Merge: clarify secure channel connection comment.
[kai/samba.git] / source / rpc_client / cli_pipe.c
index 482dbe71cebd9df9ad37b4519de5a37ad6a41311..a5cb6d425eef64588f87310d9891453faf708255 100644 (file)
@@ -1,11 +1,10 @@
-
 /* 
- *  Unix SMB/Netbios implementation.
- *  Version 1.9.
+ *  Unix SMB/CIFS implementation.
  *  RPC Pipe client / server routines
  *  Copyright (C) Andrew Tridgell              1992-1998,
  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
  *  Copyright (C) Paul Ashton                       1998.
+ *  Copyright (C) Jeremy Allison                    1999.
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  */
 
-
-#ifdef SYSLOG
-#undef SYSLOG
-#endif
-
 #include "includes.h"
 
-extern int DEBUGLEVEL;
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_RPC_CLI
+
 extern struct pipe_id_info pipe_names[];
-extern pstring global_myname;
 
 /********************************************************************
- rpc pipe call id 
+ Rpc pipe call id.
  ********************************************************************/
+
 static uint32 get_rpc_call_id(void)
 {
-  static uint32 call_id = 0;
-  return ++call_id;
+       static uint32 call_id = 0;
+       return ++call_id;
 }
 
 /*******************************************************************
- uses SMBreadX to get rest of rpc data
+ Use SMBreadX to get rest of one fragment's worth of rpc data.
  ********************************************************************/
 
-static BOOL rpc_read(struct cli_state *cli, uint16 nt_pipe_fnum,
-                     prs_struct *rdata, uint32 data_to_read,
-                     uint32 rdata_offset)
+static BOOL rpc_read(struct cli_state *cli, prs_struct *rdata, uint32 data_to_read, uint32 *rdata_offset)
 {
-       int size = cli->max_recv_frag;
-       int file_offset = rdata_offset;
+       size_t size = (size_t)cli->max_recv_frag;
+       int stream_offset = 0;
        int num_read;
-       char *data;
-       uint32 err;
-       uint32 new_data_size = rdata->data->data_used + data_to_read;
+       char *pdata;
+       int extra_data_size = ((int)*rdata_offset) + ((int)data_to_read) - (int)prs_data_size(rdata);
 
-       file_offset -= rdata_offset;
+       DEBUG(5,("rpc_read: data_to_read: %u rdata offset: %u extra_data_size: %d\n",
+               (int)data_to_read, (unsigned int)*rdata_offset, extra_data_size));
 
-       DEBUG(5,("rpc_read: data_to_read: %d data offset: %d file offset: %d\n",
-       data_to_read, rdata_offset, file_offset));
+       /*
+        * Grow the buffer if needed to accommodate the data to be read.
+        */
 
-       if (new_data_size > rdata->data->data_size)
-       {
-               mem_grow_data(&rdata->data, True, new_data_size, True);
-               DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
+       if (extra_data_size > 0) {
+               if(!prs_force_grow(rdata, (uint32)extra_data_size)) {
+                       DEBUG(0,("rpc_read: Failed to grow parse struct by %d bytes.\n", extra_data_size ));
+                       return False;
+               }
+               DEBUG(5,("rpc_read: grew buffer by %d bytes to %u\n", extra_data_size, prs_data_size(rdata) ));
        }
 
-       data = rdata->data->data + rdata_offset;
+       pdata = prs_data_p(rdata) + *rdata_offset;
 
        do /* read data using SMBreadX */
        {
-               if (size > data_to_read)
-               size = data_to_read;
+               uint32 ecode;
+               uint8 eclass;
 
-               new_data_size = rdata->data->data_used + size;
+               if (size > (size_t)data_to_read)
+                       size = (size_t)data_to_read;
 
-               if (new_data_size > rdata->data->data_size)
-               {
-                       mem_grow_data(&rdata->data, True, new_data_size, True);
-                       DEBUG(5,("rpc_read: grow buffer to %d\n", rdata->data->data_used));
-               }
+               num_read = (int)cli_read(cli, cli->nt_pipe_fnum, pdata, (off_t)stream_offset, size);
 
-               num_read = cli_read(cli, nt_pipe_fnum, data, file_offset, size);
+               DEBUG(5,("rpc_read: num_read = %d, read offset: %d, to read: %d\n",
+                         num_read, stream_offset, data_to_read));
 
-               DEBUG(5,("rpc_read: read offset: %d read: %d to read: %d\n",
-                         file_offset, num_read, data_to_read));
+               if (cli_is_dos_error(cli)) {
+                        cli_dos_error(cli, &eclass, &ecode);
+                        if (eclass != ERRDOS && ecode != ERRmoredata) {
+                                DEBUG(0,("rpc_read: Error %d/%u in cli_read\n",
+                                         eclass, (unsigned int)ecode));
+                                return False;
+                        }
+               }
 
                data_to_read -= num_read;
-               file_offset  += num_read;
-               data         += num_read;
-
-               if (cli_error(cli, NULL, &err)) return False;
+               stream_offset += num_read;
+               pdata += num_read;
 
        } while (num_read > 0 && data_to_read > 0);
        /* && err == (0x80000000 | STATUS_BUFFER_OVERFLOW)); */
 
-       mem_realloc_data(rdata->data, file_offset + rdata_offset);
-       rdata->data->offset.end = file_offset + rdata_offset;
-
-       DEBUG(5,("rpc_read: offset end: 0x%x.  data left to read:0x%x\n",
-                 rdata->data->offset.end, data_to_read));
+       /*
+        * Update the current offset into rdata by the amount read.
+        */
+       *rdata_offset += stream_offset;
 
        return True;
 }
 
 /****************************************************************************
- checks the header
+ Checks the header. This will set the endian bit in the rdata prs_struct. JRA.
  ****************************************************************************/
+
 static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, 
-                          BOOL *first, BOOL *last, int *len)
+                          BOOL *first, BOOL *last, uint32 *len)
 {
-       DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used));
+       DEBUG(5,("rpc_check_hdr: rdata->data_size = %u\n", (uint32)prs_data_size(rdata) ));
 
-       smb_io_rpc_hdr   ("rpc_hdr   ", rhdr   , rdata, 0);
+       /* Next call sets endian bit. */
 
-       if (!rdata->offset || rdata->offset != 0x10)
-       {
-               DEBUG(0,("cli_pipe: error in rpc header\n"));
+       if(!smb_io_rpc_hdr("rpc_hdr   ", rhdr, rdata, 0)) {
+               DEBUG(0,("rpc_check_hdr: Failed to unmarshall RPC_HDR.\n"));
                return False;
        }
 
-       DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n",
-                 rdata->data->data_used));
+       if (prs_offset(rdata) != RPC_HEADER_LEN) {
+               DEBUG(0,("rpc_check_hdr: offset was %x, should be %x.\n", prs_offset(rdata), RPC_HEADER_LEN));
+               return False;
+       }
 
-       (*first   ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST);
-       (*last    ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST );
-       (*len     ) = rhdr->frag_len - rdata->data->data_used;
+       (*first) = ((rhdr->flags & RPC_FLG_FIRST) != 0);
+       (*last) = ((rhdr->flags & RPC_FLG_LAST ) != 0);
+       (*len) = (uint32)rhdr->frag_len - prs_data_size(rdata);
 
-       return rhdr->pkt_type != RPC_FAULT;
+       return (rhdr->pkt_type != RPC_FAULT);
 }
 
-static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, int len)
+static void NTLMSSPcalc_ap( struct cli_state *cli, unsigned char *data, uint32 len)
 {
        unsigned char *hash = cli->ntlmssp_hash;
-    unsigned char index_i = hash[256];
-    unsigned char index_j = hash[257];
-    int ind;
+       unsigned char index_i = hash[256];
+       unsigned char index_j = hash[257];
+       int ind;
 
-    for( ind = 0; ind < len; ind++)
-    {
-        unsigned char tc;
-        unsigned char t;
+       for( ind = 0; ind < len; ind++) {
+               unsigned char tc;
+               unsigned char t;
 
-        index_i++;
-        index_j += hash[index_i];
+               index_i++;
+               index_j += hash[index_i];
 
-        tc = hash[index_i];
-        hash[index_i] = hash[index_j];
-        hash[index_j] = tc;
+               tc = hash[index_i];
+               hash[index_i] = hash[index_j];
+               hash[index_j] = tc;
 
-        t = hash[index_i] + hash[index_j];
-        data[ind] = data[ind] ^ hash[t];
-    }
+               t = hash[index_i] + hash[index_j];
+               data[ind] = data[ind] ^ hash[t];
+       }
 
-    hash[256] = index_i;
-    hash[257] = index_j;
+       hash[256] = index_i;
+       hash[257] = index_j;
 }
 
 /****************************************************************************
- decrypt data on an rpc pipe
+ Verify data on an rpc pipe.
+ The VERIFY & SEAL code is only executed on packets that look like this :
+
+ Request/Response PDU's look like the following...
+
+ |<------------------PDU len----------------------------------------------->|
+ |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
+
+ +------------+-----------------+-------------+---------------+-------------+
+ | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
+ +------------+-----------------+-------------+---------------+-------------+
+
+ Never on bind requests/responses.
  ****************************************************************************/
 
-static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata,
-                               int len, int auth_len)
+static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, int len, int auth_len)
 {
-       RPC_AUTH_NTLMSSP_CHK chk;
-       uint32 crc32;
-       int data_len = len - 0x18 - auth_len - 8;
-       char *reply_data = mem_data(&rdata->data, 0x18);
+       /*
+        * The following is that length of the data we must sign or seal.
+        * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
+        * preceeding the auth_data.
+        */
 
-       BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
-       BOOL auth_seal   = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
+       int data_len = len - RPC_HEADER_LEN - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - auth_len;
 
-       DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n",
-                 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal)));
+       /*
+        * The start of the data to sign/seal is just after the RPC headers.
+        */
+       char *reply_data = prs_data_p(rdata) + RPC_HEADER_LEN + RPC_HDR_REQ_LEN;
 
-       if (reply_data == NULL) return False;
+       BOOL auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
+       BOOL auth_seal = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
+       BOOL auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
 
-       if (auth_seal)
-       {
-               DEBUG(10,("rpc_auth_pipe: seal\n"));
+       DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s schannel %s\n",
+                 len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal), BOOLSTR(auth_schannel)));
+
+       /*
+        * Unseal any sealed data in the PDU, not including the
+        * 8 byte auth_header or the auth_data.
+        */
+
+       if (auth_seal) {
+               DEBUG(10,("rpc_auth_pipe: unseal\n"));
                dump_data(100, reply_data, data_len);
                NTLMSSPcalc_ap(cli, (uchar*)reply_data, data_len);
                dump_data(100, reply_data, data_len);
        }
 
