diff --git a/samba-3.5.4-winbind-schannel.patch b/samba-3.5.4-winbind-schannel.patch
index 210523d..5bb68dc 100644
--- a/samba-3.5.4-winbind-schannel.patch
+++ b/samba-3.5.4-winbind-schannel.patch
@@ -85,83 +85,83 @@ index f8e49cc..f466a94 100644
 @@ -2016,30 +2016,30 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
  /**********************************************************************
  ***********************************************************************/
-
+ 
 -static bool cm_get_schannel_creds(struct winbindd_domain *domain,
 +static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
-				   struct netlogon_creds_CredentialState **ppdc)
+ 				   struct netlogon_creds_CredentialState **ppdc)
  {
 -	NTSTATUS result;
 +	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	struct rpc_pipe_client *netlogon_pipe;
-
-	if (lp_client_schannel() == False) {
+ 	struct rpc_pipe_client *netlogon_pipe;
+ 
+ 	if (lp_client_schannel() == False) {
 -		return False;
 +		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;;
-	}
-
-	result = cm_connect_netlogon(domain, &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(result)) {
+ 	}
+ 
+ 	result = cm_connect_netlogon(domain, &netlogon_pipe);
+ 	if (!NT_STATUS_IS_OK(result)) {
 -		return False;
 +		return result;
-	}
-
-	/* Return a pointer to the struct netlogon_creds_CredentialState from the
-	   netlogon pipe. */
-
-	if (!domain->conn.netlogon_pipe->dc) {
+ 	}
+ 
+ 	/* Return a pointer to the struct netlogon_creds_CredentialState from the
+ 	   netlogon pipe. */
+ 
+ 	if (!domain->conn.netlogon_pipe->dc) {
 -		return false;
 +		return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
-	}
-
-	*ppdc = domain->conn.netlogon_pipe->dc;
+ 	}
+ 
+ 	*ppdc = domain->conn.netlogon_pipe->dc;
 -	return True;
 +	return NT_STATUS_OK;
  }
-
+ 
  NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 @@ -2136,10 +2136,13 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-
-	/* Fall back to schannel if it's a W2K pre-SP1 box. */
-
+ 
+ 	/* Fall back to schannel if it's a W2K pre-SP1 box. */
+ 
 -	if (!cm_get_schannel_creds(domain, &p_creds)) {
 +	result = cm_get_schannel_creds(domain, &p_creds);
 +	if (!NT_STATUS_IS_OK(result)) {
-		/* If this call fails - conn->cli can now be NULL ! */
-		DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
+ 		/* If this call fails - conn->cli can now be NULL ! */
+ 		DEBUG(10, ("cm_connect_sam: Could not get schannel auth info "
 -			   "for domain %s, trying anon\n", domain->name));
 +			   "for domain %s (error %s), trying anon\n",
 +			domain->name,
 +			nt_errstr(result) ));
-		goto anonymous;
-	}
-	result = cli_rpc_pipe_open_schannel_with_key
+ 		goto anonymous;
+ 	}
+ 	result = cli_rpc_pipe_open_schannel_with_key
 @@ -2252,7 +2255,8 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
-
-	TALLOC_FREE(conn->lsa_pipe_tcp);
-
+ 
+ 	TALLOC_FREE(conn->lsa_pipe_tcp);
+ 
 -	if (!cm_get_schannel_creds(domain, &creds)) {
 +	status = cm_get_schannel_creds(domain, &creds);
 +	if (!NT_STATUS_IS_OK(status)) {
-		goto done;
-	}
-
+ 		goto done;
+ 	}
+ 
 @@ -2344,10 +2348,13 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
-
-	/* Fall back to schannel if it's a W2K pre-SP1 box. */
-
+ 
+ 	/* Fall back to schannel if it's a W2K pre-SP1 box. */
+ 
 -	if (!cm_get_schannel_creds(domain, &p_creds)) {
 +	result = cm_get_schannel_creds(domain, &p_creds);
 +	if (!NT_STATUS_IS_OK(result)) {
-		/* If this call fails - conn->cli can now be NULL ! */
-		DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
+ 		/* If this call fails - conn->cli can now be NULL ! */
