9 files changed, 671 insertions, 383 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index b5f7b97ae8..a920a1b7ff 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -241,9 +241,16 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user,
 	return True;
 }
 
-static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) 
+/**
+ * Set the user session key for a connection
+ * @param cli The cli structure to add it too
+ * @param session_key The session key used.  (A copy of this is taken for the cli struct)
+ *
+ */
+
+static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) 
 {
-	memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
+	cli->user_session_key = data_blob(session_key.data, session_key.length);
 }
 
 /****************************************************************************
@@ -311,7 +318,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 			session_key = data_blob(NULL, 16);
 			SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 		}
-		cli_simple_set_signing(cli, session_key.data, nt_response); 
+		cli_simple_set_signing(cli, session_key, nt_response); 
 	} else {
 		/* pre-encrypted password supplied.  Only used for 
 		   security=server, can't do
@@ -373,14 +380,16 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 
 	if (session_key.data) {
 		/* Have plaintext orginal */
-		set_cli_session_key(cli, session_key);
+		cli_set_session_key(cli, session_key);
 	}
 
 	ret = True;
 end:	
 	data_blob_free(&lm_response);
 	data_blob_free(&nt_response);
-	data_blob_free(&session_key);
+
+	if (!ret)
+		data_blob_free(&session_key);
 	return ret;
 }
 
@@ -484,19 +493,19 @@ static void use_in_memory_ccache(void) {
  Do a spnego/kerberos encrypted session setup.
 ****************************************************************************/
 
-static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
+static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
 {
 	DATA_BLOB blob2, negTokenTarg;
-	unsigned char session_key_krb5[16];
+	DATA_BLOB session_key_krb5;
 	DATA_BLOB null_blob = data_blob(NULL, 0);
 	
 	DEBUG(2,("Doing kerberos session setup\n"));
 
 	/* generate the encapsulated kerberos5 ticket */
-	negTokenTarg = spnego_gen_negTokenTarg(principal, 0, session_key_krb5);
+	negTokenTarg = spnego_gen_negTokenTarg(principal, 0, &session_key_krb5);
 
 	if (!negTokenTarg.data)
-		return False;
+		return NT_STATUS_UNSUCCESSFUL;
 
 #if 0
 	file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
@@ -509,9 +518,16 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi
 	/* we don't need this blob for kerberos */
 	data_blob_free(&blob2);
 
+	cli_set_session_key(cli, session_key_krb5);
+
 	data_blob_free(&negTokenTarg);
 
-	return !cli_is_error(cli);
+	if (cli_is_error(cli)) {
+		if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	} 
+	return NT_STATUS_OK;
 }
 #endif	/* HAVE_KRB5 */
 
@@ -520,10 +536,10 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi
  Do a spnego/NTLMSSP encrypted session setup.
 ****************************************************************************/
 
-static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, 
+static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, 
 				      const char *pass, const char *workgroup)
 {
-	struct ntlmssp_client_state *ntlmssp_state;
+	struct ntlmssp_state *ntlmssp_state;
 	NTSTATUS nt_status;
 	int turn = 1;
 	DATA_BLOB msg1;
@@ -534,21 +550,21 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 	cli_temp_set_signing(cli);
 
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
-		return False;
+		return nt_status;
 	}
 
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
-		return False;
+		return nt_status;
 	}
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) {
-		return False;
+		return nt_status;
 	}
 	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) {
-		return False;
+		return nt_status;
 	}
 
 	do {
-		nt_status = ntlmssp_client_update(ntlmssp_state, 
+		nt_status = ntlmssp_update(ntlmssp_state, 
 						  blob_in, &blob_out);
 		data_blob_free(&blob_in);
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -562,18 +578,27 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 			}
 		
 			cli_simple_set_signing(cli, 
-					       ntlmssp_state->session_key.data, 
+					       data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length), 
 					       null_blob); 
 			
 			/* now send that blob on its way */
 			if (!cli_session_setup_blob_send(cli, msg1)) {
-				return False;
+				DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n"));
+				nt_status = NT_STATUS_UNSUCCESSFUL;
+			} else {
+				data_blob_free(&msg1);
+				
+				blob = cli_session_setup_blob_receive(cli);
+				
+				nt_status = cli_nt_error(cli);
+				if (cli_is_error(cli) && NT_STATUS_IS_OK(nt_status)) {
+					if (cli->smb_rw_error == READ_BAD_SIG) {
+						nt_status = NT_STATUS_ACCESS_DENIED;
+					} else {
+						nt_status = NT_STATUS_UNSUCCESSFUL;
+					}
+				}
 			}
-			data_blob_free(&msg1);
-			
-			blob = cli_session_setup_blob_receive(cli);
-
-			nt_status = cli_nt_error(cli);
 		}
 		
 		if (!blob.length) {
@@ -606,24 +631,22 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		fstrcpy(cli->server_domain, ntlmssp_state->server_domain);
-		set_cli_session_key(cli, ntlmssp_state->session_key);
+		cli_set_session_key(cli, ntlmssp_state->session_key);
 	}
 
 	/* we have a reference conter on ntlmssp_state, if we are signing
 	   then the state will be kept by the signing engine */
 
-	if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
-		return False;
-	}
-	
-	return (NT_STATUS_IS_OK(nt_status));
+	ntlmssp_end(&ntlmssp_state);
+
+	return nt_status;
 }
 
 /****************************************************************************
  Do a spnego encrypted session setup.
 ****************************************************************************/
 
-BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, 
+NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, 
 			      const char *pass, const char *workgroup)
 {
 	char *principal;
@@ -651,7 +674,7 @@ BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user,
 	   reply */
 	if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
 		data_blob_free(&blob);
-		return False;
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 	data_blob_free(&blob);
 
@@ -681,7 +704,7 @@ BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			
 			if (ret){
 				DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
-				return False;
+				return NT_STATUS_LOGON_FAILURE;
 			}
 		}
 		
@@ -773,8 +796,14 @@ BOOL cli_session_setup(struct cli_state *cli,
 
 	/* if the server supports extended security then use SPNEGO */
 
-	if (cli->capabilities & CAP_EXTENDED_SECURITY)
-		return cli_session_setup_spnego(cli, user, pass, workgroup);
+	if (cli->capabilities & CAP_EXTENDED_SECURITY) {
+		NTSTATUS nt_status;
+		if (!NT_STATUS_IS_OK(nt_status = cli_session_setup_spnego(cli, user, pass, workgroup))) {
+			DEBUG(3, ("SPENGO login failed: %s\n", get_friendly_nt_error_msg(nt_status)));
+			return False;
+		}
+		return True;
+	}
 
 	/* otherwise do a NT1 style session setup */
 
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 9b54acf775..0873700fc0 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -339,7 +339,7 @@ close the session
 void cli_nt_session_close(struct cli_state *cli)
 {
 	if (cli->ntlmssp_pipe_state) {
-		ntlmssp_client_end(&cli->ntlmssp_pipe_state);
+		ntlmssp_end(&cli->ntlmssp_pipe_state);
 	}
 
 	if (cli->nt_pipe_fnum != 0)
@@ -375,9 +375,10 @@ void cli_close_connection(struct cli_state *cli)
 
 	cli_free_signing_context(cli);
 	data_blob_free(&cli->secblob);
+	data_blob_free(&cli->user_session_key);
 
 	if (cli->ntlmssp_pipe_state) 
-		ntlmssp_client_end(&cli->ntlmssp_pipe_state);
+		ntlmssp_end(&cli->ntlmssp_pipe_state);
 
 	if (cli->mem_ctx) {
 		talloc_destroy(cli->mem_ctx);
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 1fccc04a01..5568b5e033 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -307,7 +307,7 @@ cleanup_princ:
 /*
   get a kerberos5 ticket for the given service 
 */
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16])
+DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
 {
 	krb5_error_code retval;
 	krb5_data packet;
@@ -369,7 +369,7 @@ failed:
 	return data_blob(NULL, 0);
 }
 
- BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote)
+ BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
  {
 	krb5_keyblock *skey;
 	krb5_error_code err;
@@ -383,11 +383,11 @@ failed:
 		err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 	if (err == 0 && skey != NULL) {
 		DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
-		if (KRB5_KEY_LENGTH(skey) == 16) {
-			memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
-			dump_data_pw("KRB5 Session Key:\n", session_key, 16);
-			ret = True;
-		}
+		*session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+		dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
+
+		ret = True;
+
 		krb5_free_keyblock(context, skey);
 	} else {
 		DEBUG(10, ("KRB5 error getting session key %d\n", err));
@@ -410,7 +410,7 @@ failed:
 
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
-DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, unsigned char session_key_krb5[16])
+DATA_BLOB cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *session_key_krb5)
  {
 	 DEBUG(0,("NO KERBEROS SUPPORT\n"));
 	 return data_blob(NULL, 0);
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 63076a1a1c..92543736ff 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -323,7 +323,7 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2])
    generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
    kerberos session setup 
 */
-DATA_BLOB spnego_gen_negTokenTarg(const char *principal, int time_offset, unsigned char session_key_krb5[16])
+DATA_BLOB spnego_gen_negTokenTarg(const char *principal, int time_offset, DATA_BLOB *session_key_krb5)
 {
 	DATA_BLOB tkt, tkt_wrapped, targ;
 	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index c51b599b04..a0da1efcc1 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -23,6 +23,35 @@
 
 #include "includes.h"
 
+static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, 
+				       DATA_BLOB reply, DATA_BLOB *next_request);
+static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
+					 const DATA_BLOB in, DATA_BLOB *out);
+static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, 
+					 const DATA_BLOB reply, DATA_BLOB *next_request);
+static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
+				    const DATA_BLOB request, DATA_BLOB *reply);
+
+/**
+ * Callbacks for NTLMSSP - for both client and server operating modes
+ * 
+ */
+
+static const struct ntlmssp_callbacks {
+	enum NTLMSSP_ROLE role;
+	enum NTLM_MESSAGE_TYPE ntlmssp_command;
+	NTSTATUS (*fn)(struct ntlmssp_state *ntlmssp_state, 
+		       DATA_BLOB in, DATA_BLOB *out);
+} ntlmssp_callbacks[] = {
+	{NTLMSSP_CLIENT, NTLMSSP_INITIAL, ntlmssp_client_initial},
+	{NTLMSSP_SERVER, NTLMSSP_NEGOTIATE, ntlmssp_server_negotiate},
+	{NTLMSSP_CLIENT, NTLMSSP_CHALLENGE, ntlmssp_client_challenge},
+	{NTLMSSP_SERVER, NTLMSSP_AUTH, ntlmssp_server_auth},
+	{NTLMSSP_CLIENT, NTLMSSP_UNKNOWN, NULL},
+	{NTLMSSP_SERVER, NTLMSSP_UNKNOWN, NULL}
+};
+
+
 /**
  * Print out the NTLMSSP flags for debugging 
  * @param neg_flags The flags from the packet
@@ -71,7 +100,7 @@ void debug_ntlmssp_flags(uint32 neg_flags)
  *
  */
    
-static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
+static const uint8 *get_challenge(const struct ntlmssp_state *ntlmssp_state)
 {
 	static uchar chal[8];
 	generate_random_buffer(chal, sizeof(chal), False);
@@ -80,6 +109,188 @@ static const uint8 *get_challenge(struct ntlmssp_state *ntlmssp_state)
 }
 
 /**
+ * Default 'we can set the challenge to anything we like' implementation
+ *
+ */
+   
+static BOOL may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
+{
+	return True;
+}
+
+/**
+ * Default 'we can set the challenge to anything we like' implementation
+ *
+ * Does not actually do anything, as the value is always in the structure anyway.
+ *
+ */
+   
+static NTSTATUS set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
+{
+	SMB_ASSERT(challenge->length == 8);
+	return NT_STATUS_OK;
+}
+
+/** 
+ * Set a username on an NTLMSSP context - ensures it is talloc()ed 
+ *
+ */
+
+NTSTATUS ntlmssp_set_username(NTLMSSP_STATE *ntlmssp_state, const char *user) 
+{
+	ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user);
+	if (!ntlmssp_state->user) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
+/** 
+ * Set a password on an NTLMSSP context - ensures it is talloc()ed 
+ *
+ */
+NTSTATUS ntlmssp_set_password(NTLMSSP_STATE *ntlmssp_state, const char *password) 
+{
+	if (!password) {
+		ntlmssp_state->password = NULL;
+	} else {
+		ntlmssp_state->password = talloc_strdup(ntlmssp_state->mem_ctx, password);
+		if (!ntlmssp_state->password) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+	return NT_STATUS_OK;
+}
+
+/** 
+ * Set a domain on an NTLMSSP context - ensures it is talloc()ed 
+ *
+ */
+NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE *ntlmssp_state, const char *domain) 
+{
+	ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain);
+	if (!ntlmssp_state->domain) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
+/** 
+ * Set a workstation on an NTLMSSP context - ensures it is talloc()ed 
+ *
+ */
+NTSTATUS ntlmssp_set_workstation(NTLMSSP_STATE *ntlmssp_state, const char *workstation) 
+{
+	ntlmssp_state->workstation = talloc_strdup(ntlmssp_state->mem_ctx, workstation);
+	if (!ntlmssp_state->domain) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	return NT_STATUS_OK;
+}
+
+/**
+ *  Store a DATA_BLOB containing an NTLMSSP response, for use later.
+ *  This copies the data blob
+ */
+
+NTSTATUS ntlmssp_store_response(NTLMSSP_STATE *ntlmssp_state,
+				DATA_BLOB response) 
+{
+	ntlmssp_state->stored_response = data_blob_talloc(ntlmssp_state->mem_ctx, 
+							  response.data, response.length);
+	return NT_STATUS_OK;
+}
+
+/**
+ * Next state function for the NTLMSSP state machine
+ * 
+ * @param ntlmssp_state NTLMSSP State
+ * @param in The packet in from the NTLMSSP partner, as a DATA_BLOB
+ * @param out The reply, as an allocated DATA_BLOB, caller to free.
+ * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK. 
+ */
+
+NTSTATUS ntlmssp_update(NTLMSSP_STATE *ntlmssp_state, 
+			const DATA_BLOB in, DATA_BLOB *out) 
+{
+	DATA_BLOB input;
+	uint32 ntlmssp_command;
+	int i;
+
+	*out = data_blob(NULL, 0);
+
+	if (!in.length && ntlmssp_state->stored_response.length) {
+		input = ntlmssp_state->stored_response;
+		
+		/* we only want to read the stored response once - overwrite it */
+		ntlmssp_state->stored_response = data_blob(NULL, 0);
+	} else {
+		input = in;
+	}
+
+	if (!input.length) {
+		switch (ntlmssp_state->role) {
+		case NTLMSSP_CLIENT:
+			ntlmssp_command = NTLMSSP_INITIAL;
+			break;
+		case NTLMSSP_SERVER:
+			/* 'datagram' mode - no neg packet */
+			ntlmssp_command = NTLMSSP_NEGOTIATE;
+			break;
+		}
+	} else {
+		if (!msrpc_parse(&input, "Cd",
+				 "NTLMSSP",
+				 &ntlmssp_command)) {
+			DEBUG(1, ("Failed to parse NTLMSSP packet, could not extract NTLMSSP command\n"));
+			dump_data(2, (const char *)input.data, input.length);
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+	}
+
+	if (ntlmssp_command != ntlmssp_state->expected_state) {
+		DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	for (i=0; ntlmssp_callbacks[i].fn; i++) {
+		if (ntlmssp_callbacks[i].role == ntlmssp_state->role 
+		    && ntlmssp_callbacks[i].ntlmssp_command == ntlmssp_command) {
+			return ntlmssp_callbacks[i].fn(ntlmssp_state, input, out);
+		}
+	}
+
+	DEBUG(1, ("failed to find NTLMSSP callback for NTLMSSP mode %u, command %u\n", 
+		  ntlmssp_state->role, ntlmssp_command)); 
+
+	return NT_STATUS_INVALID_PARAMETER;
+}
+
+/**
+ * End an NTLMSSP state machine
+ * 
+ * @param ntlmssp_state NTLMSSP State, free()ed by this function
+ */
+
+void ntlmssp_end(NTLMSSP_STATE **ntlmssp_state)
+{
+	TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
+
+	(*ntlmssp_state)->ref_count--;
+
+	if ((*ntlmssp_state)->ref_count == 0) {
+		data_blob_free(&(*ntlmssp_state)->chal);
+		data_blob_free(&(*ntlmssp_state)->lm_resp);
+		data_blob_free(&(*ntlmssp_state)->nt_resp);
+
+		talloc_destroy(mem_ctx);
+	}
+
+	*ntlmssp_state = NULL;
+	return;
+}
+
+/**
  * Determine correct target name flags for reply, given server role 
  * and negotiated flags
  * 
@@ -107,6 +318,46 @@ static const char *ntlmssp_target_name(struct ntlmssp_state *ntlmssp_state,
 	}
 }
 
