From 5f4d86f955d939e96ec9b81c8a9d080aab4354b6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 4 May 2006 10:03:41 +0000
Subject: r15426: Implement SPNEGO as the default RPC authentication mechanism.
  Where this isn't supported, fallback to NTLM.

Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS.  (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).

Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.

Andrew Bartlett
(This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
---
 source4/auth/gensec/gensec_gssapi.c      |   9 ++
 source4/libnet/libnet_join.c             |   4 +-
 source4/librpc/rpc/dcerpc.h              |   9 +-
 source4/librpc/rpc/dcerpc_connect.c      |  51 +++++-----
 source4/librpc/rpc/dcerpc_util.c         | 156 ++++++++++++++++++++++++++++---
 source4/script/tests/test_session_key.sh |  14 ++-
 source4/script/tests/test_w2k3.sh        |   2 +-
 source4/script/tests/tests_all.sh        |   2 +-
 source4/torture/rpc/bind.c               |   2 +-
 9 files changed, 201 insertions(+), 48 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 4cc067ffde..070e83e97c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -257,6 +257,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (((gensec_security->want_features & GENSEC_FEATURE_SIGN)
+	     || (gensec_security->want_features & GENSEC_FEATURE_SEAL))
+	    && (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE)
+	    && !lp_parm_bool(-1, "gensec_gssapi", "dce_signseal", 
+			     cli_credentials_get_kerberos_state(creds) == CRED_MUST_USE_KERBEROS)) {
+		DEBUG(2, ("GSSAPI sign/seal disabled for DCE/RPC. "));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	nt_status = gensec_gssapi_start(gensec_security);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 9185015da0..743076ee72 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -481,9 +481,9 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
 		return status;
 	}
 
-	samr_pipe = connect_with_info->out.dcerpc_pipe, 
+	samr_pipe = connect_with_info->out.dcerpc_pipe;
 
-	status = dcerpc_pipe_auth(samr_pipe,
+	status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
 				  connect_with_info->out.dcerpc_pipe->binding, 
 				  &dcerpc_table_samr, ctx->cred);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 4c8a615ce5..39de9fcaa8 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -144,16 +144,19 @@ struct dcerpc_pipe {
 /* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */
 #define DCERPC_NDR_REF_ALLOC           (1<<14)
 
-#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5)
+#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5|DCERPC_AUTH_NTLM)
 
-/* enable spnego auth */
+/* select spnego auth */
 #define DCERPC_AUTH_SPNEGO             (1<<15)
 
-/* enable krb5 auth */
+/* select krb5 auth */
 #define DCERPC_AUTH_KRB5               (1<<16)
 
 #define DCERPC_SMB2                    (1<<17)
 
+/* select NTLM auth */
+#define DCERPC_AUTH_NTLM               (1<<18)
+
 /*
   this is used to find pointers to calls
 */
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 2b40935be6..64bb78ec60 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -28,6 +28,7 @@
 #include "smb.h"
 #include "libcli/composite/composite.h"
 #include "libcli/smb_composite/smb_composite.h"
+#include "lib/events/events.h"
 #include "libcli/smb2/smb2.h"
 #include "libcli/smb2/smb2_calls.h"
 #include "auth/credentials/credentials.h"
@@ -762,8 +763,9 @@ static void continue_pipe_auth(struct composite_context *ctx)
 {
 	struct composite_context *c = talloc_get_type(ctx->async.private_data,
 						      struct composite_context);
+	struct pipe_connect_state *s = talloc_get_type(c->private_data, struct pipe_connect_state);
 
-	c->status = dcerpc_pipe_auth_recv(ctx);
+	c->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe);
 	if (!composite_is_ok(c)) return;
 
 	composite_done(c);
@@ -775,7 +777,6 @@ static void continue_pipe_auth(struct composite_context *ctx)
   specified binding structure to determine the endpoint and options
 */
 struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
-						     struct dcerpc_pipe **pp,
 						     struct dcerpc_binding *binding,
 						     const struct dcerpc_interface_table *table,
 						     struct cli_credentials *credentials,
@@ -796,16 +797,19 @@ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
 	c->state = COMPOSITE_STATE_IN_PROGRESS;
 	c->private_data = s;
 
-	(*pp) = NULL;
+	if (ev == NULL) {
+		ev = event_context_init(c);
+		if (ev == NULL) {
+			talloc_free(c);
+			return NULL;
+		}
+	}
+	c->event_ctx = ev;
 
