Merge: clarify secure channel connection comment.
[kai/samba.git] / source / rpc_client / cli_pipe.c
index 0258c1a0e73ff62b1ab8d40dccd8e9ad815f1486..a5cb6d425eef64588f87310d9891453faf708255 100644 (file)
@@ -1,11 +1,10 @@
-
 /* 
- *  Unix SMB/Netbios implementation.
- *  Version 1.9.
+ *  Unix SMB/CIFS implementation.
  *  RPC Pipe client / server routines
  *  Copyright (C) Andrew Tridgell              1992-1998,
  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
  *  Copyright (C) Paul Ashton                       1998.
+ *  Copyright (C) Jeremy Allison                    1999.
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  */
 
-
-#ifdef SYSLOG
-#undef SYSLOG
-#endif
-
 #include "includes.h"
 
-extern int DEBUGLEVEL;
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_RPC_CLI
+
 extern struct pipe_id_info pipe_names[];
-extern fstring global_myworkgroup;
-extern pstring global_myname;
 
 /********************************************************************
- rpc pipe call id 
+ Rpc pipe call id.
  ********************************************************************/
+
 static uint32 get_rpc_call_id(void)
 {
-  static uint32 call_id = 1;
-  return ++call_id;
+       static uint32 call_id = 0;
+       return ++call_id;
 }
 
 /*******************************************************************
- uses SMBreadX to get rest of rpc data
+ Use SMBreadX to get rest of one fragment's worth of rpc data.
  ********************************************************************/
 
-static BOOL rpc_read(struct cli_state *cli, 
-                     prs_struct *rdata, uint32 data_to_read,
-                     uint32 rdata_offset)
+static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
 {
-       int size = 0x1630;
-       int file_offset = rdata_offset;
+       size_t size = (size_t)cli->max_recv_frag;
+       int stream_offset = 0;
        int num_read;
-       char *data = rdata->data->data;
-       uint32 err;
-       uint32 new_data_size = rdata->data->data_used + data_to_read;
-
-       data += rdata_offset;
+       char *pdata;
+       int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
 
-       file_offset -= rdata_offset;
+       DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
+               (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
 
-       DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n",
-       data_to_read, rdata_offset, file_offset));
+       /*
+        * Grow the buffer if needed to accommodate the data to be read.
+        */
 
-       if (new_data_size > rdata->data->data_size)
-       {
-               mem_grow_data(&rdata->data, True, new_data_size, True);
-               DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
+       if (extra_data_size > 0) {
+               if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
+                       DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
+                       return False;
+               }
+               DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
        }
 
+       pdata = prs_data_p(rdata) + *rdata_offset;
+
        do /* read data using SMBreadX */
        {
-               if (size > data_to_read)
-               size = data_to_read;
+               uint32 ecode;
+               uint8 eclass;
 
-               new_data_size = rdata->data->data_used + size;
+               if (size > (size_t)data_to_read)
+                       size = (size_t)data_to_read;
 
-               if (new_data_size > rdata->data->data_size)
-               {
-                       mem_grow_data(&rdata->data, True, new_data_size, True);
-                       DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
-               }
+               num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
 
-               num_read = cli_read(cli, cli->nt_pipe_fnum, data, file_offset + 0x100000, size);
+               DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
+                         num_read, stream_offset, data_to_read));
 
-               DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n",
-                         file_offset, num_read, data_to_read));
+               if (cli_is_dos_error(cli)) {
+                        cli_dos_error(cli, &eclass, &ecode);
+                        if (eclass != ERRDOS && ecode != ERRmoredata) {
+                                DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
+                                         eclass, (unsigned int)ecode));
+                                return False;
+                        }
+               }
 
                data_to_read -= num_read;
-               file_offset  += num_read;
-               data         += num_read;
-
-               if (cli_error(cli, NULL, &err)) return False;
+               stream_offset += num_read;
+               pdata += num_read;
 
        } while (num_read > 0 && data_to_read > 0);
        /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
 
-       mem_realloc_data(rdata->data, file_offset + rdata_offset);
-       rdata->data->offset.end = file_offset + rdata_offset;
-
-       DEBUG(5,("rpc_read: data supposedly left to read:0x%x\n", data_to_read));
+       /*
+        * Update the current offset into rdata by the amount read.
+        */
+       *rdata_offset += stream_offset;
 
-       return data_to_read == 0;
+       return True;
 }
 
 /****************************************************************************
- checks the header
+ Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
  ****************************************************************************/
-static BOOL rpc_check_hdr(prs_struct *rdata, uint8 *pkt_type,
-                          BOOL *first, BOOL *last, int *len)
+
+static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, 
+                          BOOL *first, BOOL *last, uint32 *len)
 {
-       RPC_HDR    rhdr;
+       DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
 
-       DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used));
+       /* Next call sets endian bit. */
 
-       smb_io_rpc_hdr   ("rpc_hdr   ", &rhdr   , rdata, 0);
+       if(!smb_io_rpc_hdr("rpc_hdr   ", rhdr, rdata, 0)) {
+               DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
+               return False;
+       }
 
-       if (!rdata->offset || rdata->offset != 0x10)
-       {
-               DEBUG(0,("cli_pipe: error in rpc header\n"));
+       if (prs_offset(rdata) != RPC_HEADER_LEN) {
+               DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
                return False;
        }
 
