Changed again how the privilege list is handled in the group mapping code.

This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It
makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP
struct as some privilege showing in USRMGR.EXE are not real privs but a
bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT
3.1 box to verify, but I'm too lazy (yes I still have my CDs).

Added 3 more LSA calls: SetSystemAccount, AddPrivileges and
RemovePrivileges, we can manage all this privilege from UserManager.

Time to change the NT_USER_TOKEN struct and add checks in all the rpc
functions. Fun, fun, fun.

        J.F.
(This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)

3 files changed, 329 insertions, 38 deletions

diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index 4331ffca8d..d2b2c60f45 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -482,27 +482,124 @@ static BOOL api_lsa_getsystemaccount(pipes_struct *p)
 
 
 /***************************************************************************
+ api_lsa_setsystemaccount
+ ***************************************************************************/
+
+static BOOL api_lsa_setsystemaccount(pipes_struct *p)
+{
+	LSA_Q_SETSYSTEMACCOUNT q_u;
+	LSA_R_SETSYSTEMACCOUNT r_u;
+	
+	prs_struct *data = &p->in_data.data;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	ZERO_STRUCT(q_u);
+	ZERO_STRUCT(r_u);
+
+	if(!lsa_io_q_setsystemaccount("", &q_u, data, 0)) {
+		DEBUG(0,("api_lsa_setsystemaccount: failed to unmarshall LSA_Q_SETSYSTEMACCOUNT.\n"));
+		return False;
+	}
+
+	r_u.status = _lsa_setsystemaccount(p, &q_u, &r_u);
+
+	/* store the response in the SMB stream */
+	if(!lsa_io_r_setsystemaccount("", &r_u, rdata, 0)) {
+		DEBUG(0,("api_lsa_setsystemaccount: Failed to marshall LSA_R_SETSYSTEMACCOUNT.\n"));
+		return False;
+	}
+
+	return True;
+}
+
+/***************************************************************************
+ api_lsa_addprivs
+ ***************************************************************************/
+
+static BOOL api_lsa_addprivs(pipes_struct *p)
+{
+	LSA_Q_ADDPRIVS q_u;
+	LSA_R_ADDPRIVS r_u;
+	
+	prs_struct *data = &p->in_data.data;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	ZERO_STRUCT(q_u);
+	ZERO_STRUCT(r_u);
+
+	if(!lsa_io_q_addprivs("", &q_u, data, 0)) {
+		DEBUG(0,("api_lsa_addprivs: failed to unmarshall LSA_Q_ADDPRIVS.\n"));
+		return False;
+	}
+
+	r_u.status = _lsa_addprivs(p, &q_u, &r_u);
+
+	/* store the response in the SMB stream */
+	if(!lsa_io_r_addprivs("", &r_u, rdata, 0)) {
+		DEBUG(0,("api_lsa_addprivs: Failed to marshall LSA_R_ADDPRIVS.\n"));
+		return False;
+	}
+
+	return True;
+}
+
+/***************************************************************************
+ api_lsa_removeprivs
+ ***************************************************************************/
+
+static BOOL api_lsa_removeprivs(pipes_struct *p)
+{
+	LSA_Q_REMOVEPRIVS q_u;
+	LSA_R_REMOVEPRIVS r_u;
+	
+	prs_struct *data = &p->in_data.data;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	ZERO_STRUCT(q_u);
+	ZERO_STRUCT(r_u);
+
+	if(!lsa_io_q_removeprivs("", &q_u, data, 0)) {
+		DEBUG(0,("api_lsa_removeprivs: failed to unmarshall LSA_Q_REMOVEPRIVS.\n"));
+		return False;
+	}
+
+	r_u.status = _lsa_removeprivs(p, &q_u, &r_u);
+
+	/* store the response in the SMB stream */
+	if(!lsa_io_r_removeprivs("", &r_u, rdata, 0)) {
+		DEBUG(0,("api_lsa_removeprivs: Failed to marshall LSA_R_REMOVEPRIVS.\n"));
+		return False;
+	}
+
+	return True;
+}
+
+
+/***************************************************************************
  \PIPE\ntlsa commands
  ***************************************************************************/
 
