git.samba.org / ira / wip.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s3: Use sid_check_is_domain instead of a direct sid_equal
[ira/wip.git] / source3 / rpc_server / srv_samr_nt.c
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index e656e6c456958d9acefa23dc9b56d19139103726..3626cbdf2a04c2e90afc5c7705f91a7ecc939d62 100644 (file)
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -32,7 +32,9 @@
  */
 
 #include "includes.h"
+#include "smbd/globals.h"
 #include "../libcli/auth/libcli_auth.h"
+#include "../librpc/gen_ndr/srv_samr.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -77,7 +79,7 @@ typedef struct disp_info {
        struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
        struct pdb_search *aliases; /* enumaliases */
 
-       uint16 enum_acb_mask;
+       uint32_t enum_acb_mask;
        struct pdb_search *enum_users; /* enumusers with a mask */
 
        struct timed_event *cache_timeout_event; /* cache idle timeout
@@ -143,8 +145,8 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
        /* Add Full Access for Domain Admins if we are a DC */
 
        if ( IS_DC ) {
-               sid_copy( &domadmin_sid, get_global_sam_sid() );
-               sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
+               sid_compose(&domadmin_sid, get_global_sam_sid(),
+                           DOMAIN_GROUP_RID_ADMINS);
                init_sec_ace(&ace[i++], &domadmin_sid,
                        SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
        }
@@ -173,7 +175,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
  level of access for further checks.
 ********************************************************************/
 
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                                           SE_PRIV *rights, uint32 rights_mask,
                                           uint32 des_access, uint32 *acc_granted,
                                          const char *debug )
@@ -185,12 +187,13 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
           by privileges (mostly having to do with creating/modifying/deleting
           users and groups) */
 
-       if ( rights && user_has_any_privilege( token, rights ) ) {
+       if (rights && !se_priv_equal(rights, &se_priv_none) &&
+                       user_has_any_privilege(token, rights)) {
 
                saved_mask = (des_access & rights_mask);
                des_access &= ~saved_mask;
 
-               DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+               DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
                        rights_mask));
        }
 
@@ -234,27 +237,28 @@ done:
  Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
 ********************************************************************/
 
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
-                                       uint32_t *pacc_requested)
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+                           const struct unix_user_token *unix_token,
+                           uint32_t *pacc_requested)
 {
        if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
                return;
        }
        *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
 
-       /* At least try for generic read. */
-       *pacc_requested = GENERIC_READ_ACCESS;
+       /* At least try for generic read|execute - Everyone gets that. */
+       *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
 
        /* root gets anything. */
-       if (geteuid() == sec_initial_uid()) {
+       if (unix_token->uid == sec_initial_uid()) {
                *pacc_requested |= GENERIC_ALL_ACCESS;
                return;
        }
 
        /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
 
-       if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
-                       is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+       if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
+                       is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
                *pacc_requested |= GENERIC_ALL_ACCESS;
                return;
        }
@@ -262,9 +266,9 @@ static void map_max_allowed_access(const NT_USER_TOKEN *token,
        /* Full access for DOMAIN\Domain Admins. */
        if ( IS_DC ) {
                DOM_SID domadmin_sid;
-               sid_copy( &domadmin_sid, get_global_sam_sid() );
-               sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
-               if (is_sid_in_token(token, &domadmin_sid)) {
+               sid_compose(&domadmin_sid, get_global_sam_sid(),
+                           DOMAIN_GROUP_RID_ADMINS);
+               if (is_sid_in_token(nt_token, &domadmin_sid)) {
                        *pacc_requested |= GENERIC_ALL_ACCESS;
                        return;
                }
@@ -536,6 +540,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
        uint32    des_access = r->in.access_mask;
        NTSTATUS  status;
        size_t    sd_size;
+       uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
        SE_PRIV se_rights;
 
        /* find the connection policy handle. */
@@ -547,16 +552,34 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
        }
 
        /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
        se_map_generic( &des_access, &dom_generic_mapping );
 
+       /*
+        * Users with SeMachineAccount or SeAddUser get additional
+        * SAMR_DOMAIN_ACCESS_CREATE_USER access.
+        */
        se_priv_copy( &se_rights, &se_machine_account );
        se_priv_add( &se_rights, &se_add_users );
 
-       status = access_check_samr_object( psd, p->server_info->ptok,
-               &se_rights, GENERIC_RIGHTS_DOMAIN_WRITE, des_access,
+       /*
+        * Users with SeAddUser get the ability to manipulate groups
+        * and aliases.
+        */
+       if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+               extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+                               SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+                               SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+                               SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+                               SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+       }
+
+       status = access_check_object( psd, p->server_info->ptok,
+               &se_rights, extra_access, des_access,
                &acc_granted, "_samr_OpenDomain" );
 
        if ( !NT_STATUS_IS_OK(status) )
@@ -617,9 +640,9 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
        switch (sid_type) {
                case SID_NAME_USER:
                        become_root();
-                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
+                       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
                                               &min_password_length);
-                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+                       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                                               &password_properties);
                        unbecome_root();
 
@@ -751,7 +774,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        struct samr_alias_info *ainfo;
        NTSTATUS status;
        SEC_DESC * psd = NULL;
-       size_t sd_size;
+       size_t sd_size = 0;
 
        cinfo = policy_handle_find(p, r->in.handle,
                                   STD_RIGHT_READ_CONTROL_ACCESS, NULL,
@@ -920,6 +943,12 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
                return status;
        }
 
+       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+       if (!samr_array) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       *r->out.sam = samr_array;
+
        if (sid_check_is_builtin(&dinfo->sid)) {
                /* No users in builtin. */
                *r->out.resume_handle = *r->in.resume_handle;
@@ -927,12 +956,6 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
                return status;
        }
 
-       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
-       if (!samr_array) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       *r->out.sam = samr_array;
-
        become_root();
 
        /* AS ROOT !!!! */
@@ -1055,6 +1078,12 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
 
        DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
 
+       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+       if (!samr_array) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       *r->out.sam = samr_array;
+
        if (sid_check_is_builtin(&dinfo->sid)) {
                /* No groups in builtin. */
                *r->out.resume_handle = *r->in.resume_handle;
@@ -1062,11 +1091,6 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
                return status;
        }
 
-       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
-       if (!samr_array) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
        /* the domain group array is being allocated in the function below */
 
        become_root();
@@ -1091,10 +1115,15 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
        make_group_sam_entry_list(p->mem_ctx, &samr_entries,
                                  num_groups, groups);
 
+       if (MAX_SAM_ENTRIES <= num_groups) {
+               status = STATUS_MORE_ENTRIES;
+       } else {
+               status = NT_STATUS_OK;
+       }
+
        samr_array->count = num_groups;
        samr_array->entries = samr_entries;
 
-       *r->out.sam = samr_array;
        *r->out.num_entries = num_groups;
        *r->out.resume_handle = num_groups + *r->in.resume_handle;
 
@@ -1156,6 +1185,12 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
 
        DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
 
+       if (MAX_SAM_ENTRIES <= num_aliases) {
+               status = STATUS_MORE_ENTRIES;
+       } else {
+               status = NT_STATUS_OK;
+       }
+
        samr_array->count = num_aliases;
        samr_array->entries = samr_entries;
 
@@ -1376,12 +1411,10 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
 
        uint32 max_entries = r->in.max_entries;
-       uint32 enum_context = r->in.start_idx;
-       uint32 max_size = r->in.buf_size;
 
        union samr_DispInfo *disp_info = r->out.info;
 
-       uint32 temp_size=0, total_data_size=0;
+       uint32 temp_size=0;
        NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
        uint32 num_account = 0;
        enum remote_arch_types ra_type = get_remote_arch();
@@ -1437,9 +1470,9 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        }
 
        /* first limit the number of entries we will return */
-       if(max_entries > max_sam_entries) {
+       if (r->in.max_entries > max_sam_entries) {
                DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
-                         "entries, limiting to %d\n", max_entries,
+                         "entries, limiting to %d\n", r->in.max_entries,
                          max_sam_entries));
                max_entries = max_sam_entries;
        }
@@ -1449,8 +1482,8 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
 
        temp_size=max_entries*struct_size;
 
-       if (temp_size>max_size) {
-               max_entries=MIN((max_size/struct_size),max_entries);;
+       if (temp_size > r->in.buf_size) {
+               max_entries = MIN((r->in.buf_size / struct_size),max_entries);;
                DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
                          "only %d entries\n", max_entries));
        }
@@ -1460,8 +1493,8 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        /* THe following done as ROOT. Don't return without unbecome_root(). */
 
        switch (r->in.level) {
-       case 0x1:
-       case 0x4:
+       case 1:
+       case 4:
                if (dinfo->disp_info->users == NULL) {
                        dinfo->disp_info->users = pdb_search_users(
                                dinfo->disp_info, ACB_NORMAL);
@@ -1470,17 +1503,17 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                return NT_STATUS_ACCESS_DENIED;
                        }
                        DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                } else {
                        DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                }
 
                num_account = pdb_search_entries(dinfo->disp_info->users,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                 &entries);
                break;
-       case 0x2:
+       case 2:
                if (dinfo->disp_info->machines == NULL) {
                        dinfo->disp_info->machines = pdb_search_users(
                                dinfo->disp_info, ACB_WSTRUST|ACB_SVRTRUST);
@@ -1489,18 +1522,18 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                return NT_STATUS_ACCESS_DENIED;
                        }
                        DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                } else {
                        DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                }
 
                num_account = pdb_search_entries(dinfo->disp_info->machines,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                 &entries);
                break;
-       case 0x3:
-       case 0x5:
+       case 3:
+       case 5:
                if (dinfo->disp_info->groups == NULL) {
                        dinfo->disp_info->groups = pdb_search_groups(
                                dinfo->disp_info);
@@ -1509,14 +1542,14 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                return NT_STATUS_ACCESS_DENIED;
                        }
                        DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                } else {
                        DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                }
 
                num_account = pdb_search_entries(dinfo->disp_info->groups,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                 &entries);
                break;
        default:
@@ -1529,29 +1562,29 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
 