-       DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n",
-                 rdata->data->data_used));
+       (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
+       (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
+       (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
+
+       return (rhdr->pkt_type != RPC_FAULT);
+}
+
+static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
+{
+       unsigned char *hash = cli->ntlmssp_hash;
+       unsigned char index_i = hash[256];
+       unsigned char index_j = hash[257];
+       int ind;
+
+       for( ind = 0; ind < len; ind++) {
+               unsigned char tc;
+               unsigned char t;
+
+               index_i++;
+               index_j += hash[index_i];
+
+               tc = hash[index_i];
+               hash[index_i] = hash[index_j];
+               hash[index_j] = tc;
+
+               t = hash[index_i] + hash[index_j];
+               data[ind] = data[ind] ^ hash[t];
+       }
+
+       hash[256] = index_i;
+       hash[257] = index_j;
+}
+
+/****************************************************************************
+ Verify data on an rpc pipe.
+ The VERIFY & SEAL code is only executed on packets that look like this :
+
+ Request/Response PDU's look like the following...
+
+ |<------------------PDU len----------------------------------------------->|
+ |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
+
+ +------------+-----------------+-------------+---------------+-------------+
+ | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
+ +------------+-----------------+-------------+---------------+-------------+
+
+ Never on bind requests/responses.
+ ****************************************************************************/
+
+static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
+{
+       /*
+        * The following is that length of the data we must sign or seal.
+        * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
+        * preceeding the auth_data.
+        */
+
+       int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
+
+       /*
+        * The start of the data to sign/seal is just after the RPC headers.
+        */
+       char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
+
+       BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
+       BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
+       BOOL auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
+
+       DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s schannel %s\n",
+                 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal), BOOLSTR(auth_schannel)));
+
+       /*
+        * Unseal any sealed data in the PDU, not including the
+        * 8 byte auth_header or the auth_data.
+        */
+
+       if (auth_seal) {
+               DEBUG(10,("rpc_auth_pipe: unseal\n"));
+               dump_data(100, reply_data, data_len);
+               NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
+               dump_data(100, reply_data, data_len);
+       }
+
+       if (auth_verify || auth_seal) {
+               RPC_HDR_AUTH rhdr_auth; 
+               prs_struct auth_req;
+               char data[RPC_HDR_AUTH_LEN];
+               /*
+                * We set dp to be the end of the packet, minus the auth_len
+                * and the length of the header that preceeds the auth_data.
+                */
+               char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
+
+               if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
+                       return False;
+               }
+
+               memcpy(data, dp, sizeof(data));
+               
+               prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
+
+               /* The endianness must be preserved... JRA. */
+
+               prs_set_endian_data(&auth_req, rdata->bigendian_data);
+
+               prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
+
+               /*
+                * Unmarshall the 8 byte auth_header that comes before the
+                * auth data.
+                */
+
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
+                       DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
+                       return False;
+               }
+
+               if (!rpc_hdr_auth_chk(&rhdr_auth)) {
+                       DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
+                       return False;
+               }
+       }
+
+       /*
+        * Now unseal and check the auth verifier in the auth_data at
+        * then end of the packet. The 4 bytes skipped in the unseal
+        * seem to be a buffer pointer preceeding the sealed data.
+        */
+
+       if (auth_verify) {
+               RPC_AUTH_NTLMSSP_CHK chk;
+               uint32 crc32;
+               prs_struct auth_verf;
+               char data[RPC_AUTH_NTLMSSP_CHK_LEN];
+               char *dp = prs_data_p(rdata) + len - auth_len;
+
+               if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
+                       return False;
+               }
+
+               DEBUG(10,("rpc_auth_pipe: verify\n"));
+               dump_data(100, dp, auth_len);
+               NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
+
+               memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
+               dump_data(100, data, auth_len);
+
+               prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
+
+               /* The endinness must be preserved. JRA. */
+               prs_set_endian_data( &auth_verf, rdata->bigendian_data);
+
+               prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
+
+               if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
+                       DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
+                       return False;
+               }
+
+               crc32 = crc32_calc_buffer(reply_data, data_len);
+
+               if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
+                       DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
+                       return False;
+               }
+               cli->ntlmssp_seq_num++;
+       }
+
+       if (auth_schannel) {
+               RPC_AUTH_NETSEC_CHK chk;
+               char data[RPC_AUTH_NETSEC_CHK_LEN];
+               char *dp = prs_data_p(rdata) + len - auth_len;
+               prs_struct auth_verf;
+
+               if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
+                       DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
+                       return False;
+               }
+
+               if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
+                       return False;
+               }
+
+               DEBUG(10,("rpc_auth_pipe: schannel verify netsec\n"));
+               dump_data(100, dp, auth_len);
+
+               memcpy(data, dp, sizeof(data));
+               dump_data(100, data, sizeof(data));
 
-       (*first   ) = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_FIRST);
-       (*last    ) = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_LAST );
-       (*len     ) = rhdr.frag_len - rdata->data->data_used;
-       (*pkt_type) = rhdr.pkt_type;
+               prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
 
+               /* The endinness must be preserved. JRA. */
+               prs_set_endian_data( &auth_verf, rdata->bigendian_data);
+
+               prs_give_memory(&auth_verf, data, RPC_AUTH_NETSEC_CHK_LEN, False);
+
+               if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", &chk, &auth_verf, 0)) {
+                       DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
+                                 "RPC_AUTH_NETSECK_CHK failed\n"));
+                       return False;
+               }
+
+               cli->auth_info.seq_num++;
+
+               if (!netsec_decode(&cli->auth_info, &chk, reply_data, data_len)) {
+                       DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
+                       return False;
+               }
+       }
        return True;
 }
 
+
 /****************************************************************************
send data on an rpc pipe, which *must* be in one fragment.
Send data on an rpc pipe via trans, which *must* be the last fragment.
  receive response data from an rpc pipe, which may be large...
 
read the first fragment: unfortunately have to use SMBtrans for the first
Read the first fragment: unfortunately have to use SMBtrans for the first
  bit, then SMBreadX for subsequent bits.
 
if first fragment received also wasn't the last fragment, continue
If first fragment received also wasn't the last fragment, continue
  getting fragments until we _do_ receive the last fragment.
 
- [note: from a data abstraction viewpoint, this function is marginally
-        complicated by the return side of cli_api_pipe getting in the way
-        (i.e, the SMB header stuff).  the proper way to do this is to split
-        cli_api_pipe down into receive / transmit.  oh, and split cli_readx
-        down.  in other words, state-based (kernel) techniques...]
+ Request/Response PDU's look like the following...
+
+ |<------------------PDU len----------------------------------------------->|
+ |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
+
+ +------------+-----------------+-------------+---------------+-------------+
+ | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
+ +------------+-----------------+-------------+---------------+-------------+
+
+ Where the presence of the AUTH_HDR and AUTH are dependent on the
+ signing & sealing being negotiated.
 
  ****************************************************************************/
 
-static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, 
-                  prs_struct *param , prs_struct *data,
-                  prs_struct *rparam, prs_struct *rdata)
+static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata)
 {
-       int len;
-
-       uint16 setup[2]; /* only need 2 uint16 setup parameters */
-       uint32 err;
-       uint8 pkt_type = 0xff;
+       uint32 len;
+       char *rparam = NULL;
+       uint32 rparam_len = 0;
+       uint16 setup[2];
        BOOL first = True;
        BOOL last  = True;
+       RPC_HDR rhdr;
+       char *pdata = data ? prs_data_p(data) : NULL;
+       uint32 data_len = data ? prs_offset(data) : 0;
+       char *prdata = NULL;
+       uint32 rdata_len = 0;
+       uint32 current_offset = 0;
+       uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
 
-       /*
-       * Setup the pointers from the incoming.
-       */
-       char *pparams = param ? param->data->data : NULL;
-       int params_len = param ? param->data->data_used : 0;
-       char *pdata = data ? data->data->data : NULL;
-       int data_len = data ? data->data->data_used : 0;
+       /* Create setup parameters - must be in native byte order. */
 
-       /*
-       * Setup the pointers to the outgoing.
-       */
-       char **pp_ret_params = rparam ? &rparam->data->data : NULL;
-       uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL;
+       setup[0] = TRANSACT_DCERPCCMD; 
+       setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
 
-       char **pp_ret_data = rdata ? &rdata->data->data : NULL;
-       uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL;
+       DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
 
-       /* create setup parameters. */
-       setup[0] = cmd; 
-       setup[1] = cli->nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
+       /* Send the RPC request and receive a response.  For short RPC
+          calls (about 1024 bytes or so) the RPC request and response
+          appears in a SMBtrans request and response.  Larger RPC
+          responses are received further on. */
 
