From Elrond@Wunder-Nett.org Tue Feb 29 05:53:10 2000

Date: Mon, 28 Feb 2000 17:29:48 +0100
From: Elrond <Elrond@Wunder-Nett.org>
To: Luke Kenneth Casson Leighton <lkcl@samba.org>
Subject: _samr_query_sec_obj

Hi Luke,

- moved the SD-generation code out of
  samrd/srv_samr_sam_tdb.c:_samr_query_sec_obj into its own
  samrd/samr_util.c
- updated the SD to have the same order and include
  Builtin\Account Operators, as seen on an nt4sp4 ws.
- used this function in samrpassd (which was broken here
  and usrmgr didn't work) and samrtdbd (for consistency)
  (I can't compile-check samrnt5ldap, so I will send Luke
  Howard a patch to inspect.)
- clean-up: Mainly policy-handles... but also other stuff
- debugging and type-checking of data associated with
  POLICY_HND in samrtdbd
  (I suspect, there's a problem in sam_query_sec_obj, see
  the new WARNING, that appears.)
- rpcclient/samedit: enumaliases has new option:
  [-d Domain], so I could do "enumaliases -d Builtin"


After this patch my usrmgr worked better, but now it looks
like it is thinking, it talks to a WS instead of a server.
I can't see the domain-groups, only aliases, and in the
user-properties, there are only 3 buttons for "Groups",
"Profiles" and "RAS", the others are missing... I tried a
long time to find out about it... I failed, so could you
have a look at this?

[lkcl: this because winregd is returning "i am a wksta"]

Okay, and another thing:

You seemed to look for the bit on the user-objects, that
allows password-changing: I think, it must be 0x0004,
cause:
Everyone has: 0x2035b
Normal user : 0x20044

0x20040 is included in the bits, everyone has, 0x0004 is
left over....

Just some thoughts...


    Elrond

15 files changed, 226 insertions, 132 deletions

diff --git a/source/Makefile.in b/source/Makefile.in
index 395df94e3c1..11aeccead22 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -307,19 +307,22 @@ SAMRTDBLIB_OBJ = lib/util_pwdb.o lib/domain_namemap.o \
 		samrd/srv_samr_usr_tdb.o \
 		samrd/srv_samr_grp_tdb.o \
 		samrd/srv_samr_als_tdb.o \
-		samrd/srv_samr_tdb.o
+		samrd/srv_samr_tdb.o \
+		samrd/samr_util.o
 
 SAMRNT5LDAPLIB_OBJ = lib/util_pwdb.o lib/domain_namemap.o \
 		samrd/srv_samr_usr_nt5ldap.o \
 		samrd/srv_samr_dom_nt5ldap.o \
-		samrd/srv_samr_nt5ldap.o
+		samrd/srv_samr_nt5ldap.o \
+		samrd/samr_util.o
 #		samrd/srv_samr_sam_nt5ldap.o \
 #		samrd/srv_samr_grp_nt5ldap.o \
 #		samrd/srv_samr_als_nt5ldap.o \
 
 SAMRPASSLIB_OBJ = rpc_server/srv_lookup.o \
 		samrd/srv_samr_passdb.o \
-		smbd/chgpasswd.o
+		smbd/chgpasswd.o \
+		samrd/samr_util.o
 
 SAMRD_OBJ1 = samrd/samrd.o \
 		rpc_server/srv_pipe_ntlmssp.o \
@@ -411,13 +414,17 @@ LIBSURS_OBJ = lib/surs.o lib/sursalgdomonly.o \
 		lib/sursalgnt5ldap.o \
 		lib/surstdb.o
 
-SAMRD_LIBS        = $(SAMBA_LIBS) $(UBIQXLIB) $(SAM_PWDB_LIB) $(LIBSURS)
+SAMRD_LIBS        = $(SAMBA_LIBS) $(UBIQXLIB) $(SAM_PWDB_LIB) \
+			$(LIBSURS)
 
-SAMRPASSD_LIBS     = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRPASSLIB) $(SMBPWLIB)
+SAMRPASSD_LIBS    = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRPASSLIB) $(SMBPWLIB) \
+			$(LIBSURS)
 
-SAMRTDBD_LIBS     = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRTDBLIB)
+SAMRTDBD_LIBS     = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRTDBLIB) \
+			$(LIBSURS)
 
-SAMRNT5LDAPD_LIBS = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRNT5LDAPLIB)
+SAMRNT5LDAPD_LIBS = $(SAMBA_LIBS) $(UBIQXLIB) $(SAMRNT5LDAPLIB) \
+			$(LIBSURS)
 
 NMBD_OBJ1 = nmbd/asyncdns.o nmbd/nmbd.o nmbd/nmbd_become_dmb.o \
             nmbd/nmbd_become_lmb.o nmbd/nmbd_browserdb.o \
diff --git a/source/include/sids.h b/source/include/sids.h
index f4a8d83b680..12ec6714e01 100644
--- a/source/include/sids.h
+++ b/source/include/sids.h
@@ -36,4 +36,6 @@ extern DOM_SID global_sid_S_1_3;    /* Creator Owner */
 extern DOM_SID global_sid_S_1_5;    /* NT Authority */
 extern DOM_SID global_sid_system;   /* SYSTEM */
 
