r10810: This adds the hooks required to communicate the current user from the

authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett

source/auth/auth_sam.c

@@ -521,7 +521,7 @@ NTSTATUS sam_get_server_info(TALLOC_CTX *mem_ctx, const char *account_name, cons
 	struct ldb_message **domain_msgs;
 	void *sam_ctx;
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -558,7 +558,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}

source/auth/auth_util.c

@@ -427,6 +427,73 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, struct auth_serversuppl
 	return NT_STATUS_OK;
 }
 
+NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info) 
+{
+	struct auth_serversupplied_info *server_info;
+	server_info = talloc(mem_ctx, struct auth_serversupplied_info);
+	NT_STATUS_HAVE_NO_MEMORY(server_info);
+
+	server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
+	NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+
+	/* is this correct? */
+	server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
+	NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+
+	server_info->n_domain_groups = 0;
+	server_info->domain_groups = NULL;
+
+	/* annoying, but the Anonymous really does have a session key, 
+	   and it is all zeros! */
+	server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
+	NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+
+	server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
+	NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+
+	data_blob_clear(&server_info->user_session_key);
+	data_blob_clear(&server_info->lm_session_key);
+
+	server_info->account_name = talloc_strdup(server_info, "sYSTEM");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+
+	server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+
+	server_info->full_name = talloc_strdup(server_info, "System");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+
+	server_info->logon_script = talloc_strdup(server_info, "");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+
+	server_info->profile_path = talloc_strdup(server_info, "");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+
+	server_info->home_directory = talloc_strdup(server_info, "");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+
+	server_info->home_drive = talloc_strdup(server_info, "");
+	NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+
+	server_info->last_logon = 0;
+	server_info->last_logoff = 0;
+	server_info->acct_expiry = 0;
+	server_info->last_password_change = 0;
+	server_info->allow_password_change = 0;
+	server_info->force_password_change = 0;
+
+	server_info->logon_count = 0;
+	server_info->bad_password_count = 0;
+
+	server_info->acct_flags = ACB_NORMAL;
+
+	server_info->authenticated = False;
+
+	*_server_info = server_info;
+
+	return NT_STATUS_OK;
+}
+
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, 
 				    struct auth_serversupplied_info *server_info, 
 				    struct auth_session_info **_session_info) 
@@ -482,6 +549,54 @@ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 	return NT_STATUS_OK;
 }
 
+struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx) 
+{
+	NTSTATUS nt_status;
+	struct auth_session_info *session_info = NULL;
+	nt_status = auth_anonymous_session_info(mem_ctx, &session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return NULL;
+	}
+	return session_info;
+}
+
+NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
+				  struct auth_session_info **_session_info) 
+{
+	NTSTATUS nt_status;
+	struct auth_serversupplied_info *server_info = NULL;
+	struct auth_session_info *session_info = NULL;
+	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
+	
+	nt_status = auth_system_server_info(mem_ctx,
+					    &server_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(mem_ctx);
+		return nt_status;
+	}
+
+	/* references the server_info into the session_info */
+	nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
+	talloc_free(mem_ctx);
+
+	NT_STATUS_NOT_OK_RETURN(nt_status);
+
+	*_session_info = session_info;
+
+	return NT_STATUS_OK;
+}
+
+struct auth_session_info *system_session(TALLOC_CTX *mem_ctx) 
+{
+	NTSTATUS nt_status;
+	struct auth_session_info *session_info = NULL;
+	nt_status = auth_system_session_info(mem_ctx, &session_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return NULL;
+	}
+	return session_info;
+}
+
 /****************************************************************************
  prints a struct auth_session_info security token to debug output.
 ****************************************************************************/

source/cldap_server/netlogon.c

@@ -56,7 +56,7 @@ static NTSTATUS cldapd_netlogon_fill(struct cldapd_server *cldapd,
 	const char *pdc_ip;
 
 	if (cldapd->samctx == NULL) {
-		cldapd->samctx = samdb_connect(cldapd);
+		cldapd->samctx = samdb_connect(cldapd, anonymous_session(cldapd));
 		if (cldapd->samctx == NULL) {
 			DEBUG(2,("Unable to open sam in cldap netlogon reply\n"));
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;

source/dsdb/samdb/samdb.c

@@ -32,9 +32,14 @@
   connect to the SAM database
   return an opaque context pointer on success, or NULL on failure
  */
-struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
+struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct auth_session_info *session_info)
 {
-	return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+	struct ldb_context *ldb;
+	ldb = ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+	if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+		return NULL;
+	}
+	return ldb;
 }
 
 /*

source/dsdb/samdb/samdb_privilege.c

@@ -75,11 +75,23 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
 NTSTATUS samdb_privilege_setup(struct security_token *token)
 {
 	void *samctx;
-	TALLOC_CTX *mem_ctx = talloc_new(token);
+	TALLOC_CTX *mem_ctx;
 	int i;
 	NTSTATUS status;
 
