 
+# fallback. It is recommended to install and use dot, since it yields more 
+# powerful graphs.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc 
+# command. Doxygen will then run the mscgen tool (see 
+# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the 
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where 
+# the mscgen tool resides. If left empty the tool is assumed to be found in the 
+# default search path.
+
+MSCGEN_PATH            = 
+
+# If set to YES, the inheritance and collaboration graphs will hide 
+# inheritance and usage relations if the target is undocumented 
+# or is not a class.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
+# available from the path. This tool is part of Graphviz, a graph visualization 
+# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
+# have no effect if this option is set to NO (the default)
+
+HAVE_DOT               = NO
+
+# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect inheritance relations. Setting this tag to YES will force the 
+# the CLASS_DIAGRAMS tag to NO.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for each documented class showing the direct and 
+# indirect implementation dependencies (inheritance, containment, and 
+# class references variables) of the class with other documented classes.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
+# will generate a graph for groups, showing the direct groups dependencies
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
+# collaboration diagrams in a style similar to the OMG's Unified Modeling 
+# Language.
+
+UML_LOOK               = NO
+
+# If set to YES, the inheritance and collaboration graphs will show the 
+# relations between templates and their instances.
+
+TEMPLATE_RELATIONS     = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
+# tags are set to YES then doxygen will generate a graph for each documented 
+# file showing the direct and indirect include dependencies of the file with 
+# other documented files.
+
+INCLUDE_GRAPH          = YES
+
+# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
+# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
+# documented header file showing the documented files that directly or 
+# indirectly include this file.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH and HAVE_DOT options are set to YES then 
+# doxygen will generate a call dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable call graphs 
+# for selected functions only using the \callgraph command.
+
+CALL_GRAPH             = NO
+
+# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then 
+# doxygen will generate a caller dependency graph for every global function 
+# or class method. Note that enabling this option will significantly increase 
+# the time of a run. So in most cases it will be better to enable caller 
+# graphs for selected functions only using the \callergraph command.
+
+CALLER_GRAPH           = NO
+
+# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
+# will graphical hierarchy of all classes instead of a textual one.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
+# then doxygen will show the dependencies a directory has on other directories 
+# in a graphical way. The dependency relations are determined by the #include
+# relations between the files in the directories.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
+# generated by dot. Possible values are png, jpg, or gif
+# If left blank png will be used.
+
+DOT_IMAGE_FORMAT       = png
+
+# The tag DOT_PATH can be used to specify the path where the dot tool can be 
+# found. If left blank, it is assumed the dot tool can be found in the path.
+
+DOT_PATH               = 
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that 
+# contain dot files that are included in the documentation (see the 
+# \dotfile command).
+
+DOTFILE_DIRS           = 
+
+# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of 
+# nodes that will be shown in the graph. If the number of nodes in a graph 
+# becomes larger than this value, doxygen will truncate the graph, which is 
+# visualized by representing a node as a red box. Note that doxygen if the 
+# number of direct children of the root node in a graph is already larger than 
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note 
+# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
+# graphs generated by dot. A depth value of 3 means that only nodes reachable 
+# from the root by following a path via at most 3 edges will be shown. Nodes 
+# that lay further from the root node will be omitted. Note that setting this 
+# option to 1 or 2 may greatly reduce the computation time needed for large 
+# code bases. Also note that the size of a graph can be further restricted by 
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
+# background. This is enabled by default, which results in a transparent 
+# background. Warning: Depending on the platform used, enabling this option 
+# may lead to badly anti-aliased labels on the edges of a graph (i.e. they 
+# become hard to read).
+
+DOT_TRANSPARENT        = YES
+
+# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
+# files in one run (i.e. multiple -o and -T options on the command line). This 
+# makes dot run faster, but since only newer versions of dot (>1.8.10) 
+# support this, this feature is disabled by default.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
+# generate a legend page explaining the meaning of the various boxes and 
+# arrows in the dot generated graphs.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
+# remove the intermediate dot files that are used to generate 
+# the various graphs.
+
+DOT_CLEANUP            = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine   
+#---------------------------------------------------------------------------
+
+# The SEARCHENGINE tag specifies whether or not a search engine should be 
+# used. If set to NO the values of all tags below this one will be ignored.
+
+SEARCHENGINE           = NO
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
new file mode 100644
index 0000000000..a5c85bfe6b
--- /dev/null
+++ b/source3/lib/netapi/cm.c
@@ -0,0 +1,198 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+
+/********************************************************************
+********************************************************************/
+
+static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
+					    const char *server_name,
+					    struct cli_state **cli)
+{
+	struct cli_state *cli_ipc = NULL;
+
+	if (!ctx || !cli || !server_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	cli_cm_set_signing_state(Undefined);
+
+	if (ctx->use_kerberos) {
+		cli_cm_set_use_kerberos();
+	}
+
+	if (ctx->password) {
+		cli_cm_set_password(ctx->password);
+	}
+	if (ctx->username) {
+		cli_cm_set_username(ctx->username);
+	}
+
+	if (ctx->username && ctx->username[0] &&
+	    ctx->password && ctx->password[0] &&
+	    ctx->use_kerberos) {
+		cli_cm_set_fallback_after_kerberos();
+	}
+
+	cli_ipc = cli_cm_open(ctx, NULL,
+			      server_name, "IPC$",
+			      false, false);
+	if (!cli_ipc) {
+		libnetapi_set_error_string(ctx,
+			"Failed to connect to IPC$ share on %s", server_name);
+		return WERR_CAN_NOT_COMPLETE;
+	}
+
+	*cli = cli_ipc;
+
+	return WERR_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
+{
+	cli_cm_shutdown();
+
+	return WERR_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
+struct client_pipe_connection {
+	struct client_pipe_connection *prev, *next;
+	struct rpc_pipe_client *pipe;
+};
+
+static struct client_pipe_connection *pipe_connections;
+
+/********************************************************************
+********************************************************************/
+
+static NTSTATUS pipe_cm_find(struct cli_state *cli,
+			     const struct ndr_syntax_id *interface,
+			     struct rpc_pipe_client **presult)
+{
+	struct client_pipe_connection *p;
+
+	for (p = pipe_connections; p; p = p->next) {
+
+		if (!rpc_pipe_np_smb_conn(p->pipe)) {
+			return NT_STATUS_PIPE_EMPTY;
+		}
+
+		if (strequal(cli->desthost, p->pipe->desthost)
+		    && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
+					   interface)) {
+			*presult = p->pipe;
+			return NT_STATUS_OK;
+		}
+	}
+
+	return NT_STATUS_PIPE_NOT_AVAILABLE;
+}
+
+/********************************************************************
+********************************************************************/
+
+static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
+				struct cli_state *cli,
+				const struct ndr_syntax_id *interface,
+				struct rpc_pipe_client **presult)
+{
+	struct client_pipe_connection *p;
+	NTSTATUS status;
+
+	p = TALLOC_ZERO_ARRAY(mem_ctx, struct client_pipe_connection, 1);
+	if (!p) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = cli_rpc_pipe_open_noauth(cli, interface, &p->pipe);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(p);
+		return status;
+	}
+
+	DLIST_ADD(pipe_connections, p);
+
+	*presult = p->pipe;
+	return NT_STATUS_OK;
+}
+
+/********************************************************************
+********************************************************************/
+
+static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
+			     struct cli_state *cli,
+			     const struct ndr_syntax_id *interface,
+			     struct rpc_pipe_client **presult)
+{
+	if (NT_STATUS_IS_OK(pipe_cm_find(cli, interface, presult))) {
+		return NT_STATUS_OK;
+	}
+
+	return pipe_cm_connect(ctx, cli, interface, presult);
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+			   const char *server_name,
+			   const struct ndr_syntax_id *interface,
+			   struct cli_state **pcli,
+			   struct rpc_pipe_client **presult)
+{
+	struct rpc_pipe_client *result = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct cli_state *cli = NULL;
+
+	if (!presult) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_ipc_connection(ctx, server_name, &cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	status = pipe_cm_open(ctx, cli, interface, &result);
+	if (!NT_STATUS_IS_OK(status)) {
+		libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
+			cli_get_pipe_name_from_iface(debug_ctx(), cli,
+						     interface),
+			get_friendly_nt_error_msg(status));
+		return WERR_DEST_NOT_FOUND;
+	}
+
+	*presult = result;
+	*pcli = cli;
+
+	return WERR_OK;
+}
+
+
diff --git a/source3/lib/netapi/examples/Makefile.in b/source3/lib/netapi/examples/Makefile.in
new file mode 100644
index 0000000000..b1c1e59be7
--- /dev/null
+++ b/source3/lib/netapi/examples/Makefile.in
@@ -0,0 +1,328 @@
+GTK_FLAGS=`pkg-config gtk+-2.0 --cflags`
+GTK_LIBS=`pkg-config gtk+-2.0 --libs`
+
+KRB5LIBS=@KRB5_LIBS@
+LDAP_LIBS=@LDAP_LIBS@
+LIBS=@LIBS@ -lnetapi -ltdb -ltalloc
+DEVELOPER_CFLAGS=@DEVELOPER_CFLAGS@
+FLAGS=-I../ -L../../../bin @CFLAGS@ $(GTK_FLAGS)
+CC=@CC@
+PICFLAG=@PICFLAG@
+LDFLAGS=@PIE_LDFLAGS@ @LDFLAGS@
+DYNEXP=@DYNEXP@
+NETAPI_LIBS=$(LIBS) $(KRB5LIBS) $(LDAP_LIBS)
+CMDLINE_LIBS=$(NETAPI_LIBS) @POPTLIBS@
+
+# Compile a source file.
+COMPILE_CC = $(CC) -I. $(FLAGS) $(PICFLAG) -c $< -o $@
+COMPILE = $(COMPILE_CC)
+
+PROGS = bin/getdc@EXEEXT@ \
+	bin/dsgetdc@EXEEXT@ \
+	bin/netdomjoin@EXEEXT@ \
+	bin/netdomjoin-gui@EXEEXT@ \
+	bin/getjoinableous@EXEEXT@ \
+	bin/rename_machine@EXEEXT@ \
+	bin/user_add@EXEEXT@ \
+	bin/user_del@EXEEXT@ \
+	bin/user_enum@EXEEXT@ \
+	bin/user_dispinfo@EXEEXT@ \
+	bin/user_chgpwd@EXEEXT@ \
+	bin/user_getinfo@EXEEXT@ \
+	bin/user_setinfo@EXEEXT@ \
+	bin/user_modalsget@EXEEXT@ \
+	bin/user_modalsset@EXEEXT@ \
+	bin/user_getgroups@EXEEXT@ \
+	bin/user_setgroups@EXEEXT@ \
+	bin/user_getlocalgroups@EXEEXT@ \
+	bin/group_add@EXEEXT@ \
+	bin/group_del@EXEEXT@ \
+	bin/group_enum@EXEEXT@ \
+	bin/group_setinfo@EXEEXT@ \
+	bin/group_getinfo@EXEEXT@ \
+	bin/group_adduser@EXEEXT@ \
+	bin/group_deluser@EXEEXT@ \
+	bin/group_getusers@EXEEXT@ \
+	bin/group_setusers@EXEEXT@ \
+	bin/localgroup_add@EXEEXT@ \
+	bin/localgroup_del@EXEEXT@ \
+	bin/localgroup_getinfo@EXEEXT@ \
+	bin/localgroup_setinfo@EXEEXT@ \
+	bin/localgroup_enum@EXEEXT@ \
+	bin/localgroup_addmembers@EXEEXT@ \
+	bin/localgroup_delmembers@EXEEXT@ \
+	bin/localgroup_setmembers@EXEEXT@ \
+	bin/localgroup_getmembers@EXEEXT@ \
+	bin/remote_tod@EXEEXT@ \
+	bin/server_getinfo@EXEEXT@ \
+	bin/share_add@EXEEXT@ \
+	bin/share_del@EXEEXT@ \
+	bin/share_enum@EXEEXT@ \
+	bin/share_getinfo@EXEEXT@ \
+	bin/share_setinfo@EXEEXT@ \
+	bin/file_close@EXEEXT@ \
+	bin/file_getinfo@EXEEXT@ \
+	bin/file_enum@EXEEXT@
+
+all: $(PROGS)
+
+MAKEDIR = || exec false; \
+	  if test -d "$$dir"; then :; else \
+	  echo mkdir "$$dir"; \
+	  mkdir -p "$$dir" >/dev/null 2>&1 || \
+	  test -d "$$dir" || \
+	  mkdir "$$dir" || \
+	  exec false; fi || exec false
+
+BINARY_PREREQS = bin/.dummy
+
+bin/.dummy:
+	@if (: >> $@ || : > $@) >/dev/null 2>&1; then :; else \
+	  dir=bin $(MAKEDIR); fi
+	@: >> $@ || : > $@ # what a fancy emoticon!
+
+.c.o:
+	@if (: >> $@ || : > $@) >/dev/null 2>&1; then rm -f $@; else \
+	 dir=`echo $@ | sed 's,/[^/]*$$,,;s,^$$,.,'` $(MAKEDIR); fi
+	@echo Compiling $*.c
+	@$(COMPILE) && exit 0;\
+		echo "The following command failed:" 1>&2;\
+		echo "$(COMPILE_CC)" 1>&2;\
+		$(COMPILE_CC) >/dev/null 2>&1
+
+CMDLINE_OBJ = common.o
+GETDC_OBJ = getdc/getdc.o $(CMDLINE_OBJ)
+DSGETDC_OBJ = dsgetdc/dsgetdc.o $(CMDLINE_OBJ)
+NETDOMJOIN_OBJ = join/netdomjoin.o $(CMDLINE_OBJ)
+NETDOMJOIN_GUI_OBJ = netdomjoin-gui/netdomjoin-gui.o
+GETJOINABLEOUS_OBJ = join/getjoinableous.o $(CMDLINE_OBJ)
+RENAMEMACHINE_OBJ = join/rename_machine.o $(CMDLINE_OBJ)
+USERADD_OBJ = user/user_add.o $(CMDLINE_OBJ)
+USERDEL_OBJ = user/user_del.o $(CMDLINE_OBJ)
+USERENUM_OBJ = user/user_enum.o $(CMDLINE_OBJ)
+USERDISPINFO_OBJ = user/user_dispinfo.o $(CMDLINE_OBJ)
+USERCHGPWD_OBJ = user/user_chgpwd.o $(CMDLINE_OBJ)
+USERGETINFO_OBJ = user/user_getinfo.o $(CMDLINE_OBJ)
+USERSETINFO_OBJ = user/user_setinfo.o $(CMDLINE_OBJ)
+USERMODALSGET_OBJ = user/user_modalsget.o $(CMDLINE_OBJ)
+USERMODALSSET_OBJ = user/user_modalsset.o $(CMDLINE_OBJ)
+USERGETGROUPS_OBJ = user/user_getgroups.o $(CMDLINE_OBJ)
+USERSETGROUPS_OBJ = user/user_setgroups.o $(CMDLINE_OBJ)
+USERGETLOCALGROUPS_OBJ = user/user_getlocalgroups.o $(CMDLINE_OBJ)
+GROUPADD_OBJ = group/group_add.o $(CMDLINE_OBJ)
+GROUPDEL_OBJ = group/group_del.o $(CMDLINE_OBJ)
+GROUPENUM_OBJ = group/group_enum.o $(CMDLINE_OBJ)
+GROUPSETINFO_OBJ = group/group_setinfo.o $(CMDLINE_OBJ)
+GROUPGETINFO_OBJ = group/group_getinfo.o $(CMDLINE_OBJ)
+GROUPADDUSER_OBJ = group/group_adduser.o $(CMDLINE_OBJ)
+GROUPDELUSER_OBJ = group/group_deluser.o $(CMDLINE_OBJ)
+GROUPGETUSERS_OBJ = group/group_getusers.o $(CMDLINE_OBJ)
+GROUPSETUSERS_OBJ = group/group_setusers.o $(CMDLINE_OBJ)
+LOCALGROUPADD_OBJ = localgroup/localgroup_add.o $(CMDLINE_OBJ)
+LOCALGROUPDEL_OBJ = localgroup/localgroup_del.o $(CMDLINE_OBJ)
+LOCALGROUPGETINFO_OBJ = localgroup/localgroup_getinfo.o $(CMDLINE_OBJ)
+LOCALGROUPSETINFO_OBJ = localgroup/localgroup_setinfo.o $(CMDLINE_OBJ)
+LOCALGROUPENUM_OBJ = localgroup/localgroup_enum.o $(CMDLINE_OBJ)
+LOCALGROUPADDMEMBERS_OBJ = localgroup/localgroup_addmembers.o $(CMDLINE_OBJ)
+LOCALGROUPDELMEMBERS_OBJ = localgroup/localgroup_delmembers.o $(CMDLINE_OBJ)
+LOCALGROUPSETMEMBERS_OBJ = localgroup/localgroup_setmembers.o $(CMDLINE_OBJ)
+LOCALGROUPGETMEMBERS_OBJ = localgroup/localgroup_getmembers.o $(CMDLINE_OBJ)
+REMOTETOD_OBJ = server/remote_tod.o $(CMDLINE_OBJ)
+SERVERGETINFO_OBJ = server/server_getinfo.o $(CMDLINE_OBJ)
+SHAREADD_OBJ = share/share_add.o $(CMDLINE_OBJ)
+SHAREDEL_OBJ = share/share_del.o $(CMDLINE_OBJ)
+SHAREENUM_OBJ = share/share_enum.o $(CMDLINE_OBJ)
+SHAREGETINFO_OBJ = share/share_getinfo.o $(CMDLINE_OBJ)
+SHARESETINFO_OBJ = share/share_setinfo.o $(CMDLINE_OBJ)
+FILECLOSE_OBJ = file/file_close.o $(CMDLINE_OBJ)
+FILEGETINFO_OBJ = file/file_getinfo.o $(CMDLINE_OBJ)
+FILEENUM_OBJ = file/file_enum.o $(CMDLINE_OBJ)
+
+bin/getdc@EXEEXT@: $(BINARY_PREREQS) $(GETDC_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GETDC_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/dsgetdc@EXEEXT@: $(BINARY_PREREQS) $(DSGETDC_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(DSGETDC_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/getjoinableous@EXEEXT@: $(BINARY_PREREQS) $(GETJOINABLEOUS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GETJOINABLEOUS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/rename_machine@EXEEXT@: $(BINARY_PREREQS) $(RENAMEMACHINE_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(RENAMEMACHINE_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/netdomjoin@EXEEXT@: $(BINARY_PREREQS) $(NETDOMJOIN_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(NETDOMJOIN_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/netdomjoin-gui@EXEEXT@: $(BINARY_PREREQS) $(NETDOMJOIN_GUI_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) $(GTK_FLAGS) -o $@ $(NETDOMJOIN_GUI_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAP_LIBS) $(GTK_LIBS)
+
+bin/user_add@EXEEXT@: $(BINARY_PREREQS) $(USERADD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERADD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_del@EXEEXT@: $(BINARY_PREREQS) $(USERDEL_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERDEL_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_enum@EXEEXT@: $(BINARY_PREREQS) $(USERENUM_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERENUM_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_dispinfo@EXEEXT@: $(BINARY_PREREQS) $(USERDISPINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERDISPINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_chgpwd@EXEEXT@: $(BINARY_PREREQS) $(USERCHGPWD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERCHGPWD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_getinfo@EXEEXT@: $(BINARY_PREREQS) $(USERGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_setinfo@EXEEXT@: $(BINARY_PREREQS) $(USERSETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERSETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_modalsget@EXEEXT@: $(BINARY_PREREQS) $(USERMODALSGET_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERMODALSGET_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_modalsset@EXEEXT@: $(BINARY_PREREQS) $(USERMODALSSET_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERMODALSSET_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_getgroups@EXEEXT@: $(BINARY_PREREQS) $(USERGETGROUPS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERGETGROUPS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_setgroups@EXEEXT@: $(BINARY_PREREQS) $(USERSETGROUPS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERSETGROUPS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/user_getlocalgroups@EXEEXT@: $(BINARY_PREREQS) $(USERGETLOCALGROUPS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(USERGETLOCALGROUPS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_add@EXEEXT@: $(BINARY_PREREQS) $(GROUPADD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPADD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_del@EXEEXT@: $(BINARY_PREREQS) $(GROUPDEL_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPDEL_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_enum@EXEEXT@: $(BINARY_PREREQS) $(GROUPENUM_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPENUM_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_setinfo@EXEEXT@: $(BINARY_PREREQS) $(GROUPSETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPSETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_getinfo@EXEEXT@: $(BINARY_PREREQS) $(GROUPGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_adduser@EXEEXT@: $(BINARY_PREREQS) $(GROUPADDUSER_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPADDUSER_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_deluser@EXEEXT@: $(BINARY_PREREQS) $(GROUPDELUSER_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPDELUSER_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_getusers@EXEEXT@: $(BINARY_PREREQS) $(GROUPGETUSERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPGETUSERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/group_setusers@EXEEXT@: $(BINARY_PREREQS) $(GROUPSETUSERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(GROUPSETUSERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_add@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPADD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPADD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_del@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPDEL_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPDEL_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_getinfo@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_setinfo@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPSETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPSETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_enum@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPENUM_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPENUM_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_addmembers@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPADDMEMBERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPADDMEMBERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_delmembers@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPDELMEMBERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPDELMEMBERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_setmembers@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPSETMEMBERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPSETMEMBERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/localgroup_getmembers@EXEEXT@: $(BINARY_PREREQS) $(LOCALGROUPGETMEMBERS_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(LOCALGROUPGETMEMBERS_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/remote_tod@EXEEXT@: $(BINARY_PREREQS) $(REMOTETOD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(REMOTETOD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/server_getinfo@EXEEXT@: $(BINARY_PREREQS) $(SERVERGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SERVERGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/share_add@EXEEXT@: $(BINARY_PREREQS) $(SHAREADD_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SHAREADD_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/share_del@EXEEXT@: $(BINARY_PREREQS) $(SHAREDEL_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SHAREDEL_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/share_enum@EXEEXT@: $(BINARY_PREREQS) $(SHAREENUM_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SHAREENUM_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/share_getinfo@EXEEXT@: $(BINARY_PREREQS) $(SHAREGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SHAREGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/share_setinfo@EXEEXT@: $(BINARY_PREREQS) $(SHARESETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(SHARESETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/file_close@EXEEXT@: $(BINARY_PREREQS) $(FILECLOSE_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(FILECLOSE_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/file_getinfo@EXEEXT@: $(BINARY_PREREQS) $(FILEGETINFO_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(FILEGETINFO_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+bin/file_enum@EXEEXT@: $(BINARY_PREREQS) $(FILEENUM_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(FILEENUM_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+clean:
+	-rm -f $(PROGS)
+	-rm -f core */*~ *~ \
+		*/*.o */*/*.o */*/*/*.o
diff --git a/source3/lib/netapi/examples/common.c b/source3/lib/netapi/examples/common.c
new file mode 100644
index 0000000000..74e28616bf
--- /dev/null
+++ b/source3/lib/netapi/examples/common.c
@@ -0,0 +1,65 @@
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <inttypes.h>
+
+#include <popt.h>
+#include <netapi.h>
+
+void popt_common_callback(poptContext con,
+			 enum poptCallbackReason reason,
+			 const struct poptOption *opt,
+			 const char *arg, const void *data)
+{
+	struct libnetapi_ctx *ctx = NULL;
+
+	libnetapi_getctx(&ctx);
+
+	if (reason == POPT_CALLBACK_REASON_PRE) {
+	}
+
+	if (reason == POPT_CALLBACK_REASON_POST) {
+	}
+
+	if (!opt) {
+		return;
+	}
+	switch (opt->val) {
+		case 'U': {
+			char *puser = strdup(arg);
+			char *p = NULL;
+
+			if ((p = strchr(puser,'%'))) {
+				size_t len;
+				*p = 0;
+				libnetapi_set_username(ctx, puser);
+				libnetapi_set_password(ctx, p+1);
+				len = strlen(p+1);
+				memset(strchr(arg,'%')+1,'X',len);
+			} else {
+				libnetapi_set_username(ctx, puser);
+			}
+			free(puser);
+			break;
+		}
+		case 'd':
+			libnetapi_set_debuglevel(ctx, arg);
+			break;
+		case 'p':
+			libnetapi_set_password(ctx, arg);
+			break;
+		case 'k':
+			libnetapi_set_use_kerberos(ctx);
+			break;
+	}
+}
+
+struct poptOption popt_common_netapi_examples[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, (void *)popt_common_callback },
+	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Username used for connection", "USERNAME" },
+	{ "password", 'p', POPT_ARG_STRING, NULL, 'p', "Password used for connection", "PASSWORD" },
+	{ "debuglevel", 'd', POPT_ARG_STRING, NULL, 'd', "Debuglevel", "DEBUGLEVEL" },
+	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use Kerberos", NULL },
+	POPT_TABLEEND
+};
+
diff --git a/source3/lib/netapi/examples/common.h b/source3/lib/netapi/examples/common.h
new file mode 100644
index 0000000000..85df51d868
--- /dev/null
+++ b/source3/lib/netapi/examples/common.h
@@ -0,0 +1,11 @@
+#include <popt.h>
+
+void popt_common_callback(poptContext con,
+			 enum poptCallbackReason reason,
+			 const struct poptOption *opt,
+			 const char *arg, const void *data);
+
+extern struct poptOption popt_common_netapi_examples[];
+
+#define POPT_COMMON_LIBNETAPI_EXAMPLES { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_netapi_examples, 0, "Common samba netapi example options:", NULL },
+
diff --git a/source3/lib/netapi/examples/dsgetdc/dsgetdc.c b/source3/lib/netapi/examples/dsgetdc/dsgetdc.c
new file mode 100644
index 0000000000..6265e66a25
--- /dev/null
+++ b/source3/lib/netapi/examples/dsgetdc/dsgetdc.c
@@ -0,0 +1,101 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  DsGetDcName query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+
+	const char *hostname = NULL;
+	const char *domain = NULL;
+	uint32_t flags = 0;
+	struct DOMAIN_CONTROLLER_INFO *info = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		{ "flags", 0, POPT_ARG_INT, NULL, 'f', "Query flags", "FLAGS" },
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("dsgetdc", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname domainname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+		switch (opt) {
+			case 'f':
+				sscanf(poptGetOptArg(pc), "%x", &flags);
+		}
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	domain = poptGetArg(pc);
+
+	/* DsGetDcName */
+
+	status = DsGetDcName(hostname, domain, NULL, NULL, flags, &info);
+	if (status != 0) {
+		printf("DsGetDcName failed with: %s\n",
+			libnetapi_errstr(status));
+		return status;
+	}
+
+	printf("DC Name:\t\t%s\n", info->domain_controller_name);
+	printf("DC Address:\t\t%s\n", info->domain_controller_address);
+	printf("DC Address Type:\t%d\n", info->domain_controller_address_type);
+	printf("Domain Name:\t\t%s\n", info->domain_name);
+	printf("DNS Forest Name:\t%s\n", info->dns_forest_name);
+	printf("DC flags:\t\t0x%08x\n", info->flags);
+	printf("DC Sitename:\t\t%s\n", info->dc_site_name);
+	printf("Client Sitename:\t%s\n", info->client_site_name);
+
+ out:
+	NetApiBufferFree(info);
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/file/file_close.c b/source3/lib/netapi/examples/file/file_close.c
new file mode 100644
index 0000000000..759173a0ec
--- /dev/null
+++ b/source3/lib/netapi/examples/file/file_close.c
@@ -0,0 +1,83 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetFileClose query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t fileid = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("file_close", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname fileid");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	fileid = atoi(poptGetArg(pc));
+
+	/* NetFileClose */
+
+	status = NetFileClose(hostname, fileid);
+	if (status != 0) {
+		printf("NetFileClose failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/file/file_enum.c b/source3/lib/netapi/examples/file/file_enum.c
new file mode 100644
index 0000000000..5fbb285194
--- /dev/null
+++ b/source3/lib/netapi/examples/file/file_enum.c
@@ -0,0 +1,146 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetFileEnum query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *basepath = NULL;
+	const char *username = NULL;
+	uint32_t level = 3;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int i;
+
+	struct FILE_INFO_2 *i2 = NULL;
+	struct FILE_INFO_3 *i3 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("file_enum", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname basepath username level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	basepath = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetFileEnum */
+
+	do {
+
+		status = NetFileEnum(hostname,
+				     basepath,
+				     username,
+				     level,
+				     &buffer,
+				     (uint32_t)-1,
+				     &entries_read,
+				     &total_entries,
+				     &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 2:
+					i2 = (struct FILE_INFO_2 *)buffer;
+					break;
+				case 3:
+					i3 = (struct FILE_INFO_3 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 2:
+						printf("file_id: %d\n", i2->fi2_id);
+						i2++;
+						break;
+					case 3:
+						printf("file_id: %d\n", i3->fi3_id);
+						printf("permissions: %d\n", i3->fi3_permissions);
+						printf("num_locks: %d\n", i3->fi3_num_locks);
+						printf("pathname: %s\n", i3->fi3_pathname);
+						printf("username: %s\n", i3->fi3_username);
+						i3++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetFileEnum failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/file/file_getinfo.c b/source3/lib/netapi/examples/file/file_getinfo.c
new file mode 100644
index 0000000000..9ad8305bc5
--- /dev/null
+++ b/source3/lib/netapi/examples/file/file_getinfo.c
@@ -0,0 +1,112 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetFileGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t fileid = 0;
+	uint32_t level = 3;
+	uint8_t *buffer = NULL;
+
+	struct FILE_INFO_2 *i2 = NULL;
+	struct FILE_INFO_3 *i3 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("file_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname fileid");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	fileid = atoi(poptGetArg(pc));
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetFileGetInfo */
+
+	status = NetFileGetInfo(hostname,
+				fileid,
+				level,
+				&buffer);
+	if (status != 0) {
+		printf("NetFileGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 2:
+			i2 = (struct FILE_INFO_2 *)buffer;
+			printf("file_id: %d\n", i2->fi2_id);
+			break;
+		case 3:
+			i3 = (struct FILE_INFO_3 *)buffer;
+			printf("file_id: %d\n", i3->fi3_id);
+			printf("permissions: %d\n", i3->fi3_permissions);
+			printf("num_locks: %d\n", i3->fi3_num_locks);
+			printf("pathname: %s\n", i3->fi3_pathname);
+			printf("username: %s\n", i3->fi3_username);
+			break;
+		default:
+			break;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/getdc/getdc.c b/source3/lib/netapi/examples/getdc/getdc.c
new file mode 100644
index 0000000000..98bb6a13b2
--- /dev/null
+++ b/source3/lib/netapi/examples/getdc/getdc.c
@@ -0,0 +1,86 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  GetDCName query
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+
+	const char *hostname = NULL;
+	const char *domain = NULL;
+	uint8_t *buffer = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("getdc", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname domainname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	domain = poptGetArg(pc);
+
+	/* NetGetDCName */
+
+	status = NetGetDCName(hostname, domain, &buffer);
+	if (status != 0) {
+		printf("GetDcName failed with: %s\n", libnetapi_errstr(status));
+	} else {
+		printf("%s\n", (char *)buffer);
+	}
+
+ out:
+	NetApiBufferFree(buffer);
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_add.c b/source3/lib/netapi/examples/group/group_add.c
new file mode 100644
index 0000000000..4da97c5fc5
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_add.c
@@ -0,0 +1,90 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupAdd query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	struct GROUP_INFO_1 g1;
+	uint32_t parm_error = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_add", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	/* NetGroupAdd */
+
+	g1.grpi1_name = groupname;
+	g1.grpi1_comment = "Domain Group created using NetApi example code";
+
+	status = NetGroupAdd(hostname,
+			    1,
+			    (uint8_t *)&g1,
+			    &parm_error);
+	if (status != 0) {
+		printf("NetGroupAdd failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_adduser.c b/source3/lib/netapi/examples/group/group_adduser.c
new file mode 100644
index 0000000000..253b3c5ab4
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_adduser.c
@@ -0,0 +1,91 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupAddUser query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	const char *username = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_adduser", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname username");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	/* NetGroupAddUser */
+
+	status = NetGroupAddUser(hostname,
+				 groupname,
+				 username);
+	if (status != 0) {
+		printf("NetGroupAddUser failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_del.c b/source3/lib/netapi/examples/group/group_del.c
new file mode 100644
index 0000000000..789e429ea2
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_del.c
@@ -0,0 +1,82 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupDel query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_del", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	/* NetGroupDel */
+
+	status = NetGroupDel(hostname, groupname);
+	if (status != 0) {
+		printf("NetGroupDel failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_deluser.c b/source3/lib/netapi/examples/group/group_deluser.c
new file mode 100644
index 0000000000..751ab5c630
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_deluser.c
@@ -0,0 +1,91 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupDelUser query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	const char *username = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_deluser", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname username");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	/* NetGroupDelUser */
+
+	status = NetGroupDelUser(hostname,
+				 groupname,
+				 username);
+	if (status != 0) {
+		printf("NetGroupDelUser failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_enum.c b/source3/lib/netapi/examples/group/group_enum.c
new file mode 100644
index 0000000000..fe2aee1dab
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_enum.c
@@ -0,0 +1,153 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupEnum query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int i;
+	char *sid_str = NULL;
+
+	struct GROUP_INFO_0 *info0 = NULL;
+	struct GROUP_INFO_1 *info1 = NULL;
+	struct GROUP_INFO_2 *info2 = NULL;
+	struct GROUP_INFO_3 *info3 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_enum", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetGroupEnum */
+
+	do {
+		status = NetGroupEnum(hostname,
+				      level,
+				      &buffer,
+				      (uint32_t)-1,
+				      &entries_read,
+				      &total_entries,
+				      &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 0:
+					info0 = (struct GROUP_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct GROUP_INFO_1 *)buffer;
+					break;
+				case 2:
+					info2 = (struct GROUP_INFO_2 *)buffer;
+					break;
+				case 3:
+					info3 = (struct GROUP_INFO_3 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d group: %s\n", i, info0->grpi0_name);
+						info0++;
+						break;
+					case 1:
+						printf("#%d group: %s\n", i, info1->grpi1_name);
+						printf("#%d comment: %s\n", i, info1->grpi1_comment);
+						info1++;
+						break;
+					case 2:
+						printf("#%d group: %s\n", i, info2->grpi2_name);
+						printf("#%d comment: %s\n", i, info2->grpi2_comment);
+						printf("#%d rid: %d\n", i, info2->grpi2_group_id);
+						printf("#%d attributes: 0x%08x\n", i, info2->grpi2_attributes);
+						info2++;
+						break;
+					case 3:
+						printf("#%d group: %s\n", i, info3->grpi3_name);
+						printf("#%d comment: %s\n", i, info3->grpi3_comment);
+						if (ConvertSidToStringSid(info3->grpi3_group_sid,
+									  &sid_str)) {
+							printf("#%d group_sid: %s\n", i, sid_str);
+							free(sid_str);
+						}
+						printf("#%d attributes: 0x%08x\n", i, info3->grpi3_attributes);
+						info3++;
+						break;
+
+
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetGroupEnum failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_getinfo.c b/source3/lib/netapi/examples/group/group_getinfo.c
new file mode 100644
index 0000000000..2e5b793905
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_getinfo.c
@@ -0,0 +1,127 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	struct GROUP_INFO_0 *g0;
+	struct GROUP_INFO_1 *g1;
+	struct GROUP_INFO_2 *g2;
+	struct GROUP_INFO_3 *g3;
+	char *sid_str = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetGroupGetInfo */
+
+	status = NetGroupGetInfo(hostname,
+				 groupname,
+				 level,
+				 &buffer);
+	if (status != 0) {
+		printf("NetGroupGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 0:
+			g0 = (struct GROUP_INFO_0 *)buffer;
+			printf("name: %s\n", g0->grpi0_name);
+			break;
+		case 1:
+			g1 = (struct GROUP_INFO_1 *)buffer;
+			printf("name: %s\n", g1->grpi1_name);
+			printf("comment: %s\n", g1->grpi1_comment);
+			break;
+		case 2:
+			g2 = (struct GROUP_INFO_2 *)buffer;
+			printf("name: %s\n", g2->grpi2_name);
+			printf("comment: %s\n", g2->grpi2_comment);
+			printf("group_id: %d\n", g2->grpi2_group_id);
+			printf("attributes: %d\n", g2->grpi2_attributes);
+			break;
+		case 3:
+			g3 = (struct GROUP_INFO_3 *)buffer;
+			printf("name: %s\n", g3->grpi3_name);
+			printf("comment: %s\n", g3->grpi3_comment);
+			if (ConvertSidToStringSid(g3->grpi3_group_sid,
+						  &sid_str)) {
+				printf("group_sid: %s\n", sid_str);
+				free(sid_str);
+			}
+			printf("attributes: %d\n", g3->grpi3_attributes);
+			break;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_getusers.c b/source3/lib/netapi/examples/group/group_getusers.c
new file mode 100644
index 0000000000..72e79ec3a2
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_getusers.c
@@ -0,0 +1,132 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupGetUsers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int i;
+
+	struct GROUP_USERS_INFO_0 *info0 = NULL;
+	struct GROUP_USERS_INFO_1 *info1 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_getusers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetGroupGetUsers */
+
+	do {
+		status = NetGroupGetUsers(hostname,
+					  groupname,
+					  level,
+					  &buffer,
+					  (uint32_t)-1,
+					  &entries_read,
+					  &total_entries,
+					  &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 0:
+					info0 = (struct GROUP_USERS_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct GROUP_USERS_INFO_1 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d member: %s\n", i, info0->grui0_name);
+						info0++;
+						break;
+					case 1:
+						printf("#%d member: %s\n", i, info1->grui1_name);
+						printf("#%d attributes: %d\n", i, info1->grui1_attributes);
+						info1++;
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetGroupGetUsers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_setinfo.c b/source3/lib/netapi/examples/group/group_setinfo.c
new file mode 100644
index 0000000000..cd30d8b9b8
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_setinfo.c
@@ -0,0 +1,142 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupSetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	const char *option = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	uint32_t parm_err = 0;
+	struct GROUP_INFO_0 g0;
+	struct GROUP_INFO_1 g1;
+	struct GROUP_INFO_2 g2;
+	struct GROUP_INFO_3 g3;
+	struct GROUP_INFO_1002 g1002;
+	struct GROUP_INFO_1005 g1005;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_setinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level option");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	level = atoi(poptGetArg(pc));
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	option = poptGetArg(pc);
+
+	/* NetGroupSetInfo */
+
+	switch (level) {
+		case 0:
+			g0.grpi0_name = option;
+			buffer = (uint8_t *)&g0;
+			break;
+		case 1:
+			g1.grpi1_name = option; /* this one will be ignored */
+			g1.grpi1_comment = option;
+			buffer = (uint8_t *)&g1;
+			break;
+		case 2:
+			g2.grpi2_name = option; /* this one will be ignored */
+			g2.grpi2_comment = option;
+			g2.grpi2_group_id = 4711; /* this one will be ignored */
+			g2.grpi2_attributes = 7;
+			buffer = (uint8_t *)&g2;
+			break;
+		case 3:
+			g3.grpi3_name = option; /* this one will be ignored */
+			g3.grpi3_comment = option;
+			g2.grpi2_attributes = 7;
+			buffer = (uint8_t *)&g3;
+			break;
+		case 1002:
+			g1002.grpi1002_comment = option;
+			buffer = (uint8_t *)&g1002;
+			break;
+		case 1005:
+			g1005.grpi1005_attributes = atoi(option);
+			buffer = (uint8_t *)&g1005;
+			break;
+	}
+
+	status = NetGroupSetInfo(hostname,
+				 groupname,
+				 level,
+				 buffer,
+				 &parm_err);
+	if (status != 0) {
+		printf("NetGroupSetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/group/group_setusers.c b/source3/lib/netapi/examples/group/group_setusers.c
new file mode 100644
index 0000000000..70cf10514c
--- /dev/null
+++ b/source3/lib/netapi/examples/group/group_setusers.c
@@ -0,0 +1,142 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroupSetUsers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t num_entries = 0;
+	const char **names = NULL;
+	int i = 0;
+	size_t buf_size = 0;
+
+	struct GROUP_USERS_INFO_0 *g0 = NULL;
+	struct GROUP_USERS_INFO_1 *g1 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("group_setusers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	names = poptGetArgs(pc);
+	for (i=0; names[i] != NULL; i++) {
+		num_entries++;
+	}
+
+	switch (level) {
+		case 0:
+			buf_size = sizeof(struct GROUP_USERS_INFO_0) * num_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g0);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<num_entries; i++) {
+				g0[i].grui0_name = names[i];
+			}
+
+			buffer = (uint8_t *)g0;
+			break;
+		case 1:
+			buf_size = sizeof(struct GROUP_USERS_INFO_1) * num_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g1);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<num_entries; i++) {
+				g1[i].grui1_name = names[i];
+			}
+
+			buffer = (uint8_t *)g1;
+			break;
+		default:
+			break;
+	}
+
+	/* NetGroupSetUsers */
+
+	status = NetGroupSetUsers(hostname,
+				  groupname,
+				  level,
+				  buffer,
+				  num_entries);
+	if (status != 0) {
+		printf("NetGroupSetUsers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/join/getjoinableous.c b/source3/lib/netapi/examples/join/getjoinableous.c
new file mode 100644
index 0000000000..732f73dd57
--- /dev/null
+++ b/source3/lib/netapi/examples/join/getjoinableous.c
@@ -0,0 +1,95 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Join Support (cmdline + netapi)
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <inttypes.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	const char *host_name = NULL;
+	const char *domain_name = NULL;
+	const char **ous = NULL;
+	uint32_t num_ous = 0;
+	struct libnetapi_ctx *ctx = NULL;
+	int i;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		{ "domain", 0, POPT_ARG_STRING, NULL, 'D', "Domain name", "DOMAIN" },
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("getjoinableous", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname domainname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+		switch (opt) {
+			case 'D':
+				domain_name = poptGetOptArg(pc);
+				break;
+		}
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	host_name = poptGetArg(pc);
+
+	/* NetGetJoinableOUs */
+
+	status = NetGetJoinableOUs(host_name,
+				   domain_name,
+				   ctx->username,
+				   ctx->password,
+				   &num_ous,
+				   &ous);
+	if (status != 0) {
+		printf("failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	} else {
+		printf("Successfully queried joinable ous:\n");
+		for (i=0; i<num_ous; i++) {
+			printf("ou: %s\n", ous[i]);
+		}
+	}
+
+ out:
+	NetApiBufferFree(ous);
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/join/netdomjoin.c b/source3/lib/netapi/examples/join/netdomjoin.c
new file mode 100644
index 0000000000..08ce71b938
--- /dev/null
+++ b/source3/lib/netapi/examples/join/netdomjoin.c
@@ -0,0 +1,104 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Join Support (cmdline + netapi)
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+enum {
+	OPT_OU = 1000
+};
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	const char *host_name = NULL;
+	const char *domain_name = NULL;
+	const char *account_ou = NULL;
+	const char *account = NULL;
+	const char *password = NULL;
+	uint32_t join_flags = NETSETUP_JOIN_DOMAIN |
+			      NETSETUP_ACCT_CREATE |
+			      NETSETUP_DOMAIN_JOIN_IF_JOINED;
+	struct libnetapi_ctx *ctx = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		{ "ou", 0, POPT_ARG_STRING, &account_ou, 'U', "Account ou", "ACCOUNT_OU" },
+		{ "domain", 0, POPT_ARG_STRING, &domain_name, 'U', "Domain name (required)", "DOMAIN" },
+		{ "userd", 0, POPT_ARG_STRING, &account, 'U', "Domain admin account", "USERNAME" },
+		{ "passwordd", 0, POPT_ARG_STRING, &password, 'U', "Domain admin password", "PASSWORD" },
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("netdomjoin", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	host_name = poptGetArg(pc);
+
+	if (!domain_name) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	/* NetJoinDomain */
+
+	status = NetJoinDomain(host_name,
+			       domain_name,
+			       account_ou,
+			       account,
+			       password,
+			       join_flags);
+	if (status != 0) {
+		const char *errstr = NULL;
+		errstr = libnetapi_get_error_string(ctx, status);
+		printf("Join failed with: %s\n", errstr);
+	} else {
+		printf("Successfully joined\n");
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/join/rename_machine.c b/source3/lib/netapi/examples/join/rename_machine.c
new file mode 100644
index 0000000000..a21f9198d8
--- /dev/null
+++ b/source3/lib/netapi/examples/join/rename_machine.c
@@ -0,0 +1,86 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetRenameMachineInDomain query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <inttypes.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	const char *host_name = NULL;
+	const char *new_machine_name = NULL;
+	uint32_t rename_opt = 0;
+	struct libnetapi_ctx *ctx = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("rename_machine", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname newmachinename");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	host_name = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	new_machine_name = poptGetArg(pc);
+
+	/* NetRenameMachineInDomain */
+
+	status = NetRenameMachineInDomain(host_name,
+					  new_machine_name,
+					  ctx->username,
+					  ctx->password,
+					  rename_opt);
+	if (status != 0) {
+		printf("failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_add.c b/source3/lib/netapi/examples/localgroup/localgroup_add.c
new file mode 100644
index 0000000000..7f23c99db1
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_add.c
@@ -0,0 +1,106 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupAdd query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	const char *comment = NULL;
+	struct LOCALGROUP_INFO_0 g0;
+	struct LOCALGROUP_INFO_1 g1;
+	uint32_t parm_error = 0;
+	uint8_t *buf = NULL;
+	uint32_t level = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_add", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname comment");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		comment = poptGetArg(pc);
+	}
+
+	/* NetLocalGroupAdd */
+
+	if (comment) {
+		level = 1;
+		g1.lgrpi1_name = groupname;
+		g1.lgrpi1_comment = comment;
+		buf = (uint8_t *)&g1;
+	} else {
+		level = 0;
+		g0.lgrpi0_name = groupname;
+		buf = (uint8_t *)&g0;
+	}
+
+	status = NetLocalGroupAdd(hostname,
+				  level,
+				  buf,
+				  &parm_error);
+	if (status != 0) {
+		printf("NetLocalGroupAdd failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_addmembers.c b/source3/lib/netapi/examples/localgroup/localgroup_addmembers.c
new file mode 100644
index 0000000000..aa4a9b59b0
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_addmembers.c
@@ -0,0 +1,141 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupAddMembers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_0 *g0;
+	struct LOCALGROUP_MEMBERS_INFO_3 *g3;
+	uint32_t total_entries = 0;
+	uint8_t *buffer = NULL;
+	uint32_t level = 3;
+	const char **names = NULL;
+	int i = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_addmembers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname member1 member2 ...");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	names = poptGetArgs(pc);
+	for (i=0; names[i] != NULL; i++) {
+		total_entries++;
+	}
+
+	switch (level) {
+		case 0:
+			status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_0) * total_entries,
+						      (void **)&g0);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				if (!ConvertStringSidToSid(names[i], &g0[i].lgrmi0_sid)) {
+					printf("could not convert sid\n");
+					goto out;
+				}
+			}
+
+			buffer = (uint8_t *)g0;
+			break;
+		case 3:
+			status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_3) * total_entries,
+						      (void **)&g3);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				g3[i].lgrmi3_domainandname = names[i];
+			}
+
+			buffer = (uint8_t *)g3;
+			break;
+		default:
+			break;
+	}
+
+	/* NetLocalGroupAddMembers */
+
+	status = NetLocalGroupAddMembers(hostname,
+					 groupname,
+					 level,
+					 buffer,
+					 total_entries);
+	if (status != 0) {
+		printf("NetLocalGroupAddMembers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_del.c b/source3/lib/netapi/examples/localgroup/localgroup_del.c
new file mode 100644
index 0000000000..a2515dfdcd
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_del.c
@@ -0,0 +1,83 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupDel query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_del", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	/* NetLocalGroupDel */
+
+	status = NetLocalGroupDel(hostname,
+				  groupname);
+	if (status != 0) {
+		printf("NetLocalGroupDel failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_delmembers.c b/source3/lib/netapi/examples/localgroup/localgroup_delmembers.c
new file mode 100644
index 0000000000..7bd3ec0993
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_delmembers.c
@@ -0,0 +1,141 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupDelMembers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_0 *g0;
+	struct LOCALGROUP_MEMBERS_INFO_3 *g3;
+	uint32_t total_entries = 0;
+	uint8_t *buffer = NULL;
+	uint32_t level = 3;
+	const char **names = NULL;
+	int i = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_delmembers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname member1 member2 ...");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	names = poptGetArgs(pc);
+	for (i=0; names[i] != NULL; i++) {
+		total_entries++;
+	}
+
+	switch (level) {
+		case 0:
+			status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_0) * total_entries,
+						      (void **)&g0);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				if (!ConvertStringSidToSid(names[i], &g0[i].lgrmi0_sid)) {
+					printf("could not convert sid\n");
+					goto out;
+				}
+			}
+
+			buffer = (uint8_t *)g0;
+			break;
+		case 3:
+			status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_3) * total_entries,
+						      (void **)&g3);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				g3[i].lgrmi3_domainandname = names[i];
+			}
+
+			buffer = (uint8_t *)g3;
+			break;
+		default:
+			break;
+	}
+
+	/* NetLocalGroupDelMembers */
+
+	status = NetLocalGroupDelMembers(hostname,
+					 groupname,
+					 level,
+					 buffer,
+					 total_entries);
+	if (status != 0) {
+		printf("NetLocalGroupDelMembers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_enum.c b/source3/lib/netapi/examples/localgroup/localgroup_enum.c
new file mode 100644
index 0000000000..6fe0cf4173
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_enum.c
@@ -0,0 +1,126 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupEnum query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int i;
+
+	struct LOCALGROUP_INFO_0 *info0 = NULL;
+	struct LOCALGROUP_INFO_1 *info1 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_enum", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetLocalGroupEnum */
+
+	do {
+		status = NetLocalGroupEnum(hostname,
+					   level,
+					   &buffer,
+					   (uint32_t)-1,
+					   &entries_read,
+					   &total_entries,
+					   &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 0:
+					info0 = (struct LOCALGROUP_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct LOCALGROUP_INFO_1 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d group: %s\n", i, info0->lgrpi0_name);
+						info0++;
+						break;
+					case 1:
+						printf("#%d group: %s\n", i, info1->lgrpi1_name);
+						printf("#%d comment: %s\n", i, info1->lgrpi1_comment);
+						info1++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetLocalGroupEnum failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_getinfo.c b/source3/lib/netapi/examples/localgroup/localgroup_getinfo.c
new file mode 100644
index 0000000000..cd8fa8c3b3
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_getinfo.c
@@ -0,0 +1,112 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	struct LOCALGROUP_INFO_0 *g0;
+	struct LOCALGROUP_INFO_1 *g1;
+	struct LOCALGROUP_INFO_1002 *g1002;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetLocalGroupGetInfo */
+
+	status = NetLocalGroupGetInfo(hostname,
+				      groupname,
+				      level,
+				      &buffer);
+	if (status != 0) {
+		printf("NetLocalGroupGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 0:
+			g0 = (struct LOCALGROUP_INFO_0 *)buffer;
+			printf("name: %s\n", g0->lgrpi0_name);
+			break;
+		case 1:
+			g1 = (struct LOCALGROUP_INFO_1 *)buffer;
+			printf("name: %s\n", g1->lgrpi1_name);
+			printf("comment: %s\n", g1->lgrpi1_comment);
+			break;
+		case 1002:
+			g1002 = (struct LOCALGROUP_INFO_1002 *)buffer;
+			printf("comment: %s\n", g1002->lgrpi1002_comment);
+			break;
+	}
+	NetApiBufferFree(buffer);
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_getmembers.c b/source3/lib/netapi/examples/localgroup/localgroup_getmembers.c
new file mode 100644
index 0000000000..0589870d02
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_getmembers.c
@@ -0,0 +1,165 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupGetMembers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	char *sid_str = NULL;
+	int i;
+
+	struct LOCALGROUP_MEMBERS_INFO_0 *info0 = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_1 *info1 = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_2 *info2 = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_3 *info3 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_getmembers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetLocalGroupGetMembers */
+
+	do {
+		status = NetLocalGroupGetMembers(hostname,
+						 groupname,
+						 level,
+						 &buffer,
+						 (uint32_t)-1,
+						 &entries_read,
+						 &total_entries,
+						 &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 0:
+					info0 = (struct LOCALGROUP_MEMBERS_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct LOCALGROUP_MEMBERS_INFO_1 *)buffer;
+					break;
+				case 2:
+					info2 = (struct LOCALGROUP_MEMBERS_INFO_2 *)buffer;
+					break;
+				case 3:
+					info3 = (struct LOCALGROUP_MEMBERS_INFO_3 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						if (ConvertSidToStringSid(info0->lgrmi0_sid,
+									  &sid_str)) {
+							printf("#%d member sid: %s\n", i, sid_str);
+							free(sid_str);
+						}
+						info0++;
+						break;
+					case 1:
+						if (ConvertSidToStringSid(info1->lgrmi1_sid,
+									  &sid_str)) {
+							printf("#%d member sid: %s\n", i, sid_str);
+							free(sid_str);
+						}
+						printf("#%d sid type: %d\n", i, info1->lgrmi1_sidusage);
+						printf("#%d name: %s\n", i, info1->lgrmi1_name);
+						info1++;
+						break;
+					case 2:
+						if (ConvertSidToStringSid(info2->lgrmi2_sid,
+									  &sid_str)) {
+							printf("#%d member sid: %s\n", i, sid_str);
+							free(sid_str);
+						}
+						printf("#%d sid type: %d\n", i, info2->lgrmi2_sidusage);
+						printf("#%d full name: %s\n", i, info2->lgrmi2_domainandname);
+						info2++;
+						break;
+					case 3:
+						printf("#%d full name: %s\n", i, info3->lgrmi3_domainandname);
+						info3++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetLocalGroupGetMembers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_setinfo.c b/source3/lib/netapi/examples/localgroup/localgroup_setinfo.c
new file mode 100644
index 0000000000..efcec76786
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_setinfo.c
@@ -0,0 +1,128 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupSetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	struct LOCALGROUP_INFO_0 g0;
+	struct LOCALGROUP_INFO_1 g1;
+	struct LOCALGROUP_INFO_1002 g1002;
+	const char *newname = NULL;
+	const char *newcomment = NULL;
+	uint32_t parm_err = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		{ "newname", 0, POPT_ARG_STRING, NULL, 'n', "New Local Group Name", "NEWNAME" },
+		{ "newcomment", 0, POPT_ARG_STRING, NULL, 'c', "New Local Group Comment", "NETCOMMENT" },
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_setinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+		switch (opt) {
+			case 'n':
+				newname = poptGetOptArg(pc);
+				break;
+			case 'c':
+				newcomment = poptGetOptArg(pc);
+				break;
+		}
+
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	if (newname && !newcomment) {
+		g0.lgrpi0_name = newname;
+		buffer = (uint8_t *)&g0;
+		level = 0;
+	} else if (newcomment && !newname) {
+		g1002.lgrpi1002_comment = newcomment;
+		buffer = (uint8_t *)&g1002;
+		level = 1002;
+	} else if (newname && newcomment) {
+		g1.lgrpi1_name = newname;
+		g1.lgrpi1_comment = newcomment;
+		buffer = (uint8_t *)&g1;
+		level = 1;
+	} else {
+		printf("not enough input\n");
+		goto out;
+	}
+
+	/* NetLocalGroupSetInfo */
+
+	status = NetLocalGroupSetInfo(hostname,
+				      groupname,
+				      level,
+				      buffer,
+				      &parm_err);
+	if (status != 0) {
+		printf("NetLocalGroupSetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/localgroup/localgroup_setmembers.c b/source3/lib/netapi/examples/localgroup/localgroup_setmembers.c
new file mode 100644
index 0000000000..c35f2bbb81
--- /dev/null
+++ b/source3/lib/netapi/examples/localgroup/localgroup_setmembers.c
@@ -0,0 +1,146 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroupSetMembers query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *groupname = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_0 *g0;
+	struct LOCALGROUP_MEMBERS_INFO_3 *g3;
+	uint32_t total_entries = 0;
+	uint8_t *buffer = NULL;
+	uint32_t level = 3;
+	const char **names = NULL;
+	int i = 0;
+	size_t buf_size = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("localgroup_setmembers", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname groupname member1 member2 ...");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	groupname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	names = poptGetArgs(pc);
+	for (i=0; names[i] != NULL; i++) {
+		total_entries++;
+	}
+
+	switch (level) {
+		case 0:
+			buf_size = sizeof(struct LOCALGROUP_MEMBERS_INFO_0) * total_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g0);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				if (!ConvertStringSidToSid(names[i], &g0[i].lgrmi0_sid)) {
+					printf("could not convert sid\n");
+					goto out;
+				}
+			}
+
+			buffer = (uint8_t *)g0;
+			break;
+		case 3:
+			buf_size = sizeof(struct LOCALGROUP_MEMBERS_INFO_3) * total_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g3);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<total_entries; i++) {
+				g3[i].lgrmi3_domainandname = names[i];
+			}
+
+			buffer = (uint8_t *)g3;
+			break;
+		default:
+			break;
+	}
+
+	/* NetLocalGroupSetMembers */
+
+	status = NetLocalGroupSetMembers(hostname,
+					 groupname,
+					 level,
+					 buffer,
+					 total_entries);
+	if (status != 0) {
+		printf("NetLocalGroupSetMembers failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	NetApiBufferFree(buffer);
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/netdomjoin-gui/logo-small.png b/source3/lib/netapi/examples/netdomjoin-gui/logo-small.png
new file mode 100644
index 0000000000..f041198002
--- /dev/null
+++ b/source3/lib/netapi/examples/netdomjoin-gui/logo-small.png
diff --git a/source3/lib/netapi/examples/netdomjoin-gui/logo.png b/source3/lib/netapi/examples/netdomjoin-gui/logo.png
new file mode 100644
index 0000000000..6df4ace659
--- /dev/null
+++ b/source3/lib/netapi/examples/netdomjoin-gui/logo.png
diff --git a/source3/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c b/source3/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
new file mode 100644
index 0000000000..40a6e415eb
--- /dev/null
+++ b/source3/lib/netapi/examples/netdomjoin-gui/netdomjoin-gui.c
@@ -0,0 +1,1817 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  Join Support (gtk + netapi)
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netdb.h>
+
+#include <gtk/gtk.h>
+#include <glib/gprintf.h>
+
+#include <netapi.h>
+
+#define MAX_CRED_LEN 256
+#define MAX_NETBIOS_NAME_LEN 15
+
+#define SAMBA_ICON_PATH  "/usr/share/pixmaps/samba/samba.ico"
+#define SAMBA_IMAGE_PATH "/usr/share/pixmaps/samba/logo.png"
+#define SAMBA_IMAGE_PATH_SMALL "/usr/share/pixmaps/samba/logo-small.png"
+
+#define SAFE_FREE(x) do { if ((x) != NULL) {free(x); x=NULL;} } while(0)
+
+static gboolean verbose = FALSE;
+
+typedef struct join_state {
+	struct libnetapi_ctx *ctx;
+	GtkWidget *window_main;
+	GtkWidget *window_parent;
+	GtkWidget *window_do_change;
+	GtkWidget *window_creds_prompt;
+	GtkWidget *entry_account;
+	GtkWidget *entry_password;
+	GtkWidget *entry_domain;
+	GtkWidget *entry_ou_list;
+	GtkWidget *entry_workgroup;
+	GtkWidget *button_ok;
+	GtkWidget *button_apply;
+	GtkWidget *button_ok_creds;
+	GtkWidget *button_get_ous;
+	GtkWidget *label_reboot;
+	GtkWidget *label_current_name_buffer;
+	GtkWidget *label_current_name_type;
+	GtkWidget *label_full_computer_name;
+	GtkWidget *label_winbind;
+	uint16_t name_type_initial;
+	uint16_t name_type_new;
+	char *name_buffer_initial;
+	char *name_buffer_new;
+	char *password;
+	char *account;
+	char *comment;
+	char *comment_new;
+	char *my_fqdn;
+	char *my_dnsdomain;
+	char *my_hostname;
+	uint16_t server_role;
+	gboolean settings_changed;
+	gboolean hostname_changed;
+	uint32_t stored_num_ous;
+	char *target_hostname;
+} join_state;
+
+static void debug(const char *format, ...)
+{
+	va_list args;
+
+	if (!verbose) {
+		return;
+	}
+
+	va_start(args, format);
+	g_vprintf(format, args);
+	va_end(args);
+}
+
+static gboolean callback_delete_event(GtkWidget *widget,
+				      GdkEvent *event,
+				      gpointer data)
+{
+	gtk_main_quit();
+	return FALSE;
+}
+
+static void callback_do_close_data(GtkWidget *widget,
+				   gpointer data)
+{
+	debug("callback_do_close_data called\n");
+
+	if (data) {
+		gtk_widget_destroy(GTK_WIDGET(data));
+	}
+}
+
+static void callback_do_close_widget(GtkWidget *widget,
+				     gpointer data)
+{
+	debug("callback_do_close_widget called\n");
+
+	if (widget) {
+		gtk_widget_destroy(widget);
+	}
+}
+
+static void callback_do_freeauth(GtkWidget *widget,
+				 gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_freeauth called\n");
+
+	SAFE_FREE(state->account);
+	SAFE_FREE(state->password);
+
+	if (state->window_creds_prompt) {
+		gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+		state->window_creds_prompt = NULL;
+	}
+}
+
+static void callback_do_freeauth_and_close(GtkWidget *widget,
+					   gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_freeauth_and_close called\n");
+
+	SAFE_FREE(state->account);
+	SAFE_FREE(state->password);
+
+	if (state->window_creds_prompt) {
+		gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+		state->window_creds_prompt = NULL;
+	}
+	if (state->window_do_change) {
+		gtk_widget_destroy(GTK_WIDGET(state->window_do_change));
+		state->window_do_change = NULL;
+	}
+}
+
+static void free_join_state(struct join_state *s)
+{
+	SAFE_FREE(s->name_buffer_initial);
+	SAFE_FREE(s->name_buffer_new);
+	SAFE_FREE(s->password);
+	SAFE_FREE(s->account);
+	SAFE_FREE(s->comment);
+	SAFE_FREE(s->comment_new);
+	SAFE_FREE(s->my_fqdn);
+	SAFE_FREE(s->my_dnsdomain);
+	SAFE_FREE(s->my_hostname);
+}
+
+static void do_cleanup(struct join_state *state)
+{
+	libnetapi_free(state->ctx);
+	free_join_state(state);
+}
+
+static void callback_apply_description_change(GtkWidget *widget,
+					      gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+	NET_API_STATUS status = 0;
+	uint32_t parm_err = 0;
+	struct SERVER_INFO_1005 info1005;
+	GtkWidget *dialog;
+
+	info1005.sv1005_comment = state->comment_new;
+
+	status = NetServerSetInfo(state->target_hostname,
+				  1005,
+				  (uint8_t *)&info1005,
+				  &parm_err);
+	if (status) {
+		debug("NetServerSetInfo failed with: %s\n",
+			libnetapi_errstr(status));
+		dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_main),
+						GTK_DIALOG_DESTROY_WITH_PARENT,
+						GTK_MESSAGE_ERROR,
+						GTK_BUTTONS_OK,
+						"Failed to change computer description: %s.",
+						libnetapi_get_error_string(state->ctx, status));
+		gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+		gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_main));
+
+		g_signal_connect_swapped(dialog, "response",
+					 G_CALLBACK(gtk_widget_destroy),
+					 dialog);
+
+		gtk_widget_show(dialog);
+		return;
+	}
+
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_apply), FALSE);
+}
+
+static void callback_do_exit(GtkWidget *widget,
+			     gpointer data)
+{
+#if 0
+	GtkWidget *dialog;
+	gint result;
+#endif
+	struct join_state *state = (struct join_state *)data;
+
+	if (!state->settings_changed) {
+		callback_delete_event(NULL, NULL, NULL);
+		return;
+	}
+
+#if 0
+	dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_main),
+					GTK_DIALOG_DESTROY_WITH_PARENT,
+					GTK_MESSAGE_QUESTION,
+					GTK_BUTTONS_YES_NO,
+					"You must restart your computer before the new settings will take effect.");
+	gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+	result = gtk_dialog_run(GTK_DIALOG(dialog));
+	switch (result) {
+		case GTK_RESPONSE_YES:
+			g_print("would reboot here\n");
+			break;
+		case GTK_RESPONSE_NO:
+		default:
+			break;
+	}
+	if (dialog) {
+		gtk_widget_destroy(GTK_WIDGET(dialog));
+	}
+#endif
+	if (state->window_main) {
+		gtk_widget_destroy(GTK_WIDGET(state->window_main));
+		state->window_main = NULL;
+	}
+	do_cleanup(state);
+	exit(0);
+}
+
+
+static void callback_do_reboot(GtkWidget *widget,
+			       gpointer data,
+			       gpointer data2)
+{
+	GtkWidget *dialog;
+	struct join_state *state = (struct join_state *)data2;
+
+	debug("callback_do_reboot\n");
+
+	state->settings_changed = TRUE;
+	dialog = gtk_message_dialog_new(GTK_WINDOW(data),
+					GTK_DIALOG_DESTROY_WITH_PARENT,
+					GTK_MESSAGE_INFO,
+					GTK_BUTTONS_OK,
+					"You must restart this computer for the changes to take effect.");
+	gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+	gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+#if 0
+	g_signal_connect_swapped(dialog, "response",
+				 G_CALLBACK(gtk_widget_destroy),
+				 dialog);
+
+	debug("showing dialog\n");
+	gtk_widget_show(dialog);
+#else
+	gtk_dialog_run(GTK_DIALOG(dialog));
+	gtk_widget_destroy(GTK_WIDGET(dialog));
+#endif
+
+	gtk_label_set_text(GTK_LABEL(state->label_reboot),
+			   "Changes will take effect after you restart this computer");
+
+	debug("destroying do_change window\n");
+	gtk_widget_destroy(GTK_WIDGET(state->window_do_change));
+
+	{
+		uint32_t status;
+		const char *buffer;
+		uint16_t type;
+
+		status = NetGetJoinInformation(state->target_hostname,
+					       &buffer,
+					       &type);
+		if (status != 0) {
+			g_print("failed to query status\n");
+			return;
+		}
+
+		debug("got new status: %s\n", buffer);
+
+		SAFE_FREE(state->name_buffer_new);
+		state->name_buffer_new = strdup(buffer);
+		state->name_type_new = type;
+		state->name_buffer_initial = strdup(buffer);
+		state->name_type_initial = type;
+		NetApiBufferFree((void *)buffer);
+
+		gtk_label_set_text(GTK_LABEL(state->label_current_name_buffer),
+				   state->name_buffer_new);
+		if (state->name_type_new == NetSetupDomainName) {
+			gtk_label_set_text(GTK_LABEL(state->label_current_name_type),
+					   "Domain:");
+		} else {
+			gtk_label_set_text(GTK_LABEL(state->label_current_name_type),
+					   "Workgroup:");
+		}
+	}
+}
+
+static void callback_return_username(GtkWidget *widget,
+				     gpointer data)
+{
+	const gchar *entry_text;
+	struct join_state *state = (struct join_state *)data;
+	debug("callback_return_username called\n");
+	if (!widget) {
+		return;
+	}
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	if (!entry_text) {
+		return;
+	}
+	debug("callback_return_username: %s\n", entry_text);
+	SAFE_FREE(state->account);
+	state->account = strdup(entry_text);
+}
+
+static void callback_return_username_and_enter(GtkWidget *widget,
+					       gpointer data)
+{
+	const gchar *entry_text;
+	struct join_state *state = (struct join_state *)data;
+	if (!widget) {
+		return;
+	}
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	if (!entry_text) {
+		return;
+	}
+	debug("callback_return_username_and_enter: %s\n", entry_text);
+	SAFE_FREE(state->account);
+	state->account = strdup(entry_text);
+	g_signal_emit_by_name(state->button_ok_creds, "clicked");
+}
+
+static void callback_return_password(GtkWidget *widget,
+				     gpointer data)
+{
+	const gchar *entry_text;
+	struct join_state *state = (struct join_state *)data;
+	debug("callback_return_password called\n");
+	if (!widget) {
+		return;
+	}
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	if (!entry_text) {
+		return;
+	}
+#ifdef DEBUG_PASSWORD
+	debug("callback_return_password: %s\n", entry_text);
+#else
+	debug("callback_return_password: (not printed)\n");
+#endif
+	SAFE_FREE(state->password);
+	state->password = strdup(entry_text);
+}
+
+static void callback_return_password_and_enter(GtkWidget *widget,
+					       gpointer data)
+{
+	const gchar *entry_text;
+	struct join_state *state = (struct join_state *)data;
+	if (!widget) {
+		return;
+	}
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	if (!entry_text) {
+		return;
+	}
+#ifdef DEBUG_PASSWORD
+	debug("callback_return_password_and_enter: %s\n", entry_text);
+#else
+	debug("callback_return_password_and_enter: (not printed)\n");
+#endif
+	SAFE_FREE(state->password);
+	state->password = strdup(entry_text);
+	g_signal_emit_by_name(state->button_ok_creds, "clicked");
+}
+
+static void callback_do_storeauth(GtkWidget *widget,
+				  gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_storeauth called\n");
+
+	SAFE_FREE(state->account);
+	SAFE_FREE(state->password);
+
+	callback_return_username(state->entry_account, (gpointer)state);
+	callback_return_password(state->entry_password, (gpointer)state);
+
+	if (state->window_creds_prompt) {
+		gtk_widget_destroy(GTK_WIDGET(state->window_creds_prompt));
+		state->window_creds_prompt = NULL;
+	}
+}
+
+static void callback_continue(GtkWidget *widget,
+			      gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+
+	gtk_widget_grab_focus(GTK_WIDGET(state->button_ok));
+	g_signal_emit_by_name(state->button_ok, "clicked");
+}
+
+static void callback_do_storeauth_and_continue(GtkWidget *widget,
+					       gpointer data)
+{
+	callback_do_storeauth(widget, data);
+	callback_continue(NULL, data);
+}
+
+static void callback_do_storeauth_and_scan(GtkWidget *widget,
+					   gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+	callback_do_storeauth(widget, data);
+	g_signal_emit_by_name(state->button_get_ous, "clicked");
+}
+
+static void callback_do_hostname_change(GtkWidget *widget,
+					gpointer data)
+{
+	GtkWidget *dialog;
+	const char *str = NULL;
+
+	struct join_state *state = (struct join_state *)data;
+
+	switch (state->name_type_initial) {
+		case NetSetupDomainName:
+			str = "To be implemented: call NetRenameMachineInDomain\n";
+			break;
+		case NetSetupWorkgroupName:
+			str = "To be implemented: call SetComputerNameEx\n";
+			break;
+		default:
+			break;
+	}
+
+	dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+					GTK_DIALOG_DESTROY_WITH_PARENT,
+					GTK_MESSAGE_ERROR,
+					GTK_BUTTONS_CLOSE,
+					str);
+
+	gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+	gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_main));
+	g_signal_connect_swapped(dialog, "response",
+				 G_CALLBACK(gtk_widget_destroy),
+				 dialog);
+	gtk_widget_show(dialog);
+}
+
+static void callback_creds_prompt(GtkWidget *widget,
+				  gpointer data,
+				  const char *label_string,
+				  gpointer cont_fn)
+{
+	GtkWidget *window;
+	GtkWidget *box1;
+	GtkWidget *bbox;
+	GtkWidget *button;
+	GtkWidget *label;
+
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_creds_prompt\n");
+
+	window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+	gtk_window_set_modal(GTK_WINDOW(window), TRUE);
+
+	gtk_window_set_title(GTK_WINDOW(window), "Computer Name Changes");
+	gtk_window_set_resizable(GTK_WINDOW(window), FALSE);
+	gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER);
+	gtk_widget_set_size_request(GTK_WIDGET(window), 380, 280);
+	gtk_window_set_icon_from_file(GTK_WINDOW(window), SAMBA_ICON_PATH, NULL);
+	gtk_window_set_transient_for(GTK_WINDOW(window), GTK_WINDOW(state->window_do_change));
+	gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER_ALWAYS);
+
+	g_signal_connect(G_OBJECT(window), "delete_event",
+			 G_CALLBACK(callback_do_close_widget), NULL);
+
+	state->window_creds_prompt = window;
+	gtk_container_set_border_width(GTK_CONTAINER(window), 10);
+
+	box1 = gtk_vbox_new(FALSE, 0);
+
+	gtk_container_add(GTK_CONTAINER(window), box1);
+
+	label = gtk_label_new(label_string);
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_label_set_line_wrap(GTK_LABEL(label), TRUE);
+
+	gtk_box_pack_start(GTK_BOX(box1), label, FALSE, FALSE, 0);
+
+	gtk_widget_show(label);
+
+	/* USER NAME */
+	label = gtk_label_new("User name:");
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_box_pack_start(GTK_BOX(box1), label, FALSE, FALSE, 0);
+	gtk_widget_show(label);
+
+	state->entry_account = gtk_entry_new();
+	gtk_entry_set_max_length(GTK_ENTRY(state->entry_account), MAX_CRED_LEN);
+	g_signal_connect(G_OBJECT(state->entry_account), "activate",
+			 G_CALLBACK(callback_return_username_and_enter),
+			 (gpointer)state);
+	gtk_editable_select_region(GTK_EDITABLE(state->entry_account),
+				   0, GTK_ENTRY(state->entry_account)->text_length);
+	gtk_box_pack_start(GTK_BOX(box1), state->entry_account, TRUE, TRUE, 0);
+	gtk_widget_show(state->entry_account);
+
+	/* PASSWORD */
+	label = gtk_label_new("Password:");
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_box_pack_start(GTK_BOX(box1), label, FALSE, FALSE, 0);
+	gtk_widget_show(label);
+
+	state->entry_password = gtk_entry_new();
+	gtk_entry_set_max_length(GTK_ENTRY(state->entry_password), MAX_CRED_LEN);
+	gtk_entry_set_visibility(GTK_ENTRY(state->entry_password), FALSE);
+	g_signal_connect(G_OBJECT(state->entry_password), "activate",
+			 G_CALLBACK(callback_return_password_and_enter),
+			 (gpointer)state);
+	gtk_editable_set_editable(GTK_EDITABLE(state->entry_password), TRUE);
+	gtk_editable_select_region(GTK_EDITABLE(state->entry_password),
+				   0, GTK_ENTRY(state->entry_password)->text_length);
+	gtk_box_pack_start(GTK_BOX(box1), state->entry_password, TRUE, TRUE, 0);
+	gtk_widget_show(state->entry_password);
+
+	/* BUTTONS */
+	bbox = gtk_hbutton_box_new();
+	gtk_container_set_border_width(GTK_CONTAINER(bbox), 5);
+	gtk_container_add(GTK_CONTAINER(box1), bbox);
+	gtk_button_box_set_layout(GTK_BUTTON_BOX(bbox), GTK_BUTTONBOX_END);
+	gtk_box_set_spacing(GTK_BOX(bbox), 10);
+
+	state->button_ok_creds = gtk_button_new_from_stock(GTK_STOCK_OK);
+	gtk_widget_grab_focus(GTK_WIDGET(state->button_ok_creds));
+	gtk_container_add(GTK_CONTAINER(bbox), state->button_ok_creds);
+	g_signal_connect(G_OBJECT(state->button_ok_creds), "clicked",
+			 G_CALLBACK(cont_fn),
+			 (gpointer)state);
+	gtk_widget_show(state->button_ok_creds);
+
+	button = gtk_button_new_from_stock(GTK_STOCK_CANCEL);
+	gtk_container_add(GTK_CONTAINER(bbox), button);
+	g_signal_connect(G_OBJECT(button), "clicked",
+			 G_CALLBACK(callback_do_freeauth),
+			 (gpointer)state);
+	gtk_widget_show_all(window);
+}
+
+static void callback_do_join(GtkWidget *widget,
+			     gpointer data)
+{
+	GtkWidget *dialog;
+
+	NET_API_STATUS status;
+	const char *err_str = NULL;
+	uint32_t join_flags = 0;
+	uint32_t unjoin_flags = 0;
+	gboolean domain_join = FALSE;
+	gboolean try_unjoin = FALSE;
+	gboolean join_creds_required = TRUE;
+	gboolean unjoin_creds_required = TRUE;
+	const char *new_workgroup_type = NULL;
+	const char *initial_workgroup_type = NULL;
+	const char *account_ou = NULL;
+
+	struct join_state *state = (struct join_state *)data;
+
+	if (state->hostname_changed) {
+		callback_do_hostname_change(NULL, state);
+		return;
+	}
+
+	switch (state->name_type_initial) {
+		case NetSetupWorkgroupName:
+			initial_workgroup_type = "workgroup";
+			break;
+		case NetSetupDomainName:
+			initial_workgroup_type = "domain";
+			break;
+		default:
+			break;
+	}
+
+	switch (state->name_type_new) {
+		case NetSetupWorkgroupName:
+			new_workgroup_type = "workgroup";
+			break;
+		case NetSetupDomainName:
+			new_workgroup_type = "domain";
+			break;
+		default:
+			break;
+	}
+
+	account_ou = gtk_combo_box_get_active_text(GTK_COMBO_BOX(state->entry_ou_list));
+	if (account_ou && strlen(account_ou) == 0) {
+		account_ou = NULL;
+	}
+
+	if ((state->name_type_initial != NetSetupDomainName) &&
+	    (state->name_type_new != NetSetupDomainName)) {
+		join_creds_required = FALSE;
+		unjoin_creds_required = FALSE;
+	}
+
+	if (state->name_type_new == NetSetupDomainName) {
+		domain_join = TRUE;
+		join_creds_required = TRUE;
+		join_flags = NETSETUP_JOIN_DOMAIN |
+			     NETSETUP_ACCT_CREATE |
+			     NETSETUP_DOMAIN_JOIN_IF_JOINED; /* for testing */
+	}
+
+	if ((state->name_type_initial == NetSetupDomainName) &&
+	    (state->name_type_new == NetSetupWorkgroupName)) {
+		try_unjoin = TRUE;
+		unjoin_creds_required = TRUE;
+		join_creds_required = FALSE;
+		unjoin_flags = NETSETUP_JOIN_DOMAIN |
+			       NETSETUP_ACCT_DELETE;
+	}
+
+	if (try_unjoin) {
+
+		debug("callback_do_join: Unjoining\n");
+
+		if (unjoin_creds_required) {
+			if (!state->account || !state->password) {
+				debug("callback_do_join: no creds yet\n");
+				callback_creds_prompt(NULL, state,
+						      "Enter the name and password of an account with permission to leave the domain.",
+						      callback_do_storeauth_and_continue);
+			}
+
+			if (!state->account || !state->password) {
+				debug("callback_do_join: still no creds???\n");
+				return;
+			}
+		}
+
+		status = NetUnjoinDomain(state->target_hostname,
+					 state->account,
+					 state->password,
+					 unjoin_flags);
+		if (status != 0) {
+			callback_do_freeauth(NULL, state);
+			err_str = libnetapi_get_error_string(state->ctx, status);
+			g_print("callback_do_join: failed to unjoin (%s)\n",
+				err_str);
+#if 0
+
+	/* in fact we shouldn't annoy the user with an error message here */
+
+			dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+							GTK_DIALOG_DESTROY_WITH_PARENT,
+							GTK_MESSAGE_ERROR,
+							GTK_BUTTONS_CLOSE,
+							"The following error occured attempting to unjoin the %s: \"%s\": %s",
+							initial_workgroup_type,
+							state->name_buffer_initial,
+							err_str);
+			gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+			gtk_dialog_run(GTK_DIALOG(dialog));
+			gtk_widget_destroy(dialog);
+#endif
+		}
+
+	}
+
+	/* before prompting for creds, make sure we can find a dc */
+
+	if (domain_join) {
+
+		struct DOMAIN_CONTROLLER_INFO *dc_info = NULL;
+
+		status = DsGetDcName(NULL,
+				     state->name_buffer_new,
+				     NULL,
+				     NULL,
+				     0,
+				     &dc_info);
+		if (status != 0) {
+			err_str = libnetapi_get_error_string(state->ctx, status);
+			g_print("callback_do_join: failed find dc (%s)\n", err_str);
+
+			dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+							GTK_DIALOG_DESTROY_WITH_PARENT,
+							GTK_MESSAGE_ERROR,
+							GTK_BUTTONS_CLOSE,
+							"Failed to find a domain controller for domain: \"%s\": %s",
+							state->name_buffer_new,
+							err_str);
+
+			gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+			gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+			g_signal_connect_swapped(dialog, "response",
+						 G_CALLBACK(gtk_widget_destroy),
+						 dialog);
+
+			gtk_widget_show(dialog);
+
+			return;
+		}
+	}
+
+	if (join_creds_required) {
+		if (!state->account || !state->password) {
+			debug("callback_do_join: no creds yet\n");
+			callback_creds_prompt(NULL, state,
+					      "Enter the name and password of an account with permission to leave the domain.",
+					      callback_do_storeauth_and_continue);
+		}
+
+		if (!state->account || !state->password) {
+			debug("callback_do_join: still no creds???\n");
+			return;
+		}
+	}
+
+	debug("callback_do_join: Joining a %s named %s using join_flags 0x%08x ",
+		new_workgroup_type,
+		state->name_buffer_new,
+		join_flags);
+	if (domain_join) {
+		debug("as %s ", state->account);
+#ifdef DEBUG_PASSWORD
+		debug("with %s ", state->password);
+#endif
+	}
+	debug("\n");
+
+	status = NetJoinDomain(state->target_hostname,
+			       state->name_buffer_new,
+			       account_ou,
+			       state->account,
+			       state->password,
+			       join_flags);
+	if (status != 0) {
+		callback_do_freeauth(NULL, state);
+		err_str = libnetapi_get_error_string(state->ctx, status);
+		g_print("callback_do_join: failed to join (%s)\n", err_str);
+
+		dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+						GTK_DIALOG_DESTROY_WITH_PARENT,
+						GTK_MESSAGE_ERROR,
+						GTK_BUTTONS_CLOSE,
+						"The following error occured attempting to join the %s: \"%s\": %s",
+						new_workgroup_type,
+						state->name_buffer_new,
+						err_str);
+
+		gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+		gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+		g_signal_connect_swapped(dialog, "response",
+					 G_CALLBACK(gtk_widget_destroy),
+					 dialog);
+
+		gtk_widget_show(dialog);
+
+		return;
+	}
+
+	debug("callback_do_join: Successfully joined %s\n",
+		new_workgroup_type);
+
+	callback_do_freeauth(NULL, state);
+	dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+					GTK_DIALOG_DESTROY_WITH_PARENT,
+					GTK_MESSAGE_INFO,
+					GTK_BUTTONS_OK,
+					"Welcome to the %s %s.",
+					state->name_buffer_new,
+					new_workgroup_type);
+
+	gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+	gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+	gtk_dialog_run(GTK_DIALOG(dialog));
+	gtk_widget_destroy(dialog);
+
+	callback_do_reboot(NULL, state->window_parent, state);
+}
+
+static void callback_enter_hostname_and_unlock(GtkWidget *widget,
+					       gpointer data)
+{
+	const gchar *entry_text = NULL;
+	char *str = NULL;
+	struct join_state *state = (struct join_state *)data;
+
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	debug("callback_enter_hostname_and_unlock: %s\n", entry_text);
+	if (!entry_text || entry_text[0] == 0) {
+		state->hostname_changed = FALSE;
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		return;
+	}
+	if (strcasecmp(state->my_hostname, entry_text) == 0) {
+		state->hostname_changed = FALSE;
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		/* return; */
+	} else {
+		state->hostname_changed = TRUE;
+	}
+
+	if (state->name_type_initial == NetSetupDomainName) {
+		if (asprintf(&str, "%s.%s", entry_text, state->my_dnsdomain) == -1) {
+			return;
+		}
+	} else {
+		if (asprintf(&str, "%s.", entry_text) == -1) {
+			return;
+		}
+	}
+	gtk_label_set_text(GTK_LABEL(state->label_full_computer_name), str);
+	free(str);
+
+	if (state->hostname_changed && str && str[0] != 0 && str[0] != '.') {
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), TRUE);
+	}
+}
+
+static void callback_enter_computer_description_and_unlock(GtkWidget *widget,
+							   gpointer data)
+{
+	const gchar *entry_text = NULL;
+	struct join_state *state = (struct join_state *)data;
+	int string_unchanged = FALSE;
+
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	debug("callback_enter_computer_description_and_unlock: %s\n",
+		entry_text);
+#if 0
+	if (!entry_text || entry_text[0] == 0) {
+		string_unchanged = 1;
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_apply),
+					 FALSE);
+		return;
+	}
+#endif
+	if (entry_text && state->comment && strcasecmp(state->comment, entry_text) == 0) {
+		string_unchanged = TRUE;
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_apply),
+					 FALSE);
+		return;
+	}
+
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_apply), TRUE);
+	SAFE_FREE(state->comment_new);
+	state->comment_new = strdup(entry_text);
+
+}
+
+
+static void callback_enter_workgroup_and_unlock(GtkWidget *widget,
+						gpointer data)
+{
+	const gchar *entry_text = NULL;
+	struct join_state *state = (struct join_state *)data;
+
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	debug("callback_enter_workgroup_and_unlock: %s\n", entry_text);
+	if (!entry_text || entry_text[0] == 0) {
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		return;
+	}
+	if (strcasecmp(state->name_buffer_initial, entry_text) == 0) {
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		return;
+	}
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), TRUE);
+	SAFE_FREE(state->name_buffer_new);
+	state->name_buffer_new = strdup(entry_text);
+	state->name_type_new = NetSetupWorkgroupName;
+}
+
+static void callback_enter_domain_and_unlock(GtkWidget *widget,
+					     gpointer data)
+{
+	const gchar *entry_text = NULL;
+	struct join_state *state = (struct join_state *)data;
+
+	entry_text = gtk_entry_get_text(GTK_ENTRY(widget));
+	debug("callback_enter_domain_and_unlock: %s\n", entry_text);
+	if (!entry_text || entry_text[0] == 0) {
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		return;
+	}
+	if (strcasecmp(state->name_buffer_initial, entry_text) == 0) {
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+		return;
+	}
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), TRUE);
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_ou_list), TRUE);
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_get_ous), TRUE);
+	SAFE_FREE(state->name_buffer_new);
+	state->name_buffer_new = strdup(entry_text);
+	state->name_type_new = NetSetupDomainName;
+}
+
+static void callback_apply_continue(GtkWidget *widget,
+				    gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+
+	gtk_widget_grab_focus(GTK_WIDGET(state->button_apply));
+	g_signal_emit_by_name(state->button_apply, "clicked");
+}
+
+static void callback_do_join_workgroup(GtkWidget *widget,
+				       gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+	debug("callback_do_join_workgroup choosen\n");
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_workgroup), TRUE);
+	gtk_widget_grab_focus(GTK_WIDGET(state->entry_workgroup));
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_domain), FALSE);
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_ou_list), FALSE);
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_get_ous), FALSE);
+	callback_enter_workgroup_and_unlock(state->entry_workgroup, state); /* TEST */
+}
+
+static void callback_do_join_domain(GtkWidget *widget,
+				    gpointer data)
+{
+	struct join_state *state = (struct join_state *)data;
+	debug("callback_do_join_domain choosen\n");
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_domain), TRUE);
+	gtk_widget_grab_focus(GTK_WIDGET(state->entry_domain));
+	gtk_widget_set_sensitive(GTK_WIDGET(state->entry_workgroup), FALSE);
+	callback_enter_domain_and_unlock(state->entry_domain, state); /* TEST */
+}
+
+static void callback_do_getous(GtkWidget *widget,
+			       gpointer data)
+{
+	NET_API_STATUS status;
+	uint32_t num_ous = 0;
+	const char **ous = NULL;
+	int i;
+	const char *domain = NULL;
+	struct DOMAIN_CONTROLLER_INFO *dc_info = NULL;
+	const char *err_str = NULL;
+	GtkWidget *dialog;
+
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_getous called\n");
+
+	domain = state->name_buffer_new ? state->name_buffer_new : state->name_buffer_initial;
+
+	status = DsGetDcName(NULL,
+			     domain,
+			     NULL,
+			     NULL,
+			     0,
+			     &dc_info);
+	if (status != 0) {
+		err_str = libnetapi_get_error_string(state->ctx, status);
+		g_print("callback_do_getous: failed find dc (%s)\n", err_str);
+
+		dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_parent),
+						GTK_DIALOG_DESTROY_WITH_PARENT,
+						GTK_MESSAGE_ERROR,
+						GTK_BUTTONS_CLOSE,
+						"Failed to find a domain controller for domain: \"%s\": %s",
+						domain,
+						err_str);
+
+		gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+		gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+		g_signal_connect_swapped(dialog, "response",
+					 G_CALLBACK(gtk_widget_destroy),
+					 dialog);
+
+		gtk_widget_show(dialog);
+
+		return;
+	}
+
+	if (!state->account || !state->password) {
+		debug("callback_do_getous: no creds yet\n");
+		callback_creds_prompt(NULL, state,
+				      "Enter the name and password of an account with permission to join the domain.",
+				      callback_do_storeauth_and_scan);
+	}
+
+	if (!state->account || !state->password) {
+		debug("callback_do_getous: still no creds ???\n");
+		return;
+	}
+
+	status = NetGetJoinableOUs(state->target_hostname,
+				   domain,
+				   state->account,
+				   state->password,
+				   &num_ous, &ous);
+	if (status != NET_API_STATUS_SUCCESS) {
+		callback_do_freeauth(NULL, state);
+		debug("failed to call NetGetJoinableOUs: %s\n",
+			libnetapi_get_error_string(state->ctx, status));
+		dialog = gtk_message_dialog_new(NULL,
+						GTK_DIALOG_DESTROY_WITH_PARENT,
+						GTK_MESSAGE_INFO,
+						GTK_BUTTONS_OK,
+						"Failed to query joinable OUs: %s",
+						libnetapi_get_error_string(state->ctx, status));
+		gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+		gtk_window_set_transient_for(GTK_WINDOW(dialog), GTK_WINDOW(state->window_do_change));
+		gtk_dialog_run(GTK_DIALOG(dialog));
+		gtk_widget_destroy(dialog);
+		return;
+	}
+
+	for (i=0; i<state->stored_num_ous; i++) {
+		gtk_combo_box_remove_text(GTK_COMBO_BOX(state->entry_ou_list), 0);
+	}
+	for (i=0; i<num_ous && ous[i] != NULL; i++) {
+		gtk_combo_box_append_text(GTK_COMBO_BOX(state->entry_ou_list),
+					  ous[i]);
+	}
+	NetApiBufferFree(ous);
+	state->stored_num_ous = num_ous;
+	gtk_combo_box_set_active(GTK_COMBO_BOX(state->entry_ou_list), num_ous-1);
+}
+
+static void callback_do_change(GtkWidget *widget,
+			       gpointer data)
+{
+	GtkWidget *window;
+	GtkWidget *box1;
+	GtkWidget *bbox;
+	GtkWidget *button_workgroup;
+	GtkWidget *button_domain;
+	GtkWidget *button;
+	GtkWidget *label;
+	GtkWidget *frame_horz;
+	GtkWidget *vbox;
+	GtkWidget *entry;
+	GSList *group;
+
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_change called\n");
+
+#if 0
+	/* FIXME: add proper warnings for Samba as a DC */
+	if (state->server_role == 3) {
+		GtkWidget *dialog;
+		callback_do_freeauth(NULL, state);
+		dialog = gtk_message_dialog_new(GTK_WINDOW(state->window_main),
+						GTK_DIALOG_DESTROY_WITH_PARENT,
+						GTK_MESSAGE_ERROR,
+						GTK_BUTTONS_OK,
+						"Domain controller cannot be moved from one domain to another, they must first be demoted. Renaming this domain controller may cause it to become temporarily unavailable to users and computers. For information on renaming domain controllers, including alternate renaming methods, see Help and Support. To continue renaming this domain controller, click OK.");
+		gtk_window_set_modal(GTK_WINDOW(dialog), TRUE);
+		g_signal_connect_swapped(dialog, "response",
+					 G_CALLBACK(gtk_widget_destroy),
+					 dialog);
+
+		gtk_widget_show(dialog);
+		return;
+	}
+#endif
+
+	state->button_ok = gtk_button_new_from_stock(GTK_STOCK_OK);
+	state->button_get_ous = gtk_button_new_with_label("Scan for joinable OUs");
+	window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+	gtk_window_set_modal(GTK_WINDOW(window), TRUE);
+
+	gtk_window_set_title(GTK_WINDOW(window), "Computer Name Changes");
+	gtk_window_set_resizable(GTK_WINDOW(window), FALSE);
+	gtk_widget_set_size_request(GTK_WIDGET(window), 480, 650);
+	gtk_window_set_icon_from_file(GTK_WINDOW(window), SAMBA_ICON_PATH, NULL);
+	gtk_window_set_transient_for(GTK_WINDOW(window), GTK_WINDOW(state->window_main));
+	gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER_ALWAYS);
+
+	g_signal_connect(G_OBJECT(window), "delete_event",
+			 G_CALLBACK(callback_do_close_widget), NULL);
+
+	gtk_container_set_border_width(GTK_CONTAINER(window), 10);
+
+	box1 = gtk_vbox_new(FALSE, 0);
+	gtk_container_add(GTK_CONTAINER(window), box1);
+
+	label = gtk_label_new("You can change the name and membership of this computer. Changes may affect access to network ressources.");
+	gtk_label_set_line_wrap(GTK_LABEL(label), TRUE);
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_box_pack_start(GTK_BOX(box1), label, TRUE, TRUE, 0);
+	gtk_widget_show(label);
+
+	/* COMPUTER NAME */
+	label = gtk_label_new("Computer name:");
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_box_pack_start(GTK_BOX(box1), label, TRUE, TRUE, 0);
+	gtk_widget_show(label);
+
+	state->label_full_computer_name = gtk_label_new(NULL);
+	{
+		entry = gtk_entry_new();
+		gtk_entry_set_max_length(GTK_ENTRY(entry), MAX_NETBIOS_NAME_LEN);
+		g_signal_connect(G_OBJECT(entry), "changed",
+				 G_CALLBACK(callback_enter_hostname_and_unlock),
+				 (gpointer)state);
+		gtk_entry_set_text(GTK_ENTRY(entry), state->my_hostname);
+		gtk_editable_select_region(GTK_EDITABLE(entry),
+					   0, GTK_ENTRY(entry)->text_length);
+
+		gtk_editable_set_editable(GTK_EDITABLE(entry), TRUE); /* ! */
+		gtk_box_pack_start(GTK_BOX(box1), entry, TRUE, TRUE, 0);
+		gtk_widget_show(entry);
+	}
+
+	/* FULL COMPUTER NAME */
+	label = gtk_label_new("Full computer name:");
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_box_pack_start(GTK_BOX(box1), label, TRUE, TRUE, 0);
+	gtk_widget_show(label);
+
+	{
+		const gchar *entry_text;
+		char *str = NULL;
+		entry_text = gtk_entry_get_text(GTK_ENTRY(entry));
+		if (state->name_type_initial == NetSetupDomainName) {
+			if (asprintf(&str, "%s.%s", entry_text,
+				 state->my_dnsdomain) == -1) {
+				return;
+			}
+		} else {
+			if (asprintf(&str, "%s.", entry_text) == -1) {
+				return;
+			}
+		}
+		gtk_label_set_text(GTK_LABEL(state->label_full_computer_name),
+				   str);
+		free(str);
+		gtk_misc_set_alignment(GTK_MISC(state->label_full_computer_name), 0, 0);
+		gtk_box_pack_start(GTK_BOX(box1),
+				   state->label_full_computer_name, TRUE, TRUE, 0);
+		gtk_widget_show(state->label_full_computer_name);
+	}
+
+	/* BOX */
+	frame_horz = gtk_frame_new ("Member Of");
+	gtk_box_pack_start(GTK_BOX(box1), frame_horz, TRUE, TRUE, 10);
+
+	vbox = gtk_vbox_new(FALSE, 0);
+	gtk_container_set_border_width(GTK_CONTAINER(vbox), 10);
+	gtk_container_add(GTK_CONTAINER(frame_horz), vbox);
+
+	/* TWO ENTRIES */
+	state->entry_workgroup = gtk_entry_new();
+	state->entry_domain = gtk_entry_new();
+
+	/* DOMAIN */
+	button_domain = gtk_radio_button_new_with_label(NULL, "Domain");
+	if (state->name_type_initial == NetSetupDomainName) {
+		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(button_domain), TRUE);
+	}
+	gtk_box_pack_start(GTK_BOX(vbox), button_domain, TRUE, TRUE, 0);
+	g_signal_connect(G_OBJECT(button_domain), "clicked",
+			 G_CALLBACK(callback_do_join_domain),
+			 (gpointer)state);
+
+	{
+		gtk_entry_set_max_length(GTK_ENTRY(state->entry_domain), 50);
+		g_signal_connect(G_OBJECT(state->entry_domain), "changed",
+				 G_CALLBACK(callback_enter_domain_and_unlock),
+				 (gpointer)state);
+		g_signal_connect(G_OBJECT(state->entry_domain), "activate",
+				 G_CALLBACK(callback_continue),
+				 (gpointer)state);
+		if (state->name_type_initial == NetSetupDomainName) {
+			gtk_entry_set_text(GTK_ENTRY(state->entry_domain),
+					   state->name_buffer_initial);
+			gtk_widget_set_sensitive(state->entry_workgroup, FALSE);
+			gtk_widget_set_sensitive(state->entry_domain, TRUE);
+		}
+		gtk_editable_set_editable(GTK_EDITABLE(state->entry_domain), TRUE);
+		gtk_box_pack_start(GTK_BOX(vbox), state->entry_domain, TRUE, TRUE, 0);
+		gtk_widget_show(state->entry_domain);
+	}
+	gtk_widget_show(button_domain);
+
+	/* WORKGROUP */
+	group = gtk_radio_button_get_group(GTK_RADIO_BUTTON(button_domain));
+	button_workgroup = gtk_radio_button_new_with_label(group, "Workgroup");
+	if (state->name_type_initial == NetSetupWorkgroupName) {
+		gtk_toggle_button_set_active(GTK_TOGGLE_BUTTON(button_workgroup), TRUE);
+	}
+	gtk_box_pack_start(GTK_BOX(vbox), button_workgroup, TRUE, TRUE, 0);
+	g_signal_connect(G_OBJECT(button_workgroup), "clicked",
+			 G_CALLBACK(callback_do_join_workgroup),
+			 (gpointer)state);
+	{
+		gtk_entry_set_max_length(GTK_ENTRY(state->entry_workgroup),
+					 MAX_NETBIOS_NAME_LEN);
+		g_signal_connect(G_OBJECT(state->entry_workgroup), "changed",
+				 G_CALLBACK(callback_enter_workgroup_and_unlock),
+				 (gpointer)state);
+		g_signal_connect(G_OBJECT(state->entry_workgroup), "activate",
+				 G_CALLBACK(callback_continue),
+				 (gpointer)state);
+
+		if (state->name_type_initial == NetSetupWorkgroupName) {
+			gtk_entry_set_text(GTK_ENTRY(state->entry_workgroup),
+					   state->name_buffer_initial);
+			gtk_widget_set_sensitive(GTK_WIDGET(state->entry_domain), FALSE);
+			gtk_widget_set_sensitive(GTK_WIDGET(state->entry_workgroup), TRUE);
+		}
+		gtk_box_pack_start(GTK_BOX(vbox), state->entry_workgroup, TRUE, TRUE, 0);
+		gtk_widget_show(state->entry_workgroup);
+	}
+	gtk_widget_show(button_workgroup);
+
+	/* Advanced Options */
+	frame_horz = gtk_frame_new("Advanced Options");
+	gtk_box_pack_start(GTK_BOX(box1), frame_horz, TRUE, TRUE, 10);
+
+	vbox = gtk_vbox_new(FALSE, 0);
+	gtk_container_set_border_width(GTK_CONTAINER(vbox), 10);
+	gtk_container_add(GTK_CONTAINER(frame_horz), vbox);
+
+	/* OUs */
+	gtk_container_add(GTK_CONTAINER(vbox), state->button_get_ous);
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_get_ous), FALSE);
+	g_signal_connect(G_OBJECT(state->button_get_ous), "clicked",
+			 G_CALLBACK(callback_do_getous),
+			 (gpointer)state);
+
+	state->entry_ou_list = gtk_combo_box_entry_new_text();
+	gtk_widget_set_sensitive(state->entry_ou_list, FALSE);
+	if (state->name_type_initial == NetSetupWorkgroupName) {
+		gtk_widget_set_sensitive(state->entry_ou_list, FALSE);
+		gtk_widget_set_sensitive(state->button_get_ous, FALSE);
+	}
+	gtk_box_pack_start(GTK_BOX(vbox), state->entry_ou_list, TRUE, TRUE, 0);
+	gtk_widget_show(state->entry_ou_list);
+
+	{
+		state->label_winbind = gtk_check_button_new_with_label("Modify winbind configuration");
+		gtk_box_pack_start(GTK_BOX(vbox), state->label_winbind, TRUE, TRUE, 0);
+		gtk_widget_set_sensitive(state->label_winbind, FALSE);
+	}
+
+
+	/* BUTTONS */
+	bbox = gtk_hbutton_box_new();
+	gtk_container_set_border_width(GTK_CONTAINER(bbox), 5);
+	gtk_container_add(GTK_CONTAINER(box1), bbox);
+	gtk_button_box_set_layout(GTK_BUTTON_BOX(bbox), GTK_BUTTONBOX_END);
+	gtk_box_set_spacing(GTK_BOX(bbox), 10);
+
+	state->window_do_change = window;
+	gtk_widget_set_sensitive(GTK_WIDGET(state->button_ok), FALSE);
+	gtk_container_add(GTK_CONTAINER(bbox), state->button_ok);
+	g_signal_connect(G_OBJECT(state->button_ok), "clicked",
+			 G_CALLBACK(callback_do_join),
+			 (gpointer)state);
+
+	button = gtk_button_new_from_stock(GTK_STOCK_CANCEL);
+	gtk_container_add(GTK_CONTAINER(bbox), button);
+	g_signal_connect(G_OBJECT(button), "clicked",
+			 G_CALLBACK(callback_do_freeauth_and_close),
+			 (gpointer)state);
+
+	gtk_widget_show_all(window);
+}
+
+static void callback_do_about(GtkWidget *widget,
+			     gpointer data)
+{
+	GdkPixbuf *logo;
+	GError    *error = NULL;
+	GtkWidget *about;
+
+	struct join_state *state = (struct join_state *)data;
+
+	debug("callback_do_about called\n");
+
+	logo = gdk_pixbuf_new_from_file(SAMBA_IMAGE_PATH,
+	                                &error);
+	if (logo == NULL) {
+		g_print("failed to load logo from %s: %s\n",
+			SAMBA_IMAGE_PATH, error->message);
+	}
+
+	about = gtk_about_dialog_new();
+	gtk_about_dialog_set_name(GTK_ABOUT_DIALOG(about), "Samba");
+	gtk_about_dialog_set_version(GTK_ABOUT_DIALOG(about), "3.2.0pre3");
+	gtk_about_dialog_set_copyright(GTK_ABOUT_DIALOG(about),
+		"Copyright Andrew Tridgell and the Samba Team 1992-2008\n"
+		"Copyright Günther Deschner 2007-2008");
+	gtk_about_dialog_set_license(GTK_ABOUT_DIALOG(about), "GPLv3");
+	gtk_about_dialog_set_website(GTK_ABOUT_DIALOG(about), "http://www.samba.org");
+	gtk_about_dialog_set_website_label(GTK_ABOUT_DIALOG(about), "http://www.samba.org");
+	if (logo) {
+		gtk_about_dialog_set_logo(GTK_ABOUT_DIALOG(about), logo);
+	}
+	gtk_about_dialog_set_comments(GTK_ABOUT_DIALOG(about), "Samba gtk domain join utility");
+	gtk_window_set_modal(GTK_WINDOW(about), TRUE);
+	gtk_window_set_transient_for(GTK_WINDOW(about), GTK_WINDOW(state->window_main));
+	g_signal_connect_swapped(about, "response",
+				 G_CALLBACK(gtk_widget_destroy),
+				 about);
+
+	gtk_widget_show(about);
+}
+
+static int draw_main_window(struct join_state *state)
+{
+	GtkWidget *window;
+	GtkWidget *button;
+	GtkWidget *label;
+	GtkWidget *main_vbox;
+	GtkWidget *vbox;
+	GtkWidget *hbox;
+	GtkWidget *bbox;
+	GtkWidget *image;
+	GtkWidget *table;
+	GtkWidget *entry;
+	GdkPixbuf *icon;
+	GError    *error = NULL;
+
+	icon = gdk_pixbuf_new_from_file(SAMBA_ICON_PATH,
+	                                &error);
+	if (icon == NULL) {
+		g_print("failed to load icon from %s : %s\n",
+			SAMBA_ICON_PATH, error->message);
+	}
+
+#if 1
+	image = gtk_image_new_from_file(SAMBA_IMAGE_PATH_SMALL);
+#else
+	image = gtk_image_new_from_file("/usr/share/pixmaps/redhat-system_settings.png");
+#endif
+	if (image == NULL) {
+		g_print("failed to load logo from %s : %s\n",
+			SAMBA_IMAGE_PATH_SMALL, error->message);
+	}
+
+	window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+	state->window_main = window;
+
+	gtk_window_set_title(GTK_WINDOW(window), "Samba - Join Domain dialogue");
+	gtk_widget_set_size_request(GTK_WIDGET(window), 600, 600);
+	gtk_window_set_resizable(GTK_WINDOW(window), FALSE);
+	gtk_window_set_icon_from_file(GTK_WINDOW(window), SAMBA_ICON_PATH, NULL);
+	gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER_ALWAYS);
+
+	g_signal_connect(G_OBJECT(window), "delete_event",
+			 G_CALLBACK(callback_delete_event), NULL);
+
+	gtk_container_set_border_width(GTK_CONTAINER(window), 10);
+
+	main_vbox = gtk_vbox_new(FALSE, 10);
+	gtk_container_add(GTK_CONTAINER(window), main_vbox);
+
+#if 0
+	gtk_box_pack_start(GTK_BOX(main_vbox), image, TRUE, TRUE, 10);
+	gtk_widget_show(image);
+#endif
+	/* Hbox */
+	hbox = gtk_hbox_new(FALSE, 10);
+	gtk_container_add(GTK_CONTAINER(main_vbox), hbox);
+
+	{
+/*		gtk_box_pack_start(GTK_BOX(main_vbox), image, TRUE, TRUE, 10); */
+/*		gtk_misc_set_alignment(GTK_MISC(image), 0, 0); */
+		gtk_widget_set_size_request(GTK_WIDGET(image), 150, 40);
+		gtk_box_pack_start(GTK_BOX(hbox), image, FALSE, FALSE, 10);
+		gtk_widget_show(image);
+
+		/* Label */
+		label = gtk_label_new("Samba uses the following information to identify your computer on the network.");
+/*		gtk_misc_set_alignment(GTK_MISC(label), 0, 0); */
+		gtk_widget_set_size_request(GTK_WIDGET(label), 400, 40);
+		gtk_label_set_line_wrap(GTK_LABEL(label), TRUE);
+		gtk_box_pack_start(GTK_BOX(hbox), label, FALSE, FALSE, 0);
+		gtk_widget_show(label);
+	}
+
+	gtk_widget_show(hbox);
+
+	vbox = gtk_vbox_new(FALSE, 0);
+	gtk_container_set_border_width(GTK_CONTAINER(vbox), 10);
+	gtk_container_add(GTK_CONTAINER(main_vbox), vbox);
+
+	/* Table */
+	table = gtk_table_new(6, 3, TRUE);
+	gtk_table_set_row_spacings(GTK_TABLE(table), 5);
+	gtk_table_set_col_spacings(GTK_TABLE(table), 5);
+	gtk_container_add(GTK_CONTAINER(vbox), table);
+
+	{
+		/* Label */
+		label = gtk_label_new("Computer description:");
+		gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+		gtk_table_attach_defaults(GTK_TABLE(table), label, 0, 1, 0, 1);
+		gtk_widget_show(label);
+
+		state->button_apply = gtk_button_new_from_stock(GTK_STOCK_APPLY);
+
+		/* Entry */
+		entry = gtk_entry_new();
+		gtk_entry_set_max_length(GTK_ENTRY(entry), 256);
+		g_signal_connect(G_OBJECT(entry), "changed",
+				 G_CALLBACK(callback_enter_computer_description_and_unlock),
+				 state);
+		g_signal_connect(G_OBJECT(entry), "activate",
+				 G_CALLBACK(callback_apply_continue),
+				 (gpointer)state);
+
+		gtk_entry_set_text(GTK_ENTRY(entry), (char *)state->comment);
+		gtk_editable_set_editable(GTK_EDITABLE(entry), TRUE); /* ! */
+		gtk_table_attach_defaults(GTK_TABLE(table), entry, 1, 3, 0, 1);
+		gtk_widget_show(entry);
+	}
+
+	/* Label */
+	label = gtk_label_new("For example: \"Samba \%v\".");
+	gtk_label_set_line_wrap(GTK_LABEL(label), TRUE);
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_table_attach_defaults(GTK_TABLE(table), label, 1, 3, 1, 2);
+	gtk_widget_show(label);
+
+	/* Label */
+	label = gtk_label_new("Full computer name:");
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_table_attach_defaults(GTK_TABLE(table), label, 0, 1, 2, 3);
+	gtk_widget_show(label);
+
+	{
+		/* Label */
+		char *str = NULL;
+		if (state->name_type_initial == NetSetupDomainName) {
+			if (asprintf(&str, "%s.%s", state->my_hostname,
+				 state->my_dnsdomain) == -1) {
+				return -1;
+			}
+		} else {
+			if (asprintf(&str, "%s.", state->my_hostname) == -1) {
+				return -1;
+			}
+		}
+
+		label = gtk_label_new(str);
+		SAFE_FREE(str);
+		gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+		gtk_table_attach_defaults(GTK_TABLE(table), label, 1, 3, 2, 3);
+		gtk_widget_show(label);
+	}
+
+	/* Label */
+	if (state->name_type_initial == NetSetupDomainName) {
+		label = gtk_label_new("Domain:");
+	} else {
+		label = gtk_label_new("Workgroup:");
+	}
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_table_attach_defaults(GTK_TABLE(table), label, 0, 1, 3, 4);
+	gtk_widget_show(label);
+	state->label_current_name_type = label;
+
+	/* Label */
+	label = gtk_label_new(state->name_buffer_initial);
+	gtk_misc_set_alignment(GTK_MISC(label), 0, 0);
+	gtk_table_attach_defaults(GTK_TABLE(table), label, 1, 3, 3, 4);
+	gtk_widget_show(label);
+	state->label_current_name_buffer = label;
+
+	{
+		hbox = gtk_hbox_new(FALSE, 0);
+		gtk_container_add(GTK_CONTAINER(vbox), hbox);
+		label = gtk_label_new("To rename this computer or join a domain, click Change.");
+		gtk_box_pack_start(GTK_BOX(hbox), label, FALSE, FALSE, 0);
+
+
+	}
+
+	/* bbox */
+	bbox = gtk_hbutton_box_new();
+	gtk_container_set_border_width(GTK_CONTAINER(bbox), 5);
+	gtk_container_add(GTK_CONTAINER(hbox), bbox);
+	gtk_button_box_set_layout(GTK_BUTTON_BOX(bbox), GTK_BUTTONBOX_END);
+	gtk_box_set_spacing(GTK_BOX(bbox), 10);
+
+	button = gtk_button_new_with_mnemonic("Ch_ange");
+	g_signal_connect(G_OBJECT(button), "clicked",
+			 G_CALLBACK(callback_do_change),
+			 (gpointer)state);
+	gtk_box_pack_start(GTK_BOX(bbox), button, TRUE, TRUE, 0);
+	gtk_widget_show(button);
+
+	/* Label (hidden) */
+	state->label_reboot = gtk_label_new(NULL);
+	gtk_label_set_line_wrap(GTK_LABEL(state->label_reboot), TRUE);
+	gtk_misc_set_alignment(GTK_MISC(state->label_reboot), 0, 0);
+	gtk_box_pack_start(GTK_BOX(vbox), state->label_reboot, TRUE, TRUE, 0);
+	gtk_widget_show(state->label_reboot);
+
+#if 0
+	gtk_box_pack_start(GTK_BOX(vbox),
+	   create_bbox(window, TRUE, NULL, 10, 85, 20, GTK_BUTTONBOX_END),
+		      TRUE, TRUE, 5);
+#endif
+	{
+
+		GtkWidget *frame;
+		GtkWidget *bbox2;
+		GtkWidget *button2;
+
+		frame = gtk_frame_new(NULL);
+		bbox2 = gtk_hbutton_box_new();
+
+		gtk_container_set_border_width(GTK_CONTAINER(bbox2), 5);
+		gtk_container_add(GTK_CONTAINER(frame), bbox2);
+
+		/* Set the appearance of the Button Box */
+		gtk_button_box_set_layout(GTK_BUTTON_BOX(bbox2), GTK_BUTTONBOX_END);
+		gtk_box_set_spacing(GTK_BOX(bbox2), 10);
+		/*gtk_button_box_set_child_size(GTK_BUTTON_BOX(bbox2), child_w, child_h);*/
+
+		button2 = gtk_button_new_from_stock(GTK_STOCK_OK);
+		gtk_container_add(GTK_CONTAINER(bbox2), button2);
+		g_signal_connect(G_OBJECT(button2), "clicked", G_CALLBACK(callback_do_exit), state);
+
+		button2 = gtk_button_new_from_stock(GTK_STOCK_CANCEL);
+		gtk_container_add(GTK_CONTAINER(bbox2), button2);
+		g_signal_connect(G_OBJECT(button2), "clicked",
+				 G_CALLBACK(callback_delete_event),
+				 window);
+
+		gtk_container_add(GTK_CONTAINER(bbox2), state->button_apply);
+		g_signal_connect(G_OBJECT(state->button_apply), "clicked",
+				 G_CALLBACK(callback_apply_description_change),
+				 state);
+		gtk_widget_set_sensitive(GTK_WIDGET(state->button_apply), FALSE);
+
+		button2 = gtk_button_new_from_stock(GTK_STOCK_ABOUT);
+		gtk_container_add(GTK_CONTAINER(bbox2), button2);
+		g_signal_connect(G_OBJECT(button2), "clicked",
+				 G_CALLBACK(callback_do_about),
+				 state);
+#if 0
+		button2 = gtk_button_new_from_stock(GTK_STOCK_HELP);
+		gtk_container_add(GTK_CONTAINER(bbox2), button2);
+		g_signal_connect(G_OBJECT(button2), "clicked",
+				 G_CALLBACK(callback_do_about),
+				 window);
+#endif
+		gtk_box_pack_start(GTK_BOX(vbox), frame, TRUE, TRUE, 5);
+	}
+
+	gtk_widget_show_all(window);
+
+	return 0;
+}
+
+static int init_join_state(struct join_state **state)
+{
+	struct join_state *s;
+
+	s = (struct join_state *)malloc(sizeof(struct join_state));
+	if (!s) {
+		return -1;
+	}
+
+	memset(s, '\0', sizeof(struct join_state));
+
+	*state = s;
+
+	return 0;
+}
+
+static NET_API_STATUS get_server_comment(struct join_state *state)
+{
+	struct SERVER_INFO_101 *info101 = NULL;
+	struct SERVER_INFO_1005 *info1005 = NULL;
+	NET_API_STATUS status;
+
+	status = NetServerGetInfo(state->target_hostname,
+				  101,
+				  (uint8_t **)&info101);
+	if (status == 0) {
+		state->comment = strdup(info101->sv101_comment);
+		if (!state->comment) {
+			return -1;
+		}
+		NetApiBufferFree(info101);
+		return NET_API_STATUS_SUCCESS;
+	}
+
+	switch (status) {
+		case 124: /* WERR_UNKNOWN_LEVEL */
+		case 50: /* WERR_NOT_SUPPORTED */
+			break;
+		default:
+			goto failed;
+	}
+
+	status = NetServerGetInfo(state->target_hostname,
+				  1005,
+				  (uint8_t **)&info1005);
+	if (status == 0) {
+		state->comment = strdup(info1005->sv1005_comment);
+		if (!state->comment) {
+			return -1;
+		}
+		NetApiBufferFree(info1005);
+		return NET_API_STATUS_SUCCESS;
+	}
+
+ failed:
+	printf("NetServerGetInfo failed with: %s\n",
+		libnetapi_get_error_string(state->ctx, status));
+
+	return status;
+}
+
+static int initialize_join_state(struct join_state *state,
+				 const char *debug_level,
+				 const char *target_hostname,
+				 const char *target_username)
+{
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status = 0;
+
+	status = libnetapi_init(&ctx);
+	if (status) {
+		return status;
+	}
+
+	if (debug_level) {
+		libnetapi_set_debuglevel(ctx, debug_level);
+	}
+
+	if (target_hostname) {
+		state->target_hostname = strdup(target_hostname);
+		if (!state->target_hostname) {
+			return -1;
+		}
+	}
+
+	if (target_username) {
+		char *puser = strdup(target_username);
+		char *p = NULL;
+
+		if ((p = strchr(puser,'%'))) {
+			size_t len;
+			*p = 0;
+			libnetapi_set_username(ctx, puser);
+			libnetapi_set_password(ctx, p+1);
+			len = strlen(p+1);
+			memset(strchr(target_username,'%')+1,'X',len);
+		} else {
+			libnetapi_set_username(ctx, puser);
+		}
+		free(puser);
+	}
+
+	{
+		char my_hostname[HOST_NAME_MAX];
+		const char *p = NULL;
+		struct hostent *hp = NULL;
+
+		if (gethostname(my_hostname, sizeof(my_hostname)) == -1) {
+			return -1;
+		}
+
+		p = strchr(my_hostname, '.');
+		if (p) {
+			my_hostname[strlen(my_hostname)-strlen(p)] = '\0';
+		}
+		state->my_hostname = strdup(my_hostname);
+		if (!state->my_hostname) {
+			return -1;
+		}
+		debug("state->my_hostname: %s\n", state->my_hostname);
+
+		hp = gethostbyname(my_hostname);
+		if (!hp || !hp->h_name || !*hp->h_name) {
+			return -1;
+		}
+
+		state->my_fqdn = strdup(hp->h_name);
+		if (!state->my_fqdn) {
+			return -1;
+		}
+		debug("state->my_fqdn: %s\n", state->my_fqdn);
+
+		p = strchr(state->my_fqdn, '.');
+		if (p) {
+			p++;
+			state->my_dnsdomain = strdup(p);
+		} else {
+			state->my_dnsdomain = strdup("");
+		}
+		if (!state->my_dnsdomain) {
+			return -1;
+		}
+		debug("state->my_dnsdomain: %s\n", state->my_dnsdomain);
+	}
+
+	{
+		const char *buffer = NULL;
+		uint16_t type = 0;
+		status = NetGetJoinInformation(state->target_hostname,
+					       &buffer,
+					       &type);
+		if (status != 0) {
+			printf("NetGetJoinInformation failed with: %s\n",
+				libnetapi_get_error_string(state->ctx, status));
+			return status;
+		}
+		debug("NetGetJoinInformation gave: %s and %d\n", buffer, type);
+		state->name_buffer_initial = strdup(buffer);
+		if (!state->name_buffer_initial) {
+			return -1;
+		}
+		state->name_type_initial = type;
+		NetApiBufferFree((void *)buffer);
+	}
+
+	status = get_server_comment(state);
+	if (status != 0) {
+		return -1;
+	}
+
+	state->ctx = ctx;
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	GOptionContext *context = NULL;
+	static const char *debug_level = NULL;
+	static const char *target_hostname = NULL;
+	static const char *target_username = NULL;
+	struct join_state *state = NULL;
+	GError *error = NULL;
+	int ret = 0;
+
+	static GOptionEntry entries[] = {
+		{ "debug", 'd', 0, G_OPTION_ARG_STRING, &debug_level, "Debug level (for samba)", "N" },
+		{ "verbose", 'v', 0, G_OPTION_ARG_NONE, &verbose, "Verbose output", 0 },
+		{ "target", 'S', 0, G_OPTION_ARG_STRING, &target_hostname, "Target hostname", 0 },
+		{ "username", 'U', 0, G_OPTION_ARG_STRING, &target_username, "Target hostname", 0 },
+		{ NULL }
+	};
+
+	context = g_option_context_new("- Samba domain join utility");
+	g_option_context_add_main_entries(context, entries, NULL);
+/*	g_option_context_add_main_entries(context, entries, GETTEXT_PACKAGE); */
+	g_option_context_add_group(context, gtk_get_option_group(TRUE));
+	g_option_context_parse(context, &argc, &argv, &error);
+
+	gtk_init(&argc, &argv);
+	g_set_application_name("Samba");
+
+	ret = init_join_state(&state);
+	if (ret) {
+		return ret;
+	}
+
+	ret = initialize_join_state(state, debug_level,
+				    target_hostname,
+				    target_username);
+	if (ret) {
+		return ret;
+	}
+
+	draw_main_window(state);
+
+	gtk_main();
+
+	do_cleanup(state);
+
+	return 0;
+}
diff --git a/source3/lib/netapi/examples/netdomjoin-gui/samba.ico b/source3/lib/netapi/examples/netdomjoin-gui/samba.ico
new file mode 100755
index 0000000000..b70c9590de
--- /dev/null
+++ b/source3/lib/netapi/examples/netdomjoin-gui/samba.ico
diff --git a/source3/lib/netapi/examples/server/remote_tod.c b/source3/lib/netapi/examples/server/remote_tod.c
new file mode 100644
index 0000000000..7636f6ac95
--- /dev/null
+++ b/source3/lib/netapi/examples/server/remote_tod.c
@@ -0,0 +1,83 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetRemoteTOD query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	struct TIME_OF_DAY_INFO *tod = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("tod", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+
+	/* NetRemoteTOD */
+
+	status = NetRemoteTOD(hostname,
+			      (uint8_t **)&tod);
+	if (status != 0) {
+		printf("NetRemoteTOD failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	} else {
+		printf("%d-%d-%d %d:%d:%d\n",
+			tod->tod_day, tod->tod_month, tod->tod_year,
+			tod->tod_hours, tod->tod_mins, tod->tod_secs);
+		NetApiBufferFree(tod);
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/server/server_getinfo.c b/source3/lib/netapi/examples/server/server_getinfo.c
new file mode 100644
index 0000000000..afd2edd05d
--- /dev/null
+++ b/source3/lib/netapi/examples/server/server_getinfo.c
@@ -0,0 +1,128 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetServerGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 100;
+
+	struct SERVER_INFO_100 *i100;
+	struct SERVER_INFO_101 *i101;
+	struct SERVER_INFO_102 *i102;
+	struct SERVER_INFO_1005 *i1005;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("server_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetServerGetInfo */
+
+	status = NetServerGetInfo(hostname,
+				  level,
+				  &buffer);
+	if (status != 0) {
+		printf("NetServerGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 100:
+			i100 = (struct SERVER_INFO_100 *)buffer;
+			printf("platform id: %d\n", i100->sv100_platform_id);
+			printf("name: %s\n", i100->sv100_name);
+			break;
+		case 101:
+			i101 = (struct SERVER_INFO_101 *)buffer;
+			printf("platform id: %d\n", i101->sv101_platform_id);
+			printf("name: %s\n", i101->sv101_name);
+			printf("version major: %d\n", i101->sv101_version_major);
+			printf("version minor: %d\n", i101->sv101_version_minor);
+			printf("type: 0x%08x\n", i101->sv101_type);
+			printf("comment: %s\n", i101->sv101_comment);
+			break;
+		case 102:
+			i102 = (struct SERVER_INFO_102 *)buffer;
+			printf("platform id: %d\n", i102->sv102_platform_id);
+			printf("name: %s\n", i102->sv102_name);
+			printf("version major: %d\n", i102->sv102_version_major);
+			printf("version minor: %d\n", i102->sv102_version_minor);
+			printf("type: 0x%08x\n", i102->sv102_type);
+			printf("comment: %s\n", i102->sv102_comment);
+			printf("users: %d\n", i102->sv102_users);
+			printf("disc: %d\n", i102->sv102_disc);
+			printf("hidden: %d\n", i102->sv102_hidden);
+			printf("announce: %d\n", i102->sv102_announce);
+			printf("anndelta: %d\n", i102->sv102_anndelta);
+			printf("licenses: %d\n", i102->sv102_licenses);
+			printf("userpath: %s\n", i102->sv102_userpath);
+			break;
+		case 1005:
+			i1005 = (struct SERVER_INFO_1005 *)buffer;
+			printf("comment: %s\n", i1005->sv1005_comment);
+			break;
+		default:
+			break;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/share/share_add.c b/source3/lib/netapi/examples/share/share_add.c
new file mode 100644
index 0000000000..3d7948840d
--- /dev/null
+++ b/source3/lib/netapi/examples/share/share_add.c
@@ -0,0 +1,110 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShareAdd query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *sharename = NULL;
+	const char *path = NULL;
+	uint32_t level = 0;
+	uint32_t parm_err = 0;
+
+	struct SHARE_INFO_2 i2;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("share_add", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname sharename path");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	sharename = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	path = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetShareAdd */
+
+	i2.shi2_netname		= sharename;
+	i2.shi2_type		= 0;
+	i2.shi2_remark		= "Test share created via NetApi";
+	i2.shi2_permissions	= 0;
+	i2.shi2_max_uses	= (uint32_t)-1;
+	i2.shi2_current_uses	= 0;
+	i2.shi2_path		= path;
+	i2.shi2_passwd		= NULL;
+
+	status = NetShareAdd(hostname,
+			     2,
+			     (uint8_t *)&i2,
+			     &parm_err);
+	if (status != 0) {
+		printf("NetShareAdd failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/share/share_del.c b/source3/lib/netapi/examples/share/share_del.c
new file mode 100644
index 0000000000..20e3ce5a8b
--- /dev/null
+++ b/source3/lib/netapi/examples/share/share_del.c
@@ -0,0 +1,85 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShareDel query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *sharename = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("share_del", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname sharename");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	sharename = poptGetArg(pc);
+
+	/* NetShareDel */
+
+	status = NetShareDel(hostname,
+			     sharename,
+			     0);
+	if (status != 0) {
+		printf("NetShareDel failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/share/share_enum.c b/source3/lib/netapi/examples/share/share_enum.c
new file mode 100644
index 0000000000..b1f4043795
--- /dev/null
+++ b/source3/lib/netapi/examples/share/share_enum.c
@@ -0,0 +1,142 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShareEnum query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int i;
+
+	struct SHARE_INFO_0 *i0 = NULL;
+	struct SHARE_INFO_1 *i1 = NULL;
+	struct SHARE_INFO_2 *i2 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("share_enum", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetShareEnum */
+
+	do {
+		status = NetShareEnum(hostname,
+				      level,
+				      &buffer,
+				      (uint32_t)-1,
+				      &entries_read,
+				      &total_entries,
+				      &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			printf("total entries: %d\n", total_entries);
+			switch (level) {
+				case 0:
+					i0 = (struct SHARE_INFO_0 *)buffer;
+					break;
+				case 1:
+					i1 = (struct SHARE_INFO_1 *)buffer;
+					break;
+				case 2:
+					i2 = (struct SHARE_INFO_2 *)buffer;
+					break;
+				default:
+					break;
+			}
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d netname: %s\n", i, i0->shi0_netname);
+						i0++;
+						break;
+					case 1:
+						printf("#%d netname: %s\n", i, i1->shi1_netname);
+						printf("#%d type: %d\n", i, i1->shi1_type);
+						printf("#%d remark: %s\n", i, i1->shi1_remark);
+						i1++;
+						break;
+					case 2:
+						printf("#%d netname: %s\n", i, i2->shi2_netname);
+						printf("#%d type: %d\n", i, i2->shi2_type);
+						printf("#%d remark: %s\n", i, i2->shi2_remark);
+						printf("#%d permissions: %d\n", i, i2->shi2_permissions);
+						printf("#%d max users: %d\n", i, i2->shi2_max_uses);
+						printf("#%d current users: %d\n", i, i2->shi2_current_uses);
+						printf("#%d path: %s\n", i, i2->shi2_path);
+						printf("#%d password: %s\n", i, i2->shi2_passwd);
+						i2++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetShareEnum failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/share/share_getinfo.c b/source3/lib/netapi/examples/share/share_getinfo.c
new file mode 100644
index 0000000000..479da5cc4a
--- /dev/null
+++ b/source3/lib/netapi/examples/share/share_getinfo.c
@@ -0,0 +1,152 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShareGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *sharename = NULL;
+	uint32_t level = 2;
+	uint8_t *buffer = NULL;
+
+	struct SHARE_INFO_0 *i0 = NULL;
+	struct SHARE_INFO_1 *i1 = NULL;
+	struct SHARE_INFO_2 *i2 = NULL;
+	struct SHARE_INFO_501 *i501 = NULL;
+	struct SHARE_INFO_1005 *i1005 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("share_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname sharename level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	sharename = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetShareGetInfo */
+
+	status = NetShareGetInfo(hostname,
+				 sharename,
+				 level,
+				 &buffer);
+	if (status != 0) {
+		printf("NetShareGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 0:
+			i0 = (struct SHARE_INFO_0 *)buffer;
+			break;
+		case 1:
+			i1 = (struct SHARE_INFO_1 *)buffer;
+			break;
+		case 2:
+			i2 = (struct SHARE_INFO_2 *)buffer;
+			break;
+		case 501:
+			i501 = (struct SHARE_INFO_501 *)buffer;
+			break;
+		case 1005:
+			i1005 = (struct SHARE_INFO_1005 *)buffer;
+			break;
+
+		default:
+			break;
+	}
+
+	switch (level) {
+		case 0:
+			printf("netname: %s\n", i0->shi0_netname);
+			break;
+		case 1:
+			printf("netname: %s\n", i1->shi1_netname);
+			printf("type: %d\n", i1->shi1_type);
+			printf("remark: %s\n", i1->shi1_remark);
+			break;
+		case 2:
+			printf("netname: %s\n", i2->shi2_netname);
+			printf("type: %d\n", i2->shi2_type);
+			printf("remark: %s\n", i2->shi2_remark);
+			printf("permissions: %d\n", i2->shi2_permissions);
+			printf("max users: %d\n", i2->shi2_max_uses);
+			printf("current users: %d\n", i2->shi2_current_uses);
+			printf("path: %s\n", i2->shi2_path);
+			printf("password: %s\n", i2->shi2_passwd);
+			break;
+		case 501:
+			printf("netname: %s\n", i501->shi501_netname);
+			printf("type: %d\n", i501->shi501_type);
+			printf("remark: %s\n", i501->shi501_remark);
+			printf("flags: %d\n", i501->shi501_flags);
+			break;
+		case 1005:
+			printf("flags: %d\n", i1005->shi1005_flags);
+			break;
+		default:
+			break;
+	}
+	NetApiBufferFree(buffer);
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/share/share_setinfo.c b/source3/lib/netapi/examples/share/share_setinfo.c
new file mode 100644
index 0000000000..f4748f4122
--- /dev/null
+++ b/source3/lib/netapi/examples/share/share_setinfo.c
@@ -0,0 +1,105 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShareSetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *sharename = NULL;
+	const char *comment = "NetApi generated Share comment";
+	uint32_t level = 1004;
+	uint8_t *buffer = NULL;
+	uint32_t parm_err = 0;
+
+	struct SHARE_INFO_1004 i1004;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("share_setinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname sharename comment");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	sharename = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		comment = poptGetArg(pc);
+	}
+
+	/* NetShareSetInfo */
+	switch (level) {
+		case 1004:
+			i1004.shi1004_remark = comment;
+			buffer = (uint8_t *)&i1004;
+			break;
+		default:
+			break;
+	}
+
+	status = NetShareSetInfo(hostname,
+				 sharename,
+				 level,
+				 buffer,
+				 &parm_err);
+	if (status != 0) {
+		printf("NetShareSetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_add.c b/source3/lib/netapi/examples/user/user_add.c
new file mode 100644
index 0000000000..5452f77bb7
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_add.c
@@ -0,0 +1,103 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserAdd query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	const char *password = NULL;
+	struct USER_INFO_1 info1;
+	uint32_t parm_error = 0;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_add", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username password");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	password = poptGetArg(pc);
+
+	/* NetUserAdd */
+
+	info1.usri1_name = username;
+	info1.usri1_password = password;
+	info1.usri1_password_age = 0;
+	info1.usri1_priv = 0;
+	info1.usri1_home_dir = NULL;
+	info1.usri1_comment = "User created using Samba NetApi Example code";
+	info1.usri1_flags = 0;
+	info1.usri1_script_path = NULL;
+
+	status = NetUserAdd(hostname,
+			    1,
+			    (uint8_t *)&info1,
+			    &parm_error);
+	if (status != 0) {
+		printf("NetUserAdd failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_chgpwd.c b/source3/lib/netapi/examples/user/user_chgpwd.c
new file mode 100644
index 0000000000..8b37ec2a99
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_chgpwd.c
@@ -0,0 +1,99 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserChangePassword query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	const char *old_password = NULL;
+	const char *new_password = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_chgpwd", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username old_password new_password");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	old_password = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	new_password = poptGetArg(pc);
+
+	/* NetUserChangePassword */
+
+	status = NetUserChangePassword(hostname,
+				       username,
+				       old_password,
+				       new_password);
+	if (status != 0) {
+		printf("NetUserChangePassword failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_del.c b/source3/lib/netapi/examples/user/user_del.c
new file mode 100644
index 0000000000..9cf28a91ba
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_del.c
@@ -0,0 +1,82 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserDel query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_del", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	/* NetUserDel */
+
+	status = NetUserDel(hostname, username);
+	if (status != 0) {
+		printf("NetUserDel failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_dispinfo.c b/source3/lib/netapi/examples/user/user_dispinfo.c
new file mode 100644
index 0000000000..23024fe9fe
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_dispinfo.c
@@ -0,0 +1,100 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetQueryDisplayInformation query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	void *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t idx = 0;
+	int i;
+
+	struct NET_DISPLAY_USER *user;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_dispinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	/* NetQueryDisplayInformation */
+
+	do {
+		status = NetQueryDisplayInformation(hostname,
+						    1,
+						    idx,
+						    1000,
+						    (uint32_t)-1,
+						    &entries_read,
+						    &buffer);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			user = (struct NET_DISPLAY_USER *)buffer;
+			for (i=0; i<entries_read; i++) {
+				printf("user %d: %s\n", i + idx,
+				       user->usri1_name);
+				user++;
+			}
+			NetApiBufferFree(buffer);
+		}
+		idx += entries_read;
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetQueryDisplayInformation failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_enum.c b/source3/lib/netapi/examples/user/user_enum.c
new file mode 100644
index 0000000000..cf77bf2d54
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_enum.c
@@ -0,0 +1,157 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserEnum query
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	char *sid_str = NULL;
+	int i;
+
+	struct USER_INFO_0 *info0 = NULL;
+	struct USER_INFO_10 *info10 = NULL;
+	struct USER_INFO_20 *info20 = NULL;
+	struct USER_INFO_23 *info23 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_enum", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetUserEnum */
+
+	do {
+		status = NetUserEnum(hostname,
+				     level,
+				     FILTER_NORMAL_ACCOUNT,
+				     &buffer,
+				     (uint32_t)-1,
+				     &entries_read,
+				     &total_entries,
+				     &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+
+			switch (level) {
+				case 0:
+					info0 = (struct USER_INFO_0 *)buffer;
+					break;
+				case 10:
+					info10 = (struct USER_INFO_10 *)buffer;
+					break;
+				case 20:
+					info20 = (struct USER_INFO_20 *)buffer;
+					break;
+				case 23:
+					info23 = (struct USER_INFO_23 *)buffer;
+					break;
+				default:
+					break;
+			}
+
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d user: %s\n", i, info0->usri0_name);
+						info0++;
+						break;
+					case 10:
+						printf("#%d user: %s\n", i, info10->usri10_name);
+						printf("#%d comment: %s\n", i, info10->usri10_comment);
+						printf("#%d usr_comment: %s\n", i, info10->usri10_usr_comment);
+						printf("#%d full_name: %s\n", i, info10->usri10_full_name);
+						info10++;
+						break;
+					case 20:
+						printf("#%d user: %s\n", i, info20->usri20_name);
+						printf("#%d comment: %s\n", i, info20->usri20_comment);
+						printf("#%d flags: 0x%08x\n", i, info20->usri20_flags);
+						printf("#%d rid: %d\n", i, info20->usri20_user_id);
+						info20++;
+						break;
+					case 23:
+						printf("#%d user: %s\n", i, info23->usri23_name);
+						printf("#%d comment: %s\n", i, info23->usri23_comment);
+						printf("#%d flags: 0x%08x\n", i, info23->usri23_flags);
+						if (ConvertSidToStringSid(info23->usri23_user_sid,
+									  &sid_str)) {
+							printf("#%d sid: %s\n", i, sid_str);
+							free(sid_str);
+						}
+						info23++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetUserEnum failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_getgroups.c b/source3/lib/netapi/examples/user/user_getgroups.c
new file mode 100644
index 0000000000..939415e0eb
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_getgroups.c
@@ -0,0 +1,133 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserGetGroups query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	int i;
+
+	struct GROUP_USERS_INFO_0 *info0 = NULL;
+	struct GROUP_USERS_INFO_1 *info1 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_getgroups", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetUserGetGroups */
+
+	do {
+		status = NetUserGetGroups(hostname,
+					  username,
+					  level,
+					  &buffer,
+					  (uint32_t)-1,
+					  &entries_read,
+					  &total_entries);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+
+			switch (level) {
+				case 0:
+					info0 = (struct GROUP_USERS_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct GROUP_USERS_INFO_1 *)buffer;
+					break;
+				default:
+					break;
+			}
+
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d group: %s\n", i, info0->grui0_name);
+						info0++;
+						break;
+					case 1:
+						printf("#%d group: %s\n", i, info1->grui1_name);
+						printf("#%d attributes: %d\n", i, info1->grui1_attributes);
+						info1++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetUserGetGroups failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_getinfo.c b/source3/lib/netapi/examples/user/user_getinfo.c
new file mode 100644
index 0000000000..9e95260b5a
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_getinfo.c
@@ -0,0 +1,293 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserGetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	char *sid_str = NULL;
+	int i;
+
+	struct USER_INFO_0 *u0;
+	struct USER_INFO_1 *u1;
+	struct USER_INFO_2 *u2;
+	struct USER_INFO_3 *u3;
+	struct USER_INFO_4 *u4;
+	struct USER_INFO_10 *u10;
+	struct USER_INFO_11 *u11;
+	struct USER_INFO_20 *u20;
+	struct USER_INFO_23 *u23;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_getinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetUserGetInfo */
+
+	status = NetUserGetInfo(hostname,
+				username,
+				level,
+				&buffer);
+	if (status != 0) {
+		printf("NetUserGetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 0:
+			u0 = (struct USER_INFO_0 *)buffer;
+			printf("name: %s\n", u0->usri0_name);
+			break;
+		case 1:
+			u1 = (struct USER_INFO_1 *)buffer;
+			printf("name: %s\n", u1->usri1_name);
+			printf("password: %s\n", u1->usri1_password);
+			printf("password_age: %d\n", u1->usri1_password_age);
+			printf("priv: %d\n", u1->usri1_priv);
+			printf("homedir: %s\n", u1->usri1_home_dir);
+			printf("comment: %s\n", u1->usri1_comment);
+			printf("flags: 0x%08x\n", u1->usri1_flags);
+			printf("script: %s\n", u1->usri1_script_path);
+			break;
+		case 2:
+			u2 = (struct USER_INFO_2 *)buffer;
+			printf("name: %s\n", u2->usri2_name);
+			printf("password: %s\n", u2->usri2_password);
+			printf("password_age: %d\n", u2->usri2_password_age);
+			printf("priv: %d\n", u2->usri2_priv);
+			printf("homedir: %s\n", u2->usri2_home_dir);
+			printf("comment: %s\n", u2->usri2_comment);
+			printf("flags: 0x%08x\n", u2->usri2_flags);
+			printf("script: %s\n", u2->usri2_script_path);
+			printf("auth flags: 0x%08x\n", u2->usri2_auth_flags);
+			printf("full name: %s\n", u2->usri2_full_name);
+			printf("user comment: %s\n", u2->usri2_usr_comment);
+			printf("user parameters: %s\n", u2->usri2_parms);
+			printf("workstations: %s\n", u2->usri2_workstations);
+			printf("last logon (seconds since jan. 1, 1970 GMT): %d\n",
+				u2->usri2_last_logon);
+			printf("last logoff (seconds since jan. 1, 1970 GMT): %d\n",
+				u2->usri2_last_logoff);
+			printf("account expires (seconds since jan. 1, 1970 GMT): %d\n",
+				u2->usri2_acct_expires);
+			printf("max storage: %d\n", u2->usri2_max_storage);
+			printf("units per week: %d\n", u2->usri2_units_per_week);
+			printf("logon hours:");
+			for (i=0; i<21; i++) {
+				printf(" %x", (uint8_t)u2->usri2_logon_hours[i]);
+			}
+			printf("\n");
+			printf("bad password count: %d\n", u2->usri2_bad_pw_count);
+			printf("logon count: %d\n", u2->usri2_num_logons);
+			printf("logon server: %s\n", u2->usri2_logon_server);
+			printf("country code: %d\n", u2->usri2_country_code);
+			printf("code page: %d\n", u2->usri2_code_page);
+			break;
+		case 3:
+			u3 = (struct USER_INFO_3 *)buffer;
+			printf("name: %s\n", u3->usri3_name);
+			printf("password_age: %d\n", u3->usri3_password_age);
+			printf("priv: %d\n", u3->usri3_priv);
+			printf("homedir: %s\n", u3->usri3_home_dir);
+			printf("comment: %s\n", u3->usri3_comment);
+			printf("flags: 0x%08x\n", u3->usri3_flags);
+			printf("script: %s\n", u3->usri3_script_path);
+			printf("auth flags: 0x%08x\n", u3->usri3_auth_flags);
+			printf("full name: %s\n", u3->usri3_full_name);
+			printf("user comment: %s\n", u3->usri3_usr_comment);
+			printf("user parameters: %s\n", u3->usri3_parms);
+			printf("workstations: %s\n", u3->usri3_workstations);
+			printf("last logon (seconds since jan. 1, 1970 GMT): %d\n",
+				u3->usri3_last_logon);
+			printf("last logoff (seconds since jan. 1, 1970 GMT): %d\n",
+				u3->usri3_last_logoff);
+			printf("account expires (seconds since jan. 1, 1970 GMT): %d\n",
+				u3->usri3_acct_expires);
+			printf("max storage: %d\n", u3->usri3_max_storage);
+			printf("units per week: %d\n", u3->usri3_units_per_week);
+			printf("logon hours:");
+			for (i=0; i<21; i++) {
+				printf(" %x", (uint8_t)u3->usri3_logon_hours[i]);
+			}
+			printf("\n");
+			printf("bad password count: %d\n", u3->usri3_bad_pw_count);
+			printf("logon count: %d\n", u3->usri3_num_logons);
+			printf("logon server: %s\n", u3->usri3_logon_server);
+			printf("country code: %d\n", u3->usri3_country_code);
+			printf("code page: %d\n", u3->usri3_code_page);
+			printf("user id: %d\n", u3->usri3_user_id);
+			printf("primary group id: %d\n", u3->usri3_primary_group_id);
+			printf("profile: %s\n", u3->usri3_profile);
+			printf("home dir drive: %s\n", u3->usri3_home_dir_drive);
+			printf("password expired: %d\n", u3->usri3_password_expired);
+			break;
+		case 4:
+			u4 = (struct USER_INFO_4 *)buffer;
+			printf("name: %s\n", u4->usri4_name);
+			printf("password: %s\n", u4->usri4_password);
+			printf("password_age: %d\n", u4->usri4_password_age);
+			printf("priv: %d\n", u4->usri4_priv);
+			printf("homedir: %s\n", u4->usri4_home_dir);
+			printf("comment: %s\n", u4->usri4_comment);
+			printf("flags: 0x%08x\n", u4->usri4_flags);
+			printf("script: %s\n", u4->usri4_script_path);
+			printf("auth flags: 0x%08x\n", u4->usri4_auth_flags);
+			printf("full name: %s\n", u4->usri4_full_name);
+			printf("user comment: %s\n", u4->usri4_usr_comment);
+			printf("user parameters: %s\n", u4->usri4_parms);
+			printf("workstations: %s\n", u4->usri4_workstations);
+			printf("last logon (seconds since jan. 1, 1970 GMT): %d\n",
+				u4->usri4_last_logon);
+			printf("last logoff (seconds since jan. 1, 1970 GMT): %d\n",
+				u4->usri4_last_logoff);
+			printf("account expires (seconds since jan. 1, 1970 GMT): %d\n",
+				u4->usri4_acct_expires);
+			printf("max storage: %d\n", u4->usri4_max_storage);
+			printf("units per week: %d\n", u4->usri4_units_per_week);
+			printf("logon hours:");
+			for (i=0; i<21; i++) {
+				printf(" %x", (uint8_t)u4->usri4_logon_hours[i]);
+			}
+			printf("\n");
+			printf("bad password count: %d\n", u4->usri4_bad_pw_count);
+			printf("logon count: %d\n", u4->usri4_num_logons);
+			printf("logon server: %s\n", u4->usri4_logon_server);
+			printf("country code: %d\n", u4->usri4_country_code);
+			printf("code page: %d\n", u4->usri4_code_page);
+			if (ConvertSidToStringSid(u4->usri4_user_sid,
+						  &sid_str)) {
+				printf("user_sid: %s\n", sid_str);
+				free(sid_str);
+			}
+			printf("primary group id: %d\n", u4->usri4_primary_group_id);
+			printf("profile: %s\n", u4->usri4_profile);
+			printf("home dir drive: %s\n", u4->usri4_home_dir_drive);
+			printf("password expired: %d\n", u4->usri4_password_expired);
+			break;
+		case 10:
+			u10 = (struct USER_INFO_10 *)buffer;
+			printf("name: %s\n", u10->usri10_name);
+			printf("comment: %s\n", u10->usri10_comment);
+			printf("usr_comment: %s\n", u10->usri10_usr_comment);
+			printf("full_name: %s\n", u10->usri10_full_name);
+			break;
+		case 11:
+			u11 = (struct USER_INFO_11 *)buffer;
+			printf("name: %s\n", u11->usri11_name);
+			printf("comment: %s\n", u11->usri11_comment);
+			printf("user comment: %s\n", u11->usri11_usr_comment);
+			printf("full name: %s\n", u11->usri11_full_name);
+			printf("priv: %d\n", u11->usri11_priv);
+			printf("auth flags: 0x%08x\n", u11->usri11_auth_flags);
+			printf("password_age: %d\n", u11->usri11_password_age);
+			printf("homedir: %s\n", u11->usri11_home_dir);
+			printf("user parameters: %s\n", u11->usri11_parms);
+			printf("last logon (seconds since jan. 1, 1970 GMT): %d\n",
+				u11->usri11_last_logon);
+			printf("last logoff (seconds since jan. 1, 1970 GMT): %d\n",
+				u11->usri11_last_logoff);
+			printf("bad password count: %d\n", u11->usri11_bad_pw_count);
+			printf("logon count: %d\n", u11->usri11_num_logons);
+			printf("logon server: %s\n", u11->usri11_logon_server);
+			printf("country code: %d\n", u11->usri11_country_code);
+			printf("workstations: %s\n", u11->usri11_workstations);
+			printf("max storage: %d\n", u11->usri11_max_storage);
+			printf("units per week: %d\n", u11->usri11_units_per_week);
+			printf("logon hours:");
+			for (i=0; i<21; i++) {
+				printf(" %x", (uint8_t)u11->usri11_logon_hours[i]);
+			}
+			printf("\n");
+			printf("code page: %d\n", u11->usri11_code_page);
+			break;
+		case 20:
+			u20 = (struct USER_INFO_20 *)buffer;
+			printf("name: %s\n", u20->usri20_name);
+			printf("comment: %s\n", u20->usri20_comment);
+			printf("flags: 0x%08x\n", u20->usri20_flags);
+			printf("rid: %d\n", u20->usri20_user_id);
+			break;
+		case 23:
+			u23 = (struct USER_INFO_23 *)buffer;
+			printf("name: %s\n", u23->usri23_name);
+			printf("comment: %s\n", u23->usri23_comment);
+			printf("flags: 0x%08x\n", u23->usri23_flags);
+			if (ConvertSidToStringSid(u23->usri23_user_sid,
+						  &sid_str)) {
+				printf("user_sid: %s\n", sid_str);
+				free(sid_str);
+			}
+			break;
+		default:
+			break;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_getlocalgroups.c b/source3/lib/netapi/examples/user/user_getlocalgroups.c
new file mode 100644
index 0000000000..133104d7c1
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_getlocalgroups.c
@@ -0,0 +1,122 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserGetLocalGroups query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t flags = 0;
+	int i;
+
+	struct LOCALGROUP_USERS_INFO_0 *info0 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_getlocalgroups", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	/* NetUserGetLocalGroups */
+
+	do {
+		status = NetUserGetLocalGroups(hostname,
+					       username,
+					       level,
+					       flags,
+					       &buffer,
+					       (uint32_t)-1,
+					       &entries_read,
+					       &total_entries);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+
+			switch (level) {
+				case 0:
+					info0 = (struct LOCALGROUP_USERS_INFO_0 *)buffer;
+					break;
+				default:
+					break;
+			}
+
+			for (i=0; i<entries_read; i++) {
+				switch (level) {
+					case 0:
+						printf("#%d group: %s\n", i, info0->lgrui0_name);
+						info0++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status != 0) {
+		printf("NetUserGetLocalGroups failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_modalsget.c b/source3/lib/netapi/examples/user/user_modalsget.c
new file mode 100644
index 0000000000..4dcb41bef7
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_modalsget.c
@@ -0,0 +1,131 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserModalsGet query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	char *sid_str = NULL;
+
+	struct USER_MODALS_INFO_0 *u0;
+	struct USER_MODALS_INFO_1 *u1;
+	struct USER_MODALS_INFO_2 *u2;
+	struct USER_MODALS_INFO_3 *u3;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_modalsget", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	/* NetUserModalsGet */
+
+	status = NetUserModalsGet(hostname,
+				  level,
+				  &buffer);
+	if (status != 0) {
+		printf("NetUserModalsGet failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+	switch (level) {
+		case 0:
+			u0 = (struct USER_MODALS_INFO_0 *)buffer;
+			printf("min passwd len: %d character\n",
+				u0->usrmod0_min_passwd_len);
+			printf("max passwd age: %d (days)\n",
+				u0->usrmod0_max_passwd_age/86400);
+			printf("min passwd age: %d (days)\n",
+				u0->usrmod0_min_passwd_age/86400);
+			printf("force logoff: %d (seconds)\n",
+				u0->usrmod0_force_logoff);
+			printf("password history length: %d entries\n",
+				u0->usrmod0_password_hist_len);
+			break;
+		case 1:
+			u1 = (struct USER_MODALS_INFO_1 *)buffer;
+			printf("role: %d\n", u1->usrmod1_role);
+			printf("primary: %s\n", u1->usrmod1_primary);
+			break;
+		case 2:
+			u2 = (struct USER_MODALS_INFO_2 *)buffer;
+			printf("domain name: %s\n", u2->usrmod2_domain_name);
+			if (ConvertSidToStringSid(u2->usrmod2_domain_id,
+						  &sid_str)) {
+				printf("domain sid: %s\n", sid_str);
+				free(sid_str);
+			}
+			break;
+		case 3:
+			u3 = (struct USER_MODALS_INFO_3 *)buffer;
+			printf("lockout duration: %d (seconds)\n",
+				u3->usrmod3_lockout_duration);
+			printf("lockout observation window: %d (seconds)\n",
+				u3->usrmod3_lockout_observation_window);
+			printf("lockout threshold: %d entries\n",
+				u3->usrmod3_lockout_threshold);
+			break;
+		default:
+			break;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_modalsset.c b/source3/lib/netapi/examples/user/user_modalsset.c
new file mode 100644
index 0000000000..57e1ef70ea
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_modalsset.c
@@ -0,0 +1,141 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserModalsSet query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t level = 0;
+	uint32_t value = 0;
+	uint32_t parm_err = 0;
+
+	struct USER_MODALS_INFO_0 u0;
+	struct USER_MODALS_INFO_1 u1;
+	struct USER_MODALS_INFO_2 u2;
+	struct USER_MODALS_INFO_3 u3;
+	struct USER_MODALS_INFO_1001 u1001;
+	struct USER_MODALS_INFO_1002 u1002;
+	struct USER_MODALS_INFO_1003 u1003;
+	struct USER_MODALS_INFO_1004 u1004;
+	struct USER_MODALS_INFO_1005 u1005;
+	struct USER_MODALS_INFO_1006 u1006;
+	struct USER_MODALS_INFO_1007 u1007;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_modalsset", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname level value");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (poptPeekArg(pc)) {
+		level = atoi(poptGetArg(pc));
+	}
+
+	if (poptPeekArg(pc)) {
+		value = atoi(poptGetArg(pc));
+	}
+
+	switch (level) {
+		case 0:
+			u0.usrmod0_min_passwd_len = 0;
+			u0.usrmod0_max_passwd_age = (86400 * 30); /* once a month */
+			u0.usrmod0_min_passwd_age = 0;
+			u0.usrmod0_force_logoff = TIMEQ_FOREVER;
+			u0.usrmod0_password_hist_len = 0;
+			buffer = (uint8_t *)&u0;
+			break;
+		case 1:
+		case 2:
+		case 3:
+		case 1001:
+			u1001.usrmod1001_min_passwd_len = 0;
+			buffer = (uint8_t *)&u1001;
+			break;
+		case 1002:
+			u1002.usrmod1002_max_passwd_age = 0;
+			buffer = (uint8_t *)&u1002;
+			break;
+		case 1003:
+			u1003.usrmod1003_min_passwd_age = (86400 * 30); /* once a month */
+			buffer = (uint8_t *)&u1003;
+			break;
+		case 1004:
+			u1004.usrmod1004_force_logoff = TIMEQ_FOREVER;
+			buffer = (uint8_t *)&u1004;
+			break;
+		case 1005:
+			u1005.usrmod1005_password_hist_len = 0;
+			buffer = (uint8_t *)&u1005;
+			break;
+		case 1006:
+		case 1007:
+		default:
+			break;
+	}
+
+	/* NetUserModalsSet */
+
+	status = NetUserModalsSet(hostname,
+				  level,
+				  buffer,
+				  &parm_err);
+	if (status != 0) {
+		printf("NetUserModalsSet failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_setgroups.c b/source3/lib/netapi/examples/user/user_setgroups.c
new file mode 100644
index 0000000000..de3ff22ec8
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_setgroups.c
@@ -0,0 +1,144 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserSetGroups query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	uint32_t level = 0;
+	uint8_t *buffer = NULL;
+	uint32_t num_entries = 0;
+	const char **names = NULL;
+	int i = 0;
+	size_t buf_size = 0;
+
+	struct GROUP_USERS_INFO_0 *g0 = NULL;
+	struct GROUP_USERS_INFO_1 *g1 = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_setgroups", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username group1 group2 ...");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+
+	names = poptGetArgs(pc);
+	for (i=0; names[i] != NULL; i++) {
+		num_entries++;
+	}
+
+	switch (level) {
+		case 0:
+			buf_size = sizeof(struct GROUP_USERS_INFO_0) * num_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g0);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<num_entries; i++) {
+				g0[i].grui0_name = names[i];
+			}
+
+			buffer = (uint8_t *)g0;
+			break;
+		case 1:
+			buf_size = sizeof(struct GROUP_USERS_INFO_1) * num_entries;
+
+			status = NetApiBufferAllocate(buf_size, (void **)&g1);
+			if (status) {
+				printf("NetApiBufferAllocate failed with: %s\n",
+					libnetapi_get_error_string(ctx, status));
+				goto out;
+			}
+
+			for (i=0; i<num_entries; i++) {
+				g1[i].grui1_name = names[i];
+				g1[i].grui1_attributes = 0; /* ? */
+			}
+
+			buffer = (uint8_t *)g1;
+			break;
+		default:
+			break;
+	}
+
+	/* NetUserSetGroups */
+
+	status = NetUserSetGroups(hostname,
+				  username,
+				  level,
+				  buffer,
+				  num_entries);
+	if (status != 0) {
+		printf("NetUserSetGroups failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+ out:
+	NetApiBufferFree(buffer);
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/examples/user/user_setinfo.c b/source3/lib/netapi/examples/user/user_setinfo.c
new file mode 100644
index 0000000000..4f02ae7781
--- /dev/null
+++ b/source3/lib/netapi/examples/user/user_setinfo.c
@@ -0,0 +1,207 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUserSetInfo query
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+	const char *username = NULL;
+	uint32_t level = 0;
+	uint32_t parm_err = 0;
+	uint8_t *buffer = NULL;
+	const char *val = NULL;
+
+	struct USER_INFO_0 u0;
+	struct USER_INFO_1 u1;
+	struct USER_INFO_2 u2;
+	struct USER_INFO_3 u3;
+	struct USER_INFO_4 u4;
+	struct USER_INFO_21 u21;
+	struct USER_INFO_22 u22;
+	struct USER_INFO_1003 u1003;
+	struct USER_INFO_1005 u1005;
+	struct USER_INFO_1006 u1006;
+	struct USER_INFO_1007 u1007;
+	struct USER_INFO_1008 u1008;
+	struct USER_INFO_1009 u1009;
+	struct USER_INFO_1010 u1010;
+	struct USER_INFO_1011 u1011;
+	struct USER_INFO_1012 u1012;
+	struct USER_INFO_1014 u1014;
+	struct USER_INFO_1017 u1017;
+	struct USER_INFO_1020 u1020;
+	struct USER_INFO_1024 u1024;
+	struct USER_INFO_1051 u1051;
+	struct USER_INFO_1052 u1052;
+	struct USER_INFO_1053 u1053;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("user_setinfo", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname username level");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	username = poptGetArg(pc);
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	level = atoi(poptGetArg(pc));
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	val = poptGetArg(pc);
+
+	/* NetUserSetInfo */
+
+	switch (level) {
+		case 0:
+			u0.usri0_name = val;
+			buffer = (uint8_t *)&u0;
+			break;
+		case 1:
+		case 2:
+		case 3:
+		case 4:
+			break;
+		case 21:
+			break;
+		case 22:
+			break;
+		case 1003:
+			u1003.usri1003_password = val;
+			buffer = (uint8_t *)&u1003;
+			break;
+		case 1005:
+			u1005.usri1005_priv = atoi(val);
+			buffer = (uint8_t *)&u1005;
+			break;
+		case 1006:
+			u1006.usri1006_home_dir = val;
+			buffer = (uint8_t *)&u1006;
+			break;
+		case 1007:
+			u1007.usri1007_comment = val;
+			buffer = (uint8_t *)&u1007;
+			break;
+		case 1008:
+			u1008.usri1008_flags = atoi(val);
+			buffer = (uint8_t *)&u1008;
+			break;
+		case 1009:
+			u1009.usri1009_script_path = val;
+			buffer = (uint8_t *)&u1009;
+			break;
+		case 1010:
+			u1010.usri1010_auth_flags = atoi(val);
+			buffer = (uint8_t *)&u1010;
+			break;
+		case 1011:
+			u1011.usri1011_full_name = val;
+			buffer = (uint8_t *)&u1011;
+			break;
+		case 1012:
+			u1012.usri1012_usr_comment = val;
+			buffer = (uint8_t *)&u1012;
+			break;
+		case 1014:
+			u1014.usri1014_workstations = val;
+			buffer = (uint8_t *)&u1014;
+			break;
+		case 1017:
+			u1017.usri1017_acct_expires = atoi(val);
+			buffer = (uint8_t *)&u1017;
+			break;
+		case 1020:
+			break;
+		case 1024:
+			u1024.usri1024_country_code = atoi(val);
+			buffer = (uint8_t *)&u1024;
+			break;
+		case 1051:
+			u1051.usri1051_primary_group_id = atoi(val);
+			buffer = (uint8_t *)&u1051;
+			break;
+		case 1052:
+			u1052.usri1052_profile = val;
+			buffer = (uint8_t *)&u1052;
+			break;
+		case 1053:
+			u1053.usri1053_home_dir_drive = val;
+			buffer = (uint8_t *)&u1053;
+			break;
+		default:
+			break;
+	}
+
+	status = NetUserSetInfo(hostname,
+				username,
+				level,
+				buffer,
+				&parm_err);
+	if (status != 0) {
+		printf("NetUserSetInfo failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+		goto out;
+	}
+
+ out:
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
new file mode 100644
index 0000000000..036af32f38
--- /dev/null
+++ b/source3/lib/netapi/file.c
@@ -0,0 +1,289 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi File Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
+		      struct NetFileClose *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetFileClose(pipe_cli, ctx,
+					    r->in.server_name,
+					    r->in.fileid,
+					    &werr);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileClose_l(struct libnetapi_ctx *ctx,
+		      struct NetFileClose *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetFileClose);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS map_srvsvc_FileInfo_to_FILE_INFO_buffer(TALLOC_CTX *mem_ctx,
+							uint32_t level,
+							union srvsvc_NetFileInfo *info,
+							uint8_t **buffer,
+							uint32_t *num_entries)
+{
+	struct FILE_INFO_2 i2;
+	struct FILE_INFO_3 i3;
+
+	switch (level) {
+		case 2:
+			i2.fi2_id		= info->info2->fid;
+
+			ADD_TO_ARRAY(mem_ctx, struct FILE_INFO_2, i2,
+				     (struct FILE_INFO_2 **)buffer,
+				     num_entries);
+			break;
+		case 3:
+			i3.fi3_id		= info->info3->fid;
+			i3.fi3_permissions	= info->info3->permissions;
+			i3.fi3_num_locks	= info->info3->num_locks;
+			i3.fi3_pathname		= talloc_strdup(mem_ctx, info->info3->path);
+			i3.fi3_username		= talloc_strdup(mem_ctx, info->info3->user);
+
+			NT_STATUS_HAVE_NO_MEMORY(i3.fi3_pathname);
+			NT_STATUS_HAVE_NO_MEMORY(i3.fi3_username);
+
+			ADD_TO_ARRAY(mem_ctx, struct FILE_INFO_3, i3,
+				     (struct FILE_INFO_3 **)buffer,
+				     num_entries);
+			break;
+		default:
+			return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetFileGetInfo *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	union srvsvc_NetFileInfo info;
+	uint32_t num_entries = 0;
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 2:
+		case 3:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetFileGetInfo(pipe_cli, ctx,
+					      r->in.server_name,
+					      r->in.fileid,
+					      r->in.level,
+					      &info,
+					      &werr);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = map_srvsvc_FileInfo_to_FILE_INFO_buffer(ctx,
+							 r->in.level,
+							 &info,
+							 r->out.buffer,
+							 &num_entries);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileGetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetFileGetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetFileGetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
+		     struct NetFileEnum *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct srvsvc_NetFileInfoCtr info_ctr;
+	struct srvsvc_NetFileCtr2 ctr2;
+	struct srvsvc_NetFileCtr3 ctr3;
+	uint32_t num_entries = 0;
+	uint32_t i;
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 2:
+		case 3:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	ZERO_STRUCT(info_ctr);
+
+	info_ctr.level = r->in.level;
+	switch (r->in.level) {
+		case 2:
+			ZERO_STRUCT(ctr2);
+			info_ctr.ctr.ctr2 = &ctr2;
+			break;
+		case 3:
+			ZERO_STRUCT(ctr3);
+			info_ctr.ctr.ctr3 = &ctr3;
+			break;
+	}
+
+	status = rpccli_srvsvc_NetFileEnum(pipe_cli, ctx,
+					   r->in.server_name,
+					   r->in.base_path,
+					   r->in.user_name,
+					   &info_ctr,
+					   r->in.prefmaxlen,
+					   r->out.total_entries,
+					   r->out.resume_handle,
+					   &werr);
+	if (NT_STATUS_IS_ERR(status)) {
+		goto done;
+	}
+
+	for (i=0; i < info_ctr.ctr.ctr2->count; i++) {
+		union srvsvc_NetFileInfo _i;
+		switch (r->in.level) {
+			case 2:
+				_i.info2 = &info_ctr.ctr.ctr2->array[i];
+				break;
+			case 3:
+				_i.info3 = &info_ctr.ctr.ctr3->array[i];
+				break;
+		}
+
+		status = map_srvsvc_FileInfo_to_FILE_INFO_buffer(ctx,
+								 r->in.level,
+								 &_i,
+								 r->out.buffer,
+								 &num_entries);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	if (r->out.entries_read) {
+		*r->out.entries_read = num_entries;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries = num_entries;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetFileEnum_l(struct libnetapi_ctx *ctx,
+		     struct NetFileEnum *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetFileEnum);
+}
diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
new file mode 100644
index 0000000000..07a6544af1
--- /dev/null
+++ b/source3/lib/netapi/getdc.c
@@ -0,0 +1,167 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi GetDC Support
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+#include "libnet/libnet.h"
+
+/********************************************************************
+********************************************************************/
+
+WERROR NetGetDCName_l(struct libnetapi_ctx *ctx,
+		      struct NetGetDCName *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGetDCName);
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
+		      struct NetGetDCName *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_netlogon.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_netr_GetDcName(pipe_cli, ctx,
+				       r->in.server_name,
+				       r->in.domain_name,
+				       (const char **)r->out.buffer,
+				       &werr);
+ done:
+
+	return werr;
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR NetGetAnyDCName_l(struct libnetapi_ctx *ctx,
+			 struct NetGetAnyDCName *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGetAnyDCName);
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
+			 struct NetGetAnyDCName *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_netlogon.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_netr_GetAnyDCName(pipe_cli, ctx,
+					  r->in.server_name,
+					  r->in.domain_name,
+					  (const char **)r->out.buffer,
+					  &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+ done:
+
+	return werr;
+
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR DsGetDcName_l(struct libnetapi_ctx *ctx,
+		     struct DsGetDcName *r)
+{
+	NTSTATUS status;
+
+	status = dsgetdcname(ctx,
+			     NULL,
+			     r->in.domain_name,
+			     r->in.domain_guid,
+			     r->in.site_name,
+			     r->in.flags,
+			     (struct netr_DsRGetDCNameInfo **)r->out.dc_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		libnetapi_set_error_string(ctx,
+			"failed to find DC: %s",
+			get_friendly_nt_error_msg(status));
+	}
+
+	return ntstatus_to_werror(status);
+}
+
+/********************************************************************
+********************************************************************/
+
+WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
+		     struct DsGetDcName *r)
+{
+	WERROR werr;
+	NTSTATUS status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_netlogon.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_netr_DsRGetDCName(pipe_cli,
+					  ctx,
+					  r->in.server_name,
+					  r->in.domain_name,
+					  r->in.domain_guid,
+					  NULL,
+					  r->in.flags,
+					  (struct netr_DsRGetDCNameInfo **)r->out.dc_info,
+					  &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	return werr;
+}
diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
new file mode 100644
index 0000000000..c3fccb4840
--- /dev/null
+++ b/source3/lib/netapi/group.c
@@ -0,0 +1,1691 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Group Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
+		     struct NetGroupAdd *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name;
+	struct dom_sid2 *domain_sid = NULL;
+	uint32_t rid = 0;
+
+	struct GROUP_INFO_0 *info0 = NULL;
+	struct GROUP_INFO_1 *info1 = NULL;
+	struct GROUP_INFO_2 *info2 = NULL;
+	struct GROUP_INFO_3 *info3 = NULL;
+	union samr_GroupInfo info;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			info0 = (struct GROUP_INFO_0 *)r->in.buffer;
+			break;
+		case 1:
+			info1 = (struct GROUP_INFO_1 *)r->in.buffer;
+			break;
+		case 2:
+			info2 = (struct GROUP_INFO_2 *)r->in.buffer;
+			break;
+		case 3:
+			info3 = (struct GROUP_INFO_3 *)r->in.buffer;
+			break;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			init_lsa_String(&lsa_group_name, info0->grpi0_name);
+			break;
+		case 1:
+			init_lsa_String(&lsa_group_name, info1->grpi1_name);
+			break;
+		case 2:
+			init_lsa_String(&lsa_group_name, info2->grpi2_name);
+			break;
+		case 3:
+			init_lsa_String(&lsa_group_name, info3->grpi3_name);
+			break;
+	}
+
+	status = rpccli_samr_CreateDomainGroup(pipe_cli, ctx,
+					       &domain_handle,
+					       &lsa_group_name,
+					       SEC_STD_DELETE |
+					       SAMR_GROUP_ACCESS_SET_INFO,
+					       &group_handle,
+					       &rid);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 1:
+			if (info1->grpi1_comment) {
+				init_lsa_String(&info.description,
+						info1->grpi1_comment);
+
+				status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+								  &group_handle,
+								  GROUPINFODESCRIPTION,
+								  &info);
+			}
+			break;
+		case 2:
+			if (info2->grpi2_comment) {
+				init_lsa_String(&info.description,
+						info2->grpi2_comment);
+
+				status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+								  &group_handle,
+								  GROUPINFODESCRIPTION,
+								  &info);
+				if (!NT_STATUS_IS_OK(status)) {
+					werr = ntstatus_to_werror(status);
+					goto failed;
+				}
+			}
+
+			if (info2->grpi2_attributes != 0) {
+				info.attributes.attributes = info2->grpi2_attributes;
+				status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+								  &group_handle,
+								  GROUPINFOATTRIBUTES,
+								  &info);
+
+			}
+			break;
+		case 3:
+			if (info3->grpi3_comment) {
+				init_lsa_String(&info.description,
+						info3->grpi3_comment);
+
+				status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+								  &group_handle,
+								  GROUPINFODESCRIPTION,
+								  &info);
+				if (!NT_STATUS_IS_OK(status)) {
+					werr = ntstatus_to_werror(status);
+					goto failed;
+				}
+			}
+
+			if (info3->grpi3_attributes != 0) {
+				info.attributes.attributes = info3->grpi3_attributes;
+				status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+								  &group_handle,
+								  GROUPINFOATTRIBUTES,
+								  &info);
+			}
+			break;
+		default:
+			break;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto failed;
+	}
+
+	werr = WERR_OK;
+	goto done;
+
+ failed:
+	rpccli_samr_DeleteDomainGroup(pipe_cli, ctx,
+				      &group_handle);
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupAdd_l(struct libnetapi_ctx *ctx,
+		     struct NetGroupAdd *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupAdd);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
+		     struct NetGroupDel *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name;
+	struct dom_sid2 *domain_sid = NULL;
+	int i = 0;
+
+	struct samr_Ids rids;
+	struct samr_Ids types;
+	union samr_GroupInfo *info = NULL;
+	struct samr_RidTypeArray *rid_array = NULL;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_group_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_group_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_DOM_GRP) {
+		werr = WERR_INVALID_DATATYPE;
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SEC_STD_DELETE |
+				       SAMR_GROUP_ACCESS_GET_MEMBERS |
+				       SAMR_GROUP_ACCESS_REMOVE_MEMBER |
+				       SAMR_GROUP_ACCESS_ADD_MEMBER |
+				       SAMR_GROUP_ACCESS_LOOKUP_INFO,
+				       rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_QueryGroupInfo(pipe_cli, ctx,
+					    &group_handle,
+					    GROUPINFOATTRIBUTES,
+					    &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+#if 0
+	/* breaks against NT4 */
+	if (!(info->attributes.attributes & SE_GROUP_ENABLED)) {
+		werr = WERR_ACCESS_DENIED;
+		goto done;
+	}
+#endif
+	status = rpccli_samr_QueryGroupMember(pipe_cli, ctx,
+					      &group_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	{
+	struct lsa_Strings names;
+	struct samr_Ids member_types;
+
+	status = rpccli_samr_LookupRids(pipe_cli, ctx,
+					&domain_handle,
+					rid_array->count,
+					rid_array->rids,
+					&names,
+					&member_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+	}
+
+	for (i=0; i < rid_array->count; i++) {
+
+		status = rpccli_samr_DeleteGroupMember(pipe_cli, ctx,
+						       &group_handle,
+						       rid_array->rids[i]);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_DeleteDomainGroup(pipe_cli, ctx,
+					       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	ZERO_STRUCT(group_handle);
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupDel_l(struct libnetapi_ctx *ctx,
+		     struct NetGroupDel *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupDel);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupSetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name;
+	struct dom_sid2 *domain_sid = NULL;
+
+	struct samr_Ids rids;
+	struct samr_Ids types;
+	union samr_GroupInfo info;
+	struct GROUP_INFO_0 *g0;
+	struct GROUP_INFO_1 *g1;
+	struct GROUP_INFO_2 *g2;
+	struct GROUP_INFO_3 *g3;
+	struct GROUP_INFO_1002 *g1002;
+	struct GROUP_INFO_1005 *g1005;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_group_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_group_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_DOM_GRP) {
+		werr = WERR_INVALID_DATATYPE;
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_SET_INFO |
+				       SAMR_GROUP_ACCESS_LOOKUP_INFO,
+				       rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			g0 = (struct GROUP_INFO_0 *)r->in.buffer;
+			init_lsa_String(&info.name, g0->grpi0_name);
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFONAME,
+							  &info);
+			break;
+		case 1:
+			g1 = (struct GROUP_INFO_1 *)r->in.buffer;
+			init_lsa_String(&info.description, g1->grpi1_comment);
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFODESCRIPTION,
+							  &info);
+			break;
+		case 2:
+			g2 = (struct GROUP_INFO_2 *)r->in.buffer;
+			init_lsa_String(&info.description, g2->grpi2_comment);
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFODESCRIPTION,
+							  &info);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+			info.attributes.attributes = g2->grpi2_attributes;
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFOATTRIBUTES,
+							  &info);
+			break;
+		case 3:
+			g3 = (struct GROUP_INFO_3 *)r->in.buffer;
+			init_lsa_String(&info.description, g3->grpi3_comment);
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFODESCRIPTION,
+							  &info);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+			info.attributes.attributes = g3->grpi3_attributes;
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFOATTRIBUTES,
+							  &info);
+			break;
+		case 1002:
+			g1002 = (struct GROUP_INFO_1002 *)r->in.buffer;
+			init_lsa_String(&info.description, g1002->grpi1002_comment);
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFODESCRIPTION,
+							  &info);
+			break;
+		case 1005:
+			g1005 = (struct GROUP_INFO_1005 *)r->in.buffer;
+			info.attributes.attributes = g1005->grpi1005_attributes;
+			status = rpccli_samr_SetGroupInfo(pipe_cli, ctx,
+							  &group_handle,
+							  GROUPINFOATTRIBUTES,
+							  &info);
+			break;
+		default:
+			status = NT_STATUS_INVALID_LEVEL;
+			break;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupSetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupSetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupSetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR map_group_info_to_buffer(TALLOC_CTX *mem_ctx,
+				       uint32_t level,
+				       struct samr_GroupInfoAll *info,
+				       struct dom_sid2 *domain_sid,
+				       uint32_t rid,
+				       uint8_t **buffer)
+{
+	struct GROUP_INFO_0 info0;
+	struct GROUP_INFO_1 info1;
+	struct GROUP_INFO_2 info2;
+	struct GROUP_INFO_3 info3;
+	struct dom_sid sid;
+
+	switch (level) {
+		case 0:
+			info0.grpi0_name	= info->name.string;
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info0, sizeof(info0));
+
+			break;
+		case 1:
+			info1.grpi1_name	= info->name.string;
+			info1.grpi1_comment	= info->description.string;
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info1, sizeof(info1));
+
+			break;
+		case 2:
+			info2.grpi2_name	= info->name.string;
+			info2.grpi2_comment	= info->description.string;
+			info2.grpi2_group_id	= rid;
+			info2.grpi2_attributes	= info->attributes;
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info2, sizeof(info2));
+
+			break;
+		case 3:
+			if (!sid_compose(&sid, domain_sid, rid)) {
+				return WERR_NOMEM;
+			}
+
+			info3.grpi3_name	= info->name.string;
+			info3.grpi3_comment	= info->description.string;
+			info3.grpi3_attributes	= info->attributes;
+			info3.grpi3_group_sid	= (struct domsid *)sid_dup_talloc(mem_ctx, &sid);
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info3, sizeof(info3));
+
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupGetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name;
+	struct dom_sid2 *domain_sid = NULL;
+
+	struct samr_Ids rids;
+	struct samr_Ids types;
+	union samr_GroupInfo *info = NULL;
+	bool group_info_all = false;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_group_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_group_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_DOM_GRP) {
+		werr = WERR_INVALID_DATATYPE;
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_LOOKUP_INFO,
+				       rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_QueryGroupInfo(pipe_cli, ctx,
+					    &group_handle,
+					    GROUPINFOALL2,
+					    &info);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
+		status = rpccli_samr_QueryGroupInfo(pipe_cli, ctx,
+						    &group_handle,
+						    GROUPINFOALL,
+						    &info);
+		group_info_all = true;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = map_group_info_to_buffer(ctx, r->in.level,
+					group_info_all ? &info->all : &info->all2,
+					domain_sid, rids.ids[0],
+					r->out.buffer);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupGetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupGetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupGetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupAddUser *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name, lsa_user_name;
+	struct dom_sid2 *domain_sid = NULL;
+
+	struct samr_Ids rids;
+	struct samr_Ids types;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_group_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_group_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = WERR_GROUP_NOT_FOUND;
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_DOM_GRP) {
+		werr = WERR_GROUP_NOT_FOUND;
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_ADD_MEMBER,
+				       rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	init_lsa_String(&lsa_user_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_user_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = WERR_USER_NOT_FOUND;
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_USER) {
+		werr = WERR_USER_NOT_FOUND;
+		goto done;
+	}
+
+	status = rpccli_samr_AddGroupMember(pipe_cli, ctx,
+					    &group_handle,
+					    rids.ids[0],
+					    7); /* why ? */
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupAddUser_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupAddUser *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupAddUser);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupDelUser *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_group_name, lsa_user_name;
+	struct dom_sid2 *domain_sid = NULL;
+
+	struct samr_Ids rids;
+	struct samr_Ids types;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(group_handle);
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_group_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_group_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = WERR_GROUP_NOT_FOUND;
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_DOM_GRP) {
+		werr = WERR_GROUP_NOT_FOUND;
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_REMOVE_MEMBER,
+				       rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	init_lsa_String(&lsa_user_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_user_name,
+					 &rids,
+					 &types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = WERR_USER_NOT_FOUND;
+		goto done;
+	}
+
+	if (types.ids[0] != SID_NAME_USER) {
+		werr = WERR_USER_NOT_FOUND;
+		goto done;
+	}
+
+	status = rpccli_samr_DeleteGroupMember(pipe_cli, ctx,
+					       &group_handle,
+					       rids.ids[0]);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupDelUser_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupDelUser *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupDelUser);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_disp_groups_to_GROUP_INFO_0_buffer(TALLOC_CTX *mem_ctx,
+							      struct samr_DispInfoFullGroups *groups,
+							      uint8_t **buffer)
+{
+	struct GROUP_INFO_0 *g0;
+	int i;
+
+	g0 = TALLOC_ZERO_ARRAY(mem_ctx, struct GROUP_INFO_0, groups->count);
+	W_ERROR_HAVE_NO_MEMORY(g0);
+
+	for (i=0; i<groups->count; i++) {
+		g0[i].grpi0_name = talloc_strdup(mem_ctx,
+			groups->entries[i].account_name.string);
+		W_ERROR_HAVE_NO_MEMORY(g0[i].grpi0_name);
+	}
+
+	*buffer = (uint8_t *)talloc_memdup(mem_ctx, g0,
+					   sizeof(struct GROUP_INFO_0) * groups->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_disp_groups_to_GROUP_INFO_1_buffer(TALLOC_CTX *mem_ctx,
+							      struct samr_DispInfoFullGroups *groups,
+							      uint8_t **buffer)
+{
+	struct GROUP_INFO_1 *g1;
+	int i;
+
+	g1 = TALLOC_ZERO_ARRAY(mem_ctx, struct GROUP_INFO_1, groups->count);
+	W_ERROR_HAVE_NO_MEMORY(g1);
+
+	for (i=0; i<groups->count; i++) {
+		g1[i].grpi1_name = talloc_strdup(mem_ctx,
+			groups->entries[i].account_name.string);
+		g1[i].grpi1_comment = talloc_strdup(mem_ctx,
+			groups->entries[i].description.string);
+		W_ERROR_HAVE_NO_MEMORY(g1[i].grpi1_name);
+	}
+
+	*buffer = (uint8_t *)talloc_memdup(mem_ctx, g1,
+					   sizeof(struct GROUP_INFO_1) * groups->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_disp_groups_to_GROUP_INFO_2_buffer(TALLOC_CTX *mem_ctx,
+							      struct samr_DispInfoFullGroups *groups,
+							      uint8_t **buffer)
+{
+	struct GROUP_INFO_2 *g2;
+	int i;
+
+	g2 = TALLOC_ZERO_ARRAY(mem_ctx, struct GROUP_INFO_2, groups->count);
+	W_ERROR_HAVE_NO_MEMORY(g2);
+
+	for (i=0; i<groups->count; i++) {
+		g2[i].grpi2_name = talloc_strdup(mem_ctx,
+			groups->entries[i].account_name.string);
+		g2[i].grpi2_comment = talloc_strdup(mem_ctx,
+			groups->entries[i].description.string);
+		g2[i].grpi2_group_id = groups->entries[i].rid;
+		g2[i].grpi2_attributes = groups->entries[i].acct_flags;
+		W_ERROR_HAVE_NO_MEMORY(g2[i].grpi2_name);
+	}
+
+	*buffer = (uint8_t *)talloc_memdup(mem_ctx, g2,
+					   sizeof(struct GROUP_INFO_2) * groups->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_disp_groups_to_GROUP_INFO_3_buffer(TALLOC_CTX *mem_ctx,
+							      struct samr_DispInfoFullGroups *groups,
+							      const struct dom_sid *domain_sid,
+							      uint8_t **buffer)
+{
+	struct GROUP_INFO_3 *g3;
+	int i;
+
+	g3 = TALLOC_ZERO_ARRAY(mem_ctx, struct GROUP_INFO_3, groups->count);
+	W_ERROR_HAVE_NO_MEMORY(g3);
+
+	for (i=0; i<groups->count; i++) {
+
+		struct dom_sid sid;
+
+		if (!sid_compose(&sid, domain_sid, groups->entries[i].rid)) {
+			return WERR_NOMEM;
+		}
+
+		g3[i].grpi3_name = talloc_strdup(mem_ctx,
+			groups->entries[i].account_name.string);
+		g3[i].grpi3_comment = talloc_strdup(mem_ctx,
+			groups->entries[i].description.string);
+		g3[i].grpi3_group_sid = (struct domsid *)sid_dup_talloc(mem_ctx, &sid);
+		g3[i].grpi3_attributes = groups->entries[i].acct_flags;
+		W_ERROR_HAVE_NO_MEMORY(g3[i].grpi3_name);
+	}
+
+	*buffer = (uint8_t *)talloc_memdup(mem_ctx, g3,
+					   sizeof(struct GROUP_INFO_3) * groups->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_disp_groups_to_GROUP_INFO_buffer(TALLOC_CTX *mem_ctx,
+							    uint32_t level,
+							    struct samr_DispInfoFullGroups *groups,
+							    const struct dom_sid *domain_sid,
+							    uint32_t *entries_read,
+							    uint8_t **buffer)
+{
+	if (entries_read) {
+		*entries_read = groups->count;
+	}
+
+	switch (level) {
+		case 0:
+			return convert_samr_disp_groups_to_GROUP_INFO_0_buffer(mem_ctx, groups, buffer);
+		case 1:
+			return convert_samr_disp_groups_to_GROUP_INFO_1_buffer(mem_ctx, groups, buffer);
+		case 2:
+			return convert_samr_disp_groups_to_GROUP_INFO_2_buffer(mem_ctx, groups, buffer);
+		case 3:
+			return convert_samr_disp_groups_to_GROUP_INFO_3_buffer(mem_ctx, groups, domain_sid, buffer);
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
+		      struct NetGroupEnum *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	struct policy_handle domain_handle;
+	union samr_DispInfo info;
+	union samr_DomainInfo *domain_info = NULL;
+
+	uint32_t total_size = 0;
+	uint32_t returned_size = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr, tmp_werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 2:
+		case 3:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+					  SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QueryDomainInfo(pipe_cli, ctx,
+					     &domain_handle,
+					     2,
+					     &domain_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries = domain_info->info2.num_groups;
+	}
+
+	status = rpccli_samr_QueryDisplayInfo2(pipe_cli,
+					       ctx,
+					       &domain_handle,
+					       3,
+					       r->in.resume_handle ?
+					       *r->in.resume_handle : 0,
+					       (uint32_t)-1,
+					       r->in.prefmaxlen,
+					       &total_size,
+					       &returned_size,
+					       &info);
+	werr = ntstatus_to_werror(status);
+	if (NT_STATUS_IS_ERR(status)) {
+		goto done;
+	}
+
+	if (r->out.resume_handle) {
+		*r->out.resume_handle =
+			info.info3.entries[info.info3.count-1].idx;
+	}
+
+	tmp_werr = convert_samr_disp_groups_to_GROUP_INFO_buffer(ctx,
+								 r->in.level,
+								 &info.info3,
+								 domain_sid,
+								 r->out.entries_read,
+								 r->out.buffer);
+	if (!W_ERROR_IS_OK(tmp_werr)) {
+		werr = tmp_werr;
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	/* if last query */
+	if (NT_STATUS_IS_OK(status) ||
+	    NT_STATUS_IS_ERR(status)) {
+
+		if (ctx->disable_policy_handle_cache) {
+			libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+			libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+		}
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupEnum_l(struct libnetapi_ctx *ctx,
+		      struct NetGroupEnum *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupEnum);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
+			  struct NetGroupGetUsers *r)
+{
+	/* FIXME: this call needs to cope with large replies */
+
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids group_rids, name_types;
+	struct samr_RidTypeArray *rid_array = NULL;
+	struct lsa_Strings names;
+	struct samr_Ids member_types;
+
+	int i;
+	uint32_t entries_read = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	*r->out.buffer = NULL;
+	*r->out.entries_read = 0;
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &group_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_GET_MEMBERS,
+				       group_rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_QueryGroupMember(pipe_cli, ctx,
+					      &group_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_LookupRids(pipe_cli, ctx,
+					&domain_handle,
+					rid_array->count,
+					rid_array->rids,
+					&names,
+					&member_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i < names.count; i++) {
+
+		if (member_types.ids[i] != SID_NAME_USER) {
+			continue;
+		}
+
+		status = add_GROUP_USERS_INFO_X_buffer(ctx,
+						       r->in.level,
+						       names.names[i].string,
+						       7,
+						       r->out.buffer,
+						       &entries_read);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	if (r->out.entries_read) {
+		*r->out.entries_read = entries_read;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries = entries_read;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupGetUsers_l(struct libnetapi_ctx *ctx,
+			  struct NetGroupGetUsers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupGetUsers);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
+			  struct NetGroupSetUsers *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle, domain_handle, group_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	union samr_GroupInfo *group_info = NULL;
+	struct samr_Ids user_rids, name_types;
+	struct samr_Ids group_rids, group_types;
+	struct samr_RidTypeArray *rid_array = NULL;
+	struct lsa_String *lsa_names = NULL;
+
+	uint32_t *add_rids = NULL;
+	uint32_t *del_rids = NULL;
+	size_t num_add_rids = 0;
+	size_t num_del_rids = 0;
+
+	uint32_t *member_rids = NULL;
+	size_t num_member_rids = 0;
+
+	struct GROUP_USERS_INFO_0 *i0 = NULL;
+	struct GROUP_USERS_INFO_1 *i1 = NULL;
+
+	int i, k;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &group_rids,
+					 &group_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+				       &domain_handle,
+				       SAMR_GROUP_ACCESS_GET_MEMBERS |
+				       SAMR_GROUP_ACCESS_ADD_MEMBER |
+				       SAMR_GROUP_ACCESS_REMOVE_MEMBER |
+				       SAMR_GROUP_ACCESS_LOOKUP_INFO,
+				       group_rids.ids[0],
+				       &group_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_QueryGroupInfo(pipe_cli, ctx,
+					    &group_handle,
+					    GROUPINFOATTRIBUTES,
+					    &group_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			i0 = (struct GROUP_USERS_INFO_0 *)r->in.buffer;
+			break;
+		case 1:
+			i1 = (struct GROUP_USERS_INFO_1 *)r->in.buffer;
+			break;
+	}
+
+	lsa_names = talloc_array(ctx, struct lsa_String, r->in.num_entries);
+	if (!lsa_names) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	for (i=0; i < r->in.num_entries; i++) {
+
+		switch (r->in.level) {
+			case 0:
+				init_lsa_String(&lsa_names[i], i0->grui0_name);
+				i0++;
+				break;
+			case 1:
+				init_lsa_String(&lsa_names[i], i1->grui1_name);
+				i1++;
+				break;
+		}
+	}
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 r->in.num_entries,
+					 lsa_names,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	member_rids = user_rids.ids;
+	num_member_rids = user_rids.count;
+
+	status = rpccli_samr_QueryGroupMember(pipe_cli, ctx,
+					      &group_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	/* add list */
+
+	for (i=0; i < r->in.num_entries; i++) {
+		bool already_member = false;
+		for (k=0; k < rid_array->count; k++) {
+			if (member_rids[i] == rid_array->rids[k]) {
+				already_member = true;
+				break;
+			}
+		}
+		if (!already_member) {
+			if (!add_rid_to_array_unique(ctx,
+						     member_rids[i],
+						     &add_rids, &num_add_rids)) {
+				werr = WERR_GENERAL_FAILURE;
+				goto done;
+			}
+		}
+	}
+
+	/* del list */
+
+	for (k=0; k < rid_array->count; k++) {
+		bool keep_member = false;
+		for (i=0; i < r->in.num_entries; i++) {
+			if (member_rids[i] == rid_array->rids[k]) {
+				keep_member = true;
+				break;
+			}
+		}
+		if (!keep_member) {
+			if (!add_rid_to_array_unique(ctx,
+						     rid_array->rids[k],
+						     &del_rids, &num_del_rids)) {
+				werr = WERR_GENERAL_FAILURE;
+				goto done;
+			}
+		}
+	}
+
+	/* add list */
+
+	for (i=0; i < num_add_rids; i++) {
+		status = rpccli_samr_AddGroupMember(pipe_cli, ctx,
+						    &group_handle,
+						    add_rids[i],
+						    7 /* ? */);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	/* del list */
+
+	for (i=0; i < num_del_rids; i++) {
+		status = rpccli_samr_DeleteGroupMember(pipe_cli, ctx,
+						       &group_handle,
+						       del_rids[i]);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGroupSetUsers_l(struct libnetapi_ctx *ctx,
+			  struct NetGroupSetUsers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetGroupSetUsers);
+}
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
new file mode 100644
index 0000000000..d15e2e733c
--- /dev/null
+++ b/source3/lib/netapi/joindomain.c
@@ -0,0 +1,501 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Join Support
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+#include "libnet/libnet.h"
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetJoinDomain_l(struct libnetapi_ctx *mem_ctx,
+		       struct NetJoinDomain *r)
+{
+	struct libnet_JoinCtx *j = NULL;
+	WERROR werr;
+
+	if (!r->in.domain) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnet_init_JoinCtx(mem_ctx, &j);
+	W_ERROR_NOT_OK_RETURN(werr);
+
+	j->in.domain_name = talloc_strdup(mem_ctx, r->in.domain);
+	W_ERROR_HAVE_NO_MEMORY(j->in.domain_name);
+
+	if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
+		NTSTATUS status;
+		struct netr_DsRGetDCNameInfo *info = NULL;
+		const char *dc = NULL;
+		uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
+				 DS_WRITABLE_REQUIRED |
+				 DS_RETURN_DNS_NAME;
+		status = dsgetdcname(mem_ctx, NULL, r->in.domain,
+				     NULL, NULL, flags, &info);
+		if (!NT_STATUS_IS_OK(status)) {
+			libnetapi_set_error_string(mem_ctx,
+				"%s", get_friendly_nt_error_msg(status));
+			return ntstatus_to_werror(status);
+		}
+
+		dc = strip_hostname(info->dc_unc);
+		j->in.dc_name = talloc_strdup(mem_ctx, dc);
+		W_ERROR_HAVE_NO_MEMORY(j->in.dc_name);
+	}
+
+	if (r->in.account_ou) {
+		j->in.account_ou = talloc_strdup(mem_ctx, r->in.account_ou);
+		W_ERROR_HAVE_NO_MEMORY(j->in.account_ou);
+	}
+
+	if (r->in.account) {
+		j->in.admin_account = talloc_strdup(mem_ctx, r->in.account);
+		W_ERROR_HAVE_NO_MEMORY(j->in.admin_account);
+	}
+
+	if (r->in.password) {
+		j->in.admin_password = talloc_strdup(mem_ctx, r->in.password);
+		W_ERROR_HAVE_NO_MEMORY(j->in.admin_password);
+	}
+
+	j->in.join_flags = r->in.join_flags;
+	j->in.modify_config = true;
+	j->in.debug = true;
+
+	werr = libnet_Join(mem_ctx, j);
+	if (!W_ERROR_IS_OK(werr) && j->out.error_string) {
+		libnetapi_set_error_string(mem_ctx, "%s", j->out.error_string);
+	}
+	TALLOC_FREE(j);
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
+		       struct NetJoinDomain *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct wkssvc_PasswordBuffer *encrypted_password = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	unsigned int old_timeout = 0;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server,
+				   &ndr_table_wkssvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (r->in.password) {
+		encode_wkssvc_join_password_buffer(ctx,
+						   r->in.password,
+						   &cli->user_session_key,
+						   &encrypted_password);
+	}
+
+	old_timeout = cli_set_timeout(cli, 600000);
+
+	status = rpccli_wkssvc_NetrJoinDomain2(pipe_cli, ctx,
+					       r->in.server,
+					       r->in.domain,
+					       r->in.account_ou,
+					       r->in.account,
+					       encrypted_password,
+					       r->in.join_flags,
+					       &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	if (cli) {
+		if (old_timeout) {
+			cli_set_timeout(cli, old_timeout);
+		}
+	}
+
+	return werr;
+}
+/****************************************************************
+****************************************************************/
+
+WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx,
+			 struct NetUnjoinDomain *r)
+{
+	struct libnet_UnjoinCtx *u = NULL;
+	struct dom_sid domain_sid;
+	const char *domain = NULL;
+	WERROR werr;
+
+	if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
+		return WERR_SETUP_NOT_JOINED;
+	}
+
+	werr = libnet_init_UnjoinCtx(mem_ctx, &u);
+	W_ERROR_NOT_OK_RETURN(werr);
+
+	if (lp_realm()) {
+		domain = lp_realm();
+	} else {
+		domain = lp_workgroup();
+	}
+
+	if (r->in.server_name) {
+		u->in.dc_name = talloc_strdup(mem_ctx, r->in.server_name);
+		W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
+	} else {
+		NTSTATUS status;
+		struct netr_DsRGetDCNameInfo *info = NULL;
+		const char *dc = NULL;
+		uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
+				 DS_WRITABLE_REQUIRED |
+				 DS_RETURN_DNS_NAME;
+		status = dsgetdcname(mem_ctx, NULL, domain,
+				     NULL, NULL, flags, &info);
+		if (!NT_STATUS_IS_OK(status)) {
+			libnetapi_set_error_string(mem_ctx,
+				"failed to find DC for domain %s: %s",
+				domain,
+				get_friendly_nt_error_msg(status));
+			return ntstatus_to_werror(status);
+		}
+
+		dc = strip_hostname(info->dc_unc);
+		u->in.dc_name = talloc_strdup(mem_ctx, dc);
+		W_ERROR_HAVE_NO_MEMORY(u->in.dc_name);
+
+		u->in.domain_name = domain;
+	}
+
+	if (r->in.account) {
+		u->in.admin_account = talloc_strdup(mem_ctx, r->in.account);
+		W_ERROR_HAVE_NO_MEMORY(u->in.admin_account);
+	}
+
+	if (r->in.password) {
+		u->in.admin_password = talloc_strdup(mem_ctx, r->in.password);
+		W_ERROR_HAVE_NO_MEMORY(u->in.admin_password);
+	}
+
+	u->in.domain_name = domain;
+	u->in.unjoin_flags = r->in.unjoin_flags;
+	u->in.modify_config = true;
+	u->in.debug = true;
+
+	u->in.domain_sid = &domain_sid;
+
+	werr = libnet_Unjoin(mem_ctx, u);
+	if (!W_ERROR_IS_OK(werr) && u->out.error_string) {
+		libnetapi_set_error_string(mem_ctx, "%s", u->out.error_string);
+	}
+	TALLOC_FREE(u);
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
+			 struct NetUnjoinDomain *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct wkssvc_PasswordBuffer *encrypted_password = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	unsigned int old_timeout = 0;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_wkssvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (r->in.password) {
+		encode_wkssvc_join_password_buffer(ctx,
+						   r->in.password,
+						   &cli->user_session_key,
+						   &encrypted_password);
+	}
+
+	old_timeout = cli_set_timeout(cli, 60000);
+
+	status = rpccli_wkssvc_NetrUnjoinDomain2(pipe_cli, ctx,
+						 r->in.server_name,
+						 r->in.account,
+						 encrypted_password,
+						 r->in.unjoin_flags,
+						 &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	if (cli) {
+		if (old_timeout) {
+			cli_set_timeout(cli, old_timeout);
+		}
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
+			       struct NetGetJoinInformation *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	const char *buffer = NULL;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_wkssvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_wkssvc_NetrGetJoinInformation(pipe_cli, ctx,
+						      r->in.server_name,
+						      &buffer,
+						      (enum wkssvc_NetJoinStatus *)r->out.name_type,
+						      &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	*r->out.name_buffer = talloc_strdup(ctx, buffer);
+	W_ERROR_HAVE_NO_MEMORY(*r->out.name_buffer);
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx,
+			       struct NetGetJoinInformation *r)
+{
+	if ((lp_security() == SEC_ADS) && lp_realm()) {
+		*r->out.name_buffer = talloc_strdup(ctx, lp_realm());
+	} else {
+		*r->out.name_buffer = talloc_strdup(ctx, lp_workgroup());
+	}
+	if (!*r->out.name_buffer) {
+		return WERR_NOMEM;
+	}
+
+	switch (lp_server_role()) {
+		case ROLE_DOMAIN_MEMBER:
+		case ROLE_DOMAIN_PDC:
+		case ROLE_DOMAIN_BDC:
+			*r->out.name_type = NetSetupDomainName;
+			break;
+		case ROLE_STANDALONE:
+		default:
+			*r->out.name_type = NetSetupWorkgroupName;
+			break;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
+			   struct NetGetJoinableOUs *r)
+{
+#ifdef WITH_ADS
+	NTSTATUS status;
+	ADS_STATUS ads_status;
+	ADS_STRUCT *ads = NULL;
+	struct netr_DsRGetDCNameInfo *info = NULL;
+	const char *dc = NULL;
+	uint32_t flags = DS_DIRECTORY_SERVICE_REQUIRED |
+			 DS_RETURN_DNS_NAME;
+
+	status = dsgetdcname(ctx, NULL, r->in.domain,
+			     NULL, NULL, flags, &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		libnetapi_set_error_string(ctx, "%s",
+			get_friendly_nt_error_msg(status));
+		return ntstatus_to_werror(status);
+	}
+
+	dc = strip_hostname(info->dc_unc);
+
+	ads = ads_init(info->domain_name, info->domain_name, dc);
+	if (!ads) {
+		return WERR_GENERAL_FAILURE;
+	}
+
+	SAFE_FREE(ads->auth.user_name);
+	if (r->in.account) {
+		ads->auth.user_name = SMB_STRDUP(r->in.account);
+	} else if (ctx->username) {
+		ads->auth.user_name = SMB_STRDUP(ctx->username);
+	}
+
+	SAFE_FREE(ads->auth.password);
+	if (r->in.password) {
+		ads->auth.password = SMB_STRDUP(r->in.password);
+	} else if (ctx->password) {
+		ads->auth.password = SMB_STRDUP(ctx->password);
+	}
+
+	ads_status = ads_connect_user_creds(ads);
+	if (!ADS_ERR_OK(ads_status)) {
+		ads_destroy(&ads);
+		return WERR_DEFAULT_JOIN_REQUIRED;
+	}
+
+	ads_status = ads_get_joinable_ous(ads, ctx,
+					  (char ***)r->out.ous,
+					  (size_t *)r->out.ou_count);
+	if (!ADS_ERR_OK(ads_status)) {
+		ads_destroy(&ads);
+		return WERR_DEFAULT_JOIN_REQUIRED;
+	}
+
+	ads_destroy(&ads);
+	return WERR_OK;
+#else
+	return WERR_NOT_SUPPORTED;
+#endif
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
+			   struct NetGetJoinableOUs *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct wkssvc_PasswordBuffer *encrypted_password = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_wkssvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (r->in.password) {
+		encode_wkssvc_join_password_buffer(ctx,
+						   r->in.password,
+						   &cli->user_session_key,
+						   &encrypted_password);
+	}
+
+	status = rpccli_wkssvc_NetrGetJoinableOus2(pipe_cli, ctx,
+						   r->in.server_name,
+						   r->in.domain,
+						   r->in.account,
+						   encrypted_password,
+						   r->out.ou_count,
+						   r->out.ous,
+						   &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
+				  struct NetRenameMachineInDomain *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct wkssvc_PasswordBuffer *encrypted_password = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_wkssvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (r->in.password) {
+		encode_wkssvc_join_password_buffer(ctx,
+						   r->in.password,
+						   &cli->user_session_key,
+						   &encrypted_password);
+	}
+
+	status = rpccli_wkssvc_NetrRenameMachineInDomain2(pipe_cli, ctx,
+							  r->in.server_name,
+							  r->in.new_machine_name,
+							  r->in.account,
+							  encrypted_password,
+							  r->in.rename_options,
+							  &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetRenameMachineInDomain_l(struct libnetapi_ctx *ctx,
+				  struct NetRenameMachineInDomain *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetRenameMachineInDomain);
+}
diff --git a/source3/lib/netapi/libnetapi.c b/source3/lib/netapi/libnetapi.c
new file mode 100644
index 0000000000..043190a1f9
--- /dev/null
+++ b/source3/lib/netapi/libnetapi.c
@@ -0,0 +1,2355 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+#include "librpc/gen_ndr/ndr_libnetapi.h"
+
+/****************************************************************
+ NetJoinDomain
+****************************************************************/
+
+NET_API_STATUS NetJoinDomain(const char * server /* [in] [unique] */,
+			     const char * domain /* [in] [ref] */,
+			     const char * account_ou /* [in] [unique] */,
+			     const char * account /* [in] [unique] */,
+			     const char * password /* [in] [unique] */,
+			     uint32_t join_flags /* [in] */)
+{
+	struct NetJoinDomain r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server = server;
+	r.in.domain = domain;
+	r.in.account_ou = account_ou;
+	r.in.account = account;
+	r.in.password = password;
+	r.in.join_flags = join_flags;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetJoinDomain, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server)) {
+		werr = NetJoinDomain_l(ctx, &r);
+	} else {
+		werr = NetJoinDomain_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetJoinDomain, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUnjoinDomain
+****************************************************************/
+
+NET_API_STATUS NetUnjoinDomain(const char * server_name /* [in] [unique] */,
+			       const char * account /* [in] [unique] */,
+			       const char * password /* [in] [unique] */,
+			       uint32_t unjoin_flags /* [in] */)
+{
+	struct NetUnjoinDomain r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.account = account;
+	r.in.password = password;
+	r.in.unjoin_flags = unjoin_flags;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUnjoinDomain, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUnjoinDomain_l(ctx, &r);
+	} else {
+		werr = NetUnjoinDomain_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUnjoinDomain, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGetJoinInformation
+****************************************************************/
+
+NET_API_STATUS NetGetJoinInformation(const char * server_name /* [in] [unique] */,
+				     const char * *name_buffer /* [out] [ref] */,
+				     uint16_t *name_type /* [out] [ref] */)
+{
+	struct NetGetJoinInformation r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+
+	/* Out parameters */
+	r.out.name_buffer = name_buffer;
+	r.out.name_type = name_type;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGetJoinInformation, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGetJoinInformation_l(ctx, &r);
+	} else {
+		werr = NetGetJoinInformation_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGetJoinInformation, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGetJoinableOUs
+****************************************************************/
+
+NET_API_STATUS NetGetJoinableOUs(const char * server_name /* [in] [unique] */,
+				 const char * domain /* [in] [ref] */,
+				 const char * account /* [in] [unique] */,
+				 const char * password /* [in] [unique] */,
+				 uint32_t *ou_count /* [out] [ref] */,
+				 const char * **ous /* [out] [ref] */)
+{
+	struct NetGetJoinableOUs r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.domain = domain;
+	r.in.account = account;
+	r.in.password = password;
+
+	/* Out parameters */
+	r.out.ou_count = ou_count;
+	r.out.ous = ous;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGetJoinableOUs, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGetJoinableOUs_l(ctx, &r);
+	} else {
+		werr = NetGetJoinableOUs_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGetJoinableOUs, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetRenameMachineInDomain
+****************************************************************/
+
+NET_API_STATUS NetRenameMachineInDomain(const char * server_name /* [in] */,
+					const char * new_machine_name /* [in] */,
+					const char * account /* [in] */,
+					const char * password /* [in] */,
+					uint32_t rename_options /* [in] */)
+{
+	struct NetRenameMachineInDomain r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.new_machine_name = new_machine_name;
+	r.in.account = account;
+	r.in.password = password;
+	r.in.rename_options = rename_options;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetRenameMachineInDomain, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetRenameMachineInDomain_l(ctx, &r);
+	} else {
+		werr = NetRenameMachineInDomain_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetRenameMachineInDomain, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetServerGetInfo
+****************************************************************/
+
+NET_API_STATUS NetServerGetInfo(const char * server_name /* [in] [unique] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetServerGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetServerGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetServerGetInfo_l(ctx, &r);
+	} else {
+		werr = NetServerGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetServerGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetServerSetInfo
+****************************************************************/
+
+NET_API_STATUS NetServerSetInfo(const char * server_name /* [in] [unique] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_error /* [out] [ref] */)
+{
+	struct NetServerSetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_error = parm_error;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetServerSetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetServerSetInfo_l(ctx, &r);
+	} else {
+		werr = NetServerSetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetServerSetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGetDCName
+****************************************************************/
+
+NET_API_STATUS NetGetDCName(const char * server_name /* [in] [unique] */,
+			    const char * domain_name /* [in] [unique] */,
+			    uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetGetDCName r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.domain_name = domain_name;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGetDCName, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGetDCName_l(ctx, &r);
+	} else {
+		werr = NetGetDCName_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGetDCName, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGetAnyDCName
+****************************************************************/
+
+NET_API_STATUS NetGetAnyDCName(const char * server_name /* [in] [unique] */,
+			       const char * domain_name /* [in] [unique] */,
+			       uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetGetAnyDCName r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.domain_name = domain_name;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGetAnyDCName, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGetAnyDCName_l(ctx, &r);
+	} else {
+		werr = NetGetAnyDCName_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGetAnyDCName, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ DsGetDcName
+****************************************************************/
+
+NET_API_STATUS DsGetDcName(const char * server_name /* [in] [unique] */,
+			   const char * domain_name /* [in] [ref] */,
+			   struct GUID *domain_guid /* [in] [unique] */,
+			   const char * site_name /* [in] [unique] */,
+			   uint32_t flags /* [in] */,
+			   struct DOMAIN_CONTROLLER_INFO **dc_info /* [out] [ref] */)
+{
+	struct DsGetDcName r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.domain_name = domain_name;
+	r.in.domain_guid = domain_guid;
+	r.in.site_name = site_name;
+	r.in.flags = flags;
+
+	/* Out parameters */
+	r.out.dc_info = dc_info;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(DsGetDcName, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = DsGetDcName_l(ctx, &r);
+	} else {
+		werr = DsGetDcName_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(DsGetDcName, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserAdd
+****************************************************************/
+
+NET_API_STATUS NetUserAdd(const char * server_name /* [in] [unique] */,
+			  uint32_t level /* [in] */,
+			  uint8_t *buffer /* [in] [ref] */,
+			  uint32_t *parm_error /* [out] [ref] */)
+{
+	struct NetUserAdd r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_error = parm_error;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserAdd, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserAdd_l(ctx, &r);
+	} else {
+		werr = NetUserAdd_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserAdd, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserDel
+****************************************************************/
+
+NET_API_STATUS NetUserDel(const char * server_name /* [in] [unique] */,
+			  const char * user_name /* [in] [ref] */)
+{
+	struct NetUserDel r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserDel, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserDel_l(ctx, &r);
+	} else {
+		werr = NetUserDel_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserDel, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserEnum
+****************************************************************/
+
+NET_API_STATUS NetUserEnum(const char * server_name /* [in] [unique] */,
+			   uint32_t level /* [in] */,
+			   uint32_t filter /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetUserEnum r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.filter = filter;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserEnum, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserEnum_l(ctx, &r);
+	} else {
+		werr = NetUserEnum_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserEnum, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserChangePassword
+****************************************************************/
+
+NET_API_STATUS NetUserChangePassword(const char * domain_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     const char * old_password /* [in] */,
+				     const char * new_password /* [in] */)
+{
+	struct NetUserChangePassword r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.domain_name = domain_name;
+	r.in.user_name = user_name;
+	r.in.old_password = old_password;
+	r.in.new_password = new_password;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserChangePassword, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(domain_name)) {
+		werr = NetUserChangePassword_l(ctx, &r);
+	} else {
+		werr = NetUserChangePassword_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserChangePassword, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserGetInfo
+****************************************************************/
+
+NET_API_STATUS NetUserGetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetUserGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserGetInfo_l(ctx, &r);
+	} else {
+		werr = NetUserGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserSetInfo
+****************************************************************/
+
+NET_API_STATUS NetUserSetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t *buffer /* [in] [ref] */,
+			      uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetUserSetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserSetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserSetInfo_l(ctx, &r);
+	} else {
+		werr = NetUserSetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserSetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserGetGroups
+****************************************************************/
+
+NET_API_STATUS NetUserGetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */)
+{
+	struct NetUserGetGroups r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserGetGroups, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserGetGroups_l(ctx, &r);
+	} else {
+		werr = NetUserGetGroups_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserGetGroups, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserSetGroups
+****************************************************************/
+
+NET_API_STATUS NetUserSetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */)
+{
+	struct NetUserSetGroups r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+	r.in.num_entries = num_entries;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserSetGroups, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserSetGroups_l(ctx, &r);
+	} else {
+		werr = NetUserSetGroups_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserSetGroups, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserGetLocalGroups
+****************************************************************/
+
+NET_API_STATUS NetUserGetLocalGroups(const char * server_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     uint32_t level /* [in] */,
+				     uint32_t flags /* [in] */,
+				     uint8_t **buffer /* [out] [ref] */,
+				     uint32_t prefmaxlen /* [in] */,
+				     uint32_t *entries_read /* [out] [ref] */,
+				     uint32_t *total_entries /* [out] [ref] */)
+{
+	struct NetUserGetLocalGroups r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.user_name = user_name;
+	r.in.level = level;
+	r.in.flags = flags;
+	r.in.prefmaxlen = prefmaxlen;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserGetLocalGroups, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserGetLocalGroups_l(ctx, &r);
+	} else {
+		werr = NetUserGetLocalGroups_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserGetLocalGroups, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserModalsGet
+****************************************************************/
+
+NET_API_STATUS NetUserModalsGet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetUserModalsGet r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserModalsGet, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserModalsGet_l(ctx, &r);
+	} else {
+		werr = NetUserModalsGet_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserModalsGet, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetUserModalsSet
+****************************************************************/
+
+NET_API_STATUS NetUserModalsSet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetUserModalsSet r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetUserModalsSet, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetUserModalsSet_l(ctx, &r);
+	} else {
+		werr = NetUserModalsSet_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetUserModalsSet, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetQueryDisplayInformation
+****************************************************************/
+
+NET_API_STATUS NetQueryDisplayInformation(const char * server_name /* [in] [unique] */,
+					  uint32_t level /* [in] */,
+					  uint32_t idx /* [in] */,
+					  uint32_t entries_requested /* [in] */,
+					  uint32_t prefmaxlen /* [in] */,
+					  uint32_t *entries_read /* [out] [ref] */,
+					  void **buffer /* [out] [noprint,ref] */)
+{
+	struct NetQueryDisplayInformation r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.idx = idx;
+	r.in.entries_requested = entries_requested;
+	r.in.prefmaxlen = prefmaxlen;
+
+	/* Out parameters */
+	r.out.entries_read = entries_read;
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetQueryDisplayInformation, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetQueryDisplayInformation_l(ctx, &r);
+	} else {
+		werr = NetQueryDisplayInformation_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetQueryDisplayInformation, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupAdd
+****************************************************************/
+
+NET_API_STATUS NetGroupAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buffer /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetGroupAdd r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupAdd, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupAdd_l(ctx, &r);
+	} else {
+		werr = NetGroupAdd_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupAdd, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupDel
+****************************************************************/
+
+NET_API_STATUS NetGroupDel(const char * server_name /* [in] */,
+			   const char * group_name /* [in] */)
+{
+	struct NetGroupDel r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupDel, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupDel_l(ctx, &r);
+	} else {
+		werr = NetGroupDel_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupDel, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupEnum
+****************************************************************/
+
+NET_API_STATUS NetGroupEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetGroupEnum r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupEnum, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupEnum_l(ctx, &r);
+	} else {
+		werr = NetGroupEnum_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupEnum, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupSetInfo
+****************************************************************/
+
+NET_API_STATUS NetGroupSetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buffer /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetGroupSetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupSetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupSetInfo_l(ctx, &r);
+	} else {
+		werr = NetGroupSetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupSetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupGetInfo
+****************************************************************/
+
+NET_API_STATUS NetGroupGetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetGroupGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupGetInfo_l(ctx, &r);
+	} else {
+		werr = NetGroupGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupAddUser
+****************************************************************/
+
+NET_API_STATUS NetGroupAddUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */)
+{
+	struct NetGroupAddUser r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.user_name = user_name;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupAddUser, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupAddUser_l(ctx, &r);
+	} else {
+		werr = NetGroupAddUser_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupAddUser, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupDelUser
+****************************************************************/
+
+NET_API_STATUS NetGroupDelUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */)
+{
+	struct NetGroupDelUser r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.user_name = user_name;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupDelUser, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupDelUser_l(ctx, &r);
+	} else {
+		werr = NetGroupDelUser_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupDelUser, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupGetUsers
+****************************************************************/
+
+NET_API_STATUS NetGroupGetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */,
+				uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetGroupGetUsers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupGetUsers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupGetUsers_l(ctx, &r);
+	} else {
+		werr = NetGroupGetUsers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupGetUsers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetGroupSetUsers
+****************************************************************/
+
+NET_API_STATUS NetGroupSetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */)
+{
+	struct NetGroupSetUsers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+	r.in.num_entries = num_entries;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetGroupSetUsers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetGroupSetUsers_l(ctx, &r);
+	} else {
+		werr = NetGroupSetUsers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetGroupSetUsers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupAdd
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupAdd(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetLocalGroupAdd r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupAdd, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupAdd_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupAdd_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupAdd, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupDel
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupDel(const char * server_name /* [in] */,
+				const char * group_name /* [in] */)
+{
+	struct NetLocalGroupDel r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupDel, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupDel_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupDel_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupDel, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupGetInfo
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupGetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetLocalGroupGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupGetInfo_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupSetInfo
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupSetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t *buffer /* [in] [ref] */,
+				    uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetLocalGroupSetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupSetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupSetInfo_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupSetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupSetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupEnum
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupEnum(const char * server_name /* [in] */,
+				 uint32_t level /* [in] */,
+				 uint8_t **buffer /* [out] [ref] */,
+				 uint32_t prefmaxlen /* [in] */,
+				 uint32_t *entries_read /* [out] [ref] */,
+				 uint32_t *total_entries /* [out] [ref] */,
+				 uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetLocalGroupEnum r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupEnum, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupEnum_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupEnum_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupEnum, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupAddMembers
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupAddMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */)
+{
+	struct NetLocalGroupAddMembers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+	r.in.total_entries = total_entries;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupAddMembers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupAddMembers_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupAddMembers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupAddMembers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupDelMembers
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupDelMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */)
+{
+	struct NetLocalGroupDelMembers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+	r.in.total_entries = total_entries;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupDelMembers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupDelMembers_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupDelMembers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupDelMembers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupGetMembers
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupGetMembers(const char * server_name /* [in] */,
+				       const char * local_group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t **buffer /* [out] [ref] */,
+				       uint32_t prefmaxlen /* [in] */,
+				       uint32_t *entries_read /* [out] [ref] */,
+				       uint32_t *total_entries /* [out] [ref] */,
+				       uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetLocalGroupGetMembers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.local_group_name = local_group_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupGetMembers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupGetMembers_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupGetMembers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupGetMembers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetLocalGroupSetMembers
+****************************************************************/
+
+NET_API_STATUS NetLocalGroupSetMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */)
+{
+	struct NetLocalGroupSetMembers r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.group_name = group_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+	r.in.total_entries = total_entries;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetLocalGroupSetMembers, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetLocalGroupSetMembers_l(ctx, &r);
+	} else {
+		werr = NetLocalGroupSetMembers_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetLocalGroupSetMembers, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetRemoteTOD
+****************************************************************/
+
+NET_API_STATUS NetRemoteTOD(const char * server_name /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetRemoteTOD r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetRemoteTOD, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetRemoteTOD_l(ctx, &r);
+	} else {
+		werr = NetRemoteTOD_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetRemoteTOD, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetShareAdd
+****************************************************************/
+
+NET_API_STATUS NetShareAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buffer /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetShareAdd r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetShareAdd, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetShareAdd_l(ctx, &r);
+	} else {
+		werr = NetShareAdd_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetShareAdd, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetShareDel
+****************************************************************/
+
+NET_API_STATUS NetShareDel(const char * server_name /* [in] */,
+			   const char * net_name /* [in] */,
+			   uint32_t reserved /* [in] */)
+{
+	struct NetShareDel r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.net_name = net_name;
+	r.in.reserved = reserved;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetShareDel, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetShareDel_l(ctx, &r);
+	} else {
+		werr = NetShareDel_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetShareDel, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetShareEnum
+****************************************************************/
+
+NET_API_STATUS NetShareEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetShareEnum r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetShareEnum, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetShareEnum_l(ctx, &r);
+	} else {
+		werr = NetShareEnum_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetShareEnum, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetShareGetInfo
+****************************************************************/
+
+NET_API_STATUS NetShareGetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetShareGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.net_name = net_name;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetShareGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetShareGetInfo_l(ctx, &r);
+	} else {
+		werr = NetShareGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetShareGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetShareSetInfo
+****************************************************************/
+
+NET_API_STATUS NetShareSetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buffer /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */)
+{
+	struct NetShareSetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.net_name = net_name;
+	r.in.level = level;
+	r.in.buffer = buffer;
+
+	/* Out parameters */
+	r.out.parm_err = parm_err;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetShareSetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetShareSetInfo_l(ctx, &r);
+	} else {
+		werr = NetShareSetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetShareSetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetFileClose
+****************************************************************/
+
+NET_API_STATUS NetFileClose(const char * server_name /* [in] */,
+			    uint32_t fileid /* [in] */)
+{
+	struct NetFileClose r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.fileid = fileid;
+
+	/* Out parameters */
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetFileClose, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetFileClose_l(ctx, &r);
+	} else {
+		werr = NetFileClose_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetFileClose, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetFileGetInfo
+****************************************************************/
+
+NET_API_STATUS NetFileGetInfo(const char * server_name /* [in] */,
+			      uint32_t fileid /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */)
+{
+	struct NetFileGetInfo r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.fileid = fileid;
+	r.in.level = level;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetFileGetInfo, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetFileGetInfo_l(ctx, &r);
+	} else {
+		werr = NetFileGetInfo_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetFileGetInfo, &r);
+	}
+
+	return r.out.result;
+}
+
+/****************************************************************
+ NetFileEnum
+****************************************************************/
+
+NET_API_STATUS NetFileEnum(const char * server_name /* [in] */,
+			   const char * base_path /* [in] */,
+			   const char * user_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */)
+{
+	struct NetFileEnum r;
+	struct libnetapi_ctx *ctx = NULL;
+	NET_API_STATUS status;
+	WERROR werr;
+
+	status = libnetapi_getctx(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	/* In parameters */
+	r.in.server_name = server_name;
+	r.in.base_path = base_path;
+	r.in.user_name = user_name;
+	r.in.level = level;
+	r.in.prefmaxlen = prefmaxlen;
+	r.in.resume_handle = resume_handle;
+
+	/* Out parameters */
+	r.out.buffer = buffer;
+	r.out.entries_read = entries_read;
+	r.out.total_entries = total_entries;
+	r.out.resume_handle = resume_handle;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_IN_DEBUG(NetFileEnum, &r);
+	}
+
+	if (LIBNETAPI_LOCAL_SERVER(server_name)) {
+		werr = NetFileEnum_l(ctx, &r);
+	} else {
+		werr = NetFileEnum_r(ctx, &r);
+	}
+
+	r.out.result = W_ERROR_V(werr);
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_OUT_DEBUG(NetFileEnum, &r);
+	}
+
+	return r.out.result;
+}
+
diff --git a/source3/lib/netapi/libnetapi.h b/source3/lib/netapi/libnetapi.h
new file mode 100644
index 0000000000..1b84b75f94
--- /dev/null
+++ b/source3/lib/netapi/libnetapi.h
@@ -0,0 +1,429 @@
+#ifndef __LIBNETAPI_LIBNETAPI__
+#define __LIBNETAPI_LIBNETAPI__
+NET_API_STATUS NetJoinDomain(const char * server /* [in] [unique] */,
+			     const char * domain /* [in] [ref] */,
+			     const char * account_ou /* [in] [unique] */,
+			     const char * account /* [in] [unique] */,
+			     const char * password /* [in] [unique] */,
+			     uint32_t join_flags /* [in] */);
+WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
+		       struct NetJoinDomain *r);
+WERROR NetJoinDomain_l(struct libnetapi_ctx *ctx,
+		       struct NetJoinDomain *r);
+NET_API_STATUS NetUnjoinDomain(const char * server_name /* [in] [unique] */,
+			       const char * account /* [in] [unique] */,
+			       const char * password /* [in] [unique] */,
+			       uint32_t unjoin_flags /* [in] */);
+WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
+			 struct NetUnjoinDomain *r);
+WERROR NetUnjoinDomain_l(struct libnetapi_ctx *ctx,
+			 struct NetUnjoinDomain *r);
+NET_API_STATUS NetGetJoinInformation(const char * server_name /* [in] [unique] */,
+				     const char * *name_buffer /* [out] [ref] */,
+				     uint16_t *name_type /* [out] [ref] */);
+WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
+			       struct NetGetJoinInformation *r);
+WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx,
+			       struct NetGetJoinInformation *r);
+NET_API_STATUS NetGetJoinableOUs(const char * server_name /* [in] [unique] */,
+				 const char * domain /* [in] [ref] */,
+				 const char * account /* [in] [unique] */,
+				 const char * password /* [in] [unique] */,
+				 uint32_t *ou_count /* [out] [ref] */,
+				 const char * **ous /* [out] [ref] */);
+WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
+			   struct NetGetJoinableOUs *r);
+WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx,
+			   struct NetGetJoinableOUs *r);
+NET_API_STATUS NetRenameMachineInDomain(const char * server_name /* [in] */,
+					const char * new_machine_name /* [in] */,
+					const char * account /* [in] */,
+					const char * password /* [in] */,
+					uint32_t rename_options /* [in] */);
+WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
+				  struct NetRenameMachineInDomain *r);
+WERROR NetRenameMachineInDomain_l(struct libnetapi_ctx *ctx,
+				  struct NetRenameMachineInDomain *r);
+NET_API_STATUS NetServerGetInfo(const char * server_name /* [in] [unique] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */);
+WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
+			  struct NetServerGetInfo *r);
+WERROR NetServerGetInfo_l(struct libnetapi_ctx *ctx,
+			  struct NetServerGetInfo *r);
+NET_API_STATUS NetServerSetInfo(const char * server_name /* [in] [unique] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_error /* [out] [ref] */);
+WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
+			  struct NetServerSetInfo *r);
+WERROR NetServerSetInfo_l(struct libnetapi_ctx *ctx,
+			  struct NetServerSetInfo *r);
+NET_API_STATUS NetGetDCName(const char * server_name /* [in] [unique] */,
+			    const char * domain_name /* [in] [unique] */,
+			    uint8_t **buffer /* [out] [ref] */);
+WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
+		      struct NetGetDCName *r);
+WERROR NetGetDCName_l(struct libnetapi_ctx *ctx,
+		      struct NetGetDCName *r);
+NET_API_STATUS NetGetAnyDCName(const char * server_name /* [in] [unique] */,
+			       const char * domain_name /* [in] [unique] */,
+			       uint8_t **buffer /* [out] [ref] */);
+WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
+			 struct NetGetAnyDCName *r);
+WERROR NetGetAnyDCName_l(struct libnetapi_ctx *ctx,
+			 struct NetGetAnyDCName *r);
+NET_API_STATUS DsGetDcName(const char * server_name /* [in] [unique] */,
+			   const char * domain_name /* [in] [ref] */,
+			   struct GUID *domain_guid /* [in] [unique] */,
+			   const char * site_name /* [in] [unique] */,
+			   uint32_t flags /* [in] */,
+			   struct DOMAIN_CONTROLLER_INFO **dc_info /* [out] [ref] */);
+WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
+		     struct DsGetDcName *r);
+WERROR DsGetDcName_l(struct libnetapi_ctx *ctx,
+		     struct DsGetDcName *r);
+NET_API_STATUS NetUserAdd(const char * server_name /* [in] [unique] */,
+			  uint32_t level /* [in] */,
+			  uint8_t *buffer /* [in] [ref] */,
+			  uint32_t *parm_error /* [out] [ref] */);
+WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
+		    struct NetUserAdd *r);
+WERROR NetUserAdd_l(struct libnetapi_ctx *ctx,
+		    struct NetUserAdd *r);
+NET_API_STATUS NetUserDel(const char * server_name /* [in] [unique] */,
+			  const char * user_name /* [in] [ref] */);
+WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
+		    struct NetUserDel *r);
+WERROR NetUserDel_l(struct libnetapi_ctx *ctx,
+		    struct NetUserDel *r);
+NET_API_STATUS NetUserEnum(const char * server_name /* [in] [unique] */,
+			   uint32_t level /* [in] */,
+			   uint32_t filter /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
+		     struct NetUserEnum *r);
+WERROR NetUserEnum_l(struct libnetapi_ctx *ctx,
+		     struct NetUserEnum *r);
+NET_API_STATUS NetUserChangePassword(const char * domain_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     const char * old_password /* [in] */,
+				     const char * new_password /* [in] */);
+WERROR NetUserChangePassword_r(struct libnetapi_ctx *ctx,
+			       struct NetUserChangePassword *r);
+WERROR NetUserChangePassword_l(struct libnetapi_ctx *ctx,
+			       struct NetUserChangePassword *r);
+NET_API_STATUS NetUserGetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */);
+WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetUserGetInfo *r);
+WERROR NetUserGetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetUserGetInfo *r);
+NET_API_STATUS NetUserSetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t *buffer /* [in] [ref] */,
+			      uint32_t *parm_err /* [out] [ref] */);
+WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetUserSetInfo *r);
+WERROR NetUserSetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetUserSetInfo *r);
+NET_API_STATUS NetUserGetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */);
+WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
+			  struct NetUserGetGroups *r);
+WERROR NetUserGetGroups_l(struct libnetapi_ctx *ctx,
+			  struct NetUserGetGroups *r);
+NET_API_STATUS NetUserSetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */);
+WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
+			  struct NetUserSetGroups *r);
+WERROR NetUserSetGroups_l(struct libnetapi_ctx *ctx,
+			  struct NetUserSetGroups *r);
+NET_API_STATUS NetUserGetLocalGroups(const char * server_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     uint32_t level /* [in] */,
+				     uint32_t flags /* [in] */,
+				     uint8_t **buffer /* [out] [ref] */,
+				     uint32_t prefmaxlen /* [in] */,
+				     uint32_t *entries_read /* [out] [ref] */,
+				     uint32_t *total_entries /* [out] [ref] */);
+WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
+			       struct NetUserGetLocalGroups *r);
+WERROR NetUserGetLocalGroups_l(struct libnetapi_ctx *ctx,
+			       struct NetUserGetLocalGroups *r);
+NET_API_STATUS NetUserModalsGet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */);
+WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsGet *r);
+WERROR NetUserModalsGet_l(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsGet *r);
+NET_API_STATUS NetUserModalsSet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */);
+WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsSet *r);
+WERROR NetUserModalsSet_l(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsSet *r);
+NET_API_STATUS NetQueryDisplayInformation(const char * server_name /* [in] [unique] */,
+					  uint32_t level /* [in] */,
+					  uint32_t idx /* [in] */,
+					  uint32_t entries_requested /* [in] */,
+					  uint32_t prefmaxlen /* [in] */,
+					  uint32_t *entries_read /* [out] [ref] */,
+					  void **buffer /* [out] [noprint,ref] */);
+WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
+				    struct NetQueryDisplayInformation *r);
+WERROR NetQueryDisplayInformation_l(struct libnetapi_ctx *ctx,
+				    struct NetQueryDisplayInformation *r);
+NET_API_STATUS NetGroupAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buffer /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */);
+WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
+		     struct NetGroupAdd *r);
+WERROR NetGroupAdd_l(struct libnetapi_ctx *ctx,
+		     struct NetGroupAdd *r);
+NET_API_STATUS NetGroupDel(const char * server_name /* [in] */,
+			   const char * group_name /* [in] */);
+WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
+		     struct NetGroupDel *r);
+WERROR NetGroupDel_l(struct libnetapi_ctx *ctx,
+		     struct NetGroupDel *r);
+NET_API_STATUS NetGroupEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
+		      struct NetGroupEnum *r);
+WERROR NetGroupEnum_l(struct libnetapi_ctx *ctx,
+		      struct NetGroupEnum *r);
+NET_API_STATUS NetGroupSetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buffer /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */);
+WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupSetInfo *r);
+WERROR NetGroupSetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupSetInfo *r);
+NET_API_STATUS NetGroupGetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */);
+WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupGetInfo *r);
+WERROR NetGroupGetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupGetInfo *r);
+NET_API_STATUS NetGroupAddUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */);
+WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupAddUser *r);
+WERROR NetGroupAddUser_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupAddUser *r);
+NET_API_STATUS NetGroupDelUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */);
+WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
+			 struct NetGroupDelUser *r);
+WERROR NetGroupDelUser_l(struct libnetapi_ctx *ctx,
+			 struct NetGroupDelUser *r);
+NET_API_STATUS NetGroupGetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */,
+				uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
+			  struct NetGroupGetUsers *r);
+WERROR NetGroupGetUsers_l(struct libnetapi_ctx *ctx,
+			  struct NetGroupGetUsers *r);
+NET_API_STATUS NetGroupSetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */);
+WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
+			  struct NetGroupSetUsers *r);
+WERROR NetGroupSetUsers_l(struct libnetapi_ctx *ctx,
+			  struct NetGroupSetUsers *r);
+NET_API_STATUS NetLocalGroupAdd(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */);
+WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupAdd *r);
+WERROR NetLocalGroupAdd_l(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupAdd *r);
+NET_API_STATUS NetLocalGroupDel(const char * server_name /* [in] */,
+				const char * group_name /* [in] */);
+WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupDel *r);
+WERROR NetLocalGroupDel_l(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupDel *r);
+NET_API_STATUS NetLocalGroupGetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t **buffer /* [out] [ref] */);
+WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupGetInfo *r);
+WERROR NetLocalGroupGetInfo_l(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupGetInfo *r);
+NET_API_STATUS NetLocalGroupSetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t *buffer /* [in] [ref] */,
+				    uint32_t *parm_err /* [out] [ref] */);
+WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupSetInfo *r);
+WERROR NetLocalGroupSetInfo_l(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupSetInfo *r);
+NET_API_STATUS NetLocalGroupEnum(const char * server_name /* [in] */,
+				 uint32_t level /* [in] */,
+				 uint8_t **buffer /* [out] [ref] */,
+				 uint32_t prefmaxlen /* [in] */,
+				 uint32_t *entries_read /* [out] [ref] */,
+				 uint32_t *total_entries /* [out] [ref] */,
+				 uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
+			   struct NetLocalGroupEnum *r);
+WERROR NetLocalGroupEnum_l(struct libnetapi_ctx *ctx,
+			   struct NetLocalGroupEnum *r);
+NET_API_STATUS NetLocalGroupAddMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+WERROR NetLocalGroupAddMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupAddMembers *r);
+WERROR NetLocalGroupAddMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupAddMembers *r);
+NET_API_STATUS NetLocalGroupDelMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+WERROR NetLocalGroupDelMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupDelMembers *r);
+WERROR NetLocalGroupDelMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupDelMembers *r);
+NET_API_STATUS NetLocalGroupGetMembers(const char * server_name /* [in] */,
+				       const char * local_group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t **buffer /* [out] [ref] */,
+				       uint32_t prefmaxlen /* [in] */,
+				       uint32_t *entries_read /* [out] [ref] */,
+				       uint32_t *total_entries /* [out] [ref] */,
+				       uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetLocalGroupGetMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupGetMembers *r);
+WERROR NetLocalGroupGetMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupGetMembers *r);
+NET_API_STATUS NetLocalGroupSetMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+WERROR NetLocalGroupSetMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupSetMembers *r);
+WERROR NetLocalGroupSetMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupSetMembers *r);
+NET_API_STATUS NetRemoteTOD(const char * server_name /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */);
+WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
+		      struct NetRemoteTOD *r);
+WERROR NetRemoteTOD_l(struct libnetapi_ctx *ctx,
+		      struct NetRemoteTOD *r);
+NET_API_STATUS NetShareAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buffer /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */);
+WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
+		     struct NetShareAdd *r);
+WERROR NetShareAdd_l(struct libnetapi_ctx *ctx,
+		     struct NetShareAdd *r);
+NET_API_STATUS NetShareDel(const char * server_name /* [in] */,
+			   const char * net_name /* [in] */,
+			   uint32_t reserved /* [in] */);
+WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
+		     struct NetShareDel *r);
+WERROR NetShareDel_l(struct libnetapi_ctx *ctx,
+		     struct NetShareDel *r);
+NET_API_STATUS NetShareEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
+		      struct NetShareEnum *r);
+WERROR NetShareEnum_l(struct libnetapi_ctx *ctx,
+		      struct NetShareEnum *r);
+NET_API_STATUS NetShareGetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */);
+WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetShareGetInfo *r);
+WERROR NetShareGetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetShareGetInfo *r);
+NET_API_STATUS NetShareSetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buffer /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */);
+WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetShareSetInfo *r);
+WERROR NetShareSetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetShareSetInfo *r);
+NET_API_STATUS NetFileClose(const char * server_name /* [in] */,
+			    uint32_t fileid /* [in] */);
+WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
+		      struct NetFileClose *r);
+WERROR NetFileClose_l(struct libnetapi_ctx *ctx,
+		      struct NetFileClose *r);
+NET_API_STATUS NetFileGetInfo(const char * server_name /* [in] */,
+			      uint32_t fileid /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */);
+WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetFileGetInfo *r);
+WERROR NetFileGetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetFileGetInfo *r);
+NET_API_STATUS NetFileEnum(const char * server_name /* [in] */,
+			   const char * base_path /* [in] */,
+			   const char * user_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */);
+WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
+		     struct NetFileEnum *r);
+WERROR NetFileEnum_l(struct libnetapi_ctx *ctx,
+		     struct NetFileEnum *r);
+#endif /* __LIBNETAPI_LIBNETAPI__ */
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
new file mode 100644
index 0000000000..25a3427bc1
--- /dev/null
+++ b/source3/lib/netapi/localgroup.c
@@ -0,0 +1,1358 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi LocalGroup Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+
+static NTSTATUS libnetapi_samr_lookup_and_open_alias(TALLOC_CTX *mem_ctx,
+						     struct rpc_pipe_client *pipe_cli,
+						     struct policy_handle *domain_handle,
+						     const char *group_name,
+						     uint32_t access_rights,
+						     struct policy_handle *alias_handle)
+{
+	NTSTATUS status;
+
+	struct lsa_String lsa_account_name;
+	struct samr_Ids user_rids, name_types;
+
+	init_lsa_String(&lsa_account_name, group_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, mem_ctx,
+					 domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	switch (name_types.ids[0]) {
+		case SID_NAME_ALIAS:
+		case SID_NAME_WKN_GRP:
+			break;
+		default:
+			return NT_STATUS_INVALID_SID;
+	}
+
+	return rpccli_samr_OpenAlias(pipe_cli, mem_ctx,
+				     domain_handle,
+				     access_rights,
+				     user_rids.ids[0],
+				     alias_handle);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS libnetapi_samr_open_alias_queryinfo(TALLOC_CTX *mem_ctx,
+						    struct rpc_pipe_client *pipe_cli,
+						    struct policy_handle *handle,
+						    uint32_t rid,
+						    uint32_t access_rights,
+						    enum samr_AliasInfoEnum level,
+						    union samr_AliasInfo **alias_info)
+{
+	NTSTATUS status;
+	struct policy_handle alias_handle;
+	union samr_AliasInfo *_alias_info = NULL;
+
+	ZERO_STRUCT(alias_handle);
+
+	status = rpccli_samr_OpenAlias(pipe_cli, mem_ctx,
+				       handle,
+				       access_rights,
+				       rid,
+				       &alias_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QueryAliasInfo(pipe_cli, mem_ctx,
+					    &alias_handle,
+					    level,
+					    &_alias_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	*alias_info = _alias_info;
+
+ done:
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, mem_ctx, &alias_handle);
+	}
+
+	return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupAdd *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct lsa_String lsa_account_name;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	uint32_t rid;
+
+	struct LOCALGROUP_INFO_0 *info0 = NULL;
+	struct LOCALGROUP_INFO_1 *info1 = NULL;
+
+	const char *alias_name = NULL;
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			info0 = (struct LOCALGROUP_INFO_0 *)r->in.buffer;
+			alias_name = info0->lgrpi0_name;
+			break;
+		case 1:
+			info1 = (struct LOCALGROUP_INFO_1 *)r->in.buffer;
+			alias_name = info1->lgrpi1_name;
+			break;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &builtin_handle,
+						      alias_name,
+						      SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+						      &alias_handle);
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+		werr = WERR_ALIAS_EXISTS;
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_CREATE_ALIAS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, alias_name);
+
+	status = rpccli_samr_CreateDomAlias(pipe_cli, ctx,
+					    &domain_handle,
+					    &lsa_account_name,
+					    SEC_STD_DELETE |
+					    SAMR_ALIAS_ACCESS_SET_INFO,
+					    &alias_handle,
+					    &rid);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (r->in.level == 1 && info1->lgrpi1_comment) {
+
+		union samr_AliasInfo alias_info;
+
+		init_lsa_String(&alias_info.description, info1->lgrpi1_comment);
+
+		status = rpccli_samr_SetAliasInfo(pipe_cli, ctx,
+						  &alias_handle,
+						  ALIASINFODESCRIPTION,
+						  &alias_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &alias_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupAdd_l(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupAdd *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupAdd);
+}
+
+/****************************************************************
+****************************************************************/
+
+
+WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupDel *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &builtin_handle,
+						      r->in.group_name,
+						      SEC_STD_DELETE,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+		goto delete_alias;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_CREATE_ALIAS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &domain_handle,
+						      r->in.group_name,
+						      SEC_STD_DELETE,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+
+ delete_alias:
+	status = rpccli_samr_DeleteDomAlias(pipe_cli, ctx,
+					    &alias_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	ZERO_STRUCT(alias_handle);
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &alias_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupDel_l(struct libnetapi_ctx *ctx,
+			  struct NetLocalGroupDel *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupDel);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR map_alias_info_to_buffer(TALLOC_CTX *mem_ctx,
+				       const char *alias_name,
+				       struct samr_AliasInfoAll *info,
+				       uint32_t level,
+				       uint32_t *entries_read,
+				       uint8_t **buffer)
+{
+	struct LOCALGROUP_INFO_0 g0;
+	struct LOCALGROUP_INFO_1 g1;
+	struct LOCALGROUP_INFO_1002 g1002;
+
+	switch (level) {
+		case 0:
+			g0.lgrpi0_name		= talloc_strdup(mem_ctx, alias_name);
+			W_ERROR_HAVE_NO_MEMORY(g0.lgrpi0_name);
+
+			ADD_TO_ARRAY(mem_ctx, struct LOCALGROUP_INFO_0, g0,
+				     (struct LOCALGROUP_INFO_0 **)buffer, entries_read);
+
+			break;
+		case 1:
+			g1.lgrpi1_name		= talloc_strdup(mem_ctx, alias_name);
+			g1.lgrpi1_comment	= talloc_strdup(mem_ctx, info->description.string);
+			W_ERROR_HAVE_NO_MEMORY(g1.lgrpi1_name);
+
+			ADD_TO_ARRAY(mem_ctx, struct LOCALGROUP_INFO_1, g1,
+				     (struct LOCALGROUP_INFO_1 **)buffer, entries_read);
+
+			break;
+		case 1002:
+			g1002.lgrpi1002_comment	= talloc_strdup(mem_ctx, info->description.string);
+
+			ADD_TO_ARRAY(mem_ctx, struct LOCALGROUP_INFO_1002, g1002,
+				     (struct LOCALGROUP_INFO_1002 **)buffer, entries_read);
+
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupGetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	union samr_AliasInfo *alias_info = NULL;
+	uint32_t entries_read = 0;
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 1002:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &builtin_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+		goto query_alias;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_CREATE_ALIAS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &domain_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ query_alias:
+	status = rpccli_samr_QueryAliasInfo(pipe_cli, ctx,
+					    &alias_handle,
+					    ALIASINFOALL,
+					    &alias_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = map_alias_info_to_buffer(ctx,
+					r->in.group_name,
+					&alias_info->all,
+					r->in.level, &entries_read,
+					r->out.buffer);
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &alias_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupGetInfo_l(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupGetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupGetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR map_buffer_to_alias_info(TALLOC_CTX *mem_ctx,
+				       uint32_t level,
+				       uint8_t *buffer,
+				       enum samr_AliasInfoEnum *alias_level,
+				       union samr_AliasInfo **alias_info)
+{
+	struct LOCALGROUP_INFO_0 *info0;
+	struct LOCALGROUP_INFO_1 *info1;
+	struct LOCALGROUP_INFO_1002 *info1002;
+	union samr_AliasInfo *info = NULL;
+
+	info = TALLOC_ZERO_P(mem_ctx, union samr_AliasInfo);
+	W_ERROR_HAVE_NO_MEMORY(info);
+
+	switch (level) {
+		case 0:
+			info0 = (struct LOCALGROUP_INFO_0 *)buffer;
+			init_lsa_String(&info->name, info0->lgrpi0_name);
+			*alias_level = ALIASINFONAME;
+			break;
+		case 1:
+			info1 = (struct LOCALGROUP_INFO_1 *)buffer;
+			/* group name will be ignored */
+			init_lsa_String(&info->description, info1->lgrpi1_comment);
+			*alias_level = ALIASINFODESCRIPTION;
+			break;
+		case 1002:
+			info1002 = (struct LOCALGROUP_INFO_1002 *)buffer;
+			init_lsa_String(&info->description, info1002->lgrpi1002_comment);
+			*alias_level = ALIASINFODESCRIPTION;
+			break;
+	}
+
+	*alias_info = info;
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupSetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct lsa_String lsa_account_name;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	enum samr_AliasInfoEnum alias_level = 0;
+	union samr_AliasInfo *alias_info = NULL;
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 1002:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.group_name);
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &builtin_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_SET_INFO,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+		goto set_alias;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &domain_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_SET_INFO,
+						      &alias_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+	}
+
+ set_alias:
+
+	werr = map_buffer_to_alias_info(ctx, r->in.level, r->in.buffer,
+					&alias_level, &alias_info);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_samr_SetAliasInfo(pipe_cli, ctx,
+					  &alias_handle,
+					  alias_level,
+					  alias_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &alias_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupSetInfo_l(struct libnetapi_ctx *ctx,
+			      struct NetLocalGroupSetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupSetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
+			   struct NetLocalGroupEnum *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	uint32_t entries_read = 0;
+	union samr_DomainInfo *domain_info = NULL;
+	union samr_DomainInfo *builtin_info = NULL;
+	struct samr_SamArray *domain_sam_array = NULL;
+	struct samr_SamArray *builtin_sam_array = NULL;
+	int i;
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries = 0;
+	}
+	if (r->out.entries_read) {
+		*r->out.entries_read = 0;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+						  SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_OPEN_DOMAIN |
+					  SAMR_ACCESS_ENUM_DOMAINS,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+					  SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QueryDomainInfo(pipe_cli, ctx,
+					     &builtin_handle,
+					     2,
+					     &builtin_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries += builtin_info->info2.num_aliases;
+	}
+
+	status = rpccli_samr_QueryDomainInfo(pipe_cli, ctx,
+					     &domain_handle,
+					     2,
+					     &domain_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (r->out.total_entries) {
+		*r->out.total_entries += domain_info->info2.num_aliases;
+	}
+
+	status = rpccli_samr_EnumDomainAliases(pipe_cli, ctx,
+					       &builtin_handle,
+					       r->in.resume_handle,
+					       &builtin_sam_array,
+					       r->in.prefmaxlen,
+					       &entries_read);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i<builtin_sam_array->count; i++) {
+		union samr_AliasInfo *alias_info = NULL;
+
+		if (r->in.level == 1) {
+
+			status = libnetapi_samr_open_alias_queryinfo(ctx, pipe_cli,
+								     &builtin_handle,
+								     builtin_sam_array->entries[i].idx,
+								     SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+								     ALIASINFOALL,
+								     &alias_info);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+		}
+
+		werr = map_alias_info_to_buffer(ctx,
+						builtin_sam_array->entries[i].name.string,
+						alias_info ? &alias_info->all : NULL,
+						r->in.level,
+						r->out.entries_read,
+						r->out.buffer);
+	}
+
+	status = rpccli_samr_EnumDomainAliases(pipe_cli, ctx,
+					       &domain_handle,
+					       r->in.resume_handle,
+					       &domain_sam_array,
+					       r->in.prefmaxlen,
+					       &entries_read);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i<domain_sam_array->count; i++) {
+
+		union samr_AliasInfo *alias_info = NULL;
+
+		if (r->in.level == 1) {
+			status = libnetapi_samr_open_alias_queryinfo(ctx, pipe_cli,
+								     &domain_handle,
+								     domain_sam_array->entries[i].idx,
+								     SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+								     ALIASINFOALL,
+								     &alias_info);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+		}
+
+		werr = map_alias_info_to_buffer(ctx,
+						domain_sam_array->entries[i].name.string,
+						alias_info ? &alias_info->all : NULL,
+						r->in.level,
+						r->out.entries_read,
+						r->out.buffer);
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupEnum_l(struct libnetapi_ctx *ctx,
+			   struct NetLocalGroupEnum *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupEnum);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
+					    struct rpc_pipe_client *lsa_pipe,
+					    const char *name,
+					    struct dom_sid *sid)
+{
+	NTSTATUS status;
+	struct policy_handle lsa_handle;
+
+	struct lsa_RefDomainList *domains = NULL;
+	struct lsa_TransSidArray3 sids;
+	uint32_t count = 0;
+
+	struct lsa_String names;
+	uint32_t num_names = 1;
+
+	if (!sid || !name) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	ZERO_STRUCT(sids);
+
+	init_lsa_String(&names, name);
+
+	status = rpccli_lsa_open_policy2(lsa_pipe, mem_ctx,
+					 false,
+					 STD_RIGHT_READ_CONTROL_ACCESS |
+					 LSA_POLICY_VIEW_LOCAL_INFORMATION |
+					 LSA_POLICY_LOOKUP_NAMES,
+					 &lsa_handle);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	status = rpccli_lsa_LookupNames3(lsa_pipe, mem_ctx,
+					 &lsa_handle,
+					 num_names,
+					 &names,
+					 &domains,
+					 &sids,
+					 LSA_LOOKUP_NAMES_ALL, /* sure ? */
+					 &count,
+					 0, 0);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	if (count != 1 || sids.count != 1) {
+		return NT_STATUS_NONE_MAPPED;
+	}
+
+	sid_copy(sid, sids.sids[0].sid);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
+					   struct NetLocalGroupAddMembers *add,
+					   struct NetLocalGroupDelMembers *del,
+					   struct NetLocalGroupSetMembers *set)
+{
+	struct NetLocalGroupAddMembers *r = NULL;
+
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct rpc_pipe_client *lsa_pipe = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct lsa_String lsa_account_name;
+	struct policy_handle connect_handle, domain_handle, builtin_handle, alias_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	struct dom_sid *member_sids = NULL;
+	int i = 0, k = 0;
+
+	struct LOCALGROUP_MEMBERS_INFO_0 *info0 = NULL;
+	struct LOCALGROUP_MEMBERS_INFO_3 *info3 = NULL;
+
+	struct dom_sid *add_sids = NULL;
+	struct dom_sid *del_sids = NULL;
+	size_t num_add_sids = 0;
+	size_t num_del_sids = 0;
+
+	if ((!add && !del && !set) || (add && del && set)) {
+		return WERR_INVALID_PARAM;
+	}
+
+	if (add) {
+		r = add;
+	}
+
+	if (del) {
+		r = (struct NetLocalGroupAddMembers *)del;
+	}
+
+	if (set) {
+		r = (struct NetLocalGroupAddMembers *)set;
+	}
+
+	if (!r->in.group_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 3:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	if (r->in.total_entries == 0 || !r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(alias_handle);
+
+	member_sids = TALLOC_ZERO_ARRAY(ctx, struct dom_sid,
+					r->in.total_entries);
+	W_ERROR_HAVE_NO_MEMORY(member_sids);
+
+	switch (r->in.level) {
+		case 0:
+			info0 = (struct LOCALGROUP_MEMBERS_INFO_0 *)r->in.buffer;
+			for (i=0; i < r->in.total_entries; i++) {
+				sid_copy(&member_sids[i], (struct dom_sid *)info0[i].lgrmi0_sid);
+			}
+			break;
+		case 3:
+			info3 = (struct LOCALGROUP_MEMBERS_INFO_3 *)r->in.buffer;
+			break;
+		default:
+			break;
+	}
+
+	if (r->in.level == 3) {
+		werr = libnetapi_open_pipe(ctx, r->in.server_name,
+					   &ndr_table_lsarpc.syntax_id,
+					   &cli,
+					   &lsa_pipe);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+
+		for (i=0; i < r->in.total_entries; i++) {
+			status = libnetapi_lsa_lookup_names3(ctx, lsa_pipe,
+							     info3[i].lgrmi3_domainandname,
+							     &member_sids[i]);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+		}
+		TALLOC_FREE(lsa_pipe);
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_OPEN_DOMAIN |
+						  SAMR_ACCESS_ENUM_DOMAINS,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.group_name);
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &builtin_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_ADD_MEMBER |
+						      SAMR_ALIAS_ACCESS_REMOVE_MEMBER |
+						      SAMR_ALIAS_ACCESS_GET_MEMBERS |
+						      SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+						      &alias_handle);
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+	}
+
+	if (NT_STATUS_IS_OK(status)) {
+		goto modify_membership;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_and_open_alias(ctx, pipe_cli,
+						      &domain_handle,
+						      r->in.group_name,
+						      SAMR_ALIAS_ACCESS_ADD_MEMBER |
+						      SAMR_ALIAS_ACCESS_REMOVE_MEMBER |
+						      SAMR_ALIAS_ACCESS_GET_MEMBERS |
+						      SAMR_ALIAS_ACCESS_LOOKUP_INFO,
+						      &alias_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+	}
+
+ modify_membership:
+
+	if (add) {
+		for (i=0; i < r->in.total_entries; i++) {
+			status = add_sid_to_array_unique(ctx, &member_sids[i],
+							 &add_sids,
+							 &num_add_sids);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+		}
+	}
+
+	if (del) {
+		for (i=0; i < r->in.total_entries; i++) {
+			status = add_sid_to_array_unique(ctx, &member_sids[i],
+							 &del_sids,
+							 &num_del_sids);
+			if (!NT_STATUS_IS_OK(status)) {
+				werr = ntstatus_to_werror(status);
+				goto done;
+			}
+		}
+	}
+
+	if (set) {
+
+		struct lsa_SidArray current_sids;
+
+		status = rpccli_samr_GetMembersInAlias(pipe_cli, ctx,
+						       &alias_handle,
+						       &current_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+
+		/* add list */
+
+		for (i=0; i < r->in.total_entries; i++) {
+			bool already_member = false;
+			for (k=0; k < current_sids.num_sids; k++) {
+				if (sid_equal(&member_sids[i],
+					      current_sids.sids[k].sid)) {
+					already_member = true;
+					break;
+				}
+			}
+			if (!already_member) {
+				status = add_sid_to_array_unique(ctx,
+					&member_sids[i],
+					&add_sids, &num_add_sids);
+				if (!NT_STATUS_IS_OK(status)) {
+					werr = ntstatus_to_werror(status);
+					goto done;
+				}
+			}
+		}
+
+		/* del list */
+
+		for (k=0; k < current_sids.num_sids; k++) {
+			bool keep_member = false;
+			for (i=0; i < r->in.total_entries; i++) {
+				if (sid_equal(&member_sids[i],
+					      current_sids.sids[k].sid)) {
+					keep_member = true;
+					break;
+				}
+			}
+			if (!keep_member) {
+				status = add_sid_to_array_unique(ctx,
+						current_sids.sids[k].sid,
+						&del_sids, &num_del_sids);
+				if (!NT_STATUS_IS_OK(status)) {
+					werr = ntstatus_to_werror(status);
+					goto done;
+				}
+			}
+		}
+	}
+
+	/* add list */
+
+	for (i=0; i < num_add_sids; i++) {
+		status = rpccli_samr_AddAliasMember(pipe_cli, ctx,
+						    &alias_handle,
+						    &add_sids[i]);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	/* del list */
+
+	for (i=0; i < num_del_sids; i++) {
+		status = rpccli_samr_DeleteAliasMember(pipe_cli, ctx,
+						       &alias_handle,
+						       &del_sids[i]);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&alias_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &alias_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupAddMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupAddMembers *r)
+{
+	return NetLocalGroupModifyMembers_r(ctx, r, NULL, NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupAddMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupAddMembers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupAddMembers);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupDelMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupDelMembers *r)
+{
+	return NetLocalGroupModifyMembers_r(ctx, NULL, r, NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupDelMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupDelMembers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupDelMembers);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupGetMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupGetMembers *r)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupGetMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupGetMembers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupGetMembers);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupSetMembers_r(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupSetMembers *r)
+{
+	return NetLocalGroupModifyMembers_r(ctx, NULL, NULL, r);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetLocalGroupSetMembers_l(struct libnetapi_ctx *ctx,
+				 struct NetLocalGroupSetMembers *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetLocalGroupSetMembers);
+}
+
diff --git a/source3/lib/netapi/netapi.c b/source3/lib/netapi/netapi.c
new file mode 100644
index 0000000000..889388173f
--- /dev/null
+++ b/source3/lib/netapi/netapi.c
@@ -0,0 +1,348 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+
+extern bool AllowDebugChange;
+
+struct libnetapi_ctx *stat_ctx = NULL;
+TALLOC_CTX *frame = NULL;
+static bool libnetapi_initialized = false;
+
+/****************************************************************
+****************************************************************/
+
+static NET_API_STATUS libnetapi_init_private_context(struct libnetapi_ctx *ctx)
+{
+	struct libnetapi_private_ctx *priv;
+
+	if (!ctx) {
+		return W_ERROR_V(WERR_INVALID_PARAM);
+	}
+
+	priv = TALLOC_ZERO_P(ctx, struct libnetapi_private_ctx);
+	if (!priv) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+
+	ctx->private_data = priv;
+
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_init(struct libnetapi_ctx **context)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *ctx = NULL;
+	char *krb5_cc_env = NULL;
+
+	if (stat_ctx && libnetapi_initialized) {
+		*context = stat_ctx;
+		return NET_API_STATUS_SUCCESS;
+	}
+
+#if 0
+	talloc_enable_leak_report();
+#endif
+	frame = talloc_stackframe();
+
+	ctx = talloc_zero(frame, struct libnetapi_ctx);
+	if (!ctx) {
+		TALLOC_FREE(frame);
+		return W_ERROR_V(WERR_NOMEM);
+	}
+
+	if (!DEBUGLEVEL) {
+		DEBUGLEVEL = 0;
+	}
+
+	/* prevent setup_logging() from closing x_stderr... */
+	dbf = 0;
+	setup_logging("libnetapi", true);
+
+	dbf = x_stderr;
+	x_setbuf(x_stderr, NULL);
+	AllowDebugChange = false;
+
+	load_case_tables();
+
+	if (!lp_load(get_dyn_CONFIGFILE(), true, false, false, false)) {
+		TALLOC_FREE(frame);
+		fprintf(stderr, "lp_load failed\n");
+		return W_ERROR_V(WERR_GENERAL_FAILURE);
+	}
+
+	AllowDebugChange = true;
+
+	init_names();
+	load_interfaces();
+	reopen_logs();
+
+	BlockSignals(True, SIGPIPE);
+
+	krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+	if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
+		ctx->krb5_cc_env = talloc_strdup(frame, "MEMORY:libnetapi");
+		setenv(KRB5_ENV_CCNAME, ctx->krb5_cc_env, 1);
+	}
+
+	if (getenv("USER")) {
+		ctx->username = talloc_strdup(frame, getenv("USER"));
+	} else {
+		ctx->username = talloc_strdup(frame, "");
+	}
+	if (!ctx->username) {
+		TALLOC_FREE(frame);
+		fprintf(stderr, "libnetapi_init: out of memory\n");
+		return W_ERROR_V(WERR_NOMEM);
+	}
+
+	status = libnetapi_init_private_context(ctx);
+	if (status != 0) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	libnetapi_initialized = true;
+
+	*context = stat_ctx = ctx;
+
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_getctx(struct libnetapi_ctx **ctx)
+{
+	if (stat_ctx) {
+		*ctx = stat_ctx;
+		return NET_API_STATUS_SUCCESS;
+	}
+
+	return libnetapi_init(ctx);
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_free(struct libnetapi_ctx *ctx)
+{
+	if (!ctx) {
+		return NET_API_STATUS_SUCCESS;
+	}
+
+	libnetapi_samr_free(ctx);
+
+	libnetapi_shutdown_cm(ctx);
+
+	if (ctx->krb5_cc_env) {
+		char *env = getenv(KRB5_ENV_CCNAME);
+		if (env && (strequal(ctx->krb5_cc_env, env))) {
+			unsetenv(KRB5_ENV_CCNAME);
+		}
+	}
+
+	gfree_names();
+	gfree_loadparm();
+	gfree_case_tables();
+	gfree_charcnv();
+	gfree_interfaces();
+
+	gencache_shutdown();
+	secrets_shutdown();
+
+	TALLOC_FREE(ctx);
+	TALLOC_FREE(frame);
+
+	gfree_debugsyms();
+
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_debuglevel(struct libnetapi_ctx *ctx,
+					const char *debuglevel)
+{
+	AllowDebugChange = true;
+	ctx->debuglevel = talloc_strdup(ctx, debuglevel);
+	if (!debug_parse_levels(debuglevel)) {
+		return W_ERROR_V(WERR_GENERAL_FAILURE);
+	}
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx,
+					char **debuglevel)
+{
+	*debuglevel = ctx->debuglevel;
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_username(struct libnetapi_ctx *ctx,
+				      const char *username)
+{
+	TALLOC_FREE(ctx->username);
+	ctx->username = talloc_strdup(ctx, username ? username : "");
+
+	if (!ctx->username) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+	return NET_API_STATUS_SUCCESS;
+}
+
+NET_API_STATUS libnetapi_set_password(struct libnetapi_ctx *ctx,
+				      const char *password)
+{
+	TALLOC_FREE(ctx->password);
+	ctx->password = talloc_strdup(ctx, password);
+	if (!ctx->password) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+	return NET_API_STATUS_SUCCESS;
+}
+
+NET_API_STATUS libnetapi_set_workgroup(struct libnetapi_ctx *ctx,
+				       const char *workgroup)
+{
+	TALLOC_FREE(ctx->workgroup);
+	ctx->workgroup = talloc_strdup(ctx, workgroup);
+	if (!ctx->workgroup) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx)
+{
+	ctx->use_kerberos = true;
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+const char *libnetapi_errstr(NET_API_STATUS status)
+{
+	if (status & 0xc0000000) {
+		return get_friendly_nt_error_msg(NT_STATUS(status));
+	}
+
+	return get_friendly_werror_msg(W_ERROR(status));
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_error_string(struct libnetapi_ctx *ctx,
+					  const char *format, ...)
+{
+	va_list args;
+
+	TALLOC_FREE(ctx->error_string);
+
+	va_start(args, format);
+	ctx->error_string = talloc_vasprintf(ctx, format, args);
+	va_end(args);
+
+	if (!ctx->error_string) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+const char *libnetapi_get_error_string(struct libnetapi_ctx *ctx,
+				       NET_API_STATUS status_in)
+{
+	NET_API_STATUS status;
+	struct libnetapi_ctx *tmp_ctx = ctx;
+
+	if (!tmp_ctx) {
+		status = libnetapi_getctx(&tmp_ctx);
+		if (status != 0) {
+			return NULL;
+		}
+	}
+
+	if (tmp_ctx->error_string) {
+		return tmp_ctx->error_string;
+	}
+
+	return libnetapi_errstr(status_in);
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS NetApiBufferAllocate(uint32_t byte_count,
+				    void **buffer)
+{
+	void *buf = NULL;
+
+	if (!buffer) {
+		return W_ERROR_V(WERR_INSUFFICIENT_BUFFER);
+	}
+
+	if (byte_count == 0) {
+		goto done;
+	}
+
+	buf = talloc_size(NULL, byte_count);
+	if (!buf) {
+		return W_ERROR_V(WERR_NOMEM);
+	}
+
+ done:
+	*buffer = buf;
+
+	return NET_API_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS NetApiBufferFree(void *buffer)
+{
+	if (!buffer) {
+		return W_ERROR_V(WERR_INSUFFICIENT_BUFFER);
+	}
+
+	talloc_free(buffer);
+
+	return NET_API_STATUS_SUCCESS;
+}
diff --git a/source3/lib/netapi/netapi.h b/source3/lib/netapi/netapi.h
new file mode 100644
index 0000000000..9687461920
--- /dev/null
+++ b/source3/lib/netapi/netapi.h
@@ -0,0 +1,1840 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2007-2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __LIB_NETAPI_H__
+#define __LIB_NETAPI_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/****************************************************************
+ NET_API_STATUS
+****************************************************************/
+typedef enum {
+	NET_API_STATUS_SUCCESS = 0
+} NET_API_STATUS;
+
+#define ERROR_MORE_DATA	( 234L )
+
+#define ENCRYPTED_PWLEN	( 16 )
+
+/****************************************************************
+****************************************************************/
+
+#ifndef _HEADER_misc
+
+struct GUID {
+	uint32_t time_low;
+	uint16_t time_mid;
+	uint16_t time_hi_and_version;
+	uint8_t clock_seq[2];
+	uint8_t node[6];
+};
+
+#endif /* _HEADER_misc */
+
+#ifndef _HEADER_libnetapi
+
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
+struct domsid {
+	uint8_t   sid_rev_num;
+	uint8_t   num_auths;
+	uint8_t   id_auth[6];
+	uint32_t  sub_auths[MAXSUBAUTHS];
+};
+
+struct DOMAIN_CONTROLLER_INFO {
+	const char * domain_controller_name;
+	const char * domain_controller_address;
+	uint32_t domain_controller_address_type;
+	struct GUID domain_guid;
+	const char * domain_name;
+	const char * dns_forest_name;
+	uint32_t flags;
+	const char * dc_site_name;
+	const char * client_site_name;
+};
+
+/* bitmap NetJoinFlags */
+#define NETSETUP_JOIN_DOMAIN ( 0x00000001 )
+#define NETSETUP_ACCT_CREATE ( 0x00000002 )
+#define NETSETUP_ACCT_DELETE ( 0x00000004 )
+#define NETSETUP_WIN9X_UPGRADE ( 0x00000010 )
+#define NETSETUP_DOMAIN_JOIN_IF_JOINED ( 0x00000020 )
+#define NETSETUP_JOIN_UNSECURE ( 0x00000040 )
+#define NETSETUP_MACHINE_PWD_PASSED ( 0x00000080 )
+#define NETSETUP_DEFER_SPN_SET ( 0x00000100 )
+#define NETSETUP_JOIN_DC_ACCOUNT ( 0x00000200 )
+#define NETSETUP_JOIN_WITH_NEW_NAME ( 0x00000400 )
+#define NETSETUP_INSTALL_INVOCATION ( 0x00040000 )
+#define NETSETUP_IGNORE_UNSUPPORTED_FLAGS ( 0x10000000 )
+
+#define FILTER_TEMP_DUPLICATE_ACCOUNT	( 0x0001 )
+#define FILTER_NORMAL_ACCOUNT	( 0x0002 )
+#define FILTER_INTERDOMAIN_TRUST_ACCOUNT	( 0x0008 )
+#define FILTER_WORKSTATION_TRUST_ACCOUNT	( 0x0010 )
+#define FILTER_SERVER_TRUST_ACCOUNT	( 0x0020 )
+
+#define TIMEQ_FOREVER  ( (uint32_t)-1L )
+
+enum NETSETUP_JOIN_STATUS {
+	NetSetupUnknownStatus=0,
+	NetSetupUnjoined=1,
+	NetSetupWorkgroupName=2,
+	NetSetupDomainName=3
+};
+
+struct SERVER_INFO_100 {
+	uint32_t sv100_platform_id;
+	const char * sv100_name;
+};
+
+struct SERVER_INFO_101 {
+	uint32_t sv101_platform_id;
+	const char * sv101_name;
+	uint32_t sv101_version_major;
+	uint32_t sv101_version_minor;
+	uint32_t sv101_type;
+	const char * sv101_comment;
+};
+
+struct SERVER_INFO_102 {
+	uint32_t sv102_platform_id;
+	const char * sv102_name;
+	uint32_t sv102_version_major;
+	uint32_t sv102_version_minor;
+	uint32_t sv102_type;
+	const char * sv102_comment;
+	uint32_t sv102_users;
+	uint32_t sv102_disc;
+	uint8_t sv102_hidden;
+	uint32_t sv102_announce;
+	uint32_t sv102_anndelta;
+	uint32_t sv102_licenses;
+	const char * sv102_userpath;
+};
+
+
+struct SERVER_INFO_1005 {
+	const char * sv1005_comment;
+};
+
+struct USER_INFO_0 {
+	const char * usri0_name;
+};
+
+#define USER_PRIV_GUEST	( 0 )
+#define USER_PRIV_USER	( 1 )
+#define USER_PRIV_ADMIN	( 2 )
+
+struct USER_INFO_1 {
+	const char * usri1_name;
+	const char * usri1_password;
+	uint32_t usri1_password_age;
+	uint32_t usri1_priv;
+	const char * usri1_home_dir;
+	const char * usri1_comment;
+	uint32_t usri1_flags;
+	const char * usri1_script_path;
+};
+
+#define AF_OP_PRINT	( 0x1 )
+#define AF_OP_COMM	( 0x2 )
+#define AF_OP_SERVER	( 0x4 )
+#define AF_OP_ACCOUNTS	( 0x8 )
+
+struct USER_INFO_2 {
+	const char * usri2_name;
+	const char * usri2_password;
+	uint32_t usri2_password_age;
+	uint32_t usri2_priv;
+	const char * usri2_home_dir;
+	const char * usri2_comment;
+	uint32_t usri2_flags;
+	const char * usri2_script_path;
+	uint32_t usri2_auth_flags;
+	const char * usri2_full_name;
+	const char * usri2_usr_comment;
+	const char * usri2_parms;
+	const char * usri2_workstations;
+	uint32_t usri2_last_logon;
+	uint32_t usri2_last_logoff;
+	uint32_t usri2_acct_expires;
+	uint32_t usri2_max_storage;
+	uint32_t usri2_units_per_week;
+	uint8_t *usri2_logon_hours;/* [unique] */
+	uint32_t usri2_bad_pw_count;
+	uint32_t usri2_num_logons;
+	const char * usri2_logon_server;
+	uint32_t usri2_country_code;
+	uint32_t usri2_code_page;
+};
+
+struct USER_INFO_3 {
+	const char * usri3_name;
+	uint32_t usri3_password_age;
+	uint32_t usri3_priv;
+	const char * usri3_home_dir;
+	const char * usri3_comment;
+	uint32_t usri3_flags;
+	const char * usri3_script_path;
+	uint32_t usri3_auth_flags;
+	const char * usri3_full_name;
+	const char * usri3_usr_comment;
+	const char * usri3_parms;
+	const char * usri3_workstations;
+	uint32_t usri3_last_logon;
+	uint32_t usri3_last_logoff;
+	uint32_t usri3_acct_expires;
+	uint32_t usri3_max_storage;
+	uint32_t usri3_units_per_week;
+	uint8_t *usri3_logon_hours;/* [unique] */
+	uint32_t usri3_bad_pw_count;
+	uint32_t usri3_num_logons;
+	const char * usri3_logon_server;
+	uint32_t usri3_country_code;
+	uint32_t usri3_code_page;
+	uint32_t usri3_user_id;
+	uint32_t usri3_primary_group_id;
+	const char * usri3_profile;
+	const char * usri3_home_dir_drive;
+	uint32_t usri3_password_expired;
+};
+
+struct USER_INFO_4 {
+	const char * usri4_name;
+	const char * usri4_password;
+	uint32_t usri4_password_age;
+	uint32_t usri4_priv;
+	const char * usri4_home_dir;
+	const char * usri4_comment;
+	uint32_t usri4_flags;
+	const char * usri4_script_path;
+	uint32_t usri4_auth_flags;
+	const char * usri4_full_name;
+	const char * usri4_usr_comment;
+	const char * usri4_parms;
+	const char * usri4_workstations;
+	uint32_t usri4_last_logon;
+	uint32_t usri4_last_logoff;
+	uint32_t usri4_acct_expires;
+	uint32_t usri4_max_storage;
+	uint32_t usri4_units_per_week;
+	uint8_t *usri4_logon_hours;/* [unique] */
+	uint32_t usri4_bad_pw_count;
+	uint32_t usri4_num_logons;
+	const char * usri4_logon_server;
+	uint32_t usri4_country_code;
+	uint32_t usri4_code_page;
+	struct domsid *usri4_user_sid;/* [unique] */
+	uint32_t usri4_primary_group_id;
+	const char * usri4_profile;
+	const char * usri4_home_dir_drive;
+	uint32_t usri4_password_expired;
+};
+
+struct USER_INFO_10 {
+	const char * usri10_name;
+	const char * usri10_comment;
+	const char * usri10_usr_comment;
+	const char * usri10_full_name;
+};
+
+struct USER_INFO_11 {
+	const char * usri11_name;
+	const char * usri11_comment;
+	const char * usri11_usr_comment;
+	const char * usri11_full_name;
+	uint32_t usri11_priv;
+	uint32_t usri11_auth_flags;
+	uint32_t usri11_password_age;
+	const char * usri11_home_dir;
+	const char * usri11_parms;
+	uint32_t usri11_last_logon;
+	uint32_t usri11_last_logoff;
+	uint32_t usri11_bad_pw_count;
+	uint32_t usri11_num_logons;
+	const char * usri11_logon_server;
+	uint32_t usri11_country_code;
+	const char * usri11_workstations;
+	uint32_t usri11_max_storage;
+	uint32_t usri11_units_per_week;
+	uint8_t *usri11_logon_hours;/* [unique] */
+	uint32_t usri11_code_page;
+};
+
+struct USER_INFO_20 {
+	const char * usri20_name;
+	const char * usri20_full_name;
+	const char * usri20_comment;
+	uint32_t usri20_flags;
+	uint32_t usri20_user_id;
+};
+
+struct USER_INFO_21 {
+	uint8_t *usri21_password;
+};
+
+struct USER_INFO_22 {
+	const char * usri22_name;
+	uint8_t *usri22_password;
+	uint32_t usri22_password_age;
+	uint32_t usri22_priv;
+	const char * usri22_home_dir;
+	const char * usri22_comment;
+	uint32_t usri22_flags;
+	uint32_t usri22_script_path;
+	uint32_t usri22_auth_flags;
+	const char * usri22_full_name;
+	const char * usri22_usr_comment;
+	const char * usri22_parms;
+	const char * usri22_workstations;
+	uint32_t usri22_last_logon;
+	uint32_t usri22_last_logoff;
+	uint32_t usri22_acct_expires;
+	uint32_t usri22_max_storage;
+	uint32_t usri22_units_per_week;
+	uint8_t *usri22_logon_hours;/* [unique] */
+	uint32_t usri22_bad_pw_count;
+	uint32_t usri22_num_logons;
+	const char * usri22_logon_server;
+	uint32_t usri22_country_code;
+	uint32_t usri22_code_page;
+};
+
+struct USER_INFO_23 {
+	const char * usri23_name;
+	const char * usri23_full_name;
+	const char * usri23_comment;
+	uint32_t usri23_flags;
+	struct domsid *usri23_user_sid;/* [unique] */
+};
+
+struct USER_INFO_1003 {
+	const char * usri1003_password;
+};
+
+struct USER_INFO_1005 {
+	uint32_t usri1005_priv;
+};
+
+struct USER_INFO_1006 {
+	const char * usri1006_home_dir;
+};
+
+struct USER_INFO_1007 {
+	const char * usri1007_comment;
+};
+
+struct USER_INFO_1008 {
+	uint32_t usri1008_flags;
+};
+
+struct USER_INFO_1009 {
+	const char * usri1009_script_path;
+};
+
+struct USER_INFO_1010 {
+	uint32_t usri1010_auth_flags;
+};
+
+struct USER_INFO_1011 {
+	const char * usri1011_full_name;
+};
+
+struct USER_INFO_1012 {
+	const char * usri1012_usr_comment;
+};
+
+struct USER_INFO_1013 {
+	const char * usri1013_parms;
+};
+
+struct USER_INFO_1014 {
+	const char * usri1014_workstations;
+};
+
+struct USER_INFO_1017 {
+	uint32_t usri1017_acct_expires;
+};
+
+struct USER_INFO_1018 {
+	uint32_t usri1018_max_storage;
+};
+
+struct USER_INFO_1020 {
+	uint32_t usri1020_units_per_week;
+	uint8_t *usri1020_logon_hours;/* [unique] */
+};
+
+struct USER_INFO_1023 {
+	const char * usri1023_logon_server;
+};
+
+struct USER_INFO_1024 {
+	uint32_t usri1024_country_code;
+};
+
+struct USER_INFO_1025 {
+	uint32_t usri1025_code_page;
+};
+
+struct USER_INFO_1051 {
+	uint32_t usri1051_primary_group_id;
+};
+
+struct USER_INFO_1052 {
+	const char * usri1052_profile;
+};
+
+struct USER_INFO_1053 {
+	const char * usri1053_home_dir_drive;
+};
+
+struct USER_MODALS_INFO_0 {
+	uint32_t usrmod0_min_passwd_len;
+	uint32_t usrmod0_max_passwd_age;
+	uint32_t usrmod0_min_passwd_age;
+	uint32_t usrmod0_force_logoff;
+	uint32_t usrmod0_password_hist_len;
+};
+
+struct USER_MODALS_INFO_1 {
+	uint32_t usrmod1_role;
+	const char * usrmod1_primary;
+};
+
+struct USER_MODALS_INFO_2 {
+	const char * usrmod2_domain_name;
+	struct domsid *usrmod2_domain_id;/* [unique] */
+};
+
+struct USER_MODALS_INFO_3 {
+	uint32_t usrmod3_lockout_duration;
+	uint32_t usrmod3_lockout_observation_window;
+	uint32_t usrmod3_lockout_threshold;
+};
+
+struct USER_MODALS_INFO_1001 {
+	uint32_t usrmod1001_min_passwd_len;
+};
+
+struct USER_MODALS_INFO_1002 {
+	uint32_t usrmod1002_max_passwd_age;
+};
+
+struct USER_MODALS_INFO_1003 {
+	uint32_t usrmod1003_min_passwd_age;
+};
+
+struct USER_MODALS_INFO_1004 {
+	uint32_t usrmod1004_force_logoff;
+};
+
+struct USER_MODALS_INFO_1005 {
+	uint32_t usrmod1005_password_hist_len;
+};
+
+struct USER_MODALS_INFO_1006 {
+	uint32_t usrmod1006_role;
+};
+
+struct USER_MODALS_INFO_1007 {
+	const char * usrmod1007_primary;
+};
+
+struct NET_DISPLAY_USER {
+	const char * usri1_name;
+	const char * usri1_comment;
+	uint32_t usri1_flags;
+	const char * usri1_full_name;
+	uint32_t usri1_user_id;
+	uint32_t usri1_next_index;
+};
+
+struct NET_DISPLAY_MACHINE {
+	const char * usri2_name;
+	const char * usri2_comment;
+	uint32_t usri2_flags;
+	uint32_t usri2_user_id;
+	uint32_t usri2_next_index;
+};
+
+struct NET_DISPLAY_GROUP {
+	const char * grpi3_name;
+	const char * grpi3_comment;
+	uint32_t grpi3_group_id;
+	uint32_t grpi3_attributes;
+	uint32_t grpi3_next_index;
+};
+
+struct GROUP_INFO_0 {
+	const char * grpi0_name;
+};
+
+struct GROUP_INFO_1 {
+	const char * grpi1_name;
+	const char * grpi1_comment;
+};
+
+struct GROUP_INFO_2 {
+	const char * grpi2_name;
+	const char * grpi2_comment;
+	uint32_t grpi2_group_id;
+	uint32_t grpi2_attributes;
+};
+
+struct GROUP_INFO_3 {
+	const char * grpi3_name;
+	const char * grpi3_comment;
+	struct domsid * grpi3_group_sid;
+	uint32_t grpi3_attributes;
+};
+
+struct GROUP_INFO_1002 {
+	const char * grpi1002_comment;
+};
+
+struct GROUP_INFO_1005 {
+	uint32_t grpi1005_attributes;
+};
+
+struct GROUP_USERS_INFO_0 {
+	const char * grui0_name;
+};
+
+struct GROUP_USERS_INFO_1 {
+	const char * grui1_name;
+	uint32_t grui1_attributes;
+};
+
+struct LOCALGROUP_INFO_0 {
+	const char * lgrpi0_name;
+};
+
+struct LOCALGROUP_INFO_1 {
+	const char * lgrpi1_name;
+	const char * lgrpi1_comment;
+};
+
+struct LOCALGROUP_INFO_1002 {
+	const char * lgrpi1002_comment;
+};
+
+enum SID_NAME_USE {
+	SidTypeUser=1,
+	SidTypeGroup=2,
+	SidTypeDomain=3,
+	SidTypeAlias=4,
+	SidTypeWellKnownGroup=5,
+	SidTypeDeletedAccount=6,
+	SidTypeInvalid=7,
+	SidTypeUnknown=8,
+	SidTypeComputer=9,
+	SidTypeLabel=10
+};
+
+struct LOCALGROUP_MEMBERS_INFO_0 {
+	struct domsid *lgrmi0_sid;/* [unique] */
+};
+
+struct LOCALGROUP_MEMBERS_INFO_1 {
+	struct domsid *lgrmi1_sid;/* [unique] */
+	enum SID_NAME_USE lgrmi1_sidusage;
+	const char * lgrmi1_name;
+};
+
+struct LOCALGROUP_MEMBERS_INFO_2 {
+	struct domsid *lgrmi2_sid;/* [unique] */
+	enum SID_NAME_USE lgrmi2_sidusage;
+	const char * lgrmi2_domainandname;
+};
+
+struct LOCALGROUP_MEMBERS_INFO_3 {
+	const char * lgrmi3_domainandname;
+};
+
+struct LOCALGROUP_USERS_INFO_0 {
+	const char * lgrui0_name;
+};
+
+struct TIME_OF_DAY_INFO {
+	uint32_t tod_elapsedt;
+	uint32_t tod_msecs;
+	uint32_t tod_hours;
+	uint32_t tod_mins;
+	uint32_t tod_secs;
+	uint32_t tod_hunds;
+	int32_t tod_timezone;
+	uint32_t tod_tinterval;
+	uint32_t tod_day;
+	uint32_t tod_month;
+	uint32_t tod_year;
+	uint32_t tod_weekday;
+};
+
+struct SHARE_INFO_0 {
+	const char * shi0_netname;
+};
+
+struct SHARE_INFO_1 {
+	const char * shi1_netname;
+	uint32_t shi1_type;
+	const char * shi1_remark;
+};
+
+struct SHARE_INFO_2 {
+	const char * shi2_netname;
+	uint32_t shi2_type;
+	const char * shi2_remark;
+	uint32_t shi2_permissions;
+	uint32_t shi2_max_uses;
+	uint32_t shi2_current_uses;
+	const char * shi2_path;
+	const char * shi2_passwd;
+};
+
+struct SHARE_INFO_501 {
+	const char * shi501_netname;
+	uint32_t shi501_type;
+	const char * shi501_remark;
+	uint32_t shi501_flags;
+};
+
+struct SHARE_INFO_1004 {
+	const char * shi1004_remark;
+};
+
+struct SHARE_INFO_1005 {
+	uint32_t shi1005_flags;
+};
+
+struct SHARE_INFO_1006 {
+	uint32_t shi1006_max_uses;
+};
+
+struct FILE_INFO_2 {
+	uint32_t fi2_id;
+};
+
+struct FILE_INFO_3 {
+	uint32_t fi3_id;
+	uint32_t fi3_permissions;
+	uint32_t fi3_num_locks;
+	const char * fi3_pathname;
+	const char * fi3_username;
+};
+
+#endif /* _HEADER_libnetapi */
+
+/****************************************************************
+****************************************************************/
+
+struct libnetapi_ctx {
+	char *debuglevel;
+	char *error_string;
+	char *username;
+	char *workgroup;
+	char *password;
+	char *krb5_cc_env;
+	int use_kerberos;
+	int disable_policy_handle_cache;
+
+	void *private_data;
+};
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_init(struct libnetapi_ctx **ctx);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_free(struct libnetapi_ctx *ctx);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_getctx(struct libnetapi_ctx **ctx);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_debuglevel(struct libnetapi_ctx *ctx,
+					const char *debuglevel);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_username(struct libnetapi_ctx *ctx,
+				      const char *username);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_password(struct libnetapi_ctx *ctx,
+				      const char *password);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_workgroup(struct libnetapi_ctx *ctx,
+				       const char *workgroup);
+
+/****************************************************************
+****************************************************************/
+
+NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx);
+
+/****************************************************************
+****************************************************************/
+
+const char *libnetapi_errstr(NET_API_STATUS status);
+
+/****************************************************************
+****************************************************************/
+
+const char *libnetapi_get_error_string(struct libnetapi_ctx *ctx,
+				       NET_API_STATUS status);
+
+/****************************************************************
+ NetApiBufferAllocate
+****************************************************************/
+
+NET_API_STATUS NetApiBufferAllocate(uint32_t byte_count,
+				    void **buffer);
+
+/****************************************************************
+ NetApiBufferFree
+****************************************************************/
+
+NET_API_STATUS NetApiBufferFree(void *buffer);
+
+/************************************************************//**
+ *
+ * ConvertSidToStringSid
+ *
+ * @brief Convert a domain sid into a string
+ *
+ * @param[in] sid A pointer to a sid structure
+ * @param[in,out] sid_string A pointer that holds a pointer to a sid string. Caller
+ * needs to free with free(3)
+ * @return bool
+ ***************************************************************/
+
+int  ConvertSidToStringSid(const struct domsid *sid,
+			   char **sid_string);
+
+/************************************************************//**
+ *
+ * ConvertStringSidToSid
+ *
+ * @brief Convert a string into a domain sid
+ *
+ * @param[in] sid_string A pointer to a sid string.
+ * @param[in,out] sid A pointer that holds a pointer to a sid structure.
