Merge branch 'master' of ssh://jra@git.samba.org/data/git/samba

6 files changed, 176 insertions, 68 deletions

diff --git a/source3/rpc_server/srv_eventlog_nt.c b/source3/rpc_server/srv_eventlog_nt.c
index e56a2e9095..3c7469f3ef 100644
--- a/source3/rpc_server/srv_eventlog_nt.c
+++ b/source3/rpc_server/srv_eventlog_nt.c
@@ -456,14 +456,14 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info )
 	if ( !W_ERROR_IS_OK( wresult ) ) {
 		DEBUG( 4,
 		       ( "sync_eventlog_params: Failed to open key [%s] (%s)\n",
-			 path, dos_errstr( wresult ) ) );
+			 path, win_errstr( wresult ) ) );
 		return false;
 	}
 
 	wresult = reg_queryvalue(key, key, "Retention", &value);
 	if (!W_ERROR_IS_OK(wresult)) {
 		DEBUG(4, ("Failed to query value \"Retention\": %s\n",
-			  dos_errstr(wresult)));
+			  win_errstr(wresult)));
 		ret = false;
 		goto done;
 	}
@@ -472,7 +472,7 @@ static bool sync_eventlog_params( EVENTLOG_INFO *info )
 	wresult = reg_queryvalue(key, key, "MaxSize", &value);
 	if (!W_ERROR_IS_OK(wresult)) {
 		DEBUG(4, ("Failed to query value \"MaxSize\": %s\n",
-			  dos_errstr(wresult)));
+			  win_errstr(wresult)));
 		ret = false;
 		goto done;
 	}
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 75fc99401e..45acd3ed48 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -981,7 +981,7 @@ NTSTATUS _netr_LogonSamLogon(pipes_struct *p,
 		memcpy(pipe_session_key, p->auth.a_u.schannel_auth->sess_key, 16);
 	}
 
-	status = serverinfo_to_SamInfo3(server_info, pipe_session_key, sam3);
+	status = serverinfo_to_SamInfo3(server_info, pipe_session_key, 16, sam3);
 	TALLOC_FREE(server_info);
 	return status;
 }
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index b892755396..d359b9b339 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -20,6 +20,7 @@
  */
 
 #include "includes.h"
+#include "librpc/gen_ndr/ndr_named_pipe_auth.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -944,6 +945,17 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
 	struct np_proxy_state *result;
 	struct sockaddr_un addr;
 	char *socket_path;
+	const char *socket_dir;
+
+	DATA_BLOB req_blob;
+	struct netr_SamInfo3 *info3;
+	struct named_pipe_auth_req req;
+	DATA_BLOB rep_blob;
+	uint8 rep_buf[20];
+	struct named_pipe_auth_rep rep;
+	enum ndr_err_code ndr_err;
+	NTSTATUS status;
+	ssize_t written;
 
 	result = talloc(mem_ctx, struct np_proxy_state);
 	if (result == NULL) {
@@ -961,8 +973,16 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
 	ZERO_STRUCT(addr);
 	addr.sun_family = AF_UNIX;
 
-	socket_path = talloc_asprintf(talloc_tos(), "%s/%s",
-				      get_dyn_NCALRPCDIR(), "DEFAULT");
+	socket_dir = lp_parm_const_string(
+		GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",
+		get_dyn_NCALRPCDIR());
+	if (socket_dir == NULL) {
+		DEBUG(0, ("externan_rpc_pipe:socket_dir not set\n"));
+		goto fail;
+	}
+
+	socket_path = talloc_asprintf(talloc_tos(), "%s/np/%s",
+				      socket_dir, pipe_name);
 	if (socket_path == NULL) {
 		DEBUG(0, ("talloc_asprintf failed\n"));
 		goto fail;
@@ -970,11 +990,96 @@ static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
 	strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
 	TALLOC_FREE(socket_path);
 