-	samctx = samdb_connect(mem_ctx);
+	/* Shortcuts to prevent recursion and avoid lookups */
+	if (is_system_token(token)) {
+		token->privilege_mask = ~0;
+		return NT_STATUS_OK;
+	}
+
+	if (is_anonymous_token(token)) {
+		token->privilege_mask = 0;
+		return NT_STATUS_OK;
+	}
+
+	mem_ctx = talloc_new(token);
+	samctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (samctx == NULL) {
 		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;

source/kdc/hdb-ldb.c

@@ -1040,7 +1040,7 @@ krb5_error_code hdb_ldb_create(TALLOC_CTX *mem_ctx,
 	(*db)->hdb_db = NULL;
 
 	/* Setup the link to LDB */
-	(*db)->hdb_db = samdb_connect(db);
+	(*db)->hdb_db = samdb_connect(db, system_session(db));
 	if ((*db)->hdb_db == NULL) {
 		krb5_warnx(context, "hdb_ldb_create: samdb_connect failed!");
 		krb5_set_error_string(context, "samdb_connect failed!");

source/ldap_server/config.mk

@@ -8,8 +8,7 @@ INIT_OBJ_FILES = \
 		ldap_server/ldap_backend.o \
 		ldap_server/ldap_bind.o \
 		ldap_server/ldap_rootdse.o \
-		ldap_server/ldap_simple_ldb.o \
-		ldap_server/ldap_hacked_ldb.o
+		ldap_server/ldap_simple_ldb.o 
 REQUIRED_SUBSYSTEMS = \
 		LIBCLI_LDAP SAMDB
 # End SUBSYSTEM SMB

source/ldap_server/ldap_backend.c

@@ -53,10 +53,10 @@ struct ldapsrv_partition *ldapsrv_get_partition(struct ldapsrv_connection *conn,
 {
 	if (scope == LDAP_SEARCH_SCOPE_BASE
 	    && strcasecmp("", dn) == 0) {
-		return conn->service->rootDSE;
+		return conn->rootDSE;
 	}
 
-	return conn->service->default_partition;
+	return conn->default_partition;
 }
 
 NTSTATUS ldapsrv_unwilling(struct ldapsrv_call *call, int error)
@@ -257,15 +257,3 @@ NTSTATUS ldapsrv_do_call(struct ldapsrv_call *call)
 }
 
 
-/*
-  connect to the sam database
-*/
-struct ldb_context *ldapsrv_sam_connect(struct ldapsrv_call *call)
-{
-	const char *url;
-	url = lp_parm_string(-1, "ldapsrv", "samdb");
-	if (url) {
-		return ldb_wrap_connect(call, url, 0, NULL);
-	}
-	return samdb_connect(call);
-}

source/ldap_server/ldap_bind.c

@@ -32,6 +32,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 
 	DEBUG(10, ("BindSimple dn: %s\n",req->dn));
 
+	/* When we add authentication here, we also need to handle telling the backends */
+
 	reply = ldapsrv_init_reply(call, LDAP_TAG_BindResponse);
 	if (!reply) {
 		return NT_STATUS_NO_MEMORY;
@@ -102,14 +104,33 @@ reply:
 		result = LDAP_SASL_BIND_IN_PROGRESS;
 		errstr = NULL;
 	} else if (NT_STATUS_IS_OK(status)) {
+		struct ldapsrv_partition *part;
+
 		result = LDAP_SUCCESS;
 		errstr = NULL;
 		if (gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SEAL) ||
 		    gensec_have_feature(call->conn->gensec, GENSEC_FEATURE_SIGN)) {
 			call->conn->enable_wrap = True;
 		}
+		status = gensec_session_info(call->conn->gensec, &call->conn->session_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			result = LDAP_OPERATIONS_ERROR;
+			errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to get session info: %s", req->creds.SASL.mechanism, nt_errstr(status));
+		} else {
+			for (part = call->conn->partitions; part; part = part->next) {
+				if (!part->ops->Bind) {
+					continue;
+				}
+				status = part->ops->Bind(part, conn);
+				if (!NT_STATUS_IS_OK(status)) {
+					result = LDAP_OPERATIONS_ERROR;
+					errstr = talloc_asprintf(reply, "SASL:[%s]: Failed to advise partition %s of new credentials: %s", req->creds.SASL.mechanism, part->base_dn, nt_errstr(status));
+				}
+			}
+		}
 	} else {
-		result = 49;
+		status = auth_nt_status_squash(status);
+		result = LDAP_INVALID_CREDENTIALS;
 		errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
 	}
 

source/ldap_server/ldap_rootdse.c

@@ -52,25 +52,28 @@ static void rootdse_db_debug(void *context, enum ldb_debug_level level, const ch
 /*
   connect to the SAM database
  */
-static struct ldb_context *rootdse_db_connect(TALLOC_CTX *mem_ctx)
+NTSTATUS rootdse_Init(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn)
 {
 	char *db_path;
 	struct ldb_context *ldb;
+	TALLOC_CTX *mem_ctx = talloc_new(partition);
 
 	db_path = talloc_asprintf(mem_ctx, "tdb://%s", 
 				  private_path(mem_ctx, "rootdse.ldb"));
 	if (db_path == NULL) {
-		return NULL;
+		return NT_STATUS_NO_MEMORY;
 	}
 
 	ldb = ldb_wrap_connect(mem_ctx, db_path, 0, NULL);
 	if (ldb == NULL) {
-		return NULL;
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
 	ldb_set_debug(ldb, rootdse_db_debug, NULL);
 
