Changes from APPLIANCE_HEAD:

    source/Makefile.in
        - changes to ctags and etags rules that somehow got lost along the way.

    source/include/proto.h
        - make proto

    source/smbd/sec_ctx.c
    source/smbd/password.c
        - merge debugs for debugging user groups and NT token stuff.

    source/lib/util_str.c
        - capitalise domain name returned from parse_domain_user()

    source/nsswitch/wb_client.c
        - fix broken conditional in debug statement.

    source/include/rpc_secdes.h
    source/include/rpc_spoolss.h
    source/printing/nt_printing.c
    source/lib/util_seaccess.c
        - fix printer permission bugs related to ACE masks for printers.
          This adds mapping of generic access rights to object specific
          rights for NT printers.  Still need to work out whether or not to
          ignore ACEs with certain flags set, though. See comments in
          util_seaccess.c:check_ace() for details.

    source/printing/nt_printing.c
    source/printing/printing.c
        - use PRINTER_ACCESS_ADMINISTER instead of JOB_ACCESS_ADMINISTER
          until we sort out printer/printjob permission stuff.
(This used to be commit 1dba9c5cd1e6389734c648f6903abcb7c8d5b2f0)

2 files changed, 42 insertions, 75 deletions

diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 91679235cd..699ddc60b2 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -35,6 +35,15 @@ static TDB_CONTEXT *tdb; /* used for driver files */
 
 #define DATABASE_VERSION 1
 
+/* Map generic permissions to printer object specific permissions */
+
+struct generic_mapping printer_generic_mapping = {
+	PRINTER_READ,
+	PRINTER_WRITE,
+	PRINTER_EXECUTE,
+	PRINTER_ALL_ACCESS
+};
+
 /* We need one default form to support our default printer. Msoft adds the
 forms it wants and in the ORDER it wants them (note: DEVMODE papersize is an
 array index). Letter is always first, so (for the current code) additions
@@ -2833,11 +2842,16 @@ BOOL nt_printing_getsec(char *printername, SEC_DESC_BUF **secdesc_ctr)
 	prs_struct ps;
 	TALLOC_CTX *mem_ctx = NULL;
 	fstring key;
+	char *temp;
 
 	mem_ctx = talloc_init();
 	if (mem_ctx == NULL)
 		return False;
 
+	if ((temp = strchr(printername + 2, '\\'))) {
+		printername = temp + 1;
+	}
+
 	/* Fetch security descriptor from tdb */
 
 	slprintf(key, sizeof(key), "SECDESC/%s", printername);
@@ -2910,8 +2924,9 @@ BOOL nt_printing_getsec(char *printername, SEC_DESC_BUF **secdesc_ctr)
 
 			sid_to_string(sid_str, &acl->ace[i].sid);
 
-			DEBUG(10, ("%s 0x%08x\n", sid_str, 
-				  acl->ace[i].info.mask));
+			DEBUG(10, ("%s %d %d 0x%08x\n", sid_str,
+				   acl->ace[i].type, acl->ace[i].flags, 
+				   acl->ace[i].info.mask)); 
 		}
 	}
 
@@ -2956,6 +2971,20 @@ jfm: I should use this comment for the text file to explain
 
 */
 
+/* Convert generic access rights to printer object specific access rights.
+   It turns out that NT4 security descriptors use generic access rights and
+   NT5 the object specific ones. */
+
+void map_printer_permissions(SEC_DESC *sd)
+{
+	int i;
+
+	for (i = 0; sd->dacl && i < sd->dacl->num_aces; i++) {
+		se_map_generic(&sd->dacl->ace[i].info.mask,
+			       &printer_generic_mapping);
+	}
+}
+
 /****************************************************************************
  Check a user has permissions to perform the given operation.  We use some
  constants defined in include/rpc_spoolss.h that look relevant to check
@@ -2969,7 +2998,7 @@ jfm: I should use this comment for the text file to explain
    PRINTER_ACCESS_USE:
        print_job_start
 
-   JOB_ACCESS_ADMINISTER:
+   PRINTER_ACCESS_ADMINISTER (should really be JOB_ACCESS_ADMINISTER):
        print_job_delete, print_job_pause, print_job_resume,
        print_queue_purge
 
@@ -2977,7 +3006,7 @@ jfm: I should use this comment for the text file to explain
 BOOL print_access_check(struct current_user *user, int snum, int access_type)
 {
 	SEC_DESC_BUF *secdesc = NULL;
-	uint32 access_granted, status, required_access = 0;
+	uint32 access_granted, status;
 	BOOL result;
 	char *pname;
 	extern struct current_user current_user;
@@ -3008,77 +3037,14 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
 	/* Get printer security descriptor */
 
