r5349: After talking with Jerry, reverted the addition of account policies to

passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)

15 files changed, 172 insertions, 846 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index f20584218a..466958b5ab 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -203,10 +203,10 @@ LIB_OBJ = $(VERSION_OBJ) lib/charcnv.o lib/debug.o lib/fault.o \
 	  lib/tallocmsg.o lib/dmallocmsg.o libsmb/smb_signing.o \
 	  lib/md5.o lib/hmacmd5.o lib/iconv.o \
 	  nsswitch/wb_client.o $(WBCOMMON_OBJ) \
-	  lib/pam_errors.o intl/lang_tdb.o \
+	  lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \
 	  lib/adt_tree.o lib/gencache.o $(TDB_OBJ) \
 	  lib/module.o lib/ldap_escape.o @CHARSET_STATIC@ \
-	  lib/secdesc.o lib/secace.o lib/secacl.o 
+	  lib/privileges.o lib/secdesc.o lib/secace.o lib/secacl.o
 
 LIB_NONSMBD_OBJ = $(LIB_OBJ) lib/dummysmbd.o
 
@@ -312,7 +312,7 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
 		passdb/util_sam_sid.o passdb/pdb_compat.o \
 		passdb/lookup_sid.o \
 		passdb/login_cache.o @PDB_STATIC@ passdb/pdb_sql.o \
-		lib/system_smbd.o lib/account_pol.o lib/privileges.o
+		lib/system_smbd.o
 
 XML_OBJ = passdb/pdb_xml.o
 MYSQL_OBJ = passdb/pdb_mysql.o
@@ -507,8 +507,8 @@ LIBSMBCLIENT_OBJ = libsmb/libsmbclient.o libsmb/libsmb_compat.o \
 		   libsmb/libsmb_cache.o \
 		   $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
 	  	   $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
-		   $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
-		   $(SECRETS_OBJ) $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
+		   $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
+		   $(SECRETS_OBJ) 
 
 # This shared library is intended for linking with unit test programs
 # to test Samba internals.  It's called libbigballofmud.so to
@@ -584,15 +584,13 @@ LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \
 
 SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \
 			   $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
-			   $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
-			   $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ) \
-			   $(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
+			   $(PASSDB_GET_SET_OBJ) $(LIBMSRPC_OBJ) $(SECRETS_OBJ) \
+			   $(POPT_LIB_OBJ) $(DCUTIL_OBJ) $(LIBADS_OBJ)
 
 SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
 		$(PARAM_OBJ) \
-		$(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \
-		$(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ) \
-		$(PASSDB_OBJ) $(SMBLDAP_OBJ) $(GROUPDB_OBJ) $(DUMMYROOT_OBJ)
+		$(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) $(PASSDB_GET_SET_OBJ) \
+		$(LIBMSRPC_OBJ) $(SECRETS_OBJ) $(POPT_LIB_OBJ)
 
 TALLOCTORT_OBJ = lib/talloctort.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) libsmb/nterr.o
 
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index eed3be1ff9..42f38e5b6a 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -334,12 +334,6 @@ typedef struct pdb_context
 					       DOM_SID **aliases,
 					       int *num_aliases);
 
-	NTSTATUS (*pdb_get_account_policy)(struct pdb_context *context,
-					   int policy_index, int *value);
-
-	NTSTATUS (*pdb_set_account_policy)(struct pdb_context *context,
-					   int policy_index, int value);
-
 	void (*free_fn)(struct pdb_context **);
 	
 	TALLOC_CTX *mem_ctx;
@@ -431,12 +425,6 @@ typedef struct pdb_methods
 					   int num_members,
 					   DOM_SID **aliases, int *num);
 
-	NTSTATUS (*get_account_policy)(struct pdb_methods *methods,
-				       int policy_index, int *value);
-
-	NTSTATUS (*set_account_policy)(struct pdb_methods *methods,
-				       int policy_index, int value);
-
 	void *private_data;  /* Private data of some kind */
 	
 	void (*free_private_data)(void **);
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index 9a116ab7e7..adb51430dc 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -38,7 +38,6 @@
 #define LDAP_OBJ_IDPOOL			"sambaUnixIdPool"
 #define LDAP_OBJ_IDMAP_ENTRY		"sambaIdmapEntry"
 #define LDAP_OBJ_SID_ENTRY		"sambaSidEntry"
-#define LDAP_OBJ_ACCOUNT_POLICY		"sambaAccountPolicy"
 
 #define LDAP_OBJ_ACCOUNT		"account"
 #define LDAP_OBJ_POSIXACCOUNT		"posixAccount"
@@ -98,8 +97,6 @@
 #define LDAP_ATTR_SID_LIST		40
 #define LDAP_ATTR_MOD_TIMESTAMP		41
 #define LDAP_ATTR_LOGON_HOURS		42
-#define LDAP_ATTR_ACCOUNT_POLICY_NAME	43
-#define LDAP_ATTR_ACCOUNT_POLICY_VAL	44
 
 typedef struct _attrib_map_entry {
 	int		attrib;
@@ -118,7 +115,6 @@ extern ATTRIB_MAP_ENTRY groupmap_attr_list[];
 extern ATTRIB_MAP_ENTRY groupmap_attr_list_to_delete[];
 extern ATTRIB_MAP_ENTRY idpool_attr_list[];
 extern ATTRIB_MAP_ENTRY sidmap_attr_list[];
-extern ATTRIB_MAP_ENTRY acctpol_attr_list[];
 
 /* Function declarations -- not included in proto.h so we don't
    have to worry about LDAP structure types */
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
index f6e3943993..5997d9180a 100644
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -3,7 +3,6 @@
  *  account policy storage
  *  Copyright (C) Jean François Micouleau      1998-2001.
  *  Copyright (C) Andrew Bartlett              2002
- *  Copyright (C) Guenther Deschner            2004-2005
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -23,14 +22,7 @@
 #include "includes.h"
 static TDB_CONTEXT *tdb; 
 
-/* cache all entries for 60 seconds for to save ldap-queries (cache is updated
- * after this period if admins do not use pdbedit or usermanager but manipulate
- * ldap directly) - gd */
-
-#define DATABASE_VERSION 	3
-#define AP_LASTSET 		"LAST_CACHE_UPDATE"
-#define AP_MIGRATED 		"ACCOUNT POLICIES WERE MIGRATED TO PASSDB"
-#define AP_TTL			60
+#define DATABASE_VERSION 2
 
 extern DOM_SID global_sid_World;
 extern DOM_SID global_sid_Builtin_Administrators;
@@ -40,35 +32,100 @@ extern DOM_SID global_sid_Builtin_Print_Operators;
 extern DOM_SID global_sid_Builtin_Backup_Operators;
 
