ok. a test previously showed that joining an NT5rtm to a domain with

samrtdbd was failing, because the domain was opened read-only and then
the user was opened read-write for create.

_un_fortunately, i had created an entire domain-user database, which of
course was opened read-only, and then the create-user OF course, failed.

so i had to change this to a system of creating INDIVIDUAL user databases
ARGH.

now, it should be possible to open at the domain-level (which is just a
directory), and then open a user for write-create, and away we go.

6 files changed, 322 insertions, 370 deletions

diff --git a/source/include/proto.h b/source/include/proto.h
index 8a2d64fd32c..71ef7ae8027 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -4054,12 +4054,12 @@ BOOL set_tdbsid(struct policy_cache *cache, POLICY_HND *hnd,
 				TDB_CONTEXT *tdb, const DOM_SID *sid);
 BOOL get_tdbsid(struct policy_cache *cache, const POLICY_HND *hnd,
 				TDB_CONTEXT **tdb, DOM_SID *sid);
-uint32 samr_open_by_tdbrid( const POLICY_HND *parent_pol,
+TDB_CONTEXT *open_usr_db(const DOM_SID *sid, uint32 rid, int perms);
+uint32 samr_open_user_tdb( const POLICY_HND *parent_pol,
+				const DOM_SID *sid,
 				TDB_CONTEXT *usr_tdb,
-				TDB_CONTEXT *grp_tdb,
-				TDB_CONTEXT *als_tdb,
 				POLICY_HND *pol,
-				uint32 access_mask, uint32 rid);
+				uint32 ace_perms, uint32 rid);
 
 /*The following definitions come from  samrd/srv_samr_tdb_init.c  */
 
@@ -4097,6 +4097,7 @@ uint32 _samr_delete_dom_user(POLICY_HND *user_pol);
 
 /*The following definitions come from  samrd/srv_samr_usr_tdb.c  */
 
+BOOL tdb_lookup_user(TDB_CONTEXT *tdb, SAM_USER_INFO_21 *usr);
 uint32 _samr_get_usrdom_pwinfo(const POLICY_HND *user_pol,
 				uint32 *unknown_0,
 				uint32 *unknown_1);
diff --git a/source/samrd/srv_samr_dom_tdb.c b/source/samrd/srv_samr_dom_tdb.c
index 5f3159168f9..ad58c86c10b 100644
--- a/source/samrd/srv_samr_dom_tdb.c
+++ b/source/samrd/srv_samr_dom_tdb.c
@@ -36,24 +36,22 @@ typedef struct sam_data21_info
 	uint32 start_idx;
 	uint32 current_idx;;
 
-} SAM_DATA_21;
+}
+SAM_DATA_21;
 
 /******************************************************************
 makes a SAMR_R_ENUM_USERS structure.
 ********************************************************************/
-static int tdb_user21_traverse(TDB_CONTEXT *tdb,
-				TDB_DATA kbuf,
-				TDB_DATA dbuf,
-				void *state)
+static int tdb_user21_traverse(TDB_CONTEXT * tdb,
+			       TDB_DATA kbuf, TDB_DATA dbuf, void *state)
 {
 	prs_struct ps;
 	SAM_USER_INFO_21 *usr;
-	SAM_DATA_21 *data = (SAM_DATA_21*)state;
+	SAM_DATA_21 *data = (SAM_DATA_21 *) state;
 	uint32 num_sam_entries = data->num_sam_entries + 1;
 
-	DEBUG(5,("tdb_user21_traverse: idx: %d %d\n",
-					data->current_idx,
-					num_sam_entries));
+	DEBUG(5, ("tdb_user21_traverse: idx: %d %d\n",
+		  data->current_idx, num_sam_entries));
 
 	dump_data_pw("usr:\n", dbuf.dptr, dbuf.dsize);
 	dump_data_pw("rid:\n", kbuf.dptr, kbuf.dsize);
@@ -65,12 +63,13 @@ static int tdb_user21_traverse(TDB_CONTEXT *tdb,
 		return 0;
 	}
 
-	data->usr = (SAM_USER_INFO_21*)Realloc(data->usr,
-	                    num_sam_entries * sizeof(data->usr[0]));
+	data->usr = (SAM_USER_INFO_21 *) Realloc(data->usr,
+						 num_sam_entries *
+						 sizeof(data->usr[0]));
 
 	if (data->usr == NULL)
 	{
-		DEBUG(0,("NULL pointers in tdb_user21_traverse\n"));
+		DEBUG(0, ("NULL pointers in tdb_user21_traverse\n"));
 		return -1;
 	}
 
@@ -85,141 +84,35 @@ static int tdb_user21_traverse(TDB_CONTEXT *tdb,
 	return 0;
 }
 
-static uint32 open_dom_dbs(const DOM_SID *sid, int perms,
-			TDB_CONTEXT **usr_tdb,
-			TDB_CONTEXT **usg_tdb,
-			TDB_CONTEXT **usa_tdb,
-			TDB_CONTEXT **grp_tdb,
-			TDB_CONTEXT **als_tdb)
-{
-	fstring usr;
-	fstring usg;
-	fstring usa;
-	fstring grp;
-	fstring als;
-	fstring tmp;
-
-	sid_to_string(tmp, sid);
-
-	slprintf(usr, sizeof(usr)-1, "%s.usr.tdb", tmp);
-	slprintf(usg, sizeof(usg)-1, "%s.usg.tdb", tmp);
-	slprintf(usa, sizeof(usa)-1, "%s.usa.tdb", tmp);
-	slprintf(als, sizeof(als)-1, "%s.als.tdb", tmp);
-	slprintf(grp, sizeof(grp)-1, "%s.grp.tdb", tmp);
-
-	DEBUG(10,("opening domain %s with ", tmp));
-	DEBUGADD(10, ("rdonly: %s ", BOOLSTR(IS_BITS_SET_ALL(perms, O_RDONLY))));
-	DEBUGADD(10, ("wronly: %s", BOOLSTR(IS_BITS_SET_ALL(perms, O_WRONLY))));
-	DEBUGADD(10, ("rdwr: %s", BOOLSTR(IS_BITS_SET_ALL(perms, O_RDWR))));
-	DEBUGADD(10, ("\n"));
-
-	(*usr_tdb) = tdb_open(passdb_path(usr),0,0,perms, 0644);
-	(*usg_tdb) = tdb_open(passdb_path(usg),0,0,perms, 0644);
-	(*usa_tdb) = tdb_open(passdb_path(usa),0,0,perms, 0644);
-	(*grp_tdb) = tdb_open(passdb_path(grp),0,0,perms, 0644);
-	(*als_tdb) = tdb_open(passdb_path(als),0,0,perms, 0644);
-	if ((*usr_tdb) == NULL ||
-	    (*usg_tdb) == NULL || 
-	    (*usa_tdb) == NULL || 
-	    (*grp_tdb) == NULL || 
-	    (*als_tdb) == NULL)
-	{
-		tdb_close(*usr_tdb);
-		tdb_close(*usg_tdb);
-		tdb_close(*usa_tdb);
-		tdb_close(*grp_tdb);
-		tdb_close(*als_tdb);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-	return NT_STATUS_NOPROBLEMO;
-}
-
 /*******************************************************************
  samr_reply_open_domain
  ********************************************************************/
 uint32 _samr_open_domain(const POLICY_HND *connect_pol,
-				uint32 ace_perms,
-				const DOM_SID *sid,
-				POLICY_HND *domain_pol)
+			 uint32 ace_perms,
+			 const DOM_SID * sid, POLICY_HND *domain_pol)
 {
-	TDB_CONTEXT *dom_tdb = NULL;
-	TDB_CONTEXT *usr_tdb = NULL;
-	TDB_CONTEXT *usg_tdb = NULL;
-	TDB_CONTEXT *usa_tdb = NULL;
-	TDB_CONTEXT *grp_tdb = NULL;
-	TDB_CONTEXT *als_tdb = NULL;
-
 	/* find the policy handle.  open a policy on it. */
-	if (!get_tdbsam(get_global_hnd_cache(), connect_pol, &dom_tdb))
+	if (!get_tdbsam(get_global_hnd_cache(), connect_pol, NULL))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
 	/* get a (unique) handle.  open a policy on it. */
 	if (!open_policy_hnd_link(get_global_hnd_cache(),
-		connect_pol, domain_pol, ace_perms))
+				  connect_pol, domain_pol, ace_perms))
 	{
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (ace_perms == SEC_RIGHTS_MAXIMUM_ALLOWED)
-	{
-		uint32 status;
-
-		DEBUG(10,("_samr_open_domain: max perms requested\n"));
-
-		status = open_dom_dbs(sid, O_RDWR,
-		                      &usr_tdb, &usg_tdb, &usa_tdb,
-		                      &grp_tdb, &als_tdb);
-		if (status != 0x0)
-		{
-			status = open_dom_dbs(sid, O_RDONLY,
-			              &usr_tdb, &usg_tdb, &usa_tdb,
-		                      &grp_tdb, &als_tdb);
-		}
-		if (status != 0x0)
-		{
-			return status;
-		}
-	}
-	else
-	{
-		int perms = 0;
-		BOOL perms_read;
-		BOOL perms_write;
-		uint32 status;
-
-		perms_write = IS_BITS_SET_SOME(ace_perms,
-		                SEC_RIGHTS_WRITE_OWNER|SEC_RIGHTS_WRITE_DAC);
-		perms_read = IS_BITS_SET_ALL(ace_perms, SEC_RIGHTS_READ);
-
-		if (perms_write              ) perms = O_WRONLY;
-		if (perms_read               ) perms = O_RDONLY;
-		if (perms_write && perms_read) perms = O_RDWR;
-
-		status = open_dom_dbs(sid, perms,
-		                      &usr_tdb, &usg_tdb, &usa_tdb,
-		                      &grp_tdb, &als_tdb);
-		if (status != 0x0)
-		{
-			return status;
-		}
-	}
-
 	/* associate the domain SID with the (unique) handle. */
 	if (!set_tdbdomsid(get_global_hnd_cache(), domain_pol,
-	                   usr_tdb, usg_tdb, usa_tdb, grp_tdb, als_tdb, sid))
+			   NULL, NULL, NULL, NULL, NULL, sid))
 	{
-		tdb_close(usr_tdb);
-		tdb_close(usg_tdb);
-		tdb_close(usa_tdb);
-		tdb_close(grp_tdb);
-		tdb_close(als_tdb);
 		close_policy_hnd(get_global_hnd_cache(), domain_pol);
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	DEBUG(5,("_samr_open_domain: %d\n", __LINE__));
+	DEBUG(5, ("_samr_open_domain: %d\n", __LINE__));
 