+ * Caller needs to free with free(3)
+ * @return bool
+ ***************************************************************/
+
+int ConvertStringSidToSid(const char *sid_string,
+			  struct domsid **sid);
+
+/************************************************************//**
+ *
+ * NetJoinDomain
+ *
+ * @brief Join a computer to a domain or workgroup
+ *
+ * @param[in] server The server name to connect to
+ * @param[in] domain The domain or workgroup to join
+ * @param[in] account_ou The organizational Unit to create the computer account
+ * in (AD only)
+ * @param[in] account The domain account used for joining a domain
+ * @param[in] password The domain account's password used for joining a domain
+ * @param[in] join_flags Bitmask field to define specific join features
+ * @return NET_API_STATUS
+ *
+ * example netdomjoin/netdomjoin.c
+ ***************************************************************/
+
+NET_API_STATUS NetJoinDomain(const char * server /* [in] */,
+			     const char * domain /* [in] [ref] */,
+			     const char * account_ou /* [in] */,
+			     const char * account /* [in] */,
+			     const char * password /* [in] */,
+			     uint32_t join_flags /* [in] */);
+
+/************************************************************//**
+ *
+ * NetUnjoinDomain
+ *
+ * @brief Unjoin a computer from a domain or workgroup
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] account The domain account used for unjoining a domain
+ * @param[in] password The domain account's password used for unjoining a domain
+ * @param[in] unjoin_flags Bitmask field to define specific unjoin features
+ * @return NET_API_STATUS
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetUnjoinDomain(const char * server_name /* [in] */,
+			       const char * account /* [in] */,
+			       const char * password /* [in] */,
+			       uint32_t unjoin_flags /* [in] */);
+
+/************************************************************//**
+ *
+ * NetGetJoinInformation
+ *
+ * @brief Unjoin a computer from a domain or workgroup
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[out] name_buffer Returns the name of the workgroup or domain
+ * @param[out] name_type  Returns the type of that name
+ * @return NET_API_STATUS
+ *
+ * example netdomjoin-gui/netdomjoin-gui.c
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetGetJoinInformation(const char * server_name /* [in] */,
+				     const char * *name_buffer /* [out] [ref] */,
+				     uint16_t *name_type /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGetJoinableOUs
+ *
+ * @brief Query for the list of joinable organizational Units that can be used
+ * for joining AD
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] domain The AD domain to query
+ * @param[in] account The domain account used for the query
+ * @param[in] password The domain account's password used for the query
+ * @param[out] ou_count The number of ous returned
+ * @param[out] ous Returned string array containing the ous
+ * @return NET_API_STATUS
+ *
+ * example netdomjoin-gui/netdomjoin-gui.c
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetGetJoinableOUs(const char * server_name /* [in] */,
+				 const char * domain /* [in] [ref] */,
+				 const char * account /* [in] */,
+				 const char * password /* [in] */,
+				 uint32_t *ou_count /* [out] [ref] */,
+				 const char * **ous /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetRenameMachineInDomain
+ *
+ * @brief Rename a machine in a domain
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] new_machine_name The new machine name
+ * @param[in] account The domain account used for the query
+ * @param[in] password The domain account's password used for the query
+ * @param[in] rename_options Options used for the rename operation
+ * @return NET_API_STATUS
+ *
+ * example join/rename_machine.c
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetRenameMachineInDomain(const char * server_name /* [in] */,
+					const char * new_machine_name /* [in] */,
+					const char * account /* [in] */,
+					const char * password /* [in] */,
+					uint32_t rename_options /* [in] */);
+
+/************************************************************//**
+ *
+ * NetServerGetInfo
+ *
+ * @brief Get Information on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level to define which information is requested
+ * @param[out] buffer The returned buffer carrying the SERVER_INFO structure
+ * @return NET_API_STATUS
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetServerGetInfo(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetServerSetInfo
+ *
+ * @brief Get Information on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level to define which information is set
+ * @param[in] buffer The buffer carrying the SERVER_INFO structure
+ * @param[out] parm_error On failure returns the invalid SERVER_INFO member
+ * @return NET_API_STATUS
+ *
+ ***************************************************************/
+
+NET_API_STATUS NetServerSetInfo(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_error /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGetDCName
+ *
+ * @brief Query for the PDC for a given domain
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] domain_name The name of the domain to lookup
+ * @param[out] buffer The name of the domain to lookup
+ * @return NET_API_STATUS
+ *
+ * example getdc/getdc.c
+ ***************************************************************/
+
+NET_API_STATUS NetGetDCName(const char * server_name /* [in] */,
+			    const char * domain_name /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGetAnyDCName
+ *
+ * @brief Query for any DC for a given domain
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] domain_name The name of the domain to lookup
+ * @param[out] buffer The name of the domain to lookup
+ * @return NET_API_STATUS
+ *
+ * example getdc/getdc.c
+ ***************************************************************/
+
+NET_API_STATUS NetGetAnyDCName(const char * server_name /* [in] */,
+			       const char * domain_name /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */);
+
+
+/************************************************************//**
+ *
+ * DsGetDcName
+ *
+ * @brief Lookup a DC for a given domain and return information structure
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] domain_name The name of the domain to lookup (cannot be NULL)
+ * @param[in] domain_guid The GUID of the domain to lookup (optional)
+ * @param[in] site_name The name of the site the DC should reside in
+ * @param[in] flags A bitmask to request specific features supported by the DC
+ * @param[out] dc_info Pointer to a DOMAIN_CONTROLLER_INFO structure
+ * @return NET_API_STATUS
+ *
+ * example dsgetdc/dsgetdc.c
+ ***************************************************************/
+
+NET_API_STATUS DsGetDcName(const char * server_name /* [in] [unique] */,
+			   const char * domain_name /* [in] [ref] */,
+			   struct GUID *domain_guid /* [in] [unique] */,
+			   const char * site_name /* [in] [unique] */,
+			   uint32_t flags /* [in] */,
+			   struct DOMAIN_CONTROLLER_INFO **dc_info /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserAdd
+ *
+ * @brief Create a user on a given server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level of the USER_INFO structure passed in (Currently
+ * only level 1 is supported)
+ * @param[in] buffer The buffer carrying the USER_INFO structure
+ * @param[out] parm_error In case of error returns the failing member of the
+ * structure
+ * @return NET_API_STATUS
+ *
+ * example user/user_add.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserAdd(const char * server_name /* [in] */,
+			  uint32_t level /* [in] */,
+			  uint8_t *buffer /* [in] [ref] */,
+			  uint32_t *parm_error /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserDel
+ *
+ * @brief Delete a user on a given server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The user account to delete
+ * @return NET_API_STATUS
+ *
+ * example user/user_del.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserDel(const char * server_name /* [in] */,
+			  const char * user_name /* [in] */);
+
+/************************************************************//**
+ *
+ * NetUserEnum
+ *
+ * @brief Enumerate accounts on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The enumeration level used for the query (Currently only
+ * level 0 is supported)
+ * @param[in] filter The account flags filter used for the query
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example user/user_enum.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserEnum(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint32_t filter /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserChangePassword
+ *
+ * @brief Change the password for a user on a given server or in a given domain
+ *
+ * @param[in] domain_name The server or domain name to connect to
+ * @param[in] user_name The user account to change the password for
+ * @param[in] old_password The user account's old password
+ * @param[in] new_password The user account's new password
+ * @return NET_API_STATUS
+ *
+ * example user/user_chgpwd.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserChangePassword(const char * domain_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     const char * old_password /* [in] */,
+				     const char * new_password /* [in] */);
+
+/************************************************************//**
+ *
+ * NetUserGetInfo
+ *
+ * @brief Get User Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The name of the user that is going to be queried
+ * @param[in] level The level defining the requested USER_INFO_X structure
+ * @param[out] buffer The buffer containing a USER_INFO_X structure
+ * @return NET_API_STATUS
+ *
+ * example user/user_getinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserGetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserSetInfo
+ *
+ * @brief Set User Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The name of the user that is going to be modified
+ * @param[in] level The level defining the requested USER_INFO_X structure
+ * @param[in] buffer The buffer containing a USER_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example user/user_setinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserSetInfo(const char * server_name /* [in] */,
+			      const char * user_name /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t *buffer /* [in] [ref] */,
+			      uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserModalsGet
+ *
+ * @brief Get SAM domain and password information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level defining which USER_MODALS_INFO_X buffer to query
+ * @param[out] buffer The returned USER_MODALS_INFO_X buffer
+ * @return NET_API_STATUS
+ *
+ * example user/user_modalsget.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserModalsGet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserModalsSet
+ *
+ * @brief Set SAM domain and password information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level defining which USER_MODALS_INFO_X buffer to query
+ * @param[out] buffer The buffer conntaing a USER_MODALS_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example user/user_modalsset.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserModalsSet(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserGetGroups
+ *
+ * @brief Enumerate grouplist of a user on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The user name to query
+ * @param[in] level The enumeration level used for the query (Currently only
+ * level 0 is supported)
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @return NET_API_STATUS
+ *
+ * example user/user_getgroups.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserGetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetUserSetGroups
+ *
+ * @brief Set grouplist of a user on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The user name to query
+ * @param[in] level The level defining the GROUP_USERS_INFO_X structures in the buffer
+ * @param[in] buffer The buffer containing GROUP_USERS_INFO_X structures
+ * @param[in] num_entries The number of X structures in the buffer
+ * @return NET_API_STATUS
+ *
+ * example user/user_setgroups.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserSetGroups(const char * server_name /* [in] */,
+				const char * user_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */);
+
+/************************************************************//**
+ *
+ * NetUserGetLocalGroups
+ *
+ * @brief Enumerate local grouplist of a user on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] user_name The user name to query
+ * @param[in] level The enumeration level used for the query
+ * @param[in] flags The flags used for the query
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @return NET_API_STATUS
+ *
+ * example user/user_getlocalgroups.c
+ ***************************************************************/
+
+NET_API_STATUS NetUserGetLocalGroups(const char * server_name /* [in] */,
+				     const char * user_name /* [in] */,
+				     uint32_t level /* [in] */,
+				     uint32_t flags /* [in] */,
+				     uint8_t **buffer /* [out] [ref] */,
+				     uint32_t prefmaxlen /* [in] */,
+				     uint32_t *entries_read /* [out] [ref] */,
+				     uint32_t *total_entries /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetQueryDisplayInformation
+ *
+ * @brief Enumerate accounts on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The enumeration level used for the query
+ * @param[in] idx The index to start the the display enumeration at
+ * @param[in] entries_requested The number of entries requested
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] buffer The returned display information buffer
+ * @return NET_API_STATUS
+ *
+ * example user/user_dispinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetQueryDisplayInformation(const char * server_name /* [in] [unique] */,
+					  uint32_t level /* [in] */,
+					  uint32_t idx /* [in] */,
+					  uint32_t entries_requested /* [in] */,
+					  uint32_t prefmaxlen /* [in] */,
+					  uint32_t *entries_read /* [out] [ref] */,
+					  void **buffer /* [out] [noprint,ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupAdd
+ *
+ * @brief Create Domain Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level used for the new group creation
+ * @param[in] buf The buffer containing the group structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example group/group_add.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buf /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupDel
+ *
+ * @brief Delete Domain Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be deleted
+ * @return NET_API_STATUS
+ *
+ * example group/group_del.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupDel(const char * server_name /* [in] */,
+			   const char * group_name /* [in] */);
+
+/************************************************************//**
+ *
+ * NetGroupEnum
+ *
+ * @brief Enumerate groups on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The enumeration level used for the query (Currently only
+ * level 0 is supported)
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example group/group_enum.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupSetInfo
+ *
+ * @brief Set Domain Group Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be modified
+ * @param[in] level The level defining the structure type in buf
+ * @param[in] buf The buffer containing a GROUP_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example group/group_setinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupSetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buf /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupGetInfo
+ *
+ * @brief Get Domain Group Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be queried
+ * @param[in] level The level defining the requested GROUP_INFO_X structure
+ * @param[out] buf The buffer containing a GROUP_INFO_X structure
+ * @return NET_API_STATUS
+ *
+ * example group/group_getinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupGetInfo(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buf /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupAddUser
+ *
+ * @brief Add existing User to existing Domain Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be modified
+ * @param[in] user_name The name of the user that is going to be added to the
+ * group
+ * @return NET_API_STATUS
+ *
+ * example group/group_adduser.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupAddUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */);
+
+/************************************************************//**
+ *
+ * NetGroupDelUser
+ *
+ * @brief Remove User from Domain Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be modified
+ * @param[in] user_name The name of the user that is going to be removed from
+ * the group
+ * @return NET_API_STATUS
+ *
+ * example group/group_deluser.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupDelUser(const char * server_name /* [in] */,
+			       const char * group_name /* [in] */,
+			       const char * user_name /* [in] */);
+
+/************************************************************//**
+ *
+ * NetGroupGetUsers
+ *
+ * @brief Get Users for a group on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The group name to enumerate users for
+ * @param[in] level The enumeration level used for the query
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example group/group_getusers.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupGetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t **buffer /* [out] [ref] */,
+				uint32_t prefmaxlen /* [in] */,
+				uint32_t *entries_read /* [out] [ref] */,
+				uint32_t *total_entries /* [out] [ref] */,
+				uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetGroupSetUsers
+ *
+ * @brief Set Users for a group on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The group name to enumerate users for
+ * @param[in] level The enumeration level used for the query
+ * @param[in] buffer The buffer containing a X structure
+ * @param[in] num_entries The number of X entries in the buffer
+ * @return NET_API_STATUS
+ *
+ * example group/group_setusers.c
+ ***************************************************************/
+
+NET_API_STATUS NetGroupSetUsers(const char * server_name /* [in] */,
+				const char * group_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buffer /* [in] [ref] */,
+				uint32_t num_entries /* [in] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupAdd
+ *
+ * @brief Create Local Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level used for the new group creation
+ * @param[in] buf The buffer containing the group structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_add.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupAdd(const char * server_name /* [in] */,
+				uint32_t level /* [in] */,
+				uint8_t *buf /* [in] [ref] */,
+				uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupDel
+ *
+ * @brief Delete Local Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be deleted
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_del.c
+ ***************************************************************/
+
+
+NET_API_STATUS NetLocalGroupDel(const char * server_name /* [in] */,
+				const char * group_name /* [in] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupGetInfo
+ *
+ * @brief Get Local Group Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be queried
+ * @param[in] level The level defining the requested LOCALGROUP_INFO_X structure
+ * @param[out] buf The buffer containing a LOCALGROUP_INFO_X structure
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_getinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupGetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t **buf /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupSetInfo
+ *
+ * @brief Set Local Group Information
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to be modified
+ * @param[in] level The level defining the requested LOCALGROUP_INFO_X structure
+ * @param[in] buf The buffer containing a LOCALGROUP_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_setinfo.c
+ ***************************************************************/
+
+
+NET_API_STATUS NetLocalGroupSetInfo(const char * server_name /* [in] */,
+				    const char * group_name /* [in] */,
+				    uint32_t level /* [in] */,
+				    uint8_t *buf /* [in] [ref] */,
+				    uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupEnum
+ *
+ * @brief Enumerate local groups on a server
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The enumeration level used for the query (Currently only
+ * level 0 is supported)
+ * @param[out] buffer The returned enumeration buffer
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of returned entries
+ * @param[out] total_entries The number of total entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_enum.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupEnum(const char * server_name /* [in] */,
+				 uint32_t level /* [in] */,
+				 uint8_t **buffer /* [out] [ref] */,
+				 uint32_t prefmaxlen /* [in] */,
+				 uint32_t *entries_read /* [out] [ref] */,
+				 uint32_t *total_entries /* [out] [ref] */,
+				 uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupAddMembers
+ *
+ * @brief Add Members to a Local Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to modified
+ * @param[in] level The level defining the LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] buffer The buffer containing a LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] total_entries The number of LOCALGROUP_MEMBERS_INFO_X entries in
+ * the buffer
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_addmembers.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupAddMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupDelMembers
+ *
+ * @brief Delete Members from a Local Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to modified
+ * @param[in] level The level defining the LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] buffer The buffer containing a LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] total_entries The number of LOCALGROUP_MEMBERS_INFO_X entries in
+ * the buffer
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_delmembers.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupDelMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupGetMembers
+ *
+ * @brief Enumerate Members in a local group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] local_group_name The localgroup that is going to be queried
+ * @param[in] level The level defining the LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[out] buffer The buffer containing a LOCALGROUP_MEMBERS_INFO_X
+ * structure
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of LOCALGROUP_MEMBERS_INFO_X entries in the buffer
+ * @param[out] total_entries The total number of LOCALGROUP_MEMBERS_INFO_X entries for that group
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_getmembers.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupGetMembers(const char * server_name /* [in] */,
+				       const char * local_group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t **buffer /* [out] [ref] */,
+				       uint32_t prefmaxlen /* [in] */,
+				       uint32_t *entries_read /* [out] [ref] */,
+				       uint32_t *total_entries /* [out] [ref] */,
+				       uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetLocalGroupSetMembers
+ *
+ * @brief Set Members in a Local Group
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] group_name The name of the group that is going to modified
+ * @param[in] level The level defining the LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] buffer The buffer containing a LOCALGROUP_MEMBERS_INFO_X structure
+ * @param[in] total_entries The number of LOCALGROUP_MEMBERS_INFO_X entries in
+ * the buffer
+ * @return NET_API_STATUS
+ *
+ * example localgroup/localgroup_setmembers.c
+ ***************************************************************/
+
+NET_API_STATUS NetLocalGroupSetMembers(const char * server_name /* [in] */,
+				       const char * group_name /* [in] */,
+				       uint32_t level /* [in] */,
+				       uint8_t *buffer /* [in] [ref] */,
+				       uint32_t total_entries /* [in] */);
+
+/************************************************************//**
+ *
+ * NetRemoteTOD
+ *
+ * @brief Query remote Time of Day
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[out] buf The buffer containing a TIME_OF_DAY_INFO structure
+ * @return NET_API_STATUS
+ *
+ * example server/remote_tod.c
+ ***************************************************************/
+
+NET_API_STATUS NetRemoteTOD(const char * server_name /* [in] */,
+			    uint8_t **buf /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetShareAdd
+ *
+ * @brief Add Share
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level defining the requested SHARE_INFO_X structure
+ * @param[in] buffer The buffer containing a SHARE_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example share/share_add.c
+ ***************************************************************/
+
+NET_API_STATUS NetShareAdd(const char * server_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t *buffer /* [in] [ref] */,
+			   uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetShareDel
+ *
+ * @brief Delete Share
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] net_name The name of the share to delete
+ * @param[in] reserved
+ * @return NET_API_STATUS
+ *
+ * example share/share_del.c
+ ***************************************************************/
+
+NET_API_STATUS NetShareDel(const char * server_name /* [in] */,
+			   const char * net_name /* [in] */,
+			   uint32_t reserved /* [in] */);
+
+/************************************************************//**
+ *
+ * NetShareEnum
+ *
+ * @brief Enumerate Shares
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] level The level defining the SHARE_INFO_X structure
+ * @param[out] buffer The buffer containing a SHARE_INFO_X structure
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of SHARE_INFO_X entries in the buffer
+ * @param[out] total_entries The total number of SHARE_INFO_X entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example share/share_enum.c
+ ***************************************************************/
+
+NET_API_STATUS NetShareEnum(const char * server_name /* [in] */,
+			    uint32_t level /* [in] */,
+			    uint8_t **buffer /* [out] [ref] */,
+			    uint32_t prefmaxlen /* [in] */,
+			    uint32_t *entries_read /* [out] [ref] */,
+			    uint32_t *total_entries /* [out] [ref] */,
+			    uint32_t *resume_handle /* [in,out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetShareGetInfo
+ *
+ * @brief Get Share Info
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] net_name The name of the share to query
+ * @param[in] level The level defining the SHARE_INFO_X structure
+ * @param[out] buffer The buffer containing a SHARE_INFO_X structure
+ * @return NET_API_STATUS
+ *
+ * example share/share_getinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetShareGetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetShareSetInfo
+ *
+ * @brief Set Share Info
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] net_name The name of the share to query
+ * @param[in] level The level defining the SHARE_INFO_X structure
+ * @param[in] buffer The buffer containing a SHARE_INFO_X structure
+ * @param[out] parm_err The returned parameter error number if any
+ * @return NET_API_STATUS
+ *
+ * example share/share_setinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetShareSetInfo(const char * server_name /* [in] */,
+			       const char * net_name /* [in] */,
+			       uint32_t level /* [in] */,
+			       uint8_t *buffer /* [in] [ref] */,
+			       uint32_t *parm_err /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetFileClose
+ *
+ * @brief Close a file
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] fileid The fileid of the file that is going to be closed
+ * @return NET_API_STATUS
+ *
+ * example file/file_close.c
+ ***************************************************************/
+
+NET_API_STATUS NetFileClose(const char * server_name /* [in] */,
+			    uint32_t fileid /* [in] */);
+
+/************************************************************//**
+ *
+ * NetFileGetInfo
+ *
+ * @brief Close a file
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] fileid The fileid of the file that is going to be closed
+ * @param[in] level The level of the FILE_INFO_X buffer
+ * @param[out] buffer The buffer containing a FILE_INFO_X structure
+ * @return NET_API_STATUS
+ *
+ * example file/file_getinfo.c
+ ***************************************************************/
+
+NET_API_STATUS NetFileGetInfo(const char * server_name /* [in] */,
+			      uint32_t fileid /* [in] */,
+			      uint32_t level /* [in] */,
+			      uint8_t **buffer /* [out] [ref] */);
+
+/************************************************************//**
+ *
+ * NetFileEnum
+ *
+ * @brief Enumerate Files
+ *
+ * @param[in] server_name The server name to connect to
+ * @param[in] base_path The
+ * @param[in] user_name The
+ * @param[in] level The level defining the FILE_INFO_X structure
+ * @param[out] buffer The buffer containing a FILE_INFO_X structure
+ * @param[in] prefmaxlen The requested maximal buffer size
+ * @param[out] entries_read The number of FILE_INFO_X entries in the buffer
+ * @param[out] total_entries The total number of FILE_INFO_X entries
+ * @param[in,out] resume_handle A handle passed in and returned for resuming
+ * operations
+ * @return NET_API_STATUS
+ *
+ * example file/file_enum.c
+ ***************************************************************/
+
+NET_API_STATUS NetFileEnum(const char * server_name /* [in] */,
+			   const char * base_path /* [in] */,
+			   const char * user_name /* [in] */,
+			   uint32_t level /* [in] */,
+			   uint8_t **buffer /* [out] [ref] */,
+			   uint32_t prefmaxlen /* [in] */,
+			   uint32_t *entries_read /* [out] [ref] */,
+			   uint32_t *total_entries /* [out] [ref] */,
+			   uint32_t *resume_handle /* [in,out] [ref] */);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __LIB_NETAPI_H__ */
diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
new file mode 100644
index 0000000000..e6a2eb8e99
--- /dev/null
+++ b/source3/lib/netapi/netapi_private.h
@@ -0,0 +1,87 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __LIB_NETAPI_PRIVATE_H__
+#define __LIB_NETAPI_PRIVATE_H__
+
+#define LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, fn) \
+	DEBUG(10,("redirecting call %s to localhost\n", #fn)); \
+	if (!r->in.server_name) { \
+		r->in.server_name = "localhost"; \
+	} \
+	return fn ## _r(ctx, r);
+
+struct libnetapi_private_ctx {
+	struct {
+		const char *domain_name;
+		struct dom_sid *domain_sid;
+		struct rpc_pipe_client *cli;
+
+		uint32_t connect_mask;
+		struct policy_handle connect_handle;
+
+		uint32_t domain_mask;
+		struct policy_handle domain_handle;
+
+		uint32_t builtin_mask;
+		struct policy_handle builtin_handle;
+	} samr;
+
+};
+
+NET_API_STATUS libnetapi_get_password(struct libnetapi_ctx *ctx, char **password);
+NET_API_STATUS libnetapi_get_username(struct libnetapi_ctx *ctx, char **username);
+NET_API_STATUS libnetapi_set_error_string(struct libnetapi_ctx *ctx, const char *format, ...);
+NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debuglevel);
+
+WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
+WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+			   const char *server_name,
+			   const struct ndr_syntax_id *interface,
+			   struct cli_state **pcli,
+			   struct rpc_pipe_client **presult);
+WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
+				  struct rpc_pipe_client *pipe_cli,
+				  uint32_t connect_mask,
+				  uint32_t domain_mask,
+				  struct policy_handle *connect_handle,
+				  struct policy_handle *domain_handle,
+				  struct dom_sid2 **domain_sid);
+WERROR libnetapi_samr_open_builtin_domain(struct libnetapi_ctx *mem_ctx,
+					  struct rpc_pipe_client *pipe_cli,
+					  uint32_t connect_mask,
+					  uint32_t builtin_mask,
+					  struct policy_handle *connect_handle,
+					  struct policy_handle *builtin_handle);
+void libnetapi_samr_close_domain_handle(struct libnetapi_ctx *ctx,
+					struct policy_handle *handle);
+void libnetapi_samr_close_builtin_handle(struct libnetapi_ctx *ctx,
+					 struct policy_handle *handle);
+void libnetapi_samr_close_connect_handle(struct libnetapi_ctx *ctx,
+					 struct policy_handle *handle);
+void libnetapi_samr_free(struct libnetapi_ctx *ctx);
+
+NTSTATUS add_GROUP_USERS_INFO_X_buffer(TALLOC_CTX *mem_ctx,
+				       uint32_t level,
+				       const char *group_name,
+				       uint32_t attributes,
+				       uint8_t **buffer,
+				       uint32_t *num_entries);
+
+#endif
diff --git a/source3/lib/netapi/samr.c b/source3/lib/netapi/samr.c
new file mode 100644
index 0000000000..dbcef38dc7
--- /dev/null
+++ b/source3/lib/netapi/samr.c
@@ -0,0 +1,319 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Samr Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+
+/****************************************************************
+****************************************************************/
+
+WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
+				  struct rpc_pipe_client *pipe_cli,
+				  uint32_t connect_mask,
+				  uint32_t domain_mask,
+				  struct policy_handle *connect_handle,
+				  struct policy_handle *domain_handle,
+				  struct dom_sid2 **domain_sid)
+{
+	NTSTATUS status;
+	WERROR werr;
+	struct libnetapi_private_ctx *priv;
+	uint32_t resume_handle = 0;
+	uint32_t num_entries = 0;
+	struct samr_SamArray *sam = NULL;
+	const char *domain_name = NULL;
+	struct lsa_String lsa_domain_name;
+	bool domain_found = true;
+	int i;
+
+	priv = talloc_get_type_abort(mem_ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	if (is_valid_policy_hnd(&priv->samr.connect_handle)) {
+		if ((priv->samr.connect_mask & connect_mask) == connect_mask) {
+			*connect_handle = priv->samr.connect_handle;
+		} else {
+			libnetapi_samr_close_connect_handle(mem_ctx,
+				&priv->samr.connect_handle);
+		}
+	}
+
+	if (is_valid_policy_hnd(&priv->samr.domain_handle)) {
+		if ((priv->samr.domain_mask & domain_mask) == domain_mask) {
+			*domain_handle = priv->samr.domain_handle;
+		} else {
+			libnetapi_samr_close_domain_handle(mem_ctx,
+				&priv->samr.domain_handle);
+		}
+	}
+
+	if (priv->samr.domain_sid) {
+		*domain_sid = priv->samr.domain_sid;
+	}
+
+	if (is_valid_policy_hnd(&priv->samr.connect_handle) &&
+	    ((priv->samr.connect_mask & connect_mask) == connect_mask) &&
+	    is_valid_policy_hnd(&priv->samr.domain_handle) &&
+	    (priv->samr.domain_mask & domain_mask) == domain_mask) {
+		return WERR_OK;
+	}
+
+	if (!is_valid_policy_hnd(connect_handle)) {
+		status = rpccli_try_samr_connects(pipe_cli, mem_ctx,
+						  connect_mask,
+						  connect_handle);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_EnumDomains(pipe_cli, mem_ctx,
+					 connect_handle,
+					 &resume_handle,
+					 &sam,
+					 0xffffffff,
+					 &num_entries);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i<num_entries; i++) {
+
+		domain_name = sam->entries[i].name.string;
+
+		if (strequal(domain_name, builtin_domain_name())) {
+			continue;
+		}
+
+		domain_found = true;
+		break;
+	}
+
+	if (!domain_found) {
+		werr = WERR_NO_SUCH_DOMAIN;
+		goto done;
+	}
+
+	init_lsa_String(&lsa_domain_name, domain_name);
+
+	status = rpccli_samr_LookupDomain(pipe_cli, mem_ctx,
+					  connect_handle,
+					  &lsa_domain_name,
+					  domain_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenDomain(pipe_cli, mem_ctx,
+					connect_handle,
+					domain_mask,
+					*domain_sid,
+					domain_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	priv->samr.cli			= pipe_cli;
+
+	priv->samr.domain_name		= domain_name;
+	priv->samr.domain_sid		= *domain_sid;
+
+	priv->samr.connect_mask		= connect_mask;
+	priv->samr.connect_handle	= *connect_handle;
+
+	priv->samr.domain_mask		= domain_mask;
+	priv->samr.domain_handle	= *domain_handle;
+
+	werr = WERR_OK;
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR libnetapi_samr_open_builtin_domain(struct libnetapi_ctx *mem_ctx,
+					  struct rpc_pipe_client *pipe_cli,
+					  uint32_t connect_mask,
+					  uint32_t builtin_mask,
+					  struct policy_handle *connect_handle,
+					  struct policy_handle *builtin_handle)
+{
+	NTSTATUS status;
+	WERROR werr;
+	struct libnetapi_private_ctx *priv;
+
+	priv = talloc_get_type_abort(mem_ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	if (is_valid_policy_hnd(&priv->samr.connect_handle)) {
+		if ((priv->samr.connect_mask & connect_mask) == connect_mask) {
+			*connect_handle = priv->samr.connect_handle;
+		} else {
+			libnetapi_samr_close_connect_handle(mem_ctx,
+				&priv->samr.connect_handle);
+		}
+	}
+
+	if (is_valid_policy_hnd(&priv->samr.builtin_handle)) {
+		if ((priv->samr.builtin_mask & builtin_mask) == builtin_mask) {
+			*builtin_handle = priv->samr.builtin_handle;
+		} else {
+			libnetapi_samr_close_builtin_handle(mem_ctx,
+				&priv->samr.builtin_handle);
+		}
+	}
+
+	if (is_valid_policy_hnd(&priv->samr.connect_handle) &&
+	    ((priv->samr.connect_mask & connect_mask) == connect_mask) &&
+	    is_valid_policy_hnd(&priv->samr.builtin_handle) &&
+	    (priv->samr.builtin_mask & builtin_mask) == builtin_mask) {
+		return WERR_OK;
+	}
+
+	if (!is_valid_policy_hnd(connect_handle)) {
+		status = rpccli_try_samr_connects(pipe_cli, mem_ctx,
+						  connect_mask,
+						  connect_handle);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_OpenDomain(pipe_cli, mem_ctx,
+					connect_handle,
+					builtin_mask,
+					CONST_DISCARD(DOM_SID *, &global_sid_Builtin),
+					builtin_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	priv->samr.cli			= pipe_cli;
+
+	priv->samr.connect_mask		= connect_mask;
+	priv->samr.connect_handle	= *connect_handle;
+
+	priv->samr.builtin_mask		= builtin_mask;
+	priv->samr.builtin_handle	= *builtin_handle;
+
+	werr = WERR_OK;
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+void libnetapi_samr_close_domain_handle(struct libnetapi_ctx *ctx,
+					struct policy_handle *handle)
+{
+	struct libnetapi_private_ctx *priv;
+
+	if (!is_valid_policy_hnd(handle)) {
+		return;
+	}
+
+	priv = talloc_get_type_abort(ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	if (!policy_hnd_equal(handle, &priv->samr.domain_handle)) {
+		return;
+	}
+
+	rpccli_samr_Close(priv->samr.cli, ctx, handle);
+
+	ZERO_STRUCT(priv->samr.domain_handle);
+}
+
+/****************************************************************
+****************************************************************/
+
+void libnetapi_samr_close_builtin_handle(struct libnetapi_ctx *ctx,
+					 struct policy_handle *handle)
+{
+	struct libnetapi_private_ctx *priv;
+
+	if (!is_valid_policy_hnd(handle)) {
+		return;
+	}
+
+	priv = talloc_get_type_abort(ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	if (!policy_hnd_equal(handle, &priv->samr.builtin_handle)) {
+		return;
+	}
+
+	rpccli_samr_Close(priv->samr.cli, ctx, handle);
+
+	ZERO_STRUCT(priv->samr.builtin_handle);
+}
+
+/****************************************************************
+****************************************************************/
+
+void libnetapi_samr_close_connect_handle(struct libnetapi_ctx *ctx,
+					 struct policy_handle *handle)
+{
+	struct libnetapi_private_ctx *priv;
+
+	if (!is_valid_policy_hnd(handle)) {
+		return;
+	}
+
+	priv = talloc_get_type_abort(ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	if (!policy_hnd_equal(handle, &priv->samr.connect_handle)) {
+		return;
+	}
+
+	rpccli_samr_Close(priv->samr.cli, ctx, handle);
+
+	ZERO_STRUCT(priv->samr.connect_handle);
+}
+
+/****************************************************************
+****************************************************************/
+
+void libnetapi_samr_free(struct libnetapi_ctx *ctx)
+{
+	struct libnetapi_private_ctx *priv;
+
+	if (!ctx->private_data) {
+		return;
+	}
+
+	priv = talloc_get_type_abort(ctx->private_data,
+		struct libnetapi_private_ctx);
+
+	libnetapi_samr_close_domain_handle(ctx, &priv->samr.domain_handle);
+	libnetapi_samr_close_builtin_handle(ctx, &priv->samr.builtin_handle);
+	libnetapi_samr_close_connect_handle(ctx, &priv->samr.connect_handle);
+}
diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
new file mode 100644
index 0000000000..b2a134b0af
--- /dev/null
+++ b/source3/lib/netapi/serverinfo.c
@@ -0,0 +1,360 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Server Support
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+#include "libnet/libnet.h"
+
+/****************************************************************
+****************************************************************/
+
+static WERROR NetServerGetInfo_l_101(struct libnetapi_ctx *ctx,
+				     uint8_t **buffer)
+{
+	struct SERVER_INFO_101 i;
+
+	i.sv101_platform_id	= PLATFORM_ID_NT;
+	i.sv101_name		= global_myname();
+	i.sv101_version_major	= lp_major_announce_version();
+	i.sv101_version_minor	= lp_minor_announce_version();
+	i.sv101_type		= lp_default_server_announce();
+	i.sv101_comment		= lp_serverstring();
+
+	*buffer = (uint8_t *)talloc_memdup(ctx, &i, sizeof(i));
+	if (!*buffer) {
+		return WERR_NOMEM;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR NetServerGetInfo_l_1005(struct libnetapi_ctx *ctx,
+				      uint8_t **buffer)
+{
+	struct SERVER_INFO_1005 info1005;
+
+	info1005.sv1005_comment = lp_serverstring();
+	*buffer = (uint8_t *)talloc_memdup(ctx, &info1005, sizeof(info1005));
+	if (!*buffer) {
+		return WERR_NOMEM;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetServerGetInfo_l(struct libnetapi_ctx *ctx,
+			  struct NetServerGetInfo *r)
+{
+	switch (r->in.level) {
+		case 101:
+			return NetServerGetInfo_l_101(ctx, r->out.buffer);
+		case 1005:
+			return NetServerGetInfo_l_1005(ctx, r->out.buffer);
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	return WERR_UNKNOWN_LEVEL;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS map_server_info_to_SERVER_INFO_buffer(TALLOC_CTX *mem_ctx,
+						      uint32_t level,
+						      union srvsvc_NetSrvInfo *i,
+						      uint8_t **buffer)
+{
+	struct SERVER_INFO_100 i100;
+	struct SERVER_INFO_101 i101;
+	struct SERVER_INFO_102 i102;
+	struct SERVER_INFO_1005 i1005;
+
+	uint32_t num_info = 0;
+
+	switch (level) {
+		case 100:
+			i100.sv100_platform_id		= i->info100->platform_id;
+			i100.sv100_name			= talloc_strdup(mem_ctx, i->info100->server_name);
+
+			ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_100, i100,
+				     (struct SERVER_INFO_100 **)buffer,
+				     &num_info);
+			break;
+
+		case 101:
+			i101.sv101_platform_id		= i->info101->platform_id;
+			i101.sv101_name			= talloc_strdup(mem_ctx, i->info101->server_name);
+			i101.sv101_version_major	= i->info101->version_major;
+			i101.sv101_version_minor	= i->info101->version_minor;
+			i101.sv101_type			= i->info101->server_type;
+			i101.sv101_comment		= talloc_strdup(mem_ctx, i->info101->comment);
+
+			ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_101, i101,
+				     (struct SERVER_INFO_101 **)buffer,
+				     &num_info);
+			break;
+
+		case 102:
+			i102.sv102_platform_id		= i->info102->platform_id;
+			i102.sv102_name			= talloc_strdup(mem_ctx, i->info102->server_name);
+			i102.sv102_version_major	= i->info102->version_major;
+			i102.sv102_version_minor	= i->info102->version_minor;
+			i102.sv102_type			= i->info102->server_type;
+			i102.sv102_comment		= talloc_strdup(mem_ctx, i->info102->comment);
+			i102.sv102_users		= i->info102->users;
+			i102.sv102_disc			= i->info102->disc;
+			i102.sv102_hidden		= i->info102->hidden;
+			i102.sv102_announce		= i->info102->announce;
+			i102.sv102_anndelta		= i->info102->anndelta;
+			i102.sv102_licenses		= i->info102->licenses;
+			i102.sv102_userpath		= talloc_strdup(mem_ctx, i->info102->userpath);
+
+			ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_102, i102,
+				     (struct SERVER_INFO_102 **)buffer,
+				     &num_info);
+			break;
+
+		case 1005:
+			i1005.sv1005_comment		= talloc_strdup(mem_ctx, i->info1005->comment);
+
+			ADD_TO_ARRAY(mem_ctx, struct SERVER_INFO_1005, i1005,
+				     (struct SERVER_INFO_1005 **)buffer,
+				     &num_info);
+			break;
+		default:
+			return NT_STATUS_NOT_SUPPORTED;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
+			  struct NetServerGetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	union srvsvc_NetSrvInfo info;
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 100:
+		case 101:
+		case 102:
+		case 1005:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetSrvGetInfo(pipe_cli, ctx,
+					     r->in.server_name,
+					     r->in.level,
+					     &info,
+					     &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = map_server_info_to_SERVER_INFO_buffer(ctx, r->in.level, &info,
+						       r->out.buffer);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR NetServerSetInfo_l_1005(struct libnetapi_ctx *ctx,
+				      struct NetServerSetInfo *r)
+{
+	WERROR werr;
+	struct smbconf_ctx *conf_ctx;
+	struct srvsvc_NetSrvInfo1005 *info1005;
+
+	if (!r->in.buffer) {
+		*r->out.parm_error = 1005; /* sure here ? */
+		return WERR_INVALID_PARAM;
+	}
+
+	info1005 = (struct srvsvc_NetSrvInfo1005 *)r->in.buffer;
+
+	if (!info1005->comment) {
+		*r->out.parm_error = 1005;
+		return WERR_INVALID_PARAM;
+	}
+
+	if (!lp_config_backend_is_registry()) {
+		libnetapi_set_error_string(ctx,
+			"Configuration manipulation requested but not "
+			"supported by backend");
+		return WERR_NOT_SUPPORTED;
+	}
+
+	werr = smbconf_init_reg(ctx, &conf_ctx, NULL);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = smbconf_set_global_parameter(conf_ctx, "server string",
+					    info1005->comment);
+
+ done:
+	smbconf_shutdown(conf_ctx);
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetServerSetInfo_l(struct libnetapi_ctx *ctx,
+			  struct NetServerSetInfo *r)
+{
+	switch (r->in.level) {
+		case 1005:
+			return NetServerSetInfo_l_1005(ctx, r);
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	return WERR_UNKNOWN_LEVEL;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
+			  struct NetServerSetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	union srvsvc_NetSrvInfo info;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 1005:
+			info.info1005 = (struct srvsvc_NetSrvInfo1005 *)r->in.buffer;
+			break;
+		default:
+			werr = WERR_NOT_SUPPORTED;
+			goto done;
+	}
+
+	status = rpccli_srvsvc_NetSrvSetInfo(pipe_cli, ctx,
+					     r->in.server_name,
+					     r->in.level,
+					     &info,
+					     r->out.parm_error,
+					     &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
+		      struct NetRemoteTOD *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	struct srvsvc_NetRemoteTODInfo *info = NULL;
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetRemoteTOD(pipe_cli, ctx,
+					    r->in.server_name,
+					    &info,
+					    &werr);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	*r->out.buffer = (uint8_t *)talloc_memdup(ctx, info,
+			  sizeof(struct srvsvc_NetRemoteTODInfo));
+	W_ERROR_HAVE_NO_MEMORY(*r->out.buffer);
+
+ done:
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetRemoteTOD_l(struct libnetapi_ctx *ctx,
+		      struct NetRemoteTOD *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetRemoteTOD);
+}
+
diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
new file mode 100644
index 0000000000..1d0e1810f1
--- /dev/null
+++ b/source3/lib/netapi/share.c
@@ -0,0 +1,555 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Share Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS map_srvsvc_share_info_to_SHARE_INFO_buffer(TALLOC_CTX *mem_ctx,
+							   uint32_t level,
+							   union srvsvc_NetShareInfo *info,
+							   uint8_t **buffer,
+							   uint32_t *num_shares)
+{
+	struct SHARE_INFO_0 i0;
+	struct SHARE_INFO_1 i1;
+	struct SHARE_INFO_2 i2;
+	struct SHARE_INFO_501 i501;
+	struct SHARE_INFO_1005 i1005;
+
+	struct srvsvc_NetShareInfo0 *s0;
+	struct srvsvc_NetShareInfo1 *s1;
+	struct srvsvc_NetShareInfo2 *s2;
+	struct srvsvc_NetShareInfo501 *s501;
+	struct srvsvc_NetShareInfo1005 *s1005;
+
+	if (!buffer) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	switch (level) {
+		case 0:
+			s0 = info->info0;
+
+			i0.shi0_netname		= talloc_strdup(mem_ctx, s0->name);
+
+			ADD_TO_ARRAY(mem_ctx, struct SHARE_INFO_0, i0,
+				     (struct SHARE_INFO_0 **)buffer,
+				     num_shares);
+			break;
+
+		case 1:
+			s1 = info->info1;
+
+			i1.shi1_netname		= talloc_strdup(mem_ctx, s1->name);
+			i1.shi1_type		= s1->type;
+			i1.shi1_remark		= talloc_strdup(mem_ctx, s1->comment);
+
+			ADD_TO_ARRAY(mem_ctx, struct SHARE_INFO_1, i1,
+				     (struct SHARE_INFO_1 **)buffer,
+				     num_shares);
+			break;
+
+		case 2:
+			s2 = info->info2;
+
+			i2.shi2_netname		= talloc_strdup(mem_ctx, s2->name);
+			i2.shi2_type		= s2->type;
+			i2.shi2_remark		= talloc_strdup(mem_ctx, s2->comment);
+			i2.shi2_permissions	= s2->permissions;
+			i2.shi2_max_uses	= s2->max_users;
+			i2.shi2_current_uses	= s2->current_users;
+			i2.shi2_path		= talloc_strdup(mem_ctx, s2->path);
+			i2.shi2_passwd		= talloc_strdup(mem_ctx, s2->password);
+
+			ADD_TO_ARRAY(mem_ctx, struct SHARE_INFO_2, i2,
+				     (struct SHARE_INFO_2 **)buffer,
+				     num_shares);
+			break;
+
+		case 501:
+			s501 = info->info501;
+
+			i501.shi501_netname		= talloc_strdup(mem_ctx, s501->name);
+			i501.shi501_type		= s501->type;
+			i501.shi501_remark		= talloc_strdup(mem_ctx, s501->comment);
+			i501.shi501_flags		= s501->csc_policy;
+
+			ADD_TO_ARRAY(mem_ctx, struct SHARE_INFO_501, i501,
+				     (struct SHARE_INFO_501 **)buffer,
+				     num_shares);
+			break;
+
+		case 1005:
+			s1005 = info->info1005;
+
+			i1005.shi1005_flags		= s1005->dfs_flags;
+
+			ADD_TO_ARRAY(mem_ctx, struct SHARE_INFO_1005, i1005,
+				     (struct SHARE_INFO_1005 **)buffer,
+				     num_shares);
+			break;
+
+		default:
+			return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS map_SHARE_INFO_buffer_to_srvsvc_share_info(TALLOC_CTX *mem_ctx,
+							   uint8_t *buffer,
+							   uint32_t level,
+							   union srvsvc_NetShareInfo *info)
+{
+	struct SHARE_INFO_2 *i2 = NULL;
+	struct SHARE_INFO_1004 *i1004 = NULL;
+	struct srvsvc_NetShareInfo2 *s2 = NULL;
+	struct srvsvc_NetShareInfo1004 *s1004 = NULL;
+
+	if (!buffer) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	switch (level) {
+		case 2:
+			i2 = (struct SHARE_INFO_2 *)buffer;
+
+			s2 = TALLOC_P(mem_ctx, struct srvsvc_NetShareInfo2);
+			NT_STATUS_HAVE_NO_MEMORY(s2);
+
+			s2->name		= i2->shi2_netname;
+			s2->type		= i2->shi2_type;
+			s2->comment		= i2->shi2_remark;
+			s2->permissions		= i2->shi2_permissions;
+			s2->max_users		= i2->shi2_max_uses;
+			s2->current_users	= i2->shi2_current_uses;
+			s2->path		= i2->shi2_path;
+			s2->password		= i2->shi2_passwd;
+
+			info->info2 = s2;
+
+			break;
+		case 1004:
+			i1004 = (struct SHARE_INFO_1004 *)buffer;
+
+			s1004 = TALLOC_P(mem_ctx, struct srvsvc_NetShareInfo1004);
+			NT_STATUS_HAVE_NO_MEMORY(s1004);
+
+			s1004->comment		= i1004->shi1004_remark;
+
+			info->info1004 = s1004;
+
+			break;
+		default:
+			return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
+		     struct NetShareAdd *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	union srvsvc_NetShareInfo info;
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 2:
+			break;
+		case 502:
+		case 503:
+			return WERR_NOT_SUPPORTED;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = map_SHARE_INFO_buffer_to_srvsvc_share_info(ctx,
+							    r->in.buffer,
+							    r->in.level,
+							    &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetShareAdd(pipe_cli, ctx,
+					   r->in.server_name,
+					   r->in.level,
+					   &info,
+					   r->out.parm_err,
+					   &werr);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareAdd_l(struct libnetapi_ctx *ctx,
+		     struct NetShareAdd *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetShareAdd);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
+		     struct NetShareDel *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+
+	if (!r->in.net_name) {
+		return WERR_INVALID_PARAM;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetShareDel(pipe_cli, ctx,
+					   r->in.server_name,
+					   r->in.net_name,
+					   r->in.reserved,
+					   &werr);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareDel_l(struct libnetapi_ctx *ctx,
+		     struct NetShareDel *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetShareDel);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
+		      struct NetShareEnum *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct srvsvc_NetShareInfoCtr info_ctr;
+	struct srvsvc_NetShareCtr0 ctr0;
+	struct srvsvc_NetShareCtr1 ctr1;
+	struct srvsvc_NetShareCtr2 ctr2;
+	uint32_t i;
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 2:
+			break;
+		case 502:
+		case 503:
+			return WERR_NOT_SUPPORTED;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	ZERO_STRUCT(info_ctr);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	info_ctr.level = r->in.level;
+	switch (r->in.level) {
+		case 0:
+			ZERO_STRUCT(ctr0);
+			info_ctr.ctr.ctr0 = &ctr0;
+			break;
+		case 1:
+			ZERO_STRUCT(ctr1);
+			info_ctr.ctr.ctr1 = &ctr1;
+			break;
+		case 2:
+			ZERO_STRUCT(ctr2);
+			info_ctr.ctr.ctr2 = &ctr2;
+			break;
+	}
+
+	status = rpccli_srvsvc_NetShareEnumAll(pipe_cli, ctx,
+					       r->in.server_name,
+					       &info_ctr,
+					       r->in.prefmaxlen,
+					       r->out.total_entries,
+					       r->out.resume_handle,
+					       &werr);
+	if (NT_STATUS_IS_ERR(status)) {
+		goto done;
+	}
+
+	for (i=0; i < info_ctr.ctr.ctr1->count; i++) {
+		union srvsvc_NetShareInfo _i;
+		switch (r->in.level) {
+			case 0:
+				_i.info0 = &info_ctr.ctr.ctr0->array[i];
+				break;
+			case 1:
+				_i.info1 = &info_ctr.ctr.ctr1->array[i];
+				break;
+			case 2:
+				_i.info2 = &info_ctr.ctr.ctr2->array[i];
+				break;
+		}
+
+		status = map_srvsvc_share_info_to_SHARE_INFO_buffer(ctx,
+								    r->in.level,
+								    &_i,
+								    r->out.buffer,
+								    r->out.entries_read);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+		}
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareEnum_l(struct libnetapi_ctx *ctx,
+		      struct NetShareEnum *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetShareEnum);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetShareGetInfo *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	union srvsvc_NetShareInfo info;
+	uint32_t num_entries = 0;
+
+	if (!r->in.net_name || !r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 2:
+		case 501:
+		case 1005:
+			break;
+		case 502:
+		case 503:
+			return WERR_NOT_SUPPORTED;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetShareGetInfo(pipe_cli, ctx,
+					       r->in.server_name,
+					       r->in.net_name,
+					       r->in.level,
+					       &info,
+					       &werr);
+
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = map_srvsvc_share_info_to_SHARE_INFO_buffer(ctx,
+							    r->in.level,
+							    &info,
+							    r->out.buffer,
+							    &num_entries);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareGetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetShareGetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetShareGetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
+			 struct NetShareSetInfo *r)
+{
+	WERROR werr;
+	NTSTATUS status;
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	union srvsvc_NetShareInfo info;
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 2:
+		case 1004:
+			break;
+		case 1:
+		case 502:
+		case 503:
+		case 1005:
+		case 1006:
+		case 1501:
+			return WERR_NOT_SUPPORTED;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_srvsvc.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = map_SHARE_INFO_buffer_to_srvsvc_share_info(ctx,
+							    r->in.buffer,
+							    r->in.level,
+							    &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_srvsvc_NetShareSetInfo(pipe_cli, ctx,
+					       r->in.server_name,
+					       r->in.net_name,
+					       r->in.level,
+					       &info,
+					       r->out.parm_err,
+					       &werr);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetShareSetInfo_l(struct libnetapi_ctx *ctx,
+			 struct NetShareSetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetShareSetInfo);
+}
diff --git a/source3/lib/netapi/sid.c b/source3/lib/netapi/sid.c
new file mode 100644
index 0000000000..a9bca2689f
--- /dev/null
+++ b/source3/lib/netapi/sid.c
@@ -0,0 +1,76 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "lib/netapi/netapi.h"
+
+/****************************************************************
+****************************************************************/
+
+int ConvertSidToStringSid(const struct domsid *sid,
+			  char **sid_string)
+{
+	char *ret;
+
+	if (!sid || !sid_string) {
+		return false;
+	}
+
+	ret = sid_string_talloc(NULL, (const struct dom_sid *)sid);
+	if (!ret) {
+		return false;
+	}
+
+	*sid_string = SMB_STRDUP(ret);
+
+	TALLOC_FREE(ret);
+
+	if (!*sid_string) {
+		return false;
+	}
+
+	return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+int ConvertStringSidToSid(const char *sid_string,
+			  struct domsid **sid)
+{
+	struct dom_sid _sid;
+
+	if (!sid_string || !sid) {
+		return false;
+	}
+
+	if (!string_to_sid(&_sid, sid_string)) {
+		return false;
+	}
+
+	*sid = (struct domsid *)SMB_MALLOC(sizeof(struct domsid));
+	if (!*sid) {
+		return false;
+	}
+
+	sid_copy((struct dom_sid*)*sid, &_sid);
+
+	return true;
+}
diff --git a/source3/lib/netapi/tests/Makefile.in b/source3/lib/netapi/tests/Makefile.in
new file mode 100644
index 0000000000..d3f0663908
--- /dev/null
+++ b/source3/lib/netapi/tests/Makefile.in
@@ -0,0 +1,57 @@
+KRB5LIBS=@KRB5_LIBS@
+LDAP_LIBS=@LDAP_LIBS@
+LIBS=@LIBS@ -lnetapi -ltdb -ltalloc
+DEVELOPER_CFLAGS=@DEVELOPER_CFLAGS@
+FLAGS=-I../ -L../../../bin @CFLAGS@ $(GTK_FLAGS)
+CC=@CC@
+PICFLAG=@PICFLAG@
+LDFLAGS=@PIE_LDFLAGS@ @LDFLAGS@
+DYNEXP=@DYNEXP@
+NETAPI_LIBS=$(LIBS) $(KRB5LIBS) $(LDAP_LIBS)
+CMDLINE_LIBS=$(NETAPI_LIBS) @POPTLIBS@
+
+# Compile a source file.
+COMPILE_CC = $(CC) -I. $(FLAGS) $(PICFLAG) -c $< -o $@
+COMPILE = $(COMPILE_CC)
+
+PROGS = bin/netapitest@EXEEXT@
+
+all: $(PROGS)
+
+MAKEDIR = || exec false; \
+	  if test -d "$$dir"; then :; else \
+	  echo mkdir "$$dir"; \
+	  mkdir -p "$$dir" >/dev/null 2>&1 || \
+	  test -d "$$dir" || \
+	  mkdir "$$dir" || \
+	  exec false; fi || exec false
+
+BINARY_PREREQS = bin/.dummy
+
+bin/.dummy:
+	@if (: >> $@ || : > $@) >/dev/null 2>&1; then :; else \
+	  dir=bin $(MAKEDIR); fi
+	@: >> $@ || : > $@ # what a fancy emoticon!
+
+.c.o:
+	@if (: >> $@ || : > $@) >/dev/null 2>&1; then rm -f $@; else \
+	 dir=`echo $@ | sed 's,/[^/]*$$,,;s,^$$,.,'` $(MAKEDIR); fi
+	@echo Compiling $*.c
+	@$(COMPILE) && exit 0;\
+		echo "The following command failed:" 1>&2;\
+		echo "$(COMPILE_CC)" 1>&2;\
+		$(COMPILE_CC) >/dev/null 2>&1
+
+CMDLINE_OBJ = common.o
+NETAPIBUFFER_OBJ = netapibuffer.o
+NETAPITEST_OBJ = netapitest.o netlocalgroup.o netuser.o netgroup.o netdisplay.o netshare.o $(CMDLINE_OBJ)
+
+bin/netapitest@EXEEXT@: $(BINARY_PREREQS) $(NETAPITEST_OBJ)
+	@echo Linking $@
+	@$(CC) $(FLAGS) -o $@ $(NETAPITEST_OBJ) $(LDFLAGS) $(DYNEXP) $(CMDLINE_LIBS)
+
+clean:
+	-rm -f $(PROGS)
+	-rm -f core */*~ *~ \
+		*/*.o */*/*.o */*/*/*.o
+
diff --git a/source3/lib/netapi/tests/common.c b/source3/lib/netapi/tests/common.c
new file mode 100644
index 0000000000..22175afb48
--- /dev/null
+++ b/source3/lib/netapi/tests/common.c
@@ -0,0 +1,86 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <inttypes.h>
+
+#include <popt.h>
+#include <netapi.h>
+
+#include "common.h"
+
+void popt_common_callback(poptContext con,
+			 enum poptCallbackReason reason,
+			 const struct poptOption *opt,
+			 const char *arg, const void *data)
+{
+	struct libnetapi_ctx *ctx = NULL;
+
+	libnetapi_getctx(&ctx);
+
+	if (reason == POPT_CALLBACK_REASON_PRE) {
+	}
+
+	if (reason == POPT_CALLBACK_REASON_POST) {
+	}
+
+	if (!opt) {
+		return;
+	}
+	switch (opt->val) {
+		case 'U': {
+			char *puser = strdup(arg);
+			char *p = NULL;
+
+			if ((p = strchr(puser,'%'))) {
+				size_t len;
+				*p = 0;
+				libnetapi_set_username(ctx, puser);
+				libnetapi_set_password(ctx, p+1);
+				len = strlen(p+1);
+				memset(strchr(arg,'%')+1,'X',len);
+			} else {
+				libnetapi_set_username(ctx, puser);
+			}
+			free(puser);
+			break;
+		}
+		case 'd':
+			libnetapi_set_debuglevel(ctx, arg);
+			break;
+		case 'p':
+			libnetapi_set_password(ctx, arg);
+			break;
+		case 'k':
+			libnetapi_set_use_kerberos(ctx);
+			break;
+	}
+}
+
+struct poptOption popt_common_netapi_examples[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, (void *)popt_common_callback },
+	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Username used for connection", "USERNAME" },
+	{ "password", 'p', POPT_ARG_STRING, NULL, 'p', "Password used for connection", "PASSWORD" },
+	{ "debuglevel", 'd', POPT_ARG_STRING, NULL, 'd', "Debuglevel", "DEBUGLEVEL" },
+	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use Kerberos", NULL },
+	POPT_TABLEEND
+};
+
diff --git a/source3/lib/netapi/tests/common.h b/source3/lib/netapi/tests/common.h
new file mode 100644
index 0000000000..5a320321ba
--- /dev/null
+++ b/source3/lib/netapi/tests/common.h
@@ -0,0 +1,57 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <popt.h>
+
+void popt_common_callback(poptContext con,
+			 enum poptCallbackReason reason,
+			 const struct poptOption *opt,
+			 const char *arg, const void *data);
+
+extern struct poptOption popt_common_netapi_examples[];
+
+#define POPT_COMMON_LIBNETAPI_EXAMPLES { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_netapi_examples, 0, "Common samba netapi example options:", NULL },
+
+NET_API_STATUS test_netuseradd(const char *hostname,
+			       const char *username);
+
+NET_API_STATUS netapitest_localgroup(struct libnetapi_ctx *ctx,
+				     const char *hostname);
+NET_API_STATUS netapitest_user(struct libnetapi_ctx *ctx,
+			       const char *hostname);
+NET_API_STATUS netapitest_group(struct libnetapi_ctx *ctx,
+				const char *hostname);
+NET_API_STATUS netapitest_display(struct libnetapi_ctx *ctx,
+				  const char *hostname);
+NET_API_STATUS netapitest_share(struct libnetapi_ctx *ctx,
+				const char *hostname);
+
+#ifndef ARRAY_SIZE
+#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
+#endif
+
+#define NETAPI_STATUS(x,y,fn) \
+	printf("FAILURE: line %d: %s failed with status: %s (%d)\n", \
+		__LINE__, fn, libnetapi_get_error_string(x,y), y);
+
+#define NETAPI_STATUS_MSG(x,y,fn,z) \
+	printf("FAILURE: line %d: %s failed with status: %s (%d), %s\n", \
+		__LINE__, fn, libnetapi_get_error_string(x,y), y, z);
+
+#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
diff --git a/source3/lib/netapi/tests/netapitest.c b/source3/lib/netapi/tests/netapitest.c
new file mode 100644
index 0000000000..87144020f5
--- /dev/null
+++ b/source3/lib/netapi/tests/netapitest.c
@@ -0,0 +1,97 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+int main(int argc, const char **argv)
+{
+	NET_API_STATUS status = 0;
+	struct libnetapi_ctx *ctx = NULL;
+	const char *hostname = NULL;
+
+	poptContext pc;
+	int opt;
+
+	struct poptOption long_options[] = {
+		POPT_AUTOHELP
+		POPT_COMMON_LIBNETAPI_EXAMPLES
+		POPT_TABLEEND
+	};
+
+	status = libnetapi_init(&ctx);
+	if (status != 0) {
+		return status;
+	}
+
+	pc = poptGetContext("netapitest", argc, argv, long_options, 0);
+
+	poptSetOtherOptionHelp(pc, "hostname");
+	while((opt = poptGetNextOpt(pc)) != -1) {
+	}
+
+	if (!poptPeekArg(pc)) {
+		poptPrintHelp(pc, stderr, 0);
+		goto out;
+	}
+	hostname = poptGetArg(pc);
+
+	status = netapitest_localgroup(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+	status = netapitest_user(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+	status = netapitest_group(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+	status = netapitest_display(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+	status = netapitest_share(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+ out:
+	if (status != 0) {
+		printf("testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	libnetapi_free(ctx);
+	poptFreeContext(pc);
+
+	return status;
+}
diff --git a/source3/lib/netapi/tests/netdisplay.c b/source3/lib/netapi/tests/netdisplay.c
new file mode 100644
index 0000000000..090792cec2
--- /dev/null
+++ b/source3/lib/netapi/tests/netdisplay.c
@@ -0,0 +1,150 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroup testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+static NET_API_STATUS test_netquerydisplayinformation(const char *hostname,
+						      uint32_t level,
+						      const char *name)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	int found_name = 0;
+	const char *current_name;
+	uint8_t *buffer = NULL;
+	uint32_t idx = 0;
+	int i;
+
+	struct NET_DISPLAY_USER *user;
+	struct NET_DISPLAY_GROUP *group;
+	struct NET_DISPLAY_MACHINE *machine;
+
+	printf("testing NetQueryDisplayInformation level %d\n", level);
+
+	do {
+		status = NetQueryDisplayInformation(hostname,
+						    level,
+						    idx,
+						    1000,
+						    (uint32_t)-1,
+						    &entries_read,
+						    (void **)&buffer);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 1:
+					user = (struct NET_DISPLAY_USER *)buffer;
+					break;
+				case 2:
+					machine = (struct NET_DISPLAY_MACHINE *)buffer;
+					break;
+				case 3:
+					group = (struct NET_DISPLAY_GROUP *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 1:
+						current_name = 	user->usri1_name;
+						break;
+					case 2:
+						current_name = 	machine->usri2_name;
+						break;
+					case 3:
+						current_name = 	group->grpi3_name;
+						break;
+					default:
+						break;
+				}
+
+				if (name && strcasecmp(current_name, name) == 0) {
+					found_name = 1;
+				}
+
+				switch (level) {
+					case 1:
+						user++;
+						break;
+					case 2:
+						machine++;
+						break;
+					case 3:
+						group++;
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+		idx += entries_read;
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (name && !found_name) {
+		printf("failed to get name\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS netapitest_display(struct libnetapi_ctx *ctx,
+				  const char *hostname)
+{
+	NET_API_STATUS status = 0;
+	uint32_t levels[] = { 1, 2, 3};
+	int i;
+
+	printf("NetDisplay tests\n");
+
+	/* test enum */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		status = test_netquerydisplayinformation(hostname, levels[i], NULL);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetQueryDisplayInformation");
+			goto out;
+		}
+	}
+
+	status = 0;
+
+	printf("NetDisplay tests succeeded\n");
+ out:
+	if (status != 0) {
+		printf("NetDisplay testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	return status;
+}
diff --git a/source3/lib/netapi/tests/netgroup.c b/source3/lib/netapi/tests/netgroup.c
new file mode 100644
index 0000000000..a89a772ce4
--- /dev/null
+++ b/source3/lib/netapi/tests/netgroup.c
@@ -0,0 +1,286 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetGroup testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+static NET_API_STATUS test_netgroupenum(const char *hostname,
+					uint32_t level,
+				        const char *groupname)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int found_group = 0;
+	const char *current_name;
+	uint8_t *buffer = NULL;
+	int i;
+
+	struct GROUP_INFO_0 *info0;
+	struct GROUP_INFO_1 *info1;
+	struct GROUP_INFO_2 *info2;
+	struct GROUP_INFO_3 *info3;
+
+	printf("testing NetGroupEnum level %d\n", level);
+
+	do {
+		status = NetGroupEnum(hostname,
+				      level,
+				      &buffer,
+				      120, //(uint32_t)-1,
+				      &entries_read,
+				      &total_entries,
+				      &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 0:
+					info0 = (struct GROUP_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct GROUP_INFO_1 *)buffer;
+					break;
+				case 2:
+					info2 = (struct GROUP_INFO_2 *)buffer;
+					break;
+				case 3:
+					info3 = (struct GROUP_INFO_3 *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 0:
+						current_name = 	info0->grpi0_name;
+						break;
+					case 1:
+						current_name = 	info1->grpi1_name;
+						break;
+					case 2:
+						current_name = 	info2->grpi2_name;
+						break;
+					case 3:
+						current_name = 	info3->grpi3_name;
+						break;
+					default:
+						break;
+				}
+
+				if (strcasecmp(current_name, groupname) == 0) {
+					found_group = 1;
+				}
+
+				switch (level) {
+					case 0:
+						info0++;
+						break;
+					case 1:
+						info1++;
+						break;
+					case 2:
+						info2++;
+						break;
+					case 3:
+						info3++;
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (!found_group) {
+		printf("failed to get group\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS netapitest_group(struct libnetapi_ctx *ctx,
+				const char *hostname)
+{
+	NET_API_STATUS status = 0;
+	const char *username, *groupname, *groupname2;
+	uint8_t *buffer = NULL;
+	struct GROUP_INFO_0 g0;
+	uint32_t parm_err = 0;
+	uint32_t levels[] = { 0, 1, 2, 3};
+	uint32_t enum_levels[] = { 0, 1, 2, 3};
+	int i;
+
+	printf("NetGroup tests\n");
+
+	username = "torture_test_user";
+	groupname = "torture_test_group";
+	groupname2 = "torture_test_group2";
+
+	/* cleanup */
+	NetGroupDel(hostname, groupname);
+	NetGroupDel(hostname, groupname2);
+	NetUserDel(hostname, username);
+
+	/* add a group */
+
+	g0.grpi0_name = groupname;
+
+	printf("testing NetGroupAdd\n");
+
+	status = NetGroupAdd(hostname, 0, (uint8_t *)&g0, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetGroupAdd");
+		goto out;
+	}
+
+	/* 2nd add must fail */
+
+	status = NetGroupAdd(hostname, 0, (uint8_t *)&g0, &parm_err);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetGroupAdd");
+		goto out;
+	}
+
+	/* test enum */
+
+	for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
+
+		status = test_netgroupenum(hostname, enum_levels[i], groupname);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetGroupEnum");
+			goto out;
+		}
+	}
+
+	/* basic queries */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		printf("testing NetGroupGetInfo level %d\n", levels[i]);
+
+		status = NetGroupGetInfo(hostname, groupname, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetGroupGetInfo");
+			goto out;
+		}
+	}
+
+	/* group rename */
+
+	g0.grpi0_name = groupname2;
+
+	printf("testing NetGroupSetInfo level 0\n");
+
+	status = NetGroupSetInfo(hostname, groupname, 0, (uint8_t *)&g0, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetGroupSetInfo");
+		goto out;
+	}
+
+	/* should not exist anymore */
+
+	status = NetGroupDel(hostname, groupname);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetGroupDel");
+		goto out;
+	}
+
+	/* query info */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		status = NetGroupGetInfo(hostname, groupname2, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetGroupGetInfo");
+			goto out;
+		}
+	}
+
+	/* add user to group */
+
+	status = test_netuseradd(hostname, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserAdd");
+		goto out;
+	}
+
+	printf("testing NetGroupAddUser\n");
+
+	status = NetGroupAddUser(hostname, groupname2, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetGroupAddUser");
+		goto out;
+	}
+
+	printf("testing NetGroupDelUser\n");
+
+	status = NetGroupDelUser(hostname, groupname2, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetGroupDelUser");
+		goto out;
+	}
+
+	status = NetUserDel(hostname, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserDel");
+		goto out;
+	}
+
+	/* delete */
+
+	printf("testing NetGroupDel\n");
+
+	status = NetGroupDel(hostname, groupname2);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetGroupDel");
+		goto out;
+	};
+
+	/* should not exist anymore */
+
+	status = NetGroupGetInfo(hostname, groupname2, 0, &buffer);
+	if (status == 0) {
+		NETAPI_STATUS_MSG(ctx, status, "NetGroupGetInfo", "expected failure and error code");
+		goto out;
+	};
+
+	status = 0;
+
+	printf("NetGroup tests succeeded\n");
+ out:
+	if (status != 0) {
+		printf("NetGroup testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	return status;
+}
diff --git a/source3/lib/netapi/tests/netlocalgroup.c b/source3/lib/netapi/tests/netlocalgroup.c
new file mode 100644
index 0000000000..0d82059356
--- /dev/null
+++ b/source3/lib/netapi/tests/netlocalgroup.c
@@ -0,0 +1,226 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetLocalGroup testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+static NET_API_STATUS test_netlocalgroupenum(const char *hostname,
+					     uint32_t level,
+					     const char *groupname)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int found_group = 0;
+	const char *current_name;
+	uint8_t *buffer = NULL;
+	int i;
+
+	struct LOCALGROUP_INFO_0 *info0;
+	struct LOCALGROUP_INFO_1 *info1;
+
+	printf("testing NetLocalGroupEnum level %d\n", level);
+
+	do {
+		status = NetLocalGroupEnum(hostname,
+					   level,
+					   &buffer,
+					   (uint32_t)-1,
+					   &entries_read,
+					   &total_entries,
+					   &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 0:
+					info0 = (struct LOCALGROUP_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct LOCALGROUP_INFO_1 *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 0:
+						current_name = 	info0->lgrpi0_name;
+						break;
+					case 1:
+						current_name = 	info1->lgrpi1_name;
+						break;
+					default:
+						break;
+				}
+
+				if (strcasecmp(current_name, groupname) == 0) {
+					found_group = 1;
+				}
+
+				switch (level) {
+					case 0:
+						info0++;
+						break;
+					case 1:
+						info1++;
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (!found_group) {
+		printf("failed to get group\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS netapitest_localgroup(struct libnetapi_ctx *ctx,
+				     const char *hostname)
+{
+	NET_API_STATUS status = 0;
+	const char *groupname, *groupname2;
+	uint8_t *buffer = NULL;
+	struct LOCALGROUP_INFO_0 g0;
+	uint32_t parm_err = 0;
+	uint32_t levels[] = { 0, 1, 1002 };
+	uint32_t enum_levels[] = { 0, 1 };
+	int i;
+
+	printf("NetLocalgroup tests\n");
+
+	groupname = "torture_test_localgroup";
+	groupname2 = "torture_test_localgroup2";
+
+	/* cleanup */
+	NetLocalGroupDel(hostname, groupname);
+	NetLocalGroupDel(hostname, groupname2);
+
+	/* add a localgroup */
+
+	printf("testing NetLocalGroupAdd\n");
+
+	g0.lgrpi0_name = groupname;
+
+	status = NetLocalGroupAdd(hostname, 0, (uint8_t *)&g0, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetLocalGroupAdd");
+		goto out;
+	};
+
+	/* test enum */
+
+	for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
+
+		status = test_netlocalgroupenum(hostname, enum_levels[i], groupname);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetLocalGroupEnum");
+			goto out;
+		}
+	}
+
+
+	/* basic queries */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		printf("testing NetLocalGroupGetInfo level %d\n", levels[i]);
+
+		status = NetLocalGroupGetInfo(hostname, groupname, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetLocalGroupGetInfo");
+			goto out;
+		};
+	}
+
+	/* alias rename */
+
+	printf("testing NetLocalGroupSetInfo level 0\n");
+
+	g0.lgrpi0_name = groupname2;
+
+	status = NetLocalGroupSetInfo(hostname, groupname, 0, (uint8_t *)&g0, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetLocalGroupSetInfo");
+		goto out;
+	};
+
+	/* should not exist anymore */
+
+	status = NetLocalGroupDel(hostname, groupname);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetLocalGroupDel");
+		goto out;
+	};
+
+	/* query info */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+		status = NetLocalGroupGetInfo(hostname, groupname2, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetLocalGroupGetInfo");
+			goto out;
+		};
+	}
+
+	/* delete */
+
+	printf("testing NetLocalGroupDel\n");
+
+	status = NetLocalGroupDel(hostname, groupname2);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetLocalGroupDel");
+		goto out;
+	};
+
+	/* should not exist anymore */
+
+	status = NetLocalGroupGetInfo(hostname, groupname2, 0, &buffer);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetLocalGroupGetInfo");
+		goto out;
+	};
+
+	status = 0;
+
+	printf("NetLocalgroup tests succeeded\n");
+ out:
+	if (status != 0) {
+		printf("NetLocalGroup testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	return status;
+}
diff --git a/source3/lib/netapi/tests/netshare.c b/source3/lib/netapi/tests/netshare.c
new file mode 100644
index 0000000000..9446c307b3
--- /dev/null
+++ b/source3/lib/netapi/tests/netshare.c
@@ -0,0 +1,232 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetShare testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+static NET_API_STATUS test_netshareenum(const char *hostname,
+					uint32_t level,
+					const char *sharename)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	int found_share = 0;
+	const char *current_name;
+	uint8_t *buffer = NULL;
+	int i;
+
+	struct SHARE_INFO_0 *i0;
+	struct SHARE_INFO_1 *i1;
+	struct SHARE_INFO_2 *i2;
+
+	printf("testing NetShareEnum level %d\n", level);
+
+	do {
+		status = NetShareEnum(hostname,
+				      level,
+				      &buffer,
+				      (uint32_t)-1,
+				      &entries_read,
+				      &total_entries,
+				      &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 0:
+					i0 = (struct SHARE_INFO_0 *)buffer;
+					break;
+				case 1:
+					i1 = (struct SHARE_INFO_1 *)buffer;
+					break;
+				case 2:
+					i2 = (struct SHARE_INFO_2 *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 0:
+						current_name = i0->shi0_netname;
+						break;
+					case 1:
+						current_name = i1->shi1_netname;
+						break;
+					case 2:
+						current_name = i2->shi2_netname;
+						break;
+					default:
+						break;
+				}
+
+				if (strcasecmp(current_name, sharename) == 0) {
+					found_share = 1;
+				}
+
+				switch (level) {
+					case 0:
+						i0++;
+						break;
+					case 1:
+						i1++;
+						break;
+					case 2:
+						i2++;
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (!found_share) {
+		printf("failed to get share\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS netapitest_share(struct libnetapi_ctx *ctx,
+				const char *hostname)
+{
+	NET_API_STATUS status = 0;
+	const char *sharename, *comment;
+	uint8_t *buffer = NULL;
+	struct SHARE_INFO_2 i2;
+	struct SHARE_INFO_1004 i1004;
+	struct SHARE_INFO_501 *i501 = NULL;
+	uint32_t parm_err = 0;
+	uint32_t levels[] = { 0, 1, 2, 501, 1005 };
+	uint32_t enum_levels[] = { 0, 1, 2 };
+	int i;
+
+	printf("NetShare tests\n");
+
+	sharename = "torture_test_share";
+
+	/* cleanup */
+	NetShareDel(hostname, sharename, 0);
+
+	/* add a share */
+
+	printf("testing NetShareAdd\n");
+
+	ZERO_STRUCT(i2);
+
+	i2.shi2_netname = sharename;
+	i2.shi2_path = "c:\\";
+
+	status = NetShareAdd(hostname, 2, (uint8_t *)&i2, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetShareAdd");
+		goto out;
+	};
+
+	/* test enum */
+
+	for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
+
+		status = test_netshareenum(hostname, enum_levels[i], sharename);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetShareEnum");
+			goto out;
+		}
+	}
+
+	/* basic queries */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		printf("testing NetShareGetInfo level %d\n", levels[i]);
+
+		status = NetShareGetInfo(hostname, sharename, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetShareGetInfo");
+			goto out;
+		}
+	}
+
+
+	comment = "NetApi generated comment";
+
+	i1004.shi1004_remark = comment;
+
+	printf("testing NetShareSetInfo level 1004\n");
+
+	status = NetShareSetInfo(hostname, sharename, 1004, (uint8_t *)&i1004, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetShareSetInfo");
+		goto out;
+	}
+
+	status = NetShareGetInfo(hostname, sharename, 501, (uint8_t **)&i501);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetShareGetInfo");
+		goto out;
+	}
+
+	if (strcasecmp(i501->shi501_remark, comment) != 0) {
+		NETAPI_STATUS(ctx, status, "NetShareGetInfo");
+		goto out;
+	}
+
+	/* delete */
+
+	printf("testing NetShareDel\n");
+
+	status = NetShareDel(hostname, sharename, 0);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetShareDel");
+		goto out;
+	};
+
+	/* should not exist anymore */
+
+	status = NetShareGetInfo(hostname, sharename, 0, &buffer);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetShareGetInfo");
+		goto out;
+	};
+
+	status = 0;
+
+	printf("NetShare tests succeeded\n");
+ out:
+	if (status != 0) {
+		printf("NetShare testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	return status;
+}
diff --git a/source3/lib/netapi/tests/netuser.c b/source3/lib/netapi/tests/netuser.c
new file mode 100644
index 0000000000..f1622e45c4
--- /dev/null
+++ b/source3/lib/netapi/tests/netuser.c
@@ -0,0 +1,458 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetUser testsuite
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <sys/types.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netapi.h>
+
+#include "common.h"
+
+static NET_API_STATUS test_netuserenum(const char *hostname,
+				       uint32_t level,
+				       const char *username)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	uint32_t resume_handle = 0;
+	const char *current_name;
+	int found_user = 0;
+	uint8_t *buffer = NULL;
+	int i;
+
+	struct USER_INFO_0 *info0;
+	struct USER_INFO_1 *info1;
+	struct USER_INFO_2 *info2;
+	struct USER_INFO_3 *info3;
+	struct USER_INFO_4 *info4;
+	struct USER_INFO_10 *info10;
+	struct USER_INFO_11 *info11;
+	struct USER_INFO_20 *info20;
+	struct USER_INFO_23 *info23;
+
+	printf("testing NetUserEnum level %d\n", level);
+
+	do {
+		status = NetUserEnum(hostname,
+				     level,
+				     FILTER_NORMAL_ACCOUNT,
+				     &buffer,
+				     120, //(uint32_t)-1,
+				     &entries_read,
+				     &total_entries,
+				     &resume_handle);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 0:
+					info0 = (struct USER_INFO_0 *)buffer;
+					break;
+				case 1:
+					info1 = (struct USER_INFO_1 *)buffer;
+					break;
+				case 2:
+					info2 = (struct USER_INFO_2 *)buffer;
+					break;
+				case 3:
+					info3 = (struct USER_INFO_3 *)buffer;
+					break;
+				case 4:
+					info4 = (struct USER_INFO_4 *)buffer;
+					break;
+				case 10:
+					info10 = (struct USER_INFO_10 *)buffer;
+					break;
+				case 11:
+					info11 = (struct USER_INFO_11 *)buffer;
+					break;
+				case 20:
+					info20 = (struct USER_INFO_20 *)buffer;
+					break;
+				case 23:
+					info23 = (struct USER_INFO_23 *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 0:
+						current_name = info0->usri0_name;
+						break;
+					case 1:
+						current_name = info1->usri1_name;
+						break;
+					case 2:
+						current_name = info2->usri2_name;
+						break;
+					case 3:
+						current_name = info3->usri3_name;
+						break;
+					case 4:
+						current_name = info4->usri4_name;
+						break;
+					case 10:
+						current_name = info10->usri10_name;
+						break;
+					case 11:
+						current_name = info11->usri11_name;
+						break;
+					case 20:
+						current_name = info20->usri20_name;
+						break;
+					case 23:
+						current_name = info23->usri23_name;
+						break;
+					default:
+						return -1;
+				}
+
+				if (strcasecmp(current_name, username) == 0) {
+					found_user = 1;
+				}
+
+				switch (level) {
+					case 0:
+						info0++;
+						break;
+					case 1:
+						info1++;
+						break;
+					case 2:
+						info2++;
+						break;
+					case 3:
+						info3++;
+						break;
+					case 4:
+						info4++;
+						break;
+					case 10:
+						info10++;
+						break;
+					case 11:
+						info11++;
+						break;
+					case 20:
+						info20++;
+						break;
+					case 23:
+						info23++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (!found_user) {
+		printf("failed to get user\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS test_netuseradd(const char *hostname,
+			       const char *username)
+{
+	struct USER_INFO_1 u1;
+	uint32_t parm_err = 0;
+
+	ZERO_STRUCT(u1);
+
+	printf("testing NetUserAdd\n");
+
+	u1.usri1_name = username;
+	u1.usri1_password = "W297!832jD8J";
+	u1.usri1_password_age = 0;
+	u1.usri1_priv = 0;
+	u1.usri1_home_dir = NULL;
+	u1.usri1_comment = "User created using Samba NetApi Example code";
+	u1.usri1_flags = 0;
+	u1.usri1_script_path = NULL;
+
+	return NetUserAdd(hostname, 1, (uint8_t *)&u1, &parm_err);
+}
+
+static NET_API_STATUS test_netusermodals(struct libnetapi_ctx *ctx,
+					 const char *hostname)
+{
+	NET_API_STATUS status;
+	struct USER_MODALS_INFO_0 *u0 = NULL;
+	struct USER_MODALS_INFO_0 *_u0 = NULL;
+	uint8_t *buffer = NULL;
+	uint32_t parm_err = 0;
+	uint32_t levels[] = { 0, 1, 2, 3 };
+	int i = 0;
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		printf("testing NetUserModalsGet level %d\n", levels[i]);
+
+		status = NetUserModalsGet(hostname, levels[i], &buffer);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetUserModalsGet");
+			return status;
+		}
+	}
+
+	status = NetUserModalsGet(hostname, 0, (uint8_t **)&u0);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserModalsGet");
+		return status;
+	}
+
+	printf("testing NetUserModalsSet\n");
+
+	status = NetUserModalsSet(hostname, 0, (uint8_t *)u0, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserModalsSet");
+		return status;
+	}
+
+	status = NetUserModalsGet(hostname, 0, (uint8_t **)&_u0);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserModalsGet");
+		return status;
+	}
+
+	if (memcmp(u0, _u0, sizeof(u0) != 0)) {
+		printf("USER_MODALS_INFO_0 struct has changed!!!!\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+static NET_API_STATUS test_netusergetgroups(const char *hostname,
+					    uint32_t level,
+					    const char *username,
+					    const char *groupname)
+{
+	NET_API_STATUS status;
+	uint32_t entries_read = 0;
+	uint32_t total_entries = 0;
+	const char *current_name;
+	int found_group = 0;
+	uint8_t *buffer = NULL;
+	int i;
+
+	struct GROUP_USERS_INFO_0 *i0;
+	struct GROUP_USERS_INFO_1 *i1;
+
+	printf("testing NetUserGetGroups level %d\n", level);
+
+	do {
+		status = NetUserGetGroups(hostname,
+					  username,
+					  level,
+					  &buffer,
+					  120, //(uint32_t)-1,
+					  &entries_read,
+					  &total_entries);
+		if (status == 0 || status == ERROR_MORE_DATA) {
+			switch (level) {
+				case 0:
+					i0 = (struct GROUP_USERS_INFO_0 *)buffer;
+					break;
+				case 1:
+					i1 = (struct GROUP_USERS_INFO_1 *)buffer;
+					break;
+				default:
+					return -1;
+			}
+
+			for (i=0; i<entries_read; i++) {
+
+				switch (level) {
+					case 0:
+						current_name = i0->grui0_name;
+						break;
+					case 1:
+						current_name = i1->grui1_name;
+						break;
+					default:
+						return -1;
+				}
+
+				if (groupname && strcasecmp(current_name, groupname) == 0) {
+					found_group = 1;
+				}
+
+				switch (level) {
+					case 0:
+						i0++;
+						break;
+					case 1:
+						i1++;
+						break;
+					default:
+						break;
+				}
+			}
+			NetApiBufferFree(buffer);
+		}
+	} while (status == ERROR_MORE_DATA);
+
+	if (status) {
+		return status;
+	}
+
+	if (groupname && !found_group) {
+		printf("failed to get membership\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+NET_API_STATUS netapitest_user(struct libnetapi_ctx *ctx,
+			       const char *hostname)
+{
+	NET_API_STATUS status = 0;
+	const char *username, *username2;
+	uint8_t *buffer = NULL;
+	uint32_t levels[] = { 0, 1, 2, 3, 4, 10, 11, 20, 23 };
+	uint32_t enum_levels[] = { 0, 1, 2, 3, 4, 10, 11, 20, 23 };
+	uint32_t getgr_levels[] = { 0, 1 };
+	int i;
+
+	struct USER_INFO_1007 u1007;
+	uint32_t parm_err = 0;
+
+	printf("NetUser tests\n");
+
+	username = "torture_test_user";
+	username2 = "torture_test_user2";
+
+	/* cleanup */
+	NetUserDel(hostname, username);
+	NetUserDel(hostname, username2);
+
+	/* add a user */
+
+	status = test_netuseradd(hostname, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserAdd");
+		goto out;
+	}
+
+	/* enum the new user */
+
+	for (i=0; i<ARRAY_SIZE(enum_levels); i++) {
+
+		status = test_netuserenum(hostname, enum_levels[i], username);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetUserEnum");
+			goto out;
+		}
+	}
+
+	/* basic queries */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+
+		printf("testing NetUserGetInfo level %d\n", levels[i]);
+
+		status = NetUserGetInfo(hostname, username, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetUserGetInfo");
+			goto out;
+		}
+	}
+
+	/* testing getgroups */
+
+	for (i=0; i<ARRAY_SIZE(getgr_levels); i++) {
+
+		status = test_netusergetgroups(hostname, getgr_levels[i], username, NULL);
+		if (status) {
+			NETAPI_STATUS(ctx, status, "NetUserGetGroups");
+			goto out;
+		}
+	}
+
+	/* modify description */
+
+	printf("testing NetUserSetInfo level %d\n", 1007);
+
+	u1007.usri1007_comment = "NetApi modified user";
+
+	status = NetUserSetInfo(hostname, username, 1007, (uint8_t *)&u1007, &parm_err);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserSetInfo");
+		goto out;
+	}
+
+	/* query info */
+
+	for (i=0; i<ARRAY_SIZE(levels); i++) {
+		status = NetUserGetInfo(hostname, username, levels[i], &buffer);
+		if (status && status != 124) {
+			NETAPI_STATUS(ctx, status, "NetUserGetInfo");
+			goto out;
+		}
+	}
+
+	/* delete */
+
+	printf("testing NetUserDel\n");
+
+	status = NetUserDel(hostname, username);
+	if (status) {
+		NETAPI_STATUS(ctx, status, "NetUserDel");
+		goto out;
+	}
+
+	/* should not exist anymore */
+
+	status = NetUserGetInfo(hostname, username, 0, &buffer);
+	if (status == 0) {
+		NETAPI_STATUS(ctx, status, "NetUserGetInfo");
+		goto out;
+	}
+
+	status = test_netusermodals(ctx, hostname);
+	if (status) {
+		goto out;
+	}
+
+	status = 0;
+
+	printf("NetUser tests succeeded\n");
+ out:
+	if (status != 0) {
+		printf("NetUser testsuite failed with: %s\n",
+			libnetapi_get_error_string(ctx, status));
+	}
+
+	return status;
+}
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
new file mode 100644
index 0000000000..7d0c47f331
--- /dev/null
+++ b/source3/lib/netapi/user.c
@@ -0,0 +1,3440 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  NetApi User Support
+ *  Copyright (C) Guenther Deschner 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#include "librpc/gen_ndr/libnetapi.h"
+#include "lib/netapi/netapi.h"
+#include "lib/netapi/netapi_private.h"
+#include "lib/netapi/libnetapi.h"
+
+/****************************************************************
+****************************************************************/
+
+static void convert_USER_INFO_X_to_samr_user_info21(struct USER_INFO_X *infoX,
+						    struct samr_UserInfo21 *info21)
+{
+	uint32_t fields_present = 0;
+	struct samr_LogonHours zero_logon_hours;
+	struct lsa_BinaryString zero_parameters;
+	NTTIME password_age;
+
+	ZERO_STRUCTP(info21);
+	ZERO_STRUCT(zero_logon_hours);
+	ZERO_STRUCT(zero_parameters);
+
+	if (infoX->usriX_flags) {
+		fields_present |= SAMR_FIELD_ACCT_FLAGS;
+	}
+	if (infoX->usriX_name) {
+		fields_present |= SAMR_FIELD_ACCOUNT_NAME;
+	}
+	if (infoX->usriX_password) {
+		fields_present |= SAMR_FIELD_PASSWORD;
+	}
+	if (infoX->usriX_flags) {
+		fields_present |= SAMR_FIELD_ACCT_FLAGS;
+	}
+	if (infoX->usriX_name) {
+		fields_present |= SAMR_FIELD_FULL_NAME;
+	}
+	if (infoX->usriX_home_dir) {
+		fields_present |= SAMR_FIELD_HOME_DIRECTORY;
+	}
+	if (infoX->usriX_script_path) {
+		fields_present |= SAMR_FIELD_LOGON_SCRIPT;
+	}
+	if (infoX->usriX_comment) {
+		fields_present |= SAMR_FIELD_DESCRIPTION;
+	}
+	if (infoX->usriX_password_age) {
+		fields_present |= SAMR_FIELD_FORCE_PWD_CHANGE;
+	}
+	if (infoX->usriX_full_name) {
+		fields_present |= SAMR_FIELD_FULL_NAME;
+	}
+	if (infoX->usriX_usr_comment) {
+		fields_present |= SAMR_FIELD_COMMENT;
+	}
+	if (infoX->usriX_profile) {
+		fields_present |= SAMR_FIELD_PROFILE_PATH;
+	}
+	if (infoX->usriX_home_dir_drive) {
+		fields_present |= SAMR_FIELD_HOME_DRIVE;
+	}
+	if (infoX->usriX_primary_group_id) {
+		fields_present |= SAMR_FIELD_PRIMARY_GID;
+	}
+	if (infoX->usriX_country_code) {
+		fields_present |= SAMR_FIELD_COUNTRY_CODE;
+	}
+	if (infoX->usriX_workstations) {
+		fields_present |= SAMR_FIELD_WORKSTATIONS;
+	}
+
+	unix_to_nt_time_abs(&password_age, infoX->usriX_password_age);
+
+	/* TODO: infoX->usriX_priv */
+	init_samr_user_info21(info21,
+			      0,
+			      0,
+			      0,
+			      0,
+			      0,
+			      password_age,
+			      infoX->usriX_name,
+			      infoX->usriX_full_name,
+			      infoX->usriX_home_dir,
+			      infoX->usriX_home_dir_drive,
+			      infoX->usriX_script_path,
+			      infoX->usriX_profile,
+			      infoX->usriX_comment,
+			      infoX->usriX_workstations,
+			      infoX->usriX_usr_comment,
+			      &zero_parameters,
+			      0,
+			      infoX->usriX_primary_group_id,
+			      infoX->usriX_flags,
+			      fields_present,
+			      zero_logon_hours,
+			      0,
+			      0,
+			      infoX->usriX_country_code,
+			      0,
+			      0,
+			      0,
+			      0);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS construct_USER_INFO_X(uint32_t level,
+				      uint8_t *buffer,
+				      struct USER_INFO_X *uX)
+{
+	struct USER_INFO_0 *u0 = NULL;
+	struct USER_INFO_1 *u1 = NULL;
+	struct USER_INFO_2 *u2 = NULL;
+	struct USER_INFO_1003 *u1003 = NULL;
+	struct USER_INFO_1006 *u1006 = NULL;
+	struct USER_INFO_1007 *u1007 = NULL;
+	struct USER_INFO_1009 *u1009 = NULL;
+	struct USER_INFO_1011 *u1011 = NULL;
+	struct USER_INFO_1012 *u1012 = NULL;
+	struct USER_INFO_1014 *u1014 = NULL;
+	struct USER_INFO_1024 *u1024 = NULL;
+	struct USER_INFO_1051 *u1051 = NULL;
+	struct USER_INFO_1052 *u1052 = NULL;
+	struct USER_INFO_1053 *u1053 = NULL;
+
+	if (!buffer || !uX) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	ZERO_STRUCTP(uX);
+
+	switch (level) {
+		case 0:
+			u0 = (struct USER_INFO_0 *)buffer;
+			uX->usriX_name		= u0->usri0_name;
+			break;
+		case 1:
+			u1 = (struct USER_INFO_1 *)buffer;
+			uX->usriX_name		= u1->usri1_name;
+			uX->usriX_password	= u1->usri1_password;
+			uX->usriX_password_age	= u1->usri1_password_age;
+			uX->usriX_priv		= u1->usri1_priv;
+			uX->usriX_home_dir	= u1->usri1_home_dir;
+			uX->usriX_comment	= u1->usri1_comment;
+			uX->usriX_flags		= u1->usri1_flags;
+			uX->usriX_script_path	= u1->usri1_script_path;
+			break;
+		case 2:
+			u2 = (struct USER_INFO_2 *)buffer;
+			uX->usriX_name		= u2->usri2_name;
+			uX->usriX_password	= u2->usri2_password;
+			uX->usriX_password_age	= u2->usri2_password_age;
+			uX->usriX_priv		= u2->usri2_priv;
+			uX->usriX_home_dir	= u2->usri2_home_dir;
+			uX->usriX_comment	= u2->usri2_comment;
+			uX->usriX_flags		= u2->usri2_flags;
+			uX->usriX_script_path	= u2->usri2_script_path;
+			uX->usriX_auth_flags	= u2->usri2_auth_flags;
+			uX->usriX_full_name	= u2->usri2_full_name;
+			uX->usriX_usr_comment	= u2->usri2_usr_comment;
+			uX->usriX_parms		= u2->usri2_parms;
+			uX->usriX_workstations	= u2->usri2_workstations;
+			uX->usriX_last_logon	= u2->usri2_last_logon;
+			uX->usriX_last_logoff	= u2->usri2_last_logoff;
+			uX->usriX_acct_expires	= u2->usri2_acct_expires;
+			uX->usriX_max_storage	= u2->usri2_max_storage;
+			uX->usriX_units_per_week= u2->usri2_units_per_week;
+			uX->usriX_logon_hours	= u2->usri2_logon_hours;
+			uX->usriX_bad_pw_count	= u2->usri2_bad_pw_count;
+			uX->usriX_num_logons	= u2->usri2_num_logons;
+			uX->usriX_logon_server	= u2->usri2_logon_server;
+			uX->usriX_country_code	= u2->usri2_country_code;
+			uX->usriX_code_page	= u2->usri2_code_page;
+			break;
+		case 1003:
+			u1003 = (struct USER_INFO_1003 *)buffer;
+			uX->usriX_password	= u1003->usri1003_password;
+			break;
+		case 1006:
+			u1006 = (struct USER_INFO_1006 *)buffer;
+			uX->usriX_home_dir	= u1006->usri1006_home_dir;
+			break;
+		case 1007:
+			u1007 = (struct USER_INFO_1007 *)buffer;
+			uX->usriX_comment	= u1007->usri1007_comment;
+			break;
+		case 1009:
+			u1009 = (struct USER_INFO_1009 *)buffer;
+			uX->usriX_script_path	= u1009->usri1009_script_path;
+			break;
+		case 1011:
+			u1011 = (struct USER_INFO_1011 *)buffer;
+			uX->usriX_full_name	= u1011->usri1011_full_name;
+			break;
+		case 1012:
+			u1012 = (struct USER_INFO_1012 *)buffer;
+			uX->usriX_usr_comment	= u1012->usri1012_usr_comment;
+			break;
+		case 1014:
+			u1014 = (struct USER_INFO_1014 *)buffer;
+			uX->usriX_workstations	= u1014->usri1014_workstations;
+			break;
+		case 1024:
+			u1024 = (struct USER_INFO_1024 *)buffer;
+			uX->usriX_country_code	= u1024->usri1024_country_code;
+			break;
+		case 1051:
+			u1051 = (struct USER_INFO_1051 *)buffer;
+			uX->usriX_primary_group_id = u1051->usri1051_primary_group_id;
+			break;
+		case 1052:
+			u1052 = (struct USER_INFO_1052 *)buffer;
+			uX->usriX_profile	= u1052->usri1052_profile;
+			break;
+		case 1053:
+			u1053 = (struct USER_INFO_1053 *)buffer;
+			uX->usriX_home_dir_drive = u1053->usri1053_home_dir_drive;
+			break;
+		case 3:
+		case 4:
+		default:
+			return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
+					  struct rpc_pipe_client *pipe_cli,
+					  DATA_BLOB *session_key,
+					  struct policy_handle *user_handle,
+					  struct USER_INFO_X *uX)
+{
+	union samr_UserInfo user_info;
+	struct samr_UserInfo21 info21;
+	NTSTATUS status;
+
+	if (!uX) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	convert_USER_INFO_X_to_samr_user_info21(uX, &info21);
+
+	ZERO_STRUCT(user_info);
+
+	if (uX->usriX_password) {
+
+		user_info.info25.info = info21;
+
+		init_samr_CryptPasswordEx(uX->usriX_password,
+					  session_key,
+					  &user_info.info25.password);
+
+		status = rpccli_samr_SetUserInfo2(pipe_cli, ctx,
+						  user_handle,
+						  25,
+						  &user_info);
+
+		if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+
+			user_info.info23.info = info21;
+
+			init_samr_CryptPassword(uX->usriX_password,
+						session_key,
+						&user_info.info23.password);
+
+			status = rpccli_samr_SetUserInfo2(pipe_cli, ctx,
+							  user_handle,
+							  23,
+							  &user_info);
+		}
+	} else {
+
+		user_info.info21 = info21;
+
+		status = rpccli_samr_SetUserInfo(pipe_cli, ctx,
+						 user_handle,
+						 21,
+						 &user_info);
+	}
+
+	return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
+		    struct NetUserAdd *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, domain_handle, user_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	union samr_UserInfo *user_info = NULL;
+	struct samr_PwInfo pw_info;
+	uint32_t access_granted = 0;
+	uint32_t rid = 0;
+	struct USER_INFO_X uX;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(user_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 1:
+			break;
+		case 2:
+		case 3:
+		case 4:
+		default:
+			werr = WERR_NOT_SUPPORTED;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = construct_USER_INFO_X(r->in.level, r->in.buffer, &uX);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+					  SAMR_DOMAIN_ACCESS_CREATE_USER |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, uX.usriX_name);
+
+	status = rpccli_samr_CreateUser2(pipe_cli, ctx,
+					 &domain_handle,
+					 &lsa_account_name,
+					 ACB_NORMAL,
+					 SEC_STD_WRITE_DAC |
+					 SEC_STD_DELETE |
+					 SAMR_USER_ACCESS_SET_PASSWORD |
+					 SAMR_USER_ACCESS_SET_ATTRIBUTES |
+					 SAMR_USER_ACCESS_GET_ATTRIBUTES,
+					 &user_handle,
+					 &access_granted,
+					 &rid);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_QueryUserInfo(pipe_cli, ctx,
+					   &user_handle,
+					   16,
+					   &user_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (!(user_info->info16.acct_flags & ACB_NORMAL)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	status = rpccli_samr_GetUserPwInfo(pipe_cli, ctx,
+					   &user_handle,
+					   &pw_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	uX.usriX_flags |= ACB_NORMAL;
+
+	status = set_user_info_USER_INFO_X(ctx, pipe_cli,
+					   &cli->user_session_key,
+					   &user_handle,
+					   &uX);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto failed;
+	}
+
+	werr = WERR_OK;
+	goto done;
+
+ failed:
+	rpccli_samr_DeleteUser(pipe_cli, ctx,
+			       &user_handle);
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&user_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserAdd_l(struct libnetapi_ctx *ctx,
+		    struct NetUserAdd *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserAdd);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
+		    struct NetUserDel *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+	POLICY_HND connect_handle, builtin_handle, domain_handle, user_handle;
+	struct lsa_String lsa_account_name;
+	struct samr_Ids user_rids, name_types;
+	struct dom_sid2 *domain_sid = NULL;
+	struct dom_sid2 user_sid;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(user_handle);
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_samr_OpenDomain(pipe_cli, ctx,
+					&connect_handle,
+					SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					CONST_DISCARD(DOM_SID *, &global_sid_Builtin),
+					&builtin_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, ctx,
+				      &domain_handle,
+				      STD_RIGHT_DELETE_ACCESS,
+				      user_rids.ids[0],
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	sid_compose(&user_sid, domain_sid, user_rids.ids[0]);
+
+	status = rpccli_samr_RemoveMemberFromForeignDomain(pipe_cli, ctx,
+							   &builtin_handle,
+							   &user_sid);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_DeleteUser(pipe_cli, ctx,
+					&user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&user_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserDel_l(struct libnetapi_ctx *ctx,
+		    struct NetUserDel *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserDel);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS libnetapi_samr_lookup_user(TALLOC_CTX *mem_ctx,
+					   struct rpc_pipe_client *pipe_cli,
+					   struct policy_handle *domain_handle,
+					   struct policy_handle *builtin_handle,
+					   const char *user_name,
+					   const struct dom_sid *domain_sid,
+					   uint32_t rid,
+					   uint32_t level,
+					   struct samr_UserInfo21 **info21,
+					   struct sec_desc_buf **sec_desc,
+					   uint32_t *auth_flag_p)
+{
+	NTSTATUS status;
+
+	struct policy_handle user_handle;
+	union samr_UserInfo *user_info = NULL;
+	struct samr_RidWithAttributeArray *rid_array = NULL;
+	uint32_t access_mask = SEC_STD_READ_CONTROL |
+			       SAMR_USER_ACCESS_GET_ATTRIBUTES |
+			       SAMR_USER_ACCESS_GET_NAME_ETC;
+
+	ZERO_STRUCT(user_handle);
+
+	switch (level) {
+		case 0:
+			break;
+		case 1:
+			access_mask |= SAMR_USER_ACCESS_GET_LOGONINFO |
+				       SAMR_USER_ACCESS_GET_GROUPS;
+			break;
+		case 2:
+		case 3:
+		case 4:
+		case 11:
+			access_mask |= SAMR_USER_ACCESS_GET_LOGONINFO |
+				       SAMR_USER_ACCESS_GET_GROUPS |
+				       SAMR_USER_ACCESS_GET_LOCALE;
+			break;
+		case 10:
+		case 20:
+		case 23:
+			break;
+		default:
+			return NT_STATUS_INVALID_LEVEL;
+	}
+
+	if (level == 0) {
+		return NT_STATUS_OK;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, mem_ctx,
+				      domain_handle,
+				      access_mask,
+				      rid,
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QueryUserInfo(pipe_cli, mem_ctx,
+					   &user_handle,
+					   21,
+					   &user_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QuerySecurity(pipe_cli, mem_ctx,
+					   &user_handle,
+					   SECINFO_DACL,
+					   sec_desc);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	if (access_mask & SAMR_USER_ACCESS_GET_GROUPS) {
+
+		struct lsa_SidArray sid_array;
+		struct samr_Ids alias_rids;
+		int i;
+		uint32_t auth_flag = 0;
+		struct dom_sid sid;
+
+		status = rpccli_samr_GetGroupsForUser(pipe_cli, mem_ctx,
+						      &user_handle,
+						      &rid_array);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+
+		sid_array.num_sids = rid_array->count + 1;
+		sid_array.sids = talloc_array(mem_ctx, struct lsa_SidPtr,
+					      sid_array.num_sids);
+		NT_STATUS_HAVE_NO_MEMORY(sid_array.sids);
+
+		for (i=0; i<rid_array->count; i++) {
+			sid_compose(&sid, domain_sid, rid_array->rids[i].rid);
+			sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
+			NT_STATUS_HAVE_NO_MEMORY(sid_array.sids[i].sid);
+		}
+
+		sid_compose(&sid, domain_sid, rid);
+		sid_array.sids[i].sid = sid_dup_talloc(mem_ctx, &sid);
+		NT_STATUS_HAVE_NO_MEMORY(sid_array.sids[i].sid);
+
+		status = rpccli_samr_GetAliasMembership(pipe_cli, mem_ctx,
+							builtin_handle,
+							&sid_array,
+							&alias_rids);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+
+		for (i=0; i<alias_rids.count; i++) {
+			switch (alias_rids.ids[i]) {
+				case 550: /* Print Operators */
+					auth_flag |= AF_OP_PRINT;
+					break;
+				case 549: /* Server Operators */
+					auth_flag |= AF_OP_SERVER;
+					break;
+				case 548: /* Account Operators */
+					auth_flag |= AF_OP_ACCOUNTS;
+					break;
+				default:
+					break;
+			}
+		}
+
+		if (auth_flag_p) {
+			*auth_flag_p = auth_flag;
+		}
+	}
+
+	*info21 = &user_info->info21;
+
+ done:
+	if (is_valid_policy_hnd(&user_handle)) {
+		rpccli_samr_Close(pipe_cli, mem_ctx, &user_handle);
+	}
+
+	return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+static uint32_t samr_rid_to_priv_level(uint32_t rid)
+{
+	switch (rid) {
+		case DOMAIN_RID_ADMINISTRATOR:
+			return USER_PRIV_ADMIN;
+		case DOMAIN_RID_GUEST:
+			return USER_PRIV_GUEST;
+		default:
+			return USER_PRIV_USER;
+	}
+}
+
+/****************************************************************
+****************************************************************/
+
+static uint32_t samr_acb_flags_to_netapi_flags(uint32_t acb)
+{
+	uint32_t fl = UF_SCRIPT; /* god knows why */
+
+	fl |= ads_acb2uf(acb);
+
+	return fl;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_1(TALLOC_CTX *mem_ctx,
+				      const struct samr_UserInfo21 *i21,
+				      struct USER_INFO_1 *i)
+{
+	ZERO_STRUCTP(i);
+	i->usri1_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri1_name);
+	i->usri1_password	= NULL;
+	i->usri1_password_age	= time(NULL) - nt_time_to_unix(i21->last_password_change);
+	i->usri1_priv		= samr_rid_to_priv_level(i21->rid);
+	i->usri1_home_dir	= talloc_strdup(mem_ctx, i21->home_directory.string);
+	i->usri1_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri1_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	i->usri1_script_path	= talloc_strdup(mem_ctx, i21->logon_script.string);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_2(TALLOC_CTX *mem_ctx,
+				      const struct samr_UserInfo21 *i21,
+				      uint32_t auth_flag,
+				      struct USER_INFO_2 *i)
+{
+	ZERO_STRUCTP(i);
+
+	i->usri2_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri2_name);
+	i->usri2_password	= NULL;
+	i->usri2_password_age	= time(NULL) - nt_time_to_unix(i21->last_password_change);
+	i->usri2_priv		= samr_rid_to_priv_level(i21->rid);
+	i->usri2_home_dir	= talloc_strdup(mem_ctx, i21->home_directory.string);
+	i->usri2_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri2_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	i->usri2_script_path	= talloc_strdup(mem_ctx, i21->logon_script.string);
+	i->usri2_auth_flags	= auth_flag;
+	i->usri2_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri2_usr_comment	= talloc_strdup(mem_ctx, i21->comment.string);
+	i->usri2_parms		= talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+	i->usri2_workstations	= talloc_strdup(mem_ctx, i21->workstations.string);
+	i->usri2_last_logon	= nt_time_to_unix(i21->last_logon);
+	i->usri2_last_logoff	= nt_time_to_unix(i21->last_logoff);
+	i->usri2_acct_expires	= nt_time_to_unix(i21->acct_expiry);
+	i->usri2_max_storage	= USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+	i->usri2_units_per_week	= i21->logon_hours.units_per_week;
+	i->usri2_logon_hours	= (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+	i->usri2_bad_pw_count	= i21->bad_password_count;
+	i->usri2_num_logons	= i21->logon_count;
+	i->usri2_logon_server	= talloc_strdup(mem_ctx, "\\\\*");
+	i->usri2_country_code	= i21->country_code;
+	i->usri2_code_page	= i21->code_page;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_3(TALLOC_CTX *mem_ctx,
+				      const struct samr_UserInfo21 *i21,
+				      uint32_t auth_flag,
+				      struct USER_INFO_3 *i)
+{
+	ZERO_STRUCTP(i);
+
+	i->usri3_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri3_name);
+	i->usri3_password_age	= time(NULL) - nt_time_to_unix(i21->last_password_change);
+	i->usri3_priv		= samr_rid_to_priv_level(i21->rid);
+	i->usri3_home_dir	= talloc_strdup(mem_ctx, i21->home_directory.string);
+	i->usri3_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri3_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	i->usri3_script_path	= talloc_strdup(mem_ctx, i21->logon_script.string);
+	i->usri3_auth_flags	= auth_flag;
+	i->usri3_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri3_usr_comment	= talloc_strdup(mem_ctx, i21->comment.string);
+	i->usri3_parms		= talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+	i->usri3_workstations	= talloc_strdup(mem_ctx, i21->workstations.string);
+	i->usri3_last_logon	= nt_time_to_unix(i21->last_logon);
+	i->usri3_last_logoff	= nt_time_to_unix(i21->last_logoff);
+	i->usri3_acct_expires	= nt_time_to_unix(i21->acct_expiry);
+	i->usri3_max_storage	= USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+	i->usri3_units_per_week	= i21->logon_hours.units_per_week;
+	i->usri3_logon_hours	= (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+	i->usri3_bad_pw_count	= i21->bad_password_count;
+	i->usri3_num_logons	= i21->logon_count;
+	i->usri3_logon_server	= talloc_strdup(mem_ctx, "\\\\*");
+	i->usri3_country_code	= i21->country_code;
+	i->usri3_code_page	= i21->code_page;
+	i->usri3_user_id	= i21->rid;
+	i->usri3_primary_group_id = i21->primary_gid;
+	i->usri3_profile	= talloc_strdup(mem_ctx, i21->profile_path.string);
+	i->usri3_home_dir_drive	= talloc_strdup(mem_ctx, i21->home_drive.string);
+	i->usri3_password_expired = i21->password_expired;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_4(TALLOC_CTX *mem_ctx,
+				      const struct samr_UserInfo21 *i21,
+				      uint32_t auth_flag,
+				      struct dom_sid *domain_sid,
+				      struct USER_INFO_4 *i)
+{
+	struct dom_sid sid;
+
+	ZERO_STRUCTP(i);
+
+	i->usri4_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri4_name);
+	i->usri4_password_age	= time(NULL) - nt_time_to_unix(i21->last_password_change);
+	i->usri4_password	= NULL;
+	i->usri4_priv		= samr_rid_to_priv_level(i21->rid);
+	i->usri4_home_dir	= talloc_strdup(mem_ctx, i21->home_directory.string);
+	i->usri4_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri4_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	i->usri4_script_path	= talloc_strdup(mem_ctx, i21->logon_script.string);
+	i->usri4_auth_flags	= auth_flag;
+	i->usri4_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri4_usr_comment	= talloc_strdup(mem_ctx, i21->comment.string);
+	i->usri4_parms		= talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+	i->usri4_workstations	= talloc_strdup(mem_ctx, i21->workstations.string);
+	i->usri4_last_logon	= nt_time_to_unix(i21->last_logon);
+	i->usri4_last_logoff	= nt_time_to_unix(i21->last_logoff);
+	i->usri4_acct_expires	= nt_time_to_unix(i21->acct_expiry);
+	i->usri4_max_storage	= USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+	i->usri4_units_per_week	= i21->logon_hours.units_per_week;
+	i->usri4_logon_hours	= (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+	i->usri4_bad_pw_count	= i21->bad_password_count;
+	i->usri4_num_logons	= i21->logon_count;
+	i->usri4_logon_server	= talloc_strdup(mem_ctx, "\\\\*");
+	i->usri4_country_code	= i21->country_code;
+	i->usri4_code_page	= i21->code_page;
+	if (!sid_compose(&sid, domain_sid, i21->rid)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	i->usri4_user_sid	= (struct domsid *)sid_dup_talloc(mem_ctx, &sid);
+	i->usri4_primary_group_id = i21->primary_gid;
+	i->usri4_profile	= talloc_strdup(mem_ctx, i21->profile_path.string);
+	i->usri4_home_dir_drive	= talloc_strdup(mem_ctx, i21->home_drive.string);
+	i->usri4_password_expired = i21->password_expired;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_10(TALLOC_CTX *mem_ctx,
+				       const struct samr_UserInfo21 *i21,
+				       struct USER_INFO_10 *i)
+{
+	ZERO_STRUCTP(i);
+
+	i->usri10_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri10_name);
+	i->usri10_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri10_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri10_usr_comment	= talloc_strdup(mem_ctx, i21->comment.string);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_11(TALLOC_CTX *mem_ctx,
+				       const struct samr_UserInfo21 *i21,
+				       uint32_t auth_flag,
+				       struct USER_INFO_11 *i)
+{
+	ZERO_STRUCTP(i);
+
+	i->usri11_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri11_name);
+	i->usri11_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri11_usr_comment	= talloc_strdup(mem_ctx, i21->comment.string);
+	i->usri11_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri11_priv		= samr_rid_to_priv_level(i21->rid);
+	i->usri11_auth_flags	= auth_flag;
+	i->usri11_password_age	= time(NULL) - nt_time_to_unix(i21->last_password_change);
+	i->usri11_home_dir	= talloc_strdup(mem_ctx, i21->home_directory.string);
+	i->usri11_parms		= talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+	i->usri11_last_logon	= nt_time_to_unix(i21->last_logon);
+	i->usri11_last_logoff	= nt_time_to_unix(i21->last_logoff);
+	i->usri11_bad_pw_count	= i21->bad_password_count;
+	i->usri11_num_logons	= i21->logon_count;
+	i->usri11_logon_server	= talloc_strdup(mem_ctx, "\\\\*");
+	i->usri11_country_code	= i21->country_code;
+	i->usri11_workstations	= talloc_strdup(mem_ctx, i21->workstations.string);
+	i->usri11_max_storage	= USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+	i->usri11_units_per_week = i21->logon_hours.units_per_week;
+	i->usri11_logon_hours	= (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+	i->usri11_code_page	= i21->code_page;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_20(TALLOC_CTX *mem_ctx,
+				       const struct samr_UserInfo21 *i21,
+				       struct USER_INFO_20 *i)
+{
+	ZERO_STRUCTP(i);
+
+	i->usri20_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri20_name);
+	i->usri20_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri20_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri20_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	i->usri20_user_id	= i21->rid;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_23(TALLOC_CTX *mem_ctx,
+				       const struct samr_UserInfo21 *i21,
+				       struct dom_sid *domain_sid,
+				       struct USER_INFO_23 *i)
+{
+	struct dom_sid sid;
+
+	ZERO_STRUCTP(i);
+
+	i->usri23_name		= talloc_strdup(mem_ctx, i21->account_name.string);
+	NT_STATUS_HAVE_NO_MEMORY(i->usri23_name);
+	i->usri23_comment	= talloc_strdup(mem_ctx, i21->description.string);
+	i->usri23_full_name	= talloc_strdup(mem_ctx, i21->full_name.string);
+	i->usri23_flags		= samr_acb_flags_to_netapi_flags(i21->acct_flags);
+	if (!sid_compose(&sid, domain_sid, i21->rid)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	i->usri23_user_sid	= (struct domsid *)sid_dup_talloc(mem_ctx, &sid);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
+							 struct rpc_pipe_client *pipe_cli,
+							 struct dom_sid *domain_sid,
+							 struct policy_handle *domain_handle,
+							 struct policy_handle *builtin_handle,
+							 const char *user_name,
+							 uint32_t rid,
+							 uint32_t level,
+							 uint8_t **buffer,
+							 uint32_t *num_entries)
+{
+	NTSTATUS status;
+
+	struct samr_UserInfo21 *info21 = NULL;
+	struct sec_desc_buf *sec_desc = NULL;
+	uint32_t auth_flag = 0;
+
+	struct USER_INFO_0 info0;
+	struct USER_INFO_1 info1;
+	struct USER_INFO_2 info2;
+	struct USER_INFO_3 info3;
+	struct USER_INFO_4 info4;
+	struct USER_INFO_10 info10;
+	struct USER_INFO_11 info11;
+	struct USER_INFO_20 info20;
+	struct USER_INFO_23 info23;
+
+	switch (level) {
+		case 0:
+		case 1:
+		case 2:
+		case 3:
+		case 4:
+		case 10:
+		case 11:
+		case 20:
+		case 23:
+			break;
+		default:
+			return NT_STATUS_INVALID_LEVEL;
+	}
+
+	if (level == 0) {
+		info0.usri0_name = talloc_strdup(mem_ctx, user_name);
+		NT_STATUS_HAVE_NO_MEMORY(info0.usri0_name);
+
+		ADD_TO_ARRAY(mem_ctx, struct USER_INFO_0, info0,
+			     (struct USER_INFO_0 **)buffer, num_entries);
+
+		return NT_STATUS_OK;
+	}
+
+	status = libnetapi_samr_lookup_user(mem_ctx, pipe_cli,
+					    domain_handle,
+					    builtin_handle,
+					    user_name,
+					    domain_sid,
+					    rid,
+					    level,
+					    &info21,
+					    &sec_desc,
+					    &auth_flag);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+
+	switch (level) {
+		case 0:
+			/* already returned above */
+			break;
+		case 1:
+			status = info21_to_USER_INFO_1(mem_ctx, info21, &info1);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_1, info1,
+				     (struct USER_INFO_1 **)buffer, num_entries);
+
+			break;
+		case 2:
+			status = info21_to_USER_INFO_2(mem_ctx, info21, auth_flag, &info2);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_2, info2,
+				     (struct USER_INFO_2 **)buffer, num_entries);
+
+			break;
+		case 3:
+			status = info21_to_USER_INFO_3(mem_ctx, info21, auth_flag, &info3);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_3, info3,
+				     (struct USER_INFO_3 **)buffer, num_entries);
+
+			break;
+		case 4:
+			status = info21_to_USER_INFO_4(mem_ctx, info21, auth_flag, domain_sid, &info4);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_4, info4,
+				     (struct USER_INFO_4 **)buffer, num_entries);
+
+			break;
+		case 10:
+			status = info21_to_USER_INFO_10(mem_ctx, info21, &info10);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_10, info10,
+				     (struct USER_INFO_10 **)buffer, num_entries);
+
+			break;
+		case 11:
+			status = info21_to_USER_INFO_11(mem_ctx, info21, auth_flag, &info11);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_11, info11,
+				     (struct USER_INFO_11 **)buffer, num_entries);
+
+			break;
+		case 20:
+			status = info21_to_USER_INFO_20(mem_ctx, info21, &info20);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_20, info20,
+				     (struct USER_INFO_20 **)buffer, num_entries);
+
+			break;
+		case 23:
+			status = info21_to_USER_INFO_23(mem_ctx, info21, domain_sid, &info23);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			ADD_TO_ARRAY(mem_ctx, struct USER_INFO_23, info23,
+				     (struct USER_INFO_23 **)buffer, num_entries);
+			break;
+		default:
+			return NT_STATUS_INVALID_LEVEL;
+	}
+
+ done:
+	return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
+		     struct NetUserEnum *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	struct policy_handle domain_handle, builtin_handle;
+	struct samr_SamArray *sam = NULL;
+	uint32_t filter = ACB_NORMAL;
+	int i;
+	uint32_t entries_read = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(builtin_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	*r->out.buffer = NULL;
+	*r->out.entries_read = 0;
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 2:
+		case 3:
+		case 4:
+		case 10:
+		case 11:
+		case 20:
+		case 23:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_ENUM_DOMAINS |
+						  SAMR_ACCESS_OPEN_DOMAIN,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+						  SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+					  SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	switch (r->in.filter) {
+		case FILTER_NORMAL_ACCOUNT:
+			filter = ACB_NORMAL;
+			break;
+		case FILTER_TEMP_DUPLICATE_ACCOUNT:
+			filter = ACB_TEMPDUP;
+			break;
+		case FILTER_INTERDOMAIN_TRUST_ACCOUNT:
+			filter = ACB_DOMTRUST;
+			break;
+		case FILTER_WORKSTATION_TRUST_ACCOUNT:
+			filter = ACB_WSTRUST;
+			break;
+		case FILTER_SERVER_TRUST_ACCOUNT:
+			filter = ACB_SVRTRUST;
+			break;
+		default:
+			break;
+	}
+
+	status = rpccli_samr_EnumDomainUsers(pipe_cli,
+					     ctx,
+					     &domain_handle,
+					     r->in.resume_handle,
+					     filter,
+					     &sam,
+					     r->in.prefmaxlen,
+					     &entries_read);
+	werr = ntstatus_to_werror(status);
+	if (NT_STATUS_IS_ERR(status)) {
+		goto done;
+	}
+
+	for (i=0; i < sam->count; i++) {
+
+		status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
+								  domain_sid,
+								  &domain_handle,
+								  &builtin_handle,
+								  sam->entries[i].name.string,
+								  sam->entries[i].idx,
+								  r->in.level,
+								  r->out.buffer,
+								  r->out.entries_read);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	/* if last query */
+	if (NT_STATUS_IS_OK(status) ||
+	    NT_STATUS_IS_ERR(status)) {
+
+		if (ctx->disable_policy_handle_cache) {
+			libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+			libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+			libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+		}
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserEnum_l(struct libnetapi_ctx *ctx,
+		     struct NetUserEnum *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserEnum);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_dispinfo_to_NET_DISPLAY_USER(TALLOC_CTX *mem_ctx,
+							struct samr_DispInfoGeneral *info,
+							uint32_t *entries_read,
+							void **buffer)
+{
+	struct NET_DISPLAY_USER *user = NULL;
+	int i;
+
+	user = TALLOC_ZERO_ARRAY(mem_ctx,
+				 struct NET_DISPLAY_USER,
+				 info->count);
+	W_ERROR_HAVE_NO_MEMORY(user);
+
+	for (i = 0; i < info->count; i++) {
+		user[i].usri1_name = talloc_strdup(mem_ctx,
+			info->entries[i].account_name.string);
+		user[i].usri1_comment = talloc_strdup(mem_ctx,
+			info->entries[i].description.string);
+		user[i].usri1_flags =
+			info->entries[i].acct_flags;
+		user[i].usri1_full_name = talloc_strdup(mem_ctx,
+			info->entries[i].full_name.string);
+		user[i].usri1_user_id =
+			info->entries[i].rid;
+		user[i].usri1_next_index =
+			info->entries[i].idx;
+
+		if (!user[i].usri1_name) {
+			return WERR_NOMEM;
+		}
+	}
+
+	*buffer = talloc_memdup(mem_ctx, user,
+		sizeof(struct NET_DISPLAY_USER) * info->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	*entries_read = info->count;
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_dispinfo_to_NET_DISPLAY_MACHINE(TALLOC_CTX *mem_ctx,
+							   struct samr_DispInfoFull *info,
+							   uint32_t *entries_read,
+							   void **buffer)
+{
+	struct NET_DISPLAY_MACHINE *machine = NULL;
+	int i;
+
+	machine = TALLOC_ZERO_ARRAY(mem_ctx,
+				    struct NET_DISPLAY_MACHINE,
+				    info->count);
+	W_ERROR_HAVE_NO_MEMORY(machine);
+
+	for (i = 0; i < info->count; i++) {
+		machine[i].usri2_name = talloc_strdup(mem_ctx,
+			info->entries[i].account_name.string);
+		machine[i].usri2_comment = talloc_strdup(mem_ctx,
+			info->entries[i].description.string);
+		machine[i].usri2_flags =
+			info->entries[i].acct_flags;
+		machine[i].usri2_user_id =
+			info->entries[i].rid;
+		machine[i].usri2_next_index =
+			info->entries[i].idx;
+
+		if (!machine[i].usri2_name) {
+			return WERR_NOMEM;
+		}
+	}
+
+	*buffer = talloc_memdup(mem_ctx, machine,
+		sizeof(struct NET_DISPLAY_MACHINE) * info->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	*entries_read = info->count;
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_dispinfo_to_NET_DISPLAY_GROUP(TALLOC_CTX *mem_ctx,
+							 struct samr_DispInfoFullGroups *info,
+							 uint32_t *entries_read,
+							 void **buffer)
+{
+	struct NET_DISPLAY_GROUP *group = NULL;
+	int i;
+
+	group = TALLOC_ZERO_ARRAY(mem_ctx,
+				  struct NET_DISPLAY_GROUP,
+				  info->count);
+	W_ERROR_HAVE_NO_MEMORY(group);
+
+	for (i = 0; i < info->count; i++) {
+		group[i].grpi3_name = talloc_strdup(mem_ctx,
+			info->entries[i].account_name.string);
+		group[i].grpi3_comment = talloc_strdup(mem_ctx,
+			info->entries[i].description.string);
+		group[i].grpi3_group_id =
+			info->entries[i].rid;
+		group[i].grpi3_attributes =
+			info->entries[i].acct_flags;
+		group[i].grpi3_next_index =
+			info->entries[i].idx;
+
+		if (!group[i].grpi3_name) {
+			return WERR_NOMEM;
+		}
+	}
+
+	*buffer = talloc_memdup(mem_ctx, group,
+		sizeof(struct NET_DISPLAY_GROUP) * info->count);
+	W_ERROR_HAVE_NO_MEMORY(*buffer);
+
+	*entries_read = info->count;
+
+	return WERR_OK;
+
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR convert_samr_dispinfo_to_NET_DISPLAY(TALLOC_CTX *mem_ctx,
+						   union samr_DispInfo *info,
+						   uint32_t level,
+						   uint32_t *entries_read,
+						   void **buffer)
+{
+	switch (level) {
+		case 1:
+			return convert_samr_dispinfo_to_NET_DISPLAY_USER(mem_ctx,
+									 &info->info1,
+									 entries_read,
+									 buffer);
+		case 2:
+			return convert_samr_dispinfo_to_NET_DISPLAY_MACHINE(mem_ctx,
+									    &info->info2,
+									    entries_read,
+									    buffer);
+		case 3:
+			return convert_samr_dispinfo_to_NET_DISPLAY_GROUP(mem_ctx,
+									  &info->info3,
+									  entries_read,
+									  buffer);
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
+				    struct NetQueryDisplayInformation *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	struct policy_handle domain_handle;
+	union samr_DispInfo info;
+
+	uint32_t total_size = 0;
+	uint32_t returned_size = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	switch (r->in.level) {
+		case 1:
+		case 2:
+		case 3:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+					  SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = rpccli_samr_QueryDisplayInfo2(pipe_cli,
+					       ctx,
+					       &domain_handle,
+					       r->in.level,
+					       r->in.idx,
+					       r->in.entries_requested,
+					       r->in.prefmaxlen,
+					       &total_size,
+					       &returned_size,
+					       &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = convert_samr_dispinfo_to_NET_DISPLAY(ctx, &info,
+						    r->in.level,
+						    r->out.entries_read,
+						    r->out.buffer);
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	/* if last query */
+	if (NT_STATUS_IS_OK(status) ||
+	    NT_STATUS_IS_ERR(status)) {
+
+		if (ctx->disable_policy_handle_cache) {
+			libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+			libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+		}
+	}
+
+	return werr;
+
+}
+
+/****************************************************************
+****************************************************************/
+
+
+WERROR NetQueryDisplayInformation_l(struct libnetapi_ctx *ctx,
+				    struct NetQueryDisplayInformation *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetQueryDisplayInformation);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserChangePassword_r(struct libnetapi_ctx *ctx,
+			       struct NetUserChangePassword *r)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserChangePassword_l(struct libnetapi_ctx *ctx,
+			       struct NetUserChangePassword *r)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetUserGetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	struct policy_handle connect_handle, domain_handle, builtin_handle, user_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids user_rids, name_types;
+	uint32_t num_entries = 0;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(user_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+		case 2:
+		case 3:
+		case 4:
+		case 10:
+		case 11:
+		case 20:
+		case 23:
+			break;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_ENUM_DOMAINS |
+						  SAMR_ACCESS_OPEN_DOMAIN,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+						  SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
+							  domain_sid,
+							  &domain_handle,
+							  &builtin_handle,
+							  r->in.user_name,
+							  user_rids.ids[0],
+							  r->in.level,
+							  r->out.buffer,
+							  &num_entries);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&user_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetUserGetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserGetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
+			struct NetUserSetInfo *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	struct policy_handle connect_handle, domain_handle, builtin_handle, user_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids user_rids, name_types;
+	uint32_t user_mask = 0;
+
+	struct USER_INFO_X uX;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+	ZERO_STRUCT(builtin_handle);
+	ZERO_STRUCT(user_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1003:
+			user_mask = SAMR_USER_ACCESS_SET_PASSWORD;
+			break;
+		case 1006:
+		case 1007:
+		case 1009:
+		case 1011:
+		case 1014:
+		case 1052:
+		case 1053:
+			user_mask = SAMR_USER_ACCESS_SET_ATTRIBUTES;
+			break;
+		case 1012:
+		case 1024:
+			user_mask = SAMR_USER_ACCESS_SET_LOC_COM;
+		case 1051:
+			user_mask = SAMR_USER_ACCESS_SET_ATTRIBUTES |
+				    SAMR_USER_ACCESS_GET_GROUPS;
+			break;
+		case 1:
+		case 2:
+		case 3:
+		case 4:
+		case 21:
+		case 22:
+		case 1005:
+		case 1008:
+		case 1010:
+		case 1017:
+		case 1020:
+			werr = WERR_NOT_SUPPORTED;
+			goto done;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_ENUM_DOMAINS |
+						  SAMR_ACCESS_OPEN_DOMAIN,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+						  SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, ctx,
+				      &domain_handle,
+				      user_mask,
+				      user_rids.ids[0],
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = construct_USER_INFO_X(r->in.level, r->in.buffer, &uX);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = set_user_info_USER_INFO_X(ctx, pipe_cli,
+					   &cli->user_session_key,
+					   &user_handle,
+					   &uX);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&user_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetInfo_l(struct libnetapi_ctx *ctx,
+			struct NetUserSetInfo *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserSetInfo);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
+					   struct rpc_pipe_client *pipe_cli,
+					   struct policy_handle *domain_handle,
+					   struct samr_DomInfo1 *info1,
+					   struct samr_DomInfo3 *info3,
+					   struct samr_DomInfo5 *info5,
+					   struct samr_DomInfo6 *info6,
+					   struct samr_DomInfo7 *info7,
+					   struct samr_DomInfo12 *info12)
+{
+	NTSTATUS status;
+	union samr_DomainInfo *dom_info = NULL;
+
+	if (info1) {
+		status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+						     domain_handle,
+						     1,
+						     &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info1 = dom_info->info1;
+	}
+
+	if (info3) {
+		status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+						     domain_handle,
+						     3,
+						     &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info3 = dom_info->info3;
+	}
+
+	if (info5) {
+		status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+						     domain_handle,
+						     5,
+						     &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info5 = dom_info->info5;
+	}
+
+	if (info6) {
+		status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+						     domain_handle,
+						     6,
+						     &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info6 = dom_info->info6;
+	}
+
+	if (info7) {
+		status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+						     domain_handle,
+						     7,
+						     &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info7 = dom_info->info7;
+	}
+
+	if (info12) {
+		status = rpccli_samr_QueryDomainInfo2(pipe_cli, mem_ctx,
+						      domain_handle,
+						      12,
+						      &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+
+		*info12 = dom_info->info12;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_0(TALLOC_CTX *mem_ctx,
+					 struct rpc_pipe_client *pipe_cli,
+					 struct policy_handle *domain_handle,
+					 struct USER_MODALS_INFO_0 *info0)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info1;
+	struct samr_DomInfo3 dom_info3;
+
+	ZERO_STRUCTP(info0);
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info1,
+					    &dom_info3,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	info0->usrmod0_min_passwd_len =
+		dom_info1.min_password_length;
+	info0->usrmod0_max_passwd_age =
+		nt_time_to_unix_abs((NTTIME *)&dom_info1.max_password_age);
+	info0->usrmod0_min_passwd_age =
+		nt_time_to_unix_abs((NTTIME *)&dom_info1.min_password_age);
+	info0->usrmod0_password_hist_len =
+		dom_info1.password_history_length;
+
+	info0->usrmod0_force_logoff =
+		nt_time_to_unix_abs(&dom_info3.force_logoff_time);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_1(TALLOC_CTX *mem_ctx,
+					 struct rpc_pipe_client *pipe_cli,
+					 struct policy_handle *domain_handle,
+					 struct USER_MODALS_INFO_1 *info1)
+{
+	NTSTATUS status;
+	struct samr_DomInfo6 dom_info6;
+	struct samr_DomInfo7 dom_info7;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    NULL,
+					    NULL,
+					    NULL,
+					    &dom_info6,
+					    &dom_info7,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	info1->usrmod1_primary =
+		talloc_strdup(mem_ctx, dom_info6.primary.string);
+
+	info1->usrmod1_role = dom_info7.role;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_2(TALLOC_CTX *mem_ctx,
+					 struct rpc_pipe_client *pipe_cli,
+					 struct policy_handle *domain_handle,
+					 struct dom_sid *domain_sid,
+					 struct USER_MODALS_INFO_2 *info2)
+{
+	NTSTATUS status;
+	struct samr_DomInfo5 dom_info5;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    NULL,
+					    NULL,
+					    &dom_info5,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	info2->usrmod2_domain_name =
+		talloc_strdup(mem_ctx, dom_info5.domain_name.string);
+	info2->usrmod2_domain_id =
+		(struct domsid *)sid_dup_talloc(mem_ctx, domain_sid);
+
+	NT_STATUS_HAVE_NO_MEMORY(info2->usrmod2_domain_name);
+	NT_STATUS_HAVE_NO_MEMORY(info2->usrmod2_domain_id);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_3(TALLOC_CTX *mem_ctx,
+					 struct rpc_pipe_client *pipe_cli,
+					 struct policy_handle *domain_handle,
+					 struct USER_MODALS_INFO_3 *info3)
+{
+	NTSTATUS status;
+	struct samr_DomInfo12 dom_info12;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    &dom_info12);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	info3->usrmod3_lockout_duration =
+		nt_time_to_unix_abs(&dom_info12.lockout_duration);
+	info3->usrmod3_lockout_observation_window =
+		nt_time_to_unix_abs(&dom_info12.lockout_window);
+	info3->usrmod3_lockout_threshold =
+		dom_info12.lockout_threshold;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS query_USER_MODALS_INFO_to_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 uint32_t level,
+						 struct policy_handle *domain_handle,
+						 struct dom_sid *domain_sid,
+						 uint8_t **buffer)
+{
+	NTSTATUS status;
+
+	struct USER_MODALS_INFO_0 info0;
+	struct USER_MODALS_INFO_1 info1;
+	struct USER_MODALS_INFO_2 info2;
+	struct USER_MODALS_INFO_3 info3;
+
+	if (!buffer) {
+		return ERROR_INSUFFICIENT_BUFFER;
+	}
+
+	switch (level) {
+		case 0:
+			status = query_USER_MODALS_INFO_0(mem_ctx,
+							  pipe_cli,
+							  domain_handle,
+							  &info0);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info0,
+							   sizeof(info0));
+			break;
+
+		case 1:
+			status = query_USER_MODALS_INFO_1(mem_ctx,
+							  pipe_cli,
+							  domain_handle,
+							  &info1);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info1,
+							   sizeof(info1));
+			break;
+		case 2:
+			status = query_USER_MODALS_INFO_2(mem_ctx,
+							  pipe_cli,
+							  domain_handle,
+							  domain_sid,
+							  &info2);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info2,
+							   sizeof(info2));
+			break;
+		case 3:
+			status = query_USER_MODALS_INFO_3(mem_ctx,
+							  pipe_cli,
+							  domain_handle,
+							  &info3);
+			NT_STATUS_NOT_OK_RETURN(status);
+
+			*buffer = (uint8_t *)talloc_memdup(mem_ctx, &info3,
+							   sizeof(info3));
+			break;
+		default:
+			break;
+	}
+
+	NT_STATUS_HAVE_NO_MEMORY(*buffer);
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsGet *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	struct policy_handle connect_handle, domain_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	uint32_t access_mask = SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+				       SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+			break;
+		case 1:
+		case 2:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+			break;
+		case 3:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
+			break;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  access_mask,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	/* 0:  1 + 3 */
+	/* 1:  6 + 7 */
+	/* 2:  5 */
+	/* 3: 12 (DomainInfo2) */
+
+	status = query_USER_MODALS_INFO_to_buffer(ctx,
+						  pipe_cli,
+						  r->in.level,
+						  &domain_handle,
+						  domain_sid,
+						  r->out.buffer);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserModalsGet_l(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsGet *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserModalsGet);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
+					 struct rpc_pipe_client *pipe_cli,
+					 struct policy_handle *domain_handle,
+					 struct samr_DomInfo1 *info1,
+					 struct samr_DomInfo3 *info3,
+					 struct samr_DomInfo12 *info12)
+{
+	NTSTATUS status;
+	union samr_DomainInfo dom_info;
+
+	if (info1) {
+
+		ZERO_STRUCT(dom_info);
+
+		dom_info.info1 = *info1;
+
+		status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+						   domain_handle,
+						   1,
+						   &dom_info);
+		NT_STATUS_NOT_OK_RETURN(status);
+	}
+
+	if (info3) {
+
+		ZERO_STRUCT(dom_info);
+
+		dom_info.info3 = *info3;
+
+		status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+						   domain_handle,
+						   3,
+						   &dom_info);
+
+		NT_STATUS_NOT_OK_RETURN(status);
+	}
+
+	if (info12) {
+
+		ZERO_STRUCT(dom_info);
+
+		dom_info.info12 = *info12;
+
+		status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+						   domain_handle,
+						   12,
+						   &dom_info);
+
+		NT_STATUS_NOT_OK_RETURN(status);
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_0_buffer(TALLOC_CTX *mem_ctx,
+					      struct rpc_pipe_client *pipe_cli,
+					      struct policy_handle *domain_handle,
+					      struct USER_MODALS_INFO_0 *info0)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info_1;
+	struct samr_DomInfo3 dom_info_3;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info_1,
+					    &dom_info_3,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	dom_info_1.min_password_length =
+		info0->usrmod0_min_passwd_len;
+	dom_info_1.password_history_length =
+		info0->usrmod0_password_hist_len;
+
+	unix_to_nt_time_abs((NTTIME *)&dom_info_1.max_password_age,
+		info0->usrmod0_max_passwd_age);
+	unix_to_nt_time_abs((NTTIME *)&dom_info_1.min_password_age,
+		info0->usrmod0_min_passwd_age);
+
+	unix_to_nt_time_abs(&dom_info_3.force_logoff_time,
+		info0->usrmod0_force_logoff);
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					&dom_info_1,
+					&dom_info_3,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_3_buffer(TALLOC_CTX *mem_ctx,
+					      struct rpc_pipe_client *pipe_cli,
+					      struct policy_handle *domain_handle,
+					      struct USER_MODALS_INFO_3 *info3)
+{
+	NTSTATUS status;
+	struct samr_DomInfo12 dom_info_12;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    &dom_info_12);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	unix_to_nt_time_abs((NTTIME *)&dom_info_12.lockout_duration,
+		info3->usrmod3_lockout_duration);
+	unix_to_nt_time_abs((NTTIME *)&dom_info_12.lockout_window,
+		info3->usrmod3_lockout_observation_window);
+	dom_info_12.lockout_threshold = info3->usrmod3_lockout_threshold;
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					NULL,
+					NULL,
+					&dom_info_12);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_1001_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 struct policy_handle *domain_handle,
+						 struct USER_MODALS_INFO_1001 *info1001)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info_1;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info_1,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	dom_info_1.min_password_length =
+		info1001->usrmod1001_min_passwd_len;
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					&dom_info_1,
+					NULL,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_1002_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 struct policy_handle *domain_handle,
+						 struct USER_MODALS_INFO_1002 *info1002)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info_1;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info_1,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	unix_to_nt_time_abs((NTTIME *)&dom_info_1.max_password_age,
+		info1002->usrmod1002_max_passwd_age);
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					&dom_info_1,
+					NULL,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_1003_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 struct policy_handle *domain_handle,
+						 struct USER_MODALS_INFO_1003 *info1003)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info_1;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info_1,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	unix_to_nt_time_abs((NTTIME *)&dom_info_1.min_password_age,
+		info1003->usrmod1003_min_passwd_age);
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					&dom_info_1,
+					NULL,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_1004_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 struct policy_handle *domain_handle,
+						 struct USER_MODALS_INFO_1004 *info1004)
+{
+	NTSTATUS status;
+	struct samr_DomInfo3 dom_info_3;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    NULL,
+					    &dom_info_3,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	unix_to_nt_time_abs(&dom_info_3.force_logoff_time,
+		info1004->usrmod1004_force_logoff);
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					NULL,
+					&dom_info_3,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_1005_buffer(TALLOC_CTX *mem_ctx,
+						 struct rpc_pipe_client *pipe_cli,
+						 struct policy_handle *domain_handle,
+						 struct USER_MODALS_INFO_1005 *info1005)
+{
+	NTSTATUS status;
+	struct samr_DomInfo1 dom_info_1;
+
+	status = query_USER_MODALS_INFO_rpc(mem_ctx,
+					    pipe_cli,
+					    domain_handle,
+					    &dom_info_1,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL,
+					    NULL);
+	NT_STATUS_NOT_OK_RETURN(status);
+
+	dom_info_1.password_history_length =
+		info1005->usrmod1005_password_hist_len;
+
+	return set_USER_MODALS_INFO_rpc(mem_ctx,
+					pipe_cli,
+					domain_handle,
+					&dom_info_1,
+					NULL,
+					NULL);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS set_USER_MODALS_INFO_buffer(TALLOC_CTX *mem_ctx,
+					    struct rpc_pipe_client *pipe_cli,
+					    uint32_t level,
+					    struct policy_handle *domain_handle,
+					    struct dom_sid *domain_sid,
+					    uint8_t *buffer)
+{
+	struct USER_MODALS_INFO_0 *info0;
+	struct USER_MODALS_INFO_3 *info3;
+	struct USER_MODALS_INFO_1001 *info1001;
+	struct USER_MODALS_INFO_1002 *info1002;
+	struct USER_MODALS_INFO_1003 *info1003;
+	struct USER_MODALS_INFO_1004 *info1004;
+	struct USER_MODALS_INFO_1005 *info1005;
+
+	if (!buffer) {
+		return ERROR_INSUFFICIENT_BUFFER;
+	}
+
+	switch (level) {
+		case 0:
+			info0 = (struct USER_MODALS_INFO_0 *)buffer;
+			return set_USER_MODALS_INFO_0_buffer(mem_ctx,
+							     pipe_cli,
+							     domain_handle,
+							     info0);
+		case 3:
+			info3 = (struct USER_MODALS_INFO_3 *)buffer;
+			return set_USER_MODALS_INFO_3_buffer(mem_ctx,
+							     pipe_cli,
+							     domain_handle,
+							     info3);
+		case 1001:
+			info1001 = (struct USER_MODALS_INFO_1001 *)buffer;
+			return set_USER_MODALS_INFO_1001_buffer(mem_ctx,
+								pipe_cli,
+								domain_handle,
+								info1001);
+		case 1002:
+			info1002 = (struct USER_MODALS_INFO_1002 *)buffer;
+			return set_USER_MODALS_INFO_1002_buffer(mem_ctx,
+								pipe_cli,
+								domain_handle,
+								info1002);
+		case 1003:
+			info1003 = (struct USER_MODALS_INFO_1003 *)buffer;
+			return set_USER_MODALS_INFO_1003_buffer(mem_ctx,
+								pipe_cli,
+								domain_handle,
+								info1003);
+		case 1004:
+			info1004 = (struct USER_MODALS_INFO_1004 *)buffer;
+			return set_USER_MODALS_INFO_1004_buffer(mem_ctx,
+								pipe_cli,
+								domain_handle,
+								info1004);
+		case 1005:
+			info1005 = (struct USER_MODALS_INFO_1005 *)buffer;
+			return set_USER_MODALS_INFO_1005_buffer(mem_ctx,
+								pipe_cli,
+								domain_handle,
+								info1005);
+
+		default:
+			break;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsSet *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	NTSTATUS status;
+	WERROR werr;
+
+	struct policy_handle connect_handle, domain_handle;
+	struct dom_sid2 *domain_sid = NULL;
+	uint32_t access_mask = SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+				       SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+				       SAMR_DOMAIN_ACCESS_SET_INFO_1 |
+				       SAMR_DOMAIN_ACCESS_SET_INFO_2;
+			break;
+		case 3:
+		case 1001:
+		case 1002:
+		case 1003:
+		case 1005:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+				       SAMR_DOMAIN_ACCESS_SET_INFO_1;
+			break;
+		case 1004:
+			access_mask |= SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
+				       SAMR_DOMAIN_ACCESS_SET_INFO_2;
+			break;
+		case 1:
+		case 2:
+		case 1006:
+		case 1007:
+			werr = WERR_NOT_SUPPORTED;
+			break;
+		default:
+			werr = WERR_UNKNOWN_LEVEL;
+			goto done;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  access_mask,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	status = set_USER_MODALS_INFO_buffer(ctx,
+					     pipe_cli,
+					     r->in.level,
+					     &domain_handle,
+					     domain_sid,
+					     r->in.buffer);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserModalsSet_l(struct libnetapi_ctx *ctx,
+			  struct NetUserModalsSet *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserModalsSet);
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS add_GROUP_USERS_INFO_X_buffer(TALLOC_CTX *mem_ctx,
+				       uint32_t level,
+				       const char *group_name,
+				       uint32_t attributes,
+				       uint8_t **buffer,
+				       uint32_t *num_entries)
+{
+	struct GROUP_USERS_INFO_0 u0;
+	struct GROUP_USERS_INFO_1 u1;
+
+	switch (level) {
+		case 0:
+			u0.grui0_name = talloc_strdup(mem_ctx, group_name);
+			NT_STATUS_HAVE_NO_MEMORY(u0.grui0_name);
+
+			ADD_TO_ARRAY(mem_ctx, struct GROUP_USERS_INFO_0, u0,
+				     (struct GROUP_USERS_INFO_0 **)buffer, num_entries);
+			break;
+		case 1:
+			u1.grui1_name = talloc_strdup(mem_ctx, group_name);
+			NT_STATUS_HAVE_NO_MEMORY(u1.grui1_name);
+
+			u1.grui1_attributes = attributes;
+
+			ADD_TO_ARRAY(mem_ctx, struct GROUP_USERS_INFO_1, u1,
+				     (struct GROUP_USERS_INFO_1 **)buffer, num_entries);
+			break;
+		default:
+			return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
+			  struct NetUserGetGroups *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle, domain_handle, user_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids user_rids, name_types;
+	struct samr_RidWithAttributeArray *rid_array = NULL;
+	struct lsa_Strings names;
+	struct samr_Ids types;
+	uint32_t *rids = NULL;
+
+	int i;
+	uint32_t entries_read = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	*r->out.buffer = NULL;
+	*r->out.entries_read = 0;
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, ctx,
+				      &domain_handle,
+				      SAMR_USER_ACCESS_GET_GROUPS,
+				      user_rids.ids[0],
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_GetGroupsForUser(pipe_cli, ctx,
+					      &user_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	rids = talloc_array(ctx, uint32_t, rid_array->count);
+	if (!rids) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	for (i=0; i < rid_array->count; i++) {
+		rids[i] = rid_array->rids[i].rid;
+	}
+
+	status = rpccli_samr_LookupRids(pipe_cli, ctx,
+					&domain_handle,
+					rid_array->count,
+					rids,
+					&names,
+					&types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i < rid_array->count; i++) {
+		status = add_GROUP_USERS_INFO_X_buffer(ctx,
+						       r->in.level,
+						       names.names[i].string,
+						       rid_array->rids[i].attributes,
+						       r->out.buffer,
+						       &entries_read);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	if (r->out.entries_read) {
+		*r->out.entries_read = entries_read;
+	}
+	if (r->out.total_entries) {
+		*r->out.total_entries = entries_read;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetGroups_l(struct libnetapi_ctx *ctx,
+			  struct NetUserGetGroups *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserGetGroups);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
+			  struct NetUserSetGroups *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle, domain_handle, user_handle, group_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids user_rids, name_types;
+	struct samr_Ids group_rids;
+	struct samr_RidWithAttributeArray *rid_array = NULL;
+	struct lsa_String *lsa_names = NULL;
+
+	uint32_t *add_rids = NULL;
+	uint32_t *del_rids = NULL;
+	size_t num_add_rids = 0;
+	size_t num_del_rids = 0;
+
+	uint32_t *member_rids = NULL;
+	size_t num_member_rids = 0;
+
+	struct GROUP_USERS_INFO_0 *i0 = NULL;
+	struct GROUP_USERS_INFO_1 *i1 = NULL;
+
+	int i, k;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->in.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, ctx,
+				      &domain_handle,
+				      SAMR_USER_ACCESS_GET_GROUPS,
+				      user_rids.ids[0],
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	switch (r->in.level) {
+		case 0:
+			i0 = (struct GROUP_USERS_INFO_0 *)r->in.buffer;
+			break;
+		case 1:
+			i1 = (struct GROUP_USERS_INFO_1 *)r->in.buffer;
+			break;
+	}
+
+	lsa_names = talloc_array(ctx, struct lsa_String, r->in.num_entries);
+	if (!lsa_names) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	for (i=0; i < r->in.num_entries; i++) {
+
+		switch (r->in.level) {
+			case 0:
+				init_lsa_String(&lsa_names[i], i0->grui0_name);
+				i0++;
+				break;
+			case 1:
+				init_lsa_String(&lsa_names[i], i1->grui1_name);
+				i1++;
+				break;
+		}
+	}
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 r->in.num_entries,
+					 lsa_names,
+					 &group_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	member_rids = group_rids.ids;
+	num_member_rids = group_rids.count;
+
+	status = rpccli_samr_GetGroupsForUser(pipe_cli, ctx,
+					      &user_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	/* add list */
+
+	for (i=0; i < r->in.num_entries; i++) {
+		bool already_member = false;
+		for (k=0; k < rid_array->count; k++) {
+			if (member_rids[i] == rid_array->rids[k].rid) {
+				already_member = true;
+				break;
+			}
+		}
+		if (!already_member) {
+			if (!add_rid_to_array_unique(ctx,
+						     member_rids[i],
+						     &add_rids, &num_add_rids)) {
+				werr = WERR_GENERAL_FAILURE;
+				goto done;
+			}
+		}
+	}
+
+	/* del list */
+
+	for (k=0; k < rid_array->count; k++) {
+		bool keep_member = false;
+		for (i=0; i < r->in.num_entries; i++) {
+			if (member_rids[i] == rid_array->rids[k].rid) {
+				keep_member = true;
+				break;
+			}
+		}
+		if (!keep_member) {
+			if (!add_rid_to_array_unique(ctx,
+						     rid_array->rids[k].rid,
+						     &del_rids, &num_del_rids)) {
+				werr = WERR_GENERAL_FAILURE;
+				goto done;
+			}
+		}
+	}
+
+	/* add list */
+
+	for (i=0; i < num_add_rids; i++) {
+		status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+					       &domain_handle,
+					       SAMR_GROUP_ACCESS_ADD_MEMBER,
+					       add_rids[i],
+					       &group_handle);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+
+		status = rpccli_samr_AddGroupMember(pipe_cli, ctx,
+						    &group_handle,
+						    user_rids.ids[0],
+						    7 /* ? */);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+
+		if (is_valid_policy_hnd(&group_handle)) {
+			rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+		}
+	}
+
+	/* del list */
+
+	for (i=0; i < num_del_rids; i++) {
+		status = rpccli_samr_OpenGroup(pipe_cli, ctx,
+					       &domain_handle,
+					       SAMR_GROUP_ACCESS_REMOVE_MEMBER,
+					       del_rids[i],
+					       &group_handle);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+
+		status = rpccli_samr_DeleteGroupMember(pipe_cli, ctx,
+						       &group_handle,
+						       user_rids.ids[0]);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+
+		if (is_valid_policy_hnd(&group_handle)) {
+			rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+		}
+	}
+
+	werr = WERR_OK;
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (is_valid_policy_hnd(&group_handle)) {
+		rpccli_samr_Close(pipe_cli, ctx, &group_handle);
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetGroups_l(struct libnetapi_ctx *ctx,
+			  struct NetUserSetGroups *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserSetGroups);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS add_LOCALGROUP_USERS_INFO_X_buffer(TALLOC_CTX *mem_ctx,
+						   uint32_t level,
+						   const char *group_name,
+						   uint8_t **buffer,
+						   uint32_t *num_entries)
+{
+	struct LOCALGROUP_USERS_INFO_0 u0;
+
+	switch (level) {
+		case 0:
+			u0.lgrui0_name = talloc_strdup(mem_ctx, group_name);
+			NT_STATUS_HAVE_NO_MEMORY(u0.lgrui0_name);
+
+			ADD_TO_ARRAY(mem_ctx, struct LOCALGROUP_USERS_INFO_0, u0,
+				     (struct LOCALGROUP_USERS_INFO_0 **)buffer, num_entries);
+			break;
+		default:
+			return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
+			       struct NetUserGetLocalGroups *r)
+{
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_cli = NULL;
+	struct policy_handle connect_handle, domain_handle, user_handle,
+	builtin_handle;
+	struct lsa_String lsa_account_name;
+	struct dom_sid2 *domain_sid = NULL;
+	struct samr_Ids user_rids, name_types;
+	struct samr_RidWithAttributeArray *rid_array = NULL;
+	struct lsa_Strings names;
+	struct samr_Ids types;
+	uint32_t *rids = NULL;
+	size_t num_rids = 0;
+	struct dom_sid user_sid;
+	struct lsa_SidArray sid_array;
+	struct samr_Ids domain_rids;
+	struct samr_Ids builtin_rids;
+
+	int i;
+	uint32_t entries_read = 0;
+
+	NTSTATUS status = NT_STATUS_OK;
+	WERROR werr;
+
+	ZERO_STRUCT(connect_handle);
+	ZERO_STRUCT(domain_handle);
+
+	if (!r->out.buffer) {
+		return WERR_INVALID_PARAM;
+	}
+
+	*r->out.buffer = NULL;
+	*r->out.entries_read = 0;
+
+	switch (r->in.level) {
+		case 0:
+		case 1:
+			break;
+		default:
+			return WERR_UNKNOWN_LEVEL;
+	}
+
+	werr = libnetapi_open_pipe(ctx, r->in.server_name,
+				   &ndr_table_samr.syntax_id,
+				   &cli,
+				   &pipe_cli);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+					  SAMR_ACCESS_ENUM_DOMAINS |
+					  SAMR_ACCESS_OPEN_DOMAIN,
+					  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+					  SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+					  &connect_handle,
+					  &domain_handle,
+					  &domain_sid);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+						  SAMR_ACCESS_ENUM_DOMAINS |
+						  SAMR_ACCESS_OPEN_DOMAIN,
+						  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+						  SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+						  &connect_handle,
+						  &builtin_handle);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	init_lsa_String(&lsa_account_name, r->in.user_name);
+
+	status = rpccli_samr_LookupNames(pipe_cli, ctx,
+					 &domain_handle,
+					 1,
+					 &lsa_account_name,
+					 &user_rids,
+					 &name_types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_OpenUser(pipe_cli, ctx,
+				      &domain_handle,
+				      SAMR_USER_ACCESS_GET_GROUPS,
+				      user_rids.ids[0],
+				      &user_handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	status = rpccli_samr_GetGroupsForUser(pipe_cli, ctx,
+					      &user_handle,
+					      &rid_array);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	if (!sid_compose(&user_sid, domain_sid, user_rids.ids[0])) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	sid_array.num_sids = rid_array->count + 1;
+	sid_array.sids = TALLOC_ARRAY(ctx, struct lsa_SidPtr, sid_array.num_sids);
+	if (!sid_array.sids) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	sid_array.sids[0].sid = sid_dup_talloc(ctx, &user_sid);
+	if (!sid_array.sids[0].sid) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	for (i=0; i < rid_array->count; i++) {
+		struct dom_sid sid;
+
+		if (!sid_compose(&sid, domain_sid, rid_array->rids[i].rid)) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+
+		sid_array.sids[i+1].sid = sid_dup_talloc(ctx, &sid);
+		if (!sid_array.sids[i+1].sid) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_GetAliasMembership(pipe_cli, ctx,
+						&domain_handle,
+						&sid_array,
+						&domain_rids);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i < domain_rids.count; i++) {
+		if (!add_rid_to_array_unique(ctx, domain_rids.ids[i],
+					     &rids, &num_rids)) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_GetAliasMembership(pipe_cli, ctx,
+						&builtin_handle,
+						&sid_array,
+						&builtin_rids);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i < builtin_rids.count; i++) {
+		if (!add_rid_to_array_unique(ctx, builtin_rids.ids[i],
+					     &rids, &num_rids)) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	status = rpccli_samr_LookupRids(pipe_cli, ctx,
+					&builtin_handle,
+					num_rids,
+					rids,
+					&names,
+					&types);
+	if (!NT_STATUS_IS_OK(status)) {
+		werr = ntstatus_to_werror(status);
+		goto done;
+	}
+
+	for (i=0; i < names.count; i++) {
+		status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,
+							    r->in.level,
+							    names.names[i].string,
+							    r->out.buffer,
+							    &entries_read);
+		if (!NT_STATUS_IS_OK(status)) {
+			werr = ntstatus_to_werror(status);
+			goto done;
+		}
+	}
+
+	if (r->out.entries_read) {
+		*r->out.entries_read = entries_read;
+	}
+	if (r->out.total_entries) {
+		*r->out.total_entries = entries_read;
+	}
+
+ done:
+	if (!cli) {
+		return werr;
+	}
+
+	if (ctx->disable_policy_handle_cache) {
+		libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+		libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+	}
+
+	return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetLocalGroups_l(struct libnetapi_ctx *ctx,
+			       struct NetUserGetLocalGroups *r)
+{
+	LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserGetLocalGroups);
+}
diff --git a/source3/lib/nss_wrapper/config.m4 b/source3/lib/nss_wrapper/config.m4
new file mode 100644
index 0000000000..58e94f9830
--- /dev/null
+++ b/source3/lib/nss_wrapper/config.m4
@@ -0,0 +1,19 @@
+AC_ARG_ENABLE(nss-wrapper,
+[  --enable-nss-wrapper         Turn on nss wrapper library (default=no)])
+
+HAVE_NSS_WRAPPER=no
+
+if eval "test x$developer = xyes"; then
+	enable_nss_wrapper=yes
+fi
+
+if eval "test x$enable_nss_wrapper = xyes"; then
+        AC_DEFINE(NSS_WRAPPER,1,[Use nss wrapper library])
+	HAVE_NSS_WRAPPER=yes
+
+	# this is only used for samba3
+	NSS_WRAPPER_OBJS="lib/nss_wrapper/nss_wrapper.o"
+fi
+
+AC_SUBST(HAVE_NSS_WRAPPER)
+AC_SUBST(NSS_WRAPPER_OBJS)
diff --git a/source3/lib/nss_wrapper/config.mk b/source3/lib/nss_wrapper/config.mk
new file mode 100644
index 0000000000..9751d2bf73
--- /dev/null
+++ b/source3/lib/nss_wrapper/config.mk
@@ -0,0 +1,10 @@
+##############################
+# Start SUBSYSTEM NSS_WRAPPER
+[LIBRARY::NSS_WRAPPER]
+VERSION = 0.0.1
+SO_VERSION = 0
+DESCRIPTION = Wrapper library for testing nss calls without being root
+PUBLIC_HEADERS = nss_wrapper.h
+OBJ_FILES = nss_wrapper.o
+# End SUBSYSTEM NSS_WRAPPER
+##############################
diff --git a/source3/lib/nss_wrapper/nss_wrapper.c b/source3/lib/nss_wrapper/nss_wrapper.c
new file mode 100644
index 0000000000..5d443facd3
--- /dev/null
+++ b/source3/lib/nss_wrapper/nss_wrapper.c
@@ -0,0 +1,1130 @@
+/*
+ * Copyright (C) Stefan Metzmacher 2007 <metze@samba.org>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef _SAMBA_BUILD_
+
+#define NSS_WRAPPER_NOT_REPLACE
+#include "lib/replace/replace.h"
+#include "system/passwd.h"
+#include "system/filesys.h"
+
+#else /* _SAMBA_BUILD_ */
+
+#error nss_wrapper_only_supported_in_samba_yet
+
+#endif
+
+#ifndef _PUBLIC_
+#define _PUBLIC_
+#endif
+
+/* not all systems have _r functions... */
+#ifndef HAVE_GETPWNAM_R
+#define getpwnam_r(name, pwdst, buf, buflen, pwdstp)	ENOSYS
+#endif
+#ifndef HAVE_GETPWUID_R
+#define getpwuid_r(uid, pwdst, buf, buflen, pwdstp)	ENOSYS
+#endif
+#ifndef HAVE_GETPWENT_R
+#define getpwent_r(pwdst, buf, buflen, pwdstp)		ENOSYS
+#endif
+#ifndef HAVE_GETGRNAM_R
+#define getgrnam_r(name, grdst, buf, buflen, grdstp)	ENOSYS
+#endif
+#ifndef HAVE_GETGRUID_R
+#define getgrgid_r(uid, grdst, buf, buflen, grdstp)	ENOSYS
+#endif
+#ifndef HAVE_GETGRENT_R
+#define getgrent_r(grdst, buf, buflen, grdstp)		ENOSYS
+#endif
+
+/* LD_PRELOAD doesn't work yet, so REWRITE_CALLS is all we support
+ * for now */
+#define REWRITE_CALLS
+
+#ifdef REWRITE_CALLS
+
+#define real_getpwnam		getpwnam
+#define real_getpwnam_r		getpwnam_r
+#define real_getpwuid		getpwuid
+#define real_getpwuid_r		getpwuid_r
+
+#define real_setpwent		setpwent
+#define real_getpwent		getpwent
+#define real_getpwent_r		getpwent_r
+#define real_endpwent		endpwent
+
+/*
+#define real_getgrlst		getgrlst
+#define real_getgrlst_r		getgrlst_r
+#define real_initgroups_dyn	initgroups_dyn
+*/
+#define real_initgroups		initgroups
+
+#define real_getgrnam		getgrnam
+#define real_getgrnam_r		getgrnam_r
+#define real_getgrgid		getgrgid
+#define real_getgrgid_r		getgrgid_r
+
+#define real_setgrent		setgrent
+#define real_getgrent		getgrent
+#define real_getgrent_r		getgrent_r
+#define real_endgrent		endgrent
+
+#endif
+
+#if 0
+# ifdef DEBUG
+# define NWRAP_ERROR(args)	DEBUG(0, args)
+# else
+# define NWRAP_ERROR(args)	printf args
+# endif
+#else
+#define NWRAP_ERROR(args)
+#endif
+
+#if 0
+# ifdef DEBUG
+# define NWRAP_DEBUG(args)	DEBUG(0, args)
+# else
+# define NWRAP_DEBUG(args)	printf args
+# endif
+#else
+#define NWRAP_DEBUG(args)
+#endif
+
+#if 0
+# ifdef DEBUG
+# define NWRAP_VERBOSE(args)	DEBUG(0, args)
+# else
+# define NWRAP_VERBOSE(args)	printf args
+# endif
+#else
+#define NWRAP_VERBOSE(args)
+#endif
+
+struct nwrap_cache {
+	const char *path;
+	int fd;
+	struct stat st;
+	uint8_t *buf;
+	void *private_data;
+	bool (*parse_line)(struct nwrap_cache *, char *line);
+	void (*unload)(struct nwrap_cache *);
+};
+
+struct nwrap_pw {
+	struct nwrap_cache *cache;
+
+	struct passwd *list;
+	int num;
+	int idx;
+};
+
+struct nwrap_cache __nwrap_cache_pw;
+struct nwrap_pw nwrap_pw_global;
+
+static bool nwrap_pw_parse_line(struct nwrap_cache *nwrap, char *line);
+static void nwrap_pw_unload(struct nwrap_cache *nwrap);
+
+struct nwrap_gr {
+	struct nwrap_cache *cache;
+
+	struct group *list;
+	int num;
+	int idx;
+};
+
+struct nwrap_cache __nwrap_cache_gr;
+struct nwrap_gr nwrap_gr_global;
+
+static bool nwrap_gr_parse_line(struct nwrap_cache *nwrap, char *line);
+static void nwrap_gr_unload(struct nwrap_cache *nwrap);
+
+static void nwrap_init(void)
+{
+	static bool initialized;
+
+	if (initialized) return;
+	initialized = true;
+
+	nwrap_pw_global.cache = &__nwrap_cache_pw;
+
+	nwrap_pw_global.cache->path = getenv("NSS_WRAPPER_PASSWD");
+	nwrap_pw_global.cache->fd = -1;
+	nwrap_pw_global.cache->private_data = &nwrap_pw_global;
+	nwrap_pw_global.cache->parse_line = nwrap_pw_parse_line;
+	nwrap_pw_global.cache->unload = nwrap_pw_unload;
+
+	nwrap_gr_global.cache = &__nwrap_cache_gr;
+
+	nwrap_gr_global.cache->path = getenv("NSS_WRAPPER_GROUP");
+	nwrap_gr_global.cache->fd = -1;
+	nwrap_gr_global.cache->private_data = &nwrap_gr_global;
+	nwrap_gr_global.cache->parse_line = nwrap_gr_parse_line;
+	nwrap_gr_global.cache->unload = nwrap_gr_unload;
+}
+
+static bool nwrap_enabled(void)
+{
+	nwrap_init();
+
+	if (!nwrap_pw_global.cache->path) {
+		return false;
+	}
+	if (nwrap_pw_global.cache->path[0] == '\0') {
+		return false;
+	}
+	if (!nwrap_gr_global.cache->path) {
+		return false;
+	}
+	if (nwrap_gr_global.cache->path[0] == '\0') {
+		return false;
+	}
+
+	return true;
+}
+
+static bool nwrap_parse_file(struct nwrap_cache *nwrap)
+{
+	int ret;
+	uint8_t *buf = NULL;
+	char *nline;
+
+	if (nwrap->st.st_size == 0) {
+		NWRAP_DEBUG(("%s: size == 0\n",
+			     __location__));
+		goto done;
+	}
+
+	if (nwrap->st.st_size > INT32_MAX) {
+		NWRAP_ERROR(("%s: size[%u] larger than INT32_MAX\n",
+			     __location__, (unsigned)nwrap->st.st_size));
+		goto failed;
+	}
+
+	ret = lseek(nwrap->fd, 0, SEEK_SET);
+	if (ret != 0) {
+		NWRAP_ERROR(("%s: lseek - %d\n",__location__,ret));
+		goto failed;
+	}
+
+	buf = (uint8_t *)malloc(nwrap->st.st_size + 1);
+	if (!buf) {
+		NWRAP_ERROR(("%s: malloc failed\n",__location__));
+		goto failed;
+	}
+
+	ret = read(nwrap->fd, buf, nwrap->st.st_size);
+	if (ret != nwrap->st.st_size) {
+		NWRAP_ERROR(("%s: read(%u) gave %d\n",
+			     __location__, (unsigned)nwrap->st.st_size, ret));
+		goto failed;
+	}
+
+	buf[nwrap->st.st_size] = '\0';
+
+	nline = (char *)buf;
+	while (nline && nline[0]) {
+		char *line;
+		char *e;
+		bool ok;
+
+		line = nline;
+		nline = NULL;
+
+		e = strchr(line, '\n');
+		if (e) {
+			e[0] = '\0';
+			e++;
+			if (e[0] == '\r') {
+				e[0] = '\0';
+				e++;
+			}
+			nline = e;
+		}
+
+		NWRAP_VERBOSE(("%s:'%s'\n",__location__, line));
+
+		if (strlen(line) == 0) {
+			continue;
+		}
+
+		ok = nwrap->parse_line(nwrap, line);
+		if (!ok) {
+			goto failed;
+		}
+	}
+
+done:
+	nwrap->buf = buf;
+	return true;
+
+failed:
+	if (buf) free(buf);
+	return false;
+}
+
+static void nwrap_cache_unload(struct nwrap_cache *nwrap)
+{
+	nwrap->unload(nwrap);
+
+	if (nwrap->buf) free(nwrap->buf);
+
+	nwrap->buf = NULL;
+}
+
+static void nwrap_cache_reload(struct nwrap_cache *nwrap)
+{
+	struct stat st;
+	int ret;
+	bool ok;
+	bool retried = false;
+
+reopen:
+	if (nwrap->fd < 0) {
+		nwrap->fd = open(nwrap->path, O_RDONLY);
+		if (nwrap->fd < 0) {
+			NWRAP_ERROR(("%s: unable to open '%s' readonly %d:%s\n",
+				     __location__,
+				     nwrap->path, nwrap->fd,
+				     strerror(errno)));
+			return;
+		}
+		NWRAP_VERBOSE(("%s: open '%s'\n", __location__, nwrap->path));
+	}
+
+	ret = fstat(nwrap->fd, &st);
+	if (ret != 0) {
+		NWRAP_ERROR(("%s: fstat(%s) - %d:%s\n",
+			     __location__,
+			     nwrap->path,
+			     ret, strerror(errno)));
+		return;
+	}
+
+	if (retried == false && st.st_nlink == 0) {
+		/* maybe someone has replaced the file... */
+		NWRAP_DEBUG(("%s: st_nlink == 0, reopen %s\n",
+			     __location__, nwrap->path));
+		retried = true;
+		memset(&nwrap->st, 0, sizeof(nwrap->st));
+		close(nwrap->fd);
+		nwrap->fd = -1;
+		goto reopen;
+	}
+
+	if (st.st_mtime == nwrap->st.st_mtime) {
+		NWRAP_VERBOSE(("%s: st_mtime[%u] hasn't changed, skip reload\n",
+			       __location__, (unsigned)st.st_mtime));
+		return;
+	}
+	NWRAP_DEBUG(("%s: st_mtime has changed [%u] => [%u], start reload\n",
+		     __location__, (unsigned)st.st_mtime,
+		     (unsigned)nwrap->st.st_mtime));
+
+	nwrap->st = st;
+
+	nwrap_cache_unload(nwrap);
+
+	ok = nwrap_parse_file(nwrap);
+	if (!ok) {
+		NWRAP_ERROR(("%s: failed to reload %s\n",
+			     __location__, nwrap->path));
+		nwrap_cache_unload(nwrap);
+	}
+	NWRAP_DEBUG(("%s: reloaded %s\n",
+		     __location__, nwrap->path));
+}
+
+/*
+ * the caller has to call nwrap_unload() on failure
+ */
+static bool nwrap_pw_parse_line(struct nwrap_cache *nwrap, char *line)
+{
+	struct nwrap_pw *nwrap_pw;
+	char *c;
+	char *p;
+	char *e;
+	struct passwd *pw;
+	size_t list_size;
+
+	nwrap_pw = (struct nwrap_pw *)nwrap->private_data;
+
+	list_size = sizeof(*nwrap_pw->list) * (nwrap_pw->num+1);
+	pw = (struct passwd *)realloc(nwrap_pw->list, list_size);
+	if (!pw) {
+		NWRAP_ERROR(("%s:realloc(%u) failed\n",
+			     __location__, list_size));
+		return false;
+	}
+	nwrap_pw->list = pw;
+
+	pw = &nwrap_pw->list[nwrap_pw->num];
+
+	c = line;
+
+	/* name */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	pw->pw_name = c;
+	c = p;
+
+	NWRAP_VERBOSE(("name[%s]\n", pw->pw_name));
+
+	/* password */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	pw->pw_passwd = c;
+	c = p;
+
+	NWRAP_VERBOSE(("password[%s]\n", pw->pw_passwd));
+
+	/* uid */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	e = NULL;
+	pw->pw_uid = (uid_t)strtoul(c, &e, 10);
+	if (c == e) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e == NULL) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e[0] != '\0') {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	c = p;
+
+	NWRAP_VERBOSE(("uid[%u]\n", pw->pw_uid));
+
+	/* gid */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	e = NULL;
+	pw->pw_gid = (gid_t)strtoul(c, &e, 10);
+	if (c == e) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e == NULL) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e[0] != '\0') {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	c = p;
+
+	NWRAP_VERBOSE(("gid[%u]\n", pw->pw_gid));
+
+	/* gecos */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	pw->pw_gecos = c;
+	c = p;
+
+	NWRAP_VERBOSE(("gecos[%s]\n", pw->pw_gecos));
+
+	/* dir */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:'%s'\n",__location__,c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	pw->pw_dir = c;
+	c = p;
+
+	NWRAP_VERBOSE(("dir[%s]\n", pw->pw_dir));
+
+	/* shell */
+	pw->pw_shell = c;
+	NWRAP_VERBOSE(("shell[%s]\n", pw->pw_shell));
+
+	NWRAP_DEBUG(("add user[%s:%s:%u:%u:%s:%s:%s]\n",
+		     pw->pw_name, pw->pw_passwd,
+		     pw->pw_uid, pw->pw_gid,
+		     pw->pw_gecos, pw->pw_dir, pw->pw_shell));
+
+	nwrap_pw->num++;
+	return true;
+}
+
+static void nwrap_pw_unload(struct nwrap_cache *nwrap)
+{
+	struct nwrap_pw *nwrap_pw;
+	nwrap_pw = (struct nwrap_pw *)nwrap->private_data;
+
+	if (nwrap_pw->list) free(nwrap_pw->list);
+
+	nwrap_pw->list = NULL;
+	nwrap_pw->num = 0;
+	nwrap_pw->idx = 0;
+}
+
+static int nwrap_pw_copy_r(const struct passwd *src, struct passwd *dst,
+			   char *buf, size_t buflen, struct passwd **dstp)
+{
+	char *first;
+	char *last;
+	off_t ofs;
+
+	first = src->pw_name;
+
+	last = src->pw_shell;
+	while (*last) last++;
+
+	ofs = PTR_DIFF(last + 1, first);
+
+	if (ofs > buflen) {
+		return ERANGE;
+	}
+
+	memcpy(buf, first, ofs);
+
+	ofs = PTR_DIFF(src->pw_name, first);
+	dst->pw_name = buf + ofs;
+	ofs = PTR_DIFF(src->pw_passwd, first);
+	dst->pw_passwd = buf + ofs;
+	dst->pw_uid = src->pw_uid;
+	dst->pw_gid = src->pw_gid;
+	ofs = PTR_DIFF(src->pw_gecos, first);
+	dst->pw_gecos = buf + ofs;
+	ofs = PTR_DIFF(src->pw_dir, first);
+	dst->pw_dir = buf + ofs;
+	ofs = PTR_DIFF(src->pw_shell, first);
+	dst->pw_shell = buf + ofs;
+
+	if (dstp) {
+		*dstp = dst;
+	}
+
+	return 0;
+}
+
+/*
+ * the caller has to call nwrap_unload() on failure
+ */
+static bool nwrap_gr_parse_line(struct nwrap_cache *nwrap, char *line)
+{
+	struct nwrap_gr *nwrap_gr;
+	char *c;
+	char *p;
+	char *e;
+	struct group *gr;
+	size_t list_size;
+	unsigned nummem;
+
+	nwrap_gr = (struct nwrap_gr *)nwrap->private_data;
+
+	list_size = sizeof(*nwrap_gr->list) * (nwrap_gr->num+1);
+	gr = (struct group *)realloc(nwrap_gr->list, list_size);
+	if (!gr) {
+		NWRAP_ERROR(("%s:realloc failed\n",__location__));
+		return false;
+	}
+	nwrap_gr->list = gr;
+
+	gr = &nwrap_gr->list[nwrap_gr->num];
+
+	c = line;
+
+	/* name */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	gr->gr_name = c;
+	c = p;
+
+	NWRAP_VERBOSE(("name[%s]\n", gr->gr_name));
+
+	/* password */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	gr->gr_passwd = c;
+	c = p;
+
+	NWRAP_VERBOSE(("password[%s]\n", gr->gr_passwd));
+
+	/* gid */
+	p = strchr(c, ':');
+	if (!p) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s'\n",
+			     __location__, line, c));
+		return false;
+	}
+	*p = '\0';
+	p++;
+	e = NULL;
+	gr->gr_gid = (gid_t)strtoul(c, &e, 10);
+	if (c == e) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e == NULL) {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	if (e[0] != '\0') {
+		NWRAP_ERROR(("%s:invalid line[%s]: '%s' - %s\n",
+			     __location__, line, c, strerror(errno)));
+		return false;
+	}
+	c = p;
+
+	NWRAP_VERBOSE(("gid[%u]\n", gr->gr_gid));
+
+	/* members */
+	gr->gr_mem = (char **)malloc(sizeof(char *));
+	if (!gr->gr_mem) {
+		NWRAP_ERROR(("%s:calloc failed\n",__location__));
+		return false;
+	}
+	gr->gr_mem[0] = NULL;
+
+	for(nummem=0; p; nummem++) {
+		char **m;
+		size_t m_size;
+		c = p;
+		p = strchr(c, ',');
+		if (p) {
+			*p = '\0';
+			p++;
+		}
+
+		if (strlen(c) == 0) {
+			break;
+		}
+
+		m_size = sizeof(char *) * (nummem+2);
+		m = (char **)realloc(gr->gr_mem, m_size);
+		if (!m) {
+			NWRAP_ERROR(("%s:realloc(%u) failed\n",
+				      __location__, m_size));
+			return false;
+		}
+		gr->gr_mem = m;
+		gr->gr_mem[nummem] = c;
+		gr->gr_mem[nummem+1] = NULL;
+
+		NWRAP_VERBOSE(("member[%u]: '%s'\n", nummem, gr->gr_mem[nummem]));
+	}
+
+	NWRAP_DEBUG(("add group[%s:%s:%u:] with %u members\n",
+		     gr->gr_name, gr->gr_passwd, gr->gr_gid, nummem));
+
+	nwrap_gr->num++;
+	return true;
+}
+
+static void nwrap_gr_unload(struct nwrap_cache *nwrap)
+{
+	int i;
+	struct nwrap_gr *nwrap_gr;
+	nwrap_gr = (struct nwrap_gr *)nwrap->private_data;
+
+	if (nwrap_gr->list) {
+		for (i=0; i < nwrap_gr->num; i++) {
+			if (nwrap_gr->list[i].gr_mem) {
+				free(nwrap_gr->list[i].gr_mem);
+			}
+		}
+		free(nwrap_gr->list);
+	}
+
+	nwrap_gr->list = NULL;
+	nwrap_gr->num = 0;
+	nwrap_gr->idx = 0;
+}
+
+static int nwrap_gr_copy_r(const struct group *src, struct group *dst,
+			   char *buf, size_t buflen, struct group **dstp)
+{
+	char *first;
+	char **lastm;
+	char *last;
+	off_t ofsb;
+	off_t ofsm;
+	off_t ofs;
+	unsigned i;
+
+	first = src->gr_name;
+
+	lastm = src->gr_mem;
+	while (*lastm) lastm++;
+
+	last = *lastm;
+	while (*last) last++;
+
+	ofsb = PTR_DIFF(last + 1, first);
+	ofsm = PTR_DIFF(lastm + 1, src->gr_mem);
+
+	if ((ofsb + ofsm) > buflen) {
+		return ERANGE;
+	}
+
+	memcpy(buf, first, ofsb);
+	memcpy(buf + ofsb, src->gr_mem, ofsm);
+
+	ofs = PTR_DIFF(src->gr_name, first);
+	dst->gr_name = buf + ofs;
+	ofs = PTR_DIFF(src->gr_passwd, first);
+	dst->gr_passwd = buf + ofs;
+	dst->gr_gid = src->gr_gid;
+
+	dst->gr_mem = (char **)(buf + ofsb);
+	for (i=0; src->gr_mem[i]; i++) {
+		ofs = PTR_DIFF(src->gr_mem[i], first);
+		dst->gr_mem[i] = buf + ofs;
+	}
+
+	if (dstp) {
+		*dstp = dst;
+	}
+
+	return 0;
+}
+
+/* user functions */
+_PUBLIC_ struct passwd *nwrap_getpwnam(const char *name)
+{
+	int i;
+
+	if (!nwrap_enabled()) {
+		return real_getpwnam(name);
+	}
+
+	nwrap_cache_reload(nwrap_pw_global.cache);
+
+	for (i=0; i<nwrap_pw_global.num; i++) {
+		if (strcmp(nwrap_pw_global.list[i].pw_name, name) == 0) {
+			NWRAP_DEBUG(("%s: user[%s] found\n",
+				     __location__, name));
+			return &nwrap_pw_global.list[i];
+		}
+		NWRAP_VERBOSE(("%s: user[%s] does not match [%s]\n",
+			       __location__, name,
+			       nwrap_pw_global.list[i].pw_name));
+	}
+
+	NWRAP_DEBUG(("%s: user[%s] not found\n", __location__, name));
+
+	errno = ENOENT;
+	return NULL;
+}
+
+_PUBLIC_ int nwrap_getpwnam_r(const char *name, struct passwd *pwdst,
+			      char *buf, size_t buflen, struct passwd **pwdstp)
+{
+	struct passwd *pw;
+
+	if (!nwrap_enabled()) {
+		return real_getpwnam_r(name, pwdst, buf, buflen, pwdstp);
+	}
+
+	pw = nwrap_getpwnam(name);
+	if (!pw) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_pw_copy_r(pw, pwdst, buf, buflen, pwdstp);
+}
+
+_PUBLIC_ struct passwd *nwrap_getpwuid(uid_t uid)
+{
+	int i;
+
+	if (!nwrap_enabled()) {
+		return real_getpwuid(uid);
+	}
+
+	nwrap_cache_reload(nwrap_pw_global.cache);
+
+	for (i=0; i<nwrap_pw_global.num; i++) {
+		if (nwrap_pw_global.list[i].pw_uid == uid) {
+			NWRAP_DEBUG(("%s: uid[%u] found\n",
+				     __location__, uid));
+			return &nwrap_pw_global.list[i];
+		}
+		NWRAP_VERBOSE(("%s: uid[%u] does not match [%u]\n",
+			       __location__, uid,
+			       nwrap_pw_global.list[i].pw_uid));
+	}
+
+	NWRAP_DEBUG(("%s: uid[%u] not found\n", __location__, uid));
+
+	errno = ENOENT;
+	return NULL;
+}
+
+_PUBLIC_ int nwrap_getpwuid_r(uid_t uid, struct passwd *pwdst,
+			      char *buf, size_t buflen, struct passwd **pwdstp)
+{
+	struct passwd *pw;
+
+	if (!nwrap_enabled()) {
+		return real_getpwuid_r(uid, pwdst, buf, buflen, pwdstp);
+	}
+
+	pw = nwrap_getpwuid(uid);
+	if (!pw) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_pw_copy_r(pw, pwdst, buf, buflen, pwdstp);
+}
+
+/* user enum functions */
+_PUBLIC_ void nwrap_setpwent(void)
+{
+	if (!nwrap_enabled()) {
+		real_setpwent();
+	}
+
+	nwrap_pw_global.idx = 0;
+}
+
+_PUBLIC_ struct passwd *nwrap_getpwent(void)
+{
+	struct passwd *pw;
+
+	if (!nwrap_enabled()) {
+		return real_getpwent();
+	}
+
+	if (nwrap_pw_global.idx == 0) {
+		nwrap_cache_reload(nwrap_pw_global.cache);
+	}
+
+	if (nwrap_pw_global.idx >= nwrap_pw_global.num) {
+		errno = ENOENT;
+		return NULL;
+	}
+
+	pw = &nwrap_pw_global.list[nwrap_pw_global.idx++];
+
+	NWRAP_VERBOSE(("%s: return user[%s] uid[%u]\n",
+		       __location__, pw->pw_name, pw->pw_uid));
+
+	return pw;
+}
+
+_PUBLIC_ int nwrap_getpwent_r(struct passwd *pwdst, char *buf,
+			      size_t buflen, struct passwd **pwdstp)
+{
+	struct passwd *pw;
+
+	if (!nwrap_enabled()) {
+#ifdef SOLARIS_GETPWENT_R
+		pw = real_getpwent_r(pwdst, buf, buflen);
+		if (!pw) {
+			if (errno == 0) {
+				return ENOENT;
+			}
+			return errno;
+		}
+		if (pwdstp) {
+			*pwdstp = pw;
+		}
+		return 0;
+#else
+		return real_getpwent_r(pwdst, buf, buflen, pwdstp);
+#endif
+	}
+
+	pw = nwrap_getpwent();
+	if (!pw) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_pw_copy_r(pw, pwdst, buf, buflen, pwdstp);
+}
+
+_PUBLIC_ void nwrap_endpwent(void)
+{
+	if (!nwrap_enabled()) {
+		real_endpwent();
+	}
+
+	nwrap_pw_global.idx = 0;
+}
+
+/* misc functions */
+_PUBLIC_ int nwrap_initgroups(const char *user, gid_t group)
+{
+	if (!nwrap_enabled()) {
+		return real_initgroups(user, group);
+	}
+
+	/* TODO: maybe we should also fake this... */
+	return EPERM;
+}
+
+/* group functions */
+_PUBLIC_ struct group *nwrap_getgrnam(const char *name)
+{
+	int i;
+
+	if (!nwrap_enabled()) {
+		return real_getgrnam(name);
+	}
+
+	nwrap_cache_reload(nwrap_gr_global.cache);
+
+	for (i=0; i<nwrap_gr_global.num; i++) {
+		if (strcmp(nwrap_gr_global.list[i].gr_name, name) == 0) {
+			NWRAP_DEBUG(("%s: group[%s] found\n",
+				     __location__, name));
+			return &nwrap_gr_global.list[i];
+		}
+		NWRAP_VERBOSE(("%s: group[%s] does not match [%s]\n",
+			       __location__, name,
+			       nwrap_gr_global.list[i].gr_name));
+	}
+
+	NWRAP_DEBUG(("%s: group[%s] not found\n", __location__, name));
+
+	errno = ENOENT;
+	return NULL;
+}
+
+_PUBLIC_ int nwrap_getgrnam_r(const char *name, struct group *grdst,
+			      char *buf, size_t buflen, struct group **grdstp)
+{
+	struct group *gr;
+
+	if (!nwrap_enabled()) {
+		return real_getgrnam_r(name, grdst, buf, buflen, grdstp);
+	}
+
+	gr = nwrap_getgrnam(name);
+	if (!gr) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_gr_copy_r(gr, grdst, buf, buflen, grdstp);
+}
+
+_PUBLIC_ struct group *nwrap_getgrgid(gid_t gid)
+{
+	int i;
+
+	if (!nwrap_enabled()) {
+		return real_getgrgid(gid);
+	}
+
+	nwrap_cache_reload(nwrap_gr_global.cache);
+
+	for (i=0; i<nwrap_gr_global.num; i++) {
+		if (nwrap_gr_global.list[i].gr_gid == gid) {
+			NWRAP_DEBUG(("%s: gid[%u] found\n",
+				     __location__, gid));
+			return &nwrap_gr_global.list[i];
+		}
+		NWRAP_VERBOSE(("%s: gid[%u] does not match [%u]\n",
+			       __location__, gid,
+			       nwrap_gr_global.list[i].gr_gid));
+	}
+
+	NWRAP_DEBUG(("%s: gid[%u] not found\n", __location__, gid));
+
+	errno = ENOENT;
+	return NULL;
+}
+
+_PUBLIC_ int nwrap_getgrgid_r(gid_t gid, struct group *grdst,
+			      char *buf, size_t buflen, struct group **grdstp)
+{
+	struct group *gr;
+
+	if (!nwrap_enabled()) {
+		return real_getgrgid_r(gid, grdst, buf, buflen, grdstp);
+	}
+
+	gr = nwrap_getgrgid(gid);
+	if (!gr) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_gr_copy_r(gr, grdst, buf, buflen, grdstp);
+
+	return ENOENT;
+}
+
+/* group enum functions */
+_PUBLIC_ void nwrap_setgrent(void)
+{
+	if (!nwrap_enabled()) {
+		real_setgrent();
+	}
+
+	nwrap_gr_global.idx = 0;
+}
+
+_PUBLIC_ struct group *nwrap_getgrent(void)
+{
+	struct group *gr;
+
+	if (!nwrap_enabled()) {
+		return real_getgrent();
+	}
+
+	if (nwrap_gr_global.idx == 0) {
+		nwrap_cache_reload(nwrap_gr_global.cache);
+	}
+
+	if (nwrap_gr_global.idx >= nwrap_gr_global.num) {
+		errno = ENOENT;
+		return NULL;
+	}
+
+	gr = &nwrap_gr_global.list[nwrap_gr_global.idx++];
+
+	NWRAP_VERBOSE(("%s: return group[%s] gid[%u]\n",
+		       __location__, gr->gr_name, gr->gr_gid));
+
+	return gr;
+}
+
+_PUBLIC_ int nwrap_getgrent_r(struct group *grdst, char *buf,
+			      size_t buflen, struct group **grdstp)
+{
+	struct group *gr;
+
+	if (!nwrap_enabled()) {
+#ifdef SOLARIS_GETGRENT_R
+		gr = real_getgrent_r(grdst, buf, buflen);
+		if (!gr) {
+			if (errno == 0) {
+				return ENOENT;
+			}
+			return errno;
+		}
+		if (grdstp) {
+			*grdstp = gr;
+		}
+		return 0;
+#else
+		return real_getgrent_r(grdst, buf, buflen, grdstp);
+#endif
+	}
+
+	gr = nwrap_getgrent();
+	if (!gr) {
+		if (errno == 0) {
+			return ENOENT;
+		}
+		return errno;
+	}
+
+	return nwrap_gr_copy_r(gr, grdst, buf, buflen, grdstp);
+}
+
+_PUBLIC_ void nwrap_endgrent(void)
+{
+	if (!nwrap_enabled()) {
+		real_endgrent();
+	}
+
+	nwrap_gr_global.idx = 0;
+}
diff --git a/source3/lib/nss_wrapper/nss_wrapper.h b/source3/lib/nss_wrapper/nss_wrapper.h
new file mode 100644
index 0000000000..35a47348a8
--- /dev/null
+++ b/source3/lib/nss_wrapper/nss_wrapper.h
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) Stefan Metzmacher 2007 <metze@samba.org>
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef __NSS_WRAPPER_H__
+#define __NSS_WRAPPER_H__
+
+struct passwd *nwrap_getpwnam(const char *name);
+int nwrap_getpwnam_r(const char *name, struct passwd *pwbuf,
+		     char *buf, size_t buflen, struct passwd **pwbufp);
+struct passwd *nwrap_getpwuid(uid_t uid);
+int nwrap_getpwuid_r(uid_t uid, struct passwd *pwbuf,
+		     char *buf, size_t buflen, struct passwd **pwbufp);
+void nwrap_setpwent(void);
+struct passwd *nwrap_getpwent(void);
+int nwrap_getpwent_r(struct passwd *pwbuf, char *buf,
+		     size_t buflen, struct passwd **pwbufp);
+void nwrap_endpwent(void);
+int nwrap_initgroups(const char *user, gid_t group);
+struct group *nwrap_getgrnam(const char *name);
+int nwrap_getgrnam_r(const char *name, struct group *gbuf,
+		     char *buf, size_t buflen, struct group **gbufp);
+struct group *nwrap_getgrgid(gid_t gid);
+int nwrap_getgrgid_r(gid_t gid, struct group *gbuf,
+		     char *buf, size_t buflen, struct group **gbufp);
+void nwrap_setgrent(void);
+struct group *nwrap_getgrent(void);
+int nwrap_getgrent_r(struct group *gbuf, char *buf,
+		     size_t buflen, struct group **gbufp);
+void nwrap_endgrent(void);
+
+#ifdef NSS_WRAPPER_REPLACE
+
+#ifdef getpwnam
+#undef getpwnam
+#endif
+#define getpwnam	nwrap_getpwnam
+
+#ifdef getpwnam_r
+#undef getpwnam_r
+#endif
+#define getpwnam_r	nwrap_getpwnam_r
+
+#ifdef getpwuid
+#undef getpwuid
+#endif
+#define getpwuid	nwrap_getpwuid
+
+#ifdef getpwuid_r
+#undef getpwuid_r
+#endif
+#define getpwuid_r	nwrap_getpwuid_r
+
+#ifdef setpwent
+#undef setpwent
+#endif
+#define setpwent	nwrap_setpwent
+
+#ifdef getpwent
+#undef getpwent
+#endif
+#define getpwent	nwrap_getpwent
+
+#ifdef getpwent_r
+#undef getpwent_r
+#endif
+#define getpwent_r	nwrap_getpwent_r
+
+#ifdef endpwent
+#undef endpwent
+#endif
+#define endpwent	nwrap_endpwent
+
+#ifdef getgrlst
+#undef getgrlst
+#endif
+#define getgrlst	__none_nwrap_getgrlst
+
+#ifdef getgrlst_r
+#undef getgrlst_r
+#endif
+#define getgrlst_r	__none_nwrap_getgrlst_r
+
+#ifdef initgroups_dyn
+#undef initgroups_dyn
+#endif
+#define initgroups_dyn	__none_nwrap_initgroups_dyn
+
+#ifdef initgroups
+#undef initgroups
+#endif
+#define initgroups	nwrap_initgroups
+
+#ifdef getgrnam
+#undef getgrnam
+#endif
+#define getgrnam	nwrap_getgrnam
+
+#ifdef getgrnam_r
+#undef getgrnam_r
+#endif
+#define getgrnam_r	nwrap_getgrnam_r
+
+#ifdef getgrgid
+#undef getgrgid
+#endif
+#define getgrgid	nwrap_getgrgid
+
+#ifdef getgrgid_r
+#undef getgrgid_r
+#endif
+#define getgrgid_r	nwrap_getgrgid_r
+
+#ifdef setgrent
+#undef setgrent
+#endif
+#define setgrent	nwrap_setgrent
+
+#ifdef getgrent
+#undef getgrent
+#endif
+#define getgrent	nwrap_getgrent
+
+#ifdef getgrent_r
+#undef getgrent_r
+#endif
+#define getgrent_r	nwrap_getgrent_r
+
+#ifdef endgrent
+#undef endgrent
+#endif
+#define endgrent	nwrap_endgrent
+
+#endif /* NSS_WRAPPER_REPLACE */
+
+#endif /* __NSS_WRAPPER_H__ */
diff --git a/source3/lib/nss_wrapper/nss_wrapper.pl b/source3/lib/nss_wrapper/nss_wrapper.pl
new file mode 100644
index 0000000000..b1c9be5365
--- /dev/null
+++ b/source3/lib/nss_wrapper/nss_wrapper.pl
@@ -0,0 +1,265 @@
+#!/usr/bin/perl
+#
+
+use strict;
+
+use Getopt::Long;
+use Cwd qw(abs_path);
+
+my $opt_help = 0;
+my $opt_path = undef;
+my $opt_action = undef;
+my $opt_type = undef;
+my $opt_name = undef;
+
+my $passwdfn = undef;
+my $groupfn = undef;
+my $actionfn = undef;
+
+sub passwd_add($$);
+sub passwd_delete($$);
+sub group_add($$);
+sub group_delete($$);
+
+my $result = GetOptions(
+	'help|h|?'	=> \$opt_help,
+	'path=s'	=> \$opt_path,
+	'action=s'	=> \$opt_action,
+	'type=s'	=> \$opt_type,
+	'name=s'	=> \$opt_name
+);
+
+sub usage($;$)
+{
+	my ($ret, $msg) = @_;
+
+	print $msg."\n\n" if defined($msg);
+
+	print "usage:
+
+	--help|-h|-?		Show this help.
+
+	--path <path>		Path of the 'passwd' or 'group' file.
+
+	--type <type>		Only 'passwd' is supported yet,
+				but 'group' and maybe 'member' will be added
+				in future.
+
+	--action <action>	'add' or 'delete'.
+
+	--name <name>		The name of the object.
+";
+	exit($ret);
+}
+
+usage(1) if (not $result);
+
+usage(0) if ($opt_help);
+
+if (not defined($opt_path)) {
+	usage(1, "missing: --path <path>");
+}
+if ($opt_path eq "" or $opt_path eq "/") {
+	usage(1, "invalid: --path <path>: '$opt_path'");
+}
+my $opt_fullpath = abs_path($opt_path);
+if (not defined($opt_fullpath)) {
+	usage(1, "invalid: --path <path>: '$opt_path'");
+}
+
+
+if (not defined($opt_action)) {
+	usage(1, "missing: --action [add|delete]");
+}
+if ($opt_action eq "add") {
+	$passwdfn = \&passwd_add;
+	$groupfn = \&group_add;
+} elsif ($opt_action eq "delete") {
+	$passwdfn = \&passwd_delete;
+	$groupfn = \&group_delete;
+} else {
+	usage(1, "invalid: --action [add|delete]: '$opt_action'");
+}
+
+if (not defined($opt_type)) {
+	usage(1, "missing: --type [passwd|group]");
+}
+if ($opt_type eq "passwd") {
+	$actionfn = $passwdfn;
+} elsif ($opt_type eq "group") {
+	$actionfn = $groupfn;
+} else {
+	usage(1, "invalid: --type [passwd|group]: '$opt_type'")
+}
+
+if (not defined($opt_name)) {
+	usage(1, "missing: --name <name>");
+}
+if ($opt_name eq "") {
+	usage(1, "invalid: --name <name>");
+}
+
+exit $actionfn->($opt_fullpath, $opt_name);
+
+sub passwd_add_entry($$);
+
+sub passwd_load($)
+{
+	my ($path) = @_;
+	my @lines;
+	my $passwd = undef;
+
+	open(PWD, "<$path") or die("Unable to open '$path' for read");
+	@lines = <PWD>;
+	close(PWD);
+
+	$passwd->{array} = ();
+	$passwd->{name} = {};
+	$passwd->{uid} = {};
+	$passwd->{path} = $path;
+
+	foreach my $line (@lines) {
+		passwd_add_entry($passwd, $line);
+	}
+
+	return $passwd;
+}
+
+sub passwd_lookup_name($$)
+{
+	my ($passwd, $name) = @_;
+
+	return undef unless defined($passwd->{name}{$name});
+
+	return $passwd->{name}{$name};
+}
+
+sub passwd_lookup_uid($$)
+{
+	my ($passwd, $uid) = @_;
+
+	return undef unless defined($passwd->{uid}{$uid});
+
+	return $passwd->{uid}{$uid};
+}
+
+sub passwd_get_free_uid($)
+{
+	my ($passwd) = @_;
+	my $uid = 1000;
+
+	while (passwd_lookup_uid($passwd, $uid)) {
+		$uid++;
+	}
+
+	return $uid;
+}
+
+sub passwd_add_entry($$)
+{
+	my ($passwd, $str) = @_;
+
+	chomp $str;
+	my @e = split(':', $str);
+
+	push(@{$passwd->{array}}, \@e);
+	$passwd->{name}{$e[0]} = \@e;
+	$passwd->{uid}{$e[2]} = \@e;
+}
+
+sub passwd_remove_entry($$)
+{
+	my ($passwd, $eref) = @_;
+
+	for(my $i; defined($passwd->{array}[$i]); $i++) {
+		if ($eref == $passwd->{array}[$i]) {
+			$passwd->{array}[$i] = undef;
+		}
+	}
+
+	delete $passwd->{name}{${$eref}[0]};
+	delete $passwd->{uid}{${$eref}[2]};
+}
+
+sub passwd_save($)
+{
+	my ($passwd) = @_;
+	my @lines = ();
+	my $path = $passwd->{path};
+	my $tmppath = $path.$$;
+
+	foreach my $eref (@{$passwd->{array}}) {
+		next unless defined($eref);
+
+		my $line = join(':', @{$eref});
+		push(@lines, $line);
+	}
+
+	open(PWD, ">$tmppath") or die("Unable to open '$tmppath' for write");
+	print PWD join("\n", @lines)."\n";
+	close(PWD);
+	rename($tmppath, $path) or die("Unable to rename $tmppath => $path");
+}
+
+sub passwd_add($$)
+{
+	my ($path, $name) = @_;
+
+	#print "passwd_add: '$name' in '$path'\n";
+
+	my $passwd = passwd_load($path);
+
+	my $e = passwd_lookup_name($passwd, $name);
+	die("account[$name] already exists in '$path'") if defined($e);
+
+	my $uid = passwd_get_free_uid($passwd);
+	my $gid = 65534;# nogroup gid
+
+	my $pwent = $name.":x:".$uid.":".$gid.":".$name." gecos:/nodir:/bin/false";
+
+	passwd_add_entry($passwd, $pwent);
+
+	passwd_save($passwd);
+
+	return 0;
+}
+
+sub passwd_delete($$)
+{
+	my ($path, $name) = @_;
+
+	#print "passwd_delete: '$name' in '$path'\n";
+
+	my $passwd = passwd_load($path);
+
+	my $e = passwd_lookup_name($passwd, $name);
+	die("account[$name] does not exists in '$path'") unless defined($e);
+
+	passwd_remove_entry($passwd, $e);
+
+	passwd_save($passwd);
+
+	return 0;
+}
+
+sub group_add($$)
+{
+	my ($path, $name) = @_;
+
+	#print "group_add: '$name' in '$path'\n";
+
+	die("group_add: not implemented yet!");
+
+	return 0;
+}
+
+sub group_delete($$)
+{
+	my ($path, $name) = @_;
+
+	#print "group_delete: '$name' in '$path'\n";
+
+	die("group_delete: not implemented yet!");
+
+	return 0;
+}
diff --git a/source3/lib/packet.c b/source3/lib/packet.c
new file mode 100644
index 0000000000..e0486165f3
--- /dev/null
+++ b/source3/lib/packet.c
@@ -0,0 +1,257 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Packet handling
+   Copyright (C) Volker Lendecke 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+struct packet_context {
+	int fd;
+	struct data_blob in, out;
+};
+
+/*
+ * Close the underlying fd
+ */
+static int packet_context_destructor(struct packet_context *ctx)
+{
+	return close(ctx->fd);
+}
+
+/*
+ * Initialize a packet context. The fd is given to the packet context, meaning
+ * that it is automatically closed when the packet context is freed.
+ */
+struct packet_context *packet_init(TALLOC_CTX *mem_ctx, int fd)
+{
+	struct packet_context *result;
+
+	if (!(result = TALLOC_ZERO_P(mem_ctx, struct packet_context))) {
+		return NULL;
+	}
+
+	result->fd = fd;
+	talloc_set_destructor(result, packet_context_destructor);
+	return result;
+}
+
+/*
+ * Pull data from the fd
+ */
+NTSTATUS packet_fd_read(struct packet_context *ctx)
+{
+	int res, available;
+	size_t new_size;
+	uint8 *in;
+
+	res = ioctl(ctx->fd, FIONREAD, &available);
+
+	if (res == -1) {
+		DEBUG(10, ("ioctl(FIONREAD) failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	SMB_ASSERT(available >= 0);
+
+	if (available == 0) {
+		return NT_STATUS_END_OF_FILE;
+	}
+
+	new_size = ctx->in.length + available;
+
+	if (new_size < ctx->in.length) {
+		DEBUG(0, ("integer wrap\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!(in = TALLOC_REALLOC_ARRAY(ctx, ctx->in.data, uint8, new_size))) {
+		DEBUG(10, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ctx->in.data = in;
+
+	res = recv(ctx->fd, in + ctx->in.length, available, 0);
+
+	if (res < 0) {
+		DEBUG(10, ("recv failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	if (res == 0) {
+		return NT_STATUS_END_OF_FILE;
+	}
+
+	ctx->in.length += res;
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS packet_fd_read_sync(struct packet_context *ctx)
+{
+	int res;
+	fd_set r_fds;
+
+	FD_ZERO(&r_fds);
+	FD_SET(ctx->fd, &r_fds);
+
+	res = sys_select(ctx->fd+1, &r_fds, NULL, NULL, NULL);
+
+	if (res == -1) {
+		DEBUG(10, ("select returned %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	return packet_fd_read(ctx);
+}
+
+bool packet_handler(struct packet_context *ctx,
+		    bool (*full_req)(const struct data_blob *data,
+				     size_t *length,
+				     void *private_data),
+		    NTSTATUS (*callback)(const struct data_blob *data,
+					 void *private_data),
+		    void *private_data,
+		    NTSTATUS *status)
+{
+	size_t length;
+	struct data_blob data;
+
+	if (!full_req(&ctx->in, &length, private_data)) {
+		return False;
+	}
+
+	SMB_ASSERT(length <= ctx->in.length);
+
+	data = data_blob(ctx->in.data, length);
+
+	memmove(ctx->in.data, ctx->in.data + length,
+		ctx->in.length - length);
+	ctx->in.length -= length;
+
+	*status = callback(&data, private_data);
+
+	data_blob_free(&data);
+
+	return True;
+}
+
+/*
+ * How many bytes of outgoing data do we have pending?
+ */
+size_t packet_outgoing_bytes(struct packet_context *ctx)
+{
+	return ctx->out.length;
+}
+
+/*
+ * Push data to the fd
+ */
+NTSTATUS packet_fd_write(struct packet_context *ctx)
+{
+	ssize_t sent;
+
+	sent = send(ctx->fd, ctx->out.data, ctx->out.length, 0);
+
+	if (sent == -1) {
+		DEBUG(0, ("send failed: %s\n", strerror(errno)));
+		return map_nt_error_from_unix(errno);
+	}
+
+	memmove(ctx->out.data, ctx->out.data + sent,
+		ctx->out.length - sent);
+	ctx->out.length -= sent;
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Sync flush all outgoing bytes
+ */
+NTSTATUS packet_flush(struct packet_context *ctx)
+{
+	while (ctx->out.length != 0) {
+		NTSTATUS status = packet_fd_write(ctx);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
+	return NT_STATUS_OK;
+}
+
+/*
+ * Send a list of DATA_BLOBs
+ *
+ * Example:  packet_send(ctx, 2, data_blob_const(&size, sizeof(size)),
+ *			 data_blob_const(buf, size));
+ */
+NTSTATUS packet_send(struct packet_context *ctx, int num_blobs, ...)
+{
+	va_list ap;
+	int i;
+	size_t len;
+	uint8 *out;
+
+	len = ctx->out.length;
+
+	va_start(ap, num_blobs);
+	for (i=0; i<num_blobs; i++) {
+		size_t tmp;
+		struct data_blob blob = va_arg(ap, struct data_blob);
+
+		tmp = len + blob.length;
+		if (tmp < len) {
+			DEBUG(0, ("integer overflow\n"));
+			va_end(ap);
+			return NT_STATUS_NO_MEMORY;
+		}
+		len = tmp;
+	}
+	va_end(ap);
+
+	if (len == 0) {
+		return NT_STATUS_OK;
+	}
+
+	if (!(out = TALLOC_REALLOC_ARRAY(ctx, ctx->out.data, uint8, len))) {
+		DEBUG(0, ("talloc failed\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ctx->out.data = out;
+
+	va_start(ap, num_blobs);
+	for (i=0; i<num_blobs; i++) {
+		struct data_blob blob = va_arg(ap, struct data_blob);
+
+		memcpy(ctx->out.data+ctx->out.length, blob.data, blob.length);
+		ctx->out.length += blob.length;
+	}
+	va_end(ap);
+
+	SMB_ASSERT(ctx->out.length == len);
+	return NT_STATUS_OK;
+}
+
+/*
+ * Get the packet context's file descriptor
+ */
+int packet_get_fd(struct packet_context *ctx)
+{
+	return ctx->fd;
+}
+
diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c
new file mode 100644
index 0000000000..1073f269e5
--- /dev/null
+++ b/source3/lib/pam_errors.c
@@ -0,0 +1,139 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  PAM error mapping functions
+ *  Copyright (C) Andrew Bartlett 2002
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#ifdef WITH_PAM
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined(HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+
+#if defined(PAM_AUTHTOK_RECOVERY_ERR) && !defined(PAM_AUTHTOK_RECOVER_ERR)
+#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
+#endif	
+
+/* PAM -> NT_STATUS map */
+static const struct {
+	int pam_code;
+	NTSTATUS ntstatus;
+} pam_to_nt_status_map[] = {
+	{PAM_OPEN_ERR, NT_STATUS_UNSUCCESSFUL},
+	{PAM_SYMBOL_ERR, NT_STATUS_UNSUCCESSFUL},
+	{PAM_SERVICE_ERR, NT_STATUS_UNSUCCESSFUL},
+	{PAM_SYSTEM_ERR,  NT_STATUS_UNSUCCESSFUL},
+	{PAM_BUF_ERR, NT_STATUS_NO_MEMORY},
+	{PAM_PERM_DENIED, NT_STATUS_ACCESS_DENIED},
+	{PAM_AUTH_ERR, NT_STATUS_WRONG_PASSWORD},
+	{PAM_CRED_INSUFFICIENT, NT_STATUS_INSUFFICIENT_LOGON_INFO}, /* FIXME:  Is this correct? */
+	{PAM_AUTHINFO_UNAVAIL, NT_STATUS_LOGON_FAILURE},
+	{PAM_USER_UNKNOWN, NT_STATUS_NO_SUCH_USER},
+	{PAM_MAXTRIES, NT_STATUS_REMOTE_SESSION_LIMIT}, /* FIXME:  Is this correct? */
+	{PAM_NEW_AUTHTOK_REQD, NT_STATUS_PASSWORD_MUST_CHANGE},
+	{PAM_ACCT_EXPIRED, NT_STATUS_ACCOUNT_EXPIRED},
+	{PAM_SESSION_ERR, NT_STATUS_INSUFFICIENT_RESOURCES},
+	{PAM_CRED_UNAVAIL, NT_STATUS_NO_TOKEN},  /* FIXME:  Is this correct? */
+	{PAM_CRED_EXPIRED, NT_STATUS_PASSWORD_EXPIRED},  /* FIXME:  Is this correct? */
+	{PAM_CRED_ERR, NT_STATUS_UNSUCCESSFUL},
+	{PAM_AUTHTOK_ERR, NT_STATUS_UNSUCCESSFUL},
+#ifdef PAM_AUTHTOK_RECOVER_ERR
+	{PAM_AUTHTOK_RECOVER_ERR, NT_STATUS_UNSUCCESSFUL},
+#endif
+	{PAM_AUTHTOK_EXPIRED, NT_STATUS_PASSWORD_EXPIRED},
+	{PAM_SUCCESS, NT_STATUS_OK}
+};
+
+/* NT_STATUS -> PAM map */
+static const struct {
+	NTSTATUS ntstatus;
+	int pam_code;
+} nt_status_to_pam_map[] = {
+	{NT_STATUS_UNSUCCESSFUL, PAM_SYSTEM_ERR},
+	{NT_STATUS_NO_SUCH_USER, PAM_USER_UNKNOWN},
+	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
+	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
+	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
+	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
+	{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
+	{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
+	{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+	{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_INVALID_WORKSTATION, PAM_PERM_DENIED},
+	{NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT, PAM_AUTHINFO_UNAVAIL},
+	{NT_STATUS_OK, PAM_SUCCESS}
+};
+
+/*****************************************************************************
+convert a PAM error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS pam_to_nt_status(int pam_error)
+{
+	int i;
+	if (pam_error == 0) return NT_STATUS_OK;
+	
+	for (i=0; NT_STATUS_V(pam_to_nt_status_map[i].ntstatus); i++) {
+		if (pam_error == pam_to_nt_status_map[i].pam_code)
+			return pam_to_nt_status_map[i].ntstatus;
+	}
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*****************************************************************************
+convert an NT status32 code to a PAM error
+ *****************************************************************************/
+int nt_status_to_pam(NTSTATUS nt_status)
+{
+	int i;
+	if NT_STATUS_IS_OK(nt_status) return PAM_SUCCESS;
+	
+	for (i=0; NT_STATUS_V(nt_status_to_pam_map[i].ntstatus); i++) {
+		if (NT_STATUS_EQUAL(nt_status,nt_status_to_pam_map[i].ntstatus))
+			return nt_status_to_pam_map[i].pam_code;
+	}
+	return PAM_SYSTEM_ERR;
+}
+
+#else 
+
+/*****************************************************************************
+convert a PAM error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS pam_to_nt_status(int pam_error)
+{
+	if (pam_error == 0) return NT_STATUS_OK;
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*****************************************************************************
+convert an NT status32 code to a PAM error
+ *****************************************************************************/
+int nt_status_to_pam(NTSTATUS nt_status)
+{
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) return 0;
+	return 4; /* PAM_SYSTEM_ERR */
+}
+
+#endif
+
diff --git a/source3/lib/pidfile.c b/source3/lib/pidfile.c
new file mode 100644
index 0000000000..f49f8afbb6
--- /dev/null
+++ b/source3/lib/pidfile.c
@@ -0,0 +1,147 @@
+/* this code is broken - there is a race condition with the unlink (tridge) */
+
+/* 
+   Unix SMB/CIFS implementation.
+   pidfile handling
+   Copyright (C) Andrew Tridgell 1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifndef O_NONBLOCK
+#define O_NONBLOCK
+#endif
+
+/* return the pid in a pidfile. return 0 if the process (or pidfile)
+   does not exist */
+pid_t pidfile_pid(const char *name)
+{
+	int fd;
+	char pidstr[20];
+	pid_t pid;
+	unsigned int ret;
+	char * pidFile;
+
+	if (asprintf(&pidFile, "%s/%s.pid", lp_piddir(), name) == -1) {
+		return 0;
+	}
+
+	fd = sys_open(pidFile, O_NONBLOCK | O_RDONLY, 0644);
+	if (fd == -1) {
+		SAFE_FREE(pidFile);
+		return 0;
+	}
+
+	ZERO_ARRAY(pidstr);
+
+	if (read(fd, pidstr, sizeof(pidstr)-1) <= 0) {
+		goto noproc;
+	}
+
+	ret = atoi(pidstr);
+
+	if (ret == 0) {
+		/* Obviously we had some garbage in the pidfile... */
+		DEBUG(1, ("Could not parse contents of pidfile %s\n",
+			  pidFile));
+		goto noproc;
+	}
+	
+	pid = (pid_t)ret;
+	if (!process_exists_by_pid(pid)) {
+		goto noproc;
+	}
+
+	if (fcntl_lock(fd,SMB_F_SETLK,0,1,F_RDLCK)) {
+		/* we could get the lock - it can't be a Samba process */
+		goto noproc;
+	}
+
+	SAFE_FREE(pidFile);
+	close(fd);
+	return (pid_t)ret;
+
+ noproc:
+	close(fd);
+	unlink(pidFile);
+	SAFE_FREE(pidFile);
+	return 0;
+}
+
+/* create a pid file in the pid directory. open it and leave it locked */
+void pidfile_create(const char *program_name)
+{
+	int     fd;
+	char    buf[20];
+	const char    *short_configfile;
+	char *name;
+	char *pidFile;
+	pid_t pid;
+
+	/* Add a suffix to the program name if this is a process with a
+	 * none default configuration file name. */
+	if (strcmp( CONFIGFILE, get_dyn_CONFIGFILE()) == 0) {
+		name = SMB_STRDUP(program_name);
+	} else {
+		short_configfile = strrchr( get_dyn_CONFIGFILE(), '/');
+		if (short_configfile == NULL) {
+			/* conf file in current directory */
+			short_configfile = get_dyn_CONFIGFILE();
+		} else {
+			/* full/relative path provided */
+			short_configfile++;
+		}
+		if (asprintf(&name, "%s-%s", program_name,
+			     short_configfile) == -1) {
+			smb_panic("asprintf failed");
+		}
+	}
+
+	if (asprintf(&pidFile, "%s/%s.pid", lp_piddir(), name) == -1) {
+		smb_panic("asprintf failed");
+	}
+
+	pid = pidfile_pid(name);
+	if (pid != 0) {
+		DEBUG(0,("ERROR: %s is already running. File %s exists and process id %d is running.\n", 
+			 name, pidFile, (int)pid));
+		exit(1);
+	}
+
+	fd = sys_open(pidFile, O_NONBLOCK | O_CREAT | O_WRONLY | O_EXCL, 0644);
+	if (fd == -1) {
+		DEBUG(0,("ERROR: can't open %s: Error was %s\n", pidFile, 
+			 strerror(errno)));
+		exit(1);
+	}
+
+	if (fcntl_lock(fd,SMB_F_SETLK,0,1,F_WRLCK)==False) {
+		DEBUG(0,("ERROR: %s : fcntl lock of file %s failed. Error was %s\n",  
+              name, pidFile, strerror(errno)));
+		exit(1);
+	}
+
+	memset(buf, 0, sizeof(buf));
+	slprintf(buf, sizeof(buf) - 1, "%u\n", (unsigned int) sys_getpid());
+	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) {
+		DEBUG(0,("ERROR: can't write to file %s: %s\n", 
+			 pidFile, strerror(errno)));
+		exit(1);
+	}
+	/* Leave pid file open & locked for the duration... */
+	SAFE_FREE(name);
+	SAFE_FREE(pidFile);
+}
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
new file mode 100644
index 0000000000..8ceac26bf2
--- /dev/null
+++ b/source3/lib/popt_common.c
@@ -0,0 +1,555 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Common popt routines
+
+   Copyright (C) Tim Potter 2001,2002
+   Copyright (C) Jelmer Vernooij 2002,2003
+   Copyright (C) James Peach 2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* Handle command line options:
+ *		-d,--debuglevel 
+ *		-s,--configfile 
+ *		-O,--socket-options 
+ *		-V,--version
+ *		-l,--log-base
+ *		-n,--netbios-name
+ *		-W,--workgroup
+ *		-i,--scope
+ */
+
+extern bool AllowDebugChange;
+extern bool override_logfile;
+
+static void set_logfile(poptContext con, const char * arg)
+{
+
+	char *logfile = NULL;
+	const char *pname;
+
+	/* Find out basename of current program */
+	pname = strrchr_m(poptGetInvocationName(con),'/');
+
+	if (!pname)
+		pname = poptGetInvocationName(con);
+	else
+		pname++;
+
+	if (asprintf(&logfile, "%s/log.%s", arg, pname) < 0) {
+		return;
+	}
+	lp_set_logfile(logfile);
+	SAFE_FREE(logfile);
+}
+
+static bool PrintSambaVersionString;
+
+static void popt_common_callback(poptContext con,
+			   enum poptCallbackReason reason,
+			   const struct poptOption *opt,
+			   const char *arg, const void *data)
+{
+
+	if (reason == POPT_CALLBACK_REASON_PRE) {
+		set_logfile(con, get_dyn_LOGFILEBASE());
+		return;
+	}
+
+	if (reason == POPT_CALLBACK_REASON_POST) {
+
+		if (PrintSambaVersionString) {
+			printf( "Version %s\n", SAMBA_VERSION_STRING);
+			exit(0);
+		}
+
+		if (is_default_dyn_CONFIGFILE()) {
+			if(getenv("SMB_CONF_PATH")) {
+				set_dyn_CONFIGFILE(getenv("SMB_CONF_PATH"));
+			}
+		}
+
+		/* Further 'every Samba program must do this' hooks here. */
+		return;
+	}
+
+	switch(opt->val) {
+	case 'd':
+		if (arg) {
+			debug_parse_levels(arg);
+			AllowDebugChange = False;
+		}
+		break;
+
+	case 'V':
+		PrintSambaVersionString = True;
+		break;
+
+	case 'O':
+		if (arg) {
+			lp_do_parameter(-1, "socket options", arg);
+		}
+		break;
+
+	case 's':
+		if (arg) {
+			set_dyn_CONFIGFILE(arg);
+		}
+		break;
+
+	case 'n':
+		if (arg) {
+			set_global_myname(arg);
+		}
+		break;
+
+	case 'l':
+		if (arg) {
+			set_logfile(con, arg);
+			override_logfile = True;
+			set_dyn_LOGFILEBASE(arg);
+		}
+		break;
+
+	case 'i':
+		if (arg) {
+			  set_global_scope(arg);
+		}
+		break;
+
+	case 'W':
+		if (arg) {
+			set_global_myworkgroup(arg);
+		}
+		break;
+	}
+}
+
+struct poptOption popt_common_connection[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK, (void *)popt_common_callback },
+	{ "socket-options", 'O', POPT_ARG_STRING, NULL, 'O', "socket options to use",
+	  "SOCKETOPTIONS" },
+	{ "netbiosname", 'n', POPT_ARG_STRING, NULL, 'n', "Primary netbios name", "NETBIOSNAME" },
+	{ "workgroup", 'W', POPT_ARG_STRING, NULL, 'W', "Set the workgroup name", "WORKGROUP" },
+	{ "scope", 'i', POPT_ARG_STRING, NULL, 'i', "Use this Netbios scope", "SCOPE" },
+
+	POPT_TABLEEND
+};
+
+struct poptOption popt_common_samba[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, (void *)popt_common_callback },
+	{ "debuglevel", 'd', POPT_ARG_STRING, NULL, 'd', "Set debug level", "DEBUGLEVEL" },
+	{ "configfile", 's', POPT_ARG_STRING, NULL, 's', "Use alternate configuration file", "CONFIGFILE" },
+	{ "log-basename", 'l', POPT_ARG_STRING, NULL, 'l', "Base name for log files", "LOGFILEBASE" },
+	{ "version", 'V', POPT_ARG_NONE, NULL, 'V', "Print version" },
+	POPT_TABLEEND
+};
+
+struct poptOption popt_common_configfile[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, (void *)popt_common_callback },
+	{ "configfile", 0, POPT_ARG_STRING, NULL, 's', "Use alternate configuration file", "CONFIGFILE" },
+	POPT_TABLEEND
+};
+
+struct poptOption popt_common_version[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK, (void *)popt_common_callback },
+	{ "version", 'V', POPT_ARG_NONE, NULL, 'V', "Print version" },
+	POPT_TABLEEND
+};
+
+struct poptOption popt_common_debuglevel[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK, (void *)popt_common_callback },
+	{ "debuglevel", 'd', POPT_ARG_STRING, NULL, 'd', "Set debug level", "DEBUGLEVEL" },
+	POPT_TABLEEND
+};
+
+
+/* Handle command line options:
+ *		--sbindir
+ *		--bindir
+ *		--swatdir
+ *		--lmhostsfile
+ *		--libdir
+ *		--modulesdir
+ *		--shlibext
+ *		--lockdir
+ *		--piddir
+ *		--smb-passwd-file
+ *		--private-dir
+ */
+
+enum dyn_item{
+	DYN_SBINDIR = 1,
+	DYN_BINDIR,
+	DYN_SWATDIR,
+	DYN_LMHOSTSFILE,
+	DYN_LIBDIR,
+	DYN_MODULESDIR,
+	DYN_SHLIBEXT,
+	DYN_LOCKDIR,
+	DYN_PIDDIR,
+	DYN_SMB_PASSWD_FILE,
+	DYN_PRIVATE_DIR,
+};
+
+
+static void popt_dynconfig_callback(poptContext con,
+			   enum poptCallbackReason reason,
+			   const struct poptOption *opt,
+			   const char *arg, const void *data)
+{
+
+	switch (opt->val) {
+	case DYN_SBINDIR:
+		if (arg) {
+			set_dyn_SBINDIR(arg);
+		}
+		break;
+
+	case DYN_BINDIR:
+		if (arg) {
+			set_dyn_BINDIR(arg);
+		}
+		break;
+
+	case DYN_SWATDIR:
+		if (arg) {
+			set_dyn_SWATDIR(arg);
+		}
+		break;
+
+	case DYN_LMHOSTSFILE:
+		if (arg) {
+			set_dyn_LMHOSTSFILE(arg);
+		}
+		break;
+
+	case DYN_LIBDIR:
+		if (arg) {
+			set_dyn_LIBDIR(arg);
+		}
+		break;
+
+	case DYN_MODULESDIR:
+		if (arg) {
+			set_dyn_MODULESDIR(arg);
+		}
+		break;
+
+	case DYN_SHLIBEXT:
+		if (arg) {
+			set_dyn_SHLIBEXT(arg);
+		}
+		break;
+
+	case DYN_LOCKDIR:
+		if (arg) {
+			set_dyn_LOCKDIR(arg);
+		}
+		break;
+
+	case DYN_PIDDIR:
+		if (arg) {
+			set_dyn_PIDDIR(arg);
+		}
+		break;
+
+	case DYN_SMB_PASSWD_FILE:
+		if (arg) {
+			set_dyn_SMB_PASSWD_FILE(arg);
+		}
+		break;
+
+	case DYN_PRIVATE_DIR:
+		if (arg) {
+			set_dyn_PRIVATE_DIR(arg);
+		}
+		break;
+
+	}
+}
+
+const struct poptOption popt_common_dynconfig[] = {
+
+	{ NULL, '\0', POPT_ARG_CALLBACK, (void *)popt_dynconfig_callback },
+
+	{ "sbindir", '\0' , POPT_ARG_STRING, NULL, DYN_SBINDIR,
+	    "Path to sbin directory", "SBINDIR" },
+	{ "bindir", '\0' , POPT_ARG_STRING, NULL, DYN_BINDIR,
+	    "Path to bin directory", "BINDIR" },
+	{ "swatdir", '\0' , POPT_ARG_STRING, NULL, DYN_SWATDIR,
+	    "Path to SWAT installation directory", "SWATDIR" },
+	{ "lmhostsfile", '\0' , POPT_ARG_STRING, NULL, DYN_LMHOSTSFILE,
+	    "Path to lmhosts file", "LMHOSTSFILE" },
+	{ "libdir", '\0' , POPT_ARG_STRING, NULL, DYN_LIBDIR,
+	    "Path to shared library directory", "LIBDIR" },
+	{ "modulesdir", '\0' , POPT_ARG_STRING, NULL, DYN_MODULESDIR,
+	    "Path to shared modules directory", "MODULESDIR" },
+	{ "shlibext", '\0' , POPT_ARG_STRING, NULL, DYN_SHLIBEXT,
+	    "Shared library extension", "SHLIBEXT" },
+	{ "lockdir", '\0' , POPT_ARG_STRING, NULL, DYN_LOCKDIR,
+	    "Path to lock file directory", "LOCKDIR" },
+	{ "piddir", '\0' , POPT_ARG_STRING, NULL, DYN_PIDDIR,
+	    "Path to PID file directory", "PIDDIR" },
+	{ "smb-passwd-file", '\0' , POPT_ARG_STRING, NULL, DYN_SMB_PASSWD_FILE,
+	    "Path to smbpasswd file", "SMB_PASSWD_FILE" },
+	{ "private-dir", '\0' , POPT_ARG_STRING, NULL, DYN_PRIVATE_DIR,
+	    "Path to private data directory", "PRIVATE_DIR" },
+
+	POPT_TABLEEND
+};
+
+/****************************************************************************
+ * get a password from a a file or file descriptor
+ * exit on failure
+ * ****************************************************************************/
+
+static void get_password_file(void)
+{
+	int fd = -1;
+	char *p;
+	bool close_it = False;
+	char *spec = NULL;
+	char pass[128];
+
+	if ((p = getenv("PASSWD_FD")) != NULL) {
+		if (asprintf(&spec, "descriptor %s", p) < 0) {
+			return;
+		}
+		sscanf(p, "%d", &fd);
+		close_it = false;
+	} else if ((p = getenv("PASSWD_FILE")) != NULL) {
+		fd = sys_open(p, O_RDONLY, 0);
+		spec = SMB_STRDUP(p);
+		if (fd < 0) {
+			fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n",
+					spec, strerror(errno));
+			exit(1);
+		}
+		close_it = True;
+	}
+
+	if (fd < 0) {
+		fprintf(stderr, "fd = %d, < 0\n", fd);
+		exit(1);
+	}
+
+	for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
+		p && p - pass < sizeof(pass);) {
+		switch (read(fd, p, 1)) {
+		case 1:
+			if (*p != '\n' && *p != '\0') {
+				*++p = '\0'; /* advance p, and null-terminate pass */
+				break;
+			}
+		case 0:
+			if (p - pass) {
+				*p = '\0'; /* null-terminate it, just in case... */
+				p = NULL; /* then force the loop condition to become false */
+				break;
+			} else {
+				fprintf(stderr, "Error reading password from file %s: %s\n",
+						spec, "empty password\n");
+				SAFE_FREE(spec);
+				exit(1);
+			}
+
+		default:
+			fprintf(stderr, "Error reading password from file %s: %s\n",
+					spec, strerror(errno));
+			SAFE_FREE(spec);
+			exit(1);
+		}
+	}
+	SAFE_FREE(spec);
+
+	set_cmdline_auth_info_password(pass);
+	if (close_it) {
+		close(fd);
+	}
+}
+
+static void get_credentials_file(const char *file)
+{
+	XFILE *auth;
+	fstring buf;
+	uint16 len = 0;
+	char *ptr, *val, *param;
+
+	if ((auth=x_fopen(file, O_RDONLY, 0)) == NULL)
+	{
+		/* fail if we can't open the credentials file */
+		d_printf("ERROR: Unable to open credentials file!\n");
+		exit(-1);
+	}
+
+	while (!x_feof(auth))
+	{
+		/* get a line from the file */
+		if (!x_fgets(buf, sizeof(buf), auth))
+			continue;
+		len = strlen(buf);
+
+		if ((len) && (buf[len-1]=='\n'))
+		{
+			buf[len-1] = '\0';
+			len--;
+		}
+		if (len == 0)
+			continue;
+
+		/* break up the line into parameter & value.
+		 * will need to eat a little whitespace possibly */
+		param = buf;
+		if (!(ptr = strchr_m (buf, '=')))
+			continue;
+
+		val = ptr+1;
+		*ptr = '\0';
+
+		/* eat leading white space */
+		while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
+			val++;
+
+		if (strwicmp("password", param) == 0) {
+			set_cmdline_auth_info_password(val);
+		} else if (strwicmp("username", param) == 0) {
+			set_cmdline_auth_info_username(val);
+		} else if (strwicmp("domain", param) == 0) {
+			set_global_myworkgroup(val);
+		}
+		memset(buf, 0, sizeof(buf));
+	}
+	x_fclose(auth);
+}
+
+/* Handle command line options:
+ *		-U,--user
+ *		-A,--authentication-file
+ *		-k,--use-kerberos
+ *		-N,--no-pass
+ *		-S,--signing
+ *              -P --machine-pass
+ * 		-e --encrypt
+ */
+
+
+static void popt_common_credentials_callback(poptContext con,
+					enum poptCallbackReason reason,
+					const struct poptOption *opt,
+					const char *arg, const void *data)
+{
+	char *p;
+
+	if (reason == POPT_CALLBACK_REASON_PRE) {
+		set_cmdline_auth_info_username("GUEST");
+
+		if (getenv("LOGNAME")) {
+			set_cmdline_auth_info_username(getenv("LOGNAME"));
+		}
+
+		if (getenv("USER")) {
+			char *puser = SMB_STRDUP(getenv("USER"));
+			if (!puser) {
+				exit(ENOMEM);
+			}
+			set_cmdline_auth_info_username(puser);
+
+			if ((p = strchr_m(puser,'%'))) {
+				size_t len;
+				*p = 0;
+				len = strlen(p+1);
+				set_cmdline_auth_info_password(p+1);
+				memset(strchr_m(getenv("USER"),'%')+1,'X',len);
+			}
+			SAFE_FREE(puser);
+		}
+
+		if (getenv("PASSWD")) {
+			set_cmdline_auth_info_password(getenv("PASSWD"));
+		}
+
+		if (getenv("PASSWD_FD") || getenv("PASSWD_FILE")) {
+			get_password_file();
+		}
+
+		return;
+	}
+
+	switch(opt->val) {
+	case 'U':
+		{
+			char *lp;
+			char *puser = SMB_STRDUP(arg);
+
+			if ((lp=strchr_m(puser,'%'))) {
+				size_t len;
+				*lp = 0;
+				set_cmdline_auth_info_username(puser);
+				set_cmdline_auth_info_password(lp+1);
+				len = strlen(lp+1);
+				memset(strchr_m(arg,'%')+1,'X',len);
+			} else {
+				set_cmdline_auth_info_username(puser);
+			}
+			SAFE_FREE(puser);
+		}
+		break;
+
+	case 'A':
+		get_credentials_file(arg);
+		break;
+
+	case 'k':
+#ifndef HAVE_KRB5
+		d_printf("No kerberos support compiled in\n");
+		exit(1);
+#else
+		set_cmdline_auth_info_use_krb5_ticket();
+#endif
+		break;
+
+	case 'S':
+		if (!set_cmdline_auth_info_signing_state(arg)) {
+			fprintf(stderr, "Unknown signing option %s\n", arg );
+			exit(1);
+		}
+		break;
+	case 'P':
+		set_cmdline_auth_info_use_machine_account();
+		break;
+	case 'N':
+		set_cmdline_auth_info_password("");
+		break;
+	case 'e':
+		set_cmdline_auth_info_smb_encrypt();
+		break;
+
+	}
+}
+
+struct poptOption popt_common_credentials[] = {
+	{ NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE, (void *)popt_common_credentials_callback },
+	{ "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" },
+	{ "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" },
+	{ "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" },
+	{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
+	{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
+	{"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
+	{"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" },
+	POPT_TABLEEND
+};
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
new file mode 100644
index 0000000000..c1bb783fbc
--- /dev/null
+++ b/source3/lib/privileges.c
@@ -0,0 +1,464 @@
+/*
+   Unix SMB/CIFS implementation.
+   Privileges handling functions
+   Copyright (C) Jean François Micouleau	1998-2001
+   Copyright (C) Simo Sorce			2002-2003
+   Copyright (C) Gerald (Jerry) Carter          2005
+   Copyright (C) Michael Adam			2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+ 
+#include "includes.h"
+
+#define PRIVPREFIX              "PRIV_"
+
+typedef struct {
+	size_t count;
+	DOM_SID *list;
+} SID_LIST;
+
+typedef struct {
+	TALLOC_CTX *mem_ctx;
+	SE_PRIV privilege;
+	SID_LIST sids;
+} PRIV_SID_LIST;
+
+
+static bool get_privileges( const DOM_SID *sid, SE_PRIV *mask )
+{
+	struct db_context *db = get_account_pol_db();
+	fstring tmp, keystr;
+	TDB_DATA data;
+
+	/* Fail if the admin has not enable privileges */
+	
+	if ( !lp_enable_privileges() ) {
+		return False;
+	}
+	
+	if ( db == NULL )
+		return False;
+
+	/* PRIV_<SID> (NULL terminated) as the key */
+	
+	fstr_sprintf(keystr, "%s%s", PRIVPREFIX, sid_to_fstring(tmp, sid));
+
+	data = dbwrap_fetch_bystring( db, talloc_tos(), keystr );
+	
+	if ( !data.dptr ) {
+		DEBUG(3, ("get_privileges: No privileges assigned to SID "
+			  "[%s]\n", sid_string_dbg(sid)));
+		return False;
+	}
+	
+	SMB_ASSERT( data.dsize == sizeof( SE_PRIV ) );
+	
+	se_priv_copy( mask, (SE_PRIV*)data.dptr );
+	TALLOC_FREE(data.dptr);
+
+	return True;
+}
+
+/***************************************************************************
+ Store the privilege mask (set) for a given SID
+****************************************************************************/
+
+static bool set_privileges( const DOM_SID *sid, SE_PRIV *mask )
+{
+	struct db_context *db = get_account_pol_db();
+	fstring tmp, keystr;
+	TDB_DATA data;
+	
+	if ( !lp_enable_privileges() )
+		return False;
+
+	if ( db == NULL )
+		return False;
+
+	if ( !sid || (sid->num_auths == 0) ) {
+		DEBUG(0,("set_privileges: Refusing to store empty SID!\n"));
+		return False;
+	}
+
+	/* PRIV_<SID> (NULL terminated) as the key */
+	
+	fstr_sprintf(keystr, "%s%s", PRIVPREFIX, sid_to_fstring(tmp, sid));
+	
+	/* no packing.  static size structure, just write it out */
+	
+	data.dptr  = (uint8 *)mask;
+	data.dsize = sizeof(SE_PRIV);
+
+	return NT_STATUS_IS_OK(dbwrap_store_bystring(db, keystr, data,
+						     TDB_REPLACE));
+}
+
+/*********************************************************************
+ get a list of all privileges for all sids in the list
+*********************************************************************/
+
+bool get_privileges_for_sids(SE_PRIV *privileges, DOM_SID *slist, int scount)
+{
+	SE_PRIV mask;
+	int i;
+	bool found = False;
+
+	se_priv_copy( privileges, &se_priv_none );
+	
+	for ( i=0; i<scount; i++ ) {
+		/* don't add unless we actually have a privilege assigned */
+
+		if ( !get_privileges( &slist[i], &mask ) )
+			continue;
+
+		DEBUG(5,("get_privileges_for_sids: sid = %s\nPrivilege "
+			 "set:\n", sid_string_dbg(&slist[i])));
+		dump_se_priv( DBGC_ALL, 5, &mask );
+			
+		se_priv_add( privileges, &mask );
+		found = True;
+	}
+
+	return found;
+}
+
+
+/*********************************************************************
+ traversal functions for privilege_enumerate_accounts
+*********************************************************************/
+
+static int priv_traverse_fn(struct db_record *rec, void *state)
+{
+	PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
+	int  prefixlen = strlen(PRIVPREFIX);
+	DOM_SID sid;
+	fstring sid_string;
+	
+	/* easy check first */
+	
+	if (rec->value.dsize != sizeof(SE_PRIV) )
+		return 0;
+
+	/* check we have a PRIV_+SID entry */
+
+	if ( strncmp((char *)rec->key.dptr, PRIVPREFIX, prefixlen) != 0)
+		return 0;
+		
+	/* check to see if we are looking for a particular privilege */
+
+	if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
+		SE_PRIV mask;
+		
+		se_priv_copy( &mask, (SE_PRIV*)rec->value.dptr );
+		
+		/* if the SID does not have the specified privilege 
+		   then just return */
+		   
+		if ( !is_privilege_assigned( &mask, &priv->privilege) )
+			return 0;
+	}
+		
+	fstrcpy( sid_string, (char *)&(rec->key.dptr[strlen(PRIVPREFIX)]) );
+
+	/* this is a last ditch safety check to preventing returning
+	   and invalid SID (i've somehow run into this on development branches) */
+
+	if ( strcmp( "S-0-0", sid_string ) == 0 )
+		return 0;
+
+	if ( !string_to_sid(&sid, sid_string) ) {
+		DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
+			sid_string));
+		return 0;
+	}
+
+	if (!NT_STATUS_IS_OK(add_sid_to_array(priv->mem_ctx, &sid,
+					      &priv->sids.list,
+					      &priv->sids.count)))
+	{
+		return 0;
+	}
+	
+	return 0;
+}
+
+/*********************************************************************
+ Retreive list of privileged SIDs (for _lsa_enumerate_accounts()
+*********************************************************************/
+
+NTSTATUS privilege_enumerate_accounts(DOM_SID **sids, int *num_sids)
+{
+	struct db_context *db = get_account_pol_db();
+	PRIV_SID_LIST priv;
+	
+	if (db == NULL) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	ZERO_STRUCT(priv);
+
+	se_priv_copy( &priv.privilege, &se_priv_none );
+
+	db->traverse_read(db, priv_traverse_fn, &priv);
+
+	/* give the memory away; caller will free */
+	
+	*sids      = priv.sids.list;
+	*num_sids  = priv.sids.count;
+
+	return NT_STATUS_OK;
+}
+
+/*********************************************************************
+ Retrieve list of SIDs granted a particular privilege
+*********************************************************************/
+
+NTSTATUS privilege_enum_sids(const SE_PRIV *mask, TALLOC_CTX *mem_ctx,
+			     DOM_SID **sids, int *num_sids)
+{
+	struct db_context *db = get_account_pol_db();
+	PRIV_SID_LIST priv;
+
+	if (db == NULL) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	ZERO_STRUCT(priv);
+
+	se_priv_copy(&priv.privilege, mask);
+	priv.mem_ctx = mem_ctx;
+
+	db->traverse_read(db, priv_traverse_fn, &priv);
+
+	/* give the memory away; caller will free */
+
+	*sids      = priv.sids.list;
+	*num_sids  = priv.sids.count;
+
+	return NT_STATUS_OK;
+}
+
+/***************************************************************************
+ Add privilege to sid
+****************************************************************************/
+
+bool grant_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
+{
+	SE_PRIV old_mask, new_mask;
+	
+	ZERO_STRUCT( old_mask );
+	ZERO_STRUCT( new_mask );
+
+	if ( get_privileges( sid, &old_mask ) )
+		se_priv_copy( &new_mask, &old_mask );
+	else
+		se_priv_copy( &new_mask, &se_priv_none );
+
+	se_priv_add( &new_mask, priv_mask );
+
+	DEBUG(10,("grant_privilege: %s\n", sid_string_dbg(sid)));
+	
+	DEBUGADD( 10, ("original privilege mask:\n"));
+	dump_se_priv( DBGC_ALL, 10, &old_mask );
+	
+	DEBUGADD( 10, ("new privilege mask:\n"));
+	dump_se_priv( DBGC_ALL, 10, &new_mask );
+	
+	return set_privileges( sid, &new_mask );
+}
+
+/*********************************************************************
+ Add a privilege based on its name
+*********************************************************************/
+
+bool grant_privilege_by_name(DOM_SID *sid, const char *name)
+{
+	SE_PRIV mask;
+
+	if (! se_priv_from_name(name, &mask)) {
+        	DEBUG(3, ("grant_privilege_by_name: "
+			  "No Such Privilege Found (%s)\n", name));
+		return False;
+	}
+
+	return grant_privilege( sid, &mask );
+}
+
+/***************************************************************************
+ Remove privilege from sid
+****************************************************************************/
+
+bool revoke_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
+{
+	SE_PRIV mask;
+	
+	/* if the user has no privileges, then we can't revoke any */
+	
+	if ( !get_privileges( sid, &mask ) )
+		return True;
+	
+	DEBUG(10,("revoke_privilege: %s\n", sid_string_dbg(sid)));
+	
+	DEBUGADD( 10, ("original privilege mask:\n"));
+	dump_se_priv( DBGC_ALL, 10, &mask );
+
+	se_priv_remove( &mask, priv_mask );
+	
+	DEBUGADD( 10, ("new privilege mask:\n"));
+	dump_se_priv( DBGC_ALL, 10, &mask );
+	
+	return set_privileges( sid, &mask );
+}
+
+/*********************************************************************
+ Revoke all privileges
+*********************************************************************/
+
+bool revoke_all_privileges( DOM_SID *sid )
+{
+	return revoke_privilege( sid, &se_priv_all );
+}
+
+/*********************************************************************
+ Add a privilege based on its name
+*********************************************************************/
+
+bool revoke_privilege_by_name(DOM_SID *sid, const char *name)
+{
+	SE_PRIV mask;
+
+	if (! se_priv_from_name(name, &mask)) {
+        	DEBUG(3, ("revoke_privilege_by_name: "
+			  "No Such Privilege Found (%s)\n", name));
+        	return False;
+	}
+
+	return revoke_privilege(sid, &mask);
+
+}
+
+/***************************************************************************
+ Retrieve the SIDs assigned to a given privilege
+****************************************************************************/
+
+NTSTATUS privilege_create_account(const DOM_SID *sid )
+{
+	return ( grant_privilege(sid, &se_priv_none) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
+}
+
+/****************************************************************************
+ initialise a privilege list and set the talloc context 
+ ****************************************************************************/
+ 
+NTSTATUS privilege_set_init(PRIVILEGE_SET *priv_set)
+{
+	TALLOC_CTX *mem_ctx;
+	
+	ZERO_STRUCTP( priv_set );
+
+	mem_ctx = talloc_init("privilege set");
+	if ( !mem_ctx ) {
+		DEBUG(0,("privilege_set_init: failed to initialize talloc ctx!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	priv_set->mem_ctx = mem_ctx;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+  initialise a privilege list and with someone else's talloc context 
+****************************************************************************/
+
+NTSTATUS privilege_set_init_by_ctx(TALLOC_CTX *mem_ctx, PRIVILEGE_SET *priv_set)
+{
+	ZERO_STRUCTP( priv_set );
+	
+	priv_set->mem_ctx = mem_ctx;
+	priv_set->ext_ctx = True;
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Free all memory used by a PRIVILEGE_SET
+****************************************************************************/
+
+void privilege_set_free(PRIVILEGE_SET *priv_set)
+{
+	if ( !priv_set )
+		return;
+
+	if ( !( priv_set->ext_ctx ) )
+		talloc_destroy( priv_set->mem_ctx );
+
+	ZERO_STRUCTP( priv_set );
+}
+
+/****************************************************************************
+ duplicate alloc luid_attr
+ ****************************************************************************/
+
+NTSTATUS dup_luid_attr(TALLOC_CTX *mem_ctx, LUID_ATTR **new_la, LUID_ATTR *old_la, int count)
+{
+	int i;
+
+	if ( !old_la )
+		return NT_STATUS_OK;
+
+	if (count) {
+		*new_la = TALLOC_ARRAY(mem_ctx, LUID_ATTR, count);
+		if ( !*new_la ) {
+			DEBUG(0,("dup_luid_attr: failed to alloc new LUID_ATTR array [%d]\n", count));
+			return NT_STATUS_NO_MEMORY;
+		}
+	} else {
+		*new_la = NULL;
+	}
+
+	for (i=0; i<count; i++) {
+		(*new_la)[i].luid.high = old_la[i].luid.high;
+		(*new_la)[i].luid.low = old_la[i].luid.low;
+		(*new_la)[i].attr = old_la[i].attr;
+	}
+	
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+bool is_privileged_sid( const DOM_SID *sid )
+{
+	SE_PRIV mask;
+	
+	return get_privileges( sid, &mask );
+}
+
+/*******************************************************************
+*******************************************************************/
+
+bool grant_all_privileges( const DOM_SID *sid )
+{
+	SE_PRIV mask;
+
+	if (!se_priv_put_all_privileges(&mask)) {
+		return False;
+	}
+	
+	return grant_privilege( sid, &mask );
+}
diff --git a/source3/lib/privileges_basic.c b/source3/lib/privileges_basic.c
new file mode 100644
index 0000000000..865c1f655c
--- /dev/null
+++ b/source3/lib/privileges_basic.c
@@ -0,0 +1,515 @@
+/*
+   Unix SMB/CIFS implementation.
+   Privileges handling functions
+   Copyright (C) Jean François Micouleau	1998-2001
+   Copyright (C) Simo Sorce			2002-2003
+   Copyright (C) Gerald (Jerry) Carter          2005
+   Copyright (C) Michael Adam			2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * Basic privileges functions (mask-operations and conversion 
+ * functions between the different formats (se_priv, privset, luid)
+ * moved here * from lib/privileges.c to minimize linker deps.
+ *
+ * generally SID- and LUID-related code is left in lib/privileges.c
+ *
+ * some extra functions to hide privs array from lib/privileges.c
+ */
+ 
+#include "includes.h"
+
+const SE_PRIV se_priv_all         = SE_ALL_PRIVS;
+static const SE_PRIV se_priv_end  = SE_END;
+
+/* Define variables for all privileges so we can use the
+   SE_PRIV* in the various se_priv_XXX() functions */
+
+const SE_PRIV se_priv_none       = SE_NONE;
+const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT;
+const SE_PRIV se_print_operator  = SE_PRINT_OPERATOR;
+const SE_PRIV se_add_users       = SE_ADD_USERS;
+const SE_PRIV se_disk_operators  = SE_DISK_OPERATOR;
+const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN;
+const SE_PRIV se_restore         = SE_RESTORE;
+const SE_PRIV se_take_ownership  = SE_TAKE_OWNERSHIP;
+
+/********************************************************************
+ This is a list of privileges reported by a WIndows 2000 SP4 AD DC
+ just for reference purposes (and I know the LUID is not guaranteed 
+ across reboots):
+
+            SeCreateTokenPrivilege  Create a token object ( 0x0, 0x2 )
+     SeAssignPrimaryTokenPrivilege  Replace a process level token ( 0x0, 0x3 )
+             SeLockMemoryPrivilege  Lock pages in memory ( 0x0, 0x4 )
+          SeIncreaseQuotaPrivilege  Increase quotas ( 0x0, 0x5 )
+         SeMachineAccountPrivilege  Add workstations to domain ( 0x0, 0x6 )
+                    SeTcbPrivilege  Act as part of the operating system ( 0x0, 0x7 )
+               SeSecurityPrivilege  Manage auditing and security log ( 0x0, 0x8 )
+          SeTakeOwnershipPrivilege  Take ownership of files or other objects ( 0x0, 0x9 )
+             SeLoadDriverPrivilege  Load and unload device drivers ( 0x0, 0xa )
+          SeSystemProfilePrivilege  Profile system performance ( 0x0, 0xb )
+             SeSystemtimePrivilege  Change the system time ( 0x0, 0xc )
+   SeProfileSingleProcessPrivilege  Profile single process ( 0x0, 0xd )
+   SeIncreaseBasePriorityPrivilege  Increase scheduling priority ( 0x0, 0xe )
+         SeCreatePagefilePrivilege  Create a pagefile ( 0x0, 0xf )
+        SeCreatePermanentPrivilege  Create permanent shared objects ( 0x0, 0x10 )
+                 SeBackupPrivilege  Back up files and directories ( 0x0, 0x11 )
+                SeRestorePrivilege  Restore files and directories ( 0x0, 0x12 )
+               SeShutdownPrivilege  Shut down the system ( 0x0, 0x13 )
+                  SeDebugPrivilege  Debug programs ( 0x0, 0x14 )
+                  SeAuditPrivilege  Generate security audits ( 0x0, 0x15 )
+      SeSystemEnvironmentPrivilege  Modify firmware environment values ( 0x0, 0x16 )
+           SeChangeNotifyPrivilege  Bypass traverse checking ( 0x0, 0x17 )
+         SeRemoteShutdownPrivilege  Force shutdown from a remote system ( 0x0, 0x18 )
+                 SeUndockPrivilege  Remove computer from docking station ( 0x0, 0x19 )
+              SeSyncAgentPrivilege  Synchronize directory service data ( 0x0, 0x1a )
+       SeEnableDelegationPrivilege  Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
+           SeManageVolumePrivilege  Perform volume maintenance tasks ( 0x0, 0x1c )
+            SeImpersonatePrivilege  Impersonate a client after authentication ( 0x0, 0x1d )
+           SeCreateGlobalPrivilege  Create global objects ( 0x0, 0x1e )
+
+ ********************************************************************/
+
+/* we have to define the LUID here due to a horrible check by printmig.exe
+   that requires the SeBackupPrivilege match what is in Windows.  So match
+   those that we implement and start Samba privileges at 0x1001 */
+   
+PRIVS privs[] = {
+#if 0	/* usrmgr will display these twice if you include them.  We don't 
+	   use them but we'll keep the bitmasks reserved in privileges.h anyways */
+	   
+	{SE_NETWORK_LOGON,	"SeNetworkLogonRight",		"Access this computer from network", 	   { 0x0, 0x0 }},
+	{SE_INTERACTIVE_LOGON,	"SeInteractiveLogonRight",	"Log on locally", 			   { 0x0, 0x0 }},
+	{SE_BATCH_LOGON,	"SeBatchLogonRight",		"Log on as a batch job",		   { 0x0, 0x0 }},
+	{SE_SERVICE_LOGON,	"SeServiceLogonRight",		"Log on as a service",			   { 0x0, 0x0 }},
+#endif
+	{SE_MACHINE_ACCOUNT,	"SeMachineAccountPrivilege",	"Add machines to domain",		   { 0x0, 0x0006 }},
+	{SE_TAKE_OWNERSHIP,     "SeTakeOwnershipPrivilege",     "Take ownership of files or other objects",{ 0x0, 0x0009 }},
+        {SE_BACKUP,             "SeBackupPrivilege",            "Back up files and directories",	   { 0x0, 0x0011 }},
+        {SE_RESTORE,            "SeRestorePrivilege",           "Restore files and directories",	   { 0x0, 0x0012 }},
+	{SE_REMOTE_SHUTDOWN,	"SeRemoteShutdownPrivilege",	"Force shutdown from a remote system",	   { 0x0, 0x0018 }},
+	
+	{SE_PRINT_OPERATOR,	"SePrintOperatorPrivilege",	"Manage printers",			   { 0x0, 0x1001 }},
+	{SE_ADD_USERS,		"SeAddUsersPrivilege",		"Add users and groups to the domain",	   { 0x0, 0x1002 }},
+	{SE_DISK_OPERATOR,	"SeDiskOperatorPrivilege",	"Manage disk shares",			   { 0x0, 0x1003 }},
+
+	{SE_END, "", "", { 0x0, 0x0 }}
+};
+
+/***************************************************************************
+ copy an SE_PRIV structure
+****************************************************************************/
+
+bool se_priv_copy( SE_PRIV *dst, const SE_PRIV *src )
+{
+	if ( !dst || !src )
+		return False;
+		
+	memcpy( dst, src, sizeof(SE_PRIV) );
+	
+	return True;
+}
+
+/***************************************************************************
+ put all privileges into a mask
+****************************************************************************/
+
+bool se_priv_put_all_privileges(SE_PRIV *mask)
+{
+	int i;
+	uint32 num_privs = count_all_privileges();
+
+	if (!se_priv_copy(mask, &se_priv_none)) {
+		return False;
+	}
+	for ( i=0; i<num_privs; i++ ) {
+		se_priv_add(mask, &privs[i].se_priv); 
+	}
+	return True;
+}
+
+/***************************************************************************
+ combine 2 SE_PRIV structures and store the resulting set in mew_mask
+****************************************************************************/
+
+void se_priv_add( SE_PRIV *mask, const SE_PRIV *addpriv )
+{
+	int i;
+
+	for ( i=0; i<SE_PRIV_MASKSIZE; i++ ) {
+		mask->mask[i] |= addpriv->mask[i];
+	}
+}
+
+/***************************************************************************
+ remove one SE_PRIV sytucture from another and store the resulting set 
+ in mew_mask
+****************************************************************************/
+
+void se_priv_remove( SE_PRIV *mask, const SE_PRIV *removepriv )
+{	
+	int i;
+
+	for ( i=0; i<SE_PRIV_MASKSIZE; i++ ) {
+		mask->mask[i] &= ~removepriv->mask[i];
+	}
+}
+
+/***************************************************************************
+ invert a given SE_PRIV and store the set in new_mask
+****************************************************************************/
+
+static void se_priv_invert( SE_PRIV *new_mask, const SE_PRIV *mask )
+{	
+	SE_PRIV allprivs;
+	
+	se_priv_copy( &allprivs, &se_priv_all );
+	se_priv_remove( &allprivs, mask );
+	se_priv_copy( new_mask, &allprivs );
+}
+
+/***************************************************************************
+ check if 2 SE_PRIV structure are equal
+****************************************************************************/
+
+bool se_priv_equal( const SE_PRIV *mask1, const SE_PRIV *mask2 )
+{	
+	return ( memcmp(mask1, mask2, sizeof(SE_PRIV)) == 0 );
+}
+
+/***************************************************************************
+ check if a SE_PRIV has any assigned privileges
+****************************************************************************/
+
+static bool se_priv_empty( const SE_PRIV *mask )
+{
+	SE_PRIV p1;
+	int i;
+	
+	se_priv_copy( &p1, mask );
+
+	for ( i=0; i<SE_PRIV_MASKSIZE; i++ ) {
+		p1.mask[i] &= se_priv_all.mask[i];
+	}
+	
+	return se_priv_equal( &p1, &se_priv_none );
+}
+
+/*********************************************************************
+ Lookup the SE_PRIV value for a privilege name 
+*********************************************************************/
+
+bool se_priv_from_name( const char *name, SE_PRIV *mask )
+{
+	int i;
+
+	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+		if ( strequal( privs[i].name, name ) ) {
+			se_priv_copy( mask, &privs[i].se_priv );
+			return True;
+		}
+	}
+
+	return False;
+}
+
+/***************************************************************************
+ dump an SE_PRIV structure to the log files
+****************************************************************************/
+
+void dump_se_priv( int dbg_cl, int dbg_lvl, const SE_PRIV *mask )
+{
+	int i;
+	
+	DEBUGADDC( dbg_cl, dbg_lvl,("SE_PRIV "));
+	
+	for ( i=0; i<SE_PRIV_MASKSIZE; i++ ) {
+		DEBUGADDC( dbg_cl, dbg_lvl,(" 0x%x", mask->mask[i] ));
+	}
+		
+	DEBUGADDC( dbg_cl, dbg_lvl, ("\n"));
+}
+
+/****************************************************************************
+ check if the privilege is in the privilege list
+****************************************************************************/
+
+bool is_privilege_assigned(const SE_PRIV *privileges,
+			   const SE_PRIV *check)
+{
+	SE_PRIV p1, p2;
+
+	if ( !privileges || !check )
+		return False;
+	
+	/* everyone has privileges if you aren't checking for any */
+	
+	if ( se_priv_empty( check ) ) {
+		DEBUG(1,("is_privilege_assigned: no privileges in check_mask!\n"));
+		return True;
+	}
+	
+	se_priv_copy( &p1, check );
+	
+	/* invert the SE_PRIV we want to check for and remove that from the 
+	   original set.  If we are left with the SE_PRIV we are checking 
+	   for then return True */
+	   
+	se_priv_invert( &p1, check );
+	se_priv_copy( &p2, privileges );
+	se_priv_remove( &p2, &p1 );
+	
+	return se_priv_equal( &p2, check );
+}
+
+/****************************************************************************
+ check if the privilege is in the privilege list
+****************************************************************************/
+
+static bool is_any_privilege_assigned( SE_PRIV *privileges, const SE_PRIV *check )
+{
+	SE_PRIV p1, p2;
+
+	if ( !privileges || !check )
+		return False;
+	
+	/* everyone has privileges if you aren't checking for any */
+	
+	if ( se_priv_empty( check ) ) {
+		DEBUG(1,("is_any_privilege_assigned: no privileges in check_mask!\n"));
+		return True;
+	}
+	
+	se_priv_copy( &p1, check );
+	
+	/* invert the SE_PRIV we want to check for and remove that from the 
+	   original set.  If we are left with the SE_PRIV we are checking 
+	   for then return True */
+	   
+	se_priv_invert( &p1, check );
+	se_priv_copy( &p2, privileges );
+	se_priv_remove( &p2, &p1 );
+	
+	/* see if we have any bits left */
+	
+	return !se_priv_empty( &p2 );
+}
+
+/*********************************************************************
+ Generate the LUID_ATTR structure based on a bitmask
+*********************************************************************/
+
+const char* get_privilege_dispname( const char *name )
+{
+	int i;
+
+	if (!name) {
+		return NULL;
+	}
+
+	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+	
+		if ( strequal( privs[i].name, name ) ) {
+			return privs[i].description;
+		}
+	}
+
+	return NULL;
+}
+
+/****************************************************************************
+ initialise a privilege list and set the talloc context 
+ ****************************************************************************/
+ 
+/****************************************************************************
+ Does the user have the specified privilege ?  We only deal with one privilege
+ at a time here.
+*****************************************************************************/
+
+bool user_has_privileges(const NT_USER_TOKEN *token, const SE_PRIV *privilege)
+{
+	if ( !token )
+		return False;
+
+	return is_privilege_assigned( &token->privileges, privilege );
+}
+
+/****************************************************************************
+ Does the user have any of the specified privileges ?  We only deal with one privilege
+ at a time here.
+*****************************************************************************/
+
+bool user_has_any_privilege(NT_USER_TOKEN *token, const SE_PRIV *privilege)
+{
+	if ( !token )
+		return False;
+
+	return is_any_privilege_assigned( &token->privileges, privilege );
+}
+
+/*******************************************************************
+ return the number of elements in the privlege array
+*******************************************************************/
+
+int count_all_privileges( void )
+{
+	/*
+	 * The -1 is due to the weird SE_END record...
+	 */
+	return (sizeof(privs) / sizeof(privs[0])) - 1;
+}
+
+
+/*********************************************************************
+ Generate the LUID_ATTR structure based on a bitmask
+ The assumption here is that the privilege has already been validated
+ so we are guaranteed to find it in the list. 
+*********************************************************************/
+
+LUID_ATTR get_privilege_luid( SE_PRIV *mask )
+{
+	LUID_ATTR priv_luid;
+	int i;
+
+	ZERO_STRUCT( priv_luid );
+	
+	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+	
+		if ( se_priv_equal( &privs[i].se_priv, mask ) ) {
+			priv_luid.luid = privs[i].luid;
+			break;
+		}
+	}
+
+	return priv_luid;
+}
+
+/****************************************************************************
+ Convert a LUID to a named string
+****************************************************************************/
+
+const char *luid_to_privilege_name(const LUID *set)
+{
+	int i;
+
+	if (set->high != 0)
+		return NULL;
+
+	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+		if ( set->low == privs[i].luid.low ) {
+			return privs[i].name;
+		}
+	}
+	
+	return NULL;
+}
+
+
+/****************************************************************************
+ add a privilege to a privilege array
+ ****************************************************************************/
+
+static bool privilege_set_add(PRIVILEGE_SET *priv_set, LUID_ATTR set)
+{
+	LUID_ATTR *new_set;
+
+	/* we can allocate memory to add the new privilege */
+
+	new_set = TALLOC_REALLOC_ARRAY(priv_set->mem_ctx, priv_set->set, LUID_ATTR, priv_set->count + 1);
+	if ( !new_set ) {
+		DEBUG(0,("privilege_set_add: failed to allocate memory!\n"));
+		return False;
+	}	
+
+	new_set[priv_set->count].luid.high = set.luid.high;
+	new_set[priv_set->count].luid.low = set.luid.low;
+	new_set[priv_set->count].attr = set.attr;
+
+	priv_set->count++;
+	priv_set->set = new_set;
+
+	return True;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+bool se_priv_to_privilege_set( PRIVILEGE_SET *set, SE_PRIV *mask )
+{
+	int i;
+	uint32 num_privs = count_all_privileges();
+	LUID_ATTR luid;
+	
+	luid.attr = 0;
+	luid.luid.high = 0;
+	
+	for ( i=0; i<num_privs; i++ ) {
+		if ( !is_privilege_assigned(mask, &privs[i].se_priv) )
+			continue;
+		
+		luid.luid = privs[i].luid;
+		
+		if ( !privilege_set_add( set, luid ) )
+			return False;
+	}
+
+	return True;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+static bool luid_to_se_priv( struct lsa_LUID *luid, SE_PRIV *mask )
+{
+	int i;
+	uint32 num_privs = count_all_privileges();
+	
+	for ( i=0; i<num_privs; i++ ) {
+		if ( luid->low == privs[i].luid.low ) {
+			se_priv_copy( mask, &privs[i].se_priv );
+			return True;
+		}
+	}
+
+	return False;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+bool privilege_set_to_se_priv( SE_PRIV *mask, struct lsa_PrivilegeSet *privset )
+{
+	int i;
+	
+	ZERO_STRUCTP( mask );
+	
+	for ( i=0; i<privset->count; i++ ) {
+		SE_PRIV r;
+	
+		/* sanity check for invalid privilege.  we really
+		   only care about the low 32 bits */
+		   
+		if ( privset->set[i].luid.high != 0 )
+			return False;
+		
+		if ( luid_to_se_priv( &privset->set[i].luid, &r ) )		
+			se_priv_add( mask, &r );
+	}
+
+	return True;
+}
+
diff --git a/source3/lib/rbtree.c b/source3/lib/rbtree.c
new file mode 100644
index 0000000000..f6868cab5d
--- /dev/null
+++ b/source3/lib/rbtree.c
@@ -0,0 +1,422 @@
+/*
+  Red Black Trees
+  (C) 1999  Andrea Arcangeli <andrea@suse.de>
+  (C) 2002  David Woodhouse <dwmw2@infradead.org>
+  
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+  linux/lib/rbtree.c
+*/
+
+#include "includes.h"
+#include "rbtree.h"
+
+#define	RB_RED		0
+#define	RB_BLACK	1
+
+#define rb_parent(r)   ((struct rb_node *)((r)->rb_parent_color & ~3))
+#define rb_color(r)   ((r)->rb_parent_color & 1)
+#define rb_is_red(r)   (!rb_color(r))
+#define rb_is_black(r) rb_color(r)
+#define rb_set_red(r)  do { (r)->rb_parent_color &= ~1; } while (0)
+#define rb_set_black(r)  do { (r)->rb_parent_color |= 1; } while (0)
+
+static void rb_set_parent(struct rb_node *rb, struct rb_node *p)
+{
+	rb->rb_parent_color = (rb->rb_parent_color & 3) | (unsigned long)p;
+}
+static void rb_set_color(struct rb_node *rb, int color)
+{
+	rb->rb_parent_color = (rb->rb_parent_color & ~1) | color;
+}
+
+#define RB_EMPTY_ROOT(root)	((root)->rb_node == NULL)
+#define RB_EMPTY_NODE(node)	(rb_parent(node) == node)
+#define RB_CLEAR_NODE(node)	(rb_set_parent(node, node))
+
+static void __rb_rotate_left(struct rb_node *node, struct rb_root *root)
+{
+	struct rb_node *right = node->rb_right;
+	struct rb_node *parent = rb_parent(node);
+
+	if ((node->rb_right = right->rb_left))
+		rb_set_parent(right->rb_left, node);
+	right->rb_left = node;
+
+	rb_set_parent(right, parent);
+
+	if (parent)
+	{
+		if (node == parent->rb_left)
+			parent->rb_left = right;
+		else
+			parent->rb_right = right;
+	}
+	else
+		root->rb_node = right;
+	rb_set_parent(node, right);
+}
+
+static void __rb_rotate_right(struct rb_node *node, struct rb_root *root)
+{
+	struct rb_node *left = node->rb_left;
+	struct rb_node *parent = rb_parent(node);
+
+	if ((node->rb_left = left->rb_right))
+		rb_set_parent(left->rb_right, node);
+	left->rb_right = node;
+
+	rb_set_parent(left, parent);
+
+	if (parent)
+	{
+		if (node == parent->rb_right)
+			parent->rb_right = left;
+		else
+			parent->rb_left = left;
+	}
+	else
+		root->rb_node = left;
+	rb_set_parent(node, left);
+}
+
+void rb_insert_color(struct rb_node *node, struct rb_root *root)
+{
+	struct rb_node *parent, *gparent;
+
+	while ((parent = rb_parent(node)) && rb_is_red(parent))
+	{
+		gparent = rb_parent(parent);
+
+		if (parent == gparent->rb_left)
+		{
+			{
+				register struct rb_node *uncle = gparent->rb_right;
+				if (uncle && rb_is_red(uncle))
+				{
+					rb_set_black(uncle);
+					rb_set_black(parent);
+					rb_set_red(gparent);
+					node = gparent;
+					continue;
+				}
+			}
+
+			if (parent->rb_right == node)
+			{
+				register struct rb_node *tmp;
+				__rb_rotate_left(parent, root);
+				tmp = parent;
+				parent = node;
+				node = tmp;
+			}
+
+			rb_set_black(parent);
+			rb_set_red(gparent);
+			__rb_rotate_right(gparent, root);
+		} else {
+			{
+				register struct rb_node *uncle = gparent->rb_left;
+				if (uncle && rb_is_red(uncle))
+				{
+					rb_set_black(uncle);
+					rb_set_black(parent);
+					rb_set_red(gparent);
+					node = gparent;
+					continue;
+				}
+			}
+
+			if (parent->rb_left == node)
+			{
+				register struct rb_node *tmp;
+				__rb_rotate_right(parent, root);
+				tmp = parent;
+				parent = node;
+				node = tmp;
+			}
+
+			rb_set_black(parent);
+			rb_set_red(gparent);
+			__rb_rotate_left(gparent, root);
+		}
+	}
+
+	rb_set_black(root->rb_node);
+}
+
+static void __rb_erase_color(struct rb_node *node, struct rb_node *parent,
+			     struct rb_root *root)
+{
+	struct rb_node *other;
+
+	while ((!node || rb_is_black(node)) && node != root->rb_node)
+	{
+		if (parent->rb_left == node)
+		{
+			other = parent->rb_right;
+			if (rb_is_red(other))
+			{
+				rb_set_black(other);
+				rb_set_red(parent);
+				__rb_rotate_left(parent, root);
+				other = parent->rb_right;
+			}
+			if ((!other->rb_left || rb_is_black(other->rb_left)) &&
+			    (!other->rb_right || rb_is_black(other->rb_right)))
+			{
+				rb_set_red(other);
+				node = parent;
+				parent = rb_parent(node);
+			}
+			else
+			{
+				if (!other->rb_right || rb_is_black(other->rb_right))
+				{
+					struct rb_node *o_left;
+					if ((o_left = other->rb_left))
+						rb_set_black(o_left);
+					rb_set_red(other);
+					__rb_rotate_right(other, root);
+					other = parent->rb_right;
+				}
+				rb_set_color(other, rb_color(parent));
+				rb_set_black(parent);
+				if (other->rb_right)
+					rb_set_black(other->rb_right);
+				__rb_rotate_left(parent, root);
+				node = root->rb_node;
+				break;
+			}
+		}
+		else
+		{
+			other = parent->rb_left;
+			if (rb_is_red(other))
+			{
+				rb_set_black(other);
+				rb_set_red(parent);
+				__rb_rotate_right(parent, root);
+				other = parent->rb_left;
+			}
+			if ((!other->rb_left || rb_is_black(other->rb_left)) &&
+			    (!other->rb_right || rb_is_black(other->rb_right)))
+			{
+				rb_set_red(other);
+				node = parent;
+				parent = rb_parent(node);
+			}
+			else
+			{
+				if (!other->rb_left || rb_is_black(other->rb_left))
+				{
+					register struct rb_node *o_right;
+					if ((o_right = other->rb_right))
+						rb_set_black(o_right);
+					rb_set_red(other);
+					__rb_rotate_left(other, root);
+					other = parent->rb_left;
+				}
+				rb_set_color(other, rb_color(parent));
+				rb_set_black(parent);
+				if (other->rb_left)
+					rb_set_black(other->rb_left);
+				__rb_rotate_right(parent, root);
+				node = root->rb_node;
+				break;
+			}
+		}
+	}
+	if (node)
+		rb_set_black(node);
+}
+
+void rb_erase(struct rb_node *node, struct rb_root *root)
+{
+	struct rb_node *child, *parent;
+	int color;
+
+	if (!node->rb_left)
+		child = node->rb_right;
+	else if (!node->rb_right)
+		child = node->rb_left;
+	else
+	{
+		struct rb_node *old = node, *left;
+
+		node = node->rb_right;
+		while ((left = node->rb_left) != NULL)
+			node = left;
+		child = node->rb_right;
+		parent = rb_parent(node);
+		color = rb_color(node);
+
+		if (child)
+			rb_set_parent(child, parent);
+		if (parent == old) {
+			parent->rb_right = child;
+			parent = node;
+		} else
+			parent->rb_left = child;
+
+		node->rb_parent_color = old->rb_parent_color;
+		node->rb_right = old->rb_right;
+		node->rb_left = old->rb_left;
+
+		if (rb_parent(old))
+		{
+			if (rb_parent(old)->rb_left == old)
+				rb_parent(old)->rb_left = node;
+			else
+				rb_parent(old)->rb_right = node;
+		} else
+			root->rb_node = node;
+
+		rb_set_parent(old->rb_left, node);
+		if (old->rb_right)
+			rb_set_parent(old->rb_right, node);
+		goto color;
+	}
+
+	parent = rb_parent(node);
+	color = rb_color(node);
+
+	if (child)
+		rb_set_parent(child, parent);
+	if (parent)
+	{
+		if (parent->rb_left == node)
+			parent->rb_left = child;
+		else
+			parent->rb_right = child;
+	}
+	else
+		root->rb_node = child;
+
+ color:
+	if (color == RB_BLACK)
+		__rb_erase_color(child, parent, root);
+}
+
+/*
+ * This function returns the first node (in sort order) of the tree.
+ */
+struct rb_node *rb_first(struct rb_root *root)
+{
+	struct rb_node	*n;
+
+	n = root->rb_node;
+	if (!n)
+		return NULL;
+	while (n->rb_left)
+		n = n->rb_left;
+	return n;
+}
+
+struct rb_node *rb_last(struct rb_root *root)
+{
+	struct rb_node	*n;
+
+	n = root->rb_node;
+	if (!n)
+		return NULL;
+	while (n->rb_right)
+		n = n->rb_right;
+	return n;
+}
+
+struct rb_node *rb_next(struct rb_node *node)
+{
+	struct rb_node *parent;
+
+	if (rb_parent(node) == node)
+		return NULL;
+
+	/* If we have a right-hand child, go down and then left as far
+	   as we can. */
+	if (node->rb_right) {
+		node = node->rb_right; 
+		while (node->rb_left)
+			node=node->rb_left;
+		return node;
+	}
+
+	/* No right-hand children.  Everything down and left is
+	   smaller than us, so any 'next' node must be in the general
+	   direction of our parent. Go up the tree; any time the
+	   ancestor is a right-hand child of its parent, keep going
+	   up. First time it's a left-hand child of its parent, said
+	   parent is our 'next' node. */
+	while ((parent = rb_parent(node)) && node == parent->rb_right)
+		node = parent;
+
+	return parent;
+}
+
+struct rb_node *rb_prev(struct rb_node *node)
+{
+	struct rb_node *parent;
+
+	if (rb_parent(node) == node)
+		return NULL;
+
+	/* If we have a left-hand child, go down and then right as far
+	   as we can. */
+	if (node->rb_left) {
+		node = node->rb_left; 
+		while (node->rb_right)
+			node=node->rb_right;
+		return node;
+	}
+
+	/* No left-hand children. Go up till we find an ancestor which
+	   is a right-hand child of its parent */
+	while ((parent = rb_parent(node)) && node == parent->rb_left)
+		node = parent;
+
+	return parent;
+}
+
+void rb_replace_node(struct rb_node *victim, struct rb_node *new_node,
+		     struct rb_root *root)
+{
+	struct rb_node *parent = rb_parent(victim);
+
+	/* Set the surrounding nodes to point to the replacement */
+	if (parent) {
+		if (victim == parent->rb_left)
+			parent->rb_left = new_node;
+		else
+			parent->rb_right = new_node;
+	} else {
+		root->rb_node = new_node;
+	}
+	if (victim->rb_left)
+		rb_set_parent(victim->rb_left, new_node);
+	if (victim->rb_right)
+		rb_set_parent(victim->rb_right, new_node);
+
+	/* Copy the pointers/colour from the victim to the replacement */
+	*new_node = *victim;
+}
+
+void rb_link_node(struct rb_node * node, struct rb_node * parent,
+		  struct rb_node ** rb_link)
+{
+	node->rb_parent_color = (unsigned long )parent;
+	node->rb_left = node->rb_right = NULL;
+
+	*rb_link = node;
+}
diff --git a/source3/lib/readline.c b/source3/lib/readline.c
new file mode 100644
index 0000000000..254f55c86a
--- /dev/null
+++ b/source3/lib/readline.c
@@ -0,0 +1,181 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba readline wrapper implementation
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Andrew Tridgell 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_LIBREADLINE
+#  ifdef HAVE_READLINE_READLINE_H
+#    include <readline/readline.h>
+#    ifdef HAVE_READLINE_HISTORY_H
+#      include <readline/history.h>
+#    endif
+#  else
+#    ifdef HAVE_READLINE_H
+#      include <readline.h>
+#      ifdef HAVE_HISTORY_H
+#        include <history.h>
+#      endif
+#    else
+#      undef HAVE_LIBREADLINE
+#    endif
+#  endif
+#endif
+
+#ifdef HAVE_NEW_LIBREADLINE
+#  define RL_COMPLETION_CAST (rl_completion_func_t *)
+#else
+/* This type is missing from libreadline<4.0  (approximately) */
+#  define RL_COMPLETION_CAST
+#endif /* HAVE_NEW_LIBREADLINE */
+
+/****************************************************************************
+ Display the prompt and wait for input. Call callback() regularly
+****************************************************************************/
+
+static char *smb_readline_replacement(const char *prompt, void (*callback)(void), 
+				char **(completion_fn)(const char *text, int start, int end))
+{
+	fd_set fds;
+	char *line = NULL;
+	struct timeval timeout;
+	int fd = x_fileno(x_stdin);
+	char *ret;
+
+	/* Prompt might be NULL in non-interactive mode. */
+	if (prompt) {
+		x_fprintf(x_stdout, "%s", prompt);
+		x_fflush(x_stdout);
+	}
+
+	line = (char *)SMB_MALLOC(BUFSIZ);
+	if (!line) {
+		return NULL;
+	}
+
+	while (1) {
+		timeout.tv_sec = 5;
+		timeout.tv_usec = 0;
+
+		FD_ZERO(&fds);
+		FD_SET(fd,&fds);
+
+		if (sys_select_intr(fd+1,&fds,NULL,NULL,&timeout) == 1) {
+			ret = x_fgets(line, BUFSIZ, x_stdin);
+			if (ret == 0) {
+				SAFE_FREE(line);
+			}
+			return ret;
+		}
+		if (callback) {
+			callback();
+		}
+	}
+}
+
+/****************************************************************************
+ Display the prompt and wait for input. Call callback() regularly.
+****************************************************************************/
+
+char *smb_readline(const char *prompt, void (*callback)(void),
+		   char **(completion_fn)(const char *text, int start, int end))
+{
+	char *ret;
+	bool interactive;
+
+	interactive = isatty(x_fileno(x_stdin)) || getenv("CLI_FORCE_INTERACTIVE");
+	if (!interactive) {
+		return smb_readline_replacement(NULL, callback, completion_fn);
+	}
+
+#if HAVE_LIBREADLINE
+
+	/* Aargh!  Readline does bizzare things with the terminal width
+	that mucks up expect(1).  Set CLI_NO_READLINE in the environment
+	to force readline not to be used. */
+
+	if (getenv("CLI_NO_READLINE"))
+		return smb_readline_replacement(prompt, callback, completion_fn);
+
+	if (completion_fn) {
+		/* The callback prototype has changed slightly between
+		different versions of Readline, so the same function
+		works in all of them to date, but we get compiler
+		warnings in some.  */
+		rl_attempted_completion_function = RL_COMPLETION_CAST completion_fn;
+	}
+
+#if HAVE_DECL_RL_EVENT_HOOK
+	if (callback)
+		rl_event_hook = (Function *)callback;
+#endif
+	ret = readline(prompt);
+	if (ret && *ret)
+		add_history(ret);
+
+#else
+	ret = smb_readline_replacement(prompt, callback, completion_fn);
+#endif
+
+	return ret;
+}
+
+/****************************************************************************
+ * return line buffer text
+ ****************************************************************************/
+const char *smb_readline_get_line_buffer(void)
+{
+#if defined(HAVE_LIBREADLINE)
+	return rl_line_buffer;
+#else
+	return NULL;
+#endif
+}
+
+
+/****************************************************************************
+ * set completion append character
+ ***************************************************************************/
+void smb_readline_ca_char(char c)
+{
+#if defined(HAVE_LIBREADLINE)
+	rl_completion_append_character = c;
+#endif
+}
+
+/****************************************************************************
+history
+****************************************************************************/
+int cmd_history(void)
+{
+#if defined(HAVE_LIBREADLINE) && defined(HAVE_HISTORY_LIST)
+	HIST_ENTRY **hlist;
+	int i;
+
+	hlist = history_list();
+
+	for (i = 0; hlist && hlist[i]; i++) {
+		DEBUG(0, ("%d: %s\n", i, hlist[i]->line));
+	}
+#else
+	DEBUG(0,("no history without readline support\n"));
+#endif
+
+	return 0;
+}
diff --git a/source3/lib/recvfile.c b/source3/lib/recvfile.c
new file mode 100644
index 0000000000..513742ce8f
--- /dev/null
+++ b/source3/lib/recvfile.c
@@ -0,0 +1,233 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 3.2.x
+ recvfile implementations.
+ Copyright (C) Jeremy Allison 2007.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * This file handles the OS dependent recvfile implementations.
+ * The API is such that it returns -1 on error, else returns the
+ * number of bytes written.
+ */
+
+#include "includes.h"
+
+/* Do this on our own in TRANSFER_BUF_SIZE chunks.
+ * It's safe to make direct syscalls to lseek/write here
+ * as we're below the Samba vfs layer.
+ *
+ * If tofd is -1 we just drain the incoming socket of count
+ * bytes without writing to the outgoing fd.
+ * If a write fails we do the same (to cope with disk full)
+ * errors.
+ *
+ * Returns -1 on short reads from fromfd (read error)
+ * and sets errno.
+ *
+ * Returns number of bytes written to 'tofd'
+ * or thrown away if 'tofd == -1'.
+ * return != count then sets errno.
+ * Returns count if complete success.
+ */
+
+#ifndef TRANSFER_BUF_SIZE
+#define TRANSFER_BUF_SIZE (128*1024)
+#endif
+
+static ssize_t default_sys_recvfile(int fromfd,
+			int tofd,
+			SMB_OFF_T offset,
+			size_t count)
+{
+	int saved_errno = 0;
+	size_t total = 0;
+	size_t bufsize = MIN(TRANSFER_BUF_SIZE,count);
+	size_t total_written = 0;
+	char *buffer = NULL;
+
+	DEBUG(10,("default_sys_recvfile: from = %d, to = %d, "
+		"offset=%.0f, count = %lu\n",
+		fromfd, tofd, (double)offset,
+		(unsigned long)count));
+
+	if (count == 0) {
+		return 0;
+	}
+
+	if (tofd != -1 && offset != (SMB_OFF_T)-1) {
+		if (sys_lseek(tofd, offset, SEEK_SET) == -1) {
+			if (errno != ESPIPE) {
+				return -1;
+			}
+		}
+	}
+
+	buffer = SMB_MALLOC_ARRAY(char, bufsize);
+	if (buffer == NULL) {
+		return -1;
+	}
+
+	while (total < count) {
+		size_t num_written = 0;
+		ssize_t read_ret;
+		size_t toread = MIN(bufsize,count - total);
+
+		/* Read from socket - ignore EINTR. */
+		read_ret = sys_read(fromfd, buffer, toread);
+		if (read_ret <= 0) {
+			/* EOF or socket error. */
+			free(buffer);
+			return -1;
+		}
+
+		num_written = 0;
+
+		while (num_written < read_ret) {
+			ssize_t write_ret;
+
+			if (tofd == -1) {
+				write_ret = read_ret;
+			} else {
+				/* Write to file - ignore EINTR. */
+				write_ret = sys_write(tofd,
+						buffer + num_written,
+						read_ret - num_written);
+
+				if (write_ret <= 0) {
+					/* write error - stop writing. */
+					tofd = -1;
+					saved_errno = errno;
+					continue;
+				}
+			}
+
+			num_written += (size_t)write_ret;
+			total_written += (size_t)write_ret;
+		}
+
+		total += read_ret;
+	}
+
+	free(buffer);
+	if (saved_errno) {
+		/* Return the correct write error. */
+		errno = saved_errno;
+	}
+	return (ssize_t)total_written;
+}
+
+#if defined(HAVE_LINUX_SPLICE)
+
+/*
+ * Try and use the Linux system call to do this.
+ * Remember we only return -1 if the socket read
+ * failed. Else we return the number of bytes
+ * actually written. We always read count bytes
+ * from the network in the case of return != -1.
+ */
+
+
+ssize_t sys_recvfile(int fromfd,
+			int tofd,
+			SMB_OFF_T offset,
+			size_t count)
+{
+	static bool try_splice_call = true;
+	size_t total_written = 0;
+
+	DEBUG(10,("sys_recvfile: from = %d, to = %d, "
+		"offset=%.0f, count = %lu\n",
+		fromfd, tofd, (double)offset,
+		(unsigned long)count));
+
+	if (count == 0) {
+		return 0;
+	}
+
+	/*
+	 * Older Linux kernels have splice for sendfile,
+	 * but it fails for recvfile. Ensure we only try
+	 * this once and always fall back to the userspace
+	 * implementation if recvfile splice fails. JRA.
+	 */
+
+	if (!try_splice_call) {
+		return default_sys_recvfile(fromfd,
+				tofd,
+				offset,
+				count);
+	}
+
+	while (total_written < count) {
+		ssize_t ret = splice(fromfd,
+					NULL,
+					tofd,
+					&offset,
+					count,
+					0);
+		if (ret == -1) {
+			if (errno != EINTR) {
+				if (total_written == 0 &&
+						(errno == EBADF || errno == EINVAL)) {
+					try_splice_call = false;
+					return default_sys_recvfile(fromfd,
+								tofd,
+								offset,
+								count);
+				}
+				break;
+			}
+			continue;
+		}
+		total_written += ret;
+		count -= ret;
+	}
+
+	if (total_written < count) {
+		int saved_errno = errno;
+		if (drain_socket(fromfd, count-total_written) !=
+				count-total_written) {
+			/* socket is dead. */
+			return -1;
+		}
+		errno = saved_errno;
+	}
+
+	return total_written;
+}
+#else
+
+/*****************************************************************
+ No recvfile system call - use the default 128 chunk implementation.
+*****************************************************************/
+
+ssize_t sys_recvfile(int fromfd,
+			int tofd,
+			SMB_OFF_T offset,
+			size_t count)
+{
+	return default_sys_recvfile(fromfd, tofd, offset, count);
+}
+#endif
+
+/*****************************************************************
+ Throw away "count" bytes from the client socket.
+*****************************************************************/
+
+ssize_t drain_socket(int sockfd, size_t count)
+{
+	return default_sys_recvfile(sockfd, -1, (SMB_OFF_T)-1, count);
+}
diff --git a/source3/lib/replace/.checker_innocent b/source3/lib/replace/.checker_innocent
new file mode 100644
index 0000000000..e619176540
--- /dev/null
+++ b/source3/lib/replace/.checker_innocent
@@ -0,0 +1,4 @@
+>>>MISTAKE21_create_files_6a9e68ada99a97cb
+>>>MISTAKE21_os2_delete_9b2bfa7f38711d09
+>>>MISTAKE21_os2_delete_2fcc29aaa99a97cb
+>>>SECURITY2_os2_delete_9b2bfa7f1c9396ca
diff --git a/source3/lib/replace/Makefile.in b/source3/lib/replace/Makefile.in
new file mode 100644
index 0000000000..c989835a8d
--- /dev/null
+++ b/source3/lib/replace/Makefile.in
@@ -0,0 +1,63 @@
+#!gmake
+#
+CC = @CC@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+includedir = @includedir@
+libdir = @libdir@
+VPATH = @libreplacedir@
+srcdir = @srcdir@
+builddir = @builddir@
+INSTALL = @INSTALL@
+LIBS = @LIBS@
+
+.PHONY: test all showflags install installcheck clean distclean realdistclean
+
+CFLAGS=-I. @CFLAGS@
+LDFLAGS=@LDFLAGS@
+
+OBJS = @LIBREPLACEOBJ@
+
+all: showflags libreplace.a testsuite
+
+showflags:
+	@echo 'libreplace will be compiled with flags:'
+	@echo '  CC     = $(CC)'
+	@echo '  CFLAGS = $(CFLAGS)'
+	@echo '  LDFLAGS= $(LDFLAGS)'
+	@echo '  LIBS   = $(LIBS)'
+
+install: all
+	mkdir -p $(libdir)
+	$(INSTALL) libreplace.a $(libdir)
+
+libreplace.a: $(OBJS)
+	ar -rcsv $@ $(OBJS)
+
+test: all
+	./testsuite
+
+installcheck: install test
+
+TEST_OBJS = test/testsuite.o test/os2_delete.o test/strptime.o test/getifaddrs.o
+
+testsuite: libreplace.a $(TEST_OBJS)
+	$(CC) -o testsuite $(TEST_OBJS) -L. -lreplace $(LDFLAGS) $(LIBS)
+
+.c.o:
+	@echo Compiling $*.c
+	@mkdir -p `dirname $@`
+	@$(CC) $(CFLAGS) -c $< -o $@
+
+clean:
+	rm -f *.o test/*.o *.a testsuite
+	rm -f testfile.dat
+
+distclean: clean
+	rm -f *~ */*~
+	rm -f config.log config.status config.h config.cache
+	rm -f Makefile
+
+realdistclean: distclean
+	rm -f configure config.h.in
diff --git a/source3/lib/replace/README b/source3/lib/replace/README
new file mode 100644
index 0000000000..4d94317c4b
--- /dev/null
+++ b/source3/lib/replace/README
@@ -0,0 +1,113 @@
+This subsystem ensures that we can always use a certain core set of 
+functions and types, that are either provided by the OS or by replacement 
+functions / definitions in this subsystem. The aim is to try to stick 
+to POSIX functions in here as much as possible. Convenience functions 
+that are available on no platform at all belong in other subsystems
+(such as LIBUTIL).
+
+The following functions are guaranteed:
+
+ftruncate
+strlcpy
+strlcat
+mktime
+rename
+initgroups
+memmove
+strdup
+setlinebuf
+vsyslog
+timegm
+setenv
+unsetenv
+strndup
+strnlen
+waitpid
+seteuid
+setegid
+asprintf
+snprintf
+vasprintf
+vsnprintf
+opendir
+readdir
+telldir
+seekdir
+closedir
+dlopen
+dlclose
+dlsym
+dlerror
+chroot
+bzero
+strerror
+errno
+mkdtemp
+mkstemp (a secure one!)
+pread
+pwrite
+getpass
+readline (the library)
+inet_ntoa
+inet_ntop
+inet_pton
+inet_aton
+strtoll
+strtoull
+socketpair
+strptime
+getaddrinfo
+freeaddrinfo
+getnameinfo
+gai_strerror
+getifaddrs
+freeifaddrs
+utime
+utimes
+
+Types:
+bool
+socklen_t
+uint_t
+uint{8,16,32,64}_t
+int{8,16,32,64}_t
+intptr_t
+
+Constants:
+PATH_NAME_MAX
+UINT{16,32,64}_MAX
+INT32_MAX
+RTLD_LAZY
+HOST_NAME_MAX
+UINT16_MAX
+UINT32_MAX
+UINT64_MAX
+CHAR_BIT
+
+Macros:
+va_copy
+__FUNCTION__
+__FILE__
+__LINE__
+__LINESTR__
+__location__
+__STRING
+__STRINGSTRING
+MIN
+MAX
+QSORT_CAST
+ZERO_STRUCT
+ZERO_STRUCTP
+ZERO_STRUCTPN
+ZERO_ARRAY
+ARRAY_SIZE
+PTR_DIFF
+
+Headers:
+stdint.h
+stdbool.h
+
+Prerequisites:
+memset (for bzero)
+syslog (for vsyslog)
+mktemp (for mkstemp and mkdtemp)
diff --git a/source3/lib/replace/aclocal.m4 b/source3/lib/replace/aclocal.m4
new file mode 100644
index 0000000000..5605e476ba
--- /dev/null
+++ b/source3/lib/replace/aclocal.m4
@@ -0,0 +1 @@
+m4_include(libreplace.m4)
diff --git a/source3/lib/replace/autoconf-2.60.m4 b/source3/lib/replace/autoconf-2.60.m4
new file mode 100644
index 0000000000..acdcd38efe
--- /dev/null
+++ b/source3/lib/replace/autoconf-2.60.m4
@@ -0,0 +1,210 @@
+# AC_GNU_SOURCE
+# --------------
+AC_DEFUN([AC_GNU_SOURCE],
+[AH_VERBATIM([_GNU_SOURCE],
+[/* Enable GNU extensions on systems that have them.  */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif])dnl
+AC_BEFORE([$0], [AC_COMPILE_IFELSE])dnl
+AC_BEFORE([$0], [AC_RUN_IFELSE])dnl
+AC_DEFINE([_GNU_SOURCE])
+])
+
+# _AC_C_STD_TRY(STANDARD, TEST-PROLOGUE, TEST-BODY, OPTION-LIST,
+#		ACTION-IF-AVAILABLE, ACTION-IF-UNAVAILABLE)
+# --------------------------------------------------------------
+# Check whether the C compiler accepts features of STANDARD (e.g `c89', `c99')
+# by trying to compile a program of TEST-PROLOGUE and TEST-BODY.  If this fails,
+# try again with each compiler option in the space-separated OPTION-LIST; if one
+# helps, append it to CC.  If eventually successful, run ACTION-IF-AVAILABLE,
+# else ACTION-IF-UNAVAILABLE.
+AC_DEFUN([_AC_C_STD_TRY],
+[AC_MSG_CHECKING([for $CC option to accept ISO ]m4_translit($1, [c], [C]))
+AC_CACHE_VAL(ac_cv_prog_cc_$1,
+[ac_cv_prog_cc_$1=no
+ac_save_CC=$CC
+AC_LANG_CONFTEST([AC_LANG_PROGRAM([$2], [$3])])
+for ac_arg in '' $4
+do
+  CC="$ac_save_CC $ac_arg"
+  _AC_COMPILE_IFELSE([], [ac_cv_prog_cc_$1=$ac_arg])
+  test "x$ac_cv_prog_cc_$1" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+])# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_$1" in
+  x)
+    AC_MSG_RESULT([none needed]) ;;
+  xno)
+    AC_MSG_RESULT([unsupported]) ;;
+  *)
+    CC="$CC $ac_cv_prog_cc_$1"
+    AC_MSG_RESULT([$ac_cv_prog_cc_$1]) ;;
+esac
+AS_IF([test "x$ac_cv_prog_cc_$1" != xno], [$5], [$6])
+])# _AC_C_STD_TRY
+
+# _AC_PROG_CC_C99 ([ACTION-IF-AVAILABLE], [ACTION-IF-UNAVAILABLE])
+# ----------------------------------------------------------------
+# If the C compiler is not in ISO C99 mode by default, try to add an
+# option to output variable CC to make it so.  This macro tries
+# various options that select ISO C99 on some system or another.  It
+# considers the compiler to be in ISO C99 mode if it handles mixed
+# code and declarations, _Bool, inline and restrict.
+AC_DEFUN([_AC_PROG_CC_C99],
+[_AC_C_STD_TRY([c99],
+[[#include <stdarg.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include <stdio.h>
+
+struct incomplete_array
+{
+  int datasize;
+  double data[];
+};
+
+struct named_init {
+  int number;
+  const wchar_t *name;
+  double average;
+};
+
+typedef const char *ccp;
+
+static inline int
+test_restrict(ccp restrict text)
+{
+  // See if C++-style comments work.
+  // Iterate through items via the restricted pointer.
+  // Also check for declarations in for loops.
+  for (unsigned int i = 0; *(text+i) != '\0'; ++i)
+    continue;
+  return 0;
+}
+
+// Check varargs and va_copy work.
+static void
+test_varargs(const char *format, ...)
+{
+  va_list args;
+  va_start(args, format);
+  va_list args_copy;
+  va_copy(args_copy, args);
+
+  const char *str;
+  int number;
+  float fnumber;
+
+  while (*format)
+    {
+      switch (*format++)
+	{
+	case 's': // string
+	  str = va_arg(args_copy, const char *);
+	  break;
+	case 'd': // int
+	  number = va_arg(args_copy, int);
+	  break;
+	case 'f': // float
+	  fnumber = (float) va_arg(args_copy, double);
+	  break;
+	default:
+	  break;
+	}
+    }
+  va_end(args_copy);
+  va_end(args);
+}
+]],
+[[
+  // Check bool and long long datatypes.
+  _Bool success = false;
+  long long int bignum = -1234567890LL;
+  unsigned long long int ubignum = 1234567890uLL;
+
+  // Check restrict.
+  if (test_restrict("String literal") != 0)
+    success = true;
+  char *restrict newvar = "Another string";
+
+  // Check varargs.
+  test_varargs("s, d' f .", "string", 65, 34.234);
+
+  // Check incomplete arrays work.
+  struct incomplete_array *ia =
+    malloc(sizeof(struct incomplete_array) + (sizeof(double) * 10));
+  ia->datasize = 10;
+  for (int i = 0; i < ia->datasize; ++i)
+    ia->data[i] = (double) i * 1.234;
+
+  // Check named initialisers.
+  struct named_init ni = {
+    .number = 34,
+    .name = L"Test wide string",
+    .average = 543.34343,
+  };
+
+  ni.number = 58;
+
+  int dynamic_array[ni.number];
+  dynamic_array[43] = 543;
+
+  // work around unused variable warnings
+  return  bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x';
+]],
+dnl Try
+dnl GCC		-std=gnu99 (unused restrictive modes: -std=c99 -std=iso9899:1999)
+dnl AIX		-qlanglvl=extc99 (unused restrictive mode: -qlanglvl=stdc99)
+dnl Intel ICC	-c99
+dnl IRIX	-c99
+dnl Solaris	(unused because it causes the compiler to assume C99 semantics for
+dnl		library functions, and this is invalid before Solaris 10: -xc99)
+dnl Tru64	-c99
+dnl with extended modes being tried first.
+[[-std=gnu99 -c99 -qlanglvl=extc99]], [$1], [$2])[]dnl
+])# _AC_PROG_CC_C99
+
+# AC_PROG_CC_C99
+# --------------
+AC_DEFUN([AC_PROG_CC_C99],
+[ AC_REQUIRE([AC_PROG_CC])dnl
+  _AC_PROG_CC_C99
+])
+
+# AC_USE_SYSTEM_EXTENSIONS
+# ------------------------
+# Enable extensions on systems that normally disable them,
+# typically due to standards-conformance issues.
+AC_DEFUN([AC_USE_SYSTEM_EXTENSIONS],
+[
+  AC_BEFORE([$0], [AC_COMPILE_IFELSE])
+  AC_BEFORE([$0], [AC_RUN_IFELSE])
+
+  AC_REQUIRE([AC_GNU_SOURCE])
+  AC_REQUIRE([AC_AIX])
+  AC_REQUIRE([AC_MINIX])
+
+  AH_VERBATIM([__EXTENSIONS__],
+[/* Enable extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif])
+  AC_CACHE_CHECK([whether it is safe to define __EXTENSIONS__],
+    [ac_cv_safe_to_define___extensions__],
+    [AC_COMPILE_IFELSE(
+       [AC_LANG_PROGRAM([
+#	  define __EXTENSIONS__ 1
+	  AC_INCLUDES_DEFAULT])],
+       [ac_cv_safe_to_define___extensions__=yes],
+       [ac_cv_safe_to_define___extensions__=no])])
+  test $ac_cv_safe_to_define___extensions__ = yes &&
+    AC_DEFINE([__EXTENSIONS__])
+  AC_DEFINE([_POSIX_PTHREAD_SEMANTICS])
+])
diff --git a/source3/lib/replace/autogen.sh b/source3/lib/replace/autogen.sh
new file mode 100755
index 0000000000..d46a4279f3
--- /dev/null
+++ b/source3/lib/replace/autogen.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+rm -rf autom4te.cache
+rm -f configure config.h.in
+
+autoheader || exit 1
+autoconf || exit 1
+
+rm -rf autom4te.cache
+
+echo "Now run ./configure and then make."
+exit 0
+
diff --git a/source3/lib/replace/config.guess b/source3/lib/replace/config.guess
new file mode 100755
index 0000000000..354dbe175a
--- /dev/null
+++ b/source3/lib/replace/config.guess
@@ -0,0 +1,1464 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-08-03'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+        echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit ;;
+    5000:UNIX_System_V:4.*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    x86:Interix*:[34]*)
+	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+	exit ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    cris:Linux:*:*)
+	echo cris-axis-linux-gnu
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit ;;
+    sh64*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#ifdef __INTEL_COMPILER
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && { echo i486-ncr-sysv4; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    *86) UNAME_PROCESSOR=i686 ;;
+	    unknown) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+        echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    c34*)
+	echo c34-convex-bsd
+	exit ;;
+    c38*)
+	echo c38-convex-bsd
+	exit ;;
+    c4*)
+	echo c4-convex-bsd
+	exit ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/replace/config.sub b/source3/lib/replace/config.sub
new file mode 100755
index 0000000000..23cd6fd75c
--- /dev/null
+++ b/source3/lib/replace/config.sub
@@ -0,0 +1,1577 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-07-08'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| bfin \
+	| c4x | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| ms1 \
+	| msp430 \
+	| ns16k | ns32k \
+	| or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b \
+	| strongarm \
+	| tahoe | thumb | tic4x | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m32c)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| ms1-* \
+	| msp430-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	m32c-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+    	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16c)
+		basic_machine=cr16c-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+        -os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+        -tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+    c4x-* | tic4x-*)
+        os=-coff
+        ;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+    	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/replace/configure.ac b/source3/lib/replace/configure.ac
new file mode 100644
index 0000000000..81997e09b7
--- /dev/null
+++ b/source3/lib/replace/configure.ac
@@ -0,0 +1,30 @@
+AC_PREREQ(2.50)
+AC_INIT(replace.c)
+AC_CONFIG_SRCDIR([replace.c])
+AC_CONFIG_HEADER(config.h)
+
+CFLAGS="$CFLAGS -I$srcdir"
+
+AC_LIBREPLACE_ALL_CHECKS
+AC_LIBREPLACE_NETWORK_CHECKS
+
+if test "$ac_cv_prog_gcc" = yes; then
+   CFLAGS="$CFLAGS -Wall"
+   CFLAGS="$CFLAGS -W"
+   CFLAGS="$CFLAGS -Wshadow"
+   CFLAGS="$CFLAGS -Wstrict-prototypes"
+   CFLAGS="$CFLAGS -Wpointer-arith"
+   CFLAGS="$CFLAGS -Wcast-qual"
+   CFLAGS="$CFLAGS -Wcast-align"
+   CFLAGS="$CFLAGS -Wwrite-strings"
+   CFLAGS="$CFLAGS -Werror-implicit-function-declaration"
+   CFLAGS="$CFLAGS -Wformat=2"
+   CFLAGS="$CFLAGS -Wno-format-y2k"
+fi
+
+LIBS="${LIBREPLACE_NETWORK_LIBS}"
+AC_SUBST(LIBS)
+
+AC_SUBST(LDFLAGS)
+
+AC_OUTPUT(Makefile)
diff --git a/source3/lib/replace/dlfcn.c b/source3/lib/replace/dlfcn.c
new file mode 100644
index 0000000000..3b109d7e40
--- /dev/null
+++ b/source3/lib/replace/dlfcn.c
@@ -0,0 +1,75 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba system utilities
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Jeremy Allison 1998-2002
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#ifdef HAVE_DL_H
+#include <dl.h>
+#endif
+
+#ifndef HAVE_DLOPEN
+#ifdef DLOPEN_TAKES_UNSIGNED_FLAGS
+void *rep_dlopen(const char *name, unsigned int flags)
+#else
+void *rep_dlopen(const char *name, int flags)
+#endif
+{
+#ifdef HAVE_SHL_LOAD
+	if (name == NULL)
+		return PROG_HANDLE;
+	return (void *)shl_load(name, flags, 0);
+#else
+	return NULL;
+#endif
+}
+#endif
+
+#ifndef HAVE_DLSYM
+void *rep_dlsym(void *handle, const char *symbol)
+{
+#ifdef HAVE_SHL_FINDSYM
+	void *sym_addr;
+	if (!shl_findsym((shl_t *)&handle, symbol, TYPE_UNDEFINED, &sym_addr))
+		return sym_addr;
+#endif
+    return NULL;
+}
+#endif
+
+#ifndef HAVE_DLERROR
+char *rep_dlerror(void)
+{
+	return "dynamic loading of objects not supported on this platform";
+}
+#endif
+
+#ifndef HAVE_DLCLOSE
+int rep_dlclose(void *handle)
+{
+#ifdef HAVE_SHL_CLOSE
+	return shl_unload((shl_t)handle);
+#else
+	return 0;
+#endif
+}
+#endif
diff --git a/source3/lib/replace/dlfcn.m4 b/source3/lib/replace/dlfcn.m4
new file mode 100644
index 0000000000..42f56f26be
--- /dev/null
+++ b/source3/lib/replace/dlfcn.m4
@@ -0,0 +1,31 @@
+dnl dummies provided by dlfcn.c if not available
+save_LIBS="$LIBS"
+LIBS=""
+
+libreplace_cv_dlfcn=no
+AC_SEARCH_LIBS(dlopen, dl)
+
+AC_CHECK_HEADERS(dlfcn.h)
+AC_CHECK_FUNCS([dlopen dlsym dlerror dlclose],[],[libreplace_cv_dlfcn=yes])
+
+libreplace_cv_shl=no
+AC_SEARCH_LIBS(shl_load, sl)
+AC_CHECK_HEADERS(dl.h)
+AC_CHECK_FUNCS([shl_load shl_unload shl_findsym],[],[libreplace_cv_shl=yes])
+
+AC_VERIFY_C_PROTOTYPE([void *dlopen(const char* filename, unsigned int flags)],
+	[
+	return 0;
+	],[
+	AC_DEFINE(DLOPEN_TAKES_UNSIGNED_FLAGS, 1, [Whether dlopen takes unsigned int flags])
+	],[],[
+	#include <dlfcn.h>
+	])
+
+if test x"${libreplace_cv_dlfcn}" = x"yes";then
+	LIBREPLACEOBJ="${LIBREPLACEOBJ} dlfcn.o"
+fi
+
+LIBDL="$LIBS"
+AC_SUBST(LIBDL)
+LIBS="$save_LIBS"
diff --git a/source3/lib/replace/getaddrinfo.c b/source3/lib/replace/getaddrinfo.c
new file mode 100644
index 0000000000..c5cd52be93
--- /dev/null
+++ b/source3/lib/replace/getaddrinfo.c
@@ -0,0 +1,497 @@
+/*
+PostgreSQL Database Management System
+(formerly known as Postgres, then as Postgres95)
+
+Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group
+
+Portions Copyright (c) 1994, The Regents of the University of California
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose, without fee, and without a written agreement
+is hereby granted, provided that the above copyright notice and this paragraph
+and the following two paragraphs appear in all copies.
+
+IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
+DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
+LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
+EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
+ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS
+TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
+
+*/
+
+/*-------------------------------------------------------------------------
+ *
+ * getaddrinfo.c
+ *	  Support getaddrinfo() on platforms that don't have it.
+ *
+ * We also supply getnameinfo() here, assuming that the platform will have
+ * it if and only if it has getaddrinfo().	If this proves false on some
+ * platform, we'll need to split this file and provide a separate configure
+ * test for getnameinfo().
+ *
+ * Copyright (c) 2003-2007, PostgreSQL Global Development Group
+ *
+ * Copyright (C) 2007 Jeremy Allison.
+ * Modified to return multiple IPv4 addresses for Samba.
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+#ifndef SMB_MALLOC
+#define SMB_MALLOC(s) malloc(s)
+#endif
+
+#ifndef SMB_STRDUP
+#define SMB_STRDUP(s) strdup(s)
+#endif
+
+static int check_hostent_err(struct hostent *hp)
+{
+	if (!hp) {
+		switch (h_errno) {
+			case HOST_NOT_FOUND:
+			case NO_DATA:
+				return EAI_NONAME;
+			case TRY_AGAIN:
+				return EAI_AGAIN;
+			case NO_RECOVERY:
+			default:
+				return EAI_FAIL;
+		}
+	}
+	if (!hp->h_name || hp->h_addrtype != AF_INET) {
+		return EAI_FAIL;
+	}
+	return 0;
+}
+
+static char *canon_name_from_hostent(struct hostent *hp,
+				int *perr)
+{
+	char *ret = NULL;
+
+	*perr = check_hostent_err(hp);
+	if (*perr) {
+		return NULL;
+	}
+	ret = SMB_STRDUP(hp->h_name);
+	if (!ret) {
+		*perr = EAI_MEMORY;
+	}
+	return ret;
+}
+
+static char *get_my_canon_name(int *perr)
+{
+	char name[HOST_NAME_MAX+1];
+
+	if (gethostname(name, HOST_NAME_MAX) == -1) {
+		*perr = EAI_FAIL;
+		return NULL;
+	}
+	/* Ensure null termination. */
+	name[HOST_NAME_MAX] = '\0';
+	return canon_name_from_hostent(gethostbyname(name), perr);
+}
+
+static char *get_canon_name_from_addr(struct in_addr ip,
+				int *perr)
+{
+	return canon_name_from_hostent(
+			gethostbyaddr(&ip, sizeof(ip), AF_INET),
+			perr);
+}
+
+static struct addrinfo *alloc_entry(const struct addrinfo *hints,
+				struct in_addr ip,
+				unsigned short port)
+{
+	struct sockaddr_in *psin = NULL;
+	struct addrinfo *ai = SMB_MALLOC(sizeof(*ai));
+
+	if (!ai) {
+		return NULL;
+	}
+	memset(ai, '\0', sizeof(*ai));
+
+	psin = SMB_MALLOC(sizeof(*psin));
+	if (!psin) {
+		free(ai);
+		return NULL;
+	}
+
+	memset(psin, '\0', sizeof(*psin));
+
+	psin->sin_family = AF_INET;
+	psin->sin_port = htons(port);
+	psin->sin_addr = ip;
+
+	ai->ai_flags = 0;
+	ai->ai_family = AF_INET;
+	ai->ai_socktype = hints->ai_socktype;
+	ai->ai_protocol = hints->ai_protocol;
+	ai->ai_addrlen = sizeof(*psin);
+	ai->ai_addr = (struct sockaddr *) psin;
+	ai->ai_canonname = NULL;
+	ai->ai_next = NULL;
+
+	return ai;
+}
+
+/*
+ * get address info for a single ipv4 address.
+ *
+ *	Bugs:	- servname can only be a number, not text.
+ */
+
+static int getaddr_info_single_addr(const char *service,
+				uint32_t addr,
+				const struct addrinfo *hints,
+				struct addrinfo **res)
+{
+
+	struct addrinfo *ai = NULL;
+	struct in_addr ip;
+	unsigned short port = 0;
+
+	if (service) {
+		port = (unsigned short)atoi(service);
+	}
+	ip.s_addr = htonl(addr);
+
+	ai = alloc_entry(hints, ip, port);
+	if (!ai) {
+		return EAI_MEMORY;
+	}
+
+	/* If we're asked for the canonical name,
+	 * make sure it returns correctly. */
+	if (!(hints->ai_flags & AI_NUMERICSERV) &&
+			hints->ai_flags & AI_CANONNAME) {
+		int err;
+		if (addr == INADDR_LOOPBACK || addr == INADDR_ANY) {
+			ai->ai_canonname = get_my_canon_name(&err);
+		} else {
+			ai->ai_canonname =
+			get_canon_name_from_addr(ip,&err);
+		}
+		if (ai->ai_canonname == NULL) {
+			freeaddrinfo(ai);
+			return err;
+		}
+	}
+
+	*res = ai;
+	return 0;
+}
+
+/*
+ * get address info for multiple ipv4 addresses.
+ *
+ *	Bugs:	- servname can only be a number, not text.
+ */
+
+static int getaddr_info_name(const char *node,
+				const char *service,
+				const struct addrinfo *hints,
+				struct addrinfo **res)
+{
+	struct addrinfo *listp = NULL, *prevp = NULL;
+	char **pptr = NULL;
+	int err;
+	struct hostent *hp = NULL;
+	unsigned short port = 0;
+
+	if (service) {
+		port = (unsigned short)atoi(service);
+	}
+
+	hp = gethostbyname(node);
+	err = check_hostent_err(hp);
+	if (err) {
+		return err;
+	}
+
+	for(pptr = hp->h_addr_list; *pptr; pptr++) {
+		struct in_addr ip = *(struct in_addr *)*pptr;
+		struct addrinfo *ai = alloc_entry(hints, ip, port);
+
+		if (!ai) {
+			freeaddrinfo(listp);
+			return EAI_MEMORY;
+		}
+
+		if (!listp) {
+			listp = ai;
+			prevp = ai;
+			ai->ai_canonname = SMB_STRDUP(hp->h_name);
+			if (!ai->ai_canonname) {
+				freeaddrinfo(listp);
+				return EAI_MEMORY;
+			}
+		} else {
+			prevp->ai_next = ai;
+			prevp = ai;
+		}
+	}
+	*res = listp;
+	return 0;
+}
+
+/*
+ * get address info for ipv4 sockets.
+ *
+ *	Bugs:	- servname can only be a number, not text.
+ */
+
+int rep_getaddrinfo(const char *node,
+		const char *service,
+		const struct addrinfo * hintp,
+		struct addrinfo ** res)
+{
+	struct addrinfo hints;
+
+	/* Setup the hints struct. */
+	if (hintp == NULL) {
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = AF_INET;
+		hints.ai_socktype = SOCK_STREAM;
+	} else {
+		memcpy(&hints, hintp, sizeof(hints));
+	}
+
+	if (hints.ai_family != AF_INET && hints.ai_family != AF_UNSPEC) {
+		return EAI_FAMILY;
+	}
+
+	if (hints.ai_socktype == 0) {
+		hints.ai_socktype = SOCK_STREAM;
+	}
+
+	if (!node && !service) {
+		return EAI_NONAME;
+	}
+
+	if (node) {
+		if (node[0] == '\0') {
+			return getaddr_info_single_addr(service,
+					INADDR_ANY,
+					&hints,
+					res);
+		} else if (hints.ai_flags & AI_NUMERICHOST) {
+			struct in_addr ip;
+			if (!inet_aton(node, &ip)) {
+				return EAI_FAIL;
+			}
+			return getaddr_info_single_addr(service,
+					ntohl(ip.s_addr),
+					&hints,
+					res);
+		} else {
+			return getaddr_info_name(node,
+						service,
+						&hints,
+						res);
+		}
+	} else if (hints.ai_flags & AI_PASSIVE) {
+		return getaddr_info_single_addr(service,
+					INADDR_ANY,
+					&hints,
+					res);
+	}
+	return getaddr_info_single_addr(service,
+					INADDR_LOOPBACK,
+					&hints,
+					res);
+}
+
+
+void rep_freeaddrinfo(struct addrinfo *res)
+{
+	struct addrinfo *next = NULL;
+
+	for (;res; res = next) {
+		next = res->ai_next;
+		if (res->ai_canonname) {
+			free(res->ai_canonname);
+		}
+		if (res->ai_addr) {
+			free(res->ai_addr);
+		}
+		free(res);
+	}
+}
+
+
+const char *rep_gai_strerror(int errcode)
+{
+#ifdef HAVE_HSTRERROR
+	int			hcode;
+
+	switch (errcode)
+	{
+		case EAI_NONAME:
+			hcode = HOST_NOT_FOUND;
+			break;
+		case EAI_AGAIN:
+			hcode = TRY_AGAIN;
+			break;
+		case EAI_FAIL:
+		default:
+			hcode = NO_RECOVERY;
+			break;
+	}
+
+	return hstrerror(hcode);
+#else							/* !HAVE_HSTRERROR */
+
+	switch (errcode)
+	{
+		case EAI_NONAME:
+			return "Unknown host";
+		case EAI_AGAIN:
+			return "Host name lookup failure";
+#ifdef EAI_BADFLAGS
+		case EAI_BADFLAGS:
+			return "Invalid argument";
+#endif
+#ifdef EAI_FAMILY
+		case EAI_FAMILY:
+			return "Address family not supported";
+#endif
+#ifdef EAI_MEMORY
+		case EAI_MEMORY:
+			return "Not enough memory";
+#endif
+#ifdef EAI_NODATA
+		case EAI_NODATA:
+			return "No host data of that type was found";
+#endif
+#ifdef EAI_SERVICE
+		case EAI_SERVICE:
+			return "Class type not found";
+#endif
+#ifdef EAI_SOCKTYPE
+		case EAI_SOCKTYPE:
+			return "Socket type not supported";
+#endif
+		default:
+			return "Unknown server error";
+	}
+#endif   /* HAVE_HSTRERROR */
+}
+
+static int gethostnameinfo(const struct sockaddr *sa,
+			char *node,
+			size_t nodelen,
+			int flags)
+{
+	int ret = -1;
+	char *p = NULL;
+
+	if (!(flags & NI_NUMERICHOST)) {
+		struct hostent *hp = gethostbyaddr(
+				&((struct sockaddr_in *)sa)->sin_addr,
+				sizeof(struct in_addr),
+				sa->sa_family);
+		ret = check_hostent_err(hp);
+		if (ret == 0) {
+			/* Name looked up successfully. */
+			ret = snprintf(node, nodelen, "%s", hp->h_name);
+			if (ret < 0 || (size_t)ret >= nodelen) {
+				return EAI_MEMORY;
+			}
+			if (flags & NI_NOFQDN) {
+				p = strchr(node,'.');
+				if (p) {
+					*p = '\0';
+				}
+			}
+			return 0;
+		}
+
+		if (flags & NI_NAMEREQD) {
+			/* If we require a name and didn't get one,
+			 * automatically fail. */
+			return ret;
+		}
+		/* Otherwise just fall into the numeric host code... */
+	}
+	p = inet_ntoa(((struct sockaddr_in *)sa)->sin_addr);
+	ret = snprintf(node, nodelen, "%s", p);
+	if (ret < 0 || (size_t)ret >= nodelen) {
+		return EAI_MEMORY;
+	}
+	return 0;
+}
+
+static int getservicenameinfo(const struct sockaddr *sa,
+			char *service,
+			size_t servicelen,
+			int flags)
+{
+	int ret = -1;
+	int port = ntohs(((struct sockaddr_in *)sa)->sin_port);
+
+	if (!(flags & NI_NUMERICSERV)) {
+		struct servent *se = getservbyport(
+				port,
+				(flags & NI_DGRAM) ? "udp" : "tcp");
+		if (se && se->s_name) {
+			/* Service name looked up successfully. */
+			ret = snprintf(service, servicelen, "%s", se->s_name);
+			if (ret < 0 || (size_t)ret >= servicelen) {
+				return EAI_MEMORY;
+			}
+			return 0;
+		}
+		/* Otherwise just fall into the numeric service code... */
+	}
+	ret = snprintf(service, servicelen, "%d", port);
+	if (ret < 0 || (size_t)ret >= servicelen) {
+		return EAI_MEMORY;
+	}
+	return 0;
+}
+
+/*
+ * Convert an ipv4 address to a hostname.
+ *
+ * Bugs:	- No IPv6 support.
+ */
+int rep_getnameinfo(const struct sockaddr *sa, socklen_t salen,
+			char *node, size_t nodelen,
+			char *service, size_t servicelen, int flags)
+{
+
+	/* Invalid arguments. */
+	if (sa == NULL || (node == NULL && service == NULL)) {
+		return EAI_FAIL;
+	}
+
+	if (sa->sa_family != AF_INET) {
+		return EAI_FAIL;
+	}
+
+	if (salen < sizeof(struct sockaddr_in)) {
+		return EAI_FAIL;
+	}
+
+	if (node) {
+		return gethostnameinfo(sa, node, nodelen, flags);
+	}
+
+	if (service) {
+		return getservicenameinfo(sa, service, servicelen, flags);
+	}
+	return 0;
+}
diff --git a/source3/lib/replace/getaddrinfo.h b/source3/lib/replace/getaddrinfo.h
new file mode 100644
index 0000000000..dddd699b62
--- /dev/null
+++ b/source3/lib/replace/getaddrinfo.h
@@ -0,0 +1,89 @@
+/*
+PostgreSQL Database Management System
+(formerly known as Postgres, then as Postgres95)
+
+Portions Copyright (c) 1996-2005, The PostgreSQL Global Development Group
+
+Portions Copyright (c) 1994, The Regents of the University of California
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose, without fee, and without a written agreement
+is hereby granted, provided that the above copyright notice and this paragraph
+and the following two paragraphs appear in all copies.
+
+IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
+DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
+LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
+EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
+
+THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
+ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS
+TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
+
+*/
+
+/*-------------------------------------------------------------------------
+ *
+ * getaddrinfo.h
+ *	  Support getaddrinfo() on platforms that don't have it.
+ *
+ * Note: we use our own routines on platforms that don't HAVE_STRUCT_ADDRINFO,
+ * whether or not the library routine getaddrinfo() can be found.  This
+ * policy is needed because on some platforms a manually installed libbind.a
+ * may provide getaddrinfo(), yet the system headers may not provide the
+ * struct definitions needed to call it.  To avoid conflict with the libbind
+ * definition in such cases, we rename our routines to pg_xxx() via macros.
+ *
+
+in lib/replace we use rep_xxx()
+
+ * This code will also work on platforms where struct addrinfo is defined
+ * in the system headers but no getaddrinfo() can be located.
+ *
+ * Copyright (c) 2003-2007, PostgreSQL Global Development Group
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef GETADDRINFO_H
+#define GETADDRINFO_H
+
+#ifndef HAVE_GETADDRINFO
+
+/* Rename private copies per comments above */
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo rep_getaddrinfo
+#define HAVE_GETADDRINFO
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo rep_freeaddrinfo
+#define HAVE_FREEADDRINFO
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror rep_gai_strerror
+#define HAVE_GAI_STRERROR
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo rep_getnameinfo
+#define HAVE_GETNAMEINFO
+
+extern int rep_getaddrinfo(const char *node, const char *service,
+			const struct addrinfo * hints, struct addrinfo ** res);
+extern void rep_freeaddrinfo(struct addrinfo * res);
+extern const char *rep_gai_strerror(int errcode);
+extern int rep_getnameinfo(const struct sockaddr * sa, socklen_t salen,
+			char *node, size_t nodelen,
+			char *service, size_t servicelen, int flags);
+#endif   /* HAVE_GETADDRINFO */
+
+#endif   /* GETADDRINFO_H */
diff --git a/source3/lib/replace/getifaddrs.c b/source3/lib/replace/getifaddrs.c
new file mode 100644
index 0000000000..f6f0ec080c
--- /dev/null
+++ b/source3/lib/replace/getifaddrs.c
@@ -0,0 +1,361 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1998
+   Copyright (C) Jeremy Allison 2007
+   Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#define SOCKET_WRAPPER_NOT_REPLACE
+
+#include "replace.h"
+#include "system/network.h"
+
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+
+#ifndef SIOCGIFCONF
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+#endif
+
+#ifdef HAVE_IFACE_GETIFADDRS
+#define _FOUND_IFACE_ANY
+#else
+
+void rep_freeifaddrs(struct ifaddrs *ifp)
+{
+	if (ifp != NULL) {
+		free(ifp->ifa_name);
+		free(ifp->ifa_addr);
+		free(ifp->ifa_netmask);
+		free(ifp->ifa_dstaddr);
+		freeifaddrs(ifp->ifa_next);
+		free(ifp);
+	}
+}
+
+static struct sockaddr *sockaddr_dup(struct sockaddr *sa)
+{
+	struct sockaddr *ret;
+	socklen_t socklen;
+#ifdef HAVE_SOCKADDR_SA_LEN
+	socklen = sa->sa_len;
+#else
+	socklen = sizeof(struct sockaddr_storage);
+#endif
+	ret = calloc(1, socklen);
+	if (ret == NULL)
+		return NULL;
+	memcpy(ret, sa, socklen);
+	return ret;
+}
+#endif
+
+#if HAVE_IFACE_IFCONF
+
+/* this works for Linux 2.2, Solaris 2.5, SunOS4, HPUX 10.20, OSF1
+   V4.0, Ultrix 4.4, SCO Unix 3.2, IRIX 6.4 and FreeBSD 3.2.
+
+   It probably also works on any BSD style system.  */
+
+int rep_getifaddrs(struct ifaddrs **ifap)
+{
+	struct ifconf ifc;
+	char buff[8192];
+	int fd, i, n;
+	struct ifreq *ifr=NULL;
+	struct in_addr ipaddr;
+	struct in_addr nmask;
+	char *iname;
+	struct ifaddrs *curif;
+	struct ifaddrs *lastif = NULL;
+
+	*ifap = NULL;
+
+	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+		return -1;
+	}
+  
+	ifc.ifc_len = sizeof(buff);
+	ifc.ifc_buf = buff;
+
+	if (ioctl(fd, SIOCGIFCONF, &ifc) != 0) {
+		close(fd);
+		return -1;
+	} 
+
+	ifr = ifc.ifc_req;
+  
+	n = ifc.ifc_len / sizeof(struct ifreq);
+
+	/* Loop through interfaces, looking for given IP address */
+	for (i=n-1; i>=0; i--) {
+		if (ioctl(fd, SIOCGIFFLAGS, &ifr[i]) == -1) {
+			freeifaddrs(*ifap);
+			return -1;
+		}
+
+		curif = calloc(1, sizeof(struct ifaddrs));
+		curif->ifa_name = strdup(ifr[i].ifr_name);
+		curif->ifa_flags = ifr[i].ifr_flags;
+		curif->ifa_dstaddr = NULL;
+		curif->ifa_data = NULL;
+		curif->ifa_next = NULL;
+
+		curif->ifa_addr = NULL;
+		if (ioctl(fd, SIOCGIFADDR, &ifr[i]) != -1) {
+			curif->ifa_addr = sockaddr_dup(&ifr[i].ifr_addr);
+		}
+
+		curif->ifa_netmask = NULL;
+		if (ioctl(fd, SIOCGIFNETMASK, &ifr[i]) != -1) {
+			curif->ifa_netmask = sockaddr_dup(&ifr[i].ifr_addr);
+		}
+
+		if (lastif == NULL) {
+			*ifap = curif;
+		} else {
+			lastif->ifa_next = curif;
+		}
+		lastif = curif;
+	}
+
+	close(fd);
+
+	return 0;
+}  
+
+#define _FOUND_IFACE_ANY
+#endif /* HAVE_IFACE_IFCONF */
+#ifdef HAVE_IFACE_IFREQ
+
+#ifndef I_STR
+#include <sys/stropts.h>
+#endif
+
+/****************************************************************************
+this should cover most of the streams based systems
+Thanks to Andrej.Borsenkow@mow.siemens.ru for several ideas in this code
+****************************************************************************/
+int rep_getifaddrs(struct ifaddrs **ifap)
+{
+	struct ifreq ifreq;
+	struct strioctl strioctl;
+	char buff[8192];
+	int fd, i, n;
+	struct ifreq *ifr=NULL;
+	struct in_addr ipaddr;
+	struct in_addr nmask;
+	char *iname;
+	struct ifaddrs *curif;
+	struct ifaddrs *lastif = NULL;
+
+	*ifap = NULL;
+
+	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+		return -1;
+	}
+  
+	strioctl.ic_cmd = SIOCGIFCONF;
+	strioctl.ic_dp  = buff;
+	strioctl.ic_len = sizeof(buff);
+	if (ioctl(fd, I_STR, &strioctl) < 0) {
+		close(fd);
+		return -1;
+	} 
+
+	/* we can ignore the possible sizeof(int) here as the resulting
+	   number of interface structures won't change */
+	n = strioctl.ic_len / sizeof(struct ifreq);
+
+	/* we will assume that the kernel returns the length as an int
+           at the start of the buffer if the offered size is a
+           multiple of the structure size plus an int */
+	if (n*sizeof(struct ifreq) + sizeof(int) == strioctl.ic_len) {
+		ifr = (struct ifreq *)(buff + sizeof(int));  
+	} else {
+		ifr = (struct ifreq *)buff;  
+	}
+
+	/* Loop through interfaces */
+
+	for (i = 0; i<n; i++) {
+		ifreq = ifr[i];
+  
+		curif = calloc(1, sizeof(struct ifaddrs));
+		if (lastif == NULL) {
+			*ifap = curif;
+		} else {
+			lastif->ifa_next = curif;
+		}
+
+		strioctl.ic_cmd = SIOCGIFFLAGS;
+		strioctl.ic_dp  = (char *)&ifreq;
+		strioctl.ic_len = sizeof(struct ifreq);
+		if (ioctl(fd, I_STR, &strioctl) != 0) {
+			freeifaddrs(*ifap);
+			return -1;
+		}
+
+		curif->ifa_flags = ifreq.ifr_flags;
+		
+		strioctl.ic_cmd = SIOCGIFADDR;
+		strioctl.ic_dp  = (char *)&ifreq;
+		strioctl.ic_len = sizeof(struct ifreq);
+		if (ioctl(fd, I_STR, &strioctl) != 0) {
+			freeifaddrs(*ifap);
+			return -1;
+		}
+
+		curif->ifa_name = strdup(ifreq.ifr_name);
+		curif->ifa_addr = sockaddr_dup(&ifreq.ifr_addr);
+		curif->ifa_dstaddr = NULL;
+		curif->ifa_data = NULL;
+		curif->ifa_next = NULL;
+		curif->ifa_netmask = NULL;
+
+		strioctl.ic_cmd = SIOCGIFNETMASK;
+		strioctl.ic_dp  = (char *)&ifreq;
+		strioctl.ic_len = sizeof(struct ifreq);
+		if (ioctl(fd, I_STR, &strioctl) != 0) {
+			freeifaddrs(*ifap);
+			return -1;
+		}
+
+		curif->ifa_netmask = sockaddr_dup(&ifreq.ifr_addr);
+
+		lastif = curif;
+	}
+
+	close(fd);
+
+	return 0;
+}
+
+#define _FOUND_IFACE_ANY
+#endif /* HAVE_IFACE_IFREQ */
+#ifdef HAVE_IFACE_AIX
+
+/****************************************************************************
+this one is for AIX (tested on 4.2)
+****************************************************************************/
+int rep_getifaddrs(struct ifaddrs **ifap)
+{
+	char buff[8192];
+	int fd, i;
+	struct ifconf ifc;
+	struct ifreq *ifr=NULL;
+	struct in_addr ipaddr;
+	struct in_addr nmask;
+	char *iname;
+	struct ifaddrs *curif;
+	struct ifaddrs *lastif = NULL;
+
+	*ifap = NULL;
+
+	if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
+		return -1;
+	}
+
+	ifc.ifc_len = sizeof(buff);
+	ifc.ifc_buf = buff;
+
+	if (ioctl(fd, SIOCGIFCONF, &ifc) != 0) {
+		close(fd);
+		return -1;
+	}
+
+	ifr = ifc.ifc_req;
+
+	/* Loop through interfaces */
+	i = ifc.ifc_len;
+
+	while (i > 0) {
+		uint_t inc;
+
+		inc = ifr->ifr_addr.sa_len;
+
+		if (ioctl(fd, SIOCGIFADDR, ifr) != 0) {
+			freeaddrinfo(*ifap);
+			return -1;
+		}
+
+		curif = calloc(1, sizeof(struct ifaddrs));
+		if (lastif == NULL) {
+			*ifap = curif;
+		} else {
+			lastif->ifa_next = curif;
+		}
+
+		curif->ifa_name = strdup(ifr->ifr_name);
+		curif->ifa_addr = sockaddr_dup(&ifr->ifr_addr);
+		curif->ifa_dstaddr = NULL;
+		curif->ifa_data = NULL;
+		curif->ifa_netmask = NULL;
+		curif->ifa_next = NULL;
+
+		if (ioctl(fd, SIOCGIFFLAGS, ifr) != 0) {
+			freeaddrinfo(*ifap);
+			return -1;
+		}
+
+		curif->ifa_flags = ifr->ifr_flags;
+
+		if (ioctl(fd, SIOCGIFNETMASK, ifr) != 0) {
+			freeaddrinfo(*ifap);
+			return -1;
+		}
+
+		curif->ifa_netmask = sockaddr_dup(&ifr->ifr_addr);
+
+		lastif = curif;
+
+	next:
+		/*
+		 * Patch from Archie Cobbs (archie@whistle.com).  The
+		 * addresses in the SIOCGIFCONF interface list have a
+		 * minimum size. Usually this doesn't matter, but if
+		 * your machine has tunnel interfaces, etc. that have
+		 * a zero length "link address", this does matter.  */
+
+		if (inc < sizeof(ifr->ifr_addr))
+			inc = sizeof(ifr->ifr_addr);
+		inc += IFNAMSIZ;
+
+		ifr = (struct ifreq*) (((char*) ifr) + inc);
+		i -= inc;
+	}
+
+	close(fd);
+	return 0;
+}
+
+#define _FOUND_IFACE_ANY
+#endif /* HAVE_IFACE_AIX */
+#ifndef _FOUND_IFACE_ANY
+int rep_getifaddrs(struct ifaddrs **ifap)
+{
+	errno = ENOSYS;
+	return -1;
+}
+#endif
diff --git a/source3/lib/replace/getpass.c b/source3/lib/replace/getpass.c
new file mode 100644
index 0000000000..0be618fc91
--- /dev/null
+++ b/source3/lib/replace/getpass.c
@@ -0,0 +1,222 @@
+/* Copyright (C) 1992-1998 Free Software Foundation, Inc.
+This file is part of the GNU C Library.
+
+The GNU C Library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public License as
+published by the Free Software Foundation; either version 3 of the
+License, or (at your option) any later version.
+
+The GNU C Library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Library General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with the GNU C Library; see the file COPYING.LIB.  If
+not, see <http://www.gnu.org/licenses/>.  */
+
+/* Modified to use with samba by Jeremy Allison, 8th July 1995. */
+
+#include "replace.h"
+#include "system/filesys.h"
+#include "system/wait.h"
+#include "system/terminal.h"
+#include "system/passwd.h"
+
+/*
+ * Define additional missing types
+ */
+#ifndef HAVE_SIG_ATOMIC_T_TYPE
+typedef int sig_atomic_t;
+#endif
+
+#ifndef SIGCLD
+#define SIGCLD SIGCHLD
+#endif
+
+#ifndef SIGNAL_CAST
+#define SIGNAL_CAST (RETSIGTYPE (*)(int))
+#endif
+
+#ifdef SYSV_TERMIO 
+
+/* SYSTEM V TERMIO HANDLING */
+
+static struct termio t;
+
+#define ECHO_IS_ON(t) ((t).c_lflag & ECHO)
+#define TURN_ECHO_OFF(t) ((t).c_lflag &= ~ECHO)
+#define TURN_ECHO_ON(t) ((t).c_lflag |= ECHO)
+
+#ifndef TCSAFLUSH
+#define TCSAFLUSH 1
+#endif
+
+#ifndef TCSANOW
+#define TCSANOW 0
+#endif
+
+static int tcgetattr(int fd, struct termio *_t)
+{
+	return ioctl(fd, TCGETA, _t);
+}
+
+static int tcsetattr(int fd, int flags, struct termio *_t)
+{
+	if(flags & TCSAFLUSH)
+		ioctl(fd, TCFLSH, TCIOFLUSH);
+	return ioctl(fd, TCSETS, _t);
+}
+
+#elif !defined(TCSAFLUSH)
+
+/* BSD TERMIO HANDLING */
+
+static struct sgttyb t;  
+
+#define ECHO_IS_ON(t) ((t).sg_flags & ECHO)
+#define TURN_ECHO_OFF(t) ((t).sg_flags &= ~ECHO)
+#define TURN_ECHO_ON(t) ((t).sg_flags |= ECHO)
+
+#define TCSAFLUSH 1
+#define TCSANOW 0
+
+static int tcgetattr(int fd, struct sgttyb *_t)
+{
+	return ioctl(fd, TIOCGETP, (char *)_t);
+}
+
+static int tcsetattr(int fd, int flags, struct sgttyb *_t)
+{
+	return ioctl(fd, TIOCSETP, (char *)_t);
+}
+
+#else /* POSIX TERMIO HANDLING */
+#define ECHO_IS_ON(t) ((t).c_lflag & ECHO)
+#define TURN_ECHO_OFF(t) ((t).c_lflag &= ~ECHO)
+#define TURN_ECHO_ON(t) ((t).c_lflag |= ECHO)
+
+static struct termios t;
+#endif /* SYSV_TERMIO */
+
+static void catch_signal(int signum,void (*handler)(int ))
+{
+#ifdef HAVE_SIGACTION
+	struct sigaction act;
+	struct sigaction oldact;
+
+	memset(&act, 0, sizeof(act));
+
+	act.sa_handler = handler;
+#ifdef SA_RESTART
+	/*
+	 * We *want* SIGALRM to interrupt a system call.
+	 */
+	if(signum != SIGALRM)
+		act.sa_flags = SA_RESTART;
+#endif
+	sigemptyset(&act.sa_mask);
+	sigaddset(&act.sa_mask,signum);
+	sigaction(signum,&act,&oldact);
+#else /* !HAVE_SIGACTION */
+	/* FIXME: need to handle sigvec and systems with broken signal() */
+	signal(signum, handler);
+#endif
+}
+
+static sig_atomic_t gotintr;
+static int in_fd = -1;
+
+/***************************************************************
+ Signal function to tell us were ^C'ed.
+****************************************************************/
+
+static void gotintr_sig(void)
+{
+	gotintr = 1;
+	if (in_fd != -1)
+		close(in_fd); /* Safe way to force a return. */
+	in_fd = -1;
+}
+
+char *rep_getpass(const char *prompt)
+{
+	FILE *in, *out;
+	int echo_off;
+	static char buf[256];
+	static size_t bufsize = sizeof(buf);
+	size_t nread;
+
+	/* Catch problematic signals */
+	catch_signal(SIGINT, SIGNAL_CAST gotintr_sig);
+
+	/* Try to write to and read from the terminal if we can.