 
-struct ap_table {
+/****************************************************************************
+ Set default for a field if it is empty
+****************************************************************************/
+
+static void set_default_on_empty(int field, uint32 value)
+{
+	if (account_policy_get(field, NULL))
+		return;
+	account_policy_set(field, value);
+	return;
+}
+
+/****************************************************************************
+ Open the account policy tdb.
+****************************************************************************/
+
+BOOL init_account_policy(void)
+{
+	const char *vstring = "INFO/version";
+	uint32 version;
+
+	if (tdb)
+		return True;
+	tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+	if (!tdb) {
+		DEBUG(0,("Failed to open account policy database\n"));
+		return False;
+	}
+
+	/* handle a Samba upgrade */
+	tdb_lock_bystring(tdb, vstring,0);
+	if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
+		tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
+		
+		set_default_on_empty(
+			AP_MIN_PASSWORD_LEN, 
+			MINPASSWDLENGTH);/* 5 chars minimum             */
+		set_default_on_empty(
+			AP_PASSWORD_HISTORY, 
+			0);		/* don't keep any old password	*/
+		set_default_on_empty(
+			AP_USER_MUST_LOGON_TO_CHG_PASS, 
+			0);		/* don't force user to logon	*/
+		set_default_on_empty(
+			AP_MAX_PASSWORD_AGE, 
+			(uint32)-1);	/* don't expire			*/
+		set_default_on_empty(
+			AP_MIN_PASSWORD_AGE, 
+			0);		/* 0 days                      */
+		set_default_on_empty(
+			AP_LOCK_ACCOUNT_DURATION, 
+			30);		/* lockout for 30 minutes      */
+		set_default_on_empty(
+			AP_RESET_COUNT_TIME, 
+			30);		/* reset after 30 minutes      */
+		set_default_on_empty(
+			AP_BAD_ATTEMPT_LOCKOUT, 
+			0);		/* don't lockout               */
+		set_default_on_empty(
+			AP_TIME_TO_LOGOUT, 
+			-1);		/* don't force logout          */
+		set_default_on_empty(
+			AP_REFUSE_MACHINE_PW_CHANGE, 
+			0);		/* allow machine pw changes    */
+	}
+	tdb_unlock_bystring(tdb, vstring);
+
+	/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+	privilege_create_account( &global_sid_World );
+	privilege_create_account( &global_sid_Builtin_Administrators );
+	privilege_create_account( &global_sid_Builtin_Account_Operators );
+	privilege_create_account( &global_sid_Builtin_Server_Operators );
+	privilege_create_account( &global_sid_Builtin_Print_Operators );
+	privilege_create_account( &global_sid_Builtin_Backup_Operators );
+	
+	return True;
+}
+
+static const struct {
 	int field;
 	const char *string;
-	uint32 default_val;
-	const char *comment;
-};
-
-static const struct ap_table account_policy_names[] = {
-	{AP_MIN_PASSWORD_LEN, "min password length", MINPASSWDLENGTH, 
-		"Minimal password length (default: 5)"},
-	{AP_PASSWORD_HISTORY, "password history", 0,
-		"Length of Password History Entries (default: 0 => off)" },
-	{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password", 0,
-		"Force Users to logon for password change (default: 0 => off, 2 => on)"},
-	{AP_MAX_PASSWORD_AGE, "maximum password age", (uint32)-1,
-		"Maximum password age, in seconds (default: -1 => never expire passwords)"},
-	{AP_MIN_PASSWORD_AGE,"minimum password age", 0,
-		"Minimal password age, in seconds (default: 0 => allow immediate password change)"},
-	{AP_LOCK_ACCOUNT_DURATION, "lockout duration", 30,
-		"Lockout duration in minutes (default: 30, -1 => forever)"},
-	{AP_RESET_COUNT_TIME, "reset count minutes", 30,
-		"Reset time after lockout in minutes (default: 30)"},
-	{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt", 0,
-		"Lockout users after bad logon attempts (default: 0 => off)"},
-	{AP_TIME_TO_LOGOUT, "disconnect time", -1,
-		"Disconnect Users outside logon hours (default: -1 => off, 0 => on)"}, 
-	{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change", 0,
-		"Allow Machine Password changes (default: 0 => off)"},
-	{0, NULL, 0, ""}
+} account_policy_names[] = {
+	{AP_MIN_PASSWORD_LEN, "min password length"},
+	{AP_PASSWORD_HISTORY, "password history"},
+	{AP_USER_MUST_LOGON_TO_CHG_PASS, "user must logon to change password"},
+	{AP_MAX_PASSWORD_AGE, "maximum password age (seconds since 1970)"},
+	{AP_MIN_PASSWORD_AGE,"minimum password age (seconds since 1970)"},
+	{AP_LOCK_ACCOUNT_DURATION, "lockout duration"},
+	{AP_RESET_COUNT_TIME, "reset count minutes"},
+	{AP_BAD_ATTEMPT_LOCKOUT, "bad lockout attempt"},
+	{AP_TIME_TO_LOGOUT, "disconnect time"},
+	{AP_REFUSE_MACHINE_PW_CHANGE, "refuse machine password change"},
+	{0, NULL}
 };
 
 char *account_policy_names_list(void)
@@ -99,7 +156,7 @@ char *account_policy_names_list(void)
 Get the account policy name as a string from its #define'ed number
 ****************************************************************************/
 
-const char *decode_account_policy_name(int field)
+static const char *decode_account_policy_name(int field)
 {
 	int i;
 	for (i=0; account_policy_names[i].string; i++) {
@@ -111,21 +168,6 @@ const char *decode_account_policy_name(int field)
 }
 
 /****************************************************************************
-Get the account policy comment as a string from its #define'ed number
-****************************************************************************/
-
-const char *account_policy_get_comment(int field)
-{
-	int i;
-	for (i=0; account_policy_names[i].string; i++) {
-		if (field == account_policy_names[i].field)
-			return account_policy_names[i].comment;
-	}
-	return NULL;
-
-}
-
-/****************************************************************************
 Get the account policy name as a string from its #define'ed number
 ****************************************************************************/
 
@@ -140,222 +182,15 @@ int account_policy_name_to_fieldnum(const char *name)
 
