Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/aio.c8
-rw-r--r--source3/smbd/nttrans.c2
-rw-r--r--source3/smbd/open.c34
3 files changed, 34 insertions, 10 deletions
diff --git a/source3/smbd/aio.c b/source3/smbd/aio.c
index 6b19e098e5..cfa4b430eb 100644
--- a/source3/smbd/aio.c
+++ b/source3/smbd/aio.c
@@ -347,7 +347,7 @@ static int handle_aio_read_complete(struct aio_extra *aio_ex)
/* If errno is ECANCELED then don't return anything to the
* client. */
if (errno == ECANCELED) {
- srv_cancel_sign_response(aio_ex->req->mid);
+ srv_cancel_sign_response(aio_ex->req->mid, false);
return 0;
}
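Review bot: The new second argument to `srv_cancel_sign_response` is passed as a bare `false` here, which says nothing about what it selects. The same applies in `handle_aio_write_complete`, at both calls in `smbd_aio_complete_mid`, and to the `true` in `reply_ntcancel` in nttrans.c. The function's definition is not in this diff (the diffstat is limited to source3/smbd), so a reader cannot tell why only the NT cancel path passes `true`. Judging by its name the function touches SMB signing state, so the distinction is worth documenting at each call. I would annotate the argument the way this commit already does for `SMB_VFS_CREATE_FILE`, e.g. `srv_cancel_sign_response(aio_ex->req->mid, false /* <parameter name> */);`, using the real parameter name from the definition.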
@@ -441,7 +441,7 @@ static int handle_aio_write_complete(struct aio_extra *aio_ex)
/* If errno is ECANCELED then don't return anything to the
* client. */
if (errno == ECANCELED) {
- srv_cancel_sign_response(aio_ex->req->mid);
+ srv_cancel_sign_response(aio_ex->req->mid, false);
return 0;
}
@@ -534,7 +534,7 @@ void smbd_aio_complete_mid(unsigned int mid)
if (!aio_ex) {
DEBUG(3,("smbd_aio_complete_mid: Can't find record to "
"match mid %u.\n", mid));
- srv_cancel_sign_response(mid);
+ srv_cancel_sign_response(mid, false);
return;
}
@@ -544,7 +544,7 @@ void smbd_aio_complete_mid(unsigned int mid)
* ignore. */
DEBUG( 3,( "smbd_aio_complete_mid: file closed whilst "
"aio outstanding (mid[%u]).\n", mid));
- srv_cancel_sign_response(mid);
+ srv_cancel_sign_response(mid, false);
return;
}
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 86a46505a2..9c7fb1914e 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -1131,7 +1131,7 @@ void reply_ntcancel(struct smb_request *req)
START_PROFILE(SMBntcancel);
remove_pending_change_notify_requests_by_mid(req->mid);
remove_pending_lock_requests_by_mid(req->mid);
- srv_cancel_sign_response(req->mid);
+ srv_cancel_sign_response(req->mid, true);
DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", req->mid));
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index acd347520d..c8cc2e64a3 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -2386,6 +2386,14 @@ static NTSTATUS open_directory(connection_struct *conn,
return status;
}
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ DEBUG(10, ("open_directory: open on %s "
+ "failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n",
+ fname));
+ return NT_STATUS_PRIVILEGE_NOT_HELD;
+ }
+
switch( create_disposition ) {
case FILE_OPEN:
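Review bot: The comment `/* We need to support SeSecurityPrivilege for this. */` reads as if the privilege were already handled, while the code under it refuses every directory open that asks for `SEC_RIGHT_SYSTEM_SECURITY`. I would word it as `/* SeSecurityPrivilege is not implemented yet, so refuse any request for SEC_RIGHT_SYSTEM_SECURITY. */` so the next maintainer knows this is a deliberate deny-by-default until the privilege check exists. The same comment is repeated in the `#else` branch added to `create_file_unixpath` and should change with it. The body of `open_directory` starts and ends outside this hunk.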
@@ -2719,7 +2727,7 @@ struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
* If that works, delete them all by setting the delete on close and close.
*/
-static NTSTATUS open_streams_for_delete(connection_struct *conn,
+NTSTATUS open_streams_for_delete(connection_struct *conn,
const char *fname)
{
struct stream_struct *stream_info;
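Review bot: Dropping `static` gives `open_streams_for_delete` external linkage, but the comment above it still describes only the mechanism. No declaration or outside caller is visible in this diff. Now that other files can call it, the header comment should state the contract: what `fname` is expected to be (presumably the base file's path), and what status comes back when a stream cannot be opened for delete. It is also worth confirming that a prototype is added in the header that the new caller includes. The function body continues outside this hunk.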
@@ -2777,13 +2785,15 @@ static NTSTATUS open_streams_for_delete(connection_struct *conn,
goto fail;
}
- status = create_file_unixpath
- (conn, /* conn */
+ status = SMB_VFS_CREATE_FILE(
+ conn, /* conn */
NULL, /* req */
+ 0, /* root_dir_fid */
streamname, /* fname */
+ 0, /* create_file_flags */
DELETE_ACCESS, /* access_mask */
- FILE_SHARE_READ | FILE_SHARE_WRITE
- | FILE_SHARE_DELETE, /* share_access */
+ (FILE_SHARE_READ | /* share_access */
+ FILE_SHARE_WRITE | FILE_SHARE_DELETE),
FILE_OPEN, /* create_disposition*/
NTCREATEX_OPTIONS_PRIVATE_STREAM_DELETE, /* create_options */
FILE_ATTRIBUTE_NORMAL, /* file_attributes */
@@ -2929,6 +2939,20 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
status = NT_STATUS_PRIVILEGE_NOT_HELD;
goto fail;
}
+#else
+ /* We need to support SeSecurityPrivilege for this. */
+ if (access_mask & SEC_RIGHT_SYSTEM_SECURITY) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
+ /* Don't allow a SACL set from an NTtrans create until we
+ * support SeSecurityPrivilege. */
+ if (!VALID_STAT(sbuf) &&
+ lp_nt_acl_support(SNUM(conn)) &&
+ sd && (sd->sacl != NULL)) {
+ status = NT_STATUS_PRIVILEGE_NOT_HELD;
+ goto fail;
+ }
#endif
if ((conn->fs_capabilities & FILE_NAMED_STREAMS)
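Review bot: Both refusals added in the `#else` branch return `NT_STATUS_PRIVILEGE_NOT_HELD` without logging anything, whereas the matching check added to `open_directory` emits a `DEBUG(10, ...)` naming the file. I would add a message before each `goto fail`, e.g. `DEBUG(10, ("create_file_unixpath: open on %s failed - SEC_RIGHT_SYSTEM_SECURITY denied.\n", fname));`, assuming the file-name parameter here is also called `fname`. A separate message for the SACL-in-descriptor case would let the logs distinguish the two denial reasons. The `#if` condition that selects between this branch and the one above it is outside the hunk, so which branch is compiled cannot be confirmed from here.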