docs: fix a typo in history file
[bbaumbach/samba-autobuild/.git] / source3 / passdb / passdb.c
index 0678181669d3e9259f2bc07650143359ed1f84bb..8b66a99226985dab3597374138e614288ef1cfd4 100644 (file)
@@ -1,4 +1,4 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    Password and authentication handling
    Copyright (C) Jeremy Allison                1996-2001
 */
 
 #include "includes.h"
+#include "passdb.h"
+#include "system/passwd.h"
 #include "../libcli/auth/libcli_auth.h"
+#include "secrets.h"
+#include "../libcli/security/security.h"
+#include "../lib/util/util_pw.h"
+#include "util_tdb.h"
+#include "auth/credentials/credentials.h"
+#include "lib/param/param.h"
+#include "lib/util/string_wrappers.h"
+#include "source3/lib/substitute.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
 
-/******************************************************************
- Get the default domain/netbios name to be used when
- testing authentication.
-
- LEGACY: this function provides the legacy domain mapping used with
-        the lp_map_untrusted_to_domain() parameter
-******************************************************************/
-
-const char *my_sam_name(void)
-{
-       /* Standalone servers can only use the local netbios name */
-       if ( lp_server_role() == ROLE_STANDALONE )
-               return global_myname();
-
-       /* Default to the DOMAIN name when not specified */
-       return lp_workgroup();
-}
-
 /**********************************************************************
 ***********************************************************************/
 
-static int samu_destroy(struct samu *user) 
+static int samu_destroy(struct samu *user)
 {
        data_blob_clear_free( &user->lm_pw );
        data_blob_clear_free( &user->nt_pw );
 
        if ( user->plaintext_pw )
-               memset( user->plaintext_pw, 0x0, strlen(user->plaintext_pw) );
+               BURN_STR(user->plaintext_pw);
 
        return 0;
 }
@@ -68,7 +60,7 @@ struct samu *samu_new( TALLOC_CTX *ctx )
 {
        struct samu *user;
 
-       if ( !(user = TALLOC_ZERO_P( ctx, struct samu )) ) {
+       if ( !(user = talloc_zero( ctx, struct samu )) ) {
                DEBUG(0,("samuser_new: Talloc failed!\n"));
                return NULL;
        }
@@ -87,7 +79,6 @@ struct samu *samu_new( TALLOC_CTX *ctx )
        user->pass_can_change_time  = (time_t)0;
        user->logoff_time           = get_time_t_max();
        user->kickoff_time          = get_time_t_max();
-       user->pass_must_change_time = get_time_t_max();
        user->fields_present        = 0x00ffffff;
        user->logon_divs = 168;         /* hours per week */
        user->hours_len = 21;           /* 21 times 8 bits = 168 */
@@ -96,7 +87,7 @@ struct samu *samu_new( TALLOC_CTX *ctx )
        user->logon_count = 0;
        user->unknown_6 = 0x000004ec; /* don't know */
 
-       /* Some parts of samba strlen their pdb_get...() returns, 
+       /* Some parts of samba strlen their pdb_get...() returns,
           so this keeps the interface unchanged for now. */
 
        user->username = "";
@@ -122,17 +113,32 @@ struct samu *samu_new( TALLOC_CTX *ctx )
        return user;
 }
 
+static int count_commas(const char *str)
+{
+       int num_commas = 0;
+       const char *comma = str;
+
+       while ((comma = strchr(comma, ',')) != NULL) {
+               comma += 1;
+               num_commas += 1;
+       }
+       return num_commas;
+}
+
 /*********************************************************************
- Initialize a struct samu from a struct passwd including the user 
+ Initialize a struct samu from a struct passwd including the user
  and group SIDs.  The *user structure is filled out with the Unix
  attributes and a user SID.
 *********************************************************************/
 
-static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *pwd, bool create)
+static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods,
+                                      struct samu *user, const struct passwd *pwd, bool create)
 {
-       const char *guest_account = lp_guestaccount();
-       const char *domain = global_myname();
-       uint32 urid;
+       const char *guest_account = lp_guest_account();
+       const char *domain = lp_netbios_name();
+       char *fullname;
+       uint32_t urid;
+       bool ok;
 
        if ( !pwd ) {
                return NT_STATUS_NO_SUCH_USER;
@@ -140,13 +146,46 @@ static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *p
 
        /* Basic properties based upon the Unix account information */
 
-       pdb_set_username(user, pwd->pw_name, PDB_SET);
-       pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
-       pdb_set_domain (user, get_global_sam_name(), PDB_DEFAULT);
+       ok = pdb_set_username(user, pwd->pw_name, PDB_SET);
+       if (!ok) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       fullname = NULL;
+
+       if (count_commas(pwd->pw_gecos) == 3) {
+               /*
+                * Heuristic: This seems to be a gecos field that has been
+                * edited by chfn(1). Only use the part before the first
+                * comma. Fixes bug 5198.
+                */
+               fullname = talloc_strndup(
+                       talloc_tos(), pwd->pw_gecos,
+                       strchr(pwd->pw_gecos, ',') - pwd->pw_gecos);
+               if (fullname == NULL) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
+       if (fullname != NULL) {
+               ok = pdb_set_fullname(user, fullname, PDB_SET);
+       } else {
+               ok = pdb_set_fullname(user, pwd->pw_gecos, PDB_SET);
+       }
+       TALLOC_FREE(fullname);
+
+       if (!ok) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       ok = pdb_set_domain(user, get_global_sam_name(), PDB_DEFAULT);
+       if (!ok) {
+               return NT_STATUS_NO_MEMORY;
+       }
 #if 0
-       /* This can lead to a primary group of S-1-22-2-XX which 
-          will be rejected by other parts of the Samba code. 
-          Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)  
+       /* This can lead to a primary group of S-1-22-2-XX which
+          will be rejected by other parts of the Samba code.
+          Rely on pdb_get_group_sid() to "Do The Right Thing" (TM)
           --jerry */
 
        gid_to_sid(&group_sid, pwd->pw_gid);
@@ -156,11 +195,14 @@ static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *p
        /* save the password structure for later use */
 
        user->unix_pw = tcopy_passwd( user, pwd );
+       if (user->unix_pw == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
 
        /* Special case for the guest account which must have a RID of 501 */
 
        if ( strequal( pwd->pw_name, guest_account ) ) {
-               if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+               if ( !pdb_set_user_sid_from_rid(user, DOMAIN_RID_GUEST, PDB_DEFAULT)) {
                        return NT_STATUS_NO_SUCH_USER;
                }
                return NT_STATUS_OK;
@@ -172,52 +214,86 @@ static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *p
                /* workstation */
 
                if (!pdb_set_acct_ctrl(user, ACB_WSTRUST, PDB_DEFAULT)) {
-                       DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n", 
+                       DEBUG(1, ("Failed to set 'workstation account' flags for user %s.\n",
                                pwd->pw_name));
                        return NT_STATUS_INVALID_COMPUTER_NAME;
-               }       
-       } 
+               }
+       }
        else {
                /* user */
 
                if (!pdb_set_acct_ctrl(user, ACB_NORMAL, PDB_DEFAULT)) {
-                       DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n", 
+                       DEBUG(1, ("Failed to set 'normal account' flags for user %s.\n",
                                pwd->pw_name));
                        return NT_STATUS_INVALID_ACCOUNT_NAME;
                }
 