 }
 
-/*****************************************************************************
-Update LAST-Set counter inside the cache
-*****************************************************************************/
-
-static BOOL account_policy_cache_timestamp(uint32 *value, BOOL update)
-{
-	pstring key;
-	uint32 val = 0;
-	time_t now;
-
-	slprintf(key, sizeof(key)-1, "%s", AP_LASTSET);
-
-	if (!init_account_policy())
-		return False;
-
-	if (!tdb_fetch_uint32(tdb, key, &val) && !update) {
-		DEBUG(10,("failed to get last set timestamp of cache\n"));
-		return False;
-	}
-
-	*value = val;
-
-	DEBUG(10, ("account policy cache lastset was: %s\n", http_timestring(val)));
-
-	if (update) {
-
-		now = time(NULL);
-
-		if (!tdb_store_uint32(tdb, key, (uint32)now)) {
-			DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
-			return False;
-		}
-		DEBUG(10, ("account policy cache lastset now: %s\n", http_timestring(now)));
-		*value = now;
-	}
-
-	return True;
-}
-
-/*****************************************************************************
-Get default value for account policy
-*****************************************************************************/
-
-BOOL account_policy_get_default(int account_policy, uint32 *val)
-{
-	int i;
-	for (i=0; account_policy_names[i].field; i++) {
-		if (account_policy_names[i].field == account_policy) {
-			*val = account_policy_names[i].default_val;
-			return True;
-		}
-	}
-	DEBUG(0,("no default for account_policy index %d found. This should never happen\n", 
-		account_policy));
-	return False;
-}
-
-/*****************************************************************************
- Set default for a field if it is empty
-*****************************************************************************/
-
-static BOOL account_policy_set_default_on_empty(int account_policy)
-{
-
-	uint32 value;
-
-	if (!account_policy_get(account_policy, &value) && 
-	    !account_policy_get_default(account_policy, &value)) {
-		return False;
-	}
-
-	return account_policy_set(account_policy, value);
-}
-
-/*****************************************************************************
-Check migration success, set marker if required
-*****************************************************************************/
-
-static BOOL already_migrated_account_policies(BOOL store_migration_success)
-{
-	pstring key;
-	uint32 value;
-
-	slprintf(key, sizeof(key)-1, "%s", AP_MIGRATED);
-
-	if (tdb_fetch_uint32(tdb, key, &value)) {
-		return True;
-	}
-
-	if (store_migration_success) {
-
-		if (!tdb_store_uint32(tdb, key, 1)) {
-			DEBUG(1, ("tdb_store_uint32 failed for %s\n", key));
-			return False;
-		}
-		return True;
-	}
-
-	return False;
-}
-
-/*****************************************************************************
-Migrate account policies to passdb
-*****************************************************************************/
-
-static BOOL migrate_account_policy_names_to_passdb(void)
-{
-	int i, tmp_val;
-	BOOL got_pol;
-
-	if (already_migrated_account_policies(False)) {
-		return True;
-	}
-
-	DEBUG(1,("start migrating account policies into passdb\n"));
-
-	for (i=1; decode_account_policy_name(i) != NULL; i++) {
-
-		got_pol = False;
-
-		if (pdb_get_account_policy(i, &tmp_val)) {
-			DEBUG(10,("account policy already in passdb\n"));
-			got_pol = True;
-		}
-
-		if (!got_pol && !account_policy_get(i, &tmp_val)) {
-			DEBUG(0,("very weird: could not get value for account policy\n"));
-			return False;
-		}
-
-		DEBUGADD(1,("\tmigrating account policy (#%d: %s with value: %d) to passdb\n", 
-			i, decode_account_policy_name(i), tmp_val));
-
-		/* set policy via new passdb api */
-		if (!pdb_set_account_policy(i, tmp_val)) {
-			DEBUG(0,("failed to set account_policy\n"));
-			return False;
-		}
-
-	}
-
-	if (!already_migrated_account_policies(True)) {
-		DEBUG(0,("could not store marker for account policy migration in the tdb\n"));
-		return False;
-	}
-		
-	DEBUGADD(1,("succesfully migrated account policies into passdb\n"));
-
-	return True;
-}
-
-/*****************************************************************************
- Open the account policy tdb.
-***`*************************************************************************/
-
-BOOL init_account_policy(void)
-{
-
-	const char *vstring = "INFO/version";
-	uint32 version;
-	int i;
-
-	if (tdb)
-		return True;
-
-	tdb = tdb_open_log(lock_path("account_policy.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
-	if (!tdb) {
-		DEBUG(0,("Failed to open account policy database\n"));
-		return False;
-	}
-
-	/* handle a Samba upgrade */
-	tdb_lock_bystring(tdb, vstring,0);
-	if (!tdb_fetch_uint32(tdb, vstring, &version) || version != DATABASE_VERSION) {
-
-		tdb_store_uint32(tdb, vstring, DATABASE_VERSION);
-
-		for (i=0; account_policy_names[i].field; i++) {
-
-			if (!account_policy_set_default_on_empty(account_policy_names[i].field)) {
-				DEBUG(0,("failed to set default value in account policy tdb\n"));
-				return False;
-			}
-		}
-	}
-
-	if (!migrate_account_policy_names_to_passdb()) {
-		DEBUG(0,("Could not migrate account policy tdb to passdb.\n"));
-		return False;
-	}
-
-	tdb_unlock_bystring(tdb, vstring);
-
-	/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
-
-	privilege_create_account( &global_sid_World );
-	privilege_create_account( &global_sid_Builtin_Administrators );
-	privilege_create_account( &global_sid_Builtin_Account_Operators );
-	privilege_create_account( &global_sid_Builtin_Server_Operators );
-	privilege_create_account( &global_sid_Builtin_Print_Operators );
-	privilege_create_account( &global_sid_Builtin_Backup_Operators );
-
-	return True;
-}
-
-/*****************************************************************************
-Internal function
-*****************************************************************************/
+/****************************************************************************
+****************************************************************************/
 
 BOOL account_policy_get(int field, uint32 *value)
 {
 	fstring name;
 	uint32 regval;
 
-	if (!init_account_policy())
-		return False;
+	if(!init_account_policy())return False;
 
 	if (value)
 		*value = 0;
@@ -378,15 +213,12 @@ BOOL account_policy_get(int field, uint32 *value)
 
 
 /****************************************************************************
-Get an account policy from a (migrated tdb)
 ****************************************************************************/
-
 BOOL account_policy_set(int field, uint32 value)
 {
 	fstring name;
 
-	if (!init_account_policy())
-		return False;
+	if(!init_account_policy())return False;
 
 	fstrcpy(name, decode_account_policy_name(field));
 	if (!*name) {
@@ -395,7 +227,7 @@ BOOL account_policy_set(int field, uint32 value)
 	}
 
 	if (!tdb_store_uint32(tdb, name, value)) {
-		DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u\n", field, name, value));
+		DEBUG(1, ("tdb_store_uint32 failed for field %d (%s) on value %u", field, name, value));
 		return False;
 	}
 
@@ -405,64 +237,6 @@ BOOL account_policy_set(int field, uint32 value)
 }
 
 /****************************************************************************
-Set an account policy in the cache 
-****************************************************************************/
-
-BOOL cache_account_policy_set(int field, uint32 value)
-{
-	uint32 lastset, i;
-
-	for (i=0; account_policy_names[i].field; i++) {
-
-		if (account_policy_names[i].field == field) {
-
-			DEBUG(10,("cache_account_policy_set: updating account pol cache\n"));
-
-			if (!account_policy_set(field, value)) {
-				return False;
-			}
-
-			if (!account_policy_cache_timestamp(&lastset, True)) {
-				DEBUG(10,("cache_account_policy_set: failed to get lastest cache update timestamp\n"));
-				return False;
-			}
-
-			DEBUG(10,("cache_account_policy_set: cache valid until: %s\n", http_timestring(lastset+AP_TTL)));
-		}
-	}
-
-	return True;
-}
-
-/*****************************************************************************
-Get an account policy from the cache 
-*****************************************************************************/
-
-BOOL cache_account_policy_get(int field, uint32 *value)
-{
-	uint32 lastset, i;
-
-	if (!account_policy_cache_timestamp(&lastset, False)) {
-		DEBUG(10,("cache_account_policy_get: failed to get latest cache update timestamp\n"));
-		return False;
-	}
-
-	if ((lastset + AP_TTL) < (uint32)time(NULL) ) {
-		DEBUG(10,("cache_account_policy_get: no valid cache entry (cache expired)\n"));
-		return False;
-	} 
-
-	for (i=0; account_policy_names[i].field; i++) {
-		if (account_policy_names[i].field == field) {
-			return account_policy_get(field, value);
-		}
-	}
-
-	return False;
-}
-
-
-/****************************************************************************
 ****************************************************************************/
 