        /* Now create reply structure */
        switch (r->in.level) {
-       case 0x1:
+       case 1:
                disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                entries);
                break;
-       case 0x2:
+       case 2:
                disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                entries);
                break;
-       case 0x3:
+       case 3:
                disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                entries);
                break;
-       case 0x4:
+       case 4:
                disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                entries);
                break;
-       case 0x5:
+       case 5:
                disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                entries);
                break;
        default:
@@ -1562,9 +1595,6 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        if (!NT_STATUS_IS_OK(disp_ret))
                return disp_ret;
 
-       /* calculate the total size */
-       total_data_size=num_account*struct_size;
-
        if (max_entries <= num_account) {
                status = STATUS_MORE_ENTRIES;
        } else {
@@ -1576,8 +1606,8 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
 
        DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
 
-       *r->out.total_size = total_data_size;
-       *r->out.returned_size = temp_size;
+       *r->out.total_size = num_account * struct_size;
+       *r->out.returned_size = num_account ? temp_size : 0;
 
        return status;
 }
@@ -1671,6 +1701,9 @@ NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
                alias_info->all.num_members             = 1; /* ??? */
                alias_info->all.description.string      = alias_description;
                break;
+       case ALIASINFONAME:
+               alias_info->name.string                 = alias_name;
+               break;
        case ALIASINFODESCRIPTION:
                alias_info->description.string          = alias_description;
                break;
@@ -1769,6 +1802,117 @@ NTSTATUS _samr_LookupNames(pipes_struct *p,
        return status;
 }
 
+/****************************************************************
+ _samr_ChangePasswordUser
+****************************************************************/
+
+NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
+                                 struct samr_ChangePasswordUser *r)
+{
+       NTSTATUS status;
+       bool ret = false;
+       struct samr_user_info *uinfo;
+       struct samu *pwd;
+       struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
+       struct samr_Password lm_pwd, nt_pwd;
+
+       uinfo = policy_handle_find(p, r->in.user_handle,
+                                  SAMR_USER_ACCESS_SET_PASSWORD, NULL,
+                                  struct samr_user_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
+                 sid_string_dbg(&uinfo->sid)));
+
+       if (!(pwd = samu_new(NULL))) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       become_root();
+       ret = pdb_getsampwsid(pwd, &uinfo->sid);
+       unbecome_root();
+
+       if (!ret) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+
+       {
+               const uint8_t *lm_pass, *nt_pass;
+
+               lm_pass = pdb_get_lanman_passwd(pwd);
+               nt_pass = pdb_get_nt_passwd(pwd);
+
+               if (!lm_pass || !nt_pass) {
+                       status = NT_STATUS_WRONG_PASSWORD;
+                       goto out;
+               }
+
+               memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
+               memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
+       }
+
+       /* basic sanity checking on parameters.  Do this before any database ops */
+       if (!r->in.lm_present || !r->in.nt_present ||
+           !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
+           !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
+               /* we should really handle a change with lm not
+                  present */
+               status = NT_STATUS_INVALID_PARAMETER_MIX;
+               goto out;
+       }
+
+       /* decrypt and check the new lm hash */
+       D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
+       D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
+       if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
+               status = NT_STATUS_WRONG_PASSWORD;
+               goto out;
+       }
+
+       /* decrypt and check the new nt hash */
+       D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
+       D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
+       if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
+               status = NT_STATUS_WRONG_PASSWORD;
+               goto out;
+       }
+
+       /* The NT Cross is not required by Win2k3 R2, but if present
+          check the nt cross hash */
+       if (r->in.cross1_present && r->in.nt_cross) {
+               D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
+               if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
+                       status = NT_STATUS_WRONG_PASSWORD;
+                       goto out;
+               }
+       }
+
+       /* The LM Cross is not required by Win2k3 R2, but if present
+          check the lm cross hash */
+       if (r->in.cross2_present && r->in.lm_cross) {
+               D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
+               if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
+                       status = NT_STATUS_WRONG_PASSWORD;
+                       goto out;
+               }
+       }
+
+       if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
+           !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
+               status = NT_STATUS_ACCESS_DENIED;
+               goto out;
+       }
+
+       status = pdb_update_sam_account(pwd);
+ out:
+       TALLOC_FREE(pwd);
+
+       return status;
+}
+
 /*******************************************************************
  _samr_ChangePasswordUser2
  ********************************************************************/
@@ -1776,6 +1920,7 @@ NTSTATUS _samr_LookupNames(pipes_struct *p,
 NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
                                   struct samr_ChangePasswordUser2 *r)
 {
+       struct smbd_server_connection *sconn = smbd_server_conn;
        NTSTATUS status;
        fstring user_name;
        fstring wks;
@@ -1792,7 +1937,7 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
         * function.
         */
 
-       (void)map_username(user_name);
+       (void)map_username(sconn, user_name);
 
        /*
         * UNIX username case mangling not required, pass_oem_change
@@ -1808,6 +1953,63 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
 
        DEBUG(5,("_samr_ChangePasswordUser2: %d\n", __LINE__));
 
+       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+
+       return status;
+}
+
+/****************************************************************
+ _samr_OemChangePasswordUser2
+****************************************************************/
+
+NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
+                                     struct samr_OemChangePasswordUser2 *r)
+{
+       struct smbd_server_connection *sconn = smbd_server_conn;
+       NTSTATUS status;
+       fstring user_name;
+       const char *wks = NULL;
+
+       DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
+
+       fstrcpy(user_name, r->in.account->string);
+       if (r->in.server && r->in.server->string) {
+               wks = r->in.server->string;
+       }
+
+       DEBUG(5,("_samr_OemChangePasswordUser2: user: %s wks: %s\n", user_name, wks));
+
+       /*
+        * Pass the user through the NT -> unix user mapping
+        * function.
+        */
+
+       (void)map_username(sconn, user_name);
+
+       /*
+        * UNIX username case mangling not required, pass_oem_change
+        * is case insensitive.
+        */
+
+       if (!r->in.hash || !r->in.password) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       status = pass_oem_change(user_name,
+                                r->in.password->data,
+                                r->in.hash->hash,
+                                0,
+                                0,
+                                NULL);
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+
+       DEBUG(5,("_samr_OemChangePasswordUser2: %d\n", __LINE__));
+
        return status;
 }
 
@@ -1818,12 +2020,13 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
 NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                                   struct samr_ChangePasswordUser3 *r)
 {
+       struct smbd_server_connection *sconn = smbd_server_conn;
        NTSTATUS status;
        fstring user_name;
        const char *wks = NULL;
-       uint32 reject_reason;
+       enum samPwdChangeReason reject_reason;
        struct samr_DomInfo1 *dominfo = NULL;
-       struct samr_ChangeReject *reject = NULL;
+       struct userPwdChangeFailureInformation *reject = NULL;
        uint32_t tmp;
 
        DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
@@ -1840,7 +2043,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
         * function.
         */
 
-       (void)map_username(user_name);
+       (void)map_username(sconn, user_name);
 
        /*
         * UNIX username case mangling not required, pass_oem_change
@@ -1853,6 +2056,9 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                                 r->in.nt_password->data,
                                 r->in.nt_verifier->hash,
                                 &reject_reason);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+               return NT_STATUS_WRONG_PASSWORD;
+       }
 
        if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) ||
            NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_RESTRICTION)) {
@@ -1865,7 +2071,8 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                        return NT_STATUS_NO_MEMORY;
                }
 
-               reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
+               reject = TALLOC_ZERO_P(p->mem_ctx,
+                               struct userPwdChangeFailureInformation);
                if (!reject) {
                        return NT_STATUS_NO_MEMORY;
                }
@@ -1874,19 +2081,19 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
 
                /* AS ROOT !!! */
 
-               pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
+               pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &tmp);
                dominfo->min_password_length = tmp;
 
-               pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
+               pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &tmp);
                dominfo->password_history_length = tmp;
 
-               pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+               pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                                       &dominfo->password_properties);
 
-               pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+               pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
                u_expire = account_policy_temp;
 
-               pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+               pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
                u_min_age = account_policy_temp;
 
                /* !AS ROOT */
@@ -1900,7 +2107,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                        dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
                }
 
-               reject->reason = reject_reason;
+               reject->extendedFailureReason = reject_reason;
 
                *r->out.dominfo = dominfo;
                *r->out.reject = reject;
@@ -2034,6 +2241,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
        SEC_DESC *psd = NULL;
        uint32    acc_granted;
        uint32    des_access = r->in.access_mask;
+       uint32_t extra_access = 0;
        size_t    sd_size;
        bool ret;
        NTSTATUS nt_status;
@@ -2057,32 +2265,92 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
                return NT_STATUS_NO_SUCH_USER;
 