+		If we can't open the terminal, use stderr and stdin.  */
+
+	in = fopen ("/dev/tty", "w+");
+	if (in == NULL) {
+		in = stdin;
+		out = stderr;
+	} else {
+		out = in;
+	}
+
+	setvbuf(in, NULL, _IONBF, 0);
+
+	/* Turn echoing off if it is on now.  */
+
+	if (tcgetattr (fileno (in), &t) == 0) {
+		if (ECHO_IS_ON(t)) {
+			TURN_ECHO_OFF(t);
+			echo_off = tcsetattr (fileno (in), TCSAFLUSH, &t) == 0;
+			TURN_ECHO_ON(t);
+		} else {
+			echo_off = 0;
+		}
+	} else {
+		echo_off = 0;
+	}
+
+	/* Write the prompt.  */
+	fputs(prompt, out);
+	fflush(out);
+
+	/* Read the password.  */
+	buf[0] = 0;
+	if (!gotintr) {
+		in_fd = fileno(in);
+		if (fgets(buf, bufsize, in) == NULL) {
+			buf[0] = 0;
+		}
+	}
+	nread = strlen(buf);
+	if (nread) {
+		if (buf[nread - 1] == '\n')
+			buf[nread - 1] = '\0';
+	}
+
+	/* Restore echoing.  */
+	if (echo_off) {
+		if (gotintr && in_fd == -1) {
+			in = fopen ("/dev/tty", "w+");
+		}
+		if (in != NULL)
+			tcsetattr (fileno (in), TCSANOW, &t);
+	}
+
+	fprintf(out, "\n");
+	fflush(out);
+
+	if (in && in != stdin) /* We opened the terminal; now close it.  */
+		fclose(in);
+
+	/* Catch problematic signals */
+	catch_signal(SIGINT, SIGNAL_CAST SIG_DFL);
+
+	if (gotintr) {
+		printf("Interupted by signal.\n");
+		fflush(stdout);
+		exit(1);
+	}
+	return buf;
+}
diff --git a/source3/lib/replace/getpass.m4 b/source3/lib/replace/getpass.m4
new file mode 100644
index 0000000000..b93817f9d3
--- /dev/null
+++ b/source3/lib/replace/getpass.m4
@@ -0,0 +1,24 @@
+AC_CHECK_FUNC(getpass, libreplace_cv_HAVE_GETPASS=yes)
+AC_CHECK_FUNC(getpassphrase, libreplace_cv_HAVE_GETPASSPHRASE=yes)
+if test x"$libreplace_cv_HAVE_GETPASS" = x"yes" -a x"$libreplace_cv_HAVE_GETPASSPHRASE" = x"yes"; then
+        AC_DEFINE(REPLACE_GETPASS_BY_GETPASSPHRASE, 1, [getpass returns <9 chars where getpassphrase returns <265 chars])
+	AC_DEFINE(REPLACE_GETPASS,1,[Whether getpass should be replaced])
+	LIBREPLACEOBJ="${LIBREPLACEOBJ} getpass.o"
+else
+
+AC_CACHE_CHECK([whether getpass should be replaced],libreplace_cv_REPLACE_GETPASS,[
+SAVE_CPPFLAGS="$CPPFLAGS"
+CPPFLAGS="$CPPFLAGS -I$libreplacedir/"
+AC_TRY_COMPILE([
+#include "confdefs.h"
+#define NO_CONFIG_H
+#include "$libreplacedir/getpass.c"
+],[],libreplace_cv_REPLACE_GETPASS=yes,libreplace_cv_REPLACE_GETPASS=no)
+CPPFLAGS="$SAVE_CPPFLAGS"
+])
+if test x"$libreplace_cv_REPLACE_GETPASS" = x"yes"; then
+	AC_DEFINE(REPLACE_GETPASS,1,[Whether getpass should be replaced])
+	LIBREPLACEOBJ="${LIBREPLACEOBJ} getpass.o"
+fi
+
+fi
diff --git a/source3/lib/replace/inet_aton.c b/source3/lib/replace/inet_aton.c
new file mode 100644
index 0000000000..c6b3bb11a7
--- /dev/null
+++ b/source3/lib/replace/inet_aton.c
@@ -0,0 +1,33 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * replacement functions
+ * Copyright (C) Michael Adam <obnox@samba.org> 2008
+ *
+ *  ** NOTE! The following LGPL license applies to the replace
+ *  ** library. This does NOT imply that all of Samba is released
+ *  ** under the LGPL
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+/**
+ * We know that we have inet_pton from earlier libreplace checks.
+ */
+int rep_inet_aton(const char *src, struct in_addr *dst)
+{
+	return (inet_pton(AF_INET, src, dst) > 0) ? 1 : 0;
+}
diff --git a/source3/lib/replace/inet_ntoa.c b/source3/lib/replace/inet_ntoa.c
new file mode 100644
index 0000000000..e3b80ebef8
--- /dev/null
+++ b/source3/lib/replace/inet_ntoa.c
@@ -0,0 +1,39 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * replacement routines for broken systems
+ * Copyright (C) Andrew Tridgell 2003
+ * Copyright (C) Michael Adam 2008
+ *
+ *  ** NOTE! The following LGPL license applies to the replace
+ *  ** library. This does NOT imply that all of Samba is released
+ *  ** under the LGPL
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+/**
+ * NOTE: this is not thread safe, but it can't be, either
+ * since it returns a pointer to static memory.
+ */
+char *rep_inet_ntoa(struct in_addr ip)
+{
+	uint8_t *p = (uint8_t *)&ip.s_addr;
+	static char buf[18];
+	slprintf(buf, 17, "%d.%d.%d.%d",
+		 (int)p[0], (int)p[1], (int)p[2], (int)p[3]);
+	return buf;
+}
diff --git a/source3/lib/replace/inet_ntop.c b/source3/lib/replace/inet_ntop.c
new file mode 100644
index 0000000000..fb3d8e90c8
--- /dev/null
+++ b/source3/lib/replace/inet_ntop.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 1996-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#include "replace.h"
+#include "system/network.h"
+
+#define NS_INT16SZ	 2
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static const char *inet_ntop4(const unsigned char *src, char *dst,
+			      socklen_t size);
+
+#ifdef AF_INET6
+static const char *inet_ntop6(const unsigned char *src, char *dst,
+			      socklen_t size);
+#endif
+
+/* char *
+ * isc_net_ntop(af, src, dst, size)
+ *	convert a network format address to presentation format.
+ * return:
+ *	pointer to presentation format address (`dst'), or NULL (see errno).
+ * author:
+ *	Paul Vixie, 1996.
+ */
+const char *
+rep_inet_ntop(int af, const void *src, char *dst, socklen_t size)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_ntop4(src, dst, size));
+#ifdef AF_INET6
+	case AF_INET6:
+		return (inet_ntop6(src, dst, size));
+#endif
+	default:
+		errno = EAFNOSUPPORT;
+		return (NULL);
+	}
+	/* NOTREACHED */
+}
+
+/* const char *
+ * inet_ntop4(src, dst, size)
+ *	format an IPv4 address
+ * return:
+ *	`dst' (as a const)
+ * notes:
+ *	(1) uses no statics
+ *	(2) takes a unsigned char* not an in_addr as input
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop4(const unsigned char *src, char *dst, socklen_t size)
+{
+	static const char *fmt = "%u.%u.%u.%u";
+	char tmp[sizeof "255.255.255.255"];
+	size_t len;
+
+	len = snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3]);
+	if (len >= size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	memcpy(dst, tmp, len + 1);
+
+	return (dst);
+}
+
+/* const char *
+ * isc_inet_ntop6(src, dst, size)
+ *	convert IPv6 binary address into presentation (printable) format
+ * author:
+ *	Paul Vixie, 1996.
+ */
+#ifdef AF_INET6
+static const char *
+inet_ntop6(const unsigned char *src, char *dst, socklen_t size)
+{
+	/*
+	 * Note that int32_t and int16_t need only be "at least" large enough
+	 * to contain a value of the specified size.  On some systems, like
+	 * Crays, there is no such thing as an integer variable with 16 bits.
+	 * Keep this in mind if you think this function should have been coded
+	 * to use pointer overlays.  All the world's not a VAX.
+	 */
+	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+	struct { int base, len; } best, cur;
+	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
+	int i, inc;
+
+	/*
+	 * Preprocess:
+	 *	Copy the input (bytewise) array into a wordwise array.
+	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
+	 */
+	memset(words, '\0', sizeof words);
+	for (i = 0; i < NS_IN6ADDRSZ; i++)
+		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+	best.base = -1;
+	best.len = 0;
+	cur.base = -1;
+	cur.len = 0;
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		if (words[i] == 0) {
+			if (cur.base == -1)
+				cur.base = i, cur.len = 1;
+			else
+				cur.len++;
+		} else {
+			if (cur.base != -1) {
+				if (best.base == -1 || cur.len > best.len)
+					best = cur;
+				cur.base = -1;
+			}
+		}
+	}
+	if (cur.base != -1) {
+		if (best.base == -1 || cur.len > best.len)
+			best = cur;
+	}
+	if (best.base != -1 && best.len < 2)
+		best.base = -1;
+
+	/*
+	 * Format the result.
+	 */
+	tp = tmp;
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		/* Are we inside the best run of 0x00's? */
+		if (best.base != -1 && i >= best.base &&
+		    i < (best.base + best.len)) {
+			if (i == best.base)
+				*tp++ = ':';
+			continue;
+		}
+		/* Are we following an initial run of 0x00s or any real hex? */
+		if (i != 0)
+			*tp++ = ':';
+		/* Is this address an encapsulated IPv4? */
+		if (i == 6 && best.base == 0 &&
+		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
+			if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
+				return (NULL);
+			tp += strlen(tp);
+			break;
+		}
+		inc = snprintf(tp, 5, "%x", words[i]);
+		if (inc >= 5) {
+			abort();
+		}
+		tp += inc;
+	}
+	/* Was it a trailing run of 0x00's? */
+	if (best.base != -1 && (best.base + best.len) ==
+	    (NS_IN6ADDRSZ / NS_INT16SZ))
+		*tp++ = ':';
+	*tp++ = '\0';
+
+	/*
+	 * Check for overflow, copy, and we're done.
+	 */
+	if ((size_t)(tp - tmp) > size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	memcpy(dst, tmp, tp - tmp);
+	return (dst);
+}
+#endif /* AF_INET6 */
diff --git a/source3/lib/replace/inet_pton.c b/source3/lib/replace/inet_pton.c
new file mode 100644
index 0000000000..80e4865ef4
--- /dev/null
+++ b/source3/lib/replace/inet_pton.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 1996-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+#define NS_INT16SZ	 2
+#define NS_INADDRSZ	 4
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4(const char *src, unsigned char *dst);
+#ifdef AF_INET6
+static int inet_pton6(const char *src, unsigned char *dst);
+#endif
+
+/* int
+ * inet_pton(af, src, dst)
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * return:
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ *	Paul Vixie, 1996.
+ */
+int
+rep_inet_pton(int af,
+	  const char *src,
+	  void *dst)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+#ifdef AF_INET6
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+#endif
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *	1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(src, dst)
+	const char *src;
+	unsigned char *dst;
+{
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	unsigned char tmp[NS_INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			unsigned int new = *tp * 10 + (pch - digits);
+
+			if (new > 255)
+				return (0);
+			*tp = new;
+			if (! saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			*++tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+	memcpy(dst, tmp, NS_INADDRSZ);
+	return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ *	convert presentation level address to network order binary form.
+ * return:
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *	(1) does not touch `dst' unless it's returning 1.
+ *	(2) :: in a full address is silently ignored.
+ * credit:
+ *	inspired by Mark Andrews.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+#ifdef AF_INET6
+static int
+inet_pton6(src, dst)
+	const char *src;
+	unsigned char *dst;
+{
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, saw_xdigit;
+	unsigned int val;
+
+	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+	endp = tp + NS_IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	saw_xdigit = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (val > 0xffff)
+				return (0);
+			saw_xdigit = 1;
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!saw_xdigit) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			}
+			if (tp + NS_INT16SZ > endp)
+				return (0);
+			*tp++ = (unsigned char) (val >> 8) & 0xff;
+			*tp++ = (unsigned char) val & 0xff;
+			saw_xdigit = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += NS_INADDRSZ;
+			saw_xdigit = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (saw_xdigit) {
+		if (tp + NS_INT16SZ > endp)
+			return (0);
+		*tp++ = (unsigned char) (val >> 8) & 0xff;
+		*tp++ = (unsigned char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = tp - colonp;
+		int i;
+
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memcpy(dst, tmp, NS_IN6ADDRSZ);
+	return (1);
+}
+#endif
diff --git a/source3/lib/replace/install-sh b/source3/lib/replace/install-sh
new file mode 100755
index 0000000000..58719246f0
--- /dev/null
+++ b/source3/lib/replace/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/source3/lib/replace/libreplace.m4 b/source3/lib/replace/libreplace.m4
new file mode 100644
index 0000000000..71fa041672
--- /dev/null
+++ b/source3/lib/replace/libreplace.m4
@@ -0,0 +1,303 @@
+AC_DEFUN_ONCE(AC_LIBREPLACE_LOCATION_CHECKS,
+[
+echo "LIBREPLACE_LOCATION_CHECKS: START"
+
+dnl find the libreplace sources. This is meant to work both for 
+dnl libreplace standalone builds, and builds of packages using libreplace
+libreplacedir=""
+libreplacepaths="$srcdir $srcdir/lib/replace $srcdir/libreplace $srcdir/../libreplace $srcdir/../replace"
+for d in $libreplacepaths; do
+	if test -f "$d/replace.c"; then
+		libreplacedir="$d"		
+		AC_SUBST(libreplacedir)
+		break;
+	fi
+done
+if test x"$libreplacedir" = "x"; then
+	AC_MSG_ERROR([cannot find libreplace in $libreplacepaths])
+fi
+LIBREPLACEOBJ="replace.o"
+AC_SUBST(LIBREPLACEOBJ)
+
+AC_CANONICAL_BUILD
+AC_CANONICAL_HOST
+AC_CANONICAL_TARGET
+
+echo "LIBREPLACE_LOCATION_CHECKS: END"
+]) dnl end AC_LIBREPLACE_LOCATION_CHECKS
+
+
+AC_DEFUN_ONCE(AC_LIBREPLACE_BROKEN_CHECKS,
+[
+echo "LIBREPLACE_BROKEN_CHECKS: START"
+
+dnl find the libreplace sources. This is meant to work both for 
+dnl libreplace standalone builds, and builds of packages using libreplace
+libreplacedir=""
+for d in "$srcdir" "$srcdir/lib/replace" "$srcdir/libreplace" "$srcdir/../libreplace" "$srcdir/../replace"; do
+	if test -f "$d/replace.c"; then
+		libreplacedir="$d"		
+		AC_SUBST(libreplacedir)
+		break;
+	fi
+done
+LIBREPLACEOBJ="replace.o"
+AC_SUBST(LIBREPLACEOBJ)
+
+LIBREPLACEOBJ="${LIBREPLACEOBJ} snprintf.o"
+
+AC_TYPE_SIGNAL
+AC_TYPE_UID_T
+AC_TYPE_MODE_T
+AC_TYPE_OFF_T
+AC_TYPE_SIZE_T
+AC_TYPE_PID_T
+AC_STRUCT_ST_RDEV
+AC_CHECK_TYPE(ino_t,unsigned)
+AC_CHECK_TYPE(loff_t,off_t)
+AC_CHECK_TYPE(offset_t,loff_t)
+
+AC_FUNC_MEMCMP
+
+AC_CHECK_FUNCS(pipe strftime srandom random srand rand usleep setbuffer lstat getpgrp)
+
+AC_CHECK_HEADERS(stdbool.h stdint.h sys/select.h)
+AC_CHECK_HEADERS(setjmp.h)
+
+LIBREPLACE_PROVIDE_HEADER([stdint.h])
+LIBREPLACE_PROVIDE_HEADER([stdbool.h])
+
+AC_CHECK_TYPE(bool, 
+[AC_DEFINE(HAVE_BOOL, 1, [Whether the bool type is available])],,
+[
+AC_INCLUDES_DEFAULT
+#ifdef HAVE_STDBOOL_H
+#include <stdbool.h>
+#endif]
+)
+
+AC_CHECK_TYPE(_Bool, 
+[AC_DEFINE(HAVE__Bool, 1, [Whether the _Bool type is available])],,
+[
+AC_INCLUDES_DEFAULT
+#ifdef HAVE_STDBOOL_H
+#include <stdbool.h>
+#endif]
+)
+
+AC_CACHE_CHECK([for working mmap],libreplace_cv_HAVE_MMAP,[
+AC_TRY_RUN([#include "$libreplacedir/test/shared_mmap.c"],
+           libreplace_cv_HAVE_MMAP=yes,libreplace_cv_HAVE_MMAP=no,libreplace_cv_HAVE_MMAP=cross)])
+if test x"$libreplace_cv_HAVE_MMAP" = x"yes"; then
+    AC_DEFINE(HAVE_MMAP,1,[Whether mmap works])
+fi
+
+
+AC_CHECK_HEADERS(sys/syslog.h syslog.h)
+AC_CHECK_HEADERS(sys/time.h time.h)
+AC_CHECK_HEADERS(stdarg.h vararg.h)
+AC_CHECK_HEADERS(sys/mount.h mntent.h)
+AC_CHECK_HEADERS(stropts.h)
+
+AC_CHECK_FUNCS(seteuid setresuid setegid setresgid chroot bzero strerror)
+AC_CHECK_FUNCS(vsyslog setlinebuf mktime ftruncate chsize rename)
+AC_CHECK_FUNCS(waitpid strlcpy strlcat initgroups memmove strdup)
+AC_CHECK_FUNCS(pread pwrite strndup strcasestr strtok_r mkdtemp)
+AC_CHECK_FUNCS(isatty)
+AC_HAVE_DECL(setresuid, [#include <unistd.h>])
+AC_HAVE_DECL(setresgid, [#include <unistd.h>])
+AC_HAVE_DECL(errno, [#include <errno.h>])
+
+AC_CACHE_CHECK([for secure mkstemp],libreplace_cv_HAVE_SECURE_MKSTEMP,[
+AC_TRY_RUN([#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+main() { 
+  struct stat st;
+  char tpl[20]="/tmp/test.XXXXXX"; 
+  int fd = mkstemp(tpl); 
+  if (fd == -1) exit(1);
+  unlink(tpl);
+  if (fstat(fd, &st) != 0) exit(1);
+  if ((st.st_mode & 0777) != 0600) exit(1);
+  exit(0);
+}],
+libreplace_cv_HAVE_SECURE_MKSTEMP=yes,
+libreplace_cv_HAVE_SECURE_MKSTEMP=no,
+libreplace_cv_HAVE_SECURE_MKSTEMP=cross)])
+if test x"$libreplace_cv_HAVE_SECURE_MKSTEMP" = x"yes"; then
+    AC_DEFINE(HAVE_SECURE_MKSTEMP,1,[Whether mkstemp is secure])
+fi
+
+dnl Provided by snprintf.c:
+AC_CHECK_HEADERS(stdio.h strings.h)
+AC_CHECK_DECLS([snprintf, vsnprintf, asprintf, vasprintf])
+AC_CHECK_FUNCS(snprintf vsnprintf asprintf vasprintf)
+
+AC_CACHE_CHECK([for C99 vsnprintf],libreplace_cv_HAVE_C99_VSNPRINTF,[
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+void foo(const char *format, ...) { 
+       va_list ap;
+       int len;
+       char buf[20];
+       long long l = 1234567890;
+       l *= 100;
+
+       va_start(ap, format);
+       len = vsnprintf(buf, 0, format, ap);
+       va_end(ap);
+       if (len != 5) exit(1);
+
+       va_start(ap, format);
+       len = vsnprintf(0, 0, format, ap);
+       va_end(ap);
+       if (len != 5) exit(2);
+
+       if (snprintf(buf, 3, "hello") != 5 || strcmp(buf, "he") != 0) exit(3);
+
+       if (snprintf(buf, 20, "%lld", l) != 12 || strcmp(buf, "123456789000") != 0) exit(4);
+       if (snprintf(buf, 20, "%zu", 123456789) != 9 || strcmp(buf, "123456789") != 0) exit(5);
+       if (snprintf(buf, 20, "%2\$d %1\$d", 3, 4) != 3 || strcmp(buf, "4 3") != 0) exit(6);
+       if (snprintf(buf, 20, "%s", 0) < 3) exit(7);
+
+       exit(0);
+}
+main() { foo("hello"); }
+],
+libreplace_cv_HAVE_C99_VSNPRINTF=yes,libreplace_cv_HAVE_C99_VSNPRINTF=no,libreplace_cv_HAVE_C99_VSNPRINTF=cross)])
+if test x"$libreplace_cv_HAVE_C99_VSNPRINTF" = x"yes"; then
+    AC_DEFINE(HAVE_C99_VSNPRINTF,1,[Whether there is a C99 compliant vsnprintf])
+fi
+
+
+dnl VA_COPY
+AC_CACHE_CHECK([for va_copy],libreplace_cv_HAVE_VA_COPY,[
+AC_TRY_LINK([#include <stdarg.h>
+va_list ap1,ap2;], [va_copy(ap1,ap2);],
+libreplace_cv_HAVE_VA_COPY=yes,libreplace_cv_HAVE_VA_COPY=no)])
+if test x"$libreplace_cv_HAVE_VA_COPY" = x"yes"; then
+    AC_DEFINE(HAVE_VA_COPY,1,[Whether va_copy() is available])
+fi
+
+if test x"$libreplace_cv_HAVE_VA_COPY" != x"yes"; then
+AC_CACHE_CHECK([for __va_copy],libreplace_cv_HAVE___VA_COPY,[
+AC_TRY_LINK([#include <stdarg.h>
+va_list ap1,ap2;], [__va_copy(ap1,ap2);],
+libreplace_cv_HAVE___VA_COPY=yes,libreplace_cv_HAVE___VA_COPY=no)])
+if test x"$libreplace_cv_HAVE___VA_COPY" = x"yes"; then
+    AC_DEFINE(HAVE___VA_COPY,1,[Whether __va_copy() is available])
+fi
+fi
+
+dnl __FUNCTION__ macro
+AC_CACHE_CHECK([for __FUNCTION__ macro],libreplace_cv_HAVE_FUNCTION_MACRO,[
+AC_TRY_COMPILE([#include <stdio.h>], [printf("%s\n", __FUNCTION__);],
+libreplace_cv_HAVE_FUNCTION_MACRO=yes,libreplace_cv_HAVE_FUNCTION_MACRO=no)])
+if test x"$libreplace_cv_HAVE_FUNCTION_MACRO" = x"yes"; then
+    AC_DEFINE(HAVE_FUNCTION_MACRO,1,[Whether there is a __FUNCTION__ macro])
+else
+    dnl __func__ macro
+    AC_CACHE_CHECK([for __func__ macro],libreplace_cv_HAVE_func_MACRO,[
+    AC_TRY_COMPILE([#include <stdio.h>], [printf("%s\n", __func__);],
+    libreplace_cv_HAVE_func_MACRO=yes,libreplace_cv_HAVE_func_MACRO=no)])
+    if test x"$libreplace_cv_HAVE_func_MACRO" = x"yes"; then
+       AC_DEFINE(HAVE_func_MACRO,1,[Whether there is a __func__ macro])
+    fi
+fi
+
+AC_CHECK_HEADERS([sys/param.h limits.h])
+
+AC_CHECK_TYPE(comparison_fn_t, 
+[AC_DEFINE(HAVE_COMPARISON_FN_T, 1,[Whether or not we have comparison_fn_t])])
+
+AC_HAVE_DECL(setenv, [#include <stdlib.h>])
+AC_CHECK_FUNCS(setenv unsetenv)
+
+AC_CHECK_FUNCS(strnlen)
+AC_CHECK_FUNCS(strtoull __strtoull strtouq strtoll __strtoll strtoq)
+
+# this test disabled as we don't actually need __VA_ARGS__ yet
+AC_TRY_CPP([
+#define eprintf(...) fprintf(stderr, __VA_ARGS__)
+eprintf("bla", "bar");
+], AC_DEFINE(HAVE__VA_ARGS__MACRO, 1, [Whether the __VA_ARGS__ macro is available]))
+
+
+AC_CACHE_CHECK([for sig_atomic_t type],libreplace_cv_sig_atomic_t, [
+    AC_TRY_COMPILE([
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <signal.h>],[sig_atomic_t i = 0],
+	libreplace_cv_sig_atomic_t=yes,libreplace_cv_sig_atomic_t=no)])
+if test x"$libreplace_cv_sig_atomic_t" = x"yes"; then
+   AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type])
+fi
+
+
+AC_CACHE_CHECK([for O_DIRECT flag to open(2)],libreplace_cv_HAVE_OPEN_O_DIRECT,[
+AC_TRY_COMPILE([
+#include <unistd.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif],
+[int fd = open("/dev/null", O_DIRECT);],
+libreplace_cv_HAVE_OPEN_O_DIRECT=yes,libreplace_cv_HAVE_OPEN_O_DIRECT=no)])
+if test x"$libreplace_cv_HAVE_OPEN_O_DIRECT" = x"yes"; then
+    AC_DEFINE(HAVE_OPEN_O_DIRECT,1,[Whether the open(2) accepts O_DIRECT])
+fi
+
+
+dnl Check if the C compiler understands volatile (it should, being ANSI).
+AC_CACHE_CHECK([that the C compiler understands volatile],libreplace_cv_volatile, [
+	AC_TRY_COMPILE([#include <sys/types.h>],[volatile int i = 0],
+		libreplace_cv_volatile=yes,libreplace_cv_volatile=no)])
+if test x"$libreplace_cv_volatile" = x"yes"; then
+	AC_DEFINE(HAVE_VOLATILE, 1, [Whether the C compiler understands volatile])
+fi
+
+m4_include(system/config.m4)
+
+m4_include(dlfcn.m4)
+m4_include(getpass.m4)
+m4_include(strptime.m4)
+m4_include(win32.m4)
+m4_include(timegm.m4)
+m4_include(repdir.m4)
+
+AC_CHECK_FUNCS([syslog printf memset memcpy],,[AC_MSG_ERROR([Required function not found])])
+
+echo "LIBREPLACE_BROKEN_CHECKS: END"
+]) dnl end AC_LIBREPLACE_BROKEN_CHECKS
+
+AC_DEFUN_ONCE(AC__LIBREPLACE_ALL_CHECKS_START,
+[
+#LIBREPLACE_ALL_CHECKS: START"
+])
+AC_DEFUN_ONCE(AC__LIBREPLACE_ALL_CHECKS_END,
+[
+#LIBREPLACE_ALL_CHECKS: END"
+])
+m4_define(AC_LIBREPLACE_ALL_CHECKS,
+[
+AC__LIBREPLACE_ALL_CHECKS_START
+AC_LIBREPLACE_LOCATION_CHECKS
+AC_LIBREPLACE_CC_CHECKS
+AC_LIBREPLACE_BROKEN_CHECKS
+AC__LIBREPLACE_ALL_CHECKS_END
+CFLAGS="$CFLAGS -I$libreplacedir"
+])
+
+m4_include(libreplace_cc.m4)
+m4_include(libreplace_ld.m4)
+m4_include(libreplace_network.m4)
+m4_include(libreplace_macros.m4)
+
+m4_ifndef([AC_USE_SYSTEM_EXTENSIONS],[m4_include(autoconf-2.60.m4)])
diff --git a/source3/lib/replace/libreplace_cc.m4 b/source3/lib/replace/libreplace_cc.m4
new file mode 100644
index 0000000000..30c63f2f05
--- /dev/null
+++ b/source3/lib/replace/libreplace_cc.m4
@@ -0,0 +1,182 @@
+
+AC_DEFUN_ONCE(AC__LIBREPLACE_ONLY_CC_CHECKS_START,
+[
+echo "LIBREPLACE_CC_CHECKS: START"
+])
+
+AC_DEFUN_ONCE(AC__LIBREPLACE_ONLY_CC_CHECKS_END,
+[
+echo "LIBREPLACE_CC_CHECKS: END"
+])
+
+dnl
+dnl
+dnl AC_LIBREPLACE_CC_CHECKS
+dnl
+dnl Note: we need to use m4_define instead of AC_DEFUN because
+dnl       of the ordering of tests
+dnl       
+dnl 
+m4_define(AC_LIBREPLACE_CC_CHECKS,
+[
+AC__LIBREPLACE_ONLY_CC_CHECKS_START
+
+dnl stop the C89 attempt by autoconf - if autoconf detects -Ae it will enable it
+dnl which conflicts with C99 on HPUX
+ac_cv_prog_cc_Ae=no
+
+savedCFLAGS=$CFLAGS
+AC_PROG_CC
+CFLAGS=$savedCFLAGS
+
+dnl don't try for C99 if we are using gcc, as otherwise we 
+dnl lose immediate structure constants
+if test x"$GCC" != x"yes" ; then
+AC_PROG_CC_C99
+fi
+
+if test x"$GCC" = x"yes" ; then
+	AC_MSG_CHECKING([for version of gcc])
+	GCC_VERSION=`$CC -dumpversion`
+	AC_MSG_RESULT(${GCC_VERSION})
+fi
+AC_USE_SYSTEM_EXTENSIONS
+AC_C_BIGENDIAN
+AC_C_INLINE
+LIBREPLACE_C99_STRUCT_INIT([],[AC_MSG_WARN([c99 structure initializer are not supported])])
+
+AC_PROG_INSTALL
+
+AC_ISC_POSIX
+AC_N_DEFINE(_XOPEN_SOURCE_EXTENDED)
+
+AC_SYS_LARGEFILE
+
+dnl Add #include for broken IRIX header files
+case "$host_os" in
+	*irix6*) AC_ADD_INCLUDE(<standards.h>)
+		;;
+	*hpux*)
+		# mmap on HPUX is completely broken...
+		AC_DEFINE(MMAP_BLACKLIST, 1, [Whether MMAP is broken])
+		if test "`uname -r`" = "B.11.00" -o "`uname -r`" = "B.11.11"; then
+			AC_MSG_WARN([Enabling HPUX 11.00/11.11 header bug workaround])
+			CFLAGS="$CFLAGS -Dpread=pread64 -Dpwrite=pwrite64"
+		fi
+		if test "`uname -r`" = "B.11.23"; then
+			AC_MSG_WARN([Enabling HPUX 11.23 machine/sys/getppdp.h bug workaround])
+			CFLAGS="$CFLAGS -D_MACHINE_SYS_GETPPDP_INCLUDED"
+		fi
+		;;
+	*aix*)
+		AC_DEFINE(BROKEN_STRNDUP, 1, [Whether strndup is broken])
+		AC_DEFINE(BROKEN_STRNLEN, 1, [Whether strnlen is broken])
+		if test "${GCC}" != "yes"; then
+			## for funky AIX compiler using strncpy()
+			CFLAGS="$CFLAGS -D_LINUX_SOURCE_COMPAT -qmaxmem=32000"
+		fi
+		;;
+	*osf*)
+		# this brings in socklen_t
+		AC_N_DEFINE(_XOPEN_SOURCE,600)
+		AC_N_DEFINE(_OSF_SOURCE)
+		;;
+	#
+	# VOS may need to have POSIX support and System V compatibility enabled.
+	#
+	*vos*)
+		case "$CFLAGS" in
+			*-D_POSIX_C_SOURCE*);;
+			*)
+				CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112L"
+				AC_DEFINE(_POSIX_C_SOURCE, 200112L, [Whether to enable POSIX support])
+				;;
+		esac
+		case "$CFLAGS" in
+			*-D_SYSV*|*-D_SVID_SOURCE*);;
+			*)
+				CFLAGS="$CFLAGS -D_SYSV"
+				AC_DEFINE(_SYSV, 1, [Whether to enable System V compatibility])
+				;;
+		esac
+		;;
+esac
+
+
+
+AC_CHECK_HEADERS([standards.h])
+
+# Solaris needs HAVE_LONG_LONG defined
+AC_CHECK_TYPES(long long)
+
+AC_CHECK_SIZEOF(int)
+AC_CHECK_SIZEOF(char)
+AC_CHECK_SIZEOF(short)
+AC_CHECK_SIZEOF(long)
+AC_CHECK_SIZEOF(long long)
+
+AC_CHECK_TYPE(uint_t, unsigned int)
+AC_CHECK_TYPE(int8_t, char)
+AC_CHECK_TYPE(uint8_t, unsigned char)
+AC_CHECK_TYPE(int16_t, short)
+AC_CHECK_TYPE(uint16_t, unsigned short)
+
+if test $ac_cv_sizeof_int -eq 4 ; then
+AC_CHECK_TYPE(int32_t, int)
+AC_CHECK_TYPE(uint32_t, unsigned int)
+elif test $ac_cv_size_long -eq 4 ; then
+AC_CHECK_TYPE(int32_t, long)
+AC_CHECK_TYPE(uint32_t, unsigned long)
+else
+AC_MSG_ERROR([LIBREPLACE no 32-bit type found])
+fi
+
+AC_CHECK_TYPE(int64_t, long long)
+AC_CHECK_TYPE(uint64_t, unsigned long long)
+
+AC_CHECK_TYPE(size_t, unsigned int)
+AC_CHECK_TYPE(ssize_t, int)
+
+AC_CHECK_SIZEOF(off_t)
+AC_CHECK_SIZEOF(size_t)
+AC_CHECK_SIZEOF(ssize_t)
+
+AC_CHECK_TYPE(intptr_t, long long)
+AC_CHECK_TYPE(uintptr_t, unsigned long long)
+AC_CHECK_TYPE(ptrdiff_t, unsigned long long)
+
+if test x"$ac_cv_type_long_long" != x"yes";then
+	AC_MSG_ERROR([LIBREPLACE needs type 'long long'])
+fi
+if test $ac_cv_sizeof_long_long -lt 8;then
+	AC_MSG_ERROR([LIBREPLACE needs sizeof(long long) >= 8])
+fi
+
+############################################
+# check if the compiler can do immediate structures
+AC_SUBST(libreplace_cv_immediate_structures)
+AC_CACHE_CHECK([for immediate structures],libreplace_cv_immediate_structures,[
+	AC_TRY_COMPILE([
+		#include <stdio.h>
+	],[
+		typedef struct {unsigned x;} FOOBAR;
+		#define X_FOOBAR(x) ((FOOBAR) { x })
+		#define FOO_ONE X_FOOBAR(1)
+		FOOBAR f = FOO_ONE;   
+		static const struct {
+			FOOBAR y; 
+		} f2[] = {
+			{FOO_ONE}
+		};
+		static const FOOBAR f3[] = {FOO_ONE};
+	],
+	libreplace_cv_immediate_structures=yes,
+	libreplace_cv_immediate_structures=no,
+	libreplace_cv_immediate_structures=cross)
+])
+if test x"$libreplace_cv_immediate_structures" = x"yes"; then
+	AC_DEFINE(HAVE_IMMEDIATE_STRUCTURES,1,[Whether the compiler supports immediate structures])
+fi
+
+AC__LIBREPLACE_ONLY_CC_CHECKS_END
+]) dnl end AC_LIBREPLACE_CC_CHECKS
diff --git a/source3/lib/replace/libreplace_ld.m4 b/source3/lib/replace/libreplace_ld.m4
new file mode 100644
index 0000000000..81bde46219
--- /dev/null
+++ b/source3/lib/replace/libreplace_ld.m4
@@ -0,0 +1,319 @@
+#
+# This offers a nice overview how to build shared libraries on all platforms
+#        http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
+#
+
+AC_DEFUN([AC_LIBREPLACE_STLD],
+[
+	AC_PATH_PROG(PROG_AR, ar)
+
+	STLD=${PROG_AR}
+
+	AC_SUBST(STLD)
+])
+
+AC_DEFUN([AC_LIBREPLACE_STLD_FLAGS],
+[
+	STLD_FLAGS="-rcs"
+	AC_SUBST(STLD_FLAGS)
+])
+
+AC_DEFUN([AC_LD_EXPORT_DYNAMIC],
+[
+saved_LDFLAGS="$LDFLAGS"
+if AC_TRY_COMMAND([${CC-cc} $CFLAGS -Wl,--version 2>&1 | grep "GNU ld" >/dev/null]); then
+	LD_EXPORT_DYNAMIC="-Wl,-export-dynamic"
+else
+	case "$host_os" in
+		hpux* )
+		  LD_EXPORT_DYNAMIC="-Wl,-E"
+		  ;;
+		*)
+		  LD_EXPORT_DYNAMIC=""
+		  ;;
+	  esac
+fi
+AC_SUBST(LD_EXPORT_DYNAMIC)
+LDFLAGS="$saved_LDFLAGS"
+])
+
+AC_DEFUN([AC_LD_PICFLAG],
+[
+case "$host_os" in
+	*linux*) 
+		PICFLAG="-fPIC" 
+		;;
+	*solaris*)
+		if test "${GCC}" = "yes"; then
+			PICFLAG="-fPIC"
+		else
+			PICFLAG="-KPIC"
+		fi
+		;;
+	*sunos*)
+		PICFLAG="-KPIC"   # Is this correct for SunOS
+		;;
+	*netbsd* | *freebsd* | *dragonfly* )  
+		PICFLAG="-fPIC -DPIC"
+		;;
+	*openbsd*)
+		PICFLAG="-fPIC"
+		;;
+	*irix*)
+		if test "${GCC}" = "yes"; then
+			PICFLAG="-fPIC"
+		else 
+			PICFLAG="-KPIC"
+		fi
+		;;
+	*aix*)
+		# as AIX code is always position independent...
+		PICFLAG="-O2"
+		;;
+	*hpux*)
+		if test $ac_cv_prog_cc_Ae = yes; then
+			PICFLAG="+z +ESnolit"
+		elif test "${GCC}" = "yes"; then
+			PICFLAG="-fPIC"
+		fi
+		if test "$host_cpu" = "ia64"; then
+			PICFLAG="+z"
+		fi
+		;;
+	*osf*)
+		PICFLAG="-fPIC"
+		;;
+	*unixware*)
+		PICFLAG="-KPIC"
+		;;
+	*darwin*)
+		PICFLAG="-fno-common"
+		;;
+esac
+AC_SUBST(PICFLAG)
+])
+
+AC_DEFUN([AC_LIBREPLACE_LD_SHLIB_LINKER],
+[
+	LD_SHLIB_LINKER="${CC}"
+
+	case "$host_os" in
+		*irix*)
+			LD_SHLIB_LINKER="${PROG_LD}"
+			;;
+	esac
+
+	AC_SUBST(LD_SHLIB_LINKER)
+])
+
+AC_DEFUN([AC_LIBREPLACE_LD_SHLIB_FLAGS],
+[
+	LD_SHLIB_FLAGS="-shared"
+
+	case "$host_os" in
+		*linux*)
+			LD_SHLIB_FLAGS="-shared -Wl,-Bsymbolic"
+			;;
+		*solaris*)
+			LD_SHLIB_FLAGS="-G"
+			if test "${GCC}" = "no"; then
+				## ${CFLAGS} added for building 64-bit shared 
+				## libs using Sun's Compiler
+				LD_SHLIB_FLAGS="-G \${CFLAGS}"
+			fi
+			;;
+		*sunos*)
+			LD_SHLIB_FLAGS="-G"
+			;;
+		*irix*)
+			LD_SHLIB_FLAGS="-shared"
+			;;
+		*aix*)
+			LD_SHLIB_FLAGS="-Wl,-G,-bexpall,-bbigtoc"
+			;;
+		*hpux*)
+			if test "${GCC}" = "yes"; then
+				LD_SHLIB_FLAGS="-shared"
+			else
+				LD_SHLIB_FLAGS="-b"
+			fi
+			;;
+		*osf*)
+			LD_SHLIB_FLAGS="-shared"
+			;;
+		*darwin*)
+			LD_SHLIB_FLAGS="-dynamiclib -Wl,-search_paths_first"
+			;;
+	esac
+
+	AC_SUBST(LD_SHLIB_FLAGS)
+])
+
+AC_DEFUN([AC_LIBREPLACE_LD_SHLIB_DISALLOW_UNDEF_FLAG],
+[
+	LD_SHLIB_DISALLOW_UNDEF_FLAG=""
+
+	#
+	# TODO: enforce error not only warnings
+	#
+	# NOTE: -Wl,--no-allow-shlib-undefined isn't what we want...
+	#       as it bails out on broken system libraries
+	#
+	case "$host_os" in
+		*osf*)
+			LD_SHLIB_DISALLOW_UNDEF_FLAG="-warning_unresolved"
+			;;
+		*darwin*)
+			LD_SHLIB_DISALLOW_UNDEF_FLAG="-undefined error"
+			;;
+	esac
+
+	AC_SUBST(LD_SHLIB_DISALLOW_UNDEF_FLAG)
+])
+
+AC_DEFUN([AC_LIBREPLACE_SHLD],
+[
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_LINKER])
+	SHLD="$LD_SHLIB_LINKER"
+	AC_SUBST(SHLD)
+])
+
+AC_DEFUN([AC_LIBREPLACE_SHLD_FLAGS],
+[
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_FLAGS])
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_DISALLOW_UNDEF_FLAG])
+	SHLD_FLAGS="$LD_SHLIB_FLAGS $LD_SHLIB_DISALLOW_UNDEF_FLAG"
+	AC_SUBST(SHLD_FLAGS)
+])
+
+AC_DEFUN([AC_LD_SHLIBEXT],
+[
+	SHLIBEXT="so"
+	case "$host_os" in
+		*hpux*)
+			if test "$host_cpu" = "ia64"; then
+				SHLIBEXT="so"
+			else
+				SHLIBEXT="sl"
+			fi
+		;;
+		*darwin*)
+			SHLIBEXT="dylib"
+		;;
+	esac
+	AC_SUBST(SHLIBEXT)
+])
+
+AC_DEFUN([AC_LD_SONAMEFLAG],
+[
+	AC_SUBST(SONAMEFLAG)
+	SONAMEFLAG=""
+	case "$host_os" in 
+		*linux*)
+			SONAMEFLAG="-Wl,-soname="
+			;;
+		*solaris*)
+			SONAMEFLAG="-h "
+			if test "${GCC}" = "yes"; then
+				SONAMEFLAG="-Wl,-soname="
+			fi
+			;;
+		*sunos*)
+			SONAMEFLAG="-Wl,-h,"
+			;;
+		*netbsd* | *freebsd* | *dragonfly* )
+			SONAMEFLAG="-Wl,-soname,"
+			;;
+		*openbsd*)
+			SONAMEFLAG="-Wl,-soname,"
+			;;
+		*irix*)
+			SONAMEFLAG="-Wl,-soname,"
+			;;
+		*hpux*)
+			SONAMEFLAG="-Wl,+h,"
+			;;
+		*osf*)
+			SONAMEFLAG="-Wl,-soname,"
+			;;
+		*unixware*)
+			SONAMEFLAG="-Wl,-soname,"
+			;;
+		*darwin*)
+			SONAMEFLAG="#"
+			;;
+		*aix*)
+			# Not supported
+			SONAMEFLAG="#"
+			;;
+		esac
+])
+
+AC_DEFUN([AC_LIBREPLACE_MDLD],
+[
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_LINKER])
+	MDLD="$LD_SHLIB_LINKER"
+	AC_SUBST(MDLD)
+])
+
+AC_DEFUN([AC_LIBREPLACE_LD_SHLIB_ALLOW_UNDEF_FLAG],
+[
+	LD_ALLOW_SHLIB_UNDEF_FLAG=""
+
+	case "$host_os" in
+		*linux*)
+			LD_SHLIB_ALLOW_UNDEF_FLAG="-Wl,--allow-shlib-undefined"
+			;;
+		*osf*)
+			LD_SHLIB_ALLOW_UNDEF_FLAG="-Wl,-expect_unresolved,\"*\""
+			;;
+		*darwin*)
+			LD_SHLIB_ALLOW_UNDEF_FLAG="-undefined dynamic_lookup"
+			;;
+		*aix*)
+			LD_SHLIB_ALLOW_UNDEF_FLAG="-Wl,-bnoentry"
+			;;
+	esac
+
+	AC_SUBST(LD_SHLIB_ALLOW_UNDEF_FLAG)
+])
+
+AC_DEFUN([AC_LIBREPLACE_MDLD_FLAGS],
+[
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_FLAGS])
+	AC_REQUIRE([AC_LIBREPLACE_LD_SHLIB_ALLOW_UNDEF_FLAG])
+	MDLD_FLAGS="$LD_SHLIB_FLAGS $LD_SHLIB_ALLOW_UNDEF_FLAG"
+	AC_SUBST(MDLD_FLAGS)
+])
+
+AC_DEFUN([AC_LIBREPLACE_RUNTIME_LIB_PATH_VAR],
+[
+	case "$host_os" in
+		*linux*)
+			LIB_PATH_VAR=LD_LIBRARY_PATH
+		;;
+		*netbsd*)
+			LIB_PATH_VAR=LD_LIBRARY_PATH
+		;;
+		*solaris*)
+			LIB_PATH_VAR=LD_LIBRARY_PATH
+		;;
+		*hpux*)
+			LIB_PATH_VAR=SHLIB_PATH
+		;;
+		*osf*)
+			LIB_PATH_VAR=LD_LIBRARY_PATH
+		;;
+		*aix*)
+			LIB_PATH_VAR=LIB_PATH
+			;;
+		*irix*)
+			LIB_PATH_VAR=LD_LIBRARY_PATH
+			;;
+		*darwin*)
+			LIB_PATH_VAR=DYLD_LIBRARY_PATH
+			;;
+	esac
+
+	AC_SUBST(LIB_PATH_VAR)
+])
diff --git a/source3/lib/replace/libreplace_macros.m4 b/source3/lib/replace/libreplace_macros.m4
new file mode 100644
index 0000000000..1856eacf66
--- /dev/null
+++ b/source3/lib/replace/libreplace_macros.m4
@@ -0,0 +1,332 @@
+#
+# This is a collection of useful autoconf macros
+#
+
+############################################
+# Check if the compiler handles c99 struct initialization, and if not try -AC99 and -c99 flags
+# Usage: LIBREPLACE_C99_STRUCT_INIT(success-action,failure-action)
+# changes CFLAGS to add -AC99 or -c99 if needed
+AC_DEFUN([LIBREPLACE_C99_STRUCT_INIT],
+[
+saved_CFLAGS="$CFLAGS";
+c99_init=no
+if test x"$c99_init" = x"no"; then
+    AC_MSG_CHECKING(for C99 designated initializers)
+    CFLAGS="$saved_CFLAGS";
+    AC_TRY_COMPILE([#include <stdio.h>],
+     [ struct foo {int x;char y;};
+       struct foo bar = { .y = 'X', .x = 1 };	 
+     ],
+     [AC_MSG_RESULT(yes); c99_init=yes],[AC_MSG_RESULT(no)])
+fi
+if test x"$c99_init" = x"no"; then
+    AC_MSG_CHECKING(for C99 designated initializers with -AC99)
+    CFLAGS="$saved_CFLAGS -AC99";
+    AC_TRY_COMPILE([#include <stdio.h>],
+     [ struct foo {int x;char y;};
+       struct foo bar = { .y = 'X', .x = 1 };	 
+     ],
+     [AC_MSG_RESULT(yes); c99_init=yes],[AC_MSG_RESULT(no)])
+fi
+if test x"$c99_init" = x"no"; then
+    AC_MSG_CHECKING(for C99 designated initializers with -qlanglvl=extc99)
+    CFLAGS="$saved_CFLAGS -qlanglvl=extc99";
+    AC_TRY_COMPILE([#include <stdio.h>],
+     [ struct foo {int x;char y;};
+       struct foo bar = { .y = 'X', .x = 1 };	 
+     ],
+     [AC_MSG_RESULT(yes); c99_init=yes],[AC_MSG_RESULT(no)])
+fi
+if test x"$c99_init" = x"no"; then
+    AC_MSG_CHECKING(for C99 designated initializers with -qlanglvl=stdc99)
+    CFLAGS="$saved_CFLAGS -qlanglvl=stdc99";
+    AC_TRY_COMPILE([#include <stdio.h>],
+     [ struct foo {int x;char y;};
+       struct foo bar = { .y = 'X', .x = 1 };	 
+     ],
+     [AC_MSG_RESULT(yes); c99_init=yes],[AC_MSG_RESULT(no)])
+fi
+if test x"$c99_init" = x"no"; then
+    AC_MSG_CHECKING(for C99 designated initializers with -c99)
+    CFLAGS="$saved_CFLAGS -c99"
+    AC_TRY_COMPILE([#include <stdio.h>],
+     [ struct foo {int x;char y;};
+       struct foo bar = { .y = 'X', .x = 1 };	 
+     ],
+     [AC_MSG_RESULT(yes); c99_init=yes],[AC_MSG_RESULT(no)])
+fi
+
+if test "`uname`" = "HP-UX"; then
+  if test "$ac_cv_c_compiler_gnu" = no; then
+	# special override for broken HP-UX compiler - I can't find a way to test
+	# this properly (its a compiler bug)
+	CFLAGS="$CFLAGS -AC99";
+	c99_init=yes;
+  fi
+fi
+
+if test x"$c99_init" = x"yes"; then
+    saved_CFLAGS=""
+    $1
+else
+    CFLAGS="$saved_CFLAGS"
+    saved_CFLAGS=""
+    $2
+fi
+])
+
+dnl AC_PROG_CC_FLAG(flag)
+AC_DEFUN(AC_PROG_CC_FLAG,
+[AC_CACHE_CHECK(whether ${CC-cc} accepts -$1, ac_cv_prog_cc_$1,
+[echo 'void f(){}' > conftest.c
+if test -z "`${CC-cc} -$1 -c conftest.c 2>&1`"; then
+  ac_cv_prog_cc_$1=yes
+else
+  ac_cv_prog_cc_$1=no
+fi
+rm -f conftest*
+])])
+
+dnl see if a declaration exists for a function or variable
+dnl defines HAVE_function_DECL if it exists
+dnl AC_HAVE_DECL(var, includes)
+AC_DEFUN(AC_HAVE_DECL,
+[
+ AC_CACHE_CHECK([for $1 declaration],ac_cv_have_$1_decl,[
+    AC_TRY_COMPILE([$2],[int i = (int)$1],
+        ac_cv_have_$1_decl=yes,ac_cv_have_$1_decl=no)])
+ if test x"$ac_cv_have_$1_decl" = x"yes"; then
+    AC_DEFINE([HAVE_]translit([$1], [a-z], [A-Z])[_DECL],1,[Whether $1() is available])
+ fi
+])
+
+
+# AC_CHECK_LIB_EXT(LIBRARY, [EXT_LIBS], [FUNCTION],
+#              [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND],
+#              [ADD-ACTION-IF-FOUND],[OTHER-LIBRARIES])
+# ------------------------------------------------------
+#
+# Use a cache variable name containing both the library and function name,
+# because the test really is for library $1 defining function $3, not
+# just for library $1.  Separate tests with the same $1 and different $3s
+# may have different results.
+#
+# Note that using directly AS_VAR_PUSHDEF([ac_Lib], [ac_cv_lib_$1_$3])
+# is asking for trouble, since AC_CHECK_LIB($lib, fun) would give
+# ac_cv_lib_$lib_fun, which is definitely not what was meant.  Hence
+# the AS_LITERAL_IF indirection.
+#
+# FIXME: This macro is extremely suspicious.  It DEFINEs unconditionally,
+# whatever the FUNCTION, in addition to not being a *S macro.  Note
+# that the cache does depend upon the function we are looking for.
+#
+# It is on purpose we used `ac_check_lib_ext_save_LIBS' and not just
+# `ac_save_LIBS': there are many macros which don't want to see `LIBS'
+# changed but still want to use AC_CHECK_LIB_EXT, so they save `LIBS'.
+# And ``ac_save_LIBS' is too tempting a name, so let's leave them some
+# freedom.
+AC_DEFUN([AC_CHECK_LIB_EXT],
+[
+AH_CHECK_LIB_EXT([$1])
+ac_check_lib_ext_save_LIBS=$LIBS
+LIBS="-l$1 $$2 $7 $LIBS"
+AS_LITERAL_IF([$1],
+      [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1])],
+      [AS_VAR_PUSHDEF([ac_Lib_ext], [ac_cv_lib_ext_$1''])])dnl
+
+m4_ifval([$3],
+ [
+    AH_CHECK_FUNC_EXT([$3])
+    AS_LITERAL_IF([$1],
+              [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1_$3])],
+              [AS_VAR_PUSHDEF([ac_Lib_func], [ac_cv_lib_ext_$1''_$3])])dnl
+    AC_CACHE_CHECK([for $3 in -l$1], ac_Lib_func,
+	[AC_TRY_LINK_FUNC($3,
+                 [AS_VAR_SET(ac_Lib_func, yes);
+		  AS_VAR_SET(ac_Lib_ext, yes)],
+                 [AS_VAR_SET(ac_Lib_func, no);
+		  AS_VAR_SET(ac_Lib_ext, no)])
+	])
+    AS_IF([test AS_VAR_GET(ac_Lib_func) = yes],
+        [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_$3))])dnl
+    AS_VAR_POPDEF([ac_Lib_func])dnl
+ ],[
+    AC_CACHE_CHECK([for -l$1], ac_Lib_ext,
+	[AC_TRY_LINK_FUNC([main],
+                 [AS_VAR_SET(ac_Lib_ext, yes)],
+                 [AS_VAR_SET(ac_Lib_ext, no)])
+	])
+ ])
+LIBS=$ac_check_lib_ext_save_LIBS
+
+AS_IF([test AS_VAR_GET(ac_Lib_ext) = yes],
+    [m4_default([$4], 
+        [AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_LIB$1))
+		case "$$2" in
+		    *-l$1*)
+			;;
+		    *)
+			$2="-l$1 $$2"
+			;;
+		esac])
+		[$6]
+	    ],
+	    [$5])dnl
+AS_VAR_POPDEF([ac_Lib_ext])dnl
+])# AC_CHECK_LIB_EXT
+
+# AH_CHECK_LIB_EXT(LIBNAME)
+# ---------------------
+m4_define([AH_CHECK_LIB_EXT],
+[AH_TEMPLATE(AS_TR_CPP(HAVE_LIB$1),
+             [Define to 1 if you have the `]$1[' library (-l]$1[).])])
+
+dnl AC_SEARCH_LIBS_EXT(FUNCTION, SEARCH-LIBS, EXT_LIBS,
+dnl                    [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND],
+dnl                    [OTHER-LIBRARIES])
+dnl --------------------------------------------------------
+dnl Search for a library defining FUNC, if it's not already available.
+AC_DEFUN([AC_SEARCH_LIBS_EXT],
+[AC_CACHE_CHECK([for library containing $1], [ac_cv_search_ext_$1],
+[
+ac_func_search_ext_save_LIBS=$LIBS
+ac_cv_search_ext_$1=no
+AC_LINK_IFELSE([AC_LANG_CALL([], [$1])],
+	       [ac_cv_search_ext_$1="none required"])
+if test "$ac_cv_search_ext_$1" = no; then
+  for ac_lib in $2; do
+    LIBS="-l$ac_lib $$3 $6 $ac_func_search_save_ext_LIBS"
+    AC_LINK_IFELSE([AC_LANG_CALL([], [$1])],
+		   [ac_cv_search_ext_$1="-l$ac_lib"
+break])
+  done
+fi
+LIBS=$ac_func_search_ext_save_LIBS])
+AS_IF([test "$ac_cv_search_ext_$1" != no],
+  [test "$ac_cv_search_ext_$1" = "none required" || $3="$ac_cv_search_ext_$1 $$3"
+  $4],
+      [$5])dnl
+])
+
+dnl check for a function in a $LIBS and $OTHER_LIBS libraries variable.
+dnl AC_CHECK_FUNC_EXT(func,OTHER_LIBS,IF-TRUE,IF-FALSE)
+AC_DEFUN([AC_CHECK_FUNC_EXT],
+[
+    AH_CHECK_FUNC_EXT($1)	
+    ac_check_func_ext_save_LIBS=$LIBS
+    LIBS="$2 $LIBS"
+    AS_VAR_PUSHDEF([ac_var], [ac_cv_func_ext_$1])dnl
+    AC_CACHE_CHECK([for $1], ac_var,
+	[AC_LINK_IFELSE([AC_LANG_FUNC_LINK_TRY([$1])],
+                [AS_VAR_SET(ac_var, yes)],
+                [AS_VAR_SET(ac_var, no)])])
+    LIBS=$ac_check_func_ext_save_LIBS
+    AS_IF([test AS_VAR_GET(ac_var) = yes], 
+	    [AC_DEFINE_UNQUOTED(AS_TR_CPP([HAVE_$1])) $3], 
+	    [$4])dnl
+AS_VAR_POPDEF([ac_var])dnl
+])# AC_CHECK_FUNC
+
+# AH_CHECK_FUNC_EXT(FUNCNAME)
+# ---------------------
+m4_define([AH_CHECK_FUNC_EXT],
+[AH_TEMPLATE(AS_TR_CPP(HAVE_$1),
+             [Define to 1 if you have the `]$1[' function.])])
+
+dnl Define an AC_DEFINE with ifndef guard.
+dnl AC_N_DEFINE(VARIABLE [, VALUE])
+AC_DEFUN([AC_N_DEFINE],
+[
+AH_VERBATIM([$1], [
+#ifndef $1
+# undef $1
+#endif
+])
+
+ cat >>confdefs.h <<\EOF
+#ifndef $1
+[#define] $1 m4_if($#, 1, 1, [$2])
+#endif
+EOF
+])
+
+dnl Add an #include
+dnl AC_ADD_INCLUDE(VARIABLE)
+define(AC_ADD_INCLUDE,
+[cat >> confdefs.h <<\EOF
+[#include] $1
+EOF
+])
+
+dnl remove an #include
+dnl AC_REMOVE_INCLUDE(VARIABLE)
+define(AC_REMOVE_INCLUDE,
+[
+grep -v '[#include] $1' confdefs.h >confdefs.h.tmp
+cat confdefs.h.tmp > confdefs.h
+rm confdefs.h.tmp
+])
+
+dnl remove an #define
+dnl AC_REMOVE_DEFINE(VARIABLE)
+define(AC_REMOVE_DEFINE,
+[
+grep -v '[#define] $1 ' confdefs.h |grep -v '[#define] $1[$]'>confdefs.h.tmp
+cat confdefs.h.tmp > confdefs.h
+rm confdefs.h.tmp
+])
+
+dnl AS_HELP_STRING is not available in autoconf 2.57, and AC_HELP_STRING is deprecated
+dnl in autoconf 2.59, so define AS_HELP_STRING to be AC_HELP_STRING unless it is already
+dnl defined.
+m4_ifdef([AS_HELP_STRING], , [m4_define([AS_HELP_STRING], m4_defn([AC_HELP_STRING]))])
+
+dnl check if the prototype in the header matches the given one
+dnl AC_VERIFY_C_PROTOTYPE(prototype,functionbody,[IF-TRUE].[IF-FALSE],[extraheaders])
+AC_DEFUN(AC_VERIFY_C_PROTOTYPE,
+[AC_CACHE_CHECK([for prototype $1], AS_TR_SH([ac_cv_c_prototype_$1]),
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+		AC_INCLUDES_DEFAULT
+		$5
+		$1
+		{
+			$2
+		}
+	])],[
+		AS_TR_SH([ac_cv_c_prototype_$1])=yes
+	],[
+		AS_TR_SH([ac_cv_c_prototype_$1])=no
+	])
+)
+AS_IF([test $AS_TR_SH([ac_cv_c_prototype_$1]) = yes],[$3],[$4])
+])
+
+AC_DEFUN(LIBREPLACE_PROVIDE_HEADER, 
+[AC_CHECK_HEADER([$1], 
+		[ AC_CONFIG_COMMANDS(rm-$1, [rm -f $libreplacedir/$1], [libreplacedir=$libreplacedir]) ],
+		[ AC_CONFIG_COMMANDS(mk-$1, [echo "#include \"replace.h\"" > $libreplacedir/$1], [libreplacedir=$libreplacedir]) ]
+	)
+])
+
+dnl AC_HAVE_TYPE(TYPE,INCLUDES)
+AC_DEFUN([AC_HAVE_TYPE], [
+AC_REQUIRE([AC_HEADER_STDC])
+cv=`echo "$1" | sed 'y%./+- %__p__%'`
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL([ac_cv_type_$cv],
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+AC_INCLUDES_DEFAULT
+$2]],
+[[$1 foo;]])],
+[eval "ac_cv_type_$cv=yes"],
+[eval "ac_cv_type_$cv=no"]))dnl
+ac_foo=`eval echo \\$ac_cv_type_$cv`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+  ac_tr_hdr=HAVE_`echo $1 | sed 'y%abcdefghijklmnopqrstuvwxyz./- %ABCDEFGHIJKLMNOPQRSTUVWXYZ____%'`
+if false; then
+	AC_CHECK_TYPES($1)
+fi
+  AC_DEFINE_UNQUOTED($ac_tr_hdr, 1, [Define if you have type `$1'])
+fi
+])
diff --git a/source3/lib/replace/libreplace_network.m4 b/source3/lib/replace/libreplace_network.m4
new file mode 100644
index 0000000000..4edb55c03a
--- /dev/null
+++ b/source3/lib/replace/libreplace_network.m4
@@ -0,0 +1,377 @@
+AC_DEFUN_ONCE(AC_LIBREPLACE_NETWORK_CHECKS,
+[
+echo "LIBREPLACE_NETWORK_CHECKS: START"
+
+AC_DEFINE(LIBREPLACE_NETWORK_CHECKS, 1, [LIBREPLACE_NETWORK_CHECKS were used])
+LIBREPLACE_NETWORK_OBJS=""
+LIBREPLACE_NETWORK_LIBS=""
+
+AC_CHECK_HEADERS(sys/socket.h netinet/in.h netdb.h arpa/inet.h)
+AC_CHECK_HEADERS(netinet/ip.h netinet/tcp.h netinet/in_systm.h netinet/in_ip.h)
+AC_CHECK_HEADERS(sys/sockio.h sys/un.h)
+
+dnl we need to check that net/if.h really can be used, to cope with hpux
+dnl where including it always fails
+AC_CACHE_CHECK([for usable net/if.h],libreplace_cv_USABLE_NET_IF_H,[
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE([
+		AC_INCLUDES_DEFAULT
+		#if HAVE_SYS_SOCKET_H
+		# include <sys/socket.h>
+		#endif
+		#include <net/if.h>
+		int main(void) {return 0;}])],
+		[libreplace_cv_USABLE_NET_IF_H=yes],
+		[libreplace_cv_USABLE_NET_IF_H=no]
+	)
+])
+if test x"$libreplace_cv_USABLE_NET_IF_H" = x"yes";then
+	AC_DEFINE(HAVE_NET_IF_H, 1, usability of net/if.h)
+fi
+
+AC_HAVE_TYPE([socklen_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([sa_family_t],[#include <sys/socket.h>])
+AC_HAVE_TYPE([struct addrinfo], [#include <netdb.h>])
+AC_HAVE_TYPE([struct sockaddr], [#include <sys/socket.h>])
+AC_HAVE_TYPE([struct sockaddr_storage], [
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+])
+AC_HAVE_TYPE([struct sockaddr_in6], [
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+])
+
+if test x"$ac_cv_type_struct_sockaddr_storage" = x"yes"; then
+AC_CHECK_MEMBER(struct sockaddr_storage.ss_family,
+                AC_DEFINE(HAVE_SS_FAMILY, 1, [Defined if struct sockaddr_storage has ss_family field]),,
+                [
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+		])
+
+if test x"$ac_cv_member_struct_sockaddr_storage_ss_family" != x"yes"; then
+AC_CHECK_MEMBER(struct sockaddr_storage.__ss_family,
+                AC_DEFINE(HAVE___SS_FAMILY, 1, [Defined if struct sockaddr_storage has __ss_family field]),,
+                [
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+		])
+fi
+fi
+
+AC_CACHE_CHECK([for sin_len in sock],libreplace_cv_HAVE_SOCK_SIN_LEN,[
+	AC_TRY_COMPILE(
+		[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+		],[
+struct sockaddr_in sock; sock.sin_len = sizeof(sock);
+		],[
+		libreplace_cv_HAVE_SOCK_SIN_LEN=yes
+		],[
+		libreplace_cv_HAVE_SOCK_SIN_LEN=no
+		])
+])
+if test x"$libreplace_cv_HAVE_SOCK_SIN_LEN" = x"yes"; then
+	AC_DEFINE(HAVE_SOCK_SIN_LEN,1,[Whether the sockaddr_in struct has a sin_len property])
+fi
+
+############################################
+# check for unix domain sockets
+AC_CACHE_CHECK([for unix domain sockets],libreplace_cv_HAVE_UNIXSOCKET,[
+	AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+		],[
+struct sockaddr_un sunaddr;
+sunaddr.sun_family = AF_UNIX;
+		],[
+		libreplace_cv_HAVE_UNIXSOCKET=yes
+		],[
+		libreplace_cv_HAVE_UNIXSOCKET=no
+		])
+])
+if test x"$libreplace_cv_HAVE_UNIXSOCKET" = x"yes"; then
+	AC_DEFINE(HAVE_UNIXSOCKET,1,[If we need to build with unixscoket support])
+fi
+
+dnl The following test is roughl taken from the cvs sources.
+dnl
+dnl If we can't find connect, try looking in -lsocket, -lnsl, and -linet.
+dnl The Irix 5 libc.so has connect and gethostbyname, but Irix 5 also has
+dnl libsocket.so which has a bad implementation of gethostbyname (it
+dnl only looks in /etc/hosts), so we only look for -lsocket if we need
+dnl it.
+AC_CHECK_FUNCS(connect)
+if test x"$ac_cv_func_connect" = x"no"; then
+	AC_CHECK_LIB_EXT(nsl_s, LIBREPLACE_NETWORK_LIBS, connect)
+	AC_CHECK_LIB_EXT(nsl, LIBREPLACE_NETWORK_LIBS, connect)
+	AC_CHECK_LIB_EXT(socket, LIBREPLACE_NETWORK_LIBS, connect)
+	AC_CHECK_LIB_EXT(inet, LIBREPLACE_NETWORK_LIBS, connect)
+	dnl We can't just call AC_CHECK_FUNCS(connect) here,
+	dnl because the value has been cached.
+	if test x"$ac_cv_lib_ext_nsl_s_connect" = x"yes" ||
+		test x"$ac_cv_lib_ext_nsl_connect" = x"yes" ||
+		test x"$ac_cv_lib_ext_socket_connect" = x"yes" ||
+		test x"$ac_cv_lib_ext_inet_connect" = x"yes"
+	then
+		AC_DEFINE(HAVE_CONNECT,1,[Whether the system has connect()])
+	fi
+fi
+
+AC_CHECK_FUNCS(gethostbyname)
+if test x"$ac_cv_func_gethostbyname" = x"no"; then
+	AC_CHECK_LIB_EXT(nsl_s, LIBREPLACE_NETWORK_LIBS, gethostbyname)
+	AC_CHECK_LIB_EXT(nsl, LIBREPLACE_NETWORK_LIBS, gethostbyname)
+	AC_CHECK_LIB_EXT(socket, LIBREPLACE_NETWORK_LIBS, gethostbyname)
+	dnl We can't just call AC_CHECK_FUNCS(gethostbyname) here,
+	dnl because the value has been cached.
+	if test x"$ac_cv_lib_ext_nsl_s_gethostbyname" = x"yes" ||
+		test x"$ac_cv_lib_ext_nsl_gethostbyname" = x"yes" ||
+		test x"$ac_cv_lib_ext_socket_gethostbyname" = x"yes"
+	then
+		AC_DEFINE(HAVE_GETHOSTBYNAME,1,
+			  [Whether the system has gethostbyname()])
+	fi
+fi
+
+dnl HP-UX has if_nametoindex in -lipv6
+AC_CHECK_FUNCS(if_nametoindex)
+if test x"$ac_cv_func_if_nametoindex" = x"no"; then
+	AC_CHECK_LIB_EXT(ipv6, LIBREPLACE_NETWORK_LIBS, if_nametoindex)
+	dnl We can't just call AC_CHECK_FUNCS(if_nametoindex) here,
+	dnl because the value has been cached.
+	if test x"$ac_cv_lib_ext_ipv6_if_nametoindex" = x"yes"
+	then
+		AC_DEFINE(HAVE_IF_NAMETOINDEX, 1,
+			  [Whether the system has if_nametoindex()])
+	fi
+fi
+
+# The following tests need LIBS="${LIBREPLACE_NETWORK_LIBS}"
+old_LIBS=$LIBS
+LIBS="${LIBREPLACE_NETWORK_LIBS}"
+SAVE_CPPFLAGS="$CPPFLAGS"
+CPPFLAGS="$CPPFLAGS -I$libreplacedir"
+
+AC_CHECK_FUNCS(socketpair,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} socketpair.o"])
+
+AC_CACHE_CHECK([for broken inet_ntoa],libreplace_cv_REPLACE_INET_NTOA,[
+AC_TRY_RUN([
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+main() { struct in_addr ip; ip.s_addr = 0x12345678;
+if (strcmp(inet_ntoa(ip),"18.52.86.120") &&
+    strcmp(inet_ntoa(ip),"120.86.52.18")) { exit(0); }
+exit(1);}],
+           libreplace_cv_REPLACE_INET_NTOA=yes,libreplace_cv_REPLACE_INET_NTOA=no,libreplace_cv_REPLACE_INET_NTOA=cross)])
+
+AC_CHECK_FUNCS(inet_ntoa,[],[libreplace_cv_REPLACE_INET_NTOA=yes])
+if test x"$libreplace_cv_REPLACE_INET_NTOA" = x"yes"; then
+    AC_DEFINE(REPLACE_INET_NTOA,1,[Whether inet_ntoa should be replaced])
+    LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_ntoa.o"
+fi
+
+AC_CHECK_FUNCS(inet_aton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_aton.o"])
+
+AC_CHECK_FUNCS(inet_ntop,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_ntop.o"])
+
+AC_CHECK_FUNCS(inet_pton,[],[LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} inet_pton.o"])
+
+dnl test for getaddrinfo/getnameinfo
+AC_CACHE_CHECK([for getaddrinfo],libreplace_cv_HAVE_GETADDRINFO,[
+AC_TRY_LINK([
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+#include <netdb.h>],
+[
+struct sockaddr sa;
+struct addrinfo *ai = NULL;
+int ret = getaddrinfo(NULL, NULL, NULL, &ai);
+if (ret != 0) {
+	const char *es = gai_strerror(ret);
+}
+freeaddrinfo(ai);
+ret = getnameinfo(&sa, sizeof(sa),
+		NULL, 0,
+		NULL, 0, 0);
+
+],
+libreplace_cv_HAVE_GETADDRINFO=yes,libreplace_cv_HAVE_GETADDRINFO=no)])
+if test x"$libreplace_cv_HAVE_GETADDRINFO" = x"yes"; then
+	AC_DEFINE(HAVE_GETADDRINFO,1,[Whether the system has getaddrinfo])
+	AC_DEFINE(HAVE_GETNAMEINFO,1,[Whether the system has getnameinfo])
+	AC_DEFINE(HAVE_FREEADDRINFO,1,[Whether the system has freeaddrinfo])
+	AC_DEFINE(HAVE_GAI_STRERROR,1,[Whether the system has gai_strerror])
+else
+	LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} getaddrinfo.o"
+fi
+
+AC_CHECK_HEADERS([ifaddrs.h])
+
+dnl Used when getifaddrs is not available
+AC_CHECK_MEMBERS([struct sockaddr.sa_len], 
+	 [AC_DEFINE(HAVE_SOCKADDR_SA_LEN, 1, [Whether struct sockaddr has a sa_len member])],
+	 [],
+	 [#include <sys/socket.h>])
+
+dnl test for getifaddrs and freeifaddrs
+AC_CACHE_CHECK([for getifaddrs and freeifaddrs],libreplace_cv_HAVE_GETIFADDRS,[
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <ifaddrs.h>
+#include <netdb.h>],
+[
+struct ifaddrs *ifp = NULL;
+int ret = getifaddrs (&ifp);
+freeifaddrs(ifp);
+],
+libreplace_cv_HAVE_GETIFADDRS=yes,libreplace_cv_HAVE_GETIFADDRS=no)])
+if test x"$libreplace_cv_HAVE_GETIFADDRS" = x"yes"; then
+    AC_DEFINE(HAVE_GETIFADDRS,1,[Whether the system has getifaddrs])
+    AC_DEFINE(HAVE_FREEIFADDRS,1,[Whether the system has freeifaddrs])
+	AC_DEFINE(HAVE_STRUCT_IFADDRS,1,[Whether struct ifaddrs is available])
+fi
+
+##################
+# look for a method of finding the list of network interfaces
+iface=no;
+AC_CACHE_CHECK([for iface getifaddrs],libreplace_cv_HAVE_IFACE_GETIFADDRS,[
+AC_TRY_RUN([
+#define HAVE_IFACE_GETIFADDRS 1
+#define NO_CONFIG_H 1
+#define AUTOCONF_TEST 1
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "$libreplacedir/replace.c"
+#include "$libreplacedir/inet_ntop.c"
+#include "$libreplacedir/snprintf.c"
+#include "$libreplacedir/getifaddrs.c"
+#define getifaddrs_test main
+#include "$libreplacedir/test/getifaddrs.c"],
+           libreplace_cv_HAVE_IFACE_GETIFADDRS=yes,libreplace_cv_HAVE_IFACE_GETIFADDRS=no,libreplace_cv_HAVE_IFACE_GETIFADDRS=cross)])
+if test x"$libreplace_cv_HAVE_IFACE_GETIFADDRS" = x"yes"; then
+    iface=yes;AC_DEFINE(HAVE_IFACE_GETIFADDRS,1,[Whether iface getifaddrs is available])
+else
+	LIBREPLACE_NETWORK_OBJS="${LIBREPLACE_NETWORK_OBJS} getifaddrs.o"
+fi
+
+
+if test $iface = no; then
+AC_CACHE_CHECK([for iface AIX],libreplace_cv_HAVE_IFACE_AIX,[
+AC_TRY_RUN([
+#define HAVE_IFACE_AIX 1
+#define NO_CONFIG_H 1
+#define AUTOCONF_TEST 1
+#undef _XOPEN_SOURCE_EXTENDED
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "$libreplacedir/replace.c"
+#include "$libreplacedir/inet_ntop.c"
+#include "$libreplacedir/snprintf.c"
+#include "$libreplacedir/getifaddrs.c"
+#define getifaddrs_test main
+#include "$libreplacedir/test/getifaddrs.c"],
+           libreplace_cv_HAVE_IFACE_AIX=yes,libreplace_cv_HAVE_IFACE_AIX=no,libreplace_cv_HAVE_IFACE_AIX=cross)])
+if test x"$libreplace_cv_HAVE_IFACE_AIX" = x"yes"; then
+    iface=yes;AC_DEFINE(HAVE_IFACE_AIX,1,[Whether iface AIX is available])
+fi
+fi
+
+
+if test $iface = no; then
+AC_CACHE_CHECK([for iface ifconf],libreplace_cv_HAVE_IFACE_IFCONF,[
+AC_TRY_RUN([
+#define HAVE_IFACE_IFCONF 1
+#define NO_CONFIG_H 1
+#define AUTOCONF_TEST 1
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "$libreplacedir/replace.c"
+#include "$libreplacedir/inet_ntop.c"
+#include "$libreplacedir/snprintf.c"
+#include "$libreplacedir/getifaddrs.c"
+#define getifaddrs_test main
+#include "$libreplacedir/test/getifaddrs.c"],
+           libreplace_cv_HAVE_IFACE_IFCONF=yes,libreplace_cv_HAVE_IFACE_IFCONF=no,libreplace_cv_HAVE_IFACE_IFCONF=cross)])
+if test x"$libreplace_cv_HAVE_IFACE_IFCONF" = x"yes"; then
+    iface=yes;AC_DEFINE(HAVE_IFACE_IFCONF,1,[Whether iface ifconf is available])
+fi
+fi
+
+if test $iface = no; then
+AC_CACHE_CHECK([for iface ifreq],libreplace_cv_HAVE_IFACE_IFREQ,[
+AC_TRY_RUN([
+#define HAVE_IFACE_IFREQ 1
+#define NO_CONFIG_H 1
+#define AUTOCONF_TEST 1
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "$libreplacedir/replace.c"
+#include "$libreplacedir/inet_ntop.c"
+#include "$libreplacedir/snprintf.c"
+#include "$libreplacedir/getifaddrs.c"
+#define getifaddrs_test main
+#include "$libreplacedir/test/getifaddrs.c"],
+           libreplace_cv_HAVE_IFACE_IFREQ=yes,libreplace_cv_HAVE_IFACE_IFREQ=no,libreplace_cv_HAVE_IFACE_IFREQ=cross)])
+if test x"$libreplace_cv_HAVE_IFACE_IFREQ" = x"yes"; then
+    iface=yes;AC_DEFINE(HAVE_IFACE_IFREQ,1,[Whether iface ifreq is available])
+fi
+fi
+
+dnl test for ipv6
+AC_CACHE_CHECK([for ipv6 support],libreplace_cv_HAVE_IPV6,[
+	AC_TRY_LINK([
+#include <stdlib.h> /* for NULL */
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netdb.h>
+		],
+		[
+struct sockaddr_storage sa_store;
+struct addrinfo *ai = NULL;
+struct in6_addr in6addr;
+int idx = if_nametoindex("iface1");
+int s = socket(AF_INET6, SOCK_STREAM, 0);
+int ret = getaddrinfo(NULL, NULL, NULL, &ai);
+if (ret != 0) {
+	const char *es = gai_strerror(ret);
+}
+freeaddrinfo(ai);
+		],[
+		libreplace_cv_HAVE_IPV6=yes
+		],[
+		libreplace_cv_HAVE_IPV6=no
+		])
+])
+if test x"$libreplace_cv_HAVE_IPV6" = x"yes"; then
+    AC_DEFINE(HAVE_IPV6,1,[Whether the system has IPv6 support])
+fi
+
+LIBS=$old_LIBS
+CPPFLAGS="$SAVE_CPPFLAGS"
+
+LIBREPLACEOBJ="${LIBREPLACEOBJ} ${LIBREPLACE_NETWORK_OBJS}"
+
+echo "LIBREPLACE_NETWORK_CHECKS: END"
+]) dnl end AC_LIBREPLACE_NETWORK_CHECKS
diff --git a/source3/lib/replace/repdir.m4 b/source3/lib/replace/repdir.m4
new file mode 100644
index 0000000000..f53a4c2974
--- /dev/null
+++ b/source3/lib/replace/repdir.m4
@@ -0,0 +1,78 @@
+AC_CACHE_CHECK([for broken readdir],libreplace_cv_READDIR_NEEDED,[
+	AC_TRY_RUN([
+#define test_readdir_os2_delete main
+#include "$libreplacedir/test/os2_delete.c"],
+	[libreplace_cv_READDIR_NEEDED=no],
+	[libreplace_cv_READDIR_NEEDED=yes],
+	[libreplace_cv_READDIR_NEEDED="assuming not"])
+])
+
+#
+# try to replace with getdirentries() if needed
+#
+if test x"$libreplace_cv_READDIR_NEEDED" = x"yes"; then
+AC_CHECK_FUNCS(getdirentries)
+AC_VERIFY_C_PROTOTYPE([long telldir(const DIR *dir)],
+	[
+	return 0;
+	],[
+	AC_DEFINE(TELLDIR_TAKES_CONST_DIR, 1, [Whether telldir takes a const pointer])
+	],[],[
+	#include <dirent.h>
+	])
+
+AC_VERIFY_C_PROTOTYPE([int seekdir(DIR *dir, long ofs)],
+	[
+	return 0;
+	],[
+	AC_DEFINE(SEEKDIR_RETURNS_INT, 1, [Whether seekdir returns an int])
+	],[],[
+	#include <dirent.h>
+	])
+AC_CACHE_CHECK([for replacing readdir using getdirentries()],libreplace_cv_READDIR_GETDIRENTRIES,[
+	AC_TRY_RUN([
+#define _LIBREPLACE_REPLACE_H
+#include "$libreplacedir/repdir_getdirentries.c"
+#define test_readdir_os2_delete main
+#include "$libreplacedir/test/os2_delete.c"],
+	[libreplace_cv_READDIR_GETDIRENTRIES=yes],
+	[libreplace_cv_READDIR_GETDIRENTRIES=no])
+])
+fi
+if test x"$libreplace_cv_READDIR_GETDIRENTRIES" = x"yes"; then
+	AC_DEFINE(REPLACE_READDIR,1,[replace readdir])
+	AC_DEFINE(REPLACE_READDIR_GETDIRENTRIES,1,[replace readdir using getdirentries()])
+	LIBREPLACEOBJ="${LIBREPLACEOBJ} repdir_getdirentries.o"
+	libreplace_cv_READDIR_NEEDED=no
+fi
+
+#
+# try to replace with getdents() if needed
+#
+if test x"$libreplace_cv_READDIR_NEEDED" = x"yes"; then
+AC_CHECK_FUNCS(getdents)
+AC_CACHE_CHECK([for replacing readdir using getdents()],libreplace_cv_READDIR_GETDENTS,[
+	AC_TRY_RUN([
+#define _LIBREPLACE_REPLACE_H
+#error _donot_use_getdents_replacement_anymore
+#include "$libreplacedir/repdir_getdents.c"
+#define test_readdir_os2_delete main
+#include "$libreplacedir/test/os2_delete.c"],
+	[libreplace_cv_READDIR_GETDENTS=yes],
+	[libreplace_cv_READDIR_GETDENTS=no])
+])
+fi
+if test x"$libreplace_cv_READDIR_GETDENTS" = x"yes"; then
+	AC_DEFINE(REPLACE_READDIR,1,[replace readdir])
+	AC_DEFINE(REPLACE_READDIR_GETDENTS,1,[replace readdir using getdents()])
+	LIBREPLACEOBJ="${LIBREPLACEOBJ} repdir_getdents.o"
+	libreplace_cv_READDIR_NEEDED=no
+fi
+
+AC_MSG_CHECKING([a usable readdir()])
+if test x"$libreplace_cv_READDIR_NEEDED" = x"yes"; then
+	AC_MSG_RESULT(no)
+	AC_MSG_WARN([the provided readdir() is broken])
+else
+	AC_MSG_RESULT(yes)
+fi
diff --git a/source3/lib/replace/repdir_getdents.c b/source3/lib/replace/repdir_getdents.c
new file mode 100644
index 0000000000..afc634a796
--- /dev/null
+++ b/source3/lib/replace/repdir_getdents.c
@@ -0,0 +1,166 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Copyright (C) Andrew Tridgell 2005
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+  a replacement for opendir/readdir/telldir/seekdir/closedir for BSD systems
+
+  This is needed because the existing directory handling in FreeBSD
+  and OpenBSD (and possibly NetBSD) doesn't correctly handle unlink()
+  on files in a directory where telldir() has been used. On a block
+  boundary it will occasionally miss a file when seekdir() is used to
+  return to a position previously recorded with telldir().
+
+  This also fixes a severe performance and memory usage problem with
+  telldir() on BSD systems. Each call to telldir() in BSD adds an
+  entry to a linked list, and those entries are cleaned up on
+  closedir(). This means with a large directory closedir() can take an
+  arbitrary amount of time, causing network timeouts as millions of
+  telldir() entries are freed
+
+  Note! This replacement code is not portable. It relies on getdents()
+  always leaving the file descriptor at a seek offset that is a
+  multiple of DIR_BUF_SIZE. If the code detects that this doesn't
+  happen then it will abort(). It also does not handle directories
+  with offsets larger than can be stored in a long,
+
+  This code is available under other free software licenses as
+  well. Contact the author.
+*/
+
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <dirent.h>
+
+#define DIR_BUF_BITS 9
+#define DIR_BUF_SIZE (1<<DIR_BUF_BITS)
+
+struct dir_buf {
+	int fd;
+	int nbytes, ofs;
+	off_t seekpos;
+	char buf[DIR_BUF_SIZE];
+};
+
+DIR *opendir(const char *dname)
+{
+	struct dir_buf *d;
+	struct stat sb;
+	d = malloc(sizeof(*d));
+	if (d == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	d->fd = open(dname, O_RDONLY);
+	if (d->fd == -1) {
+		free(d);
+		return NULL;
+	}
+	if (fstat(d->fd, &sb) < 0) {
+		close(d->fd);
+		free(d);
+		return NULL;
+	}
+	if (!S_ISDIR(sb.st_mode)) {
+		close(d->fd);
+		free(d);   
+		errno = ENOTDIR;
+		return NULL;
+	}
+	d->ofs = 0;
+	d->seekpos = 0;
+	d->nbytes = 0;
+	return (DIR *)d;
+}
+
+struct dirent *readdir(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	struct dirent *de;
+
+	if (d->ofs >= d->nbytes) {
+		d->seekpos = lseek(d->fd, 0, SEEK_CUR);
+		d->nbytes = getdents(d->fd, d->buf, DIR_BUF_SIZE);
+		d->ofs = 0;
+	}
+	if (d->ofs >= d->nbytes) {
+		return NULL;
+	}
+	de = (struct dirent *)&d->buf[d->ofs];
+	d->ofs += de->d_reclen;
+	return de;
+}
+
+long telldir(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	if (d->ofs >= d->nbytes) {
+		d->seekpos = lseek(d->fd, 0, SEEK_CUR);
+		d->ofs = 0;
+		d->nbytes = 0;
+	}
+	/* this relies on seekpos always being a multiple of
+	   DIR_BUF_SIZE. Is that always true on BSD systems? */
+	if (d->seekpos & (DIR_BUF_SIZE-1)) {
+		abort();
+	}
+	return d->seekpos + d->ofs;
+}
+
+void seekdir(DIR *dir, long ofs)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	d->seekpos = lseek(d->fd, ofs & ~(DIR_BUF_SIZE-1), SEEK_SET);
+	d->nbytes = getdents(d->fd, d->buf, DIR_BUF_SIZE);
+	d->ofs = 0;
+	while (d->ofs < (ofs & (DIR_BUF_SIZE-1))) {
+		if (readdir(dir) == NULL) break;
+	}
+}
+
+void rewinddir(DIR *dir)
+{
+	seekdir(dir, 0);
+}
+
+int closedir(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	int r = close(d->fd);
+	if (r != 0) {
+		return r;
+	}
+	free(d);
+	return 0;
+}
+
+#ifndef dirfd
+/* darn, this is a macro on some systems. */
+int dirfd(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	return d->fd;
+}
+#endif
diff --git a/source3/lib/replace/repdir_getdirentries.c b/source3/lib/replace/repdir_getdirentries.c
new file mode 100644
index 0000000000..197e5931fc
--- /dev/null
+++ b/source3/lib/replace/repdir_getdirentries.c
@@ -0,0 +1,183 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Copyright (C) Andrew Tridgell 2005
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+  a replacement for opendir/readdir/telldir/seekdir/closedir for BSD
+  systems using getdirentries
+
+  This is needed because the existing directory handling in FreeBSD
+  and OpenBSD (and possibly NetBSD) doesn't correctly handle unlink()
+  on files in a directory where telldir() has been used. On a block
+  boundary it will occasionally miss a file when seekdir() is used to
+  return to a position previously recorded with telldir().
+
+  This also fixes a severe performance and memory usage problem with
+  telldir() on BSD systems. Each call to telldir() in BSD adds an
+  entry to a linked list, and those entries are cleaned up on
+  closedir(). This means with a large directory closedir() can take an
+  arbitrary amount of time, causing network timeouts as millions of
+  telldir() entries are freed
+
+  Note! This replacement code is not portable. It relies on
+  getdirentries() always leaving the file descriptor at a seek offset
+  that is a multiple of DIR_BUF_SIZE. If the code detects that this
+  doesn't happen then it will abort(). It also does not handle
+  directories with offsets larger than can be stored in a long,
+
+  This code is available under other free software licenses as
+  well. Contact the author.
+*/
+
+#include "replace.h"
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <dirent.h>
+
+#define DIR_BUF_BITS 9
+#define DIR_BUF_SIZE (1<<DIR_BUF_BITS)
+
+struct dir_buf {
+	int fd;
+	int nbytes, ofs;
+	off_t seekpos;
+	char buf[DIR_BUF_SIZE];
+};
+
+DIR *opendir(const char *dname)
+{
+	struct dir_buf *d;
+	struct stat sb;
+	d = malloc(sizeof(*d));
+	if (d == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	d->fd = open(dname, O_RDONLY);
+	if (d->fd == -1) {
+		free(d);
+		return NULL;
+	}
+	if (fstat(d->fd, &sb) < 0) {
+		close(d->fd);
+		free(d);
+		return NULL;
+	}
+	if (!S_ISDIR(sb.st_mode)) {
+		close(d->fd);
+		free(d);   
+		errno = ENOTDIR;
+		return NULL;
+	}
+	d->ofs = 0;
+	d->seekpos = 0;
+	d->nbytes = 0;
+	return (DIR *)d;
+}
+
+struct dirent *readdir(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	struct dirent *de;
+
+	if (d->ofs >= d->nbytes) {
+		long pos;
+		d->nbytes = getdirentries(d->fd, d->buf, DIR_BUF_SIZE, &pos);
+		d->seekpos = pos;
+		d->ofs = 0;
+	}
+	if (d->ofs >= d->nbytes) {
+		return NULL;
+	}
+	de = (struct dirent *)&d->buf[d->ofs];
+	d->ofs += de->d_reclen;
+	return de;
+}
+
+#ifdef TELLDIR_TAKES_CONST_DIR
+long telldir(const DIR *dir)
+#else
+long telldir(DIR *dir)
+#endif
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	if (d->ofs >= d->nbytes) {
+		d->seekpos = lseek(d->fd, 0, SEEK_CUR);
+		d->ofs = 0;
+		d->nbytes = 0;
+	}
+	/* this relies on seekpos always being a multiple of
+	   DIR_BUF_SIZE. Is that always true on BSD systems? */
+	if (d->seekpos & (DIR_BUF_SIZE-1)) {
+		abort();
+	}
+	return d->seekpos + d->ofs;
+}
+
+#ifdef SEEKDIR_RETURNS_INT
+int seekdir(DIR *dir, long ofs)
+#else
+void seekdir(DIR *dir, long ofs)
+#endif
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	long pos;
+	d->seekpos = lseek(d->fd, ofs & ~(DIR_BUF_SIZE-1), SEEK_SET);
+	d->nbytes = getdirentries(d->fd, d->buf, DIR_BUF_SIZE, &pos);
+	d->ofs = 0;
+	while (d->ofs < (ofs & (DIR_BUF_SIZE-1))) {
+		if (readdir(dir) == NULL) break;
+	}
+#ifdef SEEKDIR_RETURNS_INT
+	return -1;
+#endif
+}
+
+void rewinddir(DIR *dir)
+{
+	seekdir(dir, 0);
+}
+
+int closedir(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	int r = close(d->fd);
+	if (r != 0) {
+		return r;
+	}
+	free(d);
+	return 0;
+}
+
+#ifndef dirfd
+/* darn, this is a macro on some systems. */
+int dirfd(DIR *dir)
+{
+	struct dir_buf *d = (struct dir_buf *)dir;
+	return d->fd;
+}
+#endif
+
+
diff --git a/source3/lib/replace/replace.c b/source3/lib/replace/replace.c
new file mode 100644
index 0000000000..98d799b07e
--- /dev/null
+++ b/source3/lib/replace/replace.c
@@ -0,0 +1,616 @@
+/* 
+   Unix SMB/CIFS implementation.
+   replacement routines for broken systems
+   Copyright (C) Andrew Tridgell 1992-1998
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+
+#include "system/filesys.h"
+#include "system/time.h"
+#include "system/passwd.h"
+#include "system/syslog.h"
+#include "system/locale.h"
+#include "system/wait.h"
+
+void replace_dummy(void);
+void replace_dummy(void) {}
+
+#ifndef HAVE_FTRUNCATE
+ /*******************************************************************
+ftruncate for operating systems that don't have it
+********************************************************************/
+int rep_ftruncate(int f, off_t l)
+{
+#ifdef HAVE_CHSIZE
+      return chsize(f,l);
+#elif defined(F_FREESP)
+      struct  flock   fl;
+
+      fl.l_whence = 0;
+      fl.l_len = 0;
+      fl.l_start = l;
+      fl.l_type = F_WRLCK;
+      return fcntl(f, F_FREESP, &fl);
+#else
+#error "you must have a ftruncate function"
+#endif
+}
+#endif /* HAVE_FTRUNCATE */
+
+
+#ifndef HAVE_STRLCPY
+/* like strncpy but does not 0 fill the buffer and always null 
+   terminates. bufsize is the size of the destination buffer */
+size_t rep_strlcpy(char *d, const char *s, size_t bufsize)
+{
+	size_t len = strlen(s);
+	size_t ret = len;
+	if (bufsize <= 0) return 0;
+	if (len >= bufsize) len = bufsize-1;
+	memcpy(d, s, len);
+	d[len] = 0;
+	return ret;
+}
+#endif
+
+#ifndef HAVE_STRLCAT
+/* like strncat but does not 0 fill the buffer and always null 
+   terminates. bufsize is the length of the buffer, which should
+   be one more than the maximum resulting string length */
+size_t rep_strlcat(char *d, const char *s, size_t bufsize)
+{
+	size_t len1 = strlen(d);
+	size_t len2 = strlen(s);
+	size_t ret = len1 + len2;
+
+	if (len1+len2 >= bufsize) {
+		if (bufsize < (len1+1)) {
+			return ret;
+		}
+		len2 = bufsize - (len1+1);
+	}
+	if (len2 > 0) {
+		memcpy(d+len1, s, len2);
+		d[len1+len2] = 0;
+	}
+	return ret;
+}
+#endif
+
+#ifndef HAVE_MKTIME
+/*******************************************************************
+a mktime() replacement for those who don't have it - contributed by 
+C.A. Lademann <cal@zls.com>
+Corrections by richard.kettlewell@kewill.com
+********************************************************************/
+
+#define  MINUTE  60
+#define  HOUR    60*MINUTE
+#define  DAY             24*HOUR
+#define  YEAR    365*DAY
+time_t rep_mktime(struct tm *t)
+{
+  struct tm       *u;
+  time_t  epoch = 0;
+  int n;
+  int             mon [] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
+  y, m, i;
+
+  if(t->tm_year < 70)
+    return((time_t)-1);
+
+  n = t->tm_year + 1900 - 1;
+  epoch = (t->tm_year - 70) * YEAR + 
+    ((n / 4 - n / 100 + n / 400) - (1969 / 4 - 1969 / 100 + 1969 / 400)) * DAY;
+
+  y = t->tm_year + 1900;
+  m = 0;
+
+  for(i = 0; i < t->tm_mon; i++) {
+    epoch += mon [m] * DAY;
+    if(m == 1 && y % 4 == 0 && (y % 100 != 0 || y % 400 == 0))
+      epoch += DAY;
+    
+    if(++m > 11) {
+      m = 0;
+      y++;
+    }
+  }
+
+  epoch += (t->tm_mday - 1) * DAY;
+  epoch += t->tm_hour * HOUR + t->tm_min * MINUTE + t->tm_sec;
+  
+  if((u = localtime(&epoch)) != NULL) {
+    t->tm_sec = u->tm_sec;
+    t->tm_min = u->tm_min;
+    t->tm_hour = u->tm_hour;
+    t->tm_mday = u->tm_mday;
+    t->tm_mon = u->tm_mon;
+    t->tm_year = u->tm_year;
+    t->tm_wday = u->tm_wday;
+    t->tm_yday = u->tm_yday;
+    t->tm_isdst = u->tm_isdst;
+  }
+
+  return(epoch);
+}
+#endif /* !HAVE_MKTIME */
+
+
+#ifndef HAVE_INITGROUPS
+/****************************************************************************
+ some systems don't have an initgroups call 
+****************************************************************************/
+int rep_initgroups(char *name, gid_t id)
+{
+#ifndef HAVE_SETGROUPS
+	/* yikes! no SETGROUPS or INITGROUPS? how can this work? */
+	errno = ENOSYS;
+	return -1;
+#else /* HAVE_SETGROUPS */
+
+#include <grp.h>
+
+	gid_t *grouplst = NULL;
+	int max_gr = NGROUPS_MAX;
+	int ret;
+	int    i,j;
+	struct group *g;
+	char   *gr;
+	
+	if((grouplst = malloc(sizeof(gid_t) * max_gr)) == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	grouplst[0] = id;
+	i = 1;
+	while (i < max_gr && ((g = (struct group *)getgrent()) != (struct group *)NULL)) {
+		if (g->gr_gid == id)
+			continue;
+		j = 0;
+		gr = g->gr_mem[0];
+		while (gr && (*gr != (char)NULL)) {
+			if (strcmp(name,gr) == 0) {
+				grouplst[i] = g->gr_gid;
+				i++;
+				gr = (char *)NULL;
+				break;
+			}
+			gr = g->gr_mem[++j];
+		}
+	}
+	endgrent();
+	ret = setgroups(i, grouplst);
+	free(grouplst);
+	return ret;
+#endif /* HAVE_SETGROUPS */
+}
+#endif /* HAVE_INITGROUPS */
+
+
+#if (defined(SecureWare) && defined(SCO))
+/* This is needed due to needing the nap() function but we don't want
+   to include the Xenix libraries since that will break other things...
+   BTW: system call # 0x0c28 is the same as calling nap() */
+long nap(long milliseconds) {
+	 return syscall(0x0c28, milliseconds);
+ }
+#endif
+
+
+#ifndef HAVE_MEMMOVE
+/*******************************************************************
+safely copies memory, ensuring no overlap problems.
+this is only used if the machine does not have its own memmove().
+this is not the fastest algorithm in town, but it will do for our
+needs.
+********************************************************************/
+void *rep_memmove(void *dest,const void *src,int size)
+{
+	unsigned long d,s;
+	int i;
+	if (dest==src || !size) return(dest);
+
+	d = (unsigned long)dest;
+	s = (unsigned long)src;
+
+	if ((d >= (s+size)) || (s >= (d+size))) {
+		/* no overlap */
+		memcpy(dest,src,size);
+		return(dest);
+	}
+
+	if (d < s) {
+		/* we can forward copy */
+		if (s-d >= sizeof(int) && 
+		    !(s%sizeof(int)) && 
+		    !(d%sizeof(int)) && 
+		    !(size%sizeof(int))) {
+			/* do it all as words */
+			int *idest = (int *)dest;
+			int *isrc = (int *)src;
+			size /= sizeof(int);
+			for (i=0;i<size;i++) idest[i] = isrc[i];
+		} else {
+			/* simplest */
+			char *cdest = (char *)dest;
+			char *csrc = (char *)src;
+			for (i=0;i<size;i++) cdest[i] = csrc[i];
+		}
+	} else {
+		/* must backward copy */
+		if (d-s >= sizeof(int) && 
+		    !(s%sizeof(int)) && 
+		    !(d%sizeof(int)) && 
+		    !(size%sizeof(int))) {
+			/* do it all as words */
+			int *idest = (int *)dest;
+			int *isrc = (int *)src;
+			size /= sizeof(int);
+			for (i=size-1;i>=0;i--) idest[i] = isrc[i];
+		} else {
+			/* simplest */
+			char *cdest = (char *)dest;
+			char *csrc = (char *)src;
+			for (i=size-1;i>=0;i--) cdest[i] = csrc[i];
+		}      
+	}
+	return(dest);
+}
+#endif /* HAVE_MEMMOVE */
+
+#ifndef HAVE_STRDUP
+/****************************************************************************
+duplicate a string
+****************************************************************************/
+char *rep_strdup(const char *s)
+{
+	size_t len;
+	char *ret;
+
+	if (!s) return(NULL);
+
+	len = strlen(s)+1;
+	ret = (char *)malloc(len);
+	if (!ret) return(NULL);
+	memcpy(ret,s,len);
+	return(ret);
+}
+#endif /* HAVE_STRDUP */
+
+#ifndef HAVE_SETLINEBUF
+void rep_setlinebuf(FILE *stream)
+{
+	setvbuf(stream, (char *)NULL, _IOLBF, 0);
+}
+#endif /* HAVE_SETLINEBUF */
+
+#ifndef HAVE_VSYSLOG
+#ifdef HAVE_SYSLOG
+void rep_vsyslog (int facility_priority, const char *format, va_list arglist)
+{
+	char *msg = NULL;
+	vasprintf(&msg, format, arglist);
+	if (!msg)
+		return;
+	syslog(facility_priority, "%s", msg);
+	free(msg);
+}
+#endif /* HAVE_SYSLOG */
+#endif /* HAVE_VSYSLOG */
+
+#ifndef HAVE_STRNLEN
+/**
+ Some platforms don't have strnlen
+**/
+ size_t rep_strnlen(const char *s, size_t max)
+{
+        size_t len;
+  
+        for (len = 0; len < max; len++) {
+                if (s[len] == '\0') {
+                        break;
+                }
+        }
+        return len;  
+}
+#endif
+  
+#ifndef HAVE_STRNDUP
+/**
+ Some platforms don't have strndup.
+**/
+char *rep_strndup(const char *s, size_t n)
+{
+	char *ret;
+	
+	n = strnlen(s, n);
+	ret = malloc(n+1);
+	if (!ret)
+		return NULL;
+	memcpy(ret, s, n);
+	ret[n] = 0;
+
+	return ret;
+}
+#endif
+
+#ifndef HAVE_WAITPID
+int rep_waitpid(pid_t pid,int *status,int options)
+{
+  return wait4(pid, status, options, NULL);
+}
+#endif
+
+#ifndef HAVE_SETEUID
+int rep_seteuid(uid_t euid)
+{
+#ifdef HAVE_SETRESUID
+	return setresuid(-1, euid, -1);
+#else
+#  error "You need a seteuid function"
+#endif
+}
+#endif
+
+#ifndef HAVE_SETEGID
+int rep_setegid(gid_t egid)
+{
+#ifdef HAVE_SETRESGID
+	return setresgid(-1, egid, -1);
+#else
+#  error "You need a setegid function"
+#endif
+}
+#endif
+
+/*******************************************************************
+os/2 also doesn't have chroot
+********************************************************************/
+#ifndef HAVE_CHROOT
+int rep_chroot(const char *dname)
+{
+	errno = ENOSYS;
+	return -1;
+}
+#endif
+
+/*****************************************************************
+ Possibly replace mkstemp if it is broken.
+*****************************************************************/  
+
+#ifndef HAVE_SECURE_MKSTEMP
+int rep_mkstemp(char *template)
+{
+	/* have a reasonable go at emulating it. Hope that
+	   the system mktemp() isn't completly hopeless */
+	char *p = mktemp(template);
+	if (!p)
+		return -1;
+	return open(p, O_CREAT|O_EXCL|O_RDWR, 0600);
+}
+#endif
+
+#ifndef HAVE_MKDTEMP
+char *rep_mkdtemp(char *template)
+{
+	char *dname;
+	
+	if ((dname = mktemp(template))) {
+		if (mkdir(dname, 0700) >= 0) {
+			return dname;
+		}
+	}
+
+	return NULL;
+}
+#endif
+
+/*****************************************************************
+ Watch out: this is not thread safe.
+*****************************************************************/
+
+#ifndef HAVE_PREAD
+ssize_t rep_pread(int __fd, void *__buf, size_t __nbytes, off_t __offset)
+{
+	if (lseek(__fd, __offset, SEEK_SET) != __offset) {
+		return -1;
+	}
+	return read(__fd, __buf, __nbytes);
+}
+#endif
+
+/*****************************************************************
+ Watch out: this is not thread safe.
+*****************************************************************/
+
+#ifndef HAVE_PWRITE
+ssize_t rep_pwrite(int __fd, const void *__buf, size_t __nbytes, off_t __offset)
+{
+	if (lseek(__fd, __offset, SEEK_SET) != __offset) {
+		return -1;
+	}
+	return write(__fd, __buf, __nbytes);
+}
+#endif
+
+#ifndef HAVE_STRCASESTR
+char *rep_strcasestr(const char *haystack, const char *needle)
+{
+	const char *s;
+	size_t nlen = strlen(needle);
+	for (s=haystack;*s;s++) {
+		if (toupper(*needle) == toupper(*s) &&
+		    strncasecmp(s, needle, nlen) == 0) {
+			return (char *)((uintptr_t)s);
+		}
+	}
+	return NULL;
+}
+#endif
+
+#ifndef HAVE_STRTOK_R
+/* based on GLIBC version, copyright Free Software Foundation */
+char *rep_strtok_r(char *s, const char *delim, char **save_ptr)
+{
+	char *token;
+
+	if (s == NULL) s = *save_ptr;
+
+	s += strspn(s, delim);
+	if (*s == '\0') {
+		*save_ptr = s;
+		return NULL;
+	}
+
+	token = s;
+	s = strpbrk(token, delim);
+	if (s == NULL) {
+		*save_ptr = token + strlen(token);
+	} else {
+		*s = '\0';
+		*save_ptr = s + 1;
+	}
+
+	return token;
+}
+#endif
+
+#ifndef HAVE_STRTOLL
+long long int rep_strtoll(const char *str, char **endptr, int base)
+{
+#ifdef HAVE_STRTOQ
+	return strtoq(str, endptr, base);
+#elif defined(HAVE___STRTOLL) 
+	return __strtoll(str, endptr, base);
+#elif SIZEOF_LONG == SIZEOF_LONG_LONG
+	return (long long int) strtol(str, endptr, base);
+#else
+# error "You need a strtoll function"
+#endif
+}
+#endif
+
+
+#ifndef HAVE_STRTOULL
+unsigned long long int rep_strtoull(const char *str, char **endptr, int base)
+{
+#ifdef HAVE_STRTOUQ
+	return strtouq(str, endptr, base);
+#elif defined(HAVE___STRTOULL) 
+	return __strtoull(str, endptr, base);
+#elif SIZEOF_LONG == SIZEOF_LONG_LONG
+	return (unsigned long long int) strtoul(str, endptr, base);
+#else
+# error "You need a strtoull function"
+#endif
+}
+#endif
+
+#ifndef HAVE_SETENV
+int rep_setenv(const char *name, const char *value, int overwrite) 
+{
+	char *p;
+	size_t l1, l2;
+	int ret;
+
+	if (!overwrite && getenv(name)) {
+		return 0;
+	}
+
+	l1 = strlen(name);
+	l2 = strlen(value);
+
+	p = malloc(l1+l2+2);
+	if (p == NULL) {
+		return -1;
+	}
+	memcpy(p, name, l1);
+	p[l1] = '=';
+	memcpy(p+l1+1, value, l2);
+	p[l1+l2+1] = 0;
+
+	ret = putenv(p);
+	if (ret != 0) {
+		free(p);
+	}
+
+	return ret;
+}
+#endif
+
+#ifndef HAVE_UNSETENV
+int rep_unsetenv(const char *name)
+{
+	extern char **environ;
+	size_t len = strlen(name);
+	size_t i, count;
+
+	if (environ == NULL || getenv(name) == NULL) {
+		return 0;
+	}
+
+	for (i=0;environ[i];i++) /* noop */ ;
+
+	count=i;
+	
+	for (i=0;i<count;) {
+		if (strncmp(environ[i], name, len) == 0 && environ[i][len] == '=') {
+			/* note: we do _not_ free the old variable here. It is unsafe to 
+			   do so, as the pointer may not have come from malloc */
+			memmove(&environ[i], &environ[i+1], (count-i)*sizeof(char *));
+			count--;
+		} else {
+			i++;
+		}
+	}
+
+	return 0;
+}
+#endif
+
+#ifndef HAVE_UTIME
+int rep_utime(const char *filename, const struct utimbuf *buf)
+{
+	errno = ENOSYS;
+	return -1;
+}
+#endif
+
+#ifndef HAVE_UTIMES
+int rep_utimes(const char *filename, const struct timeval tv[2])
+{
+	struct utimbuf u;
+
+	u.actime = tv[0].tv_sec;
+	if (tv[0].tv_usec > 500000) {
+		u.actime += 1;
+	}
+
+	u.modtime = tv[1].tv_sec;
+	if (tv[1].tv_usec > 500000) {
+		u.modtime += 1;
+	}
+
+	return utime(filename, &u);
+}
+#endif
diff --git a/source3/lib/replace/replace.h b/source3/lib/replace/replace.h
new file mode 100644
index 0000000000..c69ea6cdac
--- /dev/null
+++ b/source3/lib/replace/replace.h
@@ -0,0 +1,582 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   macros to go along with the lib/replace/ portability layer code
+
+   Copyright (C) Andrew Tridgell 2005
+   Copyright (C) Jelmer Vernooij 2006
+   Copyright (C) Jeremy Allison 2007.
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _LIBREPLACE_REPLACE_H
+#define _LIBREPLACE_REPLACE_H
+
+#ifndef NO_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_STANDARDS_H
+#include <standards.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#if defined(_MSC_VER) || defined(__MINGW32__)
+#include "win32_replace.h"
+#endif
+
+
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+/* force off HAVE_INTTYPES_H so that roken doesn't try to include both,
+   which causes a warning storm on irix */
+#undef HAVE_INTTYPES_H
+#elif HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+
+#ifdef HAVE_STRING_H
+#include <string.h>
+#endif
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <stddef.h>
+#endif
+
+#ifndef HAVE_STRERROR
+extern char *sys_errlist[];
+#define strerror(i) sys_errlist[i]
+#endif
+
+#ifndef HAVE_ERRNO_DECL
+extern int errno;
+#endif
+
+#ifndef HAVE_STRDUP
+#define strdup rep_strdup
+char *rep_strdup(const char *s);
+#endif
+
+#ifndef HAVE_MEMMOVE
+#define memmove rep_memmove
+void *rep_memmove(void *dest,const void *src,int size);
+#endif
+
+#ifndef HAVE_MKTIME
+#define mktime rep_mktime
+/* prototype is in "system/time.h" */
+#endif
+
+#ifndef HAVE_TIMEGM
+#define timegm rep_timegm
+/* prototype is in "system/time.h" */
+#endif
+
+#ifndef HAVE_UTIME
+#define utime rep_utime
+/* prototype is in "system/time.h" */
+#endif
+
+#ifndef HAVE_UTIMES
+#define utimes rep_utimes
+/* prototype is in "system/time.h" */
+#endif
+
+#ifndef HAVE_STRLCPY
+#define strlcpy rep_strlcpy
+size_t rep_strlcpy(char *d, const char *s, size_t bufsize);
+#endif
+
+#ifndef HAVE_STRLCAT
+#define strlcat rep_strlcat
+size_t rep_strlcat(char *d, const char *s, size_t bufsize);
+#endif
+
+#if (defined(BROKEN_STRNDUP) || !defined(HAVE_STRNDUP))
+#undef HAVE_STRNDUP
+#define strndup rep_strndup
+char *rep_strndup(const char *s, size_t n);
+#endif
+
+#if (defined(BROKEN_STRNLEN) || !defined(HAVE_STRNLEN))
+#undef HAVE_STRNLEN
+#define strnlen rep_strnlen
+size_t rep_strnlen(const char *s, size_t n);
+#endif
+
+#ifndef HAVE_SETENV
+#define setenv rep_setenv
+int rep_setenv(const char *name, const char *value, int overwrite);
+#else
+#ifndef HAVE_SETENV_DECL
+int setenv(const char *name, const char *value, int overwrite);
+#endif
+#endif
+
+#ifndef HAVE_UNSETENV
+#define unsetenv rep_unsetenv
+int rep_unsetenv(const char *name);
+#endif
+
+#ifndef HAVE_SETEUID
+#define seteuid rep_seteuid
+int rep_seteuid(uid_t);
+#endif
+
+#ifndef HAVE_SETEGID
+#define setegid rep_setegid
+int rep_setegid(gid_t);
+#endif
+
+#ifndef HAVE_SETLINEBUF
+#define setlinebuf rep_setlinebuf
+void rep_setlinebuf(FILE *);
+#endif
+
+#ifndef HAVE_STRCASESTR
+#define strcasestr rep_strcasestr
+char *rep_strcasestr(const char *haystack, const char *needle);
+#endif
+
+#ifndef HAVE_STRTOK_R
+#define strtok_r rep_strtok_r
+char *rep_strtok_r(char *s, const char *delim, char **save_ptr);
+#endif
+
+#ifndef HAVE_STRTOLL
+#define strtoll rep_strtoll
+long long int rep_strtoll(const char *str, char **endptr, int base);
+#endif
+
+#ifndef HAVE_STRTOULL
+#define strtoull rep_strtoull
+unsigned long long int rep_strtoull(const char *str, char **endptr, int base);
+#endif
+
+#ifndef HAVE_FTRUNCATE
+#define ftruncate rep_ftruncate
+int rep_ftruncate(int,off_t);
+#endif
+
+#ifndef HAVE_INITGROUPS
+#define initgroups rep_initgroups
+int rep_initgroups(char *name, gid_t id);
+#endif
+
+#if !defined(HAVE_BZERO) && defined(HAVE_MEMSET)
+#define bzero(a,b) memset((a),'\0',(b))
+#endif
+
+#ifndef HAVE_DLERROR
+#define dlerror rep_dlerror
+char *rep_dlerror(void);
+#endif
+
+#ifndef HAVE_DLOPEN
+#define dlopen rep_dlopen
+#ifdef DLOPEN_TAKES_UNSIGNED_FLAGS
+void *rep_dlopen(const char *name, unsigned int flags);
+#else
+void *rep_dlopen(const char *name, int flags);
+#endif
+#endif
+
+#ifndef HAVE_DLSYM
+#define dlsym rep_dlsym
+void *rep_dlsym(void *handle, const char *symbol);
+#endif
+
+#ifndef HAVE_DLCLOSE
+#define dlclose rep_dlclose
+int rep_dlclose(void *handle);
+#endif
+
+#ifndef HAVE_SOCKETPAIR
+#define socketpair rep_socketpair
+/* prototype is in system/network.h */
+#endif
+
+#ifndef PRINTF_ATTRIBUTE
+#if (__GNUC__ >= 3) && (__GNUC_MINOR__ >= 1 )
+/** Use gcc attribute to check printf fns.  a1 is the 1-based index of
+ * the parameter containing the format, and a2 the index of the first
+ * argument. Note that some gcc 2.x versions don't handle this
+ * properly **/
+#define PRINTF_ATTRIBUTE(a1, a2) __attribute__ ((format (__printf__, a1, a2)))
+#else
+#define PRINTF_ATTRIBUTE(a1, a2)
+#endif
+#endif
+
+#ifndef _DEPRECATED_
+#if (__GNUC__ >= 3) && (__GNUC_MINOR__ >= 1 )
+#define _DEPRECATED_ __attribute__ ((deprecated))
+#else
+#define _DEPRECATED_
+#endif
+#endif
+
+#ifndef HAVE_VASPRINTF
+#define vasprintf rep_vasprintf
+int rep_vasprintf(char **ptr, const char *format, va_list ap) PRINTF_ATTRIBUTE(2,0);
+#endif
+
+#if !defined(HAVE_SNPRINTF) || !defined(HAVE_C99_VSNPRINTF)
+#define snprintf rep_snprintf
+int rep_snprintf(char *,size_t ,const char *, ...) PRINTF_ATTRIBUTE(3,4);
+#endif
+
+#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_C99_VSNPRINTF)
+#define vsnprintf rep_vsnprintf
+int rep_vsnprintf(char *,size_t ,const char *, va_list ap) PRINTF_ATTRIBUTE(3,0);
+#endif
+
+#ifndef HAVE_ASPRINTF
+#define asprintf rep_asprintf
+int rep_asprintf(char **,const char *, ...) PRINTF_ATTRIBUTE(2,3);
+#endif
+
+#ifndef HAVE_VSYSLOG
+#ifdef HAVE_SYSLOG
+#define vsyslog rep_vsyslog
+void rep_vsyslog (int facility_priority, const char *format, va_list arglist) PRINTF_ATTRIBUTE(2,0);
+#endif
+#endif
+
+/* we used to use these fns, but now we have good replacements
+   for snprintf and vsnprintf */
+#define slprintf snprintf
+
+
+#ifndef HAVE_VA_COPY
+#undef va_copy
+#ifdef HAVE___VA_COPY
+#define va_copy(dest, src) __va_copy(dest, src)
+#else
+#define va_copy(dest, src) (dest) = (src)
+#endif
+#endif
+
+#ifndef HAVE_VOLATILE
+#define volatile
+#endif
+
+#ifndef HAVE_COMPARISON_FN_T
+typedef int (*comparison_fn_t)(const void *, const void *);
+#endif
+
+#ifdef REPLACE_STRPTIME
+#define strptime rep_strptime
+struct tm;
+char *rep_strptime(const char *buf, const char *format, struct tm *tm);
+#endif
+
+/* Load header file for dynamic linking stuff */
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#ifndef RTLD_LAZY
+#define RTLD_LAZY 0
+#endif
+#ifndef RTLD_NOW
+#define RTLD_NOW 0
+#endif
+#ifndef RTLD_GLOBAL
+#define RTLD_GLOBAL 0
+#endif
+
+#ifndef HAVE_SECURE_MKSTEMP
+#define mkstemp(path) rep_mkstemp(path)
+int rep_mkstemp(char *temp);
+#endif
+
+#ifndef HAVE_MKDTEMP
+#define mkdtemp rep_mkdtemp
+char *rep_mkdtemp(char *template);
+#endif
+
+#ifndef HAVE_PREAD
+#define pread rep_pread
+ssize_t rep_pread(int __fd, void *__buf, size_t __nbytes, off_t __offset);
+#endif
+
+#ifndef HAVE_PWRITE
+#define pwrite rep_pwrite
+ssize_t rep_pwrite(int __fd, const void *__buf, size_t __nbytes, off_t __offset);
+#endif
+
+#if !defined(HAVE_INET_NTOA) || defined(REPLACE_INET_NTOA)
+#define inet_ntoa rep_inet_ntoa
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_INET_PTON
+#define inet_pton rep_inet_pton
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_INET_NTOP
+#define inet_ntop rep_inet_ntop
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_INET_ATON
+#define inet_aton rep_inet_aton
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_CONNECT
+#define connect rep_connect
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_GETHOSTBYNAME
+#define gethostbyname rep_gethostbyname
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_GETIFADDRS
+#define getifaddrs rep_getifaddrs
+/* prototype is in "system/network.h" */
+#endif
+
+#ifndef HAVE_FREEIFADDRS
+#define freeifaddrs rep_freeifaddrs
+/* prototype is in "system/network.h" */
+#endif
+
+#ifdef HAVE_LIMITS_H
+#include <limits.h>
+#endif
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+/* The extra casts work around common compiler bugs.  */
+#define _TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
+/* The outer cast is needed to work around a bug in Cray C 5.0.3.0.
+   It is necessary at least when t == time_t.  */
+#define _TYPE_MINIMUM(t) ((t) (_TYPE_SIGNED (t) \
+  			      ? ~ (t) 0 << (sizeof (t) * CHAR_BIT - 1) : (t) 0))
+#define _TYPE_MAXIMUM(t) ((t) (~ (t) 0 - _TYPE_MINIMUM (t)))
+
+#ifndef HOST_NAME_MAX
+#define HOST_NAME_MAX 255
+#endif
+
+/*
+ * Some older systems seem not to have MAXHOSTNAMELEN
+ * defined.
+ */
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN HOST_NAME_MAX
+#endif
+
+#ifndef UINT16_MAX
+#define UINT16_MAX 65535
+#endif
+
+#ifndef UINT32_MAX
+#define UINT32_MAX (4294967295U)
+#endif
+
+#ifndef UINT64_MAX
+#define UINT64_MAX ((uint64_t)-1)
+#endif
+
+#ifndef CHAR_BIT
+#define CHAR_BIT 8
+#endif
+
+#ifndef INT32_MAX
+#define INT32_MAX _TYPE_MAXIMUM(int32_t)
+#endif
+
+#ifdef HAVE_STDBOOL_H
+#include <stdbool.h>
+#endif
+
+#if !defined(HAVE_BOOL)
+#ifdef HAVE__Bool
+#define bool _Bool
+#else
+typedef int bool;
+#endif
+#endif
+
+/*
+ * to prevent <rpcsvc/yp_prot.h> from doing a redefine of 'bool'
+ *
+ * IRIX, HPUX, MacOS 10 and Solaris need BOOL_DEFINED
+ * Tru64 needs _BOOL_EXISTS
+ * AIX needs _BOOL,_TRUE,_FALSE
+ */
+#ifndef BOOL_DEFINED
+#define BOOL_DEFINED
+#endif
+#ifndef _BOOL_EXISTS
+#define _BOOL_EXISTS
+#endif
+#ifndef _BOOL
+#define _BOOL
+#endif
+
+#ifndef __bool_true_false_are_defined
+#define __bool_true_false_are_defined
+#endif
+
+#ifndef true
+#define true (1)
+#endif
+#ifndef false
+#define false (0)
+#endif
+
+#ifndef _TRUE
+#define _TRUE true
+#endif
+#ifndef _FALSE
+#define _FALSE false
+#endif
+
+#ifndef HAVE_FUNCTION_MACRO
+#ifdef HAVE_func_MACRO
+#define __FUNCTION__ __func__
+#else
+#define __FUNCTION__ ("")
+#endif
+#endif
+
+
+#ifndef MIN
+#define MIN(a,b) ((a)<(b)?(a):(b))
+#endif
+
+#ifndef MAX
+#define MAX(a,b) ((a)>(b)?(a):(b))
+#endif
+
+#if !defined(HAVE_VOLATILE)
+#define volatile
+#endif
+
+/**
+  this is a warning hack. The idea is to use this everywhere that we
+  get the "discarding const" warning from gcc. That doesn't actually
+  fix the problem of course, but it means that when we do get to
+  cleaning them up we can do it by searching the code for
+  discard_const.
+
+  It also means that other error types aren't as swamped by the noise
+  of hundreds of const warnings, so we are more likely to notice when
+  we get new errors.
+
+  Please only add more uses of this macro when you find it
+  _really_ hard to fix const warnings. Our aim is to eventually use
+  this function in only a very few places.
+
+  Also, please call this via the discard_const_p() macro interface, as that
+  makes the return type safe.
+*/
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+
+/** Type-safe version of discard_const */
+#define discard_const_p(type, ptr) ((type *)discard_const(ptr))
+
+#ifndef __STRING
+#define __STRING(x)    #x
+#endif
+
+#ifndef __STRINGSTRING
+#define __STRINGSTRING(x) __STRING(x)
+#endif
+
+#ifndef __LINESTR__
+#define __LINESTR__ __STRINGSTRING(__LINE__)
+#endif
+
+#ifndef __location__
+#define __location__ __FILE__ ":" __LINESTR__
+#endif
+
+/** 
+ * zero a structure 
+ */
+#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+
+/** 
+ * zero a structure given a pointer to the structure 
+ */
+#define ZERO_STRUCTP(x) do { if ((x) != NULL) memset((char *)(x), 0, sizeof(*(x))); } while(0)
+
+/** 
+ * zero a structure given a pointer to the structure - no zero check 
+ */
+#define ZERO_STRUCTPN(x) memset((char *)(x), 0, sizeof(*(x)))
+
+/* zero an array - note that sizeof(array) must work - ie. it must not be a
+   pointer */
+#define ZERO_ARRAY(x) memset((char *)(x), 0, sizeof(x))
+
+/**
+ * work out how many elements there are in a static array 
+ */
+#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
+
+/** 
+ * pointer difference macro 
+ */
+#define PTR_DIFF(p1,p2) ((ptrdiff_t)(((const char *)(p1)) - (const char *)(p2)))
+
+#if MMAP_BLACKLIST
+#undef HAVE_MMAP
+#endif
+
+#ifdef __COMPAR_FN_T
+#define QSORT_CAST (__compar_fn_t)
+#endif
+
+#ifndef QSORT_CAST
+#define QSORT_CAST (int (*)(const void *, const void *))
+#endif
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+#ifndef MAX_DNS_NAME_LENGTH
+#define MAX_DNS_NAME_LENGTH 256 /* Actually 255 but +1 for terminating null. */
+#endif
+
+#endif /* _LIBREPLACE_REPLACE_H */
diff --git a/source3/lib/replace/samba.m4 b/source3/lib/replace/samba.m4
new file mode 100644
index 0000000000..07c4d38887
--- /dev/null
+++ b/source3/lib/replace/samba.m4
@@ -0,0 +1,35 @@
+AC_LIBREPLACE_BROKEN_CHECKS
+AC_LIBREPLACE_NETWORK_CHECKS
+
+SMB_EXT_LIB(LIBREPLACE_EXT, [${LIBDL}])
+SMB_ENABLE(LIBREPLACE_EXT)
+
+SMB_EXT_LIB(LIBREPLACE_NETWORK, [${LIBREPLACE_NETWORK_LIBS}])
+SMB_ENABLE(LIBREPLACE_NETWORK)
+
+# remove leading ./
+LIBREPLACE_DIR=`echo ${libreplacedir} |sed -e 's/^\.\///g'`
+
+# remove leading srcdir .. we are looking for the relative
+# path within the samba source tree or wherever libreplace is.
+# We need to make sure the object is not forced to end up in
+# the source directory because we might be using a separate
+# build directory.
+LIBREPLACE_DIR=`echo ${LIBREPLACE_DIR} | sed -e "s|^$srcdir/||g"`
+
+LIBREPLACE_OBJS=""
+for obj in ${LIBREPLACEOBJ}; do
+	LIBREPLACE_OBJS="${LIBREPLACE_OBJS} ${LIBREPLACE_DIR}/${obj}"
+done
+
+SMB_SUBSYSTEM(LIBREPLACE,
+	[${LIBREPLACE_OBJS}],
+	[LIBREPLACE_EXT LIBREPLACE_NETWORK],
+	[-Ilib/replace])
+
+LIBREPLACE_HOSTCC_OBJS=`echo ${LIBREPLACE_OBJS} |sed -e 's/\.o/\.ho/g'`
+
+SMB_SUBSYSTEM(LIBREPLACE_HOSTCC,
+	[${LIBREPLACE_HOSTCC_OBJS}],
+	[],
+	[-Ilib/replace])
diff --git a/source3/lib/replace/snprintf.c b/source3/lib/replace/snprintf.c
new file mode 100644
index 0000000000..c54d721ce5
--- /dev/null
+++ b/source3/lib/replace/snprintf.c
@@ -0,0 +1,1530 @@
+/*
+ * NOTE: If you change this file, please merge it into rsync, samba, etc.
+ */
+
+/*
+ * Copyright Patrick Powell 1995
+ * This code is based on code written by Patrick Powell (papowell@astart.com)
+ * It may be used for any purpose as long as this notice remains intact
+ * on all source code distributions
+ */
+
+/**************************************************************
+ * Original:
+ * Patrick Powell Tue Apr 11 09:48:21 PDT 1995
+ * A bombproof version of doprnt (dopr) included.
+ * Sigh.  This sort of thing is always nasty do deal with.  Note that
+ * the version here does not include floating point...
+ *
+ * snprintf() is used instead of sprintf() as it does limit checks
+ * for string length.  This covers a nasty loophole.
+ *
+ * The other functions are there to prevent NULL pointers from
+ * causing nast effects.
+ *
+ * More Recently:
+ *  Brandon Long <blong@fiction.net> 9/15/96 for mutt 0.43
+ *  This was ugly.  It is still ugly.  I opted out of floating point
+ *  numbers, but the formatter understands just about everything
+ *  from the normal C string format, at least as far as I can tell from
+ *  the Solaris 2.5 printf(3S) man page.
+ *
+ *  Brandon Long <blong@fiction.net> 10/22/97 for mutt 0.87.1
+ *    Ok, added some minimal floating point support, which means this
+ *    probably requires libm on most operating systems.  Don't yet
+ *    support the exponent (e,E) and sigfig (g,G).  Also, fmtint()
+ *    was pretty badly broken, it just wasn't being exercised in ways
+ *    which showed it, so that's been fixed.  Also, formated the code
+ *    to mutt conventions, and removed dead code left over from the
+ *    original.  Also, there is now a builtin-test, just compile with:
+ *           gcc -DTEST_SNPRINTF -o snprintf snprintf.c -lm
+ *    and run snprintf for results.
+ * 
+ *  Thomas Roessler <roessler@guug.de> 01/27/98 for mutt 0.89i
+ *    The PGP code was using unsigned hexadecimal formats. 
+ *    Unfortunately, unsigned formats simply didn't work.
+ *
+ *  Michael Elkins <me@cs.hmc.edu> 03/05/98 for mutt 0.90.8
+ *    The original code assumed that both snprintf() and vsnprintf() were
+ *    missing.  Some systems only have snprintf() but not vsnprintf(), so
+ *    the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
+ *
+ *  Andrew Tridgell (tridge@samba.org) Oct 1998
+ *    fixed handling of %.0f
+ *    added test for HAVE_LONG_DOUBLE
+ *
+ * tridge@samba.org, idra@samba.org, April 2001
+ *    got rid of fcvt code (twas buggy and made testing harder)
+ *    added C99 semantics
+ *
+ * date: 2002/12/19 19:56:31;  author: herb;  state: Exp;  lines: +2 -0
+ * actually print args for %g and %e
+ * 
+ * date: 2002/06/03 13:37:52;  author: jmcd;  state: Exp;  lines: +8 -0
+ * Since includes.h isn't included here, VA_COPY has to be defined here.  I don't
+ * see any include file that is guaranteed to be here, so I'm defining it
+ * locally.  Fixes AIX and Solaris builds.
+ * 
+ * date: 2002/06/03 03:07:24;  author: tridge;  state: Exp;  lines: +5 -13
+ * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
+ * functions
+ * 
+ * date: 2002/05/17 14:51:22;  author: jmcd;  state: Exp;  lines: +21 -4
+ * Fix usage of va_list passed as an arg.  Use __va_copy before using it
+ * when it exists.
+ * 
+ * date: 2002/04/16 22:38:04;  author: idra;  state: Exp;  lines: +20 -14
+ * Fix incorrect zpadlen handling in fmtfp.
+ * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
+ * few mods to make it easier to compile the tests.
+ * addedd the "Ollie" test to the floating point ones.
+ *
+ * Martin Pool (mbp@samba.org) April 2003
+ *    Remove NO_CONFIG_H so that the test case can be built within a source
+ *    tree with less trouble.
+ *    Remove unnecessary SAFE_FREE() definition.
+ *
+ * Martin Pool (mbp@samba.org) May 2003
+ *    Put in a prototype for dummy_snprintf() to quiet compiler warnings.
+ *
+ *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
+ *    if the C library has some snprintf functions already.
+ *
+ * Darren Tucker (dtucker@zip.com.au) 2005
+ *    Fix bug allowing read overruns of the source string with "%.*s"
+ *    Usually harmless unless the read runs outside the process' allocation
+ *    (eg if your malloc does guard pages) in which case it will segfault.
+ *    From OpenSSH.  Also added test for same.
+ *
+ * Simo Sorce (idra@samba.org) Jan 2006
+ * 
+ *    Add support for position independent parameters 
+ *    fix fmtstr now it conforms to sprintf wrt min.max
+ *
+ **************************************************************/
+
+#include "replace.h"
+#include "system/locale.h"
+
+#ifdef TEST_SNPRINTF /* need math library headers for testing */
+
+/* In test mode, we pretend that this system doesn't have any snprintf
+ * functions, regardless of what config.h says. */
+#  undef HAVE_SNPRINTF
+#  undef HAVE_VSNPRINTF
+#  undef HAVE_C99_VSNPRINTF
+#  undef HAVE_ASPRINTF
+#  undef HAVE_VASPRINTF
+#  include <math.h>
+#endif /* TEST_SNPRINTF */
+
+#if defined(HAVE_SNPRINTF) && defined(HAVE_VSNPRINTF) && defined(HAVE_C99_VSNPRINTF)
+/* only include stdio.h if we are not re-defining snprintf or vsnprintf */
+#include <stdio.h>
+ /* make the compiler happy with an empty file */
+ void dummy_snprintf(void);
+ void dummy_snprintf(void) {} 
+#endif /* HAVE_SNPRINTF, etc */
+
+/* yes this really must be a ||. Don't muck with this (tridge) */
+#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_C99_VSNPRINTF)
+
+#ifdef HAVE_LONG_DOUBLE
+#define LDOUBLE long double
+#else
+#define LDOUBLE double
+#endif
+
+#ifdef HAVE_LONG_LONG
+#define LLONG long long
+#else
+#define LLONG long
+#endif
+
+#ifndef VA_COPY
+#ifdef HAVE_VA_COPY
+#define VA_COPY(dest, src) va_copy(dest, src)
+#else
+#ifdef HAVE___VA_COPY
+#define VA_COPY(dest, src) __va_copy(dest, src)
+#else
+#define VA_COPY(dest, src) (dest) = (src)
+#endif
+#endif
+
+/*
+ * dopr(): poor man's version of doprintf
+ */
+
+/* format read states */
+#define DP_S_DEFAULT 0
+#define DP_S_FLAGS   1
+#define DP_S_MIN     2
+#define DP_S_DOT     3
+#define DP_S_MAX     4
+#define DP_S_MOD     5
+#define DP_S_CONV    6
+#define DP_S_DONE    7
+
+/* format flags - Bits */
+#define DP_F_MINUS 	(1 << 0)
+#define DP_F_PLUS  	(1 << 1)
+#define DP_F_SPACE 	(1 << 2)
+#define DP_F_NUM   	(1 << 3)
+#define DP_F_ZERO  	(1 << 4)
+#define DP_F_UP    	(1 << 5)
+#define DP_F_UNSIGNED 	(1 << 6)
+
+/* Conversion Flags */
+#define DP_C_CHAR    1
+#define DP_C_SHORT   2
+#define DP_C_LONG    3
+#define DP_C_LDOUBLE 4
+#define DP_C_LLONG   5
+#define DP_C_SIZET   6
+
+/* Chunk types */
+#define CNK_FMT_STR 0
+#define CNK_INT     1
+#define CNK_OCTAL   2
+#define CNK_UINT    3
+#define CNK_HEX     4
+#define CNK_FLOAT   5
+#define CNK_CHAR    6
+#define CNK_STRING  7
+#define CNK_PTR     8
+#define CNK_NUM     9
+#define CNK_PRCNT   10
+
+#define char_to_int(p) ((p)- '0')
+#ifndef MAX
+#define MAX(p,q) (((p) >= (q)) ? (p) : (q))
+#endif
+
+struct pr_chunk {
+	int type; /* chunk type */
+	int num; /* parameter number */
+	int min; 
+	int max;
+	int flags;
+	int cflags;
+	int start;
+	int len;
+	LLONG value;
+	LDOUBLE fvalue;
+	char *strvalue;
+	void *pnum;
+	struct pr_chunk *min_star;
+	struct pr_chunk *max_star;
+	struct pr_chunk *next;
+};
+
+struct pr_chunk_x {
+	struct pr_chunk **chunks;
+	int num;
+};
+
+static int dopr(char *buffer, size_t maxlen, const char *format, 
+		   va_list args_in);
+static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+		    char *value, int flags, int min, int max);
+static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
+		    LLONG value, int base, int min, int max, int flags);
+static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
+		   LDOUBLE fvalue, int min, int max, int flags);
+static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
+static struct pr_chunk *new_chunk(void);
+static int add_cnk_list_entry(struct pr_chunk_x **list,
+				int max_num, struct pr_chunk *chunk);
+
+static int dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
+{
+	char ch;
+	int state;
+	int pflag;
+	int pnum;
+	int pfirst;
+	size_t currlen;
+	va_list args;
+	const char *base;
+	struct pr_chunk *chunks = NULL;
+	struct pr_chunk *cnk = NULL;
+	struct pr_chunk_x *clist = NULL;
+	int max_pos;
+	int ret = -1;
+
+	VA_COPY(args, args_in);
+
+	state = DP_S_DEFAULT;
+	pfirst = 1;
+	pflag = 0;
+	pnum = 0;
+
+	max_pos = 0;
+	base = format;
+	ch = *format++;
+	
+	/* retrieve the string structure as chunks */
+	while (state != DP_S_DONE) {
+		if (ch == '\0') 
+			state = DP_S_DONE;
+
+		switch(state) {
+		case DP_S_DEFAULT:
+			
+			if (cnk) {
+				cnk->next = new_chunk();
+				cnk = cnk->next;
+			} else {
+				cnk = new_chunk();
+			}
+			if (!cnk) goto done;
+			if (!chunks) chunks = cnk;
+			
+			if (ch == '%') {
+				state = DP_S_FLAGS;
+				ch = *format++;
+			} else {
+				cnk->type = CNK_FMT_STR;
+				cnk->start = format - base -1;
+				while ((ch != '\0') && (ch != '%')) ch = *format++;
+				cnk->len = format - base - cnk->start -1;
+			}
+			break;
+		case DP_S_FLAGS:
+			switch (ch) {
+			case '-':
+				cnk->flags |= DP_F_MINUS;
+				ch = *format++;
+				break;
+			case '+':
+				cnk->flags |= DP_F_PLUS;
+				ch = *format++;
+				break;
+			case ' ':
+				cnk->flags |= DP_F_SPACE;
+				ch = *format++;
+				break;
+			case '#':
+				cnk->flags |= DP_F_NUM;
+				ch = *format++;
+				break;
+			case '0':
+				cnk->flags |= DP_F_ZERO;
+				ch = *format++;
+				break;
+			case 'I':
+				/* internationalization not supported yet */
+				ch = *format++;
+				break;
+			default:
+				state = DP_S_MIN;
+				break;
+			}
+			break;
+		case DP_S_MIN:
+			if (isdigit((unsigned char)ch)) {
+				cnk->min = 10 * cnk->min + char_to_int (ch);
+				ch = *format++;
+			} else if (ch == '$') {
+				if (!pfirst && !pflag) {
+					/* parameters must be all positioned or none */
+					goto done;
+				}
+				if (pfirst) {
+					pfirst = 0;
+					pflag = 1;
+				}
+				if (cnk->min == 0) /* what ?? */
+					goto done;
+				cnk->num = cnk->min;
+				cnk->min = 0;
+				ch = *format++;
+			} else if (ch == '*') {
+				if (pfirst) pfirst = 0;
+				cnk->min_star = new_chunk();
+				if (!cnk->min_star) /* out of memory :-( */
+					goto done;
+				cnk->min_star->type = CNK_INT;
+				if (pflag) {
+					int num;
+					ch = *format++;
+					if (!isdigit((unsigned char)ch)) {
+						/* parameters must be all positioned or none */
+						goto done;
+					}
+					for (num = 0; isdigit((unsigned char)ch); ch = *format++) {
+						num = 10 * num + char_to_int(ch);
+					}
+					cnk->min_star->num = num;
+					if (ch != '$') /* what ?? */
+						goto done;
+				} else {
+					cnk->min_star->num = ++pnum;
+				}
+				max_pos = add_cnk_list_entry(&clist, max_pos, cnk->min_star);
+				if (max_pos == 0) /* out of memory :-( */
+					goto done;
+				ch = *format++;
+				state = DP_S_DOT;
+			} else {
+				if (pfirst) pfirst = 0;
+				state = DP_S_DOT;
+			}
+			break;
+		case DP_S_DOT:
+			if (ch == '.') {
+				state = DP_S_MAX;
+				ch = *format++;
+			} else { 
+				state = DP_S_MOD;
+			}
+			break;
+		case DP_S_MAX:
+			if (isdigit((unsigned char)ch)) {
+				if (cnk->max < 0)
+					cnk->max = 0;
+				cnk->max = 10 * cnk->max + char_to_int (ch);
+				ch = *format++;
+			} else if (ch == '$') {
+				if (!pfirst && !pflag) {
+					/* parameters must be all positioned or none */
+					goto done;
+				}
+				if (cnk->max <= 0) /* what ?? */
+					goto done;
+				cnk->num = cnk->max;
+				cnk->max = -1;
+				ch = *format++;
+			} else if (ch == '*') {
+				cnk->max_star = new_chunk();
+				if (!cnk->max_star) /* out of memory :-( */
+					goto done;
+				cnk->max_star->type = CNK_INT;
+				if (pflag) {
+					int num;
+					ch = *format++;
+					if (!isdigit((unsigned char)ch)) {
+						/* parameters must be all positioned or none */
+						goto done;
+					}
+					for (num = 0; isdigit((unsigned char)ch); ch = *format++) {
+						num = 10 * num + char_to_int(ch);
+					}
+					cnk->max_star->num = num;
+					if (ch != '$') /* what ?? */
+						goto done;
+				} else {
+					cnk->max_star->num = ++pnum;
+				}
+				max_pos = add_cnk_list_entry(&clist, max_pos, cnk->max_star);
+				if (max_pos == 0) /* out of memory :-( */
+					goto done;
+
+				ch = *format++;
+				state = DP_S_MOD;
+			} else {
+				state = DP_S_MOD;
+			}
+			break;
+		case DP_S_MOD:
+			switch (ch) {
+			case 'h':
+				cnk->cflags = DP_C_SHORT;
+				ch = *format++;
+				if (ch == 'h') {
+					cnk->cflags = DP_C_CHAR;
+					ch = *format++;
+				}
+				break;
+			case 'l':
+				cnk->cflags = DP_C_LONG;
+				ch = *format++;
+				if (ch == 'l') {	/* It's a long long */
+					cnk->cflags = DP_C_LLONG;
+					ch = *format++;
+				}
+				break;
+			case 'L':
+				cnk->cflags = DP_C_LDOUBLE;
+				ch = *format++;
+				break;
+			case 'z':
+				cnk->cflags = DP_C_SIZET;
+				ch = *format++;
+				break;
+			default:
+				break;
+			}
+			state = DP_S_CONV;
+			break;
+		case DP_S_CONV:
+			if (cnk->num == 0) cnk->num = ++pnum;
+			max_pos = add_cnk_list_entry(&clist, max_pos, cnk);
+			if (max_pos == 0) /* out of memory :-( */
+				goto done;
+			
+			switch (ch) {
+			case 'd':
+			case 'i':
+				cnk->type = CNK_INT;
+				break;
+			case 'o':
+				cnk->type = CNK_OCTAL;
+				cnk->flags |= DP_F_UNSIGNED;
+				break;
+			case 'u':
+				cnk->type = CNK_UINT;
+				cnk->flags |= DP_F_UNSIGNED;
+				break;
+			case 'X':
+				cnk->flags |= DP_F_UP;
+			case 'x':
+				cnk->type = CNK_HEX;
+				cnk->flags |= DP_F_UNSIGNED;
+				break;
+			case 'A':
+				/* hex float not supported yet */
+			case 'E':
+			case 'G':
+			case 'F':
+				cnk->flags |= DP_F_UP;
+			case 'a':
+				/* hex float not supported yet */
+			case 'e':
+			case 'f':
+			case 'g':
+				cnk->type = CNK_FLOAT;
+				break;
+			case 'c':
+				cnk->type = CNK_CHAR;
+				break;
+			case 's':
+				cnk->type = CNK_STRING;
+				break;
+			case 'p':
+				cnk->type = CNK_PTR;
+				break;
+			case 'n':
+				cnk->type = CNK_NUM;
+				break;
+			case '%':
+				cnk->type = CNK_PRCNT;
+				break;
+			default:
+				/* Unknown, bail out*/
+				goto done;
+			}
+			ch = *format++;
+			state = DP_S_DEFAULT;
+			break;
+		case DP_S_DONE:
+			break;
+		default:
+			/* hmm? */
+			break; /* some picky compilers need this */
+		}
+	}
+
+	/* retrieve the format arguments */
+	for (pnum = 0; pnum < max_pos; pnum++) {
+		int i;
+
+		if (clist[pnum].num == 0) {
+			/* ignoring a parameter should not be permitted
+			 * all parameters must be matched at least once
+			 * BUT seem some system ignore this rule ...
+			 * at least my glibc based system does --SSS
+			 */
+#ifdef DEBUG_SNPRINTF
+			printf("parameter at position %d not used\n", pnum+1);
+#endif
+			/* eat the parameter */
+			va_arg (args, int);
+			continue;
+		}
+		for (i = 1; i < clist[pnum].num; i++) {
+			if (clist[pnum].chunks[0]->type != clist[pnum].chunks[i]->type) {
+				/* nooo noo no!
+				 * all the references to a parameter
+				 * must be of the same type
+				 */
+				goto done;
+			}
+		}
+		cnk = clist[pnum].chunks[0];
+		switch (cnk->type) {
+		case CNK_INT:
+			if (cnk->cflags == DP_C_SHORT) 
+				cnk->value = va_arg (args, int);
+			else if (cnk->cflags == DP_C_LONG)
+				cnk->value = va_arg (args, long int);
+			else if (cnk->cflags == DP_C_LLONG)
+				cnk->value = va_arg (args, LLONG);
+			else if (cnk->cflags == DP_C_SIZET)
+				cnk->value = va_arg (args, ssize_t);
+			else
+				cnk->value = va_arg (args, int);
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->value = cnk->value;
+			}
+			break;
+
+		case CNK_OCTAL:
+		case CNK_UINT:
+		case CNK_HEX:
+			if (cnk->cflags == DP_C_SHORT)
+				cnk->value = va_arg (args, unsigned int);
+			else if (cnk->cflags == DP_C_LONG)
+				cnk->value = (unsigned long int)va_arg (args, unsigned long int);
+			else if (cnk->cflags == DP_C_LLONG)
+				cnk->value = (LLONG)va_arg (args, unsigned LLONG);
+			else if (cnk->cflags == DP_C_SIZET)
+				cnk->value = (size_t)va_arg (args, size_t);
+			else
+				cnk->value = (unsigned int)va_arg (args, unsigned int);
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->value = cnk->value;
+			}
+			break;
+
+		case CNK_FLOAT:
+			if (cnk->cflags == DP_C_LDOUBLE)
+				cnk->fvalue = va_arg (args, LDOUBLE);
+			else
+				cnk->fvalue = va_arg (args, double);
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->fvalue = cnk->fvalue;
+			}
+			break;
+
+		case CNK_CHAR:
+			cnk->value = va_arg (args, int);
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->value = cnk->value;
+			}
+			break;
+
+		case CNK_STRING:
+			cnk->strvalue = va_arg (args, char *);
+			if (!cnk->strvalue) cnk->strvalue = "(NULL)";
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->strvalue = cnk->strvalue;
+			}
+			break;
+
+		case CNK_PTR:
+			cnk->strvalue = va_arg (args, void *);
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->strvalue = cnk->strvalue;
+			}
+			break;
+
+		case CNK_NUM:
+			if (cnk->cflags == DP_C_CHAR)
+				cnk->pnum = va_arg (args, char *);
+			else if (cnk->cflags == DP_C_SHORT)
+				cnk->pnum = va_arg (args, short int *);
+			else if (cnk->cflags == DP_C_LONG)
+				cnk->pnum = va_arg (args, long int *);
+			else if (cnk->cflags == DP_C_LLONG)
+				cnk->pnum = va_arg (args, LLONG *);
+			else if (cnk->cflags == DP_C_SIZET)
+				cnk->pnum = va_arg (args, ssize_t *);
+			else
+				cnk->pnum = va_arg (args, int *);
+
+			for (i = 1; i < clist[pnum].num; i++) {
+				clist[pnum].chunks[i]->pnum = cnk->pnum;
+			}
+			break;
+
+		case CNK_PRCNT:
+			break;
+
+		default:
+			/* what ?? */
+			goto done;
+		}
+	}
+	/* print out the actual string from chunks */
+	currlen = 0;
+	cnk = chunks;
+	while (cnk) {
+		int len, min, max;
+
+		if (cnk->min_star) min = cnk->min_star->value;
+		else min = cnk->min;
+		if (cnk->max_star) max = cnk->max_star->value;
+		else max = cnk->max;
+
+		switch (cnk->type) {
+
+		case CNK_FMT_STR:
+			if (maxlen != 0 && maxlen > currlen) {
+				if (maxlen > (currlen + cnk->len)) len = cnk->len;
+				else len = maxlen - currlen;
+
+				memcpy(&(buffer[currlen]), &(base[cnk->start]), len);
+			}
+			currlen += cnk->len;
+				
+			break;
+
+		case CNK_INT:
+		case CNK_UINT:
+			fmtint (buffer, &currlen, maxlen, cnk->value, 10, min, max, cnk->flags);
+			break;
+
+		case CNK_OCTAL:
+			fmtint (buffer, &currlen, maxlen, cnk->value, 8, min, max, cnk->flags);
+			break;
+
+		case CNK_HEX:
+			fmtint (buffer, &currlen, maxlen, cnk->value, 16, min, max, cnk->flags);
+			break;
+
+		case CNK_FLOAT:
+			fmtfp (buffer, &currlen, maxlen, cnk->fvalue, min, max, cnk->flags);
+			break;
+
+		case CNK_CHAR:
+			dopr_outch (buffer, &currlen, maxlen, cnk->value);
+			break;
+
+		case CNK_STRING:
+			if (max == -1) {
+				max = strlen(cnk->strvalue);
+			}
+			fmtstr (buffer, &currlen, maxlen, cnk->strvalue, cnk->flags, min, max);
+			break;
+
+		case CNK_PTR:
+			fmtint (buffer, &currlen, maxlen, (long)(cnk->strvalue), 16, min, max, cnk->flags);
+			break;
+
+		case CNK_NUM:
+			if (cnk->cflags == DP_C_CHAR)
+				*((char *)(cnk->pnum)) = (char)currlen;
+			else if (cnk->cflags == DP_C_SHORT)
+				*((short int *)(cnk->pnum)) = (short int)currlen;
+			else if (cnk->cflags == DP_C_LONG)
+				*((long int *)(cnk->pnum)) = (long int)currlen;
+			else if (cnk->cflags == DP_C_LLONG)
+				*((LLONG *)(cnk->pnum)) = (LLONG)currlen;
+			else if (cnk->cflags == DP_C_SIZET)
+				*((ssize_t *)(cnk->pnum)) = (ssize_t)currlen;
+			else
+				*((int *)(cnk->pnum)) = (int)currlen;
+			break;
+
+		case CNK_PRCNT:
+			dopr_outch (buffer, &currlen, maxlen, '%');
+			break;
+
+		default:
+			/* what ?? */
+			goto done;
+		}
+		cnk = cnk->next;
+	}
+	if (maxlen != 0) {
+		if (currlen < maxlen - 1) 
+			buffer[currlen] = '\0';
+		else if (maxlen > 0) 
+			buffer[maxlen - 1] = '\0';
+	}
+	ret = currlen;
+
+done:
+	va_end(args);
+
+	while (chunks) {
+		cnk = chunks->next;
+		free(chunks);
+		chunks = cnk;
+	}
+	if (clist) {
+		for (pnum = 0; pnum < max_pos; pnum++) {
+			if (clist[pnum].chunks) free(clist[pnum].chunks);
+		}
+		free(clist);
+	}
+	return ret;
+}
+
+static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+		    char *value, int flags, int min, int max)
+{
+	int padlen, strln;     /* amount to pad */
+	int cnt = 0;
+
+#ifdef DEBUG_SNPRINTF
+	printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
+#endif
+	if (value == 0) {
+		value = "<NULL>";
+	}
+
+	for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
+	padlen = min - strln;
+	if (padlen < 0) 
+		padlen = 0;
+	if (flags & DP_F_MINUS) 
+		padlen = -padlen; /* Left Justify */
+	
+	while (padlen > 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		--padlen;
+	}
+	while (*value && (cnt < max)) {
+		dopr_outch (buffer, currlen, maxlen, *value++);
+		++cnt;
+	}
+	while (padlen < 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		++padlen;
+	}
+}
+
+/* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
+
+static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
+		    LLONG value, int base, int min, int max, int flags)
+{
+	int signvalue = 0;
+	unsigned LLONG uvalue;
+	char convert[20];
+	int place = 0;
+	int spadlen = 0; /* amount to space pad */
+	int zpadlen = 0; /* amount to zero pad */
+	int caps = 0;
+	
+	if (max < 0)
+		max = 0;
+	
+	uvalue = value;
+	
+	if(!(flags & DP_F_UNSIGNED)) {
+		if( value < 0 ) {
+			signvalue = '-';
+			uvalue = -value;
+		} else {
+			if (flags & DP_F_PLUS)  /* Do a sign (+/i) */
+				signvalue = '+';
+			else if (flags & DP_F_SPACE)
+				signvalue = ' ';
+		}
+	}
+  
+	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
+
+	do {
+		convert[place++] =
+			(caps? "0123456789ABCDEF":"0123456789abcdef")
+			[uvalue % (unsigned)base  ];
+		uvalue = (uvalue / (unsigned)base );
+	} while(uvalue && (place < 20));
+	if (place == 20) place--;
+	convert[place] = 0;
+
+	zpadlen = max - place;
+	spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
+	if (zpadlen < 0) zpadlen = 0;
+	if (spadlen < 0) spadlen = 0;
+	if (flags & DP_F_ZERO) {
+		zpadlen = MAX(zpadlen, spadlen);
+		spadlen = 0;
+	}
+	if (flags & DP_F_MINUS) 
+		spadlen = -spadlen; /* Left Justifty */
+
+#ifdef DEBUG_SNPRINTF
+	printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
+	       zpadlen, spadlen, min, max, place);
+#endif
+
+	/* Spaces */
+	while (spadlen > 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		--spadlen;
+	}
+
+	/* Sign */
+	if (signvalue) 
+		dopr_outch (buffer, currlen, maxlen, signvalue);
+
+	/* Zeros */
+	if (zpadlen > 0) {
+		while (zpadlen > 0) {
+			dopr_outch (buffer, currlen, maxlen, '0');
+			--zpadlen;
+		}
+	}
+
+	/* Digits */
+	while (place > 0) 
+		dopr_outch (buffer, currlen, maxlen, convert[--place]);
+  
+	/* Left Justified spaces */
+	while (spadlen < 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		++spadlen;
+	}
+}
+
+static LDOUBLE abs_val(LDOUBLE value)
+{
+	LDOUBLE result = value;
+
+	if (value < 0)
+		result = -value;
+	
+	return result;
+}
+
+static LDOUBLE POW10(int exp)
+{
+	LDOUBLE result = 1;
+	
+	while (exp) {
+		result *= 10;
+		exp--;
+	}
+  
+	return result;
+}
+
+static LLONG ROUND(LDOUBLE value)
+{
+	LLONG intpart;
+
+	intpart = (LLONG)value;
+	value = value - intpart;
+	if (value >= 0.5) intpart++;
+	
+	return intpart;
+}
+
+/* a replacement for modf that doesn't need the math library. Should
+   be portable, but slow */
+static double my_modf(double x0, double *iptr)
+{
+	int i;
+	LLONG l=0;
+	double x = x0;
+	double f = 1.0;
+
+	for (i=0;i<100;i++) {
+		l = (long)x;
+		if (l <= (x+1) && l >= (x-1)) break;
+		x *= 0.1;
+		f *= 10.0;
+	}
+
+	if (i == 100) {
+		/* yikes! the number is beyond what we can handle. What do we do? */
+		(*iptr) = 0;
+		return 0;
+	}
+
+	if (i != 0) {
+		double i2;
+		double ret;
+
+		ret = my_modf(x0-l*f, &i2);
+		(*iptr) = l*f + i2;
+		return ret;
+	} 
+
+	(*iptr) = l;
+	return x - (*iptr);
+}
+
+
+static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
+		   LDOUBLE fvalue, int min, int max, int flags)
+{
+	int signvalue = 0;
+	double ufvalue;
+	char iconvert[311];
+	char fconvert[311];
+	int iplace = 0;
+	int fplace = 0;
+	int padlen = 0; /* amount to pad */
+	int zpadlen = 0; 
+	int caps = 0;
+	int idx;
+	double intpart;
+	double fracpart;
+	double temp;
+  
+	/* 
+	 * AIX manpage says the default is 0, but Solaris says the default
+	 * is 6, and sprintf on AIX defaults to 6
+	 */
+	if (max < 0)
+		max = 6;
+
+	ufvalue = abs_val (fvalue);
+
+	if (fvalue < 0) {
+		signvalue = '-';
+	} else {
+		if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
+			signvalue = '+';
+		} else {
+			if (flags & DP_F_SPACE)
+				signvalue = ' ';
+		}
+	}
+
+#if 0
+	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
+#endif
+
+#if 0
+	 if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
+#endif
+
+	/* 
+	 * Sorry, we only support 9 digits past the decimal because of our 
+	 * conversion method
+	 */
+	if (max > 9)
+		max = 9;
+
+	/* We "cheat" by converting the fractional part to integer by
+	 * multiplying by a factor of 10
+	 */
+
+	temp = ufvalue;
+	my_modf(temp, &intpart);
+
+	fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
+	
+	if (fracpart >= POW10(max)) {
+		intpart++;
+		fracpart -= POW10(max);
+	}
+
+
+	/* Convert integer part */
+	do {
+		temp = intpart*0.1;
+		my_modf(temp, &intpart);
+		idx = (int) ((temp -intpart +0.05)* 10.0);
+		/* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
+		/* printf ("%llf, %f, %x\n", temp, intpart, idx); */
+		iconvert[iplace++] =
+			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
+	} while (intpart && (iplace < 311));
+	if (iplace == 311) iplace--;
+	iconvert[iplace] = 0;
+
+	/* Convert fractional part */
+	if (fracpart)
+	{
+		do {
+			temp = fracpart*0.1;
+			my_modf(temp, &fracpart);
+			idx = (int) ((temp -fracpart +0.05)* 10.0);
+			/* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
+			/* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
+			fconvert[fplace++] =
+			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
+		} while(fracpart && (fplace < 311));
+		if (fplace == 311) fplace--;
+	}
+	fconvert[fplace] = 0;
+  
+	/* -1 for decimal point, another -1 if we are printing a sign */
+	padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); 
+	zpadlen = max - fplace;
+	if (zpadlen < 0) zpadlen = 0;
+	if (padlen < 0) 
+		padlen = 0;
+	if (flags & DP_F_MINUS) 
+		padlen = -padlen; /* Left Justifty */
+	
+	if ((flags & DP_F_ZERO) && (padlen > 0)) {
+		if (signvalue) {
+			dopr_outch (buffer, currlen, maxlen, signvalue);
+			--padlen;
+			signvalue = 0;
+		}
+		while (padlen > 0) {
+			dopr_outch (buffer, currlen, maxlen, '0');
+			--padlen;
+		}
+	}
+	while (padlen > 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		--padlen;
+	}
+	if (signvalue) 
+		dopr_outch (buffer, currlen, maxlen, signvalue);
+	
+	while (iplace > 0) 
+		dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
+
+#ifdef DEBUG_SNPRINTF
+	printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
+#endif
+
+	/*
+	 * Decimal point.  This should probably use locale to find the correct
+	 * char to print out.
+	 */
+	if (max > 0) {
+		dopr_outch (buffer, currlen, maxlen, '.');
+		
+		while (zpadlen > 0) {
+			dopr_outch (buffer, currlen, maxlen, '0');
+			--zpadlen;
+		}
+
+		while (fplace > 0) 
+			dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
+	}
+
+	while (padlen < 0) {
+		dopr_outch (buffer, currlen, maxlen, ' ');
+		++padlen;
+	}
+}
+
+static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
+{
+	if (*currlen < maxlen) {
+		buffer[(*currlen)] = c;
+	}
+	(*currlen)++;
+}
+
+static struct pr_chunk *new_chunk(void) {
+	struct pr_chunk *new_c = (struct pr_chunk *)malloc(sizeof(struct pr_chunk));
+
+	if (!new_c)
+		return NULL;
+
+	new_c->type = 0;
+	new_c->num = 0;
+	new_c->min = 0;
+	new_c->min_star = NULL;
+	new_c->max = -1;
+	new_c->max_star = NULL;
+	new_c->flags = 0;
+	new_c->cflags = 0;
+	new_c->start = 0;
+	new_c->len = 0;
+	new_c->value = 0;
+	new_c->fvalue = 0;
+	new_c->strvalue = NULL;
+	new_c->pnum = NULL;
+	new_c->next = NULL;
+
+	return new_c;
+}
+
+static int add_cnk_list_entry(struct pr_chunk_x **list,
+				int max_num, struct pr_chunk *chunk) {
+	struct pr_chunk_x *l;
+	struct pr_chunk **c;
+	int max;
+	int cnum;
+	int i, pos;
+
+	if (chunk->num > max_num) {
+		max = chunk->num;
+	
+		if (*list == NULL) {
+			l = (struct pr_chunk_x *)malloc(sizeof(struct pr_chunk_x) * max);
+			pos = 0;
+		} else {
+			l = (struct pr_chunk_x *)realloc(*list, sizeof(struct pr_chunk_x) * max);
+			pos = max_num;
+		}
+		if (l == NULL) {
+			for (i = 0; i < max; i++) {
+				if ((*list)[i].chunks) free((*list)[i].chunks);
+			}
+			return 0;
+		}
+		for (i = pos; i < max; i++) {
+			l[i].chunks = NULL;
+			l[i].num = 0;
+		}
+	} else {
+		l = *list;
+		max = max_num;
+	}
+
+	i = chunk->num - 1;
+	cnum = l[i].num + 1;
+	if (l[i].chunks == NULL) {
+		c = (struct pr_chunk **)malloc(sizeof(struct pr_chunk *) * cnum); 
+	} else {
+		c = (struct pr_chunk **)realloc(l[i].chunks, sizeof(struct pr_chunk *) * cnum);
+	}
+	if (c == NULL) {
+		for (i = 0; i < max; i++) {
+			if (l[i].chunks) free(l[i].chunks);
+		}
+		return 0;
+	}
+	c[l[i].num] = chunk;
+	l[i].chunks = c;
+	l[i].num = cnum;
+
+	*list = l;
+	return max;
+}
+
+ int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
+{
+	return dopr(str, count, fmt, args);
+}
+#endif
+
+/* yes this really must be a ||. Don't muck with this (tridge)
+ *
+ * The logic for these two is that we need our own definition if the
+ * OS *either* has no definition of *sprintf, or if it does have one
+ * that doesn't work properly according to the autoconf test.
+ */
+#if !defined(HAVE_SNPRINTF) || !defined(HAVE_C99_VSNPRINTF)
+ int snprintf(char *str,size_t count,const char *fmt,...)
+{
+	size_t ret;
+	va_list ap;
+    
+	va_start(ap, fmt);
+	ret = vsnprintf(str, count, fmt, ap);
+	va_end(ap);
+	return ret;
+}
+#endif
+
+#ifndef HAVE_C99_VSNPRINTF
+ int printf(const char *fmt, ...)
+{
+	va_list ap;
+	int ret;
+	char *s;
+
+	s = NULL;
+	va_start(ap, fmt);
+	ret = vasprintf(&s, fmt, ap);
+	va_end(ap);
+
+	if (s) {
+		fwrite(s, 1, strlen(s), stdout);
+	}
+	free(s);
+
+	return ret;
+}
+#endif
+
+#ifndef HAVE_C99_VSNPRINTF
+ int fprintf(FILE *stream, const char *fmt, ...)
+{
+	va_list ap;
+	int ret;
+	char *s;
+
+	s = NULL;
+	va_start(ap, fmt);
+	ret = vasprintf(&s, fmt, ap);
+	va_end(ap);
+
+	if (s) {
+		fwrite(s, 1, strlen(s), stream);
+	}
+	free(s);
+
+	return ret;
+}
+#endif
+
+#endif 
+
+#ifndef HAVE_VASPRINTF
+ int vasprintf(char **ptr, const char *format, va_list ap)
+{
+	int ret;
+	va_list ap2;
+
+	VA_COPY(ap2, ap);
+	ret = vsnprintf(NULL, 0, format, ap2);
+	va_end(ap2);
+	if (ret < 0) return ret;
+
+	(*ptr) = (char *)malloc(ret+1);
+	if (!*ptr) return -1;
+
+	VA_COPY(ap2, ap);
+	ret = vsnprintf(*ptr, ret+1, format, ap2);
+	va_end(ap2);
+
+	return ret;
+}
+#endif
+
+
+#ifndef HAVE_ASPRINTF
+ int asprintf(char **ptr, const char *format, ...)
+{
+	va_list ap;
+	int ret;
+	
+	*ptr = NULL;
+	va_start(ap, format);
+	ret = vasprintf(ptr, format, ap);
+	va_end(ap);
+
+	return ret;
+}
+#endif
+
+#ifdef TEST_SNPRINTF
+
+ int sprintf(char *str,const char *fmt,...);
+ int printf(const char *fmt,...);
+
+ int main (void)
+{
+	char buf1[1024];
+	char buf2[1024];
+	char *buf3;
+	char *fp_fmt[] = {
+		"%1.1f",
+		"%-1.5f",
+		"%1.5f",
+		"%123.9f",
+		"%10.5f",
+		"% 10.5f",
+		"%+22.9f",
+		"%+4.9f",
+		"%01.3f",
+		"%4f",
+		"%3.1f",
+		"%3.2f",
+		"%.0f",
+		"%f",
+		"%-8.8f",
+		"%-9.9f",
+		NULL
+	};
+	double fp_nums[] = { 6442452944.1234, -1.5, 134.21, 91340.2, 341.1234, 203.9, 0.96, 0.996, 
+			     0.9996, 1.996, 4.136, 5.030201, 0.00205,
+			     /* END LIST */ 0};
+	char *int_fmt[] = {
+		"%-1.5d",
+		"%1.5d",
+		"%123.9d",
+		"%5.5d",
+		"%10.5d",
+		"% 10.5d",
+		"%+22.33d",
+		"%01.3d",
+		"%4d",
+		"%d",
+		NULL
+	};
+	long int_nums[] = { -1, 134, 91340, 341, 0203, 1234567890, 0};
+	char *str_fmt[] = {
+		"%10.5s",
+		"%-10.5s",
+		"%5.10s",
+		"%-5.10s",
+		"%10.1s",
+		"%0.10s",
+		"%10.0s",
+		"%1.10s",
+		"%s",
+		"%.1s",
+		"%.10s",
+		"%10s",
+		NULL
+	};
+	char *str_vals[] = {"hello", "a", "", "a longer string", NULL};
+#ifdef HAVE_LONG_LONG
+	char *ll_fmt[] = {
+		"%llu",
+		NULL
+	};
+	LLONG ll_nums[] = { 134, 91340, 341, 0203, 1234567890, 128006186140000000LL, 0};
+#endif
+	int x, y;
+	int fail = 0;
+	int num = 0;
+	int l1, l2;
+	char *ss_fmt[] = {
+		"%zd",
+		"%zu",
+		NULL
+	};
+	size_t ss_nums[] = {134, 91340, 123456789, 0203, 1234567890, 0};
+
+	printf ("Testing snprintf format codes against system sprintf...\n");
+
+	for (x = 0; fp_fmt[x] ; x++) {
+		for (y = 0; fp_nums[y] != 0 ; y++) {
+			buf1[0] = buf2[0] = '\0';
+			l1 = snprintf(buf1, sizeof(buf1), fp_fmt[x], fp_nums[y]);
+			l2 = sprintf (buf2, fp_fmt[x], fp_nums[y]);
+			buf1[1023] = buf2[1023] = '\0';
+			if (strcmp (buf1, buf2) || (l1 != l2)) {
+				printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n", 
+				       fp_fmt[x], l1, buf1, l2, buf2);
+				fail++;
+			}
+			num++;
+		}
+	}
+
+	for (x = 0; int_fmt[x] ; x++) {
+		for (y = 0; int_nums[y] != 0 ; y++) {
+			buf1[0] = buf2[0] = '\0';
+			l1 = snprintf(buf1, sizeof(buf1), int_fmt[x], int_nums[y]);
+			l2 = sprintf (buf2, int_fmt[x], int_nums[y]);
+			buf1[1023] = buf2[1023] = '\0';
+			if (strcmp (buf1, buf2) || (l1 != l2)) {
+				printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n", 
+				       int_fmt[x], l1, buf1, l2, buf2);
+				fail++;
+			}
+			num++;
+		}
+	}
+
+	for (x = 0; str_fmt[x] ; x++) {
+		for (y = 0; str_vals[y] != 0 ; y++) {
+			buf1[0] = buf2[0] = '\0';
+			l1 = snprintf(buf1, sizeof(buf1), str_fmt[x], str_vals[y]);
+			l2 = sprintf (buf2, str_fmt[x], str_vals[y]);
+			buf1[1023] = buf2[1023] = '\0';
+			if (strcmp (buf1, buf2) || (l1 != l2)) {
+				printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n", 
+				       str_fmt[x], l1, buf1, l2, buf2);
+				fail++;
+			}
+			num++;
+		}
+	}
+
+#ifdef HAVE_LONG_LONG
+	for (x = 0; ll_fmt[x] ; x++) {
+		for (y = 0; ll_nums[y] != 0 ; y++) {
+			buf1[0] = buf2[0] = '\0';
+			l1 = snprintf(buf1, sizeof(buf1), ll_fmt[x], ll_nums[y]);
+			l2 = sprintf (buf2, ll_fmt[x], ll_nums[y]);
+			buf1[1023] = buf2[1023] = '\0';
+			if (strcmp (buf1, buf2) || (l1 != l2)) {
+				printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n", 
+				       ll_fmt[x], l1, buf1, l2, buf2);
+				fail++;
+			}
+			num++;
+		}
+	}
+#endif
+
+#define BUFSZ 2048
+
+	buf1[0] = buf2[0] = '\0';
+	if ((buf3 = malloc(BUFSZ)) == NULL) {
+		fail++;
+	} else {
+		num++;
+		memset(buf3, 'a', BUFSZ);
+		snprintf(buf1, sizeof(buf1), "%.*s", 1, buf3);
+		buf1[1023] = '\0';
+		if (strcmp(buf1, "a") != 0) {
+			printf("length limit buf1 '%s' expected 'a'\n", buf1);
+			fail++;
+		}
+        }
+
+	buf1[0] = buf2[0] = '\0';
+	l1 = snprintf(buf1, sizeof(buf1), "%4$*1$d %2$s %3$*1$.*1$f", 3, "pos test", 12.3456, 9);
+	l2 = sprintf(buf2, "%4$*1$d %2$s %3$*1$.*1$f", 3, "pos test", 12.3456, 9);
+	buf1[1023] = buf2[1023] = '\0';
+	if (strcmp(buf1, buf2) || (l1 != l2)) {
+		printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n",
+				"%4$*1$d %2$s %3$*1$.*1$f", l1, buf1, l2, buf2);
+		fail++;
+	}
+
+	buf1[0] = buf2[0] = '\0';
+	l1 = snprintf(buf1, sizeof(buf1), "%4$*4$d %2$s %3$*4$.*4$f", 3, "pos test", 12.3456, 9);
+	l2 = sprintf(buf2, "%4$*4$d %2$s %3$*4$.*4$f", 3, "pos test", 12.3456, 9);
+	buf1[1023] = buf2[1023] = '\0';
+	if (strcmp(buf1, buf2)) {
+		printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n",
+				"%4$*1$d %2$s %3$*1$.*1$f", l1, buf1, l2, buf2);
+		fail++;
+	}
+
+	for (x = 0; ss_fmt[x] ; x++) {
+		for (y = 0; ss_nums[y] != 0 ; y++) {
+			buf1[0] = buf2[0] = '\0';
+			l1 = snprintf(buf1, sizeof(buf1), ss_fmt[x], ss_nums[y]);
+			l2 = sprintf (buf2, ss_fmt[x], ss_nums[y]);
+			buf1[1023] = buf2[1023] = '\0';
+			if (strcmp (buf1, buf2) || (l1 != l2)) {
+				printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n", 
+				       ss_fmt[x], l1, buf1, l2, buf2);
+				fail++;
+			}
+			num++;
+		}
+	}
+#if 0
+	buf1[0] = buf2[0] = '\0';
+	l1 = snprintf(buf1, sizeof(buf1), "%lld", (LLONG)1234567890);
+	l2 = sprintf(buf2, "%lld", (LLONG)1234567890);
+	buf1[1023] = buf2[1023] = '\0';
+	if (strcmp(buf1, buf2)) {
+		printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n",
+				"%lld", l1, buf1, l2, buf2);
+		fail++;
+	}
+
+	buf1[0] = buf2[0] = '\0';
+	l1 = snprintf(buf1, sizeof(buf1), "%Lf", (LDOUBLE)890.1234567890123);
+	l2 = sprintf(buf2, "%Lf", (LDOUBLE)890.1234567890123);
+	buf1[1023] = buf2[1023] = '\0';
+	if (strcmp(buf1, buf2)) {
+		printf("snprintf doesn't match Format: %s\n\tsnprintf(%d) = [%s]\n\t sprintf(%d) = [%s]\n",
+				"%Lf", l1, buf1, l2, buf2);
+		fail++;
+	}
+#endif
+	printf ("%d tests failed out of %d.\n", fail, num);
+
+	printf("seeing how many digits we support\n");
+	{
+		double v0 = 0.12345678901234567890123456789012345678901;
+		for (x=0; x<100; x++) {
+			double p = pow(10, x); 
+			double r = v0*p;
+			snprintf(buf1, sizeof(buf1), "%1.1f", r);
+			sprintf(buf2,                "%1.1f", r);
+			if (strcmp(buf1, buf2)) {
+				printf("we seem to support %d digits\n", x-1);
+				break;
+			}
+		}
+	}
+
+	return 0;
+}
+#endif /* TEST_SNPRINTF */
diff --git a/source3/lib/replace/socket.c b/source3/lib/replace/socket.c
new file mode 100644
index 0000000000..35e975fce7
--- /dev/null
+++ b/source3/lib/replace/socket.c
@@ -0,0 +1,35 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Dummy replacements for socket functions.
+ *
+ * Copyright (C) Michael Adam <obnox@samba.org> 2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+int rep_connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+struct hostent *rep_gethostbyname(const char *name)
+{
+	errno = ENOSYS;
+	return NULL;
+}
diff --git a/source3/lib/replace/socketpair.c b/source3/lib/replace/socketpair.c
new file mode 100644
index 0000000000..c775730952
--- /dev/null
+++ b/source3/lib/replace/socketpair.c
@@ -0,0 +1,46 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * replacement routines for broken systems
+ * Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2006
+ * Copyright (C) Michael Adam <obnox@samba.org> 2008
+ *
+ *  ** NOTE! The following LGPL license applies to the replace
+ *  ** library. This does NOT imply that all of Samba is released
+ *  ** under the LGPL
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "replace.h"
+#include "system/network.h"
+
+int rep_socketpair(int d, int type, int protocol, int sv[2])
+{
+	if (d != AF_UNIX) {
+		errno = EAFNOSUPPORT;
+		return -1;
+	}
+
+	if (protocol != 0) {
+		errno = EPROTONOSUPPORT;
+		return -1;
+	}
+
+	if (type != SOCK_STREAM) {
+		errno = EOPNOTSUPP;
+		return -1;
+	}
+
+	return pipe(sv);
+}
diff --git a/source3/lib/replace/strptime.c b/source3/lib/replace/strptime.c
new file mode 100644
index 0000000000..0e40f7561a
--- /dev/null
+++ b/source3/lib/replace/strptime.c
@@ -0,0 +1,990 @@
+/* Convert a string representation of time to a time value.
+   Copyright (C) 1996, 1997, 1998, 1999, 2000 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+   Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public License as
+   published by the Free Software Foundation; either version 3 of the
+   License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Library General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; see the file COPYING.LIB.  If not, 
+   see <http://www.gnu.org/licenses/>.  */
+
+/* XXX This version of the implementation is not really complete.
+   Some of the fields cannot add information alone.  But if seeing
+   some of them in the same format (such as year, week and weekday)
+   this is enough information for determining the date.  */
+
+#include "replace.h"
+#include "system/locale.h"
+#include "system/time.h"
+
+#ifndef __P
+# if defined (__GNUC__) || (defined (__STDC__) && __STDC__)
+#  define __P(args) args
+# else
+#  define __P(args) ()
+# endif  /* GCC.  */
+#endif  /* Not __P.  */
+
+#if ! HAVE_LOCALTIME_R && ! defined localtime_r
+# ifdef _LIBC
+#  define localtime_r __localtime_r
+# else
+/* Approximate localtime_r as best we can in its absence.  */
+#  define localtime_r my_localtime_r
+static struct tm *localtime_r __P ((const time_t *, struct tm *));
+static struct tm *
+localtime_r (t, tp)
+     const time_t *t;
+     struct tm *tp;
+{
+  struct tm *l = localtime (t);
+  if (! l)
+    return 0;
+  *tp = *l;
+  return tp;
+}
+# endif /* ! _LIBC */
+#endif /* ! HAVE_LOCALTIME_R && ! defined (localtime_r) */
+
+
+#define match_char(ch1, ch2) if (ch1 != ch2) return NULL
+#if defined __GNUC__ && __GNUC__ >= 2
+# define match_string(cs1, s2) \
+  ({ size_t len = strlen (cs1);						      \
+     int result = strncasecmp ((cs1), (s2), len) == 0;			      \
+     if (result) (s2) += len;						      \
+     result; })
+#else
+/* Oh come on.  Get a reasonable compiler.  */
+# define match_string(cs1, s2) \
+  (strncasecmp ((cs1), (s2), strlen (cs1)) ? 0 : ((s2) += strlen (cs1), 1))
+#endif
+/* We intentionally do not use isdigit() for testing because this will
+   lead to problems with the wide character version.  */
+#define get_number(from, to, n) \
+  do {									      \
+    int __n = n;							      \
+    val = 0;								      \
+    while (*rp == ' ')							      \
+      ++rp;								      \
+    if (*rp < '0' || *rp > '9')						      \
+      return NULL;							      \
+    do {								      \
+      val *= 10;							      \
+      val += *rp++ - '0';						      \
+    } while (--__n > 0 && val * 10 <= to && *rp >= '0' && *rp <= '9');	      \
+    if (val < from || val > to)						      \
+      return NULL;							      \
+  } while (0)
+#ifdef _NL_CURRENT
+# define get_alt_number(from, to, n) \
+  ({									      \
+    __label__ do_normal;						      \
+    if (*decided != raw)						      \
+      {									      \
+	const char *alts = _NL_CURRENT (LC_TIME, ALT_DIGITS);		      \
+	int __n = n;							      \
+	int any = 0;							      \
+	while (*rp == ' ')						      \
+	  ++rp;								      \
+	val = 0;							      \
+	do {								      \
+	  val *= 10;							      \
+	  while (*alts != '\0')						      \
+	    {								      \
+	      size_t len = strlen (alts);				      \
+	      if (strncasecmp (alts, rp, len) == 0)			      \
+	        break;							      \
+	      alts += len + 1;						      \
+	      ++val;							      \
+	    }								      \
+	  if (*alts == '\0')						      \
+	    {								      \
+	      if (*decided == not && ! any)				      \
+		goto do_normal;						      \
+	      /* If we haven't read anything it's an error.  */		      \
+	      if (! any)						      \
+		return NULL;						      \
+	      /* Correct the premature multiplication.  */		      \
+	      val /= 10;						      \
+	      break;							      \
+	    }								      \
+	  else								      \
+	    *decided = loc;						      \
+	} while (--__n > 0 && val * 10 <= to);				      \
+	if (val < from || val > to)					      \
+	  return NULL;							      \
+      }									      \
+    else								      \
+      {									      \
+       do_normal:							      \
+        get_number (from, to, n);					      \
+      }									      \
+    0;									      \
+  })
+#else
+# define get_alt_number(from, to, n) \
+  /* We don't have the alternate representation.  */			      \
+  get_number(from, to, n)
+#endif
+#define recursive(new_fmt) \
+  (*(new_fmt) != '\0'							      \
+   && (rp = strptime_internal (rp, (new_fmt), tm, decided, era_cnt)) != NULL)
+
+
+#ifdef _LIBC
+/* This is defined in locale/C-time.c in the GNU libc.  */
+extern const struct locale_data _nl_C_LC_TIME;
+extern const unsigned short int __mon_yday[2][13];
+
+# define weekday_name (&_nl_C_LC_TIME.values[_NL_ITEM_INDEX (DAY_1)].string)
+# define ab_weekday_name \
+  (&_nl_C_LC_TIME.values[_NL_ITEM_INDEX (ABDAY_1)].string)
+# define month_name (&_nl_C_LC_TIME.values[_NL_ITEM_INDEX (MON_1)].string)
+# define ab_month_name (&_nl_C_LC_TIME.values[_NL_ITEM_INDEX (ABMON_1)].string)
+# define HERE_D_T_FMT (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (D_T_FMT)].string)
+# define HERE_D_FMT (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (D_FMT)].string)
+# define HERE_AM_STR (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (AM_STR)].string)
+# define HERE_PM_STR (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (PM_STR)].string)
+# define HERE_T_FMT_AMPM \
+  (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (T_FMT_AMPM)].string)
+# define HERE_T_FMT (_nl_C_LC_TIME.values[_NL_ITEM_INDEX (T_FMT)].string)
+
+# define strncasecmp(s1, s2, n) __strncasecmp (s1, s2, n)
+#else
+static char const weekday_name[][10] =
+  {
+    "Sunday", "Monday", "Tuesday", "Wednesday",
+    "Thursday", "Friday", "Saturday"
+  };
+static char const ab_weekday_name[][4] =
+  {
+    "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
+  };
+static char const month_name[][10] =
+  {
+    "January", "February", "March", "April", "May", "June",
+    "July", "August", "September", "October", "November", "December"
+  };
+static char const ab_month_name[][4] =
+  {
+    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+  };
+# define HERE_D_T_FMT "%a %b %e %H:%M:%S %Y"
+# define HERE_D_FMT "%m/%d/%y"
+# define HERE_AM_STR "AM"
+# define HERE_PM_STR "PM"
+# define HERE_T_FMT_AMPM "%I:%M:%S %p"
+# define HERE_T_FMT "%H:%M:%S"
+
+static const unsigned short int __mon_yday[2][13] =
+  {
+    /* Normal years.  */
+    { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365 },
+    /* Leap years.  */
+    { 0, 31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366 }
+  };
+#endif
+
+/* Status of lookup: do we use the locale data or the raw data?  */
+enum locale_status { not, loc, raw };
+
+
+#ifndef __isleap
+/* Nonzero if YEAR is a leap year (every 4 years,
+   except every 100th isn't, and every 400th is).  */
+# define __isleap(year)	\
+  ((year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0))
+#endif
+
+/* Compute the day of the week.  */
+static void
+day_of_the_week (struct tm *tm)
+{
+  /* We know that January 1st 1970 was a Thursday (= 4).  Compute the
+     the difference between this data in the one on TM and so determine
+     the weekday.  */
+  int corr_year = 1900 + tm->tm_year - (tm->tm_mon < 2);
+  int wday = (-473
+	      + (365 * (tm->tm_year - 70))
+	      + (corr_year / 4)
+	      - ((corr_year / 4) / 25) + ((corr_year / 4) % 25 < 0)
+	      + (((corr_year / 4) / 25) / 4)
+	      + __mon_yday[0][tm->tm_mon]
+	      + tm->tm_mday - 1);
+  tm->tm_wday = ((wday % 7) + 7) % 7;
+}
+
+/* Compute the day of the year.  */
+static void
+day_of_the_year (struct tm *tm)
+{
+  tm->tm_yday = (__mon_yday[__isleap (1900 + tm->tm_year)][tm->tm_mon]
+		 + (tm->tm_mday - 1));
+}
+
+static char *
+#ifdef _LIBC
+internal_function
+#endif
+strptime_internal __P ((const char *rp, const char *fmt, struct tm *tm,
+			enum locale_status *decided, int era_cnt));
+
+static char *
+#ifdef _LIBC
+internal_function
+#endif
+strptime_internal (rp, fmt, tm, decided, era_cnt)
+     const char *rp;
+     const char *fmt;
+     struct tm *tm;
+     enum locale_status *decided;
+     int era_cnt;
+{
+  const char *rp_backup;
+  int cnt;
+  size_t val;
+  int have_I, is_pm;
+  int century, want_century;
+  int want_era;
+  int have_wday, want_xday;
+  int have_yday;
+  int have_mon, have_mday;
+#ifdef _NL_CURRENT
+  size_t num_eras;
+#endif
+  struct era_entry *era;
+
+  have_I = is_pm = 0;
+  century = -1;
+  want_century = 0;
+  want_era = 0;
+  era = NULL;
+
+  have_wday = want_xday = have_yday = have_mon = have_mday = 0;
+
+  while (*fmt != '\0')
+    {
+      /* A white space in the format string matches 0 more or white
+	 space in the input string.  */
+      if (isspace (*fmt))
+	{
+	  while (isspace (*rp))
+	    ++rp;
+	  ++fmt;
+	  continue;
+	}
+
+      /* Any character but `%' must be matched by the same character
+	 in the iput string.  */
+      if (*fmt != '%')
+	{
+	  match_char (*fmt++, *rp++);
+	  continue;
+	}
+
+      ++fmt;
+#ifndef _NL_CURRENT
+      /* We need this for handling the `E' modifier.  */
+    start_over:
+#endif
+
+      /* Make back up of current processing pointer.  */
+      rp_backup = rp;
+
+      switch (*fmt++)
+	{
+	case '%':
+	  /* Match the `%' character itself.  */
+	  match_char ('%', *rp++);
+	  break;
+	case 'a':
+	case 'A':
+	  /* Match day of week.  */
+	  for (cnt = 0; cnt < 7; ++cnt)
+	    {
+#ifdef _NL_CURRENT
+	      if (*decided !=raw)
+		{
+		  if (match_string (_NL_CURRENT (LC_TIME, DAY_1 + cnt), rp))
+		    {
+		      if (*decided == not
+			  && strcmp (_NL_CURRENT (LC_TIME, DAY_1 + cnt),
+				     weekday_name[cnt]))
+			*decided = loc;
+		      break;
+		    }
+		  if (match_string (_NL_CURRENT (LC_TIME, ABDAY_1 + cnt), rp))
+		    {
+		      if (*decided == not
+			  && strcmp (_NL_CURRENT (LC_TIME, ABDAY_1 + cnt),
+				     ab_weekday_name[cnt]))
+			*decided = loc;
+		      break;
+		    }
+		}
+#endif
+	      if (*decided != loc
+		  && (match_string (weekday_name[cnt], rp)
+		      || match_string (ab_weekday_name[cnt], rp)))
+		{
+		  *decided = raw;
+		  break;
+		}
+	    }
+	  if (cnt == 7)
+	    /* Does not match a weekday name.  */
+	    return NULL;
+	  tm->tm_wday = cnt;
+	  have_wday = 1;
+	  break;
+	case 'b':
+	case 'B':
+	case 'h':
+	  /* Match month name.  */
+	  for (cnt = 0; cnt < 12; ++cnt)
+	    {
+#ifdef _NL_CURRENT
+	      if (*decided !=raw)
+		{
+		  if (match_string (_NL_CURRENT (LC_TIME, MON_1 + cnt), rp))
+		    {
+		      if (*decided == not
+			  && strcmp (_NL_CURRENT (LC_TIME, MON_1 + cnt),
+				     month_name[cnt]))
+			*decided = loc;
+		      break;
+		    }
+		  if (match_string (_NL_CURRENT (LC_TIME, ABMON_1 + cnt), rp))
+		    {
+		      if (*decided == not
+			  && strcmp (_NL_CURRENT (LC_TIME, ABMON_1 + cnt),
+				     ab_month_name[cnt]))
+			*decided = loc;
+		      break;
+		    }
+		}
+#endif
+	      if (match_string (month_name[cnt], rp)
+		  || match_string (ab_month_name[cnt], rp))
+		{
+		  *decided = raw;
+		  break;
+		}
+	    }
+	  if (cnt == 12)
+	    /* Does not match a month name.  */
+	    return NULL;
+	  tm->tm_mon = cnt;
+	  want_xday = 1;
+	  break;
+	case 'c':
+	  /* Match locale's date and time format.  */
+#ifdef _NL_CURRENT
+	  if (*decided != raw)
+	    {
+	      if (!recursive (_NL_CURRENT (LC_TIME, D_T_FMT)))
+		{
+		  if (*decided == loc)
+		    return NULL;
+		  else
+		    rp = rp_backup;
+		}
+	      else
+		{
+		  if (*decided == not &&
+		      strcmp (_NL_CURRENT (LC_TIME, D_T_FMT), HERE_D_T_FMT))
+		    *decided = loc;
+		  want_xday = 1;
+		  break;
+		}
+	      *decided = raw;
+	    }
+#endif
+	  if (!recursive (HERE_D_T_FMT))
+	    return NULL;
+	  want_xday = 1;
+	  break;
+	case 'C':
+	  /* Match century number.  */
+#ifdef _NL_CURRENT
+	match_century:
+#endif
+	  get_number (0, 99, 2);
+	  century = val;
+	  want_xday = 1;
+	  break;
+	case 'd':
+	case 'e':
+	  /* Match day of month.  */
+	  get_number (1, 31, 2);
+	  tm->tm_mday = val;
+	  have_mday = 1;
+	  want_xday = 1;
+	  break;
+	case 'F':
+	  if (!recursive ("%Y-%m-%d"))
+	    return NULL;
+	  want_xday = 1;
+	  break;
+	case 'x':
+#ifdef _NL_CURRENT
+	  if (*decided != raw)
+	    {
+	      if (!recursive (_NL_CURRENT (LC_TIME, D_FMT)))
+		{
+		  if (*decided == loc)
+		    return NULL;
+		  else
+		    rp = rp_backup;
+		}
+	      else
+		{
+		  if (*decided == not
+		      && strcmp (_NL_CURRENT (LC_TIME, D_FMT), HERE_D_FMT))
+		    *decided = loc;
+		  want_xday = 1;
+		  break;
+		}
+	      *decided = raw;
+	    }
+#endif
+	  /* Fall through.  */
+	case 'D':
+	  /* Match standard day format.  */
+	  if (!recursive (HERE_D_FMT))
+	    return NULL;
+	  want_xday = 1;
+	  break;
+	case 'k':
+	case 'H':
+	  /* Match hour in 24-hour clock.  */
+	  get_number (0, 23, 2);
+	  tm->tm_hour = val;
+	  have_I = 0;
+	  break;
+	case 'I':
+	  /* Match hour in 12-hour clock.  */
+	  get_number (1, 12, 2);
+	  tm->tm_hour = val % 12;
+	  have_I = 1;
+	  break;
+	case 'j':
+	  /* Match day number of year.  */
+	  get_number (1, 366, 3);
+	  tm->tm_yday = val - 1;
+	  have_yday = 1;
+	  break;
+	case 'm':
+	  /* Match number of month.  */
+	  get_number (1, 12, 2);
+	  tm->tm_mon = val - 1;
+	  have_mon = 1;
+	  want_xday = 1;
+	  break;
+	case 'M':
+	  /* Match minute.  */
+	  get_number (0, 59, 2);
+	  tm->tm_min = val;
+	  break;
+	case 'n':
+	case 't':
+	  /* Match any white space.  */
+	  while (isspace (*rp))
+	    ++rp;
+	  break;
+	case 'p':
+	  /* Match locale's equivalent of AM/PM.  */
+#ifdef _NL_CURRENT
+	  if (*decided != raw)
+	    {
+	      if (match_string (_NL_CURRENT (LC_TIME, AM_STR), rp))
+		{
+		  if (strcmp (_NL_CURRENT (LC_TIME, AM_STR), HERE_AM_STR))
+		    *decided = loc;
+		  break;
+		}
+	      if (match_string (_NL_CURRENT (LC_TIME, PM_STR), rp))
+		{
+		  if (strcmp (_NL_CURRENT (LC_TIME, PM_STR), HERE_PM_STR))
+		    *decided = loc;
+		  is_pm = 1;
+		  break;
+		}
+	      *decided = raw;
+	    }
+#endif
+	  if (!match_string (HERE_AM_STR, rp)) {
+	    if (match_string (HERE_PM_STR, rp)) {
+	      is_pm = 1;
+	    } else {
+	      return NULL;
+	    }
+	  }
+	  break;
+	case 'r':
+#ifdef _NL_CURRENT
+	  if (*decided != raw)
+	    {
+	      if (!recursive (_NL_CURRENT (LC_TIME, T_FMT_AMPM)))
+		{
+		  if (*decided == loc)
+		    return NULL;
+		  else
+		    rp = rp_backup;
+		}
+	      else
+		{
+		  if (*decided == not &&
+		      strcmp (_NL_CURRENT (LC_TIME, T_FMT_AMPM),
+			      HERE_T_FMT_AMPM))
+		    *decided = loc;
+		  break;
+		}
+	      *decided = raw;
+	    }
+#endif
+	  if (!recursive (HERE_T_FMT_AMPM))
+	    return NULL;
+	  break;
+	case 'R':
+	  if (!recursive ("%H:%M"))
+	    return NULL;
+	  break;
+	case 's':
+	  {
+	    /* The number of seconds may be very high so we cannot use
+	       the `get_number' macro.  Instead read the number
+	       character for character and construct the result while
+	       doing this.  */
+	    time_t secs = 0;
+	    if (*rp < '0' || *rp > '9')
+	      /* We need at least one digit.  */
+	      return NULL;
+
+	    do
+	      {
+		secs *= 10;
+		secs += *rp++ - '0';
+	      }
+	    while (*rp >= '0' && *rp <= '9');
+
+	    if (localtime_r (&secs, tm) == NULL)
+	      /* Error in function.  */
+	      return NULL;
+	  }
+	  break;
+	case 'S':
+	  get_number (0, 61, 2);
+	  tm->tm_sec = val;
+	  break;
+	case 'X':
+#ifdef _NL_CURRENT
+	  if (*decided != raw)
+	    {
+	      if (!recursive (_NL_CURRENT (LC_TIME, T_FMT)))
+		{
+		  if (*decided == loc)
+		    return NULL;
+		  else
+		    rp = rp_backup;
+		}
+	      else
+		{
+		  if (strcmp (_NL_CURRENT (LC_TIME, T_FMT), HERE_T_FMT))
+		    *decided = loc;
+		  break;
+		}
+	      *decided = raw;
+	    }
+#endif
+	  /* Fall through.  */
+	case 'T':
+	  if (!recursive (HERE_T_FMT))
+	    return NULL;
+	  break;
+	case 'u':
+	  get_number (1, 7, 1);
+	  tm->tm_wday = val % 7;
+	  have_wday = 1;
+	  break;
+	case 'g':
+	  get_number (0, 99, 2);
+	  /* XXX This cannot determine any field in TM.  */
+	  break;
+	case 'G':
+	  if (*rp < '0' || *rp > '9')
+	    return NULL;
+	  /* XXX Ignore the number since we would need some more
+	     information to compute a real date.  */
+	  do
+	    ++rp;
+	  while (*rp >= '0' && *rp <= '9');
+	  break;
+	case 'U':
+	case 'V':
+	case 'W':
+	  get_number (0, 53, 2);
+	  /* XXX This cannot determine any field in TM without some
+	     information.  */
+	  break;
+	case 'w':
+	  /* Match number of weekday.  */
+	  get_number (0, 6, 1);
+	  tm->tm_wday = val;
+	  have_wday = 1;
+	  break;
+	case 'y':
+#ifdef _NL_CURRENT
+	match_year_in_century:
+#endif
+	  /* Match year within century.  */
+	  get_number (0, 99, 2);
+	  /* The "Year 2000: The Millennium Rollover" paper suggests that
+	     values in the range 69-99 refer to the twentieth century.  */
+	  tm->tm_year = val >= 69 ? val : val + 100;
+	  /* Indicate that we want to use the century, if specified.  */
+	  want_century = 1;
+	  want_xday = 1;
+	  break;
+	case 'Y':
+	  /* Match year including century number.  */
+	  get_number (0, 9999, 4);
+	  tm->tm_year = val - 1900;
+	  want_century = 0;
+	  want_xday = 1;
+	  break;
+	case 'Z':
+	  /* XXX How to handle this?  */
+	  break;
+	case 'E':
+#ifdef _NL_CURRENT
+	  switch (*fmt++)
+	    {
+	    case 'c':
+	      /* Match locale's alternate date and time format.  */
+	      if (*decided != raw)
+		{
+		  const char *fmt = _NL_CURRENT (LC_TIME, ERA_D_T_FMT);
+
+		  if (*fmt == '\0')
+		    fmt = _NL_CURRENT (LC_TIME, D_T_FMT);
+
+		  if (!recursive (fmt))
+		    {
+		      if (*decided == loc)
+			return NULL;
+		      else
+			rp = rp_backup;
+		    }
+		  else
+		    {
+		      if (strcmp (fmt, HERE_D_T_FMT))
+			*decided = loc;
+		      want_xday = 1;
+		      break;
+		    }
+		  *decided = raw;
+		}
+	      /* The C locale has no era information, so use the
+		 normal representation.  */
+	      if (!recursive (HERE_D_T_FMT))
+		return NULL;
+	      want_xday = 1;
+	      break;
+	    case 'C':
+	      if (*decided != raw)
+		{
+		  if (era_cnt >= 0)
+		    {
+		      era = _nl_select_era_entry (era_cnt);
+		      if (match_string (era->era_name, rp))
+			{
+			  *decided = loc;
+			  break;
+			}
+		      else
+			return NULL;
+		    }
+		  else
+		    {
+		      num_eras = _NL_CURRENT_WORD (LC_TIME,
+						   _NL_TIME_ERA_NUM_ENTRIES);
+		      for (era_cnt = 0; era_cnt < (int) num_eras;
+			   ++era_cnt, rp = rp_backup)
+			{
+			  era = _nl_select_era_entry (era_cnt);
+			  if (match_string (era->era_name, rp))
+			    {
+			      *decided = loc;
+			      break;
+			    }
+			}
+		      if (era_cnt == (int) num_eras)
+			{
+			  era_cnt = -1;
+			  if (*decided == loc)
+			    return NULL;
+			}
+		      else
+			break;
+		    }
+
+		  *decided = raw;
+		}
+	      /* The C locale has no era information, so use the
+		 normal representation.  */
+	      goto match_century;
+ 	    case 'y':
+	      if (*decided == raw)
+		goto match_year_in_century;
+
+	      get_number(0, 9999, 4);
+	      tm->tm_year = val;
+	      want_era = 1;
+	      want_xday = 1;
+	      break;
+	    case 'Y':
+	      if (*decided != raw)
+		{
+		  num_eras = _NL_CURRENT_WORD (LC_TIME,
+					       _NL_TIME_ERA_NUM_ENTRIES);
+		  for (era_cnt = 0; era_cnt < (int) num_eras;
+		       ++era_cnt, rp = rp_backup)
+		    {
+		      era = _nl_select_era_entry (era_cnt);
+		      if (recursive (era->era_format))
+			break;
+		    }
+		  if (era_cnt == (int) num_eras)
+		    {
+		      era_cnt = -1;
+		      if (*decided == loc)
+			return NULL;
+		      else
+			rp = rp_backup;
+		    }
+		  else
+		    {
+		      *decided = loc;
+		      era_cnt = -1;
+		      break;
+		    }
+
+		  *decided = raw;
+		}
+	      get_number (0, 9999, 4);
+	      tm->tm_year = val - 1900;
+	      want_century = 0;
+	      want_xday = 1;
+	      break;
+	    case 'x':
+	      if (*decided != raw)
+		{
+		  const char *fmt = _NL_CURRENT (LC_TIME, ERA_D_FMT);
+
+		  if (*fmt == '\0')
+		    fmt = _NL_CURRENT (LC_TIME, D_FMT);
+
+		  if (!recursive (fmt))
+		    {
+		      if (*decided == loc)
+			return NULL;
+		      else
+			rp = rp_backup;
+		    }
+		  else
+		    {
+		      if (strcmp (fmt, HERE_D_FMT))
+			*decided = loc;
+		      break;
+		    }
+		  *decided = raw;
+		}
+	      if (!recursive (HERE_D_FMT))
+		return NULL;
+	      break;
+	    case 'X':
+	      if (*decided != raw)
+		{
+		  const char *fmt = _NL_CURRENT (LC_TIME, ERA_T_FMT);
+
+		  if (*fmt == '\0')
+		    fmt = _NL_CURRENT (LC_TIME, T_FMT);
+
+		  if (!recursive (fmt))
+		    {
+		      if (*decided == loc)
+			return NULL;
+		      else
+			rp = rp_backup;
+		    }
+		  else
+		    {
+		      if (strcmp (fmt, HERE_T_FMT))
+			*decided = loc;
+		      break;
+		    }
+		  *decided = raw;
+		}
+	      if (!recursive (HERE_T_FMT))
+		return NULL;
+	      break;
+	    default:
+	      return NULL;
+	    }
+	  break;
+#else
+	  /* We have no information about the era format.  Just use
+	     the normal format.  */
+	  if (*fmt != 'c' && *fmt != 'C' && *fmt != 'y' && *fmt != 'Y'
+	      && *fmt != 'x' && *fmt != 'X')
+	    /* This is an illegal format.  */
+	    return NULL;
+
+	  goto start_over;
+#endif
+	case 'O':
+	  switch (*fmt++)
+	    {
+	    case 'd':
+	    case 'e':
+	      /* Match day of month using alternate numeric symbols.  */
+	      get_alt_number (1, 31, 2);
+	      tm->tm_mday = val;
+	      have_mday = 1;
+	      want_xday = 1;
+	      break;
+	    case 'H':
+	      /* Match hour in 24-hour clock using alternate numeric
+		 symbols.  */
+	      get_alt_number (0, 23, 2);
+	      tm->tm_hour = val;
+	      have_I = 0;
+	      break;
+	    case 'I':
+	      /* Match hour in 12-hour clock using alternate numeric
+		 symbols.  */
+	      get_alt_number (1, 12, 2);
+	      tm->tm_hour = val - 1;
+	      have_I = 1;
+	      break;
+	    case 'm':
+	      /* Match month using alternate numeric symbols.  */
+	      get_alt_number (1, 12, 2);
+	      tm->tm_mon = val - 1;
+	      have_mon = 1;
+	      want_xday = 1;
+	      break;
+	    case 'M':
+	      /* Match minutes using alternate numeric symbols.  */
+	      get_alt_number (0, 59, 2);
+	      tm->tm_min = val;
+	      break;
+	    case 'S':
+	      /* Match seconds using alternate numeric symbols.  */
+	      get_alt_number (0, 61, 2);
+	      tm->tm_sec = val;
+	      break;
+	    case 'U':
+	    case 'V':
+	    case 'W':
+	      get_alt_number (0, 53, 2);
+	      /* XXX This cannot determine any field in TM without
+		 further information.  */
+	      break;
+	    case 'w':
+	      /* Match number of weekday using alternate numeric symbols.  */
+	      get_alt_number (0, 6, 1);
+	      tm->tm_wday = val;
+	      have_wday = 1;
+	      break;
+	    case 'y':
+	      /* Match year within century using alternate numeric symbols.  */
+	      get_alt_number (0, 99, 2);
+	      tm->tm_year = val >= 69 ? val : val + 100;
+	      want_xday = 1;
+	      break;
+	    default:
+	      return NULL;
+	    }
+	  break;
+	default:
+	  return NULL;
+	}
+    }
+
+  if (have_I && is_pm)
+    tm->tm_hour += 12;
+
+  if (century != -1)
+    {
+      if (want_century)
+	tm->tm_year = tm->tm_year % 100 + (century - 19) * 100;
+      else
+	/* Only the century, but not the year.  Strange, but so be it.  */
+	tm->tm_year = (century - 19) * 100;
+    }
+
+#ifdef _NL_CURRENT
+  if (era_cnt != -1)
+    {
+      era = _nl_select_era_entry(era_cnt);
+      if (want_era)
+	tm->tm_year = (era->start_date[0]
+		       + ((tm->tm_year - era->offset)
+			  * era->absolute_direction));
+      else
+	/* Era start year assumed.  */
+	tm->tm_year = era->start_date[0];
+    }
+  else
+#endif
+    if (want_era)
+      return NULL;
+
+  if (want_xday && !have_wday)
+    {
+      if ( !(have_mon && have_mday) && have_yday)
+	{
+	  /* We don't have tm_mon and/or tm_mday, compute them.  */
+	  int t_mon = 0;
+	  while (__mon_yday[__isleap(1900 + tm->tm_year)][t_mon] <= tm->tm_yday)
+	      t_mon++;
+	  if (!have_mon)
+	      tm->tm_mon = t_mon - 1;
+	  if (!have_mday)
+	      tm->tm_mday =
+		(tm->tm_yday
+		 - __mon_yday[__isleap(1900 + tm->tm_year)][t_mon - 1] + 1);
+	}
+      day_of_the_week (tm);
+    }
+  if (want_xday && !have_yday)
+    day_of_the_year (tm);
+
+  return discard_const_p(char, rp);
+}
+
+
+char *rep_strptime(const char *buf, const char *format, struct tm *tm)
+{
+  enum locale_status decided;
+
+#ifdef _NL_CURRENT
+  decided = not;
+#else
+  decided = raw;
+#endif
+  return strptime_internal (buf, format, tm, &decided, -1);
+}
diff --git a/source3/lib/replace/strptime.m4 b/source3/lib/replace/strptime.m4
new file mode 100644
index 0000000000..da22fc5a97
--- /dev/null
+++ b/source3/lib/replace/strptime.m4
@@ -0,0 +1,13 @@
+AC_CACHE_CHECK([whether strptime is available and works],libreplace_cv_STRPTIME_OK,[
+	AC_TRY_RUN([
+		#define LIBREPLACE_CONFIGURE_TEST_STRPTIME
+		#include "$libreplacedir/test/strptime.c"
+		],
+		[libreplace_cv_STRPTIME_OK=yes],
+		[libreplace_cv_STRPTIME_OK=no],
+		[libreplace_cv_STRPTIME_OK="assuming not"])
+])
+if test x"$libreplace_cv_STRPTIME_OK" != x"yes"; then
+        AC_DEFINE(REPLACE_STRPTIME,1,[Whether strptime should be replaced])
+        LIBREPLACEOBJ="${LIBREPLACEOBJ} strptime.o"
+fi
diff --git a/source3/lib/replace/system/README b/source3/lib/replace/system/README
new file mode 100644
index 0000000000..69a2b80b56
--- /dev/null
+++ b/source3/lib/replace/system/README
@@ -0,0 +1,4 @@
+This directory contains wrappers around logical groups of system
+include files. The idea is to avoid #ifdef blocks in the main code,
+and instead put all the necessary conditional includes in subsystem
+specific header files in this directory.
diff --git a/source3/lib/replace/system/aio.h b/source3/lib/replace/system/aio.h
new file mode 100644
index 0000000000..784d77fa28
--- /dev/null
+++ b/source3/lib/replace/system/aio.h
@@ -0,0 +1,32 @@
+#ifndef _system_aio_h
+#define _system_aio_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   AIO system include wrappers
+
+   Copyright (C) Andrew Tridgell 2006
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifdef HAVE_LIBAIO_H
+#include <libaio.h>
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/capability.h b/source3/lib/replace/system/capability.h
new file mode 100644
index 0000000000..a7b78f0275
--- /dev/null
+++ b/source3/lib/replace/system/capability.h
@@ -0,0 +1,55 @@
+#ifndef _system_capability_h
+#define _system_capability_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   capability system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifdef HAVE_SYS_CAPABILITY_H
+
+#if defined(BROKEN_REDHAT_7_SYSTEM_HEADERS) && !defined(_I386_STATFS_H) && !defined(_PPC_STATFS_H)
+#define _I386_STATFS_H
+#define _PPC_STATFS_H
+#define BROKEN_REDHAT_7_STATFS_WORKAROUND
+#endif
+
+#if defined(BROKEN_RHEL5_SYS_CAP_HEADER) && !defined(_LINUX_TYPES_H)
+#define BROKEN_RHEL5_SYS_CAP_HEADER_WORKAROUND
+#endif
+
+#include <sys/capability.h>
+
+#ifdef BROKEN_RHEL5_SYS_CAP_HEADER_WORKAROUND
+#undef _LINUX_TYPES_H
+#undef BROKEN_RHEL5_SYS_CAP_HEADER_WORKAROUND
+#endif
+
+#ifdef BROKEN_REDHAT_7_STATFS_WORKAROUND
+#undef _PPC_STATFS_H
+#undef _I386_STATFS_H
+#undef BROKEN_REDHAT_7_STATFS_WORKAROUND
+#endif
+
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/config.m4 b/source3/lib/replace/system/config.m4
new file mode 100644
index 0000000000..5c9b53d5c5
--- /dev/null
+++ b/source3/lib/replace/system/config.m4
@@ -0,0 +1,130 @@
+# filesys
+AC_HEADER_DIRENT 
+AC_CHECK_HEADERS(fcntl.h sys/fcntl.h sys/resource.h sys/ioctl.h sys/mode.h sys/filio.h sys/fs/s5param.h sys/filsys.h)
+AC_CHECK_HEADERS(sys/acl.h acl/libacl.h)
+
+# select
+AC_CHECK_HEADERS(sys/select.h)
+
+# time
+AC_CHECK_HEADERS(sys/time.h utime.h)
+AC_HEADER_TIME
+AC_CHECK_FUNCS(utime utimes)
+
+# wait
+AC_HEADER_SYS_WAIT
+
+# capability
+AC_CHECK_HEADERS(sys/capability.h)
+
+case "$host_os" in
+*linux*)
+AC_CACHE_CHECK([for broken RedHat 7.2 system header files],libreplace_cv_BROKEN_REDHAT_7_SYSTEM_HEADERS,[
+AC_TRY_COMPILE([
+	#ifdef HAVE_SYS_VFS_H
+	#include <sys/vfs.h>
+	#endif
+	#ifdef HAVE_SYS_CAPABILITY_H
+	#include <sys/capability.h>
+	#endif
+	],[
+	int i;
+	],
+	libreplace_cv_BROKEN_REDHAT_7_SYSTEM_HEADERS=no,
+	libreplace_cv_BROKEN_REDHAT_7_SYSTEM_HEADERS=yes
+)])
+if test x"$libreplace_cv_BROKEN_REDHAT_7_SYSTEM_HEADERS" = x"yes"; then
+	AC_DEFINE(BROKEN_REDHAT_7_SYSTEM_HEADERS,1,[Broken RedHat 7.2 system header files])
+fi
+
+AC_CACHE_CHECK([for broken RHEL5 sys/capability.h],libreplace_cv_BROKEN_RHEL5_SYS_CAP_HEADER,[
+AC_TRY_COMPILE([
+	#ifdef HAVE_SYS_CAPABILITY_H
+	#include <sys/capability.h>
+	#endif
+	#include <linux/types.h>
+	],[
+	__s8 i;
+	],
+	libreplace_cv_BROKEN_RHEL5_SYS_CAP_HEADER=no,
+	libreplace_cv_BROKEN_RHEL5_SYS_CAP_HEADER=yes
+)])
+if test x"$libreplace_cv_BROKEN_RHEL5_SYS_CAP_HEADER" = x"yes"; then
+	AC_DEFINE(BROKEN_RHEL5_SYS_CAP_HEADER,1,[Broken RHEL5 sys/capability.h])
+fi
+;;
+esac
+
+# passwd
+AC_CHECK_HEADERS(grp.h sys/id.h compat.h shadow.h sys/priv.h pwd.h sys/security.h)
+AC_CHECK_FUNCS(getpwnam_r getpwuid_r getpwent_r)
+AC_HAVE_DECL(getpwent_r, [
+	#include <unistd.h>
+	#include <pwd.h>
+	])
+AC_VERIFY_C_PROTOTYPE([struct passwd *getpwent_r(struct passwd *src, char *buf, int buflen)],
+	[
+	#ifndef HAVE_GETPWENT_R_DECL
+	#error missing getpwent_r prototype
+	#endif
+	return NULL;
+	],[
+	AC_DEFINE(SOLARIS_GETPWENT_R, 1, [getpwent_r solaris function prototype])
+	],[],[
+	#include <unistd.h>
+	#include <pwd.h>
+	])
+AC_VERIFY_C_PROTOTYPE([struct passwd *getpwent_r(struct passwd *src, char *buf, size_t buflen)],
+	[
+	#ifndef HAVE_GETPWENT_R_DECL
+	#error missing getpwent_r prototype
+	#endif
+	return NULL;
+	],[
+	AC_DEFINE(SOLARIS_GETPWENT_R, 1, [getpwent_r irix (similar to solaris) function prototype])
+	],[],[
+	#include <unistd.h>
+	#include <pwd.h>
+	])
+AC_CHECK_FUNCS(getgrnam_r getgrgid_r getgrent_r)
+AC_HAVE_DECL(getgrent_r, [
+	#include <unistd.h>
+	#include <grp.h>
+	])
+AC_VERIFY_C_PROTOTYPE([struct group *getgrent_r(struct group *src, char *buf, int buflen)],
+	[
+	#ifndef HAVE_GETGRENT_R_DECL
+	#error missing getgrent_r prototype
+	#endif
+	return NULL;
+	],[
+	AC_DEFINE(SOLARIS_GETGRENT_R, 1, [getgrent_r solaris function prototype])
+	],[],[
+	#include <unistd.h>
+	#include <grp.h>
+	])
+
+AC_VERIFY_C_PROTOTYPE([struct group *getgrent_r(struct group *src, char *buf, size_t buflen)],
+	[
+	#ifndef HAVE_GETGRENT_R_DECL
+	#error missing getgrent_r prototype
+	#endif
+	return NULL;
+	],[
+	AC_DEFINE(SOLARIS_GETGRENT_R, 1, [getgrent_r irix (similar to solaris)  function prototype])
+	],[],[
+	#include <unistd.h>
+	#include <grp.h>
+	])
+
+# locale
+AC_CHECK_HEADERS(ctype.h locale.h)
+
+# glob
+AC_CHECK_HEADERS(fnmatch.h)
+
+# shmem
+AC_CHECK_HEADERS(sys/ipc.h sys/mman.h sys/shm.h )
+
+# terminal
+AC_CHECK_HEADERS(termios.h termio.h sys/termio.h )
diff --git a/source3/lib/replace/system/dir.h b/source3/lib/replace/system/dir.h
new file mode 100644
index 0000000000..dec2d54649
--- /dev/null
+++ b/source3/lib/replace/system/dir.h
@@ -0,0 +1,67 @@
+#ifndef _system_dir_h
+#define _system_dir_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   directory system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#if HAVE_DIRENT_H
+# include <dirent.h>
+# define NAMLEN(dirent) strlen((dirent)->d_name)
+#else
+# define dirent direct
+# define NAMLEN(dirent) (dirent)->d_namlen
+# if HAVE_SYS_NDIR_H
+#  include <sys/ndir.h>
+# endif
+# if HAVE_SYS_DIR_H
+#  include <sys/dir.h>
+# endif
+# if HAVE_NDIR_H
+#  include <ndir.h>
+# endif
+#endif
+
+#ifndef HAVE_MKDIR_MODE
+#define mkdir(dir, mode) mkdir(dir)
+#endif
+
+/* Test whether a file name is the "." or ".." directory entries.
+ * These really should be inline functions.
+ */
+#ifndef ISDOT
+#define ISDOT(path) ( \
+			*((const char *)(path)) == '.' && \
+			*(((const char *)(path)) + 1) == '\0' \
+		    )
+#endif
+
+#ifndef ISDOTDOT
+#define ISDOTDOT(path)	( \
+			    *((const char *)(path)) == '.' && \
+			    *(((const char *)(path)) + 1) == '.' && \
+			    *(((const char *)(path)) + 2) == '\0' \
+			)
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/filesys.h b/source3/lib/replace/system/filesys.h
new file mode 100644
index 0000000000..4bf1f64865
--- /dev/null
+++ b/source3/lib/replace/system/filesys.h
@@ -0,0 +1,182 @@
+#ifndef _system_filesys_h
+#define _system_filesys_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   filesystem system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#include <unistd.h>
+#include <sys/stat.h>
+
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+
+#ifdef HAVE_SYS_MOUNT_H
+#include <sys/mount.h>
+#endif
+
+#ifdef HAVE_MNTENT_H
+#include <mntent.h>
+#endif
+
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif
+
+#ifdef HAVE_SYS_ACL_H
+#include <sys/acl.h>
+#endif
+
+#ifdef HAVE_ACL_LIBACL_H
+#include <acl/libacl.h>
+#endif
+
+#ifdef HAVE_SYS_FS_S5PARAM_H 
+#include <sys/fs/s5param.h>
+#endif
+
+#if defined (HAVE_SYS_FILSYS_H) && !defined (_CRAY)
+#include <sys/filsys.h> 
+#endif
+
+#ifdef HAVE_SYS_STATFS_H
+# include <sys/statfs.h>
+#endif
+
+#ifdef HAVE_DUSTAT_H              
+#include <sys/dustat.h>
+#endif
+
+#ifdef HAVE_SYS_STATVFS_H          
+#include <sys/statvfs.h>
+#endif
+
+#ifdef HAVE_SYS_FILIO_H
+#include <sys/filio.h>
+#endif
+
+#include <sys/file.h>
+
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#else
+#ifdef HAVE_SYS_FCNTL_H
+#include <sys/fcntl.h>
+#endif
+#endif
+
+#ifdef HAVE_SYS_MODE_H
+/* apparently AIX needs this for S_ISLNK */
+#ifndef S_ISLNK
+#include <sys/mode.h>
+#endif
+#endif
+
+#ifdef HAVE_SYS_IOCTL_H
+#include <sys/ioctl.h>
+#endif
+
+/*
+ * Veritas File System.  Often in addition to native.
+ * Quotas different.
+ */
+#if defined(HAVE_SYS_FS_VX_QUOTA_H)
+#define VXFS_QUOTA
+#endif
+
+#if HAVE_SYS_ATTRIBUTES_H
+#include <sys/attributes.h>
+#endif
+
+/* mutually exclusive (SuSE 8.2) */
+#if HAVE_ATTR_XATTR_H
+#include <attr/xattr.h>
+#elif HAVE_SYS_XATTR_H
+#include <sys/xattr.h>
+#endif
+
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+/* Some POSIX definitions for those without */
+ 
+#ifndef S_IFDIR
+#define S_IFDIR         0x4000
+#endif
+#ifndef S_ISDIR
+#define S_ISDIR(mode)   ((mode & 0xF000) == S_IFDIR)
+#endif
+#ifndef S_IRWXU
+#define S_IRWXU 00700           /* read, write, execute: owner */
+#endif
+#ifndef S_IRUSR
+#define S_IRUSR 00400           /* read permission: owner */
+#endif
+#ifndef S_IWUSR
+#define S_IWUSR 00200           /* write permission: owner */
+#endif
+#ifndef S_IXUSR
+#define S_IXUSR 00100           /* execute permission: owner */
+#endif
+#ifndef S_IRWXG
+#define S_IRWXG 00070           /* read, write, execute: group */
+#endif
+#ifndef S_IRGRP
+#define S_IRGRP 00040           /* read permission: group */
+#endif
+#ifndef S_IWGRP
+#define S_IWGRP 00020           /* write permission: group */
+#endif
+#ifndef S_IXGRP
+#define S_IXGRP 00010           /* execute permission: group */
+#endif
+#ifndef S_IRWXO
+#define S_IRWXO 00007           /* read, write, execute: other */
+#endif
+#ifndef S_IROTH
+#define S_IROTH 00004           /* read permission: other */
+#endif
+#ifndef S_IWOTH
+#define S_IWOTH 00002           /* write permission: other */
+#endif
+#ifndef S_IXOTH
+#define S_IXOTH 00001           /* execute permission: other */
+#endif
+
+#ifndef O_ACCMODE
+#define O_ACCMODE (O_RDONLY | O_WRONLY | O_RDWR)
+#endif
+
+#ifndef MAXPATHLEN
+#define MAXPATHLEN 256
+#endif
+
+#ifndef SEEK_SET
+#define SEEK_SET 0
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/glob.h b/source3/lib/replace/system/glob.h
new file mode 100644
index 0000000000..3e23db6828
--- /dev/null
+++ b/source3/lib/replace/system/glob.h
@@ -0,0 +1,37 @@
+#ifndef _system_glob_h
+#define _system_glob_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   glob system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_GLOB_H
+#include <glob.h>
+#endif
+
+#ifdef HAVE_FNMATCH_H
+#include <fnmatch.h>
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/iconv.h b/source3/lib/replace/system/iconv.h
new file mode 100644
index 0000000000..3c8a71f2f7
--- /dev/null
+++ b/source3/lib/replace/system/iconv.h
@@ -0,0 +1,57 @@
+#ifndef _system_iconv_h
+#define _system_iconv_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   iconv memory system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#if !defined(HAVE_ICONV) && defined(HAVE_ICONV_H)
+#define HAVE_ICONV
+#endif
+
+#if !defined(HAVE_GICONV) && defined(HAVE_GICONV_H)
+#define HAVE_GICONV
+#endif
+
+#if !defined(HAVE_BICONV) && defined(HAVE_BICONV_H)
+#define HAVE_BICONV
+#endif
+
+#ifdef HAVE_NATIVE_ICONV
+#if defined(HAVE_ICONV)
+#include <iconv.h>
+#elif defined(HAVE_GICONV)
+#include <giconv.h>
+#elif defined(HAVE_BICONV)
+#include <biconv.h>
+#endif
+#endif /* HAVE_NATIVE_ICONV */
+
+/* needed for some systems without iconv. Doesn't really matter
+   what error code we use */
+#ifndef EILSEQ
+#define EILSEQ EIO
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/kerberos.h b/source3/lib/replace/system/kerberos.h
new file mode 100644
index 0000000000..2981024bee
--- /dev/null
+++ b/source3/lib/replace/system/kerberos.h
@@ -0,0 +1,137 @@
+#ifndef _system_kerberos_h
+#define _system_kerberos_h
+
+/* 
+   Unix SMB/CIFS implementation.
+
+   kerberos system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_KRB5
+/* Whether the krb5_address struct has a addrtype property */
+/* #undef HAVE_ADDRTYPE_IN_KRB5_ADDRESS */
+/* Whether the krb5_address struct has a addr_type property */
+#define HAVE_ADDR_TYPE_IN_KRB5_ADDRESS 1
+/* Define to 1 if you have the `gsskrb5_extract_authz_data_from_sec_context' */
+#define HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT 1
+/* Define to 1 if you have the `gsskrb5_get_initiator_subkey' function. */
+#define HAVE_GSSKRB5_GET_INITIATOR_SUBKEY 1
+/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function. */
+#define HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY 1
+/* Define to 1 if you have the `gss_krb5_ccache_name' function. */
+#define HAVE_GSS_KRB5_CCACHE_NAME 1
+/* Define to 1 if you have the `krb5_addlog_func' function. */
+#define HAVE_KRB5_ADDLOG_FUNC 1
+/* Define to 1 if you have the `krb5_auth_con_setkey' function. */
+#define HAVE_KRB5_AUTH_CON_SETKEY 1
+/* Define to 1 if you have the `krb5_auth_con_setuseruserkey' function. */
+/* #undef HAVE_KRB5_AUTH_CON_SETUSERUSERKEY */
+/* Define to 1 if you have the `krb5_c_enctype_compare' function. */
+#define HAVE_KRB5_C_ENCTYPE_COMPARE 1
+/* Define to 1 if you have the `krb5_c_verify_checksum' function. */
+#define HAVE_KRB5_C_VERIFY_CHECKSUM 1
+/* Whether the type krb5_encrypt_block exists */
+/* #undef HAVE_KRB5_ENCRYPT_BLOCK */
+/* Define to 1 if you have the `krb5_encrypt_data' function. */
+/* #undef HAVE_KRB5_ENCRYPT_DATA */
+/* Define to 1 if you have the `krb5_enctypes_compatible_keys' function. */
+#define HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS 1
+/* Define to 1 if you have the `krb5_free_data_contents' function. */
+#define HAVE_KRB5_FREE_DATA_CONTENTS 1
+/* Define to 1 if you have the `krb5_free_error_string' function. */
+#define HAVE_KRB5_FREE_ERROR_STRING 1
+/* Define to 1 if you have the `krb5_free_keytab_entry_contents' function. */
+/* #undef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS */
+/* Define to 1 if you have the `krb5_free_ktypes' function. */
+/* #undef HAVE_KRB5_FREE_KTYPES */
+/* Define to 1 if you have the `krb5_free_unparsed_name' function. */
+/* #undef HAVE_KRB5_FREE_UNPARSED_NAME */
+/* Define to 1 if you have the `krb5_get_default_in_tkt_etypes' function. */
+#define HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES 1
+/* Define to 1 if you have the `krb5_get_error_string' function. */
+#define HAVE_KRB5_GET_ERROR_STRING 1
+/* Define to 1 if you have the `krb5_get_permitted_enctypes' function. */
+/* #undef HAVE_KRB5_GET_PERMITTED_ENCTYPES */
+/* Define to 1 if you have the `krb5_get_pw_salt' function. */
+#define HAVE_KRB5_GET_PW_SALT 1
+/* Define to 1 if you have the <krb5.h> header file. */
+#define HAVE_KRB5_H 1
+/* Define to 1 if you have the `krb5_initlog' function. */
+#define HAVE_KRB5_INITLOG 1
+/* Define to 1 if you have the `krb5_kdc_default_config' function. */
+#define HAVE_KRB5_KDC_DEFAULT_CONFIG 1
+/* Whether the krb5_creds struct has a keyblock property */
+/* #undef HAVE_KRB5_KEYBLOCK_IN_CREDS */
+/* Whether the krb5_keyblock struct has a keyvalue property */
+#define HAVE_KRB5_KEYBLOCK_KEYVALUE 1
+/* Whether krb5_keytab_entry has key member */
+/* #undef HAVE_KRB5_KEYTAB_ENTRY_KEY */
+/* Whether krb5_keytab_entry has keyblock member */
+#define HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK 1
+/* Define to 1 if you have the `krb5_krbhst_get_addrinfo' function. */
+#define HAVE_KRB5_KRBHST_GET_ADDRINFO 1
+/* Define to 1 if you have the `krb5_kt_compare' function. */
+#define HAVE_KRB5_KT_COMPARE 1
+/* Define to 1 if you have the `krb5_kt_free_entry' function. */
+#define HAVE_KRB5_KT_FREE_ENTRY 1
+/* Whether the type krb5_log_facility exists */
+#define HAVE_KRB5_LOG_FACILITY 1
+/* Define to 1 if you have the `krb5_mk_req_extended' function. */
+#define HAVE_KRB5_MK_REQ_EXTENDED 1
+/* Define to 1 if you have the `krb5_principal2salt' function. */
+/* #undef HAVE_KRB5_PRINCIPAL2SALT */
+/* Define to 1 if you have the `krb5_principal_get_comp_string' function. */
+#define HAVE_KRB5_PRINCIPAL_GET_COMP_STRING 1
+/* Whether krb5_princ_component is available */
+/* #undef HAVE_KRB5_PRINC_COMPONENT */
+/* Whether the krb5_creds struct has a session property */
+#define HAVE_KRB5_SESSION_IN_CREDS 1
+/* Define to 1 if you have the `krb5_set_default_in_tkt_etypes' function. */
+#define HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES 1
+/* Define to 1 if you have the `krb5_set_default_tgs_ktypes' function. */
+/* #undef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
+/* Define to 1 if you have the `krb5_set_real_time' function. */
+#define HAVE_KRB5_SET_REAL_TIME 1
+/* Define to 1 if you have the `krb5_set_warn_dest' function. */
+#define HAVE_KRB5_SET_WARN_DEST 1
+/* Define to 1 if you have the `krb5_string_to_key' function. */
+#define HAVE_KRB5_STRING_TO_KEY 1
+/* Define to 1 if you have the `krb5_string_to_key_salt' function. */
+#define HAVE_KRB5_STRING_TO_KEY_SALT 1
+/* Define to 1 if you have the `krb5_ticket_get_authorization_data_type' */
+#define HAVE_KRB5_TICKET_GET_AUTHORIZATION_DATA_TYPE 1
+/* Whether the krb5_ticket struct has a enc_part2 property */
+/* #undef HAVE_KRB5_TKT_ENC_PART2 */
+/* Define to 1 if you have the `krb5_use_enctype' function. */
+/* #undef HAVE_KRB5_USE_ENCTYPE */
+/* Define to 1 if you have the `krb5_verify_checksum' function. */
+#define HAVE_KRB5_VERIFY_CHECKSUM 1
+/* Whether krb5_princ_realm returns krb5_realm or krb5_data */
+#define KRB5_PRINC_REALM_RETURNS_REALM 1
+
+#include <krb5.h>
+#include <com_err.h>
+
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/locale.h b/source3/lib/replace/system/locale.h
new file mode 100644
index 0000000000..e73a9bb274
--- /dev/null
+++ b/source3/lib/replace/system/locale.h
@@ -0,0 +1,38 @@
+#ifndef _system_locale_h
+#define _system_locale_h
+
+/* 
+   Unix SMB/CIFS implementation.
+
+   locale include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_CTYPE_H
+#include <ctype.h>
+#endif
+
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/network.h b/source3/lib/replace/system/network.h
new file mode 100644
index 0000000000..077892a54e
--- /dev/null
+++ b/source3/lib/replace/system/network.h
@@ -0,0 +1,332 @@
+#ifndef _system_network_h
+#define _system_network_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   networking system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Jelmer Vernooij 2007
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifndef LIBREPLACE_NETWORK_CHECKS
+#error "AC_LIBREPLACE_NETWORK_CHECKS missing in configure"
+#endif
+
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#ifdef HAVE_UNIXSOCKET
+#include <sys/un.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+
+/*
+ * The next three defines are needed to access the IPTOS_* options
+ * on some systems.
+ */
+
+#ifdef HAVE_NETINET_IN_SYSTM_H
+#include <netinet/in_systm.h>
+#endif
+
+#ifdef HAVE_NETINET_IN_IP_H
+#include <netinet/in_ip.h>
+#endif
+
+#ifdef HAVE_NETINET_IP_H
+#include <netinet/ip.h>
+#endif
+
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_IOCTL_H
+#include <sys/ioctl.h>
+#endif
+
+#ifdef HAVE_STROPTS_H
+#include <stropts.h>
+#endif
+
+#ifndef HAVE_SOCKLEN_T
+#define HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
+#if !defined (HAVE_INET_NTOA) || defined(REPLACE_INET_NTOA)
+/* define is in "replace.h" */
+char *rep_inet_ntoa(struct in_addr ip);
+#endif
+
+#ifndef HAVE_INET_PTON
+/* define is in "replace.h" */
+int rep_inet_pton(int af, const char *src, void *dst);
+#endif
+
+#ifndef HAVE_INET_NTOP
+/* define is in "replace.h" */
+const char *rep_inet_ntop(int af, const void *src, char *dst, socklen_t size);
+#endif
+
+#ifndef HAVE_INET_ATON
+/* define is in "replace.h" */
+int rep_inet_aton(const char *src, struct in_addr *dst);
+#endif
+
+#ifndef HAVE_CONNECT
+/* define is in "replace.h" */
+int rep_connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+#endif
+
+#ifndef HAVE_GETHOSTBYNAME
+/* define is in "replace.h" */
+struct hostent *rep_gethostbyname(const char *name);
+#endif
+
+#ifdef HAVE_IFADDRS_H
+#include <ifaddrs.h>
+#endif
+
+#ifndef HAVE_STRUCT_IFADDRS
+struct ifaddrs {
+	struct ifaddrs   *ifa_next;         /* Pointer to next struct */
+	char             *ifa_name;         /* Interface name */
+	unsigned int     ifa_flags;         /* Interface flags */
+	struct sockaddr  *ifa_addr;         /* Interface address */
+	struct sockaddr  *ifa_netmask;      /* Interface netmask */
+#undef ifa_dstaddr
+	struct sockaddr  *ifa_dstaddr;      /* P2P interface destination */
+	void             *ifa_data;         /* Address specific data */
+};
+#endif
+
+#ifndef HAVE_GETIFADDRS
+int rep_getifaddrs(struct ifaddrs **);
+#endif
+
+#ifndef HAVE_FREEIFADDRS
+void rep_freeifaddrs(struct ifaddrs *);
+#endif
+
+#ifndef HAVE_SOCKETPAIR
+/* define is in "replace.h" */
+int rep_socketpair(int d, int type, int protocol, int sv[2]);
+#endif
+
+/*
+ * Some systems have getaddrinfo but not the
+ * defines needed to use it.
+ */
+
+/* Various macros that ought to be in <netdb.h>, but might not be */
+
+#ifndef EAI_FAIL
+#define EAI_BADFLAGS	(-1)
+#define EAI_NONAME	(-2)
+#define EAI_AGAIN	(-3)
+#define EAI_FAIL	(-4)
+#define EAI_FAMILY	(-6)
+#define EAI_SOCKTYPE	(-7)
+#define EAI_SERVICE	(-8)
+#define EAI_MEMORY	(-10)
+#define EAI_SYSTEM	(-11)
+#endif   /* !EAI_FAIL */
+
+#ifndef AI_PASSIVE
+#define AI_PASSIVE	0x0001
+#endif
+
+#ifndef AI_CANONNAME
+#define AI_CANONNAME	0x0002
+#endif
+
+#ifndef AI_NUMERICHOST
+/*
+ * some platforms don't support AI_NUMERICHOST; define as zero if using
+ * the system version of getaddrinfo...
+ */
+#if defined(HAVE_STRUCT_ADDRINFO) && defined(HAVE_GETADDRINFO)
+#define AI_NUMERICHOST	0
+#else
+#define AI_NUMERICHOST	0x0004
+#endif
+#endif
+
+#ifndef AI_ADDRCONFIG
+/*
+ * logic copied from AI_NUMERICHOST
+ */
+#if defined(HAVE_STRUCT_ADDRINFO) && defined(HAVE_GETADDRINFO)
+#define AI_ADDRCONFIG	0
+#else
+#define AI_ADDRCONFIG	0x0020
+#endif
+#endif
+
+#ifndef AI_NUMERICSERV
+/*
+ * logic copied from AI_NUMERICHOST
+ */
+#if defined(HAVE_STRUCT_ADDRINFO) && defined(HAVE_GETADDRINFO)
+#define AI_NUMERICSERV	0
+#else
+#define AI_NUMERICSERV	0x0400
+#endif
+#endif
+
+#ifndef NI_NUMERICHOST
+#define NI_NUMERICHOST	1
+#endif
+
+#ifndef NI_NUMERICSERV
+#define NI_NUMERICSERV	2
+#endif
+
+#ifndef NI_NOFQDN
+#define NI_NOFQDN	4
+#endif
+
+#ifndef NI_NAMEREQD
+#define NI_NAMEREQD 	8
+#endif
+
+#ifndef NI_DGRAM
+#define NI_DGRAM	16
+#endif
+
+
+#ifndef NI_MAXHOST
+#define NI_MAXHOST	1025
+#endif
+
+#ifndef NI_MAXSERV
+#define NI_MAXSERV	32
+#endif
+
+/*
+ * glibc on linux doesn't seem to have MSG_WAITALL
+ * defined. I think the kernel has it though..
+ */
+#ifndef MSG_WAITALL
+#define MSG_WAITALL 0
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001
+#endif
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+#ifndef EAFNOSUPPORT
+#define EAFNOSUPPORT EINVAL
+#endif
+
+#ifndef INET_ADDRSTRLEN
+#define INET_ADDRSTRLEN 16
+#endif
+
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif
+
+#ifndef HOST_NAME_MAX
+#define HOST_NAME_MAX 256
+#endif
+
+#ifndef HAVE_SA_FAMILY_T
+#define HAVE_SA_FAMILY_T
+typedef unsigned short int sa_family_t;
+#endif
+
+#ifndef HAVE_STRUCT_SOCKADDR_STORAGE
+#define HAVE_STRUCT_SOCKADDR_STORAGE
+#ifdef HAVE_STRUCT_SOCKADDR_IN6
+#define sockaddr_storage sockaddr_in6
+#define ss_family sin6_family
+#define HAVE_SS_FAMILY 1
+#else
+#define sockaddr_storage sockaddr_in
+#define ss_family sin_family
+#define HAVE_SS_FAMILY 1
+#endif
+#endif
+
+#ifndef HAVE_SS_FAMILY
+#ifdef HAVE___SS_FAMILY
+#define ss_family __ss_family
+#define HAVE_SS_FAMILY 1
+#endif
+#endif
+
+#ifndef HAVE_STRUCT_ADDRINFO
+#define HAVE_STRUCT_ADDRINFO
+struct addrinfo {
+	int			ai_flags;
+	int			ai_family;
+	int			ai_socktype;
+	int			ai_protocol;
+	socklen_t		ai_addrlen;
+	struct sockaddr 	*ai_addr;
+	char			*ai_canonname;
+	struct addrinfo		*ai_next;
+};
+#endif   /* HAVE_STRUCT_ADDRINFO */
+
+#if !defined(HAVE_GETADDRINFO)
+#include "getaddrinfo.h"
+#endif
+
+/* Needed for some systems that don't define it (Solaris). */
+#ifndef ifr_netmask
+#define ifr_netmask ifr_addr
+#endif
+
+#ifdef SOCKET_WRAPPER
+#ifndef SOCKET_WRAPPER_NOT_REPLACE
+#define SOCKET_WRAPPER_REPLACE
+#endif
+#include "lib/socket_wrapper/socket_wrapper.h"
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/passwd.h b/source3/lib/replace/system/passwd.h
new file mode 100644
index 0000000000..cad3197ccb
--- /dev/null
+++ b/source3/lib/replace/system/passwd.h
@@ -0,0 +1,110 @@
+#ifndef _system_passwd_h
+#define _system_passwd_h
+
+/* 
+   Unix SMB/CIFS implementation.
+
+   passwd system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+/* this needs to be included before nss_wrapper.h on some systems */
+#include <unistd.h>
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYS_PRIV_H
+#include <sys/priv.h>
+#endif
+#ifdef HAVE_SYS_ID_H
+#include <sys/id.h>
+#endif
+
+#ifdef HAVE_CRYPT_H
+#include <crypt.h>
+#endif
+
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+#ifdef HAVE_SYS_SECURITY_H
+#include <sys/security.h>
+#include <prot.h>
+#define PASSWORD_LENGTH 16
+#endif  /* HAVE_SYS_SECURITY_H */
+
+#ifdef HAVE_GETPWANAM
+#include <sys/label.h>
+#include <sys/audit.h>
+#include <pwdadj.h>
+#endif
+
+#ifdef HAVE_COMPAT_H
+#include <compat.h>
+#endif
+
+#ifdef REPLACE_GETPASS
+#if defined(REPLACE_GETPASS_BY_GETPASSPHRASE)
+#define getpass(prompt) getpassphrase(prompt)
+#else
+#define getpass(prompt) rep_getpass(prompt)
+char *rep_getpass(const char *prompt);
+#endif
+#endif
+
+#ifndef NGROUPS_MAX
+#define NGROUPS_MAX 32 /* Guess... */
+#endif
+
+/* what is the longest significant password available on your system? 
+ Knowing this speeds up password searches a lot */
+#ifndef PASSWORD_LENGTH
+#define PASSWORD_LENGTH 8
+#endif
+
+#if defined(HAVE_PUTPRPWNAM) && defined(AUTH_CLEARTEXT_SEG_CHARS)
+#define OSF1_ENH_SEC 1
+#endif
+
+#ifndef ALLOW_CHANGE_PASSWORD
+#if (defined(HAVE_TERMIOS_H) && defined(HAVE_DUP2) && defined(HAVE_SETSID))
+#define ALLOW_CHANGE_PASSWORD 1
+#endif
+#endif
+
+#if defined(HAVE_CRYPT16) && defined(HAVE_GETAUTHUID)
+#define ULTRIX_AUTH 1
+#endif
+
+#ifdef NSS_WRAPPER
+#ifndef NSS_WRAPPER_NOT_REPLACE
+#define NSS_WRAPPER_REPLACE
+#endif
+#include "lib/nss_wrapper/nss_wrapper.h"
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/readline.h b/source3/lib/replace/system/readline.h
new file mode 100644
index 0000000000..ba34dc6a61
--- /dev/null
+++ b/source3/lib/replace/system/readline.h
@@ -0,0 +1,52 @@
+#ifndef _system_readline_h
+#define _system_readline_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   Readline wrappers
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_LIBREADLINE
+#  ifdef HAVE_READLINE_READLINE_H
+#    include <readline/readline.h>
+#    ifdef HAVE_READLINE_HISTORY_H
+#      include <readline/history.h>
+#    endif
+#  else
+#    ifdef HAVE_READLINE_H
+#      include <readline.h>
+#      ifdef HAVE_HISTORY_H
+#        include <history.h>
+#      endif
+#    else
+#      undef HAVE_LIBREADLINE
+#    endif
+#  endif
+#endif
+
+#ifdef HAVE_NEW_LIBREADLINE
+#  define RL_COMPLETION_CAST (rl_completion_func_t *)
+#else
+/* This type is missing from libreadline<4.0  (approximately) */
+#  define RL_COMPLETION_CAST
+#endif /* HAVE_NEW_LIBREADLINE */
+
+#endif
diff --git a/source3/lib/replace/system/select.h b/source3/lib/replace/system/select.h
new file mode 100644
index 0000000000..da18de0cfc
--- /dev/null
+++ b/source3/lib/replace/system/select.h
@@ -0,0 +1,41 @@
+#ifndef _system_select_h
+#define _system_select_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   select system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
+#ifdef HAVE_SYS_EPOLL_H
+#include <sys/epoll.h>
+#endif
+
+#ifndef SELECT_CAST
+#define SELECT_CAST
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/shmem.h b/source3/lib/replace/system/shmem.h
new file mode 100644
index 0000000000..64fe39b6cb
--- /dev/null
+++ b/source3/lib/replace/system/shmem.h
@@ -0,0 +1,59 @@
+#ifndef _system_shmem_h
+#define _system_shmem_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   shared memory system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#if defined(HAVE_SYS_IPC_H)
+#include <sys/ipc.h>
+#endif /* HAVE_SYS_IPC_H */
+
+#if defined(HAVE_SYS_SHM_H)
+#include <sys/shm.h>
+#endif /* HAVE_SYS_SHM_H */
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+/* NetBSD doesn't have these */
+#ifndef SHM_R
+#define SHM_R 0400
+#endif
+
+#ifndef SHM_W
+#define SHM_W 0200
+#endif
+
+
+#ifndef MAP_FILE
+#define MAP_FILE 0
+#endif
+
+#ifndef MAP_FAILED
+#define MAP_FAILED ((void *)-1)
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/syslog.h b/source3/lib/replace/system/syslog.h
new file mode 100644
index 0000000000..104be1df84
--- /dev/null
+++ b/source3/lib/replace/system/syslog.h
@@ -0,0 +1,70 @@
+#ifndef _system_syslog_h
+#define _system_syslog_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   syslog system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#else
+#ifdef HAVE_SYS_SYSLOG_H
+#include <sys/syslog.h>
+#endif
+#endif
+
+/* For sys_adminlog(). */
+#ifndef LOG_EMERG
+#define LOG_EMERG       0       /* system is unusable */
+#endif
+
+#ifndef LOG_ALERT
+#define LOG_ALERT       1       /* action must be taken immediately */
+#endif
+
+#ifndef LOG_CRIT
+#define LOG_CRIT        2       /* critical conditions */
+#endif
+
+#ifndef LOG_ERR
+#define LOG_ERR         3       /* error conditions */
+#endif
+
+#ifndef LOG_WARNING
+#define LOG_WARNING     4       /* warning conditions */
+#endif
+
+#ifndef LOG_NOTICE
+#define LOG_NOTICE      5       /* normal but significant condition */
+#endif
+
+#ifndef LOG_INFO
+#define LOG_INFO        6       /* informational */
+#endif
+
+#ifndef LOG_DEBUG
+#define LOG_DEBUG       7       /* debug-level messages */
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/terminal.h b/source3/lib/replace/system/terminal.h
new file mode 100644
index 0000000000..9ad601ace0
--- /dev/null
+++ b/source3/lib/replace/system/terminal.h
@@ -0,0 +1,46 @@
+#ifndef _system_terminal_h
+#define _system_terminal_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   terminal system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef SUNOS4
+/* on SUNOS4 termios.h conflicts with sys/ioctl.h */
+#undef HAVE_TERMIOS_H
+#endif
+
+
+#if defined(HAVE_TERMIOS_H)
+/* POSIX terminal handling. */
+#include <termios.h>
+#elif defined(HAVE_TERMIO_H)
+/* Older SYSV terminal handling - don't use if we can avoid it. */
+#include <termio.h>
+#elif defined(HAVE_SYS_TERMIO_H)
+/* Older SYSV terminal handling - don't use if we can avoid it. */
+#include <sys/termio.h>
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/time.h b/source3/lib/replace/system/time.h
new file mode 100644
index 0000000000..4abf295d1a
--- /dev/null
+++ b/source3/lib/replace/system/time.h
@@ -0,0 +1,69 @@
+#ifndef _system_time_h
+#define _system_time_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   time system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+#ifdef HAVE_UTIME_H
+#include <utime.h>
+#else
+struct utimbuf {
+	time_t actime;       /* access time */
+	time_t modtime;      /* modification time */
+};
+#endif
+
+#ifndef HAVE_MKTIME
+/* define is in "replace.h" */
+time_t rep_mktime(struct tm *t);
+#endif
+
+#ifndef HAVE_TIMEGM
+/* define is in "replace.h" */
+time_t rep_timegm(struct tm *tm);
+#endif
+
+#ifndef HAVE_UTIME
+/* define is in "replace.h" */
+int rep_utime(const char *filename, const struct utimbuf *buf);
+#endif
+
+#ifndef HAVE_UTIMES
+/* define is in "replace.h" */
+int rep_utimes(const char *filename, const struct timeval tv[2]);
+#endif
+
+#endif
diff --git a/source3/lib/replace/system/wait.h b/source3/lib/replace/system/wait.h
new file mode 100644
index 0000000000..5784b1ae92
--- /dev/null
+++ b/source3/lib/replace/system/wait.h
@@ -0,0 +1,55 @@
+#ifndef _system_wait_h
+#define _system_wait_h
+/* 
+   Unix SMB/CIFS implementation.
+
+   waitpid system include wrappers
+
+   Copyright (C) Andrew Tridgell 2004
+
+     ** NOTE! The following LGPL license applies to the replace
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+#include <signal.h>
+
+#ifndef SIGCLD
+#define SIGCLD SIGCHLD
+#endif
+
+#ifndef SIGNAL_CAST
+#define SIGNAL_CAST (RETSIGTYPE (*)(int))
+#endif
+
+#ifdef HAVE_SETJMP_H
+#include <setjmp.h>
+#endif
+
+#ifndef SA_RESETHAND
+#define SA_RESETHAND SA_ONESHOT
+#endif
+
+#if !defined(HAVE_SIG_ATOMIC_T_TYPE)
+typedef int sig_atomic_t;
+#endif
+
+#endif
diff --git a/source3/lib/replace/test/getifaddrs.c b/source3/lib/replace/test/getifaddrs.c
new file mode 100644
index 0000000000..8b00ac2f40
--- /dev/null
+++ b/source3/lib/replace/test/getifaddrs.c
@@ -0,0 +1,100 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * libreplace getifaddrs test
+ *
+ * Copyright (C) Michael Adam <obnox@samba.org> 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef AUTOCONF_TEST
+#include "replace.h"
+#include "system/network.h"
+#endif
+
+#ifdef HAVE_INET_NTOP
+#define rep_inet_ntop inet_ntop
+#endif
+
+static const char *format_sockaddr(struct sockaddr *addr,
+				   char *addrstring,
+				   socklen_t addrlen)
+{
+	const char *result = NULL;
+
+	if (addr->sa_family == AF_INET) {
+		result = rep_inet_ntop(AF_INET,
+				       &((struct sockaddr_in *)addr)->sin_addr,
+				       addrstring,
+				       addrlen);
+#ifdef HAVE_STRUCT_SOCKADDR_IN6
+	} else if (addr->sa_family == AF_INET6) {
+		result = rep_inet_ntop(AF_INET6,
+				       &((struct sockaddr_in6 *)addr)->sin6_addr,
+				       addrstring,
+				       addrlen);
+#endif
+	}
+	return result;
+}
+
+int getifaddrs_test(void)
+{
+	struct ifaddrs *ifs = NULL;
+	struct ifaddrs *ifs_head = NULL;
+	int ret;
+
+	ret = getifaddrs(&ifs);
+	ifs_head = ifs;
+	if (ret != 0) {
+		fprintf(stderr, "getifaddrs() failed: %s\n", strerror(errno));
+		return 1;
+	}
+
+	while (ifs) {
+		printf("%-10s ", ifs->ifa_name);
+		if (ifs->ifa_addr != NULL) {
+			char addrstring[INET6_ADDRSTRLEN];
+			const char *result;
+
+			result = format_sockaddr(ifs->ifa_addr,
+						 addrstring,
+						 sizeof(addrstring));
+			if (result != NULL) {
+				printf("IP=%s ", addrstring);
+			}
+
+			if (ifs->ifa_netmask != NULL) {
+				result = format_sockaddr(ifs->ifa_netmask,
+							 addrstring,
+							 sizeof(addrstring));
+				if (result != NULL) {
+					printf("NETMASK=%s", addrstring);
+				}
+			} else {
+				printf("AF=%d ", ifs->ifa_addr->sa_family);
+			}
+		} else {
+			printf("<no address>");
+		}
+
+		printf("\n");
+		ifs = ifs->ifa_next;
+	}
+
+	freeifaddrs(ifs_head);
+
+	return 0;
+}
diff --git a/source3/lib/replace/test/os2_delete.c b/source3/lib/replace/test/os2_delete.c
new file mode 100644
index 0000000000..b45c135355
--- /dev/null
+++ b/source3/lib/replace/test/os2_delete.c
@@ -0,0 +1,124 @@
+/*
+  test readdir/unlink pattern that OS/2 uses
+  tridge@samba.org July 2005
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+
+#define NUM_FILES 700
+#define READDIR_SIZE 100
+#define DELETE_SIZE 4
+
+#define TESTDIR "test.dir"
+
+static int test_readdir_os2_delete_ret;
+
+#define FAILED(d) (printf("failure: readdir [\nFailed for %s - %d = %s\n]\n", d, errno, strerror(errno)), test_readdir_os2_delete_ret = 1, 1)
+
+#ifndef MIN
+#define MIN(a,b) ((a)<(b)?(a):(b))
+#endif
+
+static void cleanup(void)
+{
+	/* I'm a lazy bastard */
+	system("rm -rf " TESTDIR);
+	mkdir(TESTDIR, 0700) == 0 || FAILED("mkdir");
+}
+
+static void create_files(void)
+{
+	int i;
+	for (i=0;i<NUM_FILES;i++) {
+		char fname[40];
+		int fd;
+		sprintf(fname, TESTDIR "/test%u.txt", i);
+		fd = open(fname, O_CREAT|O_RDWR, 0600);
+		if (fd < 0) {
+			FAILED("open");
+		}
+		if (close(fd) != 0) {
+			FAILED("close");
+		}
+	}
+}
+
+static int os2_delete(DIR *d)
+{
+	off_t offsets[READDIR_SIZE];
+	int i, j;
+	struct dirent *de;
+	char names[READDIR_SIZE][30];
+
+	/* scan, remembering offsets */
+	for (i=0, de=readdir(d); 
+	     de && i < READDIR_SIZE; 
+	     de=readdir(d), i++) {
+		offsets[i] = telldir(d);
+		strcpy(names[i], de->d_name);
+	}
+
+	if (i == 0) {
+		return 0;
+	}
+
+	/* delete the first few */
+	for (j=0; j<MIN(i, DELETE_SIZE); j++) {
+		char fname[40];
+		sprintf(fname, TESTDIR "/%s", names[j]);
+		unlink(fname) == 0 || FAILED("unlink");
+	}
+
+	/* seek to just after the deletion */
+	seekdir(d, offsets[j-1]);
+
+	/* return number deleted */
+	return j;
+}
+
+int test_readdir_os2_delete(void)
+{
+	int total_deleted = 0;
+	DIR *d;
+	struct dirent *de;
+
+	test_readdir_os2_delete_ret = 0;
+
+	cleanup();
+	create_files();
+
+	d = opendir(TESTDIR "/test0.txt");
+	if (d != NULL) FAILED("opendir() on file succeed");
+	if (errno != ENOTDIR) FAILED("opendir() on file didn't give ENOTDIR");
+
+	d = opendir(TESTDIR);
+
+	/* skip past . and .. */
+	de = readdir(d);
+	strcmp(de->d_name, ".") == 0 || FAILED("match .");
+	de = readdir(d);
+	strcmp(de->d_name, "..") == 0 || FAILED("match ..");
+
+	while (1) {
+		int n = os2_delete(d);
+		if (n == 0) break;
+		total_deleted += n;
+	}
+	closedir(d);
+
+	fprintf(stderr, "Deleted %d files of %d\n", total_deleted, NUM_FILES);
+
+	rmdir(TESTDIR) == 0 || FAILED("rmdir");
+
+	system("rm -rf " TESTDIR);
+
+	return test_readdir_os2_delete_ret;
+}
diff --git a/source3/lib/replace/test/shared_mmap.c b/source3/lib/replace/test/shared_mmap.c
new file mode 100644
index 0000000000..50dad8d696
--- /dev/null
+++ b/source3/lib/replace/test/shared_mmap.c
@@ -0,0 +1,68 @@
+/* this tests whether we can use a shared writeable mmap on a file -
+   as needed for the mmap variant of FAST_SHARE_MODES */
+
+#if defined(HAVE_UNISTD_H)
+#include <unistd.h>
+#endif
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#define DATA "conftest.mmap"
+
+#ifndef MAP_FILE
+#define MAP_FILE 0
+#endif
+
+main()
+{
+	int *buf;
+	int i; 
+	int fd = open(DATA,O_RDWR|O_CREAT|O_TRUNC,0666);
+	int count=7;
+
+	if (fd == -1) exit(1);
+
+	for (i=0;i<10000;i++) {
+		write(fd,&i,sizeof(i));
+	}
+
+	close(fd);
+
+	if (fork() == 0) {
+		fd = open(DATA,O_RDWR);
+		if (fd == -1) exit(1);
+
+		buf = (int *)mmap(NULL, 10000*sizeof(int), 
+				   (PROT_READ | PROT_WRITE), 
+				   MAP_FILE | MAP_SHARED, 
+				   fd, 0);
+
+		while (count-- && buf[9124] != 55732) sleep(1);
+
+		if (count <= 0) exit(1);
+
+		buf[1763] = 7268;
+		exit(0);
+	}
+
+	fd = open(DATA,O_RDWR);
+	if (fd == -1) exit(1);
+
+	buf = (int *)mmap(NULL, 10000*sizeof(int), 
+			   (PROT_READ | PROT_WRITE), 
+			   MAP_FILE | MAP_SHARED, 
+			   fd, 0);
+
+	if (buf == (int *)-1) exit(1);
+
+	buf[9124] = 55732;
+
+	while (count-- && buf[1763] != 7268) sleep(1);
+
+	unlink(DATA);
+		
+	if (count > 0) exit(0);
+	exit(1);
+}
diff --git a/source3/lib/replace/test/strptime.c b/source3/lib/replace/test/strptime.c
new file mode 100644
index 0000000000..fade3ecc57
--- /dev/null
+++ b/source3/lib/replace/test/strptime.c
@@ -0,0 +1,172 @@
+
+#ifdef LIBREPLACE_CONFIGURE_TEST_STRPTIME
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+
+#define true 1
+#define false 0
+
+#ifndef __STRING
+#define __STRING(x)    #x
+#endif
+
+/* make printf a no-op */
+#define printf if(0) printf
+
+#else /* LIBREPLACE_CONFIGURE_TEST_STRPTIME */
+
+#include "replace.h"
+#include "system/time.h"
+
+#endif /* LIBREPLACE_CONFIGURE_TEST_STRPTIME */
+
+int libreplace_test_strptime(void)
+{
+	const char *s = "20070414101546Z";
+	char *ret;
+	struct tm t, t2;
+
+	memset(&t, 0, sizeof(t));
+	memset(&t2, 0, sizeof(t2));
+
+	printf("test: strptime\n");
+
+	ret = strptime(s, "%Y%m%d%H%M%S", &t);
+	if ( ret == NULL ) {
+		printf("failure: strptime [\n"
+		       "returned NULL\n"
+		       "]\n");
+		return false;
+	}
+
+	if ( *ret != 'Z' ) {
+		printf("failure: strptime [\n"
+		       "ret doesn't point to 'Z'\n"
+		       "]\n");
+		return false;
+	}
+
+	ret = strptime(s, "%Y%m%d%H%M%SZ", &t2);
+	if ( ret == NULL ) {
+		printf("failure: strptime [\n"
+		       "returned NULL with Z\n"
+		       "]\n");
+		return false;
+	}
+
+	if ( *ret != '\0' ) {
+		printf("failure: strptime [\n"
+		       "ret doesn't point to '\\0'\n"
+		       "]\n");
+		return false;
+	}
+
+#define CMP_TM_ELEMENT(t1,t2,elem) \
+	if (t1.elem != t2.elem) { \
+		printf("failure: strptime [\n" \
+		       "result differs if the format string has a 'Z' at the end\n" \
+		       "element: %s %d != %d\n" \
+		       "]\n", \
+		       __STRING(elen), t1.elem, t2.elem); \
+		return false; \
+	}
+
+	CMP_TM_ELEMENT(t,t2,tm_sec);
+	CMP_TM_ELEMENT(t,t2,tm_min);
+	CMP_TM_ELEMENT(t,t2,tm_hour);
+	CMP_TM_ELEMENT(t,t2,tm_mday);
+	CMP_TM_ELEMENT(t,t2,tm_mon);
+	CMP_TM_ELEMENT(t,t2,tm_year);
+	CMP_TM_ELEMENT(t,t2,tm_wday);
+	CMP_TM_ELEMENT(t,t2,tm_yday);
+	CMP_TM_ELEMENT(t,t2,tm_isdst);
+
+	if (t.tm_sec != 46) {
+		printf("failure: strptime [\n"
+		       "tm_sec: expected: 46, got: %d\n"
+		       "]\n",
+		       t.tm_sec);
+		return false;
+	}
+
+	if (t.tm_min != 15) {
+		printf("failure: strptime [\n"
+		       "tm_min: expected: 15, got: %d\n"
+		       "]\n",
+		       t.tm_min);
+		return false;
+	}
+
+	if (t.tm_hour != 10) {
+		printf("failure: strptime [\n"
+		       "tm_hour: expected: 10, got: %d\n"
+		       "]\n",
+		       t.tm_hour);
+		return false;
+	}
+
+	if (t.tm_mday != 14) {
+		printf("failure: strptime [\n"
+		       "tm_mday: expected: 14, got: %d\n"
+		       "]\n",
+		       t.tm_mday);
+		return false;
+	}
+
+	if (t.tm_mon != 3) {
+		printf("failure: strptime [\n"
+		       "tm_mon: expected: 3, got: %d\n"
+		       "]\n",
+		       t.tm_mon);
+		return false;
+	}
+
+	if (t.tm_year != 107) {
+		printf("failure: strptime [\n"
+		       "tm_year: expected: 107, got: %d\n"
+		       "]\n",
+		       t.tm_year);
+		return false;
+	}
+
+	if (t.tm_wday != 6) { /* saturday */
+		printf("failure: strptime [\n"
+		       "tm_wday: expected: 6, got: %d\n"
+		       "]\n",
+		       t.tm_wday);
+		return false;
+	}
+
+	if (t.tm_yday != 103) {
+		printf("failure: strptime [\n"
+		       "tm_yday: expected: 103, got: %d\n"
+		       "]\n",
+		       t.tm_yday);
+		return false;
+	}
+
+	/* we don't test this as it depends on the host configuration
+	if (t.tm_isdst != 0) {
+		printf("failure: strptime [\n"
+		       "tm_isdst: expected: 0, got: %d\n"
+		       "]\n",
+		       t.tm_isdst);
+		return false;
+	}*/
+
+	printf("success: strptime\n");
+
+	return true;
+}
+
+#ifdef LIBREPLACE_CONFIGURE_TEST_STRPTIME
+int main (void)
+{
+	int ret;
+	ret = libreplace_test_strptime();
+	if (ret == false) return 1;
+	return 0;
+}
+#endif
diff --git a/source3/lib/replace/test/testsuite.c b/source3/lib/replace/test/testsuite.c
new file mode 100644
index 0000000000..1e8290906e
--- /dev/null
+++ b/source3/lib/replace/test/testsuite.c
@@ -0,0 +1,1080 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   libreplace tests
+
+   Copyright (C) Jelmer Vernooij 2006
+
+     ** NOTE! The following LGPL license applies to the talloc
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+
+/*
+  we include all the system/ include files here so that libreplace tests
+  them in the build farm
+*/
+#include "system/capability.h"
+#include "system/dir.h"
+#include "system/filesys.h"
+#include "system/glob.h"
+#include "system/iconv.h"
+#include "system/locale.h"
+#include "system/network.h"
+#include "system/passwd.h"
+#include "system/readline.h"
+#include "system/select.h"
+#include "system/shmem.h"
+#include "system/syslog.h"
+#include "system/terminal.h"
+#include "system/time.h"
+#include "system/wait.h"
+#include "system/aio.h"
+
+#define TESTFILE "testfile.dat"
+
+/*
+  test ftruncate() function
+ */
+static int test_ftruncate(void)
+{
+	struct stat st;
+	int fd;
+	const int size = 1234;
+	printf("test: ftruncate\n");
+	unlink(TESTFILE);
+	fd = open(TESTFILE, O_RDWR|O_CREAT, 0600);
+	if (fd == -1) {
+		printf("failure: ftruncate [\n"
+			   "creating '%s' failed - %s\n]\n", TESTFILE, strerror(errno));
+		return false;
+	}
+	if (ftruncate(fd, size) != 0) {
+		printf("failure: ftruncate [\n%s\n]\n", strerror(errno));
+		return false;
+	}
+	if (fstat(fd, &st) != 0) {
+		printf("failure: ftruncate [\nfstat failed - %s\n]\n", strerror(errno));
+		return false;
+	}
+	if (st.st_size != size) {
+		printf("failure: ftruncate [\ngave wrong size %d - expected %d\n]\n",
+		       (int)st.st_size, size);
+		return false;
+	}
+	unlink(TESTFILE);
+	printf("success: ftruncate\n");
+	return true;
+}
+
+/*
+  test strlcpy() function.
+  see http://www.gratisoft.us/todd/papers/strlcpy.html
+ */
+static int test_strlcpy(void)
+{
+	char buf[4];
+	const struct {
+		const char *src;
+		size_t result;
+	} tests[] = {
+		{ "abc", 3 },
+		{ "abcdef", 6 },
+		{ "abcd", 4 },
+		{ "", 0 },
+		{ NULL, 0 }
+	};
+	int i;
+	printf("test: strlcpy\n");
+	for (i=0;tests[i].src;i++) {
+		if (strlcpy(buf, tests[i].src, sizeof(buf)) != tests[i].result) {
+			printf("failure: strlcpy [\ntest %d failed\n]\n", i);
+			return false;
+		}
+	}
+	printf("success: strlcpy\n");
+	return true;
+}
+
+static int test_strlcat(void)
+{
+	char tmp[10];
+	printf("test: strlcat\n");
+	strlcpy(tmp, "", sizeof(tmp));
+	if (strlcat(tmp, "bla", 3) != 3) {
+		printf("failure: strlcat [\ninvalid return code\n]\n");
+		return false;
+	}
+	if (strcmp(tmp, "bl") != 0) {
+		printf("failure: strlcat [\nexpected \"bl\", got \"%s\"\n]\n", 
+			   tmp);
+		return false;
+	}
+
+	strlcpy(tmp, "da", sizeof(tmp));
+	if (strlcat(tmp, "me", 4) != 4) {
+		printf("failure: strlcat [\nexpected \"dam\", got \"%s\"\n]\n",
+			   tmp);
+		return false;
+	}
+
+	printf("success: strlcat\n");
+	return true;
+}
+
+static int test_mktime(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_initgroups(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_memmove(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_strdup(void)
+{
+	char *x;
+	printf("test: strdup\n");
+	x = strdup("bla");
+	if (strcmp("bla", x) != 0) {
+		printf("failure: strdup [\nfailed: expected \"bla\", got \"%s\"\n]\n",
+			   x);
+		return false;
+	}
+	free(x);
+	printf("success: strdup\n");
+	return true;
+}	
+
+static int test_setlinebuf(void)
+{
+	printf("test: setlinebuf\n");
+	setlinebuf(stdout);
+	printf("success: setlinebuf\n");
+	return true;
+}
+
+static int test_vsyslog(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_timegm(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_setenv(void)
+{
+#define TEST_SETENV(key, value, overwrite, result) do { \
+	int _ret; \
+	char *_v; \
+	_ret = setenv(key, value, overwrite); \
+	if (_ret != 0) { \
+		printf("failure: setenv [\n" \
+			"setenv(%s, %s, %d) failed\n" \
+			"]\n", \
+			key, value, overwrite); \
+		return false; \
+	} \
+	_v=getenv(key); \
+	if (!_v) { \
+		printf("failure: setenv [\n" \
+			"getenv(%s) returned NULL\n" \
+			"]\n", \
+			key); \
+		return false; \
+	} \
+	if (strcmp(result, _v) != 0) { \
+		printf("failure: setenv [\n" \
+			"getenv(%s): '%s' != '%s'\n" \
+			"]\n", \
+			key, result, _v); \
+		return false; \
+	} \
+} while(0)
+
+#define TEST_UNSETENV(key) do { \
+	char *_v; \
+	unsetenv(key); \
+	_v=getenv(key); \
+	if (_v) { \
+		printf("failure: setenv [\n" \
+			"getenv(%s): NULL != '%s'\n" \
+			"]\n", \
+			SETENVTEST_KEY, _v); \
+		return false; \
+	} \
+} while (0)
+
+#define SETENVTEST_KEY "SETENVTESTKEY"
+#define SETENVTEST_VAL "SETENVTESTVAL"
+
+	printf("test: setenv\n");
+	TEST_SETENV(SETENVTEST_KEY, SETENVTEST_VAL"1", 0, SETENVTEST_VAL"1");
+	TEST_SETENV(SETENVTEST_KEY, SETENVTEST_VAL"2", 0, SETENVTEST_VAL"1");
+	TEST_SETENV(SETENVTEST_KEY, SETENVTEST_VAL"3", 1, SETENVTEST_VAL"3");
+	TEST_SETENV(SETENVTEST_KEY, SETENVTEST_VAL"4", 1, SETENVTEST_VAL"4");
+	TEST_UNSETENV(SETENVTEST_KEY);
+	TEST_UNSETENV(SETENVTEST_KEY);
+	TEST_SETENV(SETENVTEST_KEY, SETENVTEST_VAL"5", 0, SETENVTEST_VAL"5");
+	TEST_UNSETENV(SETENVTEST_KEY);
+	TEST_UNSETENV(SETENVTEST_KEY);
+	printf("success: setenv\n");
+	return true;
+}
+
+static int test_strndup(void)
+{
+	char *x;
+	printf("test: strndup\n");
+	x = strndup("bla", 0);
+	if (strcmp(x, "") != 0) {
+		printf("failure: strndup [\ninvalid\n]\n");
+		return false;
+	}
+	free(x);
+	x = strndup("bla", 2);
+	if (strcmp(x, "bl") != 0) {
+		printf("failure: strndup [\ninvalid\n]\n");
+		return false;
+	}
+	free(x);
+	x = strndup("bla", 10);
+	if (strcmp(x, "bla") != 0) {
+		printf("failure: strndup [\ninvalid\n]\n");
+		return false;
+	}
+	free(x);
+	printf("success: strndup\n");
+	return true;
+}
+
+static int test_strnlen(void)
+{
+	printf("test: strnlen\n");
+	if (strnlen("bla", 2) != 2) {
+		printf("failure: strnlen [\nunexpected length\n]\n");
+		return false;
+	}
+
+	if (strnlen("some text\n", 0) != 0) {
+		printf("failure: strnlen [\nunexpected length\n]\n");
+		return false;
+	}
+
+	if (strnlen("some text", 20) != 9) {
+		printf("failure: strnlen [\nunexpected length\n]\n");
+		return false;
+	}
+
+	printf("success: strnlen\n");
+	return true;
+}
+
+static int test_waitpid(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_seteuid(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_setegid(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_asprintf(void)
+{
+	char *x;
+	printf("test: asprintf\n");
+	if (asprintf(&x, "%d", 9) != 1) {
+		printf("failure: asprintf [\ngenerate asprintf\n]\n");
+		return false;
+	}
+	if (strcmp(x, "9") != 0) {
+		printf("failure: asprintf [\ngenerate asprintf\n]\n");
+		return false;
+	}
+	if (asprintf(&x, "dat%s", "a") != 4) {
+		printf("failure: asprintf [\ngenerate asprintf\n]\n");
+		return false;
+	}
+	if (strcmp(x, "data") != 0) {
+		printf("failure: asprintf [\ngenerate asprintf\n]\n");
+		return false;
+	}
+	printf("success: asprintf\n");
+	return true;
+}
+
+static int test_snprintf(void)
+{
+	char tmp[10];
+	printf("test: snprintf\n");
+	if (snprintf(tmp, 3, "foo%d", 9) != 4) {
+		printf("failure: snprintf [\nsnprintf return code failed\n]\n");
+		return false;
+	}
+
+	if (strcmp(tmp, "fo") != 0) {
+		printf("failure: snprintf [\nsnprintf failed\n]\n");
+		return false;
+	}
+
+	printf("success: snprintf\n");
+	return true;
+}
+
+static int test_vasprintf(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_vsnprintf(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_opendir(void)
+{
+	/* FIXME */
+	return true;
+}
+
+extern int test_readdir_os2_delete(void);
+
+static int test_readdir(void)
+{
+	printf("test: readdir\n");
+	if (test_readdir_os2_delete() != 0) {
+		return false;
+	}
+	printf("success: readdir\n");
+	return true;
+}
+
+static int test_telldir(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_seekdir(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_dlopen(void)
+{
+	/* FIXME: test dlopen, dlsym, dlclose, dlerror */
+	return true;
+}
+
+
+static int test_chroot(void)
+{
+	/* FIXME: chroot() */
+	return true;
+}
+
+static int test_bzero(void)
+{
+	/* FIXME: bzero */
+	return true;
+}
+
+static int test_strerror(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_errno(void)
+{
+	printf("test: errno\n");
+	errno = 3;
+	if (errno != 3) {
+		printf("failure: errno [\nerrno failed\n]\n");
+		return false;
+	}
+
+	printf("success: errno\n");
+	return true;
+}
+
+static int test_mkdtemp(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_mkstemp(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_pread(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_pwrite(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_getpass(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_inet_ntoa(void)
+{
+	/* FIXME */
+	return true;
+}
+
+#define TEST_STRTO_X(type,fmt,func,str,base,res,diff,rrnoo) do {\
+	type _v; \
+	char _s[64]; \
+	char *_p = NULL;\
+	char *_ep = NULL; \
+	strlcpy(_s, str, sizeof(_s));\
+	if (diff >= 0) { \
+		_ep = &_s[diff]; \
+	} \
+	errno = 0; \
+	_v = func(_s, &_p, base); \
+	if (errno != rrnoo) { \
+		printf("failure: %s [\n" \
+		       "\t%s\n" \
+		       "\t%s(\"%s\",%d,%d): " fmt " (=/!)= " fmt "\n" \
+		       "\terrno: %d != %d\n" \
+		       "]\n", \
+		        __STRING(func), __location__, __STRING(func), \
+		       str, diff, base, res, _v, rrnoo, errno); \
+		return false; \
+	} else if (_v != res) { \
+		printf("failure: %s [\n" \
+		       "\t%s\n" \
+		       "\t%s(\"%s\",%d,%d): " fmt " != " fmt "\n" \
+		       "]\n", \
+		       __STRING(func), __location__, __STRING(func), \
+		       str, diff, base, res, _v); \
+		return false; \
+	} else if (_p != _ep) { \
+		printf("failure: %s [\n" \
+		       "\t%s\n" \
+		       "\t%s(\"%s\",%d,%d): " fmt " (=/!)= " fmt "\n" \
+		       "\tptr: %p - %p = %d != %d\n" \
+		       "]\n", \
+		       __STRING(func), __location__, __STRING(func), \
+		       str, diff, base, res, _v, _ep, _p, (int)(diff - (_ep - _p)), diff); \
+		return false; \
+	} \
+} while (0)
+
+static int test_strtoll(void)
+{
+	printf("test: strtoll\n");
+
+#define TEST_STRTOLL(str,base,res,diff,errnoo) TEST_STRTO_X(long long int, "%lld", strtoll,str,base,res,diff,errnoo)
+
+	TEST_STRTOLL("15",	10,	15LL,	2, 0);
+	TEST_STRTOLL("  15",	10,	15LL,	4, 0);
+	TEST_STRTOLL("15",	0,	15LL,	2, 0);
+	TEST_STRTOLL(" 15 ",	0,	15LL,	3, 0);
+	TEST_STRTOLL("+15",	10,	15LL,	3, 0);
+	TEST_STRTOLL("  +15",	10,	15LL,	5, 0);
+	TEST_STRTOLL("+15",	0,	15LL,	3, 0);
+	TEST_STRTOLL(" +15 ",	0,	15LL,	4, 0);
+	TEST_STRTOLL("-15",	10,	-15LL,	3, 0);
+	TEST_STRTOLL("  -15",	10,	-15LL,	5, 0);
+	TEST_STRTOLL("-15",	0,	-15LL,	3, 0);
+	TEST_STRTOLL(" -15 ",	0,	-15LL,	4, 0);
+	TEST_STRTOLL("015",	10,	15LL,	3, 0);
+	TEST_STRTOLL("  015",	10,	15LL,	5, 0);
+	TEST_STRTOLL("015",	0,	13LL,	3, 0);
+	TEST_STRTOLL("  015",	0,	13LL,	5, 0);
+	TEST_STRTOLL("0x15",	10,	0LL,	1, 0);
+	TEST_STRTOLL("  0x15",	10,	0LL,	3, 0);
+	TEST_STRTOLL("0x15",	0,	21LL,	4, 0);
+	TEST_STRTOLL("  0x15",	0,	21LL,	6, 0);
+
+	TEST_STRTOLL("10",	16,	16LL,	2, 0);
+	TEST_STRTOLL("  10 ",	16,	16LL,	4, 0);
+	TEST_STRTOLL("0x10",	16,	16LL,	4, 0);
+	TEST_STRTOLL("0x10",	0,	16LL,	4, 0);
+	TEST_STRTOLL(" 0x10 ",	0,	16LL,	5, 0);
+	TEST_STRTOLL("+10",	16,	16LL,	3, 0);
+	TEST_STRTOLL("  +10 ",	16,	16LL,	5, 0);
+	TEST_STRTOLL("+0x10",	16,	16LL,	5, 0);
+	TEST_STRTOLL("+0x10",	0,	16LL,	5, 0);
+	TEST_STRTOLL(" +0x10 ",	0,	16LL,	6, 0);
+	TEST_STRTOLL("-10",	16,	-16LL,	3, 0);
+	TEST_STRTOLL("  -10 ",	16,	-16LL,	5, 0);
+	TEST_STRTOLL("-0x10",	16,	-16LL,	5, 0);
+	TEST_STRTOLL("-0x10",	0,	-16LL,	5, 0);
+	TEST_STRTOLL(" -0x10 ",	0,	-16LL,	6, 0);
+	TEST_STRTOLL("010",	16,	16LL,	3, 0);
+	TEST_STRTOLL("  010 ",	16,	16LL,	5, 0);
+	TEST_STRTOLL("-010",	16,	-16LL,	4, 0);
+
+	TEST_STRTOLL("11",	8,	9LL,	2, 0);
+	TEST_STRTOLL("011",	8,	9LL,	3, 0);
+	TEST_STRTOLL("011",	0,	9LL,	3, 0);
+	TEST_STRTOLL("-11",	8,	-9LL,	3, 0);
+	TEST_STRTOLL("-011",	8,	-9LL,	4, 0);
+	TEST_STRTOLL("-011",	0,	-9LL,	4, 0);
+
+	TEST_STRTOLL("011",	8,	9LL,	3, 0);
+	TEST_STRTOLL("011",	0,	9LL,	3, 0);
+	TEST_STRTOLL("-11",	8,	-9LL,	3, 0);
+	TEST_STRTOLL("-011",	8,	-9LL,	4, 0);
+	TEST_STRTOLL("-011",	0,	-9LL,	4, 0);
+
+	TEST_STRTOLL("Text",	0,	0LL,	0, 0);
+
+	TEST_STRTOLL("9223372036854775807",	10,	9223372036854775807LL,	19, 0);
+	TEST_STRTOLL("9223372036854775807",	0,	9223372036854775807LL,	19, 0);
+	TEST_STRTOLL("9223372036854775808",	0,	9223372036854775807LL,	19, ERANGE);
+	TEST_STRTOLL("9223372036854775808",	10,	9223372036854775807LL,	19, ERANGE);
+	TEST_STRTOLL("0x7FFFFFFFFFFFFFFF",	0,	9223372036854775807LL,	18, 0);
+	TEST_STRTOLL("0x7FFFFFFFFFFFFFFF",	16,	9223372036854775807LL,	18, 0);
+	TEST_STRTOLL("7FFFFFFFFFFFFFFF",	16,	9223372036854775807LL,	16, 0);
+	TEST_STRTOLL("0x8000000000000000",	0,	9223372036854775807LL,	18, ERANGE);
+	TEST_STRTOLL("0x8000000000000000",	16,	9223372036854775807LL,	18, ERANGE);
+	TEST_STRTOLL("80000000000000000",	16,	9223372036854775807LL,	17, ERANGE);
+	TEST_STRTOLL("0777777777777777777777",	0,	9223372036854775807LL,	22, 0);
+	TEST_STRTOLL("0777777777777777777777",	8,	9223372036854775807LL,	22, 0);
+	TEST_STRTOLL("777777777777777777777",	8,	9223372036854775807LL,	21, 0);
+	TEST_STRTOLL("01000000000000000000000",	0,	9223372036854775807LL,	23, ERANGE);
+	TEST_STRTOLL("01000000000000000000000",	8,	9223372036854775807LL,	23, ERANGE);
+	TEST_STRTOLL("1000000000000000000000",	8,	9223372036854775807LL,	22, ERANGE);
+
+	TEST_STRTOLL("-9223372036854775808",	10,	-9223372036854775807LL -1,	20, 0);
+	TEST_STRTOLL("-9223372036854775808",	0,	-9223372036854775807LL -1,	20, 0);
+	TEST_STRTOLL("-9223372036854775809",	0,	-9223372036854775807LL -1,	20, ERANGE);
+	TEST_STRTOLL("-9223372036854775809",	10,	-9223372036854775807LL -1,	20, ERANGE);
+	TEST_STRTOLL("-0x8000000000000000",	0,	-9223372036854775807LL -1,	19, 0);
+	TEST_STRTOLL("-0x8000000000000000",	16,	-9223372036854775807LL -1,	19, 0);
+	TEST_STRTOLL("-8000000000000000",	16,	-9223372036854775807LL -1,	17, 0);
+	TEST_STRTOLL("-0x8000000000000001",	0,	-9223372036854775807LL -1,	19, ERANGE);
+	TEST_STRTOLL("-0x8000000000000001",	16,	-9223372036854775807LL -1,	19, ERANGE);
+	TEST_STRTOLL("-80000000000000001",	16,	-9223372036854775807LL -1,	18, ERANGE);
+	TEST_STRTOLL("-01000000000000000000000",0,	-9223372036854775807LL -1,	24, 0);
+	TEST_STRTOLL("-01000000000000000000000",8,	-9223372036854775807LL -1,	24, 0);
+	TEST_STRTOLL("-1000000000000000000000",	8,	-9223372036854775807LL -1,	23, 0);
+	TEST_STRTOLL("-01000000000000000000001",0,	-9223372036854775807LL -1,	24, ERANGE);
+	TEST_STRTOLL("-01000000000000000000001",8,	-9223372036854775807LL -1,	24, ERANGE);
+	TEST_STRTOLL("-1000000000000000000001",	8,	-9223372036854775807LL -1,	23, ERANGE);
+
+	printf("success: strtoll\n");
+	return true;
+}
+
+static int test_strtoull(void)
+{
+	printf("test: strtoull\n");
+
+#define TEST_STRTOULL(str,base,res,diff,errnoo) TEST_STRTO_X(long long unsigned int,"%llu",strtoull,str,base,res,diff,errnoo)
+
+	TEST_STRTOULL("15",	10,	15LLU,	2, 0);
+	TEST_STRTOULL("  15",	10,	15LLU,	4, 0);
+	TEST_STRTOULL("15",	0,	15LLU,	2, 0);
+	TEST_STRTOULL(" 15 ",	0,	15LLU,	3, 0);
+	TEST_STRTOULL("+15",	10,	15LLU,	3, 0);
+	TEST_STRTOULL("  +15",	10,	15LLU,	5, 0);
+	TEST_STRTOULL("+15",	0,	15LLU,	3, 0);
+	TEST_STRTOULL(" +15 ",	0,	15LLU,	4, 0);
+	TEST_STRTOULL("-15",	10,	18446744073709551601LLU,	3, 0);
+	TEST_STRTOULL("  -15",	10,	18446744073709551601LLU,	5, 0);
+	TEST_STRTOULL("-15",	0,	18446744073709551601LLU,	3, 0);
+	TEST_STRTOULL(" -15 ",	0,	18446744073709551601LLU,	4, 0);
+	TEST_STRTOULL("015",	10,	15LLU,	3, 0);
+	TEST_STRTOULL("  015",	10,	15LLU,	5, 0);
+	TEST_STRTOULL("015",	0,	13LLU,	3, 0);
+	TEST_STRTOULL("  015",	0,	13LLU,	5, 0);
+	TEST_STRTOULL("0x15",	10,	0LLU,	1, 0);
+	TEST_STRTOULL("  0x15",	10,	0LLU,	3, 0);
+	TEST_STRTOULL("0x15",	0,	21LLU,	4, 0);
+	TEST_STRTOULL("  0x15",	0,	21LLU,	6, 0);
+
+	TEST_STRTOULL("10",	16,	16LLU,	2, 0);
+	TEST_STRTOULL("  10 ",	16,	16LLU,	4, 0);
+	TEST_STRTOULL("0x10",	16,	16LLU,	4, 0);
+	TEST_STRTOULL("0x10",	0,	16LLU,	4, 0);
+	TEST_STRTOULL(" 0x10 ",	0,	16LLU,	5, 0);
+	TEST_STRTOULL("+10",	16,	16LLU,	3, 0);
+	TEST_STRTOULL("  +10 ",	16,	16LLU,	5, 0);
+	TEST_STRTOULL("+0x10",	16,	16LLU,	5, 0);
+	TEST_STRTOULL("+0x10",	0,	16LLU,	5, 0);
+	TEST_STRTOULL(" +0x10 ",	0,	16LLU,	6, 0);
+	TEST_STRTOULL("-10",	16,	-16LLU,	3, 0);
+	TEST_STRTOULL("  -10 ",	16,	-16LLU,	5, 0);
+	TEST_STRTOULL("-0x10",	16,	-16LLU,	5, 0);
+	TEST_STRTOULL("-0x10",	0,	-16LLU,	5, 0);
+	TEST_STRTOULL(" -0x10 ",	0,	-16LLU,	6, 0);
+	TEST_STRTOULL("010",	16,	16LLU,	3, 0);
+	TEST_STRTOULL("  010 ",	16,	16LLU,	5, 0);
+	TEST_STRTOULL("-010",	16,	-16LLU,	4, 0);
+
+	TEST_STRTOULL("11",	8,	9LLU,	2, 0);
+	TEST_STRTOULL("011",	8,	9LLU,	3, 0);
+	TEST_STRTOULL("011",	0,	9LLU,	3, 0);
+	TEST_STRTOULL("-11",	8,	-9LLU,	3, 0);
+	TEST_STRTOULL("-011",	8,	-9LLU,	4, 0);
+	TEST_STRTOULL("-011",	0,	-9LLU,	4, 0);
+
+	TEST_STRTOULL("011",	8,	9LLU,	3, 0);
+	TEST_STRTOULL("011",	0,	9LLU,	3, 0);
+	TEST_STRTOULL("-11",	8,	-9LLU,	3, 0);
+	TEST_STRTOULL("-011",	8,	-9LLU,	4, 0);
+	TEST_STRTOULL("-011",	0,	-9LLU,	4, 0);
+
+	TEST_STRTOULL("Text",	0,	0LLU,	0, 0);
+
+	TEST_STRTOULL("9223372036854775807",	10,	9223372036854775807LLU,	19, 0);
+	TEST_STRTOULL("9223372036854775807",	0,	9223372036854775807LLU,	19, 0);
+	TEST_STRTOULL("9223372036854775808",	0,	9223372036854775808LLU,	19, 0);
+	TEST_STRTOULL("9223372036854775808",	10,	9223372036854775808LLU,	19, 0);
+	TEST_STRTOULL("0x7FFFFFFFFFFFFFFF",	0,	9223372036854775807LLU,	18, 0);
+	TEST_STRTOULL("0x7FFFFFFFFFFFFFFF",	16,	9223372036854775807LLU,	18, 0);
+	TEST_STRTOULL("7FFFFFFFFFFFFFFF",	16,	9223372036854775807LLU,	16, 0);
+	TEST_STRTOULL("0x8000000000000000",	0,	9223372036854775808LLU,	18, 0);
+	TEST_STRTOULL("0x8000000000000000",	16,	9223372036854775808LLU,	18, 0);
+	TEST_STRTOULL("8000000000000000",	16,	9223372036854775808LLU,	16, 0);
+	TEST_STRTOULL("0777777777777777777777",	0,	9223372036854775807LLU,	22, 0);
+	TEST_STRTOULL("0777777777777777777777",	8,	9223372036854775807LLU,	22, 0);
+	TEST_STRTOULL("777777777777777777777",	8,	9223372036854775807LLU,	21, 0);
+	TEST_STRTOULL("01000000000000000000000",0,	9223372036854775808LLU,	23, 0);
+	TEST_STRTOULL("01000000000000000000000",8,	9223372036854775808LLU,	23, 0);
+	TEST_STRTOULL("1000000000000000000000",	8,	9223372036854775808LLU,	22, 0);
+
+	TEST_STRTOULL("-9223372036854775808",	10,	9223372036854775808LLU,	20, 0);
+	TEST_STRTOULL("-9223372036854775808",	0,	9223372036854775808LLU,	20, 0);
+	TEST_STRTOULL("-9223372036854775809",	0,	9223372036854775807LLU,	20, 0);
+	TEST_STRTOULL("-9223372036854775809",	10,	9223372036854775807LLU,	20, 0);
+	TEST_STRTOULL("-0x8000000000000000",	0,	9223372036854775808LLU,	19, 0);
+	TEST_STRTOULL("-0x8000000000000000",	16,	9223372036854775808LLU,	19, 0);
+	TEST_STRTOULL("-8000000000000000",	16,	9223372036854775808LLU,	17, 0);
+	TEST_STRTOULL("-0x8000000000000001",	0,	9223372036854775807LLU,	19, 0);
+	TEST_STRTOULL("-0x8000000000000001",	16,	9223372036854775807LLU,	19, 0);
+	TEST_STRTOULL("-8000000000000001",	16,	9223372036854775807LLU,	17, 0);
+	TEST_STRTOULL("-01000000000000000000000",0,	9223372036854775808LLU,	24, 0);
+	TEST_STRTOULL("-01000000000000000000000",8,	9223372036854775808LLU,	24, 0);
+	TEST_STRTOULL("-1000000000000000000000",8,	9223372036854775808LLU,	23, 0);
+	TEST_STRTOULL("-01000000000000000000001",0,	9223372036854775807LLU,	24, 0);
+	TEST_STRTOULL("-01000000000000000000001",8,	9223372036854775807LLU,	24, 0);
+	TEST_STRTOULL("-1000000000000000000001",8,	9223372036854775807LLU,	23, 0);
+
+	TEST_STRTOULL("18446744073709551615",	0,	18446744073709551615LLU,	20, 0);
+	TEST_STRTOULL("18446744073709551615",	10,	18446744073709551615LLU,	20, 0);
+	TEST_STRTOULL("18446744073709551616",	0,	18446744073709551615LLU,	20, ERANGE);
+	TEST_STRTOULL("18446744073709551616",	10,	18446744073709551615LLU,	20, ERANGE);
+	TEST_STRTOULL("0xFFFFFFFFFFFFFFFF",	0,	18446744073709551615LLU,	18, 0);
+	TEST_STRTOULL("0xFFFFFFFFFFFFFFFF",	16,	18446744073709551615LLU,	18, 0);
+	TEST_STRTOULL("FFFFFFFFFFFFFFFF",	16,	18446744073709551615LLU,	16, 0);
+	TEST_STRTOULL("0x10000000000000000",	0,	18446744073709551615LLU,	19, ERANGE);
+	TEST_STRTOULL("0x10000000000000000",	16,	18446744073709551615LLU,	19, ERANGE);
+	TEST_STRTOULL("10000000000000000",	16,	18446744073709551615LLU,	17, ERANGE);
+	TEST_STRTOULL("01777777777777777777777",0,	18446744073709551615LLU,	23, 0);
+	TEST_STRTOULL("01777777777777777777777",8,	18446744073709551615LLU,	23, 0);
+	TEST_STRTOULL("1777777777777777777777",	8,	18446744073709551615LLU,	22, 0);
+	TEST_STRTOULL("02000000000000000000000",0,	18446744073709551615LLU,	23, ERANGE);
+	TEST_STRTOULL("02000000000000000000000",8,	18446744073709551615LLU,	23, ERANGE);
+	TEST_STRTOULL("2000000000000000000000",	8,	18446744073709551615LLU,	22, ERANGE);
+
+	TEST_STRTOULL("-18446744073709551615",	0,	1LLU,				21, 0);
+	TEST_STRTOULL("-18446744073709551615",	10,	1LLU,				21, 0);
+	TEST_STRTOULL("-18446744073709551616",	0,	18446744073709551615LLU,	21, ERANGE);
+	TEST_STRTOULL("-18446744073709551616",	10,	18446744073709551615LLU,	21, ERANGE);
+	TEST_STRTOULL("-0xFFFFFFFFFFFFFFFF",	0,	1LLU,				19, 0);
+	TEST_STRTOULL("-0xFFFFFFFFFFFFFFFF",	16,	1LLU,				19, 0);
+	TEST_STRTOULL("-FFFFFFFFFFFFFFFF",	16,	1LLU,				17, 0);
+	TEST_STRTOULL("-0x10000000000000000",	0,	18446744073709551615LLU,	20, ERANGE);
+	TEST_STRTOULL("-0x10000000000000000",	16,	18446744073709551615LLU,	20, ERANGE);
+	TEST_STRTOULL("-10000000000000000",	16,	18446744073709551615LLU,	18, ERANGE);
+	TEST_STRTOULL("-01777777777777777777777",0,	1LLU,				24, 0);
+	TEST_STRTOULL("-01777777777777777777777",8,	1LLU,				24, 0);
+	TEST_STRTOULL("-1777777777777777777777",8,	1LLU,				23, 0);
+	TEST_STRTOULL("-02000000000000000000000",0,	18446744073709551615LLU,	24, ERANGE);
+	TEST_STRTOULL("-02000000000000000000000",8,	18446744073709551615LLU,	24, ERANGE);
+	TEST_STRTOULL("-2000000000000000000000",8,	18446744073709551615LLU,	23, ERANGE);
+
+	printf("success: strtoull\n");
+	return true;
+}
+
+/* 
+FIXME:
+Types:
+bool
+socklen_t
+uint_t
+uint{8,16,32,64}_t
+int{8,16,32,64}_t
+intptr_t
+
+Constants:
+PATH_NAME_MAX
+UINT{16,32,64}_MAX
+INT32_MAX
+*/
+
+static int test_va_copy(void)
+{
+	/* FIXME */
+	return true;
+}
+
+static int test_FUNCTION(void)
+{
+	printf("test: FUNCTION\n");
+	if (strcmp(__FUNCTION__, "test_FUNCTION") != 0) {
+		printf("failure: FAILURE [\nFAILURE invalid\n]\n");
+		return false;
+	}
+	printf("success: FUNCTION\n");
+	return true;
+}
+
+static int test_MIN(void)
+{
+	printf("test: MIN\n");
+	if (MIN(20, 1) != 1) {
+		printf("failure: MIN [\nMIN invalid\n]\n");
+		return false;
+	}
+	if (MIN(1, 20) != 1) {
+		printf("failure: MIN [\nMIN invalid\n]\n");
+		return false;
+	}
+	printf("success: MIN\n");
+	return true;
+}
+
+static int test_MAX(void)
+{
+	printf("test: MAX\n");
+	if (MAX(20, 1) != 20) {
+		printf("failure: MAX [\nMAX invalid\n]\n");
+		return false;
+	}
+	if (MAX(1, 20) != 20) {
+		printf("failure: MAX [\nMAX invalid\n]\n");
+		return false;
+	}
+	printf("success: MAX\n");
+	return true;
+}
+
+static int test_socketpair(void)
+{
+	int sock[2];
+	char buf[20];
+
+	printf("test: socketpair\n");
+
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == -1) {
+		printf("failure: socketpair [\n"
+			   "socketpair() failed\n"
+			   "]\n");
+		return false;
+	}
+
+	if (write(sock[1], "automatisch", 12) == -1) {
+		printf("failure: socketpair [\n"
+			   "write() failed: %s\n"
+			   "]\n", strerror(errno));
+		return false;
+	}
+
+	if (read(sock[0], buf, 12) == -1) {
+		printf("failure: socketpair [\n"
+			   "read() failed: %s\n"
+			   "]\n", strerror(errno));
+		return false;
+	}
+
+	if (strcmp(buf, "automatisch") != 0) {
+		printf("failure: socketpair [\n"
+			   "expected: automatisch, got: %s\n"
+			   "]\n", buf);
+		return false;
+	}
+
+	printf("success: socketpair\n");
+
+	return true;
+}
+
+extern int libreplace_test_strptime(void);
+
+static int test_strptime(void)
+{
+	return libreplace_test_strptime();
+}
+
+extern int getifaddrs_test(void);
+
+static int test_getifaddrs(void)
+{
+
+	printf("test: getifaddrs\n");
+
+	if (getifaddrs_test() != 0) {
+		printf("failure: getifaddrs\n");
+		return false;
+	}
+
+	printf("success: getifaddrs\n");
+	return true;
+}
+
+static int test_utime(void)
+{
+	struct utimbuf u;
+	struct stat st1, st2, st3;
+	int fd;
+
+	printf("test: utime\n");
+	unlink(TESTFILE);
+
+	fd = open(TESTFILE, O_RDWR|O_CREAT, 0600);
+	if (fd == -1) {
+		printf("failure: utime [\n"
+		       "creating '%s' failed - %s\n]\n",
+		       TESTFILE, strerror(errno));
+		return false;
+	}
+
+	if (fstat(fd, &st1) != 0) {
+		printf("failure: utime [\n"
+		       "fstat (1) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	u.actime = st1.st_atime + 300;
+	u.modtime = st1.st_mtime - 300;
+	if (utime(TESTFILE, &u) != 0) {
+		printf("failure: utime [\n"
+		       "utime(&u) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	if (fstat(fd, &st2) != 0) {
+		printf("failure: utime [\n"
+		       "fstat (2) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	if (utime(TESTFILE, NULL) != 0) {
+		printf("failure: utime [\n"
+		       "utime(NULL) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	if (fstat(fd, &st3) != 0) {
+		printf("failure: utime [\n"
+		       "fstat (3) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+#define CMP_VAL(a,c,b) do { \
+	if (a c b) { \
+		printf("failure: utime [\n" \
+		       "%s: %s(%d) %s %s(%d)\n]\n", \
+		       __location__, \
+		       #a, (int)a, #c, #b, (int)b); \
+		return false; \
+	} \
+} while(0)
+#define EQUAL_VAL(a,b) CMP_VAL(a,!=,b)
+#define GREATER_VAL(a,b) CMP_VAL(a,<=,b)
+#define LESSER_VAL(a,b) CMP_VAL(a,>=,b)
+
+	EQUAL_VAL(st2.st_atime, st1.st_atime + 300);
+	EQUAL_VAL(st2.st_mtime, st1.st_mtime - 300);
+	LESSER_VAL(st3.st_atime, st2.st_atime);
+	GREATER_VAL(st3.st_mtime, st2.st_mtime);
+
+#undef CMP_VAL
+#undef EQUAL_VAL
+#undef GREATER_VAL
+#undef LESSER_VAL
+
+	unlink(TESTFILE);
+	printf("success: utime\n");
+	return true;
+}
+
+static int test_utimes(void)
+{
+	struct timeval tv[2];
+	struct stat st1, st2;
+	int fd;
+
+	printf("test: utimes\n");
+	unlink(TESTFILE);
+
+	fd = open(TESTFILE, O_RDWR|O_CREAT, 0600);
+	if (fd == -1) {
+		printf("failure: utimes [\n"
+		       "creating '%s' failed - %s\n]\n",
+		       TESTFILE, strerror(errno));
+		return false;
+	}
+
+	if (fstat(fd, &st1) != 0) {
+		printf("failure: utimes [\n"
+		       "fstat (1) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	ZERO_STRUCT(tv);
+	tv[0].tv_sec = st1.st_atime + 300;
+	tv[1].tv_sec = st1.st_mtime - 300;
+	if (utimes(TESTFILE, tv) != 0) {
+		printf("failure: utimes [\n"
+		       "utimes(tv) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+	if (fstat(fd, &st2) != 0) {
+		printf("failure: utimes [\n"
+		       "fstat (2) failed - %s\n]\n",
+		       strerror(errno));
+		return false;
+	}
+
+#define EQUAL_VAL(a,b) do { \
+	if (a != b) { \
+		printf("failure: utimes [\n" \
+		       "%s: %s(%d) != %s(%d)\n]\n", \
+		       __location__, \
+		       #a, (int)a, #b, (int)b); \
+		return false; \
+	} \
+} while(0)
+
+	EQUAL_VAL(st2.st_atime, st1.st_atime + 300);
+	EQUAL_VAL(st2.st_mtime, st1.st_mtime - 300);
+
+#undef EQUAL_VAL
+
+	unlink(TESTFILE);
+	printf("success: utimes\n");
+	return true;
+}
+
+struct torture_context;
+bool torture_local_replace(struct torture_context *ctx)
+{
+	bool ret = true;
+	ret &= test_ftruncate();
+	ret &= test_strlcpy();
+	ret &= test_strlcat();
+	ret &= test_mktime();
+	ret &= test_initgroups();
+	ret &= test_memmove();
+	ret &= test_strdup();
+	ret &= test_setlinebuf();
+	ret &= test_vsyslog();
+	ret &= test_timegm();
+	ret &= test_setenv();
+	ret &= test_strndup();
+	ret &= test_strnlen();
+	ret &= test_waitpid();
+	ret &= test_seteuid();
+	ret &= test_setegid();
+	ret &= test_asprintf();
+	ret &= test_snprintf();
+	ret &= test_vasprintf();
+	ret &= test_vsnprintf();
+	ret &= test_opendir();
+	ret &= test_readdir();
+	ret &= test_telldir();
+	ret &= test_seekdir();
+	ret &= test_dlopen();
+	ret &= test_chroot();
+	ret &= test_bzero();
+	ret &= test_strerror();
+	ret &= test_errno();
+	ret &= test_mkdtemp();
+	ret &= test_mkstemp();
+	ret &= test_pread();
+	ret &= test_pwrite();
+	ret &= test_getpass();
+	ret &= test_inet_ntoa();
+	ret &= test_strtoll();
+	ret &= test_strtoull();
+	ret &= test_va_copy();
+	ret &= test_FUNCTION();
+	ret &= test_MIN();
+	ret &= test_MAX();
+	ret &= test_socketpair();
+	ret &= test_strptime();
+	ret &= test_getifaddrs();
+	ret &= test_utime();
+	ret &= test_utimes();
+
+	return ret;
+}
+
+#if _SAMBA_BUILD_<4
+int main(void)
+{
+	bool ret = torture_local_replace(NULL);
+	if (ret) 
+		return 0;
+	return -1;
+}
+#endif
diff --git a/source3/lib/replace/timegm.c b/source3/lib/replace/timegm.c
new file mode 100644
index 0000000000..395c684e11
--- /dev/null
+++ b/source3/lib/replace/timegm.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/*
+  adapted for Samba4 by Andrew Tridgell
+*/
+
+#include "replace.h"
+#include "system/time.h"
+
+static int is_leap(unsigned y)
+{
+	y += 1900;
+	return (y % 4) == 0 && ((y % 100) != 0 || (y % 400) == 0);
+}
+
+time_t rep_timegm(struct tm *tm)
+{
+	static const unsigned ndays[2][12] ={
+		{31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31},
+		{31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}};
+	time_t res = 0;
+	unsigned i;
+
+	if (tm->tm_mon > 12 ||
+	    tm->tm_mon < 0 ||
+	    tm->tm_mday > 31 ||
+	    tm->tm_min > 60 ||
+	    tm->tm_sec > 60 ||
+	    tm->tm_hour > 24) {
+		/* invalid tm structure */
+		return 0;
+	}
+	
+	for (i = 70; i < tm->tm_year; ++i)
+		res += is_leap(i) ? 366 : 365;
+	
+	for (i = 0; i < tm->tm_mon; ++i)
+		res += ndays[is_leap(tm->tm_year)][i];
+	res += tm->tm_mday - 1;
+	res *= 24;
+	res += tm->tm_hour;
+	res *= 60;
+	res += tm->tm_min;
+	res *= 60;
+	res += tm->tm_sec;
+	return res;
+}
diff --git a/source3/lib/replace/timegm.m4 b/source3/lib/replace/timegm.m4
new file mode 100644
index 0000000000..59f3ae0521
--- /dev/null
+++ b/source3/lib/replace/timegm.m4
@@ -0,0 +1 @@
+AC_CHECK_FUNCS(timegm,[],[LIBREPLACEOBJ="${LIBREPLACEOBJ} timegm.o"])
diff --git a/source3/lib/replace/win32.m4 b/source3/lib/replace/win32.m4
new file mode 100644
index 0000000000..eb364e2cb9
--- /dev/null
+++ b/source3/lib/replace/win32.m4
@@ -0,0 +1,20 @@
+AC_CHECK_HEADERS(direct.h windows.h winsock2.h ws2tcpip.h)
+
+#######################################
+# Check for mkdir mode
+AC_CACHE_CHECK( [whether mkdir supports mode], libreplace_cv_mkdir_has_mode,
+	AC_TRY_COMPILE([
+		#include <stdio.h>
+		#ifdef HAVE_DIRECT_H
+		#include <direct.h>
+		#endif],[
+			mkdir("foo",0777);
+			return 0;
+	],
+    libreplace_cv_mkdir_has_mode="yes",
+    libreplace_cv_mkdir_has_mode="no") )
+
+if test "$libreplace_cv_mkdir_has_mode" = "yes"
+then
+    AC_DEFINE(HAVE_MKDIR_MODE, 1, [Define if target mkdir supports mode option])
+fi
diff --git a/source3/lib/replace/win32_replace.h b/source3/lib/replace/win32_replace.h
new file mode 100644
index 0000000000..9901e72f6e
--- /dev/null
+++ b/source3/lib/replace/win32_replace.h
@@ -0,0 +1,159 @@
+#ifndef _WIN32_REPLACE_H
+#define _WIN32_REPLACE_H
+
+#ifdef HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#ifdef HAVE_WS2TCPIP_H
+#include <ws2tcpip.h>
+#endif
+
+#ifdef HAVE_WINDOWS_H
+#include <windows.h>
+#endif
+
+/* Map BSD Socket errorcodes to the WSA errorcodes (if possible) */ 
+
+#define EAFNOSUPPORT	WSAEAFNOSUPPORT
+#define ECONNREFUSED    WSAECONNREFUSED 
+#define EINPROGRESS	WSAEINPROGRESS
+#define EMSGSIZE	WSAEMSGSIZE 
+#define ENOBUFS         WSAENOBUFS
+#define ENOTSOCK	WSAENOTSOCK
+#define ENETUNREACH	WSAENETUNREACH
+#define ENOPROTOOPT	WSAENOPROTOOPT
+#define ENOTCONN	WSAENOTCONN 
+#define ENOTSUP		134 
+
+/* We undefine the following constants due to conflicts with the w32api headers
+ * and the Windows Platform SDK/DDK.
+ */
+
+#undef interface
+
+#undef ERROR_INVALID_PARAMETER
+#undef ERROR_INSUFFICIENT_BUFFER
+#undef ERROR_INVALID_DATATYPE
+
+#undef FILE_GENERIC_READ
+#undef FILE_GENERIC_WRITE
+#undef FILE_GENERIC_EXECUTE
+#undef FILE_ATTRIBUTE_READONLY
+#undef FILE_ATTRIBUTE_HIDDEN
+#undef FILE_ATTRIBUTE_SYSTEM
+#undef FILE_ATTRIBUTE_DIRECTORY
+#undef FILE_ATTRIBUTE_ARCHIVE
+#undef FILE_ATTRIBUTE_DEVICE
+#undef FILE_ATTRIBUTE_NORMAL
+#undef FILE_ATTRIBUTE_TEMPORARY
+#undef FILE_ATTRIBUTE_REPARSE_POINT
+#undef FILE_ATTRIBUTE_COMPRESSED
+#undef FILE_ATTRIBUTE_OFFLINE
+#undef FILE_ATTRIBUTE_ENCRYPTED
+#undef FILE_FLAG_WRITE_THROUGH
+#undef FILE_FLAG_NO_BUFFERING
+#undef FILE_FLAG_RANDOM_ACCESS
+#undef FILE_FLAG_SEQUENTIAL_SCAN
+#undef FILE_FLAG_DELETE_ON_CLOSE
+#undef FILE_FLAG_BACKUP_SEMANTICS
+#undef FILE_FLAG_POSIX_SEMANTICS
+#undef FILE_TYPE_DISK
+#undef FILE_TYPE_UNKNOWN
+#undef FILE_CASE_SENSITIVE_SEARCH
+#undef FILE_CASE_PRESERVED_NAMES
+#undef FILE_UNICODE_ON_DISK
+#undef FILE_PERSISTENT_ACLS
+#undef FILE_FILE_COMPRESSION
+#undef FILE_VOLUME_QUOTAS
+#undef FILE_VOLUME_IS_COMPRESSED
+#undef FILE_NOTIFY_CHANGE_FILE_NAME
+#undef FILE_NOTIFY_CHANGE_DIR_NAME
+#undef FILE_NOTIFY_CHANGE_ATTRIBUTES
+#undef FILE_NOTIFY_CHANGE_SIZE
+#undef FILE_NOTIFY_CHANGE_LAST_WRITE
+#undef FILE_NOTIFY_CHANGE_LAST_ACCESS
+#undef FILE_NOTIFY_CHANGE_CREATION
+#undef FILE_NOTIFY_CHANGE_EA
+#undef FILE_NOTIFY_CHANGE_SECURITY
+#undef FILE_NOTIFY_CHANGE_STREAM_NAME
+#undef FILE_NOTIFY_CHANGE_STREAM_SIZE
+#undef FILE_NOTIFY_CHANGE_STREAM_WRITE
+#undef FILE_NOTIFY_CHANGE_NAME
+
+#undef PRINTER_ATTRIBUTE_QUEUED
+#undef PRINTER_ATTRIBUTE_DIRECT
+#undef PRINTER_ATTRIBUTE_DEFAULT
+#undef PRINTER_ATTRIBUTE_SHARED
+#undef PRINTER_ATTRIBUTE_NETWORK
+#undef PRINTER_ATTRIBUTE_HIDDEN
+#undef PRINTER_ATTRIBUTE_LOCAL
+#undef PRINTER_ATTRIBUTE_ENABLE_DEVQ
+#undef PRINTER_ATTRIBUTE_KEEPPRINTEDJOBS
+#undef PRINTER_ATTRIBUTE_DO_COMPLETE_FIRST
+#undef PRINTER_ATTRIBUTE_WORK_OFFLINE
+#undef PRINTER_ATTRIBUTE_ENABLE_BIDI
+#undef PRINTER_ATTRIBUTE_RAW_ONLY
+#undef PRINTER_ATTRIBUTE_PUBLISHED
+#undef PRINTER_ENUM_DEFAULT
+#undef PRINTER_ENUM_LOCAL
+#undef PRINTER_ENUM_CONNECTIONS
+#undef PRINTER_ENUM_FAVORITE
+#undef PRINTER_ENUM_NAME
+#undef PRINTER_ENUM_REMOTE
+#undef PRINTER_ENUM_SHARED
+#undef PRINTER_ENUM_NETWORK
+#undef PRINTER_ENUM_EXPAND
+#undef PRINTER_ENUM_CONTAINER
+#undef PRINTER_ENUM_ICON1
+#undef PRINTER_ENUM_ICON2
+#undef PRINTER_ENUM_ICON3
+#undef PRINTER_ENUM_ICON4
+#undef PRINTER_ENUM_ICON5
+#undef PRINTER_ENUM_ICON6
+#undef PRINTER_ENUM_ICON7
+#undef PRINTER_ENUM_ICON8
+#undef PRINTER_STATUS_PAUSED
+#undef PRINTER_STATUS_ERROR
+#undef PRINTER_STATUS_PENDING_DELETION
+#undef PRINTER_STATUS_PAPER_JAM
+#undef PRINTER_STATUS_PAPER_OUT
+#undef PRINTER_STATUS_MANUAL_FEED
+#undef PRINTER_STATUS_PAPER_PROBLEM
+#undef PRINTER_STATUS_OFFLINE
+#undef PRINTER_STATUS_IO_ACTIVE
+#undef PRINTER_STATUS_BUSY
+#undef PRINTER_STATUS_PRINTING
+#undef PRINTER_STATUS_OUTPUT_BIN_FULL
+#undef PRINTER_STATUS_NOT_AVAILABLE
+#undef PRINTER_STATUS_WAITING
+#undef PRINTER_STATUS_PROCESSING
+#undef PRINTER_STATUS_INITIALIZING
+#undef PRINTER_STATUS_WARMING_UP
+#undef PRINTER_STATUS_TONER_LOW
+#undef PRINTER_STATUS_NO_TONER
+#undef PRINTER_STATUS_PAGE_PUNT
+#undef PRINTER_STATUS_USER_INTERVENTION
+#undef PRINTER_STATUS_OUT_OF_MEMORY
+#undef PRINTER_STATUS_DOOR_OPEN
+#undef PRINTER_STATUS_SERVER_UNKNOWN
+#undef PRINTER_STATUS_POWER_SAVE
+
+#undef DWORD
+#undef HKEY_CLASSES_ROOT
+#undef HKEY_CURRENT_USER
+#undef HKEY_LOCAL_MACHINE
+#undef HKEY_USERS
+#undef HKEY_PERFORMANCE_DATA
+#undef HKEY_CURRENT_CONFIG
+#undef HKEY_DYN_DATA
+#undef REG_DWORD
+#undef REG_QWORD
+
+#undef SERVICE_STATE_ALL
+
+#undef SE_GROUP_MANDATORY
+#undef SE_GROUP_ENABLED_BY_DEFAULT
+#undef SE_GROUP_ENABLED
+
+#endif /* _WIN32_REPLACE_H */
diff --git a/source3/lib/secace.c b/source3/lib/secace.c
new file mode 100644
index 0000000000..8760a6109a
--- /dev/null
+++ b/source3/lib/secace.c
@@ -0,0 +1,293 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  SEC_ACE handling functions
+ *  Copyright (C) Andrew Tridgell              1992-1998,
+ *  Copyright (C) Jeremy R. Allison            1995-2003.
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
+ *  Copyright (C) Paul Ashton                  1997-1998.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/*******************************************************************
+ Check if ACE has OBJECT type.
+********************************************************************/
+
+bool sec_ace_object(uint8 type)
+{
+	if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+            type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
+            type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
+            type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
+		return True;
+	}
+	return False;
+}
+
+/*******************************************************************
+ copy a SEC_ACE structure.
+********************************************************************/
+void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
+{
+	ace_dest->type  = ace_src->type;
+	ace_dest->flags = ace_src->flags;
+	ace_dest->size  = ace_src->size;
+	ace_dest->access_mask = ace_src->access_mask;
+	ace_dest->object = ace_src->object;
+	sid_copy(&ace_dest->trustee, &ace_src->trustee);
+}
+
+/*******************************************************************
+ Sets up a SEC_ACE structure.
