Imported Upstream version 4.0.0+dfsg1upstream/4.0.0+dfsg1

25 files changed, 651 insertions, 185 deletions

diff --git a/nsswitch/libwbclient/ABI/wbclient-0.10.sigs b/nsswitch/libwbclient/ABI/wbclient-0.10.sigs
new file mode 100644
index 0000000000..eda96f467d
--- /dev/null
+++ b/nsswitch/libwbclient/ABI/wbclient-0.10.sigs
@@ -0,0 +1,76 @@
+wbcAddNamedBlob: wbcErr (size_t *, struct wbcNamedBlob **, const char *, uint32_t, uint8_t *, size_t)
+wbcAllocateGid: wbcErr (gid_t *)
+wbcAllocateMemory: void *(size_t, size_t, void (*)(void *))
+wbcAllocateStringArray: const char **(int)
+wbcAllocateUid: wbcErr (uid_t *)
+wbcAuthenticateUser: wbcErr (const char *, const char *)
+wbcAuthenticateUserEx: wbcErr (const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
+wbcChangeTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcChangeUserPassword: wbcErr (const char *, const char *, const char *)
+wbcChangeUserPasswordEx: wbcErr (const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
+wbcCheckTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcCredentialCache: wbcErr (struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
+wbcCredentialSave: wbcErr (const char *, const char *)
+wbcDcInfo: wbcErr (const char *, size_t *, const char ***, const char ***)
+wbcDomainInfo: wbcErr (const char *, struct wbcDomainInfo **)
+wbcEndgrent: wbcErr (void)
+wbcEndpwent: wbcErr (void)
+wbcErrorString: const char *(wbcErr)
+wbcFreeMemory: void (void *)
+wbcGetDisplayName: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcGetGroups: wbcErr (const char *, uint32_t *, gid_t **)
+wbcGetSidAliases: wbcErr (const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
+wbcGetgrent: wbcErr (struct group **)
+wbcGetgrgid: wbcErr (gid_t, struct group **)
+wbcGetgrlist: wbcErr (struct group **)
+wbcGetgrnam: wbcErr (const char *, struct group **)
+wbcGetpwent: wbcErr (struct passwd **)
+wbcGetpwnam: wbcErr (const char *, struct passwd **)
+wbcGetpwsid: wbcErr (struct wbcDomainSid *, struct passwd **)
+wbcGetpwuid: wbcErr (uid_t, struct passwd **)
+wbcGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcGuidToString: wbcErr (const struct wbcGuid *, char **)
+wbcInterfaceDetails: wbcErr (struct wbcInterfaceDetails **)
+wbcLibraryDetails: wbcErr (struct wbcLibraryDetails **)
+wbcListGroups: wbcErr (const char *, uint32_t *, const char ***)
+wbcListTrusts: wbcErr (struct wbcDomainInfo **, size_t *)
+wbcListUsers: wbcErr (const char *, uint32_t *, const char ***)
+wbcLogoffUser: wbcErr (const char *, uid_t, const char *)
+wbcLogoffUserEx: wbcErr (const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
+wbcLogonUser: wbcErr (const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
+wbcLookupDomainController: wbcErr (const char *, uint32_t, struct wbcDomainControllerInfo **)
+wbcLookupDomainControllerEx: wbcErr (const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
+wbcLookupName: wbcErr (const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
+wbcLookupRids: wbcErr (struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
+wbcLookupSid: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcLookupSids: wbcErr (const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
+wbcLookupUserSids: wbcErr (const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
+wbcPing: wbcErr (void)
+wbcPingDc: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcPingDc2: wbcErr (const char *, struct wbcAuthErrorInfo **, char **)
+wbcQueryGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcQuerySidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcQuerySidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcQueryUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
+wbcRemoveGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcRemoveUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcRequestResponse: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcRequestResponsePriv: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcResolveWinsByIP: wbcErr (const char *, char **)
+wbcResolveWinsByName: wbcErr (const char *, char **)
+wbcSetGidHwm: wbcErr (gid_t)
+wbcSetGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcSetUidHwm: wbcErr (uid_t)
+wbcSetUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcSetgrent: wbcErr (void)
+wbcSetpwent: wbcErr (void)
+wbcSidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcSidToString: wbcErr (const struct wbcDomainSid *, char **)
+wbcSidToStringBuf: int (const struct wbcDomainSid *, char *, int)
+wbcSidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcSidTypeString: const char *(enum wbcSidType)
+wbcSidsToUnixIds: wbcErr (const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
+wbcStrDup: char *(const char *)
+wbcStringToGuid: wbcErr (const char *, struct wbcGuid *)
+wbcStringToSid: wbcErr (const char *, struct wbcDomainSid *)
+wbcUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
diff --git a/nsswitch/libwbclient/ABI/wbclient-0.11.sigs b/nsswitch/libwbclient/ABI/wbclient-0.11.sigs
new file mode 100644
index 0000000000..eda96f467d
--- /dev/null
+++ b/nsswitch/libwbclient/ABI/wbclient-0.11.sigs
@@ -0,0 +1,76 @@
+wbcAddNamedBlob: wbcErr (size_t *, struct wbcNamedBlob **, const char *, uint32_t, uint8_t *, size_t)
+wbcAllocateGid: wbcErr (gid_t *)
+wbcAllocateMemory: void *(size_t, size_t, void (*)(void *))
+wbcAllocateStringArray: const char **(int)
+wbcAllocateUid: wbcErr (uid_t *)
+wbcAuthenticateUser: wbcErr (const char *, const char *)
+wbcAuthenticateUserEx: wbcErr (const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
+wbcChangeTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcChangeUserPassword: wbcErr (const char *, const char *, const char *)
+wbcChangeUserPasswordEx: wbcErr (const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
+wbcCheckTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcCredentialCache: wbcErr (struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
+wbcCredentialSave: wbcErr (const char *, const char *)
+wbcDcInfo: wbcErr (const char *, size_t *, const char ***, const char ***)
+wbcDomainInfo: wbcErr (const char *, struct wbcDomainInfo **)
+wbcEndgrent: wbcErr (void)
+wbcEndpwent: wbcErr (void)
+wbcErrorString: const char *(wbcErr)
+wbcFreeMemory: void (void *)
+wbcGetDisplayName: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcGetGroups: wbcErr (const char *, uint32_t *, gid_t **)
+wbcGetSidAliases: wbcErr (const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
+wbcGetgrent: wbcErr (struct group **)
+wbcGetgrgid: wbcErr (gid_t, struct group **)
+wbcGetgrlist: wbcErr (struct group **)
+wbcGetgrnam: wbcErr (const char *, struct group **)
+wbcGetpwent: wbcErr (struct passwd **)
+wbcGetpwnam: wbcErr (const char *, struct passwd **)
+wbcGetpwsid: wbcErr (struct wbcDomainSid *, struct passwd **)
+wbcGetpwuid: wbcErr (uid_t, struct passwd **)
+wbcGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcGuidToString: wbcErr (const struct wbcGuid *, char **)
+wbcInterfaceDetails: wbcErr (struct wbcInterfaceDetails **)
+wbcLibraryDetails: wbcErr (struct wbcLibraryDetails **)
+wbcListGroups: wbcErr (const char *, uint32_t *, const char ***)
+wbcListTrusts: wbcErr (struct wbcDomainInfo **, size_t *)
+wbcListUsers: wbcErr (const char *, uint32_t *, const char ***)
+wbcLogoffUser: wbcErr (const char *, uid_t, const char *)
+wbcLogoffUserEx: wbcErr (const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
+wbcLogonUser: wbcErr (const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
+wbcLookupDomainController: wbcErr (const char *, uint32_t, struct wbcDomainControllerInfo **)
+wbcLookupDomainControllerEx: wbcErr (const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
+wbcLookupName: wbcErr (const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
+wbcLookupRids: wbcErr (struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
+wbcLookupSid: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcLookupSids: wbcErr (const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
+wbcLookupUserSids: wbcErr (const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
+wbcPing: wbcErr (void)
+wbcPingDc: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcPingDc2: wbcErr (const char *, struct wbcAuthErrorInfo **, char **)
+wbcQueryGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcQuerySidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcQuerySidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcQueryUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
+wbcRemoveGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcRemoveUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcRequestResponse: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcRequestResponsePriv: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcResolveWinsByIP: wbcErr (const char *, char **)
+wbcResolveWinsByName: wbcErr (const char *, char **)
+wbcSetGidHwm: wbcErr (gid_t)
+wbcSetGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcSetUidHwm: wbcErr (uid_t)
+wbcSetUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcSetgrent: wbcErr (void)
+wbcSetpwent: wbcErr (void)
+wbcSidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcSidToString: wbcErr (const struct wbcDomainSid *, char **)
+wbcSidToStringBuf: int (const struct wbcDomainSid *, char *, int)
+wbcSidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcSidTypeString: const char *(enum wbcSidType)
+wbcSidsToUnixIds: wbcErr (const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
+wbcStrDup: char *(const char *)
+wbcStringToGuid: wbcErr (const char *, struct wbcGuid *)
+wbcStringToSid: wbcErr (const char *, struct wbcDomainSid *)
+wbcUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
diff --git a/nsswitch/libwbclient/ABI/wbclient-0.9.sigs b/nsswitch/libwbclient/ABI/wbclient-0.9.sigs
new file mode 100644
index 0000000000..ec25e76b9c
--- /dev/null
+++ b/nsswitch/libwbclient/ABI/wbclient-0.9.sigs
@@ -0,0 +1,75 @@
+wbcAddNamedBlob: wbcErr (size_t *, struct wbcNamedBlob **, const char *, uint32_t, uint8_t *, size_t)
+wbcAllocateGid: wbcErr (gid_t *)
+wbcAllocateMemory: void *(size_t, size_t, void (*)(void *))
+wbcAllocateStringArray: const char **(int)
+wbcAllocateUid: wbcErr (uid_t *)
+wbcAuthenticateUser: wbcErr (const char *, const char *)
+wbcAuthenticateUserEx: wbcErr (const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
+wbcChangeTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcChangeUserPassword: wbcErr (const char *, const char *, const char *)
+wbcChangeUserPasswordEx: wbcErr (const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
+wbcCheckTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcCredentialCache: wbcErr (struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
+wbcCredentialSave: wbcErr (const char *, const char *)
+wbcDcInfo: wbcErr (const char *, size_t *, const char ***, const char ***)
+wbcDomainInfo: wbcErr (const char *, struct wbcDomainInfo **)
+wbcEndgrent: wbcErr (void)
+wbcEndpwent: wbcErr (void)
+wbcErrorString: const char *(wbcErr)
+wbcFreeMemory: void (void *)
+wbcGetDisplayName: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcGetGroups: wbcErr (const char *, uint32_t *, gid_t **)
+wbcGetSidAliases: wbcErr (const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
+wbcGetgrent: wbcErr (struct group **)
+wbcGetgrgid: wbcErr (gid_t, struct group **)
+wbcGetgrlist: wbcErr (struct group **)
+wbcGetgrnam: wbcErr (const char *, struct group **)
+wbcGetpwent: wbcErr (struct passwd **)
+wbcGetpwnam: wbcErr (const char *, struct passwd **)
+wbcGetpwsid: wbcErr (struct wbcDomainSid *, struct passwd **)
+wbcGetpwuid: wbcErr (uid_t, struct passwd **)
+wbcGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcGuidToString: wbcErr (const struct wbcGuid *, char **)
+wbcInterfaceDetails: wbcErr (struct wbcInterfaceDetails **)
+wbcLibraryDetails: wbcErr (struct wbcLibraryDetails **)
+wbcListGroups: wbcErr (const char *, uint32_t *, const char ***)
+wbcListTrusts: wbcErr (struct wbcDomainInfo **, size_t *)
+wbcListUsers: wbcErr (const char *, uint32_t *, const char ***)
+wbcLogoffUser: wbcErr (const char *, uid_t, const char *)
+wbcLogoffUserEx: wbcErr (const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
+wbcLogonUser: wbcErr (const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
+wbcLookupDomainController: wbcErr (const char *, uint32_t, struct wbcDomainControllerInfo **)
+wbcLookupDomainControllerEx: wbcErr (const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
+wbcLookupName: wbcErr (const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
+wbcLookupRids: wbcErr (struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
+wbcLookupSid: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
+wbcLookupSids: wbcErr (const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
+wbcLookupUserSids: wbcErr (const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
+wbcPing: wbcErr (void)
+wbcPingDc: wbcErr (const char *, struct wbcAuthErrorInfo **)
+wbcQueryGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
+wbcQuerySidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcQuerySidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcQueryUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
+wbcRemoveGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcRemoveUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcRequestResponse: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcRequestResponsePriv: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
+wbcResolveWinsByIP: wbcErr (const char *, char **)
+wbcResolveWinsByName: wbcErr (const char *, char **)
+wbcSetGidHwm: wbcErr (gid_t)
+wbcSetGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
+wbcSetUidHwm: wbcErr (uid_t)
+wbcSetUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
+wbcSetgrent: wbcErr (void)
+wbcSetpwent: wbcErr (void)
+wbcSidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
+wbcSidToString: wbcErr (const struct wbcDomainSid *, char **)
+wbcSidToStringBuf: int (const struct wbcDomainSid *, char *, int)
+wbcSidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
+wbcSidTypeString: const char *(enum wbcSidType)
+wbcSidsToUnixIds: wbcErr (const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
+wbcStrDup: char *(const char *)
+wbcStringToGuid: wbcErr (const char *, struct wbcGuid *)
+wbcStringToSid: wbcErr (const char *, struct wbcDomainSid *)
+wbcUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
diff --git a/nsswitch/libwbclient/tests/wbclient.c b/nsswitch/libwbclient/tests/wbclient.c
index c6ee531481..cd44d69262 100644
--- a/nsswitch/libwbclient/tests/wbclient.c
+++ b/nsswitch/libwbclient/tests/wbclient.c
@@ -28,27 +28,27 @@
 #include "lib/util/util_net.h"
 #include "lib/util/charset/charset.h"
 #include "libcli/auth/libcli_auth.h"
-#include "source4/param/param.h"
-#include "lib/util/util.h"
+#include "lib/param/param.h"
+#include "lib/util/samba_util.h"
 #include "lib/crypto/arcfour.h"
 