        /* check if access can be granted as requested by client. */
-
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
        se_map_generic(&des_access, &usr_generic_mapping);
 
-       se_priv_copy( &se_rights, &se_machine_account );
-       se_priv_add( &se_rights, &se_add_users );
+       /*
+        * Get the sampass first as we need to check privileges
+        * based on what kind of user object this is.
+        * But don't reveal info too early if it didn't exist.
+        */
+
+       become_root();
+       ret=pdb_getsampwsid(sampass, &sid);
+       unbecome_root();
+
+       se_priv_copy(&se_rights, &se_priv_none);
+
+       /*
+        * We do the override access checks on *open*, not at
+        * SetUserInfo time.
+        */
+       if (ret) {
+               uint32_t acb_info = pdb_get_acct_ctrl(sampass);
+
+               if ((acb_info & ACB_WSTRUST) &&
+                               user_has_any_privilege(p->server_info->ptok,
+                                               &se_machine_account)) {
+                       /*
+                        * SeMachineAccount is needed to add
+                        * GENERIC_RIGHTS_USER_WRITE to a machine
+                        * account.
+                        */
+                       se_priv_add(&se_rights, &se_machine_account);
+                       DEBUG(10,("_samr_OpenUser: adding machine account "
+                               "rights to handle for user %s\n",
+                               pdb_get_username(sampass) ));
+               }
+               if ((acb_info & ACB_NORMAL) &&
+                               user_has_any_privilege(p->server_info->ptok,
+                                               &se_add_users)) {
+                       /*
+                        * SeAddUsers is needed to add
+                        * GENERIC_RIGHTS_USER_WRITE to a normal
+                        * account.
+                        */
+                       se_priv_add(&se_rights, &se_add_users);
+                       DEBUG(10,("_samr_OpenUser: adding add user "
+                               "rights to handle for user %s\n",
+                               pdb_get_username(sampass) ));
+               }
+               /*
+                * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
+                * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
+                * what Windows does but is a hack for people who haven't
+                * set up privileges on groups in Samba.
+                */
+               if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
+                       if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
+                                                       DOMAIN_GROUP_RID_ADMINS)) {
+                               des_access &= ~GENERIC_RIGHTS_USER_WRITE;
+                               extra_access = GENERIC_RIGHTS_USER_WRITE;
+                               DEBUG(4,("_samr_OpenUser: Allowing "
+                                       "GENERIC_RIGHTS_USER_WRITE for "
+                                       "rid admins\n"));
+                       }
+               }
+       }
+
+       TALLOC_FREE(sampass);
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                &acc_granted, "_samr_OpenUser");
 
        if ( !NT_STATUS_IS_OK(nt_status) )
                return nt_status;
 
-       become_root();
-       ret=pdb_getsampwsid(sampass, &sid);
-       unbecome_root();
-
        /* check that the SID exists in our domain. */
        if (ret == False) {
                return NT_STATUS_NO_SUCH_USER;
        }
 
-       TALLOC_FREE(sampass);
+       /* If we did the rid admins hack above, allow access. */
+       acc_granted |= extra_access;
 
        uinfo = policy_handle_create(p, r->out.user_handle, acc_granted,
                                     struct samr_user_info, &nt_status);
@@ -2475,7 +2743,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
+       if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -2492,7 +2760,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p,
        if (ret == False) {
                DEBUG(4, ("User %s not found\n", sid_string_dbg(user_sid)));
                TALLOC_FREE(smbpass);
-               return (geteuid() == (uid_t)0) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
+               return (geteuid() == sec_initial_uid()) ? NT_STATUS_NO_SUCH_USER : NT_STATUS_ACCESS_DENIED;
        }
 
        DEBUG(3,("User:[%s] 0x%x\n", pdb_get_username(smbpass), pdb_get_acct_ctrl(smbpass) ));
@@ -2558,7 +2826,8 @@ static NTSTATUS get_user_info_20(TALLOC_CTX *mem_ctx,
 static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx,
                                 struct samr_UserInfo21 *r,
                                 struct samu *pw,
-                                DOM_SID *domain_sid)
+                                DOM_SID *domain_sid,
+                                uint32_t acc_granted)
 {
        NTSTATUS status;
        const DOM_SID *sid_user, *sid_group;
@@ -2678,9 +2947,76 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
        uint32 rid;
        bool ret = false;
        struct samu *pwd = NULL;
+       uint32_t acc_required, acc_granted;
+
+       switch (r->in.level) {
+       case 1: /* UserGeneralInformation */
+               /* USER_READ_GENERAL */
+               acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
+               break;
+       case 2: /* UserPreferencesInformation */
+               /* USER_READ_PREFERENCES | USER_READ_GENERAL */
+               acc_required = SAMR_USER_ACCESS_GET_LOCALE |
+                              SAMR_USER_ACCESS_GET_NAME_ETC;
+               break;
+       case 3: /* UserLogonInformation */
+               /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
+               acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
+                              SAMR_USER_ACCESS_GET_LOCALE |
+                              SAMR_USER_ACCESS_GET_LOGONINFO |
+                              SAMR_USER_ACCESS_GET_ATTRIBUTES;
+               break;
+       case 4: /* UserLogonHoursInformation */
+               /* USER_READ_LOGON */
+               acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
+               break;
+       case 5: /* UserAccountInformation */
+               /* USER_READ_GENERAL | USER_READ_PREFERENCES | USER_READ_LOGON | USER_READ_ACCOUNT */
+               acc_required = SAMR_USER_ACCESS_GET_NAME_ETC |
+                              SAMR_USER_ACCESS_GET_LOCALE |
+                              SAMR_USER_ACCESS_GET_LOGONINFO |
+                              SAMR_USER_ACCESS_GET_ATTRIBUTES;
+               break;
+       case 6: /* UserNameInformation */
+       case 7: /* UserAccountNameInformation */
+       case 8: /* UserFullNameInformation */
+       case 9: /* UserPrimaryGroupInformation */
+       case 13: /* UserAdminCommentInformation */
+               /* USER_READ_GENERAL */
+               acc_required = SAMR_USER_ACCESS_GET_NAME_ETC;
+               break;
+       case 10: /* UserHomeInformation */
+       case 11: /* UserScriptInformation */
+       case 12: /* UserProfileInformation */
+       case 14: /* UserWorkStationsInformation */
+               /* USER_READ_LOGON */
+               acc_required = SAMR_USER_ACCESS_GET_LOGONINFO;
+               break;
+       case 16: /* UserControlInformation */
+       case 17: /* UserExpiresInformation */
+       case 20: /* UserParametersInformation */
+               /* USER_READ_ACCOUNT */
+               acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+               break;
+       case 21: /* UserAllInformation */
+               /* FIXME! - gd */
+               acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+               break;
+       case 18: /* UserInternal1Information */
+               /* FIXME! - gd */
+               acc_required = SAMR_USER_ACCESS_GET_ATTRIBUTES;
+               break;
+       case 23: /* UserInternal4Information */
+       case 24: /* UserInternal4InformationNew */
+       case 25: /* UserInternal4InformationNew */
+       case 26: /* UserInternal5InformationNew */
+       default:
+               return NT_STATUS_INVALID_INFO_CLASS;
+               break;
+       }
 
        uinfo = policy_handle_find(p, r->in.user_handle,
-                                  SAMR_USER_ACCESS_GET_ATTRIBUTES, NULL,
+                                  acc_required, &acc_granted,
                                   struct samr_user_info, &status);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
@@ -2779,17 +3115,22 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
                status = get_user_info_20(p->mem_ctx, &user_info->info20, pwd);
                break;
        case 21:
-               status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid);
+               status = get_user_info_21(p->mem_ctx, &user_info->info21, pwd, &domain_sid, acc_granted);
                break;
        default:
                status = NT_STATUS_INVALID_INFO_CLASS;
                break;
        }
 
-       TALLOC_FREE(pwd);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto done;
+       }
 
        *r->out.info = user_info;
 
+ done:
+       TALLOC_FREE(pwd);
+
        DEBUG(5,("_samr_QueryUserInfo: %d\n", __LINE__));
 
        return status;
@@ -2940,200 +3281,418 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
 }
 
 /*******************************************************************
- _samr_QueryDomainInfo
  ********************************************************************/
 
-NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
-                              struct samr_QueryDomainInfo *r)
+static uint32_t samr_get_server_role(void)
 {
-       NTSTATUS status = NT_STATUS_OK;
-       struct samr_domain_info *dinfo;
-       union samr_DomainInfo *dom_info;
-       time_t u_expire, u_min_age;
+       uint32_t role = ROLE_DOMAIN_PDC;
 
-       time_t u_lock_duration, u_reset_time;
-       uint32_t u_logout;
+       if (lp_server_role() == ROLE_DOMAIN_BDC) {
+               role = ROLE_DOMAIN_BDC;
+       }
 
-       uint32 account_policy_temp;
+       return role;
+}
 
-       time_t seq_num;
-       uint32 server_role;
+/*******************************************************************
+ ********************************************************************/
 
-       DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
+static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo1 *r)
+{
+       uint32_t account_policy_temp;
+       time_t u_expire, u_min_age;
 
-       dinfo = policy_handle_find(p, r->in.domain_handle,
-                                  SAMR_ACCESS_LOOKUP_DOMAIN, NULL,
-                                  struct samr_domain_info, &status);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
+       become_root();
 
-       dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
-       if (!dom_info) {
-               return NT_STATUS_NO_MEMORY;
-       }
+       /* AS ROOT !!! */
 