-       /* send the data: receive a response. */
-       if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
+       if (!cli_api_pipe(cli, "\\PIPE\\",
                  setup, 2, 0,                     /* Setup, length, max */
-                 pparams, params_len, 0,          /* Params, length, max */
-                 pdata, data_len, 1024,           /* data, length, max */                  
-                 pp_ret_params, p_ret_params_len, /* return params, len */
-                 pp_ret_data, p_ret_data_len))    /* return data, len */
+                 NULL, 0, 0,                      /* Params, length, max */
+                 pdata, data_len, max_data,       /* data, length, max */
+                 &rparam, &rparam_len,            /* return params, len */
+                 &prdata, &rdata_len))            /* return data, len */
        {
                DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
                return False;
        }
 
-       if (rdata->data->data == NULL) return False;
+       /* Throw away returned params - we know we won't use them. */
 
-       /**** parse the header: check it's a response record */
+       SAFE_FREE(rparam);
 
-       rdata->data->offset.start = 0;
-       rdata->data->offset.end   = rdata->data->data_used;
-       rdata->offset = 0;
+       if (prdata == NULL) {
+               DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
+                       (int)cli->nt_pipe_fnum));
+               return False;
+       }
 
-       /* cli_api_pipe does an ordinary Realloc - we have no margins now. */
-       rdata->data->margin = 0;
-       if (rparam) rparam->data->margin = 0;
+       /*
+        * Give this memory as dynamically allocated to the return parse
+        * struct.  
+        */
 
-       if (!rpc_check_hdr(rdata, &pkt_type, &first, &last, &len)) return False;
+       prs_give_memory(rdata, prdata, rdata_len, True);
+       current_offset = rdata_len;
 
-       if (pkt_type == RPC_RESPONSE)
-       {
+       /* This next call sets the endian bit correctly in rdata. */
+
+       if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
+               prs_mem_free(rdata);
+               return False;
+       }
+
+       if (rhdr.pkt_type == RPC_BINDACK) {
+               if (!last && !first) {
+                       DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
+                       first = True;
+                       last = True;
+               }
+       }
+
+       if (rhdr.pkt_type == RPC_RESPONSE) {
                RPC_HDR_RESP rhdr_resp;
-               smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0);
+               if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
+                       DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
+                       prs_mem_free(rdata);
+                       return False;
+               }
        }
 
-       DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n",
-                 len, rdata->data->data_used));
+       DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
+                 (unsigned int)len, (unsigned int)rdata_len ));
 
-       /* check if data to be sent back was too large for one SMB. */
-       /* err status is only informational: the _real_ check is on the length */
-       if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
-       {
-               if (!rpc_read(cli, rdata, len, rdata->data->data_used))
-               {
+       /* check if data to be sent back was too large for one SMBtrans */
+       /* err status is only informational: the _real_ check is on the
+           length */
+
+       if (len > 0) { 
+               /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
+
+               /* Read the remaining part of the first response fragment */
+
+               if (!rpc_read(cli, rdata, len, &current_offset)) {
+                       prs_mem_free(rdata);
                        return False;
                }
        }
 
-       /* only one rpc fragment, and it has been read */
-       if (first && last)
-       {
+       /*
+        * Now we have a complete PDU, check the auth struct if any was sent.
+        */
+
+       if (rhdr.auth_len != 0) {
+               if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
+                       return False;
+               /*
+                * Drop the auth footers from the current offset.
+                * We need this if there are more fragments.
+                * The auth footers consist of the auth_data and the
+                * preceeding 8 byte auth_header.
+                */
+               current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
+       }
+       
+       /* 
+        * Only one rpc fragment, and it has been read.
+        */
+
+       if (first && last) {
                DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
                return True;
        }
 
-       while (!last) /* read more fragments until we get the last one */
-       {
-               RPC_HDR      rhdr;
+       /*
+        * Read more fragments using SMBreadX until we get one with the
+        * last bit set.
+        */
+
+       while (!last) {
                RPC_HDR_RESP rhdr_resp;
                int num_read;
+               char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
                prs_struct hps;
+               uint8 eclass;
+               uint32 ecode;
+
+               /*
+                * First read the header of the next PDU.
+                */
 
-               prs_init(&hps, 0x18, 4, 0, True);
+               prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
+               prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
+
+               num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
+               if (cli_is_dos_error(cli)) {
+                        cli_dos_error(cli, &eclass, &ecode);
+                        if (eclass != ERRDOS && ecode != ERRmoredata) {
+                                DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
+                                return False;
+                        }
+               }
 
-               num_read = cli_read(cli, cli->nt_pipe_fnum, hps.data->data, 0, 0x18);
                DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
 
-               if (num_read != 0x18) return False;
+               if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
+                       DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
+                               RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
+                       return False;
+               }
+
+               /* This call sets the endianness in hps. */
 
-               smb_io_rpc_hdr     ("rpc_hdr     ", &rhdr     , &hps, 0);
-               smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0);
+               if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
+                       return False;
 
-               prs_mem_free(&hps);
+               /* Ensure the endianness in rdata is set correctly - must be same as hps. */
 
-               if (cli_error(cli, NULL, &err)) return False;
+               if (hps.bigendian_data != rdata->bigendian_data) {
+                       DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
+                               rdata->bigendian_data ? "big" : "little",
+                               hps.bigendian_data ? "big" : "little" ));
+                       return False;
+               }
 
-               first = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_FIRST);
-               last  = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_LAST );
+               if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
+                       DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
+                       return False;
+               }
 
-               if (first)
-               {
-                       DEBUG(0,("rpc_api_pipe: wierd rpc header received\n"));
+               if (first) {
+                       DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
                        return False;
                }
 
-               len = rhdr.frag_len - hps.offset;
-               if (!rpc_read(cli, rdata, len, rdata->data->data_used))
-               {
+               /*
+                * Now read the rest of the PDU.
+                */
+
+               if (!rpc_read(cli, rdata, len, &current_offset))
                        return False;
+
+               /*
+                * Verify any authentication footer.
+                */
+
+               if (rhdr.auth_len != 0 ) {
+                       if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
+                               return False;
+                       /*
+                        * Drop the auth footers from the current offset.
+                        * The auth footers consist of the auth_data and the
+                        * preceeding 8 byte auth_header.
+                        * We need this if there are more fragments.
+                        */
+                       current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
                }
        }
 
@@ -287,171 +586,579 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd,
 
  ********************************************************************/
 
-static BOOL create_rpc_bind_req(prs_struct *rhdr,
-                                prs_struct *rhdr_rb,
-                                prs_struct *auth_req,
+static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, BOOL do_netsec, uint32 rpc_call_id,
                                 RPC_IFACE *abstract, RPC_IFACE *transfer,
-                                char *my_name, char *domain)
+                                const char *my_name, const char *domain, uint32 neg_flags)
 {
-       RPC_HDR_RB        hdr_rb;
-       RPC_HDR           hdr;
-       RPC_AUTH_NTLMSSP_REQ ntlmssp_req;
+       RPC_HDR hdr;
+       RPC_HDR_RB hdr_rb;
+       char buffer[4096];
+       prs_struct auth_info;
+       int auth_len = 0;
 
-       /* create the bind request RPC_HDR_RB */
-       make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0,
-       0x1, 0x0, 0x1, abstract, transfer);
+       prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
 