+	become_root();
 	if (sys_connect(result->fd, (struct sockaddr *)&addr) == -1) {
+		unbecome_root();
 		DEBUG(0, ("connect(%s) failed: %s\n", addr.sun_path,
 			  strerror(errno)));
 		goto fail;
 	}
+	unbecome_root();
+
+	info3 = talloc(talloc_tos(), struct netr_SamInfo3);
+	if (info3 == NULL) {
+		DEBUG(0, ("talloc failed\n"));
+		goto fail;
+	}
+
+	status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info3);
+		DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
+			  nt_errstr(status)));
+		goto fail;
+	}
+
+	req.level = 1;
+	req.info.info1 = *info3;
+
+	ndr_err = ndr_push_struct_blob(
+		&req_blob, talloc_tos(), NULL, &req,
+		(ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(10, ("ndr_push_named_pipe_auth_req failed: %s\n",
+			   ndr_errstr(ndr_err)));
+		goto fail;
+	}
+
+	DEBUG(10, ("named_pipe_auth_req(client)[%u]\n", (uint32_t)req_blob.length));
+	dump_data(10, req_blob.data, req_blob.length);
+
+	written = write_data(result->fd, (char *)req_blob.data,
+			     req_blob.length);
+	if (written == -1) {
+		DEBUG(3, ("Could not write auth req data to RPC server\n"));
+		goto fail;
+	}
+
+	status = read_data(result->fd, (char *)rep_buf, sizeof(rep_buf));
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(3, ("Could not read auth result\n"));
+		goto fail;
+	}
+
+	rep_blob = data_blob_const(rep_buf, sizeof(rep_buf));
+
+	DEBUG(10,("name_pipe_auth_rep(client)[%u]\n", (uint32_t)rep_blob.length));
+	dump_data(10, rep_blob.data, rep_blob.length);
+
+	ndr_err = ndr_pull_struct_blob(
+		&rep_blob, talloc_tos(), NULL, &rep,
+		(ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_rep);
+
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		DEBUG(0, ("ndr_pull_named_pipe_auth_rep failed: %s\n",
+			  ndr_errstr(ndr_err)));
+		goto fail;
+	}
+
+	if (rep.length != 16) {
+		DEBUG(0, ("req invalid length: %u != 16\n",
+			  rep.length));
+		goto fail;
+	}
+
+	if (strcmp(NAMED_PIPE_AUTH_MAGIC, rep.magic) != 0) {
+		DEBUG(0, ("req invalid magic: %s != %s\n",
+			  rep.magic, NAMED_PIPE_AUTH_MAGIC));
+		goto fail;
+	}
+
+	if (!NT_STATUS_IS_OK(rep.status)) {
+		DEBUG(0, ("req failed: %s\n",
+			  nt_errstr(rep.status)));
+		goto fail;
+	}
+
+	if (rep.level != 1) {
+		DEBUG(0, ("req invalid level: %u != 1\n",
+			  rep.level));
+		goto fail;
+	}
 
 	return result;
 
@@ -1046,7 +1151,7 @@ NTSTATUS np_open(struct smb_request *smb_req, struct connection_struct *conn,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS np_write(struct files_struct *fsp, uint8_t *data, size_t len,
+NTSTATUS np_write(struct files_struct *fsp, const uint8_t *data, size_t len,
 		  ssize_t *nwritten)
 {
 	if (!fsp_is_np(fsp)) {
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 97da3a4f3d..62ac1cb5c3 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -38,13 +38,16 @@
 
 #define SAMR_USR_RIGHTS_WRITE_PW \
 		( READ_CONTROL_ACCESS		| \
-		  SA_RIGHT_USER_CHANGE_PASSWORD	| \
-		  SA_RIGHT_USER_SET_LOC_COM )
+		  SAMR_USER_ACCESS_CHANGE_PASSWORD	| \
+		  SAMR_USER_ACCESS_SET_LOC_COM)
 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
-		( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
+		( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
 
