s3: Use sid_check_is_domain instead of a direct sid_equal

[ira/wip.git] / source3 / rpc_server / srv_samr_nt.c
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c

index f1725e2454177c91bcf54cdf509a7954bb721270..3626cbdf2a04c2e90afc5c7705f91a7ecc939d62 100644 (file)
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -32,7 +32,9 @@
   */
  
  #include "includes.h"
+#include "smbd/globals.h"
  #include "../libcli/auth/libcli_auth.h"
+#include "../librpc/gen_ndr/srv_samr.h"
  
  #undef DBGC_CLASS
  #define DBGC_CLASS DBGC_RPC_SRV
@@ -77,7 +79,7 @@ typedef struct disp_info {
         struct pdb_search *groups; /* querydispinfo 3 and 5, enumgroups */
         struct pdb_search *aliases; /* enumaliases */
  
-       uint16 enum_acb_mask;
+       uint32_t enum_acb_mask;
         struct pdb_search *enum_users; /* enumusers with a mask */
  
         struct timed_event *cache_timeout_event; /* cache idle timeout
@@ -143,8 +145,8 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
         /* Add Full Access for Domain Admins if we are a DC */
  
         if ( IS_DC ) {
-               sid_copy( &domadmin_sid, get_global_sam_sid() );
-               sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
+               sid_compose(&domadmin_sid, get_global_sam_sid(),
+                           DOMAIN_GROUP_RID_ADMINS);
                 init_sec_ace(&ace[i++], &domadmin_sid,
                         SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
         }
@@ -173,7 +175,7 @@ static NTSTATUS make_samr_object_sd( TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
   level of access for further checks.
  ********************************************************************/
  
-static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
+NTSTATUS access_check_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                                            SE_PRIV *rights, uint32 rights_mask,
                                            uint32 des_access, uint32 *acc_granted,
                                           const char *debug )
@@ -191,7 +193,7 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
                 saved_mask = (des_access & rights_mask);
                 des_access &= ~saved_mask;
  
-               DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+               DEBUG(4,("access_check_object: user rights access mask [0x%x]\n",
                         rights_mask));
         }
  
@@ -235,27 +237,28 @@ done:
   Map any MAXIMUM_ALLOWED_ACCESS request to a valid access set.
  ********************************************************************/
  
-static void map_max_allowed_access(const NT_USER_TOKEN *token,
-                                       uint32_t *pacc_requested)
+void map_max_allowed_access(const NT_USER_TOKEN *nt_token,
+                           const struct unix_user_token *unix_token,
+                           uint32_t *pacc_requested)
  {
         if (!((*pacc_requested) & MAXIMUM_ALLOWED_ACCESS)) {
                 return;
         }
         *pacc_requested &= ~MAXIMUM_ALLOWED_ACCESS;
  
-       /* At least try for generic read. */
-       *pacc_requested = GENERIC_READ_ACCESS;
+       /* At least try for generic read|execute - Everyone gets that. */
+       *pacc_requested = GENERIC_READ_ACCESS|GENERIC_EXECUTE_ACCESS;
  
         /* root gets anything. */
-       if (geteuid() == sec_initial_uid()) {
+       if (unix_token->uid == sec_initial_uid()) {
                 *pacc_requested |= GENERIC_ALL_ACCESS;
                 return;
         }
  
         /* Full Access for 'BUILTIN\Administrators' and 'BUILTIN\Account Operators */
  
-       if (is_sid_in_token(token, &global_sid_Builtin_Administrators) ||
-                       is_sid_in_token(token, &global_sid_Builtin_Account_Operators)) {
+       if (is_sid_in_token(nt_token, &global_sid_Builtin_Administrators) ||
+                       is_sid_in_token(nt_token, &global_sid_Builtin_Account_Operators)) {
                 *pacc_requested |= GENERIC_ALL_ACCESS;
                 return;
         }
@@ -263,9 +266,9 @@ static void map_max_allowed_access(const NT_USER_TOKEN *token,
         /* Full access for DOMAIN\Domain Admins. */
         if ( IS_DC ) {
                 DOM_SID domadmin_sid;
-               sid_copy( &domadmin_sid, get_global_sam_sid() );
-               sid_append_rid( &domadmin_sid, DOMAIN_GROUP_RID_ADMINS );
-               if (is_sid_in_token(token, &domadmin_sid)) {
+               sid_compose(&domadmin_sid, get_global_sam_sid(),
+                           DOMAIN_GROUP_RID_ADMINS);
+               if (is_sid_in_token(nt_token, &domadmin_sid)) {
                         *pacc_requested |= GENERIC_ALL_ACCESS;
                         return;
                 }
@@ -549,7 +552,9 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
         }
  
         /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
         se_map_generic( &des_access, &dom_generic_mapping );
@@ -573,7 +578,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
                                 SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
         }
  
-       status = access_check_samr_object( psd, p->server_info->ptok,
+       status = access_check_object( psd, p->server_info->ptok,
                 &se_rights, extra_access, des_access,
                 &acc_granted, "_samr_OpenDomain" );
  
@@ -635,9 +640,9 @@ NTSTATUS _samr_GetUserPwInfo(pipes_struct *p,
         switch (sid_type) {
                 case SID_NAME_USER:
                         become_root();
-                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
+                       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
                                                &min_password_length);
-                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+                       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                                                &password_properties);
                         unbecome_root();
  
@@ -769,7 +774,7 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
         struct samr_alias_info *ainfo;
         NTSTATUS status;
         SEC_DESC * psd = NULL;
-       size_t sd_size;
+       size_t sd_size = 0;
  
         cinfo = policy_handle_find(p, r->in.handle,
                                    STD_RIGHT_READ_CONTROL_ACCESS, NULL,
@@ -938,6 +943,12 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
                 return status;
         }
  
+       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+       if (!samr_array) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       *r->out.sam = samr_array;
+
         if (sid_check_is_builtin(&dinfo->sid)) {
                 /* No users in builtin. */
                 *r->out.resume_handle = *r->in.resume_handle;
@@ -945,12 +956,6 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
                 return status;
         }
  
-       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
-       if (!samr_array) {
-               return NT_STATUS_NO_MEMORY;
-       }
-       *r->out.sam = samr_array;
-
         become_root();
  
         /* AS ROOT !!!! */
@@ -1073,6 +1078,12 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
  
         DEBUG(5,("_samr_EnumDomainGroups: %d\n", __LINE__));
  