-       if (auth_verify || auth_seal)
-       {
-               RPC_HDR_AUTH         rhdr_auth; 
+       if (auth_verify || auth_seal) {
+               RPC_HDR_AUTH rhdr_auth; 
                prs_struct auth_req;
-               char *data = mem_data(&rdata->data, len - auth_len - 8);
-               prs_init(&auth_req , 0x08, 4, 0, True);
-               memcpy(auth_req.data->data, data, 8);
-               smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0);
-               prs_mem_free(&auth_req);
-
-               if (!rpc_hdr_auth_chk(&rhdr_auth))
-               {
+               char data[RPC_HDR_AUTH_LEN];
+               /*
+                * We set dp to be the end of the packet, minus the auth_len
+                * and the length of the header that preceeds the auth_data.
+                */
+               char *dp = prs_data_p(rdata) + len - auth_len - RPC_HDR_AUTH_LEN;
+
+               if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
+                       return False;
+               }
+
+               memcpy(data, dp, sizeof(data));
+               
+               prs_init(&auth_req , 0, cli->mem_ctx, UNMARSHALL);
+
+               /* The endianness must be preserved... JRA. */
+
+               prs_set_endian_data(&auth_req, rdata->bigendian_data);
+
+               prs_give_memory(&auth_req, data, RPC_HDR_AUTH_LEN, False);
+
+               /*
+                * Unmarshall the 8 byte auth_header that comes before the
+                * auth data.
+                */
+
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &auth_req, 0)) {
+                       DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_HDR_AUTH failed.\n"));
+                       return False;
+               }
+
+               if (!rpc_hdr_auth_chk(&rhdr_auth)) {
+                       DEBUG(0,("rpc_auth_pipe: rpc_hdr_auth_chk failed.\n"));
                        return False;
                }
        }
 
-       if (auth_verify)
-       {
+       /*
+        * Now unseal and check the auth verifier in the auth_data at
+        * then end of the packet. The 4 bytes skipped in the unseal
+        * seem to be a buffer pointer preceeding the sealed data.
+        */
+
+       if (auth_verify) {
+               RPC_AUTH_NTLMSSP_CHK chk;
+               uint32 crc32;
                prs_struct auth_verf;
-               char *data = mem_data(&rdata->data, len - auth_len);
-               if (data == NULL) return False;
+               char data[RPC_AUTH_NTLMSSP_CHK_LEN];
+               char *dp = prs_data_p(rdata) + len - auth_len;
+
+               if(dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: auth data > data size !\n"));
+                       return False;
+               }
 
                DEBUG(10,("rpc_auth_pipe: verify\n"));
+               dump_data(100, dp, auth_len);
+               NTLMSSPcalc_ap(cli, (uchar*)(dp+4), auth_len - 4);
+
+               memcpy(data, dp, RPC_AUTH_NTLMSSP_CHK_LEN);
                dump_data(100, data, auth_len);
-               NTLMSSPcalc_ap(cli, (uchar*)(data+4), auth_len - 4);
-               prs_init(&auth_verf, 0x08, 4, 0, True);
-               memcpy(auth_verf.data->data, data, 16);
-               smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
-               dump_data(100, data, auth_len);
-               prs_mem_free(&auth_verf);
-       }
 
-       if (auth_verify)
-       {
-               crc32 = crc32_calc_buffer(data_len, reply_data);
-               if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num))
-               {
+               prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
+
+               /* The endinness must be preserved. JRA. */
+               prs_set_endian_data( &auth_verf, rdata->bigendian_data);
+
+               prs_give_memory(&auth_verf, data, RPC_AUTH_NTLMSSP_CHK_LEN, False);
+
+               if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0)) {
+                       DEBUG(0,("rpc_auth_pipe: unmarshalling RPC_AUTH_NTLMSSP_CHK failed.\n"));
+                       return False;
+               }
+
+               crc32 = crc32_calc_buffer(reply_data, data_len);
+
+               if (!rpc_auth_ntlmssp_chk(&chk, crc32 , cli->ntlmssp_seq_num)) {
+                       DEBUG(0,("rpc_auth_pipe: rpc_auth_ntlmssp_chk failed.\n"));
                        return False;
                }
                cli->ntlmssp_seq_num++;
        }
+
+       if (auth_schannel) {
+               RPC_AUTH_NETSEC_CHK chk;
+               char data[RPC_AUTH_NETSEC_CHK_LEN];
+               char *dp = prs_data_p(rdata) + len - auth_len;
+               prs_struct auth_verf;
+
+               if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
+                       DEBUG(0,("rpc_auth_pipe: wrong schannel auth len %d\n", auth_len));
+                       return False;
+               }
+
+               if (dp - prs_data_p(rdata) > prs_data_size(rdata)) {
+                       DEBUG(0,("rpc_auth_pipe: schannel auth data > data size !\n"));
+                       return False;
+               }
+
+               DEBUG(10,("rpc_auth_pipe: schannel verify netsec\n"));
+               dump_data(100, dp, auth_len);
+
+               memcpy(data, dp, sizeof(data));
+               dump_data(100, data, sizeof(data));
+
+               prs_init(&auth_verf, 0, cli->mem_ctx, UNMARSHALL);
+
+               /* The endinness must be preserved. JRA. */
+               prs_set_endian_data( &auth_verf, rdata->bigendian_data);
+
+               prs_give_memory(&auth_verf, data, RPC_AUTH_NETSEC_CHK_LEN, False);
+
+               if (!smb_io_rpc_auth_netsec_chk("schannel_auth_sign", &chk, &auth_verf, 0)) {
+                       DEBUG(0, ("rpc_auth_pipe: schannel unmarshalling "
+                                 "RPC_AUTH_NETSECK_CHK failed\n"));
+                       return False;
+               }
+
+               cli->auth_info.seq_num++;
+
+               if (!netsec_decode(&cli->auth_info, &chk, reply_data, data_len)) {
+                       DEBUG(0, ("rpc_auth_pipe: Could not decode schannel\n"));
+                       return False;
+               }
+       }
        return True;
 }
 
 
 /****************************************************************************
send data on an rpc pipe, which *must* be in one fragment.
Send data on an rpc pipe via trans, which *must* be the last fragment.
  receive response data from an rpc pipe, which may be large...
 
read the first fragment: unfortunately have to use SMBtrans for the first
Read the first fragment: unfortunately have to use SMBtrans for the first
  bit, then SMBreadX for subsequent bits.
 
if first fragment received also wasn't the last fragment, continue
If first fragment received also wasn't the last fragment, continue
  getting fragments until we _do_ receive the last fragment.
 
- [note: from a data abstraction viewpoint, this function is marginally
-        complicated by the return side of cli_api_pipe getting in the way
-        (i.e, the SMB header stuff).  the proper way to do this is to split
-        cli_api_pipe down into receive / transmit.  oh, and split cli_readx
-        down.  in other words, state-based (kernel) techniques...]
+ Request/Response PDU's look like the following...
+
+ |<------------------PDU len----------------------------------------------->|
+ |<-HDR_LEN-->|<--REQ LEN------>|.............|<-AUTH_HDRLEN->|<-AUTH_LEN-->|
+
+ +------------+-----------------+-------------+---------------+-------------+
+ | RPC HEADER | REQ/RESP HEADER | DATA ...... | AUTH_HDR      | AUTH DATA   |
+ +------------+-----------------+-------------+---------------+-------------+
+
+ Where the presence of the AUTH_HDR and AUTH are dependent on the
+ signing & sealing being negotiated.
 
  ****************************************************************************/
 
-static BOOL rpc_api_pipe(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 cmd, 
-                  prs_struct *param , prs_struct *data,
-                  prs_struct *rparam, prs_struct *rdata)
+static BOOL rpc_api_pipe(struct cli_state *cli, prs_struct *data, prs_struct *rdata)
 {
-       int len;
-
-       uint16 setup[2]; /* only need 2 uint16 setup parameters */
-       uint32 err;
+       uint32 len;
+       char *rparam = NULL;
+       uint32 rparam_len = 0;
+       uint16 setup[2];
        BOOL first = True;
        BOOL last  = True;
-       RPC_HDR    rhdr;
-
-       /*
-       * Setup the pointers from the incoming.
-       */
-       char *pparams = param ? param->data->data : NULL;
-       int params_len = param ? param->data->data_used : 0;
-       char *pdata = data ? data->data->data : NULL;
-       int data_len = data ? data->data->data_used : 0;
+       RPC_HDR rhdr;
+       char *pdata = data ? prs_data_p(data) : NULL;
+       uint32 data_len = data ? prs_offset(data) : 0;
+       char *prdata = NULL;
+       uint32 rdata_len = 0;
+       uint32 current_offset = 0;
+       uint32 max_data = cli->max_xmit_frag ? cli->max_xmit_frag : 1024;
 
-       /*
-       * Setup the pointers to the outgoing.
-       */
-       char **pp_ret_params = rparam ? &rparam->data->data : NULL;
-       uint32 *p_ret_params_len = rparam ? &rparam->data->data_used : NULL;
+       /* Create setup parameters - must be in native byte order. */
 
-       char **pp_ret_data = rdata ? &rdata->data->data : NULL;
-       uint32 *p_ret_data_len = rdata ? &rdata->data->data_used : NULL;
+       setup[0] = TRANSACT_DCERPCCMD; 
+       setup[1] = cli->nt_pipe_fnum; /* Pipe file handle. */
 
-       /* create setup parameters. */
-       setup[0] = cmd; 
-       setup[1] = nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
+       DEBUG(5,("rpc_api_pipe: fnum:%x\n", (int)cli->nt_pipe_fnum));
 
-       DEBUG(5,("rpc_api_pipe: cmd:%x fnum:%x\n", cmd, nt_pipe_fnum));
+       /* Send the RPC request and receive a response.  For short RPC
+          calls (about 1024 bytes or so) the RPC request and response
+          appears in a SMBtrans request and response.  Larger RPC
+          responses are received further on. */
 
