Merge branch 'master' of ssh://git.samba.org/data/git/samba into abartlet-devel

[tprouty/samba.git] / source4 / rpc_server / dcerpc_server.c

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 35b37b3af6c070372b19e513d091c0cbe34162be..d27a8b90de7069daf1ab5dcf87d1a227b8b64837 100644 (file)
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -24,26 +24,30 @@
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
-#include "lib/util/dlinklist.h"
+#include "../lib/util/dlinklist.h"
 #include "rpc_server/dcerpc_server.h"
+#include "rpc_server/dcerpc_server_proto.h"
+#include "librpc/rpc/dcerpc_proto.h"
 #include "lib/events/events.h"
 #include "smbd/service_task.h"
 #include "smbd/service_stream.h"
 #include "smbd/service.h"
 #include "system/filesys.h"
 #include "libcli/security/security.h"
-#include "build.h"
+#include "param/param.h"
+
+#define SAMBA_ASSOC_GROUP 0x12345678
 
 extern const struct dcesrv_interface dcesrv_mgmt_interface;
 
 /*
   see if two endpoints match
 */
-static BOOL endpoints_match(const struct dcerpc_binding *ep1,
+static bool endpoints_match(const struct dcerpc_binding *ep1,
                            const struct dcerpc_binding *ep2)
 {
        if (ep1->transport != ep2->transport) {
-               return False;
+               return false;
        }
 
        if (!ep1->endpoint || !ep2->endpoint) {
@@ -51,9 +55,9 @@ static BOOL endpoints_match(const struct dcerpc_binding *ep1,
        }
 
        if (strcasecmp(ep1->endpoint, ep2->endpoint) != 0) 
-               return False;
+               return false;
 
-       return True;
+       return true;
 }
 
 /*
@@ -87,7 +91,7 @@ static struct dcesrv_connection_context *dcesrv_find_context(struct dcesrv_conne
 /*
   see if a uuid and if_version match to an interface
 */
-static BOOL interface_match(const struct dcesrv_interface *if1,
+static bool interface_match(const struct dcesrv_interface *if1,
                                                        const struct dcesrv_interface *if2)
 {
        return (if1->syntax_id.if_version == if2->syntax_id.if_version && 
@@ -112,7 +116,7 @@ static const struct dcesrv_interface *find_interface(const struct dcesrv_endpoin
 /*
   see if a uuid and if_version match to an interface
 */
-static BOOL interface_match_by_uuid(const struct dcesrv_interface *iface,
+static bool interface_match_by_uuid(const struct dcesrv_interface *iface,
                                    const struct GUID *uuid, uint32_t if_version)
 {
        return (iface->syntax_id.if_version == if_version && 
@@ -159,7 +163,7 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
        struct dcesrv_endpoint *ep;
        struct dcesrv_if_list *ifl;
        struct dcerpc_binding *binding;
-       BOOL add_ep = False;
+       bool add_ep = false;
        NTSTATUS status;
        
        status = dcerpc_parse_binding(dce_ctx, ep_name, &binding);
@@ -178,7 +182,7 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
                }
                ZERO_STRUCTP(ep);
                ep->ep_description = talloc_reference(ep, binding);
-               add_ep = True;
+               add_ep = true;
 
                /* add mgmt interface */
                ifl = talloc(dce_ctx, struct dcesrv_if_list);
@@ -247,8 +251,8 @@ _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
        return NT_STATUS_OK;
 }
 
-static NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
-                                             DATA_BLOB *session_key)
+NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
+                                     DATA_BLOB *session_key)
 {
        if (p->auth_state.session_info->session_key.length) {
                *session_key = p->auth_state.session_info->session_key;
@@ -268,37 +272,26 @@ NTSTATUS dcesrv_generic_session_key(struct dcesrv_connection *p,
 
 /*
   fetch the user session key - may be default (above) or the SMB session key
+
+  The key is always truncated to 16 bytes 
 */
 _PUBLIC_ NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
                                  DATA_BLOB *session_key)
 {
-       return p->auth_state.session_key(p, session_key);
-}
-
-
-/*
-  destroy a link to an endpoint
-*/
-static int dcesrv_endpoint_destructor(struct dcesrv_connection *p)
-{
-       while (p->contexts) {
-               struct dcesrv_connection_context *c = p->contexts;
-
-               DLIST_REMOVE(p->contexts, c);
-
-               if (c->iface) {
-                       c->iface->unbind(c, c->iface);
-               }
+       NTSTATUS status = p->auth_state.session_key(p, session_key);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
        }
 