+ 		DEBUG(10, ("cm_connect_lsa: Could not get schannel auth info "
 -			   "for domain %s, trying anon\n", domain->name));
 +			   "for domain %s (error %s), trying anon\n",
 +			domain->name,
 +			nt_errstr(result) ));
-		goto anonymous;
-	}
-	result = cli_rpc_pipe_open_schannel_with_key
---
+ 		goto anonymous;
+ 	}
+ 	result = cli_rpc_pipe_open_schannel_with_key
+-- 
 1.7.2.1
 
 
@@ -197,22 +197,22 @@ index 87d1866..504f594 100644
  #include "../lib/crypto/crypto.h"
  #include "libcli/auth/libcli_auth.h"
 +#include "../libcli/security/dom_sid.h"
-
+ 
  static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
-				      const struct netr_Credential *in,
+ 				      const struct netr_Credential *in,
 @@ -202,7 +203,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
-								  struct netr_Credential *initial_credential,
-								  uint32_t negotiate_flags)
+ 								  struct netr_Credential *initial_credential,
+ 								  uint32_t negotiate_flags)
  {
 -	struct netlogon_creds_CredentialState *creds = talloc(mem_ctx, struct netlogon_creds_CredentialState);
 +	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-
-	if (!creds) {
-		return NULL;
+ 	
+ 	if (!creds) {
+ 		return NULL;
 @@ -453,3 +454,46 @@ void netlogon_creds_decrypt_samlogon(struct netlogon_creds_CredentialState *cred
-	}
- }
-
+ 	}
+ }	
+ 
 +/*
 +  copy a netlogon_creds_CredentialState struct
 +*/
@@ -261,12 +261,12 @@ index e09cdee..c3878f5 100644
 --- a/libcli/auth/proto.h
 +++ b/libcli/auth/proto.h
 @@ -35,6 +35,8 @@ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *
-				struct netr_Authenticator *next);
+ 				struct netr_Authenticator *next);
  bool netlogon_creds_client_check(struct netlogon_creds_CredentialState *creds,
-			const struct netr_Credential *received_credentials);
+ 			const struct netr_Credential *received_credentials);
 +struct netlogon_creds_CredentialState *netlogon_creds_copy(TALLOC_CTX *mem_ctx,
 +							   struct netlogon_creds_CredentialState *creds_in);
-
+ 
  /*****************************************************************
  The above functions are common to the client and server interface
 diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
@@ -274,29 +274,30 @@ index ee60c1d..06b9c5d 100644
 --- a/source3/rpc_client/cli_pipe.c
 +++ b/source3/rpc_client/cli_pipe.c
 @@ -3213,7 +3213,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
-	result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
-	result->a_u.schannel_auth->seq_num = 0;
-	result->a_u.schannel_auth->initiator = true;
+ 	result->a_u.schannel_auth->state = SCHANNEL_STATE_START;
+ 	result->a_u.schannel_auth->seq_num = 0;
+ 	result->a_u.schannel_auth->initiator = true;
 -	result->a_u.schannel_auth->creds = creds;
 +	result->a_u.schannel_auth->creds = netlogon_creds_copy(result, creds);
-
-	*presult = result;
-	return NT_STATUS_OK;
+ 
+ 	*presult = result;
+ 	return NT_STATUS_OK;
 @@ -4044,9 +4044,13 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-
-	/*
-	 * The credentials on a new netlogon pipe are the ones we are passed
+ 
+ 	/*
+ 	 * The credentials on a new netlogon pipe are the ones we are passed
 -	 * in - reference them in
 +	 * in - copy them over
-	 */
+ 	 */
 -	result->dc = talloc_move(result, pdc);
 +	result->dc = netlogon_creds_copy(result, *pdc);
 +	if (result->dc == NULL) {
 +		TALLOC_FREE(result);
 +		return NT_STATUS_NO_MEMORY;
 +	}
-
-	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
-		  "for domain %s and bound using schannel.\n",
---
+ 
+ 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ 		  "for domain %s and bound using schannel.\n",
+-- 
 1.7.2.1
+