[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Mar 27 22:05:03 UTC 2017


The branch, master has been updated
       via  f55399f samba_dnsupdate: Add additional debugging
       via  2fc074b whitespace: remove in rootdse
       via  2eb487f selftest/target/Samba.pm: Remove whitespace
       via  a6c00ae getncchanges: remove whitespace
       via  8e82581 wbinfo: Prevent client segfault with given EOF
       via  73bd0eb selftest: Check that LDAP is available during RODC startup
       via  6c23c94 repl_secret: Error condition should sound harmless
       via  84204e9 selftest: Add more RODC tests to avoid regressions here
       via  6ccdd3f repl_secret: Prevent null deref on DEBUG
       via  12c7373 auth/sam: Remove lastLogonTimestamp from RODC success accounting
       via  a998c00 heimdal: Add initializer for stack pointers
       via  a2f6327 auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
      from  b6baf35 selftest: tests for vfs_fruite file-id behavior

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f55399fb39da533c573b2ee82c26bed46aa55593
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Feb 27 11:39:51 2017 +1300

    samba_dnsupdate: Add additional debugging
    
    Tests are still flapping, because it claims it needs a cache rebuild.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144

commit 2fc074b6f5e2298d8ad55312d8a12a8cd80ce3b9
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 26 09:19:13 2016 +1300

    whitespace: remove in rootdse
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 2eb487fdbd800ad89086eaaeb698b274f8073290
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed Oct 12 18:00:34 2016 +1300

    selftest/target/Samba.pm: Remove whitespace
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit a6c00aed11bf0e5dbb551a97cfae5ada99e13d03
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Oct 11 10:12:55 2016 +1300

    getncchanges: remove whitespace
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 8e82581f575bc8aacaf7d74deab77a21737ceab6
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 27 15:49:25 2017 +1300

    wbinfo: Prevent client segfault with given EOF
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 73bd0ebe5501dbbc3efef87209262f3a697b9115
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 27 15:26:48 2017 +1300

    selftest: Check that LDAP is available during RODC startup
    
    Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6c23c94be38db043c395e103e37c637a66ae9b34
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Mar 27 14:30:19 2017 +1300

    repl_secret: Error condition should sound harmless
    
    In the case it is not in the replication group, it is correct to deny
    the replication.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 84204e9716c6021b1d4d8f2691bbf836d163fa9f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Mar 24 12:12:43 2017 +1300

    selftest: Add more RODC tests to avoid regressions here
    
    This ensures that the RODC can authenticate users over wbinfo, normal services and SamLogon,
    including in particular the important need-to-be-forwarded case.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit 6ccdd3f53cf7e52823772f5fdb80385e6ac6548e
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Mar 21 15:02:50 2017 +1300

    repl_secret: Prevent null deref on DEBUG
    
    Code path with has_get_all_changes could not be exercised until
    recently.
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 12c7373e943dde864383455858d151d6e5f3c85d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Mar 23 16:04:04 2017 +1300

    auth/sam: Remove lastLogonTimestamp from RODC success accounting
    
    This is because it cannot be updated here (only SendToSAM) and prevents
    RODC from resetting the badPwdCount (as well as lockoutTime, which needs
    to be fixed to allow RODC local modification).
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a998c0073f508437714f462661165309049c1b10
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 20 15:15:39 2017 +1300

    heimdal: Add initializer for stack pointers
    
    This helps ensure we know these are NULL until set
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

commit a2f6327f9f6ee760ef28a024fb26a49ca2aa43e6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 6 12:11:18 2017 +1300

    auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
    
    So far this is only on the AD DC
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Pair-Programmed-by: Gary Lockyer <gary at catalyst.net.nz>
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h                              |  1 +
 auth/ntlmssp/gensec_ntlmssp_server.c            |  1 +
 nsswitch/wbinfo.c                               |  3 +-
 python/samba/tests/blackbox/samba_dnsupdate.py  |  8 +++---
 selftest/knownfail                              |  2 ++
 selftest/target/Samba.pm                        |  2 +-
 selftest/target/Samba4.pm                       | 37 ++++++++++++++-----------
 source3/auth/auth_generic.c                     |  3 +-
 source3/script/tests/test_rpcclient_samlogon.sh |  6 ++--
 source4/auth/pyauth.c                           |  1 +
 source4/auth/sam.c                              | 18 +++++++++---
 source4/auth/session.c                          |  9 ++++++
 source4/dsdb/repl/drepl_secret.c                | 10 +++++--
 source4/dsdb/samdb/ldb_modules/rootdse.c        |  6 ++--
 source4/dsdb/tests/python/token_group.py        | 16 ++++++++++-
 source4/heimdal/kdc/kerberos5.c                 |  4 +--
 source4/rpc_server/drsuapi/getncchanges.c       | 11 ++++----
 source4/scripting/bin/samba_dnsupdate           |  4 +++
 source4/selftest/tests.py                       | 18 ++++++++++--
 19 files changed, 114 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 8cbfc54..95b36cd 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -39,6 +39,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_AUTHENTICATED      0x02 /* Add the user to the 'authenticated users' group */
 #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES  0x04 /* Use a trivial map between users and privilages, rather than a DB */
 #define AUTH_SESSION_INFO_UNIX_TOKEN         0x08 /* The returned token must have the unix_token and unix_info elements provided */
+#define AUTH_SESSION_INFO_NTLM               0x10 /* The returned token must have authenticated-with-NTLM flag set */
 
 struct auth_usersupplied_info
 {
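
Review bot: the comment on AUTH_SESSION_INFO_NTLM ("must have authenticated-with-NTLM flag set") does not describe what the flag actually requests; per the source4/auth/session.c hunk in this same changeset, it makes auth_generate_session_info append SID_NT_NTLM_AUTHENTICATION (S-1-5-64-10) to the token. Suggest wording it as "The returned token must include the NTLM authentication SID (S-1-5-64-10)", so readers of the header know this is a SID in the token and not a separate flag.
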
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index da0cd50..561c7cf 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -62,6 +62,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
 	}
 
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+	session_info_flags |= AUTH_SESSION_INFO_NTLM;
 
 	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
 		nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx, 
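
Review bot: AUTH_SESSION_INFO_NTLM is set unconditionally for every NTLMSSP session here, and the only generate_session_info implementation in this changeset that acts on it is source4/auth/session.c (the source3 path instead receives the flag from auth_generic.c). A one-line comment noting that generators which do not understand the flag simply ignore it would save the next reader a search, and would back up the "only on the AD DC" statement in the commit message.
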
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 57f2b3b..67a97b5 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1781,7 +1781,8 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
 						get_winbind_netbios_name(),
 						get_winbind_domain());
 
-		if (!SMBNTLMv2encrypt(NULL, name_user, name_domain, pass,
+		if (pass != NULL &&
+		    !SMBNTLMv2encrypt(NULL, name_user, name_domain, pass,
 				      &server_chal,
 				      &names_blob,
 				      &lm, &nt, NULL, NULL)) {
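
Review bot: with `pass == NULL` the new guard skips SMBNTLMv2encrypt entirely, so the function falls through with `lm` and `nt` never filled in rather than reporting the missing password. Unless the code after this block already handles empty blobs, an explicit branch for the NULL case that prints an error and returns false would be clearer than silently continuing.
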
diff --git a/python/samba/tests/blackbox/samba_dnsupdate.py b/python/samba/tests/blackbox/samba_dnsupdate.py
index ee8ae26..7ddaab7 100644
--- a/python/samba/tests/blackbox/samba_dnsupdate.py
+++ b/python/samba/tests/blackbox/samba_dnsupdate.py
@@ -49,11 +49,11 @@ class SambaDnsUpdateTests(samba.tests.BlackboxTestCase):
 
         self.assertTrue("No DNS updates needed" in out, out)
         try:
-            out = self.check_output("samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip=%s" % self.server_ip)
+            rpc_out = self.check_output("samba_dnsupdate --verbose --use-samba-tool --rpc-server-ip=%s" % self.server_ip)
         except samba.tests.BlackboxProcessError as e:
             self.fail("Error calling samba_dnsupdate: %s" % e)
 
-        self.assertTrue(" DNS updates and" in out, out)
-        self.assertTrue(" DNS deletes needed" in out, out)
+        self.assertTrue(" DNS updates and" in rpc_out, rpc_out)
+        self.assertTrue(" DNS deletes needed" in rpc_out, rpc_out)
         out = self.check_output("samba_dnsupdate --verbose")
-        self.assertTrue("No DNS updates needed" in out, out)
+        self.assertTrue("No DNS updates needed" in out, out + rpc_out)
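
Review bot: the message on the last assertion is `out + rpc_out`, which concatenates the two command outputs with nothing between them, so a failure dump is hard to read. A separator such as `out + "\n--- rpc run ---\n" + rpc_out` keeps the two runs distinguishable.
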
diff --git a/selftest/knownfail b/selftest/knownfail
index cfd4b35..b250380 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -217,6 +217,8 @@
 ^samba.wbinfo_simple.\(ad_dc:local\).--allocate-gid
 ^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
 ^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
+^samba.wbinfo_simple.\(rodc:local\).--allocate-uid
+^samba.wbinfo_simple.\(rodc:local\).--allocate-gid
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index e5c7f93..9fc84b5 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -247,7 +247,7 @@ sub mk_realms_stanza($$$$)
 {
 	my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
 	my $lc_domain = lc($domain);
-	
+
 	my $realms_stanza = "
  $realm = {
   kdc = $kdc_ipv4:88
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8b5e699..1209893 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -211,7 +211,7 @@ sub wait_for_start($$)
 	}
 
 	# Ensure we have the first RID Set before we start tests.  This makes the tests more reliable.
-	if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOSNAME} eq "RODC")) {
+	if ($testenv_vars->{SERVER_ROLE} eq "domain controller") {
 		# Add hosts file for name lookups
 		$ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS};
 		if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) {
@@ -220,22 +220,27 @@ sub wait_for_start($$)
 			$ENV{RESOLV_WRAPPER_HOSTS} = $testenv_vars->{RESOLV_WRAPPER_HOSTS};
 		}
 
-	    print "waiting for working LDAP and a RID Set to be allocated\n";
-	    my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
-	    my $count = 0;
-	    my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
-	    my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
-	    my $max_wait = 60;
-	    my $cmd = "$ldbsearch $testenv_vars->{CONFIGURATION} -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool";
-	    while (system("$cmd >/dev/null") != 0) {
-		$count++;
-		if ($count > $max_wait) {
-		    warn("Timed out ($max_wait sec) waiting for working LDAP and a RID Set to be allocated by $testenv_vars->{NETBIOSNAME} PID $testenv_vars->{SAMBA_PID}");
-		    $ret = -1;
-		    last;
+		print "waiting for working LDAP and a RID Set to be allocated\n";
+		my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
+		my $count = 0;
+		my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
+
+		my $search_dn = $base_dn;
+		if ($testenv_vars->{NETBIOSNAME} ne "RODC") {
+			# TODO currently no check for actual rIDAllocationPool
+			$search_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
+		}
+		my $max_wait = 60;
+		my $cmd = "$ldbsearch $testenv_vars->{CONFIGURATION} -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$search_dn\"";
+		while (system("$cmd >/dev/null") != 0) {
+			$count++;
+			if ($count > $max_wait) {
+				warn("Timed out ($max_wait sec) waiting for working LDAP and a RID Set to be allocated by $testenv_vars->{NETBIOSNAME} PID $testenv_vars->{SAMBA_PID}");
+				$ret = -1;
+				last;
+			}
+			sleep(1);
 		}
-		sleep(1);
-	    }
 	}
 	print $self->getlog_env($testenv_vars);
 
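Review bot: for the RODC branch `$search_dn` is just `$base_dn`, yet both the progress line and the warn() still say "a RID Set to be allocated"; make the messages role-specific so an RODC timeout is not misread as a RID allocation problem. Also note that `ldbsearch -s base` only tells you the object exists (the rIDAllocationPool attribute is no longer requested for the RWDC case either), so, as the TODO admits, the loop now only waits for working LDAP and for the object to exist.
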
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 875b7ff..b7b9527 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -403,7 +403,8 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 								server_info,
 								user_info->client.account_name,
 								AUTH_SESSION_INFO_UNIX_TOKEN |
-								AUTH_SESSION_INFO_DEFAULT_GROUPS,
+								AUTH_SESSION_INFO_DEFAULT_GROUPS |
+								AUTH_SESSION_INFO_NTLM,
 								session_info);
 		TALLOC_FREE(server_info);
 	}
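
Review bot: AUTH_SESSION_INFO_NTLM is hard-coded into every session built through auth_check_password_session_info, while the NTLMSSP layer already sets the same flag in gensec_ntlmssp_session_info. If this callback can also be reached for non-NTLMSSP password checks, the S-1-5-64-10 SID would be attached to those sessions too; either gate the flag on the mechanism or add a comment explaining why every caller of this function is an NTLM authentication.
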
diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
index a41ae44..26f0f88 100755
--- a/source3/script/tests/test_rpcclient_samlogon.sh
+++ b/source3/script/tests/test_rpcclient_samlogon.sh
@@ -10,16 +10,16 @@ fi
 USERNAME="$1"
 PASSWORD="$2"
 shift 2
-ADDARGS="$*"
+ADDARGS="$@"
 
 rpcclient_samlogon_schannel_seal()
 {
-	$VALGRIND $BINDIR/rpcclient -U% -c "schannel;samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
+	$VALGRIND $BINDIR/rpcclient -U% -c "schannel;samlogon '$USERNAME' '$PASSWORD';samlogon '$USERNAME' '$PASSWORD'" $@
 }
 
 rpcclient_samlogon_schannel_sign()
 {
-	$VALGRIND $BINDIR/rpcclient -U% -c "schannelsign;samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
+	$VALGRIND $BINDIR/rpcclient -U% -c "schannelsign;samlogon '$USERNAME' '$PASSWORD';samlogon '$USERNAME' '$PASSWORD'" $@
 }
 
 incdir=`dirname $0`/../../../testprogs/blackbox
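
Review bot: `ADDARGS="$@"` assigned to a scalar behaves the same as `"$*"` (the arguments are joined with the first character of IFS), so the change does not preserve argument boundaries; the two functions below use `$@` directly anyway, so ADDARGS should either be dropped or used consistently. The single quotes around '$USERNAME' and '$PASSWORD' handle the "testallowed account" space case but will break on a value containing a single quote; acceptable for a selftest, but worth a comment.
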
diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index 2d82760..4cb12f8 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -333,6 +333,7 @@ MODULE_INIT_FUNC(auth)
 	ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
 	ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
 	ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
+	ADD_FLAG(AUTH_SESSION_INFO_NTLM);
 
 	return m;
 }
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 759585e..7df23d5 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -831,6 +831,7 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
 	struct timeval tv_now;
 	NTTIME now;
 	NTTIME lastLogonTimestamp;
+	bool am_rodc = false;
 
 	mem_ctx = talloc_new(msg);
 	if (mem_ctx == NULL) {
@@ -902,11 +903,20 @@ NTSTATUS authsam_logon_success_accounting(struct ldb_context *sam_ctx,
 		}
 	}
 
-	status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
-						    lastLogonTimestamp, now);
-	if (!NT_STATUS_IS_OK(status)) {
+	ret = samdb_rodc(sam_ctx, &am_rodc);
+	if (ret != LDB_SUCCESS) {
 		TALLOC_FREE(mem_ctx);
-		return NT_STATUS_NO_MEMORY;
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	if (!am_rodc) {
+		/* TODO Perform the (async) SendToSAM calls for MS-SAMS */
+		status = authsam_update_lastlogon_timestamp(sam_ctx, msg_mod, domain_dn,
+							    lastLogonTimestamp, now);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(mem_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
 	}
 
 	if (msg_mod->num_elements > 0) {
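
Review bot: the error path inside the new `if (!am_rodc)` block still maps any failure from authsam_update_lastlogon_timestamp to NT_STATUS_NO_MEMORY, hiding the real status; returning `status` there would preserve it. Also `lastLogonTimestamp` (declared above) is now only consumed inside the non-RODC branch; if it is fetched from the message unconditionally, that lookup could move inside the branch as well.
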
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 3d8714c..982d51d 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -154,6 +154,15 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		num_sids++;
 	}
 
+	if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
+		sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+		NT_STATUS_HAVE_NO_MEMORY(sids);
+
+		if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) {
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+		num_sids++;
+	}
 
 
 	if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
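
Review bot: the `return NT_STATUS_INTERNAL_ERROR` on dom_sid_parse failure returns without freeing tmp_ctx; if the other error paths in auth_generate_session_info free tmp_ctx before returning, this one should match (NT_STATUS_HAVE_NO_MEMORY has the same shape but mirrors the existing pattern in the hunk above). Since SID_NT_NTLM_AUTHENTICATION is a compile-time constant, a parse failure is a programming error, and a one-line comment saying so would explain the bare INTERNAL_ERROR.
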
diff --git a/source4/dsdb/repl/drepl_secret.c b/source4/dsdb/repl/drepl_secret.c
index 7c8f8b7..b7f3680 100644
--- a/source4/dsdb/repl/drepl_secret.c
+++ b/source4/dsdb/repl/drepl_secret.c
@@ -42,8 +42,14 @@ static void drepl_repl_secret_callback(struct dreplsrv_service *service,
 {
 	struct repl_secret_state *state = talloc_get_type_abort(cb_data, struct repl_secret_state);
 	if (!W_ERROR_IS_OK(werr)) {
-		DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
-			 state->user_dn, win_errstr(werr), ext_err));
+		if (W_ERROR_EQUAL(werr, WERR_DS_DRA_SECRETS_DENIED)) {
+			DEBUG(3,(__location__ ": repl secret disallowed for user "
+				 "%s - not in allowed replication group\n",
+				 state->user_dn));
+		} else {
+			DEBUG(3,(__location__ ": repl secret failed for user %s - %s: extended_ret[0x%X]\n",
+				 state->user_dn, win_errstr(werr), ext_err));
+		}
 	} else {
 		DEBUG(3,(__location__ ": repl secret completed OK for '%s'\n", state->user_dn));
 	}
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 86ca89f..d3483fc 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -217,7 +217,7 @@ static int dsdb_module_we_are_master(struct ldb_module *module, struct ldb_dn *d
 		talloc_free(tmp_ctx);
 		return ret;
 	}
-	
+
 	talloc_free(tmp_ctx);
 	return LDB_SUCCESS;
 }
@@ -738,11 +738,11 @@ static int rootdse_filter_operations(struct ldb_module *module, struct ldb_reque
 	if (session_info) {
 		is_anonymous = security_token_is_anonymous(session_info->security_token);
 	}
-	
+
 	if (is_anonymous == false || (priv && priv->block_anonymous == false)) {
 		return LDB_SUCCESS;
 	}
-	
+
 	if (req->operation == LDB_SEARCH) {
 		if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
 			return LDB_SUCCESS;
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index e3a7586..6a9c867 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -24,7 +24,7 @@ from samba.dsdb import GTYPE_SECURITY_GLOBAL_GROUP, GTYPE_SECURITY_UNIVERSAL_GRO
 import samba.tests
 from samba.tests import delete_force
 from samba.dcerpc import samr, security
-from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
+from samba.auth import AUTH_SESSION_INFO_DEFAULT_GROUPS, AUTH_SESSION_INFO_AUTHENTICATED, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, AUTH_SESSION_INFO_NTLM
 
 
 parser = optparse.OptionParser("token_group.py [options] <host>")
@@ -71,6 +71,9 @@ class StaticTokenTest(samba.tests.TestCase):
         session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
                                AUTH_SESSION_INFO_AUTHENTICATED |
                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+        if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+            session_info_flags |= AUTH_SESSION_INFO_NTLM
+
         session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
                                           session_info_flags=session_info_flags)
 
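Review bot: `DONT_USE_KERBEROS` is used here but the import hunk above only adds AUTH_SESSION_INFO_NTLM to the samba.auth import; make sure it is imported (it lives in samba.credentials) or the test will fail with a NameError. The same applies to the two other places in this file where the check is repeated.
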
@@ -118,6 +121,9 @@ class StaticTokenTest(samba.tests.TestCase):
             self.fail(msg="calculated groups don't match against user DN tokenGroups")
 
     def test_pac_groups(self):
+        if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+            self.skipTest("Kerberos disabled, skipping PAC test")
+
         settings = {}
         settings["lp_ctx"] = lp
         settings["target_hostname"] = lp.get("netbios name")
@@ -276,6 +282,10 @@ class DynamicTokenTest(samba.tests.TestCase):
         session_info_flags = ( AUTH_SESSION_INFO_DEFAULT_GROUPS |
                                AUTH_SESSION_INFO_AUTHENTICATED |
                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES)
+
+        if creds.get_kerberos_state() == DONT_USE_KERBEROS:
+            session_info_flags |= AUTH_SESSION_INFO_NTLM
+
         session = samba.auth.user_session(self.ldb, lp_ctx=lp, dn=self.user_sid_dn,
                                           session_info_flags=session_info_flags)
 
@@ -336,6 +346,10 @@ class DynamicTokenTest(samba.tests.TestCase):
 
         sidset1 = set(dn_tokengroups)
         sidset2 = set(self.user_sids)
+
+        # The SIDs on the DN do not include the NTLM authentication SID
+        sidset2.discard(samba.dcerpc.security.SID_NT_NTLM_AUTHENTICATION)
+
         if len(sidset1.difference(sidset2)):
             print("token sids don't match")
             print("difference : %s" % sidset1.difference(sidset2))
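
Review bot: `samba.dcerpc.security.SID_NT_NTLM_AUTHENTICATION` can use the `security` name already imported at the top of this file (`security.SID_NT_NTLM_AUTHENTICATION`). Also, `discard` silently does nothing if the SID is absent, so for the NTLM run it would be worth asserting that the SID was actually present in `self.user_sids` before discarding it; otherwise the new SID being missing from the token would go unnoticed by this test.
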
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 3282d5e..bd339b3 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -966,7 +966,7 @@ _kdc_as_rep(krb5_context context,
     AS_REP rep;
     KDCOptions f = b->kdc_options;
     hdb_entry_ex *client = NULL, *server = NULL;
-    HDB *clientdb;
+    HDB *clientdb = NULL;
     krb5_enctype setype, sessionetype;
     krb5_data e_data;
     EncTicketPart et;
@@ -976,7 +976,7 @@ _kdc_as_rep(krb5_context context,
     krb5_error_code ret = 0;
     const char *e_text = NULL;
     krb5_crypto crypto;
-    Key *skey;
+    Key *skey = NULL;
     EncryptionKey *reply_key = NULL, session_key;
     int flags = HDB_F_FOR_AS_REQ;
 #ifdef PKINIT
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 4ee6285..3f2ef8d 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -135,7 +135,6 @@ static bool udv_filter(const struct drsuapi_DsReplicaCursorCtrEx *udv,
 		return true;
 	}
 	return false;
-
 }
 
 static int uint32_t_cmp(uint32_t a1, uint32_t a2)
@@ -1266,7 +1265,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
 	int ret;
 	const char *rodc_attrs[] = { "msDS-KrbTgtLink", "msDS-NeverRevealGroup", "msDS-RevealOnDemandGroup", "objectGUID", NULL };
 	const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
-	struct ldb_result *rodc_res, *obj_res;
+	struct ldb_result *rodc_res = NULL, *obj_res = NULL;
 	const struct dom_sid **never_reveal_sids, **reveal_sids, **token_sids;
 	const struct dom_sid *object_sid = NULL;
 	WERROR werr;
@@ -1334,13 +1333,13 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
 	 * Which basically means that if you have GET_ALL_CHANGES rights (~== RWDC)
 	 * then you can do EXOP_REPL_SECRETS
 	 */
+	obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot);
+	if (!ldb_dn_validate(obj_dn)) goto failed;
+
 	if (has_get_all_changes) {
 		goto allowed;
 	}
 
-	obj_dn = drs_ObjectIdentifier_to_dn(mem_ctx, b_state->sam_ctx_system, ncRoot);
-	if (!ldb_dn_validate(obj_dn)) goto failed;
-
 	rodc_dn = ldb_dn_new_fmt(mem_ctx, b_state->sam_ctx_system, "<SID=%s>",
 				 dom_sid_string(mem_ctx, user_sid));
 	if (!ldb_dn_validate(rodc_dn)) goto failed;
@@ -1433,7 +1432,7 @@ denied:
 allowed:
 	DEBUG(2,(__location__ ": Allowed single object with secret replication for %s by %s %s\n",
 		 ldb_dn_get_linearized(obj_dn), has_get_all_changes?"RWDC":"RODC",
-		 ldb_dn_get_linearized(rodc_res->msgs[0]->dn)));
+		 ldb_dn_get_linearized(*machine_dn)));
 	ctr6->extended_ret = DRSUAPI_EXOP_ERR_SUCCESS;
 	req10->highwatermark.highest_usn = 0;
 	return WERR_OK;
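
Review bot: the allowed path now prints `*machine_dn`; confirm that `*machine_dn` is assigned before the `goto allowed` in the `has_get_all_changes` branch (moved above the RODC lookup earlier in this diff), since that branch no longer passes through the rodc_res search. Otherwise ldb_dn_get_linearized receives a NULL or uninitialised pointer, which is the same class of problem the `rodc_res->msgs[0]->dn` removal was fixing.
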
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 1633561..0687703 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -749,6 +749,8 @@ for d in dns_list:
             break
     if not found:
         rebuild_cache = True
+        if opts.verbose:
+            print "need cache add: %s" % d
     if opts.all_names:
         update_list.append(d)
         if opts.verbose:
@@ -768,6 +770,8 @@ for c in cache_list:
     if found:
         continue
     rebuild_cache = True
+    if opts.verbose:
+        print "need cache remove: %s" % c
     if not opts.all_names and not check_dns_name(c):
         continue
     delete_list.append(c)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7bd8ab0..890d41e 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -484,7 +484,7 @@ for env in ["nt4_dc", "fl2003dc"]:
     for t in winbind_wbclient_tests:
         plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
 
-for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass"]:
+for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_member", "s4member", "chgdcpass", "rodc"]:
     tests = ["--ping", "--separator",
              "--own-domain",
              "--all-domains",
@@ -591,7 +591,8 @@ planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.dcerpc.dnsserver", extra_args
 planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.dnsserver", extra_args=['-U"$USERNAME%$PASSWORD"'])
 planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.raw_protocol", extra_args=['-U"$USERNAME%$PASSWORD"'])
 plantestsuite_loadlist("samba4.ldap.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/ldap.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
-plantestsuite_loadlist("samba4.tokengroups.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.tokengroups.krb5.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'yes', '$LOADLIST', '$LISTOPT'])
+plantestsuite_loadlist("samba4.tokengroups.ntlm.python(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [python, os.path.join(samba4srcdir, "dsdb/tests/python/token_group.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN', '-k', 'no', '$LOADLIST', '$LISTOPT'])
 plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
 plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
 plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
@@ -660,8 +661,21 @@ plansmbtorture4testsuite(t, "vampire_dc", ['$SERVER', '-U$USERNAME%$PASSWORD', '
 for env in ['rodc']:
     plansmbtorture4testsuite('rpc.echo', env, ['ncacn_np:$SERVER', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], modname="samba4.rpc.echo")
     plansmbtorture4testsuite('rpc.echo', "%s:local" % env, ['ncacn_np:$SERVER', "-k", "yes", '-P', '--workgroup=$DOMAIN'], modname="samba4.rpc.echo")
+    plansmbtorture4testsuite('rpc.echo', "%s:local" % env, ['ncacn_np:$SERVER', "-k", "no", '-Utestallowed\ account%$DC_PASSWORD', '--workgroup=$DOMAIN'], modname="samba4.rpc.echo.testallowed")
+    plansmbtorture4testsuite('rpc.echo', "%s:local" % env, ['ncacn_np:$SERVER', "-k", "no", '-Utestdenied%$DC_PASSWORD', '--workgroup=$DOMAIN'], modname="samba4.rpc.echo.testdenied")
 planpythontestsuite("rodc:local", "samba.tests.samba_tool.rodc")
 
+plantestsuite("samba.blackbox.rpcclient_samlogon", "rodc:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
+								  "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$SERVER", configuration])
+
+plantestsuite("samba.blackbox.rpcclient_samlogon_testallowed", "rodc:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
+								              "testallowed\ account", "$DC_PASSWORD", "ncacn_np:$SERVER", configuration])
+
+plantestsuite("samba.blackbox.rpcclient_samlogon_testdenied", "rodc:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
+								             "testdenied", "$DC_PASSWORD", "ncacn_np:$SERVER", configuration])
+
+
+
 plantestsuite("samba4.blackbox.provision-backend", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision-backend.sh"), '$PREFIX/provision'])
 
 # Test renaming the DC
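
Review bot: the three blank lines left after the rpcclient_samlogon_testdenied plantestsuite() call exceed the single blank line used between entries elsewhere in this file; trim to one. The `'-Utestallowed\ account%$DC_PASSWORD'` argument relies on Python keeping the unknown `\ ` escape literally so that the later shell expansion sees an escaped space; a raw string or a short comment would make that intent explicit.
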


-- 
Samba Shared Repository
