r21619: * Pickup latest changes from SAMBA_3_0_25 (this will be it

  for 3.0.25pre1 unless something blows up)
* Update release notes some more

17 files changed, 477 insertions, 146 deletions

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b20af20a0c7..e472d4aee56 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -11,20 +11,21 @@ We would like to ask the Samba community for help in testing
 these changes as we work towards the next significant production
 upgrade Samba 3.0 release.
 
-Major Featuers included in the 3.0.25 code base include:
+Major Features included in the 3.0.25 code base include:
 
-  o Significant improvements in the winbind offline logon 
-    support
-  o Support for secure DDNS updates as part of the 'net 
-    ads join' process
-  o Rewriteen IdMap interface which allows for TTL based 
-    caching and per domain backends.
-  o Support for storing password policies in the passdb 
-    backend.
-
-Major bug fixes in 3.0.25pre1 include:
-
-  o Compatibilities issues with Windows Vista
+  o Significant improvements in the winbind off-line logon support
+  o Support for secure DDNS updates as part of the 'net ads join' 
+    process
+  o Rewritten IdMap interface which allows for TTL based caching and 
+    per domain backends.
+  o New plug-in interface for the "winbind nss info" parameter.
+  o New file change notify subsystem which is able to make use of 
+    inotify on Linux.
+  o Support for passing Windows security descriptors to a VFS 
+    plug-in allowing for multiple Unix ACL implements to running side 
+    by side on the Same server.
+  o Improved compatibility with Windows Vista clients.
+  o Man pages for VFS plugins.
 
 
 
@@ -40,88 +41,110 @@ smb.conf changes
 
     Parameter Name                      Description	  Default
     --------------                      -----------	  -------
+    change notify timeout		Removed 	n/a
+    change notify			New		Yes
+    fam change notify			Removed		n/a
+    idmap domains			New		""
+    idmap alloc backend			New		""
+    idmap expire time			New		900
+    idmap negative time			New		120
+    kernel change notify		Per share	Yes
+    max stat cache size 		Modified 	1024MB
+    printjob username			New		%U
+    winbind normalize names		New		no
 
-
+    
 commits
 -------
 
 
 o   Michael Adam <ma@sernet.de>
-    * Patch to lib/sysquotas_linux.c replacing some "get"s 
-      by "set"s.  This makes the difference between the get 
-      and set calls for SMB_USER_FS_QUOTA_TYPE and 
-      SMB_GROUP_FS_QUOTA_TYPE. 
-    * Prevent collision from config.h created by standalone
-      compnent builds.
+    * Patch to lib/sysquotas_linux.c replacing some "get"s by "set"s.  
+      This makes the difference between the get and set calls for
+      SMB_USER_FS_QUOTA_TYPE and SMB_GROUP_FS_QUOTA_TYPE. 
+    * Prevent collision from config.h created by stand alone component
+      builds.
 
 
 o   Jeremy Allison <jra@samba.org>
-    * winbind offline logon fixes.
+    * winbind off-line logon fixes.
     * Support for AD sites when locating domain controllers.
-    * Fix libsmbclient bug with Konqueror and NetApp filers
-      that need a leading / in OpenAndX calls. 
+    * Fix libsmbclient bug with Konqueror and NetApp filers that need 
+      a leading / in OpenAndX calls. 
     * BUG 4187: Possible crash in signing on/off code.
     * Fix memory leaks in pam_winbind.c.
-    * Fix a bugin the sequence number store/fetch routines in 
+    * Fix a bug in the sequence number store/fetch routines in
       winbindd_cache.tdb.
-    * Fix the problem with Linux clients requesting O_WRONLY
-      on write-only files.
-    * Fix a class of memory allocation bugs in the handling 
-      of user tokens.
-    * Fix crash bug in winbindd caused by a bug ni the 
-      messaging dispatch code.
-    * Fix memory bloat in trans calls caused by talloc()'ing 
-      memory off the wrong context.
+    * Fix the problem with Linux clients requesting O_WRONLY on write-only
+      files.
+    * Fix a class of memory allocation bugs in the handling of user tokens.
+    * Fix crash bug in winbindd caused by a bug in the messaging dispatch
+      code.
+    * Fix memory bloat in trans calls caused by talloc()'ing memory off the
+      wrong context.
     * Fix wildcard renames with SMBmv.
     * Fixes for pathname handling code.
     * Add in the wdel smbclient command to perform wildcard deletes.
-    * Fix a bug that causes smbd to 'hang' intermittently while
-      updatign the trusted domain cache.
-    * CLeanup error path processing in reduce_name().
+    * Fix a bug that causes smbd to 'hang' intermittently while updating
+      the trusted domain cache.
+    * Cleanup error path processing in reduce_name().
     * Fixes for smbtorture tests (BASE-DELETE, ...)
     * Delete on close fixes ("I completely understand it this time").
-    * Remove unneeded checks on incoming uid/gid for mknod 
-      (fifo) unix extensions code.
+    * Remove unneeded checks on incoming uid/gid for mknod (fifo) Unix
+      extensions code.
     * More fixes for Unix Extensions include support for POSIX locking.
     * NTLMv2 fixes for Vista clients.
-    * Add an optimized lookup for Domain Users and only report 
-      the current user (which is generally what the calling 
-      application wants to know anyways).
-    * Fixes for supporting the Vista backup utility based on work 
-      by Joe Meadows <jameadows@webopolis.com>.
+    * Add an optimized lookup for Domain Users and only report the current
+      user (which is generally what the calling application wants to know 
+      anyways).
+    * Fixes for supporting the Vista backup utility based on work by Joe
+      Meadows <jameadows@webopolis.com>.
     * Fix 4377: Fix rename of "foo" -> "Foo".
-   
+    * BUG 4188: Fix for Vista delete directory bug.
+    * BUG 4400: Add support for processing large Krb5 tickets in SMB
+      sesssetup&X.  Based on work by <todd.stecher@isilon.com>.
+    * Fix trans2 file size reporting for Linux CIFS client.
 
 
 o   Danilo Almeida <dalmeida@centeris.com>
     * Add additional debug support for pam_winbind.
-    * Add support for listing multiple groups in pam_winbind's
+    * Add support for listing multiple groups in pam_winbind's 
       require-membership-of option which act as a logical OR.
 
 
 o   Andrew Benham <andrew.benham@thus.net>
-    * BUG 4290: Properly compute time to password expiration 
-      in message from pam_winbind.
+    * BUG 4290: Properly compute time to password expiration in message
+      from pam_winbind.
 