 TDB_CONTEXT *get_account_pol_tdb( void )
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 2fc71b1402..7aeecb89d6 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -208,15 +208,6 @@ ATTRIB_MAP_ENTRY sidmap_attr_list[] = {
 	{ LDAP_ATTR_LIST_END,		NULL			}	
 };
 
-/* attributes used for account policies */
-
-ATTRIB_MAP_ENTRY acctpol_attr_list[] = {
-	{ LDAP_ATTR_OBJCLASS,		"objectClass"			},
-	{ LDAP_ATTR_ACCOUNT_POLICY_NAME,"sambaAccountPolicyName"	},
-	{ LDAP_ATTR_ACCOUNT_POLICY_VAL,	"sambaAccountPolicyValue"	},
-	{ LDAP_ATTR_LIST_END,		NULL				},
-};
-
 /**********************************************************************
  perform a simple table lookup and return the attribute name 
  **********************************************************************/
@@ -1254,82 +1245,6 @@ NTSTATUS smbldap_init(TALLOC_CTX *mem_ctx, const char *location, struct smbldap_
 }
 
 /**********************************************************************
- Add the account-policies below the sambaDomain object to LDAP, 
-*********************************************************************/
-static NTSTATUS add_new_domain_account_policies(struct smbldap_state *ldap_state,
-						const char *domain_name)
-{
-	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
-	int i, ldap_op, policy_default, rc;
-	const char *policy_string = NULL;
-	const char *policy_comment = NULL;
-	pstring dn;
-	fstring policy_default_str;
-
-	DEBUG(3,("Adding new account policies for domain\n"));
-	ldap_op = LDAP_MOD_ADD;
-
-	for (i=1; decode_account_policy_name(i) != NULL; i++) {
-		LDAPMod **mods = NULL;
-
-		policy_string = decode_account_policy_name(i);
-		if (!policy_string) {
-			DEBUG(0,("add_new_domain_account_policies: ops. no policy!\n"));
-			return ntstatus;
-		}
-
-		policy_comment = account_policy_get_comment(i);
-		if (!policy_comment) {
-			DEBUG(0,("add_new_domain_account_policies: no description for policy found\n"));
-			return ntstatus;
-		}
-
-		if (!account_policy_get_default(i, &policy_default)) {
-			DEBUG(0,("add_new_domain_account_policies: failed to get default account policy\n"));
-			return ntstatus;
-		}
-
-		slprintf(policy_default_str, sizeof(policy_default_str) - 1, "%i", policy_default);
-
-		pstr_sprintf(dn, "%s=%s,%s=%s,%s",
- 			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
-			get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), get_global_sam_name(),
-			lp_ldap_suffix());
-
-		smbldap_set_mod( &mods, ldap_op, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
-
-		smbldap_set_mod( &mods, ldap_op,
-			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
-			policy_string);
-
-		smbldap_set_mod( &mods, ldap_op,
-			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
-			policy_default_str);
-
-		smbldap_set_mod( &mods, ldap_op, "description", policy_comment);
-
-		rc = smbldap_add(ldap_state, dn, mods);
-
-		if (rc!=LDAP_SUCCESS) {
-			char *ld_error = NULL;
-			ldap_get_option(ldap_state->ldap_struct, LDAP_OPT_ERROR_STRING, &ld_error);
-			DEBUG(1,("failed to add account policy dn= %s with: %s\n\t%s\n",
-			       dn, ldap_err2string(rc),
-			       ld_error?ld_error:"unknown"));
-			SAFE_FREE(ld_error);
-
-			ldap_mods_free(mods, True);
-			return ntstatus;
-		}
-
-		DEBUG(2,("added: domain account policy = [%s] in the LDAP database\n", policy_string));
-		ldap_mods_free(mods, True);
-	}
-
-	return NT_STATUS_OK;
-}
-
-/**********************************************************************
  Add the sambaDomain to LDAP, so we don't have to search for this stuff
  again.  This is a once-add operation for now.
 
@@ -1483,8 +1398,7 @@ NTSTATUS smbldap_search_domain_info(struct smbldap_state *ldap_state,
 		DEBUG(3, ("Got no domain info entries for domain\n"));
 		ldap_msgfree(*result);
 		*result = NULL;
-		if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name)) 
-			    && NT_STATUS_IS_OK(ret = add_new_domain_account_policies(ldap_state, domain_name))) {
+		if (try_add && NT_STATUS_IS_OK(ret = add_new_domain_info(ldap_state, domain_name))) {
 			return smbldap_search_domain_info(ldap_state, result, domain_name, False);
 		} 
 		else {
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index d2e1eacdd2..715eb9ed4c 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1890,7 +1890,7 @@ BOOL init_sam_from_buffer_v2(SAM_ACCOUNT *sampass, uint8 *buf, uint32 buflen)
 	}
 
 	/* Change from V1 is addition of password history field. */
-	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
+	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 	if (pwHistLen) {
 		char *pw_hist = SMB_MALLOC(pwHistLen * PW_HISTORY_ENTRY_LEN);
 		if (!pw_hist) {
@@ -2098,7 +2098,7 @@ uint32 init_buffer_from_sam_v2 (uint8 **buf, const SAM_ACCOUNT *sampass, BOOL si
 		nt_pw_len = 0;
 	}
 
-	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
+	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 	nt_pw_hist =  pdb_get_pw_history(sampass, &nt_pw_hist_len);
 	if (pwHistLen && nt_pw_hist && nt_pw_hist_len) {
 		nt_pw_hist_len *= PW_HISTORY_ENTRY_LEN;
@@ -2307,8 +2307,8 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
 		return True;
 	}
 
-	if (!pdb_get_account_policy(AP_RESET_COUNT_TIME, &resettime)) {
-		DEBUG(0, ("pdb_update_bad_password_count: pdb_get_account_policy failed.\n"));
+	if (!account_policy_get(AP_RESET_COUNT_TIME, &resettime)) {
+		DEBUG(0, ("pdb_update_bad_password_count: account_policy_get failed.\n"));
 		return False;
 	}
 
@@ -2349,8 +2349,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 		return True;
 	}
 
-	if (!pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &duration)) {
-		DEBUG(0, ("pdb_update_autolock_flag: pdb_get_account_policy failed.\n"));
+	if (!account_policy_get(AP_LOCK_ACCOUNT_DURATION, &duration)) {
+		DEBUG(0, ("pdb_update_autolock_flag: account_policy_get failed.\n"));
 		return False;
 	}
 
@@ -2398,9 +2398,9 @@ BOOL pdb_increment_bad_password_count(SAM_ACCOUNT *sampass)
 		return False;
 