-       return 0;
-}
+       session_key->length = MIN(session_key->length, 16);
 
+       return NT_STATUS_OK;
+}
 
 /*
   connect to a dcerpc endpoint
 */
-NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
+_PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
                                 TALLOC_CTX *mem_ctx,
                                 const struct dcesrv_endpoint *ep,
                                 struct auth_session_info *session_info,
@@ -326,6 +319,7 @@ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
        p->endpoint = ep;
        p->contexts = NULL;
        p->call_list = NULL;
+       p->packet_log_dir = lp_lockdir(dce_ctx->lp_ctx);
        p->incoming_fragmented_call_list = NULL;
        p->pending_call_list = NULL;
        p->cli_max_recv_frag = 0;
@@ -337,12 +331,10 @@ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
        p->event_ctx = event_ctx;
        p->msg_ctx = msg_ctx;
        p->server_id = server_id;
-       p->processing = False;
+       p->processing = false;
        p->state_flags = state_flags;
        ZERO_STRUCT(p->transport);
 
-       talloc_set_destructor(p, dcesrv_endpoint_destructor);
-
        *_p = p;
        return NT_STATUS_OK;
 }
@@ -385,11 +377,11 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx,
 }
 
 
-static void dcesrv_init_hdr(struct ncacn_packet *pkt)
+static void dcesrv_init_hdr(struct ncacn_packet *pkt, bool bigendian)
 {
        pkt->rpc_vers = 5;
        pkt->rpc_vers_minor = 0;
-       if (lp_rpc_big_endian()) {
+       if (bigendian) {
                pkt->drep[0] = 0;
        } else {
                pkt->drep[0] = DCERPC_DREP_LE;
@@ -443,10 +435,11 @@ static NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code
 {
        struct ncacn_packet pkt;
        struct data_blob_list_item *rep;
+       uint8_t zeros[4];
        NTSTATUS status;
 
        /* setup a bind_ack */
-       dcesrv_init_hdr(&pkt);
+       dcesrv_init_hdr(&pkt, lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
        pkt.ptype = DCERPC_PKT_FAULT;
@@ -456,12 +449,15 @@ static NTSTATUS dcesrv_fault(struct dcesrv_call_state *call, uint32_t fault_code
        pkt.u.fault.cancel_count = 0;
        pkt.u.fault.status = fault_code;
 
+       ZERO_STRUCT(zeros);
+       pkt.u.fault._pad = data_blob_const(zeros, sizeof(zeros));
+
        rep = talloc(call, struct data_blob_list_item);
        if (!rep) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = ncacn_push_auth(&rep->blob, call, &pkt, NULL);
+       status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, NULL);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -485,7 +481,7 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
        NTSTATUS status;
 
        /* setup a bind_nak */
-       dcesrv_init_hdr(&pkt);
+       dcesrv_init_hdr(&pkt, lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
        pkt.ptype = DCERPC_PKT_BIND_NAK;
@@ -500,7 +496,7 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = ncacn_push_auth(&rep->blob, call, &pkt, NULL);
+       status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, NULL);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -513,6 +509,16 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
        return NT_STATUS_OK;    
 }
 
+static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
+{
+       DLIST_REMOVE(c->conn->contexts, c);
+
+       if (c->iface) {
+               c->iface->unbind(c, c->iface);
+       }
+
+       return 0;
+}
 
 /*
   handle a bind request
@@ -527,8 +533,21 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        uint32_t result=0, reason=0;
        uint32_t context_id;
        const struct dcesrv_interface *iface;
-
-       if (call->pkt.u.bind.assoc_group_id != 0) {
+       uint32_t extra_flags = 0;
+
+       /*
+        * Association groups allow policy handles to be shared across
+        * multiple client connections.  We don't implement this yet.
+        *
+        * So we just allow 0 if the client wants to create a new
+        * association group.
+        *
+        * And we allow the 0x12345678 value, we give away as
+        * assoc_group_id back to the clients
+        */
+       if (call->pkt.u.bind.assoc_group_id != 0 &&
+           lp_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","assoc group checking", true) &&
+           call->pkt.u.bind.assoc_group_id != SAMBA_ASSOC_GROUP) {
                return dcesrv_bind_nak(call, 0);        
        }
 