                /* set some basic attributes */
 
-               pdb_set_profile_path(user, talloc_sub_specified(user, 
-                       lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), 
-                       PDB_DEFAULT);           
-               pdb_set_homedir(user, talloc_sub_specified(user, 
-                       lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
+               ok = pdb_set_profile_path(
+                       user,
+                       talloc_sub_specified(
+                               user,
+                               lp_logon_path(),
+                               pwd->pw_name,
+                               NULL,
+                               domain,
+                               pwd->pw_uid,
+                               pwd->pw_gid),
                        PDB_DEFAULT);
-               pdb_set_dir_drive(user, talloc_sub_specified(user, 
-                       lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
+               ok &= pdb_set_homedir(
+                       user,
+                       talloc_sub_specified(
+                               user,
+                               lp_logon_home(),
+                               pwd->pw_name,
+                               NULL,
+                               domain,
+                               pwd->pw_uid,
+                               pwd->pw_gid),
                        PDB_DEFAULT);
-               pdb_set_logon_script(user, talloc_sub_specified(user, 
-                       lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), 
+               ok &= pdb_set_dir_drive(
+                       user,
+                       talloc_sub_specified(
+                               user,
+                               lp_logon_drive(),
+                               pwd->pw_name,
+                               NULL,
+                               domain,
+                               pwd->pw_uid,
+                               pwd->pw_gid),
                        PDB_DEFAULT);
+               ok &= pdb_set_logon_script(
+                       user,
+                       talloc_sub_specified(
+                               user,
+                               lp_logon_script(),
+                               pwd->pw_name,
+                               NULL,
+                               domain,
+                               pwd->pw_uid,
+                               pwd->pw_gid),
+                       PDB_DEFAULT);
+               if (!ok) {
+                       return NT_STATUS_NO_MEMORY;
+               }
        }
 
-       /* Now deal with the user SID.  If we have a backend that can generate 
-          RIDs, then do so.  But sometimes the caller just wanted a structure 
-          initialized and will fill in these fields later (such as from a 
+       /* Now deal with the user SID.  If we have a backend that can generate
+          RIDs, then do so.  But sometimes the caller just wanted a structure
+          initialized and will fill in these fields later (such as from a
           netr_SamInfo3 structure) */
 
-       if ( create && (pdb_capabilities() & PDB_CAP_STORE_RIDS)) {
-               uint32 user_rid;
-               DOM_SID user_sid;
+       if ( create && (methods->capabilities(methods) & PDB_CAP_STORE_RIDS)) {
+               uint32_t user_rid;
+               struct dom_sid user_sid;
 
-               if ( !pdb_new_rid( &user_rid ) ) {
+               if ( !methods->new_rid(methods, &user_rid) ) {
                        DEBUG(3, ("Could not allocate a new RID\n"));
                        return NT_STATUS_ACCESS_DENIED;
                }
 
-               sid_copy( &user_sid, get_global_sam_sid() );
-               sid_append_rid( &user_sid, user_rid );
+               sid_compose(&user_sid, get_global_sam_sid(), user_rid);
 
                if ( !pdb_set_user_sid(user, &user_sid, PDB_SET) ) {
                        DEBUG(3, ("pdb_set_user_sid failed\n"));
@@ -244,12 +320,13 @@ static NTSTATUS samu_set_unix_internal(struct samu *user, const struct passwd *p
 
 NTSTATUS samu_set_unix(struct samu *user, const struct passwd *pwd)
 {
-       return samu_set_unix_internal( user, pwd, False );
+       return samu_set_unix_internal( NULL, user, pwd, False );
 }
 
-NTSTATUS samu_alloc_rid_unix(struct samu *user, const struct passwd *pwd)
+NTSTATUS samu_alloc_rid_unix(struct pdb_methods *methods,
+                            struct samu *user, const struct passwd *pwd)
 {
-       return samu_set_unix_internal( user, pwd, True );
+       return samu_set_unix_internal( methods, user, pwd, True );
 }
 
 /**********************************************************
@@ -272,7 +349,7 @@ char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
        if (acct_ctrl & ACB_PWNOTREQ ) acct_str[i++] = 'N';
        if (acct_ctrl & ACB_DISABLED ) acct_str[i++] = 'D';
        if (acct_ctrl & ACB_HOMDIRREQ) acct_str[i++] = 'H';
-       if (acct_ctrl & ACB_TEMPDUP  ) acct_str[i++] = 'T'; 
+       if (acct_ctrl & ACB_TEMPDUP  ) acct_str[i++] = 'T';
        if (acct_ctrl & ACB_NORMAL   ) acct_str[i++] = 'U';
        if (acct_ctrl & ACB_MNS      ) acct_str[i++] = 'M';
        if (acct_ctrl & ACB_WSTRUST  ) acct_str[i++] = 'W';
@@ -291,7 +368,7 @@ char *pdb_encode_acct_ctrl(uint32_t acct_ctrl, size_t length)
        result = talloc_strdup(talloc_tos(), acct_str);
        SMB_ASSERT(result != NULL);
        return result;
-}     
+}
 
 /**********************************************************
  Decode the account control bits from a string.
@@ -315,18 +392,18 @@ uint32_t pdb_decode_acct_ctrl(const char *p)
                        case 'N': { acct_ctrl |= ACB_PWNOTREQ ; break; /* 'N'o password. */ }
                        case 'D': { acct_ctrl |= ACB_DISABLED ; break; /* 'D'isabled. */ }
                        case 'H': { acct_ctrl |= ACB_HOMDIRREQ; break; /* 'H'omedir required. */ }
-                       case 'T': { acct_ctrl |= ACB_TEMPDUP  ; break; /* 'T'emp account. */ } 
-                       case 'U': { acct_ctrl |= ACB_NORMAL   ; break; /* 'U'ser account (normal). */ } 
-                       case 'M': { acct_ctrl |= ACB_MNS      ; break; /* 'M'NS logon user account. What is this ? */ } 
-                       case 'W': { acct_ctrl |= ACB_WSTRUST  ; break; /* 'W'orkstation account. */ } 
-                       case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ } 
-                       case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ } 
-                       case 'X': { acct_ctrl |= ACB_PWNOEXP  ; break; /* No 'X'piry on password */ } 
+                       case 'T': { acct_ctrl |= ACB_TEMPDUP  ; break; /* 'T'emp account. */ }
+                       case 'U': { acct_ctrl |= ACB_NORMAL   ; break; /* 'U'ser account (normal). */ }
+                       case 'M': { acct_ctrl |= ACB_MNS      ; break; /* 'M'NS logon user account. What is this ? */ }
+                       case 'W': { acct_ctrl |= ACB_WSTRUST  ; break; /* 'W'orkstation account. */ }
+                       case 'S': { acct_ctrl |= ACB_SVRTRUST ; break; /* 'S'erver account. */ }
+                       case 'L': { acct_ctrl |= ACB_AUTOLOCK ; break; /* 'L'ocked account. */ }
+                       case 'X': { acct_ctrl |= ACB_PWNOEXP  ; break; /* No 'X'piry on password */ }
                        case 'I': { acct_ctrl |= ACB_DOMTRUST ; break; /* 'I'nterdomain trust account. */ }
             case ' ': { break; }
                        case ':':
                        case '\n':
-                       case '\0': 
+                       case '\0':
                        case ']':
                        default:  { finished = true; }
                }
@@ -339,17 +416,15 @@ uint32_t pdb_decode_acct_ctrl(const char *p)
  Routine to set 32 hex password characters from a 16 byte array.
 **************************************************************/
 
-void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32 acct_ctrl)
+void pdb_sethexpwd(char p[33], const unsigned char *pwd, uint32_t acct_ctrl)
 {
        if (pwd != NULL) {
-               int i;
-               for (i = 0; i < 16; i++)
-                       slprintf(&p[i*2], 3, "%02X", pwd[i]);
+               hex_encode_buf(p, pwd, 16);
        } else {
                if (acct_ctrl & ACB_PWNOTREQ)
-                       safe_strcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 32);
+                       strlcpy(p, "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", 33);
                else
-                       safe_strcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 32);
+                       strlcpy(p, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 33);
        }
 }
 
@@ -369,8 +444,8 @@ bool pdb_gethexpwd(const char *p, unsigned char *pwd)
                return false;
 
        for (i = 0; i < 32; i += 2) {
-               hinybble = toupper_ascii(p[i]);
-               lonybble = toupper_ascii(p[i + 1]);
+               hinybble = toupper_m(p[i]);
+               lonybble = toupper_m(p[i + 1]);
 
                p1 = strchr(hexchars, hinybble);
                p2 = strchr(hexchars, lonybble);
@@ -393,12 +468,9 @@ bool pdb_gethexpwd(const char *p, unsigned char *pwd)
 void pdb_sethexhours(char *p, const unsigned char *hours)
 {
        if (hours != NULL) {
-               int i;
-               for (i = 0; i < 21; i++) {
-                       slprintf(&p[i*2], 3, "%02X", hours[i]);
-               }
+               hex_encode_buf(p, hours, 21);
        } else {
-               safe_strcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 43);
+               strlcpy(p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", 44);
        }
 }
 
