.gitlab-ci-private.yml

+include:
+ - '/.gitlab-ci.yml'
+
+
+.private_template: &private_template
+  stage: build
+  tags:
+    - docker
+    - private
+
+build_samba:
+  <<: *private_template
+  script:
+    # this one takes about 4 hours to finish
+    - python script/autobuild.py samba            --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_nt4:
+  <<: *private_template
+  script:
+    # this one takes about 1 hours to finish
+    - python script/autobuild.py samba-nt4        --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_fileserver:
+  <<: *private_template
+  script:
+    # this one takes about 1 hours to finish
+    - python script/autobuild.py samba-fileserver --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_ad_dc:
+  <<: *private_template
+  script:
+    # this one takes about 1 hours to finish
+    - python script/autobuild.py samba-ad-dc     --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+

.gitlab-ci.yml

 # see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
 
+image: registry.gitlab.com/samba-team/samba:latest
+
+variables:
+  GIT_STRATEGY: fetch
+  GIT_DEPTH: "3"
+
 before_script:
-  - echo "Build starting ..."
+  - echo "Build starting (preparing swap)..."
+  - if [ $(df -m / --output=avail | tail -n1) -gt 10240 ]; then
+      sudo dd if=/dev/zero of=/samba-swap bs=1M count=6144;
+      sudo mkswap /samba-swap;
+      sudo swapon /samba-swap;
+    fi
+
+after_script:
+  - tar -xf logs.tar.gz system-info.txt -O
 
-build_samba:
+.shared_template: &shared_template
   stage: build
   tags:
-    - autobuild
+    - docker
+    - shared
+
+build_samba_none_env:
+  <<: *shared_template
   script:
-    # this one takes about 4 hours to finish
-    - python script/autobuild.py samba            --verbose --tail --testbase /tmp/samba-testbase
+    # this one takes about 1 hours to finish
+    - python script/autobuild.py samba-none-env    --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 
-build_samba_others:
-  stage: build
-  tags:
-    - autobuild
+build_samba_nopython:
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-nopython   --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_systemkrb5:
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-systemkrb5 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_xc:
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-xc         --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_o3:
+  <<: *shared_template
   script:
-    - python script/autobuild.py samba-nopython   --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py samba-xc         --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py samba-o3         --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py samba-libs       --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py samba-static     --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py samba-o3         --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_ad_dc_2:
+  <<: *shared_template
+  script:
+    # this one takes about 1 hours to finish
+    - python script/autobuild.py samba-ad-dc-2     --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_libs:
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-libs       --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_static:
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-static     --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 
 build_ctdb:
-  stage: build
-  tags:
-    - autobuild
+  <<: *shared_template
+  script:
+    - python script/autobuild.py samba-ctdb       --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+
+build_samba_ctdb:
+  <<: *shared_template
   script:
-    - python script/autobuild.py samba-ctdb       --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py ctdb             --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py ctdb             --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 
 build_others:
-  stage: build
-  tags:
-    - autobuild
+  <<: *shared_template
   script:
-    - python script/autobuild.py ldb              --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py pidl             --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py replace          --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py talloc           --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py tdb              --verbose --tail --testbase /tmp/samba-testbase
-    - python script/autobuild.py tevent           --verbose --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py ldb              --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py pidl             --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py replace          --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py talloc           --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tdb              --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
+    - python script/autobuild.py tevent           --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
 
-after_script:
-  - echo "Build finished!"