-       switch (r->in.level) {
-               case 0x01:
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &account_policy_temp);
+       r->min_password_length = account_policy_temp;
 
-                       become_root();
+       pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &account_policy_temp);
+       r->password_history_length = account_policy_temp;
 
-                       /* AS ROOT !!! */
+       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
+                              &r->password_properties);
 
-                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
-                                              &account_policy_temp);
-                       dom_info->info1.min_password_length = account_policy_temp;
+       pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
+       u_expire = account_policy_temp;
 
-                       pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
-                       dom_info->info1.password_history_length = account_policy_temp;
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
+       u_min_age = account_policy_temp;
 
-                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
-                               &dom_info->info1.password_properties);
+       /* !AS ROOT */
 
-                       pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
-                       u_expire = account_policy_temp;
+       unbecome_root();
 
-                       pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
-                       u_min_age = account_policy_temp;
+       unix_to_nt_time_abs((NTTIME *)&r->max_password_age, u_expire);
+       unix_to_nt_time_abs((NTTIME *)&r->min_password_age, u_min_age);
 
-                       /* !AS ROOT */
+       if (lp_check_password_script() && *lp_check_password_script()) {
+               r->password_properties |= DOMAIN_PASSWORD_COMPLEX;
+       }
 
-                       unbecome_root();
+       return NT_STATUS_OK;
+}
 
-                       unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
-                       unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
+/*******************************************************************
+ ********************************************************************/
 
-                       if (lp_check_password_script() && *lp_check_password_script()) {
-                               dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
-                       }
+static NTSTATUS query_dom_info_2(TALLOC_CTX *mem_ctx,
+                                struct samr_DomGeneralInformation *r,
+                                struct samr_domain_info *dinfo)
+{
+       uint32_t u_logout;
+       time_t seq_num;
 
-                       break;
-               case 0x02:
+       become_root();
 
-                       become_root();
+       /* AS ROOT !!! */
 
-                       /* AS ROOT !!! */
+       r->num_users    = count_sam_users(dinfo->disp_info, ACB_NORMAL);
+       r->num_groups   = count_sam_groups(dinfo->disp_info);
+       r->num_aliases  = count_sam_aliases(dinfo->disp_info);
 
-                       dom_info->general.num_users     = count_sam_users(
-                               dinfo->disp_info, ACB_NORMAL);
-                       dom_info->general.num_groups    = count_sam_groups(
-                               dinfo->disp_info);
-                       dom_info->general.num_aliases   = count_sam_aliases(
-                               dinfo->disp_info);
+       pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &u_logout);
 
-                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
+       unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
 
-                       unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
+       }
 
-                       if (!pdb_get_seq_num(&seq_num))
-                               seq_num = time(NULL);
+       /* !AS ROOT */
 
-                       /* !AS ROOT */
+       unbecome_root();
 
-                       unbecome_root();
+       r->oem_information.string       = lp_serverstring();
+       r->domain_name.string           = lp_workgroup();
+       r->primary.string               = global_myname();
+       r->sequence_num                 = seq_num;
+       r->domain_server_state          = DOMAIN_SERVER_ENABLED;
+       r->role                         = samr_get_server_role();
+       r->unknown3                     = 1;
 
-                       server_role = ROLE_DOMAIN_PDC;
-                       if (lp_server_role() == ROLE_DOMAIN_BDC)
-                               server_role = ROLE_DOMAIN_BDC;
+       return NT_STATUS_OK;
+}
 
-                       dom_info->general.oem_information.string        = lp_serverstring();
-                       dom_info->general.domain_name.string            = lp_workgroup();
-                       dom_info->general.primary.string                = global_myname();
-                       dom_info->general.sequence_num                  = seq_num;
-                       dom_info->general.domain_server_state           = DOMAIN_SERVER_ENABLED;
-                       dom_info->general.role                          = server_role;
-                       dom_info->general.unknown3                      = 1;
+/*******************************************************************
+ ********************************************************************/
 
-                       break;
-               case 0x03:
+static NTSTATUS query_dom_info_3(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo3 *r)
+{
+       uint32_t u_logout;
 
-                       become_root();
+       become_root();
 
-                       /* AS ROOT !!! */
+       /* AS ROOT !!! */
 
-                       {
-                               uint32 ul;
-                               pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
-                               u_logout = (time_t)ul;
-                       }
+       {
+               uint32_t ul;
+               pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &ul);
+               u_logout = (time_t)ul;
+       }
 
-                       /* !AS ROOT */
+       /* !AS ROOT */
 
-                       unbecome_root();
+       unbecome_root();
 
-                       unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
+       unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
 
-                       break;
-               case 0x04:
-                       dom_info->oem.oem_information.string = lp_serverstring();
-                       break;
-               case 0x05:
-                       dom_info->info5.domain_name.string = get_global_sam_name();
-                       break;
-               case 0x06:
-                       /* NT returns its own name when a PDC. win2k and later
-                        * only the name of the PDC if itself is a BDC (samba4
-                        * idl) */
-                       dom_info->info6.primary.string = global_myname();
-                       break;
-               case 0x07:
-                       server_role = ROLE_DOMAIN_PDC;
-                       if (lp_server_role() == ROLE_DOMAIN_BDC)
-                               server_role = ROLE_DOMAIN_BDC;
+       return NT_STATUS_OK;
+}
 
-                       dom_info->info7.role = server_role;
-                       break;
-               case 0x08:
+/*******************************************************************
+ ********************************************************************/
 
-                       become_root();
+static NTSTATUS query_dom_info_4(TALLOC_CTX *mem_ctx,
+                                struct samr_DomOEMInformation *r)
+{
+       r->oem_information.string = lp_serverstring();
 
-                       /* AS ROOT !!! */
+       return NT_STATUS_OK;
+}
 
-                       if (!pdb_get_seq_num(&seq_num)) {
-                               seq_num = time(NULL);
-                       }
+/*******************************************************************
+ ********************************************************************/
 
-                       /* !AS ROOT */
+static NTSTATUS query_dom_info_5(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo5 *r)
+{
+       r->domain_name.string = get_global_sam_name();
 
-                       unbecome_root();
+       return NT_STATUS_OK;
+}
 
-                       dom_info->info8.sequence_num = seq_num;
-                       dom_info->info8.domain_create_time = 0;
+/*******************************************************************
+ ********************************************************************/
 
-                       break;
-               case 0x0c:
+static NTSTATUS query_dom_info_6(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo6 *r)
+{
+       /* NT returns its own name when a PDC. win2k and later
+        * only the name of the PDC if itself is a BDC (samba4
+        * idl) */
+       r->primary.string = global_myname();
 
-                       become_root();
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
 
-                       /* AS ROOT !!! */
+static NTSTATUS query_dom_info_7(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo7 *r)
+{
+       r->role = samr_get_server_role();
 
-                       pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
-                       u_lock_duration = account_policy_temp;
-                       if (u_lock_duration != -1) {
-                               u_lock_duration *= 60;
-                       }
+       return NT_STATUS_OK;
+}
 
-                       pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
-                       u_reset_time = account_policy_temp * 60;
+/*******************************************************************
+ ********************************************************************/
 
-                       pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
-                                              &account_policy_temp);
-                       dom_info->info12.lockout_threshold = account_policy_temp;
+static NTSTATUS query_dom_info_8(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo8 *r)
+{
+       time_t seq_num;
 
-                       /* !AS ROOT */
+       become_root();
 
-                       unbecome_root();
+       /* AS ROOT !!! */
+
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
+       }
+
+       /* !AS ROOT */
+
+       unbecome_root();
+
+       r->sequence_num = seq_num;
+       r->domain_create_time = 0;
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_9(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo9 *r)
+{
+       r->domain_server_state = DOMAIN_SERVER_ENABLED;
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_11(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomGeneralInformation2 *r,
+                                 struct samr_domain_info *dinfo)
+{
+       NTSTATUS status;
+       uint32_t account_policy_temp;
+       time_t u_lock_duration, u_reset_time;
+
+       status = query_dom_info_2(mem_ctx, &r->general, dinfo);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       /* AS ROOT !!! */
+
+       become_root();
+
+       pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+       u_lock_duration = account_policy_temp;
+       if (u_lock_duration != -1) {
+               u_lock_duration *= 60;
+       }
+
+       pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
+       u_reset_time = account_policy_temp * 60;
+
+       pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+       r->lockout_threshold = account_policy_temp;
+
+       /* !AS ROOT */
+
+       unbecome_root();
+
+       unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
+       unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_12(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomInfo12 *r)
+{
+       uint32_t account_policy_temp;
+       time_t u_lock_duration, u_reset_time;
+
+       become_root();
+
+       /* AS ROOT !!! */
+
+       pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+       u_lock_duration = account_policy_temp;
+       if (u_lock_duration != -1) {
+               u_lock_duration *= 60;
+       }
+
+       pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
+       u_reset_time = account_policy_temp * 60;
+
+       pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+       r->lockout_threshold = account_policy_temp;
+
+       /* !AS ROOT */
+
+       unbecome_root();
+
+       unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
+       unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_13(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomInfo13 *r)
+{
+       time_t seq_num;
+
+       become_root();
+
+       /* AS ROOT !!! */
+
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
+       }
+
+       /* !AS ROOT */
+
+       unbecome_root();
+
+       r->sequence_num = seq_num;
+       r->domain_create_time = 0;
+       r->modified_count_at_last_promotion = 0;
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ _samr_QueryDomainInfo
+ ********************************************************************/
+
+NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
+                              struct samr_QueryDomainInfo *r)
+{
+       NTSTATUS status = NT_STATUS_OK;
+       struct samr_domain_info *dinfo;
+       union samr_DomainInfo *dom_info;
+
+       uint32_t acc_required;
+
+       DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
+
+       switch (r->in.level) {
+       case 1: /* DomainPasswordInformation */
+       case 12: /* DomainLockoutInformation */
+               /* DOMAIN_READ_PASSWORD_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
+               break;
+       case 11: /* DomainGeneralInformation2 */
+               /* DOMAIN_READ_PASSWORD_PARAMETERS |
+                * DOMAIN_READ_OTHER_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+                              SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+               break;
+       case 2: /* DomainGeneralInformation */
+       case 3: /* DomainLogoffInformation */
+       case 4: /* DomainOemInformation */
+       case 5: /* DomainReplicationInformation */
+       case 6: /* DomainReplicationInformation */
+       case 7: /* DomainServerRoleInformation */
+       case 8: /* DomainModifiedInformation */
+       case 9: /* DomainStateInformation */
+       case 10: /* DomainUasInformation */
+       case 13: /* DomainModifiedInformation2 */
+               /* DOMAIN_READ_OTHER_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+               break;
+       default:
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       dinfo = policy_handle_find(p, r->in.domain_handle,
+                                  acc_required, NULL,
+                                  struct samr_domain_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
 