 	return NT_STATUS_NOPROBLEMO;
 }
@@ -232,26 +125,24 @@ typedef struct sam_data_info
 	uint32 start_idx;
 	uint32 current_idx;;
 
-} SAM_DATA;
+}
+SAM_DATA;
 
 /******************************************************************
 makes a SAMR_R_ENUM_USERS structure.
 ********************************************************************/
-static int tdb_user_traverse(TDB_CONTEXT *tdb,
-				TDB_DATA kbuf,
-				TDB_DATA dbuf,
-				void *state)
+static int tdb_user_traverse(TDB_CONTEXT * tdb,
+			     TDB_DATA kbuf, TDB_DATA dbuf, void *state)
 {
 	prs_struct ps;
 	SAM_USER_INFO_21 usr;
-	SAM_DATA *data = (SAM_DATA*)state;
+	SAM_DATA *data = (SAM_DATA *) state;
 	uint32 num_sam_entries = data->num_sam_entries + 1;
 	SAM_ENTRY *sam;
 	UNISTR2 *str;
 
-	DEBUG(5,("tdb_user_traverse: idx: %d %d\n",
-					data->current_idx,
-					num_sam_entries));
+	DEBUG(5, ("tdb_user_traverse: idx: %d %d\n",
+		  data->current_idx, num_sam_entries));
 
 	dump_data_pw("usr:\n", dbuf.dptr, dbuf.dsize);
 	dump_data_pw("rid:\n", kbuf.dptr, kbuf.dsize);
@@ -263,14 +154,17 @@ static int tdb_user_traverse(TDB_CONTEXT *tdb,
 		return 0;
 	}
 
-	data->sam = (SAM_ENTRY*)Realloc(data->sam,
-	                    num_sam_entries * sizeof(data->sam[0]));
-	data->uni_name = (UNISTR2*)Realloc(data->uni_name,
-	                    num_sam_entries * sizeof(data->uni_name[0]));
+	data->sam = (SAM_ENTRY *) Realloc(data->sam,
+					  num_sam_entries *
+					  sizeof(data->sam[0]));
+	data->uni_name =
+		(UNISTR2 *) Realloc(data->uni_name,
+				    num_sam_entries *
+				    sizeof(data->uni_name[0]));
 
 	if (data->sam == NULL || data->uni_name == NULL)
 	{
-		DEBUG(0,("NULL pointers in tdb_user_traverse\n"));
+		DEBUG(0, ("NULL pointers in tdb_user_traverse\n"));
 		return -1;
 	}
 
@@ -297,28 +191,27 @@ static int tdb_user_traverse(TDB_CONTEXT *tdb,
 /*******************************************************************
  samr_reply_enum_dom_users
  ********************************************************************/
-uint32 _samr_enum_dom_users(  const POLICY_HND *pol, uint32 *start_idx, 
-				uint16 acb_mask, uint16 unk_1, uint32 size,
-				SAM_ENTRY **sam,
-				UNISTR2 **uni_acct_name,
-				uint32 *num_sam_users)
+uint32 _samr_enum_dom_users(const POLICY_HND *pol, uint32 * start_idx,
+			    uint16 acb_mask, uint16 unk_1, uint32 size,
+			    SAM_ENTRY ** sam,
+			    UNISTR2 ** uni_acct_name, uint32 * num_sam_users)
 {
 	TDB_CONTEXT *sam_tdb = NULL;
 	SAM_DATA state;
 
 	/* find the domain sid associated with the policy handle */
 	if (!get_tdbdomsid(get_global_hnd_cache(), pol, &sam_tdb,
-					NULL, NULL, NULL, NULL, NULL))
+			   NULL, NULL, NULL, NULL, NULL))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	DEBUG(5,("samr_reply_enum_users:\n"));
+	DEBUG(5, ("samr_reply_enum_users:\n"));
 
 	ZERO_STRUCT(state);
 
 	state.start_idx = (*start_idx);
-	tdb_traverse(sam_tdb, tdb_user_traverse, (void*)&state);
+	tdb_traverse(sam_tdb, tdb_user_traverse, (void *)&state);
 
 	(*sam) = state.sam;
 	(*uni_acct_name) = state.uni_name;
@@ -331,12 +224,12 @@ uint32 _samr_enum_dom_users(  const POLICY_HND *pol, uint32 *start_idx,
 /*******************************************************************
 makes a SAMR_R_ENUM_DOM_GROUPS structure.
 ********************************************************************/
-static void make_samr_dom_groups(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
-		uint32 num_sam_entries, DOMAIN_GRP *grps)
+static void make_samr_dom_groups(SAM_ENTRY ** sam, UNISTR2 ** uni_grp_name,
+				 uint32 num_sam_entries, DOMAIN_GRP * grps)
 {
 	uint32 i;
 
-	DEBUG(5,("make_samr_dom_groups\n"));
+	DEBUG(5, ("make_samr_dom_groups\n"));
 
 	(*sam) = NULL;
 	(*uni_grp_name) = NULL;
@@ -346,12 +239,16 @@ static void make_samr_dom_groups(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
 		return;
 	}
 
-	(*sam) = (SAM_ENTRY*)Realloc(NULL, num_sam_entries * sizeof((*sam)[0]));
-	(*uni_grp_name) = (UNISTR2*)Realloc(NULL, num_sam_entries * sizeof((*uni_grp_name)[0]));
+	(*sam) = (SAM_ENTRY *) Realloc(NULL, num_sam_entries * sizeof((*sam)[0]));
+
+	(*uni_grp_name) =
+		(UNISTR2 *) Realloc(NULL,
+				    num_sam_entries *
+				    sizeof((*uni_grp_name)[0]));
 
 	if ((*sam) == NULL || (*uni_grp_name) == NULL)
 	{
-		DEBUG(0,("NULL pointers in SAMR_R_ENUM_DOM_GROUPS\n"));
+		DEBUG(0, ("NULL pointers in SAMR_R_ENUM_DOM_GROUPS\n"));
 		return;
 	}
 