.travis.yml

@@ -12,8 +12,13 @@ env:
   - TASK=samba-libs
   - TASK=samba-static
   - TASK=samba-o3
+  - TASK=samba-none-env
   - TASK=samba-nopython
   - TASK=samba-systemkrb5
+  - TASK=samba-nt4
+  - TASK=samba-fileserver
+  - TASK=samba-ad-dc
+  - TASK=samba-ad-dc-2
   - TASK=ldb
   - TASK=tdb
   - TASK=talloc
@@ -27,8 +32,14 @@ matrix:
 
 before_install:
  - sudo apt-get update -qq
- - sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown python3-dev xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential ccache curl debhelper dnsutils docbook-xml docbook-xsl emacs24-nox flex gdb git htop jed krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjansson-dev libjson-perl libldap2-dev liblmdb-dev/trusty-backports libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev linux-tools-generic lmdb-utils/trusty-backports nettle-dev perl perl-modules pkg-config psmisc python3-dev python3-dnspython python3-gpgme python3-markdown python3-matplotlib python-all-dev python-crypto python-crypto python-dbg python-dev python-dnspython python-gpgme python-markdown python-novaclient python-pexpect rng-tools screen tshark xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes binutils-gold
+ - sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.gold" 20
+ - sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.bfd" 10
+ - sudo update-alternatives --set ld /usr/bin/ld.gold
 
 script:
- - git fetch --unshallow
+ - if [ $TASK = "pidl" ]; then
+    git fetch --unshallow;
+   fi
  - ./script/autobuild.py --tail --testbase=/tmp $TASK

.ycm_extra_conf.py

@@ -47,6 +47,7 @@ flags = [
     '-D_XOPEN_SOURCE_EXTENDED=1',
     '-DAD_DC_BUILD_IS_ENABLED=1',
     '-DHAVE_IPV6=1',
+    '-DFALL_THROUGH',
     '-I/usr/local/include',
     '-I.',
     '-Iauth',

README.Coding

@@ -16,15 +16,15 @@ style should never outweigh coding itself and so the guidelines
 described here are hopefully easy enough to follow as they are very
 common and supported by tools and editors.
 
-The basic style for C code, also mentioned in prog_guide4.txt, is the Linux kernel
-coding style (See Documentation/CodingStyle in the kernel source tree). This
-closely matches what most Samba developers use already anyways, with a few
-exceptions as mentioned below.
+The basic style for C code is the Linux kernel coding style (See
+Documentation/CodingStyle in the kernel source tree). This closely matches
+what most Samba developers use already anyways, with a few exceptions as
+mentioned below.
 
 The coding style for Python code is documented in PEP8,
-http://www.python.org/pep/pep8 (with spaces). 
-If you have ever worked on another free software Python project, you are
-probably already familiar with it.
+https://www.python.org/dev/peps/pep-0008/. New Python code should be compatible
+with Python 2.6, 2.7, and Python 3.4 onwards. This means using Python 3 syntax
+with the appropriate 'from __future__' imports.
 
 But to save you the trouble of reading the Linux kernel style guide, here
 are the highlights.
@@ -99,6 +99,8 @@ BreakBeforeBraces: Linux
 AllowShortIfStatementsOnASingleLine: false
 IndentCaseLabels: false
 BinPackParameters: false
+BinPackArguments: false
+SortIncludes: false
 
 
 =========================
@@ -201,8 +203,8 @@ parameters across lines and not as encourage for gratuitous line
 splitting.  Never split a line before columns 70 - 79 unless you
 have a really good reason. Be smart about formatting.
 
-One exception to the previous rule is function declarations and
-definitions. In function declarations and definitions, either the
+One exception to the previous rule is function calls, declarations, and
+definitions. In function calls, declarations, and definitions, either the
 declaration is a one-liner, or each parameter is listed on its own
 line. The rationale is that if there are many parameters, each one
 should be on its own line to make tracking interface changes easier.

VERSION

@@ -24,7 +24,7 @@
 #  ->  "3.0.0"                                         #
 ########################################################
 SAMBA_VERSION_MAJOR=4
-SAMBA_VERSION_MINOR=8
+SAMBA_VERSION_MINOR=9
 SAMBA_VERSION_RELEASE=1
 
 ########################################################

auth/common_auth.h

@@ -122,6 +122,9 @@ struct auth4_context {
 	/* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
 	struct ldb_context *sam_ctx;
 
+	/* The time this authentication started */
+	struct timeval start_time;
+
 	/* Private data for the callbacks on this auth context */
 	void *private_data;
 