+static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+				      uint32 neg_flags, BOOL allow_lm) {
+	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+		ntlmssp_state->unicode = True;
+	} else {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+		ntlmssp_state->unicode = False;
+	}
+
+	if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY && allow_lm) {
+		/* other end forcing us to use LM */
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+		ntlmssp_state->use_ntlmv2 = False;
+	} else {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+	}
+
+	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+	}
+
+	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+	}
+
+	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+	}
+
+	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
+		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+	}
+	
+}
+
+
 /**
  * Next state function for the Negotiate packet
  * 
@@ -150,31 +401,27 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
 		debug_ntlmssp_flags(neg_flags);
 	}
 	
-	cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
+	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
 
-	data_blob_free(&ntlmssp_state->chal);
-	ntlmssp_state->chal = data_blob(cryptkey, 8);
-
-	/* Give them the challenge. For now, ignore neg_flags and just
-	   return the flags we want. Obviously this is not correct */
-	
-	chal_flags = 
-		NTLMSSP_NEGOTIATE_128 | 
-		NTLMSSP_NEGOTIATE_NTLM;
-	
-	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
-		chal_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-		ntlmssp_state->unicode = True;
-	} else {
-		chal_flags |= NTLMSSP_NEGOTIATE_OEM;
-	}
+	chal_flags = ntlmssp_state->neg_flags;
 
 	target_name = ntlmssp_target_name(ntlmssp_state, 
 					  neg_flags, &chal_flags); 
-
-	if (target_name == NULL)
+	if (target_name == NULL) 
 		return NT_STATUS_INVALID_PARAMETER;
 
+	/* Ask our caller what challenge they would like in the packet */
+	cryptkey = ntlmssp_state->get_challenge(ntlmssp_state);
+
+	/* Check if we may set the challenge */
+	if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
+		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+	}
+
+	ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
+	ntlmssp_state->internal_chal = data_blob_talloc(ntlmssp_state->mem_ctx, cryptkey, 8);
+	
+
 	/* This should be a 'netbios domain -> DNS domain' mapping */
 	dnsdomname[0] = '\0';
 	get_mydomname(dnsdomname);
@@ -184,6 +431,7 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
 	get_myfullname(dnsname);
 	strlower_m(dnsname);
 	
+	/* This creates the 'blob' of names that appears at the end of the packet */
 	if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) 
 	{
 		const char *target_name_dns = "";
@@ -194,16 +442,17 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
 		}
 
 		msrpc_gen(&struct_blob, "aaaaa",
-			  ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN, target_name,
-			  ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
-			  ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_DOMAIN_DNS, target_name_dns,
-			  ntlmssp_state->unicode, NTLMSSP_NAME_TYPE_SERVER_DNS, dnsdomname,
-			  ntlmssp_state->unicode, 0, "");
+			  NTLMSSP_NAME_TYPE_DOMAIN, target_name,
+			  NTLMSSP_NAME_TYPE_SERVER, ntlmssp_state->get_global_myname(),
+			  NTLMSSP_NAME_TYPE_DOMAIN_DNS, dnsdomname,
+			  NTLMSSP_NAME_TYPE_SERVER_DNS, dnsname,
+			  0, "");
 	} else {
 		struct_blob = data_blob(NULL, 0);
 	}
 
 	{
+		/* Marshel the packet in the right format, be it unicode or ASCII */
 		const char *gen_string;
 		if (ntlmssp_state->unicode) {
 			gen_string = "CdUdbddB";
@@ -240,13 +489,27 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
 static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 				    const DATA_BLOB request, DATA_BLOB *reply) 
 {
-	DATA_BLOB sess_key;
-	uint32 ntlmssp_command, neg_flags;
+	DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
+	DATA_BLOB nt_session_key = data_blob(NULL, 0);
+	DATA_BLOB lm_session_key = data_blob(NULL, 0);
+	DATA_BLOB session_key = data_blob(NULL, 0);
+	uint32 ntlmssp_command, auth_flags;
 	NTSTATUS nt_status;
 
+	/* used by NTLM2 */
+	BOOL doing_ntlm2 = False;
+
+	uchar session_nonce[16];
+	uchar session_nonce_hash[16];
+
 	const char *parse_string;
+	char *domain = NULL;
+	char *user = NULL;
+	char *workstation = NULL;
 
 	/* parse the NTLMSSP packet */
+	*reply = data_blob(NULL, 0);
+
 #if 0
 	file_save("ntlmssp_auth.dat", request.data, request.length);
 #endif
@@ -260,9 +523,9 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 	data_blob_free(&ntlmssp_state->lm_resp);
 	data_blob_free(&ntlmssp_state->nt_resp);
 
-	SAFE_FREE(ntlmssp_state->user);
-	SAFE_FREE(ntlmssp_state->domain);
-	SAFE_FREE(ntlmssp_state->workstation);
+	ntlmssp_state->user = NULL;
+	ntlmssp_state->domain = NULL;
+	ntlmssp_state->workstation = NULL;
 