+extern const DOM_SID *global_sid_everyone;
+
 #endif /* _SIDS_H */
diff --git a/source/lib/sids.c b/source/lib/sids.c
index 56d6a9c21d4..3e66c09e213 100644
--- a/source/lib/sids.c
+++ b/source/lib/sids.c
@@ -2,7 +2,8 @@
    Unix SMB/Netbios implementation.
    Version 1.9.
    Samba utility functions
-   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Andrew Tridgell 1992-2000,
+   Copyright (C) Elrond               2000
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -71,6 +72,8 @@ DOM_SID global_sid_S_1_5;    /* NT Authority */
 DOM_SID global_sid_system;   /* NT System */
 DOM_SID global_sid_S_1_1_0;  /* everyone */
 
+const DOM_SID *global_sid_everyone = NULL;
+
 struct sid_map
 {
 	DOM_SID *sid;
@@ -228,6 +231,8 @@ void generate_wellknown_sids(void)
 	string_to_sid(&global_sid_S_1_3   , "S-1-3"   );
 	string_to_sid(&global_sid_S_1_5   , "S-1-5"   );
 	string_to_sid(&global_sid_system  , "S-1-5-17");
+
+	global_sid_everyone = &global_sid_S_1_1_0;
 }
 
 /****************************************************************************
diff --git a/source/lib/util_hnd.c b/source/lib/util_hnd.c
index 6e0fd73c7ff..7715ba7aefc 100644
--- a/source/lib/util_hnd.c
+++ b/source/lib/util_hnd.c
@@ -5,6 +5,7 @@
  *  RPC Pipe client / server routines
  *  Copyright (C) Andrew Tridgell              1992-2000,
  *  Copyright (C) Luke Kenneth Casson Leighton 1996-2000,
+ *  Copyright (C) Elrond                            2000
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -313,7 +314,8 @@ BOOL set_policy_state(struct policy_cache *cache, POLICY_HND *hnd,
 
 	if (p && p->open)
 	{
-		DEBUG(3,("Setting policy state pnum=%x\n", p->pnum));
+		DEBUG(3, ("policy(pnum=%x %s): Setting policy state\n",
+			  p->pnum, pol_get_name(p)));
 
 		p->dev = dev;
 		p->free_fn = fn;
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index b0a82877146..9861aecf25a 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -47,7 +47,7 @@ char *sid_to_string(pstring sidstr_out, const DOM_SID *sid)
     pstrcat(sidstr_out, subauth);
   }
 
-  DEBUG(7,("sid_to_string returning %s\n", sidstr_out));
+  DEBUG(20, ("sid_to_string returning %s\n", sidstr_out));
   return sidstr_out;
 }
 
diff --git a/source/rpc_client/cli_samr.c b/source/rpc_client/cli_samr.c
index 64659327fa6..b233f70e15a 100644
--- a/source/rpc_client/cli_samr.c
+++ b/source/rpc_client/cli_samr.c
@@ -4,6 +4,7 @@
    NT Domain Authentication SMB / MSRPC client
    Copyright (C) Andrew Tridgell              1994-2000
    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+   Copyright (C) Elrond                            2000
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -331,6 +332,8 @@ uint32 samr_enum_dom_groups(  POLICY_HND *pol,
 		SAMR_R_ENUM_DOM_GROUPS r_e;
 		BOOL p;
 
+		ZERO_STRUCT(r_e);
+
 		samr_io_r_enum_dom_groups("", &r_e, &rdata, 0);
 
 		status = r_e.status;
@@ -2024,7 +2027,7 @@ BOOL samr_query_useraliases(  const POLICY_HND *pol,
 	prs_init(&rdata, 0, 4, True );
 
 	/* store the parameters */
-	make_samr_q_query_useraliases(&q_o, pol, ptr_sid, sid);
+	make_samr_q_query_useraliases(&q_o, pol, 1, ptr_sid, sid);
 
 	/* turn parameters into data stream */
 	if (samr_io_q_query_useraliases("", &q_o,  &data, 0) &&
diff --git a/source/rpc_parse/parse_samr.c b/source/rpc_parse/parse_samr.c
index 1d4b8950029..1e92b235b82 100644
--- a/source/rpc_parse/parse_samr.c
+++ b/source/rpc_parse/parse_samr.c
@@ -2,9 +2,10 @@
  *  Unix SMB/Netbios implementation.
  *  Version 1.9.
  *  RPC Pipe client / server routines
- *  Copyright (C) Andrew Tridgell              1992-1999,
- *  Copyright (C) Luke Kenneth Casson Leighton 1996-1999,
- *  Copyright (C) Paul Ashton                  1997-1999.
+ *  Copyright (C) Andrew Tridgell              1992-2000,
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-2000,
+ *  Copyright (C) Paul Ashton                  1997-2000,
+ *  Copyright (C) Elrond                            2000
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -367,7 +368,7 @@ BOOL make_samr_q_query_sec_obj(SAMR_Q_QUERY_SEC_OBJ *q_u,
 