+       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
+       if (!samr_array) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       *r->out.sam = samr_array;
+
         if (sid_check_is_builtin(&dinfo->sid)) {
                 /* No groups in builtin. */
                 *r->out.resume_handle = *r->in.resume_handle;
@@ -1080,11 +1091,6 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
                 return status;
         }
  
-       samr_array = TALLOC_ZERO_P(p->mem_ctx, struct samr_SamArray);
-       if (!samr_array) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
         /* the domain group array is being allocated in the function below */
  
         become_root();
@@ -1109,10 +1115,15 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
         make_group_sam_entry_list(p->mem_ctx, &samr_entries,
                                   num_groups, groups);
  
+       if (MAX_SAM_ENTRIES <= num_groups) {
+               status = STATUS_MORE_ENTRIES;
+       } else {
+               status = NT_STATUS_OK;
+       }
+
         samr_array->count = num_groups;
         samr_array->entries = samr_entries;
  
-       *r->out.sam = samr_array;
         *r->out.num_entries = num_groups;
         *r->out.resume_handle = num_groups + *r->in.resume_handle;
  
@@ -1174,6 +1185,12 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
  
         DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
  
+       if (MAX_SAM_ENTRIES <= num_aliases) {
+               status = STATUS_MORE_ENTRIES;
+       } else {
+               status = NT_STATUS_OK;
+       }
+
         samr_array->count = num_aliases;
         samr_array->entries = samr_entries;
  
@@ -1394,12 +1411,10 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
         uint32 struct_size=0x20; /* W2K always reply that, client doesn't care */
  
         uint32 max_entries = r->in.max_entries;
-       uint32 enum_context = r->in.start_idx;
-       uint32 max_size = r->in.buf_size;
  
         union samr_DispInfo *disp_info = r->out.info;
  
-       uint32 temp_size=0, total_data_size=0;
+       uint32 temp_size=0;
         NTSTATUS disp_ret = NT_STATUS_UNSUCCESSFUL;
         uint32 num_account = 0;
         enum remote_arch_types ra_type = get_remote_arch();
@@ -1455,9 +1470,9 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
         }
  
         /* first limit the number of entries we will return */
-       if(max_entries > max_sam_entries) {
+       if (r->in.max_entries > max_sam_entries) {
                 DEBUG(5, ("_samr_QueryDisplayInfo: client requested %d "
-                         "entries, limiting to %d\n", max_entries,
+                         "entries, limiting to %d\n", r->in.max_entries,
                           max_sam_entries));
                 max_entries = max_sam_entries;
         }
@@ -1467,8 +1482,8 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
  
         temp_size=max_entries*struct_size;
  
-       if (temp_size>max_size) {
-               max_entries=MIN((max_size/struct_size),max_entries);;
+       if (temp_size > r->in.buf_size) {
+               max_entries = MIN((r->in.buf_size / struct_size),max_entries);;
                 DEBUG(5, ("_samr_QueryDisplayInfo: buffer size limits to "
                           "only %d entries\n", max_entries));
         }
@@ -1488,14 +1503,14 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                 return NT_STATUS_ACCESS_DENIED;
                         }
                         DEBUG(10,("_samr_QueryDisplayInfo: starting user enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 } else {
                         DEBUG(10,("_samr_QueryDisplayInfo: using cached user enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 }
  
                 num_account = pdb_search_entries(dinfo->disp_info->users,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                  &entries);
                 break;
         case 2:
@@ -1507,14 +1522,14 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                 return NT_STATUS_ACCESS_DENIED;
                         }
                         DEBUG(10,("_samr_QueryDisplayInfo: starting machine enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 } else {
                         DEBUG(10,("_samr_QueryDisplayInfo: using cached machine enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 }
  
                 num_account = pdb_search_entries(dinfo->disp_info->machines,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                  &entries);
                 break;
         case 3:
@@ -1527,14 +1542,14 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
                                 return NT_STATUS_ACCESS_DENIED;
                         }
                         DEBUG(10,("_samr_QueryDisplayInfo: starting group enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 } else {
                         DEBUG(10,("_samr_QueryDisplayInfo: using cached group enumeration at index %u\n",
-                               (unsigned  int)enum_context ));
+                               (unsigned  int)r->in.start_idx));
                 }
  
                 num_account = pdb_search_entries(dinfo->disp_info->groups,
-                                                enum_context, max_entries,
+                                                r->in.start_idx, max_entries,
                                                  &entries);
                 break;
         default:
@@ -1549,27 +1564,27 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
         switch (r->in.level) {
         case 1:
                 disp_ret = init_samr_dispinfo_1(p->mem_ctx, &disp_info->info1,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                 entries);
                 break;
         case 2:
                 disp_ret = init_samr_dispinfo_2(p->mem_ctx, &disp_info->info2,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                 entries);
                 break;
         case 3:
                 disp_ret = init_samr_dispinfo_3(p->mem_ctx, &disp_info->info3,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                 entries);
                 break;
         case 4:
                 disp_ret = init_samr_dispinfo_4(p->mem_ctx, &disp_info->info4,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                 entries);
                 break;
         case 5:
                 disp_ret = init_samr_dispinfo_5(p->mem_ctx, &disp_info->info5,
-                                               num_account, enum_context,
+                                               num_account, r->in.start_idx,
                                                 entries);
                 break;
         default:
@@ -1580,9 +1595,6 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
         if (!NT_STATUS_IS_OK(disp_ret))
                 return disp_ret;
  
-       /* calculate the total size */
-       total_data_size=num_account*struct_size;
-
         if (max_entries <= num_account) {
                 status = STATUS_MORE_ENTRIES;
         } else {
@@ -1594,8 +1606,8 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
  
         DEBUG(5, ("_samr_QueryDisplayInfo: %d\n", __LINE__));
  
-       *r->out.total_size = total_data_size;
-       *r->out.returned_size = temp_size;
+       *r->out.total_size = num_account * struct_size;
+       *r->out.returned_size = num_account ? temp_size : 0;
  
         return status;
  }
@@ -1908,6 +1920,7 @@ NTSTATUS _samr_ChangePasswordUser(pipes_struct *p,
  NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
                                    struct samr_ChangePasswordUser2 *r)
  {
+       struct smbd_server_connection *sconn = smbd_server_conn;
         NTSTATUS status;
         fstring user_name;
         fstring wks;
@@ -1924,7 +1937,7 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
          * function.
          */
  
-       (void)map_username(user_name);
+       (void)map_username(sconn, user_name);
  