-                       unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
-                                           u_lock_duration);
-                       unix_to_nt_time_abs(&dom_info->info12.lockout_window,
-                                           u_reset_time);
+       dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
+       if (!dom_info) {
+               return NT_STATUS_NO_MEMORY;
+       }
 
+       switch (r->in.level) {
+               case 1:
+                       status = query_dom_info_1(p->mem_ctx, &dom_info->info1);
+                       break;
+               case 2:
+                       status = query_dom_info_2(p->mem_ctx, &dom_info->general, dinfo);
+                       break;
+               case 3:
+                       status = query_dom_info_3(p->mem_ctx, &dom_info->info3);
+                       break;
+               case 4:
+                       status = query_dom_info_4(p->mem_ctx, &dom_info->oem);
+                       break;
+               case 5:
+                       status = query_dom_info_5(p->mem_ctx, &dom_info->info5);
+                       break;
+               case 6:
+                       status = query_dom_info_6(p->mem_ctx, &dom_info->info6);
+                       break;
+               case 7:
+                       status = query_dom_info_7(p->mem_ctx, &dom_info->info7);
+                       break;
+               case 8:
+                       status = query_dom_info_8(p->mem_ctx, &dom_info->info8);
+                       break;
+               case 9:
+                       status = query_dom_info_9(p->mem_ctx, &dom_info->info9);
+                       break;
+               case 11:
+                       status = query_dom_info_11(p->mem_ctx, &dom_info->general2, dinfo);
+                       break;
+               case 12:
+                       status = query_dom_info_12(p->mem_ctx, &dom_info->info12);
+                       break;
+               case 13:
+                       status = query_dom_info_13(p->mem_ctx, &dom_info->info13);
                        break;
                default:
                        return NT_STATUS_INVALID_INFO_CLASS;
        }
 
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        *r->out.info = dom_info;
 
        DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
@@ -3231,47 +3790,44 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 
        /* determine which user right we need to check based on the acb_info */
 
-       if ( acb_info & ACB_WSTRUST )
-       {
-               se_priv_copy( &se_rights, &se_machine_account );
+       if (geteuid() == sec_initial_uid()) {
+               se_priv_copy(&se_rights, &se_priv_none);
+               can_add_account = true;
+       } else if (acb_info & ACB_WSTRUST) {
+               se_priv_copy(&se_rights, &se_machine_account);
                can_add_account = user_has_privileges(
                        p->server_info->ptok, &se_rights );
-       }
-       /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
-          account for domain trusts and changes the ACB flags later */
-       else if ( acb_info & ACB_NORMAL &&
-                 (account[strlen(account)-1] != '$') )
-       {
-               se_priv_copy( &se_rights, &se_add_users );
+       } else if (acb_info & ACB_NORMAL &&
+                 (account[strlen(account)-1] != '$')) {
+               /* usrmgr.exe (and net rpc trustdom grant) creates a normal user
+                  account for domain trusts and changes the ACB flags later */
+               se_priv_copy(&se_rights, &se_add_users);
                can_add_account = user_has_privileges(
                        p->server_info->ptok, &se_rights );
-       }
-       else    /* implicit assumption of a BDC or domain trust account here
+       } else if (lp_enable_privileges()) {
+               /* implicit assumption of a BDC or domain trust account here
                 * (we already check the flags earlier) */
-       {
-               if ( lp_enable_privileges() ) {
-                       /* only Domain Admins can add a BDC or domain trust */
-                       se_priv_copy( &se_rights, &se_priv_none );
-                       can_add_account = nt_token_check_domain_rid(
-                               p->server_info->ptok,
-                               DOMAIN_GROUP_RID_ADMINS );
-               }
+               /* only Domain Admins can add a BDC or domain trust */
+               se_priv_copy(&se_rights, &se_priv_none);
+               can_add_account = nt_token_check_domain_rid(
+                       p->server_info->ptok,
+                       DOMAIN_GROUP_RID_ADMINS );
        }
 
        DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
                  uidtoname(p->server_info->utok.uid),
                  can_add_account ? "True":"False" ));
 
-       /********** BEGIN Admin BLOCK **********/
+       if (!can_add_account) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
 
-       if ( can_add_account )
-               become_root();
+       /********** BEGIN Admin BLOCK **********/
 
+       become_root();
        nt_status = pdb_create_user(p->mem_ctx, account, acb_info,
                                    r->out.rid);
-
-       if ( can_add_account )
-               unbecome_root();
+       unbecome_root();
 
        /********** END Admin BLOCK **********/
 
@@ -3284,13 +3840,22 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 
        sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
                            &sid, SAMR_USR_RIGHTS_WRITE_PW);
        se_map_generic(&des_access, &usr_generic_mapping);
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       /*
+        * JRA - TESTME. We just created this user so we
+        * had rights to create them. Do we need to check
+        * any further access on this object ? Can't we
+        * just assume we have all the rights we need ?
+        */
+
+       nt_status = access_check_object(psd, p->server_info->ptok,
                &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                &acc_granted, "_samr_CreateUser2");
 
@@ -3357,7 +3922,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
           was observed from a win98 client trying to enumerate users (when configured
           user level access control on shares)   --jerry */
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        se_map_generic( &des_access, &sam_generic_mapping );
 
@@ -3417,12 +3984,14 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
        se_map_generic(&des_access, &sam_generic_mapping);
 
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                NULL, 0, des_access, &acc_granted, fn);
 
        if ( !NT_STATUS_IS_OK(nt_status) )
@@ -3630,17 +4199,18 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 
        /*check if access can be granted as requested by client. */
 
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
        se_map_generic(&des_access,&ali_generic_mapping);
 
        se_priv_copy( &se_rights, &se_add_users );
 
-
-       status = access_check_samr_object(psd, p->server_info->ptok,
-               &se_rights, GENERIC_RIGHTS_ALIAS_WRITE, des_access,
-               &acc_granted, "_samr_OpenAlias");
+       status = access_check_object(psd, p->server_info->ptok,
+               &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
+               des_access, &acc_granted, "_samr_OpenAlias");
 
        if ( !NT_STATUS_IS_OK(status) )
                return status;
@@ -3761,6 +4331,12 @@ static NTSTATUS set_user_info_7(TALLOC_CTX *mem_ctx,
           code (like UNSUCCESSFUL instead of ALREADY_EXISTS). */
 
        rc = can_create(mem_ctx, id7->account_name.string);
+
+       /* when there is nothing to change, we're done here */
+       if (NT_STATUS_EQUAL(rc, NT_STATUS_USER_EXISTS) &&
+           strequal(id7->account_name.string, pdb_get_username(pwd))) {
+               return NT_STATUS_OK;
+       }
        if (!NT_STATUS_IS_OK(rc)) {
                return rc;
        }
@@ -4387,6 +4963,73 @@ static NTSTATUS set_user_info_26(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
+/*************************************************************
+**************************************************************/
+
+static uint32_t samr_set_user_info_map_fields_to_access_mask(uint32_t fields)
+{
+       uint32_t acc_required = 0;
+
+       /* USER_ALL_USERNAME */
+       if (fields & SAMR_FIELD_ACCOUNT_NAME)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_FULLNAME */
+       if (fields & SAMR_FIELD_FULL_NAME)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_PRIMARYGROUPID */
+       if (fields & SAMR_FIELD_PRIMARY_GID)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_HOMEDIRECTORY */
+       if (fields & SAMR_FIELD_HOME_DIRECTORY)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_HOMEDIRECTORYDRIVE */
+       if (fields & SAMR_FIELD_HOME_DRIVE)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_SCRIPTPATH */
+       if (fields & SAMR_FIELD_LOGON_SCRIPT)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_PROFILEPATH */
+       if (fields & SAMR_FIELD_PROFILE_PATH)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_ADMINCOMMENT */
+       if (fields & SAMR_FIELD_COMMENT)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_WORKSTATIONS */
+       if (fields & SAMR_FIELD_WORKSTATIONS)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_LOGONHOURS */
+       if (fields & SAMR_FIELD_LOGON_HOURS)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_ACCOUNTEXPIRES */
+       if (fields & SAMR_FIELD_ACCT_EXPIRY)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_USERACCOUNTCONTROL */
+       if (fields & SAMR_FIELD_ACCT_FLAGS)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_PARAMETERS */
+       if (fields & SAMR_FIELD_PARAMETERS)
+               acc_required |= SAMR_USER_ACCESS_SET_ATTRIBUTES;
+       /* USER_ALL_USERCOMMENT */
+       if (fields & SAMR_FIELD_COMMENT)
+               acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+       /* USER_ALL_COUNTRYCODE */
+       if (fields & SAMR_FIELD_COUNTRY_CODE)
+               acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+       /* USER_ALL_CODEPAGE */
+       if (fields & SAMR_FIELD_CODE_PAGE)
+               acc_required |= SAMR_USER_ACCESS_SET_LOC_COM;
+       /* USER_ALL_NTPASSWORDPRESENT */
+       if (fields & SAMR_FIELD_NT_PASSWORD_PRESENT)
+               acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+       /* USER_ALL_LMPASSWORDPRESENT */
+       if (fields & SAMR_FIELD_LM_PASSWORD_PRESENT)
+               acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+       /* USER_ALL_PASSWORDEXPIRED */
+       if (fields & SAMR_FIELD_EXPIRED_FLAG)
+               acc_required |= SAMR_USER_ACCESS_SET_PASSWORD;
+
+       return acc_required;
+}
 