-       /* send the data: receive a response. */
-       if (!cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
+       if (!cli_api_pipe(cli, "\\PIPE\\",
                  setup, 2, 0,                     /* Setup, length, max */
-                 pparams, params_len, 0,          /* Params, length, max */
-                 pdata, data_len, 1024,           /* data, length, max */                  
-                 pp_ret_params, p_ret_params_len, /* return params, len */
-                 pp_ret_data, p_ret_data_len))    /* return data, len */
+                 NULL, 0, 0,                      /* Params, length, max */
+                 pdata, data_len, max_data,       /* data, length, max */
+                 &rparam, &rparam_len,            /* return params, len */
+                 &prdata, &rdata_len))            /* return data, len */
        {
                DEBUG(0, ("cli_pipe: return critical error. Error was %s\n", cli_errstr(cli)));
                return False;
        }
 
-       if (rdata->data->data == NULL) return False;
+       /* Throw away returned params - we know we won't use them. */
 
-       /**** parse the header: check it's a response record */
+       SAFE_FREE(rparam);
 
-       rdata->data->offset.start = 0;
-       rdata->data->offset.end   = rdata->data->data_used;
-       rdata->offset = 0;
+       if (prdata == NULL) {
+               DEBUG(0,("rpc_api_pipe: pipe %x failed to return data.\n",
+                       (int)cli->nt_pipe_fnum));
+               return False;
+       }
 
-       /* cli_api_pipe does an ordinary Realloc - we have no margins now. */
-       rdata->data->margin = 0;
-       if (rparam) rparam->data->margin = 0;
+       /*
+        * Give this memory as dynamically allocated to the return parse
+        * struct.  
+        */
 
-       if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len))
-       {
+       prs_give_memory(rdata, prdata, rdata_len, True);
+       current_offset = rdata_len;
+
+       /* This next call sets the endian bit correctly in rdata. */
+
+       if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) {
+               prs_mem_free(rdata);
                return False;
        }
 
-       if (rhdr.pkt_type == RPC_BINDACK)
-       {
-               if (!last && !first)
-               {
-                       DEBUG(5,("rpc_api_pipe: bug in AS/U, setting fragment first/last ON\n"));
+       if (rhdr.pkt_type == RPC_BINDACK) {
+               if (!last && !first) {
+                       DEBUG(5,("rpc_api_pipe: bug in server (AS/U?), setting fragment first/last ON.\n"));
                        first = True;
                        last = True;
                }
        }
 
-       if (rhdr.pkt_type == RPC_RESPONSE)
-       {
+       if (rhdr.pkt_type == RPC_RESPONSE) {
                RPC_HDR_RESP rhdr_resp;
-               smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0);
+               if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0)) {
+                       DEBUG(5,("rpc_api_pipe: failed to unmarshal RPC_HDR_RESP.\n"));
+                       prs_mem_free(rdata);
+                       return False;
+               }
        }
 
-       DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n",
-                 len, rdata->data->data_used));
+       DEBUG(5,("rpc_api_pipe: len left: %u smbtrans read: %u\n",
+                 (unsigned int)len, (unsigned int)rdata_len ));
 
-       /* check if data to be sent back was too large for one SMB. */
-       /* err status is only informational: the _real_ check is on the length */
-       if (len > 0) /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
-       {
-               if (!rpc_read(cli, nt_pipe_fnum, rdata, len, rdata->data->data_used))
-               {
+       /* check if data to be sent back was too large for one SMBtrans */
+       /* err status is only informational: the _real_ check is on the
+           length */
+
+       if (len > 0) { 
+               /* || err == (0x80000000 | STATUS_BUFFER_OVERFLOW)) */
+
+               /* Read the remaining part of the first response fragment */
+
+               if (!rpc_read(cli, rdata, len, &current_offset)) {
+                       prs_mem_free(rdata);
                        return False;
                }
        }
 
-       if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
-       {
-               return False;
+       /*
+        * Now we have a complete PDU, check the auth struct if any was sent.
+        */
+
+       if (rhdr.auth_len != 0) {
+               if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
+                       return False;
+               /*
+                * Drop the auth footers from the current offset.
+                * We need this if there are more fragments.
+                * The auth footers consist of the auth_data and the
+                * preceeding 8 byte auth_header.
+                */
+               current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
        }
+       
+       /* 
+        * Only one rpc fragment, and it has been read.
+        */
 
-       /* only one rpc fragment, and it has been read */
-       if (first && last)
-       {
+       if (first && last) {
                DEBUG(6,("rpc_api_pipe: fragment first and last both set\n"));
                return True;
        }
 
-       while (!last) /* read more fragments until we get the last one */
-       {
+       /*
+        * Read more fragments using SMBreadX until we get one with the
+        * last bit set.
+        */
+
+       while (!last) {
                RPC_HDR_RESP rhdr_resp;
                int num_read;
+               char hdr_data[RPC_HEADER_LEN+RPC_HDR_RESP_LEN];
                prs_struct hps;
+               uint8 eclass;
+               uint32 ecode;
+
+               /*
+                * First read the header of the next PDU.
+                */
+
+               prs_init(&hps, 0, cli->mem_ctx, UNMARSHALL);
+               prs_give_memory(&hps, hdr_data, sizeof(hdr_data), False);
+
+               num_read = cli_read(cli, cli->nt_pipe_fnum, hdr_data, 0, RPC_HEADER_LEN+RPC_HDR_RESP_LEN);
+               if (cli_is_dos_error(cli)) {
+                        cli_dos_error(cli, &eclass, &ecode);
+                        if (eclass != ERRDOS && ecode != ERRmoredata) {
+                                DEBUG(0,("rpc_api_pipe: cli_read error : %d/%d\n", eclass, ecode));
+                                return False;
+                        }
+               }
 
-               prs_init(&hps, 0x18, 4, 0, True);
-
-               num_read = cli_read(cli, nt_pipe_fnum, hps.data->data, 0, 0x18);
                DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read));
 
-               if (num_read != 0x18) return False;
-
-               if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
-               {
+               if (num_read != RPC_HEADER_LEN+RPC_HDR_RESP_LEN) {
+                       DEBUG(0,("rpc_api_pipe: Error : requested %d bytes, got %d.\n",
+                               RPC_HEADER_LEN+RPC_HDR_RESP_LEN, num_read ));
                        return False;
                }
 
-               smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0);
+               /* This call sets the endianness in hps. */
+
+               if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len))
+                       return False;
 
-               prs_mem_free(&hps);
+               /* Ensure the endianness in rdata is set correctly - must be same as hps. */
 
-               if (cli_error(cli, NULL, &err)) return False;
+               if (hps.bigendian_data != rdata->bigendian_data) {
+                       DEBUG(0,("rpc_api_pipe: Error : Endianness changed from %s to %s\n",
+                               rdata->bigendian_data ? "big" : "little",
+                               hps.bigendian_data ? "big" : "little" ));
+                       return False;
+               }
 
-               if (first)
-               {
-                       DEBUG(0,("rpc_api_pipe: wierd rpc header received\n"));
+               if(!smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0)) {
+                       DEBUG(0,("rpc_api_pipe: Error in unmarshalling RPC_HDR_RESP.\n"));
                        return False;
                }
 
-               if (!rpc_read(cli, nt_pipe_fnum, rdata, len, rdata->data->data_used))
-               {
+               if (first) {
+                       DEBUG(0,("rpc_api_pipe: secondary PDU rpc header has 'first' set !\n"));
                        return False;
                }
 
-               if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
-               {
+               /*
+                * Now read the rest of the PDU.
+                */
+
+               if (!rpc_read(cli, rdata, len, &current_offset))
                        return False;
+
+               /*
+                * Verify any authentication footer.
+                */
+
+               if (rhdr.auth_len != 0 ) {
+                       if(!rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len))
+                               return False;
+                       /*
+                        * Drop the auth footers from the current offset.
+                        * The auth footers consist of the auth_data and the
+                        * preceeding 8 byte auth_header.
+                        * We need this if there are more fragments.
+                        */
+                       current_offset -= (rhdr.auth_len + RPC_HDR_AUTH_LEN);
                }
        }
 
@@ -407,296 +585,557 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 nt_pipe_fnum, uint16 cmd,
  - caller is expected to free the header data structure once used.
 
  ********************************************************************/
-static BOOL create_rpc_bind_req(prs_struct *rhdr,
-                                prs_struct *rhdr_rb,
-                                prs_struct *rhdr_auth,
-                                prs_struct *auth_req,
-                                prs_struct *auth_ntlm,
-                               uint32 rpc_call_id,
+
+static BOOL create_rpc_bind_req(prs_struct *rpc_out, BOOL do_auth, BOOL do_netsec, uint32 rpc_call_id,
                                 RPC_IFACE *abstract, RPC_IFACE *transfer,
-                                char *my_name, char *domain, uint32 neg_flags)
+                                const char *my_name, const char *domain, uint32 neg_flags)
 {
-       RPC_HDR_RB           hdr_rb;
-       RPC_HDR              hdr;
-       RPC_HDR_AUTH         hdr_auth;
-       RPC_AUTH_VERIFIER    auth_verifier;
-       RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
+       RPC_HDR hdr;
+       RPC_HDR_RB hdr_rb;
+       char buffer[4096];
+       prs_struct auth_info;
+       int auth_len = 0;
 
-       /* create the bind request RPC_HDR_RB */
-       make_rpc_hdr_rb(&hdr_rb, 0x1630, 0x1630, 0x0,
-                       0x1, 0x0, 0x1, abstract, transfer);
+       prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
 
-       /* stream the bind request data */
-       smb_io_rpc_hdr_rb("", &hdr_rb,  rhdr_rb, 0);
-       mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
+       if (do_auth) {
+               RPC_HDR_AUTH hdr_auth;
+               RPC_AUTH_VERIFIER auth_verifier;
+               RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
 
-       if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
-       {
-               make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1);
-               smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
-               mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
+               /*
+                * Create the auth structs we will marshall.
+                */
 
-               make_rpc_auth_verifier(&auth_verifier,
-                                      "NTLMSSP", NTLMSSP_NEGOTIATE);
+               init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00, 1);
+               init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_NEGOTIATE);
+               init_rpc_auth_ntlmssp_neg(&ntlmssp_neg, neg_flags, my_name, domain);
 
-               smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0);
-               mem_realloc_data(auth_req->data, auth_req->offset);
+               /*
+                * Use the 4k buffer to store the auth info.
+                */
 
-               make_rpc_auth_ntlmssp_neg(&ntlmssp_neg,
-                                      neg_flags, my_name, domain);
+               prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
+
+               /*
+                * Now marshall the data into the temporary parse_struct.
+                */
+
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_AUTH.\n"));
+                       return False;
+               }
 