 	/* now the NTLMSSP encoded auth hashes */
 	if (!msrpc_parse(&request, parse_string,
@@ -270,18 +533,73 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 			 &ntlmssp_command, 
 			 &ntlmssp_state->lm_resp,
 			 &ntlmssp_state->nt_resp,
-			 &ntlmssp_state->domain, 
-			 &ntlmssp_state->user, 
-			 &ntlmssp_state->workstation,
-			 &sess_key,
-			 &neg_flags)) {
+			 &domain, 
+			 &user, 
+			 &workstation,
+			 &encrypted_session_key,
+			 &auth_flags)) {
 		DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n"));
 		dump_data(2, (const char *)request.data, request.length);
-		return NT_STATUS_INVALID_PARAMETER;
+		SAFE_FREE(domain);
+		SAFE_FREE(user);
+		SAFE_FREE(workstation);
+		data_blob_free(&encrypted_session_key);
+		auth_flags = 0;
+		
+		/* Try again with a shorter string (Win9X truncates this packet) */
+		if (ntlmssp_state->unicode) {
+			parse_string = "CdBBUUU";
+		} else {
+			parse_string = "CdBBAAA";
+		}
+
+		/* now the NTLMSSP encoded auth hashes */
+		if (!msrpc_parse(&request, parse_string,
+				 "NTLMSSP", 
+				 &ntlmssp_command, 
+				 &ntlmssp_state->lm_resp,
+				 &ntlmssp_state->nt_resp,
+				 &domain, 
+				 &user, 
+				 &workstation)) {
+			DEBUG(1, ("ntlmssp_server_auth: failed to parse NTLMSSP:\n"));
+			dump_data(2, (const char *)request.data, request.length);
+			SAFE_FREE(domain);
+			SAFE_FREE(user);
+			SAFE_FREE(workstation);
+
+			return NT_STATUS_INVALID_PARAMETER;
+		}
 	}
 
-	data_blob_free(&sess_key);
-	
+	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
+		SAFE_FREE(domain);
+		SAFE_FREE(user);
+		SAFE_FREE(workstation);
+		data_blob_free(&encrypted_session_key);
+		return nt_status;
+	}
+
+	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
+		SAFE_FREE(domain);
+		SAFE_FREE(user);
+		SAFE_FREE(workstation);
+		data_blob_free(&encrypted_session_key);
+		return nt_status;
+	}
+
+	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_workstation(ntlmssp_state, workstation))) {
+		SAFE_FREE(domain);
+		SAFE_FREE(user);
+		SAFE_FREE(workstation);
+		data_blob_free(&encrypted_session_key);
+		return nt_status;
+	}
+
+	SAFE_FREE(domain);
+	SAFE_FREE(user);
+	SAFE_FREE(workstation);
+
 	DEBUG(3,("Got user=[%s] domain=[%s] workstation=[%s] len1=%lu len2=%lu\n",
 		 ntlmssp_state->user, ntlmssp_state->domain, ntlmssp_state->workstation, (unsigned long)ntlmssp_state->lm_resp.length, (unsigned long)ntlmssp_state->nt_resp.length));
 
@@ -290,9 +608,98 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
 	file_save("lmhash1.dat",  &ntlmssp_state->lm_resp.data,  &ntlmssp_state->lm_resp.length);
 #endif
 
-	nt_status = ntlmssp_state->check_password(ntlmssp_state);
+	/* NTLM2 uses a 'challenge' that is made of up both the server challenge, and a 
+	   client challenge 
 	
-	*reply = data_blob(NULL, 0);
+	   However, the NTLM2 flag may still be set for the real NTLMv2 logins, be careful.
+	*/
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+		if (ntlmssp_state->nt_resp.length == 24 && ntlmssp_state->lm_resp.length == 24) {
+			struct MD5Context md5_session_nonce_ctx;
+			SMB_ASSERT(ntlmssp_state->internal_chal.data && ntlmssp_state->internal_chal.length == 8);
+			
+			doing_ntlm2 = True;
+
+			memcpy(session_nonce, ntlmssp_state->internal_chal.data, 8);
+			memcpy(&session_nonce[8], ntlmssp_state->lm_resp.data, 8);
+			
+			MD5Init(&md5_session_nonce_ctx);
+			MD5Update(&md5_session_nonce_ctx, session_nonce, 16);
+			MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
+			
+			ntlmssp_state->chal = data_blob_talloc(ntlmssp_state->mem_ctx, session_nonce_hash, 8);
+
+			/* LM response is no longer useful */
+			data_blob_free(&ntlmssp_state->lm_resp);
+
+			/* We changed the effective challenge - set it */
+			if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->set_challenge(ntlmssp_state, &ntlmssp_state->chal))) {
+				data_blob_free(&encrypted_session_key);
+				return nt_status;
+			}
+		}
+	}
+
+	/* Finally, actually ask if the password is OK */
+	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_state->check_password(ntlmssp_state, &nt_session_key, &lm_session_key))) {
+		data_blob_free(&encrypted_session_key);
+		return nt_status;
+	}
+
+	dump_data_pw("NT session key:\n", nt_session_key.data, nt_session_key.length);
+	dump_data_pw("LM first-8:\n", lm_session_key.data, lm_session_key.length);
+
+	/* Handle the different session key derivation for NTLM2 */
+	if (doing_ntlm2) {
+		if (nt_session_key.data && nt_session_key.length == 16) {
+			session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
+			hmac_md5(nt_session_key.data, session_nonce, 
+				 sizeof(session_nonce), session_key.data);
+			dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
+
+		}
+	} else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
+		if (lm_session_key.data && lm_session_key.length >= 8 && 
+		    ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
+			session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
+			SMBsesskeygen_lmv1(lm_session_key.data, ntlmssp_state->lm_resp.data, 
+					   session_key.data);
+			dump_data_pw("LM session key:\n", session_key.data, session_key.length);
+		}
+	} else if (nt_session_key.data) {
+		session_key = nt_session_key;
+		dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
+	}
+
+	/* With KEY_EXCH, the client supplies the proposed session key, 
+	   but encrypts it with the long-term key */
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
+		if (!encrypted_session_key.data || encrypted_session_key.length != 16) {
+			data_blob_free(&encrypted_session_key);
+			DEBUG(1, ("Client-supplied KEY_EXCH session key was of invalid length (%u)!\n", 
+				  encrypted_session_key.length));
+			return NT_STATUS_INVALID_PARAMETER;
+		} else if (!session_key.data || session_key.length != 16) {
+			DEBUG(5, ("server session key is invalid (len == %u), cannot do KEY_EXCH!\n", 
+				  session_key.length));
+		} else {
+			dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
+			SamOEMhash(encrypted_session_key.data, 
+				   session_key.data, 
+				   encrypted_session_key.length);
+			ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state->mem_ctx, 
+								      encrypted_session_key.data, 
+								      encrypted_session_key.length);
+			dump_data_pw("KEY_EXCH session key:\n", session_key.data, session_key.length);
+		}
+	} else {
+		ntlmssp_state->session_key = session_key;
+	}
+
+	data_blob_free(&encrypted_session_key);
+	
+	/* allow arbitarily many authentications */
+	ntlmssp_state->expected_state = NTLMSSP_AUTH;
 
 	return nt_status;
 }
@@ -316,8 +723,12 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	(*ntlmssp_state)->role = NTLMSSP_SERVER;
+
 	(*ntlmssp_state)->mem_ctx = mem_ctx;
 	(*ntlmssp_state)->get_challenge = get_challenge;
+	(*ntlmssp_state)->set_challenge = set_challenge;
+	(*ntlmssp_state)->may_set_challenge = may_set_challenge;
 
 	(*ntlmssp_state)->get_global_myname = global_myname;
 	(*ntlmssp_state)->get_domain = lp_workgroup;
@@ -325,73 +736,18 @@ NTSTATUS ntlmssp_server_start(NTLMSSP_STATE **ntlmssp_state)
 
 	(*ntlmssp_state)->expected_state = NTLMSSP_NEGOTIATE;
 
-	return NT_STATUS_OK;
-}
-
-/**
- * End an NTLMSSP state machine
- * 
- * @param ntlmssp_state NTLMSSP State, free()ed by this function
- */
-
-NTSTATUS ntlmssp_server_end(NTLMSSP_STATE **ntlmssp_state)
-{
-	TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
-
-	data_blob_free(&(*ntlmssp_state)->chal);
-	data_blob_free(&(*ntlmssp_state)->lm_resp);
-	data_blob_free(&(*ntlmssp_state)->nt_resp);
+	(*ntlmssp_state)->ref_count = 1;
 