@@ -178,6 +181,7 @@ struct auth4_context {
  */
 void log_authentication_event(struct imessaging_context *msg_ctx,
 			      struct loadparm_context *lp_ctx,
+			      const struct timeval *start_time,
 			      const struct auth_usersupplied_info *ui,
 			      NTSTATUS status,
 			      const char *account_name,

auth/credentials/credentials.c

@@ -1277,17 +1277,21 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
 				*++p = '\0'; /* advance p, and null-terminate pass */
 				break;
 			}
-			/* fall through */
+
+			FALL_THROUGH;
 		case 0:
 			if (p - pass) {
 				*p = '\0'; /* null-terminate it, just in case... */
 				p = NULL; /* then force the loop condition to become false */
 				break;
-			} else {
-				fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
-				return false;
 			}
 
+			fprintf(stderr,
+				"Error reading password from file descriptor "
+				"%d: empty password\n",
+				fd);
+			return false;
+
 		default:
 			fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
 					fd, strerror(errno));

auth/credentials/credentials_krb5.c

@@ -34,6 +34,7 @@
 #include "auth/kerberos/kerberos_util.h"
 #include "auth/kerberos/pac_utils.h"
 #include "param/param.h"
+#include "../libds/common/flags.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -974,7 +975,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 	const char *upn = NULL;
 	const char *realm = cli_credentials_get_realm(cred);
 	char *salt_principal = NULL;
-	bool is_computer = false;
+	uint32_t uac_flags = 0;
 
 	if (cred->keytab_obtained >= (MAX(cred->principal_obtained, 
 					  cred->username_obtained))) {
@@ -999,9 +1000,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 
 	switch (cred->secure_channel_type) {
 	case SEC_CHAN_WKSTA:
-	case SEC_CHAN_BDC:
 	case SEC_CHAN_RODC:
-		is_computer = true;
+		uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
+		break;
+	case SEC_CHAN_BDC:
+		uac_flags = UF_SERVER_TRUST_ACCOUNT;
+		break;
+	case SEC_CHAN_DOMAIN:
+	case SEC_CHAN_DNS_DOMAIN:
+		uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
 		break;
 	default:
 		upn = cli_credentials_get_principal(cred, mem_ctx);
@@ -1009,13 +1016,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
 			TALLOC_FREE(mem_ctx);
 			return ENOMEM;
 		}
+		uac_flags = UF_NORMAL_ACCOUNT;
 		break;
 	}
 
 	ret = smb_krb5_salt_principal(realm,
 				      username, /* sAMAccountName */
 				      upn, /* userPrincipalName */
-				      is_computer,
+				      uac_flags,
 				      mem_ctx,
 				      &salt_principal);
 	if (ret) {

auth/credentials/credentials_secrets.c

@@ -109,7 +109,7 @@ static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
 
 	whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
 	if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) {
-		/* This attribute is mandetory */
+		/* This attribute is mandatory */
 		talloc_free(mem_ctx);
 		return NT_STATUS_NOT_FOUND;
 	}
@@ -120,7 +120,10 @@ static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
 		return NT_STATUS_NOT_FOUND;
 	}
 
-	if (lct == secrets_tdb_last_change_time && secrets_tdb_password && strcmp(password, secrets_tdb_password) != 0) {
+	if ((lct == secrets_tdb_last_change_time) &&
+	    (secrets_tdb_password != NULL) &&
+	    (password != NULL) &&
+	    (strcmp(password, secrets_tdb_password) != 0)) {
 		talloc_free(mem_ctx);
 		return NT_STATUS_NOT_FOUND;
 	}
@@ -235,16 +238,25 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 {
 	struct db_context *db_ctx;
 	char *secrets_tdb_path;
+	int hash_size, tdb_flags;
 
 	secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
 	if (secrets_tdb_path == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0,
-				   TDB_DEFAULT, O_RDWR, 0600,
-				   DBWRAP_LOCK_ORDER_1,
-				   DBWRAP_FLAG_NONE);
+	hash_size = lpcfg_tdb_hash_size(lp_ctx, secrets_tdb_path);
+	tdb_flags = lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT);
+
+	db_ctx = dbwrap_local_open(
+		cred,
+		secrets_tdb_path,
+		hash_size,
+		tdb_flags,
+		O_RDWR,
+		0600,
+		DBWRAP_LOCK_ORDER_1,
+		DBWRAP_FLAG_NONE);
 	TALLOC_FREE(secrets_tdb_path);
 