@@ -368,10 +265,10 @@ static void make_samr_dom_groups(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
  samr_reply_enum_dom_groups
  ********************************************************************/
 uint32 _samr_enum_dom_groups(const POLICY_HND *pol,
-				uint32 *start_idx, uint32 size,
-				SAM_ENTRY **sam,
-				UNISTR2 **uni_acct_name,
-				uint32 *num_sam_groups)
+			     uint32 * start_idx, uint32 size,
+			     SAM_ENTRY ** sam,
+			     UNISTR2 ** uni_acct_name,
+			     uint32 * num_sam_groups)
 {
 	DOMAIN_GRP *grps = NULL;
 	int num_entries = 0;
@@ -388,7 +285,7 @@ uint32 _samr_enum_dom_groups(const POLICY_HND *pol,
 
 	sid_to_string(sid_str, &sid);
 
-	DEBUG(5,("samr_reply_enum_dom_groups: sid %s\n", sid_str));
+	DEBUG(5, ("samr_reply_enum_dom_groups: sid %s\n", sid_str));
 
 	if (!sid_equal(&sid, &global_sam_sid))
 	{
@@ -418,12 +315,12 @@ uint32 _samr_enum_dom_groups(const POLICY_HND *pol,
 /*******************************************************************
 makes a SAMR_R_ENUM_DOM_ALIASES structure.
 ********************************************************************/
-static void make_samr_dom_aliases(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
-		uint32 num_sam_entries, LOCAL_GRP *alss)
+static void make_samr_dom_aliases(SAM_ENTRY ** sam, UNISTR2 ** uni_grp_name,
+				  uint32 num_sam_entries, LOCAL_GRP * alss)
 {
 	uint32 i;
 
-	DEBUG(5,("make_samr_r_enum_dom_aliases\n"));
+	DEBUG(5, ("make_samr_r_enum_dom_aliases\n"));
 
 	(*sam) = NULL;
 	(*uni_grp_name) = NULL;
@@ -433,12 +330,16 @@ static void make_samr_dom_aliases(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
 		return;
 	}
 
-	(*sam) = (SAM_ENTRY*)Realloc(NULL, num_sam_entries * sizeof((*sam)[0]));
-	(*uni_grp_name) = (UNISTR2*)Realloc(NULL, num_sam_entries * sizeof((*uni_grp_name)[0]));
+	(*sam) = (SAM_ENTRY *) Realloc(NULL, num_sam_entries * sizeof((*sam)[0]));
+
+	(*uni_grp_name) =
+		(UNISTR2 *) Realloc(NULL,
+				    num_sam_entries *
+				    sizeof((*uni_grp_name)[0]));
 
 	if ((*sam) == NULL || (*uni_grp_name) == NULL)
 	{
-		DEBUG(0,("NULL pointers in SAMR_R_ENUM_DOM_ALIASES\n"));
+		DEBUG(0, ("NULL pointers in SAMR_R_ENUM_DOM_ALIASES\n"));
 		return;
 	}
 
@@ -446,7 +347,7 @@ static void make_samr_dom_aliases(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
 	{
 		int len = strlen(alss[i].name);
 
-		make_sam_entry(&((*sam)[i]), len, alss[i].rid); 
+		make_sam_entry(&((*sam)[i]), len, alss[i].rid);
 		make_unistr2(&((*uni_grp_name)[i]), alss[i].name, len);
 	}
 }
@@ -455,10 +356,10 @@ static void make_samr_dom_aliases(SAM_ENTRY **sam, UNISTR2 **uni_grp_name,
  samr_reply_enum_dom_aliases
  ********************************************************************/
 uint32 _samr_enum_dom_aliases(const POLICY_HND *pol,
-					uint32 *start_idx, uint32 size,
-					SAM_ENTRY **sam,
-					UNISTR2 **uni_acct_name,
-					uint32 *num_sam_aliases)
+			      uint32 * start_idx, uint32 size,
+			      SAM_ENTRY ** sam,
+			      UNISTR2 ** uni_acct_name,
+			      uint32 * num_sam_aliases)
 {
 	LOCAL_GRP *alss = NULL;
 	int num_entries = 0;
@@ -468,14 +369,14 @@ uint32 _samr_enum_dom_aliases(const POLICY_HND *pol,
 
 	/* find the policy handle.  open a policy on it. */
 	if (!get_tdbdomsid(get_global_hnd_cache(), pol,
-	                   NULL, NULL, NULL, NULL, &als_tdb, &sid))
+			   NULL, NULL, NULL, NULL, &als_tdb, &sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
 	sid_to_string(sid_str, &sid);
 
-	DEBUG(5,("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
+	DEBUG(5, ("samr_reply_enum_dom_aliases: sid %s\n", sid_str));
 
 	/* well-known aliases */
 	if (sid_equal(&sid, &global_sid_S_1_5_20))
@@ -508,7 +409,7 @@ uint32 _samr_enum_dom_aliases(const POLICY_HND *pol,
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
-		
+
 	(*start_idx) += num_entries;
 	(*num_sam_aliases) = num_entries;
 
@@ -522,13 +423,12 @@ uint32 _samr_enum_dom_aliases(const POLICY_HND *pol,
 /*******************************************************************
  samr_reply_query_dispinfo
  ********************************************************************/
-uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
-					uint32 start_idx,
-					uint32 max_entries,
-					uint32 max_size,
-					uint32 *data_size,
-					uint32 *num_entries,
-					SAM_DISPINFO_CTR *ctr)
+uint32 _samr_query_dispinfo(const POLICY_HND *domain_pol, uint16 level,
+			    uint32 start_idx,
+			    uint32 max_entries,
+			    uint32 max_size,
+			    uint32 * data_size,
+			    uint32 * num_entries, SAM_DISPINFO_CTR * ctr)
 {
 	SAM_USER_INFO_21 *pass = NULL;
 	DOMAIN_GRP *grps = NULL;
@@ -541,12 +441,12 @@ uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
 
 	/* find the domain sid associated with the policy handle */
 	if (!get_tdbdomsid(get_global_hnd_cache(), domain_pol, &sam_tdb,
-					NULL, NULL, NULL, NULL, NULL))
+			   NULL, NULL, NULL, NULL, NULL))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	DEBUG(5,("samr_reply_query_dispinfo: %d\n", __LINE__));
+	DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
 
 	(*num_entries) = 0;
 	(*data_size) = 0;
@@ -554,7 +454,7 @@ uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
 	/* find the policy handle.  open a policy on it. */
 	if (find_policy_by_hnd(get_global_hnd_cache(), domain_pol) == -1)
 	{
-		DEBUG(5,("samr_reply_query_dispinfo: invalid handle\n"));
+		DEBUG(5, ("samr_reply_query_dispinfo: invalid handle\n"));
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
@@ -574,8 +474,8 @@ uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
 
 			state.start_idx = start_idx;
 			total_entries = tdb_traverse(sam_tdb,
-			                             tdb_user21_traverse,
-			                             (void*)&state);
+						     tdb_user21_traverse,
+						     (void *)&state);
 
 			pass = state.usr;
 			start_idx += state.num_sam_entries;
@@ -598,10 +498,13 @@ uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
 				return NT_STATUS_ACCESS_DENIED;
 			}
 
-			if (start_idx < num_sam_entries) {
+			if (start_idx < num_sam_entries)
+			{
 				grps = sam_grps + start_idx;
 				num_sam_entries -= start_idx;
-			} else {
+			}
+			else
+			{
 				num_sam_entries = 0;
 			}
 			break;
@@ -670,7 +573,7 @@ uint32 _samr_query_dispinfo(  const POLICY_HND *domain_pol, uint16 level,
 		}
 	}
 
-	DEBUG(5,("samr_reply_query_dispinfo: %d\n", __LINE__));
+	DEBUG(5, ("samr_reply_query_dispinfo: %d\n", __LINE__));
 
 	safe_free(sam_grps);
 	safe_free(grps);
@@ -692,38 +595,23 @@ typedef struct tdb_name_info
 	uint32 num_names;
 	BOOL found_one;
 
