samba-mirror/source4/torture/rpc/lsa.c

/*
   Unix SMB/CIFS implementation.
   test suite for lsa rpc operations

   Copyright (C) Andrew Tridgell 2003
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "torture/torture.h"
#include "source3/libads/netlogon_ping.h"
#include "../lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/netlogon.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "librpc/gen_ndr/ndr_netlogon_c.h"
#include "lib/events/events.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "torture/rpc/torture_rpc.h"
#include "param/param.h"
#include "source4/auth/kerberos/kerberos.h"
#include "source4/auth/kerberos/kerberos_util.h"
#include "lib/util/util_net.h"
#include "libcli/resolve/resolve.h"
#include "source3/rpc_client/init_lsa.h"
#include "librpc/gen_ndr/ndr_lsa.h"
#include "librpc/rpc/dcerpc_lsa.h"

#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>

#define TEST_MACHINENAME "lsatestmach"
#define TRUSTPW "12345678"

static bool test_OpenPolicy(struct dcerpc_binding_handle *b,
			    struct torture_context *tctx)
{
	struct lsa_ObjectAttribute attr;
	struct policy_handle handle;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy r;
	uint16_t system_name = '\\';

	torture_comment(tctx, "\nTesting OpenPolicy\n");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = &system_name;
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenPolicy_r(b, tctx, &r),
				   "OpenPolicy failed");

	torture_assert_ntstatus_ok(tctx,
				   r.out.result,
				   "OpenPolicy failed");

	return true;
}

static bool test_OpenPolicy_fail(struct dcerpc_binding_handle *b,
				 struct torture_context *tctx)
{
	struct lsa_ObjectAttribute attr;
	struct policy_handle handle;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy r;
	uint16_t system_name = '\\';
	NTSTATUS status;

	torture_comment(tctx, "\nTesting OpenPolicy_fail\n");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = &system_name;
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	status = dcerpc_lsa_OpenPolicy_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
			torture_comment(tctx,
					"OpenPolicy correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "OpenPolicy return value should "
					      "be ACCESS_DENIED");
		return true;
	}

	if (!NT_STATUS_IS_OK(r.out.result)) {
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			torture_comment(tctx,
					"OpenPolicy correctly returned with "
					"result: %s\n",
					nt_errstr(r.out.result));
			return true;
		}
	}

	torture_assert_ntstatus_equal(tctx,
				      r.out.result,
				      NT_STATUS_OK,
				      "OpenPolicy return value should be "
				      "ACCESS_DENIED");

	return false;
}


bool test_lsa_OpenPolicy2_ex(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx,
			     struct policy_handle **handle,
			     NTSTATUS expected_status,
			     NTSTATUS expected_status2)
{
	struct lsa_ObjectAttribute attr;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy2 r;
	NTSTATUS status;

	torture_comment(tctx, "\nTesting OpenPolicy2\n");

	*handle = talloc(tctx, struct policy_handle);
	torture_assert(tctx, *handle != NULL, "talloc(tctx, struct policy_handle)");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = "\\";
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = *handle;

	status = dcerpc_lsa_OpenPolicy2_r(b, tctx, &r);

	/* Allow two possible failure status codes */
	if (!NT_STATUS_EQUAL(status, expected_status2)) {
		torture_assert_ntstatus_equal(tctx, status,
					      expected_status,
					      "OpenPolicy2 failed");
	}
	if (!NT_STATUS_IS_OK(expected_status) ||
	    !NT_STATUS_IS_OK(expected_status2)) {
		return true;
	}

	torture_assert_ntstatus_ok(tctx,
				   r.out.result,
				   "OpenPolicy2 failed");

	return true;
}


bool test_lsa_OpenPolicy2(struct dcerpc_binding_handle *b,
			  struct torture_context *tctx,
			  struct policy_handle **handle)
{
	return test_lsa_OpenPolicy2_ex(b, tctx, handle,
				       NT_STATUS_OK, NT_STATUS_OK);
}

static bool test_OpenPolicy2_fail(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx)
{
	struct lsa_ObjectAttribute attr;
	struct policy_handle handle;
	struct lsa_QosInfo qos;
	struct lsa_OpenPolicy2 r;
	NTSTATUS status;

	torture_comment(tctx, "\nTesting OpenPolicy2_fail\n");

	qos.len = 0;
	qos.impersonation_level = 2;
	qos.context_mode = 1;
	qos.effective_only = 0;