 	DEBUG(5,("samr_make_samr_q_query_sec_obj\n"));
 
-	memcpy(&q_u->user_pol, user_pol, sizeof(q_u->user_pol));
+	q_u->user_pol = *user_pol;
 	q_u->sec_info = sec_info;
 
 	return True;
@@ -404,7 +405,7 @@ BOOL make_samr_q_query_dom_info(SAMR_Q_QUERY_DOMAIN_INFO *q_u,
 
 	DEBUG(5,("samr_make_samr_q_query_dom_info\n"));
 
-	memcpy(&q_u->domain_pol, domain_pol, sizeof(q_u->domain_pol));
+	q_u->domain_pol = *domain_pol;
 	q_u->switch_value = switch_value;
 
 	return True;
@@ -762,11 +763,11 @@ static BOOL sam_io_sam_str1(char *desc,  SAM_STR1 *sam, uint32 acct_buf, uint32
 
 	prs_align(ps);
 
-	smb_io_unistr2("unistr2", &(sam->uni_acct_name), acct_buf, ps, depth); /* account name unicode string */
+	smb_io_unistr2("name", &(sam->uni_acct_name), acct_buf, ps, depth); /* account name unicode string */
 	prs_align(ps);
-	smb_io_unistr2("unistr2", &(sam->uni_full_name), name_buf, ps, depth); /* full name unicode string */
+	smb_io_unistr2("full_name", &(sam->uni_full_name), name_buf, ps, depth); /* full name unicode string */
 	prs_align(ps);
-	smb_io_unistr2("unistr2", &(sam->uni_acct_desc), desc_buf, ps, depth); /* account desc unicode string */
+	smb_io_unistr2("desc", &(sam->uni_acct_desc), desc_buf, ps, depth); /* account desc unicode string */
 	prs_align(ps);
 
 	return True;
@@ -1063,7 +1064,7 @@ BOOL make_samr_q_enum_dom_users(SAMR_Q_ENUM_DOM_USERS *q_e, POLICY_HND *pol,
 
 	DEBUG(5,("make_samr_q_enum_dom_users\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->start_idx = start_idx; /* zero indicates lots */
 	q_e->acb_mask  = acb_mask;
@@ -1201,7 +1202,7 @@ BOOL make_samr_q_query_dispinfo(SAMR_Q_QUERY_DISPINFO *q_e, POLICY_HND *pol,
 
 	DEBUG(5,("make_samr_q_query_dispinfo\n"));
 
-	memcpy(&(q_e->domain_pol), pol, sizeof(*pol));
+	q_e->domain_pol = *pol;
 
 	q_e->switch_level = switch_level;
 
@@ -1709,7 +1710,7 @@ BOOL make_samr_q_open_group(SAMR_Q_OPEN_GROUP *q_c,
 
 	DEBUG(5,("make_samr_q_open_group\n"));
 
-	memcpy(&(q_c->domain_pol), hnd, sizeof(q_c->domain_pol));
+	q_c->domain_pol = *hnd;
 	q_c->access_mask = access_mask;
 	q_c->rid_group = rid;
 
@@ -1898,7 +1899,7 @@ BOOL make_samr_q_create_dom_group(SAMR_Q_CREATE_DOM_GROUP *q_e,
 
 	DEBUG(5,("make_samr_q_create_dom_group\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	make_uni_hdr(&(q_e->hdr_acct_desc), acct_len);
 	make_unistr2(&(q_e->uni_acct_desc), acct_desc, acct_len);
@@ -1963,7 +1964,7 @@ BOOL make_samr_q_delete_dom_group(SAMR_Q_DELETE_DOM_GROUP *q_c, POLICY_HND *hnd)
 
 	DEBUG(5,("make_samr_q_delete_dom_group\n"));
 
-	memcpy(&(q_c->group_pol), hnd, sizeof(q_c->group_pol));
+	q_c->group_pol = *hnd;
 
 	return True;
 }
@@ -2015,14 +2016,13 @@ BOOL make_samr_q_del_groupmem(SAMR_Q_DEL_GROUPMEM *q_e,
 
 	DEBUG(5,("make_samr_q_del_groupmem\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->rid = rid;
 
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -2089,7 +2089,7 @@ BOOL make_samr_q_add_groupmem(SAMR_Q_ADD_GROUPMEM *q_e,
 
 	DEBUG(5,("make_samr_q_add_groupmem\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->rid = rid;
 	q_e->unknown = 0x0005;
@@ -2164,7 +2164,7 @@ BOOL make_samr_q_set_groupinfo(SAMR_Q_SET_GROUPINFO *q_e,
 