 	/* Retrieve the account lockout policy */
-	if (!pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT,
+	if (!account_policy_get(AP_BAD_ATTEMPT_LOCKOUT,
 				&account_policy_lockout)) {
-		DEBUG(0, ("pdb_increment_bad_password_count: pdb_get_account_policy failed.\n"));
+		DEBUG(0, ("pdb_increment_bad_password_count: account_policy_get failed.\n"));
 		return False;
 	}
 
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index e0fc0ef280..4b59b5fdf9 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -1123,7 +1123,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
 	if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
 		return False;
 
-	if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) 
+	if (!account_policy_get(AP_MAX_PASSWORD_AGE, &expire) 
 	    || (expire==(uint32)-1) || (expire == 0)) {
 		if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
 			return False;
@@ -1134,7 +1134,7 @@ BOOL pdb_set_pass_changed_now (SAM_ACCOUNT *sampass)
 			return False;
 	}
 	
-	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) 
+	if (!account_policy_get(AP_MIN_PASSWORD_AGE, &min_age) 
 	    || (min_age==(uint32)-1)) {
 		if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
 			return False;
@@ -1189,7 +1189,7 @@ BOOL pdb_set_plaintext_passwd (SAM_ACCOUNT *sampass, const char *plaintext)
 	if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) {
 		uchar *pwhistory;
 		uint32 pwHistLen;
-		pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
+		account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 		if (pwHistLen != 0){
 			uint32 current_history_len;
 			/* We need to make sure we don't have a race condition here - the
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 938622abff..382c028b0c 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -622,35 +622,6 @@ static NTSTATUS context_enum_alias_memberships(struct pdb_context *context,
 				       num_members, aliases, num);
 }
 
-static NTSTATUS context_get_account_policy(struct pdb_context *context,
-					   int policy_index, int *value)
-{
-	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
-	if ((!context) || (!context->pdb_methods)) {
-		DEBUG(0, ("invalid pdb_context specified!\n"));
-		return ret;
-	}
-
-	return context->pdb_methods->get_account_policy(context->pdb_methods,
-							policy_index, value);
-}
-
-static NTSTATUS context_set_account_policy(struct pdb_context *context,
-					   int policy_index, int value)
-{
-	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
-	if ((!context) || (!context->pdb_methods)) {
-		DEBUG(0, ("invalid pdb_context specified!\n"));
-		return ret;
-	}
-
-	return context->pdb_methods->set_account_policy(context->pdb_methods,
-							policy_index, value);
-}
-
-	
 /******************************************************************
   Free and cleanup a pdb context, any associated data and anything
   that the attached modules might have associated.
@@ -779,9 +750,6 @@ static NTSTATUS make_pdb_context(struct pdb_context **context)
 	(*context)->pdb_enum_aliasmem = context_enum_aliasmem;
 	(*context)->pdb_enum_alias_memberships = context_enum_alias_memberships;
 
-	(*context)->pdb_get_account_policy = context_get_account_policy;
-	(*context)->pdb_set_account_policy = context_set_account_policy;
-
 	(*context)->free_fn = free_pdb_context;
 
 	return NT_STATUS_OK;
@@ -1234,30 +1202,6 @@ BOOL pdb_enum_alias_memberships(const DOM_SID *members, int num_members,
 							  aliases, num));
 }
 
-BOOL pdb_get_account_policy(int policy_index, int *value)
-{
-	struct pdb_context *pdb_context = pdb_get_static_context(False);
-
-	if (!pdb_context) {
-		return False;
-	}
-
-	return NT_STATUS_IS_OK(pdb_context->
-			       pdb_get_account_policy(pdb_context, policy_index, value));
-}
-
-BOOL pdb_set_account_policy(int policy_index, int value)
-{
-	struct pdb_context *pdb_context = pdb_get_static_context(False);
-
-	if (!pdb_context) {
-		return False;
-	}
-
-	return NT_STATUS_IS_OK(pdb_context->
-			       pdb_set_account_policy(pdb_context, policy_index, value));
-}
-
 /***************************************************************
   Initialize the static context (at smbd startup etc). 
 
@@ -1315,16 +1259,6 @@ static void pdb_default_endsampwent(struct pdb_methods *methods)
 	return; /* NT_STATUS_NOT_IMPLEMENTED; */
 }
 
-static NTSTATUS pdb_default_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
-{
-	return account_policy_get(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
-}
-
-static NTSTATUS pdb_default_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
-{
-	return account_policy_set(policy_index, value) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
-}
-
 NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods) 
 {
 	*methods = TALLOC_P(mem_ctx, struct pdb_methods);
@@ -1362,8 +1296,6 @@ NTSTATUS make_pdb_methods(TALLOC_CTX *mem_ctx, PDB_METHODS **methods)
 	(*methods)->del_aliasmem = pdb_default_del_aliasmem;
 	(*methods)->enum_aliasmem = pdb_default_enum_aliasmem;
 	(*methods)->enum_alias_memberships = pdb_default_alias_memberships;
-	(*methods)->get_account_policy = pdb_default_get_account_policy;
-	(*methods)->set_account_policy = pdb_default_set_account_policy;
 
 	return NT_STATUS_OK;
 }
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 6fdf80074c..ff99b21f1f 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -729,7 +729,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
 		ZERO_STRUCT(smbntpwd);
 	}
 
-	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
+	account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 	if (pwHistLen > 0){
 		uint8 *pwhist = NULL;
 		int i;
@@ -1073,7 +1073,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 
 		if (need_update(sampass, PDB_PWHISTORY)) {
 			int pwHistLen = 0;
-			pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen);
+			account_policy_get(AP_PASSWORD_HISTORY, &pwHistLen);
 			if (pwHistLen == 0) {
 				/* Remove any password history from the LDAP store. */
 				memset(temp, '0', 64); /* NOTE !!!! '0' *NOT '\0' */
@@ -1138,7 +1138,7 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
 		uint16 badcount = pdb_get_bad_password_count(sampass);
 		time_t badtime = pdb_get_bad_password_time(sampass);
 		uint32 pol;
-		pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &pol);
+		account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &pol);
 