-	return ldb;
+	talloc_steal(partition, ldb);
+	partition->private = ldb;
+	return NT_STATUS_OK;
 }
 
 
@@ -258,7 +261,7 @@ static NTSTATUS fill_dynamic_values(void *mem_ctx, struct ldb_message_element *a
 }
 
 static NTSTATUS rootdse_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
-				     struct ldap_SearchRequest *r)
+			       struct ldap_SearchRequest *r)
 {
 	NTSTATUS status;
 	void *local_ctx;
@@ -279,8 +282,7 @@ static NTSTATUS rootdse_Search(struct ldapsrv_partition *partition, struct ldaps
 	local_ctx = talloc_named(call, 0, "rootdse_Search local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	ldb = rootdse_db_connect(local_ctx);
-	NT_STATUS_HAVE_NO_MEMORY(ldb);
+	ldb = partition->private;
 
 	if (r->num_attributes >= 1) {
 		attrs = talloc_array(ldb, const char *, r->num_attributes+1);
@@ -359,6 +361,7 @@ queue_reply:
 }
 
 static const struct ldapsrv_partition_ops rootdse_ops = {
+	.Init           = rootdse_Init,
 	.Search		= rootdse_Search
 };
 

source/ldap_server/ldap_server.c

@@ -356,6 +356,8 @@ static void ldapsrv_send(struct stream_connection *c, uint16_t flags)
 */
 static void ldapsrv_accept(struct stream_connection *c)
 {
+	struct ldapsrv_partition *rootDSE_part;
+	struct ldapsrv_partition *part;
 	struct ldapsrv_service *ldapsrv_service = 
 		talloc_get_type(c->private, struct ldapsrv_service);
 	struct ldapsrv_connection *conn;
@@ -386,6 +388,42 @@ static void ldapsrv_accept(struct stream_connection *c)
 		return;
 	}
 
+	/* Connections start out anonymous */
+	if (!NT_STATUS_IS_OK(auth_anonymous_session_info(conn, &conn->session_info))) {
+		ldapsrv_terminate_connection(conn, "failed to setup anonymous session info");
+		return;
+	}
+
+	rootDSE_part = talloc(conn, struct ldapsrv_partition);
+	if (rootDSE_part == NULL) {
+		ldapsrv_terminate_connection(conn, "talloc failed");
+		return;
+	}
+
+	rootDSE_part->base_dn = ""; /* RootDSE */
+	rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
+	if (!NT_STATUS_IS_OK(rootDSE_part->ops->Init(rootDSE_part, conn))) {
+		ldapsrv_terminate_connection(conn, "rootDSE Init failed");
+	}
+
+	conn->rootDSE = rootDSE_part;
+	DLIST_ADD_END(conn->partitions, rootDSE_part, struct ldapsrv_partition *);
+
+	part = talloc(conn, struct ldapsrv_partition);
+	if (part == NULL) {
+		ldapsrv_terminate_connection(conn, "talloc failed");
+		return;
+	}
+
+	part->base_dn = "*"; /* default partition */
+	part->ops = ldapsrv_get_sldb_partition_ops();
+	if (!NT_STATUS_IS_OK(part->ops->Init(part, conn))) {
+		ldapsrv_terminate_connection(conn, "default partition Init failed");
+	}
+
+	conn->default_partition = part;
+	DLIST_ADD_END(conn->partitions, part, struct ldapsrv_partition *);
+
 	irpc_add_name(c->msg_ctx, "ldap_server");
 }
 
@@ -433,8 +471,6 @@ static NTSTATUS add_socket(struct event_context *event_context,
 static void ldapsrv_task_init(struct task_server *task)
 {	
 	struct ldapsrv_service *ldap_service;
-	struct ldapsrv_partition *rootDSE_part;
-	struct ldapsrv_partition *part;
 	NTSTATUS status;
 
 	ldap_service = talloc_zero(task, struct ldapsrv_service);
@@ -443,28 +479,6 @@ static void ldapsrv_task_init(struct task_server *task)
 	ldap_service->tls_params = tls_initialise(ldap_service);
 	if (ldap_service->tls_params == NULL) goto failed;
 