@@ -579,31 +598,70 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
                context->conn = call->conn;
                context->iface = iface;
                context->context_id = context_id;
+               /*
+                * we need to send a non zero assoc_group_id here to make longhorn happy,
+                * it also matches samba3
+                */
+               context->assoc_group_id = SAMBA_ASSOC_GROUP;
                context->private = NULL;
                context->handles = NULL;
                DLIST_ADD(call->conn->contexts, context);
                call->context = context;
+               talloc_set_destructor(context, dcesrv_connection_context_destructor);
+
+               status = iface->bind(call, iface);
+               if (!NT_STATUS_IS_OK(status)) {
+                       char *uuid_str = GUID_string(call, &uuid);
+                       DEBUG(2,("Request for dcerpc interface %s/%d rejected: %s\n",
+                                uuid_str, if_version, nt_errstr(status)));
+                       talloc_free(uuid_str);
+                       /* we don't want to trigger the iface->unbind() hook */
+                       context->iface = NULL;
+                       talloc_free(call->context);
+                       call->context = NULL;
+                       return dcesrv_bind_nak(call, 0);
+               }
        }
 
        if (call->conn->cli_max_recv_frag == 0) {
                call->conn->cli_max_recv_frag = call->pkt.u.bind.max_recv_frag;
        }
 
+       if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
+           lp_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
+               call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+               extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+       }
+
        /* handle any authentication that is being requested */
        if (!dcesrv_auth_bind(call)) {
+               talloc_free(call->context);
+               call->context = NULL;
                return dcesrv_bind_nak(call, DCERPC_BIND_REASON_INVALID_AUTH_TYPE);
        }
 
        /* setup a bind_ack */
-       dcesrv_init_hdr(&pkt);
+       dcesrv_init_hdr(&pkt, lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
        pkt.ptype = DCERPC_PKT_BIND_ACK;
-       pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+       pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
        pkt.u.bind_ack.max_xmit_frag = 0x2000;
        pkt.u.bind_ack.max_recv_frag = 0x2000;
-       /* we need to send a non zero assoc_group_id here to make longhorn happy, it also matches samba3 */
-       pkt.u.bind_ack.assoc_group_id = 0x12345678;
+
+       /*
+         make it possible for iface->bind() to specify the assoc_group_id
+         This helps the openchange mapiproxy plugin to work correctly.
+         
+         metze
+       */
+       if (call->context) {
+               pkt.u.bind_ack.assoc_group_id = call->context->assoc_group_id;
+       } else {
+               /* we better pick something - this chosen so as to send a non zero assoc_group_id (matching windows), it also matches samba3 */
+               pkt.u.bind_ack.assoc_group_id = SAMBA_ASSOC_GROUP;
+       }
+
        if (iface) {
                /* FIXME: Use pipe name as specified by endpoint instead of interface name */
                pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name);
@@ -613,6 +671,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
        pkt.u.bind_ack.num_results = 1;
        pkt.u.bind_ack.ctx_list = talloc(call, struct dcerpc_ack_ctx);
        if (!pkt.u.bind_ack.ctx_list) {
+               talloc_free(call->context);
+               call->context = NULL;
                return NT_STATUS_NO_MEMORY;
        }
        pkt.u.bind_ack.ctx_list[0].result = result;
@@ -622,28 +682,22 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 
        status = dcesrv_auth_bind_ack(call, &pkt);
        if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(call->context);
+               call->context = NULL;
                return dcesrv_bind_nak(call, 0);
        }
 
-       if (iface) {
-               status = iface->bind(call, iface);
-               if (!NT_STATUS_IS_OK(status)) {
-                       char *uuid_str = GUID_string(call, &uuid);
-                       DEBUG(2,("Request for dcerpc interface %s/%d rejected: %s\n", 
-                                uuid_str, if_version, nt_errstr(status)));
-                       talloc_free(uuid_str);
-                       return dcesrv_bind_nak(call, 0);
-               }
-       }
-
        rep = talloc(call, struct data_blob_list_item);
        if (!rep) {
+               talloc_free(call->context);
+               call->context = NULL;
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = ncacn_push_auth(&rep->blob, call, &pkt, 
-                                 call->conn->auth_state.auth_info);
+       status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, call->conn->auth_state.auth_info);
        if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(call->context);
+               call->context = NULL;
                return status;
        }
 
