8 files changed, 36 insertions, 14 deletions

diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h
index a2bc72d2b2e..c0425271b32 100644
--- a/source/include/rpc_lsa.h
+++ b/source/include/rpc_lsa.h
@@ -207,7 +207,7 @@ typedef struct lsa_r_open_pol2_info
                             POLICY_VIEW_AUDIT_INFORMATION    |\
                             POLICY_GET_PRIVATE_INFORMATION)
 
-#define POLICY_WRITE      ( STANDARD_RIGHTS_WRITE_ACCESS     |\
+#define POLICY_WRITE      ( STD_RIGHT_READ_CONTROL_ACCESS     |\
                             POLICY_TRUST_ADMIN               |\
                             POLICY_CREATE_ACCOUNT            |\
                             POLICY_CREATE_SECRET             |\
diff --git a/source/include/rpc_secdes.h b/source/include/rpc_secdes.h
index 1279007220c..3e4c47dce9a 100644
--- a/source/include/rpc_secdes.h
+++ b/source/include/rpc_secdes.h
@@ -251,7 +251,10 @@ typedef struct standard_mapping {
 #define STANDARD_RIGHTS_ALL_ACCESS	STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
 #define STANDARD_RIGHTS_EXECUTE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
 #define STANDARD_RIGHTS_READ_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
-#define STANDARD_RIGHTS_WRITE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
+#define STANDARD_RIGHTS_WRITE_ACCESS \
+		(STD_RIGHT_WRITE_OWNER_ACCESS	| \
+		 STD_RIGHT_WRITE_DAC_ACCESS	| \
+		 STD_RIGHT_DELETE_ACCESS)	/* 0x000d0000 */
 #define STANDARD_RIGHTS_REQUIRED_ACCESS \
 		(STD_RIGHT_DELETE_ACCESS	| \
 		STD_RIGHT_READ_CONTROL_ACCESS	| \
diff --git a/source/include/smb.h b/source/include/smb.h
index 913061014db..c8946953785 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -1069,7 +1069,7 @@ struct bitmap {
 #define FILE_GENERIC_READ (STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|\
 							FILE_READ_EA|SYNCHRONIZE_ACCESS)
 
-#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
+#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
 							FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE_ACCESS)
 
 #define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 8531b2fdd13..97d9389aa6c 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -1184,7 +1184,7 @@ static struct parm_struct parm_table[] = {
 	{"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind cache time", P_INTEGER, P_GLOBAL, &Globals.winbind_cache_time, NULL, NULL, FLAG_ADVANCED}, 
-	{"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED}, 
+	{"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED|FLAG_DEPRECATED}, 
 	{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED}, 
 	{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED}, 
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index c7cd59a4c5f..6777149a8a5 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -794,6 +794,12 @@ BOOL local_lookup_sid(const DOM_SID *sid, char *name, enum SID_NAME_USE *psid_na
 		return True;
 	}
 
+	if (rid == DOMAIN_USER_RID_ADMIN) {
+		*psid_name_use = SID_NAME_USER;
+		fstrcpy(name, "Administrator");
+		return True;
+	}
+
 	if (algorithmic_pdb_rid_is_user(rid)) {
 		uid_t uid;
 		struct passwd *pw = NULL;
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 13053d9877b..da00d2d6c43 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1134,16 +1134,21 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
+	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	/* check to see if the pipe_user is a Domain Admin since 
+	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
-	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid() 
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	set = &q_u->set;
 
@@ -1170,16 +1175,21 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
+	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	/* check to see if the pipe_user is a Domain Admin since 
+	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
-	   
-	if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+	get_current_user( &user, p );
+	if ( user.uid != sec_initial_uid()
+		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
+	{
 		return NT_STATUS_ACCESS_DENIED;
+	}
 
 	set = &q_u->set;
 
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index 3742e213832..7a1c7b79e38 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -270,8 +270,8 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
 		saved_mask = (des_access & rights_mask);
 		des_access &= ~saved_mask;
 		
-		DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n",
-			saved_mask));
+		DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+			rights_mask));
 	}
 		
 	
@@ -296,9 +296,9 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token,
 	
 done:
 	/* add in any bits saved during the privilege check (only 
-	   matters is syayus is ok) */
+	   matters is status is ok) */
 	
-	*acc_granted |= saved_mask;
+	*acc_granted |= rights_mask;
 
 	DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", 
 		debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", 
diff --git a/source/utils/testprns.c b/source/utils/testprns.c
index 1525ab11d0f..5af40b06d19 100644
--- a/source/utils/testprns.c
+++ b/source/utils/testprns.c
@@ -41,6 +41,9 @@ int main(int argc, char *argv[])
 {
    setup_logging(argv[0],True);
 
+   printf("NOTICE: This program is now deprecated and will be removed \n");
+   printf("in a future Samba release.\n\n");
+
    if (argc != 2)
       printf("Usage: testprns printername\n");
    else