	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = "\\";
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	status = dcerpc_lsa_OpenPolicy2_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
			torture_comment(tctx,
					"OpenPolicy2 correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "OpenPolicy2 return value should "
					      "be ACCESS_DENIED");
		return true;
	}

	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
	    NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
		torture_comment(tctx,
				"OpenPolicy2 correctly returned with "
				"result: %s\n",
				nt_errstr(r.out.result));
		return true;
	}

	torture_fail(tctx,
		     "OpenPolicy2 return value should be "
		     "ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED");

	return false;
}

bool test_lsa_OpenPolicy3_ex(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx,
			     struct policy_handle **handle,
			     NTSTATUS expected_status,
			     NTSTATUS expected_status2)
{
	struct lsa_QosInfo qos = {
		.impersonation_level = 2,
		.context_mode = 1,
	};
	struct lsa_ObjectAttribute attr = {
		.len = 0,
		.sec_qos = &qos,
	};
	struct lsa_revision_info1 in_rinfo1 = {
		.revision = 1,
		.supported_features = LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
	};
	union lsa_revision_info in_rinfo = {
		.info1 = in_rinfo1,
	};
	struct lsa_revision_info1 out_rinfo1 = {
		.revision = 0,
	};
	union lsa_revision_info out_rinfo = {
		.info1 = out_rinfo1,
	};
	uint32_t out_version = 0;
	struct lsa_OpenPolicy3 r = {
		.in.system_name = "\\",
		.in.attr = &attr,
		.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED,
		.in.in_version = 1,
		.in.in_revision_info = &in_rinfo,
		.out.out_version = &out_version,
		.out.out_revision_info = &out_rinfo,
	};
	NTSTATUS status;

	torture_comment(tctx, "\nTesting OpenPolicy3\n");

	*handle = talloc(tctx, struct policy_handle);
	torture_assert(tctx,
		       *handle != NULL,
		       "talloc(tctx, struct policy_handle)");
	r.out.handle = *handle;

	status = dcerpc_lsa_OpenPolicy3_r(b, tctx, &r);

	/* Allow two possible failure status codes */
	if (!NT_STATUS_EQUAL(status, expected_status2)) {
		torture_assert_ntstatus_equal(tctx,
					      status,
					      expected_status,
					      "OpenPolicy3 failed");
	}
	if (!NT_STATUS_IS_OK(expected_status) ||
	    !NT_STATUS_IS_OK(expected_status2)) {
		return true;
	}

	torture_assert_ntstatus_ok(tctx, r.out.result, "OpenPolicy3 failed");
	torture_assert_int_equal(tctx, out_version, 1, "Invalid out_version");
	torture_assert_int_equal(tctx,
				 out_rinfo1.revision,
				 1,
				 "Invalid revision");
	torture_assert_int_equal(tctx,
				 out_rinfo1.supported_features,
				 LSA_FEATURE_TDO_AUTH_INFO_AES_CIPHER,
				 "Invalid supported feature set");

	return true;
}

bool test_lsa_OpenPolicy3(struct dcerpc_binding_handle *b,
			  struct torture_context *tctx,
			  struct policy_handle **handle)
{
	return test_lsa_OpenPolicy3_ex(b,
				       tctx,
				       handle,
				       NT_STATUS_OK,
				       NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE);
}

static bool test_OpenPolicy3_fail(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx)
{
	struct policy_handle handle = {
		.handle_type = 0,
	};
	struct lsa_QosInfo qos = {
		.impersonation_level = 2,
		.context_mode = 1,
	};
	struct lsa_ObjectAttribute attr = {
		.len = 0,
		.sec_qos = &qos,
	};
	struct lsa_revision_info1 in_rinfo1 = {
		.revision = 0,
		.supported_features = 0,
	};
	union lsa_revision_info in_rinfo = {
		.info1 = in_rinfo1,
	};
	struct lsa_revision_info1 out_rinfo1 = {
		.revision = 0,
	};
	union lsa_revision_info out_rinfo = {
		.info1 = out_rinfo1,
	};
	uint32_t out_version = 0;
	struct lsa_OpenPolicy3 r = {
		.in.system_name = "\\",
		.in.attr = &attr,
		.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED,
		.in.in_version = 1,
		.in.in_revision_info = &in_rinfo,
		.out.out_version = &out_version,
		.out.out_revision_info = &out_rinfo,
		.out.handle = &handle,
	};
	NTSTATUS status;