 
+o   Alexander Bokovoy <ab@samba.org>
+    * Add GPFS-provided DMAPI support
+
 
 o   Kai Blin <kai.blin@gmail.com>
     * Match Windows NTLMSSP flags.
 
 
 o   Gerald (Jerry) Carter <jerry@samba.org>
-    * Implement plugable "winbind nss info" interface.
+    * Implement pluggable "winbind nss info" interface.
     * Removal of unmaintained smbwrapper utility.
-    * Fix server affinity bugs in the 'net ads join' 
-      code to include support for AD sites.
+    * Fix server affinity bugs in the 'net ads join' code to include
+      support for AD sites.
     * Implement DDNS update client code.
     * Upper case the host/sAMAccountName in the keytab file.
-    * Fix lookupname call in winbindd when joined to a child 
-      domain and trying to resolve a SID in a sibling domain.
+    * Fix lookupname call in winbindd when joined to a child domain and
+      trying to resolve a SID in a sibling domain.
     * Fix password changes against a Windows 2000 DC using pam_winbind.
     * Fix crash in "pdbedit -L -w"
     * Add "winbind normalize names" option.
-
+    * BUG 4093: Make %a resolve correctly for Windows Vista and Windows 
+      XP 64bit clients.
+    * Printing fixes for Windows Vista.
+    * Protect the sasl bind against a NULL principal string in the 
+      SPNEGO negTokenInit
+    * Fix some "cannot access LDAP when no root" bugs.
+    * NSS and PAM fixes on AIX.
+    * Cached credentials and Krb5 ticket renewal fixes in winbindd.
 
 
 o   Mathias Dietz <mdietz@de.ibm.com>
@@ -131,18 +154,19 @@ o   Mathias Dietz <mdietz@de.ibm.com>
 
 
 o   Guenther Deschner <gd@samba.org>
-    * winbind offline logon fixes.
+    * winbind off-line logon fixes.
     * Support for AD sites when locating domain controllers.
     * Various fixes for 'net ads' user management functions.
-    * Add an CLDAP client written in perl.
+    * Add an CLDAP client written in Perl.
     * Cleanups to the Krb5 ticket refresh code in winbindd.
     * Fixes for various error messages from pam_winbind when password
       policies are being enforced.
     * Implement grace logons for offline authentications in pam_winbind.
     * Fixes for idmap_ad.
     * Memory leak fixes.
-    * BUG 4009: Fixes leaking file descriptors (CLOSE_WAIT) in 
-      winbindd with short lived service tickets
+    * BUG 4009: Fixes leaking file descriptors (CLOSE_WAIT) in winbindd
+      with short lived service tickets
+    * Implement basic AD group policy library
 
 
 o   dleonard@vintela.com
@@ -150,78 +174,97 @@ o   dleonard@vintela.com
 
 
 o   SATOH Fumiyasu <fumiyas@osstech.co.jp>
-    * BUG 3319: Ensure that 'hide unreadable' does not filter
-      MS-DFS links.
+    * BUG 3319: Ensure that 'hide unreadable' does not filter MS-DFS links.
 
 
 o   Krishna Ganugapati <krishnag@centeris.com>
     * Implement DDNS update client code.
-   
+
 
 o   YAMASAKI Hiroyuki <h-yamasaki@pd.jp.nec.com>
     * BUG 4346: Fix type reported for hidden shares via MS-RPC.
 
 
 o   David Hu <david.hu@hp.com>
-    * BUG 4267: Fix memory leaks in ldpasam.
+    * BUG 4267: Fix memory leaks in ldapsam.
 
 
 o   Bjoern Jacke <bj@sernet.de>
     * BUG 4244: Limit stat cache to a default of 1MB.
 
 
+o   William Jojo <jojowil@hvcc.edu>
+    * BUG 3713: Re-add reporting what the profiles tool does (-v).
+
+
+o   Zack Kirsch <zack.kirsch@isilon.com>
+    * Fix memory leaks on some error paths.
+
+
 o   Volker Lendecke <vl@samba.org>
-    * Allow changing of the hashsize when runing tdbbackup.
+    * Replace snum references with a structure based array.
+    * Allow changing of the hashsize when running tdbbackup.
     * Implement secure DDNS update code
-    * Klocwork, Covrity, and IBM Checker fixes.
+    * Klocwork, Coverity, and IBM Checker fixes.
     * BUG 4273: Fix crash in 'net rpc vampire'
     * Refactor older SMB file serving code.
     * Refactor open directory file serving code.
-    * Implement support for inotify when serving CIFS change 
-      notification requests.
-    * Fixes to allow Samba 3.0 to pass various smbtorture tests
-      (RAW-OPEN, RAW-UNLINK, RAW-CLOSE, ...)
+    * Implement support for inotify when serving CIFS change notification
+      requests (includes merge work from SAMBA_4_0).
+    * Fixes to allow Samba 3.0 to pass various smbtorture tests (RAW-OPEN,
+      RAW-UNLINK, RAW-CLOSE, ...)
     * Refactor delete on close file server code.
     * MS-DFS fixes for Vista clients.
+    * BUG 4372: Long timeout in LDAP setup when accessing files after 
+      10 secs.
+    * Change the static array for the in-memory mirrors of the hash chain
+      locks to a dynamically allocated one.
+    * Use inotify for file change notification on Linux.
+    * Revert "msdfs root" to default to "no".
+    * Refactor AIO code.
+    * Fix memory leaks when returning user lists to clients via SAMR calls.
 
 
 o   Herb Lewis <herb@samba.org>
     * Cleanups to sharesec utility.
-    * Compilter warning cleanups.
+    * Compiler warning cleanups.
 
 
 o   Jim McDonough <jmcd@us.ibm.com>
     * Bug fixes for GPFS VFS module.
 