+********************************************************************/
+
+void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
+		  uint32 mask, uint8 flag)
+{
+	t->type = type;
+	t->flags = flag;
+	t->size = ndr_size_dom_sid(sid, 0) + 8;
+	t->access_mask = mask;
+
+	ZERO_STRUCTP(&t->trustee);
+	sid_copy(&t->trustee, sid);
+}
+
+/*******************************************************************
+ adds new SID with its permissions to ACE list
+********************************************************************/
+
+NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
+{
+	unsigned int i = 0;
+	
+	if (!ctx || !pp_new || !old || !sid || !num)  return NT_STATUS_INVALID_PARAMETER;
+
+	*num += 1;
+	
+	if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+		return NT_STATUS_NO_MEMORY;
+
+	for (i = 0; i < *num - 1; i ++)
+		sec_ace_copy(&(*pp_new)[i], &old[i]);
+
+	(*pp_new)[i].type  = SEC_ACE_TYPE_ACCESS_ALLOWED;
+	(*pp_new)[i].flags = 0;
+	(*pp_new)[i].size  = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, 0);
+	(*pp_new)[i].access_mask = mask;
+	sid_copy(&(*pp_new)[i].trustee, sid);
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+  modify SID's permissions at ACL 
+********************************************************************/
+
+NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
+{
+	unsigned int i = 0;
+
+	if (!ace || !sid)  return NT_STATUS_INVALID_PARAMETER;
+
+	for (i = 0; i < num; i ++) {
+		if (sid_compare(&ace[i].trustee, sid) == 0) {
+			ace[i].access_mask = mask;
+			return NT_STATUS_OK;
+		}
+	}
+	return NT_STATUS_NOT_FOUND;
+}
+
+/*******************************************************************
+ delete SID from ACL
+********************************************************************/
+
+NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
+{
+	unsigned int i     = 0;
+	unsigned int n_del = 0;
+
+	if (!ctx || !pp_new || !old || !sid || !num)  return NT_STATUS_INVALID_PARAMETER;
+
+	if (*num) {
+		if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+			return NT_STATUS_NO_MEMORY;
+	} else {
+		pp_new[0] = NULL;
+	}
+
+	for (i = 0; i < *num; i ++) {
+		if (sid_compare(&old[i].trustee, sid) != 0)
+			sec_ace_copy(&(*pp_new)[i], &old[i]);
+		else
+			n_del ++;
+	}
+	if (n_del == 0)
+		return NT_STATUS_NOT_FOUND;
+	else {
+		*num -= n_del;
+		return NT_STATUS_OK;
+	}
+}
+
+/*******************************************************************
+ Compares two SEC_ACE structures
+********************************************************************/
+
+bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
+{
+	/* Trivial case */
+
+	if (!s1 && !s2) {
+		return True;
+	}
+
+	if (!s1 || !s2) {
+		return False;
+	}
+
+	/* Check top level stuff */
+
+	if (s1->type != s2->type || s1->flags != s2->flags ||
+	    s1->access_mask != s2->access_mask) {
+		return False;
+	}
+
+	/* Check SID */
+
+	if (!sid_equal(&s1->trustee, &s2->trustee)) {
+		return False;
+	}
+
+	return True;
+}
+
+int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
+{
+	int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
+	int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
+
+	if (a1_inh == a2_inh)
+		return 0;
+
+	if (!a1_inh && a2_inh)
+		return -1;
+	return 1;
+}
+
+/*******************************************************************
+  Comparison function to apply the order explained below in a group.
+*******************************************************************/
+
+int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
+{
+	if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
+				(a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
+		return -1;
+
+	if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
+				(a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
+		return 1;
+
+	/* Both access denied or access allowed. */
+
+	/* 1. ACEs that apply to the object itself */
+
+	if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
+			(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
+		return -1;
+	else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
+			(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
+		return 1;
+
+	/* 2. ACEs that apply to a subobject of the object, such as
+	 * a property set or property. */
+
+	if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
+			!(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
+		return -1;
+	else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
+			!(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
+		return 1;
+
+	return 0;
+}
+
+/*******************************************************************
+ Functions to convert a SEC_DESC ACE DACL list into canonical order.
+ JRA.
+
+--- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
+
+The following describes the preferred order:
+
+ To ensure that noninherited ACEs have precedence over inherited ACEs,
+ place all noninherited ACEs in a group before any inherited ACEs.
+ This ordering ensures, for example, that a noninherited access-denied ACE
+ is enforced regardless of any inherited ACE that allows access.
+
+ Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows:
+	1. Access-denied ACEs that apply to the object itself
+	2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property
+	3. Access-allowed ACEs that apply to the object itself
+	4. Access-allowed ACEs that apply to a subobject of the object"
+
+********************************************************************/
+
+void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
+{
+	unsigned int i;
+
+	if (!srclist || num_aces == 0)
+		return;
+
+	/* Sort so that non-inherited ACE's come first. */
+	qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
+
+	/* Find the boundary between non-inherited ACEs. */
+	for (i = 0; i < num_aces; i++ ) {
+		SEC_ACE *curr_ace = &srclist[i];
+
+		if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
+			break;
+	}
+
+	/* i now points at entry number of the first inherited ACE. */
+
+	/* Sort the non-inherited ACEs. */
+	if (i)
+		qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
+
+	/* Now sort the inherited ACEs. */
+	if (num_aces - i)
+		qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
+}
+
+/*******************************************************************
+ Check if this ACE has a SID in common with the token.
+********************************************************************/
+
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
+{
+	size_t i;
+
+	for (i = 0; i < token->num_sids; i++) {
+		if (sid_equal(&ace->trustee, &token->user_sids[i]))
+			return True;
+	}
+
+	return False;
+}
diff --git a/source3/lib/secacl.c b/source3/lib/secacl.c
new file mode 100644
index 0000000000..5e82242e1b
--- /dev/null
+++ b/source3/lib/secacl.c
@@ -0,0 +1,118 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  SEC_ACL handling routines
+ *  Copyright (C) Andrew Tridgell              1992-1998,
+ *  Copyright (C) Jeremy R. Allison            1995-2003.
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
+ *  Copyright (C) Paul Ashton                  1997-1998.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/*******************************************************************
+ Create a SEC_ACL structure.  
+********************************************************************/
+
+SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
+		      int num_aces, SEC_ACE *ace_list)
+{
+	SEC_ACL *dst;
+	int i;
+
+	if((dst = TALLOC_ZERO_P(ctx,SEC_ACL)) == NULL)
+		return NULL;
+
+	dst->revision = revision;
+	dst->num_aces = num_aces;
+	dst->size = SEC_ACL_HEADER_SIZE;
+
+	/* Now we need to return a non-NULL address for the ace list even
+	   if the number of aces required is zero.  This is because there
+	   is a distinct difference between a NULL ace and an ace with zero
+	   entries in it.  This is achieved by checking that num_aces is a
+	   positive number. */
+
+	if ((num_aces) && 
+            ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces)) 
+             == NULL)) {
+		return NULL;
+	}
+        
+	for (i = 0; i < num_aces; i++) {
+		dst->aces[i] = ace_list[i]; /* Structure copy. */
+		dst->size += ace_list[i].size;
+	}
+
+	return dst;
+}
+
+/*******************************************************************
+ Duplicate a SEC_ACL structure.  
+********************************************************************/
+
+SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
+{
+	if(src == NULL)
+		return NULL;
+
+	return make_sec_acl(ctx, src->revision, src->num_aces, src->aces);
+}
+
+/*******************************************************************
+ Compares two SEC_ACL structures
+********************************************************************/
+
+bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2)
+{
+	unsigned int i, j;
+
+	/* Trivial cases */
+
+	if (!s1 && !s2) return True;
+	if (!s1 || !s2) return False;
+
+	/* Check top level stuff */
+
+	if (s1->revision != s2->revision) {
+		DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n",
+			   s1->revision, s2->revision));
+		return False;
+	}
+
+	if (s1->num_aces != s2->num_aces) {
+		DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n",
+			   s1->revision, s2->revision));
+		return False;
+	}
+
+	/* The ACEs could be in any order so check each ACE in s1 against 
+	   each ACE in s2. */
+
+	for (i = 0; i < s1->num_aces; i++) {
+		bool found = False;
+
+		for (j = 0; j < s2->num_aces; j++) {
+			if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) {
+				found = True;
+				break;
+			}
+		}
+
+		if (!found) return False;
+	}
+
+	return True;
+}
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
new file mode 100644
index 0000000000..44ae23271e
--- /dev/null
+++ b/source3/lib/secdesc.c
@@ -0,0 +1,559 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  SEC_DESC handling functions
+ *  Copyright (C) Andrew Tridgell              1992-1998,
+ *  Copyright (C) Jeremy R. Allison            1995-2003.
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
+ *  Copyright (C) Paul Ashton                  1997-1998.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/* Map generic permissions to file object specific permissions */
+
+const struct generic_mapping file_generic_mapping = {
+	FILE_GENERIC_READ,
+	FILE_GENERIC_WRITE,
+	FILE_GENERIC_EXECUTE,
+	FILE_GENERIC_ALL
+};
+
+/*******************************************************************
+ Compares two SEC_DESC structures
+********************************************************************/
+
+bool sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2)
+{
+	/* Trivial case */
+
+	if (!s1 && !s2) {
+		goto done;
+	}
+
+	if (!s1 || !s2) {
+		return False;
+	}
+
+	/* Check top level stuff */
+
+	if (s1->revision != s2->revision) {
+		DEBUG(10, ("sec_desc_equal(): revision differs (%d != %d)\n",
+			   s1->revision, s2->revision));
+		return False;
+	}
+
+	if (s1->type!= s2->type) {
+		DEBUG(10, ("sec_desc_equal(): type differs (%d != %d)\n",
+			   s1->type, s2->type));
+		return False;
+	}
+
+	/* Check owner and group */
+
+	if (!sid_equal(s1->owner_sid, s2->owner_sid)) {
+		DEBUG(10, ("sec_desc_equal(): owner differs (%s != %s)\n",
+			   sid_string_dbg(s1->owner_sid),
+			   sid_string_dbg(s2->owner_sid)));
+		return False;
+	}
+
+	if (!sid_equal(s1->group_sid, s2->group_sid)) {
+		DEBUG(10, ("sec_desc_equal(): group differs (%s != %s)\n",
+			   sid_string_dbg(s1->group_sid),
+			   sid_string_dbg(s2->group_sid)));
+		return False;
+	}
+
+	/* Check ACLs present in one but not the other */
+
+	if ((s1->dacl && !s2->dacl) || (!s1->dacl && s2->dacl) ||
+	    (s1->sacl && !s2->sacl) || (!s1->sacl && s2->sacl)) {
+		DEBUG(10, ("sec_desc_equal(): dacl or sacl not present\n"));
+		return False;
+	}
+
+	/* Sigh - we have to do it the hard way by iterating over all
+	   the ACEs in the ACLs */
+
+	if (!sec_acl_equal(s1->dacl, s2->dacl) ||
+	    !sec_acl_equal(s1->sacl, s2->sacl)) {
+		DEBUG(10, ("sec_desc_equal(): dacl/sacl list not equal\n"));
+		return False;
+	}
+
+ done:
+	DEBUG(10, ("sec_desc_equal(): secdescs are identical\n"));
+	return True;
+}
+
+/*******************************************************************
+ Merge part of security descriptor old_sec in to the empty sections of 
+ security descriptor new_sec.
+********************************************************************/
+
+SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BUF *old_sdb)
+{
+	DOM_SID *owner_sid, *group_sid;
+	SEC_DESC_BUF *return_sdb;
+	SEC_ACL *dacl, *sacl;
+	SEC_DESC *psd = NULL;
+	uint16 secdesc_type;
+	size_t secdesc_size;
+
+	/* Copy over owner and group sids.  There seems to be no flag for
+	   this so just check the pointer values. */
+
+	owner_sid = new_sdb->sd->owner_sid ? new_sdb->sd->owner_sid :
+		old_sdb->sd->owner_sid;
+
+	group_sid = new_sdb->sd->group_sid ? new_sdb->sd->group_sid :
+		old_sdb->sd->group_sid;
+	
+	secdesc_type = new_sdb->sd->type;
+
+	/* Ignore changes to the system ACL.  This has the effect of making
+	   changes through the security tab audit button not sticking. 
+	   Perhaps in future Samba could implement these settings somehow. */
+
+	sacl = NULL;
+	secdesc_type &= ~SEC_DESC_SACL_PRESENT;
+
+	/* Copy across discretionary ACL */
+
+	if (secdesc_type & SEC_DESC_DACL_PRESENT) {
+		dacl = new_sdb->sd->dacl;
+	} else {
+		dacl = old_sdb->sd->dacl;
+	}
+
+	/* Create new security descriptor from bits */
+
+	psd = make_sec_desc(ctx, new_sdb->sd->revision, secdesc_type,
+			    owner_sid, group_sid, sacl, dacl, &secdesc_size);
+
+	return_sdb = make_sec_desc_buf(ctx, secdesc_size, psd);
+
+	return(return_sdb);
+}
+
+/*******************************************************************
+ Creates a SEC_DESC structure
+********************************************************************/
+
+SEC_DESC *make_sec_desc(TALLOC_CTX *ctx,
+			enum security_descriptor_revision revision,
+			uint16 type,
+			const DOM_SID *owner_sid, const DOM_SID *grp_sid,
+			SEC_ACL *sacl, SEC_ACL *dacl, size_t *sd_size)
+{
+	SEC_DESC *dst;
+	uint32 offset     = 0;
+
+	*sd_size = 0;
+
+	if(( dst = TALLOC_ZERO_P(ctx, SEC_DESC)) == NULL)
+		return NULL;
+
+	dst->revision = revision;
+	dst->type = type;
+
+	if (sacl)
+		dst->type |= SEC_DESC_SACL_PRESENT;
+	if (dacl)
+		dst->type |= SEC_DESC_DACL_PRESENT;
+
+	dst->owner_sid = NULL;
+	dst->group_sid   = NULL;
+	dst->sacl      = NULL;
+	dst->dacl      = NULL;
+
+	if(owner_sid && ((dst->owner_sid = sid_dup_talloc(dst,owner_sid)) == NULL))
+		goto error_exit;
+
+	if(grp_sid && ((dst->group_sid = sid_dup_talloc(dst,grp_sid)) == NULL))
+		goto error_exit;
+
+	if(sacl && ((dst->sacl = dup_sec_acl(dst, sacl)) == NULL))
+		goto error_exit;
+
+	if(dacl && ((dst->dacl = dup_sec_acl(dst, dacl)) == NULL))
+		goto error_exit;
+
+	offset = SEC_DESC_HEADER_SIZE;
+
+	/*
+	 * Work out the linearization sizes.
+	 */
+
+	if (dst->sacl != NULL) {
+		offset += dst->sacl->size;
+	}
+	if (dst->dacl != NULL) {
+		offset += dst->dacl->size;
+	}
+
+	if (dst->owner_sid != NULL) {
+		offset += ndr_size_dom_sid(dst->owner_sid, 0);
+	}
+
+	if (dst->group_sid != NULL) {
+		offset += ndr_size_dom_sid(dst->group_sid, 0);
+	}
+
+	*sd_size = (size_t)offset;
+	return dst;
+
+error_exit:
+
+	*sd_size = 0;
+	return NULL;
+}
+
+/*******************************************************************
+ Duplicate a SEC_DESC structure.  
+********************************************************************/
+
+SEC_DESC *dup_sec_desc(TALLOC_CTX *ctx, const SEC_DESC *src)
+{
+	size_t dummy;
+
+	if(src == NULL)
+		return NULL;
+
+	return make_sec_desc( ctx, src->revision, src->type,
+				src->owner_sid, src->group_sid, src->sacl,
+				src->dacl, &dummy);
+}
+
+/*******************************************************************
+ Convert a secdesc into a byte stream
+********************************************************************/
+NTSTATUS marshall_sec_desc(TALLOC_CTX *mem_ctx,
+			   struct security_descriptor *secdesc,
+			   uint8 **data, size_t *len)
+{
+	DATA_BLOB blob;
+	enum ndr_err_code ndr_err;
+
+	ndr_err = ndr_push_struct_blob(
+		&blob, mem_ctx, secdesc,
+		(ndr_push_flags_fn_t)ndr_push_security_descriptor);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("ndr_push_security_descriptor failed: %s\n",
+			  ndr_errstr(ndr_err)));
+		return ndr_map_error2ntstatus(ndr_err);;
+	}
+
+	*data = blob.data;
+	*len = blob.length;
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Parse a byte stream into a secdesc
+********************************************************************/
+NTSTATUS unmarshall_sec_desc(TALLOC_CTX *mem_ctx, uint8 *data, size_t len,
+			     struct security_descriptor **psecdesc)
+{
+	DATA_BLOB blob;
+	enum ndr_err_code ndr_err;
+	struct security_descriptor *result;
+
+	if ((data == NULL) || (len == 0)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	result = TALLOC_ZERO_P(mem_ctx, struct security_descriptor);
+	if (result == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	blob = data_blob_const(data, len);
+
+	ndr_err = ndr_pull_struct_blob(
+		&blob, result, result,
+		(ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("ndr_pull_security_descriptor failed: %s\n",
+			  ndr_errstr(ndr_err)));
+		TALLOC_FREE(result);
+		return ndr_map_error2ntstatus(ndr_err);;
+	}
+
+	*psecdesc = result;
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Creates a SEC_DESC structure with typical defaults.
+********************************************************************/
+
+SEC_DESC *make_standard_sec_desc(TALLOC_CTX *ctx, const DOM_SID *owner_sid, const DOM_SID *grp_sid,
+				 SEC_ACL *dacl, size_t *sd_size)
+{
+	return make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+			     SEC_DESC_SELF_RELATIVE, owner_sid, grp_sid, NULL,
+			     dacl, sd_size);
+}
+
+/*******************************************************************
+ Creates a SEC_DESC_BUF structure.
+********************************************************************/
+
+SEC_DESC_BUF *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, SEC_DESC *sec_desc)
+{
+	SEC_DESC_BUF *dst;
+
+	if((dst = TALLOC_ZERO_P(ctx, SEC_DESC_BUF)) == NULL)
+		return NULL;
+
+	/* max buffer size (allocated size) */
+	dst->sd_size = (uint32)len;
+	
+	if(sec_desc && ((dst->sd = dup_sec_desc(ctx, sec_desc)) == NULL)) {
+		return NULL;
+	}
+
+	return dst;
+}
+
+/*******************************************************************
+ Duplicates a SEC_DESC_BUF structure.
+********************************************************************/
+
+SEC_DESC_BUF *dup_sec_desc_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *src)
+{
+	if(src == NULL)
+		return NULL;
+
+	return make_sec_desc_buf( ctx, src->sd_size, src->sd);
+}
+
+/*******************************************************************
+ Add a new SID with its permissions to SEC_DESC.
+********************************************************************/
+
+NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, uint32 mask, size_t *sd_size)
+{
+	SEC_DESC *sd   = 0;
+	SEC_ACL  *dacl = 0;
+	SEC_ACE  *ace  = 0;
+	NTSTATUS  status;
+
+	if (!ctx || !psd || !sid || !sd_size)
+		return NT_STATUS_INVALID_PARAMETER;
+
+	*sd_size = 0;
+
+	status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid, mask);
+	
+	if (!NT_STATUS_IS_OK(status))
+		return status;
+
+	if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision, psd[0]->dacl->num_aces, ace)))
+		return NT_STATUS_UNSUCCESSFUL;
+	
+	if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid, 
+		psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
+		return NT_STATUS_UNSUCCESSFUL;
+
+	*psd = sd;
+	 sd  = 0;
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Modify a SID's permissions in a SEC_DESC.
+********************************************************************/
+
+NTSTATUS sec_desc_mod_sid(SEC_DESC *sd, DOM_SID *sid, uint32 mask)
+{
+	NTSTATUS status;
+
+	if (!sd || !sid)
+		return NT_STATUS_INVALID_PARAMETER;
+
+	status = sec_ace_mod_sid(sd->dacl->aces, sd->dacl->num_aces, sid, mask);
+
+	if (!NT_STATUS_IS_OK(status))
+		return status;
+	
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Delete a SID from a SEC_DESC.
+********************************************************************/
+
+NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, size_t *sd_size)
+{
+	SEC_DESC *sd   = 0;
+	SEC_ACL  *dacl = 0;
+	SEC_ACE  *ace  = 0;
+	NTSTATUS  status;
+
+	if (!ctx || !psd[0] || !sid || !sd_size)
+		return NT_STATUS_INVALID_PARAMETER;
+
+	*sd_size = 0;
+	
+	status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid);
+
+	if (!NT_STATUS_IS_OK(status))
+		return status;
+
+	if (!(dacl = make_sec_acl(ctx, psd[0]->dacl->revision, psd[0]->dacl->num_aces, ace)))
+		return NT_STATUS_UNSUCCESSFUL;
+	
+	if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid, 
+		psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
+		return NT_STATUS_UNSUCCESSFUL;
+
+	*psd = sd;
+	 sd  = 0;
+	return NT_STATUS_OK;
+}
+
+/* Create a child security descriptor using another security descriptor as
+   the parent container.  This child object can either be a container or
+   non-container object. */
+
+SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, 
+				      bool child_container)
+{
+	SEC_DESC_BUF *sdb;
+	SEC_DESC *sd;
+	SEC_ACL *new_dacl, *the_acl;
+	SEC_ACE *new_ace_list = NULL;
+	unsigned int new_ace_list_ndx = 0, i;
+	size_t size;
+
+	/* Currently we only process the dacl when creating the child.  The
+	   sacl should also be processed but this is left out as sacls are
+	   not implemented in Samba at the moment.*/
+
+	the_acl = parent_ctr->dacl;
+
+	if (the_acl->num_aces) {
+		if (!(new_ace_list = TALLOC_ARRAY(ctx, SEC_ACE, the_acl->num_aces))) 
+			return NULL;
+	} else {
+		new_ace_list = NULL;
+	}
+
+	for (i = 0; i < the_acl->num_aces; i++) {
+		SEC_ACE *ace = &the_acl->aces[i];
+		SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
+		uint8 new_flags = 0;
+		bool inherit = False;
+
+		/* The OBJECT_INHERIT_ACE flag causes the ACE to be
+		   inherited by non-container children objects.  Container
+		   children objects will inherit it as an INHERIT_ONLY
+		   ACE. */
+
+		if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
+
+			if (!child_container) {
+				new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
+			} else {
+				new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+			}
+
+			inherit = True;
+		}
+
+		/* The CONAINER_INHERIT_ACE flag means all child container
+		   objects will inherit and use the ACE. */
+
+		if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
+			if (!child_container) {
+				inherit = False;
+			} else {
+				new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
+			}
+		}
+
+		/* The INHERIT_ONLY_ACE is not used by the se_access_check()
+		   function for the parent container, but is inherited by
+		   all child objects as a normal ACE. */
+
+		if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+			/* Move along, nothing to see here */
+		}
+
+		/* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
+		   is inherited by child objects but not grandchildren
+		   objects.  We clear the object inherit and container
+		   inherit flags in the inherited ACE. */
+
+		if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
+			new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
+				       SEC_ACE_FLAG_CONTAINER_INHERIT);
+		}
+
+		/* Add ACE to ACE list */
+
+		if (!inherit)
+			continue;
+
+		init_sec_access(&new_ace->access_mask, ace->access_mask);
+		init_sec_ace(new_ace, &ace->trustee, ace->type,
+			     new_ace->access_mask, new_flags);
+
+		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
+			  " inherited as %s:%d/0x%02x/0x%08x\n",
+			  sid_string_dbg(&ace->trustee),
+			  ace->type, ace->flags, ace->access_mask,
+			  sid_string_dbg(&ace->trustee),
+			  new_ace->type, new_ace->flags,
+			  new_ace->access_mask));
+
+		new_ace_list_ndx++;
+	}
+
+	/* Create child security descriptor to return */
+	
+	new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
+
+	/* Use the existing user and group sids.  I don't think this is
+	   correct.  Perhaps the user and group should be passed in as
+	   parameters by the caller? */
+
+	sd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+			   SEC_DESC_SELF_RELATIVE,
+			   parent_ctr->owner_sid,
+			   parent_ctr->group_sid,
+			   parent_ctr->sacl,
+			   new_dacl, &size);
+
+	sdb = make_sec_desc_buf(ctx, size, sd);
+
+	return sdb;
+}
+
+/*******************************************************************
+ Sets up a SEC_ACCESS structure.
+********************************************************************/
+
+void init_sec_access(uint32 *t, uint32 mask)
+{
+	*t = mask;
+}
+
+
diff --git a/source3/lib/select.c b/source3/lib/select.c
new file mode 100644
index 0000000000..c3da6a9bba
--- /dev/null
+++ b/source3/lib/select.c
@@ -0,0 +1,192 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 3.0
+   Samba select/poll implementation
+   Copyright (C) Andrew Tridgell 1992-1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* This is here because it allows us to avoid a nasty race in signal handling. 
+   We need to guarantee that when we get a signal we get out of a select immediately
+   but doing that involves a race condition. We can avoid the race by getting the 
+   signal handler to write to a pipe that is in the select/poll list 
+
+   This means all Samba signal handlers should call sys_select_signal().
+*/
+
+static pid_t initialised;
+static int select_pipe[2];
+static VOLATILE unsigned pipe_written, pipe_read;
+
+/*******************************************************************
+ Call this from all Samba signal handlers if you want to avoid a 
+ nasty signal race condition.
+********************************************************************/
+
+void sys_select_signal(char c)
+{
+	if (!initialised) return;
+
+	if (pipe_written > pipe_read+256) return;
+
+	if (write(select_pipe[1], &c, 1) == 1) pipe_written++;
+}
+
+/*******************************************************************
+ Like select() but avoids the signal race using a pipe
+ it also guuarantees that fds on return only ever contains bits set
+ for file descriptors that were readable.
+********************************************************************/
+
+int sys_select(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, struct timeval *tval)
+{
+	int ret, saved_errno;
+	fd_set *readfds2, readfds_buf;
+
+	if (initialised != sys_getpid()) {
+		if (pipe(select_pipe) == -1)
+			smb_panic("Could not create select pipe");
+
+		/*
+		 * These next two lines seem to fix a bug with the Linux
+		 * 2.0.x kernel (and probably other UNIXes as well) where
+		 * the one byte read below can block even though the
+		 * select returned that there is data in the pipe and
+		 * the pipe_written variable was incremented. Thanks to
+		 * HP for finding this one. JRA.
+		 */
+
+		if(set_blocking(select_pipe[0],0)==-1)
+			smb_panic("select_pipe[0]: O_NONBLOCK failed");
+		if(set_blocking(select_pipe[1],0)==-1)
+			smb_panic("select_pipe[1]: O_NONBLOCK failed");
+
+		initialised = sys_getpid();
+	}
+
+	maxfd = MAX(select_pipe[0]+1, maxfd);
+
+	/* If readfds is NULL we need to provide our own set. */
+	if (readfds) {
+		readfds2 = readfds;
+	} else {
+		readfds2 = &readfds_buf;
+		FD_ZERO(readfds2);
+	}
+	FD_SET(select_pipe[0], readfds2);
+
+	errno = 0;
+	ret = select(maxfd,readfds2,writefds,errorfds,tval);
+
+	if (ret <= 0) {
+		FD_ZERO(readfds2);
+		if (writefds)
+			FD_ZERO(writefds);
+		if (errorfds)
+			FD_ZERO(errorfds);
+	} else if (FD_ISSET(select_pipe[0], readfds2)) {
+		char c;
+		saved_errno = errno;
+		if (read(select_pipe[0], &c, 1) == 1) {
+			pipe_read++;
+			/* Mark Weaver <mark-clist@npsl.co.uk> pointed out a critical
+			   fix to ensure we don't lose signals. We must always
+			   return -1 when the select pipe is set, otherwise if another
+			   fd is also ready (so ret == 2) then we used to eat the
+			   byte in the pipe and lose the signal. JRA.
+			*/
+			ret = -1;
+#if 0
+			/* JRA - we can use this to debug the signal messaging... */
+			DEBUG(0,("select got %u signal\n", (unsigned int)c));
+#endif
+			errno = EINTR;
+		} else {
+			FD_CLR(select_pipe[0], readfds2);
+			ret--;
+			errno = saved_errno;
+		}
+	}
+
+	return ret;
+}
+
+/*******************************************************************
+ Similar to sys_select() but catch EINTR and continue.
+ This is what sys_select() used to do in Samba.
+********************************************************************/
+
+int sys_select_intr(int maxfd, fd_set *readfds, fd_set *writefds, fd_set *errorfds, struct timeval *tval)
+{
+	int ret;
+	fd_set *readfds2, readfds_buf, *writefds2, writefds_buf, *errorfds2, errorfds_buf;
+	struct timeval tval2, *ptval, end_time;
+
+	readfds2 = (readfds ? &readfds_buf : NULL);
+	writefds2 = (writefds ? &writefds_buf : NULL);
+	errorfds2 = (errorfds ? &errorfds_buf : NULL);
+	if (tval) {
+		GetTimeOfDay(&end_time);
+		end_time.tv_sec += tval->tv_sec;
+		end_time.tv_usec += tval->tv_usec;
+		end_time.tv_sec += end_time.tv_usec / 1000000;
+		end_time.tv_usec %= 1000000;
+		errno = 0;
+		tval2 = *tval;
+		ptval = &tval2;
+	} else {
+		ptval = NULL;
+	}
+
+	do {
+		if (readfds)
+			readfds_buf = *readfds;
+		if (writefds)
+			writefds_buf = *writefds;
+		if (errorfds)
+			errorfds_buf = *errorfds;
+		if (ptval && (errno == EINTR)) {
+			struct timeval now_time;
+			SMB_BIG_INT tdif;
+
+			GetTimeOfDay(&now_time);
+			tdif = usec_time_diff(&end_time, &now_time);
+			if (tdif <= 0) {
+				ret = 0; /* time expired. */
+				break;
+			}
+			ptval->tv_sec = tdif / 1000000;
+			ptval->tv_usec = tdif % 1000000;
+		}
+
+		/* We must use select and not sys_select here. If we use
+		   sys_select we'd lose the fact a signal occurred when sys_select
+		   read a byte from the pipe. Fix from Mark Weaver
+		   <mark-clist@npsl.co.uk>
+		*/
+		ret = select(maxfd, readfds2, writefds2, errorfds2, ptval);
+	} while (ret == -1 && errno == EINTR);
+
+	if (readfds)
+		*readfds = readfds_buf;
+	if (writefds)
+		*writefds = writefds_buf;
+	if (errorfds)
+		*errorfds = errorfds_buf;
+
+	return ret;
+}
diff --git a/source3/lib/sendfile.c b/source3/lib/sendfile.c
new file mode 100644
index 0000000000..d1b178577c
--- /dev/null
+++ b/source3/lib/sendfile.c
@@ -0,0 +1,461 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 2.2.x / 3.0.x
+ sendfile implementations.
+ Copyright (C) Jeremy Allison 2002.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+ * This file handles the OS dependent sendfile implementations.
+ * The API is such that it returns -1 on error, else returns the
+ * number of bytes written.
+ */
+
+#include "includes.h"
+
+#if defined(LINUX_SENDFILE_API)
+
+#include <sys/sendfile.h>
+
+#ifndef MSG_MORE
+#define MSG_MORE 0x8000
+#endif
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	size_t total=0;
+	ssize_t ret;
+	size_t hdr_len = 0;
+
+	/*
+	 * Send the header first.
+	 * Use MSG_MORE to cork the TCP output until sendfile is called.
+	 */
+
+	if (header) {
+		hdr_len = header->length;
+		while (total < hdr_len) {
+			ret = sys_send(tofd, header->data + total,hdr_len - total, MSG_MORE);
+			if (ret == -1)
+				return -1;
+			total += ret;
+		}
+	}
+
+	total = count;
+	while (total) {
+		ssize_t nwritten;
+		do {
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_SENDFILE64)
+			nwritten = sendfile64(tofd, fromfd, &offset, total);
+#else
+			nwritten = sendfile(tofd, fromfd, &offset, total);
+#endif
+		} while (nwritten == -1 && errno == EINTR);
+		if (nwritten == -1) {
+			if (errno == ENOSYS) {
+				/* Ok - we're in a world of pain here. We just sent
+				 * the header, but the sendfile failed. We have to
+				 * emulate the sendfile at an upper layer before we
+				 * disable it's use. So we do something really ugly.
+				 * We set the errno to a strange value so we can detect
+				 * this at the upper level and take care of it without
+				 * layer violation. JRA.
+				 */
+				errno = EINTR; /* Normally we can never return this. */
+			}
+			return -1;
+		}
+		if (nwritten == 0)
+			return -1; /* I think we're at EOF here... */
+		total -= nwritten;
+	}
+	return count + hdr_len;
+}
+
+#elif defined(LINUX_BROKEN_SENDFILE_API)
+
+/*
+ * We must use explicit 32 bit types here. This code path means Linux
+ * won't do proper 64-bit sendfile. JRA.
+ */
+
+extern int32 sendfile (int out_fd, int in_fd, int32 *offset, uint32 count);
+
+
+#ifndef MSG_MORE
+#define MSG_MORE 0x8000
+#endif
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	size_t total=0;
+	ssize_t ret;
+	ssize_t hdr_len = 0;
+	uint32 small_total = 0;
+	int32 small_offset;
+
+	/* 
+	 * Fix for broken Linux 2.4 systems with no working sendfile64().
+	 * If the offset+count > 2 GB then pretend we don't have the
+	 * system call sendfile at all. The upper layer catches this
+	 * and uses a normal read. JRA.
+	 */
+
+	if ((sizeof(SMB_OFF_T) >= 8) && (offset + count > (SMB_OFF_T)0x7FFFFFFF)) {
+		errno = ENOSYS;
+		return -1;
+	}
+
+	/*
+	 * Send the header first.
+	 * Use MSG_MORE to cork the TCP output until sendfile is called.
+	 */
+
+	if (header) {
+		hdr_len = header->length;
+		while (total < hdr_len) {
+			ret = sys_send(tofd, header->data + total,hdr_len - total, MSG_MORE);
+			if (ret == -1)
+				return -1;
+			total += ret;
+		}
+	}
+
+	small_total = (uint32)count;
+	small_offset = (int32)offset;
+
+	while (small_total) {
+		int32 nwritten;
+		do {
+			nwritten = sendfile(tofd, fromfd, &small_offset, small_total);
+		} while (nwritten == -1 && errno == EINTR);
+		if (nwritten == -1) {
+			if (errno == ENOSYS) {
+				/* Ok - we're in a world of pain here. We just sent
+				 * the header, but the sendfile failed. We have to
+				 * emulate the sendfile at an upper layer before we
+				 * disable it's use. So we do something really ugly.
+				 * We set the errno to a strange value so we can detect
+				 * this at the upper level and take care of it without
+				 * layer violation. JRA.
+				 */
+				errno = EINTR; /* Normally we can never return this. */
+			}
+			return -1;
+		}
+		if (nwritten == 0)
+			return -1; /* I think we're at EOF here... */
+		small_total -= nwritten;
+	}
+	return count + hdr_len;
+}
+
+
+#elif defined(SOLARIS_SENDFILE_API)
+
+/*
+ * Solaris sendfile code written by Pierre Belanger <belanger@pobox.com>.
+ */
+
+#include <sys/sendfile.h>
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	int sfvcnt;
+	size_t total, xferred;
+	struct sendfilevec vec[2];
+	ssize_t hdr_len = 0;
+
+	if (header) {
+		sfvcnt = 2;
+
+		vec[0].sfv_fd = SFV_FD_SELF;
+		vec[0].sfv_flag = 0;
+		vec[0].sfv_off = (off_t)header->data;
+		vec[0].sfv_len = hdr_len = header->length;
+
+		vec[1].sfv_fd = fromfd;
+		vec[1].sfv_flag = 0;
+		vec[1].sfv_off = offset;
+		vec[1].sfv_len = count;
+
+	} else {
+		sfvcnt = 1;
+
+		vec[0].sfv_fd = fromfd;
+		vec[0].sfv_flag = 0;
+		vec[0].sfv_off = offset;
+		vec[0].sfv_len = count;
+	}
+
+	total = count + hdr_len;
+
+	while (total) {
+		ssize_t nwritten;
+
+		/*
+		 * Although not listed in the API error returns, this is almost certainly
+		 * a slow system call and will be interrupted by a signal with EINTR. JRA.
+		 */
+
+		xferred = 0;
+
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_SENDFILEV64)
+			nwritten = sendfilev64(tofd, vec, sfvcnt, &xferred);
+#else
+			nwritten = sendfilev(tofd, vec, sfvcnt, &xferred);
+#endif
+		if (nwritten == -1 && errno == EINTR) {
+			if (xferred == 0)
+				continue; /* Nothing written yet. */
+			else
+				nwritten = xferred;
+		}
+
+		if (nwritten == -1)
+			return -1;
+		if (nwritten == 0)
+			return -1; /* I think we're at EOF here... */
+
+		/*
+		 * If this was a short (signal interrupted) write we may need
+		 * to subtract it from the header data, or null out the header
+		 * data altogether if we wrote more than vec[0].sfv_len bytes.
+		 * We move vec[1].* to vec[0].* and set sfvcnt to 1
+		 */
+
+		if (sfvcnt == 2 && nwritten >= vec[0].sfv_len) {
+			vec[1].sfv_off += nwritten - vec[0].sfv_len;
+			vec[1].sfv_len -= nwritten - vec[0].sfv_len;
+
+			/* Move vec[1].* to vec[0].* and set sfvcnt to 1 */
+			vec[0] = vec[1];
+			sfvcnt = 1;
+		} else {
+			vec[0].sfv_off += nwritten;
+			vec[0].sfv_len -= nwritten;
+		}
+		total -= nwritten;
+	}
+	return count + hdr_len;
+}
+
+#elif defined(HPUX_SENDFILE_API)
+
+#include <sys/socket.h>
+#include <sys/uio.h>
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	size_t total=0;
+	struct iovec hdtrl[2];
+	size_t hdr_len = 0;
+
+	if (header) {
+		/* Set up the header/trailer iovec. */
+		hdtrl[0].iov_base = header->data;
+		hdtrl[0].iov_len = hdr_len = header->length;
+	} else {
+		hdtrl[0].iov_base = NULL;
+		hdtrl[0].iov_len = hdr_len = 0;
+	}
+	hdtrl[1].iov_base = NULL;
+	hdtrl[1].iov_len = 0;
+
+	total = count;
+	while (total + hdtrl[0].iov_len) {
+		ssize_t nwritten;
+
+		/*
+		 * HPUX guarantees that if any data was written before
+		 * a signal interrupt then sendfile returns the number of
+		 * bytes written (which may be less than requested) not -1.
+		 * nwritten includes the header data sent.
+		 */
+
+		do {
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_SENDFILE64)
+			nwritten = sendfile64(tofd, fromfd, offset, total, &hdtrl[0], 0);
+#else
+			nwritten = sendfile(tofd, fromfd, offset, total, &hdtrl[0], 0);
+#endif
+		} while (nwritten == -1 && errno == EINTR);
+		if (nwritten == -1)
+			return -1;
+		if (nwritten == 0)
+			return -1; /* I think we're at EOF here... */
+
+		/*
+		 * If this was a short (signal interrupted) write we may need
+		 * to subtract it from the header data, or null out the header
+		 * data altogether if we wrote more than hdtrl[0].iov_len bytes.
+		 * We change nwritten to be the number of file bytes written.
+		 */
+
+		if (hdtrl[0].iov_base && hdtrl[0].iov_len) {
+			if (nwritten >= hdtrl[0].iov_len) {
+				nwritten -= hdtrl[0].iov_len;
+				hdtrl[0].iov_base = NULL;
+				hdtrl[0].iov_len = 0;
+			} else {
+				/* iov_base is defined as a void *... */
+				hdtrl[0].iov_base = ((char *)hdtrl[0].iov_base) + nwritten;
+				hdtrl[0].iov_len -= nwritten;
+				nwritten = 0;
+			}
+		}
+		total -= nwritten;
+		offset += nwritten;
+	}
+	return count + hdr_len;
+}
+
+#elif defined(FREEBSD_SENDFILE_API)
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	size_t total=0;
+	struct sf_hdtr hdr;
+	struct iovec hdtrl;
+	size_t hdr_len = 0;
+
+	hdr.headers = &hdtrl;
+	hdr.hdr_cnt = 1;
+	hdr.trailers = NULL;
+	hdr.trl_cnt = 0;
+
+	/* Set up the header iovec. */
+	if (header) {
+		hdtrl.iov_base = header->data;
+		hdtrl.iov_len = hdr_len = header->length;
+	} else {
+		hdtrl.iov_base = NULL;
+		hdtrl.iov_len = 0;
+	}
+
+	total = count;
+	while (total + hdtrl.iov_len) {
+		SMB_OFF_T nwritten;
+		int ret;
+
+		/*
+		 * FreeBSD sendfile returns 0 on success, -1 on error.
+		 * Remember, the tofd and fromfd are reversed..... :-).
+		 * nwritten includes the header data sent.
+		 */
+
+		do {
+			ret = sendfile(fromfd, tofd, offset, total, &hdr, &nwritten, 0);
+		} while (ret == -1 && errno == EINTR);
+		if (ret == -1)
+			return -1;
+
+		if (nwritten == 0)
+			return -1; /* I think we're at EOF here... */
+
+		/*
+		 * If this was a short (signal interrupted) write we may need
+		 * to subtract it from the header data, or null out the header
+		 * data altogether if we wrote more than hdtrl.iov_len bytes.
+		 * We change nwritten to be the number of file bytes written.
+		 */
+
+		if (hdtrl.iov_base && hdtrl.iov_len) {
+			if (nwritten >= hdtrl.iov_len) {
+				nwritten -= hdtrl.iov_len;
+				hdtrl.iov_base = NULL;
+				hdtrl.iov_len = 0;
+			} else {
+				hdtrl.iov_base =
+				    (caddr_t)hdtrl.iov_base + nwritten;
+				hdtrl.iov_len -= nwritten;
+				nwritten = 0;
+			}
+		}
+		total -= nwritten;
+		offset += nwritten;
+	}
+	return count + hdr_len;
+}
+
+#elif defined(AIX_SENDFILE_API)
+
+/* BEGIN AIX SEND_FILE */
+
+/* Contributed by William Jojo <jojowil@hvcc.edu> */
+#include <sys/socket.h>
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	struct sf_parms hdtrl;
+
+	/* Set up the header/trailer struct params. */
+	if (header) {
+		hdtrl.header_data = header->data;
+		hdtrl.header_length = header->length;
+	} else {
+		hdtrl.header_data = NULL;
+		hdtrl.header_length = 0;
+	}
+	hdtrl.trailer_data = NULL;
+	hdtrl.trailer_length = 0;
+
+	hdtrl.file_descriptor = fromfd;
+	hdtrl.file_offset = offset;
+	hdtrl.file_bytes = count;
+
+	while ( hdtrl.file_bytes + hdtrl.header_length ) {
+		ssize_t ret;
+
+		/*
+		 Return Value
+
+		 There are three possible return values from send_file:
+
+		 Value Description
+
+		 -1 an error has occurred, errno contains the error code.
+
+		 0 the command has completed successfully.
+
+		 1 the command was completed partially, some data has been
+		 transmitted but the command has to return for some reason,
+		 for example, the command was interrupted by signals.
+		*/
+		do {
+			ret = send_file(&tofd, &hdtrl, 0);
+		} while ( (ret == 1) || (ret == -1 && errno == EINTR) );
+		if ( ret == -1 )
+			return -1;
+	}
+
+	return count + header->length;
+}
+/* END AIX SEND_FILE */
+
+#else /* No sendfile implementation. Return error. */
+
+ssize_t sys_sendfile(int tofd, int fromfd, const DATA_BLOB *header, SMB_OFF_T offset, size_t count)
+{
+	/* No sendfile syscall. */
+	errno = ENOSYS;
+	return -1;
+}
+#endif
diff --git a/source3/lib/server_mutex.c b/source3/lib/server_mutex.c
new file mode 100644
index 0000000000..43c0de1975
--- /dev/null
+++ b/source3/lib/server_mutex.c
@@ -0,0 +1,78 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Authenticate against a remote domain
+   Copyright (C) Andrew Tridgell 1992-2002
+   Copyright (C) Andrew Bartlett 2002
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* For reasons known only to MS, many of their NT/Win2k versions
+   need serialised access only.  Two connections at the same time
+   may (in certain situations) cause connections to be reset,
+   or access to be denied.
+
+   This locking allows smbd's mutlithread architecture to look
+   like the single-connection that NT makes. */
+
+struct named_mutex {
+	struct tdb_wrap *tdb;
+	char *name;
+};
+
+static int unlock_named_mutex(struct named_mutex *mutex)
+{
+	tdb_unlock_bystring(mutex->tdb->tdb, mutex->name);
+	return 0;
+}
+
+struct named_mutex *grab_named_mutex(TALLOC_CTX *mem_ctx, const char *name,
+				     int timeout)
+{
+	struct named_mutex *result;
+
+	result = talloc(mem_ctx, struct named_mutex);
+	if (result == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	result->name = talloc_strdup(result, name);
+	if (result->name == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	result->tdb = tdb_wrap_open(result, lock_path("mutex.tdb"), 0,
+				    TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+	if (result->tdb == NULL) {
+		DEBUG(1, ("Could not open mutex.tdb: %s\n",
+			  strerror(errno)));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	if (tdb_lock_bystring_with_timeout(result->tdb->tdb, name,
+					   timeout) == -1) {
+		DEBUG(1, ("Could not get the lock for %s\n", name));
+		TALLOC_FREE(result);
+		return NULL;
+	}
+
+	talloc_set_destructor(result, unlock_named_mutex);
+	return result;
+}
diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
new file mode 100644
index 0000000000..33f66ca47f
--- /dev/null
+++ b/source3/lib/sharesec.c
@@ -0,0 +1,400 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  SEC_DESC handling functions
+ *  Copyright (C) Jeremy R. Allison            1995-2003.
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/*******************************************************************
+ Create the share security tdb.
+ ********************************************************************/
+
+static struct db_context *share_db; /* used for share security descriptors */
+#define SHARE_DATABASE_VERSION_V1 1
+#define SHARE_DATABASE_VERSION_V2 2 /* version id in little endian. */
+
+/* Map generic permissions to file object specific permissions */
+
+extern const struct generic_mapping file_generic_mapping;
+
+static int delete_fn(struct db_record *rec, void *priv)
+{
+	rec->delete_rec(rec);
+	return 0;
+}
+
+static bool share_info_db_init(void)
+{
+	const char *vstring = "INFO/version";
+	int32 vers_id;
+ 
+	if (share_db != NULL) {
+		return True;
+	}
+
+	share_db = db_open(NULL, state_path("share_info.tdb"), 0,
+				 TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+	if (share_db == NULL) {
+		DEBUG(0,("Failed to open share info database %s (%s)\n",
+			state_path("share_info.tdb"), strerror(errno) ));
+		return False;
+	}
+ 
+	vers_id = dbwrap_fetch_int32(share_db, vstring);
+	if (vers_id == SHARE_DATABASE_VERSION_V2) {
+		return true;
+	}
+
+	if (share_db->transaction_start(share_db) != 0) {
+		DEBUG(0, ("transaction_start failed\n"));
+		TALLOC_FREE(share_db);
+		return false;
+	}
+
+	vers_id = dbwrap_fetch_int32(share_db, vstring);
+	if (vers_id == SHARE_DATABASE_VERSION_V2) {
+		/*
+		 * Race condition
+		 */
+		if (share_db->transaction_cancel(share_db)) {
+			smb_panic("transaction_cancel failed");
+		}
+		return true;
+	}
+
+	/* Cope with byte-reversed older versions of the db. */
+	if ((vers_id == SHARE_DATABASE_VERSION_V1) || (IREV(vers_id) == SHARE_DATABASE_VERSION_V1)) {
+		/* Written on a bigendian machine with old fetch_int code. Save as le. */
+
+		if (dbwrap_store_int32(share_db, vstring,
+				       SHARE_DATABASE_VERSION_V2) != 0) {
+			DEBUG(0, ("dbwrap_store_int32 failed\n"));
+			goto cancel;
+		}
+		vers_id = SHARE_DATABASE_VERSION_V2;
+	}
+
+	if (vers_id != SHARE_DATABASE_VERSION_V2) {
+		int ret;
+		ret = share_db->traverse(share_db, delete_fn, NULL);
+		if (ret < 0) {
+			DEBUG(0, ("traverse failed\n"));
+			goto cancel;
+		}
+		if (dbwrap_store_int32(share_db, vstring,
+				       SHARE_DATABASE_VERSION_V2) != 0) {
+			DEBUG(0, ("dbwrap_store_int32 failed\n"));
+			goto cancel;
+		}
+	}
+
+	if (share_db->transaction_commit(share_db) != 0) {
+		DEBUG(0, ("transaction_commit failed\n"));
+		return false;
+	}
+
+	return true;
+
+ cancel:
+	if (share_db->transaction_cancel(share_db)) {
+		smb_panic("transaction_cancel failed");
+	}
+
+	return false;
+}
+
+/*******************************************************************
+ Fake up a Everyone, default access as a default.
+ def_access is a GENERIC_XXX access mode.
+ ********************************************************************/
+
+SEC_DESC *get_share_security_default( TALLOC_CTX *ctx, size_t *psize, uint32 def_access)
+{
+	SEC_ACCESS sa;
+	SEC_ACE ace;
+	SEC_ACL *psa = NULL;
+	SEC_DESC *psd = NULL;
+	uint32 spec_access = def_access;
+
+	se_map_generic(&spec_access, &file_generic_mapping);
+
+	init_sec_access(&sa, def_access | spec_access );
+	init_sec_ace(&ace, &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
+
+	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &ace)) != NULL) {
+		psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+				    SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
+				    psa, psize);
+	}
+
+	if (!psd) {
+		DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n"));
+		return NULL;
+	}
+
+	return psd;
+}
+
+/*******************************************************************
+ Pull a security descriptor from the share tdb.
+ ********************************************************************/
+
+SEC_DESC *get_share_security( TALLOC_CTX *ctx, const char *servicename,
+			      size_t *psize)
+{
+	char *key;
+	SEC_DESC *psd = NULL;
+	TDB_DATA data;
+	NTSTATUS status;
+
+	if (!share_info_db_init()) {
+		return NULL;
+	}
+
+	if (!(key = talloc_asprintf(ctx, "SECDESC/%s", servicename))) {
+		DEBUG(0, ("talloc_asprintf failed\n"));
+		return NULL;
+	}
+
+	data = dbwrap_fetch_bystring(share_db, talloc_tos(), key);
+
+	TALLOC_FREE(key);
+
+	if (data.dptr == NULL) {
+		return get_share_security_default(ctx, psize,
+						  GENERIC_ALL_ACCESS);
+	}
+
+	status = unmarshall_sec_desc(ctx, data.dptr, data.dsize, &psd);
+
+	TALLOC_FREE(data.dptr);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("unmarshall_sec_desc failed: %s\n",
+			  nt_errstr(status)));
+		return NULL;
+	}
+
+	if (psd)
+		*psize = ndr_size_security_descriptor(psd, 0);
+
+	return psd;
+}
+
+/*******************************************************************
+ Store a security descriptor in the share db.
+ ********************************************************************/
+
+bool set_share_security(const char *share_name, SEC_DESC *psd)
+{
+	TALLOC_CTX *frame;
+	char *key;
+	bool ret = False;
+	TDB_DATA blob;
+	NTSTATUS status;
+
+	if (!share_info_db_init()) {
+		return False;
+	}
+
+	frame = talloc_stackframe();
+
+	status = marshall_sec_desc(frame, psd, &blob.dptr, &blob.dsize);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("marshall_sec_desc failed: %s\n",
+			  nt_errstr(status)));
+		goto out;
+	}
+
+	if (!(key = talloc_asprintf(frame, "SECDESC/%s", share_name))) {
+		DEBUG(0, ("talloc_asprintf failed\n"));
+		goto out;
+	}
+
+	status = dbwrap_trans_store(share_db, string_term_tdb_data(key), blob,
+				    TDB_REPLACE);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("set_share_security: Failed to store secdesc for "
+			  "%s: %s\n", share_name, nt_errstr(status)));
+		goto out;
+	}
+
+	DEBUG(5,("set_share_security: stored secdesc for %s\n", share_name ));
+	ret = True;
+
+ out:
+	TALLOC_FREE(frame);
+	return ret;
+}
+
+/*******************************************************************
+ Delete a security descriptor.
+********************************************************************/
+
+bool delete_share_security(const char *servicename)
+{
+	TDB_DATA kbuf;
+	char *key;
+	NTSTATUS status;
+
+	if (!(key = talloc_asprintf(talloc_tos(), "SECDESC/%s",
+				    servicename))) {
+		return False;
+	}
+	kbuf = string_term_tdb_data(key);
+
+	status = dbwrap_trans_delete(share_db, kbuf);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("delete_share_security: Failed to delete entry for "
+			  "share %s: %s\n", servicename, nt_errstr(status)));
+		return False;
+	}
+
+	return True;
+}
+
+/*******************************************************************
+ Can this user access with share with the required permissions ?
+********************************************************************/
+
+bool share_access_check(const NT_USER_TOKEN *token, const char *sharename,
+			uint32 desired_access)
+{
+	uint32 granted;
+	NTSTATUS status;
+	SEC_DESC *psd = NULL;
+	size_t sd_size;
+	bool ret = True;
+
+	psd = get_share_security(talloc_tos(), sharename, &sd_size);
+
+	if (!psd) {
+		return True;
+	}
+
+	ret = se_access_check(psd, token, desired_access, &granted, &status);
+
+	TALLOC_FREE(psd);
+
+	return ret;
+}
+
+/***************************************************************************
+ Parse the contents of an acl string from a usershare file.
+***************************************************************************/
+
+bool parse_usershare_acl(TALLOC_CTX *ctx, const char *acl_str, SEC_DESC **ppsd)
+{
+	size_t s_size = 0;
+	const char *pacl = acl_str;
+	int num_aces = 0;
+	SEC_ACE *ace_list = NULL;
+	SEC_ACL *psa = NULL;
+	SEC_DESC *psd = NULL;
+	size_t sd_size = 0;
+	int i;
+
+	*ppsd = NULL;
+
+	/* If the acl string is blank return "Everyone:R" */
+	if (!*acl_str) {
+		SEC_DESC *default_psd = get_share_security_default(ctx, &s_size, GENERIC_READ_ACCESS);
+		if (!default_psd) {
+			return False;
+		}
+		*ppsd = default_psd;
+		return True;
+	}
+
+	num_aces = 1;
+
+	/* Add the number of ',' characters to get the number of aces. */
+	num_aces += count_chars(pacl,',');
+
+	ace_list = TALLOC_ARRAY(ctx, SEC_ACE, num_aces);
+	if (!ace_list) {
+		return False;
+	}
+
+	for (i = 0; i < num_aces; i++) {
+		SEC_ACCESS sa;
+		uint32 g_access;
+		uint32 s_access;
+		DOM_SID sid;
+		char *sidstr;
+		enum security_ace_type type = SEC_ACE_TYPE_ACCESS_ALLOWED;
+
+		if (!next_token_talloc(ctx, &pacl, &sidstr, ":")) {
+			DEBUG(0,("parse_usershare_acl: malformed usershare acl looking "
+				"for ':' in string '%s'\n", pacl));
+			return False;
+		}
+
+		if (!string_to_sid(&sid, sidstr)) {
+			DEBUG(0,("parse_usershare_acl: failed to convert %s to sid.\n",
+				sidstr ));
+			return False;
+		}
+
+		switch (*pacl) {
+			case 'F': /* Full Control, ie. R+W */
+			case 'f': /* Full Control, ie. R+W */
+				s_access = g_access = GENERIC_ALL_ACCESS;
+				break;
+			case 'R': /* Read only. */
+			case 'r': /* Read only. */
+				s_access = g_access = GENERIC_READ_ACCESS;
+				break;
+			case 'D': /* Deny all to this SID. */
+			case 'd': /* Deny all to this SID. */
+				type = SEC_ACE_TYPE_ACCESS_DENIED;
+				s_access = g_access = GENERIC_ALL_ACCESS;
+				break;
+			default:
+				DEBUG(0,("parse_usershare_acl: unknown acl type at %s.\n",
+					pacl ));
+				return False;
+		}
+
+		pacl++;
+		if (*pacl && *pacl != ',') {
+			DEBUG(0,("parse_usershare_acl: bad acl string at %s.\n",
+				pacl ));
+			return False;
+		}
+		pacl++; /* Go past any ',' */
+
+		se_map_generic(&s_access, &file_generic_mapping);
+		init_sec_access(&sa, g_access | s_access );
+		init_sec_ace(&ace_list[i], &sid, type, sa, 0);
+	}
+
+	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, num_aces, ace_list)) != NULL) {
+		psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+				    SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
+				    psa, &sd_size);
+	}
+
+	if (!psd) {
+		DEBUG(0,("parse_usershare_acl: Failed to make SEC_DESC.\n"));
+		return False;
+	}
+
+	*ppsd = psd;
+	return True;
+}
diff --git a/source3/lib/signal.c b/source3/lib/signal.c
new file mode 100644
index 0000000000..4b1c95eb77
--- /dev/null
+++ b/source3/lib/signal.c
@@ -0,0 +1,138 @@
+/* 
+   Unix SMB/CIFS implementation.
+   signal handling functions
+
+   Copyright (C) Andrew Tridgell 1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/****************************************************************************
+ Catch child exits and reap the child zombie status.
+****************************************************************************/
+
+static void sig_cld(int signum)
+{
+	while (sys_waitpid((pid_t)-1,(int *)NULL, WNOHANG) > 0)
+		;
+
+	/*
+	 * Turns out it's *really* important not to
+	 * restore the signal handler here if we have real POSIX
+	 * signal handling. If we do, then we get the signal re-delivered
+	 * immediately - hey presto - instant loop ! JRA.
+	 */
+
+#if !defined(HAVE_SIGACTION)
+	CatchSignal(SIGCLD, sig_cld);
+#endif
+}
+
+/****************************************************************************
+catch child exits - leave status;
+****************************************************************************/
+
+static void sig_cld_leave_status(int signum)
+{
+	/*
+	 * Turns out it's *really* important not to
+	 * restore the signal handler here if we have real POSIX
+	 * signal handling. If we do, then we get the signal re-delivered
+	 * immediately - hey presto - instant loop ! JRA.
+	 */
+
+#if !defined(HAVE_SIGACTION)
+	CatchSignal(SIGCLD, sig_cld_leave_status);
+#endif
+}
+
+/*******************************************************************
+ Block sigs.
+********************************************************************/
+
+void BlockSignals(bool block,int signum)
+{
+#ifdef HAVE_SIGPROCMASK
+	sigset_t set;
+	sigemptyset(&set);
+	sigaddset(&set,signum);
+	sigprocmask(block?SIG_BLOCK:SIG_UNBLOCK,&set,NULL);
+#elif defined(HAVE_SIGBLOCK)
+	if (block) {
+		sigblock(sigmask(signum));
+	} else {
+		sigsetmask(siggetmask() & ~sigmask(signum));
+	}
+#else
+	/* yikes! This platform can't block signals? */
+	static int done;
+	if (!done) {
+		DEBUG(0,("WARNING: No signal blocking available\n"));
+		done=1;
+	}
+#endif
+}
+
+/*******************************************************************
+ Catch a signal. This should implement the following semantics:
+
+ 1) The handler remains installed after being called.
+ 2) The signal should be blocked during handler execution.
+********************************************************************/
+
+void (*CatchSignal(int signum,void (*handler)(int )))(int)
+{
+#ifdef HAVE_SIGACTION
+	struct sigaction act;
+	struct sigaction oldact;
+
+	ZERO_STRUCT(act);
+
+	act.sa_handler = handler;
+#ifdef SA_RESTART
+	/*
+	 * We *want* SIGALRM to interrupt a system call.
+	 */
+	if(signum != SIGALRM)
+		act.sa_flags = SA_RESTART;
+#endif
+	sigemptyset(&act.sa_mask);
+	sigaddset(&act.sa_mask,signum);
+	sigaction(signum,&act,&oldact);
+	return oldact.sa_handler;
+#else /* !HAVE_SIGACTION */
+	/* FIXME: need to handle sigvec and systems with broken signal() */
+	return signal(signum, handler);
+#endif
+}
+
+/*******************************************************************
+ Ignore SIGCLD via whatever means is necessary for this OS.
+********************************************************************/
+
+void CatchChild(void)
+{
+	CatchSignal(SIGCLD, sig_cld);
+}
+
+/*******************************************************************
+ Catch SIGCLD but leave the child around so it's status can be reaped.
+********************************************************************/
+
+void CatchChildLeaveStatus(void)
+{
+	CatchSignal(SIGCLD, sig_cld_leave_status);
+}
diff --git a/source3/lib/smbconf/smbconf.c b/source3/lib/smbconf/smbconf.c
new file mode 100644
index 0000000000..1a9b4e07f9
--- /dev/null
+++ b/source3/lib/smbconf/smbconf.c
@@ -0,0 +1,388 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library
+ *  Copyright (C) Michael Adam 2007-2008
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "smbconf_private.h"
+
+/**********************************************************************
+ *
+ * internal helper functions
+ *
+ **********************************************************************/
+
+static WERROR smbconf_global_check(struct smbconf_ctx *ctx)
+{
+	if (!smbconf_share_exists(ctx, GLOBAL_NAME)) {
+		return smbconf_create_share(ctx, GLOBAL_NAME);
+	}
+	return WERR_OK;
+}
+
+
+/**********************************************************************
+ *
+ * The actual libsmbconf API functions that are exported.
+ *
+ **********************************************************************/
+
+/**
+ * Close the configuration.
+ */
+void smbconf_shutdown(struct smbconf_ctx *ctx)
+{
+	TALLOC_FREE(ctx);
+}
+
+/**
+ * Detect changes in the configuration.
+ * The given csn struct is filled with the current csn.
+ * smbconf_changed() can also be used for initial retrieval
+ * of the csn.
+ */
+bool smbconf_changed(struct smbconf_ctx *ctx, struct smbconf_csn *csn,
+		     const char *service, const char *param)
+{
+	struct smbconf_csn old_csn;
+
+	if (csn == NULL) {
+		return false;
+	}
+
+	old_csn = *csn;
+
+	ctx->ops->get_csn(ctx, csn, service, param);
+	return (csn->csn != old_csn.csn);
+}
+
+/**
+ * Drop the whole configuration (restarting empty).
+ */
+WERROR smbconf_drop(struct smbconf_ctx *ctx)
+{
+	return ctx->ops->drop(ctx);
+}
+
+/**
+ * Get the whole configuration as lists of strings with counts:
+ *
+ *  num_shares   : number of shares
+ *  share_names  : list of length num_shares of share names
+ *  num_params   : list of length num_shares of parameter counts for each share
+ *  param_names  : list of lists of parameter names for each share
+ *  param_values : list of lists of parameter values for each share
+ */
+WERROR smbconf_get_config(struct smbconf_ctx *ctx,
+			  TALLOC_CTX *mem_ctx,
+			  uint32_t *num_shares,
+			  struct smbconf_service ***services)
+{
+	WERROR werr = WERR_OK;
+	TALLOC_CTX *tmp_ctx = NULL;
+	uint32_t tmp_num_shares;
+	char **tmp_share_names;
+	struct smbconf_service **tmp_services;
+	uint32_t count;
+
+	if ((num_shares == NULL) || (services == NULL)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	werr = smbconf_get_share_names(ctx, tmp_ctx, &tmp_num_shares,
+				       &tmp_share_names);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	tmp_services = TALLOC_ARRAY(tmp_ctx, struct smbconf_service *,
+				    tmp_num_shares);
+
+	if (tmp_services == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	for (count = 0; count < tmp_num_shares; count++) {
+		werr = smbconf_get_share(ctx, tmp_services,
+					 tmp_share_names[count],
+					 &tmp_services[count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+	}
+
+	werr = WERR_OK;
+
+	*num_shares = tmp_num_shares;
+	if (tmp_num_shares > 0) {
+		*services = talloc_move(mem_ctx, &tmp_services);
+	} else {
+		*services = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * get the list of share names defined in the configuration.
+ */
+WERROR smbconf_get_share_names(struct smbconf_ctx *ctx,
+			       TALLOC_CTX *mem_ctx,
+			       uint32_t *num_shares,
+			       char ***share_names)
+{
+	return ctx->ops->get_share_names(ctx, mem_ctx, num_shares,
+					 share_names);
+}
+
+/**
+ * check if a share/service of a given name exists
+ */
+bool smbconf_share_exists(struct smbconf_ctx *ctx,
+			  const char *servicename)
+{
+	return ctx->ops->share_exists(ctx, servicename);
+}
+
+/**
+ * Add a service if it does not already exist.
+ */
+WERROR smbconf_create_share(struct smbconf_ctx *ctx,
+			    const char *servicename)
+{
+	if ((servicename != NULL) && smbconf_share_exists(ctx, servicename)) {
+		return WERR_ALREADY_EXISTS;
+	}
+
+	return ctx->ops->create_share(ctx, servicename);
+}
+
+/**
+ * get a definition of a share (service) from configuration.
+ */
+WERROR smbconf_get_share(struct smbconf_ctx *ctx,
+			 TALLOC_CTX *mem_ctx,
+			 const char *servicename,
+			 struct smbconf_service **service)
+{
+	if (!smbconf_share_exists(ctx, servicename)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->get_share(ctx, mem_ctx, servicename, service);
+}
+
+/**
+ * delete a service from configuration
+ */
+WERROR smbconf_delete_share(struct smbconf_ctx *ctx, const char *servicename)
+{
+	if (!smbconf_share_exists(ctx, servicename)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->delete_share(ctx, servicename);
+}
+
+/**
+ * set a configuration parameter to the value provided.
+ */
+WERROR smbconf_set_parameter(struct smbconf_ctx *ctx,
+			     const char *service,
+			     const char *param,
+			     const char *valstr)
+{
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->set_parameter(ctx, service, param, valstr);
+}
+
+/**
+ * Set a global parameter
+ * (i.e. a parameter in the [global] service).
+ *
+ * This also creates [global] when it does not exist.
+ */
+WERROR smbconf_set_global_parameter(struct smbconf_ctx *ctx,
+				    const char *param, const char *val)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_set_parameter(ctx, GLOBAL_NAME, param, val);
+	}
+
+	return werr;
+}
+
+/**
+ * get the value of a configuration parameter as a string
+ */
+WERROR smbconf_get_parameter(struct smbconf_ctx *ctx,
+			     TALLOC_CTX *mem_ctx,
+			     const char *service,
+			     const char *param,
+			     char **valstr)
+{
+	if (valstr == NULL) {
+		return WERR_INVALID_PARAM;
+	}
+
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->get_parameter(ctx, mem_ctx, service, param, valstr);
+}
+
+/**
+ * Get the value of a global parameter.
+ *
+ * Create [global] if it does not exist.
+ */
+WERROR smbconf_get_global_parameter(struct smbconf_ctx *ctx,
+				    TALLOC_CTX *mem_ctx,
+				    const char *param,
+				    char **valstr)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_get_parameter(ctx, mem_ctx, GLOBAL_NAME, param,
+					     valstr);
+	}
+
+	return werr;
+}
+
+/**
+ * delete a parameter from configuration
+ */
+WERROR smbconf_delete_parameter(struct smbconf_ctx *ctx,
+				const char *service, const char *param)
+{
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->delete_parameter(ctx, service, param);
+}
+
+/**
+ * Delete a global parameter.
+ *
+ * Create [global] if it does not exist.
+ */
+WERROR smbconf_delete_global_parameter(struct smbconf_ctx *ctx,
+				       const char *param)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_delete_parameter(ctx, GLOBAL_NAME, param);
+	}
+
+	return werr;
+}
+
+WERROR smbconf_get_includes(struct smbconf_ctx *ctx,
+			    TALLOC_CTX *mem_ctx,
+			    const char *service,
+			    uint32_t *num_includes, char ***includes)
+{
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->get_includes(ctx, mem_ctx, service, num_includes,
+				      includes);
+}
+
+WERROR smbconf_get_global_includes(struct smbconf_ctx *ctx,
+				   TALLOC_CTX *mem_ctx,
+				   uint32_t *num_includes, char ***includes)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_get_includes(ctx, mem_ctx, GLOBAL_NAME,
+					    num_includes, includes);
+	}
+
+	return werr;
+}
+
+WERROR smbconf_set_includes(struct smbconf_ctx *ctx,
+			    const char *service,
+			    uint32_t num_includes, const char **includes)
+{
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->set_includes(ctx, service, num_includes, includes);
+}
+
+WERROR smbconf_set_global_includes(struct smbconf_ctx *ctx,
+				   uint32_t num_includes,
+				   const char **includes)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_set_includes(ctx, GLOBAL_NAME,
+					    num_includes, includes);
+	}
+
+	return werr;
+}
+
+
+WERROR smbconf_delete_includes(struct smbconf_ctx *ctx, const char *service)
+{
+	if (!smbconf_share_exists(ctx, service)) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	return ctx->ops->delete_includes(ctx, service);
+}
+
+WERROR smbconf_delete_global_includes(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+
+	werr = smbconf_global_check(ctx);
+	if (W_ERROR_IS_OK(werr)) {
+		werr = smbconf_delete_includes(ctx, GLOBAL_NAME);
+	}
+
+	return werr;
+}
diff --git a/source3/lib/smbconf/smbconf.h b/source3/lib/smbconf/smbconf.h
new file mode 100644
index 0000000000..e337476665
--- /dev/null
+++ b/source3/lib/smbconf/smbconf.h
@@ -0,0 +1,114 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __LIBSMBCONF_H__
+#define __LIBSMBCONF_H__
+
+struct smbconf_ctx;
+
+/* the change sequence number */
+struct smbconf_csn {
+	uint64_t csn;
+};
+
+struct smbconf_service {
+	char *name;
+	uint32_t num_params;
+	char **param_names;
+	char **param_values;
+};
+
+
+/**
+ * intialization dispatcher function.
+ * takes source string in the form of "backend:path"
+ */
+WERROR smbconf_init(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+		    const char *source);
+
+/**
+ * initialization functions for the available modules
+ */
+
+WERROR smbconf_init_reg(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+			const char *path);
+
+WERROR smbconf_init_txt(TALLOC_CTX *mem_ctx,
+			struct smbconf_ctx **conf_ctx,
+			const char *path);
+
+/*
+ * the smbconf API functions
+ */
+void smbconf_shutdown(struct smbconf_ctx *ctx);
+bool smbconf_changed(struct smbconf_ctx *ctx, struct smbconf_csn *csn,
+		     const char *service, const char *param);
+WERROR smbconf_drop(struct smbconf_ctx *ctx);
+WERROR smbconf_get_config(struct smbconf_ctx *ctx,
+			  TALLOC_CTX *mem_ctx,
+			  uint32_t *num_shares,
+			  struct smbconf_service ***services);
+WERROR smbconf_get_share_names(struct smbconf_ctx *ctx,
+			       TALLOC_CTX *mem_ctx,
+			       uint32_t *num_shares,
+			       char ***share_names);
+bool smbconf_share_exists(struct smbconf_ctx *ctx, const char *servicename);
+WERROR smbconf_create_share(struct smbconf_ctx *ctx, const char *servicename);
+WERROR smbconf_get_share(struct smbconf_ctx *ctx,
+			 TALLOC_CTX *mem_ctx,
+			 const char *servicename,
+			 struct smbconf_service **service);
+WERROR smbconf_delete_share(struct smbconf_ctx *ctx,
+			    const char *servicename);
+WERROR smbconf_set_parameter(struct smbconf_ctx *ctx,
+			     const char *service,
+			     const char *param,
+			     const char *valstr);
+WERROR smbconf_set_global_parameter(struct smbconf_ctx *ctx,
+				    const char *param, const char *val);
+WERROR smbconf_get_parameter(struct smbconf_ctx *ctx,
+			     TALLOC_CTX *mem_ctx,
+			     const char *service,
+			     const char *param,
+			     char **valstr);
+WERROR smbconf_get_global_parameter(struct smbconf_ctx *ctx,
+				    TALLOC_CTX *mem_ctx,
+				    const char *param,
+				    char **valstr);
+WERROR smbconf_delete_parameter(struct smbconf_ctx *ctx,
+				const char *service, const char *param);
+WERROR smbconf_delete_global_parameter(struct smbconf_ctx *ctx,
+				       const char *param);
+WERROR smbconf_get_includes(struct smbconf_ctx *ctx,
+			    TALLOC_CTX *mem_ctx,
+			    const char *service,
+			    uint32_t *num_includes, char ***includes);
+WERROR smbconf_get_global_includes(struct smbconf_ctx *ctx,
+				   TALLOC_CTX *mem_ctx,
+				   uint32_t *num_includes, char ***includes);
+WERROR smbconf_set_includes(struct smbconf_ctx *ctx,
+			    const char *service,
+			    uint32_t num_includes, const char **includes);
+WERROR smbconf_set_global_includes(struct smbconf_ctx *ctx,
+				   uint32_t num_includes,
+				   const char **includes);
+WERROR smbconf_delete_includes(struct smbconf_ctx *ctx, const char *service);
+WERROR smbconf_delete_global_includes(struct smbconf_ctx *ctx);
+
+#endif /*  _LIBSMBCONF_H_  */
diff --git a/source3/lib/smbconf/smbconf_init.c b/source3/lib/smbconf/smbconf_init.c
new file mode 100644
index 0000000000..4efc440819
--- /dev/null
+++ b/source3/lib/smbconf/smbconf_init.c
@@ -0,0 +1,95 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library, init dispatcher
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "smbconf_private.h"
+
+#define INCLUDES_VALNAME "includes"
+
+
+/**
+ * smbconf initialization dispatcher
+ *
+ * this takes a configuration source in the form of
+ * backend:path and calles the appropriate backend
+ * init function with the path argument
+ *
+ * known backends:
+ * -  "registry" or "reg"
+ * -  "txt" or "file"
+ */
+WERROR smbconf_init(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+		    const char *source)
+{
+	WERROR werr;
+	char *backend = NULL;
+	char *path = NULL;
+	char *sep;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	if (conf_ctx == NULL) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	if ((source == NULL) || (*source == '\0')) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	backend = talloc_strdup(tmp_ctx, source);
+	if (backend == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	sep = strchr(backend, ':');
+	if (sep != NULL) {
+		*sep = '\0';
+		path = sep + 1;
+		if (strlen(path) == 0) {
+			path = NULL;
+		}
+	}
+
+	if (strequal(backend, "registry") || strequal(backend, "reg")) {
+		werr = smbconf_init_reg(mem_ctx, conf_ctx, path);
+	} else if (strequal(backend, "file") || strequal(backend, "txt")) {
+		werr = smbconf_init_txt(mem_ctx, conf_ctx, path);
+	} else if (sep == NULL) {
+		/*
+		 * If no separator was given in the source, and the string is
+		 * not a know backend, assume file backend and use the source
+		 * string as a path argument.
+		 */
+		werr = smbconf_init_txt(mem_ctx, conf_ctx, backend);
+	} else {
+		/*
+		 * Separator was specified but this is not a known backend.
+		 * Can't handle this.
+		 */
+		DEBUG(1, ("smbconf_init: ERROR - unknown backend '%s' given\n",
+			  backend));
+		werr = WERR_INVALID_PARAM;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
diff --git a/source3/lib/smbconf/smbconf_private.h b/source3/lib/smbconf/smbconf_private.h
new file mode 100644
index 0000000000..8e7d6a9983
--- /dev/null
+++ b/source3/lib/smbconf/smbconf_private.h
@@ -0,0 +1,85 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __LIBSMBCONF_PRIVATE_H__
+#define __LIBSMBCONF_PRIVATE_H__
+
+struct smbconf_ops {
+	WERROR (*init)(struct smbconf_ctx *ctx, const char *path);
+	int (*shutdown)(struct smbconf_ctx *ctx);
+	WERROR (*open_conf)(struct smbconf_ctx *ctx);
+	int (*close_conf)(struct smbconf_ctx *ctx);
+	void (*get_csn)(struct smbconf_ctx *ctx, struct smbconf_csn *csn,
+			const char *service, const char *param);
+	WERROR (*drop)(struct smbconf_ctx *ctx);
+	WERROR (*get_share_names)(struct smbconf_ctx *ctx,
+				  TALLOC_CTX *mem_ctx,
+				  uint32_t *num_shares,
+				  char ***share_names);
+	bool (*share_exists)(struct smbconf_ctx *ctx, const char *service);
+	WERROR (*create_share)(struct smbconf_ctx *ctx, const char *service);
+	WERROR (*get_share)(struct smbconf_ctx *ctx,
+			    TALLOC_CTX *mem_ctx,
+			    const char *servicename,
+			    struct smbconf_service **service);
+	WERROR (*delete_share)(struct smbconf_ctx *ctx,
+				    const char *servicename);
+	WERROR (*set_parameter)(struct smbconf_ctx *ctx,
+				const char *service,
+				const char *param,
+				const char *valstr);
+	WERROR (*get_parameter)(struct smbconf_ctx *ctx,
+				TALLOC_CTX *mem_ctx,
+				const char *service,
+				const char *param,
+				char **valstr);
+	WERROR (*delete_parameter)(struct smbconf_ctx *ctx,
+				   const char *service, const char *param);
+	WERROR (*get_includes)(struct smbconf_ctx *ctx,
+			       TALLOC_CTX *mem_ctx,
+			       const char *service,
+			       uint32_t *num_includes, char ***includes);
+	WERROR (*set_includes)(struct smbconf_ctx *ctx,
+			       const char *service,
+			       uint32_t num_includes, const char **includes);
+	WERROR (*delete_includes)(struct smbconf_ctx *ctx,
+				  const char *service);
+};
+
+struct smbconf_ctx {
+	const char *path;
+	struct smbconf_ops *ops;
+	void *data; /* private data for use in backends */
+};
+
+WERROR smbconf_init_internal(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+			     const char *path, struct smbconf_ops *ops);
+
+WERROR smbconf_add_string_to_array(TALLOC_CTX *mem_ctx,
+				   char ***array,
+				   uint32_t count,
+				   const char *string);
+
+bool smbconf_find_in_array(const char *string, char **list,
+			   uint32_t num_entries, uint32_t *entry);
+
+bool smbconf_reverse_find_in_array(const char *string, char **list,
+				   uint32_t num_entries, uint32_t *entry);
+
+#endif
diff --git a/source3/lib/smbconf/smbconf_reg.c b/source3/lib/smbconf/smbconf_reg.c
new file mode 100644
index 0000000000..033f800e2a
--- /dev/null
+++ b/source3/lib/smbconf/smbconf_reg.c
@@ -0,0 +1,1148 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library, registry backend
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "smbconf_private.h"
+
+#define INCLUDES_VALNAME "includes"
+
+struct reg_private_data {
+	NT_USER_TOKEN *token;
+	bool open;		/* did _we_ open the registry? */
+};
+
+/**********************************************************************
+ *
+ * helper functions
+ *
+ **********************************************************************/
+
+/**
+ * a convenience helper to cast the private data structure
+ */
+static struct reg_private_data *rpd(struct smbconf_ctx *ctx)
+{
+	return (struct reg_private_data *)(ctx->data);
+}
+
+/*
+ * check whether a given value name is forbidden in registry (smbconf)
+ */
+static bool smbconf_reg_valname_forbidden(const char *valname)
+{
+	/* hard code the list of forbidden names here for now */
+	const char *forbidden_valnames[] = {
+		"lock directory",
+		"lock dir",
+		"config backend",
+		"include",
+		"includes", /* this has a special meaning internally */
+		NULL
+	};
+	const char **forbidden = NULL;
+
+	for (forbidden = forbidden_valnames; *forbidden != NULL; forbidden++) {
+		if (strwicmp(valname, *forbidden) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+
+static bool smbconf_reg_valname_valid(const char *valname)
+{
+	return (!smbconf_reg_valname_forbidden(valname) &&
+		lp_parameter_is_valid(valname));
+}
+
+/**
+ * Open a registry key specified by "path"
+ */
+static WERROR smbconf_reg_open_path(TALLOC_CTX *mem_ctx,
+				    struct smbconf_ctx *ctx,
+				    const char *path,
+				    uint32 desired_access,
+				    struct registry_key **key)
+{
+	WERROR werr = WERR_OK;
+
+	if (ctx == NULL) {
+		DEBUG(1, ("Error: configuration is not open!\n"));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	if (rpd(ctx)->token == NULL) {
+		DEBUG(1, ("Error: token missing from smbconf_ctx. "
+			  "was smbconf_init() called?\n"));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	werr = ctx->ops->open_conf(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(1, ("Error opening the registry.\n"));
+		goto done;
+	}
+
+	if (path == NULL) {
+		DEBUG(1, ("Error: NULL path string given\n"));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	werr = reg_open_path(mem_ctx, path, desired_access, rpd(ctx)->token,
+			     key);
+
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(5, ("Error opening registry path '%s': %s\n",
+			  path, dos_errstr(werr)));
+	}
+
+done:
+	return werr;
+}
+
+/**
+ * Open a subkey of the base key (i.e a service)
+ */
+static WERROR smbconf_reg_open_service_key(TALLOC_CTX *mem_ctx,
+					   struct smbconf_ctx *ctx,
+					   const char *servicename,
+					   uint32 desired_access,
+					   struct registry_key **key)
+{
+	WERROR werr = WERR_OK;
+	char *path = NULL;
+
+	if (servicename == NULL) {
+		path = talloc_strdup(mem_ctx, ctx->path);
+	} else {
+		path = talloc_asprintf(mem_ctx, "%s\\%s", ctx->path,
+				       servicename);
+	}
+	if (path == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	werr = smbconf_reg_open_path(mem_ctx, ctx, path, desired_access, key);
+
+done:
+	TALLOC_FREE(path);
+	return werr;
+}
+
+/**
+ * open the base key
+ */
+static WERROR smbconf_reg_open_base_key(TALLOC_CTX *mem_ctx,
+					struct smbconf_ctx *ctx,
+					uint32 desired_access,
+					struct registry_key **key)
+{
+	return smbconf_reg_open_path(mem_ctx, ctx, ctx->path, desired_access,
+				     key);
+}
+
+/**
+ * check if a value exists in a given registry key
+ */
+static bool smbconf_value_exists(struct registry_key *key, const char *param)
+{
+	bool ret = false;
+	WERROR werr = WERR_OK;
+	TALLOC_CTX *ctx = talloc_stackframe();
+	struct registry_value *value = NULL;
+
+	werr = reg_queryvalue(ctx, key, param, &value);
+	if (W_ERROR_IS_OK(werr)) {
+		ret = true;
+	}
+
+	TALLOC_FREE(ctx);
+	return ret;
+}
+
+/**
+ * create a subkey of the base key (i.e. a service...)
+ */
+static WERROR smbconf_reg_create_service_key(TALLOC_CTX *mem_ctx,
+					     struct smbconf_ctx *ctx,
+					     const char * subkeyname,
+					     struct registry_key **newkey)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *create_parent = NULL;
+	TALLOC_CTX *create_ctx;
+	enum winreg_CreateAction action = REG_ACTION_NONE;
+
+	/* create a new talloc ctx for creation. it will hold
+	 * the intermediate parent key (SMBCONF) for creation
+	 * and will be destroyed when leaving this function... */
+	create_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_base_key(create_ctx, ctx, REG_KEY_WRITE,
+					 &create_parent);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = reg_createkey(mem_ctx, create_parent, subkeyname,
+			     REG_KEY_WRITE, newkey, &action);
+	if (W_ERROR_IS_OK(werr) && (action != REG_CREATED_NEW_KEY)) {
+		DEBUG(10, ("Key '%s' already exists.\n", subkeyname));
+		werr = WERR_ALREADY_EXISTS;
+	}
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(5, ("Error creating key %s: %s\n",
+			 subkeyname, dos_errstr(werr)));
+	}
+
+done:
+	TALLOC_FREE(create_ctx);
+	return werr;
+}
+
+/**
+ * add a value to a key.
+ */
+static WERROR smbconf_reg_set_value(struct registry_key *key,
+				    const char *valname,
+				    const char *valstr)
+{
+	struct registry_value val;
+	WERROR werr = WERR_OK;
+	char *subkeyname;
+	const char *canon_valname;
+	const char *canon_valstr;
+
+	if (!lp_canonicalize_parameter_with_value(valname, valstr,
+						  &canon_valname,
+						  &canon_valstr))
+	{
+		if (canon_valname == NULL) {
+			DEBUG(5, ("invalid parameter '%s' given\n",
+				  valname));
+		} else {
+			DEBUG(5, ("invalid value '%s' given for "
+				  "parameter '%s'\n", valstr, valname));
+		}
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	if (smbconf_reg_valname_forbidden(canon_valname)) {
+		DEBUG(5, ("Parameter '%s' not allowed in registry.\n",
+			  canon_valname));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	subkeyname = strrchr_m(key->key->name, '\\');
+	if ((subkeyname == NULL) || (*(subkeyname +1) == '\0')) {
+		DEBUG(5, ("Invalid registry key '%s' given as "
+			  "smbconf section.\n", key->key->name));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+	subkeyname++;
+	if (!strequal(subkeyname, GLOBAL_NAME) &&
+	    lp_parameter_is_global(valname))
+	{
+		DEBUG(5, ("Global paramter '%s' not allowed in "
+			  "service definition ('%s').\n", canon_valname,
+			  subkeyname));
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	ZERO_STRUCT(val);
+
+	val.type = REG_SZ;
+	val.v.sz.str = CONST_DISCARD(char *, canon_valstr);
+	val.v.sz.len = strlen(canon_valstr) + 1;
+
+	werr = reg_setvalue(key, canon_valname, &val);
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(5, ("Error adding value '%s' to "
+			  "key '%s': %s\n",
+			  canon_valname, key->key->name, dos_errstr(werr)));
+	}
+
+done:
+	return werr;
+}
+
+static WERROR smbconf_reg_set_multi_sz_value(struct registry_key *key,
+					     const char *valname,
+					     const uint32_t num_strings,
+					     const char **strings)
+{
+	WERROR werr;
+	struct registry_value *value;
+	uint32_t count;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	if (strings == NULL) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	value = TALLOC_ZERO_P(tmp_ctx, struct registry_value);
+
+	value->type = REG_MULTI_SZ;
+	value->v.multi_sz.num_strings = num_strings;
+	value->v.multi_sz.strings = TALLOC_ARRAY(tmp_ctx, char *, num_strings);
+	if (value->v.multi_sz.strings == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+	for (count = 0; count < num_strings; count++) {
+		value->v.multi_sz.strings[count] =
+			talloc_strdup(value->v.multi_sz.strings,
+				      strings[count]);
+		if (value->v.multi_sz.strings[count] == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	werr = reg_setvalue(key, valname, value);
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(5, ("Error adding value '%s' to key '%s': %s\n",
+			  valname, key->key->name, dos_errstr(werr)));
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * format a registry_value into a string.
+ *
+ * This is intended to be used for smbconf registry values,
+ * which are ar stored as REG_SZ values, so the incomplete
+ * handling should be ok.
+ */
+static char *smbconf_format_registry_value(TALLOC_CTX *mem_ctx,
+					   struct registry_value *value)
+{
+	char *result = NULL;
+
+	/* alternatively, create a new talloc context? */
+	if (mem_ctx == NULL) {
+		return result;
+	}
+
+	switch (value->type) {
+	case REG_DWORD:
+		result = talloc_asprintf(mem_ctx, "%d", value->v.dword);
+		break;
+	case REG_SZ:
+	case REG_EXPAND_SZ:
+		result = talloc_asprintf(mem_ctx, "%s", value->v.sz.str);
+		break;
+	case REG_MULTI_SZ: {
+		uint32 j;
+		for (j = 0; j < value->v.multi_sz.num_strings; j++) {
+			result = talloc_asprintf(mem_ctx, "%s\"%s\" ",
+						 result ? result : "" ,
+						 value->v.multi_sz.strings[j]);
+			if (result == NULL) {
+				break;
+			}
+		}
+		break;
+	}
+	case REG_BINARY:
+		result = talloc_asprintf(mem_ctx, "binary (%d bytes)",
+					 (int)value->v.binary.length);
+		break;
+	default:
+		result = talloc_asprintf(mem_ctx, "<unprintable>");
+		break;
+	}
+	return result;
+}
+
+static WERROR smbconf_reg_get_includes_internal(TALLOC_CTX *mem_ctx,
+						struct registry_key *key,
+						uint32_t *num_includes,
+						char ***includes)
+{
+	WERROR werr;
+	uint32_t count;
+	struct registry_value *value = NULL;
+	char **tmp_includes = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	if (!smbconf_value_exists(key, INCLUDES_VALNAME)) {
+		/* no includes */
+		*num_includes = 0;
+		*includes = NULL;
+		werr = WERR_OK;
+		goto done;
+	}
+
+	werr = reg_queryvalue(tmp_ctx, key, INCLUDES_VALNAME, &value);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (value->type != REG_MULTI_SZ) {
+		/* wront type -- ignore */
+		goto done;
+	}
+
+	for (count = 0; count < value->v.multi_sz.num_strings; count++)
+	{
+		werr = smbconf_add_string_to_array(tmp_ctx,
+					&tmp_includes,
+					count,
+					value->v.multi_sz.strings[count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+	}
+
+	if (count > 0) {
+		*includes = talloc_move(mem_ctx, &tmp_includes);
+		if (*includes == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+		*num_includes = count;
+	} else {
+		*num_includes = 0;
+		*includes = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * Get the values of a key as a list of value names
+ * and a list of value strings (ordered)
+ */
+static WERROR smbconf_reg_get_values(TALLOC_CTX *mem_ctx,
+				     struct registry_key *key,
+				     uint32_t *num_values,
+				     char ***value_names,
+				     char ***value_strings)
+{
+	TALLOC_CTX *tmp_ctx = NULL;
+	WERROR werr = WERR_OK;
+	uint32_t count;
+	struct registry_value *valvalue = NULL;
+	char *valname = NULL;
+	uint32_t tmp_num_values = 0;
+	char **tmp_valnames = NULL;
+	char **tmp_valstrings = NULL;
+	uint32_t num_includes = 0;
+	char **includes = NULL;
+
+	if ((num_values == NULL) || (value_names == NULL) ||
+	    (value_strings == NULL))
+	{
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	for (count = 0;
+	     werr = reg_enumvalue(tmp_ctx, key, count, &valname, &valvalue),
+	     W_ERROR_IS_OK(werr);
+	     count++)
+	{
+		char *valstring;
+
+		if (!smbconf_reg_valname_valid(valname)) {
+			continue;
+		}
+
+		werr = smbconf_add_string_to_array(tmp_ctx,
+						   &tmp_valnames,
+						   tmp_num_values, valname);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+
+		valstring = smbconf_format_registry_value(tmp_ctx, valvalue);
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_valstrings,
+						   tmp_num_values, valstring);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		tmp_num_values++;
+	}
+	if (!W_ERROR_EQUAL(WERR_NO_MORE_ITEMS, werr)) {
+		goto done;
+	}
+
+	/* now add the includes at the end */
+	werr = smbconf_reg_get_includes_internal(tmp_ctx, key, &num_includes,
+						 &includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+	for (count = 0; count < num_includes; count++) {
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_valnames,
+						   tmp_num_values, "include");
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_valstrings,
+						   tmp_num_values,
+						   includes[count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+
+		tmp_num_values++;
+	}
+
+	*num_values = tmp_num_values;
+	if (tmp_num_values > 0) {
+		*value_names = talloc_move(mem_ctx, &tmp_valnames);
+		*value_strings = talloc_move(mem_ctx, &tmp_valstrings);
+	} else {
+		*value_names = NULL;
+		*value_strings = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+static bool smbconf_reg_key_has_values(struct registry_key *key)
+{
+	WERROR werr;
+	uint32_t num_subkeys;
+	uint32_t max_subkeylen;
+	uint32_t max_subkeysize;
+	uint32_t num_values;
+	uint32_t max_valnamelen;
+	uint32_t max_valbufsize;
+	uint32_t secdescsize;
+	NTTIME last_changed_time;
+
+	werr = reg_queryinfokey(key, &num_subkeys, &max_subkeylen,
+				&max_subkeysize, &num_values, &max_valnamelen,
+				&max_valbufsize, &secdescsize,
+				&last_changed_time);
+	if (!W_ERROR_IS_OK(werr)) {
+		return false;
+	}
+
+	return (num_values != 0);
+}
+
+/**
+ * delete all values from a key
+ */
+static WERROR smbconf_reg_delete_values(struct registry_key *key)
+{
+	WERROR werr;
+	char *valname;
+	struct registry_value *valvalue;
+	uint32_t count;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	for (count = 0;
+	     werr = reg_enumvalue(mem_ctx, key, count, &valname, &valvalue),
+	     W_ERROR_IS_OK(werr);
+	     count++)
+	{
+		werr = reg_deletevalue(key, valname);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+	}
+	if (!W_ERROR_EQUAL(WERR_NO_MORE_ITEMS, werr)) {
+		DEBUG(1, ("smbconf_reg_delete_values: "
+			  "Error enumerating values of %s: %s\n",
+			  key->key->name,
+			  dos_errstr(werr)));
+		goto done;
+	}
+
+	werr = WERR_OK;
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+/**********************************************************************
+ *
+ * smbconf operations: registry implementations
+ *
+ **********************************************************************/
+
+/**
+ * initialize the registry smbconf backend
+ */
+static WERROR smbconf_reg_init(struct smbconf_ctx *ctx, const char *path)
+{
+	WERROR werr = WERR_OK;
+
+	if (path == NULL) {
+		path = KEY_SMBCONF;
+	}
+	ctx->path = talloc_strdup(ctx, path);
+	if (ctx->path == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	ctx->data = TALLOC_ZERO_P(ctx, struct reg_private_data);
+
+	werr = ntstatus_to_werror(registry_create_admin_token(ctx,
+							&(rpd(ctx)->token)));
+	if (!W_ERROR_IS_OK(werr)) {
+		DEBUG(1, ("Error creating admin token\n"));
+		goto done;
+	}
+	rpd(ctx)->open = false;
+
+	werr = registry_init_smbconf(path);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+done:
+	return werr;
+}
+
+static int smbconf_reg_shutdown(struct smbconf_ctx *ctx)
+{
+	return ctx->ops->close_conf(ctx);
+}
+
+static WERROR smbconf_reg_open(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+
+	if (rpd(ctx)->open) {
+		return WERR_OK;
+	}
+
+	werr = regdb_open();
+	if (W_ERROR_IS_OK(werr)) {
+		rpd(ctx)->open = true;
+	}
+	return werr;
+}
+
+static int smbconf_reg_close(struct smbconf_ctx *ctx)
+{
+	int ret;
+
+	if (!rpd(ctx)->open) {
+		return 0;
+	}
+
+	ret = regdb_close();
+	if (ret == 0) {
+		rpd(ctx)->open = false;
+	}
+	return ret;
+}
+
+/**
+ * Get the change sequence number of the given service/parameter.
+ * service and parameter strings may be NULL.
+ */
+static void smbconf_reg_get_csn(struct smbconf_ctx *ctx,
+				struct smbconf_csn *csn,
+				const char *service, const char *param)
+{
+	if (csn == NULL) {
+		return;
+	}
+
+	if (!W_ERROR_IS_OK(ctx->ops->open_conf(ctx))) {
+		return;
+	}
+
+	csn->csn = (uint64_t)regdb_get_seqnum();
+}
+
+/**
+ * Drop the whole configuration (restarting empty) - registry version
+ */
+static WERROR smbconf_reg_drop(struct smbconf_ctx *ctx)
+{
+	char *path, *p;
+	WERROR werr = WERR_OK;
+	struct registry_key *parent_key = NULL;
+	struct registry_key *new_key = NULL;
+	TALLOC_CTX* mem_ctx = talloc_stackframe();
+	enum winreg_CreateAction action;
+
+	path = talloc_strdup(mem_ctx, ctx->path);
+	if (path == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+	p = strrchr(path, '\\');
+	*p = '\0';
+	werr = smbconf_reg_open_path(mem_ctx, ctx, path, REG_KEY_WRITE,
+				     &parent_key);
+
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = reg_deletekey_recursive(mem_ctx, parent_key, p+1);
+
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = reg_createkey(mem_ctx, parent_key, p+1, REG_KEY_WRITE,
+			     &new_key, &action);
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+/**
+ * get the list of share names defined in the configuration.
+ * registry version.
+ */
+static WERROR smbconf_reg_get_share_names(struct smbconf_ctx *ctx,
+					  TALLOC_CTX *mem_ctx,
+					  uint32_t *num_shares,
+					  char ***share_names)
+{
+	uint32_t count;
+	uint32_t added_count = 0;
+	TALLOC_CTX *tmp_ctx = NULL;
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	char *subkey_name = NULL;
+	char **tmp_share_names = NULL;
+
+	if ((num_shares == NULL) || (share_names == NULL)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	/* if there are values in the base key, return NULL as share name */
+	werr = smbconf_reg_open_base_key(tmp_ctx, ctx,
+					 SEC_RIGHTS_ENUM_SUBKEYS, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (smbconf_reg_key_has_values(key)) {
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
+						   0, NULL);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+
+	/* make sure "global" is always listed first */
+	if (smbconf_share_exists(ctx, GLOBAL_NAME)) {
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
+						   added_count, GLOBAL_NAME);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+
+	for (count = 0;
+	     werr = reg_enumkey(tmp_ctx, key, count, &subkey_name, NULL),
+	     W_ERROR_IS_OK(werr);
+	     count++)
+	{
+		if (strequal(subkey_name, GLOBAL_NAME)) {
+			continue;
+		}
+
+		werr = smbconf_add_string_to_array(tmp_ctx,
+						   &tmp_share_names,
+						   added_count,
+						   subkey_name);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+	if (!W_ERROR_EQUAL(WERR_NO_MORE_ITEMS, werr)) {
+		goto done;
+	}
+	werr = WERR_OK;
+
+	*num_shares = added_count;
+	if (added_count > 0) {
+		*share_names = talloc_move(mem_ctx, &tmp_share_names);
+	} else {
+		*share_names = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * check if a share/service of a given name exists - registry version
+ */
+static bool smbconf_reg_share_exists(struct smbconf_ctx *ctx,
+				     const char *servicename)
+{
+	bool ret = false;
+	WERROR werr = WERR_OK;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+	struct registry_key *key = NULL;
+
+	werr = smbconf_reg_open_service_key(mem_ctx, ctx, servicename,
+					    REG_KEY_READ, &key);
+	if (W_ERROR_IS_OK(werr)) {
+		ret = true;
+	}
+
+	TALLOC_FREE(mem_ctx);
+	return ret;
+}
+
+/**
+ * Add a service if it does not already exist - registry version
+ */
+static WERROR smbconf_reg_create_share(struct smbconf_ctx *ctx,
+				       const char *servicename)
+{
+	WERROR werr;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+	struct registry_key *key = NULL;
+
+	if (servicename == NULL) {
+		werr = smbconf_reg_open_base_key(mem_ctx, ctx, REG_KEY_WRITE,
+						 &key);
+	} else {
+		werr = smbconf_reg_create_service_key(mem_ctx, ctx,
+						      servicename, &key);
+	}
+
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+/**
+ * get a definition of a share (service) from configuration.
+ */
+static WERROR smbconf_reg_get_share(struct smbconf_ctx *ctx,
+				    TALLOC_CTX *mem_ctx,
+				    const char *servicename,
+				    struct smbconf_service **service)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	struct smbconf_service *tmp_service = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(tmp_ctx, ctx, servicename,
+					    REG_KEY_READ, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	tmp_service = TALLOC_ZERO_P(tmp_ctx, struct smbconf_service);
+	if (tmp_service == NULL) {
+		werr =  WERR_NOMEM;
+		goto done;
+	}
+
+	if (servicename != NULL) {
+		tmp_service->name = talloc_strdup(tmp_service, servicename);
+		if (tmp_service->name == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	werr = smbconf_reg_get_values(tmp_service, key,
+				      &(tmp_service->num_params),
+				      &(tmp_service->param_names),
+				      &(tmp_service->param_values));
+
+	if (W_ERROR_IS_OK(werr)) {
+		*service = talloc_move(mem_ctx, &tmp_service);
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * delete a service from configuration
+ */
+static WERROR smbconf_reg_delete_share(struct smbconf_ctx *ctx,
+				       const char *servicename)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_base_key(mem_ctx, ctx, REG_KEY_WRITE, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (servicename != NULL) {
+		werr = reg_deletekey_recursive(key, key, servicename);
+	} else {
+		werr = smbconf_reg_delete_values(key);
+	}
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+/**
+ * set a configuration parameter to the value provided.
+ */
+static WERROR smbconf_reg_set_parameter(struct smbconf_ctx *ctx,
+					const char *service,
+					const char *param,
+					const char *valstr)
+{
+	WERROR werr;
+	struct registry_key *key = NULL;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(mem_ctx, ctx, service,
+					    REG_KEY_WRITE, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = smbconf_reg_set_value(key, param, valstr);
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+/**
+ * get the value of a configuration parameter as a string
+ */
+static WERROR smbconf_reg_get_parameter(struct smbconf_ctx *ctx,
+					TALLOC_CTX *mem_ctx,
+					const char *service,
+					const char *param,
+					char **valstr)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	struct registry_value *value = NULL;
+
+	werr = smbconf_reg_open_service_key(mem_ctx, ctx, service,
+					    REG_KEY_READ, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (!smbconf_reg_valname_valid(param)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	if (!smbconf_value_exists(key, param)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	werr = reg_queryvalue(mem_ctx, key, param, &value);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	*valstr = smbconf_format_registry_value(mem_ctx, value);
+
+	if (*valstr == NULL) {
+		werr = WERR_NOMEM;
+	}
+
+done:
+	TALLOC_FREE(key);
+	TALLOC_FREE(value);
+	return werr;
+}
+
+/**
+ * delete a parameter from configuration
+ */
+static WERROR smbconf_reg_delete_parameter(struct smbconf_ctx *ctx,
+					   const char *service,
+					   const char *param)
+{
+	struct registry_key *key = NULL;
+	WERROR werr = WERR_OK;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(mem_ctx, ctx, service,
+					    REG_KEY_ALL, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (!smbconf_reg_valname_valid(param)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	if (!smbconf_value_exists(key, param)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	werr = reg_deletevalue(key, param);
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return werr;
+}
+
+static WERROR smbconf_reg_get_includes(struct smbconf_ctx *ctx,
+				       TALLOC_CTX *mem_ctx,
+				       const char *service,
+				       uint32_t *num_includes,
+				       char ***includes)
+{
+	WERROR werr;
+	struct registry_key *key = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(tmp_ctx, ctx, service,
+					    REG_KEY_READ, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	werr = smbconf_reg_get_includes_internal(mem_ctx, key, num_includes,
+						 includes);
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+static WERROR smbconf_reg_set_includes(struct smbconf_ctx *ctx,
+				       const char *service,
+				       uint32_t num_includes,
+				       const char **includes)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(tmp_ctx, ctx, service,
+					    REG_KEY_ALL, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (num_includes == 0) {
+		if (!smbconf_value_exists(key, INCLUDES_VALNAME)) {
+			goto done;
+		}
+		werr = reg_deletevalue(key, INCLUDES_VALNAME);
+	} else {
+		werr = smbconf_reg_set_multi_sz_value(key, INCLUDES_VALNAME,
+						      num_includes, includes);
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+static WERROR smbconf_reg_delete_includes(struct smbconf_ctx *ctx,
+					  const char *service)
+{
+	WERROR werr = WERR_OK;
+	struct registry_key *key = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+	werr = smbconf_reg_open_service_key(tmp_ctx, ctx, service,
+					    REG_KEY_ALL, &key);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto done;
+	}
+
+	if (!smbconf_value_exists(key, INCLUDES_VALNAME)) {
+		goto done;
+	}
+
+	werr = reg_deletevalue(key, INCLUDES_VALNAME);
+
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+struct smbconf_ops smbconf_ops_reg = {
+	.init			= smbconf_reg_init,
+	.shutdown		= smbconf_reg_shutdown,
+	.open_conf		= smbconf_reg_open,
+	.close_conf		= smbconf_reg_close,
+	.get_csn		= smbconf_reg_get_csn,
+	.drop			= smbconf_reg_drop,
+	.get_share_names	= smbconf_reg_get_share_names,
+	.share_exists		= smbconf_reg_share_exists,
+	.create_share		= smbconf_reg_create_share,
+	.get_share		= smbconf_reg_get_share,
+	.delete_share		= smbconf_reg_delete_share,
+	.set_parameter		= smbconf_reg_set_parameter,
+	.get_parameter		= smbconf_reg_get_parameter,
+	.delete_parameter	= smbconf_reg_delete_parameter,
+	.get_includes		= smbconf_reg_get_includes,
+	.set_includes		= smbconf_reg_set_includes,
+	.delete_includes	= smbconf_reg_delete_includes,
+};
+
+
+/**
+ * initialize the smbconf registry backend
+ * the only function that is exported from this module
+ */
+WERROR smbconf_init_reg(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+			const char *path)
+{
+	return smbconf_init_internal(mem_ctx, conf_ctx, path, &smbconf_ops_reg);
+}
diff --git a/source3/lib/smbconf/smbconf_txt.c b/source3/lib/smbconf/smbconf_txt.c
new file mode 100644
index 0000000000..1a29f40164
--- /dev/null
+++ b/source3/lib/smbconf/smbconf_txt.c
@@ -0,0 +1,641 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library, text backend
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * This is a sample implementation of a libsmbconf text backend
+ * using the params.c parser.
+ *
+ * It is read only.
+ * Don't expect brilliant performance, since it is not hashing the lists.
+ */
+
+#include "includes.h"
+#include "smbconf_private.h"
+
+struct txt_cache {
+	uint32_t current_share;
+	uint32_t num_shares;
+	char **share_names;
+	uint32_t *num_params;
+	char ***param_names;
+	char ***param_values;
+};
+
+struct txt_private_data {
+	struct txt_cache *cache;
+	uint64_t csn;
+	bool verbatim;
+};
+
+/**********************************************************************
+ *
+ * helper functions
+ *
+ **********************************************************************/
+
+/**
+ * a convenience helper to cast the private data structure
+ */
+static struct txt_private_data *pd(struct smbconf_ctx *ctx)
+{
+	return (struct txt_private_data *)(ctx->data);
+}
+
+static bool smbconf_txt_do_section(const char *section, void *private_data)
+{
+	WERROR werr;
+	uint32_t idx;
+	struct txt_private_data *tpd = (struct txt_private_data *)private_data;
+	struct txt_cache *cache = tpd->cache;
+
+	if (smbconf_find_in_array(section, cache->share_names,
+				  cache->num_shares, &idx))
+	{
+		cache->current_share = idx;
+		return true;
+	}
+
+	werr = smbconf_add_string_to_array(cache, &(cache->share_names),
+					   cache->num_shares, section);
+	if (!W_ERROR_IS_OK(werr)) {
+		return false;
+	}
+	cache->current_share = cache->num_shares;
+	cache->num_shares++;
+
+	cache->param_names = TALLOC_REALLOC_ARRAY(cache,
+						  cache->param_names,
+						  char **,
+						  cache->num_shares);
+	if (cache->param_names == NULL) {
+		return false;
+	}
+	cache->param_names[cache->current_share] = NULL;
+
+	cache->param_values = TALLOC_REALLOC_ARRAY(cache,
+						   cache->param_values,
+						   char **,
+						   cache->num_shares);
+	if (cache->param_values == NULL) {
+		return false;
+	}
+	cache->param_values[cache->current_share] = NULL;
+
+	cache->num_params = TALLOC_REALLOC_ARRAY(cache,
+						 cache->num_params,
+						 uint32_t,
+						 cache->num_shares);
+	if (cache->num_params == NULL) {
+		return false;
+	}
+	cache->num_params[cache->current_share] = 0;
+
+	return true;
+}
+
+static bool smbconf_txt_do_parameter(const char *param_name,
+				     const char *param_value,
+				     void *private_data)
+{
+	WERROR werr;
+	char **param_names, **param_values;
+	uint32_t num_params;
+	uint32_t idx;
+	struct txt_private_data *tpd = (struct txt_private_data *)private_data;
+	struct txt_cache *cache = tpd->cache;
+
+	if (cache->num_shares == 0) {
+		/*
+		 * not in any share yet,
+		 * initialize the "empty" section (NULL):
+		 * parameters without a previous [section] are stored here.
+		 */
+		if (!smbconf_txt_do_section(NULL, private_data)) {
+			return false;
+		}
+	}
+
+	param_names  = cache->param_names[cache->current_share];
+	param_values = cache->param_values[cache->current_share];
+	num_params   = cache->num_params[cache->current_share];
+
+	if (!(tpd->verbatim) &&
+	    smbconf_find_in_array(param_name, param_names, num_params, &idx))
+	{
+		TALLOC_FREE(param_values[idx]);
+		param_values[idx] = talloc_strdup(cache, param_value);
+		if (param_values[idx] == NULL) {
+			return false;
+		}
+		return true;
+	}
+	werr = smbconf_add_string_to_array(cache,
+				&(cache->param_names[cache->current_share]),
+				num_params, param_name);
+	if (!W_ERROR_IS_OK(werr)) {
+		return false;
+	}
+	werr = smbconf_add_string_to_array(cache,
+				&(cache->param_values[cache->current_share]),
+				num_params, param_value);
+	cache->num_params[cache->current_share]++;
+	return W_ERROR_IS_OK(werr);
+}
+
+static void smbconf_txt_flush_cache(struct smbconf_ctx *ctx)
+{
+	TALLOC_FREE(pd(ctx)->cache);
+}
+
+static WERROR smbconf_txt_init_cache(struct smbconf_ctx *ctx)
+{
+	if (pd(ctx)->cache != NULL) {
+		smbconf_txt_flush_cache(ctx);
+	}
+
+	pd(ctx)->cache = TALLOC_ZERO_P(pd(ctx), struct txt_cache);
+
+	if (pd(ctx)->cache == NULL) {
+		return WERR_NOMEM;
+	}
+
+	return WERR_OK;
+}
+
+static WERROR smbconf_txt_load_file(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+	uint64_t new_csn;
+
+	if (!file_exist(ctx->path, NULL)) {
+		return WERR_BADFILE;
+	}
+
+	new_csn = (uint64_t)file_modtime(ctx->path);
+	if (new_csn == pd(ctx)->csn) {
+		return WERR_OK;
+	}
+
+	werr = smbconf_txt_init_cache(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	if (!pm_process(ctx->path, smbconf_txt_do_section,
+			smbconf_txt_do_parameter, pd(ctx)))
+	{
+		return WERR_CAN_NOT_COMPLETE;
+	}
+
+	pd(ctx)->csn = new_csn;
+
+	return WERR_OK;
+}
+
+
+/**********************************************************************
+ *
+ * smbconf operations: text backend implementations
+ *
+ **********************************************************************/
+
+/**
+ * initialize the text based smbconf backend
+ */
+static WERROR smbconf_txt_init(struct smbconf_ctx *ctx, const char *path)
+{
+	if (path == NULL) {
+		path = get_dyn_CONFIGFILE();
+	}
+	ctx->path = talloc_strdup(ctx, path);
+	if (ctx->path == NULL) {
+		return WERR_NOMEM;
+	}
+
+	ctx->data = TALLOC_ZERO_P(ctx, struct txt_private_data);
+	if (ctx->data == NULL) {
+		return WERR_NOMEM;
+	}
+
+	pd(ctx)->verbatim = true;
+
+	return WERR_OK;
+}
+
+static int smbconf_txt_shutdown(struct smbconf_ctx *ctx)
+{
+	return ctx->ops->close_conf(ctx);
+}
+
+static WERROR smbconf_txt_open(struct smbconf_ctx *ctx)
+{
+	return smbconf_txt_load_file(ctx);
+}
+
+static int smbconf_txt_close(struct smbconf_ctx *ctx)
+{
+	smbconf_txt_flush_cache(ctx);
+	return 0;
+}
+
+/**
+ * Get the change sequence number of the given service/parameter.
+ * service and parameter strings may be NULL.
+ */
+static void smbconf_txt_get_csn(struct smbconf_ctx *ctx,
+				struct smbconf_csn *csn,
+				const char *service, const char *param)
+{
+	if (csn == NULL) {
+		return;
+	}
+
+	csn->csn = (uint64_t)file_modtime(ctx->path);
+}
+
+/**
+ * Drop the whole configuration (restarting empty)
+ */
+static WERROR smbconf_txt_drop(struct smbconf_ctx *ctx)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/**
+ * get the list of share names defined in the configuration.
+ */
+static WERROR smbconf_txt_get_share_names(struct smbconf_ctx *ctx,
+					  TALLOC_CTX *mem_ctx,
+					  uint32_t *num_shares,
+					  char ***share_names)
+{
+	uint32_t count;
+	uint32_t added_count = 0;
+	TALLOC_CTX *tmp_ctx = NULL;
+	WERROR werr = WERR_OK;
+	char **tmp_share_names = NULL;
+
+	if ((num_shares == NULL) || (share_names == NULL)) {
+		werr = WERR_INVALID_PARAM;
+		goto done;
+	}
+
+	werr = smbconf_txt_load_file(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	/* make sure "global" is always listed first,
+	 * possibly after NULL section */
+
+	if (smbconf_share_exists(ctx, NULL)) {
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
+						   0, NULL);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+
+	if (smbconf_share_exists(ctx, GLOBAL_NAME)) {
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
+						   added_count, GLOBAL_NAME);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+
+	for (count = 0; count < pd(ctx)->cache->num_shares; count++) {
+		if (strequal(pd(ctx)->cache->share_names[count], GLOBAL_NAME) ||
+		    (pd(ctx)->cache->share_names[count] == NULL))
+		{
+			continue;
+		}
+
+		werr = smbconf_add_string_to_array(tmp_ctx, &tmp_share_names,
+					added_count,
+					pd(ctx)->cache->share_names[count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		added_count++;
+	}
+
+	*num_shares = added_count;
+	if (added_count > 0) {
+		*share_names = talloc_move(mem_ctx, &tmp_share_names);
+	} else {
+		*share_names = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * check if a share/service of a given name exists
+ */
+static bool smbconf_txt_share_exists(struct smbconf_ctx *ctx,
+				     const char *servicename)
+{
+	WERROR werr;
+
+	werr = smbconf_txt_load_file(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return false;
+	}
+
+	return smbconf_find_in_array(servicename,
+				     pd(ctx)->cache->share_names,
+				     pd(ctx)->cache->num_shares, NULL);
+}
+
+/**
+ * Add a service if it does not already exist
+ */
+static WERROR smbconf_txt_create_share(struct smbconf_ctx *ctx,
+				       const char *servicename)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/**
+ * get a definition of a share (service) from configuration.
+ */
+static WERROR smbconf_txt_get_share(struct smbconf_ctx *ctx,
+				    TALLOC_CTX *mem_ctx,
+				    const char *servicename,
+				    struct smbconf_service **service)
+{
+	WERROR werr;
+	uint32_t sidx, count;
+	bool found;
+	TALLOC_CTX *tmp_ctx = NULL;
+	struct smbconf_service *tmp_service = NULL;
+
+	werr = smbconf_txt_load_file(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	found = smbconf_find_in_array(servicename,
+				      pd(ctx)->cache->share_names,
+				      pd(ctx)->cache->num_shares,
+				      &sidx);
+	if (!found) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	tmp_service = TALLOC_ZERO_P(tmp_ctx, struct smbconf_service);
+	if (tmp_service == NULL) {
+		werr = WERR_NOMEM;
+		goto done;
+	}
+
+	if (servicename != NULL) {
+		tmp_service->name = talloc_strdup(tmp_service, servicename);
+		if (tmp_service->name == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	}
+
+	for (count = 0; count < pd(ctx)->cache->num_params[sidx]; count++) {
+		werr = smbconf_add_string_to_array(tmp_service,
+				&(tmp_service->param_names),
+				count,
+				pd(ctx)->cache->param_names[sidx][count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+		werr = smbconf_add_string_to_array(tmp_service,
+				&(tmp_service->param_values),
+				count,
+				pd(ctx)->cache->param_values[sidx][count]);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
+	}
+
+	tmp_service->num_params = count;
+	if (count > 0) {
+		*service = talloc_move(mem_ctx, &tmp_service);
+	} else {
+		*service = NULL;
+	}
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+/**
+ * delete a service from configuration
+ */
+static WERROR smbconf_txt_delete_share(struct smbconf_ctx *ctx,
+				       const char *servicename)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/**
+ * set a configuration parameter to the value provided.
+ */
+static WERROR smbconf_txt_set_parameter(struct smbconf_ctx *ctx,
+					const char *service,
+					const char *param,
+					const char *valstr)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+/**
+ * get the value of a configuration parameter as a string
+ */
+static WERROR smbconf_txt_get_parameter(struct smbconf_ctx *ctx,
+					TALLOC_CTX *mem_ctx,
+					const char *service,
+					const char *param,
+					char **valstr)
+{
+	WERROR werr;
+	bool found;
+	uint32_t share_index, param_index;
+
+	werr = smbconf_txt_load_file(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	found = smbconf_find_in_array(service,
+				      pd(ctx)->cache->share_names,
+				      pd(ctx)->cache->num_shares,
+				      &share_index);
+	if (!found) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	found = smbconf_reverse_find_in_array(param,
+				pd(ctx)->cache->param_names[share_index],
+				pd(ctx)->cache->num_params[share_index],
+				&param_index);
+	if (!found) {
+		return WERR_INVALID_PARAM;
+	}
+
+	*valstr = talloc_strdup(mem_ctx,
+			pd(ctx)->cache->param_values[share_index][param_index]);
+
+	if (*valstr == NULL) {
+		return WERR_NOMEM;
+	}
+
+	return WERR_OK;
+}
+
+/**
+ * delete a parameter from configuration
+ */
+static WERROR smbconf_txt_delete_parameter(struct smbconf_ctx *ctx,
+					   const char *service,
+					   const char *param)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+static WERROR smbconf_txt_get_includes(struct smbconf_ctx *ctx,
+				       TALLOC_CTX *mem_ctx,
+				       const char *service,
+				       uint32_t *num_includes,
+				       char ***includes)
+{
+	WERROR werr;
+	bool found;
+	uint32_t sidx, count;
+	TALLOC_CTX *tmp_ctx = NULL;
+	uint32_t tmp_num_includes = 0;
+	char **tmp_includes = NULL;
+
+	werr = smbconf_txt_load_file(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	found = smbconf_find_in_array(service,
+				      pd(ctx)->cache->share_names,
+				      pd(ctx)->cache->num_shares,
+				      &sidx);
+	if (!found) {
+		return WERR_NO_SUCH_SERVICE;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	for (count = 0; count < pd(ctx)->cache->num_params[sidx]; count++) {
+		if (strequal(pd(ctx)->cache->param_names[sidx][count],
+			     "include"))
+		{
+			werr = smbconf_add_string_to_array(tmp_ctx,
+				&tmp_includes,
+				tmp_num_includes,
+				pd(ctx)->cache->param_values[sidx][count]);
+			if (!W_ERROR_IS_OK(werr)) {
+				goto done;
+			}
+			tmp_num_includes++;
+		}
+	}
+
+	*num_includes = tmp_num_includes;
+	if (*num_includes > 0) {
+		*includes = talloc_move(mem_ctx, &tmp_includes);
+		if (*includes == NULL) {
+			werr = WERR_NOMEM;
+			goto done;
+		}
+	} else {
+		*includes = NULL;
+	}
+
+	werr = WERR_OK;
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return werr;
+}
+
+static WERROR smbconf_txt_set_includes(struct smbconf_ctx *ctx,
+				       const char *service,
+				       uint32_t num_includes,
+				       const char **includes)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+static WERROR smbconf_txt_delete_includes(struct smbconf_ctx *ctx,
+					  const char *service)
+{
+	return WERR_NOT_SUPPORTED;
+}
+
+
+static struct smbconf_ops smbconf_ops_txt = {
+	.init			= smbconf_txt_init,
+	.shutdown		= smbconf_txt_shutdown,
+	.open_conf		= smbconf_txt_open,
+	.close_conf		= smbconf_txt_close,
+	.get_csn		= smbconf_txt_get_csn,
+	.drop			= smbconf_txt_drop,
+	.get_share_names	= smbconf_txt_get_share_names,
+	.share_exists		= smbconf_txt_share_exists,
+	.create_share		= smbconf_txt_create_share,
+	.get_share		= smbconf_txt_get_share,
+	.delete_share		= smbconf_txt_delete_share,
+	.set_parameter		= smbconf_txt_set_parameter,
+	.get_parameter		= smbconf_txt_get_parameter,
+	.delete_parameter	= smbconf_txt_delete_parameter,
+	.get_includes		= smbconf_txt_get_includes,
+	.set_includes		= smbconf_txt_set_includes,
+	.delete_includes	= smbconf_txt_delete_includes,
+};
+
+
+/**
+ * initialize the smbconf text backend
+ * the only function that is exported from this module
+ */
+WERROR smbconf_init_txt(TALLOC_CTX *mem_ctx,
+			struct smbconf_ctx **conf_ctx,
+			const char *path)
+{
+	WERROR werr;
+
+	werr = smbconf_init_internal(mem_ctx, conf_ctx, path, &smbconf_ops_txt);
+	if (!W_ERROR_IS_OK(werr)) {
+		return werr;
+	}
+
+	return smbconf_txt_load_file(*conf_ctx);
+}
diff --git a/source3/lib/smbconf/smbconf_util.c b/source3/lib/smbconf/smbconf_util.c
new file mode 100644
index 0000000000..271fc47dd4
--- /dev/null
+++ b/source3/lib/smbconf/smbconf_util.c
@@ -0,0 +1,151 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library, utility functions
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "smbconf_private.h"
+
+
+static int smbconf_destroy_ctx(struct smbconf_ctx *ctx)
+{
+	return ctx->ops->shutdown(ctx);
+}
+
+/**
+ * Initialize the configuration.
+ *
+ * This should be the first function in a sequence of calls to smbconf
+ * functions:
+ *
+ * Upon success, this creates and returns the conf context
+ * that should be passed around in subsequent calls to the other
+ * smbconf functions.
+ *
+ * After the work with the configuration is completed, smbconf_shutdown()
+ * should be called.
+ */
+WERROR smbconf_init_internal(TALLOC_CTX *mem_ctx, struct smbconf_ctx **conf_ctx,
+			     const char *path, struct smbconf_ops *ops)
+{
+	WERROR werr = WERR_OK;
+	struct smbconf_ctx *ctx;
+
+	if (conf_ctx == NULL) {
+		return WERR_INVALID_PARAM;
+	}
+
+	ctx = TALLOC_ZERO_P(mem_ctx, struct smbconf_ctx);
+	if (ctx == NULL) {
+		return WERR_NOMEM;
+	}
+
+	ctx->ops = ops;
+
+	werr = ctx->ops->init(ctx, path);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto fail;
+	}
+
+	talloc_set_destructor(ctx, smbconf_destroy_ctx);
+
+	*conf_ctx = ctx;
+	return werr;
+
+fail:
+	TALLOC_FREE(ctx);
+	return werr;
+}
+
+
+/**
+ * add a string to a talloced array of strings.
+ */
+WERROR smbconf_add_string_to_array(TALLOC_CTX *mem_ctx,
+				   char ***array,
+				   uint32_t count,
+				   const char *string)
+{
+	char **new_array = NULL;
+
+	if (array == NULL) {
+		return WERR_INVALID_PARAM;
+	}
+
+	new_array = TALLOC_REALLOC_ARRAY(mem_ctx, *array, char *, count + 1);
+	if (new_array == NULL) {
+		return WERR_NOMEM;
+	}
+
+	if (string == NULL) {
+		new_array[count] = NULL;
+	} else {
+		new_array[count] = talloc_strdup(new_array, string);
+		if (new_array[count] == NULL) {
+			TALLOC_FREE(new_array);
+			return WERR_NOMEM;
+		}
+	}
+
+	*array = new_array;
+
+	return WERR_OK;
+}
+
+bool smbconf_find_in_array(const char *string, char **list,
+			   uint32_t num_entries, uint32_t *entry)
+{
+	uint32_t i;
+
+	if (list == NULL) {
+		return false;
+	}
+
+	for (i = 0; i < num_entries; i++) {
+		if (((string == NULL) && (list[i] == NULL)) ||
+		    strequal(string, list[i]))
+		{
+			if (entry != NULL) {
+				*entry = i;
+			}
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool smbconf_reverse_find_in_array(const char *string, char **list,
+				   uint32_t num_entries, uint32_t *entry)
+{
+	int32_t i;
+
+	if ((string == NULL) || (list == NULL) || (num_entries == 0)) {
+		return false;
+	}
+
+	for (i = num_entries - 1; i >= 0; i--) {
+		if (strequal(string, list[i])) {
+			if (entry != NULL) {
+				*entry = i;
+			}
+			return true;
+		}
+	}
+
+	return false;
+}
diff --git a/source3/lib/smbconf/testsuite.c b/source3/lib/smbconf/testsuite.c
new file mode 100644
index 0000000000..cffd239df6
--- /dev/null
+++ b/source3/lib/smbconf/testsuite.c
@@ -0,0 +1,283 @@
+/*
+ *  Unix SMB/CIFS implementation.
+ *  libsmbconf - Samba configuration library: testsuite
+ *  Copyright (C) Michael Adam 2008
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+static void print_strings(const char *prefix,
+			  uint32_t num_strings, const char **strings)
+{
+	uint32_t count;
+
+	if (prefix == NULL) {
+		prefix = "";
+	}
+
+	for (count = 0; count < num_strings; count++) {
+		printf("%s%s\n", prefix, strings[count]);
+	}
+}
+
+static bool test_get_includes(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+	bool ret = false;
+	uint32_t num_includes = 0;
+	char **includes = NULL;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	printf("test: get_includes\n");
+	werr = smbconf_get_global_includes(ctx, mem_ctx,
+					   &num_includes, &includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: get_includes - %s\n", dos_errstr(werr));
+		goto done;
+	}
+
+	printf("got %u includes%s\n", num_includes,
+	       (num_includes > 0) ? ":" : ".");
+	print_strings("", num_includes, (const char **)includes);
+
+	printf("success: get_includes\n");
+	ret = true;
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return ret;
+}
+
+static bool test_set_get_includes(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+	uint32_t count;
+	bool ret = false;
+	const char *set_includes[] = {
+		"/path/to/include1",
+		"/path/to/include2"
+	};
+	uint32_t set_num_includes = 2;
+	char **get_includes = NULL;
+	uint32_t get_num_includes = 0;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	printf("test: set_get_includes\n");
+
+	werr = smbconf_set_global_includes(ctx, set_num_includes, set_includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: get_set_includes (setting includes) - %s\n",
+		       dos_errstr(werr));
+		goto done;
+	}
+
+	werr = smbconf_get_global_includes(ctx, mem_ctx, &get_num_includes,
+					   &get_includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: get_set_includes (getting includes) - %s\n",
+		       dos_errstr(werr));
+		goto done;
+	}
+
+	if (get_num_includes != set_num_includes) {
+		printf("failure: get_set_includes - set %d includes, got %d\n",
+		       set_num_includes, get_num_includes);
+		goto done;
+	}
+
+	for (count = 0; count < get_num_includes; count++) {
+		if (!strequal(set_includes[count], get_includes[count])) {
+			printf("expected: \n");
+			print_strings("* ", set_num_includes, set_includes);
+			printf("got: \n");
+			print_strings("* ", get_num_includes,
+				      (const char **)get_includes);
+			printf("failure: get_set_includes - data mismatch:\n");
+			goto done;
+		}
+	}
+
+	printf("success: set_includes\n");
+	ret = true;
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return ret;
+}
+
+static bool test_delete_includes(struct smbconf_ctx *ctx)
+{
+	WERROR werr;
+	bool ret = false;
+	const char *set_includes[] = {
+		"/path/to/include",
+	};
+	uint32_t set_num_includes = 1;
+	char **get_includes = NULL;
+	uint32_t get_num_includes = 0;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	printf("test: delete_includes\n");
+
+	werr = smbconf_set_global_includes(ctx, set_num_includes, set_includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: delete_includes (setting includes) - %s\n",
+		       dos_errstr(werr));
+		goto done;
+	}
+
+	werr = smbconf_delete_global_includes(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: delete_includes (deleting includes) - %s\n",
+		       dos_errstr(werr));
+		goto done;
+	}
+
+	werr = smbconf_get_global_includes(ctx, mem_ctx, &get_num_includes,
+					   &get_includes);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: delete_includes (getting includes) - %s\n",
+		       dos_errstr(werr));
+		goto done;
+	}
+
+	if (get_num_includes != 0) {
+		printf("failure: delete_includes (not empty after delete)\n");
+		goto done;
+	}
+
+	werr = smbconf_delete_global_includes(ctx);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failuer: delete_includes (delete empty includes) - "
+		       "%s\n", dos_errstr(werr));
+		goto done;
+	}
+
+	printf("success: delete_includes\n");
+	ret = true;
+
+done:
+	return ret;
+}
+
+static bool torture_smbconf_txt(void)
+{
+	WERROR werr;
+	bool ret = true;
+	struct smbconf_ctx *conf_ctx = NULL;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	printf("test: text backend\n");
+
+	printf("test: init\n");
+	werr = smbconf_init_txt(mem_ctx, &conf_ctx, NULL);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: init failed: %s\n", dos_errstr(werr));
+		ret = false;
+		goto done;
+	}
+	printf("success: init\n");
+
+	ret &= test_get_includes(conf_ctx);
+
+	smbconf_shutdown(conf_ctx);
+
+	printf("%s: text backend\n", ret ? "success" : "failure");
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return ret;
+}
+
+static bool torture_smbconf_reg(void)
+{
+	WERROR werr;
+	bool ret = true;
+	struct smbconf_ctx *conf_ctx = NULL;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	printf("test: registry backend\n");
+
+	printf("test: init\n");
+	werr = smbconf_init_reg(mem_ctx, &conf_ctx, NULL);
+	if (!W_ERROR_IS_OK(werr)) {
+		printf("failure: init failed: %s\n", dos_errstr(werr));
+		ret = false;
+		goto done;
+	}
+	printf("success: init\n");
+
+	ret &= test_get_includes(conf_ctx);
+	ret &= test_set_get_includes(conf_ctx);
+	ret &= test_delete_includes(conf_ctx);
+
+	smbconf_shutdown(conf_ctx);
+
+	printf("%s: registry backend\n", ret ? "success" : "failure");
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return ret;
+}
+
+static bool torture_smbconf(void)
+{
+	bool ret = true;
+	ret &= torture_smbconf_txt();
+	printf("\n");
+	ret &= torture_smbconf_reg();
+	return ret;
+}
+
+int main(int argc, const char **argv)
+{
+	bool ret;
+	poptContext pc;
+	TALLOC_CTX *mem_ctx = talloc_stackframe();
+
+	struct poptOption long_options[] = {
+		POPT_COMMON_SAMBA
+		{0, 0, 0, 0}
+	};
+
+	load_case_tables();
+	dbf = x_stderr;
+
+	/* parse options */
+	pc = poptGetContext("smbconftort", argc, (const char **)argv,
+			    long_options, 0);
+
+	while(poptGetNextOpt(pc) != -1) { }
+
+	poptFreeContext(pc);
+
+	ret = lp_load(get_dyn_CONFIGFILE(),
+		      true,  /* globals_only */
+		      false, /* save_defaults */
+		      false, /* add_ipc */
+		      true   /* initialize globals */);
+
+	if (!ret) {
+		printf("failure: error loading the configuration\n");
+		goto done;
+	}
+
+	ret = torture_smbconf();
+
+done:
+	TALLOC_FREE(mem_ctx);
+	return ret ? 0 : -1;
+}
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
new file mode 100644
index 0000000000..93494d6dad
--- /dev/null
+++ b/source3/lib/smbldap.c
@@ -0,0 +1,1824 @@
+/* 
+   Unix SMB/CIFS implementation.
+   LDAP protocol helper functions for SAMBA
+   Copyright (C) Jean François Micouleau	1998
+   Copyright (C) Gerald Carter			2001-2003
+   Copyright (C) Shahms King			2001
+   Copyright (C) Andrew Bartlett		2002-2003
+   Copyright (C) Stefan (metze) Metzmacher	2002-2003
+    
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   
+*/
+
+#include "includes.h"
+#include "smbldap.h"
+
+#ifndef LDAP_OPT_SUCCESS
+#define LDAP_OPT_SUCCESS 0
+#endif
+
+/* Try not to hit the up or down server forever */
+
+#define SMBLDAP_DONT_PING_TIME 10	/* ping only all 10 seconds */
+#define SMBLDAP_NUM_RETRIES 8	        /* retry only 8 times */
+
+#define SMBLDAP_IDLE_TIME 150		/* After 2.5 minutes disconnect */
+
+
+/* attributes used by Samba 2.2 */
+
+ATTRIB_MAP_ENTRY attrib_map_v22[] = {
+	{ LDAP_ATTR_UID,		"uid" 		},
+	{ LDAP_ATTR_UIDNUMBER,		LDAP_ATTRIBUTE_UIDNUMBER},
+	{ LDAP_ATTR_GIDNUMBER,		LDAP_ATTRIBUTE_GIDNUMBER},
+	{ LDAP_ATTR_UNIX_HOME,		"homeDirectory"	},
+	{ LDAP_ATTR_PWD_LAST_SET,	"pwdLastSet"	},
+	{ LDAP_ATTR_PWD_CAN_CHANGE,	"pwdCanChange"	},
+	{ LDAP_ATTR_PWD_MUST_CHANGE,	"pwdMustChange"	},
+	{ LDAP_ATTR_LOGON_TIME,		"logonTime" 	},
+	{ LDAP_ATTR_LOGOFF_TIME,	"logoffTime"	},
+	{ LDAP_ATTR_KICKOFF_TIME,	"kickoffTime"	},
+	{ LDAP_ATTR_CN,			"cn"		},
+	{ LDAP_ATTR_SN,			"sn"		},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"	},
+	{ LDAP_ATTR_HOME_PATH,		"smbHome"	},
+	{ LDAP_ATTR_HOME_DRIVE,		"homeDrive"	},
+	{ LDAP_ATTR_LOGON_SCRIPT,	"scriptPath"	},
+	{ LDAP_ATTR_PROFILE_PATH,	"profilePath"	},
+	{ LDAP_ATTR_DESC,		"description"	},
+	{ LDAP_ATTR_USER_WKS,		"userWorkstations"},
+	{ LDAP_ATTR_USER_RID,		"rid"		},
+	{ LDAP_ATTR_PRIMARY_GROUP_RID,	"primaryGroupID"},
+	{ LDAP_ATTR_LMPW,		"lmPassword"	},
+	{ LDAP_ATTR_NTPW,		"ntPassword"	},
+	{ LDAP_ATTR_DOMAIN,		"domain"	},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"	},
+	{ LDAP_ATTR_ACB_INFO,		"acctFlags"	},
+	{ LDAP_ATTR_MOD_TIMESTAMP,	"modifyTimestamp"	},
+	{ LDAP_ATTR_LIST_END,		NULL 		}
+};
+
+ATTRIB_MAP_ENTRY attrib_map_to_delete_v22[] = {
+	{ LDAP_ATTR_PWD_LAST_SET,	"pwdLastSet"	},
+	{ LDAP_ATTR_PWD_CAN_CHANGE,	"pwdCanChange"	},
+	{ LDAP_ATTR_PWD_MUST_CHANGE,	"pwdMustChange"	},
+	{ LDAP_ATTR_LOGON_TIME,		"logonTime" 	},
+	{ LDAP_ATTR_LOGOFF_TIME,	"logoffTime"	},
+	{ LDAP_ATTR_KICKOFF_TIME,	"kickoffTime"	},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"	},
+	{ LDAP_ATTR_HOME_PATH,		"smbHome"	},
+	{ LDAP_ATTR_HOME_DRIVE,		"homeDrives"	},
+	{ LDAP_ATTR_LOGON_SCRIPT,	"scriptPath"	},
+	{ LDAP_ATTR_PROFILE_PATH,	"profilePath"	},
+	{ LDAP_ATTR_USER_WKS,		"userWorkstations"},
+	{ LDAP_ATTR_USER_RID,		"rid"		},
+	{ LDAP_ATTR_PRIMARY_GROUP_RID,	"primaryGroupID"},
+	{ LDAP_ATTR_LMPW,		"lmPassword"	},
+	{ LDAP_ATTR_NTPW,		"ntPassword"	},
+	{ LDAP_ATTR_DOMAIN,		"domain"	},
+	{ LDAP_ATTR_ACB_INFO,		"acctFlags"	},
+	{ LDAP_ATTR_LIST_END,		NULL 		}
+};
+
+/* attributes used by Samba 3.0's sambaSamAccount */
+
+ATTRIB_MAP_ENTRY attrib_map_v30[] = {
+	{ LDAP_ATTR_UID,		"uid" 			},
+	{ LDAP_ATTR_UIDNUMBER,		LDAP_ATTRIBUTE_UIDNUMBER},
+	{ LDAP_ATTR_GIDNUMBER,		LDAP_ATTRIBUTE_GIDNUMBER},
+	{ LDAP_ATTR_UNIX_HOME,		"homeDirectory"		},
+	{ LDAP_ATTR_PWD_LAST_SET,	"sambaPwdLastSet"	},
+	{ LDAP_ATTR_PWD_CAN_CHANGE,	"sambaPwdCanChange"	},
+	{ LDAP_ATTR_PWD_MUST_CHANGE,	"sambaPwdMustChange"	},
+	{ LDAP_ATTR_LOGON_TIME,		"sambaLogonTime" 	},
+	{ LDAP_ATTR_LOGOFF_TIME,	"sambaLogoffTime"	},
+	{ LDAP_ATTR_KICKOFF_TIME,	"sambaKickoffTime"	},
+	{ LDAP_ATTR_CN,			"cn"			},
+	{ LDAP_ATTR_SN,			"sn"			},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"		},
+	{ LDAP_ATTR_HOME_DRIVE,		"sambaHomeDrive"	},
+	{ LDAP_ATTR_HOME_PATH,		"sambaHomePath"		},
+	{ LDAP_ATTR_LOGON_SCRIPT,	"sambaLogonScript"	},
+	{ LDAP_ATTR_PROFILE_PATH,	"sambaProfilePath"	},
+	{ LDAP_ATTR_DESC,		"description"		},
+	{ LDAP_ATTR_USER_WKS,		"sambaUserWorkstations"	},
+	{ LDAP_ATTR_USER_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_PRIMARY_GROUP_SID,	"sambaPrimaryGroupSID"	},
+	{ LDAP_ATTR_LMPW,		"sambaLMPassword"	},
+	{ LDAP_ATTR_NTPW,		"sambaNTPassword"	},
+	{ LDAP_ATTR_DOMAIN,		"sambaDomainName"	},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"		},
+	{ LDAP_ATTR_ACB_INFO,		"sambaAcctFlags"	},
+	{ LDAP_ATTR_MUNGED_DIAL,	"sambaMungedDial"	},
+	{ LDAP_ATTR_BAD_PASSWORD_COUNT,	"sambaBadPasswordCount" },
+	{ LDAP_ATTR_BAD_PASSWORD_TIME,	"sambaBadPasswordTime" 	},
+	{ LDAP_ATTR_PWD_HISTORY,	"sambaPasswordHistory"  },
+	{ LDAP_ATTR_MOD_TIMESTAMP,	"modifyTimestamp"	},
+	{ LDAP_ATTR_LOGON_HOURS,	"sambaLogonHours"	},
+	{ LDAP_ATTR_LIST_END,		NULL 			}
+};
+
+ATTRIB_MAP_ENTRY attrib_map_to_delete_v30[] = {
+	{ LDAP_ATTR_PWD_LAST_SET,	"sambaPwdLastSet"	},
+	{ LDAP_ATTR_PWD_CAN_CHANGE,	"sambaPwdCanChange"	},
+	{ LDAP_ATTR_PWD_MUST_CHANGE,	"sambaPwdMustChange"	},
+	{ LDAP_ATTR_LOGON_TIME,		"sambaLogonTime" 	},
+	{ LDAP_ATTR_LOGOFF_TIME,	"sambaLogoffTime"	},
+	{ LDAP_ATTR_KICKOFF_TIME,	"sambaKickoffTime"	},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"		},
+	{ LDAP_ATTR_HOME_DRIVE,		"sambaHomeDrive"	},
+	{ LDAP_ATTR_HOME_PATH,		"sambaHomePath"		},
+	{ LDAP_ATTR_LOGON_SCRIPT,	"sambaLogonScript"	},
+	{ LDAP_ATTR_PROFILE_PATH,	"sambaProfilePath"	},
+	{ LDAP_ATTR_USER_WKS,		"sambaUserWorkstations"	},
+	{ LDAP_ATTR_USER_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_PRIMARY_GROUP_SID,	"sambaPrimaryGroupSID"	},
+	{ LDAP_ATTR_LMPW,		"sambaLMPassword"	},
+	{ LDAP_ATTR_NTPW,		"sambaNTPassword"	},
+	{ LDAP_ATTR_DOMAIN,		"sambaDomainName"	},
+	{ LDAP_ATTR_ACB_INFO,		"sambaAcctFlags"	},
+	{ LDAP_ATTR_MUNGED_DIAL,	"sambaMungedDial"	},
+	{ LDAP_ATTR_BAD_PASSWORD_COUNT,	"sambaBadPasswordCount" },
+	{ LDAP_ATTR_BAD_PASSWORD_TIME,	"sambaBadPasswordTime" 	},
+	{ LDAP_ATTR_PWD_HISTORY,	"sambaPasswordHistory"  },
+	{ LDAP_ATTR_LOGON_HOURS,	"sambaLogonHours"	},
+	{ LDAP_ATTR_LIST_END,		NULL 			}
+};
+
+/* attributes used for allocating RIDs */
+
+ATTRIB_MAP_ENTRY dominfo_attr_list[] = {
+	{ LDAP_ATTR_DOMAIN,		"sambaDomainName"	},
+	{ LDAP_ATTR_NEXT_RID,	        "sambaNextRid"	        },
+	{ LDAP_ATTR_NEXT_USERRID,	"sambaNextUserRid"	},
+	{ LDAP_ATTR_NEXT_GROUPRID,	"sambaNextGroupRid"	},
+	{ LDAP_ATTR_DOM_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_ALGORITHMIC_RID_BASE,"sambaAlgorithmicRidBase"},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"		},
+	{ LDAP_ATTR_LIST_END,		NULL			},
+};
+
+/* Samba 3.0 group mapping attributes */
+
+ATTRIB_MAP_ENTRY groupmap_attr_list[] = {
+	{ LDAP_ATTR_GIDNUMBER,		LDAP_ATTRIBUTE_GIDNUMBER},
+	{ LDAP_ATTR_GROUP_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_GROUP_TYPE,		"sambaGroupType"	},
+	{ LDAP_ATTR_SID_LIST,		"sambaSIDList"		},
+	{ LDAP_ATTR_DESC,		"description"		},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"		},
+	{ LDAP_ATTR_CN,			"cn"			},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"		},
+	{ LDAP_ATTR_LIST_END,		NULL			}	
+};
+
+ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[] = {
+	{ LDAP_ATTR_GROUP_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_GROUP_TYPE,		"sambaGroupType"	},
+	{ LDAP_ATTR_DESC,		"description"		},
+	{ LDAP_ATTR_DISPLAY_NAME,	"displayName"		},
+	{ LDAP_ATTR_SID_LIST,		"sambaSIDList"		},
+	{ LDAP_ATTR_LIST_END,		NULL			}	
+};
+
+/* idmap_ldap sambaUnixIdPool */
+
+ATTRIB_MAP_ENTRY idpool_attr_list[] = {
+	{ LDAP_ATTR_UIDNUMBER,		LDAP_ATTRIBUTE_UIDNUMBER},
+	{ LDAP_ATTR_GIDNUMBER,		LDAP_ATTRIBUTE_GIDNUMBER},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"		},
+	{ LDAP_ATTR_LIST_END,		NULL			}	
+};
+
+ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
+	{ LDAP_ATTR_SID,		LDAP_ATTRIBUTE_SID	},
+	{ LDAP_ATTR_UIDNUMBER,		LDAP_ATTRIBUTE_UIDNUMBER},
+	{ LDAP_ATTR_GIDNUMBER,		LDAP_ATTRIBUTE_GIDNUMBER},
+	{ LDAP_ATTR_OBJCLASS,		"objectClass"		},
+	{ LDAP_ATTR_LIST_END,		NULL			}	
+};
+
+/**********************************************************************
+ perform a simple table lookup and return the attribute name 
+ **********************************************************************/
+ 
+ const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key )
+{
+	int i = 0;
+	
+	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+		if ( table[i].attrib == key )
+			return table[i].name;
+		i++;
+	}
+	
+	return NULL;
+}
+
+
+/**********************************************************************
+ Return the list of attribute names from a mapping table
+ **********************************************************************/
+
+ const char** get_attr_list( TALLOC_CTX *mem_ctx, ATTRIB_MAP_ENTRY table[] )
+{
+	const char **names;
+	int i = 0;
+	
+	while ( table[i].attrib != LDAP_ATTR_LIST_END )
+		i++;
+	i++;
+
+	names = TALLOC_ARRAY( mem_ctx, const char*, i );
+	if ( !names ) {
+		DEBUG(0,("get_attr_list: out of memory\n"));
+		return NULL;
+	}
+
+	i = 0;
+	while ( table[i].attrib != LDAP_ATTR_LIST_END ) {
+		names[i] = talloc_strdup( names, table[i].name );
+		i++;
+	}
+	names[i] = NULL;
+	
+	return names;
+}
+
+/*******************************************************************
+ Search an attribute and return the first value found.
+******************************************************************/
+
+ bool smbldap_get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry,
+				    const char *attribute, char *value,
+				    int max_len)
+{
+	char **values;
+	
+	if ( !attribute )
+		return False;
+		
+	value[0] = '\0';
+
+	if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) {
+		DEBUG (10, ("smbldap_get_single_attribute: [%s] = [<does not exist>]\n", attribute));
+		
+		return False;
+	}
+	
+	if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, max_len, False) == (size_t)-1) {
+		DEBUG(1, ("smbldap_get_single_attribute: string conversion of [%s] = [%s] failed!\n", 
+			  attribute, values[0]));
+		ldap_value_free(values);
+		return False;
+	}
+	
+	ldap_value_free(values);
+#ifdef DEBUG_PASSWORDS
+	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n", attribute, value));
+#endif	
+	return True;
+}
+
+ char * smbldap_talloc_single_attribute(LDAP *ldap_struct, LDAPMessage *entry,
+					const char *attribute,
+					TALLOC_CTX *mem_ctx)
+{
+	char **values;
+	char *result;
+	size_t converted_size;
+
+	if (attribute == NULL) {
+		return NULL;
+	}
+
+	values = ldap_get_values(ldap_struct, entry, attribute);
+
+	if (values == NULL) {
+		DEBUG(10, ("attribute %s does not exist\n", attribute));
+		return NULL;
+	}
+
+	if (ldap_count_values(values) != 1) {
+		DEBUG(10, ("attribute %s has %d values, expected only one\n",
+			   attribute, ldap_count_values(values)));
+		ldap_value_free(values);
+		return NULL;
+	}
+
+	if (!pull_utf8_talloc(mem_ctx, &result, values[0], &converted_size)) {
+		DEBUG(10, ("pull_utf8_talloc failed\n"));
+		ldap_value_free(values);
+		return NULL;
+	}
+
+	ldap_value_free(values);
+
+#ifdef DEBUG_PASSWORDS
+	DEBUG (100, ("smbldap_get_single_attribute: [%s] = [%s]\n",
+		     attribute, result));
+#endif	
+	return result;
+}
+
+ static int ldapmsg_destructor(LDAPMessage **result) {
+	ldap_msgfree(*result);
+	return 0;
+}
+
+ void talloc_autofree_ldapmsg(TALLOC_CTX *mem_ctx, LDAPMessage *result)
+{
+	LDAPMessage **handle;
+
+	if (result == NULL) {
+		return;
+	}
+
+	handle = TALLOC_P(mem_ctx, LDAPMessage *);
+	SMB_ASSERT(handle != NULL);
+
+	*handle = result;
+	talloc_set_destructor(handle, ldapmsg_destructor);
+}
+
+ static int ldapmod_destructor(LDAPMod ***mod) {
+	ldap_mods_free(*mod, True);
+	return 0;
+}
+
+ void talloc_autofree_ldapmod(TALLOC_CTX *mem_ctx, LDAPMod **mod)
+{
+	LDAPMod ***handle;
+
+	if (mod == NULL) {
+		return;
+	}
+
+	handle = TALLOC_P(mem_ctx, LDAPMod **);
+	SMB_ASSERT(handle != NULL);
+
+	*handle = mod;
+	talloc_set_destructor(handle, ldapmod_destructor);
+}
+
+/************************************************************************
+ Routine to manage the LDAPMod structure array
+ manage memory used by the array, by each struct, and values
+ ***********************************************************************/
+
+ void smbldap_set_mod (LDAPMod *** modlist, int modop, const char *attribute, const char *value)
+{
+	LDAPMod **mods;
+	int i;
+	int j;
+
+	mods = *modlist;
+
+	/* sanity checks on the mod values */
+
+	if (attribute == NULL || *attribute == '\0') {
+		return;	
+	}
+
+#if 0	/* commented out after discussion with abartlet.  Do not reenable.
+	   left here so other do not re-add similar code   --jerry */
+       	if (value == NULL || *value == '\0')
+		return;
+#endif
+
+	if (mods == NULL) {
+		mods = SMB_MALLOC_P(LDAPMod *);
+		if (mods == NULL) {
+			smb_panic("smbldap_set_mod: out of memory!");
+			/* notreached. */
+		}
+		mods[0] = NULL;
+	}
+
+	for (i = 0; mods[i] != NULL; ++i) {
+		if (mods[i]->mod_op == modop && strequal(mods[i]->mod_type, attribute))
+			break;
+	}
+
+	if (mods[i] == NULL) {
+		mods = SMB_REALLOC_ARRAY (mods, LDAPMod *, i + 2);
+		if (mods == NULL) {
+			smb_panic("smbldap_set_mod: out of memory!");
+			/* notreached. */
+		}
+		mods[i] = SMB_MALLOC_P(LDAPMod);
+		if (mods[i] == NULL) {
+			smb_panic("smbldap_set_mod: out of memory!");
+			/* notreached. */
+		}
+		mods[i]->mod_op = modop;
+		mods[i]->mod_values = NULL;
+		mods[i]->mod_type = SMB_STRDUP(attribute);
+		mods[i + 1] = NULL;
+	}
+
+	if (value != NULL) {
+		char *utf8_value = NULL;
+		size_t converted_size;
+
+		j = 0;
+		if (mods[i]->mod_values != NULL) {
+			for (; mods[i]->mod_values[j] != NULL; j++);
+		}
+		mods[i]->mod_values = SMB_REALLOC_ARRAY(mods[i]->mod_values, char *, j + 2);
+					       
+		if (mods[i]->mod_values == NULL) {
+			smb_panic("smbldap_set_mod: out of memory!");
+			/* notreached. */
+		}
+
+		if (!push_utf8_allocate(&utf8_value, value, &converted_size)) {
+			smb_panic("smbldap_set_mod: String conversion failure!");
+			/* notreached. */
+		}
+
+		mods[i]->mod_values[j] = utf8_value;
+
+		mods[i]->mod_values[j + 1] = NULL;
+	}
+	*modlist = mods;
+}
+
+/**********************************************************************
+  Set attribute to newval in LDAP, regardless of what value the
+  attribute had in LDAP before.
+*********************************************************************/
+
+ void smbldap_make_mod(LDAP *ldap_struct, LDAPMessage *existing,
+		      LDAPMod ***mods,
+		      const char *attribute, const char *newval)
+{
+	char oldval[2048]; /* current largest allowed value is mungeddial */
+	bool existed;
+
+	if (attribute == NULL) {
+		/* This can actually happen for ldapsam_compat where we for
+		 * example don't have a password history */
+		return;
+	}
+
+	if (existing != NULL) {
+		existed = smbldap_get_single_attribute(ldap_struct, existing, attribute, oldval, sizeof(oldval));
+	} else {
+		existed = False;
+		*oldval = '\0';
+	}
+
+	/* all of our string attributes are case insensitive */
+	
+	if (existed && newval && (StrCaseCmp(oldval, newval) == 0)) {
+		
+		/* Believe it or not, but LDAP will deny a delete and
+		   an add at the same time if the values are the
+		   same... */
+		DEBUG(10,("smbldap_make_mod: attribute |%s| not changed.\n", attribute));
+		return;
+	}
+
+	if (existed) {
+		/* There has been no value before, so don't delete it.
+		 * Here's a possible race: We might end up with
+		 * duplicate attributes */
+		/* By deleting exactly the value we found in the entry this
+		 * should be race-free in the sense that the LDAP-Server will
+		 * deny the complete operation if somebody changed the
+		 * attribute behind our back. */
+		/* This will also allow modifying single valued attributes 
+		 * in Novell NDS. In NDS you have to first remove attribute and then
+		 * you could add new value */
+		
+		DEBUG(10,("smbldap_make_mod: deleting attribute |%s| values |%s|\n", attribute, oldval));
+		smbldap_set_mod(mods, LDAP_MOD_DELETE, attribute, oldval);
+	}
+
+	/* Regardless of the real operation (add or modify)
+	   we add the new value here. We rely on deleting
+	   the old value, should it exist. */
+
+	if ((newval != NULL) && (strlen(newval) > 0)) {
+		DEBUG(10,("smbldap_make_mod: adding attribute |%s| value |%s|\n", attribute, newval));
+		smbldap_set_mod(mods, LDAP_MOD_ADD, attribute, newval);
+	}
+}
+
+/**********************************************************************
+ Some varients of the LDAP rebind code do not pass in the third 'arg' 
+ pointer to a void*, so we try and work around it by assuming that the 
+ value of the 'LDAP *' pointer is the same as the one we had passed in
+ **********************************************************************/
+
+struct smbldap_state_lookup {
+	LDAP *ld;
+	struct smbldap_state *smbldap_state;
+	struct smbldap_state_lookup *prev, *next;
+};
+
+static struct smbldap_state_lookup *smbldap_state_lookup_list;
+
+static struct smbldap_state *smbldap_find_state(LDAP *ld) 
+{
+	struct smbldap_state_lookup *t;
+
+	for (t = smbldap_state_lookup_list; t; t = t->next) {
+		if (t->ld == ld) {
+			return t->smbldap_state;
+		}
+	}
+	return NULL;
+}
+
+static void smbldap_delete_state(struct smbldap_state *smbldap_state) 
+{
+	struct smbldap_state_lookup *t;
+
+	for (t = smbldap_state_lookup_list; t; t = t->next) {
+		if (t->smbldap_state == smbldap_state) {
+			DLIST_REMOVE(smbldap_state_lookup_list, t);
+			SAFE_FREE(t);
+			return;
+		}
+	}
+}
+
+static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) 
+{
+	struct smbldap_state *tmp_ldap_state;
+	struct smbldap_state_lookup *t;
+	
+	if ((tmp_ldap_state = smbldap_find_state(ld))) {
+		SMB_ASSERT(tmp_ldap_state == smbldap_state);
+		return;
+	}
+
+	t = SMB_XMALLOC_P(struct smbldap_state_lookup);
+	ZERO_STRUCTP(t);
+	
+	DLIST_ADD_END(smbldap_state_lookup_list, t, struct smbldap_state_lookup *);
+	t->ld = ld;
+	t->smbldap_state = smbldap_state;
+}
+
+/********************************************************************
+ start TLS on an existing LDAP connection
+*******************************************************************/
+
+int smb_ldap_start_tls(LDAP *ldap_struct, int version)
+{ 
+	int rc;
+	
+	if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
+		return LDAP_SUCCESS;
+	}
+	
+#ifdef LDAP_OPT_X_TLS
+	if (version != LDAP_VERSION3) {
+		DEBUG(0, ("Need LDAPv3 for Start TLS\n"));
+		return LDAP_OPERATIONS_ERROR;
+	}
+
+	if ((rc = ldap_start_tls_s (ldap_struct, NULL, NULL)) != LDAP_SUCCESS)	{
+		DEBUG(0,("Failed to issue the StartTLS instruction: %s\n",
+			 ldap_err2string(rc)));
+		return rc;
+	}
+
+	DEBUG (3, ("StartTLS issued: using a TLS connection\n"));
+	return LDAP_SUCCESS;
+#else
+	DEBUG(0,("StartTLS not supported by LDAP client libraries!\n"));
+	return LDAP_OPERATIONS_ERROR;
+#endif
+}
+
+/********************************************************************
+ setup a connection to the LDAP server based on a uri
+*******************************************************************/
+
+int smb_ldap_setup_conn(LDAP **ldap_struct, const char *uri)
+{
+	int rc;
+
+	DEBUG(10, ("smb_ldap_setup_connection: %s\n", uri));
+	
+#ifdef HAVE_LDAP_INITIALIZE
+	
+	rc = ldap_initialize(ldap_struct, uri);
+	if (rc) {
+		DEBUG(0, ("ldap_initialize: %s\n", ldap_err2string(rc)));
+	}
+
+	return rc;
+#else 
+
+	/* Parse the string manually */
+
+	{
+		int port = 0;
+		fstring protocol;
+		fstring host;
+		SMB_ASSERT(sizeof(protocol)>10 && sizeof(host)>254);
+
+
+		/* skip leading "URL:" (if any) */
+		if ( strnequal( uri, "URL:", 4 ) ) {
+			uri += 4;
+		}
+		
+		sscanf(uri, "%10[^:]://%254[^:/]:%d", protocol, host, &port);
+		
+		if (port == 0) {
+			if (strequal(protocol, "ldap")) {
+				port = LDAP_PORT;
+			} else if (strequal(protocol, "ldaps")) {
+				port = LDAPS_PORT;
+			} else {
+				DEBUG(0, ("unrecognised protocol (%s)!\n", protocol));
+			}
+		}
+		
+		if ((*ldap_struct = ldap_init(host, port)) == NULL)	{
+			DEBUG(0, ("ldap_init failed !\n"));
+			return LDAP_OPERATIONS_ERROR;
+		}
+		
+	        if (strequal(protocol, "ldaps")) {
+#ifdef LDAP_OPT_X_TLS
+			int tls = LDAP_OPT_X_TLS_HARD;
+			if (ldap_set_option (*ldap_struct, LDAP_OPT_X_TLS, &tls) != LDAP_SUCCESS)
+			{
+				DEBUG(0, ("Failed to setup a TLS session\n"));
+			}
+			
+			DEBUG(3,("LDAPS option set...!\n"));
+#else
+			DEBUG(0,("smbldap_open_connection: Secure connection not supported by LDAP client libraries!\n"));
+			return LDAP_OPERATIONS_ERROR;
+#endif /* LDAP_OPT_X_TLS */
+		}
+	}
+#endif /* HAVE_LDAP_INITIALIZE */
+
+
+	/* now set connection timeout */
+#ifdef LDAP_X_OPT_CONNECT_TIMEOUT /* Netscape */
+	{
+		int ct = lp_ldap_connection_timeout()*1000;
+		rc = ldap_set_option(*ldap_struct, LDAP_X_OPT_CONNECT_TIMEOUT, &ct);
+		if (rc != LDAP_SUCCESS) {
+			DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+				ct, ldap_err2string(rc)));
+		}
+	}
+#elif defined (LDAP_OPT_NETWORK_TIMEOUT) /* OpenLDAP */
+	{
+		struct timeval ct;
+		ct.tv_usec = 0;
+		ct.tv_sec = lp_ldap_connection_timeout();
+		rc = ldap_set_option(*ldap_struct, LDAP_OPT_NETWORK_TIMEOUT, &ct);
+		if (rc != LDAP_SUCCESS) {
+			DEBUG(0,("Failed to setup an ldap connection timeout %d: %s\n",
+				(int)ct.tv_sec, ldap_err2string(rc)));
+		}
+	}
+#endif
+
+	return LDAP_SUCCESS;
+}
+
+/********************************************************************
+ try to upgrade to Version 3 LDAP if not already, in either case return current
+ version 
+ *******************************************************************/
+
+int smb_ldap_upgrade_conn(LDAP *ldap_struct, int *new_version) 
+{
+	int version;
+	int rc;
+	
+	/* assume the worst */
+	*new_version = LDAP_VERSION2;
+
+	rc = ldap_get_option(ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
+	if (rc) {
+		return rc;
+	}
+
+	if (version == LDAP_VERSION3) {
+		*new_version = LDAP_VERSION3;
+		return LDAP_SUCCESS;
+	}
+
+	/* try upgrade */
+	version = LDAP_VERSION3;
+	rc = ldap_set_option (ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
+	if (rc) {
+		return rc;
+	}
+		
+	*new_version = LDAP_VERSION3;
+	return LDAP_SUCCESS;
+}
+
+/*******************************************************************
+ open a connection to the ldap server (just until the bind)
+ ******************************************************************/
+
+int smb_ldap_setup_full_conn(LDAP **ldap_struct, const char *uri)
+{
+	int rc, version;
+
+	rc = smb_ldap_setup_conn(ldap_struct, uri);
+	if (rc) {
+		return rc;
+	}
+
+	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
+	if (rc) {
+		return rc;
+	}
+
+	rc = smb_ldap_start_tls(*ldap_struct, version);
+	if (rc) {
+		return rc;
+	}
+
+	return LDAP_SUCCESS;
+}
+
+/*******************************************************************
+ open a connection to the ldap server.
+******************************************************************/
+static int smbldap_open_connection (struct smbldap_state *ldap_state)
+
+{
+	int rc = LDAP_SUCCESS;
+	int version;
+	LDAP **ldap_struct = &ldap_state->ldap_struct;
+
+	rc = smb_ldap_setup_conn(ldap_struct, ldap_state->uri);
+	if (rc) {
+		return rc;
+	}
+
+	/* Store the LDAP pointer in a lookup list */
+
+	smbldap_store_state(*ldap_struct, ldap_state);
+
+	/* Upgrade to LDAPv3 if possible */
+
+	rc = smb_ldap_upgrade_conn(*ldap_struct, &version);
+	if (rc) {
+		return rc;
+	}
+
+	/* Start TLS if required */
+
+	rc = smb_ldap_start_tls(*ldap_struct, version);
+	if (rc) {
+		return rc;
+	}
+	
+	DEBUG(2, ("smbldap_open_connection: connection opened\n"));
+	return rc;
+}
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+static int rebindproc_with_state  (LDAP * ld, char **whop, char **credp, 
+				   int *methodp, int freeit, void *arg)
+{
+	struct smbldap_state *ldap_state = arg;
+	
+	/** @TODO Should we be doing something to check what servers we rebind to?
+	    Could we get a referral to a machine that we don't want to give our
+	    username and password to? */
+	
+	if (freeit) {
+		SAFE_FREE(*whop);
+		if (*credp) {
+			memset(*credp, '\0', strlen(*credp));
+		}
+		SAFE_FREE(*credp);
+	} else {
+		DEBUG(5,("rebind_proc_with_state: Rebinding as \"%s\"\n", 
+			  ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
+
+		if (ldap_state->anonymous) {
+			*whop = NULL;
+			*credp = NULL;
+		} else {
+			*whop = SMB_STRDUP(ldap_state->bind_dn);
+			if (!*whop) {
+				return LDAP_NO_MEMORY;
+			}
+			*credp = SMB_STRDUP(ldap_state->bind_secret);
+			if (!*credp) {
+				SAFE_FREE(*whop);
+				return LDAP_NO_MEMORY;
+			}
+		}
+		*methodp = LDAP_AUTH_SIMPLE;
+	}
+
+	GetTimeOfDay(&ldap_state->last_rebind);
+		
+	return 0;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ This version takes a void* that we can shove useful stuff in :-)
+ and actually does the connection.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+static int rebindproc_connect_with_state (LDAP *ldap_struct, 
+					  LDAP_CONST char *url, 
+					  ber_tag_t request,
+					  ber_int_t msgid, void *arg)
+{
+	struct smbldap_state *ldap_state =
+		(struct smbldap_state *)arg;
+	int rc;
+	int version;
+
+	DEBUG(5,("rebindproc_connect_with_state: Rebinding to %s as \"%s\"\n", 
+		 url, ldap_state->bind_dn?ldap_state->bind_dn:"[Anonymous bind]"));
+
+	/* call START_TLS again (ldaps:// is handled by the OpenLDAP library
+	 * itself) before rebinding to another LDAP server to avoid to expose
+	 * our credentials. At least *try* to secure the connection - Guenther */
+
+	smb_ldap_upgrade_conn(ldap_struct, &version);
+	smb_ldap_start_tls(ldap_struct, version);
+
+	/** @TODO Should we be doing something to check what servers we rebind to?
+	    Could we get a referral to a machine that we don't want to give our
+	    username and password to? */
+
+	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+
+	/* only set the last rebind timestamp when we did rebind after a
+	 * non-read LDAP operation. That way we avoid the replication sleep
+	 * after a simple redirected search operation - Guenther */
+
+	switch (request) {
+
+		case LDAP_REQ_MODIFY:
+		case LDAP_REQ_ADD:
+		case LDAP_REQ_DELETE:
+		case LDAP_REQ_MODDN:
+		case LDAP_REQ_EXTENDED:
+			DEBUG(10,("rebindproc_connect_with_state: "
+				"setting last_rebind timestamp "
+				"(req: 0x%02x)\n", (unsigned int)request));
+			GetTimeOfDay(&ldap_state->last_rebind);
+			break;
+		default:
+			ZERO_STRUCT(ldap_state->last_rebind);
+			break;
+	}
+
+	return rc;
+}
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ Add a rebind function for authenticated referrals
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+#else
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
+		       int *method, int freeit )
+{
+	struct smbldap_state *ldap_state = smbldap_find_state(ldap_struct);
+
+	return rebindproc_with_state(ldap_struct, whop, credp,
+				     method, freeit, ldap_state);
+	
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ a rebind function for authenticated referrals
+ this also does the connection, but no void*.
+******************************************************************/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2
+static int rebindproc_connect (LDAP * ld, LDAP_CONST char *url, int request,
+			       ber_int_t msgid)
+{
+	struct smbldap_state *ldap_state = smbldap_find_state(ld);
+
+	return rebindproc_connect_with_state(ld, url, (ber_tag_t)request, msgid, 
+					     ldap_state);
+}
+# endif /*LDAP_SET_REBIND_PROC_ARGS == 2*/
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+
+/*******************************************************************
+ connect to the ldap server under system privilege.
+******************************************************************/
+static int smbldap_connect_system(struct smbldap_state *ldap_state, LDAP * ldap_struct)
+{
+	int rc;
+	int version;
+
+	if (!ldap_state->anonymous && !ldap_state->bind_dn) {
+
+		/* get the default dn and password only if they are not set already */
+		if (!fetch_ldap_pw(&ldap_state->bind_dn, &ldap_state->bind_secret)) {
+			DEBUG(0, ("ldap_connect_system: Failed to retrieve password from secrets.tdb\n"));
+			return LDAP_INVALID_CREDENTIALS;
+		}
+	}
+
+	/* removed the sasl_bind_s "EXTERNAL" stuff, as my testsuite 
+	   (OpenLDAP) doesnt' seem to support it */
+	   
+	DEBUG(10,("ldap_connect_system: Binding to ldap server %s as \"%s\"\n",
+		  ldap_state->uri, ldap_state->bind_dn));
+
+#ifdef HAVE_LDAP_SET_REBIND_PROC
+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
+# if LDAP_SET_REBIND_PROC_ARGS == 2	
+	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect);	
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3	
+	ldap_set_rebind_proc(ldap_struct, &rebindproc_connect_with_state, (void *)ldap_state);	
+# endif
+#else /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+# if LDAP_SET_REBIND_PROC_ARGS == 2	
+	ldap_set_rebind_proc(ldap_struct, &rebindproc);	
+# endif
+# if LDAP_SET_REBIND_PROC_ARGS == 3	
+	ldap_set_rebind_proc(ldap_struct, &rebindproc_with_state, (void *)ldap_state);	
+# endif
+#endif /*defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)*/
+#endif
+
+	rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+
+	if (rc != LDAP_SUCCESS) {
+		char *ld_error = NULL;
+		ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING,
+				&ld_error);
+		DEBUG(ldap_state->num_failures ? 2 : 0,
+		      ("failed to bind to server %s with dn=\"%s\" Error: %s\n\t%s\n",
+			       ldap_state->uri,
+			       ldap_state->bind_dn ? ldap_state->bind_dn : "[Anonymous bind]",
+			       ldap_err2string(rc),
+			       ld_error ? ld_error : "(unknown)"));
+		SAFE_FREE(ld_error);
+		ldap_state->num_failures++;
+		return rc;
+	}
+
+	ldap_state->num_failures = 0;
+	ldap_state->paged_results = False;
+
+	ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_PROTOCOL_VERSION, &version);
+
+	if (smbldap_has_control(ldap_state->ldap_struct, ADS_PAGE_CTL_OID) && version == 3) {
+		ldap_state->paged_results = True;
+	}
+
+	DEBUG(3, ("ldap_connect_system: successful connection to the LDAP server\n"));
+	DEBUGADD(10, ("ldap_connect_system: LDAP server %s support paged results\n", 
+		ldap_state->paged_results ? "does" : "does not"));
+	return rc;
+}
+
+static void smbldap_idle_fn(struct event_context *event_ctx,
+			    struct timed_event *te,
+			    const struct timeval *now,
+			    void *private_data);
+
+/**********************************************************************
+ Connect to LDAP server (called before every ldap operation)
+*********************************************************************/
+static int smbldap_open(struct smbldap_state *ldap_state)
+{
+	int rc, opt_rc;
+	bool reopen = False;
+	SMB_ASSERT(ldap_state);
+		
+#ifndef NO_LDAP_SECURITY
+	if (geteuid() != 0) {
+		DEBUG(0, ("smbldap_open: cannot access LDAP when not root\n"));
+		return  LDAP_INSUFFICIENT_ACCESS;
+	}
+#endif
+
+	if ((ldap_state->ldap_struct != NULL) && ((ldap_state->last_ping + SMBLDAP_DONT_PING_TIME) < time(NULL))) {
+
+#ifdef HAVE_UNIXSOCKET
+		struct sockaddr_un addr;
+#else
+		struct sockaddr addr;
+#endif
+		socklen_t len = sizeof(addr);
+		int sd;
+
+		opt_rc = ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_DESC, &sd);
+		if (opt_rc == 0 && (getpeername(sd, (struct sockaddr *) &addr, &len)) < 0 )
+			reopen = True;
+
+#ifdef HAVE_UNIXSOCKET
+		if (opt_rc == 0 && addr.sun_family == AF_UNIX)
+			reopen = True;
+#endif
+		if (reopen) {
+		    	/* the other end has died. reopen. */
+		    	ldap_unbind(ldap_state->ldap_struct);
+		    	ldap_state->ldap_struct = NULL;
+		    	ldap_state->last_ping = (time_t)0;
+		} else {
+			ldap_state->last_ping = time(NULL);
+		} 
+    	}
+
+	if (ldap_state->ldap_struct != NULL) {
+		DEBUG(11,("smbldap_open: already connected to the LDAP server\n"));
+		return LDAP_SUCCESS;
+	}
+
+	if ((rc = smbldap_open_connection(ldap_state))) {
+		return rc;
+	}
+
+	if ((rc = smbldap_connect_system(ldap_state, ldap_state->ldap_struct))) {
+		ldap_unbind(ldap_state->ldap_struct);
+		ldap_state->ldap_struct = NULL;
+		return rc;
+	}
+
+
+	ldap_state->last_ping = time(NULL);
+	ldap_state->pid = sys_getpid();
+
+	TALLOC_FREE(ldap_state->idle_event);
+
+	if (ldap_state->event_context != NULL) {
+		ldap_state->idle_event = event_add_timed(
+			ldap_state->event_context, NULL,
+			timeval_current_ofs(SMBLDAP_IDLE_TIME, 0),
+			"smbldap_idle_fn", smbldap_idle_fn, ldap_state);
+	}
+
+	DEBUG(4,("The LDAP server is successfully connected\n"));
+
+	return LDAP_SUCCESS;
+}
+
+/**********************************************************************
+Disconnect from LDAP server 
+*********************************************************************/
+static NTSTATUS smbldap_close(struct smbldap_state *ldap_state)
+{
+	if (!ldap_state)
+		return NT_STATUS_INVALID_PARAMETER;
+		
+	if (ldap_state->ldap_struct != NULL) {
+		ldap_unbind(ldap_state->ldap_struct);
+		ldap_state->ldap_struct = NULL;
+	}
+
+	smbldap_delete_state(ldap_state);
+	
+	DEBUG(5,("The connection to the LDAP server was closed\n"));
+	/* maybe free the results here --metze */
+	
+	return NT_STATUS_OK;
+}
+
+static bool got_alarm;
+
+static void (*old_handler)(int);
+
+static void gotalarm_sig(int dummy)
+{
+	got_alarm = True;
+}
+
+static int another_ldap_try(struct smbldap_state *ldap_state, int *rc,
+			    int *attempts, time_t endtime)
+{
+	time_t now = time(NULL);
+	int open_rc = LDAP_SERVER_DOWN;
+
+	if (*rc != LDAP_SERVER_DOWN)
+		goto no_next;
+
+	if (now >= endtime) {
+		smbldap_close(ldap_state);
+		*rc = LDAP_TIMEOUT;
+		goto no_next;
+	}
+
+	if (*attempts == 0) {
+		got_alarm = False;
+		old_handler = CatchSignal(SIGALRM, gotalarm_sig);
+		alarm(endtime - now);
+
+		if (ldap_state->pid != sys_getpid())
+			smbldap_close(ldap_state);
+	}
+
+	while (1) {
+
+		if (*attempts != 0)
+			smb_msleep(1000);
+
+		*attempts += 1;
+
+		open_rc = smbldap_open(ldap_state);
+
+		if (open_rc == LDAP_SUCCESS) {
+			ldap_state->last_use = now;
+			return True;
+		}
+
+		if (open_rc == LDAP_INSUFFICIENT_ACCESS) {
+			/* The fact that we are non-root or any other
+			 * access-denied condition will not change in the next
+			 * round of trying */
+			*rc = open_rc;
+			break;
+		}
+
+		if (got_alarm) {
+			*rc = LDAP_TIMEOUT;
+			break;
+		}
+
+		if (open_rc != LDAP_SUCCESS) {
+			DEBUG(1, ("Connection to LDAP server failed for the "
+				  "%d try!\n", *attempts));
+		}
+	}
+
+ no_next:
+	CatchSignal(SIGALRM, old_handler);
+	alarm(0);
+	ldap_state->last_use = now;
+	return False;
+}
+
+/*********************************************************************
+ ********************************************************************/
+
+static int smbldap_search_ext(struct smbldap_state *ldap_state,
+			      const char *base, int scope, const char *filter, 
+			      const char *attrs[], int attrsonly,
+			      LDAPControl **sctrls, LDAPControl **cctrls, 
+			      int sizelimit, LDAPMessage **res)
+{
+	int 		rc = LDAP_SERVER_DOWN;
+	int 		attempts = 0;
+	char           *utf8_filter;
+	time_t		endtime = time(NULL)+lp_ldap_timeout();
+	struct		timeval timeout;
+	size_t		converted_size;
+
+	SMB_ASSERT(ldap_state);
+	
+	DEBUG(5,("smbldap_search_ext: base => [%s], filter => [%s], "
+		 "scope => [%d]\n", base, filter, scope));
+
+	if (ldap_state->last_rebind.tv_sec > 0) {
+		struct timeval	tval;
+		SMB_BIG_INT	tdiff = 0;
+		int		sleep_time = 0;
+
+		ZERO_STRUCT(tval);
+		GetTimeOfDay(&tval);
+
+		tdiff = usec_time_diff(&tval, &ldap_state->last_rebind);
+		tdiff /= 1000; /* Convert to milliseconds. */
+
+		sleep_time = lp_ldap_replication_sleep()-(int)tdiff;
+		sleep_time = MIN(sleep_time, MAX_LDAP_REPLICATION_SLEEP_TIME);
+
+		if (sleep_time > 0) {
+			/* we wait for the LDAP replication */
+			DEBUG(5,("smbldap_search_ext: waiting %d milliseconds "
+				 "for LDAP replication.\n",sleep_time));
+			smb_msleep(sleep_time);
+			DEBUG(5,("smbldap_search_ext: go on!\n"));
+		}
+		ZERO_STRUCT(ldap_state->last_rebind);
+	}
+
+	if (!push_utf8_allocate(&utf8_filter, filter, &converted_size)) {
+		return LDAP_NO_MEMORY;
+	}
+
+	/* Setup timeout for the ldap_search_ext_s call - local and remote. */
+	timeout.tv_sec = lp_ldap_timeout();
+	timeout.tv_usec = 0;
+
+	/* Setup alarm timeout.... Do we need both of these ? JRA.
+	 * Yes, I think we do need both of these. The server timeout only
+	 * covers the case where the server's operation takes too long. It
+	 * does not cover the case where the request hangs on its way to the
+	 * server. The server side timeout is not strictly necessary, it's
+	 * just a bit more kind to the server. VL. */
+
+	got_alarm = 0;
+	CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
+	alarm(lp_ldap_timeout());
+	/* End setup timeout. */
+
+	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
+		rc = ldap_search_ext_s(ldap_state->ldap_struct, base, scope, 
+				       utf8_filter,
+				       CONST_DISCARD(char **, attrs),
+				       attrsonly, sctrls, cctrls, &timeout,
+				       sizelimit, res);
+		if (rc != LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			int ld_errno;
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_NUMBER, &ld_errno);
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(10, ("Failed search for base: %s, error: %d (%s) "
+				   "(%s)\n", base, ld_errno,
+				   ldap_err2string(rc),
+				   ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+
+			if (ld_errno == LDAP_SERVER_DOWN) {
+				ldap_unbind(ldap_state->ldap_struct);
+				ldap_state->ldap_struct = NULL;
+			}
+		}
+	}
+
+	SAFE_FREE(utf8_filter);
+
+	/* Teardown timeout. */
+	CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
+	alarm(0);
+
+	if (got_alarm != 0)
+		return LDAP_TIMELIMIT_EXCEEDED;
+
+	return rc;
+}
+
+int smbldap_search(struct smbldap_state *ldap_state, 
+		   const char *base, int scope, const char *filter, 
+		   const char *attrs[], int attrsonly, 
+		   LDAPMessage **res)
+{
+	return smbldap_search_ext(ldap_state, base, scope, filter, attrs,
+				  attrsonly, NULL, NULL, LDAP_NO_LIMIT, res);
+}
+
+int smbldap_search_paged(struct smbldap_state *ldap_state, 
+			 const char *base, int scope, const char *filter, 
+			 const char **attrs, int attrsonly, int pagesize,
+			 LDAPMessage **res, void **cookie)
+{
+	LDAPControl     pr;
+	LDAPControl 	**rcontrols;
+	LDAPControl 	*controls[2] = { NULL, NULL};
+	BerElement 	*cookie_be = NULL;
+	struct berval 	*cookie_bv = NULL;
+	int		tmp = 0, i, rc;
+	bool 		critical = True;
+
+	*res = NULL;
+
+	DEBUG(3,("smbldap_search_paged: base => [%s], filter => [%s],"
+		 "scope => [%d], pagesize => [%d]\n",
+		 base, filter, scope, pagesize));
+
+	cookie_be = ber_alloc_t(LBER_USE_DER);
+	if (cookie_be == NULL) {
+		DEBUG(0,("smbldap_create_page_control: ber_alloc_t returns "
+			 "NULL\n"));
+		return LDAP_NO_MEMORY;
+	}
+
+	/* construct cookie */
+	if (*cookie != NULL) {
+		ber_printf(cookie_be, "{iO}", (ber_int_t) pagesize, *cookie);
+		ber_bvfree((struct berval *)*cookie); /* don't need it from last time */
+		*cookie = NULL;
+	} else {
+		ber_printf(cookie_be, "{io}", (ber_int_t) pagesize, "", 0);
+	}
+	ber_flatten(cookie_be, &cookie_bv);
+
+	pr.ldctl_oid = CONST_DISCARD(char *, ADS_PAGE_CTL_OID);
+	pr.ldctl_iscritical = (char) critical;
+	pr.ldctl_value.bv_len = cookie_bv->bv_len;
+	pr.ldctl_value.bv_val = cookie_bv->bv_val;
+
+	controls[0] = &pr;
+	controls[1] = NULL;
+
+	rc = smbldap_search_ext(ldap_state, base, scope, filter, attrs, 
+				 0, controls, NULL, LDAP_NO_LIMIT, res);
+
+	ber_free(cookie_be, 1);
+	ber_bvfree(cookie_bv);
+
+	if (rc != 0) {
+		DEBUG(3,("smbldap_search_paged: smbldap_search_ext(%s) "
+			 "failed with [%s]\n", filter, ldap_err2string(rc)));
+		goto done;
+	}
+
+	DEBUG(3,("smbldap_search_paged: search was successfull\n"));
+
+	rc = ldap_parse_result(ldap_state->ldap_struct, *res, NULL, NULL, 
+			       NULL, NULL, &rcontrols,  0);
+	if (rc != 0) {
+		DEBUG(3,("smbldap_search_paged: ldap_parse_result failed " \
+			 "with [%s]\n", ldap_err2string(rc)));
+		goto done;
+	}
+
+	if (rcontrols == NULL)
+		goto done;
+
+	for (i=0; rcontrols[i]; i++) {
+
+		if (strcmp(ADS_PAGE_CTL_OID, rcontrols[i]->ldctl_oid) != 0)
+			continue;
+
+		cookie_be = ber_init(&rcontrols[i]->ldctl_value);
+		ber_scanf(cookie_be,"{iO}", &tmp, &cookie_bv);
+		/* the berval is the cookie, but must be freed when it is all
+		   done */
+		if (cookie_bv->bv_len)
+			*cookie=ber_bvdup(cookie_bv);
+		else
+			*cookie=NULL;
+		ber_bvfree(cookie_bv);
+		ber_free(cookie_be, 1);
+		break;
+	}
+	ldap_controls_free(rcontrols);
+done:	
+	return rc;
+}
+
+int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+	int 		rc = LDAP_SERVER_DOWN;
+	int 		attempts = 0;
+	char           *utf8_dn;
+	time_t		endtime = time(NULL)+lp_ldap_timeout();
+	size_t		converted_size;
+
+	SMB_ASSERT(ldap_state);
+
+	DEBUG(5,("smbldap_modify: dn => [%s]\n", dn ));
+
+	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
+		return LDAP_NO_MEMORY;
+	}
+
+	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
+		rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
+		if (rc != LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			int ld_errno;
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_NUMBER, &ld_errno);
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
+				   "(%s)\n", dn, ld_errno,
+				   ldap_err2string(rc),
+				   ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+
+			if (ld_errno == LDAP_SERVER_DOWN) {
+				ldap_unbind(ldap_state->ldap_struct);
+				ldap_state->ldap_struct = NULL;
+			}
+		}
+	}
+		
+	SAFE_FREE(utf8_dn);
+	return rc;
+}
+
+int smbldap_add(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[])
+{
+	int 		rc = LDAP_SERVER_DOWN;
+	int 		attempts = 0;
+	char           *utf8_dn;
+	time_t		endtime = time(NULL)+lp_ldap_timeout();
+	size_t		converted_size;
+	
+	SMB_ASSERT(ldap_state);
+
+	DEBUG(5,("smbldap_add: dn => [%s]\n", dn ));
+
+	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
+		return LDAP_NO_MEMORY;
+	}
+
+	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
+		rc = ldap_add_s(ldap_state->ldap_struct, utf8_dn, attrs);
+		if (rc != LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			int ld_errno;
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_NUMBER, &ld_errno);
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(10, ("Failed to add dn: %s, error: %d (%s) "
+				   "(%s)\n", dn, ld_errno,
+				   ldap_err2string(rc),
+				   ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+
+			if (ld_errno == LDAP_SERVER_DOWN) {
+				ldap_unbind(ldap_state->ldap_struct);
+				ldap_state->ldap_struct = NULL;
+			}
+		}
+	}
+	
+	SAFE_FREE(utf8_dn);
+	return rc;
+}
+
+int smbldap_delete(struct smbldap_state *ldap_state, const char *dn)
+{
+	int 		rc = LDAP_SERVER_DOWN;
+	int 		attempts = 0;
+	char           *utf8_dn;
+	time_t		endtime = time(NULL)+lp_ldap_timeout();
+	size_t		converted_size;
+	
+	SMB_ASSERT(ldap_state);
+
+	DEBUG(5,("smbldap_delete: dn => [%s]\n", dn ));
+
+	if (!push_utf8_allocate(&utf8_dn, dn, &converted_size)) {
+		return LDAP_NO_MEMORY;
+	}
+
+	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
+		rc = ldap_delete_s(ldap_state->ldap_struct, utf8_dn);
+		if (rc != LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			int ld_errno;
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_NUMBER, &ld_errno);
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(10, ("Failed to delete dn: %s, error: %d (%s) "
+				   "(%s)\n", dn, ld_errno,
+				   ldap_err2string(rc),
+				   ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+
+			if (ld_errno == LDAP_SERVER_DOWN) {
+				ldap_unbind(ldap_state->ldap_struct);
+				ldap_state->ldap_struct = NULL;
+			}
+		}
+	}
+	
+	SAFE_FREE(utf8_dn);
+	return rc;
+}
+
+int smbldap_extended_operation(struct smbldap_state *ldap_state, 
+			       LDAP_CONST char *reqoid, struct berval *reqdata, 
+			       LDAPControl **serverctrls, LDAPControl **clientctrls, 
+			       char **retoidp, struct berval **retdatap)
+{
+	int 		rc = LDAP_SERVER_DOWN;
+	int 		attempts = 0;
+	time_t		endtime = time(NULL)+lp_ldap_timeout();
+	
+	if (!ldap_state)
+		return (-1);
+
+	while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
+		rc = ldap_extended_operation_s(ldap_state->ldap_struct, reqoid,
+					       reqdata, serverctrls,
+					       clientctrls, retoidp, retdatap);
+		if (rc != LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			int ld_errno;
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_NUMBER, &ld_errno);
+
+			ldap_get_option(ldap_state->ldap_struct,
+					LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(10, ("Extended operation failed with error: "
+				   "%d (%s) (%s)\n", ld_errno,
+				   ldap_err2string(rc),
+				   ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+
+			if (ld_errno == LDAP_SERVER_DOWN) {
+				ldap_unbind(ldap_state->ldap_struct);
+				ldap_state->ldap_struct = NULL;
+			}
+		}
+	}
+		
+	return rc;
+}
+
+/*******************************************************************
+ run the search by name.
+******************************************************************/
+int smbldap_search_suffix (struct smbldap_state *ldap_state,
+			   const char *filter, const char **search_attr,
+			   LDAPMessage ** result)
+{
+	return smbldap_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE,
+			      filter, search_attr, 0, result);
+}
+
+static void smbldap_idle_fn(struct event_context *event_ctx,
+			    struct timed_event *te,
+			    const struct timeval *now,
+			    void *private_data)
+{
+	struct smbldap_state *state = (struct smbldap_state *)private_data;
+
+	TALLOC_FREE(state->idle_event);
+
+	if (state->ldap_struct == NULL) {
+		DEBUG(10,("ldap connection not connected...\n"));
+		return;
+	}
+		
+	if ((state->last_use+SMBLDAP_IDLE_TIME) > now->tv_sec) {
+		DEBUG(10,("ldap connection not idle...\n"));
+
+		state->idle_event = event_add_timed(
+			event_ctx, NULL,
+			timeval_add(now, SMBLDAP_IDLE_TIME, 0),
+			"smbldap_idle_fn", smbldap_idle_fn,
+			private_data);
+		return;
+	}
+		
+	DEBUG(7,("ldap connection idle...closing connection\n"));
+	smbldap_close(state);
+}
+
+/**********************************************************************
+ Housekeeping
+ *********************************************************************/
+
+void smbldap_free_struct(struct smbldap_state **ldap_state) 
+{
+	smbldap_close(*ldap_state);
+	
+	if ((*ldap_state)->bind_secret) {
+		memset((*ldap_state)->bind_secret, '\0', strlen((*ldap_state)->bind_secret));
+	}
+
+	SAFE_FREE((*ldap_state)->bind_dn);
+	SAFE_FREE((*ldap_state)->bind_secret);
+
+	TALLOC_FREE((*ldap_state)->idle_event);
+
+	*ldap_state = NULL;
+
+	/* No need to free any further, as it is talloc()ed */
+}
+
+
+/**********************************************************************
+ Intitalise the 'general' ldap structures, on which ldap operations may be conducted
+ *********************************************************************/
+
+NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, struct event_context *event_ctx,
+		      const char *location,
+		      struct smbldap_state **smbldap_state)
+{
+	*smbldap_state = TALLOC_ZERO_P(mem_ctx, struct smbldap_state);
+	if (!*smbldap_state) {
+		DEBUG(0, ("talloc() failed for ldapsam private_data!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (location) {
+		(*smbldap_state)->uri = talloc_strdup(mem_ctx, location);
+	} else {
+		(*smbldap_state)->uri = "ldap://localhost";
+	}
+
+	(*smbldap_state)->event_context = event_ctx;
+
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ Return a copy of the DN for a LDAPMessage. Convert from utf8 to CH_UNIX.
+********************************************************************/
+char *smbldap_get_dn(LDAP *ld, LDAPMessage *entry)
+{
+	char *utf8_dn, *unix_dn;
+	size_t converted_size;
+
+	utf8_dn = ldap_get_dn(ld, entry);
+	if (!utf8_dn) {
+		DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
+		return NULL;
+	}
+	if (!pull_utf8_allocate(&unix_dn, utf8_dn, &converted_size)) {
+		DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
+			   "[%s]\n", utf8_dn));
+		return NULL;
+	}
+	ldap_memfree(utf8_dn);
+	return unix_dn;
+}
+
+ const char *smbldap_talloc_dn(TALLOC_CTX *mem_ctx, LDAP *ld,
+			       LDAPMessage *entry)
+{
+	char *utf8_dn, *unix_dn;
+	size_t converted_size;
+
+	utf8_dn = ldap_get_dn(ld, entry);
+	if (!utf8_dn) {
+		DEBUG (5, ("smbldap_get_dn: ldap_get_dn failed\n"));
+		return NULL;
+	}
+	if (!pull_utf8_talloc(mem_ctx, &unix_dn, utf8_dn, &converted_size)) {
+		DEBUG (0, ("smbldap_get_dn: String conversion failure utf8 "
+			   "[%s]\n", utf8_dn));
+		return NULL;
+	}
+	ldap_memfree(utf8_dn);
+	return unix_dn;
+}
+
+/*******************************************************************
+ Check if root-dse has a certain Control or Extension
+********************************************************************/
+
+static bool smbldap_check_root_dse(LDAP *ld, const char **attrs, const char *value) 
+{
+	LDAPMessage *msg = NULL;
+	LDAPMessage *entry = NULL;
+	char **values = NULL;
+	int rc, num_result, num_values, i;
+	bool result = False;
+
+	if (!attrs[0]) {
+		DEBUG(3,("smbldap_check_root_dse: nothing to look for\n"));
+		return False;
+	}
+
+	if (!strequal(attrs[0], "supportedExtension") && 
+	    !strequal(attrs[0], "supportedControl") && 
+	    !strequal(attrs[0], "namingContexts")) {
+		DEBUG(3,("smbldap_check_root_dse: no idea what to query root-dse for: %s ?\n", attrs[0]));
+		return False;
+	}
+
+	rc = ldap_search_s(ld, "", LDAP_SCOPE_BASE, 
+			   "(objectclass=*)", CONST_DISCARD(char **, attrs), 0 , &msg);
+
+	if (rc != LDAP_SUCCESS) {
+		DEBUG(3,("smbldap_check_root_dse: Could not search rootDSE\n"));
+		return False;
+	}
+
+	num_result = ldap_count_entries(ld, msg);
+
+	if (num_result != 1) {
+		DEBUG(3,("smbldap_check_root_dse: Expected one rootDSE, got %d\n", num_result));
+		goto done;
+	}
+
+	entry = ldap_first_entry(ld, msg);
+
+	if (entry == NULL) {
+		DEBUG(3,("smbldap_check_root_dse: Could not retrieve rootDSE\n"));
+		goto done;
+	}
+
+	values = ldap_get_values(ld, entry, attrs[0]);
+
+	if (values == NULL) {
+		DEBUG(5,("smbldap_check_root_dse: LDAP Server does not support any %s\n", attrs[0]));
+		goto done;
+	}
+
+	num_values = ldap_count_values(values);
+
+	if (num_values == 0) {
+		DEBUG(5,("smbldap_check_root_dse: LDAP Server does not have any %s\n", attrs[0]));
+		goto done;
+	}
+
+	for (i=0; i<num_values; i++) {
+		if (strcmp(values[i], value) == 0)
+			result = True;
+	}
+
+
+ done:
+	if (values != NULL)
+		ldap_value_free(values);
+	if (msg != NULL)
+		ldap_msgfree(msg);
+
+	return result;
+
+}
+
+/*******************************************************************
+ Check if LDAP-Server supports a certain Control (OID in string format)
+********************************************************************/
+
+bool smbldap_has_control(LDAP *ld, const char *control)
+{
+	const char *attrs[] = { "supportedControl", NULL };
+	return smbldap_check_root_dse(ld, attrs, control);
+}
+
+/*******************************************************************
+ Check if LDAP-Server supports a certain Extension (OID in string format)
+********************************************************************/
+
+bool smbldap_has_extension(LDAP *ld, const char *extension)
+{
+	const char *attrs[] = { "supportedExtension", NULL };
+	return smbldap_check_root_dse(ld, attrs, extension);
+}
+
+/*******************************************************************
+ Check if LDAP-Server holds a given namingContext
+********************************************************************/
+
+bool smbldap_has_naming_context(LDAP *ld, const char *naming_context)
+{
+	const char *attrs[] = { "namingContexts", NULL };
+	return smbldap_check_root_dse(ld, attrs, naming_context);
+}
+
+bool smbldap_set_creds(struct smbldap_state *ldap_state, bool anon, const char *dn, const char *secret)
+{
+	ldap_state->anonymous = anon;
+
+	/* free any previously set credential */
+
+	SAFE_FREE(ldap_state->bind_dn);
+	if (ldap_state->bind_secret) {
+		/* make sure secrets are zeroed out of memory */
+		memset(ldap_state->bind_secret, '\0', strlen(ldap_state->bind_secret));
+		SAFE_FREE(ldap_state->bind_secret);
+	}
+
+	if ( ! anon) {
+		ldap_state->bind_dn = SMB_STRDUP(dn);
+		ldap_state->bind_secret = SMB_STRDUP(secret);
+	}
+
+	return True;
+}
diff --git a/source3/lib/smbldap_util.c b/source3/lib/smbldap_util.c
new file mode 100644
index 0000000000..66aef6ba66
--- /dev/null
+++ b/source3/lib/smbldap_util.c
@@ -0,0 +1,334 @@
+/* 
+   Unix SMB/CIFS mplementation.
+   LDAP protocol helper functions for SAMBA
+   Copyright (C) Jean François Micouleau	1998
+   Copyright (C) Gerald Carter			2001-2003
+   Copyright (C) Shahms King			2001
+   Copyright (C) Andrew Bartlett		2002-2003
+   Copyright (C) Stefan (metze) Metzmacher	2002-2003
+    
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   
+*/
+
+#include "includes.h"
+#include "smbldap.h"
+
+/**********************************************************************
+ Add the account-policies below the sambaDomain object to LDAP, 
+*********************************************************************/
+
+static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state,
+					 	const char *domain_name)
+{
+	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
+	int i, rc;
+	uint32 policy_default;
+	const char *policy_attr = NULL;
+	char *dn = NULL;
+	LDAPMod **mods = NULL;
+	char *escape_domain_name;
+
+	DEBUG(3,("add_new_domain_account_policies: Adding new account policies for domain\n"));
+
+	escape_domain_name = escape_rdn_val_string_alloc(domain_name);
+	if (!escape_domain_name) {
+		DEBUG(0, ("Out of memory!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (asprintf(&dn, "%s=%s,%s",
+		get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+		escape_domain_name, lp_ldap_suffix()) < 0) {
+		SAFE_FREE(escape_domain_name);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	SAFE_FREE(escape_domain_name);
+
+	for (i=1; decode_account_policy_name(i) != NULL; i++) {
+		char *val = NULL;
+
+		policy_attr = get_account_policy_attr(i);
+		if (!policy_attr) {
+			DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n"));
+			continue;
+		}
+
+		if (!account_policy_get_default(i, &policy_default)) {
+			DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n"));
+			SAFE_FREE(dn);
+			return ntstatus;
+		}
+
+		DEBUG(10,("add_new_domain_account_policies: adding \"%s\" with value: %d\n", policy_attr, policy_default));
+
+		if (asprintf(&val, "%d", policy_default) < 0) {
+			SAFE_FREE(dn);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		smbldap_set_mod( &mods, LDAP_MOD_REPLACE, policy_attr, val);
+
+		rc = smbldap_modify(ldap_state, dn, mods);
+
+		SAFE_FREE(val);
+
+		if (rc!=LDAP_SUCCESS) {
+			char *ld_error = NULL;
+			ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
+			DEBUG(1,("add_new_domain_account_policies: failed to add account policies to dn= %s with: %s\n\t%s\n",
+				dn, ldap_err2string(rc),
+				ld_error ? ld_error : "unknown"));
+			SAFE_FREE(ld_error);
+			SAFE_FREE(dn);
+			ldap_mods_free(mods, True);
+			return ntstatus;
+		}
+	}
+
+	SAFE_FREE(dn);
+	ldap_mods_free(mods, True);
+
+	return NT_STATUS_OK;
+}
+
+/**********************************************************************
+ Add the sambaDomain to LDAP, so we don't have to search for this stuff
+ again.  This is a once-add operation for now.
+
+ TODO:  Add other attributes, and allow modification.
+*********************************************************************/
+
+static NTSTATUS add_new_domain_info(struct smbldap_state *ldap_state,
+                                    const char *domain_name)
+{
+	fstring sid_string;
+	fstring algorithmic_rid_base_string;
+	char *filter = NULL;
+	char *dn = NULL;
+	LDAPMod **mods = NULL;
+	int rc;
+	LDAPMessage *result = NULL;
+	int num_result;
+	const char **attr_list;
+	char *escape_domain_name;
+
+	/* escape for filter */
+	escape_domain_name = escape_ldap_string_alloc(domain_name);
+	if (!escape_domain_name) {
+		DEBUG(0, ("Out of memory!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (asprintf(&filter, "(&(%s=%s)(objectclass=%s))",
+		get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+			escape_domain_name, LDAP_OBJ_DOMINFO) < 0) {
+		SAFE_FREE(escape_domain_name);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	SAFE_FREE(escape_domain_name);
+
+	attr_list = get_attr_list(NULL, dominfo_attr_list );
+	rc = smbldap_search_suffix(ldap_state, filter, attr_list, &result);
+	TALLOC_FREE( attr_list );
+	SAFE_FREE(filter);
+
+	if (rc != LDAP_SUCCESS) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	num_result = ldap_count_entries(ldap_state->ldap_struct, result);
+
+	if (num_result > 1) {
+		DEBUG (0, ("add_new_domain_info: More than domain with that name exists: bailing "
+			   "out!\n"));
+		ldap_msgfree(result);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	/* Check if we need to add an entry */
+	DEBUG(3,("add_new_domain_info: Adding new domain\n"));
+
+	/* this time escape for DN */
+	escape_domain_name = escape_rdn_val_string_alloc(domain_name);
+	if (!escape_domain_name) {
+		DEBUG(0, ("Out of memory!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (asprintf(&dn, "%s=%s,%s",
+		     get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+		     escape_domain_name, lp_ldap_suffix()) < 0) {
+		SAFE_FREE(escape_domain_name);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	SAFE_FREE(escape_domain_name);
+
+	/* Free original search */
+	ldap_msgfree(result);
+
+	/* make the changes - the entry *must* not already have samba
+	 * attributes */
+
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			get_attr_key2string(dominfo_attr_list,
+					    LDAP_ATTR_DOMAIN),
+			domain_name);
+
+	/* If we don't have an entry, then ask secrets.tdb for what it thinks.
+	   It may choose to make it up */
+
+	sid_to_fstring(sid_string, get_global_sam_sid());
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			get_attr_key2string(dominfo_attr_list,
+					    LDAP_ATTR_DOM_SID),
+			sid_string);
+
+	slprintf(algorithmic_rid_base_string,
+		 sizeof(algorithmic_rid_base_string) - 1, "%i",
+		 algorithmic_rid_base());
+	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			get_attr_key2string(dominfo_attr_list,
+					    LDAP_ATTR_ALGORITHMIC_RID_BASE),
+			algorithmic_rid_base_string);
+	smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO);
+
+	/* add the sambaNextUserRid attributes. */
+
+	{
+		uint32 rid = BASE_RID;
+		fstring rid_str;
+
+		fstr_sprintf( rid_str, "%i", rid );
+		DEBUG(10,("add_new_domain_info: setting next available user rid [%s]\n", rid_str));
+		smbldap_set_mod(&mods, LDAP_MOD_ADD,
+			get_attr_key2string(dominfo_attr_list,
+					    LDAP_ATTR_NEXT_USERRID),
+			rid_str);
+        }
+
+
+	rc = smbldap_add(ldap_state, dn, mods);
+
+	if (rc!=LDAP_SUCCESS) {
+		char *ld_error = NULL;
+		ldap_get_option(ldap_state->ldap_struct,
+				LDAP_OPT_ERROR_STRING, &ld_error);
+		DEBUG(1,("add_new_domain_info: failed to add domain dn= %s with: %s\n\t%s\n",
+			 dn, ldap_err2string(rc),
+			 ld_error?ld_error:"unknown"));
+		SAFE_FREE(ld_error);
+		SAFE_FREE(dn);
+		ldap_mods_free(mods, True);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	DEBUG(2,("add_new_domain_info: added: domain = %s in the LDAP database\n", domain_name));
+	ldap_mods_free(mods, True);
+	SAFE_FREE(dn);
+	return NT_STATUS_OK;
+}
+
+/**********************************************************************
+Search for the domain info entry
+*********************************************************************/
+
+NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
+                                    LDAPMessage ** result, const char *domain_name,
+                                    bool try_add)
+{
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	char *filter = NULL;
+	int rc;
+	const char **attr_list;
+	int count;
+	char *escape_domain_name;
+
+	escape_domain_name = escape_ldap_string_alloc(domain_name);
+	if (!escape_domain_name) {
+		DEBUG(0, ("Out of memory!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (asprintf(&filter, "(&(objectClass=%s)(%s=%s))",
+		LDAP_OBJ_DOMINFO,
+		get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
+		escape_domain_name) < 0) {
+		SAFE_FREE(escape_domain_name);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	SAFE_FREE(escape_domain_name);
+
+	DEBUG(2, ("smbldap_search_domain_info: Searching for:[%s]\n", filter));
+
+	attr_list = get_attr_list( NULL, dominfo_attr_list );
+	rc = smbldap_search_suffix(ldap_state, filter, attr_list , result);
+	TALLOC_FREE( attr_list );
+
+	if (rc != LDAP_SUCCESS) {
+		DEBUG(2,("smbldap_search_domain_info: Problem during LDAPsearch: %s\n", ldap_err2string (rc)));
+		DEBUG(2,("smbldap_search_domain_info: Query was: %s, %s\n", lp_ldap_suffix(), filter));
+		goto failed;
+	}
+
+	SAFE_FREE(filter);
+
+	count = ldap_count_entries(ldap_state->ldap_struct, *result);
+
+	if (count == 1) {
+		return NT_STATUS_OK;
+	}
+
+	ldap_msgfree(*result);
+	*result = NULL;
+
+	if (count < 1) {
+
+		DEBUG(3, ("smbldap_search_domain_info: Got no domain info entries for domain\n"));
+
+		if (!try_add)
+			goto failed;
+
+		status = add_new_domain_info(ldap_state, domain_name);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(0, ("smbldap_search_domain_info: Adding domain info for %s failed with %s\n", 
+				domain_name, nt_errstr(status)));
+			goto failed;
+		}
+
+		status = add_new_domain_account_policies(ldap_state, domain_name);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(0, ("smbldap_search_domain_info: Adding domain account policies for %s failed with %s\n", 
+				domain_name, nt_errstr(status)));
+			goto failed;
+		}
+
+		return smbldap_search_domain_info(ldap_state, result, domain_name, False);
+
+	} 
+	
+	if (count > 1 ) {
+	
+		DEBUG(0, ("smbldap_search_domain_info: Got too many (%d) domain info entries for domain %s\n",
+			  count, domain_name));
+		goto failed;
+	}
+
+failed:
+	return status;
+}
diff --git a/source3/lib/smbrun.c b/source3/lib/smbrun.c
new file mode 100644
index 0000000000..515fcd75c2
--- /dev/null
+++ b/source3/lib/smbrun.c
@@ -0,0 +1,341 @@
+/*
+   Unix SMB/CIFS implementation.
+   run a command as a specified user
+   Copyright (C) Andrew Tridgell 1992-1998
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* need to move this from here!! need some sleep ... */
+struct current_user current_user;
+
+/****************************************************************************
+This is a utility function of smbrun().
+****************************************************************************/
+
+static int setup_out_fd(void)
+{
+	int fd;
+	TALLOC_CTX *ctx = talloc_stackframe();
+	char *path = NULL;
+
+	path = talloc_asprintf(ctx,
+				"%s/smb.XXXXXX",
+				tmpdir());
+	if (!path) {
+		TALLOC_FREE(ctx);
+		errno = ENOMEM;
+		return -1;
+	}
+
+	/* now create the file */
+	fd = smb_mkstemp(path);
+
+	if (fd == -1) {
+		DEBUG(0,("setup_out_fd: Failed to create file %s. (%s)\n",
+			path, strerror(errno) ));
+		TALLOC_FREE(ctx);
+		return -1;
+	}
+
+	DEBUG(10,("setup_out_fd: Created tmp file %s\n", path ));
+
+	/* Ensure file only kept around by open fd. */
+	unlink(path);
+	TALLOC_FREE(ctx);
+	return fd;
+}
+
+/****************************************************************************
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
+****************************************************************************/
+
+static int smbrun_internal(const char *cmd, int *outfd, bool sanitize)
+{
+	pid_t pid;
+	uid_t uid = current_user.ut.uid;
+	gid_t gid = current_user.ut.gid;
+
+	/*
+	 * Lose any elevated privileges.
+	 */
+	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+	/* point our stdout at the file we want output to go into */
+
+	if (outfd && ((*outfd = setup_out_fd()) == -1)) {
+		return -1;
+	}
+
+	/* in this method we will exec /bin/sh with the correct
+	   arguments, after first setting stdout to point at the file */
+
+	/*
+	 * We need to temporarily stop CatchChild from eating
+	 * SIGCLD signals as it also eats the exit status code. JRA.
+	 */
+
+	CatchChildLeaveStatus();
+                                   	
+	if ((pid=sys_fork()) < 0) {
+		DEBUG(0,("smbrun: fork failed with error %s\n", strerror(errno) ));
+		CatchChild(); 
+		if (outfd) {
+			close(*outfd);
+			*outfd = -1;
+		}
+		return errno;
+	}
+
+	if (pid) {
+		/*
+		 * Parent.
+		 */
+		int status=0;
+		pid_t wpid;
+
+		
+		/* the parent just waits for the child to exit */
+		while((wpid = sys_waitpid(pid,&status,0)) < 0) {
+			if(errno == EINTR) {
+				errno = 0;
+				continue;
+			}
+			break;
+		}
+
+		CatchChild(); 
+
+		if (wpid != pid) {
+			DEBUG(2,("waitpid(%d) : %s\n",(int)pid,strerror(errno)));
+			if (outfd) {
+				close(*outfd);
+				*outfd = -1;
+			}
+			return -1;
+		}
+
+		/* Reset the seek pointer. */
+		if (outfd) {
+			sys_lseek(*outfd, 0, SEEK_SET);
+		}
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+		if (WIFEXITED(status)) {
+			return WEXITSTATUS(status);
+		}
+#endif
+
+		return status;
+	}
+	
+	CatchChild(); 
+	
+	/* we are in the child. we exec /bin/sh to do the work for us. we
+	   don't directly exec the command we want because it may be a
+	   pipeline or anything else the config file specifies */
+	
+	/* point our stdout at the file we want output to go into */
+	if (outfd) {
+		close(1);
+		if (sys_dup2(*outfd,1) != 1) {
+			DEBUG(2,("Failed to create stdout file descriptor\n"));
+			close(*outfd);
+			exit(80);
+		}
+	}
+
+	/* now completely lose our privileges. This is a fairly paranoid
+	   way of doing it, but it does work on all systems that I know of */
+
+	become_user_permanently(uid, gid);
+
+	if (getuid() != uid || geteuid() != uid ||
+	    getgid() != gid || getegid() != gid) {
+		/* we failed to lose our privileges - do not execute
+                   the command */
+		exit(81); /* we can't print stuff at this stage,
+			     instead use exit codes for debugging */
+	}
+	
+#ifndef __INSURE__
+	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
+	   2 point to /dev/null from the startup code */
+	{
+	int fd;
+	for (fd=3;fd<256;fd++) close(fd);
+	}
+#endif
+
+	{
+		const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
+		if (!newcmd) {
+			exit(82);
+		}
+		execl("/bin/sh","sh","-c",newcmd,NULL);  
+	}
+	
+	/* not reached */
+	exit(83);
+	return 1;
+}
+
+/****************************************************************************
+ Use only in known safe shell calls (printing).
+****************************************************************************/
+
+int smbrun_no_sanitize(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, False);
+}
+
+/****************************************************************************
+ By default this now sanitizes shell expansion.
+****************************************************************************/
+
+int smbrun(const char *cmd, int *outfd)
+{
+	return smbrun_internal(cmd, outfd, True);
+}
+
+/****************************************************************************
+run a command being careful about uid/gid handling and putting the output in
+outfd (or discard it if outfd is NULL).
+sends the provided secret to the child stdin.
+****************************************************************************/
+
+int smbrunsecret(const char *cmd, const char *secret)
+{
+	pid_t pid;
+	uid_t uid = current_user.ut.uid;
+	gid_t gid = current_user.ut.gid;
+	int ifd[2];
+	
+	/*
+	 * Lose any elevated privileges.
+	 */
+	drop_effective_capability(KERNEL_OPLOCK_CAPABILITY);
+	drop_effective_capability(DMAPI_ACCESS_CAPABILITY);
+
+	/* build up an input pipe */
+	if(pipe(ifd)) {
+		return -1;
+	}
+
+	/* in this method we will exec /bin/sh with the correct
+	   arguments, after first setting stdout to point at the file */
+
+	/*
+	 * We need to temporarily stop CatchChild from eating
+	 * SIGCLD signals as it also eats the exit status code. JRA.
+	 */
+
+	CatchChildLeaveStatus();
+                                   	
+	if ((pid=sys_fork()) < 0) {
+		DEBUG(0, ("smbrunsecret: fork failed with error %s\n", strerror(errno)));
+		CatchChild(); 
+		return errno;
+    	}
+
+	if (pid) {
+		/*
+		 * Parent.
+		 */
+		int status = 0;
+		pid_t wpid;
+		size_t towrite;
+		ssize_t wrote;
+		
+		close(ifd[0]);
+		/* send the secret */
+		towrite = strlen(secret);
+		wrote = write(ifd[1], secret, towrite);
+		if ( wrote != towrite ) {
+		    DEBUG(0,("smbrunsecret: wrote %ld of %lu bytes\n",(long)wrote,(unsigned long)towrite));
+		}
+		fsync(ifd[1]);
+		close(ifd[1]);
+
+		/* the parent just waits for the child to exit */
+		while((wpid = sys_waitpid(pid, &status, 0)) < 0) {
+			if(errno == EINTR) {
+				errno = 0;
+				continue;
+			}
+			break;
+		}
+
+		CatchChild(); 
+
+		if (wpid != pid) {
+			DEBUG(2, ("waitpid(%d) : %s\n", (int)pid, strerror(errno)));
+			return -1;
+		}
+
+#if defined(WIFEXITED) && defined(WEXITSTATUS)
+		if (WIFEXITED(status)) {
+			return WEXITSTATUS(status);
+		}
+#endif
+
+		return status;
+	}
+	
+	CatchChild(); 
+	
+	/* we are in the child. we exec /bin/sh to do the work for us. we
+	   don't directly exec the command we want because it may be a
+	   pipeline or anything else the config file specifies */
+	
+	close(ifd[1]);
+	close(0);
+	if (sys_dup2(ifd[0], 0) != 0) {
+		DEBUG(2,("Failed to create stdin file descriptor\n"));
+		close(ifd[0]);
+		exit(80);
+	}
+
+	/* now completely lose our privileges. This is a fairly paranoid
+	   way of doing it, but it does work on all systems that I know of */
+
+	become_user_permanently(uid, gid);
+
+	if (getuid() != uid || geteuid() != uid ||
+	    getgid() != gid || getegid() != gid) {
+		/* we failed to lose our privileges - do not execute
+                   the command */
+		exit(81); /* we can't print stuff at this stage,
+			     instead use exit codes for debugging */
+	}
+	
+#ifndef __INSURE__
+	/* close all other file descriptors, leaving only 0, 1 and 2. 0 and
+	   2 point to /dev/null from the startup code */
+	{
+		int fd;
+		for (fd = 3; fd < 256; fd++) close(fd);
+	}
+#endif
+
+	execl("/bin/sh", "sh", "-c", cmd, NULL);  
+
+	/* not reached */
+	exit(82);
+	return 1;
+}
diff --git a/source3/lib/sock_exec.c b/source3/lib/sock_exec.c
new file mode 100644
index 0000000000..2333d7c739
--- /dev/null
+++ b/source3/lib/sock_exec.c
@@ -0,0 +1,118 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Tim Potter      2000-2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*******************************************************************
+this is like socketpair but uses tcp. It is used by the Samba
+regression test code
+The function guarantees that nobody else can attach to the socket,
+or if they do that this function fails and the socket gets closed
+returns 0 on success, -1 on failure
+the resulting file descriptors are symmetrical
+ ******************************************************************/
+static int socketpair_tcp(int fd[2])
+{
+	int listener;
+	struct sockaddr_in sock;
+	struct sockaddr_in sock2;
+	socklen_t socklen = sizeof(sock);
+	int connect_done = 0;
+	
+	fd[0] = fd[1] = listener = -1;
+
+	memset(&sock, 0, sizeof(sock));
+	
+	if ((listener = socket(PF_INET, SOCK_STREAM, 0)) == -1) goto failed;
+
+        memset(&sock2, 0, sizeof(sock2));
+#ifdef HAVE_SOCK_SIN_LEN
+        sock2.sin_len = sizeof(sock2);
+#endif
+        sock2.sin_family = PF_INET;
+
+        if (bind(listener, (struct sockaddr *)&sock2, sizeof(sock2)) != 0) goto failed;
+
+	if (listen(listener, 1) != 0) goto failed;
+
+	if (getsockname(listener, (struct sockaddr *)&sock, &socklen) != 0) goto failed;
+
+	if ((fd[1] = socket(PF_INET, SOCK_STREAM, 0)) == -1) goto failed;
+
+	set_blocking(fd[1], 0);
+
+	sock.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	if (sys_connect(fd[1], (struct sockaddr *)&sock) == -1) {
+		if (errno != EINPROGRESS) goto failed;
+	} else {
+		connect_done = 1;
+	}
+
+	if ((fd[0] = accept(listener, (struct sockaddr *)&sock, &socklen)) == -1) goto failed;
+
+	close(listener);
+	if (connect_done == 0) {
+		if (sys_connect(fd[1], (struct sockaddr *)&sock) != 0
+		    && errno != EISCONN) goto failed;
+	}
+
+	set_blocking(fd[1], 1);
+
+	/* all OK! */
+	return 0;
+
+ failed:
+	if (fd[0] != -1) close(fd[0]);
+	if (fd[1] != -1) close(fd[1]);
+	if (listener != -1) close(listener);
+	return -1;
+}
+
+
+/*******************************************************************
+run a program on a local tcp socket, this is used to launch smbd
+when regression testing
+the return value is a socket which is attached to a subprocess
+running "prog". stdin and stdout are attached. stderr is left
+attached to the original stderr
+ ******************************************************************/
+int sock_exec(const char *prog)
+{
+	int fd[2];
+	if (socketpair_tcp(fd) != 0) {
+		DEBUG(0,("socketpair_tcp failed (%s)\n", strerror(errno)));
+		return -1;
+	}
+	if (fork() == 0) {
+		close(fd[0]);
+		close(0);
+		close(1);
+		if (dup(fd[1]) == -1) {
+			exit(1);
+		}
+		if (dup(fd[1]) == -1) {
+			exit(1);
+		}
+		exit(system(prog));
+	}
+	close(fd[1]);
+	return fd[0];
+}
diff --git a/source3/lib/socket_wrapper/config.m4 b/source3/lib/socket_wrapper/config.m4
new file mode 100644
index 0000000000..f3ffb895a9
--- /dev/null
+++ b/source3/lib/socket_wrapper/config.m4
@@ -0,0 +1,22 @@
+AC_ARG_ENABLE(socket-wrapper, 
+[  --enable-socket-wrapper         Turn on socket wrapper library (default=no)])
+
+DEFAULT_TEST_OPTIONS=
+HAVE_SOCKET_WRAPPER=no
+
+if eval "test x$developer = xyes"; then
+	enable_socket_wrapper=yes
+fi
+    
+if eval "test x$enable_socket_wrapper = xyes"; then
+        AC_DEFINE(SOCKET_WRAPPER,1,[Use socket wrapper library])
+	DEFAULT_TEST_OPTIONS=--socket-wrapper
+	HAVE_SOCKET_WRAPPER=yes
+
+	# this is only used for samba3
+	SOCKET_WRAPPER_OBJS="lib/socket_wrapper/socket_wrapper.o"
+fi
+
+AC_SUBST(DEFAULT_TEST_OPTIONS)
+AC_SUBST(HAVE_SOCKET_WRAPPER)
+AC_SUBST(SOCKET_WRAPPER_OBJS)
diff --git a/source3/lib/socket_wrapper/config.mk b/source3/lib/socket_wrapper/config.mk
new file mode 100644
index 0000000000..60cfb3209a
--- /dev/null
+++ b/source3/lib/socket_wrapper/config.mk
@@ -0,0 +1,8 @@
+##############################
+# Start SUBSYSTEM SOCKET_WRAPPER
+[SUBSYSTEM::SOCKET_WRAPPER]
+PRIVATE_DEPENDENCIES = LIBREPLACE_NETWORK
+# End SUBSYSTEM SOCKET_WRAPPER
+##############################
+
+SOCKET_WRAPPER_OBJ_FILES = $(socketwrappersrcdir)/socket_wrapper.o
diff --git a/source3/lib/socket_wrapper/socket_wrapper.c b/source3/lib/socket_wrapper/socket_wrapper.c
new file mode 100644
index 0000000000..33e4b38370
--- /dev/null
+++ b/source3/lib/socket_wrapper/socket_wrapper.c
@@ -0,0 +1,1841 @@
+/*
+ * Copyright (C) Jelmer Vernooij 2005,2008 <jelmer@samba.org>
+ * Copyright (C) Stefan Metzmacher 2006 <metze@samba.org>
+ *
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+/*
+   Socket wrapper library. Passes all socket communication over
+   unix domain sockets if the environment variable SOCKET_WRAPPER_DIR
+   is set.
+*/
+
+#ifdef _SAMBA_BUILD_
+
+#define SOCKET_WRAPPER_NOT_REPLACE
+#include "lib/replace/replace.h"
+#include "system/network.h"
+#include "system/filesys.h"
+#include "system/time.h"
+
+#else /* _SAMBA_BUILD_ */
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/filio.h>
+#include <errno.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#endif
+
+#ifndef _PUBLIC_
+#define _PUBLIC_
+#endif
+
+#define SWRAP_DLIST_ADD(list,item) do { \
+	if (!(list)) { \
+		(item)->prev	= NULL; \
+		(item)->next	= NULL; \
+		(list)		= (item); \
+	} else { \
+		(item)->prev	= NULL; \
+		(item)->next	= (list); \
+		(list)->prev	= (item); \
+		(list)		= (item); \
+	} \
+} while (0)
+
+#define SWRAP_DLIST_REMOVE(list,item) do { \
+	if ((list) == (item)) { \
+		(list)		= (item)->next; \
+		if (list) { \
+			(list)->prev	= NULL; \
+		} \
+	} else { \
+		if ((item)->prev) { \
+			(item)->prev->next	= (item)->next; \
+		} \
+		if ((item)->next) { \
+			(item)->next->prev	= (item)->prev; \
+		} \
+	} \
+	(item)->prev	= NULL; \
+	(item)->next	= NULL; \
+} while (0)
+
+/* LD_PRELOAD doesn't work yet, so REWRITE_CALLS is all we support
+ * for now */
+#define REWRITE_CALLS 
+
+#ifdef REWRITE_CALLS
+#define real_accept accept
+#define real_connect connect
+#define real_bind bind
+#define real_listen listen
+#define real_getpeername getpeername
+#define real_getsockname getsockname
+#define real_getsockopt getsockopt
+#define real_setsockopt setsockopt
+#define real_recvfrom recvfrom
+#define real_sendto sendto
+#define real_ioctl ioctl
+#define real_recv recv
+#define real_send send
+#define real_socket socket
+#define real_close close
+#endif
+
+#ifdef HAVE_GETTIMEOFDAY_TZ
+#define swrapGetTimeOfDay(tval) gettimeofday(tval,NULL)
+#else
+#define swrapGetTimeOfDay(tval)	gettimeofday(tval)
+#endif
+
+/* we need to use a very terse format here as IRIX 6.4 silently
+   truncates names to 16 chars, so if we use a longer name then we
+   can't tell which port a packet came from with recvfrom() 
+   
+   with this format we have 8 chars left for the directory name
+*/
+#define SOCKET_FORMAT "%c%02X%04X"
+#define SOCKET_TYPE_CHAR_TCP		'T'
+#define SOCKET_TYPE_CHAR_UDP		'U'
+#define SOCKET_TYPE_CHAR_TCP_V6		'X'
+#define SOCKET_TYPE_CHAR_UDP_V6		'Y'
+
+#define MAX_WRAPPED_INTERFACES 16
+
+#define SW_IPV6_ADDRESS 1
+
+static struct sockaddr *sockaddr_dup(const void *data, socklen_t len)
+{
+	struct sockaddr *ret = (struct sockaddr *)malloc(len);
+	memcpy(ret, data, len);
+	return ret;
+}
+
+static void set_port(int family, int prt, struct sockaddr *addr)
+{
+	switch (family) {
+	case AF_INET:
+		((struct sockaddr_in *)addr)->sin_port = htons(prt);
+		break;
+#ifdef HAVE_IPV6
+	case AF_INET6:
+		((struct sockaddr_in6 *)addr)->sin6_port = htons(prt);
+		break;
+#endif
+	}
+}
+
+static size_t socket_length(int family)
+{
+	switch (family) {
+	case AF_INET:
+		return sizeof(struct sockaddr_in);
+#ifdef HAVE_IPV6
+	case AF_INET6:
+		return sizeof(struct sockaddr_in6);
+#endif
+	}
+	return 0;
+}
+
+
+
+struct socket_info
+{
+	int fd;
+
+	int family;
+	int type;
+	int protocol;
+	int bound;
+	int bcast;
+	int is_server;
+
+	char *path;
+	char *tmp_path;
+
+	struct sockaddr *myname;
+	socklen_t myname_len;
+
+	struct sockaddr *peername;
+	socklen_t peername_len;
+
+	struct {
+		unsigned long pck_snd;
+		unsigned long pck_rcv;
+	} io;
+
+	struct socket_info *prev, *next;
+};
+
+static struct socket_info *sockets;
+
+const char *socket_wrapper_dir(void)
+{
+	const char *s = getenv("SOCKET_WRAPPER_DIR");
+	if (s == NULL) {
+		return NULL;
+	}
+	if (strncmp(s, "./", 2) == 0) {
+		s += 2;
+	}
+	return s;
+}
+
+unsigned int socket_wrapper_default_iface(void)
+{
+	const char *s = getenv("SOCKET_WRAPPER_DEFAULT_IFACE");
+	if (s) {
+		unsigned int iface;
+		if (sscanf(s, "%u", &iface) == 1) {
+			if (iface >= 1 && iface <= MAX_WRAPPED_INTERFACES) {
+				return iface;
+			}
+		}
+	}
+
+	return 1;/* 127.0.0.1 */
+}
+
+static int convert_un_in(const struct sockaddr_un *un, struct sockaddr *in, socklen_t *len)
+{
+	unsigned int iface;
+	unsigned int prt;
+	const char *p;
+	char type;
+
+	p = strrchr(un->sun_path, '/');
+	if (p) p++; else p = un->sun_path;
+
+	if (sscanf(p, SOCKET_FORMAT, &type, &iface, &prt) != 3) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (iface == 0 || iface > MAX_WRAPPED_INTERFACES) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (prt > 0xFFFF) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	switch(type) {
+	case SOCKET_TYPE_CHAR_TCP:
+	case SOCKET_TYPE_CHAR_UDP: {
+		struct sockaddr_in *in2 = (struct sockaddr_in *)in;
+		
+		if ((*len) < sizeof(*in2)) {
+		    errno = EINVAL;
+		    return -1;
+		}
+
+		memset(in2, 0, sizeof(*in2));
+		in2->sin_family = AF_INET;
+		in2->sin_addr.s_addr = htonl((127<<24) | iface);
+		in2->sin_port = htons(prt);
+
+		*len = sizeof(*in2);
+		break;
+	}
+#ifdef HAVE_IPV6
+	case SOCKET_TYPE_CHAR_TCP_V6:
+	case SOCKET_TYPE_CHAR_UDP_V6: {
+		struct sockaddr_in6 *in2 = (struct sockaddr_in6 *)in;
+		
+		if ((*len) < sizeof(*in2)) {
+			errno = EINVAL;
+			return -1;
+		}
+
+		memset(in2, 0, sizeof(*in2));
+		in2->sin6_family = AF_INET6;
+		in2->sin6_addr.s6_addr[0] = SW_IPV6_ADDRESS;
+		in2->sin6_port = htons(prt);
+
+		*len = sizeof(*in2);
+		break;
+	}
+#endif
+	default:
+		errno = EINVAL;
+		return -1;
+	}
+
+	return 0;
+}
+
+static int convert_in_un_remote(struct socket_info *si, const struct sockaddr *inaddr, struct sockaddr_un *un,
+				int *bcast)
+{
+	char type = '\0';
+	unsigned int prt;
+	unsigned int iface;
+	int is_bcast = 0;
+
+	if (bcast) *bcast = 0;
+
+	switch (si->family) {
+	case AF_INET: {
+		const struct sockaddr_in *in = 
+		    (const struct sockaddr_in *)inaddr;
+		unsigned int addr = ntohl(in->sin_addr.s_addr);
+		char u_type = '\0';
+		char b_type = '\0';
+		char a_type = '\0';
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			u_type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+			u_type = SOCKET_TYPE_CHAR_UDP;
+			a_type = SOCKET_TYPE_CHAR_UDP;
+			b_type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		}
+
+		prt = ntohs(in->sin_port);
+		if (a_type && addr == 0xFFFFFFFF) {
+			/* 255.255.255.255 only udp */
+			is_bcast = 2;
+			type = a_type;
+			iface = socket_wrapper_default_iface();
+		} else if (b_type && addr == 0x7FFFFFFF) {
+			/* 127.255.255.255 only udp */
+			is_bcast = 1;
+			type = b_type;
+			iface = socket_wrapper_default_iface();
+		} else if ((addr & 0xFFFFFF00) == 0x7F000000) {
+			/* 127.0.0.X */
+			is_bcast = 0;
+			type = u_type;
+			iface = (addr & 0x000000FF);
+		} else {
+			errno = ENETUNREACH;
+			return -1;
+		}
+		if (bcast) *bcast = is_bcast;
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		const struct sockaddr_in6 *in = 
+		    (const struct sockaddr_in6 *)inaddr;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+			type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		}
+
+		/* XXX no multicast/broadcast */
+
+		prt = ntohs(in->sin6_port);
+		iface = SW_IPV6_ADDRESS;
+		
+		break;
+	}
+#endif
+	default:
+		errno = ENETUNREACH;
+		return -1;
+	}
+
+	if (prt == 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (is_bcast) {
+		snprintf(un->sun_path, sizeof(un->sun_path), "%s/EINVAL", 
+			 socket_wrapper_dir());
+		/* the caller need to do more processing */
+		return 0;
+	}
+
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+		 socket_wrapper_dir(), type, iface, prt);
+
+	return 0;
+}
+
+static int convert_in_un_alloc(struct socket_info *si, const struct sockaddr *inaddr, struct sockaddr_un *un,
+			       int *bcast)
+{
+	char type = '\0';
+	unsigned int prt;
+	unsigned int iface;
+	struct stat st;
+	int is_bcast = 0;
+
+	if (bcast) *bcast = 0;
+
+	switch (si->family) {
+	case AF_INET: {
+		const struct sockaddr_in *in = 
+		    (const struct sockaddr_in *)inaddr;
+		unsigned int addr = ntohl(in->sin_addr.s_addr);
+		char u_type = '\0';
+		char d_type = '\0';
+		char b_type = '\0';
+		char a_type = '\0';
+
+		prt = ntohs(in->sin_port);
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			u_type = SOCKET_TYPE_CHAR_TCP;
+			d_type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+			u_type = SOCKET_TYPE_CHAR_UDP;
+			d_type = SOCKET_TYPE_CHAR_UDP;
+			a_type = SOCKET_TYPE_CHAR_UDP;
+			b_type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		}
+
+		if (addr == 0) {
+			/* 0.0.0.0 */
+		 	is_bcast = 0;
+			type = d_type;
+			iface = socket_wrapper_default_iface();
+		} else if (a_type && addr == 0xFFFFFFFF) {
+			/* 255.255.255.255 only udp */
+			is_bcast = 2;
+			type = a_type;
+			iface = socket_wrapper_default_iface();
+		} else if (b_type && addr == 0x7FFFFFFF) {
+			/* 127.255.255.255 only udp */
+			is_bcast = 1;
+			type = b_type;
+			iface = socket_wrapper_default_iface();
+		} else if ((addr & 0xFFFFFF00) == 0x7F000000) {
+			/* 127.0.0.X */
+			is_bcast = 0;
+			type = u_type;
+			iface = (addr & 0x000000FF);
+		} else {
+			errno = EADDRNOTAVAIL;
+			return -1;
+		}
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		const struct sockaddr_in6 *in = 
+		    (const struct sockaddr_in6 *)inaddr;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+			type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		}
+
+		/* XXX no multicast/broadcast */
+
+		prt = ntohs(in->sin6_port);
+		iface = SW_IPV6_ADDRESS;
+		
+		break;
+	}
+#endif
+	default:
+		errno = ENETUNREACH;
+		return -1;
+	}
+
+
+	if (bcast) *bcast = is_bcast;
+
+	if (prt == 0) {
+		/* handle auto-allocation of ephemeral ports */
+		for (prt = 5001; prt < 10000; prt++) {
+			snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+				 socket_wrapper_dir(), type, iface, prt);
+			if (stat(un->sun_path, &st) == 0) continue;
+
+			set_port(si->family, prt, si->myname);
+			break;
+		}
+		if (prt == 10000) {
+			errno = ENFILE;
+			return -1;
+		}
+	}
+
+	snprintf(un->sun_path, sizeof(un->sun_path), "%s/"SOCKET_FORMAT, 
+		 socket_wrapper_dir(), type, iface, prt);
+	return 0;
+}
+
+static struct socket_info *find_socket_info(int fd)
+{
+	struct socket_info *i;
+	for (i = sockets; i; i = i->next) {
+		if (i->fd == fd) 
+			return i;
+	}
+
+	return NULL;
+}
+
+static int sockaddr_convert_to_un(struct socket_info *si, const struct sockaddr *in_addr, socklen_t in_len, 
+				  struct sockaddr_un *out_addr, int alloc_sock, int *bcast)
+{
+	if (!out_addr)
+		return 0;
+
+	out_addr->sun_family = AF_UNIX;
+
+	switch (in_addr->sa_family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		switch (si->type) {
+		case SOCK_STREAM:
+		case SOCK_DGRAM:
+			break;
+		default:
+			errno = ESOCKTNOSUPPORT;
+			return -1;
+		}
+		if (alloc_sock) {
+			return convert_in_un_alloc(si, in_addr, out_addr, bcast);
+		} else {
+			return convert_in_un_remote(si, in_addr, out_addr, bcast);
+		}
+	default:
+		break;
+	}
+	
+	errno = EAFNOSUPPORT;
+	return -1;
+}
+
+static int sockaddr_convert_from_un(const struct socket_info *si, 
+				    const struct sockaddr_un *in_addr, 
+				    socklen_t un_addrlen,
+				    int family,
+				    struct sockaddr *out_addr,
+				    socklen_t *out_addrlen)
+{
+	if (out_addr == NULL || out_addrlen == NULL) 
+		return 0;
+
+	if (un_addrlen == 0) {
+		*out_addrlen = 0;
+		return 0;
+	}
+
+	switch (family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		switch (si->type) {
+		case SOCK_STREAM:
+		case SOCK_DGRAM:
+			break;
+		default:
+			errno = ESOCKTNOSUPPORT;
+			return -1;
+		}
+		return convert_un_in(in_addr, out_addr, out_addrlen);
+	default:
+		break;
+	}
+
+	errno = EAFNOSUPPORT;
+	return -1;
+}
+
+enum swrap_packet_type {
+	SWRAP_CONNECT_SEND,
+	SWRAP_CONNECT_UNREACH,
+	SWRAP_CONNECT_RECV,
+	SWRAP_CONNECT_ACK,
+	SWRAP_ACCEPT_SEND,
+	SWRAP_ACCEPT_RECV,
+	SWRAP_ACCEPT_ACK,
+	SWRAP_RECVFROM,
+	SWRAP_SENDTO,
+	SWRAP_SENDTO_UNREACH,
+	SWRAP_PENDING_RST,
+	SWRAP_RECV,
+	SWRAP_RECV_RST,
+	SWRAP_SEND,
+	SWRAP_SEND_RST,
+	SWRAP_CLOSE_SEND,
+	SWRAP_CLOSE_RECV,
+	SWRAP_CLOSE_ACK
+};
+
+struct swrap_file_hdr {
+	uint32_t	magic;
+	uint16_t	version_major;
+	uint16_t	version_minor;
+	int32_t		timezone;
+	uint32_t	sigfigs;
+	uint32_t	frame_max_len;
+#define SWRAP_FRAME_LENGTH_MAX 0xFFFF
+	uint32_t	link_type;
+};
+#define SWRAP_FILE_HDR_SIZE 24
+
+struct swrap_packet {
+	struct {
+		uint32_t seconds;
+		uint32_t micro_seconds;
+		uint32_t recorded_length;
+		uint32_t full_length;
+	} frame;
+#define SWRAP_PACKET__FRAME_SIZE 16
+
+	struct {
+		struct {
+			uint8_t		ver_hdrlen;
+			uint8_t		tos;
+			uint16_t	packet_length;
+			uint16_t	identification;
+			uint8_t		flags;
+			uint8_t		fragment;
+			uint8_t		ttl;
+			uint8_t		protocol;
+			uint16_t	hdr_checksum;
+			uint32_t	src_addr;
+			uint32_t	dest_addr;
+		} hdr;
+#define SWRAP_PACKET__IP_HDR_SIZE 20
+
+		union {
+			struct {
+				uint16_t	source_port;
+				uint16_t	dest_port;
+				uint32_t	seq_num;
+				uint32_t	ack_num;
+				uint8_t		hdr_length;
+				uint8_t		control;
+				uint16_t	window;
+				uint16_t	checksum;
+				uint16_t	urg;
+			} tcp;
+#define SWRAP_PACKET__IP_P_TCP_SIZE 20
+			struct {
+				uint16_t	source_port;
+				uint16_t	dest_port;
+				uint16_t	length;
+				uint16_t	checksum;
+			} udp;
+#define SWRAP_PACKET__IP_P_UDP_SIZE 8
+			struct {
+				uint8_t		type;
+				uint8_t		code;
+				uint16_t	checksum;
+				uint32_t	unused;
+			} icmp;
+#define SWRAP_PACKET__IP_P_ICMP_SIZE 8
+		} p;
+	} ip;
+};
+#define SWRAP_PACKET_SIZE 56
+
+static const char *socket_wrapper_pcap_file(void)
+{
+	static int initialized = 0;
+	static const char *s = NULL;
+	static const struct swrap_file_hdr h = { 0, };
+	static const struct swrap_packet p = { { 0, }, { { 0, }, { { 0, } } } };
+
+	if (initialized == 1) {
+		return s;
+	}
+	initialized = 1;
+
+	/*
+	 * TODO: don't use the structs use plain buffer offsets
+	 *       and PUSH_U8(), PUSH_U16() and PUSH_U32()
+	 * 
+	 * for now make sure we disable PCAP support
+	 * if the struct has alignment!
+	 */
+	if (sizeof(h) != SWRAP_FILE_HDR_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p) != SWRAP_PACKET_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.frame) != SWRAP_PACKET__FRAME_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.hdr) != SWRAP_PACKET__IP_HDR_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.tcp) != SWRAP_PACKET__IP_P_TCP_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.udp) != SWRAP_PACKET__IP_P_UDP_SIZE) {
+		return NULL;
+	}
+	if (sizeof(p.ip.p.icmp) != SWRAP_PACKET__IP_P_ICMP_SIZE) {
+		return NULL;
+	}
+
+	s = getenv("SOCKET_WRAPPER_PCAP_FILE");
+	if (s == NULL) {
+		return NULL;
+	}
+	if (strncmp(s, "./", 2) == 0) {
+		s += 2;
+	}
+	return s;
+}
+
+static struct swrap_packet *swrap_packet_init(struct timeval *tval,
+					      const struct sockaddr_in *src_addr,
+					      const struct sockaddr_in *dest_addr,
+					      int socket_type,
+					      const unsigned char *payload,
+					      size_t payload_len,
+					      unsigned long tcp_seqno,
+					      unsigned long tcp_ack,
+					      unsigned char tcp_ctl,
+					      int unreachable,
+					      size_t *_packet_len)
+{
+	struct swrap_packet *ret;
+	struct swrap_packet *packet;
+	size_t packet_len;
+	size_t alloc_len;
+	size_t nonwire_len = sizeof(packet->frame);
+	size_t wire_hdr_len = 0;
+	size_t wire_len = 0;
+	size_t icmp_hdr_len = 0;
+	size_t icmp_truncate_len = 0;
+	unsigned char protocol = 0, icmp_protocol = 0;
+	unsigned short src_port = src_addr->sin_port;
+	unsigned short dest_port = dest_addr->sin_port;
+
+	switch (socket_type) {
+	case SOCK_STREAM:
+		protocol = 0x06; /* TCP */
+		wire_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.tcp);
+		wire_len = wire_hdr_len + payload_len;
+		break;
+
+	case SOCK_DGRAM:
+		protocol = 0x11; /* UDP */
+		wire_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.udp);
+		wire_len = wire_hdr_len + payload_len;
+		break;
+
+	default:
+		return NULL;
+	}
+
+	if (unreachable) {
+		icmp_protocol = protocol;
+		protocol = 0x01; /* ICMP */
+		if (wire_len > 64 ) {
+			icmp_truncate_len = wire_len - 64;
+		}
+		icmp_hdr_len = sizeof(packet->ip.hdr) + sizeof(packet->ip.p.icmp);
+		wire_hdr_len += icmp_hdr_len;
+		wire_len += icmp_hdr_len;
+	}
+
+	packet_len = nonwire_len + wire_len;
+	alloc_len = packet_len;
+	if (alloc_len < sizeof(struct swrap_packet)) {
+		alloc_len = sizeof(struct swrap_packet);
+	}
+	ret = (struct swrap_packet *)malloc(alloc_len);
+	if (!ret) return NULL;
+
+	packet = ret;
+
+	packet->frame.seconds		= tval->tv_sec;
+	packet->frame.micro_seconds	= tval->tv_usec;
+	packet->frame.recorded_length	= wire_len - icmp_truncate_len;
+	packet->frame.full_length	= wire_len - icmp_truncate_len;
+
+	packet->ip.hdr.ver_hdrlen	= 0x45; /* version 4 and 5 * 32 bit words */
+	packet->ip.hdr.tos		= 0x00;
+	packet->ip.hdr.packet_length	= htons(wire_len - icmp_truncate_len);
+	packet->ip.hdr.identification	= htons(0xFFFF);
+	packet->ip.hdr.flags		= 0x40; /* BIT 1 set - means don't fraqment */
+	packet->ip.hdr.fragment		= htons(0x0000);
+	packet->ip.hdr.ttl		= 0xFF;
+	packet->ip.hdr.protocol		= protocol;
+	packet->ip.hdr.hdr_checksum	= htons(0x0000);
+	packet->ip.hdr.src_addr		= src_addr->sin_addr.s_addr;
+	packet->ip.hdr.dest_addr	= dest_addr->sin_addr.s_addr;
+
+	if (unreachable) {
+		packet->ip.p.icmp.type		= 0x03; /* destination unreachable */
+		packet->ip.p.icmp.code		= 0x01; /* host unreachable */
+		packet->ip.p.icmp.checksum	= htons(0x0000);
+		packet->ip.p.icmp.unused	= htonl(0x00000000);
+
+		/* set the ip header in the ICMP payload */
+		packet = (struct swrap_packet *)(((unsigned char *)ret) + icmp_hdr_len);
+		packet->ip.hdr.ver_hdrlen	= 0x45; /* version 4 and 5 * 32 bit words */
+		packet->ip.hdr.tos		= 0x00;
+		packet->ip.hdr.packet_length	= htons(wire_len - icmp_hdr_len);
+		packet->ip.hdr.identification	= htons(0xFFFF);
+		packet->ip.hdr.flags		= 0x40; /* BIT 1 set - means don't fraqment */
+		packet->ip.hdr.fragment		= htons(0x0000);
+		packet->ip.hdr.ttl		= 0xFF;
+		packet->ip.hdr.protocol		= icmp_protocol;
+		packet->ip.hdr.hdr_checksum	= htons(0x0000);
+		packet->ip.hdr.src_addr		= dest_addr->sin_addr.s_addr;
+		packet->ip.hdr.dest_addr	= src_addr->sin_addr.s_addr;
+
+		src_port = dest_addr->sin_port;
+		dest_port = src_addr->sin_port;
+	}
+
+	switch (socket_type) {
+	case SOCK_STREAM:
+		packet->ip.p.tcp.source_port	= src_port;
+		packet->ip.p.tcp.dest_port	= dest_port;
+		packet->ip.p.tcp.seq_num	= htonl(tcp_seqno);
+		packet->ip.p.tcp.ack_num	= htonl(tcp_ack);
+		packet->ip.p.tcp.hdr_length	= 0x50; /* 5 * 32 bit words */
+		packet->ip.p.tcp.control	= tcp_ctl;
+		packet->ip.p.tcp.window		= htons(0x7FFF);
+		packet->ip.p.tcp.checksum	= htons(0x0000);
+		packet->ip.p.tcp.urg		= htons(0x0000);
+
+		break;
+
+	case SOCK_DGRAM:
+		packet->ip.p.udp.source_port	= src_addr->sin_port;
+		packet->ip.p.udp.dest_port	= dest_addr->sin_port;
+		packet->ip.p.udp.length		= htons(8 + payload_len);
+		packet->ip.p.udp.checksum	= htons(0x0000);
+
+		break;
+	}
+
+	if (payload && payload_len > 0) {
+		unsigned char *p = (unsigned char *)ret;
+		p += nonwire_len;
+		p += wire_hdr_len;
+		memcpy(p, payload, payload_len);
+	}
+
+	*_packet_len = packet_len - icmp_truncate_len;
+	return ret;
+}
+
+static int swrap_get_pcap_fd(const char *fname)
+{
+	static int fd = -1;
+
+	if (fd != -1) return fd;
+
+	fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_APPEND, 0644);
+	if (fd != -1) {
+		struct swrap_file_hdr file_hdr;
+		file_hdr.magic		= 0xA1B2C3D4;
+		file_hdr.version_major	= 0x0002;	
+		file_hdr.version_minor	= 0x0004;
+		file_hdr.timezone	= 0x00000000;
+		file_hdr.sigfigs	= 0x00000000;
+		file_hdr.frame_max_len	= SWRAP_FRAME_LENGTH_MAX;
+		file_hdr.link_type	= 0x0065; /* 101 RAW IP */
+
+		write(fd, &file_hdr, sizeof(file_hdr));
+		return fd;
+	}
+
+	fd = open(fname, O_WRONLY|O_APPEND, 0644);
+
+	return fd;
+}
+
+static struct swrap_packet *swrap_marshall_packet(struct socket_info *si,
+								  const struct sockaddr *addr,
+								  enum swrap_packet_type type,
+								  const void *buf, size_t len,
+								  size_t *packet_len)
+{
+	const struct sockaddr_in *src_addr;
+	const struct sockaddr_in *dest_addr;
+	unsigned long tcp_seqno = 0;
+	unsigned long tcp_ack = 0;
+	unsigned char tcp_ctl = 0;
+	int unreachable = 0;
+
+	struct timeval tv;
+
+	switch (si->family) {
+	case AF_INET:
+		break;
+	default:
+		return NULL;
+	}
+
+	switch (type) {
+	case SWRAP_CONNECT_SEND:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x02; /* SYN */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_CONNECT_RECV:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x12; /** SYN,ACK */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_CONNECT_UNREACH:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		/* Unreachable: resend the data of SWRAP_CONNECT_SEND */
+		tcp_seqno = si->io.pck_snd - 1;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x02; /* SYN */
+		unreachable = 1;
+
+		break;
+
+	case SWRAP_CONNECT_ACK:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+
+	case SWRAP_ACCEPT_SEND:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x02; /* SYN */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_ACCEPT_RECV:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x12; /* SYN,ACK */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_ACCEPT_ACK:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+
+	case SWRAP_SEND:
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x18; /* PSH,ACK */
+
+		si->io.pck_snd += len;
+
+		break;
+
+	case SWRAP_SEND_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			return swrap_marshall_packet(si, si->peername,
+					  SWRAP_SENDTO_UNREACH,
+			      		  buf, len, packet_len);
+		}
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /** RST,ACK */
+
+		break;
+
+	case SWRAP_PENDING_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			return NULL;
+		}
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /* RST,ACK */
+
+		break;
+
+	case SWRAP_RECV:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x18; /* PSH,ACK */
+
+		si->io.pck_rcv += len;
+
+		break;
+
+	case SWRAP_RECV_RST:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		if (si->type == SOCK_DGRAM) {
+			return NULL;
+		}
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x14; /* RST,ACK */
+
+		break;
+
+	case SWRAP_SENDTO:
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)addr;
+
+		si->io.pck_snd += len;
+
+		break;
+
+	case SWRAP_SENDTO_UNREACH:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		unreachable = 1;
+
+		break;
+
+	case SWRAP_RECVFROM:
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)addr;
+
+		si->io.pck_rcv += len;
+
+		break;
+
+	case SWRAP_CLOSE_SEND:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x11; /* FIN, ACK */
+
+		si->io.pck_snd += 1;
+
+		break;
+
+	case SWRAP_CLOSE_RECV:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		dest_addr = (const struct sockaddr_in *)si->myname;
+		src_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seqno = si->io.pck_rcv;
+		tcp_ack = si->io.pck_snd;
+		tcp_ctl = 0x11; /* FIN,ACK */
+
+		si->io.pck_rcv += 1;
+
+		break;
+
+	case SWRAP_CLOSE_ACK:
+		if (si->type != SOCK_STREAM) return NULL;
+
+		src_addr = (const struct sockaddr_in *)si->myname;
+		dest_addr = (const struct sockaddr_in *)si->peername;
+
+		tcp_seqno = si->io.pck_snd;
+		tcp_ack = si->io.pck_rcv;
+		tcp_ctl = 0x10; /* ACK */
+
+		break;
+	default:
+		return NULL;
+	}
+
+	swrapGetTimeOfDay(&tv);
+
+	return swrap_packet_init(&tv, src_addr, dest_addr, si->type,
+				   (const unsigned char *)buf, len,
+				   tcp_seqno, tcp_ack, tcp_ctl, unreachable,
+				   packet_len);
+}
+
+static void swrap_dump_packet(struct socket_info *si, 
+							  const struct sockaddr *addr,
+							  enum swrap_packet_type type,
+							  const void *buf, size_t len)
+{
+	const char *file_name;
+	struct swrap_packet *packet;
+	size_t packet_len = 0;
+	int fd;
+
+	file_name = socket_wrapper_pcap_file();
+	if (!file_name) {
+		return;
+	}
+
+	packet = swrap_marshall_packet(si, addr, type, buf, len, &packet_len);
+	if (!packet) {
+		return;
+	}
+
+	fd = swrap_get_pcap_fd(file_name);
+	if (fd != -1) {
+		write(fd, packet, packet_len);
+	}
+
+	free(packet);
+}
+
+_PUBLIC_ int swrap_socket(int family, int type, int protocol)
+{
+	struct socket_info *si;
+	int fd;
+
+	if (!socket_wrapper_dir()) {
+		return real_socket(family, type, protocol);
+	}
+
+	switch (family) {
+	case AF_INET:
+#ifdef HAVE_IPV6
+	case AF_INET6:
+#endif
+		break;
+	case AF_UNIX:
+		return real_socket(family, type, protocol);
+	default:
+		errno = EAFNOSUPPORT;
+		return -1;
+	}
+
+	switch (type) {
+	case SOCK_STREAM:
+		break;
+	case SOCK_DGRAM:
+		break;
+	default:
+		errno = EPROTONOSUPPORT;
+		return -1;
+	}
+
+	switch (protocol) {
+	case 0:
+		break;
+	case 6:
+		if (type == SOCK_STREAM) {
+			break;
+		}
+		/*fall through*/
+	case 17:
+		if (type == SOCK_DGRAM) {
+			break;
+		}
+		/*fall through*/
+	default:
+		errno = EPROTONOSUPPORT;
+		return -1;
+	}
+
+	fd = real_socket(AF_UNIX, type, 0);
+
+	if (fd == -1) return -1;
+
+	si = (struct socket_info *)calloc(1, sizeof(struct socket_info));
+
+	si->family = family;
+	si->type = type;
+	si->protocol = protocol;
+	si->fd = fd;
+
+	SWRAP_DLIST_ADD(sockets, si);
+
+	return si->fd;
+}
+
+_PUBLIC_ int swrap_accept(int s, struct sockaddr *addr, socklen_t *addrlen)
+{
+	struct socket_info *parent_si, *child_si;
+	int fd;
+	struct sockaddr_un un_addr;
+	socklen_t un_addrlen = sizeof(un_addr);
+	struct sockaddr_un un_my_addr;
+	socklen_t un_my_addrlen = sizeof(un_my_addr);
+	struct sockaddr *my_addr;
+	socklen_t my_addrlen, len;
+	int ret;
+
+	parent_si = find_socket_info(s);
+	if (!parent_si) {
+		return real_accept(s, addr, addrlen);
+	}
+
+	/* 
+	 * assume out sockaddr have the same size as the in parent
+	 * socket family
+	 */
+	my_addrlen = socket_length(parent_si->family);
+	if (my_addrlen <= 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	my_addr = (struct sockaddr *)malloc(my_addrlen);
+	if (my_addr == NULL) {
+		return -1;
+	}
+
+	memset(&un_addr, 0, sizeof(un_addr));
+	memset(&un_my_addr, 0, sizeof(un_my_addr));
+
+	ret = real_accept(s, (struct sockaddr *)&un_addr, &un_addrlen);
+	if (ret == -1) {
+		free(my_addr);
+		return ret;
+	}
+
+	fd = ret;
+
+	len = my_addrlen;
+	ret = sockaddr_convert_from_un(parent_si, &un_addr, un_addrlen,
+				       parent_si->family, my_addr, &len);
+	if (ret == -1) {
+		free(my_addr);
+		close(fd);
+		return ret;
+	}
+
+	child_si = (struct socket_info *)malloc(sizeof(struct socket_info));
+	memset(child_si, 0, sizeof(*child_si));
+
+	child_si->fd = fd;
+	child_si->family = parent_si->family;
+	child_si->type = parent_si->type;
+	child_si->protocol = parent_si->protocol;
+	child_si->bound = 1;
+	child_si->is_server = 1;
+
+	child_si->peername_len = len;
+	child_si->peername = sockaddr_dup(my_addr, len);
+
+	if (addr != NULL && addrlen != NULL) {
+	    *addrlen = len;
+	    if (*addrlen >= len)
+		memcpy(addr, my_addr, len);
+	    *addrlen = 0;
+	}
+
+	ret = real_getsockname(fd, (struct sockaddr *)&un_my_addr, &un_my_addrlen);
+	if (ret == -1) {
+		free(child_si);
+		close(fd);
+		return ret;
+	}
+
+	len = my_addrlen;
+	ret = sockaddr_convert_from_un(child_si, &un_my_addr, un_my_addrlen,
+				       child_si->family, my_addr, &len);
+	if (ret == -1) {
+		free(child_si);
+		free(my_addr);
+		close(fd);
+		return ret;
+	}
+
+	child_si->myname_len = len;
+	child_si->myname = sockaddr_dup(my_addr, len);
+	free(my_addr);
+
+	SWRAP_DLIST_ADD(sockets, child_si);
+
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_SEND, NULL, 0);
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_RECV, NULL, 0);
+	swrap_dump_packet(child_si, addr, SWRAP_ACCEPT_ACK, NULL, 0);
+
+	return fd;
+}
+
+static int autobind_start_init;
+static int autobind_start;
+
+/* using sendto() or connect() on an unbound socket would give the
+   recipient no way to reply, as unlike UDP and TCP, a unix domain
+   socket can't auto-assign emphemeral port numbers, so we need to
+   assign it here */
+static int swrap_auto_bind(struct socket_info *si)
+{
+	struct sockaddr_un un_addr;
+	int i;
+	char type;
+	int ret;
+	int port;
+	struct stat st;
+
+	if (autobind_start_init != 1) {
+		autobind_start_init = 1;
+		autobind_start = getpid();
+		autobind_start %= 50000;
+		autobind_start += 10000;
+	}
+
+	un_addr.sun_family = AF_UNIX;
+
+	switch (si->family) {
+	case AF_INET: {
+		struct sockaddr_in in;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP;
+			break;
+		case SOCK_DGRAM:
+		    	type = SOCKET_TYPE_CHAR_UDP;
+			break;
+		default:
+		    errno = ESOCKTNOSUPPORT;
+		    return -1;
+		}
+
+		memset(&in, 0, sizeof(in));
+		in.sin_family = AF_INET;
+		in.sin_addr.s_addr = htonl(127<<24 | 
+					   socket_wrapper_default_iface());
+
+		si->myname_len = sizeof(in);
+		si->myname = sockaddr_dup(&in, si->myname_len);
+		break;
+	}
+#ifdef HAVE_IPV6
+	case AF_INET6: {
+		struct sockaddr_in6 in6;
+
+		switch (si->type) {
+		case SOCK_STREAM:
+			type = SOCKET_TYPE_CHAR_TCP_V6;
+			break;
+		case SOCK_DGRAM:
+		    	type = SOCKET_TYPE_CHAR_UDP_V6;
+			break;
+		default:
+		    errno = ESOCKTNOSUPPORT;
+		    return -1;
+		}
+
+		memset(&in6, 0, sizeof(in6));
+		in6.sin6_family = AF_INET6;
+		in6.sin6_addr.s6_addr[0] = SW_IPV6_ADDRESS;
+		si->myname_len = sizeof(in6);
+		si->myname = sockaddr_dup(&in6, si->myname_len);
+		break;
+	}
+#endif
+	default:
+		errno = ESOCKTNOSUPPORT;
+		return -1;
+	}
+
+	if (autobind_start > 60000) {
+		autobind_start = 10000;
+	}
+
+	for (i=0;i<1000;i++) {
+		port = autobind_start + i;
+		snprintf(un_addr.sun_path, sizeof(un_addr.sun_path), 
+			 "%s/"SOCKET_FORMAT, socket_wrapper_dir(),
+			 type, socket_wrapper_default_iface(), port);
+		if (stat(un_addr.sun_path, &st) == 0) continue;
+		
+		ret = real_bind(si->fd, (struct sockaddr *)&un_addr, sizeof(un_addr));
+		if (ret == -1) return ret;
+
+		si->tmp_path = strdup(un_addr.sun_path);
+		si->bound = 1;
+		autobind_start = port + 1;
+		break;
+	}
+	if (i == 1000) {
+		errno = ENFILE;
+		return -1;
+	}
+
+	set_port(si->family, port, si->myname);
+
+	return 0;
+}
+
+
+_PUBLIC_ int swrap_connect(int s, const struct sockaddr *serv_addr, socklen_t addrlen)
+{
+	int ret;
+	struct sockaddr_un un_addr;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_connect(s, serv_addr, addrlen);
+	}
+
+	if (si->bound == 0) {
+		ret = swrap_auto_bind(si);
+		if (ret == -1) return -1;
+	}
+
+	if (si->family != serv_addr->sa_family) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	ret = sockaddr_convert_to_un(si, (const struct sockaddr *)serv_addr, addrlen, &un_addr, 0, NULL);
+	if (ret == -1) return -1;
+
+	swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_SEND, NULL, 0);
+
+	ret = real_connect(s, (struct sockaddr *)&un_addr, 
+			   sizeof(struct sockaddr_un));
+
+	/* to give better errors */
+	if (ret == -1 && errno == ENOENT) {
+		errno = EHOSTUNREACH;
+	}
+
+	if (ret == 0) {
+		si->peername_len = addrlen;
+		si->peername = sockaddr_dup(serv_addr, addrlen);
+
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_RECV, NULL, 0);
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_ACK, NULL, 0);
+	} else {
+		swrap_dump_packet(si, serv_addr, SWRAP_CONNECT_UNREACH, NULL, 0);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_bind(int s, const struct sockaddr *myaddr, socklen_t addrlen)
+{
+	int ret;
+	struct sockaddr_un un_addr;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_bind(s, myaddr, addrlen);
+	}
+
+	si->myname_len = addrlen;
+	si->myname = sockaddr_dup(myaddr, addrlen);
+
+	ret = sockaddr_convert_to_un(si, (const struct sockaddr *)myaddr, addrlen, &un_addr, 1, &si->bcast);
+	if (ret == -1) return -1;
+
+	unlink(un_addr.sun_path);
+
+	ret = real_bind(s, (struct sockaddr *)&un_addr,
+			sizeof(struct sockaddr_un));
+
+	if (ret == 0) {
+		si->bound = 1;
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_listen(int s, int backlog)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_listen(s, backlog);
+	}
+
+	ret = real_listen(s, backlog);
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_getpeername(int s, struct sockaddr *name, socklen_t *addrlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getpeername(s, name, addrlen);
+	}
+
+	if (!si->peername)
+	{
+		errno = ENOTCONN;
+		return -1;
+	}
+
+	memcpy(name, si->peername, si->peername_len);
+	*addrlen = si->peername_len;
+
+	return 0;
+}
+
+_PUBLIC_ int swrap_getsockname(int s, struct sockaddr *name, socklen_t *addrlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getsockname(s, name, addrlen);
+	}
+
+	memcpy(name, si->myname, si->myname_len);
+	*addrlen = si->myname_len;
+
+	return 0;
+}
+
+_PUBLIC_ int swrap_getsockopt(int s, int level, int optname, void *optval, socklen_t *optlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_getsockopt(s, level, optname, optval, optlen);
+	}
+
+	if (level == SOL_SOCKET) {
+		return real_getsockopt(s, level, optname, optval, optlen);
+	} 
+
+	errno = ENOPROTOOPT;
+	return -1;
+}
+
+_PUBLIC_ int swrap_setsockopt(int s, int  level,  int  optname,  const  void  *optval, socklen_t optlen)
+{
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_setsockopt(s, level, optname, optval, optlen);
+	}
+
+	if (level == SOL_SOCKET) {
+		return real_setsockopt(s, level, optname, optval, optlen);
+	}
+
+	switch (si->family) {
+	case AF_INET:
+		return 0;
+	default:
+		errno = ENOPROTOOPT;
+		return -1;
+	}
+}
+
+_PUBLIC_ ssize_t swrap_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
+{
+	struct sockaddr_un un_addr;
+	socklen_t un_addrlen = sizeof(un_addr);
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_recvfrom(s, buf, len, flags, from, fromlen);
+	}
+
+	len = MIN(len, 1500);
+
+	/* irix 6.4 forgets to null terminate the sun_path string :-( */
+	memset(&un_addr, 0, sizeof(un_addr));
+	ret = real_recvfrom(s, buf, len, flags, (struct sockaddr *)&un_addr, &un_addrlen);
+	if (ret == -1) 
+		return ret;
+
+	if (sockaddr_convert_from_un(si, &un_addr, un_addrlen,
+				     si->family, from, fromlen) == -1) {
+		return -1;
+	}
+
+	swrap_dump_packet(si, from, SWRAP_RECVFROM, buf, ret);
+
+	return ret;
+}
+
+
+_PUBLIC_ ssize_t swrap_sendto(int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen)
+{
+	struct sockaddr_un un_addr;
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+	int bcast = 0;
+
+	if (!si) {
+		return real_sendto(s, buf, len, flags, to, tolen);
+	}
+
+	len = MIN(len, 1500);
+
+	switch (si->type) {
+	case SOCK_STREAM:
+		ret = real_send(s, buf, len, flags);
+		break;
+	case SOCK_DGRAM:
+		if (si->bound == 0) {
+			ret = swrap_auto_bind(si);
+			if (ret == -1) return -1;
+		}
+		
+		ret = sockaddr_convert_to_un(si, to, tolen, &un_addr, 0, &bcast);
+		if (ret == -1) return -1;
+		
+		if (bcast) {
+			struct stat st;
+			unsigned int iface;
+			unsigned int prt = ntohs(((const struct sockaddr_in *)to)->sin_port);
+			char type;
+			
+			type = SOCKET_TYPE_CHAR_UDP;
+			
+			for(iface=0; iface <= MAX_WRAPPED_INTERFACES; iface++) {
+				snprintf(un_addr.sun_path, sizeof(un_addr.sun_path), "%s/"SOCKET_FORMAT, 
+					 socket_wrapper_dir(), type, iface, prt);
+				if (stat(un_addr.sun_path, &st) != 0) continue;
+				
+				/* ignore the any errors in broadcast sends */
+				real_sendto(s, buf, len, flags, (struct sockaddr *)&un_addr, sizeof(un_addr));
+			}
+			
+			swrap_dump_packet(si, to, SWRAP_SENDTO, buf, len);
+			
+			return len;
+		}
+		
+		ret = real_sendto(s, buf, len, flags, (struct sockaddr *)&un_addr, sizeof(un_addr));
+		break;
+	default:
+		ret = -1;
+		errno = EHOSTUNREACH;
+		break;
+	}
+		
+	/* to give better errors */
+	if (ret == -1 && errno == ENOENT) {
+		errno = EHOSTUNREACH;
+	}
+
+	if (ret == -1) {
+		swrap_dump_packet(si, to, SWRAP_SENDTO, buf, len);
+		swrap_dump_packet(si, to, SWRAP_SENDTO_UNREACH, buf, len);
+	} else {
+		swrap_dump_packet(si, to, SWRAP_SENDTO, buf, ret);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_ioctl(int s, int r, void *p)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+	int value;
+
+	if (!si) {
+		return real_ioctl(s, r, p);
+	}
+
+	ret = real_ioctl(s, r, p);
+
+	switch (r) {
+	case FIONREAD:
+		value = *((int *)p);
+		if (ret == -1 && errno != EAGAIN && errno != ENOBUFS) {
+			swrap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
+		} else if (value == 0) { /* END OF FILE */
+			swrap_dump_packet(si, NULL, SWRAP_PENDING_RST, NULL, 0);
+		}
+		break;
+	}
+
+	return ret;
+}
+
+_PUBLIC_ ssize_t swrap_recv(int s, void *buf, size_t len, int flags)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_recv(s, buf, len, flags);
+	}
+
+	len = MIN(len, 1500);
+
+	ret = real_recv(s, buf, len, flags);
+	if (ret == -1 && errno != EAGAIN && errno != ENOBUFS) {
+		swrap_dump_packet(si, NULL, SWRAP_RECV_RST, NULL, 0);
+	} else if (ret == 0) { /* END OF FILE */
+		swrap_dump_packet(si, NULL, SWRAP_RECV_RST, NULL, 0);
+	} else {
+		swrap_dump_packet(si, NULL, SWRAP_RECV, buf, ret);
+	}
+
+	return ret;
+}
+
+
+_PUBLIC_ ssize_t swrap_send(int s, const void *buf, size_t len, int flags)
+{
+	int ret;
+	struct socket_info *si = find_socket_info(s);
+
+	if (!si) {
+		return real_send(s, buf, len, flags);
+	}
+
+	len = MIN(len, 1500);
+
+	ret = real_send(s, buf, len, flags);
+
+	if (ret == -1) {
+		swrap_dump_packet(si, NULL, SWRAP_SEND, buf, len);
+		swrap_dump_packet(si, NULL, SWRAP_SEND_RST, NULL, 0);
+	} else {
+		swrap_dump_packet(si, NULL, SWRAP_SEND, buf, ret);
+	}
+
+	return ret;
+}
+
+_PUBLIC_ int swrap_close(int fd)
+{
+	struct socket_info *si = find_socket_info(fd);
+	int ret;
+
+	if (!si) {
+		return real_close(fd);
+	}
+
+	SWRAP_DLIST_REMOVE(sockets, si);
+
+	if (si->myname && si->peername) {
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_SEND, NULL, 0);
+	}
+
+	ret = real_close(fd);
+
+	if (si->myname && si->peername) {
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_RECV, NULL, 0);
+		swrap_dump_packet(si, NULL, SWRAP_CLOSE_ACK, NULL, 0);
+	}
+
+	if (si->path) free(si->path);
+	if (si->myname) free(si->myname);
+	if (si->peername) free(si->peername);
+	if (si->tmp_path) {
+		unlink(si->tmp_path);
+		free(si->tmp_path);
+	}
+	free(si);
+
+	return ret;
+}
diff --git a/source3/lib/socket_wrapper/socket_wrapper.h b/source3/lib/socket_wrapper/socket_wrapper.h
new file mode 100644
index 0000000000..cc8b937608
--- /dev/null
+++ b/source3/lib/socket_wrapper/socket_wrapper.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Jelmer Vernooij 2005 <jelmer@samba.org>
+ * Copyright (C) Stefan Metzmacher 2006 <metze@samba.org>
+ *
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the author nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef __SOCKET_WRAPPER_H__
+#define __SOCKET_WRAPPER_H__
+
+const char *socket_wrapper_dir(void);
+unsigned int socket_wrapper_default_iface(void);
+int swrap_socket(int family, int type, int protocol);
+int swrap_accept(int s, struct sockaddr *addr, socklen_t *addrlen);
+int swrap_connect(int s, const struct sockaddr *serv_addr, socklen_t addrlen);
+int swrap_bind(int s, const struct sockaddr *myaddr, socklen_t addrlen);
+int swrap_listen(int s, int backlog);
+int swrap_getpeername(int s, struct sockaddr *name, socklen_t *addrlen);
+int swrap_getsockname(int s, struct sockaddr *name, socklen_t *addrlen);
+int swrap_getsockopt(int s, int level, int optname, void *optval, socklen_t *optlen);
+int swrap_setsockopt(int s, int  level,  int  optname,  const  void  *optval, socklen_t optlen);
+ssize_t swrap_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen);
+ssize_t swrap_sendto(int s, const void *buf, size_t len, int flags, const struct sockaddr *to, socklen_t tolen);
+int swrap_ioctl(int s, int req, void *ptr);
+ssize_t swrap_recv(int s, void *buf, size_t len, int flags);
+ssize_t swrap_send(int s, const void *buf, size_t len, int flags);
+int swrap_close(int);
+
+#ifdef SOCKET_WRAPPER_REPLACE
+
+#ifdef accept
+#undef accept
+#endif
+#define accept(s,addr,addrlen)		swrap_accept(s,addr,addrlen)
+
+#ifdef connect
+#undef connect
+#endif
+#define connect(s,serv_addr,addrlen)	swrap_connect(s,serv_addr,addrlen)
+
+#ifdef bind
+#undef bind
+#endif
+#define bind(s,myaddr,addrlen)		swrap_bind(s,myaddr,addrlen)
+
+#ifdef listen
+#undef listen
+#endif
+#define listen(s,blog)			swrap_listen(s,blog)
+
+#ifdef getpeername
+#undef getpeername
+#endif
+#define getpeername(s,name,addrlen)	swrap_getpeername(s,name,addrlen)
+
+#ifdef getsockname
+#undef getsockname
+#endif
+#define getsockname(s,name,addrlen)	swrap_getsockname(s,name,addrlen)
+
+#ifdef getsockopt
+#undef getsockopt
+#endif
+#define getsockopt(s,level,optname,optval,optlen) swrap_getsockopt(s,level,optname,optval,optlen)
+
+#ifdef setsockopt
+#undef setsockopt
+#endif
+#define setsockopt(s,level,optname,optval,optlen) swrap_setsockopt(s,level,optname,optval,optlen)
+
+#ifdef recvfrom
+#undef recvfrom
+#endif
+#define recvfrom(s,buf,len,flags,from,fromlen) 	  swrap_recvfrom(s,buf,len,flags,from,fromlen)
+
+#ifdef sendto
+#undef sendto
+#endif
+#define sendto(s,buf,len,flags,to,tolen)          swrap_sendto(s,buf,len,flags,to,tolen)
+
+#ifdef ioctl
+#undef ioctl
+#endif
+#define ioctl(s,req,ptr)		swrap_ioctl(s,req,ptr)
+
+#ifdef recv
+#undef recv
+#endif
+#define recv(s,buf,len,flags)		swrap_recv(s,buf,len,flags)
+
+#ifdef send
+#undef send
+#endif
+#define send(s,buf,len,flags)		swrap_send(s,buf,len,flags)
+
+#ifdef socket
+#undef socket
+#endif
+#define socket(domain,type,protocol)	swrap_socket(domain,type,protocol)
+
+#ifdef close
+#undef close
+#endif
+#define close(s)			swrap_close(s)
+#endif
+
+
+#endif /* __SOCKET_WRAPPER_H__ */
diff --git a/source3/lib/socket_wrapper/testsuite.c b/source3/lib/socket_wrapper/testsuite.c
new file mode 100644
index 0000000000..8877418e4c
--- /dev/null
+++ b/source3/lib/socket_wrapper/testsuite.c
@@ -0,0 +1,105 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   local testing of the socket wrapper
+
+   Copyright (C) Jelmer Vernooij 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/network.h"
+#include "lib/socket_wrapper/socket_wrapper.h"
+#include "torture/torture.h"
+
+static char *old_dir = NULL;
+static char *old_iface = NULL;
+
+static void backup_env(void)
+{
+	old_dir = getenv("SOCKET_WRAPPER_DIR");
+	old_iface = getenv("SOCKET_WRAPPER_DEFAULT_IFACE");
+}
+
+static void restore_env(void)
+{
+	if (old_dir == NULL)
+		unsetenv("SOCKET_WRAPPER_DIR");
+	else
+		setenv("SOCKET_WRAPPER_DIR", old_dir, 1);
+	if (old_iface == NULL)
+		unsetenv("SOCKET_WRAPPER_DEFAULT_IFACE");
+	else
+		setenv("SOCKET_WRAPPER_DEFAULT_IFACE", old_iface, 1);
+}
+
+static bool test_socket_wrapper_dir(struct torture_context *tctx)
+{
+	backup_env();
+
+	setenv("SOCKET_WRAPPER_DIR", "foo", 1);
+	torture_assert_str_equal(tctx, socket_wrapper_dir(), "foo", "setting failed");
+	setenv("SOCKET_WRAPPER_DIR", "./foo", 1);
+	torture_assert_str_equal(tctx, socket_wrapper_dir(), "foo", "setting failed");
+	unsetenv("SOCKET_WRAPPER_DIR");
+	torture_assert_str_equal(tctx, socket_wrapper_dir(), NULL, "resetting failed");
+
+	restore_env();
+
+	return true;
+}
+
+static bool test_swrap_socket(struct torture_context *tctx)
+{
+	backup_env();
+	setenv("SOCKET_WRAPPER_DIR", "foo", 1);
+
+	torture_assert_int_equal(tctx, swrap_socket(1337, 1337, 0), -1, "unknown address family fails");
+	torture_assert_int_equal(tctx, errno, EAFNOSUPPORT, "correct errno set");
+	torture_assert_int_equal(tctx, swrap_socket(AF_INET, 1337, 0), -1, "unknown type fails");
+	torture_assert_int_equal(tctx, errno, EPROTONOSUPPORT, "correct errno set");
+	torture_assert_int_equal(tctx, swrap_socket(AF_INET, SOCK_DGRAM, 10), -1, "unknown protocol fails");
+	torture_assert_int_equal(tctx, errno, EPROTONOSUPPORT, "correct errno set");
+
+	restore_env();
+
+	return true;
+}
+
+unsigned int socket_wrapper_default_iface(void);
+static bool test_socket_wrapper_default_iface(struct torture_context *tctx)
+{
+	backup_env();
+	unsetenv("SOCKET_WRAPPER_DEFAULT_IFACE");
+	torture_assert_int_equal(tctx, socket_wrapper_default_iface(), 1, "unset");
+	setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "2", 1);
+	torture_assert_int_equal(tctx, socket_wrapper_default_iface(), 2, "unset");
+	setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "bla", 1);
+	torture_assert_int_equal(tctx, socket_wrapper_default_iface(), 1, "unset");
+	restore_env();
+	return true;
+}
+
+struct torture_suite *torture_local_socket_wrapper(TALLOC_CTX *mem_ctx)
+{
+	struct torture_suite *suite = torture_suite_create(mem_ctx, 
+													   "SOCKET-WRAPPER");
+
+	torture_suite_add_simple_test(suite, "socket_wrapper_dir", test_socket_wrapper_dir);
+	torture_suite_add_simple_test(suite, "socket", test_swrap_socket);
+	torture_suite_add_simple_test(suite, "socket_wrapper_default_iface", test_socket_wrapper_default_iface);
+
+	return suite;
+}
diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
new file mode 100644
index 0000000000..acfe55d761
--- /dev/null
+++ b/source3/lib/substitute.c
@@ -0,0 +1,915 @@
+/* 
+   Unix SMB/CIFS implementation.
+   string substitution functions
+   Copyright (C) Andrew Tridgell 1992-2000
+   Copyright (C) Gerald Carter   2006
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+userdom_struct current_user_info;
+fstring remote_proto="UNKNOWN";
+
+/**
+ * Set the 'local' machine name
+ * @param local_name the name we are being called
+ * @param if this is the 'final' name for us, not be be changed again
+ */
+
+static char *local_machine;
+
+void free_local_machine_name(void)
+{
+	SAFE_FREE(local_machine);
+}
+
+bool set_local_machine_name(const char *local_name, bool perm)
+{
+	static bool already_perm = false;
+	char *tmp_local_machine = NULL;
+	char addr[INET6_ADDRSTRLEN];
+	size_t len;
+
+	tmp_local_machine = SMB_STRDUP(local_name);
+	if (!tmp_local_machine) {
+		return false;
+	}
+	trim_char(tmp_local_machine,' ',' ');
+
+	/*
+	 * Windows NT/2k uses "*SMBSERVER" and XP uses "*SMBSERV"
+	 * arrggg!!!
+	 */
+
+	if (strequal(tmp_local_machine, "*SMBSERVER") ||
+			strequal(tmp_local_machine, "*SMBSERV") )  {
+		SAFE_FREE(local_machine);
+		local_machine = SMB_STRDUP(client_socket_addr(get_client_fd(),
+					addr, sizeof(addr)) );
+		SAFE_FREE(tmp_local_machine);
+		return local_machine ? true : false;
+	}
+
+	if (already_perm) {
+		return true;
+	}
+
+	SAFE_FREE(local_machine);
+	len = strlen(tmp_local_machine);
+	local_machine = SMB_CALLOC_ARRAY(char, len+1);
+	if (!local_machine) {
+		SAFE_FREE(tmp_local_machine);
+		return false;
+	}
+	/* alpha_strcpy includes the space for the terminating nul. */
+	alpha_strcpy(local_machine,tmp_local_machine,
+			SAFE_NETBIOS_CHARS,len+1);
+	strlower_m(local_machine);
+	SAFE_FREE(tmp_local_machine);
+
+	already_perm = perm;
+
+	return true;
+}
+
+const char *get_local_machine_name(void)
+{
+	if (!local_machine || !*local_machine) {
+		return global_myname();
+	}
+
+	return local_machine;
+}
+
+/**
+ * Set the 'remote' machine name
+ * @param remote_name the name our client wants to be called by
+ * @param if this is the 'final' name for them, not be be changed again
+ */
+
+static char *remote_machine;
+
+bool set_remote_machine_name(const char *remote_name, bool perm)
+{
+	static bool already_perm = False;
+	char *tmp_remote_machine;
+	size_t len;
+
+	if (already_perm) {
+		return true;
+	}
+
+	tmp_remote_machine = SMB_STRDUP(remote_name);
+	if (!tmp_remote_machine) {
+		return false;
+	}
+	trim_char(tmp_remote_machine,' ',' ');
+
+	SAFE_FREE(remote_machine);
+	len = strlen(tmp_remote_machine);
+	remote_machine = SMB_CALLOC_ARRAY(char, len+1);
+	if (!remote_machine) {
+		SAFE_FREE(tmp_remote_machine);
+		return false;
+	}
+
+	/* alpha_strcpy includes the space for the terminating nul. */
+	alpha_strcpy(remote_machine,tmp_remote_machine,
+			SAFE_NETBIOS_CHARS,len+1);
+	strlower_m(remote_machine);
+	SAFE_FREE(tmp_remote_machine);
+
+	already_perm = perm;
+
+	return true;
+}
+
+const char *get_remote_machine_name(void)
+{
+	return remote_machine ? remote_machine : "";
+}
+
+/*******************************************************************
+ Setup the string used by %U substitution.
+********************************************************************/
+
+static char *smb_user_name;
+
+void sub_set_smb_name(const char *name)
+{
+	char *tmp;
+	size_t len;
+	bool is_machine_account = false;
+
+	/* don't let anonymous logins override the name */
+	if (!name || !*name) {
+		return;
+	}
+
+	tmp = SMB_STRDUP(name);
+	if (!tmp) {
+		return;
+	}
+	trim_char(tmp, ' ', ' ');
+	strlower_m(tmp);
+
+	len = strlen(tmp);
+
+	if (len == 0) {
+		SAFE_FREE(tmp);
+		return;
+	}
+
+	/* long story but here goes....we have to allow usernames
+	   ending in '$' as they are valid machine account names.
+	   So check for a machine account and re-add the '$'
+	   at the end after the call to alpha_strcpy().   --jerry  */
+
+	if (tmp[len-1] == '$') {
+		is_machine_account = True;
+	}
+
+	SAFE_FREE(smb_user_name);
+	smb_user_name = SMB_CALLOC_ARRAY(char, len+1);
+	if (!smb_user_name) {
+		SAFE_FREE(tmp);
+		return;
+	}
+
+	/* alpha_strcpy includes the space for the terminating nul. */
+	alpha_strcpy(smb_user_name, tmp,
+			SAFE_NETBIOS_CHARS,
+			len+1);
+
+	SAFE_FREE(tmp);
+
+	if (is_machine_account) {
+		len = strlen(smb_user_name);
+		smb_user_name[len-1] = '$';
+	}
+}
+
+static const char *get_smb_user_name(void)
+{
+	return smb_user_name ? smb_user_name : "";
+}
+
+/*******************************************************************
+ Setup the strings used by substitutions. Called per packet. Ensure
+ %U name is set correctly also.
+
+ smb_name must be sanitized by alpha_strcpy
+********************************************************************/
+
+void set_current_user_info(const char *smb_name, const char *unix_name,
+			   const char *full_name, const char *domain)
+{
+	fstrcpy(current_user_info.smb_name, smb_name);
+	fstrcpy(current_user_info.unix_name, unix_name);
+	fstrcpy(current_user_info.full_name, full_name);
+	fstrcpy(current_user_info.domain, domain);
+
+	/* The following is safe as current_user_info.smb_name
+	 * has already been sanitised in register_existing_vuid. */
+
+	sub_set_smb_name(current_user_info.smb_name);
+}
+
+/*******************************************************************
+ Return the current active user name.
+*******************************************************************/
+
+const char *get_current_username(void)
+{
+	if (current_user_info.smb_name[0] == '\0' ) {
+		return get_smb_user_name();
+	}
+
+	return current_user_info.smb_name;
+}
+
+/*******************************************************************
+ Given a pointer to a %$(NAME) in p and the whole string in str
+ expand it as an environment variable.
+ Return a new allocated and expanded string.
+ Based on code by Branko Cibej <branko.cibej@hermes.si>
+ When this is called p points at the '%' character.
+ May substitute multiple occurrencies of the same env var.
+********************************************************************/
+
+static char * realloc_expand_env_var(char *str, char *p)
+{
+	char *envname;
+	char *envval;
+	char *q, *r;
+	int copylen;
+
+	if (p[0] != '%' || p[1] != '$' || p[2] != '(') {
+		return str;
+	}
+
+	/*
+	 * Look for the terminating ')'.
+	 */
+
+	if ((q = strchr_m(p,')')) == NULL) {
+		DEBUG(0,("expand_env_var: Unterminated environment variable [%s]\n", p));
+		return str;
+	}
+
+	/*
+	 * Extract the name from within the %$(NAME) string.
+	 */
+
+	r = p + 3;
+	copylen = q - r;
+	
+	/* reserve space for use later add %$() chars */
+	if ( (envname = (char *)SMB_MALLOC(copylen + 1 + 4)) == NULL ) {
+		return NULL;
+	}
+	
+	strncpy(envname,r,copylen);
+	envname[copylen] = '\0';
+
+	if ((envval = getenv(envname)) == NULL) {
+		DEBUG(0,("expand_env_var: Environment variable [%s] not set\n", envname));
+		SAFE_FREE(envname);
+		return str;
+	}
+
+	/*
+	 * Copy the full %$(NAME) into envname so it
+	 * can be replaced.
+	 */
+
+	copylen = q + 1 - p;
+	strncpy(envname,p,copylen);
+	envname[copylen] = '\0';
+	r = realloc_string_sub(str, envname, envval);
+	SAFE_FREE(envname);
+		
+	return r;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+static char *longvar_domainsid( void )
+{
+	DOM_SID sid;
+	fstring tmp;
+	char *sid_string;
+	
+	if ( !secrets_fetch_domain_sid( lp_workgroup(), &sid ) ) {
+		return NULL;
+	}
+	
+	sid_string = SMB_STRDUP( sid_to_fstring( tmp, &sid ) );
+	
+	if ( !sid_string ) {
+		DEBUG(0,("longvar_domainsid: failed to dup SID string!\n"));
+	}
+	
+	return sid_string;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+struct api_longvar {
+	const char *name;
+	char* (*fn)( void );
+};
+
+static struct api_longvar longvar_table[] = {
+	{ "DomainSID",		longvar_domainsid },
+	{ NULL, 		NULL }
+};
+
+static char *get_longvar_val( const char *varname )
+{
+	int i;
+	
+	DEBUG(7,("get_longvar_val: expanding variable [%s]\n", varname));
+	
+	for ( i=0; longvar_table[i].name; i++ ) {
+		if ( strequal( longvar_table[i].name, varname ) ) {
+			return longvar_table[i].fn();
+		}
+	}
+	
+	return NULL;
+}
+
+/*******************************************************************
+ Expand the long smb.conf variable names given a pointer to a %(NAME).
+ Return the number of characters by which the pointer should be advanced.
+ When this is called p points at the '%' character.
+********************************************************************/
+
+static char *realloc_expand_longvar(char *str, char *p)
+{
+	fstring varname;
+	char *value;
+	char *q, *r;
+	int copylen;
+
+	if ( p[0] != '%' || p[1] != '(' ) {
+		return str;
+	}
+
+	/* Look for the terminating ')'.*/
+
+	if ((q = strchr_m(p,')')) == NULL) {
+		DEBUG(0,("realloc_expand_longvar: Unterminated environment variable [%s]\n", p));
+		return str;
+	}
+
+	/* Extract the name from within the %(NAME) string.*/
+
+	r = p+2;
+	copylen = MIN( (q-r), (sizeof(varname)-1) );
+	strncpy(varname, r, copylen);
+	varname[copylen] = '\0';
+
+	if ((value = get_longvar_val(varname)) == NULL) {
+		DEBUG(0,("realloc_expand_longvar: Variable [%s] not set.  Skipping\n", varname));
+		return str;
+	}
+
+	/* Copy the full %(NAME) into envname so it can be replaced.*/
+
+	copylen = MIN( (q+1-p),(sizeof(varname)-1) );
+	strncpy( varname, p, copylen );
+	varname[copylen] = '\0';
+	r = realloc_string_sub(str, varname, value);
+	SAFE_FREE( value );
+
+	/* skip over the %(varname) */
+
+	return r;
+}
+
+/*******************************************************************
+ Patch from jkf@soton.ac.uk
+ Added this to implement %p (NIS auto-map version of %H)
+*******************************************************************/
+
+static const char *automount_path(const char *user_name)
+{
+	TALLOC_CTX *ctx = talloc_tos();
+	const char *server_path;
+
+	/* use the passwd entry as the default */
+	/* this will be the default if WITH_AUTOMOUNT is not used or fails */
+
+	server_path = talloc_strdup(ctx, get_user_home_dir(ctx, user_name));
+	if (!server_path) {
+		return "";
+	}
+
+#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
+
+	if (lp_nis_home_map()) {
+		const char *home_path_start;
+		char *automount_value = automount_lookup(ctx, user_name);
+
+		if(automount_value && strlen(automount_value) > 0) {
+			home_path_start = strchr_m(automount_value,':');
+			if (home_path_start != NULL) {
+				DEBUG(5, ("NIS lookup succeeded. "
+					"Home path is: %s\n",
+					home_path_start ?
+						(home_path_start+1):""));
+				server_path = talloc_strdup(ctx,
+							home_path_start+1);
+				if (!server_path) {
+					server_path = "";
+				}
+			}
+		} else {
+			/* NIS key lookup failed: default to
+			 * user home directory from password file */
+			DEBUG(5, ("NIS lookup failed. Using Home path from "
+			"passwd file. Home path is: %s\n", server_path ));
+		}
+	}
+#endif
+
+	DEBUG(4,("Home server path: %s\n", server_path));
+	return server_path;
+}
+
+/*******************************************************************
+ Patch from jkf@soton.ac.uk
+ This is Luke's original function with the NIS lookup code
+ moved out to a separate function.
+*******************************************************************/
+
+static const char *automount_server(const char *user_name)
+{
+	TALLOC_CTX *ctx = talloc_tos();
+	const char *server_name;
+	const char *local_machine_name = get_local_machine_name();
+
+	/* use the local machine name as the default */
+	/* this will be the default if WITH_AUTOMOUNT is not used or fails */
+	if (local_machine_name && *local_machine_name) {
+		server_name = talloc_strdup(ctx, local_machine_name);
+	} else {
+		server_name = talloc_strdup(ctx, global_myname());
+	}
+
+	if (!server_name) {
+		return "";
+	}
+
+#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
+	if (lp_nis_home_map()) {
+		char *p;
+		char *srv;
+		char *automount_value = automount_lookup(ctx, user_name);
+		if (!automount_value) {
+			return "";
+		}
+		srv = talloc_strdup(ctx, automount_value);
+		if (!srv) {
+			return "";
+		}
+		p = strchr_m(srv, ':');
+		if (!p) {
+			return "";
+		}
+		*p = '\0';
+		server_name = srv;
+		DEBUG(5, ("NIS lookup succeeded.  Home server %s\n",
+					server_name));
+	}
+#endif
+
+	DEBUG(4,("Home server: %s\n", server_name));
+	return server_name;
+}
+
+/****************************************************************************
+ Do some standard substitutions in a string.
+ len is the length in bytes of the space allowed in string str. If zero means
+ don't allow expansions.
+****************************************************************************/
+
+void standard_sub_basic(const char *smb_name, const char *domain_name,
+			char *str, size_t len)
+{
+	char *s;
+	
+	if ( (s = alloc_sub_basic( smb_name, domain_name, str )) != NULL ) {
+		strncpy( str, s, len );
+	}
+	
+	SAFE_FREE( s );
+	
+}
+
+/****************************************************************************
+ Do some standard substitutions in a string.
+ This function will return an allocated string that have to be freed.
+****************************************************************************/
+
+char *talloc_sub_basic(TALLOC_CTX *mem_ctx, const char *smb_name,
+		       const char *domain_name, const char *str)
+{
+	char *a, *t;
+	
+	if ( (a = alloc_sub_basic(smb_name, domain_name, str)) == NULL ) {
+		return NULL;
+	}
+	t = talloc_strdup(mem_ctx, a);
+	SAFE_FREE(a);
+	return t;
+}
+
+/****************************************************************************
+****************************************************************************/
+
+char *alloc_sub_basic(const char *smb_name, const char *domain_name,
+		      const char *str)
+{
+	char *b, *p, *s, *r, *a_string;
+	fstring pidstr, vnnstr;
+	char addr[INET6_ADDRSTRLEN];
+	const char *local_machine_name = get_local_machine_name();
+	TALLOC_CTX *tmp_ctx = NULL;
+
+	/* workaround to prevent a crash while looking at bug #687 */
+	
+	if (!str) {
+		DEBUG(0,("alloc_sub_basic: NULL source string!  This should not happen\n"));
+		return NULL;
+	}
+	
+	a_string = SMB_STRDUP(str);
+	if (a_string == NULL) {
+		DEBUG(0, ("alloc_sub_basic: Out of memory!\n"));
+		return NULL;
+	}
+
+	tmp_ctx = talloc_stackframe();
+
+	for (b = s = a_string; (p = strchr_m(s, '%')); s = a_string + (p - b)) {
+
+		r = NULL;
+		b = a_string;
+
+		switch (*(p+1)) {
+		case 'U' : 
+			r = strdup_lower(smb_name);
+			if (r == NULL) {
+				goto error;
+			}
+			a_string = realloc_string_sub(a_string, "%U", r);
+			break;
+		case 'G' : {
+			struct passwd *pass;
+			r = SMB_STRDUP(smb_name);
+			if (r == NULL) {
+				goto error;
+			}
+			pass = Get_Pwnam_alloc(tmp_ctx, r);
+			if (pass != NULL) {
+				a_string = realloc_string_sub(
+					a_string, "%G",
+					gidtoname(pass->pw_gid));
+			}
+			TALLOC_FREE(pass);
+			break;
+		}
+		case 'D' :
+			r = strdup_upper(domain_name);
+			if (r == NULL) {
+				goto error;
+			}
+			a_string = realloc_string_sub(a_string, "%D", r);
+			break;
+		case 'I' : {
+			int offset = 0;
+			client_addr(get_client_fd(), addr, sizeof(addr));
+			if (strnequal(addr,"::ffff:",7)) {
+				offset = 7;
+			}
+			a_string = realloc_string_sub(a_string, "%I",
+						      addr + offset);
+			break;
+		}
+		case 'i': 
+			a_string = realloc_string_sub( a_string, "%i",
+					client_socket_addr(get_client_fd(), addr, sizeof(addr)) );
+			break;
+		case 'L' : 
+			if ( StrnCaseCmp(p, "%LOGONSERVER%", strlen("%LOGONSERVER%")) == 0 ) {
+				break;
+			}
+			if (local_machine_name && *local_machine_name) {
+				a_string = realloc_string_sub(a_string, "%L", local_machine_name); 
+			} else {
+				a_string = realloc_string_sub(a_string, "%L", global_myname()); 
+			}
+			break;
+		case 'N':
+			a_string = realloc_string_sub(a_string, "%N", automount_server(smb_name));
+			break;
+		case 'M' :
+			a_string = realloc_string_sub(a_string, "%M", client_name(get_client_fd()));
+			break;
+		case 'R' :
+			a_string = realloc_string_sub(a_string, "%R", remote_proto);
+			break;
+		case 'T' :
+			a_string = realloc_string_sub(a_string, "%T", current_timestring(tmp_ctx, False));
+			break;
+		case 'a' :
+			a_string = realloc_string_sub(a_string, "%a",
+					get_remote_arch_str());
+			break;
+		case 'd' :
+			slprintf(pidstr,sizeof(pidstr)-1, "%d",(int)sys_getpid());
+			a_string = realloc_string_sub(a_string, "%d", pidstr);
+			break;
+		case 'h' :
+			a_string = realloc_string_sub(a_string, "%h", myhostname());
+			break;
+		case 'm' :
+			a_string = realloc_string_sub(a_string, "%m",
+						      remote_machine
+						      ? remote_machine
+						      : "");
+			break;
+		case 'v' :
+			a_string = realloc_string_sub(a_string, "%v", SAMBA_VERSION_STRING);
+			break;
+		case 'w' :
+			a_string = realloc_string_sub(a_string, "%w", lp_winbind_separator());
+			break;
+		case '$' :
+			a_string = realloc_expand_env_var(a_string, p); /* Expand environment variables */
+			break;
+		case '(':
+			a_string = realloc_expand_longvar( a_string, p );
+			break;
+		case 'V' :
+			slprintf(vnnstr,sizeof(vnnstr)-1, "%u", get_my_vnn());
+			a_string = realloc_string_sub(a_string, "%V", vnnstr);
+			break;
+		default: 
+			break;
+		}
+
+		p++;
+		SAFE_FREE(r);
+
+		if (a_string == NULL) {
+			goto done;
+		}
+	}
+
+	goto done;
+
+error:
+	SAFE_FREE(a_string);
+
+done:
+	TALLOC_FREE(tmp_ctx);
+	return a_string;
+}
+
+/****************************************************************************
+ Do some specific substitutions in a string.
+ This function will return an allocated string that have to be freed.
+****************************************************************************/
+
+char *talloc_sub_specified(TALLOC_CTX *mem_ctx,
+			const char *input_string,
+			const char *username,
+			const char *domain,
+			uid_t uid,
+			gid_t gid)
+{
+	char *a_string;
+	char *ret_string = NULL;
+	char *b, *p, *s;
+	TALLOC_CTX *tmp_ctx;
+
+	if (!(tmp_ctx = talloc_new(mem_ctx))) {
+		DEBUG(0, ("talloc_new failed\n"));
+		return NULL;
+	}
+
+	a_string = talloc_strdup(tmp_ctx, input_string);
+	if (a_string == NULL) {
+		DEBUG(0, ("talloc_sub_specified: Out of memory!\n"));
+		goto done;
+	}
+	
+	for (b = s = a_string; (p = strchr_m(s, '%')); s = a_string + (p - b)) {
+		
+		b = a_string;
+		
+		switch (*(p+1)) {
+		case 'U' : 
+			a_string = talloc_string_sub(
+				tmp_ctx, a_string, "%U", username);
+			break;
+		case 'u' : 
+			a_string = talloc_string_sub(
+				tmp_ctx, a_string, "%u", username);
+			break;
+		case 'G' :
+			if (gid != -1) {
+				a_string = talloc_string_sub(
+					tmp_ctx, a_string, "%G",
+					gidtoname(gid));
+			} else {
+				a_string = talloc_string_sub(
+					tmp_ctx, a_string,
+					"%G", "NO_GROUP");
+			}
+			break;
+		case 'g' :
+			if (gid != -1) {
+				a_string = talloc_string_sub(
+					tmp_ctx, a_string, "%g",
+					gidtoname(gid));
+			} else {
+				a_string = talloc_string_sub(
+					tmp_ctx, a_string, "%g", "NO_GROUP");
+			}
+			break;
+		case 'D' :
+			a_string = talloc_string_sub(tmp_ctx, a_string,
+						     "%D", domain);
+			break;
+		case 'N' : 
+			a_string = talloc_string_sub(
+				tmp_ctx, a_string, "%N",
+				automount_server(username)); 
+			break;
+		default: 
+			break;
+		}
+
+		p++;
+		if (a_string == NULL) {
+			goto done;
+		}
+	}
+
+	/* Watch out, using "mem_ctx" here, so all intermediate stuff goes
+	 * away with the TALLOC_FREE(tmp_ctx) further down. */
+
+	ret_string = talloc_sub_basic(mem_ctx, username, domain, a_string);
+
+ done:
+	TALLOC_FREE(tmp_ctx);
+	return ret_string;
+}
+
+/****************************************************************************
+****************************************************************************/
+
+static char *alloc_sub_advanced(const char *servicename, const char *user, 
+			 const char *connectpath, gid_t gid, 
+			 const char *smb_name, const char *domain_name,
+			 const char *str)
+{
+	char *a_string, *ret_string;
+	char *b, *p, *s;
+
+	a_string = SMB_STRDUP(str);
+	if (a_string == NULL) {
+		DEBUG(0, ("alloc_sub_advanced: Out of memory!\n"));
+		return NULL;
+	}
+	
+	for (b = s = a_string; (p = strchr_m(s, '%')); s = a_string + (p - b)) {
+		
+		b = a_string;
+		
+		switch (*(p+1)) {
+		case 'N' :
+			a_string = realloc_string_sub(a_string, "%N", automount_server(user));
+			break;
+		case 'H': {
+			char *h;
+			if ((h = get_user_home_dir(talloc_tos(), user)))
+				a_string = realloc_string_sub(a_string, "%H", h);
+			TALLOC_FREE(h);
+			break;
+		}
+		case 'P': 
+			a_string = realloc_string_sub(a_string, "%P", connectpath); 
+			break;
+		case 'S': 
+			a_string = realloc_string_sub(a_string, "%S", servicename);
+			break;
+		case 'g': 
+			a_string = realloc_string_sub(a_string, "%g", gidtoname(gid)); 
+			break;
+		case 'u': 
+			a_string = realloc_string_sub(a_string, "%u", user); 
+			break;
+			
+			/* Patch from jkf@soton.ac.uk Left the %N (NIS
+			 * server name) in standard_sub_basic as it is
+			 * a feature for logon servers, hence uses the
+			 * username.  The %p (NIS server path) code is
+			 * here as it is used instead of the default
+			 * "path =" string in [homes] and so needs the
+			 * service name, not the username.  */
+		case 'p': 
+			a_string = realloc_string_sub(a_string, "%p",
+						      automount_path(servicename)); 
+			break;
+			
+		default: 
+			break;
+		}
+
+		p++;
+		if (a_string == NULL) {
+			return NULL;
+		}
+	}
+
+	ret_string = alloc_sub_basic(smb_name, domain_name, a_string);
+	SAFE_FREE(a_string);
+	return ret_string;
+}
+
+/*
+ * This obviously is inefficient and needs to be merged into
+ * alloc_sub_advanced...
+ */
+
+char *talloc_sub_advanced(TALLOC_CTX *mem_ctx,
+			  const char *servicename, const char *user,
+			  const char *connectpath, gid_t gid,
+			  const char *smb_name, const char *domain_name,
+			  const char *str)
+{
+	char *a, *t;
+
+	if (!(a = alloc_sub_advanced(servicename, user, connectpath, gid,
+				     smb_name, domain_name, str))) {
+		return NULL;
+	}
+	t = talloc_strdup(mem_ctx, a);
+	SAFE_FREE(a);
+	return t;
+}
+
+
+void standard_sub_advanced(const char *servicename, const char *user,
+			   const char *connectpath, gid_t gid,
+			   const char *smb_name, const char *domain_name,
+			   char *str, size_t len)
+{
+	char *s;
+
+	s = alloc_sub_advanced(servicename, user, connectpath,
+			       gid, smb_name, domain_name, str);
+
+	if ( s ) {
+		strncpy( str, s, len );
+		SAFE_FREE( s );
+	}
+}
+
+/****************************************************************************
+ Do some standard substitutions in a string.
+****************************************************************************/
+
+char *standard_sub_conn(TALLOC_CTX *ctx, connection_struct *conn, const char *str)
+{
+	return talloc_sub_advanced(ctx,
+				lp_servicename(SNUM(conn)),
+				conn->server_info->unix_name,
+				conn->connectpath,
+				conn->server_info->utok.gid,
+				get_smb_user_name(),
+				"",
+				str);
+}
diff --git a/source3/lib/sysacls.c b/source3/lib/sysacls.c
new file mode 100644
index 0000000000..9c1256ed65
--- /dev/null
+++ b/source3/lib/sysacls.c
@@ -0,0 +1,621 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba system utilities for ACL support.
+   Copyright (C) Jeremy Allison 2000.
+   Copyright (C) Volker Lendecke 2006
+   Copyright (C) Michael Adam 2006,2008
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#undef  DBGC_CLASS
+#define DBGC_CLASS DBGC_ACLS
+
+/*
+ * Note that while this code implements sufficient functionality
+ * to support the sys_acl_* interfaces it does not provide all
+ * of the semantics of the POSIX ACL interfaces.
+ *
+ * In particular, an ACL entry descriptor (SMB_ACL_ENTRY_T) returned
+ * from a call to sys_acl_get_entry() should not be assumed to be
+ * valid after calling any of the following functions, which may
+ * reorder the entries in the ACL.
+ *
+ *	sys_acl_valid()
+ *	sys_acl_set_file()
+ *	sys_acl_set_fd()
+ */
+
+int sys_acl_get_entry(SMB_ACL_T acl_d, int entry_id, SMB_ACL_ENTRY_T *entry_p)
+{
+	if (entry_id != SMB_ACL_FIRST_ENTRY && entry_id != SMB_ACL_NEXT_ENTRY) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_p == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (entry_id == SMB_ACL_FIRST_ENTRY) {
+		acl_d->next = 0;
+	}
+
+	if (acl_d->next < 0) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->next >= acl_d->count) {
+		return 0;
+	}
+
+	*entry_p = &acl_d->acl[acl_d->next++];
+
+	return 1;
+}
+
+int sys_acl_get_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T *type_p)
+{
+	*type_p = entry_d->a_type;
+
+	return 0;
+}
+
+int sys_acl_get_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T *permset_p)
+{
+	*permset_p = &entry_d->a_perm;
+
+	return 0;
+}
+
+void *sys_acl_get_qualifier(SMB_ACL_ENTRY_T entry_d)
+{
+	if (entry_d->a_type == SMB_ACL_USER) {
+		return &entry_d->uid;
+		}
+
+	if (entry_d->a_type == SMB_ACL_GROUP) {
+		return &entry_d->gid;
+	}
+
+	errno = EINVAL;
+		return NULL;
+}
+
+int sys_acl_clear_perms(SMB_ACL_PERMSET_T permset_d)
+{
+	*permset_d = 0;
+
+	return 0;
+}
+
+int sys_acl_add_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	if (perm != SMB_ACL_READ && perm != SMB_ACL_WRITE
+	    && perm != SMB_ACL_EXECUTE) {
+		errno = EINVAL;
+		return -1;
+		}
+ 
+	if (permset_d == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	*permset_d |= perm;
+ 
+	return 0;
+}
+
+int sys_acl_get_perm(SMB_ACL_PERMSET_T permset_d, SMB_ACL_PERM_T perm)
+{
+	return *permset_d & perm;
+}
+
+char *sys_acl_to_text(SMB_ACL_T acl_d, ssize_t *len_p)
+{
+	int	i;
+	int	len, maxlen;
+	char	*text;
+
+	/*
+	 * use an initial estimate of 20 bytes per ACL entry
+	 * when allocating memory for the text representation
+	 * of the ACL
+	 */
+	len	= 0;
+	maxlen	= 20 * acl_d->count;
+	if ((text = (char *)SMB_MALLOC(maxlen)) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+
+	for (i = 0; i < acl_d->count; i++) {
+		struct smb_acl_entry *ap = &acl_d->acl[i];
+		struct group	*gr;
+		char		tagbuf[12];
+		char		idbuf[12];
+		const char	*tag;
+		const char	*id	= "";
+		char		perms[4];
+		int		nbytes;
+
+		switch (ap->a_type) {
+			/*
+			 * for debugging purposes it's probably more
+			 * useful to dump unknown tag types rather
+			 * than just returning an error
+			 */
+			default:
+				slprintf(tagbuf, sizeof(tagbuf)-1, "0x%x",
+					 ap->a_type);
+				tag = tagbuf;
+				break;
+ 
+			case SMB_ACL_USER:
+				id = uidtoname(ap->uid);
+			case SMB_ACL_USER_OBJ:
+				tag = "user";
+				break;
+
+			case SMB_ACL_GROUP:
+				if ((gr = getgrgid(ap->gid)) == NULL) {
+					slprintf(idbuf, sizeof(idbuf)-1, "%ld",
+						(long)ap->gid);
+					id = idbuf;
+				} else {
+					id = gr->gr_name;
+				}
+			case SMB_ACL_GROUP_OBJ:
+				tag = "group";
+				break;
+
+			case SMB_ACL_OTHER:
+				tag = "other";
+				break;
+
+			case SMB_ACL_MASK:
+				tag = "mask";
+				break;
+
+		}
+
+		perms[0] = (ap->a_perm & SMB_ACL_READ) ? 'r' : '-';
+		perms[1] = (ap->a_perm & SMB_ACL_WRITE) ? 'w' : '-';
+		perms[2] = (ap->a_perm & SMB_ACL_EXECUTE) ? 'x' : '-';
+		perms[3] = '\0';
+
+		/*          <tag>      :  <qualifier>   :  rwx \n  \0 */
+		nbytes = strlen(tag) + 1 + strlen(id) + 1 + 3 + 1 + 1;
+
+		/*
+		 * If this entry would overflow the buffer
+		 * allocate enough additional memory for this
+		 * entry and an estimate of another 20 bytes
+		 * for each entry still to be processed
+		 */
+		if ((len + nbytes) > maxlen) {
+			maxlen += nbytes + 20 * (acl_d->count - i);
+			if ((text = (char *)SMB_REALLOC(text, maxlen)) == NULL) {
+			errno = ENOMEM;
+				return NULL;
+		}
+	}
+
+		slprintf(&text[len], nbytes-1, "%s:%s:%s\n", tag, id, perms);
+		len += nbytes - 1;
+	}
+
+	if (len_p)
+		*len_p = len;
+
+	return text;
+}
+
+SMB_ACL_T sys_acl_init(int count)
+{
+	SMB_ACL_T	a;
+
+	if (count < 0) {
+		errno = EINVAL;
+		return NULL;
+	}
+
+	/*
+	 * note that since the definition of the structure pointed
+	 * to by the SMB_ACL_T includes the first element of the
+	 * acl[] array, this actually allocates an ACL with room
+	 * for (count+1) entries
+	 */
+	if ((a = (struct smb_acl_t *)SMB_MALLOC(
+		     sizeof(struct smb_acl_t) +
+		     count * sizeof(struct smb_acl_entry))) == NULL) {
+		errno = ENOMEM;
+		return NULL;
+	}
+ 
+	a->size = count + 1;
+	a->count = 0;
+	a->next = -1;
+
+	return a;
+}
+
+int sys_acl_create_entry(SMB_ACL_T *acl_p, SMB_ACL_ENTRY_T *entry_p)
+{
+	SMB_ACL_T	acl_d;
+	SMB_ACL_ENTRY_T	entry_d;
+
+	if (acl_p == NULL || entry_p == NULL || (acl_d = *acl_p) == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (acl_d->count >= acl_d->size) {
+		errno = ENOSPC;
+		return -1;
+	}
+
+	entry_d		= &acl_d->acl[acl_d->count++];
+	entry_d->a_type	= SMB_ACL_TAG_INVALID;
+	entry_d->uid	= -1;
+	entry_d->gid	= -1;
+	entry_d->a_perm	= 0;
+	*entry_p	= entry_d;
+
+	return 0;
+}
+
+int sys_acl_set_tag_type(SMB_ACL_ENTRY_T entry_d, SMB_ACL_TAG_T tag_type)
+{
+	switch (tag_type) {
+		case SMB_ACL_USER:
+		case SMB_ACL_USER_OBJ:
+		case SMB_ACL_GROUP:
+		case SMB_ACL_GROUP_OBJ:
+		case SMB_ACL_OTHER:
+		case SMB_ACL_MASK:
+			entry_d->a_type = tag_type;
+			break;
+		default:
+			errno = EINVAL;
+			return -1;
+		}
+
+	return 0;
+}
+
+int sys_acl_set_qualifier(SMB_ACL_ENTRY_T entry_d, void *qual_p)
+{
+	if (entry_d->a_type == SMB_ACL_USER) {
+		entry_d->uid = *((uid_t *)qual_p);
+		return 0;
+		}
+	if (entry_d->a_type == SMB_ACL_GROUP) {
+		entry_d->gid = *((gid_t *)qual_p);
+		return 0;
+	}
+
+	errno = EINVAL;
+	return -1;
+}
+
+int sys_acl_set_permset(SMB_ACL_ENTRY_T entry_d, SMB_ACL_PERMSET_T permset_d)
+{
+	if (*permset_d & ~(SMB_ACL_READ|SMB_ACL_WRITE|SMB_ACL_EXECUTE)) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	entry_d->a_perm = *permset_d;
+ 
+	return 0;
+}
+
+int sys_acl_free_text(char *text)
+{
+	SAFE_FREE(text);
+	return 0;
+}
+
+int sys_acl_free_acl(SMB_ACL_T acl_d) 
+{
+	SAFE_FREE(acl_d);
+	return 0;
+}
+
+int sys_acl_free_qualifier(void *qual, SMB_ACL_TAG_T tagtype)
+{
+	return 0;
+}
+
+int sys_acl_valid(SMB_ACL_T acl_d)
+{
+	errno = EINVAL;
+	return -1;
+}
+
+/*
+ * acl_get_file, acl_get_fd, acl_set_file, acl_set_fd and
+ * sys_acl_delete_def_file are to be redirected to the default
+ * statically-bound acl vfs module, but they are replacable.