	torture_comment(tctx, "\nTesting OpenPolicy3_fail\n");

	status = dcerpc_lsa_OpenPolicy3_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status,
				    NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
			torture_comment(tctx,
					"OpenPolicy3 correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "OpenPolicy3 return value should "
					      "be ACCESS_DENIED or CONNECTION_DISCONNECTED");
		return true;
	}

	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
	    NT_STATUS_EQUAL(r.out.result,
			    NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
		torture_comment(tctx,
				"OpenPolicy3 correctly returned with "
				"result: %s\n",
				nt_errstr(r.out.result));
		return true;
	}

	torture_fail(tctx,
		     "OpenPolicy3 return value should be "
		     "ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED");

	return false;
}

static bool test_LookupNames(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx,
			     struct policy_handle *handle,
			     enum lsa_LookupNamesLevel level,
			     struct lsa_TransNameArray *tnames)
{
	struct lsa_LookupNames r;
	struct lsa_TransSidArray sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String *names;
	uint32_t count = 0;
	int i;
	uint32_t *input_idx;

	torture_comment(tctx, "\nTesting LookupNames with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;


	r.in.num_names = 0;

	input_idx = talloc_array(tctx, uint32_t, tnames->count);
	names = talloc_array(tctx, struct lsa_String, tnames->count);

	for (i=0;i<tnames->count;i++) {
		if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
			init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
			input_idx[r.in.num_names] = i;
			r.in.num_names++;
		}
	}

	r.in.handle = handle;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
				   "LookupNames failed");
	if (NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED) ||
	    NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
		for (i=0;i< r.in.num_names;i++) {
			if (i < count && sids.sids[i].sid_type == SID_NAME_UNKNOWN) {
				torture_comment(tctx, "LookupName of %s was unmapped\n",
				       tnames->names[i].name.string);
			} else if (i >=count) {
				torture_comment(tctx, "LookupName of %s failed to return a result\n",
				       tnames->names[i].name.string);
			}
		}
		torture_assert_ntstatus_ok(tctx, r.out.result,
					   "LookupNames failed");
	} else if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_assert_ntstatus_ok(tctx, r.out.result,
					   "LookupNames failed");
	}

	for (i=0;i< r.in.num_names;i++) {
		torture_assert(tctx, (i < count),
			       talloc_asprintf(tctx,
			       "LookupName of %s failed to return a result\n",
			       tnames->names[input_idx[i]].name.string));

		torture_assert_int_equal(tctx,
					 sids.sids[i].sid_type,
					 tnames->names[input_idx[i]].sid_type,
					 talloc_asprintf(tctx,
					 "LookupName of %s got unexpected name type: %s\n",
					 tnames->names[input_idx[i]].name.string,
					 sid_type_lookup(sids.sids[i].sid_type)));
		if (sids.sids[i].sid_type != SID_NAME_DOMAIN) {
			continue;
		}
		torture_assert_int_equal(tctx,
					 sids.sids[i].rid,
					 UINT32_MAX,
					 talloc_asprintf(tctx,
					 "LookupName of %s got unexpected rid: %d\n",
					 tnames->names[input_idx[i]].name.string,
					 sids.sids[i].rid));
	}

	return true;
}

static bool test_LookupNames_bogus(struct dcerpc_binding_handle *b,
				   struct torture_context *tctx,
				   struct policy_handle *handle,
				   enum lsa_LookupNamesLevel level)
{
	struct lsa_LookupNames r;
	struct lsa_TransSidArray sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String names[1];
	uint32_t count = 0;

	torture_comment(tctx, "\nTesting LookupNames with bogus name\n");

	sids.count = 0;
	sids.sids = NULL;

	init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");