 static struct api_struct api_lsa_cmds[] =
 {
-	{ "LSA_OPENPOLICY2"     , LSA_OPENPOLICY2     , api_lsa_open_policy2   },
-	{ "LSA_OPENPOLICY"      , LSA_OPENPOLICY      , api_lsa_open_policy    },
-	{ "LSA_QUERYINFOPOLICY" , LSA_QUERYINFOPOLICY , api_lsa_query_info     },
-	{ "LSA_ENUMTRUSTDOM"    , LSA_ENUMTRUSTDOM    , api_lsa_enum_trust_dom },
-	{ "LSA_CLOSE"           , LSA_CLOSE           , api_lsa_close          },
-	{ "LSA_OPENSECRET"      , LSA_OPENSECRET      , api_lsa_open_secret    },
-	{ "LSA_LOOKUPSIDS"      , LSA_LOOKUPSIDS      , api_lsa_lookup_sids    },
-	{ "LSA_LOOKUPNAMES"     , LSA_LOOKUPNAMES     , api_lsa_lookup_names   },
-	{ "LSA_ENUM_PRIVS"      , LSA_ENUM_PRIVS      , api_lsa_enum_privs     },
+	{ "LSA_OPENPOLICY2"     , LSA_OPENPOLICY2     , api_lsa_open_policy2     },
+	{ "LSA_OPENPOLICY"      , LSA_OPENPOLICY      , api_lsa_open_policy      },
+	{ "LSA_QUERYINFOPOLICY" , LSA_QUERYINFOPOLICY , api_lsa_query_info       },
+	{ "LSA_ENUMTRUSTDOM"    , LSA_ENUMTRUSTDOM    , api_lsa_enum_trust_dom   },
+	{ "LSA_CLOSE"           , LSA_CLOSE           , api_lsa_close            },
+	{ "LSA_OPENSECRET"      , LSA_OPENSECRET      , api_lsa_open_secret      },
+	{ "LSA_LOOKUPSIDS"      , LSA_LOOKUPSIDS      , api_lsa_lookup_sids      },
+	{ "LSA_LOOKUPNAMES"     , LSA_LOOKUPNAMES     , api_lsa_lookup_names     },
+	{ "LSA_ENUM_PRIVS"      , LSA_ENUM_PRIVS      , api_lsa_enum_privs       },
 	{ "LSA_PRIV_GET_DISPNAME",LSA_PRIV_GET_DISPNAME,api_lsa_priv_get_dispname},
-	{ "LSA_ENUM_ACCOUNTS"   , LSA_ENUM_ACCOUNTS   , api_lsa_enum_accounts  },
-	{ "LSA_UNK_GET_CONNUSER", LSA_UNK_GET_CONNUSER, api_lsa_unk_get_connuser},
-	{ "LSA_OPENACCOUNT"     , LSA_OPENACCOUNT     , api_lsa_open_account    },
+	{ "LSA_ENUM_ACCOUNTS"   , LSA_ENUM_ACCOUNTS   , api_lsa_enum_accounts    },
+	{ "LSA_UNK_GET_CONNUSER", LSA_UNK_GET_CONNUSER, api_lsa_unk_get_connuser },
+	{ "LSA_OPENACCOUNT"     , LSA_OPENACCOUNT     , api_lsa_open_account     },
 	{ "LSA_ENUMPRIVSACCOUNT", LSA_ENUMPRIVSACCOUNT, api_lsa_enum_privsaccount},
-	{ "LSA_GETSYSTEMACCOUNT", LSA_GETSYSTEMACCOUNT, api_lsa_getsystemaccount},
-	{ NULL                  , 0                   , NULL                   }
+	{ "LSA_GETSYSTEMACCOUNT", LSA_GETSYSTEMACCOUNT, api_lsa_getsystemaccount },
+	{ "LSA_SETSYSTEMACCOUNT", LSA_SETSYSTEMACCOUNT, api_lsa_setsystemaccount },
+	{ "LSA_ADDPRIVS"        , LSA_ADDPRIVS        , api_lsa_addprivs         },
+	{ "LSA_REMOVEPRIVS"     , LSA_REMOVEPRIVS     , api_lsa_removeprivs      },
+	{ NULL                  , 0                   , NULL                     }
 };
 
 /***************************************************************************
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index bf5d24188e..b16e3836f6 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -563,7 +563,7 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
 			init_uni_hdr(&entry->hdr_name, strlen(privs[i+1].priv));
 			init_unistr2(&entry->name, privs[i+1].priv, strlen(privs[i+1].priv) );
 			entry->luid_low = privs[i+1].se_priv;
-			entry->luid_high = 1;
+			entry->luid_high = 0;
 		}
 	}
 
