Merge branch 'master' of git://git.samba.org/samba into convenience

13 files changed, 175 insertions, 94 deletions

diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 9d96392777..e89253554e 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -23,6 +23,8 @@
 #ifndef _DOM_SID_H_
 #define _DOM_SID_H_
 
+#include "librpc/gen_ndr/security.h"
+
 int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2);
 bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2);
 bool dom_sid_parse(const char *sidstr, struct dom_sid *ret);
diff --git a/source3/lib/secace.c b/libcli/security/secace.c
index 878fac252b..4e8eddcb0b 100644
--- a/source3/lib/secace.c
+++ b/libcli/security/secace.c
@@ -1,6 +1,6 @@
 /* 
  *  Unix SMB/Netbios implementation.
- *  SEC_ACE handling functions
+ *  struct security_ace handling functions
  *  Copyright (C) Andrew Tridgell              1992-1998,
  *  Copyright (C) Jeremy R. Allison            1995-2003.
  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
@@ -21,56 +21,58 @@
  */
 
 #include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+#include "libcli/security/security.h"
 
-/*******************************************************************
- Check if ACE has OBJECT type.
-********************************************************************/
+#define  SEC_ACE_HEADER_SIZE (2 * sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t))
 
-bool sec_ace_object(uint8 type)
+/**
+ * Check if ACE has OBJECT type.
+ */
+bool sec_ace_object(uint8_t type)
 {
 	if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
             type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
             type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
             type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
-		return True;
+		return true;
 	}
-	return False;
+	return false;
 }
 
-/*******************************************************************
- copy a SEC_ACE structure.
-********************************************************************/
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
+/**
+ * copy a struct security_ace structure.
+ */
+void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src)
 {
 	ace_dest->type  = ace_src->type;
 	ace_dest->flags = ace_src->flags;
 	ace_dest->size  = ace_src->size;
 	ace_dest->access_mask = ace_src->access_mask;
 	ace_dest->object = ace_src->object;
-	sid_copy(&ace_dest->trustee, &ace_src->trustee);
+	ace_dest->trustee = ace_src->trustee;
 }
 
 /*******************************************************************
- Sets up a SEC_ACE structure.
+ Sets up a struct security_ace structure.
 ********************************************************************/
 
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
-		  uint32_t mask, uint8 flag)
+void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
+		  uint32_t mask, uint8_t flag)
 {
 	t->type = type;
 	t->flags = flag;
 	t->size = ndr_size_dom_sid(sid, NULL, 0) + 8;
 	t->access_mask = mask;
 
-	ZERO_STRUCTP(&t->trustee);
-	sid_copy(&t->trustee, sid);
+	t->trustee = *sid;
 }
 
 /*******************************************************************
  adds new SID with its permissions to ACE list
 ********************************************************************/
 
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
+NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask)
 {
 	unsigned int i = 0;
 	
@@ -78,7 +80,7 @@ NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsign
 
 	*num += 1;
 	
-	if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+	if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)
 		return NT_STATUS_NO_MEMORY;
 
 	for (i = 0; i < *num - 1; i ++)
@@ -88,7 +90,7 @@ NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsign
 	(*pp_new)[i].flags = 0;
 	(*pp_new)[i].size  = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0);
 	(*pp_new)[i].access_mask = mask;
-	sid_copy(&(*pp_new)[i].trustee, sid);
+	(*pp_new)[i].trustee = *sid;
 	return NT_STATUS_OK;
 }
 
@@ -96,14 +98,14 @@ NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsign
   modify SID's permissions at ACL 
 ********************************************************************/
 
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
+NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask)
 {
 	unsigned int i = 0;
 
 	if (!ace || !sid)  return NT_STATUS_INVALID_PARAMETER;
 
 	for (i = 0; i < num; i ++) {
-		if (sid_compare(&ace[i].trustee, sid) == 0) {
+		if (dom_sid_equal(&ace[i].trustee, sid)) {
 			ace[i].access_mask = mask;
 			return NT_STATUS_OK;
 		}
@@ -115,7 +117,7 @@ NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
  delete SID from ACL
 ********************************************************************/
 
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
+NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid)
 {
 	unsigned int i     = 0;
 	unsigned int n_del = 0;
@@ -123,14 +125,14 @@ NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32
 	if (!ctx || !pp_new || !old || !sid || !num)  return NT_STATUS_INVALID_PARAMETER;
 
 	if (*num) {
-		if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
+		if((pp_new[0] = talloc_zero_array(ctx, struct security_ace, *num )) == 0)
 			return NT_STATUS_NO_MEMORY;
 	} else {
 		pp_new[0] = NULL;
 	}
 
 	for (i = 0; i < *num; i ++) {
-		if (sid_compare(&old[i].trustee, sid) != 0)
+		if (!dom_sid_equal(&old[i].trustee, sid))
 			sec_ace_copy(&(*pp_new)[i], &old[i]);
 		else
 			n_del ++;
@@ -144,38 +146,38 @@ NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32
 }
 