-} TDB_NAME_INFO;
+}
+TDB_NAME_INFO;
 
 /******************************************************************
 tdb_userlookup_names
 ********************************************************************/
-static int tdb_userlookup_names(TDB_CONTEXT *tdb,
-				TDB_DATA kbuf,
-				TDB_DATA dbuf,
-				void *state)
+static int tdb_userlookup_names(TDB_CONTEXT * tdb, void *state)
 {
-	prs_struct ps;
 	SAM_USER_INFO_21 usr;
-	TDB_NAME_INFO *data = (TDB_NAME_INFO*)state;
-	uint32 rid;
+	TDB_NAME_INFO *data = (TDB_NAME_INFO *) state;
 	int i;
 
-	DEBUG(5,("tdb_userlookup_names\n"));
-
-	dump_data_pw("usr:\n", dbuf.dptr, dbuf.dsize);
-	dump_data_pw("rid:\n", kbuf.dptr, kbuf.dsize);
+	DEBUG(5, ("tdb_userlookup_names\n"));
 
-	prs_create(&ps, dbuf.dptr, dbuf.dsize, 4, True);
-	if (!sam_io_user_info21("usr", &usr, &ps, 0))
+	if (!tdb_lookup_user(tdb, &usr))
 	{
-		DEBUG(5,("tdb_userlookup_names: user convert failed\n"));
-		return 0;
-	}
-	prs_create(&ps, kbuf.dptr, kbuf.dsize, 4, True);
-	if (!_prs_uint32("rid", &ps, 0, &rid))
-	{
-		DEBUG(5,("tdb_userlookup_names: rid convert failed\n"));
-		return 0;
+		return -1;
 	}
 
 	for (i = 0; i < data->num_names; i++)
@@ -731,10 +619,10 @@ static int tdb_userlookup_names(TDB_CONTEXT *tdb,
 		const UNISTR2 *str = &data->uni_name[i];
 		if (unistr2equal(str, &usr.uni_user_name))
 		{
-			DEBUG(10,("found user rid[i]: %d\n", i));
+			DEBUG(10, ("found user rid[i]: %d\n", i));
 
 			data->types[i] = SID_NAME_USER;
-			data->rids[i] = rid;
+			data->rids[i] = usr.user_rid;
 			data->found_one = True;
 
 			return 0;
@@ -744,29 +632,68 @@ static int tdb_userlookup_names(TDB_CONTEXT *tdb,
 	return 0;
 }
 
+BOOL dom_user_traverse(const DOM_SID * dom_sid,
+		       int (*fn) (TDB_CONTEXT *, void *), void *state)
+{
+	DIR *dirp;
+	char *dpname;
+	pstring tmp;
+	pstring dirname;
+
+	sid_to_string(tmp, dom_sid);
+	slprintf(dirname, sizeof(dirname) - 1, "%s/usr", tmp);
+
+	dirp = opendir(passdb_path(dirname));
+
+	if (dirp == NULL)
+	{
+		DEBUG(2, ("Error opening directory [%s]\n", dirname));
+		return False;
+	}
+
+	while ((dpname = readdirname(dirp)) != NULL)
+	{
+		TDB_CONTEXT *usr_tdb;
+		uint32 rid = strtoul(dpname, (char **)NULL, 16);
+
+		DEBUG(10,("dom_user_traverse: %s\n", dpname));
+
+		if (rid == 0)
+		{
+			continue;
+		}
+		usr_tdb = open_usr_db(dom_sid, rid, O_RDONLY);
+		if (usr_tdb != NULL && fn(usr_tdb, state) != 0)
+		{
+			tdb_close(usr_tdb);
+			break;
+		}
+		tdb_close(usr_tdb);
+	}
+	closedir(dirp);
+
+	return True;
+}
+
 /*******************************************************************
  samr_reply_lookup_names
  ********************************************************************/
 uint32 _samr_lookup_names(const POLICY_HND *dom_pol,
-				
-			uint32 num_names,
-			uint32 flags,
-			uint32 ptr,
-			const UNISTR2 *uni_name,
-
-			uint32 *num_rids,
-			uint32 rid[MAX_SAM_ENTRIES],
-			uint32 *num_types,
-			uint32 type[MAX_SAM_ENTRIES])
+			  uint32 num_names,
+			  uint32 flags,
+			  uint32 ptr,
+			  const UNISTR2 * uni_name,
+			  uint32 * num_rids,
+			  uint32 rid[MAX_SAM_ENTRIES],
+			  uint32 * num_types, uint32 type[MAX_SAM_ENTRIES])
 {
-	TDB_CONTEXT *usr_tdb = NULL;
 	DOM_SID dom_sid;
 	TDB_NAME_INFO state;
 
-	DEBUG(5,("samr_lookup_names: %d\n", __LINE__));
+	DEBUG(5, ("samr_lookup_names: %d\n", __LINE__));
 
 	if (!get_tdbdomsid(get_global_hnd_cache(), dom_pol,
-	                   &usr_tdb, NULL, NULL, NULL, NULL, &dom_sid))
+			   NULL, NULL, NULL, NULL, NULL, &dom_sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
@@ -785,14 +712,17 @@ uint32 _samr_lookup_names(const POLICY_HND *dom_pol,
 	state.uni_name = uni_name;
 
 	if (state.rids == NULL ||
-	    state.types == NULL ||
-	    state.uni_name == NULL)
+	    state.types == NULL || state.uni_name == NULL)
 	{
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	/* lookups */
-	tdb_traverse(usr_tdb, tdb_userlookup_names, (void*)&state);
+	if (!dom_user_traverse
+	    (&dom_sid, tdb_userlookup_names, (void *)&state))
+	{
+		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	if (!state.found_one)
 	{
@@ -801,7 +731,6 @@ uint32 _samr_lookup_names(const POLICY_HND *dom_pol,
 
 	(*num_types) = num_names;
 	(*num_rids) = num_names;
-
 	return NT_STATUS_NOPROBLEMO;
 }
 
@@ -813,38 +742,31 @@ typedef struct tdb_rid_info
 	UNISTR2 *uni_name;
 	uint32 num_rids;
 	BOOL found_one;
-
 } TDB_RID_INFO;
-
 /******************************************************************
 tdb_userlookup_rids
 ********************************************************************/
-static int tdb_userlookup_rids(TDB_CONTEXT *tdb,
-				TDB_DATA kbuf,
-				TDB_DATA dbuf,
-				void *state)
+static int tdb_userlookup_rids(TDB_CONTEXT * tdb,
+			       TDB_DATA kbuf, TDB_DATA dbuf, void *state)
 {
 	prs_struct ps;
 	SAM_USER_INFO_21 usr;
-	TDB_RID_INFO *data = (TDB_RID_INFO*)state;
+	TDB_RID_INFO *data = (TDB_RID_INFO *) state;
 	uint32 rid;
 	int i;
-
-	DEBUG(5,("tdb_userlookup_rids\n"));
-
+	DEBUG(5, ("tdb_userlookup_rids\n"));
 	dump_data_pw("usr:\n", dbuf.dptr, dbuf.dsize);
 	dump_data_pw("rid:\n", kbuf.dptr, kbuf.dsize);
-
 	prs_create(&ps, dbuf.dptr, dbuf.dsize, 4, True);
 	if (!sam_io_user_info21("usr", &usr, &ps, 0))
 	{
-		DEBUG(5,("tdb_userlookup_rids: user convert failed\n"));
+		DEBUG(5, ("tdb_userlookup_rids: user convert failed\n"));
 		return 0;
 	}
 	prs_create(&ps, kbuf.dptr, kbuf.dsize, 4, True);
 	if (!_prs_uint32("rid", &ps, 0, &rid))
 	{
-		DEBUG(5,("tdb_userlookup_rids: rid convert failed\n"));
+		DEBUG(5, ("tdb_userlookup_rids: rid convert failed\n"));
 		return 0;
 	}
 