 	/*
@@ -372,7 +384,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 				if (security != SEC_ADS) {
 					break;
 				}
-				/* fall through */
+
+				FALL_THROUGH;
 			case ROLE_ACTIVE_DIRECTORY_DC:
 				use_kerberos = CRED_AUTO_USE_KERBEROS;
 				break;

auth/credentials/pycredentials.c

@@ -130,7 +130,7 @@ static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyOb
 	ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN
 			            "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}",
 			    "flags", flags,
-			    "lm_reponse",
+			    "lm_response",
 			    (const char *)lm_response.data, lm_response.length,
 			    "nt_response",
 			    (const char *)nt_response.data, nt_response.length,
@@ -680,6 +680,16 @@ static PyObject *py_creds_set_secure_channel_type(PyObject *self, PyObject *args
 	Py_RETURN_NONE;
 }
 
+static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args)
+{
+	enum netr_SchannelType channel_type = SEC_CHAN_NULL;
+
+	channel_type = cli_credentials_get_secure_channel_type(
+		PyCredentials_AsCliCredentials(self));
+
+	return PyInt_FromLong(channel_type);
+}
+
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 						      PyObject *args)
 {
@@ -815,6 +825,8 @@ static PyMethodDef py_creds_methods[] = {
 		"Get a new client NETLOGON_AUTHENTICATOR"},
 	{ "set_secure_channel_type", py_creds_set_secure_channel_type,
 	  METH_VARARGS, NULL },
+	{ "get_secure_channel_type", py_creds_get_secure_channel_type,
+	  METH_VARARGS },
 	{ "encrypt_netr_crypt_password",
 		py_creds_encrypt_netr_crypt_password,
 		METH_VARARGS,

auth/credentials/tests/bind.py

@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 # This is unit with tests for LDAP access checks
 
+from __future__ import print_function
 import optparse
 import sys
 import base64
@@ -95,13 +96,13 @@ operatingSystem: Windows Server 2003
 dn: """ + self.computer_dn + """
 changetype: modify
 replace: unicodePwd
-unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
+unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
 """)
 
         # do a simple bind and search with the machine account
         creds_machine.set_bind_dn(self.computer_dn)
         creds_machine.set_password(self.password)
-        print "BindTest with: " + creds_machine.get_bind_dn()
+        print("BindTest with: " + creds_machine.get_bind_dn())
         ldb_machine = samba.tests.connect_samdb(host, credentials=creds_machine,
                                                 lp=lp, ldap_only=True)
         res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
@@ -119,7 +120,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
         # do a simple bind and search with the user account in format user@realm
         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
         creds_user1.set_password(self.password)
-        print "BindTest with: " + creds_user1.get_bind_dn()
+        print("BindTest with: " + creds_user1.get_bind_dn())
         ldb_user1 = samba.tests.connect_samdb(host, credentials=creds_user1,
                                               lp=lp, ldap_only=True)
         res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
@@ -127,7 +128,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
         # do a simple bind and search with the user account in format domain\user
         creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username)
         creds_user2.set_password(self.password)
-        print "BindTest with: " + creds_user2.get_bind_dn()
+        print("BindTest with: " + creds_user2.get_bind_dn())
         ldb_user2 = samba.tests.connect_samdb(host, credentials=creds_user2,
                                               lp=lp, ldap_only=True)
         res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
@@ -135,7 +136,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
         # do a simple bind and search with the user account DN
         creds_user3.set_bind_dn(str(user_dn))
         creds_user3.set_password(self.password)
-        print "BindTest with: " + creds_user3.get_bind_dn()
+        print("BindTest with: " + creds_user3.get_bind_dn())
         ldb_user3 = samba.tests.connect_samdb(host, credentials=creds_user3,
                                               lp=lp, ldap_only=True)
         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
@@ -154,7 +155,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
         creds_user4.set_password(self.password)
         creds_user4.set_domain('')
         creds_user4.set_workstation('')
-        print "BindTest (no domain) with: " + self.username
+        print("BindTest (no domain) with: " + self.username)
         try:
             ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4,
                                               lp=lp, ldap_only=True)