-       /* stream the bind request data */
-       smb_io_rpc_hdr_rb("", &hdr_rb,  rhdr_rb, 0);
-       mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
+       if (do_auth) {
+               RPC_HDR_AUTH hdr_auth;
+               RPC_AUTH_VERIFIER auth_verifier;
+               RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
 
-       if (auth_req != NULL)
-       {
                /*
-                * I have a feeling this is broken right now... JRA.
+                * Create the auth structs we will marshall.
                 */
-               make_rpc_auth_ntlmssp_req(&ntlmssp_req, "NTLMSSP", 0x1,
-                      0x0000b2b3, my_name, domain);
-               smb_io_rpc_auth_ntlmssp_req("", &ntlmssp_req, auth_req, 0);
-               mem_realloc_data(auth_req->data, auth_req->offset);
-       }
 
-       /* create the request RPC_HDR */
-       make_rpc_hdr(&hdr, RPC_BIND, 0x0, get_rpc_call_id(),
-                    rhdr_rb->offset + 0x10,
-                    auth_req != NULL ? auth_req->offset : 0);
+               init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
+               init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
+               init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
+
+               /*
+                * Use the 4k buffer to store the auth info.
+                */
 
-       smb_io_rpc_hdr("hdr"   , &hdr   , rhdr, 0);
-       mem_realloc_data(rhdr->data, rhdr->offset);
+               prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
 
-       if (rhdr->data == NULL || rhdr_rb->data == NULL) return False;
+               /*
+                * Now marshall the data into the temporary parse_struct.
+                */
 
-       /***/
-       /*** link rpc header, bind acknowledgment and authentication responses ***/
-       /***/
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
+                       return False;
+               }
 
-       rhdr->data->offset.start = 0;
-       rhdr->data->offset.end   = rhdr->offset;
-       rhdr->data->next         = rhdr_rb->data;
+               if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
+                       return False;
+               }
 
-       if (auth_req != NULL)
-       {
-               rhdr_rb->data->offset.start = rhdr->offset;
-               rhdr_rb->data->offset.end   = rhdr->offset + rhdr_rb->offset;
-               rhdr_rb->data->next         = auth_req->data;
+               if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
+                       return False;
+               }
 
-               auth_req->data->offset.start = rhdr->offset + rhdr_rb->offset;
-               auth_req->data->offset.end   = rhdr->offset + auth_req->offset + rhdr_rb->offset;
-               auth_req->data->next         = NULL;
-       }
-       else
-       {
-               rhdr_rb->data->offset.start = rhdr->offset;
-               rhdr_rb->data->offset.end   = rhdr->offset + rhdr_rb->offset;
-               rhdr_rb->data->next         = NULL;
+               /* Auth len in the rpc header doesn't include auth_header. */
+               auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
        }
 
-       return True;
-}
+       if (do_netsec) {
+               RPC_HDR_AUTH hdr_auth;
+               RPC_AUTH_NETSEC_NEG netsec_neg;
 
+               /*
+                * Create the auth structs we will marshall.
+                */
 
-/*******************************************************************
- creates a DCE/RPC bind request
+               init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
+                                 0x00, 1);
+               init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
 
- - initialises the parse structure.
- - dynamically allocates the header data structure
- - caller is expected to free the header data structure once used.
+               /*
+                * Use the 4k buffer to store the auth info.
+                */
 
- ********************************************************************/
+               prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
 
-static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len)
-{
-       RPC_HDR_REQ hdr_req;
-       RPC_HDR     hdr;
+               /*
+                * Now marshall the data into the temporary parse_struct.
+                */
+
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
+                       DEBUG(0,("Failed to marshall RPC_HDR_AUTH.\n"));
+                       return False;
+               }
 
-       DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n",
-       op_num, data_len));
+               if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
+                                              &netsec_neg, &auth_info, 0)) {
+                       DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
+                       return False;
+               }
 
-       /* create the rpc header RPC_HDR */
-       make_rpc_hdr(&hdr   , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
-                    get_rpc_call_id(), data_len, 0);
+               /* Auth len in the rpc header doesn't include auth_header. */
+               auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
+       }
 
-       /* create the rpc request RPC_HDR_REQ */
-       make_rpc_hdr_req(&hdr_req, data_len, op_num);
+       /* create the request RPC_HDR */
+       init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id, 
+               RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
+               auth_len);
 
-       /* stream-time... */
-       smb_io_rpc_hdr    ("hdr    ", &hdr    , rhdr, 0);
-       smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0);
+       if(!smb_io_rpc_hdr("hdr"   , &hdr, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
+               return False;
+       }
+
+       /* create the bind request RPC_HDR_RB */
+       init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
+                       0x1, 0x0, 0x1, abstract, transfer);
+
+       /* Marshall the bind request data */
+       if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
+               return False;
+       }
 
-       if (rhdr->data == NULL || rhdr->offset != 0x18) return False;
+       /*
+        * Grow the outgoing buffer to store any auth info.
+        */
 
-       rhdr->data->offset.start = 0;
-       rhdr->data->offset.end   = rhdr->offset;
+       if(hdr.auth_len != 0) {
+               if(!prs_append_prs_data( rpc_out, &auth_info)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
+                       return False;
+               }
+       }
 
        return True;
 }
 
+/*******************************************************************
+ Creates a DCE/RPC bind authentication response.
+ This is the packet that is sent back to the server once we
+ have received a BIND-ACK, to finish the third leg of
+ the authentication handshake.
+ ********************************************************************/
 
-/****************************************************************************
- send a request on an rpc pipe.
- ****************************************************************************/
-BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
-                      prs_struct *data, prs_struct *rdata)
+static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
+                               const char *domain, const char *user_name, const char *my_name,
+                               uint32 ntlmssp_cli_flgs,
+                               uint32 rpc_call_id,
+                               prs_struct *rpc_out)
 {
-       /* fudge this, at the moment: create the header; memcpy the data.  oops. */
-       prs_struct rparam;
-       prs_struct hdr;
-       int data_len;
-       BOOL ret;
+       unsigned char lm_owf[24];
+       unsigned char nt_owf[24];
+       RPC_HDR hdr;
+       RPC_HDR_AUTHA hdr_autha;
+       RPC_AUTH_VERIFIER auth_verifier;
+       RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
+       char buffer[4096];
+       prs_struct auth_info;
 
-       data_len               = data->offset + 0x18;
-       data->data->offset.end = data->offset;
+       /*
+        * Marshall the variable length data into a temporary parse
+        * struct, pointing into a 4k local buffer.
+        */
+       prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
 
-       prs_init(&hdr   , data_len, 4, SAFETY_MARGIN, False);
-       prs_init(&rparam, 0       , 4, 0            , True );
+       /*
+        * Use the 4k buffer to store the auth info.
+        */
 
-       create_rpc_request(&hdr, op_num, data_len);
+       prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
 
-       mem_realloc_data(hdr.data, data_len);
-       hdr.data->offset.end = data_len;
-       mem_buf_copy(mem_data(&(hdr.data), 0x18), data->data, 0, data->offset);
+       /*
+        * Create the variable length auth_data.
+        */
 