+ */
+ 
+#if defined(HAVE_POSIX_ACLS)
+ 
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle, 
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return posixacl_sys_acl_get_file(handle, path_p, type);
+}
+ 
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return posixacl_sys_acl_get_fd(handle, fsp);
+}
+ 
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return posixacl_sys_acl_set_file(handle, name, type, acl_d);
+}
+ 
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return posixacl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return posixacl_sys_acl_delete_def_file(handle, path);
+}
+
+#elif defined(HAVE_AIX_ACLS)
+
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return aixacl_sys_acl_get_file(handle, path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return aixacl_sys_acl_get_fd(handle, fsp);
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return aixacl_sys_acl_set_file(handle, name, type, acl_d);
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return aixacl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return aixacl_sys_acl_delete_def_file(handle, path);
+}
+
+#elif defined(HAVE_TRU64_ACLS)
+ 
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return tru64acl_sys_acl_get_file(handle, path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return tru64acl_sys_acl_get_fd(handle, fsp);
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return tru64acl_sys_acl_set_file(handle, name, type, acl_d);
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return tru64acl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return tru64acl_sys_acl_delete_def_file(handle, path);
+}
+
+#elif defined(HAVE_SOLARIS_ACLS) || defined(HAVE_UNIXWARE_ACLS)
+
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return solarisacl_sys_acl_get_file(handle, path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return solarisacl_sys_acl_get_fd(handle, fsp);
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return solarisacl_sys_acl_set_file(handle, name, type, acl_d);
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return solarisacl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return solarisacl_sys_acl_delete_def_file(handle, path);
+}
+
+#elif defined(HAVE_HPUX_ACLS)
+
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return hpuxacl_sys_acl_get_file(handle, path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return hpuxacl_sys_acl_get_fd(handle, fsp);
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return hpuxacl_sys_acl_set_file(handle, name, type, acl_d);
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return hpuxacl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return hpuxacl_sys_acl_delete_def_file(handle, path);
+}
+
+#elif defined(HAVE_IRIX_ACLS)
+
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+	return irixacl_sys_acl_get_file(handle, path_p, type);
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+	return irixacl_sys_acl_get_fd(handle, fsp);
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+	return irixacl_sys_acl_set_file(handle, name, type, acl_d);
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+	return irixacl_sys_acl_set_fd(handle, fsp, acl_d);
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+	return irixacl_sys_acl_delete_def_file(handle, path);
+}
+
+#else /* No ACLs. */
+
+SMB_ACL_T sys_acl_get_file(vfs_handle_struct *handle,
+			   const char *path_p, SMB_ACL_TYPE_T type)
+{
+#ifdef ENOTSUP
+	errno = ENOTSUP;
+#else
+	errno = ENOSYS;
+#endif
+	return NULL;
+}
+
+SMB_ACL_T sys_acl_get_fd(vfs_handle_struct *handle, files_struct *fsp)
+{
+#ifdef ENOTSUP
+	errno = ENOTSUP;
+#else
+	errno = ENOSYS;
+#endif
+	return NULL;
+}
+
+int sys_acl_set_file(vfs_handle_struct *handle,
+		     const char *name, SMB_ACL_TYPE_T type, SMB_ACL_T acl_d)
+{
+#ifdef ENOTSUP
+	errno = ENOTSUP;
+#else
+	errno = ENOSYS;
+#endif
+	return -1;
+}
+
+int sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp,
+		   SMB_ACL_T acl_d)
+{
+#ifdef ENOTSUP
+	errno = ENOTSUP;
+#else
+	errno = ENOSYS;
+#endif
+	return -1;
+}
+
+int sys_acl_delete_def_file(vfs_handle_struct *handle,
+			    const char *path)
+{
+#ifdef ENOTSUP
+	errno = ENOTSUP;
+#else
+	errno = ENOSYS;
+#endif
+	return -1;
+}
+
+#endif
+
+/************************************************************************
+ Deliberately outside the ACL defines. Return 1 if this is a "no acls"
+ errno, 0 if not.
+************************************************************************/
+
+int no_acl_syscall_error(int err)
+{
+#if defined(ENOSYS)
+	if (err == ENOSYS) {
+		return 1;
+	}
+#endif
+#if defined(ENOTSUP)
+	if (err == ENOTSUP) {
+		return 1;
+	}
+#endif
+	return 0;
+}
diff --git a/source3/lib/sysquotas.c b/source3/lib/sysquotas.c
new file mode 100644
index 0000000000..4a2d88abdf
--- /dev/null
+++ b/source3/lib/sysquotas.c
@@ -0,0 +1,547 @@
+/* 
+   Unix SMB/CIFS implementation.
+   System QUOTA function wrappers
+   Copyright (C) Stefan (metze) Metzmacher	2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_QUOTA
+
+#ifdef HAVE_SYS_QUOTAS
+
+#if defined(HAVE_QUOTACTL_4A) 
+
+/*#endif HAVE_QUOTACTL_4A */
+#elif defined(HAVE_QUOTACTL_4B)
+
+#error HAVE_QUOTACTL_4B not implemeted
+
+/*#endif HAVE_QUOTACTL_4B */
+#elif defined(HAVE_QUOTACTL_3)
+
+#error HAVE_QUOTACTL_3 not implemented
+
+/* #endif  HAVE_QUOTACTL_3 */
+#else /* NO_QUOTACTL_USED */
+
+#endif /* NO_QUOTACTL_USED */
+
+#ifdef HAVE_MNTENT
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+	int ret = -1;
+	SMB_STRUCT_STAT S;
+	FILE *fp;
+	struct mntent *mnt;
+	SMB_DEV_T devno;
+
+	/* find the block device file */
+
+	if (!path||!mntpath||!bdev||!fs)
+		smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+	(*mntpath) = NULL;
+	(*bdev) = NULL;
+	(*fs) = NULL;
+	
+	if ( sys_stat(path, &S) == -1 )
+		return (-1);
+
+	devno = S.st_dev ;
+
+	fp = setmntent(MOUNTED,"r");
+	if (fp == NULL) {
+		return -1;
+	}
+  
+	while ((mnt = getmntent(fp))) {
+		if ( sys_stat(mnt->mnt_dir,&S) == -1 )
+			continue ;
+
+		if (S.st_dev == devno) {
+			(*mntpath) = SMB_STRDUP(mnt->mnt_dir);
+			(*bdev) = SMB_STRDUP(mnt->mnt_fsname);
+			(*fs)   = SMB_STRDUP(mnt->mnt_type);
+			if ((*mntpath)&&(*bdev)&&(*fs)) {
+				ret = 0;
+			} else {
+				SAFE_FREE(*mntpath);
+				SAFE_FREE(*bdev);
+				SAFE_FREE(*fs);
+				ret = -1;
+			}
+
+			break;
+		}
+	}
+
+	endmntent(fp) ;
+
+	return ret;
+}
+/* #endif HAVE_MNTENT */
+#elif defined(HAVE_DEVNM)
+
+/* we have this on HPUX, ... */
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+	int ret = -1;
+	char dev_disk[256];
+	SMB_STRUCT_STAT S;
+
+	if (!path||!mntpath||!bdev||!fs)
+		smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+	(*mntpath) = NULL;
+	(*bdev) = NULL;
+	(*fs) = NULL;
+	
+	/* find the block device file */
+
+	if ((ret=sys_stat(path, &S))!=0) {
+		return ret;
+	}
+	
+	if ((ret=devnm(S_IFBLK, S.st_dev, dev_disk, 256, 1))!=0) {
+		return ret;	
+	}
+
+	/* we should get the mntpath right...
+	 * but I don't know how
+	 * --metze
+	 */
+	(*mntpath) = SMB_STRDUP(path);
+	(*bdev) = SMB_STRDUP(dev_disk);
+	if ((*mntpath)&&(*bdev)) {
+		ret = 0;
+	} else {
+		SAFE_FREE(*mntpath);
+		SAFE_FREE(*bdev);
+		ret = -1;
+	}	
+	
+	
+	return ret;	
+}
+
+/* #endif HAVE_DEVNM */
+#else
+/* we should fake this up...*/
+static int sys_path_to_bdev(const char *path, char **mntpath, char **bdev, char **fs)
+{
+	int ret = -1;
+
+	if (!path||!mntpath||!bdev||!fs)
+		smb_panic("sys_path_to_bdev: called with NULL pointer");
+
+	(*mntpath) = NULL;
+	(*bdev) = NULL;
+	(*fs) = NULL;
+	
+	(*mntpath) = SMB_STRDUP(path);
+	if (*mntpath) {
+		ret = 0;
+	} else {
+		SAFE_FREE(*mntpath);
+		ret = -1;
+	}
+
+	return ret;
+}
+#endif
+
+/*********************************************************************
+ Now the list of all filesystem specific quota systems we have found
+**********************************************************************/
+static struct {
+	const char *name;
+	int (*get_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
+	int (*set_quota)(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp);
+} sys_quota_backends[] = {
+#ifdef HAVE_XFS_QUOTAS
+	{"xfs", sys_get_xfs_quota, 	sys_set_xfs_quota},
+#endif /* HAVE_XFS_QUOTAS */
+	{NULL, 	NULL, 			NULL}
+};
+
+static int command_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	const char *get_quota_command;
+	char **lines = NULL;
+
+	get_quota_command = lp_get_quota_command();
+	if (get_quota_command && *get_quota_command) {
+		const char *p;
+		char *p2;
+		char *syscmd = NULL;
+		int _id = -1;
+
+		switch(qtype) {
+			case SMB_USER_QUOTA_TYPE:
+			case SMB_USER_FS_QUOTA_TYPE:
+				_id = id.uid;
+				break;
+			case SMB_GROUP_QUOTA_TYPE:
+			case SMB_GROUP_FS_QUOTA_TYPE:
+				_id = id.gid;
+				break;
+			default:
+				DEBUG(0,("invalid quota type.\n"));
+				return -1;
+		}
+
+		if (asprintf(&syscmd, "%s \"%s\" %d %d",
+			get_quota_command, path, qtype, _id) < 0) {
+			return -1;
+		}
+
+		DEBUG (3, ("get_quota: Running command %s\n", syscmd));
+
+		lines = file_lines_pload(syscmd, NULL);
+		SAFE_FREE(syscmd);
+
+		if (lines) {
+			char *line = lines[0];
+
+			DEBUG (3, ("Read output from get_quota, \"%s\"\n", line));
+
+			/* we need to deal with long long unsigned here, if supported */
+
+			dp->qflags = (enum SMB_QUOTA_TYPE)strtoul(line, &p2, 10);
+			p = p2;
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->curblocks = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->softlimit = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->hardlimit = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->curinodes = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->isoftlimit = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->ihardlimit = STR_TO_SMB_BIG_UINT(p, &p);
+			} else {
+				goto invalid_param;	
+			}
+
+			while (p && *p && isspace(*p)) {
+				p++;
+			}
+
+			if (p && *p) {
+				dp->bsize = STR_TO_SMB_BIG_UINT(p, NULL);
+			} else {
+				dp->bsize = 1024;
+			}
+
+			file_lines_free(lines);
+			lines = NULL;
+
+			DEBUG (3, ("Parsed output of get_quota, ...\n"));
+
+#ifdef LARGE_SMB_OFF_T
+			DEBUGADD (5,( 
+				"qflags:%u curblocks:%llu softlimit:%llu hardlimit:%llu\n"
+				"curinodes:%llu isoftlimit:%llu ihardlimit:%llu bsize:%llu\n", 
+				dp->qflags,(long long unsigned)dp->curblocks,
+				(long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
+				(long long unsigned)dp->curinodes,
+				(long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
+				(long long unsigned)dp->bsize));
+#else /* LARGE_SMB_OFF_T */
+			DEBUGADD (5,( 
+				"qflags:%u curblocks:%lu softlimit:%lu hardlimit:%lu\n"
+				"curinodes:%lu isoftlimit:%lu ihardlimit:%lu bsize:%lu\n", 
+				dp->qflags,(long unsigned)dp->curblocks,
+				(long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
+				(long unsigned)dp->curinodes,
+				(long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
+				(long unsigned)dp->bsize));
+#endif /* LARGE_SMB_OFF_T */
+			return 0;
+		}
+
+		DEBUG (0, ("get_quota_command failed!\n"));
+		return -1;
+	}
+
+	errno = ENOSYS;
+	return -1;
+
+invalid_param:
+
+	file_lines_free(lines);
+	DEBUG(0,("The output of get_quota_command is invalid!\n"));
+	return -1;
+}
+
+static int command_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	const char *set_quota_command;
+
+	set_quota_command = lp_set_quota_command();
+	if (set_quota_command && *set_quota_command) {
+		char **lines = NULL;
+		char *syscmd = NULL;
+		int _id = -1;
+
+		switch(qtype) {
+			case SMB_USER_QUOTA_TYPE:
+			case SMB_USER_FS_QUOTA_TYPE:
+				_id = id.uid;
+				break;
+			case SMB_GROUP_QUOTA_TYPE:
+			case SMB_GROUP_FS_QUOTA_TYPE:
+				_id = id.gid;
+				break;
+			default:
+				return -1;
+		}
+
+#ifdef LARGE_SMB_OFF_T
+		if (asprintf(&syscmd,
+			"%s \"%s\" %d %d "
+			"%u %llu %llu "
+			"%llu %llu %llu ",
+			set_quota_command, path, qtype, _id, dp->qflags,
+			(long long unsigned)dp->softlimit,(long long unsigned)dp->hardlimit,
+			(long long unsigned)dp->isoftlimit,(long long unsigned)dp->ihardlimit,
+			(long long unsigned)dp->bsize) < 0) {
+			return -1;
+		}
+#else /* LARGE_SMB_OFF_T */
+		if (asprintf(&syscmd,
+			"%s \"%s\" %d %d "
+			"%u %lu %lu "
+			"%lu %lu %lu ",
+			set_quota_command, path, qtype, _id, dp->qflags,
+			(long unsigned)dp->softlimit,(long unsigned)dp->hardlimit,
+			(long unsigned)dp->isoftlimit,(long unsigned)dp->ihardlimit,
+			(long unsigned)dp->bsize) < 0) {
+			return -1;
+		}
+#endif /* LARGE_SMB_OFF_T */
+
+		DEBUG (3, ("get_quota: Running command %s\n", syscmd));
+
+		lines = file_lines_pload(syscmd, NULL);
+		SAFE_FREE(syscmd);
+		if (lines) {
+			char *line = lines[0];
+
+			DEBUG (3, ("Read output from set_quota, \"%s\"\n", line));
+
+			file_lines_free(lines);
+
+			return 0;
+		}
+		DEBUG (0, ("set_quota_command failed!\n"));
+		return -1;
+	}
+
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_get_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	int i;
+	bool ready = False;
+	char *mntpath = NULL;
+	char *bdev = NULL;
+	char *fs = NULL;
+
+	if (!path||!dp)
+		smb_panic("sys_get_quota: called with NULL pointer");
+
+	if (command_get_quota(path, qtype, id, dp)==0) {	
+		return 0;
+	} else if (errno != ENOSYS) {
+		return -1;
+	}
+
+	if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
+		DEBUG(0,("sys_path_to_bdev() failed for path [%s]!\n",path));
+		return ret;
+	}
+
+	errno = 0;
+	DEBUG(10,("sys_get_quota() uid(%u, %u)\n", (unsigned)getuid(), (unsigned)geteuid()));
+
+	for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].get_quota);i++) {
+		if (strcmp(fs,sys_quota_backends[i].name)==0) {
+			ret = sys_quota_backends[i].get_quota(mntpath, bdev, qtype, id, dp);
+			if (ret!=0) {
+				DEBUG(3,("sys_get_%s_quota() failed for mntpath[%s] bdev[%s] qtype[%d] id[%d]: %s.\n",
+					fs,mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid),strerror(errno)));
+			} else {
+				DEBUG(10,("sys_get_%s_quota() called for mntpath[%s] bdev[%s] qtype[%d] id[%d].\n",
+					fs,mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid)));
+			}
+			ready = True;
+			break;	
+		}		
+	}
+
+	if (!ready) {
+		/* use the default vfs quota functions */
+		ret=sys_get_vfs_quota(mntpath, bdev, qtype, id, dp);
+		if (ret!=0) {
+			DEBUG(3,("sys_get_%s_quota() failed for mntpath[%s] bdev[%s] qtype[%d] id[%d]: %s\n",
+				"vfs",mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid),strerror(errno)));
+		} else {
+			DEBUG(10,("sys_get_%s_quota() called for mntpath[%s] bdev[%s] qtype[%d] id[%d].\n",
+				"vfs",mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid)));
+		}
+	}
+
+	SAFE_FREE(mntpath);
+	SAFE_FREE(bdev);
+	SAFE_FREE(fs);
+
+	if ((ret!=0)&& (errno == EDQUOT)) {
+		DEBUG(10,("sys_get_quota() warning over quota!\n"));
+		return 0;
+	}
+
+	return ret;
+}
+
+int sys_set_quota(const char *path, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	int i;
+	bool ready = False;
+	char *mntpath = NULL;
+	char *bdev = NULL;
+	char *fs = NULL;
+
+	/* find the block device file */
+
+	if (!path||!dp)
+		smb_panic("get_smb_quota: called with NULL pointer");
+
+	if (command_set_quota(path, qtype, id, dp)==0) {	
+		return 0;
+	} else if (errno != ENOSYS) {
+		return -1;
+	}
+
+	if ((ret=sys_path_to_bdev(path,&mntpath,&bdev,&fs))!=0) {
+		DEBUG(0,("sys_path_to_bdev() failed for path [%s]!\n",path));
+		return ret;
+	}
+
+	errno = 0;
+	DEBUG(10,("sys_set_quota() uid(%u, %u)\n", (unsigned)getuid(), (unsigned)geteuid())); 
+
+	for (i=0;(fs && sys_quota_backends[i].name && sys_quota_backends[i].set_quota);i++) {
+		if (strcmp(fs,sys_quota_backends[i].name)==0) {
+			ret = sys_quota_backends[i].set_quota(mntpath, bdev, qtype, id, dp);
+			if (ret!=0) {
+				DEBUG(3,("sys_set_%s_quota() failed for mntpath[%s] bdev[%s] qtype[%d] id[%d]: %s.\n",
+					fs,mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid),strerror(errno)));
+			} else {
+				DEBUG(10,("sys_set_%s_quota() called for mntpath[%s] bdev[%s] qtype[%d] id[%d].\n",
+					fs,mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid)));
+			}
+			ready = True;
+			break;
+		}		
+	}
+
+	if (!ready) {
+		/* use the default vfs quota functions */
+		ret=sys_set_vfs_quota(mntpath, bdev, qtype, id, dp);
+		if (ret!=0) {
+			DEBUG(3,("sys_set_%s_quota() failed for mntpath[%s] bdev[%s] qtype[%d] id[%d]: %s.\n",
+				"vfs",mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid),strerror(errno)));
+		} else {
+			DEBUG(10,("sys_set_%s_quota() called for mntpath[%s] bdev[%s] qtype[%d] id[%d].\n",
+				"vfs",mntpath,bdev,qtype,(qtype==SMB_GROUP_QUOTA_TYPE?id.gid:id.uid)));
+		}
+	}
+
+	SAFE_FREE(mntpath);
+	SAFE_FREE(bdev);
+	SAFE_FREE(fs);
+
+	if ((ret!=0)&& (errno == EDQUOT)) {
+		DEBUG(10,("sys_set_quota() warning over quota!\n"));
+		return 0;
+	}
+
+	return ret;		
+}
+
+#else /* HAVE_SYS_QUOTAS */
+ void dummy_sysquotas_c(void);
+
+ void dummy_sysquotas_c(void)
+{
+	return;
+}
+#endif /* HAVE_SYS_QUOTAS */
+
diff --git a/source3/lib/sysquotas_4A.c b/source3/lib/sysquotas_4A.c
new file mode 100644
index 0000000000..f185bba6df
--- /dev/null
+++ b/source3/lib/sysquotas_4A.c
@@ -0,0 +1,346 @@
+/* 
+   Unix SMB/CIFS implementation.
+   System QUOTA function wrappers for QUOTACTL_4A
+   Copyright (C) Stefan (metze) Metzmacher	2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_QUOTA
+
+#ifndef HAVE_SYS_QUOTAS
+#ifdef HAVE_QUOTACTL_4A
+#undef HAVE_QUOTACTL_4A
+#endif
+#endif
+
+#ifdef HAVE_QUOTACTL_4A
+/* long quotactl(int cmd, char *special, qid_t id, caddr_t addr) */
+/* this is used by: HPUX,IRIX */
+
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
+#ifdef HAVE_ASM_TYPES_H
+#include <asm/types.h>
+#endif
+
+#ifdef HAVE_SYS_QUOTA_H
+#include <sys/quota.h>
+#endif
+
+#ifndef Q_SETQLIM
+#define Q_SETQLIM Q_SETQUOTA
+#endif
+
+#ifndef QCMD
+#define QCMD(x,y) x
+#endif
+
+#ifndef QCMD
+#define QCMD(x,y) x
+#endif
+
+#ifdef GRPQUOTA
+#define HAVE_GROUP_QUOTA
+#endif
+
+#ifndef QUOTABLOCK_SIZE
+#define QUOTABLOCK_SIZE DEV_BSIZE
+#endif
+
+#ifdef HAVE_DQB_FSOFTLIMIT
+#define dqb_isoftlimit	dqb_fsoftlimit
+#define dqb_ihardlimit	dqb_fhardlimit
+#define dqb_curinodes	dqb_curfiles
+#endif
+
+#ifdef INITQFNAMES
+#define USERQUOTAFILE_EXTENSION ".user"
+#else
+#define USERQUOTAFILE_EXTENSION ""
+#endif
+
+#if !defined(QUOTAFILENAME) && defined(QFILENAME)
+#define QUOTAFILENAME QFILENAME
+#endif
+
+/****************************************************************************
+ Abstract out the quotactl_4A get calls.
+****************************************************************************/
+int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	struct dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+	ZERO_STRUCT(*dp);
+	dp->qtype = qtype;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_get_vfs_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), (caddr_t)bdev, id.uid, (void *)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			if ((D.dqb_curblocks==0)&&
+				(D.dqb_bsoftlimit==0)&&
+				(D.dqb_bhardlimit==0)) {
+				/* the upper layer functions don't want empty quota records...*/
+				return -1;
+			}
+
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_get_vfs_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), (caddr_t)bdev, id.gid, (void *)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			if ((D.dqb_curblocks==0)&&
+				(D.dqb_bsoftlimit==0)&&
+				(D.dqb_bhardlimit==0)) {
+				/* the upper layer functions don't want empty quota records...*/
+				return -1;
+			}
+
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		case SMB_USER_FS_QUOTA_TYPE:
+			id.uid = getuid();
+
+			DEBUG(10,("sys_get_vfs_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, (caddr_t)bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), (caddr_t)bdev, id.uid, (void *)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			ret = 0;
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			id.gid = getgid();
+
+			DEBUG(10,("sys_get_vfs_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), (caddr_t)bdev, id.gid, (void *)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			ret = 0;
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	dp->bsize = bsize;
+	dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
+	dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
+	dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
+	dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
+	dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
+	dp->curblocks = (SMB_BIG_UINT)D.dqb_curblocks;
+
+
+	dp->qflags = qflags;
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the quotactl_4A set calls.
+****************************************************************************/
+int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	uint32 oldqflags = 0;
+	struct dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	if (bsize == dp->bsize) {
+		D.dqb_bsoftlimit = dp->softlimit;
+		D.dqb_bhardlimit = dp->hardlimit;
+		D.dqb_ihardlimit = dp->ihardlimit;
+		D.dqb_isoftlimit = dp->isoftlimit;
+	} else {
+		D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
+		D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
+		D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+		D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
+	}
+
+	qflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_set_vfs_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			ret = quotactl(QCMD(Q_SETQLIM,USRQUOTA), (caddr_t)bdev, id.uid, (void *)&D);
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_set_vfs_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			ret = quotactl(QCMD(Q_SETQLIM,GRPQUOTA), (caddr_t)bdev, id.gid, (void *)&D);
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		case SMB_USER_FS_QUOTA_TYPE:
+			/* this stuff didn't work as it should:
+			 * switching on/off quota via quotactl()
+			 * didn't work!
+			 * So we just return 0
+			 * --metze
+			 * 
+			 * On HPUX we didn't have the mount path,
+			 * we need to fix sys_path_to_bdev()
+			 *
+			 */
+			id.uid = getuid();
+			DEBUG(10,("sys_set_vfs_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+#if 0
+			ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), (caddr_t)bdev, id.uid, (void *)&D);
+
+			if ((qflags&QUOTAS_DENY_DISK)||(qflags&QUOTAS_ENABLED)) {
+				if (ret == 0) {
+					char *quota_file = NULL;
+					
+					asprintf(&quota_file,"/%s/%s%s",path, QUOTAFILENAME,USERQUOTAFILE_EXTENSION);
+					if (quota_file == NULL) {
+						DEBUG(0,("asprintf() failed!\n"));
+						errno = ENOMEM;
+						return -1;
+					}
+					
+					ret = quotactl(QCMD(Q_QUOTAON,USRQUOTA), (caddr_t)bdev, -1,(void *)quota_file);
+				} else {
+					ret = 0;	
+				}
+			} else {
+				if (ret != 0) {
+					/* turn off */
+					ret = quotactl(QCMD(Q_QUOTAOFF,USRQUOTA), (caddr_t)bdev, -1, (void *)0);	
+				} else {
+					ret = 0;
+				}		
+			}
+
+			DEBUG(0,("sys_set_vfs_quota: ret(%d) errno(%d)[%s] uid(%d) bdev[%s]\n",
+				ret,errno,strerror(errno),id.uid,bdev));
+#else
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), (caddr_t)bdev, id.uid, (void *)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			if (oldqflags == qflags) {
+				ret = 0;
+			} else {
+				ret = -1;
+			}
+#endif
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			/* this stuff didn't work as it should:
+			 * switching on/off quota via quotactl()
+			 * didn't work!
+			 * So we just return 0
+			 * --metze
+			 * 
+			 * On HPUX we didn't have the mount path,
+			 * we need to fix sys_path_to_bdev()
+			 *
+			 */
+			id.gid = getgid();
+			DEBUG(10,("sys_set_vfs_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+#if 0
+			ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id, (void *)&D);
+
+			if ((qflags&QUOTAS_DENY_DISK)||(qflags&QUOTAS_ENABLED)) {
+				if (ret == 0) {
+					char *quota_file = NULL;
+					
+					asprintf(&quota_file,"/%s/%s%s",path, QUOTAFILENAME,GROUPQUOTAFILE_EXTENSION);
+					if (quota_file == NULL) {
+						DEBUG(0,("asprintf() failed!\n"));
+						errno = ENOMEM;
+						return -1;
+					}
+					
+					ret = quotactl(QCMD(Q_QUOTAON,GRPQUOTA), (caddr_t)bdev, -1,(void *)quota_file);
+				} else {
+					ret = 0;	
+				}
+			} else {
+				if (ret != 0) {
+					/* turn off */
+					ret = quotactl(QCMD(Q_QUOTAOFF,GRPQUOTA), (caddr_t)bdev, -1, (void *)0);	
+				} else {
+					ret = 0;
+				}		
+			}
+
+			DEBUG(0,("sys_set_vfs_quota: ret(%d) errno(%d)[%s] uid(%d) bdev[%s]\n",
+				ret,errno,strerror(errno),id.gid,bdev));
+#else
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), (caddr_t)bdev, id.gid, (void *)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			if (oldqflags == qflags) {
+				ret = 0;
+			} else {
+				ret = -1;
+			}
+#endif
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+#else /* HAVE_QUOTACTL_4A */
+ void dummy_sysquotas_4A(void);
+
+ void dummy_sysquotas_4A(void){}
+#endif /* HAVE_QUOTACTL_4A */
diff --git a/source3/lib/sysquotas_linux.c b/source3/lib/sysquotas_linux.c
new file mode 100644
index 0000000000..f9a0464086
--- /dev/null
+++ b/source3/lib/sysquotas_linux.c
@@ -0,0 +1,568 @@
+/* 
+   Unix SMB/CIFS implementation.
+   System QUOTA function wrappers for LINUX
+   Copyright (C) Stefan (metze) Metzmacher	2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_QUOTA
+
+#ifndef HAVE_SYS_QUOTAS
+#ifdef HAVE_QUOTACTL_LINUX
+#undef HAVE_QUOTACTL_LINUX
+#endif
+#endif
+
+#ifdef HAVE_QUOTACTL_LINUX 
+
+#include "samba_linux_quota.h"
+
+/****************************************************************************
+ Abstract out the v1 Linux quota get calls.
+****************************************************************************/
+static int sys_get_linux_v1_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	struct v1_kern_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v1_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v1_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v1_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v1_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	dp->bsize = bsize;
+	dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
+	dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
+	dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
+	dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
+	dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
+	dp->curblocks = (SMB_BIG_UINT)D.dqb_curblocks;
+
+
+	dp->qflags = qflags;
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the v1 Linux quota set calls.
+****************************************************************************/
+static int sys_set_linux_v1_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	uint32 oldqflags = 0;
+	struct v1_kern_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	if (bsize == dp->bsize) {
+		D.dqb_bsoftlimit = dp->softlimit;
+		D.dqb_bhardlimit = dp->hardlimit;
+		D.dqb_ihardlimit = dp->ihardlimit;
+		D.dqb_isoftlimit = dp->isoftlimit;
+	} else {
+		D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
+		D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
+		D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+		D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
+	}
+
+	qflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v1_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			ret = quotactl(QCMD(Q_V1_SETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D);
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v1_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			ret = quotactl(QCMD(Q_V1_SETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D);
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v1_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v1_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V1_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the v2 Linux quota get calls.
+****************************************************************************/
+static int sys_get_linux_v2_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	struct v2_kern_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v2_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v2_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v2_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_v2_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	dp->bsize = bsize;
+	dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
+	dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
+	dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
+	dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
+	dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
+	dp->curblocks = (SMB_BIG_UINT)D.dqb_curspace/bsize;
+
+
+	dp->qflags = qflags;
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the v2 Linux quota set calls.
+****************************************************************************/
+static int sys_set_linux_v2_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	uint32 oldqflags = 0;
+	struct v2_kern_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	if (bsize == dp->bsize) {
+		D.dqb_bsoftlimit = dp->softlimit;
+		D.dqb_bhardlimit = dp->hardlimit;
+		D.dqb_ihardlimit = dp->ihardlimit;
+		D.dqb_isoftlimit = dp->isoftlimit;
+	} else {
+		D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
+		D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
+		D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+		D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
+	}
+
+	qflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v2_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			ret = quotactl(QCMD(Q_V2_SETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D);
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v2_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			ret = quotactl(QCMD(Q_V2_SETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D);
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v2_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_v2_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_V2_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the generic Linux quota get calls.
+****************************************************************************/
+static int sys_get_linux_gen_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	struct if_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_gen_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_gen_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))&&errno != EDQUOT) {
+				return ret;
+			}
+
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_gen_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_linux_gen_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	dp->bsize = bsize;
+	dp->softlimit = (SMB_BIG_UINT)D.dqb_bsoftlimit;
+	dp->hardlimit = (SMB_BIG_UINT)D.dqb_bhardlimit;
+	dp->ihardlimit = (SMB_BIG_UINT)D.dqb_ihardlimit;
+	dp->isoftlimit = (SMB_BIG_UINT)D.dqb_isoftlimit;
+	dp->curinodes = (SMB_BIG_UINT)D.dqb_curinodes;
+	dp->curblocks = (SMB_BIG_UINT)D.dqb_curspace/bsize;
+
+
+	dp->qflags = qflags;
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the gen Linux quota set calls.
+****************************************************************************/
+static int sys_set_linux_gen_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	uint32 oldqflags = 0;
+	struct if_dqblk D;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)QUOTABLOCK_SIZE;
+
+	ZERO_STRUCT(D);
+
+	if (bsize == dp->bsize) {
+		D.dqb_bsoftlimit = dp->softlimit;
+		D.dqb_bhardlimit = dp->hardlimit;
+		D.dqb_ihardlimit = dp->ihardlimit;
+		D.dqb_isoftlimit = dp->isoftlimit;
+	} else {
+		D.dqb_bsoftlimit = (dp->softlimit*dp->bsize)/bsize;
+		D.dqb_bhardlimit = (dp->hardlimit*dp->bsize)/bsize;
+		D.dqb_ihardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+		D.dqb_isoftlimit = (dp->isoftlimit*dp->bsize)/bsize;
+	}
+	D.dqb_valid = QIF_LIMITS;
+
+	qflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_gen_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			ret = quotactl(QCMD(Q_SETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D);
+			break;
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_gen_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			ret = quotactl(QCMD(Q_SETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D);
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_gen_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_linux_gen_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret = quotactl(QCMD(Q_GETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D))==0) {
+				oldqflags |= QUOTAS_DENY_DISK;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the Linux quota get calls.
+****************************************************************************/
+int sys_get_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+
+	if (!path||!bdev||!dp)
+		smb_panic("sys_set_vfs_quota: called with NULL pointer");
+
+	ZERO_STRUCT(*dp);
+	dp->qtype = qtype;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+		case SMB_GROUP_QUOTA_TYPE:
+			if ((ret=sys_get_linux_gen_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+				if ((ret=sys_get_linux_v2_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+					if ((ret=sys_get_linux_v1_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+						return ret;
+					}
+				}
+			}
+
+			if ((dp->curblocks==0)&&
+				(dp->softlimit==0)&&
+				(dp->hardlimit==0)) {
+				/* the upper layer functions don't want empty quota records...*/
+				return -1;
+			}
+
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			id.uid = getuid();
+
+			if ((ret=sys_get_linux_gen_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+				if ((ret=sys_get_linux_v2_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+					ret=sys_get_linux_v1_quota(path, bdev, qtype, id, dp);
+				}
+			}
+
+			ret = 0;
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			id.gid = getgid();
+
+			if ((ret=sys_get_linux_gen_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+				if ((ret=sys_get_linux_v2_quota(path, bdev, qtype, id, dp))&&errno != EDQUOT) {
+					ret=sys_get_linux_v1_quota(path, bdev, qtype, id, dp);
+				}
+			}
+
+			ret = 0;
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the Linux quota set calls.
+****************************************************************************/
+int sys_set_vfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 oldqflags = 0;
+
+	if (!path||!bdev||!dp)
+		smb_panic("sys_set_vfs_quota: called with NULL pointer");
+
+	oldqflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+		case SMB_GROUP_QUOTA_TYPE:
+			if ((ret=sys_set_linux_gen_quota(path, bdev, qtype, id, dp))) {
+				if ((ret=sys_set_linux_v2_quota(path, bdev, qtype, id, dp))) {
+					if ((ret=sys_set_linux_v1_quota(path, bdev, qtype, id, dp))) {
+						return ret;
+					}
+				}
+			}
+			break;
+		case SMB_USER_FS_QUOTA_TYPE:
+			id.uid = getuid();
+
+			if ((ret=sys_set_linux_gen_quota(path, bdev, qtype, id, dp))) {
+				if ((ret=sys_set_linux_v2_quota(path, bdev, qtype, id, dp))) {
+					ret=sys_set_linux_v1_quota(path, bdev, qtype, id, dp);
+				}
+			}
+
+			if (oldqflags == dp->qflags) {
+				ret = 0;
+			} else {
+				ret = -1;
+			}
+			break;
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			id.gid = getgid();
+
+			if ((ret=sys_set_linux_gen_quota(path, bdev, qtype, id, dp))) {
+				if ((ret=sys_set_linux_v2_quota(path, bdev, qtype, id, dp))) {
+					ret=sys_set_linux_v1_quota(path, bdev, qtype, id, dp);
+				}
+			}
+
+			if (oldqflags == dp->qflags) {
+				ret = 0;
+			} else {
+				ret = -1;
+			}
+
+			break;
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+#else /* HAVE_QUOTACTL_LINUX */
+ void dummy_sysquotas_linux(void);
+
+ void dummy_sysquotas_linux(void){}
+#endif /* HAVE_QUOTACTL_LINUX */
diff --git a/source3/lib/sysquotas_xfs.c b/source3/lib/sysquotas_xfs.c
new file mode 100644
index 0000000000..30538c167b
--- /dev/null
+++ b/source3/lib/sysquotas_xfs.c
@@ -0,0 +1,336 @@
+/* 
+   Unix SMB/CIFS implementation.
+   System QUOTA function wrappers for XFS
+   Copyright (C) Stefan (metze) Metzmacher	2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_QUOTA
+
+#ifndef HAVE_SYS_QUOTAS
+#ifdef HAVE_XFS_QUOTAS
+#undef HAVE_XFS_QUOTAS
+#endif
+#endif
+
+#ifdef HAVE_XFS_QUOTAS
+
+#ifdef HAVE_LINUX_XFS_QUOTAS
+#include "samba_linux_quota.h"
+#ifdef HAVE_LINUX_DQBLK_XFS_H
+#include <linux/dqblk_xfs.h>
+#endif
+#define HAVE_GROUP_QUOTA
+#else /* IRIX */
+#include <sys/quota.h> 
+#endif
+
+/* on IRIX */
+#ifndef Q_XQUOTAON
+#define Q_XQUOTAON Q_QUOTAON
+#endif /* Q_XQUOTAON */
+#ifndef Q_XQUOTAOFF
+#define Q_XQUOTAOFF Q_QUOTAOFF
+#endif /* Q_XQUOTAOFF */
+#ifndef Q_XGETQSTAT
+#define Q_XGETQSTAT Q_GETQSTAT
+#endif /* Q_XGETQSTAT */
+
+/* currently doesn't support Group and Project quotas on IRIX 
+ */
+
+#ifndef QCMD
+#define QCMD(x,y) x
+#endif
+
+/*
+ * IRIX has BBSIZE in <sys/param.h>
+ */
+#ifndef BBSHIFT
+#define	BBSHIFT		9
+#endif /* BBSHIFT */
+#ifndef BBSIZE
+#define	BBSIZE		(1<<BBSHIFT)
+#endif /* BBSIZE */
+
+/****************************************************************************
+ Abstract out the XFS Quota Manager quota get call.
+****************************************************************************/
+int sys_get_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
+	struct fs_disk_quota D;
+	struct fs_quota_stat F;
+	ZERO_STRUCT(D);
+	ZERO_STRUCT(F);
+
+	if (!bdev||!dp)
+		smb_panic("sys_get_xfs_quota: called with NULL pointer");
+		
+	ZERO_STRUCT(*dp);
+	dp->qtype = qtype;
+		
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_get_xfs_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			if ((ret=quotactl(QCMD(Q_XGETQUOTA,USRQUOTA), bdev, id.uid, (caddr_t)&D)))
+				return ret;
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_get_xfs_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			if ((ret=quotactl(QCMD(Q_XGETQUOTA,GRPQUOTA), bdev, id.gid, (caddr_t)&D)))
+				return ret;
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_xfs_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (caddr_t)&F);
+
+			if (F.qs_flags & XFS_QUOTA_UDQ_ENFD) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+			else if (F.qs_flags & XFS_QUOTA_UDQ_ACCT) {
+				qflags |= QUOTAS_ENABLED;
+			}
+
+			ret = 0;
+
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_get_xfs_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			quotactl(QCMD(Q_XGETQSTAT,GRPQUOTA), bdev, -1, (caddr_t)&F);
+
+			if (F.qs_flags & XFS_QUOTA_GDQ_ENFD) {
+				qflags |= QUOTAS_DENY_DISK;
+			}
+			else if (F.qs_flags & XFS_QUOTA_GDQ_ACCT) {
+				qflags |= QUOTAS_ENABLED;
+			}
+
+			ret = 0;
+
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	dp->bsize = bsize;
+	dp->softlimit = (SMB_BIG_UINT)D.d_blk_softlimit;
+	dp->hardlimit = (SMB_BIG_UINT)D.d_blk_hardlimit;
+	dp->ihardlimit = (SMB_BIG_UINT)D.d_ino_hardlimit;
+	dp->isoftlimit = (SMB_BIG_UINT)D.d_ino_softlimit;
+	dp->curinodes = (SMB_BIG_UINT)D.d_icount;
+	dp->curblocks = (SMB_BIG_UINT)D.d_bcount;
+	dp->qflags = qflags;
+
+	return ret;
+}
+
+/****************************************************************************
+ Abstract out the XFS Quota Manager quota set call.
+****************************************************************************/
+int sys_set_xfs_quota(const char *path, const char *bdev, enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dp)
+{
+	int ret = -1;
+	uint32 qflags = 0;
+	SMB_BIG_UINT bsize = (SMB_BIG_UINT)BBSIZE;
+	struct fs_disk_quota D;
+	struct fs_quota_stat F;
+	int q_on = 0;
+	int q_off = 0;
+	ZERO_STRUCT(D);
+	ZERO_STRUCT(F);
+
+	if (!bdev||!dp)
+		smb_panic("sys_set_xfs_quota: called with NULL pointer");
+	
+	if (bsize == dp->bsize) {
+		D.d_blk_softlimit = dp->softlimit;
+		D.d_blk_hardlimit = dp->hardlimit;
+		D.d_ino_hardlimit = dp->ihardlimit;
+		D.d_ino_softlimit = dp->isoftlimit;
+	} else {
+		D.d_blk_softlimit = (dp->softlimit*dp->bsize)/bsize;
+		D.d_blk_hardlimit = (dp->hardlimit*dp->bsize)/bsize;
+		D.d_ino_hardlimit = (dp->ihardlimit*dp->bsize)/bsize;
+		D.d_ino_softlimit = (dp->isoftlimit*dp->bsize)/bsize;		
+	}
+
+	qflags = dp->qflags;
+
+	switch (qtype) {
+		case SMB_USER_QUOTA_TYPE:
+			DEBUG(10,("sys_set_xfs_quota: path[%s] bdev[%s] SMB_USER_QUOTA_TYPE uid[%u]\n",
+				path, bdev, (unsigned)id.uid));
+
+			D.d_fieldmask |= FS_DQ_LIMIT_MASK;
+			ret = quotactl(QCMD(Q_XSETQLIM,USRQUOTA), bdev, id.uid, (caddr_t)&D);
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_QUOTA_TYPE:
+			DEBUG(10,("sys_set_xfs_quota: path[%s] bdev[%s] SMB_GROUP_QUOTA_TYPE gid[%u]\n",
+				path, bdev, (unsigned)id.gid));
+
+			D.d_fieldmask |= FS_DQ_LIMIT_MASK;
+			ret = quotactl(QCMD(Q_XSETQLIM,GRPQUOTA), bdev, id.gid, (caddr_t)&D);
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		case SMB_USER_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_xfs_quota: path[%s] bdev[%s] SMB_USER_FS_QUOTA_TYPE (uid[%u])\n",
+				path, bdev, (unsigned)id.uid));
+
+			quotactl(QCMD(Q_XGETQSTAT,USRQUOTA), bdev, -1, (caddr_t)&F);
+			
+			if (qflags & QUOTAS_DENY_DISK) {
+				if (!(F.qs_flags & XFS_QUOTA_UDQ_ENFD))
+					q_on |= XFS_QUOTA_UDQ_ENFD;
+				if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
+					q_on |= XFS_QUOTA_UDQ_ACCT;
+				
+				if (q_on != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (caddr_t)&q_on);
+				} else {
+					ret = 0;
+				}
+
+			} else if (qflags & QUOTAS_ENABLED) {
+				if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
+					q_off |= XFS_QUOTA_UDQ_ENFD;
+
+				if (q_off != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (caddr_t)&q_off);
+				} else {
+					ret = 0;
+				}
+
+				if (!(F.qs_flags & XFS_QUOTA_UDQ_ACCT))
+					q_on |= XFS_QUOTA_UDQ_ACCT;
+
+				if (q_on != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAON,USRQUOTA),bdev, -1, (caddr_t)&q_on);
+				} else {
+					ret = 0;
+				}
+			} else {
+#if 0
+			/* Switch on XFS_QUOTA_UDQ_ACCT didn't work!
+			 * only swittching off XFS_QUOTA_UDQ_ACCT work
+			 */
+				if (F.qs_flags & XFS_QUOTA_UDQ_ENFD)
+					q_off |= XFS_QUOTA_UDQ_ENFD;
+				if (F.qs_flags & XFS_QUOTA_UDQ_ACCT)
+					q_off |= XFS_QUOTA_UDQ_ACCT;
+
+				if (q_off !=0) {
+					ret = quotactl(QCMD(Q_XQUOTAOFF,USRQUOTA),bdev, -1, (caddr_t)&q_off);
+				} else {
+					ret = 0;
+				}
+#else
+				ret = -1;
+#endif
+			}
+
+			break;
+#ifdef HAVE_GROUP_QUOTA
+		case SMB_GROUP_FS_QUOTA_TYPE:
+			DEBUG(10,("sys_set_xfs_quota: path[%s] bdev[%s] SMB_GROUP_FS_QUOTA_TYPE (gid[%u])\n",
+				path, bdev, (unsigned)id.gid));
+
+			quotactl(QCMD(Q_XGETQSTAT,GRPQUOTA), bdev, -1, (caddr_t)&F);
+			
+			if (qflags & QUOTAS_DENY_DISK) {
+				if (!(F.qs_flags & XFS_QUOTA_GDQ_ENFD))
+					q_on |= XFS_QUOTA_GDQ_ENFD;
+				if (!(F.qs_flags & XFS_QUOTA_GDQ_ACCT))
+					q_on |= XFS_QUOTA_GDQ_ACCT;
+				
+				if (q_on != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAON,GRPQUOTA),bdev, -1, (caddr_t)&q_on);
+				} else {
+					ret = 0;
+				}
+
+			} else if (qflags & QUOTAS_ENABLED) {
+				if (F.qs_flags & XFS_QUOTA_GDQ_ENFD)
+					q_off |= XFS_QUOTA_GDQ_ENFD;
+
+				if (q_off != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAOFF,GRPQUOTA),bdev, -1, (caddr_t)&q_off);
+				} else {
+					ret = 0;
+				}
+
+				if (!(F.qs_flags & XFS_QUOTA_GDQ_ACCT))
+					q_on |= XFS_QUOTA_GDQ_ACCT;
+
+				if (q_on != 0) {
+					ret = quotactl(QCMD(Q_XQUOTAON,GRPQUOTA),bdev, -1, (caddr_t)&q_on);
+				} else {
+					ret = 0;
+				}
+			} else {
+#if 0
+			/* Switch on XFS_QUOTA_UDQ_ACCT didn't work!
+			 * only swittching off XFS_QUOTA_UDQ_ACCT work
+			 */
+				if (F.qs_flags & XFS_QUOTA_GDQ_ENFD)
+					q_off |= XFS_QUOTA_GDQ_ENFD;
+				if (F.qs_flags & XFS_QUOTA_GDQ_ACCT)
+					q_off |= XFS_QUOTA_GDQ_ACCT;
+
+				if (q_off !=0) {
+					ret = quotactl(QCMD(Q_XQUOTAOFF,GRPQUOTA),bdev, -1, (caddr_t)&q_off);
+				} else {
+					ret = 0;
+				}
+#else
+				ret = -1;
+#endif
+			}
+
+			break;
+#endif /* HAVE_GROUP_QUOTA */
+		default:
+			errno = ENOSYS;
+			return -1;
+	}
+
+	return ret;
+}
+
+#else /* HAVE_XFS_QUOTAS */
+ void dummy_sysquotas_xfs(void);
+
+ void dummy_sysquotas_xfs(void){}
+#endif /* HAVE_XFS_QUOTAS */
diff --git a/source3/lib/system.c b/source3/lib/system.c
new file mode 100644
index 0000000000..eabb6d6dc4
--- /dev/null
+++ b/source3/lib/system.c
@@ -0,0 +1,2492 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba system utilities
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Jeremy Allison  1998-2005
+   Copyright (C) Timur Bakeyev        2005
+   Copyright (C) Bjoern Jacke    2006-2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
+
+/*
+   The idea is that this file will eventually have wrappers around all
+   important system calls in samba. The aims are:
+
+   - to enable easier porting by putting OS dependent stuff in here
+
+   - to allow for hooks into other "pseudo-filesystems"
+
+   - to allow easier integration of things like the japanese extensions
+
+   - to support the philosophy of Samba to expose the features of
+     the OS within the SMB model. In general whatever file/printer/variable
+     expansions/etc make sense to the OS should be acceptable to Samba.
+*/
+
+
+
+/*******************************************************************
+ A wrapper for memalign
+********************************************************************/
+
+void *sys_memalign( size_t align, size_t size )
+{
+#if defined(HAVE_POSIX_MEMALIGN)
+	void *p = NULL;
+	int ret = posix_memalign( &p, align, size );
+	if ( ret == 0 )
+		return p;
+		
+	return NULL;
+#elif defined(HAVE_MEMALIGN)
+	return memalign( align, size );
+#else
+	/* On *BSD systems memaligns doesn't exist, but memory will
+	 * be aligned on allocations of > pagesize. */
+#if defined(SYSCONF_SC_PAGESIZE)
+	size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
+#elif defined(HAVE_GETPAGESIZE)
+	size_t pagesize = (size_t)getpagesize();
+#else
+	size_t pagesize = (size_t)-1;
+#endif
+	if (pagesize == (size_t)-1) {
+		DEBUG(0,("memalign functionalaity not available on this platform!\n"));
+		return NULL;
+	}
+	if (size < pagesize) {
+		size = pagesize;
+	}
+	return SMB_MALLOC(size);
+#endif
+}
+
+/*******************************************************************
+ A wrapper for usleep in case we don't have one.
+********************************************************************/
+
+int sys_usleep(long usecs)
+{
+#ifndef HAVE_USLEEP
+	struct timeval tval;
+#endif
+
+	/*
+	 * We need this braindamage as the glibc usleep
+	 * is not SPEC1170 complient... grumble... JRA.
+	 */
+
+	if(usecs < 0 || usecs > 1000000) {
+		errno = EINVAL;
+		return -1;
+	}
+
+#if HAVE_USLEEP
+	usleep(usecs);
+	return 0;
+#else /* HAVE_USLEEP */
+	/*
+	 * Fake it with select...
+	 */
+	tval.tv_sec = 0;
+	tval.tv_usec = usecs/1000;
+	select(0,NULL,NULL,NULL,&tval);
+	return 0;
+#endif /* HAVE_USLEEP */
+}
+
+/*******************************************************************
+A read wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_read(int fd, void *buf, size_t count)
+{
+	ssize_t ret;
+
+	do {
+		ret = read(fd, buf, count);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A write wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_write(int fd, const void *buf, size_t count)
+{
+	ssize_t ret;
+
+	do {
+		ret = write(fd, buf, count);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A pread wrapper that will deal with EINTR and 64-bit file offsets.
+********************************************************************/
+
+#if defined(HAVE_PREAD) || defined(HAVE_PREAD64)
+ssize_t sys_pread(int fd, void *buf, size_t count, SMB_OFF_T off)
+{
+	ssize_t ret;
+
+	do {
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_PREAD64)
+		ret = pread64(fd, buf, count, off);
+#else
+		ret = pread(fd, buf, count, off);
+#endif
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+#endif
+
+/*******************************************************************
+A write wrapper that will deal with EINTR and 64-bit file offsets.
+********************************************************************/
+
+#if defined(HAVE_PWRITE) || defined(HAVE_PWRITE64)
+ssize_t sys_pwrite(int fd, const void *buf, size_t count, SMB_OFF_T off)
+{
+	ssize_t ret;
+
+	do {
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_PWRITE64)
+		ret = pwrite64(fd, buf, count, off);
+#else
+		ret = pwrite(fd, buf, count, off);
+#endif
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+#endif
+
+/*******************************************************************
+A send wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_send(int s, const void *msg, size_t len, int flags)
+{
+	ssize_t ret;
+
+	do {
+		ret = send(s, msg, len, flags);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A sendto wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_sendto(int s,  const void *msg, size_t len, int flags, const struct sockaddr *to, socklen_t tolen)
+{
+	ssize_t ret;
+
+	do {
+		ret = sendto(s, msg, len, flags, to, tolen);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A recv wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_recv(int fd, void *buf, size_t count, int flags)
+{
+	ssize_t ret;
+
+	do {
+		ret = recv(fd, buf, count, flags);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A recvfrom wrapper that will deal with EINTR.
+********************************************************************/
+
+ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
+{
+	ssize_t ret;
+
+	do {
+		ret = recvfrom(s, buf, len, flags, from, fromlen);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A fcntl wrapper that will deal with EINTR.
+********************************************************************/
+
+int sys_fcntl_ptr(int fd, int cmd, void *arg)
+{
+	int ret;
+
+	do {
+		ret = fcntl(fd, cmd, arg);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A fcntl wrapper that will deal with EINTR.
+********************************************************************/
+
+int sys_fcntl_long(int fd, int cmd, long arg)
+{
+	int ret;
+
+	do {
+		ret = fcntl(fd, cmd, arg);
+	} while (ret == -1 && errno == EINTR);
+	return ret;
+}
+
+/*******************************************************************
+A stat() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_stat(const char *fname,SMB_STRUCT_STAT *sbuf)
+{
+	int ret;
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_STAT64)
+	ret = stat64(fname, sbuf);
+#else
+	ret = stat(fname, sbuf);
+#endif
+	/* we always want directories to appear zero size */
+	if (ret == 0 && S_ISDIR(sbuf->st_mode)) sbuf->st_size = 0;
+	return ret;
+}
+
+/*******************************************************************
+ An fstat() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_fstat(int fd,SMB_STRUCT_STAT *sbuf)
+{
+	int ret;
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_FSTAT64)
+	ret = fstat64(fd, sbuf);
+#else
+	ret = fstat(fd, sbuf);
+#endif
+	/* we always want directories to appear zero size */
+	if (ret == 0 && S_ISDIR(sbuf->st_mode)) sbuf->st_size = 0;
+	return ret;
+}
+
+/*******************************************************************
+ An lstat() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_lstat(const char *fname,SMB_STRUCT_STAT *sbuf)
+{
+	int ret;
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_LSTAT64)
+	ret = lstat64(fname, sbuf);
+#else
+	ret = lstat(fname, sbuf);
+#endif
+	/* we always want directories to appear zero size */
+	if (ret == 0 && S_ISDIR(sbuf->st_mode)) sbuf->st_size = 0;
+	return ret;
+}
+
+/*******************************************************************
+ An ftruncate() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_ftruncate(int fd, SMB_OFF_T offset)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_FTRUNCATE64)
+	return ftruncate64(fd, offset);
+#else
+	return ftruncate(fd, offset);
+#endif
+}
+
+/*******************************************************************
+ An lseek() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+SMB_OFF_T sys_lseek(int fd, SMB_OFF_T offset, int whence)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OFF64_T) && defined(HAVE_LSEEK64)
+	return lseek64(fd, offset, whence);
+#else
+	return lseek(fd, offset, whence);
+#endif
+}
+
+/*******************************************************************
+ An fseek() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_fseek(FILE *fp, SMB_OFF_T offset, int whence)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(LARGE_SMB_OFF_T) && defined(HAVE_FSEEK64)
+	return fseek64(fp, offset, whence);
+#elif defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(LARGE_SMB_OFF_T) && defined(HAVE_FSEEKO64)
+	return fseeko64(fp, offset, whence);
+#else
+	return fseek(fp, offset, whence);
+#endif
+}
+
+/*******************************************************************
+ An ftell() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+SMB_OFF_T sys_ftell(FILE *fp)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(LARGE_SMB_OFF_T) && defined(HAVE_FTELL64)
+	return (SMB_OFF_T)ftell64(fp);
+#elif defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(LARGE_SMB_OFF_T) && defined(HAVE_FTELLO64)
+	return (SMB_OFF_T)ftello64(fp);
+#else
+	return (SMB_OFF_T)ftell(fp);
+#endif
+}
+
+/*******************************************************************
+ A creat() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_creat(const char *path, mode_t mode)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_CREAT64)
+	return creat64(path, mode);
+#else
+	/*
+	 * If creat64 isn't defined then ensure we call a potential open64.
+	 * JRA.
+	 */
+	return sys_open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
+#endif
+}
+
+/*******************************************************************
+ An open() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_open(const char *path, int oflag, mode_t mode)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OPEN64)
+	return open64(path, oflag, mode);
+#else
+	return open(path, oflag, mode);
+#endif
+}
+
+/*******************************************************************
+ An fopen() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+FILE *sys_fopen(const char *path, const char *type)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_FOPEN64)
+	return fopen64(path, type);
+#else
+	return fopen(path, type);
+#endif
+}
+
+
+/*******************************************************************
+ A flock() wrapper that will perform the kernel flock.
+********************************************************************/
+
+void kernel_flock(int fd, uint32 share_mode)
+{
+#if HAVE_KERNEL_SHARE_MODES
+	int kernel_mode = 0;
+	if (share_mode == FILE_SHARE_WRITE) {
+		kernel_mode = LOCK_MAND|LOCK_WRITE;
+	} else if (share_mode == FILE_SHARE_READ) {
+		kernel_mode = LOCK_MAND|LOCK_READ;
+	} else if (share_mode == FILE_SHARE_NONE) {
+		kernel_mode = LOCK_MAND;
+	}
+	if (kernel_mode) {
+		flock(fd, kernel_mode);
+	}
+#endif
+	;
+}
+
+
+
+/*******************************************************************
+ An opendir wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+SMB_STRUCT_DIR *sys_opendir(const char *name)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_OPENDIR64)
+	return opendir64(name);
+#else
+	return opendir(name);
+#endif
+}
+
+/*******************************************************************
+ A readdir wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+SMB_STRUCT_DIRENT *sys_readdir(SMB_STRUCT_DIR *dirp)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_READDIR64)
+	return readdir64(dirp);
+#else
+	return readdir(dirp);
+#endif
+}
+
+/*******************************************************************
+ A seekdir wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+void sys_seekdir(SMB_STRUCT_DIR *dirp, long offset)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_SEEKDIR64)
+	seekdir64(dirp, offset);
+#else
+	seekdir(dirp, offset);
+#endif
+}
+
+/*******************************************************************
+ A telldir wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+long sys_telldir(SMB_STRUCT_DIR *dirp)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_TELLDIR64)
+	return (long)telldir64(dirp);
+#else
+	return (long)telldir(dirp);
+#endif
+}
+
+/*******************************************************************
+ A rewinddir wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+void sys_rewinddir(SMB_STRUCT_DIR *dirp)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_REWINDDIR64)
+	rewinddir64(dirp);
+#else
+	rewinddir(dirp);
+#endif
+}
+
+/*******************************************************************
+ A close wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_closedir(SMB_STRUCT_DIR *dirp)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_CLOSEDIR64)
+	return closedir64(dirp);
+#else
+	return closedir(dirp);
+#endif
+}
+
+/*******************************************************************
+ An mknod() wrapper that will deal with 64 bit filesizes.
+********************************************************************/
+
+int sys_mknod(const char *path, mode_t mode, SMB_DEV_T dev)
+{
+#if defined(HAVE_MKNOD) || defined(HAVE_MKNOD64)
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_MKNOD64) && defined(HAVE_DEV64_T)
+	return mknod64(path, mode, dev);
+#else
+	return mknod(path, mode, dev);
+#endif
+#else
+	/* No mknod system call. */
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ Wrapper for realpath.
+********************************************************************/
+
+char *sys_realpath(const char *path, char *resolved_path)
+{
+#if defined(HAVE_REALPATH)
+	return realpath(path, resolved_path);
+#else
+	/* As realpath is not a system call we can't return ENOSYS. */
+	errno = EINVAL;
+	return NULL;
+#endif
+}
+
+/*******************************************************************
+The wait() calls vary between systems
+********************************************************************/
+
+int sys_waitpid(pid_t pid,int *status,int options)
+{
+#ifdef HAVE_WAITPID
+	return waitpid(pid,status,options);
+#else /* HAVE_WAITPID */
+	return wait4(pid, status, options, NULL);
+#endif /* HAVE_WAITPID */
+}
+
+/*******************************************************************
+ System wrapper for getwd
+********************************************************************/
+
+char *sys_getwd(char *s)
+{
+	char *wd;
+#ifdef HAVE_GETCWD
+	wd = (char *)getcwd(s, PATH_MAX);
+#else
+	wd = (char *)getwd(s);
+#endif
+	return wd;
+}
+
+/*******************************************************************
+system wrapper for symlink
+********************************************************************/
+
+int sys_symlink(const char *oldpath, const char *newpath)
+{
+#ifndef HAVE_SYMLINK
+	errno = ENOSYS;
+	return -1;
+#else
+	return symlink(oldpath, newpath);
+#endif
+}
+
+/*******************************************************************
+system wrapper for readlink
+********************************************************************/
+
+int sys_readlink(const char *path, char *buf, size_t bufsiz)
+{
+#ifndef HAVE_READLINK
+	errno = ENOSYS;
+	return -1;
+#else
+	return readlink(path, buf, bufsiz);
+#endif
+}
+
+/*******************************************************************
+system wrapper for link
+********************************************************************/
+
+int sys_link(const char *oldpath, const char *newpath)
+{
+#ifndef HAVE_LINK
+	errno = ENOSYS;
+	return -1;
+#else
+	return link(oldpath, newpath);
+#endif
+}
+
+/*******************************************************************
+chown isn't used much but OS/2 doesn't have it
+********************************************************************/
+
+int sys_chown(const char *fname,uid_t uid,gid_t gid)
+{
+#ifndef HAVE_CHOWN
+	static int done;
+	if (!done) {
+		DEBUG(1,("WARNING: no chown!\n"));
+		done=1;
+	}
+	errno = ENOSYS;
+	return -1;
+#else
+	return(chown(fname,uid,gid));
+#endif
+}
+
+/*******************************************************************
+ Wrapper for lchown.
+********************************************************************/
+
+int sys_lchown(const char *fname,uid_t uid,gid_t gid)
+{
+#ifndef HAVE_LCHOWN
+	static int done;
+	if (!done) {
+		DEBUG(1,("WARNING: no lchown!\n"));
+		done=1;
+	}
+	errno = ENOSYS;
+	return -1;
+#else
+	return(lchown(fname,uid,gid));
+#endif
+}
+
+/*******************************************************************
+os/2 also doesn't have chroot
+********************************************************************/
+int sys_chroot(const char *dname)
+{
+#ifndef HAVE_CHROOT
+	static int done;
+	if (!done) {
+		DEBUG(1,("WARNING: no chroot!\n"));
+		done=1;
+	}
+	errno = ENOSYS;
+	return -1;
+#else
+	return(chroot(dname));
+#endif
+}
+
+#if defined(HAVE_POSIX_CAPABILITIES)
+
+/**************************************************************************
+ Try and abstract process capabilities (for systems that have them).
+****************************************************************************/
+
+/* Set the POSIX capabilities needed for the given purpose into the effective
+ * capability set of the current process. Make sure they are always removed
+ * from the inheritable set, because there is no circumstance in which our
+ * children should inherit our elevated privileges.
+ */
+static bool set_process_capability(enum smbd_capability capability,
+				   bool enable)
+{
+	cap_value_t cap_vals[2] = {0};
+	int num_cap_vals = 0;
+
+	cap_t cap;
+
+#if defined(HAVE_PRCTL) && defined(PR_GET_KEEPCAPS) && defined(PR_SET_KEEPCAPS)
+	/* On Linux, make sure that any capabilities we grab are sticky
+	 * across UID changes. We expect that this would allow us to keep both
+	 * the effective and permitted capability sets, but as of circa 2.6.16,
+	 * only the permitted set is kept. It is a bug (which we work around)
+	 * that the effective set is lost, but we still require the effective
+	 * set to be kept.
+	 */
+	if (!prctl(PR_GET_KEEPCAPS)) {
+		prctl(PR_SET_KEEPCAPS, 1);
+	}
+#endif
+
+	cap = cap_get_proc();
+	if (cap == NULL) {
+		DEBUG(0,("set_process_capability: cap_get_proc failed: %s\n",
+			strerror(errno)));
+		return False;
+	}
+
+	switch (capability) {
+		case KERNEL_OPLOCK_CAPABILITY:
+#ifdef CAP_NETWORK_MGT
+			/* IRIX has CAP_NETWORK_MGT for oplocks. */
+			cap_vals[num_cap_vals++] = CAP_NETWORK_MGT;
+#endif
+			break;
+		case DMAPI_ACCESS_CAPABILITY:
+#ifdef CAP_DEVICE_MGT
+			/* IRIX has CAP_DEVICE_MGT for DMAPI access. */
+			cap_vals[num_cap_vals++] = CAP_DEVICE_MGT;
+#elif CAP_MKNOD
+			/* Linux has CAP_MKNOD for DMAPI access. */
+			cap_vals[num_cap_vals++] = CAP_MKNOD;
+#endif
+			break;
+		case LEASE_CAPABILITY:
+#ifdef CAP_LEASE
+			cap_vals[num_cap_vals++] = CAP_LEASE;
+#endif
+			break;
+	}
+
+	SMB_ASSERT(num_cap_vals <= ARRAY_SIZE(cap_vals));
+
+	if (num_cap_vals == 0) {
+		cap_free(cap);
+		return True;
+	}
+
+	cap_set_flag(cap, CAP_EFFECTIVE, num_cap_vals, cap_vals,
+		enable ? CAP_SET : CAP_CLEAR);
+
+	/* We never want to pass capabilities down to our children, so make
+	 * sure they are not inherited.
+	 */
+	cap_set_flag(cap, CAP_INHERITABLE, num_cap_vals, cap_vals, CAP_CLEAR);
+
+	if (cap_set_proc(cap) == -1) {
+		DEBUG(0, ("set_process_capability: cap_set_proc failed: %s\n",
+			strerror(errno)));
+		cap_free(cap);
+		return False;
+	}
+
+	cap_free(cap);
+	return True;
+}
+
+#endif /* HAVE_POSIX_CAPABILITIES */
+
+/****************************************************************************
+ Gain the oplock capability from the kernel if possible.
+****************************************************************************/
+
+void set_effective_capability(enum smbd_capability capability)
+{
+#if defined(HAVE_POSIX_CAPABILITIES)
+	set_process_capability(capability, True);
+#endif /* HAVE_POSIX_CAPABILITIES */
+}
+
+void drop_effective_capability(enum smbd_capability capability)
+{
+#if defined(HAVE_POSIX_CAPABILITIES)
+	set_process_capability(capability, False);
+#endif /* HAVE_POSIX_CAPABILITIES */
+}
+
+/**************************************************************************
+ Wrapper for random().
+****************************************************************************/
+
+long sys_random(void)
+{
+#if defined(HAVE_RANDOM)
+	return (long)random();
+#elif defined(HAVE_RAND)
+	return (long)rand();
+#else
+	DEBUG(0,("Error - no random function available !\n"));
+	exit(1);
+#endif
+}
+
+/**************************************************************************
+ Wrapper for srandom().
+****************************************************************************/
+
+void sys_srandom(unsigned int seed)
+{
+#if defined(HAVE_SRANDOM)
+	srandom(seed);
+#elif defined(HAVE_SRAND)
+	srand(seed);
+#else
+	DEBUG(0,("Error - no srandom function available !\n"));
+	exit(1);
+#endif
+}
+
+/**************************************************************************
+ Returns equivalent to NGROUPS_MAX - using sysconf if needed.
+****************************************************************************/
+
+int groups_max(void)
+{
+#if defined(SYSCONF_SC_NGROUPS_MAX)
+	int ret = sysconf(_SC_NGROUPS_MAX);
+	return (ret == -1) ? NGROUPS_MAX : ret;
+#else
+	return NGROUPS_MAX;
+#endif
+}
+
+/**************************************************************************
+ Wrap setgroups and getgroups for systems that declare getgroups() as
+ returning an array of gid_t, but actuall return an array of int.
+****************************************************************************/
+
+#if defined(HAVE_BROKEN_GETGROUPS)
+static int sys_broken_getgroups(int setlen, gid_t *gidset)
+{
+	GID_T gid;
+	GID_T *group_list;
+	int i, ngroups;
+
+	if(setlen == 0) {
+		return getgroups(setlen, &gid);
+	}
+
+	/*
+	 * Broken case. We need to allocate a
+	 * GID_T array of size setlen.
+	 */
+
+	if(setlen < 0) {
+		errno = EINVAL; 
+		return -1;
+	} 
+
+	if (setlen == 0)
+		setlen = groups_max();
+
+	if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) {
+		DEBUG(0,("sys_getgroups: Malloc fail.\n"));
+		return -1;
+	}
+
+	if((ngroups = getgroups(setlen, group_list)) < 0) {
+		int saved_errno = errno;
+		SAFE_FREE(group_list);
+		errno = saved_errno;
+		return -1;
+	}
+
+	for(i = 0; i < ngroups; i++)
+		gidset[i] = (gid_t)group_list[i];
+
+	SAFE_FREE(group_list);
+	return ngroups;
+}
+
+static int sys_broken_setgroups(int setlen, gid_t *gidset)
+{
+	GID_T *group_list;
+	int i ; 
+
+	if (setlen == 0)
+		return 0 ;
+
+	if (setlen < 0 || setlen > groups_max()) {
+		errno = EINVAL; 
+		return -1;   
+	}
+
+	/*
+	 * Broken case. We need to allocate a
+	 * GID_T array of size setlen.
+	 */
+
+	if((group_list = SMB_MALLOC_ARRAY(GID_T, setlen)) == NULL) {
+		DEBUG(0,("sys_setgroups: Malloc fail.\n"));
+		return -1;    
+	}
+ 
+	for(i = 0; i < setlen; i++) 
+		group_list[i] = (GID_T) gidset[i]; 
+
+	if(setgroups(setlen, group_list) != 0) {
+		int saved_errno = errno;
+		SAFE_FREE(group_list);
+		errno = saved_errno;
+		return -1;
+	}
+ 
+	SAFE_FREE(group_list);
+	return 0 ;
+}
+
+#endif /* HAVE_BROKEN_GETGROUPS */
+
+/* This is a list of systems that require the first GID passed to setgroups(2)
+ * to be the effective GID. If your system is one of these, add it here.
+ */
+#if defined (FREEBSD) || defined (DARWINOS)
+#define USE_BSD_SETGROUPS
+#endif
+
+#if defined(USE_BSD_SETGROUPS)
+/* Depending on the particular BSD implementation, the first GID that is
+ * passed to setgroups(2) will either be ignored or will set the credential's
+ * effective GID. In either case, the right thing to do is to guarantee that
+ * gidset[0] is the effective GID.
+ */
+static int sys_bsd_setgroups(gid_t primary_gid, int setlen, const gid_t *gidset)
+{
+	gid_t *new_gidset = NULL;
+	int max;
+	int ret;
+
+	/* setgroups(2) will fail with EINVAL if we pass too many groups. */
+	max = groups_max();
+
+	/* No group list, just make sure we are setting the efective GID. */
+	if (setlen == 0) {
+		return setgroups(1, &primary_gid);
+	}
+
+	/* If the primary gid is not the first array element, grow the array
+	 * and insert it at the front.
+	 */
+	if (gidset[0] != primary_gid) {
+	        new_gidset = SMB_MALLOC_ARRAY(gid_t, setlen + 1);
+	        if (new_gidset == NULL) {
+			return -1;
+	        }
+
+		memcpy(new_gidset + 1, gidset, (setlen * sizeof(gid_t)));
+		new_gidset[0] = primary_gid;
+		setlen++;
+	}
+
+	if (setlen > max) {
+		DEBUG(3, ("forced to truncate group list from %d to %d\n",
+			setlen, max));
+		setlen = max;
+	}
+
+#if defined(HAVE_BROKEN_GETGROUPS)
+	ret = sys_broken_setgroups(setlen, new_gidset ? new_gidset : gidset);
+#else
+	ret = setgroups(setlen, new_gidset ? new_gidset : gidset);
+#endif
+
+	if (new_gidset) {
+		int errsav = errno;
+		SAFE_FREE(new_gidset);
+		errno = errsav;
+	}
+
+	return ret;
+}
+
+#endif /* USE_BSD_SETGROUPS */
+
+/**************************************************************************
+ Wrapper for getgroups. Deals with broken (int) case.
+****************************************************************************/
+
+int sys_getgroups(int setlen, gid_t *gidset)
+{
+#if defined(HAVE_BROKEN_GETGROUPS)
+	return sys_broken_getgroups(setlen, gidset);
+#else
+	return getgroups(setlen, gidset);
+#endif
+}
+
+/**************************************************************************
+ Wrapper for setgroups. Deals with broken (int) case and BSD case.
+****************************************************************************/
+
+int sys_setgroups(gid_t UNUSED(primary_gid), int setlen, gid_t *gidset)
+{
+#if !defined(HAVE_SETGROUPS)
+	errno = ENOSYS;
+	return -1;
+#endif /* HAVE_SETGROUPS */
+
+#if defined(USE_BSD_SETGROUPS)
+	return sys_bsd_setgroups(primary_gid, setlen, gidset);
+#elif defined(HAVE_BROKEN_GETGROUPS)
+	return sys_broken_setgroups(setlen, gidset);
+#else
+	return setgroups(setlen, gidset);
+#endif
+}
+
+/**************************************************************************
+ Wrappers for setpwent(), getpwent() and endpwent()
+****************************************************************************/
+
+void sys_setpwent(void)
+{
+	setpwent();
+}
+
+struct passwd *sys_getpwent(void)
+{
+	return getpwent();
+}
+
+void sys_endpwent(void)
+{
+	endpwent();
+}
+
+/**************************************************************************
+ Wrappers for getpwnam(), getpwuid(), getgrnam(), getgrgid()
+****************************************************************************/
+
+
+struct passwd *sys_getpwnam(const char *name)
+{
+	return getpwnam(name);
+}
+
+struct passwd *sys_getpwuid(uid_t uid)
+{
+	return getpwuid(uid);
+}
+
+struct group *sys_getgrnam(const char *name)
+{
+	return getgrnam(name);
+}
+
+struct group *sys_getgrgid(gid_t gid)
+{
+	return getgrgid(gid);
+}
+
+/**************************************************************************
+ Extract a command into an arg list.
+****************************************************************************/
+
+static char **extract_args(TALLOC_CTX *mem_ctx, const char *command)
+{
+	char *trunc_cmd;
+	char *saveptr;
+	char *ptr;
+	int argcl;
+	char **argl = NULL;
+	int i;
+
+	if (!(trunc_cmd = talloc_strdup(mem_ctx, command))) {
+		DEBUG(0, ("talloc failed\n"));
+		goto nomem;
+	}
+
+	if(!(ptr = strtok_r(trunc_cmd, " \t", &saveptr))) {
+		TALLOC_FREE(trunc_cmd);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	/*
+	 * Count the args.
+	 */
+
+	for( argcl = 1; ptr; ptr = strtok_r(NULL, " \t", &saveptr))
+		argcl++;
+
+	TALLOC_FREE(trunc_cmd);
+
+	if (!(argl = TALLOC_ARRAY(mem_ctx, char *, argcl + 1))) {
+		goto nomem;
+	}
+
+	/*
+	 * Now do the extraction.
+	 */
+
+	if (!(trunc_cmd = talloc_strdup(mem_ctx, command))) {
+		goto nomem;
+	}
+
+	ptr = strtok_r(trunc_cmd, " \t", &saveptr);
+	i = 0;
+
+	if (!(argl[i++] = talloc_strdup(argl, ptr))) {
+		goto nomem;
+	}
+
+	while((ptr = strtok_r(NULL, " \t", &saveptr)) != NULL) {
+
+		if (!(argl[i++] = talloc_strdup(argl, ptr))) {
+			goto nomem;
+		}
+	}
+
+	argl[i++] = NULL;
+	return argl;
+
+ nomem:
+	DEBUG(0, ("talloc failed\n"));
+	TALLOC_FREE(trunc_cmd);
+	TALLOC_FREE(argl);
+	errno = ENOMEM;
+	return NULL;
+}
+
+/**************************************************************************
+ Wrapper for fork. Ensures that mypid is reset. Used so we can write
+ a sys_getpid() that only does a system call *once*.
+****************************************************************************/
+
+static pid_t mypid = (pid_t)-1;
+
+pid_t sys_fork(void)
+{
+	pid_t forkret = fork();
+
+	if (forkret == (pid_t)0) /* Child - reset mypid so sys_getpid does a system call. */
+		mypid = (pid_t) -1;
+
+	return forkret;
+}
+
+/**************************************************************************
+ Wrapper for getpid. Ensures we only do a system call *once*.
+****************************************************************************/
+
+pid_t sys_getpid(void)
+{
+	if (mypid == (pid_t)-1)
+		mypid = getpid();
+
+	return mypid;
+}
+
+/**************************************************************************
+ Wrapper for popen. Safer as it doesn't search a path.
+ Modified from the glibc sources.
+ modified by tridge to return a file descriptor. We must kick our FILE* habit
+****************************************************************************/
+
+typedef struct _popen_list
+{
+	int fd;
+	pid_t child_pid;
+	struct _popen_list *next;
+} popen_list;
+
+static popen_list *popen_chain;
+
+int sys_popen(const char *command)
+{
+	int parent_end, child_end;
+	int pipe_fds[2];
+	popen_list *entry = NULL;
+	char **argl = NULL;
+
+	if (pipe(pipe_fds) < 0)
+		return -1;
+
+	parent_end = pipe_fds[0];
+	child_end = pipe_fds[1];
+
+	if (!*command) {
+		errno = EINVAL;
+		goto err_exit;
+	}
+
+	if((entry = SMB_MALLOC_P(popen_list)) == NULL)
+		goto err_exit;
+
+	ZERO_STRUCTP(entry);
+
+	/*
+	 * Extract the command and args into a NULL terminated array.
+	 */
+
+	if(!(argl = extract_args(NULL, command)))
+		goto err_exit;
+
+	entry->child_pid = sys_fork();
+
+	if (entry->child_pid == -1) {
+		goto err_exit;
+	}
+
+	if (entry->child_pid == 0) {
+
+		/*
+		 * Child !
+		 */
+
+		int child_std_end = STDOUT_FILENO;
+		popen_list *p;
+
+		close(parent_end);
+		if (child_end != child_std_end) {
+			dup2 (child_end, child_std_end);
+			close (child_end);
+		}
+
+		/*
+		 * POSIX.2:  "popen() shall ensure that any streams from previous
+		 * popen() calls that remain open in the parent process are closed
+		 * in the new child process."
+		 */
+
+		for (p = popen_chain; p; p = p->next)
+			close(p->fd);
+
+		execv(argl[0], argl);
+		_exit (127);
+	}
+
+	/*
+	 * Parent.
+	 */
+
+	close (child_end);
+	TALLOC_FREE(argl);
+
+	/* Link into popen_chain. */
+	entry->next = popen_chain;
+	popen_chain = entry;
+	entry->fd = parent_end;
+
+	return entry->fd;
+
+err_exit:
+
+	SAFE_FREE(entry);
+	SAFE_FREE(argl);
+	close(pipe_fds[0]);
+	close(pipe_fds[1]);
+	return -1;
+}
+
+/**************************************************************************
+ Wrapper for pclose. Modified from the glibc sources.
+****************************************************************************/
+
+int sys_pclose(int fd)
+{
+	int wstatus;
+	popen_list **ptr = &popen_chain;
+	popen_list *entry = NULL;
+	pid_t wait_pid;
+	int status = -1;
+
+	/* Unlink from popen_chain. */
+	for ( ; *ptr != NULL; ptr = &(*ptr)->next) {
+		if ((*ptr)->fd == fd) {
+			entry = *ptr;
+			*ptr = (*ptr)->next;
+			status = 0;
+			break;
+		}
+	}
+
+	if (status < 0 || close(entry->fd) < 0)
+		return -1;
+
+	/*
+	 * As Samba is catching and eating child process
+	 * exits we don't really care about the child exit
+	 * code, a -1 with errno = ECHILD will do fine for us.
+	 */
+
+	do {
+		wait_pid = sys_waitpid (entry->child_pid, &wstatus, 0);
+	} while (wait_pid == -1 && errno == EINTR);
+
+	SAFE_FREE(entry);
+
+	if (wait_pid == -1)
+		return -1;
+	return wstatus;
+}
+
+/**************************************************************************
+ Wrappers for dlopen, dlsym, dlclose.
+****************************************************************************/
+
+void *sys_dlopen(const char *name, int flags)
+{
+#if defined(HAVE_DLOPEN)
+	return dlopen(name, flags);
+#else
+	return NULL;
+#endif
+}
+
+void *sys_dlsym(void *handle, const char *symbol)
+{
+#if defined(HAVE_DLSYM)
+    return dlsym(handle, symbol);
+#else
+    return NULL;
+#endif
+}
+
+int sys_dlclose (void *handle)
+{
+#if defined(HAVE_DLCLOSE)
+	return dlclose(handle);
+#else
+	return 0;
+#endif
+}
+
+const char *sys_dlerror(void)
+{
+#if defined(HAVE_DLERROR)
+	return dlerror();
+#else
+	return NULL;
+#endif
+}
+
+int sys_dup2(int oldfd, int newfd) 
+{
+#if defined(HAVE_DUP2)
+	return dup2(oldfd, newfd);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/**************************************************************************
+ Wrapper for Admin Logs.
+****************************************************************************/
+
+ void sys_adminlog(int priority, const char *format_str, ...) 
+{
+	va_list ap;
+	int ret;
+	char *msgbuf = NULL;
+
+	va_start( ap, format_str );
+	ret = vasprintf( &msgbuf, format_str, ap );
+	va_end( ap );
+
+	if (ret == -1)
+		return;
+
+#if defined(HAVE_SYSLOG)
+	syslog( priority, "%s", msgbuf );
+#else
+	DEBUG(0,("%s", msgbuf ));
+#endif
+	SAFE_FREE(msgbuf);
+}
+
+/******** Solaris EA helper function prototypes ********/
+#ifdef HAVE_ATTROPEN
+#define SOLARIS_ATTRMODE S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP
+static int solaris_write_xattr(int attrfd, const char *value, size_t size);
+static ssize_t solaris_read_xattr(int attrfd, void *value, size_t size);
+static ssize_t solaris_list_xattr(int attrdirfd, char *list, size_t size);
+static int solaris_unlinkat(int attrdirfd, const char *name);
+static int solaris_attropen(const char *path, const char *attrpath, int oflag, mode_t mode);
+static int solaris_openat(int fildes, const char *path, int oflag, mode_t mode);
+#endif
+
+/**************************************************************************
+ Wrappers for extented attribute calls. Based on the Linux package with
+ support for IRIX and (Net|Free)BSD also. Expand as other systems have them.
+****************************************************************************/
+
+ssize_t sys_getxattr (const char *path, const char *name, void *value, size_t size)
+{
+#if defined(HAVE_GETXATTR)
+#ifndef XATTR_ADD_OPT
+	return getxattr(path, name, value, size);
+#else
+	int options = 0;
+	return getxattr(path, name, value, size, 0, options);
+#endif
+#elif defined(HAVE_GETEA)
+	return getea(path, name, value, size);
+#elif defined(HAVE_EXTATTR_GET_FILE)
+	char *s;
+	ssize_t retval;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+	/*
+	 * The BSD implementation has a nasty habit of silently truncating
+	 * the returned value to the size of the buffer, so we have to check
+	 * that the buffer is large enough to fit the returned value.
+	 */
+	if((retval=extattr_get_file(path, attrnamespace, attrname, NULL, 0)) >= 0) {
+		if(retval > size) {
+			errno = ERANGE;
+			return -1;
+		}
+		if((retval=extattr_get_file(path, attrnamespace, attrname, value, size)) >= 0)
+			return retval;
+	}
+
+	DEBUG(10,("sys_getxattr: extattr_get_file() failed with: %s\n", strerror(errno)));
+	return -1;
+#elif defined(HAVE_ATTR_GET)
+	int retval, flags = 0;
+	int valuelength = (int)size;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	retval = attr_get(path, attrname, (char *)value, &valuelength, flags);
+
+	return retval ? retval : valuelength;
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrfd = solaris_attropen(path, name, O_RDONLY, 0);
+	if (attrfd >= 0) {
+		ret = solaris_read_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+ssize_t sys_lgetxattr (const char *path, const char *name, void *value, size_t size)
+{
+#if defined(HAVE_LGETXATTR)
+	return lgetxattr(path, name, value, size);
+#elif defined(HAVE_GETXATTR) && defined(XATTR_ADD_OPT)
+	int options = XATTR_NOFOLLOW;
+	return getxattr(path, name, value, size, 0, options);
+#elif defined(HAVE_LGETEA)
+	return lgetea(path, name, value, size);
+#elif defined(HAVE_EXTATTR_GET_LINK)
+	char *s;
+	ssize_t retval;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+
+	if((retval=extattr_get_link(path, attrnamespace, attrname, NULL, 0)) >= 0) {
+		if(retval > size) {
+			errno = ERANGE;
+			return -1;
+		}
+		if((retval=extattr_get_link(path, attrnamespace, attrname, value, size)) >= 0)
+			return retval;
+	}
+	
+	DEBUG(10,("sys_lgetxattr: extattr_get_link() failed with: %s\n", strerror(errno)));
+	return -1;
+#elif defined(HAVE_ATTR_GET)
+	int retval, flags = ATTR_DONTFOLLOW;
+	int valuelength = (int)size;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	retval = attr_get(path, attrname, (char *)value, &valuelength, flags);
+
+	return retval ? retval : valuelength;
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrfd = solaris_attropen(path, name, O_RDONLY|AT_SYMLINK_NOFOLLOW, 0);
+	if (attrfd >= 0) {
+		ret = solaris_read_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+ssize_t sys_fgetxattr (int filedes, const char *name, void *value, size_t size)
+{
+#if defined(HAVE_FGETXATTR)
+#ifndef XATTR_ADD_OPT
+	return fgetxattr(filedes, name, value, size);
+#else
+	int options = 0;
+	return fgetxattr(filedes, name, value, size, 0, options);
+#endif
+#elif defined(HAVE_FGETEA)
+	return fgetea(filedes, name, value, size);
+#elif defined(HAVE_EXTATTR_GET_FD)
+	char *s;
+	ssize_t retval;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+
+	if((retval=extattr_get_fd(filedes, attrnamespace, attrname, NULL, 0)) >= 0) {
+		if(retval > size) {
+			errno = ERANGE;
+			return -1;
+		}
+		if((retval=extattr_get_fd(filedes, attrnamespace, attrname, value, size)) >= 0)
+			return retval;
+	}
+	
+	DEBUG(10,("sys_fgetxattr: extattr_get_fd() failed with: %s\n", strerror(errno)));
+	return -1;
+#elif defined(HAVE_ATTR_GETF)
+	int retval, flags = 0;
+	int valuelength = (int)size;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	retval = attr_getf(filedes, attrname, (char *)value, &valuelength, flags);
+
+	return retval ? retval : valuelength;
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrfd = solaris_openat(filedes, name, O_RDONLY|O_XATTR, 0);
+	if (attrfd >= 0) {
+		ret = solaris_read_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+#if defined(HAVE_EXTATTR_LIST_FILE)
+
+#define EXTATTR_PREFIX(s)	(s), (sizeof((s))-1)
+
+static struct {
+        int space;
+	const char *name;
+	size_t len;
+} 
+extattr[] = {
+	{ EXTATTR_NAMESPACE_SYSTEM, EXTATTR_PREFIX("system.") },
+        { EXTATTR_NAMESPACE_USER, EXTATTR_PREFIX("user.") },
+};
+
+typedef union {
+	const char *path;
+	int filedes;
+} extattr_arg;
+
+static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size)
+{
+	ssize_t list_size, total_size = 0;
+	int i, t, len;
+	char *buf;
+	/* Iterate through extattr(2) namespaces */
+	for(t = 0; t < (sizeof(extattr)/sizeof(extattr[0])); t++) {
+		switch(type) {
+#if defined(HAVE_EXTATTR_LIST_FILE)
+			case 0:
+				list_size = extattr_list_file(arg.path, extattr[t].space, list, size);
+				break;
+#endif
+#if defined(HAVE_EXTATTR_LIST_LINK)
+			case 1:
+				list_size = extattr_list_link(arg.path, extattr[t].space, list, size);
+				break;
+#endif
+#if defined(HAVE_EXTATTR_LIST_FD)
+			case 2:
+				list_size = extattr_list_fd(arg.filedes, extattr[t].space, list, size);
+				break;
+#endif
+			default:
+				errno = ENOSYS;
+				return -1;
+		}
+		/* Some error happend. Errno should be set by the previous call */
+		if(list_size < 0)
+			return -1;
+		/* No attributes */
+		if(list_size == 0)
+			continue;
+		/* XXX: Call with an empty buffer may be used to calculate
+		   necessary buffer size. Unfortunately, we can't say, how
+		   many attributes were returned, so here is the potential
+		   problem with the emulation.
+		*/
+		if(list == NULL) {
+			/* Take the worse case of one char attribute names - 
+			   two bytes per name plus one more for sanity.
+			*/
+			total_size += list_size + (list_size/2 + 1)*extattr[t].len;
+			continue;
+		}
+		/* Count necessary offset to fit namespace prefixes */
+		len = 0;
+		for(i = 0; i < list_size; i += list[i] + 1)
+			len += extattr[t].len;
+
+		total_size += list_size + len;
+		/* Buffer is too small to fit the results */
+		if(total_size > size) {
+			errno = ERANGE;
+			return -1;
+		}
+		/* Shift results back, so we can prepend prefixes */
+		buf = memmove(list + len, list, list_size);
+
+		for(i = 0; i < list_size; i += len + 1) {
+			len = buf[i];
+			strncpy(list, extattr[t].name, extattr[t].len + 1);
+			list += extattr[t].len;
+			strncpy(list, buf + i + 1, len);
+			list[len] = '\0';
+			list += len + 1;
+		}
+		size -= total_size;
+	}
+	return total_size;
+}
+
+#endif
+
+#if defined(HAVE_ATTR_LIST) && defined(HAVE_SYS_ATTRIBUTES_H)
+static char attr_buffer[ATTR_MAX_VALUELEN];
+
+static ssize_t irix_attr_list(const char *path, int filedes, char *list, size_t size, int flags)
+{
+	int retval = 0, index;
+	attrlist_cursor_t *cursor = 0;
+	int total_size = 0;
+	attrlist_t * al = (attrlist_t *)attr_buffer;
+	attrlist_ent_t *ae;
+	size_t ent_size, left = size;
+	char *bp = list;
+
+	while (True) {
+	    if (filedes)
+		retval = attr_listf(filedes, attr_buffer, ATTR_MAX_VALUELEN, flags, cursor);
+	    else
+		retval = attr_list(path, attr_buffer, ATTR_MAX_VALUELEN, flags, cursor);
+	    if (retval) break;
+	    for (index = 0; index < al->al_count; index++) {
+		ae = ATTR_ENTRY(attr_buffer, index);
+		ent_size = strlen(ae->a_name) + sizeof("user.");
+		if (left >= ent_size) {
+		    strncpy(bp, "user.", sizeof("user."));
+		    strncat(bp, ae->a_name, ent_size - sizeof("user."));
+		    bp += ent_size;
+		    left -= ent_size;
+		} else if (size) {
+		    errno = ERANGE;
+		    retval = -1;
+		    break;
+		}
+		total_size += ent_size;
+	    }
+	    if (al->al_more == 0) break;
+	}
+	if (retval == 0) {
+	    flags |= ATTR_ROOT;
+	    cursor = 0;
+	    while (True) {
+		if (filedes)
+		    retval = attr_listf(filedes, attr_buffer, ATTR_MAX_VALUELEN, flags, cursor);
+		else
+		    retval = attr_list(path, attr_buffer, ATTR_MAX_VALUELEN, flags, cursor);
+		if (retval) break;
+		for (index = 0; index < al->al_count; index++) {
+		    ae = ATTR_ENTRY(attr_buffer, index);
+		    ent_size = strlen(ae->a_name) + sizeof("system.");
+		    if (left >= ent_size) {
+			strncpy(bp, "system.", sizeof("system."));
+			strncat(bp, ae->a_name, ent_size - sizeof("system."));
+			bp += ent_size;
+			left -= ent_size;
+		    } else if (size) {
+			errno = ERANGE;
+			retval = -1;
+			break;
+		    }
+		    total_size += ent_size;
+		}
+		if (al->al_more == 0) break;
+	    }
+	}
+	return (ssize_t)(retval ? retval : total_size);
+}
+
+#endif
+
+ssize_t sys_listxattr (const char *path, char *list, size_t size)
+{
+#if defined(HAVE_LISTXATTR)
+#ifndef XATTR_ADD_OPT
+	return listxattr(path, list, size);
+#else
+	int options = 0;
+	return listxattr(path, list, size, options);
+#endif
+#elif defined(HAVE_LISTEA)
+	return listea(path, list, size);
+#elif defined(HAVE_EXTATTR_LIST_FILE)
+	extattr_arg arg;
+	arg.path = path;
+	return bsd_attr_list(0, arg, list, size);
+#elif defined(HAVE_ATTR_LIST) && defined(HAVE_SYS_ATTRIBUTES_H)
+	return irix_attr_list(path, 0, list, size, 0);
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrdirfd = solaris_attropen(path, ".", O_RDONLY, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_list_xattr(attrdirfd, list, size);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+ssize_t sys_llistxattr (const char *path, char *list, size_t size)
+{
+#if defined(HAVE_LLISTXATTR)
+	return llistxattr(path, list, size);
+#elif defined(HAVE_LISTXATTR) && defined(XATTR_ADD_OPT)
+	int options = XATTR_NOFOLLOW;
+	return listxattr(path, list, size, options);
+#elif defined(HAVE_LLISTEA)
+	return llistea(path, list, size);
+#elif defined(HAVE_EXTATTR_LIST_LINK)
+	extattr_arg arg;
+	arg.path = path;
+	return bsd_attr_list(1, arg, list, size);
+#elif defined(HAVE_ATTR_LIST) && defined(HAVE_SYS_ATTRIBUTES_H)
+	return irix_attr_list(path, 0, list, size, ATTR_DONTFOLLOW);
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrdirfd = solaris_attropen(path, ".", O_RDONLY|AT_SYMLINK_NOFOLLOW, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_list_xattr(attrdirfd, list, size);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+ssize_t sys_flistxattr (int filedes, char *list, size_t size)
+{
+#if defined(HAVE_FLISTXATTR)
+#ifndef XATTR_ADD_OPT
+	return flistxattr(filedes, list, size);
+#else
+	int options = 0;
+	return flistxattr(filedes, list, size, options);
+#endif
+#elif defined(HAVE_FLISTEA)
+	return flistea(filedes, list, size);
+#elif defined(HAVE_EXTATTR_LIST_FD)
+	extattr_arg arg;
+	arg.filedes = filedes;
+	return bsd_attr_list(2, arg, list, size);
+#elif defined(HAVE_ATTR_LISTF)
+	return irix_attr_list(NULL, filedes, list, size, 0);
+#elif defined(HAVE_ATTROPEN)
+	ssize_t ret = -1;
+	int attrdirfd = solaris_openat(filedes, ".", O_RDONLY|O_XATTR, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_list_xattr(attrdirfd, list, size);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_removexattr (const char *path, const char *name)
+{
+#if defined(HAVE_REMOVEXATTR)
+#ifndef XATTR_ADD_OPT
+	return removexattr(path, name);
+#else
+	int options = 0;
+	return removexattr(path, name, options);
+#endif
+#elif defined(HAVE_REMOVEEA)
+	return removeea(path, name);
+#elif defined(HAVE_EXTATTR_DELETE_FILE)
+	char *s;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+
+	return extattr_delete_file(path, attrnamespace, attrname);
+#elif defined(HAVE_ATTR_REMOVE)
+	int flags = 0;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	return attr_remove(path, attrname, flags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int attrdirfd = solaris_attropen(path, ".", O_RDONLY, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_unlinkat(attrdirfd, name);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_lremovexattr (const char *path, const char *name)
+{
+#if defined(HAVE_LREMOVEXATTR)
+	return lremovexattr(path, name);
+#elif defined(HAVE_REMOVEXATTR) && defined(XATTR_ADD_OPT)
+	int options = XATTR_NOFOLLOW;
+	return removexattr(path, name, options);
+#elif defined(HAVE_LREMOVEEA)
+	return lremoveea(path, name);
+#elif defined(HAVE_EXTATTR_DELETE_LINK)
+	char *s;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+
+	return extattr_delete_link(path, attrnamespace, attrname);
+#elif defined(HAVE_ATTR_REMOVE)
+	int flags = ATTR_DONTFOLLOW;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	return attr_remove(path, attrname, flags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int attrdirfd = solaris_attropen(path, ".", O_RDONLY|AT_SYMLINK_NOFOLLOW, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_unlinkat(attrdirfd, name);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_fremovexattr (int filedes, const char *name)
+{
+#if defined(HAVE_FREMOVEXATTR)
+#ifndef XATTR_ADD_OPT
+	return fremovexattr(filedes, name);
+#else
+	int options = 0;
+	return fremovexattr(filedes, name, options);
+#endif
+#elif defined(HAVE_FREMOVEEA)
+	return fremoveea(filedes, name);
+#elif defined(HAVE_EXTATTR_DELETE_FD)
+	char *s;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+
+	return extattr_delete_fd(filedes, attrnamespace, attrname);
+#elif defined(HAVE_ATTR_REMOVEF)
+	int flags = 0;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) flags |= ATTR_ROOT;
+
+	return attr_removef(filedes, attrname, flags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int attrdirfd = solaris_openat(filedes, ".", O_RDONLY|O_XATTR, 0);
+	if (attrdirfd >= 0) {
+		ret = solaris_unlinkat(attrdirfd, name);
+		close(attrdirfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_setxattr (const char *path, const char *name, const void *value, size_t size, int flags)
+{
+#if defined(HAVE_SETXATTR)
+#ifndef XATTR_ADD_OPT
+	return setxattr(path, name, value, size, flags);
+#else
+	int options = 0;
+	return setxattr(path, name, value, size, 0, options);
+#endif
+#elif defined(HAVE_SETEA)
+	return setea(path, name, value, size, flags);
+#elif defined(HAVE_EXTATTR_SET_FILE)
+	char *s;
+	int retval = 0;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+	if (flags) {
+		/* Check attribute existence */
+		retval = extattr_get_file(path, attrnamespace, attrname, NULL, 0);
+		if (retval < 0) {
+			/* REPLACE attribute, that doesn't exist */
+			if (flags & XATTR_REPLACE && errno == ENOATTR) {
+				errno = ENOATTR;
+				return -1;
+			}
+			/* Ignore other errors */
+		}
+		else {
+			/* CREATE attribute, that already exists */
+			if (flags & XATTR_CREATE) {
+				errno = EEXIST;
+				return -1;
+			}
+		}
+	}
+	retval = extattr_set_file(path, attrnamespace, attrname, value, size);
+	return (retval < 0) ? -1 : 0;
+#elif defined(HAVE_ATTR_SET)
+	int myflags = 0;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) myflags |= ATTR_ROOT;
+	if (flags & XATTR_CREATE) myflags |= ATTR_CREATE;
+	if (flags & XATTR_REPLACE) myflags |= ATTR_REPLACE;
+
+	return attr_set(path, attrname, (const char *)value, size, myflags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int myflags = O_RDWR;
+	int attrfd;
+	if (flags & XATTR_CREATE) myflags |= O_EXCL;
+	if (!(flags & XATTR_REPLACE)) myflags |= O_CREAT;
+	attrfd = solaris_attropen(path, name, myflags, (mode_t) SOLARIS_ATTRMODE);
+	if (attrfd >= 0) {
+		ret = solaris_write_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_lsetxattr (const char *path, const char *name, const void *value, size_t size, int flags)
+{
+#if defined(HAVE_LSETXATTR)
+	return lsetxattr(path, name, value, size, flags);
+#elif defined(HAVE_SETXATTR) && defined(XATTR_ADD_OPT)
+	int options = XATTR_NOFOLLOW;
+	return setxattr(path, name, value, size, 0, options);
+#elif defined(LSETEA)
+	return lsetea(path, name, value, size, flags);
+#elif defined(HAVE_EXTATTR_SET_LINK)
+	char *s;
+	int retval = 0;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+	if (flags) {
+		/* Check attribute existence */
+		retval = extattr_get_link(path, attrnamespace, attrname, NULL, 0);
+		if (retval < 0) {
+			/* REPLACE attribute, that doesn't exist */
+			if (flags & XATTR_REPLACE && errno == ENOATTR) {
+				errno = ENOATTR;
+				return -1;
+			}
+			/* Ignore other errors */
+		}
+		else {
+			/* CREATE attribute, that already exists */
+			if (flags & XATTR_CREATE) {
+				errno = EEXIST;
+				return -1;
+			}
+		}
+	}
+
+	retval = extattr_set_link(path, attrnamespace, attrname, value, size);
+	return (retval < 0) ? -1 : 0;
+#elif defined(HAVE_ATTR_SET)
+	int myflags = ATTR_DONTFOLLOW;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) myflags |= ATTR_ROOT;
+	if (flags & XATTR_CREATE) myflags |= ATTR_CREATE;
+	if (flags & XATTR_REPLACE) myflags |= ATTR_REPLACE;
+
+	return attr_set(path, attrname, (const char *)value, size, myflags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int myflags = O_RDWR | AT_SYMLINK_NOFOLLOW;
+	int attrfd;
+	if (flags & XATTR_CREATE) myflags |= O_EXCL;
+	if (!(flags & XATTR_REPLACE)) myflags |= O_CREAT;
+	attrfd = solaris_attropen(path, name, myflags, (mode_t) SOLARIS_ATTRMODE);
+	if (attrfd >= 0) {
+		ret = solaris_write_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_fsetxattr (int filedes, const char *name, const void *value, size_t size, int flags)
+{
+#if defined(HAVE_FSETXATTR)
+#ifndef XATTR_ADD_OPT
+	return fsetxattr(filedes, name, value, size, flags);
+#else
+	int options = 0;
+	return fsetxattr(filedes, name, value, size, 0, options);
+#endif
+#elif defined(HAVE_FSETEA)
+	return fsetea(filedes, name, value, size, flags);
+#elif defined(HAVE_EXTATTR_SET_FD)
+	char *s;
+	int retval = 0;
+	int attrnamespace = (strncmp(name, "system", 6) == 0) ? 
+		EXTATTR_NAMESPACE_SYSTEM : EXTATTR_NAMESPACE_USER;
+	const char *attrname = ((s=strchr_m(name, '.')) == NULL) ? name : s + 1;
+	if (flags) {
+		/* Check attribute existence */
+		retval = extattr_get_fd(filedes, attrnamespace, attrname, NULL, 0);
+		if (retval < 0) {
+			/* REPLACE attribute, that doesn't exist */
+			if (flags & XATTR_REPLACE && errno == ENOATTR) {
+				errno = ENOATTR;
+				return -1;
+			}
+			/* Ignore other errors */
+		}
+		else {
+			/* CREATE attribute, that already exists */
+			if (flags & XATTR_CREATE) {
+				errno = EEXIST;
+				return -1;
+			}
+		}
+	}
+	retval = extattr_set_fd(filedes, attrnamespace, attrname, value, size);
+	return (retval < 0) ? -1 : 0;
+#elif defined(HAVE_ATTR_SETF)
+	int myflags = 0;
+	char *attrname = strchr(name,'.') + 1;
+	
+	if (strncmp(name, "system", 6) == 0) myflags |= ATTR_ROOT;
+	if (flags & XATTR_CREATE) myflags |= ATTR_CREATE;
+	if (flags & XATTR_REPLACE) myflags |= ATTR_REPLACE;
+
+	return attr_setf(filedes, attrname, (const char *)value, size, myflags);
+#elif defined(HAVE_ATTROPEN)
+	int ret = -1;
+	int myflags = O_RDWR | O_XATTR;
+	int attrfd;
+	if (flags & XATTR_CREATE) myflags |= O_EXCL;
+	if (!(flags & XATTR_REPLACE)) myflags |= O_CREAT;
+	attrfd = solaris_openat(filedes, name, myflags, (mode_t) SOLARIS_ATTRMODE);
+	if (attrfd >= 0) {
+		ret = solaris_write_xattr(attrfd, value, size);
+		close(attrfd);
+	}
+	return ret;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/**************************************************************************
+ helper functions for Solaris' EA support
+****************************************************************************/
+#ifdef HAVE_ATTROPEN
+static ssize_t solaris_read_xattr(int attrfd, void *value, size_t size)
+{
+	struct stat sbuf;
+
+	if (fstat(attrfd, &sbuf) == -1) {
+		errno = ENOATTR;
+		return -1;
+	}
+
+	/* This is to return the current size of the named extended attribute */
+	if (size == 0) {
+		return sbuf.st_size;
+	}
+
+	/* check size and read xattr */
+	if (sbuf.st_size > size) {
+		errno = ERANGE;
+		return -1;
+	}
+
+	return read(attrfd, value, sbuf.st_size);
+}
+
+static ssize_t solaris_list_xattr(int attrdirfd, char *list, size_t size)
+{
+	ssize_t len = 0;
+	int stop = 0;
+	DIR *dirp;
+	struct dirent *de;
+	int newfd = dup(attrdirfd);
+	/* CAUTION: The originating file descriptor should not be
+	            used again following the call to fdopendir().
+	            For that reason we dup() the file descriptor
+		    here to make things more clear. */
+	dirp = fdopendir(newfd);
+
+	while ((de = readdir(dirp))) {
+		size_t listlen = strlen(de->d_name);
+		if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) {
+			/* we don't want "." and ".." here: */
+			DEBUG(10,("skipped EA %s\n",de->d_name));
+			continue;
+		}
+
+		if (size == 0) {
+			/* return the current size of the list of extended attribute names*/
+			len += listlen + 1;
+		} else {
+			/* check size and copy entrieѕ + nul into list. */
+			if ((len + listlen + 1) > size) {
+				errno = ERANGE;
+				len = -1;
+				break;
+			} else {
+				safe_strcpy(list + len, de->d_name, listlen);
+				len += listlen;
+				list[len] = '\0';
+				++len;
+			}
+		}
+	}
+
+	if (closedir(dirp) == -1) {
+		DEBUG(0,("closedir dirp failed: %s\n",strerror(errno)));
+		return -1;
+	}
+	return len;
+}
+
+static int solaris_unlinkat(int attrdirfd, const char *name)
+{
+	if (unlinkat(attrdirfd, name, 0) == -1) {
+		if (errno == ENOENT) {
+			errno = ENOATTR;
+		}
+		return -1;
+	}
+	return 0;
+}
+
+static int solaris_attropen(const char *path, const char *attrpath, int oflag, mode_t mode)
+{
+	int filedes = attropen(path, attrpath, oflag, mode);
+	if (filedes == -1) {
+		DEBUG(10,("attropen FAILED: path: %s, name: %s, errno: %s\n",path,attrpath,strerror(errno)));
+		if (errno == EINVAL) {
+			errno = ENOTSUP;
+		} else {
+			errno = ENOATTR;
+		}
+	}
+	return filedes;
+}
+
+static int solaris_openat(int fildes, const char *path, int oflag, mode_t mode)
+{
+	int filedes = openat(fildes, path, oflag, mode);
+	if (filedes == -1) {
+		DEBUG(10,("openat FAILED: fd: %s, path: %s, errno: %s\n",filedes,path,strerror(errno)));
+		if (errno == EINVAL) {
+			errno = ENOTSUP;
+		} else {
+			errno = ENOATTR;
+		}
+	}
+	return filedes;
+}
+
+static int solaris_write_xattr(int attrfd, const char *value, size_t size)
+{
+	if ((ftruncate(attrfd, 0) == 0) && (write(attrfd, value, size) == size)) {
+		return 0;
+	} else {
+		DEBUG(10,("solaris_write_xattr FAILED!\n"));
+		return -1;
+	}
+}
+#endif /*HAVE_ATTROPEN*/
+
+
+/****************************************************************************
+ Return the major devicenumber for UNIX extensions.
+****************************************************************************/
+                                                                                                                
+uint32 unix_dev_major(SMB_DEV_T dev)
+{
+#if defined(HAVE_DEVICE_MAJOR_FN)
+        return (uint32)major(dev);
+#else
+        return (uint32)(dev >> 8);
+#endif
+}
+                                                                                                                
+/****************************************************************************
+ Return the minor devicenumber for UNIX extensions.
+****************************************************************************/
+                                                                                                                
+uint32 unix_dev_minor(SMB_DEV_T dev)
+{
+#if defined(HAVE_DEVICE_MINOR_FN)
+        return (uint32)minor(dev);
+#else
+        return (uint32)(dev & 0xff);
+#endif
+}
+
+#if defined(WITH_AIO)
+
+/*******************************************************************
+ An aio_read wrapper that will deal with 64-bit sizes.
+********************************************************************/
+                                                                                                                                           
+int sys_aio_read(SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_READ64)
+        return aio_read64(aiocb);
+#elif defined(HAVE_AIO_READ)
+        return aio_read(aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_write wrapper that will deal with 64-bit sizes.
+********************************************************************/
+                                                                                                                                           
+int sys_aio_write(SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_WRITE64)
+        return aio_write64(aiocb);
+#elif defined(HAVE_AIO_WRITE)
+        return aio_write(aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_return wrapper that will deal with 64-bit sizes.
+********************************************************************/
+                                                                                                                                           
+ssize_t sys_aio_return(SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_RETURN64)
+        return aio_return64(aiocb);
+#elif defined(HAVE_AIO_RETURN)
+        return aio_return(aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_cancel wrapper that will deal with 64-bit sizes.
+********************************************************************/
+
+int sys_aio_cancel(int fd, SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_CANCEL64)
+        return aio_cancel64(fd, aiocb);
+#elif defined(HAVE_AIO_CANCEL)
+        return aio_cancel(fd, aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_error wrapper that will deal with 64-bit sizes.
+********************************************************************/
+
+int sys_aio_error(const SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_ERROR64)
+        return aio_error64(aiocb);
+#elif defined(HAVE_AIO_ERROR)
+        return aio_error(aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_fsync wrapper that will deal with 64-bit sizes.
+********************************************************************/
+
+int sys_aio_fsync(int op, SMB_STRUCT_AIOCB *aiocb)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_FSYNC64)
+        return aio_fsync64(op, aiocb);
+#elif defined(HAVE_AIO_FSYNC)
+        return aio_fsync(op, aiocb);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+/*******************************************************************
+ An aio_fsync wrapper that will deal with 64-bit sizes.
+********************************************************************/
+
+int sys_aio_suspend(const SMB_STRUCT_AIOCB * const cblist[], int n, const struct timespec *timeout)
+{
+#if defined(HAVE_EXPLICIT_LARGEFILE_SUPPORT) && defined(HAVE_AIOCB64) && defined(HAVE_AIO_SUSPEND64)
+        return aio_suspend64(cblist, n, timeout);
+#elif defined(HAVE_AIO_FSYNC)
+        return aio_suspend(cblist, n, timeout);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+#else /* !WITH_AIO */
+
+int sys_aio_read(SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_aio_write(SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+ssize_t sys_aio_return(SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_aio_cancel(int fd, SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_aio_error(const SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_aio_fsync(int op, SMB_STRUCT_AIOCB *aiocb)
+{
+	errno = ENOSYS;
+	return -1;
+}
+
+int sys_aio_suspend(const SMB_STRUCT_AIOCB * const cblist[], int n, const struct timespec *timeout)
+{
+	errno = ENOSYS;
+	return -1;
+}
+#endif /* WITH_AIO */
+
+int sys_getpeereid( int s, uid_t *uid)
+{
+#if defined(HAVE_PEERCRED)
+	struct ucred cred;
+	socklen_t cred_len = sizeof(struct ucred);
+	int ret;
+
+	ret = getsockopt(s, SOL_SOCKET, SO_PEERCRED, (void *)&cred, &cred_len);
+	if (ret != 0) {
+		return -1;
+	}
+
+	if (cred_len != sizeof(struct ucred)) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	*uid = cred.uid;
+	return 0;
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+
+int sys_getnameinfo(const struct sockaddr *psa,
+			socklen_t salen,
+			char *host,
+			size_t hostlen,
+			char *service,
+			size_t servlen,
+			int flags)
+{
+	/*
+	 * For Solaris we must make sure salen is the
+	 * correct length for the incoming sa_family.
+	 */
+
+	if (salen == sizeof(struct sockaddr_storage)) {
+		salen = sizeof(struct sockaddr_in);
+#if defined(HAVE_IPV6)
+		if (psa->sa_family == AF_INET6) {
+			salen = sizeof(struct sockaddr_in6);
+		}
+#endif
+	}
+	return getnameinfo(psa, salen, host, hostlen, service, servlen, flags);
+}
+
+int sys_connect(int fd, const struct sockaddr * addr)
+{
+	socklen_t salen = -1;
+
+	if (addr->sa_family == AF_INET) {
+	    salen = sizeof(struct sockaddr_in);
+	} else if (addr->sa_family == AF_UNIX) {
+	    salen = sizeof(struct sockaddr_un);
+	}
+#if defined(HAVE_IPV6)
+	else if (addr->sa_family == AF_INET6) {
+	    salen = sizeof(struct sockaddr_in6);
+	}
+#endif
+
+	return connect(fd, addr, salen);
+}
diff --git a/source3/lib/system_smbd.c b/source3/lib/system_smbd.c
new file mode 100644
index 0000000000..1f5dd3172f
--- /dev/null
+++ b/source3/lib/system_smbd.c
@@ -0,0 +1,198 @@
+/* 
+   Unix SMB/CIFS implementation.
+   system call wrapper interface.
+   Copyright (C) Andrew Tridgell 2002
+   Copyright (C) Andrew Barteltt 2002
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* 
+   This file may assume linkage with smbd - for things like become_root()
+   etc. 
+*/
+
+#include "includes.h"
+
+#ifndef HAVE_GETGROUPLIST
+
+/*
+  This is a *much* faster way of getting the list of groups for a user
+  without changing the current supplementary group list. The old
+  method used getgrent() which could take 20 minutes on a really big
+  network with hundeds of thousands of groups and users. The new method
+  takes a couple of seconds.
+
+  NOTE!! this function only works if it is called as root!
+  */
+
+static int getgrouplist_internals(const char *user, gid_t gid, gid_t *groups,
+				  int *grpcnt)
+{
+	gid_t *gids_saved;
+	int ret, ngrp_saved, num_gids;
+
+	if (non_root_mode()) {
+		*grpcnt = 0;
+		return 0;
+	}
+
+	/* work out how many groups we need to save */
+	ngrp_saved = getgroups(0, NULL);
+	if (ngrp_saved == -1) {
+		/* this shouldn't happen */
+		return -1;
+	}
+
+	gids_saved = SMB_MALLOC_ARRAY(gid_t, ngrp_saved+1);
+	if (!gids_saved) {
+		errno = ENOMEM;
+		return -1;
+	}
+
+	ngrp_saved = getgroups(ngrp_saved, gids_saved);
+	if (ngrp_saved == -1) {
+		SAFE_FREE(gids_saved);
+		/* very strange! */
+		return -1;
+	}
+
+	if (initgroups(user, gid) != 0) {
+		DEBUG(0, ("getgrouplist_internals: initgroups() failed!\n"));
+		SAFE_FREE(gids_saved);
+		return -1;
+	}
+
+	/* this must be done to cope with systems that put the current egid in the
+	   return from getgroups() */
+	save_re_gid();
+	set_effective_gid(gid);
+	setgid(gid);
+
+	num_gids = getgroups(0, NULL);
+	if (num_gids == -1) {
+		SAFE_FREE(gids_saved);
+		/* very strange! */
+		return -1;
+	}
+
+	if (num_gids + 1 > *grpcnt) {
+		*grpcnt = num_gids + 1;
+		ret = -1;
+	} else {
+		ret = getgroups(*grpcnt - 1, &groups[1]);
+		if (ret < 0) {
+			SAFE_FREE(gids_saved);
+			/* very strange! */
+			return -1;
+		}
+		groups[0] = gid;
+		*grpcnt = ret + 1;
+	}
+
+	restore_re_gid();
+
+	if (sys_setgroups(gid, ngrp_saved, gids_saved) != 0) {
+		/* yikes! */
+		DEBUG(0,("ERROR: getgrouplist: failed to reset group list!\n"));
+		smb_panic("getgrouplist: failed to reset group list!");
+	}
+
+	free(gids_saved);
+	return ret;
+}
+#endif
+
+static int sys_getgrouplist(const char *user, gid_t gid, gid_t *groups, int *grpcnt)
+{
+	int retval;
+	bool winbind_env;
+
+	DEBUG(10,("sys_getgrouplist: user [%s]\n", user));
+
+	/* This is only ever called for Unix users, remote memberships are
+	 * always determined by the info3 coming back from auth3 or the
+	 * PAC. */
+	winbind_env = winbind_env_set();
+	(void)winbind_off();
+
+#ifdef HAVE_GETGROUPLIST
+	retval = getgrouplist(user, gid, groups, grpcnt);
+#else
+	become_root();
+	retval = getgrouplist_internals(user, gid, groups, grpcnt);
+	unbecome_root();
+#endif
+
+	/* allow winbindd lookups, but only if they were not already disabled */
+	if (!winbind_env) {
+		(void)winbind_on();
+	}
+
+	return retval;
+}
+
+bool getgroups_unix_user(TALLOC_CTX *mem_ctx, const char *user,
+			 gid_t primary_gid,
+			 gid_t **ret_groups, size_t *p_ngroups)
+{
+	size_t ngrp;
+	int max_grp;
+	gid_t *temp_groups;
+	gid_t *groups;
+	int i;
+
+	max_grp = MIN(32, groups_max());
+	temp_groups = SMB_MALLOC_ARRAY(gid_t, max_grp);
+	if (! temp_groups) {
+		return False;
+	}
+
+	if (sys_getgrouplist(user, primary_gid, temp_groups, &max_grp) == -1) {
+		temp_groups = SMB_REALLOC_ARRAY(temp_groups, gid_t, max_grp);
+		if (!temp_groups) {
+			return False;
+		}
+		
+		if (sys_getgrouplist(user, primary_gid,
+				     temp_groups, &max_grp) == -1) {
+			DEBUG(0, ("get_user_groups: failed to get the unix "
+				  "group list\n"));
+			SAFE_FREE(temp_groups);
+			return False;
+		}
+	}
+	
+	ngrp = 0;
+	groups = NULL;
+
+	/* Add in primary group first */
+	if (!add_gid_to_array_unique(mem_ctx, primary_gid, &groups, &ngrp)) {
+		SAFE_FREE(temp_groups);
+		return False;
+	}
+
+	for (i=0; i<max_grp; i++) {
+		if (!add_gid_to_array_unique(mem_ctx, temp_groups[i],
+					&groups, &ngrp)) {
+			SAFE_FREE(temp_groups);
+			return False;
+		}
+	}
+
+	*p_ngroups = ngrp;
+	*ret_groups = groups;
+	SAFE_FREE(temp_groups);
+	return True;
+}
diff --git a/source3/lib/talloc/Makefile.in b/source3/lib/talloc/Makefile.in
new file mode 100644
index 0000000000..07b8fd4ff0
--- /dev/null
+++ b/source3/lib/talloc/Makefile.in
@@ -0,0 +1,43 @@
+#!gmake
+#
+prefix = @prefix@
+datarootdir = @datarootdir@
+exec_prefix = @exec_prefix@
+includedir = @includedir@
+libdir = @libdir@
+mandir = @mandir@
+VPATH = @srcdir@:@libreplacedir@
+srcdir = @srcdir@
+builddir = @builddir@
+XSLTPROC = @XSLTPROC@
+INSTALLCMD = @INSTALL@
+CC = @CC@
+CFLAGS = @CFLAGS@ -DHAVE_CONFIG_H= -I. -I@srcdir@
+EXTRA_TARGETS = @DOC_TARGET@
+PICFLAG = @PICFLAG@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+SHLIBEXT = @SHLIBEXT@
+SHLD = @SHLD@
+SHLD_FLAGS = @SHLD_FLAGS@
+tallocdir = @tallocdir@
+
+LIBOBJ = $(TALLOC_OBJ) @LIBREPLACEOBJ@
+
+all:: showflags $(EXTRA_TARGETS)
+
+include $(tallocdir)/rules.mk
+include $(tallocdir)/talloc.mk
+
+$(TALLOC_SOLIB): $(LIBOBJ)
+	$(SHLD) $(SHLD_FLAGS) -o $@ $(LIBOBJ) @SONAMEFLAG@$(TALLOC_SONAME)
+
+check: test
+
+installcheck:: test install
+
+distclean:: clean
+	rm -f Makefile
+	rm -f config.log config.status config.h config.cache
+
+realdistclean:: distclean
+	rm -f configure config.h.in
diff --git a/source3/lib/talloc/NEWS b/source3/lib/talloc/NEWS
new file mode 100644
index 0000000000..e5b3aa0731
--- /dev/null
+++ b/source3/lib/talloc/NEWS
@@ -0,0 +1,13 @@
+1.0.1	26 May 2007
+
+ BUGS
+  
+   * Set name of correctly when using talloc_append_string() (metze)
+
+ LICENSE
+   
+   * Change license of files in lib/replace to LGPL (was GPL). (jelmer)
+
+1.0.0	30 April 2007
+ 
+ Initial release.
diff --git a/source3/lib/talloc/aclocal.m4 b/source3/lib/talloc/aclocal.m4
new file mode 100644
index 0000000000..5605e476ba
--- /dev/null
+++ b/source3/lib/talloc/aclocal.m4
@@ -0,0 +1 @@
+m4_include(libreplace.m4)
diff --git a/source3/lib/talloc/autogen.sh b/source3/lib/talloc/autogen.sh
new file mode 100755
index 0000000000..bf84eeee19
--- /dev/null
+++ b/source3/lib/talloc/autogen.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+rm -rf autom4te.cache
+rm -f configure config.h.in
+
+IPATHS="-I libreplace -I lib/replace -I ../libreplace -I ../replace"
+autoconf $IPATHS || exit 1
+autoheader $IPATHS || exit 1
+
+rm -rf autom4te.cache
+
+echo "Now run ./configure and then make."
+exit 0
+
diff --git a/source3/lib/talloc/config.guess b/source3/lib/talloc/config.guess
new file mode 100755
index 0000000000..354dbe175a
--- /dev/null
+++ b/source3/lib/talloc/config.guess
@@ -0,0 +1,1464 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-08-03'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+        echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit ;;
+    5000:UNIX_System_V:4.*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    x86:Interix*:[34]*)
+	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+	exit ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    cris:Linux:*:*)
+	echo cris-axis-linux-gnu
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit ;;
+    sh64*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#ifdef __INTEL_COMPILER
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && { echo i486-ncr-sysv4; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    *86) UNAME_PROCESSOR=i686 ;;
+	    unknown) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+        echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    c34*)
+	echo c34-convex-bsd
+	exit ;;
+    c38*)
+	echo c38-convex-bsd
+	exit ;;
+    c4*)
+	echo c4-convex-bsd
+	exit ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/talloc/config.mk b/source3/lib/talloc/config.mk
new file mode 100644
index 0000000000..c13e1b79ab
--- /dev/null
+++ b/source3/lib/talloc/config.mk
@@ -0,0 +1,7 @@
+[LIBRARY::LIBTALLOC]
+OUTPUT_TYPE = MERGED_OBJ
+CFLAGS = -Ilib/talloc
+
+LIBTALLOC_OBJ_FILES = lib/talloc/talloc.o
+
+MANPAGES += $(tallocdir)/talloc.3
diff --git a/source3/lib/talloc/config.sub b/source3/lib/talloc/config.sub
new file mode 100755
index 0000000000..23cd6fd75c
--- /dev/null
+++ b/source3/lib/talloc/config.sub
@@ -0,0 +1,1577 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-07-08'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| bfin \
+	| c4x | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| ms1 \
+	| msp430 \
+	| ns16k | ns32k \
+	| or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b \
+	| strongarm \
+	| tahoe | thumb | tic4x | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m32c)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| ms1-* \
+	| msp430-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	m32c-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+    	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16c)
+		basic_machine=cr16c-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+        -os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+        -tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+    c4x-* | tic4x-*)
+        os=-coff
+        ;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+    	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/talloc/configure.ac b/source3/lib/talloc/configure.ac
new file mode 100644
index 0000000000..4719aa04b5
--- /dev/null
+++ b/source3/lib/talloc/configure.ac
@@ -0,0 +1,24 @@
+AC_PREREQ(2.50)
+AC_INIT(talloc, 1.2.0)
+AC_CONFIG_SRCDIR([talloc.c])
+AC_SUBST(datarootdir)
+AC_CONFIG_HEADER(config.h)
+
+AC_LIBREPLACE_ALL_CHECKS
+
+m4_include(libtalloc.m4)
+
+AC_PATH_PROG(XSLTPROC,xsltproc)
+DOC_TARGET=""
+if test -n "$XSLTPROC"; then
+	DOC_TARGET=doc
+fi
+AC_SUBST(DOC_TARGET)
+
+AC_LD_PICFLAG
+AC_LD_SHLIBEXT
+AC_LD_SONAMEFLAG
+AC_LIBREPLACE_SHLD
+AC_LIBREPLACE_SHLD_FLAGS
+
+AC_OUTPUT(Makefile talloc.pc)
diff --git a/source3/lib/talloc/install-sh b/source3/lib/talloc/install-sh
new file mode 100755
index 0000000000..58719246f0
--- /dev/null
+++ b/source3/lib/talloc/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/source3/lib/talloc/libtalloc.m4 b/source3/lib/talloc/libtalloc.m4
new file mode 100644
index 0000000000..fd2b4b22cd
--- /dev/null
+++ b/source3/lib/talloc/libtalloc.m4
@@ -0,0 +1,33 @@
+dnl find the talloc sources. This is meant to work both for 
+dnl talloc standalone builds, and builds of packages using talloc
+tallocdir=""
+tallocpaths=". lib/talloc talloc ../talloc"
+for d in $tallocpaths; do
+	if test -f "$srcdir/$d/talloc.c"; then
+		tallocdir="$d"
+		AC_SUBST(tallocdir)
+		break;
+	fi
+done
+if test x"$tallocdir" = "x"; then
+   AC_MSG_ERROR([cannot find talloc source in $tallocpaths])
+fi
+TALLOC_OBJ="talloc.o"
+AC_SUBST(TALLOC_OBJ)
+
+TALLOC_CFLAGS="-I$srcdir/$tallocdir"
+AC_SUBST(TALLOC_CFLAGS)
+
+TALLOC_LIBS=""
+AC_SUBST(TALLOC_LIBS)
+
+AC_CHECK_SIZEOF(size_t,cross)
+AC_CHECK_SIZEOF(void *,cross)
+
+if test $ac_cv_sizeof_size_t -lt $ac_cv_sizeof_void_p; then
+	AC_WARN([size_t cannot represent the amount of used memory of a process])
+	AC_WARN([please report this to <samba-technical@samba.org>])
+	AC_WARN([sizeof(size_t) = $ac_cv_sizeof_size_t])
+	AC_WARN([sizeof(void *) = $ac_cv_sizeof_void_p])
+	AC_ERROR([sizeof(size_t) < sizeof(void *)])
+fi
diff --git a/source3/lib/talloc/rules.mk b/source3/lib/talloc/rules.mk
new file mode 100644
index 0000000000..6cee126529
--- /dev/null
+++ b/source3/lib/talloc/rules.mk
@@ -0,0 +1,18 @@
+.SUFFIXES: .c .o .3 .3.xml .xml .html
+
+showflags::
+	@echo 'talloc will be compiled with flags:'
+	@echo '  CFLAGS = $(CFLAGS)'
+	@echo '  LIBS = $(LIBS)'
+
+.c.o:
+	$(CC) $(PICFLAG) -o $@ -c $< $(CFLAGS)
+
+.3.xml.3:
+	-test -z "$(XSLTPROC)" || $(XSLTPROC) --nonet -o $@ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl $<
+
+.xml.html:
+	-test -z "$(XSLTPROC)" || $(XSLTPROC) --nonet -o $@ http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $<
+
+distclean::
+	rm -f *~ */*~
diff --git a/source3/lib/talloc/talloc.3.xml b/source3/lib/talloc/talloc.3.xml
new file mode 100644
index 0000000000..67de15bfc8
--- /dev/null
+++ b/source3/lib/talloc/talloc.3.xml
@@ -0,0 +1,738 @@
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>talloc</refentrytitle>
+    <manvolnum>3</manvolnum>
+  </refmeta>
+  <refnamediv>
+    <refname>talloc</refname>
+<refpurpose>hierarchical reference counted memory pool system with destructors</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+<synopsis>#include &lt;talloc/talloc.h&gt;</synopsis>
+  </refsynopsisdiv>
+  <refsect1><title>DESCRIPTION</title>
+    <para>
+      If you are used to talloc from Samba3 then please read this
+      carefully, as talloc has changed a lot.
+    </para>
+    <para>
+      The new talloc is a hierarchical, reference counted memory pool
+      system with destructors.	Quite a mouthful really, but not too bad
+      once you get used to it.
+    </para>
+    <para>
+      Perhaps the biggest change from Samba3 is that there is no
+      distinction between a "talloc context" and a "talloc pointer".  Any
+      pointer returned from talloc() is itself a valid talloc context. 
+      This means you can do this:
+    </para>
+    <programlisting>
+    struct foo *X = talloc(mem_ctx, struct foo);
+    X->name = talloc_strdup(X, "foo");
+    </programlisting>
+    <para>
+      and the pointer <literal role="code">X-&gt;name</literal>
+      would be a "child" of the talloc context <literal
+      role="code">X</literal> which is itself a child of
+      <literal role="code">mem_ctx</literal>.  So if you do
+      <literal role="code">talloc_free(mem_ctx)</literal> then
+      it is all destroyed, whereas if you do <literal
+      role="code">talloc_free(X)</literal> then just <literal
+      role="code">X</literal> and <literal
+      role="code">X-&gt;name</literal> are destroyed, and if
+      you do <literal
+      role="code">talloc_free(X-&gt;name)</literal> then just
+      the name element of <literal role="code">X</literal> is
+      destroyed.
+    </para>
+    <para>
+      If you think about this, then what this effectively gives you is an
+      n-ary tree, where you can free any part of the tree with
+      talloc_free().
+    </para>
+    <para>
+      If you find this confusing, then I suggest you run the <literal
+      role="code">testsuite</literal> program to watch talloc
+      in action.  You may also like to add your own tests to <literal
+      role="code">testsuite.c</literal> to clarify how some
+      particular situation is handled.
+    </para>
+  </refsect1>
+  <refsect1><title>TALLOC API</title>
+    <para>
+      The following is a complete guide to the talloc API. Read it all at
+      least twice.
+    </para>
+    <refsect2><title>(type *)talloc(const void *ctx, type);</title>
+        <para>
+	  The talloc() macro is the core of the talloc library.  It takes a
+	  memory <emphasis role="italic">ctx</emphasis> and a <emphasis
+	  role="italic">type</emphasis>, and returns a pointer to a new
+	  area of memory of the given <emphasis
+	  role="italic">type</emphasis>.
+        </para>
+        <para>
+	  The returned pointer is itself a talloc context, so you can use
+	  it as the <emphasis role="italic">ctx</emphasis> argument to more
+	  calls to talloc() if you wish.
+        </para>
+        <para>
+	  The returned pointer is a "child" of the supplied context.  This
+	  means that if you talloc_free() the <emphasis
+	  role="italic">ctx</emphasis> then the new child disappears as
+	  well.  Alternatively you can free just the child.
+        </para>
+        <para>
+	  The <emphasis role="italic">ctx</emphasis> argument to talloc()
+	  can be NULL, in which case a new top level context is created.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_size(const void *ctx, size_t size);</title>
+        <para>
+	  The function talloc_size() should be used when you don't have a
+	  convenient type to pass to talloc().	Unlike talloc(), it is not
+	  type safe (as it returns a void *), so you are on your own for
+	  type checking.
+        </para>
+    </refsect2>
+    <refsect2><title>(typeof(ptr)) talloc_ptrtype(const void *ctx, ptr);</title>
+        <para>
+	  The talloc_ptrtype() macro should be used when you have a pointer and
+	  want to allocate memory to point at with this pointer. When compiling
+	  with gcc >= 3 it is typesafe. Note this is a wrapper of talloc_size()
+	  and talloc_get_name() will return the current location in the source file.
+	  and not the type.
+        </para>
+    </refsect2>
+    <refsect2><title>int talloc_free(void *ptr);</title>
+        <para>
+	  The talloc_free() function frees a piece of talloc memory, and
+	  all its children.  You can call talloc_free() on any pointer
+	  returned by talloc().
+        </para>
+        <para>
+	  The return value of talloc_free() indicates success or failure,
+	  with 0 returned for success and -1 for failure.  The only
+	  possible failure condition is if <emphasis
+	  role="italic">ptr</emphasis> had a destructor attached to it and
+	  the destructor returned -1.  See <link
+	  linkend="talloc_set_destructor"><quote>talloc_set_destructor()</quote></link>
+	  for details on destructors.
+        </para>
+        <para>
+	  If this pointer has an additional parent when talloc_free() is
+	  called then the memory is not actually released, but instead the
+	  most recently established parent is destroyed.  See <link
+	  linkend="talloc_reference"><quote>talloc_reference()</quote></link>
+	  for details on establishing additional parents.
+        </para>
+        <para>
+	  For more control on which parent is removed, see <link
+	  linkend="talloc_unlink"><quote>talloc_unlink()</quote></link>.
+        </para>
+        <para>
+	  talloc_free() operates recursively on its children.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_reference"><title>void *talloc_reference(const void *ctx, const void *ptr);</title>
+        <para>
+	  The talloc_reference() function makes <emphasis
+	  role="italic">ctx</emphasis> an additional parent of <emphasis
+	  role="italic">ptr</emphasis>.
+        </para>
+        <para>
+	  The return value of talloc_reference() is always the original
+	  pointer <emphasis role="italic">ptr</emphasis>, unless talloc ran
+	  out of memory in creating the reference in which case it will
+	  return NULL (each additional reference consumes around 48 bytes
+	  of memory on intel x86 platforms).
+        </para>
+        <para>
+	  If <emphasis role="italic">ptr</emphasis> is NULL, then the
+	  function is a no-op, and simply returns NULL.
+        </para>
+        <para>
+	  After creating a reference you can free it in one of the
+	  following ways:
+        </para>
+      <para>
+        <itemizedlist>
+          <listitem>
+            <para>
+	      you can talloc_free() any parent of the original pointer. 
+	      That will reduce the number of parents of this pointer by 1,
+	      and will cause this pointer to be freed if it runs out of
+	      parents.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+	      you can talloc_free() the pointer itself.  That will destroy
+	      the most recently established parent to the pointer and leave
+	      the pointer as a child of its current parent.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </para>
+      <para>
+	For more control on which parent to remove, see <link
+	linkend="talloc_unlink"><quote>talloc_unlink()</quote></link>.
+      </para>
+    </refsect2>
+    <refsect2 id="talloc_unlink"><title>int talloc_unlink(const void *ctx, const void *ptr);</title>
+        <para>
+	  The talloc_unlink() function removes a specific parent from
+	  <emphasis role="italic">ptr</emphasis>. The <emphasis
+	  role="italic">ctx</emphasis> passed must either be a context used
+	  in talloc_reference() with this pointer, or must be a direct
+	  parent of ptr.
+        </para>
+        <para>
+	  Note that if the parent has already been removed using
+	  talloc_free() then this function will fail and will return -1. 
+	  Likewise, if <emphasis role="italic">ptr</emphasis> is NULL, then
+	  the function will make no modifications and return -1.
+        </para>
+        <para>
+	  Usually you can just use talloc_free() instead of
+	  talloc_unlink(), but sometimes it is useful to have the
+	  additional control on which parent is removed.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_set_destructor"><title>void talloc_set_destructor(const void *ptr, int (*destructor)(void *));</title>
+        <para>
+	  The function talloc_set_destructor() sets the <emphasis
+	  role="italic">destructor</emphasis> for the pointer <emphasis
+	  role="italic">ptr</emphasis>.  A <emphasis
+	  role="italic">destructor</emphasis> is a function that is called
+	  when the memory used by a pointer is about to be released.  The
+	  destructor receives <emphasis role="italic">ptr</emphasis> as an
+	  argument, and should return 0 for success and -1 for failure.
+        </para>
+        <para>
+	  The <emphasis role="italic">destructor</emphasis> can do anything
+	  it wants to, including freeing other pieces of memory.  A common
+	  use for destructors is to clean up operating system resources
+	  (such as open file descriptors) contained in the structure the
+	  destructor is placed on.
+        </para>
+        <para>
+	  You can only place one destructor on a pointer.  If you need more
+	  than one destructor then you can create a zero-length child of
+	  the pointer and place an additional destructor on that.
+        </para>
+        <para>
+	  To remove a destructor call talloc_set_destructor() with NULL for
+	  the destructor.
+        </para>
+        <para>
+	  If your destructor attempts to talloc_free() the pointer that it
+	  is the destructor for then talloc_free() will return -1 and the
+	  free will be ignored.  This would be a pointless operation
+	  anyway, as the destructor is only called when the memory is just
+	  about to go away.
+        </para>
+    </refsect2>
+    <refsect2><title>int talloc_increase_ref_count(const void *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  The talloc_increase_ref_count(<emphasis
+	  role="italic">ptr</emphasis>) function is exactly equivalent to:
+        </para>
+        <programlisting>talloc_reference(NULL, ptr);</programlisting>
+        <para>
+	  You can use either syntax, depending on which you think is
+	  clearer in your code.
+        </para>
+        <para>
+	  It returns 0 on success and -1 on failure.
+        </para>
+    </refsect2>
+    <refsect2><title>size_t talloc_reference_count(const void *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  Return the number of references to the pointer.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_set_name"><title>void talloc_set_name(const void *ptr, const char *fmt, ...);</title>
+        <para>
+	  Each talloc pointer has a "name".  The name is used principally
+	  for debugging purposes, although it is also possible to set and
+	  get the name on a pointer in as a way of "marking" pointers in
+	  your code.
+        </para>
+        <para>
+	  The main use for names on pointer is for "talloc reports".  See
+	  <link
+	  linkend="talloc_report"><quote>talloc_report_depth_cb()</quote></link>,
+	  <link
+	  linkend="talloc_report"><quote>talloc_report_depth_file()</quote></link>,
+	  <link
+	  linkend="talloc_report"><quote>talloc_report()</quote></link>
+	  <link
+	  linkend="talloc_report"><quote>talloc_report()</quote></link>
+	  and <link
+	  linkend="talloc_report_full"><quote>talloc_report_full()</quote></link>
+	  for details.	Also see <link
+	  linkend="talloc_enable_leak_report"><quote>talloc_enable_leak_report()</quote></link>
+	  and <link
+	  linkend="talloc_enable_leak_report_full"><quote>talloc_enable_leak_report_full()</quote></link>.
+        </para>
+        <para>
+	  The talloc_set_name() function allocates memory as a child of the
+	  pointer.  It is logically equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, talloc_asprintf(ptr, fmt, ...));</programlisting>
+        <para>
+	  Note that multiple calls to talloc_set_name() will allocate more
+	  memory without releasing the name.  All of the memory is released
+	  when the ptr is freed using talloc_free().
+        </para>
+    </refsect2>
+    <refsect2><title>void talloc_set_name_const(const void *<emphasis role="italic">ptr</emphasis>, const char *<emphasis role="italic">name</emphasis>);</title>
+        <para>
+	  The function talloc_set_name_const() is just like
+	  talloc_set_name(), but it takes a string constant, and is much
+	  faster.  It is extensively used by the "auto naming" macros, such
+	  as talloc_p().
+        </para>
+        <para>
+	  This function does not allocate any memory.  It just copies the
+	  supplied pointer into the internal representation of the talloc
+	  ptr. This means you must not pass a <emphasis
+	  role="italic">name</emphasis> pointer to memory that will
+	  disappear before <emphasis role="italic">ptr</emphasis> is freed
+	  with talloc_free().
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_named(const void *<emphasis role="italic">ctx</emphasis>, size_t <emphasis role="italic">size</emphasis>, const char *<emphasis role="italic">fmt</emphasis>, ...);</title>
+        <para>
+	  The talloc_named() function creates a named talloc pointer.  It
+	  is equivalent to:
+        </para>
+        <programlisting>ptr = talloc_size(ctx, size);
+talloc_set_name(ptr, fmt, ....);</programlisting>
+    </refsect2>
+    <refsect2><title>void *talloc_named_const(const void *<emphasis role="italic">ctx</emphasis>, size_t <emphasis role="italic">size</emphasis>, const char *<emphasis role="italic">name</emphasis>);</title>
+        <para>
+	  This is equivalent to:
+        </para>
+        <programlisting>ptr = talloc_size(ctx, size);
+talloc_set_name_const(ptr, name);</programlisting>
+    </refsect2>
+    <refsect2><title>const char *talloc_get_name(const void *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  This returns the current name for the given talloc pointer,
+	  <emphasis role="italic">ptr</emphasis>. See <link
+	  linkend="talloc_set_name"><quote>talloc_set_name()</quote></link>
+	  for details.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_init(const char *<emphasis role="italic">fmt</emphasis>, ...);</title>
+        <para>
+	  This function creates a zero length named talloc context as a top
+	  level context.  It is equivalent to:
+        </para>
+        <programlisting>talloc_named(NULL, 0, fmt, ...);</programlisting>
+    </refsect2>
+    <refsect2><title>void *talloc_new(void *<emphasis role="italic">ctx</emphasis>);</title>
+        <para>
+	  This is a utility macro that creates a new memory context hanging
+	  off an exiting context, automatically naming it "talloc_new:
+	  __location__" where __location__ is the source line it is called
+	  from.  It is particularly useful for creating a new temporary
+	  working context.
+        </para>
+    </refsect2>
+    <refsect2><title>(<emphasis role="italic">type</emphasis> *)talloc_realloc(const void *<emphasis role="italic">ctx</emphasis>, void *<emphasis role="italic">ptr</emphasis>, <emphasis role="italic">type</emphasis>, <emphasis role="italic">count</emphasis>);</title>
+        <para>
+	  The talloc_realloc() macro changes the size of a talloc pointer. 
+	  It has the following equivalences:
+        </para>
+        <programlisting>talloc_realloc(ctx, NULL, type, 1) ==> talloc(ctx, type);
+talloc_realloc(ctx, ptr, type, 0)  ==> talloc_free(ptr);</programlisting>
+        <para>
+	  The <emphasis role="italic">ctx</emphasis> argument is only used
+	  if <emphasis role="italic">ptr</emphasis> is not NULL, otherwise
+	  it is ignored.
+        </para>
+        <para>
+	  talloc_realloc() returns the new pointer, or NULL on failure. 
+	  The call will fail either due to a lack of memory, or because the
+	  pointer has more than one parent (see <link
+	  linkend="talloc_reference"><quote>talloc_reference()</quote></link>).
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_realloc_size(const void *ctx, void *ptr, size_t size);</title>
+        <para>
+	  the talloc_realloc_size() function is useful when the type is not
+	  known so the type-safe talloc_realloc() cannot be used.
+        </para>
+    </refsect2>
+    <refsect2><title>TYPE *talloc_steal(const void *<emphasis role="italic">new_ctx</emphasis>, const TYPE *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  The talloc_steal() function changes the parent context of a
+	  talloc pointer.  It is typically used when the context that the
+	  pointer is currently a child of is going to be freed and you wish
+	  to keep the memory for a longer time.
+        </para>
+        <para>
+	  The talloc_steal() function returns the pointer that you pass it.
+	   It does not have any failure modes.
+        </para>
+        <para>
+	  NOTE: It is possible to produce loops in the parent/child
+	  relationship if you are not careful with talloc_steal().  No
+	  guarantees are provided as to your sanity or the safety of your
+	  data if you do this.
+        </para>
+    </refsect2>
+    <refsect2><title>TYPE *talloc_move(const void *<emphasis role="italic">new_ctx</emphasis>, TYPE **<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  The talloc_move() function is a wrapper around
+	  talloc_steal() which zeros the source pointer after the
+	  move. This avoids a potential source of bugs where a
+	  programmer leaves a pointer in two structures, and uses the
+	  pointer from the old structure after it has been moved to a
+	  new one.
+        </para>
+    </refsect2>
+    <refsect2><title>size_t talloc_total_size(const void *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  The talloc_total_size() function returns the total size in bytes
+	  used by this pointer and all child pointers.	Mostly useful for
+	  debugging.
+        </para>
+        <para>
+	  Passing NULL is allowed, but it will only give a meaningful
+	  result if talloc_enable_leak_report() or
+	  talloc_enable_leak_report_full() has been called.
+        </para>
+    </refsect2>
+    <refsect2><title>size_t talloc_total_blocks(const void *<emphasis role="italic">ptr</emphasis>);</title>
+        <para>
+	  The talloc_total_blocks() function returns the total memory block
+	  count used by this pointer and all child pointers.  Mostly useful
+	  for debugging.
+        </para>
+        <para>
+	  Passing NULL is allowed, but it will only give a meaningful
+	  result if talloc_enable_leak_report() or
+	  talloc_enable_leak_report_full() has been called.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_report"><title>void talloc_report(const void *ptr, FILE *f);</title>
+        <para>
+	  The talloc_report() function prints a summary report of all
+	  memory used by <emphasis role="italic">ptr</emphasis>.  One line
+	  of report is printed for each immediate child of ptr, showing the
+	  total memory and number of blocks used by that child.
+        </para>
+        <para>
+	  You can pass NULL for the pointer, in which case a report is
+	  printed for the top level memory context, but only if
+	  talloc_enable_leak_report() or talloc_enable_leak_report_full()
+	  has been called.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_report_full"><title>void talloc_report_full(const void *<emphasis role="italic">ptr</emphasis>, FILE *<emphasis role="italic">f</emphasis>);</title>
+        <para>
+	  This provides a more detailed report than talloc_report().  It
+	  will recursively print the entire tree of memory referenced by
+	  the pointer. References in the tree are shown by giving the name
+	  of the pointer that is referenced.
+        </para>
+        <para>
+	  You can pass NULL for the pointer, in which case a report is
+	  printed for the top level memory context, but only if
+	  talloc_enable_leak_report() or talloc_enable_leak_report_full()
+	  has been called.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_report_depth_cb">
+     <funcsynopsis><funcprototype>
+      <funcdef>void <function>talloc_report_depth_cb</function></funcdef>
+      <paramdef><parameter>const void *ptr</parameter></paramdef>
+      <paramdef><parameter>int depth</parameter></paramdef>
+      <paramdef><parameter>int max_depth</parameter></paramdef>
+      <paramdef><parameter>void (*callback)(const void *ptr, int depth, int max_depth, int is_ref, void *priv)</parameter></paramdef>
+      <paramdef><parameter>void *priv</parameter></paramdef>
+     </funcprototype></funcsynopsis>
+        <para>
+	  This provides a more flexible reports than talloc_report(). It
+	  will recursively call the callback for the entire tree of memory
+	  referenced by the pointer. References in the tree are passed with
+	  <emphasis role="italic">is_ref = 1</emphasis> and the pointer that is referenced.
+        </para>
+        <para>
+	  You can pass NULL for the pointer, in which case a report is
+	  printed for the top level memory context, but only if
+	  talloc_enable_leak_report() or talloc_enable_leak_report_full()
+	  has been called.
+        </para>
+        <para>
+	  The recursion is stopped when depth >= max_depth.
+	  max_depth = -1 means only stop at leaf nodes.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_report_depth_file">
+     <funcsynopsis><funcprototype>
+      <funcdef>void <function>talloc_report_depth_file</function></funcdef>
+      <paramdef><parameter>const void *ptr</parameter></paramdef>
+      <paramdef><parameter>int depth</parameter></paramdef>
+      <paramdef><parameter>int max_depth</parameter></paramdef>
+      <paramdef><parameter>FILE *f</parameter></paramdef>
+     </funcprototype></funcsynopsis>
+        <para>
+	  This provides a more flexible reports than talloc_report(). It
+	  will let you specify the depth and max_depth.
+        </para>
+    </refsect2>
+    <refsect2 id="talloc_enable_leak_report"><title>void talloc_enable_leak_report(void);</title>
+        <para>
+	  This enables calling of talloc_report(NULL, stderr) when the
+	  program exits.  In Samba4 this is enabled by using the
+	  --leak-report command line option.
+        </para>
+        <para>
+	  For it to be useful, this function must be called before any
+	  other talloc function as it establishes a "null context" that
+	  acts as the top of the tree.	If you don't call this function
+	  first then passing NULL to talloc_report() or
+	  talloc_report_full() won't give you the full tree printout.
+        </para>
+        <para>
+	  Here is a typical talloc report:
+        </para>
+        <screen format="linespecific">talloc report on 'null_context' (total 267 bytes in 15 blocks)
+libcli/auth/spnego_parse.c:55  contains   31 bytes in   2 blocks
+libcli/auth/spnego_parse.c:55  contains   31 bytes in   2 blocks
+iconv(UTF8,CP850)              contains   42 bytes in   2 blocks
+libcli/auth/spnego_parse.c:55  contains   31 bytes in   2 blocks
+iconv(CP850,UTF8)              contains   42 bytes in   2 blocks
+iconv(UTF8,UTF-16LE)           contains   45 bytes in   2 blocks
+iconv(UTF-16LE,UTF8)           contains   45 bytes in   2 blocks
+      </screen>
+    </refsect2>
+    <refsect2 id="talloc_enable_leak_report_full"><title>void talloc_enable_leak_report_full(void);</title>
+        <para>
+	  This enables calling of talloc_report_full(NULL, stderr) when the
+	  program exits.  In Samba4 this is enabled by using the
+	  --leak-report-full command line option.
+        </para>
+        <para>
+	  For it to be useful, this function must be called before any
+	  other talloc function as it establishes a "null context" that
+	  acts as the top of the tree.	If you don't call this function
+	  first then passing NULL to talloc_report() or
+	  talloc_report_full() won't give you the full tree printout.
+        </para>
+        <para>
+	  Here is a typical full report:
+        </para>
+        <screen format="linespecific">full talloc report on 'root' (total 18 bytes in 8 blocks)
+p1               contains     18 bytes in   7 blocks (ref 0)
+    r1               contains     13 bytes in   2 blocks (ref 0)
+        reference to: p2
+    p2               contains      1 bytes in   1 blocks (ref 1)
+    x3               contains      1 bytes in   1 blocks (ref 0)
+    x2               contains      1 bytes in   1 blocks (ref 0)
+    x1               contains      1 bytes in   1 blocks (ref 0)
+      </screen>
+    </refsect2>
+    <refsect2><title>(<emphasis role="italic">type</emphasis> *)talloc_zero(const void *<emphasis role="italic">ctx</emphasis>, <emphasis role="italic">type</emphasis>);</title>
+        <para>
+	  The talloc_zero() macro is equivalent to:
+        </para>
+        <programlisting>ptr = talloc(ctx, type);
+if (ptr) memset(ptr, 0, sizeof(type));</programlisting>
+    </refsect2>
+    <refsect2><title>void *talloc_zero_size(const void *<emphasis role="italic">ctx</emphasis>, size_t <emphasis role="italic">size</emphasis>)</title>
+        <para>
+	  The talloc_zero_size() function is useful when you don't have a
+	  known type.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_memdup(const void *<emphasis role="italic">ctx</emphasis>, const void *<emphasis role="italic">p</emphasis>, size_t size);</title>
+        <para>
+	  The talloc_memdup() function is equivalent to:
+        </para>
+        <programlisting>ptr = talloc_size(ctx, size);
+if (ptr) memcpy(ptr, p, size);</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_strdup(const void *<emphasis role="italic">ctx</emphasis>, const char *<emphasis role="italic">p</emphasis>);</title>
+        <para>
+	  The talloc_strdup() function is equivalent to:
+        </para>
+        <programlisting>ptr = talloc_size(ctx, strlen(p)+1);
+if (ptr) memcpy(ptr, p, strlen(p)+1);</programlisting>
+        <para>
+	  This function sets the name of the new pointer to the passed
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_strndup(const void *<emphasis role="italic">t</emphasis>, const char *<emphasis role="italic">p</emphasis>, size_t <emphasis role="italic">n</emphasis>);</title>
+        <para>
+	  The talloc_strndup() function is the talloc equivalent of the C
+	  library function strndup(3).
+        </para>
+        <para>
+	  This function sets the name of the new pointer to the passed
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_append_string(const void *<emphasis role="italic">t</emphasis>, char *<emphasis role="italic">orig</emphasis>, const char *<emphasis role="italic">append</emphasis>);</title>
+        <para>
+	  The talloc_append_string() function appends the given formatted
+	  string to the given string.
+        </para>
+        <para>
+	  This function sets the name of the new pointer to the new
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_vasprintf(const void *<emphasis role="italic">t</emphasis>, const char *<emphasis role="italic">fmt</emphasis>, va_list <emphasis role="italic">ap</emphasis>);</title>
+        <para>
+	  The talloc_vasprintf() function is the talloc equivalent of the C
+	  library function vasprintf(3).
+        </para>
+        <para>
+	  This function sets the name of the new pointer to the new
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_asprintf(const void *<emphasis role="italic">t</emphasis>, const char *<emphasis role="italic">fmt</emphasis>, ...);</title>
+        <para>
+	  The talloc_asprintf() function is the talloc equivalent of the C
+	  library function asprintf(3).
+        </para>
+        <para>
+	  This function sets the name of the new pointer to the passed
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>char *talloc_asprintf_append(char *s, const char *fmt, ...);</title>
+        <para>
+	  The talloc_asprintf_append() function appends the given formatted
+	  string to the given string.
+        </para>
+        <para>
+	  This function sets the name of the new pointer to the new
+	  string. This is equivalent to:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, ptr)</programlisting>
+    </refsect2>
+    <refsect2><title>(type *)talloc_array(const void *ctx, type, uint_t count);</title>
+        <para>
+	  The talloc_array() macro is equivalent to:
+        </para>
+        <programlisting>(type *)talloc_size(ctx, sizeof(type) * count);</programlisting>
+        <para>
+	  except that it provides integer overflow protection for the
+	  multiply, returning NULL if the multiply overflows.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_array_size(const void *ctx, size_t size, uint_t count);</title>
+        <para>
+	  The talloc_array_size() function is useful when the type is not
+	  known. It operates in the same way as talloc_array(), but takes a
+	  size instead of a type.
+        </para>
+    </refsect2>
+    <refsect2><title>(typeof(ptr)) talloc_array_ptrtype(const void *ctx, ptr, uint_t count);</title>
+        <para>
+	  The talloc_ptrtype() macro should be used when you have a pointer to an array
+	  and want to allocate memory of an array to point at with this pointer. When compiling
+	  with gcc >= 3 it is typesafe. Note this is a wrapper of talloc_array_size()
+	  and talloc_get_name() will return the current location in the source file.
+	  and not the type.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_realloc_fn(const void *ctx, void *ptr, size_t size)</title>
+        <para>
+	  This is a non-macro version of talloc_realloc(), which is useful
+	  as libraries sometimes want a realloc function pointer.  A
+	  realloc(3) implementation encapsulates the functionality of
+	  malloc(3), free(3) and realloc(3) in one call, which is why it is
+	  useful to be able to pass around a single function pointer.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_autofree_context(void);</title>
+        <para>
+	  This is a handy utility function that returns a talloc context
+	  which will be automatically freed on program exit.  This can be
+	  used to reduce the noise in memory leak reports.
+        </para>
+    </refsect2>
+    <refsect2><title>void *talloc_check_name(const void *ptr, const char *name);</title>
+        <para>
+	  This function checks if a pointer has the specified <emphasis
+	  role="italic">name</emphasis>.  If it does then the pointer is
+	  returned.  It it doesn't then NULL is returned.
+        </para>
+    </refsect2>
+    <refsect2><title>(type *)talloc_get_type(const void *ptr, type);</title>
+        <para>
+	  This macro allows you to do type checking on talloc pointers.  It
+	  is particularly useful for void* private pointers.  It is
+	  equivalent to this:
+        </para>
+        <programlisting>(type *)talloc_check_name(ptr, #type)</programlisting>
+    </refsect2>
+    <refsect2><title>talloc_set_type(const void *ptr, type);</title>
+        <para>
+	  This macro allows you to force the name of a pointer to be a
+	  particular <emphasis>type</emphasis>.  This can be
+	  used in conjunction with talloc_get_type() to do type checking on
+	  void* pointers.
+        </para>
+        <para>
+	  It is equivalent to this:
+        </para>
+        <programlisting>talloc_set_name_const(ptr, #type)</programlisting>
+    </refsect2>
+  </refsect1>
+  <refsect1><title>PERFORMANCE</title>
+    <para>
+      All the additional features of talloc(3) over malloc(3) do come at a
+      price.  We have a simple performance test in Samba4 that measures
+      talloc() versus malloc() performance, and it seems that talloc() is
+      about 10% slower than malloc() on my x86 Debian Linux box.  For
+      Samba, the great reduction in code complexity that we get by using
+      talloc makes this worthwhile, especially as the total overhead of
+      talloc/malloc in Samba is already quite small.
+    </para>
+  </refsect1>
+  <refsect1><title>SEE ALSO</title>
+    <para>
+      malloc(3), strndup(3), vasprintf(3), asprintf(3), 
+      <ulink url="http://talloc.samba.org/"/>
+    </para>
+  </refsect1>
+  <refsect1><title>COPYRIGHT/LICENSE</title>
+    <para>
+      Copyright (C) Andrew Tridgell 2004
+    </para>
+    <para>
+      This program is free software; you can redistribute it and/or modify
+      it under the terms of the GNU General Public License as published by
+      the Free Software Foundation; either version 3 of the License, or (at
+      your option) any later version.
+    </para>
+    <para>
+      This program is distributed in the hope that it will be useful, but
+      WITHOUT ANY WARRANTY; without even the implied warranty of
+      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+      General Public License for more details.
+    </para>
+    <para>
+      You should have received a copy of the GNU General Public License
+      along with this program; if not, see http://www.gnu.org/licenses/.
+    </para>
+  </refsect1>
+</refentry>
diff --git a/source3/lib/talloc/talloc.c b/source3/lib/talloc/talloc.c
new file mode 100644
index 0000000000..1f7e52439f
--- /dev/null
+++ b/source3/lib/talloc/talloc.c
@@ -0,0 +1,1732 @@
+/* 
+   Samba Unix SMB/CIFS implementation.
+
+   Samba trivial allocation library - new interface
+
+   NOTE: Please read talloc_guide.txt for full documentation
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Stefan Metzmacher 2006
+   
+     ** NOTE! The following LGPL license applies to the talloc
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+  inspired by http://swapped.cc/halloc/
+*/
+
+#ifdef _SAMBA_BUILD_
+#include "version.h"
+#if (SAMBA_VERSION_MAJOR<4)
+#include "includes.h"
+/* This is to circumvent SAMBA3's paranoid malloc checker. Here in this file
+ * we trust ourselves... */
+#ifdef malloc
+#undef malloc
+#endif
+#ifdef realloc
+#undef realloc
+#endif
+#define _TALLOC_SAMBA3
+#endif /* (SAMBA_VERSION_MAJOR<4) */
+#endif /* _SAMBA_BUILD_ */
+
+#ifndef _TALLOC_SAMBA3
+#include "replace.h"
+#include "talloc.h"
+#endif /* not _TALLOC_SAMBA3 */
+
+/* use this to force every realloc to change the pointer, to stress test
+   code that might not cope */
+#define ALWAYS_REALLOC 0
+
+
+#define MAX_TALLOC_SIZE 0x10000000
+#define TALLOC_MAGIC 0xe814ec70
+#define TALLOC_FLAG_FREE 0x01
+#define TALLOC_FLAG_LOOP 0x02
+#define TALLOC_FLAG_POOL 0x04		/* This is a talloc pool */
+#define TALLOC_FLAG_POOLMEM 0x08	/* This is allocated in a pool */
+#define TALLOC_MAGIC_REFERENCE ((const char *)1)
+
+/* by default we abort when given a bad pointer (such as when talloc_free() is called 
+   on a pointer that came from malloc() */
+#ifndef TALLOC_ABORT
+#define TALLOC_ABORT(reason) abort()
+#endif
+
+#ifndef discard_const_p
+#if defined(__intptr_t_defined) || defined(HAVE_INTPTR_T)
+# define discard_const_p(type, ptr) ((type *)((intptr_t)(ptr)))
+#else
+# define discard_const_p(type, ptr) ((type *)(ptr))
+#endif
+#endif
+
+/* these macros gain us a few percent of speed on gcc */
+#if (__GNUC__ >= 3)
+/* the strange !! is to ensure that __builtin_expect() takes either 0 or 1
+   as its first argument */
+#ifndef likely
+#define likely(x)   __builtin_expect(!!(x), 1)
+#endif
+#ifndef unlikely
+#define unlikely(x) __builtin_expect(!!(x), 0)
+#endif
+#else
+#ifndef likely
+#define likely(x) (x)
+#endif
+#ifndef unlikely
+#define unlikely(x) (x)
+#endif
+#endif
+
+/* this null_context is only used if talloc_enable_leak_report() or
+   talloc_enable_leak_report_full() is called, otherwise it remains
+   NULL
+*/
+static void *null_context;
+static void *autofree_context;
+
+struct talloc_reference_handle {
+	struct talloc_reference_handle *next, *prev;
+	void *ptr;
+};
+
+typedef int (*talloc_destructor_t)(void *);
+
+struct talloc_chunk {
+	struct talloc_chunk *next, *prev;
+	struct talloc_chunk *parent, *child;
+	struct talloc_reference_handle *refs;
+	talloc_destructor_t destructor;
+	const char *name;
+	size_t size;
+	unsigned flags;
+
+	/*
+	 * "pool" has dual use:
+	 *
+	 * For the talloc pool itself (i.e. TALLOC_FLAG_POOL is set), "pool"
+	 * marks the end of the currently allocated area.
+	 *
+	 * For members of the pool (i.e. TALLOC_FLAG_POOLMEM is set), "pool"
+	 * is a pointer to the struct talloc_chunk of the pool that it was
+	 * allocated from. This way children can quickly find the pool to chew
+	 * from.
+	 */
+	void *pool;
+};
+
+/* 16 byte alignment seems to keep everyone happy */
+#define TC_HDR_SIZE ((sizeof(struct talloc_chunk)+15)&~15)
+#define TC_PTR_FROM_CHUNK(tc) ((void *)(TC_HDR_SIZE + (char*)tc))
+
+static void talloc_abort_double_free(void)
+{
+	TALLOC_ABORT("Bad talloc magic value - double free"); 
+}
+
+static void talloc_abort_unknown_value(void)
+{
+	TALLOC_ABORT("Bad talloc magic value - unknown value"); 
+}
+
+/* panic if we get a bad magic value */
+static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
+{
+	const char *pp = (const char *)ptr;
+	struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
+	if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~0xF)) != TALLOC_MAGIC)) { 
+		if (tc->flags & TALLOC_FLAG_FREE) {
+			talloc_abort_double_free();
+		} else {
+			talloc_abort_unknown_value();
+		}
+	}
+	return tc;
+}
+
+/* hook into the front of the list */
+#define _TLIST_ADD(list, p) \
+do { \
+        if (!(list)) { \
+		(list) = (p); \
+		(p)->next = (p)->prev = NULL; \
+	} else { \
+		(list)->prev = (p); \
+		(p)->next = (list); \
+		(p)->prev = NULL; \
+		(list) = (p); \
+	}\
+} while (0)
+
+/* remove an element from a list - element doesn't have to be in list. */
+#define _TLIST_REMOVE(list, p) \
+do { \
+	if ((p) == (list)) { \
+		(list) = (p)->next; \
+		if (list) (list)->prev = NULL; \
+	} else { \
+		if ((p)->prev) (p)->prev->next = (p)->next; \
+		if ((p)->next) (p)->next->prev = (p)->prev; \
+	} \
+	if ((p) && ((p) != (list))) (p)->next = (p)->prev = NULL; \
+} while (0)
+
+
+/*
+  return the parent chunk of a pointer
+*/
+static inline struct talloc_chunk *talloc_parent_chunk(const void *ptr)
+{
+	struct talloc_chunk *tc;
+
+	if (unlikely(ptr == NULL)) {
+		return NULL;
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+	while (tc->prev) tc=tc->prev;
+
+	return tc->parent;
+}
+
+void *talloc_parent(const void *ptr)
+{
+	struct talloc_chunk *tc = talloc_parent_chunk(ptr);
+	return tc? TC_PTR_FROM_CHUNK(tc) : NULL;
+}
+
+/*
+  find parents name
+*/
+const char *talloc_parent_name(const void *ptr)
+{
+	struct talloc_chunk *tc = talloc_parent_chunk(ptr);
+	return tc? tc->name : NULL;
+}
+
+/*
+  A pool carries an in-pool object count count in the first 16 bytes.
+  bytes. This is done to support talloc_steal() to a parent outside of the
+  pool. The count includes the pool itself, so a talloc_free() on a pool will
+  only destroy the pool if the count has dropped to zero. A talloc_free() of a
+  pool member will reduce the count, and eventually also call free(3) on the
+  pool memory.
+
+  The object count is not put into "struct talloc_chunk" because it is only
+  relevant for talloc pools and the alignment to 16 bytes would increase the
+  memory footprint of each talloc chunk by those 16 bytes.
+*/
+
+#define TALLOC_POOL_HDR_SIZE 16
+
+static unsigned int *talloc_pool_objectcount(struct talloc_chunk *tc)
+{
+	return (unsigned int *)((char *)tc + sizeof(struct talloc_chunk));
+}
+
+/*
+  Allocate from a pool
+*/
+
+static struct talloc_chunk *talloc_alloc_pool(struct talloc_chunk *parent,
+					      size_t size)
+{
+	struct talloc_chunk *pool_ctx = NULL;
+	size_t space_left;
+	struct talloc_chunk *result;
+	size_t chunk_size;
+
+	if (parent == NULL) {
+		return NULL;
+	}
+
+	if (parent->flags & TALLOC_FLAG_POOL) {
+		pool_ctx = parent;
+	}
+	else if (parent->flags & TALLOC_FLAG_POOLMEM) {
+		pool_ctx = (struct talloc_chunk *)parent->pool;
+	}
+
+	if (pool_ctx == NULL) {
+		return NULL;
+	}
+
+	space_left = ((char *)pool_ctx + TC_HDR_SIZE + pool_ctx->size)
+		- ((char *)pool_ctx->pool);
+
+	/*
+	 * Align size to 16 bytes
+	 */
+	chunk_size = ((size + 15) & ~15);
+
+	if (space_left < chunk_size) {
+		return NULL;
+	}
+
+	result = (struct talloc_chunk *)pool_ctx->pool;
+
+#if defined(DEVELOPER) && defined(VALGRIND_MAKE_MEM_UNDEFINED)
+	VALGRIND_MAKE_MEM_UNDEFINED(result, size);
+#endif
+
+	pool_ctx->pool = (void *)((char *)result + chunk_size);
+
+	result->flags = TALLOC_MAGIC | TALLOC_FLAG_POOLMEM;
+	result->pool = pool_ctx;
+
+	*talloc_pool_objectcount(pool_ctx) += 1;
+
+	return result;
+}
+
+/* 
+   Allocate a bit of memory as a child of an existing pointer
+*/
+static inline void *__talloc(const void *context, size_t size)
+{
+	struct talloc_chunk *tc = NULL;
+
+	if (unlikely(context == NULL)) {
+		context = null_context;
+	}
+
+	if (unlikely(size >= MAX_TALLOC_SIZE)) {
+		return NULL;
+	}
+
+	if (context != NULL) {
+		tc = talloc_alloc_pool(talloc_chunk_from_ptr(context),
+				       TC_HDR_SIZE+size);
+	}
+
+	if (tc == NULL) {
+		tc = (struct talloc_chunk *)malloc(TC_HDR_SIZE+size);
+		if (unlikely(tc == NULL)) return NULL;
+		tc->flags = TALLOC_MAGIC;
+		tc->pool  = NULL;
+	}
+
+	tc->size = size;
+	tc->destructor = NULL;
+	tc->child = NULL;
+	tc->name = NULL;
+	tc->refs = NULL;
+
+	if (likely(context)) {
+		struct talloc_chunk *parent = talloc_chunk_from_ptr(context);
+
+		if (parent->child) {
+			parent->child->parent = NULL;
+			tc->next = parent->child;
+			tc->next->prev = tc;
+		} else {
+			tc->next = NULL;
+		}
+		tc->parent = parent;
+		tc->prev = NULL;
+		parent->child = tc;
+	} else {
+		tc->next = tc->prev = tc->parent = NULL;
+	}
+
+	return TC_PTR_FROM_CHUNK(tc);
+}
+
+/*
+ * Create a talloc pool
+ */
+
+void *talloc_pool(const void *context, size_t size)
+{
+	void *result = __talloc(context, size + TALLOC_POOL_HDR_SIZE);
+	struct talloc_chunk *tc;
+
+	if (unlikely(result == NULL)) {
+		return NULL;
+	}
+
+	tc = talloc_chunk_from_ptr(result);
+
+	tc->flags |= TALLOC_FLAG_POOL;
+	tc->pool = (char *)result + TALLOC_POOL_HDR_SIZE;
+
+	*talloc_pool_objectcount(tc) = 1;
+
+#if defined(DEVELOPER) && defined(VALGRIND_MAKE_MEM_NOACCESS)
+	VALGRIND_MAKE_MEM_NOACCESS(tc->pool, size);
+#endif
+
+	return result;
+}
+
+/*
+  setup a destructor to be called on free of a pointer
+  the destructor should return 0 on success, or -1 on failure.
+  if the destructor fails then the free is failed, and the memory can
+  be continued to be used
+*/
+void _talloc_set_destructor(const void *ptr, int (*destructor)(void *))
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	tc->destructor = destructor;
+}
+
+/*
+  increase the reference count on a piece of memory. 
+*/
+int talloc_increase_ref_count(const void *ptr)
+{
+	if (unlikely(!talloc_reference(null_context, ptr))) {
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  helper for talloc_reference()
+
+  this is referenced by a function pointer and should not be inline
+*/
+static int talloc_reference_destructor(struct talloc_reference_handle *handle)
+{
+	struct talloc_chunk *ptr_tc = talloc_chunk_from_ptr(handle->ptr);
+	_TLIST_REMOVE(ptr_tc->refs, handle);
+	return 0;
+}
+
+/*
+   more efficient way to add a name to a pointer - the name must point to a 
+   true string constant
+*/
+static inline void _talloc_set_name_const(const void *ptr, const char *name)
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	tc->name = name;
+}
+
+/*
+  internal talloc_named_const()
+*/
+static inline void *_talloc_named_const(const void *context, size_t size, const char *name)
+{
+	void *ptr;
+
+	ptr = __talloc(context, size);
+	if (unlikely(ptr == NULL)) {
+		return NULL;
+	}
+
+	_talloc_set_name_const(ptr, name);
+
+	return ptr;
+}
+
+/*
+  make a secondary reference to a pointer, hanging off the given context.
+  the pointer remains valid until both the original caller and this given
+  context are freed.
+  
+  the major use for this is when two different structures need to reference the 
+  same underlying data, and you want to be able to free the two instances separately,
+  and in either order
+*/
+void *_talloc_reference(const void *context, const void *ptr)
+{
+	struct talloc_chunk *tc;
+	struct talloc_reference_handle *handle;
+	if (unlikely(ptr == NULL)) return NULL;
+
+	tc = talloc_chunk_from_ptr(ptr);
+	handle = (struct talloc_reference_handle *)_talloc_named_const(context,
+						   sizeof(struct talloc_reference_handle),
+						   TALLOC_MAGIC_REFERENCE);
+	if (unlikely(handle == NULL)) return NULL;
+
+	/* note that we hang the destructor off the handle, not the
+	   main context as that allows the caller to still setup their
+	   own destructor on the context if they want to */
+	talloc_set_destructor(handle, talloc_reference_destructor);
+	handle->ptr = discard_const_p(void, ptr);
+	_TLIST_ADD(tc->refs, handle);
+	return handle->ptr;
+}
+
+
+/* 
+   internal talloc_free call
+*/
+static inline int _talloc_free(void *ptr)
+{
+	struct talloc_chunk *tc;
+
+	if (unlikely(ptr == NULL)) {
+		return -1;
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	if (unlikely(tc->refs)) {
+		int is_child;
+		/* check this is a reference from a child or grantchild
+		 * back to it's parent or grantparent
+		 *
+		 * in that case we need to remove the reference and
+		 * call another instance of talloc_free() on the current
+		 * pointer.
+		 */
+		is_child = talloc_is_parent(tc->refs, ptr);
+		_talloc_free(tc->refs);
+		if (is_child) {
+			return _talloc_free(ptr);
+		}
+		return -1;
+	}
+
+	if (unlikely(tc->flags & TALLOC_FLAG_LOOP)) {
+		/* we have a free loop - stop looping */
+		return 0;
+	}
+
+	if (unlikely(tc->destructor)) {
+		talloc_destructor_t d = tc->destructor;
+		if (d == (talloc_destructor_t)-1) {
+			return -1;
+		}
+		tc->destructor = (talloc_destructor_t)-1;
+		if (d(ptr) == -1) {
+			tc->destructor = d;
+			return -1;
+		}
+		tc->destructor = NULL;
+	}
+
+	if (tc->parent) {
+		_TLIST_REMOVE(tc->parent->child, tc);
+		if (tc->parent->child) {
+			tc->parent->child->parent = tc->parent;
+		}
+	} else {
+		if (tc->prev) tc->prev->next = tc->next;
+		if (tc->next) tc->next->prev = tc->prev;
+	}
+
+	tc->flags |= TALLOC_FLAG_LOOP;
+
+	while (tc->child) {
+		/* we need to work out who will own an abandoned child
+		   if it cannot be freed. In priority order, the first
+		   choice is owner of any remaining reference to this
+		   pointer, the second choice is our parent, and the
+		   final choice is the null context. */
+		void *child = TC_PTR_FROM_CHUNK(tc->child);
+		const void *new_parent = null_context;
+		if (unlikely(tc->child->refs)) {
+			struct talloc_chunk *p = talloc_parent_chunk(tc->child->refs);
+			if (p) new_parent = TC_PTR_FROM_CHUNK(p);
+		}
+		if (unlikely(_talloc_free(child) == -1)) {
+			if (new_parent == null_context) {
+				struct talloc_chunk *p = talloc_parent_chunk(ptr);
+				if (p) new_parent = TC_PTR_FROM_CHUNK(p);
+			}
+			talloc_steal(new_parent, child);
+		}
+	}
+
+	tc->flags |= TALLOC_FLAG_FREE;
+
+	if (tc->flags & (TALLOC_FLAG_POOL|TALLOC_FLAG_POOLMEM)) {
+		struct talloc_chunk *pool;
+		unsigned int *pool_object_count;
+
+		pool = (tc->flags & TALLOC_FLAG_POOL)
+			? tc : (struct talloc_chunk *)tc->pool;
+
+		pool_object_count = talloc_pool_objectcount(pool);
+
+		if (*pool_object_count == 0) {
+			TALLOC_ABORT("Pool object count zero!");
+		}
+
+		*pool_object_count -= 1;
+
+		if (*pool_object_count == 0) {
+			free(pool);
+		}
+	}
+	else {
+		free(tc);
+	}
+	return 0;
+}
+
+/* 
+   move a lump of memory from one talloc context to another return the
+   ptr on success, or NULL if it could not be transferred.
+   passing NULL as ptr will always return NULL with no side effects.
+*/
+void *_talloc_steal(const void *new_ctx, const void *ptr)
+{
+	struct talloc_chunk *tc, *new_tc;
+
+	if (unlikely(!ptr)) {
+		return NULL;
+	}
+
+	if (unlikely(new_ctx == NULL)) {
+		new_ctx = null_context;
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	if (unlikely(new_ctx == NULL)) {
+		if (tc->parent) {
+			_TLIST_REMOVE(tc->parent->child, tc);
+			if (tc->parent->child) {
+				tc->parent->child->parent = tc->parent;
+			}
+		} else {
+			if (tc->prev) tc->prev->next = tc->next;
+			if (tc->next) tc->next->prev = tc->prev;
+		}
+		
+		tc->parent = tc->next = tc->prev = NULL;
+		return discard_const_p(void, ptr);
+	}
+
+	new_tc = talloc_chunk_from_ptr(new_ctx);
+
+	if (unlikely(tc == new_tc || tc->parent == new_tc)) {
+		return discard_const_p(void, ptr);
+	}
+
+	if (tc->parent) {
+		_TLIST_REMOVE(tc->parent->child, tc);
+		if (tc->parent->child) {
+			tc->parent->child->parent = tc->parent;
+		}
+	} else {
+		if (tc->prev) tc->prev->next = tc->next;
+		if (tc->next) tc->next->prev = tc->prev;
+	}
+
+	tc->parent = new_tc;
+	if (new_tc->child) new_tc->child->parent = NULL;
+	_TLIST_ADD(new_tc->child, tc);
+
+	return discard_const_p(void, ptr);
+}
+
+
+
+/*
+  remove a secondary reference to a pointer. This undo's what
+  talloc_reference() has done. The context and pointer arguments
+  must match those given to a talloc_reference()
+*/
+static inline int talloc_unreference(const void *context, const void *ptr)
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	struct talloc_reference_handle *h;
+
+	if (unlikely(context == NULL)) {
+		context = null_context;
+	}
+
+	for (h=tc->refs;h;h=h->next) {
+		struct talloc_chunk *p = talloc_parent_chunk(h);
+		if (p == NULL) {
+			if (context == NULL) break;
+		} else if (TC_PTR_FROM_CHUNK(p) == context) {
+			break;
+		}
+	}
+	if (h == NULL) {
+		return -1;
+	}
+
+	return _talloc_free(h);
+}
+
+/*
+  remove a specific parent context from a pointer. This is a more
+  controlled varient of talloc_free()
+*/
+int talloc_unlink(const void *context, void *ptr)
+{
+	struct talloc_chunk *tc_p, *new_p;
+	void *new_parent;
+
+	if (ptr == NULL) {
+		return -1;
+	}
+
+	if (context == NULL) {
+		context = null_context;
+	}
+
+	if (talloc_unreference(context, ptr) == 0) {
+		return 0;
+	}
+
+	if (context == NULL) {
+		if (talloc_parent_chunk(ptr) != NULL) {
+			return -1;
+		}
+	} else {
+		if (talloc_chunk_from_ptr(context) != talloc_parent_chunk(ptr)) {
+			return -1;
+		}
+	}
+	
+	tc_p = talloc_chunk_from_ptr(ptr);
+
+	if (tc_p->refs == NULL) {
+		return _talloc_free(ptr);
+	}
+
+	new_p = talloc_parent_chunk(tc_p->refs);
+	if (new_p) {
+		new_parent = TC_PTR_FROM_CHUNK(new_p);
+	} else {
+		new_parent = NULL;
+	}
+
+	if (talloc_unreference(new_parent, ptr) != 0) {
+		return -1;
+	}
+
+	talloc_steal(new_parent, ptr);
+
+	return 0;
+}
+
+/*
+  add a name to an existing pointer - va_list version
+*/
+static inline const char *talloc_set_name_v(const void *ptr, const char *fmt, va_list ap) PRINTF_ATTRIBUTE(2,0);
+
+static inline const char *talloc_set_name_v(const void *ptr, const char *fmt, va_list ap)
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	tc->name = talloc_vasprintf(ptr, fmt, ap);
+	if (likely(tc->name)) {
+		_talloc_set_name_const(tc->name, ".name");
+	}
+	return tc->name;
+}
+
+/*
+  add a name to an existing pointer
+*/
+const char *talloc_set_name(const void *ptr, const char *fmt, ...)
+{
+	const char *name;
+	va_list ap;
+	va_start(ap, fmt);
+	name = talloc_set_name_v(ptr, fmt, ap);
+	va_end(ap);
+	return name;
+}
+
+
+/*
+  create a named talloc pointer. Any talloc pointer can be named, and
+  talloc_named() operates just like talloc() except that it allows you
+  to name the pointer.
+*/
+void *talloc_named(const void *context, size_t size, const char *fmt, ...)
+{
+	va_list ap;
+	void *ptr;
+	const char *name;
+
+	ptr = __talloc(context, size);
+	if (unlikely(ptr == NULL)) return NULL;
+
+	va_start(ap, fmt);
+	name = talloc_set_name_v(ptr, fmt, ap);
+	va_end(ap);
+
+	if (unlikely(name == NULL)) {
+		_talloc_free(ptr);
+		return NULL;
+	}
+
+	return ptr;
+}
+
+/*
+  return the name of a talloc ptr, or "UNNAMED"
+*/
+const char *talloc_get_name(const void *ptr)
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	if (unlikely(tc->name == TALLOC_MAGIC_REFERENCE)) {
+		return ".reference";
+	}
+	if (likely(tc->name)) {
+		return tc->name;
+	}
+	return "UNNAMED";
+}
+
+
+/*
+  check if a pointer has the given name. If it does, return the pointer,
+  otherwise return NULL
+*/
+void *talloc_check_name(const void *ptr, const char *name)
+{
+	const char *pname;
+	if (unlikely(ptr == NULL)) return NULL;
+	pname = talloc_get_name(ptr);
+	if (likely(pname == name || strcmp(pname, name) == 0)) {
+		return discard_const_p(void, ptr);
+	}
+	return NULL;
+}
+
+
+/*
+  this is for compatibility with older versions of talloc
+*/
+void *talloc_init(const char *fmt, ...)
+{
+	va_list ap;
+	void *ptr;
+	const char *name;
+
+	/*
+	 * samba3 expects talloc_report_depth_cb(NULL, ...)
+	 * reports all talloc'ed memory, so we need to enable
+	 * null_tracking
+	 */
+	talloc_enable_null_tracking();
+
+	ptr = __talloc(NULL, 0);
+	if (unlikely(ptr == NULL)) return NULL;
+
+	va_start(ap, fmt);
+	name = talloc_set_name_v(ptr, fmt, ap);
+	va_end(ap);
+
+	if (unlikely(name == NULL)) {
+		_talloc_free(ptr);
+		return NULL;
+	}
+
+	return ptr;
+}
+
+/*
+  this is a replacement for the Samba3 talloc_destroy_pool functionality. It
+  should probably not be used in new code. It's in here to keep the talloc
+  code consistent across Samba 3 and 4.
+*/
+void talloc_free_children(void *ptr)
+{
+	struct talloc_chunk *tc;
+
+	if (unlikely(ptr == NULL)) {
+		return;
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	while (tc->child) {
+		/* we need to work out who will own an abandoned child
+		   if it cannot be freed. In priority order, the first
+		   choice is owner of any remaining reference to this
+		   pointer, the second choice is our parent, and the
+		   final choice is the null context. */
+		void *child = TC_PTR_FROM_CHUNK(tc->child);
+		const void *new_parent = null_context;
+		if (unlikely(tc->child->refs)) {
+			struct talloc_chunk *p = talloc_parent_chunk(tc->child->refs);
+			if (p) new_parent = TC_PTR_FROM_CHUNK(p);
+		}
+		if (unlikely(_talloc_free(child) == -1)) {
+			if (new_parent == null_context) {
+				struct talloc_chunk *p = talloc_parent_chunk(ptr);
+				if (p) new_parent = TC_PTR_FROM_CHUNK(p);
+			}
+			talloc_steal(new_parent, child);
+		}
+	}
+
+	if ((tc->flags & TALLOC_FLAG_POOL)
+	    && (*talloc_pool_objectcount(tc) == 1)) {
+		tc->pool = ((char *)tc + TC_HDR_SIZE + TALLOC_POOL_HDR_SIZE);
+#if defined(DEVELOPER) && defined(VALGRIND_MAKE_MEM_NOACCESS)
+		VALGRIND_MAKE_MEM_NOACCESS(
+			tc->pool, tc->size - TALLOC_POOL_HDR_SIZE);
+#endif
+	}
+}
+
+/* 
+   Allocate a bit of memory as a child of an existing pointer
+*/
+void *_talloc(const void *context, size_t size)
+{
+	return __talloc(context, size);
+}
+
+/*
+  externally callable talloc_set_name_const()
+*/
+void talloc_set_name_const(const void *ptr, const char *name)
+{
+	_talloc_set_name_const(ptr, name);
+}
+
+/*
+  create a named talloc pointer. Any talloc pointer can be named, and
+  talloc_named() operates just like talloc() except that it allows you
+  to name the pointer.
+*/
+void *talloc_named_const(const void *context, size_t size, const char *name)
+{
+	return _talloc_named_const(context, size, name);
+}
+
+/* 
+   free a talloc pointer. This also frees all child pointers of this 
+   pointer recursively
+
+   return 0 if the memory is actually freed, otherwise -1. The memory
+   will not be freed if the ref_count is > 1 or the destructor (if
+   any) returns non-zero
+*/
+int talloc_free(void *ptr)
+{
+	return _talloc_free(ptr);
+}
+
+
+
+/*
+  A talloc version of realloc. The context argument is only used if
+  ptr is NULL
+*/
+void *_talloc_realloc(const void *context, void *ptr, size_t size, const char *name)
+{
+	struct talloc_chunk *tc;
+	void *new_ptr;
+	bool malloced = false;
+
+	/* size zero is equivalent to free() */
+	if (unlikely(size == 0)) {
+		_talloc_free(ptr);
+		return NULL;
+	}
+
+	if (unlikely(size >= MAX_TALLOC_SIZE)) {
+		return NULL;
+	}
+
+	/* realloc(NULL) is equivalent to malloc() */
+	if (ptr == NULL) {
+		return _talloc_named_const(context, size, name);
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	/* don't allow realloc on referenced pointers */
+	if (unlikely(tc->refs)) {
+		return NULL;
+	}
+
+	/* don't shrink if we have less than 1k to gain */
+	if ((size < tc->size) && ((tc->size - size) < 1024)) {
+		tc->size = size;
+		return ptr;
+	}
+
+	/* by resetting magic we catch users of the old memory */
+	tc->flags |= TALLOC_FLAG_FREE;
+
+#if ALWAYS_REALLOC
+	new_ptr = malloc(size + TC_HDR_SIZE);
+	if (new_ptr) {
+		memcpy(new_ptr, tc, tc->size + TC_HDR_SIZE);
+		free(tc);
+	}
+#else
+	if (tc->flags & TALLOC_FLAG_POOLMEM) {
+
+		new_ptr = talloc_alloc_pool(tc, size + TC_HDR_SIZE);
+		*talloc_pool_objectcount((struct talloc_chunk *)
+					 (tc->pool)) -= 1;
+
+		if (new_ptr == NULL) {
+			new_ptr = malloc(TC_HDR_SIZE+size);
+			malloced = true;
+		}
+
+		if (new_ptr) {
+			memcpy(new_ptr, tc, MIN(tc->size,size) + TC_HDR_SIZE);
+		}
+	}
+	else {
+		new_ptr = realloc(tc, size + TC_HDR_SIZE);
+	}
+#endif
+	if (unlikely(!new_ptr)) {	
+		tc->flags &= ~TALLOC_FLAG_FREE; 
+		return NULL; 
+	}
+
+	tc = (struct talloc_chunk *)new_ptr;
+	tc->flags &= ~TALLOC_FLAG_FREE;
+	if (malloced) {
+		tc->flags &= ~TALLOC_FLAG_POOLMEM;
+	}
+	if (tc->parent) {
+		tc->parent->child = tc;
+	}
+	if (tc->child) {
+		tc->child->parent = tc;
+	}
+
+	if (tc->prev) {
+		tc->prev->next = tc;
+	}
+	if (tc->next) {
+		tc->next->prev = tc;
+	}
+
+	tc->size = size;
+	_talloc_set_name_const(TC_PTR_FROM_CHUNK(tc), name);
+
+	return TC_PTR_FROM_CHUNK(tc);
+}
+
+/*
+  a wrapper around talloc_steal() for situations where you are moving a pointer
+  between two structures, and want the old pointer to be set to NULL
+*/
+void *_talloc_move(const void *new_ctx, const void *_pptr)
+{
+	const void **pptr = discard_const_p(const void *,_pptr);
+	void *ret = _talloc_steal(new_ctx, *pptr);
+	(*pptr) = NULL;
+	return ret;
+}
+
+/*
+  return the total size of a talloc pool (subtree)
+*/
+size_t talloc_total_size(const void *ptr)
+{
+	size_t total = 0;
+	struct talloc_chunk *c, *tc;
+
+	if (ptr == NULL) {
+		ptr = null_context;
+	}
+	if (ptr == NULL) {
+		return 0;
+	}
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	if (tc->flags & TALLOC_FLAG_LOOP) {
+		return 0;
+	}
+
+	tc->flags |= TALLOC_FLAG_LOOP;
+
+	total = tc->size;
+	for (c=tc->child;c;c=c->next) {
+		total += talloc_total_size(TC_PTR_FROM_CHUNK(c));
+	}
+
+	tc->flags &= ~TALLOC_FLAG_LOOP;
+
+	return total;
+}
+
+/*
+  return the total number of blocks in a talloc pool (subtree)
+*/
+size_t talloc_total_blocks(const void *ptr)
+{
+	size_t total = 0;
+	struct talloc_chunk *c, *tc = talloc_chunk_from_ptr(ptr);
+
+	if (tc->flags & TALLOC_FLAG_LOOP) {
+		return 0;
+	}
+
+	tc->flags |= TALLOC_FLAG_LOOP;
+
+	total++;
+	for (c=tc->child;c;c=c->next) {
+		total += talloc_total_blocks(TC_PTR_FROM_CHUNK(c));
+	}
+
+	tc->flags &= ~TALLOC_FLAG_LOOP;
+
+	return total;
+}
+
+/*
+  return the number of external references to a pointer
+*/
+size_t talloc_reference_count(const void *ptr)
+{
+	struct talloc_chunk *tc = talloc_chunk_from_ptr(ptr);
+	struct talloc_reference_handle *h;
+	size_t ret = 0;
+
+	for (h=tc->refs;h;h=h->next) {
+		ret++;
+	}
+	return ret;
+}
+
+/*
+  report on memory usage by all children of a pointer, giving a full tree view
+*/
+void talloc_report_depth_cb(const void *ptr, int depth, int max_depth,
+			    void (*callback)(const void *ptr,
+			  		     int depth, int max_depth,
+					     int is_ref,
+					     void *private_data),
+			    void *private_data)
+{
+	struct talloc_chunk *c, *tc;
+
+	if (ptr == NULL) {
+		ptr = null_context;
+	}
+	if (ptr == NULL) return;
+
+	tc = talloc_chunk_from_ptr(ptr);
+
+	if (tc->flags & TALLOC_FLAG_LOOP) {
+		return;
+	}
+
+	callback(ptr, depth, max_depth, 0, private_data);
+
+	if (max_depth >= 0 && depth >= max_depth) {
+		return;
+	}
+
+	tc->flags |= TALLOC_FLAG_LOOP;
+	for (c=tc->child;c;c=c->next) {
+		if (c->name == TALLOC_MAGIC_REFERENCE) {
+			struct talloc_reference_handle *h = (struct talloc_reference_handle *)TC_PTR_FROM_CHUNK(c);
+			callback(h->ptr, depth + 1, max_depth, 1, private_data);
+		} else {
+			talloc_report_depth_cb(TC_PTR_FROM_CHUNK(c), depth + 1, max_depth, callback, private_data);
+		}
+	}
+	tc->flags &= ~TALLOC_FLAG_LOOP;
+}
+
+static void talloc_report_depth_FILE_helper(const void *ptr, int depth, int max_depth, int is_ref, void *_f)
+{
+	const char *name = talloc_get_name(ptr);
+	FILE *f = (FILE *)_f;
+
+	if (is_ref) {
+		fprintf(f, "%*sreference to: %s\n", depth*4, "", name);
+		return;
+	}
+
+	if (depth == 0) {
+		fprintf(f,"%stalloc report on '%s' (total %6lu bytes in %3lu blocks)\n", 
+			(max_depth < 0 ? "full " :""), name,
+			(unsigned long)talloc_total_size(ptr),
+			(unsigned long)talloc_total_blocks(ptr));
+		return;
+	}
+
+	fprintf(f, "%*s%-30s contains %6lu bytes in %3lu blocks (ref %d) %p\n", 
+		depth*4, "",
+		name,
+		(unsigned long)talloc_total_size(ptr),
+		(unsigned long)talloc_total_blocks(ptr),
+		(int)talloc_reference_count(ptr), ptr);
+
+#if 0
+	fprintf(f, "content: ");
+	if (talloc_total_size(ptr)) {
+		int tot = talloc_total_size(ptr);
+		int i;
+
+		for (i = 0; i < tot; i++) {
+			if ((((char *)ptr)[i] > 31) && (((char *)ptr)[i] < 126)) {
+				fprintf(f, "%c", ((char *)ptr)[i]);
+			} else {
+				fprintf(f, "~%02x", ((char *)ptr)[i]);
+			}
+		}
+	}
+	fprintf(f, "\n");
+#endif
+}
+
+/*
+  report on memory usage by all children of a pointer, giving a full tree view
+*/
+void talloc_report_depth_file(const void *ptr, int depth, int max_depth, FILE *f)
+{
+	talloc_report_depth_cb(ptr, depth, max_depth, talloc_report_depth_FILE_helper, f);
+	fflush(f);
+}
+
+/*
+  report on memory usage by all children of a pointer, giving a full tree view
+*/
+void talloc_report_full(const void *ptr, FILE *f)
+{
+	talloc_report_depth_file(ptr, 0, -1, f);
+}
+
+/*
+  report on memory usage by all children of a pointer
+*/
+void talloc_report(const void *ptr, FILE *f)
+{
+	talloc_report_depth_file(ptr, 0, 1, f);
+}
+
+/*
+  report on any memory hanging off the null context
+*/
+static void talloc_report_null(void)
+{
+	if (talloc_total_size(null_context) != 0) {
+		talloc_report(null_context, stderr);
+	}
+}
+
+/*
+  report on any memory hanging off the null context
+*/
+static void talloc_report_null_full(void)
+{
+	if (talloc_total_size(null_context) != 0) {
+		talloc_report_full(null_context, stderr);
+	}
+}
+
+/*
+  enable tracking of the NULL context
+*/
+void talloc_enable_null_tracking(void)
+{
+	if (null_context == NULL) {
+		null_context = _talloc_named_const(NULL, 0, "null_context");
+	}
+}
+
+/*
+  disable tracking of the NULL context
+*/
+void talloc_disable_null_tracking(void)
+{
+	_talloc_free(null_context);
+	null_context = NULL;
+}
+
+/*
+  enable leak reporting on exit
+*/
+void talloc_enable_leak_report(void)
+{
+	talloc_enable_null_tracking();
+	atexit(talloc_report_null);
+}
+
+/*
+  enable full leak reporting on exit
+*/
+void talloc_enable_leak_report_full(void)
+{
+	talloc_enable_null_tracking();
+	atexit(talloc_report_null_full);
+}
+
+/* 
+   talloc and zero memory. 
+*/
+void *_talloc_zero(const void *ctx, size_t size, const char *name)
+{
+	void *p = _talloc_named_const(ctx, size, name);
+
+	if (p) {
+		memset(p, '\0', size);
+	}
+
+	return p;
+}
+
+/*
+  memdup with a talloc. 
+*/
+void *_talloc_memdup(const void *t, const void *p, size_t size, const char *name)
+{
+	void *newp = _talloc_named_const(t, size, name);
+
+	if (likely(newp)) {
+		memcpy(newp, p, size);
+	}
+
+	return newp;
+}
+
+static inline char *__talloc_strlendup(const void *t, const char *p, size_t len)
+{
+	char *ret;
+
+	ret = (char *)__talloc(t, len + 1);
+	if (unlikely(!ret)) return NULL;
+
+	memcpy(ret, p, len);
+	ret[len] = 0;
+
+	_talloc_set_name_const(ret, ret);
+	return ret;
+}
+
+/*
+  strdup with a talloc
+*/
+char *talloc_strdup(const void *t, const char *p)
+{
+	if (unlikely(!p)) return NULL;
+	return __talloc_strlendup(t, p, strlen(p));
+}
+
+/*
+  strndup with a talloc
+*/
+char *talloc_strndup(const void *t, const char *p, size_t n)
+{
+	if (unlikely(!p)) return NULL;
+	return __talloc_strlendup(t, p, strnlen(p, n));
+}
+
+static inline char *__talloc_strlendup_append(char *s, size_t slen,
+					      const char *a, size_t alen)
+{
+	char *ret;
+
+	ret = talloc_realloc(NULL, s, char, slen + alen + 1);
+	if (unlikely(!ret)) return NULL;
+
+	/* append the string and the trailing \0 */
+	memcpy(&ret[slen], a, alen);
+	ret[slen+alen] = 0;
+
+	_talloc_set_name_const(ret, ret);
+	return ret;
+}
+
+/*
+ * Appends at the end of the string.
+ */
+char *talloc_strdup_append(char *s, const char *a)
+{
+	if (unlikely(!s)) {
+		return talloc_strdup(NULL, a);
+	}
+
+	if (unlikely(!a)) {
+		return s;
+	}
+
+	return __talloc_strlendup_append(s, strlen(s), a, strlen(a));
+}
+
+/*
+ * Appends at the end of the talloc'ed buffer,
+ * not the end of the string.
+ */
+char *talloc_strdup_append_buffer(char *s, const char *a)
+{
+	size_t slen;
+
+	if (unlikely(!s)) {
+		return talloc_strdup(NULL, a);
+	}
+
+	if (unlikely(!a)) {
+		return s;
+	}
+
+	slen = talloc_get_size(s);
+	if (likely(slen > 0)) {
+		slen--;
+	}
+
+	return __talloc_strlendup_append(s, slen, a, strlen(a));
+}
+
+/*
+ * Appends at the end of the string.
+ */
+char *talloc_strndup_append(char *s, const char *a, size_t n)
+{
+	if (unlikely(!s)) {
+		return talloc_strdup(NULL, a);
+	}
+
+	if (unlikely(!a)) {
+		return s;
+	}
+
+	return __talloc_strlendup_append(s, strlen(s), a, strnlen(a, n));
+}
+
+/*
+ * Appends at the end of the talloc'ed buffer,
+ * not the end of the string.
+ */
+char *talloc_strndup_append_buffer(char *s, const char *a, size_t n)
+{
+	size_t slen;
+
+	if (unlikely(!s)) {
+		return talloc_strdup(NULL, a);
+	}
+
+	if (unlikely(!a)) {
+		return s;
+	}
+
+	slen = talloc_get_size(s);
+	if (likely(slen > 0)) {
+		slen--;
+	}
+
+	return __talloc_strlendup_append(s, slen, a, strnlen(a, n));
+}
+
+#ifndef HAVE_VA_COPY
+#ifdef HAVE___VA_COPY
+#define va_copy(dest, src) __va_copy(dest, src)
+#else
+#define va_copy(dest, src) (dest) = (src)
+#endif
+#endif
+
+char *talloc_vasprintf(const void *t, const char *fmt, va_list ap)
+{
+	int len;
+	char *ret;
+	va_list ap2;
+	char c;
+
+	/* this call looks strange, but it makes it work on older solaris boxes */
+	va_copy(ap2, ap);
+	len = vsnprintf(&c, 1, fmt, ap2);
+	va_end(ap2);
+	if (unlikely(len < 0)) {
+		return NULL;
+	}
+
+	ret = (char *)__talloc(t, len+1);
+	if (unlikely(!ret)) return NULL;
+
+	va_copy(ap2, ap);
+	vsnprintf(ret, len+1, fmt, ap2);
+	va_end(ap2);
+
+	_talloc_set_name_const(ret, ret);
+	return ret;
+}
+
+
+/*
+  Perform string formatting, and return a pointer to newly allocated
+  memory holding the result, inside a memory pool.
+ */
+char *talloc_asprintf(const void *t, const char *fmt, ...)
+{
+	va_list ap;
+	char *ret;
+
+	va_start(ap, fmt);
+	ret = talloc_vasprintf(t, fmt, ap);
+	va_end(ap);
+	return ret;
+}
+
+static inline char *__talloc_vaslenprintf_append(char *s, size_t slen,
+						 const char *fmt, va_list ap)
+						 PRINTF_ATTRIBUTE(3,0);
+
+static inline char *__talloc_vaslenprintf_append(char *s, size_t slen,
+						 const char *fmt, va_list ap)
+{
+	ssize_t alen;
+	va_list ap2;
+	char c;
+
+	va_copy(ap2, ap);
+	alen = vsnprintf(&c, 1, fmt, ap2);
+	va_end(ap2);
+
+	if (alen <= 0) {
+		/* Either the vsnprintf failed or the format resulted in
+		 * no characters being formatted. In the former case, we
+		 * ought to return NULL, in the latter we ought to return
+		 * the original string. Most current callers of this
+		 * function expect it to never return NULL.
+		 */
+		return s;
+	}
+
+	s = talloc_realloc(NULL, s, char, slen + alen + 1);
+	if (!s) return NULL;
+
+	va_copy(ap2, ap);
+	vsnprintf(s + slen, alen + 1, fmt, ap2);
+	va_end(ap2);
+
+	_talloc_set_name_const(s, s);
+	return s;
+}
+
+/**
+ * Realloc @p s to append the formatted result of @p fmt and @p ap,
+ * and return @p s, which may have moved.  Good for gradually
+ * accumulating output into a string buffer. Appends at the end
+ * of the string.
+ **/
+char *talloc_vasprintf_append(char *s, const char *fmt, va_list ap)
+{
+	if (unlikely(!s)) {
+		return talloc_vasprintf(NULL, fmt, ap);
+	}
+
+	return __talloc_vaslenprintf_append(s, strlen(s), fmt, ap);
+}
+
+/**
+ * Realloc @p s to append the formatted result of @p fmt and @p ap,
+ * and return @p s, which may have moved. Always appends at the
+ * end of the talloc'ed buffer, not the end of the string.
+ **/
+char *talloc_vasprintf_append_buffer(char *s, const char *fmt, va_list ap)
+{
+	size_t slen;
+
+	if (unlikely(!s)) {
+		return talloc_vasprintf(NULL, fmt, ap);
+	}
+
+	slen = talloc_get_size(s);
+	if (likely(slen > 0)) {
+		slen--;
+	}
+
+	return __talloc_vaslenprintf_append(s, slen, fmt, ap);
+}
+
+/*
+  Realloc @p s to append the formatted result of @p fmt and return @p
+  s, which may have moved.  Good for gradually accumulating output
+  into a string buffer.
+ */
+char *talloc_asprintf_append(char *s, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	s = talloc_vasprintf_append(s, fmt, ap);
+	va_end(ap);
+	return s;
+}
+
+/*
+  Realloc @p s to append the formatted result of @p fmt and return @p
+  s, which may have moved.  Good for gradually accumulating output
+  into a buffer.
+ */
+char *talloc_asprintf_append_buffer(char *s, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	s = talloc_vasprintf_append_buffer(s, fmt, ap);
+	va_end(ap);
+	return s;
+}
+
+/*
+  alloc an array, checking for integer overflow in the array size
+*/
+void *_talloc_array(const void *ctx, size_t el_size, unsigned count, const char *name)
+{
+	if (count >= MAX_TALLOC_SIZE/el_size) {
+		return NULL;
+	}
+	return _talloc_named_const(ctx, el_size * count, name);
+}
+
+/*
+  alloc an zero array, checking for integer overflow in the array size
+*/
+void *_talloc_zero_array(const void *ctx, size_t el_size, unsigned count, const char *name)
+{
+	if (count >= MAX_TALLOC_SIZE/el_size) {
+		return NULL;
+	}
+	return _talloc_zero(ctx, el_size * count, name);
+}
+
+/*
+  realloc an array, checking for integer overflow in the array size
+*/
+void *_talloc_realloc_array(const void *ctx, void *ptr, size_t el_size, unsigned count, const char *name)
+{
+	if (count >= MAX_TALLOC_SIZE/el_size) {
+		return NULL;
+	}
+	return _talloc_realloc(ctx, ptr, el_size * count, name);
+}
+
+/*
+  a function version of talloc_realloc(), so it can be passed as a function pointer
+  to libraries that want a realloc function (a realloc function encapsulates
+  all the basic capabilities of an allocation library, which is why this is useful)
+*/
+void *talloc_realloc_fn(const void *context, void *ptr, size_t size)
+{
+	return _talloc_realloc(context, ptr, size, NULL);
+}
+
+
+static int talloc_autofree_destructor(void *ptr)
+{
+	autofree_context = NULL;
+	return 0;
+}
+
+static void talloc_autofree(void)
+{
+	_talloc_free(autofree_context);
+}
+
+/*
+  return a context which will be auto-freed on exit
+  this is useful for reducing the noise in leak reports
+*/
+void *talloc_autofree_context(void)
+{
+	if (autofree_context == NULL) {
+		autofree_context = _talloc_named_const(NULL, 0, "autofree_context");
+		talloc_set_destructor(autofree_context, talloc_autofree_destructor);
+		atexit(talloc_autofree);
+	}
+	return autofree_context;
+}
+
+size_t talloc_get_size(const void *context)
+{
+	struct talloc_chunk *tc;
+
+	if (context == NULL)
+		return 0;
+
+	tc = talloc_chunk_from_ptr(context);
+
+	return tc->size;
+}
+
+/*
+  find a parent of this context that has the given name, if any
+*/
+void *talloc_find_parent_byname(const void *context, const char *name)
+{
+	struct talloc_chunk *tc;
+
+	if (context == NULL) {
+		return NULL;
+	}
+
+	tc = talloc_chunk_from_ptr(context);
+	while (tc) {
+		if (tc->name && strcmp(tc->name, name) == 0) {
+			return TC_PTR_FROM_CHUNK(tc);
+		}
+		while (tc && tc->prev) tc = tc->prev;
+		if (tc) {
+			tc = tc->parent;
+		}
+	}
+	return NULL;
+}
+
+/*
+  show the parentage of a context
+*/
+void talloc_show_parents(const void *context, FILE *file)
+{
+	struct talloc_chunk *tc;
+
+	if (context == NULL) {
+		fprintf(file, "talloc no parents for NULL\n");
+		return;
+	}
+
+	tc = talloc_chunk_from_ptr(context);
+	fprintf(file, "talloc parents of '%s'\n", talloc_get_name(context));
+	while (tc) {
+		fprintf(file, "\t'%s'\n", talloc_get_name(TC_PTR_FROM_CHUNK(tc)));
+		while (tc && tc->prev) tc = tc->prev;
+		if (tc) {
+			tc = tc->parent;
+		}
+	}
+	fflush(file);
+}
+
+/*
+  return 1 if ptr is a parent of context
+*/
+int talloc_is_parent(const void *context, const void *ptr)
+{
+	struct talloc_chunk *tc;
+
+	if (context == NULL) {
+		return 0;
+	}
+
+	tc = talloc_chunk_from_ptr(context);
+	while (tc) {
+		if (TC_PTR_FROM_CHUNK(tc) == ptr) return 1;
+		while (tc && tc->prev) tc = tc->prev;
+		if (tc) {
+			tc = tc->parent;
+		}
+	}
+	return 0;
+}
diff --git a/source3/lib/talloc/talloc.h b/source3/lib/talloc/talloc.h
new file mode 100644
index 0000000000..5431971655
--- /dev/null
+++ b/source3/lib/talloc/talloc.h
@@ -0,0 +1,183 @@
+#ifndef _TALLOC_H_
+#define _TALLOC_H_
+/* 
+   Unix SMB/CIFS implementation.
+   Samba temporary memory allocation functions
+
+   Copyright (C) Andrew Tridgell 2004-2005
+   Copyright (C) Stefan Metzmacher 2006
+   
+     ** NOTE! The following LGPL license applies to the talloc
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+
+/* this is only needed for compatibility with the old talloc */
+typedef void TALLOC_CTX;
+
+/*
+  this uses a little trick to allow __LINE__ to be stringified
+*/
+#ifndef __location__
+#define __TALLOC_STRING_LINE1__(s)    #s
+#define __TALLOC_STRING_LINE2__(s)   __TALLOC_STRING_LINE1__(s)
+#define __TALLOC_STRING_LINE3__  __TALLOC_STRING_LINE2__(__LINE__)
+#define __location__ __FILE__ ":" __TALLOC_STRING_LINE3__
+#endif
+
+#ifndef TALLOC_DEPRECATED
+#define TALLOC_DEPRECATED 0
+#endif
+
+#ifndef PRINTF_ATTRIBUTE
+#if (__GNUC__ >= 3)
+/** Use gcc attribute to check printf fns.  a1 is the 1-based index of
+ * the parameter containing the format, and a2 the index of the first
+ * argument. Note that some gcc 2.x versions don't handle this
+ * properly **/
+#define PRINTF_ATTRIBUTE(a1, a2) __attribute__ ((format (__printf__, a1, a2)))
+#else
+#define PRINTF_ATTRIBUTE(a1, a2)
+#endif
+#endif
+
+/* try to make talloc_set_destructor() and talloc_steal() type safe,
+   if we have a recent gcc */
+#if (__GNUC__ >= 3)
+#define _TALLOC_TYPEOF(ptr) __typeof__(ptr)
+#define talloc_set_destructor(ptr, function)				      \
+	do {								      \
+		int (*_talloc_destructor_fn)(_TALLOC_TYPEOF(ptr)) = (function);	      \
+		_talloc_set_destructor((ptr), (int (*)(void *))_talloc_destructor_fn); \
+	} while(0)
+/* this extremely strange macro is to avoid some braindamaged warning
+   stupidity in gcc 4.1.x */
+#define talloc_steal(ctx, ptr) ({ _TALLOC_TYPEOF(ptr) __talloc_steal_ret = (_TALLOC_TYPEOF(ptr))_talloc_steal((ctx),(ptr)); __talloc_steal_ret; })
+#else
+#define talloc_set_destructor(ptr, function) \
+	_talloc_set_destructor((ptr), (int (*)(void *))(function))
+#define _TALLOC_TYPEOF(ptr) void *
+#define talloc_steal(ctx, ptr) (_TALLOC_TYPEOF(ptr))_talloc_steal((ctx),(ptr))
+#endif
+
+#define talloc_reference(ctx, ptr) (_TALLOC_TYPEOF(ptr))_talloc_reference((ctx),(ptr))
+#define talloc_move(ctx, ptr) (_TALLOC_TYPEOF(*(ptr)))_talloc_move((ctx),(void *)(ptr))
+
+/* useful macros for creating type checked pointers */
+#define talloc(ctx, type) (type *)talloc_named_const(ctx, sizeof(type), #type)
+#define talloc_size(ctx, size) talloc_named_const(ctx, size, __location__)
+#define talloc_ptrtype(ctx, ptr) (_TALLOC_TYPEOF(ptr))talloc_size(ctx, sizeof(*(ptr)))
+
+#define talloc_new(ctx) talloc_named_const(ctx, 0, "talloc_new: " __location__)
+
+#define talloc_zero(ctx, type) (type *)_talloc_zero(ctx, sizeof(type), #type)
+#define talloc_zero_size(ctx, size) _talloc_zero(ctx, size, __location__)
+
+#define talloc_zero_array(ctx, type, count) (type *)_talloc_zero_array(ctx, sizeof(type), count, #type)
+#define talloc_array(ctx, type, count) (type *)_talloc_array(ctx, sizeof(type), count, #type)
+#define talloc_array_size(ctx, size, count) _talloc_array(ctx, size, count, __location__)
+#define talloc_array_ptrtype(ctx, ptr, count) (_TALLOC_TYPEOF(ptr))talloc_array_size(ctx, sizeof(*(ptr)), count)
+
+#define talloc_realloc(ctx, p, type, count) (type *)_talloc_realloc_array(ctx, p, sizeof(type), count, #type)
+#define talloc_realloc_size(ctx, ptr, size) _talloc_realloc(ctx, ptr, size, __location__)
+
+#define talloc_memdup(t, p, size) _talloc_memdup(t, p, size, __location__)
+
+#define talloc_set_type(ptr, type) talloc_set_name_const(ptr, #type)
+#define talloc_get_type(ptr, type) (type *)talloc_check_name(ptr, #type)
+
+#define talloc_find_parent_bytype(ptr, type) (type *)talloc_find_parent_byname(ptr, #type)
+
+#if TALLOC_DEPRECATED
+#define talloc_zero_p(ctx, type) talloc_zero(ctx, type)
+#define talloc_p(ctx, type) talloc(ctx, type)
+#define talloc_array_p(ctx, type, count) talloc_array(ctx, type, count)
+#define talloc_realloc_p(ctx, p, type, count) talloc_realloc(ctx, p, type, count)
+#define talloc_destroy(ctx) talloc_free(ctx)
+#define talloc_append_string(c, s, a) (s?talloc_strdup_append(s,a):talloc_strdup(c, a))
+#endif
+
+/* The following definitions come from talloc.c  */
+void *_talloc(const void *context, size_t size);
+void *talloc_pool(const void *context, size_t size);
+void _talloc_set_destructor(const void *ptr, int (*destructor)(void *));
+int talloc_increase_ref_count(const void *ptr);
+size_t talloc_reference_count(const void *ptr);
+void *_talloc_reference(const void *context, const void *ptr);
+int talloc_unlink(const void *context, void *ptr);
+const char *talloc_set_name(const void *ptr, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
+void talloc_set_name_const(const void *ptr, const char *name);
+void *talloc_named(const void *context, size_t size, 
+		   const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
+void *talloc_named_const(const void *context, size_t size, const char *name);
+const char *talloc_get_name(const void *ptr);
+void *talloc_check_name(const void *ptr, const char *name);
+void *talloc_parent(const void *ptr);
+const char *talloc_parent_name(const void *ptr);
+void *talloc_init(const char *fmt, ...) PRINTF_ATTRIBUTE(1,2);
+int talloc_free(void *ptr);
+void talloc_free_children(void *ptr);
+void *_talloc_realloc(const void *context, void *ptr, size_t size, const char *name);
+void *_talloc_steal(const void *new_ctx, const void *ptr);
+void *_talloc_move(const void *new_ctx, const void *pptr);
+size_t talloc_total_size(const void *ptr);
+size_t talloc_total_blocks(const void *ptr);
+void talloc_report_depth_cb(const void *ptr, int depth, int max_depth,
+			    void (*callback)(const void *ptr,
+			  		     int depth, int max_depth,
+					     int is_ref,
+					     void *private_data),
+			    void *private_data);
+void talloc_report_depth_file(const void *ptr, int depth, int max_depth, FILE *f);
+void talloc_report_full(const void *ptr, FILE *f);
+void talloc_report(const void *ptr, FILE *f);
+void talloc_enable_null_tracking(void);
+void talloc_disable_null_tracking(void);
+void talloc_enable_leak_report(void);
+void talloc_enable_leak_report_full(void);
+void *_talloc_zero(const void *ctx, size_t size, const char *name);
+void *_talloc_memdup(const void *t, const void *p, size_t size, const char *name);
+void *_talloc_array(const void *ctx, size_t el_size, unsigned count, const char *name);
+void *_talloc_zero_array(const void *ctx, size_t el_size, unsigned count, const char *name);
+void *_talloc_realloc_array(const void *ctx, void *ptr, size_t el_size, unsigned count, const char *name);
+void *talloc_realloc_fn(const void *context, void *ptr, size_t size);
+void *talloc_autofree_context(void);
+size_t talloc_get_size(const void *ctx);
+void *talloc_find_parent_byname(const void *ctx, const char *name);
+void talloc_show_parents(const void *context, FILE *file);
+int talloc_is_parent(const void *context, const void *ptr);
+
+char *talloc_strdup(const void *t, const char *p);
+char *talloc_strdup_append(char *s, const char *a);
+char *talloc_strdup_append_buffer(char *s, const char *a);
+
+char *talloc_strndup(const void *t, const char *p, size_t n);
+char *talloc_strndup_append(char *s, const char *a, size_t n);
+char *talloc_strndup_append_buffer(char *s, const char *a, size_t n);
+
+char *talloc_vasprintf(const void *t, const char *fmt, va_list ap) PRINTF_ATTRIBUTE(2,0);
+char *talloc_vasprintf_append(char *s, const char *fmt, va_list ap) PRINTF_ATTRIBUTE(2,0);
+char *talloc_vasprintf_append_buffer(char *s, const char *fmt, va_list ap) PRINTF_ATTRIBUTE(2,0);
+
+char *talloc_asprintf(const void *t, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
+char *talloc_asprintf_append(char *s, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
+char *talloc_asprintf_append_buffer(char *s, const char *fmt, ...) PRINTF_ATTRIBUTE(2,3);
+
+#endif
diff --git a/source3/lib/talloc/talloc.i b/source3/lib/talloc/talloc.i
new file mode 100644
index 0000000000..a9afb97ed7
--- /dev/null
+++ b/source3/lib/talloc/talloc.i
@@ -0,0 +1,31 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* Don't expose talloc contexts in Python code. Python does reference 
+   counting for us, so just create a new top-level talloc context.
+ */
+%typemap(in, numinputs=0, noblock=1) TALLOC_CTX * {
+    $1 = NULL;
+}
+
+%define %talloctype(TYPE)
+%nodefaultctor TYPE;
+%extend TYPE {
+    ~TYPE() { talloc_free($self); }
+}
+%enddef
diff --git a/source3/lib/talloc/talloc.mk b/source3/lib/talloc/talloc.mk
new file mode 100644
index 0000000000..e1fe88c84b
--- /dev/null
+++ b/source3/lib/talloc/talloc.mk
@@ -0,0 +1,37 @@
+TALLOC_OBJ = $(tallocdir)/talloc.o 
+
+TALLOC_SOLIB = libtalloc.$(SHLIBEXT).$(PACKAGE_VERSION)
+TALLOC_SONAME = libtalloc.$(SHLIBEXT).1
+
+all:: libtalloc.a $(TALLOC_SOLIB) testsuite
+
+testsuite:: $(LIBOBJ) testsuite.o
+	$(CC) $(CFLAGS) -o testsuite testsuite.o $(LIBOBJ) $(LIBS)
+
+libtalloc.a: $(LIBOBJ)
+	ar -rv $@ $(LIBOBJ)
+	@-ranlib $@
+
+install:: all 
+	${INSTALLCMD} -d $(DESTDIR)$(libdir)
+	${INSTALLCMD} -d $(DESTDIR)$(libdir)/pkgconfig
+	${INSTALLCMD} -m 755 libtalloc.a $(DESTDIR)$(libdir)
+	${INSTALLCMD} -m 755 $(TALLOC_SOLIB) $(DESTDIR)$(libdir)
+	${INSTALLCMD} -d $(DESTDIR)${includedir}
+	${INSTALLCMD} -m 644 $(srcdir)/talloc.h $(DESTDIR)$(includedir)
+	${INSTALLCMD} -m 644 talloc.pc $(DESTDIR)$(libdir)/pkgconfig
+	if [ -f talloc.3 ];then ${INSTALLCMD} -d $(DESTDIR)$(mandir)/man3; fi
+	if [ -f talloc.3 ];then ${INSTALLCMD} -m 644 talloc.3 $(DESTDIR)$(mandir)/man3; fi
+	which swig >/dev/null 2>&1 && ${INSTALLCMD} -d $(DESTDIR)`swig -swiglib` || true
+	which swig >/dev/null 2>&1 && ${INSTALLCMD} -m 644 talloc.i $(DESTDIR)`swig -swiglib` || true
+
+doc:: talloc.3 talloc.3.html
+
+clean::
+	rm -f *~ $(LIBOBJ) $(TALLOC_SOLIB) libtalloc.a testsuite testsuite.o *.gc?? talloc.3 talloc.3.html
+
+test:: testsuite
+	./testsuite
+
+gcov::
+	gcov talloc.c
diff --git a/source3/lib/talloc/talloc.pc.in b/source3/lib/talloc/talloc.pc.in
new file mode 100644
index 0000000000..459cce70b1
--- /dev/null
+++ b/source3/lib/talloc/talloc.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: talloc 
+Description: A hierarchical pool based memory system with destructors
+Version: @PACKAGE_VERSION@
+Libs: -L${libdir} -ltalloc
+Cflags: -I${includedir} 
+URL: http://talloc.samba.org/
diff --git a/source3/lib/talloc/talloc_guide.txt b/source3/lib/talloc/talloc_guide.txt
new file mode 100644
index 0000000000..18663b370d
--- /dev/null
+++ b/source3/lib/talloc/talloc_guide.txt
@@ -0,0 +1,685 @@
+Using talloc in Samba4
+----------------------
+
+Andrew Tridgell
+September 2004
+
+The most current version of this document is available at
+   http://samba.org/ftp/unpacked/samba4/source/lib/talloc/talloc_guide.txt
+
+If you are used to the "old" talloc from Samba3 before 3.0.20 then please read
+this carefully, as talloc has changed a lot. With 3.0.20 (or 3.0.14?) the
+Samba4 talloc has been ported back to Samba3, so this guide applies to both.
+
+The new talloc is a hierarchical, reference counted memory pool system
+with destructors. Quite a mouthful really, but not too bad once you
+get used to it.
+
+Perhaps the biggest change from Samba3 is that there is no distinction
+between a "talloc context" and a "talloc pointer". Any pointer
+returned from talloc() is itself a valid talloc context. This means
+you can do this:
+
+  struct foo *X = talloc(mem_ctx, struct foo);
+  X->name = talloc_strdup(X, "foo");
+
+and the pointer X->name would be a "child" of the talloc context "X"
+which is itself a child of mem_ctx. So if you do talloc_free(mem_ctx)
+then it is all destroyed, whereas if you do talloc_free(X) then just X
+and X->name are destroyed, and if you do talloc_free(X->name) then
+just the name element of X is destroyed.
+
+If you think about this, then what this effectively gives you is an
+n-ary tree, where you can free any part of the tree with
+talloc_free().
+
+If you find this confusing, then I suggest you run the testsuite to
+watch talloc in action. You may also like to add your own tests to
+testsuite.c to clarify how some particular situation is handled.
+
+
+Performance
+-----------
+
+All the additional features of talloc() over malloc() do come at a
+price. We have a simple performance test in Samba4 that measures
+talloc() versus malloc() performance, and it seems that talloc() is
+about 4% slower than malloc() on my x86 Debian Linux box. For Samba,
+the great reduction in code complexity that we get by using talloc
+makes this worthwhile, especially as the total overhead of
+talloc/malloc in Samba is already quite small.
+
+
+talloc API
+----------
+
+The following is a complete guide to the talloc API. Read it all at
+least twice.
+
+Multi-threading
+---------------
+
+talloc itself does not deal with threads. It is thread-safe (assuming  
+the underlying "malloc" is), as long as each thread uses different  
+memory contexts.
+If two threads uses the same context then they need to synchronize in  
+order to be safe. In particular:
+- when using talloc_enable_leak_report(), giving directly NULL as a  
+parent context implicitly refers to a hidden "null context" global  
+variable, so this should not be used in a multi-threaded environment  
+without proper synchronization ;
+- the context returned by talloc_autofree_context() is also global so  
+shouldn't be used by several threads simultaneously without  
+synchronization.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(type *)talloc(const void *context, type);
+
+The talloc() macro is the core of the talloc library. It takes a
+memory context and a type, and returns a pointer to a new area of
+memory of the given type.
+
+The returned pointer is itself a talloc context, so you can use it as
+the context argument to more calls to talloc if you wish.
+
+The returned pointer is a "child" of the supplied context. This means
+that if you talloc_free() the context then the new child disappears as
+well. Alternatively you can free just the child.
+
+The context argument to talloc() can be NULL, in which case a new top
+level context is created. 
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_size(const void *context, size_t size);
+
+The function talloc_size() should be used when you don't have a
+convenient type to pass to talloc(). Unlike talloc(), it is not type
+safe (as it returns a void *), so you are on your own for type checking.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(typeof(ptr)) talloc_ptrtype(const void *ctx, ptr);
+
+The talloc_ptrtype() macro should be used when you have a pointer and
+want to allocate memory to point at with this pointer. When compiling
+with gcc >= 3 it is typesafe. Note this is a wrapper of talloc_size()
+and talloc_get_name() will return the current location in the source file.
+and not the type.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+int talloc_free(void *ptr);
+
+The talloc_free() function frees a piece of talloc memory, and all its
+children. You can call talloc_free() on any pointer returned by
+talloc().
+
+The return value of talloc_free() indicates success or failure, with 0
+returned for success and -1 for failure. The only possible failure
+condition is if the pointer had a destructor attached to it and the
+destructor returned -1. See talloc_set_destructor() for details on
+destructors.
+
+If this pointer has an additional parent when talloc_free() is called
+then the memory is not actually released, but instead the most
+recently established parent is destroyed. See talloc_reference() for
+details on establishing additional parents.
+
+For more control on which parent is removed, see talloc_unlink()
+
+talloc_free() operates recursively on its children.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+int talloc_free_children(void *ptr);
+
+The talloc_free_children() walks along the list of all children of a
+talloc context and talloc_free()s only the children, not the context
+itself.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_reference(const void *context, const void *ptr);
+
+The talloc_reference() function makes "context" an additional parent
+of "ptr".
+
+The return value of talloc_reference() is always the original pointer
+"ptr", unless talloc ran out of memory in creating the reference in
+which case it will return NULL (each additional reference consumes
+around 48 bytes of memory on intel x86 platforms).
+
+If "ptr" is NULL, then the function is a no-op, and simply returns NULL.
+
+After creating a reference you can free it in one of the following
+ways:
+
+  - you can talloc_free() any parent of the original pointer. That
+    will reduce the number of parents of this pointer by 1, and will
+    cause this pointer to be freed if it runs out of parents.
+
+  - you can talloc_free() the pointer itself. That will destroy the
+    most recently established parent to the pointer and leave the
+    pointer as a child of its current parent.
+
+For more control on which parent to remove, see talloc_unlink()
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+int talloc_unlink(const void *context, const void *ptr);
+
+The talloc_unlink() function removes a specific parent from ptr. The
+context passed must either be a context used in talloc_reference()
+with this pointer, or must be a direct parent of ptr. 
+
+Note that if the parent has already been removed using talloc_free()
+then this function will fail and will return -1.  Likewise, if "ptr"
+is NULL, then the function will make no modifications and return -1.
+
+Usually you can just use talloc_free() instead of talloc_unlink(), but
+sometimes it is useful to have the additional control on which parent
+is removed.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_set_destructor(const void *ptr, int (*destructor)(void *));
+
+The function talloc_set_destructor() sets the "destructor" for the
+pointer "ptr". A destructor is a function that is called when the
+memory used by a pointer is about to be released. The destructor
+receives the pointer as an argument, and should return 0 for success
+and -1 for failure.
+
+The destructor can do anything it wants to, including freeing other
+pieces of memory. A common use for destructors is to clean up
+operating system resources (such as open file descriptors) contained
+in the structure the destructor is placed on.
+
+You can only place one destructor on a pointer. If you need more than
+one destructor then you can create a zero-length child of the pointer
+and place an additional destructor on that.
+
+To remove a destructor call talloc_set_destructor() with NULL for the
+destructor.
+
+If your destructor attempts to talloc_free() the pointer that it is
+the destructor for then talloc_free() will return -1 and the free will
+be ignored. This would be a pointless operation anyway, as the
+destructor is only called when the memory is just about to go away.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+int talloc_increase_ref_count(const void *ptr);
+
+The talloc_increase_ref_count(ptr) function is exactly equivalent to:
+
+  talloc_reference(NULL, ptr);
+
+You can use either syntax, depending on which you think is clearer in
+your code.
+
+It returns 0 on success and -1 on failure.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+size_t talloc_reference_count(const void *ptr);
+
+Return the number of references to the pointer.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_set_name(const void *ptr, const char *fmt, ...);
+
+Each talloc pointer has a "name". The name is used principally for
+debugging purposes, although it is also possible to set and get the
+name on a pointer in as a way of "marking" pointers in your code.
+
+The main use for names on pointer is for "talloc reports". See
+talloc_report() and talloc_report_full() for details. Also see
+talloc_enable_leak_report() and talloc_enable_leak_report_full().
+
+The talloc_set_name() function allocates memory as a child of the
+pointer. It is logically equivalent to:
+  talloc_set_name_const(ptr, talloc_asprintf(ptr, fmt, ...));
+
+Note that multiple calls to talloc_set_name() will allocate more
+memory without releasing the name. All of the memory is released when
+the ptr is freed using talloc_free().
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_set_name_const(const void *ptr, const char *name);
+
+The function talloc_set_name_const() is just like talloc_set_name(),
+but it takes a string constant, and is much faster. It is extensively
+used by the "auto naming" macros, such as talloc_p().
+
+This function does not allocate any memory. It just copies the
+supplied pointer into the internal representation of the talloc
+ptr. This means you must not pass a name pointer to memory that will
+disappear before the ptr is freed with talloc_free().
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_named(const void *context, size_t size, const char *fmt, ...);
+
+The talloc_named() function creates a named talloc pointer. It is
+equivalent to:
+
+   ptr = talloc_size(context, size);
+   talloc_set_name(ptr, fmt, ....);
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_named_const(const void *context, size_t size, const char *name);
+
+This is equivalent to:
+
+   ptr = talloc_size(context, size);
+   talloc_set_name_const(ptr, name);
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+const char *talloc_get_name(const void *ptr);
+
+This returns the current name for the given talloc pointer. See
+talloc_set_name() for details.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_init(const char *fmt, ...);
+
+This function creates a zero length named talloc context as a top
+level context. It is equivalent to:
+
+  talloc_named(NULL, 0, fmt, ...);
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_new(void *ctx);
+
+This is a utility macro that creates a new memory context hanging
+off an exiting context, automatically naming it "talloc_new: __location__"
+where __location__ is the source line it is called from. It is
+particularly useful for creating a new temporary working context.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(type *)talloc_realloc(const void *context, void *ptr, type, count);
+
+The talloc_realloc() macro changes the size of a talloc
+pointer. The "count" argument is the number of elements of type "type"
+that you want the resulting pointer to hold. 
+
+talloc_realloc() has the following equivalences:
+
+  talloc_realloc(context, NULL, type, 1) ==> talloc(context, type);
+  talloc_realloc(context, NULL, type, N) ==> talloc_array(context, type, N);
+  talloc_realloc(context, ptr, type, 0)  ==> talloc_free(ptr);
+
+The "context" argument is only used if "ptr" is NULL, otherwise it is
+ignored.
+
+talloc_realloc() returns the new pointer, or NULL on failure. The call
+will fail either due to a lack of memory, or because the pointer has
+more than one parent (see talloc_reference()).
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_realloc_size(const void *context, void *ptr, size_t size);
+
+the talloc_realloc_size() function is useful when the type is not 
+known so the typesafe talloc_realloc() cannot be used.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_steal(const void *new_ctx, const void *ptr);
+
+The talloc_steal() function changes the parent context of a talloc
+pointer. It is typically used when the context that the pointer is
+currently a child of is going to be freed and you wish to keep the
+memory for a longer time. 
+
+The talloc_steal() function returns the pointer that you pass it. It
+does not have any failure modes.
+
+NOTE: It is possible to produce loops in the parent/child relationship
+if you are not careful with talloc_steal(). No guarantees are provided
+as to your sanity or the safety of your data if you do this.
+
+talloc_steal (new_ctx, NULL) will return NULL with no sideeffects.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+size_t talloc_total_size(const void *ptr);
+
+The talloc_total_size() function returns the total size in bytes used
+by this pointer and all child pointers. Mostly useful for debugging.
+
+Passing NULL is allowed, but it will only give a meaningful result if
+talloc_enable_leak_report() or talloc_enable_leak_report_full() has
+been called.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+size_t talloc_total_blocks(const void *ptr);
+
+The talloc_total_blocks() function returns the total memory block
+count used by this pointer and all child pointers. Mostly useful for
+debugging.
+
+Passing NULL is allowed, but it will only give a meaningful result if
+talloc_enable_leak_report() or talloc_enable_leak_report_full() has
+been called.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_report_depth_cb(const void *ptr, int depth, int max_depth,
+			    void (*callback)(const void *ptr,
+			    		     int depth, int max_depth,
+					     int is_ref,
+					     void *priv),
+			    void *priv);
+
+This provides a more flexible reports than talloc_report(). It
+will recursively call the callback for the entire tree of memory
+referenced by the pointer. References in the tree are passed with
+is_ref = 1 and the pointer that is referenced.
+
+You can pass NULL for the pointer, in which case a report is
+printed for the top level memory context, but only if
+talloc_enable_leak_report() or talloc_enable_leak_report_full()
+has been called.
+
+The recursion is stopped when depth >= max_depth.
+max_depth = -1 means only stop at leaf nodes.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_report_depth_file(const void *ptr, int depth, int max_depth, FILE *f);
+
+This provides a more flexible reports than talloc_report(). It
+will let you specify the depth and max_depth.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_report(const void *ptr, FILE *f);
+
+The talloc_report() function prints a summary report of all memory
+used by ptr. One line of report is printed for each immediate child of
+ptr, showing the total memory and number of blocks used by that child.
+
+You can pass NULL for the pointer, in which case a report is printed
+for the top level memory context, but only if
+talloc_enable_leak_report() or talloc_enable_leak_report_full() has
+been called.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_report_full(const void *ptr, FILE *f);
+
+This provides a more detailed report than talloc_report(). It will
+recursively print the ensire tree of memory referenced by the
+pointer. References in the tree are shown by giving the name of the
+pointer that is referenced.
+
+You can pass NULL for the pointer, in which case a report is printed
+for the top level memory context, but only if
+talloc_enable_leak_report() or talloc_enable_leak_report_full() has
+been called.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_enable_leak_report(void);
+
+This enables calling of talloc_report(NULL, stderr) when the program
+exits. In Samba4 this is enabled by using the --leak-report command
+line option.
+
+For it to be useful, this function must be called before any other
+talloc function as it establishes a "null context" that acts as the
+top of the tree. If you don't call this function first then passing
+NULL to talloc_report() or talloc_report_full() won't give you the
+full tree printout.
+
+Here is a typical talloc report:
+
+talloc report on 'null_context' (total 267 bytes in 15 blocks)
+        libcli/auth/spnego_parse.c:55  contains     31 bytes in   2 blocks
+        libcli/auth/spnego_parse.c:55  contains     31 bytes in   2 blocks
+        iconv(UTF8,CP850)              contains     42 bytes in   2 blocks
+        libcli/auth/spnego_parse.c:55  contains     31 bytes in   2 blocks
+        iconv(CP850,UTF8)              contains     42 bytes in   2 blocks
+        iconv(UTF8,UTF-16LE)           contains     45 bytes in   2 blocks
+        iconv(UTF-16LE,UTF8)           contains     45 bytes in   2 blocks
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_enable_leak_report_full(void);
+
+This enables calling of talloc_report_full(NULL, stderr) when the
+program exits. In Samba4 this is enabled by using the
+--leak-report-full command line option.
+
+For it to be useful, this function must be called before any other
+talloc function as it establishes a "null context" that acts as the
+top of the tree. If you don't call this function first then passing
+NULL to talloc_report() or talloc_report_full() won't give you the
+full tree printout.
+
+Here is a typical full report:
+
+full talloc report on 'root' (total 18 bytes in 8 blocks)
+    p1                             contains     18 bytes in   7 blocks (ref 0)
+        r1                             contains     13 bytes in   2 blocks (ref 0)
+            reference to: p2
+        p2                             contains      1 bytes in   1 blocks (ref 1)
+        x3                             contains      1 bytes in   1 blocks (ref 0)
+        x2                             contains      1 bytes in   1 blocks (ref 0)
+        x1                             contains      1 bytes in   1 blocks (ref 0)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_enable_null_tracking(void);
+
+This enables tracking of the NULL memory context without enabling leak
+reporting on exit. Useful for when you want to do your own leak
+reporting call via talloc_report_null_full();
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void talloc_disable_null_tracking(void);
+
+This disables tracking of the NULL memory context.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(type *)talloc_zero(const void *ctx, type);
+
+The talloc_zero() macro is equivalent to:
+
+  ptr = talloc(ctx, type);
+  if (ptr) memset(ptr, 0, sizeof(type));
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_zero_size(const void *ctx, size_t size)
+
+The talloc_zero_size() function is useful when you don't have a known type
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_memdup(const void *ctx, const void *p, size_t size);
+
+The talloc_memdup() function is equivalent to:
+
+  ptr = talloc_size(ctx, size);
+  if (ptr) memcpy(ptr, p, size);
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_strdup(const void *ctx, const char *p);
+
+The talloc_strdup() function is equivalent to:
+
+  ptr = talloc_size(ctx, strlen(p)+1);
+  if (ptr) memcpy(ptr, p, strlen(p)+1);
+
+This functions sets the name of the new pointer to the passed
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_strndup(const void *t, const char *p, size_t n);
+
+The talloc_strndup() function is the talloc equivalent of the C
+library function strndup()
+
+This functions sets the name of the new pointer to the passed
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_append_string(const void *t, char *orig, const char *append);
+
+The talloc_append_string() function appends the given formatted
+string to the given string.
+
+This function sets the name of the new pointer to the new
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_vasprintf(const void *t, const char *fmt, va_list ap);
+
+The talloc_vasprintf() function is the talloc equivalent of the C
+library function vasprintf()
+
+This functions sets the name of the new pointer to the new
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_asprintf(const void *t, const char *fmt, ...);
+
+The talloc_asprintf() function is the talloc equivalent of the C
+library function asprintf()
+
+This functions sets the name of the new pointer to the new
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_asprintf_append(char *s, const char *fmt, ...);
+
+The talloc_asprintf_append() function appends the given formatted
+string to the given string.
+Use this varient when the string in the current talloc buffer may
+have been truncated in length.
+
+This functions sets the name of the new pointer to the new
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+char *talloc_asprintf_append_buffer(char *s, const char *fmt, ...);
+
+The talloc_asprintf_append() function appends the given formatted 
+string to the end of the currently allocated talloc buffer.
+Use this varient when the string in the current talloc buffer has
+not been changed.
+
+This functions sets the name of the new pointer to the new
+string. This is equivalent to:
+   talloc_set_name_const(ptr, ptr)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+((type *)talloc_array(const void *ctx, type, uint_t count);
+
+The talloc_array() macro is equivalent to:
+
+  (type *)talloc_size(ctx, sizeof(type) * count);
+
+except that it provides integer overflow protection for the multiply,
+returning NULL if the multiply overflows.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_array_size(const void *ctx, size_t size, uint_t count);
+
+The talloc_array_size() function is useful when the type is not
+known. It operates in the same way as talloc_array(), but takes a size
+instead of a type.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(typeof(ptr)) talloc_array_ptrtype(const void *ctx, ptr, uint_t count);
+
+The talloc_ptrtype() macro should be used when you have a pointer to an array
+and want to allocate memory of an array to point at with this pointer. When compiling
+with gcc >= 3 it is typesafe. Note this is a wrapper of talloc_array_size()
+and talloc_get_name() will return the current location in the source file.
+and not the type.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_realloc_fn(const void *ctx, void *ptr, size_t size);
+
+This is a non-macro version of talloc_realloc(), which is useful 
+as libraries sometimes want a ralloc function pointer. A realloc()
+implementation encapsulates the functionality of malloc(), free() and
+realloc() in one call, which is why it is useful to be able to pass
+around a single function pointer.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_autofree_context(void);
+
+This is a handy utility function that returns a talloc context
+which will be automatically freed on program exit. This can be used
+to reduce the noise in memory leak reports.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_check_name(const void *ptr, const char *name);
+
+This function checks if a pointer has the specified name. If it does
+then the pointer is returned. It it doesn't then NULL is returned.
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(type *)talloc_get_type(const void *ptr, type);
+
+This macro allows you to do type checking on talloc pointers. It is
+particularly useful for void* private pointers. It is equivalent to
+this:
+
+   (type *)talloc_check_name(ptr, #type)
+
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+talloc_set_type(const void *ptr, type);
+
+This macro allows you to force the name of a pointer to be a
+particular type. This can be used in conjunction with
+talloc_get_type() to do type checking on void* pointers.
+
+It is equivalent to this:
+   talloc_set_name_const(ptr, #type)
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+talloc_get_size(const void *ctx);
+
+This function lets you know the amount of memory alloced so far by
+this context. It does NOT account for subcontext memory.
+This can be used to calculate the size of an array.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+void *talloc_find_parent_byname(const void *ctx, const char *name);
+
+Find a parent memory context of the current context that has the given
+name. This can be very useful in complex programs where it may be
+difficult to pass all information down to the level you need, but you
+know the structure you want is a parent of another context.
+
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+(type *)talloc_find_parent_bytype(ctx, type);
+
+Like talloc_find_parent_byname() but takes a type, making it typesafe.
+
diff --git a/source3/lib/talloc/testsuite.c b/source3/lib/talloc/testsuite.c
new file mode 100644
index 0000000000..3f06eee566
--- /dev/null
+++ b/source3/lib/talloc/testsuite.c
@@ -0,0 +1,1152 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   local testing of talloc routines.
+
+   Copyright (C) Andrew Tridgell 2004
+   
+     ** NOTE! The following LGPL license applies to the talloc
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "system/time.h"
+#include "talloc.h"
+
+static struct timeval timeval_current(void)
+{
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+	return tv;
+}
+
+static double timeval_elapsed(struct timeval *tv)
+{
+	struct timeval tv2 = timeval_current();
+	return (tv2.tv_sec - tv->tv_sec) + 
+	       (tv2.tv_usec - tv->tv_usec)*1.0e-6;
+}
+
+#define torture_assert(test, expr, str) if (!(expr)) { \
+	printf("failure: %s [\n%s: Expression %s failed: %s\n]\n", \
+		test, __location__, #expr, str); \
+	return false; \
+}
+
+#define torture_assert_str_equal(test, arg1, arg2, desc) \
+	if (arg1 == NULL && arg2 == NULL) {				\
+	} else if (strcmp(arg1, arg2)) {			\
+		printf("failure: %s [\n%s: Expected %s, got %s: %s\n]\n", \
+		   test, __location__, arg1, arg2, desc); \
+		return false; \
+	}
+
+#if _SAMBA_BUILD_==3
+#ifdef malloc
+#undef malloc
+#endif
+#ifdef strdup
+#undef strdup
+#endif
+#endif
+
+#define CHECK_SIZE(test, ptr, tsize) do { \
+	if (talloc_total_size(ptr) != (tsize)) { \
+		printf("failed: %s [\nwrong '%s' tree size: got %u  expected %u\n]\n", \
+		       test, #ptr, \
+		       (unsigned)talloc_total_size(ptr), \
+		       (unsigned)tsize); \
+		talloc_report_full(ptr, stdout); \
+		return false; \
+	} \
+} while (0)
+
+#define CHECK_BLOCKS(test, ptr, tblocks) do { \
+	if (talloc_total_blocks(ptr) != (tblocks)) { \
+		printf("failed: %s [\nwrong '%s' tree blocks: got %u  expected %u\n]\n", \
+		       test, #ptr, \
+		       (unsigned)talloc_total_blocks(ptr), \
+		       (unsigned)tblocks); \
+		talloc_report_full(ptr, stdout); \
+		return false; \
+	} \
+} while (0)
+
+#define CHECK_PARENT(test, ptr, parent) do { \
+	if (talloc_parent(ptr) != (parent)) { \
+		printf("failed: %s [\n'%s' has wrong parent: got %p  expected %p\n]\n", \
+		       test, #ptr, \
+		       talloc_parent(ptr), \
+		       (parent)); \
+		talloc_report_full(ptr, stdout); \
+		talloc_report_full(parent, stdout); \
+		talloc_report_full(NULL, stdout); \
+		return false; \
+	} \
+} while (0)
+
+
+/*
+  test references 
+*/
+static bool test_ref1(void)
+{
+	void *root, *p1, *p2, *ref, *r1;
+
+	printf("test: ref1\n# SINGLE REFERENCE FREE\n");
+
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "p1");
+	p2 = talloc_named_const(p1, 1, "p2");
+	talloc_named_const(p1, 1, "x1");
+	talloc_named_const(p1, 2, "x2");
+	talloc_named_const(p1, 3, "x3");
+
+	r1 = talloc_named_const(root, 1, "r1");	
+	ref = talloc_reference(r1, p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref1", p1, 5);
+	CHECK_BLOCKS("ref1", p2, 1);
+	CHECK_BLOCKS("ref1", r1, 2);
+
+	fprintf(stderr, "Freeing p2\n");
+	talloc_free(p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref1", p1, 5);
+	CHECK_BLOCKS("ref1", p2, 1);
+	CHECK_BLOCKS("ref1", r1, 1);
+
+	fprintf(stderr, "Freeing p1\n");
+	talloc_free(p1);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref1", r1, 1);
+
+	fprintf(stderr, "Freeing r1\n");
+	talloc_free(r1);
+	talloc_report_full(NULL, stderr);
+
+	fprintf(stderr, "Testing NULL\n");
+	if (talloc_reference(root, NULL)) {
+		return false;
+	}
+
+	CHECK_BLOCKS("ref1", root, 1);
+
+	CHECK_SIZE("ref1", root, 0);
+
+	talloc_free(root);
+	printf("success: ref1\n");
+	return true;
+}
+
+/*
+  test references 
+*/
+static bool test_ref2(void)
+{
+	void *root, *p1, *p2, *ref, *r1;
+
+	printf("test: ref2\n# DOUBLE REFERENCE FREE\n");
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "p1");
+	talloc_named_const(p1, 1, "x1");
+	talloc_named_const(p1, 1, "x2");
+	talloc_named_const(p1, 1, "x3");
+	p2 = talloc_named_const(p1, 1, "p2");
+
+	r1 = talloc_named_const(root, 1, "r1");	
+	ref = talloc_reference(r1, p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref2", p1, 5);
+	CHECK_BLOCKS("ref2", p2, 1);
+	CHECK_BLOCKS("ref2", r1, 2);
+
+	fprintf(stderr, "Freeing ref\n");
+	talloc_free(ref);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref2", p1, 5);
+	CHECK_BLOCKS("ref2", p2, 1);
+	CHECK_BLOCKS("ref2", r1, 1);
+
+	fprintf(stderr, "Freeing p2\n");
+	talloc_free(p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref2", p1, 4);
+	CHECK_BLOCKS("ref2", r1, 1);
+
+	fprintf(stderr, "Freeing p1\n");
+	talloc_free(p1);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref2", r1, 1);
+
+	fprintf(stderr, "Freeing r1\n");
+	talloc_free(r1);
+	talloc_report_full(root, stderr);
+
+	CHECK_SIZE("ref2", root, 0);
+
+	talloc_free(root);
+	printf("success: ref2\n");
+	return true;
+}
+
+/*
+  test references 
+*/
+static bool test_ref3(void)
+{
+	void *root, *p1, *p2, *ref, *r1;
+
+	printf("test: ref3\n# PARENT REFERENCE FREE\n");
+
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "p1");
+	p2 = talloc_named_const(root, 1, "p2");
+	r1 = talloc_named_const(p1, 1, "r1");
+	ref = talloc_reference(p2, r1);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref3", p1, 2);
+	CHECK_BLOCKS("ref3", p2, 2);
+	CHECK_BLOCKS("ref3", r1, 1);
+
+	fprintf(stderr, "Freeing p1\n");
+	talloc_free(p1);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref3", p2, 2);
+	CHECK_BLOCKS("ref3", r1, 1);
+
+	fprintf(stderr, "Freeing p2\n");
+	talloc_free(p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_SIZE("ref3", root, 0);
+
+	talloc_free(root);
+
+	printf("success: ref3\n");
+	return true;
+}
+
+/*
+  test references 
+*/
+static bool test_ref4(void)
+{
+	void *root, *p1, *p2, *ref, *r1;
+
+	printf("test: ref4\n# REFERRER REFERENCE FREE\n");
+
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "p1");
+	talloc_named_const(p1, 1, "x1");
+	talloc_named_const(p1, 1, "x2");
+	talloc_named_const(p1, 1, "x3");
+	p2 = talloc_named_const(p1, 1, "p2");
+
+	r1 = talloc_named_const(root, 1, "r1");	
+	ref = talloc_reference(r1, p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref4", p1, 5);
+	CHECK_BLOCKS("ref4", p2, 1);
+	CHECK_BLOCKS("ref4", r1, 2);
+
+	fprintf(stderr, "Freeing r1\n");
+	talloc_free(r1);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref4", p1, 5);
+	CHECK_BLOCKS("ref4", p2, 1);
+
+	fprintf(stderr, "Freeing p2\n");
+	talloc_free(p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("ref4", p1, 4);
+
+	fprintf(stderr, "Freeing p1\n");
+	talloc_free(p1);
+	talloc_report_full(root, stderr);
+
+	CHECK_SIZE("ref4", root, 0);
+
+	talloc_free(root);
+
+	printf("success: ref4\n");
+	return true;
+}
+
+
+/*
+  test references 
+*/
+static bool test_unlink1(void)
+{
+	void *root, *p1, *p2, *ref, *r1;
+
+	printf("test: unlink\n# UNLINK\n");
+
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "p1");
+	talloc_named_const(p1, 1, "x1");
+	talloc_named_const(p1, 1, "x2");
+	talloc_named_const(p1, 1, "x3");
+	p2 = talloc_named_const(p1, 1, "p2");
+
+	r1 = talloc_named_const(p1, 1, "r1");	
+	ref = talloc_reference(r1, p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("unlink", p1, 7);
+	CHECK_BLOCKS("unlink", p2, 1);
+	CHECK_BLOCKS("unlink", r1, 2);
+
+	fprintf(stderr, "Unreferencing r1\n");
+	talloc_unlink(r1, p2);
+	talloc_report_full(root, stderr);
+
+	CHECK_BLOCKS("unlink", p1, 6);
+	CHECK_BLOCKS("unlink", p2, 1);
+	CHECK_BLOCKS("unlink", r1, 1);
+
+	fprintf(stderr, "Freeing p1\n");
+	talloc_free(p1);
+	talloc_report_full(root, stderr);
+
+	CHECK_SIZE("unlink", root, 0);
+
+	talloc_free(root);
+
+	printf("success: unlink\n");
+	return true;
+}
+
+static int fail_destructor(void *ptr)
+{
+	return -1;
+}
+
+/*
+  miscellaneous tests to try to get a higher test coverage percentage
+*/
+static bool test_misc(void)
+{
+	void *root, *p1;
+	char *p2;
+	double *d;
+	const char *name;
+
+	printf("test: misc\n# MISCELLANEOUS\n");
+
+	root = talloc_new(NULL);
+
+	p1 = talloc_size(root, 0x7fffffff);
+	torture_assert("misc", !p1, "failed: large talloc allowed\n");
+
+	p1 = talloc_strdup(root, "foo");
+	talloc_increase_ref_count(p1);
+	talloc_increase_ref_count(p1);
+	talloc_increase_ref_count(p1);
+	CHECK_BLOCKS("misc", p1, 1);
+	CHECK_BLOCKS("misc", root, 2);
+	talloc_free(p1);
+	CHECK_BLOCKS("misc", p1, 1);
+	CHECK_BLOCKS("misc", root, 2);
+	talloc_unlink(NULL, p1);
+	CHECK_BLOCKS("misc", p1, 1);
+	CHECK_BLOCKS("misc", root, 2);
+	p2 = talloc_strdup(p1, "foo");
+	torture_assert("misc", talloc_unlink(root, p2) == -1,
+				   "failed: talloc_unlink() of non-reference context should return -1\n");
+	torture_assert("misc", talloc_unlink(p1, p2) == 0,
+		"failed: talloc_unlink() of parent should succeed\n");
+	talloc_free(p1);
+	CHECK_BLOCKS("misc", p1, 1);
+	CHECK_BLOCKS("misc", root, 2);
+
+	name = talloc_set_name(p1, "my name is %s", "foo");
+	torture_assert_str_equal("misc", talloc_get_name(p1), "my name is foo",
+		"failed: wrong name after talloc_set_name(my name is foo)");
+	CHECK_BLOCKS("misc", p1, 2);
+	CHECK_BLOCKS("misc", root, 3);
+
+	talloc_set_name_const(p1, NULL);
+	torture_assert_str_equal ("misc", talloc_get_name(p1), "UNNAMED",
+		"failed: wrong name after talloc_set_name(NULL)");
+	CHECK_BLOCKS("misc", p1, 2);
+	CHECK_BLOCKS("misc", root, 3);
+
+	torture_assert("misc", talloc_free(NULL) == -1, 
+				   "talloc_free(NULL) should give -1\n");
+
+	talloc_set_destructor(p1, fail_destructor);
+	torture_assert("misc", talloc_free(p1) == -1, 
+		"Failed destructor should cause talloc_free to fail\n");
+	talloc_set_destructor(p1, NULL);
+
+	talloc_report(root, stderr);
+
+
+	p2 = (char *)talloc_zero_size(p1, 20);
+	torture_assert("misc", p2[19] == 0, "Failed to give zero memory\n");
+	talloc_free(p2);
+
+	torture_assert("misc", talloc_strdup(root, NULL) == NULL,
+		"failed: strdup on NULL should give NULL\n");
+
+	p2 = talloc_strndup(p1, "foo", 2);
+	torture_assert("misc", strcmp("fo", p2) == 0, 
+				   "strndup doesn't work\n");
+	p2 = talloc_asprintf_append_buffer(p2, "o%c", 'd');
+	torture_assert("misc", strcmp("food", p2) == 0, 
+				   "talloc_asprintf_append_buffer doesn't work\n");
+	CHECK_BLOCKS("misc", p2, 1);
+	CHECK_BLOCKS("misc", p1, 3);
+
+	p2 = talloc_asprintf_append_buffer(NULL, "hello %s", "world");
+	torture_assert("misc", strcmp("hello world", p2) == 0,
+		"talloc_asprintf_append_buffer doesn't work\n");
+	CHECK_BLOCKS("misc", p2, 1);
+	CHECK_BLOCKS("misc", p1, 3);
+	talloc_free(p2);
+
+	d = talloc_array(p1, double, 0x20000000);
+	torture_assert("misc", !d, "failed: integer overflow not detected\n");
+
+	d = talloc_realloc(p1, d, double, 0x20000000);
+	torture_assert("misc", !d, "failed: integer overflow not detected\n");
+
+	talloc_free(p1);
+	CHECK_BLOCKS("misc", root, 1);
+
+	p1 = talloc_named(root, 100, "%d bytes", 100);
+	CHECK_BLOCKS("misc", p1, 2);
+	CHECK_BLOCKS("misc", root, 3);
+	talloc_unlink(root, p1);
+
+	p1 = talloc_init("%d bytes", 200);
+	p2 = talloc_asprintf(p1, "my test '%s'", "string");
+	torture_assert_str_equal("misc", p2, "my test 'string'",
+		"failed: talloc_asprintf(\"my test '%%s'\", \"string\") gave: \"%s\"");
+	CHECK_BLOCKS("misc", p1, 3);
+	CHECK_SIZE("misc", p2, 17);
+	CHECK_BLOCKS("misc", root, 1);
+	talloc_unlink(NULL, p1);
+
+	p1 = talloc_named_const(root, 10, "p1");
+	p2 = (char *)talloc_named_const(root, 20, "p2");
+	(void)talloc_reference(p1, p2);
+	talloc_report_full(root, stderr);
+	talloc_unlink(root, p2);
+	talloc_report_full(root, stderr);
+	CHECK_BLOCKS("misc", p2, 1);
+	CHECK_BLOCKS("misc", p1, 2);
+	CHECK_BLOCKS("misc", root, 3);
+	talloc_unlink(p1, p2);
+	talloc_unlink(root, p1);
+
+	p1 = talloc_named_const(root, 10, "p1");
+	p2 = (char *)talloc_named_const(root, 20, "p2");
+	(void)talloc_reference(NULL, p2);
+	talloc_report_full(root, stderr);
+	talloc_unlink(root, p2);
+	talloc_report_full(root, stderr);
+	CHECK_BLOCKS("misc", p2, 1);
+	CHECK_BLOCKS("misc", p1, 1);
+	CHECK_BLOCKS("misc", root, 2);
+	talloc_unlink(NULL, p2);
+	talloc_unlink(root, p1);
+
+	/* Test that talloc_unlink is a no-op */
+
+	torture_assert("misc", talloc_unlink(root, NULL) == -1,
+		"failed: talloc_unlink(root, NULL) == -1\n");
+
+	talloc_report(root, stderr);
+	talloc_report(NULL, stderr);
+
+	CHECK_SIZE("misc", root, 0);
+
+	talloc_free(root);
+
+	CHECK_SIZE("misc", NULL, 0);
+
+	talloc_enable_leak_report();
+	talloc_enable_leak_report_full();
+
+	printf("success: misc\n");
+
+	return true;
+}
+
+
+/*
+  test realloc
+*/
+static bool test_realloc(void)
+{
+	void *root, *p1, *p2;
+
+	printf("test: realloc\n# REALLOC\n");
+
+	root = talloc_new(NULL);
+
+	p1 = talloc_size(root, 10);
+	CHECK_SIZE("realloc", p1, 10);
+
+	p1 = talloc_realloc_size(NULL, p1, 20);
+	CHECK_SIZE("realloc", p1, 20);
+
+	talloc_new(p1);
+
+	p2 = talloc_realloc_size(p1, NULL, 30);
+
+	talloc_new(p1);
+
+	p2 = talloc_realloc_size(p1, p2, 40);
+
+	CHECK_SIZE("realloc", p2, 40);
+	CHECK_SIZE("realloc", root, 60);
+	CHECK_BLOCKS("realloc", p1, 4);
+
+	p1 = talloc_realloc_size(NULL, p1, 20);
+	CHECK_SIZE("realloc", p1, 60);
+
+	talloc_increase_ref_count(p2);
+	torture_assert("realloc", talloc_realloc_size(NULL, p2, 5) == NULL,
+		"failed: talloc_realloc() on a referenced pointer should fail\n");
+	CHECK_BLOCKS("realloc", p1, 4);
+
+	talloc_realloc_size(NULL, p2, 0);
+	talloc_realloc_size(NULL, p2, 0);
+	CHECK_BLOCKS("realloc", p1, 3);
+
+	torture_assert("realloc", talloc_realloc_size(NULL, p1, 0x7fffffff) == NULL,
+		"failed: oversize talloc should fail\n");
+
+	talloc_realloc_size(NULL, p1, 0);
+
+	CHECK_BLOCKS("realloc", root, 1);
+	CHECK_SIZE("realloc", root, 0);
+
+	talloc_free(root);
+
+	printf("success: realloc\n");
+
+	return true;
+}
+
+/*
+  test realloc with a child
+*/
+static bool test_realloc_child(void)
+{
+	void *root;
+	struct el2 {
+		const char *name;
+	} *el2;	
+	struct el1 {
+		int count;
+		struct el2 **list, **list2, **list3;
+	} *el1;
+
+	printf("test: REALLOC WITH CHILD\n");
+
+	root = talloc_new(NULL);
+
+	el1 = talloc(root, struct el1);
+	el1->list = talloc(el1, struct el2 *);
+	el1->list[0] = talloc(el1->list, struct el2);
+	el1->list[0]->name = talloc_strdup(el1->list[0], "testing");
+
+	el1->list2 = talloc(el1, struct el2 *);
+	el1->list2[0] = talloc(el1->list2, struct el2);
+	el1->list2[0]->name = talloc_strdup(el1->list2[0], "testing2");
+
+	el1->list3 = talloc(el1, struct el2 *);
+	el1->list3[0] = talloc(el1->list3, struct el2);
+	el1->list3[0]->name = talloc_strdup(el1->list3[0], "testing2");
+	
+	el2 = talloc(el1->list, struct el2);
+	el2 = talloc(el1->list2, struct el2);
+	el2 = talloc(el1->list3, struct el2);
+
+	el1->list = talloc_realloc(el1, el1->list, struct el2 *, 100);
+	el1->list2 = talloc_realloc(el1, el1->list2, struct el2 *, 200);
+	el1->list3 = talloc_realloc(el1, el1->list3, struct el2 *, 300);
+
+	talloc_free(root);
+
+	printf("success: REALLOC WITH CHILD\n");
+	return true;
+}
+
+/*
+  test type checking
+*/
+static bool test_type(void)
+{
+	void *root;
+	struct el1 {
+		int count;
+	};
+	struct el2 {
+		int count;
+	};
+	struct el1 *el1;
+
+	printf("test: type\n# talloc type checking\n");
+
+	root = talloc_new(NULL);
+
+	el1 = talloc(root, struct el1);
+
+	el1->count = 1;
+
+	torture_assert("type", talloc_get_type(el1, struct el1) == el1,
+		"type check failed on el1\n");
+	torture_assert("type", talloc_get_type(el1, struct el2) == NULL,
+		"type check failed on el1 with el2\n");
+	talloc_set_type(el1, struct el2);
+	torture_assert("type", talloc_get_type(el1, struct el2) == (struct el2 *)el1,
+		"type set failed on el1 with el2\n");
+
+	talloc_free(root);
+
+	printf("success: type\n");
+	return true;
+}
+
+/*
+  test steal
+*/
+static bool test_steal(void)
+{
+	void *root, *p1, *p2;
+
+	printf("test: steal\n# STEAL\n");
+
+	root = talloc_new(NULL);
+
+	p1 = talloc_array(root, char, 10);
+	CHECK_SIZE("steal", p1, 10);
+
+	p2 = talloc_realloc(root, NULL, char, 20);
+	CHECK_SIZE("steal", p1, 10);
+	CHECK_SIZE("steal", root, 30);
+
+	torture_assert("steal", talloc_steal(p1, NULL) == NULL,
+		"failed: stealing NULL should give NULL\n");
+
+	torture_assert("steal", talloc_steal(p1, p1) == p1,
+		"failed: stealing to ourselves is a nop\n");
+	CHECK_BLOCKS("steal", root, 3);
+	CHECK_SIZE("steal", root, 30);
+
+	talloc_steal(NULL, p1);
+	talloc_steal(NULL, p2);
+	CHECK_BLOCKS("steal", root, 1);
+	CHECK_SIZE("steal", root, 0);
+
+	talloc_free(p1);
+	talloc_steal(root, p2);
+	CHECK_BLOCKS("steal", root, 2);
+	CHECK_SIZE("steal", root, 20);
+	
+	talloc_free(p2);
+
+	CHECK_BLOCKS("steal", root, 1);
+	CHECK_SIZE("steal", root, 0);
+
+	talloc_free(root);
+
+	p1 = talloc_size(NULL, 3);
+	talloc_report_full(NULL, stderr);
+	CHECK_SIZE("steal", NULL, 3);
+	talloc_free(p1);
+
+	printf("success: steal\n");
+	return true;
+}
+
+/*
+  test move
+*/
+static bool test_move(void)
+{
+	void *root;
+	struct t_move {
+		char *p;
+		int *x;
+	} *t1, *t2;
+
+	printf("test: move\n# MOVE\n");
+
+	root = talloc_new(NULL);
+
+	t1 = talloc(root, struct t_move);
+	t2 = talloc(root, struct t_move);
+	t1->p = talloc_strdup(t1, "foo");
+	t1->x = talloc(t1, int);
+	*t1->x = 42;
+
+	t2->p = talloc_move(t2, &t1->p);
+	t2->x = talloc_move(t2, &t1->x);
+	torture_assert("move", t1->p == NULL && t1->x == NULL &&
+	    strcmp(t2->p, "foo") == 0 && *t2->x == 42,
+		"talloc move failed");
+
+	talloc_free(root);
+
+	printf("success: move\n");
+
+	return true;
+}
+
+/*
+  test talloc_realloc_fn
+*/
+static bool test_realloc_fn(void)
+{
+	void *root, *p1;
+
+	printf("test: realloc_fn\n# talloc_realloc_fn\n");
+
+	root = talloc_new(NULL);
+
+	p1 = talloc_realloc_fn(root, NULL, 10);
+	CHECK_BLOCKS("realloc_fn", root, 2);
+	CHECK_SIZE("realloc_fn", root, 10);
+	p1 = talloc_realloc_fn(root, p1, 20);
+	CHECK_BLOCKS("realloc_fn", root, 2);
+	CHECK_SIZE("realloc_fn", root, 20);
+	p1 = talloc_realloc_fn(root, p1, 0);
+	CHECK_BLOCKS("realloc_fn", root, 1);
+	CHECK_SIZE("realloc_fn", root, 0);
+
+	talloc_free(root);
+
+	printf("success: realloc_fn\n");
+	return true;
+}
+
+
+static bool test_unref_reparent(void)
+{
+	void *root, *p1, *p2, *c1;
+
+	printf("test: unref_reparent\n# UNREFERENCE AFTER PARENT FREED\n");
+
+	root = talloc_named_const(NULL, 0, "root");
+	p1 = talloc_named_const(root, 1, "orig parent");
+	p2 = talloc_named_const(root, 1, "parent by reference");
+
+	c1 = talloc_named_const(p1, 1, "child");
+	talloc_reference(p2, c1);
+
+	CHECK_PARENT("unref_reparent", c1, p1);
+
+	talloc_free(p1);
+
+	CHECK_PARENT("unref_reparent", c1, p2);
+
+	talloc_unlink(p2, c1);
+
+	CHECK_SIZE("unref_reparent", root, 1);
+
+	talloc_free(p2);
+	talloc_free(root);
+
+	printf("success: unref_reparent\n");
+	return true;
+}
+
+/*
+  measure the speed of talloc versus malloc
+*/
+static bool test_speed(void)
+{
+	void *ctx = talloc_new(NULL);
+	unsigned count;
+	const int loop = 1000;
+	int i;
+	struct timeval tv;
+
+	printf("test: speed\n# TALLOC VS MALLOC SPEED\n");
+
+	tv = timeval_current();
+	count = 0;
+	do {
+		void *p1, *p2, *p3;
+		for (i=0;i<loop;i++) {
+			p1 = talloc_size(ctx, loop % 100);
+			p2 = talloc_strdup(p1, "foo bar");
+			p3 = talloc_size(p1, 300);
+			talloc_free(p1);
+		}
+		count += 3 * loop;
+	} while (timeval_elapsed(&tv) < 5.0);
+
+	fprintf(stderr, "talloc: %.0f ops/sec\n", count/timeval_elapsed(&tv));
+
+	talloc_free(ctx);
+
+	ctx = talloc_pool(NULL, 1024);
+
+	tv = timeval_current();
+	count = 0;
+	do {
+		void *p1, *p2, *p3;
+		for (i=0;i<loop;i++) {
+			p1 = talloc_size(ctx, loop % 100);
+			p2 = talloc_strdup(p1, "foo bar");
+			p3 = talloc_size(p1, 300);
+			talloc_free_children(ctx);
+		}
+		count += 3 * loop;
+	} while (timeval_elapsed(&tv) < 5.0);
+
+	talloc_free(ctx);
+
+	fprintf(stderr, "talloc_pool: %.0f ops/sec\n", count/timeval_elapsed(&tv));
+
+	tv = timeval_current();
+	count = 0;
+	do {
+		void *p1, *p2, *p3;
+		for (i=0;i<loop;i++) {
+			p1 = malloc(loop % 100);
+			p2 = strdup("foo bar");
+			p3 = malloc(300);
+			free(p1);
+			free(p2);
+			free(p3);
+		}
+		count += 3 * loop;
+	} while (timeval_elapsed(&tv) < 5.0);
+	fprintf(stderr, "malloc: %.0f ops/sec\n", count/timeval_elapsed(&tv));
+
+	printf("success: speed\n");
+
+	return true;
+}
+
+static bool test_lifeless(void)
+{
+	void *top = talloc_new(NULL);
+	char *parent, *child; 
+	void *child_owner = talloc_new(NULL);
+
+	printf("test: lifeless\n# TALLOC_UNLINK LOOP\n");
+
+	parent = talloc_strdup(top, "parent");
+	child = talloc_strdup(parent, "child");  
+	(void)talloc_reference(child, parent);
+	(void)talloc_reference(child_owner, child); 
+	talloc_report_full(top, stderr);
+	talloc_unlink(top, parent);
+	talloc_free(child);
+	talloc_report_full(top, stderr);
+	talloc_free(top);
+	talloc_free(child_owner);
+	talloc_free(child);
+
+	printf("success: lifeless\n");
+	return true;
+}
+
+static int loop_destructor_count;
+
+static int test_loop_destructor(char *ptr)
+{
+	loop_destructor_count++;
+	return 0;
+}
+
+static bool test_loop(void)
+{
+	void *top = talloc_new(NULL);
+	char *parent;
+	struct req1 {
+		char *req2, *req3;
+	} *req1;
+
+	printf("test: loop\n# TALLOC LOOP DESTRUCTION\n");
+
+	parent = talloc_strdup(top, "parent");
+	req1 = talloc(parent, struct req1);
+	req1->req2 = talloc_strdup(req1, "req2");  
+	talloc_set_destructor(req1->req2, test_loop_destructor);
+	req1->req3 = talloc_strdup(req1, "req3");
+	(void)talloc_reference(req1->req3, req1);
+	talloc_report_full(top, stderr);
+	talloc_free(parent);
+	talloc_report_full(top, stderr);
+	talloc_report_full(NULL, stderr);
+	talloc_free(top);
+
+	torture_assert("loop", loop_destructor_count == 1, 
+				   "FAILED TO FIRE LOOP DESTRUCTOR\n");
+	loop_destructor_count = 0;
+
+	printf("success: loop\n");
+	return true;
+}
+
+static int fail_destructor_str(char *ptr)
+{
+	return -1;
+}
+
+static bool test_free_parent_deny_child(void)
+{
+	void *top = talloc_new(NULL);
+	char *level1;
+	char *level2;
+	char *level3;
+
+	printf("test: free_parent_deny_child\n# TALLOC FREE PARENT DENY CHILD\n");
+
+	level1 = talloc_strdup(top, "level1");
+	level2 = talloc_strdup(level1, "level2");
+	level3 = talloc_strdup(level2, "level3");
+
+	talloc_set_destructor(level3, fail_destructor_str);
+	talloc_free(level1);
+	talloc_set_destructor(level3, NULL);
+
+	CHECK_PARENT("free_parent_deny_child", level3, top);
+
+	talloc_free(top);
+
+	printf("success: free_parent_deny_child\n");
+	return true;
+}
+
+static bool test_talloc_ptrtype(void)
+{
+	void *top = talloc_new(NULL);
+	struct struct1 {
+		int foo;
+		int bar;
+	} *s1, *s2, **s3, ***s4;
+	const char *location1;
+	const char *location2;
+	const char *location3;
+	const char *location4;
+
+	printf("test: ptrtype\n# TALLOC PTRTYPE\n");
+
+	s1 = talloc_ptrtype(top, s1);location1 = __location__;
+
+	if (talloc_get_size(s1) != sizeof(struct struct1)) {
+		printf("failure: ptrtype [\n"
+		  "talloc_ptrtype() allocated the wrong size %lu (should be %lu)\n"
+		  "]\n", (unsigned long)talloc_get_size(s1),
+		           (unsigned long)sizeof(struct struct1));
+		return false;
+	}
+
+	if (strcmp(location1, talloc_get_name(s1)) != 0) {
+		printf("failure: ptrtype [\n"
+		  "talloc_ptrtype() sets the wrong name '%s' (should be '%s')\n]\n",
+			talloc_get_name(s1), location1);
+		return false;
+	}
+
+	s2 = talloc_array_ptrtype(top, s2, 10);location2 = __location__;
+
+	if (talloc_get_size(s2) != (sizeof(struct struct1) * 10)) {
+		printf("failure: ptrtype [\n"
+			   "talloc_array_ptrtype() allocated the wrong size "
+		       "%lu (should be %lu)\n]\n",
+			(unsigned long)talloc_get_size(s2),
+		    (unsigned long)(sizeof(struct struct1)*10));
+		return false;
+	}
+
+	if (strcmp(location2, talloc_get_name(s2)) != 0) {
+		printf("failure: ptrtype [\n"
+		"talloc_array_ptrtype() sets the wrong name '%s' (should be '%s')\n]\n",
+			talloc_get_name(s2), location2);
+		return false;
+	}
+
+	s3 = talloc_array_ptrtype(top, s3, 10);location3 = __location__;
+
+	if (talloc_get_size(s3) != (sizeof(struct struct1 *) * 10)) {
+		printf("failure: ptrtype [\n"
+			   "talloc_array_ptrtype() allocated the wrong size "
+		       "%lu (should be %lu)\n]\n",
+			   (unsigned long)talloc_get_size(s3),
+		       (unsigned long)(sizeof(struct struct1 *)*10));
+		return false;
+	}
+
+	torture_assert_str_equal("ptrtype", location3, talloc_get_name(s3),
+		"talloc_array_ptrtype() sets the wrong name");
+
+	s4 = talloc_array_ptrtype(top, s4, 10);location4 = __location__;
+
+	if (talloc_get_size(s4) != (sizeof(struct struct1 **) * 10)) {
+		printf("failure: ptrtype [\n"
+		      "talloc_array_ptrtype() allocated the wrong size "
+		       "%lu (should be %lu)\n]\n",
+			   (unsigned long)talloc_get_size(s4),
+		       (unsigned long)(sizeof(struct struct1 **)*10));
+		return false;
+	}
+
+	torture_assert_str_equal("ptrtype", location4, talloc_get_name(s4),
+		"talloc_array_ptrtype() sets the wrong name");
+
+	talloc_free(top);
+
+	printf("success: ptrtype\n");
+	return true;
+}
+
+static int _test_talloc_free_in_destructor(void **ptr)
+{
+	talloc_free(*ptr);
+	return 0;
+}
+
+static bool test_talloc_free_in_destructor(void)
+{
+	void *level0;
+	void *level1;
+	void *level2;
+	void *level3;
+	void *level4;
+	void **level5;
+
+	printf("test: free_in_destructor\n# TALLOC FREE IN DESTRUCTOR\n");
+
+	level0 = talloc_new(NULL);
+	level1 = talloc_new(level0);
+	level2 = talloc_new(level1);
+	level3 = talloc_new(level2);
+	level4 = talloc_new(level3);
+	level5 = talloc(level4, void *);
+
+	*level5 = level3;
+	(void)talloc_reference(level0, level3);
+	(void)talloc_reference(level3, level3);
+	(void)talloc_reference(level5, level3);
+
+	talloc_set_destructor(level5, _test_talloc_free_in_destructor);
+
+	talloc_free(level1);
+
+	talloc_free(level0);
+
+	printf("success: free_in_destructor\n");
+	return true;
+}
+
+static bool test_autofree(void)
+{
+#if _SAMBA_BUILD_ < 4
+	/* autofree test would kill smbtorture */
+	void *p;
+	printf("test: autofree\n# TALLOC AUTOFREE CONTEXT\n");
+
+	p = talloc_autofree_context();
+	talloc_free(p);
+
+	p = talloc_autofree_context();
+	talloc_free(p);
+
+	printf("success: autofree\n");
+#endif
+	return true;
+}
+
+static bool test_pool(void)
+{
+	void *pool;
+	void *p1, *p2, *p3, *p4;
+
+	pool = talloc_pool(NULL, 1024);
+
+	p1 = talloc_size(pool, 80);
+	p2 = talloc_size(pool, 20);
+	p3 = talloc_size(p1, 50);
+	p4 = talloc_size(p3, 1000);
+
+	talloc_free(pool);
+
+	return true;
+}
+
+struct torture_context;
+bool torture_local_talloc(struct torture_context *tctx)
+{
+	bool ret = true;
+
+	setlinebuf(stdout);
+
+	talloc_disable_null_tracking();
+	talloc_enable_null_tracking();
+
+	ret &= test_ref1();
+	ret &= test_ref2();
+	ret &= test_ref3();
+	ret &= test_ref4();
+	ret &= test_unlink1(); 
+	ret &= test_misc();
+	ret &= test_realloc();
+	ret &= test_realloc_child(); 
+	ret &= test_steal(); 
+	ret &= test_move(); 
+	ret &= test_unref_reparent();
+	ret &= test_realloc_fn(); 
+	ret &= test_type();
+	ret &= test_lifeless(); 
+	ret &= test_loop();
+	ret &= test_free_parent_deny_child(); 
+	ret &= test_talloc_ptrtype();
+	ret &= test_talloc_free_in_destructor();
+	ret &= test_pool();
+
+	if (ret) {
+		ret &= test_speed();
+	}
+	ret &= test_autofree();
+
+	return ret;
+}
+
+#if _SAMBA_BUILD_ < 4
+int main(void)
+{
+	bool ret = torture_local_talloc(NULL);
+	if (!ret)
+		return -1;
+	return 0;
+}
+#endif
diff --git a/source3/lib/talloc/web/index.html b/source3/lib/talloc/web/index.html
new file mode 100644
index 0000000000..5deab93665
--- /dev/null
+++ b/source3/lib/talloc/web/index.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>talloc</TITLE>
+</HEAD>
+<BODY BGCOLOR="#ffffff" TEXT="#000000" VLINK="#292555" LINK="#292555" ALINK="#cc0033">
+
+<h1>talloc</h1>
+
+talloc is a hierarchical pool based memory allocator with
+destructors. It is the core memory allocator used in Samba4, and has
+made a huge difference in many aspects of Samba4 development.<p>
+
+To get started with talloc, I would recommend you read the <a
+href="http://samba.org/ftp/unpacked/talloc/talloc_guide.txt">talloc guide</a>.
+
+<h2>Discussion and bug reports</h2>
+
+talloc does not currently have its own mailing list or bug tracking
+system. For now, please use the <a
+href="https://lists.samba.org/mailman/listinfo/samba-technical">samba-technical</a>
+mailing list, and the <a href="http://bugzilla.samba.org/">Samba
+bugzilla</a> bug tracking system.
+
+<h2>Download</h2>
+
+You can download the latest release either via rsync or git.<br>
+<br>
+To fetch via git see the following guide:<br>
+<a href="http://wiki.samba.org/index.php/Using_Git_for_Samba_Development">Using Git for Samba Development</a><br>
+Once you have cloned the tree switch to the v4-0-test branch and cd into the source/lib/talloc directory.<br>
+<br>
+To fetch via rsync use this command:
+
+<pre>
+  rsync -Pavz samba.org::ftp/unpacked/talloc .
+</pre>
+
+<hr>
+<tiny>
+<a href="http://samba.org/~tridge/">Andrew Tridgell</a><br>
+talloc AT tridgell.net
+</tiny>
+
+</BODY>
+</HTML>
diff --git a/source3/lib/talloc_stack.c b/source3/lib/talloc_stack.c
new file mode 100644
index 0000000000..2722fb9676
--- /dev/null
+++ b/source3/lib/talloc_stack.c
@@ -0,0 +1,130 @@
+/*
+   Unix SMB/CIFS implementation.
+   Implement a stack of talloc contexts
+   Copyright (C) Volker Lendecke 2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/*
+ * Implement a stack of talloc frames.
+ *
+ * When a new talloc stackframe is allocated with talloc_stackframe(), then
+ * the TALLOC_CTX returned with talloc_tos() is reset to that new
+ * frame. Whenever that stack frame is TALLOC_FREE()'ed, then the reverse
+ * happens: The previous talloc_tos() is restored.
+ *
+ * This API is designed to be robust in the sense that if someone forgets to
+ * TALLOC_FREE() a stackframe, then the next outer one correctly cleans up and
+ * resets the talloc_tos().
+ *
+ * This robustness feature means that we can't rely on a linked list with
+ * talloc destructors because in a hierarchy of talloc destructors the parent
+ * destructor is called before its children destructors. The child destructor
+ * called after the parent would set the talloc_tos() to the wrong value.
+ */
+
+#include "includes.h"
+
+static int talloc_stacksize;
+static int talloc_stack_arraysize;
+static TALLOC_CTX **talloc_stack;
+
+static int talloc_pop(TALLOC_CTX *frame)
+{
+	int i;
+
+	for (i=talloc_stacksize-1; i>0; i--) {
+		if (frame == talloc_stack[i]) {
+			break;
+		}
+		talloc_free(talloc_stack[i]);
+	}
+
+	talloc_stacksize = i;
+	return 0;
+}
+
+/*
+ * Create a new talloc stack frame.
+ *
+ * When free'd, it frees all stack frames that were created after this one and
+ * not explicitly freed.
+ */
+
+static TALLOC_CTX *talloc_stackframe_internal(size_t poolsize)
+{
+	TALLOC_CTX **tmp, *top, *parent;
+
+	if (talloc_stack_arraysize < talloc_stacksize + 1) {
+		tmp = TALLOC_REALLOC_ARRAY(NULL, talloc_stack, TALLOC_CTX *,
+					   talloc_stacksize + 1);
+		if (tmp == NULL) {
+			goto fail;
+		}
+		talloc_stack = tmp;
+		talloc_stack_arraysize = talloc_stacksize + 1;
+        }
+
+	if (talloc_stacksize == 0) {
+		parent = talloc_stack;
+	}
+	else {
+		parent = talloc_stack[talloc_stacksize-1];
+	}
+
+	if (poolsize) {
+		top = talloc_pool(parent, poolsize);
+	} else {
+		top = talloc_new(parent);
+	}
+
+	if (top == NULL) {
+		goto fail;
+	}
+
+	talloc_set_destructor(top, talloc_pop);
+
+	talloc_stack[talloc_stacksize++] = top;
+	return top;
+
+ fail:
+	smb_panic("talloc_stackframe failed");
+	return NULL;
+}
+
+TALLOC_CTX *talloc_stackframe(void)
+{
+	return talloc_stackframe_internal(0);
+}
+
+TALLOC_CTX *talloc_stackframe_pool(size_t poolsize)
+{
+	return talloc_stackframe_internal(poolsize);
+}
+
+/*
+ * Get us the current top of the talloc stack.
+ */
+
+TALLOC_CTX *talloc_tos(void)
+{
+	if (talloc_stacksize == 0) {
+		talloc_stackframe();
+		DEBUG(0, ("no talloc stackframe around, leaking memory\n"));
+	}
+
+	return talloc_stack[talloc_stacksize-1];
+}
diff --git a/source3/lib/tallocmsg.c b/source3/lib/tallocmsg.c
new file mode 100644
index 0000000000..b4bea5a5b5
--- /dev/null
+++ b/source3/lib/tallocmsg.c
@@ -0,0 +1,107 @@
+/* 
+   samba -- Unix SMB/CIFS implementation.
+   Copyright (C) 2001, 2002 by Martin Pool
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * @file tallocmsg.c
+ *
+ * Glue code between talloc profiling and the Samba messaging system.
+ **/
+
+struct msg_pool_usage_state {
+	TALLOC_CTX *mem_ctx;
+	ssize_t len;
+	size_t buflen;
+	char *s;
+};
+
+static void msg_pool_usage_helper(const void *ptr, int depth, int max_depth, int is_ref, void *_s)
+{
+	const char *name = talloc_get_name(ptr);
+	struct msg_pool_usage_state *state = (struct msg_pool_usage_state *)_s;
+
+	if (is_ref) {
+		sprintf_append(state->mem_ctx, &state->s, &state->len, &state->buflen,
+			       "%*sreference to: %s\n", depth*4, "", name);
+		return;
+	}
+
+	if (depth == 0) {
+		sprintf_append(state->mem_ctx, &state->s, &state->len, &state->buflen,
+			       "%stalloc report on '%s' (total %6lu bytes in %3lu blocks)\n", 
+			       (max_depth < 0 ? "full " :""), name,
+			       (unsigned long)talloc_total_size(ptr),
+			       (unsigned long)talloc_total_blocks(ptr));
+		return;
+	}
+
+	sprintf_append(state->mem_ctx, &state->s, &state->len, &state->buflen,
+		       "%*s%-30s contains %6lu bytes in %3lu blocks (ref %d)\n", 
+		       depth*4, "",
+		       name,
+		       (unsigned long)talloc_total_size(ptr),
+		       (unsigned long)talloc_total_blocks(ptr),
+		       talloc_reference_count(ptr));
+}
+
+/**
+ * Respond to a POOL_USAGE message by sending back string form of memory
+ * usage stats.
+ **/
+static void msg_pool_usage(struct messaging_context *msg_ctx,
+			   void *private_data, 
+			   uint32_t msg_type, 
+			   struct server_id src,
+			   DATA_BLOB *data)
+{
+	struct msg_pool_usage_state state;
+
+	SMB_ASSERT(msg_type == MSG_REQ_POOL_USAGE);
+	
+	DEBUG(2,("Got POOL_USAGE\n"));
+
+	state.mem_ctx = talloc_init("msg_pool_usage");
+	if (!state.mem_ctx) {
+		return;
+	}
+	state.len	= 0;
+	state.buflen	= 512;
+	state.s		= NULL;
+
+	talloc_report_depth_cb(NULL, 0, -1, msg_pool_usage_helper, &state);
+
+	if (!state.s) {
+		talloc_destroy(state.mem_ctx);
+		return;
+	}
+	
+	messaging_send_buf(msg_ctx, src, MSG_POOL_USAGE,
+			   (uint8 *)state.s, strlen(state.s)+1);
+
+	talloc_destroy(state.mem_ctx);
+}
+
+/**
+ * Register handler for MSG_REQ_POOL_USAGE
+ **/
+void register_msg_pool_usage(struct messaging_context *msg_ctx)
+{
+	messaging_register(msg_ctx, NULL, MSG_REQ_POOL_USAGE, msg_pool_usage);
+	DEBUG(2, ("Registered MSG_REQ_POOL_USAGE\n"));
+}	
diff --git a/source3/lib/tdb/Makefile.in b/source3/lib/tdb/Makefile.in
new file mode 100644
index 0000000000..090bb6e2dc
--- /dev/null
+++ b/source3/lib/tdb/Makefile.in
@@ -0,0 +1,59 @@
+#!gmake
+#
+# Makefile for tdb directory
+#
+
+CC = @CC@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+includedir = @includedir@
+libdir = @libdir@
+VPATH = @srcdir@:@libreplacedir@
+srcdir = @srcdir@
+builddir = @builddir@
+CPPFLAGS = @CPPFLAGS@ -I$(srcdir)/include -Iinclude 
+CFLAGS = $(CPPFLAGS) @CFLAGS@
+LDFLAGS = @LDFLAGS@
+EXEEXT = @EXEEXT@
+SHLD = @SHLD@
+SHLD_FLAGS = @SHLD_FLAGS@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PICFLAG = @PICFLAG@
+SHLIBEXT = @SHLIBEXT@
+SWIG = swig
+PYTHON = @PYTHON@
+PYTHON_CONFIG = @PYTHON_CONFIG@
+PYTHON_BUILD_TARGET = @PYTHON_BUILD_TARGET@
+PYTHON_INSTALL_TARGET = @PYTHON_INSTALL_TARGET@
+PYTHON_CHECK_TARGET = @PYTHON_CHECK_TARGET@
+LIB_PATH_VAR = @LIB_PATH_VAR@
+tdbdir = @tdbdir@
+
+TDB_OBJ = @TDB_OBJ@ @LIBREPLACEOBJ@
+
+default: all
+
+include $(tdbdir)/tdb.mk
+include $(tdbdir)/rules.mk
+
+all:: showflags dirs $(PROGS) $(TDB_SOLIB) libtdb.a $(PYTHON_BUILD_TARGET)
+
+install:: all
+$(TDB_SOLIB): $(TDB_OBJ)
+	$(SHLD) $(SHLD_FLAGS) -o $@ $(TDB_OBJ) @SONAMEFLAG@$(TDB_SONAME)
+
+check: test
+
+test:: $(PYTHON_CHECK_TARGET)
+installcheck:: test install
+
+clean::
+	rm -f *.o *.a */*.o
+
+distclean:: clean
+	rm -f config.log config.status include/config.h config.cache
+	rm -f Makefile
+
+realdistclean:: distclean
+	rm -f configure include/config.h.in
diff --git a/source3/lib/tdb/aclocal.m4 b/source3/lib/tdb/aclocal.m4
new file mode 100644
index 0000000000..5605e476ba
--- /dev/null
+++ b/source3/lib/tdb/aclocal.m4
@@ -0,0 +1 @@
+m4_include(libreplace.m4)
diff --git a/source3/lib/tdb/autogen.sh b/source3/lib/tdb/autogen.sh
new file mode 100755
index 0000000000..88ac4cfcf7
--- /dev/null
+++ b/source3/lib/tdb/autogen.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+rm -rf autom4te.cache
+rm -f configure config.h.in
+
+IPATHS="-I libreplace -I lib/replace -I ../libreplace -I ../replace"
+autoconf $IPATHS || exit 1
+autoheader $IPATHS || exit 1
+
+rm -rf autom4te.cache
+
+swig -O -Wall -python -keyword tdb.i # Ignore errors for now
+
+echo "Now run ./configure and then make."
+exit 0
+
diff --git a/source3/lib/tdb/common/dump.c b/source3/lib/tdb/common/dump.c
new file mode 100644
index 0000000000..d1c902ddfd
--- /dev/null
+++ b/source3/lib/tdb/common/dump.c
@@ -0,0 +1,137 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+static tdb_off_t tdb_dump_record(struct tdb_context *tdb, int hash,
+				 tdb_off_t offset)
+{
+	struct list_struct rec;
+	tdb_off_t tailer_ofs, tailer;
+
+	if (tdb->methods->tdb_read(tdb, offset, (char *)&rec, 
+				   sizeof(rec), DOCONV()) == -1) {
+		printf("ERROR: failed to read record at %u\n", offset);
+		return 0;
+	}
+
+	printf(" rec: hash=%d offset=0x%08x next=0x%08x rec_len=%d "
+	       "key_len=%d data_len=%d full_hash=0x%x magic=0x%x\n",
+	       hash, offset, rec.next, rec.rec_len, rec.key_len, rec.data_len,
+	       rec.full_hash, rec.magic);
+
+	tailer_ofs = offset + sizeof(rec) + rec.rec_len - sizeof(tdb_off_t);
+
+	if (tdb_ofs_read(tdb, tailer_ofs, &tailer) == -1) {
+		printf("ERROR: failed to read tailer at %u\n", tailer_ofs);
+		return rec.next;
+	}
+
+	if (tailer != rec.rec_len + sizeof(rec)) {
+		printf("ERROR: tailer does not match record! tailer=%u totalsize=%u\n",
+				(unsigned int)tailer, (unsigned int)(rec.rec_len + sizeof(rec)));
+	}
+	return rec.next;
+}
+
+static int tdb_dump_chain(struct tdb_context *tdb, int i)
+{
+	tdb_off_t rec_ptr, top;
+
+	top = TDB_HASH_TOP(i);
+
+	if (tdb_lock(tdb, i, F_WRLCK) != 0)
+		return -1;
+
+	if (tdb_ofs_read(tdb, top, &rec_ptr) == -1)
+		return tdb_unlock(tdb, i, F_WRLCK);
+
+	if (rec_ptr)
+		printf("hash=%d\n", i);
+
+	while (rec_ptr) {
+		rec_ptr = tdb_dump_record(tdb, i, rec_ptr);
+	}
+
+	return tdb_unlock(tdb, i, F_WRLCK);
+}
+
+void tdb_dump_all(struct tdb_context *tdb)
+{
+	int i;
+	for (i=0;i<tdb->header.hash_size;i++) {
+		tdb_dump_chain(tdb, i);
+	}
+	printf("freelist:\n");
+	tdb_dump_chain(tdb, -1);
+}
+
+int tdb_printfreelist(struct tdb_context *tdb)
+{
+	int ret;
+	long total_free = 0;
+	tdb_off_t offset, rec_ptr;
+	struct list_struct rec;
+
+	if ((ret = tdb_lock(tdb, -1, F_WRLCK)) != 0)
+		return ret;
+
+	offset = FREELIST_TOP;
+
+	/* read in the freelist top */
+	if (tdb_ofs_read(tdb, offset, &rec_ptr) == -1) {
+		tdb_unlock(tdb, -1, F_WRLCK);
+		return 0;
+	}
+
+	printf("freelist top=[0x%08x]\n", rec_ptr );
+	while (rec_ptr) {
+		if (tdb->methods->tdb_read(tdb, rec_ptr, (char *)&rec, 
+					   sizeof(rec), DOCONV()) == -1) {
+			tdb_unlock(tdb, -1, F_WRLCK);
+			return -1;
+		}
+
+		if (rec.magic != TDB_FREE_MAGIC) {
+			printf("bad magic 0x%08x in free list\n", rec.magic);
+			tdb_unlock(tdb, -1, F_WRLCK);
+			return -1;
+		}
+
+		printf("entry offset=[0x%08x], rec.rec_len = [0x%08x (%d)] (end = 0x%08x)\n", 
+		       rec_ptr, rec.rec_len, rec.rec_len, rec_ptr + rec.rec_len);
+		total_free += rec.rec_len;
+
+		/* move to the next record */
+		rec_ptr = rec.next;
+	}
+	printf("total rec_len = [0x%08x (%d)]\n", (int)total_free, 
+               (int)total_free);
+
+	return tdb_unlock(tdb, -1, F_WRLCK);
+}
+
diff --git a/source3/lib/tdb/common/error.c b/source3/lib/tdb/common/error.c
new file mode 100644
index 0000000000..195ab23815
--- /dev/null
+++ b/source3/lib/tdb/common/error.c
@@ -0,0 +1,57 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+enum TDB_ERROR tdb_error(struct tdb_context *tdb)
+{
+	return tdb->ecode;
+}
+
+static struct tdb_errname {
+	enum TDB_ERROR ecode; const char *estring;
+} emap[] = { {TDB_SUCCESS, "Success"},
+	     {TDB_ERR_CORRUPT, "Corrupt database"},
+	     {TDB_ERR_IO, "IO Error"},
+	     {TDB_ERR_LOCK, "Locking error"},
+	     {TDB_ERR_OOM, "Out of memory"},
+	     {TDB_ERR_EXISTS, "Record exists"},
+	     {TDB_ERR_NOLOCK, "Lock exists on other keys"},
+	     {TDB_ERR_EINVAL, "Invalid parameter"},
+	     {TDB_ERR_NOEXIST, "Record does not exist"},
+	     {TDB_ERR_RDONLY, "write not permitted"} };
+
+/* Error string for the last tdb error */
+const char *tdb_errorstr(struct tdb_context *tdb)
+{
+	uint32_t i;
+	for (i = 0; i < sizeof(emap) / sizeof(struct tdb_errname); i++)
+		if (tdb->ecode == emap[i].ecode)
+			return emap[i].estring;
+	return "Invalid error code";
+}
+
diff --git a/source3/lib/tdb/common/freelist.c b/source3/lib/tdb/common/freelist.c
new file mode 100644
index 0000000000..2f2a4c379b
--- /dev/null
+++ b/source3/lib/tdb/common/freelist.c
@@ -0,0 +1,382 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+/* 'right' merges can involve O(n^2) cost when combined with a
+   traverse, so they are disabled until we find a way to do them in 
+   O(1) time
+*/
+#define USE_RIGHT_MERGES 0
+
+/* read a freelist record and check for simple errors */
+int tdb_rec_free_read(struct tdb_context *tdb, tdb_off_t off, struct list_struct *rec)
+{
+	if (tdb->methods->tdb_read(tdb, off, rec, sizeof(*rec),DOCONV()) == -1)
+		return -1;
+
+	if (rec->magic == TDB_MAGIC) {
+		/* this happens when a app is showdown while deleting a record - we should
+		   not completely fail when this happens */
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_rec_free_read non-free magic 0x%x at offset=%d - fixing\n", 
+			 rec->magic, off));
+		rec->magic = TDB_FREE_MAGIC;
+		if (tdb->methods->tdb_write(tdb, off, rec, sizeof(*rec)) == -1)
+			return -1;
+	}
+
+	if (rec->magic != TDB_FREE_MAGIC) {
+		/* Ensure ecode is set for log fn. */
+		tdb->ecode = TDB_ERR_CORRUPT;
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_rec_free_read bad magic 0x%x at offset=%d\n", 
+			   rec->magic, off));
+		return TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
+	}
+	if (tdb->methods->tdb_oob(tdb, rec->next+sizeof(*rec), 0) != 0)
+		return -1;
+	return 0;
+}
+
+
+#if USE_RIGHT_MERGES
+/* Remove an element from the freelist.  Must have alloc lock. */
+static int remove_from_freelist(struct tdb_context *tdb, tdb_off_t off, tdb_off_t next)
+{
+	tdb_off_t last_ptr, i;
+
+	/* read in the freelist top */
+	last_ptr = FREELIST_TOP;
+	while (tdb_ofs_read(tdb, last_ptr, &i) != -1 && i != 0) {
+		if (i == off) {
+			/* We've found it! */
+			return tdb_ofs_write(tdb, last_ptr, &next);
+		}
+		/* Follow chain (next offset is at start of record) */
+		last_ptr = i;
+	}
+	TDB_LOG((tdb, TDB_DEBUG_FATAL,"remove_from_freelist: not on list at off=%d\n", off));
+	return TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
+}
+#endif
+
+
+/* update a record tailer (must hold allocation lock) */
+static int update_tailer(struct tdb_context *tdb, tdb_off_t offset,
+			 const struct list_struct *rec)
+{
+	tdb_off_t totalsize;
+
+	/* Offset of tailer from record header */
+	totalsize = sizeof(*rec) + rec->rec_len;
+	return tdb_ofs_write(tdb, offset + totalsize - sizeof(tdb_off_t),
+			 &totalsize);
+}
+
+/* Add an element into the freelist. Merge adjacent records if
+   neccessary. */
+int tdb_free(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec)
+{
+	/* Allocation and tailer lock */
+	if (tdb_lock(tdb, -1, F_WRLCK) != 0)
+		return -1;
+
+	/* set an initial tailer, so if we fail we don't leave a bogus record */
+	if (update_tailer(tdb, offset, rec) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: update_tailer failed!\n"));
+		goto fail;
+	}
+
+#if USE_RIGHT_MERGES
+	/* Look right first (I'm an Australian, dammit) */
+	if (offset + sizeof(*rec) + rec->rec_len + sizeof(*rec) <= tdb->map_size) {
+		tdb_off_t right = offset + sizeof(*rec) + rec->rec_len;
+		struct list_struct r;
+
+		if (tdb->methods->tdb_read(tdb, right, &r, sizeof(r), DOCONV()) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: right read failed at %u\n", right));
+			goto left;
+		}
+
+		/* If it's free, expand to include it. */
+		if (r.magic == TDB_FREE_MAGIC) {
+			if (remove_from_freelist(tdb, right, r.next) == -1) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: right free failed at %u\n", right));
+				goto left;
+			}
+			rec->rec_len += sizeof(r) + r.rec_len;
+			if (update_tailer(tdb, offset, rec) == -1) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: update_tailer failed at %u\n", offset));
+				goto fail;
+			}
+		}
+	}
+left:
+#endif
+
+	/* Look left */
+	if (offset - sizeof(tdb_off_t) > TDB_DATA_START(tdb->header.hash_size)) {
+		tdb_off_t left = offset - sizeof(tdb_off_t);
+		struct list_struct l;
+		tdb_off_t leftsize;
+		
+		/* Read in tailer and jump back to header */
+		if (tdb_ofs_read(tdb, left, &leftsize) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: left offset read failed at %u\n", left));
+			goto update;
+		}
+
+		/* it could be uninitialised data */
+		if (leftsize == 0 || leftsize == TDB_PAD_U32) {
+			goto update;
+		}
+
+		left = offset - leftsize;
+
+		if (leftsize > offset ||
+		    left < TDB_DATA_START(tdb->header.hash_size)) {
+			goto update;
+		}
+
+		/* Now read in the left record */
+		if (tdb->methods->tdb_read(tdb, left, &l, sizeof(l), DOCONV()) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: left read failed at %u (%u)\n", left, leftsize));
+			goto update;
+		}
+
+		/* If it's free, expand to include it. */
+		if (l.magic == TDB_FREE_MAGIC) {
+			/* we now merge the new record into the left record, rather than the other 
+			   way around. This makes the operation O(1) instead of O(n). This change
+			   prevents traverse from being O(n^2) after a lot of deletes */
+			l.rec_len += sizeof(*rec) + rec->rec_len;
+			if (tdb_rec_write(tdb, left, &l) == -1) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: update_left failed at %u\n", left));
+				goto fail;
+			}
+			if (update_tailer(tdb, left, &l) == -1) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free: update_tailer failed at %u\n", offset));
+				goto fail;
+			}
+			tdb_unlock(tdb, -1, F_WRLCK);
+			return 0;
+		}
+	}
+
+update:
+
+	/* Now, prepend to free list */
+	rec->magic = TDB_FREE_MAGIC;
+
+	if (tdb_ofs_read(tdb, FREELIST_TOP, &rec->next) == -1 ||
+	    tdb_rec_write(tdb, offset, rec) == -1 ||
+	    tdb_ofs_write(tdb, FREELIST_TOP, &offset) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_free record write failed at offset=%d\n", offset));
+		goto fail;
+	}
+
+	/* And we're done. */
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return 0;
+
+ fail:
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return -1;
+}
+
+
+
+/* 
+   the core of tdb_allocate - called when we have decided which
+   free list entry to use
+
+   Note that we try to allocate by grabbing data from the end of an existing record,
+   not the beginning. This is so the left merge in a free is more likely to be
+   able to free up the record without fragmentation
+ */
+static tdb_off_t tdb_allocate_ofs(struct tdb_context *tdb, 
+				  tdb_len_t length, tdb_off_t rec_ptr,
+				  struct list_struct *rec, tdb_off_t last_ptr)
+{
+#define MIN_REC_SIZE (sizeof(struct list_struct) + sizeof(tdb_off_t) + 8)
+
+	if (rec->rec_len < length + MIN_REC_SIZE) {
+		/* we have to grab the whole record */
+
+		/* unlink it from the previous record */
+		if (tdb_ofs_write(tdb, last_ptr, &rec->next) == -1) {
+			return 0;
+		}
+
+		/* mark it not free */
+		rec->magic = TDB_MAGIC;
+		if (tdb_rec_write(tdb, rec_ptr, rec) == -1) {
+			return 0;
+		}
+		return rec_ptr;
+	}
+
+	/* we're going to just shorten the existing record */
+	rec->rec_len -= (length + sizeof(*rec));
+	if (tdb_rec_write(tdb, rec_ptr, rec) == -1) {
+		return 0;
+	}
+	if (update_tailer(tdb, rec_ptr, rec) == -1) {
+		return 0;
+	}
+
+	/* and setup the new record */
+	rec_ptr += sizeof(*rec) + rec->rec_len;	
+
+	memset(rec, '\0', sizeof(*rec));
+	rec->rec_len = length;
+	rec->magic = TDB_MAGIC;
+
+	if (tdb_rec_write(tdb, rec_ptr, rec) == -1) {
+		return 0;
+	}
+
+	if (update_tailer(tdb, rec_ptr, rec) == -1) {
+		return 0;
+	}
+
+	return rec_ptr;
+}
+
+/* allocate some space from the free list. The offset returned points
+   to a unconnected list_struct within the database with room for at
+   least length bytes of total data
+
+   0 is returned if the space could not be allocated
+ */
+tdb_off_t tdb_allocate(struct tdb_context *tdb, tdb_len_t length, struct list_struct *rec)
+{
+	tdb_off_t rec_ptr, last_ptr, newrec_ptr;
+	struct {
+		tdb_off_t rec_ptr, last_ptr;
+		tdb_len_t rec_len;
+	} bestfit;
+	float multiplier = 1.0;
+
+	if (tdb_lock(tdb, -1, F_WRLCK) == -1)
+		return 0;
+
+	/* Extra bytes required for tailer */
+	length += sizeof(tdb_off_t);
+	length = TDB_ALIGN(length, TDB_ALIGNMENT);
+
+ again:
+	last_ptr = FREELIST_TOP;
+
+	/* read in the freelist top */
+	if (tdb_ofs_read(tdb, FREELIST_TOP, &rec_ptr) == -1)
+		goto fail;
+
+	bestfit.rec_ptr = 0;
+	bestfit.last_ptr = 0;
+	bestfit.rec_len = 0;
+
+	/* 
+	   this is a best fit allocation strategy. Originally we used
+	   a first fit strategy, but it suffered from massive fragmentation
+	   issues when faced with a slowly increasing record size.
+	 */
+	while (rec_ptr) {
+		if (tdb_rec_free_read(tdb, rec_ptr, rec) == -1) {
+			goto fail;
+		}
+
+		if (rec->rec_len >= length) {
+			if (bestfit.rec_ptr == 0 ||
+			    rec->rec_len < bestfit.rec_len) {
+				bestfit.rec_len = rec->rec_len;
+				bestfit.rec_ptr = rec_ptr;
+				bestfit.last_ptr = last_ptr;
+			}
+		}
+
+		/* move to the next record */
+		last_ptr = rec_ptr;
+		rec_ptr = rec->next;
+
+		/* if we've found a record that is big enough, then
+		   stop searching if its also not too big. The
+		   definition of 'too big' changes as we scan
+		   through */
+		if (bestfit.rec_len > 0 &&
+		    bestfit.rec_len < length * multiplier) {
+			break;
+		}
+		
+		/* this multiplier means we only extremely rarely
+		   search more than 50 or so records. At 50 records we
+		   accept records up to 11 times larger than what we
+		   want */
+		multiplier *= 1.05;
+	}
+
+	if (bestfit.rec_ptr != 0) {
+		if (tdb_rec_free_read(tdb, bestfit.rec_ptr, rec) == -1) {
+			goto fail;
+		}
+
+		newrec_ptr = tdb_allocate_ofs(tdb, length, bestfit.rec_ptr, 
+					      rec, bestfit.last_ptr);
+		tdb_unlock(tdb, -1, F_WRLCK);
+		return newrec_ptr;
+	}
+
+	/* we didn't find enough space. See if we can expand the
+	   database and if we can then try again */
+	if (tdb_expand(tdb, length + sizeof(*rec)) == 0)
+		goto again;
+ fail:
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return 0;
+}
+
+
+
+/* 
+   return the size of the freelist - used to decide if we should repack 
+*/
+int tdb_freelist_size(struct tdb_context *tdb)
+{
+	tdb_off_t ptr;
+	int count=0;
+
+	if (tdb_lock(tdb, -1, F_RDLCK) == -1) {
+		return -1;
+	}
+
+	ptr = FREELIST_TOP;
+	while (tdb_ofs_read(tdb, ptr, &ptr) == 0 && ptr != 0) {
+		count++;
+	}
+
+	tdb_unlock(tdb, -1, F_RDLCK);
+	return count;
+}
diff --git a/source3/lib/tdb/common/freelistcheck.c b/source3/lib/tdb/common/freelistcheck.c
new file mode 100644
index 0000000000..efc050df9c
--- /dev/null
+++ b/source3/lib/tdb/common/freelistcheck.c
@@ -0,0 +1,107 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Jeremy Allison                    2006
+
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+/* Check the freelist is good and contains no loops.
+   Very memory intensive - only do this as a consistency
+   checker. Heh heh - uses an in memory tdb as the storage
+   for the "seen" record list. For some reason this strikes
+   me as extremely clever as I don't have to write another tree
+   data structure implementation :-).
+ */
+
+static int seen_insert(struct tdb_context *mem_tdb, tdb_off_t rec_ptr)
+{
+	TDB_DATA key, data;
+
+	memset(&data, '\0', sizeof(data));
+	key.dptr = (unsigned char *)&rec_ptr;
+	key.dsize = sizeof(rec_ptr);
+	return tdb_store(mem_tdb, key, data, TDB_INSERT);
+}
+
+int tdb_validate_freelist(struct tdb_context *tdb, int *pnum_entries)
+{
+	struct tdb_context *mem_tdb = NULL;
+	struct list_struct rec;
+	tdb_off_t rec_ptr, last_ptr;
+	int ret = -1;
+
+	*pnum_entries = 0;
+
+	mem_tdb = tdb_open("flval", tdb->header.hash_size,
+				TDB_INTERNAL, O_RDWR, 0600);
+	if (!mem_tdb) {
+		return -1;
+	}
+
+	if (tdb_lock(tdb, -1, F_WRLCK) == -1) {
+		tdb_close(mem_tdb);
+		return 0;
+	}
+
+	last_ptr = FREELIST_TOP;
+
+	/* Store the FREELIST_TOP record. */
+	if (seen_insert(mem_tdb, last_ptr) == -1) {
+		ret = TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
+		goto fail;
+	}
+
+	/* read in the freelist top */
+	if (tdb_ofs_read(tdb, FREELIST_TOP, &rec_ptr) == -1) {
+		goto fail;
+	}
+
+	while (rec_ptr) {
+
+		/* If we can't store this record (we've seen it
+		   before) then the free list has a loop and must
+		   be corrupt. */
+
+		if (seen_insert(mem_tdb, rec_ptr)) {
+			ret = TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
+			goto fail;
+		}
+
+		if (tdb_rec_free_read(tdb, rec_ptr, &rec) == -1) {
+			goto fail;
+		}
+
+		/* move to the next record */
+		last_ptr = rec_ptr;
+		rec_ptr = rec.next;
+		*pnum_entries += 1;
+	}
+
+	ret = 0;
+
+  fail:
+
+	tdb_close(mem_tdb);
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return ret;
+}
diff --git a/source3/lib/tdb/common/io.c b/source3/lib/tdb/common/io.c
new file mode 100644
index 0000000000..661f761489
--- /dev/null
+++ b/source3/lib/tdb/common/io.c
@@ -0,0 +1,473 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "tdb_private.h"
+
+/* check for an out of bounds access - if it is out of bounds then
+   see if the database has been expanded by someone else and expand
+   if necessary 
+   note that "len" is the minimum length needed for the db
+*/
+static int tdb_oob(struct tdb_context *tdb, tdb_off_t len, int probe)
+{
+	struct stat st;
+	if (len <= tdb->map_size)
+		return 0;
+	if (tdb->flags & TDB_INTERNAL) {
+		if (!probe) {
+			/* Ensure ecode is set for log fn. */
+			tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_oob len %d beyond internal malloc size %d\n",
+				 (int)len, (int)tdb->map_size));
+		}
+		return TDB_ERRCODE(TDB_ERR_IO, -1);
+	}
+
+	if (fstat(tdb->fd, &st) == -1) {
+		return TDB_ERRCODE(TDB_ERR_IO, -1);
+	}
+
+	if (st.st_size < (size_t)len) {
+		if (!probe) {
+			/* Ensure ecode is set for log fn. */
+			tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_oob len %d beyond eof at %d\n",
+				 (int)len, (int)st.st_size));
+		}
+		return TDB_ERRCODE(TDB_ERR_IO, -1);
+	}
+
+	/* Unmap, update size, remap */
+	if (tdb_munmap(tdb) == -1)
+		return TDB_ERRCODE(TDB_ERR_IO, -1);
+	tdb->map_size = st.st_size;
+	tdb_mmap(tdb);
+	return 0;
+}
+
+/* write a lump of data at a specified offset */
+static int tdb_write(struct tdb_context *tdb, tdb_off_t off, 
+		     const void *buf, tdb_len_t len)
+{
+	if (len == 0) {
+		return 0;
+	}
+
+	if (tdb->read_only || tdb->traverse_read) {
+		tdb->ecode = TDB_ERR_RDONLY;
+		return -1;
+	}
+
+	if (tdb->methods->tdb_oob(tdb, off + len, 0) != 0)
+		return -1;
+
+	if (tdb->map_ptr) {
+		memcpy(off + (char *)tdb->map_ptr, buf, len);
+	} else {
+		ssize_t written = pwrite(tdb->fd, buf, len, off);
+		if ((written != (ssize_t)len) && (written != -1)) {
+			/* try once more */
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_write: wrote only "
+				 "%d of %d bytes at %d, trying once more\n",
+				 (int)written, len, off));
+			errno = ENOSPC;
+			written = pwrite(tdb->fd, (const void *)((const char *)buf+written),
+					 len-written,
+					 off+written);
+		}
+		if (written == -1) {
+		/* Ensure ecode is set for log fn. */
+		tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_write failed at %d "
+				 "len=%d (%s)\n", off, len, strerror(errno)));
+			return TDB_ERRCODE(TDB_ERR_IO, -1);
+		} else if (written != (ssize_t)len) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_write: failed to "
+				 "write %d bytes at %d in two attempts\n",
+				 len, off));
+			errno = ENOSPC;
+		return TDB_ERRCODE(TDB_ERR_IO, -1);
+	}
+	}
+	return 0;
+}
+
+/* Endian conversion: we only ever deal with 4 byte quantities */
+void *tdb_convert(void *buf, uint32_t size)
+{
+	uint32_t i, *p = (uint32_t *)buf;
+	for (i = 0; i < size / 4; i++)
+		p[i] = TDB_BYTEREV(p[i]);
+	return buf;
+}
+
+
+/* read a lump of data at a specified offset, maybe convert */
+static int tdb_read(struct tdb_context *tdb, tdb_off_t off, void *buf, 
+		    tdb_len_t len, int cv)
+{
+	if (tdb->methods->tdb_oob(tdb, off + len, 0) != 0) {
+		return -1;
+	}
+
+	if (tdb->map_ptr) {
+		memcpy(buf, off + (char *)tdb->map_ptr, len);
+	} else {
+		ssize_t ret = pread(tdb->fd, buf, len, off);
+		if (ret != (ssize_t)len) {
+			/* Ensure ecode is set for log fn. */
+			tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_read failed at %d "
+				 "len=%d ret=%d (%s) map_size=%d\n",
+				 (int)off, (int)len, (int)ret, strerror(errno),
+				 (int)tdb->map_size));
+			return TDB_ERRCODE(TDB_ERR_IO, -1);
+		}
+	}
+	if (cv) {
+		tdb_convert(buf, len);
+	}
+	return 0;
+}
+
+
+
+/*
+  do an unlocked scan of the hash table heads to find the next non-zero head. The value
+  will then be confirmed with the lock held
+*/		
+static void tdb_next_hash_chain(struct tdb_context *tdb, uint32_t *chain)
+{
+	uint32_t h = *chain;
+	if (tdb->map_ptr) {
+		for (;h < tdb->header.hash_size;h++) {
+			if (0 != *(uint32_t *)(TDB_HASH_TOP(h) + (unsigned char *)tdb->map_ptr)) {
+				break;
+			}
+		}
+	} else {
+		uint32_t off=0;
+		for (;h < tdb->header.hash_size;h++) {
+			if (tdb_ofs_read(tdb, TDB_HASH_TOP(h), &off) != 0 || off != 0) {
+				break;
+			}
+		}
+	}
+	(*chain) = h;
+}
+
+
+int tdb_munmap(struct tdb_context *tdb)
+{
+	if (tdb->flags & TDB_INTERNAL)
+		return 0;
+
+#ifdef HAVE_MMAP
+	if (tdb->map_ptr) {
+		int ret;
+
+		ret = munmap(tdb->map_ptr, tdb->map_size);
+		if (ret != 0)
+			return ret;
+	}
+#endif
+	tdb->map_ptr = NULL;
+	return 0;
+}
+
+void tdb_mmap(struct tdb_context *tdb)
+{
+	if (tdb->flags & TDB_INTERNAL)
+		return;
+
+#ifdef HAVE_MMAP
+	if (!(tdb->flags & TDB_NOMMAP)) {
+		tdb->map_ptr = mmap(NULL, tdb->map_size, 
+				    PROT_READ|(tdb->read_only? 0:PROT_WRITE), 
+				    MAP_SHARED|MAP_FILE, tdb->fd, 0);
+
+		/*
+		 * NB. When mmap fails it returns MAP_FAILED *NOT* NULL !!!!