 	DEBUG(5,("make_samr_q_set_groupinfo\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 	q_e->ctr = ctr;
 
 	return True;
@@ -2236,7 +2236,7 @@ BOOL make_samr_q_query_groupinfo(SAMR_Q_QUERY_GROUPINFO *q_e,
 
 	DEBUG(5,("make_samr_q_query_groupinfo\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->switch_level = switch_level;
 
@@ -2282,7 +2282,6 @@ BOOL make_samr_r_query_groupinfo(SAMR_R_QUERY_GROUPINFO *r_u, GROUP_INFO_CTR *ct
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -2317,7 +2316,7 @@ BOOL make_samr_q_query_groupmem(SAMR_Q_QUERY_GROUPMEM *q_c, POLICY_HND *hnd)
 
 	DEBUG(5,("make_samr_q_query_groupmem\n"));
 
-	memcpy(&(q_c->group_pol), hnd, sizeof(q_c->group_pol));
+	q_c->group_pol = *hnd;
 
 	return True;
 }
@@ -2608,14 +2607,15 @@ BOOL samr_io_r_query_usergroups(char *desc, SAMR_R_QUERY_USERGROUPS *r_u, prs_st
 /*******************************************************************
 makes a SAMR_Q_ENUM_DOMAINS structure.
 ********************************************************************/
-BOOL make_samr_q_enum_domains(SAMR_Q_ENUM_DOMAINS *q_e, POLICY_HND *pol,
-				uint32 start_idx, uint32 size)
+BOOL make_samr_q_enum_domains(SAMR_Q_ENUM_DOMAINS *q_e,
+			      const POLICY_HND *pol,
+			      uint32 start_idx, uint32 size)
 {
 	if (q_e == NULL || pol == NULL) return False;
 
 	DEBUG(5,("make_samr_q_enum_domains\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->start_idx = start_idx;
 	q_e->max_size = size;
@@ -2623,7 +2623,6 @@ BOOL make_samr_q_enum_domains(SAMR_Q_ENUM_DOMAINS *q_e, POLICY_HND *pol,
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -2741,17 +2740,19 @@ BOOL samr_io_r_enum_domains(char *desc, SAMR_R_ENUM_DOMAINS *r_u, prs_struct *ps
 	return True;
 }
 
+
 /*******************************************************************
 makes a SAMR_Q_ENUM_DOM_GROUPS structure.
 ********************************************************************/
-BOOL make_samr_q_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_e, POLICY_HND *pol,
-				uint32 start_idx, uint32 size)
+BOOL make_samr_q_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_e,
+				 const POLICY_HND *pol,
+				 uint32 start_idx, uint32 size)
 {
 	if (q_e == NULL || pol == NULL) return False;
 
 	DEBUG(5,("make_samr_q_enum_dom_groups\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->start_idx = start_idx;
 	q_e->max_size = size;
@@ -2759,7 +2760,6 @@ BOOL make_samr_q_enum_dom_groups(SAMR_Q_ENUM_DOM_GROUPS *q_e, POLICY_HND *pol,
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -2883,7 +2883,7 @@ BOOL make_samr_q_enum_dom_aliases(SAMR_Q_ENUM_DOM_ALIASES *q_e, POLICY_HND *pol,
 
 	DEBUG(5,("make_samr_q_enum_dom_aliases\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->start_idx = start_idx;
 	q_e->max_size = size;
@@ -3023,7 +3023,6 @@ BOOL make_samr_alias_info3(ALIAS_INFO3 *al3, const char *acct_desc)
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -3080,21 +3079,19 @@ BOOL samr_alias_info_ctr(char *desc,  ALIAS_INFO_CTR *ctr, prs_struct *ps, int d
 makes a SAMR_Q_QUERY_ALIASINFO structure.
 ********************************************************************/
 BOOL make_samr_q_query_aliasinfo(SAMR_Q_QUERY_ALIASINFO *q_e,
-				POLICY_HND *pol,
-				uint16 switch_level)
+				 const POLICY_HND *pol, uint16 switch_level)
 {
 	if (q_e == NULL || pol == NULL) return False;
 
 	DEBUG(5,("make_samr_q_query_aliasinfo\n"));
 
-	memcpy(&(q_e->pol), pol, sizeof(*pol));
+	q_e->pol = *pol;
 
 	q_e->switch_level = switch_level;
 
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -3115,12 +3112,11 @@ BOOL samr_io_q_query_aliasinfo(char *desc,  SAMR_Q_QUERY_ALIASINFO *q_e, prs_str
 	return True;
 }
 
-
 /*******************************************************************
 makes a SAMR_R_QUERY_ALIASINFO structure.
 ********************************************************************/
-BOOL make_samr_r_query_aliasinfo(SAMR_R_QUERY_ALIASINFO *r_u, ALIAS_INFO_CTR *ctr,
-		uint32 status)
+BOOL make_samr_r_query_aliasinfo(SAMR_R_QUERY_ALIASINFO *r_u,
+				 ALIAS_INFO_CTR *ctr, uint32 status)
 {
 	if (r_u == NULL) return False;
 