-	rootDSE_part = talloc(ldap_service, struct ldapsrv_partition);
-	if (rootDSE_part == NULL) goto failed;
-
-	rootDSE_part->base_dn = ""; /* RootDSE */
-	rootDSE_part->ops = ldapsrv_get_rootdse_partition_ops();
-
-	ldap_service->rootDSE = rootDSE_part;
-	DLIST_ADD_END(ldap_service->partitions, rootDSE_part, struct ldapsrv_partition *);
-
-	part = talloc(ldap_service, struct ldapsrv_partition);
-	if (part == NULL) goto failed;
-
-	part->base_dn = "*"; /* default partition */
-	if (lp_parm_bool(-1, "ldapsrv", "hacked", False)) {
-		part->ops = ldapsrv_get_hldb_partition_ops();
-	} else {
-		part->ops = ldapsrv_get_sldb_partition_ops();
-	}
-
-	ldap_service->default_partition = part;
-	DLIST_ADD_END(ldap_service->partitions, part, struct ldapsrv_partition *);
-
 	if (lp_interfaces() && lp_bind_interfaces_only()) {
 		int num_interfaces = iface_count();
 		int i;

source/ldap_server/ldap_server.h

@@ -27,6 +27,9 @@ struct ldapsrv_connection {
 	struct auth_session_info *session_info;
 	struct ldapsrv_service *service;
 	struct tls_context *tls;
+	struct ldapsrv_partition *rootDSE;
+	struct ldapsrv_partition *default_partition;
+	struct ldapsrv_partition *partitions;
 
 	/* partially received request */
 	DATA_BLOB partial;
@@ -58,6 +61,7 @@ struct ldapsrv_partition;
 struct ldapsrv_partition_ops {
 	const char *name;
 	NTSTATUS (*Init)(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn);
+	NTSTATUS (*Bind)(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn);
 	NTSTATUS (*Search)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_SearchRequest *r);
 	NTSTATUS (*Modify)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_ModifyRequest *r);
 	NTSTATUS (*Add)(struct ldapsrv_partition *partition, struct ldapsrv_call *call, struct ldap_AddRequest *r);
@@ -71,15 +75,12 @@ struct ldapsrv_partition_ops {
 struct ldapsrv_partition {
 	struct ldapsrv_partition *prev,*next;
 
-	void *private_data;
+	void *private;
 	const struct ldapsrv_partition_ops *ops;
 
 	const char *base_dn;
 };
 
 struct ldapsrv_service {
-	struct ldapsrv_partition *rootDSE;
-	struct ldapsrv_partition *default_partition;
-	struct ldapsrv_partition *partitions;
 	struct tls_params *tls_params;
 };

source/ldap_server/ldap_simple_ldb.c

@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "ldap_server/ldap_server.h"
 #include "lib/ldb/include/ldb.h"
+#include "auth/auth.h"
 #include "db_wrap.h"
 
 #define VALID_DN_SYNTAX(dn,i) do {\
@@ -34,8 +35,61 @@
 	}\
 } while(0)
 
+/*
+  connect to the sam database
+*/
+NTSTATUS sldb_Init(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn) 
+{
+	TALLOC_CTX *mem_ctx = talloc_new(partition);
+	struct ldb_context *ldb;
+	const char *url;
+	url = lp_parm_string(-1, "ldapsrv", "samdb");
+	if (url) {
+
+		ldb = ldb_wrap_connect(mem_ctx, url, 0, NULL);
+		if (ldb == NULL) {
+			talloc_free(mem_ctx);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		if (ldb_set_opaque(ldb, "sessionInfo", conn->session_info)) {
+			talloc_free(mem_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		talloc_steal(partition, ldb);
+		partition->private = ldb;
+		talloc_free(mem_ctx);
+		return NT_STATUS_OK;
+	}
+	
+	ldb = samdb_connect(mem_ctx, conn->session_info);
+	if (ldb == NULL) {
+		talloc_free(mem_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	talloc_steal(partition, ldb);
+	partition->private = ldb;
+	talloc_free(mem_ctx);
+	return NT_STATUS_OK;
+}
+
+/*
+  Re-connect to the ldb after a bind (this does not handle the bind
+  itself, but just notes the change in credentials)
+*/
+NTSTATUS sldb_Bind(struct ldapsrv_partition *partition, struct ldapsrv_connection *conn) 
+{
+	struct ldb_context *samdb = partition->private;
+	NTSTATUS status;
+	status = sldb_Init(partition, conn);
+	if (NT_STATUS_IS_OK(status)) {
+		/* don't leak the old LDB */
+		talloc_free(samdb);
+	}
+	return status;
+}
+
 static NTSTATUS sldb_Search(struct ldapsrv_partition *partition, struct ldapsrv_call *call,
-				     struct ldap_SearchRequest *r)
+			    struct ldap_SearchRequest *r)
 {
 	void *local_ctx;
 	struct ldb_dn *basedn;
@@ -54,8 +108,7 @@ static NTSTATUS sldb_Search(struct ldapsrv_partition *partition, struct ldapsrv_
 	local_ctx = talloc_named(call, 0, "sldb_Search local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	basedn = ldb_dn_explode(local_ctx, r->basedn);
 	VALID_DN_SYNTAX(basedn, 0);
@@ -182,8 +235,7 @@ static NTSTATUS sldb_Add(struct ldapsrv_partition *partition, struct ldapsrv_cal
 	local_ctx = talloc_named(call, 0, "sldb_Add local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	dn = ldb_dn_explode(local_ctx, r->dn);
 	VALID_DN_SYNTAX(dn,1);
@@ -280,8 +332,7 @@ static NTSTATUS sldb_Del(struct ldapsrv_partition *partition, struct ldapsrv_cal
 	local_ctx = talloc_named(call, 0, "sldb_Del local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	dn = ldb_dn_explode(local_ctx, r->dn);
 	VALID_DN_SYNTAX(dn,1);
@@ -335,8 +386,7 @@ static NTSTATUS sldb_Modify(struct ldapsrv_partition *partition, struct ldapsrv_
 	local_ctx = talloc_named(call, 0, "sldb_Modify local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	dn = ldb_dn_explode(local_ctx, r->dn);
 	VALID_DN_SYNTAX(dn, 1);
@@ -447,8 +497,7 @@ static NTSTATUS sldb_Compare(struct ldapsrv_partition *partition, struct ldapsrv
 	local_ctx = talloc_named(call, 0, "sldb_Compare local_memory_context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	dn = ldb_dn_explode(local_ctx, r->dn);
 	VALID_DN_SYNTAX(dn, 1);
@@ -515,8 +564,7 @@ static NTSTATUS sldb_ModifyDN(struct ldapsrv_partition *partition, struct ldapsr
 	local_ctx = talloc_named(call, 0, "sldb_ModifyDN local memory context");
 	NT_STATUS_HAVE_NO_MEMORY(local_ctx);
 