@@ -853,40 +775,35 @@ static int tdb_userlookup_rids(TDB_CONTEXT *tdb,
 		if (rid == data->rids[i])
 		{
 			UNISTR2 *str = &data->uni_name[i];
-			UNIHDR  *hdr = &data->hdr_name[i];
-
-			DEBUG(10,("found user rid[i]: %d\n", i));
-
+			UNIHDR *hdr = &data->hdr_name[i];
+			DEBUG(10, ("found user rid[i]: %d\n", i));
 			data->types[i] = SID_NAME_USER;
 			copy_unistr2(str, &usr.uni_user_name);
 			make_uni_hdr(hdr, str->uni_str_len);
-
 			data->found_one = True;
-
 			return 0;
 		}
 	}
 
 	return 0;
 }
+
 /*******************************************************************
  samr_reply_lookup_rids
  ********************************************************************/
 uint32 _samr_lookup_rids(const POLICY_HND *dom_pol,
-				uint32 num_rids, uint32 flags,
-				const uint32 *rids,
-				uint32 *num_names,
-				UNIHDR **hdr_name, UNISTR2** uni_name,
-				uint32 **types)
+			 uint32 num_rids, uint32 flags,
+			 const uint32 * rids,
+			 uint32 * num_names,
+			 UNIHDR ** hdr_name, UNISTR2 ** uni_name,
+			 uint32 ** types)
 {
 	TDB_CONTEXT *usr_tdb = NULL;
 	DOM_SID dom_sid;
 	TDB_RID_INFO state;
-
-	DEBUG(5,("samr_lookup_rids: %d\n", __LINE__));
-
+	DEBUG(5, ("samr_lookup_rids: %d\n", __LINE__));
 	if (!get_tdbdomsid(get_global_hnd_cache(), dom_pol,
-	                   &usr_tdb, NULL, NULL, NULL, NULL, &dom_sid))
+			   &usr_tdb, NULL, NULL, NULL, NULL, &dom_sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
@@ -897,29 +814,26 @@ uint32 _samr_lookup_rids(const POLICY_HND *dom_pol,
 	state.num_rids = num_rids;
 	state.rids = rids;
 	state.types = malloc(num_rids * sizeof(*state.types));
-	state.hdr_name = (UNIHDR*)malloc(num_rids * sizeof(*state.hdr_name));
-	state.uni_name = (UNISTR2*)malloc(num_rids * sizeof(*state.uni_name));
-
-	if (state.types == NULL ||
-	    state.hdr_name == NULL ||
-	    state.uni_name == NULL)
+	state.hdr_name =
+		(UNIHDR *) malloc(num_rids * sizeof(*state.hdr_name));
+	state.uni_name =
+		(UNISTR2 *) malloc(num_rids * sizeof(*state.uni_name));
+	if (state.types == NULL || state.hdr_name == NULL
+	    || state.uni_name == NULL)
 	{
 		safe_free(state.types);
 		safe_free(state.hdr_name);
 		safe_free(state.uni_name);
-
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	/* lookups */
-	tdb_traverse(usr_tdb, tdb_userlookup_rids, (void*)&state);
-
+	tdb_traverse(usr_tdb, tdb_userlookup_rids, (void *)&state);
 	if (!state.found_one)
 	{
 		safe_free(state.types);
 		safe_free(state.hdr_name);
 		safe_free(state.uni_name);
-
 		return NT_STATUS_NONE_MAPPED;
 	}
 
@@ -927,7 +841,6 @@ uint32 _samr_lookup_rids(const POLICY_HND *dom_pol,
 	(*types) = state.types;
 	(*hdr_name) = state.hdr_name;
 	(*uni_name) = state.uni_name;
-
 	return NT_STATUS_NOPROBLEMO;
 }
 
@@ -935,13 +848,12 @@ uint32 _samr_lookup_rids(const POLICY_HND *dom_pol,
  _samr_query_dom_info
  ********************************************************************/
 uint32 _samr_query_dom_info(const POLICY_HND *domain_pol,
-				uint16 switch_value,
-				SAM_UNK_CTR *ctr)
+			    uint16 switch_value, SAM_UNK_CTR * ctr)
 {
 	/* find the policy handle.  open a policy on it. */
 	if (find_policy_by_hnd(get_global_hnd_cache(), domain_pol) == -1)
 	{
-		DEBUG(5,("samr_reply_query_dom_info: invalid handle\n"));
+		DEBUG(5, ("samr_reply_query_dom_info: invalid handle\n"));
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
@@ -966,7 +878,8 @@ uint32 _samr_query_dom_info(const POLICY_HND *domain_pol,
 		{
 			extern fstring global_sam_name;
 			extern pstring global_myname;
-			make_unk_info2(&(ctr->info.inf2), global_sam_name, global_myname);
+			make_unk_info2(&(ctr->info.inf2), global_sam_name,
+				       global_myname);
 			break;
 		}
 		case 0x01:
@@ -987,8 +900,8 @@ uint32 _samr_query_dom_info(const POLICY_HND *domain_pol,
 /*******************************************************************
  samr_reply_unknown_2d
  ********************************************************************/
-uint32 _samr_unknown_2d(const POLICY_HND *domain_pol, const DOM_SID *sid)
+uint32 _samr_unknown_2d(const POLICY_HND *domain_pol, const DOM_SID * sid)
 {
-	DEBUG(0,("_samr_unknown_2d: not implemented, returning OK\n"));
+	DEBUG(0, ("_samr_unknown_2d: not implemented, returning OK\n"));
 	return NT_STATUS_NOPROBLEMO;
 }
diff --git a/source/samrd/srv_samr_grp_tdb.c b/source/samrd/srv_samr_grp_tdb.c
index b708e74d269..095eaebf78e 100644
--- a/source/samrd/srv_samr_grp_tdb.c
+++ b/source/samrd/srv_samr_grp_tdb.c
@@ -509,6 +509,7 @@ uint32 _samr_create_dom_group(const POLICY_HND *domain_pol,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+	return NT_STATUS_ACCESS_DENIED;
 #if 0
 	if (!tdb_store_group_mem(tdb_usg, (*group_rid), 0, NULL, 0, NULL))
 	{
@@ -516,9 +517,9 @@ uint32 _samr_create_dom_group(const POLICY_HND *domain_pol,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-#endif
 	return samr_open_by_tdbrid(domain_pol, NULL, tdb_grp, NULL,
 	                           group_pol, access_mask, *group_rid);
+#endif
 }
 
 /*******************************************************************
@@ -544,9 +545,12 @@ uint32 _samr_open_group(const POLICY_HND *domain_pol, uint32 access_mask,
 		return NT_STATUS_NO_SUCH_GROUP;
 	}
 
+	return NT_STATUS_NO_SUCH_GROUP;
+#if 0
 	return samr_open_by_tdbrid(domain_pol,
 	                           NULL, tdb_grp, NULL, 
 	                           group_pol, access_mask, group_rid);
+#endif
 }
 
 
diff --git a/source/samrd/srv_samr_tdb.c b/source/samrd/srv_samr_tdb.c
index d94a010e89a..ba602475a30 100644
--- a/source/samrd/srv_samr_tdb.c
+++ b/source/samrd/srv_samr_tdb.c
@@ -390,26 +390,69 @@ BOOL get_tdbsid(struct policy_cache *cache, const POLICY_HND *hnd,
 	return False;
 }
 
