5 files changed, 37 insertions, 34 deletions
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index cbfe8478b2..df70580db3 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -100,6 +100,7 @@ struct dcerpc_pipe {
 	struct dcerpc_syntax_id transfer_syntax;
 
 	struct dcerpc_connection *conn;
+	struct dcerpc_binding *binding;
 
 	/* the last fault code from a DCERPC fault */
 	uint32_t last_fault_code;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index bffa994abe..f0a7dc8ffe 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -168,7 +168,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 						struct dcerpc_pipe *p,
 						const struct dcerpc_interface_table *table,
 						struct cli_credentials *credentials,
-						uint8_t auth_type,
+						uint8_t auth_type, uint8_t auth_level,
 						const char *service)
 {
 	struct composite_context *c, *creq;
@@ -233,8 +233,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 	}
 
 	c->status = gensec_start_mech_by_authtype(sec->generic_state,
-						  auth_type,
-						  dcerpc_auth_level(p->conn));
+						  auth_type, auth_level);
 	if (!NT_STATUS_IS_OK(c->status)) {
 		DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
 			  gensec_get_name_by_authtype(auth_type),
@@ -249,7 +248,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 	}
 
 	sec->auth_info->auth_type = auth_type;
-	sec->auth_info->auth_level = dcerpc_auth_level(p->conn);
+	sec->auth_info->auth_level = auth_level,
 	sec->auth_info->auth_pad_length = 0;
 	sec->auth_info->auth_reserved = 0;
 	sec->auth_info->auth_context_id = random();
@@ -323,11 +322,11 @@ NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
 			  const struct dcerpc_interface_table *table,
 			  struct cli_credentials *credentials,
-			  uint8_t auth_type,
+			  uint8_t auth_type, uint8_t auth_level,
 			  const char *service)
 {
 	struct composite_context *creq;
 	creq = dcerpc_bind_auth_send(p, p, table, credentials,
-				     auth_type, service);
+				     auth_type, auth_level, service);
 	return dcerpc_bind_auth_recv(creq);
 }
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 1c9ab8c0ed..67dfda6d7a 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -131,29 +131,19 @@ struct composite_context *dcerpc_pipe_connect_ncacn_np_smb_send(TALLOC_CTX *mem_
 	conn->in.called_name            = strupper_talloc(mem_ctx, s->io.binding->host);
 	conn->in.service                = "IPC$";
 	conn->in.service_type           = NULL;
-	conn->in.fallback_to_anonymous  = False;
 	conn->in.workgroup              = lp_workgroup();
 
 	/*
-	 * provide proper credentials - user supplied or anonymous in case this is
-	 * schannel connection
+	 * provide proper credentials - user supplied, but allow a
+	 * fallback to anonymous if this is an schannel connection
+	 * (might be NT4 not allowing machine logins at session
+	 * setup).
 	 */
+	s->conn.in.credentials = s->io.creds;
 	if (s->io.binding->flags & DCERPC_SCHANNEL) {
-		struct cli_credentials *anon_creds;
-
-		anon_creds = cli_credentials_init(mem_ctx);
-		if (!anon_creds) {
-			composite_error(c, NT_STATUS_NO_MEMORY);
-			goto done;
-		}
-
-		cli_credentials_set_anonymous(anon_creds);
-		cli_credentials_guess(anon_creds);
-
-		s->conn.in.credentials = anon_creds;
-
+		conn->in.fallback_to_anonymous  = True;
 	} else {
-		s->conn.in.credentials = s->io.creds;
+		conn->in.fallback_to_anonymous  = False;
 	}
 
 	/* send smb connect request */
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 108b678188..64cf6748e8 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -55,16 +55,15 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
 	  step 1 - establish a netlogon connection, with no authentication
 	*/
 
-	/* Find the original binding string */
-	status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
-		return status;
+	b = talloc(tmp_ctx, struct dcerpc_binding);
+	if (!b) {
+		return NT_STATUS_NO_MEMORY;
 	}
+	*b = *p->binding;
 
 	/* Make binding string for netlogon, not the other pipe */
 	status = dcerpc_epm_map_binding(tmp_ctx, b, 
-									&dcerpc_table_netlogon,
+					&dcerpc_table_netlogon,
 					p->conn->event_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n", 
@@ -141,7 +140,8 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, 
 				   struct dcerpc_pipe *p,
 				   const struct dcerpc_interface_table *table,
-				   struct cli_credentials *credentials)
+				   struct cli_credentials *credentials,
+				   uint8_t auth_level)
 {
 	NTSTATUS status;
 
@@ -156,7 +156,8 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 		return status;
 	}
 
-	return dcerpc_bind_auth(p, table, credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+	return dcerpc_bind_auth(p, table, credentials, 
+				DCERPC_AUTH_TYPE_SCHANNEL, auth_level,
 				NULL);
 }
 
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 15a45ed3f0..6ef91b87b0 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -889,9 +889,10 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
 		/* If we don't already have netlogon credentials for
 		 * the schannel bind, then we have to get these
 		 * first */
-		status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials);
+		status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials,
+						   dcerpc_auth_level(p->conn));
 	} else if (!cli_credentials_is_anonymous(credentials) &&
-		!(binding->transport == NCACN_NP &&
+		!(p->conn->transport.transport == NCACN_NP &&
 		  !(binding->flags & DCERPC_SIGN) &&
 		  !(binding->flags & DCERPC_SEAL))) { 	
 	
@@ -925,7 +926,9 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
 		}
 
 		status = dcerpc_bind_auth(p, table,
-					  credentials, auth_type, table->authservices->names[0]);
+					  credentials, auth_type, 
+					  dcerpc_auth_level(p->conn),
+					  table->authservices->names[0]);
 	} else {
 		status = dcerpc_bind_auth_none(p, table);
 	}
@@ -1099,6 +1102,11 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
 		return status;
 	}
 
+	p->binding = binding;
+	if (!talloc_reference(p, binding)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	status = dcerpc_pipe_auth(p, binding, table, credentials);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(p);
@@ -1195,6 +1203,10 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
 	}
 
 	(*p2)->conn->flags = p->conn->flags;
+	(*p2)->binding = b;
+	if (!talloc_reference(*p2, b)) {
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	return NT_STATUS_OK;
 }