-	samdb = ldapsrv_sam_connect(call);
-	NT_STATUS_HAVE_NO_MEMORY(samdb);
+	samdb = partition->private;
 
 	olddn = ldb_dn_explode(local_ctx, r->dn);
 	VALID_DN_SYNTAX(olddn, 2);
@@ -591,6 +639,8 @@ reply:
 }
 
 static const struct ldapsrv_partition_ops sldb_ops = {
+	.Init           = sldb_Init,
+	.Bind           = sldb_Bind,
 	.Search		= sldb_Search,
 	.Add		= sldb_Add,
 	.Del		= sldb_Del,

source/lib/ldb/tools/cmdline.c

@@ -75,6 +75,11 @@ struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb, int argc, const
 	if (r != 0) {
 		goto failed;
 	}
+
+	if (ldb_set_opaque(ldb, "securityToken", system_session(ldb))) {
+		goto failed;
+	}
+
 #endif
 
 	ret = talloc_zero(ldb, struct ldb_cmdline);

source/libcli/security/security_token.c

@@ -165,3 +165,28 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
 
 	talloc_free(mem_ctx);
 }
+
+/* These really should be cheaper... */
+
+BOOL is_system_token(struct security_token *token) 
+{
+	TALLOC_CTX *mem_ctx = talloc_new(token);
+	if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM))) {
+		talloc_free(mem_ctx);
+		return True;
+	}
+	talloc_free(mem_ctx);
+	return False;
+}
+
+BOOL is_anonymous_token(struct security_token *token) 
+{
+	TALLOC_CTX *mem_ctx = talloc_new(token);
+	if (dom_sid_equal(token->user_sid, dom_sid_parse_talloc(mem_ctx, SID_NT_ANONYMOUS))) {
+		talloc_free(mem_ctx);
+		return True;
+	}
+	talloc_free(mem_ctx);
+	return False;
+}
+

source/libnet/libnet_join.c

@@ -701,6 +701,8 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
 	domain_sid = lsa_query_info.out.info->domain.sid;
 	domain_name = lsa_query_info.out.info->domain.name.string;
 
+	DEBUG(0, ("Joining domain %s\n", domain_name));
+
 	/*
 	  establish a SAMR connection, on the same CIFS transport
 	*/

source/libnet/libnet_samsync_ldb.c

@@ -1069,9 +1069,7 @@ static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_C
 	state->secrets = NULL;
 	state->trusted_domains = NULL;
 
-	state->sam_ldb = samdb_connect(state);
-
-	
+	state->sam_ldb = samdb_connect(state, system_session(state));
 
 	r2.error_string = NULL;
 	r2.delta_fn = libnet_samsync_ldb_fn;

source/nbt_server/dgram/netlogon.c

@@ -48,7 +48,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
 		return;
 	}
 
-	samctx = samdb_connect(packet);
+	samctx = samdb_connect(packet, anonymous_session(packet));
 	if (samctx == NULL) {
 		DEBUG(2,("Unable to open sam in getdc reply\n"));
 		return;
@@ -108,7 +108,7 @@ static void nbtd_netlogon_getdc2(struct dgram_mailslot_handler *dgmslot,
 		return;
 	}
 
-	samctx = samdb_connect(packet);
+	samctx = samdb_connect(packet, anonymous_session(packet));
 	if (samctx == NULL) {
 		DEBUG(2,("Unable to open sam in getdc reply\n"));
 		return;

source/ntvfs/common/sidmap.c

@@ -52,7 +52,7 @@ struct sidmap_context *sidmap_open(TALLOC_CTX *mem_ctx)
 	if (sidmap == NULL) {
 		return NULL;
 	}
-	sidmap->samctx = samdb_connect(sidmap);
+	sidmap->samctx = samdb_connect(sidmap, system_session(sidmap));
 	if (sidmap->samctx == NULL) {
 		talloc_free(sidmap);
 		return NULL;

source/rpc_server/drsuapi/dcesrv_drsuapi.c

@@ -25,6 +25,7 @@
 #include "rpc_server/dcerpc_server.h"
 #include "rpc_server/common/common.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "auth/auth.h"
 