+TDB_CONTEXT *open_usr_db(const DOM_SID *sid, uint32 rid, int perms)
+{
+	pstring tmp;
+	pstring usr;
+
+	sid_to_string(tmp, sid);
+	slprintf(usr, sizeof(usr)-1, "%s/usr/%x", tmp, rid);
+
+	return tdb_open(passdb_path(usr),0,0,perms, 0644);
+}
+
 /*******************************************************************
  opens a samr entiry by rid, returns a policy handle.
  ********************************************************************/
-uint32 samr_open_by_tdbrid( const POLICY_HND *parent_pol,
+uint32 samr_open_user_tdb( const POLICY_HND *parent_pol,
+				const DOM_SID *sid,
 				TDB_CONTEXT *usr_tdb,
-				TDB_CONTEXT *grp_tdb,
-				TDB_CONTEXT *als_tdb,
 				POLICY_HND *pol,
-				uint32 access_mask, uint32 rid)
+				uint32 ace_perms, uint32 rid)
 {
 	/* get a (unique) handle.  open a policy on it. */
 	if (!open_policy_hnd_link(get_global_hnd_cache(),
-		parent_pol, pol, access_mask))
+		parent_pol, pol, ace_perms))
+	{
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if (usr_tdb == NULL && ace_perms == SEC_RIGHTS_MAXIMUM_ALLOWED)
+	{
+		DEBUG(10,("samr_open_user_tdb: max perms requested\n"));
+
+		usr_tdb = open_usr_db(sid, rid, O_RDWR);
+		if (usr_tdb == NULL)
+		{
+			usr_tdb = open_usr_db(sid, rid, O_RDONLY);
+		}
+	}
+
+	if (usr_tdb == NULL)
+	{
+		int perms = 0;
+		BOOL perms_read;
+		BOOL perms_write;
+
+		perms_write = IS_BITS_SET_SOME(ace_perms,
+		                SEC_RIGHTS_WRITE_OWNER|SEC_RIGHTS_WRITE_DAC);
+		perms_read = IS_BITS_SET_ALL(ace_perms, SEC_RIGHTS_READ);
+
+		if (perms_write              ) perms = O_WRONLY;
+		if (perms_read               ) perms = O_RDONLY;
+		if (perms_write && perms_read) perms = O_RDWR;
+
+		usr_tdb = open_usr_db(sid, rid, O_RDWR);
+	}
+
+	if (usr_tdb == NULL)
 	{
+		close_policy_hnd(get_global_hnd_cache(), pol);
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* associate a RID with the (unique) handle. */
-	if (!set_tdbrid(get_global_hnd_cache(), pol,
-	                usr_tdb, grp_tdb, als_tdb, rid))
+	/* associate a SID with the (unique) handle. */
+	if (!set_tdbsam(get_global_hnd_cache(), pol, usr_tdb))
 	{
 		/* close the policy in case we can't associate a group SID */
 		close_policy_hnd(get_global_hnd_cache(), pol);
diff --git a/source/samrd/srv_samr_tdb_init.c b/source/samrd/srv_samr_tdb_init.c
index 4740d6b371f..fbf162c6790 100644
--- a/source/samrd/srv_samr_tdb_init.c
+++ b/source/samrd/srv_samr_tdb_init.c
@@ -30,29 +30,23 @@ extern int DEBUGLEVEL;
 uint32 initialise_dom_tdb(const DOM_SID *sid)
 {
 	pstring usr;
-	pstring usg;
-	pstring usa;
 	pstring grp;
 	pstring als;
 	fstring tmp;
 
 	sid_to_string(tmp, sid);
 
-	slprintf(usr, sizeof(usr)-1, "%s.usr.tdb", tmp);
-	slprintf(usg, sizeof(usg)-1, "%s.usg.tdb", tmp);
-	slprintf(usa, sizeof(usa)-1, "%s.usa.tdb", tmp);
-	slprintf(grp, sizeof(grp)-1, "%s.grp.tdb", tmp);
-	slprintf(als, sizeof(als)-1, "%s.als.tdb", tmp);
+	mkdir(passdb_path(tmp), 0755);
+
+	slprintf(usr, sizeof(usr)-1, "%s/usr", tmp);
+	mkdir(passdb_path(usr), 0755);
+
+	slprintf(grp, sizeof(grp)-1, "%s/grp", tmp);
+	mkdir(passdb_path(grp), 0755);
+
+	slprintf(als, sizeof(als)-1, "%s/als", tmp);
+	mkdir(passdb_path(als), 0755);
 
-	/* create if not-exist with root-readwrite, all others read */
-	if (tdb_close(tdb_open(passdb_path(usr),0,0,O_RDWR|O_CREAT,0644)) ||
-	    tdb_close(tdb_open(passdb_path(usg),0,0,O_RDWR|O_CREAT,0644)) ||
-	    tdb_close(tdb_open(passdb_path(usa),0,0,O_RDWR|O_CREAT,0644)) ||
-	    tdb_close(tdb_open(passdb_path(grp),0,0,O_RDWR|O_CREAT,0644)) ||
-	    tdb_close(tdb_open(passdb_path(als),0,0,O_RDWR|O_CREAT,0644)))
-	{
-		return NT_STATUS_ACCESS_DENIED;
-	}
 	return NT_STATUS_NOPROBLEMO;
 }
 
diff --git a/source/samrd/srv_samr_usr_tdb.c b/source/samrd/srv_samr_usr_tdb.c
index 6ed9cf60c9c..4db5fe77dd2 100644
--- a/source/samrd/srv_samr_usr_tdb.c
+++ b/source/samrd/srv_samr_usr_tdb.c
@@ -29,6 +29,7 @@
 
 extern int DEBUGLEVEL;
 
+#if 0
 static BOOL tdb_lookup_user_als(TDB_CONTEXT *tdb,
 				const DOM_SID *sid,
 				uint32 *num_rids,
@@ -89,15 +90,15 @@ static BOOL tdb_lookup_user_grps(TDB_CONTEXT *tdb,
 	return True;
 }
 
-static BOOL tdb_lookup_user(TDB_CONTEXT *tdb,
-				uint32 rid,
-				SAM_USER_INFO_21 *usr)
+#endif
+BOOL tdb_lookup_user(TDB_CONTEXT *tdb, SAM_USER_INFO_21 *usr)
 {
 	prs_struct key;
 	prs_struct data;
+	uint8 k = 0;
 
 	prs_init(&key, 0, 4, False);
-	if (!_prs_uint32("rid", &key, 0, &rid))
+	if (!_prs_uint8("usr", &key, 0, &k))
 	{
 		return False;
 	}
@@ -117,6 +118,7 @@ static BOOL tdb_lookup_user(TDB_CONTEXT *tdb,
 	return True;
 }
 
+#if 0
 static BOOL tdb_store_user_grps(TDB_CONTEXT *tdb,
 				uint32 rid, uint32 num_gids,
 				DOM_GID *gids)
@@ -177,17 +179,18 @@ static BOOL tdb_store_user_als(TDB_CONTEXT *tdb,
 	return True;
 }
 
-static BOOL tdb_store_user(TDB_CONTEXT *tdb, uint32 rid, SAM_USER_INFO_21 *usr)
+#endif
+
+static BOOL tdb_store_user(TDB_CONTEXT *tdb, SAM_USER_INFO_21 *usr)
 {
 	prs_struct key;
 	prs_struct data;
-
-	DEBUG(10,("storing user %x\n", rid));
+	uint8 k = 0;
 
 	prs_init(&key, 0, 4, False);
 	prs_init(&data, 0, 4, False);
 
-	if (!_prs_uint32("rid", &key, 0, &rid) ||
+	if (!_prs_uint8("usr", &key, 0, &k) ||
 	    !sam_io_user_info21("usr", usr, &data, 0) ||
 	     prs_tdb_store(tdb, TDB_REPLACE, &key, &data) != 0)
 	{
@@ -201,8 +204,7 @@ static BOOL tdb_store_user(TDB_CONTEXT *tdb, uint32 rid, SAM_USER_INFO_21 *usr)
 	return True;
 }
 
-static BOOL tdb_set_userinfo_10(TDB_CONTEXT *tdb, uint32 rid,
-				uint16 acb_info)
+static BOOL tdb_set_userinfo_10(TDB_CONTEXT *tdb, uint16 acb_info)
 {
 	SAM_USER_INFO_21 usr;
 
@@ -211,7 +213,7 @@ static BOOL tdb_set_userinfo_10(TDB_CONTEXT *tdb, uint32 rid,
 		return False;
 	}
 
-	if (!tdb_lookup_user(tdb, rid, &usr))
+	if (!tdb_lookup_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -219,7 +221,7 @@ static BOOL tdb_set_userinfo_10(TDB_CONTEXT *tdb, uint32 rid,
 
 	usr.acb_info = acb_info;
 
-	if (!tdb_store_user(tdb, rid, &usr))
+	if (!tdb_store_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -229,7 +231,7 @@ static BOOL tdb_set_userinfo_10(TDB_CONTEXT *tdb, uint32 rid,
 	return True;
 }
 