-               smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0);
-               mem_realloc_data(auth_req->data, auth_req->offset);
+               if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_VERIFIER.\n"));
+                       return False;
+               }
+
+               if(!smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, &auth_info, 0)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_AUTH_NTLMSSP_NEG.\n"));
+                       return False;
+               }
+
+               /* Auth len in the rpc header doesn't include auth_header. */
+               auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
        }
 
-       /* create the request RPC_HDR */
-       make_rpc_hdr(&hdr, RPC_BIND, 0x0, rpc_call_id,
-                    (auth_req  != NULL ? auth_req ->offset : 0) +
-                    (auth_ntlm != NULL ? auth_ntlm->offset : 0) +
-                    (rhdr_auth != NULL ? rhdr_auth->offset : 0) +
-                    rhdr_rb->offset + 0x10,
-                    (auth_req  != NULL ? auth_req ->offset : 0) +
-                    (auth_ntlm != NULL ? auth_ntlm->offset : 0));
+       if (do_netsec) {
+               RPC_HDR_AUTH hdr_auth;
+               RPC_AUTH_NETSEC_NEG netsec_neg;
 
-       smb_io_rpc_hdr("hdr"   , &hdr   , rhdr, 0);
-       mem_realloc_data(rhdr->data, rhdr->offset);
+               /*
+                * Create the auth structs we will marshall.
+                */
 
-       if (rhdr->data == NULL || rhdr_rb->data == NULL) return False;
+               init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL,
+                                 0x00, 1);
+               init_rpc_auth_netsec_neg(&netsec_neg, domain, my_name);
 
-       /***/
-       /*** link rpc header, bind acknowledgment and authentication responses ***/
-       /***/
+               /*
+                * Use the 4k buffer to store the auth info.
+                */
 
-       if (auth_req != NULL)
-       {
-               prs_link(NULL     , rhdr      , rhdr_rb  );
-               prs_link(rhdr     , rhdr_rb   , rhdr_auth);
-               prs_link(rhdr_rb  , rhdr_auth , auth_req );
-               prs_link(rhdr_auth, auth_req  , auth_ntlm);
-               prs_link(auth_req , auth_ntlm , NULL     );
+               prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
+
+               /*
+                * Now marshall the data into the temporary parse_struct.
+                */
+
+               if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, &auth_info, 0)) {
+                       DEBUG(0,("Failed to marshall RPC_HDR_AUTH.\n"));
+                       return False;
+               }
+
+               if(!smb_io_rpc_auth_netsec_neg("netsec_neg",
+                                              &netsec_neg, &auth_info, 0)) {
+                       DEBUG(0,("Failed to marshall RPC_AUTH_NETSEC_NEG.\n"));
+                       return False;
+               }
+
+               /* Auth len in the rpc header doesn't include auth_header. */
+               auth_len = prs_offset(&auth_info) - RPC_HDR_AUTH_LEN;
        }
-       else
-       {
-               prs_link(NULL, rhdr   , rhdr_rb);
-               prs_link(rhdr, rhdr_rb, NULL   );
+
+       /* create the request RPC_HDR */
+       init_rpc_hdr(&hdr, RPC_BIND, 0x3, rpc_call_id, 
+               RPC_HEADER_LEN + RPC_HDR_RB_LEN + prs_offset(&auth_info),
+               auth_len);
+
+       if(!smb_io_rpc_hdr("hdr"   , &hdr, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR.\n"));
+               return False;
        }
 
-       return True;
-}
+       /* create the bind request RPC_HDR_RB */
+       init_rpc_hdr_rb(&hdr_rb, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN, 0x0,
+                       0x1, 0x0, 0x1, abstract, transfer);
 
+       /* Marshall the bind request data */
+       if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_req: failed to marshall RPC_HDR_RB.\n"));
+               return False;
+       }
 
-/*******************************************************************
- creates a DCE/RPC bind authentication response
+       /*
+        * Grow the outgoing buffer to store any auth info.
+        */
 
- - initialises the parse structure.
- - dynamically allocates the header data structure
- - caller is expected to free the header data structure once used.
+       if(hdr.auth_len != 0) {
+               if(!prs_append_prs_data( rpc_out, &auth_info)) {
+                       DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
+                       return False;
+               }
+       }
 
+       return True;
+}
+
+/*******************************************************************
+ Creates a DCE/RPC bind authentication response.
+ This is the packet that is sent back to the server once we
+ have received a BIND-ACK, to finish the third leg of
+ the authentication handshake.
  ********************************************************************/
+
 static BOOL create_rpc_bind_resp(struct pwd_info *pwd,
-                               char *domain, char *user_name, char *my_name,
+                               const char *domain, const char *user_name, const char *my_name,
                                uint32 ntlmssp_cli_flgs,
                                uint32 rpc_call_id,
-                               prs_struct *rhdr,
-                                prs_struct *rhdr_autha,
-                                prs_struct *auth_resp)
+                               prs_struct *rpc_out)
 {
        unsigned char lm_owf[24];
        unsigned char nt_owf[24];
-       RPC_HDR               hdr;
-       RPC_HDR_AUTHA         hdr_autha;
-       RPC_AUTH_VERIFIER     auth_verifier;
+       RPC_HDR hdr;
+       RPC_HDR_AUTHA hdr_autha;
+       RPC_AUTH_VERIFIER auth_verifier;
        RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
+       char buffer[4096];
+       prs_struct auth_info;
 
-       make_rpc_hdr_autha(&hdr_autha, 0x1630, 0x1630, 0x0a, 0x06, 0x00);
-       smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rhdr_autha, 0);
-       mem_realloc_data(rhdr_autha->data, rhdr_autha->offset);
+       /*
+        * Marshall the variable length data into a temporary parse
+        * struct, pointing into a 4k local buffer.
+        */
+       prs_init(&auth_info, 0, prs_get_mem_context(rpc_out), MARSHALL);
 
-       make_rpc_auth_verifier(&auth_verifier,
-                              "NTLMSSP", NTLMSSP_AUTH);
+       /*
+        * Use the 4k buffer to store the auth info.
+        */
 
-       smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_resp, 0);
-       mem_realloc_data(auth_resp->data, auth_resp->offset);
+       prs_give_memory( &auth_info, buffer, sizeof(buffer), False);
+
+       /*
+        * Create the variable length auth_data.
+        */
+
+       init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH);
 
        pwd_get_lm_nt_owf(pwd, lm_owf, nt_owf);
                        
-       make_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
+       init_rpc_auth_ntlmssp_resp(&ntlmssp_resp,
                                 lm_owf, nt_owf,
                                 domain, user_name, my_name,
                                 ntlmssp_cli_flgs);
 
-       smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, auth_resp, 0);
-       mem_realloc_data(auth_resp->data, auth_resp->offset);
+       /*
+        * Marshall the variable length auth_data into a temp parse_struct.
+        */
 
-       /* create the request RPC_HDR */
-       make_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
-                    auth_resp->offset + rhdr_autha->offset + 0x10,
-                    auth_resp->offset);
+       if(!smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, &auth_info, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_VERIFIER.\n"));
+               return False;
+       }
+
+       if(!smb_io_rpc_auth_ntlmssp_resp("ntlmssp_resp", &ntlmssp_resp, &auth_info, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_AUTH_NTLMSSP_RESP.\n"));
+               return False;
+       }
 
-       smb_io_rpc_hdr("hdr"   , &hdr   , rhdr, 0);
-       mem_realloc_data(rhdr->data, rhdr->offset);
+       /* Create the request RPC_HDR */
+       init_rpc_hdr(&hdr, RPC_BINDRESP, 0x0, rpc_call_id,
+                       RPC_HEADER_LEN + RPC_HDR_AUTHA_LEN + prs_offset(&auth_info),
+                       prs_offset(&auth_info) );
 
-       if (rhdr->data == NULL || rhdr_autha->data == NULL) return False;
+       /* Marshall it. */
+       if(!smb_io_rpc_hdr("hdr", &hdr, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR.\n"));
+               return False;
+       }
 
-       /***/
-       /*** link rpc header and authentication responses ***/
-       /***/
+       /* Create the request RPC_HDR_AUTHA */
+       init_rpc_hdr_autha(&hdr_autha, MAX_PDU_FRAG_LEN, MAX_PDU_FRAG_LEN,
+                       NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 0x00);
 
-       prs_link(NULL      , rhdr       , rhdr_autha);
-       prs_link(rhdr      , rhdr_autha , auth_resp );
-       prs_link(rhdr_autha, auth_resp  , NULL );
+       if(!smb_io_rpc_hdr_autha("hdr_autha", &hdr_autha, rpc_out, 0)) {
+               DEBUG(0,("create_rpc_bind_resp: failed to marshall RPC_HDR_AUTHA.\n"));
+               return False;
+       }
+
+       /*
+        * Append the auth data to the outgoing buffer.
+        */
+
+       if(!prs_append_prs_data(rpc_out, &auth_info)) {
+               DEBUG(0,("create_rpc_bind_req: failed to grow parse struct to add auth.\n"));
+               return False;
+       }
 
        return True;
 }
 
 
 /*******************************************************************
- creates a DCE/RPC bind request
-
- - initialises the parse structure.
- - dynamically allocates the header data structure
- - caller is expected to free the header data structure once used.
-
+ Creates a DCE/RPC request.
  ********************************************************************/
 
-static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len,
-                               int auth_len)
+static uint32 create_rpc_request(prs_struct *rpc_out, uint8 op_num, int data_len, int auth_len, uint8 flags, uint32 oldid, uint32 data_left)
 {
        uint32 alloc_hint;
-       RPC_HDR_REQ hdr_req;
        RPC_HDR     hdr;
+       RPC_HDR_REQ hdr_req;
+       uint32 callid = oldid ? oldid : get_rpc_call_id();
 
-       DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n",
-       op_num, data_len));
+       DEBUG(5,("create_rpc_request: opnum: 0x%x data_len: 0x%x\n", op_num, data_len));
 
        /* create the rpc header RPC_HDR */
-       make_rpc_hdr(&hdr   , RPC_REQUEST, RPC_FLG_FIRST | RPC_FLG_LAST,
-                    get_rpc_call_id(), data_len, auth_len);
+       init_rpc_hdr(&hdr, RPC_REQUEST, flags,
+                    callid, data_len, auth_len);
+
+       /*
+        * The alloc hint should be the amount of data, not including 
+        * RPC headers & footers.
+        */
 
        if (auth_len != 0)
-       {
-               alloc_hint = data_len - 0x18 - auth_len - 16;
-       }
+               alloc_hint = data_len - RPC_HEADER_LEN - RPC_HDR_AUTH_LEN - auth_len;
        else
-       {
-               alloc_hint = data_len - 0x18;
-       }
+               alloc_hint = data_len - RPC_HEADER_LEN;
 