 
-
 o   Stefan Metzmacher <metze@samba.org>
     [merges from SAMBA_4_0]
     * Portability fixes for dlopen()
     * Sync libreplace
-   
 
 
 o   Gomati Mohanan <gomati.mohanan@in.ibm.com>
     * Work on NFSv4 ACL VFS plugin.
 
 
-o   James Peach <jpeach@samba.org>
+o   Lars Mueller <lmuelle@samba.org>
+    * Provide better feedback about deprecated use of multiple passdb
+      backends.
+
+
+o   James Peach <jpeach@apple.com>
     * Replace exit_server with exit_server_cleanly where appropriate.
     * Add docs for VFS modules.
     * Portability fixes for autoconf and character set modules on 
       OS X.
-    * Only attempt to reload the config file atfer the fork point 
+    * Only attempt to reload the config file after the fork point 
       if we are in daemon mode.
 
 
 o   J Raynor <raynorj@mn.rr.com>
-    * Make sure we are privileged when doing DMAPI operations 
-      on systems that don't have capability support.
+    * Make sure we are privileged when doing DMAPI operations on systems
+      that don't have capability support.
 
 
 o   Jiri Sasek <Jiri.Sasek@Sun.COM>
-    Fix possible NULL dereference in adt_tree.c
+    I Fix possible NULL dereference in adt_tree.c
 
 
 o   Karolin Seeger <ks@sernet.de>
@@ -231,17 +274,15 @@ o   Karolin Seeger <ks@sernet.de>
 
 o   Simo Sorce <idra@samba.org>
     * Initial implementation of new IdMap interface.
-    * Fix crash in pam_winbind caused by referencing a 
-      pointer after the memory had been freed.
+    * Fix crash in pam_winbind caused by referencing a pointer after the 
+      memory had been freed.
+    * Implement escaping function for ldap RDN values.
 
 
 o   Peter Somogyi <SOMOGYI@de.ibm.com>
     * Work on NFSv4 ACL VFS plugin.
 
 
-o   Andrew Tridgell <tridge@samba.org>
-
-
 o   Jelmer Vernooij <jelmer@samba.org>
     * Implement support for IDL autogenerated code to
       handle the MS-RPC parsing functions.
diff --git a/source/Makefile.in b/source/Makefile.in
index 4de8f74082c..3f3aa5ea57a 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -1277,8 +1277,8 @@ bin/winbindd@EXEEXT@: $(WINBINDD_OBJ) @BUILD_POPT@ bin/.dummy
 
 bin/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_OBJ) bin/.dummy
 	@echo "Linking shared library $@"
-	@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) \
-		@SONAMEFLAG@`basename $@` -lpam @INIPARSERLIBS@
+	@$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_OBJ) -lpam @INIPARSERLIBS@ $(GPLIBS) \
+		@SONAMEFLAG@`basename $@` 
 
 bin/builtin.@SHLIBEXT@: $(AUTH_BUILTIN_OBJ)
 	@echo "Building plugin $@"
diff --git a/source/configure.in b/source/configure.in
index 8f07871bbe9..f54c9bd2982 100644
--- a/source/configure.in
+++ b/source/configure.in
@@ -46,7 +46,7 @@ AC_ARG_WITH(fhs,
     logfilebase="\${VARDIR}/log/samba"
     privatedir="\${CONFIGDIR}/private"
     libdir="\${prefix}/lib/samba"
-    configdir="${sysconfdir}/samba"
+    configdir="\${sysconfdir}/samba"
     swatdir="\${DATADIR}/samba/swat"
     ;;
   esac])
diff --git a/source/libsmb/clifile.c b/source/libsmb/clifile.c
index 6328a1720a6..2fe9eb17259 100644
--- a/source/libsmb/clifile.c
+++ b/source/libsmb/clifile.c
@@ -330,6 +330,8 @@ static BOOL cli_unix_chmod_chown_internal(struct cli_state *cli, const char *fna
 	p += clistr_push(cli, p, fname, -1, STR_TERMINATE);
 	param_len = PTR_DIFF(p, param);
 
+	memset(data, 0xff, 40); /* Set all sizes/times to no change. */
+
 	SIVAL(data,40,uid);
 	SIVAL(data,48,gid);
 	SIVAL(data,84,mode);
diff --git a/source/nsswitch/idmap.c b/source/nsswitch/idmap.c
index d69fd68e103..a58959afe4c 100644
--- a/source/nsswitch/idmap.c
+++ b/source/nsswitch/idmap.c
@@ -225,9 +225,36 @@ NTSTATUS idmap_close(void)
 
 static const char *idmap_default_domain[] = { "default domain", NULL };
 
+/****************************************************************************
+ ****************************************************************************/
+
+NTSTATUS idmap_init_cache(void)
+{	
+	/* Always initialize the cache.  We'll have to delay initialization
+	   of backends if we are offline */
+
+	if ( idmap_ctx ) {
+		return NT_STATUS_OK;
+	}	
+	
+	if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************************
+ ****************************************************************************/
+
 NTSTATUS idmap_init(void)
 {	
 	NTSTATUS ret;
+	static NTSTATUS backend_init_status = NT_STATUS_UNSUCCESSFUL;	
 	struct idmap_domain *dom;
 	char *compat_backend = NULL;
 	char *compat_params = NULL;
@@ -238,16 +265,23 @@ NTSTATUS idmap_init(void)
 	int compat = 0;
 	int i;
 