 #define WBC_ERROR_EQUAL(x,y) (x == y)
 
-#define torture_assert_wbc_equal(torture_ctx, got, expected, cmt) \
+#define torture_assert_wbc_equal(torture_ctx, got, expected, cmt, cmt_arg)	\
 	do { wbcErr __got = got, __expected = expected; \
 	if (!WBC_ERROR_EQUAL(__got, __expected)) { \
-		torture_result(torture_ctx, TORTURE_FAIL, __location__": "#got" was %s, expected %s: %s", wbcErrorString(__got), wbcErrorString(__expected), cmt); \
+		torture_result(torture_ctx, TORTURE_FAIL, __location__": "#got" was %s, expected %s: " cmt, wbcErrorString(__got), wbcErrorString(__expected), cmt_arg); \
 		return false; \
 	} \
 	} while (0)
 
-#define torture_assert_wbc_ok(torture_ctx,expr,cmt) \
-		torture_assert_wbc_equal(torture_ctx,expr,WBC_ERR_SUCCESS,cmt)
+#define torture_assert_wbc_ok(torture_ctx,expr,cmt,cmt_arg)			\
+	torture_assert_wbc_equal(torture_ctx,expr,WBC_ERR_SUCCESS,cmt,cmt_arg)
 
 static bool test_wbc_ping(struct torture_context *tctx)
 {
 	torture_assert_wbc_ok(tctx, wbcPing(),
-		"wbcPing failed");
+		"%s", "wbcPing failed");
 
 	return true;
 }
@@ -56,9 +56,22 @@ static bool test_wbc_ping(struct torture_context *tctx)
 static bool test_wbc_pingdc(struct torture_context *tctx)
 {
 	torture_assert_wbc_equal(tctx, wbcPingDc("random_string", NULL), WBC_ERR_NOT_IMPLEMENTED,
-		"wbcPingDc failed");
+				 "%s", "wbcPingDc failed");
 	torture_assert_wbc_ok(tctx, wbcPingDc(NULL, NULL),
-		"wbcPingDc failed");
+		"%s", "wbcPingDc failed");
+
+	return true;
+}
+
+static bool test_wbc_pingdc2(struct torture_context *tctx)
+{
+	char *name = NULL;
+
+	torture_assert_wbc_equal(tctx, wbcPingDc2("random_string", NULL, &name),
+				 WBC_ERR_NOT_IMPLEMENTED, "%s",
+				 "wbcPingDc2 failed");
+	torture_assert_wbc_ok(tctx, wbcPingDc2(NULL, NULL, &name), "%s",
+			      "wbcPingDc2 failed");
 
 	return true;
 }
@@ -68,7 +81,7 @@ static bool test_wbc_library_details(struct torture_context *tctx)
 	struct wbcLibraryDetails *details;
 
 	torture_assert_wbc_ok(tctx, wbcLibraryDetails(&details),
-		"wbcLibraryDetails failed");
+		"%s", "wbcLibraryDetails failed");
 	torture_assert(tctx, details,
 		"wbcLibraryDetails returned NULL pointer");
 
@@ -82,9 +95,9 @@ static bool test_wbc_interface_details(struct torture_context *tctx)
 	struct wbcInterfaceDetails *details;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+		"%s", "wbcInterfaceDetails failed");
 	torture_assert(tctx, details,
-		"wbcInterfaceDetails returned NULL pointer");
+		       "wbcInterfaceDetails returned NULL pointer");
 
 	wbcFreeMemory(details);
 
@@ -112,7 +125,7 @@ static bool test_wbc_sidtypestring(struct torture_context *tctx)
 	torture_assert_str_equal(tctx, wbcSidTypeString(WBC_SID_NAME_UNKNOWN),
 				 "SID_UNKNOWN", "SID_UNKNOWN failed");
 	torture_assert_str_equal(tctx, wbcSidTypeString(WBC_SID_NAME_COMPUTER),
-				 "SID_COMPUTER", "SID_COMPUTER failed");
+				 "SID_COMPUTER",  "SID_COMPUTER failed");
 	return true;
 }
 