	r.in.handle = handle;
	r.in.num_names = 1;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
				   "LookupNames bogus failed");
	if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
		torture_comment(tctx, "LookupNames failed - %s\n",
				nt_errstr(r.out.result));
		return false;
	}

	torture_comment(tctx, "\n");

	return true;
}

static bool test_LookupNames_NULL(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx,
				  struct policy_handle *handle,
				  enum lsa_LookupNamesLevel level)
{
	struct lsa_LookupNames r;
	struct lsa_TransSidArray sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String names[1];
	uint32_t count = 0;

	torture_comment(tctx, "\nTesting LookupNames with NULL name\n");

	sids.count = 0;
	sids.sids = NULL;

	names[0].string = NULL;

	r.in.handle = handle;
	r.in.num_names = 1;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	/* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
	 * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
	 *
	 * w2k3/w2k8 return NT_STATUS_OK with sid_type
	 * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
	 */

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames_r(b, tctx, &r),
		"LookupNames with NULL name failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"LookupNames with NULL name failed");

	torture_comment(tctx, "\n");

	return true;
}

static bool test_LookupNames_wellknown(struct dcerpc_binding_handle *b,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       enum lsa_LookupNamesLevel level)
{
	struct lsa_TranslatedName name;
	struct lsa_TransNameArray tnames;
	bool ret = true;

	torture_comment(tctx, "Testing LookupNames with well known names\n");

	tnames.names = &name;
	tnames.count = 1;
	name.name.string = "NT AUTHORITY\\SYSTEM";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "NT AUTHORITY\\ANONYMOUS LOGON";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "NT AUTHORITY\\Authenticated Users";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

#if 0
	name.name.string = "NT AUTHORITY";
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "NT AUTHORITY\\";
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);
#endif

	name.name.string = "BUILTIN\\";
	name.sid_type = SID_NAME_DOMAIN;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "BUILTIN\\Administrators";
	name.sid_type = SID_NAME_ALIAS;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "SYSTEM";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);

	name.name.string = "Everyone";
	name.sid_type = SID_NAME_WKN_GRP;
	ret &= test_LookupNames(b, tctx, handle, level, &tnames);
	return ret;
}

static bool test_LookupNames2(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      struct policy_handle *handle,
			      enum lsa_LookupNamesLevel level,
			      struct lsa_TransNameArray2 *tnames,
			      bool check_result)
{
	struct lsa_LookupNames2 r;
	struct lsa_TransSidArray2 sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String *names;
	uint32_t *input_idx;
	uint32_t count = 0;
	int i;

	torture_comment(tctx, "\nTesting LookupNames2 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	r.in.num_names = 0;

	input_idx = talloc_array(tctx, uint32_t, tnames->count);
	names = talloc_array(tctx, struct lsa_String, tnames->count);

	for (i=0;i<tnames->count;i++) {
		if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
			init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
			input_idx[r.in.num_names] = i;
			r.in.num_names++;
		}
	}

	r.in.handle = handle;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames2_r(b, tctx, &r),
		"LookupNames2 failed");
	torture_assert_ntstatus_ok(tctx, r.out.result, "LookupNames2 failed");

	if (check_result) {
		torture_assert_int_equal(tctx, count, sids.count,
			"unexpected number of results returned");
		if (sids.count > 0) {
			torture_assert(tctx, sids.sids, "invalid sid buffer");
		}
	}

	torture_comment(tctx, "\n");

	return true;
}


static bool test_LookupNames3(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      struct policy_handle *handle,
			      enum lsa_LookupNamesLevel level,
			      struct lsa_TransNameArray2 *tnames,
			      bool check_result)
{
	struct lsa_LookupNames3 r;
	struct lsa_TransSidArray3 sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String *names;
	uint32_t count = 0;
	int i;
	uint32_t *input_idx;

	torture_comment(tctx, "\nTesting LookupNames3 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	r.in.num_names = 0;

	input_idx = talloc_array(tctx, uint32_t, tnames->count);
	names = talloc_array(tctx, struct lsa_String, tnames->count);
	for (i=0;i<tnames->count;i++) {
		if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
			init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
			input_idx[r.in.num_names] = i;
			r.in.num_names++;
		}
	}