-	if (idmap_ctx) {
-		return NT_STATUS_OK;
-	}
+	/* Always initialize the cache.  We'll have to delay initialization
+	   of backends if we are offline */
 
-	if ( (idmap_ctx = talloc_named_const(NULL, 0, "idmap_ctx")) == NULL ) {
-		return NT_STATUS_NO_MEMORY;
+	ret = idmap_init_cache();
+	if ( !NT_STATUS_IS_OK(ret) )
+		return ret;
+
+	if ( NT_STATUS_IS_OK(backend_init_status) ) {
+		return NT_STATUS_OK;
 	}
+	
+	/* We can't reliably call intialization code here unless 
+	   we are online */
 
-	if ( (idmap_cache = idmap_cache_init(idmap_ctx)) == NULL ) {
-		return NT_STATUS_UNSUCCESSFUL;
+	if ( get_global_winbindd_state_offline() ) {
+		backend_init_status = NT_STATUS_FILE_IS_OFFLINE;
+		return backend_init_status;		
 	}
 
 	static_init_idmap;
@@ -559,11 +593,17 @@ NTSTATUS idmap_init(void)
 	/* cleanpu temporary strings */
 	TALLOC_FREE( compat_backend );
 	
+	backend_init_status = NT_STATUS_OK;
+	
 	return NT_STATUS_OK;
 
 done:
 	DEBUG(0, ("Aborting IDMAP Initialization ...\n"));
 	idmap_close();
+
+	/* save the init status for later checks */
+	backend_init_status = ret;
+	
 	return ret;
 }
 
@@ -1067,6 +1107,14 @@ NTSTATUS idmap_unixids_to_sids(struct id_map **ids)
 
 	/* let's see if there is any id mapping to be retieved from the backends */
 	if (bi) {
+		/* Only do query if we are online */
+		if ( lp_winbind_offline_logon() &&
+		     get_global_winbindd_state_offline() )
+		{
+			ret = NT_STATUS_FILE_IS_OFFLINE;
+			goto done;
+		}
+
 		ret = idmap_backends_unixids_to_sids(bids);
 		IDMAP_CHECK_RET(ret);
 
@@ -1132,7 +1180,8 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
 		if ( ! NT_STATUS_IS_OK(ret)) {
 
 			if ( ! bids) {
-				/* alloc space for ids to be resolved by backends (realloc ten by ten) */
+				/* alloc space for ids to be resolved
+				   by backends (realloc ten by ten) */
 				bids = talloc_array(ctx, struct id_map *, 10);
 				if ( ! bids) {
 					DEBUG(1, ("Out of memory!\n"));
@@ -1164,6 +1213,14 @@ NTSTATUS idmap_sids_to_unixids(struct id_map **ids)
 
 	/* let's see if there is any id mapping to be retieved from the backends */
 	if (bids) {
+		/* Only do query if we are online */
+		if ( lp_winbind_offline_logon() &&
+		     get_global_winbindd_state_offline() )
+		{
+			ret = NT_STATUS_FILE_IS_OFFLINE;
+			goto done;
+		}
+		
 		ret = idmap_backends_sids_to_unixids(bids);
 		IDMAP_CHECK_RET(ret);
 
diff --git a/source/nsswitch/idmap_cache.c b/source/nsswitch/idmap_cache.c
index 897dd9c4f5b..caf5fe72b3a 100644
--- a/source/nsswitch/idmap_cache.c
+++ b/source/nsswitch/idmap_cache.c
@@ -22,6 +22,7 @@
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.*/
 
 #include "includes.h"
+#include "winbindd.h"
 
 #define TIMEOUT_LEN 12
 #define IDMAP_CACHE_DATA_FMT	"%12u/%s"
@@ -418,14 +419,34 @@ NTSTATUS idmap_cache_map_sid(struct idmap_cache_ctx *cache, struct id_map *id)
 		/* here ret == NT_STATUS_OK and id->status = ID_MAPPED */
 
 		if (t <= time(NULL)) {
-			/* We're expired, set an error code for upper layer */
-			ret = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+			/* If we've been told to be offline - stay in 
+			   that state... */
+			if (lp_winbind_offline_logon() && 
+			    get_global_winbindd_state_offline()) 
+			{
+				DEBUG(10,("idmap_cache_map_sid: winbindd is "
+					  "globally offline.\n"));
+			} else {
+				/* We're expired, set an error code
+				   for upper layer */
+				ret = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+			}			
 		}
 	} else {
 		if (t <= time(NULL)) {
-			/* We're expired, delete the entry and return not mapped */
-			tdb_delete(cache->tdb, keybuf);
-			ret = NT_STATUS_NONE_MAPPED;
+			/* If we've been told to be offline - stay in 
+			   that state... */
+			if (lp_winbind_offline_logon() && 
+			    get_global_winbindd_state_offline()) 
+			{
+				DEBUG(10,("idmap_cache_map_sid: winbindd is "
+					  "globally offline.\n"));
+			} else {				
+				/* We're expired, delete the entry and return
+				   not mapped */
+				tdb_delete(cache->tdb, keybuf);
+				ret = NT_STATUS_NONE_MAPPED;
+			}			
 		} else {
 			/* this is not mapped as it was a negative cache hit */
 			id->status = ID_UNMAPPED;
@@ -508,14 +529,34 @@ NTSTATUS idmap_cache_map_id(struct idmap_cache_ctx *cache, struct id_map *id)
 		/* here ret == NT_STATUS_OK and id->mapped = True */
 