 /*******************************************************************
- Compares two SEC_ACE structures
+ Compares two struct security_ace structures
 ********************************************************************/
 
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
+bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2)
 {
 	/* Trivial case */
 
 	if (!s1 && !s2) {
-		return True;
+		return true;
 	}
 
 	if (!s1 || !s2) {
-		return False;
+		return false;
 	}
 
 	/* Check top level stuff */
 
 	if (s1->type != s2->type || s1->flags != s2->flags ||
 	    s1->access_mask != s2->access_mask) {
-		return False;
+		return false;
 	}
 
 	/* Check SID */
 
-	if (!sid_equal(&s1->trustee, &s2->trustee)) {
-		return False;
+	if (!dom_sid_equal(&s1->trustee, &s2->trustee)) {
+		return false;
 	}
 
-	return True;
+	return true;
 }
 
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
+int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2)
 {
 	int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
 	int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
@@ -192,7 +194,7 @@ int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
   Comparison function to apply the order explained below in a group.
 *******************************************************************/
 
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
+int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2)
 {
 	if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
 				(a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
@@ -247,7 +249,7 @@ The following describes the preferred order:
 
 ********************************************************************/
 
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
+void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces)
 {
 	unsigned int i;
 
@@ -259,7 +261,7 @@ void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
 
 	/* Find the boundary between non-inherited ACEs. */
 	for (i = 0; i < num_aces; i++ ) {
-		SEC_ACE *curr_ace = &srclist[i];
+		struct security_ace *curr_ace = &srclist[i];
 
 		if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
 			break;
@@ -276,18 +278,4 @@ void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
 		qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
 }
 
-/*******************************************************************
- Check if this ACE has a SID in common with the token.
-********************************************************************/
-
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
-{
-	size_t i;
 
-	for (i = 0; i < token->num_sids; i++) {
-		if (sid_equal(&ace->trustee, &token->user_sids[i]))
-			return True;
-	}
-
-	return False;
-}
diff --git a/libcli/security/secace.h b/libcli/security/secace.h
new file mode 100644
index 0000000000..8b6625d07d
--- /dev/null
+++ b/libcli/security/secace.h
@@ -0,0 +1,39 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+
+   Copyright (C) 2009 Jelmer Vernooij <jelmer@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _ACE_H_
+#define _ACE_H_
+
+#include "librpc/gen_ndr/security.h"
+
+bool sec_ace_object(uint8_t type);
+void sec_ace_copy(struct security_ace *ace_dest, struct security_ace *ace_src);
+void init_sec_ace(struct security_ace *t, const struct dom_sid *sid, enum security_ace_type type,
+		  uint32_t mask, uint8_t flag);
+NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, unsigned *num, struct dom_sid *sid, uint32_t mask);
+NTSTATUS sec_ace_mod_sid(struct security_ace *ace, size_t num, struct dom_sid *sid, uint32_t mask);
+NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, struct security_ace **pp_new, struct security_ace *old, uint32_t *num, struct dom_sid *sid);
+bool sec_ace_equal(struct security_ace *s1, struct security_ace *s2);
+int nt_ace_inherit_comp( struct security_ace *a1, struct security_ace *a2);
+int nt_ace_canon_comp( struct security_ace *a1, struct security_ace *a2);
+void dacl_sort_into_canonical_order(struct security_ace *srclist, unsigned int num_aces);
+
+#endif /*_ACE_H_*/
+
diff --git a/source3/lib/secacl.c b/libcli/security/secacl.c
index 5e82242e1b..45640773b0 100644
--- a/source3/lib/secacl.c
+++ b/libcli/security/secacl.c
@@ -21,18 +21,22 @@
  */
 
 #include "includes.h"
+#include "libcli/security/security.h"
+
+#define  SEC_ACL_HEADER_SIZE (2 * sizeof(uint16_t) + sizeof(uint32_t))
 
 /*******************************************************************
  Create a SEC_ACL structure.  
 ********************************************************************/
 
-SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
-		      int num_aces, SEC_ACE *ace_list)
+struct security_acl *make_sec_acl(TALLOC_CTX *ctx, 
+								  enum security_acl_revision revision,
+								  int num_aces, struct security_ace *ace_list)
 {
-	SEC_ACL *dst;
+	struct security_acl *dst;
 	int i;
 