         /*
          * UNIX username case mangling not required, pass_oem_change
@@ -1954,6 +1967,7 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p,
  NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
                                       struct samr_OemChangePasswordUser2 *r)
  {
+       struct smbd_server_connection *sconn = smbd_server_conn;
         NTSTATUS status;
         fstring user_name;
         const char *wks = NULL;
@@ -1972,7 +1986,7 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
          * function.
          */
  
-       (void)map_username(user_name);
+       (void)map_username(sconn, user_name);
  
         /*
          * UNIX username case mangling not required, pass_oem_change
@@ -2006,12 +2020,13 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p,
  NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                                    struct samr_ChangePasswordUser3 *r)
  {
+       struct smbd_server_connection *sconn = smbd_server_conn;
         NTSTATUS status;
         fstring user_name;
         const char *wks = NULL;
-       uint32 reject_reason;
+       enum samPwdChangeReason reject_reason;
         struct samr_DomInfo1 *dominfo = NULL;
-       struct samr_ChangeReject *reject = NULL;
+       struct userPwdChangeFailureInformation *reject = NULL;
         uint32_t tmp;
  
         DEBUG(5,("_samr_ChangePasswordUser3: %d\n", __LINE__));
@@ -2028,7 +2043,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
          * function.
          */
  
-       (void)map_username(user_name);
+       (void)map_username(sconn, user_name);
  
         /*
          * UNIX username case mangling not required, pass_oem_change
@@ -2056,7 +2071,8 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                         return NT_STATUS_NO_MEMORY;
                 }
  
-               reject = TALLOC_ZERO_P(p->mem_ctx, struct samr_ChangeReject);
+               reject = TALLOC_ZERO_P(p->mem_ctx,
+                               struct userPwdChangeFailureInformation);
                 if (!reject) {
                         return NT_STATUS_NO_MEMORY;
                 }
@@ -2065,19 +2081,19 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
  
                 /* AS ROOT !!! */
  
-               pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &tmp);
+               pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &tmp);
                 dominfo->min_password_length = tmp;
  
-               pdb_get_account_policy(AP_PASSWORD_HISTORY, &tmp);
+               pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &tmp);
                 dominfo->password_history_length = tmp;
  
-               pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+               pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                                        &dominfo->password_properties);
  
-               pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+               pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
                 u_expire = account_policy_temp;
  
-               pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+               pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
                 u_min_age = account_policy_temp;
  
                 /* !AS ROOT */
@@ -2091,7 +2107,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p,
                         dominfo->password_properties |= DOMAIN_PASSWORD_COMPLEX;
                 }
  
-               reject->reason = reject_reason;
+               reject->extendedFailureReason = reject_reason;
  
                 *r->out.dominfo = dominfo;
                 *r->out.reject = reject;
@@ -2249,14 +2265,15 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
                 return NT_STATUS_NO_SUCH_USER;
  
         /* check if access can be granted as requested by client. */
-
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
         se_map_generic(&des_access, &usr_generic_mapping);
  
         /*
-        * Get the sampass first as we need to check privilages
+        * Get the sampass first as we need to check privileges
          * based on what kind of user object this is.
          * But don't reveal info too early if it didn't exist.
          */
@@ -2304,7 +2321,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
                  * Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
                  * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
                  * what Windows does but is a hack for people who haven't
-                * set up privilages on groups in Samba.
+                * set up privileges on groups in Samba.
                  */
                 if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
                         if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
@@ -2320,7 +2337,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
  
         TALLOC_FREE(sampass);
  
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                 &acc_granted, "_samr_OpenUser");
  
@@ -2726,7 +2743,7 @@ static NTSTATUS get_user_info_18(pipes_struct *p,
                 return NT_STATUS_ACCESS_DENIED;
         }
  
-       if (p->auth.auth_level != PIPE_AUTH_LEVEL_PRIVACY) {
+       if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
                 return NT_STATUS_ACCESS_DENIED;
         }
  
@@ -3264,309 +3281,418 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
  }
  
  /*******************************************************************
- _samr_QueryDomainInfo
   ********************************************************************/
  
-NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
-                              struct samr_QueryDomainInfo *r)
+static uint32_t samr_get_server_role(void)
  {
-       NTSTATUS status = NT_STATUS_OK;
-       struct samr_domain_info *dinfo;
-       union samr_DomainInfo *dom_info;
+       uint32_t role = ROLE_DOMAIN_PDC;
+
+       if (lp_server_role() == ROLE_DOMAIN_BDC) {
+               role = ROLE_DOMAIN_BDC;
+       }
+
+       return role;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_1(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo1 *r)
+{
+       uint32_t account_policy_temp;
         time_t u_expire, u_min_age;
  
-       time_t u_lock_duration, u_reset_time;
-       uint32_t u_logout;
+       become_root();
  
-       uint32 account_policy_temp;
+       /* AS ROOT !!! */
  
-       time_t seq_num;
-       uint32 server_role;
-       uint32_t acc_required;
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN, &account_policy_temp);
+       r->min_password_length = account_policy_temp;
  
-       DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
+       pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &account_policy_temp);
+       r->password_history_length = account_policy_temp;
  
-       switch (r->in.level) {
-       case 1: /* DomainPasswordInformation */
-       case 12: /* DomainLockoutInformation */
-               /* DOMAIN_READ_PASSWORD_PARAMETERS */
-               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
-               break;
-       case 11: /* DomainGeneralInformation2 */
-               /* DOMAIN_READ_PASSWORD_PARAMETERS |
-                * DOMAIN_READ_OTHER_PARAMETERS */
-               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
-                              SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
-               break;
-       case 2: /* DomainGeneralInformation */
-       case 3: /* DomainLogoffInformation */
-       case 4: /* DomainOemInformation */
-       case 5: /* DomainReplicationInformation */
-       case 6: /* DomainReplicationInformation */
-       case 7: /* DomainServerRoleInformation */
-       case 8: /* DomainModifiedInformation */
-       case 9: /* DomainStateInformation */
-       case 10: /* DomainUasInformation */
-       case 13: /* DomainModifiedInformation2 */
-               /* DOMAIN_READ_OTHER_PARAMETERS */
-               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
-               break;
-       default:
-               return NT_STATUS_INVALID_INFO_CLASS;
-       }
+       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
+                              &r->password_properties);
  