 		if (t <= time(NULL)) {
-			/* We're expired, set an error code for upper layer */
-			ret = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+			/* If we've been told to be offline - stay in
+			   that state... */
+			if (lp_winbind_offline_logon() && 
+			    get_global_winbindd_state_offline()) 
+			{
+				DEBUG(10,("idmap_cache_map_sid: winbindd is "
+					  "globally offline.\n"));
+			} else {
+				/* We're expired, set an error code
+				   for upper layer */
+				ret = NT_STATUS_SYNCHRONIZATION_REQUIRED;
+			}			
 		}
 	} else {
 		if (t <= time(NULL)) {
-			/* We're expired, delete the entry and return not mapped */
-			tdb_delete(cache->tdb, keybuf);
-			ret = NT_STATUS_NONE_MAPPED;
+			/* If we've been told to be offline - stay in
+			   that state... */
+			if (lp_winbind_offline_logon() && 
+			    get_global_winbindd_state_offline()) 
+			{
+				DEBUG(10,("idmap_cache_map_sid: winbindd is "
+					  "globally offline.\n"));
+			} else {
+				/* We're expired, delete the entry and
+				   return not mapped */
+				tdb_delete(cache->tdb, keybuf);
+				ret = NT_STATUS_NONE_MAPPED;
+			}			
 		} else {
 			/* this is not mapped is it was a negative cache hit */
 			id->status = ID_UNMAPPED;
diff --git a/source/nsswitch/nss_info.c b/source/nsswitch/nss_info.c
index 0b0caeee022..d2516296629 100644
--- a/source/nsswitch/nss_info.c
+++ b/source/nsswitch/nss_info.c
@@ -131,11 +131,17 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain )
  NTSTATUS nss_init( const char **nss_list )
 {
 	NTSTATUS status;
+	static NTSTATUS nss_initialized = NT_STATUS_UNSUCCESSFUL;
 	int i;
 	char *backend, *domain;
 	struct nss_function_entry *nss_backend;
 	struct nss_domain_entry *nss_domain;
 
+	/* check for previous successful initializations */
+
+	if ( NT_STATUS_IS_OK(nss_initialized) )
+		return NT_STATUS_OK;
+	
 	/* The "template" backend should alqays be registered as it
 	   is a static module */
 
@@ -207,20 +213,25 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain )
 	}
 	
 		
+	nss_initialized = NT_STATUS_OK;
+	
 	return NT_STATUS_OK;
 }
 
 /********************************************************************
  *******************************************************************/
 
- NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid,
-		       TALLOC_CTX *ctx,
-		       ADS_STRUCT *ads, LDAPMessage *msg,
-		       char **homedir, char **shell, char **gecos,
-		       gid_t *p_gid)
+static struct nss_domain_entry *find_nss_domain( const char *domain )
 {
+	NTSTATUS status;	
 	struct nss_domain_entry *p;
-	struct nss_info_methods *m;
+
+	status = nss_init( lp_winbind_nss_info() );
+	if ( !NT_STATUS_IS_OK(status) ) {
+		DEBUG(4,("nss_get_info: Failed to init nss_info API (%s)!\n",
+			 nt_errstr(status)));
+		return NULL;
+	}
 	
 	for ( p=nss_domain_list; p; p=p->next ) {
 		if ( strequal( p->domain, domain ) )
@@ -231,12 +242,33 @@ static BOOL parse_nss_parm( const char *config, char **backend, char **domain )
 
 	if ( !p ) {
 		if ( !nss_domain_list ) {
-			return NT_STATUS_NOT_FOUND;
+			return NULL;
 		}
 		
 		p = nss_domain_list;		
 	}
 
+	return p;
+}
+
+/********************************************************************
+ *******************************************************************/
+
+ NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid,
+		       TALLOC_CTX *ctx,
+		       ADS_STRUCT *ads, LDAPMessage *msg,
+		       char **homedir, char **shell, char **gecos,
+		       gid_t *p_gid)
+{
+	struct nss_domain_entry *p;
+	struct nss_info_methods *m;
+
+	if ( (p = find_nss_domain( domain )) == NULL ) {
+		DEBUG(4,("nss_get_info: Failed to find nss domain pointer for %s\n",
+			 domain ));
+		return NT_STATUS_NOT_FOUND;
+	}
+		
 	m = p->backend->methods;
 
 	return m->get_nss_info( p, user_sid, ctx, ads, msg, 
diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index ac87fcf32ee..d21c985feee 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -1517,6 +1517,8 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 	dictionary *d = NULL;
 	char *username_ret = NULL;
 	char *new_authtok_required = NULL;
+	char *combined_member = NULL;
+	const char *real_username = NULL;
 
 	/* parse arguments */
 	int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
@@ -1535,6 +1537,30 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 		goto out;
 	}
 
+#if defined(AIX)
+	/* Decode the user name since AIX does not support logn user
+	   names by default.  The name is encoded as _#uid.  */
+
+	if ( username[0] == '_' ) {
+		uid_t id = atoi( &username[1] );
+		struct passwd *pw = NULL;		
+
+		if ( (id!=0) && ((pw = getpwuid( id )) != NULL) ) {
+			real_username = strdup( pw->pw_name );
+		}
+	}
+#endif
+
+	if ( !real_username ) {
+		/* Just making a copy of the username we got from PAM */
+		if ( (real_username = strdup( username )) == NULL ) {
+			_pam_log_debug(pamh, ctrl, LOG_DEBUG, 
+				       "memory allocation failure when copying username");
+			retval = PAM_SERVICE_ERR;
+			goto out;
+		}
+	}	
+
 	retval = _winbind_read_password(pamh, ctrl, NULL, 
 					"Password: ", NULL,
 					&password);
@@ -1549,9 +1575,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 
 #ifdef DEBUG_PASSWORD
 	_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s' with password '%s'", 
-		       username, password);
+		       real_username, password);
 #else
-	_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", username);
+	_pam_log_debug(pamh, ctrl, LOG_INFO, "Verify user '%s'", real_username);
 #endif
 
 	member = get_member_from_config(pamh, argc, argv, ctrl, d);
@@ -1594,6 +1620,10 @@ out:
 		free(username_ret);
 	}
 