@@ -123,9 +136,9 @@ static bool test_wbc_sidtostring(struct torture_context *tctx)
 	char *sid_string2;
 
 	torture_assert_wbc_ok(tctx, wbcStringToSid(sid_string, &sid),
-		"wbcStringToSid failed");
+			      "wbcStringToSid of %s failed", sid_string);
 	torture_assert_wbc_ok(tctx, wbcSidToString(&sid, &sid_string2),
-		"wbcSidToString failed");
+			      "wbcSidToString of %s failed", sid_string);
 	torture_assert_str_equal(tctx, sid_string, sid_string2,
 		"sid strings differ");
 	wbcFreeMemory(sid_string2);
@@ -140,11 +153,11 @@ static bool test_wbc_guidtostring(struct torture_context *tctx)
 	char *guid_string2;
 
 	torture_assert_wbc_ok(tctx, wbcStringToGuid(guid_string, &guid),
-		"wbcStringToGuid failed");
+			      "wbcStringToGuid of %s failed", guid_string);
 	torture_assert_wbc_ok(tctx, wbcGuidToString(&guid, &guid_string2),
-		"wbcGuidToString failed");
+			      "wbcGuidToString of %s failed", guid_string);
 	torture_assert_str_equal(tctx, guid_string, guid_string2,
-		"guid strings differ");
+				 "guid strings differ");
 	wbcFreeMemory(guid_string2);
 
 	return true;
@@ -156,10 +169,10 @@ static bool test_wbc_domain_info(struct torture_context *tctx)
 	struct wbcInterfaceDetails *details;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+		"%s", "wbcInterfaceDetails failed");
 	torture_assert_wbc_ok(
 		tctx, wbcDomainInfo(details->netbios_domain, &info),
-		"wbcDomainInfo failed");
+		"%s", "wbcDomainInfo failed");
 	wbcFreeMemory(details);
 
 	torture_assert(tctx, info,
@@ -178,13 +191,13 @@ static bool test_wbc_users(struct torture_context *tctx)
 	struct wbcInterfaceDetails *details;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+		"%s", "wbcInterfaceDetails failed");
 
 	domain_name = talloc_strdup(tctx, details->netbios_domain);
 	wbcFreeMemory(details);
 
 	torture_assert_wbc_ok(tctx, wbcListUsers(domain_name, &num_users, &users),
-		"wbcListUsers failed");
+		"%s", "wbcListUsers failed");
 	torture_assert(tctx, !(num_users > 0 && !users),
 		"wbcListUsers returned invalid results");
 
@@ -194,29 +207,32 @@ static bool test_wbc_users(struct torture_context *tctx)
 		enum wbcSidType name_type;
 		char *domain;
 		char *name;
+		char *sid_string;
 		uint32_t num_sids;
 
 		torture_assert_wbc_ok(tctx, wbcLookupName(domain_name, users[i], &sid, &name_type),
-			"wbcLookupName failed");
+				      "wbcLookupName of %s failed", users[i]);
 		torture_assert_int_equal(tctx, name_type, WBC_SID_NAME_USER,
-			"wbcLookupName expected WBC_SID_NAME_USER");
+					 "wbcLookupName expected WBC_SID_NAME_USER");
+		wbcSidToString(&sid, &sid_string);
 		torture_assert_wbc_ok(tctx, wbcLookupSid(&sid, &domain, &name, &name_type),
-			"wbcLookupSid failed");
+				      "wbcLookupSid of %s failed", sid_string);
 		torture_assert_int_equal(tctx, name_type, WBC_SID_NAME_USER,
-			"wbcLookupSid expected WBC_SID_NAME_USER");
+					 "wbcLookupSid of expected WBC_SID_NAME_USER");
 		torture_assert(tctx, name,
 			"wbcLookupSid returned no name");
 		wbcFreeMemory(domain);
 		wbcFreeMemory(name);
 		torture_assert_wbc_ok(tctx, wbcLookupUserSids(&sid, true, &num_sids, &sids),
-			"wbcLookupUserSids failed");
+			"wbcLookupUserSids of %s failed", sid_string);
 		torture_assert_wbc_ok(
 			tctx, wbcGetDisplayName(&sid, &domain, &name,
 						&name_type),
-			"wbcGetDisplayName failed");
+			"wbcGetDisplayName of %s failed", sid_string);
 		wbcFreeMemory(domain);
 		wbcFreeMemory(name);
 		wbcFreeMemory(sids);
+		wbcFreeMemory(sid_string);
 	}
 	wbcFreeMemory(users);
 
@@ -232,15 +248,15 @@ static bool test_wbc_groups(struct torture_context *tctx)
 	struct wbcInterfaceDetails *details;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+			      "%s", "wbcInterfaceDetails failed");
 
 	domain_name = talloc_strdup(tctx, details->netbios_domain);
 	wbcFreeMemory(details);
 
 	torture_assert_wbc_ok(tctx, wbcListGroups(domain_name, &num_groups, &groups),
-		"wbcListGroups failed");
+			      "wbcListGroups in %s failed", domain_name);
 	torture_assert(tctx, !(num_groups > 0 && !groups),
-		"wbcListGroups returned invalid results");
+		       "wbcListGroups returned invalid results");
 
 	for (i=0; i < MIN(num_groups,100); i++) {
 
@@ -248,11 +264,14 @@ static bool test_wbc_groups(struct torture_context *tctx)
 		enum wbcSidType name_type;
 		char *domain;
 		char *name;
+		char *sid_string;
 
 		torture_assert_wbc_ok(tctx, wbcLookupName(domain_name, groups[i], &sid, &name_type),
-			"wbcLookupName failed");
+				      "wbcLookupName for %s failed", domain_name);
+		wbcSidToString(&sid, &sid_string);
 		torture_assert_wbc_ok(tctx, wbcLookupSid(&sid, &domain, &name, &name_type),
-			"wbcLookupSid failed");
+				      "wbcLookupSid of %s failed", sid_string);
+		wbcFreeMemory(sid_string);
 		torture_assert(tctx, name,
 			"wbcLookupSid returned no name");
 	}
@@ -268,7 +287,7 @@ static bool test_wbc_trusts(struct torture_context *tctx)
 	int i;
 
 	torture_assert_wbc_ok(tctx, wbcListTrusts(&domains, &num_domains),
-		"wbcListTrusts failed");
+			      "%s", "wbcListTrusts failed");
 	torture_assert(tctx, !(num_domains > 0 && !domains),
 		"wbcListTrusts returned invalid results");
 
@@ -282,7 +301,7 @@ static bool test_wbc_trusts(struct torture_context *tctx)
 		char *name;
 		*/
 		torture_assert_wbc_ok(tctx, wbcCheckTrustCredentials(domains[i].short_name, &error),
-			"wbcCheckTrustCredentials failed");
+				      "%s", "wbcCheckTrustCredentials failed");
 		/*
 		torture_assert_wbc_ok(tctx, wbcLookupName(domains[i].short_name, NULL, &sid, &name_type),
 			"wbcLookupName failed");
@@ -308,13 +327,13 @@ static bool test_wbc_lookupdc(struct torture_context *tctx)
 	struct wbcDomainControllerInfo *dc_info;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+		"%s", "wbcInterfaceDetails failed");
 
 	domain_name = talloc_strdup(tctx, details->netbios_domain);
 	wbcFreeMemory(details);
 
 	torture_assert_wbc_ok(tctx, wbcLookupDomainController(domain_name, 0, &dc_info),
-		"wbcLookupDomainController failed");
+			      "wbcLookupDomainController for %s failed", domain_name);
 	wbcFreeMemory(dc_info);
 
 	return true;
@@ -327,13 +346,13 @@ static bool test_wbc_lookupdcex(struct torture_context *tctx)
 	struct wbcDomainControllerInfoEx *dc_info;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+		"%s", "wbcInterfaceDetails failed");
 
 	domain_name = talloc_strdup(tctx, details->netbios_domain);
 	wbcFreeMemory(details);
 
 	torture_assert_wbc_ok(tctx, wbcLookupDomainControllerEx(domain_name, NULL, NULL, 0, &dc_info),
-		"wbcLookupDomainControllerEx failed");
+		"wbcLookupDomainControllerEx for %s failed", domain_name);
 	wbcFreeMemory(dc_info);
 
 	return true;
@@ -350,9 +369,9 @@ static bool test_wbc_resolve_winsbyname(struct torture_context *tctx)
 	ret = wbcResolveWinsByName(name, &ip);
 
 	if (is_ipaddress(name)) {
-		torture_assert_wbc_equal(tctx, ret, WBC_ERR_DOMAIN_NOT_FOUND, "wbcResolveWinsByName failed");
+		torture_assert_wbc_equal(tctx, ret, WBC_ERR_DOMAIN_NOT_FOUND, "wbcResolveWinsByName of %s failed", name);
 	} else {
-		torture_assert_wbc_ok(tctx, ret, "wbcResolveWinsByName failed");
+		torture_assert_wbc_ok(tctx, ret, "wbcResolveWinsByName for %s failed", name);
 	}
 
 	return true;
@@ -368,7 +387,7 @@ static bool test_wbc_resolve_winsbyip(struct torture_context *tctx)
 
 	ret = wbcResolveWinsByIP(ip, &name);
 
-	torture_assert_wbc_ok(tctx, ret, "wbcResolveWinsByIP failed");
+	torture_assert_wbc_ok(tctx, ret, "wbcResolveWinsByIP for %s failed", ip);
 
 	wbcFreeMemory(name);
 
@@ -387,7 +406,7 @@ static bool test_wbc_lookup_rids(struct torture_context *tctx)
 
 	ret = wbcLookupRids(&builtin, 2, rids, &domain_name, &names,
 			    &types);
-	torture_assert_wbc_ok(tctx, ret, "wbcLookupRids failed");
+	torture_assert_wbc_ok(tctx, ret, "%s", "wbcLookupRids for 544 and 545 failed");
 
 	torture_assert_str_equal(
 		tctx, names[0], "Administrators",
@@ -395,7 +414,7 @@ static bool test_wbc_lookup_rids(struct torture_context *tctx)
 	torture_assert_str_equal(
 		tctx, names[1], "Users", "S-1-5-32-545 not mapped to 'Users'");
 
-	wbcFreeMemory((char *)domain_name);
+	wbcFreeMemory(discard_const_p(char ,domain_name));
 	wbcFreeMemory(names);
 	wbcFreeMemory(types);
 