@@ -419,8 +491,8 @@ bool pdb_gethexhours(const char *p, unsigned char *hours)
        }
 
        for (i = 0; i < 42; i += 2) {
-               hinybble = toupper_ascii(p[i]);
-               lonybble = toupper_ascii(p[i + 1]);
+               hinybble = toupper_m(p[i]);
+               lonybble = toupper_m(p[i + 1]);
 
                p1 = strchr(hexchars, hinybble);
                p2 = strchr(hexchars, lonybble);
@@ -446,7 +518,7 @@ int algorithmic_rid_base(void)
 
        rid_offset = lp_algorithmic_rid_base();
 
-       if (rid_offset < BASE_RID) {  
+       if (rid_offset < BASE_RID) {
                /* Try to prevent admin foot-shooting, we can't put algorithmic
                   rids below 1000, that's the 'well known RIDs' on NT */
                DEBUG(0, ("'algorithmic rid base' must be equal to or above %ld\n", BASE_RID));
@@ -463,7 +535,7 @@ int algorithmic_rid_base(void)
  Converts NT user RID to a UNIX uid.
  ********************************************************************/
 
-uid_t algorithmic_pdb_user_rid_to_uid(uint32 user_rid)
+uid_t algorithmic_pdb_user_rid_to_uid(uint32_t user_rid)
 {
        int rid_offset = algorithmic_rid_base();
        return (uid_t)(((user_rid & (~USER_RID_TYPE)) - rid_offset)/RID_MULTIPLIER);
@@ -478,17 +550,17 @@ uid_t max_algorithmic_uid(void)
  converts UNIX uid to an NT User RID.
  ********************************************************************/
 
-uint32 algorithmic_pdb_uid_to_user_rid(uid_t uid)
+uint32_t algorithmic_pdb_uid_to_user_rid(uid_t uid)
 {
        int rid_offset = algorithmic_rid_base();
-       return (((((uint32)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
+       return (((((uint32_t)uid)*RID_MULTIPLIER) + rid_offset) | USER_RID_TYPE);
 }
 
 /*******************************************************************
  Converts NT group RID to a UNIX gid.
  ********************************************************************/
 
-gid_t pdb_group_rid_to_gid(uint32 group_rid)
+gid_t pdb_group_rid_to_gid(uint32_t group_rid)
 {
        int rid_offset = algorithmic_rid_base();
        return (gid_t)(((group_rid & (~GROUP_RID_TYPE))- rid_offset)/RID_MULTIPLIER);
@@ -501,23 +573,23 @@ gid_t max_algorithmic_gid(void)
 
 /*******************************************************************
  converts NT Group RID to a UNIX uid.
+
  warning: you must not call that function only
  you must do a call to the group mapping first.
  there is not anymore a direct link between the gid and the rid.
  ********************************************************************/
 
-uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
+uint32_t algorithmic_pdb_gid_to_group_rid(gid_t gid)
 {
        int rid_offset = algorithmic_rid_base();
-       return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
+       return (((((uint32_t)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
 }
 
 /*******************************************************************
  Decides if a RID is a well known RID.
  ********************************************************************/
 
-static bool rid_is_well_known(uint32 rid)
+static bool rid_is_well_known(uint32_t rid)
 {
        /* Not using rid_offset here, because this is the actual
           NT fixed value (1000) */
@@ -529,14 +601,14 @@ static bool rid_is_well_known(uint32 rid)
  Decides if a RID is a user or group RID.
  ********************************************************************/
 
-bool algorithmic_pdb_rid_is_user(uint32 rid)
+bool algorithmic_pdb_rid_is_user(uint32_t rid)
 {
        if ( rid_is_well_known(rid) ) {
                /*
-                * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
-                * and DOMAIN_USER_RID_GUEST.
+                * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
+                * and DOMAIN_RID_GUEST.
                 */
-               if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
+               if(rid == DOMAIN_RID_ADMINISTRATOR || rid == DOMAIN_RID_GUEST)
                        return True;
        } else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
                return True;
@@ -551,16 +623,16 @@ bool algorithmic_pdb_rid_is_user(uint32 rid)
 bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
                            enum lsa_SidType *type)
 {
-       GROUP_MAP map;
+       GROUP_MAP *map;
        bool ret;
 
-       /* Windows treats "MACHINE\None" as a special name for 
+       /* Windows treats "MACHINE\None" as a special name for
           rid 513 on non-DCs.  You cannot create a user or group
-          name "None" on Windows.  You will get an error that 
+          name "None" on Windows.  You will get an error that
           the group already exists. */
 
        if ( strequal( name, "None" ) ) {
-               *rid = DOMAIN_GROUP_RID_USERS;
+               *rid = DOMAIN_RID_USERS;
                *type = SID_NAME_DOM_GRP;
 
                return True;
@@ -572,7 +644,7 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
 
        if ((flags & LOOKUP_NAME_GROUP) == 0) {
                struct samu *sam_account = NULL;
-               DOM_SID user_sid;
+               struct dom_sid user_sid;
 
                if ( !(sam_account = samu_new( NULL )) ) {
                        return False;
@@ -589,9 +661,12 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
                TALLOC_FREE(sam_account);
 
                if (ret) {
-                       if (!sid_check_is_in_our_domain(&user_sid)) {
-                               DEBUG(0, ("User %s with invalid SID %s in passdb\n",
-                                         name, sid_string_dbg(&user_sid)));
+                       if (!sid_check_is_in_our_sam(&user_sid)) {
+                               struct dom_sid_buf buf;
+                               DBG_ERR("User %s with invalid SID %s"
+                                       " in passdb\n",
+                                       name,
+                                       dom_sid_str_buf(&user_sid, &buf));
                                return False;
                        }
 
@@ -605,24 +680,35 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
         * Maybe it is a group ?
         */
 
+       map = talloc_zero(NULL, GROUP_MAP);
+       if (!map) {
+               return false;
+       }
+
        become_root();
-       ret = pdb_getgrnam(&map, name);
+       ret = pdb_getgrnam(map, name);
        unbecome_root();
 
        if (!ret) {
+               TALLOC_FREE(map);
                return False;
        }
 
        /* BUILTIN groups are looked up elsewhere */
-       if (!sid_check_is_in_our_domain(&map.sid)) {
+       if (!sid_check_is_in_our_sam(&map->sid)) {
+               struct dom_sid_buf buf;
                DEBUG(10, ("Found group %s (%s) not in our domain -- "
-                          "ignoring.", name, sid_string_dbg(&map.sid)));
+                          "ignoring.\n",
+                          name,
+                          dom_sid_str_buf(&map->sid, &buf)));
+               TALLOC_FREE(map);
                return False;
        }
 
        /* yes it's a mapped group */
-       sid_peek_rid(&map.sid, rid);
-       *type = map.sid_name_use;
+       sid_peek_rid(&map->sid, rid);
+       *type = map->sid_name_use;
+       TALLOC_FREE(map);
        return True;
 }
 
@@ -639,7 +725,7 @@ bool lookup_global_sam_name(const char *name, int flags, uint32_t *rid,
 
 NTSTATUS local_password_change(const char *user_name,
                                int local_flags,
-                               const char *new_passwd, 
+                               const char *new_passwd,
                                char **pp_err_str,
                                char **pp_msg_str)
 {
@@ -666,7 +752,7 @@ NTSTATUS local_password_change(const char *user_name,
        user_exists = pdb_getsampwnam(sam_pass, user_name);
 
        /* Check delete first, we don't need to do anything else if we
-        * are going to delete the acocunt */
+        * are going to delete the account */
        if (user_exists && (local_flags & LOCAL_DELETE_USER)) {
 
                result = pdb_delete_user(tosctx, sam_pass);
@@ -893,13 +979,13 @@ done:
 /*********************************************************************
 *********************************************************************/
 
-static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 buflen)
+static bool init_samu_from_buffer_v0(struct samu *sampass, uint8_t *buf, uint32_t buflen)
 {
 
