Imported Debian patch 4.0.5-6~numeezy

2016-02-17 15:07:45 +01:00
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -1,19 +1,16 @@
 NULL =
-LIBPDB_NAME = @LIBPDB_NAME@
 SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
 			-lsmbldap		\
-			-l$(LIBPDB_NAME)			\
+			-lpdb			\
 			-lsmbconf		\
 			$(NULL)

 KRB5_UTIL_DIR=../../util
 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
-ASN1_UTIL_DIR=../../asn1

 AM_CPPFLAGS =						\
 	-I.						\
 	-I$(srcdir)					\
-	-I$(ASN1_UTIL_DIR)				\
 	-I/usr/include/samba-4.0			\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
@@ -56,7 +53,6 @@ ipasam_la_LIBADD = 		\
 	$(NDR_LIBS)		\
 	$(SAMBA40EXTRA_LIBS)	\
 	$(SSSIDMAP_LIBS)	\
-	$(ASN1_UTIL_DIR)/libipaasn1.la  \
 	$(NULL)

 EXTRA_DIST =			\
--- a/daemons/ipa-sam/Makefile.in
+++ b/daemons/ipa-sam/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@

-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.

 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -15,17 +15,7 @@
@SET_MAKE@

 VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
  case $${target_option-} in \
      ?) ;; \
@@ -89,12 +79,13 @@ POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
 subdir = ipa-sam
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+	$(top_srcdir)/depcomp README
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
@@ -134,7 +125,7 @@ ipasam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
-	$(ASN1_UTIL_DIR)/libipaasn1.la $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_1)
 am__objects_1 = ipa_krb5.lo ipa_pwd_ntlm.lo
 am__objects_2 =
 am_ipasam_la_OBJECTS = ipa_sam.lo $(am__objects_1) $(am__objects_2)
@@ -206,7 +197,6 @@ am__define_uniq_tagged_files = \
  done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp README
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -253,7 +243,6 @@ LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
 LIBOBJS = @LIBOBJS@
-LIBPDB_NAME = @LIBPDB_NAME@
 LIBS = @LIBS@
 LIBTOOL = @LIBTOOL@
 LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
@@ -261,7 +250,6 @@ LIBVERTO_LIBS = @LIBVERTO_LIBS@
 LIPO = @LIPO@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
 MAINT = @MAINT@
 MAKEINFO = @MAKEINFO@
 MANIFEST_TOOL = @MANIFEST_TOOL@
@@ -373,7 +361,6 @@ pythondir = @pythondir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
-subdirs = @subdirs@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 target_alias = @target_alias@
@@ -383,17 +370,15 @@ top_srcdir = @top_srcdir@
 NULL = 
 SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
 			-lsmbldap		\
-			-l$(LIBPDB_NAME)			\
+			-lpdb			\
 			-lsmbconf		\
 			$(NULL)

 KRB5_UTIL_DIR = ../../util
 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
-ASN1_UTIL_DIR = ../../asn1
 AM_CPPFLAGS = \
 	-I.						\
 	-I$(srcdir)					\
-	-I$(ASN1_UTIL_DIR)				\
 	-I/usr/include/samba-4.0			\
 	-DPREFIX=\""$(prefix)"\" 			\
 	-DBINDIR=\""$(bindir)"\"			\
@@ -436,7 +421,6 @@ ipasam_la_LIBADD = \
 	$(NDR_LIBS)		\
 	$(SAMBA40EXTRA_LIBS)	\
 	$(SSSIDMAP_LIBS)	\
-	$(ASN1_UTIL_DIR)/libipaasn1.la  \
 	$(NULL)

 EXTRA_DIST = \
@@ -464,6 +448,7 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__confi
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign ipa-sam/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign ipa-sam/Makefile
+.PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -779,8 +764,6 @@ uninstall-am: uninstall-pluginLTLIBRARIES
 	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
 	uninstall-pluginLTLIBRARIES