@@ -683,6 +737,7 @@ static NTSTATUS dcesrv_alter_new_context(struct dcesrv_call_state *call, uint32_
        struct dcesrv_connection_context *context;
        const struct dcesrv_interface *iface;
        struct GUID uuid, *transfer_syntax_uuid;
+       NTSTATUS status;
 
        if_version = call->pkt.u.alter.ctx_list[0].abstract_syntax.if_version;
        uuid = call->pkt.u.alter.ctx_list[0].abstract_syntax.uuid;
@@ -711,10 +766,21 @@ static NTSTATUS dcesrv_alter_new_context(struct dcesrv_call_state *call, uint32_
        context->conn = call->conn;
        context->iface = iface;
        context->context_id = context_id;
+       context->assoc_group_id = SAMBA_ASSOC_GROUP;
        context->private = NULL;
        context->handles = NULL;
        DLIST_ADD(call->conn->contexts, context);
        call->context = context;
+       talloc_set_destructor(context, dcesrv_connection_context_destructor);
+
+       status = iface->bind(call, iface);
+       if (!NT_STATUS_IS_OK(status)) {
+               /* we don't want to trigger the iface->unbind() hook */
+               context->iface = NULL;
+               talloc_free(context);
+               call->context = NULL;
+               return status;
+       }
 
        return NT_STATUS_OK;
 }
@@ -741,24 +807,39 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
        context_id = call->pkt.u.alter.ctx_list[0].context_id;
 
        /* see if they are asking for a new interface */
-       if (result == 0 &&
-           dcesrv_find_context(call->conn, context_id) == NULL) {
-               status = dcesrv_alter_new_context(call, context_id);
-               if (!NT_STATUS_IS_OK(status)) {
-                       result = DCERPC_BIND_PROVIDER_REJECT;
-                       reason = DCERPC_BIND_REASON_ASYNTAX;            
+       if (result == 0) {
+               call->context = dcesrv_find_context(call->conn, context_id);
+               if (!call->context) {
+                       status = dcesrv_alter_new_context(call, context_id);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               result = DCERPC_BIND_PROVIDER_REJECT;
+                               reason = DCERPC_BIND_REASON_ASYNTAX;
+                       }
                }
        }
 
+       if (result == 0 &&
+           call->pkt.u.alter.assoc_group_id != 0 &&
+           lp_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","assoc group checking", true) &&
+           call->pkt.u.alter.assoc_group_id != call->context->assoc_group_id) {
+               /* TODO: work out what to return here */
+               result = DCERPC_BIND_PROVIDER_REJECT;
+               reason = DCERPC_BIND_REASON_ASYNTAX;
+       }
+
        /* setup a alter_resp */
-       dcesrv_init_hdr(&pkt);
+       dcesrv_init_hdr(&pkt, lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
        pkt.auth_length = 0;
        pkt.call_id = call->pkt.call_id;
        pkt.ptype = DCERPC_PKT_ALTER_RESP;
        pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
        pkt.u.alter_resp.max_xmit_frag = 0x2000;
        pkt.u.alter_resp.max_recv_frag = 0x2000;
-       pkt.u.alter_resp.assoc_group_id = call->pkt.u.alter.assoc_group_id;
+       if (result == 0) {
+               pkt.u.alter_resp.assoc_group_id = call->context->assoc_group_id;
+       } else {
+               pkt.u.alter_resp.assoc_group_id = 0;
+       }
        pkt.u.alter_resp.num_results = 1;
        pkt.u.alter_resp.ctx_list = talloc_array(call, struct dcerpc_ack_ctx, 1);
        if (!pkt.u.alter_resp.ctx_list) {
@@ -786,8 +867,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = ncacn_push_auth(&rep->blob, call, &pkt, 
-                                 call->conn->auth_state.auth_info);
+       status = ncacn_push_auth(&rep->blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx), &pkt, call->conn->auth_state.auth_info);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -820,7 +900,8 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
                return dcesrv_fault(call, DCERPC_FAULT_UNK_IF);
        }
 