 /* 
   drsuapi_DsBind 
@@ -43,7 +44,7 @@ static WERROR drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem
 	b_state = talloc(dce_call->conn, struct drsuapi_bind_state);
 	WERR_TALLOC_CHECK(b_state);
 
-	b_state->sam_ctx = samdb_connect(b_state);
+	b_state->sam_ctx = samdb_connect(b_state, dce_call->conn->auth_state.session_info); 
 	if (!b_state->sam_ctx) {
 		talloc_free(b_state);
 		return WERR_FOOBAR;

source/rpc_server/drsuapi/drsuapi_cracknames.c

@@ -41,6 +41,11 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
 				 uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
 				 const char *name, struct drsuapi_DsNameInfo1 *info1);
 
+static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
+					uint32_t format_offered, uint32_t format_desired,
+					const struct ldb_dn *name_dn, const char *name, 
+					struct drsuapi_DsNameInfo1 *info1);
+
 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, struct ldb_context *ldb_ctx, 
 				   TALLOC_CTX *mem_ctx,
 				   const char *alias_from,
@@ -349,6 +354,14 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
 		WERR_TALLOC_CHECK(result_filter);
 		break;
 	}
+	case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
+		domain_filter = NULL;
+
+		result_filter = talloc_asprintf(mem_ctx, "(|(displayName=%s)(samAccountName=%s))",
+						name, name);
+		WERR_TALLOC_CHECK(result_filter);
+		break;
+	}
 	
 	case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
 		struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, name);
@@ -424,6 +437,11 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
 	}
 
 	}
+
+	if (format_flags & DRSUAPI_DS_NAME_FLAG_SYNTACTICAL_ONLY) {
+		return DsCrackNameOneSyntactical(mem_ctx, format_offered, format_desired,
+						 name_dn, name, info1);
+	}
 	
 	return DsCrackNameOneFilter(b_state, mem_ctx, 
 				    smb_krb5_context, 
@@ -433,6 +451,32 @@ static WERROR DsCrackNameOneName(struct drsuapi_bind_state *b_state, TALLOC_CTX
 				    info1);
 }
 
+static WERROR DsCrackNameOneSyntactical(TALLOC_CTX *mem_ctx,
+					uint32_t format_offered, uint32_t format_desired,
+					const struct ldb_dn *name_dn, const char *name, 
+					struct drsuapi_DsNameInfo1 *info1)
+{
+	if (format_offered != DRSUAPI_DS_NAME_FORMAT_FQDN_1779) {
+		info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
+		return WERR_OK;
+	}
+
+	switch (format_desired) {
+	case DRSUAPI_DS_NAME_FORMAT_CANONICAL: 
+		break;
+	case DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX:
+		break;
+	default:
+		info1->status = DRSUAPI_DS_NAME_STATUS_NO_SYNTACTICAL_MAPPING;
+		return WERR_OK;
+	}
+
+	
+	
+	return WERR_OK;	
+	
+}
+
 static WERROR DsCrackNameOneFilter(struct drsuapi_bind_state *b_state, TALLOC_CTX *mem_ctx,
 				   struct smb_krb5_context *smb_krb5_context,
 				   uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
@@ -616,6 +660,17 @@ static WERROR DsCrackNameOneFilter(struct drsuapi_bind_state *b_state, TALLOC_CT
 		info1->status		= DRSUAPI_DS_NAME_STATUS_OK;
 		return WERR_OK;
 	}
+	case DRSUAPI_DS_NAME_FORMAT_DISPLAY: {
+		info1->result_name	= samdb_result_string(result_res[0], "displayName", NULL);
+		if (!info1->result_name) {
+			info1->result_name	= samdb_result_string(result_res[0], "sAMAccountName", NULL);
+		} 
+		if (!info1->result_name) {
+			info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
+		} else {
+			info1->status = DRSUAPI_DS_NAME_STATUS_OK;
+		}
+	}
 	default:
 		return WERR_OK;
 	}

source/rpc_server/dssetup/dcesrv_dssetup.c

@@ -25,8 +25,7 @@
 #include "librpc/gen_ndr/ndr_samr.h"
 #include "librpc/gen_ndr/ndr_dssetup.h"
 #include "rpc_server/common/common.h"
-
-
+#include "ldb/include/ldb.h"
 /* 
   dssetup_DsRoleGetPrimaryDomainInformation 
 */
@@ -82,13 +81,12 @@ static WERROR dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_call_state
 			break;
 		case ROLE_DOMAIN_BDC:
 		case ROLE_DOMAIN_PDC:
-			sam_ctx = samdb_connect(mem_ctx);
+			sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); 
 			if (!sam_ctx) {
 				return WERR_SERVER_UNAVAILABLE;
 			}
 