        /* times are stored as 32bit integer
           take care on system with 64bit wide time_t
           --SSS */
-       uint32  logon_time,
+       uint32_t        logon_time,
                logoff_time,
                kickoff_time,
                pass_last_set_time,
@@ -917,18 +1003,18 @@ static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 bu
        char *profile_path = NULL;
        char *acct_desc = NULL;
        char *workstations = NULL;
-       uint32  username_len, domain_len, nt_username_len,
+       uint32_t        username_len, domain_len, nt_username_len,
                dir_drive_len, unknown_str_len, munged_dial_len,
                fullname_len, homedir_len, logon_script_len,
                profile_path_len, acct_desc_len, workstations_len;
 
-       uint32  user_rid, group_rid, remove_me, hours_len, unknown_6;
-       uint16  acct_ctrl, logon_divs;
-       uint16  bad_password_count, logon_count;
-       uint8   *hours = NULL;
-       uint8   *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
-       uint32          len = 0;
-       uint32          lm_pw_len, nt_pw_len, hourslen;
+       uint32_t        user_rid, group_rid, remove_me, hours_len, unknown_6;
+       uint16_t        acct_ctrl, logon_divs;
+       uint16_t        bad_password_count, logon_count;
+       uint8_t *hours = NULL;
+       uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
+       uint32_t                len = 0;
+       uint32_t                lm_pw_len, nt_pw_len, hourslen;
        bool ret = True;
 
        if(sampass == NULL || buf == NULL) {
@@ -971,7 +1057,7 @@ static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 bu
                &logon_count,                                           /* w */
                &unknown_6);                                            /* d */
 
-       if (len == (uint32) -1)  {
+       if (len == (uint32_t) -1)  {
                ret = False;
                goto done;
        }
@@ -980,10 +1066,9 @@ static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_logoff_time(sampass, logoff_time, PDB_SET);
        pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
        pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
-       pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
        pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
 
-       pdb_set_username(sampass, username, PDB_SET); 
+       pdb_set_username(sampass, username, PDB_SET);
        pdb_set_domain(sampass, domain, PDB_SET);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -992,34 +1077,34 @@ static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_homedir(sampass, homedir, PDB_SET);
        }
        else {
-               pdb_set_homedir(sampass, 
+               pdb_set_homedir(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_home()),
                        PDB_DEFAULT);
        }
 
-       if (dir_drive)  
+       if (dir_drive)
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        else {
-               pdb_set_dir_drive(sampass, 
+               pdb_set_dir_drive(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_drive()),
                        PDB_DEFAULT);
        }
 
-       if (logon_script) 
+       if (logon_script)
                pdb_set_logon_script(sampass, logon_script, PDB_SET);
        else {
-               pdb_set_logon_script(sampass, 
+               pdb_set_logon_script(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_script()),
                        PDB_DEFAULT);
        }
 
-       if (profile_path) {     
+       if (profile_path) {
                pdb_set_profile_path(sampass, profile_path, PDB_SET);
        } else {
-               pdb_set_profile_path(sampass, 
+               pdb_set_profile_path(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_path()),
                        PDB_DEFAULT);
@@ -1052,7 +1137,7 @@ static bool init_samu_from_buffer_v0(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
        pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
        pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
-       pdb_set_hours(sampass, hours, PDB_SET);
+       pdb_set_hours(sampass, hours, hours_len, PDB_SET);
 
 done:
 
@@ -1078,13 +1163,13 @@ done:
 /*********************************************************************
 *********************************************************************/
 
-static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 buflen)
+static bool init_samu_from_buffer_v1(struct samu *sampass, uint8_t *buf, uint32_t buflen)
 {
 
        /* times are stored as 32bit integer
           take care on system with 64bit wide time_t
           --SSS */
-       uint32  logon_time,
+       uint32_t        logon_time,
                logoff_time,
                kickoff_time,
                bad_password_time,
@@ -1103,18 +1188,18 @@ static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 bu
        char *profile_path = NULL;
        char *acct_desc = NULL;
        char *workstations = NULL;
-       uint32  username_len, domain_len, nt_username_len,
+       uint32_t        username_len, domain_len, nt_username_len,
                dir_drive_len, unknown_str_len, munged_dial_len,
                fullname_len, homedir_len, logon_script_len,
                profile_path_len, acct_desc_len, workstations_len;
 
-       uint32  user_rid, group_rid, remove_me, hours_len, unknown_6;
-       uint16  acct_ctrl, logon_divs;
-       uint16  bad_password_count, logon_count;
-       uint8   *hours = NULL;
-       uint8   *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
-       uint32          len = 0;
-       uint32          lm_pw_len, nt_pw_len, hourslen;
+       uint32_t        user_rid, group_rid, remove_me, hours_len, unknown_6;
+       uint16_t        acct_ctrl, logon_divs;
+       uint16_t        bad_password_count, logon_count;
+       uint8_t *hours = NULL;
+       uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL;
+       uint32_t                len = 0;
+       uint32_t                lm_pw_len, nt_pw_len, hourslen;
        bool ret = True;
 
        if(sampass == NULL || buf == NULL) {
@@ -1159,7 +1244,7 @@ static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 bu
                &logon_count,                                           /* w */
                &unknown_6);                                            /* d */
 
-       if (len == (uint32) -1)  {
+       if (len == (uint32_t) -1)  {
                ret = False;
                goto done;
        }
@@ -1171,10 +1256,9 @@ static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 bu
        /* Change from V0 is addition of bad_password_time field. */
        pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
        pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
-       pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
        pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
 
-       pdb_set_username(sampass, username, PDB_SET); 
+       pdb_set_username(sampass, username, PDB_SET);
        pdb_set_domain(sampass, domain, PDB_SET);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -1183,34 +1267,34 @@ static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_homedir(sampass, homedir, PDB_SET);
        }
        else {
-               pdb_set_homedir(sampass, 
+               pdb_set_homedir(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_home()),
                        PDB_DEFAULT);
        }
 
-       if (dir_drive)  
+       if (dir_drive)
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        else {
-               pdb_set_dir_drive(sampass, 
+               pdb_set_dir_drive(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_drive()),
                        PDB_DEFAULT);
        }
 
-       if (logon_script) 
+       if (logon_script)
                pdb_set_logon_script(sampass, logon_script, PDB_SET);
        else {
-               pdb_set_logon_script(sampass, 
+               pdb_set_logon_script(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_script()),
                        PDB_DEFAULT);
        }
 
-       if (profile_path) {     
+       if (profile_path) {
                pdb_set_profile_path(sampass, profile_path, PDB_SET);
        } else {
-               pdb_set_profile_path(sampass, 
+               pdb_set_profile_path(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_path()),
                        PDB_DEFAULT);
@@ -1244,7 +1328,7 @@ static bool init_samu_from_buffer_v1(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
        pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
        pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
-       pdb_set_hours(sampass, hours, PDB_SET);
+       pdb_set_hours(sampass, hours, hours_len, PDB_SET);
 
 done:
 
@@ -1267,13 +1351,13 @@ done:
        return ret;
 }
 
-static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 buflen)
+static bool init_samu_from_buffer_v2(struct samu *sampass, uint8_t *buf, uint32_t buflen)
 {
 
        /* times are stored as 32bit integer
           take care on system with 64bit wide time_t
           --SSS */
-       uint32  logon_time,
+       uint32_t        logon_time,
                logoff_time,
                kickoff_time,
                bad_password_time,
@@ -1292,19 +1376,19 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
        char *profile_path = NULL;
        char *acct_desc = NULL;
        char *workstations = NULL;
-       uint32  username_len, domain_len, nt_username_len,
+       uint32_t        username_len, domain_len, nt_username_len,
                dir_drive_len, unknown_str_len, munged_dial_len,
                fullname_len, homedir_len, logon_script_len,
                profile_path_len, acct_desc_len, workstations_len;
 
-       uint32  user_rid, group_rid, hours_len, unknown_6;
-       uint16  acct_ctrl, logon_divs;
-       uint16  bad_password_count, logon_count;
-       uint8   *hours = NULL;
-       uint8   *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
-       uint32          len = 0;
-       uint32          lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
-       uint32 pwHistLen = 0;
+       uint32_t        user_rid, group_rid, hours_len, unknown_6;
+       uint16_t        acct_ctrl, logon_divs;
+       uint16_t        bad_password_count, logon_count;
+       uint8_t *hours = NULL;
+       uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
+       uint32_t                len = 0;
+       uint32_t                lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
+       uint32_t pwHistLen = 0;
        bool ret = True;
        fstring tmp_string;
        bool expand_explicit = lp_passdb_expand_explicit();
@@ -1352,7 +1436,7 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
                &logon_count,                                           /* w */
                &unknown_6);                                            /* d */
 
