diff -Nru samba-3.4.7~dfsg/debian/changelog samba-3.4.7~dfsg/debian/changelog
--- samba-3.4.7~dfsg/debian/changelog 2011-02-23 18:20:00.000000000 +0000
+++ samba-3.4.7~dfsg/debian/changelog 2011-03-02 20:41:27.000000000 +0000
@@ -1,3 +1,11 @@
+samba (2:3.4.7~dfsg-1ubuntu3.5) lucid-proposed; urgency=low
+
+ * debian/patches/ntlm-auth-lp623342.patch: ntlm_auth returns an invalid
+ response key. (LP: #623342) Patch taken from upstream
+ (https://bugzilla.samba.org/show_bug.cgi?id=7568)
+
+ -- Stefano Rivera Wed, 02 Mar 2011 22:35:59 +0200
+
 samba (2:3.4.7~dfsg-1ubuntu3.4) lucid-security; urgency=low
 
 * SECURITY UPDATE: denial of service via missing range checks on file
diff -Nru samba-3.4.7~dfsg/debian/patches/ntlm-auth-lp623342.patch samba-3.4.7~dfsg/debian/patches/ntlm-auth-lp623342.patch
--- samba-3.4.7~dfsg/debian/patches/ntlm-auth-lp623342.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-3.4.7~dfsg/debian/patches/ntlm-auth-lp623342.patch 2011-03-02 20:41:28.000000000 +0000
@@ -0,0 +1,63 @@
+From 35a93e0732dbecb2cd45357f756e2985aba97db6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Mon, 9 Aug 2010 14:31:24 +0200
+Subject: [PATCH] s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.
+
+This is an important fix as the following could and is happening:
+
+* winbind authenticates a user via schannel secured netlogon samlogonex call,
+current secure channel cred state is stored in winbind state, winbind
+sucessfully decrypts session key from the info3
+
+* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
+secure channel on the dc)
+
+* subsequent samlogonex calls use the new secure channel creds on the dc to
+encrypt info3 session key, while winbind tries to use old schannel creds for
+decryption
+
+Guenther
+(cherry picked from commit be396411a4e1f3a174f8a44b6c062d834135e70a)
+
+Origin: upstream, https://bugzilla.samba.org/attachment.cgi?id=5893
+Bug-Samba: https://bugzilla.samba.org/show_bug.cgi?id=7568
+Bug-Ubuntu: https://bugs.launchpad.net/samba/+bug/623342
+Last-Update: 2011-02-26
+
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2187,6 +2187,7 @@
+ struct rpc_pipe_client **cli)
+ {
+ struct winbindd_cm_conn *conn;
++ struct dcinfo *dcinfo;
+ NTSTATUS status;
+ 
+ DEBUG(10,("cm_connect_lsa_tcp\n"));
+@@ -2206,14 +2207,19 @@
+ 
+ TALLOC_FREE(conn->lsa_pipe_tcp);
+ 
+- status = cli_rpc_pipe_open_schannel(conn->cli,
+- &ndr_table_lsarpc.syntax_id,
+- NCACN_IP_TCP,
+- PIPE_AUTH_LEVEL_PRIVACY,
+- domain->name,
+- &conn->lsa_pipe_tcp);
++ if (!cm_get_schannel_dcinfo(domain, &dcinfo)) {
++ goto done;
++ }
++
++ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
++ &ndr_table_lsarpc.syntax_id,
++ NCACN_IP_TCP,
++ PIPE_AUTH_LEVEL_PRIVACY,
++ domain->name,
++ dcinfo,
++ &conn->lsa_pipe_tcp);
+ if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(10,("cli_rpc_pipe_open_schannel failed: %s\n",
++ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
diff -Nru samba-3.4.7~dfsg/debian/patches/series samba-3.4.7~dfsg/debian/patches/series
--- samba-3.4.7~dfsg/debian/patches/series 2011-02-23 18:19:11.000000000 +0000
+++ samba-3.4.7~dfsg/debian/patches/series 2011-03-02 20:41:28.000000000 +0000
@@ -17,5 +17,5 @@
 ubuntu-gecos-fix.patch
 security-CVE-2010-3069.patch
 spnego-auth-win7.patch
-
 security-CVE-2011-0719.patch
+ntlm-auth-lp623342.patch
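Review bot: In the patch added as debian/patches/ntlm-auth-lp623342.patch, the new `goto done` taken when `cm_get_schannel_dcinfo()` fails does not assign `status`, and it runs directly after `TALLOC_FREE(conn->lsa_pipe_tcp)` has dropped the cached pipe. `cm_connect_lsa_tcp` begins before the hunk and the `done:` label lies after it, so neither the earlier value of `status` nor the exit handling is visible here; if `status` still holds success from an earlier call, the function would report success while handing back a NULL LSA pipe. Failing closed is safer: set an explicit error before the jump, e.g. `status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;`, and add a `DEBUG` line like the one used for the open failure so that missing schannel credential state can be told apart from a transport error in the logs.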