@@ -413,10 +432,10 @@ static bool test_wbc_get_sidaliases(struct torture_context *tctx)
 	wbcErr ret;
 
 	torture_assert_wbc_ok(tctx, wbcInterfaceDetails(&details),
-		"wbcInterfaceDetails failed");
+			      "%s", "wbcInterfaceDetails failed");
 	torture_assert_wbc_ok(
 		tctx, wbcDomainInfo(details->netbios_domain, &info),
-		"wbcDomainInfo failed");
+		"wbcDomainInfo of %s failed", details->netbios_domain);
 	wbcFreeMemory(details);
 
 	sids[0] = info->sid;
@@ -427,10 +446,10 @@ static bool test_wbc_get_sidaliases(struct torture_context *tctx)
 
 	torture_assert_wbc_ok(
 		tctx, wbcStringToSid("S-1-5-32", &builtin),
-		"wbcStringToSid failed");
+		"wbcStringToSid of %s failed", "S-1-5-32");
 
 	ret = wbcGetSidAliases(&builtin, sids, 2, &rids, &num_rids);
-	torture_assert_wbc_ok(tctx, ret, "wbcGetSidAliases failed");
+	torture_assert_wbc_ok(tctx, ret, "%s", "wbcGetSidAliases failed");
 
 	wbcFreeMemory(rids);
 
@@ -447,7 +466,7 @@ static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
 
 	ret = wbcAuthenticateUser(getenv("USERNAME"), correct_password);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcAuthenticateUser failed");
+				 "wbcAuthenticateUser of %s failed", getenv("USERNAME"));
 
 	ZERO_STRUCT(params);
 	params.account_name		= getenv("USERNAME");
@@ -456,7 +475,7 @@ static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
 
 	ret = wbcAuthenticateUserEx(&params, &info, &error);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcAuthenticateUserEx failed");
+				 "wbcAuthenticateUserEx of %s failed", params.account_name);
 	wbcFreeMemory(info);
 	info = NULL;
 
@@ -466,8 +485,8 @@ static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
 	params.password.plaintext       = "wrong";
 	ret = wbcAuthenticateUserEx(&params, &info, &error);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
-				 "wbcAuthenticateUserEx succeeded where it "
-				 "should have failed");
+				 "wbcAuthenticateUserEx for %s succeeded where it "
+				 "should have failed", params.account_name);
 	wbcFreeMemory(info);
 	info = NULL;
 
@@ -555,7 +574,7 @@ static bool test_wbc_change_password(struct torture_context *tctx)
 
 	ret = wbcChangeUserPasswordEx(&params, NULL, NULL, NULL);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcChangeUserPassword failed");
+				 "wbcChangeUserPassword for %s failed", params.account_name);
 
 	if (!test_wbc_authenticate_user_int(tctx, "Koo8irei")) {
 		return false;
@@ -564,7 +583,7 @@ static bool test_wbc_change_password(struct torture_context *tctx)
 	ret = wbcChangeUserPassword(getenv("USERNAME"), "Koo8irei",
 				    getenv("PASSWORD"));
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcChangeUserPassword failed");
+				 "wbcChangeUserPassword for %s failed", params.account_name);
 
 	return test_wbc_authenticate_user_int(tctx, getenv("PASSWORD"));
 }
@@ -585,7 +604,7 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
 
 	ret = wbcLogonUser(&params, &info, &error, &policy);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_INVALID_PARAM,
-				 "wbcLogonUser succeeded where it should "
+				 "%s", "wbcLogonUser succeeded for NULL where it should "
 				 "have failed");
 
 	params.username = getenv("USERNAME");
@@ -594,11 +613,11 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
 	ret = wbcAddNamedBlob(&params.num_blobs, &params.blobs,
 			      "foo", 0, discard_const_p(uint8_t, "bar"), 4);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcAddNamedBlob failed");
+				 "%s", "wbcAddNamedBlob failed");
 
 	ret = wbcLogonUser(&params, &info, &error, &policy);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcLogonUser failed");
+				 "wbcLogonUser for %s failed", params.username);
 	wbcFreeMemory(info); info = NULL;
 	wbcFreeMemory(error); error = NULL;
 	wbcFreeMemory(policy); policy = NULL;
@@ -607,8 +626,8 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
 
 	ret = wbcLogonUser(&params, &info, &error, &policy);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
-				 "wbcLogonUser should have failed with "
-				 "WBC_ERR_AUTH_ERROR");
+				 "wbcLogonUser for %s should have failed with "
+				 "WBC_ERR_AUTH_ERROR", params.username);
 	wbcFreeMemory(info); info = NULL;
 	wbcFreeMemory(error); error = NULL;
 	wbcFreeMemory(policy); policy = NULL;
@@ -618,12 +637,12 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
 			      discard_const_p(uint8_t, "S-1-2-3-4"),
 			      strlen("S-1-2-3-4")+1);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcAddNamedBlob failed");
+				 "%s", "wbcAddNamedBlob failed");
 	params.password = getenv("PASSWORD");
 	ret = wbcLogonUser(&params, &info, &error, &policy);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
-				 "wbcLogonUser should have failed with "
-				 "WBC_ERR_AUTH_ERROR");
+				 "wbcLogonUser for %s should have failed with "
+				 "WBC_ERR_AUTH_ERROR", params.username);
 	wbcFreeMemory(info); info = NULL;
 	wbcFreeMemory(error); error = NULL;
 	wbcFreeMemory(policy); policy = NULL;
@@ -632,28 +651,28 @@ static bool test_wbc_logon_user(struct torture_context *tctx)
 
 	ret = wbcInterfaceDetails(&iface);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcInterfaceDetails failed");
+				 "%s", "wbcInterfaceDetails failed");
 
 	ret = wbcLookupName(iface->netbios_domain, getenv("USERNAME"), &sid,
 			    &sidtype);
 	wbcFreeMemory(iface);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcLookupName failed");
+				 "wbcLookupName for %s failed", getenv("USERNAME"));
 
 	ret = wbcSidToString(&sid, &sidstr);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcSidToString failed");
+				 "%s", "wbcSidToString failed");
 
 	ret = wbcAddNamedBlob(&params.num_blobs, &params.blobs,
 			      "membership_of", 0,
 			      (uint8_t *)sidstr, strlen(sidstr)+1);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcAddNamedBlob failed");
+				 "%s", "wbcAddNamedBlob failed");
 	wbcFreeMemory(sidstr);
 	params.password = getenv("PASSWORD");
 	ret = wbcLogonUser(&params, &info, &error, &policy);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcLogonUser failed");
+				 "wbcLogonUser for %s failed", params.username);
 	wbcFreeMemory(info); info = NULL;
 	wbcFreeMemory(error); error = NULL;
 	wbcFreeMemory(policy); policy = NULL;
@@ -671,7 +690,7 @@ static bool test_wbc_getgroups(struct torture_context *tctx)
 
 	ret = wbcGetGroups(getenv("USERNAME"), &num_groups, &groups);
 	torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
-				 "wbcGetGroups failed");
+				 "wbcGetGroups for %s failed", getenv("USERNAME"));
 	wbcFreeMemory(groups);
 	return true;
 }
@@ -682,6 +701,7 @@ struct torture_suite *torture_wbclient(void)
 
 	torture_suite_add_simple_test(suite, "wbcPing", test_wbc_ping);
 	torture_suite_add_simple_test(suite, "wbcPingDc", test_wbc_pingdc);
+	torture_suite_add_simple_test(suite, "wbcPingDc2", test_wbc_pingdc);
 	torture_suite_add_simple_test(suite, "wbcLibraryDetails", test_wbc_library_details);
 	torture_suite_add_simple_test(suite, "wbcInterfaceDetails", test_wbc_interface_details);
 	torture_suite_add_simple_test(suite, "wbcSidTypeString", test_wbc_sidtypestring);
diff --git a/nsswitch/libwbclient/wbc_idmap.c b/nsswitch/libwbclient/wbc_idmap.c
index ad3cfe6770..04e7d02995 100644
--- a/nsswitch/libwbclient/wbc_idmap.c
+++ b/nsswitch/libwbclient/wbc_idmap.c
@@ -370,12 +370,16 @@ wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
 			id->type = WBC_ID_TYPE_GID;
 			id->id.gid = strtoul(p+1, &q, 10);
 			break;
+		case 'B':
+			id->type = WBC_ID_TYPE_BOTH;
+			id->id.uid = strtoul(p+1, &q, 10);
+			break;
 		default:
 			id->type = WBC_ID_TYPE_NOT_SPECIFIED;
-			q = p;
+			q = strchr(p, '\n');
 			break;
 		};
-		if (q[0] != '\n') {
+		if (q == NULL || q[0] != '\n') {
 			goto wbc_err_invalid;
 		}
 		p = q+1;
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 21f2c5d050..f183cc61b1 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -23,6 +23,7 @@
 
 /* Required Headers */
 
+#define UID_WRAPPER_NOT_REPLACE
 #include "replace.h"
 #include "libwbclient.h"
 #include "../winbind_client.h"
@@ -363,7 +364,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
 		BAIL_ON_WBC_ERROR(wbc_status);
 	}
 