+	if ( real_username ) {		
+		free( real_username );
+	}	
+			
 	if (d) {
 		iniparser_freedict(d);
 	}
diff --git a/source/nsswitch/winbind_nss_aix.c b/source/nsswitch/winbind_nss_aix.c
index 6a39b4b7c41..bc0f252d79b 100644
--- a/source/nsswitch/winbind_nss_aix.c
+++ b/source/nsswitch/winbind_nss_aix.c
@@ -48,6 +48,11 @@
 #include "winbind_client.h"
 #include <usersec.h>
 
+/* enable this to log which entry points have not been
+  completed yet */
+#define LOG_UNIMPLEMENTED_CALLS 0
+
+
 #define WB_AIX_ENCODED '_'
 
 static int debug_enabled;
@@ -566,14 +571,12 @@ static attrval_t pwd_to_groupsids(struct passwd *pwd)
 	attrval_t r;
 	char *s, *p;
 
-	s = wb_aix_getgrset(pwd->pw_name);
-	if (!s) {
+	if ( (s = wb_aix_getgrset(pwd->pw_name)) == NULL ) {
 		r.attr_flag = EINVAL;
 		return r;
 	}
 
-	p = malloc(strlen(s)+2);
-	if (!p) {
+	if ( (p = malloc(strlen(s)+2)) == NULL ) {
 		r.attr_flag = ENOMEM;
 		return r;
 	}
@@ -626,6 +629,8 @@ static int wb_aix_user_attrib(const char *key, char *attributes[],
 
 		if (strcmp(attributes[i], S_ID) == 0) {
 			results[i].attr_un.au_int = pwd->pw_uid;
+		} else if (strcmp(attributes[i], S_PGID) == 0) {
+			results[i].attr_un.au_int = pwd->pw_gid;
 		} else if (strcmp(attributes[i], S_PWD) == 0) {
 			results[i].attr_un.au_char = strdup(pwd->pw_passwd);
 		} else if (strcmp(attributes[i], S_HOME) == 0) {
@@ -744,21 +749,69 @@ static void wb_aix_close(void *token)
 */
 static attrlist_t **wb_aix_attrlist(void)
 {
-	attrlist_t **ret;
+	/* pretty confusing but we are allocating the array of pointers
+	   and the structures we'll be pointing to all at once.  So
+ 	   you need N+1 pointers and N structures. */
+
+	attrlist_t **ret = NULL;
+	attrlist_t *offset = NULL;
+	int i;
+	int n;
+	size_t size;
+
+	struct attr_types {
+		const char *name;
+		int flags;
+		int type;
+	} attr_list[] = {
+		/* user attributes */
+		{S_ID, 		AL_USERATTR, 	SEC_INT},
+		{S_PGRP, 	AL_USERATTR,	SEC_CHAR},
+		{S_HOME, 	AL_USERATTR, 	SEC_CHAR},
+		{S_SHELL, 	AL_USERATTR,	SEC_CHAR},
+		{S_PGID, 	AL_USERATTR,	SEC_INT},
+		{S_GECOS, 	AL_USERATTR,	SEC_CHAR},
+		{S_SHELL, 	AL_USERATTR,	SEC_CHAR},
+		{S_PGRP, 	AL_USERATTR,	SEC_CHAR},
+		{S_GROUPS, 	AL_USERATTR, 	SEC_LIST},
+		{"SID", 	AL_USERATTR,	SEC_CHAR},
+
+		/* group attributes */
+		{S_ID, 		AL_GROUPATTR,	SEC_INT}
+	};
+
 	logit("method attrlist called\n");
-	ret = malloc(2*sizeof(attrlist_t *) + sizeof(attrlist_t));
-	if (!ret) {
+
+	n = sizeof(attr_list) / sizeof(struct attr_types);
+	size = (n*sizeof(attrlist_t *));
+
+	if ( (ret = malloc( size )) == NULL ) {
 		errno = ENOMEM;
 		return NULL;
 	}
 
-	ret[0] = (attrlist_t *)(ret+2);
+	/* offset to where the structures start in the buffer */
 
-	/* just one extra attribute - the windows SID */
-	ret[0]->al_name = strdup("SID");
-	ret[0]->al_flags = AL_USERATTR;
-	ret[0]->al_type = SEC_CHAR;
-	ret[1] = NULL;
+	offset = (attrlist_t *)(ret + n);
+
+	/* now loop over the user_attr_list[] array and add
+	   all the members */
+
+	for ( i=0; i<n; i++ ) {
+		attrlist_t *a = malloc(sizeof(attrlist_t));
+
+		if ( !a ) {
+			/* this is bad.  Just bail */
+			return NULL;
+		}
+
+		a->al_name  = strdup(attr_list[i].name);
+		a->al_flags = attr_list[i].flags;
+		a->al_type  = attr_list[i].type;
+
+		ret[i] = a;
+	}
+	ret[n] = NULL;
 
 	return ret;
 }
diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c
index b4570f2525a..e0b126f9f2f 100644
--- a/source/nsswitch/winbindd.c
+++ b/source/nsswitch/winbindd.c
@@ -1011,14 +1011,10 @@ int main(int argc, char **argv, char **envp)
 
 	/* Winbind daemon initialisation */
 
-	if ( ! NT_STATUS_IS_OK(idmap_init()) ) {
-		DEBUG(1, ("Could not init idmap! - Sid/[UG]id mapping will not be available\n"));
+	if ( ! NT_STATUS_IS_OK(idmap_init_cache()) ) {
+		DEBUG(1, ("Could not init idmap cache!\n"));		
 	}
 
-#ifdef WITH_ADS
-	nss_init( lp_winbind_nss_info() );
-#endif
-
 	/* Unblock all signals we are interested in as they may have been
 	   blocked by the parent process. */
 