+		 */
+
+		if (tdb->map_ptr == MAP_FAILED) {
+			tdb->map_ptr = NULL;
+			TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_mmap failed for size %d (%s)\n", 
+				 tdb->map_size, strerror(errno)));
+		}
+	} else {
+		tdb->map_ptr = NULL;
+	}
+#else
+	tdb->map_ptr = NULL;
+#endif
+}
+
+/* expand a file.  we prefer to use ftruncate, as that is what posix
+  says to use for mmap expansion */
+static int tdb_expand_file(struct tdb_context *tdb, tdb_off_t size, tdb_off_t addition)
+{
+	char buf[8192];
+
+	if (tdb->read_only || tdb->traverse_read) {
+		tdb->ecode = TDB_ERR_RDONLY;
+		return -1;
+	}
+
+	if (ftruncate(tdb->fd, size+addition) == -1) {
+		char b = 0;
+		ssize_t written = pwrite(tdb->fd,  &b, 1, (size+addition) - 1);
+		if (written == 0) {
+			/* try once more, potentially revealing errno */
+			written = pwrite(tdb->fd,  &b, 1, (size+addition) - 1);
+		}
+		if (written == 0) {
+			/* again - give up, guessing errno */
+			errno = ENOSPC;
+		}
+		if (written != 1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file to %d failed (%s)\n", 
+				 size+addition, strerror(errno)));
+			return -1;
+		}
+	}
+
+	/* now fill the file with something. This ensures that the
+	   file isn't sparse, which would be very bad if we ran out of
+	   disk. This must be done with write, not via mmap */
+	memset(buf, TDB_PAD_BYTE, sizeof(buf));
+	while (addition) {
+		size_t n = addition>sizeof(buf)?sizeof(buf):addition;
+		ssize_t written = pwrite(tdb->fd, buf, n, size);
+		if (written == 0) {
+			/* prevent infinite loops: try _once_ more */
+			written = pwrite(tdb->fd, buf, n, size);
+		}
+		if (written == 0) {
+			/* give up, trying to provide a useful errno */
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file write "
+				"returned 0 twice: giving up!\n"));
+			errno = ENOSPC;
+			return -1;
+		} else if (written == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "expand_file write of "
+				 "%d bytes failed (%s)\n", (int)n,
+				 strerror(errno)));
+			return -1;
+		} else if (written != n) {
+			TDB_LOG((tdb, TDB_DEBUG_WARNING, "expand_file: wrote "
+				 "only %d of %d bytes - retrying\n", (int)written,
+				 (int)n));
+		}
+		addition -= written;
+		size += written;
+	}
+	return 0;
+}
+
+
+/* expand the database at least size bytes by expanding the underlying
+   file and doing the mmap again if necessary */
+int tdb_expand(struct tdb_context *tdb, tdb_off_t size)
+{
+	struct list_struct rec;
+	tdb_off_t offset, new_size;	
+
+	if (tdb_lock(tdb, -1, F_WRLCK) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "lock failed in tdb_expand\n"));
+		return -1;
+	}
+
+	/* must know about any previous expansions by another process */
+	tdb->methods->tdb_oob(tdb, tdb->map_size + 1, 1);
+
+	/* always make room for at least 100 more records, and at
+           least 25% more space. Round the database up to a multiple
+           of the page size */
+	new_size = MAX(tdb->map_size + size*100, tdb->map_size * 1.25);
+	size = TDB_ALIGN(new_size, tdb->page_size) - tdb->map_size;
+
+	if (!(tdb->flags & TDB_INTERNAL))
+		tdb_munmap(tdb);
+
+	/*
+	 * We must ensure the file is unmapped before doing this
+	 * to ensure consistency with systems like OpenBSD where
+	 * writes and mmaps are not consistent.
+	 */
+
+	/* expand the file itself */
+	if (!(tdb->flags & TDB_INTERNAL)) {
+		if (tdb->methods->tdb_expand_file(tdb, tdb->map_size, size) != 0)
+			goto fail;
+	}
+
+	tdb->map_size += size;
+
+	if (tdb->flags & TDB_INTERNAL) {
+		char *new_map_ptr = (char *)realloc(tdb->map_ptr,
+						    tdb->map_size);
+		if (!new_map_ptr) {
+			tdb->map_size -= size;
+			goto fail;
+		}
+		tdb->map_ptr = new_map_ptr;
+	} else {
+		/*
+		 * We must ensure the file is remapped before adding the space
+		 * to ensure consistency with systems like OpenBSD where
+		 * writes and mmaps are not consistent.
+		 */
+
+		/* We're ok if the mmap fails as we'll fallback to read/write */
+		tdb_mmap(tdb);
+	}
+
+	/* form a new freelist record */
+	memset(&rec,'\0',sizeof(rec));
+	rec.rec_len = size - sizeof(rec);
+
+	/* link it into the free list */
+	offset = tdb->map_size - size;
+	if (tdb_free(tdb, offset, &rec) == -1)
+		goto fail;
+
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return 0;
+ fail:
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return -1;
+}
+
+/* read/write a tdb_off_t */
+int tdb_ofs_read(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d)
+{
+	return tdb->methods->tdb_read(tdb, offset, (char*)d, sizeof(*d), DOCONV());
+}
+
+int tdb_ofs_write(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d)
+{
+	tdb_off_t off = *d;
+	return tdb->methods->tdb_write(tdb, offset, CONVERT(off), sizeof(*d));
+}
+
+
+/* read a lump of data, allocating the space for it */
+unsigned char *tdb_alloc_read(struct tdb_context *tdb, tdb_off_t offset, tdb_len_t len)
+{
+	unsigned char *buf;
+
+	/* some systems don't like zero length malloc */
+	if (len == 0) {
+		len = 1;
+	}
+
+	if (!(buf = (unsigned char *)malloc(len))) {
+		/* Ensure ecode is set for log fn. */
+		tdb->ecode = TDB_ERR_OOM;
+		TDB_LOG((tdb, TDB_DEBUG_ERROR,"tdb_alloc_read malloc failed len=%d (%s)\n",
+			   len, strerror(errno)));
+		return TDB_ERRCODE(TDB_ERR_OOM, buf);
+	}
+	if (tdb->methods->tdb_read(tdb, offset, buf, len, 0) == -1) {
+		SAFE_FREE(buf);
+		return NULL;
+	}
+	return buf;
+}
+
+/* Give a piece of tdb data to a parser */
+
+int tdb_parse_data(struct tdb_context *tdb, TDB_DATA key,
+		   tdb_off_t offset, tdb_len_t len,
+		   int (*parser)(TDB_DATA key, TDB_DATA data,
+				 void *private_data),
+		   void *private_data)
+{
+	TDB_DATA data;
+	int result;
+
+	data.dsize = len;
+
+	if ((tdb->transaction == NULL) && (tdb->map_ptr != NULL)) {
+		/*
+		 * Optimize by avoiding the malloc/memcpy/free, point the
+		 * parser directly at the mmap area.
+		 */
+		if (tdb->methods->tdb_oob(tdb, offset+len, 0) != 0) {
+			return -1;
+		}
+		data.dptr = offset + (unsigned char *)tdb->map_ptr;
+		return parser(key, data, private_data);
+	}
+
+	if (!(data.dptr = tdb_alloc_read(tdb, offset, len))) {
+		return -1;
+	}
+
+	result = parser(key, data, private_data);
+	free(data.dptr);
+	return result;
+}
+
+/* read/write a record */
+int tdb_rec_read(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec)
+{
+	if (tdb->methods->tdb_read(tdb, offset, rec, sizeof(*rec),DOCONV()) == -1)
+		return -1;
+	if (TDB_BAD_MAGIC(rec)) {
+		/* Ensure ecode is set for log fn. */
+		tdb->ecode = TDB_ERR_CORRUPT;
+		TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_rec_read bad magic 0x%x at offset=%d\n", rec->magic, offset));
+		return TDB_ERRCODE(TDB_ERR_CORRUPT, -1);
+	}
+	return tdb->methods->tdb_oob(tdb, rec->next+sizeof(*rec), 0);
+}
+
+int tdb_rec_write(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec)
+{
+	struct list_struct r = *rec;
+	return tdb->methods->tdb_write(tdb, offset, CONVERT(r), sizeof(r));
+}
+
+static const struct tdb_methods io_methods = {
+	tdb_read,
+	tdb_write,
+	tdb_next_hash_chain,
+	tdb_oob,
+	tdb_expand_file,
+	tdb_brlock
+};
+
+/*
+  initialise the default methods table
+*/
+void tdb_io_init(struct tdb_context *tdb)
+{
+	tdb->methods = &io_methods;
+}
diff --git a/source3/lib/tdb/common/lock.c b/source3/lib/tdb/common/lock.c
new file mode 100644
index 0000000000..f156c0fa7b
--- /dev/null
+++ b/source3/lib/tdb/common/lock.c
@@ -0,0 +1,553 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+#define TDB_MARK_LOCK 0x80000000
+
+void tdb_setalarm_sigptr(struct tdb_context *tdb, volatile sig_atomic_t *ptr)
+{
+	tdb->interrupt_sig_ptr = ptr;
+}
+
+/* a byte range locking function - return 0 on success
+   this functions locks/unlocks 1 byte at the specified offset.
+
+   On error, errno is also set so that errors are passed back properly
+   through tdb_open(). 
+
+   note that a len of zero means lock to end of file
+*/
+int tdb_brlock(struct tdb_context *tdb, tdb_off_t offset, 
+	       int rw_type, int lck_type, int probe, size_t len)
+{
+	struct flock fl;
+	int ret;
+
+	if (tdb->flags & TDB_NOLOCK) {
+		return 0;
+	}
+
+	if ((rw_type == F_WRLCK) && (tdb->read_only || tdb->traverse_read)) {
+		tdb->ecode = TDB_ERR_RDONLY;
+		return -1;
+	}
+
+	fl.l_type = rw_type;
+	fl.l_whence = SEEK_SET;
+	fl.l_start = offset;
+	fl.l_len = len;
+	fl.l_pid = 0;
+
+	do {
+		ret = fcntl(tdb->fd,lck_type,&fl);
+
+		/* Check for a sigalarm break. */
+		if (ret == -1 && errno == EINTR &&
+				tdb->interrupt_sig_ptr &&
+				*tdb->interrupt_sig_ptr) {
+			break;
+		}
+	} while (ret == -1 && errno == EINTR);
+
+	if (ret == -1) {
+		/* Generic lock error. errno set by fcntl.
+		 * EAGAIN is an expected return from non-blocking
+		 * locks. */
+		if (!probe && lck_type != F_SETLK) {
+			/* Ensure error code is set for log fun to examine. */
+			tdb->ecode = TDB_ERR_LOCK;
+			TDB_LOG((tdb, TDB_DEBUG_TRACE,"tdb_brlock failed (fd=%d) at offset %d rw_type=%d lck_type=%d len=%d\n", 
+				 tdb->fd, offset, rw_type, lck_type, (int)len));
+		}
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+	return 0;
+}
+
+
+/*
+  upgrade a read lock to a write lock. This needs to be handled in a
+  special way as some OSes (such as solaris) have too conservative
+  deadlock detection and claim a deadlock when progress can be
+  made. For those OSes we may loop for a while.  
+*/
+int tdb_brlock_upgrade(struct tdb_context *tdb, tdb_off_t offset, size_t len)
+{
+	int count = 1000;
+	while (count--) {
+		struct timeval tv;
+		if (tdb_brlock(tdb, offset, F_WRLCK, F_SETLKW, 1, len) == 0) {
+			return 0;
+		}
+		if (errno != EDEADLK) {
+			break;
+		}
+		/* sleep for as short a time as we can - more portable than usleep() */
+		tv.tv_sec = 0;
+		tv.tv_usec = 1;
+		select(0, NULL, NULL, NULL, &tv);
+	}
+	TDB_LOG((tdb, TDB_DEBUG_TRACE,"tdb_brlock_upgrade failed at offset %d\n", offset));
+	return -1;
+}
+
+
+/* lock a list in the database. list -1 is the alloc list */
+static int _tdb_lock(struct tdb_context *tdb, int list, int ltype, int op)
+{
+	struct tdb_lock_type *new_lck;
+	int i;
+	bool mark_lock = ((ltype & TDB_MARK_LOCK) == TDB_MARK_LOCK);
+
+	ltype &= ~TDB_MARK_LOCK;
+
+	/* a global lock allows us to avoid per chain locks */
+	if (tdb->global_lock.count && 
+	    (ltype == tdb->global_lock.ltype || ltype == F_RDLCK)) {
+		return 0;
+	}
+
+	if (tdb->global_lock.count) {
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+
+	if (list < -1 || list >= (int)tdb->header.hash_size) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR,"tdb_lock: invalid list %d for ltype=%d\n", 
+			   list, ltype));
+		return -1;
+	}
+	if (tdb->flags & TDB_NOLOCK)
+		return 0;
+
+	for (i=0; i<tdb->num_lockrecs; i++) {
+		if (tdb->lockrecs[i].list == list) {
+			if (tdb->lockrecs[i].count == 0) {
+				/*
+				 * Can't happen, see tdb_unlock(). It should
+				 * be an assert.
+				 */
+				TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_lock: "
+					 "lck->count == 0 for list %d", list));
+			}
+			/*
+			 * Just increment the in-memory struct, posix locks
+			 * don't stack.
+			 */
+			tdb->lockrecs[i].count++;
+			return 0;
+		}
+	}
+
+	new_lck = (struct tdb_lock_type *)realloc(
+		tdb->lockrecs,
+		sizeof(*tdb->lockrecs) * (tdb->num_lockrecs+1));
+	if (new_lck == NULL) {
+		errno = ENOMEM;
+		return -1;
+	}
+	tdb->lockrecs = new_lck;
+
+	/* Since fcntl locks don't nest, we do a lock for the first one,
+	   and simply bump the count for future ones */
+	if (!mark_lock &&
+	    tdb->methods->tdb_brlock(tdb,FREELIST_TOP+4*list, ltype, op,
+				     0, 1)) {
+		return -1;
+	}
+
+	tdb->num_locks++;
+
+	tdb->lockrecs[tdb->num_lockrecs].list = list;
+	tdb->lockrecs[tdb->num_lockrecs].count = 1;
+	tdb->lockrecs[tdb->num_lockrecs].ltype = ltype;
+	tdb->num_lockrecs += 1;
+
+	return 0;
+}
+
+/* lock a list in the database. list -1 is the alloc list */
+int tdb_lock(struct tdb_context *tdb, int list, int ltype)
+{
+	int ret;
+	ret = _tdb_lock(tdb, list, ltype, F_SETLKW);
+	if (ret) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_lock failed on list %d "
+			 "ltype=%d (%s)\n",  list, ltype, strerror(errno)));
+	}
+	return ret;
+}
+
+/* lock a list in the database. list -1 is the alloc list. non-blocking lock */
+int tdb_lock_nonblock(struct tdb_context *tdb, int list, int ltype)
+{
+	return _tdb_lock(tdb, list, ltype, F_SETLK);
+}
+
+
+/* unlock the database: returns void because it's too late for errors. */
+	/* changed to return int it may be interesting to know there
+	   has been an error  --simo */
+int tdb_unlock(struct tdb_context *tdb, int list, int ltype)
+{
+	int ret = -1;
+	int i;
+	struct tdb_lock_type *lck = NULL;
+	bool mark_lock = ((ltype & TDB_MARK_LOCK) == TDB_MARK_LOCK);
+
+	ltype &= ~TDB_MARK_LOCK;
+
+	/* a global lock allows us to avoid per chain locks */
+	if (tdb->global_lock.count && 
+	    (ltype == tdb->global_lock.ltype || ltype == F_RDLCK)) {
+		return 0;
+	}
+
+	if (tdb->global_lock.count) {
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+
+	if (tdb->flags & TDB_NOLOCK)
+		return 0;
+
+	/* Sanity checks */
+	if (list < -1 || list >= (int)tdb->header.hash_size) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_unlock: list %d invalid (%d)\n", list, tdb->header.hash_size));
+		return ret;
+	}
+
+	for (i=0; i<tdb->num_lockrecs; i++) {
+		if (tdb->lockrecs[i].list == list) {
+			lck = &tdb->lockrecs[i];
+			break;
+		}
+	}
+
+	if ((lck == NULL) || (lck->count == 0)) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_unlock: count is 0\n"));
+		return -1;
+	}
+
+	if (lck->count > 1) {
+		lck->count--;
+		return 0;
+	}
+
+	/*
+	 * This lock has count==1 left, so we need to unlock it in the
+	 * kernel. We don't bother with decrementing the in-memory array
+	 * element, we're about to overwrite it with the last array element
+	 * anyway.
+	 */
+
+	if (mark_lock) {
+		ret = 0;
+	} else {
+		ret = tdb->methods->tdb_brlock(tdb, FREELIST_TOP+4*list, F_UNLCK,
+					       F_SETLKW, 0, 1);
+	}
+	tdb->num_locks--;
+
+	/*
+	 * Shrink the array by overwriting the element just unlocked with the
+	 * last array element.
+	 */
+
+	if (tdb->num_lockrecs > 1) {
+		*lck = tdb->lockrecs[tdb->num_lockrecs-1];
+	}
+	tdb->num_lockrecs -= 1;
+
+	/*
+	 * We don't bother with realloc when the array shrinks, but if we have
+	 * a completely idle tdb we should get rid of the locked array.
+	 */
+
+	if (tdb->num_lockrecs == 0) {
+		SAFE_FREE(tdb->lockrecs);
+	}
+
+	if (ret)
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_unlock: An error occurred unlocking!\n")); 
+	return ret;
+}
+
+/*
+  get the transaction lock
+ */
+int tdb_transaction_lock(struct tdb_context *tdb, int ltype)
+{
+	if (tdb->have_transaction_lock || tdb->global_lock.count) {
+		return 0;
+	}
+	if (tdb->methods->tdb_brlock(tdb, TRANSACTION_LOCK, ltype, 
+				     F_SETLKW, 0, 1) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_lock: failed to get transaction lock\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		return -1;
+	}
+	tdb->have_transaction_lock = 1;
+	return 0;
+}
+
+/*
+  release the transaction lock
+ */
+int tdb_transaction_unlock(struct tdb_context *tdb)
+{
+	int ret;
+	if (!tdb->have_transaction_lock) {
+		return 0;
+	}
+	ret = tdb->methods->tdb_brlock(tdb, TRANSACTION_LOCK, F_UNLCK, F_SETLKW, 0, 1);
+	if (ret == 0) {
+		tdb->have_transaction_lock = 0;
+	}
+	return ret;
+}
+
+
+
+
+/* lock/unlock entire database */
+static int _tdb_lockall(struct tdb_context *tdb, int ltype, int op)
+{
+	bool mark_lock = ((ltype & TDB_MARK_LOCK) == TDB_MARK_LOCK);
+
+	ltype &= ~TDB_MARK_LOCK;
+
+	/* There are no locks on read-only dbs */
+	if (tdb->read_only || tdb->traverse_read)
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+
+	if (tdb->global_lock.count && tdb->global_lock.ltype == ltype) {
+		tdb->global_lock.count++;
+		return 0;
+	}
+
+	if (tdb->global_lock.count) {
+		/* a global lock of a different type exists */
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+	
+	if (tdb->num_locks != 0) {
+		/* can't combine global and chain locks */
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+
+	if (!mark_lock &&
+	    tdb->methods->tdb_brlock(tdb, FREELIST_TOP, ltype, op,
+				     0, 4*tdb->header.hash_size)) {
+		if (op == F_SETLKW) {
+			TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_lockall failed (%s)\n", strerror(errno)));
+		}
+		return -1;
+	}
+
+	tdb->global_lock.count = 1;
+	tdb->global_lock.ltype = ltype;
+
+	return 0;
+}
+
+
+
+/* unlock entire db */
+static int _tdb_unlockall(struct tdb_context *tdb, int ltype)
+{
+	bool mark_lock = ((ltype & TDB_MARK_LOCK) == TDB_MARK_LOCK);
+
+	ltype &= ~TDB_MARK_LOCK;
+
+	/* There are no locks on read-only dbs */
+	if (tdb->read_only || tdb->traverse_read) {
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+
+	if (tdb->global_lock.ltype != ltype || tdb->global_lock.count == 0) {
+		return TDB_ERRCODE(TDB_ERR_LOCK, -1);
+	}
+
+	if (tdb->global_lock.count > 1) {
+		tdb->global_lock.count--;
+		return 0;
+	}
+
+	if (!mark_lock &&
+	    tdb->methods->tdb_brlock(tdb, FREELIST_TOP, F_UNLCK, F_SETLKW, 
+				     0, 4*tdb->header.hash_size)) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_unlockall failed (%s)\n", strerror(errno)));
+		return -1;
+	}
+
+	tdb->global_lock.count = 0;
+	tdb->global_lock.ltype = 0;
+
+	return 0;
+}
+
+/* lock entire database with write lock */
+int tdb_lockall(struct tdb_context *tdb)
+{
+	return _tdb_lockall(tdb, F_WRLCK, F_SETLKW);
+}
+
+/* lock entire database with write lock - mark only */
+int tdb_lockall_mark(struct tdb_context *tdb)
+{
+	return _tdb_lockall(tdb, F_WRLCK | TDB_MARK_LOCK, F_SETLKW);
+}
+
+/* unlock entire database with write lock - unmark only */
+int tdb_lockall_unmark(struct tdb_context *tdb)
+{
+	return _tdb_unlockall(tdb, F_WRLCK | TDB_MARK_LOCK);
+}
+
+/* lock entire database with write lock - nonblocking varient */
+int tdb_lockall_nonblock(struct tdb_context *tdb)
+{
+	return _tdb_lockall(tdb, F_WRLCK, F_SETLK);
+}
+
+/* unlock entire database with write lock */
+int tdb_unlockall(struct tdb_context *tdb)
+{
+	return _tdb_unlockall(tdb, F_WRLCK);
+}
+
+/* lock entire database with read lock */
+int tdb_lockall_read(struct tdb_context *tdb)
+{
+	return _tdb_lockall(tdb, F_RDLCK, F_SETLKW);
+}
+
+/* lock entire database with read lock - nonblock varient */
+int tdb_lockall_read_nonblock(struct tdb_context *tdb)
+{
+	return _tdb_lockall(tdb, F_RDLCK, F_SETLK);
+}
+
+/* unlock entire database with read lock */
+int tdb_unlockall_read(struct tdb_context *tdb)
+{
+	return _tdb_unlockall(tdb, F_RDLCK);
+}
+
+/* lock/unlock one hash chain. This is meant to be used to reduce
+   contention - it cannot guarantee how many records will be locked */
+int tdb_chainlock(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_lock(tdb, BUCKET(tdb->hash_fn(&key)), F_WRLCK);
+}
+
+/* lock/unlock one hash chain, non-blocking. This is meant to be used
+   to reduce contention - it cannot guarantee how many records will be
+   locked */
+int tdb_chainlock_nonblock(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_lock_nonblock(tdb, BUCKET(tdb->hash_fn(&key)), F_WRLCK);
+}
+
+/* mark a chain as locked without actually locking it. Warning! use with great caution! */
+int tdb_chainlock_mark(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_lock(tdb, BUCKET(tdb->hash_fn(&key)), F_WRLCK | TDB_MARK_LOCK);
+}
+
+/* unmark a chain as locked without actually locking it. Warning! use with great caution! */
+int tdb_chainlock_unmark(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_unlock(tdb, BUCKET(tdb->hash_fn(&key)), F_WRLCK | TDB_MARK_LOCK);
+}
+
+int tdb_chainunlock(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_unlock(tdb, BUCKET(tdb->hash_fn(&key)), F_WRLCK);
+}
+
+int tdb_chainlock_read(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_lock(tdb, BUCKET(tdb->hash_fn(&key)), F_RDLCK);
+}
+
+int tdb_chainunlock_read(struct tdb_context *tdb, TDB_DATA key)
+{
+	return tdb_unlock(tdb, BUCKET(tdb->hash_fn(&key)), F_RDLCK);
+}
+
+
+
+/* record lock stops delete underneath */
+int tdb_lock_record(struct tdb_context *tdb, tdb_off_t off)
+{
+	if (tdb->global_lock.count) {
+		return 0;
+	}
+	return off ? tdb->methods->tdb_brlock(tdb, off, F_RDLCK, F_SETLKW, 0, 1) : 0;
+}
+
+/*
+  Write locks override our own fcntl readlocks, so check it here.
+  Note this is meant to be F_SETLK, *not* F_SETLKW, as it's not
+  an error to fail to get the lock here.
+*/
+int tdb_write_lock_record(struct tdb_context *tdb, tdb_off_t off)
+{
+	struct tdb_traverse_lock *i;
+	for (i = &tdb->travlocks; i; i = i->next)
+		if (i->off == off)
+			return -1;
+	return tdb->methods->tdb_brlock(tdb, off, F_WRLCK, F_SETLK, 1, 1);
+}
+
+/*
+  Note this is meant to be F_SETLK, *not* F_SETLKW, as it's not
+  an error to fail to get the lock here.
+*/
+int tdb_write_unlock_record(struct tdb_context *tdb, tdb_off_t off)
+{
+	return tdb->methods->tdb_brlock(tdb, off, F_UNLCK, F_SETLK, 0, 1);
+}
+
+/* fcntl locks don't stack: avoid unlocking someone else's */
+int tdb_unlock_record(struct tdb_context *tdb, tdb_off_t off)
+{
+	struct tdb_traverse_lock *i;
+	uint32_t count = 0;
+
+	if (tdb->global_lock.count) {
+		return 0;
+	}
+
+	if (off == 0)
+		return 0;
+	for (i = &tdb->travlocks; i; i = i->next)
+		if (i->off == off)
+			count++;
+	return (count == 1 ? tdb->methods->tdb_brlock(tdb, off, F_UNLCK, F_SETLKW, 0, 1) : 0);
+}
diff --git a/source3/lib/tdb/common/open.c b/source3/lib/tdb/common/open.c
new file mode 100644
index 0000000000..b19e4cea29
--- /dev/null
+++ b/source3/lib/tdb/common/open.c
@@ -0,0 +1,488 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+/* all contexts, to ensure no double-opens (fcntl locks don't nest!) */
+static struct tdb_context *tdbs = NULL;
+
+
+/* This is based on the hash algorithm from gdbm */
+static unsigned int default_tdb_hash(TDB_DATA *key)
+{
+	uint32_t value;	/* Used to compute the hash value.  */
+	uint32_t   i;	/* Used to cycle through random values. */
+
+	/* Set the initial value from the key size. */
+	for (value = 0x238F13AF * key->dsize, i=0; i < key->dsize; i++)
+		value = (value + (key->dptr[i] << (i*5 % 24)));
+
+	return (1103515243 * value + 12345);  
+}
+
+
+/* initialise a new database with a specified hash size */
+static int tdb_new_database(struct tdb_context *tdb, int hash_size)
+{
+	struct tdb_header *newdb;
+	size_t size;
+	int ret = -1;
+	ssize_t written;
+
+	/* We make it up in memory, then write it out if not internal */
+	size = sizeof(struct tdb_header) + (hash_size+1)*sizeof(tdb_off_t);
+	if (!(newdb = (struct tdb_header *)calloc(size, 1)))
+		return TDB_ERRCODE(TDB_ERR_OOM, -1);
+
+	/* Fill in the header */
+	newdb->version = TDB_VERSION;
+	newdb->hash_size = hash_size;
+	if (tdb->flags & TDB_INTERNAL) {
+		tdb->map_size = size;
+		tdb->map_ptr = (char *)newdb;
+		memcpy(&tdb->header, newdb, sizeof(tdb->header));
+		/* Convert the `ondisk' version if asked. */
+		CONVERT(*newdb);
+		return 0;
+	}
+	if (lseek(tdb->fd, 0, SEEK_SET) == -1)
+		goto fail;
+
+	if (ftruncate(tdb->fd, 0) == -1)
+		goto fail;
+
+	/* This creates an endian-converted header, as if read from disk */
+	CONVERT(*newdb);
+	memcpy(&tdb->header, newdb, sizeof(tdb->header));
+	/* Don't endian-convert the magic food! */
+	memcpy(newdb->magic_food, TDB_MAGIC_FOOD, strlen(TDB_MAGIC_FOOD)+1);
+	/* we still have "ret == -1" here */
+	written = write(tdb->fd, newdb, size);
+	if (written == size) {
+		ret = 0;
+	} else if (written != -1) {
+		/* call write once again, this usually should return -1 and
+		 * set errno appropriately */
+		size -= written;
+		written = write(tdb->fd, newdb+written, size);
+		if (written == size) {
+		ret = 0;
+		} else if (written >= 0) {
+			/* a second incomplete write - we give up.
+			 * guessing the errno... */
+			errno = ENOSPC;
+		}
+	}
+
+  fail:
+	SAFE_FREE(newdb);
+	return ret;
+}
+
+
+
+static int tdb_already_open(dev_t device,
+			    ino_t ino)
+{
+	struct tdb_context *i;
+	
+	for (i = tdbs; i; i = i->next) {
+		if (i->device == device && i->inode == ino) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
+/* open the database, creating it if necessary 
+
+   The open_flags and mode are passed straight to the open call on the
+   database file. A flags value of O_WRONLY is invalid. The hash size
+   is advisory, use zero for a default value.
+
+   Return is NULL on error, in which case errno is also set.  Don't 
+   try to call tdb_error or tdb_errname, just do strerror(errno).
+
+   @param name may be NULL for internal databases. */
+struct tdb_context *tdb_open(const char *name, int hash_size, int tdb_flags,
+		      int open_flags, mode_t mode)
+{
+	return tdb_open_ex(name, hash_size, tdb_flags, open_flags, mode, NULL, NULL);
+}
+
+/* a default logging function */
+static void null_log_fn(struct tdb_context *tdb, enum tdb_debug_level level, const char *fmt, ...) PRINTF_ATTRIBUTE(3, 4);
+static void null_log_fn(struct tdb_context *tdb, enum tdb_debug_level level, const char *fmt, ...)
+{
+}
+
+
+struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
+				int open_flags, mode_t mode,
+				const struct tdb_logging_context *log_ctx,
+				tdb_hash_func hash_fn)
+{
+	struct tdb_context *tdb;
+	struct stat st;
+	int rev = 0, locked = 0;
+	unsigned char *vp;
+	uint32_t vertest;
+	unsigned v;
+
+	if (!(tdb = (struct tdb_context *)calloc(1, sizeof *tdb))) {
+		/* Can't log this */
+		errno = ENOMEM;
+		goto fail;
+	}
+	tdb_io_init(tdb);
+	tdb->fd = -1;
+	tdb->name = NULL;
+	tdb->map_ptr = NULL;
+	tdb->flags = tdb_flags;
+	tdb->open_flags = open_flags;
+	if (log_ctx) {
+		tdb->log = *log_ctx;
+	} else {
+		tdb->log.log_fn = null_log_fn;
+		tdb->log.log_private = NULL;
+	}
+	tdb->hash_fn = hash_fn ? hash_fn : default_tdb_hash;
+
+	/* cache the page size */
+	tdb->page_size = getpagesize();
+	if (tdb->page_size <= 0) {
+		tdb->page_size = 0x2000;
+	}
+
+	tdb->max_dead_records = (tdb_flags & TDB_VOLATILE) ? 5 : 0;
+
+	if ((open_flags & O_ACCMODE) == O_WRONLY) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: can't open tdb %s write-only\n",
+			 name));
+		errno = EINVAL;
+		goto fail;
+	}
+	
+	if (hash_size == 0)
+		hash_size = DEFAULT_HASH_SIZE;
+	if ((open_flags & O_ACCMODE) == O_RDONLY) {
+		tdb->read_only = 1;
+		/* read only databases don't do locking or clear if first */
+		tdb->flags |= TDB_NOLOCK;
+		tdb->flags &= ~TDB_CLEAR_IF_FIRST;
+	}
+
+	/* internal databases don't mmap or lock, and start off cleared */
+	if (tdb->flags & TDB_INTERNAL) {
+		tdb->flags |= (TDB_NOLOCK | TDB_NOMMAP);
+		tdb->flags &= ~TDB_CLEAR_IF_FIRST;
+		if (tdb_new_database(tdb, hash_size) != 0) {
+			TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: tdb_new_database failed!"));
+			goto fail;
+		}
+		goto internal;
+	}
+
+	if ((tdb->fd = open(name, open_flags, mode)) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_open_ex: could not open file %s: %s\n",
+			 name, strerror(errno)));
+		goto fail;	/* errno set by open(2) */
+	}
+
+	/* on exec, don't inherit the fd */
+	v = fcntl(tdb->fd, F_GETFD, 0);
+        fcntl(tdb->fd, F_SETFD, v | FD_CLOEXEC);
+
+	/* ensure there is only one process initialising at once */
+	if (tdb->methods->tdb_brlock(tdb, GLOBAL_LOCK, F_WRLCK, F_SETLKW, 0, 1) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: failed to get global lock on %s: %s\n",
+			 name, strerror(errno)));
+		goto fail;	/* errno set by tdb_brlock */
+	}
+
+	/* we need to zero database if we are the only one with it open */
+	if ((tdb_flags & TDB_CLEAR_IF_FIRST) &&
+	    (!tdb->read_only) &&
+	    (locked = (tdb->methods->tdb_brlock(tdb, ACTIVE_LOCK, F_WRLCK, F_SETLK, 0, 1) == 0))) {
+		open_flags |= O_CREAT;
+		if (ftruncate(tdb->fd, 0) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_open_ex: "
+				 "failed to truncate %s: %s\n",
+				 name, strerror(errno)));
+			goto fail; /* errno set by ftruncate */
+		}
+	}
+
+	errno = 0;
+	if (read(tdb->fd, &tdb->header, sizeof(tdb->header)) != sizeof(tdb->header)
+	    || strcmp(tdb->header.magic_food, TDB_MAGIC_FOOD) != 0
+	    || (tdb->header.version != TDB_VERSION
+		&& !(rev = (tdb->header.version==TDB_BYTEREV(TDB_VERSION))))) {
+		/* its not a valid database - possibly initialise it */
+		if (!(open_flags & O_CREAT) || tdb_new_database(tdb, hash_size) == -1) {
+			if (errno == 0) {
+			errno = EIO; /* ie bad format or something */
+			}
+			goto fail;
+		}
+		rev = (tdb->flags & TDB_CONVERT);
+	}
+	vp = (unsigned char *)&tdb->header.version;
+	vertest = (((uint32_t)vp[0]) << 24) | (((uint32_t)vp[1]) << 16) |
+		  (((uint32_t)vp[2]) << 8) | (uint32_t)vp[3];
+	tdb->flags |= (vertest==TDB_VERSION) ? TDB_BIGENDIAN : 0;
+	if (!rev)
+		tdb->flags &= ~TDB_CONVERT;
+	else {
+		tdb->flags |= TDB_CONVERT;
+		tdb_convert(&tdb->header, sizeof(tdb->header));
+	}
+	if (fstat(tdb->fd, &st) == -1)
+		goto fail;
+
+	if (tdb->header.rwlocks != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: spinlocks no longer supported\n"));
+		goto fail;
+	}
+
+	/* Is it already in the open list?  If so, fail. */
+	if (tdb_already_open(st.st_dev, st.st_ino)) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: "
+			 "%s (%d,%d) is already open in this process\n",
+			 name, (int)st.st_dev, (int)st.st_ino));
+		errno = EBUSY;
+		goto fail;
+	}
+
+	if (!(tdb->name = (char *)strdup(name))) {
+		errno = ENOMEM;
+		goto fail;
+	}
+
+	tdb->map_size = st.st_size;
+	tdb->device = st.st_dev;
+	tdb->inode = st.st_ino;
+	tdb_mmap(tdb);
+	if (locked) {
+		if (tdb->methods->tdb_brlock(tdb, ACTIVE_LOCK, F_UNLCK, F_SETLK, 0, 1) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: "
+				 "failed to take ACTIVE_LOCK on %s: %s\n",
+				 name, strerror(errno)));
+			goto fail;
+		}
+
+	}
+
+	/* We always need to do this if the CLEAR_IF_FIRST flag is set, even if
+	   we didn't get the initial exclusive lock as we need to let all other
+	   users know we're using it. */
+
+	if (tdb_flags & TDB_CLEAR_IF_FIRST) {
+		/* leave this lock in place to indicate it's in use */
+		if (tdb->methods->tdb_brlock(tdb, ACTIVE_LOCK, F_RDLCK, F_SETLKW, 0, 1) == -1)
+			goto fail;
+	}
+
+	/* if needed, run recovery */
+	if (tdb_transaction_recover(tdb) == -1) {
+		goto fail;
+	}
+
+ internal:
+	/* Internal (memory-only) databases skip all the code above to
+	 * do with disk files, and resume here by releasing their
+	 * global lock and hooking into the active list. */
+	if (tdb->methods->tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1) == -1)
+		goto fail;
+	tdb->next = tdbs;
+	tdbs = tdb;
+	return tdb;
+
+ fail:
+	{ int save_errno = errno;
+
+	if (!tdb)
+		return NULL;
+	
+	if (tdb->map_ptr) {
+		if (tdb->flags & TDB_INTERNAL)
+			SAFE_FREE(tdb->map_ptr);
+		else
+			tdb_munmap(tdb);
+	}
+	SAFE_FREE(tdb->name);
+	if (tdb->fd != -1)
+		if (close(tdb->fd) != 0)
+			TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: failed to close tdb->fd on error!\n"));
+	SAFE_FREE(tdb);
+	errno = save_errno;
+	return NULL;
+	}
+}
+
+/*
+ * Set the maximum number of dead records per hash chain
+ */
+
+void tdb_set_max_dead(struct tdb_context *tdb, int max_dead)
+{
+	tdb->max_dead_records = max_dead;
+}
+
+/**
+ * Close a database.
+ *
+ * @returns -1 for error; 0 for success.
+ **/
+int tdb_close(struct tdb_context *tdb)
+{
+	struct tdb_context **i;
+	int ret = 0;
+
+	if (tdb->transaction) {
+		tdb_transaction_cancel(tdb);
+	}
+
+	if (tdb->map_ptr) {
+		if (tdb->flags & TDB_INTERNAL)
+			SAFE_FREE(tdb->map_ptr);
+		else
+			tdb_munmap(tdb);
+	}
+	SAFE_FREE(tdb->name);
+	if (tdb->fd != -1)
+		ret = close(tdb->fd);
+	SAFE_FREE(tdb->lockrecs);
+
+	/* Remove from contexts list */
+	for (i = &tdbs; *i; i = &(*i)->next) {
+		if (*i == tdb) {
+			*i = tdb->next;
+			break;
+		}
+	}
+
+	memset(tdb, 0, sizeof(*tdb));
+	SAFE_FREE(tdb);
+
+	return ret;
+}
+
+/* register a loging function */
+void tdb_set_logging_function(struct tdb_context *tdb,
+                              const struct tdb_logging_context *log_ctx)
+{
+        tdb->log = *log_ctx;
+}
+
+void *tdb_get_logging_private(struct tdb_context *tdb)
+{
+	return tdb->log.log_private;
+}
+
+/* reopen a tdb - this can be used after a fork to ensure that we have an independent
+   seek pointer from our parent and to re-establish locks */
+int tdb_reopen(struct tdb_context *tdb)
+{
+	struct stat st;
+
+	if (tdb->flags & TDB_INTERNAL) {
+		return 0; /* Nothing to do. */
+	}
+
+	if (tdb->num_locks != 0 || tdb->global_lock.count) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_reopen: reopen not allowed with locks held\n"));
+		goto fail;
+	}
+
+	if (tdb->transaction != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_reopen: reopen not allowed inside a transaction\n"));
+		goto fail;
+	}
+
+	if (tdb_munmap(tdb) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: munmap failed (%s)\n", strerror(errno)));
+		goto fail;
+	}
+	if (close(tdb->fd) != 0)
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: WARNING closing tdb->fd failed!\n"));
+	tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0);
+	if (tdb->fd == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: open failed (%s)\n", strerror(errno)));
+		goto fail;
+	}
+	if ((tdb->flags & TDB_CLEAR_IF_FIRST) && 
+	    (tdb->methods->tdb_brlock(tdb, ACTIVE_LOCK, F_RDLCK, F_SETLKW, 0, 1) == -1)) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: failed to obtain active lock\n"));
+		goto fail;
+	}
+	if (fstat(tdb->fd, &st) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: fstat failed (%s)\n", strerror(errno)));
+		goto fail;
+	}
+	if (st.st_ino != tdb->inode || st.st_dev != tdb->device) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_reopen: file dev/inode has changed!\n"));
+		goto fail;
+	}
+	tdb_mmap(tdb);
+
+	return 0;
+
+fail:
+	tdb_close(tdb);
+	return -1;
+}
+
+/* reopen all tdb's */
+int tdb_reopen_all(int parent_longlived)
+{
+	struct tdb_context *tdb;
+
+	for (tdb=tdbs; tdb; tdb = tdb->next) {
+		/*
+		 * If the parent is longlived (ie. a
+		 * parent daemon architecture), we know
+		 * it will keep it's active lock on a
+		 * tdb opened with CLEAR_IF_FIRST. Thus
+		 * for child processes we don't have to
+		 * add an active lock. This is essential
+		 * to improve performance on systems that
+		 * keep POSIX locks as a non-scalable data
+		 * structure in the kernel.
+		 */
+		if (parent_longlived) {
+			/* Ensure no clear-if-first. */
+			tdb->flags &= ~TDB_CLEAR_IF_FIRST;
+		}
+
+		if (tdb_reopen(tdb) != 0)
+			return -1;
+	}
+
+	return 0;
+}
diff --git a/source3/lib/tdb/common/tdb.c b/source3/lib/tdb/common/tdb.c
new file mode 100644
index 0000000000..c7cec297f6
--- /dev/null
+++ b/source3/lib/tdb/common/tdb.c
@@ -0,0 +1,802 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+TDB_DATA tdb_null;
+
+/*
+  non-blocking increment of the tdb sequence number if the tdb has been opened using
+  the TDB_SEQNUM flag
+*/
+void tdb_increment_seqnum_nonblock(struct tdb_context *tdb)
+{
+	tdb_off_t seqnum=0;
+	
+	if (!(tdb->flags & TDB_SEQNUM)) {
+		return;
+	}
+
+	/* we ignore errors from this, as we have no sane way of
+	   dealing with them.
+	*/
+	tdb_ofs_read(tdb, TDB_SEQNUM_OFS, &seqnum);
+	seqnum++;
+	tdb_ofs_write(tdb, TDB_SEQNUM_OFS, &seqnum);
+}
+
+/*
+  increment the tdb sequence number if the tdb has been opened using
+  the TDB_SEQNUM flag
+*/
+static void tdb_increment_seqnum(struct tdb_context *tdb)
+{
+	if (!(tdb->flags & TDB_SEQNUM)) {
+		return;
+	}
+
+	if (tdb_brlock(tdb, TDB_SEQNUM_OFS, F_WRLCK, F_SETLKW, 1, 1) != 0) {
+		return;
+	}
+
+	tdb_increment_seqnum_nonblock(tdb);
+
+	tdb_brlock(tdb, TDB_SEQNUM_OFS, F_UNLCK, F_SETLKW, 1, 1);
+}
+
+static int tdb_key_compare(TDB_DATA key, TDB_DATA data, void *private_data)
+{
+	return memcmp(data.dptr, key.dptr, data.dsize);
+}
+
+/* Returns 0 on fail.  On success, return offset of record, and fills
+   in rec */
+static tdb_off_t tdb_find(struct tdb_context *tdb, TDB_DATA key, uint32_t hash,
+			struct list_struct *r)
+{
+	tdb_off_t rec_ptr;
+	
+	/* read in the hash top */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(hash), &rec_ptr) == -1)
+		return 0;
+
+	/* keep looking until we find the right record */
+	while (rec_ptr) {
+		if (tdb_rec_read(tdb, rec_ptr, r) == -1)
+			return 0;
+
+		if (!TDB_DEAD(r) && hash==r->full_hash
+		    && key.dsize==r->key_len
+		    && tdb_parse_data(tdb, key, rec_ptr + sizeof(*r),
+				      r->key_len, tdb_key_compare,
+				      NULL) == 0) {
+			return rec_ptr;
+		}
+		rec_ptr = r->next;
+	}
+	return TDB_ERRCODE(TDB_ERR_NOEXIST, 0);
+}
+
+/* As tdb_find, but if you succeed, keep the lock */
+tdb_off_t tdb_find_lock_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash, int locktype,
+			   struct list_struct *rec)
+{
+	uint32_t rec_ptr;
+
+	if (tdb_lock(tdb, BUCKET(hash), locktype) == -1)
+		return 0;
+	if (!(rec_ptr = tdb_find(tdb, key, hash, rec)))
+		tdb_unlock(tdb, BUCKET(hash), locktype);
+	return rec_ptr;
+}
+
+
+/* update an entry in place - this only works if the new data size
+   is <= the old data size and the key exists.
+   on failure return -1.
+*/
+static int tdb_update_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash, TDB_DATA dbuf)
+{
+	struct list_struct rec;
+	tdb_off_t rec_ptr;
+
+	/* find entry */
+	if (!(rec_ptr = tdb_find(tdb, key, hash, &rec)))
+		return -1;
+
+	/* must be long enough key, data and tailer */
+	if (rec.rec_len < key.dsize + dbuf.dsize + sizeof(tdb_off_t)) {
+		tdb->ecode = TDB_SUCCESS; /* Not really an error */
+		return -1;
+	}
+
+	if (tdb->methods->tdb_write(tdb, rec_ptr + sizeof(rec) + rec.key_len,
+		      dbuf.dptr, dbuf.dsize) == -1)
+		return -1;
+
+	if (dbuf.dsize != rec.data_len) {
+		/* update size */
+		rec.data_len = dbuf.dsize;
+		return tdb_rec_write(tdb, rec_ptr, &rec);
+	}
+ 
+	return 0;
+}
+
+/* find an entry in the database given a key */
+/* If an entry doesn't exist tdb_err will be set to
+ * TDB_ERR_NOEXIST. If a key has no data attached
+ * then the TDB_DATA will have zero length but
+ * a non-zero pointer
+ */
+TDB_DATA tdb_fetch(struct tdb_context *tdb, TDB_DATA key)
+{
+	tdb_off_t rec_ptr;
+	struct list_struct rec;
+	TDB_DATA ret;
+	uint32_t hash;
+
+	/* find which hash bucket it is in */
+	hash = tdb->hash_fn(&key);
+	if (!(rec_ptr = tdb_find_lock_hash(tdb,key,hash,F_RDLCK,&rec)))
+		return tdb_null;
+
+	ret.dptr = tdb_alloc_read(tdb, rec_ptr + sizeof(rec) + rec.key_len,
+				  rec.data_len);
+	ret.dsize = rec.data_len;
+	tdb_unlock(tdb, BUCKET(rec.full_hash), F_RDLCK);
+	return ret;
+}
+
+/*
+ * Find an entry in the database and hand the record's data to a parsing
+ * function. The parsing function is executed under the chain read lock, so it
+ * should be fast and should not block on other syscalls.
+ *
+ * DONT CALL OTHER TDB CALLS FROM THE PARSER, THIS MIGHT LEAD TO SEGFAULTS.
+ *
+ * For mmapped tdb's that do not have a transaction open it points the parsing
+ * function directly at the mmap area, it avoids the malloc/memcpy in this
+ * case. If a transaction is open or no mmap is available, it has to do
+ * malloc/read/parse/free.
+ *
+ * This is interesting for all readers of potentially large data structures in
+ * the tdb records, ldb indexes being one example.
+ */
+
+int tdb_parse_record(struct tdb_context *tdb, TDB_DATA key,
+		     int (*parser)(TDB_DATA key, TDB_DATA data,
+				   void *private_data),
+		     void *private_data)
+{
+	tdb_off_t rec_ptr;
+	struct list_struct rec;
+	int ret;
+	uint32_t hash;
+
+	/* find which hash bucket it is in */
+	hash = tdb->hash_fn(&key);
+
+	if (!(rec_ptr = tdb_find_lock_hash(tdb,key,hash,F_RDLCK,&rec))) {
+		return TDB_ERRCODE(TDB_ERR_NOEXIST, 0);
+	}
+
+	ret = tdb_parse_data(tdb, key, rec_ptr + sizeof(rec) + rec.key_len,
+			     rec.data_len, parser, private_data);
+
+	tdb_unlock(tdb, BUCKET(rec.full_hash), F_RDLCK);
+
+	return ret;
+}
+
+/* check if an entry in the database exists 
+
+   note that 1 is returned if the key is found and 0 is returned if not found
+   this doesn't match the conventions in the rest of this module, but is
+   compatible with gdbm
+*/
+static int tdb_exists_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
+{
+	struct list_struct rec;
+	
+	if (tdb_find_lock_hash(tdb, key, hash, F_RDLCK, &rec) == 0)
+		return 0;
+	tdb_unlock(tdb, BUCKET(rec.full_hash), F_RDLCK);
+	return 1;
+}
+
+int tdb_exists(struct tdb_context *tdb, TDB_DATA key)
+{
+	uint32_t hash = tdb->hash_fn(&key);
+	return tdb_exists_hash(tdb, key, hash);
+}
+
+/* actually delete an entry in the database given the offset */
+int tdb_do_delete(struct tdb_context *tdb, tdb_off_t rec_ptr, struct list_struct *rec)
+{
+	tdb_off_t last_ptr, i;
+	struct list_struct lastrec;
+
+	if (tdb->read_only || tdb->traverse_read) return -1;
+
+	if (((tdb->traverse_write != 0) && (!TDB_DEAD(rec))) ||
+	    tdb_write_lock_record(tdb, rec_ptr) == -1) {
+		/* Someone traversing here: mark it as dead */
+		rec->magic = TDB_DEAD_MAGIC;
+		return tdb_rec_write(tdb, rec_ptr, rec);
+	}
+	if (tdb_write_unlock_record(tdb, rec_ptr) != 0)
+		return -1;
+
+	/* find previous record in hash chain */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(rec->full_hash), &i) == -1)
+		return -1;
+	for (last_ptr = 0; i != rec_ptr; last_ptr = i, i = lastrec.next)
+		if (tdb_rec_read(tdb, i, &lastrec) == -1)
+			return -1;
+
+	/* unlink it: next ptr is at start of record. */
+	if (last_ptr == 0)
+		last_ptr = TDB_HASH_TOP(rec->full_hash);
+	if (tdb_ofs_write(tdb, last_ptr, &rec->next) == -1)
+		return -1;
+
+	/* recover the space */
+	if (tdb_free(tdb, rec_ptr, rec) == -1)
+		return -1;
+	return 0;
+}
+
+static int tdb_count_dead(struct tdb_context *tdb, uint32_t hash)
+{
+	int res = 0;
+	tdb_off_t rec_ptr;
+	struct list_struct rec;
+	
+	/* read in the hash top */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(hash), &rec_ptr) == -1)
+		return 0;
+
+	while (rec_ptr) {
+		if (tdb_rec_read(tdb, rec_ptr, &rec) == -1)
+			return 0;
+
+		if (rec.magic == TDB_DEAD_MAGIC) {
+			res += 1;
+		}
+		rec_ptr = rec.next;
+	}
+	return res;
+}
+
+/*
+ * Purge all DEAD records from a hash chain
+ */
+static int tdb_purge_dead(struct tdb_context *tdb, uint32_t hash)
+{
+	int res = -1;
+	struct list_struct rec;
+	tdb_off_t rec_ptr;
+
+	if (tdb_lock(tdb, -1, F_WRLCK) == -1) {
+		return -1;
+	}
+	
+	/* read in the hash top */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(hash), &rec_ptr) == -1)
+		goto fail;
+
+	while (rec_ptr) {
+		tdb_off_t next;
+
+		if (tdb_rec_read(tdb, rec_ptr, &rec) == -1) {
+			goto fail;
+		}
+
+		next = rec.next;
+
+		if (rec.magic == TDB_DEAD_MAGIC
+		    && tdb_do_delete(tdb, rec_ptr, &rec) == -1) {
+			goto fail;
+		}
+		rec_ptr = next;
+	}
+	res = 0;
+ fail:
+	tdb_unlock(tdb, -1, F_WRLCK);
+	return res;
+}
+
+/* delete an entry in the database given a key */
+static int tdb_delete_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash)
+{
+	tdb_off_t rec_ptr;
+	struct list_struct rec;
+	int ret;
+
+	if (tdb->max_dead_records != 0) {
+
+		/*
+		 * Allow for some dead records per hash chain, mainly for
+		 * tdb's with a very high create/delete rate like locking.tdb.
+		 */
+
+		if (tdb_lock(tdb, BUCKET(hash), F_WRLCK) == -1)
+			return -1;
+
+		if (tdb_count_dead(tdb, hash) >= tdb->max_dead_records) {
+			/*
+			 * Don't let the per-chain freelist grow too large,
+			 * delete all existing dead records
+			 */
+			tdb_purge_dead(tdb, hash);
+		}
+
+		if (!(rec_ptr = tdb_find(tdb, key, hash, &rec))) {
+			tdb_unlock(tdb, BUCKET(hash), F_WRLCK);
+			return -1;
+		}
+
+		/*
+		 * Just mark the record as dead.
+		 */
+		rec.magic = TDB_DEAD_MAGIC;
+		ret = tdb_rec_write(tdb, rec_ptr, &rec);
+	}
+	else {
+		if (!(rec_ptr = tdb_find_lock_hash(tdb, key, hash, F_WRLCK,
+						   &rec)))
+			return -1;
+
+		ret = tdb_do_delete(tdb, rec_ptr, &rec);
+	}
+
+	if (ret == 0) {
+		tdb_increment_seqnum(tdb);
+	}
+
+	if (tdb_unlock(tdb, BUCKET(rec.full_hash), F_WRLCK) != 0)
+		TDB_LOG((tdb, TDB_DEBUG_WARNING, "tdb_delete: WARNING tdb_unlock failed!\n"));
+	return ret;
+}
+
+int tdb_delete(struct tdb_context *tdb, TDB_DATA key)
+{
+	uint32_t hash = tdb->hash_fn(&key);
+	return tdb_delete_hash(tdb, key, hash);
+}
+
+/*
+ * See if we have a dead record around with enough space
+ */
+static tdb_off_t tdb_find_dead(struct tdb_context *tdb, uint32_t hash,
+			       struct list_struct *r, tdb_len_t length)
+{
+	tdb_off_t rec_ptr;
+	
+	/* read in the hash top */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(hash), &rec_ptr) == -1)
+		return 0;
+
+	/* keep looking until we find the right record */
+	while (rec_ptr) {
+		if (tdb_rec_read(tdb, rec_ptr, r) == -1)
+			return 0;
+
+		if (TDB_DEAD(r) && r->rec_len >= length) {
+			/*
+			 * First fit for simple coding, TODO: change to best
+			 * fit
+			 */
+			return rec_ptr;
+		}
+		rec_ptr = r->next;
+	}
+	return 0;
+}
+
+/* store an element in the database, replacing any existing element
+   with the same key 
+
+   return 0 on success, -1 on failure
+*/
+int tdb_store(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf, int flag)
+{
+	struct list_struct rec;
+	uint32_t hash;
+	tdb_off_t rec_ptr;
+	char *p = NULL;
+	int ret = -1;
+
+	if (tdb->read_only || tdb->traverse_read) {
+		tdb->ecode = TDB_ERR_RDONLY;
+		return -1;
+	}
+
+	/* find which hash bucket it is in */
+	hash = tdb->hash_fn(&key);
+	if (tdb_lock(tdb, BUCKET(hash), F_WRLCK) == -1)
+		return -1;
+
+	/* check for it existing, on insert. */
+	if (flag == TDB_INSERT) {
+		if (tdb_exists_hash(tdb, key, hash)) {
+			tdb->ecode = TDB_ERR_EXISTS;
+			goto fail;
+		}
+	} else {
+		/* first try in-place update, on modify or replace. */
+		if (tdb_update_hash(tdb, key, hash, dbuf) == 0) {
+			goto done;
+		}
+		if (tdb->ecode == TDB_ERR_NOEXIST &&
+		    flag == TDB_MODIFY) {
+			/* if the record doesn't exist and we are in TDB_MODIFY mode then
+			 we should fail the store */
+			goto fail;
+		}
+	}
+	/* reset the error code potentially set by the tdb_update() */
+	tdb->ecode = TDB_SUCCESS;
+
+	/* delete any existing record - if it doesn't exist we don't
+           care.  Doing this first reduces fragmentation, and avoids
+           coalescing with `allocated' block before it's updated. */
+	if (flag != TDB_INSERT)
+		tdb_delete_hash(tdb, key, hash);
+
+	/* Copy key+value *before* allocating free space in case malloc
+	   fails and we are left with a dead spot in the tdb. */
+
+	if (!(p = (char *)malloc(key.dsize + dbuf.dsize))) {
+		tdb->ecode = TDB_ERR_OOM;
+		goto fail;
+	}
+
+	memcpy(p, key.dptr, key.dsize);
+	if (dbuf.dsize)
+		memcpy(p+key.dsize, dbuf.dptr, dbuf.dsize);
+
+	if (tdb->max_dead_records != 0) {
+		/*
+		 * Allow for some dead records per hash chain, look if we can
+		 * find one that can hold the new record. We need enough space
+		 * for key, data and tailer. If we find one, we don't have to
+		 * consult the central freelist.
+		 */
+		rec_ptr = tdb_find_dead(
+			tdb, hash, &rec,
+			key.dsize + dbuf.dsize + sizeof(tdb_off_t));
+
+		if (rec_ptr != 0) {
+			rec.key_len = key.dsize;
+			rec.data_len = dbuf.dsize;
+			rec.full_hash = hash;
+			rec.magic = TDB_MAGIC;
+			if (tdb_rec_write(tdb, rec_ptr, &rec) == -1
+			    || tdb->methods->tdb_write(
+				    tdb, rec_ptr + sizeof(rec),
+				    p, key.dsize + dbuf.dsize) == -1) {
+				goto fail;
+			}
+			goto done;
+		}
+	}
+
+	/*
+	 * We have to allocate some space from the freelist, so this means we
+	 * have to lock it. Use the chance to purge all the DEAD records from
+	 * the hash chain under the freelist lock.
+	 */
+
+	if (tdb_lock(tdb, -1, F_WRLCK) == -1) {
+		goto fail;
+	}
+
+	if ((tdb->max_dead_records != 0)
+	    && (tdb_purge_dead(tdb, hash) == -1)) {
+		tdb_unlock(tdb, -1, F_WRLCK);
+		goto fail;
+	}
+
+	/* we have to allocate some space */
+	rec_ptr = tdb_allocate(tdb, key.dsize + dbuf.dsize, &rec);
+
+	tdb_unlock(tdb, -1, F_WRLCK);
+
+	if (rec_ptr == 0) {
+		goto fail;
+	}
+
+	/* Read hash top into next ptr */
+	if (tdb_ofs_read(tdb, TDB_HASH_TOP(hash), &rec.next) == -1)
+		goto fail;
+
+	rec.key_len = key.dsize;
+	rec.data_len = dbuf.dsize;
+	rec.full_hash = hash;
+	rec.magic = TDB_MAGIC;
+
+	/* write out and point the top of the hash chain at it */
+	if (tdb_rec_write(tdb, rec_ptr, &rec) == -1
+	    || tdb->methods->tdb_write(tdb, rec_ptr+sizeof(rec), p, key.dsize+dbuf.dsize)==-1
+	    || tdb_ofs_write(tdb, TDB_HASH_TOP(hash), &rec_ptr) == -1) {
+		/* Need to tdb_unallocate() here */
+		goto fail;
+	}
+
+ done:
+	ret = 0;
+ fail:
+	if (ret == 0) {
+		tdb_increment_seqnum(tdb);
+	}
+
+	SAFE_FREE(p); 
+	tdb_unlock(tdb, BUCKET(hash), F_WRLCK);
+	return ret;
+}
+
+
+/* Append to an entry. Create if not exist. */
+int tdb_append(struct tdb_context *tdb, TDB_DATA key, TDB_DATA new_dbuf)
+{
+	uint32_t hash;
+	TDB_DATA dbuf;
+	int ret = -1;
+
+	/* find which hash bucket it is in */
+	hash = tdb->hash_fn(&key);
+	if (tdb_lock(tdb, BUCKET(hash), F_WRLCK) == -1)
+		return -1;
+
+	dbuf = tdb_fetch(tdb, key);
+
+	if (dbuf.dptr == NULL) {
+		dbuf.dptr = (unsigned char *)malloc(new_dbuf.dsize);
+	} else {
+		unsigned char *new_dptr = (unsigned char *)realloc(dbuf.dptr,
+						     dbuf.dsize + new_dbuf.dsize);
+		if (new_dptr == NULL) {
+			free(dbuf.dptr);
+		}
+		dbuf.dptr = new_dptr;
+	}
+
+	if (dbuf.dptr == NULL) {
+		tdb->ecode = TDB_ERR_OOM;
+		goto failed;
+	}
+
+	memcpy(dbuf.dptr + dbuf.dsize, new_dbuf.dptr, new_dbuf.dsize);
+	dbuf.dsize += new_dbuf.dsize;
+
+	ret = tdb_store(tdb, key, dbuf, 0);
+	
+failed:
+	tdb_unlock(tdb, BUCKET(hash), F_WRLCK);
+	SAFE_FREE(dbuf.dptr);
+	return ret;
+}
+
+
+/*
+  return the name of the current tdb file
+  useful for external logging functions
+*/
+const char *tdb_name(struct tdb_context *tdb)
+{
+	return tdb->name;
+}
+
+/*
+  return the underlying file descriptor being used by tdb, or -1
+  useful for external routines that want to check the device/inode
+  of the fd
+*/
+int tdb_fd(struct tdb_context *tdb)
+{
+	return tdb->fd;
+}
+
+/*
+  return the current logging function
+  useful for external tdb routines that wish to log tdb errors
+*/
+tdb_log_func tdb_log_fn(struct tdb_context *tdb)
+{
+	return tdb->log.log_fn;
+}
+
+
+/*
+  get the tdb sequence number. Only makes sense if the writers opened
+  with TDB_SEQNUM set. Note that this sequence number will wrap quite
+  quickly, so it should only be used for a 'has something changed'
+  test, not for code that relies on the count of the number of changes
+  made. If you want a counter then use a tdb record.
+
+  The aim of this sequence number is to allow for a very lightweight
+  test of a possible tdb change.
+*/
+int tdb_get_seqnum(struct tdb_context *tdb)
+{
+	tdb_off_t seqnum=0;
+
+	tdb_ofs_read(tdb, TDB_SEQNUM_OFS, &seqnum);
+	return seqnum;
+}
+
+int tdb_hash_size(struct tdb_context *tdb)
+{
+	return tdb->header.hash_size;
+}
+
+size_t tdb_map_size(struct tdb_context *tdb)
+{
+	return tdb->map_size;
+}
+
+int tdb_get_flags(struct tdb_context *tdb)
+{
+	return tdb->flags;
+}
+
+void tdb_add_flags(struct tdb_context *tdb, unsigned flags)
+{
+	tdb->flags |= flags;
+}
+
+void tdb_remove_flags(struct tdb_context *tdb, unsigned flags)
+{
+	tdb->flags &= ~flags;
+}
+
+
+/*
+  enable sequence number handling on an open tdb
+*/
+void tdb_enable_seqnum(struct tdb_context *tdb)
+{
+	tdb->flags |= TDB_SEQNUM;
+}
+
+
+/*
+  add a region of the file to the freelist. Length is the size of the region in bytes, 
+  which includes the free list header that needs to be added
+ */
+static int tdb_free_region(struct tdb_context *tdb, tdb_off_t offset, ssize_t length)
+{
+	struct list_struct rec;
+	if (length <= sizeof(rec)) {
+		/* the region is not worth adding */
+		return 0;
+	}
+	if (length + offset > tdb->map_size) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_free_region: adding region beyond end of file\n"));
+		return -1;		
+	}
+	memset(&rec,'\0',sizeof(rec));
+	rec.rec_len = length - sizeof(rec);
+	if (tdb_free(tdb, offset, &rec) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_free_region: failed to add free record\n"));
+		return -1;
+	}
+	return 0;
+}
+
+/*
+  wipe the entire database, deleting all records. This can be done
+  very fast by using a global lock. The entire data portion of the
+  file becomes a single entry in the freelist.
+
+  This code carefully steps around the recovery area, leaving it alone
+ */
+int tdb_wipe_all(struct tdb_context *tdb)
+{
+	int i;
+	tdb_off_t offset = 0;
+	ssize_t data_len;
+	tdb_off_t recovery_head;
+	tdb_len_t recovery_size = 0;
+
+	if (tdb_lockall(tdb) != 0) {
+		return -1;
+	}
+
+	/* see if the tdb has a recovery area, and remember its size
+	   if so. We don't want to lose this as otherwise each
+	   tdb_wipe_all() in a transaction will increase the size of
+	   the tdb by the size of the recovery area */
+	if (tdb_ofs_read(tdb, TDB_RECOVERY_HEAD, &recovery_head) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_wipe_all: failed to read recovery head\n"));
+		goto failed;
+	}
+
+	if (recovery_head != 0) {
+		struct list_struct rec;
+		if (tdb->methods->tdb_read(tdb, recovery_head, &rec, sizeof(rec), DOCONV()) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_wipe_all: failed to read recovery record\n"));
+			return -1;
+		}	
+		recovery_size = rec.rec_len + sizeof(rec);
+	}
+
+	/* wipe the hashes */
+	for (i=0;i<tdb->header.hash_size;i++) {
+		if (tdb_ofs_write(tdb, TDB_HASH_TOP(i), &offset) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_wipe_all: failed to write hash %d\n", i));
+			goto failed;
+		}
+	}
+
+	/* wipe the freelist */
+	if (tdb_ofs_write(tdb, FREELIST_TOP, &offset) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_wipe_all: failed to write freelist\n"));
+		goto failed;
+	}
+
+	/* add all the rest of the file to the freelist, possibly leaving a gap 
+	   for the recovery area */
+	if (recovery_size == 0) {
+		/* the simple case - the whole file can be used as a freelist */
+		data_len = (tdb->map_size - TDB_DATA_START(tdb->header.hash_size));
+		if (tdb_free_region(tdb, TDB_DATA_START(tdb->header.hash_size), data_len) != 0) {
+			goto failed;
+		}
+	} else {
+		/* we need to add two freelist entries - one on either
+		   side of the recovery area 
+
+		   Note that we cannot shift the recovery area during
+		   this operation. Only the transaction.c code may
+		   move the recovery area or we risk subtle data
+		   corruption
+		*/
+		data_len = (recovery_head - TDB_DATA_START(tdb->header.hash_size));
+		if (tdb_free_region(tdb, TDB_DATA_START(tdb->header.hash_size), data_len) != 0) {
+			goto failed;
+		}
+		/* and the 2nd free list entry after the recovery area - if any */
+		data_len = tdb->map_size - (recovery_head+recovery_size);
+		if (tdb_free_region(tdb, recovery_head+recovery_size, data_len) != 0) {
+			goto failed;
+		}
+	}
+
+	if (tdb_unlockall(tdb) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL,"tdb_wipe_all: failed to unlock\n"));
+		goto failed;
+	}
+
+	return 0;
+
+failed:
+	tdb_unlockall(tdb);
+	return -1;
+}
diff --git a/source3/lib/tdb/common/tdb_private.h b/source3/lib/tdb/common/tdb_private.h
new file mode 100644
index 0000000000..ffac89ff0e
--- /dev/null
+++ b/source3/lib/tdb/common/tdb_private.h
@@ -0,0 +1,213 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library - private includes
+
+   Copyright (C) Andrew Tridgell              2005
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "system/filesys.h"
+#include "system/time.h"
+#include "system/shmem.h"
+#include "system/select.h"
+#include "system/wait.h"
+#include "tdb.h"
+
+#ifndef HAVE_GETPAGESIZE
+#define getpagesize() 0x2000
+#endif
+
+typedef uint32_t tdb_len_t;
+typedef uint32_t tdb_off_t;
+
+#ifndef offsetof
+#define offsetof(t,f) ((unsigned int)&((t *)0)->f)
+#endif
+
+#define TDB_MAGIC_FOOD "TDB file\n"
+#define TDB_VERSION (0x26011967 + 6)
+#define TDB_MAGIC (0x26011999U)
+#define TDB_FREE_MAGIC (~TDB_MAGIC)
+#define TDB_DEAD_MAGIC (0xFEE1DEAD)
+#define TDB_RECOVERY_MAGIC (0xf53bc0e7U)
+#define TDB_ALIGNMENT 4
+#define DEFAULT_HASH_SIZE 131
+#define FREELIST_TOP (sizeof(struct tdb_header))
+#define TDB_ALIGN(x,a) (((x) + (a)-1) & ~((a)-1))
+#define TDB_BYTEREV(x) (((((x)&0xff)<<24)|((x)&0xFF00)<<8)|(((x)>>8)&0xFF00)|((x)>>24))
+#define TDB_DEAD(r) ((r)->magic == TDB_DEAD_MAGIC)
+#define TDB_BAD_MAGIC(r) ((r)->magic != TDB_MAGIC && !TDB_DEAD(r))
+#define TDB_HASH_TOP(hash) (FREELIST_TOP + (BUCKET(hash)+1)*sizeof(tdb_off_t))
+#define TDB_HASHTABLE_SIZE(tdb) ((tdb->header.hash_size+1)*sizeof(tdb_off_t))
+#define TDB_DATA_START(hash_size) (TDB_HASH_TOP(hash_size-1) + sizeof(tdb_off_t))
+#define TDB_RECOVERY_HEAD offsetof(struct tdb_header, recovery_start)
+#define TDB_SEQNUM_OFS    offsetof(struct tdb_header, sequence_number)
+#define TDB_PAD_BYTE 0x42
+#define TDB_PAD_U32  0x42424242
+
+/* NB assumes there is a local variable called "tdb" that is the
+ * current context, also takes doubly-parenthesized print-style
+ * argument. */
+#define TDB_LOG(x) tdb->log.log_fn x
+
+/* lock offsets */
+#define GLOBAL_LOCK      0
+#define ACTIVE_LOCK      4
+#define TRANSACTION_LOCK 8
+
+/* free memory if the pointer is valid and zero the pointer */
+#ifndef SAFE_FREE
+#define SAFE_FREE(x) do { if ((x) != NULL) {free(x); (x)=NULL;} } while(0)
+#endif
+
+#define BUCKET(hash) ((hash) % tdb->header.hash_size)
+
+#define DOCONV() (tdb->flags & TDB_CONVERT)
+#define CONVERT(x) (DOCONV() ? tdb_convert(&x, sizeof(x)) : &x)
+
+
+/* the body of the database is made of one list_struct for the free space
+   plus a separate data list for each hash value */
+struct list_struct {
+	tdb_off_t next; /* offset of the next record in the list */
+	tdb_len_t rec_len; /* total byte length of record */
+	tdb_len_t key_len; /* byte length of key */
+	tdb_len_t data_len; /* byte length of data */
+	uint32_t full_hash; /* the full 32 bit hash of the key */
+	uint32_t magic;   /* try to catch errors */
+	/* the following union is implied:
+		union {
+			char record[rec_len];
+			struct {
+				char key[key_len];
+				char data[data_len];
+			}
+			uint32_t totalsize; (tailer)
+		}
+	*/
+};
+
+
+/* this is stored at the front of every database */
+struct tdb_header {
+	char magic_food[32]; /* for /etc/magic */
+	uint32_t version; /* version of the code */
+	uint32_t hash_size; /* number of hash entries */
+	tdb_off_t rwlocks; /* obsolete - kept to detect old formats */
+	tdb_off_t recovery_start; /* offset of transaction recovery region */
+	tdb_off_t sequence_number; /* used when TDB_SEQNUM is set */
+	tdb_off_t reserved[29];
+};
+
+struct tdb_lock_type {
+	int list;
+	uint32_t count;
+	uint32_t ltype;
+};
+
+struct tdb_traverse_lock {
+	struct tdb_traverse_lock *next;
+	uint32_t off;
+	uint32_t hash;
+	int lock_rw;
+};
+
+
+struct tdb_methods {
+	int (*tdb_read)(struct tdb_context *, tdb_off_t , void *, tdb_len_t , int );
+	int (*tdb_write)(struct tdb_context *, tdb_off_t, const void *, tdb_len_t);
+	void (*next_hash_chain)(struct tdb_context *, uint32_t *);
+	int (*tdb_oob)(struct tdb_context *, tdb_off_t , int );
+	int (*tdb_expand_file)(struct tdb_context *, tdb_off_t , tdb_off_t );
+	int (*tdb_brlock)(struct tdb_context *, tdb_off_t , int, int, int, size_t);
+};
+
+struct tdb_context {
+	char *name; /* the name of the database */
+	void *map_ptr; /* where it is currently mapped */
+	int fd; /* open file descriptor for the database */
+	tdb_len_t map_size; /* how much space has been mapped */
+	int read_only; /* opened read-only */
+	int traverse_read; /* read-only traversal */
+	int traverse_write; /* read-write traversal */
+	struct tdb_lock_type global_lock;
+	int num_lockrecs;
+	struct tdb_lock_type *lockrecs; /* only real locks, all with count>0 */
+	enum TDB_ERROR ecode; /* error code for last tdb error */
+	struct tdb_header header; /* a cached copy of the header */
+	uint32_t flags; /* the flags passed to tdb_open */
+	struct tdb_traverse_lock travlocks; /* current traversal locks */
+	struct tdb_context *next; /* all tdbs to avoid multiple opens */
+	dev_t device;	/* uniquely identifies this tdb */
+	ino_t inode;	/* uniquely identifies this tdb */
+	struct tdb_logging_context log;
+	unsigned int (*hash_fn)(TDB_DATA *key);
+	int open_flags; /* flags used in the open - needed by reopen */
+	unsigned int num_locks; /* number of chain locks held */
+	const struct tdb_methods *methods;
+	struct tdb_transaction *transaction;
+	int page_size;
+	int max_dead_records;
+	bool have_transaction_lock;
+	volatile sig_atomic_t *interrupt_sig_ptr;
+};
+
+
+/*
+  internal prototypes
+*/
+int tdb_munmap(struct tdb_context *tdb);
+void tdb_mmap(struct tdb_context *tdb);
+int tdb_lock(struct tdb_context *tdb, int list, int ltype);
+int tdb_lock_nonblock(struct tdb_context *tdb, int list, int ltype);
+int tdb_unlock(struct tdb_context *tdb, int list, int ltype);
+int tdb_brlock(struct tdb_context *tdb, tdb_off_t offset, int rw_type, int lck_type, int probe, size_t len);
+int tdb_transaction_lock(struct tdb_context *tdb, int ltype);
+int tdb_transaction_unlock(struct tdb_context *tdb);
+int tdb_brlock_upgrade(struct tdb_context *tdb, tdb_off_t offset, size_t len);
+int tdb_write_lock_record(struct tdb_context *tdb, tdb_off_t off);
+int tdb_write_unlock_record(struct tdb_context *tdb, tdb_off_t off);
+int tdb_ofs_read(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d);
+int tdb_ofs_write(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d);
+void *tdb_convert(void *buf, uint32_t size);
+int tdb_free(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec);
+tdb_off_t tdb_allocate(struct tdb_context *tdb, tdb_len_t length, struct list_struct *rec);
+int tdb_ofs_read(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d);
+int tdb_ofs_write(struct tdb_context *tdb, tdb_off_t offset, tdb_off_t *d);
+int tdb_lock_record(struct tdb_context *tdb, tdb_off_t off);
+int tdb_unlock_record(struct tdb_context *tdb, tdb_off_t off);
+int tdb_rec_read(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec);
+int tdb_rec_write(struct tdb_context *tdb, tdb_off_t offset, struct list_struct *rec);
+int tdb_do_delete(struct tdb_context *tdb, tdb_off_t rec_ptr, struct list_struct *rec);
+unsigned char *tdb_alloc_read(struct tdb_context *tdb, tdb_off_t offset, tdb_len_t len);
+int tdb_parse_data(struct tdb_context *tdb, TDB_DATA key,
+		   tdb_off_t offset, tdb_len_t len,
+		   int (*parser)(TDB_DATA key, TDB_DATA data,
+				 void *private_data),
+		   void *private_data);
+tdb_off_t tdb_find_lock_hash(struct tdb_context *tdb, TDB_DATA key, uint32_t hash, int locktype,
+			   struct list_struct *rec);
+void tdb_io_init(struct tdb_context *tdb);
+int tdb_expand(struct tdb_context *tdb, tdb_off_t size);
+int tdb_rec_free_read(struct tdb_context *tdb, tdb_off_t off,
+		      struct list_struct *rec);
+
+
diff --git a/source3/lib/tdb/common/transaction.c b/source3/lib/tdb/common/transaction.c
new file mode 100644
index 0000000000..7acda640c8
--- /dev/null
+++ b/source3/lib/tdb/common/transaction.c
@@ -0,0 +1,1119 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              2005
+
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+/*
+  transaction design:
+
+  - only allow a single transaction at a time per database. This makes
+    using the transaction API simpler, as otherwise the caller would
+    have to cope with temporary failures in transactions that conflict
+    with other current transactions
+
+  - keep the transaction recovery information in the same file as the
+    database, using a special 'transaction recovery' record pointed at
+    by the header. This removes the need for extra journal files as
+    used by some other databases
+
+  - dynamically allocated the transaction recover record, re-using it
+    for subsequent transactions. If a larger record is needed then
+    tdb_free() the old record to place it on the normal tdb freelist
+    before allocating the new record
+
+  - during transactions, keep a linked list of writes all that have
+    been performed by intercepting all tdb_write() calls. The hooked
+    transaction versions of tdb_read() and tdb_write() check this
+    linked list and try to use the elements of the list in preference
+    to the real database.
+
+  - don't allow any locks to be held when a transaction starts,
+    otherwise we can end up with deadlock (plus lack of lock nesting
+    in posix locks would mean the lock is lost)
+
+  - if the caller gains a lock during the transaction but doesn't
+    release it then fail the commit
+
+  - allow for nested calls to tdb_transaction_start(), re-using the
+    existing transaction record. If the inner transaction is cancelled
+    then a subsequent commit will fail
+ 
+  - keep a mirrored copy of the tdb hash chain heads to allow for the
+    fast hash heads scan on traverse, updating the mirrored copy in
+    the transaction version of tdb_write
+
+  - allow callers to mix transaction and non-transaction use of tdb,
+    although once a transaction is started then an exclusive lock is
+    gained until the transaction is committed or cancelled
+
+  - the commit stategy involves first saving away all modified data
+    into a linearised buffer in the transaction recovery area, then
+    marking the transaction recovery area with a magic value to
+    indicate a valid recovery record. In total 4 fsync/msync calls are
+    needed per commit to prevent race conditions. It might be possible
+    to reduce this to 3 or even 2 with some more work.
+
+  - check for a valid recovery record on open of the tdb, while the
+    global lock is held. Automatically recover from the transaction
+    recovery area if needed, then continue with the open as
+    usual. This allows for smooth crash recovery with no administrator
+    intervention.
+
+  - if TDB_NOSYNC is passed to flags in tdb_open then transactions are
+    still available, but no transaction recovery area is used and no
+    fsync/msync calls are made.
+
+*/
+
+
+/*
+  hold the context of any current transaction
+*/
+struct tdb_transaction {
+	/* we keep a mirrored copy of the tdb hash heads here so
+	   tdb_next_hash_chain() can operate efficiently */
+	uint32_t *hash_heads;
+
+	/* the original io methods - used to do IOs to the real db */
+	const struct tdb_methods *io_methods;
+
+	/* the list of transaction blocks. When a block is first
+	   written to, it gets created in this list */
+	uint8_t **blocks;
+	uint32_t num_blocks;
+	uint32_t block_size;      /* bytes in each block */
+	uint32_t last_block_size; /* number of valid bytes in the last block */
+
+	/* non-zero when an internal transaction error has
+	   occurred. All write operations will then fail until the
+	   transaction is ended */
+	int transaction_error;
+
+	/* when inside a transaction we need to keep track of any
+	   nested tdb_transaction_start() calls, as these are allowed,
+	   but don't create a new transaction */
+	int nesting;
+
+	/* old file size before transaction */
+	tdb_len_t old_map_size;
+};
+
+
+/*
+  read while in a transaction. We need to check first if the data is in our list
+  of transaction elements, then if not do a real read
+*/
+static int transaction_read(struct tdb_context *tdb, tdb_off_t off, void *buf, 
+			    tdb_len_t len, int cv)
+{
+	uint32_t blk;
+
+	/* break it down into block sized ops */
+	while (len + (off % tdb->transaction->block_size) > tdb->transaction->block_size) {
+		tdb_len_t len2 = tdb->transaction->block_size - (off % tdb->transaction->block_size);
+		if (transaction_read(tdb, off, buf, len2, cv) != 0) {
+			return -1;
+		}
+		len -= len2;
+		off += len2;
+		buf = (void *)(len2 + (char *)buf);
+	}
+
+	if (len == 0) {
+		return 0;
+	}
+
+	blk = off / tdb->transaction->block_size;
+
+	/* see if we have it in the block list */
+	if (tdb->transaction->num_blocks <= blk ||
+	    tdb->transaction->blocks[blk] == NULL) {
+		/* nope, do a real read */
+		if (tdb->transaction->io_methods->tdb_read(tdb, off, buf, len, cv) != 0) {
+			goto fail;
+		}
+		return 0;
+	}
+
+	/* it is in the block list. Now check for the last block */
+	if (blk == tdb->transaction->num_blocks-1) {
+		if (len > tdb->transaction->last_block_size) {
+			goto fail;
+		}
+	}
+	
+	/* now copy it out of this block */
+	memcpy(buf, tdb->transaction->blocks[blk] + (off % tdb->transaction->block_size), len);
+	if (cv) {
+		tdb_convert(buf, len);
+	}
+	return 0;
+
+fail:
+	TDB_LOG((tdb, TDB_DEBUG_FATAL, "transaction_read: failed at off=%d len=%d\n", off, len));
+	tdb->ecode = TDB_ERR_IO;
+	tdb->transaction->transaction_error = 1;
+	return -1;
+}
+
+
+/*
+  write while in a transaction
+*/
+static int transaction_write(struct tdb_context *tdb, tdb_off_t off, 
+			     const void *buf, tdb_len_t len)
+{
+	uint32_t blk;
+
+	/* if the write is to a hash head, then update the transaction
+	   hash heads */
+	if (len == sizeof(tdb_off_t) && off >= FREELIST_TOP &&
+	    off < FREELIST_TOP+TDB_HASHTABLE_SIZE(tdb)) {
+		uint32_t chain = (off-FREELIST_TOP) / sizeof(tdb_off_t);
+		memcpy(&tdb->transaction->hash_heads[chain], buf, len);
+	}
+
+	/* break it up into block sized chunks */
+	while (len + (off % tdb->transaction->block_size) > tdb->transaction->block_size) {
+		tdb_len_t len2 = tdb->transaction->block_size - (off % tdb->transaction->block_size);
+		if (transaction_write(tdb, off, buf, len2) != 0) {
+			return -1;
+		}
+		len -= len2;
+		off += len2;
+		if (buf != NULL) {
+			buf = (const void *)(len2 + (const char *)buf);
+		}
+	}
+
+	if (len == 0) {
+		return 0;
+	}
+
+	blk = off / tdb->transaction->block_size;
+	off = off % tdb->transaction->block_size;
+
+	if (tdb->transaction->num_blocks <= blk) {
+		uint8_t **new_blocks;
+		/* expand the blocks array */
+		if (tdb->transaction->blocks == NULL) {
+			new_blocks = (uint8_t **)malloc(
+				(blk+1)*sizeof(uint8_t *));
+		} else {
+			new_blocks = (uint8_t **)realloc(
+				tdb->transaction->blocks,
+				(blk+1)*sizeof(uint8_t *));
+		}
+		if (new_blocks == NULL) {
+			tdb->ecode = TDB_ERR_OOM;
+			goto fail;
+		}
+		memset(&new_blocks[tdb->transaction->num_blocks], 0, 
+		       (1+(blk - tdb->transaction->num_blocks))*sizeof(uint8_t *));
+		tdb->transaction->blocks = new_blocks;
+		tdb->transaction->num_blocks = blk+1;
+		tdb->transaction->last_block_size = 0;
+	}
+
+	/* allocate and fill a block? */
+	if (tdb->transaction->blocks[blk] == NULL) {
+		tdb->transaction->blocks[blk] = (uint8_t *)calloc(tdb->transaction->block_size, 1);
+		if (tdb->transaction->blocks[blk] == NULL) {
+			tdb->ecode = TDB_ERR_OOM;
+			tdb->transaction->transaction_error = 1;
+			return -1;			
+		}
+		if (tdb->transaction->old_map_size > blk * tdb->transaction->block_size) {
+			tdb_len_t len2 = tdb->transaction->block_size;
+			if (len2 + (blk * tdb->transaction->block_size) > tdb->transaction->old_map_size) {
+				len2 = tdb->transaction->old_map_size - (blk * tdb->transaction->block_size);
+			}
+			if (tdb->transaction->io_methods->tdb_read(tdb, blk * tdb->transaction->block_size, 
+								   tdb->transaction->blocks[blk], 
+								   len2, 0) != 0) {
+				SAFE_FREE(tdb->transaction->blocks[blk]);				
+				tdb->ecode = TDB_ERR_IO;
+				goto fail;
+			}
+			if (blk == tdb->transaction->num_blocks-1) {
+				tdb->transaction->last_block_size = len2;
+			}			
+		}
+	}
+	
+	/* overwrite part of an existing block */
+	if (buf == NULL) {
+		memset(tdb->transaction->blocks[blk] + off, 0, len);
+	} else {
+		memcpy(tdb->transaction->blocks[blk] + off, buf, len);
+	}
+	if (blk == tdb->transaction->num_blocks-1) {
+		if (len + off > tdb->transaction->last_block_size) {
+			tdb->transaction->last_block_size = len + off;
+		}
+	}
+
+	return 0;
+
+fail:
+	TDB_LOG((tdb, TDB_DEBUG_FATAL, "transaction_write: failed at off=%d len=%d\n", 
+		 (blk*tdb->transaction->block_size) + off, len));
+	tdb->transaction->transaction_error = 1;
+	return -1;
+}
+
+
+/*
+  write while in a transaction - this varient never expands the transaction blocks, it only
+  updates existing blocks. This means it cannot change the recovery size
+*/
+static int transaction_write_existing(struct tdb_context *tdb, tdb_off_t off, 
+				      const void *buf, tdb_len_t len)
+{
+	uint32_t blk;
+
+	/* break it up into block sized chunks */
+	while (len + (off % tdb->transaction->block_size) > tdb->transaction->block_size) {
+		tdb_len_t len2 = tdb->transaction->block_size - (off % tdb->transaction->block_size);
+		if (transaction_write_existing(tdb, off, buf, len2) != 0) {
+			return -1;
+		}
+		len -= len2;
+		off += len2;
+		if (buf != NULL) {
+			buf = (const void *)(len2 + (const char *)buf);
+		}
+	}
+
+	if (len == 0) {
+		return 0;
+	}
+
+	blk = off / tdb->transaction->block_size;
+	off = off % tdb->transaction->block_size;
+
+	if (tdb->transaction->num_blocks <= blk ||
+	    tdb->transaction->blocks[blk] == NULL) {
+		return 0;
+	}
+
+	if (blk == tdb->transaction->num_blocks-1 &&
+	    off + len > tdb->transaction->last_block_size) {
+		if (off >= tdb->transaction->last_block_size) {
+			return 0;
+		}
+		len = tdb->transaction->last_block_size - off;
+	}
+
+	/* overwrite part of an existing block */
+	memcpy(tdb->transaction->blocks[blk] + off, buf, len);
+
+	return 0;
+}
+
+
+/*
+  accelerated hash chain head search, using the cached hash heads
+*/
+static void transaction_next_hash_chain(struct tdb_context *tdb, uint32_t *chain)
+{
+	uint32_t h = *chain;
+	for (;h < tdb->header.hash_size;h++) {
+		/* the +1 takes account of the freelist */
+		if (0 != tdb->transaction->hash_heads[h+1]) {
+			break;
+		}
+	}
+	(*chain) = h;
+}
+
+/*
+  out of bounds check during a transaction
+*/
+static int transaction_oob(struct tdb_context *tdb, tdb_off_t len, int probe)
+{
+	if (len <= tdb->map_size) {
+		return 0;
+	}
+	return TDB_ERRCODE(TDB_ERR_IO, -1);
+}
+
+/*
+  transaction version of tdb_expand().
+*/
+static int transaction_expand_file(struct tdb_context *tdb, tdb_off_t size, 
+				   tdb_off_t addition)
+{
+	/* add a write to the transaction elements, so subsequent
+	   reads see the zero data */
+	if (transaction_write(tdb, size, NULL, addition) != 0) {
+		return -1;
+	}
+
+	return 0;
+}
+
+/*
+  brlock during a transaction - ignore them
+*/
+static int transaction_brlock(struct tdb_context *tdb, tdb_off_t offset, 
+			      int rw_type, int lck_type, int probe, size_t len)
+{
+	return 0;
+}
+
+static const struct tdb_methods transaction_methods = {
+	transaction_read,
+	transaction_write,
+	transaction_next_hash_chain,
+	transaction_oob,
+	transaction_expand_file,
+	transaction_brlock
+};
+
+
+/*
+  start a tdb transaction. No token is returned, as only a single
+  transaction is allowed to be pending per tdb_context
+*/
+int tdb_transaction_start(struct tdb_context *tdb)
+{
+	/* some sanity checks */
+	if (tdb->read_only || (tdb->flags & TDB_INTERNAL) || tdb->traverse_read) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction on a read-only or internal db\n"));
+		tdb->ecode = TDB_ERR_EINVAL;
+		return -1;
+	}
+
+	/* cope with nested tdb_transaction_start() calls */
+	if (tdb->transaction != NULL) {
+		tdb->transaction->nesting++;
+		TDB_LOG((tdb, TDB_DEBUG_TRACE, "tdb_transaction_start: nesting %d\n", 
+			 tdb->transaction->nesting));
+		return 0;
+	}
+
+	if (tdb->num_locks != 0 || tdb->global_lock.count) {
+		/* the caller must not have any locks when starting a
+		   transaction as otherwise we'll be screwed by lack
+		   of nested locks in posix */
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction with locks held\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		return -1;
+	}
+
+	if (tdb->travlocks.next != NULL) {
+		/* you cannot use transactions inside a traverse (although you can use
+		   traverse inside a transaction) as otherwise you can end up with
+		   deadlock */
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: cannot start a transaction within a traverse\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		return -1;
+	}
+
+	tdb->transaction = (struct tdb_transaction *)
+		calloc(sizeof(struct tdb_transaction), 1);
+	if (tdb->transaction == NULL) {
+		tdb->ecode = TDB_ERR_OOM;
+		return -1;
+	}
+
+	/* a page at a time seems like a reasonable compromise between compactness and efficiency */
+	tdb->transaction->block_size = tdb->page_size;
+
+	/* get the transaction write lock. This is a blocking lock. As
+	   discussed with Volker, there are a number of ways we could
+	   make this async, which we will probably do in the future */
+	if (tdb_transaction_lock(tdb, F_WRLCK) == -1) {
+		SAFE_FREE(tdb->transaction->blocks);
+		SAFE_FREE(tdb->transaction);
+		return -1;
+	}
+	
+	/* get a read lock from the freelist to the end of file. This
+	   is upgraded to a write lock during the commit */
+	if (tdb_brlock(tdb, FREELIST_TOP, F_RDLCK, F_SETLKW, 0, 0) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: failed to get hash locks\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		goto fail;
+	}
+
+	/* setup a copy of the hash table heads so the hash scan in
+	   traverse can be fast */
+	tdb->transaction->hash_heads = (uint32_t *)
+		calloc(tdb->header.hash_size+1, sizeof(uint32_t));
+	if (tdb->transaction->hash_heads == NULL) {
+		tdb->ecode = TDB_ERR_OOM;
+		goto fail;
+	}
+	if (tdb->methods->tdb_read(tdb, FREELIST_TOP, tdb->transaction->hash_heads,
+				   TDB_HASHTABLE_SIZE(tdb), 0) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_start: failed to read hash heads\n"));
+		tdb->ecode = TDB_ERR_IO;
+		goto fail;
+	}
+
+	/* make sure we know about any file expansions already done by
+	   anyone else */
+	tdb->methods->tdb_oob(tdb, tdb->map_size + 1, 1);
+	tdb->transaction->old_map_size = tdb->map_size;
+
+	/* finally hook the io methods, replacing them with
+	   transaction specific methods */
+	tdb->transaction->io_methods = tdb->methods;
+	tdb->methods = &transaction_methods;
+
+	return 0;
+	
+fail:
+	tdb_brlock(tdb, FREELIST_TOP, F_UNLCK, F_SETLKW, 0, 0);
+	tdb_transaction_unlock(tdb);
+	SAFE_FREE(tdb->transaction->blocks);
+	SAFE_FREE(tdb->transaction->hash_heads);
+	SAFE_FREE(tdb->transaction);
+	return -1;
+}
+
+
+/*
+  cancel the current transaction
+*/
+int tdb_transaction_cancel(struct tdb_context *tdb)
+{	
+	int i;
+
+	if (tdb->transaction == NULL) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_cancel: no transaction\n"));
+		return -1;
+	}
+
+	if (tdb->transaction->nesting != 0) {
+		tdb->transaction->transaction_error = 1;
+		tdb->transaction->nesting--;
+		return 0;
+	}		
+
+	tdb->map_size = tdb->transaction->old_map_size;
+
+	/* free all the transaction blocks */
+	for (i=0;i<tdb->transaction->num_blocks;i++) {
+		if (tdb->transaction->blocks[i] != NULL) {
+			free(tdb->transaction->blocks[i]);
+		}
+	}
+	SAFE_FREE(tdb->transaction->blocks);
+
+	/* remove any global lock created during the transaction */
+	if (tdb->global_lock.count != 0) {
+		tdb_brlock(tdb, FREELIST_TOP, F_UNLCK, F_SETLKW, 0, 4*tdb->header.hash_size);
+		tdb->global_lock.count = 0;
+	}
+
+	/* remove any locks created during the transaction */
+	if (tdb->num_locks != 0) {
+		for (i=0;i<tdb->num_lockrecs;i++) {
+			tdb_brlock(tdb,FREELIST_TOP+4*tdb->lockrecs[i].list,
+				   F_UNLCK,F_SETLKW, 0, 1);
+		}
+		tdb->num_locks = 0;
+		tdb->num_lockrecs = 0;
+		SAFE_FREE(tdb->lockrecs);
+	}
+
+	/* restore the normal io methods */
+	tdb->methods = tdb->transaction->io_methods;
+
+	tdb_brlock(tdb, FREELIST_TOP, F_UNLCK, F_SETLKW, 0, 0);
+	tdb_transaction_unlock(tdb);
+	SAFE_FREE(tdb->transaction->hash_heads);
+	SAFE_FREE(tdb->transaction);
+	
+	return 0;
+}
+
+/*
+  sync to disk
+*/
+static int transaction_sync(struct tdb_context *tdb, tdb_off_t offset, tdb_len_t length)
+{	
+	if (fsync(tdb->fd) != 0) {
+		tdb->ecode = TDB_ERR_IO;
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction: fsync failed\n"));
+		return -1;
+	}
+#ifdef HAVE_MMAP
+	if (tdb->map_ptr) {
+		tdb_off_t moffset = offset & ~(tdb->page_size-1);
+		if (msync(moffset + (char *)tdb->map_ptr, 
+			  length + (offset - moffset), MS_SYNC) != 0) {
+			tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction: msync failed - %s\n",
+				 strerror(errno)));
+			return -1;
+		}
+	}
+#endif
+	return 0;
+}
+
+
+/*
+  work out how much space the linearised recovery data will consume
+*/
+static tdb_len_t tdb_recovery_size(struct tdb_context *tdb)
+{
+	tdb_len_t recovery_size = 0;
+	int i;
+
+	recovery_size = sizeof(uint32_t);
+	for (i=0;i<tdb->transaction->num_blocks;i++) {
+		if (i * tdb->transaction->block_size >= tdb->transaction->old_map_size) {
+			break;
+		}
+		if (tdb->transaction->blocks[i] == NULL) {
+			continue;
+		}
+		recovery_size += 2*sizeof(tdb_off_t);
+		if (i == tdb->transaction->num_blocks-1) {
+			recovery_size += tdb->transaction->last_block_size;
+		} else {
+			recovery_size += tdb->transaction->block_size;
+		}
+	}	
+
+	return recovery_size;
+}
+
+/*
+  allocate the recovery area, or use an existing recovery area if it is
+  large enough
+*/
+static int tdb_recovery_allocate(struct tdb_context *tdb, 
+				 tdb_len_t *recovery_size,
+				 tdb_off_t *recovery_offset,
+				 tdb_len_t *recovery_max_size)
+{
+	struct list_struct rec;
+	const struct tdb_methods *methods = tdb->transaction->io_methods;
+	tdb_off_t recovery_head;
+
+	if (tdb_ofs_read(tdb, TDB_RECOVERY_HEAD, &recovery_head) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to read recovery head\n"));
+		return -1;
+	}
+
+	rec.rec_len = 0;
+
+	if (recovery_head != 0 && 
+	    methods->tdb_read(tdb, recovery_head, &rec, sizeof(rec), DOCONV()) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to read recovery record\n"));
+		return -1;
+	}
+
+	*recovery_size = tdb_recovery_size(tdb);
+
+	if (recovery_head != 0 && *recovery_size <= rec.rec_len) {
+		/* it fits in the existing area */
+		*recovery_max_size = rec.rec_len;
+		*recovery_offset = recovery_head;
+		return 0;
+	}
+
+	/* we need to free up the old recovery area, then allocate a
+	   new one at the end of the file. Note that we cannot use
+	   tdb_allocate() to allocate the new one as that might return
+	   us an area that is being currently used (as of the start of
+	   the transaction) */
+	if (recovery_head != 0) {
+		if (tdb_free(tdb, recovery_head, &rec) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to free previous recovery area\n"));
+			return -1;
+		}
+	}
+
+	/* the tdb_free() call might have increased the recovery size */
+	*recovery_size = tdb_recovery_size(tdb);
+
+	/* round up to a multiple of page size */
+	*recovery_max_size = TDB_ALIGN(sizeof(rec) + *recovery_size, tdb->page_size) - sizeof(rec);
+	*recovery_offset = tdb->map_size;
+	recovery_head = *recovery_offset;
+
+	if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size, 
+				     (tdb->map_size - tdb->transaction->old_map_size) +
+				     sizeof(rec) + *recovery_max_size) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to create recovery area\n"));
+		return -1;
+	}
+
+	/* remap the file (if using mmap) */
+	methods->tdb_oob(tdb, tdb->map_size + 1, 1);
+
+	/* we have to reset the old map size so that we don't try to expand the file
+	   again in the transaction commit, which would destroy the recovery area */
+	tdb->transaction->old_map_size = tdb->map_size;
+
+	/* write the recovery header offset and sync - we can sync without a race here
+	   as the magic ptr in the recovery record has not been set */
+	CONVERT(recovery_head);
+	if (methods->tdb_write(tdb, TDB_RECOVERY_HEAD, 
+			       &recovery_head, sizeof(tdb_off_t)) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to write recovery head\n"));
+		return -1;
+	}
+	if (transaction_write_existing(tdb, TDB_RECOVERY_HEAD, &recovery_head, sizeof(tdb_off_t)) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_recovery_allocate: failed to write recovery head\n"));
+		return -1;
+	}
+
+	return 0;
+}
+
+
+/*
+  setup the recovery data that will be used on a crash during commit
+*/
+static int transaction_setup_recovery(struct tdb_context *tdb, 
+				      tdb_off_t *magic_offset)
+{
+	tdb_len_t recovery_size;
+	unsigned char *data, *p;
+	const struct tdb_methods *methods = tdb->transaction->io_methods;
+	struct list_struct *rec;
+	tdb_off_t recovery_offset, recovery_max_size;
+	tdb_off_t old_map_size = tdb->transaction->old_map_size;
+	uint32_t magic, tailer;
+	int i;
+
+	/*
+	  check that the recovery area has enough space
+	*/
+	if (tdb_recovery_allocate(tdb, &recovery_size, 
+				  &recovery_offset, &recovery_max_size) == -1) {
+		return -1;
+	}
+
+	data = (unsigned char *)malloc(recovery_size + sizeof(*rec));
+	if (data == NULL) {
+		tdb->ecode = TDB_ERR_OOM;
+		return -1;
+	}
+
+	rec = (struct list_struct *)data;
+	memset(rec, 0, sizeof(*rec));
+
+	rec->magic    = 0;
+	rec->data_len = recovery_size;
+	rec->rec_len  = recovery_max_size;
+	rec->key_len  = old_map_size;
+	CONVERT(rec);
+
+	/* build the recovery data into a single blob to allow us to do a single
+	   large write, which should be more efficient */
+	p = data + sizeof(*rec);
+	for (i=0;i<tdb->transaction->num_blocks;i++) {
+		tdb_off_t offset;
+		tdb_len_t length;
+
+		if (tdb->transaction->blocks[i] == NULL) {
+			continue;
+		}
+
+		offset = i * tdb->transaction->block_size;
+		length = tdb->transaction->block_size;
+		if (i == tdb->transaction->num_blocks-1) {
+			length = tdb->transaction->last_block_size;
+		}
+		
+		if (offset >= old_map_size) {
+			continue;
+		}
+		if (offset + length > tdb->transaction->old_map_size) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: transaction data over new region boundary\n"));
+			free(data);
+			tdb->ecode = TDB_ERR_CORRUPT;
+			return -1;
+		}
+		memcpy(p, &offset, 4);
+		memcpy(p+4, &length, 4);
+		if (DOCONV()) {
+			tdb_convert(p, 8);
+		}
+		/* the recovery area contains the old data, not the
+		   new data, so we have to call the original tdb_read
+		   method to get it */
+		if (methods->tdb_read(tdb, offset, p + 8, length, 0) != 0) {
+			free(data);
+			tdb->ecode = TDB_ERR_IO;
+			return -1;
+		}
+		p += 8 + length;
+	}
+
+	/* and the tailer */
+	tailer = sizeof(*rec) + recovery_max_size;
+	memcpy(p, &tailer, 4);
+	CONVERT(p);
+
+	/* write the recovery data to the recovery area */
+	if (methods->tdb_write(tdb, recovery_offset, data, sizeof(*rec) + recovery_size) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery data\n"));
+		free(data);
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+	if (transaction_write_existing(tdb, recovery_offset, data, sizeof(*rec) + recovery_size) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write secondary recovery data\n"));
+		free(data);
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	/* as we don't have ordered writes, we have to sync the recovery
+	   data before we update the magic to indicate that the recovery
+	   data is present */
+	if (transaction_sync(tdb, recovery_offset, sizeof(*rec) + recovery_size) == -1) {
+		free(data);
+		return -1;
+	}
+
+	free(data);
+
+	magic = TDB_RECOVERY_MAGIC;
+	CONVERT(magic);
+
+	*magic_offset = recovery_offset + offsetof(struct list_struct, magic);
+
+	if (methods->tdb_write(tdb, *magic_offset, &magic, sizeof(magic)) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write recovery magic\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+	if (transaction_write_existing(tdb, *magic_offset, &magic, sizeof(magic)) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_setup_recovery: failed to write secondary recovery magic\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	/* ensure the recovery magic marker is on disk */
+	if (transaction_sync(tdb, *magic_offset, sizeof(magic)) == -1) {
+		return -1;
+	}
+
+	return 0;
+}
+
+/*
+  commit the current transaction
+*/
+int tdb_transaction_commit(struct tdb_context *tdb)
+{	
+	const struct tdb_methods *methods;
+	tdb_off_t magic_offset = 0;
+	uint32_t zero = 0;
+	int i;
+
+	if (tdb->transaction == NULL) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_commit: no transaction\n"));
+		return -1;
+	}
+
+	if (tdb->transaction->transaction_error) {
+		tdb->ecode = TDB_ERR_IO;
+		tdb_transaction_cancel(tdb);
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_commit: transaction error pending\n"));
+		return -1;
+	}
+
+
+	if (tdb->transaction->nesting != 0) {
+		tdb->transaction->nesting--;
+		return 0;
+	}		
+
+	/* check for a null transaction */
+	if (tdb->transaction->blocks == NULL) {
+		tdb_transaction_cancel(tdb);
+		return 0;
+	}
+
+	methods = tdb->transaction->io_methods;
+	
+	/* if there are any locks pending then the caller has not
+	   nested their locks properly, so fail the transaction */
+	if (tdb->num_locks || tdb->global_lock.count) {
+		tdb->ecode = TDB_ERR_LOCK;
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_commit: locks pending on commit\n"));
+		tdb_transaction_cancel(tdb);
+		return -1;
+	}
+
+	/* upgrade the main transaction lock region to a write lock */
+	if (tdb_brlock_upgrade(tdb, FREELIST_TOP, 0) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: failed to upgrade hash locks\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		tdb_transaction_cancel(tdb);
+		return -1;
+	}
+
+	/* get the global lock - this prevents new users attaching to the database
+	   during the commit */
+	if (tdb_brlock(tdb, GLOBAL_LOCK, F_WRLCK, F_SETLKW, 0, 1) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_commit: failed to get global lock\n"));
+		tdb->ecode = TDB_ERR_LOCK;
+		tdb_transaction_cancel(tdb);
+		return -1;
+	}
+
+	if (!(tdb->flags & TDB_NOSYNC)) {
+		/* write the recovery data to the end of the file */
+		if (transaction_setup_recovery(tdb, &magic_offset) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_commit: failed to setup recovery data\n"));
+			tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1);
+			tdb_transaction_cancel(tdb);
+			return -1;
+		}
+	}
+
+	/* expand the file to the new size if needed */
+	if (tdb->map_size != tdb->transaction->old_map_size) {
+		if (methods->tdb_expand_file(tdb, tdb->transaction->old_map_size, 
+					     tdb->map_size - 
+					     tdb->transaction->old_map_size) == -1) {
+			tdb->ecode = TDB_ERR_IO;
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_commit: expansion failed\n"));
+			tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1);
+			tdb_transaction_cancel(tdb);
+			return -1;
+		}
+		tdb->map_size = tdb->transaction->old_map_size;
+		methods->tdb_oob(tdb, tdb->map_size + 1, 1);
+	}
+
+	/* perform all the writes */
+	for (i=0;i<tdb->transaction->num_blocks;i++) {
+		tdb_off_t offset;
+		tdb_len_t length;
+
+		if (tdb->transaction->blocks[i] == NULL) {
+			continue;
+		}
+
+		offset = i * tdb->transaction->block_size;
+		length = tdb->transaction->block_size;
+		if (i == tdb->transaction->num_blocks-1) {
+			length = tdb->transaction->last_block_size;
+		}
+
+		if (methods->tdb_write(tdb, offset, tdb->transaction->blocks[i], length) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_commit: write failed during commit\n"));
+			
+			/* we've overwritten part of the data and
+			   possibly expanded the file, so we need to
+			   run the crash recovery code */
+			tdb->methods = methods;
+			tdb_transaction_recover(tdb); 
+
+			tdb_transaction_cancel(tdb);
+			tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1);
+
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_commit: write failed\n"));
+			return -1;
+		}
+		SAFE_FREE(tdb->transaction->blocks[i]);
+	} 
+
+	SAFE_FREE(tdb->transaction->blocks);
+	tdb->transaction->num_blocks = 0;
+
+	if (!(tdb->flags & TDB_NOSYNC)) {
+		/* ensure the new data is on disk */
+		if (transaction_sync(tdb, 0, tdb->map_size) == -1) {
+			return -1;
+		}
+
+		/* remove the recovery marker */
+		if (methods->tdb_write(tdb, magic_offset, &zero, 4) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_commit: failed to remove recovery magic\n"));
+			return -1;
+		}
+
+		/* ensure the recovery marker has been removed on disk */
+		if (transaction_sync(tdb, magic_offset, 4) == -1) {
+			return -1;
+		}
+	}
+
+	tdb_brlock(tdb, GLOBAL_LOCK, F_UNLCK, F_SETLKW, 0, 1);
+
+	/*
+	  TODO: maybe write to some dummy hdr field, or write to magic
+	  offset without mmap, before the last sync, instead of the
+	  utime() call
+	*/
+
+	/* on some systems (like Linux 2.6.x) changes via mmap/msync
+	   don't change the mtime of the file, this means the file may
+	   not be backed up (as tdb rounding to block sizes means that
+	   file size changes are quite rare too). The following forces
+	   mtime changes when a transaction completes */
+#ifdef HAVE_UTIME
+	utime(tdb->name, NULL);
+#endif
+
+	/* use a transaction cancel to free memory and remove the
+	   transaction locks */
+	tdb_transaction_cancel(tdb);
+
+	return 0;
+}
+
+
+/*
+  recover from an aborted transaction. Must be called with exclusive
+  database write access already established (including the global
+  lock to prevent new processes attaching)
+*/
+int tdb_transaction_recover(struct tdb_context *tdb)
+{
+	tdb_off_t recovery_head, recovery_eof;
+	unsigned char *data, *p;
+	uint32_t zero = 0;
+	struct list_struct rec;
+
+	/* find the recovery area */
+	if (tdb_ofs_read(tdb, TDB_RECOVERY_HEAD, &recovery_head) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to read recovery head\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	if (recovery_head == 0) {
+		/* we have never allocated a recovery record */
+		return 0;
+	}
+
+	/* read the recovery record */
+	if (tdb->methods->tdb_read(tdb, recovery_head, &rec, 
+				   sizeof(rec), DOCONV()) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to read recovery record\n"));		
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	if (rec.magic != TDB_RECOVERY_MAGIC) {
+		/* there is no valid recovery data */
+		return 0;
+	}
+
+	if (tdb->read_only) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: attempt to recover read only database\n"));
+		tdb->ecode = TDB_ERR_CORRUPT;
+		return -1;
+	}
+
+	recovery_eof = rec.key_len;
+
+	data = (unsigned char *)malloc(rec.data_len);
+	if (data == NULL) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to allocate recovery data\n"));		
+		tdb->ecode = TDB_ERR_OOM;
+		return -1;
+	}
+
+	/* read the full recovery data */
+	if (tdb->methods->tdb_read(tdb, recovery_head + sizeof(rec), data,
+				   rec.data_len, 0) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to read recovery data\n"));		
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	/* recover the file data */
+	p = data;
+	while (p+8 < data + rec.data_len) {
+		uint32_t ofs, len;
+		if (DOCONV()) {
+			tdb_convert(p, 8);
+		}
+		memcpy(&ofs, p, 4);
+		memcpy(&len, p+4, 4);
+
+		if (tdb->methods->tdb_write(tdb, ofs, p+8, len) == -1) {
+			free(data);
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to recover %d bytes at offset %d\n", len, ofs));
+			tdb->ecode = TDB_ERR_IO;
+			return -1;
+		}
+		p += 8 + len;
+	}
+
+	free(data);
+
+	if (transaction_sync(tdb, 0, tdb->map_size) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to sync recovery\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	/* if the recovery area is after the recovered eof then remove it */
+	if (recovery_eof <= recovery_head) {
+		if (tdb_ofs_write(tdb, TDB_RECOVERY_HEAD, &zero) == -1) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to remove recovery head\n"));
+			tdb->ecode = TDB_ERR_IO;
+			return -1;			
+		}
+	}
+
+	/* remove the recovery magic */
+	if (tdb_ofs_write(tdb, recovery_head + offsetof(struct list_struct, magic), 
+			  &zero) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to remove recovery magic\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;			
+	}
+	
+	/* reduce the file size to the old size */
+	tdb_munmap(tdb);
+	if (ftruncate(tdb->fd, recovery_eof) != 0) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to reduce to recovery size\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;			
+	}
+	tdb->map_size = recovery_eof;
+	tdb_mmap(tdb);
+
+	if (transaction_sync(tdb, 0, recovery_eof) == -1) {
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_transaction_recover: failed to sync2 recovery\n"));
+		tdb->ecode = TDB_ERR_IO;
+		return -1;
+	}
+
+	TDB_LOG((tdb, TDB_DEBUG_TRACE, "tdb_transaction_recover: recovered %d byte database\n", 
+		 recovery_eof));
+
+	/* all done */
+	return 0;
+}
diff --git a/source3/lib/tdb/common/traverse.c b/source3/lib/tdb/common/traverse.c
new file mode 100644
index 0000000000..69c81e6e98
--- /dev/null
+++ b/source3/lib/tdb/common/traverse.c
@@ -0,0 +1,348 @@
+ /* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell              1999-2005
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000-2003
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "tdb_private.h"
+
+/* Uses traverse lock: 0 = finish, -1 = error, other = record offset */
+static int tdb_next_lock(struct tdb_context *tdb, struct tdb_traverse_lock *tlock,
+			 struct list_struct *rec)
+{
+	int want_next = (tlock->off != 0);
+
+	/* Lock each chain from the start one. */
+	for (; tlock->hash < tdb->header.hash_size; tlock->hash++) {
+		if (!tlock->off && tlock->hash != 0) {
+			/* this is an optimisation for the common case where
+			   the hash chain is empty, which is particularly
+			   common for the use of tdb with ldb, where large
+			   hashes are used. In that case we spend most of our
+			   time in tdb_brlock(), locking empty hash chains.
+			   
+			   To avoid this, we do an unlocked pre-check to see
+			   if the hash chain is empty before starting to look
+			   inside it. If it is empty then we can avoid that
+			   hash chain. If it isn't empty then we can't believe
+			   the value we get back, as we read it without a
+			   lock, so instead we get the lock and re-fetch the
+			   value below.
+			   
+			   Notice that not doing this optimisation on the
+			   first hash chain is critical. We must guarantee
+			   that we have done at least one fcntl lock at the
+			   start of a search to guarantee that memory is
+			   coherent on SMP systems. If records are added by
+			   others during the search then thats OK, and we
+			   could possibly miss those with this trick, but we
+			   could miss them anyway without this trick, so the
+			   semantics don't change.
+			   
+			   With a non-indexed ldb search this trick gains us a
+			   factor of around 80 in speed on a linux 2.6.x
+			   system (testing using ldbtest).
+			*/
+			tdb->methods->next_hash_chain(tdb, &tlock->hash);
+			if (tlock->hash == tdb->header.hash_size) {
+				continue;
+			}
+		}
+
+		if (tdb_lock(tdb, tlock->hash, tlock->lock_rw) == -1)
+			return -1;
+
+		/* No previous record?  Start at top of chain. */
+		if (!tlock->off) {
+			if (tdb_ofs_read(tdb, TDB_HASH_TOP(tlock->hash),
+				     &tlock->off) == -1)
+				goto fail;
+		} else {
+			/* Otherwise unlock the previous record. */
+			if (tdb_unlock_record(tdb, tlock->off) != 0)
+				goto fail;
+		}
+
+		if (want_next) {
+			/* We have offset of old record: grab next */
+			if (tdb_rec_read(tdb, tlock->off, rec) == -1)
+				goto fail;
+			tlock->off = rec->next;
+		}
+
+		/* Iterate through chain */
+		while( tlock->off) {
+			tdb_off_t current;
+			if (tdb_rec_read(tdb, tlock->off, rec) == -1)
+				goto fail;
+
+			/* Detect infinite loops. From "Shlomi Yaakobovich" <Shlomi@exanet.com>. */
+			if (tlock->off == rec->next) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_next_lock: loop detected.\n"));
+				goto fail;
+			}
+
+			if (!TDB_DEAD(rec)) {
+				/* Woohoo: we found one! */
+				if (tdb_lock_record(tdb, tlock->off) != 0)
+					goto fail;
+				return tlock->off;
+			}
+
+			/* Try to clean dead ones from old traverses */
+			current = tlock->off;
+			tlock->off = rec->next;
+			if (!(tdb->read_only || tdb->traverse_read) && 
+			    tdb_do_delete(tdb, current, rec) != 0)
+				goto fail;
+		}
+		tdb_unlock(tdb, tlock->hash, tlock->lock_rw);
+		want_next = 0;
+	}
+	/* We finished iteration without finding anything */
+	return TDB_ERRCODE(TDB_SUCCESS, 0);
+
+ fail:
+	tlock->off = 0;
+	if (tdb_unlock(tdb, tlock->hash, tlock->lock_rw) != 0)
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_next_lock: On error unlock failed!\n"));
+	return -1;
+}
+
+/* traverse the entire database - calling fn(tdb, key, data) on each element.
+   return -1 on error or the record count traversed
+   if fn is NULL then it is not called
+   a non-zero return value from fn() indicates that the traversal should stop
+  */
+static int tdb_traverse_internal(struct tdb_context *tdb, 
+				 tdb_traverse_func fn, void *private_data,
+				 struct tdb_traverse_lock *tl)
+{
+	TDB_DATA key, dbuf;
+	struct list_struct rec;
+	int ret, count = 0;
+
+	/* This was in the initializaton, above, but the IRIX compiler
+	 * did not like it.  crh
+	 */
+	tl->next = tdb->travlocks.next;
+
+	/* fcntl locks don't stack: beware traverse inside traverse */
+	tdb->travlocks.next = tl;
+
+	/* tdb_next_lock places locks on the record returned, and its chain */
+	while ((ret = tdb_next_lock(tdb, tl, &rec)) > 0) {
+		count++;
+		/* now read the full record */
+		key.dptr = tdb_alloc_read(tdb, tl->off + sizeof(rec), 
+					  rec.key_len + rec.data_len);
+		if (!key.dptr) {
+			ret = -1;
+			if (tdb_unlock(tdb, tl->hash, tl->lock_rw) != 0)
+				goto out;
+			if (tdb_unlock_record(tdb, tl->off) != 0)
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_traverse: key.dptr == NULL and unlock_record failed!\n"));
+			goto out;
+		}
+		key.dsize = rec.key_len;
+		dbuf.dptr = key.dptr + rec.key_len;
+		dbuf.dsize = rec.data_len;
+
+		/* Drop chain lock, call out */
+		if (tdb_unlock(tdb, tl->hash, tl->lock_rw) != 0) {
+			ret = -1;
+			SAFE_FREE(key.dptr);
+			goto out;
+		}
+		if (fn && fn(tdb, key, dbuf, private_data)) {
+			/* They want us to terminate traversal */
+			ret = count;
+			if (tdb_unlock_record(tdb, tl->off) != 0) {
+				TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_traverse: unlock_record failed!\n"));;
+				ret = -1;
+			}
+			SAFE_FREE(key.dptr);
+			goto out;
+		}
+		SAFE_FREE(key.dptr);
+	}
+out:
+	tdb->travlocks.next = tl->next;
+	if (ret < 0)
+		return -1;
+	else
+		return count;
+}
+
+
+/*
+  a write style traverse - temporarily marks the db read only
+*/
+int tdb_traverse_read(struct tdb_context *tdb, 
+		      tdb_traverse_func fn, void *private_data)
+{
+	struct tdb_traverse_lock tl = { NULL, 0, 0, F_RDLCK };
+	int ret;
+	bool in_transaction = (tdb->transaction != NULL);
+
+	/* we need to get a read lock on the transaction lock here to
+	   cope with the lock ordering semantics of solaris10 */
+	if (!in_transaction) {
+		if (tdb_transaction_lock(tdb, F_RDLCK)) {
+			return -1;
+		}
+	}
+
+	tdb->traverse_read++;
+	ret = tdb_traverse_internal(tdb, fn, private_data, &tl);
+	tdb->traverse_read--;
+
+	if (!in_transaction) {
+		tdb_transaction_unlock(tdb);
+	}
+
+	return ret;
+}
+
+/*
+  a write style traverse - needs to get the transaction lock to
+  prevent deadlocks
+
+  WARNING: The data buffer given to the callback fn does NOT meet the
+  alignment restrictions malloc gives you.
+*/
+int tdb_traverse(struct tdb_context *tdb, 
+		 tdb_traverse_func fn, void *private_data)
+{
+	struct tdb_traverse_lock tl = { NULL, 0, 0, F_WRLCK };
+	int ret;
+	bool in_transaction = (tdb->transaction != NULL);
+
+	if (tdb->read_only || tdb->traverse_read) {
+		return tdb_traverse_read(tdb, fn, private_data);
+	}
+	
+	if (!in_transaction) {
+		if (tdb_transaction_lock(tdb, F_WRLCK)) {
+			return -1;
+		}
+	}
+
+	tdb->traverse_write++;
+	ret = tdb_traverse_internal(tdb, fn, private_data, &tl);
+	tdb->traverse_write--;
+
+	if (!in_transaction) {
+		tdb_transaction_unlock(tdb);
+	}
+
+	return ret;
+}
+
+
+/* find the first entry in the database and return its key */
+TDB_DATA tdb_firstkey(struct tdb_context *tdb)
+{
+	TDB_DATA key;
+	struct list_struct rec;
+
+	/* release any old lock */
+	if (tdb_unlock_record(tdb, tdb->travlocks.off) != 0)
+		return tdb_null;
+	tdb->travlocks.off = tdb->travlocks.hash = 0;
+	tdb->travlocks.lock_rw = F_RDLCK;
+
+	/* Grab first record: locks chain and returned record. */
+	if (tdb_next_lock(tdb, &tdb->travlocks, &rec) <= 0)
+		return tdb_null;
+	/* now read the key */
+	key.dsize = rec.key_len;
+	key.dptr =tdb_alloc_read(tdb,tdb->travlocks.off+sizeof(rec),key.dsize);
+
+	/* Unlock the hash chain of the record we just read. */
+	if (tdb_unlock(tdb, tdb->travlocks.hash, tdb->travlocks.lock_rw) != 0)
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_firstkey: error occurred while tdb_unlocking!\n"));
+	return key;
+}
+
+/* find the next entry in the database, returning its key */
+TDB_DATA tdb_nextkey(struct tdb_context *tdb, TDB_DATA oldkey)
+{
+	uint32_t oldhash;
+	TDB_DATA key = tdb_null;
+	struct list_struct rec;
+	unsigned char *k = NULL;
+
+	/* Is locked key the old key?  If so, traverse will be reliable. */
+	if (tdb->travlocks.off) {
+		if (tdb_lock(tdb,tdb->travlocks.hash,tdb->travlocks.lock_rw))
+			return tdb_null;
+		if (tdb_rec_read(tdb, tdb->travlocks.off, &rec) == -1
+		    || !(k = tdb_alloc_read(tdb,tdb->travlocks.off+sizeof(rec),
+					    rec.key_len))
+		    || memcmp(k, oldkey.dptr, oldkey.dsize) != 0) {
+			/* No, it wasn't: unlock it and start from scratch */
+			if (tdb_unlock_record(tdb, tdb->travlocks.off) != 0) {
+				SAFE_FREE(k);
+				return tdb_null;
+			}
+			if (tdb_unlock(tdb, tdb->travlocks.hash, tdb->travlocks.lock_rw) != 0) {
+				SAFE_FREE(k);
+				return tdb_null;
+			}
+			tdb->travlocks.off = 0;
+		}
+
+		SAFE_FREE(k);
+	}
+
+	if (!tdb->travlocks.off) {
+		/* No previous element: do normal find, and lock record */
+		tdb->travlocks.off = tdb_find_lock_hash(tdb, oldkey, tdb->hash_fn(&oldkey), tdb->travlocks.lock_rw, &rec);
+		if (!tdb->travlocks.off)
+			return tdb_null;
+		tdb->travlocks.hash = BUCKET(rec.full_hash);
+		if (tdb_lock_record(tdb, tdb->travlocks.off) != 0) {
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_nextkey: lock_record failed (%s)!\n", strerror(errno)));
+			return tdb_null;
+		}
+	}
+	oldhash = tdb->travlocks.hash;
+
+	/* Grab next record: locks chain and returned record,
+	   unlocks old record */
+	if (tdb_next_lock(tdb, &tdb->travlocks, &rec) > 0) {
+		key.dsize = rec.key_len;
+		key.dptr = tdb_alloc_read(tdb, tdb->travlocks.off+sizeof(rec),
+					  key.dsize);
+		/* Unlock the chain of this new record */
+		if (tdb_unlock(tdb, tdb->travlocks.hash, tdb->travlocks.lock_rw) != 0)
+			TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_nextkey: WARNING tdb_unlock failed!\n"));
+	}
+	/* Unlock the chain of old record */
+	if (tdb_unlock(tdb, BUCKET(oldhash), tdb->travlocks.lock_rw) != 0)
+		TDB_LOG((tdb, TDB_DEBUG_FATAL, "tdb_nextkey: WARNING tdb_unlock failed!\n"));
+	return key;
+}
+
diff --git a/source3/lib/tdb/config.guess b/source3/lib/tdb/config.guess
new file mode 100755
index 0000000000..354dbe175a
--- /dev/null
+++ b/source3/lib/tdb/config.guess
@@ -0,0 +1,1464 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-08-03'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub.  If it succeeds, it prints the system name on stdout, and
+# exits with 0.  Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help" >&2
+       exit 1 ;;
+    * )
+       break ;;
+  esac
+done
+
+if test $# != 0; then
+  echo "$me: too many arguments$help" >&2
+  exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,)    echo "int x;" > $dummy.c ;
+	for c in cc gcc c89 c99 ; do
+	  if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+	     CC_FOR_BUILD="$c"; break ;
+	  fi ;
+	done ;
+	if test x"$CC_FOR_BUILD" = x ; then
+	  CC_FOR_BUILD=no_compiler_found ;
+	fi
+	;;
+ ,,*)   CC_FOR_BUILD=$CC ;;
+ ,*,*)  CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+	PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null`  || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+    *:NetBSD:*:*)
+	# NetBSD (nbsd) targets should (where applicable) match one or
+	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
+	# switched to ELF, *-*-netbsd* would select the old
+	# object file format.  This provides both forward
+	# compatibility and a consistent mechanism for selecting the
+	# object file format.
+	#
+	# Note: NetBSD doesn't particularly care about the vendor
+	# portion of the name.  We always set it to "unknown".
+	sysctl="sysctl -n hw.machine_arch"
+	UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+	    /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+	case "${UNAME_MACHINE_ARCH}" in
+	    armeb) machine=armeb-unknown ;;
+	    arm*) machine=arm-unknown ;;
+	    sh3el) machine=shl-unknown ;;
+	    sh3eb) machine=sh-unknown ;;
+	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+	esac
+	# The Operating System including object format, if it has switched
+	# to ELF recently, or will in the future.
+	case "${UNAME_MACHINE_ARCH}" in
+	    arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+		eval $set_cc_for_build
+		if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+			| grep __ELF__ >/dev/null
+		then
+		    # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+		    # Return netbsd for either.  FIX?
+		    os=netbsd
+		else
+		    os=netbsdelf
+		fi
+		;;
+	    *)
+	        os=netbsd
+		;;
+	esac
+	# The OS release
+	# Debian GNU/NetBSD machines have a different userland, and
+	# thus, need a distinct triplet. However, they do not need
+	# kernel version information, so it can be replaced with a
+	# suitable tag, in the style of linux-gnu.
+	case "${UNAME_VERSION}" in
+	    Debian*)
+		release='-gnu'
+		;;
+	    *)
+		release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+		;;
+	esac
+	# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+	# contains redundant information, the shorter form:
+	# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+	echo "${machine}-${os}${release}"
+	exit ;;
+    *:OpenBSD:*:*)
+	UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+	echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+	exit ;;
+    *:ekkoBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+	exit ;;
+    macppc:MirBSD:*:*)
+	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    *:MirBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+	exit ;;
+    alpha:OSF1:*:*)
+	case $UNAME_RELEASE in
+	*4.0)
+		UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+		;;
+	*5.*)
+	        UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+		;;
+	esac
+	# According to Compaq, /usr/sbin/psrinfo has been available on
+	# OSF/1 and Tru64 systems produced since 1995.  I hope that
+	# covers most systems running today.  This code pipes the CPU
+	# types through head -n 1, so we only detect the type of CPU 0.
+	ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^  The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+	case "$ALPHA_CPU_TYPE" in
+	    "EV4 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV4.5 (21064)")
+		UNAME_MACHINE="alpha" ;;
+	    "LCA4 (21066/21068)")
+		UNAME_MACHINE="alpha" ;;
+	    "EV5 (21164)")
+		UNAME_MACHINE="alphaev5" ;;
+	    "EV5.6 (21164A)")
+		UNAME_MACHINE="alphaev56" ;;
+	    "EV5.6 (21164PC)")
+		UNAME_MACHINE="alphapca56" ;;
+	    "EV5.7 (21164PC)")
+		UNAME_MACHINE="alphapca57" ;;
+	    "EV6 (21264)")
+		UNAME_MACHINE="alphaev6" ;;
+	    "EV6.7 (21264A)")
+		UNAME_MACHINE="alphaev67" ;;
+	    "EV6.8CB (21264C)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8AL (21264B)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.8CX (21264D)")
+		UNAME_MACHINE="alphaev68" ;;
+	    "EV6.9A (21264/EV69A)")
+		UNAME_MACHINE="alphaev69" ;;
+	    "EV7 (21364)")
+		UNAME_MACHINE="alphaev7" ;;
+	    "EV7.9 (21364A)")
+		UNAME_MACHINE="alphaev79" ;;
+	esac
+	# A Pn.n version is a patched version.
+	# A Vn.n version is a released version.
+	# A Tn.n version is a released field test version.
+	# A Xn.n version is an unreleased experimental baselevel.
+	# 1.2 uses "1.2" for uname -r.
+	echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+	exit ;;
+    Alpha\ *:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# Should we change UNAME_MACHINE based on the output of uname instead
+	# of the specific Alpha model?
+	echo alpha-pc-interix
+	exit ;;
+    21064:Windows_NT:50:3)
+	echo alpha-dec-winnt3.5
+	exit ;;
+    Amiga*:UNIX_System_V:4.0:*)
+	echo m68k-unknown-sysv4
+	exit ;;
+    *:[Aa]miga[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-amigaos
+	exit ;;
+    *:[Mm]orph[Oo][Ss]:*:*)
+	echo ${UNAME_MACHINE}-unknown-morphos
+	exit ;;
+    *:OS/390:*:*)
+	echo i370-ibm-openedition
+	exit ;;
+    *:z/VM:*:*)
+	echo s390-ibm-zvmoe
+	exit ;;
+    *:OS400:*:*)
+        echo powerpc-ibm-os400
+	exit ;;
+    arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+	echo arm-acorn-riscix${UNAME_RELEASE}
+	exit ;;
+    arm:riscos:*:*|arm:RISCOS:*:*)
+	echo arm-unknown-riscos
+	exit ;;
+    SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+	echo hppa1.1-hitachi-hiuxmpp
+	exit ;;
+    Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+	# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+	if test "`(/bin/universe) 2>/dev/null`" = att ; then
+		echo pyramid-pyramid-sysv3
+	else
+		echo pyramid-pyramid-bsd
+	fi
+	exit ;;
+    NILE*:*:*:dcosx)
+	echo pyramid-pyramid-svr4
+	exit ;;
+    DRS?6000:unix:4.0:6*)
+	echo sparc-icl-nx6
+	exit ;;
+    DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+	case `/usr/bin/uname -p` in
+	    sparc) echo sparc-icl-nx7; exit ;;
+	esac ;;
+    sun4H:SunOS:5.*:*)
+	echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+	echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    i86pc:SunOS:5.*:*)
+	echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:6*:*)
+	# According to config.sub, this is the proper way to canonicalize
+	# SunOS6.  Hard to guess exactly what SunOS6 will be like, but
+	# it's likely to be more like Solaris than SunOS4.
+	echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    sun4*:SunOS:*:*)
+	case "`/usr/bin/arch -k`" in
+	    Series*|S4*)
+		UNAME_RELEASE=`uname -v`
+		;;
+	esac
+	# Japanese Language versions have a version number like `4.1.3-JL'.
+	echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+	exit ;;
+    sun3*:SunOS:*:*)
+	echo m68k-sun-sunos${UNAME_RELEASE}
+	exit ;;
+    sun*:*:4.2BSD:*)
+	UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+	test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+	case "`/bin/arch`" in
+	    sun3)
+		echo m68k-sun-sunos${UNAME_RELEASE}
+		;;
+	    sun4)
+		echo sparc-sun-sunos${UNAME_RELEASE}
+		;;
+	esac
+	exit ;;
+    aushp:SunOS:*:*)
+	echo sparc-auspex-sunos${UNAME_RELEASE}
+	exit ;;
+    # The situation for MiNT is a little confusing.  The machine name
+    # can be virtually everything (everything which is not
+    # "atarist" or "atariste" at least should have a processor
+    # > m68000).  The system name ranges from "MiNT" over "FreeMiNT"
+    # to the lowercase version "mint" (or "freemint").  Finally
+    # the system name "TOS" denotes a system which is actually not
+    # MiNT.  But MiNT is downward compatible to TOS, so this should
+    # be no problem.
+    atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+	echo m68k-atari-mint${UNAME_RELEASE}
+        exit ;;
+    *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+        echo m68k-atari-mint${UNAME_RELEASE}
+	exit ;;
+    milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+        echo m68k-milan-mint${UNAME_RELEASE}
+        exit ;;
+    hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+        echo m68k-hades-mint${UNAME_RELEASE}
+        exit ;;
+    *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+        echo m68k-unknown-mint${UNAME_RELEASE}
+        exit ;;
+    m68k:machten:*:*)
+	echo m68k-apple-machten${UNAME_RELEASE}
+	exit ;;
+    powerpc:machten:*:*)
+	echo powerpc-apple-machten${UNAME_RELEASE}
+	exit ;;
+    RISC*:Mach:*:*)
+	echo mips-dec-mach_bsd4.3
+	exit ;;
+    RISC*:ULTRIX:*:*)
+	echo mips-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    VAX*:ULTRIX*:*:*)
+	echo vax-dec-ultrix${UNAME_RELEASE}
+	exit ;;
+    2020:CLIX:*:* | 2430:CLIX:*:*)
+	echo clipper-intergraph-clix${UNAME_RELEASE}
+	exit ;;
+    mips:*:*:UMIPS | mips:*:*:RISCos)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h>  /* for printf() prototype */
+	int main (int argc, char *argv[]) {
+#else
+	int main (argc, argv) int argc; char *argv[]; {
+#endif
+	#if defined (host_mips) && defined (MIPSEB)
+	#if defined (SYSTYPE_SYSV)
+	  printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_SVR4)
+	  printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+	#endif
+	#if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+	  printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+	#endif
+	#endif
+	  exit (-1);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c &&
+	  dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+	  SYSTEM_NAME=`$dummy $dummyarg` &&
+	    { echo "$SYSTEM_NAME"; exit; }
+	echo mips-mips-riscos${UNAME_RELEASE}
+	exit ;;
+    Motorola:PowerMAX_OS:*:*)
+	echo powerpc-motorola-powermax
+	exit ;;
+    Motorola:*:4.3:PL8-*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+	echo powerpc-harris-powermax
+	exit ;;
+    Night_Hawk:Power_UNIX:*:*)
+	echo powerpc-harris-powerunix
+	exit ;;
+    m88k:CX/UX:7*:*)
+	echo m88k-harris-cxux7
+	exit ;;
+    m88k:*:4*:R4*)
+	echo m88k-motorola-sysv4
+	exit ;;
+    m88k:*:3*:R3*)
+	echo m88k-motorola-sysv3
+	exit ;;
+    AViiON:dgux:*:*)
+        # DG/UX returns AViiON for all architectures
+        UNAME_PROCESSOR=`/usr/bin/uname -p`
+	if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+	then
+	    if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+	       [ ${TARGET_BINARY_INTERFACE}x = x ]
+	    then
+		echo m88k-dg-dgux${UNAME_RELEASE}
+	    else
+		echo m88k-dg-dguxbcs${UNAME_RELEASE}
+	    fi
+	else
+	    echo i586-dg-dgux${UNAME_RELEASE}
+	fi
+ 	exit ;;
+    M88*:DolphinOS:*:*)	# DolphinOS (SVR3)
+	echo m88k-dolphin-sysv3
+	exit ;;
+    M88*:*:R3*:*)
+	# Delta 88k system running SVR3
+	echo m88k-motorola-sysv3
+	exit ;;
+    XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+	echo m88k-tektronix-sysv3
+	exit ;;
+    Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+	echo m68k-tektronix-bsd
+	exit ;;
+    *:IRIX*:*:*)
+	echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+	exit ;;
+    ????????:AIX?:[12].1:2)   # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+	echo romp-ibm-aix     # uname -m gives an 8 hex-code CPU id
+	exit ;;               # Note that: echo "'`uname -s`'" gives 'AIX '
+    i*86:AIX:*:*)
+	echo i386-ibm-aix
+	exit ;;
+    ia64:AIX:*:*)
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:2:3)
+	if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+		eval $set_cc_for_build
+		sed 's/^		//' << EOF >$dummy.c
+		#include <sys/systemcfg.h>
+
+		main()
+			{
+			if (!__power_pc())
+				exit(1);
+			puts("powerpc-ibm-aix3.2.5");
+			exit(0);
+			}
+EOF
+		if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+		then
+			echo "$SYSTEM_NAME"
+		else
+			echo rs6000-ibm-aix3.2.5
+		fi
+	elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+		echo rs6000-ibm-aix3.2.4
+	else
+		echo rs6000-ibm-aix3.2
+	fi
+	exit ;;
+    *:AIX:*:[45])
+	IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+	if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+		IBM_ARCH=rs6000
+	else
+		IBM_ARCH=powerpc
+	fi
+	if [ -x /usr/bin/oslevel ] ; then
+		IBM_REV=`/usr/bin/oslevel`
+	else
+		IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+	fi
+	echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+	exit ;;
+    *:AIX:*:*)
+	echo rs6000-ibm-aix
+	exit ;;
+    ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+	echo romp-ibm-bsd4.4
+	exit ;;
+    ibmrt:*BSD:*|romp-ibm:BSD:*)            # covers RT/PC BSD and
+	echo romp-ibm-bsd${UNAME_RELEASE}   # 4.3 with uname added to
+	exit ;;                             # report: romp-ibm BSD 4.3
+    *:BOSX:*:*)
+	echo rs6000-bull-bosx
+	exit ;;
+    DPX/2?00:B.O.S.:*:*)
+	echo m68k-bull-sysv3
+	exit ;;
+    9000/[34]??:4.3bsd:1.*:*)
+	echo m68k-hp-bsd
+	exit ;;
+    hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+	echo m68k-hp-bsd4.4
+	exit ;;
+    9000/[34678]??:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	case "${UNAME_MACHINE}" in
+	    9000/31? )            HP_ARCH=m68000 ;;
+	    9000/[34]?? )         HP_ARCH=m68k ;;
+	    9000/[678][0-9][0-9])
+		if [ -x /usr/bin/getconf ]; then
+		    sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+                    sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+                    case "${sc_cpu_version}" in
+                      523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+                      528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+                      532)                      # CPU_PA_RISC2_0
+                        case "${sc_kernel_bits}" in
+                          32) HP_ARCH="hppa2.0n" ;;
+                          64) HP_ARCH="hppa2.0w" ;;
+			  '') HP_ARCH="hppa2.0" ;;   # HP-UX 10.20
+                        esac ;;
+                    esac
+		fi
+		if [ "${HP_ARCH}" = "" ]; then
+		    eval $set_cc_for_build
+		    sed 's/^              //' << EOF >$dummy.c
+
+              #define _HPUX_SOURCE
+              #include <stdlib.h>
+              #include <unistd.h>
+
+              int main ()
+              {
+              #if defined(_SC_KERNEL_BITS)
+                  long bits = sysconf(_SC_KERNEL_BITS);
+              #endif
+                  long cpu  = sysconf (_SC_CPU_VERSION);
+
+                  switch (cpu)
+              	{
+              	case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+              	case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+              	case CPU_PA_RISC2_0:
+              #if defined(_SC_KERNEL_BITS)
+              	    switch (bits)
+              		{
+              		case 64: puts ("hppa2.0w"); break;
+              		case 32: puts ("hppa2.0n"); break;
+              		default: puts ("hppa2.0"); break;
+              		} break;
+              #else  /* !defined(_SC_KERNEL_BITS) */
+              	    puts ("hppa2.0"); break;
+              #endif
+              	default: puts ("hppa1.0"); break;
+              	}
+                  exit (0);
+              }
+EOF
+		    (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+		    test -z "$HP_ARCH" && HP_ARCH=hppa
+		fi ;;
+	esac
+	if [ ${HP_ARCH} = "hppa2.0w" ]
+	then
+	    eval $set_cc_for_build
+
+	    # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+	    # 32-bit code.  hppa64-hp-hpux* has the same kernel and a compiler
+	    # generating 64-bit code.  GNU and HP use different nomenclature:
+	    #
+	    # $ CC_FOR_BUILD=cc ./config.guess
+	    # => hppa2.0w-hp-hpux11.23
+	    # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+	    # => hppa64-hp-hpux11.23
+
+	    if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+		grep __LP64__ >/dev/null
+	    then
+		HP_ARCH="hppa2.0w"
+	    else
+		HP_ARCH="hppa64"
+	    fi
+	fi
+	echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+	exit ;;
+    ia64:HP-UX:*:*)
+	HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+	echo ia64-hp-hpux${HPUX_REV}
+	exit ;;
+    3050*:HI-UX:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <unistd.h>
+	int
+	main ()
+	{
+	  long cpu = sysconf (_SC_CPU_VERSION);
+	  /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+	     true for CPU_PA_RISC1_0.  CPU_IS_PA_RISC returns correct
+	     results, however.  */
+	  if (CPU_IS_PA_RISC (cpu))
+	    {
+	      switch (cpu)
+		{
+		  case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+		  case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+		  default: puts ("hppa-hitachi-hiuxwe2"); break;
+		}
+	    }
+	  else if (CPU_IS_HP_MC68K (cpu))
+	    puts ("m68k-hitachi-hiuxwe2");
+	  else puts ("unknown-hitachi-hiuxwe2");
+	  exit (0);
+	}
+EOF
+	$CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+		{ echo "$SYSTEM_NAME"; exit; }
+	echo unknown-hitachi-hiuxwe2
+	exit ;;
+    9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+	echo hppa1.1-hp-bsd
+	exit ;;
+    9000/8??:4.3bsd:*:*)
+	echo hppa1.0-hp-bsd
+	exit ;;
+    *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+	echo hppa1.0-hp-mpeix
+	exit ;;
+    hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+	echo hppa1.1-hp-osf
+	exit ;;
+    hp8??:OSF1:*:*)
+	echo hppa1.0-hp-osf
+	exit ;;
+    i*86:OSF1:*:*)
+	if [ -x /usr/sbin/sysversion ] ; then
+	    echo ${UNAME_MACHINE}-unknown-osf1mk
+	else
+	    echo ${UNAME_MACHINE}-unknown-osf1
+	fi
+	exit ;;
+    parisc*:Lites*:*:*)
+	echo hppa1.1-hp-lites
+	exit ;;
+    C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+	echo c1-convex-bsd
+        exit ;;
+    C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+        exit ;;
+    C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+	echo c34-convex-bsd
+        exit ;;
+    C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+	echo c38-convex-bsd
+        exit ;;
+    C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+	echo c4-convex-bsd
+        exit ;;
+    CRAY*Y-MP:*:*:*)
+	echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*[A-Z]90:*:*:*)
+	echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+	| sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+	      -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+	      -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*TS:*:*:*)
+	echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*T3E:*:*:*)
+	echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    CRAY*SV1:*:*:*)
+	echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    *:UNICOS/mp:*:*)
+	echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+	exit ;;
+    F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+	FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+        echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+        exit ;;
+    5000:UNIX_System_V:4.*:*)
+        FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+        FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+        echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+	exit ;;
+    i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+	echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+	exit ;;
+    sparc*:BSD/OS:*:*)
+	echo sparc-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:BSD/OS:*:*)
+	echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+	exit ;;
+    *:FreeBSD:*:*)
+	echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    i*:CYGWIN*:*)
+	echo ${UNAME_MACHINE}-pc-cygwin
+	exit ;;
+    i*:MINGW*:*)
+	echo ${UNAME_MACHINE}-pc-mingw32
+	exit ;;
+    i*:windows32*:*)
+    	# uname -m includes "-pc" on this system.
+    	echo ${UNAME_MACHINE}-mingw32
+	exit ;;
+    i*:PW*:*)
+	echo ${UNAME_MACHINE}-pc-pw32
+	exit ;;
+    x86:Interix*:[34]*)
+	echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+	exit ;;
+    [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+	echo i${UNAME_MACHINE}-pc-mks
+	exit ;;
+    i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+	# How do we know it's Interix rather than the generic POSIX subsystem?
+	# It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+	# UNAME_MACHINE based on the output of uname instead of i386?
+	echo i586-pc-interix
+	exit ;;
+    i*:UWIN*:*)
+	echo ${UNAME_MACHINE}-pc-uwin
+	exit ;;
+    amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+	echo x86_64-unknown-cygwin
+	exit ;;
+    p*:CYGWIN*:*)
+	echo powerpcle-unknown-cygwin
+	exit ;;
+    prep*:SunOS:5.*:*)
+	echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+	exit ;;
+    *:GNU:*:*)
+	# the GNU system
+	echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+	exit ;;
+    *:GNU/*:*:*)
+	# other systems with GNU libc and userland
+	echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+	exit ;;
+    i*86:Minix:*:*)
+	echo ${UNAME_MACHINE}-pc-minix
+	exit ;;
+    arm*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    cris:Linux:*:*)
+	echo cris-axis-linux-gnu
+	exit ;;
+    crisv32:Linux:*:*)
+	echo crisv32-axis-linux-gnu
+	exit ;;
+    frv:Linux:*:*)
+    	echo frv-unknown-linux-gnu
+	exit ;;
+    ia64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m32r*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    m68*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    mips:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips
+	#undef mipsel
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mipsel
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    mips64:Linux:*:*)
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#undef CPU
+	#undef mips64
+	#undef mips64el
+	#if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+	CPU=mips64el
+	#else
+	#if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+	CPU=mips64
+	#else
+	CPU=
+	#endif
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+	test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; }
+	;;
+    or32:Linux:*:*)
+	echo or32-unknown-linux-gnu
+	exit ;;
+    ppc:Linux:*:*)
+	echo powerpc-unknown-linux-gnu
+	exit ;;
+    ppc64:Linux:*:*)
+	echo powerpc64-unknown-linux-gnu
+	exit ;;
+    alpha:Linux:*:*)
+	case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+	  EV5)   UNAME_MACHINE=alphaev5 ;;
+	  EV56)  UNAME_MACHINE=alphaev56 ;;
+	  PCA56) UNAME_MACHINE=alphapca56 ;;
+	  PCA57) UNAME_MACHINE=alphapca56 ;;
+	  EV6)   UNAME_MACHINE=alphaev6 ;;
+	  EV67)  UNAME_MACHINE=alphaev67 ;;
+	  EV68*) UNAME_MACHINE=alphaev68 ;;
+        esac
+	objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+	if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+	echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+	exit ;;
+    parisc:Linux:*:* | hppa:Linux:*:*)
+	# Look for CPU level
+	case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+	  PA7*) echo hppa1.1-unknown-linux-gnu ;;
+	  PA8*) echo hppa2.0-unknown-linux-gnu ;;
+	  *)    echo hppa-unknown-linux-gnu ;;
+	esac
+	exit ;;
+    parisc64:Linux:*:* | hppa64:Linux:*:*)
+	echo hppa64-unknown-linux-gnu
+	exit ;;
+    s390:Linux:*:* | s390x:Linux:*:*)
+	echo ${UNAME_MACHINE}-ibm-linux
+	exit ;;
+    sh64*:Linux:*:*)
+    	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sh*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    sparc:Linux:*:* | sparc64:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
+    x86_64:Linux:*:*)
+	echo x86_64-unknown-linux-gnu
+	exit ;;
+    i*86:Linux:*:*)
+	# The BFD linker knows what the default object file format is, so
+	# first see if it will tell us. cd to the root directory to prevent
+	# problems with other programs or directories called `ld' in the path.
+	# Set LC_ALL=C to ensure ld outputs messages in English.
+	ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+			 | sed -ne '/supported targets:/!d
+				    s/[ 	][ 	]*/ /g
+				    s/.*supported targets: *//
+				    s/ .*//
+				    p'`
+        case "$ld_supported_targets" in
+	  elf32-i386)
+		TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+		;;
+	  a.out-i386-linux)
+		echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+		exit ;;
+	  coff-i386)
+		echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+		exit ;;
+	  "")
+		# Either a pre-BFD a.out linker (linux-gnuoldld) or
+		# one that does not give us useful --help.
+		echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+		exit ;;
+	esac
+	# Determine whether the default compiler is a.out or elf
+	eval $set_cc_for_build
+	sed 's/^	//' << EOF >$dummy.c
+	#include <features.h>
+	#ifdef __ELF__
+	# ifdef __GLIBC__
+	#  if __GLIBC__ >= 2
+	LIBC=gnu
+	#  else
+	LIBC=gnulibc1
+	#  endif
+	# else
+	LIBC=gnulibc1
+	# endif
+	#else
+	#ifdef __INTEL_COMPILER
+	LIBC=gnu
+	#else
+	LIBC=gnuaout
+	#endif
+	#endif
+	#ifdef __dietlibc__
+	LIBC=dietlibc
+	#endif
+EOF
+	eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+	test x"${LIBC}" != x && {
+		echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+		exit
+	}
+	test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+	;;
+    i*86:DYNIX/ptx:4*:*)
+	# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+	# earlier versions are messed up and put the nodename in both
+	# sysname and nodename.
+	echo i386-sequent-sysv4
+	exit ;;
+    i*86:UNIX_SV:4.2MP:2.*)
+        # Unixware is an offshoot of SVR4, but it has its own version
+        # number series starting with 2...
+        # I am not positive that other SVR4 systems won't match this,
+	# I just have to hope.  -- rms.
+        # Use sysv4.2uw... so that sysv4* matches it.
+	echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+	exit ;;
+    i*86:OS/2:*:*)
+	# If we were able to find `uname', then EMX Unix compatibility
+	# is probably installed.
+	echo ${UNAME_MACHINE}-pc-os2-emx
+	exit ;;
+    i*86:XTS-300:*:STOP)
+	echo ${UNAME_MACHINE}-unknown-stop
+	exit ;;
+    i*86:atheos:*:*)
+	echo ${UNAME_MACHINE}-unknown-atheos
+	exit ;;
+    i*86:syllable:*:*)
+	echo ${UNAME_MACHINE}-pc-syllable
+	exit ;;
+    i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+	echo i386-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    i*86:*DOS:*:*)
+	echo ${UNAME_MACHINE}-pc-msdosdjgpp
+	exit ;;
+    i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+	UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+	if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+		echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+	else
+		echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+	fi
+	exit ;;
+    i*86:*:5:[678]*)
+    	# UnixWare 7.x, OpenUNIX and OpenServer 6.
+	case `/bin/uname -X | grep "^Machine"` in
+	    *486*)	     UNAME_MACHINE=i486 ;;
+	    *Pentium)	     UNAME_MACHINE=i586 ;;
+	    *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+	esac
+	echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+	exit ;;
+    i*86:*:3.2:*)
+	if test -f /usr/options/cb.name; then
+		UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+		echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+	elif /bin/uname -X 2>/dev/null >/dev/null ; then
+		UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+		(/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+		(/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+			&& UNAME_MACHINE=i586
+		(/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		(/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+			&& UNAME_MACHINE=i686
+		echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+	else
+		echo ${UNAME_MACHINE}-pc-sysv32
+	fi
+	exit ;;
+    pc:*:*:*)
+	# Left here for compatibility:
+        # uname -m prints for DJGPP always 'pc', but it prints nothing about
+        # the processor, so we play safe by assuming i386.
+	echo i386-pc-msdosdjgpp
+        exit ;;
+    Intel:Mach:3*:*)
+	echo i386-pc-mach3
+	exit ;;
+    paragon:*:*:*)
+	echo i860-intel-osf1
+	exit ;;
+    i860:*:4.*:*) # i860-SVR4
+	if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+	  echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+	else # Add other i860-SVR4 vendors below as they are discovered.
+	  echo i860-unknown-sysv${UNAME_RELEASE}  # Unknown i860-SVR4
+	fi
+	exit ;;
+    mini*:CTIX:SYS*5:*)
+	# "miniframe"
+	echo m68010-convergent-sysv
+	exit ;;
+    mc68k:UNIX:SYSTEM5:3.51m)
+	echo m68k-convergent-sysv
+	exit ;;
+    M680?0:D-NIX:5.3:*)
+	echo m68k-diab-dnix
+	exit ;;
+    M68*:*:R3V[5678]*:*)
+	test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+    3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+	OS_REL=''
+	test -r /etc/.relid \
+	&& OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+	/bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+	  && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+	/bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+	  && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+    3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+        /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+          && { echo i486-ncr-sysv4; exit; } ;;
+    m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+	echo m68k-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    mc68030:UNIX_System_V:4.*:*)
+	echo m68k-atari-sysv4
+	exit ;;
+    TSUNAMI:LynxOS:2.*:*)
+	echo sparc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    rs6000:LynxOS:2.*:*)
+	echo rs6000-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+	echo powerpc-unknown-lynxos${UNAME_RELEASE}
+	exit ;;
+    SM[BE]S:UNIX_SV:*:*)
+	echo mips-dde-sysv${UNAME_RELEASE}
+	exit ;;
+    RM*:ReliantUNIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    RM*:SINIX-*:*:*)
+	echo mips-sni-sysv4
+	exit ;;
+    *:SINIX-*:*:*)
+	if uname -p 2>/dev/null >/dev/null ; then
+		UNAME_MACHINE=`(uname -p) 2>/dev/null`
+		echo ${UNAME_MACHINE}-sni-sysv4
+	else
+		echo ns32k-sni-sysv
+	fi
+	exit ;;
+    PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+                      # says <Richard.M.Bartel@ccMail.Census.GOV>
+        echo i586-unisys-sysv4
+        exit ;;
+    *:UNIX_System_V:4*:FTX*)
+	# From Gerald Hewes <hewes@openmarket.com>.
+	# How about differentiating between stratus architectures? -djm
+	echo hppa1.1-stratus-sysv4
+	exit ;;
+    *:*:*:FTX*)
+	# From seanf@swdc.stratus.com.
+	echo i860-stratus-sysv4
+	exit ;;
+    i*86:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo ${UNAME_MACHINE}-stratus-vos
+	exit ;;
+    *:VOS:*:*)
+	# From Paul.Green@stratus.com.
+	echo hppa1.1-stratus-vos
+	exit ;;
+    mc68*:A/UX:*:*)
+	echo m68k-apple-aux${UNAME_RELEASE}
+	exit ;;
+    news*:NEWS-OS:6*:*)
+	echo mips-sony-newsos6
+	exit ;;
+    R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+	if [ -d /usr/nec ]; then
+	        echo mips-nec-sysv${UNAME_RELEASE}
+	else
+	        echo mips-unknown-sysv${UNAME_RELEASE}
+	fi
+        exit ;;
+    BeBox:BeOS:*:*)	# BeOS running on hardware made by Be, PPC only.
+	echo powerpc-be-beos
+	exit ;;
+    BeMac:BeOS:*:*)	# BeOS running on Mac or Mac clone, PPC only.
+	echo powerpc-apple-beos
+	exit ;;
+    BePC:BeOS:*:*)	# BeOS running on Intel PC compatible.
+	echo i586-pc-beos
+	exit ;;
+    SX-4:SUPER-UX:*:*)
+	echo sx4-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-5:SUPER-UX:*:*)
+	echo sx5-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-6:SUPER-UX:*:*)
+	echo sx6-nec-superux${UNAME_RELEASE}
+	exit ;;
+    Power*:Rhapsody:*:*)
+	echo powerpc-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Rhapsody:*:*)
+	echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+	exit ;;
+    *:Darwin:*:*)
+	UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+	case $UNAME_PROCESSOR in
+	    *86) UNAME_PROCESSOR=i686 ;;
+	    unknown) UNAME_PROCESSOR=powerpc ;;
+	esac
+	echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+	exit ;;
+    *:procnto*:*:* | *:QNX:[0123456789]*:*)
+	UNAME_PROCESSOR=`uname -p`
+	if test "$UNAME_PROCESSOR" = "x86"; then
+		UNAME_PROCESSOR=i386
+		UNAME_MACHINE=pc
+	fi
+	echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+	exit ;;
+    *:QNX:*:4*)
+	echo i386-pc-qnx
+	exit ;;
+    NSE-?:NONSTOP_KERNEL:*:*)
+	echo nse-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    NSR-?:NONSTOP_KERNEL:*:*)
+	echo nsr-tandem-nsk${UNAME_RELEASE}
+	exit ;;
+    *:NonStop-UX:*:*)
+	echo mips-compaq-nonstopux
+	exit ;;
+    BS2000:POSIX*:*:*)
+	echo bs2000-siemens-sysv
+	exit ;;
+    DS/*:UNIX_System_V:*:*)
+	echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+	exit ;;
+    *:Plan9:*:*)
+	# "uname -m" is not consistent, so use $cputype instead. 386
+	# is converted to i386 for consistency with other x86
+	# operating systems.
+	if test "$cputype" = "386"; then
+	    UNAME_MACHINE=i386
+	else
+	    UNAME_MACHINE="$cputype"
+	fi
+	echo ${UNAME_MACHINE}-unknown-plan9
+	exit ;;
+    *:TOPS-10:*:*)
+	echo pdp10-unknown-tops10
+	exit ;;
+    *:TENEX:*:*)
+	echo pdp10-unknown-tenex
+	exit ;;
+    KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+	echo pdp10-dec-tops20
+	exit ;;
+    XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+	echo pdp10-xkl-tops20
+	exit ;;
+    *:TOPS-20:*:*)
+	echo pdp10-unknown-tops20
+	exit ;;
+    *:ITS:*:*)
+	echo pdp10-unknown-its
+	exit ;;
+    SEI:*:*:SEIUX)
+        echo mips-sei-seiux${UNAME_RELEASE}
+	exit ;;
+    *:DragonFly:*:*)
+	echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+	exit ;;
+    *:*VMS:*:*)
+    	UNAME_MACHINE=`(uname -p) 2>/dev/null`
+	case "${UNAME_MACHINE}" in
+	    A*) echo alpha-dec-vms ; exit ;;
+	    I*) echo ia64-dec-vms ; exit ;;
+	    V*) echo vax-dec-vms ; exit ;;
+	esac ;;
+    *:XENIX:*:SysV)
+	echo i386-pc-xenix
+	exit ;;
+    i*86:skyos:*:*)
+	echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+	exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+  /* BFD wants "bsd" instead of "newsos".  Perhaps BFD should be changed,
+     I don't know....  */
+  printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+  printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+          "4"
+#else
+	  ""
+#endif
+         ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+  printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+  printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+  int version;
+  version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+  if (version < 4)
+    printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+  else
+    printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+  exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+  printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+  printf ("ns32k-encore-mach\n"); exit (0);
+#else
+  printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+  printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+  printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+  printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+    struct utsname un;
+
+    uname(&un);
+
+    if (strncmp(un.version, "V2", 2) == 0) {
+	printf ("i386-sequent-ptx2\n"); exit (0);
+    }
+    if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+	printf ("i386-sequent-ptx1\n"); exit (0);
+    }
+    printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+#  include <sys/param.h>
+#  if defined (BSD)
+#   if BSD == 43
+      printf ("vax-dec-bsd4.3\n"); exit (0);
+#   else
+#    if BSD == 199006
+      printf ("vax-dec-bsd4.3reno\n"); exit (0);
+#    else
+      printf ("vax-dec-bsd\n"); exit (0);
+#    endif
+#   endif
+#  else
+    printf ("vax-dec-bsd\n"); exit (0);
+#  endif
+# else
+    printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+  printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+  exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+	{ echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+    case `getsysinfo -f cpu_type` in
+    c1*)
+	echo c1-convex-bsd
+	exit ;;
+    c2*)
+	if getsysinfo -f scalar_acc
+	then echo c32-convex-bsd
+	else echo c2-convex-bsd
+	fi
+	exit ;;
+    c34*)
+	echo c34-convex-bsd
+	exit ;;
+    c38*)
+	echo c38-convex-bsd
+	exit ;;
+    c4*)
+	echo c4-convex-bsd
+	exit ;;
+    esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+  http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X     = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo               = `(hostinfo) 2>/dev/null`
+/bin/universe          = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch              = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM  = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/tdb/config.mk b/source3/lib/tdb/config.mk
new file mode 100644
index 0000000000..b9a8f80dda
--- /dev/null
+++ b/source3/lib/tdb/config.mk
@@ -0,0 +1,57 @@
+################################################
+# Start SUBSYSTEM LIBTDB
+[LIBRARY::LIBTDB]
+OUTPUT_TYPE = STATIC_LIBRARY
+CFLAGS = -Ilib/tdb/include
+#
+# End SUBSYSTEM ldb
+################################################
+
+LIBTDB_OBJ_FILES = $(addprefix lib/tdb/common/, \
+	tdb.o dump.o io.o lock.o \
+	open.o traverse.o freelist.o \
+	error.o transaction.o)
+
+################################################
+# Start BINARY tdbtool
+[BINARY::tdbtool]
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+		LIBTDB
+# End BINARY tdbtool
+################################################
+
+tdbtool_OBJ_FILES = lib/tdb/tools/tdbtool.o
+
+################################################
+# Start BINARY tdbtorture
+[BINARY::tdbtorture]
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+		LIBTDB
+# End BINARY tdbtorture
+################################################
+
+tdbtorture_OBJ_FILES = lib/tdb/tools/tdbtorture.o
+
+################################################
+# Start BINARY tdbdump
+[BINARY::tdbdump]
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+		LIBTDB
+# End BINARY tdbdump
+################################################
+
+tdbdump_OBJ_FILES = lib/tdb/tools/tdbdump.o
+
+################################################
+# Start BINARY tdbbackup
+[BINARY::tdbbackup]
+INSTALLDIR = BINDIR
+PRIVATE_DEPENDENCIES = \
+		LIBTDB
+# End BINARY tdbbackup
+################################################
+
+tdbbackup_OBJ_FILES = lib/tdb/tools/tdbbackup.o
diff --git a/source3/lib/tdb/config.sub b/source3/lib/tdb/config.sub
new file mode 100755
index 0000000000..23cd6fd75c
--- /dev/null
+++ b/source3/lib/tdb/config.sub
@@ -0,0 +1,1577 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+#   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+timestamp='2005-07-08'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine.  It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>.  Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support.  The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+#	CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+#	CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+       $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+  -h, --help         print this help, then exit
+  -t, --time-stamp   print date of last modification, then exit
+  -v, --version      print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+  case $1 in
+    --time-stamp | --time* | -t )
+       echo "$timestamp" ; exit ;;
+    --version | -v )
+       echo "$version" ; exit ;;
+    --help | --h* | -h )
+       echo "$usage"; exit ;;
+    -- )     # Stop option processing
+       shift; break ;;
+    - )	# Use stdin as input.
+       break ;;
+    -* )
+       echo "$me: invalid option $1$help"
+       exit 1 ;;
+
+    *local*)
+       # First pass through any local machine types.
+       echo $1
+       exit ;;
+
+    * )
+       break ;;
+  esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+    exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+    exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+  nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+  kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+    os=-$maybe_os
+    basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+    ;;
+  *)
+    basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+    if [ $basic_machine != $1 ]
+    then os=`echo $1 | sed 's/.*-/-/'`
+    else os=; fi
+    ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work.  We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+	-sun*os*)
+		# Prevent following clause from handling this invalid input.
+		;;
+	-dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+	-att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+	-unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+	-convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+	-c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+	-harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+	-apple | -axis | -knuth | -cray)
+		os=
+		basic_machine=$1
+		;;
+	-sim | -cisco | -oki | -wec | -winbond)
+		os=
+		basic_machine=$1
+		;;
+	-scout)
+		;;
+	-wrs)
+		os=-vxworks
+		basic_machine=$1
+		;;
+	-chorusos*)
+		os=-chorusos
+		basic_machine=$1
+		;;
+ 	-chorusrdb)
+ 		os=-chorusrdb
+		basic_machine=$1
+ 		;;
+	-hiux*)
+		os=-hiuxwe2
+		;;
+	-sco5)
+		os=-sco3.2v5
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco4)
+		os=-sco3.2v4
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2.[4-9]*)
+		os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco3.2v[4-9]*)
+		# Don't forget version if it is 3.2v4 or newer.
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-sco*)
+		os=-sco3.2v2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-udk*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-isc)
+		os=-isc2.2
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-clix*)
+		basic_machine=clipper-intergraph
+		;;
+	-isc*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+		;;
+	-lynx*)
+		os=-lynxos
+		;;
+	-ptx*)
+		basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+		;;
+	-windowsnt*)
+		os=`echo $os | sed -e 's/windowsnt/winnt/'`
+		;;
+	-psos*)
+		os=-psos
+		;;
+	-mint | -mint[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+	# Recognize the basic CPU types without company name.
+	# Some are omitted here because they have special meanings below.
+	1750a | 580 \
+	| a29k \
+	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+	| am33_2.0 \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| bfin \
+	| c4x | clipper \
+	| d10v | d30v | dlx | dsp16xx \
+	| fr30 | frv \
+	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+	| i370 | i860 | i960 | ia64 \
+	| ip2k | iq2000 \
+	| m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \
+	| mips | mipsbe | mipseb | mipsel | mipsle \
+	| mips16 \
+	| mips64 | mips64el \
+	| mips64vr | mips64vrel \
+	| mips64orion | mips64orionel \
+	| mips64vr4100 | mips64vr4100el \
+	| mips64vr4300 | mips64vr4300el \
+	| mips64vr5000 | mips64vr5000el \
+	| mips64vr5900 | mips64vr5900el \
+	| mipsisa32 | mipsisa32el \
+	| mipsisa32r2 | mipsisa32r2el \
+	| mipsisa64 | mipsisa64el \
+	| mipsisa64r2 | mipsisa64r2el \
+	| mipsisa64sb1 | mipsisa64sb1el \
+	| mipsisa64sr71k | mipsisa64sr71kel \
+	| mipstx39 | mipstx39el \
+	| mn10200 | mn10300 \
+	| ms1 \
+	| msp430 \
+	| ns16k | ns32k \
+	| or32 \
+	| pdp10 | pdp11 | pj | pjl \
+	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+	| pyramid \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| sh64 | sh64le \
+	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b \
+	| strongarm \
+	| tahoe | thumb | tic4x | tic80 | tron \
+	| v850 | v850e \
+	| we32k \
+	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| z8k)
+		basic_machine=$basic_machine-unknown
+		;;
+	m32c)
+		basic_machine=$basic_machine-unknown
+		;;
+	m6811 | m68hc11 | m6812 | m68hc12)
+		# Motorola 68HC11/12.
+		basic_machine=$basic_machine-unknown
+		os=-none
+		;;
+	m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+		;;
+
+	# We use `pc' rather than `unknown'
+	# because (1) that's what they normally are, and
+	# (2) the word "unknown" tends to confuse beginning users.
+	i*86 | x86_64)
+	  basic_machine=$basic_machine-pc
+	  ;;
+	# Object if more than one company name word.
+	*-*-*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+	# Recognize the basic CPU types with company name.
+	580-* \
+	| a29k-* \
+	| alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
+	| avr-* \
+	| bfin-* | bs2000-* \
+	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+	| clipper-* | craynv-* | cydra-* \
+	| d10v-* | d30v-* | dlx-* \
+	| elxsi-* \
+	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| h8300-* | h8500-* \
+	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+	| i*86-* | i860-* | i960-* | ia64-* \
+	| ip2k-* | iq2000-* \
+	| m32r-* | m32rle-* \
+	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+	| m88110-* | m88k-* | maxq-* | mcore-* \
+	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+	| mips16-* \
+	| mips64-* | mips64el-* \
+	| mips64vr-* | mips64vrel-* \
+	| mips64orion-* | mips64orionel-* \
+	| mips64vr4100-* | mips64vr4100el-* \
+	| mips64vr4300-* | mips64vr4300el-* \
+	| mips64vr5000-* | mips64vr5000el-* \
+	| mips64vr5900-* | mips64vr5900el-* \
+	| mipsisa32-* | mipsisa32el-* \
+	| mipsisa32r2-* | mipsisa32r2el-* \
+	| mipsisa64-* | mipsisa64el-* \
+	| mipsisa64r2-* | mipsisa64r2el-* \
+	| mipsisa64sb1-* | mipsisa64sb1el-* \
+	| mipsisa64sr71k-* | mipsisa64sr71kel-* \
+	| mipstx39-* | mipstx39el-* \
+	| mmix-* \
+	| ms1-* \
+	| msp430-* \
+	| none-* | np1-* | ns16k-* | ns32k-* \
+	| orion-* \
+	| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+	| pyramid-* \
+	| romp-* | rs6000-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+	| sparclite-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| tahoe-* | thumb-* \
+	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+	| tron-* \
+	| v850-* | v850e-* | vax-* \
+	| we32k-* \
+	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| xstormy16-* | xtensa-* \
+	| ymp-* \
+	| z8k-*)
+		;;
+	m32c-*)
+		;;
+	# Recognize the various machine names and aliases which stand
+	# for a CPU type and a company and sometimes even an OS.
+	386bsd)
+		basic_machine=i386-unknown
+		os=-bsd
+		;;
+	3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+		basic_machine=m68000-att
+		;;
+	3b*)
+		basic_machine=we32k-att
+		;;
+	a29khif)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+    	abacus)
+		basic_machine=abacus-unknown
+		;;
+	adobe68k)
+		basic_machine=m68010-adobe
+		os=-scout
+		;;
+	alliant | fx80)
+		basic_machine=fx80-alliant
+		;;
+	altos | altos3068)
+		basic_machine=m68k-altos
+		;;
+	am29k)
+		basic_machine=a29k-none
+		os=-bsd
+		;;
+	amd64)
+		basic_machine=x86_64-pc
+		;;
+	amd64-*)
+		basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	amdahl)
+		basic_machine=580-amdahl
+		os=-sysv
+		;;
+	amiga | amiga-*)
+		basic_machine=m68k-unknown
+		;;
+	amigaos | amigados)
+		basic_machine=m68k-unknown
+		os=-amigaos
+		;;
+	amigaunix | amix)
+		basic_machine=m68k-unknown
+		os=-sysv4
+		;;
+	apollo68)
+		basic_machine=m68k-apollo
+		os=-sysv
+		;;
+	apollo68bsd)
+		basic_machine=m68k-apollo
+		os=-bsd
+		;;
+	aux)
+		basic_machine=m68k-apple
+		os=-aux
+		;;
+	balance)
+		basic_machine=ns32k-sequent
+		os=-dynix
+		;;
+	c90)
+		basic_machine=c90-cray
+		os=-unicos
+		;;
+	convex-c1)
+		basic_machine=c1-convex
+		os=-bsd
+		;;
+	convex-c2)
+		basic_machine=c2-convex
+		os=-bsd
+		;;
+	convex-c32)
+		basic_machine=c32-convex
+		os=-bsd
+		;;
+	convex-c34)
+		basic_machine=c34-convex
+		os=-bsd
+		;;
+	convex-c38)
+		basic_machine=c38-convex
+		os=-bsd
+		;;
+	cray | j90)
+		basic_machine=j90-cray
+		os=-unicos
+		;;
+	craynv)
+		basic_machine=craynv-cray
+		os=-unicosmp
+		;;
+	cr16c)
+		basic_machine=cr16c-unknown
+		os=-elf
+		;;
+	crds | unos)
+		basic_machine=m68k-crds
+		;;
+	crisv32 | crisv32-* | etraxfs*)
+		basic_machine=crisv32-axis
+		;;
+	cris | cris-* | etrax*)
+		basic_machine=cris-axis
+		;;
+	crx)
+		basic_machine=crx-unknown
+		os=-elf
+		;;
+	da30 | da30-*)
+		basic_machine=m68k-da30
+		;;
+	decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+		basic_machine=mips-dec
+		;;
+	decsystem10* | dec10*)
+		basic_machine=pdp10-dec
+		os=-tops10
+		;;
+	decsystem20* | dec20*)
+		basic_machine=pdp10-dec
+		os=-tops20
+		;;
+	delta | 3300 | motorola-3300 | motorola-delta \
+	      | 3300-motorola | delta-motorola)
+		basic_machine=m68k-motorola
+		;;
+	delta88)
+		basic_machine=m88k-motorola
+		os=-sysv3
+		;;
+	djgpp)
+		basic_machine=i586-pc
+		os=-msdosdjgpp
+		;;
+	dpx20 | dpx20-*)
+		basic_machine=rs6000-bull
+		os=-bosx
+		;;
+	dpx2* | dpx2*-bull)
+		basic_machine=m68k-bull
+		os=-sysv3
+		;;
+	ebmon29k)
+		basic_machine=a29k-amd
+		os=-ebmon
+		;;
+	elxsi)
+		basic_machine=elxsi-elxsi
+		os=-bsd
+		;;
+	encore | umax | mmax)
+		basic_machine=ns32k-encore
+		;;
+	es1800 | OSE68k | ose68k | ose | OSE)
+		basic_machine=m68k-ericsson
+		os=-ose
+		;;
+	fx2800)
+		basic_machine=i860-alliant
+		;;
+	genix)
+		basic_machine=ns32k-ns
+		;;
+	gmicro)
+		basic_machine=tron-gmicro
+		os=-sysv
+		;;
+	go32)
+		basic_machine=i386-pc
+		os=-go32
+		;;
+	h3050r* | hiux*)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	h8300hms)
+		basic_machine=h8300-hitachi
+		os=-hms
+		;;
+	h8300xray)
+		basic_machine=h8300-hitachi
+		os=-xray
+		;;
+	h8500hms)
+		basic_machine=h8500-hitachi
+		os=-hms
+		;;
+	harris)
+		basic_machine=m88k-harris
+		os=-sysv3
+		;;
+	hp300-*)
+		basic_machine=m68k-hp
+		;;
+	hp300bsd)
+		basic_machine=m68k-hp
+		os=-bsd
+		;;
+	hp300hpux)
+		basic_machine=m68k-hp
+		os=-hpux
+		;;
+	hp3k9[0-9][0-9] | hp9[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k2[0-9][0-9] | hp9k31[0-9])
+		basic_machine=m68000-hp
+		;;
+	hp9k3[2-9][0-9])
+		basic_machine=m68k-hp
+		;;
+	hp9k6[0-9][0-9] | hp6[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hp9k7[0-79][0-9] | hp7[0-79][0-9])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k78[0-9] | hp78[0-9])
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+		# FIXME: really hppa2.0-hp
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][13679] | hp8[0-9][13679])
+		basic_machine=hppa1.1-hp
+		;;
+	hp9k8[0-9][0-9] | hp8[0-9][0-9])
+		basic_machine=hppa1.0-hp
+		;;
+	hppa-next)
+		os=-nextstep3
+		;;
+	hppaosf)
+		basic_machine=hppa1.1-hp
+		os=-osf
+		;;
+	hppro)
+		basic_machine=hppa1.1-hp
+		os=-proelf
+		;;
+	i370-ibm* | ibm*)
+		basic_machine=i370-ibm
+		;;
+# I'm not sure what "Sysv32" means.  Should this be sysv3.2?
+	i*86v32)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv32
+		;;
+	i*86v4*)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv4
+		;;
+	i*86v)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-sysv
+		;;
+	i*86sol2)
+		basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+		os=-solaris2
+		;;
+	i386mach)
+		basic_machine=i386-mach
+		os=-mach
+		;;
+	i386-vsta | vsta)
+		basic_machine=i386-unknown
+		os=-vsta
+		;;
+	iris | iris4d)
+		basic_machine=mips-sgi
+		case $os in
+		    -irix*)
+			;;
+		    *)
+			os=-irix4
+			;;
+		esac
+		;;
+	isi68 | isi)
+		basic_machine=m68k-isi
+		os=-sysv
+		;;
+	m88k-omron*)
+		basic_machine=m88k-omron
+		;;
+	magnum | m3230)
+		basic_machine=mips-mips
+		os=-sysv
+		;;
+	merlin)
+		basic_machine=ns32k-utek
+		os=-sysv
+		;;
+	mingw32)
+		basic_machine=i386-pc
+		os=-mingw32
+		;;
+	miniframe)
+		basic_machine=m68000-convergent
+		;;
+	*mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+		basic_machine=m68k-atari
+		os=-mint
+		;;
+	mips3*-*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+		;;
+	mips3*)
+		basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+		;;
+	monitor)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	morphos)
+		basic_machine=powerpc-unknown
+		os=-morphos
+		;;
+	msdos)
+		basic_machine=i386-pc
+		os=-msdos
+		;;
+	mvs)
+		basic_machine=i370-ibm
+		os=-mvs
+		;;
+	ncr3000)
+		basic_machine=i486-ncr
+		os=-sysv4
+		;;
+	netbsd386)
+		basic_machine=i386-unknown
+		os=-netbsd
+		;;
+	netwinder)
+		basic_machine=armv4l-rebel
+		os=-linux
+		;;
+	news | news700 | news800 | news900)
+		basic_machine=m68k-sony
+		os=-newsos
+		;;
+	news1000)
+		basic_machine=m68030-sony
+		os=-newsos
+		;;
+	news-3600 | risc-news)
+		basic_machine=mips-sony
+		os=-newsos
+		;;
+	necv70)
+		basic_machine=v70-nec
+		os=-sysv
+		;;
+	next | m*-next )
+		basic_machine=m68k-next
+		case $os in
+		    -nextstep* )
+			;;
+		    -ns2*)
+		      os=-nextstep2
+			;;
+		    *)
+		      os=-nextstep3
+			;;
+		esac
+		;;
+	nh3000)
+		basic_machine=m68k-harris
+		os=-cxux
+		;;
+	nh[45]000)
+		basic_machine=m88k-harris
+		os=-cxux
+		;;
+	nindy960)
+		basic_machine=i960-intel
+		os=-nindy
+		;;
+	mon960)
+		basic_machine=i960-intel
+		os=-mon960
+		;;
+	nonstopux)
+		basic_machine=mips-compaq
+		os=-nonstopux
+		;;
+	np1)
+		basic_machine=np1-gould
+		;;
+	nsr-tandem)
+		basic_machine=nsr-tandem
+		;;
+	op50n-* | op60c-*)
+		basic_machine=hppa1.1-oki
+		os=-proelf
+		;;
+	openrisc | openrisc-*)
+		basic_machine=or32-unknown
+		;;
+	os400)
+		basic_machine=powerpc-ibm
+		os=-os400
+		;;
+	OSE68000 | ose68000)
+		basic_machine=m68000-ericsson
+		os=-ose
+		;;
+	os68k)
+		basic_machine=m68k-none
+		os=-os68k
+		;;
+	pa-hitachi)
+		basic_machine=hppa1.1-hitachi
+		os=-hiuxwe2
+		;;
+	paragon)
+		basic_machine=i860-intel
+		os=-osf
+		;;
+	pbd)
+		basic_machine=sparc-tti
+		;;
+	pbb)
+		basic_machine=m68k-tti
+		;;
+	pc532 | pc532-*)
+		basic_machine=ns32k-pc532
+		;;
+	pentium | p5 | k5 | k6 | nexgen | viac3)
+		basic_machine=i586-pc
+		;;
+	pentiumpro | p6 | 6x86 | athlon | athlon_*)
+		basic_machine=i686-pc
+		;;
+	pentiumii | pentium2 | pentiumiii | pentium3)
+		basic_machine=i686-pc
+		;;
+	pentium4)
+		basic_machine=i786-pc
+		;;
+	pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+		basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumpro-* | p6-* | 6x86-* | athlon-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+		basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pentium4-*)
+		basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	pn)
+		basic_machine=pn-gould
+		;;
+	power)	basic_machine=power-ibm
+		;;
+	ppc)	basic_machine=powerpc-unknown
+		;;
+	ppc-*)	basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppcle | powerpclittle | ppc-le | powerpc-little)
+		basic_machine=powerpcle-unknown
+		;;
+	ppcle-* | powerpclittle-*)
+		basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64)	basic_machine=powerpc64-unknown
+		;;
+	ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+		basic_machine=powerpc64le-unknown
+		;;
+	ppc64le-* | powerpc64little-*)
+		basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+		;;
+	ps2)
+		basic_machine=i386-ibm
+		;;
+	pw32)
+		basic_machine=i586-unknown
+		os=-pw32
+		;;
+	rom68k)
+		basic_machine=m68k-rom68k
+		os=-coff
+		;;
+	rm[46]00)
+		basic_machine=mips-siemens
+		;;
+	rtpc | rtpc-*)
+		basic_machine=romp-ibm
+		;;
+	s390 | s390-*)
+		basic_machine=s390-ibm
+		;;
+	s390x | s390x-*)
+		basic_machine=s390x-ibm
+		;;
+	sa29200)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	sb1)
+		basic_machine=mipsisa64sb1-unknown
+		;;
+	sb1el)
+		basic_machine=mipsisa64sb1el-unknown
+		;;
+	sei)
+		basic_machine=mips-sei
+		os=-seiux
+		;;
+	sequent)
+		basic_machine=i386-sequent
+		;;
+	sh)
+		basic_machine=sh-hitachi
+		os=-hms
+		;;
+	sh64)
+		basic_machine=sh64-unknown
+		;;
+	sparclite-wrs | simso-wrs)
+		basic_machine=sparclite-wrs
+		os=-vxworks
+		;;
+	sps7)
+		basic_machine=m68k-bull
+		os=-sysv2
+		;;
+	spur)
+		basic_machine=spur-unknown
+		;;
+	st2000)
+		basic_machine=m68k-tandem
+		;;
+	stratus)
+		basic_machine=i860-stratus
+		os=-sysv4
+		;;
+	sun2)
+		basic_machine=m68000-sun
+		;;
+	sun2os3)
+		basic_machine=m68000-sun
+		os=-sunos3
+		;;
+	sun2os4)
+		basic_machine=m68000-sun
+		os=-sunos4
+		;;
+	sun3os3)
+		basic_machine=m68k-sun
+		os=-sunos3
+		;;
+	sun3os4)
+		basic_machine=m68k-sun
+		os=-sunos4
+		;;
+	sun4os3)
+		basic_machine=sparc-sun
+		os=-sunos3
+		;;
+	sun4os4)
+		basic_machine=sparc-sun
+		os=-sunos4
+		;;
+	sun4sol2)
+		basic_machine=sparc-sun
+		os=-solaris2
+		;;
+	sun3 | sun3-*)
+		basic_machine=m68k-sun
+		;;
+	sun4)
+		basic_machine=sparc-sun
+		;;
+	sun386 | sun386i | roadrunner)
+		basic_machine=i386-sun
+		;;
+	sv1)
+		basic_machine=sv1-cray
+		os=-unicos
+		;;
+	symmetry)
+		basic_machine=i386-sequent
+		os=-dynix
+		;;
+	t3e)
+		basic_machine=alphaev5-cray
+		os=-unicos
+		;;
+	t90)
+		basic_machine=t90-cray
+		os=-unicos
+		;;
+	tic54x | c54x*)
+		basic_machine=tic54x-unknown
+		os=-coff
+		;;
+	tic55x | c55x*)
+		basic_machine=tic55x-unknown
+		os=-coff
+		;;
+	tic6x | c6x*)
+		basic_machine=tic6x-unknown
+		os=-coff
+		;;
+	tx39)
+		basic_machine=mipstx39-unknown
+		;;
+	tx39el)
+		basic_machine=mipstx39el-unknown
+		;;
+	toad1)
+		basic_machine=pdp10-xkl
+		os=-tops20
+		;;
+	tower | tower-32)
+		basic_machine=m68k-ncr
+		;;
+	tpf)
+		basic_machine=s390x-ibm
+		os=-tpf
+		;;
+	udi29k)
+		basic_machine=a29k-amd
+		os=-udi
+		;;
+	ultra3)
+		basic_machine=a29k-nyu
+		os=-sym1
+		;;
+	v810 | necv810)
+		basic_machine=v810-nec
+		os=-none
+		;;
+	vaxv)
+		basic_machine=vax-dec
+		os=-sysv
+		;;
+	vms)
+		basic_machine=vax-dec
+		os=-vms
+		;;
+	vpp*|vx|vx-*)
+		basic_machine=f301-fujitsu
+		;;
+	vxworks960)
+		basic_machine=i960-wrs
+		os=-vxworks
+		;;
+	vxworks68)
+		basic_machine=m68k-wrs
+		os=-vxworks
+		;;
+	vxworks29k)
+		basic_machine=a29k-wrs
+		os=-vxworks
+		;;
+	w65*)
+		basic_machine=w65-wdc
+		os=-none
+		;;
+	w89k-*)
+		basic_machine=hppa1.1-winbond
+		os=-proelf
+		;;
+	xbox)
+		basic_machine=i686-pc
+		os=-mingw32
+		;;
+	xps | xps100)
+		basic_machine=xps100-honeywell
+		;;
+	ymp)
+		basic_machine=ymp-cray
+		os=-unicos
+		;;
+	z8k-*-coff)
+		basic_machine=z8k-unknown
+		os=-sim
+		;;
+	none)
+		basic_machine=none-none
+		os=-none
+		;;
+
+# Here we handle the default manufacturer of certain CPU types.  It is in
+# some cases the only manufacturer, in others, it is the most popular.
+	w89k)
+		basic_machine=hppa1.1-winbond
+		;;
+	op50n)
+		basic_machine=hppa1.1-oki
+		;;
+	op60c)
+		basic_machine=hppa1.1-oki
+		;;
+	romp)
+		basic_machine=romp-ibm
+		;;
+	mmix)
+		basic_machine=mmix-knuth
+		;;
+	rs6000)
+		basic_machine=rs6000-ibm
+		;;
+	vax)
+		basic_machine=vax-dec
+		;;
+	pdp10)
+		# there are many clones, so DEC is not a safe bet
+		basic_machine=pdp10-unknown
+		;;
+	pdp11)
+		basic_machine=pdp11-dec
+		;;
+	we32k)
+		basic_machine=we32k-att
+		;;
+	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+		basic_machine=sh-unknown
+		;;
+	sparc | sparcv8 | sparcv9 | sparcv9b)
+		basic_machine=sparc-sun
+		;;
+	cydra)
+		basic_machine=cydra-cydrome
+		;;
+	orion)
+		basic_machine=orion-highlevel
+		;;
+	orion105)
+		basic_machine=clipper-highlevel
+		;;
+	mac | mpw | mac-mpw)
+		basic_machine=m68k-apple
+		;;
+	pmac | pmac-mpw)
+		basic_machine=powerpc-apple
+		;;
+	*-unknown)
+		# Make sure to match an already-canonicalized machine name.
+		;;
+	*)
+		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+		exit 1
+		;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+	*-digital*)
+		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+		;;
+	*-commodore*)
+		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+		;;
+	*)
+		;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+        # First match some system type aliases
+        # that might get confused with valid system types.
+	# -solaris* is a basic system type, with this one exception.
+	-solaris1 | -solaris1.*)
+		os=`echo $os | sed -e 's|solaris1|sunos4|'`
+		;;
+	-solaris)
+		os=-solaris2
+		;;
+	-svr4*)
+		os=-sysv4
+		;;
+	-unixware*)
+		os=-sysv4.2uw
+		;;
+	-gnu/linux*)
+		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+		;;
+	# First accept the basic system types.
+	# The portable systems comes first.
+	# Each alternative MUST END IN A *, to match a version number.
+	# -sysv* is not here because it comes later, after sysvr4.
+	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+	      | -aos* \
+	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+	      | -chorusos* | -chorusrdb* \
+	      | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+	      | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+	      | -skyos* | -haiku*)
+	# Remember, each alternative MUST END IN *, to match a version number.
+		;;
+	-qnx*)
+		case $basic_machine in
+		    x86-* | i*86-*)
+			;;
+		    *)
+			os=-nto$os
+			;;
+		esac
+		;;
+	-nto-qnx*)
+		;;
+	-nto*)
+		os=`echo $os | sed -e 's|nto|nto-qnx|'`
+		;;
+	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+		;;
+	-mac*)
+		os=`echo $os | sed -e 's|mac|macos|'`
+		;;
+	-linux-dietlibc)
+		os=-linux-dietlibc
+		;;
+	-linux*)
+		os=`echo $os | sed -e 's|linux|linux-gnu|'`
+		;;
+	-sunos5*)
+		os=`echo $os | sed -e 's|sunos5|solaris2|'`
+		;;
+	-sunos6*)
+		os=`echo $os | sed -e 's|sunos6|solaris3|'`
+		;;
+	-opened*)
+		os=-openedition
+		;;
+        -os400*)
+		os=-os400
+		;;
+	-wince*)
+		os=-wince
+		;;
+	-osfrose*)
+		os=-osfrose
+		;;
+	-osf*)
+		os=-osf
+		;;
+	-utek*)
+		os=-bsd
+		;;
+	-dynix*)
+		os=-bsd
+		;;
+	-acis*)
+		os=-aos
+		;;
+	-atheos*)
+		os=-atheos
+		;;
+	-syllable*)
+		os=-syllable
+		;;
+	-386bsd)
+		os=-bsd
+		;;
+	-ctix* | -uts*)
+		os=-sysv
+		;;
+	-nova*)
+		os=-rtmk-nova
+		;;
+	-ns2 )
+		os=-nextstep2
+		;;
+	-nsk*)
+		os=-nsk
+		;;
+	# Preserve the version number of sinix5.
+	-sinix5.*)
+		os=`echo $os | sed -e 's|sinix|sysv|'`
+		;;
+	-sinix*)
+		os=-sysv4
+		;;
+        -tpf*)
+		os=-tpf
+		;;
+	-triton*)
+		os=-sysv3
+		;;
+	-oss*)
+		os=-sysv3
+		;;
+	-svr4)
+		os=-sysv4
+		;;
+	-svr3)
+		os=-sysv3
+		;;
+	-sysvr4)
+		os=-sysv4
+		;;
+	# This must come after -sysvr4.
+	-sysv*)
+		;;
+	-ose*)
+		os=-ose
+		;;
+	-es1800*)
+		os=-ose
+		;;
+	-xenix)
+		os=-xenix
+		;;
+	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+		os=-mint
+		;;
+	-aros*)
+		os=-aros
+		;;
+	-kaos*)
+		os=-kaos
+		;;
+	-zvmoe)
+		os=-zvmoe
+		;;
+	-none)
+		;;
+	*)
+		# Get rid of the `-' at the beginning of $os.
+		os=`echo $os | sed 's/[^-]*-//'`
+		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+		exit 1
+		;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system.  Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+	*-acorn)
+		os=-riscix1.2
+		;;
+	arm*-rebel)
+		os=-linux
+		;;
+	arm*-semi)
+		os=-aout
+		;;
+    c4x-* | tic4x-*)
+        os=-coff
+        ;;
+	# This must come before the *-dec entry.
+	pdp10-*)
+		os=-tops20
+		;;
+	pdp11-*)
+		os=-none
+		;;
+	*-dec | vax-*)
+		os=-ultrix4.2
+		;;
+	m68*-apollo)
+		os=-domain
+		;;
+	i386-sun)
+		os=-sunos4.0.2
+		;;
+	m68000-sun)
+		os=-sunos3
+		# This also exists in the configure program, but was not the
+		# default.
+		# os=-sunos4
+		;;
+	m68*-cisco)
+		os=-aout
+		;;
+	mips*-cisco)
+		os=-elf
+		;;
+	mips*-*)
+		os=-elf
+		;;
+	or32-*)
+		os=-coff
+		;;
+	*-tti)	# must be before sparc entry or we get the wrong os.
+		os=-sysv3
+		;;
+	sparc-* | *-sun)
+		os=-sunos4.1.1
+		;;
+	*-be)
+		os=-beos
+		;;
+	*-haiku)
+		os=-haiku
+		;;
+	*-ibm)
+		os=-aix
+		;;
+    	*-knuth)
+		os=-mmixware
+		;;
+	*-wec)
+		os=-proelf
+		;;
+	*-winbond)
+		os=-proelf
+		;;
+	*-oki)
+		os=-proelf
+		;;
+	*-hp)
+		os=-hpux
+		;;
+	*-hitachi)
+		os=-hiux
+		;;
+	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+		os=-sysv
+		;;
+	*-cbm)
+		os=-amigaos
+		;;
+	*-dg)
+		os=-dgux
+		;;
+	*-dolphin)
+		os=-sysv3
+		;;
+	m68k-ccur)
+		os=-rtu
+		;;
+	m88k-omron*)
+		os=-luna
+		;;
+	*-next )
+		os=-nextstep
+		;;
+	*-sequent)
+		os=-ptx
+		;;
+	*-crds)
+		os=-unos
+		;;
+	*-ns)
+		os=-genix
+		;;
+	i370-*)
+		os=-mvs
+		;;
+	*-next)
+		os=-nextstep3
+		;;
+	*-gould)
+		os=-sysv
+		;;
+	*-highlevel)
+		os=-bsd
+		;;
+	*-encore)
+		os=-bsd
+		;;
+	*-sgi)
+		os=-irix
+		;;
+	*-siemens)
+		os=-sysv4
+		;;
+	*-masscomp)
+		os=-rtu
+		;;
+	f30[01]-fujitsu | f700-fujitsu)
+		os=-uxpv
+		;;
+	*-rom68k)
+		os=-coff
+		;;
+	*-*bug)
+		os=-coff
+		;;
+	*-apple)
+		os=-macos
+		;;
+	*-atari*)
+		os=-mint
+		;;
+	*)
+		os=-none
+		;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer.  We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+	*-unknown)
+		case $os in
+			-riscix*)
+				vendor=acorn
+				;;
+			-sunos*)
+				vendor=sun
+				;;
+			-aix*)
+				vendor=ibm
+				;;
+			-beos*)
+				vendor=be
+				;;
+			-hpux*)
+				vendor=hp
+				;;
+			-mpeix*)
+				vendor=hp
+				;;
+			-hiux*)
+				vendor=hitachi
+				;;
+			-unos*)
+				vendor=crds
+				;;
+			-dgux*)
+				vendor=dg
+				;;
+			-luna*)
+				vendor=omron
+				;;
+			-genix*)
+				vendor=ns
+				;;
+			-mvs* | -opened*)
+				vendor=ibm
+				;;
+			-os400*)
+				vendor=ibm
+				;;
+			-ptx*)
+				vendor=sequent
+				;;
+			-tpf*)
+				vendor=ibm
+				;;
+			-vxsim* | -vxworks* | -windiss*)
+				vendor=wrs
+				;;
+			-aux*)
+				vendor=apple
+				;;
+			-hms*)
+				vendor=hitachi
+				;;
+			-mpw* | -macos*)
+				vendor=apple
+				;;
+			-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+				vendor=atari
+				;;
+			-vos*)
+				vendor=stratus
+				;;
+		esac
+		basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+		;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/source3/lib/tdb/configure.ac b/source3/lib/tdb/configure.ac
new file mode 100644
index 0000000000..eaf70d30b4
--- /dev/null
+++ b/source3/lib/tdb/configure.ac
@@ -0,0 +1,30 @@
+AC_PREREQ(2.50)
+AC_DEFUN([SMB_MODULE_DEFAULT], [echo -n ""])
+AC_DEFUN([SMB_LIBRARY_ENABLE], [echo -n ""])
+AC_DEFUN([SMB_ENABLE], [echo -n ""])
+AC_INIT(tdb, 1.1.2)
+AC_CONFIG_SRCDIR([common/tdb.c])
+AC_CONFIG_HEADER(include/config.h)
+AC_LIBREPLACE_ALL_CHECKS
+AC_LD_SONAMEFLAG
+AC_LD_PICFLAG
+AC_LD_SHLIBEXT
+AC_LIBREPLACE_SHLD
+AC_LIBREPLACE_SHLD_FLAGS
+AC_LIBREPLACE_RUNTIME_LIB_PATH_VAR
+m4_include(libtdb.m4)
+AC_PATH_PROGS([PYTHON_CONFIG], [python2.6-config python2.5-config python2.4-config python-config])
+AC_PATH_PROGS([PYTHON], [python2.6 python2.5 python2.4 python])
+
+PYTHON_BUILD_TARGET="build-python"
+PYTHON_INSTALL_TARGET="install-python"
+PYTHON_CHECK_TARGET="check-python"
+AC_SUBST(PYTHON_BUILD_TARGET)
+AC_SUBST(PYTHON_INSTALL_TARGET)
+AC_SUBST(PYTHON_CHECK_TARGET)
+if test -z "$PYTHON_CONFIG"; then
+	PYTHON_BUILD_TARGET=""
+	PYTHON_INSTALL_TARGET=""
+	PYTHON_CHECK_TARGET=""
+fi
+AC_OUTPUT(Makefile tdb.pc)
diff --git a/source3/lib/tdb/docs/README b/source3/lib/tdb/docs/README
new file mode 100644
index 0000000000..63fcf5e049
--- /dev/null
+++ b/source3/lib/tdb/docs/README
@@ -0,0 +1,238 @@
+tdb - a trivial database system
+tridge@linuxcare.com December 1999
+==================================
+
+This is a simple database API. It was inspired by the realisation that
+in Samba we have several ad-hoc bits of code that essentially
+implement small databases for sharing structures between parts of
+Samba. As I was about to add another I realised that a generic
+database module was called for to replace all the ad-hoc bits.
+
+I based the interface on gdbm. I couldn't use gdbm as we need to be
+able to have multiple writers to the databases at one time.
+
+Compilation
+-----------
+
+add HAVE_MMAP=1 to use mmap instead of read/write
+add NOLOCK=1 to disable locking code
+
+Testing
+-------
+
+Compile tdbtest.c and link with gdbm for testing. tdbtest will perform
+identical operations via tdb and gdbm then make sure the result is the
+same
+
+Also included is tdbtool, which allows simple database manipulation
+on the commandline.
+
+tdbtest and tdbtool are not built as part of Samba, but are included
+for completeness.
+
+Interface
+---------
+
+The interface is very similar to gdbm except for the following:
+
+- different open interface. The tdb_open call is more similar to a
+  traditional open()
+- no tdbm_reorganise() function
+- no tdbm_sync() function. No operations are cached in the library anyway
+- added a tdb_traverse() function for traversing the whole database
+- added transactions support
+
+A general rule for using tdb is that the caller frees any returned
+TDB_DATA structures. Just call free(p.dptr) to free a TDB_DATA
+return value called p. This is the same as gdbm.
+
+here is a full list of tdb functions with brief descriptions.
+
+
+----------------------------------------------------------------------
+TDB_CONTEXT *tdb_open(char *name, int hash_size, int tdb_flags,
+		      int open_flags, mode_t mode)
+
+   open the database, creating it if necessary 
+
+   The open_flags and mode are passed straight to the open call on the database
+   file. A flags value of O_WRONLY is invalid
+
+   The hash size is advisory, use zero for a default value. 
+
+   return is NULL on error
+
+   possible tdb_flags are:
+    TDB_CLEAR_IF_FIRST - clear database if we are the only one with it open
+    TDB_INTERNAL - don't use a file, instaed store the data in
+                   memory. The filename is ignored in this case.
+    TDB_NOLOCK - don't do any locking
+    TDB_NOMMAP - don't use mmap
+    TDB_NOSYNC - don't synchronise transactions to disk
+
+----------------------------------------------------------------------
+TDB_CONTEXT *tdb_open_ex(char *name, int hash_size, int tdb_flags,
+		         int open_flags, mode_t mode,
+			 tdb_log_func log_fn,
+			 tdb_hash_func hash_fn)
+
+This is like tdb_open(), but allows you to pass an initial logging and
+hash function. Be careful when passing a hash function - all users of
+the database must use the same hash function or you will get data
+corruption.
+
+
+----------------------------------------------------------------------
+char *tdb_error(TDB_CONTEXT *tdb);
+
+     return a error string for the last tdb error
+
+----------------------------------------------------------------------
+int tdb_close(TDB_CONTEXT *tdb);
+
+   close a database
+
+----------------------------------------------------------------------
+int tdb_update(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf);
+
+   update an entry in place - this only works if the new data size
+   is <= the old data size and the key exists.
+   on failure return -1
+
+----------------------------------------------------------------------
+TDB_DATA tdb_fetch(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   fetch an entry in the database given a key 
+   if the return value has a null dptr then a error occurred
+
+   caller must free the resulting data
+
+----------------------------------------------------------------------
+int tdb_exists(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   check if an entry in the database exists 
+
+   note that 1 is returned if the key is found and 0 is returned if not found
+   this doesn't match the conventions in the rest of this module, but is
+   compatible with gdbm
+
+----------------------------------------------------------------------
+int tdb_traverse(TDB_CONTEXT *tdb, int (*fn)(TDB_CONTEXT *tdb,
+                 TDB_DATA key, TDB_DATA dbuf, void *state), void *state);
+
+   traverse the entire database - calling fn(tdb, key, data, state) on each 
+   element.
+
+   return -1 on error or the record count traversed
+
+   if fn is NULL then it is not called
+
+   a non-zero return value from fn() indicates that the traversal
+   should stop. Traversal callbacks may not start transactions.
+
+   WARNING: The data buffer given to the callback fn does NOT meet the
+   alignment restrictions malloc gives you.
+
+----------------------------------------------------------------------
+int tdb_traverse_read(TDB_CONTEXT *tdb, int (*fn)(TDB_CONTEXT *tdb,
+                     TDB_DATA key, TDB_DATA dbuf, void *state), void *state);
+
+   traverse the entire database - calling fn(tdb, key, data, state) on
+   each element, but marking the database read only during the
+   traversal, so any write operations will fail. This allows tdb to
+   use read locks, which increases the parallelism possible during the
+   traversal.
+
+   return -1 on error or the record count traversed
+
+   if fn is NULL then it is not called
+
+   a non-zero return value from fn() indicates that the traversal
+   should stop. Traversal callbacks may not start transactions.
+
+----------------------------------------------------------------------
+TDB_DATA tdb_firstkey(TDB_CONTEXT *tdb);
+
+   find the first entry in the database and return its key
+
+   the caller must free the returned data
+
+----------------------------------------------------------------------
+TDB_DATA tdb_nextkey(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   find the next entry in the database, returning its key
+
+   the caller must free the returned data
+
+----------------------------------------------------------------------
+int tdb_delete(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   delete an entry in the database given a key
+
+----------------------------------------------------------------------
+int tdb_store(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, int flag);
+
+   store an element in the database, replacing any existing element
+   with the same key 
+
+   If flag==TDB_INSERT then don't overwrite an existing entry
+   If flag==TDB_MODIFY then don't create a new entry
+
+   return 0 on success, -1 on failure
+
+----------------------------------------------------------------------
+int tdb_writelock(TDB_CONTEXT *tdb);
+
+   lock the database. If we already have it locked then don't do anything
+
+----------------------------------------------------------------------
+int tdb_writeunlock(TDB_CONTEXT *tdb);
+   unlock the database
+
+----------------------------------------------------------------------
+int tdb_lockchain(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   lock one hash chain. This is meant to be used to reduce locking
+   contention - it cannot guarantee how many records will be locked
+
+----------------------------------------------------------------------
+int tdb_unlockchain(TDB_CONTEXT *tdb, TDB_DATA key);
+
+   unlock one hash chain
+
+----------------------------------------------------------------------
+int tdb_transaction_start(TDB_CONTEXT *tdb)
+
+   start a transaction. All operations after the transaction start can
+   either be committed with tdb_transaction_commit() or cancelled with
+   tdb_transaction_cancel(). 
+
+   If you call tdb_transaction_start() again on the same tdb context
+   while a transaction is in progress, then the same transaction
+   buffer is re-used. The number of tdb_transaction_{commit,cancel}
+   operations must match the number of successful
+   tdb_transaction_start() calls.
+
+   Note that transactions are by default disk synchronous, and use a
+   recover area in the database to automatically recover the database
+   on the next open if the system crashes during a transaction. You
+   can disable the synchronous transaction recovery setup using the
+   TDB_NOSYNC flag, which will greatly speed up operations at the risk
+   of corrupting your database if the system crashes.
+
+   Operations made within a transaction are not visible to other users
+   of the database until a successful commit.
+
+----------------------------------------------------------------------
+int tdb_transaction_cancel(TDB_CONTEXT *tdb)
+
+   cancel a current transaction, discarding all write and lock
+   operations that have been made since the transaction started.
+
+
+----------------------------------------------------------------------
+int tdb_transaction_commit(TDB_CONTEXT *tdb)
+
+   commit a current transaction, updating the database and releasing
+   the transaction locks.
+
diff --git a/source3/lib/tdb/docs/tdb.magic b/source3/lib/tdb/docs/tdb.magic
new file mode 100644
index 0000000000..f5619e7327
--- /dev/null
+++ b/source3/lib/tdb/docs/tdb.magic
@@ -0,0 +1,10 @@
+# Magic file(1) information about tdb files.
+#
+# Install this into /etc/magic or the corresponding location for your
+# system, or pass as a -m argument to file(1).
+
+# You may use and redistribute this file without restriction.
+
+0	string	TDB\ file		TDB database
+>32	lelong	=0x2601196D		version 6, little-endian
+>>36	lelong	x			hash size %d bytes
diff --git a/source3/lib/tdb/include/tdb.h b/source3/lib/tdb/include/tdb.h
new file mode 100644
index 0000000000..0008085de5
--- /dev/null
+++ b/source3/lib/tdb/include/tdb.h
@@ -0,0 +1,167 @@
+#ifndef __TDB_H__
+#define __TDB_H__
+
+/* 
+   Unix SMB/CIFS implementation.
+
+   trivial database library
+
+   Copyright (C) Andrew Tridgell 1999-2004
+   
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/* flags to tdb_store() */
+#define TDB_REPLACE 1		/* Unused */
+#define TDB_INSERT 2 		/* Don't overwrite an existing entry */
+#define TDB_MODIFY 3		/* Don't create an existing entry    */
+
+/* flags for tdb_open() */
+#define TDB_DEFAULT 0 /* just a readability place holder */
+#define TDB_CLEAR_IF_FIRST 1
+#define TDB_INTERNAL 2 /* don't store on disk */
+#define TDB_NOLOCK   4 /* don't do any locking */
+#define TDB_NOMMAP   8 /* don't use mmap */
+#define TDB_CONVERT 16 /* convert endian (internal use) */
+#define TDB_BIGENDIAN 32 /* header is big-endian (internal use) */
+#define TDB_NOSYNC   64 /* don't use synchronous transactions */
+#define TDB_SEQNUM   128 /* maintain a sequence number */
+#define TDB_VOLATILE   256 /* Activate the per-hashchain freelist, default 5 */
+
+#define TDB_ERRCODE(code, ret) ((tdb->ecode = (code)), ret)
+
+/* error codes */
+enum TDB_ERROR {TDB_SUCCESS=0, TDB_ERR_CORRUPT, TDB_ERR_IO, TDB_ERR_LOCK, 
+		TDB_ERR_OOM, TDB_ERR_EXISTS, TDB_ERR_NOLOCK, TDB_ERR_LOCK_TIMEOUT,
+		TDB_ERR_NOEXIST, TDB_ERR_EINVAL, TDB_ERR_RDONLY};
+
+/* debugging uses one of the following levels */
+enum tdb_debug_level {TDB_DEBUG_FATAL = 0, TDB_DEBUG_ERROR, 
+		      TDB_DEBUG_WARNING, TDB_DEBUG_TRACE};
+
+typedef struct TDB_DATA {
+	unsigned char *dptr;
+	size_t dsize;
+} TDB_DATA;
+
+#ifndef PRINTF_ATTRIBUTE
+#if (__GNUC__ >= 3)
+/** Use gcc attribute to check printf fns.  a1 is the 1-based index of
+ * the parameter containing the format, and a2 the index of the first
+ * argument. Note that some gcc 2.x versions don't handle this
+ * properly **/
+#define PRINTF_ATTRIBUTE(a1, a2) __attribute__ ((format (__printf__, a1, a2)))
+#else
+#define PRINTF_ATTRIBUTE(a1, a2)
+#endif
+#endif
+
+/* this is the context structure that is returned from a db open */
+typedef struct tdb_context TDB_CONTEXT;
+
+typedef int (*tdb_traverse_func)(struct tdb_context *, TDB_DATA, TDB_DATA, void *);
+typedef void (*tdb_log_func)(struct tdb_context *, enum tdb_debug_level, const char *, ...) PRINTF_ATTRIBUTE(3, 4);
+typedef unsigned int (*tdb_hash_func)(TDB_DATA *key);
+
+struct tdb_logging_context {
+        tdb_log_func log_fn;
+        void *log_private;
+};
+
+struct tdb_context *tdb_open(const char *name, int hash_size, int tdb_flags,
+		      int open_flags, mode_t mode);
+struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags,
+			 int open_flags, mode_t mode,
+			 const struct tdb_logging_context *log_ctx,
+			 tdb_hash_func hash_fn);
+void tdb_set_max_dead(struct tdb_context *tdb, int max_dead);
+
+int tdb_reopen(struct tdb_context *tdb);
+int tdb_reopen_all(int parent_longlived);
+void tdb_set_logging_function(struct tdb_context *tdb, const struct tdb_logging_context *log_ctx);
+enum TDB_ERROR tdb_error(struct tdb_context *tdb);
+const char *tdb_errorstr(struct tdb_context *tdb);
+TDB_DATA tdb_fetch(struct tdb_context *tdb, TDB_DATA key);
+int tdb_parse_record(struct tdb_context *tdb, TDB_DATA key,
+		     int (*parser)(TDB_DATA key, TDB_DATA data,
+				   void *private_data),
+		     void *private_data);
+int tdb_delete(struct tdb_context *tdb, TDB_DATA key);
+int tdb_store(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf, int flag);
+int tdb_append(struct tdb_context *tdb, TDB_DATA key, TDB_DATA new_dbuf);
+int tdb_close(struct tdb_context *tdb);
+TDB_DATA tdb_firstkey(struct tdb_context *tdb);
+TDB_DATA tdb_nextkey(struct tdb_context *tdb, TDB_DATA key);
+int tdb_traverse(struct tdb_context *tdb, tdb_traverse_func fn, void *);
+int tdb_traverse_read(struct tdb_context *tdb, tdb_traverse_func fn, void *);
+int tdb_exists(struct tdb_context *tdb, TDB_DATA key);
+int tdb_lockall(struct tdb_context *tdb);
+int tdb_lockall_nonblock(struct tdb_context *tdb);
+int tdb_unlockall(struct tdb_context *tdb);
+int tdb_lockall_read(struct tdb_context *tdb);
+int tdb_lockall_read_nonblock(struct tdb_context *tdb);
+int tdb_unlockall_read(struct tdb_context *tdb);
+int tdb_lockall_mark(struct tdb_context *tdb);
+int tdb_lockall_unmark(struct tdb_context *tdb);
+const char *tdb_name(struct tdb_context *tdb);
+int tdb_fd(struct tdb_context *tdb);
+tdb_log_func tdb_log_fn(struct tdb_context *tdb);
+void *tdb_get_logging_private(struct tdb_context *tdb);
+int tdb_transaction_start(struct tdb_context *tdb);
+int tdb_transaction_commit(struct tdb_context *tdb);
+int tdb_transaction_cancel(struct tdb_context *tdb);
+int tdb_transaction_recover(struct tdb_context *tdb);
+int tdb_get_seqnum(struct tdb_context *tdb);
+int tdb_hash_size(struct tdb_context *tdb);
+size_t tdb_map_size(struct tdb_context *tdb);
+int tdb_get_flags(struct tdb_context *tdb);
+void tdb_add_flags(struct tdb_context *tdb, unsigned flag);
+void tdb_remove_flags(struct tdb_context *tdb, unsigned flag);
+void tdb_enable_seqnum(struct tdb_context *tdb);
+void tdb_increment_seqnum_nonblock(struct tdb_context *tdb);
+
+/* Low level locking functions: use with care */
+int tdb_chainlock(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainlock_nonblock(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainunlock(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainlock_read(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainunlock_read(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainlock_mark(struct tdb_context *tdb, TDB_DATA key);
+int tdb_chainlock_unmark(struct tdb_context *tdb, TDB_DATA key);
+
+void tdb_setalarm_sigptr(struct tdb_context *tdb, volatile sig_atomic_t *sigptr);
+
+/* Debug functions. Not used in production. */
+void tdb_dump_all(struct tdb_context *tdb);
+int tdb_printfreelist(struct tdb_context *tdb);
+int tdb_validate_freelist(struct tdb_context *tdb, int *pnum_entries);
+int tdb_wipe_all(struct tdb_context *tdb);
+int tdb_freelist_size(struct tdb_context *tdb);
+
+extern TDB_DATA tdb_null;
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* tdb.h */
diff --git a/source3/lib/tdb/install-sh b/source3/lib/tdb/install-sh
new file mode 100755
index 0000000000..58719246f0
--- /dev/null
+++ b/source3/lib/tdb/install-sh
@@ -0,0 +1,238 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch.
+#
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+    case $1 in
+	-c) instcmd="$cpprog"
+	    shift
+	    continue;;
+
+	-d) dir_arg=true
+	    shift
+	    continue;;
+
+	-m) chmodcmd="$chmodprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-o) chowncmd="$chownprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-g) chgrpcmd="$chgrpprog $2"
+	    shift
+	    shift
+	    continue;;
+
+	-s) stripcmd="$stripprog"
+	    shift
+	    continue;;
+
+	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+	    shift
+	    continue;;
+
+	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+	    shift
+	    continue;;
+
+	*)  if [ x"$src" = x ]
+	    then
+		src=$1
+	    else
+		# this colon is to work around a 386BSD /bin/sh bug
+		:
+		dst=$1
+	    fi
+	    shift
+	    continue;;
+    esac
+done
+
+if [ x"$src" = x ]
+then
+	echo "install:	no input file specified"
+	exit 1
+else
+	true
+fi
+
+if [ x"$dir_arg" != x ]; then
+	dst=$src
+	src=""
+	
+	if [ -d $dst ]; then
+		instcmd=:
+	else
+		instcmd=mkdir
+	fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad 
+# if $src (and thus $dsttmp) contains '*'.
+
+	if [ -f $src -o -d $src ]
+	then
+		true
+	else
+		echo "install:  $src does not exist"
+		exit 1
+	fi
+	
+	if [ x"$dst" = x ]
+	then
+		echo "install:	no destination specified"
+		exit 1
+	else
+		true
+	fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+	if [ -d $dst ]
+	then
+		dst="$dst"/`basename $src`
+	else
+		true
+	fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+#  this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='	
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+	pathcomp="${pathcomp}${1}"
+	shift
+
+	if [ ! -d "${pathcomp}" ] ;
+        then
+		$mkdirprog "${pathcomp}"
+	else
+		true
+	fi
+
+	pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+	$doit $instcmd $dst &&
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+	if [ x"$transformarg" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		dstfile=`basename $dst $transformbasename | 
+			sed $transformarg`$transformbasename
+	fi
+
+# don't allow the sed command to completely eliminate the filename
+
+	if [ x"$dstfile" = x ] 
+	then
+		dstfile=`basename $dst`
+	else
+		true
+	fi
+
+# Make a temp file name in the proper directory.
+
+	dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+	$doit $instcmd $src $dsttmp &&
+
+	trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing.  If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+	$doit $rmcmd -f $dstdir/$dstfile &&
+	$doit $mvcmd $dsttmp $dstdir/$dstfile 
+
+fi &&
+
+
+exit 0
diff --git a/source3/lib/tdb/libtdb.m4 b/source3/lib/tdb/libtdb.m4
new file mode 100644
index 0000000000..1e17a7a4f2
--- /dev/null
+++ b/source3/lib/tdb/libtdb.m4
@@ -0,0 +1,30 @@
+dnl find the tdb sources. This is meant to work both for 
+dnl tdb standalone builds, and builds of packages using tdb
+tdbdir=""
+tdbpaths="$srcdir $srcdir/lib/tdb $srcdir/tdb $srcdir/../tdb"
+for d in $tdbpaths; do
+	if test -f "$d/common/tdb.c"; then
+		tdbdir="$d"		
+		AC_SUBST(tdbdir)
+		break;
+	fi
+done
+if test x"$tdbdir" = "x"; then
+   AC_MSG_ERROR([cannot find tdb source in $tdbpaths])
+fi
+TDB_OBJ="common/tdb.o common/dump.o common/transaction.o common/error.o common/traverse.o"
+TDB_OBJ="$TDB_OBJ common/freelist.o common/freelistcheck.o common/io.o common/lock.o common/open.o"
+AC_SUBST(TDB_OBJ)
+AC_SUBST(LIBREPLACEOBJ)
+
+TDB_LIBS=""
+AC_SUBST(TDB_LIBS)
+
+TDB_CFLAGS="-I$tdbdir/include"
+AC_SUBST(TDB_CFLAGS)
+
+AC_CHECK_FUNCS(mmap pread pwrite getpagesize utime)
+AC_CHECK_HEADERS(getopt.h sys/select.h sys/time.h)
+
+AC_HAVE_DECL(pread, [#include <unistd.h>])
+AC_HAVE_DECL(pwrite, [#include <unistd.h>])
diff --git a/source3/lib/tdb/python.mk b/source3/lib/tdb/python.mk
new file mode 100644
index 0000000000..12e8217df9
--- /dev/null
+++ b/source3/lib/tdb/python.mk
@@ -0,0 +1,10 @@
+[PYTHON::swig_tdb]
+LIBRARY_REALNAME = _tdb.$(SHLIBEXT)
+PUBLIC_DEPENDENCIES = LIBTDB DYNCONFIG
+
+swig_tdb_OBJ_FILES = $(tdbsrcdir)/tdb_wrap.o
+
+$(eval $(call python_py_module_template,tdb.py,$(tdbsrcdir)/tdb.py))
+
+$(swig_tdb_OBJ_FILES): CFLAGS+=$(CFLAG_NO_UNUSED_MACROS) $(CFLAG_NO_CAST_QUAL)
+
diff --git a/source3/lib/tdb/python/tdbdump.py b/source3/lib/tdb/python/tdbdump.py
new file mode 100644
index 0000000000..d759d771c8
--- /dev/null
+++ b/source3/lib/tdb/python/tdbdump.py
@@ -0,0 +1,12 @@
+#!/usr/bin/python
+# Trivial reimplementation of tdbdump in Python
+
+import tdb, sys
+
+if len(sys.argv) < 2:
+    print "Usage: tdbdump.py <tdb-file>"
+    sys.exit(1)
+
+db = tdb.Tdb(sys.argv[1])
+for (k, v) in db.iteritems():
+    print "{\nkey(%d) = %r\ndata(%d) = %r\n}" % (len(k), k, len(v), v)
diff --git a/source3/lib/tdb/python/tests/simple.py b/source3/lib/tdb/python/tests/simple.py
new file mode 100644
index 0000000000..7147718c91
--- /dev/null
+++ b/source3/lib/tdb/python/tests/simple.py
@@ -0,0 +1,152 @@
+#!/usr/bin/python
+# Some simple tests for the Python bindings for TDB
+# Note that this tests the interface of the Python bindings
+# It does not test tdb itself.
+#
+# Copyright (C) 2007-2008 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU LGPLv3 or later
+
+import tdb
+from unittest import TestCase
+import os, tempfile
+
+
+class OpenTdbTests(TestCase):
+    def test_nonexistant_read(self):
+        self.assertRaises(IOError, tdb.Tdb, "/some/nonexistant/file", 0, tdb.DEFAULT, os.O_RDWR)
+
+
+class SimpleTdbTests(TestCase):
+    def setUp(self):
+        super(SimpleTdbTests, self).setUp()
+        self.tdb = tdb.Tdb(tempfile.mkstemp()[1], 0, tdb.DEFAULT, os.O_CREAT|os.O_RDWR)
+        self.assertNotEqual(None, self.tdb)
+
+    def tearDown(self):
+        del self.tdb
+
+    def test_repr(self):
+        self.assertTrue(repr(self.tdb).startswith("Tdb('"))
+
+    def test_lockall(self):
+        self.tdb.lock_all()
+
+    def test_max_dead(self):
+        self.tdb.max_dead = 20
+
+    def test_unlockall(self):
+        self.tdb.lock_all()
+        self.tdb.unlock_all()
+
+    def test_lockall_read(self):
+        self.tdb.read_lock_all()
+        self.tdb.read_unlock_all()
+
+    def test_reopen(self):
+        self.tdb.reopen()
+
+    def test_store(self):
+        self.tdb.store("bar", "bla")
+        self.assertEquals("bla", self.tdb.get("bar"))
+
+    def test_getitem(self):
+        self.tdb["bar"] = "foo"
+        self.tdb.reopen()
+        self.assertEquals("foo", self.tdb["bar"])
+
+    def test_delete(self):
+        self.tdb["bar"] = "foo"
+        del self.tdb["bar"]
+        self.assertRaises(KeyError, lambda: self.tdb["bar"])
+    
+    def test_contains(self):
+        self.tdb["bla"] = "bloe"
+        self.assertTrue("bla" in self.tdb)
+
+    def test_keyerror(self):
+        self.assertRaises(KeyError, lambda: self.tdb["bla"])
+
+    def test_hash_size(self):
+        self.tdb.hash_size
+
+    def test_map_size(self):
+        self.tdb.map_size
+
+    def test_name(self):
+        self.tdb.name
+
+    def test_iterator(self):
+        self.tdb["bla"] = "1"
+        self.tdb["brainslug"] = "2"
+        self.assertEquals(["bla", "brainslug"], list(self.tdb))
+
+    def test_items(self):
+        self.tdb["bla"] = "1"
+        self.tdb["brainslug"] = "2"
+        self.assertEquals([("bla", "1"), ("brainslug", "2")], self.tdb.items())
+
+    def test_iteritems(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        i = self.tdb.iteritems()
+        self.assertEquals(set([("bla", "25"), ("bloe", "2")]),
+                              set([i.next(), i.next()]))
+
+    def test_transaction_cancel(self):
+        self.tdb["bloe"] = "2"
+        self.tdb.transaction_start()
+        self.tdb["bloe"] = "1"
+        self.tdb.transaction_cancel()
+        self.assertEquals("2", self.tdb["bloe"])
+
+    def test_transaction_commit(self):
+        self.tdb["bloe"] = "2"
+        self.tdb.transaction_start()
+        self.tdb["bloe"] = "1"
+        self.tdb.transaction_commit()
+        self.assertEquals("1", self.tdb["bloe"])
+
+    def test_iterator(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "hoi"
+        i = iter(self.tdb)
+        self.assertEquals(set(["bloe", "bla"]), set([i.next(), i.next()]))
+
+    def test_keys(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        self.assertEquals(["bla", "bloe"], self.tdb.keys())
+
+    def test_iterkeys(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        i = self.tdb.iterkeys()
+        self.assertEquals(set(["bloe", "bla"]), set([i.next(), i.next()]))
+
+    def test_values(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        self.assertEquals(["25", "2"], self.tdb.values())
+
+    def test_itervalues(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        i = self.tdb.itervalues()
+        self.assertEquals(set(["25", "2"]), set([i.next(), i.next()]))
+
+    def test_clear(self):
+        self.tdb["bloe"] = "2"
+        self.tdb["bla"] = "25"
+        self.assertEquals(2, len(self.tdb))
+        self.tdb.clear()
+        self.assertEquals(0, len(self.tdb))
+
+    def test_len(self):
+        self.assertEquals(0, len(self.tdb))
+        self.tdb["entry"] = "value"
+        self.assertEquals(1, len(self.tdb))
+
+
+if __name__ == '__main__':
+    import unittest
+    unittest.TestProgram()
diff --git a/source3/lib/tdb/rules.mk b/source3/lib/tdb/rules.mk
new file mode 100644
index 0000000000..7b765625df
--- /dev/null
+++ b/source3/lib/tdb/rules.mk
@@ -0,0 +1,21 @@
+.SUFFIXES: .i _wrap.c
+
+.i_wrap.c: 
+	$(SWIG) -O -Wall -python -keyword $<
+
+showflags::
+	@echo 'tdb will be compiled with flags:'
+	@echo '  CFLAGS = $(CFLAGS)'
+	@echo '  CPPFLAGS = $(CPPFLAGS)'
+	@echo '  LDFLAGS = $(LDFLAGS)'
+	@echo '  LIBS = $(LIBS)'
+
+.SUFFIXES: .c .o
+
+.c.o:
+	@echo Compiling $*.c
+	@mkdir -p `dirname $@`
+	@$(CC) $(PICFLAG) $(CFLAGS) -c $< -o $@
+
+distclean::
+	rm -f *~ */*~
diff --git a/source3/lib/tdb/tdb.i b/source3/lib/tdb/tdb.i
new file mode 100644
index 0000000000..3d8b697732
--- /dev/null
+++ b/source3/lib/tdb/tdb.i
@@ -0,0 +1,323 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Swig interface to tdb.
+
+   Copyright (C) 2004-2006 Tim Potter <tpot@samba.org>
+   Copyright (C) 2007 Jelmer Vernooij <jelmer@samba.org>
+
+     ** NOTE! The following LGPL license applies to the tdb
+     ** library. This does NOT imply that all of Samba is released
+     ** under the LGPL
+   
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 3 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+
+%define DOCSTRING
+"TDB is a simple key-value database similar to GDBM that supports multiple writers."
+%enddef
+
+%module(docstring=DOCSTRING) tdb
+
+%{
+
+/* This symbol is used in both includes.h and Python.h which causes an
+   annoying compiler warning. */
+
+#ifdef HAVE_FSTAT
+#undef HAVE_FSTAT
+#endif
+
+/* Include tdb headers */
+#include <stdint.h>
+#include <signal.h>
+#include <tdb.h>
+#include <fcntl.h>
+
+typedef TDB_CONTEXT tdb;
+%}
+
+/* The tdb functions will crash if a NULL tdb context is passed */
+
+%import exception.i
+%import stdint.i
+
+%typemap(check,noblock=1) TDB_CONTEXT* {
+	if ($1 == NULL)
+		SWIG_exception(SWIG_ValueError, 
+			"tdb context must be non-NULL");
+}
+
+/* In and out typemaps for the TDB_DATA structure.  This is converted to
+   and from the Python string type which can contain arbitrary binary
+   data.. */
+
+%typemap(in,noblock=1) TDB_DATA {
+    if ($input == Py_None) {
+        $1.dsize = 0;
+        $1.dptr = NULL;
+    } else if (!PyString_Check($input)) {
+		PyErr_SetString(PyExc_TypeError, "string arg expected");
+		return NULL;
+	} else {
+        $1.dsize = PyString_Size($input);
+        $1.dptr = (uint8_t *)PyString_AsString($input);
+    }
+}
+
+%typemap(out,noblock=1) TDB_DATA {
+	if ($1.dptr == NULL && $1.dsize == 0) {
+		$result = Py_None;
+	} else {
+		$result = PyString_FromStringAndSize((const char *)$1.dptr, $1.dsize);
+		free($1.dptr);
+    }
+}
+
+/* Treat a mode_t as an unsigned integer */
+typedef int mode_t;
+
+/* flags to tdb_store() */
+%constant int REPLACE = TDB_REPLACE;
+%constant int INSERT = TDB_INSERT;
+%constant int MODIFY = TDB_MODIFY;
+
+/* flags for tdb_open() */
+%constant int DEFAULT = TDB_DEFAULT;
+%constant int CLEAR_IF_FIRST = TDB_CLEAR_IF_FIRST;
+%constant int INTERNAL = TDB_INTERNAL;
+%constant int NOLOCK = TDB_NOLOCK;
+%constant int NOMMAP = TDB_NOMMAP;
+%constant int CONVERT = TDB_CONVERT;
+%constant int BIGENDIAN = TDB_BIGENDIAN;
+
+enum TDB_ERROR {
+     TDB_SUCCESS=0, 
+     TDB_ERR_CORRUPT, 
+     TDB_ERR_IO, 
+     TDB_ERR_LOCK, 
+     TDB_ERR_OOM, 
+     TDB_ERR_EXISTS, 
+     TDB_ERR_NOLOCK, 
+     TDB_ERR_LOCK_TIMEOUT,
+     TDB_ERR_NOEXIST, 
+     TDB_ERR_EINVAL, 
+     TDB_ERR_RDONLY
+};
+
+%rename(lock_all) tdb_context::lockall;
+%rename(unlock_all) tdb_context::unlockall;
+
+%rename(read_lock_all) tdb_context::lockall_read;
+%rename(read_unlock_all) tdb_context::unlockall_read;
+
+%typemap(default,noblock=1) int tdb_flags {
+    $1 = TDB_DEFAULT;
+}
+
+%typemap(default,noblock=1) int flags {
+    $1 = O_RDWR;
+}
+
+%typemap(default,noblock=1) int hash_size {
+    $1 = 0;
+}
+
+%typemap(default,noblock=1) mode_t mode {
+    $1 = 0600;
+}
+
+%typemap(default,noblock=1) int flag {
+    $1 = TDB_REPLACE;
+}
+
+%rename(Tdb) tdb_context;
+%feature("docstring") tdb_context "A TDB file.";
+%typemap(out,noblock=1) tdb * {
+    /* Throw an IOError exception from errno if tdb_open() returns NULL */
+    if ($1 == NULL) {
+        PyErr_SetFromErrno(PyExc_IOError);
+        SWIG_fail;
+    }
+    $result = SWIG_NewPointerObj($1, $1_descriptor, 0);
+}
+
+typedef struct tdb_context {
+    %extend {
+        %feature("docstring") tdb "S.__init__(name,hash_size=0,tdb_flags=TDB_DEFAULT,flags=O_RDWR,mode=0600)\n"
+                                  "Open a TDB file.";
+        tdb(const char *name, int hash_size, int tdb_flags, int flags, mode_t mode) {
+            return tdb_open(name, hash_size, tdb_flags, flags, mode);
+        }
+        %feature("docstring") error "S.error() -> int\n"
+                                    "Find last error number returned by operation on this TDB.";
+        enum TDB_ERROR error();
+        ~tdb() { tdb_close($self); }
+        %feature("docstring") close "S.close() -> None\n"
+                                    "Close the TDB file.";
+        int close();
+        int append(TDB_DATA key, TDB_DATA new_dbuf);
+        %feature("docstring") errorstr "S.errorstr() -> errorstring\n"
+                                        "Obtain last error message.";
+        const char *errorstr();
+        %rename(get) fetch;
+        %feature("docstring") fetch "S.fetch(key) -> value\n"
+                                        "Fetch a value.";
+        TDB_DATA fetch(TDB_DATA key);
+        %feature("docstring") delete "S.delete(key) -> None\n"
+                                        "Delete an entry.";
+        int delete(TDB_DATA key);
+        %feature("docstring") store "S.store(key, value, flag=TDB_REPLACE) -> None\n"
+                                        "Store an entry.";
+        int store(TDB_DATA key, TDB_DATA dbuf, int flag);
+        %feature("docstring") exists "S.exists(key) -> bool\n"
+                                        "Check whether key exists in this database.";
+        int exists(TDB_DATA key);
+        %feature("docstring") firstkey "S.firstkey() -> data\n"
+                                        "Return the first key in this database.";
+        TDB_DATA firstkey();
+        %feature("docstring") nextkey "S.nextkey(prev) -> data\n"
+                                        "Return the next key in this database.";
+        TDB_DATA nextkey(TDB_DATA key);
+        %feature("docstring") lockall "S.lockall() -> bool";
+        int lockall();
+        %feature("docstring") unlockall "S.unlockall() -> bool";
+        int unlockall();
+        %feature("docstring") unlockall "S.lockall_read() -> bool";
+        int lockall_read();
+        %feature("docstring") unlockall "S.unlockall_read() -> bool";
+        int unlockall_read();
+        %feature("docstring") reopen "S.reopen() -> bool\n"
+                                        "Reopen this file.";
+        int reopen();
+        %feature("docstring") transaction_start "S.transaction_start() -> None\n"
+                                        "Start a new transaction.";
+        int transaction_start();
+        %feature("docstring") transaction_commit "S.transaction_commit() -> None\n"
+                                        "Commit the currently active transaction.";
+        int transaction_commit();
+        %feature("docstring") transaction_cancel "S.transaction_cancel() -> None\n"
+                                        "Cancel the currently active transaction.";
+        int transaction_cancel();
+        int transaction_recover();
+        %feature("docstring") hash_size "S.hash_size() -> int";
+        int hash_size();
+        %feature("docstring") map_size "S.map_size() -> int";
+        size_t map_size();
+        %feature("docstring") get_flags "S.get_flags() -> int";
+        int get_flags();
+        %feature("docstring") set_max_dead "S.set_max_dead(int) -> None";
+        void set_max_dead(int max_dead);
+        %feature("docstring") name "S.name() -> path\n" \
+                                   "Return filename of this TDB file.";
+        const char *name();
+    }
+
+    %pythoncode {
+    def __repr__(self):
+        return "Tdb('%s')" % self.name()
+
+    # Random access to keys, values
+    def __getitem__(self, key):
+        result = self.get(key)
+        if result is None:
+            raise KeyError, '%s: %s' % (key, self.errorstr())
+        return result
+
+    def __setitem__(self, key, item):
+        if self.store(key, item) == -1:
+            raise IOError, self.errorstr()
+
+    def __delitem__(self, key):
+        if not self.exists(key):
+            raise KeyError, '%s: %s' % (key, self.errorstr())
+        self.delete(key)
+
+    def __contains__(self, key):
+        return self.exists(key) != 0
+
+    def has_key(self, key):
+        return self.exists(key) != 0
+
+    def fetch_uint32(self, key):
+        data = self.get(key)
+        if data is None:
+            return None
+        import struct
+        return struct.unpack("<L", data)[0]
+
+    def fetch_int32(self, key):
+        data = self.get(key)
+        if data is None:
+            return None
+        import struct
+        return struct.unpack("<l", data)[0]
+
+    # Tdb iterator
+    class TdbIterator:
+        def __init__(self, tdb):
+            self.tdb = tdb
+            self.key = None
+
+        def __iter__(self):
+            return self
+            
+        def next(self):
+            if self.key is None:
+                self.key = self.tdb.firstkey()
+                if self.key is None:
+                    raise StopIteration
+                return self.key
+            else:
+                self.key = self.tdb.nextkey(self.key)
+                if self.key is None:
+                    raise StopIteration
+                return self.key
+
+    def __iter__(self):
+        return self.TdbIterator(self)
+
+    # Implement other dict functions using TdbIterator
+
+    def keys(self):
+        return [k for k in iter(self)]
+
+    def values(self):
+        return [self[k] for k in iter(self)]
+
+    def items(self):
+        return [(k, self[k]) for k in iter(self)]
+
+    def __len__(self):
+        return len(self.keys())
+
+    def clear(self):
+        for k in iter(self):
+            del(self[k])
+
+    def iterkeys(self):
+        for k in iter(self):
+            yield k
+       
+    def itervalues(self):
+        for k in iter(self):
+            yield self[k]
+
+    def iteritems(self):
+        for k in iter(self):
+            yield (k, self[k])
+
+    # TODO: any other missing methods for container types
+    }
+} tdb;
diff --git a/source3/lib/tdb/tdb.mk b/source3/lib/tdb/tdb.mk
new file mode 100644
index 0000000000..fa8db6d34c
--- /dev/null
+++ b/source3/lib/tdb/tdb.mk
@@ -0,0 +1,86 @@
+dirs::
+	@mkdir -p bin common tools
+
+PROGS = bin/tdbtool$(EXEEXT) bin/tdbdump$(EXEEXT) bin/tdbbackup$(EXEEXT)
+PROGS_NOINSTALL = bin/tdbtest$(EXEEXT) bin/tdbtorture$(EXEEXT)
+ALL_PROGS = $(PROGS) $(PROGS_NOINSTALL)
+
+TDB_SONAME = libtdb.$(SHLIBEXT).1
+TDB_SOLIB = libtdb.$(SHLIBEXT).$(PACKAGE_VERSION)
+
+TDB_LIB = libtdb.a
+
+bin/tdbtest$(EXEEXT): tools/tdbtest.o $(TDB_LIB)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o bin/tdbtest tools/tdbtest.o -L. -ltdb -lgdbm
+
+bin/tdbtool$(EXEEXT): tools/tdbtool.o $(TDB_LIB)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o bin/tdbtool tools/tdbtool.o -L. -ltdb
+
+bin/tdbtorture$(EXEEXT): tools/tdbtorture.o $(TDB_LIB)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o bin/tdbtorture tools/tdbtorture.o -L. -ltdb
+
+bin/tdbdump$(EXEEXT): tools/tdbdump.o $(TDB_LIB)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o bin/tdbdump tools/tdbdump.o -L. -ltdb
+
+bin/tdbbackup$(EXEEXT): tools/tdbbackup.o $(TDB_LIB)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o bin/tdbbackup tools/tdbbackup.o -L. -ltdb
+
+test:: bin/tdbtorture$(EXEEXT) $(TDB_SONAME)
+	$(LIB_PATH_VAR)=. bin/tdbtorture$(EXEEXT)
+
+clean:: 
+	rm -f test.db test.tdb torture.tdb test.gdbm
+	rm -f $(TDB_SONAME) $(TDB_SOLIB) libtdb.a libtdb.$(SHLIBEXT)
+	rm -f $(ALL_PROGS) tdb.pc
+
+build-python:: _tdb.$(SHLIBEXT) 
+
+tdb_wrap.o: $(tdbdir)/tdb_wrap.c
+	$(CC) $(PICFLAG) -c $(tdbdir)/tdb_wrap.c $(CFLAGS) `$(PYTHON_CONFIG) --cflags`
+
+_tdb.$(SHLIBEXT): libtdb.$(SHLIBEXT) tdb_wrap.o
+	$(SHLD) $(SHLD_FLAGS) -o $@ tdb_wrap.o -L. -ltdb `$(PYTHON_CONFIG) --ldflags`
+
+install:: installdirs installbin installheaders installlibs \
+		  $(PYTHON_INSTALL_TARGET)
+
+install-python:: build-python
+	mkdir -p $(DESTDIR)`$(PYTHON) -c "import distutils.sysconfig; print distutils.sysconfig.get_python_lib(0, prefix='$(prefix)')"` \
+		$(DESTDIR)`$(PYTHON) -c "import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1, prefix='$(prefix)')"`
+	cp $(tdbdir)/tdb.py $(DESTDIR)`$(PYTHON) -c "import distutils.sysconfig; print distutils.sysconfig.get_python_lib(0, prefix='$(prefix)')"`
+	cp _tdb.$(SHLIBEXT) $(DESTDIR)`$(PYTHON) -c "import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1, prefix='$(prefix)')"`
+
+check-python:: build-python $(TDB_SONAME)
+	$(LIB_PATH_VAR)=. PYTHONPATH=".:$(tdbdir)" $(PYTHON) $(tdbdir)/python/tests/simple.py
+
+install-swig::
+	mkdir -p $(DESTDIR)`$(SWIG) -swiglib`
+	cp tdb.i $(DESTDIR)`$(SWIG) -swiglib`
+
+clean::
+	rm -f _tdb.$(SHLIBEXT)
+
+installdirs::
+	mkdir -p $(DESTDIR)$(bindir)
+	mkdir -p $(DESTDIR)$(includedir)
+	mkdir -p $(DESTDIR)$(libdir) 
+	mkdir -p $(DESTDIR)$(libdir)/pkgconfig
+
+installbin:: all installdirs
+	cp $(PROGS) $(DESTDIR)$(bindir)
+
+installheaders:: installdirs
+	cp $(srcdir)/include/tdb.h $(DESTDIR)$(includedir)
+
+installlibs:: all installdirs
+	cp tdb.pc $(DESTDIR)$(libdir)/pkgconfig
+	cp libtdb.a $(TDB_SOLIB) $(DESTDIR)$(libdir)
+
+libtdb.a: $(TDB_OBJ)
+	ar -rv libtdb.a $(TDB_OBJ)
+
+libtdb.$(SHLIBEXT): $(TDB_SOLIB)
+	ln -fs $< $@
+
+$(TDB_SONAME): $(TDB_SOLIB)
+	ln -fs $< $@
diff --git a/source3/lib/tdb/tdb.pc.in b/source3/lib/tdb/tdb.pc.in
new file mode 100644
index 0000000000..6f8f553736
--- /dev/null
+++ b/source3/lib/tdb/tdb.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: tdb
+Description: A trivial database
+Version: @PACKAGE_VERSION@
+Libs: -L${libdir} -ltdb
+Cflags: -I${includedir} 
+URL: http://tdb.samba.org/
diff --git a/source3/lib/tdb/tdb.py b/source3/lib/tdb/tdb.py
new file mode 100644
index 0000000000..9f306bab8c
--- /dev/null
+++ b/source3/lib/tdb/tdb.py
@@ -0,0 +1,341 @@
+# This file was automatically generated by SWIG (http://www.swig.org).
+# Version 1.3.35
+#
+# Don't modify this file, modify the SWIG interface instead.
+
+"""
+TDB is a simple key-value database similar to GDBM that supports multiple writers.
+"""
+
+import _tdb
+import new
+new_instancemethod = new.instancemethod
+try:
+    _swig_property = property
+except NameError:
+    pass # Python < 2.2 doesn't have 'property'.
+def _swig_setattr_nondynamic(self,class_type,name,value,static=1):
+    if (name == "thisown"): return self.this.own(value)
+    if (name == "this"):
+        if type(value).__name__ == 'PySwigObject':
+            self.__dict__[name] = value
+            return
+    method = class_type.__swig_setmethods__.get(name,None)
+    if method: return method(self,value)
+    if (not static) or hasattr(self,name):
+        self.__dict__[name] = value
+    else:
+        raise AttributeError("You cannot add attributes to %s" % self)
+
+def _swig_setattr(self,class_type,name,value):
+    return _swig_setattr_nondynamic(self,class_type,name,value,0)
+
+def _swig_getattr(self,class_type,name):
+    if (name == "thisown"): return self.this.own()
+    method = class_type.__swig_getmethods__.get(name,None)
+    if method: return method(self)
+    raise AttributeError,name
+
+def _swig_repr(self):
+    try: strthis = "proxy of " + self.this.__repr__()
+    except: strthis = ""
+    return "<%s.%s; %s >" % (self.__class__.__module__, self.__class__.__name__, strthis,)
+
+import types
+try:
+    _object = types.ObjectType
+    _newclass = 1
+except AttributeError:
+    class _object : pass
+    _newclass = 0
+del types
+
+
+def _swig_setattr_nondynamic_method(set):
+    def set_attr(self,name,value):
+        if (name == "thisown"): return self.this.own(value)
+        if hasattr(self,name) or (name == "this"):
+            set(self,name,value)
+        else:
+            raise AttributeError("You cannot add attributes to %s" % self)
+    return set_attr
+
+
+REPLACE = _tdb.REPLACE
+INSERT = _tdb.INSERT
+MODIFY = _tdb.MODIFY
+DEFAULT = _tdb.DEFAULT
+CLEAR_IF_FIRST = _tdb.CLEAR_IF_FIRST
+INTERNAL = _tdb.INTERNAL
+NOLOCK = _tdb.NOLOCK
+NOMMAP = _tdb.NOMMAP
+CONVERT = _tdb.CONVERT
+BIGENDIAN = _tdb.BIGENDIAN
+TDB_SUCCESS = _tdb.TDB_SUCCESS
+TDB_ERR_CORRUPT = _tdb.TDB_ERR_CORRUPT
+TDB_ERR_IO = _tdb.TDB_ERR_IO
+TDB_ERR_LOCK = _tdb.TDB_ERR_LOCK
+TDB_ERR_OOM = _tdb.TDB_ERR_OOM
+TDB_ERR_EXISTS = _tdb.TDB_ERR_EXISTS
+TDB_ERR_NOLOCK = _tdb.TDB_ERR_NOLOCK
+TDB_ERR_LOCK_TIMEOUT = _tdb.TDB_ERR_LOCK_TIMEOUT
+TDB_ERR_NOEXIST = _tdb.TDB_ERR_NOEXIST
+TDB_ERR_EINVAL = _tdb.TDB_ERR_EINVAL
+TDB_ERR_RDONLY = _tdb.TDB_ERR_RDONLY
+class Tdb(object):
+    """A TDB file."""
+    thisown = _swig_property(lambda x: x.this.own(), lambda x, v: x.this.own(v), doc='The membership flag')
+    __repr__ = _swig_repr
+    def __init__(self, *args, **kwargs): 
+        """
+        S.__init__(name,hash_size=0,tdb_flags=TDB_DEFAULT,flags=O_RDWR,mode=0600)
+        Open a TDB file.
+        """
+        _tdb.Tdb_swiginit(self,_tdb.new_Tdb(*args, **kwargs))
+    def error(*args, **kwargs):
+        """
+        S.error() -> int
+        Find last error number returned by operation on this TDB.
+        """
+        return _tdb.Tdb_error(*args, **kwargs)
+
+    __swig_destroy__ = _tdb.delete_Tdb
+    def close(*args, **kwargs):
+        """
+        S.close() -> None
+        Close the TDB file.
+        """
+        return _tdb.Tdb_close(*args, **kwargs)
+
+    def errorstr(*args, **kwargs):
+        """
+        S.errorstr() -> errorstring
+        Obtain last error message.
+        """
+        return _tdb.Tdb_errorstr(*args, **kwargs)
+
+    def get(*args, **kwargs):
+        """
+        S.fetch(key) -> value
+        Fetch a value.
+        """
+        return _tdb.Tdb_get(*args, **kwargs)
+
+    def delete(*args, **kwargs):
+        """
+        S.delete(key) -> None
+        Delete an entry.
+        """
+        return _tdb.Tdb_delete(*args, **kwargs)
+
+    def store(*args, **kwargs):
+        """
+        S.store(key, value, flag=TDB_REPLACE) -> None
+        Store an entry.
+        """
+        return _tdb.Tdb_store(*args, **kwargs)
+
+    def exists(*args, **kwargs):
+        """
+        S.exists(key) -> bool
+        Check whether key exists in this database.
+        """
+        return _tdb.Tdb_exists(*args, **kwargs)
+
+    def firstkey(*args, **kwargs):
+        """
+        S.firstkey() -> data
+        Return the first key in this database.
+        """
+        return _tdb.Tdb_firstkey(*args, **kwargs)
+
+    def nextkey(*args, **kwargs):
+        """
+        S.nextkey(prev) -> data
+        Return the next key in this database.
+        """
+        return _tdb.Tdb_nextkey(*args, **kwargs)
+
+    def lock_all(*args, **kwargs):
+        """S.lockall() -> bool"""
+        return _tdb.Tdb_lock_all(*args, **kwargs)
+
+    def unlock_all(*args, **kwargs):
+        """S.unlockall() -> bool"""
+        return _tdb.Tdb_unlock_all(*args, **kwargs)
+
+    def reopen(*args, **kwargs):
+        """
+        S.reopen() -> bool
+        Reopen this file.
+        """
+        return _tdb.Tdb_reopen(*args, **kwargs)
+
+    def transaction_start(*args, **kwargs):
+        """
+        S.transaction_start() -> None
+        Start a new transaction.
+        """
+        return _tdb.Tdb_transaction_start(*args, **kwargs)
+
+    def transaction_commit(*args, **kwargs):
+        """
+        S.transaction_commit() -> None
+        Commit the currently active transaction.
+        """
+        return _tdb.Tdb_transaction_commit(*args, **kwargs)
+
+    def transaction_cancel(*args, **kwargs):
+        """
+        S.transaction_cancel() -> None
+        Cancel the currently active transaction.
+        """
+        return _tdb.Tdb_transaction_cancel(*args, **kwargs)
+
+    def hash_size(*args, **kwargs):
+        """S.hash_size() -> int"""
+        return _tdb.Tdb_hash_size(*args, **kwargs)
+
+    def map_size(*args, **kwargs):
+        """S.map_size() -> int"""
+        return _tdb.Tdb_map_size(*args, **kwargs)
+
+    def get_flags(*args, **kwargs):
+        """S.get_flags() -> int"""
+        return _tdb.Tdb_get_flags(*args, **kwargs)
+
+    def set_max_dead(*args, **kwargs):
+        """S.set_max_dead(int) -> None"""
+        return _tdb.Tdb_set_max_dead(*args, **kwargs)
+
+    def name(*args, **kwargs):
+        """
+        S.name() -> path
+        Return filename of this TDB file.
+        """
+        return _tdb.Tdb_name(*args, **kwargs)
+
+    def __repr__(self):
+        return "Tdb('%s')" % self.name()
+
+
+    def __getitem__(self, key):
+        result = self.get(key)
+        if result is None:
+            raise KeyError, '%s: %s' % (key, self.errorstr())
+        return result
+
+    def __setitem__(self, key, item):
+        if self.store(key, item) == -1:
+            raise IOError, self.errorstr()
+
+    def __delitem__(self, key):
+        if not self.exists(key):
+            raise KeyError, '%s: %s' % (key, self.errorstr())
+        self.delete(key)
+
+    def __contains__(self, key):
+        return self.exists(key) != 0
+
+    def has_key(self, key):
+        return self.exists(key) != 0
+
+    def fetch_uint32(self, key):
+        data = self.get(key)
+        if data is None:
+            return None
+        import struct
+        return struct.unpack("<L", data)[0]
+
+    def fetch_int32(self, key):
+        data = self.get(key)
+        if data is None:
+            return None
+        import struct
+        return struct.unpack("<l", data)[0]
+
+
+    class TdbIterator:
+        def __init__(self, tdb):
+            self.tdb = tdb
+            self.key = None
+
+        def __iter__(self):
+            return self
+            
+        def next(self):
+            if self.key is None:
+                self.key = self.tdb.firstkey()
+                if self.key is None:
+                    raise StopIteration
+                return self.key
+            else:
+                self.key = self.tdb.nextkey(self.key)
+                if self.key is None:
+                    raise StopIteration
+                return self.key
+
+    def __iter__(self):
+        return self.TdbIterator(self)
+
+
+
+    def keys(self):
+        return [k for k in iter(self)]
+
+    def values(self):
+        return [self[k] for k in iter(self)]
+
+    def items(self):
+        return [(k, self[k]) for k in iter(self)]
+
+    def __len__(self):
+        return len(self.keys())
+
+    def clear(self):
+        for k in iter(self):
+            del(self[k])
+
+    def iterkeys(self):
+        for k in iter(self):
+            yield k
+       
+    def itervalues(self):
+        for k in iter(self):
+            yield self[k]
+
+    def iteritems(self):
+        for k in iter(self):
+            yield (k, self[k])
+
+
+
+Tdb.error = new_instancemethod(_tdb.Tdb_error,None,Tdb)
+Tdb.close = new_instancemethod(_tdb.Tdb_close,None,Tdb)
+Tdb.append = new_instancemethod(_tdb.Tdb_append,None,Tdb)
+Tdb.errorstr = new_instancemethod(_tdb.Tdb_errorstr,None,Tdb)
+Tdb.get = new_instancemethod(_tdb.Tdb_get,None,Tdb)
+Tdb.delete = new_instancemethod(_tdb.Tdb_delete,None,Tdb)
+Tdb.store = new_instancemethod(_tdb.Tdb_store,None,Tdb)
+Tdb.exists = new_instancemethod(_tdb.Tdb_exists,None,Tdb)
+Tdb.firstkey = new_instancemethod(_tdb.Tdb_firstkey,None,Tdb)
+Tdb.nextkey = new_instancemethod(_tdb.Tdb_nextkey,None,Tdb)
+Tdb.lock_all = new_instancemethod(_tdb.Tdb_lock_all,None,Tdb)
+Tdb.unlock_all = new_instancemethod(_tdb.Tdb_unlock_all,None,Tdb)
+Tdb.read_lock_all = new_instancemethod(_tdb.Tdb_read_lock_all,None,Tdb)
+Tdb.read_unlock_all = new_instancemethod(_tdb.Tdb_read_unlock_all,None,Tdb)
+Tdb.reopen = new_instancemethod(_tdb.Tdb_reopen,None,Tdb)
+Tdb.transaction_start = new_instancemethod(_tdb.Tdb_transaction_start,None,Tdb)
+Tdb.transaction_commit = new_instancemethod(_tdb.Tdb_transaction_commit,None,Tdb)
+Tdb.transaction_cancel = new_instancemethod(_tdb.Tdb_transaction_cancel,None,Tdb)
+Tdb.transaction_recover = new_instancemethod(_tdb.Tdb_transaction_recover,None,Tdb)
+Tdb.hash_size = new_instancemethod(_tdb.Tdb_hash_size,None,Tdb)
+Tdb.map_size = new_instancemethod(_tdb.Tdb_map_size,None,Tdb)
+Tdb.get_flags = new_instancemethod(_tdb.Tdb_get_flags,None,Tdb)
+Tdb.set_max_dead = new_instancemethod(_tdb.Tdb_set_max_dead,None,Tdb)
+Tdb.name = new_instancemethod(_tdb.Tdb_name,None,Tdb)
+Tdb_swigregister = _tdb.Tdb_swigregister
+Tdb_swigregister(Tdb)
+
+
+
diff --git a/source3/lib/tdb/tdb_wrap.c b/source3/lib/tdb/tdb_wrap.c
new file mode 100644
index 0000000000..32665d79fd
--- /dev/null
+++ b/source3/lib/tdb/tdb_wrap.c
@@ -0,0 +1,4307 @@
+/* ----------------------------------------------------------------------------
+ * This file was automatically generated by SWIG (http://www.swig.org).
+ * Version 1.3.35
+ * 
+ * This file is not intended to be easily readable and contains a number of 
+ * coding conventions designed to improve portability and efficiency. Do not make
+ * changes to this file unless you know what you are doing--modify the SWIG 
+ * interface file instead. 
+ * ----------------------------------------------------------------------------- */
+
+#define SWIGPYTHON
+#define SWIG_PYTHON_NO_BUILD_NONE
+/* -----------------------------------------------------------------------------
+ *  This section contains generic SWIG labels for method/variable
+ *  declarations/attributes, and other compiler dependent labels.
+ * ----------------------------------------------------------------------------- */
+
+/* template workaround for compilers that cannot correctly implement the C++ standard */
+#ifndef SWIGTEMPLATEDISAMBIGUATOR
+# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560)
+#  define SWIGTEMPLATEDISAMBIGUATOR template
+# elif defined(__HP_aCC)
+/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */
+/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */
+#  define SWIGTEMPLATEDISAMBIGUATOR template
+# else
+#  define SWIGTEMPLATEDISAMBIGUATOR
+# endif
+#endif
+
+/* inline attribute */
+#ifndef SWIGINLINE
+# if defined(__cplusplus) || (defined(__GNUC__) && !defined(__STRICT_ANSI__))
+#   define SWIGINLINE inline
+# else
+#   define SWIGINLINE
+# endif
+#endif
+
+/* attribute recognised by some compilers to avoid 'unused' warnings */
+#ifndef SWIGUNUSED
+# if defined(__GNUC__)
+#   if !(defined(__cplusplus)) || (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
+#     define SWIGUNUSED __attribute__ ((__unused__)) 
+#   else
+#     define SWIGUNUSED
+#   endif
+# elif defined(__ICC)
+#   define SWIGUNUSED __attribute__ ((__unused__)) 
+# else
+#   define SWIGUNUSED 
+# endif
+#endif
+
+#ifndef SWIGUNUSEDPARM
+# ifdef __cplusplus
+#   define SWIGUNUSEDPARM(p)
+# else
+#   define SWIGUNUSEDPARM(p) p SWIGUNUSED 
+# endif
+#endif
+
+/* internal SWIG method */
+#ifndef SWIGINTERN
+# define SWIGINTERN static SWIGUNUSED
+#endif
+
+/* internal inline SWIG method */
+#ifndef SWIGINTERNINLINE
+# define SWIGINTERNINLINE SWIGINTERN SWIGINLINE
+#endif
+
+/* exporting methods */
+#if (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
+#  ifndef GCC_HASCLASSVISIBILITY
+#    define GCC_HASCLASSVISIBILITY
+#  endif
+#endif
+
+#ifndef SWIGEXPORT
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   if defined(STATIC_LINKED)
+#     define SWIGEXPORT
+#   else
+#     define SWIGEXPORT __declspec(dllexport)
+#   endif
+# else
+#   if defined(__GNUC__) && defined(GCC_HASCLASSVISIBILITY)
+#     define SWIGEXPORT __attribute__ ((visibility("default")))
+#   else
+#     define SWIGEXPORT
+#   endif
+# endif
+#endif
+
+/* calling conventions for Windows */
+#ifndef SWIGSTDCALL
+# if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#   define SWIGSTDCALL __stdcall
+# else
+#   define SWIGSTDCALL
+# endif 
+#endif
+
+/* Deal with Microsoft's attempt at deprecating C standard runtime functions */
+#if !defined(SWIG_NO_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+# define _CRT_SECURE_NO_DEPRECATE
+#endif
+
+/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */
+#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE)
+# define _SCL_SECURE_NO_DEPRECATE
+#endif
+
+
+
+/* Python.h has to appear first */
+#include <Python.h>
+
+/* -----------------------------------------------------------------------------
+ * swigrun.swg
+ *
+ * This file contains generic CAPI SWIG runtime support for pointer
+ * type checking.
+ * ----------------------------------------------------------------------------- */
+
+/* This should only be incremented when either the layout of swig_type_info changes,
+   or for whatever reason, the runtime changes incompatibly */
+#define SWIG_RUNTIME_VERSION "4"
+
+/* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */
+#ifdef SWIG_TYPE_TABLE
+# define SWIG_QUOTE_STRING(x) #x
+# define SWIG_EXPAND_AND_QUOTE_STRING(x) SWIG_QUOTE_STRING(x)
+# define SWIG_TYPE_TABLE_NAME SWIG_EXPAND_AND_QUOTE_STRING(SWIG_TYPE_TABLE)
+#else
+# define SWIG_TYPE_TABLE_NAME
+#endif
+
+/*
+  You can use the SWIGRUNTIME and SWIGRUNTIMEINLINE macros for
+  creating a static or dynamic library from the swig runtime code.
+  In 99.9% of the cases, swig just needs to declare them as 'static'.
+  
+  But only do this if is strictly necessary, ie, if you have problems
+  with your compiler or so.
+*/
+
+#ifndef SWIGRUNTIME
+# define SWIGRUNTIME SWIGINTERN
+#endif
+
+#ifndef SWIGRUNTIMEINLINE
+# define SWIGRUNTIMEINLINE SWIGRUNTIME SWIGINLINE
+#endif
+
+/*  Generic buffer size */
+#ifndef SWIG_BUFFER_SIZE
+# define SWIG_BUFFER_SIZE 1024
+#endif
+
+/* Flags for pointer conversions */
+#define SWIG_POINTER_DISOWN        0x1
+#define SWIG_CAST_NEW_MEMORY       0x2
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_OWN           0x1
+
+
+/* 
+   Flags/methods for returning states.
+   
+   The swig conversion methods, as ConvertPtr, return and integer 
+   that tells if the conversion was successful or not. And if not,
+   an error code can be returned (see swigerrors.swg for the codes).
+   
+   Use the following macros/flags to set or process the returning
+   states.
+   
+   In old swig versions, you usually write code as:
+
+     if (SWIG_ConvertPtr(obj,vptr,ty.flags) != -1) {
+       // success code
+     } else {
+       //fail code
+     }
+
+   Now you can be more explicit as:
+
+    int res = SWIG_ConvertPtr(obj,vptr,ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+    } else {
+      // fail code
+    }
+
+   that seems to be the same, but now you can also do
+
+    Type *ptr;
+    int res = SWIG_ConvertPtr(obj,(void **)(&ptr),ty.flags);
+    if (SWIG_IsOK(res)) {
+      // success code
+      if (SWIG_IsNewObj(res) {
+        ...
+	delete *ptr;
+      } else {
+        ...
+      }
+    } else {
+      // fail code
+    }
+    
+   I.e., now SWIG_ConvertPtr can return new objects and you can
+   identify the case and take care of the deallocation. Of course that
+   requires also to SWIG_ConvertPtr to return new result values, as
+
+      int SWIG_ConvertPtr(obj, ptr,...) {         
+        if (<obj is ok>) {			       
+          if (<need new object>) {		       
+            *ptr = <ptr to new allocated object>; 
+            return SWIG_NEWOBJ;		       
+          } else {				       
+            *ptr = <ptr to old object>;	       
+            return SWIG_OLDOBJ;		       
+          } 				       
+        } else {				       
+          return SWIG_BADOBJ;		       
+        }					       
+      }
+
+   Of course, returning the plain '0(success)/-1(fail)' still works, but you can be
+   more explicit by returning SWIG_BADOBJ, SWIG_ERROR or any of the
+   swig errors code.
+
+   Finally, if the SWIG_CASTRANK_MODE is enabled, the result code
+   allows to return the 'cast rank', for example, if you have this
+
+       int food(double)
+       int fooi(int);
+
+   and you call
+ 
+      food(1)   // cast rank '1'  (1 -> 1.0)
+      fooi(1)   // cast rank '0'
+
+   just use the SWIG_AddCast()/SWIG_CheckState()
+
+
+ */
+#define SWIG_OK                    (0) 
+#define SWIG_ERROR                 (-1)
+#define SWIG_IsOK(r)               (r >= 0)
+#define SWIG_ArgError(r)           ((r != SWIG_ERROR) ? r : SWIG_TypeError)  
+
+/* The CastRankLimit says how many bits are used for the cast rank */
+#define SWIG_CASTRANKLIMIT         (1 << 8)
+/* The NewMask denotes the object was created (using new/malloc) */
+#define SWIG_NEWOBJMASK            (SWIG_CASTRANKLIMIT  << 1)
+/* The TmpMask is for in/out typemaps that use temporal objects */
+#define SWIG_TMPOBJMASK            (SWIG_NEWOBJMASK << 1)
+/* Simple returning values */
+#define SWIG_BADOBJ                (SWIG_ERROR)
+#define SWIG_OLDOBJ                (SWIG_OK)
+#define SWIG_NEWOBJ                (SWIG_OK | SWIG_NEWOBJMASK)
+#define SWIG_TMPOBJ                (SWIG_OK | SWIG_TMPOBJMASK)
+/* Check, add and del mask methods */
+#define SWIG_AddNewMask(r)         (SWIG_IsOK(r) ? (r | SWIG_NEWOBJMASK) : r)
+#define SWIG_DelNewMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_NEWOBJMASK) : r)
+#define SWIG_IsNewObj(r)           (SWIG_IsOK(r) && (r & SWIG_NEWOBJMASK))
+#define SWIG_AddTmpMask(r)         (SWIG_IsOK(r) ? (r | SWIG_TMPOBJMASK) : r)
+#define SWIG_DelTmpMask(r)         (SWIG_IsOK(r) ? (r & ~SWIG_TMPOBJMASK) : r)
+#define SWIG_IsTmpObj(r)           (SWIG_IsOK(r) && (r & SWIG_TMPOBJMASK))
+
+
+/* Cast-Rank Mode */
+#if defined(SWIG_CASTRANK_MODE)
+#  ifndef SWIG_TypeRank
+#    define SWIG_TypeRank             unsigned long
+#  endif
+#  ifndef SWIG_MAXCASTRANK            /* Default cast allowed */
+#    define SWIG_MAXCASTRANK          (2)
+#  endif
+#  define SWIG_CASTRANKMASK          ((SWIG_CASTRANKLIMIT) -1)
+#  define SWIG_CastRank(r)           (r & SWIG_CASTRANKMASK)
+SWIGINTERNINLINE int SWIG_AddCast(int r) { 
+  return SWIG_IsOK(r) ? ((SWIG_CastRank(r) < SWIG_MAXCASTRANK) ? (r + 1) : SWIG_ERROR) : r;
+}
+SWIGINTERNINLINE int SWIG_CheckState(int r) { 
+  return SWIG_IsOK(r) ? SWIG_CastRank(r) + 1 : 0; 
+}
+#else /* no cast-rank mode */
+#  define SWIG_AddCast
+#  define SWIG_CheckState(r) (SWIG_IsOK(r) ? 1 : 0)
+#endif
+
+
+
+
+#include <string.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef void *(*swig_converter_func)(void *, int *);
+typedef struct swig_type_info *(*swig_dycast_func)(void **);
+
+/* Structure to store information on one type */
+typedef struct swig_type_info {
+  const char             *name;			/* mangled name of this type */
+  const char             *str;			/* human readable name of this type */
+  swig_dycast_func        dcast;		/* dynamic cast function down a hierarchy */
+  struct swig_cast_info  *cast;			/* linked list of types that can cast into this type */
+  void                   *clientdata;		/* language specific type data */
+  int                    owndata;		/* flag if the structure owns the clientdata */
+} swig_type_info;
+
+/* Structure to store a type and conversion function used for casting */
+typedef struct swig_cast_info {
+  swig_type_info         *type;			/* pointer to type that is equivalent to this type */
+  swig_converter_func     converter;		/* function to cast the void pointers */
+  struct swig_cast_info  *next;			/* pointer to next cast in linked list */
+  struct swig_cast_info  *prev;			/* pointer to the previous cast */
+} swig_cast_info;
+
+/* Structure used to store module information
+ * Each module generates one structure like this, and the runtime collects
+ * all of these structures and stores them in a circularly linked list.*/
+typedef struct swig_module_info {
+  swig_type_info         **types;		/* Array of pointers to swig_type_info structures that are in this module */
+  size_t                 size;		        /* Number of types in this module */
+  struct swig_module_info *next;		/* Pointer to next element in circularly linked list */
+  swig_type_info         **type_initial;	/* Array of initially generated type structures */
+  swig_cast_info         **cast_initial;	/* Array of initially generated casting structures */
+  void                    *clientdata;		/* Language specific module data */
+} swig_module_info;
+
+/* 
+  Compare two type names skipping the space characters, therefore
+  "char*" == "char *" and "Class<int>" == "Class<int >", etc.
+
+  Return 0 when the two name types are equivalent, as in
+  strncmp, but skipping ' '.
+*/
+SWIGRUNTIME int
+SWIG_TypeNameComp(const char *f1, const char *l1,
+		  const char *f2, const char *l2) {
+  for (;(f1 != l1) && (f2 != l2); ++f1, ++f2) {
+    while ((*f1 == ' ') && (f1 != l1)) ++f1;
+    while ((*f2 == ' ') && (f2 != l2)) ++f2;
+    if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
+  }
+  return (int)((l1 - f1) - (l2 - f2));
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if not equal, 1 if equal
+*/
+SWIGRUNTIME int
+SWIG_TypeEquiv(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+/*
+  Check type equivalence in a name list like <name1>|<name2>|...
+  Return 0 if equal, -1 if nb < tb, 1 if nb > tb
+*/
+SWIGRUNTIME int
+SWIG_TypeCompare(const char *nb, const char *tb) {
+  int equiv = 0;
+  const char* te = tb + strlen(tb);
+  const char* ne = nb;
+  while (!equiv && *ne) {
+    for (nb = ne; *ne; ++ne) {
+      if (*ne == '|') break;
+    }
+    equiv = (SWIG_TypeNameComp(nb, ne, tb, te) == 0) ? 1 : 0;
+    if (*ne) ++ne;
+  }
+  return equiv;
+}
+
+
+/* think of this as a c++ template<> or a scheme macro */
+#define SWIG_TypeCheck_Template(comparison, ty)         \
+  if (ty) {                                             \
+    swig_cast_info *iter = ty->cast;                    \
+    while (iter) {                                      \
+      if (comparison) {                                 \
+        if (iter == ty->cast) return iter;              \
+        /* Move iter to the top of the linked list */   \
+        iter->prev->next = iter->next;                  \
+        if (iter->next)                                 \
+          iter->next->prev = iter->prev;                \
+        iter->next = ty->cast;                          \
+        iter->prev = 0;                                 \
+        if (ty->cast) ty->cast->prev = iter;            \
+        ty->cast = iter;                                \
+        return iter;                                    \
+      }                                                 \
+      iter = iter->next;                                \
+    }                                                   \
+  }                                                     \
+  return 0
+
+/*
+  Check the typename
+*/
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheck(const char *c, swig_type_info *ty) {
+  SWIG_TypeCheck_Template(strcmp(iter->type->name, c) == 0, ty);
+}
+
+/* Same as previous function, except strcmp is replaced with a pointer comparison */
+SWIGRUNTIME swig_cast_info *
+SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) {
+  SWIG_TypeCheck_Template(iter->type == from, into);
+}
+
+/*
+  Cast a pointer up an inheritance hierarchy
+*/
+SWIGRUNTIMEINLINE void *
+SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) {
+  return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory);
+}
+
+/* 
+   Dynamic pointer casting. Down an inheritance hierarchy
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeDynamicCast(swig_type_info *ty, void **ptr) {
+  swig_type_info *lastty = ty;
+  if (!ty || !ty->dcast) return ty;
+  while (ty && (ty->dcast)) {
+    ty = (*ty->dcast)(ptr);
+    if (ty) lastty = ty;
+  }
+  return lastty;
+}
+
+/*
+  Return the name associated with this type
+*/
+SWIGRUNTIMEINLINE const char *
+SWIG_TypeName(const swig_type_info *ty) {
+  return ty->name;
+}
+
+/*
+  Return the pretty name associated with this type,
+  that is an unmangled type name in a form presentable to the user.
+*/
+SWIGRUNTIME const char *
+SWIG_TypePrettyName(const swig_type_info *type) {
+  /* The "str" field contains the equivalent pretty names of the
+     type, separated by vertical-bar characters.  We choose
+     to print the last name, as it is often (?) the most
+     specific. */
+  if (!type) return NULL;
+  if (type->str != NULL) {
+    const char *last_name = type->str;
+    const char *s;
+    for (s = type->str; *s; s++)
+      if (*s == '|') last_name = s+1;
+    return last_name;
+  }
+  else
+    return type->name;
+}
+
+/* 
+   Set the clientdata field for a type
+*/
+SWIGRUNTIME void
+SWIG_TypeClientData(swig_type_info *ti, void *clientdata) {
+  swig_cast_info *cast = ti->cast;
+  /* if (ti->clientdata == clientdata) return; */
+  ti->clientdata = clientdata;
+  
+  while (cast) {
+    if (!cast->converter) {
+      swig_type_info *tc = cast->type;
+      if (!tc->clientdata) {
+	SWIG_TypeClientData(tc, clientdata);
+      }
+    }    
+    cast = cast->next;
+  }
+}
+SWIGRUNTIME void
+SWIG_TypeNewClientData(swig_type_info *ti, void *clientdata) {
+  SWIG_TypeClientData(ti, clientdata);
+  ti->owndata = 1;
+}
+  
+/*
+  Search for a swig_type_info structure only by mangled name
+  Search is a O(log #types)
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_MangledTypeQueryModule(swig_module_info *start, 
+                            swig_module_info *end, 
+		            const char *name) {
+  swig_module_info *iter = start;
+  do {
+    if (iter->size) {
+      register size_t l = 0;
+      register size_t r = iter->size - 1;
+      do {
+	/* since l+r >= 0, we can (>> 1) instead (/ 2) */
+	register size_t i = (l + r) >> 1; 
+	const char *iname = iter->types[i]->name;
+	if (iname) {
+	  register int compare = strcmp(name, iname);
+	  if (compare == 0) {	    
+	    return iter->types[i];
+	  } else if (compare < 0) {
+	    if (i) {
+	      r = i - 1;
+	    } else {
+	      break;
+	    }
+	  } else if (compare > 0) {
+	    l = i + 1;
+	  }
+	} else {
+	  break; /* should never happen */
+	}
+      } while (l <= r);
+    }
+    iter = iter->next;
+  } while (iter != end);
+  return 0;
+}
+
+/*
+  Search for a swig_type_info structure for either a mangled name or a human readable name.
+  It first searches the mangled names of the types, which is a O(log #types)
+  If a type is not found it then searches the human readable names, which is O(#types).
+  
+  We start searching at module start, and finish searching when start == end.  
+  Note: if start == end at the beginning of the function, we go all the way around
+  the circular list.
+*/
+SWIGRUNTIME swig_type_info *
+SWIG_TypeQueryModule(swig_module_info *start, 
+                     swig_module_info *end, 
+		     const char *name) {
+  /* STEP 1: Search the name field using binary search */
+  swig_type_info *ret = SWIG_MangledTypeQueryModule(start, end, name);
+  if (ret) {
+    return ret;
+  } else {
+    /* STEP 2: If the type hasn't been found, do a complete search
+       of the str field (the human readable name) */
+    swig_module_info *iter = start;
+    do {
+      register size_t i = 0;
+      for (; i < iter->size; ++i) {
+	if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name)))
+	  return iter->types[i];
+      }
+      iter = iter->next;
+    } while (iter != end);
+  }
+  
+  /* neither found a match */
+  return 0;
+}
+
+/* 
+   Pack binary data into a string
+*/
+SWIGRUNTIME char *
+SWIG_PackData(char *c, void *ptr, size_t sz) {
+  static const char hex[17] = "0123456789abcdef";
+  register const unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu =  u + sz;
+  for (; u != eu; ++u) {
+    register unsigned char uu = *u;
+    *(c++) = hex[(uu & 0xf0) >> 4];
+    *(c++) = hex[uu & 0xf];
+  }
+  return c;
+}
+
+/* 
+   Unpack binary data from a string
+*/
+SWIGRUNTIME const char *
+SWIG_UnpackData(const char *c, void *ptr, size_t sz) {
+  register unsigned char *u = (unsigned char *) ptr;
+  register const unsigned char *eu = u + sz;
+  for (; u != eu; ++u) {
+    register char d = *(c++);
+    register unsigned char uu;
+    if ((d >= '0') && (d <= '9'))
+      uu = ((d - '0') << 4);
+    else if ((d >= 'a') && (d <= 'f'))
+      uu = ((d - ('a'-10)) << 4);
+    else 
+      return (char *) 0;
+    d = *(c++);
+    if ((d >= '0') && (d <= '9'))
+      uu |= (d - '0');
+    else if ((d >= 'a') && (d <= 'f'))
+      uu |= (d - ('a'-10));
+    else 
+      return (char *) 0;
+    *u = uu;
+  }
+  return c;
+}
+
+/* 
+   Pack 'void *' into a string buffer.
+*/
+SWIGRUNTIME char *
+SWIG_PackVoidPtr(char *buff, void *ptr, const char *name, size_t bsz) {
+  char *r = buff;
+  if ((2*sizeof(void *) + 2) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,&ptr,sizeof(void *));
+  if (strlen(name) + 1 > (bsz - (r - buff))) return 0;
+  strcpy(r,name);
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackVoidPtr(const char *c, void **ptr, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      *ptr = (void *) 0;
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sizeof(void *));
+}
+
+SWIGRUNTIME char *
+SWIG_PackDataName(char *buff, void *ptr, size_t sz, const char *name, size_t bsz) {
+  char *r = buff;
+  size_t lname = (name ? strlen(name) : 0);
+  if ((2*sz + 2 + lname) > bsz) return 0;
+  *(r++) = '_';
+  r = SWIG_PackData(r,ptr,sz);
+  if (lname) {
+    strncpy(r,name,lname+1);
+  } else {
+    *r = 0;
+  }
+  return buff;
+}
+
+SWIGRUNTIME const char *
+SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) {
+  if (*c != '_') {
+    if (strcmp(c,"NULL") == 0) {
+      memset(ptr,0,sz);
+      return name;
+    } else {
+      return 0;
+    }
+  }
+  return SWIG_UnpackData(++c,ptr,sz);
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+/*  Errors in SWIG */
+#define  SWIG_UnknownError    	   -1 
+#define  SWIG_IOError        	   -2 
+#define  SWIG_RuntimeError   	   -3 
+#define  SWIG_IndexError     	   -4 
+#define  SWIG_TypeError      	   -5 
+#define  SWIG_DivisionByZero 	   -6 
+#define  SWIG_OverflowError  	   -7 
+#define  SWIG_SyntaxError    	   -8 
+#define  SWIG_ValueError     	   -9 
+#define  SWIG_SystemError    	   -10
+#define  SWIG_AttributeError 	   -11
+#define  SWIG_MemoryError    	   -12 
+#define  SWIG_NullReferenceError   -13
+
+
+
+
+/* Add PyOS_snprintf for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# if defined(_MSC_VER) || defined(__BORLANDC__) || defined(_WATCOM)
+#  define PyOS_snprintf _snprintf
+# else
+#  define PyOS_snprintf snprintf
+# endif
+#endif
+
+/* A crude PyString_FromFormat implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+
+#ifndef SWIG_PYBUFFER_SIZE
+# define SWIG_PYBUFFER_SIZE 1024
+#endif
+
+static PyObject *
+PyString_FromFormat(const char *fmt, ...) {
+  va_list ap;
+  char buf[SWIG_PYBUFFER_SIZE * 2];
+  int res;
+  va_start(ap, fmt);
+  res = vsnprintf(buf, sizeof(buf), fmt, ap);
+  va_end(ap);
+  return (res < 0 || res >= (int)sizeof(buf)) ? 0 : PyString_FromString(buf);
+}
+#endif
+
+/* Add PyObject_Del for old Pythons */
+#if PY_VERSION_HEX < 0x01060000
+# define PyObject_Del(op) PyMem_DEL((op))
+#endif
+#ifndef PyObject_DEL
+# define PyObject_DEL PyObject_Del
+#endif
+
+/* A crude PyExc_StopIteration exception for old Pythons */
+#if PY_VERSION_HEX < 0x02020000
+# ifndef PyExc_StopIteration
+#  define PyExc_StopIteration PyExc_RuntimeError
+# endif
+# ifndef PyObject_GenericGetAttr
+#  define PyObject_GenericGetAttr 0
+# endif
+#endif
+/* Py_NotImplemented is defined in 2.1 and up. */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef Py_NotImplemented
+#  define Py_NotImplemented PyExc_RuntimeError
+# endif
+#endif
+
+
+/* A crude PyString_AsStringAndSize implementation for old Pythons */
+#if PY_VERSION_HEX < 0x02010000
+# ifndef PyString_AsStringAndSize
+#  define PyString_AsStringAndSize(obj, s, len) {*s = PyString_AsString(obj); *len = *s ? strlen(*s) : 0;}
+# endif
+#endif
+
+/* PySequence_Size for old Pythons */
+#if PY_VERSION_HEX < 0x02000000
+# ifndef PySequence_Size
+#  define PySequence_Size PySequence_Length
+# endif
+#endif
+
+
+/* PyBool_FromLong for old Pythons */
+#if PY_VERSION_HEX < 0x02030000
+static
+PyObject *PyBool_FromLong(long ok)
+{
+  PyObject *result = ok ? Py_True : Py_False;
+  Py_INCREF(result);
+  return result;
+}
+#endif
+
+/* Py_ssize_t for old Pythons */
+/* This code is as recommended by: */
+/* http://www.python.org/dev/peps/pep-0353/#conversion-guidelines */
+#if PY_VERSION_HEX < 0x02050000 && !defined(PY_SSIZE_T_MIN)
+typedef int Py_ssize_t;
+# define PY_SSIZE_T_MAX INT_MAX
+# define PY_SSIZE_T_MIN INT_MIN
+#endif
+
+/* -----------------------------------------------------------------------------
+ * error manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIME PyObject*
+SWIG_Python_ErrorType(int code) {
+  PyObject* type = 0;
+  switch(code) {
+  case SWIG_MemoryError:
+    type = PyExc_MemoryError;
+    break;
+  case SWIG_IOError:
+    type = PyExc_IOError;
+    break;
+  case SWIG_RuntimeError:
+    type = PyExc_RuntimeError;
+    break;
+  case SWIG_IndexError:
+    type = PyExc_IndexError;
+    break;
+  case SWIG_TypeError:
+    type = PyExc_TypeError;
+    break;
+  case SWIG_DivisionByZero:
+    type = PyExc_ZeroDivisionError;
+    break;
+  case SWIG_OverflowError:
+    type = PyExc_OverflowError;
+    break;
+  case SWIG_SyntaxError:
+    type = PyExc_SyntaxError;
+    break;
+  case SWIG_ValueError:
+    type = PyExc_ValueError;
+    break;
+  case SWIG_SystemError:
+    type = PyExc_SystemError;
+    break;
+  case SWIG_AttributeError:
+    type = PyExc_AttributeError;
+    break;
+  default:
+    type = PyExc_RuntimeError;
+  }
+  return type;
+}
+
+
+SWIGRUNTIME void
+SWIG_Python_AddErrorMsg(const char* mesg)
+{
+  PyObject *type = 0;
+  PyObject *value = 0;
+  PyObject *traceback = 0;
+
+  if (PyErr_Occurred()) PyErr_Fetch(&type, &value, &traceback);
+  if (value) {
+    PyObject *old_str = PyObject_Str(value);
+    PyErr_Clear();
+    Py_XINCREF(type);
+    PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+    Py_DECREF(old_str);
+    Py_DECREF(value);
+  } else {
+    PyErr_SetString(PyExc_RuntimeError, mesg);
+  }
+}
+
+
+
+#if defined(SWIG_PYTHON_NO_THREADS)
+#  if defined(SWIG_PYTHON_THREADS)
+#    undef SWIG_PYTHON_THREADS
+#  endif
+#endif
+#if defined(SWIG_PYTHON_THREADS) /* Threading support is enabled */
+#  if !defined(SWIG_PYTHON_USE_GIL) && !defined(SWIG_PYTHON_NO_USE_GIL)
+#    if (PY_VERSION_HEX >= 0x02030000) /* For 2.3 or later, use the PyGILState calls */
+#      define SWIG_PYTHON_USE_GIL
+#    endif
+#  endif
+#  if defined(SWIG_PYTHON_USE_GIL) /* Use PyGILState threads calls */
+#    ifndef SWIG_PYTHON_INITIALIZE_THREADS
+#     define SWIG_PYTHON_INITIALIZE_THREADS  PyEval_InitThreads() 
+#    endif
+#    ifdef __cplusplus /* C++ code */
+       class SWIG_Python_Thread_Block {
+         bool status;
+         PyGILState_STATE state;
+       public:
+         void end() { if (status) { PyGILState_Release(state); status = false;} }
+         SWIG_Python_Thread_Block() : status(true), state(PyGILState_Ensure()) {}
+         ~SWIG_Python_Thread_Block() { end(); }
+       };
+       class SWIG_Python_Thread_Allow {
+         bool status;
+         PyThreadState *save;
+       public:
+         void end() { if (status) { PyEval_RestoreThread(save); status = false; }}
+         SWIG_Python_Thread_Allow() : status(true), save(PyEval_SaveThread()) {}
+         ~SWIG_Python_Thread_Allow() { end(); }
+       };
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   SWIG_Python_Thread_Block _swig_thread_block
+#      define SWIG_PYTHON_THREAD_END_BLOCK     _swig_thread_block.end()
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   SWIG_Python_Thread_Allow _swig_thread_allow
+#      define SWIG_PYTHON_THREAD_END_ALLOW     _swig_thread_allow.end()
+#    else /* C code */
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK   PyGILState_STATE _swig_thread_block = PyGILState_Ensure()
+#      define SWIG_PYTHON_THREAD_END_BLOCK     PyGILState_Release(_swig_thread_block)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW   PyThreadState *_swig_thread_allow = PyEval_SaveThread()
+#      define SWIG_PYTHON_THREAD_END_ALLOW     PyEval_RestoreThread(_swig_thread_allow)
+#    endif
+#  else /* Old thread way, not implemented, user must provide it */
+#    if !defined(SWIG_PYTHON_INITIALIZE_THREADS)
+#      define SWIG_PYTHON_INITIALIZE_THREADS
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_BLOCK)
+#      define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_BLOCK)
+#      define SWIG_PYTHON_THREAD_END_BLOCK
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_BEGIN_ALLOW)
+#      define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#    endif
+#    if !defined(SWIG_PYTHON_THREAD_END_ALLOW)
+#      define SWIG_PYTHON_THREAD_END_ALLOW
+#    endif
+#  endif
+#else /* No thread support */
+#  define SWIG_PYTHON_INITIALIZE_THREADS
+#  define SWIG_PYTHON_THREAD_BEGIN_BLOCK
+#  define SWIG_PYTHON_THREAD_END_BLOCK
+#  define SWIG_PYTHON_THREAD_BEGIN_ALLOW
+#  define SWIG_PYTHON_THREAD_END_ALLOW
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Python API portion that goes into the runtime
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Constant declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Constant Types */
+#define SWIG_PY_POINTER 4
+#define SWIG_PY_BINARY  5
+
+/* Constant information structure */
+typedef struct swig_const_info {
+  int type;
+  char *name;
+  long lvalue;
+  double dvalue;
+  void   *pvalue;
+  swig_type_info **ptype;
+} swig_const_info;
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+/* -----------------------------------------------------------------------------
+ * See the LICENSE file for information on copyright, usage and redistribution
+ * of SWIG, and the README file for authors - http://www.swig.org/release.html.
+ *
+ * pyrun.swg
+ *
+ * This file contains the runtime support for Python modules
+ * and includes code for managing global variables and pointer
+ * type checking.
+ *
+ * ----------------------------------------------------------------------------- */
+
+/* Common SWIG API */
+
+/* for raw pointers */
+#define SWIG_Python_ConvertPtr(obj, pptr, type, flags)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, 0)
+#define SWIG_ConvertPtr(obj, pptr, type, flags)         SWIG_Python_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_ConvertPtrAndOwn(obj,pptr,type,flags,own)  SWIG_Python_ConvertPtrAndOwn(obj, pptr, type, flags, own)
+#define SWIG_NewPointerObj(ptr, type, flags)            SWIG_Python_NewPointerObj(ptr, type, flags)
+#define SWIG_CheckImplicit(ty)                          SWIG_Python_CheckImplicit(ty) 
+#define SWIG_AcquirePtr(ptr, src)                       SWIG_Python_AcquirePtr(ptr, src)
+#define swig_owntype                                    int
+
+/* for raw packed data */
+#define SWIG_ConvertPacked(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewPackedObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+/* for class or struct pointers */
+#define SWIG_ConvertInstance(obj, pptr, type, flags)    SWIG_ConvertPtr(obj, pptr, type, flags)
+#define SWIG_NewInstanceObj(ptr, type, flags)           SWIG_NewPointerObj(ptr, type, flags)
+
+/* for C or C++ function pointers */
+#define SWIG_ConvertFunctionPtr(obj, pptr, type)        SWIG_Python_ConvertFunctionPtr(obj, pptr, type)
+#define SWIG_NewFunctionPtrObj(ptr, type)               SWIG_Python_NewPointerObj(ptr, type, 0)
+
+/* for C++ member pointers, ie, member methods */
+#define SWIG_ConvertMember(obj, ptr, sz, ty)            SWIG_Python_ConvertPacked(obj, ptr, sz, ty)
+#define SWIG_NewMemberObj(ptr, sz, type)                SWIG_Python_NewPackedObj(ptr, sz, type)
+
+
+/* Runtime API */
+
+#define SWIG_GetModule(clientdata)                      SWIG_Python_GetModule()
+#define SWIG_SetModule(clientdata, pointer)             SWIG_Python_SetModule(pointer)
+#define SWIG_NewClientData(obj)                         PySwigClientData_New(obj)
+
+#define SWIG_SetErrorObj                                SWIG_Python_SetErrorObj                            
+#define SWIG_SetErrorMsg                        	SWIG_Python_SetErrorMsg				   
+#define SWIG_ErrorType(code)                    	SWIG_Python_ErrorType(code)                        
+#define SWIG_Error(code, msg)            		SWIG_Python_SetErrorMsg(SWIG_ErrorType(code), msg) 
+#define SWIG_fail                        		goto fail					   
+
+
+/* Runtime API implementation */
+
+/* Error manipulation */
+
+SWIGINTERN void 
+SWIG_Python_SetErrorObj(PyObject *errtype, PyObject *obj) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK; 
+  PyErr_SetObject(errtype, obj);
+  Py_DECREF(obj);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+SWIGINTERN void 
+SWIG_Python_SetErrorMsg(PyObject *errtype, const char *msg) {
+  SWIG_PYTHON_THREAD_BEGIN_BLOCK;
+  PyErr_SetString(errtype, (char *) msg);
+  SWIG_PYTHON_THREAD_END_BLOCK;
+}
+
+#define SWIG_Python_Raise(obj, type, desc)  SWIG_Python_SetErrorObj(SWIG_Python_ExceptionType(desc), obj)
+
+/* Set a constant value */
+
+SWIGINTERN void
+SWIG_Python_SetConstant(PyObject *d, const char *name, PyObject *obj) {   
+  PyDict_SetItemString(d, (char*) name, obj);
+  Py_DECREF(obj);                            
+}
+
+/* Append a value to the result obj */
+
+SWIGINTERN PyObject*
+SWIG_Python_AppendOutput(PyObject* result, PyObject* obj) {
+#if !defined(SWIG_PYTHON_OUTPUT_TUPLE)
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyList_Check(result)) {
+      PyObject *o2 = result;
+      result = PyList_New(1);
+      PyList_SetItem(result, 0, o2);
+    }
+    PyList_Append(result,obj);
+    Py_DECREF(obj);
+  }
+  return result;
+#else
+  PyObject*   o2;
+  PyObject*   o3;
+  if (!result) {
+    result = obj;
+  } else if (result == Py_None) {
+    Py_DECREF(result);
+    result = obj;
+  } else {
+    if (!PyTuple_Check(result)) {
+      o2 = result;
+      result = PyTuple_New(1);
+      PyTuple_SET_ITEM(result, 0, o2);
+    }
+    o3 = PyTuple_New(1);
+    PyTuple_SET_ITEM(o3, 0, obj);
+    o2 = result;
+    result = PySequence_Concat(o2, o3);
+    Py_DECREF(o2);
+    Py_DECREF(o3);
+  }
+  return result;
+#endif
+}
+
+/* Unpack the argument tuple */
+
+SWIGINTERN int
+SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs)
+{
+  if (!args) {
+    if (!min && !max) {
+      return 1;
+    } else {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
+		   name, (min == max ? "" : "at least "), (int)min);
+      return 0;
+    }
+  }  
+  if (!PyTuple_Check(args)) {
+    PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
+    return 0;
+  } else {
+    register Py_ssize_t l = PyTuple_GET_SIZE(args);
+    if (l < min) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at least "), (int)min, (int)l);
+      return 0;
+    } else if (l > max) {
+      PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
+		   name, (min == max ? "" : "at most "), (int)max, (int)l);
+      return 0;
+    } else {
+      register int i;
+      for (i = 0; i < l; ++i) {
+	objs[i] = PyTuple_GET_ITEM(args, i);
+      }
+      for (; l < max; ++l) {
+	objs[l] = 0;
+      }
+      return i + 1;
+    }    
+  }
+}
+
+/* A functor is a function object with one single object argument */
+#if PY_VERSION_HEX >= 0x02020000
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunctionObjArgs(functor, obj, NULL);
+#else
+#define SWIG_Python_CallFunctor(functor, obj)	        PyObject_CallFunction(functor, "O", obj);
+#endif
+
+/*
+  Helper for static pointer initialization for both C and C++ code, for example
+  static PyObject *SWIG_STATIC_POINTER(MyVar) = NewSomething(...);
+*/
+#ifdef __cplusplus
+#define SWIG_STATIC_POINTER(var)  var
+#else
+#define SWIG_STATIC_POINTER(var)  var = 0; if (!var) var
+#endif
+
+/* -----------------------------------------------------------------------------
+ * Pointer declarations
+ * ----------------------------------------------------------------------------- */
+
+/* Flags for new pointer objects */
+#define SWIG_POINTER_NOSHADOW       (SWIG_POINTER_OWN      << 1)
+#define SWIG_POINTER_NEW            (SWIG_POINTER_NOSHADOW | SWIG_POINTER_OWN)
+
+#define SWIG_POINTER_IMPLICIT_CONV  (SWIG_POINTER_DISOWN   << 1)
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* cc-mode */
+#endif
+#endif
+
+/*  How to access Py_None */
+#if defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__)
+#  ifndef SWIG_PYTHON_NO_BUILD_NONE
+#    ifndef SWIG_PYTHON_BUILD_NONE
+#      define SWIG_PYTHON_BUILD_NONE
+#    endif
+#  endif
+#endif
+
+#ifdef SWIG_PYTHON_BUILD_NONE
+#  ifdef Py_None
+#   undef Py_None
+#   define Py_None SWIG_Py_None()
+#  endif
+SWIGRUNTIMEINLINE PyObject * 
+_SWIG_Py_None(void)
+{
+  PyObject *none = Py_BuildValue((char*)"");
+  Py_DECREF(none);
+  return none;
+}
+SWIGRUNTIME PyObject * 
+SWIG_Py_None(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(none) = _SWIG_Py_None();
+  return none;
+}
+#endif
+
+/* The python void return value */
+
+SWIGRUNTIMEINLINE PyObject * 
+SWIG_Py_Void(void)
+{
+  PyObject *none = Py_None;
+  Py_INCREF(none);
+  return none;
+}
+
+/* PySwigClientData */
+
+typedef struct {
+  PyObject *klass;
+  PyObject *newraw;
+  PyObject *newargs;
+  PyObject *destroy;
+  int delargs;
+  int implicitconv;
+} PySwigClientData;
+
+SWIGRUNTIMEINLINE int 
+SWIG_Python_CheckImplicit(swig_type_info *ty)
+{
+  PySwigClientData *data = (PySwigClientData *)ty->clientdata;
+  return data ? data->implicitconv : 0;
+}
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_ExceptionType(swig_type_info *desc) {
+  PySwigClientData *data = desc ? (PySwigClientData *) desc->clientdata : 0;
+  PyObject *klass = data ? data->klass : 0;
+  return (klass ? klass : PyExc_RuntimeError);
+}
+
+
+SWIGRUNTIME PySwigClientData * 
+PySwigClientData_New(PyObject* obj)
+{
+  if (!obj) {
+    return 0;
+  } else {
+    PySwigClientData *data = (PySwigClientData *)malloc(sizeof(PySwigClientData));
+    /* the klass element */
+    data->klass = obj;
+    Py_INCREF(data->klass);
+    /* the newraw method and newargs arguments used to create a new raw instance */
+    if (PyClass_Check(obj)) {
+      data->newraw = 0;
+      data->newargs = obj;
+      Py_INCREF(obj);
+    } else {
+#if (PY_VERSION_HEX < 0x02020000)
+      data->newraw = 0;
+#else
+      data->newraw = PyObject_GetAttrString(data->klass, (char *)"__new__");
+#endif
+      if (data->newraw) {
+	Py_INCREF(data->newraw);
+	data->newargs = PyTuple_New(1);
+	PyTuple_SetItem(data->newargs, 0, obj);
+      } else {
+	data->newargs = obj;
+      }
+      Py_INCREF(data->newargs);
+    }
+    /* the destroy method, aka as the C++ delete method */
+    data->destroy = PyObject_GetAttrString(data->klass, (char *)"__swig_destroy__");
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      data->destroy = 0;
+    }
+    if (data->destroy) {
+      int flags;
+      Py_INCREF(data->destroy);
+      flags = PyCFunction_GET_FLAGS(data->destroy);
+#ifdef METH_O
+      data->delargs = !(flags & (METH_O));
+#else
+      data->delargs = 0;
+#endif
+    } else {
+      data->delargs = 0;
+    }
+    data->implicitconv = 0;
+    return data;
+  }
+}
+
+SWIGRUNTIME void 
+PySwigClientData_Del(PySwigClientData* data)
+{
+  Py_XDECREF(data->newraw);
+  Py_XDECREF(data->newargs);
+  Py_XDECREF(data->destroy);
+}
+
+/* =============== PySwigObject =====================*/
+
+typedef struct {
+  PyObject_HEAD
+  void *ptr;
+  swig_type_info *ty;
+  int own;
+  PyObject *next;
+} PySwigObject;
+
+SWIGRUNTIME PyObject *
+PySwigObject_long(PySwigObject *v)
+{
+  return PyLong_FromVoidPtr(v->ptr);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_format(const char* fmt, PySwigObject *v)
+{
+  PyObject *res = NULL;
+  PyObject *args = PyTuple_New(1);
+  if (args) {
+    if (PyTuple_SetItem(args, 0, PySwigObject_long(v)) == 0) {
+      PyObject *ofmt = PyString_FromString(fmt);
+      if (ofmt) {
+	res = PyString_Format(ofmt,args);
+	Py_DECREF(ofmt);
+      }
+      Py_DECREF(args);
+    }
+  }
+  return res;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_oct(PySwigObject *v)
+{
+  return PySwigObject_format("%o",v);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_hex(PySwigObject *v)
+{
+  return PySwigObject_format("%x",v);
+}
+
+SWIGRUNTIME PyObject *
+#ifdef METH_NOARGS
+PySwigObject_repr(PySwigObject *v)
+#else
+PySwigObject_repr(PySwigObject *v, PyObject *args)
+#endif
+{
+  const char *name = SWIG_TypePrettyName(v->ty);
+  PyObject *hex = PySwigObject_hex(v);    
+  PyObject *repr = PyString_FromFormat("<Swig Object of type '%s' at 0x%s>", name, PyString_AsString(hex));
+  Py_DECREF(hex);
+  if (v->next) {
+#ifdef METH_NOARGS
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next);
+#else
+    PyObject *nrep = PySwigObject_repr((PySwigObject *)v->next, args);
+#endif
+    PyString_ConcatAndDel(&repr,nrep);
+  }
+  return repr;  
+}
+
+SWIGRUNTIME int
+PySwigObject_print(PySwigObject *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+#ifdef METH_NOARGS
+  PyObject *repr = PySwigObject_repr(v);
+#else
+  PyObject *repr = PySwigObject_repr(v, NULL);
+#endif
+  if (repr) {
+    fputs(PyString_AsString(repr), fp);
+    Py_DECREF(repr);
+    return 0; 
+  } else {
+    return 1; 
+  }
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_str(PySwigObject *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  return SWIG_PackVoidPtr(result, v->ptr, v->ty->name, sizeof(result)) ?