        DEBUG(10,("create_rpc_request: data_len: %x auth_len: %x alloc_hint: %x\n",
                   data_len, auth_len, alloc_hint));
 
-       /* create the rpc request RPC_HDR_REQ */
-       make_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
+       /* Create the rpc request RPC_HDR_REQ */
+       init_rpc_hdr_req(&hdr_req, alloc_hint, op_num);
 
        /* stream-time... */
-       smb_io_rpc_hdr    ("hdr    ", &hdr    , rhdr, 0);
-       smb_io_rpc_hdr_req("hdr_req", &hdr_req, rhdr, 0);
+       if(!smb_io_rpc_hdr("hdr    ", &hdr, rpc_out, 0))
+               return 0;
 
-       if (rhdr->data == NULL || rhdr->offset != 0x18) return False;
+       if(!smb_io_rpc_hdr_req("hdr_req", &hdr_req, rpc_out, 0))
+               return 0;
 
-       rhdr->data->offset.start = 0;
-       rhdr->data->offset.end   = rhdr->offset;
+       if (prs_offset(rpc_out) != RPC_HEADER_LEN + RPC_HDR_REQ_LEN)
+               return 0;
 
+       return callid;
+}
+
+/*******************************************************************
+ Puts an NTLMSSP auth header into an rpc request.
+ ********************************************************************/
+
+static BOOL create_ntlmssp_auth_hdr(prs_struct *outgoing_packet, BOOL auth_verify)
+{
+       RPC_HDR_AUTH hdr_auth;
+
+       init_rpc_hdr_auth(&hdr_auth, NTLMSSP_AUTH_TYPE,
+                         NTLMSSP_AUTH_LEVEL, 0x08, 
+                         (auth_verify ? 1 : 0));
+       if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, 
+                               outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
+               return False;
+       }
        return True;
 }
 
+/*******************************************************************
+ Puts a NETLOGON schannel auth header into an rpc request.
+ ********************************************************************/
 
-/****************************************************************************
- send a request on an rpc pipe.
- ****************************************************************************/
-BOOL rpc_api_pipe_req(struct cli_state *cli, uint16 nt_pipe_fnum, uint8 op_num,
-                      prs_struct *data, prs_struct *rdata)
+static BOOL create_netsec_auth_hdr(prs_struct *outgoing_packet, int padding)
 {
-       /* fudge this, at the moment: create the header; memcpy the data.  oops. */
-       prs_struct dataa;
-       prs_struct rparam;
-       prs_struct hdr;
-       prs_struct hdr_auth;
-       prs_struct auth_verf;
-       int data_len;
-       int auth_len;
-       BOOL ret;
-       BOOL auth_verify;
-       BOOL auth_seal;
-       uint32 crc32 = 0;
-
-       auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN);
-       auth_seal   = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL);
-
-       /* happen to know that NTLMSSP authentication verifier is 16 bytes */
-       auth_len               = (auth_verify ? 16 : 0);
-       data_len               = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18;
-       data->data->offset.end = data->offset;
-
-       prs_init(&hdr      , data_len, 4, SAFETY_MARGIN, False);
-       prs_init(&hdr_auth , 8       , 4, SAFETY_MARGIN, False);
-       prs_init(&auth_verf, auth_len, 4, SAFETY_MARGIN, False);
-       prs_init(&rparam   , 0       , 4, 0            , True );
-
-       create_rpc_request(&hdr, op_num, data_len, auth_len);
-
-       if (auth_seal)
-       {
-               crc32 = crc32_calc_buffer(data->offset, mem_data(&data->data, 0));
-               NTLMSSPcalc_ap(cli, (uchar*)mem_data(&data->data, 0), data->offset);
+       RPC_HDR_AUTH hdr_auth;
+
+       init_rpc_hdr_auth(&hdr_auth, NETSEC_AUTH_TYPE,
+                         NETSEC_AUTH_LEVEL, padding, 1);
+       if(!smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, 
+                               outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_hdr:Failed to marshal RPC_HDR_AUTH.\n"));
+               return False;
        }
+       return True;
+}
 
-       if (auth_seal || auth_verify)
-       {
-               RPC_HDR_AUTH         rhdr_auth;
+/*******************************************************************
+ Puts auth data into an rpc request.
+ ********************************************************************/
+
+static BOOL create_auth_data(struct cli_state *cli, uint32 crc32, 
+                            prs_struct *outgoing_packet)
+{
+       char *pdata_out = prs_data_p(outgoing_packet);
+       RPC_AUTH_NTLMSSP_CHK chk;
+       uint32 current_offset = prs_offset(outgoing_packet);
 
-               make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0));
-               smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0);
+       init_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, 
+                                 crc32, cli->ntlmssp_seq_num++);
+       if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, 
+                                       outgoing_packet, 0)) {
+               DEBUG(0,("create_auth_data: Failed to marshal RPC_AUTH_NTLMSSP_CHK.\n"));
+               return False;
        }
+       NTLMSSPcalc_ap(cli, (unsigned char*)
+                      &pdata_out[current_offset+4], 
+                      RPC_AUTH_NTLMSSP_CHK_LEN - 4);
+       return True;
+}
+
+/**
+ * Send a request on an RPC pipe and get a response.
+ *
+ * @param data NDR contents of the request to be sent.
+ * @param rdata Unparsed NDR response data.
+**/
+
+BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num,
+                      prs_struct *data, prs_struct *rdata)
+{
+       uint32 auth_len, max_data, data_left, data_sent;
+       BOOL ret = False;
+       BOOL auth_verify, auth_seal, auth_schannel;
+       uint32 callid = 0;
+       fstring dump_name;
+
+       auth_verify = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SIGN) != 0);
+       auth_seal   = ((cli->ntlmssp_srv_flgs & NTLMSSP_NEGOTIATE_SEAL) != 0);
+       auth_schannel = (cli->saved_netlogon_pipe_fnum != 0);
+
+       auth_len = 0;
 
        if (auth_verify)
-       {
-               RPC_AUTH_NTLMSSP_CHK chk;
+               auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
 
-               make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++);
-               smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0);
-               NTLMSSPcalc_ap(cli, (uchar*)mem_data(&auth_verf.data, 4), 12);
-       }
+       if (auth_schannel)
+               auth_len = RPC_AUTH_NETSEC_CHK_LEN;
 
-       if (auth_seal || auth_verify)
-       {
-               prs_link(NULL     , &hdr      , data      );
-               prs_link(&hdr     , data      , &hdr_auth );
-               prs_link(data     , &hdr_auth , &auth_verf);
-               prs_link(&hdr_auth, &auth_verf, NULL      );
-       }
-       else
-       {
-               prs_link(NULL, &hdr, data);
-               prs_link(&hdr, data, NULL);
-       }
+       /*
+        * calc how much actual data we can send in a PDU fragment
+        */
+       max_data = cli->max_xmit_frag - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
+               (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len - 8;
+
+       for (data_left = prs_offset(data), data_sent = 0; data_left > 0;) {
+               prs_struct outgoing_packet;
+               uint32 data_len, send_size;
+               uint8 flags = 0;
+               uint32 crc32 = 0;
+               uint32 auth_padding = 0;
+               RPC_AUTH_NETSEC_CHK verf;
+
+               /*
+                * how much will we send this time
+                */
+               send_size = MIN(data_left, max_data);
+
+               /*
+                * NT expects the data that is sealed to be 8-byte
+                * aligned. The padding must be encrypted as well and
+                * taken into account when generating the
+                * authentication verifier. The amount of padding must
+                * be stored in the auth header.
+                */
+
+               if (auth_schannel)
+                       auth_padding = 8 - (send_size & 7);
+
+               data_len = RPC_HEADER_LEN + RPC_HDR_REQ_LEN + send_size +
+                       ((auth_verify|auth_schannel) ? RPC_HDR_AUTH_LEN : 0) +
+                       auth_len + auth_padding;
+
+               /*
+                * Malloc parse struct to hold it (and enough for alignments).
+                */
+               if(!prs_init(&outgoing_packet, data_len + 8, 
+                            cli->mem_ctx, MARSHALL)) {
+                       DEBUG(0,("rpc_api_pipe_req: Failed to malloc %u bytes.\n", (unsigned int)data_len ));
+                       return False;
+               }
 
-       mem_realloc_data(hdr.data, data_len);
+               if (data_left == prs_offset(data))
+                       flags |= RPC_FLG_FIRST;
+
+               if (data_left <= max_data)
+                       flags |= RPC_FLG_LAST;
+               /*
+                * Write out the RPC header and the request header.
+                */
+               if(!(callid = create_rpc_request(&outgoing_packet, op_num, 
+                                                data_len, auth_len, flags, 
+                                                callid, data_left))) {
+                       DEBUG(0,("rpc_api_pipe_req: Failed to create RPC request.\n"));
+                       prs_mem_free(&outgoing_packet);
+                       return False;
+               }
+
+               /*
+                * Seal the outgoing data if requested.
+                */
+               if (auth_seal) {
+                       crc32 = crc32_calc_buffer(prs_data_p(data) + data_sent,
+                                                 send_size);
+                       NTLMSSPcalc_ap(cli, (unsigned char*)prs_data_p(data) +
+                                      data_sent, send_size);
+               }
+
+               /*
+                * Now copy the data into the outgoing packet.
+                */
+
+               if (auth_schannel) {
+                       static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
+                       static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
+                       uchar sign[8];
+                       prs_struct netsec_blob;
+
+                       if ((cli->auth_info.seq_num & 1) != 0) {
+                               DEBUG(0,("SCHANNEL ERROR: seq_num must be even in client (seq_num=%d)\n",
+                                       cli->auth_info.seq_num));
+                       }
+
+                       DEBUG(10,("SCHANNEL seq_num=%d\n", cli->auth_info.seq_num));
+
+                       RSIVAL(sign, 0, cli->auth_info.seq_num);
+                       SIVAL(sign, 4, 0x80);
+
+                       if (!prs_init(&netsec_blob, send_size+auth_padding,
+                                     cli->mem_ctx, MARSHALL)) {
+                               DEBUG(0,("Could not malloc %u bytes",
+                                        send_size+auth_padding));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       if(!prs_append_some_prs_data(&netsec_blob, data, 
+                                                    data_sent, send_size)) {
+                               DEBUG(0,("Failed to append data to netsec blob\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       netsec_blob.align = 8;
+
+                       if (!prs_align(&netsec_blob)) {
+                               DEBUG(0,("Could not align netsec blob\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes,
+                                                sign, nullbytes);
 