@@ -601,7 +601,7 @@ NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, L
 		r_u->lang_id=q_u->lang_id;
 		return NT_STATUS_OK;
 	} else {
-		DEBUG(10,(": doesn't exist\n"));
+		DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
 		r_u->ptr_info=0;
 		return NT_STATUS_NO_SUCH_PRIVILEGE;
 	}
@@ -717,7 +717,6 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 {
 	struct lsa_info *info=NULL;
 	GROUP_MAP map;
-	uint32 count=0;
 	int i=0;
 
 	LUID_ATTR *set=NULL;
@@ -731,21 +730,26 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 	if (!get_group_map_from_sid(info->sid, &map))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
-		if ( check_priv_in_privilege(map.privileges, privs[i].se_priv)) {
-			
-			set=(LUID_ATTR *)talloc_realloc(p->mem_ctx, set, (count+1)*sizeof(LUID_ATTR));
-			if (set == NULL) return NT_STATUS_NO_MEMORY;
-
-			set[count].luid.low=privs[i].se_priv;
-			set[count].luid.high=1;
-			set[count].attr=0;
-			
-			count++;		
+	DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count));
+	if (map.priv_set.count!=0) {
+	
+		set=(LUID_ATTR *)talloc(p->mem_ctx, map.priv_set.count*sizeof(LUID_ATTR));
+		if (set == NULL) {
+			free_privilege(&map.priv_set);	
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		for (i=0; i<map.priv_set.count; i++) {
+			set[i].luid.low=map.priv_set.set[i].luid.low;
+			set[i].luid.high=map.priv_set.set[i].luid.high;
+			set[i].attr=map.priv_set.set[i].attr;
+			DEBUG(10,("_lsa_enum_privsaccount: priv %d: %d:%d:%d\n", i, 
+				   set[i].luid.high, set[i].luid.low, set[i].attr));
 		}
 	}
 
-	init_lsa_r_enum_privsaccount(r_u, set, count, 0);	
+	init_lsa_r_enum_privsaccount(r_u, set, map.priv_set.count, 0);	
+	free_privilege(&map.priv_set);	
 
 	return r_u->status;
 }
@@ -756,13 +760,154 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 
 NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u)
 {
+	struct lsa_info *info=NULL;
+	GROUP_MAP map;
 	r_u->status = NT_STATUS_OK;
 
 	/* find the connection policy handle. */
-	if (!find_policy_by_hnd(p, &q_u->pol, NULL))
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	r_u->access=3;
+	if (!get_group_map_from_sid(info->sid, &map))
+		return NT_STATUS_NO_SUCH_GROUP;
+
+	/*
+	  0x01 -> Log on locally
+	  0x02 -> Access this computer from network
+	  0x04 -> Log on as a batch job
+	  0x10 -> Log on as a service
+	  
+	  they can be ORed together
+	*/
+
+	r_u->access=map.systemaccount;
 
