diff -Nru samba-3.4.7~dfsg/debian/changelog samba-3.4.7~dfsg/debian/changelog
--- samba-3.4.7~dfsg/debian/changelog 2010-09-09 16:58:53.000000000 +0300
+++ samba-3.4.7~dfsg/debian/changelog 2011-01-16 10:38:21.000000000 +0200
@@ -1,3 +1,12 @@
+samba (2:3.4.7~dfsg-1ubuntu3.3) lucid-proposed; urgency=low
+
+ * debian/patches/spnego-auth-win7.patch: SPNEGO auth fails when contacting Win7
+ system using Microsoft Live Sign-in Assistant. (LP: #458637). Patch taken
+ from upstream (https://bugzilla.samba.org/show_bug.cgi?id=7577)
+
+ -- PhobosK Fri, 16 Jan 2010 07:52:30 +0300
+
+
 samba (2:3.4.7~dfsg-1ubuntu3.2) lucid-security; urgency=low
 
 * SECURITY UPDATE: denial of service and possible arbitrary code
diff -Nru samba-3.4.7~dfsg/debian/patches/series samba-3.4.7~dfsg/debian/patches/series
--- samba-3.4.7~dfsg/debian/patches/series 2010-09-09 16:52:09.000000000 +0300
+++ samba-3.4.7~dfsg/debian/patches/series 2011-01-16 10:35:39.000000000 +0200
@@ -16,3 +16,5 @@
 security-CVE-2009-3297.patch
 ubuntu-gecos-fix.patch
 security-CVE-2010-3069.patch
+spnego-auth-win7.patch
+
diff -Nru samba-3.4.7~dfsg/debian/patches/spnego-auth-win7.patch samba-3.4.7~dfsg/debian/patches/spnego-auth-win7.patch
--- samba-3.4.7~dfsg/debian/patches/spnego-auth-win7.patch 1970-01-01 02:00:00.000000000 +0200
+++ samba-3.4.7~dfsg/debian/patches/spnego-auth-win7.patch 2011-01-16 10:00:25.000000000 +0200
@@ -0,0 +1,72 @@
+diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
+index 8e51e89..f091842 100644
+--- a/source3/libsmb/clispnego.c
++++ b/source3/libsmb/clispnego.c
+@@ -4,7 +4,7 @@
+ Copyright (C) Andrew Tridgell 2001
+ Copyright (C) Jim McDonough 2002
+ Copyright (C) Luke Howard 2003
+-
++
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+@@ -145,9 +145,16 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob,
+ asn1_start_tag(data,ASN1_APPLICATION(0));
+ 
+ asn1_check_OID(data,OID_SPNEGO);
++
++ /* negTokenInit [0] NegTokenInit */
+ asn1_start_tag(data,ASN1_CONTEXT(0));
+ asn1_start_tag(data,ASN1_SEQUENCE(0));
+ 
++ /* mechTypes [0] MechTypeList OPTIONAL */
++
++ /* Not really optional, we depend on this to decide
++ * what mechanisms we have to work with. */
++
+ asn1_start_tag(data,ASN1_CONTEXT(0));
+ asn1_start_tag(data,ASN1_SEQUENCE(0));
+ for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
+@@ -160,7 +167,40 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob,
+ asn1_end_tag(data);
+ 
+ *principal = NULL;
+- if (asn1_tag_remaining(data) > 0) {
++
++
++ /*
++ Win7 + Live Sign-in Assistant attaches a mechToken
++ ASN1_CONTEXT(2) to the negTokenInit packet
++ which breaks our negotiation if we just assume
++ the next tag is ASN1_CONTEXT(3).
++ */
++
++ if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
++ uint8 flags;
++
++ /* reqFlags [1] ContextFlags OPTIONAL */
++ asn1_start_tag(data, ASN1_CONTEXT(1));
++ asn1_start_tag(data, ASN1_BITFIELD);
++ while (asn1_tag_remaining(data) > 0) {
++ asn1_read_uint8(data, &flags);
++ }
++ asn1_end_tag(data);
++ asn1_end_tag(data);
++ }
++
++ if (asn1_peek_tag(data, ASN1_CONTEXT(2))) {
++ /* mechToken [2] OCTET STRING OPTIONAL */
++ DATA_BLOB token;
++ asn1_start_tag(data, ASN1_CONTEXT(2));
++ asn1_read_OctetString(data, NULL, &token);
++ asn1_end_tag(data);
++ /* Throw away the token - not used. */
++ data_blob_free(&token);
++ }
++
++ if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
++ /* mechListMIC [3] OCTET STRING OPTIONAL */
+ asn1_start_tag(data, ASN1_CONTEXT(3));
+ asn1_start_tag(data, ASN1_SEQUENCE(0));
+ asn1_start_tag(data, ASN1_CONTEXT(0));
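Review bot: None of the asn1_* calls added to spnego_parse_negTokenInit in the reqFlags [1] and mechToken [2] branches has its return value checked, so a malformed server-supplied negTokenInit is rejected only if the asn1 layer latches an error in `data` and the function tests it after the last tag; that test and the end of the function are outside this hunk and should be confirmed. In the mechToken branch `data_blob_free(&token)` runs even when `asn1_read_OctetString` fails, which is safe only if that helper clears the blob before every failure return; declaring `DATA_BLOB token = data_blob_null;` would remove that dependency. `flags` is written in the loop and never read, so a comment such as `/* reqFlags are parsed only to skip past them; the value is not used. */` would say so, in line with the existing "Throw away the token" comment.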