+    PyString_FromString(result) : 0;
+}
+
+SWIGRUNTIME int
+PySwigObject_compare(PySwigObject *v, PySwigObject *w)
+{
+  void *i = v->ptr;
+  void *j = w->ptr;
+  return (i < j) ? -1 : ((i > j) ? 1 : 0);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigObject_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigObject_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigObject_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigObject_Check(PyObject *op) {
+  return ((op)->ob_type == PySwigObject_type())
+    || (strcmp((op)->ob_type->tp_name,"PySwigObject") == 0);
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own);
+
+SWIGRUNTIME void
+PySwigObject_dealloc(PyObject *v)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  PyObject *next = sobj->next;
+  if (sobj->own == SWIG_POINTER_OWN) {
+    swig_type_info *ty = sobj->ty;
+    PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+    PyObject *destroy = data ? data->destroy : 0;
+    if (destroy) {
+      /* destroy is always a VARARGS method */
+      PyObject *res;
+      if (data->delargs) {
+	/* we need to create a temporal object to carry the destroy operation */
+	PyObject *tmp = PySwigObject_New(sobj->ptr, ty, 0);
+	res = SWIG_Python_CallFunctor(destroy, tmp);
+	Py_DECREF(tmp);
+      } else {
+	PyCFunction meth = PyCFunction_GET_FUNCTION(destroy);
+	PyObject *mself = PyCFunction_GET_SELF(destroy);
+	res = ((*meth)(mself, v));
+      }
+      Py_XDECREF(res);
+    } 
+#if !defined(SWIG_PYTHON_SILENT_MEMLEAK)
+    else {
+      const char *name = SWIG_TypePrettyName(ty);
+      printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown"));
+    }
+#endif
+  } 
+  Py_XDECREF(next);
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyObject* 
+PySwigObject_append(PyObject* v, PyObject* next)
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+#ifndef METH_O
+  PyObject *tmp = 0;
+  if (!PyArg_ParseTuple(next,(char *)"O:append", &tmp)) return NULL;
+  next = tmp;
+#endif
+  if (!PySwigObject_Check(next)) {
+    return NULL;
+  }
+  sobj->next = next;
+  Py_INCREF(next);
+  return SWIG_Py_Void();
+}
+
+SWIGRUNTIME PyObject* 
+#ifdef METH_NOARGS
+PySwigObject_next(PyObject* v)
+#else
+PySwigObject_next(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *) v;
+  if (sobj->next) {    
+    Py_INCREF(sobj->next);
+    return sobj->next;
+  } else {
+    return SWIG_Py_Void();
+  }
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_disown(PyObject *v)
+#else
+PySwigObject_disown(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = 0;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+#ifdef METH_NOARGS
+PySwigObject_acquire(PyObject *v)
+#else
+PySwigObject_acquire(PyObject* v, PyObject *SWIGUNUSEDPARM(args))
+#endif
+{
+  PySwigObject *sobj = (PySwigObject *)v;
+  sobj->own = SWIG_POINTER_OWN;
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject*
+PySwigObject_own(PyObject *v, PyObject *args)
+{
+  PyObject *val = 0;
+#if (PY_VERSION_HEX < 0x02020000)
+  if (!PyArg_ParseTuple(args,(char *)"|O:own",&val))
+#else
+  if (!PyArg_UnpackTuple(args, (char *)"own", 0, 1, &val)) 
+#endif
+    {
+      return NULL;
+    } 
+  else
+    {
+      PySwigObject *sobj = (PySwigObject *)v;
+      PyObject *obj = PyBool_FromLong(sobj->own);
+      if (val) {
+#ifdef METH_NOARGS
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v);
+	} else {
+	  PySwigObject_disown(v);
+	}
+#else
+	if (PyObject_IsTrue(val)) {
+	  PySwigObject_acquire(v,args);
+	} else {
+	  PySwigObject_disown(v,args);
+	}
+#endif
+      } 
+      return obj;
+    }
+}
+
+#ifdef METH_O
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_NOARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_NOARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS, (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_O,       (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_NOARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,    METH_NOARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#else
+static PyMethodDef
+swigobject_methods[] = {
+  {(char *)"disown",  (PyCFunction)PySwigObject_disown,  METH_VARARGS,  (char *)"releases ownership of the pointer"},
+  {(char *)"acquire", (PyCFunction)PySwigObject_acquire, METH_VARARGS,  (char *)"aquires ownership of the pointer"},
+  {(char *)"own",     (PyCFunction)PySwigObject_own,     METH_VARARGS,  (char *)"returns/sets ownership of the pointer"},
+  {(char *)"append",  (PyCFunction)PySwigObject_append,  METH_VARARGS,  (char *)"appends another 'this' object"},
+  {(char *)"next",    (PyCFunction)PySwigObject_next,    METH_VARARGS,  (char *)"returns the next 'this' object"},
+  {(char *)"__repr__",(PyCFunction)PySwigObject_repr,   METH_VARARGS,  (char *)"returns object representation"},
+  {0, 0, 0, 0}  
+};
+#endif
+
+#if PY_VERSION_HEX < 0x02020000
+SWIGINTERN PyObject *
+PySwigObject_getattr(PySwigObject *sobj,char *name)
+{
+  return Py_FindMethod(swigobject_methods, (PyObject *)sobj, name);
+}
+#endif
+
+SWIGRUNTIME PyTypeObject*
+_PySwigObject_type(void) {
+  static char swigobject_doc[] = "Swig object carries a C/C++ instance pointer";
+  
+  static PyNumberMethods PySwigObject_as_number = {
+    (binaryfunc)0, /*nb_add*/
+    (binaryfunc)0, /*nb_subtract*/
+    (binaryfunc)0, /*nb_multiply*/
+    (binaryfunc)0, /*nb_divide*/
+    (binaryfunc)0, /*nb_remainder*/
+    (binaryfunc)0, /*nb_divmod*/
+    (ternaryfunc)0,/*nb_power*/
+    (unaryfunc)0,  /*nb_negative*/
+    (unaryfunc)0,  /*nb_positive*/
+    (unaryfunc)0,  /*nb_absolute*/
+    (inquiry)0,    /*nb_nonzero*/
+    0,		   /*nb_invert*/
+    0,		   /*nb_lshift*/
+    0,		   /*nb_rshift*/
+    0,		   /*nb_and*/
+    0,		   /*nb_xor*/
+    0,		   /*nb_or*/
+    (coercion)0,   /*nb_coerce*/
+    (unaryfunc)PySwigObject_long, /*nb_int*/
+    (unaryfunc)PySwigObject_long, /*nb_long*/
+    (unaryfunc)0,                 /*nb_float*/
+    (unaryfunc)PySwigObject_oct,  /*nb_oct*/
+    (unaryfunc)PySwigObject_hex,  /*nb_hex*/
+#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */
+#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */
+#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */
+    0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
+#endif
+  };
+
+  static PyTypeObject pyswigobject_type;  
+  static int type_init = 0;
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */
+	(char *)"PySwigObject",		    /* tp_name */
+	sizeof(PySwigObject),		    /* tp_basicsize */
+	0,			            /* tp_itemsize */
+	(destructor)PySwigObject_dealloc,   /* tp_dealloc */
+	(printfunc)PySwigObject_print,	    /* tp_print */
+#if PY_VERSION_HEX < 0x02020000
+	(getattrfunc)PySwigObject_getattr,  /* tp_getattr */ 
+#else
+	(getattrfunc)0,			    /* tp_getattr */ 
+#endif
+	(setattrfunc)0,			    /* tp_setattr */ 
+	(cmpfunc)PySwigObject_compare,	    /* tp_compare */ 
+	(reprfunc)PySwigObject_repr,	    /* tp_repr */    
+	&PySwigObject_as_number,	    /* tp_as_number */
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */
+	(hashfunc)0,			    /* tp_hash */
+	(ternaryfunc)0,			    /* tp_call */
+	(reprfunc)PySwigObject_str,	    /* tp_str */
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigobject_doc, 	            /* tp_doc */        
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	swigobject_methods,		    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0,	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigobject_type = tmp;
+    pyswigobject_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigobject_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigObject_New(void *ptr, swig_type_info *ty, int own)
+{
+  PySwigObject *sobj = PyObject_NEW(PySwigObject, PySwigObject_type());
+  if (sobj) {
+    sobj->ptr  = ptr;
+    sobj->ty   = ty;
+    sobj->own  = own;
+    sobj->next = 0;
+  }
+  return (PyObject *)sobj;
+}
+
+/* -----------------------------------------------------------------------------
+ * Implements a simple Swig Packed type, and use it instead of string
+ * ----------------------------------------------------------------------------- */
+
+typedef struct {
+  PyObject_HEAD
+  void *pack;
+  swig_type_info *ty;
+  size_t size;
+} PySwigPacked;
+
+SWIGRUNTIME int
+PySwigPacked_print(PySwigPacked *v, FILE *fp, int SWIGUNUSEDPARM(flags))
+{
+  char result[SWIG_BUFFER_SIZE];
+  fputs("<Swig Packed ", fp); 
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    fputs("at ", fp); 
+    fputs(result, fp); 
+  }
+  fputs(v->ty->name,fp); 
+  fputs(">", fp);
+  return 0; 
+}
+  
+SWIGRUNTIME PyObject *
+PySwigPacked_repr(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))) {
+    return PyString_FromFormat("<Swig Packed at %s%s>", result, v->ty->name);
+  } else {
+    return PyString_FromFormat("<Swig Packed %s>", v->ty->name);
+  }  
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_str(PySwigPacked *v)
+{
+  char result[SWIG_BUFFER_SIZE];
+  if (SWIG_PackDataName(result, v->pack, v->size, 0, sizeof(result))){
+    return PyString_FromFormat("%s%s", result, v->ty->name);
+  } else {
+    return PyString_FromString(v->ty->name);
+  }  
+}
+
+SWIGRUNTIME int
+PySwigPacked_compare(PySwigPacked *v, PySwigPacked *w)
+{
+  size_t i = v->size;
+  size_t j = w->size;
+  int s = (i < j) ? -1 : ((i > j) ? 1 : 0);
+  return s ? s : strncmp((char *)v->pack, (char *)w->pack, 2*v->size);
+}
+
+SWIGRUNTIME PyTypeObject* _PySwigPacked_type(void);
+
+SWIGRUNTIME PyTypeObject*
+PySwigPacked_type(void) {
+  static PyTypeObject *SWIG_STATIC_POINTER(type) = _PySwigPacked_type();
+  return type;
+}
+
+SWIGRUNTIMEINLINE int
+PySwigPacked_Check(PyObject *op) {
+  return ((op)->ob_type == _PySwigPacked_type()) 
+    || (strcmp((op)->ob_type->tp_name,"PySwigPacked") == 0);
+}
+
+SWIGRUNTIME void
+PySwigPacked_dealloc(PyObject *v)
+{
+  if (PySwigPacked_Check(v)) {
+    PySwigPacked *sobj = (PySwigPacked *) v;
+    free(sobj->pack);
+  }
+  PyObject_DEL(v);
+}
+
+SWIGRUNTIME PyTypeObject*
+_PySwigPacked_type(void) {
+  static char swigpacked_doc[] = "Swig object carries a C/C++ instance pointer";
+  static PyTypeObject pyswigpacked_type;
+  static int type_init = 0;  
+  if (!type_init) {
+    const PyTypeObject tmp
+      = {
+	PyObject_HEAD_INIT(NULL)
+	0,				    /* ob_size */	
+	(char *)"PySwigPacked",		    /* tp_name */	
+	sizeof(PySwigPacked),		    /* tp_basicsize */	
+	0,				    /* tp_itemsize */	
+	(destructor)PySwigPacked_dealloc,   /* tp_dealloc */	
+	(printfunc)PySwigPacked_print,	    /* tp_print */   	
+	(getattrfunc)0,			    /* tp_getattr */ 	
+	(setattrfunc)0,			    /* tp_setattr */ 	
+	(cmpfunc)PySwigPacked_compare,	    /* tp_compare */ 	
+	(reprfunc)PySwigPacked_repr,	    /* tp_repr */    	
+	0,	                            /* tp_as_number */	
+	0,				    /* tp_as_sequence */
+	0,				    /* tp_as_mapping */	
+	(hashfunc)0,			    /* tp_hash */	
+	(ternaryfunc)0,			    /* tp_call */	
+	(reprfunc)PySwigPacked_str,	    /* tp_str */	
+	PyObject_GenericGetAttr,            /* tp_getattro */
+	0,				    /* tp_setattro */
+	0,		                    /* tp_as_buffer */
+	Py_TPFLAGS_DEFAULT,	            /* tp_flags */
+	swigpacked_doc, 	            /* tp_doc */
+	0,                                  /* tp_traverse */
+	0,                                  /* tp_clear */
+	0,                                  /* tp_richcompare */
+	0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+	0,                                  /* tp_iter */
+	0,                                  /* tp_iternext */
+	0,		                    /* tp_methods */ 
+	0,			            /* tp_members */
+	0,				    /* tp_getset */	    	
+	0,			            /* tp_base */	        
+	0,				    /* tp_dict */	    	
+	0,				    /* tp_descr_get */  	
+	0,				    /* tp_descr_set */  	
+	0,				    /* tp_dictoffset */ 	
+	0,				    /* tp_init */	    	
+	0,				    /* tp_alloc */	    	
+	0,			            /* tp_new */	    	
+	0, 	                            /* tp_free */	   
+        0,                                  /* tp_is_gc */  
+	0,				    /* tp_bases */   
+	0,				    /* tp_mro */
+	0,				    /* tp_cache */   
+ 	0,				    /* tp_subclasses */
+	0,				    /* tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+	0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+	0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+    pyswigpacked_type = tmp;
+    pyswigpacked_type.ob_type = &PyType_Type;
+    type_init = 1;
+  }
+  return &pyswigpacked_type;
+}
+
+SWIGRUNTIME PyObject *
+PySwigPacked_New(void *ptr, size_t size, swig_type_info *ty)
+{
+  PySwigPacked *sobj = PyObject_NEW(PySwigPacked, PySwigPacked_type());
+  if (sobj) {
+    void *pack = malloc(size);
+    if (pack) {
+      memcpy(pack, ptr, size);
+      sobj->pack = pack;
+      sobj->ty   = ty;
+      sobj->size = size;
+    } else {
+      PyObject_DEL((PyObject *) sobj);
+      sobj = 0;
+    }
+  }
+  return (PyObject *) sobj;
+}
+
+SWIGRUNTIME swig_type_info *
+PySwigPacked_UnpackData(PyObject *obj, void *ptr, size_t size)
+{
+  if (PySwigPacked_Check(obj)) {
+    PySwigPacked *sobj = (PySwigPacked *)obj;
+    if (sobj->size != size) return 0;
+    memcpy(ptr, sobj->pack, size);
+    return sobj->ty;
+  } else {
+    return 0;
+  }
+}
+
+/* -----------------------------------------------------------------------------
+ * pointers/data manipulation
+ * ----------------------------------------------------------------------------- */
+
+SWIGRUNTIMEINLINE PyObject *
+_SWIG_This(void)
+{
+  return PyString_FromString("this");
+}
+
+SWIGRUNTIME PyObject *
+SWIG_This(void)
+{
+  static PyObject *SWIG_STATIC_POINTER(swig_this) = _SWIG_This();
+  return swig_this;
+}
+
+/* #define SWIG_PYTHON_SLOW_GETSET_THIS */
+
+SWIGRUNTIME PySwigObject *
+SWIG_Python_GetSwigThis(PyObject *pyobj) 
+{
+  if (PySwigObject_Check(pyobj)) {
+    return (PySwigObject *) pyobj;
+  } else {
+    PyObject *obj = 0;
+#if (!defined(SWIG_PYTHON_SLOW_GETSET_THIS) && (PY_VERSION_HEX >= 0x02030000))
+    if (PyInstance_Check(pyobj)) {
+      obj = _PyInstance_Lookup(pyobj, SWIG_This());      
+    } else {
+      PyObject **dictptr = _PyObject_GetDictPtr(pyobj);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	obj = dict ? PyDict_GetItem(dict, SWIG_This()) : 0;
+      } else {
+#ifdef PyWeakref_CheckProxy
+	if (PyWeakref_CheckProxy(pyobj)) {
+	  PyObject *wobj = PyWeakref_GET_OBJECT(pyobj);
+	  return wobj ? SWIG_Python_GetSwigThis(wobj) : 0;
+	}
+#endif
+	obj = PyObject_GetAttr(pyobj,SWIG_This());
+	if (obj) {
+	  Py_DECREF(obj);
+	} else {
+	  if (PyErr_Occurred()) PyErr_Clear();
+	  return 0;
+	}
+      }
+    }
+#else
+    obj = PyObject_GetAttr(pyobj,SWIG_This());
+    if (obj) {
+      Py_DECREF(obj);
+    } else {
+      if (PyErr_Occurred()) PyErr_Clear();
+      return 0;
+    }
+#endif
+    if (obj && !PySwigObject_Check(obj)) {
+      /* a PyObject is called 'this', try to get the 'real this'
+	 PySwigObject from it */ 
+      return SWIG_Python_GetSwigThis(obj);
+    }
+    return (PySwigObject *)obj;
+  }
+}
+
+/* Acquire a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_AcquirePtr(PyObject *obj, int own) {
+  if (own == SWIG_POINTER_OWN) {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    if (sobj) {
+      int oldown = sobj->own;
+      sobj->own = own;
+      return oldown;
+    }
+  }
+  return 0;
+}
+
+/* Convert a pointer value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int flags, int *own) {
+  if (!obj) return SWIG_ERROR;
+  if (obj == Py_None) {
+    if (ptr) *ptr = 0;
+    return SWIG_OK;
+  } else {
+    PySwigObject *sobj = SWIG_Python_GetSwigThis(obj);
+    if (own)
+      *own = 0;
+    while (sobj) {
+      void *vptr = sobj->ptr;
+      if (ty) {
+	swig_type_info *to = sobj->ty;
+	if (to == ty) {
+	  /* no type cast needed */
+	  if (ptr) *ptr = vptr;
+	  break;
+	} else {
+	  swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+	  if (!tc) {
+	    sobj = (PySwigObject *)sobj->next;
+	  } else {
+	    if (ptr) {
+              int newmemory = 0;
+              *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+              if (newmemory == SWIG_CAST_NEW_MEMORY) {
+                assert(own);
+                if (own)
+                  *own = *own | SWIG_CAST_NEW_MEMORY;
+              }
+            }
+	    break;
+	  }
+	}
+      } else {
+	if (ptr) *ptr = vptr;
+	break;
+      }
+    }
+    if (sobj) {
+      if (own)
+        *own = *own | sobj->own;
+      if (flags & SWIG_POINTER_DISOWN) {
+	sobj->own = 0;
+      }
+      return SWIG_OK;
+    } else {
+      int res = SWIG_ERROR;
+      if (flags & SWIG_POINTER_IMPLICIT_CONV) {
+	PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0;
+	if (data && !data->implicitconv) {
+	  PyObject *klass = data->klass;
+	  if (klass) {
+	    PyObject *impconv;
+	    data->implicitconv = 1; /* avoid recursion and call 'explicit' constructors*/
+	    impconv = SWIG_Python_CallFunctor(klass, obj);
+	    data->implicitconv = 0;
+	    if (PyErr_Occurred()) {
+	      PyErr_Clear();
+	      impconv = 0;
+	    }
+	    if (impconv) {
+	      PySwigObject *iobj = SWIG_Python_GetSwigThis(impconv);
+	      if (iobj) {
+		void *vptr;
+		res = SWIG_Python_ConvertPtrAndOwn((PyObject*)iobj, &vptr, ty, 0, 0);
+		if (SWIG_IsOK(res)) {
+		  if (ptr) {
+		    *ptr = vptr;
+		    /* transfer the ownership to 'ptr' */
+		    iobj->own = 0;
+		    res = SWIG_AddCast(res);
+		    res = SWIG_AddNewMask(res);
+		  } else {
+		    res = SWIG_AddCast(res);		    
+		  }
+		}
+	      }
+	      Py_DECREF(impconv);
+	    }
+	  }
+	}
+      }
+      return res;
+    }
+  }
+}
+
+/* Convert a function ptr value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) {
+  if (!PyCFunction_Check(obj)) {
+    return SWIG_ConvertPtr(obj, ptr, ty, 0);
+  } else {
+    void *vptr = 0;
+    
+    /* here we get the method pointer for callbacks */
+    const char *doc = (((PyCFunctionObject *)obj) -> m_ml -> ml_doc);
+    const char *desc = doc ? strstr(doc, "swig_ptr: ") : 0;
+    if (desc) {
+      desc = ty ? SWIG_UnpackVoidPtr(desc + 10, &vptr, ty->name) : 0;
+      if (!desc) return SWIG_ERROR;
+    }
+    if (ty) {
+      swig_cast_info *tc = SWIG_TypeCheck(desc,ty);
+      if (tc) {
+        int newmemory = 0;
+        *ptr = SWIG_TypeCast(tc,vptr,&newmemory);
+        assert(!newmemory); /* newmemory handling not yet implemented */
+      } else {
+        return SWIG_ERROR;
+      }
+    } else {
+      *ptr = vptr;
+    }
+    return SWIG_OK;
+  }
+}
+
+/* Convert a packed value value */
+
+SWIGRUNTIME int
+SWIG_Python_ConvertPacked(PyObject *obj, void *ptr, size_t sz, swig_type_info *ty) {
+  swig_type_info *to = PySwigPacked_UnpackData(obj, ptr, sz);
+  if (!to) return SWIG_ERROR;
+  if (ty) {
+    if (to != ty) {
+      /* check type cast? */
+      swig_cast_info *tc = SWIG_TypeCheck(to->name,ty);
+      if (!tc) return SWIG_ERROR;
+    }
+  }
+  return SWIG_OK;
+}  
+
+/* -----------------------------------------------------------------------------
+ * Create a new pointer object
+ * ----------------------------------------------------------------------------- */
+
+/*
+  Create a new instance object, whitout calling __init__, and set the
+  'this' attribute.
+*/
+
+SWIGRUNTIME PyObject* 
+SWIG_Python_NewShadowInstance(PySwigClientData *data, PyObject *swig_this)
+{
+#if (PY_VERSION_HEX >= 0x02020000)
+  PyObject *inst = 0;
+  PyObject *newraw = data->newraw;
+  if (newraw) {
+    inst = PyObject_Call(newraw, data->newargs, NULL);
+    if (inst) {
+#if !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+      PyObject **dictptr = _PyObject_GetDictPtr(inst);
+      if (dictptr != NULL) {
+	PyObject *dict = *dictptr;
+	if (dict == NULL) {
+	  dict = PyDict_New();
+	  *dictptr = dict;
+	  PyDict_SetItem(dict, SWIG_This(), swig_this);
+	}
+      }
+#else
+      PyObject *key = SWIG_This();
+      PyObject_SetAttr(inst, key, swig_this);
+#endif
+    }
+  } else {
+    PyObject *dict = PyDict_New();
+    PyDict_SetItem(dict, SWIG_This(), swig_this);
+    inst = PyInstance_NewRaw(data->newargs, dict);
+    Py_DECREF(dict);
+  }
+  return inst;
+#else
+#if (PY_VERSION_HEX >= 0x02010000)
+  PyObject *inst;
+  PyObject *dict = PyDict_New();
+  PyDict_SetItem(dict, SWIG_This(), swig_this);
+  inst = PyInstance_NewRaw(data->newargs, dict);
+  Py_DECREF(dict);
+  return (PyObject *) inst;
+#else
+  PyInstanceObject *inst = PyObject_NEW(PyInstanceObject, &PyInstance_Type);
+  if (inst == NULL) {
+    return NULL;
+  }
+  inst->in_class = (PyClassObject *)data->newargs;
+  Py_INCREF(inst->in_class);
+  inst->in_dict = PyDict_New();
+  if (inst->in_dict == NULL) {
+    Py_DECREF(inst);
+    return NULL;
+  }
+#ifdef Py_TPFLAGS_HAVE_WEAKREFS
+  inst->in_weakreflist = NULL;
+#endif
+#ifdef Py_TPFLAGS_GC
+  PyObject_GC_Init(inst);
+#endif
+  PyDict_SetItem(inst->in_dict, SWIG_This(), swig_this);
+  return (PyObject *) inst;
+#endif
+#endif
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetSwigThis(PyObject *inst, PyObject *swig_this)
+{
+ PyObject *dict;
+#if (PY_VERSION_HEX >= 0x02020000) && !defined(SWIG_PYTHON_SLOW_GETSET_THIS)
+ PyObject **dictptr = _PyObject_GetDictPtr(inst);
+ if (dictptr != NULL) {
+   dict = *dictptr;
+   if (dict == NULL) {
+     dict = PyDict_New();
+     *dictptr = dict;
+   }
+   PyDict_SetItem(dict, SWIG_This(), swig_this);
+   return;
+ }
+#endif
+ dict = PyObject_GetAttrString(inst, (char*)"__dict__");
+ PyDict_SetItem(dict, SWIG_This(), swig_this);
+ Py_DECREF(dict);
+} 
+
+
+SWIGINTERN PyObject *
+SWIG_Python_InitShadowInstance(PyObject *args) {
+  PyObject *obj[2];
+  if (!SWIG_Python_UnpackTuple(args,(char*)"swiginit", 2, 2, obj)) {
+    return NULL;
+  } else {
+    PySwigObject *sthis = SWIG_Python_GetSwigThis(obj[0]);
+    if (sthis) {
+      PySwigObject_append((PyObject*) sthis, obj[1]);
+    } else {
+      SWIG_Python_SetSwigThis(obj[0], obj[1]);
+    }
+    return SWIG_Py_Void();
+  }
+}
+
+/* Create a new pointer object */
+
+SWIGRUNTIME PyObject *
+SWIG_Python_NewPointerObj(void *ptr, swig_type_info *type, int flags) {
+  if (!ptr) {
+    return SWIG_Py_Void();
+  } else {
+    int own = (flags & SWIG_POINTER_OWN) ? SWIG_POINTER_OWN : 0;
+    PyObject *robj = PySwigObject_New(ptr, type, own);
+    PySwigClientData *clientdata = type ? (PySwigClientData *)(type->clientdata) : 0;
+    if (clientdata && !(flags & SWIG_POINTER_NOSHADOW)) {
+      PyObject *inst = SWIG_Python_NewShadowInstance(clientdata, robj);
+      if (inst) {
+	Py_DECREF(robj);
+	robj = inst;
+      }
+    }
+    return robj;
+  }
+}
+
+/* Create a new packed object */
+
+SWIGRUNTIMEINLINE PyObject *
+SWIG_Python_NewPackedObj(void *ptr, size_t sz, swig_type_info *type) {
+  return ptr ? PySwigPacked_New((void *) ptr, sz, type) : SWIG_Py_Void();
+}
+
+/* -----------------------------------------------------------------------------*
+ *  Get type list 
+ * -----------------------------------------------------------------------------*/
+
+#ifdef SWIG_LINK_RUNTIME
+void *SWIG_ReturnGlobalTypeList(void *);
+#endif
+
+SWIGRUNTIME swig_module_info *
+SWIG_Python_GetModule(void) {
+  static void *type_pointer = (void *)0;
+  /* first check if module already created */
+  if (!type_pointer) {
+#ifdef SWIG_LINK_RUNTIME
+    type_pointer = SWIG_ReturnGlobalTypeList((void *)0);
+#else
+    type_pointer = PyCObject_Import((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				    (char*)"type_pointer" SWIG_TYPE_TABLE_NAME);
+    if (PyErr_Occurred()) {
+      PyErr_Clear();
+      type_pointer = (void *)0;
+    }
+#endif
+  }
+  return (swig_module_info *) type_pointer;
+}
+
+#if PY_MAJOR_VERSION < 2
+/* PyModule_AddObject function was introduced in Python 2.0.  The following function
+   is copied out of Python/modsupport.c in python version 2.3.4 */
+SWIGINTERN int
+PyModule_AddObject(PyObject *m, char *name, PyObject *o)
+{
+  PyObject *dict;
+  if (!PyModule_Check(m)) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs module as first arg");
+    return SWIG_ERROR;
+  }
+  if (!o) {
+    PyErr_SetString(PyExc_TypeError,
+		    "PyModule_AddObject() needs non-NULL value");
+    return SWIG_ERROR;
+  }
+  
+  dict = PyModule_GetDict(m);
+  if (dict == NULL) {
+    /* Internal error -- modules must have a dict! */
+    PyErr_Format(PyExc_SystemError, "module '%s' has no __dict__",
+		 PyModule_GetName(m));
+    return SWIG_ERROR;
+  }
+  if (PyDict_SetItemString(dict, name, o))
+    return SWIG_ERROR;
+  Py_DECREF(o);
+  return SWIG_OK;
+}
+#endif
+
+SWIGRUNTIME void
+SWIG_Python_DestroyModule(void *vptr)
+{
+  swig_module_info *swig_module = (swig_module_info *) vptr;
+  swig_type_info **types = swig_module->types;
+  size_t i;
+  for (i =0; i < swig_module->size; ++i) {
+    swig_type_info *ty = types[i];
+    if (ty->owndata) {
+      PySwigClientData *data = (PySwigClientData *) ty->clientdata;
+      if (data) PySwigClientData_Del(data);
+    }
+  }
+  Py_DECREF(SWIG_This());
+}
+
+SWIGRUNTIME void
+SWIG_Python_SetModule(swig_module_info *swig_module) {
+  static PyMethodDef swig_empty_runtime_method_table[] = { {NULL, NULL, 0, NULL} };/* Sentinel */
+
+  PyObject *module = Py_InitModule((char*)"swig_runtime_data" SWIG_RUNTIME_VERSION,
+				   swig_empty_runtime_method_table);
+  PyObject *pointer = PyCObject_FromVoidPtr((void *) swig_module, SWIG_Python_DestroyModule);
+  if (pointer && module) {
+    PyModule_AddObject(module, (char*)"type_pointer" SWIG_TYPE_TABLE_NAME, pointer);
+  } else {
+    Py_XDECREF(pointer);
+  }
+}
+
+/* The python cached type query */
+SWIGRUNTIME PyObject *
+SWIG_Python_TypeCache(void) {
+  static PyObject *SWIG_STATIC_POINTER(cache) = PyDict_New();
+  return cache;
+}
+
+SWIGRUNTIME swig_type_info *
+SWIG_Python_TypeQuery(const char *type)
+{
+  PyObject *cache = SWIG_Python_TypeCache();
+  PyObject *key = PyString_FromString(type); 
+  PyObject *obj = PyDict_GetItem(cache, key);
+  swig_type_info *descriptor;
+  if (obj) {
+    descriptor = (swig_type_info *) PyCObject_AsVoidPtr(obj);
+  } else {
+    swig_module_info *swig_module = SWIG_Python_GetModule();
+    descriptor = SWIG_TypeQueryModule(swig_module, swig_module, type);
+    if (descriptor) {
+      obj = PyCObject_FromVoidPtr(descriptor, NULL);
+      PyDict_SetItem(cache, key, obj);
+      Py_DECREF(obj);
+    }
+  }
+  Py_DECREF(key);
+  return descriptor;
+}
+
+/* 
+   For backward compatibility only
+*/
+#define SWIG_POINTER_EXCEPTION  0
+#define SWIG_arg_fail(arg)      SWIG_Python_ArgFail(arg)
+#define SWIG_MustGetPtr(p, type, argnum, flags)  SWIG_Python_MustGetPtr(p, type, argnum, flags)
+
+SWIGRUNTIME int
+SWIG_Python_AddErrMesg(const char* mesg, int infront)
+{
+  if (PyErr_Occurred()) {
+    PyObject *type = 0;
+    PyObject *value = 0;
+    PyObject *traceback = 0;
+    PyErr_Fetch(&type, &value, &traceback);
+    if (value) {
+      PyObject *old_str = PyObject_Str(value);
+      Py_XINCREF(type);
+      PyErr_Clear();
+      if (infront) {
+	PyErr_Format(type, "%s %s", mesg, PyString_AsString(old_str));
+      } else {
+	PyErr_Format(type, "%s %s", PyString_AsString(old_str), mesg);
+      }
+      Py_DECREF(old_str);
+    }
+    return 1;
+  } else {
+    return 0;
+  }
+}
+  
+SWIGRUNTIME int
+SWIG_Python_ArgFail(int argnum)
+{
+  if (PyErr_Occurred()) {
+    /* add information about failing argument */
+    char mesg[256];
+    PyOS_snprintf(mesg, sizeof(mesg), "argument number %d:", argnum);
+    return SWIG_Python_AddErrMesg(mesg, 1);
+  } else {
+    return 0;
+  }
+}
+
+SWIGRUNTIMEINLINE const char *
+PySwigObject_GetDesc(PyObject *self)
+{
+  PySwigObject *v = (PySwigObject *)self;
+  swig_type_info *ty = v ? v->ty : 0;
+  return ty ? ty->str : (char*)"";
+}
+
+SWIGRUNTIME void
+SWIG_Python_TypeError(const char *type, PyObject *obj)
+{
+  if (type) {
+#if defined(SWIG_COBJECT_TYPES)
+    if (obj && PySwigObject_Check(obj)) {
+      const char *otype = (const char *) PySwigObject_GetDesc(obj);
+      if (otype) {
+	PyErr_Format(PyExc_TypeError, "a '%s' is expected, 'PySwigObject(%s)' is received",
+		     type, otype);
+	return;
+      }
+    } else 
+#endif      
+    {
+      const char *otype = (obj ? obj->ob_type->tp_name : 0); 
+      if (otype) {
+	PyObject *str = PyObject_Str(obj);
+	const char *cstr = str ? PyString_AsString(str) : 0;
+	if (cstr) {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s(%s)' is received",
+		       type, otype, cstr);
+	} else {
+	  PyErr_Format(PyExc_TypeError, "a '%s' is expected, '%s' is received",
+		       type, otype);
+	}
+	Py_XDECREF(str);
+	return;
+      }
+    }   
+    PyErr_Format(PyExc_TypeError, "a '%s' is expected", type);
+  } else {
+    PyErr_Format(PyExc_TypeError, "unexpected type is received");
+  }
+}
+
+
+/* Convert a pointer value, signal an exception on a type mismatch */
+SWIGRUNTIME void *
+SWIG_Python_MustGetPtr(PyObject *obj, swig_type_info *ty, int argnum, int flags) {
+  void *result;
+  if (SWIG_Python_ConvertPtr(obj, &result, ty, flags) == -1) {
+    PyErr_Clear();
+    if (flags & SWIG_POINTER_EXCEPTION) {
+      SWIG_Python_TypeError(SWIG_TypePrettyName(ty), obj);
+      SWIG_Python_ArgFail(argnum);
+    }
+  }
+  return result;
+}
+
+
+#ifdef __cplusplus
+#if 0
+{ /* cc-mode */
+#endif
+}
+#endif
+
+
+
+#define SWIG_exception_fail(code, msg) do { SWIG_Error(code, msg); SWIG_fail; } while(0) 
+
+#define SWIG_contract_assert(expr, msg) if (!(expr)) { SWIG_Error(SWIG_RuntimeError, msg); SWIG_fail; } else 
+
+
+
+/* -------- TYPES TABLE (BEGIN) -------- */
+
+#define SWIGTYPE_p_TDB_DATA swig_types[0]
+#define SWIGTYPE_p_char swig_types[1]
+#define SWIGTYPE_p_int swig_types[2]
+#define SWIGTYPE_p_long_long swig_types[3]
+#define SWIGTYPE_p_short swig_types[4]
+#define SWIGTYPE_p_signed_char swig_types[5]
+#define SWIGTYPE_p_tdb_context swig_types[6]
+#define SWIGTYPE_p_unsigned_char swig_types[7]
+#define SWIGTYPE_p_unsigned_int swig_types[8]
+#define SWIGTYPE_p_unsigned_long_long swig_types[9]
+#define SWIGTYPE_p_unsigned_short swig_types[10]
+static swig_type_info *swig_types[12];
+static swig_module_info swig_module = {swig_types, 11, 0, 0, 0, 0};
+#define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
+#define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
+
+/* -------- TYPES TABLE (END) -------- */
+
+#if (PY_VERSION_HEX <= 0x02000000)
+# if !defined(SWIG_PYTHON_CLASSIC)
+#  error "This python version requires swig to be run with the '-classic' option"
+# endif
+#endif
+#if (PY_VERSION_HEX <= 0x02020000)
+# error "This python version requires swig to be run with the '-nomodern' option"
+#endif
+#if (PY_VERSION_HEX <= 0x02020000)
+# error "This python version requires swig to be run with the '-nomodernargs' option"
+#endif
+#ifndef METH_O
+# error "This python version requires swig to be run with the '-nofastunpack' option"
+#endif
+#ifdef SWIG_TypeQuery
+# undef SWIG_TypeQuery
+#endif
+#define SWIG_TypeQuery SWIG_Python_TypeQuery
+
+/*-----------------------------------------------
+              @(target):= _tdb.so
+  ------------------------------------------------*/
+#define SWIG_init    init_tdb
+
+#define SWIG_name    "_tdb"
+
+#define SWIGVERSION 0x010335 
+#define SWIG_VERSION SWIGVERSION
+
+
+#define SWIG_as_voidptr(a) (void *)((const void *)(a)) 
+#define SWIG_as_voidptrptr(a) ((void)SWIG_as_voidptr(*a),(void**)(a)) 
+
+
+
+/* This symbol is used in both includes.h and Python.h which causes an
+   annoying compiler warning. */
+
+#ifdef HAVE_FSTAT
+#undef HAVE_FSTAT
+#endif
+
+/* Include tdb headers */
+#include <stdint.h>
+#include <signal.h>
+#include <tdb.h>
+#include <fcntl.h>
+
+typedef TDB_CONTEXT tdb;
+
+
+  #define SWIG_From_long   PyInt_FromLong 
+
+
+SWIGINTERNINLINE PyObject *
+SWIG_From_int  (int value)
+{    
+  return SWIG_From_long  (value);
+}
+
+
+SWIGINTERN swig_type_info*
+SWIG_pchar_descriptor(void)
+{
+  static int init = 0;
+  static swig_type_info* info = 0;
+  if (!init) {
+    info = SWIG_TypeQuery("_p_char");
+    init = 1;
+  }
+  return info;
+}
+
+
+SWIGINTERN int
+SWIG_AsCharPtrAndSize(PyObject *obj, char** cptr, size_t* psize, int *alloc)
+{
+  if (PyString_Check(obj)) {
+    char *cstr; Py_ssize_t len;
+    PyString_AsStringAndSize(obj, &cstr, &len);
+    if (cptr)  {
+      if (alloc) {
+	/* 
+	   In python the user should not be able to modify the inner
+	   string representation. To warranty that, if you define
+	   SWIG_PYTHON_SAFE_CSTRINGS, a new/copy of the python string
+	   buffer is always returned.
+
+	   The default behavior is just to return the pointer value,
+	   so, be careful.
+	*/ 
+#if defined(SWIG_PYTHON_SAFE_CSTRINGS)
+	if (*alloc != SWIG_OLDOBJ) 
+#else
+	if (*alloc == SWIG_NEWOBJ) 
+#endif
+	  {
+	    *cptr = (char *)memcpy((char *)malloc((len + 1)*sizeof(char)), cstr, sizeof(char)*(len + 1));
+	    *alloc = SWIG_NEWOBJ;
+	  }
+	else {
+	  *cptr = cstr;
+	  *alloc = SWIG_OLDOBJ;
+	}
+      } else {
+	*cptr = PyString_AsString(obj);
+      }
+    }
+    if (psize) *psize = len + 1;
+    return SWIG_OK;
+  } else {
+    swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
+    if (pchar_descriptor) {
+      void* vptr = 0;
+      if (SWIG_ConvertPtr(obj, &vptr, pchar_descriptor, 0) == SWIG_OK) {
+	if (cptr) *cptr = (char *) vptr;
+	if (psize) *psize = vptr ? (strlen((char *)vptr) + 1) : 0;
+	if (alloc) *alloc = SWIG_OLDOBJ;
+	return SWIG_OK;
+      }
+    }
+  }
+  return SWIG_TypeError;
+}
+
+
+
+
+
+#include <limits.h>
+#if !defined(SWIG_NO_LLONG_MAX)
+# if !defined(LLONG_MAX) && defined(__GNUC__) && defined (__LONG_LONG_MAX__)
+#   define LLONG_MAX __LONG_LONG_MAX__
+#   define LLONG_MIN (-LLONG_MAX - 1LL)
+#   define ULLONG_MAX (LLONG_MAX * 2ULL + 1ULL)
+# endif
+#endif
+
+
+SWIGINTERN int
+SWIG_AsVal_double (PyObject *obj, double *val)
+{
+  int res = SWIG_TypeError;
+  if (PyFloat_Check(obj)) {
+    if (val) *val = PyFloat_AsDouble(obj);
+    return SWIG_OK;
+  } else if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    double v = PyLong_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    double d = PyFloat_AsDouble(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = d;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      long v = PyLong_AsLong(obj);
+      if (!PyErr_Occurred()) {
+	if (val) *val = v;
+	return SWIG_AddCast(SWIG_AddCast(SWIG_OK));
+      } else {
+	PyErr_Clear();
+      }
+    }
+  }
+#endif
+  return res;
+}
+
+
+#include <float.h>
+
+
+#include <math.h>
+
+
+SWIGINTERNINLINE int
+SWIG_CanCastAsInteger(double *d, double min, double max) {
+  double x = *d;
+  if ((min <= x && x <= max)) {
+   double fx = floor(x);
+   double cx = ceil(x);
+   double rd =  ((x - fx) < 0.5) ? fx : cx; /* simple rint */
+   if ((errno == EDOM) || (errno == ERANGE)) {
+     errno = 0;
+   } else {
+     double summ, reps, diff;
+     if (rd < x) {
+       diff = x - rd;
+     } else if (rd > x) {
+       diff = rd - x;
+     } else {
+       return 1;
+     }
+     summ = rd + x;
+     reps = diff/summ;
+     if (reps < 8*DBL_EPSILON) {
+       *d = rd;
+       return 1;
+     }
+   }
+  }
+  return 0;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_long (PyObject *obj, long* val)
+{
+  if (PyInt_Check(obj)) {
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
+  } else if (PyLong_Check(obj)) {
+    long v = PyLong_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      PyErr_Clear();
+    }
+  }
+#ifdef SWIG_PYTHON_CAST_MODE
+  {
+    int dispatch = 0;
+    long v = PyInt_AsLong(obj);
+    if (!PyErr_Occurred()) {
+      if (val) *val = v;
+      return SWIG_AddCast(SWIG_OK);
+    } else {
+      PyErr_Clear();
+    }
+    if (!dispatch) {
+      double d;
+      int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
+	if (val) *val = (long)(d);
+	return res;
+      }
+    }
+  }
+#endif
+  return SWIG_TypeError;
+}
+
+
+SWIGINTERN int
+SWIG_AsVal_int (PyObject * obj, int *val)
+{
+  long v;
+  int res = SWIG_AsVal_long (obj, &v);
+  if (SWIG_IsOK(res)) {
+    if ((v < INT_MIN || v > INT_MAX)) {
+      return SWIG_OverflowError;
+    } else {
+      if (val) *val = (int)(v);
+    }
+  }  
+  return res;
+}
+
+SWIGINTERN tdb *new_tdb(char const *name,int hash_size,int tdb_flags,int flags,mode_t mode){
+            return tdb_open(name, hash_size, tdb_flags, flags, mode);
+        }
+SWIGINTERN void delete_tdb(tdb *self){ tdb_close(self); }
+
+SWIGINTERNINLINE PyObject *
+SWIG_FromCharPtrAndSize(const char* carray, size_t size)
+{
+  if (carray) {
+    if (size > INT_MAX) {
+      swig_type_info* pchar_descriptor = SWIG_pchar_descriptor();
+      return pchar_descriptor ? 
+	SWIG_NewPointerObj((char *)(carray), pchar_descriptor, 0) : SWIG_Py_Void();
+    } else {
+      return PyString_FromStringAndSize(carray, (int)(size));
+    }
+  } else {
+    return SWIG_Py_Void();
+  }
+}
+
+
+SWIGINTERNINLINE PyObject * 
+SWIG_FromCharPtr(const char *cptr)
+{ 
+  return SWIG_FromCharPtrAndSize(cptr, (cptr ? strlen(cptr) : 0));
+}
+
+
+SWIGINTERNINLINE PyObject* 
+SWIG_From_unsigned_SS_long  (unsigned long value)
+{
+  return (value > LONG_MAX) ?
+    PyLong_FromUnsignedLong(value) : PyInt_FromLong((long)(value)); 
+}
+
+
+SWIGINTERNINLINE PyObject *
+SWIG_From_size_t  (size_t value)
+{    
+  return SWIG_From_unsigned_SS_long  ((unsigned long)(value));
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+SWIGINTERN PyObject *_wrap_new_Tdb(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  char *arg1 = (char *) 0 ;
+  int arg2 ;
+  int arg3 ;
+  int arg4 ;
+  mode_t arg5 ;
+  tdb *result = 0 ;
+  int res1 ;
+  char *buf1 = 0 ;
+  int alloc1 = 0 ;
+  int val2 ;
+  int ecode2 = 0 ;
+  int val3 ;
+  int ecode3 = 0 ;
+  int val4 ;
+  int ecode4 = 0 ;
+  int val5 ;
+  int ecode5 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  PyObject * obj3 = 0 ;
+  PyObject * obj4 = 0 ;
+  char *  kwnames[] = {
+    (char *) "name",(char *) "hash_size",(char *) "tdb_flags",(char *) "flags",(char *) "mode", NULL 
+  };
+  
+  arg2 = 0;
+  arg3 = TDB_DEFAULT;
+  arg4 = O_RDWR;
+  arg5 = 0600;
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"O|OOOO:new_Tdb",kwnames,&obj0,&obj1,&obj2,&obj3,&obj4)) SWIG_fail;
+  res1 = SWIG_AsCharPtrAndSize(obj0, &buf1, NULL, &alloc1);
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "new_Tdb" "', argument " "1"" of type '" "char const *""'");
+  }
+  arg1 = (char *)(buf1);
+  if (obj1) {
+    ecode2 = SWIG_AsVal_int(obj1, &val2);
+    if (!SWIG_IsOK(ecode2)) {
+      SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "new_Tdb" "', argument " "2"" of type '" "int""'");
+    } 
+    arg2 = (int)(val2);
+  }
+  if (obj2) {
+    ecode3 = SWIG_AsVal_int(obj2, &val3);
+    if (!SWIG_IsOK(ecode3)) {
+      SWIG_exception_fail(SWIG_ArgError(ecode3), "in method '" "new_Tdb" "', argument " "3"" of type '" "int""'");
+    } 
+    arg3 = (int)(val3);
+  }
+  if (obj3) {
+    ecode4 = SWIG_AsVal_int(obj3, &val4);
+    if (!SWIG_IsOK(ecode4)) {
+      SWIG_exception_fail(SWIG_ArgError(ecode4), "in method '" "new_Tdb" "', argument " "4"" of type '" "int""'");
+    } 
+    arg4 = (int)(val4);
+  }
+  if (obj4) {
+    ecode5 = SWIG_AsVal_int(obj4, &val5);
+    if (!SWIG_IsOK(ecode5)) {
+      SWIG_exception_fail(SWIG_ArgError(ecode5), "in method '" "new_Tdb" "', argument " "5"" of type '" "mode_t""'");
+    } 
+    arg5 = (mode_t)(val5);
+  }
+  result = (tdb *)new_tdb((char const *)arg1,arg2,arg3,arg4,arg5);
+  /* Throw an IOError exception from errno if tdb_open() returns NULL */
+  if (result == NULL) {
+    PyErr_SetFromErrno(PyExc_IOError);
+    SWIG_fail;
+  }
+  resultobj = SWIG_NewPointerObj(result, SWIGTYPE_p_tdb_context, 0);
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return resultobj;
+fail:
+  if (alloc1 == SWIG_NEWOBJ) free((char*)buf1);
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_error(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  enum TDB_ERROR result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_error" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (enum TDB_ERROR)tdb_error(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_delete_Tdb(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, SWIG_POINTER_DISOWN |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "delete_Tdb" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  delete_tdb(arg1);
+  
+  resultobj = SWIG_Py_Void();
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_close(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_close" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_close(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_append(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  TDB_DATA arg3 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key",(char *) "new_dbuf", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OOO:Tdb_append",kwnames,&obj0,&obj1,&obj2)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_append" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  if (obj2 == Py_None) {
+    (&arg3)->dsize = 0;
+    (&arg3)->dptr = NULL;
+  } else if (!PyString_Check(obj2)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg3)->dsize = PyString_Size(obj2);
+    (&arg3)->dptr = (uint8_t *)PyString_AsString(obj2);
+  }
+  result = (int)tdb_append(arg1,arg2,arg3);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_errorstr(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  char *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_errorstr" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (char *)tdb_errorstr(arg1);
+  resultobj = SWIG_FromCharPtr((const char *)result);
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_get(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  TDB_DATA result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:Tdb_get",kwnames,&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_get" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  result = tdb_fetch(arg1,arg2);
+  if ((&result)->dptr == NULL && (&result)->dsize == 0) {
+    resultobj = Py_None;
+  } else {
+    resultobj = PyString_FromStringAndSize((const char *)(&result)->dptr, (&result)->dsize);
+    free((&result)->dptr);
+  }
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_delete(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:Tdb_delete",kwnames,&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_delete" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  result = (int)tdb_delete(arg1,arg2);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_store(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  TDB_DATA arg3 ;
+  int arg4 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int val4 ;
+  int ecode4 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  PyObject * obj2 = 0 ;
+  PyObject * obj3 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key",(char *) "dbuf",(char *) "flag", NULL 
+  };
+  
+  arg4 = TDB_REPLACE;
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OOO|O:Tdb_store",kwnames,&obj0,&obj1,&obj2,&obj3)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_store" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  if (obj2 == Py_None) {
+    (&arg3)->dsize = 0;
+    (&arg3)->dptr = NULL;
+  } else if (!PyString_Check(obj2)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg3)->dsize = PyString_Size(obj2);
+    (&arg3)->dptr = (uint8_t *)PyString_AsString(obj2);
+  }
+  if (obj3) {
+    ecode4 = SWIG_AsVal_int(obj3, &val4);
+    if (!SWIG_IsOK(ecode4)) {
+      SWIG_exception_fail(SWIG_ArgError(ecode4), "in method '" "Tdb_store" "', argument " "4"" of type '" "int""'");
+    } 
+    arg4 = (int)(val4);
+  }
+  result = (int)tdb_store(arg1,arg2,arg3,arg4);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_exists(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:Tdb_exists",kwnames,&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_exists" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  result = (int)tdb_exists(arg1,arg2);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_firstkey(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_firstkey" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = tdb_firstkey(arg1);
+  if ((&result)->dptr == NULL && (&result)->dsize == 0) {
+    resultobj = Py_None;
+  } else {
+    resultobj = PyString_FromStringAndSize((const char *)(&result)->dptr, (&result)->dsize);
+    free((&result)->dptr);
+  }
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_nextkey(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  TDB_DATA arg2 ;
+  TDB_DATA result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "key", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:Tdb_nextkey",kwnames,&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_nextkey" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  if (obj1 == Py_None) {
+    (&arg2)->dsize = 0;
+    (&arg2)->dptr = NULL;
+  } else if (!PyString_Check(obj1)) {
+    PyErr_SetString(PyExc_TypeError, "string arg expected");
+    return NULL;
+  } else {
+    (&arg2)->dsize = PyString_Size(obj1);
+    (&arg2)->dptr = (uint8_t *)PyString_AsString(obj1);
+  }
+  result = tdb_nextkey(arg1,arg2);
+  if ((&result)->dptr == NULL && (&result)->dsize == 0) {
+    resultobj = Py_None;
+  } else {
+    resultobj = PyString_FromStringAndSize((const char *)(&result)->dptr, (&result)->dsize);
+    free((&result)->dptr);
+  }
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_lock_all(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_lock_all" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_lockall(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_unlock_all(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_unlock_all" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_unlockall(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_read_lock_all(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_read_lock_all" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_lockall_read(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_read_unlock_all(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_read_unlock_all" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_unlockall_read(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_reopen(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_reopen" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_reopen(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_transaction_start(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_transaction_start" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_transaction_start(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_transaction_commit(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_transaction_commit" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_transaction_commit(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_transaction_cancel(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_transaction_cancel" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_transaction_cancel(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_transaction_recover(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_transaction_recover" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_transaction_recover(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_hash_size(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_hash_size" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_hash_size(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_map_size(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  size_t result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_map_size" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = tdb_map_size(arg1);
+  resultobj = SWIG_From_size_t((size_t)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_get_flags(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int result;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_get_flags" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (int)tdb_get_flags(arg1);
+  resultobj = SWIG_From_int((int)(result));
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_set_max_dead(PyObject *SWIGUNUSEDPARM(self), PyObject *args, PyObject *kwargs) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  int arg2 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  int val2 ;
+  int ecode2 = 0 ;
+  PyObject * obj0 = 0 ;
+  PyObject * obj1 = 0 ;
+  char *  kwnames[] = {
+    (char *) "self",(char *) "max_dead", NULL 
+  };
+  
+  if (!PyArg_ParseTupleAndKeywords(args,kwargs,(char *)"OO:Tdb_set_max_dead",kwnames,&obj0,&obj1)) SWIG_fail;
+  res1 = SWIG_ConvertPtr(obj0, &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_set_max_dead" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  ecode2 = SWIG_AsVal_int(obj1, &val2);
+  if (!SWIG_IsOK(ecode2)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode2), "in method '" "Tdb_set_max_dead" "', argument " "2"" of type '" "int""'");
+  } 
+  arg2 = (int)(val2);
+  tdb_set_max_dead(arg1,arg2);
+  resultobj = SWIG_Py_Void();
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *_wrap_Tdb_name(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *resultobj = 0;
+  tdb *arg1 = (tdb *) 0 ;
+  char *result = 0 ;
+  void *argp1 = 0 ;
+  int res1 = 0 ;
+  PyObject *swig_obj[1] ;
+  
+  if (!args) SWIG_fail;
+  swig_obj[0] = args;
+  res1 = SWIG_ConvertPtr(swig_obj[0], &argp1,SWIGTYPE_p_tdb_context, 0 |  0 );
+  if (!SWIG_IsOK(res1)) {
+    SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "Tdb_name" "', argument " "1"" of type '" "tdb *""'"); 
+  }
+  arg1 = (tdb *)(argp1);
+  result = (char *)tdb_name(arg1);
+  resultobj = SWIG_FromCharPtr((const char *)result);
+  return resultobj;
+fail:
+  return NULL;
+}
+
+
+SWIGINTERN PyObject *Tdb_swigregister(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  PyObject *obj;
+  if (!SWIG_Python_UnpackTuple(args,(char*)"swigregister", 1, 1,&obj)) return NULL;
+  SWIG_TypeNewClientData(SWIGTYPE_p_tdb_context, SWIG_NewClientData(obj));
+  return SWIG_Py_Void();
+}
+
+SWIGINTERN PyObject *Tdb_swiginit(PyObject *SWIGUNUSEDPARM(self), PyObject *args) {
+  return SWIG_Python_InitShadowInstance(args);
+}
+
+static PyMethodDef SwigMethods[] = {
+	 { (char *)"new_Tdb", (PyCFunction) _wrap_new_Tdb, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.__init__(name,hash_size=0,tdb_flags=TDB_DEFAULT,flags=O_RDWR,mode=0600)\n"
+		"Open a TDB file.\n"
+		""},
+	 { (char *)"Tdb_error", (PyCFunction)_wrap_Tdb_error, METH_O, (char *)"\n"
+		"S.error() -> int\n"
+		"Find last error number returned by operation on this TDB.\n"
+		""},
+	 { (char *)"delete_Tdb", (PyCFunction)_wrap_delete_Tdb, METH_O, NULL},
+	 { (char *)"Tdb_close", (PyCFunction)_wrap_Tdb_close, METH_O, (char *)"\n"
+		"S.close() -> None\n"
+		"Close the TDB file.\n"
+		""},
+	 { (char *)"Tdb_append", (PyCFunction) _wrap_Tdb_append, METH_VARARGS | METH_KEYWORDS, NULL},
+	 { (char *)"Tdb_errorstr", (PyCFunction)_wrap_Tdb_errorstr, METH_O, (char *)"\n"
+		"S.errorstr() -> errorstring\n"
+		"Obtain last error message.\n"
+		""},
+	 { (char *)"Tdb_get", (PyCFunction) _wrap_Tdb_get, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.fetch(key) -> value\n"
+		"Fetch a value.\n"
+		""},
+	 { (char *)"Tdb_delete", (PyCFunction) _wrap_Tdb_delete, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.delete(key) -> None\n"
+		"Delete an entry.\n"
+		""},
+	 { (char *)"Tdb_store", (PyCFunction) _wrap_Tdb_store, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.store(key, value, flag=TDB_REPLACE) -> None\n"
+		"Store an entry.\n"
+		""},
+	 { (char *)"Tdb_exists", (PyCFunction) _wrap_Tdb_exists, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.exists(key) -> bool\n"
+		"Check whether key exists in this database.\n"
+		""},
+	 { (char *)"Tdb_firstkey", (PyCFunction)_wrap_Tdb_firstkey, METH_O, (char *)"\n"
+		"S.firstkey() -> data\n"
+		"Return the first key in this database.\n"
+		""},
+	 { (char *)"Tdb_nextkey", (PyCFunction) _wrap_Tdb_nextkey, METH_VARARGS | METH_KEYWORDS, (char *)"\n"
+		"S.nextkey(prev) -> data\n"
+		"Return the next key in this database.\n"
+		""},
+	 { (char *)"Tdb_lock_all", (PyCFunction)_wrap_Tdb_lock_all, METH_O, (char *)"S.lockall() -> bool"},
+	 { (char *)"Tdb_unlock_all", (PyCFunction)_wrap_Tdb_unlock_all, METH_O, (char *)"S.unlockall() -> bool"},
+	 { (char *)"Tdb_read_lock_all", (PyCFunction)_wrap_Tdb_read_lock_all, METH_O, NULL},
+	 { (char *)"Tdb_read_unlock_all", (PyCFunction)_wrap_Tdb_read_unlock_all, METH_O, NULL},
+	 { (char *)"Tdb_reopen", (PyCFunction)_wrap_Tdb_reopen, METH_O, (char *)"\n"
+		"S.reopen() -> bool\n"
+		"Reopen this file.\n"
+		""},
+	 { (char *)"Tdb_transaction_start", (PyCFunction)_wrap_Tdb_transaction_start, METH_O, (char *)"\n"
+		"S.transaction_start() -> None\n"
+		"Start a new transaction.\n"
+		""},
+	 { (char *)"Tdb_transaction_commit", (PyCFunction)_wrap_Tdb_transaction_commit, METH_O, (char *)"\n"
+		"S.transaction_commit() -> None\n"
+		"Commit the currently active transaction.\n"
+		""},
+	 { (char *)"Tdb_transaction_cancel", (PyCFunction)_wrap_Tdb_transaction_cancel, METH_O, (char *)"\n"
+		"S.transaction_cancel() -> None\n"
+		"Cancel the currently active transaction.\n"
+		""},
+	 { (char *)"Tdb_transaction_recover", (PyCFunction)_wrap_Tdb_transaction_recover, METH_O, NULL},
+	 { (char *)"Tdb_hash_size", (PyCFunction)_wrap_Tdb_hash_size, METH_O, (char *)"S.hash_size() -> int"},
+	 { (char *)"Tdb_map_size", (PyCFunction)_wrap_Tdb_map_size, METH_O, (char *)"S.map_size() -> int"},
+	 { (char *)"Tdb_get_flags", (PyCFunction)_wrap_Tdb_get_flags, METH_O, (char *)"S.get_flags() -> int"},
+	 { (char *)"Tdb_set_max_dead", (PyCFunction) _wrap_Tdb_set_max_dead, METH_VARARGS | METH_KEYWORDS, (char *)"S.set_max_dead(int) -> None"},
+	 { (char *)"Tdb_name", (PyCFunction)_wrap_Tdb_name, METH_O, (char *)"\n"
+		"S.name() -> path\n"
+		"Return filename of this TDB file.\n"
+		""},
+	 { (char *)"Tdb_swigregister", Tdb_swigregister, METH_VARARGS, NULL},
+	 { (char *)"Tdb_swiginit", Tdb_swiginit, METH_VARARGS, NULL},
+	 { NULL, NULL, 0, NULL }
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
+
+static swig_type_info _swigt__p_TDB_DATA = {"_p_TDB_DATA", "TDB_DATA *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_int = {"_p_int", "intptr_t *|int *|int_least32_t *|int_fast32_t *|int32_t *|int_fast16_t *|mode_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_long_long = {"_p_long_long", "int_least64_t *|int_fast64_t *|int64_t *|long long *|intmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_short = {"_p_short", "short *|int_least16_t *|int16_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_signed_char = {"_p_signed_char", "signed char *|int_least8_t *|int_fast8_t *|int8_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_tdb_context = {"_p_tdb_context", "struct tdb_context *|tdb *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_char = {"_p_unsigned_char", "unsigned char *|uint_least8_t *|uint_fast8_t *|uint8_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "uintptr_t *|uint_least32_t *|uint_fast32_t *|uint32_t *|unsigned int *|uint_fast16_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_long_long = {"_p_unsigned_long_long", "uint_least64_t *|uint_fast64_t *|uint64_t *|unsigned long long *|uintmax_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|uint_least16_t *|uint16_t *", 0, 0, (void*)0, 0};
+
+static swig_type_info *swig_type_initial[] = {
+  &_swigt__p_TDB_DATA,
+  &_swigt__p_char,
+  &_swigt__p_int,
+  &_swigt__p_long_long,
+  &_swigt__p_short,
+  &_swigt__p_signed_char,
+  &_swigt__p_tdb_context,
+  &_swigt__p_unsigned_char,
+  &_swigt__p_unsigned_int,
+  &_swigt__p_unsigned_long_long,
+  &_swigt__p_unsigned_short,
+};
+
+static swig_cast_info _swigc__p_TDB_DATA[] = {  {&_swigt__p_TDB_DATA, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_char[] = {  {&_swigt__p_char, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_int[] = {  {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_long_long[] = {  {&_swigt__p_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_short[] = {  {&_swigt__p_short, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_signed_char[] = {  {&_swigt__p_signed_char, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_tdb_context[] = {  {&_swigt__p_tdb_context, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_char[] = {  {&_swigt__p_unsigned_char, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_int[] = {  {&_swigt__p_unsigned_int, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_long_long[] = {  {&_swigt__p_unsigned_long_long, 0, 0, 0},{0, 0, 0, 0}};
+static swig_cast_info _swigc__p_unsigned_short[] = {  {&_swigt__p_unsigned_short, 0, 0, 0},{0, 0, 0, 0}};
+
+static swig_cast_info *swig_cast_initial[] = {
+  _swigc__p_TDB_DATA,
+  _swigc__p_char,
+  _swigc__p_int,
+  _swigc__p_long_long,
+  _swigc__p_short,
+  _swigc__p_signed_char,
+  _swigc__p_tdb_context,
+  _swigc__p_unsigned_char,
+  _swigc__p_unsigned_int,
+  _swigc__p_unsigned_long_long,
+  _swigc__p_unsigned_short,
+};
+
+
+/* -------- TYPE CONVERSION AND EQUIVALENCE RULES (END) -------- */
+
+static swig_const_info swig_const_table[] = {
+{0, 0, 0, 0.0, 0, 0}};
+
+#ifdef __cplusplus
+}
+#endif
+/* -----------------------------------------------------------------------------
+ * Type initialization:
+ * This problem is tough by the requirement that no dynamic 
+ * memory is used. Also, since swig_type_info structures store pointers to 
+ * swig_cast_info structures and swig_cast_info structures store pointers back
+ * to swig_type_info structures, we need some lookup code at initialization. 
+ * The idea is that swig generates all the structures that are needed. 
+ * The runtime then collects these partially filled structures. 
+ * The SWIG_InitializeModule function takes these initial arrays out of 
+ * swig_module, and does all the lookup, filling in the swig_module.types
+ * array with the correct data and linking the correct swig_cast_info
+ * structures together.
+ *
+ * The generated swig_type_info structures are assigned staticly to an initial 
+ * array. We just loop through that array, and handle each type individually.
+ * First we lookup if this type has been already loaded, and if so, use the
+ * loaded structure instead of the generated one. Then we have to fill in the
+ * cast linked list. The cast data is initially stored in something like a
+ * two-dimensional array. Each row corresponds to a type (there are the same
+ * number of rows as there are in the swig_type_initial array). Each entry in
+ * a column is one of the swig_cast_info structures for that type.
+ * The cast_initial array is actually an array of arrays, because each row has
+ * a variable number of columns. So to actually build the cast linked list,
+ * we find the array of casts associated with the type, and loop through it 
+ * adding the casts to the list. The one last trick we need to do is making
+ * sure the type pointer in the swig_cast_info struct is correct.
+ *
+ * First off, we lookup the cast->type name to see if it is already loaded. 
+ * There are three cases to handle:
+ *  1) If the cast->type has already been loaded AND the type we are adding
+ *     casting info to has not been loaded (it is in this module), THEN we
+ *     replace the cast->type pointer with the type pointer that has already
+ *     been loaded.
+ *  2) If BOTH types (the one we are adding casting info to, and the 
+ *     cast->type) are loaded, THEN the cast info has already been loaded by
+ *     the previous module so we just ignore it.
+ *  3) Finally, if cast->type has not already been loaded, then we add that
+ *     swig_cast_info to the linked list (because the cast->type) pointer will
+ *     be correct.
+ * ----------------------------------------------------------------------------- */
+
+#ifdef __cplusplus
+extern "C" {
+#if 0
+} /* c-mode */
+#endif
+#endif
+
+#if 0
+#define SWIGRUNTIME_DEBUG
+#endif
+
+
+SWIGRUNTIME void
+SWIG_InitializeModule(void *clientdata) {
+  size_t i;
+  swig_module_info *module_head, *iter;
+  int found, init;
+  
+  clientdata = clientdata;
+  
+  /* check to see if the circular list has been setup, if not, set it up */
+  if (swig_module.next==0) {
+    /* Initialize the swig_module */
+    swig_module.type_initial = swig_type_initial;
+    swig_module.cast_initial = swig_cast_initial;
+    swig_module.next = &swig_module;
+    init = 1;
+  } else {
+    init = 0;
+  }
+  
+  /* Try and load any already created modules */
+  module_head = SWIG_GetModule(clientdata);
+  if (!module_head) {
+    /* This is the first module loaded for this interpreter */
+    /* so set the swig module into the interpreter */
+    SWIG_SetModule(clientdata, &swig_module);
+    module_head = &swig_module;
+  } else {
+    /* the interpreter has loaded a SWIG module, but has it loaded this one? */
+    found=0;
+    iter=module_head;
+    do {
+      if (iter==&swig_module) {
+        found=1;
+        break;
+      }
+      iter=iter->next;
+    } while (iter!= module_head);
+    
+    /* if the is found in the list, then all is done and we may leave */
+    if (found) return;
+    /* otherwise we must add out module into the list */
+    swig_module.next = module_head->next;
+    module_head->next = &swig_module;
+  }
+  
+  /* When multiple interpeters are used, a module could have already been initialized in
+       a different interpreter, but not yet have a pointer in this interpreter.
+       In this case, we do not want to continue adding types... everything should be
+       set up already */
+  if (init == 0) return;
+  
+  /* Now work on filling in swig_module.types */
+#ifdef SWIGRUNTIME_DEBUG
+  printf("SWIG_InitializeModule: size %d\n", swig_module.size);
+#endif
+  for (i = 0; i < swig_module.size; ++i) {
+    swig_type_info *type = 0;
+    swig_type_info *ret;
+    swig_cast_info *cast;
+    
+#ifdef SWIGRUNTIME_DEBUG
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+#endif
+    
+    /* if there is another module already loaded */
+    if (swig_module.next != &swig_module) {
+      type = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, swig_module.type_initial[i]->name);
+    }
+    if (type) {
+      /* Overwrite clientdata field */
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: found type %s\n", type->name);
+#endif
+      if (swig_module.type_initial[i]->clientdata) {
+        type->clientdata = swig_module.type_initial[i]->clientdata;
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: found and overwrite type %s \n", type->name);
+#endif
+      }
+    } else {
+      type = swig_module.type_initial[i];
+    }
+    
+    /* Insert casting types */
+    cast = swig_module.cast_initial[i];
+    while (cast->type) {
+      /* Don't need to add information already in the list */
+      ret = 0;
+#ifdef SWIGRUNTIME_DEBUG
+      printf("SWIG_InitializeModule: look cast %s\n", cast->type->name);
+#endif
+      if (swig_module.next != &swig_module) {
+        ret = SWIG_MangledTypeQueryModule(swig_module.next, &swig_module, cast->type->name);
+#ifdef SWIGRUNTIME_DEBUG
+        if (ret) printf("SWIG_InitializeModule: found cast %s\n", ret->name);
+#endif
+      }
+      if (ret) {
+        if (type == swig_module.type_initial[i]) {
+#ifdef SWIGRUNTIME_DEBUG
+          printf("SWIG_InitializeModule: skip old type %s\n", ret->name);
+#endif
+          cast->type = ret;
+          ret = 0;
+        } else {
+          /* Check for casting already in the list */
+          swig_cast_info *ocast = SWIG_TypeCheck(ret->name, type);
+#ifdef SWIGRUNTIME_DEBUG
+          if (ocast) printf("SWIG_InitializeModule: skip old cast %s\n", ret->name);
+#endif
+          if (!ocast) ret = 0;
+        }
+      }
+      
+      if (!ret) {
+#ifdef SWIGRUNTIME_DEBUG
+        printf("SWIG_InitializeModule: adding cast %s\n", cast->type->name);
+#endif
+        if (type->cast) {
+          type->cast->prev = cast;
+          cast->next = type->cast;
+        }
+        type->cast = cast;
+      }
+      cast++;
+    }
+    /* Set entry in modules->types array equal to the type */
+    swig_module.types[i] = type;
+  }
+  swig_module.types[i] = 0;
+  
+#ifdef SWIGRUNTIME_DEBUG
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+  for (i = 0; i < swig_module.size; ++i) {
+    int j = 0;
+    swig_cast_info *cast = swig_module.cast_initial[i];
+    printf("SWIG_InitializeModule: type %d %s\n", i, swig_module.type_initial[i]->name);
+    while (cast->type) {
+      printf("SWIG_InitializeModule: cast type %s\n", cast->type->name);
+      cast++;
+      ++j;
+    }
+    printf("---- Total casts: %d\n",j);
+  }
+  printf("**** SWIG_InitializeModule: Cast List ******\n");
+#endif
+}
+
+/* This function will propagate the clientdata field of type to
+* any new swig_type_info structures that have been added into the list
+* of equivalent types.  It is like calling
+* SWIG_TypeClientData(type, clientdata) a second time.
+*/
+SWIGRUNTIME void
+SWIG_PropagateClientData(void) {
+  size_t i;
+  swig_cast_info *equiv;
+  static int init_run = 0;
+  
+  if (init_run) return;
+  init_run = 1;
+  
+  for (i = 0; i < swig_module.size; i++) {
+    if (swig_module.types[i]->clientdata) {
+      equiv = swig_module.types[i]->cast;
+      while (equiv) {
+        if (!equiv->converter) {
+          if (equiv->type && !equiv->type->clientdata)
+          SWIG_TypeClientData(equiv->type, swig_module.types[i]->clientdata);
+        }
+        equiv = equiv->next;
+      }
+    }
+  }
+}
+
+#ifdef __cplusplus
+#if 0
+{
+  /* c-mode */
+#endif
+}
+#endif
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+  
+  /* Python-specific SWIG API */
+#define SWIG_newvarlink()                             SWIG_Python_newvarlink()
+#define SWIG_addvarlink(p, name, get_attr, set_attr)  SWIG_Python_addvarlink(p, name, get_attr, set_attr)
+#define SWIG_InstallConstants(d, constants)           SWIG_Python_InstallConstants(d, constants)
+  
+  /* -----------------------------------------------------------------------------
+   * global variable support code.
+   * ----------------------------------------------------------------------------- */
+  
+  typedef struct swig_globalvar {
+    char       *name;                  /* Name of global variable */
+    PyObject *(*get_attr)(void);       /* Return the current value */
+    int       (*set_attr)(PyObject *); /* Set the value */
+    struct swig_globalvar *next;
+  } swig_globalvar;
+  
+  typedef struct swig_varlinkobject {
+    PyObject_HEAD
+    swig_globalvar *vars;
+  } swig_varlinkobject;
+  
+  SWIGINTERN PyObject *
+  swig_varlink_repr(swig_varlinkobject *SWIGUNUSEDPARM(v)) {
+    return PyString_FromString("<Swig global variables>");
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_str(swig_varlinkobject *v) {
+    PyObject *str = PyString_FromString("(");
+    swig_globalvar  *var;
+    for (var = v->vars; var; var=var->next) {
+      PyString_ConcatAndDel(&str,PyString_FromString(var->name));
+      if (var->next) PyString_ConcatAndDel(&str,PyString_FromString(", "));
+    }
+    PyString_ConcatAndDel(&str,PyString_FromString(")"));
+    return str;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_print(swig_varlinkobject *v, FILE *fp, int SWIGUNUSEDPARM(flags)) {
+    PyObject *str = swig_varlink_str(v);
+    fprintf(fp,"Swig global variables ");
+    fprintf(fp,"%s\n", PyString_AsString(str));
+    Py_DECREF(str);
+    return 0;
+  }
+  
+  SWIGINTERN void
+  swig_varlink_dealloc(swig_varlinkobject *v) {
+    swig_globalvar *var = v->vars;
+    while (var) {
+      swig_globalvar *n = var->next;
+      free(var->name);
+      free(var);
+      var = n;
+    }
+  }
+  
+  SWIGINTERN PyObject *
+  swig_varlink_getattr(swig_varlinkobject *v, char *n) {
+    PyObject *res = NULL;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->get_attr)();
+        break;
+      }
+      var = var->next;
+    }
+    if (res == NULL && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN int
+  swig_varlink_setattr(swig_varlinkobject *v, char *n, PyObject *p) {
+    int res = 1;
+    swig_globalvar *var = v->vars;
+    while (var) {
+      if (strcmp(var->name,n) == 0) {
+        res = (*var->set_attr)(p);
+        break;
+      }
+      var = var->next;
+    }
+    if (res == 1 && !PyErr_Occurred()) {
+      PyErr_SetString(PyExc_NameError,"Unknown C global variable");
+    }
+    return res;
+  }
+  
+  SWIGINTERN PyTypeObject*
+  swig_varlink_type(void) {
+    static char varlink__doc__[] = "Swig var link object";
+    static PyTypeObject varlink_type;
+    static int type_init = 0;  
+    if (!type_init) {
+      const PyTypeObject tmp
+      = {
+        PyObject_HEAD_INIT(NULL)
+        0,                                  /* Number of items in variable part (ob_size) */
+        (char *)"swigvarlink",              /* Type name (tp_name) */
+        sizeof(swig_varlinkobject),         /* Basic size (tp_basicsize) */
+        0,                                  /* Itemsize (tp_itemsize) */
+        (destructor) swig_varlink_dealloc,   /* Deallocator (tp_dealloc) */ 
+        (printfunc) swig_varlink_print,     /* Print (tp_print) */
+        (getattrfunc) swig_varlink_getattr, /* get attr (tp_getattr) */
+        (setattrfunc) swig_varlink_setattr, /* Set attr (tp_setattr) */
+        0,                                  /* tp_compare */
+        (reprfunc) swig_varlink_repr,       /* tp_repr */
+        0,                                  /* tp_as_number */
+        0,                                  /* tp_as_sequence */
+        0,                                  /* tp_as_mapping */
+        0,                                  /* tp_hash */
+        0,                                  /* tp_call */
+        (reprfunc)swig_varlink_str,        /* tp_str */
+        0,                                  /* tp_getattro */
+        0,                                  /* tp_setattro */
+        0,                                  /* tp_as_buffer */
+        0,                                  /* tp_flags */
+        varlink__doc__,                     /* tp_doc */
+        0,                                  /* tp_traverse */
+        0,                                  /* tp_clear */
+        0,                                  /* tp_richcompare */
+        0,                                  /* tp_weaklistoffset */
+#if PY_VERSION_HEX >= 0x02020000
+        0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* tp_iter -> tp_weaklist */
+#endif
+#if PY_VERSION_HEX >= 0x02030000
+        0,                                  /* tp_del */
+#endif
+#ifdef COUNT_ALLOCS
+        0,0,0,0                             /* tp_alloc -> tp_next */
+#endif
+      };
+      varlink_type = tmp;
+      varlink_type.ob_type = &PyType_Type;
+      type_init = 1;
+    }
+    return &varlink_type;
+  }
+  
+  /* Create a variable linking object for use later */
+  SWIGINTERN PyObject *
+  SWIG_Python_newvarlink(void) {
+    swig_varlinkobject *result = PyObject_NEW(swig_varlinkobject, swig_varlink_type());
+    if (result) {
+      result->vars = 0;
+    }
+    return ((PyObject*) result);
+  }
+  
+  SWIGINTERN void 
+  SWIG_Python_addvarlink(PyObject *p, char *name, PyObject *(*get_attr)(void), int (*set_attr)(PyObject *p)) {
+    swig_varlinkobject *v = (swig_varlinkobject *) p;
+    swig_globalvar *gv = (swig_globalvar *) malloc(sizeof(swig_globalvar));
+    if (gv) {
+      size_t size = strlen(name)+1;
+      gv->name = (char *)malloc(size);
+      if (gv->name) {
+        strncpy(gv->name,name,size);
+        gv->get_attr = get_attr;
+        gv->set_attr = set_attr;
+        gv->next = v->vars;
+      }
+    }
+    v->vars = gv;
+  }
+  
+  SWIGINTERN PyObject *
+  SWIG_globals(void) {
+    static PyObject *_SWIG_globals = 0; 
+    if (!_SWIG_globals) _SWIG_globals = SWIG_newvarlink();  
+    return _SWIG_globals;
+  }
+  
+  /* -----------------------------------------------------------------------------
+   * constants/methods manipulation
+   * ----------------------------------------------------------------------------- */
+  
+  /* Install Constants */
+  SWIGINTERN void
+  SWIG_Python_InstallConstants(PyObject *d, swig_const_info constants[]) {
+    PyObject *obj = 0;
+    size_t i;
+    for (i = 0; constants[i].type; ++i) {
+      switch(constants[i].type) {
+      case SWIG_PY_POINTER:
+        obj = SWIG_NewPointerObj(constants[i].pvalue, *(constants[i]).ptype,0);
+        break;
+      case SWIG_PY_BINARY:
+        obj = SWIG_NewPackedObj(constants[i].pvalue, constants[i].lvalue, *(constants[i].ptype));
+        break;
+      default:
+        obj = 0;
+        break;
+      }
+      if (obj) {
+        PyDict_SetItemString(d, constants[i].name, obj);
+        Py_DECREF(obj);
+      }
+    }
+  }
+  
+  /* -----------------------------------------------------------------------------*/
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  /* -----------------------------------------------------------------------------*/
+  
+  SWIGINTERN void
+  SWIG_Python_FixMethods(PyMethodDef *methods,
+    swig_const_info *const_table,
+    swig_type_info **types,
+    swig_type_info **types_initial) {
+    size_t i;
+    for (i = 0; methods[i].ml_name; ++i) {
+      const char *c = methods[i].ml_doc;
+      if (c && (c = strstr(c, "swig_ptr: "))) {
+        int j;
+        swig_const_info *ci = 0;
+        const char *name = c + 10;
+        for (j = 0; const_table[j].type; ++j) {
+          if (strncmp(const_table[j].name, name, 
+              strlen(const_table[j].name)) == 0) {
+            ci = &(const_table[j]);
+            break;
+          }
+        }
+        if (ci) {
+          size_t shift = (ci->ptype) - types;
+          swig_type_info *ty = types_initial[shift];
+          size_t ldoc = (c - methods[i].ml_doc);
+          size_t lptr = strlen(ty->name)+2*sizeof(void*)+2;
+          char *ndoc = (char*)malloc(ldoc + lptr + 10);
+          if (ndoc) {
+            char *buff = ndoc;
+            void *ptr = (ci->type == SWIG_PY_POINTER) ? ci->pvalue : 0;
+            if (ptr) {
+              strncpy(buff, methods[i].ml_doc, ldoc);
+              buff += ldoc;
+              strncpy(buff, "swig_ptr: ", 10);
+              buff += 10;
+              SWIG_PackVoidPtr(buff, ptr, ty->name, lptr);
+              methods[i].ml_doc = ndoc;
+            }
+          }
+        }
+      }
+    }
+  } 
+  
+#ifdef __cplusplus
+}
+#endif
+
+/* -----------------------------------------------------------------------------*
+ *  Partial Init method
+ * -----------------------------------------------------------------------------*/
+
+#ifdef __cplusplus
+extern "C"
+#endif
+SWIGEXPORT void SWIG_init(void) {
+  PyObject *m, *d;
+  
+  /* Fix SwigMethods to carry the callback ptrs when needed */
+  SWIG_Python_FixMethods(SwigMethods, swig_const_table, swig_types, swig_type_initial);
+  
+  m = Py_InitModule((char *) SWIG_name, SwigMethods);
+  d = PyModule_GetDict(m);
+  
+  SWIG_InitializeModule(0);
+  SWIG_InstallConstants(d,swig_const_table);
+  
+  
+  SWIG_Python_SetConstant(d, "REPLACE",SWIG_From_int((int)(TDB_REPLACE)));
+  SWIG_Python_SetConstant(d, "INSERT",SWIG_From_int((int)(TDB_INSERT)));
+  SWIG_Python_SetConstant(d, "MODIFY",SWIG_From_int((int)(TDB_MODIFY)));
+  SWIG_Python_SetConstant(d, "DEFAULT",SWIG_From_int((int)(TDB_DEFAULT)));
+  SWIG_Python_SetConstant(d, "CLEAR_IF_FIRST",SWIG_From_int((int)(TDB_CLEAR_IF_FIRST)));
+  SWIG_Python_SetConstant(d, "INTERNAL",SWIG_From_int((int)(TDB_INTERNAL)));
+  SWIG_Python_SetConstant(d, "NOLOCK",SWIG_From_int((int)(TDB_NOLOCK)));
+  SWIG_Python_SetConstant(d, "NOMMAP",SWIG_From_int((int)(TDB_NOMMAP)));
+  SWIG_Python_SetConstant(d, "CONVERT",SWIG_From_int((int)(TDB_CONVERT)));
+  SWIG_Python_SetConstant(d, "BIGENDIAN",SWIG_From_int((int)(TDB_BIGENDIAN)));
+  SWIG_Python_SetConstant(d, "TDB_SUCCESS",SWIG_From_int((int)(TDB_SUCCESS)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_CORRUPT",SWIG_From_int((int)(TDB_ERR_CORRUPT)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_IO",SWIG_From_int((int)(TDB_ERR_IO)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_LOCK",SWIG_From_int((int)(TDB_ERR_LOCK)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_OOM",SWIG_From_int((int)(TDB_ERR_OOM)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_EXISTS",SWIG_From_int((int)(TDB_ERR_EXISTS)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_NOLOCK",SWIG_From_int((int)(TDB_ERR_NOLOCK)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_LOCK_TIMEOUT",SWIG_From_int((int)(TDB_ERR_LOCK_TIMEOUT)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_NOEXIST",SWIG_From_int((int)(TDB_ERR_NOEXIST)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_EINVAL",SWIG_From_int((int)(TDB_ERR_EINVAL)));
+  SWIG_Python_SetConstant(d, "TDB_ERR_RDONLY",SWIG_From_int((int)(TDB_ERR_RDONLY)));
+}
+
diff --git a/source3/lib/tdb/tools/tdbbackup.c b/source3/lib/tdb/tools/tdbbackup.c
new file mode 100644
index 0000000000..6f3ca48314
--- /dev/null
+++ b/source3/lib/tdb/tools/tdbbackup.c
@@ -0,0 +1,300 @@
+/* 
+   Unix SMB/CIFS implementation.
+   low level tdb backup and restore utility
+   Copyright (C) Andrew Tridgell              2002
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+
+  This program is meant for backup/restore of tdb databases. Typical usage would be:
+     tdbbackup *.tdb
+  when Samba shuts down cleanly, which will make a backup of all the local databases
+  to *.bak files. Then on Samba startup you would use:
+     tdbbackup -v *.tdb
+  and this will check the databases for corruption and if corruption is detected then
+  the backup will be restored.
+
+  You may also like to do a backup on a regular basis while Samba is
+  running, perhaps using cron.
+
+  The reason this program is needed is to cope with power failures
+  while Samba is running. A power failure could lead to database
+  corruption and Samba will then not start correctly.
+
+  Note that many of the databases in Samba are transient and thus
+  don't need to be backed up, so you can optimise the above a little
+  by only running the backup on the critical databases.
+
+ */
+
+#include "replace.h"
+#include "system/locale.h"
+#include "system/time.h"
+#include "system/filesys.h"
+#include "system/wait.h"
+#include "tdb.h"
+
+#ifdef HAVE_GETOPT_H
+#include <getopt.h>
+#endif
+
+static int failed;
+
+static char *add_suffix(const char *name, const char *suffix)
+{
+	char *ret;
+	int len = strlen(name) + strlen(suffix) + 1;
+	ret = (char *)malloc(len);
+	if (!ret) {
+		fprintf(stderr,"Out of memory!\n");
+		exit(1);
+	}
+	snprintf(ret, len, "%s%s", name, suffix);
+	return ret;
+}
+
+static int copy_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	TDB_CONTEXT *tdb_new = (TDB_CONTEXT *)state;
+
+	if (tdb_store(tdb_new, key, dbuf, TDB_INSERT) != 0) {
+		fprintf(stderr,"Failed to insert into %s\n", tdb_name(tdb_new));
+		failed = 1;
+		return 1;
+	}
+	return 0;
+}
+
+
+static int test_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	return 0;
+}
+
+/*
+  carefully backup a tdb, validating the contents and
+  only doing the backup if its OK
+  this function is also used for restore
+*/
+static int backup_tdb(const char *old_name, const char *new_name, int hash_size)
+{
+	TDB_CONTEXT *tdb;
+	TDB_CONTEXT *tdb_new;
+	char *tmp_name;
+	struct stat st;
+	int count1, count2;
+
+	tmp_name = add_suffix(new_name, ".tmp");
+
+	/* stat the old tdb to find its permissions */
+	if (stat(old_name, &st) != 0) {
+		perror(old_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	/* open the old tdb */
+	tdb = tdb_open(old_name, 0, 0, O_RDWR, 0);
+	if (!tdb) {
+		printf("Failed to open %s\n", old_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	/* create the new tdb */
+	unlink(tmp_name);
+	tdb_new = tdb_open(tmp_name,
+			   hash_size ? hash_size : tdb_hash_size(tdb),
+			   TDB_DEFAULT, O_RDWR|O_CREAT|O_EXCL, 
+			   st.st_mode & 0777);
+	if (!tdb_new) {
+		perror(tmp_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	/* lock the old tdb */
+	if (tdb_lockall(tdb) != 0) {
+		fprintf(stderr,"Failed to lock %s\n", old_name);
+		tdb_close(tdb);
+		tdb_close(tdb_new);
+		unlink(tmp_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	failed = 0;
+
+	/* traverse and copy */
+	count1 = tdb_traverse(tdb, copy_fn, (void *)tdb_new);
+	if (count1 < 0 || failed) {
+		fprintf(stderr,"failed to copy %s\n", old_name);
+		tdb_close(tdb);
+		tdb_close(tdb_new);
+		unlink(tmp_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	/* close the old tdb */
+	tdb_close(tdb);
+
+	/* close the new tdb and re-open read-only */
+	tdb_close(tdb_new);
+	tdb_new = tdb_open(tmp_name, 0, TDB_DEFAULT, O_RDONLY, 0);
+	if (!tdb_new) {
+		fprintf(stderr,"failed to reopen %s\n", tmp_name);
+		unlink(tmp_name);
+		perror(tmp_name);
+		free(tmp_name);
+		return 1;
+	}
+	
+	/* traverse the new tdb to confirm */
+	count2 = tdb_traverse(tdb_new, test_fn, NULL);
+	if (count2 != count1) {
+		fprintf(stderr,"failed to copy %s\n", old_name);
+		tdb_close(tdb_new);
+		unlink(tmp_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	/* make sure the new tdb has reached stable storage */
+	fsync(tdb_fd(tdb_new));
+
+	/* close the new tdb and rename it to .bak */
+	tdb_close(tdb_new);
+	if (rename(tmp_name, new_name) != 0) {
+		perror(new_name);
+		free(tmp_name);
+		return 1;
+	}
+
+	free(tmp_name);
+
+	return 0;
+}
+
+/*
+  verify a tdb and if it is corrupt then restore from *.bak
+*/
+static int verify_tdb(const char *fname, const char *bak_name)
+{
+	TDB_CONTEXT *tdb;
+	int count = -1;
+
+	/* open the tdb */
+	tdb = tdb_open(fname, 0, 0, O_RDONLY, 0);
+
+	/* traverse the tdb, then close it */
+	if (tdb) {
+		count = tdb_traverse(tdb, test_fn, NULL);
+		tdb_close(tdb);
+	}
+
+	/* count is < 0 means an error */
+	if (count < 0) {
+		printf("restoring %s\n", fname);
+		return backup_tdb(bak_name, fname, 0);
+	}
+
+	printf("%s : %d records\n", fname, count);
+
+	return 0;
+}
+
+/*
+  see if one file is newer than another
+*/
+static int file_newer(const char *fname1, const char *fname2)
+{
+	struct stat st1, st2;
+	if (stat(fname1, &st1) != 0) {
+		return 0;
+	}
+	if (stat(fname2, &st2) != 0) {
+		return 1;
+	}
+	return (st1.st_mtime > st2.st_mtime);
+}
+
+static void usage(void)
+{
+	printf("Usage: tdbbackup [options] <fname...>\n\n");
+	printf("   -h            this help message\n");
+	printf("   -s suffix     set the backup suffix\n");
+	printf("   -v            verify mode (restore if corrupt)\n");
+	printf("   -n hashsize   set the new hash size for the backup\n");
+}
+		
+
+ int main(int argc, char *argv[])
+{
+	int i;
+	int ret = 0;
+	int c;
+	int verify = 0;
+	int hashsize = 0;
+	const char *suffix = ".bak";
+
+	while ((c = getopt(argc, argv, "vhs:n:")) != -1) {
+		switch (c) {
+		case 'h':
+			usage();
+			exit(0);
+		case 'v':
+			verify = 1;
+			break;
+		case 's':
+			suffix = optarg;
+			break;
+		case 'n':
+			hashsize = atoi(optarg);
+			break;
+		}
+	}
+
+	argc -= optind;
+	argv += optind;
+
+	if (argc < 1) {
+		usage();
+		exit(1);
+	}
+
+	for (i=0; i<argc; i++) {
+		const char *fname = argv[i];
+		char *bak_name;
+
+		bak_name = add_suffix(fname, suffix);
+
+		if (verify) {
+			if (verify_tdb(fname, bak_name) != 0) {
+				ret = 1;
+			}
+		} else {
+			if (file_newer(fname, bak_name) &&
+			    backup_tdb(fname, bak_name, hashsize) != 0) {
+				ret = 1;
+			}
+		}
+
+		free(bak_name);
+	}
+
+	return ret;
+}
diff --git a/source3/lib/tdb/tools/tdbdump.c b/source3/lib/tdb/tools/tdbdump.c
new file mode 100644
index 0000000000..8d930383b0
--- /dev/null
+++ b/source3/lib/tdb/tools/tdbdump.c
@@ -0,0 +1,116 @@
+/* 
+   Unix SMB/CIFS implementation.
+   simple tdb dump util
+   Copyright (C) Andrew Tridgell              2001
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "system/locale.h"
+#include "system/time.h"
+#include "system/filesys.h"
+#include "system/wait.h"
+#include "tdb.h"
+
+static void print_data(TDB_DATA d)
+{
+	unsigned char *p = (unsigned char *)d.dptr;
+	int len = d.dsize;
+	while (len--) {
+		if (isprint(*p) && !strchr("\"\\", *p)) {
+			fputc(*p, stdout);
+		} else {
+			printf("\\%02X", *p);
+		}
+		p++;
+	}
+}
+
+static int traverse_fn(TDB_CONTEXT *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	printf("{\n");
+	printf("key(%d) = \"", (int)key.dsize);
+	print_data(key);
+	printf("\"\n");
+	printf("data(%d) = \"", (int)dbuf.dsize);
+	print_data(dbuf);
+	printf("\"\n");
+	printf("}\n");
+	return 0;
+}
+
+static int dump_tdb(const char *fname, const char *keyname)
+{
+	TDB_CONTEXT *tdb;
+	TDB_DATA key, value;
+	
+	tdb = tdb_open(fname, 0, 0, O_RDONLY, 0);
+	if (!tdb) {
+		printf("Failed to open %s\n", fname);
+		return 1;
+	}
+
+	if (!keyname) {
+		tdb_traverse(tdb, traverse_fn, NULL);
+	} else {
+		key.dptr = discard_const_p(uint8_t,keyname);
+		key.dsize = strlen( keyname);
+		value = tdb_fetch(tdb, key);
+		if (!value.dptr) {
+			return 1;
+		} else {
+			print_data(value);
+			free(value.dptr);
+		}
+	}
+
+	return 0;
+}
+
+static void usage( void)
+{
+	printf( "Usage: tdbdump [options] <filename>\n\n");
+	printf( "   -h          this help message\n");
+	printf( "   -k keyname  dumps value of keyname\n");
+}
+
+ int main(int argc, char *argv[])
+{
+	char *fname, *keyname=NULL;
+	int c;
+
+	if (argc < 2) {
+		printf("Usage: tdbdump <fname>\n");
+		exit(1);
+	}
+
+	while ((c = getopt( argc, argv, "hk:")) != -1) {
+		switch (c) {
+		case 'h':
+			usage();
+			exit( 0);
+		case 'k':
+			keyname = optarg;
+			break;
+		default:
+			usage();
+			exit( 1);
+		}
+	}
+
+	fname = argv[optind];
+
+	return dump_tdb(fname, keyname);
+}
diff --git a/source3/lib/tdb/tools/tdbtest.c b/source3/lib/tdb/tools/tdbtest.c
new file mode 100644
index 0000000000..416bc50a5b
--- /dev/null
+++ b/source3/lib/tdb/tools/tdbtest.c
@@ -0,0 +1,265 @@
+/* a test program for tdb - the trivial database */
+
+#include "replace.h"
+#include "tdb.h"
+#include "system/filesys.h"
+#include "system/time.h"
+
+#include <gdbm.h>
+
+
+#define DELETE_PROB 7
+#define STORE_PROB 5
+
+static struct tdb_context *db;
+static GDBM_FILE gdbm;
+
+struct timeval tp1,tp2;
+
+static void _start_timer(void)
+{
+	gettimeofday(&tp1,NULL);
+}
+
+static double _end_timer(void)
+{
+	gettimeofday(&tp2,NULL);
+	return((tp2.tv_sec - tp1.tv_sec) + 
+	       (tp2.tv_usec - tp1.tv_usec)*1.0e-6);
+}
+
+static void fatal(const char *why)
+{
+	perror(why);
+	exit(1);
+}
+
+#ifdef PRINTF_ATTRIBUTE
+static void tdb_log(struct tdb_context *tdb, int level, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
+#endif
+static void tdb_log(struct tdb_context *tdb, int level, const char *format, ...)
+{
+	va_list ap;
+    
+	va_start(ap, format);
+	vfprintf(stdout, format, ap);
+	va_end(ap);
+	fflush(stdout);
+}
+
+static void compare_db(void)
+{
+	TDB_DATA d, key, nextkey;
+	datum gd, gkey, gnextkey;
+
+	key = tdb_firstkey(db);
+	while (key.dptr) {
+		d = tdb_fetch(db, key);
+		gkey.dptr = key.dptr;
+		gkey.dsize = key.dsize;
+
+		gd = gdbm_fetch(gdbm, gkey);
+
+		if (!gd.dptr) fatal("key not in gdbm");
+		if (gd.dsize != d.dsize) fatal("data sizes differ");
+		if (memcmp(gd.dptr, d.dptr, d.dsize)) {
+			fatal("data differs");
+		}
+
+		nextkey = tdb_nextkey(db, key);
+		free(key.dptr);
+		free(d.dptr);
+		free(gd.dptr);
+		key = nextkey;
+	}
+
+	gkey = gdbm_firstkey(gdbm);
+	while (gkey.dptr) {
+		gd = gdbm_fetch(gdbm, gkey);
+		key.dptr = gkey.dptr;
+		key.dsize = gkey.dsize;
+
+		d = tdb_fetch(db, key);
+
+		if (!d.dptr) fatal("key not in db");
+		if (d.dsize != gd.dsize) fatal("data sizes differ");
+		if (memcmp(d.dptr, gd.dptr, gd.dsize)) {
+			fatal("data differs");
+		}
+
+		gnextkey = gdbm_nextkey(gdbm, gkey);
+		free(gkey.dptr);
+		free(gd.dptr);
+		free(d.dptr);
+		gkey = gnextkey;
+	}
+}
+
+static char *randbuf(int len)
+{
+	char *buf;
+	int i;
+	buf = (char *)malloc(len+1);
+
+	for (i=0;i<len;i++) {
+		buf[i] = 'a' + (rand() % 26);
+	}
+	buf[i] = 0;
+	return buf;
+}
+
+static void addrec_db(void)
+{
+	int klen, dlen;
+	char *k, *d;
+	TDB_DATA key, data;
+
+	klen = 1 + (rand() % 4);
+	dlen = 1 + (rand() % 100);
+
+	k = randbuf(klen);
+	d = randbuf(dlen);
+
+	key.dptr = k;
+	key.dsize = klen+1;
+
+	data.dptr = d;
+	data.dsize = dlen+1;
+
+	if (rand() % DELETE_PROB == 0) {
+		tdb_delete(db, key);
+	} else if (rand() % STORE_PROB == 0) {
+		if (tdb_store(db, key, data, TDB_REPLACE) != 0) {
+			fatal("tdb_store failed");
+		}
+	} else {
+		data = tdb_fetch(db, key);
+		if (data.dptr) free(data.dptr);
+	}
+
+	free(k);
+	free(d);
+}
+
+static void addrec_gdbm(void)
+{
+	int klen, dlen;
+	char *k, *d;
+	datum key, data;
+
+	klen = 1 + (rand() % 4);
+	dlen = 1 + (rand() % 100);
+
+	k = randbuf(klen);
+	d = randbuf(dlen);
+
+	key.dptr = k;
+	key.dsize = klen+1;
+
+	data.dptr = d;
+	data.dsize = dlen+1;
+
+	if (rand() % DELETE_PROB == 0) {
+		gdbm_delete(gdbm, key);
+	} else if (rand() % STORE_PROB == 0) {
+		if (gdbm_store(gdbm, key, data, GDBM_REPLACE) != 0) {
+			fatal("gdbm_store failed");
+		}
+	} else {
+		data = gdbm_fetch(gdbm, key);
+		if (data.dptr) free(data.dptr);
+	}
+
+	free(k);
+	free(d);
+}
+
+static int traverse_fn(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+#if 0
+	printf("[%s] [%s]\n", key.dptr, dbuf.dptr);
+#endif
+	tdb_delete(tdb, key);
+	return 0;
+}
+
+static void merge_test(void)
+{
+	int i;
+	char keys[5][2];
+	char tdata[] = "test";
+	TDB_DATA key, data;
+	
+	for (i = 0; i < 5; i++) {
+		snprintf(keys[i],2, "%d", i);
+		key.dptr = keys[i];
+		key.dsize = 2;
+		
+		data.dptr = tdata;
+		data.dsize = 4;
+		
+		if (tdb_store(db, key, data, TDB_REPLACE) != 0) {
+			fatal("tdb_store failed");
+		}
+	}
+
+	key.dptr = keys[0];
+	tdb_delete(db, key);
+	key.dptr = keys[4];
+	tdb_delete(db, key);
+	key.dptr = keys[2];
+	tdb_delete(db, key);
+	key.dptr = keys[1];
+	tdb_delete(db, key);
+	key.dptr = keys[3];
+	tdb_delete(db, key);
+}
+
+ int main(int argc, const char *argv[])
+{
+	int i, seed=0;
+	int loops = 10000;
+	int num_entries;
+	char test_gdbm[] = "test.gdbm";
+
+	unlink("test.gdbm");
+
+	db = tdb_open("test.tdb", 0, TDB_CLEAR_IF_FIRST, 
+		      O_RDWR | O_CREAT | O_TRUNC, 0600);
+	gdbm = gdbm_open(test_gdbm, 512, GDBM_WRITER|GDBM_NEWDB|GDBM_FAST, 
+			 0600, NULL);
+
+	if (!db || !gdbm) {
+		fatal("db open failed");
+	}
+
+#if 1
+	srand(seed);
+	_start_timer();
+	for (i=0;i<loops;i++) addrec_gdbm();
+	printf("gdbm got %.2f ops/sec\n", i/_end_timer());
+#endif
+
+	merge_test();
+
+	srand(seed);
+	_start_timer();
+	for (i=0;i<loops;i++) addrec_db();
+	printf("tdb got %.2f ops/sec\n", i/_end_timer());
+
+	if (tdb_validate_freelist(db, &num_entries) == -1) {
+		printf("tdb freelist is corrupt\n");
+	} else {
+		printf("tdb freelist is good (%d entries)\n", num_entries);
+	}
+
+	compare_db();
+
+	printf("traversed %d records\n", tdb_traverse(db, traverse_fn, NULL));
+	printf("traversed %d records\n", tdb_traverse(db, traverse_fn, NULL));
+
+	tdb_close(db);
+	gdbm_close(gdbm);
+
+	return 0;
+}
diff --git a/source3/lib/tdb/tools/tdbtool.c b/source3/lib/tdb/tools/tdbtool.c
new file mode 100644
index 0000000000..d104ccd7c4
--- /dev/null
+++ b/source3/lib/tdb/tools/tdbtool.c
@@ -0,0 +1,659 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba database functions
+   Copyright (C) Andrew Tridgell              1999-2000
+   Copyright (C) Paul `Rusty' Russell		   2000
+   Copyright (C) Jeremy Allison			   2000
+   Copyright (C) Andrew Esh                        2001
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "replace.h"
+#include "system/locale.h"
+#include "system/time.h"
+#include "system/filesys.h"
+#include "system/wait.h"
+#include "tdb.h"
+
+static int do_command(void);
+const char *cmdname;
+char *arg1, *arg2;
+size_t arg1len, arg2len;
+int bIterate = 0;
+char *line;
+TDB_DATA iterate_kbuf;
+char cmdline[1024];
+static int disable_mmap;
+
+enum commands {
+	CMD_CREATE_TDB,
+	CMD_OPEN_TDB,
+	CMD_ERASE,
+	CMD_DUMP,
+	CMD_INSERT,
+	CMD_MOVE,
+	CMD_STORE,
+	CMD_SHOW,
+	CMD_KEYS,
+	CMD_HEXKEYS,
+	CMD_DELETE,
+	CMD_LIST_HASH_FREE,
+	CMD_LIST_FREE,
+	CMD_INFO,
+	CMD_MMAP,
+	CMD_SPEED,
+	CMD_FIRST,
+	CMD_NEXT,
+	CMD_SYSTEM,
+	CMD_QUIT,
+	CMD_HELP
+};
+
+typedef struct {
+	const char *name;
+	enum commands cmd;
+} COMMAND_TABLE;
+
+COMMAND_TABLE cmd_table[] = {
+	{"create",	CMD_CREATE_TDB},
+	{"open",	CMD_OPEN_TDB},
+	{"erase",	CMD_ERASE},
+	{"dump",	CMD_DUMP},
+	{"insert",	CMD_INSERT},
+	{"move",	CMD_MOVE},
+	{"store",	CMD_STORE},
+	{"show",	CMD_SHOW},
+	{"keys",	CMD_KEYS},
+	{"hexkeys",	CMD_HEXKEYS},
+	{"delete",	CMD_DELETE},
+	{"list",	CMD_LIST_HASH_FREE},
+	{"free",	CMD_LIST_FREE},
+	{"info",	CMD_INFO},
+	{"speed",	CMD_SPEED},
+	{"mmap",	CMD_MMAP},
+	{"first",	CMD_FIRST},
+	{"1",		CMD_FIRST},
+	{"next",	CMD_NEXT},
+	{"n",		CMD_NEXT},
+	{"quit",	CMD_QUIT},
+	{"q",		CMD_QUIT},
+	{"!",		CMD_SYSTEM},
+	{NULL,		CMD_HELP}
+};
+
+struct timeval tp1,tp2;
+
+static void _start_timer(void)
+{
+	gettimeofday(&tp1,NULL);
+}
+
+static double _end_timer(void)
+{
+	gettimeofday(&tp2,NULL);
+	return((tp2.tv_sec - tp1.tv_sec) + 
+	       (tp2.tv_usec - tp1.tv_usec)*1.0e-6);
+}
+
+/* a tdb tool for manipulating a tdb database */
+
+static TDB_CONTEXT *tdb;
+
+static int print_rec(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state);
+static int print_key(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state);
+static int print_hexkey(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state);
+
+static void print_asc(const char *buf,int len)
+{
+	int i;
+
+	/* We're probably printing ASCII strings so don't try to display
+	   the trailing NULL character. */
+
+	if (buf[len - 1] == 0)
+	        len--;
+
+	for (i=0;i<len;i++)
+		printf("%c",isprint(buf[i])?buf[i]:'.');
+}
+
+static void print_data(const char *buf,int len)
+{
+	int i=0;
+	if (len<=0) return;
+	printf("[%03X] ",i);
+	for (i=0;i<len;) {
+		printf("%02X ",(int)((unsigned char)buf[i]));
+		i++;
+		if (i%8 == 0) printf(" ");
+		if (i%16 == 0) {      
+			print_asc(&buf[i-16],8); printf(" ");
+			print_asc(&buf[i-8],8); printf("\n");
+			if (i<len) printf("[%03X] ",i);
+		}
+	}
+	if (i%16) {
+		int n;
+		
+		n = 16 - (i%16);
+		printf(" ");
+		if (n>8) printf(" ");
+		while (n--) printf("   ");
+		
+		n = i%16;
+		if (n > 8) n = 8;
+		print_asc(&buf[i-(i%16)],n); printf(" ");
+		n = (i%16) - n;
+		if (n>0) print_asc(&buf[i-n],n); 
+		printf("\n");    
+	}
+}
+
+static void help(void)
+{
+	printf("\n"
+"tdbtool: \n"
+"  create    dbname     : create a database\n"
+"  open      dbname     : open an existing database\n"
+"  erase                : erase the database\n"
+"  dump                 : dump the database as strings\n"
+"  keys                 : dump the database keys as strings\n"
+"  hexkeys              : dump the database keys as hex values\n"
+"  info                 : print summary info about the database\n"
+"  insert    key  data  : insert a record\n"
+"  move      key  file  : move a record to a destination tdb\n"
+"  store     key  data  : store a record (replace)\n"
+"  show      key        : show a record by key\n"
+"  delete    key        : delete a record by key\n"
+"  list                 : print the database hash table and freelist\n"
+"  free                 : print the database freelist\n"
+"  ! command            : execute system command\n"             
+"  1 | first            : print the first record\n"
+"  n | next             : print the next record\n"
+"  q | quit             : terminate\n"
+"  \\n                   : repeat 'next' command\n"
+"\n");
+}
+
+static void terror(const char *why)
+{
+	printf("%s\n", why);
+}
+
+static void create_tdb(const char *tdbname)
+{
+	if (tdb) tdb_close(tdb);
+	tdb = tdb_open(tdbname, 0, TDB_CLEAR_IF_FIRST | (disable_mmap?TDB_NOMMAP:0),
+		       O_RDWR | O_CREAT | O_TRUNC, 0600);
+	if (!tdb) {
+		printf("Could not create %s: %s\n", tdbname, strerror(errno));
+	}
+}
+
+static void open_tdb(const char *tdbname)
+{
+	if (tdb) tdb_close(tdb);
+	tdb = tdb_open(tdbname, 0, disable_mmap?TDB_NOMMAP:0, O_RDWR, 0600);
+	if (!tdb) {
+		printf("Could not open %s: %s\n", tdbname, strerror(errno));
+	}
+}
+
+static void insert_tdb(char *keyname, size_t keylen, char* data, size_t datalen)
+{
+	TDB_DATA key, dbuf;
+
+	if ((keyname == NULL) || (keylen == 0)) {
+		terror("need key");
+		return;
+	}
+
+	key.dptr = (unsigned char *)keyname;
+	key.dsize = keylen;
+	dbuf.dptr = (unsigned char *)data;
+	dbuf.dsize = datalen;
+
+	if (tdb_store(tdb, key, dbuf, TDB_INSERT) == -1) {
+		terror("insert failed");
+	}
+}
+
+static void store_tdb(char *keyname, size_t keylen, char* data, size_t datalen)
+{
+	TDB_DATA key, dbuf;
+
+	if ((keyname == NULL) || (keylen == 0)) {
+		terror("need key");
+		return;
+	}
+
+	if ((data == NULL) || (datalen == 0)) {
+		terror("need data");
+		return;
+	}
+
+	key.dptr = (unsigned char *)keyname;
+	key.dsize = keylen;
+	dbuf.dptr = (unsigned char *)data;
+	dbuf.dsize = datalen;
+
+	printf("Storing key:\n");
+	print_rec(tdb, key, dbuf, NULL);
+
+	if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) {
+		terror("store failed");
+	}
+}
+
+static void show_tdb(char *keyname, size_t keylen)
+{
+	TDB_DATA key, dbuf;
+
+	if ((keyname == NULL) || (keylen == 0)) {
+		terror("need key");
+		return;
+	}
+
+	key.dptr = (unsigned char *)keyname;
+	key.dsize = keylen;
+
+	dbuf = tdb_fetch(tdb, key);
+	if (!dbuf.dptr) {
+	    terror("fetch failed");
+	    return;
+	}
+	
+	print_rec(tdb, key, dbuf, NULL);
+	
+	free( dbuf.dptr );
+	
+	return;
+}
+
+static void delete_tdb(char *keyname, size_t keylen)
+{
+	TDB_DATA key;
+
+	if ((keyname == NULL) || (keylen == 0)) {
+		terror("need key");
+		return;
+	}
+
+	key.dptr = (unsigned char *)keyname;
+	key.dsize = keylen;
+
+	if (tdb_delete(tdb, key) != 0) {
+		terror("delete failed");
+	}
+}
+
+static void move_rec(char *keyname, size_t keylen, char* tdbname)
+{
+	TDB_DATA key, dbuf;
+	TDB_CONTEXT *dst_tdb;
+
+	if ((keyname == NULL) || (keylen == 0)) {
+		terror("need key");
+		return;
+	}
+
+	if ( !tdbname ) {
+		terror("need destination tdb name");
+		return;
+	}
+
+	key.dptr = (unsigned char *)keyname;
+	key.dsize = keylen;
+
+	dbuf = tdb_fetch(tdb, key);
+	if (!dbuf.dptr) {
+		terror("fetch failed");
+		return;
+	}
+	
+	print_rec(tdb, key, dbuf, NULL);
+	
+	dst_tdb = tdb_open(tdbname, 0, 0, O_RDWR, 0600);
+	if ( !dst_tdb ) {
+		terror("unable to open destination tdb");
+		return;
+	}
+	
+	if ( tdb_store( dst_tdb, key, dbuf, TDB_REPLACE ) == -1 ) {
+		terror("failed to move record");
+	}
+	else
+		printf("record moved\n");
+	
+	tdb_close( dst_tdb );
+	
+	return;
+}
+
+static int print_rec(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	printf("\nkey %d bytes\n", (int)key.dsize);
+	print_asc((const char *)key.dptr, key.dsize);
+	printf("\ndata %d bytes\n", (int)dbuf.dsize);
+	print_data((const char *)dbuf.dptr, dbuf.dsize);
+	return 0;
+}
+
+static int print_key(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	printf("key %d bytes: ", (int)key.dsize);
+	print_asc((const char *)key.dptr, key.dsize);
+	printf("\n");
+	return 0;
+}
+
+static int print_hexkey(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	printf("key %d bytes\n", (int)key.dsize);
+	print_data((const char *)key.dptr, key.dsize);
+	printf("\n");
+	return 0;
+}
+
+static int total_bytes;
+
+static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf, void *state)
+{
+	total_bytes += dbuf.dsize;
+	return 0;
+}
+
+static void info_tdb(void)
+{
+	int count;
+	total_bytes = 0;
+	if ((count = tdb_traverse(tdb, traverse_fn, NULL)) == -1)
+		printf("Error = %s\n", tdb_errorstr(tdb));
+	else
+		printf("%d records totalling %d bytes\n", count, total_bytes);
+}
+
+static void speed_tdb(const char *tlimit)
+{
+	unsigned timelimit = tlimit?atoi(tlimit):0;
+	double t;
+	int ops=0;
+	if (timelimit == 0) timelimit = 10;
+	printf("Testing traverse speed for %u seconds\n", timelimit);
+	_start_timer();
+	while ((t=_end_timer()) < timelimit) {
+		tdb_traverse(tdb, traverse_fn, NULL);
+		printf("%10.3f ops/sec\r", (++ops)/t);
+	}
+	printf("\n");
+}
+
+static void toggle_mmap(void)
+{
+	disable_mmap = !disable_mmap;
+	if (disable_mmap) {
+		printf("mmap is disabled\n");
+	} else {
+		printf("mmap is enabled\n");
+	}
+}
+
+static char *tdb_getline(const char *prompt)
+{
+	static char thisline[1024];
+	char *p;
+	fputs(prompt, stdout);
+	thisline[0] = 0;
+	p = fgets(thisline, sizeof(thisline)-1, stdin);
+	if (p) p = strchr(p, '\n');
+	if (p) *p = 0;
+	return p?thisline:NULL;
+}
+
+static int do_delete_fn(TDB_CONTEXT *the_tdb, TDB_DATA key, TDB_DATA dbuf,
+                     void *state)
+{
+    return tdb_delete(the_tdb, key);
+}
+
+static void first_record(TDB_CONTEXT *the_tdb, TDB_DATA *pkey)
+{
+	TDB_DATA dbuf;
+	*pkey = tdb_firstkey(the_tdb);
+	
+	dbuf = tdb_fetch(the_tdb, *pkey);
+	if (!dbuf.dptr) terror("fetch failed");
+	else {
+		print_rec(the_tdb, *pkey, dbuf, NULL);
+	}
+}
+
+static void next_record(TDB_CONTEXT *the_tdb, TDB_DATA *pkey)
+{
+	TDB_DATA dbuf;
+	*pkey = tdb_nextkey(the_tdb, *pkey);
+	
+	dbuf = tdb_fetch(the_tdb, *pkey);
+	if (!dbuf.dptr) 
+		terror("fetch failed");
+	else
+		print_rec(the_tdb, *pkey, dbuf, NULL);
+}
+
+static int do_command(void)
+{
+	COMMAND_TABLE *ctp = cmd_table;
+	enum commands mycmd = CMD_HELP;
+	int cmd_len;
+
+	if (cmdname && strlen(cmdname) == 0) {
+	    mycmd = CMD_NEXT;
+	} else {
+	    while (ctp->name) {
+		cmd_len = strlen(ctp->name);
+		if (strncmp(ctp->name,cmdname,cmd_len) == 0) {
+			mycmd = ctp->cmd;
+			break;
+		}
+		ctp++;
+	    }
+	}
+
+	switch (mycmd) {
+	case CMD_CREATE_TDB:
+            bIterate = 0;
+            create_tdb(arg1);
+	    return 0;
+	case CMD_OPEN_TDB:
+            bIterate = 0;
+            open_tdb(arg1);
+            return 0;
+	case CMD_SYSTEM:
+	    /* Shell command */
+	    system(arg1);
+	    return 0;
+	case CMD_QUIT:
+	    return 1;
+	default:
+	    /* all the rest require a open database */
+	    if (!tdb) {
+		bIterate = 0;
+		terror("database not open");
+		help();
+		return 0;
+	    }
+	    switch (mycmd) {
+	    case CMD_ERASE:
+		bIterate = 0;
+		tdb_traverse(tdb, do_delete_fn, NULL);
+		return 0;
+	    case CMD_DUMP:
+		bIterate = 0;
+		tdb_traverse(tdb, print_rec, NULL);
+		return 0;
+	    case CMD_INSERT:
+		bIterate = 0;
+		insert_tdb(arg1, arg1len,arg2,arg2len);
+		return 0;
+	    case CMD_MOVE:
+		bIterate = 0;
+		move_rec(arg1,arg1len,arg2);
+		return 0;
+	    case CMD_STORE:
+		bIterate = 0;
+		store_tdb(arg1,arg1len,arg2,arg2len);
+		return 0;
+	    case CMD_SHOW:
+		bIterate = 0;
+		show_tdb(arg1, arg1len);
+		return 0;
+	    case CMD_KEYS:
+		tdb_traverse(tdb, print_key, NULL);
+		return 0;
+	    case CMD_HEXKEYS:
+		tdb_traverse(tdb, print_hexkey, NULL);
+		return 0;
+	    case CMD_DELETE:
+		bIterate = 0;
+		delete_tdb(arg1,arg1len);
+		return 0;
+	    case CMD_LIST_HASH_FREE:
+		tdb_dump_all(tdb);
+		return 0;
+	    case CMD_LIST_FREE:
+		tdb_printfreelist(tdb);
+		return 0;
+	    case CMD_INFO:
+		info_tdb();
+		return 0;
+	    case CMD_SPEED:
+		speed_tdb(arg1);
+		return 0;
+	    case CMD_MMAP:
+		toggle_mmap();
+		return 0;
+	    case CMD_FIRST:
+		bIterate = 1;
+		first_record(tdb, &iterate_kbuf);
+		return 0;
+	    case CMD_NEXT:
+	       if (bIterate)
+		  next_record(tdb, &iterate_kbuf);
+		return 0;
+	    case CMD_HELP:
+		help();
+		return 0;
+            case CMD_CREATE_TDB:
+            case CMD_OPEN_TDB:
+            case CMD_SYSTEM:
+            case CMD_QUIT:
+                /*
+                 * unhandled commands.  cases included here to avoid compiler
+                 * warnings.
+                 */
+                return 0;
+	    }
+	}
+
+	return 0;
+}
+
+static char *convert_string(char *instring, size_t *sizep)
+{
+    size_t length = 0;
+    char *outp, *inp;
+    char temp[3];
+    
+
+    outp = inp = instring;
+
+    while (*inp) {
+	if (*inp == '\\') {
+	    inp++;
+	    if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
+		temp[0] = *inp++;
+		temp[1] = '\0';
+		if (*inp && strchr("0123456789abcdefABCDEF",(int)*inp)) {
+		    temp[1] = *inp++;
+		    temp[2] = '\0';
+		}
+		*outp++ = (char)strtol((const char *)temp,NULL,16);
+	    } else {
+		*outp++ = *inp++;
+	    }
+	} else {
+	    *outp++ = *inp++;
+	}
+	length++;
+    }
+    *sizep = length;
+    return instring;
+}
+
+int main(int argc, char *argv[])
+{
+    cmdname = "";
+    arg1 = NULL;
+    arg1len = 0;
+    arg2 = NULL;
+    arg2len = 0;
+
+    if (argv[1]) {
+	cmdname = "open";
+	arg1 = argv[1];
+        do_command();
+	cmdname =  "";
+	arg1 = NULL;
+    }
+
+    switch (argc) {
+	case 1:
+	case 2:
+	    /* Interactive mode */
+	    while ((cmdname = tdb_getline("tdb> "))) {
+		arg2 = arg1 = NULL;
+		if ((arg1 = strchr((const char *)cmdname,' ')) != NULL) {
+		    arg1++;
+		    arg2 = arg1;
+		    while (*arg2) {
+			if (*arg2 == ' ') {
+			    *arg2++ = '\0';
+			    break;
+			}
+			if ((*arg2++ == '\\') && (*arg2 == ' ')) {
+			    arg2++;
+			}
+		    }
+		}
+		if (arg1) arg1 = convert_string(arg1,&arg1len);
+		if (arg2) arg2 = convert_string(arg2,&arg2len);
+		if (do_command()) break;
+	    }
+	    break;
+	case 5:
+	    arg2 = convert_string(argv[4],&arg2len);
+	case 4:
+	    arg1 = convert_string(argv[3],&arg1len);
+	case 3:
+	    cmdname = argv[2];
+	default:
+	    do_command();
+	    break;
+    }
+
+    if (tdb) tdb_close(tdb);
+
+    return 0;
+}
diff --git a/source3/lib/tdb/tools/tdbtorture.c b/source3/lib/tdb/tools/tdbtorture.c
new file mode 100644
index 0000000000..9265cf07aa
--- /dev/null
+++ b/source3/lib/tdb/tools/tdbtorture.c
@@ -0,0 +1,318 @@
+/* this tests tdb by doing lots of ops from several simultaneous
+   writers - that stresses the locking code. 
+*/
+
+#include "replace.h"
+#include "system/time.h"
+#include "system/wait.h"
+#include "system/filesys.h"
+#include "tdb.h"
+
+#ifdef HAVE_GETOPT_H
+#include <getopt.h>
+#endif
+
+
+#define REOPEN_PROB 30
+#define DELETE_PROB 8
+#define STORE_PROB 4
+#define APPEND_PROB 6
+#define TRANSACTION_PROB 10
+#define LOCKSTORE_PROB 5
+#define TRAVERSE_PROB 20
+#define TRAVERSE_READ_PROB 20
+#define CULL_PROB 100
+#define KEYLEN 3
+#define DATALEN 100
+
+static struct tdb_context *db;
+static int in_transaction;
+static int error_count;
+
+#ifdef PRINTF_ATTRIBUTE
+static void tdb_log(struct tdb_context *tdb, enum tdb_debug_level level, const char *format, ...) PRINTF_ATTRIBUTE(3,4);
+#endif
+static void tdb_log(struct tdb_context *tdb, enum tdb_debug_level level, const char *format, ...)
+{
+	va_list ap;
+    
+	error_count++;
+
+	va_start(ap, format);
+	vfprintf(stdout, format, ap);
+	va_end(ap);
+	fflush(stdout);
+#if 0
+	{
+		char *ptr;
+		asprintf(&ptr,"xterm -e gdb /proc/%d/exe %d", getpid(), getpid());
+		system(ptr);
+		free(ptr);
+	}
+#endif	
+}
+
+static void fatal(const char *why)
+{
+	perror(why);
+	error_count++;
+}
+
+static char *randbuf(int len)
+{
+	char *buf;
+	int i;
+	buf = (char *)malloc(len+1);
+
+	for (i=0;i<len;i++) {
+		buf[i] = 'a' + (rand() % 26);
+	}
+	buf[i] = 0;
+	return buf;
+}
+
+static int cull_traverse(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf,
+			 void *state)
+{
+#if CULL_PROB
+	if (random() % CULL_PROB == 0) {
+		tdb_delete(tdb, key);
+	}
+#endif
+	return 0;
+}
+
+static void addrec_db(void)
+{
+	int klen, dlen;
+	char *k, *d;
+	TDB_DATA key, data;
+
+	klen = 1 + (rand() % KEYLEN);
+	dlen = 1 + (rand() % DATALEN);
+
+	k = randbuf(klen);
+	d = randbuf(dlen);
+
+	key.dptr = (unsigned char *)k;
+	key.dsize = klen+1;
+
+	data.dptr = (unsigned char *)d;
+	data.dsize = dlen+1;
+
+#if TRANSACTION_PROB
+	if (in_transaction == 0 && random() % TRANSACTION_PROB == 0) {
+		if (tdb_transaction_start(db) != 0) {
+			fatal("tdb_transaction_start failed");
+		}
+		in_transaction++;
+		goto next;
+	}
+	if (in_transaction && random() % TRANSACTION_PROB == 0) {
+		if (tdb_transaction_commit(db) != 0) {
+			fatal("tdb_transaction_commit failed");
+		}
+		in_transaction--;
+		goto next;
+	}
+	if (in_transaction && random() % TRANSACTION_PROB == 0) {
+		if (tdb_transaction_cancel(db) != 0) {
+			fatal("tdb_transaction_cancel failed");
+		}
+		in_transaction--;
+		goto next;
+	}
+#endif
+
+#if REOPEN_PROB
+	if (in_transaction == 0 && random() % REOPEN_PROB == 0) {
+		tdb_reopen_all(0);
+		goto next;
+	} 
+#endif
+
+#if DELETE_PROB
+	if (random() % DELETE_PROB == 0) {
+		tdb_delete(db, key);
+		goto next;
+	}
+#endif
+
+#if STORE_PROB
+	if (random() % STORE_PROB == 0) {
+		if (tdb_store(db, key, data, TDB_REPLACE) != 0) {
+			fatal("tdb_store failed");
+		}
+		goto next;
+	}
+#endif
+
+#if APPEND_PROB
+	if (random() % APPEND_PROB == 0) {
+		if (tdb_append(db, key, data) != 0) {
+			fatal("tdb_append failed");
+		}
+		goto next;
+	}
+#endif
+
+#if LOCKSTORE_PROB
+	if (random() % LOCKSTORE_PROB == 0) {
+		tdb_chainlock(db, key);
+		data = tdb_fetch(db, key);
+		if (tdb_store(db, key, data, TDB_REPLACE) != 0) {
+			fatal("tdb_store failed");
+		}
+		if (data.dptr) free(data.dptr);
+		tdb_chainunlock(db, key);
+		goto next;
+	} 
+#endif
+
+#if TRAVERSE_PROB
+	if (random() % TRAVERSE_PROB == 0) {
+		tdb_traverse(db, cull_traverse, NULL);
+		goto next;
+	}
+#endif
+
+#if TRAVERSE_READ_PROB
+	if (random() % TRAVERSE_READ_PROB == 0) {
+		tdb_traverse_read(db, NULL, NULL);
+		goto next;
+	}
+#endif
+
+	data = tdb_fetch(db, key);
+	if (data.dptr) free(data.dptr);
+
+next:
+	free(k);
+	free(d);
+}
+
+static int traverse_fn(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf,
+                       void *state)
+{
+	tdb_delete(tdb, key);
+	return 0;
+}
+
+static void usage(void)
+{
+	printf("Usage: tdbtorture [-n NUM_PROCS] [-l NUM_LOOPS] [-s SEED] [-H HASH_SIZE]\n");
+	exit(0);
+}
+
+ int main(int argc, char * const *argv)
+{
+	int i, seed = -1;
+	int num_procs = 3;
+	int num_loops = 5000;
+	int hash_size = 2;
+	int c;
+	extern char *optarg;
+	pid_t *pids;
+
+	struct tdb_logging_context log_ctx;
+	log_ctx.log_fn = tdb_log;
+
+	while ((c = getopt(argc, argv, "n:l:s:H:h")) != -1) {
+		switch (c) {
+		case 'n':
+			num_procs = strtol(optarg, NULL, 0);
+			break;
+		case 'l':
+			num_loops = strtol(optarg, NULL, 0);
+			break;
+		case 'H':
+			hash_size = strtol(optarg, NULL, 0);
+			break;
+		case 's':
+			seed = strtol(optarg, NULL, 0);
+			break;
+		default:
+			usage();
+		}
+	}
+
+	unlink("torture.tdb");
+
+	pids = (pid_t *)calloc(sizeof(pid_t), num_procs);
+	pids[0] = getpid();
+
+	for (i=0;i<num_procs-1;i++) {
+		if ((pids[i+1]=fork()) == 0) break;
+	}
+
+	db = tdb_open_ex("torture.tdb", hash_size, TDB_CLEAR_IF_FIRST, 
+			 O_RDWR | O_CREAT, 0600, &log_ctx, NULL);
+	if (!db) {
+		fatal("db open failed");
+	}
+
+	if (seed == -1) {
+		seed = (getpid() + time(NULL)) & 0x7FFFFFFF;
+	}
+
+	if (i == 0) {
+		printf("testing with %d processes, %d loops, %d hash_size, seed=%d\n", 
+		       num_procs, num_loops, hash_size, seed);
+	}
+
+	srand(seed + i);
+	srandom(seed + i);
+
+	for (i=0;i<num_loops && error_count == 0;i++) {
+		addrec_db();
+	}
+
+	if (error_count == 0) {
+		tdb_traverse_read(db, NULL, NULL);
+		tdb_traverse(db, traverse_fn, NULL);
+		tdb_traverse(db, traverse_fn, NULL);
+	}
+
+	tdb_close(db);
+
+	if (getpid() != pids[0]) {
+		return error_count;
+	}
+
+	for (i=1;i<num_procs;i++) {
+		int status, j;
+		pid_t pid;
+		if (error_count != 0) {
+			/* try and stop the test on any failure */
+			for (j=1;j<num_procs;j++) {
+				if (pids[j] != 0) {
+					kill(pids[j], SIGTERM);
+				}
+			}
+		}
+		pid = waitpid(-1, &status, 0);
+		if (pid == -1) {
+			perror("failed to wait for child\n");
+			exit(1);
+		}
+		for (j=1;j<num_procs;j++) {
+			if (pids[j] == pid) break;
+		}
+		if (j == num_procs) {
+			printf("unknown child %d exited!?\n", (int)pid);
+			exit(1);
+		}
+		if (WEXITSTATUS(status) != 0) {
+			printf("child %d exited with status %d\n",
+			       (int)pid, WEXITSTATUS(status));
+			error_count++;
+		}
+		pids[j] = 0;
+	}
+
+	if (error_count == 0) {
+		printf("OK\n");
+	}
+
+	return error_count;
+}
diff --git a/source3/lib/tdb/web/index.html b/source3/lib/tdb/web/index.html
new file mode 100644
index 0000000000..a53da6b8f7
--- /dev/null
+++ b/source3/lib/tdb/web/index.html
@@ -0,0 +1,42 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+<HEAD>
+<TITLE>ldb</TITLE>
+</HEAD>
+<BODY BGCOLOR="#ffffff" TEXT="#000000" VLINK="#292555" LINK="#292555" ALINK="#cc0033">
+
+<h1>tdb</h1>
+
+TDB is a Trivial Database. In concept, it is very much like GDBM, and BSD's DB 
+except that it allows multiple simultaneous writers and uses locking 
+internally to keep writers from trampling on each other. TDB is also extremely 
+small.
+
+<h2>Discussion and bug reports</h2>
+
+tdb does not currently have its own mailing list or bug tracking
+system. For now, please use the <a
+href="https://lists.samba.org/mailman/listinfo/samba-technical">samba-technical</a>
+mailing list, and the <a href="http://bugzilla.samba.org/">Samba
+bugzilla</a> bug tracking system.
+
+<h2>Download</h2>
+
+You can download the latest release either via rsync or git.<br>
+<br>
+To fetch via git see the following guide:<br>
+<a href="http://wiki.samba.org/index.php/Using_Git_for_Samba_Development">Using Git for Samba Development</a><br>
+Once you have cloned the tree switch to the v4-0-test branch and cd into the source/lib/tdb directory.<br>
+<br>
+To fetch via rsync use these commands:
+
+<pre>
+  rsync -Pavz samba.org::ftp/unpacked/tdb .
+  rsync -Pavz samba.org::ftp/unpacked/libreplace .
+</pre>
+
+and build in tdb. It will find the replace library in the directory
+above automatically.
+
+</BODY>
+</HTML>
diff --git a/source3/lib/time.c b/source3/lib/time.c
new file mode 100644
index 0000000000..8cefef6e23
--- /dev/null
+++ b/source3/lib/time.c
@@ -0,0 +1,1505 @@
+/* 
+   Unix SMB/CIFS implementation.
+   time handling functions
+
+   Copyright (C) Andrew Tridgell 		1992-2004
+   Copyright (C) Stefan (metze) Metzmacher	2002   
+   Copyright (C) Jeremy Allison			2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/**
+ * @file
+ * @brief time handling functions
+ */
+
+
+#ifndef TIME_T_MIN
+#define TIME_T_MIN ((time_t)0 < (time_t) -1 ? (time_t) 0 \
+		    : ~ (time_t) 0 << (sizeof (time_t) * CHAR_BIT - 1))
+#endif
+#ifndef TIME_T_MAX
+#define TIME_T_MAX (~ (time_t) 0 - TIME_T_MIN)
+#endif
+
+#define NTTIME_INFINITY (NTTIME)0x8000000000000000LL
+
+/***************************************************************************
+ External access to time_t_min and time_t_max.
+****************************************************************************/
+
+time_t get_time_t_max(void)
+{
+	return TIME_T_MAX;
+}
+
+/***************************************************************************
+ A gettimeofday wrapper.
+****************************************************************************/
+
+void GetTimeOfDay(struct timeval *tval)
+{
+#ifdef HAVE_GETTIMEOFDAY_TZ
+	gettimeofday(tval,NULL);
+#else
+	gettimeofday(tval);
+#endif
+}
+
+#if (SIZEOF_LONG == 8)
+#define TIME_FIXUP_CONSTANT_INT 11644473600L
+#elif (SIZEOF_LONG_LONG == 8)
+#define TIME_FIXUP_CONSTANT_INT 11644473600LL
+#endif
+
+/****************************************************************************
+ Interpret an 8 byte "filetime" structure to a time_t
+ It's originally in "100ns units since jan 1st 1601"
+
+ An 8 byte value of 0xffffffffffffffff will be returned as a timespec of
+
+	tv_sec = 0
+	tv_nsec = 0;
+
+ Returns GMT.
+****************************************************************************/
+
+time_t nt_time_to_unix(NTTIME nt)
+{
+	return convert_timespec_to_time_t(nt_time_to_unix_timespec(&nt));
+}
+
+/****************************************************************************
+ Put a 8 byte filetime from a time_t. Uses GMT.
+****************************************************************************/
+
+void unix_to_nt_time(NTTIME *nt, time_t t)
+{
+	uint64_t t2; 
+
+	if (t == (time_t)-1) {
+		*nt = (NTTIME)-1LL;
+		return;
+	}	
+
+	if (t == TIME_T_MAX) {
+		*nt = 0x7fffffffffffffffLL;
+		return;
+	}
+
+	if (t == 0) {
+		*nt = 0;
+		return;
+	}		
+
+	t2 = t;
+	t2 += TIME_FIXUP_CONSTANT_INT;
+	t2 *= 1000*1000*10;
+
+	*nt = t2;
+}
+
+/****************************************************************************
+ Check if it's a null unix time.
+****************************************************************************/
+
+bool null_time(time_t t)
+{
+	return t == 0 || 
+		t == (time_t)0xFFFFFFFF || 
+		t == (time_t)-1;
+}
+
+/****************************************************************************
+ Check if it's a null NTTIME.
+****************************************************************************/
+
+bool null_nttime(NTTIME t)
+{
+	return t == 0 || t == (NTTIME)-1;
+}
+
+/****************************************************************************
+ Check if it's a null timespec.
+****************************************************************************/
+
+bool null_timespec(struct timespec ts)
+{
+	return ts.tv_sec == 0 || 
+		ts.tv_sec == (time_t)0xFFFFFFFF || 
+		ts.tv_sec == (time_t)-1;
+}
+
+/*******************************************************************
+  create a 16 bit dos packed date
+********************************************************************/
+static uint16_t make_dos_date1(struct tm *t)
+{
+	uint16_t ret=0;
+	ret = (((unsigned int)(t->tm_mon+1)) >> 3) | ((t->tm_year-80) << 1);
+	ret = ((ret&0xFF)<<8) | (t->tm_mday | (((t->tm_mon+1) & 0x7) << 5));
+	return ret;
+}
+
+/*******************************************************************
+  create a 16 bit dos packed time
+********************************************************************/
+static uint16_t make_dos_time1(struct tm *t)
+{
+	uint16_t ret=0;
+	ret = ((((unsigned int)t->tm_min >> 3)&0x7) | (((unsigned int)t->tm_hour) << 3));
+	ret = ((ret&0xFF)<<8) | ((t->tm_sec/2) | ((t->tm_min & 0x7) << 5));
+	return ret;
+}
+
+/*******************************************************************
+  create a 32 bit dos packed date/time from some parameters
+  This takes a GMT time and returns a packed localtime structure
+********************************************************************/
+static uint32_t make_dos_date(time_t unixdate, int zone_offset)
+{
+	struct tm *t;
+	uint32_t ret=0;
+
+	if (unixdate == 0) {
+		return 0;
+	}
+
+	unixdate -= zone_offset;
+
+	t = gmtime(&unixdate);
+	if (!t) {
+		return 0xFFFFFFFF;
+	}
+
+	ret = make_dos_date1(t);
+	ret = ((ret&0xFFFF)<<16) | make_dos_time1(t);
+
+	return ret;
+}
+
+/**
+put a dos date into a buffer (time/date format)
+This takes GMT time and puts local time in the buffer
+**/
+void push_dos_date(uint8_t *buf, int offset, time_t unixdate, int zone_offset)
+{
+	uint32_t x = make_dos_date(unixdate, zone_offset);
+	SIVAL(buf,offset,x);
+}
+
+/**
+put a dos date into a buffer (date/time format)
+This takes GMT time and puts local time in the buffer
+**/
+void push_dos_date2(uint8_t *buf,int offset,time_t unixdate, int zone_offset)
+{
+	uint32_t x;
+	x = make_dos_date(unixdate, zone_offset);
+	x = ((x&0xFFFF)<<16) | ((x&0xFFFF0000)>>16);
+	SIVAL(buf,offset,x);
+}
+
+/**
+put a dos 32 bit "unix like" date into a buffer. This routine takes
+GMT and converts it to LOCAL time before putting it (most SMBs assume
+localtime for this sort of date)
+**/
+void push_dos_date3(uint8_t *buf,int offset,time_t unixdate, int zone_offset)
+{
+	if (!null_time(unixdate)) {
+		unixdate -= zone_offset;
+	}
+	SIVAL(buf,offset,unixdate);
+}
+
+/*******************************************************************
+  interpret a 32 bit dos packed date/time to some parameters
+********************************************************************/
+static void interpret_dos_date(uint32_t date,int *year,int *month,int *day,int *hour,int *minute,int *second)
+{
+	uint32_t p0,p1,p2,p3;
+
+	p0=date&0xFF; p1=((date&0xFF00)>>8)&0xFF; 
+	p2=((date&0xFF0000)>>16)&0xFF; p3=((date&0xFF000000)>>24)&0xFF;
+
+	*second = 2*(p0 & 0x1F);
+	*minute = ((p0>>5)&0xFF) + ((p1&0x7)<<3);
+	*hour = (p1>>3)&0xFF;
+	*day = (p2&0x1F);
+	*month = ((p2>>5)&0xFF) + ((p3&0x1)<<3) - 1;
+	*year = ((p3>>1)&0xFF) + 80;
+}
+
+/**
+  create a unix date (int GMT) from a dos date (which is actually in
+  localtime)
+**/
+time_t pull_dos_date(const uint8_t *date_ptr, int zone_offset)
+{
+	uint32_t dos_date=0;
+	struct tm t;
+	time_t ret;
+
+	dos_date = IVAL(date_ptr,0);
+
+	if (dos_date == 0) return (time_t)0;
+  
+	interpret_dos_date(dos_date,&t.tm_year,&t.tm_mon,
+			   &t.tm_mday,&t.tm_hour,&t.tm_min,&t.tm_sec);
+	t.tm_isdst = -1;
+  
+	ret = timegm(&t);
+
+	ret += zone_offset;
+
+	return ret;
+}
+
+/**
+like make_unix_date() but the words are reversed
+**/
+time_t pull_dos_date2(const uint8_t *date_ptr, int zone_offset)
+{
+	uint32_t x,x2;
+
+	x = IVAL(date_ptr,0);
+	x2 = ((x&0xFFFF)<<16) | ((x&0xFFFF0000)>>16);
+	SIVAL(&x,0,x2);
+
+	return pull_dos_date((const uint8_t *)&x, zone_offset);
+}
+
+/**
+  create a unix GMT date from a dos date in 32 bit "unix like" format
+  these generally arrive as localtimes, with corresponding DST
+**/
+time_t pull_dos_date3(const uint8_t *date_ptr, int zone_offset)
+{
+	time_t t = (time_t)IVAL(date_ptr,0);
+	if (!null_time(t)) {
+		t += zone_offset;
+	}
+	return t;
+}
+
+/***************************************************************************
+ Return a HTTP/1.0 time string.
+***************************************************************************/
+
+char *http_timestring(time_t t)
+{
+	fstring buf;
+	struct tm *tm = localtime(&t);
+
+	if (t == TIME_T_MAX) {
+		fstrcpy(buf, "never");
+	} else if (!tm) {
+		fstr_sprintf(buf, "%ld seconds since the Epoch", (long)t);
+	} else {
+#ifndef HAVE_STRFTIME
+		const char *asct = asctime(tm);
+		fstrcpy(buf, asct ? asct : "unknown");
+	}
+	if(buf[strlen(buf)-1] == '\n') {
+		buf[strlen(buf)-1] = 0;
+#else /* !HAVE_STRFTIME */
+		strftime(buf, sizeof(buf)-1, "%a, %d %b %Y %H:%M:%S %Z", tm);
+#endif /* !HAVE_STRFTIME */
+	}
+	return talloc_strdup(talloc_tos(), buf);
+}
+
+
+/**
+ Return the date and time as a string
+**/
+char *timestring(TALLOC_CTX *mem_ctx, time_t t)
+{
+	char *TimeBuf;
+	char tempTime[80];
+	struct tm *tm;
+
+	tm = localtime(&t);
+	if (!tm) {
+		return talloc_asprintf(mem_ctx,
+				       "%ld seconds since the Epoch",
+				       (long)t);
+	}
+
+#ifdef HAVE_STRFTIME
+	/* some versions of gcc complain about using %c. This is a bug
+	   in the gcc warning, not a bug in this code. See a recent
+	   strftime() manual page for details.
+	 */
+	strftime(tempTime,sizeof(tempTime)-1,"%c %Z",tm);
+	TimeBuf = talloc_strdup(mem_ctx, tempTime);
+#else
+	TimeBuf = talloc_strdup(mem_ctx, asctime(tm));
+#endif
+
+	return TimeBuf;
+}
+
+/**
+  return a talloced string representing a NTTIME for human consumption
+*/
+const char *nt_time_string(TALLOC_CTX *mem_ctx, NTTIME nt)
+{
+	time_t t;
+	if (nt == 0) {
+		return "NTTIME(0)";
+	}
+	t = nt_time_to_unix(nt);
+	return timestring(mem_ctx, t);
+}
+
+
+/**
+  parse a nttime as a large integer in a string and return a NTTIME
+*/
+NTTIME nttime_from_string(const char *s)
+{
+	return strtoull(s, NULL, 0);
+}
+
+/**
+  return (tv1 - tv2) in microseconds
+*/
+int64_t usec_time_diff(struct timeval *tv1, struct timeval *tv2)
+{
+	int64_t sec_diff = tv1->tv_sec - tv2->tv_sec;
+	return (sec_diff * 1000000) + (int64_t)(tv1->tv_usec - tv2->tv_usec);
+}
+
+
+/**
+  return a zero timeval
+*/
+struct timeval timeval_zero(void)
+{
+	struct timeval tv;
+	tv.tv_sec = 0;
+	tv.tv_usec = 0;
+	return tv;
+}
+
+/**
+  return True if a timeval is zero
+*/
+bool timeval_is_zero(const struct timeval *tv)
+{
+	return tv->tv_sec == 0 && tv->tv_usec == 0;
+}
+
+/**
+  return a timeval for the current time
+*/
+struct timeval timeval_current(void)
+{
+	struct timeval tv;
+	GetTimeOfDay(&tv);
+	return tv;
+}
+
+/**
+  return a timeval struct with the given elements
+*/
+struct timeval timeval_set(uint32_t secs, uint32_t usecs)
+{
+	struct timeval tv;
+	tv.tv_sec = secs;
+	tv.tv_usec = usecs;
+	return tv;
+}
+
+
+/**
+  return a timeval ofs microseconds after tv
+*/
+struct timeval timeval_add(const struct timeval *tv,
+			   uint32_t secs, uint32_t usecs)
+{
+	struct timeval tv2 = *tv;
+	const unsigned int million = 1000000;
+	tv2.tv_sec += secs;
+	tv2.tv_usec += usecs;
+	tv2.tv_sec += tv2.tv_usec / million;
+	tv2.tv_usec = tv2.tv_usec % million;
+	return tv2;
+}
+
+/**
+  return the sum of two timeval structures
+*/
+struct timeval timeval_sum(const struct timeval *tv1,
+			   const struct timeval *tv2)
+{
+	return timeval_add(tv1, tv2->tv_sec, tv2->tv_usec);
+}
+
+/**
+  return a timeval secs/usecs into the future
+*/
+struct timeval timeval_current_ofs(uint32_t secs, uint32_t usecs)
+{
+	struct timeval tv = timeval_current();
+	return timeval_add(&tv, secs, usecs);
+}
+
+/**
+  compare two timeval structures. 
+  Return -1 if tv1 < tv2
+  Return 0 if tv1 == tv2
+  Return 1 if tv1 > tv2
+*/
+int timeval_compare(const struct timeval *tv1, const struct timeval *tv2)
+{
+	if (tv1->tv_sec  > tv2->tv_sec)  return 1;
+	if (tv1->tv_sec  < tv2->tv_sec)  return -1;
+	if (tv1->tv_usec > tv2->tv_usec) return 1;
+	if (tv1->tv_usec < tv2->tv_usec) return -1;
+	return 0;
+}
+
+/**
+  return True if a timer is in the past
+*/
+bool timeval_expired(const struct timeval *tv)
+{
+	struct timeval tv2 = timeval_current();
+	if (tv2.tv_sec > tv->tv_sec) return True;
+	if (tv2.tv_sec < tv->tv_sec) return False;
+	return (tv2.tv_usec >= tv->tv_usec);
+}
+
+/**
+  return the number of seconds elapsed between two times
+*/
+double timeval_elapsed2(const struct timeval *tv1, const struct timeval *tv2)
+{
+	return (tv2->tv_sec - tv1->tv_sec) + 
+	       (tv2->tv_usec - tv1->tv_usec)*1.0e-6;
+}
+
+/**
+  return the number of seconds elapsed since a given time
+*/
+double timeval_elapsed(const struct timeval *tv)
+{
+	struct timeval tv2 = timeval_current();
+	return timeval_elapsed2(tv, &tv2);
+}
+
+/**
+  return the lesser of two timevals
+*/
+struct timeval timeval_min(const struct timeval *tv1,
+			   const struct timeval *tv2)
+{
+	if (tv1->tv_sec < tv2->tv_sec) return *tv1;
+	if (tv1->tv_sec > tv2->tv_sec) return *tv2;
+	if (tv1->tv_usec < tv2->tv_usec) return *tv1;
+	return *tv2;
+}
+
+/**
+  return the greater of two timevals
+*/
+struct timeval timeval_max(const struct timeval *tv1,
+			   const struct timeval *tv2)
+{
+	if (tv1->tv_sec > tv2->tv_sec) return *tv1;
+	if (tv1->tv_sec < tv2->tv_sec) return *tv2;
+	if (tv1->tv_usec > tv2->tv_usec) return *tv1;
+	return *tv2;
+}
+
+/**
+  return the difference between two timevals as a timeval
+  if tv1 comes after tv2, then return a zero timeval
+  (this is *tv2 - *tv1)
+*/
+struct timeval timeval_until(const struct timeval *tv1,
+			     const struct timeval *tv2)
+{
+	struct timeval t;
+	if (timeval_compare(tv1, tv2) >= 0) {
+		return timeval_zero();
+	}
+	t.tv_sec = tv2->tv_sec - tv1->tv_sec;
+	if (tv1->tv_usec > tv2->tv_usec) {
+		t.tv_sec--;
+		t.tv_usec = 1000000 - (tv1->tv_usec - tv2->tv_usec);
+	} else {
+		t.tv_usec = tv2->tv_usec - tv1->tv_usec;
+	}
+	return t;
+}
+
+
+/**
+  convert a timeval to a NTTIME
+*/
+NTTIME timeval_to_nttime(const struct timeval *tv)
+{
+	return 10*(tv->tv_usec + 
+		  ((TIME_FIXUP_CONSTANT_INT + (uint64_t)tv->tv_sec) * 1000000));
+}
+
+/**************************************************************
+ Handle conversions between time_t and uint32, taking care to
+ preserve the "special" values.
+**************************************************************/
+
+uint32 convert_time_t_to_uint32(time_t t)
+{
+#if (defined(SIZEOF_TIME_T) && (SIZEOF_TIME_T == 8))
+	/* time_t is 64-bit. */
+	if (t == 0x8000000000000000LL) {
+		return 0x80000000;
+	} else if (t == 0x7FFFFFFFFFFFFFFFLL) {
+		return 0x7FFFFFFF;
+	}
+#endif
+	return (uint32)t;
+}
+
+time_t convert_uint32_to_time_t(uint32 u)
+{
+#if (defined(SIZEOF_TIME_T) && (SIZEOF_TIME_T == 8))
+	/* time_t is 64-bit. */
+	if (u == 0x80000000) {
+		return (time_t)0x8000000000000000LL;
+	} else if (u == 0x7FFFFFFF) {
+		return (time_t)0x7FFFFFFFFFFFFFFFLL;
+	}
+#endif
+	return (time_t)u;
+}
+
+/*******************************************************************
+ Yield the difference between *A and *B, in seconds, ignoring leap seconds.
+********************************************************************/
+
+static int tm_diff(struct tm *a, struct tm *b)
+{
+	int ay = a->tm_year + (1900 - 1);
+	int by = b->tm_year + (1900 - 1);
+	int intervening_leap_days =
+		(ay/4 - by/4) - (ay/100 - by/100) + (ay/400 - by/400);
+	int years = ay - by;
+	int days = 365*years + intervening_leap_days + (a->tm_yday - b->tm_yday);
+	int hours = 24*days + (a->tm_hour - b->tm_hour);
+	int minutes = 60*hours + (a->tm_min - b->tm_min);
+	int seconds = 60*minutes + (a->tm_sec - b->tm_sec);
+
+	return seconds;
+}
+
+int extra_time_offset=0;
+
+/*******************************************************************
+ Return the UTC offset in seconds west of UTC, or 0 if it cannot be determined.
+********************************************************************/
+
+int get_time_zone(time_t t)
+{
+	struct tm *tm = gmtime(&t);
+	struct tm tm_utc;
+	if (!tm)
+		return 0;
+	tm_utc = *tm;
+	tm = localtime(&t);
+	if (!tm)
+		return 0;
+	return tm_diff(&tm_utc,tm)+60*extra_time_offset;
+}
+
+/****************************************************************************
+ Check if NTTIME is 0.
+****************************************************************************/
+
+bool nt_time_is_zero(const NTTIME *nt)
+{
+	return (*nt == 0);
+}
+
+/****************************************************************************
+ Convert ASN.1 GeneralizedTime string to unix-time.
+ Returns 0 on failure; Currently ignores timezone. 
+****************************************************************************/
+
+time_t generalized_to_unix_time(const char *str)
+{ 
+	struct tm tm;
+
+	ZERO_STRUCT(tm);
+
+	if (sscanf(str, "%4d%2d%2d%2d%2d%2d", 
+		   &tm.tm_year, &tm.tm_mon, &tm.tm_mday, 
+		   &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) {
+		return 0;
+	}
+	tm.tm_year -= 1900;
+	tm.tm_mon -= 1;
+
+	return timegm(&tm);
+}
+
+/*******************************************************************
+ Accessor function for the server time zone offset.
+ set_server_zone_offset() must have been called first.
+******************************************************************/
+
+static int server_zone_offset;
+
+int get_server_zone_offset(void)
+{
+	return server_zone_offset;
+}
+
+/*******************************************************************
+ Initialize the server time zone offset. Called when a client connects.
+******************************************************************/
+
+int set_server_zone_offset(time_t t)
+{
+	server_zone_offset = get_time_zone(t);
+	return server_zone_offset;
+}
+
+/****************************************************************************
+ Return the date and time as a string
+****************************************************************************/
+
+char *current_timestring(TALLOC_CTX *ctx, bool hires)
+{
+	fstring TimeBuf;
+	struct timeval tp;
+	time_t t;
+	struct tm *tm;
+
+	if (hires) {
+		GetTimeOfDay(&tp);
+		t = (time_t)tp.tv_sec;
+	} else {
+		t = time(NULL);
+	}
+	tm = localtime(&t);
+	if (!tm) {
+		if (hires) {
+			slprintf(TimeBuf,
+				 sizeof(TimeBuf)-1,
+				 "%ld.%06ld seconds since the Epoch",
+				 (long)tp.tv_sec, 
+				 (long)tp.tv_usec);
+		} else {
+			slprintf(TimeBuf,
+				 sizeof(TimeBuf)-1,
+				 "%ld seconds since the Epoch",
+				 (long)t);
+		}
+	} else {
+#ifdef HAVE_STRFTIME
+		if (hires) {
+			strftime(TimeBuf,sizeof(TimeBuf)-1,"%Y/%m/%d %H:%M:%S",tm);
+			slprintf(TimeBuf+strlen(TimeBuf),
+				 sizeof(TimeBuf)-1 - strlen(TimeBuf), 
+				 ".%06ld", 
+				 (long)tp.tv_usec);
+		} else {
+			strftime(TimeBuf,sizeof(TimeBuf)-1,"%Y/%m/%d %H:%M:%S",tm);
+		}
+#else
+		if (hires) {
+			const char *asct = asctime(tm);
+			slprintf(TimeBuf, 
+				 sizeof(TimeBuf)-1, 
+				 "%s.%06ld", 
+				 asct ? asct : "unknown", 
+				 (long)tp.tv_usec);
+		} else {
+			const char *asct = asctime(tm);
+			fstrcpy(TimeBuf, asct ? asct : "unknown");
+		}
+#endif
+	}
+	return talloc_strdup(ctx, TimeBuf);
+}
+
+
+/*******************************************************************
+ Put a dos date into a buffer (time/date format).
+ This takes GMT time and puts local time in the buffer.
+********************************************************************/
+
+static void put_dos_date(char *buf,int offset,time_t unixdate, int zone_offset)
+{
+	uint32 x = make_dos_date(unixdate, zone_offset);
+	SIVAL(buf,offset,x);
+}
+
+/*******************************************************************
+ Put a dos date into a buffer (date/time format).
+ This takes GMT time and puts local time in the buffer.
+********************************************************************/
+
+static void put_dos_date2(char *buf,int offset,time_t unixdate, int zone_offset)
+{
+	uint32 x = make_dos_date(unixdate, zone_offset);
+	x = ((x&0xFFFF)<<16) | ((x&0xFFFF0000)>>16);
+	SIVAL(buf,offset,x);
+}
+
+/*******************************************************************
+ Put a dos 32 bit "unix like" date into a buffer. This routine takes
+ GMT and converts it to LOCAL time before putting it (most SMBs assume
+ localtime for this sort of date)
+********************************************************************/
+
+static void put_dos_date3(char *buf,int offset,time_t unixdate, int zone_offset)
+{
+	if (!null_mtime(unixdate)) {
+		unixdate -= zone_offset;
+	}
+	SIVAL(buf,offset,unixdate);
+}
+
+
+/***************************************************************************
+ Server versions of the above functions.
+***************************************************************************/
+
+void srv_put_dos_date(char *buf,int offset,time_t unixdate)
+{
+	put_dos_date(buf, offset, unixdate, server_zone_offset);
+}
+
+void srv_put_dos_date2(char *buf,int offset, time_t unixdate)
+{
+	put_dos_date2(buf, offset, unixdate, server_zone_offset);
+}
+
+void srv_put_dos_date3(char *buf,int offset,time_t unixdate)
+{
+	put_dos_date3(buf, offset, unixdate, server_zone_offset);
+}
+
+/****************************************************************************
+ Take a Unix time and convert to an NTTIME structure and place in buffer 
+ pointed to by p.
+****************************************************************************/
+
+void put_long_date_timespec(char *p, struct timespec ts)
+{
+	NTTIME nt;
+	unix_timespec_to_nt_time(&nt, ts);
+	SIVAL(p, 0, nt & 0xFFFFFFFF);
+	SIVAL(p, 4, nt >> 32);
+}
+
+void put_long_date(char *p, time_t t)
+{
+	struct timespec ts;
+	ts.tv_sec = t;
+	ts.tv_nsec = 0;
+	put_long_date_timespec(p, ts);
+}
+
+/****************************************************************************
+ Return the best approximation to a 'create time' under UNIX from a stat
+ structure.
+****************************************************************************/
+
+static time_t calc_create_time(const SMB_STRUCT_STAT *st)
+{
+	time_t ret, ret1;
+
+	ret = MIN(st->st_ctime, st->st_mtime);
+	ret1 = MIN(ret, st->st_atime);
+
+	if(ret1 != (time_t)0) {
+		return ret1;
+	}
+
+	/*
+	 * One of ctime, mtime or atime was zero (probably atime).
+	 * Just return MIN(ctime, mtime).
+	 */
+	return ret;
+}
+
+/****************************************************************************
+ Return the 'create time' from a stat struct if it exists (birthtime) or else
+ use the best approximation.
+****************************************************************************/
+
+struct timespec get_create_timespec(const SMB_STRUCT_STAT *pst,bool fake_dirs)
+{
+	struct timespec ret;
+
+	if(S_ISDIR(pst->st_mode) && fake_dirs) {
+		ret.tv_sec = 315493200L;          /* 1/1/1980 */
+		ret.tv_nsec = 0;
+		return ret;
+	}
+
+#if defined(HAVE_STAT_ST_BIRTHTIMESPEC)
+	ret = pst->st_birthtimespec;
+#elif defined(HAVE_STAT_ST_BIRTHTIMENSEC)
+	ret.tv_sec = pst->st_birthtime;
+	ret.tv_nsec = pst->st_birthtimenspec;
+#elif defined(HAVE_STAT_ST_BIRTHTIME)
+	ret.tv_sec = pst->st_birthtime;
+	ret.tv_nsec = 0;
+#else
+	ret.tv_sec = calc_create_time(pst);
+	ret.tv_nsec = 0;
+#endif
+
+	/* Deal with systems that don't initialize birthtime correctly.
+	 * Pointed out by SATOH Fumiyasu <fumiyas@osstech.jp>.
+	 */
+	if (null_timespec(ret)) {
+		ret.tv_sec = calc_create_time(pst);
+		ret.tv_nsec = 0;
+	}
+	return ret;
+}
+
+/****************************************************************************
+ Get/Set all the possible time fields from a stat struct as a timespec.
+****************************************************************************/
+
+struct timespec get_atimespec(const SMB_STRUCT_STAT *pst)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	struct timespec ret;
+
+	/* Old system - no ns timestamp. */
+	ret.tv_sec = pst->st_atime;
+	ret.tv_nsec = 0;
+	return ret;
+#else
+#if defined(HAVE_STAT_ST_ATIM)
+	return pst->st_atim;
+#elif defined(HAVE_STAT_ST_ATIMENSEC)
+	struct timespec ret;
+	ret.tv_sec = pst->st_atime;
+	ret.tv_nsec = pst->st_atimensec;
+	return ret;
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+void set_atimespec(SMB_STRUCT_STAT *pst, struct timespec ts)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	/* Old system - no ns timestamp. */
+	pst->st_atime = ts.tv_sec;
+#else
+#if defined(HAVE_STAT_ST_ATIM)
+	pst->st_atim = ts;
+#elif defined(HAVE_STAT_ST_ATIMENSEC)
+	pst->st_atime = ts.tv_sec;
+	pst->st_atimensec = ts.tv_nsec
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+struct timespec get_mtimespec(const SMB_STRUCT_STAT *pst)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	struct timespec ret;
+
+	/* Old system - no ns timestamp. */
+	ret.tv_sec = pst->st_mtime;
+	ret.tv_nsec = 0;
+	return ret;
+#else
+#if defined(HAVE_STAT_ST_MTIM)
+	return pst->st_mtim;
+#elif defined(HAVE_STAT_ST_MTIMENSEC)
+	struct timespec ret;
+	ret.tv_sec = pst->st_mtime;
+	ret.tv_nsec = pst->st_mtimensec;
+	return ret;
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+void set_mtimespec(SMB_STRUCT_STAT *pst, struct timespec ts)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	/* Old system - no ns timestamp. */
+	pst->st_mtime = ts.tv_sec;
+#else
+#if defined(HAVE_STAT_ST_MTIM)
+	pst->st_mtim = ts;
+#elif defined(HAVE_STAT_ST_MTIMENSEC)
+	pst->st_mtime = ts.tv_sec;
+	pst->st_mtimensec = ts.tv_nsec
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+struct timespec get_ctimespec(const SMB_STRUCT_STAT *pst)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	struct timespec ret;
+
+	/* Old system - no ns timestamp. */
+	ret.tv_sec = pst->st_ctime;
+	ret.tv_nsec = 0;
+	return ret;
+#else
+#if defined(HAVE_STAT_ST_CTIM)
+	return pst->st_ctim;
+#elif defined(HAVE_STAT_ST_CTIMENSEC)
+	struct timespec ret;
+	ret.tv_sec = pst->st_ctime;
+	ret.tv_nsec = pst->st_ctimensec;
+	return ret;
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+void set_ctimespec(SMB_STRUCT_STAT *pst, struct timespec ts)
+{
+#if !defined(HAVE_STAT_HIRES_TIMESTAMPS)
+	/* Old system - no ns timestamp. */
+	pst->st_ctime = ts.tv_sec;
+#else
+#if defined(HAVE_STAT_ST_CTIM)
+	pst->st_ctim = ts;
+#elif defined(HAVE_STAT_ST_CTIMENSEC)
+	pst->st_ctime = ts.tv_sec;
+	pst->st_ctimensec = ts.tv_nsec
+#else
+#error	CONFIGURE_ERROR_IN_DETECTING_TIMESPEC_IN_STAT 
+#endif
+#endif
+}
+
+void dos_filetime_timespec(struct timespec *tsp)
+{
+	tsp->tv_sec &= ~1;
+	tsp->tv_nsec = 0;
+}
+
+/*******************************************************************
+ Create a unix date (int GMT) from a dos date (which is actually in
+ localtime).
+********************************************************************/
+
+static time_t make_unix_date(const void *date_ptr, int zone_offset)
+{
+	uint32 dos_date=0;
+	struct tm t;
+	time_t ret;
+
+	dos_date = IVAL(date_ptr,0);
+
+	if (dos_date == 0) {
+		return 0;
+	}
+  
+	interpret_dos_date(dos_date,&t.tm_year,&t.tm_mon,
+			&t.tm_mday,&t.tm_hour,&t.tm_min,&t.tm_sec);
+	t.tm_isdst = -1;
+  
+	ret = timegm(&t);
+
+	ret += zone_offset;
+
+	return(ret);
+}
+
+/*******************************************************************
+ Like make_unix_date() but the words are reversed.
+********************************************************************/
+
+static time_t make_unix_date2(const void *date_ptr, int zone_offset)
+{
+	uint32 x,x2;
+
+	x = IVAL(date_ptr,0);
+	x2 = ((x&0xFFFF)<<16) | ((x&0xFFFF0000)>>16);
+	SIVAL(&x,0,x2);
+
+	return(make_unix_date((const void *)&x, zone_offset));
+}
+
+/*******************************************************************
+ Create a unix GMT date from a dos date in 32 bit "unix like" format
+ these generally arrive as localtimes, with corresponding DST.
+******************************************************************/
+
+static time_t make_unix_date3(const void *date_ptr, int zone_offset)
+{
+	time_t t = (time_t)IVAL(date_ptr,0);
+	if (!null_mtime(t)) {
+		t += zone_offset;
+	}
+	return(t);
+}
+
+time_t srv_make_unix_date(const void *date_ptr)
+{
+	return make_unix_date(date_ptr, server_zone_offset);
+}
+
+time_t srv_make_unix_date2(const void *date_ptr)
+{
+	return make_unix_date2(date_ptr, server_zone_offset);
+}
+
+time_t srv_make_unix_date3(const void *date_ptr)
+{
+	return make_unix_date3(date_ptr, server_zone_offset);
+}
+
+time_t convert_timespec_to_time_t(struct timespec ts)
+{
+	/* 1 ns == 1,000,000,000 - one thousand millionths of a second.
+	   increment if it's greater than 500 millionth of a second. */
+	if (ts.tv_nsec > 500000000) {
+		return ts.tv_sec + 1;
+	}
+	return ts.tv_sec;
+}
+
+struct timespec convert_time_t_to_timespec(time_t t)
+{
+	struct timespec ts;
+	ts.tv_sec = t;
+	ts.tv_nsec = 0;
+	return ts;
+}
+
+/****************************************************************************
+ Convert a normalized timeval to a timespec.
+****************************************************************************/
+
+struct timespec convert_timeval_to_timespec(const struct timeval tv)
+{
+	struct timespec ts;
+	ts.tv_sec = tv.tv_sec;
+	ts.tv_nsec = tv.tv_usec * 1000;
+	return ts;
+}
+
+/****************************************************************************
+ Convert a normalized timespec to a timeval.
+****************************************************************************/
+
+struct timeval convert_timespec_to_timeval(const struct timespec ts)
+{
+	struct timeval tv;
+	tv.tv_sec = ts.tv_sec;
+	tv.tv_usec = ts.tv_nsec / 1000;
+	return tv;
+}
+
+/****************************************************************************
+ Return a timespec for the current time
+****************************************************************************/
+
+struct timespec timespec_current(void)
+{
+	struct timeval tv;
+	struct timespec ts;
+	GetTimeOfDay(&tv);
+	ts.tv_sec = tv.tv_sec;
+	ts.tv_nsec = tv.tv_usec * 1000;
+	return ts;
+}
+
+/****************************************************************************
+ Return the lesser of two timespecs.
+****************************************************************************/
+
+struct timespec timespec_min(const struct timespec *ts1,
+			   const struct timespec *ts2)
+{
+	if (ts1->tv_sec < ts2->tv_sec) return *ts1;
+	if (ts1->tv_sec > ts2->tv_sec) return *ts2;
+	if (ts1->tv_nsec < ts2->tv_nsec) return *ts1;
+	return *ts2;
+}
+
+/****************************************************************************
+  compare two timespec structures. 
+  Return -1 if ts1 < ts2
+  Return 0 if ts1 == ts2
+  Return 1 if ts1 > ts2
+****************************************************************************/
+
+int timespec_compare(const struct timespec *ts1, const struct timespec *ts2)
+{
+	if (ts1->tv_sec  > ts2->tv_sec)  return 1;
+	if (ts1->tv_sec  < ts2->tv_sec)  return -1;
+	if (ts1->tv_nsec > ts2->tv_nsec) return 1;
+	if (ts1->tv_nsec < ts2->tv_nsec) return -1;
+	return 0;
+}
+
+/****************************************************************************
+ Interprets an nt time into a unix struct timespec.
+ Differs from nt_time_to_unix in that an 8 byte value of 0xffffffffffffffff
+ will be returned as (time_t)-1, whereas nt_time_to_unix returns 0 in this case.
+****************************************************************************/
+
+struct timespec interpret_long_date(const char *p)
+{
+	NTTIME nt;
+	nt = IVAL(p,0) + ((uint64_t)IVAL(p,4) << 32);
+	if (nt == (uint64_t)-1) {
+		struct timespec ret;
+		ret.tv_sec = (time_t)-1;
+		ret.tv_nsec = 0;
+		return ret;
+	}
+	return nt_time_to_unix_timespec(&nt);
+}
+
+/***************************************************************************
+ Client versions of the above functions.
+***************************************************************************/
+
+void cli_put_dos_date(struct cli_state *cli, char *buf, int offset, time_t unixdate)
+{
+	put_dos_date(buf, offset, unixdate, cli->serverzone);
+}
+
+void cli_put_dos_date2(struct cli_state *cli, char *buf, int offset, time_t unixdate)
+{
+	put_dos_date2(buf, offset, unixdate, cli->serverzone);
+}
+
+void cli_put_dos_date3(struct cli_state *cli, char *buf, int offset, time_t unixdate)
+{
+	put_dos_date3(buf, offset, unixdate, cli->serverzone);
+}
+
+time_t cli_make_unix_date(struct cli_state *cli, const void *date_ptr)
+{
+	return make_unix_date(date_ptr, cli->serverzone);
+}
+
+time_t cli_make_unix_date2(struct cli_state *cli, const void *date_ptr)
+{
+	return make_unix_date2(date_ptr, cli->serverzone);
+}
+
+time_t cli_make_unix_date3(struct cli_state *cli, const void *date_ptr)
+{
+	return make_unix_date3(date_ptr, cli->serverzone);
+}
+
+/* Large integer version. */
+struct timespec nt_time_to_unix_timespec(NTTIME *nt)
+{
+	int64 d;
+	struct timespec ret;
+
+	if (*nt == 0 || *nt == (int64)-1) {
+		ret.tv_sec = 0;
+		ret.tv_nsec = 0;
+		return ret;
+	}
+
+	d = (int64)*nt;
+	/* d is now in 100ns units, since jan 1st 1601".
+	   Save off the ns fraction. */
+
+	/*
+	 * Take the last seven decimal digits and multiply by 100.
+	 * to convert from 100ns units to 1ns units.
+	 */
+        ret.tv_nsec = (long) ((d % (1000 * 1000 * 10)) * 100);
+
+	/* Convert to seconds */
+	d /= 1000*1000*10;
+
+	/* Now adjust by 369 years to make the secs since 1970 */
+	d -= TIME_FIXUP_CONSTANT_INT;
+
+	if (d <= (int64)TIME_T_MIN) {
+		ret.tv_sec = TIME_T_MIN;
+		ret.tv_nsec = 0;
+		return ret;
+	}
+
+	if (d >= (int64)TIME_T_MAX) {
+		ret.tv_sec = TIME_T_MAX;
+		ret.tv_nsec = 0;
+		return ret;
+	}
+
+	ret.tv_sec = (time_t)d;
+	return ret;
+}
+/****************************************************************************
+ Check if two NTTIMEs are the same.
+****************************************************************************/
+
+bool nt_time_equals(const NTTIME *nt1, const NTTIME *nt2)
+{
+	return (*nt1 == *nt2);
+}
+
+/*******************************************************************
+ Re-read the smb serverzone value.
+******************************************************************/
+
+static struct timeval start_time_hires;
+
+void TimeInit(void)
+{
+	set_server_zone_offset(time(NULL));
+
+	DEBUG(4,("TimeInit: Serverzone is %d\n", server_zone_offset));
+
+	/* Save the start time of this process. */
+	if (start_time_hires.tv_sec == 0 && start_time_hires.tv_usec == 0) {
+		GetTimeOfDay(&start_time_hires);
+	}
+}
+
+/**********************************************************************
+ Return a timeval struct of the uptime of this process. As TimeInit is
+ done before a daemon fork then this is the start time from the parent
+ daemon start. JRA.
+***********************************************************************/
+
+void get_process_uptime(struct timeval *ret_time)
+{
+	struct timeval time_now_hires;
+
+	GetTimeOfDay(&time_now_hires);
+	ret_time->tv_sec = time_now_hires.tv_sec - start_time_hires.tv_sec;
+	if (time_now_hires.tv_usec < start_time_hires.tv_usec) {
+		ret_time->tv_sec -= 1;
+		ret_time->tv_usec = 1000000 + (time_now_hires.tv_usec - start_time_hires.tv_usec);
+	} else {
+		ret_time->tv_usec = time_now_hires.tv_usec - start_time_hires.tv_usec;
+	}
+}
+
+/****************************************************************************
+ Convert a NTTIME structure to a time_t.
+ It's originally in "100ns units".
+
+ This is an absolute version of the one above.
+ By absolute I mean, it doesn't adjust from 1/1/1601 to 1/1/1970
+ if the NTTIME was 5 seconds, the time_t is 5 seconds. JFM
+****************************************************************************/
+
+time_t nt_time_to_unix_abs(const NTTIME *nt)
+{
+	uint64 d;
+
+	if (*nt == 0) {
+		return (time_t)0;
+	}
+
+	if (*nt == (uint64)-1) {
+		return (time_t)-1;
+	}
+
+	if (*nt == NTTIME_INFINITY) {
+		return (time_t)-1;
+	}
+
+	/* reverse the time */
+	/* it's a negative value, turn it to positive */
+	d=~*nt;
+
+	d += 1000*1000*10/2;
+	d /= 1000*1000*10;
+
+	if (!(TIME_T_MIN <= ((time_t)d) && ((time_t)d) <= TIME_T_MAX)) {
+		return (time_t)0;
+	}
+
+	return (time_t)d;
+}
+
+time_t uint64s_nt_time_to_unix_abs(const uint64_t *src)
+{
+	NTTIME nttime;
+	nttime = *src;
+	return nt_time_to_unix_abs(&nttime);
+}
+
+/****************************************************************************
+ Put a 8 byte filetime from a struct timespec. Uses GMT.
+****************************************************************************/
+
+void unix_timespec_to_nt_time(NTTIME *nt, struct timespec ts)
+{
+	uint64 d;
+
+	if (ts.tv_sec ==0 && ts.tv_nsec == 0) {
+		*nt = 0;
+		return;
+	}
+	if (ts.tv_sec == TIME_T_MAX) {
+		*nt = 0x7fffffffffffffffLL;
+		return;
+	}		
+	if (ts.tv_sec == (time_t)-1) {
+		*nt = (uint64)-1;
+		return;
+	}		
+
+	d = ts.tv_sec;
+	d += TIME_FIXUP_CONSTANT_INT;
+	d *= 1000*1000*10;
+	/* d is now in 100ns units. */
+	d += (ts.tv_nsec / 100);
+
+	*nt = d;
+}
+
+/****************************************************************************
+ Convert a time_t to a NTTIME structure
+
+ This is an absolute version of the one above.
+ By absolute I mean, it doesn't adjust from 1/1/1970 to 1/1/1601
+ If the time_t was 5 seconds, the NTTIME is 5 seconds. JFM
+****************************************************************************/
+
+void unix_to_nt_time_abs(NTTIME *nt, time_t t)
+{
+	double d;
+
+	if (t==0) {
+		*nt = 0;
+		return;
+	}
+
+	if (t == TIME_T_MAX) {
+		*nt = 0x7fffffffffffffffLL;
+		return;
+	}
+		
+	if (t == (time_t)-1) {
+		/* that's what NT uses for infinite */
+		*nt = NTTIME_INFINITY;
+		return;
+	}		
+
+	d = (double)(t);
+	d *= 1.0e7;
+
+	*nt = (NTTIME)d;
+
+	/* convert to a negative value */
+	*nt=~*nt;
+}
+
+
+/****************************************************************************
+ Check if it's a null mtime.
+****************************************************************************/
+
+bool null_mtime(time_t mtime)
+{
+	if (mtime == 0 || mtime == (time_t)0xFFFFFFFF || mtime == (time_t)-1)
+		return(True);
+	return(False);
+}
+
+/****************************************************************************
+ Utility function that always returns a const string even if localtime
+ and asctime fail.
+****************************************************************************/
+
+const char *time_to_asc(const time_t t)
+{
+	const char *asct;
+	struct tm *lt = localtime(&t);
+
+	if (!lt) {
+		return "unknown time";
+	}
+
+	asct = asctime(lt);
+	if (!asct) {
+		return "unknown time";
+	}
+	return asct;
+}
+
+const char *display_time(NTTIME nttime)
+{
+	float high;
+	float low;
+	int sec;
+	int days, hours, mins, secs;
+
+	if (nttime==0)
+		return "Now";
+
+	if (nttime==NTTIME_INFINITY)
+		return "Never";
+
+	high = 65536;	
+	high = high/10000;
+	high = high*65536;
+	high = high/1000;
+	high = high * (~(nttime >> 32));
+
+	low = ~(nttime & 0xFFFFFFFF);
+	low = low/(1000*1000*10);
+
+	sec=(int)(high+low);
+
+	days=sec/(60*60*24);
+	hours=(sec - (days*60*60*24)) / (60*60);
+	mins=(sec - (days*60*60*24) - (hours*60*60) ) / 60;
+	secs=sec - (days*60*60*24) - (hours*60*60) - (mins*60);
+
+	return talloc_asprintf(talloc_tos(), "%u days, %u hours, %u minutes, "
+			       "%u seconds", days, hours, mins, secs);
+}
+
+bool nt_time_is_set(const NTTIME *nt)
+{
+	if (*nt == 0x7FFFFFFFFFFFFFFFLL) {
+		return False;
+	}
+
+	if (*nt == NTTIME_INFINITY) {
+		return False;
+	}
+
+	return True;
+}
diff --git a/source3/lib/ufc.c b/source3/lib/ufc.c
new file mode 100644
index 0000000000..89329808c9
--- /dev/null
+++ b/source3/lib/ufc.c
@@ -0,0 +1,770 @@
+/*
+   This bit of code was derived from the UFC-crypt package which
+   carries the following copyright 
+   
+   Modified for use by Samba by Andrew Tridgell, October 1994
+
+   Note that this routine is only faster on some machines. Under Linux 1.1.51 
+   libc 4.5.26 I actually found this routine to be slightly slower.
+
+   Under SunOS I found a huge speedup by using these routines 
+   (a factor of 20 or so)
+
+   Warning: I've had a report from Steve Kennedy <steve@gbnet.org>
+   that this crypt routine may sometimes get the wrong answer. Only
+   use UFC_CRYT if you really need it.
+
+*/
+
+#include "includes.h"
+
+#ifndef HAVE_CRYPT
+
+/*
+ * UFC-crypt: ultra fast crypt(3) implementation
+ *
+ * Copyright (C) 1991-1998, Free Software Foundation, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ * @(#)crypt_util.c	2.31 02/08/92
+ *
+ * Support routines
+ *
+ */
+
+
+#ifndef long32
+#define long32 int32
+#endif
+
+#ifndef long64
+#define long64 int64
+#endif
+
+#ifndef ufc_long
+#define ufc_long unsigned
+#endif
+
+#ifndef _UFC_64_
+#define _UFC_32_
+#endif
+
+/* 
+ * Permutation done once on the 56 bit 
+ *  key derived from the original 8 byte ASCII key.
+ */
+static int pc1[56] = { 
+  57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
+  10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
+  63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
+  14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
+};
+
+/*
+ * How much to rotate each 28 bit half of the pc1 permutated
+ *  56 bit key before using pc2 to give the i' key
+ */
+static int rots[16] = { 
+  1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 
+};
+
+/* 
+ * Permutation giving the key 
+ * of the i' DES round 
+ */
+static int pc2[48] = { 
+  14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
+  23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
+  41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
+  44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
+};
+
+/*
+ * The E expansion table which selects
+ * bits from the 32 bit intermediate result.
+ */
+static int esel[48] = { 
+  32,  1,  2,  3,  4,  5,  4,  5,  6,  7,  8,  9,
+   8,  9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
+  16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
+  24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32,  1
+};
+static int e_inverse[64];
+
+/* 
+ * Permutation done on the 
+ * result of sbox lookups 
+ */
+static int perm32[32] = {
+  16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
+  2,   8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
+};
+
+/* 
+ * The sboxes
+ */
+static int sbox[8][4][16]= {
+        { { 14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7 },
+          {  0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8 },
+          {  4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0 },
+          { 15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13 }
+        },
+
+        { { 15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10 },
+          {  3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5 },
+          {  0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15 },
+          { 13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9 }
+        },
+
+        { { 10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8 },
+          { 13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1 },
+          { 13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7 },
+          {  1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12 }
+        },
+
+        { {  7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15 },
+          { 13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9 },
+          { 10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4 },
+          {  3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14 }
+        },
+
+        { {  2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9 },
+          { 14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6 },
+          {  4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14 },
+          { 11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3 }
+        },
+
+        { { 12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11 },
+          { 10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8 },
+          {  9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6 },
+          {  4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13 }
+        },
+
+        { {  4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1 },
+          { 13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6 },
+          {  1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2 },
+          {  6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12 }
+        },
+
+        { { 13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7 },
+          {  1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2 },
+          {  7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8 },
+          {  2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11 }
+        }
+};
+
+/* 
+ * This is the final 
+ * permutation matrix
+ */
+static int final_perm[64] = {
+  40,  8, 48, 16, 56, 24, 64, 32, 39,  7, 47, 15, 55, 23, 63, 31,
+  38,  6, 46, 14, 54, 22, 62, 30, 37,  5, 45, 13, 53, 21, 61, 29,
+  36,  4, 44, 12, 52, 20, 60, 28, 35,  3, 43, 11, 51, 19, 59, 27,
+  34,  2, 42, 10, 50, 18, 58, 26, 33,  1, 41,  9, 49, 17, 57, 25
+};
+
+/* 
+ * The 16 DES keys in BITMASK format 
+ */
+#ifdef _UFC_32_
+long32 _ufc_keytab[16][2];
+#endif
+
+#ifdef _UFC_64_
+long64 _ufc_keytab[16];
+#endif
+
+
+#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
+#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
+
+/* Macro to set a bit (0..23) */
+#define BITMASK(i) ( (1<<(11-(i)%12+3)) << ((i)<12?16:0) )
+
+/*
+ * sb arrays:
+ *
+ * Workhorses of the inner loop of the DES implementation.
+ * They do sbox lookup, shifting of this  value, 32 bit
+ * permutation and E permutation for the next round.
+ *
+ * Kept in 'BITMASK' format.
+ */
+
+#ifdef _UFC_32_
+long32 _ufc_sb0[8192], _ufc_sb1[8192], _ufc_sb2[8192], _ufc_sb3[8192];
+static long32 *sb[4] = {_ufc_sb0, _ufc_sb1, _ufc_sb2, _ufc_sb3}; 
+#endif
+
+#ifdef _UFC_64_
+long64 _ufc_sb0[4096], _ufc_sb1[4096], _ufc_sb2[4096], _ufc_sb3[4096];
+static long64 *sb[4] = {_ufc_sb0, _ufc_sb1, _ufc_sb2, _ufc_sb3}; 
+#endif
+
+/* 
+ * eperm32tab: do 32 bit permutation and E selection
+ *
+ * The first index is the byte number in the 32 bit value to be permuted
+ *  -  second  -   is the value of this byte
+ *  -  third   -   selects the two 32 bit values
+ *
+ * The table is used and generated internally in init_des to speed it up
+ */
+static ufc_long eperm32tab[4][256][2];
+
+/* 
+ * do_pc1: permform pc1 permutation in the key schedule generation.
+ *
+ * The first   index is the byte number in the 8 byte ASCII key
+ *  -  second    -      -    the two 28 bits halfs of the result
+ *  -  third     -   selects the 7 bits actually used of each byte
+ *
+ * The result is kept with 28 bit per 32 bit with the 4 most significant
+ * bits zero.
+ */
+static ufc_long do_pc1[8][2][128];
+
+/*
+ * do_pc2: permform pc2 permutation in the key schedule generation.
+ *
+ * The first   index is the septet number in the two 28 bit intermediate values
+ *  -  second    -    -  -  septet values
+ *
+ * Knowledge of the structure of the pc2 permutation is used.
+ *
+ * The result is kept with 28 bit per 32 bit with the 4 most significant
+ * bits zero.
+ */
+static ufc_long do_pc2[8][128];
+
+/*
+ * efp: undo an extra e selection and do final
+ *      permutation giving the DES result.
+ * 
+ *      Invoked 6 bit a time on two 48 bit values
+ *      giving two 32 bit longs.
+ */
+static ufc_long efp[16][64][2];
+
+static unsigned char bytemask[8]  = {
+  0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
+};
+
+static ufc_long longmask[32] = {
+  0x80000000, 0x40000000, 0x20000000, 0x10000000,
+  0x08000000, 0x04000000, 0x02000000, 0x01000000,
+  0x00800000, 0x00400000, 0x00200000, 0x00100000,
+  0x00080000, 0x00040000, 0x00020000, 0x00010000,
+  0x00008000, 0x00004000, 0x00002000, 0x00001000,
+  0x00000800, 0x00000400, 0x00000200, 0x00000100,
+  0x00000080, 0x00000040, 0x00000020, 0x00000010,
+  0x00000008, 0x00000004, 0x00000002, 0x00000001
+};
+
+
+/*
+ * Silly rewrite of 'bzero'. I do so
+ * because some machines don't have
+ * bzero and some don't have memset.
+ */
+
+static void clearmem(char *start, int cnt)
+  { while(cnt--)
+      *start++ = '\0';
+  }
+
+static int initialized = 0;
+
+/* lookup a 6 bit value in sbox */
+
+#define s_lookup(i,s) sbox[(i)][(((s)>>4) & 0x2)|((s) & 0x1)][((s)>>1) & 0xf];
+
+/*
+ * Initialize unit - may be invoked directly
+ * by fcrypt users.
+ */
+
+static void ufc_init_des(void)
+  { int comes_from_bit;
+    int bit, sg;
+    ufc_long j;
+    ufc_long mask1, mask2;
+
+    /*
+     * Create the do_pc1 table used
+     * to affect pc1 permutation
+     * when generating keys
+     */
+    for(bit = 0; bit < 56; bit++) {
+      comes_from_bit  = pc1[bit] - 1;
+      mask1 = bytemask[comes_from_bit % 8 + 1];
+      mask2 = longmask[bit % 28 + 4];
+      for(j = 0; j < 128; j++) {
+	if(j & mask1) 
+	  do_pc1[comes_from_bit / 8][bit / 28][j] |= mask2;
+      }
+    }
+
+    /*
+     * Create the do_pc2 table used
+     * to affect pc2 permutation when
+     * generating keys
+     */
+    for(bit = 0; bit < 48; bit++) {
+      comes_from_bit  = pc2[bit] - 1;
+      mask1 = bytemask[comes_from_bit % 7 + 1];
+      mask2 = BITMASK(bit % 24);
+      for(j = 0; j < 128; j++) {
+	if(j & mask1)
+	  do_pc2[comes_from_bit / 7][j] |= mask2;
+      }
+    }
+
+    /* 
+     * Now generate the table used to do combined
+     * 32 bit permutation and e expansion
+     *
+     * We use it because we have to permute 16384 32 bit
+     * longs into 48 bit in order to initialize sb.
+     *
+     * Looping 48 rounds per permutation becomes 
+     * just too slow...
+     *
+     */
+
+    clearmem((char*)eperm32tab, sizeof(eperm32tab));
+
+    for(bit = 0; bit < 48; bit++) {
+      ufc_long inner_mask1,comes_from;
+	
+      comes_from = perm32[esel[bit]-1]-1;
+      inner_mask1      = bytemask[comes_from % 8];
+	
+      for(j = 256; j--;) {
+	if(j & inner_mask1)
+	  eperm32tab[comes_from / 8][j][bit / 24] |= BITMASK(bit % 24);
+      }
+    }
+    
+    /* 
+     * Create the sb tables:
+     *
+     * For each 12 bit segment of an 48 bit intermediate
+     * result, the sb table precomputes the two 4 bit
+     * values of the sbox lookups done with the two 6
+     * bit halves, shifts them to their proper place,
+     * sends them through perm32 and finally E expands
+     * them so that they are ready for the next
+     * DES round.
+     *
+     */
+    for(sg = 0; sg < 4; sg++) {
+      int j1, j2;
+      int s1, s2;
+    
+      for(j1 = 0; j1 < 64; j1++) {
+	s1 = s_lookup(2 * sg, j1);
+	for(j2 = 0; j2 < 64; j2++) {
+	  ufc_long to_permute, inx;
+    
+	  s2         = s_lookup(2 * sg + 1, j2);
+	  to_permute = ((s1 << 4)  | s2) << (24 - 8 * sg);
+
+#ifdef _UFC_32_
+	  inx = ((j1 << 6)  | j2) << 1;
+	  sb[sg][inx  ]  = eperm32tab[0][(to_permute >> 24) & 0xff][0];
+	  sb[sg][inx+1]  = eperm32tab[0][(to_permute >> 24) & 0xff][1];
+	  sb[sg][inx  ] |= eperm32tab[1][(to_permute >> 16) & 0xff][0];
+	  sb[sg][inx+1] |= eperm32tab[1][(to_permute >> 16) & 0xff][1];
+  	  sb[sg][inx  ] |= eperm32tab[2][(to_permute >>  8) & 0xff][0];
+	  sb[sg][inx+1] |= eperm32tab[2][(to_permute >>  8) & 0xff][1];
+	  sb[sg][inx  ] |= eperm32tab[3][(to_permute)       & 0xff][0];
+	  sb[sg][inx+1] |= eperm32tab[3][(to_permute)       & 0xff][1];
+#endif
+#ifdef _UFC_64_
+	  inx = ((j1 << 6)  | j2);
+	  sb[sg][inx]  = 
+	    ((long64)eperm32tab[0][(to_permute >> 24) & 0xff][0] << 32) |
+	     (long64)eperm32tab[0][(to_permute >> 24) & 0xff][1];
+	  sb[sg][inx] |=
+	    ((long64)eperm32tab[1][(to_permute >> 16) & 0xff][0] << 32) |
+	     (long64)eperm32tab[1][(to_permute >> 16) & 0xff][1];
+  	  sb[sg][inx] |= 
+	    ((long64)eperm32tab[2][(to_permute >>  8) & 0xff][0] << 32) |
+	     (long64)eperm32tab[2][(to_permute >>  8) & 0xff][1];
+	  sb[sg][inx] |=
+	    ((long64)eperm32tab[3][(to_permute)       & 0xff][0] << 32) |
+	     (long64)eperm32tab[3][(to_permute)       & 0xff][1];
+#endif
+	}
+      }
+    }  
+
+    /* 
+     * Create an inverse matrix for esel telling
+     * where to plug out bits if undoing it
+     */
+    for(bit=48; bit--;) {
+      e_inverse[esel[bit] - 1     ] = bit;
+      e_inverse[esel[bit] - 1 + 32] = bit + 48;
+    }
+
+    /* 
+     * create efp: the matrix used to
+     * undo the E expansion and effect final permutation
+     */
+    clearmem((char*)efp, sizeof efp);
+    for(bit = 0; bit < 64; bit++) {
+      int o_bit, o_long;
+      ufc_long word_value, inner_mask1, inner_mask2;
+      int comes_from_f_bit, comes_from_e_bit;
+      int comes_from_word, bit_within_word;
+
+      /* See where bit i belongs in the two 32 bit long's */
+      o_long = bit / 32; /* 0..1  */
+      o_bit  = bit % 32; /* 0..31 */
+
+      /* 
+       * And find a bit in the e permutated value setting this bit.
+       *
+       * Note: the e selection may have selected the same bit several
+       * times. By the initialization of e_inverse, we only look
+       * for one specific instance.
+       */
+      comes_from_f_bit = final_perm[bit] - 1;         /* 0..63 */
+      comes_from_e_bit = e_inverse[comes_from_f_bit]; /* 0..95 */
+      comes_from_word  = comes_from_e_bit / 6;        /* 0..15 */
+      bit_within_word  = comes_from_e_bit % 6;        /* 0..5  */
+
+      inner_mask1 = longmask[bit_within_word + 26];
+      inner_mask2 = longmask[o_bit];
+
+      for(word_value = 64; word_value--;) {
+	if(word_value & inner_mask1)
+	  efp[comes_from_word][word_value][o_long] |= inner_mask2;
+      }
+    }
+    initialized++;
+  }
+
+/* 
+ * Process the elements of the sb table permuting the
+ * bits swapped in the expansion by the current salt.
+ */
+
+#ifdef _UFC_32_
+static void shuffle_sb(long32 *k, ufc_long saltbits)
+  { ufc_long j;
+    long32 x;
+    for(j=4096; j--;) {
+      x = (k[0] ^ k[1]) & (long32)saltbits;
+      *k++ ^= x;
+      *k++ ^= x;
+    }
+  }
+#endif
+
+#ifdef _UFC_64_
+static void shuffle_sb(long64 *k, ufc_long saltbits)
+  { ufc_long j;
+    long64 x;
+    for(j=4096; j--;) {
+      x = ((*k >> 32) ^ *k) & (long64)saltbits;
+      *k++ ^= (x << 32) | x;
+    }
+  }
+#endif
+
+/* 
+ * Setup the unit for a new salt
+ * Hopefully we'll not see a new salt in each crypt call.
+ */
+
+static unsigned char current_salt[3] = "&&"; /* invalid value */
+static ufc_long current_saltbits = 0;
+static int direction = 0;
+
+static void setup_salt(const char *s1)
+  { ufc_long i, j, saltbits;
+    const unsigned char *s2 = (const unsigned char *)s1;
+
+    if(!initialized)
+      ufc_init_des();
+
+    if(s2[0] == current_salt[0] && s2[1] == current_salt[1])
+      return;
+    current_salt[0] = s2[0]; current_salt[1] = s2[1];
+
+    /* 
+     * This is the only crypt change to DES:
+     * entries are swapped in the expansion table
+     * according to the bits set in the salt.
+     */
+    saltbits = 0;
+    for(i = 0; i < 2; i++) {
+      long c=ascii_to_bin(s2[i]);
+      if(c < 0 || c > 63)
+	c = 0;
+      for(j = 0; j < 6; j++) {
+	if((c >> j) & 0x1)
+	  saltbits |= BITMASK(6 * i + j);
+      }
+    }
+
+    /*
+     * Permute the sb table values
+     * to reflect the changed e
+     * selection table
+     */
+    shuffle_sb(_ufc_sb0, current_saltbits ^ saltbits); 
+    shuffle_sb(_ufc_sb1, current_saltbits ^ saltbits);
+    shuffle_sb(_ufc_sb2, current_saltbits ^ saltbits);
+    shuffle_sb(_ufc_sb3, current_saltbits ^ saltbits);
+
+    current_saltbits = saltbits;
+  }
+
+static void ufc_mk_keytab(char *key)
+  { ufc_long v1, v2, *k1;
+    int i;
+#ifdef _UFC_32_
+    long32 v, *k2 = &_ufc_keytab[0][0];
+#endif
+#ifdef _UFC_64_
+    long64 v, *k2 = &_ufc_keytab[0];
+#endif
+
+    v1 = v2 = 0; k1 = &do_pc1[0][0][0];
+    for(i = 8; i--;) {
+      v1 |= k1[*key   & 0x7f]; k1 += 128;
+      v2 |= k1[*key++ & 0x7f]; k1 += 128;
+    }
+
+    for(i = 0; i < 16; i++) {
+      k1 = &do_pc2[0][0];
+
+      v1 = (v1 << rots[i]) | (v1 >> (28 - rots[i]));
+      v  = k1[(v1 >> 21) & 0x7f]; k1 += 128;
+      v |= k1[(v1 >> 14) & 0x7f]; k1 += 128;
+      v |= k1[(v1 >>  7) & 0x7f]; k1 += 128;
+      v |= k1[(v1      ) & 0x7f]; k1 += 128;
+
+#ifdef _UFC_32_
+      *k2++ = v;
+      v = 0;
+#endif
+#ifdef _UFC_64_
+      v <<= 32;
+#endif
+
+      v2 = (v2 << rots[i]) | (v2 >> (28 - rots[i]));
+      v |= k1[(v2 >> 21) & 0x7f]; k1 += 128;
+      v |= k1[(v2 >> 14) & 0x7f]; k1 += 128;
+      v |= k1[(v2 >>  7) & 0x7f]; k1 += 128;
+      v |= k1[(v2      ) & 0x7f];
+
+      *k2++ = v;
+    }
+
+    direction = 0;
+  }
+
+/* 
+ * Undo an extra E selection and do final permutations
+ */
+
+ufc_long *_ufc_dofinalperm(ufc_long l1, ufc_long l2, ufc_long r1, ufc_long r2)
+  { ufc_long v1, v2, x;
+    static ufc_long ary[2];
+
+    x = (l1 ^ l2) & current_saltbits; l1 ^= x; l2 ^= x;
+    x = (r1 ^ r2) & current_saltbits; r1 ^= x; r2 ^= x;
+
+    v1=v2=0; l1 >>= 3; l2 >>= 3; r1 >>= 3; r2 >>= 3;
+
+    v1 |= efp[15][ r2         & 0x3f][0]; v2 |= efp[15][ r2 & 0x3f][1];
+    v1 |= efp[14][(r2 >>= 6)  & 0x3f][0]; v2 |= efp[14][ r2 & 0x3f][1];
+    v1 |= efp[13][(r2 >>= 10) & 0x3f][0]; v2 |= efp[13][ r2 & 0x3f][1];
+    v1 |= efp[12][(r2 >>= 6)  & 0x3f][0]; v2 |= efp[12][ r2 & 0x3f][1];
+
+    v1 |= efp[11][ r1         & 0x3f][0]; v2 |= efp[11][ r1 & 0x3f][1];
+    v1 |= efp[10][(r1 >>= 6)  & 0x3f][0]; v2 |= efp[10][ r1 & 0x3f][1];
+    v1 |= efp[ 9][(r1 >>= 10) & 0x3f][0]; v2 |= efp[ 9][ r1 & 0x3f][1];
+    v1 |= efp[ 8][(r1 >>= 6)  & 0x3f][0]; v2 |= efp[ 8][ r1 & 0x3f][1];
+
+    v1 |= efp[ 7][ l2         & 0x3f][0]; v2 |= efp[ 7][ l2 & 0x3f][1];
+    v1 |= efp[ 6][(l2 >>= 6)  & 0x3f][0]; v2 |= efp[ 6][ l2 & 0x3f][1];
+    v1 |= efp[ 5][(l2 >>= 10) & 0x3f][0]; v2 |= efp[ 5][ l2 & 0x3f][1];
+    v1 |= efp[ 4][(l2 >>= 6)  & 0x3f][0]; v2 |= efp[ 4][ l2 & 0x3f][1];
+
+    v1 |= efp[ 3][ l1         & 0x3f][0]; v2 |= efp[ 3][ l1 & 0x3f][1];
+    v1 |= efp[ 2][(l1 >>= 6)  & 0x3f][0]; v2 |= efp[ 2][ l1 & 0x3f][1];
+    v1 |= efp[ 1][(l1 >>= 10) & 0x3f][0]; v2 |= efp[ 1][ l1 & 0x3f][1];
+    v1 |= efp[ 0][(l1 >>= 6)  & 0x3f][0]; v2 |= efp[ 0][ l1 & 0x3f][1];
+
+    ary[0] = v1; ary[1] = v2;
+    return ary;
+  }
+
+/* 
+ * crypt only: convert from 64 bit to 11 bit ASCII 
+ * prefixing with the salt
+ */
+
+static char *output_conversion(ufc_long v1, ufc_long v2, const char *salt)
+  { static char outbuf[14];
+    int i, s;
+
+    outbuf[0] = salt[0];
+    outbuf[1] = salt[1] ? salt[1] : salt[0];
+
+    for(i = 0; i < 5; i++)
+      outbuf[i + 2] = bin_to_ascii((v1 >> (26 - 6 * i)) & 0x3f);
+
+    s  = (v2 & 0xf) << 2;
+    v2 = (v2 >> 2) | ((v1 & 0x3) << 30);
+
+    for(i = 5; i < 10; i++)
+      outbuf[i + 2] = bin_to_ascii((v2 >> (56 - 6 * i)) & 0x3f);
+
+    outbuf[12] = bin_to_ascii(s);
+    outbuf[13] = 0;
+
+    return outbuf;
+  }
+
+/* 
+ * UNIX crypt function
+ */
+
+static ufc_long *_ufc_doit(ufc_long , ufc_long, ufc_long, ufc_long, ufc_long);
+   
+char *ufc_crypt(const char *key,const char *salt)
+  { ufc_long *s;
+    char ktab[9];
+
+    /*
+     * Hack DES tables according to salt
+     */
+    setup_salt(salt);
+
+    /*
+     * Setup key schedule
+     */
+    clearmem(ktab, sizeof ktab);
+    StrnCpy(ktab, key, 8);
+    ufc_mk_keytab(ktab);
+
+    /*
+     * Go for the 25 DES encryptions
+     */
+    s = _ufc_doit((ufc_long)0, (ufc_long)0, 
+		  (ufc_long)0, (ufc_long)0, (ufc_long)25);
+
+    /*
+     * And convert back to 6 bit ASCII
+     */
+    return output_conversion(s[0], s[1], salt);
+  }
+
+
+#ifdef _UFC_32_
+
+/*
+ * 32 bit version
+ */
+
+extern long32 _ufc_keytab[16][2];
+extern long32 _ufc_sb0[], _ufc_sb1[], _ufc_sb2[], _ufc_sb3[];
+
+#define SBA(sb, v) (*(long32*)((char*)(sb)+(v)))
+
+static ufc_long *_ufc_doit(ufc_long l1, ufc_long l2, ufc_long r1, ufc_long r2, ufc_long itr)
+  { int i;
+    long32 s, *k;
+
+    while(itr--) {
+      k = &_ufc_keytab[0][0];
+      for(i=8; i--; ) {
+	s = *k++ ^ r1;
+	l1 ^= SBA(_ufc_sb1, s & 0xffff); l2 ^= SBA(_ufc_sb1, (s & 0xffff)+4);  
+        l1 ^= SBA(_ufc_sb0, s >>= 16);   l2 ^= SBA(_ufc_sb0, (s)         +4); 
+        s = *k++ ^ r2; 
+        l1 ^= SBA(_ufc_sb3, s & 0xffff); l2 ^= SBA(_ufc_sb3, (s & 0xffff)+4);
+        l1 ^= SBA(_ufc_sb2, s >>= 16);   l2 ^= SBA(_ufc_sb2, (s)         +4);
+
+        s = *k++ ^ l1; 
+        r1 ^= SBA(_ufc_sb1, s & 0xffff); r2 ^= SBA(_ufc_sb1, (s & 0xffff)+4);  
+        r1 ^= SBA(_ufc_sb0, s >>= 16);   r2 ^= SBA(_ufc_sb0, (s)         +4); 
+        s = *k++ ^ l2; 
+        r1 ^= SBA(_ufc_sb3, s & 0xffff); r2 ^= SBA(_ufc_sb3, (s & 0xffff)+4);  
+        r1 ^= SBA(_ufc_sb2, s >>= 16);   r2 ^= SBA(_ufc_sb2, (s)         +4);
+      } 
+      s=l1; l1=r1; r1=s; s=l2; l2=r2; r2=s;
+    }
+    return _ufc_dofinalperm(l1, l2, r1, r2);
+  }
+
+#endif
+
+#ifdef _UFC_64_
+
+/*
+ * 64 bit version
+ */
+
+extern long64 _ufc_keytab[16];
+extern long64 _ufc_sb0[], _ufc_sb1[], _ufc_sb2[], _ufc_sb3[];
+
+#define SBA(sb, v) (*(long64*)((char*)(sb)+(v)))
+
+static ufc_long *_ufc_doit(ufc_long l1, ufc_long l2, ufc_long r1, ufc_long r2, ufc_long itr)
+  { int i;
+    long64 l, r, s, *k;
+
+    l = (((long64)l1) << 32) | ((long64)l2);
+    r = (((long64)r1) << 32) | ((long64)r2);
+
+    while(itr--) {
+      k = &_ufc_keytab[0];
+      for(i=8; i--; ) {
+	s = *k++ ^ r;
+	l ^= SBA(_ufc_sb3, (s >>  0) & 0xffff);
+        l ^= SBA(_ufc_sb2, (s >> 16) & 0xffff);
+        l ^= SBA(_ufc_sb1, (s >> 32) & 0xffff);
+        l ^= SBA(_ufc_sb0, (s >> 48) & 0xffff);
+
+	s = *k++ ^ l;
+	r ^= SBA(_ufc_sb3, (s >>  0) & 0xffff);
+        r ^= SBA(_ufc_sb2, (s >> 16) & 0xffff);
+        r ^= SBA(_ufc_sb1, (s >> 32) & 0xffff);
+        r ^= SBA(_ufc_sb0, (s >> 48) & 0xffff);
+      } 
+      s=l; l=r; r=s;
+    }
+
+    l1 = l >> 32; l2 = l & 0xffffffff;
+    r1 = r >> 32; r2 = r & 0xffffffff;
+    return _ufc_dofinalperm(l1, l2, r1, r2);
+  }
+
+#endif
+
+
+#else
+ int ufc_dummy_procedure(void);
+ int ufc_dummy_procedure(void) {return 0;}
+#endif
diff --git a/source3/lib/username.c b/source3/lib/username.c
new file mode 100644
index 0000000000..3087bac0f4
--- /dev/null
+++ b/source3/lib/username.c
@@ -0,0 +1,196 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Username handling
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Jeremy Allison 1997-2001.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/* internal functions */
+static struct passwd *uname_string_combinations(char *s, TALLOC_CTX *mem_ctx,
+						struct passwd * (*fn) (TALLOC_CTX *mem_ctx, const char *),
+						int N);
+static struct passwd *uname_string_combinations2(char *s, TALLOC_CTX *mem_ctx, int offset,
+						 struct passwd * (*fn) (TALLOC_CTX *mem_ctx, const char *),
+						 int N);
+
+/****************************************************************************
+ Get a users home directory.
+****************************************************************************/
+
+char *get_user_home_dir(TALLOC_CTX *mem_ctx, const char *user)
+{
+	struct passwd *pass;
+	char *result;
+
+	/* Ensure the user exists. */
+
+	pass = Get_Pwnam_alloc(mem_ctx, user);
+
+	if (!pass)
+		return(NULL);
+
+	/* Return home directory from struct passwd. */
+
+	result = talloc_move(mem_ctx, &pass->pw_dir);
+
+	TALLOC_FREE(pass);
+	return result;
+}
+
+/****************************************************************************
+ * A wrapper for sys_getpwnam().  The following variations are tried:
+ *   - as transmitted
+ *   - in all lower case if this differs from transmitted
+ *   - in all upper case if this differs from transmitted
+ *   - using lp_usernamelevel() for permutations.
+****************************************************************************/
+
+static struct passwd *Get_Pwnam_internals(TALLOC_CTX *mem_ctx,
+					  const char *user, char *user2)
+{
+	struct passwd *ret = NULL;
+
+	if (!user2 || !(*user2))
+		return(NULL);
+
+	if (!user || !(*user))
+		return(NULL);
+
+	/* Try in all lower case first as this is the most 
+	   common case on UNIX systems */
+	strlower_m(user2);
+	DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
+	ret = getpwnam_alloc(mem_ctx, user2);
+	if(ret)
+		goto done;
+
+	/* Try as given, if username wasn't originally lowercase */
+	if(strcmp(user, user2) != 0) {
+		DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n",
+			 user));
+		ret = getpwnam_alloc(mem_ctx, user);
+		if(ret)
+			goto done;
+	}
+
+	/* Try as uppercase, if username wasn't originally uppercase */
+	strupper_m(user2);
+	if(strcmp(user, user2) != 0) {
+		DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n",
+			 user2));
+		ret = getpwnam_alloc(mem_ctx, user2);
+		if(ret)
+			goto done;
+	}
+
+	/* Try all combinations up to usernamelevel */
+	strlower_m(user2);
+	DEBUG(5,("Checking combinations of %d uppercase letters in %s\n",
+		 lp_usernamelevel(), user2));
+	ret = uname_string_combinations(user2, mem_ctx, getpwnam_alloc,
+					lp_usernamelevel());
+
+done:
+	DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ?
+		 "did":"didn't", user));
+
+	return ret;
+}
+
+/****************************************************************************
+ Get_Pwnam wrapper without modification.
+  NOTE: This with NOT modify 'user'! 
+  This will return an allocated structure
+****************************************************************************/
+
+struct passwd *Get_Pwnam_alloc(TALLOC_CTX *mem_ctx, const char *user)
+{
+	fstring user2;
+	struct passwd *ret;
+
+	if ( *user == '\0' ) {
+		DEBUG(10,("Get_Pwnam: empty username!\n"));
+		return NULL;
+	}
+
+	fstrcpy(user2, user);
+
+	DEBUG(5,("Finding user %s\n", user));
+
+	ret = Get_Pwnam_internals(mem_ctx, user, user2);
+	
+	return ret;  
+}
+
+/* The functions below have been taken from password.c and slightly modified */
+/****************************************************************************
+ Apply a function to upper/lower case combinations
+ of a string and return true if one of them returns true.
+ Try all combinations with N uppercase letters.
+ offset is the first char to try and change (start with 0)
+ it assumes the string starts lowercased
+****************************************************************************/
+
+static struct passwd *uname_string_combinations2(char *s, TALLOC_CTX *mem_ctx,
+						 int offset,
+						 struct passwd *(*fn)(TALLOC_CTX *mem_ctx, const char *),
+						 int N)
+{
+	ssize_t len = (ssize_t)strlen(s);
+	int i;
+	struct passwd *ret;
+
+	if (N <= 0 || offset >= len)
+		return(fn(mem_ctx, s));
+
+	for (i=offset;i<(len-(N-1));i++) {
+		char c = s[i];
+		if (!islower_ascii((int)c))
+			continue;
+		s[i] = toupper_ascii(c);
+		ret = uname_string_combinations2(s, mem_ctx, i+1, fn, N-1);
+		if(ret)
+			return(ret);
+		s[i] = c;
+	}
+	return(NULL);
+}
+
+/****************************************************************************
+ Apply a function to upper/lower case combinations
+ of a string and return true if one of them returns true.
+ Try all combinations with up to N uppercase letters.
+ offset is the first char to try and change (start with 0)
+ it assumes the string starts lowercased
+****************************************************************************/
+
+static struct passwd * uname_string_combinations(char *s, TALLOC_CTX *mem_ctx,
+						 struct passwd * (*fn)(TALLOC_CTX *mem_ctx, const char *),
+						 int N)
+{
+	int n;
+	struct passwd *ret;
+
+	for (n=1;n<=N;n++) {
+		ret = uname_string_combinations2(s,mem_ctx,0,fn,n);
+		if(ret)
+			return(ret);
+	}  
+	return(NULL);
+}
+
diff --git a/source3/lib/util.c b/source3/lib/util.c
new file mode 100644
index 0000000000..ec43ea7037
--- /dev/null
+++ b/source3/lib/util.c
@@ -0,0 +1,3523 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Jeremy Allison 2001-2007
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+   Copyright (C) James Peach 2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+extern char *global_clobber_region_function;
+extern unsigned int global_clobber_region_line;
+
+/* Max allowable allococation - 256mb - 0x10000000 */
+#define MAX_ALLOC_SIZE (1024*1024*256)
+
+#if (defined(HAVE_NETGROUP) && defined (WITH_AUTOMOUNT))
+#ifdef WITH_NISPLUS_HOME
+#ifdef BROKEN_NISPLUS_INCLUDE_FILES
+/*
+ * The following lines are needed due to buggy include files
+ * in Solaris 2.6 which define GROUP in both /usr/include/sys/acl.h and
+ * also in /usr/include/rpcsvc/nis.h. The definitions conflict. JRA.
+ * Also GROUP_OBJ is defined as 0x4 in /usr/include/sys/acl.h and as
+ * an enum in /usr/include/rpcsvc/nis.h.
+ */
+
+#if defined(GROUP)
+#undef GROUP
+#endif
+
+#if defined(GROUP_OBJ)
+#undef GROUP_OBJ
+#endif
+
+#endif /* BROKEN_NISPLUS_INCLUDE_FILES */
+
+#include <rpcsvc/nis.h>
+
+#endif /* WITH_NISPLUS_HOME */
+#endif /* HAVE_NETGROUP && WITH_AUTOMOUNT */
+
+enum protocol_types Protocol = PROTOCOL_COREPLUS;
+
+/* this is used by the chaining code */
+int chain_size = 0;
+
+static enum remote_arch_types ra_type = RA_UNKNOWN;
+
+/***********************************************************************
+ Definitions for all names.
+***********************************************************************/
+
+static char *smb_myname;
+static char *smb_myworkgroup;
+static char *smb_scope;
+static int smb_num_netbios_names;
+static char **smb_my_netbios_names;
+
+/***********************************************************************
+ Allocate and set myname. Ensure upper case.
+***********************************************************************/
+
+bool set_global_myname(const char *myname)
+{
+	SAFE_FREE(smb_myname);
+	smb_myname = SMB_STRDUP(myname);
+	if (!smb_myname)
+		return False;
+	strupper_m(smb_myname);
+	return True;
+}
+
+const char *global_myname(void)
+{
+	return smb_myname;
+}
+
+/***********************************************************************
+ Allocate and set myworkgroup. Ensure upper case.
+***********************************************************************/
+
+bool set_global_myworkgroup(const char *myworkgroup)
+{
+	SAFE_FREE(smb_myworkgroup);
+	smb_myworkgroup = SMB_STRDUP(myworkgroup);
+	if (!smb_myworkgroup)
+		return False;
+	strupper_m(smb_myworkgroup);
+	return True;
+}
+
+const char *lp_workgroup(void)
+{
+	return smb_myworkgroup;
+}
+
+/***********************************************************************
+ Allocate and set scope. Ensure upper case.
+***********************************************************************/
+
+bool set_global_scope(const char *scope)
+{
+	SAFE_FREE(smb_scope);
+	smb_scope = SMB_STRDUP(scope);
+	if (!smb_scope)
+		return False;
+	strupper_m(smb_scope);
+	return True;
+}
+
+/*********************************************************************
+ Ensure scope is never null string.
+*********************************************************************/
+
+const char *global_scope(void)
+{
+	if (!smb_scope)
+		set_global_scope("");
+	return smb_scope;
+}
+
+static void free_netbios_names_array(void)
+{
+	int i;
+
+	for (i = 0; i < smb_num_netbios_names; i++)
+		SAFE_FREE(smb_my_netbios_names[i]);
+
+	SAFE_FREE(smb_my_netbios_names);
+	smb_num_netbios_names = 0;
+}
+
+static bool allocate_my_netbios_names_array(size_t number)
+{
+	free_netbios_names_array();
+
+	smb_num_netbios_names = number + 1;
+	smb_my_netbios_names = SMB_MALLOC_ARRAY( char *, smb_num_netbios_names );
+
+	if (!smb_my_netbios_names)
+		return False;
+
+	memset(smb_my_netbios_names, '\0', sizeof(char *) * smb_num_netbios_names);
+	return True;
+}
+
+static bool set_my_netbios_names(const char *name, int i)
+{
+	SAFE_FREE(smb_my_netbios_names[i]);
+
+	smb_my_netbios_names[i] = SMB_STRDUP(name);
+	if (!smb_my_netbios_names[i])
+		return False;
+	strupper_m(smb_my_netbios_names[i]);
+	return True;
+}
+
+/***********************************************************************
+ Free memory allocated to global objects
+***********************************************************************/
+
+void gfree_names(void)
+{
+	SAFE_FREE( smb_myname );
+	SAFE_FREE( smb_myworkgroup );
+	SAFE_FREE( smb_scope );
+	free_netbios_names_array();
+	free_local_machine_name();
+}
+
+void gfree_all( void )
+{
+	gfree_names();
+	gfree_loadparm();
+	gfree_case_tables();
+	gfree_charcnv();
+	gfree_interfaces();
+	gfree_debugsyms();
+}
+
+const char *my_netbios_names(int i)
+{
+	return smb_my_netbios_names[i];
+}
+
+bool set_netbios_aliases(const char **str_array)
+{
+	size_t namecount;
+
+	/* Work out the max number of netbios aliases that we have */
+	for( namecount=0; str_array && (str_array[namecount] != NULL); namecount++ )
+		;
+
+	if ( global_myname() && *global_myname())
+		namecount++;
+
+	/* Allocate space for the netbios aliases */
+	if (!allocate_my_netbios_names_array(namecount))
+		return False;
+
+	/* Use the global_myname string first */
+	namecount=0;
+	if ( global_myname() && *global_myname()) {
+		set_my_netbios_names( global_myname(), namecount );
+		namecount++;
+	}
+
+	if (str_array) {
+		size_t i;
+		for ( i = 0; str_array[i] != NULL; i++) {
+			size_t n;
+			bool duplicate = False;
+
+			/* Look for duplicates */
+			for( n=0; n<namecount; n++ ) {
+				if( strequal( str_array[i], my_netbios_names(n) ) ) {
+					duplicate = True;
+					break;
+				}
+			}
+			if (!duplicate) {
+				if (!set_my_netbios_names(str_array[i], namecount))
+					return False;
+				namecount++;
+			}
+		}
+	}
+	return True;
+}
+
+/****************************************************************************
+  Common name initialization code.
+****************************************************************************/
+
+bool init_names(void)
+{
+	int n;
+
+	if (global_myname() == NULL || *global_myname() == '\0') {
+		if (!set_global_myname(myhostname())) {
+			DEBUG( 0, ( "init_structs: malloc fail.\n" ) );
+			return False;
+		}
+	}
+
+	if (!set_netbios_aliases(lp_netbios_aliases())) {
+		DEBUG( 0, ( "init_structs: malloc fail.\n" ) );
+		return False;
+	}
+
+	set_local_machine_name(global_myname(),false);
+
+	DEBUG( 5, ("Netbios name list:-\n") );
+	for( n=0; my_netbios_names(n); n++ ) {
+		DEBUGADD( 5, ("my_netbios_names[%d]=\"%s\"\n",
+					n, my_netbios_names(n) ) );
+	}
+
+	return( True );
+}
+
+/**************************************************************************n
+  Code to cope with username/password auth options from the commandline.
+  Used mainly in client tools.
+****************************************************************************/
+
+static struct user_auth_info cmdline_auth_info = {
+	NULL,	/* username */
+	NULL,	/* password */
+	false,	/* got_pass */
+	false,	/* use_kerberos */
+	Undefined, /* signing state */
+	false,	/* smb_encrypt */
+	false   /* use machine account */
+};
+
+const char *get_cmdline_auth_info_username(void)
+{
+	if (!cmdline_auth_info.username) {
+		return "";
+	}
+	return cmdline_auth_info.username;
+}
+
+void set_cmdline_auth_info_username(const char *username)
+{
+	SAFE_FREE(cmdline_auth_info.username);
+	cmdline_auth_info.username = SMB_STRDUP(username);
+	if (!cmdline_auth_info.username) {
+		exit(ENOMEM);
+	}
+}
+
+const char *get_cmdline_auth_info_password(void)
+{
+	if (!cmdline_auth_info.password) {
+		return "";
+	}
+	return cmdline_auth_info.password;
+}
+
+void set_cmdline_auth_info_password(const char *password)
+{
+	SAFE_FREE(cmdline_auth_info.password);
+	cmdline_auth_info.password = SMB_STRDUP(password);
+	if (!cmdline_auth_info.password) {
+		exit(ENOMEM);
+	}
+	cmdline_auth_info.got_pass = true;
+}
+
+bool set_cmdline_auth_info_signing_state(const char *arg)
+{
+	cmdline_auth_info.signing_state = -1;
+	if (strequal(arg, "off") || strequal(arg, "no") ||
+			strequal(arg, "false")) {
+		cmdline_auth_info.signing_state = false;
+	} else if (strequal(arg, "on") || strequal(arg, "yes") ||
+			strequal(arg, "true") || strequal(arg, "auto")) {
+		cmdline_auth_info.signing_state = true;
+	} else if (strequal(arg, "force") || strequal(arg, "required") ||
+			strequal(arg, "forced")) {
+		cmdline_auth_info.signing_state = Required;
+	} else {
+		return false;
+	}
+	return true;
+}
+
+int get_cmdline_auth_info_signing_state(void)
+{
+	return cmdline_auth_info.signing_state;
+}
+
+void set_cmdline_auth_info_use_kerberos(bool b)
+{
+        cmdline_auth_info.use_kerberos = b;
+}
+
+bool get_cmdline_auth_info_use_kerberos(void)
+{
+	return cmdline_auth_info.use_kerberos;
+}
+
+/* This should only be used by lib/popt_common.c JRA */
+void set_cmdline_auth_info_use_krb5_ticket(void)
+{
+	cmdline_auth_info.use_kerberos = true;
+	cmdline_auth_info.got_pass = true;
+}
+
+/* This should only be used by lib/popt_common.c JRA */
+void set_cmdline_auth_info_smb_encrypt(void)
+{
+	cmdline_auth_info.smb_encrypt = true;
+}
+
+void set_cmdline_auth_info_use_machine_account(void)
+{
+	cmdline_auth_info.use_machine_account = true;
+}
+
+bool get_cmdline_auth_info_got_pass(void)
+{
+	return cmdline_auth_info.got_pass;
+}
+
+bool get_cmdline_auth_info_smb_encrypt(void)
+{
+	return cmdline_auth_info.smb_encrypt;
+}
+
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+	return cmdline_auth_info.use_machine_account;
+}
+
+bool get_cmdline_auth_info_copy(struct user_auth_info *info)
+{
+	*info = cmdline_auth_info;
+	/* Now re-alloc the strings. */
+	info->username = SMB_STRDUP(get_cmdline_auth_info_username());
+	info->password = SMB_STRDUP(get_cmdline_auth_info_password());
+	if (!info->username || !info->password) {
+		return false;
+	}
+	return true;
+}
+
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+	char *pass = NULL;
+	char *account = NULL;
+
+	if (!get_cmdline_auth_info_use_machine_account()) {
+		return false;
+	}
+
+	if (!secrets_init()) {
+		d_printf("ERROR: Unable to open secrets database\n");
+		return false;
+	}
+
+	if (asprintf(&account, "%s$@%s", global_myname(), lp_realm()) < 0) {
+		return false;
+	}
+
+	pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+	if (!pass) {
+		d_printf("ERROR: Unable to fetch machine password for "
+			"%s in domain %s\n",
+			account, lp_workgroup());
+		SAFE_FREE(account);
+		return false;
+	}
+
+	set_cmdline_auth_info_username(account);
+	set_cmdline_auth_info_password(pass);
+
+	SAFE_FREE(account);
+	SAFE_FREE(pass);
+
+	return true;
+}
+
+/**************************************************************************n
+ Find a suitable temporary directory. The result should be copied immediately
+ as it may be overwritten by a subsequent call.
+****************************************************************************/
+
+const char *tmpdir(void)
+{
+	char *p;
+	if ((p = getenv("TMPDIR")))
+		return p;
+	return "/tmp";
+}
+
+/****************************************************************************
+ Add a gid to an array of gids if it's not already there.
+****************************************************************************/
+
+bool add_gid_to_array_unique(TALLOC_CTX *mem_ctx, gid_t gid,
+			     gid_t **gids, size_t *num_gids)
+{
+	int i;
+
+	if ((*num_gids != 0) && (*gids == NULL)) {
+		/*
+		 * A former call to this routine has failed to allocate memory
+		 */
+		return False;
+	}
+
+	for (i=0; i<*num_gids; i++) {
+		if ((*gids)[i] == gid) {
+			return True;
+		}
+	}
+
+	*gids = TALLOC_REALLOC_ARRAY(mem_ctx, *gids, gid_t, *num_gids+1);
+	if (*gids == NULL) {
+		*num_gids = 0;
+		return False;
+	}
+
+	(*gids)[*num_gids] = gid;
+	*num_gids += 1;
+	return True;
+}
+
+/****************************************************************************
+ Like atoi but gets the value up to the separator character.
+****************************************************************************/
+
+static const char *Atoic(const char *p, int *n, const char *c)
+{
+	if (!isdigit((int)*p)) {
+		DEBUG(5, ("Atoic: malformed number\n"));
+		return NULL;
+	}
+
+	(*n) = atoi(p);
+
+	while ((*p) && isdigit((int)*p))
+		p++;
+
+	if (strchr_m(c, *p) == NULL) {
+		DEBUG(5, ("Atoic: no separator characters (%s) not found\n", c));
+		return NULL;
+	}
+
+	return p;
+}
+
+/*************************************************************************
+ Reads a list of numbers.
+ *************************************************************************/
+
+const char *get_numlist(const char *p, uint32 **num, int *count)
+{
+	int val;
+
+	if (num == NULL || count == NULL)
+		return NULL;
+
+	(*count) = 0;
+	(*num  ) = NULL;
+
+	while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') {
+		*num = SMB_REALLOC_ARRAY((*num), uint32, (*count)+1);
+		if (!(*num)) {
+			return NULL;
+		}
+		(*num)[(*count)] = val;
+		(*count)++;
+		p++;
+	}
+
+	return p;
+}
+
+/*******************************************************************
+ Check if a file exists - call vfs_file_exist for samba files.
+********************************************************************/
+
+bool file_exist(const char *fname,SMB_STRUCT_STAT *sbuf)
+{
+	SMB_STRUCT_STAT st;
+	if (!sbuf)
+		sbuf = &st;
+  
+	if (sys_stat(fname,sbuf) != 0) 
+		return(False);
+
+	return((S_ISREG(sbuf->st_mode)) || (S_ISFIFO(sbuf->st_mode)));
+}
+
+/*******************************************************************
+ Check if a unix domain socket exists - call vfs_file_exist for samba files.
+********************************************************************/
+
+bool socket_exist(const char *fname)
+{
+	SMB_STRUCT_STAT st;
+	if (sys_stat(fname,&st) != 0) 
+		return(False);
+
+	return S_ISSOCK(st.st_mode);
+}
+
+/*******************************************************************
+ Check a files mod time.
+********************************************************************/
+
+time_t file_modtime(const char *fname)
+{
+	SMB_STRUCT_STAT st;
+  
+	if (sys_stat(fname,&st) != 0) 
+		return(0);
+
+	return(st.st_mtime);
+}
+
+/*******************************************************************
+ Check if a directory exists.
+********************************************************************/
+
+bool directory_exist(char *dname,SMB_STRUCT_STAT *st)
+{
+	SMB_STRUCT_STAT st2;
+	bool ret;
+
+	if (!st)
+		st = &st2;
+
+	if (sys_stat(dname,st) != 0) 
+		return(False);
+
+	ret = S_ISDIR(st->st_mode);
+	if(!ret)
+		errno = ENOTDIR;
+	return ret;
+}
+
+/*******************************************************************
+ Returns the size in bytes of the named file.
+********************************************************************/
+
+SMB_OFF_T get_file_size(char *file_name)
+{
+	SMB_STRUCT_STAT buf;
+	buf.st_size = 0;
+	if(sys_stat(file_name,&buf) != 0)
+		return (SMB_OFF_T)-1;
+	return(buf.st_size);
+}
+
+/*******************************************************************
+ Return a string representing an attribute for a file.
+********************************************************************/
+
+char *attrib_string(uint16 mode)
+{
+	fstring attrstr;
+
+	attrstr[0] = 0;
+
+	if (mode & aVOLID) fstrcat(attrstr,"V");
+	if (mode & aDIR) fstrcat(attrstr,"D");
+	if (mode & aARCH) fstrcat(attrstr,"A");
+	if (mode & aHIDDEN) fstrcat(attrstr,"H");
+	if (mode & aSYSTEM) fstrcat(attrstr,"S");
+	if (mode & aRONLY) fstrcat(attrstr,"R");	  
+
+	return talloc_strdup(talloc_tos(), attrstr);
+}
+
+/*******************************************************************
+ Show a smb message structure.
+********************************************************************/
+
+void show_msg(char *buf)
+{
+	int i;
+	int bcc=0;
+
+	if (!DEBUGLVL(5))
+		return;
+	
+	DEBUG(5,("size=%d\nsmb_com=0x%x\nsmb_rcls=%d\nsmb_reh=%d\nsmb_err=%d\nsmb_flg=%d\nsmb_flg2=%d\n",
+			smb_len(buf),
+			(int)CVAL(buf,smb_com),
+			(int)CVAL(buf,smb_rcls),
+			(int)CVAL(buf,smb_reh),
+			(int)SVAL(buf,smb_err),
+			(int)CVAL(buf,smb_flg),
+			(int)SVAL(buf,smb_flg2)));
+	DEBUGADD(5,("smb_tid=%d\nsmb_pid=%d\nsmb_uid=%d\nsmb_mid=%d\n",
+			(int)SVAL(buf,smb_tid),
+			(int)SVAL(buf,smb_pid),
+			(int)SVAL(buf,smb_uid),
+			(int)SVAL(buf,smb_mid)));
+	DEBUGADD(5,("smt_wct=%d\n",(int)CVAL(buf,smb_wct)));
+
+	for (i=0;i<(int)CVAL(buf,smb_wct);i++)
+		DEBUGADD(5,("smb_vwv[%2d]=%5d (0x%X)\n",i,
+			SVAL(buf,smb_vwv+2*i),SVAL(buf,smb_vwv+2*i)));
+	
+	bcc = (int)SVAL(buf,smb_vwv+2*(CVAL(buf,smb_wct)));
+
+	DEBUGADD(5,("smb_bcc=%d\n",bcc));
+
+	if (DEBUGLEVEL < 10)
+		return;
+
+	if (DEBUGLEVEL < 50)
+		bcc = MIN(bcc, 512);
+
+	dump_data(10, (uint8 *)smb_buf(buf), bcc);	
+}
+
+/*******************************************************************
+ Set the length and marker of an encrypted smb packet.
+********************************************************************/
+
+void smb_set_enclen(char *buf,int len,uint16 enc_ctx_num)
+{
+	_smb_setlen(buf,len);
+
+	SCVAL(buf,4,0xFF);
+	SCVAL(buf,5,'E');
+	SSVAL(buf,6,enc_ctx_num);
+}
+
+/*******************************************************************
+ Set the length and marker of an smb packet.
+********************************************************************/
+
+void smb_setlen(char *buf,int len)
+{
+	_smb_setlen(buf,len);
+
+	SCVAL(buf,4,0xFF);
+	SCVAL(buf,5,'S');
+	SCVAL(buf,6,'M');
+	SCVAL(buf,7,'B');
+}
+
+/*******************************************************************
+ Setup only the byte count for a smb message.
+********************************************************************/
+
+int set_message_bcc(char *buf,int num_bytes)
+{
+	int num_words = CVAL(buf,smb_wct);
+	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
+	_smb_setlen(buf,smb_size + num_words*2 + num_bytes - 4);
+	return (smb_size + num_words*2 + num_bytes);
+}
+
+/*******************************************************************
+ Add a data blob to the end of a smb_buf, adjusting bcc and smb_len.
+ Return the bytes added
+********************************************************************/
+
+ssize_t message_push_blob(uint8 **outbuf, DATA_BLOB blob)
+{
+	size_t newlen = smb_len(*outbuf) + 4 + blob.length;
+	uint8 *tmp;
+
+	if (!(tmp = TALLOC_REALLOC_ARRAY(NULL, *outbuf, uint8, newlen))) {
+		DEBUG(0, ("talloc failed\n"));
+		return -1;
+	}
+	*outbuf = tmp;
+
+	memcpy(tmp + smb_len(tmp) + 4, blob.data, blob.length);
+	set_message_bcc((char *)tmp, smb_buflen(tmp) + blob.length);
+	return blob.length;
+}
+
+/*******************************************************************
+ Reduce a file name, removing .. elements.
+********************************************************************/
+
+static char *dos_clean_name(TALLOC_CTX *ctx, const char *s)
+{
+	char *p = NULL;
+	char *str = NULL;
+
+	DEBUG(3,("dos_clean_name [%s]\n",s));
+
+	/* remove any double slashes */
+	str = talloc_all_string_sub(ctx, s, "\\\\", "\\");
+	if (!str) {
+		return NULL;
+	}
+
+	/* Remove leading .\\ characters */
+	if(strncmp(str, ".\\", 2) == 0) {
+		trim_string(str, ".\\", NULL);
+		if(*str == 0) {
+			str = talloc_strdup(ctx, ".\\");
+			if (!str) {
+				return NULL;
+			}
+		}
+	}
+
+	while ((p = strstr_m(str,"\\..\\")) != NULL) {
+		char *s1;
+
+		*p = 0;
+		s1 = p+3;
+
+		if ((p=strrchr_m(str,'\\')) != NULL) {
+			*p = 0;
+		} else {
+			*str = 0;
+		}
+		str = talloc_asprintf(ctx,
+				"%s%s",
+				str,
+				s1);
+		if (!str) {
+			return NULL;
+		}
+	}
+
+	trim_string(str,NULL,"\\..");
+	return talloc_all_string_sub(ctx, str, "\\.\\", "\\");
+}
+
+/*******************************************************************
+ Reduce a file name, removing .. elements.
+********************************************************************/
+
+char *unix_clean_name(TALLOC_CTX *ctx, const char *s)
+{
+	char *p = NULL;
+	char *str = NULL;
+
+	DEBUG(3,("unix_clean_name [%s]\n",s));
+
+	/* remove any double slashes */
+	str = talloc_all_string_sub(ctx, s, "//","/");
+	if (!str) {
+		return NULL;
+	}
+
+	/* Remove leading ./ characters */
+	if(strncmp(str, "./", 2) == 0) {
+		trim_string(str, "./", NULL);
+		if(*str == 0) {
+			str = talloc_strdup(ctx, "./");
+			if (!str) {
+				return NULL;
+			}
+		}
+	}
+
+	while ((p = strstr_m(str,"/../")) != NULL) {
+		char *s1;
+
+		*p = 0;
+		s1 = p+3;
+
+		if ((p=strrchr_m(str,'/')) != NULL) {
+			*p = 0;
+		} else {
+			*str = 0;
+		}
+		str = talloc_asprintf(ctx,
+				"%s%s",
+				str,
+				s1);
+		if (!str) {
+			return NULL;
+		}
+	}
+
+	trim_string(str,NULL,"/..");
+	return talloc_all_string_sub(ctx, str, "/./", "/");
+}
+
+char *clean_name(TALLOC_CTX *ctx, const char *s)
+{
+	char *str = dos_clean_name(ctx, s);
+	if (!str) {
+		return NULL;
+	}
+	return unix_clean_name(ctx, str);
+}
+
+/*******************************************************************
+ Close the low 3 fd's and open dev/null in their place.
+********************************************************************/
+
+void close_low_fds(bool stderr_too)
+{
+#ifndef VALGRIND
+	int fd;
+	int i;
+
+	close(0);
+	close(1);
+
+	if (stderr_too)
+		close(2);
+
+	/* try and use up these file descriptors, so silly
+		library routines writing to stdout etc won't cause havoc */
+	for (i=0;i<3;i++) {
+		if (i == 2 && !stderr_too)
+			continue;
+
+		fd = sys_open("/dev/null",O_RDWR,0);
+		if (fd < 0)
+			fd = sys_open("/dev/null",O_WRONLY,0);
+		if (fd < 0) {
+			DEBUG(0,("Can't open /dev/null\n"));
+			return;
+		}
+		if (fd != i) {
+			DEBUG(0,("Didn't get file descriptor %d\n",i));
+			return;
+		}
+	}
+#endif
+}
+
+/*******************************************************************
+ Write data into an fd at a given offset. Ignore seek errors.
+********************************************************************/
+
+ssize_t write_data_at_offset(int fd, const char *buffer, size_t N, SMB_OFF_T pos)
+{
+	size_t total=0;
+	ssize_t ret;
+
+	if (pos == (SMB_OFF_T)-1) {
+		return write_data(fd, buffer, N);
+	}
+#if defined(HAVE_PWRITE) || defined(HAVE_PRWITE64)
+	while (total < N) {
+		ret = sys_pwrite(fd,buffer + total,N - total, pos);
+		if (ret == -1 && errno == ESPIPE) {
+			return write_data(fd, buffer + total,N - total);
+		}
+		if (ret == -1) {
+			DEBUG(0,("write_data_at_offset: write failure. Error = %s\n", strerror(errno) ));
+			return -1;
+		}
+		if (ret == 0) {
+			return total;
+		}
+		total += ret;
+		pos += ret;
+	}
+	return (ssize_t)total;
+#else
+	/* Use lseek and write_data. */
+	if (sys_lseek(fd, pos, SEEK_SET) == -1) {
+		if (errno != ESPIPE) {
+			return -1;
+		}
+	}
+	return write_data(fd, buffer, N);
+#endif
+}
+
+/****************************************************************************
+ Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available,
+ else
+  if SYSV use O_NDELAY
+  if BSD use FNDELAY
+****************************************************************************/
+
+int set_blocking(int fd, bool set)
+{
+	int val;
+#ifdef O_NONBLOCK
+#define FLAG_TO_SET O_NONBLOCK
+#else
+#ifdef SYSV
+#define FLAG_TO_SET O_NDELAY
+#else /* BSD */
+#define FLAG_TO_SET FNDELAY
+#endif
+#endif
+
+	if((val = sys_fcntl_long(fd, F_GETFL, 0)) == -1)
+		return -1;
+	if(set) /* Turn blocking on - ie. clear nonblock flag */
+		val &= ~FLAG_TO_SET;
+	else
+		val |= FLAG_TO_SET;
+	return sys_fcntl_long( fd, F_SETFL, val);
+#undef FLAG_TO_SET
+}
+
+/*******************************************************************
+ Sleep for a specified number of milliseconds.
+********************************************************************/
+
+void smb_msleep(unsigned int t)
+{
+#if defined(HAVE_NANOSLEEP)
+	struct timespec tval;
+	int ret;
+
+	tval.tv_sec = t/1000;
+	tval.tv_nsec = 1000000*(t%1000);
+
+	do {
+		errno = 0;
+		ret = nanosleep(&tval, &tval);
+	} while (ret < 0 && errno == EINTR && (tval.tv_sec > 0 || tval.tv_nsec > 0));
+#else
+	unsigned int tdiff=0;
+	struct timeval tval,t1,t2;  
+	fd_set fds;
+
+	GetTimeOfDay(&t1);
+	t2 = t1;
+  
+	while (tdiff < t) {
+		tval.tv_sec = (t-tdiff)/1000;
+		tval.tv_usec = 1000*((t-tdiff)%1000);
+
+		/* Never wait for more than 1 sec. */
+		if (tval.tv_sec > 1) {
+			tval.tv_sec = 1; 
+			tval.tv_usec = 0;
+		}
+
+		FD_ZERO(&fds);
+		errno = 0;
+		sys_select_intr(0,&fds,NULL,NULL,&tval);
+
+		GetTimeOfDay(&t2);
+		if (t2.tv_sec < t1.tv_sec) {
+			/* Someone adjusted time... */
+			t1 = t2;
+		}
+
+		tdiff = TvalDiff(&t1,&t2);
+	}
+#endif
+}
+
+/****************************************************************************
+ Become a daemon, discarding the controlling terminal.
+****************************************************************************/
+
+void become_daemon(bool Fork, bool no_process_group)
+{
+	if (Fork) {
+		if (sys_fork()) {
+			_exit(0);
+		}
+	}
+
+  /* detach from the terminal */
+#ifdef HAVE_SETSID
+	if (!no_process_group) setsid();
+#elif defined(TIOCNOTTY)
+	if (!no_process_group) {
+		int i = sys_open("/dev/tty", O_RDWR, 0);
+		if (i != -1) {
+			ioctl(i, (int) TIOCNOTTY, (char *)0);      
+			close(i);
+		}
+	}
+#endif /* HAVE_SETSID */
+
+	/* Close fd's 0,1,2. Needed if started by rsh */
+	close_low_fds(False);  /* Don't close stderr, let the debug system
+				  attach it to the logfile */
+}
+
+bool reinit_after_fork(struct messaging_context *msg_ctx,
+		       bool parent_longlived)
+{
+	NTSTATUS status;
+
+	/* Reset the state of the random
+	 * number generation system, so
+	 * children do not get the same random
+	 * numbers as each other */
+	set_need_random_reseed();
+
+	/* tdb needs special fork handling */
+	if (tdb_reopen_all(parent_longlived ? 1 : 0) == -1) {
+		DEBUG(0,("tdb_reopen_all failed.\n"));
+		return false;
+	}
+
+	/*
+	 * For clustering, we need to re-init our ctdbd connection after the
+	 * fork
+	 */
+	status = messaging_reinit(msg_ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("messaging_reinit() failed: %s\n",
+			 nt_errstr(status)));
+		return false;
+	}
+
+	return true;
+}
+
+/****************************************************************************
+ Put up a yes/no prompt.
+****************************************************************************/
+
+bool yesno(const char *p)
+{
+	char ans[20];
+	printf("%s",p);
+
+	if (!fgets(ans,sizeof(ans)-1,stdin))
+		return(False);
+
+	if (*ans == 'y' || *ans == 'Y')
+		return(True);
+
+	return(False);
+}
+
+#if defined(PARANOID_MALLOC_CHECKER)
+
+/****************************************************************************
+ Internal malloc wrapper. Externally visible.
+****************************************************************************/
+
+void *malloc_(size_t size)
+{
+	if (size == 0) {
+		return NULL;
+	}
+#undef malloc
+	return malloc(size);
+#define malloc(s) __ERROR_DONT_USE_MALLOC_DIRECTLY
+}
+
+/****************************************************************************
+ Internal calloc wrapper. Not externally visible.
+****************************************************************************/
+
+static void *calloc_(size_t count, size_t size)
+{
+	if (size == 0 || count == 0) {
+		return NULL;
+	}
+#undef calloc
+	return calloc(count, size);
+#define calloc(n,s) __ERROR_DONT_USE_CALLOC_DIRECTLY
+}
+
+/****************************************************************************
+ Internal realloc wrapper. Not externally visible.
+****************************************************************************/
+
+static void *realloc_(void *ptr, size_t size)
+{
+#undef realloc
+	return realloc(ptr, size);
+#define realloc(p,s) __ERROR_DONT_USE_RELLOC_DIRECTLY
+}
+
+#endif /* PARANOID_MALLOC_CHECKER */
+
+/****************************************************************************
+ Type-safe malloc.
+****************************************************************************/
+
+void *malloc_array(size_t el_size, unsigned int count)
+{
+	if (count >= MAX_ALLOC_SIZE/el_size) {
+		return NULL;
+	}
+
+	if (el_size == 0 || count == 0) {
+		return NULL;
+	}
+#if defined(PARANOID_MALLOC_CHECKER)
+	return malloc_(el_size*count);
+#else
+	return malloc(el_size*count);
+#endif
+}
+
+/****************************************************************************
+ Type-safe memalign
+****************************************************************************/
+
+void *memalign_array(size_t el_size, size_t align, unsigned int count)
+{
+	if (count >= MAX_ALLOC_SIZE/el_size) {
+		return NULL;
+	}
+
+	return sys_memalign(align, el_size*count);
+}
+
+/****************************************************************************
+ Type-safe calloc.
+****************************************************************************/
+
+void *calloc_array(size_t size, size_t nmemb)
+{
+	if (nmemb >= MAX_ALLOC_SIZE/size) {
+		return NULL;
+	}
+	if (size == 0 || nmemb == 0) {
+		return NULL;
+	}
+#if defined(PARANOID_MALLOC_CHECKER)
+	return calloc_(nmemb, size);
+#else
+	return calloc(nmemb, size);
+#endif
+}
+
+/****************************************************************************
+ Expand a pointer to be a particular size.
+ Note that this version of Realloc has an extra parameter that decides
+ whether to free the passed in storage on allocation failure or if the
+ new size is zero.
+
+ This is designed for use in the typical idiom of :
+
+ p = SMB_REALLOC(p, size)
+ if (!p) {
+    return error;
+ }
+
+ and not to have to keep track of the old 'p' contents to free later, nor
+ to worry if the size parameter was zero. In the case where NULL is returned
+ we guarentee that p has been freed.
+
+ If free later semantics are desired, then pass 'free_old_on_error' as False which
+ guarentees that the old contents are not freed on error, even if size == 0. To use
+ this idiom use :
+
+ tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
+ if (!tmp) {
+    SAFE_FREE(p);
+    return error;
+ } else {
+    p = tmp;
+ }
+
+ Changes were instigated by Coverity error checking. JRA.
+****************************************************************************/
+
+void *Realloc(void *p, size_t size, bool free_old_on_error)
+{
+	void *ret=NULL;
+
+	if (size == 0) {
+		if (free_old_on_error) {
+			SAFE_FREE(p);
+		}
+		DEBUG(2,("Realloc asked for 0 bytes\n"));
+		return NULL;
+	}
+
+#if defined(PARANOID_MALLOC_CHECKER)
+	if (!p) {
+		ret = (void *)malloc_(size);
+	} else {
+		ret = (void *)realloc_(p,size);
+	}
+#else
+	if (!p) {
+		ret = (void *)malloc(size);
+	} else {
+		ret = (void *)realloc(p,size);
+	}
+#endif
+
+	if (!ret) {
+		if (free_old_on_error && p) {
+			SAFE_FREE(p);
+		}
+		DEBUG(0,("Memory allocation error: failed to expand to %d bytes\n",(int)size));
+	}
+
+	return(ret);
+}
+
+/****************************************************************************
+ Type-safe realloc.
+****************************************************************************/
+
+void *realloc_array(void *p, size_t el_size, unsigned int count, bool free_old_on_error)
+{
+	if (count >= MAX_ALLOC_SIZE/el_size) {
+		if (free_old_on_error) {
+			SAFE_FREE(p);
+		}
+		return NULL;
+	}
+	return Realloc(p, el_size*count, free_old_on_error);
+}
+
+/****************************************************************************
+ (Hopefully) efficient array append.
+****************************************************************************/
+
+void add_to_large_array(TALLOC_CTX *mem_ctx, size_t element_size,
+			void *element, void *_array, uint32 *num_elements,
+			ssize_t *array_size)
+{
+	void **array = (void **)_array;
+
+	if (*array_size < 0) {
+		return;
+	}
+
+	if (*array == NULL) {
+		if (*array_size == 0) {
+			*array_size = 128;
+		}
+
+		if (*array_size >= MAX_ALLOC_SIZE/element_size) {
+			goto error;
+		}
+
+		*array = TALLOC(mem_ctx, element_size * (*array_size));
+		if (*array == NULL) {
+			goto error;
+		}
+	}
+
+	if (*num_elements == *array_size) {
+		*array_size *= 2;
+
+		if (*array_size >= MAX_ALLOC_SIZE/element_size) {
+			goto error;
+		}
+
+		*array = TALLOC_REALLOC(mem_ctx, *array,
+					element_size * (*array_size));
+
+		if (*array == NULL) {
+			goto error;
+		}
+	}
+
+	memcpy((char *)(*array) + element_size*(*num_elements),
+	       element, element_size);
+	*num_elements += 1;
+
+	return;
+
+ error:
+	*num_elements = 0;
+	*array_size = -1;
+}
+
+/****************************************************************************
+ Free memory, checks for NULL.
+ Use directly SAFE_FREE()
+ Exists only because we need to pass a function pointer somewhere --SSS
+****************************************************************************/
+
+void safe_free(void *p)
+{
+	SAFE_FREE(p);
+}
+
+/****************************************************************************
+ Get my own name and IP.
+****************************************************************************/
+
+char *get_myname(TALLOC_CTX *ctx)
+{
+	char *p;
+	char hostname[HOST_NAME_MAX];
+
+	*hostname = 0;
+
+	/* get my host name */
+	if (gethostname(hostname, sizeof(hostname)) == -1) {
+		DEBUG(0,("gethostname failed\n"));
+		return False;
+	}
+
+	/* Ensure null termination. */
+	hostname[sizeof(hostname)-1] = '\0';
+
+	/* split off any parts after an initial . */
+	p = strchr_m(hostname,'.');
+	if (p) {
+		*p = 0;
+	}
+
+	return talloc_strdup(ctx, hostname);
+}
+
+/****************************************************************************
+ Get my own domain name, or "" if we have none.
+****************************************************************************/
+
+char *get_mydnsdomname(TALLOC_CTX *ctx)
+{
+	const char *domname;
+	char *p;
+
+	domname = get_mydnsfullname();
+	if (!domname) {
+		return NULL;
+	}
+
+	p = strchr_m(domname, '.');
+	if (p) {
+		p++;
+		return talloc_strdup(ctx, p);
+	} else {
+		return talloc_strdup(ctx, "");
+	}
+}
+
+/****************************************************************************
+ Interpret a protocol description string, with a default.
+****************************************************************************/
+
+int interpret_protocol(const char *str,int def)
+{
+	if (strequal(str,"NT1"))
+		return(PROTOCOL_NT1);
+	if (strequal(str,"LANMAN2"))
+		return(PROTOCOL_LANMAN2);
+	if (strequal(str,"LANMAN1"))
+		return(PROTOCOL_LANMAN1);
+	if (strequal(str,"CORE"))
+		return(PROTOCOL_CORE);
+	if (strequal(str,"COREPLUS"))
+		return(PROTOCOL_COREPLUS);
+	if (strequal(str,"CORE+"))
+		return(PROTOCOL_COREPLUS);
+  
+	DEBUG(0,("Unrecognised protocol level %s\n",str));
+  
+	return(def);
+}
+
+
+#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
+/******************************************************************
+ Remove any mount options such as -rsize=2048,wsize=2048 etc.
+ Based on a fix from <Thomas.Hepper@icem.de>.
+ Returns a malloc'ed string.
+*******************************************************************/
+
+static char *strip_mount_options(TALLOC_CTX *ctx, const char *str)
+{
+	if (*str == '-') {
+		const char *p = str;
+		while(*p && !isspace(*p))
+			p++;
+		while(*p && isspace(*p))
+			p++;
+		if(*p) {
+			return talloc_strdup(ctx, p);
+		}
+	}
+	return NULL;
+}
+
+/*******************************************************************
+ Patch from jkf@soton.ac.uk
+ Split Luke's automount_server into YP lookup and string splitter
+ so can easily implement automount_path().
+ Returns a malloc'ed string.
+*******************************************************************/
+
+#ifdef WITH_NISPLUS_HOME
+char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
+{
+	char *value = NULL;
+
+	char *nis_map = (char *)lp_nis_home_map_name();
+
+	char buffer[NIS_MAXATTRVAL + 1];
+	nis_result *result;
+	nis_object *object;
+	entry_obj  *entry;
+
+	snprintf(buffer, sizeof(buffer), "[key=%s],%s", user_name, nis_map);
+	DEBUG(5, ("NIS+ querystring: %s\n", buffer));
+
+	if (result = nis_list(buffer, FOLLOW_PATH|EXPAND_NAME|HARD_LOOKUP, NULL, NULL)) {
+		if (result->status != NIS_SUCCESS) {
+			DEBUG(3, ("NIS+ query failed: %s\n", nis_sperrno(result->status)));
+		} else {
+			object = result->objects.objects_val;
+			if (object->zo_data.zo_type == ENTRY_OBJ) {
+				entry = &object->zo_data.objdata_u.en_data;
+				DEBUG(5, ("NIS+ entry type: %s\n", entry->en_type));
+				DEBUG(3, ("NIS+ result: %s\n", entry->en_cols.en_cols_val[1].ec_value.ec_value_val));
+
+				value = talloc_strdup(ctx,
+						entry->en_cols.en_cols_val[1].ec_value.ec_value_val);
+				if (!value) {
+					nis_freeresult(result);
+					return NULL;
+				}
+				value = talloc_string_sub(ctx,
+						value,
+						"&",
+						user_name);
+			}
+		}
+	}
+	nis_freeresult(result);
+
+	if (value) {
+		value = strip_mount_options(ctx, value);
+		DEBUG(4, ("NIS+ Lookup: %s resulted in %s\n",
+					user_name, value));
+	}
+	return value;
+}
+#else /* WITH_NISPLUS_HOME */
+
+char *automount_lookup(TALLOC_CTX *ctx, const char *user_name)
+{
+	char *value = NULL;
+
+	int nis_error;        /* returned by yp all functions */
+	char *nis_result;     /* yp_match inits this */
+	int nis_result_len;  /* and set this */
+	char *nis_domain;     /* yp_get_default_domain inits this */
+	char *nis_map = (char *)lp_nis_home_map_name();
+
+	if ((nis_error = yp_get_default_domain(&nis_domain)) != 0) {
+		DEBUG(3, ("YP Error: %s\n", yperr_string(nis_error)));
+		return NULL;
+	}
+
+	DEBUG(5, ("NIS Domain: %s\n", nis_domain));
+
+	if ((nis_error = yp_match(nis_domain, nis_map, user_name,
+					strlen(user_name), &nis_result,
+					&nis_result_len)) == 0) {
+		value = talloc_strdup(ctx, nis_result);
+		if (!value) {
+			return NULL;
+		}
+		value = strip_mount_options(ctx, value);
+	} else if(nis_error == YPERR_KEY) {
+		DEBUG(3, ("YP Key not found:  while looking up \"%s\" in map \"%s\"\n", 
+				user_name, nis_map));
+		DEBUG(3, ("using defaults for server and home directory\n"));
+	} else {
+		DEBUG(3, ("YP Error: \"%s\" while looking up \"%s\" in map \"%s\"\n", 
+				yperr_string(nis_error), user_name, nis_map));
+	}
+
+	if (value) {
+		DEBUG(4, ("YP Lookup: %s resulted in %s\n", user_name, value));
+	}
+	return value;
+}
+#endif /* WITH_NISPLUS_HOME */
+#endif
+
+/****************************************************************************
+ Check if a process exists. Does this work on all unixes?
+****************************************************************************/
+
+bool process_exists(const struct server_id pid)
+{
+	if (procid_is_me(&pid)) {
+		return True;
+	}
+
+	if (procid_is_local(&pid)) {
+		return (kill(pid.pid,0) == 0 || errno != ESRCH);
+	}
+
+#ifdef CLUSTER_SUPPORT
+	return ctdbd_process_exists(messaging_ctdbd_connection(), pid.vnn,
+				    pid.pid);
+#else
+	return False;
+#endif
+}
+
+bool process_exists_by_pid(pid_t pid)
+{
+	/* Doing kill with a non-positive pid causes messages to be
+	 * sent to places we don't want. */
+	SMB_ASSERT(pid > 0);
+	return(kill(pid,0) == 0 || errno != ESRCH);
+}
+
+/*******************************************************************
+ Convert a uid into a user name.
+********************************************************************/
+
+const char *uidtoname(uid_t uid)
+{
+	TALLOC_CTX *ctx = talloc_tos();
+	char *name = NULL;
+	struct passwd *pass = NULL;
+
+	pass = getpwuid_alloc(ctx,uid);
+	if (pass) {
+		name = talloc_strdup(ctx,pass->pw_name);
+		TALLOC_FREE(pass);
+	} else {
+		name = talloc_asprintf(ctx,
+				"%ld",
+				(long int)uid);
+	}
+	return name;
+}
+
+/*******************************************************************
+ Convert a gid into a group name.
+********************************************************************/
+
+char *gidtoname(gid_t gid)
+{
+	struct group *grp;
+
+	grp = getgrgid(gid);
+	if (grp) {
+		return talloc_strdup(talloc_tos(), grp->gr_name);
+	}
+	else {
+		return talloc_asprintf(talloc_tos(),
+					"%d",
+					(int)gid);
+	}
+}
+
+/*******************************************************************
+ Convert a user name into a uid.
+********************************************************************/
+
+uid_t nametouid(const char *name)
+{
+	struct passwd *pass;
+	char *p;
+	uid_t u;
+
+	pass = getpwnam_alloc(NULL, name);
+	if (pass) {
+		u = pass->pw_uid;
+		TALLOC_FREE(pass);
+		return u;
+	}
+
+	u = (uid_t)strtol(name, &p, 0);
+	if ((p != name) && (*p == '\0'))
+		return u;
+
+	return (uid_t)-1;
+}
+
+/*******************************************************************
+ Convert a name to a gid_t if possible. Return -1 if not a group. 
+********************************************************************/
+
+gid_t nametogid(const char *name)
+{
+	struct group *grp;
+	char *p;
+	gid_t g;
+
+	g = (gid_t)strtol(name, &p, 0);
+	if ((p != name) && (*p == '\0'))
+		return g;
+
+	grp = sys_getgrnam(name);
+	if (grp)
+		return(grp->gr_gid);
+	return (gid_t)-1;
+}
+
+/*******************************************************************
+ Something really nasty happened - panic !
+********************************************************************/
+
+void smb_panic(const char *const why)
+{
+	char *cmd;
+	int result;
+
+#ifdef DEVELOPER
+	{
+
+		if (global_clobber_region_function) {
+			DEBUG(0,("smb_panic: clobber_region() last called from [%s(%u)]\n",
+					 global_clobber_region_function,
+					 global_clobber_region_line));
+		} 
+	}
+#endif
+
+	DEBUG(0,("PANIC (pid %llu): %s\n",
+		    (unsigned long long)sys_getpid(), why));
+	log_stack_trace();
+
+	cmd = lp_panic_action();
+	if (cmd && *cmd) {
+		DEBUG(0, ("smb_panic(): calling panic action [%s]\n", cmd));
+		result = system(cmd);
+
+		if (result == -1)
+			DEBUG(0, ("smb_panic(): fork failed in panic action: %s\n",
+					  strerror(errno)));
+		else
+			DEBUG(0, ("smb_panic(): action returned status %d\n",
+					  WEXITSTATUS(result)));
+	}
+
+	dump_core();
+}
+
+/*******************************************************************
+ Print a backtrace of the stack to the debug log. This function
+ DELIBERATELY LEAKS MEMORY. The expectation is that you should
+ exit shortly after calling it.
+********************************************************************/
+
+#ifdef HAVE_LIBUNWIND_H
+#include <libunwind.h>
+#endif
+
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
+
+#ifdef HAVE_LIBEXC_H
+#include <libexc.h>
+#endif
+
+void log_stack_trace(void)
+{
+#ifdef HAVE_LIBUNWIND
+	/* Try to use libunwind before any other technique since on ia64
+	 * libunwind correctly walks the stack in more circumstances than
+	 * backtrace.
+	 */ 
+	unw_cursor_t cursor;
+	unw_context_t uc;
+	unsigned i = 0;
+
+	char procname[256];
+	unw_word_t ip, sp, off;
+
+	procname[sizeof(procname) - 1] = '\0';
+
+	if (unw_getcontext(&uc) != 0) {
+		goto libunwind_failed;
+	}
+
+	if (unw_init_local(&cursor, &uc) != 0) {
+		goto libunwind_failed;
+	}
+
+	DEBUG(0, ("BACKTRACE:\n"));
+
+	do {
+	    ip = sp = 0;
+	    unw_get_reg(&cursor, UNW_REG_IP, &ip);
+	    unw_get_reg(&cursor, UNW_REG_SP, &sp);
+
+	    switch (unw_get_proc_name(&cursor,
+			procname, sizeof(procname) - 1, &off) ) {
+	    case 0:
+		    /* Name found. */
+	    case -UNW_ENOMEM:
+		    /* Name truncated. */
+		    DEBUGADD(0, (" #%u %s + %#llx [ip=%#llx] [sp=%#llx]\n",
+			    i, procname, (long long)off,
+			    (long long)ip, (long long) sp));
+		    break;
+	    default:
+	    /* case -UNW_ENOINFO: */
+	    /* case -UNW_EUNSPEC: */
+		    /* No symbol name found. */
+		    DEBUGADD(0, (" #%u %s [ip=%#llx] [sp=%#llx]\n",
+			    i, "<unknown symbol>",
+			    (long long)ip, (long long) sp));
+	    }
+	    ++i;
+	} while (unw_step(&cursor) > 0);
+
+	return;
+
+libunwind_failed:
+	DEBUG(0, ("unable to produce a stack trace with libunwind\n"));
+
+#elif HAVE_BACKTRACE_SYMBOLS
+	void *backtrace_stack[BACKTRACE_STACK_SIZE];
+	size_t backtrace_size;
+	char **backtrace_strings;
+
+	/* get the backtrace (stack frames) */
+	backtrace_size = backtrace(backtrace_stack,BACKTRACE_STACK_SIZE);
+	backtrace_strings = backtrace_symbols(backtrace_stack, backtrace_size);
+
+	DEBUG(0, ("BACKTRACE: %lu stack frames:\n", 
+		  (unsigned long)backtrace_size));
+	
+	if (backtrace_strings) {
+		int i;
+
+		for (i = 0; i < backtrace_size; i++)
+			DEBUGADD(0, (" #%u %s\n", i, backtrace_strings[i]));
+
+		/* Leak the backtrace_strings, rather than risk what free() might do */
+	}
+
+#elif HAVE_LIBEXC
+
+	/* The IRIX libexc library provides an API for unwinding the stack. See
+	 * libexc(3) for details. Apparantly trace_back_stack leaks memory, but
+	 * since we are about to abort anyway, it hardly matters.
+	 */
+
+#define NAMESIZE 32 /* Arbitrary */
+
+	__uint64_t	addrs[BACKTRACE_STACK_SIZE];
+	char *      	names[BACKTRACE_STACK_SIZE];
+	char		namebuf[BACKTRACE_STACK_SIZE * NAMESIZE];
+
+	int		i;
+	int		levels;
+
+	ZERO_ARRAY(addrs);
+	ZERO_ARRAY(names);
+	ZERO_ARRAY(namebuf);
+
+	/* We need to be root so we can open our /proc entry to walk
+	 * our stack. It also helps when we want to dump core.
+	 */
+	become_root();
+
+	for (i = 0; i < BACKTRACE_STACK_SIZE; i++) {
+		names[i] = namebuf + (i * NAMESIZE);
+	}
+
+	levels = trace_back_stack(0, addrs, names,
+			BACKTRACE_STACK_SIZE, NAMESIZE - 1);
+
+	DEBUG(0, ("BACKTRACE: %d stack frames:\n", levels));
+	for (i = 0; i < levels; i++) {
+		DEBUGADD(0, (" #%d 0x%llx %s\n", i, addrs[i], names[i]));
+	}
+#undef NAMESIZE
+
+#else
+	DEBUG(0, ("unable to produce a stack trace on this platform\n"));
+#endif
+}
+
+/*******************************************************************
+  A readdir wrapper which just returns the file name.
+ ********************************************************************/
+
+const char *readdirname(SMB_STRUCT_DIR *p)
+{
+	SMB_STRUCT_DIRENT *ptr;
+	char *dname;
+
+	if (!p)
+		return(NULL);
+  
+	ptr = (SMB_STRUCT_DIRENT *)sys_readdir(p);
+	if (!ptr)
+		return(NULL);
+
+	dname = ptr->d_name;
+
+#ifdef NEXT2
+	if (telldir(p) < 0)
+		return(NULL);
+#endif
+
+#ifdef HAVE_BROKEN_READDIR_NAME
+	/* using /usr/ucb/cc is BAD */
+	dname = dname - 2;
+#endif
+
+	return talloc_strdup(talloc_tos(), dname);
+}
+
+/*******************************************************************
+ Utility function used to decide if the last component 
+ of a path matches a (possibly wildcarded) entry in a namelist.
+********************************************************************/
+
+bool is_in_path(const char *name, name_compare_entry *namelist, bool case_sensitive)
+{
+	const char *last_component;
+
+	/* if we have no list it's obviously not in the path */
+	if((namelist == NULL ) || ((namelist != NULL) && (namelist[0].name == NULL))) {
+		return False;
+	}
+
+	DEBUG(8, ("is_in_path: %s\n", name));
+
+	/* Get the last component of the unix name. */
+	last_component = strrchr_m(name, '/');
+	if (!last_component) {
+		last_component = name;
+	} else {
+		last_component++; /* Go past '/' */
+	}
+
+	for(; namelist->name != NULL; namelist++) {
+		if(namelist->is_wild) {
+			if (mask_match(last_component, namelist->name, case_sensitive)) {
+				DEBUG(8,("is_in_path: mask match succeeded\n"));
+				return True;
+			}
+		} else {
+			if((case_sensitive && (strcmp(last_component, namelist->name) == 0))||
+						(!case_sensitive && (StrCaseCmp(last_component, namelist->name) == 0))) {
+				DEBUG(8,("is_in_path: match succeeded\n"));
+				return True;
+			}
+		}
+	}
+	DEBUG(8,("is_in_path: match not found\n"));
+	return False;
+}
+
+/*******************************************************************
+ Strip a '/' separated list into an array of 
+ name_compare_enties structures suitable for 
+ passing to is_in_path(). We do this for
+ speed so we can pre-parse all the names in the list 
+ and don't do it for each call to is_in_path().
+ namelist is modified here and is assumed to be 
+ a copy owned by the caller.
+ We also check if the entry contains a wildcard to
+ remove a potentially expensive call to mask_match
+ if possible.
+********************************************************************/
+ 
+void set_namearray(name_compare_entry **ppname_array, const char *namelist)
+{
+	char *name_end;
+	const char *nameptr = namelist;
+	int num_entries = 0;
+	int i;
+
+	(*ppname_array) = NULL;
+
+	if((nameptr == NULL ) || ((nameptr != NULL) && (*nameptr == '\0'))) 
+		return;
+
+	/* We need to make two passes over the string. The
+		first to count the number of elements, the second
+		to split it.
+	*/
+
+	while(*nameptr) {
+		if ( *nameptr == '/' ) {
+			/* cope with multiple (useless) /s) */
+			nameptr++;
+			continue;
+		}
+		/* find the next / */
+		name_end = strchr_m(nameptr, '/');
+
+		/* oops - the last check for a / didn't find one. */
+		if (name_end == NULL)
+			break;
+
+		/* next segment please */
+		nameptr = name_end + 1;
+		num_entries++;
+	}
+
+	if(num_entries == 0)
+		return;
+
+	if(( (*ppname_array) = SMB_MALLOC_ARRAY(name_compare_entry, num_entries + 1)) == NULL) {
+		DEBUG(0,("set_namearray: malloc fail\n"));
+		return;
+	}
+
+	/* Now copy out the names */
+	nameptr = namelist;
+	i = 0;
+	while(*nameptr) {
+		if ( *nameptr == '/' ) {
+			/* cope with multiple (useless) /s) */
+			nameptr++;
+			continue;
+		}
+		/* find the next / */
+		if ((name_end = strchr_m(nameptr, '/')) != NULL)
+			*name_end = 0;
+
+		/* oops - the last check for a / didn't find one. */
+		if(name_end == NULL) 
+			break;
+
+		(*ppname_array)[i].is_wild = ms_has_wild(nameptr);
+		if(((*ppname_array)[i].name = SMB_STRDUP(nameptr)) == NULL) {
+			DEBUG(0,("set_namearray: malloc fail (1)\n"));
+			return;
+		}
+
+		/* next segment please */
+		nameptr = name_end + 1;
+		i++;
+	}
+  
+	(*ppname_array)[i].name = NULL;
+
+	return;
+}
+
+/****************************************************************************
+ Routine to free a namearray.
+****************************************************************************/
+
+void free_namearray(name_compare_entry *name_array)
+{
+	int i;
+
+	if(name_array == NULL)
+		return;
+
+	for(i=0; name_array[i].name!=NULL; i++)
+		SAFE_FREE(name_array[i].name);
+	SAFE_FREE(name_array);
+}
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_LOCKING
+
+/****************************************************************************
+ Simple routine to do POSIX file locking. Cruft in NFS and 64->32 bit mapping
+ is dealt with in posix.c
+ Returns True if the lock was granted, False otherwise.
+****************************************************************************/
+
+bool fcntl_lock(int fd, int op, SMB_OFF_T offset, SMB_OFF_T count, int type)
+{
+	SMB_STRUCT_FLOCK lock;
+	int ret;
+
+	DEBUG(8,("fcntl_lock fd=%d op=%d offset=%.0f count=%.0f type=%d\n",
+		fd,op,(double)offset,(double)count,type));
+
+	lock.l_type = type;
+	lock.l_whence = SEEK_SET;
+	lock.l_start = offset;
+	lock.l_len = count;
+	lock.l_pid = 0;
+
+	ret = sys_fcntl_ptr(fd,op,&lock);
+
+	if (ret == -1) {
+		int sav = errno;
+		DEBUG(3,("fcntl_lock: lock failed at offset %.0f count %.0f op %d type %d (%s)\n",
+			(double)offset,(double)count,op,type,strerror(errno)));
+		errno = sav;
+		return False;
+	}
+
+	/* everything went OK */
+	DEBUG(8,("fcntl_lock: Lock call successful\n"));
+
+	return True;
+}
+
+/****************************************************************************
+ Simple routine to query existing file locks. Cruft in NFS and 64->32 bit mapping
+ is dealt with in posix.c
+ Returns True if we have information regarding this lock region (and returns
+ F_UNLCK in *ptype if the region is unlocked). False if the call failed.
+****************************************************************************/
+
+bool fcntl_getlock(int fd, SMB_OFF_T *poffset, SMB_OFF_T *pcount, int *ptype, pid_t *ppid)
+{
+	SMB_STRUCT_FLOCK lock;
+	int ret;
+
+	DEBUG(8,("fcntl_getlock fd=%d offset=%.0f count=%.0f type=%d\n",
+		    fd,(double)*poffset,(double)*pcount,*ptype));
+
+	lock.l_type = *ptype;
+	lock.l_whence = SEEK_SET;
+	lock.l_start = *poffset;
+	lock.l_len = *pcount;
+	lock.l_pid = 0;
+
+	ret = sys_fcntl_ptr(fd,SMB_F_GETLK,&lock);
+
+	if (ret == -1) {
+		int sav = errno;
+		DEBUG(3,("fcntl_getlock: lock request failed at offset %.0f count %.0f type %d (%s)\n",
+			(double)*poffset,(double)*pcount,*ptype,strerror(errno)));
+		errno = sav;
+		return False;
+	}
+
+	*ptype = lock.l_type;
+	*poffset = lock.l_start;
+	*pcount = lock.l_len;
+	*ppid = lock.l_pid;
+	
+	DEBUG(3,("fcntl_getlock: fd %d is returned info %d pid %u\n",
+			fd, (int)lock.l_type, (unsigned int)lock.l_pid));
+	return True;
+}
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_ALL
+
+/*******************************************************************
+ Is the name specified one of my netbios names.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+bool is_myname(const char *s)
+{
+	int n;
+	bool ret = False;
+
+	for (n=0; my_netbios_names(n); n++) {
+		if (strequal(my_netbios_names(n), s)) {
+			ret=True;
+			break;
+		}
+	}
+	DEBUG(8, ("is_myname(\"%s\") returns %d\n", s, ret));
+	return(ret);
+}
+
+/*******************************************************************
+ Is the name specified our workgroup/domain.
+ Returns true if it is equal, false otherwise.
+********************************************************************/
+
+bool is_myworkgroup(const char *s)
+{
+	bool ret = False;
+
+	if (strequal(s, lp_workgroup())) {
+		ret=True;
+	}
+
+	DEBUG(8, ("is_myworkgroup(\"%s\") returns %d\n", s, ret));
+	return(ret);
+}
+
+/*******************************************************************
+ we distinguish between 2K and XP by the "Native Lan Manager" string
+   WinXP => "Windows 2002 5.1"
+   WinXP 64bit => "Windows XP 5.2"
+   Win2k => "Windows 2000 5.0"
+   NT4   => "Windows NT 4.0"
+   Win9x => "Windows 4.0"
+ Windows 2003 doesn't set the native lan manager string but
+ they do set the domain to "Windows 2003 5.2" (probably a bug).
+********************************************************************/
+
+void ra_lanman_string( const char *native_lanman )
+{
+	if ( strcmp( native_lanman, "Windows 2002 5.1" ) == 0 )
+		set_remote_arch( RA_WINXP );
+	else if ( strcmp( native_lanman, "Windows XP 5.2" ) == 0 )
+		set_remote_arch( RA_WINXP64 );
+	else if ( strcmp( native_lanman, "Windows Server 2003 5.2" ) == 0 )
+		set_remote_arch( RA_WIN2K3 );
+}
+
+static const char *remote_arch_str;
+
+const char *get_remote_arch_str(void)
+{
+	if (!remote_arch_str) {
+		return "UNKNOWN";
+	}
+	return remote_arch_str;
+}
+
+/*******************************************************************
+ Set the horrid remote_arch string based on an enum.
+********************************************************************/
+
+void set_remote_arch(enum remote_arch_types type)
+{
+	ra_type = type;
+	switch( type ) {
+	case RA_WFWG:
+		remote_arch_str = "WfWg";
+		break;
+	case RA_OS2:
+		remote_arch_str = "OS2";
+		break;
+	case RA_WIN95:
+		remote_arch_str = "Win95";
+		break;
+	case RA_WINNT:
+		remote_arch_str = "WinNT";
+		break;
+	case RA_WIN2K:
+		remote_arch_str = "Win2K";
+		break;
+	case RA_WINXP:
+		remote_arch_str = "WinXP";
+		break;
+	case RA_WINXP64:
+		remote_arch_str = "WinXP64";
+		break;
+	case RA_WIN2K3:
+		remote_arch_str = "Win2K3";
+		break;
+	case RA_VISTA:
+		remote_arch_str = "Vista";
+		break;
+	case RA_SAMBA:
+		remote_arch_str = "Samba";
+		break;
+	case RA_CIFSFS:
+		remote_arch_str = "CIFSFS";
+		break;
+	default:
+		ra_type = RA_UNKNOWN;
+		remote_arch_str = "UNKNOWN";
+		break;
+	}
+
+	DEBUG(10,("set_remote_arch: Client arch is \'%s\'\n",
+				remote_arch_str));
+}
+
+/*******************************************************************
+ Get the remote_arch type.
+********************************************************************/
+
+enum remote_arch_types get_remote_arch(void)
+{
+	return ra_type;
+}
+
+void print_asc(int level, const unsigned char *buf,int len)
+{
+	int i;
+	for (i=0;i<len;i++)
+		DEBUG(level,("%c", isprint(buf[i])?buf[i]:'.'));
+}
+
+void dump_data(int level, const unsigned char *buf1,int len)
+{
+	const unsigned char *buf = (const unsigned char *)buf1;
+	int i=0;
+	if (len<=0) return;
+
+	if (!DEBUGLVL(level)) return;
+	
+	DEBUGADD(level,("[%03X] ",i));
+	for (i=0;i<len;) {
+		DEBUGADD(level,("%02X ",(int)buf[i]));
+		i++;
+		if (i%8 == 0) DEBUGADD(level,(" "));
+		if (i%16 == 0) {      
+			print_asc(level,&buf[i-16],8); DEBUGADD(level,(" "));
+			print_asc(level,&buf[i-8],8); DEBUGADD(level,("\n"));
+			if (i<len) DEBUGADD(level,("[%03X] ",i));
+		}
+	}
+	if (i%16) {
+		int n;
+		n = 16 - (i%16);
+		DEBUGADD(level,(" "));
+		if (n>8) DEBUGADD(level,(" "));
+		while (n--) DEBUGADD(level,("   "));
+		n = MIN(8,i%16);
+		print_asc(level,&buf[i-(i%16)],n); DEBUGADD(level,( " " ));
+		n = (i%16) - n;
+		if (n>0) print_asc(level,&buf[i-n],n);
+		DEBUGADD(level,("\n"));
+	}
+}
+
+void dump_data_pw(const char *msg, const uchar * data, size_t len)
+{
+#ifdef DEBUG_PASSWORD
+	DEBUG(11, ("%s", msg));
+	if (data != NULL && len > 0)
+	{
+		dump_data(11, data, len);
+	}
+#endif
+}
+
+const char *tab_depth(int level, int depth)
+{
+	if( CHECK_DEBUGLVL(level) ) {
+		dbgtext("%*s", depth*4, "");
+	}
+	return "";
+}
+
+/*****************************************************************************
+ Provide a checksum on a string
+
+ Input:  s - the null-terminated character string for which the checksum
+             will be calculated.
+
+  Output: The checksum value calculated for s.
+*****************************************************************************/
+
+int str_checksum(const char *s)
+{
+	int res = 0;
+	int c;
+	int i=0;
+
+	while(*s) {
+		c = *s;
+		res ^= (c << (i % 15)) ^ (c >> (15-(i%15)));
+		s++;
+		i++;
+	}
+	return(res);
+}
+
+/*****************************************************************
+ Zero a memory area then free it. Used to catch bugs faster.
+*****************************************************************/  
+
+void zero_free(void *p, size_t size)
+{
+	memset(p, 0, size);
+	SAFE_FREE(p);
+}
+
+/*****************************************************************
+ Set our open file limit to a requested max and return the limit.
+*****************************************************************/  
+
+int set_maxfiles(int requested_max)
+{
+#if (defined(HAVE_GETRLIMIT) && defined(RLIMIT_NOFILE))
+	struct rlimit rlp;
+	int saved_current_limit;
+
+	if(getrlimit(RLIMIT_NOFILE, &rlp)) {
+		DEBUG(0,("set_maxfiles: getrlimit (1) for RLIMIT_NOFILE failed with error %s\n",
+			strerror(errno) ));
+		/* just guess... */
+		return requested_max;
+	}
+
+	/* 
+	 * Set the fd limit to be real_max_open_files + MAX_OPEN_FUDGEFACTOR to
+	 * account for the extra fd we need 
+	 * as well as the log files and standard
+	 * handles etc. Save the limit we want to set in case
+	 * we are running on an OS that doesn't support this limit (AIX)
+	 * which always returns RLIM_INFINITY for rlp.rlim_max.
+	 */
+
+	/* Try raising the hard (max) limit to the requested amount. */
+
+#if defined(RLIM_INFINITY)
+	if (rlp.rlim_max != RLIM_INFINITY) {
+		int orig_max = rlp.rlim_max;
+
+		if ( rlp.rlim_max < requested_max )
+			rlp.rlim_max = requested_max;
+
+		/* This failing is not an error - many systems (Linux) don't
+			support our default request of 10,000 open files. JRA. */
+
+		if(setrlimit(RLIMIT_NOFILE, &rlp)) {
+			DEBUG(3,("set_maxfiles: setrlimit for RLIMIT_NOFILE for %d max files failed with error %s\n", 
+				(int)rlp.rlim_max, strerror(errno) ));
+
+			/* Set failed - restore original value from get. */
+			rlp.rlim_max = orig_max;
+		}
+	}
+#endif
+
+	/* Now try setting the soft (current) limit. */
+
+	saved_current_limit = rlp.rlim_cur = MIN(requested_max,rlp.rlim_max);
+
+	if(setrlimit(RLIMIT_NOFILE, &rlp)) {
+		DEBUG(0,("set_maxfiles: setrlimit for RLIMIT_NOFILE for %d files failed with error %s\n", 
+			(int)rlp.rlim_cur, strerror(errno) ));
+		/* just guess... */
+		return saved_current_limit;
+	}
+
+	if(getrlimit(RLIMIT_NOFILE, &rlp)) {
+		DEBUG(0,("set_maxfiles: getrlimit (2) for RLIMIT_NOFILE failed with error %s\n",
+			strerror(errno) ));
+		/* just guess... */
+		return saved_current_limit;
+    }
+
+#if defined(RLIM_INFINITY)
+	if(rlp.rlim_cur == RLIM_INFINITY)
+		return saved_current_limit;
+#endif
+
+	if((int)rlp.rlim_cur > saved_current_limit)
+		return saved_current_limit;
+
+	return rlp.rlim_cur;
+#else /* !defined(HAVE_GETRLIMIT) || !defined(RLIMIT_NOFILE) */
+	/*
+	 * No way to know - just guess...
+	 */
+	return requested_max;
+#endif
+}
+
+/*****************************************************************
+ Possibly replace mkstemp if it is broken.
+*****************************************************************/  
+
+int smb_mkstemp(char *name_template)
+{
+#if HAVE_SECURE_MKSTEMP
+	return mkstemp(name_template);
+#else
+	/* have a reasonable go at emulating it. Hope that
+	   the system mktemp() isn't completly hopeless */
+	char *p = mktemp(name_template);
+	if (!p)
+		return -1;
+	return open(p, O_CREAT|O_EXCL|O_RDWR, 0600);
+#endif
+}
+
+/*****************************************************************
+ malloc that aborts with smb_panic on fail or zero size.
+ *****************************************************************/  
+
+void *smb_xmalloc_array(size_t size, unsigned int count)
+{
+	void *p;
+	if (size == 0) {
+		smb_panic("smb_xmalloc_array: called with zero size");
+	}
+        if (count >= MAX_ALLOC_SIZE/size) {
+                smb_panic("smb_xmalloc_array: alloc size too large");
+        }
+	if ((p = SMB_MALLOC(size*count)) == NULL) {
+		DEBUG(0, ("smb_xmalloc_array failed to allocate %lu * %lu bytes\n",
+			(unsigned long)size, (unsigned long)count));
+		smb_panic("smb_xmalloc_array: malloc failed");
+	}
+	return p;
+}
+
+/**
+ Memdup with smb_panic on fail.
+**/
+
+void *smb_xmemdup(const void *p, size_t size)
+{
+	void *p2;
+	p2 = SMB_XMALLOC_ARRAY(unsigned char,size);
+	memcpy(p2, p, size);
+	return p2;
+}
+
+/**
+ strdup that aborts on malloc fail.
+**/
+
+char *smb_xstrdup(const char *s)
+{
+#if defined(PARANOID_MALLOC_CHECKER)
+#ifdef strdup
+#undef strdup
+#endif
+#endif
+
+#ifndef HAVE_STRDUP
+#define strdup rep_strdup
+#endif
+
+	char *s1 = strdup(s);
+#if defined(PARANOID_MALLOC_CHECKER)
+#ifdef strdup
+#undef strdup
+#endif
+#define strdup(s) __ERROR_DONT_USE_STRDUP_DIRECTLY
+#endif
+	if (!s1) {
+		smb_panic("smb_xstrdup: malloc failed");
+	}
+	return s1;
+
+}
+
+/**
+ strndup that aborts on malloc fail.
+**/
+
+char *smb_xstrndup(const char *s, size_t n)
+{
+#if defined(PARANOID_MALLOC_CHECKER)
+#ifdef strndup
+#undef strndup
+#endif
+#endif
+
+#if (defined(BROKEN_STRNDUP) || !defined(HAVE_STRNDUP))
+#undef HAVE_STRNDUP
+#define strndup rep_strndup
+#endif
+
+	char *s1 = strndup(s, n);
+#if defined(PARANOID_MALLOC_CHECKER)
+#ifdef strndup
+#undef strndup
+#endif
+#define strndup(s,n) __ERROR_DONT_USE_STRNDUP_DIRECTLY
+#endif
+	if (!s1) {
+		smb_panic("smb_xstrndup: malloc failed");
+	}
+	return s1;
+}
+
+/*
+  vasprintf that aborts on malloc fail
+*/
+
+ int smb_xvasprintf(char **ptr, const char *format, va_list ap)
+{
+	int n;
+	va_list ap2;
+
+	VA_COPY(ap2, ap);
+
+	n = vasprintf(ptr, format, ap2);
+	if (n == -1 || ! *ptr) {
+		smb_panic("smb_xvasprintf: out of memory");
+	}
+	va_end(ap2);
+	return n;
+}
+
+/*****************************************************************
+ Like strdup but for memory.
+*****************************************************************/
+
+void *memdup(const void *p, size_t size)
+{
+	void *p2;
+	if (size == 0)
+		return NULL;
+	p2 = SMB_MALLOC(size);
+	if (!p2)
+		return NULL;
+	memcpy(p2, p, size);
+	return p2;
+}
+
+/*****************************************************************
+ Get local hostname and cache result.
+*****************************************************************/
+
+char *myhostname(void)
+{
+	static char *ret;
+	if (ret == NULL) {
+		/* This is cached forever so
+		 * use NULL talloc ctx. */
+		ret = get_myname(NULL);
+	}
+	return ret;
+}
+
+/*****************************************************************
+ A useful function for returning a path in the Samba pid directory.
+*****************************************************************/
+
+static char *xx_path(const char *name, const char *rootpath)
+{
+	char *fname = NULL;
+
+	fname = talloc_strdup(talloc_tos(), rootpath);
+	if (!fname) {
+		return NULL;
+	}
+	trim_string(fname,"","/");
+
+	if (!directory_exist(fname,NULL)) {
+		mkdir(fname,0755);
+	}
+
+	return talloc_asprintf(talloc_tos(),
+				"%s/%s",
+				fname,
+				name);
+}
+
+/*****************************************************************
+ A useful function for returning a path in the Samba lock directory.
+*****************************************************************/
+
+char *lock_path(const char *name)
+{
+	return xx_path(name, lp_lockdir());
+}
+
+/*****************************************************************
+ A useful function for returning a path in the Samba pid directory.
+*****************************************************************/
+
+char *pid_path(const char *name)
+{
+	return xx_path(name, lp_piddir());
+}
+
+/**
+ * @brief Returns an absolute path to a file in the Samba lib directory.
+ *
+ * @param name File to find, relative to LIBDIR.
+ *
+ * @retval Pointer to a string containing the full path.
+ **/
+
+char *lib_path(const char *name)
+{
+	return talloc_asprintf(talloc_tos(), "%s/%s", get_dyn_LIBDIR(), name);
+}
+
+/**
+ * @brief Returns an absolute path to a file in the Samba modules directory.
+ *
+ * @param name File to find, relative to MODULESDIR.
+ *
+ * @retval Pointer to a string containing the full path.
+ **/
+
+char *modules_path(const char *name)
+{
+	return talloc_asprintf(talloc_tos(), "%s/%s", get_dyn_MODULESDIR(), name);
+}
+
+/**
+ * @brief Returns an absolute path to a file in the Samba data directory.
+ *
+ * @param name File to find, relative to CODEPAGEDIR.
+ *
+ * @retval Pointer to a talloc'ed string containing the full path.
+ **/
+
+char *data_path(const char *name)
+{
+	return talloc_asprintf(talloc_tos(), "%s/%s", get_dyn_CODEPAGEDIR(), name);
+}
+
+/*****************************************************************
+a useful function for returning a path in the Samba state directory
+ *****************************************************************/
+
+char *state_path(const char *name)
+{
+	return xx_path(name, get_dyn_STATEDIR());
+}
+
+/**
+ * @brief Returns the platform specific shared library extension.
+ *
+ * @retval Pointer to a const char * containing the extension.
+ **/
+
+const char *shlib_ext(void)
+{
+	return get_dyn_SHLIBEXT();
+}
+
+/*******************************************************************
+ Given a filename - get its directory name
+ NB: Returned in static storage.  Caveats:
+ o  If caller wishes to preserve, they should copy.
+********************************************************************/
+
+char *parent_dirname(const char *path)
+{
+	char *parent;
+
+	if (!parent_dirname_talloc(talloc_tos(), path, &parent, NULL)) {
+		return NULL;
+	}
+
+	return parent;
+}
+
+bool parent_dirname_talloc(TALLOC_CTX *mem_ctx, const char *dir,
+			   char **parent, const char **name)
+{
+	char *p;
+	ptrdiff_t len;
+ 
+	p = strrchr_m(dir, '/'); /* Find final '/', if any */
+
+	if (p == NULL) {
+		if (!(*parent = talloc_strdup(mem_ctx, "."))) {
+			return False;
+		}
+		if (name) {
+			*name = "";
+		}
+		return True;
+	}
+
+	len = p-dir;
+
+	if (!(*parent = TALLOC_ARRAY(mem_ctx, char, len+1))) {
+		return False;
+	}
+	memcpy(*parent, dir, len);
+	(*parent)[len] = '\0';
+
+	if (name) {
+		*name = p+1;
+	}
+	return True;
+}
+
+/*******************************************************************
+ Determine if a pattern contains any Microsoft wildcard characters.
+*******************************************************************/
+
+bool ms_has_wild(const char *s)
+{
+	char c;
+
+	if (lp_posix_pathnames()) {
+		/* With posix pathnames no characters are wild. */
+		return False;
+	}
+
+	while ((c = *s++)) {
+		switch (c) {
+		case '*':
+		case '?':
+		case '<':
+		case '>':
+		case '"':
+			return True;
+		}
+	}
+	return False;
+}
+
+bool ms_has_wild_w(const smb_ucs2_t *s)
+{
+	smb_ucs2_t c;
+	if (!s) return False;
+	while ((c = *s++)) {
+		switch (c) {
+		case UCS2_CHAR('*'):
+		case UCS2_CHAR('?'):
+		case UCS2_CHAR('<'):
+		case UCS2_CHAR('>'):
+		case UCS2_CHAR('"'):
+			return True;
+		}
+	}
+	return False;
+}
+
+/*******************************************************************
+ A wrapper that handles case sensitivity and the special handling
+ of the ".." name.
+*******************************************************************/
+
+bool mask_match(const char *string, const char *pattern, bool is_case_sensitive)
+{
+	if (strcmp(string,"..") == 0)
+		string = ".";
+	if (strcmp(pattern,".") == 0)
+		return False;
+	
+	return ms_fnmatch(pattern, string, Protocol <= PROTOCOL_LANMAN2, is_case_sensitive) == 0;
+}
+
+/*******************************************************************
+ A wrapper that handles case sensitivity and the special handling
+ of the ".." name. Varient that is only called by old search code which requires
+ pattern translation.
+*******************************************************************/
+
+bool mask_match_search(const char *string, const char *pattern, bool is_case_sensitive)
+{
+	if (strcmp(string,"..") == 0)
+		string = ".";
+	if (strcmp(pattern,".") == 0)
+		return False;
+	
+	return ms_fnmatch(pattern, string, True, is_case_sensitive) == 0;
+}
+
+/*******************************************************************
+ A wrapper that handles a list of patters and calls mask_match()
+ on each.  Returns True if any of the patterns match.
+*******************************************************************/
+
+bool mask_match_list(const char *string, char **list, int listLen, bool is_case_sensitive)
+{
+       while (listLen-- > 0) {
+               if (mask_match(string, *list++, is_case_sensitive))
+                       return True;
+       }
+       return False;
+}
+
+/*********************************************************
+ Recursive routine that is called by unix_wild_match.
+*********************************************************/
+
+static bool unix_do_match(const char *regexp, const char *str)
+{
+	const char *p;
+
+	for( p = regexp; *p && *str; ) {
+
+		switch(*p) {
+			case '?':
+				str++;
+				p++;
+				break;
+
+			case '*':
+
+				/*
+				 * Look for a character matching 
+				 * the one after the '*'.
+				 */
+				p++;
+				if(!*p)
+					return true; /* Automatic match */
+				while(*str) {
+
+					while(*str && (*p != *str))
+						str++;
+
+					/*
+					 * Patch from weidel@multichart.de. In the case of the regexp
+					 * '*XX*' we want to ensure there are at least 2 'X' characters
+					 * in the string after the '*' for a match to be made.
+					 */
+
+					{
+						int matchcount=0;
+
+						/*
+						 * Eat all the characters that match, but count how many there were.
+						 */
+
+						while(*str && (*p == *str)) {
+							str++;
+							matchcount++;
+						}
+
+						/*
+						 * Now check that if the regexp had n identical characters that
+						 * matchcount had at least that many matches.
+						 */
+
+						while ( *(p+1) && (*(p+1) == *p)) {
+							p++;
+							matchcount--;
+						}
+
+						if ( matchcount <= 0 )
+							return false;
+					}
+
+					str--; /* We've eaten the match char after the '*' */
+
+					if(unix_do_match(p, str))
+						return true;
+
+					if(!*str)
+						return false;
+					else
+						str++;
+				}
+				return false;
+
+			default:
+				if(*str != *p)
+					return false;
+				str++;
+				p++;
+				break;
+		}
+	}
+
+	if(!*p && !*str)
+		return true;
+
+	if (!*p && str[0] == '.' && str[1] == 0)
+		return true;
+
+	if (!*str && *p == '?') {
+		while (*p == '?')
+			p++;
+		return(!*p);
+	}
+
+	if(!*str && (*p == '*' && p[1] == '\0'))
+		return true;
+
+	return false;
+}
+
+/*******************************************************************
+ Simple case insensitive interface to a UNIX wildcard matcher.
+ Returns True if match, False if not.
+*******************************************************************/
+
+bool unix_wild_match(const char *pattern, const char *string)
+{
+	TALLOC_CTX *ctx = talloc_stackframe();
+	char *p2;
+	char *s2;
+	char *p;
+	bool ret = false;
+
+	p2 = talloc_strdup(ctx,pattern);
+	s2 = talloc_strdup(ctx,string);
+	if (!p2 || !s2) {
+		TALLOC_FREE(ctx);
+		return false;
+	}
+	strlower_m(p2);
+	strlower_m(s2);
+
+	/* Remove any *? and ** from the pattern as they are meaningless */
+	for(p = p2; *p; p++) {
+		while( *p == '*' && (p[1] == '?' ||p[1] == '*')) {
+			memmove(&p[1], &p[2], strlen(&p[2])+1);
+		}
+	}
+
+	if (strequal(p2,"*")) {
+		TALLOC_FREE(ctx);
+		return true;
+	}
+
+	ret = unix_do_match(p2, s2);
+	TALLOC_FREE(ctx);
+	return ret;
+}
+
+/**********************************************************************
+ Converts a name to a fully qualified domain name.
+ Returns true if lookup succeeded, false if not (then fqdn is set to name)
+ Note we deliberately use gethostbyname here, not getaddrinfo as we want
+ to examine the h_aliases and I don't know how to do that with getaddrinfo.
+***********************************************************************/
+
+bool name_to_fqdn(fstring fqdn, const char *name)
+{
+	char *full = NULL;
+	struct hostent *hp = gethostbyname(name);
+
+	if (!hp || !hp->h_name || !*hp->h_name) {
+		DEBUG(10,("name_to_fqdn: lookup for %s failed.\n", name));
+		fstrcpy(fqdn, name);
+		return false;
+	}
+
+	/* Find out if the fqdn is returned as an alias
+	 * to cope with /etc/hosts files where the first
+	 * name is not the fqdn but the short name */
+	if (hp->h_aliases && (! strchr_m(hp->h_name, '.'))) {
+		int i;
+		for (i = 0; hp->h_aliases[i]; i++) {
+			if (strchr_m(hp->h_aliases[i], '.')) {
+				full = hp->h_aliases[i];
+				break;
+			}
+		}
+	}
+	if (full && (StrCaseCmp(full, "localhost.localdomain") == 0)) {
+		DEBUG(1, ("WARNING: your /etc/hosts file may be broken!\n"));
+		DEBUGADD(1, ("    Specifing the machine hostname for address 127.0.0.1 may lead\n"));
+		DEBUGADD(1, ("    to Kerberos authentication problems as localhost.localdomain\n"));
+		DEBUGADD(1, ("    may end up being used instead of the real machine FQDN.\n"));
+		full = hp->h_name;
+	}
+	if (!full) {
+		full = hp->h_name;
+	}
+
+	DEBUG(10,("name_to_fqdn: lookup for %s -> %s.\n", name, full));
+	fstrcpy(fqdn, full);
+	return true;
+}
+
+/**********************************************************************
+ Extension to talloc_get_type: Abort on type mismatch
+***********************************************************************/
+
+void *talloc_check_name_abort(const void *ptr, const char *name)
+{
+	void *result;
+
+	result = talloc_check_name(ptr, name);
+	if (result != NULL)
+		return result;
+
+	DEBUG(0, ("Talloc type mismatch, expected %s, got %s\n",
+		  name, talloc_get_name(ptr)));
+	smb_panic("talloc type mismatch");
+	/* Keep the compiler happy */
+	return NULL;
+}
+
+/**********************************************************************
+ Append a DATA_BLOB to a talloc'ed object
+***********************************************************************/
+
+void *talloc_append_blob(TALLOC_CTX *mem_ctx, void *buf, DATA_BLOB blob)
+{
+	size_t old_size = 0;
+	char *result;
+
+	if (blob.length == 0) {
+		return buf;
+	}
+
+	if (buf != NULL) {
+		old_size = talloc_get_size(buf);
+	}
+
+	result = (char *)TALLOC_REALLOC(mem_ctx, buf, old_size + blob.length);
+	if (result == NULL) {
+		return NULL;
+	}
+
+	memcpy(result + old_size, blob.data, blob.length);
+	return result;
+}
+
+uint32 map_share_mode_to_deny_mode(uint32 share_access, uint32 private_options)
+{
+	switch (share_access & ~FILE_SHARE_DELETE) {
+		case FILE_SHARE_NONE:
+			return DENY_ALL;
+		case FILE_SHARE_READ:
+			return DENY_WRITE;
+		case FILE_SHARE_WRITE:
+			return DENY_READ;
+		case FILE_SHARE_READ|FILE_SHARE_WRITE:
+			return DENY_NONE;
+	}
+	if (private_options & NTCREATEX_OPTIONS_PRIVATE_DENY_DOS) {
+		return DENY_DOS;
+	} else if (private_options & NTCREATEX_OPTIONS_PRIVATE_DENY_FCB) {
+		return DENY_FCB;
+	}
+
+	return (uint32)-1;
+}
+
+pid_t procid_to_pid(const struct server_id *proc)
+{
+	return proc->pid;
+}
+
+static uint32 my_vnn = NONCLUSTER_VNN;
+
+void set_my_vnn(uint32 vnn)
+{
+	DEBUG(10, ("vnn pid %d = %u\n", (int)sys_getpid(), (unsigned int)vnn));
+	my_vnn = vnn;
+}
+
+uint32 get_my_vnn(void)
+{
+	return my_vnn;
+}
+
+struct server_id pid_to_procid(pid_t pid)
+{
+	struct server_id result;
+	result.pid = pid;
+#ifdef CLUSTER_SUPPORT
+	result.vnn = my_vnn;
+#endif
+	return result;
+}
+
+struct server_id procid_self(void)
+{
+	return pid_to_procid(sys_getpid());
+}
+
+struct server_id server_id_self(void)
+{
+	return procid_self();
+}
+
+bool procid_equal(const struct server_id *p1, const struct server_id *p2)
+{
+	if (p1->pid != p2->pid)
+		return False;
+#ifdef CLUSTER_SUPPORT
+	if (p1->vnn != p2->vnn)
+		return False;
+#endif
+	return True;
+}
+
+bool cluster_id_equal(const struct server_id *id1,
+		      const struct server_id *id2)
+{
+	return procid_equal(id1, id2);
+}
+
+bool procid_is_me(const struct server_id *pid)
+{
+	if (pid->pid != sys_getpid())
+		return False;
+#ifdef CLUSTER_SUPPORT
+	if (pid->vnn != my_vnn)
+		return False;
+#endif
+	return True;
+}
+
+struct server_id interpret_pid(const char *pid_string)
+{
+#ifdef CLUSTER_SUPPORT
+	unsigned int vnn, pid;
+	struct server_id result;
+	if (sscanf(pid_string, "%u:%u", &vnn, &pid) == 2) {
+		result.vnn = vnn;
+		result.pid = pid;
+	}
+	else if (sscanf(pid_string, "%u", &pid) == 1) {
+		result.vnn = get_my_vnn();
+		result.pid = pid;
+	}
+	else {
+		result.vnn = NONCLUSTER_VNN;
+		result.pid = -1;
+	}
+	return result;
+#else
+	return pid_to_procid(atoi(pid_string));
+#endif
+}
+
+char *procid_str(TALLOC_CTX *mem_ctx, const struct server_id *pid)
+{
+#ifdef CLUSTER_SUPPORT
+	if (pid->vnn == NONCLUSTER_VNN) {
+		return talloc_asprintf(mem_ctx,
+				"%d",
+				(int)pid->pid);
+	}
+	else {
+		return talloc_asprintf(mem_ctx,
+					"%u:%d",
+					(unsigned)pid->vnn,
+					(int)pid->pid);
+	}
+#else
+	return talloc_asprintf(mem_ctx,
+			"%d",
+			(int)pid->pid);
+#endif
+}
+
+char *procid_str_static(const struct server_id *pid)
+{
+	return procid_str(talloc_tos(), pid);
+}
+
+bool procid_valid(const struct server_id *pid)
+{
+	return (pid->pid != -1);
+}
+
+bool procid_is_local(const struct server_id *pid)
+{
+#ifdef CLUSTER_SUPPORT
+	return pid->vnn == my_vnn;
+#else
+	return True;
+#endif
+}
+
+int this_is_smp(void)
+{
+#if defined(HAVE_SYSCONF)
+
+#if defined(SYSCONF_SC_NPROC_ONLN)
+        return (sysconf(_SC_NPROC_ONLN) > 1) ? 1 : 0;
+#elif defined(SYSCONF_SC_NPROCESSORS_ONLN)
+        return (sysconf(_SC_NPROCESSORS_ONLN) > 1) ? 1 : 0;
+#else
+	return 0;
+#endif
+
+#else
+	return 0;
+#endif
+}
+
+/****************************************************************
+ Check if an offset into a buffer is safe.
+ If this returns True it's safe to indirect into the byte at
+ pointer ptr+off.
+****************************************************************/
+
+bool is_offset_safe(const char *buf_base, size_t buf_len, char *ptr, size_t off)
+{
+	const char *end_base = buf_base + buf_len;
+	char *end_ptr = ptr + off;
+
+	if (!buf_base || !ptr) {
+		return False;
+	}
+
+	if (end_base < buf_base || end_ptr < ptr) {
+		return False; /* wrap. */
+	}
+
+	if (end_ptr < end_base) {
+		return True;
+	}
+	return False;
+}
+
+/****************************************************************
+ Return a safe pointer into a buffer, or NULL.
+****************************************************************/
+
+char *get_safe_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off)
+{
+	return is_offset_safe(buf_base, buf_len, ptr, off) ?
+			ptr + off : NULL;
+}
+
+/****************************************************************
+ Return a safe pointer into a string within a buffer, or NULL.
+****************************************************************/
+
+char *get_safe_str_ptr(const char *buf_base, size_t buf_len, char *ptr, size_t off)
+{
+	if (!is_offset_safe(buf_base, buf_len, ptr, off)) {
+		return NULL;
+	}
+	/* Check if a valid string exists at this offset. */
+	if (skip_string(buf_base,buf_len, ptr + off) == NULL) {
+		return NULL;
+	}
+	return ptr + off;
+}
+
+/****************************************************************
+ Return an SVAL at a pointer, or failval if beyond the end.
+****************************************************************/
+
+int get_safe_SVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
+{
+	/*
+	 * Note we use off+1 here, not off+2 as SVAL accesses ptr[0] and ptr[1],
+ 	 * NOT ptr[2].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+1)) {
+		return failval;
+	}
+	return SVAL(ptr,off);
+}
+
+/****************************************************************
+ Return an IVAL at a pointer, or failval if beyond the end.
+****************************************************************/
+
+int get_safe_IVAL(const char *buf_base, size_t buf_len, char *ptr, size_t off, int failval)
+{
+	/*
+	 * Note we use off+3 here, not off+4 as IVAL accesses 
+	 * ptr[0] ptr[1] ptr[2] ptr[3] NOT ptr[4].
+ 	 */
+	if (!is_offset_safe(buf_base, buf_len, ptr, off+3)) {
+		return failval;
+	}
+	return IVAL(ptr,off);
+}
+
+/****************************************************************
+ Split DOM\user into DOM and user. Do not mix with winbind variants of that
+ call (they take care of winbind separator and other winbind specific settings).
+****************************************************************/
+
+void split_domain_user(TALLOC_CTX *mem_ctx,
+		       const char *full_name,
+		       char **domain,
+		       char **user)
+{
+	const char *p = NULL;
+
+	p = strchr_m(full_name, '\\');
+
+	if (p != NULL) {
+		*domain = talloc_strndup(mem_ctx, full_name,
+					 PTR_DIFF(p, full_name));
+		*user = talloc_strdup(mem_ctx, p+1);
+	} else {
+		*domain = talloc_strdup(mem_ctx, "");
+		*user = talloc_strdup(mem_ctx, full_name);
+	}
+}
+
+#if 0
+
+Disable these now we have checked all code paths and ensured
+NULL returns on zero request. JRA.
+
+/****************************************************************
+ talloc wrapper functions that guarentee a null pointer return
+ if size == 0.
+****************************************************************/
+
+#ifndef MAX_TALLOC_SIZE
+#define MAX_TALLOC_SIZE 0x10000000
+#endif
+
+/*
+ *    talloc and zero memory.
+ *    - returns NULL if size is zero.
+ */
+
+void *_talloc_zero_zeronull(const void *ctx, size_t size, const char *name)
+{
+	void *p;
+
+	if (size == 0) {
+		return NULL;
+	}
+
+	p = talloc_named_const(ctx, size, name);
+
+	if (p) {
+		memset(p, '\0', size);
+	}
+
+	return p;
+}
+
+/*
+ *   memdup with a talloc.
+ *   - returns NULL if size is zero.
+ */
+
+void *_talloc_memdup_zeronull(const void *t, const void *p, size_t size, const char *name)
+{
+	void *newp;
+
+	if (size == 0) {
+		return NULL;
+	}
+
+	newp = talloc_named_const(t, size, name);
+	if (newp) {
+		memcpy(newp, p, size);
+	}
+
+	return newp;
+}
+
+/*
+ *   alloc an array, checking for integer overflow in the array size.
+ *   - returns NULL if count or el_size are zero.
+ */
+
+void *_talloc_array_zeronull(const void *ctx, size_t el_size, unsigned count, const char *name)
+{
+	if (count >= MAX_TALLOC_SIZE/el_size) {
+		return NULL;
+	}
+
+	if (el_size == 0 || count == 0) {
+		return NULL;
+	}
+
+	return talloc_named_const(ctx, el_size * count, name);
+}
+
+/*
+ *   alloc an zero array, checking for integer overflow in the array size
+ *   - returns NULL if count or el_size are zero.
+ */
+
+void *_talloc_zero_array_zeronull(const void *ctx, size_t el_size, unsigned count, const char *name)
+{
+	if (count >= MAX_TALLOC_SIZE/el_size) {
+		return NULL;
+	}
+
+	if (el_size == 0 || count == 0) {
+		return NULL;
+	}
+
+	return _talloc_zero(ctx, el_size * count, name);
+}
+
+/*
+ *   Talloc wrapper that returns NULL if size == 0.
+ */
+void *talloc_zeronull(const void *context, size_t size, const char *name)
+{
+	if (size == 0) {
+		return NULL;
+	}
+	return talloc_named_const(context, size, name);
+}
+#endif
+
+/* Split a path name into filename and stream name components. Canonicalise
+ * such that an implicit $DATA token is always explicit.
+ *
+ * The "specification" of this function can be found in the
+ * run_local_stream_name() function in torture.c, I've tried those
+ * combinations against a W2k3 server.
+ */
+
+NTSTATUS split_ntfs_stream_name(TALLOC_CTX *mem_ctx, const char *fname,
+				char **pbase, char **pstream)
+{
+	char *base = NULL;
+	char *stream = NULL;
+	char *sname; /* stream name */
+	const char *stype; /* stream type */
+
+	DEBUG(10, ("split_ntfs_stream_name called for [%s]\n", fname));
+
+	sname = strchr_m(fname, ':');
+
+	if (lp_posix_pathnames() || (sname == NULL)) {
+		if (pbase != NULL) {
+			base = talloc_strdup(mem_ctx, fname);
+			NT_STATUS_HAVE_NO_MEMORY(base);
+		}
+		goto done;
+	}
+
+	if (pbase != NULL) {
+		base = talloc_strndup(mem_ctx, fname, PTR_DIFF(sname, fname));
+		NT_STATUS_HAVE_NO_MEMORY(base);
+	}
+
+	sname += 1;
+
+	stype = strchr_m(sname, ':');
+
+	if (stype == NULL) {
+		sname = talloc_strdup(mem_ctx, sname);
+		stype = "$DATA";
+	}
+	else {
+		if (StrCaseCmp(stype, ":$DATA") != 0) {
+			/*
+			 * If there is an explicit stream type, so far we only
+			 * allow $DATA. Is there anything else allowed? -- vl
+			 */
+			DEBUG(10, ("[%s] is an invalid stream type\n", stype));
+			TALLOC_FREE(base);
+			return NT_STATUS_OBJECT_NAME_INVALID;
+		}
+		sname = talloc_strndup(mem_ctx, sname, PTR_DIFF(stype, sname));
+		stype += 1;
+	}
+
+	if (sname == NULL) {
+		TALLOC_FREE(base);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (sname[0] == '\0') {
+		/*
+		 * no stream name, so no stream
+		 */
+		goto done;
+	}
+
+	if (pstream != NULL) {
+		stream = talloc_asprintf(mem_ctx, "%s:%s", sname, stype);
+		if (stream == NULL) {
+			TALLOC_FREE(sname);
+			TALLOC_FREE(base);
+			return NT_STATUS_NO_MEMORY;
+		}
+		/*
+		 * upper-case the type field
+		 */
+		strupper_m(strchr_m(stream, ':')+1);
+	}
+
+ done:
+	if (pbase != NULL) {
+		*pbase = base;
+	}
+	if (pstream != NULL) {
+		*pstream = stream;
+	}
+	return NT_STATUS_OK;
+}
+
+bool is_valid_policy_hnd(const POLICY_HND *hnd)
+{
+	POLICY_HND tmp;
+	ZERO_STRUCT(tmp);
+	return (memcmp(&tmp, hnd, sizeof(tmp)) != 0);
+}
+
+bool policy_hnd_equal(const struct policy_handle *hnd1,
+		      const struct policy_handle *hnd2)
+{
+	if (!hnd1 || !hnd2) {
+		return false;
+	}
+
+	return (memcmp(hnd1, hnd2, sizeof(*hnd1)) == 0);
+}
+
+/****************************************************************
+ strip off leading '\\' from a hostname
+****************************************************************/
+
+const char *strip_hostname(const char *s)
+{
+	if (!s) {
+		return NULL;
+	}
+
+	if (strlen_m(s) < 3) {
+		return s;
+	}
+
+	if (s[0] == '\\') s++;
+	if (s[0] == '\\') s++;
+
+	return s;
+}
diff --git a/source3/lib/util_file.c b/source3/lib/util_file.c
new file mode 100644
index 0000000000..b628b06cc6
--- /dev/null
+++ b/source3/lib/util_file.c
@@ -0,0 +1,424 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * SMB parameters and setup
+ * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995.
+ * 
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your option)
+ * any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#ifndef MAP_FAILED
+#define MAP_FAILED ((void *)-1)
+#endif
+
+/****************************************************************************
+ Read a line from a file with possible \ continuation chars. 
+ Blanks at the start or end of a line are stripped.
+ The string will be allocated if s2 is NULL.
+****************************************************************************/
+
+char *fgets_slash(char *s2,int maxlen,XFILE *f)
+{
+	char *s=s2;
+	int len = 0;
+	int c;
+	bool start_of_line = True;
+
+	if (x_feof(f)) {
+		return(NULL);
+	}
+
+	if (maxlen <2) {
+		return(NULL);
+	}
+
+	if (!s2) {
+		maxlen = MIN(maxlen,8);
+		s = (char *)SMB_MALLOC(maxlen);
+	}
+
+	if (!s) {
+		return(NULL);
+	}
+
+	*s = 0;
+
+	while (len < maxlen-1) {
+		c = x_getc(f);
+		switch (c) {
+			case '\r':
+				break;
+			case '\n':
+				while (len > 0 && s[len-1] == ' ') {
+					s[--len] = 0;
+				}
+				if (len > 0 && s[len-1] == '\\') {
+					s[--len] = 0;
+					start_of_line = True;
+					break;
+				}
+				return(s);
+			case EOF:
+				if (len <= 0 && !s2)  {
+					SAFE_FREE(s);
+				}
+				return(len>0?s:NULL);
+			case ' ':
+				if (start_of_line) {
+					break;
+				}
+			default:
+				start_of_line = False;
+				s[len++] = c;
+				s[len] = 0;
+		}
+
+		if (!s2 && len > maxlen-3) {
+			maxlen *= 2;
+			s = (char *)SMB_REALLOC(s,maxlen);
+			if (!s) {
+				DEBUG(0,("fgets_slash: failed to expand buffer!\n"));
+				return(NULL);
+			}
+		}
+	}
+	return(s);
+}
+
+/****************************************************************************
+ Load from a pipe into memory.
+****************************************************************************/
+
+static char *file_pload(char *syscmd, size_t *size)
+{
+	int fd, n;
+	char *p;
+	char buf[1024];
+	size_t total;
+
+	fd = sys_popen(syscmd);
+	if (fd == -1) {
+		return NULL;
+	}
+
+	p = NULL;
+	total = 0;
+
+	while ((n = read(fd, buf, sizeof(buf))) > 0) {
+		p = (char *)SMB_REALLOC(p, total + n + 1);
+		if (!p) {
+		        DEBUG(0,("file_pload: failed to expand buffer!\n"));
+			close(fd);
+			return NULL;
+		}
+		memcpy(p+total, buf, n);
+		total += n;
+	}
+
+	if (p) {
+		p[total] = 0;
+	}
+
+	/* FIXME: Perhaps ought to check that the command completed
+	 * successfully (returned 0); if not the data may be
+	 * truncated. */
+	sys_pclose(fd);
+
+	if (size) {
+		*size = total;
+	}
+
+	return p;
+}
+
+/****************************************************************************
+ Load a file into memory from a fd.
+ Truncate at maxsize. If maxsize == 0 - no limit.
+****************************************************************************/ 
+
+char *fd_load(int fd, size_t *psize, size_t maxsize)
+{
+	SMB_STRUCT_STAT sbuf;
+	size_t size;
+	char *p;
+
+	if (sys_fstat(fd, &sbuf) != 0) {
+		return NULL;
+	}
+
+	size = sbuf.st_size;
+	if (maxsize) {
+		size = MIN(size, maxsize);
+	}
+
+	p = (char *)SMB_MALLOC(size+1);
+	if (!p) {
+		return NULL;
+	}
+
+	if (read(fd, p, size) != size) {
+		SAFE_FREE(p);
+		return NULL;
+	}
+	p[size] = 0;
+
+	if (psize) {
+		*psize = size;
+	}
+
+	return p;
+}
+
+/****************************************************************************
+ Load a file into memory.
+****************************************************************************/
+
+char *file_load(const char *fname, size_t *size, size_t maxsize)
+{
+	int fd;
+	char *p;
+
+	if (!fname || !*fname) {
+		return NULL;
+	}
+	
+	fd = open(fname,O_RDONLY);
+	if (fd == -1) {
+		return NULL;
+	}
+
+	p = fd_load(fd, size, maxsize);
+	close(fd);
+	return p;
+}
+
+/*******************************************************************
+ unmap or free memory
+*******************************************************************/
+
+bool unmap_file(void* start, size_t size)
+{
+#ifdef HAVE_MMAP
+	if ( munmap( start, size ) != 0 ) {
+		DEBUG( 1, ("map_file: Failed to unmap address %p "
+			"of size %u - %s\n", 
+			start, (unsigned int)size, strerror(errno) ));
+		return False;
+	}
+	return True;
+#else
+	SAFE_FREE( start );
+	return True;
+#endif
+}
+
+/*******************************************************************
+ mmap (if possible) or read a file.
+********************************************************************/
+
+void *map_file(char *fname, size_t size)
+{
+	size_t s2 = 0;
+	void *p = NULL;
+#ifdef HAVE_MMAP
+	int fd;
+	fd = open(fname, O_RDONLY, 0);
+	if (fd == -1) {
+		DEBUG(2,("map_file: Failed to load %s - %s\n", fname, strerror(errno)));
+		return NULL;
+	}
+	p = mmap(NULL, size, PROT_READ, MAP_SHARED|MAP_FILE, fd, 0);
+	close(fd);
+	if (p == MAP_FAILED) {
+		DEBUG(1,("map_file: Failed to mmap %s - %s\n", fname, strerror(errno)));
+		return NULL;
+	}
+#endif
+	if (!p) {
+		p = file_load(fname, &s2, 0);
+		if (!p) {
+			return NULL;
+		}
+		if (s2 != size) {
+			DEBUG(1,("map_file: incorrect size for %s - got %lu expected %lu\n",
+				 fname, (unsigned long)s2, (unsigned long)size));
+			SAFE_FREE(p);	
+			return NULL;
+		}
+	}
+	return p;
+}
+
+/****************************************************************************
+ Parse a buffer into lines.
+****************************************************************************/
+
+static char **file_lines_parse(char *p, size_t size, int *numlines)
+{
+	int i;
+	char *s, **ret;
+
+	if (!p) {
+		return NULL;
+	}
+
+	for (s = p, i=0; s < p+size; s++) {
+		if (s[0] == '\n') i++;
+	}
+
+	ret = SMB_MALLOC_ARRAY(char *, i+2);
+	if (!ret) {
+		SAFE_FREE(p);
+		return NULL;
+	}	
+	memset(ret, 0, sizeof(ret[0])*(i+2));
+
+	ret[0] = p;
+	for (s = p, i=0; s < p+size; s++) {
+		if (s[0] == '\n') {
+			s[0] = 0;
+			i++;
+			ret[i] = s+1;
+		}
+		if (s[0] == '\r') {
+			s[0] = 0;
+		}
+	}
+
+	/* remove any blank lines at the end */
+	while (i > 0 && ret[i-1][0] == 0) {
+		i--;
+	}
+
+	if (numlines) {
+		*numlines = i;
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Load a file into memory and return an array of pointers to lines in the file
+ must be freed with file_lines_free(). 
+****************************************************************************/
+
+char **file_lines_load(const char *fname, int *numlines, size_t maxsize)
+{
+	char *p;
+	size_t size = 0;
+
+	p = file_load(fname, &size, maxsize);
+	if (!p) {
+		return NULL;
+	}
+
+	return file_lines_parse(p, size, numlines);
+}
+
+/****************************************************************************
+ Load a fd into memory and return an array of pointers to lines in the file
+ must be freed with file_lines_free(). If convert is true calls unix_to_dos on
+ the list.
+****************************************************************************/
+
+char **fd_lines_load(int fd, int *numlines, size_t maxsize)
+{
+	char *p;
+	size_t size;
+
+	p = fd_load(fd, &size, maxsize);
+	if (!p) {
+		return NULL;
+	}
+
+	return file_lines_parse(p, size, numlines);
+}
+
+/****************************************************************************
+ Load a pipe into memory and return an array of pointers to lines in the data
+ must be freed with file_lines_free(). 
+****************************************************************************/
+
+char **file_lines_pload(char *syscmd, int *numlines)
+{
+	char *p;
+	size_t size;
+
+	p = file_pload(syscmd, &size);
+	if (!p) {
+		return NULL;
+	}
+
+	return file_lines_parse(p, size, numlines);
+}
+
+/****************************************************************************
+ Free lines loaded with file_lines_load.
+****************************************************************************/
+
+void file_lines_free(char **lines)
+{
+	if (!lines) {
+		return;
+	}
+	SAFE_FREE(lines[0]);
+	SAFE_FREE(lines);
+}
+
+/****************************************************************************
+ Take a list of lines and modify them to produce a list where \ continues
+ a line.
+****************************************************************************/
+
+void file_lines_slashcont(char **lines)
+{
+	int i, j;
+
+	for (i=0; lines[i];) {
+		int len = strlen(lines[i]);
+		if (lines[i][len-1] == '\\') {
+			lines[i][len-1] = ' ';
+			if (lines[i+1]) {
+				char *p = &lines[i][len];
+				while (p < lines[i+1]) {
+					*p++ = ' ';
+				}
+				for (j = i+1; lines[j]; j++) {
+					lines[j] = lines[j+1];
+				}
+			}
+		} else {
+			i++;
+		}
+	}
+}
+
+/****************************************************************************
+ Save a lump of data into a file. Mostly used for debugging.
+****************************************************************************/
+
+bool file_save(const char *fname, void *packet, size_t length)
+{
+	int fd;
+	fd = open(fname, O_WRONLY|O_CREAT|O_TRUNC, 0644);
+	if (fd == -1) {
+		return False;
+	}
+	if (write(fd, packet, length) != (size_t)length) {
+		return False;
+	}
+	close(fd);
+	return True;
+}
diff --git a/source3/lib/util_nscd.c b/source3/lib/util_nscd.c
new file mode 100644
index 0000000000..f019bdd70b
--- /dev/null
+++ b/source3/lib/util_nscd.c
@@ -0,0 +1,41 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Guenther Deschner 2006
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+static void smb_nscd_flush_cache(const char *service)
+{
+#ifdef HAVE_NSCD_FLUSH_CACHE
+	if (!nscd_flush_cache(service)) {
+		DEBUG(10,("failed to flush nscd cache for '%s' service: %s. "
+			  "Is nscd running?\n",
+			  service, strerror(errno)));
+	}
+#endif
+}
+
+void smb_nscd_flush_user_cache(void)
+{
+	smb_nscd_flush_cache("passwd");
+}
+
+void smb_nscd_flush_group_cache(void)
+{
+	smb_nscd_flush_cache("group");
+}
diff --git a/source3/lib/util_nttoken.c b/source3/lib/util_nttoken.c
new file mode 100644
index 0000000000..774ef498b7
--- /dev/null
+++ b/source3/lib/util_nttoken.c
@@ -0,0 +1,117 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Authentication utility functions
+ *  Copyright (C) Andrew Tridgell 1992-1998
+ *  Copyright (C) Andrew Bartlett 2001
+ *  Copyright (C) Jeremy Allison 2000-2001
+ *  Copyright (C) Rafal Szczesniak 2002
+ *  Copyright (C) Volker Lendecke 2006
+ *  Copyright (C) Michael Adam 2007
+ *  Copyright (C) Guenther Deschner 2007
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* function(s) moved from auth/auth_util.c to minimize linker deps */
+
+#include "includes.h"
+
+/****************************************************************************
+ Duplicate a SID token.