-.PRECIOUS: Makefile
-

 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -19,12 +19,6 @@
 #include <util/data_blob.h>
 #include <util/time.h>
 #include <util/debug.h>
-#include <util/talloc_stack.h>
-
-#ifndef _SAMBA_UTIL_H_
-bool trim_string(char *s, const char *front, const char *back);
-char *smb_xstrdup(const char *s);
-#endif

 #include <core/ntstatus.h>
 #include <gen_ndr/security.h>
@@ -37,7 +31,7 @@ char *smb_xstrdup(const char *s);
 #include <sasl/sasl.h>
 #include <krb5/krb5.h>
 #include <sss_idmap.h>
-#include "ipa_asn1.h"
+#include "ipa_krb5.h"
 #include "ipa_pwd.h"
 #include "ipa_mspac.h"

@@ -152,10 +146,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 #define LDAP_OBJ_KRB_PRINCIPAL "krbPrincipal"
 #define LDAP_OBJ_KRB_PRINCIPAL_AUX "krbPrincipalAux"
 #define LDAP_OBJ_KRB_TICKET_POLICY_AUX "krbTicketPolicyAux"
-#define LDAP_ATTRIBUTE_KRB_CANONICAL "krbCanonicalName"
 #define LDAP_ATTRIBUTE_KRB_PRINCIPAL "krbPrincipalName"
-#define LDAP_ATTRIBUTE_KRB_TICKET_FLAGS "krbTicketFlags"
-#define LDAP_ATTRIBUTE_IPAOPALLOW "ipaAllowedToPerform;read_keys"

 #define LDAP_OBJ_IPAOBJECT "ipaObject"
 #define LDAP_OBJ_IPAHOST "ipaHost"
@@ -166,13 +157,9 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 #define LDAP_OBJ_IPAUSERGROUP "ipaUserGroup"
 #define LDAP_OBJ_POSIXGROUP "posixGroup"
 #define LDAP_OBJ_DOMAINRELATED "domainRelatedObject"
-#define LDAP_OBJ_IPAOPALLOW "ipaAllowedOperations"

 #define LDAP_CN_REALM_DOMAINS "cn=Realm Domains,cn=ipa,cn=etc"

-#define LDAP_CN_ADTRUST_AGENTS "cn=adtrust agents,cn=sysaccounts,cn=etc"
-#define LDAP_CN_ADTRUST_ADMINS "cn=trust admins,cn=groups,cn=accounts"
-
 #define HAS_KRB_PRINCIPAL (1<<0)
 #define HAS_KRB_PRINCIPAL_AUX (1<<1)
 #define HAS_IPAOBJECT (1<<2)
@@ -184,9 +171,6 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 #define HAS_POSIXGROUP (1<<8)
 #define HAS_KRB_TICKET_POLICY_AUX (1<<9)

-/* krbTicketFlags flag to don't allow issuing any ticket, keep in decimal form for LDAP use*/
-#define IPASAM_DISALLOW_ALL_TIX 64
-
 const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5},
 					   {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};

@@ -1023,22 +1007,6 @@ done:
 	return ret;
 }

-#if PASSDB_INTERFACE_VERSION >= 24
-/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
-static bool ipasam_id_to_sid(struct pdb_methods *methods, struct unixid *id, struct dom_sid *sid)
-{
-	bool result = false;
-
-	if (id->type != ID_TYPE_GID) {
-		result = ldapsam_uid_to_sid(methods, id->id, sid);
-	}
-	if (!result && id->type != ID_TYPE_UID) {
-		result = ldapsam_gid_to_sid(methods, id->id, sid);
-	}
-
-	return result;
-}
-#endif

 static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
 {
@@ -1693,41 +1661,61 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state,
 	return true;
 }