 	return r_u->status;
 }
+
+/***************************************************************************
+  update the systemaccount information
+ ***************************************************************************/
+
+NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA_R_SETSYSTEMACCOUNT *r_u)
+{
+	struct lsa_info *info=NULL;
+	GROUP_MAP map;
+	r_u->status = NT_STATUS_OK;
+
+	/* find the connection policy handle. */
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
+		return NT_STATUS_INVALID_HANDLE;
+
+	if (!get_group_map_from_sid(info->sid, &map))
+		return NT_STATUS_NO_SUCH_GROUP;
+
+	map.systemaccount=q_u->access;
+
+	if(!add_mapping_entry(&map, TDB_REPLACE))
+		return NT_STATUS_NO_SUCH_GROUP;
+
+	return r_u->status;
+}
+
+/***************************************************************************
+ For a given SID, add some privileges.
+ ***************************************************************************/
+
+NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
+{
+	struct lsa_info *info=NULL;
+	GROUP_MAP map;
+	int i=0;
+
+	LUID_ATTR *luid_attr=NULL;
+	PRIVILEGE_SET *set=NULL;
+
+	r_u->status = NT_STATUS_OK;
+
+	/* find the connection policy handle. */
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
+		return NT_STATUS_INVALID_HANDLE;
+
+	if (!get_group_map_from_sid(info->sid, &map))
+		return NT_STATUS_NO_SUCH_GROUP;
+
+	set=&q_u->set;
+
+	for (i=0; i<set->count; i++) {
+		luid_attr=&set->set[i];
+		
+		/* check if the privilege is already there */
+		if (check_priv_in_privilege(&map.priv_set, *luid_attr)){
+			free_privilege(&map.priv_set);
+			return NT_STATUS_NO_SUCH_PRIVILEGE;
+		}
+		
+		add_privilege(&map.priv_set, *luid_attr);
+	}
+
+	if(!add_mapping_entry(&map, TDB_REPLACE))
+		return NT_STATUS_NO_SUCH_GROUP;
+	
+	free_privilege(&map.priv_set);	
+
+	return r_u->status;
+}
+
+/***************************************************************************
+ For a given SID, remove some privileges.
+ ***************************************************************************/
+
+NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
+{
+	struct lsa_info *info=NULL;
+	GROUP_MAP map;
+	int i=0;
+
+	LUID_ATTR *luid_attr=NULL;
+	PRIVILEGE_SET *set=NULL;
+
+	r_u->status = NT_STATUS_OK;
+
+	/* find the connection policy handle. */
+	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
+		return NT_STATUS_INVALID_HANDLE;
+
+	if (!get_group_map_from_sid(info->sid, &map))
+		return NT_STATUS_NO_SUCH_GROUP;
+
+	if (q_u->allrights!=0) {
+		/* log it and return, until I see one myself don't do anything */
+		DEBUG(5,("_lsa_removeprivs: trying to remove all privileges ?\n"));
+		return NT_STATUS_OK;
+	}
+
+	if (q_u->ptr==0) {
+		/* log it and return, until I see one myself don't do anything */
+		DEBUG(5,("_lsa_removeprivs: no privileges to remove ?\n"));
+		return NT_STATUS_OK;
+	}
+
+	set=&q_u->set;
+
+	for (i=0; i<set->count; i++) {
+		luid_attr=&set->set[i];
+		
+		/* if we don't have the privilege, we're trying to remove, give up */
+		/* what else can we do ??? JFM. */
+		if (!check_priv_in_privilege(&map.priv_set, *luid_attr)){
+			free_privilege(&map.priv_set);
+			return NT_STATUS_NO_SUCH_PRIVILEGE;
+		}
+		
+		remove_privilege(&map.priv_set, *luid_attr);
+	}
+
+	if(!add_mapping_entry(&map, TDB_REPLACE))
+		return NT_STATUS_NO_SUCH_GROUP;
+	
+	free_privilege(&map.priv_set);	
+
+	return r_u->status;
+}
+
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 12b37834d8..112b1bb293 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -813,13 +813,16 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
 		enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED);
 		
 		if (num_entries != 0) {
+			for (i=0; i<num_entries; i++)
+				free_privilege(&(map[i].priv_set));
+		
 			*d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
 			if (*d_grp==NULL)
 				return NT_STATUS_NO_MEMORY;
 			
 			for(i=0; i<num_entries && i<max_entries; i++) {
 				fstrcpy((*d_grp)[i].name, map[i+start_idx].nt_name);
-				sid_split_rid(&map[i].sid, &(*d_grp)[i].rid);
+				sid_split_rid(&map[i+start_idx].sid, &(*d_grp)[i].rid);
 				
 			}
 		}
@@ -851,6 +854,12 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
 				continue;
 			}
 
+			/*
+			 * free early the privilege struct as it's not used
+			 * and prevent leaking mem.
+			 */
+			free_privilege(&smap.priv_set);
+			
 			if (smap.sid_name_use!=SID_NAME_ALIAS) {
 				continue;
 			}
@@ -873,8 +882,9 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
 				if ( (*d_grp)[i].rid == trid )
 					break;
 
-			if ( i < num_entries )
+			if ( i < num_entries ) {
 				continue; /* rid was there, dup! */
+			}
 
 			/* JRA - added this for large group db enumeration... */
 
@@ -925,6 +935,13 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO
 	*p_num_entries = 0;
 
 	enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
+			
+	/*
+	 * free early the privilege struct as it's not used
+	 * and prevent leaking mem.
+	 */
+	for (i=0; i<group_entries; i++)
+		free_privilege(&(map[i].priv_set));
 
 	num_entries=group_entries-start_idx;
 
@@ -2702,6 +2719,8 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_
 		}
 	}
 
+	free_privilege(&map.priv_set);
+
 	if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
 		return NT_STATUS_NO_SUCH_ALIAS;
 
