Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials.c47
-rw-r--r--source4/auth/credentials/credentials_files.c3
-rw-r--r--source4/auth/gensec/config.mk2
-rw-r--r--source4/auth/gensec/gensec_gssapi.c14
-rw-r--r--source4/auth/gensec/pygensec.c57
-rw-r--r--source4/auth/gensec/tests/bindings.py6
-rw-r--r--source4/auth/kerberos/krb5_init_context.c13
-rw-r--r--source4/auth/ntlm/auth_sam.c11
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c3
9 files changed, 117 insertions, 39 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 83901db6a5..549c2691f0 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -37,12 +37,10 @@
_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
{
struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
- if (!cred) {
+ if (cred == NULL) {
return cred;
}
- cred->netlogon_creds = NULL;
- cred->machine_account_pending = false;
cred->workstation_obtained = CRED_UNINITIALISED;
cred->username_obtained = CRED_UNINITIALISED;
cred->password_obtained = CRED_UNINITIALISED;
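Review bot: The field-by-field NULL/false initialisation that this hunk and the next one (the long run of `cred->… = NULL;` lines) rely on only covers members that are named explicitly, while `talloc(mem_ctx, struct cli_credentials)` on the line above leaves the storage uninitialised, so any member missing from the list, including ones added to the struct later, is read as garbage. Allocating with `struct cli_credentials *cred = talloc_zero(mem_ctx, struct cli_credentials);` makes every pointer NULL and every bool false without enumerating them, after which the explicit `= NULL` / `= false` lines only document intent. The `*_obtained` and `*_threshold` assignments to CRED_UNINITIALISED must stay unless that enumerator is 0, which the diff does not show. The body of cli_credentials_init continues past this hunk.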
@@ -50,21 +48,51 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->realm_obtained = CRED_UNINITIALISED;
cred->ccache_obtained = CRED_UNINITIALISED;
cred->client_gss_creds_obtained = CRED_UNINITIALISED;
- cred->server_gss_creds_obtained = CRED_UNINITIALISED;
- cred->keytab_obtained = CRED_UNINITIALISED;
cred->principal_obtained = CRED_UNINITIALISED;
+ cred->keytab_obtained = CRED_UNINITIALISED;
+ cred->server_gss_creds_obtained = CRED_UNINITIALISED;
cred->ccache_threshold = CRED_UNINITIALISED;
cred->client_gss_creds_threshold = CRED_UNINITIALISED;
+ cred->workstation = NULL;
+ cred->username = NULL;
+ cred->password = NULL;
cred->old_password = NULL;
- cred->smb_krb5_context = NULL;
+ cred->domain = NULL;
+ cred->realm = NULL;
+ cred->principal = NULL;
cred->salt_principal = NULL;
- cred->machine_account = false;
cred->bind_dn = NULL;
+ cred->nt_hash = NULL;
+
+ cred->ccache = NULL;
+ cred->client_gss_creds = NULL;
+ cred->keytab = NULL;
+ cred->server_gss_creds = NULL;
+
+ cred->workstation_cb = NULL;
+ cred->password_cb = NULL;
+ cred->username_cb = NULL;
+ cred->domain_cb = NULL;
+ cred->realm_cb = NULL;
+ cred->principal_cb = NULL;
+
+ cred->priv_data = NULL;
+
+ cred->netlogon_creds = NULL;
+
+ cred->smb_krb5_context = NULL;
+
+ cred->machine_account_pending = false;
+ cred->machine_account_pending_lp_ctx = NULL;
+
+ cred->machine_account = false;
+
cred->tries = 3;
+
cred->callback_running = false;
cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
@@ -722,6 +750,11 @@ _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
{
const char *username;
+ /* if bind dn is set it's not anonymous */
+ if (cred->bind_dn) {
+ return false;
+ }
+
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred,
cred->machine_account_pending_lp_ctx);
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index 3fe38d5cd1..42e8ea082a 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -266,6 +266,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
cli_credentials_set_anonymous(cred);
talloc_free(mem_ctx);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ } else {
+ /* store bind dn in credentials */
+ cli_credentials_set_bind_dn(cred, ldap_bind_dn);
}
}
}
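Review bot: The return value of `cli_credentials_set_bind_dn(cred, ldap_bind_dn);` is discarded; if it follows the other setters in this credentials API and returns a bool for a failed talloc copy, a failure here silently leaves bind_dn NULL, and with the new bind_dn test in cli_credentials_is_anonymous() the credentials would then be treated as anonymous. Checking the result, e.g. `if (!cli_credentials_set_bind_dn(cred, ldap_bind_dn)) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`, keeps the failure visible. cli_credentials_set_secrets starts before and continues after this hunk.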
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index 65f5208e1a..aa52b184fc 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -86,7 +86,7 @@ SCHANNELDB_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel_state.o)
$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_state.h,$(SCHANNELDB_OBJ_FILES:.o=.c)))
[PYTHON::pygensec]
-PRIVATE_DEPENDENCIES = gensec PYTALLOC
+PRIVATE_DEPENDENCIES = gensec PYTALLOC pyparam_util
LIBRARY_REALNAME = samba/gensec.$(SHLIBEXT)
pygensec_OBJ_FILES = $(gensecsrcdir)/pygensec.o
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a23f913264..2759ab41c3 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -147,6 +147,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
struct gensec_gssapi_state *gensec_gssapi_state;
krb5_error_code ret;
struct gsskrb5_send_to_kdc send_to_kdc;
+ const char *realm;
gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
if (!gensec_gssapi_state) {
@@ -226,15 +227,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
- if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
- char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
- talloc_free(gensec_gssapi_state);
- return NT_STATUS_NO_MEMORY;
- }
- ret = gsskrb5_set_default_realm(upper_realm);
- talloc_free(upper_realm);
+
+ realm = lp_realm(gensec_security->settings->lp_ctx);
+ if (realm != NULL) {
+ ret = gsskrb5_set_default_realm(realm);
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
talloc_free(gensec_gssapi_state);
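Review bot: The new guard `if (realm != NULL)` only rejects a NULL realm, whereas the removed condition also rejected an empty one (`*lp_realm(...)`), so unless lp_realm() now returns NULL for an unset `realm` parameter an empty string is handed to gsskrb5_set_default_realm(); `if (realm != NULL && *realm != '\0') {` keeps the old behaviour. The same applies to the matching hunk in source4/auth/kerberos/krb5_init_context.c, where `realm = lp_realm(lp_ctx);` is guarded the same way. The dropped strupper_talloc() presumably moved into lp_realm() itself; that is worth confirming, since Kerberos realm names are case-sensitive and both call sites now depend on it. gensec_gssapi_start continues outside the hunk.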
diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
index efa97e0184..d6d1f63ef1 100644
--- a/source4/auth/gensec/pygensec.c
+++ b/source4/auth/gensec/pygensec.c
@@ -19,8 +19,10 @@
#include "includes.h"
#include <Python.h>
#include "param/param.h"
+#include "param/pyparam.h"
#include "auth/gensec/gensec.h"
#include "libcli/util/pyerrors.h"
+#include "scripting/python/modules.h"
#include "pytalloc.h"
#include <tevent.h>
@@ -46,9 +48,35 @@ static PyObject *py_get_name_by_authtype(PyObject *self, PyObject *args)
return PyString_FromString(name);
}
-static struct gensec_settings *settings_from_object(PyObject *object)
+static struct gensec_settings *settings_from_object(TALLOC_CTX *mem_ctx, PyObject *object)
{
- return NULL; /* FIXME */
+ struct gensec_settings *s;
+ PyObject *py_hostname, *py_lp_ctx;
+
+ if (!PyDict_Check(object)) {
+ PyErr_SetString(PyExc_ValueError, "settings should be a dictionary");
+ return NULL;
+ }
+
+ s = talloc_zero(mem_ctx, struct gensec_settings);
+ if (!s) return NULL;
+
+ py_hostname = PyDict_GetItemString(object, "target_hostname");
+ if (!py_hostname) {
+ PyErr_SetString(PyExc_ValueError, "settings.target_hostname not found");
+ return NULL;
+ }
+
+ py_lp_ctx = PyDict_GetItemString(object, "lp_ctx");
+ if (!py_lp_ctx) {
+ PyErr_SetString(PyExc_ValueError, "settings.lp_ctx not found");
+ return NULL;
+ }
+
+ s->target_hostname = PyString_AsString(py_hostname);
+ s->lp_ctx = lp_from_py_object(py_lp_ctx);
+ s->iconv_convenience = py_iconv_convenience(s);
+ return s;
}
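Review bot: The pointer stored by `s->target_hostname = PyString_AsString(py_hostname);` points into a Python string that the function only borrows (PyDict_GetItemString returns a borrowed reference), so the gensec_settings outlives its own data once the caller's dict entry is replaced or collected; copy it with talloc_strdup onto `s`, and check PyString_AsString for NULL because a non-string value raises a TypeError that is otherwise ignored. The `if (!s) return NULL;` path returns without setting a Python exception, and the two later failure paths leave the already allocated `s` hanging off mem_ctx instead of freeing it. The result of lp_from_py_object() is likewise stored without a NULL check; once its error convention is confirmed it deserves the same treatment.
```c
	struct gensec_settings *s;
	PyObject *py_hostname, *py_lp_ctx;
	const char *hostname;

	// … unchanged: PyDict_Check test …

	s = talloc_zero(mem_ctx, struct gensec_settings);
	if (s == NULL) {
		PyErr_NoMemory();
		return NULL;
	}

	py_hostname = PyDict_GetItemString(object, "target_hostname");
	if (py_hostname == NULL) {
		PyErr_SetString(PyExc_ValueError, "settings.target_hostname not found");
		talloc_free(s);
		return NULL;
	}
	hostname = PyString_AsString(py_hostname);
	if (hostname == NULL) {
		/* TypeError already set by PyString_AsString */
		talloc_free(s);
		return NULL;
	}
	/* own a copy: py_hostname is a borrowed reference into the caller's dict */
	s->target_hostname = talloc_strdup(s, hostname);
	if (s->target_hostname == NULL) {
		PyErr_NoMemory();
		talloc_free(s);
		return NULL;
	}

	py_lp_ctx = PyDict_GetItemString(object, "lp_ctx");
	if (py_lp_ctx == NULL) {
		PyErr_SetString(PyExc_ValueError, "settings.lp_ctx not found");
		talloc_free(s);
		return NULL;
	}

	// … unchanged: lp_ctx, iconv_convenience and return …
```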
static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyObject *kwargs)
@@ -60,13 +88,9 @@ static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyOb
PyObject *py_settings;
struct tevent_context *ev;
- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O", kwnames, &py_settings))
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O", discard_const_p(char *, kwnames), &py_settings))
return NULL;
- settings = settings_from_object(py_settings);
- if (settings == NULL)
- return NULL;
-
self = (py_talloc_Object*)type->tp_alloc(type, 0);
if (self == NULL) {
PyErr_NoMemory();
@@ -77,12 +101,27 @@ static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyOb
PyErr_NoMemory();
return NULL;
}
+
+ settings = settings_from_object(self->talloc_ctx, py_settings);
+ if (settings == NULL) {
+ PyObject_DEL(self);
+ return NULL;
+ }
+
ev = tevent_context_init(self->talloc_ctx);
if (ev == NULL) {
PyErr_NoMemory();
PyObject_Del(self);
return NULL;
}
+
+ status = gensec_init(settings->lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ PyErr_SetNTSTATUS(status);
+ PyObject_DEL(self);
+ return NULL;
+ }
+
status = gensec_client_start(self->talloc_ctx,
(struct gensec_security **)&self->ptr, ev, settings);
if (!NT_STATUS_IS_OK(status)) {
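Review bot: The two new failure paths (`settings == NULL` and the gensec_init status check) release the Python object with PyObject_DEL but not `self->talloc_ctx`, which is allocated just above this hunk; PyObject_Del bypasses tp_dealloc, so the talloc context, and the settings now parented on it, leak. The pre-existing tevent_context_init failure path has the same shape, so the cleanup should be shared: `talloc_free(self->talloc_ctx); PyObject_Del(self); return NULL;`. PyObject_DEL and PyObject_Del are both used within a few lines of each other; picking one reads better. py_gensec_start_client continues outside the hunk.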
@@ -98,6 +137,10 @@ static PyObject *py_gensec_session_info(PyObject *self)
NTSTATUS status;
struct gensec_security *security = (struct gensec_security *)py_talloc_get_ptr(self);
struct auth_session_info *info;
+ if (security->ops == NULL) {
+ PyErr_SetString(PyExc_ValueError, "gensec not fully initialised - ask Andrew");
+ return NULL;
+ }
status = gensec_session_info(security, &info);
if (NT_STATUS_IS_ERR(status)) {
PyErr_SetNTSTATUS(status);
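Review bot: The error text `"gensec not fully initialised - ask Andrew"` reaches Python callers as the ValueError message, and a personal name in a user-facing string is not actionable; something like `"gensec not fully initialised - no mechanism has been started"` states the condition the `security->ops == NULL` test appears to cover. py_gensec_session_info continues outside the hunk.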
diff --git a/source4/auth/gensec/tests/bindings.py b/source4/auth/gensec/tests/bindings.py
index 95d7833e4a..f88fa82ae1 100644
--- a/source4/auth/gensec/tests/bindings.py
+++ b/source4/auth/gensec/tests/bindings.py
@@ -25,11 +25,15 @@ the functionality, that's already done in other tests.
import unittest
from samba import gensec
+from samba.tests import cmdline_loadparm
class CredentialsTests(unittest.TestCase):
def setUp(self):
- self.gensec = gensec.Security.start_client()
+ settings = {}
+ settings["target_hostname"] = "localhost"
+ settings["lp_ctx"] = cmdline_loadparm
+ self.gensec = gensec.Security.start_client(settings)
def test_info(self):
self.assertEquals(None, self.gensec.session_info())
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 04f0718a62..c00d7b1618 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -368,7 +368,7 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
char **config_files;
- const char *config_file;
+ const char *config_file, *realm;
initialize_krb5_error_table();
@@ -415,14 +415,9 @@ krb5_error_code smb_krb5_init_context(void *parent_ctx,
return ret;
}
- if (lp_realm(lp_ctx) && *lp_realm(lp_ctx)) {
- char *upper_realm = strupper_talloc(tmp_ctx, lp_realm(lp_ctx));
- if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(lp_ctx)));
- talloc_free(tmp_ctx);
- return ENOMEM;
- }
- ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, upper_realm);
+ realm = lp_realm(lp_ctx);
+ if (realm != NULL) {
+ ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, realm);
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index a64c56d920..58a21d2d22 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -332,6 +332,7 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
user_attrs, &domain_dn, &msg);
if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
return nt_status;
}
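Review bot: Any other early return between this hunk and the next still leaks tmp_ctx, since only the sam_get_results_principal() failure path gains the `talloc_free(tmp_ctx);` here; that stretch of authsam_get_server_info_principal is not visible in the diff and is worth checking. The function starts before this hunk and its end is in the following hunk.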
@@ -342,11 +343,15 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
msg,
user_sess_key, lm_sess_key,
server_info);
- if (NT_STATUS_IS_OK(nt_status)) {
- talloc_steal(mem_ctx, *server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
}
+
+ talloc_steal(mem_ctx, *server_info);
talloc_free(tmp_ctx);
- return nt_status;
+
+ return NT_STATUS_OK;
}
static const struct auth_operations sam_ignoredomain_ops = {
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index b55c1cd930..a56b21a1a2 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -186,8 +186,7 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
/* Find out the DNS domain name */
dnsdomname[0] = '\0';
- safe_strcpy(dnsdomname, lp_realm(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
- strlower_m(dnsdomname);
+ safe_strcpy(dnsdomname, lp_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
/* Find out the DNS host name */
safe_strcpy(dnsname, gensec_ntlmssp_state->server_name, sizeof(dnsname) - 1);
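Review bot: With strlower_m() gone, the DNS domain name written into dnsdomname goes out with whatever case lp_dnsdomain() returns; unless that accessor lowercases at load time, a mixed-case `realm` setting is now sent as-is where it used to be forced to lower case, so that should be confirmed. If lp_dnsdomain() can return NULL for an unset realm, the call depends on safe_strcpy() tolerating a NULL source; `dnsdomname[0] = '\0'` above is otherwise the only guard. ntlmssp_server_negotiate continues outside the hunk.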