-	SAFE_FREE((*ntlmssp_state)->user);
-	SAFE_FREE((*ntlmssp_state)->domain);
-	SAFE_FREE((*ntlmssp_state)->workstation);
+	(*ntlmssp_state)->neg_flags = 
+		NTLMSSP_NEGOTIATE_128 |
+		NTLMSSP_NEGOTIATE_NTLM |
+		NTLMSSP_NEGOTIATE_NTLM2 |
+		NTLMSSP_NEGOTIATE_KEY_EXCH |
+		NTLMSSP_NEGOTIATE_SIGN;
 
-	talloc_destroy(mem_ctx);
-	*ntlmssp_state = NULL;
 	return NT_STATUS_OK;
 }
 
-/**
- * Next state function for the NTLMSSP state machine
- * 
- * @param ntlmssp_state NTLMSSP State
- * @param request The request, as a DATA_BLOB
- * @param request The reply, as an allocated DATA_BLOB, caller to free.
- * @return Errors, NT_STATUS_MORE_PROCESSING_REQUIRED or NT_STATUS_OK. 
- */
-
-NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state, 
-			       const DATA_BLOB request, DATA_BLOB *reply) 
-{
-	uint32 ntlmssp_command;
-	*reply = data_blob(NULL, 0);
-
-	if (request.length) {
-		if (!msrpc_parse(&request, "Cd",
-				 "NTLMSSP",
-				 &ntlmssp_command)) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-	} else {
-		/* 'datagram' mode - no neg packet */
-		ntlmssp_command = NTLMSSP_NEGOTIATE;
-	}
-
-	if (ntlmssp_command != ntlmssp_state->expected_state) {
-		DEBUG(1, ("got NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (ntlmssp_command == NTLMSSP_NEGOTIATE) {
-		return ntlmssp_server_negotiate(ntlmssp_state, request, reply);
-	} else if (ntlmssp_command == NTLMSSP_AUTH) {
-		return ntlmssp_server_auth(ntlmssp_state, request, reply);
-	} else {
-		DEBUG(1, ("unknown NTLMSSP command %u, expected %u\n", ntlmssp_command, ntlmssp_state->expected_state));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-}
-
 /*********************************************************************
  Client side NTLMSSP
 *********************************************************************/
@@ -405,11 +761,13 @@ NTSTATUS ntlmssp_server_update(NTLMSSP_STATE *ntlmssp_state,
  * @return Errors or NT_STATUS_OK. 
  */
 
-static NTSTATUS ntlmssp_client_initial(struct ntlmssp_client_state *ntlmssp_state, 
+static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state, 
 				  DATA_BLOB reply, DATA_BLOB *next_request) 
 {
 	if (ntlmssp_state->unicode) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+	} else {
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
 	}
 	
 	if (ntlmssp_state->use_ntlmv2) {
@@ -426,6 +784,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_client_state *ntlmssp_stat
 		  ntlmssp_state->get_domain(), 
 		  ntlmssp_state->get_global_myname());
 
+	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
+
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
 
@@ -438,7 +798,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_client_state *ntlmssp_stat
  * @return Errors or NT_STATUS_OK. 
  */
 
-static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_state, 
+static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, 
 					 const DATA_BLOB reply, DATA_BLOB *next_request) 
 {
 	uint32 chal_flags, ntlmssp_command, unkn1, unkn2;
@@ -469,17 +829,16 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 	DEBUG(3, ("Got challenge flags:\n"));
 	debug_ntlmssp_flags(chal_flags);
 
-	if (chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
+
+	if (ntlmssp_state->unicode) {
 		if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 			chal_parse_string = "CdUdbddB";
 		} else {
 			chal_parse_string = "CdUdbdd";
 		}
 		auth_gen_string = "CdBBUUUBd";
-		ntlmssp_state->unicode = True;
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-	} else if (chal_flags & NTLMSSP_NEGOTIATE_OEM) {
+	} else {
 		if (chal_flags & NTLMSSP_CHAL_TARGET_INFO) {
 			chal_parse_string = "CdAdbddB";
 		} else {
@@ -487,32 +846,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		}
 
 		auth_gen_string = "CdBBAAABd";
-
-		ntlmssp_state->unicode = False;
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (chal_flags & NTLMSSP_NEGOTIATE_LM_KEY && lp_client_lanman_auth()) {
-		/* server forcing us to use LM */
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-		ntlmssp_state->use_ntlmv2 = False;
-	} else {
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-	}
-
-	if (!(chal_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-	}
-
-	if (!(chal_flags & NTLMSSP_NEGOTIATE_128)) {
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
-	}
-
-	if (!(chal_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
 	}
 
 	DEBUG(3, ("NTLMSSP: Set final flags:\n"));
@@ -546,6 +879,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 
 		if (!struct_blob.length) {
 			/* be lazy, match win2k - we can't do NTLMv2 without it */
+			DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
@@ -569,7 +903,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		uchar nt_session_key[16];
 		E_md4hash(ntlmssp_state->password, nt_hash);
 		
-		lm_response = data_blob(NULL, 24);
+		lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
 		generate_random_buffer(lm_response.data, 8, False);
 		memset(lm_response.data+8, 0, 16);
 
@@ -580,16 +914,21 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		MD5Update(&md5_session_nonce_ctx, challenge_blob.data, 8);
 		MD5Update(&md5_session_nonce_ctx, lm_response.data, 8);
 		MD5Final(session_nonce_hash, &md5_session_nonce_ctx);
+
+		DEBUG(5, ("NTLMSSP challenge set by NTLM2\n"));
+		DEBUG(5, ("challenge is: \n"));
+		dump_data(5, session_nonce_hash, 8);
 		
-		nt_response = data_blob(NULL, 24);
+		nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
 		SMBNTencrypt(ntlmssp_state->password,
 			     session_nonce_hash,
 			     nt_response.data);
 
-		session_key = data_blob(NULL, 16);
+		session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
 
 		SMBsesskeygen_ntv1(nt_hash, NULL, nt_session_key);
 		hmac_md5(nt_session_key, session_nonce, sizeof(session_nonce), session_key.data);
+		dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
 	} else {
 		
 		
@@ -600,22 +939,24 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		
 		/* lanman auth is insecure, it may be disabled */
 		if (lp_client_lanman_auth()) {
-			lm_response = data_blob(NULL, 24);
+			lm_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
 			SMBencrypt(ntlmssp_state->password,challenge_blob.data,
 				   lm_response.data);
-			}
+		}
 		
-		nt_response = data_blob(NULL, 24);
+		nt_response = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 24);
 		SMBNTencrypt(ntlmssp_state->password,challenge_blob.data,
 			     nt_response.data);
 		
-		session_key = data_blob(NULL, 16);
+		session_key = data_blob_talloc(ntlmssp_state->mem_ctx, NULL, 16);
 		if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) 
 		    && lp_client_lanman_auth()) {
 			SMBsesskeygen_lmv1(lm_hash, lm_response.data, 
 					   session_key.data);
+			dump_data_pw("LM session key\n", session_key.data, session_key.length);
 		} else {
 			SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+			dump_data_pw("NT session key:\n", session_key.data, session_key.length);
 		}
 	}
 	data_blob_free(&struct_blob);
@@ -627,9 +968,12 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		
 		generate_random_buffer(client_session_key, sizeof(client_session_key), False);	
 		encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
+		dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
+
 		SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 		data_blob_free(&session_key);
-		session_key = data_blob(client_session_key, sizeof(client_session_key));
+		session_key = data_blob_talloc(ntlmssp_state->mem_ctx, client_session_key, sizeof(client_session_key));
+		dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 	}
 