-       dinfo = policy_handle_find(p, r->in.domain_handle,
-                                  acc_required, NULL,
-                                  struct samr_domain_info, &status);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
+       pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &account_policy_temp);
+       u_expire = account_policy_temp;
+
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, &account_policy_temp);
+       u_min_age = account_policy_temp;
+
+       /* !AS ROOT */
+
+       unbecome_root();
+
+       unix_to_nt_time_abs((NTTIME *)&r->max_password_age, u_expire);
+       unix_to_nt_time_abs((NTTIME *)&r->min_password_age, u_min_age);
+
+       if (lp_check_password_script() && *lp_check_password_script()) {
+               r->password_properties |= DOMAIN_PASSWORD_COMPLEX;
         }
  
-       dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
-       if (!dom_info) {
-               return NT_STATUS_NO_MEMORY;
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS query_dom_info_2(TALLOC_CTX *mem_ctx,
+                                struct samr_DomGeneralInformation *r,
+                                struct samr_domain_info *dinfo)
+{
+       uint32_t u_logout;
+       time_t seq_num;
+
+       become_root();
+
+       /* AS ROOT !!! */
+
+       r->num_users    = count_sam_users(dinfo->disp_info, ACB_NORMAL);
+       r->num_groups   = count_sam_groups(dinfo->disp_info);
+       r->num_aliases  = count_sam_aliases(dinfo->disp_info);
+
+       pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &u_logout);
+
+       unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
+
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
         }
  
-       switch (r->in.level) {
-               case 1:
+       /* !AS ROOT */
  
-                       become_root();
+       unbecome_root();
  
-                       /* AS ROOT !!! */
+       r->oem_information.string       = lp_serverstring();
+       r->domain_name.string           = lp_workgroup();
+       r->primary.string               = global_myname();
+       r->sequence_num                 = seq_num;
+       r->domain_server_state          = DOMAIN_SERVER_ENABLED;
+       r->role                         = samr_get_server_role();
+       r->unknown3                     = 1;
  
-                       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
-                                              &account_policy_temp);
-                       dom_info->info1.min_password_length = account_policy_temp;
+       return NT_STATUS_OK;
+}
  
-                       pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
-                       dom_info->info1.password_history_length = account_policy_temp;
+/*******************************************************************
+ ********************************************************************/
  
-                       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
-                               &dom_info->info1.password_properties);
+static NTSTATUS query_dom_info_3(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo3 *r)
+{
+       uint32_t u_logout;
  
-                       pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
-                       u_expire = account_policy_temp;
+       become_root();
  
-                       pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
-                       u_min_age = account_policy_temp;
+       /* AS ROOT !!! */
  
-                       /* !AS ROOT */
+       {
+               uint32_t ul;
+               pdb_get_account_policy(PDB_POLICY_TIME_TO_LOGOUT, &ul);
+               u_logout = (time_t)ul;
+       }
  
-                       unbecome_root();
+       /* !AS ROOT */
  
-                       unix_to_nt_time_abs((NTTIME *)&dom_info->info1.max_password_age, u_expire);
-                       unix_to_nt_time_abs((NTTIME *)&dom_info->info1.min_password_age, u_min_age);
+       unbecome_root();
  
-                       if (lp_check_password_script() && *lp_check_password_script()) {
-                               dom_info->info1.password_properties |= DOMAIN_PASSWORD_COMPLEX;
-                       }
+       unix_to_nt_time_abs(&r->force_logoff_time, u_logout);
  
-                       break;
-               case 2:
+       return NT_STATUS_OK;
+}
  
-                       become_root();
+/*******************************************************************
+ ********************************************************************/
  
-                       /* AS ROOT !!! */
+static NTSTATUS query_dom_info_4(TALLOC_CTX *mem_ctx,
+                                struct samr_DomOEMInformation *r)
+{
+       r->oem_information.string = lp_serverstring();
  
-                       dom_info->general.num_users     = count_sam_users(
-                               dinfo->disp_info, ACB_NORMAL);
-                       dom_info->general.num_groups    = count_sam_groups(
-                               dinfo->disp_info);
-                       dom_info->general.num_aliases   = count_sam_aliases(
-                               dinfo->disp_info);
+       return NT_STATUS_OK;
+}
  
-                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
+/*******************************************************************
+ ********************************************************************/
  
-                       unix_to_nt_time_abs(&dom_info->general.force_logoff_time, u_logout);
+static NTSTATUS query_dom_info_5(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo5 *r)
+{
+       r->domain_name.string = get_global_sam_name();
  
-                       if (!pdb_get_seq_num(&seq_num))
-                               seq_num = time(NULL);
+       return NT_STATUS_OK;
+}
  
-                       /* !AS ROOT */
+/*******************************************************************
+ ********************************************************************/
  
-                       unbecome_root();
+static NTSTATUS query_dom_info_6(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo6 *r)
+{
+       /* NT returns its own name when a PDC. win2k and later
+        * only the name of the PDC if itself is a BDC (samba4
+        * idl) */
+       r->primary.string = global_myname();
  
-                       server_role = ROLE_DOMAIN_PDC;
-                       if (lp_server_role() == ROLE_DOMAIN_BDC)
-                               server_role = ROLE_DOMAIN_BDC;
+       return NT_STATUS_OK;
+}
  
-                       dom_info->general.oem_information.string        = lp_serverstring();
-                       dom_info->general.domain_name.string            = lp_workgroup();
-                       dom_info->general.primary.string                = global_myname();
-                       dom_info->general.sequence_num                  = seq_num;
-                       dom_info->general.domain_server_state           = DOMAIN_SERVER_ENABLED;
-                       dom_info->general.role                          = server_role;
-                       dom_info->general.unknown3                      = 1;
+/*******************************************************************
+ ********************************************************************/
  
-                       break;
-               case 3:
+static NTSTATUS query_dom_info_7(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo7 *r)
+{
+       r->role = samr_get_server_role();
  
-                       become_root();
+       return NT_STATUS_OK;
+}
  
-                       /* AS ROOT !!! */
+/*******************************************************************
+ ********************************************************************/
  
-                       {
-                               uint32 ul;
-                               pdb_get_account_policy(AP_TIME_TO_LOGOUT, &ul);
-                               u_logout = (time_t)ul;
-                       }
+static NTSTATUS query_dom_info_8(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo8 *r)
+{
+       time_t seq_num;
  
-                       /* !AS ROOT */
+       become_root();
  
-                       unbecome_root();
+       /* AS ROOT !!! */
  
-                       unix_to_nt_time_abs(&dom_info->info3.force_logoff_time, u_logout);
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
+       }
  