-       ret = rpc_api_pipe(cli, 0x0026, NULL, &hdr, &rparam, rdata);
+       init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
 
-       prs_mem_free(&rparam);
-       prs_mem_free(&hdr);
+       pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
+                       
+       init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
+                                lm_owf, nt_owf,
+                                domain, user_name, my_name,
+                                ntlmssp_cli_flgs);
 
-       return ret;
-}
+       /*
+        * Marshall the variable length auth_data into a temp parse_struct.
+        */
 
+       if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
+               return False;
+       }
 
-/****************************************************************************
-do an rpc bind
-****************************************************************************/
+       if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
+               return False;
+       }
 
-static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint16 device_state)
-{
-       BOOL state_set = False;
-       char param[2];
-       uint16 setup[2]; /* only need 2 uint16 setup parameters */
-       char *rparam = NULL;
-       char *rdata = NULL;
-       uint32 rparam_len, rdata_len;
+       /* Create the request RPC_HDR */
+       init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
+                       RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
+                       prs_offset(&auth_info) );
 
-       if (pipe_name == NULL) return False;
+       /* Marshall it. */
+       if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
+               return False;
+       }
 
-       DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
-       cli->nt_pipe_fnum, pipe_name, device_state));
+       /* Create the request RPC_HDR_AUTHA */
+       init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
+                       NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
 
-       /* create parameters: device state */
-       SSVAL(param, 0, device_state);
+       if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
+               return False;
+       }
 
-       /* create setup parameters. */
+       /*
+        * Append the auth data to the outgoing buffer.
+        */
+
+       if(!prs_append_prs_data(rpc_out, &auth_info)) {
+               DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
+               return False;
+       }
+
+       return True;
+}
+
+
+/*******************************************************************
+ Creates a DCE/RPC request.
+ ********************************************************************/
+
+static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
+{
+       uint32 alloc_hint;
+       RPC_HDR     hdr;
+       RPC_HDR_REQ hdr_req;
+       uint32 callid = oldid ? oldid : get_rpc_call_id();
+
+       DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
+
+       /* create the rpc header RPC_HDR */
+       init_rpc_hdr(&hdr, RPC_REQUEST, flags,
+                    callid, data_len, auth_len);
+
+       /*
+        * The alloc hint should be the amount of data, not including 
+        * RPC headers & footers.
+        */
+
+       if (auth_len != 0)
+               alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
+       else
+               alloc_hint = data_len - RPC_HEADER_LEN;
+
+       DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
+                  data_len, auth_len, alloc_hint));
+
+       /* Create the rpc request RPC_HDR_REQ */
+       init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
+
+       /* stream-time... */
+       if(!smb_io_rpc_hdr("hdr    ", &hdr, rpc_out, 0))
+               return 0;
+
+       if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
+               return 0;
+
+       if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
+               return 0;
+
+       return callid;
+}
+
+/*******************************************************************
+ Puts an NTLMSSP auth header into an rpc request.
+ ********************************************************************/
+
+static BOOL create_ntlmssp_auth_hdr(prs_struct *outgoing_packet, BOOL auth_verify)
+{
+       RPC_HDR_AUTH hdr_auth;
+
+       init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
+                         NTLMSSP_AUTH_LEVEL, 0x08, 
+                         (auth_verify ? 1 : 0));
+       if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, 
+                               outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
+               return False;
+       }
+       return True;
+}
+
+/*******************************************************************
+ Puts a NETLOGON schannel auth header into an rpc request.
+ ********************************************************************/
+
+static BOOL create_netsec_auth_hdr(prs_struct *outgoing_packet, int padding)
+{
+       RPC_HDR_AUTH hdr_auth;
+
+       init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE,
+                         NETSEC_AUTH_LEVEL, padding, 1);
+       if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, 
+                               outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
+               return False;
+       }
+       return True;
+}
+
+/*******************************************************************
+ Puts auth data into an rpc request.
+ ********************************************************************/
+
+static BOOL create_auth_data(struct cli_state *cli, uint32 crc32, 
+                            prs_struct *outgoing_packet)
+{
+       char *pdata_out = prs_data_p(outgoing_packet);
+       RPC_AUTH_NTLMSSP_CHK chk;
+       uint32 current_offset = prs_offset(outgoing_packet);
+
+       init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, 
+                                 crc32, cli->ntlmssp_seq_num++);
+       if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, 
+                                       outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_data: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
+               return False;
+       }
+       NTLMSSPcalc_ap(cli, (unsigned char*)
+                      &pdata_out[current_offset+4], 
+                      RPC_AUTH_NTLMSSP_CHK_LEN - 4);
+       return True;
+}
+
+/**
+ * Send a request on an RPC pipe and get a response.
+ *
+ * @param data NDR contents of the request to be sent.
+ * @param rdata Unparsed NDR response data.
+**/
+
+BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
+                      prs_struct *data, prs_struct *rdata)
+{
+       uint32 auth_len, max_data, data_left, data_sent;
+       BOOL ret = False;
+       BOOL auth_verify, auth_seal, auth_schannel;
+       uint32 callid = 0;
+       fstring dump_name;
+
+       auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
+       auth_seal   = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
+       auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
+
+       auth_len = 0;
+
+       if (auth_verify)
+               auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
+
+       if (auth_schannel)
+               auth_len = RPC_AUTH_NETSEC_CHK_LEN;
+
+       /*
+        * calc how much actual data we can send in a PDU fragment
+        */
+       max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
+               (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len - 8;
+
+       for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
+               prs_struct outgoing_packet;
+               uint32 data_len, send_size;
+               uint8 flags = 0;
+               uint32 crc32 = 0;
+               uint32 auth_padding = 0;
+               RPC_AUTH_NETSEC_CHK verf;
+
+               /*
+                * how much will we send this time
+                */
+               send_size = MIN(data_left, max_data);
+
+               /*
+                * NT expects the data that is sealed to be 8-byte
+                * aligned. The padding must be encrypted as well and
+                * taken into account when generating the
+                * authentication verifier. The amount of padding must
+                * be stored in the auth header.
+                */
+
+               if (auth_schannel)
+                       auth_padding = 8 - (send_size & 7);
+
+               data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + send_size +
+                       ((auth_verify|auth_schannel) ? RPC_HDR_AUTH_LEN : 0) +
+                       auth_len + auth_padding;
+
+               /*
+                * Malloc parse struct to hold it (and enough for alignments).
+                */
+               if(!prs_init(&outgoing_packet, data_len + 8, 
+                            cli->mem_ctx, MARSHALL)) {
+                       DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
+                       return False;
+               }
+
+               if (data_left == prs_offset(data))
+                       flags |= RPC_FLG_FIRST;
+
+               if (data_left <= max_data)
+                       flags |= RPC_FLG_LAST;
+               /*
+                * Write out the RPC header and the request header.
+                */
+               if(!(callid = create_rpc_request(&outgoing_packet, op_num, 
+                                                data_len, auth_len, flags, 
+                                                callid, data_left))) {
+                       DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
+                       prs_mem_free(&outgoing_packet);
+                       return False;
+               }
+
+               /*
+                * Seal the outgoing data if requested.
+                */
+               if (auth_seal) {
+                       crc32 = crc32_calc_buffer(prs_data_p(data) + data_sent,
+                                                 send_size);
+                       NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data) +
+                                      data_sent, send_size);
+               }
+
+               /*
+                * Now copy the data into the outgoing packet.
+                */
+
+               if (auth_schannel) {
+                       static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
+                       static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
+                       uchar sign[8];
+                       prs_struct netsec_blob;
+
+                       if ((cli->auth_info.seq_num & 1) != 0) {
+                               DEBUG(0,("SCHANNEL ERROR: seq_num must be even in client (seq_num=%d)\n",
+                                       cli->auth_info.seq_num));
+                       }
+
+                       DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
+
+                       RSIVAL(sign, 0, cli->auth_info.seq_num);
+                       SIVAL(sign, 4, 0x80);
+
+                       if (!prs_init(&netsec_blob, send_size+auth_padding,
+                                     cli->mem_ctx, MARSHALL)) {
+                               DEBUG(0,("Could not malloc %u bytes",
+                                        send_size+auth_padding));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       if(!prs_append_some_prs_data(&netsec_blob, data, 
+                                                    data_sent, send_size)) {
+                               DEBUG(0,("Failed to append data to netsec blob\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       netsec_blob.align = 8;
+
+                       if (!prs_align(&netsec_blob)) {
+                               DEBUG(0,("Could not align netsec blob\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes,
+                                                sign, nullbytes);
+
+                       netsec_encode(&cli->auth_info, &verf,
+                                     prs_data_p(&netsec_blob),
+                                     prs_data_size(&netsec_blob));
+
+                       prs_append_prs_data(&outgoing_packet, &netsec_blob);
+                       prs_mem_free(&netsec_blob);
+
+                       cli->auth_info.seq_num++;
+
+               } else {
+                       if(!prs_append_some_prs_data(&outgoing_packet, data, 
+                                                    data_sent, send_size)) {
+                               DEBUG(0,("rpc_api_pipe_req: Failed to append "
+                                        "data to outgoing packet.\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               /*
+                * Add a trailing auth_verifier if needed.
+                */
+               if (auth_seal || auth_verify) {
+                       if(!create_ntlmssp_auth_hdr(&outgoing_packet, auth_verify)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               /*
+                * Finally the auth data itself.
+                */
+               if (auth_verify) {
+                       if (!create_auth_data(cli, crc32, &outgoing_packet)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               if (auth_schannel) {
+
+                       if (!create_netsec_auth_hdr(&outgoing_packet,
+                                                   auth_padding)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       if (!smb_io_rpc_auth_netsec_chk("", &verf,
+                                                       &outgoing_packet, 0)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, 
+                          prs_offset(&outgoing_packet)));
+               
+               if (flags & RPC_FLG_LAST)
+                       ret = rpc_api_pipe(cli, &outgoing_packet, rdata);
+               else {
+                       cli_write(cli, cli->nt_pipe_fnum, 0x0008,
+                                  prs_data_p(&outgoing_packet),
+                                  data_sent, data_len);
+               }
+               prs_mem_free(&outgoing_packet);
+               data_sent += send_size;
+               data_left -= send_size;
+       }
+       /* Also capture received data */
+       slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
+                cli_pipe_get_name(cli));
+       prs_dump(dump_name, op_num, rdata);
+
+       return ret;
+}
+
+/****************************************************************************
+ Set the handle state.
+****************************************************************************/
+
+static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
+{
+       BOOL state_set = False;
+       char param[2];
+       uint16 setup[2]; /* only need 2 uint16 setup parameters */
+       char *rparam = NULL;
+       char *rdata = NULL;
+       uint32 rparam_len, rdata_len;
+
+       if (pipe_name == NULL)
+               return False;
+
+       DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
+       cli->nt_pipe_fnum, pipe_name, device_state));
+
+       /* create parameters: device state */
+       SSVAL(param, 0, device_state);
+
+       /* create setup parameters. */
        setup[0] = 0x0001; 
        setup[1] = cli->nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
 