auth/credentials/wscript_build

@@ -25,8 +25,11 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
 	deps='samba-credentials')
 
 for env in bld.gen_python_environments():
+        pytalloc_util = bld.pyembed_libname('pytalloc-util')
+        pyparam_util = bld.pyembed_libname('pyparam_util')
+
 	bld.SAMBA_PYTHON('pycredentials',
 		source='pycredentials.c',
-		public_deps='samba-credentials cmdline-credentials pytalloc-util pyparam_util CREDENTIALS_KRB5 CREDENTIALS_SECRETS',
+		public_deps='samba-credentials cmdline-credentials %s %s CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util),
 		realname='samba/credentials.so'
 		)

auth/gensec/spnego.c

@@ -1649,7 +1649,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
 			return tevent_req_post(req, ev);
 		}
 
-		/* fall through */
+		FALL_THROUGH;
 	case SPNEGO_CLIENT_START:
 	case SPNEGO_SERVER_START:
 

auth/kerberos/gssapi_pac.c

@@ -165,7 +165,7 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 		DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
 			  "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
 	} else if (gss_maj != 0) {
-		DEBUG(2, ("obtaining PAC via GSSAPI gss_inqiure_sec_context_by_oid (Heimdal OID) failed: %s\n",
+		DEBUG(2, ("obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: %s\n",
 			  gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
 	} else {
 		if (set == GSS_C_NO_BUFFER_SET) {

auth/ntlmssp/gensec_ntlmssp_server.c

@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 
-	if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
-		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
-			/*
-			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
-			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
-			 * is requested.
-			 */
-			ntlmssp_state->force_wrap_seal = true;
-		}
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-	}
 
 	if (role == ROLE_STANDALONE) {
 		ntlmssp_state->server.is_standalone = true;

auth/ntlmssp/ntlmssp_client.c

@@ -777,7 +777,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
 
-	ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
+	ntlmssp_state->use_nt_response = \
+		gensec_setting_bool(gensec_security->settings,
+				    "ntlmssp_client",
+				    "send_nt_response",
+				    true);
 
 	ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
 
@@ -865,13 +869,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 			 * is requested.
 			 */
 			ntlmssp_state->force_wrap_seal = true;
-			/*
-			 * We want also work against old Samba servers
-			 * which didn't had GENSEC_FEATURE_LDAP_STYLE
-			 * we negotiate SEAL too. We may remove this
-			 * in a few years. As all servers should have
-			 * GENSEC_FEATURE_LDAP_STYLE by then.
-			 */
+		}
+	}
+	if (ntlmssp_state->force_wrap_seal) {
+		bool ret;
+
+		/*
+		 * We want also work against old Samba servers
+		 * which didn't had GENSEC_FEATURE_LDAP_STYLE
+		 * we negotiate SEAL too. We may remove this
+		 * in a few years. As all servers should have
+		 * GENSEC_FEATURE_LDAP_STYLE by then.
+		 */
+		ret = gensec_setting_bool(gensec_security->settings,
+					  "ntlmssp_client",
+					  "ldap_style_send_seal",
+					  true);
+		if (ret) {
 			ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 		}
 	}

auth/ntlmssp/ntlmssp_server.c

@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 	data_blob_free(&ntlmssp_state->challenge_blob);
 
 	if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+			/*
+			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+			 * is requested.
+			 */
+			ntlmssp_state->force_wrap_seal = true;
+		}
 		nt_status = ntlmssp_sign_init(ntlmssp_state);
 	}