 #define DISP_INFO_CACHE_TIMEOUT 10
 
+#define MAX_SAM_ENTRIES_W2K 0x400 /* 1024 */
+#define MAX_SAM_ENTRIES_W95 50
+
 typedef struct disp_info {
 	DOM_SID sid; /* identify which domain this is. */
 	bool builtin_domain; /* Quick flag to check if this is the builtin domain. */
@@ -91,7 +94,7 @@ static const struct generic_mapping usr_generic_mapping = {
 static const struct generic_mapping usr_nopwchange_generic_mapping = {
 	GENERIC_RIGHTS_USER_READ,
 	GENERIC_RIGHTS_USER_WRITE,
-	GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
+	GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
 	GENERIC_RIGHTS_USER_ALL_ACCESS};
 static const struct generic_mapping grp_generic_mapping = {
 	GENERIC_RIGHTS_GROUP_READ,
@@ -622,7 +625,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_SAM_OPEN_DOMAIN,
+					    SAMR_ACCESS_OPEN_DOMAIN,
 					    "_samr_OpenDomain" );
 
 	if ( !NT_STATUS_IS_OK(status) )
@@ -791,7 +794,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
 		if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
 			ret = pdb_set_pass_can_change(sampass,
 				(dacl->aces[i].access_mask &
-				 SA_RIGHT_USER_CHANGE_PASSWORD) ?
+				 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
 						      True: False);
 			break;
 		}
@@ -803,7 +806,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
 	}
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_USER_SET_ATTRIBUTES,
+					    SAMR_USER_ACCESS_SET_ATTRIBUTES,
 					    "_samr_SetSecurity");
 	if (NT_STATUS_IS_OK(status)) {
 		become_root();
@@ -990,7 +993,7 @@ NTSTATUS _samr_EnumDomainUsers(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_EnumDomainUsers");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1129,7 +1132,7 @@ NTSTATUS _samr_EnumDomainGroups(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_EnumDomainGroups");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1209,7 +1212,7 @@ NTSTATUS _samr_EnumDomainAliases(pipes_struct *p,
 		 sid_string_dbg(&info->sid)));
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_EnumDomainAliases");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1482,7 +1485,7 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_QueryDisplayInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1737,7 +1740,7 @@ NTSTATUS _samr_QueryAliasInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_ALIAS_LOOKUP_INFO,
+					    SAMR_ALIAS_ACCESS_LOOKUP_INFO,
 					    "_samr_QueryAliasInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -2062,8 +2065,8 @@ NTSTATUS _samr_LookupRids(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
-					    "_samr__LookupRids");
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
+					    "_samr_LookupRids");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2146,7 +2149,7 @@ NTSTATUS _samr_OpenUser(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	nt_status = access_check_samr_function(acc_granted,
-					       SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
+					       SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 					       "_samr_OpenUser" );
 
 	if ( !NT_STATUS_IS_OK(nt_status) )
@@ -2641,7 +2644,7 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
+					    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 					    "_samr_QueryUserInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -2764,7 +2767,7 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	result = access_check_samr_function(acc_granted,
-					    SA_RIGHT_USER_GET_GROUPS,
+					    SAMR_USER_ACCESS_GET_GROUPS,
 					    "_samr_GetGroupsForUser");
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
@@ -2891,7 +2894,7 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
 	}
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_SAM_OPEN_DOMAIN,
+					    SAMR_ACCESS_OPEN_DOMAIN,
 					    "_samr_QueryDomainInfo" );
 
 	if ( !NT_STATUS_IS_OK(status) )
@@ -3147,7 +3150,7 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	nt_status = access_check_samr_function(acc_granted,
-					       SA_RIGHT_DOMAIN_CREATE_USER,
+					       SAMR_DOMAIN_ACCESS_CREATE_USER,
 					       "_samr_CreateUser2");
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
@@ -3284,14 +3287,14 @@ NTSTATUS _samr_Connect(pipes_struct *p,
 	if ((info = get_samr_info_by_sid(NULL)) == NULL)
 		return NT_STATUS_NO_MEMORY;
 
-	/* don't give away the farm but this is probably ok.  The SA_RIGHT_SAM_ENUM_DOMAINS
+	/* don't give away the farm but this is probably ok.  The SAMR_ACCESS_ENUM_DOMAINS
 	   was observed from a win98 client trying to enumerate users (when configured
 	   user level access control on shares)   --jerry */
 
 	map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
 
 	se_map_generic( &des_access, &sam_generic_mapping );
-	info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);
+	info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
 