	r.in.handle = handle;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames3_r(b, tctx, &r),
		"LookupNames3 failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"LookupNames3 failed");

	if (check_result) {
		torture_assert_int_equal(tctx, count, sids.count,
			"unexpected number of results returned");
		if (sids.count > 0) {
			torture_assert(tctx, sids.sids, "invalid sid buffer");
		}
	}

	torture_comment(tctx, "\n");

	return true;
}

static bool test_LookupNames4(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      enum lsa_LookupNamesLevel level,
			      struct lsa_TransNameArray2 *tnames,
			      bool check_result)
{
	struct lsa_LookupNames4 r;
	struct lsa_TransSidArray3 sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String *names;
	uint32_t count = 0;
	int i;
	uint32_t *input_idx;

	torture_comment(tctx, "\nTesting LookupNames4 with %d names\n", tnames->count);

	sids.count = 0;
	sids.sids = NULL;

	r.in.num_names = 0;

	input_idx = talloc_array(tctx, uint32_t, tnames->count);
	names = talloc_array(tctx, struct lsa_String, tnames->count);
	for (i=0;i<tnames->count;i++) {
		if (tnames->names[i].sid_type != SID_NAME_UNKNOWN) {
			init_lsa_String(&names[r.in.num_names], tnames->names[i].name.string);
			input_idx[r.in.num_names] = i;
			r.in.num_names++;
		}
	}

	r.in.num_names = tnames->count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames4_r(b, tctx, &r),
		"LookupNames4 failed");

	if (!NT_STATUS_IS_OK(r.out.result)) {
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
			torture_comment(tctx,
					"LookupNames4 failed: %s - not considered as an error",
					nt_errstr(r.out.result));

			return true;
		}
	}
	torture_assert_ntstatus_ok(tctx,
				   r.out.result,
				   "LookupNames4 failed");

	if (check_result) {
		torture_assert_int_equal(tctx, count, sids.count,
			"unexpected number of results returned");
		if (sids.count > 0) {
			torture_assert(tctx, sids.sids, "invalid sid buffer");
		}
	}

	torture_comment(tctx, "\n");

	return true;
}

static bool test_LookupNames4_fail(struct dcerpc_binding_handle *b,
				   struct torture_context *tctx,
				   enum lsa_LookupNamesLevel level)
{
	struct lsa_LookupNames4 r;
	struct lsa_TransSidArray3 sids;
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_String *names = NULL;
	uint32_t count = 0;
	NTSTATUS status;

	torture_comment(tctx, "\nTesting LookupNames4_fail");

	sids.count = 0;
	sids.sids = NULL;

	r.in.num_names = 0;

	r.in.num_names = count;
	r.in.names = names;
	r.in.sids = &sids;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.count = &count;
	r.out.sids = &sids;
	r.out.domains = &domains;

	status = dcerpc_lsa_LookupNames4_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED)) {
			torture_comment(tctx,
					"LookupNames4 correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "LookupNames4 return value should "
					      "be ACCESS_DENIED");
		return true;
	}

	if (!NT_STATUS_IS_OK(r.out.result)) {
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			torture_comment(tctx,
					"LookupSids3 correctly returned with "
					"result: %s\n",
					nt_errstr(r.out.result));
			return true;
		}
	}

	torture_fail(tctx,
		     "LookupNames4 return value should be "
		     "ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED");

	return false;
}


static bool test_LookupSids(struct dcerpc_binding_handle *b,
			    struct torture_context *tctx,
			    struct policy_handle *handle,
			    enum lsa_LookupNamesLevel level,
			    struct lsa_SidArray *sids)
{
	struct lsa_LookupSids r;
	struct lsa_TransNameArray names;
	struct lsa_RefDomainList *domains = NULL;
	uint32_t count = sids->num_sids;

	torture_comment(tctx, "\nTesting LookupSids\n");

	names.count = 0;
	names.names = NULL;

	r.in.handle = handle;
	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = level;
	r.in.count = &count;
	r.out.count = &count;
	r.out.names = &names;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
		"LookupSids failed");
	if (!NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
		torture_assert_ntstatus_ok(tctx, r.out.result,
			"LookupSids failed");
	}