        /* send the data on \PIPE\ */
-       if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
+       if (cli_api_pipe(cli, "\\PIPE\\",
                    setup, 2, 0,                /* setup, length, max */
                    param, 2, 0,                /* param, length, max */
                    NULL, 0, 1024,              /* data, length, max */
@@ -462,8 +1169,8 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint1
                state_set = True;
        }
 
-       if (rparam) free(rparam);
-       if (rdata ) free(rdata );
+       SAFE_FREE(rparam);
+       SAFE_FREE(rdata);
 
        return state_set;
 }
@@ -472,33 +1179,46 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, char *pipe_name, uint1
  check the rpc bind acknowledge response
 ****************************************************************************/
 
-static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
+int get_pipe_index( const char *pipe_name )
 {
        int pipe_idx = 0;
 
-       while (pipe_names[pipe_idx].client_pipe != NULL)
-       {
-               if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
-               {
-                       DEBUG(5,("Bind Abstract Syntax: "));    
-                       dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 
-                                 sizeof(pipe_names[pipe_idx].abstr_syntax));
-                       DEBUG(5,("Bind Transfer Syntax: "));
-                       dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
-                                 sizeof(pipe_names[pipe_idx].trans_syntax));
-
-                       /* copy the required syntaxes out so we can do the right bind */
-                       memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax),
-                              sizeof(pipe_names[pipe_idx].trans_syntax));
-                       memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax),
-                              sizeof(pipe_names[pipe_idx].abstr_syntax));
-
-                       return True;
-               }
+       while (pipe_names[pipe_idx].client_pipe != NULL) {
+               if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) 
+                       return pipe_idx;
                pipe_idx++;
        };
 
-       DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
+       return -1;
+}
+
+
+/****************************************************************************
+ check the rpc bind acknowledge response
+****************************************************************************/
+
+const char* get_pipe_name_from_index( const int pipe_index )
+{
+
+       if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
+               return NULL;
+
+       return pipe_names[pipe_index].client_pipe;              
+}
+
+/****************************************************************************
+ Check to see if this pipe index points to one of 
+ the pipes only supported by Win2k
+ ****************************************************************************/
+
+BOOL is_win2k_pipe( const int pipe_idx )
+{
+       switch ( pipe_idx )
+       {
+               case PI_LSARPC_DS:
+                       return True;
+       }
+       
        return False;
 }
 
@@ -506,55 +1226,63 @@ static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *tra
  check the rpc bind acknowledge response
 ****************************************************************************/
 
-static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
+static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
+{
+       if ( pipe_idx >= PI_MAX_PIPES ) {
+               DEBUG(0,("valid_pipe_name: Programmer error!  Invalid pipe index [%d]\n",
+                       pipe_idx));
+               return False;
+       }
+
+       DEBUG(5,("Bind Abstract Syntax: "));    
+       dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 
+                 sizeof(pipe_names[pipe_idx].abstr_syntax));
+       DEBUG(5,("Bind Transfer Syntax: "));
+       dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
+                 sizeof(pipe_names[pipe_idx].trans_syntax));
+
+       /* copy the required syntaxes out so we can do the right bind */
+       
+       *transfer = pipe_names[pipe_idx].trans_syntax;
+       *abstract = pipe_names[pipe_idx].abstr_syntax;
+
+       return True;
+}
+
+/****************************************************************************
+ check the rpc bind acknowledge response
+****************************************************************************/
+
+static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
 {
        int i = 0;
 