-                       break;
-               case 4:
-                       dom_info->oem.oem_information.string = lp_serverstring();
-                       break;
-               case 5:
-                       dom_info->info5.domain_name.string = get_global_sam_name();
-                       break;
-               case 6:
-                       /* NT returns its own name when a PDC. win2k and later
-                        * only the name of the PDC if itself is a BDC (samba4
-                        * idl) */
-                       dom_info->info6.primary.string = global_myname();
-                       break;
-               case 7:
-                       server_role = ROLE_DOMAIN_PDC;
-                       if (lp_server_role() == ROLE_DOMAIN_BDC)
-                               server_role = ROLE_DOMAIN_BDC;
+       /* !AS ROOT */
  
-                       dom_info->info7.role = server_role;
-                       break;
-               case 8:
+       unbecome_root();
  
-                       become_root();
+       r->sequence_num = seq_num;
+       r->domain_create_time = 0;
  
-                       /* AS ROOT !!! */
+       return NT_STATUS_OK;
+}
  
-                       if (!pdb_get_seq_num(&seq_num)) {
-                               seq_num = time(NULL);
-                       }
+/*******************************************************************
+ ********************************************************************/
  
-                       /* !AS ROOT */
+static NTSTATUS query_dom_info_9(TALLOC_CTX *mem_ctx,
+                                struct samr_DomInfo9 *r)
+{
+       r->domain_server_state = DOMAIN_SERVER_ENABLED;
  
-                       unbecome_root();
+       return NT_STATUS_OK;
+}
  
-                       dom_info->info8.sequence_num = seq_num;
-                       dom_info->info8.domain_create_time = 0;
+/*******************************************************************
+ ********************************************************************/
  
-                       break;
-               case 9:
+static NTSTATUS query_dom_info_11(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomGeneralInformation2 *r,
+                                 struct samr_domain_info *dinfo)
+{
+       NTSTATUS status;
+       uint32_t account_policy_temp;
+       time_t u_lock_duration, u_reset_time;
  
-                       dom_info->info9.domain_server_state             = DOMAIN_SERVER_ENABLED;
+       status = query_dom_info_2(mem_ctx, &r->general, dinfo);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
  
-                       break;
-               case 11:
+       /* AS ROOT !!! */
  
-                       /* AS ROOT !!! */
+       become_root();
  
-                       become_root();
+       pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+       u_lock_duration = account_policy_temp;
+       if (u_lock_duration != -1) {
+               u_lock_duration *= 60;
+       }
  
-                       dom_info->general2.general.num_users    = count_sam_users(
-                               dinfo->disp_info, ACB_NORMAL);
-                       dom_info->general2.general.num_groups   = count_sam_groups(
-                               dinfo->disp_info);
-                       dom_info->general2.general.num_aliases  = count_sam_aliases(
-                               dinfo->disp_info);
+       pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
+       u_reset_time = account_policy_temp * 60;
  
-                       pdb_get_account_policy(AP_TIME_TO_LOGOUT, &u_logout);
+       pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+       r->lockout_threshold = account_policy_temp;
  
-                       unix_to_nt_time_abs(&dom_info->general2.general.force_logoff_time, u_logout);
+       /* !AS ROOT */
  
-                       if (!pdb_get_seq_num(&seq_num))
-                               seq_num = time(NULL);
+       unbecome_root();
  
-                       pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
-                       u_lock_duration = account_policy_temp;
-                       if (u_lock_duration != -1) {
-                               u_lock_duration *= 60;
-                       }
+       unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
+       unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
  
-                       pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
-                       u_reset_time = account_policy_temp * 60;
+       return NT_STATUS_OK;
+}
  
-                       pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
-                                              &account_policy_temp);
-                       dom_info->general2.lockout_threshold = account_policy_temp;
+/*******************************************************************
+ ********************************************************************/
  
-                       /* !AS ROOT */
+static NTSTATUS query_dom_info_12(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomInfo12 *r)
+{
+       uint32_t account_policy_temp;
+       time_t u_lock_duration, u_reset_time;
  
-                       unbecome_root();
+       become_root();
  
-                       server_role = ROLE_DOMAIN_PDC;
-                       if (lp_server_role() == ROLE_DOMAIN_BDC)
-                               server_role = ROLE_DOMAIN_BDC;
+       /* AS ROOT !!! */
  
-                       dom_info->general2.general.oem_information.string       = lp_serverstring();
-                       dom_info->general2.general.domain_name.string           = lp_workgroup();
-                       dom_info->general2.general.primary.string               = global_myname();
-                       dom_info->general2.general.sequence_num                 = seq_num;
-                       dom_info->general2.general.domain_server_state          = DOMAIN_SERVER_ENABLED;
-                       dom_info->general2.general.role                         = server_role;
-                       dom_info->general2.general.unknown3                     = 1;
+       pdb_get_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+       u_lock_duration = account_policy_temp;
+       if (u_lock_duration != -1) {
+               u_lock_duration *= 60;
+       }
  
-                       unix_to_nt_time_abs(&dom_info->general2.lockout_duration,
-                                           u_lock_duration);
-                       unix_to_nt_time_abs(&dom_info->general2.lockout_window,
-                                           u_reset_time);
+       pdb_get_account_policy(PDB_POLICY_RESET_COUNT_TIME, &account_policy_temp);
+       u_reset_time = account_policy_temp * 60;
  
-                       break;
-               case 12:
+       pdb_get_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+       r->lockout_threshold = account_policy_temp;
  
-                       become_root();
+       /* !AS ROOT */
  
-                       /* AS ROOT !!! */
+       unbecome_root();
  
-                       pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
-                       u_lock_duration = account_policy_temp;
-                       if (u_lock_duration != -1) {
-                               u_lock_duration *= 60;
-                       }
+       unix_to_nt_time_abs(&r->lockout_duration, u_lock_duration);
+       unix_to_nt_time_abs(&r->lockout_window, u_reset_time);
  
-                       pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
-                       u_reset_time = account_policy_temp * 60;
+       return NT_STATUS_OK;
+}
  
-                       pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
-                                              &account_policy_temp);
-                       dom_info->info12.lockout_threshold = account_policy_temp;
+/*******************************************************************
+ ********************************************************************/
  
-                       /* !AS ROOT */
+static NTSTATUS query_dom_info_13(TALLOC_CTX *mem_ctx,
+                                 struct samr_DomInfo13 *r)
+{
+       time_t seq_num;
  
-                       unbecome_root();
+       become_root();
  
-                       unix_to_nt_time_abs(&dom_info->info12.lockout_duration,
-                                           u_lock_duration);
-                       unix_to_nt_time_abs(&dom_info->info12.lockout_window,
-                                           u_reset_time);
+       /* AS ROOT !!! */
  