 	/* get a (unique) handle.  open a policy on it. */
 	if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
@@ -3474,11 +3477,11 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	/* win9x user manager likes to use SA_RIGHT_SAM_ENUM_DOMAINS here.
+	/* win9x user manager likes to use SAMR_ACCESS_ENUM_DOMAINS here.
 	   Reverted that change so we will work with RAS servers again */
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_SAM_OPEN_DOMAIN,
+					    SAMR_ACCESS_OPEN_DOMAIN,
 					    "_samr_LookupDomain");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -3524,7 +3527,7 @@ NTSTATUS _samr_EnumDomains(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_SAM_ENUM_DOMAINS,
+					    SAMR_ACCESS_ENUM_DOMAINS,
 					    "_samr_EnumDomains");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -3582,7 +3585,7 @@ NTSTATUS _samr_OpenAlias(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
+					    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 					    "_samr_OpenAlias");
 
 	if ( !NT_STATUS_IS_OK(status) )
@@ -4109,9 +4112,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 	}
 
 	/* This is tricky.  A WinXP domain join sets
-	  (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
+	  (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
 	  The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser().  But the
-	  standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
+	  standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
 	  This should be enough for levels 18, 24, 25,& 26.  Info level 23 can set more so
 	  we'll use the set from the WinXP join as the basis. */
 
@@ -4120,12 +4123,12 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 	case 24:
 	case 25:
 	case 26:
-		acc_required = SA_RIGHT_USER_SET_PASSWORD;
+		acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
 		break;
 	default:
-		acc_required = SA_RIGHT_USER_SET_PASSWORD |
-			       SA_RIGHT_USER_SET_ATTRIBUTES |
-			       SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
+		acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
+			       SAMR_USER_ACCESS_SET_ATTRIBUTES |
+			       SAMR_USER_ACCESS_GET_ATTRIBUTES;
 		break;
 	}
 
@@ -4342,10 +4345,10 @@ NTSTATUS _samr_GetAliasMembership(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	ntstatus1 = access_check_samr_function(info->acc_granted,
-					       SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM,
+					       SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
 					       "_samr_GetAliasMembership");
 	ntstatus2 = access_check_samr_function(info->acc_granted,
-					       SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
+					       SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 					       "_samr_GetAliasMembership");
 
 	if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
@@ -4412,7 +4415,7 @@ NTSTATUS _samr_GetMembersInAlias(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_ALIAS_GET_MEMBERS,
+					    SAMR_ALIAS_ACCESS_GET_MEMBERS,
 					    "_samr_GetMembersInAlias");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4480,7 +4483,7 @@ NTSTATUS _samr_QueryGroupMember(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_GROUP_GET_MEMBERS,
+					    SAMR_GROUP_ACCESS_GET_MEMBERS,
 					    "_samr_QueryGroupMember");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4544,7 +4547,7 @@ NTSTATUS _samr_AddAliasMember(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_ALIAS_ADD_MEMBER,
+					    SAMR_ALIAS_ACCESS_ADD_MEMBER,
 					    "_samr_AddAliasMember");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4593,7 +4596,7 @@ NTSTATUS _samr_DeleteAliasMember(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_ALIAS_REMOVE_MEMBER,
+					    SAMR_ALIAS_ACCESS_REMOVE_MEMBER,
 					    "_samr_DeleteAliasMember");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4644,7 +4647,7 @@ NTSTATUS _samr_AddGroupMember(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_GROUP_ADD_MEMBER,
+					    SAMR_GROUP_ACCESS_ADD_MEMBER,
 					    "_samr_AddGroupMember");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4704,7 +4707,7 @@ NTSTATUS _samr_DeleteGroupMember(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_GROUP_REMOVE_MEMBER,
+					    SAMR_GROUP_ACCESS_REMOVE_MEMBER,
 					    "_samr_DeleteGroupMember");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -4985,7 +4988,7 @@ NTSTATUS _samr_CreateDomainGroup(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_DOMAIN_CREATE_GROUP,
+					    SAMR_DOMAIN_ACCESS_CREATE_GROUP,
 					    "_samr_CreateDomainGroup");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5067,7 +5070,7 @@ NTSTATUS _samr_CreateDomAlias(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	result = access_check_samr_function(acc_granted,
-					    SA_RIGHT_DOMAIN_CREATE_ALIAS,
+					    SAMR_DOMAIN_ACCESS_CREATE_ALIAS,
 					    "_samr_CreateDomAlias");
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
@@ -5159,7 +5162,7 @@ NTSTATUS _samr_QueryGroupInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_GROUP_LOOKUP_INFO,
+					    SAMR_GROUP_ACCESS_LOOKUP_INFO,
 					    "_samr_QueryGroupInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5265,7 +5268,7 @@ NTSTATUS _samr_SetGroupInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_GROUP_SET_INFO,
+					    SAMR_GROUP_ACCESS_SET_INFO,
 					    "_samr_SetGroupInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5330,7 +5333,7 @@ NTSTATUS _samr_SetAliasInfo(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_ALIAS_SET_INFO,
+					    SAMR_ALIAS_ACCESS_SET_INFO,
 					    "_samr_SetAliasInfo");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -5474,7 +5477,7 @@ NTSTATUS _samr_OpenGroup(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_DOMAIN_OPEN_ACCOUNT,
+					    SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 					    "_samr_OpenGroup");
 