-	if((dst = TALLOC_ZERO_P(ctx,SEC_ACL)) == NULL)
+	if((dst = talloc_zero(ctx, struct security_acl)) == NULL)
 		return NULL;
 
 	dst->revision = revision;
@@ -46,7 +50,7 @@ SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
 	   positive number. */
 
 	if ((num_aces) && 
-            ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces)) 
+            ((dst->aces = talloc_array(ctx, struct security_ace, num_aces)) 
              == NULL)) {
 		return NULL;
 	}
@@ -63,7 +67,7 @@ SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
  Duplicate a SEC_ACL structure.  
 ********************************************************************/
 
-SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
+struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src)
 {
 	if(src == NULL)
 		return NULL;
@@ -75,44 +79,44 @@ SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
  Compares two SEC_ACL structures
 ********************************************************************/
 
-bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2)
+bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2)
 {
 	unsigned int i, j;
 
 	/* Trivial cases */
 
-	if (!s1 && !s2) return True;
-	if (!s1 || !s2) return False;
+	if (!s1 && !s2) return true;
+	if (!s1 || !s2) return false;
 
 	/* Check top level stuff */
 
 	if (s1->revision != s2->revision) {
 		DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n",
 			   s1->revision, s2->revision));
-		return False;
+		return false;
 	}
 
 	if (s1->num_aces != s2->num_aces) {
 		DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n",
 			   s1->revision, s2->revision));
-		return False;
+		return false;
 	}
 
 	/* The ACEs could be in any order so check each ACE in s1 against 
 	   each ACE in s2. */
 
 	for (i = 0; i < s1->num_aces; i++) {
-		bool found = False;
+		bool found = false;
 
 		for (j = 0; j < s2->num_aces; j++) {
 			if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) {
-				found = True;
+				found = true;
 				break;
 			}
 		}
 
-		if (!found) return False;
+		if (!found) return false;
 	}
 
-	return True;
+	return true;
 }
diff --git a/libcli/security/secacl.h b/libcli/security/secacl.h
new file mode 100644
index 0000000000..9f1e8fa183
--- /dev/null
+++ b/libcli/security/secacl.h
@@ -0,0 +1,33 @@
+/*
+   Unix SMB/CIFS implementation.
+   Samba utility functions
+
+   Copyright (C) 2009 Jelmer Vernooij <jelmer@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _SECACL_H_
+#define _SECACL_H_
+
+#include "librpc/gen_ndr/security.h"
+
+struct security_acl *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
+		      int num_aces, struct security_ace *ace_list);
+struct security_acl *dup_sec_acl(TALLOC_CTX *ctx, struct security_acl *src);
+bool sec_acl_equal(struct security_acl *s1, struct security_acl *s2);
+
+
+#endif /*_SECACL_H_*/
+
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 8723b4f63f..abf6cfb5f7 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -370,7 +370,8 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
 	  lib/conn_tdb.o lib/adt_tree.o lib/gencache.o \
 	  lib/module.o lib/events.o @LIBTEVENT_OBJ0@ \
 	  lib/ldap_escape.o @CHARSET_STATIC@ \
-	  lib/secdesc.o lib/util_seaccess.o lib/secace.o lib/secacl.o \
+	  lib/secdesc.o lib/util_seaccess.o ../libcli/security/secace.o \
+	  ../libcli/security/secacl.o \
 	  libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
 	  lib/file_id.o lib/idmap_cache.o \
 	  ../libcli/security/dom_sid.o
diff --git a/source3/include/includes.h b/source3/include/includes.h
index 7f8c408265..63c77ec182 100644
--- a/source3/include/includes.h
+++ b/source3/include/includes.h
@@ -594,7 +594,7 @@ struct smb_iconv_convenience *lp_iconv_convenience(void *lp_ctx);
 #include "trans2.h"
 #include "../libcli/util/error.h"
 #include "ntioctl.h"
-#include "../lib/util/charset/charset.h"
+#include "charset.h"
 #include "dynconfig.h"
 #include "util_getent.h"
 #include "debugparse.h"
@@ -703,6 +703,8 @@ enum flush_reason_enum {
 #ifndef NO_PROTO_H
 #include "proto.h"
 #endif
+#include "libcli/security/secace.h"
+#include "libcli/security/secacl.h"
 
 #if defined(HAVE_POSIX_ACLS)
 #include "modules/vfs_posixacl.h"
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 0e6446be84..e1eab8dc16 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -651,28 +651,6 @@ ssize_t sys_recvfile(int fromfd,
 			size_t count);
 ssize_t drain_socket(int sockfd, size_t count);
 