+****************************************************************************/
+
+NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken)
+{
+	NT_USER_TOKEN *token;
+
+	if (!ptoken)
+		return NULL;
+
+	token = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN);
+	if (token == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		return NULL;
+	}
+
+	if (ptoken->user_sids && ptoken->num_sids) {
+		token->user_sids = (DOM_SID *)talloc_memdup(
+			token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
+
+		if (token->user_sids == NULL) {
+			DEBUG(0, ("talloc_memdup failed\n"));
+			TALLOC_FREE(token);
+			return NULL;
+		}
+		token->num_sids = ptoken->num_sids;
+	}
+	
+	/* copy the privileges; don't consider failure to be critical here */
+	
+	if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
+		DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!.  "
+			 "Continuing with 0 privileges assigned.\n"));
+	}
+
+	return token;
+}
+
+/****************************************************************************
+ merge NT tokens
+****************************************************************************/
+
+NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
+			const struct nt_user_token *token_1,
+			const struct nt_user_token *token_2,
+			struct nt_user_token **token_out)
+{
+	struct nt_user_token *token = NULL;
+	NTSTATUS status;
+	int i;
+
+	if (!token_1 || !token_2 || !token_out) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
+	NT_STATUS_HAVE_NO_MEMORY(token);
+
+	for (i=0; i < token_1->num_sids; i++) {
+		status = add_sid_to_array_unique(mem_ctx,
+						 &token_1->user_sids[i],
+						 &token->user_sids,
+						 &token->num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(token);
+			return status;
+		}
+	}
+
+	for (i=0; i < token_2->num_sids; i++) {
+		status = add_sid_to_array_unique(mem_ctx,
+						 &token_2->user_sids[i],
+						 &token->user_sids,
+						 &token->num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(token);
+			return status;
+		}
+	}
+
+	se_priv_add(&token->privileges, &token_1->privileges);
+	se_priv_add(&token->privileges, &token_2->privileges);
+
+	*token_out = token;
+
+	return NT_STATUS_OK;
+}
diff --git a/source3/lib/util_pw.c b/source3/lib/util_pw.c
new file mode 100644
index 0000000000..428378505f
--- /dev/null
+++ b/source3/lib/util_pw.c
@@ -0,0 +1,89 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Safe versions of getpw* calls
+
+   Copyright (C) Andrew Bartlett 2002
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+struct passwd *tcopy_passwd(TALLOC_CTX *mem_ctx, const struct passwd *from) 
+{
+	struct passwd *ret = TALLOC_P(mem_ctx, struct passwd);
+	if (!ret) {
+		return NULL;
+	}
+	ret->pw_name = talloc_strdup(ret, from->pw_name);
+	ret->pw_passwd = talloc_strdup(ret, from->pw_passwd);
+	ret->pw_uid = from->pw_uid;
+	ret->pw_gid = from->pw_gid;
+	ret->pw_gecos = talloc_strdup(ret, from->pw_gecos);
+	ret->pw_dir = talloc_strdup(ret, from->pw_dir);
+	ret->pw_shell = talloc_strdup(ret, from->pw_shell);
+	return ret;
+}
+
+void flush_pwnam_cache(void)
+{
+	memcache_flush(NULL, GETPWNAM_CACHE);
+}
+
+struct passwd *getpwnam_alloc(TALLOC_CTX *mem_ctx, const char *name)
+{
+	struct passwd *temp, *cached;
+
+	temp = (struct passwd *)memcache_lookup_talloc(
+		NULL, GETPWNAM_CACHE, data_blob_string_const(name));
+	if (temp != NULL) {
+		return tcopy_passwd(mem_ctx, temp);
+	}
+
+	temp = sys_getpwnam(name);
+	if (temp == NULL) {
+		return NULL;
+	}
+
+	cached = tcopy_passwd(NULL, temp);
+	if (cached == NULL) {
+		/*
+		 * Just don't add this into the cache, ignore the failure
+		 */
+		return temp;
+	}
+
+	memcache_add_talloc(NULL, GETPWNAM_CACHE, data_blob_string_const(name),
+			    cached);
+	return tcopy_passwd(mem_ctx, temp);
+}
+
+struct passwd *getpwuid_alloc(TALLOC_CTX *mem_ctx, uid_t uid) 
+{
+	struct passwd *temp;
+
+	temp = sys_getpwuid(uid);
+	
+	if (!temp) {
+#if 0
+		if (errno == ENOMEM) {
+			/* what now? */
+		}
+#endif
+		return NULL;
+	}
+
+	return tcopy_passwd(mem_ctx, temp);
+}
diff --git a/source3/lib/util_reg.c b/source3/lib/util_reg.c
new file mode 100644
index 0000000000..6570bb072d
--- /dev/null
+++ b/source3/lib/util_reg.c
@@ -0,0 +1,112 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Registry helper routines
+ * Copyright (C) Volker Lendecke 2006
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your option)
+ * any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_REGISTRY
+
+extern REGISTRY_OPS smbconf_reg_ops;
+
+const char *reg_type_lookup(enum winreg_Type type)
+{
+	const char *result;
+
+	switch(type) {
+	case REG_NONE:
+		result = "REG_NONE";
+		break;
+	case REG_SZ:
+		result = "REG_SZ";
+		break;
+	case REG_EXPAND_SZ:
+		result = "REG_EXPAND_SZ";
+		break;
+	case REG_BINARY:
+		result = "REG_BINARY";
+		break;
+	case REG_DWORD:
+		result = "REG_DWORD";
+		break;
+	case REG_DWORD_BIG_ENDIAN:
+		result = "REG_DWORD_BIG_ENDIAN";
+		break;
+	case REG_LINK:
+		result = "REG_LINK";
+		break;
+	case REG_MULTI_SZ:
+		result = "REG_MULTI_SZ";
+		break;
+	case REG_RESOURCE_LIST:
+		result = "REG_RESOURCE_LIST";
+		break;
+	case REG_FULL_RESOURCE_DESCRIPTOR:
+		result = "REG_FULL_RESOURCE_DESCRIPTOR";
+		break;
+	case REG_RESOURCE_REQUIREMENTS_LIST:
+		result = "REG_RESOURCE_REQUIREMENTS_LIST";
+		break;
+	case REG_QWORD:
+		result = "REG_QWORD";
+		break;
+	default:
+		result = "REG TYPE IS UNKNOWN";
+		break;
+	}
+	return result;
+}
+
+WERROR reg_pull_multi_sz(TALLOC_CTX *mem_ctx, const void *buf, size_t len,
+			 uint32 *num_values, char ***values)
+{
+	const smb_ucs2_t *p = (const smb_ucs2_t *)buf;
+	*num_values = 0;
+
+	/*
+	 * Make sure that a talloc context for the strings retrieved exists
+	 */
+
+	if (!(*values = TALLOC_ARRAY(mem_ctx, char *, 1))) {
+		return WERR_NOMEM;
+	}
+
+	len /= 2; 		/* buf is a set of UCS2 strings */
+
+	while (len > 0) {
+		char *val;
+		size_t dstlen, thislen;
+
+		thislen = strnlen_w(p, len) + 1;
+		if (!convert_string_allocate(*values, CH_UTF16LE, CH_UNIX,
+			p, thislen*2, (void *)&val, &dstlen, true)) {
+			TALLOC_FREE(*values);
+			return WERR_NOMEM;
+		}
+
+		ADD_TO_ARRAY(*values, char *, val, values, num_values);
+		if (*values == NULL) {
+			return WERR_NOMEM;
+		}
+
+		p += thislen;
+		len -= thislen;
+	}
+
+	return WERR_OK;
+}
diff --git a/source3/lib/util_reg_api.c b/source3/lib/util_reg_api.c
new file mode 100644
index 0000000000..8f28e9c282
--- /dev/null
+++ b/source3/lib/util_reg_api.c
@@ -0,0 +1,223 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Registry helper routines
+ * Copyright (C) Volker Lendecke 2006
+ * 
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3 of the License, or (at your option)
+ * any later version.
+ * 
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ * 
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_REGISTRY
+
+WERROR registry_pull_value(TALLOC_CTX *mem_ctx,
+			   struct registry_value **pvalue,
+			   enum winreg_Type type, uint8 *data,
+			   uint32 size, uint32 length)
+{
+	struct registry_value *value;
+	WERROR err;
+
+	if (!(value = TALLOC_ZERO_P(mem_ctx, struct registry_value))) {
+		return WERR_NOMEM;
+	}
+
+	value->type = type;
+
+	switch (type) {
+	case REG_DWORD:
+		if ((size != 4) || (length != 4)) {
+			err = WERR_INVALID_PARAM;
+			goto error;
+		}
+		value->v.dword = IVAL(data, 0);
+		break;
+	case REG_SZ:
+	case REG_EXPAND_SZ:
+	{
+		/*
+		 * Make sure we get a NULL terminated string for
+		 * convert_string_talloc().
+		 */
+
+		smb_ucs2_t *tmp;
+
+		if (length == 1) {
+			/* win2k regedit gives us a string of 1 byte when
+			 * creating a new value of type REG_SZ. this workaround
+			 * replaces the input by using the same string as
+			 * winxp delivers. */
+			length = 2;
+			if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, 2))) {
+				err = WERR_NOMEM;
+				goto error;
+			}
+			tmp[0] = 0;
+			tmp[1] = 0;
+			DEBUG(10, ("got REG_SZ value of length 1 - workaround "
+				   "activated.\n"));
+		}
+		else if ((length % 2) != 0) {
+			err = WERR_INVALID_PARAM;
+			goto error;
+		}
+		else {
+			uint32 num_ucs2 = length / 2;
+			if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1))) {
+				err = WERR_NOMEM;
+				goto error;
+			}
+
+			memcpy((void *)tmp, (const void *)data, length);
+			tmp[num_ucs2] = 0;
+		}
+
+		if (length + 2 < length) {
+			/* Integer wrap. */
+			SAFE_FREE(tmp);
+			err = WERR_INVALID_PARAM;
+			goto error;
+		}
+
+		if (!convert_string_talloc(value, CH_UTF16LE, CH_UNIX, tmp,
+					   length+2, &value->v.sz.str,
+					   &value->v.sz.len, False)) {
+			SAFE_FREE(tmp);
+			err = WERR_INVALID_PARAM;
+			goto error;
+		}
+
+		SAFE_FREE(tmp);
+		break;
+	}
+	case REG_MULTI_SZ:
+		err = reg_pull_multi_sz(value, (void *)data, length,
+					&value->v.multi_sz.num_strings,
+					&value->v.multi_sz.strings);
+		if (!(W_ERROR_IS_OK(err))) {
+			goto error;
+		}
+		break;
+	case REG_BINARY:
+		value->v.binary = data_blob_talloc(mem_ctx, data, length);
+		break;
+	default:
+		err = WERR_INVALID_PARAM;
+		goto error;
+	}
+
+	*pvalue = value;
+	return WERR_OK;
+
+ error:
+	TALLOC_FREE(value);
+	return err;
+}
+
+WERROR registry_push_value(TALLOC_CTX *mem_ctx,
+			   const struct registry_value *value,
+			   DATA_BLOB *presult)
+{
+	switch (value->type) {
+	case REG_DWORD: {
+		char buf[4];
+		SIVAL(buf, 0, value->v.dword);
+		*presult = data_blob_talloc(mem_ctx, (void *)buf, 4);
+		if (presult->data == NULL) {
+			return WERR_NOMEM;
+		}
+		break;
+	}
+	case REG_SZ:
+	case REG_EXPAND_SZ: {
+		if (!convert_string_talloc(mem_ctx, CH_UNIX, CH_UTF16LE,
+					   value->v.sz.str,
+					   MIN(value->v.sz.len,
+					       strlen(value->v.sz.str)+1),
+					   (void *)&(presult->data),
+					   &presult->length, False))
+		{
+			return WERR_NOMEM;
+		}
+		break;
+	}
+	case REG_MULTI_SZ: {
+		uint32_t count;
+		size_t len = 0;
+		char **strings;
+		size_t *string_lengths;
+		uint32_t ofs;
+		TALLOC_CTX *tmp_ctx = talloc_stackframe();
+
+		strings = TALLOC_ARRAY(tmp_ctx, char *,
+				       value->v.multi_sz.num_strings);
+		if (strings == NULL) {
+			return WERR_NOMEM;
+		}
+
+		string_lengths = TALLOC_ARRAY(tmp_ctx, size_t,
+					      value->v.multi_sz.num_strings);
+		if (string_lengths == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return WERR_NOMEM;
+		}
+
+		/* convert the single strings */
+		for (count = 0; count < value->v.multi_sz.num_strings; count++)
+		{
+			if (!convert_string_talloc(strings, CH_UNIX,
+				CH_UTF16LE, value->v.multi_sz.strings[count],
+				strlen(value->v.multi_sz.strings[count])+1,
+				(void *)&strings[count],
+				&string_lengths[count], false))
+			{
+
+				TALLOC_FREE(tmp_ctx);
+				return WERR_NOMEM;
+			}
+			len += string_lengths[count];
+		}
+
+		/* now concatenate all into the data blob */
+		presult->data = TALLOC_ARRAY(mem_ctx, uint8_t, len);
+		if (presult->data == NULL) {
+			TALLOC_FREE(tmp_ctx);
+			return WERR_NOMEM;
+		}
+		for (count = 0, ofs = 0;
+		     count < value->v.multi_sz.num_strings;
+		     count++)
+		{
+			memcpy(presult->data + ofs, strings[count],
+			       string_lengths[count]);
+			ofs += string_lengths[count];
+		}
+		presult->length = len;
+
+		TALLOC_FREE(tmp_ctx);
+
+		break;
+	}
+	case REG_BINARY:
+		*presult = data_blob_talloc(mem_ctx,
+					    value->v.binary.data,
+					    value->v.binary.length);
+		break;
+	default:
+		return WERR_INVALID_PARAM;
+	}
+
+	return WERR_OK;
+}
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
new file mode 100644
index 0000000000..87e70bb95b
--- /dev/null
+++ b/source3/lib/util_seaccess.c
@@ -0,0 +1,359 @@
+/*
+   Unix SMB/CIFS implementation.
+   Copyright (C) Luke Kenneth Casson Leighton 1996-2000.
+   Copyright (C) Tim Potter 2000.
+   Copyright (C) Re-written by Jeremy Allison 2000.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+extern NT_USER_TOKEN anonymous_token;
+
+/*********************************************************************************
+ Check an ACE against a SID.  We return the remaining needed permission
+ bits not yet granted. Zero means permission allowed (no more needed bits).
+**********************************************************************************/
+
+static uint32 check_ace(SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired, 
+			NTSTATUS *status)
+{
+	uint32 mask = ace->access_mask;
+
+	/*
+	 * Inherit only is ignored.
+	 */
+
+	if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+		return acc_desired;
+	}
+
+	/*
+	 * If this ACE has no SID in common with the token,
+	 * ignore it as it cannot be used to make an access
+	 * determination.
+	 */
+
+	if (!token_sid_in_ace( token, ace))
+		return acc_desired;	
+
+	switch (ace->type) {
+		case SEC_ACE_TYPE_ACCESS_ALLOWED:
+			/*
+			 * This is explicitly allowed.
+			 * Remove the bits from the remaining
+			 * access required. Return the remaining
+			 * bits needed.
+			 */
+			acc_desired &= ~mask;
+			break;
+		case SEC_ACE_TYPE_ACCESS_DENIED:
+			/*
+			 * This is explicitly denied.
+			 * If any bits match terminate here,
+			 * we are denied.
+			 */
+			if (acc_desired & mask) {
+				*status = NT_STATUS_ACCESS_DENIED;
+				return 0xFFFFFFFF;
+			}
+			break;
+		case SEC_ACE_TYPE_SYSTEM_ALARM:
+		case SEC_ACE_TYPE_SYSTEM_AUDIT:
+			*status = NT_STATUS_NOT_IMPLEMENTED;
+			return 0xFFFFFFFF;
+		default:
+			*status = NT_STATUS_INVALID_PARAMETER;
+			return 0xFFFFFFFF;
+	}
+
+	return acc_desired;
+}
+
+/*********************************************************************************
+ Maximum access was requested. Calculate the max possible. Fail if it doesn't
+ include other bits requested.
+**********************************************************************************/ 
+
+static bool get_max_access( SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32 *granted, 
+			    uint32 desired, 
+			    NTSTATUS *status)
+{
+	uint32 acc_denied = 0;
+	uint32 acc_granted = 0;
+	size_t i;
+	
+	for ( i = 0 ; i < the_acl->num_aces; i++) {
+		SEC_ACE *ace = &the_acl->aces[i];
+		uint32 mask = ace->access_mask;
+
+		if (!token_sid_in_ace( token, ace))
+			continue;
+
+		switch (ace->type) {
+			case SEC_ACE_TYPE_ACCESS_ALLOWED:
+				acc_granted |= (mask & ~acc_denied);
+				break;
+			case SEC_ACE_TYPE_ACCESS_DENIED:
+				acc_denied |= (mask & ~acc_granted);
+				break;
+			case SEC_ACE_TYPE_SYSTEM_ALARM:
+			case SEC_ACE_TYPE_SYSTEM_AUDIT:
+				*status = NT_STATUS_NOT_IMPLEMENTED;
+				*granted = 0;
+				return False;
+			default:
+				*status = NT_STATUS_INVALID_PARAMETER;
+				*granted = 0;
+				return False;
+		}                           
+	}
+
+	/*
+	 * If we were granted no access, or we desired bits that we
+	 * didn't get, then deny.
+	 */
+
+	if ((acc_granted == 0) || ((acc_granted & desired) != desired)) {
+		*status = NT_STATUS_ACCESS_DENIED;
+		*granted = 0;
+		return False;
+	}
+
+	/*
+	 * Return the access we did get.
+	 */
+
+	*granted = acc_granted;
+	*status = NT_STATUS_OK;
+	return True;
+}
+
+/* Map generic access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of generic to object
+   specific access rights. */
+
+void se_map_generic(uint32 *access_mask, const struct generic_mapping *mapping)
+{
+	uint32 old_mask = *access_mask;
+
+	if (*access_mask & GENERIC_READ_ACCESS) {
+		*access_mask &= ~GENERIC_READ_ACCESS;
+		*access_mask |= mapping->generic_read;
+	}
+
+	if (*access_mask & GENERIC_WRITE_ACCESS) {
+		*access_mask &= ~GENERIC_WRITE_ACCESS;
+		*access_mask |= mapping->generic_write;
+	}
+
+	if (*access_mask & GENERIC_EXECUTE_ACCESS) {
+		*access_mask &= ~GENERIC_EXECUTE_ACCESS;
+		*access_mask |= mapping->generic_execute;
+	}
+
+	if (*access_mask & GENERIC_ALL_ACCESS) {
+		*access_mask &= ~GENERIC_ALL_ACCESS;
+		*access_mask |= mapping->generic_all;
+	}
+
+	if (old_mask != *access_mask) {
+		DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n",
+			   old_mask, *access_mask));
+	}
+}
+
+/* Map standard access rights to object specific rights.  This technique is
+   used to give meaning to assigning read, write, execute and all access to
+   objects.  Each type of object has its own mapping of standard to object
+   specific access rights. */
+
+void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping)
+{
+	uint32 old_mask = *access_mask;
+
+	if (*access_mask & READ_CONTROL_ACCESS) {
+		*access_mask &= ~READ_CONTROL_ACCESS;
+		*access_mask |= mapping->std_read;
+	}
+
+	if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)) {
+		*access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS);
+		*access_mask |= mapping->std_all;
+	}
+
+	if (old_mask != *access_mask) {
+		DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n",
+			   old_mask, *access_mask));
+	}
+}
+
+/*****************************************************************************
+ Check access rights of a user against a security descriptor.  Look at
+ each ACE in the security descriptor until an access denied ACE denies
+ any of the desired rights to the user or any of the users groups, or one
+ or more ACEs explicitly grant all requested access rights.  See
+ "Access-Checking" document in MSDN.
+*****************************************************************************/ 
+
+bool se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
+		     uint32 acc_desired, uint32 *acc_granted, 
+		     NTSTATUS *status)
+{
+	size_t i;
+	SEC_ACL *the_acl;
+	uint32 tmp_acc_desired = acc_desired;
+
+	if (!status || !acc_granted)
+		return False;
+
+	if (!token)
+		token = &anonymous_token;
+
+	*status = NT_STATUS_OK;
+	*acc_granted = 0;
+
+	DEBUG(10,("se_access_check: requested access 0x%08x, for NT token "
+		  "with %u entries and first sid %s.\n",
+		  (unsigned int)acc_desired, (unsigned int)token->num_sids,
+		  sid_string_dbg(&token->user_sids[0])));
+
+	/*
+	 * No security descriptor or security descriptor with no DACL
+	 * present allows all access.
+	 */
+
+	/* ACL must have something in it */
+
+	if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) {
+		*status = NT_STATUS_OK;
+		*acc_granted = acc_desired;
+		DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n"));
+		return True;
+	}
+
+	/* The user sid is the first in the token */
+	if (DEBUGLVL(3)) {
+		DEBUG(3, ("se_access_check: user sid is %s\n",
+			  sid_string_dbg(
+				  &token->user_sids[PRIMARY_USER_SID_INDEX])));
+		
+		for (i = 1; i < token->num_sids; i++) {
+			DEBUGADD(3, ("se_access_check: also %s\n",
+				     sid_string_dbg(&token->user_sids[i])));
+		}
+	}
+
+	/* Is the token the owner of the SID ? */
+
+	if (sd->owner_sid) {
+		for (i = 0; i < token->num_sids; i++) {
+			if (sid_equal(&token->user_sids[i], sd->owner_sid)) {
+				/*
+				 * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL.
+				 */
+				if (tmp_acc_desired & WRITE_DAC_ACCESS)
+					tmp_acc_desired &= ~WRITE_DAC_ACCESS;
+				if (tmp_acc_desired & READ_CONTROL_ACCESS)
+					tmp_acc_desired &= ~READ_CONTROL_ACCESS;
+			}
+		}
+	}
+
+	the_acl = sd->dacl;
+
+	if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) {
+		tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS;
+		return get_max_access( the_acl, token, acc_granted, tmp_acc_desired, 
+				       status);
+	}
+
+	for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
+		SEC_ACE *ace = &the_acl->aces[i];
+
+		DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = "
+			     "0x%02x, SID = %s mask = %x, current desired "
+			     "= %x\n", (unsigned int)i, ace->type, ace->flags,
+			     sid_string_dbg(&ace->trustee),
+			     (unsigned int) ace->access_mask,
+			     (unsigned int)tmp_acc_desired ));
+
+		tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);
+		if (NT_STATUS_V(*status)) {
+			*acc_granted = 0;
+			DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, nt_errstr(*status)));
+			return False;
+		}
+	}
+
+	/*
+	 * If there are no more desired permissions left then
+	 * access was allowed.
+	 */
+
+	if (tmp_acc_desired == 0) {
+		*acc_granted = acc_desired;
+		*status = NT_STATUS_OK;
+		DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired ));
+		return True;
+	}
+		
+	*acc_granted = 0;
+	*status = NT_STATUS_ACCESS_DENIED;
+	DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired ));
+	return False;
+}
+
+
+/*******************************************************************
+ samr_make_sam_obj_sd
+ ********************************************************************/
+
+NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
+{
+	DOM_SID adm_sid;
+	DOM_SID act_sid;
+
+	SEC_ACE ace[3];
+	SEC_ACCESS mask;
+
+	SEC_ACL *psa = NULL;
+
+	sid_copy(&adm_sid, &global_sid_Builtin);
+	sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
+
+	sid_copy(&act_sid, &global_sid_Builtin);
+	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
+
+	/*basic access for every one*/
+	init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ);
+	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
+
+	/*full access for builtin aliases Administrators and Account Operators*/
+	init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS);
+	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
+	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
+
+	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL)
+		return NT_STATUS_NO_MEMORY;
+
+	if ((*psd = make_sec_desc(ctx, SECURITY_DESCRIPTOR_REVISION_1,
+				  SEC_DESC_SELF_RELATIVE, NULL, NULL, NULL,
+				  psa, sd_size)) == NULL)
+		return NT_STATUS_NO_MEMORY;
+
+	return NT_STATUS_OK;
+}
diff --git a/source3/lib/util_sec.c b/source3/lib/util_sec.c
new file mode 100644
index 0000000000..d7984ac999
--- /dev/null
+++ b/source3/lib/util_sec.c
@@ -0,0 +1,482 @@
+/*
+   Unix SMB/CIFS implementation.
+   Copyright (C) Jeremy Allison 1998.
+   rewritten for version 2.0.6 by Tridge
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef AUTOCONF_TEST
+#include "includes.h"
+#else
+/* we are running this code in autoconf test mode to see which type of setuid
+   function works */
+#if defined(HAVE_UNISTD_H)
+#include <unistd.h>
+#endif
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <errno.h>
+
+#ifdef HAVE_SYS_PRIV_H
+#include <sys/priv.h>
+#endif
+#ifdef HAVE_SYS_ID_H
+#include <sys/id.h>
+#endif
+
+#define DEBUG(x, y) printf y
+#define smb_panic(x) exit(1)
+#define bool int
+#endif
+
+/* are we running as non-root? This is used by the regresison test code,
+   and potentially also for sites that want non-root smbd */
+static uid_t initial_uid;
+static gid_t initial_gid;
+
+/****************************************************************************
+remember what uid we got started as - this allows us to run correctly
+as non-root while catching trapdoor systems
+****************************************************************************/
+
+void sec_init(void)
+{
+	static int initialized;
+
+	if (!initialized) {
+		initial_uid = geteuid();
+		initial_gid = getegid();
+		initialized = 1;
+	}
+}
+
+/****************************************************************************
+some code (eg. winbindd) needs to know what uid we started as
+****************************************************************************/
+uid_t sec_initial_uid(void)
+{
+	return initial_uid;
+}
+
+/****************************************************************************
+some code (eg. winbindd, profiling shm) needs to know what gid we started as
+****************************************************************************/
+gid_t sec_initial_gid(void)
+{
+	return initial_gid;
+}
+
+/****************************************************************************
+are we running in non-root mode?
+****************************************************************************/
+bool non_root_mode(void)
+{
+	return (initial_uid != (uid_t)0);
+}
+
+/****************************************************************************
+abort if we haven't set the uid correctly
+****************************************************************************/
+static void assert_uid(uid_t ruid, uid_t euid)
+{
+	if ((euid != (uid_t)-1 && geteuid() != euid) ||
+	    (ruid != (uid_t)-1 && getuid() != ruid)) {
+		if (!non_root_mode()) {
+			DEBUG(0,("Failed to set uid privileges to (%d,%d) now set to (%d,%d)\n",
+				 (int)ruid, (int)euid,
+				 (int)getuid(), (int)geteuid()));
+			smb_panic("failed to set uid\n");
+			exit(1);
+		}
+	}
+}
+
+/****************************************************************************
+abort if we haven't set the gid correctly
+****************************************************************************/
+static void assert_gid(gid_t rgid, gid_t egid)
+{
+	if ((egid != (gid_t)-1 && getegid() != egid) ||
+	    (rgid != (gid_t)-1 && getgid() != rgid)) {
+		if (!non_root_mode()) {
+			DEBUG(0,("Failed to set gid privileges to (%d,%d) now set to (%d,%d) uid=(%d,%d)\n",
+				 (int)rgid, (int)egid,
+				 (int)getgid(), (int)getegid(),
+				 (int)getuid(), (int)geteuid()));
+			smb_panic("failed to set gid\n");
+			exit(1);
+		}
+	}
+}
+
+/****************************************************************************
+ Gain root privilege before doing something. 
+ We want to end up with ruid==euid==0
+****************************************************************************/
+void gain_root_privilege(void)
+{	
+#if USE_SETRESUID
+	setresuid(0,0,0);
+#endif
+    
+#if USE_SETEUID
+	seteuid(0);
+#endif
+
+#if USE_SETREUID
+	setreuid(0, 0);
+#endif
+
+#if USE_SETUIDX
+	setuidx(ID_EFFECTIVE, 0);
+	setuidx(ID_REAL, 0);
+#endif
+
+	/* this is needed on some systems */
+	setuid(0);
+
+	assert_uid(0, 0);
+}
+
+
+/****************************************************************************
+ Ensure our real and effective groups are zero.
+ we want to end up with rgid==egid==0
+****************************************************************************/
+void gain_root_group_privilege(void)
+{
+#if USE_SETRESUID
+	setresgid(0,0,0);
+#endif
+
+#if USE_SETREUID
+	setregid(0,0);
+#endif
+
+#if USE_SETEUID
+	setegid(0);
+#endif
+
+#if USE_SETUIDX
+	setgidx(ID_EFFECTIVE, 0);
+	setgidx(ID_REAL, 0);
+#endif
+
+	setgid(0);
+
+	assert_gid(0, 0);
+}
+
+
+/****************************************************************************
+ Set effective uid, and possibly the real uid too.
+ We want to end up with either:
+  
+   ruid==uid and euid==uid
+
+ or
+
+   ruid==0 and euid==uid
+
+ depending on what the local OS will allow us to regain root from.
+****************************************************************************/
+void set_effective_uid(uid_t uid)
+{
+#if USE_SETRESUID
+        /* Set the effective as well as the real uid. */
+	if (setresuid(uid,uid,-1) == -1) {
+		if (errno == EAGAIN) {
+			DEBUG(0, ("setresuid failed with EAGAIN. uid(%d) "
+				  "might be over its NPROC limit\n",
+				  (int)uid));
+		}
+	}
+#endif
+
+#if USE_SETREUID
+	setreuid(-1,uid);
+#endif
+
+#if USE_SETEUID
+	seteuid(uid);
+#endif
+
+#if USE_SETUIDX
+	setuidx(ID_EFFECTIVE, uid);
+#endif
+
+	assert_uid(-1, uid);
+}
+
+/****************************************************************************
+ Set *only* the effective gid.
+ we want to end up with rgid==0 and egid==gid
+****************************************************************************/
+void set_effective_gid(gid_t gid)
+{
+#if USE_SETRESUID
+	setresgid(-1,gid,-1);
+#endif
+
+#if USE_SETREUID
+	setregid(-1,gid);
+#endif
+
+#if USE_SETEUID
+	setegid(gid);
+#endif
+
+#if USE_SETUIDX
+	setgidx(ID_EFFECTIVE, gid);
+#endif
+
+	assert_gid(-1, gid);
+}
+
+static uid_t saved_euid, saved_ruid;
+static gid_t saved_egid, saved_rgid;
+
+/****************************************************************************
+ save the real and effective uid for later restoration. Used by the quotas
+ code
+****************************************************************************/
+void save_re_uid(void)
+{
+	saved_ruid = getuid();
+	saved_euid = geteuid();
+}
+
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+
+void restore_re_uid_fromroot(void)
+{
+#if USE_SETRESUID
+	setresuid(saved_ruid, saved_euid, -1);
+#elif USE_SETREUID
+	setreuid(saved_ruid, -1);
+	setreuid(-1,saved_euid);
+#elif USE_SETUIDX
+	setuidx(ID_REAL, saved_ruid);
+	setuidx(ID_EFFECTIVE, saved_euid);
+#else
+	set_effective_uid(saved_euid);
+	if (getuid() != saved_ruid)
+		setuid(saved_ruid);
+	set_effective_uid(saved_euid);
+#endif
+
+	assert_uid(saved_ruid, saved_euid);
+}
+
+void restore_re_uid(void)
+{
+	set_effective_uid(0);
+	restore_re_uid_fromroot();
+}
+
+/****************************************************************************
+ save the real and effective gid for later restoration. Used by the 
+ getgroups code
+****************************************************************************/
+void save_re_gid(void)
+{
+	saved_rgid = getgid();
+	saved_egid = getegid();
+}
+
+/****************************************************************************
+ and restore them!
+****************************************************************************/
+void restore_re_gid(void)
+{
+#if USE_SETRESUID
+	setresgid(saved_rgid, saved_egid, -1);
+#elif USE_SETREUID
+	setregid(saved_rgid, -1);
+	setregid(-1,saved_egid);
+#elif USE_SETUIDX
+	setgidx(ID_REAL, saved_rgid);
+	setgidx(ID_EFFECTIVE, saved_egid);
+#else
+	set_effective_gid(saved_egid);
+	if (getgid() != saved_rgid)
+		setgid(saved_rgid);
+	set_effective_gid(saved_egid);
+#endif
+
+	assert_gid(saved_rgid, saved_egid);
+}
+
+
+/****************************************************************************
+ set the real AND effective uid to the current effective uid in a way that
+ allows root to be regained.
+ This is only possible on some platforms.
+****************************************************************************/
+int set_re_uid(void)
+{
+	uid_t uid = geteuid();
+
+#if USE_SETRESUID
+	setresuid(geteuid(), -1, -1);
+#endif
+
+#if USE_SETREUID
+	setreuid(0, 0);
+	setreuid(uid, -1);
+	setreuid(-1, uid);
+#endif
+
+#if USE_SETEUID
+	/* can't be done */
+	return -1;
+#endif
+
+#if USE_SETUIDX
+	/* can't be done */
+	return -1;
+#endif
+
+	assert_uid(uid, uid);
+	return 0;
+}
+
+
+/****************************************************************************
+ Become the specified uid and gid - permanently !
+ there should be no way back if possible
+****************************************************************************/
+void become_user_permanently(uid_t uid, gid_t gid)
+{
+	/*
+	 * First - gain root privilege. We do this to ensure
+	 * we can lose it again.
+	 */
+
+	gain_root_privilege();
+	gain_root_group_privilege();
+
+#if USE_SETRESUID
+	setresgid(gid,gid,gid);
+	setgid(gid);
+	setresuid(uid,uid,uid);
+	setuid(uid);
+#endif
+
+#if USE_SETREUID
+	setregid(gid,gid);
+	setgid(gid);
+	setreuid(uid,uid);
+	setuid(uid);
+#endif
+
+#if USE_SETEUID
+	setegid(gid);
+	setgid(gid);
+	setuid(uid);
+	seteuid(uid);
+	setuid(uid);
+#endif
+
+#if USE_SETUIDX
+	setgidx(ID_REAL, gid);
+	setgidx(ID_EFFECTIVE, gid);
+	setgid(gid);
+	setuidx(ID_REAL, uid);
+	setuidx(ID_EFFECTIVE, uid);
+	setuid(uid);
+#endif
+	
+	assert_uid(uid, uid);
+	assert_gid(gid, gid);
+}
+
+#ifdef AUTOCONF_TEST
+
+/****************************************************************************
+this function just checks that we don't get ENOSYS back
+****************************************************************************/
+static int have_syscall(void)
+{
+	errno = 0;
+
+#if USE_SETRESUID
+	setresuid(-1,-1,-1);
+#endif
+
+#if USE_SETREUID
+	setreuid(-1,-1);
+#endif
+
+#if USE_SETEUID
+	seteuid(-1);
+#endif
+
+#if USE_SETUIDX
+	setuidx(ID_EFFECTIVE, -1);
+#endif
+
+	if (errno == ENOSYS) return -1;
+	
+	return 0;
+}
+
+main()
+{
+        if (getuid() != 0) {
+#if (defined(AIX) && defined(USE_SETREUID))
+		/* setreuid is badly broken on AIX 4.1, we avoid it completely */
+                fprintf(stderr,"avoiding possibly broken setreuid\n");
+		exit(1);
+#endif
+
+		/* if not running as root then at least check to see if we get ENOSYS - this 
+		   handles Linux 2.0.x with glibc 2.1 */
+                fprintf(stderr,"not running as root: checking for ENOSYS\n");
+		exit(have_syscall());
+	}
+
+	gain_root_privilege();
+	gain_root_group_privilege();
+	set_effective_gid(1);
+	set_effective_uid(1);
+	save_re_uid();
+	restore_re_uid();
+	gain_root_privilege();
+	gain_root_group_privilege();
+	become_user_permanently(1, 1);
+	setuid(0);
+	if (getuid() == 0) {
+		fprintf(stderr,"uid not set permanently\n");
+		exit(1);
+	}
+
+	printf("OK\n");
+
+	exit(0);
+}
+#endif
+
+/****************************************************************************
+Check if we are setuid root.  Used in libsmb and smbpasswd paranoia checks.
+****************************************************************************/
+bool is_setuid_root(void) 
+{
+	return (geteuid() == (uid_t)0) && (getuid() != (uid_t)0);
+}
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
new file mode 100644
index 0000000000..53614ed1ac
--- /dev/null
+++ b/source3/lib/util_sid.c
@@ -0,0 +1,751 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 		1992-1998
+   Copyright (C) Luke Kenneth Caseson Leighton 	1998-1999
+   Copyright (C) Jeremy Allison  		1999
+   Copyright (C) Stefan (metze) Metzmacher 	2002
+   Copyright (C) Simo Sorce 			2002
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
+      
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*
+ * Some useful sids, more well known sids can be found at
+ * http://support.microsoft.com/kb/243330/EN-US/
+ */
+
+
+const DOM_SID global_sid_World_Domain =               /* Everyone domain */
+{ 1, 0, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_World =                      /* Everyone */
+{ 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Creator_Owner_Domain =       /* Creator Owner domain */
+{ 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_NT_Authority =    		/* NT Authority */
+{ 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_System =			/* System */
+{ 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_NULL =            		/* NULL sid */
+{ 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Authenticated_Users =	/* All authenticated rids */
+{ 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+#if 0
+/* for documentation */
+const DOM_SID global_sid_Restriced =			/* Restriced Code */
+{ 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+#endif
+const DOM_SID global_sid_Network =			/* Network rids */
+{ 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+const DOM_SID global_sid_Creator_Owner =		/* Creator Owner */
+{ 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Creator_Group =		/* Creator Group */
+{ 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Anonymous =			/* Anonymous login */
+{ 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+const DOM_SID global_sid_Builtin = 			/* Local well-known domain */
+{ 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Administrators =	/* Builtin administrators */
+{ 1, 2, {0,0,0,0,0,5}, {32,544,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Users =		/* Builtin users */
+{ 1, 2, {0,0,0,0,0,5}, {32,545,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Guests =		/* Builtin guest users */
+{ 1, 2, {0,0,0,0,0,5}, {32,546,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Power_Users =	/* Builtin power users */
+{ 1, 2, {0,0,0,0,0,5}, {32,547,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Account_Operators =	/* Builtin account operators */
+{ 1, 2, {0,0,0,0,0,5}, {32,548,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Server_Operators =	/* Builtin server operators */
+{ 1, 2, {0,0,0,0,0,5}, {32,549,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Print_Operators =	/* Builtin print operators */
+{ 1, 2, {0,0,0,0,0,5}, {32,550,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Backup_Operators =	/* Builtin backup operators */
+{ 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_Replicator =		/* Builtin replicator */
+{ 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_PreWin2kAccess =	/* Builtin pre win2k access */
+{ 1, 2, {0,0,0,0,0,5}, {32,554,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+const DOM_SID global_sid_Unix_Users =			/* Unmapped Unix users */
+{ 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Unix_Groups =			/* Unmapped Unix groups */
+{ 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+/* Unused, left here for documentary purposes */
+#if 0
+#define SECURITY_NULL_SID_AUTHORITY    0
+#define SECURITY_WORLD_SID_AUTHORITY   1
+#define SECURITY_LOCAL_SID_AUTHORITY   2
+#define SECURITY_CREATOR_SID_AUTHORITY 3
+#define SECURITY_NT_AUTHORITY          5
+#endif
+
+/*
+ * An NT compatible anonymous token.
+ */
+
+static DOM_SID anon_sid_array[3] =
+{ { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
+  { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
+  { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
+NT_USER_TOKEN anonymous_token = { 3, anon_sid_array, SE_NONE };
+
+static DOM_SID system_sid_array[1] =
+{ { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
+NT_USER_TOKEN system_token = { 1, system_sid_array, SE_ALL_PRIVS };
+
+/****************************************************************************
+ Lookup string names for SID types.
+****************************************************************************/
+
+static const struct {
+	enum lsa_SidType sid_type;
+	const char *string;
+} sid_name_type[] = {
+	{SID_NAME_USER, "User"},
+	{SID_NAME_DOM_GRP, "Domain Group"},
+	{SID_NAME_DOMAIN, "Domain"},
+	{SID_NAME_ALIAS, "Local Group"},
+	{SID_NAME_WKN_GRP, "Well-known Group"},
+	{SID_NAME_DELETED, "Deleted Account"},
+	{SID_NAME_INVALID, "Invalid Account"},
+	{SID_NAME_UNKNOWN, "UNKNOWN"},
+	{SID_NAME_COMPUTER, "Computer"},
+
+ 	{(enum lsa_SidType)0, NULL}
+};
+
+const char *sid_type_lookup(uint32 sid_type) 
+{
+	int i = 0;
+
+	/* Look through list */
+	while(sid_name_type[i].sid_type != 0) {
+		if (sid_name_type[i].sid_type == sid_type)
+			return sid_name_type[i].string;
+		i++;
+	}
+
+	/* Default return */
+	return "SID *TYPE* is INVALID";
+}
+
+/**************************************************************************
+ Create the SYSTEM token.
+***************************************************************************/
+
+NT_USER_TOKEN *get_system_token(void) 
+{
+	return &system_token;
+}
+
+/******************************************************************
+ get the default domain/netbios name to be used when dealing 
+ with our passdb list of accounts
+******************************************************************/
+
+const char *get_global_sam_name(void) 
+{
+	if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+		return lp_workgroup();
+	}
+	return global_myname();
+}
+
+/*****************************************************************
+ Convert a SID to an ascii string.
+*****************************************************************/
+
+char *sid_to_fstring(fstring sidstr_out, const DOM_SID *sid)
+{
+	char *str = sid_string_talloc(talloc_tos(), sid);
+	fstrcpy(sidstr_out, str);
+	TALLOC_FREE(str);
+	return sidstr_out;
+}
+
+/*****************************************************************
+ Essentially a renamed dom_sid_string from librpc/ndr with a
+ panic if it didn't work
+
+ This introduces a dependency on librpc/ndr/sid.o which can easily
+ be turned around if necessary
+*****************************************************************/
+
+char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
+{
+	char *result = dom_sid_string(mem_ctx, sid);
+	SMB_ASSERT(result != NULL);
+	return result;
+}
+
+/*****************************************************************
+ Useful function for debug lines.
+*****************************************************************/
+
+char *sid_string_dbg(const DOM_SID *sid)
+{
+	return sid_string_talloc(debug_ctx(), sid);
+}
+
+/*****************************************************************
+ Use with care!
+*****************************************************************/
+
+char *sid_string_tos(const DOM_SID *sid)
+{
+	return sid_string_talloc(talloc_tos(), sid);
+}
+
+/*****************************************************************
+ Convert a string to a SID. Returns True on success, False on fail.
+*****************************************************************/  
+   
+bool string_to_sid(DOM_SID *sidout, const char *sidstr)
+{
+	const char *p;
+	char *q;
+	/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+	uint32 conv;
+  
+	if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
+		DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
+		return False;
+	}
+
+	ZERO_STRUCTP(sidout);
+
+	/* Get the revision number. */
+	p = sidstr + 2;
+	conv = (uint32) strtoul(p, &q, 10);
+	if (!q || (*q != '-')) {
+		DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
+		return False;
+	}
+	sidout->sid_rev_num = (uint8) conv;
+	q++;
+
+	/* get identauth */
+	conv = (uint32) strtoul(q, &q, 10);
+	if (!q || (*q != '-')) {
+		DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
+		return False;
+	}
+	/* identauth in decimal should be <  2^32 */
+	/* NOTE - the conv value is in big-endian format. */
+	sidout->id_auth[0] = 0;
+	sidout->id_auth[1] = 0;
+	sidout->id_auth[2] = (conv & 0xff000000) >> 24;
+	sidout->id_auth[3] = (conv & 0x00ff0000) >> 16;
+	sidout->id_auth[4] = (conv & 0x0000ff00) >> 8;
+	sidout->id_auth[5] = (conv & 0x000000ff);
+
+	q++;
+	sidout->num_auths = 0;
+
+	for(conv = (uint32) strtoul(q, &q, 10);
+	    q && (*q =='-' || *q =='\0') && (sidout->num_auths < MAXSUBAUTHS);
+	    conv = (uint32) strtoul(q, &q, 10)) {
+		sid_append_rid(sidout, conv);
+		if (*q == '\0')
+			break;
+		q++;
+	}
+		
+	return True;
+}
+
+DOM_SID *string_sid_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
+{
+	DOM_SID *result = TALLOC_P(mem_ctx, DOM_SID);
+
+	if (result == NULL)
+		return NULL;
+
+	if (!string_to_sid(result, sidstr))
+		return NULL;
+
+	return result;
+}
+
+/*****************************************************************
+ Add a rid to the end of a sid
+*****************************************************************/  
+
+bool sid_append_rid(DOM_SID *sid, uint32 rid)
+{
+	if (sid->num_auths < MAXSUBAUTHS) {
+		sid->sub_auths[sid->num_auths++] = rid;
+		return True;
+	}
+	return False;
+}
+
+bool sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid)
+{
+	sid_copy(dst, domain_sid);
+	return sid_append_rid(dst, rid);
+}
+
+/*****************************************************************
+ Removes the last rid from the end of a sid
+*****************************************************************/  
+
+bool sid_split_rid(DOM_SID *sid, uint32 *rid)
+{
+	if (sid->num_auths > 0) {
+		sid->num_auths--;
+		*rid = sid->sub_auths[sid->num_auths];
+		return True;
+	}
+	return False;
+}
+
+/*****************************************************************
+ Return the last rid from the end of a sid
+*****************************************************************/  
+
+bool sid_peek_rid(const DOM_SID *sid, uint32 *rid)
+{
+	if (!sid || !rid)
+		return False;		
+	
+	if (sid->num_auths > 0) {
+		*rid = sid->sub_auths[sid->num_auths - 1];
+		return True;
+	}
+	return False;
+}
+
+/*****************************************************************
+ Return the last rid from the end of a sid
+ and check the sid against the exp_dom_sid  
+*****************************************************************/  
+
+bool sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
+{
+	if (!exp_dom_sid || !sid || !rid)
+		return False;
+			
+	if (sid->num_auths != (exp_dom_sid->num_auths+1)) {
+		return False;
+	}
+
+	if (sid_compare_domain(exp_dom_sid, sid)!=0){
+		*rid=(-1);
+		return False;
+	}
+	
+	return sid_peek_rid(sid, rid);
+}
+
+/*****************************************************************
+ Copies a sid
+*****************************************************************/  
+
+void sid_copy(DOM_SID *dst, const DOM_SID *src)
+{
+	int i;
+
+	ZERO_STRUCTP(dst);
+
+	dst->sid_rev_num = src->sid_rev_num;
+	dst->num_auths = src->num_auths;
+
+	memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
+
+	for (i = 0; i < src->num_auths; i++)
+		dst->sub_auths[i] = src->sub_auths[i];
+}
+
+/*****************************************************************
+ Write a sid out into on-the-wire format.
+*****************************************************************/  
+
+bool sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
+{
+	size_t i;
+
+	if (len < ndr_size_dom_sid(sid, 0))
+		return False;
+
+	SCVAL(outbuf,0,sid->sid_rev_num);
+	SCVAL(outbuf,1,sid->num_auths);
+	memcpy(&outbuf[2], sid->id_auth, 6);
+	for(i = 0; i < sid->num_auths; i++)
+		SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]);
+
+	return True;
+}
+
+/*****************************************************************
+ Parse a on-the-wire SID to a DOM_SID.
+*****************************************************************/  
+
+bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
+{
+	int i;
+	if (len < 8)
+		return False;
+
+	ZERO_STRUCTP(sid);
+
+	sid->sid_rev_num = CVAL(inbuf, 0);
+	sid->num_auths = CVAL(inbuf, 1);
+	memcpy(sid->id_auth, inbuf+2, 6);
+	if (len < 8 + sid->num_auths*4)
+		return False;
+	for (i=0;i<sid->num_auths;i++)
+		sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
+	return True;
+}
+
+/*****************************************************************
+ Compare the auth portion of two sids.
+*****************************************************************/  
+
+static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
+{
+	int i;
+
+	if (sid1 == sid2)
+		return 0;
+	if (!sid1)
+		return -1;
+	if (!sid2)
+		return 1;
+
+	if (sid1->sid_rev_num != sid2->sid_rev_num)
+		return sid1->sid_rev_num - sid2->sid_rev_num;
+
+	for (i = 0; i < 6; i++)
+		if (sid1->id_auth[i] != sid2->id_auth[i])
+			return sid1->id_auth[i] - sid2->id_auth[i];
+
+	return 0;
+}
+
+/*****************************************************************
+ Compare two sids.
+*****************************************************************/  
+
+int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
+{
+	int i;
+
+	if (sid1 == sid2)
+		return 0;
+	if (!sid1)
+		return -1;
+	if (!sid2)
+		return 1;
+
+	/* Compare most likely different rids, first: i.e start at end */
+	if (sid1->num_auths != sid2->num_auths)
+		return sid1->num_auths - sid2->num_auths;
+
+	for (i = sid1->num_auths-1; i >= 0; --i)
+		if (sid1->sub_auths[i] != sid2->sub_auths[i])
+			return sid1->sub_auths[i] - sid2->sub_auths[i];
+
+	return sid_compare_auth(sid1, sid2);
+}
+
+/*****************************************************************
+ See if 2 SIDs are in the same domain
+ this just compares the leading sub-auths
+*****************************************************************/  
+
+int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
+{
+	int n, i;
+
+	n = MIN(sid1->num_auths, sid2->num_auths);
+
+	for (i = n-1; i >= 0; --i)
+		if (sid1->sub_auths[i] != sid2->sub_auths[i])
+			return sid1->sub_auths[i] - sid2->sub_auths[i];
+
+	return sid_compare_auth(sid1, sid2);
+}
+
+/*****************************************************************
+ Compare two sids.
+*****************************************************************/  
+
+bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
+{
+	return sid_compare(sid1, sid2) == 0;
+}
+
+/*****************************************************************
+ Returns true if SID is internal (and non-mappable).
+*****************************************************************/
+
+bool non_mappable_sid(DOM_SID *sid)
+{
+	DOM_SID dom;
+	uint32 rid;
+
+	sid_copy(&dom, sid);
+	sid_split_rid(&dom, &rid);
+
+	if (sid_equal(&dom, &global_sid_Builtin))
+		return True;
+
+	if (sid_equal(&dom, &global_sid_NT_Authority))
+		return True;
+
+	return False;
+}
+
+/*****************************************************************
+ Return the binary string representation of a DOM_SID.
+ Caller must free.
+*****************************************************************/
+
+char *sid_binstring(const DOM_SID *sid)
+{
+	char *buf, *s;
+	int len = ndr_size_dom_sid(sid, 0);
+	buf = (char *)SMB_MALLOC(len);
+	if (!buf)
+		return NULL;
+	sid_linearize(buf, len, sid);
+	s = binary_string_rfc2254(buf, len);
+	free(buf);
+	return s;
+}
+
+/*****************************************************************
+ Return the binary string representation of a DOM_SID.
+ Caller must free.
+*****************************************************************/
+
+char *sid_binstring_hex(const DOM_SID *sid)
+{
+	char *buf, *s;
+	int len = ndr_size_dom_sid(sid, 0);
+	buf = (char *)SMB_MALLOC(len);
+	if (!buf)
+		return NULL;
+	sid_linearize(buf, len, sid);
+	s = binary_string(buf, len);
+	free(buf);
+	return s;
+}
+
+/*******************************************************************
+ Tallocs a duplicate SID. 
+********************************************************************/ 
+
+DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src)
+{
+	DOM_SID *dst;
+	
+	if(!src)
+		return NULL;
+	
+	if((dst = TALLOC_ZERO_P(ctx, DOM_SID)) != NULL) {
+		sid_copy( dst, src);
+	}
+	
+	return dst;
+}
+
+/********************************************************************
+ Add SID to an array SIDs
+********************************************************************/
+
+NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
+			  DOM_SID **sids, size_t *num)
+{
+	*sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID,
+					     (*num)+1);
+	if (*sids == NULL) {
+		*num = 0;
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sid_copy(&((*sids)[*num]), sid);
+	*num += 1;
+
+	return NT_STATUS_OK;
+}
+
+
+/********************************************************************
+ Add SID to an array SIDs ensuring that it is not already there
+********************************************************************/
+
+NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
+				 DOM_SID **sids, size_t *num_sids)
+{
+	size_t i;
+
+	for (i=0; i<(*num_sids); i++) {
+		if (sid_compare(sid, &(*sids)[i]) == 0)
+			return NT_STATUS_OK;
+	}
+
+	return add_sid_to_array(mem_ctx, sid, sids, num_sids);
+}
+
+/********************************************************************
+ Remove SID from an array
+********************************************************************/
+
+void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num)
+{
+	DOM_SID *sid_list = *sids;
+	size_t i;
+
+	for ( i=0; i<*num; i++ ) {
+
+		/* if we find the SID, then decrement the count
+		   and break out of the loop */
+
+		if ( sid_equal(sid, &sid_list[i]) ) {
+			*num -= 1;
+			break;
+		}
+	}
+
+	/* This loop will copy the remainder of the array 
+	   if i < num of sids ni the array */
+
+	for ( ; i<*num; i++ ) 
+		sid_copy( &sid_list[i], &sid_list[i+1] );
+	
+	return;
+}
+
+bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
+				    uint32 rid, uint32 **pp_rids, size_t *p_num)
+{
+	size_t i;
+
+	for (i=0; i<*p_num; i++) {
+		if ((*pp_rids)[i] == rid)
+			return True;
+	}
+	
+	*pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1);
+
+	if (*pp_rids == NULL) {
+		*p_num = 0;
+		return False;
+	}
+
+	(*pp_rids)[*p_num] = rid;
+	*p_num += 1;
+	return True;
+}
+
+bool is_null_sid(const DOM_SID *sid)
+{
+	static const DOM_SID null_sid = {0};
+	return sid_equal(sid, &null_sid);
+}
+
+NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
+			      const struct netr_SamInfo3 *info3,
+			      DOM_SID **user_sids,
+			      size_t *num_user_sids,
+			      bool include_user_group_rid,
+			      bool skip_ressource_groups)
+{
+	NTSTATUS status;
+	DOM_SID sid;
+	DOM_SID *sid_array = NULL;
+	size_t num_sids = 0;
+	int i;
+
+	if (include_user_group_rid) {
+		if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
+			DEBUG(3, ("could not compose user SID from rid 0x%x\n",
+				  info3->base.rid));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("could not append user SID from rid 0x%x\n",
+				  info3->base.rid));
+			return status;
+		}
+	}
+
+	if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
+		DEBUG(3, ("could not compose group SID from rid 0x%x\n",
+			  info3->base.primary_gid));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("could not append group SID from rid 0x%x\n",
+			  info3->base.rid));
+		return status;
+	}
+
+	for (i = 0; i < info3->base.groups.count; i++) {
+		/* Don't add the primary group sid twice. */
+		if (info3->base.primary_gid == info3->base.groups.rids[i].rid) {
+			continue;
+		}
+		if (!sid_compose(&sid, info3->base.domain_sid,
+				 info3->base.groups.rids[i].rid)) {
+			DEBUG(3, ("could not compose SID from additional group "
+				  "rid 0x%x\n", info3->base.groups.rids[i].rid));
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("could not append SID from additional group "
+				  "rid 0x%x\n", info3->base.groups.rids[i].rid));
+			return status;
+		}
+	}
+
+	/* Copy 'other' sids.  We need to do sid filtering here to
+ 	   prevent possible elevation of privileges.  See:
+
+           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+         */
+
+	for (i = 0; i < info3->sidcount; i++) {
+
+		if (skip_ressource_groups &&
+		    (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
+			continue;
+		}
+
+		status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
+				      &sid_array, &num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("could not add SID to array: %s\n",
+				  sid_string_dbg(info3->sids[i].sid)));
+			return status;
+		}
+	}
+
+	*user_sids = sid_array;
+	*num_user_sids = num_sids;
+
+	return NT_STATUS_OK;
+}
diff --git a/source3/lib/util_sock.c b/source3/lib/util_sock.c
new file mode 100644
index 0000000000..e20768ed89
--- /dev/null
+++ b/source3/lib/util_sock.c
@@ -0,0 +1,2104 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Tim Potter      2000-2001
+   Copyright (C) Jeremy Allison  1992-2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/****************************************************************************
+ Return true if a string could be an IPv4 address.
+****************************************************************************/
+
+bool is_ipaddress_v4(const char *str)
+{
+	int ret = -1;
+	struct in_addr dest;
+
+	ret = inet_pton(AF_INET, str, &dest);
+	if (ret > 0) {
+		return true;
+	}
+	return false;
+}
+
+/****************************************************************************
+ Return true if a string could be an IPv4 or IPv6 address.
+****************************************************************************/
+
+bool is_ipaddress(const char *str)
+{
+#if defined(HAVE_IPV6)
+	int ret = -1;
+
+	if (strchr_m(str, ':')) {
+		char addr[INET6_ADDRSTRLEN];
+		struct in6_addr dest6;
+		const char *sp = str;
+		char *p = strchr_m(str, '%');
+
+		/*
+		 * Cope with link-local.
+		 * This is IP:v6:addr%ifname.
+		 */
+
+		if (p && (p > str) && (if_nametoindex(p+1) != 0)) {
+			strlcpy(addr, str,
+				MIN(PTR_DIFF(p,str)+1,
+					sizeof(addr)));
+			sp = addr;
+		}
+		ret = inet_pton(AF_INET6, sp, &dest6);
+		if (ret > 0) {
+			return true;
+		}
+	}
+#endif
+	return is_ipaddress_v4(str);
+}
+
+/****************************************************************************
+ Is a sockaddr_storage a broadcast address ?
+****************************************************************************/
+
+bool is_broadcast_addr(const struct sockaddr_storage *pss)
+{
+#if defined(HAVE_IPV6)
+	if (pss->ss_family == AF_INET6) {
+		const struct in6_addr *sin6 =
+			&((const struct sockaddr_in6 *)pss)->sin6_addr;
+		return IN6_IS_ADDR_MULTICAST(sin6);
+	}
+#endif
+	if (pss->ss_family == AF_INET) {
+		uint32_t addr =
+		ntohl(((const struct sockaddr_in *)pss)->sin_addr.s_addr);
+		return addr == INADDR_BROADCAST;
+	}
+	return false;
+}
+
+/*******************************************************************
+ Wrap getaddrinfo...
+******************************************************************/
+
+static bool interpret_string_addr_internal(struct addrinfo **ppres,
+					const char *str, int flags)
+{
+	int ret;
+	struct addrinfo hints;
+
+	memset(&hints, '\0', sizeof(hints));
+	/* By default make sure it supports TCP. */
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = flags;
+
+	/* Linux man page on getaddinfo() says port will be
+	   uninitialized when service string in NULL */
+
+	ret = getaddrinfo(str, NULL,
+			&hints,
+			ppres);
+
+	if (ret) {
+		DEBUG(3,("interpret_string_addr_internal: getaddrinfo failed "
+			"for name %s [%s]\n",
+			str,
+			gai_strerror(ret) ));
+		return false;
+	}
+	return true;
+}
+
+/****************************************************************************
+ Interpret an internet address or name into an IP address in 4 byte form.
+ RETURNS IN NETWORK BYTE ORDER (big endian).
+****************************************************************************/
+
+uint32 interpret_addr(const char *str)
+{
+	uint32 ret;
+
+	/* If it's in the form of an IP address then
+	 * get the lib to interpret it */
+	if (is_ipaddress_v4(str)) {
+		struct in_addr dest;
+
+		if (inet_pton(AF_INET, str, &dest) <= 0) {
+			/* Error - this shouldn't happen ! */
+			DEBUG(0,("interpret_addr: inet_pton failed "
+				"host %s\n",
+				str));
+			return 0;
+		}
+		ret = dest.s_addr; /* NETWORK BYTE ORDER ! */
+	} else {
+		/* Otherwise assume it's a network name of some sort and use
+			getadddrinfo. */
+		struct addrinfo *res = NULL;
+		struct addrinfo *res_list = NULL;
+		if (!interpret_string_addr_internal(&res_list,
+					str,
+					AI_ADDRCONFIG)) {
+			DEBUG(3,("interpret_addr: Unknown host. %s\n",str));
+			return 0;
+		}
+
+		/* Find the first IPv4 address. */
+		for (res = res_list; res; res = res->ai_next) {
+			if (res->ai_family != AF_INET) {
+				continue;
+			}
+			if (res->ai_addr == NULL) {
+				continue;
+			}
+			break;
+		}
+		if(res == NULL) {
+			DEBUG(3,("interpret_addr: host address is "
+				"invalid for host %s\n",str));
+			if (res_list) {
+				freeaddrinfo(res_list);
+			}
+			return 0;
+		}
+		putip((char *)&ret,
+			&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr);
+		if (res_list) {
+			freeaddrinfo(res_list);
+		}
+	}
+
+	/* This is so bogus - all callers need fixing... JRA. */
+	if (ret == (uint32)-1) {
+		return 0;
+	}
+
+	return ret;
+}
+
+/*******************************************************************
+ A convenient addition to interpret_addr().
+******************************************************************/
+
+struct in_addr *interpret_addr2(struct in_addr *ip, const char *str)
+{
+	uint32 a = interpret_addr(str);
+	ip->s_addr = a;
+	return ip;
+}
+
+/*******************************************************************
+ Map a text hostname or IP address (IPv4 or IPv6) into a
+ struct sockaddr_storage.
+******************************************************************/
+
+bool interpret_string_addr(struct sockaddr_storage *pss,
+		const char *str,
+		int flags)
+{
+	struct addrinfo *res = NULL;
+#if defined(HAVE_IPV6)
+	char addr[INET6_ADDRSTRLEN];
+	unsigned int scope_id = 0;
+
+	if (strchr_m(str, ':')) {
+		char *p = strchr_m(str, '%');
+
+		/*
+		 * Cope with link-local.
+		 * This is IP:v6:addr%ifname.
+		 */
+
+		if (p && (p > str) && ((scope_id = if_nametoindex(p+1)) != 0)) {
+			strlcpy(addr, str,
+				MIN(PTR_DIFF(p,str)+1,
+					sizeof(addr)));
+			str = addr;
+		}
+	}
+#endif
+
+	zero_addr(pss);
+
+	if (!interpret_string_addr_internal(&res, str, flags|AI_ADDRCONFIG)) {
+		return false;
+	}
+	if (!res) {
+		return false;
+	}
+	/* Copy the first sockaddr. */
+	memcpy(pss, res->ai_addr, res->ai_addrlen);
+
+#if defined(HAVE_IPV6)
+	if (pss->ss_family == AF_INET6 && scope_id) {
+		struct sockaddr_in6 *ps6 = (struct sockaddr_in6 *)pss;
+		if (IN6_IS_ADDR_LINKLOCAL(&ps6->sin6_addr) &&
+				ps6->sin6_scope_id == 0) {
+			ps6->sin6_scope_id = scope_id;
+		}
+	}
+#endif
+
+	freeaddrinfo(res);
+	return true;
+}
+
+/*******************************************************************
+ Check if an IPv7 is 127.0.0.1
+******************************************************************/
+
+bool is_loopback_ip_v4(struct in_addr ip)
+{
+	struct in_addr a;
+	a.s_addr = htonl(INADDR_LOOPBACK);
+	return(ip.s_addr == a.s_addr);
+}
+
+/*******************************************************************
+ Check if a struct sockaddr_storage is the loopback address.
+******************************************************************/
+
+bool is_loopback_addr(const struct sockaddr_storage *pss)
+{
+#if defined(HAVE_IPV6)
+	if (pss->ss_family == AF_INET6) {
+		struct in6_addr *pin6 =
+			&((struct sockaddr_in6 *)pss)->sin6_addr;
+		return IN6_IS_ADDR_LOOPBACK(pin6);
+	}
+#endif
+	if (pss->ss_family == AF_INET) {
+		struct in_addr *pin = &((struct sockaddr_in *)pss)->sin_addr;
+		return is_loopback_ip_v4(*pin);
+	}
+	return false;
+}
+
+/*******************************************************************
+ Check if an IPv4 is 0.0.0.0.
+******************************************************************/
+
+bool is_zero_ip_v4(struct in_addr ip)
+{
+	uint32 a;
+	putip((char *)&a,(char *)&ip);
+	return(a == 0);
+}
+
+/*******************************************************************
+ Check if a struct sockaddr_storage has an unspecified address.
+******************************************************************/
+
+bool is_zero_addr(const struct sockaddr_storage *pss)
+{
+#if defined(HAVE_IPV6)
+	if (pss->ss_family == AF_INET6) {
+		struct in6_addr *pin6 =
+			&((struct sockaddr_in6 *)pss)->sin6_addr;
+		return IN6_IS_ADDR_UNSPECIFIED(pin6);
+	}
+#endif
+	if (pss->ss_family == AF_INET) {
+		struct in_addr *pin = &((struct sockaddr_in *)pss)->sin_addr;
+		return is_zero_ip_v4(*pin);
+	}
+	return false;
+}
+
+/*******************************************************************
+ Set an IP to 0.0.0.0.
+******************************************************************/
+
+void zero_ip_v4(struct in_addr *ip)
+{
+	memset(ip, '\0', sizeof(struct in_addr));
+}
+
+/*******************************************************************
+ Set an address to INADDR_ANY.
+******************************************************************/
+
+void zero_addr(struct sockaddr_storage *pss)
+{
+	memset(pss, '\0', sizeof(*pss));
+	/* Ensure we're at least a valid sockaddr-storage. */
+	pss->ss_family = AF_INET;
+}
+
+/*******************************************************************
+ Are two IPs on the same subnet - IPv4 version ?
+********************************************************************/
+
+bool same_net_v4(struct in_addr ip1,struct in_addr ip2,struct in_addr mask)
+{
+	uint32 net1,net2,nmask;
+
+	nmask = ntohl(mask.s_addr);
+	net1  = ntohl(ip1.s_addr);
+	net2  = ntohl(ip2.s_addr);
+
+	return((net1 & nmask) == (net2 & nmask));
+}
+
+/*******************************************************************
+ Convert an IPv4 struct in_addr to a struct sockaddr_storage.
+********************************************************************/
+
+void in_addr_to_sockaddr_storage(struct sockaddr_storage *ss,
+		struct in_addr ip)
+{
+	struct sockaddr_in *sa = (struct sockaddr_in *)ss;
+	memset(ss, '\0', sizeof(*ss));
+	sa->sin_family = AF_INET;
+	sa->sin_addr = ip;
+}
+
+#if defined(HAVE_IPV6)
+/*******************************************************************
+ Convert an IPv6 struct in_addr to a struct sockaddr_storage.
+********************************************************************/
+
+ void in6_addr_to_sockaddr_storage(struct sockaddr_storage *ss,
+		struct in6_addr ip)
+{
+	struct sockaddr_in6 *sa = (struct sockaddr_in6 *)ss;
+	memset(ss, '\0', sizeof(*ss));
+	sa->sin6_family = AF_INET6;
+	sa->sin6_addr = ip;
+}
+#endif
+
+/*******************************************************************
+ Are two IPs on the same subnet?
+********************************************************************/
+
+bool same_net(const struct sockaddr_storage *ip1,
+		const struct sockaddr_storage *ip2,
+		const struct sockaddr_storage *mask)
+{
+	if (ip1->ss_family != ip2->ss_family) {
+		/* Never on the same net. */
+		return false;
+	}
+
+#if defined(HAVE_IPV6)
+	if (ip1->ss_family == AF_INET6) {
+		struct sockaddr_in6 ip1_6 = *(struct sockaddr_in6 *)ip1;
+		struct sockaddr_in6 ip2_6 = *(struct sockaddr_in6 *)ip2;
+		struct sockaddr_in6 mask_6 = *(struct sockaddr_in6 *)mask;
+		char *p1 = (char *)&ip1_6.sin6_addr;
+		char *p2 = (char *)&ip2_6.sin6_addr;
+		char *m = (char *)&mask_6.sin6_addr;
+		int i;
+
+		for (i = 0; i < sizeof(struct in6_addr); i++) {
+			*p1++ &= *m;
+			*p2++ &= *m;
+			m++;
+		}
+		return (memcmp(&ip1_6.sin6_addr,
+				&ip2_6.sin6_addr,
+				sizeof(struct in6_addr)) == 0);
+	}
+#endif
+	if (ip1->ss_family == AF_INET) {
+		return same_net_v4(((const struct sockaddr_in *)ip1)->sin_addr,
+				((const struct sockaddr_in *)ip2)->sin_addr,
+				((const struct sockaddr_in *)mask)->sin_addr);
+	}
+	return false;
+}
+
+/*******************************************************************
+ Are two sockaddr_storage's the same family and address ? Ignore port etc.
+********************************************************************/
+
+bool addr_equal(const struct sockaddr_storage *ip1,
+		const struct sockaddr_storage *ip2)
+{
+	if (ip1->ss_family != ip2->ss_family) {
+		/* Never the same. */
+		return false;
+	}
+
+#if defined(HAVE_IPV6)
+	if (ip1->ss_family == AF_INET6) {
+		return (memcmp(&((const struct sockaddr_in6 *)ip1)->sin6_addr,
+				&((const struct sockaddr_in6 *)ip2)->sin6_addr,
+				sizeof(struct in6_addr)) == 0);
+	}
+#endif
+	if (ip1->ss_family == AF_INET) {
+		return (memcmp(&((const struct sockaddr_in *)ip1)->sin_addr,
+				&((const struct sockaddr_in *)ip2)->sin_addr,
+				sizeof(struct in_addr)) == 0);
+	}
+	return false;
+}
+
+/****************************************************************************
+ Is an IP address the INADDR_ANY or in6addr_any value ?
+****************************************************************************/
+
+bool is_address_any(const struct sockaddr_storage *psa)
+{
+#if defined(HAVE_IPV6)
+	if (psa->ss_family == AF_INET6) {
+		struct sockaddr_in6 *si6 = (struct sockaddr_in6 *)psa;
+		if (memcmp(&in6addr_any,
+				&si6->sin6_addr,
+				sizeof(in6addr_any)) == 0) {
+			return true;
+		}
+		return false;
+	}
+#endif
+	if (psa->ss_family == AF_INET) {
+		struct sockaddr_in *si = (struct sockaddr_in *)psa;
+		if (si->sin_addr.s_addr == INADDR_ANY) {
+			return true;
+		}
+		return false;
+	}
+	return false;
+}
+
+/****************************************************************************
+ Get a port number in host byte order from a sockaddr_storage.
+****************************************************************************/
+
+uint16_t get_sockaddr_port(const struct sockaddr_storage *pss)
+{
+	uint16_t port = 0;
+
+	if (pss->ss_family != AF_INET) {
+#if defined(HAVE_IPV6)
+		/* IPv6 */
+		const struct sockaddr_in6 *sa6 =
+			(const struct sockaddr_in6 *)pss;
+		port = ntohs(sa6->sin6_port);
+#endif
+	} else {
+		const struct sockaddr_in *sa =
+			(const struct sockaddr_in *)pss;
+		port = ntohs(sa->sin_port);
+	}
+	return port;
+}
+
+/****************************************************************************
+ Print out an IPv4 or IPv6 address from a struct sockaddr_storage.
+****************************************************************************/
+
+static char *print_sockaddr_len(char *dest,
+			size_t destlen,
+			const struct sockaddr_storage *psa,
+			socklen_t psalen)
+{
+	if (destlen > 0) {
+		dest[0] = '\0';
+	}
+	(void)sys_getnameinfo((const struct sockaddr *)psa,
+			psalen,
+			dest, destlen,
+			NULL, 0,
+			NI_NUMERICHOST);
+	return dest;
+}
+
+/****************************************************************************
+ Print out an IPv4 or IPv6 address from a struct sockaddr_storage.
+****************************************************************************/
+
+char *print_sockaddr(char *dest,
+			size_t destlen,
+			const struct sockaddr_storage *psa)
+{
+	return print_sockaddr_len(dest, destlen, psa,
+			sizeof(struct sockaddr_storage));
+}
+
+/****************************************************************************
+ Print out a canonical IPv4 or IPv6 address from a struct sockaddr_storage.
+****************************************************************************/
+
+char *print_canonical_sockaddr(TALLOC_CTX *ctx,
+			const struct sockaddr_storage *pss)
+{
+	char addr[INET6_ADDRSTRLEN];
+	char *dest = NULL;
+	int ret;
+
+	/* Linux getnameinfo() man pages says port is unitialized if
+	   service name is NULL. */
+
+	ret = sys_getnameinfo((const struct sockaddr *)pss,
+			sizeof(struct sockaddr_storage),
+			addr, sizeof(addr),
+			NULL, 0,
+			NI_NUMERICHOST);
+	if (ret != 0) {
+		return NULL;
+	}
+
+	if (pss->ss_family != AF_INET) {
+#if defined(HAVE_IPV6)
+		dest = talloc_asprintf(ctx, "[%s]", addr);
+#else
+		return NULL;
+#endif
+	} else {
+		dest = talloc_asprintf(ctx, "%s", addr);
+	}
+	
+	return dest;
+}
+
+/****************************************************************************
+ Return the string of an IP address (IPv4 or IPv6).
+****************************************************************************/
+
+static const char *get_socket_addr(int fd, char *addr_buf, size_t addr_len)
+{
+	struct sockaddr_storage sa;
+	socklen_t length = sizeof(sa);
+
+	/* Ok, returning a hard coded IPv4 address
+ 	 * is bogus, but it's just as bogus as a
+ 	 * zero IPv6 address. No good choice here.
+ 	 */
+
+	strlcpy(addr_buf, "0.0.0.0", addr_len);
+
+	if (fd == -1) {
+		return addr_buf;
+	}
+
+	if (getsockname(fd, (struct sockaddr *)&sa, &length) < 0) {
+		DEBUG(0,("getsockname failed. Error was %s\n",
+			strerror(errno) ));
+		return addr_buf;
+	}
+
+	return print_sockaddr_len(addr_buf, addr_len, &sa, length);
+}
+
+#if 0
+/* Not currently used. JRA. */
+/****************************************************************************
+ Return the port number we've bound to on a socket.
+****************************************************************************/
+
+static int get_socket_port(int fd)
+{
+	struct sockaddr_storage sa;
+	socklen_t length = sizeof(sa);
+
+	if (fd == -1) {
+		return -1;
+	}
+
+	if (getsockname(fd, (struct sockaddr *)&sa, &length) < 0) {
+		DEBUG(0,("getpeername failed. Error was %s\n",
+			strerror(errno) ));
+		return -1;
+	}
+
+#if defined(HAVE_IPV6)
+	if (sa.ss_family == AF_INET6) {
+		return ntohs(((struct sockaddr_in6 *)&sa)->sin6_port);
+	}
+#endif
+	if (sa.ss_family == AF_INET) {
+		return ntohs(((struct sockaddr_in *)&sa)->sin_port);
+	}
+	return -1;
+}
+#endif
+
+void set_sockaddr_port(struct sockaddr_storage *psa, uint16 port)
+{
+#if defined(HAVE_IPV6)
+	if (psa->ss_family == AF_INET6) {
+		((struct sockaddr_in6 *)psa)->sin6_port = htons(port);
+	}
+#endif
+	if (psa->ss_family == AF_INET) {
+		((struct sockaddr_in *)psa)->sin_port = htons(port);
+	}
+}
+
+const char *client_name(int fd)
+{
+	return get_peer_name(fd,false);
+}
+
+const char *client_addr(int fd, char *addr, size_t addrlen)
+{
+	return get_peer_addr(fd,addr,addrlen);
+}
+
+const char *client_socket_addr(int fd, char *addr, size_t addr_len)
+{
+	return get_socket_addr(fd, addr, addr_len);
+}
+
+#if 0
+/* Not currently used. JRA. */
+int client_socket_port(int fd)
+{
+	return get_socket_port(fd);
+}
+#endif
+
+/****************************************************************************
+ Accessor functions to make thread-safe code easier later...
+****************************************************************************/
+
+void set_smb_read_error(enum smb_read_errors *pre,
+			enum smb_read_errors newerr)
+{
+	if (pre) {
+		*pre = newerr;
+	}
+}
+
+void cond_set_smb_read_error(enum smb_read_errors *pre,
+			enum smb_read_errors newerr)
+{
+	if (pre && *pre == SMB_READ_OK) {
+		*pre = newerr;
+	}
+}
+
+/****************************************************************************
+ Determine if a file descriptor is in fact a socket.
+****************************************************************************/
+
+bool is_a_socket(int fd)
+{
+	int v;
+	socklen_t l;
+	l = sizeof(int);
+	return(getsockopt(fd, SOL_SOCKET, SO_TYPE, (char *)&v, &l) == 0);
+}
+
+enum SOCK_OPT_TYPES {OPT_BOOL,OPT_INT,OPT_ON};
+
+typedef struct smb_socket_option {
+	const char *name;
+	int level;
+	int option;
+	int value;
+	int opttype;
+} smb_socket_option;
+
+static const smb_socket_option socket_options[] = {
+  {"SO_KEEPALIVE", SOL_SOCKET, SO_KEEPALIVE, 0, OPT_BOOL},
+  {"SO_REUSEADDR", SOL_SOCKET, SO_REUSEADDR, 0, OPT_BOOL},
+  {"SO_BROADCAST", SOL_SOCKET, SO_BROADCAST, 0, OPT_BOOL},
+#ifdef TCP_NODELAY
+  {"TCP_NODELAY", IPPROTO_TCP, TCP_NODELAY, 0, OPT_BOOL},
+#endif
+#ifdef TCP_KEEPCNT
+  {"TCP_KEEPCNT", IPPROTO_TCP, TCP_KEEPCNT, 0, OPT_INT},
+#endif
+#ifdef TCP_KEEPIDLE
+  {"TCP_KEEPIDLE", IPPROTO_TCP, TCP_KEEPIDLE, 0, OPT_INT},
+#endif
+#ifdef TCP_KEEPINTVL
+  {"TCP_KEEPINTVL", IPPROTO_TCP, TCP_KEEPINTVL, 0, OPT_INT},
+#endif
+#ifdef IPTOS_LOWDELAY
+  {"IPTOS_LOWDELAY", IPPROTO_IP, IP_TOS, IPTOS_LOWDELAY, OPT_ON},
+#endif
+#ifdef IPTOS_THROUGHPUT
+  {"IPTOS_THROUGHPUT", IPPROTO_IP, IP_TOS, IPTOS_THROUGHPUT, OPT_ON},
+#endif
+#ifdef SO_REUSEPORT
+  {"SO_REUSEPORT", SOL_SOCKET, SO_REUSEPORT, 0, OPT_BOOL},
+#endif
+#ifdef SO_SNDBUF
+  {"SO_SNDBUF", SOL_SOCKET, SO_SNDBUF, 0, OPT_INT},
+#endif
+#ifdef SO_RCVBUF
+  {"SO_RCVBUF", SOL_SOCKET, SO_RCVBUF, 0, OPT_INT},
+#endif
+#ifdef SO_SNDLOWAT
+  {"SO_SNDLOWAT", SOL_SOCKET, SO_SNDLOWAT, 0, OPT_INT},
+#endif
+#ifdef SO_RCVLOWAT
+  {"SO_RCVLOWAT", SOL_SOCKET, SO_RCVLOWAT, 0, OPT_INT},
+#endif
+#ifdef SO_SNDTIMEO
+  {"SO_SNDTIMEO", SOL_SOCKET, SO_SNDTIMEO, 0, OPT_INT},
+#endif
+#ifdef SO_RCVTIMEO
+  {"SO_RCVTIMEO", SOL_SOCKET, SO_RCVTIMEO, 0, OPT_INT},
+#endif
+#ifdef TCP_FASTACK
+  {"TCP_FASTACK", IPPROTO_TCP, TCP_FASTACK, 0, OPT_INT},
+#endif
+  {NULL,0,0,0,0}};
+
+/****************************************************************************
+ Print socket options.
+****************************************************************************/
+
+static void print_socket_options(int s)
+{
+	int value;
+	socklen_t vlen = 4;
+	const smb_socket_option *p = &socket_options[0];
+
+	/* wrapped in if statement to prevent streams
+	 * leak in SCO Openserver 5.0 */
+	/* reported on samba-technical  --jerry */
+	if ( DEBUGLEVEL >= 5 ) {
+		for (; p->name != NULL; p++) {
+			if (getsockopt(s, p->level, p->option,
+						(void *)&value, &vlen) == -1) {
+				DEBUG(5,("Could not test socket option %s.\n",
+							p->name));
+			} else {
+				DEBUG(5,("socket option %s = %d\n",
+							p->name,value));
+			}
+		}
+	}
+ }
+
+/****************************************************************************
+ Set user socket options.
+****************************************************************************/
+
+void set_socket_options(int fd, const char *options)
+{
+	TALLOC_CTX *ctx = talloc_stackframe();
+	char *tok;
+
+	while (next_token_talloc(ctx, &options, &tok," \t,")) {
+		int ret=0,i;
+		int value = 1;
+		char *p;
+		bool got_value = false;
+
+		if ((p = strchr_m(tok,'='))) {
+			*p = 0;
+			value = atoi(p+1);
+			got_value = true;
+		}
+
+		for (i=0;socket_options[i].name;i++)
+			if (strequal(socket_options[i].name,tok))
+				break;
+
+		if (!socket_options[i].name) {
+			DEBUG(0,("Unknown socket option %s\n",tok));
+			continue;
+		}
+
+		switch (socket_options[i].opttype) {
+		case OPT_BOOL:
+		case OPT_INT:
+			ret = setsockopt(fd,socket_options[i].level,
+					socket_options[i].option,
+					(char *)&value,sizeof(int));
+			break;
+
+		case OPT_ON:
+			if (got_value)
+				DEBUG(0,("syntax error - %s "
+					"does not take a value\n",tok));
+
+			{
+				int on = socket_options[i].value;
+				ret = setsockopt(fd,socket_options[i].level,
+					socket_options[i].option,
+					(char *)&on,sizeof(int));
+			}
+			break;
+		}
+
+		if (ret != 0) {
+			/* be aware that some systems like Solaris return
+			 * EINVAL to a setsockopt() call when the client
+			 * sent a RST previously - no need to worry */
+			DEBUG(2,("Failed to set socket option %s (Error %s)\n",
+				tok, strerror(errno) ));
+		}
+	}
+
+	TALLOC_FREE(ctx);
+	print_socket_options(fd);
+}
+
+/****************************************************************************
+ Read from a socket.
+****************************************************************************/
+
+ssize_t read_udp_v4_socket(int fd,
+			char *buf,
+			size_t len,
+			struct sockaddr_storage *psa)
+{
+	ssize_t ret;
+	socklen_t socklen = sizeof(*psa);
+	struct sockaddr_in *si = (struct sockaddr_in *)psa;
+
+	memset((char *)psa,'\0',socklen);
+
+	ret = (ssize_t)sys_recvfrom(fd,buf,len,0,
+			(struct sockaddr *)psa,&socklen);
+	if (ret <= 0) {
+		/* Don't print a low debug error for a non-blocking socket. */
+		if (errno == EAGAIN) {
+			DEBUG(10,("read_udp_v4_socket: returned EAGAIN\n"));
+		} else {
+			DEBUG(2,("read_udp_v4_socket: failed. errno=%s\n",
+				strerror(errno)));
+		}
+		return 0;
+	}
+
+	if (psa->ss_family != AF_INET) {
+		DEBUG(2,("read_udp_v4_socket: invalid address family %d "
+			"(not IPv4)\n", (int)psa->ss_family));
+		return 0;
+	}
+
+	DEBUG(10,("read_udp_v4_socket: ip %s port %d read: %lu\n",
+			inet_ntoa(si->sin_addr),
+			si->sin_port,
+			(unsigned long)ret));
+
+	return ret;
+}
+
+/****************************************************************************
+ Read data from a socket with a timout in msec.
+ mincount = if timeout, minimum to read before returning
+ maxcount = number to be read.
+ time_out = timeout in milliseconds
+****************************************************************************/
+
+NTSTATUS read_socket_with_timeout(int fd, char *buf,
+				  size_t mincnt, size_t maxcnt,
+				  unsigned int time_out,
+				  size_t *size_ret)
+{
+	fd_set fds;
+	int selrtn;
+	ssize_t readret;
+	size_t nread = 0;
+	struct timeval timeout;
+	char addr[INET6_ADDRSTRLEN];
+
+	/* just checking .... */
+	if (maxcnt <= 0)
+		return NT_STATUS_OK;
+
+	/* Blocking read */
+	if (time_out == 0) {
+		if (mincnt == 0) {
+			mincnt = maxcnt;
+		}
+
+		while (nread < mincnt) {
+			readret = sys_read(fd, buf + nread, maxcnt - nread);
+
+			if (readret == 0) {
+				DEBUG(5,("read_socket_with_timeout: "
+					"blocking read. EOF from client.\n"));
+				return NT_STATUS_END_OF_FILE;
+			}
+
+			if (readret == -1) {
+				if (fd == get_client_fd()) {
+					/* Try and give an error message
+					 * saying what client failed. */
+					DEBUG(0,("read_socket_with_timeout: "
+						"client %s read error = %s.\n",
+						get_peer_addr(fd,addr,sizeof(addr)),
+						strerror(errno) ));
+				} else {
+					DEBUG(0,("read_socket_with_timeout: "
+						"read error = %s.\n",
+						strerror(errno) ));
+				}
+				return map_nt_error_from_unix(errno);
+			}
+			nread += readret;
+		}
+		goto done;
+	}
+
+	/* Most difficult - timeout read */
+	/* If this is ever called on a disk file and
+	   mincnt is greater then the filesize then
+	   system performance will suffer severely as
+	   select always returns true on disk files */
+
+	/* Set initial timeout */
+	timeout.tv_sec = (time_t)(time_out / 1000);
+	timeout.tv_usec = (long)(1000 * (time_out % 1000));
+
+	for (nread=0; nread < mincnt; ) {
+		FD_ZERO(&fds);
+		FD_SET(fd,&fds);
+
+		selrtn = sys_select_intr(fd+1,&fds,NULL,NULL,&timeout);
+
+		/* Check if error */
+		if (selrtn == -1) {
+			/* something is wrong. Maybe the socket is dead? */
+			if (fd == get_client_fd()) {
+				/* Try and give an error message saying
+				 * what client failed. */
+				DEBUG(0,("read_socket_with_timeout: timeout "
+				"read for client %s. select error = %s.\n",
+				get_peer_addr(fd,addr,sizeof(addr)),
+				strerror(errno) ));
+			} else {
+				DEBUG(0,("read_socket_with_timeout: timeout "
+				"read. select error = %s.\n",
+				strerror(errno) ));
+			}
+			return map_nt_error_from_unix(errno);
+		}
+
+		/* Did we timeout ? */
+		if (selrtn == 0) {
+			DEBUG(10,("read_socket_with_timeout: timeout read. "
+				"select timed out.\n"));
+			return NT_STATUS_IO_TIMEOUT;
+		}
+
+		readret = sys_read(fd, buf+nread, maxcnt-nread);
+
+		if (readret == 0) {
+			/* we got EOF on the file descriptor */
+			DEBUG(5,("read_socket_with_timeout: timeout read. "
+				"EOF from client.\n"));
+			return NT_STATUS_END_OF_FILE;
+		}
+
+		if (readret == -1) {
+			/* the descriptor is probably dead */
+			if (fd == get_client_fd()) {
+				/* Try and give an error message
+				 * saying what client failed. */
+				DEBUG(0,("read_socket_with_timeout: timeout "
+					"read to client %s. read error = %s.\n",
+					get_peer_addr(fd,addr,sizeof(addr)),
+					strerror(errno) ));
+			} else {
+				DEBUG(0,("read_socket_with_timeout: timeout "
+					"read. read error = %s.\n",
+					strerror(errno) ));
+			}
+			return map_nt_error_from_unix(errno);
+		}
+
+		nread += readret;
+	}
+
+ done:
+	/* Return the number we got */
+	if (size_ret) {
+		*size_ret = nread;
+	}
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Read data from the client, reading exactly N bytes.
+****************************************************************************/
+
+NTSTATUS read_data(int fd, char *buffer, size_t N)
+{
+	return read_socket_with_timeout(fd, buffer, N, N, 0, NULL);
+}
+
+/****************************************************************************
+ Write data to a fd.
+****************************************************************************/
+
+ssize_t write_data(int fd, const char *buffer, size_t N)
+{
+	size_t total=0;
+	ssize_t ret;
+	char addr[INET6_ADDRSTRLEN];
+
+	while (total < N) {
+		ret = sys_write(fd,buffer + total,N - total);
+
+		if (ret == -1) {
+			if (fd == get_client_fd()) {
+				/* Try and give an error message saying
+				 * what client failed. */
+				DEBUG(0,("write_data: write failure in "
+					"writing to client %s. Error %s\n",
+					get_peer_addr(fd,addr,sizeof(addr)),
+					strerror(errno) ));
+			} else {
+				DEBUG(0,("write_data: write failure. "
+					"Error = %s\n", strerror(errno) ));
+			}
+			return -1;
+		}
+
+		if (ret == 0) {
+			return total;
+		}
+
+		total += ret;
+	}
+	return (ssize_t)total;
+}
+
+/****************************************************************************
+ Send a keepalive packet (rfc1002).
+****************************************************************************/
+
+bool send_keepalive(int client)
+{
+	unsigned char buf[4];
+
+	buf[0] = SMBkeepalive;
+	buf[1] = buf[2] = buf[3] = 0;
+
+	return(write_data(client,(char *)buf,4) == 4);
+}
+
+/****************************************************************************
+ Read 4 bytes of a smb packet and return the smb length of the packet.
+ Store the result in the buffer.
+ This version of the function will return a length of zero on receiving
+ a keepalive packet.
+ Timeout is in milliseconds.
+****************************************************************************/
+
+NTSTATUS read_smb_length_return_keepalive(int fd, char *inbuf,
+					  unsigned int timeout,
+					  size_t *len)
+{
+	int msg_type;
+	NTSTATUS status;
+
+	status = read_socket_with_timeout(fd, inbuf, 4, 4, timeout, NULL);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*len = smb_len(inbuf);
+	msg_type = CVAL(inbuf,0);
+
+	if (msg_type == SMBkeepalive) {
+		DEBUG(5,("Got keepalive packet\n"));
+	}
+
+	DEBUG(10,("got smb length of %lu\n",(unsigned long)(*len)));
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Read 4 bytes of a smb packet and return the smb length of the packet.
+ Store the result in the buffer. This version of the function will
+ never return a session keepalive (length of zero).
+ Timeout is in milliseconds.
+****************************************************************************/
+
+NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout,
+			 size_t *len)
+{
+	uint8_t msgtype = SMBkeepalive;
+
+	while (msgtype == SMBkeepalive) {
+		NTSTATUS status;
+
+		status = read_smb_length_return_keepalive(fd, inbuf, timeout,
+							  len);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		msgtype = CVAL(inbuf, 0);
+	}
+
+	DEBUG(10,("read_smb_length: got smb length of %lu\n",
+		  (unsigned long)len));
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Read an smb from a fd.
+ The timeout is in milliseconds.
+ This function will return on receipt of a session keepalive packet.
+ maxlen is the max number of bytes to return, not including the 4 byte
+ length. If zero it means buflen limit.
+ Doesn't check the MAC on signed packets.
+****************************************************************************/
+
+NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout,
+			 size_t maxlen, size_t *p_len)
+{
+	size_t len;
+	NTSTATUS status;
+
+	status = read_smb_length_return_keepalive(fd,buffer,timeout,&len);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("receive_smb_raw: %s!\n", nt_errstr(status)));
+		return status;
+	}
+
+	if (len > buflen) {
+		DEBUG(0,("Invalid packet length! (%lu bytes).\n",
+					(unsigned long)len));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if(len > 0) {
+		if (maxlen) {
+			len = MIN(len,maxlen);
+		}
+
+		status = read_socket_with_timeout(
+			fd, buffer+4, len, len, timeout, &len);
+
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		/* not all of samba3 properly checks for packet-termination
+		 * of strings. This ensures that we don't run off into
+		 * empty space. */
+		SSVAL(buffer+4,len, 0);
+	}
+
+	*p_len = len;
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ Open a socket of the specified type, port, and address for incoming data.
+****************************************************************************/
+
+int open_socket_in(int type,
+		uint16_t port,
+		int dlevel,
+		const struct sockaddr_storage *psock,
+		bool rebind)
+{
+	struct sockaddr_storage sock;
+	int res;
+	socklen_t slen = sizeof(struct sockaddr_in);
+
+	sock = *psock;
+
+#if defined(HAVE_IPV6)
+	if (sock.ss_family == AF_INET6) {
+		((struct sockaddr_in6 *)&sock)->sin6_port = htons(port);
+		slen = sizeof(struct sockaddr_in6);
+	}
+#endif
+	if (sock.ss_family == AF_INET) {
+		((struct sockaddr_in *)&sock)->sin_port = htons(port);
+	}
+
+	res = socket(sock.ss_family, type, 0 );
+	if( res == -1 ) {
+		if( DEBUGLVL(0) ) {
+			dbgtext( "open_socket_in(): socket() call failed: " );
+			dbgtext( "%s\n", strerror( errno ) );
+		}
+		return -1;
+	}
+
+	/* This block sets/clears the SO_REUSEADDR and possibly SO_REUSEPORT. */
+	{
+		int val = rebind ? 1 : 0;
+		if( setsockopt(res,SOL_SOCKET,SO_REUSEADDR,
+					(char *)&val,sizeof(val)) == -1 ) {
+			if( DEBUGLVL( dlevel ) ) {
+				dbgtext( "open_socket_in(): setsockopt: " );
+				dbgtext( "SO_REUSEADDR = %s ",
+						val?"true":"false" );
+				dbgtext( "on port %d failed ", port );
+				dbgtext( "with error = %s\n", strerror(errno) );
+			}
+		}
+#ifdef SO_REUSEPORT
+		if( setsockopt(res,SOL_SOCKET,SO_REUSEPORT,
+					(char *)&val,sizeof(val)) == -1 ) {
+			if( DEBUGLVL( dlevel ) ) {
+				dbgtext( "open_socket_in(): setsockopt: ");
+				dbgtext( "SO_REUSEPORT = %s ",
+						val?"true":"false");
+				dbgtext( "on port %d failed ", port);
+				dbgtext( "with error = %s\n", strerror(errno));
+			}
+		}
+#endif /* SO_REUSEPORT */
+	}
+
+	/* now we've got a socket - we need to bind it */
+	if (bind(res, (struct sockaddr *)&sock, slen) == -1 ) {
+		if( DEBUGLVL(dlevel) && (port == SMB_PORT1 ||
+				port == SMB_PORT2 || port == NMB_PORT) ) {
+			char addr[INET6_ADDRSTRLEN];
+			print_sockaddr(addr, sizeof(addr),
+					&sock);
+			dbgtext( "bind failed on port %d ", port);
+			dbgtext( "socket_addr = %s.\n", addr);
+			dbgtext( "Error = %s\n", strerror(errno));
+		}
+		close(res);
+		return -1;
+	}
+
+	DEBUG( 10, ( "bind succeeded on port %d\n", port ) );
+	return( res );
+ }
+
+/****************************************************************************
+ Create an outgoing socket. timeout is in milliseconds.
+**************************************************************************/
+
+int open_socket_out(int type,
+		const struct sockaddr_storage *pss,
+		uint16_t port,
+		int timeout)
+{
+	char addr[INET6_ADDRSTRLEN];
+	struct sockaddr_storage sock_out = *pss;
+	int res,ret;
+	int connect_loop = 10;
+	int increment = 10;
+
+	/* create a socket to write to */
+	res = socket(pss->ss_family, type, 0);
+	if (res == -1) {
+                DEBUG(0,("socket error (%s)\n", strerror(errno)));
+		return -1;
+	}
+
+	if (type != SOCK_STREAM) {
+		return res;
+	}
+
+#if defined(HAVE_IPV6)
+	if (pss->ss_family == AF_INET6) {
+		struct sockaddr_in6 *psa6 = (struct sockaddr_in6 *)&sock_out;
+		psa6->sin6_port = htons(port);
+		if (psa6->sin6_scope_id == 0 &&
+				IN6_IS_ADDR_LINKLOCAL(&psa6->sin6_addr)) {
+			setup_linklocal_scope_id(&sock_out);
+		}
+	}
+#endif
+	if (pss->ss_family == AF_INET) {
+		struct sockaddr_in *psa = (struct sockaddr_in *)&sock_out;
+		psa->sin_port = htons(port);
+	}
+
+	/* set it non-blocking */
+	set_blocking(res,false);
+
+	print_sockaddr(addr, sizeof(addr), &sock_out);
+	DEBUG(3,("Connecting to %s at port %u\n",
+				addr,
+				(unsigned int)port));
+
+	/* and connect it to the destination */
+  connect_again:
+
+	ret = sys_connect(res, (struct sockaddr *)&sock_out);
+
+	/* Some systems return EAGAIN when they mean EINPROGRESS */
+	if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY ||
+			errno == EAGAIN) && (connect_loop < timeout) ) {
+		smb_msleep(connect_loop);
+		timeout -= connect_loop;
+		connect_loop += increment;
+		if (increment < 250) {
+			/* After 8 rounds we end up at a max of 255 msec */
+			increment *= 1.5;
+		}
+		goto connect_again;
+	}
+
+	if (ret < 0 && (errno == EINPROGRESS || errno == EALREADY ||
+			errno == EAGAIN)) {
+		DEBUG(1,("timeout connecting to %s:%u\n",
+					addr,
+					(unsigned int)port));
+		close(res);
+		return -1;
+	}
+
+#ifdef EISCONN
+	if (ret < 0 && errno == EISCONN) {
+		errno = 0;
+		ret = 0;
+	}
+#endif
+
+	if (ret < 0) {
+		DEBUG(2,("error connecting to %s:%d (%s)\n",
+				addr,
+				(unsigned int)port,
+				strerror(errno)));
+		close(res);
+		return -1;
+	}
+
+	/* set it blocking again */
+	set_blocking(res,true);
+
+	return res;
+}
+
+/*******************************************************************
+ Create an outgoing TCP socket to the first addr that connects.
+
+ This is for simultaneous connection attempts to port 445 and 139 of a host
+ or for simultatneous connection attempts to multiple DCs at once.  We return
+ a socket fd of the first successful connection.
+
+ @param[in] addrs list of Internet addresses and ports to connect to
+ @param[in] num_addrs number of address/port pairs in the addrs list
+ @param[in] timeout time after which we stop waiting for a socket connection
+            to succeed, given in milliseconds
+ @param[out] fd_index the entry in addrs which we successfully connected to
+ @param[out] fd fd of the open and connected socket
+ @return true on a successful connection, false if all connection attempts
+         failed or we timed out
+*******************************************************************/
+
+bool open_any_socket_out(struct sockaddr_storage *addrs, int num_addrs,
+			 int timeout, int *fd_index, int *fd)
+{
+	int i, resulting_index, res;
+	int *sockets;
+	bool good_connect;
+
+	fd_set r_fds, wr_fds;
+	struct timeval tv;
+	int maxfd;
+
+	int connect_loop = 10000; /* 10 milliseconds */
+
+	timeout *= 1000; 	/* convert to microseconds */
+
+	sockets = SMB_MALLOC_ARRAY(int, num_addrs);
+
+	if (sockets == NULL)
+		return false;
+
+	resulting_index = -1;
+
+	for (i=0; i<num_addrs; i++)
+		sockets[i] = -1;
+
+	for (i=0; i<num_addrs; i++) {
+		sockets[i] = socket(addrs[i].ss_family, SOCK_STREAM, 0);
+		if (sockets[i] < 0)
+			goto done;
+		set_blocking(sockets[i], false);
+	}
+
+ connect_again:
+	good_connect = false;
+
+	for (i=0; i<num_addrs; i++) {
+		const struct sockaddr * a = 
+		    (const struct sockaddr *)&(addrs[i]);
+
+		if (sockets[i] == -1)
+			continue;
+
+		if (sys_connect(sockets[i], a) == 0) {
+			/* Rather unlikely as we are non-blocking, but it
+			 * might actually happen. */
+			resulting_index = i;
+			goto done;
+		}
+
+		if (errno == EINPROGRESS || errno == EALREADY ||
+#ifdef EISCONN
+			errno == EISCONN ||
+#endif
+		    errno == EAGAIN || errno == EINTR) {
+			/* These are the error messages that something is
+			   progressing. */
+			good_connect = true;
+		} else if (errno != 0) {
+			/* There was a direct error */
+			close(sockets[i]);
+			sockets[i] = -1;
+		}
+	}
+
+	if (!good_connect) {
+		/* All of the connect's resulted in real error conditions */
+		goto done;
+	}
+
+	/* Lets see if any of the connect attempts succeeded */
+
+	maxfd = 0;
+	FD_ZERO(&wr_fds);
+	FD_ZERO(&r_fds);
+
+	for (i=0; i<num_addrs; i++) {
+		if (sockets[i] == -1)
+			continue;
+		FD_SET(sockets[i], &wr_fds);
+		FD_SET(sockets[i], &r_fds);
+		if (sockets[i]>maxfd)
+			maxfd = sockets[i];
+	}
+
+	tv.tv_sec = 0;
+	tv.tv_usec = connect_loop;
+
+	res = sys_select_intr(maxfd+1, &r_fds, &wr_fds, NULL, &tv);
+
+	if (res < 0)
+		goto done;
+
+	if (res == 0)
+		goto next_round;
+
+	for (i=0; i<num_addrs; i++) {
+
+		if (sockets[i] == -1)
+			continue;
+
+		/* Stevens, Network Programming says that if there's a
+		 * successful connect, the socket is only writable. Upon an
+		 * error, it's both readable and writable. */
+
+		if (FD_ISSET(sockets[i], &r_fds) &&
+		    FD_ISSET(sockets[i], &wr_fds)) {
+			/* readable and writable, so it's an error */
+			close(sockets[i]);
+			sockets[i] = -1;
+			continue;
+		}
+
+		if (!FD_ISSET(sockets[i], &r_fds) &&
+		    FD_ISSET(sockets[i], &wr_fds)) {
+			/* Only writable, so it's connected */
+			resulting_index = i;
+			goto done;
+		}
+	}
+
+ next_round:
+
+	timeout -= connect_loop;
+	if (timeout <= 0)
+		goto done;
+	connect_loop *= 1.5;
+	if (connect_loop > timeout)
+		connect_loop = timeout;
+	goto connect_again;
+
+ done:
+	for (i=0; i<num_addrs; i++) {
+		if (i == resulting_index)
+			continue;
+		if (sockets[i] >= 0)
+			close(sockets[i]);
+	}
+
+	if (resulting_index >= 0) {
+		*fd_index = resulting_index;
+		*fd = sockets[*fd_index];
+		set_blocking(*fd, true);
+	}
+
+	free(sockets);
+
+	return (resulting_index >= 0);
+}
+/****************************************************************************
+ Open a connected UDP socket to host on port
+**************************************************************************/
+
+int open_udp_socket(const char *host, int port)
+{
+	int type = SOCK_DGRAM;
+	struct sockaddr_in sock_out;
+	int res;
+	struct in_addr addr;
+
+	(void)interpret_addr2(&addr, host);
+
+	res = socket(PF_INET, type, 0);
+	if (res == -1) {
+		return -1;
+	}
+
+	memset((char *)&sock_out,'\0',sizeof(sock_out));
+	putip((char *)&sock_out.sin_addr,(char *)&addr);
+	sock_out.sin_port = htons(port);
+	sock_out.sin_family = PF_INET;
+
+	if (sys_connect(res,(struct sockaddr *)&sock_out)) {
+		close(res);
+		return -1;
+	}
+
+	return res;
+}
+
+/*******************************************************************
+ Return the IP addr of the remote end of a socket as a string.
+ Optionally return the struct sockaddr_storage.
+ ******************************************************************/
+
+static const char *get_peer_addr_internal(int fd,
+				char *addr_buf,
+				size_t addr_buf_len,
+				struct sockaddr_storage *pss,
+				socklen_t *plength)
+{
+	struct sockaddr_storage ss;
+	socklen_t length = sizeof(ss);
+
+	strlcpy(addr_buf,"0.0.0.0",addr_buf_len);
+
+	if (fd == -1) {
+		return addr_buf;
+	}
+
+	if (pss == NULL) {
+		pss = &ss;
+	}
+	if (plength == NULL) {
+		plength = &length;
+	}
+
+	if (getpeername(fd, (struct sockaddr *)pss, plength) < 0) {
+		DEBUG(0,("getpeername failed. Error was %s\n",
+					strerror(errno) ));
+		return addr_buf;
+	}
+
+	print_sockaddr_len(addr_buf,
+			addr_buf_len,
+			pss,
+			*plength);
+	return addr_buf;
+}
+
+/*******************************************************************
+ Matchname - determine if host name matches IP address. Used to
+ confirm a hostname lookup to prevent spoof attacks.
+******************************************************************/
+
+static bool matchname(const char *remotehost,
+		const struct sockaddr_storage *pss,
+		socklen_t len)
+{
+	struct addrinfo *res = NULL;
+	struct addrinfo *ailist = NULL;
+	char addr_buf[INET6_ADDRSTRLEN];
+	bool ret = interpret_string_addr_internal(&ailist,
+			remotehost,
+			AI_ADDRCONFIG|AI_CANONNAME);
+
+	if (!ret || ailist == NULL) {
+		DEBUG(3,("matchname: getaddrinfo failed for "
+			"name %s [%s]\n",
+			remotehost,
+			gai_strerror(ret) ));
+		return false;
+	}
+
+	/*
+	 * Make sure that getaddrinfo() returns the "correct" host name.
+	 */
+
+	if (ailist->ai_canonname == NULL ||
+		(!strequal(remotehost, ailist->ai_canonname) &&
+		 !strequal(remotehost, "localhost"))) {
+		DEBUG(0,("matchname: host name/name mismatch: %s != %s\n",
+			 remotehost,
+			 ailist->ai_canonname ?
+				 ailist->ai_canonname : "(NULL)"));
+		freeaddrinfo(ailist);
+		return false;
+	}
+
+	/* Look up the host address in the address list we just got. */
+	for (res = ailist; res; res = res->ai_next) {
+		if (!res->ai_addr) {
+			continue;
+		}
+		if (addr_equal((const struct sockaddr_storage *)res->ai_addr,
+					pss)) {
+			freeaddrinfo(ailist);
+			return true;
+		}
+	}
+
+	/*
+	 * The host name does not map to the original host address. Perhaps
+	 * someone has compromised a name server. More likely someone botched
+	 * it, but that could be dangerous, too.
+	 */
+
+	DEBUG(0,("matchname: host name/address mismatch: %s != %s\n",
+		print_sockaddr_len(addr_buf,
+			sizeof(addr_buf),
+			pss,
+			len),
+		 ailist->ai_canonname ? ailist->ai_canonname : "(NULL)"));
+
+	if (ailist) {
+		freeaddrinfo(ailist);
+	}
+	return false;
+}
+
+/*******************************************************************
+ Deal with the singleton cache.
+******************************************************************/
+
+struct name_addr_pair {
+	struct sockaddr_storage ss;
+	const char *name;
+};
+
+/*******************************************************************
+ Lookup a name/addr pair. Returns memory allocated from memcache.
+******************************************************************/
+
+static bool lookup_nc(struct name_addr_pair *nc)
+{
+	DATA_BLOB tmp;
+
+	ZERO_STRUCTP(nc);
+
+	if (!memcache_lookup(
+			NULL, SINGLETON_CACHE,
+			data_blob_string_const("get_peer_name"),
+			&tmp)) {
+		return false;
+	}
+
+	memcpy(&nc->ss, tmp.data, sizeof(nc->ss));
+	nc->name = (const char *)tmp.data + sizeof(nc->ss);
+	return true;
+}
+
+/*******************************************************************
+ Save a name/addr pair.
+******************************************************************/
+
+static void store_nc(const struct name_addr_pair *nc)
+{
+	DATA_BLOB tmp;
+	size_t namelen = strlen(nc->name);
+
+	tmp = data_blob(NULL, sizeof(nc->ss) + namelen + 1);
+	if (!tmp.data) {
+		return;
+	}
+	memcpy(tmp.data, &nc->ss, sizeof(nc->ss));
+	memcpy(tmp.data+sizeof(nc->ss), nc->name, namelen+1);
+
+	memcache_add(NULL, SINGLETON_CACHE,
+			data_blob_string_const("get_peer_name"),
+			tmp);
+	data_blob_free(&tmp);
+}
+
+/*******************************************************************
+ Return the DNS name of the remote end of a socket.
+******************************************************************/
+
+const char *get_peer_name(int fd, bool force_lookup)
+{
+	struct name_addr_pair nc;
+	char addr_buf[INET6_ADDRSTRLEN];
+	struct sockaddr_storage ss;
+	socklen_t length = sizeof(ss);
+	const char *p;
+	int ret;
+	char name_buf[MAX_DNS_NAME_LENGTH];
+	char tmp_name[MAX_DNS_NAME_LENGTH];
+
+	/* reverse lookups can be *very* expensive, and in many
+	   situations won't work because many networks don't link dhcp
+	   with dns. To avoid the delay we avoid the lookup if
+	   possible */
+	if (!lp_hostname_lookups() && (force_lookup == false)) {
+		length = sizeof(nc.ss);
+		nc.name = get_peer_addr_internal(fd, addr_buf, sizeof(addr_buf),
+			&nc.ss, &length);
+		store_nc(&nc);
+		lookup_nc(&nc);
+		return nc.name ? nc.name : "UNKNOWN";
+	}
+
+	lookup_nc(&nc);
+
+	memset(&ss, '\0', sizeof(ss));
+	p = get_peer_addr_internal(fd, addr_buf, sizeof(addr_buf), &ss, &length);
+
+	/* it might be the same as the last one - save some DNS work */
+	if (addr_equal(&ss, &nc.ss)) {
+		return nc.name ? nc.name : "UNKNOWN";
+	}
+
+	/* Not the same. We need to lookup. */
+	if (fd == -1) {
+		return "UNKNOWN";
+	}
+
+	/* Look up the remote host name. */
+	ret = sys_getnameinfo((struct sockaddr *)&ss,
+			length,
+			name_buf,
+			sizeof(name_buf),
+			NULL,
+			0,
+			0);
+
+	if (ret) {
+		DEBUG(1,("get_peer_name: getnameinfo failed "
+			"for %s with error %s\n",
+			p,
+			gai_strerror(ret)));
+		strlcpy(name_buf, p, sizeof(name_buf));
+	} else {
+		if (!matchname(name_buf, &ss, length)) {
+			DEBUG(0,("Matchname failed on %s %s\n",name_buf,p));
+			strlcpy(name_buf,"UNKNOWN",sizeof(name_buf));
+		}
+	}
+
+	/* can't pass the same source and dest strings in when you
+	   use --enable-developer or the clobber_region() call will
+	   get you */
+
+	strlcpy(tmp_name, name_buf, sizeof(tmp_name));
+	alpha_strcpy(name_buf, tmp_name, "_-.", sizeof(name_buf));
+	if (strstr(name_buf,"..")) {
+		strlcpy(name_buf, "UNKNOWN", sizeof(name_buf));
+	}
+
+	nc.name = name_buf;
+	nc.ss = ss;
+
+	store_nc(&nc);
+	lookup_nc(&nc);
+	return nc.name ? nc.name : "UNKNOWN";
+}
+
+/*******************************************************************
+ Return the IP addr of the remote end of a socket as a string.
+ ******************************************************************/
+
+const char *get_peer_addr(int fd, char *addr, size_t addr_len)
+{
+	return get_peer_addr_internal(fd, addr, addr_len, NULL, NULL);
+}
+
+/*******************************************************************
+ Create protected unix domain socket.
+
+ Some unixes cannot set permissions on a ux-dom-sock, so we
+ have to make sure that the directory contains the protection
+ permissions instead.
+ ******************************************************************/
+
+int create_pipe_sock(const char *socket_dir,
+		     const char *socket_name,
+		     mode_t dir_perms)
+{
+#ifdef HAVE_UNIXSOCKET
+	struct sockaddr_un sunaddr;
+	struct stat st;
+	int sock;
+	mode_t old_umask;
+	char *path = NULL;
+
+	old_umask = umask(0);
+
+	/* Create the socket directory or reuse the existing one */
+
+	if (lstat(socket_dir, &st) == -1) {
+		if (errno == ENOENT) {
+			/* Create directory */
+			if (mkdir(socket_dir, dir_perms) == -1) {
+				DEBUG(0, ("error creating socket directory "
+					"%s: %s\n", socket_dir,
+					strerror(errno)));
+				goto out_umask;
+			}
+		} else {
+			DEBUG(0, ("lstat failed on socket directory %s: %s\n",
+				socket_dir, strerror(errno)));
+			goto out_umask;
+		}
+	} else {
+		/* Check ownership and permission on existing directory */
+		if (!S_ISDIR(st.st_mode)) {
+			DEBUG(0, ("socket directory %s isn't a directory\n",
+				socket_dir));
+			goto out_umask;
+		}
+		if ((st.st_uid != sec_initial_uid()) ||
+				((st.st_mode & 0777) != dir_perms)) {
+			DEBUG(0, ("invalid permissions on socket directory "
+				"%s\n", socket_dir));
+			goto out_umask;
+		}
+	}
+
+	/* Create the socket file */
+
+	sock = socket(AF_UNIX, SOCK_STREAM, 0);
+
+	if (sock == -1) {
+		DEBUG(0, ("create_pipe_sock: socket error %s\n",
+			strerror(errno) ));
+                goto out_close;
+	}
+
+	if (asprintf(&path, "%s/%s", socket_dir, socket_name) == -1) {
+                goto out_close;
+	}
+
+	unlink(path);
+	memset(&sunaddr, 0, sizeof(sunaddr));
+	sunaddr.sun_family = AF_UNIX;
+	strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path));
+
+	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1) {
+		DEBUG(0, ("bind failed on pipe socket %s: %s\n", path,
+			strerror(errno)));
+		goto out_close;
+	}
+
+	if (listen(sock, 5) == -1) {
+		DEBUG(0, ("listen failed on pipe socket %s: %s\n", path,
+			strerror(errno)));
+		goto out_close;
+	}
+
+	SAFE_FREE(path);
+
+	umask(old_umask);
+	return sock;
+
+out_close:
+	SAFE_FREE(path);
+	if (sock != -1)
+		close(sock);
+
+out_umask:
+	umask(old_umask);
+	return -1;
+
+#else
+        DEBUG(0, ("create_pipe_sock: No Unix sockets on this system\n"));
+        return -1;
+#endif /* HAVE_UNIXSOCKET */
+}
+
+/****************************************************************************
+ Get my own canonical name, including domain.
+****************************************************************************/
+
+const char *get_mydnsfullname(void)
+{
+	struct addrinfo *res = NULL;
+	char my_hostname[HOST_NAME_MAX];
+	bool ret;
+	DATA_BLOB tmp;
+
+	if (memcache_lookup(NULL, SINGLETON_CACHE,
+			data_blob_string_const("get_mydnsfullname"),
+			&tmp)) {
+		SMB_ASSERT(tmp.length > 0);
+		return (const char *)tmp.data;
+	}
+
+	/* get my host name */
+	if (gethostname(my_hostname, sizeof(my_hostname)) == -1) {
+		DEBUG(0,("get_mydnsfullname: gethostname failed\n"));
+		return NULL;
+	}
+
+	/* Ensure null termination. */
+	my_hostname[sizeof(my_hostname)-1] = '\0';
+
+	ret = interpret_string_addr_internal(&res,
+				my_hostname,
+				AI_ADDRCONFIG|AI_CANONNAME);
+
+	if (!ret || res == NULL) {
+		DEBUG(3,("get_mydnsfullname: getaddrinfo failed for "
+			"name %s [%s]\n",
+			my_hostname,
+			gai_strerror(ret) ));
+		return NULL;
+	}
+
+	/*
+	 * Make sure that getaddrinfo() returns the "correct" host name.
+	 */
+
+	if (res->ai_canonname == NULL) {
+		DEBUG(3,("get_mydnsfullname: failed to get "
+			"canonical name for %s\n",
+			my_hostname));
+		freeaddrinfo(res);
+		return NULL;
+	}
+
+	/* This copies the data, so we must do a lookup
+	 * afterwards to find the value to return.
+	 */
+
+	memcache_add(NULL, SINGLETON_CACHE,
+			data_blob_string_const("get_mydnsfullname"),
+			data_blob_string_const(res->ai_canonname));
+
+	if (!memcache_lookup(NULL, SINGLETON_CACHE,
+			data_blob_string_const("get_mydnsfullname"),
+			&tmp)) {
+		tmp = data_blob_talloc(talloc_tos(), res->ai_canonname,
+				strlen(res->ai_canonname) + 1);
+	}
+
+	freeaddrinfo(res);
+
+	return (const char *)tmp.data;
+}
+
+/************************************************************
+ Is this my name ?
+************************************************************/
+
+bool is_myname_or_ipaddr(const char *s)
+{
+	TALLOC_CTX *ctx = talloc_tos();
+	char *name = NULL;
+	const char *dnsname;
+	char *servername = NULL;
+
+	if (!s) {
+		return false;
+	}
+
+	/* Santize the string from '\\name' */
+	name = talloc_strdup(ctx, s);
+	if (!name) {
+		return false;
+	}
+
+	servername = strrchr_m(name, '\\' );
+	if (!servername) {
+		servername = name;
+	} else {
+		servername++;
+	}
+
+	/* Optimize for the common case */
+	if (strequal(servername, global_myname())) {
+		return true;
+	}
+
+	/* Check for an alias */
+	if (is_myname(servername)) {
+		return true;
+	}
+
+	/* Check for loopback */
+	if (strequal(servername, "127.0.0.1") ||
+			strequal(servername, "::1")) {
+		return true;
+	}
+
+	if (strequal(servername, "localhost")) {
+		return true;
+	}
+
+	/* Maybe it's my dns name */
+	dnsname = get_mydnsfullname();
+	if (dnsname && strequal(servername, dnsname)) {
+		return true;
+	}
+
+	/* Handle possible CNAME records - convert to an IP addr. */
+	if (!is_ipaddress(servername)) {
+		/* Use DNS to resolve the name, but only the first address */
+		struct sockaddr_storage ss;
+		if (interpret_string_addr(&ss, servername,0)) {
+			print_sockaddr(name,
+					sizeof(name),
+					&ss);
+			servername = name;
+		}
+	}
+
+	/* Maybe its an IP address? */
+	if (is_ipaddress(servername)) {
+		struct sockaddr_storage ss;
+		struct iface_struct *nics;
+		int i, n;
+
+		if (!interpret_string_addr(&ss, servername, AI_NUMERICHOST)) {
+			return false;
+		}
+
+		if (is_zero_addr(&ss) || is_loopback_addr(&ss)) {
+			return false;
+		}
+
+		nics = TALLOC_ARRAY(ctx, struct iface_struct,
+					MAX_INTERFACES);
+		if (!nics) {
+			return false;
+		}
+		n = get_interfaces(nics, MAX_INTERFACES);
+		for (i=0; i<n; i++) {
+			if (addr_equal(&nics[i].ip, &ss)) {
+				TALLOC_FREE(nics);
+				return true;
+			}
+		}
+		TALLOC_FREE(nics);
+	}
+
+	/* No match */
+	return false;
+}
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
new file mode 100644
index 0000000000..9f952abf10
--- /dev/null
+++ b/source3/lib/util_str.c
@@ -0,0 +1,2897 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+
+   Copyright (C) Andrew Tridgell 1992-2001
+   Copyright (C) Simo Sorce      2001-2002
+   Copyright (C) Martin Pool     2003
+   Copyright (C) James Peach	 2006
+   Copyright (C) Jeremy Allison  1992-2007
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+char toupper_ascii_fast_table[128] = {
+	0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+	0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f
+};
+
+/**
+ * @file
+ * @brief String utilities.
+ **/
+
+static bool next_token_internal_talloc(TALLOC_CTX *ctx,
+				const char **ptr,
+                                char **pp_buff,
+                                const char *sep,
+                                bool ltrim)
+{
+	char *s;
+	char *saved_s;
+	char *pbuf;
+	bool quoted;
+	size_t len=1;
+
+	*pp_buff = NULL;
+	if (!ptr) {
+		return(false);
+	}
+
+	s = (char *)*ptr;
+
+	/* default to simple separators */
+	if (!sep) {
+		sep = " \t\n\r";
+	}
+
+	/* find the first non sep char, if left-trimming is requested */
+	if (ltrim) {
+		while (*s && strchr_m(sep,*s)) {
+			s++;
+		}
+	}
+
+	/* nothing left? */
+	if (!*s) {
+		return false;
+	}
+
+	/* When restarting we need to go from here. */
+	saved_s = s;
+
+	/* Work out the length needed. */
+	for (quoted = false; *s &&
+			(quoted || !strchr_m(sep,*s)); s++) {
+		if (*s == '\"') {
+			quoted = !quoted;
+		} else {
+			len++;
+		}
+	}
+
+	/* We started with len = 1 so we have space for the nul. */
+	*pp_buff = TALLOC_ARRAY(ctx, char, len);
+	if (!*pp_buff) {
+		return false;
+	}
+
+	/* copy over the token */
+	pbuf = *pp_buff;
+	s = saved_s;
+	for (quoted = false; *s &&
+			(quoted || !strchr_m(sep,*s)); s++) {
+		if ( *s == '\"' ) {
+			quoted = !quoted;
+		} else {
+			*pbuf++ = *s;
+		}
+	}
+
+	*ptr = (*s) ? s+1 : s;
+	*pbuf = 0;
+
+	return true;
+}
+
+#if 0
+/*
+ * Get the next token from a string, return false if none found.  Handles
+ * double-quotes.  This version trims leading separator characters before
+ * looking for a token.
+ */
+bool next_token(const char **ptr, char *buff, const char *sep, size_t bufsize)
+{
+	return next_token_internal(ptr, buff, sep, bufsize, true);
+}
+#endif
+
+bool next_token_talloc(TALLOC_CTX *ctx,
+			const char **ptr,
+			char **pp_buff,
+			const char *sep)
+{
+	return next_token_internal_talloc(ctx, ptr, pp_buff, sep, true);
+}
+
+/*
+ * Get the next token from a string, return false if none found.  Handles
+ * double-quotes.  This version does not trim leading separator characters
+ * before looking for a token.
+ */
+
+bool next_token_no_ltrim_talloc(TALLOC_CTX *ctx,
+			const char **ptr,
+			char **pp_buff,
+			const char *sep)
+{
+	return next_token_internal_talloc(ctx, ptr, pp_buff, sep, false);
+}
+
+/**
+ * Case insensitive string compararison.
+ *
+ * iconv does not directly give us a way to compare strings in
+ * arbitrary unix character sets -- all we can is convert and then
+ * compare.  This is expensive.
+ *
+ * As an optimization, we do a first pass that considers only the
+ * prefix of the strings that is entirely 7-bit.  Within this, we
+ * check whether they have the same value.
+ *
+ * Hopefully this will often give the answer without needing to copy.
+ * In particular it should speed comparisons to literal ascii strings
+ * or comparisons of strings that are "obviously" different.
+ *
+ * If we find a non-ascii character we fall back to converting via
+ * iconv.
+ *
+ * This should never be slower than convering the whole thing, and
+ * often faster.
+ *
+ * A different optimization would be to compare for bitwise equality
+ * in the binary encoding.  (It would be possible thought hairy to do
+ * both simultaneously.)  But in that case if they turn out to be
+ * different, we'd need to restart the whole thing.
+ *
+ * Even better is to implement strcasecmp for each encoding and use a
+ * function pointer.
+ **/
+int StrCaseCmp(const char *s, const char *t)
+{
+
+	const char *ps, *pt;
+	size_t size;
+	smb_ucs2_t *buffer_s, *buffer_t;
+	int ret;
+
+	for (ps = s, pt = t; ; ps++, pt++) {
+		char us, ut;
+
+		if (!*ps && !*pt)
+			return 0; /* both ended */
+ 		else if (!*ps)
+			return -1; /* s is a prefix */
+		else if (!*pt)
+			return +1; /* t is a prefix */
+		else if ((*ps & 0x80) || (*pt & 0x80))
+			/* not ascii anymore, do it the hard way
+			 * from here on in */
+			break;
+
+		us = toupper_ascii_fast(*ps);
+		ut = toupper_ascii_fast(*pt);
+		if (us == ut)
+			continue;
+		else if (us < ut)
+			return -1;
+		else if (us > ut)
+			return +1;
+	}
+
+	if (!push_ucs2_allocate(&buffer_s, ps, &size)) {
+		return strcmp(ps, pt);
+		/* Not quite the right answer, but finding the right one
+		   under this failure case is expensive, and it's pretty
+		   close */
+	}
+
+	if (!push_ucs2_allocate(&buffer_t, pt, &size)) {
+		SAFE_FREE(buffer_s);
+		return strcmp(ps, pt);
+		/* Not quite the right answer, but finding the right one
+		   under this failure case is expensive, and it's pretty
+		   close */
+	}
+
+	ret = strcasecmp_w(buffer_s, buffer_t);
+	SAFE_FREE(buffer_s);
+	SAFE_FREE(buffer_t);
+	return ret;
+}
+
+
+/**
+ Case insensitive string compararison, length limited.
+**/
+int StrnCaseCmp(const char *s, const char *t, size_t len)
+{
+	size_t n = 0;
+	const char *ps, *pt;
+	size_t size;
+	smb_ucs2_t *buffer_s, *buffer_t;
+	int ret;
+
+	for (ps = s, pt = t; n < len ; ps++, pt++, n++) {
+		char us, ut;
+
+		if (!*ps && !*pt)
+			return 0; /* both ended */
+ 		else if (!*ps)
+			return -1; /* s is a prefix */
+		else if (!*pt)
+			return +1; /* t is a prefix */
+		else if ((*ps & 0x80) || (*pt & 0x80))
+			/* not ascii anymore, do it the
+			 * hard way from here on in */
+			break;
+
+		us = toupper_ascii_fast(*ps);
+		ut = toupper_ascii_fast(*pt);
+		if (us == ut)
+			continue;
+		else if (us < ut)
+			return -1;
+		else if (us > ut)
+			return +1;
+	}
+
+	if (n == len) {
+		return 0;
+	}
+
+	if (!push_ucs2_allocate(&buffer_s, ps, &size)) {
+		return strncmp(ps, pt, len-n);
+		/* Not quite the right answer, but finding the right one
+		   under this failure case is expensive,
+		   and it's pretty close */
+	}
+
+	if (!push_ucs2_allocate(&buffer_t, pt, &size)) {
+		SAFE_FREE(buffer_s);
+		return strncmp(ps, pt, len-n);
+		/* Not quite the right answer, but finding the right one
+		   under this failure case is expensive,
+		   and it's pretty close */
+	}
+
+	ret = strncasecmp_w(buffer_s, buffer_t, len-n);
+	SAFE_FREE(buffer_s);
+	SAFE_FREE(buffer_t);
+	return ret;
+}
+
+/**
+ * Compare 2 strings.
+ *
+ * @note The comparison is case-insensitive.
+ **/
+bool strequal(const char *s1, const char *s2)
+{
+	if (s1 == s2)
+		return(true);
+	if (!s1 || !s2)
+		return(false);
+
+	return(StrCaseCmp(s1,s2)==0);
+}
+
+/**
+ * Compare 2 strings up to and including the nth char.
+ *
+ * @note The comparison is case-insensitive.
+ **/
+bool strnequal(const char *s1,const char *s2,size_t n)
+{
+	if (s1 == s2)
+		return(true);
+	if (!s1 || !s2 || !n)
+		return(false);
+
+	return(StrnCaseCmp(s1,s2,n)==0);
+}
+
+/**
+ Compare 2 strings (case sensitive).
+**/
+
+bool strcsequal(const char *s1,const char *s2)
+{
+	if (s1 == s2)
+		return(true);
+	if (!s1 || !s2)
+		return(false);
+
+	return(strcmp(s1,s2)==0);
+}
+
+/**
+Do a case-insensitive, whitespace-ignoring string compare.
+**/
+
+int strwicmp(const char *psz1, const char *psz2)
+{
+	/* if BOTH strings are NULL, return TRUE, if ONE is NULL return */
+	/* appropriate value. */
+	if (psz1 == psz2)
+		return (0);
+	else if (psz1 == NULL)
+		return (-1);
+	else if (psz2 == NULL)
+		return (1);
+
+	/* sync the strings on first non-whitespace */
+	while (1) {
+		while (isspace((int)*psz1))
+			psz1++;
+		while (isspace((int)*psz2))
+			psz2++;
+		if (toupper_ascii(*psz1) != toupper_ascii(*psz2) ||
+				*psz1 == '\0' || *psz2 == '\0')
+			break;
+		psz1++;
+		psz2++;
+	}
+	return (*psz1 - *psz2);
+}
+
+/**
+ Convert a string to "normal" form.
+**/
+
+void strnorm(char *s, int case_default)
+{
+	if (case_default == CASE_UPPER)
+		strupper_m(s);
+	else
+		strlower_m(s);
+}
+
+/**
+ Check if a string is in "normal" case.
+**/
+
+bool strisnormal(const char *s, int case_default)
+{
+	if (case_default == CASE_UPPER)
+		return(!strhaslower(s));
+
+	return(!strhasupper(s));
+}
+
+
+/**
+ String replace.
+ NOTE: oldc and newc must be 7 bit characters
+**/
+void string_replace( char *s, char oldc, char newc )
+{
+	char *p;
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	for (p = s; *p; p++) {
+		if (*p & 0x80) /* mb string - slow path. */
+			break;
+		if (*p == oldc) {
+			*p = newc;
+		}
+	}
+
+	if (!*p)
+		return;
+
+	/* Slow (mb) path. */
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+	/* With compose characters we must restart from the beginning. JRA. */
+	p = s;
+#endif
+
+	while (*p) {
+		size_t c_size;
+		next_codepoint(p, &c_size);
+
+		if (c_size == 1) {
+			if (*p == oldc) {
+				*p = newc;
+			}
+		}
+		p += c_size;
+	}
+}
+
+/**
+ *  Skip past some strings in a buffer - old version - no checks.
+ *  **/
+
+char *push_skip_string(char *buf)
+{
+	buf += strlen(buf) + 1;
+	return(buf);
+}
+
+/**
+ Skip past a string in a buffer. Buffer may not be
+ null terminated. end_ptr points to the first byte after
+ then end of the buffer.
+**/
+
+char *skip_string(const char *base, size_t len, char *buf)
+{
+	const char *end_ptr = base + len;
+
+	if (end_ptr < base || !base || !buf || buf >= end_ptr) {
+		return NULL;
+	}
+
+	/* Skip the string */
+	while (*buf) {
+		buf++;
+		if (buf >= end_ptr) {
+			return NULL;
+		}
+	}
+	/* Skip the '\0' */
+	buf++;
+	return buf;
+}
+
+/**
+ Count the number of characters in a string. Normally this will
+ be the same as the number of bytes in a string for single byte strings,
+ but will be different for multibyte.
+**/
+
+size_t str_charnum(const char *s)
+{
+	size_t ret, converted_size;
+	smb_ucs2_t *tmpbuf2 = NULL;
+	if (!push_ucs2_allocate(&tmpbuf2, s, &converted_size)) {
+		return 0;
+	}
+	ret = strlen_w(tmpbuf2);
+	SAFE_FREE(tmpbuf2);
+	return ret;
+}
+
+/**
+ Count the number of characters in a string. Normally this will
+ be the same as the number of bytes in a string for single byte strings,
+ but will be different for multibyte.
+**/
+
+size_t str_ascii_charnum(const char *s)
+{
+	size_t ret, converted_size;
+	char *tmpbuf2 = NULL;
+	if (!push_ascii_allocate(&tmpbuf2, s, &converted_size)) {
+		return 0;
+	}
+	ret = strlen(tmpbuf2);
+	SAFE_FREE(tmpbuf2);
+	return ret;
+}
+
+bool trim_char(char *s,char cfront,char cback)
+{
+	bool ret = false;
+	char *ep;
+	char *fp = s;
+
+	/* Ignore null or empty strings. */
+	if (!s || (s[0] == '\0'))
+		return false;
+
+	if (cfront) {
+		while (*fp && *fp == cfront)
+			fp++;
+		if (!*fp) {
+			/* We ate the string. */
+			s[0] = '\0';
+			return true;
+		}
+		if (fp != s)
+			ret = true;
+	}
+
+	ep = fp + strlen(fp) - 1;
+	if (cback) {
+		/* Attempt ascii only. Bail for mb strings. */
+		while ((ep >= fp) && (*ep == cback)) {
+			ret = true;
+			if ((ep > fp) && (((unsigned char)ep[-1]) & 0x80)) {
+				/* Could be mb... bail back to tim_string. */
+				char fs[2], bs[2];
+				if (cfront) {
+					fs[0] = cfront;
+					fs[1] = '\0';
+				}
+				bs[0] = cback;
+				bs[1] = '\0';
+				return trim_string(s, cfront ? fs : NULL, bs);
+			} else {
+				ep--;
+			}
+		}
+		if (ep < fp) {
+			/* We ate the string. */
+			s[0] = '\0';
+			return true;
+		}
+	}
+
+	ep[1] = '\0';
+	memmove(s, fp, ep-fp+2);
+	return ret;
+}
+
+/**
+ Trim the specified elements off the front and back of a string.
+**/
+
+bool trim_string(char *s,const char *front,const char *back)
+{
+	bool ret = false;
+	size_t front_len;
+	size_t back_len;
+	size_t len;
+
+	/* Ignore null or empty strings. */
+	if (!s || (s[0] == '\0'))
+		return false;
+
+	front_len	= front? strlen(front) : 0;
+	back_len	= back? strlen(back) : 0;
+
+	len = strlen(s);
+
+	if (front_len) {
+		while (len && strncmp(s, front, front_len)==0) {
+			/* Must use memmove here as src & dest can
+			 * easily overlap. Found by valgrind. JRA. */
+			memmove(s, s+front_len, (len-front_len)+1);
+			len -= front_len;
+			ret=true;
+		}
+	}
+
+	if (back_len) {
+		while ((len >= back_len) &&
+				strncmp(s+len-back_len,back,back_len)==0) {
+			s[len-back_len]='\0';
+			len -= back_len;
+			ret=true;
+		}
+	}
+	return ret;
+}
+
+/**
+ Does a string have any uppercase chars in it?
+**/
+
+bool strhasupper(const char *s)
+{
+	smb_ucs2_t *tmp, *p;
+	bool ret;
+	size_t converted_size;
+
+	if (!push_ucs2_allocate(&tmp, s, &converted_size)) {
+		return false;
+	}
+
+	for(p = tmp; *p != 0; p++) {
+		if(isupper_w(*p)) {
+			break;
+		}
+	}
+
+	ret = (*p != 0);
+	SAFE_FREE(tmp);
+	return ret;
+}
+
+/**
+ Does a string have any lowercase chars in it?
+**/
+
+bool strhaslower(const char *s)
+{
+	smb_ucs2_t *tmp, *p;
+	bool ret;
+	size_t converted_size;
+
+	if (!push_ucs2_allocate(&tmp, s, &converted_size)) {
+		return false;
+	}
+
+	for(p = tmp; *p != 0; p++) {
+		if(islower_w(*p)) {
+			break;
+		}
+	}
+
+	ret = (*p != 0);
+	SAFE_FREE(tmp);
+	return ret;
+}
+
+/**
+ Find the number of 'c' chars in a string
+**/
+
+size_t count_chars(const char *s,char c)
+{
+	smb_ucs2_t *ptr;
+	int count;
+	smb_ucs2_t *alloc_tmpbuf = NULL;
+	size_t converted_size;
+
+	if (!push_ucs2_allocate(&alloc_tmpbuf, s, &converted_size)) {
+		return 0;
+	}
+
+	for(count=0,ptr=alloc_tmpbuf;*ptr;ptr++)
+		if(*ptr==UCS2_CHAR(c))
+			count++;
+
+	SAFE_FREE(alloc_tmpbuf);
+	return(count);
+}
+
+/**
+ Safe string copy into a known length string. maxlength does not
+ include the terminating zero.
+**/
+
+char *safe_strcpy_fn(const char *fn,
+		int line,
+		char *dest,
+		const char *src,
+		size_t maxlength)
+{
+	size_t len;
+
+	if (!dest) {
+		DEBUG(0,("ERROR: NULL dest in safe_strcpy, "
+			"called from [%s][%d]\n", fn, line));
+		return NULL;
+	}
+
+#ifdef DEVELOPER
+	clobber_region(fn,line,dest, maxlength+1);
+#endif
+
+	if (!src) {
+		*dest = 0;
+		return dest;
+	}
+
+	len = strnlen(src, maxlength+1);
+
+	if (len > maxlength) {
+		DEBUG(0,("ERROR: string overflow by "
+			"%lu (%lu - %lu) in safe_strcpy [%.50s]\n",
+			 (unsigned long)(len-maxlength), (unsigned long)len,
+			 (unsigned long)maxlength, src));
+		len = maxlength;
+	}
+
+	memmove(dest, src, len);
+	dest[len] = 0;
+	return dest;
+}
+
+/**
+ Safe string cat into a string. maxlength does not
+ include the terminating zero.
+**/
+char *safe_strcat_fn(const char *fn,
+		int line,
+		char *dest,
+		const char *src,
+		size_t maxlength)
+{
+	size_t src_len, dest_len;
+
+	if (!dest) {
+		DEBUG(0,("ERROR: NULL dest in safe_strcat, "
+			"called from [%s][%d]\n", fn, line));
+		return NULL;
+	}
+
+	if (!src)
+		return dest;
+
+	src_len = strnlen(src, maxlength + 1);
+	dest_len = strnlen(dest, maxlength + 1);
+
+#ifdef DEVELOPER
+	clobber_region(fn, line, dest + dest_len, maxlength + 1 - dest_len);
+#endif
+
+	if (src_len + dest_len > maxlength) {
+		DEBUG(0,("ERROR: string overflow by %d "
+			"in safe_strcat [%.50s]\n",
+			 (int)(src_len + dest_len - maxlength), src));
+		if (maxlength > dest_len) {
+			memcpy(&dest[dest_len], src, maxlength - dest_len);
+		}
+		dest[maxlength] = 0;
+		return NULL;
+	}
+
+	memcpy(&dest[dest_len], src, src_len);
+	dest[dest_len + src_len] = 0;
+	return dest;
+}
+
+/**
+ Paranoid strcpy into a buffer of given length (includes terminating
+ zero. Strips out all but 'a-Z0-9' and the character in other_safe_chars
+ and replaces with '_'. Deliberately does *NOT* check for multibyte
+ characters. Don't change it !
+**/
+
+char *alpha_strcpy_fn(const char *fn,
+		int line,
+		char *dest,
+		const char *src,
+		const char *other_safe_chars,
+		size_t maxlength)
+{
+	size_t len, i;
+
+#ifdef DEVELOPER
+	clobber_region(fn, line, dest, maxlength);
+#endif
+
+	if (!dest) {
+		DEBUG(0,("ERROR: NULL dest in alpha_strcpy, "
+			"called from [%s][%d]\n", fn, line));
+		return NULL;
+	}
+
+	if (!src) {
+		*dest = 0;
+		return dest;
+	}
+
+	len = strlen(src);
+	if (len >= maxlength)
+		len = maxlength - 1;
+
+	if (!other_safe_chars)
+		other_safe_chars = "";
+
+	for(i = 0; i < len; i++) {
+		int val = (src[i] & 0xff);
+		if (isupper_ascii(val) || islower_ascii(val) ||
+				isdigit(val) || strchr_m(other_safe_chars, val))
+			dest[i] = src[i];
+		else
+			dest[i] = '_';
+	}
+
+	dest[i] = '\0';
+
+	return dest;
+}
+
+/**
+ Like strncpy but always null terminates. Make sure there is room!
+ The variable n should always be one less than the available size.
+**/
+char *StrnCpy_fn(const char *fn, int line,char *dest,const char *src,size_t n)
+{
+	char *d = dest;
+
+#ifdef DEVELOPER
+	clobber_region(fn, line, dest, n+1);
+#endif
+
+	if (!dest) {
+		DEBUG(0,("ERROR: NULL dest in StrnCpy, "
+			"called from [%s][%d]\n", fn, line));
+		return(NULL);
+	}
+
+	if (!src) {
+		*dest = 0;
+		return(dest);
+	}
+
+	while (n-- && (*d = *src)) {
+		d++;
+		src++;
+	}
+
+	*d = 0;
+	return(dest);
+}
+
+#if 0
+/**
+ Like strncpy but copies up to the character marker.  always null terminates.
+ returns a pointer to the character marker in the source string (src).
+**/
+
+static char *strncpyn(char *dest, const char *src, size_t n, char c)
+{
+	char *p;
+	size_t str_len;
+
+#ifdef DEVELOPER
+	clobber_region(dest, n+1);
+#endif
+	p = strchr_m(src, c);
+	if (p == NULL) {
+		DEBUG(5, ("strncpyn: separator character (%c) not found\n", c));
+		return NULL;
+	}
+
+	str_len = PTR_DIFF(p, src);
+	strncpy(dest, src, MIN(n, str_len));
+	dest[str_len] = '\0';
+
+	return p;
+}
+#endif
+
+/**
+ Routine to get hex characters and turn them into a 16 byte array.
+ the array can be variable length, and any non-hex-numeric
+ characters are skipped.  "0xnn" or "0Xnn" is specially catered
+ for.
+
+ valid examples: "0A5D15"; "0x15, 0x49, 0xa2"; "59\ta9\te3\n"
+
+**/
+
+size_t strhex_to_str(char *buf, size_t buf_len, const char *strhex, size_t strhex_len)
+{
+	size_t i;
+	size_t num_chars = 0;
+	unsigned char   lonybble, hinybble;
+	const char     *hexchars = "0123456789ABCDEF";
+	char           *p1 = NULL, *p2 = NULL;
+
+	for (i = 0; i < strhex_len && strhex[i] != 0; i++) {
+		if (strnequal(hexchars, "0x", 2)) {
+			i++; /* skip two chars */
+			continue;
+		}
+
+		if (!(p1 = strchr_m(hexchars, toupper_ascii(strhex[i]))))
+			break;
+
+		i++; /* next hex digit */
+
+		if (!(p2 = strchr_m(hexchars, toupper_ascii(strhex[i]))))
+			break;
+
+		/* get the two nybbles */
+		hinybble = PTR_DIFF(p1, hexchars);
+		lonybble = PTR_DIFF(p2, hexchars);
+
+		if (num_chars >= buf_len) {
+			break;
+		}
+		buf[num_chars] = (hinybble << 4) | lonybble;
+		num_chars++;
+
+		p1 = NULL;
+		p2 = NULL;
+	}
+	return num_chars;
+}
+
+DATA_BLOB strhex_to_data_blob(TALLOC_CTX *mem_ctx, const char *strhex)
+{
+	DATA_BLOB ret_blob;
+
+	if (mem_ctx != NULL)
+		ret_blob = data_blob_talloc(mem_ctx, NULL, strlen(strhex)/2+1);
+	else
+		ret_blob = data_blob(NULL, strlen(strhex)/2+1);
+
+	ret_blob.length = strhex_to_str((char*)ret_blob.data,
+					ret_blob.length,
+					strhex,
+					strlen(strhex));
+
+	return ret_blob;
+}
+
+/**
+ * Routine to print a buffer as HEX digits, into an allocated string.
+ */
+
+char *hex_encode(TALLOC_CTX *mem_ctx, const unsigned char *buff_in, size_t len)
+{
+	int i;
+	char *hex_buffer;
+
+	hex_buffer = TALLOC_ARRAY(mem_ctx, char, (len*2)+1);
+
+	for (i = 0; i < len; i++)
+		slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]);
+
+	return hex_buffer;
+}
+
+/**
+ Check if a string is part of a list.
+**/
+
+bool in_list(const char *s, const char *list, bool casesensitive)
+{
+	char *tok = NULL;
+	bool ret = false;
+	TALLOC_CTX *frame;
+
+	if (!list) {
+		return false;
+	}
+
+	frame = talloc_stackframe();
+	while (next_token_talloc(frame, &list, &tok,LIST_SEP)) {
+		if (casesensitive) {
+			if (strcmp(tok,s) == 0) {
+				ret = true;
+				break;
+			}
+		} else {
+			if (StrCaseCmp(tok,s) == 0) {
+				ret = true;
+				break;
+			}
+		}
+	}
+	TALLOC_FREE(frame);
+	return ret;
+}
+
+/* this is used to prevent lots of mallocs of size 1 */
+static const char null_string[] = "";
+
+/**
+ Set a string value, allocing the space for the string
+**/
+
+static bool string_init(char **dest,const char *src)
+{
+	size_t l;
+
+	if (!src)
+		src = "";
+
+	l = strlen(src);
+
+	if (l == 0) {
+		*dest = CONST_DISCARD(char*, null_string);
+	} else {
+		(*dest) = SMB_STRDUP(src);
+		if ((*dest) == NULL) {
+			DEBUG(0,("Out of memory in string_init\n"));
+			return false;
+		}
+	}
+	return(true);
+}
+
+/**
+ Free a string value.
+**/
+
+void string_free(char **s)
+{
+	if (!s || !(*s))
+		return;
+	if (*s == null_string)
+		*s = NULL;
+	SAFE_FREE(*s);
+}
+
+/**
+ Set a string value, deallocating any existing space, and allocing the space
+ for the string
+**/
+
+bool string_set(char **dest,const char *src)
+{
+	string_free(dest);
+	return(string_init(dest,src));
+}
+
+/**
+ Substitute a string for a pattern in another string. Make sure there is
+ enough room!
+
+ This routine looks for pattern in s and replaces it with
+ insert. It may do multiple replacements or just one.
+
+ Any of " ; ' $ or ` in the insert string are replaced with _
+ if len==0 then the string cannot be extended. This is different from the old
+ use of len==0 which was for no length checks to be done.
+**/
+
+void string_sub2(char *s,const char *pattern, const char *insert, size_t len,
+		 bool remove_unsafe_characters, bool replace_once,
+		 bool allow_trailing_dollar)
+{
+	char *p;
+	ssize_t ls,lp,li, i;
+
+	if (!insert || !pattern || !*pattern || !s)
+		return;
+
+	ls = (ssize_t)strlen(s);
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+
+	if (len == 0)
+		len = ls + 1; /* len is number of *bytes* */
+
+	while (lp <= ls && (p = strstr_m(s,pattern))) {
+		if (ls + (li-lp) >= len) {
+			DEBUG(0,("ERROR: string overflow by "
+				"%d in string_sub(%.50s, %d)\n",
+				 (int)(ls + (li-lp) - len),
+				 pattern, (int)len));
+			break;
+		}
+		if (li != lp) {
+			memmove(p+li,p+lp,strlen(p+lp)+1);
+		}
+		for (i=0;i<li;i++) {
+			switch (insert[i]) {
+			case '`':
+			case '"':
+			case '\'':
+			case ';':
+			case '$':
+				/* allow a trailing $
+				 * (as in machine accounts) */
+				if (allow_trailing_dollar && (i == li - 1 )) {
+					p[i] = insert[i];
+					break;
+				}
+			case '%':
+			case '\r':
+			case '\n':
+				if ( remove_unsafe_characters ) {
+					p[i] = '_';
+					/* yes this break should be here
+					 * since we want to fall throw if
+					 * not replacing unsafe chars */
+					break;
+				}
+			default:
+				p[i] = insert[i];
+			}
+		}
+		s = p + li;
+		ls += (li-lp);
+
+		if (replace_once)
+			break;
+	}
+}
+
+void string_sub_once(char *s, const char *pattern,
+		const char *insert, size_t len)
+{
+	string_sub2( s, pattern, insert, len, true, true, false );
+}
+
+void string_sub(char *s,const char *pattern, const char *insert, size_t len)
+{
+	string_sub2( s, pattern, insert, len, true, false, false );
+}
+
+void fstring_sub(char *s,const char *pattern,const char *insert)
+{
+	string_sub(s, pattern, insert, sizeof(fstring));
+}
+
+/**
+ Similar to string_sub2, but it will accept only allocated strings
+ and may realloc them so pay attention at what you pass on no
+ pointers inside strings, no const may be passed
+ as string.
+**/
+
+char *realloc_string_sub2(char *string,
+			const char *pattern,
+			const char *insert,
+			bool remove_unsafe_characters,
+			bool allow_trailing_dollar)
+{
+	char *p, *in;
+	char *s;
+	ssize_t ls,lp,li,ld, i;
+
+	if (!insert || !pattern || !*pattern || !string || !*string)
+		return NULL;
+
+	s = string;
+
+	in = SMB_STRDUP(insert);
+	if (!in) {
+		DEBUG(0, ("realloc_string_sub: out of memory!\n"));
+		return NULL;
+	}
+	ls = (ssize_t)strlen(s);
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+	ld = li - lp;
+	for (i=0;i<li;i++) {
+		switch (in[i]) {
+			case '`':
+			case '"':
+			case '\'':
+			case ';':
+			case '$':
+				/* allow a trailing $
+				 * (as in machine accounts) */
+				if (allow_trailing_dollar && (i == li - 1 )) {
+					break;
+				}
+			case '%':
+			case '\r':
+			case '\n':
+				if ( remove_unsafe_characters ) {
+					in[i] = '_';
+					break;
+				}
+			default:
+				/* ok */
+				break;
+		}
+	}
+
+	while ((p = strstr_m(s,pattern))) {
+		if (ld > 0) {
+			int offset = PTR_DIFF(s,string);
+			string = (char *)SMB_REALLOC(string, ls + ld + 1);
+			if (!string) {
+				DEBUG(0, ("realloc_string_sub: "
+					"out of memory!\n"));
+				SAFE_FREE(in);
+				return NULL;
+			}
+			p = string + offset + (p - s);
+		}
+		if (li != lp) {
+			memmove(p+li,p+lp,strlen(p+lp)+1);
+		}
+		memcpy(p, in, li);
+		s = p + li;
+		ls += ld;
+	}
+	SAFE_FREE(in);
+	return string;
+}
+
+char *realloc_string_sub(char *string,
+			const char *pattern,
+			const char *insert)
+{
+	return realloc_string_sub2(string, pattern, insert, true, false);
+}
+
+/*
+ * Internal guts of talloc_string_sub and talloc_all_string_sub.
+ * talloc version of string_sub2.
+ */
+
+char *talloc_string_sub2(TALLOC_CTX *mem_ctx, const char *src,
+			const char *pattern,
+			const char *insert,
+			bool remove_unsafe_characters,
+			bool replace_once,
+			bool allow_trailing_dollar)
+{
+	char *p, *in;
+	char *s;
+	char *string;
+	ssize_t ls,lp,li,ld, i;
+
+	if (!insert || !pattern || !*pattern || !src) {
+		return NULL;
+	}
+
+	string = talloc_strdup(mem_ctx, src);
+	if (string == NULL) {
+		DEBUG(0, ("talloc_string_sub2: "
+			"talloc_strdup failed\n"));
+		return NULL;
+	}
+
+	s = string;
+
+	in = SMB_STRDUP(insert);
+	if (!in) {
+		DEBUG(0, ("talloc_string_sub2: ENOMEM\n"));
+		return NULL;
+	}
+	ls = (ssize_t)strlen(s);
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+	ld = li - lp;
+
+	for (i=0;i<li;i++) {
+		switch (in[i]) {
+			case '`':
+			case '"':
+			case '\'':
+			case ';':
+			case '$':
+				/* allow a trailing $
+				 * (as in machine accounts) */
+				if (allow_trailing_dollar && (i == li - 1 )) {
+					break;
+				}
+			case '%':
+			case '\r':
+			case '\n':
+				if (remove_unsafe_characters) {
+					in[i] = '_';
+					break;
+				}
+			default:
+				/* ok */
+				break;
+		}
+	}
+
+	while ((p = strstr_m(s,pattern))) {
+		if (ld > 0) {
+			int offset = PTR_DIFF(s,string);
+			string = (char *)TALLOC_REALLOC(mem_ctx, string,
+							ls + ld + 1);
+			if (!string) {
+				DEBUG(0, ("talloc_string_sub: out of "
+					  "memory!\n"));
+				SAFE_FREE(in);
+				return NULL;
+			}
+			p = string + offset + (p - s);
+		}
+		if (li != lp) {
+			memmove(p+li,p+lp,strlen(p+lp)+1);
+		}
+		memcpy(p, in, li);
+		s = p + li;
+		ls += ld;
+
+		if (replace_once) {
+			break;
+		}
+	}
+	SAFE_FREE(in);
+	return string;
+}
+
+/* Same as string_sub, but returns a talloc'ed string */
+
+char *talloc_string_sub(TALLOC_CTX *mem_ctx,
+			const char *src,
+			const char *pattern,
+			const char *insert)
+{
+	return talloc_string_sub2(mem_ctx, src, pattern, insert,
+			true, false, false);
+}
+
+/**
+ Similar to string_sub() but allows for any character to be substituted.
+ Use with caution!
+ if len==0 then the string cannot be extended. This is different from the old
+ use of len==0 which was for no length checks to be done.
+**/
+
+void all_string_sub(char *s,const char *pattern,const char *insert, size_t len)
+{
+	char *p;
+	ssize_t ls,lp,li;
+
+	if (!insert || !pattern || !s)
+		return;
+
+	ls = (ssize_t)strlen(s);
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+
+	if (!*pattern)
+		return;
+
+	if (len == 0)
+		len = ls + 1; /* len is number of *bytes* */
+
+	while (lp <= ls && (p = strstr_m(s,pattern))) {
+		if (ls + (li-lp) >= len) {
+			DEBUG(0,("ERROR: string overflow by "
+				"%d in all_string_sub(%.50s, %d)\n",
+				 (int)(ls + (li-lp) - len),
+				 pattern, (int)len));
+			break;
+		}
+		if (li != lp) {
+			memmove(p+li,p+lp,strlen(p+lp)+1);
+		}
+		memcpy(p, insert, li);
+		s = p + li;
+		ls += (li-lp);
+	}
+}
+
+char *talloc_all_string_sub(TALLOC_CTX *ctx,
+				const char *src,
+				const char *pattern,
+				const char *insert)
+{
+	return talloc_string_sub2(ctx, src, pattern, insert,
+			false, false, false);
+}
+
+/**
+ Write an octal as a string.
+**/
+
+char *octal_string(int i)
+{
+	char *result;
+	if (i == -1) {
+		result = talloc_strdup(talloc_tos(), "-1");
+	}
+	else {
+		result = talloc_asprintf(talloc_tos(), "0%o", i);
+	}
+	SMB_ASSERT(result != NULL);
+	return result;
+}
+
+
+/**
+ Truncate a string at a specified length.
+**/
+
+char *string_truncate(char *s, unsigned int length)
+{
+	if (s && strlen(s) > length)
+		s[length] = 0;
+	return s;
+}
+
+/**
+ Strchr and strrchr_m are very hard to do on general multi-byte strings.
+ We convert via ucs2 for now.
+**/
+
+char *strchr_m(const char *src, char c)
+{
+	smb_ucs2_t *ws = NULL;
+	char *s2 = NULL;
+	smb_ucs2_t *p;
+	const char *s;
+	char *ret;
+	size_t converted_size;
+
+	/* characters below 0x3F are guaranteed to not appear in
+	   non-initial position in multi-byte charsets */
+	if ((c & 0xC0) == 0) {
+		return strchr(src, c);
+	}
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	for (s = src; *s && !(((unsigned char)s[0]) & 0x80); s++) {
+		if (*s == c)
+			return (char *)s;
+	}
+
+	if (!*s)
+		return NULL;
+
+#ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS
+	/* With compose characters we must restart from the beginning. JRA. */
+	s = src;
+#endif
+
+	if (!push_ucs2_allocate(&ws, s, &converted_size)) {
+		/* Wrong answer, but what can we do... */
+		return strchr(src, c);
+	}
+	p = strchr_w(ws, UCS2_CHAR(c));
+	if (!p) {
+		SAFE_FREE(ws);
+		return NULL;
+	}
+	*p = 0;
+	if (!pull_ucs2_allocate(&s2, ws, &converted_size)) {
+		SAFE_FREE(ws);
+		/* Wrong answer, but what can we do... */
+		return strchr(src, c);
+	}
+	ret = (char *)(s+strlen(s2));
+	SAFE_FREE(ws);
+	SAFE_FREE(s2);
+	return ret;
+}
+
+char *strrchr_m(const char *s, char c)
+{
+	/* characters below 0x3F are guaranteed to not appear in
+	   non-initial position in multi-byte charsets */
+	if ((c & 0xC0) == 0) {
+		return strrchr(s, c);
+	}
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars). Also, in Samba
+	   we only search for ascii characters in 'c' and that
+	   in all mb character sets with a compound character
+	   containing c, if 'c' is not a match at position
+	   p, then p[-1] > 0x7f. JRA. */
+
+	{
+		size_t len = strlen(s);
+		const char *cp = s;
+		bool got_mb = false;
+
+		if (len == 0)
+			return NULL;
+		cp += (len - 1);
+		do {
+			if (c == *cp) {
+				/* Could be a match. Part of a multibyte ? */
+			       	if ((cp > s) &&
+					(((unsigned char)cp[-1]) & 0x80)) {
+					/* Yep - go slow :-( */
+					got_mb = true;
+					break;
+				}
+				/* No - we have a match ! */
+			       	return (char *)cp;
+			}
+		} while (cp-- != s);
+		if (!got_mb)
+			return NULL;
+	}
+
+	/* String contained a non-ascii char. Slow path. */
+	{
+		smb_ucs2_t *ws = NULL;
+		char *s2 = NULL;
+		smb_ucs2_t *p;
+		char *ret;
+		size_t converted_size;
+
+		if (!push_ucs2_allocate(&ws, s, &converted_size)) {
+			/* Wrong answer, but what can we do. */
+			return strrchr(s, c);
+		}
+		p = strrchr_w(ws, UCS2_CHAR(c));
+		if (!p) {
+			SAFE_FREE(ws);
+			return NULL;
+		}
+		*p = 0;
+		if (!pull_ucs2_allocate(&s2, ws, &converted_size)) {
+			SAFE_FREE(ws);
+			/* Wrong answer, but what can we do. */
+			return strrchr(s, c);
+		}
+		ret = (char *)(s+strlen(s2));
+		SAFE_FREE(ws);
+		SAFE_FREE(s2);
+		return ret;
+	}
+}
+
+/***********************************************************************
+ Return the equivalent of doing strrchr 'n' times - always going
+ backwards.
+***********************************************************************/
+
+char *strnrchr_m(const char *s, char c, unsigned int n)
+{
+	smb_ucs2_t *ws = NULL;
+	char *s2 = NULL;
+	smb_ucs2_t *p;
+	char *ret;
+	size_t converted_size;
+
+	if (!push_ucs2_allocate(&ws, s, &converted_size)) {
+		/* Too hard to try and get right. */
+		return NULL;
+	}
+	p = strnrchr_w(ws, UCS2_CHAR(c), n);
+	if (!p) {
+		SAFE_FREE(ws);
+		return NULL;
+	}
+	*p = 0;
+	if (!pull_ucs2_allocate(&s2, ws, &converted_size)) {
+		SAFE_FREE(ws);
+		/* Too hard to try and get right. */
+		return NULL;
+	}
+	ret = (char *)(s+strlen(s2));
+	SAFE_FREE(ws);
+	SAFE_FREE(s2);
+	return ret;
+}
+
+/***********************************************************************
+ strstr_m - We convert via ucs2 for now.
+***********************************************************************/
+
+char *strstr_m(const char *src, const char *findstr)
+{
+	smb_ucs2_t *p;
+	smb_ucs2_t *src_w, *find_w;
+	const char *s;
+	char *s2;
+	char *retp;
+
+	size_t converted_size, findstr_len = 0;
+
+	/* for correctness */
+	if (!findstr[0]) {
+		return (char*)src;
+	}
+
+	/* Samba does single character findstr calls a *lot*. */
+	if (findstr[1] == '\0')
+		return strchr_m(src, *findstr);
+
+	/* We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	for (s = src; *s && !(((unsigned char)s[0]) & 0x80); s++) {
+		if (*s == *findstr) {
+			if (!findstr_len)
+				findstr_len = strlen(findstr);
+
+			if (strncmp(s, findstr, findstr_len) == 0) {
+				return (char *)s;
+			}
+		}
+	}
+
+	if (!*s)
+		return NULL;
+
+#if 1 /* def BROKEN_UNICODE_COMPOSE_CHARACTERS */
+	/* 'make check' fails unless we do this */
+
+	/* With compose characters we must restart from the beginning. JRA. */
+	s = src;
+#endif
+
+	if (!push_ucs2_allocate(&src_w, src, &converted_size)) {
+		DEBUG(0,("strstr_m: src malloc fail\n"));
+		return NULL;
+	}
+
+	if (!push_ucs2_allocate(&find_w, findstr, &converted_size)) {
+		SAFE_FREE(src_w);
+		DEBUG(0,("strstr_m: find malloc fail\n"));
+		return NULL;
+	}
+
+	p = strstr_w(src_w, find_w);
+
+	if (!p) {
+		SAFE_FREE(src_w);
+		SAFE_FREE(find_w);
+		return NULL;
+	}
+
+	*p = 0;
+	if (!pull_ucs2_allocate(&s2, src_w, &converted_size)) {
+		SAFE_FREE(src_w);
+		SAFE_FREE(find_w);
+		DEBUG(0,("strstr_m: dest malloc fail\n"));
+		return NULL;
+	}
+	retp = (char *)(s+strlen(s2));
+	SAFE_FREE(src_w);
+	SAFE_FREE(find_w);
+	SAFE_FREE(s2);
+	return retp;
+}
+
+/**
+ Convert a string to lower case.
+**/
+
+void strlower_m(char *s)
+{
+	size_t len;
+	int errno_save;
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	while (*s && !(((unsigned char)s[0]) & 0x80)) {
+		*s = tolower_ascii((unsigned char)*s);
+		s++;
+	}
+
+	if (!*s)
+		return;
+
+	/* I assume that lowercased string takes the same number of bytes
+	 * as source string even in UTF-8 encoding. (VIV) */
+	len = strlen(s) + 1;
+	errno_save = errno;
+	errno = 0;
+	unix_strlower(s,len,s,len);
+	/* Catch mb conversion errors that may not terminate. */
+	if (errno)
+		s[len-1] = '\0';
+	errno = errno_save;
+}
+
+/**
+ Convert a string to upper case.
+**/
+
+void strupper_m(char *s)
+{
+	size_t len;
+	int errno_save;
+
+	/* this is quite a common operation, so we want it to be
+	   fast. We optimise for the ascii case, knowing that all our
+	   supported multi-byte character sets are ascii-compatible
+	   (ie. they match for the first 128 chars) */
+
+	while (*s && !(((unsigned char)s[0]) & 0x80)) {
+		*s = toupper_ascii_fast((unsigned char)*s);
+		s++;
+	}
+
+	if (!*s)
+		return;
+
+	/* I assume that lowercased string takes the same number of bytes
+	 * as source string even in multibyte encoding. (VIV) */
+	len = strlen(s) + 1;
+	errno_save = errno;
+	errno = 0;
+	unix_strupper(s,len,s,len);
+	/* Catch mb conversion errors that may not terminate. */
+	if (errno)
+		s[len-1] = '\0';
+	errno = errno_save;
+}
+
+/**
+ Count the number of UCS2 characters in a string. Normally this will
+ be the same as the number of bytes in a string for single byte strings,
+ but will be different for multibyte.
+**/
+
+size_t strlen_m(const char *s)
+{
+	size_t count = 0;
+
+	if (!s) {
+		return 0;
+	}
+
+	while (*s && !(((uint8_t)*s) & 0x80)) {
+		s++;
+		count++;
+	}
+
+	if (!*s) {
+		return count;
+	}
+
+	while (*s) {
+		size_t c_size;
+		codepoint_t c = next_codepoint(s, &c_size);
+		if (c < 0x10000) {
+			/* Unicode char fits into 16 bits. */
+			count += 1;
+		} else {
+			/* Double-width unicode char - 32 bits. */
+			count += 2;
+		}
+		s += c_size;
+	}
+
+	return count;
+}
+
+/**
+ Count the number of UCS2 characters in a string including the null
+ terminator.
+**/
+
+size_t strlen_m_term(const char *s)
+{
+	if (!s) {
+		return 0;
+	}
+	return strlen_m(s) + 1;
+}
+
+/*
+ * Weird helper routine for the winreg pipe: If nothing is around, return 0,
+ * if a string is there, include the terminator.
+ */
+
+size_t strlen_m_term_null(const char *s)
+{
+	size_t len;
+	if (!s) {
+		return 0;
+	}
+	len = strlen_m(s);
+	if (len == 0) {
+		return 0;
+	}
+
+	return len+1;
+}
+/**
+ Return a RFC2254 binary string representation of a buffer.
+ Used in LDAP filters.
+ Caller must free.
+**/
+
+char *binary_string_rfc2254(char *buf, int len)
+{
+	char *s;
+	int i, j;
+	const char *hex = "0123456789ABCDEF";
+	s = (char *)SMB_MALLOC(len * 3 + 1);
+	if (!s)
+		return NULL;
+	for (j=i=0;i<len;i++) {
+		s[j] = '\\';
+		s[j+1] = hex[((unsigned char)buf[i]) >> 4];
+		s[j+2] = hex[((unsigned char)buf[i]) & 0xF];
+		j += 3;
+	}
+	s[j] = 0;
+	return s;
+}
+
+char *binary_string(char *buf, int len)
+{
+	char *s;
+	int i, j;
+	const char *hex = "0123456789ABCDEF";
+	s = (char *)SMB_MALLOC(len * 2 + 1);
+	if (!s)
+		return NULL;
+	for (j=i=0;i<len;i++) {
+		s[j]   = hex[((unsigned char)buf[i]) >> 4];
+		s[j+1] = hex[((unsigned char)buf[i]) & 0xF];
+		j += 2;
+	}
+	s[j] = 0;
+	return s;
+}
+
+/**
+ Just a typesafety wrapper for snprintf into a fstring.
+**/
+
+int fstr_sprintf(fstring s, const char *fmt, ...)
+{
+	va_list ap;
+	int ret;
+
+	va_start(ap, fmt);
+	ret = vsnprintf(s, FSTRING_LEN, fmt, ap);
+	va_end(ap);
+	return ret;
+}
+
+/**
+ List of Strings manipulation functions
+**/
+
+#define S_LIST_ABS 16 /* List Allocation Block Size */
+
+char **str_list_make(TALLOC_CTX *mem_ctx, const char *string, const char *sep)
+{
+	char **list;
+	const char *str;
+	char *s;
+	int num, lsize;
+	char *tok;
+
+	if (!string || !*string)
+		return NULL;
+
+	list = TALLOC_ARRAY(mem_ctx, char *, S_LIST_ABS+1);
+	if (list == NULL) {
+		return NULL;
+	}
+	lsize = S_LIST_ABS;
+
+	s = talloc_strdup(list, string);
+	if (s == NULL) {
+		DEBUG(0,("str_list_make: Unable to allocate memory"));
+		TALLOC_FREE(list);
+		return NULL;
+	}
+	if (!sep) sep = LIST_SEP;
+
+	num = 0;
+	str = s;
+
+	while (next_token_talloc(list, &str, &tok, sep)) {
+
+		if (num == lsize) {
+			char **tmp;
+
+			lsize += S_LIST_ABS;
+
+			tmp = TALLOC_REALLOC_ARRAY(mem_ctx, list, char *,
+						   lsize + 1);
+			if (tmp == NULL) {
+				DEBUG(0,("str_list_make: "
+					"Unable to allocate memory"));
+				TALLOC_FREE(list);
+				return NULL;
+			}
+
+			list = tmp;
+
+			memset (&list[num], 0,
+				((sizeof(char**)) * (S_LIST_ABS +1)));
+		}
+
+		list[num] = tok;
+		num += 1;
+	}
+
+	list[num] = NULL;
+
+	TALLOC_FREE(s);
+	return list;
+}
+
+bool str_list_copy(TALLOC_CTX *mem_ctx, char ***dest, const char **src)
+{
+	char **list;
+	int i, num;
+
+	*dest = NULL;
+	if (!src)
+		return false;
+
+	num = 0;
+	while (src[num] != NULL) {
+		num += 1;
+	}
+
+	list = TALLOC_ARRAY(mem_ctx, char *, num+1);
+	if (list == NULL) {
+		return false;
+	}
+
+	for (i=0; i<num; i++) {
+		list[i] = talloc_strdup(list, src[i]);
+		if (list[i] == NULL) {
+			TALLOC_FREE(list);
+			return false;
+		}
+	}
+	list[i] = NULL;
+	*dest = list;
+	return true;
+}
+
+/**
+ * Return true if all the elements of the list match exactly.
+ **/
+bool str_list_compare(char **list1, char **list2)
+{
+	int num;
+
+	if (!list1 || !list2)
+		return (list1 == list2);
+
+	for (num = 0; list1[num]; num++) {
+		if (!list2[num])
+			return false;
+		if (!strcsequal(list1[num], list2[num]))
+			return false;
+	}
+	if (list2[num])
+		return false; /* if list2 has more elements than list1 fail */
+
+	return true;
+}
+
+/******************************************************************************
+ *****************************************************************************/
+
+int str_list_count( const char **list )
+{
+	int i = 0;
+
+	if ( ! list )
+		return 0;
+
+	/* count the number of list members */
+
+	for ( i=0; *list; i++, list++ );
+
+	return i;
+}
+
+/******************************************************************************
+ version of standard_sub_basic() for string lists; uses talloc_sub_basic()
+ for the work
+ *****************************************************************************/
+
+bool str_list_sub_basic( char **list, const char *smb_name,
+			 const char *domain_name )
+{
+	TALLOC_CTX *ctx = list;
+	char *s, *tmpstr;
+
+	while ( *list ) {
+		s = *list;
+		tmpstr = talloc_sub_basic(ctx, smb_name, domain_name, s);
+		if ( !tmpstr ) {
+			DEBUG(0,("str_list_sub_basic: "
+				"alloc_sub_basic() return NULL!\n"));
+			return false;
+		}
+
+		TALLOC_FREE(*list);
+		*list = tmpstr;
+
+		list++;
+	}
+
+	return true;
+}
+
+/******************************************************************************
+ substritute a specific pattern in a string list
+ *****************************************************************************/
+
+bool str_list_substitute(char **list, const char *pattern, const char *insert)
+{
+	TALLOC_CTX *ctx = list;
+	char *p, *s, *t;
+	ssize_t ls, lp, li, ld, i, d;
+
+	if (!list)
+		return false;
+	if (!pattern)
+		return false;
+	if (!insert)
+		return false;
+
+	lp = (ssize_t)strlen(pattern);
+	li = (ssize_t)strlen(insert);
+	ld = li -lp;
+
+	while (*list) {
+		s = *list;
+		ls = (ssize_t)strlen(s);
+
+		while ((p = strstr_m(s, pattern))) {
+			t = *list;
+			d = p -t;
+			if (ld) {
+				t = TALLOC_ARRAY(ctx, char, ls +ld +1);
+				if (!t) {
+					DEBUG(0,("str_list_substitute: "
+						"Unable to allocate memory"));
+					return false;
+				}
+				memcpy(t, *list, d);
+				memcpy(t +d +li, p +lp, ls -d -lp +1);
+				TALLOC_FREE(*list);
+				*list = t;
+				ls += ld;
+				s = t +d +li;
+			}
+
+			for (i = 0; i < li; i++) {
+				switch (insert[i]) {
+					case '`':
+					case '"':
+					case '\'':
+					case ';':
+					case '$':
+					case '%':
+					case '\r':
+					case '\n':
+						t[d +i] = '_';
+						break;
+					default:
+						t[d +i] = insert[i];
+				}
+			}
+		}
+
+		list++;
+	}
+
+	return true;
+}
+
+
+#define IPSTR_LIST_SEP	","
+#define IPSTR_LIST_CHAR	','
+
+/**
+ * Add ip string representation to ipstr list. Used also
+ * as part of @function ipstr_list_make
+ *
+ * @param ipstr_list pointer to string containing ip list;
+ *        MUST BE already allocated and IS reallocated if necessary
+ * @param ipstr_size pointer to current size of ipstr_list (might be changed
+ *        as a result of reallocation)
+ * @param ip IP address which is to be added to list
+ * @return pointer to string appended with new ip and possibly
+ *         reallocated to new length
+ **/
+
+static char *ipstr_list_add(char **ipstr_list, const struct ip_service *service)
+{
+	char *new_ipstr = NULL;
+	char addr_buf[INET6_ADDRSTRLEN];
+	int ret;
+
+	/* arguments checking */
+	if (!ipstr_list || !service) {
+		return NULL;
+	}
+
+	print_sockaddr(addr_buf,
+			sizeof(addr_buf),
+			&service->ss);
+
+	/* attempt to convert ip to a string and append colon separator to it */
+	if (*ipstr_list) {
+		if (service->ss.ss_family == AF_INET) {
+			/* IPv4 */
+			ret = asprintf(&new_ipstr, "%s%s%s:%d",	*ipstr_list,
+				       IPSTR_LIST_SEP, addr_buf,
+				       service->port);
+		} else {
+			/* IPv6 */
+			ret = asprintf(&new_ipstr, "%s%s[%s]:%d", *ipstr_list,
+				       IPSTR_LIST_SEP, addr_buf,
+				       service->port);
+		}
+		SAFE_FREE(*ipstr_list);
+	} else {
+		if (service->ss.ss_family == AF_INET) {
+			/* IPv4 */
+			ret = asprintf(&new_ipstr, "%s:%d", addr_buf,
+				       service->port);
+		} else {
+			/* IPv6 */
+			ret = asprintf(&new_ipstr, "[%s]:%d", addr_buf,
+				       service->port);
+		}
+	}
+	if (ret == -1) {
+		return NULL;
+	}
+	*ipstr_list = new_ipstr;
+	return *ipstr_list;
+}
+
+/**
+ * Allocate and initialise an ipstr list using ip adresses
+ * passed as arguments.
+ *
+ * @param ipstr_list pointer to string meant to be allocated and set
+ * @param ip_list array of ip addresses to place in the list
+ * @param ip_count number of addresses stored in ip_list
+ * @return pointer to allocated ip string
+ **/
+
+char *ipstr_list_make(char **ipstr_list,
+			const struct ip_service *ip_list,
+			int ip_count)
+{
+	int i;
+
+	/* arguments checking */
+	if (!ip_list || !ipstr_list) {
+		return 0;
+	}
+
+	*ipstr_list = NULL;
+
+	/* process ip addresses given as arguments */
+	for (i = 0; i < ip_count; i++) {
+		*ipstr_list = ipstr_list_add(ipstr_list, &ip_list[i]);
+	}
+
+	return (*ipstr_list);
+}
+
+
+/**
+ * Parse given ip string list into array of ip addresses
+ * (as ip_service structures)
+ *    e.g. [IPv6]:port,192.168.1.100:389,192.168.1.78, ...
+ *
+ * @param ipstr ip string list to be parsed
+ * @param ip_list pointer to array of ip addresses which is
+ *        allocated by this function and must be freed by caller
+ * @return number of successfully parsed addresses
+ **/
+
+int ipstr_list_parse(const char *ipstr_list, struct ip_service **ip_list)
+{
+	TALLOC_CTX *frame;
+	char *token_str = NULL;
+	size_t count;
+	int i;
+
+	if (!ipstr_list || !ip_list)
+		return 0;
+
+	count = count_chars(ipstr_list, IPSTR_LIST_CHAR) + 1;
+	if ( (*ip_list = SMB_MALLOC_ARRAY(struct ip_service, count)) == NULL ) {
+		DEBUG(0,("ipstr_list_parse: malloc failed for %lu entries\n",
+					(unsigned long)count));
+		return 0;
+	}
+
+	frame = talloc_stackframe();
+	for ( i=0; next_token_talloc(frame, &ipstr_list, &token_str,
+				IPSTR_LIST_SEP) && i<count; i++ ) {
+		char *s = token_str;
+		char *p = strrchr(token_str, ':');
+
+		if (p) {
+			*p = 0;
+			(*ip_list)[i].port = atoi(p+1);
+		}
+
+		/* convert single token to ip address */
+		if (token_str[0] == '[') {
+			/* IPv6 address. */
+			s++;
+			p = strchr(token_str, ']');
+			if (!p) {
+				continue;
+			}
+			*p = '\0';
+		}
+		if (!interpret_string_addr(&(*ip_list)[i].ss,
+					s,
+					AI_NUMERICHOST)) {
+			continue;
+		}
+	}
+	TALLOC_FREE(frame);
+	return count;
+}
+
+/**
+ * Safely free ip string list
+ *
+ * @param ipstr_list ip string list to be freed
+ **/
+
+void ipstr_list_free(char* ipstr_list)
+{
+	SAFE_FREE(ipstr_list);
+}
+
+/**
+ Unescape a URL encoded string, in place.
+**/
+
+void rfc1738_unescape(char *buf)
+{
+	char *p=buf;
+
+	while (p && *p && (p=strchr_m(p,'%'))) {
+		int c1 = p[1];
+		int c2 = p[2];
+
+		if (c1 >= '0' && c1 <= '9')
+			c1 = c1 - '0';
+		else if (c1 >= 'A' && c1 <= 'F')
+			c1 = 10 + c1 - 'A';
+		else if (c1 >= 'a' && c1 <= 'f')
+			c1 = 10 + c1 - 'a';
+		else {p++; continue;}
+
+		if (c2 >= '0' && c2 <= '9')
+			c2 = c2 - '0';
+		else if (c2 >= 'A' && c2 <= 'F')
+			c2 = 10 + c2 - 'A';
+		else if (c2 >= 'a' && c2 <= 'f')
+			c2 = 10 + c2 - 'a';
+		else {p++; continue;}
+
+		*p = (c1<<4) | c2;
+
+		memmove(p+1, p+3, strlen(p+3)+1);
+		p++;
+	}
+}
+
+static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+/**
+ * Decode a base64 string into a DATA_BLOB - simple and slow algorithm
+ **/
+DATA_BLOB base64_decode_data_blob(const char *s)
+{
+	int bit_offset, byte_offset, idx, i, n;
+	DATA_BLOB decoded = data_blob(s, strlen(s)+1);
+	unsigned char *d = decoded.data;
+	char *p;
+
+	n=i=0;
+
+	while (*s && (p=strchr_m(b64,*s))) {
+		idx = (int)(p - b64);
+		byte_offset = (i*6)/8;
+		bit_offset = (i*6)%8;
+		d[byte_offset] &= ~((1<<(8-bit_offset))-1);
+		if (bit_offset < 3) {
+			d[byte_offset] |= (idx << (2-bit_offset));
+			n = byte_offset+1;
+		} else {
+			d[byte_offset] |= (idx >> (bit_offset-2));
+			d[byte_offset+1] = 0;
+			d[byte_offset+1] |= (idx << (8-(bit_offset-2))) & 0xFF;
+			n = byte_offset+2;
+		}
+		s++; i++;
+	}
+
+	if ((n > 0) && (*s == '=')) {
+		n -= 1;
+	}
+
+	/* fix up length */
+	decoded.length = n;
+	return decoded;
+}
+
+/**
+ * Decode a base64 string in-place - wrapper for the above
+ **/
+void base64_decode_inplace(char *s)
+{
+	DATA_BLOB decoded = base64_decode_data_blob(s);
+
+	if ( decoded.length != 0 ) {
+		memcpy(s, decoded.data, decoded.length);
+
+		/* null terminate */
+		s[decoded.length] = '\0';
+	} else {
+		*s = '\0';
+	}
+
+	data_blob_free(&decoded);
+}
+
+/**
+ * Encode a base64 string into a talloc()ed string caller to free.
+ *
+ * From SQUID: adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c
+ * with adjustments
+ **/
+
+char *base64_encode_data_blob(TALLOC_CTX *mem_ctx, DATA_BLOB data)
+{
+	int bits = 0;
+	int char_count = 0;
+	size_t out_cnt, len, output_len;
+	char *result;
+
+        if (!data.length || !data.data)
+		return NULL;
+
+	out_cnt = 0;
+	len = data.length;
+	output_len = data.length * 2 + 4; /* Account for closing bytes. 4 is
+					   * random but should be enough for
+					   * the = and \0 */
+	result = TALLOC_ARRAY(mem_ctx, char, output_len); /* get us plenty of space */
+	SMB_ASSERT(result != NULL);
+
+	while (len-- && out_cnt < (data.length * 2) - 5) {
+		int c = (unsigned char) *(data.data++);
+		bits += c;
+		char_count++;
+		if (char_count == 3) {
+			result[out_cnt++] = b64[bits >> 18];
+			result[out_cnt++] = b64[(bits >> 12) & 0x3f];
+			result[out_cnt++] = b64[(bits >> 6) & 0x3f];
+			result[out_cnt++] = b64[bits & 0x3f];
+			bits = 0;
+			char_count = 0;
+		} else {
+			bits <<= 8;
+		}
+	}
+	if (char_count != 0) {
+		bits <<= 16 - (8 * char_count);
+		result[out_cnt++] = b64[bits >> 18];
+		result[out_cnt++] = b64[(bits >> 12) & 0x3f];
+		if (char_count == 1) {
+			result[out_cnt++] = '=';
+			result[out_cnt++] = '=';
+		} else {
+			result[out_cnt++] = b64[(bits >> 6) & 0x3f];
+			result[out_cnt++] = '=';
+		}
+	}
+	result[out_cnt] = '\0';	/* terminate */
+	return result;
+}
+
+/* read a SMB_BIG_UINT from a string */
+SMB_BIG_UINT STR_TO_SMB_BIG_UINT(const char *nptr, const char **entptr)
+{
+
+	SMB_BIG_UINT val = -1;
+	const char *p = nptr;
+
+	if (!p) {
+		if (entptr) {
+			*entptr = p;
+		}
+		return val;
+	}
+
+	while (*p && isspace(*p))
+		p++;
+
+#ifdef LARGE_SMB_OFF_T
+	sscanf(p,"%llu",&val);
+#else /* LARGE_SMB_OFF_T */
+	sscanf(p,"%lu",&val);
+#endif /* LARGE_SMB_OFF_T */
+	if (entptr) {
+		while (*p && isdigit(*p))
+			p++;
+		*entptr = p;
+	}
+
+	return val;
+}
+
+/* Convert a size specification to a count of bytes. We accept the following
+ * suffixes:
+ *	    bytes if there is no suffix
+ *	kK  kibibytes
+ *	mM  mebibytes
+ *	gG  gibibytes
+ *	tT  tibibytes
+ *	pP  whatever the ISO name for petabytes is
+ *
+ *  Returns 0 if the string can't be converted.
+ */
+SMB_OFF_T conv_str_size(const char * str)
+{
+        SMB_OFF_T lval;
+	char * end;
+
+        if (str == NULL || *str == '\0') {
+                return 0;
+        }
+
+#ifdef HAVE_STRTOULL
+	if (sizeof(SMB_OFF_T) == 8) {
+	    lval = strtoull(str, &end, 10 /* base */);
+	} else {
+	    lval = strtoul(str, &end, 10 /* base */);
+	}
+#else
+	lval = strtoul(str, &end, 10 /* base */);
+#endif
+
+        if (end == NULL || end == str) {
+                return 0;
+        }
+
+        if (*end) {
+		SMB_OFF_T lval_orig = lval;
+
+                if (strwicmp(end, "K") == 0) {
+                        lval *= (SMB_OFF_T)1024;
+                } else if (strwicmp(end, "M") == 0) {
+                        lval *= ((SMB_OFF_T)1024 * (SMB_OFF_T)1024);
+                } else if (strwicmp(end, "G") == 0) {
+                        lval *= ((SMB_OFF_T)1024 * (SMB_OFF_T)1024 *
+				(SMB_OFF_T)1024);
+                } else if (strwicmp(end, "T") == 0) {
+                        lval *= ((SMB_OFF_T)1024 * (SMB_OFF_T)1024 *
+				(SMB_OFF_T)1024 * (SMB_OFF_T)1024);
+                } else if (strwicmp(end, "P") == 0) {
+                        lval *= ((SMB_OFF_T)1024 * (SMB_OFF_T)1024 *
+				(SMB_OFF_T)1024 * (SMB_OFF_T)1024 *
+				(SMB_OFF_T)1024);
+                } else {
+                        return 0;
+                }
+
+		/* Primitive attempt to detect wrapping on platforms with
+		 * 4-byte SMB_OFF_T. It's better to let the caller handle
+		 * a failure than some random number.
+		 */
+		if (lval_orig <= lval) {
+			return 0;
+		}
+        }
+
+	return lval;
+}
+
+void string_append(char **left, const char *right)
+{
+	int new_len = strlen(right) + 1;
+
+	if (*left == NULL) {
+		*left = (char *)SMB_MALLOC(new_len);
+		*left[0] = '\0';
+	} else {
+		new_len += strlen(*left);
+		*left = (char *)SMB_REALLOC(*left, new_len);
+	}
+
+	if (*left == NULL) {
+		return;
+	}
+
+	safe_strcat(*left, right, new_len-1);
+}
+
+bool add_string_to_array(TALLOC_CTX *mem_ctx,
+			 const char *str, const char ***strings,
+			 int *num)
+{
+	char *dup_str = talloc_strdup(mem_ctx, str);
+
+	*strings = TALLOC_REALLOC_ARRAY(mem_ctx, *strings,
+			const char *, (*num)+1);
+
+	if ((*strings == NULL) || (dup_str == NULL)) {
+		*num = 0;
+		return false;
+	}
+
+	(*strings)[*num] = dup_str;
+	*num += 1;
+	return true;
+}
+
+/* Append an sprintf'ed string. Double buffer size on demand. Usable without
+ * error checking in between. The indiation that something weird happened is
+ * string==NULL */
+
+void sprintf_append(TALLOC_CTX *mem_ctx, char **string, ssize_t *len,
+		    size_t *bufsize, const char *fmt, ...)
+{
+	va_list ap;
+	char *newstr;
+	int ret;
+	bool increased;
+
+	/* len<0 is an internal marker that something failed */
+	if (*len < 0)
+		goto error;
+
+	if (*string == NULL) {
+		if (*bufsize == 0)
+			*bufsize = 128;
+
+		*string = TALLOC_ARRAY(mem_ctx, char, *bufsize);
+		if (*string == NULL)
+			goto error;
+	}
+
+	va_start(ap, fmt);
+	ret = vasprintf(&newstr, fmt, ap);
+	va_end(ap);
+
+	if (ret < 0)
+		goto error;
+
+	increased = false;
+
+	while ((*len)+ret >= *bufsize) {
+		increased = true;
+		*bufsize *= 2;
+		if (*bufsize >= (1024*1024*256))
+			goto error;
+	}
+
+	if (increased) {
+		*string = TALLOC_REALLOC_ARRAY(mem_ctx, *string, char,
+					       *bufsize);
+		if (*string == NULL) {
+			goto error;
+		}
+	}
+
+	StrnCpy((*string)+(*len), newstr, ret);
+	(*len) += ret;
+	free(newstr);
+	return;
+
+ error:
+	*len = -1;
+	*string = NULL;
+}
+
+/*
+ * asprintf into a string and strupper_m it after that.
+ */
+
+int asprintf_strupper_m(char **strp, const char *fmt, ...)
+{
+	va_list ap;
+	char *result;
+	int ret;
+
+	va_start(ap, fmt);
+	ret = vasprintf(&result, fmt, ap);
+	va_end(ap);
+
+	if (ret == -1)
+		return -1;
+
+	strupper_m(result);
+	*strp = result;
+	return ret;
+}
+
+char *talloc_asprintf_strupper_m(TALLOC_CTX *t, const char *fmt, ...)
+{
+	va_list ap;
+	char *ret;
+
+	va_start(ap, fmt);
+	ret = talloc_vasprintf(t, fmt, ap);
+	va_end(ap);
+
+	if (ret == NULL) {
+		return NULL;
+	}
+	strupper_m(ret);
+	return ret;
+}
+
+char *talloc_asprintf_strlower_m(TALLOC_CTX *t, const char *fmt, ...)
+{
+	va_list ap;
+	char *ret;
+
+	va_start(ap, fmt);
+	ret = talloc_vasprintf(t, fmt, ap);
+	va_end(ap);
+
+	if (ret == NULL) {
+		return NULL;
+	}
+	strlower_m(ret);
+	return ret;
+}
+
+
+/*
+   Returns the substring from src between the first occurrence of
+   the char "front" and the first occurence of the char "back".
+   Mallocs the return string which must be freed.  Not for use
+   with wide character strings.
+*/
+char *sstring_sub(const char *src, char front, char back)
+{
+	char *temp1, *temp2, *temp3;
+	ptrdiff_t len;
+
+	temp1 = strchr(src, front);
+	if (temp1 == NULL) return NULL;
+	temp2 = strchr(src, back);
+	if (temp2 == NULL) return NULL;
+	len = temp2 - temp1;
+	if (len <= 0) return NULL;
+	temp3 = (char*)SMB_MALLOC(len);
+	if (temp3 == NULL) {
+		DEBUG(1,("Malloc failure in sstring_sub\n"));
+		return NULL;
+	}
+	memcpy(temp3, temp1+1, len-1);
+	temp3[len-1] = '\0';
+	return temp3;
+}
+
+/********************************************************************
+ Check a string for any occurrences of a specified list of invalid
+ characters.
+********************************************************************/
+
+bool validate_net_name( const char *name,
+		const char *invalid_chars,
+		int max_len)
+{
+	int i;
+
+	for ( i=0; i<max_len && name[i]; i++ ) {
+		/* fail if strchr_m() finds one of the invalid characters */
+		if ( name[i] && strchr_m( invalid_chars, name[i] ) ) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+
+/**
+return the number of bytes occupied by a buffer in ASCII format
+the result includes the null termination
+limited by 'n' bytes
+**/
+size_t ascii_len_n(const char *src, size_t n)
+{
+	size_t len;
+
+	len = strnlen(src, n);
+	if (len+1 <= n) {
+		len += 1;
+	}
+
+	return len;
+}
+
+/**
+return the number of bytes occupied by a buffer in CH_UTF16 format
+the result includes the null termination
+**/
+size_t utf16_len(const void *buf)
+{
+	size_t len;
+
+	for (len = 0; SVAL(buf,len); len += 2) ;
+
+	return len + 2;
+}
+
+/**
+return the number of bytes occupied by a buffer in CH_UTF16 format
+the result includes the null termination
+limited by 'n' bytes
+**/
+size_t utf16_len_n(const void *src, size_t n)
+{
+	size_t len;
+
+	for (len = 0; (len+2 < n) && SVAL(src, len); len += 2) ;
+
+	if (len+2 <= n) {
+		len += 2;
+	}
+
+	return len;
+}
+
+/*******************************************************************
+ Add a shell escape character '\' to any character not in a known list
+ of characters. UNIX charset format.
+*******************************************************************/
+
+#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_/ \t.,"
+#define INSIDE_DQUOTE_LIST "$`\n\"\\"
+
+char *escape_shell_string(const char *src)
+{
+	size_t srclen = strlen(src);
+	char *ret = SMB_MALLOC_ARRAY(char, (srclen * 2) + 1);
+	char *dest = ret;
+	bool in_s_quote = false;
+	bool in_d_quote = false;
+	bool next_escaped = false;
+
+	if (!ret) {
+		return NULL;
+	}
+
+	while (*src) {
+		size_t c_size;
+		codepoint_t c = next_codepoint(src, &c_size);
+
+		if (c == INVALID_CODEPOINT) {
+			SAFE_FREE(ret);
+			return NULL;
+		}
+
+		if (c_size > 1) {
+			memcpy(dest, src, c_size);
+			src += c_size;
+			dest += c_size;
+			next_escaped = false;
+			continue;
+		}
+
+		/*
+		 * Deal with backslash escaped state.
+		 * This only lasts for one character.
+		 */
+
+		if (next_escaped) {
+			*dest++ = *src++;
+			next_escaped = false;
+			continue;
+		}
+
+		/*
+		 * Deal with single quote state. The
+		 * only thing we care about is exiting
+		 * this state.
+		 */
+
+		if (in_s_quote) {
+			if (*src == '\'') {
+				in_s_quote = false;
+			}
+			*dest++ = *src++;
+			continue;
+		}
+
+		/*
+		 * Deal with double quote state. The most
+		 * complex state. We must cope with \, meaning
+		 * possibly escape next char (depending what it
+		 * is), ", meaning exit this state, and possibly
+		 * add an \ escape to any unprotected character
+		 * (listed in INSIDE_DQUOTE_LIST).
+		 */
+
+		if (in_d_quote) {
+			if (*src == '\\') {
+				/*
+				 * Next character might be escaped.
+				 * We have to peek. Inside double
+				 * quotes only INSIDE_DQUOTE_LIST
+				 * characters are escaped by a \.
+				 */
+
+				char nextchar;
+
+				c = next_codepoint(&src[1], &c_size);
+				if (c == INVALID_CODEPOINT) {
+					SAFE_FREE(ret);
+					return NULL;
+				}
+				if (c_size > 1) {
+					/*
+					 * Don't escape the next char.
+					 * Just copy the \.
+					 */
+					*dest++ = *src++;
+					continue;
+				}
+
+				nextchar = src[1];
+
+				if (nextchar && strchr(INSIDE_DQUOTE_LIST,
+							(int)nextchar)) {
+					next_escaped = true;
+				}
+				*dest++ = *src++;
+				continue;
+			}
+
+			if (*src == '\"') {
+				/* Exit double quote state. */
+				in_d_quote = false;
+				*dest++ = *src++;
+				continue;
+			}
+
+			/*
+			 * We know the character isn't \ or ",
+			 * so escape it if it's any of the other
+			 * possible unprotected characters.
+			 */
+
+	       		if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
+				*dest++ = '\\';
+			}
+			*dest++ = *src++;
+			continue;
+		}
+
+		/*
+		 * From here to the end of the loop we're
+		 * not in the single or double quote state.
+		 */
+
+		if (*src == '\\') {
+			/* Next character must be escaped. */
+			next_escaped = true;
+			*dest++ = *src++;
+			continue;
+		}
+
+		if (*src == '\'') {
+			/* Go into single quote state. */
+			in_s_quote = true;
+			*dest++ = *src++;
+			continue;
+		}
+
+		if (*src == '\"') {
+			/* Go into double quote state. */
+			in_d_quote = true;
+			*dest++ = *src++;
+			continue;
+		}
+
+		/* Check if we need to escape the character. */
+
+	       	if (!strchr(INCLUDE_LIST, (int)*src)) {
+			*dest++ = '\\';
+		}
+		*dest++ = *src++;
+	}
+	*dest++ = '\0';
+	return ret;
+}
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
new file mode 100644
index 0000000000..8257232667
--- /dev/null
+++ b/source3/lib/util_tdb.c
@@ -0,0 +1,1481 @@
+/* 
+   Unix SMB/CIFS implementation.
+   tdb utility functions
+   Copyright (C) Andrew Tridgell   1992-1998
+   Copyright (C) Rafal Szczesniak  2002
+   Copyright (C) Michael Adam      2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#undef malloc
+#undef realloc
+#undef calloc
+#undef strdup
+
+/* these are little tdb utility functions that are meant to make
+   dealing with a tdb database a little less cumbersome in Samba */
+
+static SIG_ATOMIC_T gotalarm;
+
+/***************************************************************
+ Signal function to tell us we timed out.
+****************************************************************/
+
+static void gotalarm_sig(void)
+{
+	gotalarm = 1;
+}
+
+/***************************************************************
+ Make a TDB_DATA and keep the const warning in one place
+****************************************************************/
+
+TDB_DATA make_tdb_data(const uint8 *dptr, size_t dsize)
+{
+	TDB_DATA ret;
+	ret.dptr = CONST_DISCARD(uint8 *, dptr);
+	ret.dsize = dsize;
+	return ret;
+}
+
+TDB_DATA string_tdb_data(const char *string)
+{
+	return make_tdb_data((const uint8 *)string, string ? strlen(string) : 0 );
+}
+
+TDB_DATA string_term_tdb_data(const char *string)
+{
+	return make_tdb_data((const uint8 *)string, string ? strlen(string) + 1 : 0);
+}
+
+/****************************************************************************
+ Lock a chain with timeout (in seconds).
+****************************************************************************/
+
+static int tdb_chainlock_with_timeout_internal( TDB_CONTEXT *tdb, TDB_DATA key, unsigned int timeout, int rw_type)
+{
+	/* Allow tdb_chainlock to be interrupted by an alarm. */
+	int ret;
+	gotalarm = 0;
+
+	if (timeout) {
+		CatchSignal(SIGALRM, SIGNAL_CAST gotalarm_sig);
+		tdb_setalarm_sigptr(tdb, &gotalarm);
+		alarm(timeout);
+	}
+
+	if (rw_type == F_RDLCK)
+		ret = tdb_chainlock_read(tdb, key);
+	else
+		ret = tdb_chainlock(tdb, key);
+
+	if (timeout) {
+		alarm(0);
+		tdb_setalarm_sigptr(tdb, NULL);
+		CatchSignal(SIGALRM, SIGNAL_CAST SIG_IGN);
+		if (gotalarm) {
+			DEBUG(0,("tdb_chainlock_with_timeout_internal: alarm (%u) timed out for key %s in tdb %s\n",
+				timeout, key.dptr, tdb_name(tdb)));
+			/* TODO: If we time out waiting for a lock, it might
+			 * be nice to use F_GETLK to get the pid of the
+			 * process currently holding the lock and print that
+			 * as part of the debugging message. -- mbp */
+			return -1;
+		}
+	}
+
+	return ret;
+}
+
+/****************************************************************************
+ Write lock a chain. Return -1 if timeout or lock failed.
+****************************************************************************/
+
+int tdb_chainlock_with_timeout( TDB_CONTEXT *tdb, TDB_DATA key, unsigned int timeout)
+{
+	return tdb_chainlock_with_timeout_internal(tdb, key, timeout, F_WRLCK);
+}
+
+/****************************************************************************
+ Lock a chain by string. Return -1 if timeout or lock failed.
+****************************************************************************/
+
+int tdb_lock_bystring(TDB_CONTEXT *tdb, const char *keyval)
+{
+	TDB_DATA key = string_term_tdb_data(keyval);
+	
+	return tdb_chainlock(tdb, key);
+}
+
+int tdb_lock_bystring_with_timeout(TDB_CONTEXT *tdb, const char *keyval,
+				   int timeout)
+{
+	TDB_DATA key = string_term_tdb_data(keyval);
+	
+	return tdb_chainlock_with_timeout(tdb, key, timeout);
+}
+
+/****************************************************************************
+ Unlock a chain by string.
+****************************************************************************/
+
+void tdb_unlock_bystring(TDB_CONTEXT *tdb, const char *keyval)
+{
+	TDB_DATA key = string_term_tdb_data(keyval);
+
+	tdb_chainunlock(tdb, key);
+}
+
+/****************************************************************************
+ Read lock a chain by string. Return -1 if timeout or lock failed.
+****************************************************************************/
+
+int tdb_read_lock_bystring_with_timeout(TDB_CONTEXT *tdb, const char *keyval, unsigned int timeout)
+{
+	TDB_DATA key = string_term_tdb_data(keyval);
+	
+	return tdb_chainlock_with_timeout_internal(tdb, key, timeout, F_RDLCK);
+}
+
+/****************************************************************************
+ Read unlock a chain by string.
+****************************************************************************/
+
+void tdb_read_unlock_bystring(TDB_CONTEXT *tdb, const char *keyval)
+{
+	TDB_DATA key = string_term_tdb_data(keyval);
+	
+	tdb_chainunlock_read(tdb, key);
+}
+
+
+/****************************************************************************
+ Fetch a int32 value by a arbitrary blob key, return -1 if not found.
+ Output is int32 in native byte order.
+****************************************************************************/
+
+int32 tdb_fetch_int32_byblob(TDB_CONTEXT *tdb, TDB_DATA key)
+{
+	TDB_DATA data;
+	int32 ret;
+
+	data = tdb_fetch(tdb, key);
+	if (!data.dptr || data.dsize != sizeof(int32)) {
+		SAFE_FREE(data.dptr);
+		return -1;
+	}
+
+	ret = IVAL(data.dptr,0);
+	SAFE_FREE(data.dptr);
+	return ret;
+}
+
+/****************************************************************************
+ Fetch a int32 value by string key, return -1 if not found.
+ Output is int32 in native byte order.
+****************************************************************************/
+
+int32 tdb_fetch_int32(TDB_CONTEXT *tdb, const char *keystr)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_fetch_int32_byblob(tdb, key);
+}
+
+/****************************************************************************
+ Store a int32 value by an arbitary blob key, return 0 on success, -1 on failure.
+ Input is int32 in native byte order. Output in tdb is in little-endian.
+****************************************************************************/
+
+int tdb_store_int32_byblob(TDB_CONTEXT *tdb, TDB_DATA key, int32 v)
+{
+	TDB_DATA data;
+	int32 v_store;
+
+	SIVAL(&v_store,0,v);
+	data.dptr = (uint8 *)&v_store;
+	data.dsize = sizeof(int32);
+
+	return tdb_store(tdb, key, data, TDB_REPLACE);
+}
+
+/****************************************************************************
+ Store a int32 value by string key, return 0 on success, -1 on failure.
+ Input is int32 in native byte order. Output in tdb is in little-endian.
+****************************************************************************/
+
+int tdb_store_int32(TDB_CONTEXT *tdb, const char *keystr, int32 v)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_store_int32_byblob(tdb, key, v);
+}
+
+/****************************************************************************
+ Fetch a uint32 value by a arbitrary blob key, return -1 if not found.
+ Output is uint32 in native byte order.
+****************************************************************************/
+
+bool tdb_fetch_uint32_byblob(TDB_CONTEXT *tdb, TDB_DATA key, uint32 *value)
+{
+	TDB_DATA data;
+
+	data = tdb_fetch(tdb, key);
+	if (!data.dptr || data.dsize != sizeof(uint32)) {
+		SAFE_FREE(data.dptr);
+		return False;
+	}
+
+	*value = IVAL(data.dptr,0);
+	SAFE_FREE(data.dptr);
+	return True;
+}
+
+/****************************************************************************
+ Fetch a uint32 value by string key, return -1 if not found.
+ Output is uint32 in native byte order.
+****************************************************************************/
+
+bool tdb_fetch_uint32(TDB_CONTEXT *tdb, const char *keystr, uint32 *value)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_fetch_uint32_byblob(tdb, key, value);
+}
+
+/****************************************************************************
+ Store a uint32 value by an arbitary blob key, return 0 on success, -1 on failure.
+ Input is uint32 in native byte order. Output in tdb is in little-endian.
+****************************************************************************/
+
+bool tdb_store_uint32_byblob(TDB_CONTEXT *tdb, TDB_DATA key, uint32 value)
+{
+	TDB_DATA data;
+	uint32 v_store;
+	bool ret = True;
+
+	SIVAL(&v_store, 0, value);
+	data.dptr = (uint8 *)&v_store;
+	data.dsize = sizeof(uint32);
+
+	if (tdb_store(tdb, key, data, TDB_REPLACE) == -1)
+		ret = False;
+
+	return ret;
+}
+
+/****************************************************************************
+ Store a uint32 value by string key, return 0 on success, -1 on failure.
+ Input is uint32 in native byte order. Output in tdb is in little-endian.
+****************************************************************************/
+
+bool tdb_store_uint32(TDB_CONTEXT *tdb, const char *keystr, uint32 value)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_store_uint32_byblob(tdb, key, value);
+}
+/****************************************************************************
+ Store a buffer by a null terminated string key.  Return 0 on success, -1
+ on failure.
+****************************************************************************/
+
+int tdb_store_bystring(TDB_CONTEXT *tdb, const char *keystr, TDB_DATA data, int flags)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_store(tdb, key, data, flags);
+}
+
+int tdb_trans_store_bystring(TDB_CONTEXT *tdb, const char *keystr,
+			     TDB_DATA data, int flags)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+	
+	return tdb_trans_store(tdb, key, data, flags);
+}
+
+/****************************************************************************
+ Fetch a buffer using a null terminated string key.  Don't forget to call
+ free() on the result dptr.
+****************************************************************************/
+
+TDB_DATA tdb_fetch_bystring(TDB_CONTEXT *tdb, const char *keystr)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_fetch(tdb, key);
+}
+
+/****************************************************************************
+ Delete an entry using a null terminated string key. 
+****************************************************************************/
+
+int tdb_delete_bystring(TDB_CONTEXT *tdb, const char *keystr)
+{
+	TDB_DATA key = string_term_tdb_data(keystr);
+
+	return tdb_delete(tdb, key);
+}
+
+/****************************************************************************
+ Atomic integer change. Returns old value. To create, set initial value in *oldval. 
+****************************************************************************/
+
+int32 tdb_change_int32_atomic(TDB_CONTEXT *tdb, const char *keystr, int32 *oldval, int32 change_val)
+{
+	int32 val;
+	int32 ret = -1;
+
+	if (tdb_lock_bystring(tdb, keystr) == -1)
+		return -1;
+
+	if ((val = tdb_fetch_int32(tdb, keystr)) == -1) {
+		/* The lookup failed */
+		if (tdb_error(tdb) != TDB_ERR_NOEXIST) {
+			/* but not because it didn't exist */
+			goto err_out;
+		}
+		
+		/* Start with 'old' value */
+		val = *oldval;
+
+	} else {
+		/* It worked, set return value (oldval) to tdb data */
+		*oldval = val;
+	}
+
+	/* Increment value for storage and return next time */
+	val += change_val;
+		
+	if (tdb_store_int32(tdb, keystr, val) == -1)
+		goto err_out;
+
+	ret = 0;
+
+  err_out:
+
+	tdb_unlock_bystring(tdb, keystr);
+	return ret;
+}
+
+/****************************************************************************
+ Atomic unsigned integer change. Returns old value. To create, set initial value in *oldval. 
+****************************************************************************/
+
+bool tdb_change_uint32_atomic(TDB_CONTEXT *tdb, const char *keystr, uint32 *oldval, uint32 change_val)
+{
+	uint32 val;
+	bool ret = False;
+
+	if (tdb_lock_bystring(tdb, keystr) == -1)
+		return False;
+
+	if (!tdb_fetch_uint32(tdb, keystr, &val)) {
+		/* It failed */
+		if (tdb_error(tdb) != TDB_ERR_NOEXIST) { 
+			/* and not because it didn't exist */
+			goto err_out;
+		}
+
+		/* Start with 'old' value */
+		val = *oldval;
+
+	} else {
+		/* it worked, set return value (oldval) to tdb data */
+		*oldval = val;
+
+	}
+
+	/* get a new value to store */
+	val += change_val;
+		
+	if (!tdb_store_uint32(tdb, keystr, val))
+		goto err_out;
+
+	ret = True;
+
+  err_out:
+
+	tdb_unlock_bystring(tdb, keystr);
+	return ret;
+}
+
+/****************************************************************************
+ Useful pair of routines for packing/unpacking data consisting of
+ integers and strings.
+****************************************************************************/
+
+static size_t tdb_pack_va(uint8 *buf, int bufsize, const char *fmt, va_list ap)
+{
+	uint8 bt;
+	uint16 w;
+	uint32 d;
+	int i;
+	void *p;
+	int len;
+	char *s;
+	char c;
+	uint8 *buf0 = buf;
+	const char *fmt0 = fmt;
+	int bufsize0 = bufsize;
+
+	while (*fmt) {
+		switch ((c = *fmt++)) {
+		case 'b': /* unsigned 8-bit integer */
+			len = 1;
+			bt = (uint8)va_arg(ap, int);
+			if (bufsize && bufsize >= len)
+				SSVAL(buf, 0, bt);
+			break;
+		case 'w': /* unsigned 16-bit integer */
+			len = 2;
+			w = (uint16)va_arg(ap, int);
+			if (bufsize && bufsize >= len)
+				SSVAL(buf, 0, w);
+			break;
+		case 'd': /* signed 32-bit integer (standard int in most systems) */
+			len = 4;
+			d = va_arg(ap, uint32);
+			if (bufsize && bufsize >= len)
+				SIVAL(buf, 0, d);
+			break;
+		case 'p': /* pointer */
+			len = 4;
+			p = va_arg(ap, void *);
+			d = p?1:0;
+			if (bufsize && bufsize >= len)
+				SIVAL(buf, 0, d);
+			break;
+		case 'P': /* null-terminated string */
+			s = va_arg(ap,char *);
+			w = strlen(s);
+			len = w + 1;
+			if (bufsize && bufsize >= len)
+				memcpy(buf, s, len);
+			break;
+		case 'f': /* null-terminated string */
+			s = va_arg(ap,char *);
+			w = strlen(s);
+			len = w + 1;
+			if (bufsize && bufsize >= len)
+				memcpy(buf, s, len);
+			break;
+		case 'B': /* fixed-length string */
+			i = va_arg(ap, int);
+			s = va_arg(ap, char *);
+			len = 4+i;
+			if (bufsize && bufsize >= len) {
+				SIVAL(buf, 0, i);
+				memcpy(buf+4, s, i);
+			}
+			break;
+		default:
+			DEBUG(0,("Unknown tdb_pack format %c in %s\n", 
+				 c, fmt));
+			len = 0;
+			break;
+		}
+
+		buf += len;
+		if (bufsize)
+			bufsize -= len;
+		if (bufsize < 0)
+			bufsize = 0;
+	}
+
+	DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n", 
+		 fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+	
+	return PTR_DIFF(buf, buf0);
+}
+
+size_t tdb_pack(uint8 *buf, int bufsize, const char *fmt, ...)
+{
+	va_list ap;
+	size_t result;
+
+	va_start(ap, fmt);
+	result = tdb_pack_va(buf, bufsize, fmt, ap);
+	va_end(ap);
+	return result;
+}
+
+bool tdb_pack_append(TALLOC_CTX *mem_ctx, uint8 **buf, size_t *len,
+		     const char *fmt, ...)
+{
+	va_list ap;
+	size_t len1, len2;
+
+	va_start(ap, fmt);
+	len1 = tdb_pack_va(NULL, 0, fmt, ap);
+	va_end(ap);
+
+	if (mem_ctx != NULL) {
+		*buf = TALLOC_REALLOC_ARRAY(mem_ctx, *buf, uint8,
+					    (*len) + len1);
+	} else {
+		*buf = SMB_REALLOC_ARRAY(*buf, uint8, (*len) + len1);
+	}
+
+	if (*buf == NULL) {
+		return False;
+	}
+
+	va_start(ap, fmt);
+	len2 = tdb_pack_va((*buf)+(*len), len1, fmt, ap);
+	va_end(ap);
+
+	if (len1 != len2) {
+		return False;
+	}
+
+	*len += len2;
+
+	return True;
+}
+
+/****************************************************************************
+ Useful pair of routines for packing/unpacking data consisting of
+ integers and strings.
+****************************************************************************/
+
+int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
+{
+	va_list ap;
+	uint8 *bt;
+	uint16 *w;
+	uint32 *d;
+	int len;
+	int *i;
+	void **p;
+	char *s, **b, **ps;
+	char c;
+	const uint8 *buf0 = buf;
+	const char *fmt0 = fmt;
+	int bufsize0 = bufsize;
+
+	va_start(ap, fmt);
+
+	while (*fmt) {
+		switch ((c=*fmt++)) {
+		case 'b':
+			len = 1;
+			bt = va_arg(ap, uint8 *);
+			if (bufsize < len)
+				goto no_space;
+			*bt = SVAL(buf, 0);
+			break;
+		case 'w':
+			len = 2;
+			w = va_arg(ap, uint16 *);
+			if (bufsize < len)
+				goto no_space;
+			*w = SVAL(buf, 0);
+			break;
+		case 'd':
+			len = 4;
+			d = va_arg(ap, uint32 *);
+			if (bufsize < len)
+				goto no_space;
+			*d = IVAL(buf, 0);
+			break;
+		case 'p':
+			len = 4;
+			p = va_arg(ap, void **);
+			if (bufsize < len)
+				goto no_space;
+			/*
+			 * This isn't a real pointer - only a token (1 or 0)
+			 * to mark the fact a pointer is present.
+			 */
+
+			*p = (void *)(IVAL(buf, 0) ? (void *)1 : NULL);
+			break;
+		case 'P':
+			/* Return malloc'ed string. */
+			ps = va_arg(ap,char **);
+			len = strlen((const char *)buf) + 1;
+			*ps = SMB_STRDUP((const char *)buf);
+			break;
+		case 'f':
+			s = va_arg(ap,char *);
+			len = strlen((const char *)buf) + 1;
+			if (bufsize < len || len > sizeof(fstring))
+				goto no_space;
+			memcpy(s, buf, len);
+			break;
+		case 'B':
+			i = va_arg(ap, int *);
+			b = va_arg(ap, char **);
+			len = 4;
+			if (bufsize < len)
+				goto no_space;
+			*i = IVAL(buf, 0);
+			if (! *i) {
+				*b = NULL;
+				break;
+			}
+			len += *i;
+			if (bufsize < len)
+				goto no_space;
+			*b = (char *)SMB_MALLOC(*i);
+			if (! *b)
+				goto no_space;
+			memcpy(*b, buf+4, *i);
+			break;
+		default:
+			DEBUG(0,("Unknown tdb_unpack format %c in %s\n",
+				 c, fmt));
+
+			len = 0;
+			break;
+		}
+
+		buf += len;
+		bufsize -= len;
+	}
+
+	va_end(ap);
+
+	DEBUG(18,("tdb_unpack(%s, %d) -> %d\n",
+		 fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+
+	return PTR_DIFF(buf, buf0);
+
+ no_space:
+	va_end(ap);
+	return -1;
+}
+
+
+/****************************************************************************
+ Log tdb messages via DEBUG().
+****************************************************************************/
+
+static void tdb_log(TDB_CONTEXT *tdb, enum tdb_debug_level level, const char *format, ...)
+{
+	va_list ap;
+	char *ptr = NULL;
+	int ret;
+
+	va_start(ap, format);
+	ret = vasprintf(&ptr, format, ap);
+	va_end(ap);
+
+	if ((ret == -1) || !*ptr)
+		return;
+
+	DEBUG((int)level, ("tdb(%s): %s", tdb_name(tdb) ? tdb_name(tdb) : "unnamed", ptr));
+	SAFE_FREE(ptr);
+}
+
+/****************************************************************************
+ Like tdb_open() but also setup a logging function that redirects to
+ the samba DEBUG() system.
+****************************************************************************/
+
+TDB_CONTEXT *tdb_open_log(const char *name, int hash_size, int tdb_flags,
+			  int open_flags, mode_t mode)
+{
+	TDB_CONTEXT *tdb;
+	struct tdb_logging_context log_ctx;
+
+	if (!lp_use_mmap())
+		tdb_flags |= TDB_NOMMAP;
+
+	log_ctx.log_fn = tdb_log;
+	log_ctx.log_private = NULL;
+
+	if ((hash_size == 0) && (name != NULL)) {
+		const char *base = strrchr_m(name, '/');
+		if (base != NULL) {
+			base += 1;
+		}
+		else {
+			base = name;
+		}
+		hash_size = lp_parm_int(-1, "tdb_hashsize", base, 0);
+	}
+
+	tdb = tdb_open_ex(name, hash_size, tdb_flags, 
+			  open_flags, mode, &log_ctx, NULL);
+	if (!tdb)
+		return NULL;
+
+	return tdb;
+}
+
+
+/**
+ * Search across the whole tdb for keys that match the given pattern
+ * return the result as a list of keys
+ *
+ * @param tdb pointer to opened tdb file context
+ * @param pattern searching pattern used by fnmatch(3) functions
+ *
+ * @return list of keys found by looking up with given pattern
+ **/
+TDB_LIST_NODE *tdb_search_keys(TDB_CONTEXT *tdb, const char* pattern)
+{
+	TDB_DATA key, next;
+	TDB_LIST_NODE *list = NULL;
+	TDB_LIST_NODE *rec = NULL;
+	
+	for (key = tdb_firstkey(tdb); key.dptr; key = next) {
+		/* duplicate key string to ensure null-termination */
+		char *key_str = SMB_STRNDUP((const char *)key.dptr, key.dsize);
+		if (!key_str) {
+			DEBUG(0, ("tdb_search_keys: strndup() failed!\n"));
+			smb_panic("strndup failed!\n");
+		}
+		
+		DEBUG(18, ("checking %s for match to pattern %s\n", key_str, pattern));
+		
+		next = tdb_nextkey(tdb, key);
+
+		/* do the pattern checking */
+		if (fnmatch(pattern, key_str, 0) == 0) {
+			rec = SMB_MALLOC_P(TDB_LIST_NODE);
+			ZERO_STRUCTP(rec);
+
+			rec->node_key = key;
+	
+			DLIST_ADD_END(list, rec, TDB_LIST_NODE *);
+		
+			DEBUG(18, ("checking %s matched pattern %s\n", key_str, pattern));
+		} else {
+			free(key.dptr);
+		}
+		
+		/* free duplicated key string */
+		free(key_str);
+	}
+	
+	return list;
+
+}
+
+
+/**
+ * Free the list returned by tdb_search_keys
+ *
+ * @param node list of results found by tdb_search_keys
+ **/
+void tdb_search_list_free(TDB_LIST_NODE* node)
+{
+	TDB_LIST_NODE *next_node;
+	
+	while (node) {
+		next_node = node->next;
+		SAFE_FREE(node->node_key.dptr);
+		SAFE_FREE(node);
+		node = next_node;
+	};
+}
+
+/****************************************************************************
+ tdb_store, wrapped in a transaction. This way we make sure that a process
+ that dies within writing does not leave a corrupt tdb behind.
+****************************************************************************/
+
+int tdb_trans_store(struct tdb_context *tdb, TDB_DATA key, TDB_DATA dbuf,
+		    int flag)
+{
+	int res;
+
+	if ((res = tdb_transaction_start(tdb)) != 0) {
+		DEBUG(5, ("tdb_transaction_start failed\n"));
+		return res;
+	}
+
+	if ((res = tdb_store(tdb, key, dbuf, flag)) != 0) {
+		DEBUG(10, ("tdb_store failed\n"));
+		if (tdb_transaction_cancel(tdb) != 0) {
+			smb_panic("Cancelling transaction failed");
+		}
+		return res;
+	}
+
+	if ((res = tdb_transaction_commit(tdb)) != 0) {
+		DEBUG(5, ("tdb_transaction_commit failed\n"));
+	}
+
+	return res;
+}
+
+/****************************************************************************
+ tdb_delete, wrapped in a transaction. This way we make sure that a process
+ that dies within deleting does not leave a corrupt tdb behind.
+****************************************************************************/
+
+int tdb_trans_delete(struct tdb_context *tdb, TDB_DATA key)
+{
+	int res;
+
+	if ((res = tdb_transaction_start(tdb)) != 0) {
+		DEBUG(5, ("tdb_transaction_start failed\n"));
+		return res;
+	}
+
+	if ((res = tdb_delete(tdb, key)) != 0) {
+		DEBUG(10, ("tdb_delete failed\n"));
+		if (tdb_transaction_cancel(tdb) != 0) {
+			smb_panic("Cancelling transaction failed");
+		}
+		return res;
+	}
+
+	if ((res = tdb_transaction_commit(tdb)) != 0) {
+		DEBUG(5, ("tdb_transaction_commit failed\n"));
+	}
+
+	return res;
+}
+
+/*
+ Log tdb messages via DEBUG().
+*/
+static void tdb_wrap_log(TDB_CONTEXT *tdb, enum tdb_debug_level level, 
+			 const char *format, ...) PRINTF_ATTRIBUTE(3,4);
+
+static void tdb_wrap_log(TDB_CONTEXT *tdb, enum tdb_debug_level level, 
+			 const char *format, ...)
+{
+	va_list ap;
+	char *ptr = NULL;
+	int debuglevel = 0;
+	int ret;
+
+	switch (level) {
+	case TDB_DEBUG_FATAL:
+		debuglevel = 0;
+		break;
+	case TDB_DEBUG_ERROR:
+		debuglevel = 1;
+		break;
+	case TDB_DEBUG_WARNING:
+		debuglevel = 2;
+		break;
+	case TDB_DEBUG_TRACE:
+		debuglevel = 5;
+		break;
+	default:
+		debuglevel = 0;
+	}		
+
+	va_start(ap, format);
+	ret = vasprintf(&ptr, format, ap);
+	va_end(ap);
+
+	if (ret != -1) {
+		const char *name = tdb_name(tdb);
+		DEBUG(debuglevel, ("tdb(%s): %s", name ? name : "unnamed", ptr));
+		free(ptr);
+	}
+}
+
+static struct tdb_wrap *tdb_list;
+
+/* destroy the last connection to a tdb */
+static int tdb_wrap_destructor(struct tdb_wrap *w)
+{
+	tdb_close(w->tdb);
+	DLIST_REMOVE(tdb_list, w);
+	return 0;
+}				 
+
+/*
+  wrapped connection to a tdb database
+  to close just talloc_free() the tdb_wrap pointer
+ */
+struct tdb_wrap *tdb_wrap_open(TALLOC_CTX *mem_ctx,
+			       const char *name, int hash_size, int tdb_flags,
+			       int open_flags, mode_t mode)
+{
+	struct tdb_wrap *w;
+	struct tdb_logging_context log_ctx;
+	log_ctx.log_fn = tdb_wrap_log;
+
+	if (!lp_use_mmap())
+		tdb_flags |= TDB_NOMMAP;
+
+	for (w=tdb_list;w;w=w->next) {
+		if (strcmp(name, w->name) == 0) {
+			/*
+			 * Yes, talloc_reference is exactly what we want
+			 * here. Otherwise we would have to implement our own
+			 * reference counting.
+			 */
+			return talloc_reference(mem_ctx, w);
+		}
+	}
+
+	w = talloc(mem_ctx, struct tdb_wrap);
+	if (w == NULL) {
+		return NULL;
+	}
+
+	if (!(w->name = talloc_strdup(w, name))) {
+		talloc_free(w);
+		return NULL;
+	}
+
+	if ((hash_size == 0) && (name != NULL)) {
+		const char *base = strrchr_m(name, '/');
+		if (base != NULL) {
+			base += 1;
+		}
+		else {
+			base = name;
+		}
+		hash_size = lp_parm_int(-1, "tdb_hashsize", base, 0);
+	}
+
+	w->tdb = tdb_open_ex(name, hash_size, tdb_flags, 
+			     open_flags, mode, &log_ctx, NULL);
+	if (w->tdb == NULL) {
+		talloc_free(w);
+		return NULL;
+	}
+
+	talloc_set_destructor(w, tdb_wrap_destructor);
+
+	DLIST_ADD(tdb_list, w);
+
+	return w;
+}
+
+NTSTATUS map_nt_error_from_tdb(enum TDB_ERROR err)
+{
+	struct { enum TDB_ERROR err; NTSTATUS status; }	map[] =
+		{ { TDB_SUCCESS,	NT_STATUS_OK },
+		  { TDB_ERR_CORRUPT,	NT_STATUS_INTERNAL_DB_CORRUPTION },
+		  { TDB_ERR_IO,		NT_STATUS_UNEXPECTED_IO_ERROR },
+		  { TDB_ERR_OOM,	NT_STATUS_NO_MEMORY },
+		  { TDB_ERR_EXISTS,	NT_STATUS_OBJECT_NAME_COLLISION },
+
+		  /*
+		   * TDB_ERR_LOCK is very broad, we could for example
+		   * distinguish between fcntl locks and invalid lock
+		   * sequences. So NT_STATUS_FILE_LOCK_CONFLICT is a
+		   * compromise.
+		   */
+		  { TDB_ERR_LOCK,	NT_STATUS_FILE_LOCK_CONFLICT },
+		  /*
+		   * The next two ones in the enum are not actually used
+		   */
+		  { TDB_ERR_NOLOCK,	NT_STATUS_FILE_LOCK_CONFLICT },
+		  { TDB_ERR_LOCK_TIMEOUT, NT_STATUS_FILE_LOCK_CONFLICT },
+		  { TDB_ERR_NOEXIST,	NT_STATUS_NOT_FOUND },
+		  { TDB_ERR_EINVAL,	NT_STATUS_INVALID_PARAMETER },
+		  { TDB_ERR_RDONLY,	NT_STATUS_ACCESS_DENIED }
+		};
+
+	int i;
+
+	for (i=0; i < sizeof(map) / sizeof(map[0]); i++) {
+		if (err == map[i].err) {
+			return map[i].status;
+		}
+	}
+
+	return NT_STATUS_INTERNAL_ERROR;
+}
+
+
+/*********************************************************************
+ * the following is a generic validation mechanism for tdbs.
+ *********************************************************************/
+
+/* 
+ * internal validation function, executed by the child.  
+ */
+static int tdb_validate_child(struct tdb_context *tdb,
+			      tdb_validate_data_func validate_fn)
+{
+	int ret = 1;
+	int num_entries = 0;
+	struct tdb_validation_status v_status;
+
+	v_status.tdb_error = False;
+	v_status.bad_freelist = False;
+	v_status.bad_entry = False;
+	v_status.unknown_key = False;
+	v_status.success = True;
+
+	if (!tdb) {
+		v_status.tdb_error = True;
+		v_status.success = False;
+		goto out;
+	}
+
+	/* Check if the tdb's freelist is good. */
+	if (tdb_validate_freelist(tdb, &num_entries) == -1) {
+		v_status.bad_freelist = True;
+		v_status.success = False;
+		goto out;
+	}
+
+	DEBUG(10,("tdb_validate_child: tdb %s freelist has %d entries\n",
+		  tdb_name(tdb), num_entries));
+
+	/* Now traverse the tdb to validate it. */
+	num_entries = tdb_traverse(tdb, validate_fn, (void *)&v_status);
+	if (!v_status.success) {
+		goto out;
+	} else if (num_entries == -1) {
+		v_status.tdb_error = True;
+		v_status.success = False;
+		goto out;
+	}
+
+	DEBUG(10,("tdb_validate_child: tdb %s is good with %d entries\n",
+		  tdb_name(tdb), num_entries));
+	ret = 0; /* Cache is good. */
+
+out:
+	DEBUG(10,   ("tdb_validate_child: summary of validation status:\n"));
+	DEBUGADD(10,(" * tdb error: %s\n", v_status.tdb_error ? "yes" : "no"));
+	DEBUGADD(10,(" * bad freelist: %s\n",v_status.bad_freelist?"yes":"no"));
+	DEBUGADD(10,(" * bad entry: %s\n", v_status.bad_entry ? "yes" : "no"));
+	DEBUGADD(10,(" * unknown key: %s\n", v_status.unknown_key?"yes":"no"));
+	DEBUGADD(10,(" => overall success: %s\n", v_status.success?"yes":"no"));
+
+	return ret;
+}
+
+/*
+ * tdb validation function.
+ * returns 0 if tdb is ok, != 0 if it isn't.
+ * this function expects an opened tdb.
+ */
+int tdb_validate(struct tdb_context *tdb, tdb_validate_data_func validate_fn)
+{
+	pid_t child_pid = -1;
+	int child_status = 0;
+	int wait_pid = 0;
+	int ret = 1;
+
+	if (tdb == NULL) {
+		DEBUG(1, ("Error: tdb_validate called with tdb == NULL\n"));
+		return ret;
+	}
+
+	DEBUG(5, ("tdb_validate called for tdb '%s'\n", tdb_name(tdb)));
+
+	/* fork and let the child do the validation.
+	 * benefit: no need to twist signal handlers and panic functions.
+	 * just let the child panic. we catch the signal. */
+
+	DEBUG(10, ("tdb_validate: forking to let child do validation.\n"));
+	child_pid = sys_fork();
+	if (child_pid == 0) {
+		/* child code */
+		DEBUG(10, ("tdb_validate (validation child): created\n"));
+		DEBUG(10, ("tdb_validate (validation child): "
+			   "calling tdb_validate_child\n"));
+		exit(tdb_validate_child(tdb, validate_fn));
+	}
+	else if (child_pid < 0) {
+		DEBUG(1, ("tdb_validate: fork for validation failed.\n"));
+		goto done;
+	}
+
+	/* parent */
+
+	DEBUG(10, ("tdb_validate: fork succeeded, child PID = %d\n",child_pid));
+
+	DEBUG(10, ("tdb_validate: waiting for child to finish...\n"));
+	while  ((wait_pid = sys_waitpid(child_pid, &child_status, 0)) < 0) {
+		if (errno == EINTR) {
+			DEBUG(10, ("tdb_validate: got signal during waitpid, "
+				   "retrying\n"));
+			errno = 0;
+			continue;
+		}
+		DEBUG(1, ("tdb_validate: waitpid failed with error '%s'.\n",
+			  strerror(errno)));
+		goto done;
+	}
+	if (wait_pid != child_pid) {
+		DEBUG(1, ("tdb_validate: waitpid returned pid %d, "
+			  "but %d was expected\n", wait_pid, child_pid));
+		goto done;
+	}
+
+	DEBUG(10, ("tdb_validate: validating child returned.\n"));
+	if (WIFEXITED(child_status)) {
+		DEBUG(10, ("tdb_validate: child exited, code %d.\n",
+			   WEXITSTATUS(child_status)));
+		ret = WEXITSTATUS(child_status);
+	}
+	if (WIFSIGNALED(child_status)) {
+		DEBUG(10, ("tdb_validate: child terminated by signal %d\n",
+			   WTERMSIG(child_status)));
+#ifdef WCOREDUMP
+		if (WCOREDUMP(child_status)) {
+			DEBUGADD(10, ("core dumped\n"));
+		}
+#endif
+		ret = WTERMSIG(child_status);
+	}
+	if (WIFSTOPPED(child_status)) {
+		DEBUG(10, ("tdb_validate: child was stopped by signal %d\n",
+			   WSTOPSIG(child_status)));
+		ret = WSTOPSIG(child_status);
+	}
+
+done:
+	DEBUG(5, ("tdb_validate returning code '%d' for tdb '%s'\n", ret,
+		  tdb_name(tdb)));
+
+	return ret;
+}
+
+/*
+ * tdb validation function.
+ * returns 0 if tdb is ok, != 0 if it isn't.
+ * this is a wrapper around the actual validation function that opens and closes
+ * the tdb.
+ */
+int tdb_validate_open(const char *tdb_path, tdb_validate_data_func validate_fn)
+{
+	TDB_CONTEXT *tdb = NULL;
+	int ret = 1;
+
+	DEBUG(5, ("tdb_validate_open called for tdb '%s'\n", tdb_path));
+
+	tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDONLY, 0);
+	if (!tdb) {
+		DEBUG(1, ("Error opening tdb %s\n", tdb_path));
+		return ret;
+	}
+
+	ret = tdb_validate(tdb, validate_fn);
+	tdb_close(tdb);
+	return ret;
+}
+
+/*
+ * tdb backup function and helpers for tdb_validate wrapper with backup
+ * handling.
+ */
+
+/* this structure eliminates the need for a global overall status for
+ * the traverse-copy */
+struct tdb_copy_data {
+	struct tdb_context *dst;
+	bool success;
+};
+
+static int traverse_copy_fn(struct tdb_context *tdb, TDB_DATA key,
+			    TDB_DATA dbuf, void *private_data)
+{
+	struct tdb_copy_data *data = (struct tdb_copy_data *)private_data;
+
+	if (tdb_store(data->dst, key, dbuf, TDB_INSERT) != 0) {
+		DEBUG(4, ("Failed to insert into %s: %s\n", tdb_name(data->dst),
+			  strerror(errno)));
+		data->success = False;
+		return 1;
+	}
+	return 0;
+}
+
+static int tdb_copy(struct tdb_context *src, struct tdb_context *dst)
+{
+	struct tdb_copy_data data;
+	int count;
+
+	data.dst = dst;
+	data.success = True;
+
+	count = tdb_traverse(src, traverse_copy_fn, (void *)(&data));
+	if ((count < 0) || (data.success == False)) {
+		return -1;
+	}
+	return count;
+}
+
+static int tdb_verify_basic(struct tdb_context *tdb)
+{
+	return tdb_traverse(tdb, NULL, NULL);
+}
+
+/* this backup function is essentially taken from lib/tdb/tools/tdbbackup.tdb
+ */
+static int tdb_backup(TALLOC_CTX *ctx, const char *src_path,
+		      const char *dst_path, int hash_size)
+{
+	struct tdb_context *src_tdb = NULL;
+	struct tdb_context *dst_tdb = NULL;
+	char *tmp_path = NULL;
+	struct stat st;
+	int count1, count2;
+	int saved_errno = 0;
+	int ret = -1;
+
+	if (stat(src_path, &st) != 0) {
+		DEBUG(3, ("Could not stat '%s': %s\n", src_path,
+			  strerror(errno)));
+		goto done;
+	}
+
+	/* open old tdb RDWR - so we can lock it */
+	src_tdb = tdb_open_log(src_path, 0, TDB_DEFAULT, O_RDWR, 0);
+	if (src_tdb == NULL) {
+		DEBUG(3, ("Failed to open tdb '%s'\n", src_path));
+		goto done;
+	}
+
+	if (tdb_lockall(src_tdb) != 0) {
+		DEBUG(3, ("Failed to lock tdb '%s'\n", src_path));
+		goto done;
+	}
+
+	tmp_path = talloc_asprintf(ctx, "%s%s", dst_path, ".tmp");
+	unlink(tmp_path);
+	dst_tdb = tdb_open_log(tmp_path,
+			       hash_size ? hash_size : tdb_hash_size(src_tdb),
+			       TDB_DEFAULT, O_RDWR | O_CREAT | O_EXCL,
+			       st.st_mode & 0777);
+	if (dst_tdb == NULL) {
+		DEBUG(3, ("Error creating tdb '%s': %s\n", tmp_path,
+			  strerror(errno)));
+		saved_errno = errno;
+		unlink(tmp_path);
+		goto done;
+	}
+
+	count1 = tdb_copy(src_tdb, dst_tdb);
+	if (count1 < 0) {
+		DEBUG(3, ("Failed to copy tdb '%s': %s\n", src_path,
+			  strerror(errno)));
+		tdb_close(dst_tdb);
+		goto done;
+	}
+
+	/* reopen ro and do basic verification */
+	tdb_close(dst_tdb);
+	dst_tdb = tdb_open_log(tmp_path, 0, TDB_DEFAULT, O_RDONLY, 0);
+	if (!dst_tdb) {
+		DEBUG(3, ("Failed to reopen tdb '%s': %s\n", tmp_path,
+			  strerror(errno)));
+		goto done;
+	}
+	count2 = tdb_verify_basic(dst_tdb);
+	if (count2 != count1) {
+		DEBUG(3, ("Failed to verify result of copying tdb '%s'.\n",
+			  src_path));
+		tdb_close(dst_tdb);
+		goto done;
+	}
+
+	DEBUG(10, ("tdb_backup: successfully copied %d entries\n", count1));
+
+	/* make sure the new tdb has reached stable storage
+	 * then rename it to its destination */
+	fsync(tdb_fd(dst_tdb));
+	tdb_close(dst_tdb);
+	unlink(dst_path);
+	if (rename(tmp_path, dst_path) != 0) {
+		DEBUG(3, ("Failed to rename '%s' to '%s': %s\n",
+			  tmp_path, dst_path, strerror(errno)));
+		goto done;
+	}
+
+	/* success */
+	ret = 0;
+
+done:
+	if (src_tdb != NULL) {
+		tdb_close(src_tdb);
+	}
+	if (tmp_path != NULL) {
+		unlink(tmp_path);
+		TALLOC_FREE(tmp_path);
+	}
+	if (saved_errno != 0) {
+		errno = saved_errno;
+	}
+	return ret;
+}
+
+static int rename_file_with_suffix(TALLOC_CTX *ctx, const char *path,
+				   const char *suffix)
+{
+	int ret = -1;
+	char *dst_path;
+
+	dst_path = talloc_asprintf(ctx, "%s%s", path, suffix);
+
+	ret = (rename(path, dst_path) != 0);
+
+	if (ret == 0) {
+		DEBUG(5, ("moved '%s' to '%s'\n", path, dst_path));
+	} else if (errno == ENOENT) {
+		DEBUG(3, ("file '%s' does not exist - so not moved\n", path));
+		ret = 0;
+	} else {
+		DEBUG(3, ("error renaming %s to %s: %s\n", path, dst_path,
+			  strerror(errno)));
+	}
+
+	TALLOC_FREE(dst_path);
+	return ret;
+}
+
+/*
+ * do a backup of a tdb, moving the destination out of the way first
+ */
+static int tdb_backup_with_rotate(TALLOC_CTX *ctx, const char *src_path,
+		      		  const char *dst_path, int hash_size,
+				  const char *rotate_suffix,
+				  bool retry_norotate_if_nospc,
+				  bool rename_as_last_resort_if_nospc)
+{
+	int ret;
+
+        rename_file_with_suffix(ctx, dst_path, rotate_suffix);
+
+        ret = tdb_backup(ctx, src_path, dst_path, hash_size);
+
+	if (ret != 0) {
+		DEBUG(10, ("backup of %s failed: %s\n", src_path, strerror(errno)));
+	}
+        if ((ret != 0) && (errno == ENOSPC) && retry_norotate_if_nospc)
+        {
+                char *rotate_path = talloc_asprintf(ctx, "%s%s", dst_path,
+                                                    rotate_suffix);
+                DEBUG(10, ("backup of %s failed due to lack of space\n",
+			   src_path));
+                DEBUGADD(10, ("trying to free some space by removing rotated "
+			      "dst %s\n", rotate_path));
+                if (unlink(rotate_path) == -1) {
+                        DEBUG(10, ("unlink of %s failed: %s\n", rotate_path,
+				   strerror(errno)));
+                } else {
+                        ret = tdb_backup(ctx, src_path, dst_path, hash_size);
+                }
+                TALLOC_FREE(rotate_path);
+        }
+
+        if ((ret != 0) && (errno == ENOSPC) && rename_as_last_resort_if_nospc)
+        {
+                DEBUG(10, ("backup of %s failed due to lack of space\n", 
+			   src_path));
+                DEBUGADD(10, ("using 'rename' as a last resort\n"));
+                ret = rename(src_path, dst_path);
+        }
+
+        return ret;
+}
+
+/*
+ * validation function with backup handling:
+ *
+ *  - calls tdb_validate
+ *  - if the tdb is ok, create a backup "name.bak", possibly moving
+ *    existing backup to name.bak.old,
+ *    return 0 (success) even if the backup fails
+ *  - if the tdb is corrupt:
+ *    - move the tdb to "name.corrupt"
+ *    - check if there is valid backup.
+ *      if so, restore the backup.
+ *      if restore is successful, return 0 (success),
+ *    - otherwise return -1 (failure)
+ */
+int tdb_validate_and_backup(const char *tdb_path,
+			    tdb_validate_data_func validate_fn)
+{
+	int ret = -1;
+	const char *backup_suffix = ".bak";
+	const char *corrupt_suffix = ".corrupt";
+	const char *rotate_suffix = ".old";
+	char *tdb_path_backup;
+	struct stat st;
+	TALLOC_CTX *ctx = NULL;
+
+	ctx = talloc_new(NULL);
+	if (ctx == NULL) {
+		DEBUG(0, ("tdb_validate_and_backup: out of memory\n"));
+		goto done;
+	}
+
+	tdb_path_backup = talloc_asprintf(ctx, "%s%s", tdb_path, backup_suffix);
+
+	ret = tdb_validate_open(tdb_path, validate_fn);
+
+	if (ret == 0) {
+		DEBUG(1, ("tdb '%s' is valid\n", tdb_path));
+		ret = tdb_backup_with_rotate(ctx, tdb_path, tdb_path_backup, 0,
+					     rotate_suffix, True, False);
+		if (ret != 0) {
+			DEBUG(1, ("Error creating backup of tdb '%s'\n",
+				  tdb_path));
+			/* the actual validation was successful: */
+			ret = 0;
+		} else {
+			DEBUG(1, ("Created backup '%s' of tdb '%s'\n",
+				  tdb_path_backup, tdb_path));
+		}
+	} else {
+		DEBUG(1, ("tdb '%s' is invalid\n", tdb_path));
+
+		ret =stat(tdb_path_backup, &st);
+		if (ret != 0) {
+			DEBUG(5, ("Could not stat '%s': %s\n", tdb_path_backup,
+				  strerror(errno)));
+			DEBUG(1, ("No backup found.\n"));
+		} else {
+			DEBUG(1, ("backup '%s' found.\n", tdb_path_backup));
+			ret = tdb_validate_open(tdb_path_backup, validate_fn);
+			if (ret != 0) {
+				DEBUG(1, ("Backup '%s' is invalid.\n",
+					  tdb_path_backup));
+			}
+		}
+
+		if (ret != 0) {
+			int renamed = rename_file_with_suffix(ctx, tdb_path,
+							      corrupt_suffix);
+			if (renamed != 0) {
+				DEBUG(1, ("Error moving tdb to '%s%s'\n",
+					  tdb_path, corrupt_suffix));
+			} else {
+				DEBUG(1, ("Corrupt tdb stored as '%s%s'\n",
+					  tdb_path, corrupt_suffix));
+			}
+			goto done;
+		}
+
+		DEBUG(1, ("valid backup '%s' found\n", tdb_path_backup));
+		ret = tdb_backup_with_rotate(ctx, tdb_path_backup, tdb_path, 0,
+					     corrupt_suffix, True, True);
+		if (ret != 0) {
+			DEBUG(1, ("Error restoring backup from '%s'\n",
+				  tdb_path_backup));
+		} else {
+			DEBUG(1, ("Restored tdb backup from '%s'\n",
+				  tdb_path_backup));
+		}
+	}
+
+done:
+	TALLOC_FREE(ctx);
+	return ret;
+}
diff --git a/source3/lib/util_transfer_file.c b/source3/lib/util_transfer_file.c
new file mode 100644
index 0000000000..1e3b76fc77
--- /dev/null
+++ b/source3/lib/util_transfer_file.c
@@ -0,0 +1,110 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Utility functions to transfer files.
+ *
+ * Copyright (C) Jeremy Allison 2001-2002
+ * Copyright (C) Michael Adam 2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+
+#include <includes.h>
+
+/****************************************************************************
+ Transfer some data between two fd's.
+****************************************************************************/
+
+#ifndef TRANSFER_BUF_SIZE
+#define TRANSFER_BUF_SIZE 65536
+#endif
+
+
+ssize_t transfer_file_internal(void *in_file,
+			       void *out_file,
+			       size_t n,
+			       ssize_t (*read_fn)(void *, void *, size_t),
+			       ssize_t (*write_fn)(void *, const void *, size_t))
+{
+	char *buf;
+	size_t total = 0;
+	ssize_t read_ret;
+	ssize_t write_ret;
+	size_t num_to_read_thistime;
+	size_t num_written = 0;
+
+	if ((buf = SMB_MALLOC_ARRAY(char, TRANSFER_BUF_SIZE)) == NULL) {
+		return -1;
+	}
+
+	while (total < n) {
+		num_to_read_thistime = MIN((n - total), TRANSFER_BUF_SIZE);
+
+		read_ret = (*read_fn)(in_file, buf, num_to_read_thistime);
+		if (read_ret == -1) {
+			DEBUG(0,("transfer_file_internal: read failure. "
+				 "Error = %s\n", strerror(errno) ));
+			SAFE_FREE(buf);
+			return -1;
+		}
+		if (read_ret == 0) {
+			break;
+		}
+
+		num_written = 0;
+
+		while (num_written < read_ret) {
+			write_ret = (*write_fn)(out_file, buf + num_written,
+					        read_ret - num_written);
+
+			if (write_ret == -1) {
+				DEBUG(0,("transfer_file_internal: "
+					 "write failure. Error = %s\n",
+					 strerror(errno) ));
+				SAFE_FREE(buf);
+				return -1;
+			}
+			if (write_ret == 0) {
+				return (ssize_t)total;
+			}
+
+			num_written += (size_t)write_ret;
+		}
+
+		total += (size_t)read_ret;
+	}
+
+	SAFE_FREE(buf);
+	return (ssize_t)total;
+}
+
+static ssize_t sys_read_fn(void *file, void *buf, size_t len)
+{
+	int *fd = (int *)file;
+
+	return sys_read(*fd, buf, len);
+}
+
+static ssize_t sys_write_fn(void *file, const void *buf, size_t len)
+{
+	int *fd = (int *)file;
+
+	return sys_write(*fd, buf, len);
+}
+
+SMB_OFF_T transfer_file(int infd, int outfd, SMB_OFF_T n)
+{
+	return (SMB_OFF_T)transfer_file_internal(&infd, &outfd, (size_t)n,
+						 sys_read_fn, sys_write_fn);
+}
diff --git a/source3/lib/util_unistr.c b/source3/lib/util_unistr.c
new file mode 100644
index 0000000000..4e78d1b064
--- /dev/null
+++ b/source3/lib/util_unistr.c
@@ -0,0 +1,1104 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+   Copyright (C) Andrew Tridgell 1992-2001
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Jeremy Allison 2005
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#ifndef MAXUNI
+#define MAXUNI 1024
+#endif
+
+/* these 3 tables define the unicode case handling.  They are loaded
+   at startup either via mmap() or read() from the lib directory */
+static smb_ucs2_t *upcase_table;
+static smb_ucs2_t *lowcase_table;
+static uint8 *valid_table;
+static bool upcase_table_use_unmap;
+static bool lowcase_table_use_unmap;
+static bool valid_table_use_unmap;
+static bool initialized;
+
+/**
+ * Destroy global objects allocated by load_case_tables()
+ **/
+void gfree_case_tables(void)
+{
+	if ( upcase_table ) {
+		if ( upcase_table_use_unmap )
+			unmap_file(upcase_table, 0x20000);
+		else
+			SAFE_FREE(upcase_table);
+	}
+
+	if ( lowcase_table ) {
+		if ( lowcase_table_use_unmap )
+			unmap_file(lowcase_table, 0x20000);
+		else
+			SAFE_FREE(lowcase_table);
+	}
+
+	if ( valid_table ) {
+		if ( valid_table_use_unmap )
+			unmap_file(valid_table, 0x10000);
+		else
+			SAFE_FREE(valid_table);
+	}
+	initialized = false;
+}
+
+/**
+ * Load or generate the case handling tables.
+ *
+ * The case tables are defined in UCS2 and don't depend on any
+ * configured parameters, so they never need to be reloaded.
+ **/
+
+void load_case_tables(void)
+{
+	char *old_locale = NULL, *saved_locale = NULL;
+	int i;
+	TALLOC_CTX *frame = NULL;
+
+	if (initialized) {
+		return;
+	}
+	initialized = true;
+
+	frame = talloc_stackframe();
+
+	upcase_table = (smb_ucs2_t *)map_file(data_path("upcase.dat"),
+					      0x20000);
+	upcase_table_use_unmap = ( upcase_table != NULL );
+
+	lowcase_table = (smb_ucs2_t *)map_file(data_path("lowcase.dat"),
+					       0x20000);
+	lowcase_table_use_unmap = ( lowcase_table != NULL );
+
+#ifdef HAVE_SETLOCALE
+	/* Get the name of the current locale.  */
+	old_locale = setlocale(LC_ALL, NULL);
+
+	if (old_locale) {
+		/* Save it as it is in static storage. */
+		saved_locale = SMB_STRDUP(old_locale);
+	}
+
+	/* We set back the locale to C to get ASCII-compatible toupper/lower functions. */
+	setlocale(LC_ALL, "C");
+#endif
+
+	/* we would like Samba to limp along even if these tables are
+	   not available */
+	if (!upcase_table) {
+		DEBUG(1,("creating lame upcase table\n"));
+		upcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
+		for (i=0;i<0x10000;i++) {
+			smb_ucs2_t v;
+			SSVAL(&v, 0, i);
+			upcase_table[v] = i;
+		}
+		for (i=0;i<256;i++) {
+			smb_ucs2_t v;
+			SSVAL(&v, 0, UCS2_CHAR(i));
+			upcase_table[v] = UCS2_CHAR(islower(i)?toupper(i):i);
+		}
+	}
+
+	if (!lowcase_table) {
+		DEBUG(1,("creating lame lowcase table\n"));
+		lowcase_table = (smb_ucs2_t *)SMB_MALLOC(0x20000);
+		for (i=0;i<0x10000;i++) {
+			smb_ucs2_t v;
+			SSVAL(&v, 0, i);
+			lowcase_table[v] = i;
+		}
+		for (i=0;i<256;i++) {
+			smb_ucs2_t v;
+			SSVAL(&v, 0, UCS2_CHAR(i));
+			lowcase_table[v] = UCS2_CHAR(isupper(i)?tolower(i):i);
+		}
+	}
+
+#ifdef HAVE_SETLOCALE
+	/* Restore the old locale. */
+	if (saved_locale) {
+		setlocale (LC_ALL, saved_locale);
+		SAFE_FREE(saved_locale);
+	}
+#endif
+	TALLOC_FREE(frame);
+}
+
+static int check_dos_char_slowly(smb_ucs2_t c)
+{
+	char buf[10];
+	smb_ucs2_t c2 = 0;
+	int len1, len2;
+
+	len1 = convert_string(CH_UTF16LE, CH_DOS, &c, 2, buf, sizeof(buf),False);
+	if (len1 == 0) {
+		return 0;
+	}
+	len2 = convert_string(CH_DOS, CH_UTF16LE, buf, len1, &c2, 2,False);
+	if (len2 != 2) {
+		return 0;
+	}
+	return (c == c2);
+}
+
+/**
+ * Load the valid character map table from <tt>valid.dat</tt> or
+ * create from the configured codepage.
+ *
+ * This function is called whenever the configuration is reloaded.
+ * However, the valid character table is not changed if it's loaded
+ * from a file, because we can't unmap files.
+ **/
+
+void init_valid_table(void)
+{
+	static int mapped_file;
+	int i;
+	const char *allowed = ".!#$%&'()_-@^`~";
+	uint8 *valid_file;
+
+	if (mapped_file) {
+		/* Can't unmap files, so stick with what we have */
+		return;
+	}
+
+	valid_file = (uint8 *)map_file(data_path("valid.dat"), 0x10000);
+	if (valid_file) {
+		valid_table = valid_file;
+		mapped_file = 1;
+		valid_table_use_unmap = True;
+		return;
+	}
+
+	/* Otherwise, we're using a dynamically created valid_table.
+	 * It might need to be regenerated if the code page changed.
+	 * We know that we're not using a mapped file, so we can
+	 * free() the old one. */
+	SAFE_FREE(valid_table);
+
+	/* use free rather than unmap */
+	valid_table_use_unmap = False;
+
+	DEBUG(2,("creating default valid table\n"));
+	valid_table = (uint8 *)SMB_MALLOC(0x10000);
+	SMB_ASSERT(valid_table != NULL);
+	for (i=0;i<128;i++) {
+		valid_table[i] = isalnum(i) || strchr(allowed,i);
+	}
+
+	lazy_initialize_conv();
+
+	for (;i<0x10000;i++) {
+		smb_ucs2_t c;
+		SSVAL(&c, 0, i);
+		valid_table[i] = check_dos_char_slowly(c);
+	}
+}
+
+/*******************************************************************
+ Write a string in (little-endian) unicode format. src is in
+ the current DOS codepage. len is the length in bytes of the
+ string pointed to by dst.
+
+ if null_terminate is True then null terminate the packet (adds 2 bytes)
+
+ the return value is the length in bytes consumed by the string, including the
+ null termination if applied
+********************************************************************/
+
+size_t dos_PutUniCode(char *dst,const char *src, size_t len, bool null_terminate)
+{
+	int flags = null_terminate ? STR_UNICODE|STR_NOALIGN|STR_TERMINATE
+				   : STR_UNICODE|STR_NOALIGN;
+	return push_ucs2(NULL, dst, src, len, flags);
+}
+
+
+/*******************************************************************
+ Skip past a unicode string, but not more than len. Always move
+ past a terminating zero if found.
+********************************************************************/
+
+char *skip_unibuf(char *src, size_t len)
+{
+	char *srcend = src + len;
+
+	while (src < srcend && SVAL(src,0)) {
+		src += 2;
+	}
+
+	if(!SVAL(src,0)) {
+		src += 2;
+	}
+
+	return src;
+}
+
+/* Copy a string from little-endian or big-endian unicode source (depending
+ * on flags) to internal samba format destination
+ */ 
+
+int rpcstr_pull(char* dest, void *src, int dest_len, int src_len, int flags)
+{
+	if (!src) {
+		dest[0] = 0;
+		return 0;
+	}
+	if(dest_len==-1) {
+		dest_len=MAXUNI-3;
+	}
+	return pull_ucs2(NULL, dest, src, dest_len, src_len, flags|STR_UNICODE|STR_NOALIGN);
+}
+
+/* Copy a string from little-endian or big-endian unicode source (depending
+ * on flags) to internal samba format destination. Allocates on talloc ctx.
+ */
+
+int rpcstr_pull_talloc(TALLOC_CTX *ctx,
+			char **dest,
+			void *src,
+			int src_len,
+			int flags)
+{
+	return pull_ucs2_base_talloc(ctx,
+			NULL,
+			dest,
+			src,
+			src_len,
+			flags|STR_UNICODE|STR_NOALIGN);
+
+}
+
+/* Copy a string from a unistr2 source to internal samba format
+   destination.  Use this instead of direct calls to rpcstr_pull() to avoid
+   having to determine whether the source string is null terminated. */
+
+int rpcstr_pull_unistr2_fstring(char *dest, UNISTR2 *src)
+{
+        return pull_ucs2(NULL, dest, src->buffer, sizeof(fstring),
+                         src->uni_str_len * 2, 0);
+}
+
+/* Helper function to return a talloc'ed string. I have implemented it with a
+ * copy because I don't really know how pull_ucs2 and friends calculate the
+ * target size. If this turns out to be a major bottleneck someone with deeper
+ * multi-byte knowledge needs to revisit this.
+ * I just did (JRA :-). No longer uses copy.
+ * My (VL) use is dsr_getdcname, which returns 6 strings, the alternative would
+ * have been to manually talloc_strdup them in rpc_client/cli_netlogon.c.
+ */
+
+char *rpcstr_pull_unistr2_talloc(TALLOC_CTX *ctx, const UNISTR2 *src)
+{
+	char *dest = NULL;
+	size_t dest_len;
+
+	if (!convert_string_talloc(ctx, CH_UTF16LE, CH_UNIX, src->buffer,
+				   src->uni_str_len * 2, (void *)&dest,
+				   &dest_len, true))
+	{
+		return NULL;
+	}
+
+	/* Ensure we're returning a null terminated string. */
+	if (dest_len) {
+		/* Did we already process the terminating zero ? */
+		if (dest[dest_len-1] != 0) {
+			size_t size = talloc_get_size(dest);
+			/* Have we got space to append the '\0' ? */
+			if (size <= dest_len) {
+				/* No, realloc. */
+				dest = TALLOC_REALLOC_ARRAY(ctx, dest, char,
+						dest_len+1);
+				if (!dest) {
+					/* talloc fail. */
+					dest_len = (size_t)-1;
+					return NULL;
+				}
+			}
+			/* Yay - space ! */
+			dest[dest_len] = '\0';
+			dest_len++;
+		}
+	} else if (dest) {
+		dest[0] = 0;
+	}
+
+	return dest;
+}
+
+/* Converts a string from internal samba format to unicode
+ */
+
+int rpcstr_push(void *dest, const char *src, size_t dest_len, int flags)
+{
+	return push_ucs2(NULL, dest, src, dest_len, flags|STR_UNICODE|STR_NOALIGN);
+}
+
+/* Converts a string from internal samba format to unicode. Always terminates.
+ * Actually just a wrapper round push_ucs2_talloc().
+ */
+
+int rpcstr_push_talloc(TALLOC_CTX *ctx, smb_ucs2_t **dest, const char *src)
+{
+	size_t size;
+	if (push_ucs2_talloc(ctx, dest, src, &size))
+		return size;
+	else
+		return -1;
+}
+
+/*******************************************************************
+ Convert a (little-endian) UNISTR2 structure to an ASCII string.
+********************************************************************/
+
+void unistr2_to_ascii(char *dest, const UNISTR2 *str, size_t maxlen)
+{
+	if ((str == NULL) || (str->uni_str_len == 0)) {
+		*dest='\0';
+		return;
+	}
+	pull_ucs2(NULL, dest, str->buffer, maxlen, str->uni_str_len*2, STR_NOALIGN);
+}
+
+#if 0
+/*******************************************************************
+ Convert a (little-endian) UNISTR3 structure to an ASCII string.
+********************************************************************/
+
+void unistr3_to_ascii(char *dest, const UNISTR3 *str, size_t maxlen)
+{
+	if ((str == NULL) || (str->uni_str_len == 0)) {
+		*dest='\0';
+		return;
+	}
+	pull_ucs2(NULL, dest, str->str.buffer, maxlen, str->uni_str_len*2,
+	          STR_NOALIGN);
+}
+#endif
+
+/*******************************************************************
+ Duplicate a UNISTR2 string into a null terminated char*
+ using a talloc context.
+********************************************************************/
+
+char *unistr2_to_ascii_talloc(TALLOC_CTX *ctx, const UNISTR2 *str)
+{
+	char *s = NULL;
+
+	if (!str || !str->buffer) {
+		return NULL;
+	}
+	if (pull_ucs2_base_talloc(ctx,
+				NULL,
+				&s,
+				str->buffer,
+				str->uni_str_len*2,
+				STR_NOALIGN) == (size_t)-1) {
+		return NULL;
+	}
+	return s;
+}
+
+/*******************************************************************
+ Return a string for displaying a UNISTR2. Guarentees to return a
+ valid string - "" if nothing else.
+ Changed to use talloc_tos() under the covers.... JRA.
+********************************************************************/
+
+const char *unistr2_static(const UNISTR2 *str)
+{
+	char *dest = NULL;
+
+	if ((str == NULL) || (str->uni_str_len == 0)) {
+		return "";
+	}
+
+	dest = unistr2_to_ascii_talloc(talloc_tos(), str);
+	if (!dest) {
+		return "";
+	}
+
+	return dest;
+}
+
+/*******************************************************************
+ Convert a wchar to upper case.
+********************************************************************/
+
+smb_ucs2_t toupper_w(smb_ucs2_t val)
+{
+	return upcase_table[SVAL(&val,0)];
+}
+
+/*******************************************************************
+ Convert a wchar to lower case.
+********************************************************************/
+
+smb_ucs2_t tolower_w( smb_ucs2_t val )
+{
+	return lowcase_table[SVAL(&val,0)];
+}
+
+/*******************************************************************
+ Determine if a character is lowercase.
+********************************************************************/
+
+bool islower_w(smb_ucs2_t c)
+{
+	return upcase_table[SVAL(&c,0)] != c;
+}
+
+/*******************************************************************
+ Determine if a character is uppercase.
+********************************************************************/
+
+bool isupper_w(smb_ucs2_t c)
+{
+	return lowcase_table[SVAL(&c,0)] != c;
+}
+
+/*******************************************************************
+ Determine if a character is valid in a 8.3 name.
+********************************************************************/
+
+bool isvalid83_w(smb_ucs2_t c)
+{
+	return valid_table[SVAL(&c,0)] != 0;
+}
+
+/*******************************************************************
+ Count the number of characters in a smb_ucs2_t string.
+********************************************************************/
+
+size_t strlen_w(const smb_ucs2_t *src)
+{
+	size_t len;
+	smb_ucs2_t c;
+
+	for(len = 0; *(COPY_UCS2_CHAR(&c,src)); src++, len++) {
+		;
+	}
+
+	return len;
+}
+
+/*******************************************************************
+ Count up to max number of characters in a smb_ucs2_t string.
+********************************************************************/
+
+size_t strnlen_w(const smb_ucs2_t *src, size_t max)
+{
+	size_t len;
+	smb_ucs2_t c;
+
+	for(len = 0; (len < max) && *(COPY_UCS2_CHAR(&c,src)); src++, len++) {
+		;
+	}
+
+	return len;
+}
+
+/*******************************************************************
+ Wide strchr().
+********************************************************************/
+
+smb_ucs2_t *strchr_w(const smb_ucs2_t *s, smb_ucs2_t c)
+{
+	smb_ucs2_t cp;
+	while (*(COPY_UCS2_CHAR(&cp,s))) {
+		if (c == cp) {
+			return (smb_ucs2_t *)s;
+		}
+		s++;
+	}
+	if (c == cp) {
+		return (smb_ucs2_t *)s;
+	}
+
+	return NULL;
+}
+
+smb_ucs2_t *strchr_wa(const smb_ucs2_t *s, char c)
+{
+	return strchr_w(s, UCS2_CHAR(c));
+}
+
+/*******************************************************************
+ Wide strrchr().
+********************************************************************/
+
+smb_ucs2_t *strrchr_w(const smb_ucs2_t *s, smb_ucs2_t c)
+{
+	smb_ucs2_t cp;
+	const smb_ucs2_t *p = s;
+	int len = strlen_w(s);
+
+	if (len == 0) {
+		return NULL;
+	}
+	p += (len - 1);
+	do {
+		if (c == *(COPY_UCS2_CHAR(&cp,p))) {
+			return (smb_ucs2_t *)p;
+		}
+	} while (p-- != s);
+	return NULL;
+}
+
+/*******************************************************************
+ Wide version of strrchr that returns after doing strrchr 'n' times.
+********************************************************************/
+
+smb_ucs2_t *strnrchr_w(const smb_ucs2_t *s, smb_ucs2_t c, unsigned int n)
+{
+	smb_ucs2_t cp;
+	const smb_ucs2_t *p = s;
+	int len = strlen_w(s);
+
+	if (len == 0 || !n) {
+		return NULL;
+	}
+	p += (len - 1);
+	do {
+		if (c == *(COPY_UCS2_CHAR(&cp,p))) {
+			n--;
+		}
+
+		if (!n) {
+			return (smb_ucs2_t *)p;
+		}
+	} while (p-- != s);
+	return NULL;
+}
+
+/*******************************************************************
+ Wide strstr().
+********************************************************************/
+
+smb_ucs2_t *strstr_w(const smb_ucs2_t *s, const smb_ucs2_t *ins)
+{
+	smb_ucs2_t *r;
+	size_t inslen;
+
+	if (!s || !*s || !ins || !*ins) {
+		return NULL;
+	}
+
+	inslen = strlen_w(ins);
+	r = (smb_ucs2_t *)s;
+
+	while ((r = strchr_w(r, *ins))) {
+		if (strncmp_w(r, ins, inslen) == 0) {
+			return r;
+		}
+		r++;
+	}
+
+	return NULL;
+}
+
+/*******************************************************************
+ Convert a string to lower case.
+ return True if any char is converted
+********************************************************************/
+
+bool strlower_w(smb_ucs2_t *s)
+{
+	smb_ucs2_t cp;
+	bool ret = False;
+
+	while (*(COPY_UCS2_CHAR(&cp,s))) {
+		smb_ucs2_t v = tolower_w(cp);
+		if (v != cp) {
+			COPY_UCS2_CHAR(s,&v);
+			ret = True;
+		}
+		s++;
+	}
+	return ret;
+}
+
+/*******************************************************************
+ Convert a string to upper case.
+ return True if any char is converted
+********************************************************************/
+
+bool strupper_w(smb_ucs2_t *s)
+{
+	smb_ucs2_t cp;
+	bool ret = False;
+	while (*(COPY_UCS2_CHAR(&cp,s))) {
+		smb_ucs2_t v = toupper_w(cp);
+		if (v != cp) {
+			COPY_UCS2_CHAR(s,&v);
+			ret = True;
+		}
+		s++;
+	}
+	return ret;
+}
+
+/*******************************************************************
+ Convert a string to "normal" form.
+********************************************************************/
+
+void strnorm_w(smb_ucs2_t *s, int case_default)
+{
+	if (case_default == CASE_UPPER) {
+		strupper_w(s);
+	} else {
+		strlower_w(s);
+	}
+}
+
+int strcmp_w(const smb_ucs2_t *a, const smb_ucs2_t *b)
+{
+	smb_ucs2_t cpa, cpb;
+
+	while ((*(COPY_UCS2_CHAR(&cpb,b))) && (*(COPY_UCS2_CHAR(&cpa,a)) == cpb)) {
+		a++;
+		b++;
+	}
+	return (*(COPY_UCS2_CHAR(&cpa,a)) - *(COPY_UCS2_CHAR(&cpb,b)));
+	/* warning: if *a != *b and both are not 0 we return a random
+		greater or lesser than 0 number not realted to which
+		string is longer */
+}
+
+int strncmp_w(const smb_ucs2_t *a, const smb_ucs2_t *b, size_t len)
+{
+	smb_ucs2_t cpa, cpb;
+	size_t n = 0;
+
+	while ((n < len) && (*(COPY_UCS2_CHAR(&cpb,b))) && (*(COPY_UCS2_CHAR(&cpa,a)) == cpb)) {
+		a++;
+		b++;
+		n++;
+	}
+	return (len - n)?(*(COPY_UCS2_CHAR(&cpa,a)) - *(COPY_UCS2_CHAR(&cpb,b))):0;
+}
+
+/*******************************************************************
+ Case insensitive string comparison.
+********************************************************************/
+
+int strcasecmp_w(const smb_ucs2_t *a, const smb_ucs2_t *b)
+{
+	smb_ucs2_t cpa, cpb;
+
+	while ((*COPY_UCS2_CHAR(&cpb,b)) && toupper_w(*(COPY_UCS2_CHAR(&cpa,a))) == toupper_w(cpb)) {
+		a++;
+		b++;
+	}
+	return (tolower_w(*(COPY_UCS2_CHAR(&cpa,a))) - tolower_w(*(COPY_UCS2_CHAR(&cpb,b))));
+}
+
+/*******************************************************************
+ Case insensitive string comparison, length limited.
+********************************************************************/
+
+int strncasecmp_w(const smb_ucs2_t *a, const smb_ucs2_t *b, size_t len)
+{
+	smb_ucs2_t cpa, cpb;
+	size_t n = 0;
+
+	while ((n < len) && *COPY_UCS2_CHAR(&cpb,b) && (toupper_w(*(COPY_UCS2_CHAR(&cpa,a))) == toupper_w(cpb))) {
+		a++;
+		b++;
+		n++;
+	}
+	return (len - n)?(tolower_w(*(COPY_UCS2_CHAR(&cpa,a))) - tolower_w(*(COPY_UCS2_CHAR(&cpb,b)))):0;
+}
+
+/*******************************************************************
+ Compare 2 strings.
+********************************************************************/
+
+bool strequal_w(const smb_ucs2_t *s1, const smb_ucs2_t *s2)
+{
+	if (s1 == s2) {
+		return(True);
+	}
+	if (!s1 || !s2) {
+		return(False);
+	}
+  
+	return(strcasecmp_w(s1,s2)==0);
+}
+
+/*******************************************************************
+ Compare 2 strings up to and including the nth char.
+******************************************************************/
+
+bool strnequal_w(const smb_ucs2_t *s1,const smb_ucs2_t *s2,size_t n)
+{
+	if (s1 == s2) {
+		return(True);
+	}
+	if (!s1 || !s2 || !n) {
+		return(False);
+	}
+  
+	return(strncasecmp_w(s1,s2,n)==0);
+}
+
+/*******************************************************************
+ Duplicate string.
+********************************************************************/
+
+smb_ucs2_t *strdup_w(const smb_ucs2_t *src)
+{
+	return strndup_w(src, 0);
+}
+
+/* if len == 0 then duplicate the whole string */
+
+smb_ucs2_t *strndup_w(const smb_ucs2_t *src, size_t len)
+{
+	smb_ucs2_t *dest;
+	
+	if (!len) {
+		len = strlen_w(src);
+	}
+	dest = SMB_MALLOC_ARRAY(smb_ucs2_t, len + 1);
+	if (!dest) {
+		DEBUG(0,("strdup_w: out of memory!\n"));
+		return NULL;
+	}
+
+	memcpy(dest, src, len * sizeof(smb_ucs2_t));
+	dest[len] = 0;
+	return dest;
+}
+
+/*******************************************************************
+ Copy a string with max len.
+********************************************************************/
+
+smb_ucs2_t *strncpy_w(smb_ucs2_t *dest, const smb_ucs2_t *src, const size_t max)
+{
+	smb_ucs2_t cp;
+	size_t len;
+	
+	if (!dest || !src) {
+		return NULL;
+	}
+	
+	for (len = 0; (*COPY_UCS2_CHAR(&cp,(src+len))) && (len < max); len++) {
+		cp = *COPY_UCS2_CHAR(dest+len,src+len);
+	}
+	cp = 0;
+	for ( /*nothing*/ ; len < max; len++ ) {
+		cp = *COPY_UCS2_CHAR(dest+len,&cp);
+	}
+	
+	return dest;
+}
+
+/*******************************************************************
+ Append a string of len bytes and add a terminator.
+********************************************************************/
+
+smb_ucs2_t *strncat_w(smb_ucs2_t *dest, const smb_ucs2_t *src, const size_t max)
+{	
+	size_t start;
+	size_t len;	
+	smb_ucs2_t z = 0;
+
+	if (!dest || !src) {
+		return NULL;
+	}
+	
+	start = strlen_w(dest);
+	len = strnlen_w(src, max);
+
+	memcpy(&dest[start], src, len*sizeof(smb_ucs2_t));			
+	z = *COPY_UCS2_CHAR(dest+start+len,&z);
+
+	return dest;
+}
+
+smb_ucs2_t *strcat_w(smb_ucs2_t *dest, const smb_ucs2_t *src)
+{	
+	size_t start;
+	size_t len;	
+	smb_ucs2_t z = 0;
+	
+	if (!dest || !src) {
+		return NULL;
+	}
+	
+	start = strlen_w(dest);
+	len = strlen_w(src);
+
+	memcpy(&dest[start], src, len*sizeof(smb_ucs2_t));			
+	z = *COPY_UCS2_CHAR(dest+start+len,&z);
+	
+	return dest;
+}
+
+
+/*******************************************************************
+ Replace any occurence of oldc with newc in unicode string.
+********************************************************************/
+
+void string_replace_w(smb_ucs2_t *s, smb_ucs2_t oldc, smb_ucs2_t newc)
+{
+	smb_ucs2_t cp;
+
+	for(;*(COPY_UCS2_CHAR(&cp,s));s++) {
+		if(cp==oldc) {
+			COPY_UCS2_CHAR(s,&newc);
+		}
+	}
+}
+
+/*******************************************************************
+ Trim unicode string.
+********************************************************************/
+
+bool trim_string_w(smb_ucs2_t *s, const smb_ucs2_t *front,
+				  const smb_ucs2_t *back)
+{
+	bool ret = False;
+	size_t len, front_len, back_len;
+
+	if (!s) {
+		return False;
+	}
+
+	len = strlen_w(s);
+
+	if (front && *front) {
+		front_len = strlen_w(front);
+		while (len && strncmp_w(s, front, front_len) == 0) {
+			memmove(s, (s + front_len), (len - front_len + 1) * sizeof(smb_ucs2_t));
+			len -= front_len;
+			ret = True;
+		}
+	}
+	
+	if (back && *back) {
+		back_len = strlen_w(back);
+		while (len && strncmp_w((s + (len - back_len)), back, back_len) == 0) {
+			s[len - back_len] = 0;
+			len -= back_len;
+			ret = True;
+		}
+	}
+
+	return ret;
+}
+
+/*
+  The *_wa() functions take a combination of 7 bit ascii
+  and wide characters They are used so that you can use string
+  functions combining C string constants with ucs2 strings
+
+  The char* arguments must NOT be multibyte - to be completely sure
+  of this only pass string constants */
+
+int strcmp_wa(const smb_ucs2_t *a, const char *b)
+{
+	smb_ucs2_t cp = 0;
+
+	while (*b && *(COPY_UCS2_CHAR(&cp,a)) == UCS2_CHAR(*b)) {
+		a++;
+		b++;
+	}
+	return (*(COPY_UCS2_CHAR(&cp,a)) - UCS2_CHAR(*b));
+}
+
+int strncmp_wa(const smb_ucs2_t *a, const char *b, size_t len)
+{
+	smb_ucs2_t cp = 0;
+	size_t n = 0;
+
+	while ((n < len) && *b && *(COPY_UCS2_CHAR(&cp,a)) == UCS2_CHAR(*b)) {
+		a++;
+		b++;
+		n++;
+	}
+	return (len - n)?(*(COPY_UCS2_CHAR(&cp,a)) - UCS2_CHAR(*b)):0;
+}
+
+smb_ucs2_t *strpbrk_wa(const smb_ucs2_t *s, const char *p)
+{
+	smb_ucs2_t cp;
+
+	while (*(COPY_UCS2_CHAR(&cp,s))) {
+		int i;
+		for (i=0; p[i] && cp != UCS2_CHAR(p[i]); i++) 
+			;
+		if (p[i]) {
+			return (smb_ucs2_t *)s;
+		}
+		s++;
+	}
+	return NULL;
+}
+
+smb_ucs2_t *strstr_wa(const smb_ucs2_t *s, const char *ins)
+{
+	smb_ucs2_t *r;
+	size_t inslen;
+
+	if (!s || !ins) { 
+		return NULL;
+	}
+
+	inslen = strlen(ins);
+	r = (smb_ucs2_t *)s;
+
+	while ((r = strchr_w(r, UCS2_CHAR(*ins)))) {
+		if (strncmp_wa(r, ins, inslen) == 0) 
+			return r;
+		r++;
+	}
+
+	return NULL;
+}
+
+/*******************************************************************
+ Returns the length in number of wide characters.
+******************************************************************/
+
+int unistrlen(uint16 *s)
+{
+	int len;
+
+	if (!s) {
+		return -1;
+	}
+
+	for (len=0; SVAL(s,0); s++,len++) {
+		;
+	}
+
+	return len;
+}
+
+/*******************************************************************
+ Strcpy for unicode strings. Returns length (in num of wide chars).
+ Not odd align safe.
+********************************************************************/
+
+int unistrcpy(uint16 *dst, uint16 *src)
+{
+	int num_wchars = 0;
+
+	while (SVAL(src,0)) {
+		*dst++ = *src++;
+		num_wchars++;
+	}
+	*dst = 0;
+
+	return num_wchars;
+}
+
+/**
+ * Samba ucs2 type to UNISTR2 conversion
+ *
+ * @param ctx Talloc context to create the dst strcture (if null) and the 
+ *            contents of the unicode string.
+ * @param dst UNISTR2 destination. If equals null, then it's allocated.
+ * @param src smb_ucs2_t source.
+ * @param max_len maximum number of unicode characters to copy. If equals
+ *        null, then null-termination of src is taken
+ *
+ * @return copied UNISTR2 destination
+ **/
+
+UNISTR2* ucs2_to_unistr2(TALLOC_CTX *ctx, UNISTR2* dst, smb_ucs2_t* src)
+{
+	size_t len;
+
+	if (!src) {
+		return NULL;
+	}
+
+	len = strlen_w(src);
+	
+	/* allocate UNISTR2 destination if not given */
+	if (!dst) {
+		dst = TALLOC_P(ctx, UNISTR2);
+		if (!dst)
+			return NULL;
+	}
+	if (!dst->buffer) {
+		dst->buffer = TALLOC_ARRAY(ctx, uint16, len + 1);
+		if (!dst->buffer)
+			return NULL;
+	}
+	
+	/* set UNISTR2 parameters */
+	dst->uni_max_len = len + 1;
+	dst->offset = 0;
+	dst->uni_str_len = len;
+	
+	/* copy the actual unicode string */
+	strncpy_w(dst->buffer, src, dst->uni_max_len);
+	
+	return dst;
+}
+
+/*************************************************************
+ ascii only toupper - saves the need for smbd to be in C locale.
+*************************************************************/
+
+int toupper_ascii(int c)
+{
+	smb_ucs2_t uc = toupper_w(UCS2_CHAR(c));
+	return UCS2_TO_CHAR(uc);
+}
+
+/*************************************************************
+ ascii only tolower - saves the need for smbd to be in C locale.
+*************************************************************/
+
+int tolower_ascii(int c)
+{
+	smb_ucs2_t uc = tolower_w(UCS2_CHAR(c));
+	return UCS2_TO_CHAR(uc);
+}
+
+/*************************************************************
+ ascii only isupper - saves the need for smbd to be in C locale.
+*************************************************************/
+
+int isupper_ascii(int c)
+{
+	return isupper_w(UCS2_CHAR(c));
+}
+
+/*************************************************************
+ ascii only islower - saves the need for smbd to be in C locale.
+*************************************************************/
+
+int islower_ascii(int c)
+{
+	return islower_w(UCS2_CHAR(c));
+}
diff --git a/source3/lib/util_uuid.c b/source3/lib/util_uuid.c
new file mode 100644
index 0000000000..3a8f7b3f4f
--- /dev/null
+++ b/source3/lib/util_uuid.c
@@ -0,0 +1,131 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  UUID server routines
+ *  Copyright (C) Theodore Ts'o               1996, 1997,
+ *  Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002, 2003
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 3 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/*
+ * Offset between 15-Oct-1582 and 1-Jan-70
+ */
+#define TIME_OFFSET_HIGH 0x01B21DD2
+#define TIME_OFFSET_LOW  0x13814000
+
+void smb_uuid_pack(const struct GUID uu, UUID_FLAT *ptr)
+{
+	SIVAL(ptr->info, 0, uu.time_low);
+	SSVAL(ptr->info, 4, uu.time_mid);
+	SSVAL(ptr->info, 6, uu.time_hi_and_version);
+	memcpy(ptr->info+8, uu.clock_seq, 2);
+	memcpy(ptr->info+10, uu.node, 6);
+}
+
+void smb_uuid_unpack(const UUID_FLAT in, struct GUID *uu)
+{
+	uu->time_low = IVAL(in.info, 0);
+	uu->time_mid = SVAL(in.info, 4);
+	uu->time_hi_and_version = SVAL(in.info, 6);
+	memcpy(uu->clock_seq, in.info+8, 2);
+	memcpy(uu->node, in.info+10, 6);
+}
+
+void smb_uuid_generate_random(struct GUID *uu)
+{
+	UUID_FLAT tmp;
+
+	generate_random_buffer(tmp.info, sizeof(tmp.info));
+	smb_uuid_unpack(tmp, uu);
+
+	uu->clock_seq[0] = (uu->clock_seq[0] & 0x3F) | 0x80;
+	uu->time_hi_and_version = (uu->time_hi_and_version & 0x0FFF) | 0x4000;
+}
+
+const char *smb_uuid_string(TALLOC_CTX *mem_ctx, const struct GUID uu)
+{
+	char *result;
+
+	result = talloc_asprintf(
+		mem_ctx,
+		"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+		uu.time_low, uu.time_mid, uu.time_hi_and_version,
+		uu.clock_seq[0], uu.clock_seq[1],
+		uu.node[0], uu.node[1], uu.node[2], 
+		uu.node[3], uu.node[4], uu.node[5]);
+
+	SMB_ASSERT(result != NULL);
+	return result;
+}
+
+bool smb_string_to_uuid(const char *in, struct GUID* uu)
+{
+	bool ret = False;
+	const char *ptr = in;
+	char *end = (char *)in;
+	int i;
+	unsigned v1, v2;
+
+	if (!in || !uu) goto out;
+
+	uu->time_low = strtoul(ptr, &end, 16);
+	if ((end - ptr) != 8 || *end != '-') goto out;
+	ptr = (end + 1);
+
+	uu->time_mid = strtoul(ptr, &end, 16);
+	if ((end - ptr) != 4 || *end != '-') goto out;
+	ptr = (end + 1);
+
+	uu->time_hi_and_version = strtoul(ptr, &end, 16);
+	if ((end - ptr) != 4 || *end != '-') goto out;
+	ptr = (end + 1);
+
+	if (sscanf(ptr, "%02x%02x", &v1, &v2) != 2) {
+		goto out;
+	}
+	uu->clock_seq[0] = v1;
+	uu->clock_seq[1] = v2;
+	ptr += 4;
+
+	if (*ptr != '-') goto out;
+	ptr++;
+
+	for (i = 0; i < 6; i++) {
+		if (sscanf(ptr, "%02x", &v1) != 1) {
+			goto out;
+		}
+		uu->node[i] = v1;
+		ptr += 2;
+	}
+
+	ret = True;
+out:
+        return ret;
+}
+
+/*****************************************************************
+ Return the binary string representation of a GUID.
+ Caller must free.
+*****************************************************************/
+
+char *guid_binstring(const struct GUID *guid)
+{
+	UUID_FLAT guid_flat;
+
+	smb_uuid_pack(*guid, &guid_flat);
+
+	return binary_string_rfc2254((char *)guid_flat.info, UUID_FLAT_SIZE);
+}
diff --git a/source3/lib/version.c b/source3/lib/version.c
new file mode 100644
index 0000000000..55fb53c5db
--- /dev/null
+++ b/source3/lib/version.c
@@ -0,0 +1,27 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Samba Version functions
+   
+   Copyright (C) Stefan Metzmacher	2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include <assert.h>
+
+const char *samba_version_string(void)
+{
+	return SAMBA_VERSION_STRING;
+}
diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c
new file mode 100644
index 0000000000..14356b09cf
--- /dev/null
+++ b/source3/lib/winbind_util.c
@@ -0,0 +1,321 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Winbind Utility functions
+
+   Copyright (C) Gerald (Jerry) Carter   2007
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#if defined(WITH_WINBIND)
+
+#include "nsswitch/libwbclient/wbclient.h"
+
+/* Call winbindd to convert a name to a sid */
+
+bool winbind_lookup_name(const char *dom_name, const char *name, DOM_SID *sid, 
+                         enum lsa_SidType *name_type)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+	enum wbcSidType type;	
+
+	result = wbcLookupName(dom_name, name, &dom_sid, &type);
+	if (result != WBC_ERR_SUCCESS)
+		return false;
+
+	memcpy(sid, &dom_sid, sizeof(DOM_SID));	
+	*name_type = (enum lsa_SidType)type;	
+
+	return true;	
+}
+
+/* Call winbindd to convert sid to name */
+
+bool winbind_lookup_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid, 
+			const char **domain, const char **name,
+                        enum lsa_SidType *name_type)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+	enum wbcSidType type;
+	char *domain_name = NULL;
+	char *account_name = NULL;
+
+	memcpy(&dom_sid, sid, sizeof(dom_sid));	
+
+	result = wbcLookupSid(&dom_sid, &domain_name, &account_name, &type);
+	if (result != WBC_ERR_SUCCESS)
+		return false;
+
+	/* Copy out result */
+
+	if (domain) {		
+		*domain = talloc_strdup(mem_ctx, domain_name);
+	}
+	if (name) {
+		*name = talloc_strdup(mem_ctx, account_name);
+	}
+	*name_type = (enum lsa_SidType)type;
+
+	DEBUG(10, ("winbind_lookup_sid: SUCCESS: SID %s -> %s %s\n", 
+		   sid_string_dbg(sid), domain_name, account_name));
+
+	wbcFreeMemory(domain_name);
+	wbcFreeMemory(account_name);
+	
+	if ((domain && !*domain) || (name && !*name)) {		
+		DEBUG(0,("winbind_lookup_sid: talloc() failed!\n"));
+		return false;
+	}	
+
+
+	return true;
+}
+
+/* Ping winbindd to see it is alive */
+
+bool winbind_ping(void)
+{
+	wbcErr result = wbcPing();
+
+	return (result == WBC_ERR_SUCCESS);
+}
+
+/* Call winbindd to convert SID to uid */
+
+bool winbind_sid_to_uid(uid_t *puid, const DOM_SID *sid)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+
+	memcpy(&dom_sid, sid, sizeof(dom_sid));	
+
+	result = wbcSidToUid(&dom_sid, puid);	
+
+	return (result == WBC_ERR_SUCCESS);	
+}
+
+/* Call winbindd to convert uid to sid */
+
+bool winbind_uid_to_sid(DOM_SID *sid, uid_t uid)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+
+	result = wbcUidToSid(uid, &dom_sid);
+	if (result == WBC_ERR_SUCCESS) {
+		memcpy(sid, &dom_sid, sizeof(DOM_SID));
+	} else {
+		sid_copy(sid, &global_sid_NULL);
+	}
+
+	return (result == WBC_ERR_SUCCESS);
+}
+
+/* Call winbindd to convert SID to gid */
+
+bool winbind_sid_to_gid(gid_t *pgid, const DOM_SID *sid)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+
+	memcpy(&dom_sid, sid, sizeof(dom_sid));	
+
+	result = wbcSidToGid(&dom_sid, pgid);	
+
+	return (result == WBC_ERR_SUCCESS);	
+}
+
+/* Call winbindd to convert gid to sid */
+
+bool winbind_gid_to_sid(DOM_SID *sid, gid_t gid)
+{
+	struct wbcDomainSid dom_sid;
+	wbcErr result;
+
+	result = wbcGidToSid(gid, &dom_sid);
+	if (result == WBC_ERR_SUCCESS) {
+		memcpy(sid, &dom_sid, sizeof(DOM_SID));
+	} else {
+		sid_copy(sid, &global_sid_NULL);
+	}
+
+	return (result == WBC_ERR_SUCCESS);
+}
+
+/* Check for a trusted domain */
+
+wbcErr wb_is_trusted_domain(const char *domain)
+{
+	wbcErr result;
+	struct wbcDomainInfo *info = NULL;
+	
+	result = wbcDomainInfo(domain, &info);
+
+	if (WBC_ERROR_IS_OK(result)) {
+		wbcFreeMemory(info);
+	}
+
+	return result;	
+}
+
+/* Lookup a set of rids in a given domain */
+
+bool winbind_lookup_rids(TALLOC_CTX *mem_ctx,
+			 const DOM_SID *domain_sid,
+			 int num_rids, uint32 *rids,
+			 const char **domain_name,
+			 const char ***names, enum lsa_SidType **types)
+{
+	const char *dom_name = NULL;
+	const char **namelist = NULL;
+	enum wbcSidType *name_types = NULL;
+	struct wbcDomainSid dom_sid;
+	wbcErr ret;
+	int i;	
+	
+	memcpy(&dom_sid, domain_sid, sizeof(struct wbcDomainSid));
+	
+	ret = wbcLookupRids(&dom_sid, num_rids, rids,
+			    &dom_name, &namelist, &name_types);
+	if (ret != WBC_ERR_SUCCESS) {		
+		return false;
+	}	
+	
+	*domain_name = talloc_strdup(mem_ctx, dom_name);
+	*names       = TALLOC_ARRAY(mem_ctx, const char*, num_rids);
+	*types       = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
+
+	for(i=0; i<num_rids; i++) {
+		(*names)[i] = talloc_strdup(*names, namelist[i]);
+		(*types)[i] = (enum lsa_SidType)name_types[i];
+	}
+
+	wbcFreeMemory(CONST_DISCARD(char*, dom_name));
+	wbcFreeMemory(namelist);
+	wbcFreeMemory(name_types);
+	
+	return true;	
+}
+
+/* Ask Winbind to allocate a new uid for us */
+
+bool winbind_allocate_uid(uid_t *uid)
+{
+	wbcErr ret;
+	
+	ret = wbcAllocateUid(uid);
+	
+	return (ret == WBC_ERR_SUCCESS);
+}
+
+/* Ask Winbind to allocate a new gid for us */
+
+bool winbind_allocate_gid(gid_t *gid)
+{
+	wbcErr ret;
+	
+	ret = wbcAllocateGid(gid);
+	
+	return (ret == WBC_ERR_SUCCESS);
+}
+
+#else      /* WITH_WINBIND */
+
+bool winbind_lookup_name(const char *dom_name, const char *name, DOM_SID *sid, 
+                         enum lsa_SidType *name_type)
+{
+	return false;
+}
+
+/* Call winbindd to convert sid to name */
+
+bool winbind_lookup_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid, 
+			const char **domain, const char **name,
+                        enum lsa_SidType *name_type)
+{
+	return false;
+}
+
+/* Ping winbindd to see it is alive */
+
+bool winbind_ping(void)
+{
+	return false;
+}
+
+/* Call winbindd to convert SID to uid */
+
+bool winbind_sid_to_uid(uid_t *puid, const DOM_SID *sid)
+{
+	return false;
+}
+
+/* Call winbindd to convert uid to sid */
+
+bool winbind_uid_to_sid(DOM_SID *sid, uid_t uid)
+{
+	return false;
+}
+
+/* Call winbindd to convert SID to gid */
+
+bool winbind_sid_to_gid(gid_t *pgid, const DOM_SID *sid)
+{
+	return false;	
+}
+
+/* Call winbindd to convert gid to sid */
+
+bool winbind_gid_to_sid(DOM_SID *sid, gid_t gid)
+{
+	return false;
+}
+
+/* Check for a trusted domain */
+
+wbcErr wb_is_trusted_domain(const char *domain)
+{
+	return WBC_ERR_UNKNOWN_FAILURE;
+}
+
+/* Lookup a set of rids in a given domain */
+
+bool winbind_lookup_rids(TALLOC_CTX *mem_ctx,
+			 const DOM_SID *domain_sid,
+			 int num_rids, uint32 *rids,
+			 const char **domain_name,
+			 const char ***names, enum lsa_SidType **types)
+{
+	return false;
+}
+
+/* Ask Winbind to allocate a new uid for us */
+
+bool winbind_allocate_uid(uid_t *uid)
+{
+	return false;
+}
+
+/* Ask Winbind to allocate a new gid for us */
+
+bool winbind_allocate_gid(gid_t *gid)
+{
+	return false;
+}
+
+#endif     /* WITH_WINBIND */
diff --git a/source3/lib/wins_srv.c b/source3/lib/wins_srv.c
new file mode 100644
index 0000000000..0e184a6b7c
--- /dev/null
+++ b/source3/lib/wins_srv.c
@@ -0,0 +1,361 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba wins server helper functions
+   Copyright (C) Andrew Tridgell 1992-2002
+   Copyright (C) Christopher R. Hertel 2000
+   Copyright (C) Tim Potter 2003
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+/*
+  This is pretty much a complete rewrite of the earlier code. The main
+  aim of the rewrite is to add support for having multiple wins server
+  lists, so Samba can register with multiple groups of wins servers
+  and each group has a failover list of wins servers.
+
+  Central to the way it all works is the idea of a wins server
+  'tag'. A wins tag is a label for a group of wins servers. For
+  example if you use
+
+      wins server = fred:192.168.2.10 mary:192.168.3.199 fred:192.168.2.61
+
+  then you would have two groups of wins servers, one tagged with the
+  name 'fred' and the other with the name 'mary'. I would usually
+  recommend using interface names instead of 'fred' and 'mary' but
+  they can be any alpha string.
+
+  Now, how does it all work. Well, nmbd needs to register each of its
+  IPs with each of its names once with each group of wins servers. So
+  it tries registering with the first one mentioned in the list, then
+  if that fails it marks that WINS server dead and moves onto the next
+  one. 
+
+  In the client code things are a bit different. As each of the groups
+  of wins servers is a separate name space we need to try each of the
+  groups until we either succeed or we run out of wins servers to
+  try. If we get a negative response from a wins server then that
+  means the name doesn't exist in that group, so we give up on that
+  group and move to the next group. If we don't get a response at all
+  then maybe the wins server is down, in which case we need to
+  failover to the next one for that group.
+
+  confused yet? (tridge)
+*/
+
+/* how long a server is marked dead for */
+#define DEATH_TIME 600
+
+/* The list of dead wins servers is stored in gencache.tdb.  Each server is
+   marked dead from the point of view of a given source address. We keep a 
+   separate dead list for each src address to cope with multiple interfaces 
+   that are not routable to each other.
+  */
+
+#define WINS_SRV_FMT "WINS_SRV_DEAD/%s,%s" /* wins_ip,src_ip */
+
+static char *wins_srv_keystr(struct in_addr wins_ip, struct in_addr src_ip)
+{
+	char *keystr = NULL, *wins_ip_addr = NULL, *src_ip_addr = NULL;
+
+	wins_ip_addr = SMB_STRDUP(inet_ntoa(wins_ip));
+	src_ip_addr = SMB_STRDUP(inet_ntoa(src_ip));
+
+	if ( !wins_ip_addr || !src_ip_addr ) {
+		DEBUG(0,("wins_srv_keystr: malloc error\n"));
+		goto done;
+	}
+
+	if (asprintf(&keystr, WINS_SRV_FMT, wins_ip_addr, src_ip_addr) == -1) {
+		DEBUG(0, (": ns_srv_keystr: malloc error for key string\n"));
+	}
+
+done:
+	SAFE_FREE(wins_ip_addr);
+	SAFE_FREE(src_ip_addr);
+
+	return keystr;
+}
+
+/*
+  see if an ip is on the dead list
+*/
+
+bool wins_srv_is_dead(struct in_addr wins_ip, struct in_addr src_ip)
+{
+	char *keystr = wins_srv_keystr(wins_ip, src_ip);
+	bool result;
+
+	/* If the key exists then the WINS server has been marked as dead */
+
+	result = gencache_get(keystr, NULL, NULL);
+	SAFE_FREE(keystr);
+
+	DEBUG(4, ("wins_srv_is_dead: %s is %s\n", inet_ntoa(wins_ip),
+		  result ? "dead" : "alive"));
+
+	return result;
+}
+
+
+/*
+  mark a wins server as being alive (for the moment)
+*/
+void wins_srv_alive(struct in_addr wins_ip, struct in_addr src_ip)
+{
+	char *keystr = wins_srv_keystr(wins_ip, src_ip);
+
+	gencache_del(keystr);
+	SAFE_FREE(keystr);
+
+	DEBUG(4, ("wins_srv_alive: marking wins server %s alive\n", 
+		  inet_ntoa(wins_ip)));
+}
+
+/*
+  mark a wins server as temporarily dead
+*/
+void wins_srv_died(struct in_addr wins_ip, struct in_addr src_ip)
+{
+	char *keystr;
+
+	if (is_zero_ip_v4(wins_ip) || wins_srv_is_dead(wins_ip, src_ip))
+		return;
+
+	keystr = wins_srv_keystr(wins_ip, src_ip);
+
+	gencache_set(keystr, "DOWN", time(NULL) + DEATH_TIME);
+
+	SAFE_FREE(keystr);
+
+	DEBUG(4,("Marking wins server %s dead for %u seconds from source %s\n",
+		 inet_ntoa(wins_ip), DEATH_TIME, inet_ntoa(src_ip)));
+}
+
+/*
+  return the total number of wins servers, dead or not
+*/
+unsigned wins_srv_count(void)
+{
+	const char **list;
+	int count = 0;
+
+	if (lp_wins_support()) {
+		/* simple - just talk to ourselves */
+		return 1;
+	}
+
+	list = lp_wins_server_list();
+	for (count=0; list && list[count]; count++)
+		/* nop */ ;
+
+	return count;
+}
+
+/* an internal convenience structure for an IP with a short string tag
+   attached */
+struct tagged_ip {
+	fstring tag;
+	struct in_addr ip;
+};
+
+/*
+  parse an IP string that might be in tagged format
+  the result is a tagged_ip structure containing the tag
+  and the ip in in_addr format. If there is no tag then
+  use the tag '*'
+*/
+static void parse_ip(struct tagged_ip *ip, const char *str)
+{
+	char *s = strchr(str, ':');
+	if (!s) {
+		fstrcpy(ip->tag, "*");
+		(void)interpret_addr2(&ip->ip,str);
+		return;
+	} 
+
+	(void)interpret_addr2(&ip->ip,s+1);
+	fstrcpy(ip->tag, str);
+	s = strchr(ip->tag, ':');
+	if (s) {
+		*s = 0;
+	}
+}
+
+
+
+/*
+  return the list of wins server tags. A 'tag' is used to distinguish
+  wins server as either belonging to the same name space or a separate
+  name space. Usually you would setup your 'wins server' option to
+  list one or more wins server per interface and use the interface
+  name as your tag, but you are free to use any tag you like.
+*/
+char **wins_srv_tags(void)
+{
+	char **ret = NULL;
+	int count=0, i, j;
+	const char **list;
+
+	if (lp_wins_support()) {
+		/* give the caller something to chew on. This makes
+		   the rest of the logic simpler (ie. less special cases) */
+		ret = SMB_MALLOC_ARRAY(char *, 2);
+		if (!ret) return NULL;
+		ret[0] = SMB_STRDUP("*");
+		ret[1] = NULL;
+		return ret;
+	}
+
+	list = lp_wins_server_list();
+	if (!list)
+		return NULL;
+
+	/* yes, this is O(n^2) but n is very small */
+	for (i=0;list[i];i++) {
+		struct tagged_ip t_ip;
+		
+		parse_ip(&t_ip, list[i]);
+
+		/* see if we already have it */
+		for (j=0;j<count;j++) {
+			if (strcmp(ret[j], t_ip.tag) == 0) {
+				break;
+			}
+		}
+
+		if (j != count) {
+			/* we already have it. Move along */
+			continue;
+		}
+
+		/* add it to the list */
+		ret = SMB_REALLOC_ARRAY(ret, char *, count+2);
+		if (!ret) {
+			return NULL;
+		}
+		ret[count] = SMB_STRDUP(t_ip.tag);
+		if (!ret[count]) break;
+		count++;
+	}
+
+	if (count) {
+		/* make sure we null terminate */
+		ret[count] = NULL;
+	}
+
+	return ret;
+}
+
+/* free a list of wins server tags given by wins_srv_tags */
+void wins_srv_tags_free(char **list)
+{
+	int i;
+	if (!list) return;
+	for (i=0; list[i]; i++) {
+		free(list[i]);
+	}
+	free(list);
+}
+
+
+/*
+  return the IP of the currently active wins server for the given tag,
+  or the zero IP otherwise
+*/
+struct in_addr wins_srv_ip_tag(const char *tag, struct in_addr src_ip)
+{
+	const char **list;
+	int i;
+	struct tagged_ip t_ip;
+
+	/* if we are a wins server then we always just talk to ourselves */
+	if (lp_wins_support()) {
+		struct in_addr loopback_ip;
+		loopback_ip.s_addr = htonl(INADDR_LOOPBACK);
+		return loopback_ip;
+	}
+
+	list = lp_wins_server_list();
+	if (!list || !list[0]) {
+		struct in_addr ip;
+		zero_ip_v4(&ip);
+		return ip;
+	}
+
+	/* find the first live one for this tag */
+	for (i=0; list[i]; i++) {
+		parse_ip(&t_ip, list[i]);
+		if (strcmp(tag, t_ip.tag) != 0) {
+			/* not for the right tag. Move along */
+			continue;
+		}
+		if (!wins_srv_is_dead(t_ip.ip, src_ip)) {
+			fstring src_name;
+			fstrcpy(src_name, inet_ntoa(src_ip));
+			DEBUG(6,("Current wins server for tag '%s' with source %s is %s\n", 
+				 tag, 
+				 src_name,
+				 inet_ntoa(t_ip.ip)));
+			return t_ip.ip;
+		}
+	}
+	
+	/* they're all dead - try the first one until they revive */
+	for (i=0; list[i]; i++) {
+		parse_ip(&t_ip, list[i]);
+		if (strcmp(tag, t_ip.tag) != 0) {
+			continue;
+		}
+		return t_ip.ip;
+	}
+
+	/* this can't happen?? */
+	zero_ip_v4(&t_ip.ip);
+	return t_ip.ip;
+}
+
+
+/*
+  return a count of the number of IPs for a particular tag, including
+  dead ones
+*/
+unsigned wins_srv_count_tag(const char *tag)
+{
+	const char **list;
+	int i, count=0;
+
+	/* if we are a wins server then we always just talk to ourselves */
+	if (lp_wins_support()) {
+		return 1;
+	}
+
+	list = lp_wins_server_list();
+	if (!list || !list[0]) {
+		return 0;
+	}
+
+	/* find the first live one for this tag */
+	for (i=0; list[i]; i++) {
+		struct tagged_ip t_ip;
+		parse_ip(&t_ip, list[i]);
+		if (strcmp(tag, t_ip.tag) == 0) {
+			count++;
+		}
+	}
+
+	return count;
+}
diff --git a/source3/lib/xfile.c b/source3/lib/xfile.c
new file mode 100644
index 0000000000..e44a92d34d
--- /dev/null
+++ b/source3/lib/xfile.c
@@ -0,0 +1,417 @@
+/* 
+   Unix SMB/CIFS implementation.
+   stdio replacement
+   Copyright (C) Andrew Tridgell 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/*
+  stdio is very convenient, but on some systems the file descriptor
+  in FILE* is 8 bits, so it fails when more than 255 files are open. 
+
+  XFILE replaces stdio. It is less efficient, but at least it works
+  when you have lots of files open
+
+  The main restriction on XFILE is that it doesn't support seeking,
+  and doesn't support O_RDWR. That keeps the code simple.
+*/
+
+#include "includes.h"
+
+#define XBUFSIZE BUFSIZ
+
+static XFILE _x_stdin =  { 0, NULL, NULL, XBUFSIZE, 0, O_RDONLY, X_IOFBF, 0 };
+static XFILE _x_stdout = { 1, NULL, NULL, XBUFSIZE, 0, O_WRONLY, X_IOLBF, 0 };
+static XFILE _x_stderr = { 2, NULL, NULL, 0, 0, O_WRONLY, X_IONBF, 0 };
+
+XFILE *x_stdin = &_x_stdin;
+XFILE *x_stdout = &_x_stdout;
+XFILE *x_stderr = &_x_stderr;
+
+#define X_FLAG_EOF 1
+#define X_FLAG_ERROR 2
+#define X_FLAG_EINVAL 3
+
+/* simulate setvbuf() */
+int x_setvbuf(XFILE *f, char *buf, int mode, size_t size)
+{
+	if (x_fflush(f) != 0) return -1;
+	if (f->bufused) return -1;
+
+	/* on files being read full buffering is the only option */
+	if ((f->open_flags & O_ACCMODE) == O_RDONLY) {
+		mode = X_IOFBF;
+	}
+
+	/* destroy any earlier buffer */
+	SAFE_FREE(f->buf);
+	f->buf = 0;
+	f->bufsize = 0;
+	f->next = NULL;
+	f->bufused = 0;
+	f->buftype = mode;
+
+	if (f->buftype == X_IONBF) return 0;
+
+	/* if buffering then we need some size */
+	if (size == 0) size = XBUFSIZE;
+
+	f->bufsize = size;
+	f->bufused = 0;
+
+	return 0;
+}
+
+/* allocate the buffer */
+static int x_allocate_buffer(XFILE *f)
+{
+	if (f->buf) return 1;
+	if (f->bufsize == 0) return 0;
+	f->buf = (char *)SMB_MALLOC(f->bufsize);
+	if (!f->buf) return 0;
+	f->next = f->buf;
+	return 1;
+}
+
+
+/* this looks more like open() than fopen(), but that is quite deliberate.
+   I want programmers to *think* about O_EXCL, O_CREAT etc not just
+   get them magically added 
+*/
+XFILE *x_fopen(const char *fname, int flags, mode_t mode)
+{
+	XFILE *ret;
+
+	ret = SMB_MALLOC_P(XFILE);
+	if (!ret) {
+		return NULL;
+	}
+
+	memset(ret, 0, sizeof(XFILE));
+
+	if ((flags & O_ACCMODE) == O_RDWR) {
+		/* we don't support RDWR in XFILE - use file 
+		   descriptors instead */
+		SAFE_FREE(ret);
+		errno = EINVAL;
+		return NULL;
+	}
+
+	ret->open_flags = flags;
+
+	ret->fd = sys_open(fname, flags, mode);
+	if (ret->fd == -1) {
+		SAFE_FREE(ret);
+		return NULL;
+	}
+
+	x_setvbuf(ret, NULL, X_IOFBF, XBUFSIZE);
+	
+	return ret;
+}
+
+XFILE *x_fdup(const XFILE *f)
+{
+	XFILE *ret;
+	int fd;
+
+	fd = dup(x_fileno(f));
+	if (fd < 0) {
+		return NULL;
+	}
+
+	ret = SMB_CALLOC_ARRAY(XFILE, 1);
+	if (!ret) {
+		close(fd);
+		return NULL;
+	}
+
+	ret->fd = fd;
+	ret->open_flags = f->open_flags;
+	x_setvbuf(ret, NULL, X_IOFBF, XBUFSIZE);
+	return ret;
+}
+
+/* simulate fclose() */
+int x_fclose(XFILE *f)
+{
+	int ret;
+
+	/* make sure we flush any buffered data */
+	(void)x_fflush(f);
+
+	ret = close(f->fd);
+	f->fd = -1;
+	if (f->buf) {
+		/* make sure data can't leak into a later malloc */
+		memset(f->buf, 0, f->bufsize);
+		SAFE_FREE(f->buf);
+	}
+	/* check the file descriptor given to the function is NOT one of the static
+	 * descriptor of this libreary or we will free unallocated memory
+	 * --sss */
+	if (f != x_stdin && f != x_stdout && f != x_stderr) {
+		SAFE_FREE(f);
+	}
+	return ret;
+}
+
+/* simulate fwrite() */
+size_t x_fwrite(const void *p, size_t size, size_t nmemb, XFILE *f)
+{
+	ssize_t ret;
+	size_t total=0;
+
+	/* we might be writing unbuffered */
+	if (f->buftype == X_IONBF || 
+	    (!f->buf && !x_allocate_buffer(f))) {
+		ret = write(f->fd, p, size*nmemb);
+		if (ret == -1) return -1;
+		return ret/size;
+	} 
+
+
+	while (total < size*nmemb) {
+		size_t n = f->bufsize - f->bufused;
+		n = MIN(n, (size*nmemb)-total);
+
+		if (n == 0) {
+			/* it's full, flush it */
+			if (x_fflush(f) != 0) {
+				return -1;
+			}
+			continue;
+		}
+
+		memcpy(f->buf + f->bufused, total+(const char *)p, n);
+		f->bufused += n;
+		total += n;
+	}
+
+	/* when line buffered we need to flush at the last linefeed. This can
+	   flush a bit more than necessary, but that is harmless */
+	if (f->buftype == X_IOLBF && f->bufused) {
+		int i;
+		for (i=(size*nmemb)-1; i>=0; i--) {
+			if (*(i+(const char *)p) == '\n') {
+				if (x_fflush(f) != 0) {
+					return -1;
+				}
+				break;
+			}
+		}
+	}
+
+	return total/size;
+}
+
+/* thank goodness for asprintf() */
+ int x_vfprintf(XFILE *f, const char *format, va_list ap)
+{
+	char *p;
+	int len, ret;
+	va_list ap2;
+
+	VA_COPY(ap2, ap);
+
+	len = vasprintf(&p, format, ap2);
+	if (len <= 0) {
+		va_end(ap2);
+		return len;
+	}
+	ret = x_fwrite(p, 1, len, f);
+	SAFE_FREE(p);
+
+	va_end(ap2);
+
+	return ret;
+}
+
+ int x_fprintf(XFILE *f, const char *format, ...)
+{
+	va_list ap;
+	int ret;
+
+	va_start(ap, format);
+	ret = x_vfprintf(f, format, ap);
+	va_end(ap);
+	return ret;
+}
+
+/* at least fileno() is simple! */
+int x_fileno(const XFILE *f)
+{
+	return f->fd;
+}
+
+/* simulate fflush() */
+int x_fflush(XFILE *f)
+{
+	int ret;
+
+	if (f->flags & X_FLAG_ERROR) return -1;
+
+	if (f->bufused == 0 || !f->buf) return 0;
+
+	if ((f->open_flags & O_ACCMODE) != O_WRONLY) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	ret = write(f->fd, f->buf, f->bufused);
+	if (ret == -1) return -1;
+	
+	f->bufused -= ret;
+	if (f->bufused > 0) {
+		f->flags |= X_FLAG_ERROR;
+		memmove(f->buf, ret + (char *)f->buf, f->bufused);
+		return -1;
+	}
+
+	return 0;
+}
+
+/* simulate setbuffer() */
+void x_setbuffer(XFILE *f, char *buf, size_t size)
+{
+	x_setvbuf(f, buf, buf?X_IOFBF:X_IONBF, size);
+}
+
+/* simulate setbuf() */
+void x_setbuf(XFILE *f, char *buf)
+{
+	x_setvbuf(f, buf, buf?X_IOFBF:X_IONBF, XBUFSIZE);
+}
+
+/* simulate setlinebuf() */
+void x_setlinebuf(XFILE *f)
+{
+	x_setvbuf(f, NULL, X_IOLBF, 0);
+}
+
+
+/* simulate feof() */
+int x_feof(XFILE *f)
+{
+	if (f->flags & X_FLAG_EOF) return 1;
+	return 0;
+}
+
+/* simulate ferror() */
+int x_ferror(XFILE *f)
+{
+	if (f->flags & X_FLAG_ERROR) return 1;
+	return 0;
+}
+
+/* fill the read buffer */
+static void x_fillbuf(XFILE *f)
+{
+	int n;
+
+	if (f->bufused) return;
+
+	if (!f->buf && !x_allocate_buffer(f)) return;
+
+	n = read(f->fd, f->buf, f->bufsize);
+	if (n <= 0) return;
+	f->bufused = n;
+	f->next = f->buf;
+}
+
+/* simulate fgetc() */
+int x_fgetc(XFILE *f)
+{
+	int ret;
+
+	if (f->flags & (X_FLAG_EOF | X_FLAG_ERROR)) return EOF;
+	
+	if (f->bufused == 0) x_fillbuf(f);
+
+	if (f->bufused == 0) {
+		f->flags |= X_FLAG_EOF;
+		return EOF;
+	}
+
+	ret = *(unsigned char *)(f->next);
+	f->next++;
+	f->bufused--;
+	return ret;
+}
+
+/* simulate fread */
+size_t x_fread(void *p, size_t size, size_t nmemb, XFILE *f)
+{
+	size_t total = 0;
+	while (total < size*nmemb) {
+		int c = x_fgetc(f);
+		if (c == EOF) break;
+		(total+(char *)p)[0] = (char)c;
+		total++;
+	}
+	return total/size;
+}
+
+/* simulate fgets() */
+char *x_fgets(char *s, int size, XFILE *stream) 
+{
+	char *s0 = s;
+	int l = size;
+	while (l>1) {
+		int c = x_fgetc(stream);
+		if (c == EOF) break;
+		*s++ = (char)c;
+		l--;
+		if (c == '\n') break;
+	}
+	if (l==size || x_ferror(stream)) {
+		return 0;
+	}
+	*s = 0;
+	return s0;
+}
+
+/* trivial seek, works only for SEEK_SET and SEEK_END if SEEK_CUR is
+ * set then an error is returned */
+off_t x_tseek(XFILE *f, off_t offset, int whence)
+{
+	if (f->flags & X_FLAG_ERROR)
+		return -1;
+
+	/* only SEEK_SET and SEEK_END are supported */
+	/* SEEK_CUR needs internal offset counter */
+	if (whence != SEEK_SET && whence != SEEK_END) {
+		f->flags |= X_FLAG_EINVAL;
+		errno = EINVAL;
+		return -1;
+	}
+
+	/* empty the buffer */
+	switch (f->open_flags & O_ACCMODE) {
+	case O_RDONLY:
+		f->bufused = 0;
+		break;
+	case O_WRONLY:
+		if (x_fflush(f) != 0)
+			return -1;
+		break;
+	default:
+		errno = EINVAL;
+		return -1;
+	}
+
+	f->flags &= ~X_FLAG_EOF;
+	return (off_t)sys_lseek(f->fd, offset, whence);
+}