 	/* initialise dcerpc pipe structure */
 	s->pipe = dcerpc_pipe_init(c, ev);
 	if (composite_nomem(s->pipe, c)) return c;
 
-	/* get event context from initialised dcerpc pipe */
-	c->event_ctx = s->pipe->conn->event_ctx;
-	(*pp) = s->pipe;
-
 	/* store parameters in state structure */
 	s->binding      = binding;
 	s->table        = table;
@@ -842,12 +846,10 @@ NTSTATUS dcerpc_pipe_connect_b_recv(struct composite_context *c, TALLOC_CTX *mem
 	
 	status = composite_wait(c);
 	
-	if (NT_STATUS_IS_OK(status) && p) {
-		s = talloc_get_type(c->private_data, struct pipe_connect_state);
-		talloc_steal(mem_ctx, s->pipe);
-		*p = s->pipe;
-	}
-	
+	s = talloc_get_type(c->private_data, struct pipe_connect_state);
+	talloc_steal(mem_ctx, s->pipe);
+	*p = s->pipe;
+
 	talloc_free(c);
 	return status;
 }
@@ -866,7 +868,7 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
 {
 	struct composite_context *c;
 	
-	c = dcerpc_pipe_connect_b_send(parent_ctx, pp, binding, table,
+	c = dcerpc_pipe_connect_b_send(parent_ctx, binding, table,
 				       credentials, ev);
 	return dcerpc_pipe_connect_b_recv(c, parent_ctx, pp);
 }
@@ -908,6 +910,15 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
 	c->state = COMPOSITE_STATE_IN_PROGRESS;
 	c->private_data = s;
 
+	if (ev == NULL) {
+		ev = event_context_init(c);
+		if (ev == NULL) {
+			talloc_free(c);
+			return NULL;
+		}
+	}
+	c->event_ctx = ev;
+
 	/* parse binding string to the structure */
 	status = dcerpc_parse_binding(c, binding, &b);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -922,12 +933,9 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
 	   start connecting to a rpc pipe after binding structure
 	   is established
 	 */
-	pipe_conn_req = dcerpc_pipe_connect_b_send(c, &s->pipe, b, table,
+	pipe_conn_req = dcerpc_pipe_connect_b_send(c, b, table,
 						   credentials, ev);
 
-	/* event context for created dcerpc_pipe would be useful... */
-	c->event_ctx = s->pipe->conn->event_ctx;
-
 	if (composite_nomem(pipe_conn_req, c)) return c;
 
 	composite_continue(c, pipe_conn_req, continue_pipe_connect_b, c);
@@ -947,6 +955,7 @@ static void continue_pipe_connect_b(struct composite_context *ctx)
 						    struct pipe_conn_state);
 
 	c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe);
+	talloc_steal(s, s->pipe);
 	if (!composite_is_ok(c)) return;
 
 	composite_done(c);
@@ -965,10 +974,8 @@ NTSTATUS dcerpc_pipe_connect_recv(struct composite_context *c,
 	struct pipe_conn_state *s;
 
 	status = composite_wait(c);
-	if (NT_STATUS_IS_OK(status) && pp) {
-		s = talloc_get_type(c->private_data, struct pipe_conn_state);
-		*pp = talloc_steal(mem_ctx, s->pipe);
-	}
+	s = talloc_get_type(c->private_data, struct pipe_conn_state);
+	*pp = talloc_steal(mem_ctx, s->pipe);
 
 	talloc_free(c);
 	return status;
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index dc2eded967..6c8ed7ecd8 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -141,6 +141,7 @@ static const struct {
 	{"seal", DCERPC_SEAL},
 	{"connect", DCERPC_CONNECT},
 	{"spnego", DCERPC_AUTH_SPNEGO},
+	{"ntlm", DCERPC_AUTH_NTLM},
 	{"krb5", DCERPC_AUTH_KRB5},
 	{"validate", DCERPC_DEBUG_VALIDATE_BOTH},
 	{"print", DCERPC_DEBUG_PRINT_BOTH},
@@ -936,7 +937,7 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
 	epmapper_binding->endpoint   = NULL;
 
 	/* initiate rpc pipe connection */
-	pipe_connect_req = dcerpc_pipe_connect_b_send(c, &s->pipe, epmapper_binding, &dcerpc_table_epmapper,
+	pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding, &dcerpc_table_epmapper,
 						      anon_creds, c->event_ctx);
 	if (composite_nomem(pipe_connect_req, c)) return c;
 	