-       pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
+       pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call,
+                                 lp_iconv_convenience(call->conn->dce_ctx->lp_ctx));
        NT_STATUS_HAVE_NO_MEMORY(pull);
 
        pull->flags |= LIBNDR_FLAG_REF_ALLOC;
@@ -828,10 +909,6 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
        call->context   = context;
        call->ndr_pull  = pull;
 
-       if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
-               pull->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
-       }
-
        if (!(call->pkt.drep[0] & DCERPC_DREP_LE)) {
                pull->flags |= LIBNDR_FLAG_BIGENDIAN;
        }
@@ -873,8 +950,9 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
        struct ndr_push *push;
        NTSTATUS status;
        DATA_BLOB stub;
-       uint32_t total_length;
+       uint32_t total_length, chunk_size;
        struct dcesrv_connection_context *context = call->context;
+       size_t sig_size = 0;
 
        /* call the reply function */
        status = context->iface->reply(call, call, call->r);
@@ -883,7 +961,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
        }
 
        /* form the reply NDR */
-       push = ndr_push_init_ctx(call);
+       push = ndr_push_init_ctx(call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx));
        NT_STATUS_HAVE_NO_MEMORY(push);
 
        /* carry over the pointer count to the reply in case we are
@@ -891,7 +969,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
           pointers */
        push->ptr_count = call->ndr_pull->ptr_count;
 
-       if (lp_rpc_big_endian()) {
+       if (lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx)) {
                push->flags |= LIBNDR_FLAG_BIGENDIAN;
        }
 
@@ -904,6 +982,21 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
 
        total_length = stub.length;
 
+       /* we can write a full max_recv_frag size, minus the dcerpc
+          request header size */
+       chunk_size = call->conn->cli_max_recv_frag;
+       chunk_size -= DCERPC_REQUEST_LENGTH;
+       if (call->conn->auth_state.auth_info &&
+           call->conn->auth_state.gensec_security) {
+               sig_size = gensec_sig_size(call->conn->auth_state.gensec_security,
+                                          call->conn->cli_max_recv_frag);
+               if (sig_size) {
+                       chunk_size -= DCERPC_AUTH_TRAILER_LENGTH;
+                       chunk_size -= sig_size;
+               }
+       }
+       chunk_size -= (chunk_size % 16);
+
        do {
                uint32_t length;
                struct data_blob_list_item *rep;
@@ -912,15 +1005,10 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
                rep = talloc(call, struct data_blob_list_item);
                NT_STATUS_HAVE_NO_MEMORY(rep);
 
-               length = stub.length;
-               if (length + DCERPC_RESPONSE_LENGTH > call->conn->cli_max_recv_frag) {
-                       /* the 32 is to cope with signing data */
-                       length = call->conn->cli_max_recv_frag - 
-                               (DCERPC_MAX_SIGN_SIZE+DCERPC_RESPONSE_LENGTH);
-               }
+               length = MIN(chunk_size, stub.length);
 
                /* form the dcerpc response packet */
-               dcesrv_init_hdr(&pkt);
+               dcesrv_init_hdr(&pkt, lp_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
                pkt.auth_length = 0;
                pkt.call_id = call->pkt.call_id;
                pkt.ptype = DCERPC_PKT_RESPONSE;
@@ -937,7 +1025,7 @@ _PUBLIC_ NTSTATUS dcesrv_reply(struct dcesrv_call_state *call)
                pkt.u.response.stub_and_verifier.data = stub.data;
                pkt.u.response.stub_and_verifier.length = length;
 
-               if (!dcesrv_auth_response(call, &rep->blob, &pkt)) {
+               if (!dcesrv_auth_response(call, &rep->blob, sig_size, &pkt)) {
                        return dcesrv_fault(call, DCERPC_FAULT_OTHER);          
                }
 
@@ -982,15 +1070,15 @@ _PUBLIC_ struct socket_address *dcesrv_connection_get_peer_addr(struct dcesrv_co
 /*
   work out if we have a full packet yet
 */
-static BOOL dce_full_packet(const DATA_BLOB *data)
+static bool dce_full_packet(const DATA_BLOB *data)
 {
        if (data->length < DCERPC_FRAG_LEN_OFFSET+2) {
-               return False;
+               return false;
        }
        if (dcerpc_get_frag_length(data) > data->length) {
-               return False;
+               return false;
        }
-       return True;
+       return true;
 }
 