-	if (!params->account_name) {
+	if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) {
 		wbc_status = WBC_ERR_INVALID_PARAM;
 		BAIL_ON_WBC_ERROR(wbc_status);
 	}
@@ -490,6 +491,20 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
 			       request.data.auth_crap.nt_resp_len);
 		}
 		break;
+
+	case WBC_AUTH_USER_LEVEL_PAC:
+		cmd = WINBINDD_PAM_AUTH_CRAP;
+		request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT;
+		request.extra_data.data = malloc(params->password.pac.length);
+		if (request.extra_data.data == NULL) {
+			wbc_status = WBC_ERR_NO_MEMORY;
+			BAIL_ON_WBC_ERROR(wbc_status);
+		}
+		memcpy(request.extra_data.data, params->password.pac.data,
+		       params->password.pac.length);
+		request.extra_len = params->password.pac.length;
+		break;
+
 	default:
 		break;
 	}
@@ -611,6 +626,16 @@ wbcErr wbcChangeTrustCredentials(const char *domain,
  */
 wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error)
 {
+	return wbcPingDc2(domain, error, NULL);
+}
+
+/*
+ * Trigger a no-op NETLOGON call. Lightweight version of
+ * wbcCheckTrustCredentials, optionally return attempted DC
+ */
+wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
+		  char **dcname)
+{
 	struct winbindd_request request;
 	struct winbindd_response response;
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
@@ -632,6 +657,17 @@ wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error)
 	wbc_status = wbcRequestResponse(WINBINDD_PING_DC,
 					&request,
 					&response);
+
+	if (dcname && response.extra_data.data) {
+		size_t len;
+
+		len = response.length - sizeof(struct winbindd_response);
+		*dcname = wbcAllocateMemory(1, len, NULL);
+		BAIL_ON_PTR_ERROR(*dcname, wbc_status);
+
+		strlcpy(*dcname, response.extra_data.data, len);
+	}
+
 	if (response.data.auth.nt_status != 0) {
 		if (error) {
 			wbc_status = wbc_create_error_info(&response,
@@ -1160,9 +1196,8 @@ wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
 	ZERO_STRUCT(request);
 	ZERO_STRUCT(response);
 
-	if (info != NULL) {
-		*info = NULL;
-	}
+	*info = NULL;
+
 	if (error != NULL) {
 		*error = NULL;
 	}
diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
index 6df8a3c375..bab6933108 100644
--- a/nsswitch/libwbclient/wbc_sid.c
+++ b/nsswitch/libwbclient/wbc_sid.c
@@ -295,7 +295,7 @@ static void wbcTranslatedNamesDestructor(void *ptr)
 	struct wbcTranslatedName *n = (struct wbcTranslatedName *)ptr;
 
 	while (n->name != NULL) {
-		free(n->name);
+		wbcFreeMemory(n->name);
 		n += 1;
 	}
 }
diff --git a/nsswitch/libwbclient/wbc_util.c b/nsswitch/libwbclient/wbc_util.c
index d783ba36d8..af134ba7e5 100644
--- a/nsswitch/libwbclient/wbc_util.c
+++ b/nsswitch/libwbclient/wbc_util.c
@@ -623,13 +623,13 @@ static void wbcDomainControllerInfoExDestructor(void *ptr)
 {
 	struct wbcDomainControllerInfoEx *i =
 		(struct wbcDomainControllerInfoEx *)ptr;
-	free((char *)(i->dc_unc));
-	free((char *)(i->dc_address));
-	free((char *)(i->domain_guid));
-	free((char *)(i->domain_name));
-	free((char *)(i->forest_name));
-	free((char *)(i->dc_site_name));
-	free((char *)(i->client_site_name));
+	free(discard_const_p(char, i->dc_unc));
+	free(discard_const_p(char, i->dc_address));
+	free(discard_const_p(char, i->domain_guid));
+	free(discard_const_p(char, i->domain_name));
+	free(discard_const_p(char, i->forest_name));
+	free(discard_const_p(char, i->dc_site_name));
+	free(discard_const_p(char, i->client_site_name));
 }
 
 static wbcErr wbc_create_domain_controller_info_ex(const struct winbindd_response *resp,
@@ -758,7 +758,7 @@ static void wbcNamedBlobDestructor(void *ptr)
 	struct wbcNamedBlob *b = (struct wbcNamedBlob *)ptr;
 
 	while (b->name != NULL) {
-		free((char *)(b->name));
+		free(discard_const_p(char, b->name));
 		free(b->blob.data);
 		b += 1;
 	}
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index c5f3b77ed8..a72d09e1d3 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -68,9 +68,12 @@ const char *wbcErrorString(wbcErr error);
  *  0.6: Made struct wbcInterfaceDetails char* members non-const
  *  0.7: Added wbcSidToStringBuf()
  *  0.8: Added wbcSidsToUnixIds() and wbcLookupSids()
+ *  0.9: Added support for WBC_ID_TYPE_BOTH
+ *  0.10: Added wbcPingDc2()
+ *  0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
  **/
 #define WBCLIENT_MAJOR_VERSION 0
-#define WBCLIENT_MINOR_VERSION 8
+#define WBCLIENT_MINOR_VERSION 11
 #define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
 struct wbcLibraryDetails {
 	uint16_t major_version;
@@ -195,6 +198,25 @@ struct wbcDomainInfo {
 #define WBC_DOMINFO_TRUSTTYPE_EXTERNAL   0x00000003
 
 /**
+ * @brief Generic Blob
+ **/
+
+struct wbcBlob {
+	uint8_t *data;
+	size_t length;
+};
+
+/**
+ * @brief Named Blob
+ **/
+
+struct wbcNamedBlob {
+	const char *name;
+	uint32_t flags;
+	struct wbcBlob blob;
+};
+
+/**
  * @brief Auth User Parameters
  **/
 
@@ -210,7 +232,8 @@ struct wbcAuthUserParams {
 	enum wbcAuthUserLevel {
 		WBC_AUTH_USER_LEVEL_PLAIN = 1,
 		WBC_AUTH_USER_LEVEL_HASH = 2,
-		WBC_AUTH_USER_LEVEL_RESPONSE = 3
+		WBC_AUTH_USER_LEVEL_RESPONSE = 3,
+		WBC_AUTH_USER_LEVEL_PAC = 4
 	} level;
 	union {
 		const char *plaintext;
@@ -225,29 +248,11 @@ struct wbcAuthUserParams {
 			uint32_t lm_length;
 			uint8_t *lm_data;
 		} response;
+		struct wbcBlob pac;
 	} password;
 };
 
 /**
- * @brief Generic Blob
- **/
-
-struct wbcBlob {
-	uint8_t *data;
-	size_t length;
-};
-
-/**
- * @brief Named Blob
- **/
-
-struct wbcNamedBlob {
-	const char *name;
-	uint32_t flags;
-	struct wbcBlob blob;
-};
-
-/**
  * @brief Logon User Parameters
  **/
 
@@ -796,7 +801,8 @@ wbcErr wbcQueryGidToSid(gid_t gid,
 enum wbcIdType {
 	WBC_ID_TYPE_NOT_SPECIFIED,
 	WBC_ID_TYPE_UID,
-	WBC_ID_TYPE_GID
+	WBC_ID_TYPE_GID,
+	WBC_ID_TYPE_BOTH
 };
 
 union wbcUnixIdContainer {
@@ -1325,6 +1331,21 @@ wbcErr wbcChangeTrustCredentials(const char *domain,
  **/
 wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error);
 
+/**
+ * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
+ *        version of wbcCheckTrustCredentials
+ *
+ * @param *domain      The name of the domain, only NULL for the default domain is
+ *                     supported yet. Other values than NULL will result in
+ *                     WBC_ERR_NOT_IMPLEMENTED.
+ * @param error        Output details on WBC_ERR_AUTH_ERROR
+ * @param dcname       DC that was attempted to ping
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
+		  char **dcname);
+
 /**********************************************************
  * Helper functions
  **********************************************************/
diff --git a/nsswitch/libwbclient/wbclient.pc.in b/nsswitch/libwbclient/wbclient.pc.in
new file mode 100644
index 0000000000..c7b199b4c0
--- /dev/null
+++ b/nsswitch/libwbclient/wbclient.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+modulesdir=${prefix}/modules/gensec
+
+Name: wbclient
+Description: Winbind client
+Version: @PACKAGE_VERSION@
+Libs: @LIB_RPATH@ -L${libdir} -lwbclient
+Cflags: -I${includedir}  -DHAVE_IMMEDIATE_STRUCTURES=1
diff --git a/nsswitch/libwbclient/wscript b/nsswitch/libwbclient/wscript
new file mode 100644
index 0000000000..9c4da16720
--- /dev/null
+++ b/nsswitch/libwbclient/wscript
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+import Options, Logs
+
+# Remember to also update wbclient.h
+VERSION="0.11"
+
+# It may be useful at some point to allow Samba to build against a
+# system libwbclient, such as the one provided by Likewise.  To to
+# this, not only must the check below be activated but this must only
+# be activated with an off-by-default option to disable the internal
+# build of both winbindd implementations, and all the internal
+# references to libwbclient.h will need to be fixed to point at the
+# system libwbclient.  Finally, as a system libwbclient would probably
+# not use the same version scheme as Samba, so this would need to
+# reference Likewise version numbers instead.
+#
+#def configure(conf):
+#    if conf.CHECK_BUNDLED_SYSTEM_PKG('wbclient', minversion=VERSION):
+#        conf.define('USING_SYSTEM_LIBWBCLIENT', 1)
+#
+
+def build(bld):
+#    if bld.CONFIG_SET('USING_SYSTEM_LIBWBCLIENT'):
+#        Logs.info("\tSelected system libwbclient build")
+#        return
+#
+#    Logs.info("\tSelected embedded libwbclient build")
+
+    abi_match = 'wbc*'
+    bld.SAMBA_LIBRARY('wbclient',
+                      source='''
+                             wbc_guid.c
+                             wbc_idmap.c
+                             wbclient.c
+                             wbc_pam.c
+                             wbc_pwd.c
+                             wbc_sid.c
+                             wbc_util.c''',
+                      deps='winbind-client',
+                      pc_files='wbclient.pc',
+                      public_headers='wbclient.h',
+                      abi_directory='ABI',
+                      abi_match=abi_match,
+                      vnum=VERSION)
diff --git a/nsswitch/libwbclient/wscript_build b/nsswitch/libwbclient/wscript_build
deleted file mode 100644
index d9255159d0..0000000000
--- a/nsswitch/libwbclient/wscript_build
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env python
-
-bld.SAMBA_LIBRARY('wbclient',
-	source='wbc_guid.c wbc_idmap.c wbclient.c wbc_pam.c wbc_pwd.c wbc_sid.c wbc_util.c',
-	deps='winbind-client',
-	public_headers='wbclient.h',
-	vnum='0'
-	)
diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
index d84e028513..39d03424fa 100644
--- a/nsswitch/nsstest.c
+++ b/nsswitch/nsstest.c
@@ -370,7 +370,7 @@ static void nss_test_initgroups(char *name, gid_t gid)
 	int i;
 	NSS_STATUS status;
 
