authorKai Blin <kai@samba.org>2007-06-02 11:38:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:53:10 -0500
commit3fb4bd1c06a081f8f010ecfe66a9e18ed8413d66 (patch)
treeb4689eeec25beb84f09cb9ad9104957d75e55cca /source4
parente0f3a383b4aa15980e1b91a9355fd9e802be0c97 (diff)
downloadsamba-3fb4bd1c06a081f8f010ecfe66a9e18ed8413d66.tar.gz
r23311: Updating the samba4 winbind protocol to version 18.
nsswitch/winbindd_nss.h is just copied from SAMBA_3_0. nsswitch/winbind_nss_config.h is copied from SAMBA_3_0, too, but I had to drop some of the defines to make things build again. Kai (This used to be commit 553b7e146f52975b45941ba850140e312a280513)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth_winbind.c20
-rw-r--r--source4/nsswitch/wb_common.c12
-rw-r--r--source4/nsswitch/winbind_nss_config.h104
-rw-r--r--source4/nsswitch/winbindd_nss.h330
-rw-r--r--source4/winbind/wb_samba3_cmd.c15
-rw-r--r--source4/winbind/wb_samba3_protocol.c26
-rw-r--r--source4/winbind/wb_server.h1
7 files changed, 343 insertions, 165 deletions
diff --git a/source4/auth/auth_winbind.c b/source4/auth/auth_winbind.c
index 05183d65d06..52d525acd8d 100644
--- a/source4/auth/auth_winbind.c
+++ b/source4/auth/auth_winbind.c
@@ -36,7 +36,7 @@ static NTSTATUS get_info3_from_ndr(TALLOC_CTX *mem_ctx, struct winbindd_response
NTSTATUS status;
DATA_BLOB blob;
blob.length = len - 4;
- blob.data = (uint8_t *)(((char *)response->extra_data) + 4);
+ blob.data = (uint8_t *)(((char *)response->extra_data.data) + 4);
status = ndr_pull_struct_blob(&blob, mem_ctx, info3,
(ndr_pull_flags_fn_t)ndr_pull_netr_SamInfo3);
@@ -91,12 +91,12 @@ static NTSTATUS winbind_check_password_samba3(struct auth_method_context *ctx,
request.data.auth_crap.logon_parameters = user_info->logon_parameters;
- winbind_strcpy(request.data.auth_crap.user,
- user_info->client.account_name);
- winbind_strcpy(request.data.auth_crap.domain,
- user_info->client.domain_name);
- winbind_strcpy(request.data.auth_crap.workstation,
- user_info->workstation_name);
+ safe_strcpy(request.data.auth_crap.user,
+ user_info->client.account_name, sizeof(fstring));
+ safe_strcpy(request.data.auth_crap.domain,
+ user_info->client.domain_name, sizeof(fstring));
+ safe_strcpy(request.data.auth_crap.workstation,
+ user_info->workstation_name, sizeof(fstring));
memcpy(request.data.auth_crap.chal, ctx->auth_ctx->challenge.data.data, sizeof(request.data.auth_crap.chal));
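Review bot: The three `safe_strcpy` calls pass `sizeof(fstring)` as the bound, which is one byte too many if `safe_strcpy` treats its third argument as the maximum string length excluding the terminator, as Samba's helper is usually documented to do; a name of 256 bytes or more would then place the NUL one byte past the field. Bounding by the destination also keeps the call correct if a field's type changes: `safe_strcpy(request.data.auth_crap.user, user_info->client.account_name, sizeof(request.data.auth_crap.user)-1);`, and the same for `domain` and `workstation`. An over-long account or domain name is also truncated silently before it is sent for authentication, so returning an error for it may be preferable. The body of winbind_check_password_samba3 continues outside the hunk.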
@@ -115,11 +115,11 @@ static NTSTATUS winbind_check_password_samba3(struct auth_method_context *ctx,
nt_status = NT_STATUS(response.data.auth.nt_status);
NT_STATUS_NOT_OK_RETURN(nt_status);
- if (result == NSS_STATUS_SUCCESS && response.extra_data) {
+ if (result == NSS_STATUS_SUCCESS && response.extra_data.data) {
union netr_Validation validation;
nt_status = get_info3_from_ndr(mem_ctx, &response, &info3);
- SAFE_FREE(response.extra_data);
+ SAFE_FREE(response.extra_data.data);
NT_STATUS_NOT_OK_RETURN(nt_status);
validation.sam3 = &info3;
@@ -128,7 +128,7 @@ static NTSTATUS winbind_check_password_samba3(struct auth_method_context *ctx,
3, &validation,
server_info);
return nt_status;
- } else if (result == NSS_STATUS_SUCCESS && !response.extra_data) {
+ } else if (result == NSS_STATUS_SUCCESS && !response.extra_data.data) {
DEBUG(0, ("Winbindd authenticated the user [%s]\\[%s], "
"but did not include the required info3 reply!\n",
user_info->client.domain_name, user_info->client.account_name));
diff --git a/source4/nsswitch/wb_common.c b/source4/nsswitch/wb_common.c
index e8c317b5982..51f9deb5b0e 100644
--- a/source4/nsswitch/wb_common.c
+++ b/source4/nsswitch/wb_common.c
@@ -38,7 +38,7 @@ void free_response(struct winbindd_response *response)
/* Free any allocated extra_data */
if (response)
- SAFE_FREE(response->extra_data);
+ SAFE_FREE(response->extra_data.data);
}
/* Initialise a request structure */
@@ -324,13 +324,13 @@ int winbind_open_pipe_sock(void)
if (winbindd_request(WINBINDD_PRIV_PIPE_DIR, &request, &response) == NSS_STATUS_SUCCESS) {
int fd;
- if ((fd = winbind_named_pipe_sock(response.extra_data)) != -1) {
+ if ((fd = winbind_named_pipe_sock(response.extra_data.data)) != -1) {
close(winbindd_fd);
winbindd_fd = fd;
}
}
- SAFE_FREE(response.extra_data);
+ SAFE_FREE(response.extra_data.data);
return winbindd_fd;
#else
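Review bot: `response.extra_data.data` is handed to `winbind_named_pipe_sock()` after checking only the NSS status, so a successful reply that carries no extra data would pass NULL as the directory path (read_reply, later in this file, resets the pointer to NULL before it reads any extra bytes). Guarding the call, `if (response.extra_data.data != NULL && (fd = winbind_named_pipe_sock(response.extra_data.data)) != -1) {`, keeps the client on the unprivileged socket in that case. Whether `winbind_named_pipe_sock` tolerates NULL is not visible here, and the function starts and ends outside the hunk.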
@@ -488,7 +488,7 @@ int read_reply(struct winbindd_response *response)
the server. This has no meaning in the client's address space
so we clear it out. */
- response->extra_data = NULL;
+ response->extra_data.data = NULL;
/* Read variable length response */
@@ -498,11 +498,11 @@ int read_reply(struct winbindd_response *response)
/* Mallocate memory for extra data */
- if (!(response->extra_data = malloc(extra_data_len))) {
+ if (!(response->extra_data.data = malloc(extra_data_len))) {
return -1;
}
- if ((result2 = read_sock(response->extra_data, extra_data_len))
+ if ((result2 = read_sock(response->extra_data.data, extra_data_len))
== -1) {
free_response(response);
return -1;
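Review bot: `extra_data_len` goes to `malloc` and `read_sock` with no upper bound visible in this hunk; it is computed outside the hunk, presumably from the length field the peer sent. A sanity cap before the allocation, for example `if (extra_data_len > WINBINDD_MAX_EXTRA_DATA) return -1;` if the constant this commit adds to winbindd_nss.h is meant to cover replies as well as requests, would stop a confused or hostile peer from forcing a large allocation in every NSS client. The buffer is also not NUL-terminated here although callers such as winbind_open_pipe_sock use it as a string, so allocating one extra byte and terminating it would be a cheap safeguard.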
diff --git a/source4/nsswitch/winbind_nss_config.h b/source4/nsswitch/winbind_nss_config.h
index 345e8d32289..65cf7b232b5 100644
--- a/source4/nsswitch/winbind_nss_config.h
+++ b/source4/nsswitch/winbind_nss_config.h
@@ -24,78 +24,75 @@
#ifndef _WINBIND_NSS_CONFIG_H
#define _WINBIND_NSS_CONFIG_H
-/* Include header files from data in config.h file */
-
-#ifndef NO_CONFIG_H
-#include <config.h>
+/* shutup the compiler warnings due to krb5.h on 64-bit sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
#endif
-#include <stdio.h>
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
+/* Include header files from data in config.h file */
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
+#ifndef NO_CONFIG_H
+#include "lib/replace/replace.h"
#endif
-#ifdef HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
+#include "system/passwd.h"
+#include "system/filesys.h"
+#include "system/network.h"
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
+#include "nsswitch/winbind_nss.h"
-#ifdef HAVE_UNIXSOCKET
-#include <sys/un.h>
-#endif
+/* I'm trying really hard not to include anything from smb.h with the
+ result of some silly looking redeclaration of structures. */
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
+#ifndef _PSTRING
+#define _PSTRING
+#define PSTRING_LEN 1024
+#define FSTRING_LEN 256
+typedef char pstring[PSTRING_LEN];
+typedef char fstring[FSTRING_LEN];
#endif
-#ifdef HAVE_GRP_H
-#include <grp.h>
+#if !defined(uint32)
+#if (SIZEOF_INT == 4)
+#define uint32 unsigned int
+#elif (SIZEOF_LONG == 4)
+#define uint32 unsigned long
+#elif (SIZEOF_SHORT == 4)
+#define uint32 unsigned short
#endif
-
-#ifdef HAVE_STRING_H
-#include <string.h>
#endif
-#ifdef HAVE_FCNTL_H
-#include <fcntl.h>
-#else
-#ifdef HAVE_SYS_FCNTL_H
-#include <sys/fcntl.h>
+#if !defined(uint16)
+#if (SIZEOF_SHORT == 4)
+#define uint16 __ERROR___CANNOT_DETERMINE_TYPE_FOR_INT16;
+#else /* SIZEOF_SHORT != 4 */
+#define uint16 unsigned short
+#endif /* SIZEOF_SHORT != 4 */
#endif
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <errno.h>
-#ifdef HAVE_PWD_H
-#include <pwd.h>
+#ifndef uint8
+#define uint8 unsigned char
#endif
-#include "nsswitch/winbind_nss.h"
-#ifndef Auto
-#define False (0)
-#define True (1)
-#define Auto (2)
-typedef int BOOL;
-#endif
+/*
+ * check for 8 byte long long
+ */
-/* zero a structure */
-#ifndef ZERO_STRUCT
-#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x))
+#if !defined(uint64)
+#if (SIZEOF_LONG == 8)
+#define uint64 unsigned long
+#elif (SIZEOF_LONG_LONG == 8)
+#define uint64 unsigned long long
+#endif /* don't lie. If we don't have it, then don't use it */
#endif
-/* zero a structure given a pointer to the structure */
-#ifndef ZERO_STRUCTP
-#define ZERO_STRUCTP(x) { if ((x) != NULL) memset((char *)(x), 0, sizeof(*(x))); }
+#if !defined(int64)
+#if (SIZEOF_LONG == 8)
+#define int64 long
+#elif (SIZEOF_LONG_LONG == 8)
+#define int64 long long
+#endif /* don't lie. If we don't have it, then don't use it */
#endif
/* Some systems (SCO) treat UNIX domain sockets as FIFOs */
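Review bot: `SIZEOF_LONG` is undefined at the top of the new header and then tested in the `uint32`, `uint64` and `int64` chains, so those tests only mean something if `lib/replace/replace.h` defines it again; when `NO_CONFIG_H` is set, or the include is skipped by its own guard, the preprocessor evaluates the name as 0 and the chains fall through silently. The `uint32` chain has no final `#else`, so the failure would surface later as an unknown type rather than at the cause; adding `#else` and `#error "no 4-byte integer type found for uint32"` before its inner `#endif` makes it explicit. The `uint16` error macro also carries a stray trailing semicolon, `#define uint16 __ERROR___CANNOT_DETERMINE_TYPE_FOR_INT16;`.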
@@ -108,4 +105,9 @@ typedef int BOOL;
#define S_ISSOCK(mode) ((mode & S_IFSOCK) == S_IFSOCK)
#endif
+#ifndef HAVE_SOCKLEN_T
+#define HAVE_SOCKLEN_T
+typedef int socklen_t;
+#endif
+
#endif
diff --git a/source4/nsswitch/winbindd_nss.h b/source4/nsswitch/winbindd_nss.h
index 37695c6aa6b..ae8a6846a3e 100644
--- a/source4/nsswitch/winbindd_nss.h
+++ b/source4/nsswitch/winbindd_nss.h
@@ -4,6 +4,7 @@
Winbind daemon for ntdom nss module
Copyright (C) Tim Potter 2000
+ Copyright (C) Gerald Carter 2006
You are free to use this interface definition in any way you see
fit, including without restriction, using this header in your own
@@ -27,19 +28,32 @@
#define _WINBINDD_NTDOM_H
#define WINBINDD_SOCKET_NAME "pipe" /* Name of PF_UNIX socket */
+
+/* Let the build environment override the public winbindd socket location. This
+ * is needed for launchd support -- jpeach.
+ */
#ifndef WINBINDD_SOCKET_DIR
#define WINBINDD_SOCKET_DIR "/tmp/.winbindd" /* Name of PF_UNIX dir */
#endif
+
#define WINBINDD_PRIV_SOCKET_SUBDIR "winbindd_privileged" /* name of subdirectory of lp_lockdir() to hold the 'privileged' pipe */
#define WINBINDD_DOMAIN_ENV "WINBINDD_DOMAIN" /* Environment variables */
#define WINBINDD_DONT_ENV "_NO_WINBINDD"
-typedef char winbind_string[256];
-#define winbind_strcpy(d,s) safe_strcpy((d),(s),sizeof(winbind_string));
-
/* Update this when you change the interface. */
-#define WINBIND_INTERFACE_VERSION 11
+#define WINBIND_INTERFACE_VERSION 18
+
+/* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
+ On a 64bit Linux box, we have to support a constant structure size
+ between /lib/libnss_winbind.so.2 and /li64/libnss_winbind.so.2.
+ The easiest way to do this is to always use 8byte values for time_t. */
+
+#if defined(int64)
+# define SMB_TIME_T int64
+#else
+# define SMB_TIME_T time_t
+#endif
/* Socket commands */
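Review bot: `#if defined(int64)` is true only when `int64` is a preprocessor macro defined before this header is read, and the header does not include `nsswitch/winbind_nss_config.h` itself. The commit adds that include ahead of this one in wb_samba3_cmd.c, wb_samba3_protocol.c and wb_server.h, but any other includer that misses it gets `SMB_TIME_T` as `time_t`, whose size differs between 32-bit and 64-bit builds, which is the layout mismatch the comment above says must not happen. Failing the build is safer than a silent fallback: replace the `#else` branch with `# error "int64 must be defined before winbindd_nss.h; include winbind_nss_config.h first"`, or include the config header from here.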
@@ -69,6 +83,8 @@ enum winbindd_cmd {
WINBINDD_PAM_AUTH,
WINBINDD_PAM_AUTH_CRAP,
WINBINDD_PAM_CHAUTHTOK,
+ WINBINDD_PAM_LOGOFF,
+ WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
/* List various things */
@@ -80,18 +96,25 @@ enum winbindd_cmd {
WINBINDD_LOOKUPSID,
WINBINDD_LOOKUPNAME,
+ WINBINDD_LOOKUPRIDS,
/* Lookup functions */
- WINBINDD_SID_TO_UID,
+ WINBINDD_SID_TO_UID,
WINBINDD_SID_TO_GID,
+ WINBINDD_SIDS_TO_XIDS,
WINBINDD_UID_TO_SID,
WINBINDD_GID_TO_SID,
- WINBINDD_ALLOCATE_RID,
- WINBINDD_ALLOCATE_RID_AND_GID,
+
+ WINBINDD_ALLOCATE_UID,
+ WINBINDD_ALLOCATE_GID,
+ WINBINDD_SET_MAPPING,
+ WINBINDD_SET_HWM,
/* Miscellaneous other stuff */
+ WINBINDD_DUMP_MAPS,
+
WINBINDD_CHECK_MACHACC, /* Check machine account pw works */
WINBINDD_PING, /* Just tell me winbind is running */
WINBINDD_INFO, /* Various bit of info. Currently just tidbits */
@@ -119,7 +142,7 @@ enum winbindd_cmd {
/* return a list of group sids for a user sid */
WINBINDD_GETUSERSIDS,
- /* Return the domain groups a user is in */
+ /* Various group queries */
WINBINDD_GETUSERDOMGROUPS,
/* Initialize connection in a child */
@@ -129,7 +152,12 @@ enum winbindd_cmd {
* between parent and children */
WINBINDD_DUAL_SID2UID,
WINBINDD_DUAL_SID2GID,
- WINBINDD_DUAL_IDMAPSET,
+ WINBINDD_DUAL_SIDS2XIDS,
+ WINBINDD_DUAL_UID2SID,
+ WINBINDD_DUAL_GID2SID,
+ WINBINDD_DUAL_SET_MAPPING,
+ WINBINDD_DUAL_SET_HWM,
+ WINBINDD_DUAL_DUMP_MAPS,
/* Wrapper around possibly blocking unix nss calls */
WINBINDD_DUAL_UID2NAME,
@@ -140,27 +168,30 @@ enum winbindd_cmd {
WINBINDD_DUAL_USERINFO,
WINBINDD_DUAL_GETSIDALIASES,
+ /* Complete the challenge phase of the NTLM authentication
+ protocol using cached password. */
+ WINBINDD_CCACHE_NTLMAUTH,
+
WINBINDD_NUM_CMDS
};
typedef struct winbindd_pw {
- winbind_string pw_name;
- winbind_string pw_passwd;
+ fstring pw_name;
+ fstring pw_passwd;
uid_t pw_uid;
gid_t pw_gid;
- winbind_string pw_gecos;
- winbind_string pw_dir;
- winbind_string pw_shell;
+ fstring pw_gecos;
+ fstring pw_dir;
+ fstring pw_shell;
} WINBINDD_PW;
typedef struct winbindd_gr {
- winbind_string gr_name;
- winbind_string gr_passwd;
+ fstring gr_name;
+ fstring gr_passwd;
gid_t gr_gid;
- int num_gr_mem;
- int gr_mem_ofs; /* offset to group membership */
- char **gr_mem;
+ uint32 num_gr_mem;
+ uint32 gr_mem_ofs; /* offset to group membership */
} WINBINDD_GR;
@@ -170,7 +201,6 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_LMKEY 0x0008
#define WBFLAG_PAM_CONTACT_TRUSTDOM 0x0010
#define WBFLAG_QUERY_ONLY 0x0020
-#define WBFLAG_ALLOCATE_RID 0x0040
#define WBFLAG_PAM_UNIX_NAME 0x0080
#define WBFLAG_PAM_AFS_TOKEN 0x0100
#define WBFLAG_PAM_NT_STATUS_SQUASH 0x0200
@@ -180,74 +210,131 @@ typedef struct winbindd_gr {
/* Flag to say this is a winbindd internal send - don't recurse. */
#define WBFLAG_RECURSE 0x0800
+#define WBFLAG_PAM_KRB5 0x1000
+#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x2000
+#define WBFLAG_PAM_CACHED_LOGIN 0x4000
+#define WBFLAG_PAM_GET_PWD_POLICY 0x8000 /* not used */
+
+#define WINBINDD_MAX_EXTRA_DATA (128*1024)
+
/* Winbind request structure */
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
struct winbindd_request {
- uint32_t length;
+ uint32 length;
enum winbindd_cmd cmd; /* Winbindd command to execute */
+ enum winbindd_cmd original_cmd; /* Original Winbindd command
+ issued to parent process */
pid_t pid; /* pid of calling process */
- uint32_t flags; /* flags relavant to a given request */
- winbind_string domain_name; /* name of domain for which the request applies */
+ uint32 flags; /* flags relavant to a given request */
+ fstring domain_name; /* name of domain for which the request applies */
union {
- winbind_string winsreq; /* WINS request */
- winbind_string username; /* getpwnam */
- winbind_string groupname; /* getgrnam */
+ fstring winsreq; /* WINS request */
+ fstring username; /* getpwnam */
+ fstring groupname; /* getgrnam */
uid_t uid; /* getpwuid, uid_to_sid */
gid_t gid; /* getgrgid, gid_to_sid */
struct {
/* We deliberatedly don't split into domain/user to
avoid having the client know what the separator
character is. */
- winbind_string user;
- winbind_string pass;
- winbind_string require_membership_of_sid;
+ fstring user;
+ fstring pass;
+ pstring require_membership_of_sid;
+ fstring krb5_cc_type;
+ uid_t uid;
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
- uint32_t logon_parameters;
- winbind_string user;
- winbind_string domain;
- winbind_string lm_resp;
- uint16_t lm_resp_len;
- winbind_string nt_resp;
- uint16_t nt_resp_len;
- winbind_string workstation;
- winbind_string require_membership_of_sid;
+ uint32 logon_parameters;
+ fstring user;
+ fstring domain;
+ fstring lm_resp;
+ uint32 lm_resp_len;
+ fstring nt_resp;
+ uint32 nt_resp_len;
+ fstring workstation;
+ fstring require_membership_of_sid;
} auth_crap;
struct {
- winbind_string user;
- winbind_string oldpass;
- winbind_string newpass;
+ fstring user;
+ fstring oldpass;
+ fstring newpass;
} chauthtok; /* pam_winbind passwd module */
- winbind_string sid; /* lookupsid, sid_to_[ug]id */
struct {
- winbind_string dom_name; /* lookupname */
- winbind_string name;
+ fstring user;
+ fstring domain;
+ unsigned char new_nt_pswd[516];
+ uint16 new_nt_pswd_len;
+ unsigned char old_nt_hash_enc[16];
+ uint16 old_nt_hash_enc_len;
+ unsigned char new_lm_pswd[516];
+ uint16 new_lm_pswd_len;
+ unsigned char old_lm_hash_enc[16];
+ uint16 old_lm_hash_enc_len;
+ } chng_pswd_auth_crap;/* pam_winbind passwd module */
+ struct {
+ fstring user;
+ fstring krb5ccname;
+ uid_t uid;
+ } logoff; /* pam_winbind session module */
+ fstring sid; /* lookupsid, sid_to_[ug]id */
+ struct {
+ fstring dom_name; /* lookupname */
+ fstring name;
} name;
- uint32_t num_entries; /* getpwent, getgrent */
+ uint32 num_entries; /* getpwent, getgrent */
struct {
- winbind_string username;
- winbind_string groupname;
+ fstring username;
+ fstring groupname;
} acct_mgt;
struct {
BOOL is_primary;
- winbind_string dcname;
+ fstring dcname;
} init_conn;
struct {
- winbind_string sid;
- winbind_string name;
- BOOL alloc;
+ fstring sid;
+ fstring name;
} dual_sid2id;
struct {
- int type;
- uid_t uid;
- gid_t gid;
- winbind_string sid;
+ fstring sid;
+ uint32 type;
+ uint32 id;
} dual_idmapset;
+ BOOL list_all_domains;
+
+ struct {
+ uid_t uid;
+ fstring user;
+ /* the effective uid of the client, must be the uid for 'user'.
+ This is checked by the main daemon, trusted by children. */
+ /* if the blobs are length zero, then this doesn't
+ produce an actual challenge response. It merely
+ succeeds if there are cached credentials available
+ that could be used. */
+ uint32 initial_blob_len; /* blobs in extra_data */
+ uint32 challenge_blob_len;
+ } ccache_ntlm_auth;
+
+ /* padding -- needed to fix alignment between 32bit and 64bit libs.
+ The size is the sizeof the union without the padding aligned on
+ an 8 byte boundary. --jerry */
+
+ char padding[1560];
} data;
- char *extra_data;
- size_t extra_len;
+ union {
+ SMB_TIME_T padding;
+ char *data;
+ } extra_data;
+ uint32 extra_len;
char null_term;
};
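Review bot: `char padding[1560]` is no longer the largest member of the `data` union, so it does not fix the union's size the way its comment describes. With `FSTRING_LEN` 256 and `PSTRING_LEN` 1024 from winbind_nss_config.h, the `auth` member is 256+256+1024+256 bytes plus a `uid_t`, and `chng_pswd_auth_crap` is also above 1560. The 32-bit/64-bit size requirement stated above the struct is therefore held only by the members happening to align the same way in both builds. I would recompute the padding from the largest member and pin the result at compile time, e.g. `typedef char wb_request_size_check[(sizeof(struct winbindd_request) == WB_REQUEST_SIZE) ? 1 : -1];`, where `WB_REQUEST_SIZE` is a placeholder for the agreed size.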
@@ -261,11 +348,19 @@ enum winbindd_result {
/* Winbind response structure */
+/*******************************************************************************
+ * This structure MUST be the same size in the 32bit and 64bit builds
+ * for compatibility between /lib64/libnss_winbind.so and /lib/libnss_winbind.so
+ *
+ * DO NOT CHANGE THIS STRUCTURE WITHOUT TESTING THE 32BIT NSS LIB AGAINST
+ * A 64BIT WINBINDD --jerry
+ ******************************************************************************/
+
struct winbindd_response {
/* Header information */
- uint32_t length; /* Length of response */
+ uint32 length; /* Length of response */
enum winbindd_result result; /* Result code */
/* Fixed length return data */
@@ -273,7 +368,7 @@ struct winbindd_response {
union {
int interface_version; /* Try to ensure this is always in the same spot... */
- winbind_string winsresp; /* WINS response */
+ fstring winsresp; /* WINS response */
/* getpwnam, getpwuid */
@@ -283,60 +378,125 @@ struct winbindd_response {
struct winbindd_gr gr;
- uint32_t num_entries; /* getpwent, getgrent */
+ uint32 num_entries; /* getpwent, getgrent */
struct winbindd_sid {
- winbind_string sid; /* lookupname, [ug]id_to_sid */
+ fstring sid; /* lookupname, [ug]id_to_sid */
int type;
} sid;
struct winbindd_name {
- winbind_string dom_name; /* lookupsid */
- winbind_string name;
+ fstring dom_name; /* lookupsid */
+ fstring name;
int type;
} name;
uid_t uid; /* sid_to_uid */
gid_t gid; /* sid_to_gid */
struct winbindd_info {
char winbind_separator;
- winbind_string samba_version;
+ fstring samba_version;
} info;
- winbind_string domain_name;
- winbind_string netbios_name;
- winbind_string dc_name;
+ fstring domain_name;
+ fstring netbios_name;
+ fstring dc_name;
struct auth_reply {
- uint32_t nt_status;
- winbind_string nt_status_string;
- winbind_string error_string;
+ uint32 nt_status;
+ fstring nt_status_string;
+ fstring error_string;
int pam_error;
char user_session_key[16];
char first_8_lm_hash[8];
+ fstring krb5ccname;
+ uint32 reject_reason;
+ uint32 padding;
+ struct policy_settings {
+ uint32 min_length_password;
+ uint32 password_history;
+ uint32 password_properties;
+ uint32 padding;
+ SMB_TIME_T expire;
+ SMB_TIME_T min_passwordage;
+ } policy;
+ struct info3_text {
+ SMB_TIME_T logon_time;
+ SMB_TIME_T logoff_time;
+ SMB_TIME_T kickoff_time;
+ SMB_TIME_T pass_last_set_time;
+ SMB_TIME_T pass_can_change_time;
+ SMB_TIME_T pass_must_change_time;
+ uint32 logon_count;
+ uint32 bad_pw_count;
+ uint32 user_rid;
+ uint32 group_rid;
+ uint32 num_groups;
+ uint32 user_flgs;
+ uint32 acct_flags;
+ uint32 num_other_sids;
+ fstring dom_sid;
+ fstring user_name;
+ fstring full_name;
+ fstring logon_script;
+ fstring profile_path;
+ fstring home_dir;
+ fstring dir_drive;
+ fstring logon_srv;
+ fstring logon_dom;
+ } info3;
} auth;
- uint32_t rid; /* create user or group or allocate rid */
struct {
- uint32_t rid;
- gid_t gid;
- } rid_and_gid;
- struct {
- winbind_string name;
- winbind_string alt_name;
- winbind_string sid;
+ fstring name;
+ fstring alt_name;
+ fstring sid;
BOOL native_mode;
BOOL active_directory;
BOOL primary;
- uint32_t sequence_number;
+ uint32 sequence_number;
} domain_info;
struct {
- winbind_string acct_name;
- winbind_string full_name;
- winbind_string homedir;
- winbind_string shell;
- uint32_t group_rid;
+ fstring acct_name;
+ fstring full_name;
+ fstring homedir;
+ fstring shell;
+ uint32 primary_gid;
+ uint32 group_rid;
} user_info;
+ struct {
+ uint32 auth_blob_len; /* blob in extra_data */
+ } ccache_ntlm_auth;
} data;
/* Variable length return data */
- void *extra_data; /* getgrnam, getgrgid, getgrent */
+ union {
+ SMB_TIME_T padding;
+ void *data;
+ } extra_data;
+};
+
+struct WINBINDD_MEMORY_CREDS {
+ struct WINBINDD_MEMORY_CREDS *next, *prev;
+ const char *username; /* lookup key. */
+ uid_t uid;
+ int ref_count;
+ size_t len;
+ unsigned char *nt_hash; /* Base pointer for the following 2 */
+ unsigned char *lm_hash;
+ char *pass;
+};
+
+struct WINBINDD_CCACHE_ENTRY {
+ struct WINBINDD_CCACHE_ENTRY *next, *prev;
+ const char *principal_name;
+ const char *ccname;
+ const char *service;
+ const char *username;
+ const char *realm;
+ struct WINBINDD_MEMORY_CREDS *cred_ptr;
+ int ref_count;
+ uid_t uid;
+ time_t create_time;
+ time_t renew_until;
+ time_t refresh_time;
+ struct timed_event *event;
};
#endif
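Review bot: `struct WINBINDD_MEMORY_CREDS` and `struct WINBINDD_CCACHE_ENTRY` are added without any comment, in a header whose licence text invites third parties to reuse it as the interface definition. They contain list pointers and so appear to be daemon-internal state rather than wire structures, and `nt_hash`, `lm_hash` and `pass` hold password-equivalent secrets. I would add a block comment above `WINBINDD_MEMORY_CREDS` saying that it is never sent over the pipe, which allocation `nt_hash` is the base pointer for and who owns it, and that the secrets must be overwritten before the memory is freed. A one-line comment on `WINBINDD_CCACHE_ENTRY` explaining what `ref_count` counts and what `cred_ptr` refers to would help as well.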
diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c
index 7989bec1722..f60c65a1d46 100644
--- a/source4/winbind/wb_samba3_cmd.c
+++ b/source4/winbind/wb_samba3_cmd.c
@@ -22,6 +22,7 @@
*/
#include "includes.h"
+#include "nsswitch/winbind_nss_config.h"
#include "nsswitch/winbindd_nss.h"
#include "winbind/wb_server.h"
#include "winbind/wb_async_helpers.h"
@@ -111,9 +112,9 @@ NTSTATUS wbsrv_samba3_netbios_name(struct wbsrv_samba3_call *s3call)
NTSTATUS wbsrv_samba3_priv_pipe_dir(struct wbsrv_samba3_call *s3call)
{
s3call->response.result = WINBINDD_OK;
- s3call->response.extra_data =
+ s3call->response.extra_data.data =
smbd_tmp_path(s3call, WINBINDD_SAMBA3_PRIVILEGED_SOCKET);
- NT_STATUS_HAVE_NO_MEMORY(s3call->response.extra_data);
+ NT_STATUS_HAVE_NO_MEMORY(s3call->response.extra_data.data);
return NT_STATUS_OK;
}
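Review bot: `wbsrv_samba3_priv_pipe_dir` sets `response.extra_data.data` but never adds the string's size to `response.length`, unlike the other handlers in this file (`s3call->response.length += strlen(result)+1;`). wbsrv_samba3_push_reply derives the extra-data size from `call->response.length - sizeof(call->response)`, so unless the length is adjusted elsewhere the path is not sent and the client is left without a privileged pipe directory. Adding `s3call->response.length += strlen(s3call->response.extra_data.data) + 1;` after the `NT_STATUS_HAVE_NO_MEMORY` check would fix that.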
@@ -262,7 +263,7 @@ static void userdomgroups_recv_groups(struct composite_context *ctx)
}
s3call->response.result = WINBINDD_OK;
- s3call->response.extra_data = sids_string;
+ s3call->response.extra_data.data = sids_string;
s3call->response.length += strlen(sids_string)+1;
s3call->response.data.num_entries = num_sids;
@@ -328,7 +329,7 @@ static void usersids_recv_sids(struct composite_context *ctx)
}
s3call->response.result = WINBINDD_OK;
- s3call->response.extra_data = sids_string;
+ s3call->response.extra_data.data = sids_string;
s3call->response.length += strlen(sids_string);
s3call->response.data.num_entries = num_sids;
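Review bot: `s3call->response.length += strlen(sids_string);` omits the terminating NUL, while userdomgroups_recv_groups, list_trustdom_recv_doms and the unix-name branch of pam_auth_crap_recv all add `strlen(...)+1`. If the client treats the extra data as a C string it receives an unterminated buffer and may read past its end. Unless the omission is deliberate for this reply format, make it `s3call->response.length += strlen(sids_string)+1;`. The function starts outside the hunk.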
@@ -510,7 +511,7 @@ static void pam_auth_crap_recv(struct composite_context *ctx)
}
if (s3call->request.flags & WBFLAG_PAM_INFO3_NDR) {
- s3call->response.extra_data = info3.data;
+ s3call->response.extra_data.data = info3.data;
s3call->response.length += info3.length;
}
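Review bot: When a request sets both `WBFLAG_PAM_INFO3_NDR` and `WBFLAG_PAM_UNIX_NAME`, the branch in the next hunk overwrites `extra_data.data` with `unix_username` while `response.length` keeps the `info3.length` added here. wbsrv_samba3_push_reply then copies `call->response.length - sizeof(call->response)` bytes starting at `unix_username`, which would read past that string and send adjacent memory to the client, unless code between the two hunks rules the combination out. Either reject requests that set both flags, or build one buffer holding both parts and account for its length once. pam_auth_crap_recv starts and ends outside the hunk.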
@@ -521,7 +522,7 @@ static void pam_auth_crap_recv(struct composite_context *ctx)
}
if (s3call->request.flags & WBFLAG_PAM_UNIX_NAME) {
- s3call->response.extra_data = unix_username;
+ s3call->response.extra_data.data = unix_username;
s3call->response.length += strlen(unix_username)+1;
}
@@ -654,7 +655,7 @@ static void list_trustdom_recv_doms(struct composite_context *ctx)
s3call->response.result = WINBINDD_OK;
if (num_domains > 0) {
- s3call->response.extra_data = result;
+ s3call->response.extra_data.data = result;
s3call->response.length += strlen(result)+1;
}
diff --git a/source4/winbind/wb_samba3_protocol.c b/source4/winbind/wb_samba3_protocol.c
index 8580f2a163f..da3e404c1e6 100644
--- a/source4/winbind/wb_samba3_protocol.c
+++ b/source4/winbind/wb_samba3_protocol.c
@@ -21,6 +21,7 @@
*/
#include "includes.h"
+#include "nsswitch/winbind_nss_config.h"
#include "nsswitch/winbindd_nss.h"
#include "winbind/wb_server.h"
#include "smbd/service_stream.h"
@@ -138,14 +139,21 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
case WINBINDD_ENDGRENT:
case WINBINDD_GETGRENT:
case WINBINDD_PAM_CHAUTHTOK:
+ case WINBINDD_PAM_LOGOFF:
+ case WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP:
case WINBINDD_LIST_USERS:
case WINBINDD_LIST_GROUPS:
+ case WINBINDD_LOOKUPRIDS:
case WINBINDD_SID_TO_UID:
case WINBINDD_SID_TO_GID:
+ case WINBINDD_SIDS_TO_XIDS:
case WINBINDD_UID_TO_SID:
case WINBINDD_GID_TO_SID:
- case WINBINDD_ALLOCATE_RID:
- case WINBINDD_ALLOCATE_RID_AND_GID:
+ case WINBINDD_ALLOCATE_UID:
+ case WINBINDD_ALLOCATE_GID:
+ case WINBINDD_SET_MAPPING:
+ case WINBINDD_SET_HWM:
+ case WINBINDD_DUMP_MAPS:
case WINBINDD_CHECK_MACHACC:
case WINBINDD_DOMAIN_INFO:
case WINBINDD_SHOW_SEQUENCE:
@@ -155,13 +163,19 @@ NTSTATUS wbsrv_samba3_handle_call(struct wbsrv_samba3_call *s3call)
case WINBINDD_INIT_CONNECTION:
case WINBINDD_DUAL_SID2UID:
case WINBINDD_DUAL_SID2GID:
- case WINBINDD_DUAL_IDMAPSET:
+ case WINBINDD_DUAL_SIDS2XIDS:
+ case WINBINDD_DUAL_UID2SID:
+ case WINBINDD_DUAL_GID2SID:
+ case WINBINDD_DUAL_SET_MAPPING:
+ case WINBINDD_DUAL_SET_HWM:
+ case WINBINDD_DUAL_DUMP_MAPS:
case WINBINDD_DUAL_UID2NAME:
case WINBINDD_DUAL_NAME2UID:
case WINBINDD_DUAL_GID2NAME:
case WINBINDD_DUAL_NAME2GID:
case WINBINDD_DUAL_USERINFO:
case WINBINDD_DUAL_GETSIDALIASES:
+ case WINBINDD_CCACHE_NTLMAUTH:
case WINBINDD_NUM_CMDS:
DEBUG(10, ("Unimplemented winbind samba3 request %d\n",
s3call->request.cmd));
@@ -178,7 +192,7 @@ static NTSTATUS wbsrv_samba3_push_reply(struct wbsrv_samba3_call *call, TALLOC_C
uint8_t *extra_data;
size_t extra_data_len = 0;
- extra_data = call->response.extra_data;
+ extra_data = call->response.extra_data.data;
if (extra_data) {
extra_data_len = call->response.length -
sizeof(call->response);
@@ -189,11 +203,11 @@ static NTSTATUS wbsrv_samba3_push_reply(struct wbsrv_samba3_call *call, TALLOC_C
/* don't push real pointer values into sockets */
if (extra_data) {
- call->response.extra_data = (void *)0xFFFFFFFF;
+ call->response.extra_data.data = (void *)0xFFFFFFFF;
}
memcpy(blob.data, &call->response, sizeof(call->response));
/* set back the pointer */
- call->response.extra_data = extra_data;
+ call->response.extra_data.data = extra_data;
if (extra_data) {
memcpy(blob.data + sizeof(call->response), extra_data, extra_data_len);
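Review bot: Now that `extra_data` is a union with an `SMB_TIME_T` member (8 bytes when `int64` is available), assigning the `0xFFFFFFFF` marker to `.data` on a build with 4-byte pointers overwrites only half of the field, and the `memcpy` of the whole response sends the other half as it was. If the response is not zeroed when the call is set up, which is not visible here, those bytes are uninitialised memory going to the client. Setting `call->response.extra_data.padding = 0;` just before the marker assignment makes every byte of the field defined. The function starts and ends outside the hunk.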
diff --git a/source4/winbind/wb_server.h b/source4/winbind/wb_server.h
index 3e851fbccc6..4099e32d705 100644
--- a/source4/winbind/wb_server.h
+++ b/source4/winbind/wb_server.h
@@ -20,6 +20,7 @@
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#include "nsswitch/winbind_nss_config.h"
#include "nsswitch/winbindd_nss.h"