-			ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
-					   "(&(objectClass=domainDNS)(!(objectClass=builtinDomain)))");
+			ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &res, attrs);
 			if (ret != 1) {
 				return WERR_SERVER_UNAVAILABLE;
 			}
@@ -96,15 +94,18 @@ static WERROR dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_call_state
 			flags		= DS_ROLE_PRIMARY_DS_RUNNING;
 
 			if (samdb_result_uint(res[0], "nTMixedDomain", 0) == 1) {
-				flags		|= DS_ROLE_PRIMARY_DS_MIXED_MODE;
+				flags	|= DS_ROLE_PRIMARY_DS_MIXED_MODE;
 			}
-
-			domain		= samdb_result_string(res[0], "name", NULL);
+			
+			domain		= samdb_search_string(sam_ctx, mem_ctx, NULL, "nETBIOSName", 
+							      "(&(objectclass=crossRef)(ncName=%s))", 
+							      ldb_dn_linearize(mem_ctx, samdb_base_dn(mem_ctx)));
+	
 			dns_domain	= samdb_result_string(res[0], "dnsDomain", NULL);
 			forest		= samdb_result_string(res[0], "dnsDomain", NULL);
 
-			flags		|= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT;
 			domain_guid	= samdb_result_guid(res[0], "objectGUID");
+			flags	|= DS_ROLE_PRIMARY_DOMAIN_GUID_PRESENT;
 			break;
 		}
 

source/rpc_server/lsa/dcesrv_lsa.c

@@ -27,9 +27,9 @@
 #include "rpc_server/dcerpc_server.h"
 #include "rpc_server/common/common.h"
 #include "lib/ldb/include/ldb.h"
-#include "auth/auth.h"
 #include "system/time.h"
 #include "db_wrap.h"
+#include "auth/auth.h"
 
 /*
   this type allows us to distinguish handle types
@@ -220,9 +220,6 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 				     struct lsa_policy_state **_state)
 {
 	struct lsa_policy_state *state;
-	const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
-	int ret_domain;
-	struct ldb_message **msgs_domain;
 
 	state = talloc(mem_ctx, struct lsa_policy_state);
 	if (!state) {
@@ -230,7 +227,7 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 	}
 
 	/* make sure the sam database is accessible */
-	state->sam_ldb = samdb_connect(state);
+	state->sam_ldb = samdb_connect(state, dce_call->conn->auth_state.session_info); 
 	if (state->sam_ldb == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -247,16 +244,14 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_NO_MEMORY;		
 	}
 
-	ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
-				  "(&(objectclass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, state->domain_dn));
+	state->domain_name
+		= samdb_search_string(state->sam_ldb, mem_ctx, NULL, "nETBIOSName", 
+				      "(&(objectclass=crossRef)(ncName=%s))", ldb_dn_linearize(mem_ctx, state->domain_dn));
 	
-	if (ret_domain == -1) {
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-		
-	if (ret_domain != 1) {
+	if (!state->domain_name) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
+	talloc_steal(state, state->domain_name);
 
 	/* work out the builtin_dn - useful for so many calls its worth
 	   fetching here */
@@ -273,23 +268,20 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_sid = talloc_steal(state, 
-					 samdb_search_dom_sid(state->sam_ldb, state,
-							      state->domain_dn, "objectSid", "dn=%s",
-							      ldb_dn_linearize(mem_ctx, state->domain_dn)));
+	state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
+						 state->domain_dn, "objectSid", "dn=%s",
+						 ldb_dn_linearize(mem_ctx, state->domain_dn));
 	if (!state->domain_sid) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
+	talloc_steal(state, state->domain_sid);
+
 	state->builtin_sid = dom_sid_parse_talloc(state, SID_BUILTIN);
 	if (!state->builtin_sid) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_name = talloc_strdup(state, 
-					   samdb_result_string(msgs_domain[0], "nETBIOSName", 
-							       lp_workgroup()));
-
 	*_state = state;
 
 	return NT_STATUS_OK;
@@ -2426,14 +2418,6 @@ static NTSTATUS lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLOC_CTX *
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	/* TODO: this check should go and we should rely on the calling code that this is valid */
-	if (!dce_call->conn->auth_state.session_info ||
-	    !dce_call->conn->auth_state.session_info->server_info ||
-	    !dce_call->conn->auth_state.session_info->server_info->account_name ||
-	    !dce_call->conn->auth_state.session_info->server_info->domain_name) {
-	    	return NT_STATUS_INTERNAL_ERROR;
-	}
-
 	account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name);
 	authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name);
 

source/rpc_server/netlogon/dcerpc_netlogon.c

@@ -26,8 +26,8 @@
 #include "rpc_server/dcerpc_server.h"
 #include "rpc_server/common/common.h"
 #include "librpc/gen_ndr/ndr_dcom.h"
-#include "auth/auth.h"
 #include "lib/ldb/include/ldb.h"
+#include "auth/auth.h"
 
 struct server_pipe_state {
 	struct netr_Credential client_challenge;
@@ -147,7 +147,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -159,7 +159,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
 	if (num_records == 0) {
 		DEBUG(3,("Couldn't find user [%s] in samdb.\n", 
 			 r->in.account_name));
-		return NT_STATUS_NO_SUCH_USER;
+		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	if (num_records > 1) {
@@ -322,7 +322,7 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
 	nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -937,7 +937,7 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
 		return status;
 	}
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -1034,7 +1034,7 @@ static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALL
 	nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -1167,7 +1167,7 @@ static WERROR netr_DrsGetDCNameEx2(struct dcesrv_call_state *dce_call, TALLOC_CT
 