@@ -3133,7 +3129,6 @@ BOOL make_samr_r_query_aliasinfo(SAMR_R_QUERY_ALIASINFO *r_u, ALIAS_INFO_CTR *ct
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -3162,20 +3157,20 @@ BOOL samr_io_r_query_aliasinfo(char *desc,  SAMR_R_QUERY_ALIASINFO *r_u, prs_str
 /*******************************************************************
 makes a SAMR_Q_SET_ALIASINFO structure.
 ********************************************************************/
-BOOL make_samr_q_set_aliasinfo(SAMR_Q_SET_ALIASINFO *q_u, POLICY_HND *hnd,
-				ALIAS_INFO_CTR *ctr)
+BOOL make_samr_q_set_aliasinfo(SAMR_Q_SET_ALIASINFO *q_u,
+			       const POLICY_HND *hnd,
+			       ALIAS_INFO_CTR *ctr)
 {
 	if (q_u == NULL) return False;
 
 	DEBUG(5,("make_samr_q_set_aliasinfo\n"));
 
-	memcpy(&(q_u->alias_pol), hnd, sizeof(q_u->alias_pol));
+	q_u->alias_pol = *hnd;
 	q_u->ctr = ctr;
 
 	return True;
 }
 
-
 /*******************************************************************
 reads or writes a structure.
 ********************************************************************/
@@ -3211,23 +3206,23 @@ BOOL samr_io_r_set_aliasinfo(char *desc,  SAMR_R_SET_ALIASINFO *r_u, prs_struct
 }
 
 
-
 /*******************************************************************
 makes a SAMR_Q_QUERY_USERALIASES structure.
 ********************************************************************/
 BOOL make_samr_q_query_useraliases(SAMR_Q_QUERY_USERALIASES *q_u,
-				const POLICY_HND *hnd,
-				uint32 *ptr_sid, DOM_SID2 *sid)
+				   const POLICY_HND *hnd,
+				   uint32  num_sids,
+				   uint32 *ptr_sid, DOM_SID2 *sid)
 {
 	if (q_u == NULL || hnd == NULL) return False;
 
 	DEBUG(5,("make_samr_q_query_useraliases\n"));
 
-	memcpy(&(q_u->pol), hnd, sizeof(q_u->pol));
+	q_u->pol = *hnd;
 
-	q_u->num_sids1 = 1;
+	q_u->num_sids1 = num_sids;
 	q_u->ptr = 1;
-	q_u->num_sids2 = 1;
+	q_u->num_sids2 = num_sids;
 
 	q_u->ptr_sid = ptr_sid;
 	q_u->sid = sid;
diff --git a/source/rpc_server/srv_samr.c b/source/rpc_server/srv_samr.c
index d92e299cb50..23553722cf8 100644
--- a/source/rpc_server/srv_samr.c
+++ b/source/rpc_server/srv_samr.c
@@ -28,12 +28,6 @@
 
 extern int DEBUGLEVEL;
 
-extern fstring global_sam_name;
-extern pstring global_myname;
-extern DOM_SID global_sam_sid;
-extern DOM_SID global_sid_S_1_1;
-extern DOM_SID global_sid_S_1_5_20;
-
 /*******************************************************************
  api_samr_close_hnd
  ********************************************************************/
@@ -123,6 +117,10 @@ static BOOL api_samr_query_sec_obj( rpcsrv_struct *p, prs_struct *data, prs_stru
 	}
 
 	r_u.status = _samr_query_sec_obj(&q_u.user_pol, &r_u.buf);
+	if (r_u.buf.len == 0)
+	{
+		return False;
+	}
 	r_u.ptr = 1; /* man, we don't have any choice!  NT bombs otherwise! */
 	return samr_io_r_query_sec_obj("", &r_u, rdata, 0);
 }
diff --git a/source/rpcclient/cmd_samr.c b/source/rpcclient/cmd_samr.c
index 874761644b8..cb010396e9e 100644
--- a/source/rpcclient/cmd_samr.c
+++ b/source/rpcclient/cmd_samr.c
@@ -3040,19 +3040,16 @@ void cmd_sam_enum_aliases(struct client_info *info, int argc, char *argv[])
 	sid_to_string(sid, &sid1);
 	fstrcpy(domain, info->dom.level5_dom);
 
-	if (sid1.num_auths == 0)
-	{
-		if (msrpc_sam_get_first_domain(srv_name, domain, &sid1) != 0x0)
-		{
-			report(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
-			return;
-		}
-	}
-
-	while ((opt = getopt(argc, argv, "ma")) != EOF)
+	while ((opt = getopt(argc, argv, "mad:")) != EOF)
 	{
 		switch (opt)
 		{
+			case 'd':
+			{
+				fill_domain_sid(srv_name, optarg,
+						domain, &sid1);
+				break;
+			}
 			case 'm':
 			{
 				request_member_info  = True;
@@ -3066,6 +3063,15 @@ void cmd_sam_enum_aliases(struct client_info *info, int argc, char *argv[])
 		}
 	}
 