 /*******************************************************************
  samr_SetUserInfo
@@ -4399,11 +5042,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
        NTSTATUS status;
        struct samu *pwd = NULL;
        union samr_UserInfo *info = r->in.info;
-       uint16_t switch_value = r->in.level;
-       uint32_t acc_required;
+       uint32_t acc_required = 0;
+       uint32_t fields = 0;
        bool ret;
-       bool has_enough_rights = False;
-       uint32_t acb_info;
 
        DEBUG(5,("_samr_SetUserInfo: %d\n", __LINE__));
 
@@ -4414,18 +5055,49 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
          This should be enough for levels 18, 24, 25,& 26.  Info level 23 can set more so
          we'll use the set from the WinXP join as the basis. */
 
-       switch (switch_value) {
-       case 18:
-       case 24:
-       case 25:
-       case 26:
+       switch (r->in.level) {
+       case 2: /* UserPreferencesInformation */
+               /* USER_WRITE_ACCOUNT | USER_WRITE_PREFERENCES */
+               acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES | SAMR_USER_ACCESS_SET_LOC_COM;
+               break;
+       case 4: /* UserLogonHoursInformation */
+       case 6: /* UserNameInformation */
+       case 7: /* UserAccountNameInformation */
+       case 8: /* UserFullNameInformation */
+       case 9: /* UserPrimaryGroupInformation */
+       case 10: /* UserHomeInformation */
+       case 11: /* UserScriptInformation */
+       case 12: /* UserProfileInformation */
+       case 13: /* UserAdminCommentInformation */
+       case 14: /* UserWorkStationsInformation */
+       case 16: /* UserControlInformation */
+       case 17: /* UserExpiresInformation */
+       case 20: /* UserParametersInformation */
+               /* USER_WRITE_ACCOUNT */
+               acc_required = SAMR_USER_ACCESS_SET_ATTRIBUTES;
+               break;
+       case 18: /* UserInternal1Information */
+               /* FIXME: gd, this is a guess */
                acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
                break;
-       default:
-               acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
-                              SAMR_USER_ACCESS_SET_ATTRIBUTES |
-                              SAMR_USER_ACCESS_GET_ATTRIBUTES;
+       case 21: /* UserAllInformation */
+               fields = info->info21.fields_present;
+               acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
+               break;
+       case 23: /* UserInternal4Information */
+               fields = info->info23.info.fields_present;
+               acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
+               break;
+       case 25: /* UserInternal4InformationNew */
+               fields = info->info25.info.fields_present;
+               acc_required = samr_set_user_info_map_fields_to_access_mask(fields);
                break;
+       case 24: /* UserInternal5Information */
+       case 26: /* UserInternal5InformationNew */
+               acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
+               break;
+       default:
+               return NT_STATUS_INVALID_INFO_CLASS;
        }
 
        uinfo = policy_handle_find(p, r->in.user_handle, acc_required, NULL,
@@ -4435,7 +5107,7 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
        }
 
        DEBUG(5, ("_samr_SetUserInfo: sid:%s, level:%d\n",
-                 sid_string_dbg(&uinfo->sid), switch_value));
+                 sid_string_dbg(&uinfo->sid), r->in.level));
 
        if (info == NULL) {
                DEBUG(5, ("_samr_SetUserInfo: NULL info level\n"));
@@ -4455,36 +5127,13 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
                return NT_STATUS_NO_SUCH_USER;
        }
 
-       /* deal with machine password changes differently from userinfo changes */
-       /* check to see if we have the sufficient rights */
-
-       acb_info = pdb_get_acct_ctrl(pwd);
-       if (acb_info & ACB_WSTRUST)
-               has_enough_rights = user_has_privileges(p->server_info->ptok,
-                                                       &se_machine_account);
-       else if (acb_info & ACB_NORMAL)
-               has_enough_rights = user_has_privileges(p->server_info->ptok,
-                                                       &se_add_users);
-       else if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
-               if (lp_enable_privileges()) {
-                       has_enough_rights = nt_token_check_domain_rid(p->server_info->ptok,
-                                                                     DOMAIN_GROUP_RID_ADMINS);
-               }
-       }
-
-       DEBUG(5, ("_samr_SetUserInfo: %s does%s possess sufficient rights\n",
-                 uidtoname(p->server_info->utok.uid),
-                 has_enough_rights ? "" : " not"));
+       /* ================ BEGIN Privilege BLOCK ================ */
 
-       /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
-
-       if (has_enough_rights) {
-               become_root();
-       }
+       become_root();
 
        /* ok!  user info levels (lots: see MSDEV help), off we go... */
 
-       switch (switch_value) {
+       switch (r->in.level) {
 
                case 2:
                        status = set_user_info_2(p->mem_ctx,
@@ -4627,11 +5276,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 
        TALLOC_FREE(pwd);
 
-       if (has_enough_rights) {
-               unbecome_root();
-       }
+       unbecome_root();
 
-       /* ================ END SeMachineAccountPrivilege BLOCK ================ */
+       /* ================ END Privilege BLOCK ================ */
 
        if (NT_STATUS_IS_OK(status)) {
                force_flush_samr_cache(&uinfo->sid);
@@ -4714,6 +5361,14 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
        r->out.rids->count = num_alias_rids;
        r->out.rids->ids = alias_rids;
 
+       if (r->out.rids->ids == NULL) {
+               /* Windows domain clients don't accept a NULL ptr here */
+               r->out.rids->ids = talloc_zero(p->mem_ctx, uint32_t);
+       }
+       if (r->out.rids->ids == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
        return NT_STATUS_OK;
 }
 
@@ -4741,7 +5396,8 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
        DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
 
        become_root();
-       status = pdb_enum_aliasmem(&ainfo->sid, &pdb_sids, &num_sids);
+       status = pdb_enum_aliasmem(&ainfo->sid, talloc_tos(), &pdb_sids,
+                                  &num_sids);
        unbecome_root();
 
        if (!NT_STATUS_IS_OK(status)) {
@@ -4847,8 +5503,6 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p,
                              struct samr_AddAliasMember *r)
 {
        struct samr_alias_info *ainfo;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
        NTSTATUS status;
 
        ainfo = policy_handle_find(p, r->in.alias_handle,
@@ -4860,18 +5514,11 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p,
 
        DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_add_aliasmem(&ainfo->sid, r->in.sid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -4890,8 +5537,6 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
                                 struct samr_DeleteAliasMember *r)
 {
        struct samr_alias_info *ainfo;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
        NTSTATUS status;
 
        ainfo = policy_handle_find(p, r->in.alias_handle,
@@ -4904,18 +5549,11 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
        DEBUG(10, ("_samr_del_aliasmem:sid is %s\n",
                   sid_string_dbg(&ainfo->sid)));
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_del_aliasmem(&ainfo->sid, r->in.sid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -4936,8 +5574,6 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p,
        struct samr_group_info *ginfo;
        NTSTATUS status;
        uint32 group_rid;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
 
        ginfo = policy_handle_find(p, r->in.group_handle,
                                   SAMR_GROUP_ACCESS_ADD_MEMBER, NULL,
@@ -4953,18 +5589,11 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_add_groupmem(p->mem_ctx, group_rid, r->in.rid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -4984,8 +5613,6 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
        struct samr_group_info *ginfo;
        NTSTATUS status;
        uint32 group_rid;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
 
        /*
         * delete the group member named r->in.rid
@@ -5005,18 +5632,11 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_del_groupmem(p->mem_ctx, group_rid, r->in.rid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -5035,8 +5655,6 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
        struct samr_user_info *uinfo;
        NTSTATUS status;
        struct samu *sam_pass=NULL;
-       bool can_add_accounts;
-       uint32 acb_info;
        bool ret;
 
        DEBUG(5, ("_samr_DeleteUser: %d\n", __LINE__));
@@ -5060,31 +5678,18 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
        ret = pdb_getsampwsid(sam_pass, &uinfo->sid);
        unbecome_root();
 