 	/* this generates the actual auth packet */
@@ -644,28 +988,24 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
 		       encrypted_session_key.data, encrypted_session_key.length,
 		       ntlmssp_state->neg_flags)) {
 		
-		data_blob_free(&lm_response);
-		data_blob_free(&nt_response);
-		data_blob_free(&session_key);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	data_blob_free(&encrypted_session_key);
 
 	data_blob_free(&ntlmssp_state->chal);
-	data_blob_free(&ntlmssp_state->lm_resp);
-	data_blob_free(&ntlmssp_state->nt_resp);
-	data_blob_free(&ntlmssp_state->session_key);
 
 	ntlmssp_state->chal = challenge_blob;
 	ntlmssp_state->lm_resp = lm_response;
 	ntlmssp_state->nt_resp = nt_response;
 	ntlmssp_state->session_key = session_key;
 
+	ntlmssp_state->expected_state = NTLMSSP_UNKNOWN;
+
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
 
-NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
+NTSTATUS ntlmssp_client_start(NTLMSSP_STATE **ntlmssp_state)
 {
 	TALLOC_CTX *mem_ctx;
 
@@ -678,6 +1018,8 @@ NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	(*ntlmssp_state)->role = NTLMSSP_CLIENT;
+
 	(*ntlmssp_state)->mem_ctx = mem_ctx;
 
 	(*ntlmssp_state)->get_global_myname = global_myname;
@@ -687,6 +1029,10 @@ NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 
 	(*ntlmssp_state)->use_ntlmv2 = lp_client_ntlmv2_auth();
 
+	(*ntlmssp_state)->expected_state = NTLMSSP_INITIAL;
+
+	(*ntlmssp_state)->ref_count = 1;
+
 	(*ntlmssp_state)->neg_flags = 
 		NTLMSSP_NEGOTIATE_128 |
 		NTLMSSP_NEGOTIATE_NTLM |
@@ -700,101 +1046,6 @@ NTSTATUS ntlmssp_client_start(NTLMSSP_CLIENT_STATE **ntlmssp_state)
 		NTLMSSP_NEGOTIATE_SIGN |
 		NTLMSSP_REQUEST_TARGET;
 
-	(*ntlmssp_state)->ref_count = 1;
-
-	return NT_STATUS_OK;
-}
-
-NTSTATUS ntlmssp_client_end(NTLMSSP_CLIENT_STATE **ntlmssp_state)
-{
-	TALLOC_CTX *mem_ctx = (*ntlmssp_state)->mem_ctx;
-
-	(*ntlmssp_state)->ref_count--;
-
-	if ((*ntlmssp_state)->ref_count == 0) {
-		data_blob_free(&(*ntlmssp_state)->chal);
-		data_blob_free(&(*ntlmssp_state)->lm_resp);
-		data_blob_free(&(*ntlmssp_state)->nt_resp);
-		data_blob_free(&(*ntlmssp_state)->session_key);
-		data_blob_free(&(*ntlmssp_state)->stored_response);
-		talloc_destroy(mem_ctx);
-	}
-
-	*ntlmssp_state = NULL;
 	return NT_STATUS_OK;
 }
 
-NTSTATUS ntlmssp_client_update(NTLMSSP_CLIENT_STATE *ntlmssp_state, 
-			       DATA_BLOB reply, DATA_BLOB *next_request) 
-{
-	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
-	uint32 ntlmssp_command;
-	*next_request = data_blob(NULL, 0);
-
-	if (!reply.length) {
-		/* If there is a cached reply, use it - otherwise this is the first packet */
-		if (!ntlmssp_state->stored_response.length) {
-			return ntlmssp_client_initial(ntlmssp_state, reply, next_request);
-		}
-		
-		reply = ntlmssp_state->stored_response;
-	}
-
-	if (!msrpc_parse(&reply, "Cd",
-			 "NTLMSSP",
-			 &ntlmssp_command)) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (ntlmssp_command == NTLMSSP_CHALLENGE) {
-		nt_status = ntlmssp_client_challenge(ntlmssp_state, reply, next_request);
-	}
-	if (ntlmssp_state->stored_response.length) {
-		data_blob_free(&ntlmssp_state->stored_response);
-	}
-	return nt_status;
-}
-
-NTSTATUS ntlmssp_set_username(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *user) 
-{
-	ntlmssp_state->user = talloc_strdup(ntlmssp_state->mem_ctx, user);
-	if (!ntlmssp_state->user) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
-NTSTATUS ntlmssp_set_password(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *password) 
-{
-	if (!password) {
-		ntlmssp_state->password = NULL;
-	} else {
-		ntlmssp_state->password = talloc_strdup(ntlmssp_state->mem_ctx, password);
-		if (!ntlmssp_state->password) {
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
-	return NT_STATUS_OK;
-}
-
-NTSTATUS ntlmssp_set_domain(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *domain) 
-{
-	ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain);
-	if (!ntlmssp_state->domain) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
-/**
- *  Store a DATA_BLOB containing an NTLMSSP response, for use later.
- *  This 'keeps' the data blob - the caller must *not* free it.
- */
-
-NTSTATUS ntlmssp_client_store_response(NTLMSSP_CLIENT_STATE *ntlmssp_state,
-				       DATA_BLOB response) 
-{
-	data_blob_free(&ntlmssp_state->stored_response);
-	ntlmssp_state->stored_response = response;
-	return NT_STATUS_OK;
-}
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index b136dacf5a..3444db0306 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -31,7 +31,7 @@
   format specifiers are:
 
   U = unicode string (input is unix string)
-  a = address (input is BOOL unicode, char *unix_string)
+  a = address (input is char *unix_string)
       (1 byte type, 1 byte length, unicode/ASCII string, all inline)
   A = ASCII string (input is unix string)
   B = data blob (pointer + length)
@@ -49,7 +49,6 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 	uint8 *b;
 	int head_size=0, data_size=0;
 	int head_ofs, data_ofs;
-	BOOL unicode;
 
 	/* first scan the format to work out the header and body size */
 	va_start(ap, format);
@@ -66,14 +65,9 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			data_size += str_ascii_charnum(s);
 			break;
 		case 'a':
-			unicode = va_arg(ap, BOOL);
 			n = va_arg(ap, int);
 			s = va_arg(ap, char *);
-			if (unicode) {
-				data_size += (str_charnum(s) * 2) + 4;
-			} else {
-				data_size += (str_ascii_charnum(s)) + 4;
-			}
+			data_size += (str_charnum(s) * 2) + 4;
 			break;
 		case 'B':
 			b = va_arg(ap, uint8 *);
@@ -124,27 +118,16 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			data_ofs += n;
 			break;
 		case 'a':
-			unicode = va_arg(ap, BOOL);
 			n = va_arg(ap, int);
 			SSVAL(blob->data, data_ofs, n); data_ofs += 2;
 			s = va_arg(ap, char *);
-			if (unicode) {
-				n = str_charnum(s);
-				SSVAL(blob->data, data_ofs, n*2); data_ofs += 2;
-				if (0 < n) {
-					push_string(NULL, blob->data+data_ofs, s, n*2,
-						    STR_UNICODE|STR_NOALIGN);
-				}
-				data_ofs += n*2;
-			} else {
-				n = str_ascii_charnum(s);
-				SSVAL(blob->data, data_ofs, n); data_ofs += 2;
-				if (0 < n) {
-					push_string(NULL, blob->data+data_ofs, s, n,
-						    STR_ASCII|STR_NOALIGN);
-				}
-				data_ofs += n;
+			n = str_charnum(s);
+			SSVAL(blob->data, data_ofs, n*2); data_ofs += 2;
+			if (0 < n) {
+				push_string(NULL, blob->data+data_ofs, s, n*2,
+					    STR_UNICODE|STR_NOALIGN);
 			}
+			data_ofs += n*2;
 			break;
 
 		case 'B':
diff --git a/source3/libsmb/ntlmssp_sign.c b/source3/libsmb/ntlmssp_sign.c
index 153c234d1f..ea1a7037c9 100644
--- a/source3/libsmb/ntlmssp_sign.c
+++ b/source3/libsmb/ntlmssp_sign.c
@@ -102,7 +102,7 @@ enum ntlmssp_direction {
 	NTLMSSP_RECEIVE
 };
 