 		DEBUG(3, ("updating bad password fields, policy=%u, count=%u, time=%u\n",
 			(unsigned int)pol, (unsigned int)badcount, (unsigned int)badtime));
@@ -2880,252 +2880,6 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS ldapsam_get_account_policy(struct pdb_methods *methods, int policy_index, int *value)
-{
-	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
-	LDAPMessage *result = NULL;
-	LDAPMessage *entry = NULL;
-	int count;
-	int rc;
-	pstring filter;
-	char **vals;
-	const char *policy_string = NULL;
-	int tmp_val;
-	BOOL found_tdb = False;
-
-	struct ldapsam_privates *ldap_state =
-		(struct ldapsam_privates *)methods->private_data;
-
-	const char *attrs[] = {
-		NULL,
-		NULL,
-		NULL 
-	};
-
-	attrs[0] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME);
-	attrs[1] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL);
-
-	if (cache_account_policy_get(policy_index, value)) {
-		DEBUG(11,("ldapsam_get_account_policy: got valid value from cache\n"));
-		return NT_STATUS_OK;
-	}
-
-	policy_string = decode_account_policy_name(policy_index);
-	if (!policy_string) {
-		DEBUG(0,("ldapsam_get_account_policy: invalid policy index: %d\n", policy_index));
-		return ntstatus;
-	}
-
-	pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
-		     LDAP_OBJ_ACCOUNT_POLICY, 
-		     get_attr_key2string(acctpol_attr_list,
-					 LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
-	
-	if (!ldap_state->domain_dn) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-search:		
-	rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
-			    LDAP_SCOPE_ONELEVEL, filter, attrs, 0, &result);
-
-	if (rc != LDAP_SUCCESS) 
-		return ntstatus;
-
-	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct,
-				   result);
-
-	/* handle deleted ldap-entries (migrate on the fly, use a default as last resort) - gd */
-	if (count < 1 && !found_tdb) {
-
-		found_tdb = False;
-
-		DEBUG(3,("ldapsam_get_account_policy: no entry for that policy in ldap found\n"));
-
-		if (!account_policy_get(policy_index, &tmp_val)) {
-			DEBUG(10,("ldapsam_get_account_policy: failed to get account_policy from tdb\n"));
-			found_tdb = True;
-		}
-
-		if (!found_tdb && !account_policy_get_default(policy_index, &tmp_val)) {
-			ldap_msgfree(result);
-			return ntstatus;
-		}
-
-		if (!pdb_set_account_policy(policy_index, tmp_val)) {
-			DEBUG(1,("ldapsam_get_account_policy: failed to set account_policy\n"));
-			ldap_msgfree(result);
-			return ntstatus;
-		}
-
-		DEBUG(3,("ldapsam_get_account_policy: set account policy value based on %s value.\n", 
-			found_tdb ? "tdb":"default"));
-
-		ldap_msgfree(result);
-		goto search;
-	}
-
-	entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
-
-	if (!entry) {
-		ldap_msgfree(result);
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	vals = ldap_get_values(ldap_state->smbldap_state->ldap_struct, entry, 
-		get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL));
-
-	if (vals == NULL) 
-		goto out;
-
-	*value = (uint32)atol(vals[0]);
-
-	if (!cache_account_policy_set(policy_index, *value)) {
-		DEBUG(0,("ldapsam_get_account_policy: failed to update local tdb as a cache\n"));
-		return ntstatus;
-	}
-
-	ntstatus = NT_STATUS_OK;
-
-out:
-	ldap_value_free(vals);
-	ldap_msgfree(result);
-
-	return ntstatus;
-}
-
-static NTSTATUS ldapsam_set_account_policy(struct pdb_methods *methods, int policy_index, int value)
-{
-	NTSTATUS ntstatus = NT_STATUS_UNSUCCESSFUL;
-	LDAPMessage *result = NULL;
-	LDAPMessage *entry = NULL;
-	int count;
-	int rc;
-	pstring filter, dn;
-	int modop;
-	LDAPMod **mods = NULL;
-	fstring value_string;
-	char *old_dn = NULL;
-	const char *policy_string = NULL;
-	const char *policy_description = NULL;
-
-	struct ldapsam_privates *ldap_state =
-		(struct ldapsam_privates *)methods->private_data;
-
-	const char *attrs[] = {
-		NULL,
-		NULL,
-		NULL 
-	};
-
-	attrs[0] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
-	attrs[1] = get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
-
-	policy_string = decode_account_policy_name(policy_index);
-	if (!policy_string) {
-		DEBUG(0,("ldapsam_set_account_policy: invalid policy\n"));
-		return ntstatus;
-	}
-
-	policy_description = account_policy_get_comment(policy_index);
-	if (!policy_description) {
-		DEBUG(0,("ldapsam_set_account_policy: no description for policy found\n"));
-		return ntstatus;
-	}
-
-	pstr_sprintf(filter, "(&(objectclass=%s)(%s=%s))",
-		     LDAP_OBJ_ACCOUNT_POLICY, 
-		     get_attr_key2string(acctpol_attr_list,
-					 LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string);
-
-	if (!ldap_state->domain_dn) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	rc = smbldap_search(ldap_state->smbldap_state, ldap_state->domain_dn,
-			    LDAP_SCOPE_ONELEVEL, filter, attrs, 0, &result);
-
-	if (rc != LDAP_SUCCESS) 
-		return ntstatus;
-
-	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
-
-	slprintf(value_string, sizeof(value_string) - 1, "%i", value);
-
-	if (count == 1) {
-
-		modop = LDAP_MOD_REPLACE;
-
-		entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result);
-
-		if (!entry) {
-			ldap_msgfree(result);
-			return NT_STATUS_UNSUCCESSFUL;
-		}
-
-		old_dn = smbldap_get_dn(ldap_state->smbldap_state->ldap_struct, entry);
-		if (!old_dn) {
-			ldap_msgfree(result);
-			return ntstatus;
-		}
-
-		smbldap_set_mod(&mods, modop,
-			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
-			value_string);
-
-		rc = smbldap_modify(ldap_state->smbldap_state, old_dn, mods);
-
-	} else {
-
-		modop = LDAP_MOD_ADD;
-
-		pstr_sprintf(dn, "%s=%s,%s",
- 			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), policy_string,
-			ldap_state->domain_dn);
-
-		smbldap_set_mod( &mods, modop, "objectClass", LDAP_OBJ_ACCOUNT_POLICY );
-
-		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
-			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_NAME), 
-			policy_string);
-
-		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
-			get_attr_key2string(acctpol_attr_list, LDAP_ATTR_ACCOUNT_POLICY_VAL), 
-			value_string);
-
-		smbldap_make_mod( ldap_state->smbldap_state->ldap_struct, entry, &mods, 
-			"description", 
-			policy_description);
-
-		rc = smbldap_add(ldap_state->smbldap_state, dn, mods);
-	}
-
-	ldap_mods_free(mods, True);
-	ldap_msgfree(result);
-
-	if (rc != LDAP_SUCCESS) {
-		char *ld_error = NULL;
-		ldap_get_option(ldap_state->smbldap_state->ldap_struct,
-				LDAP_OPT_ERROR_STRING,&ld_error);
-		
-		DEBUG(0, ("ldapsam_set_account_policy: Could not set account policy "
-			  "for %s, error: %s (%s)\n", dn, ldap_err2string(rc),
-			  ld_error?ld_error:"unknown"));
-		SAFE_FREE(ld_error);
-		SAFE_FREE(old_dn);
-		return ntstatus;
-	}
-
-	SAFE_FREE(old_dn);
-
-	if (!cache_account_policy_set(policy_index, value)) {
-		DEBUG(0,("ldapsam_set_account_policy: failed to update local tdb cache\n"));
-		return ntstatus;
-	}
-
-	return NT_STATUS_OK;
-}
-
 /**********************************************************************
  Housekeeping
  *********************************************************************/
@@ -3183,9 +2937,6 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **
 	(*pdb_method)->enum_group_mapping = ldapsam_enum_group_mapping;
 	(*pdb_method)->enum_group_memberships = ldapsam_enum_group_memberships;
 