-       if( !ret ) {
+       if(!ret) {
                DEBUG(5,("_samr_DeleteUser: User %s doesn't exist.\n",
                        sid_string_dbg(&uinfo->sid)));
                TALLOC_FREE(sam_pass);
                return NT_STATUS_NO_SUCH_USER;
        }
 
-       acb_info = pdb_get_acct_ctrl(sam_pass);
-
-       /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
-       if ( acb_info & ACB_WSTRUST ) {
-               can_add_accounts = user_has_privileges( p->server_info->ptok, &se_machine_account );
-       } else {
-               can_add_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
-       }
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_delete_user(p->mem_ctx, sam_pass);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -5099,13 +5704,13 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
 
        TALLOC_FREE(sam_pass);
 
+       force_flush_samr_cache(&uinfo->sid);
+
        if (!close_policy_hnd(p, r->in.user_handle))
                return NT_STATUS_OBJECT_NAME_INVALID;
 
        ZERO_STRUCTP(r->out.user_handle);
 
-       force_flush_samr_cache(&uinfo->sid);
-
        return NT_STATUS_OK;
 }
 
@@ -5119,8 +5724,6 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
        struct samr_group_info *ginfo;
        NTSTATUS status;
        uint32 group_rid;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
 
        DEBUG(5, ("samr_DeleteDomainGroup: %d\n", __LINE__));
 
@@ -5138,18 +5741,11 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
                return NT_STATUS_NO_SUCH_GROUP;
        }
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        status = pdb_delete_dom_group(p->mem_ctx, group_rid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -5161,11 +5757,11 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
                return status;
        }
 
+       force_flush_samr_cache(&ginfo->sid);
+
        if (!close_policy_hnd(p, r->in.group_handle))
                return NT_STATUS_OBJECT_NAME_INVALID;
 
-       force_flush_samr_cache(&ginfo->sid);
-
        return NT_STATUS_OK;
 }
 
@@ -5177,8 +5773,6 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
                              struct samr_DeleteDomAlias *r)
 {
        struct samr_alias_info *ainfo;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
        NTSTATUS status;
 
        DEBUG(5, ("_samr_DeleteDomAlias: %d\n", __LINE__));
@@ -5203,30 +5797,23 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
 
        DEBUG(10, ("lookup on Local SID\n"));
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        /* Have passdb delete the alias */
        status = pdb_delete_alias(&ainfo->sid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
        if ( !NT_STATUS_IS_OK(status))
                return status;
 
+       force_flush_samr_cache(&ainfo->sid);
+
        if (!close_policy_hnd(p, r->in.alias_handle))
                return NT_STATUS_OBJECT_NAME_INVALID;
 
-       force_flush_samr_cache(&ainfo->sid);
-
        return NT_STATUS_OK;
 }
 
@@ -5242,8 +5829,6 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
        const char *name;
        struct samr_domain_info *dinfo;
        struct samr_group_info *ginfo;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
 
        dinfo = policy_handle_find(p, r->in.domain_handle,
                                   SAMR_DOMAIN_ACCESS_CREATE_GROUP, NULL,
@@ -5252,8 +5837,9 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
                return status;
        }
 
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                return NT_STATUS_ACCESS_DENIED;
+       }
 
        name = r->in.name->string;
        if (name == NULL) {
@@ -5265,20 +5851,12 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
                return status;
        }
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        /* check that we successfully create the UNIX group */
-
        status = pdb_create_dom_group(p->mem_ctx, name, r->out.rid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -5313,8 +5891,6 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
        struct samr_alias_info *ainfo;
        gid_t gid;
        NTSTATUS result;
-       SE_PRIV se_rights;
-       bool can_add_accounts;
 
        dinfo = policy_handle_find(p, r->in.domain_handle,
                                   SAMR_DOMAIN_ACCESS_CREATE_ALIAS, NULL,
@@ -5323,14 +5899,12 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
                return result;
        }
 
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                return NT_STATUS_ACCESS_DENIED;
+       }
 
        name = r->in.alias_name->string;
 
-       se_priv_copy( &se_rights, &se_add_users );
-       can_add_accounts = user_has_privileges( p->server_info->ptok, &se_rights );
-
        result = can_create(p->mem_ctx, name);
        if (!NT_STATUS_IS_OK(result)) {
                return result;
@@ -5338,14 +5912,10 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
 
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_add_accounts )
-               become_root();
-
+       become_root();
        /* Have passdb create the alias */
        result = pdb_create_alias(name, r->out.rid);
-
-       if ( can_add_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** END SeAddUsers BLOCK *********/
 
@@ -5364,8 +5934,8 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
 
        /* check if the group has been successfully created */
        if ( getgrgid(gid) == NULL ) {
-               DEBUG(10, ("getgrgid(%d) of just created alias failed\n",
-                          gid));
+               DEBUG(10, ("getgrgid(%u) of just created alias failed\n",
+                          (unsigned int)gid));
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -5496,7 +6066,6 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
        GROUP_MAP map;
        NTSTATUS status;
        bool ret;
-       bool can_mod_accounts;
 
        ginfo = policy_handle_find(p, r->in.group_handle,
                                   SAMR_GROUP_ACCESS_SET_INFO, NULL,
@@ -5512,12 +6081,11 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
                return NT_STATUS_NO_SUCH_GROUP;
 
        switch (r->in.level) {
-               case 1:
-                       fstrcpy(map.comment, r->in.info->all.description.string);
-                       break;
                case 2:
-                       /* group rename is not supported yet */
-                       return NT_STATUS_NOT_SUPPORTED;
+                       fstrcpy(map.nt_name, r->in.info->name.string);
+                       break;
+               case 3:
+                       break;
                case 4:
                        fstrcpy(map.comment, r->in.info->description.string);
                        break;
@@ -5525,17 +6093,11 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
                        return NT_STATUS_INVALID_INFO_CLASS;
        }
 
-       can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
-
        /******** BEGIN SeAddUsers BLOCK *********/
 
-       if ( can_mod_accounts )
-               become_root();
-
+       become_root();
        status = pdb_update_group_mapping_entry(&map);
-
-       if ( can_mod_accounts )
-               unbecome_root();
+       unbecome_root();
 
        /******** End SeAddUsers BLOCK *********/
 
@@ -5555,7 +6117,6 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
 {
        struct samr_alias_info *ainfo;
        struct acct_info info;
-       bool can_mod_accounts;
        NTSTATUS status;
 
        ainfo = policy_handle_find(p, r->in.alias_handle,
@@ -5622,17 +6183,11 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
                        return NT_STATUS_INVALID_INFO_CLASS;
        }
 
-        can_mod_accounts = user_has_privileges( p->server_info->ptok, &se_add_users );
-
         /******** BEGIN SeAddUsers BLOCK *********/
 
-        if ( can_mod_accounts )
-                become_root();
-
+       become_root();
         status = pdb_set_aliasinfo( &ainfo->sid, &info );
-
-        if ( can_mod_accounts )
-                unbecome_root();
+       unbecome_root();
 
         /******** End SeAddUsers BLOCK *********/
 
@@ -5662,9 +6217,9 @@ NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
        }
 
        become_root();
-       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
                               &min_password_length);
-       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                               &password_properties);
        unbecome_root();
 
@@ -5706,24 +6261,27 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
        }
 
        /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
 
        make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
        se_map_generic(&des_access,&grp_generic_mapping);
 
        se_priv_copy( &se_rights, &se_add_users );
 
-       status = access_check_samr_object(psd, p->server_info->ptok,
-               &se_rights, GENERIC_RIGHTS_GROUP_WRITE, des_access,
-               &acc_granted, "_samr_OpenGroup");
+       status = access_check_object(psd, p->server_info->ptok,
+               &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
+               des_access, &acc_granted, "_samr_OpenGroup");
 
        if ( !NT_STATUS_IS_OK(status) )
                return status;
 
        /* this should not be hard-coded like this */
 
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                return NT_STATUS_ACCESS_DENIED;
+       }
 
        sid_compose(&info_sid, &dinfo->sid, r->in.rid);
 
@@ -5738,7 +6296,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
                return NT_STATUS_NO_SUCH_GROUP;
 
        ginfo = policy_handle_create(p, r->out.group_handle,
-                                    GENERIC_RIGHTS_GROUP_ALL_ACCESS,
+                                    acc_granted,
                                     struct samr_group_info, &status);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
@@ -5764,7 +6322,7 @@ NTSTATUS _samr_RemoveMemberFromForeignDomain(pipes_struct *p,
        /* Find the policy handle. Open a policy on it. */
 
        dinfo = policy_handle_find(p, r->in.domain_handle,
-                                  STD_RIGHT_DELETE_ACCESS, NULL,
+                                  SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, NULL,
                                   struct samr_domain_info, &result);
        if (!NT_STATUS_IS_OK(result)) {
                return result;
@@ -5820,6 +6378,67 @@ NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
        return _samr_QueryDomainInfo(p, &q);
 }
 