-#define DEF_ENCTYPE_NUM 3
-long default_enctypes[DEF_ENCTYPE_NUM] = {
-    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-    ENCTYPE_ARCFOUR_HMAC
-};
-
 static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,
-			      const char *princ,
-			      const char *pwd)
+			      TALLOC_CTX *mem_ctx,
+			      const char *princ, const char *pwd,
+			      const char *base_dn)
 {
 	int ret;
-        size_t buflen;
-        void *buffer = NULL;
-	struct berval reqdata = { 0 };
+	krb5_error_code krberr;
+	krb5_context krbctx;
+	krb5_principal service_princ;
+	struct keys_container keys = {0, NULL};
+	char *err_msg;
+	struct berval *reqdata = NULL;
 	struct berval *retdata = NULL;
        char *retoid;

-        ret = ipaasn1_enc_getkt(true, princ, pwd,
-                                default_enctypes, DEF_ENCTYPE_NUM,
-                                &buffer, &buflen);
-        if (!ret) goto done;
+	krberr = krb5_init_context(&krbctx);
+	if (krberr != 0) {
+		DEBUG(1, ("krb5_init_context failed.\n"));
+		ret = krberr;
+		goto done;
+	}

-        reqdata.bv_len = buflen;
-        reqdata.bv_val = buffer;
+	krberr = krb5_parse_name(krbctx, princ, &service_princ);
+	if (krberr != 0) {
+		DEBUG(1, ("Invalid Service Principal Name [%s]\n", princ));
+		ret = krberr;
+		goto done;
+	}
+
+	ret = create_keys(krbctx, service_princ, discard_const(pwd), NULL,
+                          &keys, &err_msg);
+	krb5_free_principal(krbctx, service_princ);
+	if (!ret) {
+		if (err_msg != NULL) {
+			DEBUG(1, ("create_keys returned [%s]\n", err_msg));
+		}
+		goto done;
+	}
+
+	reqdata = create_key_control(&keys, princ);
+	if (reqdata == NULL) {
+		DEBUG(1, ("Failed to create reqdata!\n"));
+		ret= ENOMEM;
+		goto done;
+	}

 	ret = smbldap_extended_operation(ldap_state->smbldap_state,
-					 KEYTAB_GET_OID, &reqdata, NULL, NULL,
+					 KEYTAB_SET_OID, reqdata, NULL, NULL,
 					 &retoid, &retdata);
 	if (ret != LDAP_SUCCESS) {
 		DEBUG(1, ("smbldap_extended_operation failed!\n"));
 		goto done;
 	}

-	/* So far we do not care about the result */
+	/* So far we do not care abot the result */
 	ldap_memfree(retoid);
 	if (retdata != NULL) {
 		ber_bvfree(retdata);
@@ -1735,20 +1723,19 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state,

 	ret = 0;
 done:
-        free(buffer);
+	if (reqdata != NULL) {
+	    ber_bvfree(reqdata);
+	}
+	free_keys_contents(krbctx, &keys);
+	krb5_free_context(krbctx);
+
 	return ret;
 }

-#define KRB_PRINC_CREATE_DEFAULT            0x00000000
-#define KRB_PRINC_CREATE_DISABLED           0x00000001
-#define KRB_PRINC_CREATE_AGENT_PERMISSION   0x00000002
-
 static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 			  TALLOC_CTX *mem_ctx,
-			  const char *princ, const char *saltprinc,
-			  const char *pwd,
-			  const char *base_dn,
-			  uint32_t   create_flags)
+			  const char *princ, const char *pwd,
+			  const char *base_dn)
 {
 	LDAPMessage *entry = NULL;
 	LDAPMod **mods = NULL;
@@ -1799,41 +1786,8 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 				LDAP_OBJ_KRB_TICKET_POLICY_AUX);
 	}