@@ -981,6 +982,8 @@ struct pipe_auth_state {
 static void continue_auth_schannel(struct composite_context *ctx);
 static void continue_auth(struct composite_context *ctx);
 static void continue_auth_none(struct composite_context *ctx);
+static void continue_ntlmssp_connection(struct composite_context *ctx);
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx);
 
 
 /*
@@ -1011,6 +1014,111 @@ static void continue_auth(struct composite_context *ctx)
 	
 	composite_done(c);
 }
+/*
+  Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks:
+  SPNEGO -> NTLMSSP
+*/
+static void continue_auth_auto(struct composite_context *ctx)
+{
+	struct composite_context *c = talloc_get_type(ctx->async.private_data,
+						      struct composite_context);
+
+	c->status = dcerpc_bind_auth_recv(ctx);
+	if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) {
+		struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+		struct composite_context *sec_conn_req;
+
+		/* send a request for secondary rpc connection */
+		sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+								s->binding);
+		if (composite_nomem(sec_conn_req, c)) return;
+		
+		composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
+		
+		return;
+	} else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
+		struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+		struct composite_context *sec_conn_req;
+		if (cli_credentials_wrong_password(s->credentials)) {
+			/* send a request for secondary rpc connection */
+			sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+									s->binding);
+			if (composite_nomem(sec_conn_req, c)) return;
+			
+			composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c);
+		}
+	}
+
+	if (!composite_is_ok(c)) return;
+	
+	composite_done(c);
+}
+
+/*
+  Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary
+  rpc connection (the first one can't be used any more, due to the
+  bind nak) and perform authenticated bind request
+*/
+static void continue_ntlmssp_connection(struct composite_context *ctx)
+{
+	struct composite_context *c;
+	struct pipe_auth_state *s;
+	struct composite_context *auth_req;
+	struct dcerpc_pipe *p2;
+
+	c = talloc_get_type(ctx->async.private_data, struct composite_context);
+	s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+	/* receive secondary rpc connection */
+	c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+	talloc_steal(s, p2);
+	talloc_steal(p2, s->pipe);
+	s->pipe = p2;
+
+	if (!composite_is_ok(c)) return;
+
+	/* initiate a authenticated bind */
+	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+					 s->credentials, DCERPC_AUTH_TYPE_NTLMSSP,
+					 dcerpc_auth_level(s->pipe->conn),
+					 s->table->authservices->names[0]);
+	if (composite_nomem(auth_req, c)) return;
+		
+	composite_continue(c, auth_req, continue_auth, c);
+}
+
+/*
+  Stage 3 of pipe_auth (retry on wrong password): Receive secondary
+  rpc connection (the first one can't be used any more, due to the
+  bind nak) and perform authenticated bind request
+*/
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx)
+{
+	struct composite_context *c;
+	struct pipe_auth_state *s;
+	struct composite_context *auth_req;
+	struct dcerpc_pipe *p2;
+
+	c = talloc_get_type(ctx->async.private_data, struct composite_context);
+	s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+	/* receive secondary rpc connection */
+	c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+	talloc_steal(s, p2);
+	talloc_steal(p2, s->pipe);
+	s->pipe = p2;
+
+	if (!composite_is_ok(c)) return;
+
+	/* initiate a authenticated bind */
+	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+					 s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+					 dcerpc_auth_level(s->pipe->conn),
+					 s->table->authservices->names[0]);
+	if (composite_nomem(auth_req, c)) return;
+		
+	composite_continue(c, auth_req, continue_auth, c);
+}
 
 
 /*
@@ -1042,6 +1150,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 	struct composite_context *auth_schannel_req;
 	struct composite_context *auth_req;
 	struct composite_context *auth_none_req;
+	struct dcerpc_connection *conn;
 
 	/* composite context allocation and setup */
 	c = talloc_zero(NULL, struct composite_context);
@@ -1060,10 +1169,11 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 	s->credentials  = credentials;
 	s->pipe         = p;
 
-	s->pipe->conn->flags = binding->flags;
+	conn = s->pipe->conn;
+	conn->flags = binding->flags;
 	