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_1(TALLOC_CTX *mem_ctx,
+                              struct samr_DomInfo1 *r)
+{
+       time_t u_expire, u_min_age;
+
+       u_expire = nt_time_to_unix_abs((NTTIME *)&r->max_password_age);
+       u_min_age = nt_time_to_unix_abs((NTTIME *)&r->min_password_age);
+
+       pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
+                              (uint32_t)r->min_password_length);
+       pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY,
+                              (uint32_t)r->password_history_length);
+       pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
+                              (uint32_t)r->password_properties);
+       pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, (int)u_expire);
+       pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, (int)u_min_age);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_3(TALLOC_CTX *mem_ctx,
+                              struct samr_DomInfo3 *r)
+{
+       time_t u_logout;
+
+       u_logout = nt_time_to_unix_abs((NTTIME *)&r->force_logoff_time);
+
+       pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT, (int)u_logout);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
+                               struct samr_DomInfo12 *r)
+{
+       time_t u_lock_duration, u_reset_time;
+
+       u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
+       if (u_lock_duration != -1) {
+               u_lock_duration /= 60;
+       }
+
+       u_reset_time = nt_time_to_unix_abs((NTTIME *)&r->lockout_window)/60;
+
+       pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
+       pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME, (int)u_reset_time);
+       pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT,
+                              (uint32_t)r->lockout_threshold);
+
+       return NT_STATUS_OK;
+}
+
 /*******************************************************************
  _samr_SetDomainInfo
  ********************************************************************/
@@ -5828,66 +6447,67 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
                             struct samr_SetDomainInfo *r)
 {
        struct samr_domain_info *dinfo;
-       time_t u_expire, u_min_age;
-       time_t u_logout;
-       time_t u_lock_duration, u_reset_time;
-       NTSTATUS result;
+       NTSTATUS status;
+       uint32_t acc_required = 0;
 
        DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
 
-       /* We do have different access bits for info
-        * levels here, but we're really just looking for
-        * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
-        * this maps to different specific bits. So
-        * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
-        * set we are ok. */
+       switch (r->in.level) {
+       case 1: /* DomainPasswordInformation */
+       case 12: /* DomainLockoutInformation */
+               /* DOMAIN_WRITE_PASSWORD_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_1;
+               break;
+       case 3: /* DomainLogoffInformation */
+       case 4: /* DomainOemInformation */
+               /* DOMAIN_WRITE_OTHER_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_2;
+               break;
+       case 6: /* DomainReplicationInformation */
+       case 9: /* DomainStateInformation */
+       case 7: /* DomainServerRoleInformation */
+               /* DOMAIN_ADMINISTER_SERVER */
+               acc_required = SAMR_DOMAIN_ACCESS_SET_INFO_3;
+               break;
+       default:
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
 
        dinfo = policy_handle_find(p, r->in.domain_handle,
-                                  SAMR_DOMAIN_ACCESS_SET_INFO_1, NULL,
-                                  struct samr_domain_info, &result);
-       if (!NT_STATUS_IS_OK(result)) {
-               return result;
+                                  acc_required, NULL,
+                                  struct samr_domain_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
        }
 
        DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
 
        switch (r->in.level) {
-               case 0x01:
-                       u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
-                       u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
-                       pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
-                       pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
-                       pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
-                       pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
-                       pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
+               case 1:
+                       status = set_dom_info_1(p->mem_ctx, &r->in.info->info1);
                        break;
-               case 0x02:
+               case 3:
+                       status = set_dom_info_3(p->mem_ctx, &r->in.info->info3);
                        break;
-               case 0x03:
-                       u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
-                       pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
+               case 4:
                        break;
-               case 0x05:
+               case 6:
                        break;
-               case 0x06:
+               case 7:
                        break;
-               case 0x07:
+               case 9:
                        break;
-               case 0x0c:
-                       u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
-                       if (u_lock_duration != -1)
-                               u_lock_duration /= 60;
-
-                       u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
-
-                       pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
-                       pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
-                       pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
+               case 12:
+                       status = set_dom_info_12(p->mem_ctx, &r->in.info->info12);
                        break;
                default:
                        return NT_STATUS_INVALID_INFO_CLASS;
        }
 
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
 
        return NT_STATUS_OK;
@@ -6038,59 +6658,168 @@ NTSTATUS _samr_GetDisplayEnumerationIndex2(pipes_struct *p,
 }
 
 /****************************************************************
+ _samr_RidToSid
 ****************************************************************/
 
-NTSTATUS _samr_Shutdown(pipes_struct *p,
-                       struct samr_Shutdown *r)
+NTSTATUS _samr_RidToSid(pipes_struct *p,
+                       struct samr_RidToSid *r)
 {
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       struct samr_domain_info *dinfo;
+       NTSTATUS status;
+       struct dom_sid sid;
+
+       dinfo = policy_handle_find(p, r->in.domain_handle,
+                                  0, NULL,
+                                  struct samr_domain_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       if (!sid_compose(&sid, &dinfo->sid, r->in.rid)) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       *r->out.sid = sid_dup_talloc(p->mem_ctx, &sid);
+       if (!*r->out.sid) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
-                                         struct samr_SetMemberAttributesOfGroup *r)
+static enum samr_ValidationStatus samr_ValidatePassword_Change(TALLOC_CTX *mem_ctx,
+                                                              const struct samr_PwInfo *dom_pw_info,
+                                                              const struct samr_ValidatePasswordReq2 *req,
+                                                              struct samr_ValidatePasswordRepCtr *rep)
 {
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
-                                 struct samr_ChangePasswordUser *r)
+static enum samr_ValidationStatus samr_ValidatePassword_Reset(TALLOC_CTX *mem_ctx,
+                                                             const struct samr_PwInfo *dom_pw_info,
+                                                             const struct samr_ValidatePasswordReq3 *req,
+                                                             struct samr_ValidatePasswordRepCtr *rep)
 {
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
 }
 
 /****************************************************************
+ _samr_ValidatePassword
 ****************************************************************/
 
-NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
-                                         struct samr_TestPrivateFunctionsDomain *r)
+NTSTATUS _samr_ValidatePassword(pipes_struct *p,
+                               struct samr_ValidatePassword *r)
 {
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
+       union samr_ValidatePasswordRep *rep;
+       NTSTATUS status;
+       struct samr_GetDomPwInfo pw;
+       struct samr_PwInfo dom_pw_info;
+
+       if (r->in.level < 1 || r->in.level > 3) {
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       pw.in.domain_name = NULL;
+       pw.out.info = &dom_pw_info;
+
+       status = _samr_GetDomPwInfo(p, &pw);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       rep = talloc_zero(p->mem_ctx, union samr_ValidatePasswordRep);
+       if (!rep) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       switch (r->in.level) {
+       case 1:
+               status = NT_STATUS_NOT_SUPPORTED;
+               break;
+       case 2:
+               rep->ctr2.status = samr_ValidatePassword_Change(p->mem_ctx,
+                                                               &dom_pw_info,
+                                                               &r->in.req->req2,
+                                                               &rep->ctr2);
+               break;
+       case 3:
+               rep->ctr3.status = samr_ValidatePassword_Reset(p->mem_ctx,
+                                                              &dom_pw_info,
+                                                              &r->in.req->req3,
+                                                              &rep->ctr3);
+               break;
+       default:
+               status = NT_STATUS_INVALID_INFO_CLASS;
+               break;
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(rep);
+               return status;
+       }
+
+       *r->out.rep = rep;
+
+       return NT_STATUS_OK;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
-                                       struct samr_TestPrivateFunctionsUser *r)
+NTSTATUS _samr_Shutdown(pipes_struct *p,
+                       struct samr_Shutdown *r)
 {
+       p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
-                                        struct samr_AddMultipleMembersToAlias *r)
+NTSTATUS _samr_SetMemberAttributesOfGroup(pipes_struct *p,
+                                         struct samr_SetMemberAttributesOfGroup *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
@@ -6099,28 +6828,26 @@ NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
-                                             struct samr_RemoveMultipleMembersFromAlias *r)
+NTSTATUS _samr_TestPrivateFunctionsDomain(pipes_struct *p,
+                                         struct samr_TestPrivateFunctionsDomain *r)
 {
-       p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
-                                     struct samr_OemChangePasswordUser2 *r)
+NTSTATUS _samr_TestPrivateFunctionsUser(pipes_struct *p,
+                                       struct samr_TestPrivateFunctionsUser *r)
 {
-       p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
 }
 
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
-                                    struct samr_SetBootKeyInformation *r)
+NTSTATUS _samr_AddMultipleMembersToAlias(pipes_struct *p,
+                                        struct samr_AddMultipleMembersToAlias *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
@@ -6129,8 +6856,8 @@ NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
-                                    struct samr_GetBootKeyInformation *r)
+NTSTATUS _samr_RemoveMultipleMembersFromAlias(pipes_struct *p,
+                                             struct samr_RemoveMultipleMembersFromAlias *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
@@ -6139,8 +6866,8 @@ NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_RidToSid(pipes_struct *p,
-                       struct samr_RidToSid *r)
+NTSTATUS _samr_SetBootKeyInformation(pipes_struct *p,
+                                    struct samr_SetBootKeyInformation *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
@@ -6149,8 +6876,8 @@ NTSTATUS _samr_RidToSid(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
-                              struct samr_SetDsrmPassword *r)
+NTSTATUS _samr_GetBootKeyInformation(pipes_struct *p,
+                                    struct samr_GetBootKeyInformation *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
@@ -6159,8 +6886,8 @@ NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _samr_ValidatePassword(pipes_struct *p,
-                               struct samr_ValidatePassword *r)
+NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
+                              struct samr_SetDsrmPassword *r)
 {
        p->rng_fault_state = true;
        return NT_STATUS_NOT_IMPLEMENTED;
Unnamed repository; edit this file 'description' to name the repository.