 	nt_printing_getsec(pname, &secdesc);
-
-	/* Check against NT4 ACE mask values.  From observation these
-	   values are:
-
-	       Access Type       ACE Mask    Constant
-	       -------------------------------------
-	       Full Control      0x10000000  PRINTER_ACE_FULL_CONTROL
-	       Print             0xe0000000  PRINTER_ACE_PRINT
-	       Manage Documents  0x00020000  PRINTER_ACE_MANAGE_DOCUMENTS
-	*/
-
-    switch (access_type) {
-    case PRINTER_ACCESS_USE:
-	    required_access = PRINTER_ACE_PRINT;
-	    break;
-    case PRINTER_ACCESS_ADMINISTER:
-		/* 
-		 * This should be set to PRINTER_ACE_FULL_CONTROL, not to
-		 * (PRINTER_ACE_PRINT | PRINTER_ACE_MANAGE_DOCUMENTS).
-		 * Doing the latter gives anyone with both PRINTER_ACE_PRINT
-		 * and PRINTER_ACE_MANAGE_DOCUMENTS (in any combination of ACLs)
-		 * full control over all printer functions.  This isn't what 
-		 * we want.
-		 */
-		required_access = PRINTER_ACE_FULL_CONTROL; 
-		break;
-	case JOB_ACCESS_ADMINISTER:
-		required_access = PRINTER_ACE_MANAGE_DOCUMENTS;
-		break;
-	default:
-		DEBUG(0, ("invalid value passed to print_access_check()\n"));
-		result = False;
-		goto done;
-	}	
 	
-	if ((result = se_access_check(secdesc->sec, user, required_access,
-				      &access_granted, &status))) {
-		goto done;
-	}
-
-	/* Check against NT5 ACE mask values.  From observation these
-	   values are:
-
-	       Access Type       ACE Mask    Constant
-	       -------------------------------------
-	       Full Control      0x000f000c  PRINTER_ACE_NT5_FULL_CONTROL
-	       Print             0x00020008  PRINTER_ACE_NT5_PRINT
-	       Manage Documents  0x00020000  PRINTER_ACE_NT5_MANAGE_DOCUMENTS
-
-	   NT5 likes to rewrite the security descriptor and change the ACE
-	   masks from NT4 format to NT5 format making them unreadable by
-	   NT4 clients. */
-
-	switch (access_type) {
-	case PRINTER_ACCESS_USE:
-		required_access = PRINTER_ACE_NT5_PRINT;
-		break;
-	case PRINTER_ACCESS_ADMINISTER:
-		required_access = PRINTER_ACE_NT5_FULL_CONTROL;
-		break;
-	case JOB_ACCESS_ADMINISTER:
-		required_access = PRINTER_ACE_NT5_MANAGE_DOCUMENTS;
-		break;
-	}	
-
-	result = se_access_check(secdesc->sec, user, required_access,
+	map_printer_permissions(secdesc->sec);
+
+	result = se_access_check(secdesc->sec, user, access_type,
 				 &access_granted, &status);
 
 	/* Check access */
 	
- done:
 	DEBUG(4, ("access check was %s\n", result ? "SUCCESS" : "FAILURE"));
 	
 	/* Free mallocated memory */
diff --git a/source3/printing/printing.c b/source3/printing/printing.c
index 842b97f9c5..57d0c2b8a3 100644
--- a/source3/printing/printing.c
+++ b/source3/printing/printing.c
@@ -575,7 +575,7 @@ BOOL print_job_delete(struct current_user *user, int jobid, int *errcode)
 	   owns their job. */
 
 	if (!owner && 
-	    !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
+	    !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
 		DEBUG(3, ("delete denied by security descriptor\n"));
 		*errcode = ERROR_ACCESS_DENIED;
 		return False;
@@ -617,7 +617,7 @@ BOOL print_job_pause(struct current_user *user, int jobid, int *errcode)
 	owner = is_owner(user, jobid);
 
 	if (!owner &&
-	    !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
+	    !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
 		DEBUG(3, ("pause denied by security descriptor\n"));
 		*errcode = ERROR_ACCESS_DENIED;
 		return False;
@@ -668,7 +668,7 @@ BOOL print_job_resume(struct current_user *user, int jobid, int *errcode)
 	owner = is_owner(user, jobid);
 
 	if (!is_owner(user, jobid) &&
-	    !print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
+	    !print_access_check(user, snum, PRINTER_ACCESS_ADMINISTER)) {
 		DEBUG(3, ("resume denied by security descriptor\n"));
 		*errcode = ERROR_ACCESS_DENIED;
 		return False;
@@ -807,7 +807,7 @@ int print_job_start(struct current_user *user, int snum, char *jobname)
 		return -1;
 	}
 
-	if (print_queue_length(snum) > lp_maxprintjobs(snum)) {
+	if (lp_maxprintjobs(snum) && print_queue_length(snum) > lp_maxprintjobs(snum)) {
 		errno = ENOSPC;
 		return -1;
 	}
@@ -1202,7 +1202,8 @@ BOOL print_queue_purge(struct current_user *user, int snum, int *errcode)
 
 	njobs = print_queue_status(snum, &queue, &status);
 	for (i=0;i<njobs;i++) {
-		if (print_access_check(user, snum, JOB_ACCESS_ADMINISTER)) {
+		if (print_access_check(user, snum, 
+				       PRINTER_ACCESS_ADMINISTER)) {
 			print_job_delete1(queue[i].job);
 		}
 	}