-static BOOL tdb_set_userinfo_pwds(TDB_CONTEXT *tdb, uint32 rid,
+static BOOL tdb_set_userinfo_pwds(TDB_CONTEXT *tdb, 
 				const uchar lm_pwd[16], const uchar nt_pwd[16])
 {
 	SAM_USER_INFO_21 usr;
@@ -240,7 +242,7 @@ static BOOL tdb_set_userinfo_pwds(TDB_CONTEXT *tdb, uint32 rid,
 		return False;
 	}
 
-	if (!tdb_lookup_user(tdb, rid, &usr))
+	if (!tdb_lookup_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -249,7 +251,7 @@ static BOOL tdb_set_userinfo_pwds(TDB_CONTEXT *tdb, uint32 rid,
 	memcpy(usr.lm_pwd, lm_pwd, sizeof(usr.lm_pwd));
 	memcpy(usr.nt_pwd, nt_pwd, sizeof(usr.nt_pwd));
 
-	if (!tdb_store_user(tdb, rid, &usr))
+	if (!tdb_store_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -259,7 +261,7 @@ static BOOL tdb_set_userinfo_pwds(TDB_CONTEXT *tdb, uint32 rid,
 	return True;
 }
 
-static BOOL tdb_set_userinfo_23(TDB_CONTEXT *tdb, uint32 rid,
+static BOOL tdb_set_userinfo_23(TDB_CONTEXT *tdb, 
 				const SAM_USER_INFO_23 *usr23,
 				const uchar lm_pwd[16], const uchar nt_pwd[16])
 {
@@ -270,7 +272,7 @@ static BOOL tdb_set_userinfo_23(TDB_CONTEXT *tdb, uint32 rid,
 		return False;
 	}
 
-	if (!tdb_lookup_user(tdb, rid, &usr))
+	if (!tdb_lookup_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -311,7 +313,7 @@ static BOOL tdb_set_userinfo_23(TDB_CONTEXT *tdb, uint32 rid,
 		return False;
 	}
 
-	if (!tdb_store_user(tdb, rid, &usr))
+	if (!tdb_store_user(tdb, &usr))
 	{
 		tdb_writeunlock(tdb);
 		return False;
@@ -353,9 +355,10 @@ uint32 _samr_query_usergroups(const POLICY_HND *pol,
 				uint32 *num_groups,
 				DOM_GID **gids)
 {
+#if 0
 	uint32 rid;
+#endif
 	TDB_CONTEXT *usr_tdb = NULL;
-	TDB_CONTEXT *usg_tdb = NULL;
 
 	(*gids) = NULL;
 	(*num_groups) = 0;
@@ -363,16 +366,17 @@ uint32 _samr_query_usergroups(const POLICY_HND *pol,
 	DEBUG(5,("samr_query_usergroups: %d\n", __LINE__));
 
 	/* find the policy handle.  open a policy on it. */
-	if (!get_tdbrid(get_global_hnd_cache(), pol, &usr_tdb, 
-	                                       &usg_tdb, NULL, &rid))
+	if (!get_tdbsam(get_global_hnd_cache(), pol, &usr_tdb))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
+#if 0
 	if (!tdb_lookup_user_grps(usg_tdb, rid, num_groups, gids))
 	{
 		return NT_STATUS_NO_SUCH_USER;
 	}
+#endif
 
 	return NT_STATUS_NOPROBLEMO;
 }
@@ -383,8 +387,10 @@ uint32 _samr_query_useraliases(const POLICY_HND *domain_pol,
 				const uint32 *ptr_sid, const DOM_SID2 *sid,
 				uint32 *num_aliases, uint32 **rid)
 {
+#if 0
 	TDB_CONTEXT *tdb = NULL;
 	DOM_SID dom_sid;
+#endif
 
 	DEBUG(5,("samr_query_useraliases: %d\n", __LINE__));
 
@@ -396,14 +402,14 @@ uint32 _samr_query_useraliases(const POLICY_HND *domain_pol,
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
+#if 0
 	/* find the policy handle.  open a policy on it. */
-	if (!get_tdbdomsid(get_global_hnd_cache(), domain_pol,
+	if (!get_tdbsam(get_global_hnd_cache(), domain_pol,
 	                     NULL, NULL, &tdb, NULL, NULL, &dom_sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-#if 0
 	if (!tdb_lookup_user_als(tdb, &sid->sid, num_aliases, rid))
 	{
 		return NT_STATUS_NO_SUCH_USER;
@@ -419,26 +425,16 @@ uint32 _samr_open_user(const POLICY_HND *domain_pol,
 					uint32 access_mask, uint32 user_rid, 
 					POLICY_HND *user_pol)
 {
-	TDB_CONTEXT *tdb_usr = NULL;
-	TDB_CONTEXT *tdb_usg = NULL;
-	TDB_CONTEXT *tdb_usa = NULL;
 	DOM_SID dom_sid;
-	SAM_USER_INFO_21 usr;
 
 	if (!get_tdbdomsid(get_global_hnd_cache(), domain_pol,
-					&tdb_usr, &tdb_usg, &tdb_usa, 
+					NULL, NULL, NULL,
 					NULL, NULL, &dom_sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	if (!tdb_lookup_user(tdb_usr, user_rid, &usr))
-	{
-		return NT_STATUS_NO_SUCH_USER;
-	}
-
-	return samr_open_by_tdbrid(domain_pol,
-	                           tdb_usr, tdb_usg, tdb_usa, 
+	return samr_open_user_tdb(domain_pol, &dom_sid, NULL,
 	                           user_pol, access_mask, user_rid);
 }
 
@@ -449,21 +445,19 @@ uint32 _samr_query_userinfo(const POLICY_HND *pol, uint16 switch_value,
 				SAM_USERINFO_CTR *ctr)
 {
 	TDB_CONTEXT *tdb_usr = NULL;
-	uint32 rid = 0x0;
 	SAM_USER_INFO_21 usr;
 
 	/* find the policy handle.  open a policy on it. */
-	if (!get_tdbrid(get_global_hnd_cache(), pol, &tdb_usr, 
-	                                             NULL, NULL, &rid))
+	if (!get_tdbsam(get_global_hnd_cache(), pol, &tdb_usr))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
-	if (!tdb_lookup_user(tdb_usr, rid, &usr))
+	if (!tdb_lookup_user(tdb_usr, &usr))
 	{
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
-	DEBUG(5,("samr_reply_query_userinfo: rid:0x%x\n", rid));
+	DEBUG(5,("samr_reply_query_userinfo\n"));
 
 	return make_samr_userinfo_ctr_usr21(ctr, switch_value, &usr);
 }
@@ -471,7 +465,7 @@ uint32 _samr_query_userinfo(const POLICY_HND *pol, uint16 switch_value,
 /*******************************************************************
  set_user_info_24
  ********************************************************************/
-static BOOL set_user_info_24(TDB_CONTEXT *usr_tdb, uint32 rid,
+static BOOL set_user_info_24(TDB_CONTEXT *usr_tdb, 
 				const SAM_USER_INFO_24 *id24)
 {
 	static uchar nt_hash[16];
@@ -489,22 +483,22 @@ static BOOL set_user_info_24(TDB_CONTEXT *usr_tdb, uint32 rid,
 
 	nt_lm_owf_genW(&new_pw, nt_hash, lm_hash);
 
-	return tdb_set_userinfo_pwds(usr_tdb, rid, lm_hash, nt_hash);
+	return tdb_set_userinfo_pwds(usr_tdb, lm_hash, nt_hash);
 }
 
 /*******************************************************************
  set_user_info_12
  ********************************************************************/
-static BOOL set_user_info_12(TDB_CONTEXT *usr_tdb, uint32 rid,
+static BOOL set_user_info_12(TDB_CONTEXT *usr_tdb, 
 				const SAM_USER_INFO_12 *id12)
 {
-	return tdb_set_userinfo_pwds(usr_tdb, rid, id12->lm_pwd, id12->nt_pwd);
+	return tdb_set_userinfo_pwds(usr_tdb, id12->lm_pwd, id12->nt_pwd);
 }
 