@@ -2762,6 +2781,8 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_
 	if(!get_domain_group_from_sid(group_sid, &map))
 		return NT_STATUS_NO_SUCH_GROUP;
 
+	free_privilege(&map.priv_set);
+
 	if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
 		return NT_STATUS_NO_SUCH_GROUP;
 
@@ -2817,7 +2838,9 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
 		} else
 			return NT_STATUS_NO_SUCH_ALIAS;
 	}
-	
+
+	free_privilege(&map.priv_set);
+
 	sid_split_rid(&q_u->sid.sid, &rid);
 	uid=pdb_user_rid_to_uid(rid);
 
@@ -2885,6 +2908,8 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
 	if(!get_domain_group_from_sid(group_sid, &map))
 		return NT_STATUS_NO_SUCH_GROUP;
 
+	free_privilege(&map.priv_set);
+
 	if ((pwd=getpwuid(pdb_user_rid_to_uid(q_u->rid))) ==NULL)
 		return NT_STATUS_NO_SUCH_USER;
 
@@ -2968,6 +2993,8 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S
 	if(!get_domain_group_from_sid(group_sid, &map))
 		return NT_STATUS_NO_SUCH_ALIAS;
 
+	free_privilege(&map.priv_set);
+
 	gid=map.gid;
 
 	/* check if group really exists */
@@ -3025,6 +3052,8 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S
 	if(!get_local_group_from_sid(alias_sid, &map))
 		return NT_STATUS_NO_SUCH_ALIAS;
 
+	free_privilege(&map.priv_set);
+
 	gid=map.gid;
 
 	/* check if group really exists */
@@ -3059,6 +3088,9 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	fstring sid_string;
 	struct group *grp;
 	struct samr_info *info;
+	PRIVILEGE_SET priv_set;
+
+	init_privilege(&priv_set);
 
 	/* Find the policy handle. Open a policy on it. */
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) 
@@ -3085,7 +3117,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
 
 	/* add the group to the mapping table */
-	if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, SE_PRIV_NONE))
+	if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK))
 		return NT_STATUS_ACCESS_DENIED;
 
 	if ((info = (struct samr_info *)malloc(sizeof(struct samr_info))) == NULL)
@@ -3115,6 +3147,9 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 	fstring sid_string;
 	struct group *grp;
 	struct samr_info *info;
+	PRIVILEGE_SET priv_set;
+
+	init_privilege(&priv_set);
 
 	/* Find the policy handle. Open a policy on it. */
 	if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) 
@@ -3150,7 +3185,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 	sid_to_string(sid_string, &info->sid);
 
 	/* add the group to the mapping table */
-	if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, SE_PRIV_NONE))
+	if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK))
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* get a (unique) handle.  open a policy on it. */
@@ -3180,6 +3215,8 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM
 
 	if (!get_domain_group_from_sid(group_sid, &map))
 		return NT_STATUS_INVALID_HANDLE;
+
+	free_privilege(&map.priv_set);
 	
 	ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR));
 	if (ctr==NULL)
@@ -3234,11 +3271,16 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_
 			unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
 			break;
 		default:
+			free_privilege(&map.priv_set);
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!add_mapping_entry(&map, TDB_REPLACE))
+	if(!add_mapping_entry(&map, TDB_REPLACE)) {
+		free_privilege(&map.priv_set);
 		return NT_STATUS_NO_SUCH_GROUP;
+	}
+
+	free_privilege(&map.priv_set);
 
 	return NT_STATUS_OK;
 }
@@ -3268,11 +3310,16 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_
 			unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1);
 			break;
 		default:
+			free_privilege(&map.priv_set);
 			return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	if(!add_mapping_entry(&map, TDB_REPLACE))
+	if(!add_mapping_entry(&map, TDB_REPLACE)) {
+		free_privilege(&map.priv_set);
 		return NT_STATUS_NO_SUCH_GROUP;
+	}
+
+	free_privilege(&map.priv_set);
 
 	return NT_STATUS_OK;
 }
@@ -3320,6 +3367,8 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G
 	if (!get_domain_group_from_sid(info->sid, &map))
 		return NT_STATUS_NO_SUCH_USER;
 
+	free_privilege(&map.priv_set);
+
 	/* get a (unique) handle.  open a policy on it. */
 	if (!create_policy_hnd(p, &r_u->pol, free_samr_info, (void *)info))
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;