-                       break;
-               case 13:
+       if (!pdb_get_seq_num(&seq_num)) {
+               seq_num = time(NULL);
+       }
  
-                       become_root();
+       /* !AS ROOT */
  
-                       /* AS ROOT !!! */
+       unbecome_root();
  
-                       if (!pdb_get_seq_num(&seq_num)) {
-                               seq_num = time(NULL);
-                       }
+       r->sequence_num = seq_num;
+       r->domain_create_time = 0;
+       r->modified_count_at_last_promotion = 0;
  
-                       /* !AS ROOT */
+       return NT_STATUS_OK;
+}
  
-                       unbecome_root();
+/*******************************************************************
+ _samr_QueryDomainInfo
+ ********************************************************************/
  
-                       dom_info->info13.sequence_num = seq_num;
-                       dom_info->info13.domain_create_time = 0;
-                       dom_info->info13.modified_count_at_last_promotion = 0;
+NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
+                              struct samr_QueryDomainInfo *r)
+{
+       NTSTATUS status = NT_STATUS_OK;
+       struct samr_domain_info *dinfo;
+       union samr_DomainInfo *dom_info;
+
+       uint32_t acc_required;
+
+       DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
+
+       switch (r->in.level) {
+       case 1: /* DomainPasswordInformation */
+       case 12: /* DomainLockoutInformation */
+               /* DOMAIN_READ_PASSWORD_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1;
+               break;
+       case 11: /* DomainGeneralInformation2 */
+               /* DOMAIN_READ_PASSWORD_PARAMETERS |
+                * DOMAIN_READ_OTHER_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
+                              SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+               break;
+       case 2: /* DomainGeneralInformation */
+       case 3: /* DomainLogoffInformation */
+       case 4: /* DomainOemInformation */
+       case 5: /* DomainReplicationInformation */
+       case 6: /* DomainReplicationInformation */
+       case 7: /* DomainServerRoleInformation */
+       case 8: /* DomainModifiedInformation */
+       case 9: /* DomainStateInformation */
+       case 10: /* DomainUasInformation */
+       case 13: /* DomainModifiedInformation2 */
+               /* DOMAIN_READ_OTHER_PARAMETERS */
+               acc_required = SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2;
+               break;
+       default:
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       dinfo = policy_handle_find(p, r->in.domain_handle,
+                                  acc_required, NULL,
+                                  struct samr_domain_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       dom_info = TALLOC_ZERO_P(p->mem_ctx, union samr_DomainInfo);
+       if (!dom_info) {
+               return NT_STATUS_NO_MEMORY;
+       }
  
+       switch (r->in.level) {
+               case 1:
+                       status = query_dom_info_1(p->mem_ctx, &dom_info->info1);
+                       break;
+               case 2:
+                       status = query_dom_info_2(p->mem_ctx, &dom_info->general, dinfo);
+                       break;
+               case 3:
+                       status = query_dom_info_3(p->mem_ctx, &dom_info->info3);
+                       break;
+               case 4:
+                       status = query_dom_info_4(p->mem_ctx, &dom_info->oem);
+                       break;
+               case 5:
+                       status = query_dom_info_5(p->mem_ctx, &dom_info->info5);
+                       break;
+               case 6:
+                       status = query_dom_info_6(p->mem_ctx, &dom_info->info6);
+                       break;
+               case 7:
+                       status = query_dom_info_7(p->mem_ctx, &dom_info->info7);
+                       break;
+               case 8:
+                       status = query_dom_info_8(p->mem_ctx, &dom_info->info8);
+                       break;
+               case 9:
+                       status = query_dom_info_9(p->mem_ctx, &dom_info->info9);
+                       break;
+               case 11:
+                       status = query_dom_info_11(p->mem_ctx, &dom_info->general2, dinfo);
+                       break;
+               case 12:
+                       status = query_dom_info_12(p->mem_ctx, &dom_info->info12);
+                       break;
+               case 13:
+                       status = query_dom_info_13(p->mem_ctx, &dom_info->info13);
                         break;
                 default:
                         return NT_STATUS_INVALID_INFO_CLASS;
         }
  
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
         *r->out.info = dom_info;
  
         DEBUG(5,("_samr_QueryDomainInfo: %d\n", __LINE__));
@@ -3714,7 +3840,9 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
  
         sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
  
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
                             &sid, SAMR_USR_RIGHTS_WRITE_PW);
@@ -3727,7 +3855,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
          * just assume we have all the rights we need ?
          */
  
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                 &se_rights, GENERIC_RIGHTS_USER_WRITE, des_access,
                 &acc_granted, "_samr_CreateUser2");
  
@@ -3794,7 +3922,9 @@ NTSTATUS _samr_Connect(pipes_struct *p,
            was observed from a win98 client trying to enumerate users (when configured
            user level access control on shares)   --jerry */
  
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         se_map_generic( &des_access, &sam_generic_mapping );
  
@@ -3854,12 +3984,14 @@ NTSTATUS _samr_Connect2(pipes_struct *p,
                 return NT_STATUS_ACCESS_DENIED;
         }
  
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
         se_map_generic(&des_access, &sam_generic_mapping);
  
-       nt_status = access_check_samr_object(psd, p->server_info->ptok,
+       nt_status = access_check_object(psd, p->server_info->ptok,
                 NULL, 0, des_access, &acc_granted, fn);
  
         if ( !NT_STATUS_IS_OK(nt_status) )
@@ -4067,15 +4199,17 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
  
         /*check if access can be granted as requested by client. */
  
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
         se_map_generic(&des_access,&ali_generic_mapping);
  
         se_priv_copy( &se_rights, &se_add_users );
  
-       status = access_check_samr_object(psd, p->server_info->ptok,
-               &se_rights, SAMR_ALIAS_ACCESS_ADD_MEMBER,
+       status = access_check_object(psd, p->server_info->ptok,
+               &se_rights, GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
                 des_access, &acc_granted, "_samr_OpenAlias");
  
         if ( !NT_STATUS_IS_OK(status) )
@@ -5227,6 +5361,14 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
         r->out.rids->count = num_alias_rids;
         r->out.rids->ids = alias_rids;
  
+       if (r->out.rids->ids == NULL) {
+               /* Windows domain clients don't accept a NULL ptr here */
+               r->out.rids->ids = talloc_zero(p->mem_ctx, uint32_t);
+       }
+       if (r->out.rids->ids == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
         return NT_STATUS_OK;
  }
  