-	groups = (gid_t *)malloc(size);
+	groups = (gid_t *)malloc(sizeof(gid_t) * size);
 	groups[0] = gid;
 
 	status = nss_initgroups(name, gid, &groups, &start, &size);
@@ -451,25 +451,25 @@ static void nss_test_errors(void)
 	pwd = getpwnam("nosuchname");
 	if (pwd || last_error != NSS_STATUS_NOTFOUND) {
 		total_errors++;
-		printf("ERROR Non existant user gave error %d\n", last_error);
+		printf("ERROR Non existent user gave error %d\n", last_error);
 	}
 
 	pwd = getpwuid(0xFFF0);
 	if (pwd || last_error != NSS_STATUS_NOTFOUND) {
 		total_errors++;
-		printf("ERROR Non existant uid gave error %d\n", last_error);
+		printf("ERROR Non existent uid gave error %d\n", last_error);
 	}
 
 	grp = getgrnam("nosuchgroup");
 	if (grp || last_error != NSS_STATUS_NOTFOUND) {
 		total_errors++;
-		printf("ERROR Non existant group gave error %d\n", last_error);
+		printf("ERROR Non existent group gave error %d\n", last_error);
 	}
 
 	grp = getgrgid(0xFFF0);
 	if (grp || last_error != NSS_STATUS_NOTFOUND) {
 		total_errors++;
-		printf("ERROR Non existant gid gave error %d\n", last_error);
+		printf("ERROR Non existent gid gave error %d\n", last_error);
 	}
 }
 
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index d1264943a7..29d6f7c7bc 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -10,9 +10,9 @@
    <sopwith@redhat.com> (see copyright below for full details)
 */
 
-#include "pam_winbind.h"
-#define CONST_DISCARD(type,ptr) ((type)(void *)ptr)
+#define UID_WRAPPER_NOT_REPLACE
 
+#include "pam_winbind.h"
 
 static int wbc_error_to_pam_error(wbcErr status)
 {
@@ -412,51 +412,51 @@ static int _pam_parse(const pam_handle_t *pamh,
 		config_file = PAM_WINBIND_CONFIG_FILE;
 	}
 
-	d = iniparser_load(CONST_DISCARD(char *, config_file));
+	d = iniparser_load(discard_const_p(char, config_file));
 	if (d == NULL) {
 		goto config_from_pam;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:debug"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:debug"), false)) {
 		ctrl |= WINBIND_DEBUG_ARG;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:debug_state"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:debug_state"), false)) {
 		ctrl |= WINBIND_DEBUG_STATE;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:cached_login"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:cached_login"), false)) {
 		ctrl |= WINBIND_CACHED_LOGIN;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:krb5_auth"), false)) {
 		ctrl |= WINBIND_KRB5_AUTH;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:silent"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:silent"), false)) {
 		ctrl |= WINBIND_SILENT;
 	}
 
-	if (iniparser_getstring(d, CONST_DISCARD(char *, "global:krb5_ccache_type"), NULL) != NULL) {
+	if (iniparser_getstring(d, discard_const_p(char, "global:krb5_ccache_type"), NULL) != NULL) {
 		ctrl |= WINBIND_KRB5_CCACHE_TYPE;
 	}
 
-	if ((iniparser_getstring(d, CONST_DISCARD(char *, "global:require-membership-of"), NULL)
+	if ((iniparser_getstring(d, discard_const_p(char, "global:require-membership-of"), NULL)
 	     != NULL) ||
-	    (iniparser_getstring(d, CONST_DISCARD(char *, "global:require_membership_of"), NULL)
+	    (iniparser_getstring(d, discard_const_p(char, "global:require_membership_of"), NULL)
 	     != NULL)) {
 		ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:try_first_pass"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:try_first_pass"), false)) {
 		ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
 	}
 
-	if (iniparser_getint(d, CONST_DISCARD(char *, "global:warn_pwd_expire"), 0)) {
+	if (iniparser_getint(d, discard_const_p(char, "global:warn_pwd_expire"), 0)) {
 		ctrl |= WINBIND_WARN_PWD_EXPIRE;
 	}
 
-	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:mkhomedir"), false)) {
+	if (iniparser_getboolean(d, discard_const_p(char, "global:mkhomedir"), false)) {
 		ctrl |= WINBIND_MKHOMEDIR;
 	}
 
@@ -538,7 +538,7 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
 	textdomain_init();
 #endif
 
-	r = TALLOC_ZERO_P(NULL, struct pwb_context);
+	r = talloc_zero(NULL, struct pwb_context);
 	if (!r) {
 		return PAM_BUF_ERR;
 	}
@@ -1214,7 +1214,7 @@ out:
 static void _pam_setup_krb5_env(struct pwb_context *ctx,
 				struct wbcLogonUserInfo *info)
 {
-	char var[PATH_MAX];
+	char *var = NULL;
 	int ret;
 	uint32_t i;
 	const char *krb5ccname = NULL;
@@ -1241,7 +1241,7 @@ static void _pam_setup_krb5_env(struct pwb_context *ctx,
 	_pam_log_debug(ctx, LOG_DEBUG,
 		       "request returned KRB5CCNAME: %s", krb5ccname);
 
-	if (snprintf(var, sizeof(var), "KRB5CCNAME=%s", krb5ccname) == -1) {
+	if (asprintf(&var, "KRB5CCNAME=%s", krb5ccname) == -1) {
 		return;
 	}
 
@@ -1251,6 +1251,7 @@ static void _pam_setup_krb5_env(struct pwb_context *ctx,
 			 "failed to set KRB5CCNAME to %s: %s",
 			 var, pam_strerror(ctx->pamh, ret));
 	}
+	free(var);
 }
 
 /**
@@ -1764,7 +1765,7 @@ static int winbind_auth_request(struct pwb_context *ctx,
 					     &logon.blobs,
 					     "krb5_cc_type",
 					     0,
-					     (uint8_t *)cctype,
+					     discard_const_p(uint8_t, cctype),
 					     strlen(cctype)+1);
 		if (!WBC_ERROR_IS_OK(wbc_status)) {
 			goto done;
@@ -1945,7 +1946,7 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
 	}
 
 	params.account_name		= user;
-	params.level			= WBC_AUTH_USER_LEVEL_PLAIN;
+	params.level			= WBC_CHANGE_PASSWORD_LEVEL_PLAIN;
 	params.old_password.plaintext	= oldpass;
 	params.new_password.plaintext	= newpass;
 	params.flags			= flags;
@@ -2448,7 +2449,7 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 		return NULL;
 	}
 
-	return talloc_asprintf(ctx, "%s%c%s", domain, sep, name);
+	return talloc_asprintf(ctx, "%s\\%s", domain, name);
 }
 
 static int _pam_delete_cred(pam_handle_t *pamh, int flags,
@@ -2517,7 +2518,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
 						     &logoff.blobs,
 						     "ccfilename",
 						     0,
-						     (uint8_t *)ccname,
+						     discard_const_p(uint8_t, ccname),
 						     strlen(ccname)+1);
 			if (!WBC_ERROR_IS_OK(wbc_status)) {
 				goto out;
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index b344f718c5..461d7801c2 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -14,8 +14,8 @@ TARGET=$4
 shift 4
 
 failed=0
-samba4bindir="$BUILDDIR/bin"
-wbinfo="$VALGRIND $samba4bindir/wbinfo$EXEEXT"
+samba4bindir="$BINDIR"
+wbinfo="$VALGRIND $samba4bindir/wbinfo"
 
 . `dirname $0`/../../testprogs/blackbox/subunit.sh
 
@@ -185,6 +185,8 @@ else
 	failed=`expr $failed + 1`
 fi
 
+testfail "wbinfo --group-info against $TARGET with $USERNAME" $wbinfo --group-info $USERNAME && failed=`expr $failed + 1`
+
 gid=`echo $rawgid | sed 's/.*:\([0-9][0-9]*\):/\1/'`
 testit "wbinfo --gid-info against $TARGET" $wbinfo --gid-info $gid || failed=`expr $failed + 1`
 
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index dcfc8a5156..c56a76f826 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -22,6 +22,8 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#define UID_WRAPPER_NOT_REPLACE
+
 #include "replace.h"
 #include "system/select.h"
 #include "winbind_client.h"
@@ -369,13 +371,14 @@ static int winbind_open_pipe_sock(int recursing, int need_priv)
 static int winbind_write_sock(void *buffer, int count, int recursing,
 			      int need_priv)
 {
-	int result, nwritten;
+	int fd, result, nwritten;
 
 	/* Open connection to winbind daemon */
 
  restart:
 
-	if (winbind_open_pipe_sock(recursing, need_priv) == -1) {
+	fd = winbind_open_pipe_sock(recursing, need_priv);
+	if (fd == -1) {
 		errno = ENOENT;
 		return -1;
 	}
@@ -391,7 +394,7 @@ static int winbind_write_sock(void *buffer, int count, int recursing,
 		/* Catch pipe close on other end by checking if a read()
 		   call would not block by calling poll(). */
 