-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			 LDAP_ATTRIBUTE_KRB_CANONICAL, princ);
-	smbldap_set_mod(&mods, LDAP_MOD_ADD,
+	smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
 			 LDAP_ATTRIBUTE_KRB_PRINCIPAL, princ);
-        if (saltprinc) {
-	    smbldap_set_mod(&mods, LDAP_MOD_ADD,
-			    LDAP_ATTRIBUTE_KRB_PRINCIPAL, saltprinc);
-        }
-
-	if ((create_flags & KRB_PRINC_CREATE_DISABLED)) {
-		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
-				LDAP_ATTRIBUTE_KRB_TICKET_FLAGS, __TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX));
-	}
-
-	if ((create_flags & KRB_PRINC_CREATE_AGENT_PERMISSION)) {
-		char *agent_dn = NULL;
-		agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_AGENTS",%s", ldap_state->ipasam_privates->base_dn);
-		if (agent_dn == NULL) {
-			DEBUG(1, ("error configuring cross realm principal data!\n"));
-			return false;
-		}
-		smbldap_set_mod(&mods, LDAP_MOD_ADD,
-				LDAP_ATTRIBUTE_OBJECTCLASS,
-				LDAP_OBJ_IPAOPALLOW);
-		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
-				LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
-		agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ldap_state->ipasam_privates->base_dn);
-		if (agent_dn == NULL) {
-			DEBUG(1, ("error configuring cross realm principal data for trust admins!\n"));
-			return false;
-		}
-		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
-				LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn);
-	}
-

 	if (entry == NULL) {
 		ret = smbldap_add(ldap_state->smbldap_state, dn, mods);
@@ -1845,7 +1799,7 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state,
 		return false;
 	}

-	ret = set_cross_realm_pw(ldap_state, saltprinc ? saltprinc : princ, pwd);
+	ret = set_cross_realm_pw(ldap_state, mem_ctx, princ, pwd, base_dn);
 	if (ret != 0) {
 		DEBUG(1, ("set_cross_realm_pw failed.\n"));
 		return false;
@@ -1888,14 +1842,11 @@ enum princ_mod {

 static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state,
 				      const char *domain, const char *pwd,
-				      uint32_t trust_direction,
 				      enum princ_mod mod)
 {
 	char *trusted_dn;
 	char *princ_l;
 	char *princ_r;
-	char *princ_tdo;
-	char *saltprinc_tdo;
 	char *remote_realm;
 	bool ok;
 	TALLOC_CTX *tmp_ctx;
@@ -1918,40 +1869,27 @@ static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state,
 	princ_r = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
 			ldap_state->ipasam_privates->realm, remote_realm);

-	princ_tdo = talloc_asprintf(tmp_ctx, "%s$@%s",
-			ldap_state->ipasam_privates->flat_name, remote_realm);
-
-	saltprinc_tdo = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s",
-			ldap_state->ipasam_privates->flat_name, remote_realm);
-
-	if (trusted_dn == NULL || princ_l == NULL ||
-	    princ_r == NULL || princ_tdo == NULL || saltprinc_tdo == NULL) {
+	if (trusted_dn == NULL || princ_l == NULL || princ_r == NULL) {
 		ok = false;
 		goto done;
 	}

 	switch (mod) {
 		case SET_PRINC:
-			/* Create Kerberos principal for inbound trust, enabled by default */
-			ok   = set_krb_princ(ldap_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
-			/* Create Kerberos principal corresponding to TDO in AD for SSSD usage, disabled by default */
-			ok |= set_krb_princ(ldap_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn,
-					    KRB_PRINC_CREATE_DISABLED | KRB_PRINC_CREATE_AGENT_PERMISSION);
-			if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
-				/* Create Kerberos principal for outbound trust, enabled by default */
-				ok |= set_krb_princ(ldap_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT);
-			}
-			if (!ok) {
+			if (!set_krb_princ(ldap_state, tmp_ctx, princ_l, pwd,
+					   trusted_dn) ||
+			    !set_krb_princ(ldap_state, tmp_ctx, princ_r, pwd,
+					   trusted_dn)) {
+				ok = false;
 				goto done;
 			}
 			break;
 		case DEL_PRINC:
-			ok  = del_krb_princ(ldap_state, tmp_ctx, princ_r, trusted_dn);
-			ok |= del_krb_princ(ldap_state, tmp_ctx, princ_tdo, trusted_dn);
-			if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) {
-				ok |= del_krb_princ(ldap_state, tmp_ctx, princ_l, trusted_dn);
-			}
-			if (!ok) {
+			if (!del_krb_princ(ldap_state, tmp_ctx, princ_l,
+					   trusted_dn) ||
+			    !del_krb_princ(ldap_state, tmp_ctx, princ_r,
+					   trusted_dn)) {
+				ok = false;
 				goto done;
 			}
 			break;
@@ -1968,16 +1906,15 @@ done:
 }