-       while ((pipe_names[i].client_pipe != NULL))
+       if ( hdr_ba->addr.len <= 0)
+               return False;
+               
+       if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe )) 
        {
-               DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
-               pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
-
-               if ((strequal(pipe_name, pipe_names[i].client_pipe )))
-               {
-                       if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe ))
-                       {
-                               DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
-                                        pipe_names[i].server_pipe ));
-                               break;
-                       }
-                       else
-                       {
-                               DEBUG(2,("bind_rpc_pipe: pipe_name %s != expected pipe %s\n",
-                                        pipe_names[i].server_pipe ,
-                                        hdr_ba->addr.str));
-                               return False;
-                       }
-               }
-               else
-               {
-                       i++;
-               }
+               DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s.  oh well!\n",
+                        pipe_names[i].server_pipe ,hdr_ba->addr.str));
+               return False;
        }
+       
+       DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
 
-       if (pipe_names[i].server_pipe == NULL)
-       {
+       if (pipe_names[pipe_idx].server_pipe == NULL) {
                DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
                return False;
        }
 
        /* check the transfer syntax */
-       if (!((hdr_ba->transfer.version == transfer->version) &&
-            (memcmp(hdr_ba->transfer.data, transfer->data,
-                    sizeof(transfer->version)) ==0)))
-       {
-               DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
+       if ((hdr_ba->transfer.version != transfer->version) ||
+            (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
+               DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
                return False;
        }
 
        /* lkclXXXX only accept one result: check the result(s) */
-       if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0)
-       {
+       if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
                DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
                          hdr_ba->res.num_results, hdr_ba->res.reason));
        }
@@ -564,129 +1292,362 @@ static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *
 }
 
 /****************************************************************************
-do an rpc bind
+ Create and send the third packet in an RPC auth.
 ****************************************************************************/
 
-static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
-                   RPC_IFACE *abstract, RPC_IFACE *transfer, BOOL ntlmssp_auth)
+static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
 {
-       prs_struct hdr;
-       prs_struct hdr_rb;
-       prs_struct auth_req;
-       prs_struct data;
-       prs_struct rdata;
-       prs_struct rparam;
+       RPC_HDR_AUTH rhdr_auth;
+       RPC_AUTH_VERIFIER rhdr_verf;
+       RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
+       char buffer[MAX_PDU_FRAG_LEN];
+       prs_struct rpc_out;
+       ssize_t ret;
+
+       unsigned char p24[24];
+       unsigned char lm_owf[24];
+       unsigned char lm_hash[16];
+
+       if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
+               return False;
+       }
+       if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
+               return False;
+       }
+       if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
+               return False;
+       }
 
-       BOOL valid_ack = False;
+       cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
 
-       if (pipe_name == NULL || abstract == NULL || transfer == NULL)
-       return False;
+       pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
 
-       DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_name));
+       prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
 
-       if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
+       prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
 
-       prs_init(&hdr     , 0x10                   , 4, 0x0          , False);
-       prs_init(&hdr_rb  , 1024                   , 4, SAFETY_MARGIN, False);
-       prs_init(&auth_req, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
+       create_rpc_bind_resp(&cli->pwd, cli->domain,
+                            cli->user_name, global_myname(), 
+                            cli->ntlmssp_cli_flgs, rpc_call_id,
+                            &rpc_out);
+                                           
+       pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
+       pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
 
-       prs_init(&rdata , 0   , 4, SAFETY_MARGIN, True );
-       prs_init(&rparam, 0   , 4, SAFETY_MARGIN, True );
+       NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
 
-       create_rpc_bind_req(&hdr, &hdr_rb, ntlmssp_auth ? &auth_req : NULL,
-       abstract, transfer, global_myname, global_myworkgroup);
+       {
+               unsigned char j = 0;
+               int ind;
+               unsigned char k2[8];
 
-       /* this is a hack due to limitations in rpc_api_pipe */
-       prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
-       mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data));
+               memcpy(k2, p24, 5);
+               k2[5] = 0xe5;
+               k2[6] = 0x38;
+               k2[7] = 0xb0;
 
-       /* send data on \PIPE\.  receive a response */
-       if (rpc_api_pipe(cli, 0x0026, NULL, &data, &rparam, &rdata))
-       {
-               RPC_HDR_BA hdr_ba;
+               for (ind = 0; ind < 256; ind++)
+                       cli->ntlmssp_hash[ind] = (unsigned char)ind;
 
-               DEBUG(5, ("rpc_api_pipe: return OK\n"));
+               for( ind = 0; ind < 256; ind++) {
+                       unsigned char tc;
 
-               smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0);
+                       j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
 
-               if (rdata.offset != 0)
-               {
-                       valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
+                       tc = cli->ntlmssp_hash[ind];
+                       cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
+                       cli->ntlmssp_hash[j] = tc;
                }
+
+               cli->ntlmssp_hash[256] = 0;
+               cli->ntlmssp_hash[257] = 0;
        }
 
-       prs_mem_free(&data    );
-       prs_mem_free(&hdr     );
-       prs_mem_free(&hdr_rb  );
-       prs_mem_free(&auth_req);
-       prs_mem_free(&rdata   );
-       prs_mem_free(&rparam  );
+       memset((char *)lm_hash, '\0', sizeof(lm_hash));
 
-       return valid_ack;
+       if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out), 
+                       0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
+               DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
+               return False;
+       }
+
+       cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
+       return True;
 }
 
 /****************************************************************************
- open a session
- ****************************************************************************/
+ Do an rpc bind.
+****************************************************************************/
 
-BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, BOOL encrypted)
+static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name,
+                         BOOL do_netsec)
 {
        RPC_IFACE abstract;
        RPC_IFACE transfer;
-       int fnum;
+       prs_struct rpc_out;
+       prs_struct rdata;
+       BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
+       uint32 rpc_call_id;
+       char buffer[MAX_PDU_FRAG_LEN];
 
-       /******************* open the pipe *****************/
-       if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1)
-       {
-               DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s.  Error was %s\n",
-                        pipe_name, cli->desthost, cli_errstr(cli)));
+       if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
                return False;
-       }
 
-       cli->nt_pipe_fnum = (uint16)fnum;
+       DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
 