 	/* remember the binding string for possible secondary connections */
-	s->pipe->conn->binding_string = dcerpc_binding_string(p, binding);
+	conn->binding_string = dcerpc_binding_string(p, binding);
 
 	if (!cli_credentials_is_anonymous(s->credentials) &&
 	    (binding->flags & DCERPC_SCHANNEL) &&
@@ -1074,13 +1184,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		 * first */
 		auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table,
 								   s->credentials,
-								   dcerpc_auth_level(s->pipe->conn));
+								   dcerpc_auth_level(conn));
 		if (composite_nomem(auth_schannel_req, c)) return c;
 
 		composite_continue(c, auth_schannel_req, continue_auth_schannel, c);
 
 	} else if (!cli_credentials_is_anonymous(s->credentials) &&
-		   !(s->pipe->conn->transport.transport == NCACN_NP &&
+		   !(conn->transport.transport == NCACN_NP &&
 		     !(s->binding->flags & DCERPC_SIGN) &&
 		     !(s->binding->flags & DCERPC_SEAL))) {
 
@@ -1092,7 +1202,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		
 		uint8_t auth_type;
 
-		if ((s->pipe->conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
+		if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
 			/*
 			  we are doing an authenticated connection,
 			  but not using sign or seal. We must force
@@ -1100,7 +1210,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 			  type doesn't allow authentication
 			  information to be passed.
 			*/
-			s->pipe->conn->flags |= DCERPC_CONNECT;
+			conn->flags |= DCERPC_CONNECT;
 		}
 
 		if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
@@ -1112,13 +1222,22 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		} else if (s->binding->flags & DCERPC_SCHANNEL) {
 			auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 
-		} else {
+		} else if (s->binding->flags & DCERPC_AUTH_NTLM) {
 			auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+		} else {
+			auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+							 s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+							 dcerpc_auth_level(conn),
+							 s->table->authservices->names[0]);
+			if (composite_nomem(auth_req, c)) return c;
+			
+			composite_continue(c, auth_req, continue_auth_auto, c);
+			return c;
 		}
 		
 		auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
 						 s->credentials, auth_type,
-						 dcerpc_auth_level(s->pipe->conn),
+						 dcerpc_auth_level(conn),
 						 s->table->authservices->names[0]);
 		if (composite_nomem(auth_req, c)) return c;
 		
@@ -1137,8 +1256,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 
 /*
   Receive result of authenticated bind request on dcerpc pipe
+
+  This returns *p, which may be different to the one originally
+  supllied, as it rebinds to a new pipe due to authentication fallback
+
 */
-NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
+NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, 
+			       struct dcerpc_pipe **p)
 {
 	NTSTATUS status;
 
@@ -1149,6 +1273,9 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
 		char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid);
 		DEBUG(0, ("Failed to bind to uuid %s - %s\n", uuid_str, nt_errstr(status)));
 		talloc_free(uuid_str);
+	} else {
+		talloc_steal(mem_ctx, s->pipe);
+		*p = s->pipe;
 	}
 
 	talloc_free(c);
@@ -1158,16 +1285,19 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
 
 /* 
    Perform an authenticated bind if needed - sync version
+
+   This may change *p, as it rebinds to a new pipe due to authentication fallback
 */
-NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, 
+NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx,
+			  struct dcerpc_pipe **p, 
 			  struct dcerpc_binding *binding,
 			  const struct dcerpc_interface_table *table,
 			  struct cli_credentials *credentials)
 {
 	struct composite_context *c;
 
-	c = dcerpc_pipe_auth_send(p, binding, table, credentials);
-	return dcerpc_pipe_auth_recv(c);
+	c = dcerpc_pipe_auth_send(*p, binding, table, credentials);
+	return dcerpc_pipe_auth_recv(c, mem_ctx, p);
 }
 
 
diff --git a/source4/script/tests/test_session_key.sh b/source4/script/tests/test_session_key.sh
index 74de90f479..5dbb4052ee 100755
--- a/source4/script/tests/test_session_key.sh
+++ b/source4/script/tests/test_session_key.sh
@@ -2,7 +2,7 @@
 
 if [ $# -lt 4 ]; then
 cat <<EOF
-Usage: test_session_key.sh SERVER USERNAME PASSWORD DOMAIN
+Usage: test_session_key.sh SERVER USERNAME PASSWORD DOMAIN NETBIOSNAME
 EOF
 exit 1;
 fi
@@ -11,7 +11,8 @@ server="$1"
 username="$2"
 password="$3"
 domain="$4"
-shift 4
+netbios_name="$5"
+shift 5
 