+	if (sid1.num_auths == 0)
+	{
+		if (msrpc_sam_get_first_domain(srv_name, domain, &sid1) != 0x0)
+		{
+			report(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n");
+			return;
+		}
+	}
+
 	report(out_hnd, "SAM Enumerate Aliases\n");
 
 	msrpc_sam_enum_aliases(srv_name, domain, &sid1, 
diff --git a/source/rpcclient/display_sec.c b/source/rpcclient/display_sec.c
index 1916bdcb88d..e0e3bf0831c 100644
--- a/source/rpcclient/display_sec.c
+++ b/source/rpcclient/display_sec.c
@@ -21,12 +21,13 @@
 */
 
 #include "includes.h"
+#include "rpcclient.h"
 
 
 /****************************************************************************
 convert a security permissions into a string
 ****************************************************************************/
-char *get_sec_mask_str(uint32 type)
+static const char *get_sec_mask_str(uint32 type)
 {
 	static fstring typestr;
 	int i;
@@ -90,7 +91,7 @@ char *get_sec_mask_str(uint32 type)
 /****************************************************************************
  display sec_access structure
  ****************************************************************************/
-void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *const info)
+static void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *const info)
 {
 	switch (action)
 	{
@@ -113,7 +114,7 @@ void display_sec_access(FILE *out_hnd, enum action_type action, SEC_ACCESS *cons
 /****************************************************************************
  display sec_ace structure
  ****************************************************************************/
-void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
+static void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
 {
 	switch (action)
 	{
@@ -126,6 +127,11 @@ void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
 		{
 			fstring sid_str;
 
+			report(out_hnd,
+			       "\t\tType:%2x  Flags:%2x  Perms:%04x\n",
+			       ace->type, ace->flags,
+			       (uint32) ace->info.mask);
+
 			display_sec_access(out_hnd, ACTION_HEADER   , &ace->info);
 			display_sec_access(out_hnd, ACTION_ENUMERATE, &ace->info);
 			display_sec_access(out_hnd, ACTION_FOOTER   , &ace->info);
@@ -143,7 +149,7 @@ void display_sec_ace(FILE *out_hnd, enum action_type action, SEC_ACE *const ace)
 /****************************************************************************
  display sec_acl structure
  ****************************************************************************/
-void display_sec_acl(FILE *out_hnd, enum action_type action, SEC_ACL *const sec_acl)
+static void display_sec_acl(FILE *out_hnd, enum action_type action, SEC_ACL *const sec_acl)
 {
 	if (sec_acl == NULL)
 	{
diff --git a/source/samrd/samr_util.c b/source/samrd/samr_util.c
new file mode 100644
index 00000000000..2d1c2f06b8d
--- /dev/null
+++ b/source/samrd/samr_util.c
@@ -0,0 +1,89 @@
+/* 
+ *  Unix SMB/Netbios implementation.
+ *  Version 1.9.
+ *  RPC Pipe client / server routines
+ *  Copyright (C) Andrew Tridgell              1992-2000,
+ *  Copyright (C) Luke Kenneth Casson Leighton 1996-2000,
+ *  Copyright (C) Sander Striker                    2000,
+ *  Copyright (C) Elrond                            2000
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+
+#include "includes.h"
+#include "rpc_parse.h"
+#include "nterr.h"
+#include "sids.h"
+
+extern int DEBUGLEVEL;
+
+
+/*******************************************************************
+ samr_make_usr_obj_sd
+ ********************************************************************/
+uint32 samr_make_usr_obj_sd(SEC_DESC_BUF *buf, DOM_SID *usr_sid)
+{
+	DOM_SID adm_sid;
+	DOM_SID act_sid;
+	DOM_SID glb_sid;
+
+	SEC_ACL *dacl = NULL;
+	SEC_ACE *dace = NULL;
+	SEC_ACCESS mask;
+	SEC_DESC *sec = NULL;
+	int len;
+
+	DEBUG(15, ("samr_make_usr_obj_sd: %d\n", __LINE__));
+
+	dacl = malloc(sizeof(*dacl));
+	dace = malloc(4 * sizeof(*dace));
+	sec = malloc(sizeof(*sec));
+
+	if (dacl == NULL || dace == NULL || sec == NULL)
+	{
+		safe_free(dacl);
+		safe_free(dace);
+		safe_free(sec);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sid_copy(&adm_sid, &global_sid_S_1_5_20);
+	sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
+
+	sid_copy(&act_sid, &global_sid_S_1_5_20);
+	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
+
+	sid_copy(&glb_sid, global_sid_everyone);
+
+	mask.mask = 0x2035b;
+	make_sec_ace(&dace[0], &glb_sid, 0, mask, 0);
+	mask.mask = 0xf07ff;
+	make_sec_ace(&dace[1], &adm_sid, 0, mask, 0);
+	make_sec_ace(&dace[2], &act_sid, 0, mask, 0);
+	mask.mask = 0x20044;
+	make_sec_ace(&dace[3], usr_sid, 0, mask, 0);
+
+	make_sec_acl(dacl, 2, 4, dace);
+
+	len = make_sec_desc(sec, 1,
+	              SEC_DESC_DACL_PRESENT|SEC_DESC_SELF_RELATIVE,
+	              NULL, NULL, NULL, dacl);
+
+	make_sec_desc_buf(buf, len, sec);
+	buf->undoc = 0x1;
+
+	return NT_STATUS_NOPROBLEMO;
+}
diff --git a/source/samrd/srv_samr_dom_tdb.c b/source/samrd/srv_samr_dom_tdb.c
index 32d1c256a14..72ff69cf943 100644
--- a/source/samrd/srv_samr_dom_tdb.c
+++ b/source/samrd/srv_samr_dom_tdb.c
@@ -104,6 +104,8 @@ uint32 _samr_open_domain(const POLICY_HND *connect_pol,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	policy_hnd_set_name(get_global_hnd_cache(), domain_pol, "domain_pol");
+
 	/* associate the domain SID with the (unique) handle. */
 	if (!set_tdbdomsid(get_global_hnd_cache(), domain_pol,
 			   NULL, NULL, NULL, NULL, NULL, sid))
diff --git a/source/samrd/srv_samr_passdb.c b/source/samrd/srv_samr_passdb.c
index d866fb696f0..5359d2895eb 100644
--- a/source/samrd/srv_samr_passdb.c
+++ b/source/samrd/srv_samr_passdb.c
@@ -193,12 +193,9 @@ static uint32 samr_open_by_sid( const POLICY_HND *parent_pol,
  ********************************************************************/
 uint32 _samr_close(POLICY_HND *hnd)
 {
-	/* set up the SAMR unknown_1 response */
-
 	/* close the policy handle */
 	if (close_policy_hnd(get_global_hnd_cache(), hnd))
 	{
-		bzero(hnd, sizeof(*hnd));
 		return NT_STATUS_NOPROBLEMO;
 	}
 	return NT_STATUS_OBJECT_NAME_INVALID;
@@ -311,7 +308,7 @@ uint32 _samr_query_sec_obj(const POLICY_HND *user_pol, SEC_DESC_BUF *buf)
 #endif
 	DEBUG(5,("samr_query_sec_obj: %d\n", __LINE__));
 