-	(*pdb_method)->get_account_policy = ldapsam_get_account_policy;
-	(*pdb_method)->set_account_policy = ldapsam_set_account_policy;
-
 	/* TODO: Setup private data and free */
 
 	ldap_state = TALLOC_ZERO_P(pdb_context->mem_ctx, struct ldapsam_privates);
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index 3a5c965820..c11e0d59a0 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -380,7 +380,7 @@ WERROR _reg_info(pipes_struct *p, REG_Q_INFO *q_u, REG_R_INFO *r_u)
 			return WERR_NOMEM;
 		}
 
-		if (!pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
+		if (!account_policy_get(AP_REFUSE_MACHINE_PW_CHANGE, &dwValue))
 			dwValue = 0;
 		regval_ctr_addvalue(&regvals, "RefusePasswordChange", 
 				    REG_DWORD,
diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c
index 971f5ed40c..ffb7882e11 100644
--- a/source3/rpc_server/srv_samr.c
+++ b/source3/rpc_server/srv_samr.c
@@ -785,6 +785,7 @@ static BOOL api_samr_set_userinfo(pipes_struct *p)
 	if (!samr_io_q_set_userinfo("", &q_u, data, 0)) {
 		DEBUG(0,("api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.\n"));
 		/* Fix for W2K SP2 */
+		/* what is that status-code ? - gd */
 		if (q_u.switch_value == 0x1a) {
 			setup_fault_pdu(p, NT_STATUS(0x1c000006));
 			return True;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 9c8a35045f..291d8713d5 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2092,19 +2092,19 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
 	switch (q_u->switch_value) {
 		case 0x01:
 			
-			pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+			account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
 			min_pass_len = account_policy_temp;
 
-			pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
+			account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
 			pass_hist = account_policy_temp;
 
-			pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+			account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
 			flag = account_policy_temp;
 
-			pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+			account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
 			u_expire = account_policy_temp;
 
-			pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+			account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
 			u_min_age = account_policy_temp;
 			
 			unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -2132,7 +2132,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
 			num_groups=info->disp_info.num_group_account;
 			free_samr_db(info);
 
-			pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
+			account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
 			u_logout = account_policy_temp;
 
 			unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -2146,7 +2146,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
 				       num_users, num_groups, num_aliases, nt_logout, server_role);
 			break;
 		case 0x03:
-			pdb_get_account_policy(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
+			account_policy_get(AP_TIME_TO_LOGOUT, (unsigned int *)&u_logout);
 			unix_to_nt_time_abs(&nt_logout, u_logout);
 			
 			init_unk_info3(&ctr->info.inf3, nt_logout);
@@ -2168,15 +2168,15 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
 			init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
 			break;
 		case 0x0c:
-			pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+			account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
 			u_lock_duration = account_policy_temp;
 			if (u_lock_duration != -1)
 				u_lock_duration *= 60;
 
-			pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
+			account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
 			u_reset_time = account_policy_temp * 60;
 
-			pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+			account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
 			lockout = account_policy_temp;
 
 			unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4572,19 +4572,19 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
 
 	switch (q_u->switch_value) {
 		case 0x01:
-			pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &account_policy_temp);
+			account_policy_get(AP_MIN_PASSWORD_LEN, &account_policy_temp);
 			min_pass_len = account_policy_temp;
 
-			pdb_get_account_policy(AP_PASSWORD_HISTORY, &account_policy_temp);
+			account_policy_get(AP_PASSWORD_HISTORY, &account_policy_temp);
 			pass_hist = account_policy_temp;
 
-			pdb_get_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
+			account_policy_get(AP_USER_MUST_LOGON_TO_CHG_PASS, &account_policy_temp);
 			flag = account_policy_temp;
 
-			pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &account_policy_temp);
+			account_policy_get(AP_MAX_PASSWORD_AGE, &account_policy_temp);
 			u_expire = account_policy_temp;
 
-			pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &account_policy_temp);
+			account_policy_get(AP_MIN_PASSWORD_AGE, &account_policy_temp);
 			u_min_age = account_policy_temp;
 
 			unix_to_nt_time_abs(&nt_expire, u_expire);
@@ -4612,7 +4612,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
 			num_groups=info->disp_info.num_group_account;
 			free_samr_db(info);
 
-			pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
+			account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
 			u_logout = account_policy_temp;
 
 			unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4626,7 +4626,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
 				       num_users, num_groups, num_aliases, nt_logout, server_role);
 			break;
 		case 0x03:
-			pdb_get_account_policy(AP_TIME_TO_LOGOUT, &account_policy_temp);
+			account_policy_get(AP_TIME_TO_LOGOUT, &account_policy_temp);
 			u_logout = account_policy_temp;
 
 			unix_to_nt_time_abs(&nt_logout, u_logout);
@@ -4649,15 +4649,15 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
 			init_unk_info8(&ctr->info.inf8, (uint32) time(NULL));
 			break;
 		case 0x0c:
-			pdb_get_account_policy(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
+			account_policy_get(AP_LOCK_ACCOUNT_DURATION, &account_policy_temp);
 			u_lock_duration = account_policy_temp;
 			if (u_lock_duration != -1)
 				u_lock_duration *= 60;
 
-			pdb_get_account_policy(AP_RESET_COUNT_TIME, &account_policy_temp);
+			account_policy_get(AP_RESET_COUNT_TIME, &account_policy_temp);
 			u_reset_time = account_policy_temp * 60;
 
-			pdb_get_account_policy(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
+			account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, &account_policy_temp);
 			lockout = account_policy_temp;
 	
 			unix_to_nt_time_abs(&nt_lock_duration, u_lock_duration);
@@ -4701,17 +4701,17 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
 			u_expire=nt_time_to_unix_abs(&q_u->ctr->info.inf1.expire);
 			u_min_age=nt_time_to_unix_abs(&q_u->ctr->info.inf1.min_passwordage);
 			
-			pdb_set_account_policy(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
-			pdb_set_account_policy(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
-			pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
-			pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (int)u_expire);
-			pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (int)u_min_age);
+			account_policy_set(AP_MIN_PASSWORD_LEN, (uint32)q_u->ctr->info.inf1.min_length_password);
+			account_policy_set(AP_PASSWORD_HISTORY, (uint32)q_u->ctr->info.inf1.password_history);
+			account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, (uint32)q_u->ctr->info.inf1.flag);
+			account_policy_set(AP_MAX_PASSWORD_AGE, (int)u_expire);
+			account_policy_set(AP_MIN_PASSWORD_AGE, (int)u_min_age);
             		break;
         	case 0x02:
 			break;
 		case 0x03:
 			u_logout=nt_time_to_unix_abs(&q_u->ctr->info.inf3.logout);
-			pdb_set_account_policy(AP_TIME_TO_LOGOUT, (int)u_logout);
+			account_policy_set(AP_TIME_TO_LOGOUT, (int)u_logout);
 			break;
 		case 0x05:
 			break;
@@ -4726,9 +4726,9 @@ NTSTATUS _samr_set_dom_info(pipes_struct *p, SAMR_Q_SET_DOMAIN_INFO *q_u, SAMR_R
 
 			u_reset_time=nt_time_to_unix_abs(&q_u->ctr->info.inf12.reset_count)/60;
 			