 	ZERO_STRUCT(r->out);
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
 	if (sam_ctx == NULL) {
 		return WERR_DS_SERVICE_UNAVAILABLE;
 	}
@@ -1256,13 +1256,12 @@ static WERROR netr_DsrEnumerateDomainTrusts(struct dcesrv_call_state *dce_call,
 
 	ZERO_STRUCT(r->out);
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info);
 	if (sam_ctx == NULL) {
 		return WERR_GENERAL_FAILURE;
 	}
 
-	ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs,
-			   "(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm());
+	ret = gendb_search_dn(sam_ctx, mem_ctx, samdb_base_dn(mem_ctx), &dom_res, dom_attrs);
 	if (ret == -1) {
 		return WERR_GENERAL_FAILURE;		
 	}

source/rpc_server/samr/dcesrv_samr.c

@@ -60,12 +60,13 @@ static NTSTATUS samr_Connect(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem
 	}
 
 	/* make sure the sam database is accessible */
-	c_state->sam_ctx = samdb_connect(c_state);
+	c_state->sam_ctx = samdb_connect(c_state, dce_call->conn->auth_state.session_info); 
 	if (c_state->sam_ctx == NULL) {
 		talloc_free(c_state);
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
+
 	handle = dcesrv_handle_new(dce_call->context, SAMR_HANDLE_CONNECT);
 	if (!handle) {
 		talloc_free(c_state);
@@ -3305,7 +3306,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	ZERO_STRUCT(r->out.info);
 
-	sam_ctx = samdb_connect(mem_ctx);
+	sam_ctx = samdb_connect(mem_ctx, dce_call->conn->auth_state.session_info); 
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}

source/rpc_server/samr/samr_password.c

@@ -38,6 +38,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
 {
 	struct dcesrv_handle *h;
 	struct samr_account_state *a_state;
+	struct ldb_context *sam_ctx;
 	struct ldb_message **res, *msg;
 	int ret;
 	struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
@@ -49,8 +50,14 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	a_state = h->data;
 
+	/* To change a password we need to open as system */
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+	if (sam_ctx == NULL) {
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
+	}
+
 	/* fetch the old hashes */
-	ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
+	ret = gendb_search_dn(sam_ctx, mem_ctx,
 			      a_state->account_dn, &res, attrs);
 	if (ret != 1) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -113,7 +120,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = samdb_set_password(a_state->sam_ctx, mem_ctx,
+	status = samdb_set_password(sam_ctx, mem_ctx,
 				    a_state->account_dn, a_state->domain_state->domain_dn,
 				    msg, NULL, &new_lmPwdHash, &new_ntPwdHash, 
 				    True, /* this is a user password change */
@@ -124,7 +131,7 @@ NTSTATUS samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	}
 
 	/* modify the samdb record */
-	ret = samdb_replace(a_state->sam_ctx, mem_ctx, msg);
+	ret = samdb_replace(sam_ctx, mem_ctx, msg);
 	if (ret != 0) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
@@ -142,7 +149,7 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
 	char new_pass[512];
 	uint32_t new_pass_len;
 	struct samr_CryptPassword *pwbuf = r->in.password;
-	void *sam_ctx;
+	struct ldb_context *sam_ctx;
 	const struct ldb_dn *user_dn, *domain_dn;
 	int ret;
 	struct ldb_message **res, *mod;
@@ -157,9 +164,8 @@ NTSTATUS samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_WRONG_PASSWORD;
 	}
 
-	/* this call doesn't take a policy handle, so we need to open
-	   the sam db from scratch */
-	sam_ctx = samdb_connect(mem_ctx);
+	/* To change a password we need to open as system */
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -260,7 +266,7 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 	NTSTATUS status;
 	char new_pass[512];
 	uint32_t new_pass_len;
-	void *sam_ctx = NULL;
+	struct ldb_context *sam_ctx;
 	const struct ldb_dn *user_dn, *domain_dn = NULL;
 	int ret;
 	struct ldb_message **res, *mod;
@@ -285,11 +291,10 @@ NTSTATUS samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 		goto failed;
 	}
 
-	/* this call doesn't take a policy handle, so we need to open
-	   the sam db from scratch */
-	sam_ctx = samdb_connect(mem_ctx);
+	/* To change a password we need to open as system */
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (sam_ctx == NULL) {
-		status = NT_STATUS_INVALID_SYSTEM_SERVICE;
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 		goto failed;
 	}