 	if ( !NT_STATUS_IS_OK(status) )
@@ -5628,11 +5631,11 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
 	 * levels here, but we're really just looking for
 	 * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
 	 * this maps to different specific bits. So
-	 * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
+	 * assume if we have SAMR_DOMAIN_ACCESS_SET_INFO_1
 	 * set we are ok. */
 
 	result = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_SET_INFO_1,
+					    SAMR_DOMAIN_ACCESS_SET_INFO_1,
 					    "_samr_SetDomainInfo");
 
 	if (!NT_STATUS_IS_OK(result))
@@ -5705,7 +5708,7 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
 	}
 
 	status = access_check_samr_function(info->acc_granted,
-					    SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
+					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_GetDisplayEnumerationIndex");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index cafe9fc9af..577f7f1ded 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -171,7 +171,7 @@ static void srv_spoolss_replycloseprinter(int snum, POLICY_HND *handle)
 
 	if (!W_ERROR_IS_OK(result))
 		DEBUG(0,("srv_spoolss_replycloseprinter: reply_close_printer failed [%s].\n",
-			dos_errstr(result)));
+			win_errstr(result)));
 
 	/* if it's the last connection, deconnect the IPC$ share */
 	if (smb_connections==1) {
@@ -541,7 +541,7 @@ static bool set_printer_hnd_name(Printer_entry *Printer, char *handlename)
 		result = get_a_printer_search( NULL, &printer, 2, sname );
 		if ( !W_ERROR_IS_OK(result) ) {
 			DEBUG(0,("set_printer_hnd_name: failed to lookup printer [%s] -- result [%s]\n",
-				sname, dos_errstr(result)));
+				sname, win_errstr(result)));
 			continue;
 		}
 
@@ -1284,7 +1284,7 @@ void do_drv_upgrade_printer(struct messaging_context *msg,
 				result = mod_a_printer(printer, 2);
 				if (!W_ERROR_IS_OK(result)) {
 					DEBUG(3,("do_drv_upgrade_printer: mod_a_printer() failed with status [%s]\n",
-						dos_errstr(result)));
+						win_errstr(result)));
 				}
 			}
 
@@ -2677,7 +2677,7 @@ static bool srv_spoolss_replyopenprinter(int snum, const char *printer,
 
 	if (!W_ERROR_IS_OK(result))
 		DEBUG(5,("srv_spoolss_reply_open_printer: Client RPC returned [%s]\n",
-			dos_errstr(result)));
+			win_errstr(result)));
 
 	return (W_ERROR_IS_OK(result));
 }
@@ -5376,12 +5376,12 @@ static WERROR construct_printer_driver_info_3(DRIVER_INFO_3 *info, int snum, con
 	ZERO_STRUCT(driver);
 
 	status=get_a_printer(NULL, &printer, 2, lp_const_servicename(snum) );
-	DEBUG(8,("construct_printer_driver_info_3: status: %s\n", dos_errstr(status)));
+	DEBUG(8,("construct_printer_driver_info_3: status: %s\n", win_errstr(status)));
 	if (!W_ERROR_IS_OK(status))
 		return WERR_INVALID_PRINTER_NAME;
 
 	status=get_a_printer_driver(&driver, 3, printer->info_2->drivername, architecture, version);
-	DEBUG(8,("construct_printer_driver_info_3: status: %s\n", dos_errstr(status)));
+	DEBUG(8,("construct_printer_driver_info_3: status: %s\n", win_errstr(status)));
 