-static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_CLIENT_STATE *ntlmssp_state,
+static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state,
 					      const uchar *data, size_t length, 
 					      enum ntlmssp_direction direction,
 					      DATA_BLOB *sig) 
@@ -113,7 +113,7 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_CLIENT_STATE *ntlmssp_stat
 		uchar digest[16];
 		SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num);
 
-		hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->cli_sign_const), 16, &ctx);
+		hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->send_sign_const), 16, &ctx);
 		hmac_md5_update((const unsigned char *)seq_num, 4, &ctx);
 		hmac_md5_update(data, length, &ctx);
 		hmac_md5_final(digest, &ctx);
@@ -124,10 +124,10 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_CLIENT_STATE *ntlmssp_stat
 		}
 		switch (direction) {
 		case NTLMSSP_SEND:
-			NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash,  sig->data+4, sig->length-4);
+			NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash,  sig->data+4, sig->length-4);
 			break;
 		case NTLMSSP_RECEIVE:
-			NTLMSSPcalc_ap(ntlmssp_state->srv_sign_hash,  sig->data+4, sig->length-4);
+			NTLMSSPcalc_ap(ntlmssp_state->recv_sign_hash,  sig->data+4, sig->length-4);
 			break;
 		}
 	} else {
@@ -144,9 +144,9 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_CLIENT_STATE *ntlmssp_stat
 	return NT_STATUS_OK;
 }
 
-NTSTATUS ntlmssp_client_sign_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
-					   const uchar *data, size_t length, 
-					   DATA_BLOB *sig) 
+NTSTATUS ntlmssp_sign_packet(NTLMSSP_STATE *ntlmssp_state,
+				    const uchar *data, size_t length, 
+				    DATA_BLOB *sig) 
 {
 	NTSTATUS nt_status = ntlmssp_make_packet_signature(ntlmssp_state, data, length, NTLMSSP_SEND, sig);
 
@@ -161,9 +161,9 @@ NTSTATUS ntlmssp_client_sign_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
  *
  */
 
-NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
-				     const uchar *data, size_t length, 
-				     const DATA_BLOB *sig) 
+NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
+			      const uchar *data, size_t length, 
+			      const DATA_BLOB *sig) 
 {
 	DATA_BLOB local_sig;
 	NTSTATUS nt_status;
@@ -204,11 +204,11 @@ NTSTATUS ntlmssp_client_check_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
  *
  */
 
-NTSTATUS ntlmssp_client_seal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
-				    uchar *data, size_t length,
-				    DATA_BLOB *sig)
+NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state,
+			     uchar *data, size_t length,
+			     DATA_BLOB *sig)
 {	
-	DEBUG(10,("ntlmssp_client_seal_data: seal\n"));
+	DEBUG(10,("ntlmssp_seal_data: seal\n"));
 	dump_data_pw("ntlmssp clear data\n", data, length);
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
 		HMACMD5Context ctx;
@@ -216,7 +216,7 @@ NTSTATUS ntlmssp_client_seal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
 		uchar digest[16];
 		SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num);
 
-		hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->cli_sign_const), 16, &ctx);
+		hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->send_sign_const), 16, &ctx);
 		hmac_md5_update((const unsigned char *)seq_num, 4, &ctx);
 		hmac_md5_update(data, length, &ctx);
 		hmac_md5_final(digest, &ctx);
@@ -227,13 +227,13 @@ NTSTATUS ntlmssp_client_seal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
 		}
 
 		dump_data_pw("ntlmssp client sealing hash:\n", 
-			     ntlmssp_state->cli_seal_hash,
-			     sizeof(ntlmssp_state->cli_seal_hash));
-		NTLMSSPcalc_ap(ntlmssp_state->cli_seal_hash, data, length);
+			     ntlmssp_state->send_seal_hash,
+			     sizeof(ntlmssp_state->send_seal_hash));
+		NTLMSSPcalc_ap(ntlmssp_state->send_seal_hash, data, length);
 		dump_data_pw("ntlmssp client signing hash:\n", 
-			     ntlmssp_state->cli_sign_hash,
-			     sizeof(ntlmssp_state->cli_sign_hash));
-		NTLMSSPcalc_ap(ntlmssp_state->cli_sign_hash,  sig->data+4, sig->length-4);
+			     ntlmssp_state->send_sign_hash,
+			     sizeof(ntlmssp_state->send_sign_hash));
+		NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash,  sig->data+4, sig->length-4);
 	} else {
 		uint32 crc;
 		crc = crc32_calc_buffer((const char *)data, length);
@@ -266,14 +266,14 @@ NTSTATUS ntlmssp_client_seal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
  *
  */
 
-NTSTATUS ntlmssp_client_unseal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
+NTSTATUS ntlmssp_unseal_packet(NTLMSSP_STATE *ntlmssp_state,
 				      uchar *data, size_t length,
 				      DATA_BLOB *sig)
 {
-	DEBUG(10,("ntlmssp_client_unseal_data: seal\n"));
+	DEBUG(10,("ntlmssp__unseal_data: seal\n"));
 	dump_data_pw("ntlmssp sealed data\n", data, length);
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-		NTLMSSPcalc_ap(ntlmssp_state->srv_seal_hash, data, length);
+		NTLMSSPcalc_ap(ntlmssp_state->recv_seal_hash, data, length);
 	} else {
 		dump_data_pw("ntlmssp hash:\n", ntlmssp_state->ntlmssp_hash,
 			     sizeof(ntlmssp_state->ntlmssp_hash));
@@ -281,13 +281,13 @@ NTSTATUS ntlmssp_client_unseal_packet(NTLMSSP_CLIENT_STATE *ntlmssp_state,
 	}
 	dump_data_pw("ntlmssp clear data\n", data, length);
 
-	return ntlmssp_client_check_packet(ntlmssp_state, data, length, sig);
+	return ntlmssp_check_packet(ntlmssp_state, data, length, sig);
 }
 