-	return NT_STATUS_NOPROBLEMO;
+	return samr_make_usr_obj_sd(buf, &usr_sid);
 }
 
 /*******************************************************************
diff --git a/source/samrd/srv_samr_sam_tdb.c b/source/samrd/srv_samr_sam_tdb.c
index 2f81392ab5e..d8379100629 100644
--- a/source/samrd/srv_samr_sam_tdb.c
+++ b/source/samrd/srv_samr_sam_tdb.c
@@ -143,6 +143,8 @@ static uint32 tdb_samr_connect( POLICY_HND *pol, uint32 ace_perms)
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	policy_hnd_set_name(get_global_hnd_cache(), pol, "sam_connect");
+
 	become_root(True);
 	sam_tdb = tdb_open(passdb_path("sam.tdb"), 0, 0, O_RDONLY, 0644);
 	unbecome_root(True);
@@ -306,14 +308,7 @@ uint32 _samr_query_sec_obj(const POLICY_HND *pol, SEC_DESC_BUF *buf)
 {
 	uint32 rid;
 	DOM_SID usr_sid;
-	DOM_SID adm_sid;
-	DOM_SID glb_sid;
 	TDB_CONTEXT *tdb = NULL;
-	SEC_ACL *dacl = NULL;
-	SEC_ACE *dace = NULL;
-	SEC_ACCESS mask;
-	SEC_DESC *sec = NULL;
-	int len;
 
 	/* find the policy handle.  open a policy on it. */
 	if (!get_tdbrid(get_global_hnd_cache(), pol, &tdb, NULL, NULL, &rid))
@@ -321,45 +316,10 @@ uint32 _samr_query_sec_obj(const POLICY_HND *pol, SEC_DESC_BUF *buf)
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	dacl = malloc(sizeof(*dacl));
-	dace = malloc(3 * sizeof(*dace));
-	sec = malloc(sizeof(*sec));
-
-	if (dacl == NULL || dace == NULL || sec == NULL)
-	{
-		safe_free(dacl);
-		safe_free(dace);
-		safe_free(sec);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	sid_copy(&usr_sid, &global_sam_sid);
 	sid_append_rid(&usr_sid, rid);
 