 #if 0	/* JERRY */
 
@@ -5401,7 +5401,7 @@ static WERROR construct_printer_driver_info_3(DRIVER_INFO_3 *info, int snum, con
 			/* Yes - try again with a WinNT driver. */
 			version = 2;
 			status=get_a_printer_driver(&driver, 3, printer->info_2->drivername, architecture, version);
-			DEBUG(8,("construct_printer_driver_info_3: status: %s\n", dos_errstr(status)));
+			DEBUG(8,("construct_printer_driver_info_3: status: %s\n", win_errstr(status)));
 		}
 #endif
 
@@ -5519,14 +5519,14 @@ static WERROR construct_printer_driver_info_6(DRIVER_INFO_6 *info, int snum,
 
 	status=get_a_printer(NULL, &printer, 2, lp_const_servicename(snum) );
 
-	DEBUG(8,("construct_printer_driver_info_6: status: %s\n", dos_errstr(status)));
+	DEBUG(8,("construct_printer_driver_info_6: status: %s\n", win_errstr(status)));
 
 	if (!W_ERROR_IS_OK(status))
 		return WERR_INVALID_PRINTER_NAME;
 
 	status = get_a_printer_driver(&driver, 3, printer->info_2->drivername, architecture, version);
 
-	DEBUG(8,("construct_printer_driver_info_6: status: %s\n", dos_errstr(status)));
+	DEBUG(8,("construct_printer_driver_info_6: status: %s\n", win_errstr(status)));
 
 	if (!W_ERROR_IS_OK(status))
 	{
@@ -5542,7 +5542,7 @@ static WERROR construct_printer_driver_info_6(DRIVER_INFO_6 *info, int snum,
 		/* Yes - try again with a WinNT driver. */
 		version = 2;
 		status=get_a_printer_driver(&driver, 3, printer->info_2->drivername, architecture, version);
-		DEBUG(8,("construct_printer_driver_info_6: status: %s\n", dos_errstr(status)));
+		DEBUG(8,("construct_printer_driver_info_6: status: %s\n", win_errstr(status)));
 		if (!W_ERROR_IS_OK(status)) {
 			free_a_printer(&printer,2);
 			return WERR_UNKNOWN_PRINTER_DRIVER;
@@ -7544,7 +7544,7 @@ static WERROR enumports_level_1(RPC_BUFFER *buffer, uint32 offered, uint32 *need
 	if(numlines) {
 		if((ports=SMB_MALLOC_ARRAY( PORT_INFO_1, numlines )) == NULL) {
 			DEBUG(10,("Returning WERR_NOMEM [%s]\n",
-				  dos_errstr(WERR_NOMEM)));
+				  win_errstr(WERR_NOMEM)));
 			TALLOC_FREE(qlines);
 			return WERR_NOMEM;
 		}
diff --git a/source3/rpc_server/srv_wkssvc_nt.c b/source3/rpc_server/srv_wkssvc_nt.c
index c96439cc1a..0a54b0dd3f 100644
--- a/source3/rpc_server/srv_wkssvc_nt.c
+++ b/source3/rpc_server/srv_wkssvc_nt.c
@@ -349,7 +349,7 @@ WERROR _wkssvc_NetrJoinDomain2(pipes_struct *p,
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5,("_wkssvc_NetrJoinDomain2: libnet_Join failed with: %s\n",
 			j->out.error_string ? j->out.error_string :
-			dos_errstr(werr)));
+			win_errstr(werr)));
 	}
 
 	TALLOC_FREE(j);
@@ -415,7 +415,7 @@ WERROR _wkssvc_NetrUnjoinDomain2(pipes_struct *p,
 	if (!W_ERROR_IS_OK(werr)) {
 		DEBUG(5,("_wkssvc_NetrUnjoinDomain2: libnet_Unjoin failed with: %s\n",
 			u->out.error_string ? u->out.error_string :
-			dos_errstr(werr)));
+			win_errstr(werr)));
 	}
 
 	TALLOC_FREE(u);