-/* The following definitions come from lib/secace.c  */
-
-bool sec_ace_object(uint8 type);
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src);
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
-		  uint32 mask, uint8 flag);
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask);
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask);
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid);
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2);
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2);
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2);
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces);
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace);
-
-/* The following definitions come from lib/secacl.c  */
-
-SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
-		      int num_aces, SEC_ACE *ace_list);
-SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src);
-bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2);
-
 /* The following definitions come from lib/secdesc.c  */
 
 bool sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2);
@@ -1253,6 +1231,7 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
 			const struct nt_user_token *token_1,
 			const struct nt_user_token *token_2,
 			struct nt_user_token **token_out);
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace);
 
 /* The following definitions come from lib/util_pw.c  */
 
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index 4bf0d9cb9d..c74d621f35 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -69,7 +69,6 @@
 
 /* SEC_ACE */
 typedef struct security_ace SEC_ACE;
-#define  SEC_ACE_HEADER_SIZE (2 * sizeof(uint8) + sizeof(uint16) + sizeof(uint32))
 
 #ifndef ACL_REVISION
 #define ACL_REVISION 0x3
@@ -78,7 +77,6 @@ typedef struct security_ace SEC_ACE;
 #ifndef _SEC_ACL
 /* SEC_ACL */
 typedef struct security_acl SEC_ACL;
-#define  SEC_ACL_HEADER_SIZE (2 * sizeof(uint16) + sizeof(uint32))
 #define _SEC_ACL
 #endif
 
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 59c3c32346..5c2bd12df0 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -165,6 +165,10 @@ typedef union unid_t {
 #define COPY_UCS2_CHAR(dest,src) (((unsigned char *)(dest))[0] = ((unsigned char *)(src))[0],\
 				((unsigned char *)(dest))[1] = ((unsigned char *)(src))[1], (dest))
 
+/* Large data type for manipulating uint32 unicode codepoints */
+typedef uint32 codepoint_t;
+#define INVALID_CODEPOINT ((codepoint_t)-1)
+
 /* pipe string names */
 #define PIPE_LANMAN   "\\PIPE\\LANMAN"
 
@@ -1825,6 +1829,18 @@ struct unix_error_map {
 
 #define SAFE_NETBIOS_CHARS ". -_"
 
+/* generic iconv conversion structure */
+typedef struct _smb_iconv_t {
+	size_t (*direct)(void *cd, const char **inbuf, size_t *inbytesleft,
+			 char **outbuf, size_t *outbytesleft);
+	size_t (*pull)(void *cd, const char **inbuf, size_t *inbytesleft,
+		       char **outbuf, size_t *outbytesleft);
+	size_t (*push)(void *cd, const char **inbuf, size_t *inbytesleft,
+		       char **outbuf, size_t *outbytesleft);
+	void *cd_direct, *cd_pull, *cd_push;
+	char *from_name, *to_name;
+} *smb_iconv_t;
+
 /* The maximum length of a trust account password.
    Used when we randomly create it, 15 char passwords
    exceed NT4's max password length */
diff --git a/source3/lib/util_nttoken.c b/source3/lib/util_nttoken.c
index 774ef498b7..76e7402422 100644
--- a/source3/lib/util_nttoken.c
+++ b/source3/lib/util_nttoken.c
@@ -115,3 +115,19 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
 
 	return NT_STATUS_OK;
 }
+
+/*******************************************************************
+ Check if this ACE has a SID in common with the token.
+********************************************************************/
+
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const struct security_ace *ace)
+{
+	size_t i;
+
+	for (i = 0; i < token->num_sids; i++) {
+		if (sid_equal(&ace->trustee, &token->user_sids[i]))
+			return true;
+	}
+
+	return false;
+}
diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk
index cd5b75bb81..d6d9ad5545 100644
--- a/source4/libcli/security/config.mk
+++ b/source4/libcli/security/config.mk
@@ -3,6 +3,8 @@ PUBLIC_DEPENDENCIES = LIBNDR LIBSECURITY_COMMON
 
 LIBSECURITY_OBJ_FILES = $(addprefix $(libclisrcdir)/security/, \
 					   security_token.o security_descriptor.o \
-					   access_check.o privilege.o sddl.o)
+					   access_check.o privilege.o sddl.o) \
+					   ../libcli/security/secace.o \
+					   ../libcli/security/secacl.o
 
 $(eval $(call proto_header_template,$(libclisrcdir)/security/proto.h,$(LIBSECURITY_OBJ_FILES:.o=.c)))
diff --git a/source4/libcli/security/security.h b/source4/libcli/security/security.h
index 517f3e8ebe..2608c9f7ed 100644
--- a/source4/libcli/security/security.h
+++ b/source4/libcli/security/security.h
@@ -30,5 +30,6 @@ struct auth_session_info;
 
 /* Moved the dom_sid functions to the top level dir with manual proto header */
 #include "libcli/security/dom_sid.h"
-
+#include "libcli/security/secace.h"
+#include "libcli/security/secacl.h"
 #include "libcli/security/proto.h"