	torture_comment(tctx, "\n");

	if (!test_LookupNames(b, tctx, handle, level, &names)) {
		return false;
	}

	return true;
}


static bool test_LookupSids2(struct dcerpc_binding_handle *b,
			    struct torture_context *tctx,
			    struct policy_handle *handle,
			    enum lsa_LookupNamesLevel level,
			    struct lsa_SidArray *sids)
{
	struct lsa_LookupSids2 r;
	struct lsa_TransNameArray2 names;
	struct lsa_RefDomainList *domains = NULL;
	uint32_t count = sids->num_sids;

	torture_comment(tctx, "\nTesting LookupSids2\n");

	names.count = 0;
	names.names = NULL;

	r.in.handle = handle;
	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.count = &count;
	r.out.names = &names;
	r.out.domains = &domains;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids2_r(b, tctx, &r),
		"LookupSids2 failed");
	if (!NT_STATUS_IS_OK(r.out.result) &&
	    !NT_STATUS_EQUAL(r.out.result, STATUS_SOME_UNMAPPED)) {
		torture_comment(tctx, "LookupSids2 failed - %s\n",
				nt_errstr(r.out.result));
		return false;
	}

	torture_comment(tctx, "\n");

	if (!test_LookupNames2(b, tctx, handle, level, &names, false)) {
		return false;
	}

	if (!test_LookupNames3(b, tctx, handle, level, &names, false)) {
		return false;
	}

	return true;
}

static bool test_LookupSids3(struct dcerpc_binding_handle *b,
			    struct torture_context *tctx,
			    enum lsa_LookupNamesLevel level,
			    struct lsa_SidArray *sids)
{
	struct lsa_LookupSids3 r;
	struct lsa_TransNameArray2 names;
	struct lsa_RefDomainList *domains = NULL;
	uint32_t count = sids->num_sids;

	torture_comment(tctx, "\nTesting LookupSids3\n");

	names.count = 0;
	names.names = NULL;

	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.domains = &domains;
	r.out.count = &count;
	r.out.names = &names;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids3_r(b, tctx, &r),
		"LookupSids3 failed");

	if (!NT_STATUS_IS_OK(r.out.result)) {
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NONE_MAPPED)) {
			torture_comment(tctx,
					"LookupSids3 failed: %s - not considered as an error",
					nt_errstr(r.out.result));

			return true;
		}

		torture_assert_ntstatus_ok(tctx,
					   r.out.result,
					   "LookupSids3 failed");

		return false;
	}

	torture_comment(tctx, "\n");

	if (!test_LookupNames4(b, tctx, level, &names, true)) {
		return false;
	}

	return true;
}

static bool test_LookupSids3_fail(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx,
				  enum lsa_LookupNamesLevel level,
				  struct lsa_SidArray *sids)
{
	struct lsa_LookupSids3 r;
	struct lsa_TransNameArray2 names;
	struct lsa_RefDomainList *domains = NULL;
	uint32_t count = sids->num_sids;
	NTSTATUS status;

	torture_comment(tctx, "\nTesting LookupSids3\n");

	names.count = 0;
	names.names = NULL;

	r.in.sids = sids;
	r.in.names = &names;
	r.in.level = level;
	r.in.count = &count;
	r.in.lookup_options = 0;
	r.in.client_revision = 0;
	r.out.domains = &domains;
	r.out.count = &count;
	r.out.names = &names;

	status = dcerpc_lsa_LookupSids3_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED)) {
			torture_comment(tctx,
					"LookupSids3 correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "LookupSids3 return value should "
					      "be ACCESS_DENIED");
		return true;
	}