-       if (len == (uint32) -1)  {
+       if (len == (uint32_t) -1)  {
                ret = False;
                goto done;
        }
@@ -1362,10 +1446,9 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET);
        pdb_set_bad_password_time(sampass, bad_password_time, PDB_SET);
        pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET);
-       pdb_set_pass_must_change_time(sampass, pass_must_change_time, PDB_SET);
        pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET);
 
-       pdb_set_username(sampass, username, PDB_SET); 
+       pdb_set_username(sampass, username, PDB_SET);
        pdb_set_domain(sampass, domain, PDB_SET);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -1379,13 +1462,13 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_homedir(sampass, tmp_string, PDB_SET);
        }
        else {
-               pdb_set_homedir(sampass, 
+               pdb_set_homedir(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_home()),
                        PDB_DEFAULT);
        }
 
-       if (dir_drive)  
+       if (dir_drive)
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        else
                pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
@@ -1399,22 +1482,22 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_logon_script(sampass, tmp_string, PDB_SET);
        }
        else {
-               pdb_set_logon_script(sampass, 
+               pdb_set_logon_script(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_script()),
                        PDB_DEFAULT);
        }
 
-       if (profile_path) {     
+       if (profile_path) {
                fstrcpy( tmp_string, profile_path );
                if (expand_explicit) {
                        standard_sub_basic( username, domain, tmp_string,
                                            sizeof(tmp_string) );
                }
                pdb_set_profile_path(sampass, tmp_string, PDB_SET);
-       } 
+       }
        else {
-               pdb_set_profile_path(sampass, 
+               pdb_set_profile_path(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_path()),
                        PDB_DEFAULT);
@@ -1441,7 +1524,7 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
        /* Change from V1 is addition of password history field. */
        pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
        if (pwHistLen) {
-               uint8 *pw_hist = SMB_MALLOC_ARRAY(uint8, pwHistLen * PW_HISTORY_ENTRY_LEN);
+               uint8_t *pw_hist = SMB_MALLOC_ARRAY(uint8_t, pwHistLen * PW_HISTORY_ENTRY_LEN);
                if (!pw_hist) {
                        ret = False;
                        goto done;
@@ -1475,7 +1558,7 @@ static bool init_samu_from_buffer_v2(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
        pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
        pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
-       pdb_set_hours(sampass, hours, PDB_SET);
+       pdb_set_hours(sampass, hours, hours_len, PDB_SET);
 
 done:
 
@@ -1502,13 +1585,13 @@ done:
 /*********************************************************************
 *********************************************************************/
 
-static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 buflen)
+static bool init_samu_from_buffer_v3(struct samu *sampass, uint8_t *buf, uint32_t buflen)
 {
 
        /* times are stored as 32bit integer
           take care on system with 64bit wide time_t
           --SSS */
-       uint32  logon_time,
+       uint32_t        logon_time,
                logoff_time,
                kickoff_time,
                bad_password_time,
@@ -1527,19 +1610,19 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
        char *profile_path = NULL;
        char *acct_desc = NULL;
        char *workstations = NULL;
-       uint32  username_len, domain_len, nt_username_len,
+       uint32_t        username_len, domain_len, nt_username_len,
                dir_drive_len, comment_len, munged_dial_len,
                fullname_len, homedir_len, logon_script_len,
                profile_path_len, acct_desc_len, workstations_len;
 
-       uint32  user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
-       uint16  logon_divs;
-       uint16  bad_password_count, logon_count;
-       uint8   *hours = NULL;
-       uint8   *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
-       uint32          len = 0;
-       uint32          lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
-       uint32 pwHistLen = 0;
+       uint32_t        user_rid, group_rid, hours_len, unknown_6, acct_ctrl;
+       uint16_t  logon_divs;
+       uint16_t        bad_password_count, logon_count;
+       uint8_t *hours = NULL;
+       uint8_t *lm_pw_ptr = NULL, *nt_pw_ptr = NULL, *nt_pw_hist_ptr = NULL;
+       uint32_t                len = 0;
+       uint32_t                lm_pw_len, nt_pw_len, nt_pw_hist_len, hourslen;
+       uint32_t pwHistLen = 0;
        bool ret = True;
        fstring tmp_string;
        bool expand_explicit = lp_passdb_expand_explicit();
@@ -1578,7 +1661,7 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
                &nt_pw_len, &nt_pw_ptr,                                 /* B */
                /* Change from V1 is addition of password history field. */
                &nt_pw_hist_len, &nt_pw_hist_ptr,                       /* B */
-               /* Change from V2 is the uint32 acb_mask */
+               /* Change from V2 is the uint32_t acb_mask */
                &acct_ctrl,                                             /* d */
                /* Also "remove_me" field was removed. */
                &logon_divs,                                            /* w */
@@ -1588,20 +1671,19 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
                &logon_count,                                           /* w */
                &unknown_6);                                            /* d */
 
-       if (len == (uint32) -1)  {
+       if (len == (uint32_t) -1)  {
                ret = False;
                goto done;
        }
 
-       pdb_set_logon_time(sampass, convert_uint32_to_time_t(logon_time), PDB_SET);
-       pdb_set_logoff_time(sampass, convert_uint32_to_time_t(logoff_time), PDB_SET);
-       pdb_set_kickoff_time(sampass, convert_uint32_to_time_t(kickoff_time), PDB_SET);
-       pdb_set_bad_password_time(sampass, convert_uint32_to_time_t(bad_password_time), PDB_SET);
-       pdb_set_pass_can_change_time(sampass, convert_uint32_to_time_t(pass_can_change_time), PDB_SET);
-       pdb_set_pass_must_change_time(sampass, convert_uint32_to_time_t(pass_must_change_time), PDB_SET);
-       pdb_set_pass_last_set_time(sampass, convert_uint32_to_time_t(pass_last_set_time), PDB_SET);
+       pdb_set_logon_time(sampass, convert_uint32_t_to_time_t(logon_time), PDB_SET);
+       pdb_set_logoff_time(sampass, convert_uint32_t_to_time_t(logoff_time), PDB_SET);
+       pdb_set_kickoff_time(sampass, convert_uint32_t_to_time_t(kickoff_time), PDB_SET);
+       pdb_set_bad_password_time(sampass, convert_uint32_t_to_time_t(bad_password_time), PDB_SET);
+       pdb_set_pass_can_change_time(sampass, convert_uint32_t_to_time_t(pass_can_change_time), PDB_SET);
+       pdb_set_pass_last_set_time(sampass, convert_uint32_t_to_time_t(pass_last_set_time), PDB_SET);
 
-       pdb_set_username(sampass, username, PDB_SET); 
+       pdb_set_username(sampass, username, PDB_SET);
        pdb_set_domain(sampass, domain, PDB_SET);
        pdb_set_nt_username(sampass, nt_username, PDB_SET);
        pdb_set_fullname(sampass, fullname, PDB_SET);
@@ -1615,13 +1697,13 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_homedir(sampass, tmp_string, PDB_SET);
        }
        else {
-               pdb_set_homedir(sampass, 
+               pdb_set_homedir(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_home()),
                        PDB_DEFAULT);
        }
 
-       if (dir_drive)  
+       if (dir_drive)
                pdb_set_dir_drive(sampass, dir_drive, PDB_SET);
        else
                pdb_set_dir_drive(sampass, lp_logon_drive(), PDB_DEFAULT );
@@ -1635,22 +1717,22 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
                pdb_set_logon_script(sampass, tmp_string, PDB_SET);
        }
        else {
-               pdb_set_logon_script(sampass, 
+               pdb_set_logon_script(sampass,
                        talloc_sub_basic(sampass, username, domain,
                                         lp_logon_script()),
                        PDB_DEFAULT);
        }
 