 /*
@@ -1026,6 +1114,7 @@ static int dcesrv_call_dequeue(struct dcesrv_call_state *call)
 NTSTATUS dcesrv_input_process(struct dcesrv_connection *dce_conn)
 {
        struct ndr_pull *ndr;
+       enum ndr_err_code ndr_err;
        NTSTATUS status;
        struct dcesrv_call_state *call;
        DATA_BLOB blob;
@@ -1047,7 +1136,7 @@ NTSTATUS dcesrv_input_process(struct dcesrv_connection *dce_conn)
        blob = dce_conn->partial_input;
        blob.length = dcerpc_get_frag_length(&blob);
 
-       ndr = ndr_pull_init_blob(&blob, call);
+       ndr = ndr_pull_init_blob(&blob, call, lp_iconv_convenience(call->conn->dce_ctx->lp_ctx));
        if (!ndr) {
                talloc_free(dce_conn->partial_input.data);
                talloc_free(call);
@@ -1058,11 +1147,15 @@ NTSTATUS dcesrv_input_process(struct dcesrv_connection *dce_conn)
                ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
        }
 
-       status = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, &call->pkt);
-       if (!NT_STATUS_IS_OK(status)) {
+       if (CVAL(blob.data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) {
+               ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
+       }
+
+       ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, &call->pkt);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                talloc_free(dce_conn->partial_input.data);
                talloc_free(call);
-               return status;
+               return ndr_map_error2ntstatus(ndr_err);
        }
 
        /* we have to check the signing here, before combining the
@@ -1246,7 +1339,9 @@ _PUBLIC_ NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
        return status;
 }
 
-static NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx, const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
+_PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx, 
+                                     struct loadparm_context *lp_ctx,
+                                     const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
 {
        NTSTATUS status;
        struct dcesrv_context *dce_ctx;
@@ -1260,6 +1355,7 @@ static NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx, const char **endpoint_s
        dce_ctx = talloc(mem_ctx, struct dcesrv_context);
        NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
        dce_ctx->endpoint_list  = NULL;
+       dce_ctx->lp_ctx = lp_ctx;
 
        for (i=0;endpoint_servers[i];i++) {
                const struct dcesrv_endpoint_server *ep_server;
@@ -1282,21 +1378,6 @@ static NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx, const char **endpoint_s
        return NT_STATUS_OK;
 }
 
-/*
-  initialise the dcerpc server context for ncacn_np based services
-*/
-_PUBLIC_ NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct dcesrv_context **_dce_ctx)
-{
-       NTSTATUS status;
-       struct dcesrv_context *dce_ctx;
-
-       status = dcesrv_init_context(mem_ctx, lp_dcerpc_endpoint_servers(), &dce_ctx);
-       NT_STATUS_NOT_OK_RETURN(status);
-
-       *_dce_ctx = dce_ctx;
-       return NT_STATUS_OK;
-}
-
 /* the list of currently registered DCERPC endpoint servers.
  */
 static struct ep_server {
@@ -1355,6 +1436,38 @@ const struct dcesrv_endpoint_server *dcesrv_ep_server_byname(const char *name)
        return NULL;
 }
 