@@ -5254,7 +5396,8 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
         DEBUG(10, ("sid is %s\n", sid_string_dbg(&ainfo->sid)));
  
         become_root();
-       status = pdb_enum_aliasmem(&ainfo->sid, &pdb_sids, &num_sids);
+       status = pdb_enum_aliasmem(&ainfo->sid, talloc_tos(), &pdb_sids,
+                                  &num_sids);
         unbecome_root();
  
         if (!NT_STATUS_IS_OK(status)) {
@@ -5561,13 +5704,13 @@ NTSTATUS _samr_DeleteUser(pipes_struct *p,
  
         TALLOC_FREE(sam_pass);
  
+       force_flush_samr_cache(&uinfo->sid);
+
         if (!close_policy_hnd(p, r->in.user_handle))
                 return NT_STATUS_OBJECT_NAME_INVALID;
  
         ZERO_STRUCTP(r->out.user_handle);
  
-       force_flush_samr_cache(&uinfo->sid);
-
         return NT_STATUS_OK;
  }
  
@@ -5614,11 +5757,11 @@ NTSTATUS _samr_DeleteDomainGroup(pipes_struct *p,
                 return status;
         }
  
+       force_flush_samr_cache(&ginfo->sid);
+
         if (!close_policy_hnd(p, r->in.group_handle))
                 return NT_STATUS_OBJECT_NAME_INVALID;
  
-       force_flush_samr_cache(&ginfo->sid);
-
         return NT_STATUS_OK;
  }
  
@@ -5666,11 +5809,11 @@ NTSTATUS _samr_DeleteDomAlias(pipes_struct *p,
         if ( !NT_STATUS_IS_OK(status))
                 return status;
  
+       force_flush_samr_cache(&ainfo->sid);
+
         if (!close_policy_hnd(p, r->in.alias_handle))
                 return NT_STATUS_OBJECT_NAME_INVALID;
  
-       force_flush_samr_cache(&ainfo->sid);
-
         return NT_STATUS_OK;
  }
  
@@ -5694,8 +5837,9 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
                 return status;
         }
  
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                 return NT_STATUS_ACCESS_DENIED;
+       }
  
         name = r->in.name->string;
         if (name == NULL) {
@@ -5755,8 +5899,9 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
                 return result;
         }
  
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                 return NT_STATUS_ACCESS_DENIED;
+       }
  
         name = r->in.alias_name->string;
  
@@ -5936,12 +6081,11 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
                 return NT_STATUS_NO_SUCH_GROUP;
  
         switch (r->in.level) {
-               case 1:
-                       fstrcpy(map.comment, r->in.info->all.description.string);
-                       break;
                 case 2:
-                       /* group rename is not supported yet */
-                       return NT_STATUS_NOT_SUPPORTED;
+                       fstrcpy(map.nt_name, r->in.info->name.string);
+                       break;
+               case 3:
+                       break;
                 case 4:
                         fstrcpy(map.comment, r->in.info->description.string);
                         break;
@@ -6073,9 +6217,9 @@ NTSTATUS _samr_GetDomPwInfo(pipes_struct *p,
         }
  
         become_root();
-       pdb_get_account_policy(AP_MIN_PASSWORD_LEN,
+       pdb_get_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
                                &min_password_length);
-       pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS,
+       pdb_get_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
                                &password_properties);
         unbecome_root();
  
@@ -6117,15 +6261,17 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
         }
  
         /*check if access can be granted as requested by client. */
-       map_max_allowed_access(p->server_info->ptok, &des_access);
+       map_max_allowed_access(p->server_info->ptok,
+                              &p->server_info->utok,
+                              &des_access);
  
         make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
         se_map_generic(&des_access,&grp_generic_mapping);
  
         se_priv_copy( &se_rights, &se_add_users );
  
-       status = access_check_samr_object(psd, p->server_info->ptok,
-               &se_rights, SAMR_GROUP_ACCESS_ADD_MEMBER,
+       status = access_check_object(psd, p->server_info->ptok,
+               &se_rights, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
                 des_access, &acc_granted, "_samr_OpenGroup");
  
         if ( !NT_STATUS_IS_OK(status) )
@@ -6133,8 +6279,9 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
  
         /* this should not be hard-coded like this */
  
-       if (!sid_equal(&dinfo->sid, get_global_sam_sid()))
+       if (!sid_check_is_domain(&dinfo->sid)) {
                 return NT_STATUS_ACCESS_DENIED;
+       }
  
         sid_compose(&info_sid, &dinfo->sid, r->in.rid);
  
@@ -6149,7 +6296,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
                 return NT_STATUS_NO_SUCH_GROUP;
  
         ginfo = policy_handle_create(p, r->out.group_handle,
-                                    GENERIC_RIGHTS_GROUP_ALL_ACCESS,
+                                    acc_granted,
                                      struct samr_group_info, &status);
          if (!NT_STATUS_IS_OK(status)) {
                  return status;
@@ -6231,6 +6378,67 @@ NTSTATUS _samr_QueryDomainInfo2(pipes_struct *p,
         return _samr_QueryDomainInfo(p, &q);
  }
  
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_1(TALLOC_CTX *mem_ctx,
+                              struct samr_DomInfo1 *r)
+{
+       time_t u_expire, u_min_age;
+
+       u_expire = nt_time_to_unix_abs((NTTIME *)&r->max_password_age);
+       u_min_age = nt_time_to_unix_abs((NTTIME *)&r->min_password_age);
+
+       pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_LEN,
+                              (uint32_t)r->min_password_length);
+       pdb_set_account_policy(PDB_POLICY_PASSWORD_HISTORY,
+                              (uint32_t)r->password_history_length);
+       pdb_set_account_policy(PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS,
+                              (uint32_t)r->password_properties);
+       pdb_set_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, (int)u_expire);
+       pdb_set_account_policy(PDB_POLICY_MIN_PASSWORD_AGE, (int)u_min_age);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_3(TALLOC_CTX *mem_ctx,
+                              struct samr_DomInfo3 *r)
+{
+       time_t u_logout;
+
+       u_logout = nt_time_to_unix_abs((NTTIME *)&r->force_logoff_time);
+
+       pdb_set_account_policy(PDB_POLICY_TIME_TO_LOGOUT, (int)u_logout);
+
+       return NT_STATUS_OK;
+}
+
+/*******************************************************************
+ ********************************************************************/
+
+static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
+                               struct samr_DomInfo12 *r)
+{
+       time_t u_lock_duration, u_reset_time;
+
+       u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
+       if (u_lock_duration != -1) {
+               u_lock_duration /= 60;
+       }
+
+       u_reset_time = nt_time_to_unix_abs((NTTIME *)&r->lockout_window)/60;
+
+       pdb_set_account_policy(PDB_POLICY_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
+       pdb_set_account_policy(PDB_POLICY_RESET_COUNT_TIME, (int)u_reset_time);
+       pdb_set_account_policy(PDB_POLICY_BAD_ATTEMPT_LOCKOUT,
+                              (uint32_t)r->lockout_threshold);
+
+       return NT_STATUS_OK;
+}
+
  /*******************************************************************
   _samr_SetDomainInfo
   ********************************************************************/
@@ -6239,10 +6447,7 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
                              struct samr_SetDomainInfo *r)
  {
         struct samr_domain_info *dinfo;
-       time_t u_expire, u_min_age;
-       time_t u_logout;
-       time_t u_lock_duration, u_reset_time;
-       NTSTATUS result;
+       NTSTATUS status;
         uint32_t acc_required = 0;
  
         DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
@@ -6270,26 +6475,19 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
  
         dinfo = policy_handle_find(p, r->in.domain_handle,
                                    acc_required, NULL,
-                                  struct samr_domain_info, &result);
-       if (!NT_STATUS_IS_OK(result)) {
-               return result;
+                                  struct samr_domain_info, &status);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
         }
  
         DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
  
         switch (r->in.level) {
                 case 1:
-                       u_expire=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.max_password_age);
-                       u_min_age=nt_time_to_unix_abs((NTTIME *)&r->in.info->info1.min_password_age);
-                       pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)r->in.info->info1.min_password_length);
-                       pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)r->in.info->info1.password_history_length);
-                       pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)r->in.info->info1.password_properties);
-                       pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
-                       pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
+                       status = set_dom_info_1(p->mem_ctx, &r->in.info->info1);
                         break;
                 case 3:
-                       u_logout=nt_time_to_unix_abs((NTTIME *)&r->in.info->info3.force_logoff_time);
-                       pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
+                       status = set_dom_info_3(p->mem_ctx, &r->in.info->info3);
                         break;
                 case 4:
                         break;
@@ -6300,20 +6498,16 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
                 case 9:
                         break;
                 case 12:
-                       u_lock_duration=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_duration);
-                       if (u_lock_duration != -1)
-                               u_lock_duration /= 60;
-
-                       u_reset_time=nt_time_to_unix_abs((NTTIME *)&r->in.info->info12.lockout_window)/60;
-
-                       pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
-                       pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
-                       pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)r->in.info->info12.lockout_threshold);
+                       status = set_dom_info_12(p->mem_ctx, &r->in.info->info12);
                         break;
                 default:
                         return NT_STATUS_INVALID_INFO_CLASS;
         }
  
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
         DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
  
         return NT_STATUS_OK;
@@ -6496,6 +6690,124 @@ NTSTATUS _samr_RidToSid(pipes_struct *p,
  /****************************************************************
  ****************************************************************/
  
+static enum samr_ValidationStatus samr_ValidatePassword_Change(TALLOC_CTX *mem_ctx,
+                                                              const struct samr_PwInfo *dom_pw_info,
+                                                              const struct samr_ValidatePasswordReq2 *req,
+                                                              struct samr_ValidatePasswordRepCtr *rep)
+{
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+static enum samr_ValidationStatus samr_ValidatePassword_Reset(TALLOC_CTX *mem_ctx,
+                                                             const struct samr_PwInfo *dom_pw_info,
+                                                             const struct samr_ValidatePasswordReq3 *req,
+                                                             struct samr_ValidatePasswordRepCtr *rep)
+{
+       NTSTATUS status;
+
+       if (req->password.string) {
+               if (strlen(req->password.string) < dom_pw_info->min_password_length) {
+                       ZERO_STRUCT(rep->info);
+                       return SAMR_VALIDATION_STATUS_PWD_TOO_SHORT;
+               }
+               if (dom_pw_info->password_properties & DOMAIN_PASSWORD_COMPLEX) {
+                       status = check_password_complexity(req->account.string,
+                                                          req->password.string,
+                                                          NULL);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               ZERO_STRUCT(rep->info);
+                               return SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH;
+                       }
+               }
+       }
+
+       return SAMR_VALIDATION_STATUS_SUCCESS;
+}
+
+/****************************************************************
+ _samr_ValidatePassword
+****************************************************************/
+
+NTSTATUS _samr_ValidatePassword(pipes_struct *p,
+                               struct samr_ValidatePassword *r)
+{
+       union samr_ValidatePasswordRep *rep;
+       NTSTATUS status;
+       struct samr_GetDomPwInfo pw;
+       struct samr_PwInfo dom_pw_info;
+
+       if (r->in.level < 1 || r->in.level > 3) {
+               return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       pw.in.domain_name = NULL;
+       pw.out.info = &dom_pw_info;
+
+       status = _samr_GetDomPwInfo(p, &pw);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       rep = talloc_zero(p->mem_ctx, union samr_ValidatePasswordRep);
+       if (!rep) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       switch (r->in.level) {
+       case 1:
+               status = NT_STATUS_NOT_SUPPORTED;
+               break;
+       case 2:
+               rep->ctr2.status = samr_ValidatePassword_Change(p->mem_ctx,
+                                                               &dom_pw_info,
+                                                               &r->in.req->req2,
+                                                               &rep->ctr2);
+               break;
+       case 3:
+               rep->ctr3.status = samr_ValidatePassword_Reset(p->mem_ctx,
+                                                              &dom_pw_info,
+                                                              &r->in.req->req3,
+                                                              &rep->ctr3);
+               break;
+       default:
+               status = NT_STATUS_INVALID_INFO_CLASS;
+               break;
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(rep);
+               return status;
+       }
+
+       *r->out.rep = rep;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
  NTSTATUS _samr_Shutdown(pipes_struct *p,
                         struct samr_Shutdown *r)
  {
@@ -6580,13 +6892,3 @@ NTSTATUS _samr_SetDsrmPassword(pipes_struct *p,
         p->rng_fault_state = true;
         return NT_STATUS_NOT_IMPLEMENTED;
  }
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS _samr_ValidatePassword(pipes_struct *p,
-                               struct samr_ValidatePassword *r)
-{
-       p->rng_fault_state = true;
-       return NT_STATUS_NOT_IMPLEMENTED;
-}