authorLuke Leighton <lkcl@samba.org>2000-01-03 00:41:53 +0000
committerLuke Leighton <lkcl@samba.org>2000-01-03 00:41:53 +0000
commit174299b8dd3072ee0b90ebb9a7fa92efcad69bb2 (patch)
treec18476c094cf054c97c363880827abc6b29e23ba /source/smbd
parent9ef8fddaa6080e4942bc2268b89e61c3fb1ccd3d (diff)
downloadsamba-174299b8dd3072ee0b90ebb9a7fa92efcad69bb2.tar.gz
removed dependency of smbd on the smb password database api.
the _only_ function smbd calls is pass_check(), and for some _weird_ reason, that is in the passdb/ directory. nasty debugging of an rpcclient incident. the "usr_creds" need to be told what they are dealing with (ptr_ntc = 1, for NT creds to be used). i forgot. wasted an hour.
Diffstat (limited to 'source/smbd')
-rw-r--r--source/smbd/chgpasswd.c154
-rw-r--r--source/smbd/lanman.c67
-rw-r--r--source/smbd/password.c216
-rw-r--r--source/smbd/reply.c80
-rw-r--r--source/smbd/server.c28
5 files changed, 275 insertions, 270 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index 8a8d090b997..dad895ed803 100644
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -561,58 +561,13 @@ BOOL change_lanman_password(struct smb_passwd *smbpw, uchar *pass1, uchar *pass2
}
/***********************************************************
- Code to check and change the OEM hashed password.
-************************************************************/
-BOOL pass_oem_change(char *user,
- uchar *lmdata, uchar *lmhash,
- uchar *ntdata, uchar *nthash)
-{
- UNISTR2 new_passwd;
- struct smb_passwd *sampw;
- BOOL ret = check_oem_password( user, lmdata, lmhash, ntdata, nthash,
- &sampw,
- &new_passwd);
-
- /* now we check to see if we are actually allowed to change the
- password. */
-
- if (ret && (sampw->acct_ctrl & ACB_PWLOCK))
- {
- ret = False;
- }
-
- /*
- * At this point we have the new case-sensitive plaintext
- * password in the fstring new_passwd. If we wanted to synchronise
- * with UNIX passwords we would call a UNIX password changing
- * function here. However it would have to be done as root
- * as the plaintext of the old users password is not
- * available. JRA.
- */
-
- if ( ret && lp_unix_password_sync())
- {
- ret = chgpasswd(user,"", (char*)new_passwd.buffer, True);
- }
-
- if (ret)
- {
- ret = change_oem_password( sampw, &new_passwd, False );
- }
-
- ZERO_STRUCT(new_passwd);
-
- return ret;
-}
-
-/***********************************************************
Code to check the OEM hashed password.
this function ignores the 516 byte nt OEM hashed password
but does use the lm OEM password to check the nt hashed-hash.
************************************************************/
-BOOL check_oem_password(char *user,
+static BOOL check_oem_password(char *user,
uchar *lmdata, uchar *lmhash,
uchar *ntdata, uchar *nthash,
struct smb_passwd **psmbpw, UNISTR2 *new_passwd)
@@ -630,7 +585,7 @@ BOOL check_oem_password(char *user,
BOOL nt_pass_set = (ntdata != NULL && nthash != NULL);
become_root(False);
- *psmbpw = smbpw = getsmbpwnam(user);
+ (*psmbpw) = smbpw = getsmbpwnam(user);
unbecome_root(False);
if (smbpw == NULL)
@@ -639,7 +594,7 @@ BOOL check_oem_password(char *user,
return False;
}
- if (smbpw->acct_ctrl & ACB_DISABLED)
+ if (IS_BITS_SET_ALL(smbpw->acct_ctrl, ACB_DISABLED))
{
DEBUG(0,("check_lanman_password: account %s disabled.\n", user));
return False;
@@ -753,31 +708,104 @@ BOOL check_oem_password(char *user,
}
/***********************************************************
+ Code to check and change the OEM hashed password.
+************************************************************/
+BOOL pass_oem_change(char *user,
+ uchar *lmdata, uchar *lmhash,
+ uchar *ntdata, uchar *nthash)
+{
+ UNISTR2 new_passwd;
+ struct smb_passwd *sampw = NULL;
+ BOOL ret = check_oem_password( user, lmdata, lmhash, ntdata, nthash,
+ &sampw,
+ &new_passwd);
+
+ /* now we check to see if we are actually allowed to change the
+ password. */
+
+ if (ret && (sampw == NULL ||
+ IS_BITS_SET_ALL(sampw->acct_ctrl,ACB_PWLOCK)))
+ {
+ if (sampw == NULL)
+ {
+ DEBUG(3,("pass_oem_change: account %s not known\n",
+ user));
+ }
+ else
+ {
+ DEBUG(3,("pass_oem_change: account %s disabled (%x)\n",
+ user, sampw->acct_ctrl));
+ }
+ ret = False;
+ }
+
+ /*
+ * At this point we have the new case-sensitive plaintext
+ * password in the fstring new_passwd. If we wanted to synchronise
+ * with UNIX passwords we would call a UNIX password changing
+ * function here. However it would have to be done as root
+ * as the plaintext of the old users password is not
+ * available. JRA.
+ */
+
+ if ( ret && lp_unix_password_sync())
+ {
+ ret = chgpasswd(user,"", (char*)new_passwd.buffer, True);
+ }
+
+ if (ret)
+ {
+ ret = change_oem_password( sampw, &new_passwd,
+ ntdata != NULL, False );
+ }
+
+ ZERO_STRUCT(new_passwd);
+
+ return ret;
+}
+
+/***********************************************************
Code to change the oem password. Changes both the lanman
and NT hashes.
override = False, normal
override = True, override XXXXXXXXXX'd password
************************************************************/
-BOOL change_oem_password(struct smb_passwd *smbpw, UNISTR2 *new_passwd, BOOL override)
+BOOL change_oem_password(struct smb_passwd *smbpw, UNISTR2 *new_passwd,
+ BOOL unicode, BOOL override)
{
- int ret;
- uchar new_nt_p16[16];
- uchar new_p16[16];
+ int ret;
+ uchar new_nt_p16[16];
+ uchar new_p16[16];
- nt_lm_owf_genW(new_passwd, new_nt_p16, new_p16);
+ DEBUG(100,("change_oem_password: %d\n", __LINE__));
- smbpw->smb_passwd = new_p16;
- smbpw->smb_nt_passwd = new_nt_p16;
-
- /* Now write it into the file. */
- become_root(0);
- ret = mod_smbpwd_entry(smbpw,override);
- unbecome_root(0);
+ if (unicode)
+ {
+ nt_lm_owf_genW(new_passwd, new_nt_p16, new_p16);
+ }
+ else
+ {
+ nt_lm_owf_gen((char*)new_passwd->buffer, new_nt_p16, new_p16);
+ }
- ZERO_STRUCTP(new_passwd);
+ DEBUG(100,("change_oem_password: %d\n", __LINE__));
+ dbgflush();
- return ret;
+ smbpw->smb_passwd = new_p16;
+ smbpw->smb_nt_passwd = new_nt_p16;
+
+ DEBUG(100,("change_oem_password: %d\n", __LINE__));
+ dbgflush();
+
+ /* Now write it into the file. */
+ become_root(0);
+ ret = mod_smbpwd_entry(smbpw,override);
+ unbecome_root(0);
+
+ ZERO_STRUCTP(new_passwd);
+
+ return ret;
}
/****************************************************************************
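Review bot: In change_oem_password the new hashes `new_p16` and `new_nt_p16` are stack arrays that are neither wiped nor detached from `smbpw` before the function returns. After `mod_smbpwd_entry()` the caller's `smbpw->smb_passwd` and `smbpw->smb_nt_passwd` still point into the dead stack frame, and the LM/NT hashes, which are password-equivalent, stay in memory. Assuming no caller reads those two fields afterwards, I would add `smbpw->smb_passwd = NULL; smbpw->smb_nt_passwd = NULL;` and `ZERO_STRUCT(new_p16); ZERO_STRUCT(new_nt_p16);` just before `ZERO_STRUCTP(new_passwd);`. The `DEBUG(100,("change_oem_password: %d\n", __LINE__))` / `dbgflush()` pairs read as leftover tracing. In pass_oem_change the message for `ACB_PWLOCK` says "disabled" although the bit tested is the password lock.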
@@ -803,7 +831,7 @@ BOOL update_smbpassword_file(char *user, char *password)
/* Here, the flag is one, because we want to ignore the
XXXXXXX'd out password */
- ret = change_oem_password( smbpw, &newpw, True);
+ ret = change_oem_password( smbpw, &newpw, True, True);
if (!ret)
{
DEBUG(3,("change_oem_password returned False\n"));
diff --git a/source/smbd/lanman.c b/source/smbd/lanman.c
index 3cb3a9e5494..0a2b847e808 100644
--- a/source/smbd/lanman.c
+++ b/source/smbd/lanman.c
@@ -523,7 +523,7 @@ static void fill_printq_info(connection_struct *conn, int snum, int uLevel,
return;
}
- if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+ if ((p=(char *)malloc(8192*sizeof(char))) == NULL) {
DEBUG(0,("fill_printq_info: malloc fail !\n"));
desc->errcode=NERR_notsupported;
fclose(f);
@@ -628,7 +628,7 @@ static int get_printerdrivernumber(int snum)
return(0);
}
- if((p=(char *)malloc(8192*sizeof(char))) == NULL) {
+ if ((p=(char *)malloc(8192*sizeof(char))) == NULL) {
DEBUG(3,("get_printerdrivernumber: malloc fail !\n"));
fclose(f);
return 0;
@@ -723,7 +723,7 @@ static BOOL api_DosPrintQGetInfo(connection_struct *conn,
if (init_package(&desc,1,count)) {
desc.subcount = count;
fill_printq_info(conn,snum,uLevel,&desc,count,queue,&status);
- } else if(uLevel == 0) {
+ } else if (uLevel == 0) {
/*
* This is a *disgusting* hack.
* This is *so* bad that even I'm embarrassed (and I
@@ -794,17 +794,17 @@ static BOOL api_DosPrintQEnum(connection_struct *conn, uint16 vuid, char* param,
if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))
queuecnt++;
if (uLevel > 0) {
- if((queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*))) == NULL) {
+ if ((queue = (print_queue_struct**)malloc(queuecnt*sizeof(print_queue_struct*))) == NULL) {
DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
return False;
}
memset(queue,0,queuecnt*sizeof(print_queue_struct*));
- if((status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct))) == NULL) {
+ if ((status = (print_status_struct*)malloc(queuecnt*sizeof(print_status_struct))) == NULL) {
DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
return False;
}
memset(status,0,queuecnt*sizeof(print_status_struct));
- if((subcntarr = (int*)malloc(queuecnt*sizeof(int))) == NULL) {
+ if ((subcntarr = (int*)malloc(queuecnt*sizeof(int))) == NULL) {
DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
return False;
}
@@ -951,7 +951,7 @@ static int get_server_info(uint32 servertype,
/* Filter the servers/domains we return based on what was asked for. */
/* Check to see if we are being asked for a local list only. */
- if(local_list_only && ((s->type & SV_TYPE_LOCAL_LIST_ONLY) == 0)) {
+ if (local_list_only && ((s->type & SV_TYPE_LOCAL_LIST_ONLY) == 0)) {
DEBUG(4,("r: local list only"));
ok = False;
}
@@ -1519,6 +1519,9 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
char *p = skip_string(param+2,2);
fstring user;
fstring pass1,pass2;
+ uchar pwbuf[516];
+ uchar nt_pw[16];
+ uchar lm_pw[16];
fstrcpy(user,p);
@@ -1554,12 +1557,11 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
* Older versions of Windows seem to do this.
*/
- if (password_ok(user, global_myworkgroup, pass1,strlen(pass1), NULL, 0,
- NULL, NULL) &&
- chgpasswd(user,pass1,pass2,False))
- {
- SSVAL(*rparam,0,NERR_Success);
- }
+ nt_lm_owf_gen(pass1, nt_pw, lm_pw);
+ if (msrpc_sam_ntchange_pwd("\\\\.", user, lm_pw, nt_pw, pass2))
+ {
+ SSVAL(*rparam,0,NERR_Success);
+ }
/*
* If the plaintext change failed, attempt
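Review bot: `nt_pw` and `lm_pw`, filled from the old plaintext by `nt_lm_owf_gen(pass1, nt_pw, lm_pw)`, are never wiped; the cleanup in the following hunk clears only `pwbuf`, `pass1` and `pass2`. They hold the account's current LM/NT hashes, so they deserve the same treatment: `ZERO_STRUCT(nt_pw); ZERO_STRUCT(lm_pw);` next to the other ZERO_STRUCT calls. The removed path also called `chgpasswd(user,pass1,pass2,False)`; whether the UNIX password is still kept in step now depends on `msrpc_sam_ntchange_pwd`, which is not visible here, so a comment saying so would help. api_SetUserPassword starts and ends outside this hunk.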
@@ -1567,21 +1569,22 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param
* after trying the samr method.
*/
- if(SVAL(*rparam,0) != NERR_Success)
- {
- struct smb_passwd *sampw = NULL;
+ if (SVAL(*rparam,0) != NERR_Success)
+ {
+ if (make_oem_passwd_hash(pwbuf, pass1, 16, NULL, False) &&
+ msrpc_sam_ntpasswd_set("\\\\.", user,
+ pwbuf, pass2, /* lm pw */
+ NULL, NULL)) /* nt pw */
+ {
+ SSVAL(*rparam,0,NERR_Success);
+ }
+ }
- if(check_lanman_password(user,(unsigned char *)pass1,(unsigned char *)pass2, &sampw) &&
- change_lanman_password(sampw,(unsigned char *)pass1,(unsigned char *)pass2))
- {
- SSVAL(*rparam,0,NERR_Success);
- }
- }
+ ZERO_STRUCT(pwbuf);
+ ZERO_STRUCT(pass1);
+ ZERO_STRUCT(pass2);
- bzero(pass1,sizeof(fstring));
- bzero(pass2,sizeof(fstring));
-
- return(True);
+ return(True);
}
/****************************************************************************
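Review bot: On the encrypted fallback path the hunk does not say what `pass1` and `pass2` contain when they reach `make_oem_passwd_hash(pwbuf, pass1, 16, NULL, False)` and `msrpc_sam_ntpasswd_set("\\\\.", user, pwbuf, pass2, NULL, NULL)`. In api_SamOEMChangePassword the same two argument slots receive a 516-byte blob and the 16 bytes after it, whereas here the second slot gets an `fstring`, and the removed code cast both values to `unsigned char *` for `check_lanman_password`. If the down-level client really sends 16-byte encrypted values in these fields, a comment above the call such as `/* pass1/pass2 are 16-byte encrypted values on this path, not plaintext */` would settle it. If not, the argument mapping needs another look. The signatures of both helpers are outside this page, so this is a question rather than a confirmed defect.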
@@ -1605,13 +1608,13 @@ static BOOL api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, char *
/*
* Check the parameter definition is correct.
*/
- if(!strequal(param + 2, "zsT")) {
+ if (!strequal(param + 2, "zsT")) {
DEBUG(0,("api_SamOEMChangePassword: Invalid parameter string %s\n", param + 2));
return False;
}
p = skip_string(p, 1);
- if(!strequal(p, "B516B16")) {
+ if (!strequal(p, "B516B16")) {
DEBUG(0,("api_SamOEMChangePassword: Invalid data parameter string %s\n", p));
return False;
}
@@ -1634,7 +1637,9 @@ static BOOL api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, char *
*/
(void)Get_Pwnam( user, True);
- if (pass_oem_change(user, (uchar*) data, (uchar *)&data[516], NULL, NULL))
+ if (msrpc_sam_ntpasswd_set("\\\\.", user,
+ (uchar*) data, (uchar *)&data[516], /* lm pw */
+ NULL, NULL)) /* nt pw */
{
SSVAL(*rparam,0,NERR_Success);
}
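Review bot: `data` and `&data[516]` are passed on as a 516-byte blob plus a 16-byte hash, but nothing in this hunk shows that the request actually carried 532 bytes of data. The `"B516B16"` comparison earlier in the function validates only the descriptor string the client sent, not the length of what follows. If the length is not already checked above (the function body begins outside the hunk), a guard belongs before this call and should fail the request without reading `data`. If it is checked, a one-line comment naming where would be enough.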
@@ -2264,7 +2269,7 @@ static BOOL api_RNetUserGetInfo(connection_struct *conn,uint16 vuid, char *param
/* With share level security vuid will always be zero.
Don't depend on vuser being non-null !!. JRA */
user_struct *vuser = get_valid_user_struct(vuid);
- if(vuser != NULL)
+ if (vuser != NULL)
DEBUG(3,(" Username of UID %d is %s\n", (int)vuser->uid, vuser->name));
*rparam_len = 6;
@@ -3114,7 +3119,7 @@ int api_reply(connection_struct *conn,uint16 vuid,char *outbuf,char *data,char *
rdata = (char *)malloc(1024); if (rdata) bzero(rdata,1024);
rparam = (char *)malloc(1024); if (rparam) bzero(rparam,1024);
- if(!rdata || !rparam) {
+ if (!rdata || !rparam) {
DEBUG(0,("api_reply: malloc fail !\n"));
return -1;
}
diff --git a/source/smbd/password.c b/source/smbd/password.c
index 2d45c372298..5a1605f35bf 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -54,6 +54,114 @@ void add_session_user(char *user)
}
}
+/****************************************************************************
+validate a password with the password server
+****************************************************************************/
+static BOOL check_server_security(char *user, char *domain,
+ char *pass, int passlen,
+ char *ntpass, int ntpasslen)
+{
+ struct cli_state *cli;
+ static unsigned char badpass[24];
+ static BOOL tested_password_server = False;
+ static BOOL bad_password_server = False;
+
+ if(lp_security() != SEC_SERVER)
+ return False;
+
+ DEBUG(10,("check_server_security\n"));
+
+ cli = server_client();
+
+ if (!cli->initialised)
+ {
+ DEBUG(1,("password server %s is not connected\n", cli->desthost));
+ return False;
+ }
+
+ if(badpass[0] == 0)
+ memset(badpass, 0x1f, sizeof(badpass));
+
+ if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
+ /*
+ * Very unlikely, our random bad password is the same as the users
+ * password. */
+ memset(badpass, badpass[0]+1, sizeof(badpass));
+ }
+
+ /*
+ * Attempt a session setup with a totally incorrect password.
+ * If this succeeds with the guest bit *NOT* set then the password
+ * server is broken and is not correctly setting the guest bit. We
+ * need to detect this as some versions of NT4.x are broken. JRA.
+ */
+
+ if(!tested_password_server) {
+ if (cli_session_setup(cli, global_myname,
+ user, (char *)badpass, sizeof(badpass),
+ (char *)badpass, sizeof(badpass), domain)) {
+
+ /*
+ * We connected to the password server so we
+ * can say we've tested it.
+ */
+ tested_password_server = True;
+
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
+ DEBUG(0,("server_validate: password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ cli_ulogoff(cli);
+
+ /*
+ * Password server has the bug.
+ */
+ bad_password_server = True;
+ return False;
+ }
+ cli_ulogoff(cli);
+ }
+ } else {
+
+ /*
+ * We have already tested the password server.
+ * Fail immediately if it has the bug.
+ */
+
+ if(bad_password_server) {
+ DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ return False;
+ }
+ }
+
+ /*
+ * Now we know the password server will correctly set the guest bit, or is
+ * not guest enabled, we can try with the real password.
+ */
+
+ if (!cli_session_setup(cli, global_myname,
+ user, pass, passlen, ntpass, ntpasslen, domain)) {
+ DEBUG(1,("password server %s rejected the password\n", cli->desthost));
+ return False;
+ }
+
+ /* if logged in as guest then reject */
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+ DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
+ cli_ulogoff(cli);
+ return False;
+ }
+
+
+ cli_ulogoff(cli);
+
+ return(True);
+}
+
/****************************************************************************
check if a username/password pair is OK either via the system password
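Review bot: `tested_password_server` is set only inside the branch where the deliberately wrong `badpass` logon succeeds, so against a password server that correctly rejects it the probe is repeated on every call. Each validation then sends a bad-password session setup for the real `user` before the genuine one, which a server that counts failed logons may charge to that account (not verifiable from this hunk). Recording the probe as done once a rejection has been seen would avoid that, provided a rejection can be told apart from a transport failure. The comment calls `badpass` random although it is a constant 0x1f fill; `/* fixed, deliberately wrong password */` would be accurate. Whether `server_client()` can return NULL before `cli->initialised` is read is not visible here.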
@@ -513,111 +621,3 @@ struct cli_state *server_cryptkey(void)
return NULL;
}
-/****************************************************************************
-validate a password with the password server
-****************************************************************************/
-BOOL check_server_security(char *user, char *domain,
- char *pass, int passlen,
- char *ntpass, int ntpasslen)
-{
- struct cli_state *cli;
- static unsigned char badpass[24];
- static BOOL tested_password_server = False;
- static BOOL bad_password_server = False;
-
- if(lp_security() != SEC_SERVER)
- return False;
-
- DEBUG(10,("check_server_security\n"));
-
- cli = server_client();
-
- if (!cli->initialised)
- {
- DEBUG(1,("password server %s is not connected\n", cli->desthost));
- return False;
- }
-
- if(badpass[0] == 0)
- memset(badpass, 0x1f, sizeof(badpass));
-
- if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
- /*
- * Very unlikely, our random bad password is the same as the users
- * password. */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
-
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
-
- if(!tested_password_server) {
- if (cli_session_setup(cli, global_myname,
- user, (char *)badpass, sizeof(badpass),
- (char *)badpass, sizeof(badpass), domain)) {
-
- /*
- * We connected to the password server so we
- * can say we've tested it.
- */
- tested_password_server = True;
-
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
- DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- cli_ulogoff(cli);
-
- /*
- * Password server has the bug.
- */
- bad_password_server = True;
- return False;
- }
- cli_ulogoff(cli);
- }
- } else {
-
- /*
- * We have already tested the password server.
- * Fail immediately if it has the bug.
- */
-
- if(bad_password_server) {
- DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- return False;
- }
- }
-
- /*
- * Now we know the password server will correctly set the guest bit, or is
- * not guest enabled, we can try with the real password.
- */
-
- if (!cli_session_setup(cli, global_myname,
- user, pass, passlen, ntpass, ntpasslen, domain)) {
- DEBUG(1,("password server %s rejected the password\n", cli->desthost));
- return False;
- }
-
- /* if logged in as guest then reject */
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
- DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
- cli_ulogoff(cli);
- return False;
- }
-
-
- cli_ulogoff(cli);
-
- return(True);
-}
-
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index f4cee156f86..e706479d581 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -66,6 +66,7 @@ static void overflow_attack(int len)
****************************************************************************/
static void map_nt_and_unix_username(const char *domain, char *user)
{
+#if 0
DOM_NAME_MAP gmep;
fstring nt_username;
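Review bot: The NT-to-unix mapping in map_nt_and_unix_username is compiled out with `#if 0` (closed by the `#else`/`#endif` in the third hunk of this file) with no comment saying why or when it returns. Where an administrator relies on that map to bind a domain name to a specific unix account, the name now passes through unmapped, and the only trace is a `DEBUG(1,...)` line on each call. I would add a comment above the `#if 0`, for example `/* NT->unix map disabled while smbd is decoupled from the passdb api; restore once a replacement lookup exists */`, so the change in which account a logon resolves to is not mistaken for dead code.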
@@ -73,7 +74,7 @@ static void map_nt_and_unix_username(const char *domain, char *user)
* Pass the user through the NT -> unix user mapping
* function.
*/
-
+
if (lp_server_role() != ROLE_DOMAIN_NONE)
{
memset(nt_username, 0, sizeof(nt_username));
@@ -92,6 +93,9 @@ static void map_nt_and_unix_username(const char *domain, char *user)
fstrcpy(user, gmep.unix_name);
}
}
+#else
+ DEBUG(1,("map_nt_and_unix_username: NT->Unix map DISABLED\n"));
+#endif
/*
* Pass the user through the unix -> unix user mapping
@@ -644,52 +648,46 @@ user %s attempted down-level SMB connection\n", user));
if(!guest && strequal(user,lp_guestaccount(-1)) && (*smb_apasswd == 0))
guest = True;
- /*
- * Check with orig_user for security=server and
- * security=domain.
- */
-
- if (!guest && !check_hosts_equiv(user))
- {
+ if (!guest && !check_hosts_equiv(user))
+ {
+ /*
+ * Check with orig_user for security=server and
+ * security=domain.
+ */
- /*
- * If we get here then the user wasn't guest and the remote
- * authentication methods failed. Check the SMB authentication
- * methods on this local server.
- *
- */
+ DEBUG(10,("Checking SMB password, user %s domain %s\n",
+ user, domain));
+ if(!password_ok(orig_user, domain,
+ smb_apasswd,smb_apasslen,
+ smb_ntpasswd,smb_ntpasslen,
+ NULL, user_sess_key))
+ {
+ DEBUG(0,("SMB LM/NT Password did not match!\n"));
- DEBUG(10,("Checking SMB password\n"));
- if(!password_ok(user, domain,
- smb_apasswd,smb_apasslen,
- smb_ntpasswd,smb_ntpasslen,
- NULL, user_sess_key))
- {
- DEBUG(0,("SMB LM/NT Password did not match!\n"));
+ if (lp_security() >= SEC_USER)
+ {
+ if (lp_map_to_guest() == NEVER_MAP_TO_GUEST)
+ return(ERROR(ERRSRV,ERRbadpw));
- if (lp_security() >= SEC_USER)
- {
- if (lp_map_to_guest() == NEVER_MAP_TO_GUEST)
- return(ERROR(ERRSRV,ERRbadpw));
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
+ {
+ if (Get_Pwnam(user,True))
+ return(ERROR(ERRSRV,ERRbadpw));
+ }
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER)
- {
- if (Get_Pwnam(user,True))
- return(ERROR(ERRSRV,ERRbadpw));
- }
+ /*
+ * ..else if lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD
+ * Then always map to guest account - as done below.
+ */
+ }
- /*
- * ..else if lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD
- * Then always map to guest account - as done below.
- */
- }
+ if (*smb_apasswd || !Get_Pwnam(user,True))
+ pstrcpy(user,lp_guestaccount(-1));
+ DEBUG(3,("Registered username %s for guest access\n",user));
+ guest = True;
+ }
- if (*smb_apasswd || !Get_Pwnam(user,True))
- pstrcpy(user,lp_guestaccount(-1));
- DEBUG(3,("Registered username %s for guest access\n",user));
- guest = True;
- }
- }
+ }
if (!Get_Pwnam(user,True)) {
DEBUG(3,("No such user %s - using guest account\n",user));
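Review bot: `password_ok()` is now called with `orig_user`, while the `DEBUG(10,...)` line just above it and the later `Get_Pwnam(user,True)` guest-mapping checks use `user`. When the two differ, the log names an identity other than the one whose password was checked, and `DEBUG(0,("SMB LM/NT Password did not match!\n"))` names none at all. Logging both, e.g. `DEBUG(10,("Checking SMB password, user %s (sent as %s) domain %s\n", user, orig_user, domain));`, would make failed-logon traces usable for investigation. The relocated comment about security=server and security=domain would sit better directly above the `password_ok` call. The enclosing function starts and ends outside this hunk.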
diff --git a/source/smbd/server.c b/source/smbd/server.c
index ab55081e4cb..3ec4e93c3ff 100644
--- a/source/smbd/server.c
+++ b/source/smbd/server.c
@@ -679,36 +679,10 @@ static void usage(char *pname)
codepage_initialise(lp_client_code_page());
- if (!pwdb_initialise(True) || !initialise_password_db())
+ if (!pwdb_initialise(True))
{
exit(1);
}
-
- if(!initialise_sam_password_db())
- {
- exit(1);
- }
-
- if(!initialise_passgrp_db())
- {
- exit(1);
- }
-
- if(!initialise_group_db())
- {
- exit(1);
- }
-
- if(!initialise_alias_db())
- {
- exit(1);
- }
-
- if(!initialise_builtin_db())
- {
- exit(1);
- }
-
if (!get_member_domain_sid())
{
DEBUG(0,("ERROR: Samba cannot obtain PDC SID from PDC(s) %s.\n",