-       if (profile_path) {     
+       if (profile_path) {
                fstrcpy( tmp_string, profile_path );
                if (expand_explicit) {
                        standard_sub_basic( username, domain, tmp_string,
                                            sizeof(tmp_string) );
                }
                pdb_set_profile_path(sampass, tmp_string, PDB_SET);
-       } 
+       }
        else {
-               pdb_set_profile_path(sampass, 
+               pdb_set_profile_path(sampass,
                        talloc_sub_basic(sampass, username, domain, lp_logon_path()),
                        PDB_DEFAULT);
        }
@@ -1676,7 +1758,7 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
 
        pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen);
        if (pwHistLen) {
-               uint8 *pw_hist = (uint8 *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
+               uint8_t *pw_hist = (uint8_t *)SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
                if (!pw_hist) {
                        ret = False;
                        goto done;
@@ -1707,10 +1789,10 @@ static bool init_samu_from_buffer_v3(struct samu *sampass, uint8 *buf, uint32 bu
        pdb_set_bad_password_count(sampass, bad_password_count, PDB_SET);
        pdb_set_logon_count(sampass, logon_count, PDB_SET);
        pdb_set_unknown_6(sampass, unknown_6, PDB_SET);
-       /* Change from V2 is the uint32 acct_ctrl */
+       /* Change from V2 is the uint32_t acct_ctrl */
        pdb_set_acct_ctrl(sampass, acct_ctrl, PDB_SET);
        pdb_set_logon_divs(sampass, logon_divs, PDB_SET);
-       pdb_set_hours(sampass, hours, PDB_SET);
+       pdb_set_hours(sampass, hours, hours_len, PDB_SET);
 
 done:
 
@@ -1737,14 +1819,14 @@ done:
 /*********************************************************************
 *********************************************************************/
 
-static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool size_only)
+static uint32_t init_buffer_from_samu_v3 (uint8_t **buf, struct samu *sampass, bool size_only)
 {
        size_t len, buflen;
 
        /* times are stored as 32bit integer
           take care on system with 64bit wide time_t
           --SSS */
-       uint32  logon_time,
+       uint32_t        logon_time,
                logoff_time,
                kickoff_time,
                bad_password_time,
@@ -1752,7 +1834,7 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
                pass_can_change_time,
                pass_must_change_time;
 
-       uint32  user_rid, group_rid;
+       uint32_t  user_rid, group_rid;
 
        const char *username;
        const char *domain;
@@ -1766,29 +1848,29 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
        const char *profile_path;
        const char *acct_desc;
        const char *workstations;
-       uint32  username_len, domain_len, nt_username_len,
+       uint32_t        username_len, domain_len, nt_username_len,
                dir_drive_len, comment_len, munged_dial_len,
                fullname_len, homedir_len, logon_script_len,
                profile_path_len, acct_desc_len, workstations_len;
 
-       const uint8 *lm_pw;
-       const uint8 *nt_pw;
-       const uint8 *nt_pw_hist;
-       uint32  lm_pw_len = 16;
-       uint32  nt_pw_len = 16;
-       uint32  nt_pw_hist_len;
-       uint32 pwHistLen = 0;
+       const uint8_t *lm_pw;
+       const uint8_t *nt_pw;
+       const uint8_t *nt_pw_hist;
+       uint32_t        lm_pw_len = 16;
+       uint32_t        nt_pw_len = 16;
+       uint32_t  nt_pw_hist_len;
+       uint32_t pwHistLen = 0;
 
        *buf = NULL;
        buflen = 0;
 
-       logon_time = convert_time_t_to_uint32(pdb_get_logon_time(sampass));
-       logoff_time = convert_time_t_to_uint32(pdb_get_logoff_time(sampass));
-       kickoff_time = convert_time_t_to_uint32(pdb_get_kickoff_time(sampass));
-       bad_password_time = convert_time_t_to_uint32(pdb_get_bad_password_time(sampass));
-       pass_can_change_time = convert_time_t_to_uint32(pdb_get_pass_can_change_time_noncalc(sampass));
-       pass_must_change_time = convert_time_t_to_uint32(pdb_get_pass_must_change_time(sampass));
-       pass_last_set_time = convert_time_t_to_uint32(pdb_get_pass_last_set_time(sampass));
+       logon_time = convert_time_t_to_uint32_t(pdb_get_logon_time(sampass));
+       logoff_time = convert_time_t_to_uint32_t(pdb_get_logoff_time(sampass));
+       kickoff_time = convert_time_t_to_uint32_t(pdb_get_kickoff_time(sampass));
+       bad_password_time = convert_time_t_to_uint32_t(pdb_get_bad_password_time(sampass));
+       pass_can_change_time = convert_time_t_to_uint32_t(pdb_get_pass_can_change_time_noncalc(sampass));
+       pass_must_change_time = convert_time_t_to_uint32_t(pdb_get_pass_must_change_time(sampass));
+       pass_last_set_time = convert_time_t_to_uint32_t(pdb_get_pass_last_set_time(sampass));
 
        user_rid = pdb_get_user_rid(sampass);
        group_rid = pdb_get_group_rid(sampass);
@@ -1912,7 +1994,7 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
        if (munged_dial) {
                munged_dial_len = strlen(munged_dial) +1;
        } else {
-               munged_dial_len = 0;    
+               munged_dial_len = 0;
        }
 
 /* SAMU_BUFFER_FORMAT_V3       "dddddddBBBBBBBBBBBBddBBBdwdBwwd" */
@@ -1956,7 +2038,7 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
        }
 
        /* malloc the space needed */
-       if ( (*buf=(uint8*)SMB_MALLOC(len)) == NULL) {
+       if ( (*buf=(uint8_t*)SMB_MALLOC(len)) == NULL) {
                DEBUG(0,("init_buffer_from_samu_v3: Unable to malloc() memory for buffer!\n"));
                return (-1);
        }
@@ -1997,8 +2079,8 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
 
        /* check to make sure we got it correct */
        if (buflen != len) {
-               DEBUG(0, ("init_buffer_from_samu_v3: somthing odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n", 
-                         (unsigned long)buflen, (unsigned long)len));  
+               DEBUG(0, ("init_buffer_from_samu_v3: something odd is going on here: bufflen (%lu) != len (%lu) in tdb_pack operations!\n",
+                         (unsigned long)buflen, (unsigned long)len));
                /* error */
                SAFE_FREE (*buf);
                return (-1);
@@ -2007,13 +2089,13 @@ static uint32 init_buffer_from_samu_v3 (uint8 **buf, struct samu *sampass, bool
        return (buflen);
 }
 
-static bool init_samu_from_buffer_v4(struct samu *sampass, uint8 *buf, uint32 buflen)
+static bool init_samu_from_buffer_v4(struct samu *sampass, uint8_t *buf, uint32_t buflen)
 {
        /* nothing changed between V3 and V4 */
        return init_samu_from_buffer_v3(sampass, buf, buflen);
 }
 
-static uint32 init_buffer_from_samu_v4(uint8 **buf, struct samu *sampass, bool size_only)
+static uint32_t init_buffer_from_samu_v4(uint8_t **buf, struct samu *sampass, bool size_only)
 {
        /* nothing changed between V3 and V4 */
        return init_buffer_from_samu_v3(buf, sampass, size_only);
@@ -2024,7 +2106,7 @@ static uint32 init_buffer_from_samu_v4(uint8 **buf, struct samu *sampass, bool s
  *********************************************************************/
 
 bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
-                          uint8 *buf, uint32 buflen)
+                          uint8_t *buf, uint32_t buflen)
 {
        switch (level) {
        case SAMU_BUFFER_V0:
@@ -2046,7 +2128,7 @@ bool init_samu_from_buffer(struct samu *sampass, uint32_t level,
  Intialize a BYTE buffer from a struct samu struct
  *********************************************************************/
 
-uint32 init_buffer_from_samu (uint8 **buf, struct samu *sampass, bool size_only)
+uint32_t init_buffer_from_samu (uint8_t **buf, struct samu *sampass, bool size_only)
 {
        return init_buffer_from_samu_v4(buf, sampass, size_only);
 }
@@ -2056,7 +2138,7 @@ uint32 init_buffer_from_samu (uint8 **buf, struct samu *sampass, bool size_only)
 
 bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
 {
-       uint8 *buf = NULL;
+       uint8_t *buf = NULL;
        int len;
 
        len = init_buffer_from_samu(&buf, src, False);
@@ -2080,6 +2162,10 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
                }
        }
 