-       /**************** Set Named Pipe State ***************/
-       if (!rpc_pipe_set_hnd_state(cli, pipe_name, 0x4300))
-       {
-               DEBUG(0,("cli_nt_session_open: pipe hnd state failed.  Error was %s\n",
-                         cli_errstr(cli)));
-               cli_close(cli, cli->nt_pipe_fnum);
+       if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
                return False;
+
+       prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
+
+       /*
+        * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
+        */
+
+       prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
+
+       rpc_call_id = get_rpc_call_id();
+
+       /* Marshall the outgoing data. */
+       create_rpc_bind_req(&rpc_out, do_auth, do_netsec, rpc_call_id,
+                           &abstract, &transfer,
+                           global_myname(), cli->domain, cli->ntlmssp_cli_flgs);
+
+       /* Initialize the incoming data struct. */
+       prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
+
+       /* send data on \PIPE\.  receive a response */
+       if (rpc_api_pipe(cli, &rpc_out, &rdata)) {
+               RPC_HDR_BA   hdr_ba;
+
+               DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
+
+               if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
+                       DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
+               }
+
+               if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
+                       DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
+               }
+
+               cli->max_xmit_frag = hdr_ba.bba.max_tsize;
+               cli->max_recv_frag = hdr_ba.bba.max_rsize;
+
+               /*
+                * If we're doing NTLMSSP auth we need to send a reply to
+                * the bind-ack to complete the 3-way challenge response
+                * handshake.
+                */
+
+               if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
+                       DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
+               }
+       }
+
+       prs_mem_free(&rdata);
+       return True;
+}
+
+/****************************************************************************
+ Open a session.
+ ****************************************************************************/
+
+BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
+{
+       int fnum;
+
+       /* At the moment we can't have more than one pipe open over
+           a cli connection. )-: */
+
+       SMB_ASSERT(cli->nt_pipe_fnum == 0);
+       
+       /* The pipe index must fall within our array */
+
+       SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
+
+       if (cli->capabilities & CAP_NT_SMBS) {
+               if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
+                       DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s.  Error was %s\n",
+                                &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
+                       return False;
+               }
+
+               cli->nt_pipe_fnum = (uint16)fnum;
+       } else {
+               if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
+                       DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s.  Error was %s\n",
+                                pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
+                       return False;
+               }
+
+               cli->nt_pipe_fnum = (uint16)fnum;
+
+               /**************** Set Named Pipe State ***************/
+               if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
+                       DEBUG(0,("cli_nt_session_open: pipe hnd state failed.  Error was %s\n",
+                                 cli_errstr(cli)));
+                       cli_close(cli, cli->nt_pipe_fnum);
+                       return False;
+               }
        }
 
        /******************* bind request on pipe *****************/
-       if (!rpc_pipe_bind(cli, pipe_name, &abstract, &transfer, encrypted))
-       {
-               DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
-                         cli_errstr(cli)));
+
+       if (!rpc_pipe_bind(cli, pipe_idx, global_myname(), False)) {
+               DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
+                        get_pipe_name_from_index(pipe_idx)));
                cli_close(cli, cli->nt_pipe_fnum);
                return False;
        }
 
        /* 
-       * Setup the remote server name prefixed by \ and the machine account name.
-       */
+        * Setup the remote server name prefixed by \ and the machine account name.
+        */
 
        fstrcpy(cli->srv_name_slash, "\\\\");
        fstrcat(cli->srv_name_slash, cli->desthost);
        strupper(cli->srv_name_slash);
 
        fstrcpy(cli->clnt_name_slash, "\\\\");
-       fstrcat(cli->clnt_name_slash, global_myname);
+       fstrcat(cli->clnt_name_slash, global_myname());
        strupper(cli->clnt_name_slash);
 
-       fstrcpy(cli->mach_acct, global_myname);
+       fstrcpy(cli->mach_acct, global_myname());
        fstrcat(cli->mach_acct, "$");
        strupper(cli->mach_acct);
 
+       /* Remember which pipe we're talking to */
+       fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
+
+       return True;
+}
+
+
+/****************************************************************************
+ Open a session to the NETLOGON pipe using schannel.
+ ****************************************************************************/
+
+BOOL cli_nt_open_netlogon(struct cli_state *cli, const char *trust_password,
+                         int sec_chan)
+{
+       NTSTATUS result;
+       uint32 neg_flags = 0x000001ff;
+       int fnum;
+
+       if (lp_client_schannel() != False)
+               neg_flags |= NETLOGON_NEG_SCHANNEL;
+
+
+       if (!cli_nt_session_open(cli, PI_NETLOGON)) {
+               return False;
+       }
+
+       if (!secrets_init()) {
+               DEBUG(3,("Failed to init secrets.tdb\n"));
+               return False;
+       }
+
+       result = cli_nt_setup_creds(cli, sec_chan, trust_password,
+                                   &neg_flags, 2);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               cli_nt_session_close(cli);
+               return False;
+       }
+
+       if ((lp_client_schannel() == True) &&
+           ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+
+               DEBUG(3, ("Server did not offer schannel\n"));
+               cli_nt_session_close(cli);
+               return False;
+       }
+
+       if ((lp_client_schannel() == False) ||
+           ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+               return True;
+       }
+
+       /* Server offered schannel, so try it. */
+
+       cli->auth_info.seq_num = 0;
+       memcpy(cli->auth_info.sess_key, cli->sess_key,
+              sizeof(cli->auth_info.sess_key));
+
+       cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
+
+       if (cli->capabilities & CAP_NT_SMBS) {
+
+               /* The secure channel connection must be opened on the same 
+                   session (TCP connection) as the one the challenge was
+                   requested from. */
+
+               if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
+                                         DESIRED_ACCESS_PIPE)) == -1) {
+                       DEBUG(0,("cli_nt_create failed to %s machine %s. "
+                                "Error was %s\n",
+                                PIPE_NETLOGON, cli->desthost,
+                                cli_errstr(cli)));
+                       return False;
+               }
+               
+               cli->nt_pipe_fnum = (uint16)fnum;
+       } else {
+               if ((fnum = cli_open(cli, PIPE_NETLOGON,
+                                    O_CREAT|O_RDWR, DENY_NONE)) == -1) {
+                       DEBUG(0,("cli_open failed on pipe %s to machine %s. "
+                                "Error was %s\n",
+                                PIPE_NETLOGON, cli->desthost,
+                                cli_errstr(cli)));
+                       return False;
+               }
+
+               cli->nt_pipe_fnum = (uint16)fnum;
+
+               /**************** Set Named Pipe State ***************/
+               if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
+                       DEBUG(0,("Pipe hnd state failed.  Error was %s\n",
+                                 cli_errstr(cli)));
+                       cli_close(cli, cli->nt_pipe_fnum);
+                       return False;
+               }
+       }
+
+       if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname(), True)) {
+               DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
+               cli_close(cli, cli->nt_pipe_fnum);
+               return False;
+       }
+
        return True;
 }
 
+
+const char *cli_pipe_get_name(struct cli_state *cli)
+{
+       return cli->pipe_name;
+}
+
+
 /****************************************************************************
 close the session
 ****************************************************************************/
 
 void cli_nt_session_close(struct cli_state *cli)
 {
+       if (cli->saved_netlogon_pipe_fnum != 0) {
+               cli_close(cli, cli->saved_netlogon_pipe_fnum);
+               cli->saved_netlogon_pipe_fnum = 0;
+       }
        cli_close(cli, cli->nt_pipe_fnum);
+       cli->nt_pipe_fnum = 0;
 }