Changes from APPLIANCE_HEAD:

source/rpc_server/srv_spoolss_nt.c
        - Changed the se_access_check() call in _spoolss_open_printer_ex()
          to a print_access_check().  This allows the 'printer admins'
          smb.conf and other permission override parameters to affect the
          result of a printer open.
        - Don't perform access check when opening a handle on a print
          server as it breaks browsing the Printers folder.

source/rpc_server/srv_spoolss_nt.c

@@ -669,10 +669,8 @@ uint32 _spoolss_open_printer_ex( const UNISTR2 *printername,
 				 POLICY_HND *handle)
 {
 	uint32 result = NT_STATUS_NO_PROBLEMO;
-	SEC_DESC_BUF *sec_desc = NULL;
-	uint32 acc_granted, status;
 	fstring name;
-	extern struct current_user current_user;
+	int snum;
 	
 	if (printername == NULL) {
 		result = ERROR_INVALID_PRINTER_NAME;
@@ -729,29 +727,22 @@ uint32 _spoolss_open_printer_ex( const UNISTR2 *printername,
 	}
 
 	/* NT doesn't let us connect to a printer if the connecting user
-	   doesn't have print permission.  If no security descriptor just
-	   return OK. */
+	   doesn't have print permission.  */
 
-	if (!nt_printing_getsec(name, &sec_desc)) {
-		goto done;
-	}
-	
-	/* Yuck - we should use the pipe_user rather than current_user but
-	   it doesn't seem to be filled in correctly. )-: */
+	if (!handle_is_printserver(handle)) {
 
-	map_printer_permissions(sec_desc->sec);
+		if (!get_printer_snum(handle, &snum))
+			return ERROR_INVALID_HANDLE;
 
-	if (!se_access_check(sec_desc->sec, &current_user, PRINTER_ACCESS_USE,
-			     &acc_granted, &status)) {
-		DEBUG(3, ("access DENIED for printer open\n"));
-		close_printer_handle(handle);
-		result = ERROR_ACCESS_DENIED;
-		goto done;
+		if (!print_access_check(NULL, snum, PRINTER_ACCESS_USE)) {
+			DEBUG(3, ("access DENIED for printer open\n"));
+			close_printer_handle(handle);
+			result = ERROR_ACCESS_DENIED;
+			goto done;
+		}
 	}
 
  done:
-	free_sec_desc_buf(&sec_desc);
-
 	return result;
 }