-       DEBUG(100,("data_len: %x data_calc_len: %x\n",
-               data_len, mem_buf_len(data->data)));
+                       netsec_encode(&cli->auth_info, &verf,
+                                     prs_data_p(&netsec_blob),
+                                     prs_data_size(&netsec_blob));
 
-       /* this is a hack due to limitations in rpc_api_pipe */
-       prs_init(&dataa, mem_buf_len(hdr.data), 4, 0x0, False);
-       mem_buf_copy(dataa.data->data, hdr.data, 0, mem_buf_len(hdr.data));
+                       prs_append_prs_data(&outgoing_packet, &netsec_blob);
+                       prs_mem_free(&netsec_blob);
 
-       ret = rpc_api_pipe(cli, nt_pipe_fnum, 0x0026, NULL, &dataa, &rparam, rdata);
+                       cli->auth_info.seq_num++;
+
+               } else {
+                       if(!prs_append_some_prs_data(&outgoing_packet, data, 
+                                                    data_sent, send_size)) {
+                               DEBUG(0,("rpc_api_pipe_req: Failed to append "
+                                        "data to outgoing packet.\n"));
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
 
-       prs_mem_free(&hdr_auth );
-       prs_mem_free(&auth_verf);
-       prs_mem_free(&rparam   );
-       prs_mem_free(&hdr      );
-       prs_mem_free(&dataa    );
+               /*
+                * Add a trailing auth_verifier if needed.
+                */
+               if (auth_seal || auth_verify) {
+                       if(!create_ntlmssp_auth_hdr(&outgoing_packet, auth_verify)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               /*
+                * Finally the auth data itself.
+                */
+               if (auth_verify) {
+                       if (!create_auth_data(cli, crc32, &outgoing_packet)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               if (auth_schannel) {
+
+                       if (!create_netsec_auth_hdr(&outgoing_packet,
+                                                   auth_padding)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+
+                       if (!smb_io_rpc_auth_netsec_chk("", &verf,
+                                                       &outgoing_packet, 0)) {
+                               prs_mem_free(&outgoing_packet);
+                               return False;
+                       }
+               }
+
+               DEBUG(100,("data_len: %x data_calc_len: %x\n", data_len, 
+                          prs_offset(&outgoing_packet)));
+               
+               if (flags & RPC_FLG_LAST)
+                       ret = rpc_api_pipe(cli, &outgoing_packet, rdata);
+               else {
+                       cli_write(cli, cli->nt_pipe_fnum, 0x0008,
+                                  prs_data_p(&outgoing_packet),
+                                  data_sent, data_len);
+               }
+               prs_mem_free(&outgoing_packet);
+               data_sent += send_size;
+               data_left -= send_size;
+       }
+       /* Also capture received data */
+       slprintf(dump_name, sizeof(dump_name) - 1, "reply_%s",
+                cli_pipe_get_name(cli));
+       prs_dump(dump_name, op_num, rdata);
 
        return ret;
 }
 
 /****************************************************************************
-do an rpc bind
+ Set the handle state.
 ****************************************************************************/
 
-static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 nt_pipe_fnum,
-                               char *pipe_name, uint16 device_state)
+static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, const char *pipe_name, uint16 device_state)
 {
        BOOL state_set = False;
        char param[2];
@@ -705,20 +1144,21 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 nt_pipe_fnum,
        char *rdata = NULL;
        uint32 rparam_len, rdata_len;
 
-       if (pipe_name == NULL) return False;
+       if (pipe_name == NULL)
+               return False;
 
        DEBUG(5,("Set Handle state Pipe[%x]: %s - device state:%x\n",
-                 nt_pipe_fnum, pipe_name, device_state));
+       cli->nt_pipe_fnum, pipe_name, device_state));
 
        /* create parameters: device state */
        SSVAL(param, 0, device_state);
 
        /* create setup parameters. */
        setup[0] = 0x0001; 
-       setup[1] = nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
+       setup[1] = cli->nt_pipe_fnum; /* pipe file handle.  got this from an SMBOpenX. */
 
        /* send the data on \PIPE\ */
-       if (cli_api_pipe(cli, "\\PIPE\\\0\0\0", 8,
+       if (cli_api_pipe(cli, "\\PIPE\\",
                    setup, 2, 0,                /* setup, length, max */
                    param, 2, 0,                /* param, length, max */
                    NULL, 0, 1024,              /* data, length, max */
@@ -729,8 +1169,8 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 nt_pipe_fnum,
                state_set = True;
        }
 
-       if (rparam) free(rparam);
-       if (rdata ) free(rdata );
+       SAFE_FREE(rparam);
+       SAFE_FREE(rdata);
 
        return state_set;
 }
@@ -739,33 +1179,46 @@ static BOOL rpc_pipe_set_hnd_state(struct cli_state *cli, uint16 nt_pipe_fnum,
  check the rpc bind acknowledge response
 ****************************************************************************/
 
-static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *transfer)
+int get_pipe_index( const char *pipe_name )
 {
        int pipe_idx = 0;
 
-       while (pipe_names[pipe_idx].client_pipe != NULL)
-       {
-               if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe ))
-               {
-                       DEBUG(5,("Bind Abstract Syntax: "));    
-                       dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 
-                                 sizeof(pipe_names[pipe_idx].abstr_syntax));
-                       DEBUG(5,("Bind Transfer Syntax: "));
-                       dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
-                                 sizeof(pipe_names[pipe_idx].trans_syntax));
-
-                       /* copy the required syntaxes out so we can do the right bind */
-                       memcpy(transfer, &(pipe_names[pipe_idx].trans_syntax),
-                              sizeof(pipe_names[pipe_idx].trans_syntax));
-                       memcpy(abstract, &(pipe_names[pipe_idx].abstr_syntax),
-                              sizeof(pipe_names[pipe_idx].abstr_syntax));
-
-                       return True;
-               }
+       while (pipe_names[pipe_idx].client_pipe != NULL) {
+               if (strequal(pipe_name, pipe_names[pipe_idx].client_pipe )) 
+                       return pipe_idx;
                pipe_idx++;
        };
 
-       DEBUG(5,("Bind RPC Pipe[%s] unsupported\n", pipe_name));
+       return -1;
+}
+
+
+/****************************************************************************
+ check the rpc bind acknowledge response
+****************************************************************************/
+
+const char* get_pipe_name_from_index( const int pipe_index )
+{
+
+       if ( (pipe_index < 0) || (pipe_index >= PI_MAX_PIPES) )
+               return NULL;
+
+       return pipe_names[pipe_index].client_pipe;              
+}
+
+/****************************************************************************
+ Check to see if this pipe index points to one of 
+ the pipes only supported by Win2k
+ ****************************************************************************/
+
+BOOL is_win2k_pipe( const int pipe_idx )
+{
+       switch ( pipe_idx )
+       {
+               case PI_LSARPC_DS:
+                       return True;
+       }
+       
        return False;
 }
 
@@ -773,55 +1226,63 @@ static BOOL valid_pipe_name(char *pipe_name, RPC_IFACE *abstract, RPC_IFACE *tra
  check the rpc bind acknowledge response
 ****************************************************************************/
 
-static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *transfer)
+static BOOL valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
+{
+       if ( pipe_idx >= PI_MAX_PIPES ) {
+               DEBUG(0,("valid_pipe_name: Programmer error!  Invalid pipe index [%d]\n",
+                       pipe_idx));
+               return False;
+       }
+
+       DEBUG(5,("Bind Abstract Syntax: "));    
+       dump_data(5, (char*)&(pipe_names[pipe_idx].abstr_syntax), 
+                 sizeof(pipe_names[pipe_idx].abstr_syntax));
+       DEBUG(5,("Bind Transfer Syntax: "));
+       dump_data(5, (char*)&(pipe_names[pipe_idx].trans_syntax),
+                 sizeof(pipe_names[pipe_idx].trans_syntax));
+
+       /* copy the required syntaxes out so we can do the right bind */
+       
+       *transfer = pipe_names[pipe_idx].trans_syntax;
+       *abstract = pipe_names[pipe_idx].abstr_syntax;
+
+       return True;
+}
+
+/****************************************************************************
+ check the rpc bind acknowledge response
+****************************************************************************/
+
+static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
 {
        int i = 0;
 
-       while ((pipe_names[i].client_pipe != NULL) && hdr_ba->addr.len > 0)
+       if ( hdr_ba->addr.len <= 0)
+               return False;
+               
+       if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe )) 
        {
-               DEBUG(6,("bind_rpc_pipe: searching pipe name: client:%s server:%s\n",
-               pipe_names[i].client_pipe , pipe_names[i].server_pipe ));
-
-               if ((strequal(pipe_name, pipe_names[i].client_pipe )))
-               {
-                       if (strequal(hdr_ba->addr.str, pipe_names[i].server_pipe ))
-                       {
-                               DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n",
-                                        pipe_names[i].server_pipe ));
-                               break;
-                       }
-                       else
-                       {
-                               DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s.  oh well!\n",
-                                        pipe_names[i].server_pipe ,
-                                        hdr_ba->addr.str));
-                               break;
-                       }
-               }
-               else
-               {
-                       i++;
-               }
+               DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s.  oh well!\n",
+                        pipe_names[i].server_pipe ,hdr_ba->addr.str));
+               return False;
        }
+       
+       DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
 
-       if (pipe_names[i].server_pipe == NULL)
-       {
+       if (pipe_names[pipe_idx].server_pipe == NULL) {
                DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
                return False;
        }
 
        /* check the transfer syntax */
-       if (!((hdr_ba->transfer.version == transfer->version) &&
-            (memcmp(hdr_ba->transfer.data, transfer->data,
-                    sizeof(transfer->version)) ==0)))
-       {
-               DEBUG(0,("bind_rpc_pipe: transfer syntax differs\n"));
+       if ((hdr_ba->transfer.version != transfer->version) ||
+            (memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
+               DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
                return False;
        }
 