-		pfd.fd = winbindd_fd;
+		pfd.fd = fd;
 		pfd.events = POLLIN|POLLHUP;
 
 		ret = poll(&pfd, 1, 0);
@@ -412,8 +415,7 @@ static int winbind_write_sock(void *buffer, int count, int recursing,
 
 		/* Do the write */
 
-		result = write(winbindd_fd,
-			       (char *)buffer + nwritten,
+		result = write(fd, (char *)buffer + nwritten,
 			       count - nwritten);
 
 		if ((result == -1) || (result == 0)) {
@@ -434,10 +436,12 @@ static int winbind_write_sock(void *buffer, int count, int recursing,
 
 static int winbind_read_sock(void *buffer, int count)
 {
+	int fd;
 	int nread = 0;
 	int total_time = 0;
 
-	if (winbindd_fd == -1) {
+	fd = winbind_open_pipe_sock(false, false);
+	if (fd == -1) {
 		return -1;
 	}
 
@@ -449,7 +453,7 @@ static int winbind_read_sock(void *buffer, int count)
 		/* Catch pipe close on other end by checking if a read()
 		   call would not block by calling poll(). */
 
-		pfd.fd = winbindd_fd;
+		pfd.fd = fd;
 		pfd.events = POLLIN|POLLHUP;
 
 		/* Wait for 5 seconds for a reply. May need to parameterise this... */
@@ -475,7 +479,7 @@ static int winbind_read_sock(void *buffer, int count)
 
 			/* Do the Read */
 
-			int result = read(winbindd_fd, (char *)buffer + nread,
+			int result = read(fd, (char *)buffer + nread,
 			      count - nread);
 
 			if ((result == -1) || (result == 0)) {
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 9d25f59b8c..aee4004e57 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -22,13 +22,14 @@
 */
 
 #include "includes.h"
-#include "popt_common.h"
 #include "winbind_client.h"
 #include "libwbclient/wbclient.h"
 #include "lib/popt/popt.h"
 #include "../libcli/auth/libcli_auth.h"
 #if (_SAMBA_BUILD_) >= 4
 #include "lib/cmdline/popt_common.h"
+#else
+#include "popt_common.h"
 #endif
 
 #ifdef DBGC_CLASS
@@ -134,7 +135,6 @@ static bool parse_wbinfo_domain_user(const char *domuser, fstring domain,
 	fstrcpy(user, p+1);
 	fstrcpy(domain, domuser);
 	domain[PTR_DIFF(p, domuser)] = 0;
-	strupper_m(domain);
 
 	return true;
 }
@@ -519,7 +519,7 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose)
 	}
 
 	if (print_all) {
-		d_printf("%-16s%-24s%-12s%-12s%-5s%-5s\n",
+		d_printf("%-16s%-65s%-12s%-12s%-5s%-5s\n",
 			 "Domain Name", "DNS Domain", "Trust Type",
 			 "Transitive", "In", "Out");
 	}
@@ -533,7 +533,7 @@ static bool wbinfo_list_domains(bool list_all_domains, bool verbose)
 			continue;
 		}
 
-		d_printf("%-24s", domain_list[i].dns_name);
+		d_printf("%-65s", domain_list[i].dns_name);
 
 		switch(domain_list[i].trust_type) {
 		case WBC_DOMINFO_TRUSTTYPE_NONE:
@@ -831,16 +831,19 @@ static bool wbinfo_ping_dc(void)
 {
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
 	struct wbcAuthErrorInfo *error = NULL;
+	char *dcname = NULL;
 
-	wbc_status = wbcPingDc(NULL, &error);
+	wbc_status = wbcPingDc2(NULL, &error, &dcname);
 
-	d_printf("checking the NETLOGON dc connection %s\n",
+	d_printf("checking the NETLOGON dc connection to \"%s\" %s\n",
+		 dcname ? dcname : "",
 		 WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
 
 	if (wbc_status == WBC_ERR_AUTH_ERROR) {
 		d_fprintf(stderr, "error code was %s (0x%x)\n",
 			  error->nt_string, error->nt_status);
 		wbcFreeMemory(error);
+		return false;
 	}
 	if (!WBC_ERROR_IS_OK(wbc_status)) {
 		d_fprintf(stderr, "failed to call wbcPingDc: %s\n",
@@ -1019,6 +1022,9 @@ static bool wbinfo_sids_to_unix_ids(const char *arg)
 		case WBC_ID_TYPE_GID:
 			d_printf("%s -> gid %d\n", sidstr, unix_ids[i].id.gid);
 			break;
+		case WBC_ID_TYPE_BOTH:
+			d_printf("%s -> uid/gid %d\n", sidstr, unix_ids[i].id.uid);
+			break;
 		default:
 			d_printf("%s -> unmapped\n", sidstr);
 			break;
@@ -1386,6 +1392,8 @@ static bool wbinfo_lookup_sids(const char *arg)
 			 domains[names[i].domain_index].short_name,
 			 names[i].name, names[i].type);
 	}
+	wbcFreeMemory(names);
+	wbcFreeMemory(domains);
 	return true;
 }
 
@@ -1728,7 +1736,7 @@ static bool wbinfo_pam_logon(char *username)
 {
 	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
 	struct wbcLogonUserParams params;
-	struct wbcAuthErrorInfo *error = NULL;
+	struct wbcAuthErrorInfo *error;
 	char *s = NULL;
 	char *p = NULL;
 	TALLOC_CTX *frame = talloc_tos();
@@ -1779,15 +1787,16 @@ static bool wbinfo_pam_logon(char *username)
 	d_printf("plaintext password authentication %s\n",
 		 WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
 
-	if (!WBC_ERROR_IS_OK(wbc_status) && (error != NULL)) {
+	if (!WBC_ERROR_IS_OK(wbc_status)) {
 		d_fprintf(stderr,
 			  "error code was %s (0x%x)\nerror message was: %s\n",
 			  error->nt_string,
 			  (int)error->nt_status,
 			  error->display_string);
 		wbcFreeMemory(error);
+		return false;
 	}
-	return WBC_ERROR_IS_OK(wbc_status);
+	return true;
 }
 
 /* Save creds with winbind */
@@ -2365,7 +2374,6 @@ int main(int argc, char **argv, char **envp)
 			break;
 		case 'P':
 			if (!wbinfo_ping_dc()) {
-				d_fprintf(stderr, "Could not ping our DC\n");
 				goto done;
 			}
 			break;
diff --git a/nsswitch/winbind_nss_config.h b/nsswitch/winbind_nss_config.h
index 3e2ce68252..e1ad3f6463 100644
--- a/nsswitch/winbind_nss_config.h
+++ b/nsswitch/winbind_nss_config.h
@@ -54,7 +54,13 @@
 #ifndef FSTRING_LEN
 #define FSTRING_LEN 256
 typedef char fstring[FSTRING_LEN];
-#define fstrcpy(d,s) safe_strcpy((d),(s),sizeof(fstring)-1)
+#ifndef fstrcpy
+#define fstrcpy(d,s) \
+do { \
+        const char *_fstrcpy_src = (const char *)(s); \
+        strlcpy((d),_fstrcpy_src ? _fstrcpy_src : "",sizeof(fstring)); \
+} while (0)
+#endif
 #endif
 
 /* Some systems (SCO) treat UNIX domain sockets as FIFOs */
diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
index 7b16752043..8d66a740a6 100644
--- a/nsswitch/winbind_nss_linux.c
+++ b/nsswitch/winbind_nss_linux.c
@@ -322,7 +322,7 @@ static NSS_STATUS fill_grent(struct group *result, struct winbindd_gr *gr,
 
 	/* Group membership */
 
-	if ((gr->num_gr_mem < 0) || !gr_mem) {
+	if (!gr_mem) {
 		gr->num_gr_mem = 0;
 	}
 
diff --git a/nsswitch/winbind_nss_solaris.c b/nsswitch/winbind_nss_solaris.c
index 5fb37643ce..92da8591b7 100644
--- a/nsswitch/winbind_nss_solaris.c
+++ b/nsswitch/winbind_nss_solaris.c
@@ -26,6 +26,7 @@
 
 #undef DEVELOPER
 
+
 #include "winbind_client.h"
 #include <stdlib.h>
 #include <sys/types.h>
@@ -34,6 +35,7 @@
 #include <pwd.h>
 #include "includes.h"
 #include <syslog.h>
+
 #if !defined(HPUX)
 #include <sys/syslog.h>
 #endif /*hpux*/
@@ -48,6 +50,10 @@
 #define NSS_DEBUG(str) ;
 #endif
 
+#if !defined(SMB_MALLOC_P)
+#define SMB_MALLOC_P(type) (type *)malloc(sizeof(type))
+#endif
+
 #define NSS_ARGS(args) ((nss_XbyY_args_t *)args)
 
 #ifdef HPUX
diff --git a/nsswitch/winbind_nss_solaris.h b/nsswitch/winbind_nss_solaris.h
index 011330576d..f0cc099cf2 100644
--- a/nsswitch/winbind_nss_solaris.h
+++ b/nsswitch/winbind_nss_solaris.h
@@ -25,6 +25,7 @@
 #include <nss_common.h>
 #include <nss_dbdefs.h>
 #include <nsswitch.h>
+#include "system/passwd.h"
 
 typedef nss_status_t NSS_STATUS;
 
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index e5ed8e1b3a..c1704c8e0b 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -218,6 +218,7 @@ typedef struct winbindd_gr {
 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x00002000
 #define WBFLAG_PAM_CACHED_LOGIN		0x00004000
 #define WBFLAG_PAM_GET_PWD_POLICY	0x00008000
+#define WBFLAG_PAM_AUTH_PAC		0x00010000
 