 static bool set_cross_realm_princs(struct ldapsam_privates *ldap_state,
-				   const char *domain, const char *pwd, uint32_t trust_direction)
+				   const char *domain, const char *pwd)
 {
-	return handle_cross_realm_princs(ldap_state, domain, pwd, trust_direction, SET_PRINC);
+	return handle_cross_realm_princs(ldap_state, domain, pwd, SET_PRINC);
 }

 static bool del_cross_realm_princs(struct ldapsam_privates *ldap_state,
 				   const char *domain)
 {
-	uint32_t trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND;
-	return handle_cross_realm_princs(ldap_state, domain, NULL, trust_direction, DEL_PRINC);
+	return handle_cross_realm_princs(ldap_state, domain, NULL, DEL_PRINC);
 }

 static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state,
@@ -2086,12 +2023,11 @@ static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state,
 	}

 	l = strtoul(dummy, &endptr, 10);
+	TALLOC_FREE(dummy);

 	if (l < 0 || l > UINT32_MAX || *endptr != '\0') {
-		TALLOC_FREE(dummy);
 		return false;
 	}
-	TALLOC_FREE(dummy);

 	*val = l;

@@ -2566,7 +2502,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
 			goto done;
 		}
 		res = set_cross_realm_princs(ldap_state, td->domain_name,
-					     trustpw, td->trust_direction);
+					     trustpw);
 		memset(trustpw, 0, strlen(trustpw));
 		if (!res) {
 			DEBUG(1, ("error writing cross realm principals!\n"));
@@ -3011,16 +2947,14 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
 	enum idmap_error_code err;
 	struct unixid id;

-	tmp_ctx = talloc_init("ipasam_get_sid_by_gid");
+	tmp_ctx = talloc_new("ipasam_get_sid_by_gid");
 	if (tmp_ctx == NULL) {
 		return ENOMEM;
 	}

-	filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s)(%s=%lu))",
+	filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%lu))",
 					  LDAP_ATTRIBUTE_OBJECTCLASS,
 					  LDAP_OBJ_POSIXGROUP,
-					  LDAP_ATTRIBUTE_OBJECTCLASS,
-					  LDAP_OBJ_GROUPMAP,
 					  LDAP_ATTRIBUTE_GIDNUMBER,
 					  (unsigned long) gid);
 	if (filter == NULL) {
@@ -4299,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 	krb5_free_principal(data.context, in_creds.server);
 	krb5_free_principal(data.context, in_creds.client);

-	if (rc != 0 && rc != KRB5KRB_AP_ERR_TKT_NYV && rc != KRB5KRB_AP_ERR_TKT_EXPIRED) {
+	if (rc) {
 		rc = bind_callback_obtain_creds(&data);
 		if (rc) {
 			bind_callback_cleanup(&data, rc);
@@ -4645,13 +4579,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
 	(*pdb_method)->search_aliases = ldapsam_search_aliases;
 	(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
 	(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
-#if PASSDB_INTERFACE_VERSION >= 24
-/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
-	(*pdb_method)->id_to_sid = ipasam_id_to_sid;
-#else
 	(*pdb_method)->uid_to_sid = ldapsam_uid_to_sid;
 	(*pdb_method)->gid_to_sid = ldapsam_gid_to_sid;
-#endif

 	(*pdb_method)->capabilities = pdb_ipasam_capabilities;
 	(*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;