+       if (src->group_sid) {
+               pdb_set_group_sid(dst, src->group_sid, PDB_SET);
+       }
+
        free(buf);
        return True;
 }
@@ -2091,8 +2177,8 @@ bool pdb_copy_sam_account(struct samu *dst, struct samu *src )
 bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
 {
        time_t LastBadPassword;
-       uint16 BadPasswordCount;
-       uint32 resettime; 
+       uint16_t BadPasswordCount;
+       uint32_t resettime;
        bool res;
 
        BadPasswordCount = pdb_get_bad_password_count(sampass);
@@ -2111,15 +2197,15 @@ bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
        }
 
        /* First, check if there is a reset time to compare */
-       if ((resettime == (uint32) -1) || (resettime == 0)) {
+       if ((resettime == (uint32_t) -1) || (resettime == 0)) {
                DEBUG(9, ("No reset time, can't reset bad pw count\n"));
                return True;
        }
 
        LastBadPassword = pdb_get_bad_password_time(sampass);
-       DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n", 
-                  (uint32) LastBadPassword, resettime, (uint32)time(NULL)));
-       if (time(NULL) > (LastBadPassword + convert_uint32_to_time_t(resettime)*60)){
+       DEBUG(7, ("LastBadPassword=%d, resettime=%d, current time=%d.\n",
+                  (uint32_t) LastBadPassword, resettime, (uint32_t)time(NULL)));
+       if (time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(resettime)*60)){
                pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
                pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
                if (updated) {
@@ -2136,7 +2222,7 @@ bool pdb_update_bad_password_count(struct samu *sampass, bool *updated)
 
 bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
 {
-       uint32 duration;
+       uint32_t duration;
        time_t LastBadPassword;
        bool res;
 
@@ -2156,14 +2242,14 @@ bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
        }
 
        /* First, check if there is a duration to compare */
-       if ((duration == (uint32) -1)  || (duration == 0)) {
+       if ((duration == (uint32_t) -1)  || (duration == 0)) {
                DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
                return True;
        }
 
        LastBadPassword = pdb_get_bad_password_time(sampass);
        DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
-                 pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
+                 pdb_get_username(sampass), (uint32_t)LastBadPassword, duration*60, (uint32_t)time(NULL)));
 
        if (LastBadPassword == (time_t)0) {
                DEBUG(1,("pdb_update_autolock_flag: Account %s "
@@ -2173,7 +2259,7 @@ bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
                return True;
        }
 
-       if ((time(NULL) > (LastBadPassword + convert_uint32_to_time_t(duration) * 60))) {
+       if ((time(NULL) > (LastBadPassword + convert_uint32_t_to_time_t(duration) * 60))) {
                pdb_set_acct_ctrl(sampass,
                                  pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
                                  PDB_CHANGED);
@@ -2188,12 +2274,12 @@ bool pdb_update_autolock_flag(struct samu *sampass, bool *updated)
 }
 
 /*********************************************************************
- Increment the bad_password_count 
+ Increment the bad_password_count
 *********************************************************************/
 
 bool pdb_increment_bad_password_count(struct samu *sampass)
 {
-       uint32 account_policy_lockout;
+       uint32_t account_policy_lockout;
        bool autolock_updated = False, badpw_updated = False;
        bool ret;
 
@@ -2221,24 +2307,24 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
                return False;
 
        /*
-         Ok, now we can assume that any resetting that needs to be 
+         Ok, now we can assume that any resetting that needs to be
          done has been done, and just get on with incrementing
          and autolocking if necessary
        */
 
-       pdb_set_bad_password_count(sampass, 
+       pdb_set_bad_password_count(sampass,
                                   pdb_get_bad_password_count(sampass)+1,
                                   PDB_CHANGED);
        pdb_set_bad_password_time(sampass, time(NULL), PDB_CHANGED);
 
 
-       if (pdb_get_bad_password_count(sampass) < account_policy_lockout) 
+       if (pdb_get_bad_password_count(sampass) < account_policy_lockout)
                return True;
 
        if (!pdb_set_acct_ctrl(sampass,
                               pdb_get_acct_ctrl(sampass) | ACB_AUTOLOCK,
                               PDB_CHANGED)) {
-               DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n")); 
+               DEBUG(1, ("pdb_increment_bad_password_count:failed to set 'autolock' flag. \n"));
                return False;
        }
 
@@ -2256,12 +2342,26 @@ bool is_dc_trusted_domain_situation(const char *domain_name)
  Caller must free password, but not account_name.
 *******************************************************************/
 
-bool get_trust_pw_clear(const char *domain, char **ret_pwd,
-                       const char **account_name, uint32 *channel)
+static bool get_trust_pw_clear2(const char *domain,
+                               const char **account_name,
+                               enum netr_SchannelType *channel,
+                               char **cur_pw,
+                               time_t *_last_set_time,
+                               char **prev_pw)
 {
        char *pwd;
        time_t last_set_time;
 
+       if (cur_pw != NULL) {
+               *cur_pw = NULL;
+       }
+       if (_last_set_time != NULL) {
+               *_last_set_time = 0;
+       }
+       if (prev_pw != NULL) {
+               *prev_pw = NULL;
+       }
+
        /* if we are a DC and this is not our domain, then lookup an account
         * for the domain trust */
 
@@ -2270,7 +2370,7 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
                        return false;
                }
 
-               if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+               if (!pdb_get_trusteddom_pw(domain, cur_pw, NULL,
                                           &last_set_time))
                {
                        DEBUG(0, ("get_trust_pw: could not fetch trust "
@@ -2287,6 +2387,10 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
                        *account_name = lp_workgroup();
                }
 
+               if (_last_set_time != NULL) {
+                       *_last_set_time = last_set_time;
+               }
+
                return true;
        }
 
@@ -2310,33 +2414,98 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
        pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time, channel);
 
        if (pwd != NULL) {
-               *ret_pwd = pwd;
+               struct timeval expire;
+
+               *cur_pw = pwd;
+
                if (account_name != NULL) {
-                       *account_name = global_myname();
+                       *account_name = lp_netbios_name();
+               }
+
+               if (_last_set_time != NULL) {
+                       *_last_set_time = last_set_time;
+               }
+
+               if (prev_pw == NULL) {
+                       return true;
+               }
+
+               ZERO_STRUCT(expire);
+               expire.tv_sec = lp_machine_password_timeout();
+               expire.tv_sec /= 2;
+               expire.tv_sec += last_set_time;
+               if (timeval_expired(&expire)) {
+                       return true;
+               }
+
+               pwd = secrets_fetch_prev_machine_password(lp_workgroup());
+               if (pwd != NULL) {
+                       *prev_pw = pwd;
                }
 
                return true;
        }
 
-       DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+       DEBUG(5, ("get_trust_pw_clear2: could not fetch clear text trust "
                  "account password for domain %s\n", domain));
        return false;
 }
 
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+                       const char **account_name,
+                       enum netr_SchannelType *channel)
+{
+       return get_trust_pw_clear2(domain,
+                                  account_name,
+                                  channel,
+                                  ret_pwd,
+                                  NULL,
+                                  NULL);
+}
+
 /*******************************************************************
  Wrapper around retrieving the trust account password.
  appropriate account name is stored in account_name.
 *******************************************************************/
 
-bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
-                      const char **account_name, uint32 *channel)
+static bool get_trust_pw_hash2(const char *domain,
+                              const char **account_name,
+                              enum netr_SchannelType *channel,
+                              struct samr_Password *current_nt_hash,
+                              time_t *last_set_time,
+                              struct samr_Password **_previous_nt_hash)
 {
-       char *pwd = NULL;
-       time_t last_set_time;
+       char *cur_pw = NULL;
+       char *prev_pw = NULL;
+       char **_prev_pw = NULL;
+       bool ok;
+
+       if (_previous_nt_hash != NULL) {
+               *_previous_nt_hash = NULL;
+               _prev_pw = &prev_pw;
+       }
+
+       ok = get_trust_pw_clear2(domain, account_name, channel,
+                                &cur_pw, last_set_time, _prev_pw);
+       if (ok) {
+               struct samr_Password *previous_nt_hash = NULL;
+
+               E_md4hash(cur_pw, current_nt_hash->hash);
+               BURN_FREE_STR(cur_pw);
+
+               if (prev_pw == NULL) {
+                       return true;
+               }
+
+               previous_nt_hash = SMB_MALLOC_P(struct samr_Password);
+               if (previous_nt_hash == NULL) {
+                       return false;
+               }
+
+               E_md4hash(prev_pw, previous_nt_hash->hash);
+               BURN_FREE_STR(prev_pw);
 