@@ -1084,6 +1080,7 @@ int main(int argc, char **argv, char **envp)
 		DEBUG(0,("unable to initalize domain list\n"));
 		exit(1);
 	}
+#endif
 
 	init_idmap_child();
 
diff --git a/source/nsswitch/winbindd_async.c b/source/nsswitch/winbindd_async.c
index cafaf1cb056..aa48f513e97 100644
--- a/source/nsswitch/winbindd_async.c
+++ b/source/nsswitch/winbindd_async.c
@@ -535,7 +535,7 @@ void winbindd_sid2gid_async(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
 	request.cmd = WINBINDD_DUAL_SID2GID;
 	sid_to_string(request.data.dual_sid2id.sid, sid);
 
-	DEBUG(7,("idmap_sid2gid_async: Resolving %s to a gid\n", 
+	DEBUG(7,("winbindd_sid2gid_async: Resolving %s to a gid\n", 
 		request.data.dual_sid2id.sid));
 
 	do_async(mem_ctx, idmap_child(), &request, winbindd_sid2gid_recv,
diff --git a/source/nsswitch/winbindd_cache.c b/source/nsswitch/winbindd_cache.c
index 908d6ed19ae..ff5f93bfedd 100644
--- a/source/nsswitch/winbindd_cache.c
+++ b/source/nsswitch/winbindd_cache.c
@@ -2119,7 +2119,7 @@ void wcache_invalidate_cache(void)
 	}
 }
 
-static BOOL init_wcache(void)
+BOOL init_wcache(void)
 {
 	if (wcache == NULL) {
 		wcache = SMB_XMALLOC_P(struct winbind_cache);
diff --git a/source/nsswitch/winbindd_cred_cache.c b/source/nsswitch/winbindd_cred_cache.c
index 0847ac9e271..600409420ae 100644
--- a/source/nsswitch/winbindd_cred_cache.c
+++ b/source/nsswitch/winbindd_cred_cache.c
@@ -215,7 +215,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx,
 		DEBUG(10,("krb5_ticket_gain_handler: successful kinit for: %s in ccache: %s\n",
 			entry->principal_name, entry->ccname));
 
-		new_start = entry->refresh_time;
+		/* Renew at 1/2 the expiration time */
+		new_start = entry->refresh_time / 2;
 
 		goto got_ticket;
 	}
@@ -369,8 +370,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
 						krb5_ticket_gain_handler,
 						entry);
 		} else {
+			/* Renew at 1/2 the ticket expiration time */
 			entry->event = event_add_timed(winbind_event_context(), entry,
-						timeval_set((ticket_end - 1), 0),
+						timeval_set((ticket_end - 1)/2, 0),
 						"krb5_ticket_refresh_handler",
 						krb5_ticket_refresh_handler,
 						entry);
@@ -494,6 +496,17 @@ static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp, const
 		memcredp->len += strlen(pass)+1;
 	}
 
+#if defined(LINUX)
+	/* aligning the memory on on x86_64 and compiling 
+	   with gcc 4.1 using -O2 causes a segv in the 
+	   next memset()  --jerry */
+	memcredp->nt_hash = SMB_MALLOC_ARRAY(unsigned char, memcredp->len);
+#else
+	/* On non-linux platforms, mlock()'d memory must be aligned */
+	memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, 
+					       getpagesize(), memcredp->len);
+#endif
+
 	/* On non-linux platforms, mlock()'d memory must be aligned */
 
 	memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char, psize, 
diff --git a/source/nsswitch/winbindd_dual.c b/source/nsswitch/winbindd_dual.c
index edb4fa504b1..6324de9a2d9 100644
--- a/source/nsswitch/winbindd_dual.c
+++ b/source/nsswitch/winbindd_dual.c
@@ -502,10 +502,26 @@ void winbind_msg_offline(int msg_type, struct process_id src,
 		}
 		DEBUG(5,("winbind_msg_offline: marking %s offline.\n", domain->name));
 		set_domain_offline(domain);
+
+		/* Send an offline message to the idmap child when our
+		   primary domain goes offline */
+
+		if ( domain->primary ) {
+			struct winbindd_child *idmap = idmap_child();
+
+			if ( idmap->pid != 0 ) {
+				message_send_pid(pid_to_procid(idmap->pid), 
+						 MSG_WINBIND_OFFLINE, 
+						 domain->name, 
+						 strlen(domain->name)+1, 
+						 False);
+			}			
+		}
 	}
 
 	for (child = children; child != NULL; child = child->next) {
-		/* Don't send message to idmap child. */
+		/* Don't send message to idmap child.  We've already
+		   done so above. */
 		if (!child->domain || (child == idmap_child())) {
 			continue;
 		}
@@ -556,6 +572,22 @@ void winbind_msg_online(int msg_type, struct process_id src,
 
 		winbindd_flush_negative_conn_cache(domain);
 		set_domain_online_request(domain);
+
+		/* Send an offline message to the idmap child when our
+		   primary domain goes offline */
+
+		if ( domain->primary ) {
+			struct winbindd_child *idmap = idmap_child();
+			
+			if ( idmap->pid != 0 ) {
+				message_send_pid(pid_to_procid(idmap->pid), 
+						 MSG_WINBIND_ONLINE,
+						 domain->name,
+						 strlen(domain->name)+1, 
+						 False);
+			}
+			
+		}
 	}
 
 	for (child = children; child != NULL; child = child->next) {
diff --git a/source/nsswitch/winbindd_user.c b/source/nsswitch/winbindd_user.c
index 9df3a6a3bc1..47a7364e3a7 100644
--- a/source/nsswitch/winbindd_user.c
+++ b/source/nsswitch/winbindd_user.c
@@ -41,20 +41,21 @@ static BOOL fillup_pw_field(const char *lp_template,
 	if (out == NULL)
 		return False;
 