-	sid_copy(&adm_sid, &global_sid_S_1_5_20);
-	sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS);
-
-	sid_copy(&glb_sid, &global_sid_S_1_1);
-	sid_append_rid(&glb_sid, 0x0);
-
-
-	mask.mask = 0x20044;
-	make_sec_ace(&dace[0], &usr_sid, 0, mask, 0);
-	mask.mask = 0xf07ff;
-	make_sec_ace(&dace[1], &adm_sid, 0, mask, 0);
-	mask.mask = 0x2035b;
-	make_sec_ace(&dace[2], &glb_sid, 0, mask, 0);
-
-	make_sec_acl(dacl, 2, 3, dace);
-
-	len = make_sec_desc(sec, 1,
-	              SEC_DESC_DACL_PRESENT|SEC_DESC_SELF_RELATIVE,
-	              NULL, NULL, NULL, dacl);
-
-	make_sec_desc_buf(buf, len, sec);
-	buf->undoc = 0x1;
-
 	DEBUG(5,("samr_query_sec_obj: %d\n", __LINE__));
 
-	return NT_STATUS_NOPROBLEMO;
+	return samr_make_usr_obj_sd(buf, &usr_sid);;
 }
diff --git a/source/samrd/srv_samr_tdb.c b/source/samrd/srv_samr_tdb.c
index bd905f48f17..3d9df8abd18 100644
--- a/source/samrd/srv_samr_tdb.c
+++ b/source/samrd/srv_samr_tdb.c
@@ -65,6 +65,11 @@ typedef struct tdb_sam_info
 }
 TDB_SAM_INFO;
 
+
+#define POL_TYPE_TDBRID  1
+#define POL_TYPE_TDBSAM  2
+
+
 static void free_tdbdom_info(void *dev)
 {
 	TDB_DOM_INFO *tdbi = (TDB_DOM_INFO *) dev;
@@ -152,6 +157,8 @@ BOOL set_tdbrid(struct policy_cache *cache, POLICY_HND *hnd,
 				     (void *)dev))
 		{
 			DEBUG(3, ("Service setting policy rid=%x\n", rid));
+			policy_hnd_set_state_type(cache, hnd,
+						  POL_TYPE_TDBRID);
 			return True;
 		}
 		free(dev);
@@ -168,8 +175,14 @@ BOOL get_tdbrid(struct policy_cache *cache, const POLICY_HND *hnd,
 		TDB_CONTEXT ** usr_tdb,
 		TDB_CONTEXT ** grp_tdb, TDB_CONTEXT ** als_tdb, uint32 * rid)
 {
-	TDB_RID_INFO *dev =
-		(TDB_RID_INFO *) get_policy_state_info(cache, hnd);
+	TDB_RID_INFO *dev;
+
+	if (!policy_hnd_check_state_type(cache, hnd, POL_TYPE_TDBRID))
+	{
+		DEBUG(1, ("WARNING: get_tdbrid: handle has wrong type!\n"));
+	}
+
+	dev = (TDB_RID_INFO *) get_policy_state_info(cache, hnd);
 
 	if (dev != NULL)
 	{
@@ -203,7 +216,6 @@ BOOL get_tdbrid(struct policy_cache *cache, const POLICY_HND *hnd,
 BOOL set_tdbsam(struct policy_cache *cache, POLICY_HND *hnd,
 		TDB_CONTEXT * tdb)
 {
-	pstring sidstr;
 	TDB_SAM_INFO *dev = malloc(sizeof(*dev));
 
 	if (dev != NULL)
@@ -213,7 +225,9 @@ BOOL set_tdbsam(struct policy_cache *cache, POLICY_HND *hnd,
 		if (set_policy_state
 		    (cache, hnd, free_tdbsam_info, (void *)dev))
 		{
-			DEBUG(3, ("Service setting policy sid=%s\n", sidstr));
+			DEBUG(3, ("Service setting policy sam\n"));
+			policy_hnd_set_state_type(cache, hnd,
+						  POL_TYPE_TDBSAM);
 			return True;
 		}
 		free(dev);
@@ -229,8 +243,14 @@ BOOL set_tdbsam(struct policy_cache *cache, POLICY_HND *hnd,
 BOOL get_tdbsam(struct policy_cache *cache, const POLICY_HND *hnd,
 		TDB_CONTEXT ** tdb)
 {
-	TDB_SAM_INFO *dev =
-		(TDB_SAM_INFO *) get_policy_state_info(cache, hnd);
+	TDB_SAM_INFO *dev;
+
+	if (!policy_hnd_check_state_type(cache, hnd, POL_TYPE_TDBSAM))
+	{
+		DEBUG(1, ("WARNING: get_tdbsam: handle has wrong type!\n"));
+	}
+
+	dev = (TDB_SAM_INFO *) get_policy_state_info(cache, hnd);
 
 	if (dev != NULL)
 	{
@@ -427,6 +447,8 @@ uint32 samr_open_user_tdb(const POLICY_HND *parent_pol,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	policy_hnd_set_name(get_global_hnd_cache(), pol, "sam_user");
+
 	if (usr_tdb == NULL && ace_perms == SEC_RIGHTS_MAXIMUM_ALLOWED)
 	{
 		DEBUG(10, ("samr_open_user_tdb: max perms requested\n"));