+void dcerpc_server_init(struct loadparm_context *lp_ctx)
+{
+       static bool initialized;
+       extern NTSTATUS dcerpc_server_wkssvc_init(void);
+       extern NTSTATUS dcerpc_server_drsuapi_init(void);
+       extern NTSTATUS dcerpc_server_winreg_init(void);
+       extern NTSTATUS dcerpc_server_spoolss_init(void);
+       extern NTSTATUS dcerpc_server_epmapper_init(void);
+       extern NTSTATUS dcerpc_server_srvsvc_init(void);
+       extern NTSTATUS dcerpc_server_netlogon_init(void);
+       extern NTSTATUS dcerpc_server_rpcecho_init(void);
+       extern NTSTATUS dcerpc_server_unixinfo_init(void);
+       extern NTSTATUS dcerpc_server_samr_init(void);
+       extern NTSTATUS dcerpc_server_remote_init(void);
+       extern NTSTATUS dcerpc_server_lsa_init(void);
+       extern NTSTATUS dcerpc_server_browser_init(void);
+       init_module_fn static_init[] = { STATIC_dcerpc_server_MODULES };
+       init_module_fn *shared_init;
+
+       if (initialized) {
+               return;
+       }
+       initialized = true;
+
+       shared_init = load_samba_modules(NULL, lp_ctx, "dcerpc_server");
+
+       run_init_functions(static_init);
+       run_init_functions(shared_init);
+
+       talloc_free(shared_init);
+}
+
 /*
   return the DCERPC module version, and the size of some critical types
   This can be used by endpoint server modules to either detect compilation errors, or provide
@@ -1379,78 +1492,21 @@ const struct dcesrv_critical_sizes *dcerpc_module_version(void)
 }
 
 /*
-  open the dcerpc server sockets
+  initialise the dcerpc server context for ncacn_np based services
 */
-static void dcesrv_task_init(struct task_server *task)
+_PUBLIC_ NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
+                                         struct dcesrv_context **_dce_ctx)
 {
        NTSTATUS status;
        struct dcesrv_context *dce_ctx;
-       struct dcesrv_endpoint *e;
-
-       task_server_set_title(task, "task[dcesrv]");
-
-       status = dcesrv_init_context(task->event_ctx,
-                                    lp_dcerpc_endpoint_servers(),
-                                    &dce_ctx);
-       if (!NT_STATUS_IS_OK(status)) goto failed;
 
-       /* Make sure the directory for NCALRPC exists */
-       if (!directory_exist(lp_ncalrpc_dir())) {
-               mkdir(lp_ncalrpc_dir(), 0755);
-       }
-
-       for (e=dce_ctx->endpoint_list;e;e=e->next) {
-               switch (e->ep_description->transport) {
-               case NCACN_UNIX_STREAM:
-                       status = dcesrv_add_ep_unix(dce_ctx, e, task->event_ctx, task->model_ops);
-                       if (!NT_STATUS_IS_OK(status)) goto failed;
-                       break;
-               
-               case NCALRPC:
-                       status = dcesrv_add_ep_ncalrpc(dce_ctx, e, task->event_ctx, task->model_ops);
-                       if (!NT_STATUS_IS_OK(status)) goto failed;
-                       break;
-
-               case NCACN_IP_TCP:
-                       status = dcesrv_add_ep_tcp(dce_ctx, e, task->event_ctx, task->model_ops);
-                       if (!NT_STATUS_IS_OK(status)) goto failed;
-                       break;
-                       
-               case NCACN_NP:
-                       status = dcesrv_add_ep_np(dce_ctx, e, task->event_ctx, task->model_ops);
-                       if (!NT_STATUS_IS_OK(status)) goto failed;
-                       break;
-
-               default:
-                       status = NT_STATUS_NOT_SUPPORTED;
-                       if (!NT_STATUS_IS_OK(status)) goto failed;
-               }
-       }
+       dcerpc_server_init(lp_ctx);
 
-       return;
-failed:
-       task_server_terminate(task, "Failed to startup dcerpc server task");    
-}
+       status = dcesrv_init_context(mem_ctx, lp_ctx, lp_dcerpc_endpoint_servers(lp_ctx), &dce_ctx);
+       NT_STATUS_NOT_OK_RETURN(status);
 
-/*
-  called on startup of the smb server service It's job is to start
-  listening on all configured sockets
-*/
-static NTSTATUS dcesrv_init(struct event_context *event_context, 
-                           const struct model_ops *model_ops)
-{      
-       return task_server_startup(event_context, model_ops, dcesrv_task_init);
+       *_dce_ctx = dce_ctx;
+       return NT_STATUS_OK;
 }
 
-NTSTATUS server_service_rpc_init(void)
-{
-       init_module_fn static_init[] = STATIC_dcerpc_server_MODULES;
-       init_module_fn *shared_init = load_samba_modules(NULL, "dcerpc_server");
-
-       run_init_functions(static_init);
-       run_init_functions(shared_init);
 
-       talloc_free(shared_init);
-       
-       return register_server_service("rpc", dcesrv_init);
-}