 /* generic request flags */
 #define WBFLAG_QUERY_ONLY		0x00000020	/* not used */
diff --git a/nsswitch/wins.c b/nsswitch/wins.c
index f5fd7a775e..d63968b2bc 100644
--- a/nsswitch/wins.c
+++ b/nsswitch/wins.c
@@ -59,8 +59,10 @@ static void nss_wins_init(void)
 
 static struct in_addr *lookup_byname_backend(const char *name, int *count)
 {
-	struct ip_service *address = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct sockaddr_storage *address = NULL;
 	struct in_addr *ret = NULL;
+	NTSTATUS status;
 	int j;
 
 	if (!initialised) {
@@ -70,19 +72,21 @@ static struct in_addr *lookup_byname_backend(const char *name, int *count)
 	*count = 0;
 
 	/* always try with wins first */
-	if (NT_STATUS_IS_OK(resolve_wins(name,0x00,&address,count))) {
+	status = resolve_wins(name, 0x00, talloc_tos(),
+			      &address, count);
+	if (NT_STATUS_IS_OK(status)) {
 		if ( (ret = SMB_MALLOC_P(struct in_addr)) == NULL ) {
-			free( address );
+			TALLOC_FREE(frame);
 			return NULL;
 		}
-		if (address[0].ss.ss_family != AF_INET) {
-			free(address);
+		if (address[0].ss_family != AF_INET) {
 			free(ret);
+			TALLOC_FREE(frame);
 			return NULL;
 		}
-		*ret = ((struct sockaddr_in *)(void *)&address[0].ss)
+		*ret = ((struct sockaddr_in *)(void *)address)
 			->sin_addr;
-		free( address );
+		TALLOC_FREE(frame);
 		return ret;
 	}
 
@@ -91,24 +95,23 @@ static struct in_addr *lookup_byname_backend(const char *name, int *count)
 		const struct in_addr *bcast = iface_n_bcast_v4(j);
 		struct sockaddr_storage ss;
 		struct sockaddr_storage *pss;
-		NTSTATUS status;
 
 		if (!bcast) {
 			continue;
 		}
 		in_addr_to_sockaddr_storage(&ss, *bcast);
 		status = name_query(name, 0x00, True, True, &ss,
-				    NULL, &pss, count, NULL);
+				    talloc_tos(), &pss, count, NULL);
 		if (NT_STATUS_IS_OK(status) && (*count > 0)) {
 			if ((ret = SMB_MALLOC_P(struct in_addr)) == NULL) {
+				TALLOC_FREE(frame);
 				return NULL;
 			}
 			*ret = ((struct sockaddr_in *)pss)->sin_addr;
-			TALLOC_FREE(pss);
 			break;
 		}
 	}
-
+	TALLOC_FREE(frame);
 	return ret;
 }
 
@@ -180,7 +183,7 @@ int lookup(nsd_file_t *rq)
 	 * response needs to be a string of the following format
 	 * ip_address[ ip_address]*\tname[ alias]*
 	 */
-	if (StrCaseCmp(map,"hosts.byaddr") == 0) {
+	if (strcasecmp_m(map,"hosts.byaddr") == 0) {
 		if ( status = lookup_byaddr_backend(key, &count)) {
 		    size = strlen(key) + 1;
 		    if (size > len) {
@@ -208,7 +211,7 @@ int lookup(nsd_file_t *rq)
 		    response[strlen(response)-1] = '\n';
 		    talloc_free(status);
 		}
-	} else if (StrCaseCmp(map,"hosts.byname") == 0) {
+	} else if (strcasecmp_m(map,"hosts.byname") == 0) {
 	    if (ip_list = lookup_byname_backend(key, &count)) {
 		for (i = count; i ; i--) {
 		    addr = inet_ntoa(ip_list[i-1]);
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 83b10a7969..1efee55497 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -1,4 +1,7 @@
 #!/usr/bin/env python
+import Utils
+import sys
+host_os = sys.platform
 
 bld.SAMBA_LIBRARY('winbind-client',
 	source='wb_common.c',
@@ -9,33 +12,93 @@ bld.SAMBA_LIBRARY('winbind-client',
 
 
 bld.SAMBA_BINARY('nsstest',
-	source='nsstest.c',
-	deps='replace dl'
-	)
+		 source='nsstest.c',
+		 deps='replace dl',
+                 install=False
+		 )
+
+# The nss_wrapper code relies strictly on the linux implementation and
+# name, so compile but do not install a copy under this name.
+bld.SAMBA_LIBRARY('nss_wrapper_winbind',
+		  source='winbind_nss_linux.c',
+		  deps='winbind-client',
+		  realname='libnss_wrapper_winbind.so.2',
+		  install=False,
+		  vnum='2')
+
+# FIXME: original was *linux* | gnu* | k*bsd*-gnu | kopensolaris*-gnu)
+# the search for .rfind('gnu') covers gnu* and *-gnu is that too broad?
 
+if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
+	bld.SAMBA_LIBRARY('nss_winbind',
+			  source='winbind_nss_linux.c',
+			  deps='winbind-client',
+			  realname='libnss_winbind.so.2',
+			  soname='libnss_winbind.so',
+			  vnum='2')
+elif (host_os.rfind('freebsd') > -1):
+	# FreeBSD winbind client is implemented as a wrapper around
+	# the Linux version.
+	bld.SAMBA_LIBRARY('nss_winbind',
+			  source='winbind_nss_linux.c winbind_nss_freebsd.c',
+			  deps='winbind-client',
+			  realname='libnss_winbind.so.1',
+			  vnum='1')
 
-bld.SAMBA_LIBRARY('nss_winbind',
-	source='winbind_nss_linux.c',
-	deps='winbind-client',
-	realname='libnss_winbind.so.2',
-	vnum='2')
+elif (host_os.rfind('netbsd') > -1):
+	# NetBSD winbind client is implemented as a wrapper
+	# around the Linux version. It needs getpwent_r() to
+	# indicate libc's use of the correct nsdispatch API.
 
+	if bld.CONFIG_SET("HAVE_GETPWENT_R"):
+		bld.SAMBA_LIBRARY('nss_winbind',
+				  source='winbind_nss_linux.c winbind_nss_netbsd.c',
+				  deps='winbind-client', 
+				  realname='libnss_winbind.so')
+elif (host_os.rfind('irix') > -1):
+	bld.SAMBA_LIBRARY('ns_winbind',
+			  source='winbind_nss_irix.c',
+			  deps='winbind-client', 
+			  realname='libns_winbind.so')
 
-if bld.CONFIG_SET('WITH_PAM_MODULES') or bld.CONFIG_SET('HAVE_PAM_START'):
+elif Utils.unversioned_sys_platform() == 'sunos':
+	bld.SAMBA_LIBRARY('nss_winbind',
+			  source='winbind_nss_solaris.c winbind_nss_linux.c',
+			  deps='winbind-client',
+			  realname='nss_winbind.so.1',
+			  vnum='1')
+elif (host_os.rfind('hpux') > -1):
+	bld.SAMBA_LIBRARY('nss_winbind',
+			  source='winbind_nss_linux.c',
+			  deps='winbind-client', 
+			  realname='libnss_winbind.so')
+elif (host_os.rfind('aix') > -1):
+	bld.SAMBA_LIBRARY('nss_winbind',
+			  source='winbind_nss_aix.c',
+			  deps='winbind-client', 
+			  realname='libnss_winbind.so')
+
+if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
 	bld.SAMBA_LIBRARY('pamwinbind',
 		source='pam_winbind.c',
-		deps='intl talloc wbclient winbind-client LIBINIPARSER pam',
+		deps='intl talloc wbclient winbind-client iniparser pam',
 		cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
 		realname='pam_winbind.so',
+		install_path='${PAMMODULESDIR}'
 		)
 
 if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
 	bld.SAMBA_LIBRARY('winbind_krb5_locator',
 		source='winbind_krb5_locator.c',
-		deps='wbclient krb5',
+		deps='wbclient krb5 com_err',
 		realname='winbind_krb5_locator.so')
 
 bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
 	source='wb_reqtrans.c',
 	deps='talloc tevent LIBASYNC_REQ'
 	)
+
+bld.SAMBA_BINARY('wbinfo',
+	source='wbinfo.c',
+	deps='samba-util LIBCLI_AUTH popt POPT_SAMBA wbclient LIBAFS_SETTOKEN'
+	)
diff --git a/nsswitch/wscript_configure b/nsswitch/wscript_configure
index 7d6ea82879..3048f48c24 100644
--- a/nsswitch/wscript_configure
+++ b/nsswitch/wscript_configure
@@ -4,3 +4,19 @@ conf.CHECK_HEADERS('nss.h nss_common.h ns_api.h')
 
 conf.CHECK_HEADERS('security/pam_appl.h security/pam_modules.h pam/pam_modules.h', together=True)
 conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True, headers='security/pam_appl.h')
+
+# Solaris 10 does have new member in nss_XbyY_key
+conf.CHECK_STRUCTURE_MEMBER('union nss_XbyY_key', 'ipnode.af_family', 
+                            define='HAVE_NSS_XBYY_KEY_IPNODE',
+                            headers='nss_dbdefs.h')
+
+# Solaris has some extra fields in struct passwd that need to be
+# initialised otherwise nscd crashes.
+
+conf.CHECK_STRUCTURE_MEMBER('struct passwd', 'pw_comment',
+                            define='HAVE_PASSWD_PW_COMMENT',
+                            headers='pwd.h')
+
+conf.CHECK_STRUCTURE_MEMBER('struct passwd', 'pw_age',
+                            define='HAVE_PASSWD_PW_AGE',
+                            headers='pwd.h')