 incdir=`dirname $0`
 . $incdir/test_functions.sh
@@ -33,13 +34,16 @@ for bindoptions in validate seal; do
         "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
         "-k no --option=usespnego=no --option=clientntlmv2auth=yes" \
         "-k no --option=gensec:spnego=no --option=clientntlmv2auth=yes" \
-        "-k no --option=usespnego=no" \
-    ; do
+        "-k no --option=usespnego=no"; do
    name="RPC-SECRETS on $transport:$server[$bindoptions] with NTLM2:$ntlm2 KEYEX:$keyexchange LM_KEY:$lm_key $ntlmoptions"
-   testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
+   testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain --option=gensec:target_hostname=$netbios_name RPC-SECRETS "$*" || failed=`expr $failed + 1`
   done
  done
  done
  done
+ name="RPC-SECRETS on $transport:$server[$bindoptions] with Kerberos"
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" -k yes -U"$username"%"$password" -W $domain "--option=gensec:target_hostname=$netbios_name" RPC-SECRETS "$*" || failed=`expr $failed + 1`
+ name="RPC-SECRETS on $transport:$server[$bindoptions] with Kerberos (use target principal)"
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" -k yes -U"$username"%"$password" -W $domain "--option=clientusespnegoprincipal=yes" "--option=gensec:target_hostname=$netbios_name" RPC-SECRETS "$*" || failed=`expr $failed + 1`
 done
 testok $0 $failed
diff --git a/source4/script/tests/test_w2k3.sh b/source4/script/tests/test_w2k3.sh
index 3e7da590c0..d3192e7bc9 100755
--- a/source4/script/tests/test_w2k3.sh
+++ b/source4/script/tests/test_w2k3.sh
@@ -31,7 +31,7 @@ failed=0
 name="RPC-SPOOLSS on ncacn_np"
 testit "$name" bin/smbtorture $TORTURE_OPTIONS ncacn_np:"$server" $OPTIONS RPC-SPOOLSS "$*" || failed=`expr $failed + 1`
 
-for bindoptions in padcheck connect sign seal spnego,sign spnego,seal validate bigendian; do
+for bindoptions in padcheck connect sign seal ntlm,sign ntlm,seal validate bigendian; do
    for transport in ncacn_ip_tcp ncacn_np; do
      case $transport in
 	 ncacn_np) tests=$ncacn_np_tests ;;
diff --git a/source4/script/tests/tests_all.sh b/source4/script/tests/tests_all.sh
index d5d20d8f92..a93614b91c 100755
--- a/source4/script/tests/tests_all.sh
+++ b/source4/script/tests/tests_all.sh
@@ -3,7 +3,7 @@
  $SRCDIR/script/tests/test_nbt.sh $SERVER || failed=`expr $failed + $?`
  $SRCDIR/script/tests/test_quick.sh //$SERVER/cifs $USERNAME $PASSWORD "" || failed=`expr $failed + $?`
  $SRCDIR/script/tests/test_rpc.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
- $SRCDIR/script/tests/test_session_key.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
+ $SRCDIR/script/tests/test_session_key.sh $SERVER $USERNAME $PASSWORD $DOMAIN $NETBIOSNAME || failed=`expr $failed + $?`
  $SRCDIR/script/tests/test_binding_string.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
  $SRCDIR/script/tests/test_echo.sh $SERVER $USERNAME $PASSWORD $DOMAIN || failed=`expr $failed + $?`
  $SRCDIR/script/tests/test_posix.sh //$SERVER/tmp $USERNAME $PASSWORD "" || failed=`expr $failed + $?`
diff --git a/source4/torture/rpc/bind.c b/source4/torture/rpc/bind.c
index 56f3e9a040..17580737f8 100644
--- a/source4/torture/rpc/bind.c
+++ b/source4/torture/rpc/bind.c
@@ -63,7 +63,7 @@ BOOL torture_multi_bind(struct torture_context *torture)
 		return False;
 	}
 
-	status = dcerpc_pipe_auth(p, binding, &dcerpc_table_lsarpc, cmdline_credentials);
+	status = dcerpc_pipe_auth(mem_ctx, &p, binding, &dcerpc_table_lsarpc, cmdline_credentials);
 
 	if (NT_STATUS_IS_OK(status)) {
 		printf("(incorrectly) allowed re-bind to uuid %s - %s\n", 
-- 
cgit