	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
	    NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
		torture_comment(tctx,
				"LookupNames4 correctly returned with "
				"result: %s\n",
				nt_errstr(r.out.result));
		return true;
	}

	torture_fail(tctx,
		     "LookupSids3 return value should be "
		     "ACCESS_DENIED or RPC_PROTSEQ_NOT_SUPPORTED");

	return false;
}

bool test_many_LookupSids(struct dcerpc_pipe *p,
			  struct torture_context *tctx,
			  struct policy_handle *handle,
			  enum lsa_LookupNamesLevel level)
{
	uint32_t count;
	struct lsa_SidArray sids;
	int i;
	struct dcerpc_binding_handle *b = p->binding_handle;
	enum dcerpc_transport_t transport =
		dcerpc_binding_handle_get_transport(b);

	torture_comment(tctx, "\nTesting LookupSids with lots of SIDs\n");

	sids.num_sids = 100;

	sids.sids = talloc_array(tctx, struct lsa_SidPtr, sids.num_sids);

	for (i=0; i<sids.num_sids; i++) {
		const char *sidstr = "S-1-5-32-545";
		sids.sids[i].sid = dom_sid_parse_talloc(tctx, sidstr);
	}

	count = sids.num_sids;

	if (handle) {
		struct lsa_LookupSids r;
		struct lsa_TransNameArray names;
		struct lsa_RefDomainList *domains = NULL;
		names.count = 0;
		names.names = NULL;

		r.in.handle = handle;
		r.in.sids = &sids;
		r.in.names = &names;
		r.in.level = level;
		r.in.count = &names.count;
		r.out.count = &count;
		r.out.names = &names;
		r.out.domains = &domains;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupSids_r(b, tctx, &r),
			"LookupSids failed");
		if (!NT_STATUS_IS_OK(r.out.result)) {
			torture_comment(tctx, "LookupSids failed - %s\n",
					nt_errstr(r.out.result));
			return false;
		}

		torture_comment(tctx, "\n");

		if (!test_LookupNames(b, tctx, handle, level, &names)) {
			return false;
		}
	}

	if (transport == NCACN_NP) {
		if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
			return false;
		}
		if (!test_LookupNames4_fail(b, tctx, level)) {
			return false;
		}
	} else if (transport == NCACN_IP_TCP) {
		struct lsa_TransNameArray2 names;
		enum dcerpc_AuthType auth_type;
		enum dcerpc_AuthLevel auth_level;

		names.count = 0;
		names.names = NULL;

		dcerpc_binding_handle_auth_info(p->binding_handle,
						&auth_type, &auth_level);

		if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
		    auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
			if (!test_LookupSids3(b, tctx, level, &sids)) {
				return false;
			}
			if (!test_LookupNames4(b, tctx, level, &names, true)) {
				return false;
			}
		} else {
			/*
			 * If we don't have a secure channel these tests must
			 * fail with ACCESS_DENIED.
			 */
			if (!test_LookupSids3_fail(b, tctx, level, &sids)) {
				return false;
			}
			if (!test_LookupNames4_fail(b, tctx, level)) {
				return false;
			}
		}
	}

	torture_comment(tctx, "\n");



	return true;
}

static void lookupsids_cb(struct tevent_req *subreq)
{
	int *replies = (int *)tevent_req_callback_data_void(subreq);
	NTSTATUS status;

	status = dcerpc_lsa_LookupSids_r_recv(subreq, subreq);
	TALLOC_FREE(subreq);
	if (!NT_STATUS_IS_OK(status)) {
		printf("lookupsids returned %s\n", nt_errstr(status));
		*replies = -1;
	}

	if (*replies >= 0) {
		*replies += 1;
	}
}

static bool test_LookupSids_async(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx,
				  struct policy_handle *handle,
				  enum lsa_LookupNamesLevel level)
{
	struct lsa_SidArray sids;
	struct lsa_SidPtr sidptr;
	uint32_t *count;
	struct lsa_TransNameArray *names;
	struct lsa_LookupSids *r;
	struct lsa_RefDomainList *domains = NULL;
	struct tevent_req **req;
	int i, replies;
	bool ret = true;
	const int num_async_requests = 50;

	count = talloc_array(tctx, uint32_t, num_async_requests);
	names = talloc_array(tctx, struct lsa_TransNameArray, num_async_requests);
	r = talloc_array(tctx, struct lsa_LookupSids, num_async_requests);

	torture_comment(tctx, "\nTesting %d async lookupsids request\n", num_async_requests);

	req = talloc_array(tctx, struct tevent_req *, num_async_requests);

	sids.num_sids = 1;
	sids.sids = &sidptr;
	sidptr.sid = dom_sid_parse_talloc(tctx, "S-1-5-32-545");

	replies = 0;