 /*******************************************************************
  set_user_info_23
  ********************************************************************/
-static BOOL set_user_info_23(TDB_CONTEXT *usr_tdb, uint32 rid,
+static BOOL set_user_info_23(TDB_CONTEXT *usr_tdb, 
 				const SAM_USER_INFO_23 *id23)
 {
 	static uchar nt_hash[16];
@@ -528,7 +522,7 @@ static BOOL set_user_info_23(TDB_CONTEXT *usr_tdb, uint32 rid,
 
 	nt_lm_owf_genW(&new_pw, nt_hash, lm_hash);
 
-	return tdb_set_userinfo_23(usr_tdb, rid, id23, lm_hash, nt_hash);
+	return tdb_set_userinfo_23(usr_tdb, id23, lm_hash, nt_hash);
 }
 
 /*******************************************************************
@@ -539,19 +533,15 @@ uint32 _samr_set_userinfo(const POLICY_HND *pol, uint16 switch_value,
 {
 	TDB_CONTEXT *tdb_usr = NULL;
 	uchar user_sess_key[16];
-	uint32 rid = 0x0;
 
 	DEBUG(5,("samr_reply_set_userinfo: %d\n", __LINE__));
 
 	/* find the domain rid associated with the policy handle */
-	if (!get_tdbrid(get_global_hnd_cache(), pol, &tdb_usr, 
-	                                       NULL, NULL, &rid))
+	if (!get_tdbsam(get_global_hnd_cache(), pol, &tdb_usr))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	DEBUG(5,("samr_reply_set_userinfo: rid:0x%x\n", rid));
-
 	if (!pol_get_usr_sesskey(get_global_hnd_cache(), pol, user_sess_key))
 	{
 		return NT_STATUS_INVALID_HANDLE;
@@ -569,7 +559,7 @@ uint32 _samr_set_userinfo(const POLICY_HND *pol, uint16 switch_value,
 		case 0x12:
 		{
 			SAM_USER_INFO_12 *id12 = ctr->info.id12;
-			if (!set_user_info_12(tdb_usr, rid, id12))
+			if (!set_user_info_12(tdb_usr, id12))
 			{
 				DEBUG(10,("_samr_set_userinfo 0x12 failed\n"));
 				return NT_STATUS_ACCESS_DENIED;
@@ -581,7 +571,7 @@ uint32 _samr_set_userinfo(const POLICY_HND *pol, uint16 switch_value,
 		{
 			SAM_USER_INFO_24 *id24 = ctr->info.id24;
 			SamOEMhash(id24->pass, user_sess_key, True);
-			if (!set_user_info_24(tdb_usr, rid, id24))
+			if (!set_user_info_24(tdb_usr, id24))
 			{
 				DEBUG(10,("_samr_set_userinfo 0x18 failed\n"));
 				return NT_STATUS_ACCESS_DENIED;
@@ -597,7 +587,7 @@ uint32 _samr_set_userinfo(const POLICY_HND *pol, uint16 switch_value,
 			              id23->pass, sizeof(id23->pass));
 			dbgflush();
 
-			if (!set_user_info_23(tdb_usr, rid, id23))
+			if (!set_user_info_23(tdb_usr, id23))
 			{
 				return NT_STATUS_ACCESS_DENIED;
 			}
@@ -616,10 +606,10 @@ uint32 _samr_set_userinfo(const POLICY_HND *pol, uint16 switch_value,
 /*******************************************************************
  set_user_info_10
  ********************************************************************/
-static BOOL set_user_info_10(TDB_CONTEXT *usr_tdb, uint32 rid,
+static BOOL set_user_info_10(TDB_CONTEXT *usr_tdb, 
 				const SAM_USER_INFO_10 *id16)
 {
-	return tdb_set_userinfo_10(usr_tdb, rid, id16->acb_info);
+	return tdb_set_userinfo_10(usr_tdb, id16->acb_info);
 }
 
 /*******************************************************************
@@ -629,16 +619,14 @@ uint32 _samr_set_userinfo2(const POLICY_HND *pol, uint16 switch_value,
 				SAM_USERINFO_CTR *ctr)
 {
 	TDB_CONTEXT *tdb_usr = NULL;
-	uint32 rid = 0x0;
 
 	/* find the domain sid associated with the policy handle */
-	if (!get_tdbrid(get_global_hnd_cache(), pol, &tdb_usr, 
-	                                       NULL, NULL, &rid))
+	if (!get_tdbsam(get_global_hnd_cache(), pol, &tdb_usr))
 	{
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	DEBUG(5,("samr_reply_set_userinfo2: rid:0x%x\n", rid));
+	DEBUG(5,("samr_reply_set_userinfo2\n"));
 
 	if (ctr == NULL)
 	{
@@ -654,7 +642,7 @@ uint32 _samr_set_userinfo2(const POLICY_HND *pol, uint16 switch_value,
 		case 16:
 		{
 			SAM_USER_INFO_10 *id10 = ctr->info.id10;
-			if (!set_user_info_10(tdb_usr, rid, id10))
+			if (!set_user_info_10(tdb_usr, id10))
 			{
 				return NT_STATUS_ACCESS_DENIED;
 			}
@@ -736,8 +724,6 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 	DOM_SID sid;
 	DOM_SID grp_sid;
 	TDB_CONTEXT *tdb_usr = NULL;
-	TDB_CONTEXT *tdb_usg = NULL;
-	TDB_CONTEXT *tdb_usa = NULL;
 
 	SAM_USER_INFO_21 usr;
 	uint32 status1;
@@ -749,11 +735,13 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 	struct passwd *pass = NULL;
 	uint32 group_rid;
 
+#if 0
 	uint32 num_gids = 0;
 	DOM_GID *gids = NULL;
 
 	uint32 num_alss = 0;
 	uint32 *als_rids = NULL;
+#endif
 
 	(*unknown_0) = 0x30;
 	(*user_rid) = 0x0;
@@ -766,7 +754,7 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 
 	/* find the domain sid associated with the policy handle */
 	if (!get_tdbdomsid(get_global_hnd_cache(), domain_pol,
-					&tdb_usr, &tdb_usg, &tdb_usa,
+					NULL, NULL, NULL,
 					NULL, NULL, &dom_sid))
 	{
 		return NT_STATUS_INVALID_HANDLE;
@@ -797,9 +785,11 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 	}
 
 	{
+#if 0
 		int i;
 		int n_groups = 0;
 		gid_t *groups = NULL;
+#endif
 		fstring user_name;
 		unistr2_to_ascii(user_name, uni_username, sizeof(user_name)-1);
 		pass = Get_Pwnam(user_name, False);
@@ -810,6 +800,7 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 			          user_name));
 			return NT_STATUS_ACCESS_DENIED;
 		}
+#if 0
 		get_unixgroups(user_name,pass->pw_uid,pass->pw_gid,
 				&n_groups,
 		       		&groups);
@@ -852,6 +843,7 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 				}
 			}
 		}
+#endif
 	}
 
 	/* create a User SID for the unix user */
@@ -895,13 +887,18 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 	create_user_info_21(&usr, uni_username, acb_info,
 	                    (*user_rid), group_rid);
 
-	if (!tdb_store_user(tdb_usr, usr.user_rid, &usr))
+	tdb_usr = open_usr_db(&dom_sid, (*user_rid), O_RDWR | O_CREAT);
+
+	if (tdb_usr == NULL)
 	{
-		/* account doesn't exist: say so */
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-
+	if (!tdb_store_user(tdb_usr, &usr))
+	{
+		return NT_STATUS_ACCESS_DENIED;
+	}
+#if 0
 	if (!tdb_store_user_grps(tdb_usg, usr.user_rid, num_gids, gids))
 	{
 		/* account doesn't exist: say so */
@@ -913,11 +910,11 @@ uint32 _samr_create_user(const POLICY_HND *domain_pol,
 		/* account doesn't exist: say so */
 		return NT_STATUS_ACCESS_DENIED;
 	}
+#endif
 
 	*unknown_0 = 0x000703ff;
 
-	return samr_open_by_tdbrid(domain_pol, tdb_usr, tdb_usg,
-	                           tdb_usa, 
+	return samr_open_user_tdb(domain_pol, &dom_sid, tdb_usr,
 	                           user_pol, access_mask, *user_rid);
 }