 /**
    Initialise the state for NTLMSSP signing.
 */
-NTSTATUS ntlmssp_client_sign_init(NTLMSSP_CLIENT_STATE *ntlmssp_state)
+NTSTATUS ntlmssp_sign_init(NTLMSSP_STATE *ntlmssp_state)
 {
 	unsigned char p24[24];
 	ZERO_STRUCT(p24);
@@ -297,34 +297,54 @@ NTSTATUS ntlmssp_client_sign_init(NTLMSSP_CLIENT_STATE *ntlmssp_state)
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
 	{
+		const char *send_sign_const;
+		const char *send_seal_const;
+		const char *recv_sign_const;
+		const char *recv_seal_const;
+
+		switch (ntlmssp_state->role) {
+		case NTLMSSP_CLIENT:
+			send_sign_const = CLI_SIGN;
+			send_seal_const = CLI_SEAL;
+			recv_sign_const = SRV_SIGN;
+			recv_seal_const = SRV_SEAL;
+			break;
+		case NTLMSSP_SERVER:
+			send_sign_const = SRV_SIGN;
+			send_seal_const = SRV_SEAL;
+			recv_sign_const = CLI_SIGN;
+			recv_seal_const = CLI_SEAL;
+			break;
+		}
+
+		calc_ntlmv2_hash(ntlmssp_state->send_sign_hash, 
+				 ntlmssp_state->send_sign_const, 
+				 ntlmssp_state->session_key, send_sign_const);
+		dump_data_pw("NTLMSSP send sign hash:\n", 
+			     ntlmssp_state->send_sign_hash, 
+			     sizeof(ntlmssp_state->send_sign_hash));
+
+		calc_ntlmv2_hash(ntlmssp_state->send_seal_hash, 
+				 ntlmssp_state->send_seal_const, 
+				 ntlmssp_state->session_key, send_seal_const);
+		dump_data_pw("NTLMSSP send sesl hash:\n", 
+			     ntlmssp_state->send_seal_hash, 
+			     sizeof(ntlmssp_state->send_seal_hash));
+
+		calc_ntlmv2_hash(ntlmssp_state->recv_sign_hash, 
+				 ntlmssp_state->recv_sign_const, 
+				 ntlmssp_state->session_key, send_sign_const);
+		dump_data_pw("NTLMSSP receive sign hash:\n", 
+			     ntlmssp_state->recv_sign_hash, 
+			     sizeof(ntlmssp_state->recv_sign_hash));
+
+		calc_ntlmv2_hash(ntlmssp_state->recv_seal_hash, 
+				 ntlmssp_state->recv_seal_const, 
+				 ntlmssp_state->session_key, send_seal_const);
+		dump_data_pw("NTLMSSP receive seal hash:\n", 
+			     ntlmssp_state->recv_sign_hash, 
+			     sizeof(ntlmssp_state->recv_sign_hash));
 
-		calc_ntlmv2_hash(ntlmssp_state->cli_sign_hash, 
-				 ntlmssp_state->cli_sign_const, 
-				 ntlmssp_state->session_key, CLI_SIGN);
-		dump_data_pw("NTLMSSP client sign hash:\n", 
-			     ntlmssp_state->cli_sign_hash, 
-			     sizeof(ntlmssp_state->cli_sign_hash));
-
-		calc_ntlmv2_hash(ntlmssp_state->cli_seal_hash, 
-				 ntlmssp_state->cli_seal_const, 
-				 ntlmssp_state->session_key, CLI_SEAL);
-		dump_data_pw("NTLMSSP client sesl hash:\n", 
-			     ntlmssp_state->cli_seal_hash, 
-			     sizeof(ntlmssp_state->cli_seal_hash));
-
-		calc_ntlmv2_hash(ntlmssp_state->srv_sign_hash, 
-				 ntlmssp_state->srv_sign_const, 
-				 ntlmssp_state->session_key, SRV_SIGN);
-		dump_data_pw("NTLMSSP server sign hash:\n", 
-			     ntlmssp_state->srv_sign_hash, 
-			     sizeof(ntlmssp_state->srv_sign_hash));
-
-		calc_ntlmv2_hash(ntlmssp_state->srv_seal_hash, 
-				 ntlmssp_state->srv_seal_const, 
-				 ntlmssp_state->session_key, SRV_SEAL);
-		dump_data_pw("NTLMSSP server seal hash:\n", 
-			     ntlmssp_state->cli_sign_hash, 
-			     sizeof(ntlmssp_state->cli_sign_hash));
 	} 
 	else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
 		if (!ntlmssp_state->session_key.data || ntlmssp_state->session_key.length < 8) {
diff --git a/source3/libsmb/smb_signing.c b/source3/libsmb/smb_signing.c
index 91509f0fb8..eec991072d 100644
--- a/source3/libsmb/smb_signing.c
+++ b/source3/libsmb/smb_signing.c
@@ -405,11 +405,11 @@ static void simple_free_signing_context(struct smb_sign_info *si)
  SMB signing - Simple implementation - setup the MAC key.
 ************************************************************/
 
-BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[16], const DATA_BLOB response)
+BOOL cli_simple_set_signing(struct cli_state *cli, const DATA_BLOB user_session_key, const DATA_BLOB response)
 {
 	struct smb_basic_signing_context *data;
 
-	if (!user_session_key)
+	if (!user_session_key.length)
 		return False;
 
 	if (!cli_set_smb_signing_common(cli)) {
@@ -425,21 +425,23 @@ BOOL cli_simple_set_signing(struct cli_state *cli, const uchar user_session_key[
 
 	cli->sign_info.signing_context = data;
 	
-	data->mac_key = data_blob(NULL, response.length + 16);
+	data->mac_key = data_blob(NULL, response.length + user_session_key.length);
 
-	memcpy(&data->mac_key.data[0], user_session_key, 16);
+	memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
 
 	DEBUG(10, ("cli_simple_set_signing: user_session_key\n"));
-	dump_data(10, (const char *)user_session_key, 16);
+	dump_data(10, (const char *)user_session_key.data, user_session_key.length);
 
 	if (response.length) {
-		memcpy(&data->mac_key.data[16],response.data, response.length);
+		memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length);
 		DEBUG(10, ("cli_simple_set_signing: response_data\n"));
 		dump_data(10, (const char *)response.data, response.length);
 	} else {
 		DEBUG(10, ("cli_simple_set_signing: NULL response_data\n"));
 	}
 
+	dump_data_pw("MAC ssession key is:\n", data->mac_key.data, data->mac_key.length);
+
 	/* Initialise the sequence number */
 	data->send_seq_num = 0;
 
@@ -928,11 +930,11 @@ data->send_seq_num = %u\n",
  Turn on signing from this packet onwards. 
 ************************************************************/
 
-void srv_set_signing(const uchar user_session_key[16], const DATA_BLOB response)
+void srv_set_signing(const DATA_BLOB user_session_key, const DATA_BLOB response)
 {
 	struct smb_basic_signing_context *data;
 
-	if (!user_session_key)
+	if (!user_session_key.length)
 		return;
 
 	if (!srv_sign_info.negotiated_smb_signing && !srv_sign_info.mandatory_signing) {
@@ -957,11 +959,13 @@ void srv_set_signing(const uchar user_session_key[16], const DATA_BLOB response)
 
 	srv_sign_info.signing_context = data;
 	
-	data->mac_key = data_blob(NULL, response.length + 16);
+	data->mac_key = data_blob(NULL, response.length + user_session_key.length);
 
-	memcpy(&data->mac_key.data[0], user_session_key, 16);
+	memcpy(&data->mac_key.data[0], user_session_key.data, user_session_key.length);
 	if (response.length)
-		memcpy(&data->mac_key.data[16],response.data, response.length);
+		memcpy(&data->mac_key.data[user_session_key.length],response.data, response.length);
+
+	dump_data_pw("MAC ssession key is:\n", data->mac_key.data, data->mac_key.length);
 
 	/* Initialise the sequence number */
 	data->send_seq_num = 0;
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index ec31bb5dba..2d02a23394 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -331,9 +331,9 @@ DATA_BLOB NTLMv2_generate_names_blob(const char *hostname,
 	DATA_BLOB names_blob = data_blob(NULL, 0);
 	
 	msrpc_gen(&names_blob, "aaa", 
-		  True, NTLMSSP_NAME_TYPE_DOMAIN, domain,
-		  True, NTLMSSP_NAME_TYPE_SERVER, hostname,
-		  True, 0, "");
+		  NTLMSSP_NAME_TYPE_DOMAIN, domain,
+		  NTLMSSP_NAME_TYPE_SERVER, hostname,
+		  0, "");
 	return names_blob;
 }