        /* lkclXXXX only accept one result: check the result(s) */
-       if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0)
-       {
+       if (hdr_ba->res.num_results != 0x1 || hdr_ba->res.result != 0) {
                DEBUG(2,("bind_rpc_pipe: bind denied results: %d reason: %x\n",
                          hdr_ba->res.num_results, hdr_ba->res.reason));
        }
@@ -831,255 +1292,220 @@ static BOOL check_bind_response(RPC_HDR_BA *hdr_ba, char *pipe_name, RPC_IFACE *
 }
 
 /****************************************************************************
-do an rpc bind
+ Create and send the third packet in an RPC auth.
 ****************************************************************************/
 
-static BOOL rpc_pipe_bind(struct cli_state *cli, uint16 nt_pipe_fnum,
-                               char *pipe_name,
-                               RPC_IFACE *abstract, RPC_IFACE *transfer, 
-                               char *my_name)
+static BOOL rpc_send_auth_reply(struct cli_state *cli, prs_struct *rdata, uint32 rpc_call_id)
 {
-       prs_struct hdr;
-       prs_struct hdr_rb;
-       prs_struct hdr_auth;
-       prs_struct auth_req;
-       prs_struct auth_ntlm;
-       prs_struct data;
-       prs_struct rdata;
-       prs_struct rparam;
+       RPC_HDR_AUTH rhdr_auth;
+       RPC_AUTH_VERIFIER rhdr_verf;
+       RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
+       char buffer[MAX_PDU_FRAG_LEN];
+       prs_struct rpc_out;
+       ssize_t ret;
+
+       unsigned char p24[24];
+       unsigned char lm_owf[24];
+       unsigned char lm_hash[16];
 
-       BOOL valid_ack = False;
-       BOOL ntlmssp_auth = cli->ntlmssp_cli_flgs != 0;
-       uint32 rpc_call_id;
+       if(!smb_io_rpc_hdr_auth("", &rhdr_auth, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_HDR_AUTH.\n"));
+               return False;
+       }
+       if(!smb_io_rpc_auth_verifier("", &rhdr_verf, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_VERIFIER.\n"));
+               return False;
+       }
+       if(!smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, rdata, 0)) {
+               DEBUG(0,("rpc_send_auth_reply: Failed to unmarshall RPC_AUTH_NTLMSSP_CHAL.\n"));
+               return False;
+       }
+
+       cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
+
+       pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
+
+       prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
+
+       prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
+
+       create_rpc_bind_resp(&cli->pwd, cli->domain,
+                            cli->user_name, global_myname(), 
+                            cli->ntlmssp_cli_flgs, rpc_call_id,
+                            &rpc_out);
+                                           
+       pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
+       pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
+
+       NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
 
-       if (pipe_name == NULL || abstract == NULL || transfer == NULL)
        {
+               unsigned char j = 0;
+               int ind;
+               unsigned char k2[8];
+
+               memcpy(k2, p24, 5);
+               k2[5] = 0xe5;
+               k2[6] = 0x38;
+               k2[7] = 0xb0;
+
+               for (ind = 0; ind < 256; ind++)
+                       cli->ntlmssp_hash[ind] = (unsigned char)ind;
+
+               for( ind = 0; ind < 256; ind++) {
+                       unsigned char tc;
+
+                       j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
+
+                       tc = cli->ntlmssp_hash[ind];
+                       cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
+                       cli->ntlmssp_hash[j] = tc;
+               }
+
+               cli->ntlmssp_hash[256] = 0;
+               cli->ntlmssp_hash[257] = 0;
+       }
+
+       memset((char *)lm_hash, '\0', sizeof(lm_hash));
+
+       if ((ret = cli_write(cli, cli->nt_pipe_fnum, 0x8, prs_data_p(&rpc_out), 
+                       0, (size_t)prs_offset(&rpc_out))) != (ssize_t)prs_offset(&rpc_out)) {
+               DEBUG(0,("rpc_send_auth_reply: cli_write failed. Return was %d\n", (int)ret));
                return False;
        }
 
-       DEBUG(5,("Bind RPC Pipe[%x]: %s\n", nt_pipe_fnum, pipe_name));
+       cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
+       return True;
+}
 
-       if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
+/****************************************************************************
+ Do an rpc bind.
+****************************************************************************/
 
-       prs_init(&hdr      , 0x10                     , 4, 0x0          , False);
-       prs_init(&hdr_rb   , 1024                     , 4, SAFETY_MARGIN, False);
-       prs_init(&hdr_auth , (ntlmssp_auth ?    8 : 0), 4, SAFETY_MARGIN, False);
-       prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
-       prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False);
+static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_name,
+                         BOOL do_netsec)
+{
+       RPC_IFACE abstract;
+       RPC_IFACE transfer;
+       prs_struct rpc_out;
+       prs_struct rdata;
+       BOOL do_auth = (cli->ntlmssp_cli_flgs != 0);
+       uint32 rpc_call_id;
+       char buffer[MAX_PDU_FRAG_LEN];
+
+       if ( (pipe_idx < 0) || (pipe_idx >= PI_MAX_PIPES) )
+               return False;
 
-       prs_init(&rdata    , 0   , 4, SAFETY_MARGIN, True);
-       prs_init(&rparam   , 0   , 4, SAFETY_MARGIN, True);
+       DEBUG(5,("Bind RPC Pipe[%x]: %s\n", cli->nt_pipe_fnum, pipe_names[pipe_idx].client_pipe));
+
+       if (!valid_pipe_name(pipe_idx, &abstract, &transfer))
+               return False;
+
+       prs_init(&rpc_out, 0, cli->mem_ctx, MARSHALL);
+
+       /*
+        * Use the MAX_PDU_FRAG_LEN buffer to store the bind request.
+        */
+
+       prs_give_memory( &rpc_out, buffer, sizeof(buffer), False);
 
        rpc_call_id = get_rpc_call_id();
-       create_rpc_bind_req(&hdr, &hdr_rb,
-                           ntlmssp_auth ? &hdr_auth : NULL,
-                           ntlmssp_auth ? &auth_req : NULL,
-                           ntlmssp_auth ? &auth_ntlm : NULL,
-                           rpc_call_id,
-                           abstract, transfer,
-                           global_myname, cli->domain, cli->ntlmssp_cli_flgs);
-
-       /* this is a hack due to limitations in rpc_api_pipe */
-       prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
-       mem_buf_copy(data.data->data, hdr.data, 0, mem_buf_len(hdr.data));
+
+       /* Marshall the outgoing data. */
+       create_rpc_bind_req(&rpc_out, do_auth, do_netsec, rpc_call_id,
+                           &abstract, &transfer,
+                           global_myname(), cli->domain, cli->ntlmssp_cli_flgs);
+
+       /* Initialize the incoming data struct. */
+       prs_init(&rdata, 0, cli->mem_ctx, UNMARSHALL);
 
        /* send data on \PIPE\.  receive a response */
-       if (rpc_api_pipe(cli, nt_pipe_fnum, 0x0026, NULL, &data, &rparam, &rdata))
-       {
+       if (rpc_api_pipe(cli, &rpc_out, &rdata)) {
                RPC_HDR_BA   hdr_ba;
-               RPC_HDR_AUTH rhdr_auth;
-               RPC_AUTH_VERIFIER rhdr_verf;
-               RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
 
-               DEBUG(5, ("rpc_api_pipe: return OK\n"));
+               DEBUG(5, ("rpc_pipe_bind: rpc_api_pipe returned OK.\n"));
 
-               smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0);
-
-               if (rdata.offset != 0)
-               {
-                       valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
-               }
-
-               if (valid_ack)
-               {
-                       cli->max_xmit_frag = hdr_ba.bba.max_tsize;
-                       cli->max_recv_frag = hdr_ba.bba.max_rsize;
+               if(!smb_io_rpc_hdr_ba("", &hdr_ba, &rdata, 0)) {
+                       DEBUG(0,("rpc_pipe_bind: Failed to unmarshall RPC_HDR_BA.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
                }
 
-               if (valid_ack && ntlmssp_auth)
-               {
-                       smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
-                       if (rdata.offset == 0) valid_ack = False;
+               if(!check_bind_response(&hdr_ba, pipe_idx, &transfer)) {
+                       DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
                }
 
-               if (valid_ack && ntlmssp_auth)
-               {
-                       smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0);
-                       if (rdata.offset == 0) valid_ack = False;
-               }
-               if (valid_ack && ntlmssp_auth)
-               {
-                       smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
-                       if (rdata.offset == 0) valid_ack = False;
-               }
-               if (valid_ack && ntlmssp_auth)
-               {
-                       unsigned char p24[24];
-                       unsigned char lm_owf[24];
-                       unsigned char lm_hash[16];
-
-                       prs_struct hdra;
-                       prs_struct hdr_autha;
-                       prs_struct auth_resp;
-                       prs_struct dataa;
-
-                       cli->ntlmssp_cli_flgs = rhdr_chal.neg_flags;
-
-                       prs_init(&hdra     , 0x10, 4, 0x0          , False);
-                       prs_init(&hdr_autha, 1024, 4, SAFETY_MARGIN, False);
-                       prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False);
-
-                       pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge);
-
-                       create_rpc_bind_resp(&cli->pwd, cli->domain,
-                                            cli->user_name, global_myname, 
-                                            cli->ntlmssp_cli_flgs,
-                                            rpc_call_id,
-                                            &hdra, &hdr_autha, &auth_resp);
-                                           
-                       pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL);
-                       pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL);
-                       NTLMSSPOWFencrypt(lm_hash, lm_owf, p24);
-                       {
-                               unsigned char j = 0;
-                               int ind;
-                               unsigned char k2[8];
-
-                               memcpy(k2, p24, 5);
-                               k2[5] = 0xe5;
-                               k2[6] = 0x38;
-                               k2[7] = 0xb0;
-
-                               for (ind = 0; ind < 256; ind++)
-                               {
-                                       cli->ntlmssp_hash[ind] = (unsigned char)ind;
-                               }
-
-                               for( ind = 0; ind < 256; ind++)
-                               {
-                                       unsigned char tc;
-
-                                       j += (cli->ntlmssp_hash[ind] + k2[ind%8]);
-
-                                       tc = cli->ntlmssp_hash[ind];
-                                       cli->ntlmssp_hash[ind] = cli->ntlmssp_hash[j];
-                                       cli->ntlmssp_hash[j] = tc;
-                               }
-
-                               cli->ntlmssp_hash[256] = 0;
-                               cli->ntlmssp_hash[257] = 0;
-                       }
-/*                     NTLMSSPhash(cli->ntlmssp_hash, p24); */
-                       bzero(lm_hash, sizeof(lm_hash));
-
-                       /* this is a hack due to limitations in rpc_api_pipe */
-                       prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False);
-                       mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data));
-
-                       if (cli_write(cli, nt_pipe_fnum, 0x0008,
-                                 dataa.data->data, 0,
-                                 dataa.data->data_used) < 0)
-                       {
-                               valid_ack = False;
-                       }
+               cli->max_xmit_frag = hdr_ba.bba.max_tsize;
+               cli->max_recv_frag = hdr_ba.bba.max_rsize;
 