-       if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
-               E_md4hash(pwd, ret_pwd);
-               SAFE_FREE(pwd);
+               *_previous_nt_hash = previous_nt_hash;
                return true;
        } else if (is_dc_trusted_domain_situation(domain)) {
                return false;
@@ -2344,12 +2513,13 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
 
        /* as a fallback, try to get the hashed pwd directly from the tdb... */
 
-       if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
-                                                       &last_set_time,
+       if (secrets_fetch_trust_account_password_legacy(domain,
+                                                       current_nt_hash->hash,
+                                                       last_set_time,
                                                        channel))
        {
                if (account_name != NULL) {
-                       *account_name = global_myname();
+                       *account_name = lp_netbios_name();
                }
 
                return true;
@@ -2360,25 +2530,226 @@ bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16],
        return False;
 }
 
-struct samr_LogonHours get_logon_hours_from_pdb(TALLOC_CTX *mem_ctx,
-                                               struct samu *pw)
+bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
+                      const char **account_name,
+                      enum netr_SchannelType *channel)
 {
-       struct samr_LogonHours hours;
-       const int units_per_week = 168;
+       struct samr_Password current_nt_hash;
+       bool ok;
 
-       ZERO_STRUCT(hours);
-       hours.bits = talloc_array(mem_ctx, uint8_t, units_per_week);
-       if (!hours.bits) {
-               return hours;
+       ok = get_trust_pw_hash2(domain, account_name, channel,
+                               &current_nt_hash, NULL, NULL);
+       if (!ok) {
+               return false;
        }
 
-       hours.units_per_week = units_per_week;
-       memset(hours.bits, 0xFF, units_per_week);
+       memcpy(ret_pwd, current_nt_hash.hash, sizeof(current_nt_hash.hash));
+       return true;
+}
+
+NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
+                                  const char *dns_domain, /* optional */
+                                  TALLOC_CTX *mem_ctx,
+                                  struct cli_credentials **_creds)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       NTSTATUS status;
+       struct loadparm_context *lp_ctx;
+       enum netr_SchannelType channel;
+       time_t last_set_time;
+       const char *_account_name;
+       const char *account_name;
+       char *cur_pw = NULL;
+       char *prev_pw = NULL;
+       struct samr_Password cur_nt_hash;
+       struct cli_credentials *creds = NULL;
+       bool ok;
+
+       /*
+        * If this is our primary trust relationship, use the common
+        * code to read the secrets.ldb or secrets.tdb file.
+        */
+       if (strequal(netbios_domain, lp_workgroup())) {
+               struct db_context *db_ctx = secrets_db_ctx();
+               if (db_ctx == NULL) {
+                       DEBUG(1, ("failed to open secrets.tdb to obtain our trust credentials for %s\n",
+                                 netbios_domain));
+                       status = NT_STATUS_INTERNAL_ERROR;
+                       goto fail;
+               }
+
+               lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+               if (lp_ctx == NULL) {
+                       DEBUG(1, ("loadparm_init_s3 failed\n"));
+                       status = NT_STATUS_INTERNAL_ERROR;
+                       goto fail;
+               }
 
-       if (pdb_get_hours(pw)) {
-               memcpy(hours.bits, pdb_get_hours(pw),
-                      MIN(pdb_get_hours_len(pw), units_per_week));
+               creds = cli_credentials_init(mem_ctx);
+               if (creds == NULL) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto fail;
+               }
+
+               ok = cli_credentials_set_conf(creds, lp_ctx);
+               if (!ok) {
+                       status = NT_STATUS_INTERNAL_ERROR;
+                       goto fail;
+               }
+
+               ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+               if (!ok) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto fail;
+               }
+
+               status = cli_credentials_set_machine_account_db_ctx(creds,
+                                                                   lp_ctx,
+                                                                   db_ctx);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto fail;
+               }
+               goto done;
+       } else if (!IS_DC) {
+               DEBUG(1, ("Refusing to get trust account info for %s, "
+                         "which is not our primary domain %s, "
+                         "as we are not a DC\n",
+                         netbios_domain, lp_workgroup()));
+               status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+               goto fail;
+       }
+
+       status = pdb_get_trusteddom_creds(netbios_domain, mem_ctx, &creds);
+       if (NT_STATUS_IS_OK(status)) {
+               goto done;
+       }
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+               goto fail;
+       }
+
+       ok = get_trust_pw_clear2(netbios_domain,
+                                &_account_name,
+                                &channel,
+                                &cur_pw,
+                                &last_set_time,
+                                &prev_pw);
+       if (!ok) {
+               ok = get_trust_pw_hash2(netbios_domain,
+                                       &_account_name,
+                                       &channel,
+                                       &cur_nt_hash,
+                                       &last_set_time,
+                                       NULL);
+               if (!ok) {
+                       DEBUG(1, ("get_trust_pw_*2 failed for domain[%s]\n",
+                                 netbios_domain));
+                       status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+                       goto fail;
+               }
+       }
+
+       account_name = talloc_asprintf(frame, "%s$", _account_name);
+       if (account_name == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto fail;
+       }
+
+       lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+       if (lp_ctx == NULL) {
+               DEBUG(1, ("loadparm_init_s3 failed\n"));
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto fail;
+       }
+
+       creds = cli_credentials_init(mem_ctx);
+       if (creds == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto fail;
+       }
+
+       ok = cli_credentials_set_conf(creds, lp_ctx);
+       if (!ok) {
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto fail;
+       }
+
+       cli_credentials_set_secure_channel_type(creds, channel);
+       cli_credentials_set_password_last_changed_time(creds, last_set_time);
+
+       ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+       if (!ok) {
+               status = NT_STATUS_NO_MEMORY;
+               goto fail;
+       }
+
+       if (dns_domain != NULL) {
+               ok = cli_credentials_set_realm(creds, dns_domain, CRED_SPECIFIED);
+               if (!ok) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto fail;
+               }
+
+               /*
+                * It's not possible to use NTLMSSP with a domain trust account.
+                */
+               cli_credentials_set_kerberos_state(creds,
+                                                  CRED_USE_KERBEROS_REQUIRED,
+                                                  CRED_SPECIFIED);
+       } else {
+               /*
+                * We can't use kerberos against an NT4 domain.
+                *
+                * We should have a mode that also disallows NTLMSSP here,
+                * as only NETLOGON SCHANNEL is possible.
+                */
+               cli_credentials_set_kerberos_state(creds,
+                                                  CRED_USE_KERBEROS_DISABLED,
+                                                  CRED_SPECIFIED);
+       }
+
+       ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
+       if (!ok) {
+               status = NT_STATUS_NO_MEMORY;
+               goto fail;
+       }
+
+       if (cur_pw == NULL) {
+               ok = cli_credentials_set_nt_hash(creds, &cur_nt_hash, CRED_SPECIFIED);
+               if (!ok) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto fail;
+               }
+               /*
+                * We currently can't do kerberos just with an NTHASH.
+                */
+               cli_credentials_set_kerberos_state(creds,
+                                                  CRED_USE_KERBEROS_DISABLED,
+                                                  CRED_SPECIFIED);
+               goto done;
+       }
+
+       ok = cli_credentials_set_password(creds, cur_pw, CRED_SPECIFIED);
+       if (!ok) {
+               status = NT_STATUS_NO_MEMORY;
+               goto fail;
+       }
+
+       if (prev_pw != NULL) {
+               ok = cli_credentials_set_old_password(creds, prev_pw, CRED_SPECIFIED);
+               if (!ok) {
+                       status = NT_STATUS_NO_MEMORY;
+                       goto fail;
+               }
        }
 
-       return hours;
+ done:
+       *_creds = creds;
+       creds = NULL;
+       status = NT_STATUS_OK;
+ fail:
+       TALLOC_FREE(creds);
+       SAFE_FREE(cur_pw);
+       SAFE_FREE(prev_pw);
+       TALLOC_FREE(frame);
+       return status;
 }