-	if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) {
-		safe_strcpy(out, in, sizeof(fstring) - 1);
-		return True;
-	}
-
-	/* Home directory and shell - use template config parameters.  The
-	   defaults are /tmp for the home directory and /bin/false for
-	   shell. */
-	
-	/* The substitution of %U and %D in the 'template homedir' is done
-	   by talloc_sub_specified() below. */
+	/* The substitution of %U and %D in the 'template 
+	   homedir' is done by talloc_sub_specified() below.
+	   If we have an in string (which means the value has already
+	   been set in the nss_info backend), then use that.
+	   Otherwise use the template value passed in. */
 
-	templ = talloc_sub_specified(NULL, lp_template, username, domname,
+	if ( in && !strequal(in,"") && lp_security() == SEC_ADS ) {
+		templ = talloc_sub_specified(NULL, in, 
+					     username, domname,
 				     uid, gid);
+	} else {
+		templ = talloc_sub_specified(NULL, lp_template, 
+					     username, domname,
+					     uid, gid);		
+	}
 		
 	if (!templ)
 		return False;
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 584345a906a..5bbd618231b 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -2882,7 +2882,7 @@ static char *store_file_unix_basic(connection_struct *conn,
 	SOFF_T(pdata,0,get_allocation_size(conn,fsp,psbuf)); /* Number of bytes used on disk - 64 Bit */
 	pdata += 8;
 
-	put_long_date_timespec(pdata,get_ctimespec(psbuf));       /* Creation Time 64 Bit */
+	put_long_date_timespec(pdata,get_ctimespec(psbuf));       /* Change Time 64 Bit */
 	put_long_date_timespec(pdata+8,get_atimespec(psbuf));     /* Last access time 64 Bit */
 	put_long_date_timespec(pdata+16,get_mtimespec(psbuf));    /* Last modification time 64 Bit */
 	pdata += 24;
@@ -4805,6 +4805,16 @@ size = %.0f, uid = %u, gid = %u, raw perms = 0%o\n",
 		delete_on_fail = True;
 	}
 
+#if 1
+	/* Horrible backwards compatibility hack as an old server bug
+	 * allowed a CIFS client bug to remain unnoticed :-(. JRA.
+	 * */
+
+	if (!size) {
+		size = get_file_size(*psbuf);
+	}
+#endif
+
 	/*
 	 * Deal with the UNIX specific mode set.
 	 */
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index 9678036d523..34e87ddbd21 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -5683,6 +5683,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
 	if (!pipe_hnd) {
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 
@@ -5692,6 +5693,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
 		DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
 			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 
@@ -5704,6 +5706,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
 		DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
 			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 
@@ -5719,6 +5722,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
 						   domain_sid)) {
 		DEBUG(0, ("Storing password for trusted domain failed.\n"));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 	
@@ -5731,6 +5735,7 @@ static int rpc_trustdom_establish(int argc, const char **argv)
 		DEBUG(0, ("Couldn't close LSA pipe. Error was %s\n",
 			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 
@@ -5916,6 +5921,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 	/* open \PIPE\lsarpc and open policy handle */
 	if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) {
 		DEBUG(0, ("Couldn't connect to domain controller\n"));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -5924,6 +5930,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
 			nt_errstr(nt_status) ));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -5933,6 +5940,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 		DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
  			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -5945,6 +5953,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 		DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
 			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 
@@ -5964,6 +5973,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 			DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
 				nt_errstr(nt_status)));
 			cli_shutdown(cli);
+			talloc_destroy(mem_ctx);
 			return -1;
 		};
 		
@@ -5975,6 +5985,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 							   domain_sids[i], trusted_dom_names[i]);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				cli_shutdown(cli);
+				talloc_destroy(mem_ctx);
 				return -1;
 			}
 		};
@@ -5993,6 +6004,7 @@ static int rpc_trustdom_vampire(int argc, const char **argv)
 		DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
 			nt_errstr(nt_status)));
 		cli_shutdown(cli);
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -6052,6 +6064,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	/* open \PIPE\lsarpc and open policy handle */
 	if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) {
 		DEBUG(0, ("Couldn't connect to domain controller\n"));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -6059,6 +6072,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (!pipe_hnd) {
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
 			nt_errstr(nt_status) ));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 
@@ -6067,6 +6081,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (NT_STATUS_IS_ERR(nt_status)) {
 		DEBUG(0, ("Couldn't open policy handle. Error was %s\n",
  			nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 	
@@ -6078,6 +6093,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (NT_STATUS_IS_ERR(nt_status)) {
 		DEBUG(0, ("LSA Query Info failed. Returned error was %s\n",
 			nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	}
 		
@@ -6096,6 +6112,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 		if (NT_STATUS_IS_ERR(nt_status)) {
 			DEBUG(0, ("Couldn't enumerate trusted domains. Error was %s\n",
 				nt_errstr(nt_status)));
+			talloc_destroy(mem_ctx);
 			return -1;
 		};
 		
@@ -6116,6 +6133,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (NT_STATUS_IS_ERR(nt_status)) {
 		DEBUG(0, ("Couldn't properly close lsa policy handle. Error was %s\n",
 			nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 	
@@ -6133,6 +6151,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &nt_status);
 	if (!pipe_hnd) {
 		DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 	
@@ -6142,6 +6161,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n",
 			nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 	
@@ -6153,6 +6173,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Couldn't open domain object. Error was %s\n",
 			nt_errstr(nt_status)));
+		talloc_destroy(mem_ctx);
 		return -1;
 	};
 	
@@ -6170,6 +6191,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 		if (NT_STATUS_IS_ERR(nt_status)) {
 			DEBUG(0, ("Couldn't enumerate accounts. Error was: %s\n",
 				nt_errstr(nt_status)));
+			talloc_destroy(mem_ctx);
 			return -1;
 		};