-			pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
-			pdb_set_account_policy(AP_RESET_COUNT_TIME, (int)u_reset_time);
-			pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
+			account_policy_set(AP_LOCK_ACCOUNT_DURATION, (int)u_lock_duration);
+			account_policy_set(AP_RESET_COUNT_TIME, (int)u_reset_time);
+			account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, (uint32)q_u->ctr->info.inf12.bad_attempt_lockout);
 			break;
 		default:
 			return NT_STATUS_INVALID_INFO_CLASS;
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index 3765b7d38f..540acfc225 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -945,7 +945,7 @@ static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
 	BOOL found = False;
 	int i, pwHisLen, curr_pwHisLen;
 
-	pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHisLen);
+	account_policy_get(AP_PASSWORD_HISTORY, &pwHisLen);
 	if (pwHisLen == 0) {
 		return False;
 	}
@@ -1017,7 +1017,7 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw
 	}
 
 	/* FIXME: AP_MIN_PASSWORD_LEN and lp_min_passwd_length() need to be merged - gd */
-	if (pdb_get_account_policy(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
+	if (account_policy_get(AP_MIN_PASSWORD_LEN, &min_len) && (str_charnum(new_passwd) < min_len)) {
 		DEBUG(1, ("user %s cannot change password - password too short\n", 
 			  username));
 		DEBUGADD(1, (" account policy min password len = %d\n", min_len));
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index cc81719b6a..49aef2a23c 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -1000,34 +1000,34 @@ static NTSTATUS fetch_domain_info(uint32 rid, SAM_DOMAIN_INFO *delta)
 	}
 
 
-	if (!pdb_set_account_policy(AP_PASSWORD_HISTORY, delta->pwd_history_len))
+	if (!account_policy_set(AP_PASSWORD_HISTORY, delta->pwd_history_len))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
+	if (!account_policy_set(AP_MIN_PASSWORD_LEN, delta->min_pwd_len))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
+	if (!account_policy_set(AP_MAX_PASSWORD_AGE, (uint32)u_max_age))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
+	if (!account_policy_set(AP_MIN_PASSWORD_AGE, (uint32)u_min_age))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_TIME_TO_LOGOUT, (uint32)u_logout))
+	if (!account_policy_set(AP_TIME_TO_LOGOUT, (uint32)u_logout))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
+	if (!account_policy_set(AP_BAD_ATTEMPT_LOCKOUT, delta->account_lockout.bad_attempt_lockout))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
+	if (!account_policy_set(AP_RESET_COUNT_TIME, (uint32)u_lockoutreset/60))
 		return nt_status;
 
 	if (u_lockouttime != -1)
 		u_lockouttime /= 60;
 
-	if (!pdb_set_account_policy(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
+	if (!account_policy_set(AP_LOCK_ACCOUNT_DURATION, (uint32)u_lockouttime))
 		return nt_status;
 
-	if (!pdb_set_account_policy(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
+	if (!account_policy_set(AP_USER_MUST_LOGON_TO_CHG_PASS, delta->logon_chgpass))
 		return nt_status;
 
 	return NT_STATUS_OK;
diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
index d29b6ea66c..3584ef0367 100644
--- a/source3/utils/pdbedit.c
+++ b/source3/utils/pdbedit.c
@@ -119,27 +119,6 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) {
 }
 
 /*********************************************************
- Add all currently available account policy from tdb to one backend
- ********************************************************/
-
-static int export_account_policies (struct pdb_context *in, struct pdb_context *out) 
-{
-	int i;
-
-	for (i=1; decode_account_policy_name(i) != NULL; i++) {
-		uint32 policy_value;
-		if (NT_STATUS_IS_ERR(in->pdb_get_account_policy(in, i, &policy_value))) {
-			fprintf(stderr, "Can't get account policy from tdb\n");
-			return -1;
-		}
-		out->pdb_set_account_policy(out, i, policy_value);
-	}
-
-	return 0;
-}
-
-
-/*********************************************************
  Print info from sam structure
 **********************************************************/
 
@@ -669,7 +648,6 @@ int main (int argc, char **argv)
 	static char *backend_in = NULL;
 	static char *backend_out = NULL;
 	static BOOL transfer_groups = False;
-	static BOOL transfer_account_policies = False;
 	static BOOL  force_initialised_password = False;
 	static char *logon_script = NULL;
 	static char *profile_path = NULL;
@@ -710,7 +688,6 @@ int main (int argc, char **argv)
 		{"import",	'i', POPT_ARG_STRING, &backend_in, 0, "import user accounts from this backend", NULL},
 		{"export",	'e', POPT_ARG_STRING, &backend_out, 0, "export user accounts to this backend", NULL},
 		{"group",	'g', POPT_ARG_NONE, &transfer_groups, 0, "use -i and -e for groups", NULL},
-		{"policies",	'y', POPT_ARG_NONE, &transfer_account_policies, 0, "use -i and -e to move account policies between backends", NULL},
 		{"account-policy",	'P', POPT_ARG_STRING, &account_policy, 0,"value of an account policy (like maximum password age)",NULL},
 		{"value",       'C', POPT_ARG_LONG, &account_policy_value, 'C',"set the account policy to this value", NULL},
 		{"account-control",	'c', POPT_ARG_STRING, &account_control, 0, "Values of account control", NULL},
@@ -810,22 +787,20 @@ int main (int argc, char **argv)
 			SAFE_FREE(apn);
 			exit(1);
 		}
-		if (!pdb_get_account_policy(field, &value)) {
+		if (!account_policy_get(field, &value)) {
 			fprintf(stderr, "valid account policy, but unable to fetch value!\n");
-			if (!account_policy_value_set)
-				exit(1);
+			exit(1);
 		}
-		printf("account policy \"%s\" description: %s\n", account_policy, account_policy_get_comment(field));
 		if (account_policy_value_set) {
-			printf("account policy \"%s\" value was: %u\n", account_policy, value);
-			if (!pdb_set_account_policy(field, account_policy_value)) {
+			printf("account policy value for %s was %u\n", account_policy, value);
+			if (!account_policy_set(field, account_policy_value)) {
 				fprintf(stderr, "valid account policy, but unable to set value!\n");
 				exit(1);
 			}
-			printf("account policy \"%s\" value is now: %lu\n", account_policy, account_policy_value);
+			printf("account policy value for %s is now %lu\n", account_policy, account_policy_value);
 			exit(0);
 		} else {
-			printf("account policy \"%s\" value is: %u\n", account_policy, value);
+			printf("account policy value for %s is %u\n", account_policy, value);
 			exit(0);
 		}
 	}
@@ -849,10 +824,7 @@ int main (int argc, char **argv)
 		} else {
 			bout = bdef;
 		}
-		if (transfer_account_policies) {
-			if (!(checkparms & BIT_USER))
-				return export_account_policies(bin, bout);
-		} else 	if (transfer_groups) {
+		if (transfer_groups) {
 			if (!(checkparms & BIT_USER))
 				return export_groups(bin, bout);
 		} else {