-                       if (valid_ack)
-                       {
-                               cli->ntlmssp_srv_flgs = rhdr_chal.neg_flags;
-                       }
+               /*
+                * If we're doing NTLMSSP auth we need to send a reply to
+                * the bind-ack to complete the 3-way challenge response
+                * handshake.
+                */
 
-                       prs_mem_free(&hdra);
-                       prs_mem_free(&dataa);
-                       prs_mem_free(&hdr_autha);
-                       prs_mem_free(&auth_resp);
+               if (do_auth && !rpc_send_auth_reply(cli, &rdata, rpc_call_id)) {
+                       DEBUG(0,("rpc_pipe_bind: rpc_send_auth_reply failed.\n"));
+                       prs_mem_free(&rdata);
+                       return False;
                }
        }
 
-       prs_mem_free(&data     );
-       prs_mem_free(&hdr      );
-       prs_mem_free(&hdr_rb   );
-       prs_mem_free(&hdr_auth );
-       prs_mem_free(&auth_req );
-       prs_mem_free(&auth_ntlm);
-       prs_mem_free(&rdata    );
-       prs_mem_free(&rparam   );
-
-       return valid_ack;
+       prs_mem_free(&rdata);
+       return True;
 }
 
 /****************************************************************************
- set ntlmssp negotiation flags
+ Open a session.
  ****************************************************************************/
 
-void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs)
+BOOL cli_nt_session_open(struct cli_state *cli, const int pipe_idx)
 {
-       cli->ntlmssp_cli_flgs = ntlmssp_flgs;
-}
+       int fnum;
 
+       /* At the moment we can't have more than one pipe open over
+           a cli connection. )-: */
 
-/****************************************************************************
- open a session
****************************************************************************/
+       SMB_ASSERT(cli->nt_pipe_fnum == 0);
+       
      /* The pipe index must fall within our array */
 
-BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, uint16* nt_pipe_fnum)
-{
-       RPC_IFACE abstract;
-       RPC_IFACE transfer;
-       int fnum;
+       SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
 
-       /******************* open the pipe *****************/
-       if (IS_BITS_SET_ALL(cli->capabilities, CAP_NT_SMBS))
-       {
-               if ((fnum = cli_nt_create(cli, &(pipe_name[5]))) == -1)
-               {
+       if (cli->capabilities & CAP_NT_SMBS) {
+               if ((fnum = cli_nt_create(cli, &pipe_names[pipe_idx].client_pipe[5], DESIRED_ACCESS_PIPE)) == -1) {
                        DEBUG(0,("cli_nt_session_open: cli_nt_create failed on pipe %s to machine %s.  Error was %s\n",
-                                &(pipe_name[5]), cli->desthost, cli_errstr(cli)));
+                                &pipe_names[pipe_idx].client_pipe[5], cli->desthost, cli_errstr(cli)));
                        return False;
                }
 
-               *nt_pipe_fnum = (uint16)fnum;
-       }
-       else
-       {
-               if ((fnum = cli_open(cli, pipe_name, O_CREAT|O_RDWR, DENY_NONE)) == -1)
-               {
+               cli->nt_pipe_fnum = (uint16)fnum;
+       } else {
+               if ((fnum = cli_open(cli, pipe_names[pipe_idx].client_pipe, O_CREAT|O_RDWR, DENY_NONE)) == -1) {
                        DEBUG(0,("cli_nt_session_open: cli_open failed on pipe %s to machine %s.  Error was %s\n",
-                                pipe_name, cli->desthost, cli_errstr(cli)));
+                                pipe_names[pipe_idx].client_pipe, cli->desthost, cli_errstr(cli)));
                        return False;
                }
 
-               *nt_pipe_fnum = (uint16)fnum;
+               cli->nt_pipe_fnum = (uint16)fnum;
 
                /**************** Set Named Pipe State ***************/
-               if (!rpc_pipe_set_hnd_state(cli, *nt_pipe_fnum, pipe_name, 0x4300))
-               {
+               if (!rpc_pipe_set_hnd_state(cli, pipe_names[pipe_idx].client_pipe, 0x4300)) {
                        DEBUG(0,("cli_nt_session_open: pipe hnd state failed.  Error was %s\n",
                                  cli_errstr(cli)));
-                       cli_close(cli, *nt_pipe_fnum);
+                       cli_close(cli, cli->nt_pipe_fnum);
                        return False;
                }
-
        }
 
        /******************* bind request on pipe *****************/
 
-       if (!rpc_pipe_bind(cli, *nt_pipe_fnum, pipe_name,
-                          &abstract, &transfer,
-                          global_myname))
-       {
-               DEBUG(0,("cli_nt_session_open: rpc bind failed. Error was %s\n",
-                         cli_errstr(cli)));
-               cli_close(cli, *nt_pipe_fnum);
+       if (!rpc_pipe_bind(cli, pipe_idx, global_myname(), False)) {
+               DEBUG(2,("cli_nt_session_open: rpc bind to %s failed\n",
+                        get_pipe_name_from_index(pipe_idx)));
+               cli_close(cli, cli->nt_pipe_fnum);
                return False;
        }
 
@@ -1092,21 +1518,136 @@ BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, uint16* nt_pipe
        strupper(cli->srv_name_slash);
 
        fstrcpy(cli->clnt_name_slash, "\\\\");
-       fstrcat(cli->clnt_name_slash, global_myname);
+       fstrcat(cli->clnt_name_slash, global_myname());
        strupper(cli->clnt_name_slash);
 
-       fstrcpy(cli->mach_acct, global_myname);
+       fstrcpy(cli->mach_acct, global_myname());
        fstrcat(cli->mach_acct, "$");
        strupper(cli->mach_acct);
 
+       /* Remember which pipe we're talking to */
+       fstrcpy(cli->pipe_name, pipe_names[pipe_idx].client_pipe);
+
+       return True;
+}
+
+
+/****************************************************************************
+ Open a session to the NETLOGON pipe using schannel.
+ ****************************************************************************/
+
+BOOL cli_nt_open_netlogon(struct cli_state *cli, const char *trust_password,
+                         int sec_chan)
+{
+       NTSTATUS result;
+       uint32 neg_flags = 0x000001ff;
+       int fnum;
+
+       if (lp_client_schannel() != False)
+               neg_flags |= NETLOGON_NEG_SCHANNEL;
+
+
+       if (!cli_nt_session_open(cli, PI_NETLOGON)) {
+               return False;
+       }
+
+       if (!secrets_init()) {
+               DEBUG(3,("Failed to init secrets.tdb\n"));
+               return False;
+       }
+
+       result = cli_nt_setup_creds(cli, sec_chan, trust_password,
+                                   &neg_flags, 2);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               cli_nt_session_close(cli);
+               return False;
+       }
+
+       if ((lp_client_schannel() == True) &&
+           ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+
+               DEBUG(3, ("Server did not offer schannel\n"));
+               cli_nt_session_close(cli);
+               return False;
+       }
+
+       if ((lp_client_schannel() == False) ||
+           ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+               return True;
+       }
+
+       /* Server offered schannel, so try it. */
+
+       cli->auth_info.seq_num = 0;
+       memcpy(cli->auth_info.sess_key, cli->sess_key,
+              sizeof(cli->auth_info.sess_key));
+
+       cli->saved_netlogon_pipe_fnum = cli->nt_pipe_fnum;
+
+       if (cli->capabilities & CAP_NT_SMBS) {
+
+               /* The secure channel connection must be opened on the same 
+                   session (TCP connection) as the one the challenge was
+                   requested from. */
+
+               if ((fnum = cli_nt_create(cli, PIPE_NETLOGON_PLAIN,
+                                         DESIRED_ACCESS_PIPE)) == -1) {
+                       DEBUG(0,("cli_nt_create failed to %s machine %s. "
+                                "Error was %s\n",
+                                PIPE_NETLOGON, cli->desthost,
+                                cli_errstr(cli)));
+                       return False;
+               }
+               
+               cli->nt_pipe_fnum = (uint16)fnum;
+       } else {
+               if ((fnum = cli_open(cli, PIPE_NETLOGON,
+                                    O_CREAT|O_RDWR, DENY_NONE)) == -1) {
+                       DEBUG(0,("cli_open failed on pipe %s to machine %s. "
+                                "Error was %s\n",
+                                PIPE_NETLOGON, cli->desthost,
+                                cli_errstr(cli)));
+                       return False;
+               }
+
+               cli->nt_pipe_fnum = (uint16)fnum;
+
+               /**************** Set Named Pipe State ***************/
+               if (!rpc_pipe_set_hnd_state(cli, PIPE_NETLOGON, 0x4300)) {
+                       DEBUG(0,("Pipe hnd state failed.  Error was %s\n",
+                                 cli_errstr(cli)));
+                       cli_close(cli, cli->nt_pipe_fnum);
+                       return False;
+               }
+       }
+
+       if (!rpc_pipe_bind(cli, PI_NETLOGON, global_myname(), True)) {
+               DEBUG(2,("rpc bind to %s failed\n", PIPE_NETLOGON));
+               cli_close(cli, cli->nt_pipe_fnum);
+               return False;
+       }
+
        return True;
 }
 
+
+const char *cli_pipe_get_name(struct cli_state *cli)
+{
+       return cli->pipe_name;
+}
+
+
 /****************************************************************************
 close the session
 ****************************************************************************/
 
-void cli_nt_session_close(struct cli_state *cli, uint16 nt_pipe_fnum)
+void cli_nt_session_close(struct cli_state *cli)
 {
-       cli_close(cli, nt_pipe_fnum);
+       if (cli->saved_netlogon_pipe_fnum != 0) {
+               cli_close(cli, cli->saved_netlogon_pipe_fnum);
+               cli->saved_netlogon_pipe_fnum = 0;
+       }
+       cli_close(cli, cli->nt_pipe_fnum);
+       cli->nt_pipe_fnum = 0;
 }