	for (i=0; i<num_async_requests; i++) {
		count[i] = 0;
		names[i].count = 0;
		names[i].names = NULL;

		r[i].in.handle = handle;
		r[i].in.sids = &sids;
		r[i].in.names = &names[i];
		r[i].in.level = level;
		r[i].in.count = &names[i].count;
		r[i].out.count = &count[i];
		r[i].out.names = &names[i];
		r[i].out.domains = &domains;

		req[i] = dcerpc_lsa_LookupSids_r_send(tctx, tctx->ev, b, &r[i]);
		if (req[i] == NULL) {
			ret = false;
			break;
		}

		tevent_req_set_callback(req[i], lookupsids_cb, &replies);
	}

	while (replies >= 0 && replies < num_async_requests) {
		tevent_loop_once(tctx->ev);
	}

	talloc_free(req);

	if (replies < 0) {
		ret = false;
	}

	return ret;
}

static bool test_LookupPrivValue(struct dcerpc_binding_handle *b,
				 struct torture_context *tctx,
				 struct policy_handle *handle,
				 struct lsa_String *name)
{
	struct lsa_LookupPrivValue r;
	struct lsa_LUID luid;

	r.in.handle = handle;
	r.in.name = name;
	r.out.luid = &luid;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivValue_r(b, tctx, &r),
		"LookupPrivValue failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"LookupPrivValue failed");

	return true;
}

static bool test_LookupPrivName(struct dcerpc_binding_handle *b,
				struct torture_context *tctx,
				struct policy_handle *handle,
				struct lsa_LUID *luid)
{
	struct lsa_LookupPrivName r;
	struct lsa_StringLarge *name = NULL;

	r.in.handle = handle;
	r.in.luid = luid;
	r.out.name = &name;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r),
		"LookupPrivName failed");
	torture_assert_ntstatus_ok(tctx, r.out.result, "LookupPrivName failed");

	return true;
}

static bool test_RemovePrivilegesFromAccount(struct dcerpc_binding_handle *b,
					     struct torture_context *tctx,
					     struct policy_handle *handle,
					     struct policy_handle *acct_handle,
					     struct lsa_LUID *luid)
{
	struct lsa_RemovePrivilegesFromAccount r;
	struct lsa_PrivilegeSet privs;
	bool ret = true;

	torture_comment(tctx, "\nTesting RemovePrivilegesFromAccount\n");

	r.in.handle = acct_handle;
	r.in.remove_all = 0;
	r.in.privs = &privs;

	privs.count = 1;
	privs.unknown = 0;
	privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
	privs.set[0].luid = *luid;
	privs.set[0].attribute = 0;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_RemovePrivilegesFromAccount_r(b, tctx, &r),
		"RemovePrivilegesFromAccount failed");
	if (!NT_STATUS_IS_OK(r.out.result)) {

		struct lsa_LookupPrivName r_name;
		struct lsa_StringLarge *name = NULL;

		r_name.in.handle = handle;
		r_name.in.luid = luid;
		r_name.out.name = &name;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivName_r(b, tctx, &r_name),
			"LookupPrivName failed");
		if (!NT_STATUS_IS_OK(r_name.out.result)) {
			torture_comment(tctx, "\nLookupPrivName failed - %s\n",
					nt_errstr(r_name.out.result));
			return false;
		}
		/* Windows 2008 does not allow this to be removed */
		if (strcmp("SeAuditPrivilege", name->string) == 0) {
			return ret;
		}

		torture_comment(tctx, "RemovePrivilegesFromAccount failed to remove %s - %s\n",
		       name->string,
		       nt_errstr(r.out.result));
		return false;
	}

	return ret;
}

static bool test_AddPrivilegesToAccount(struct dcerpc_binding_handle *b,
					struct torture_context *tctx,
					struct policy_handle *acct_handle,
					struct lsa_LUID *luid)
{
	struct lsa_AddPrivilegesToAccount r;
	struct lsa_PrivilegeSet privs;
	bool ret = true;

	torture_comment(tctx, "\nTesting AddPrivilegesToAccount\n");

	r.in.handle = acct_handle;
	r.in.privs = &privs;

	privs.count = 1;
	privs.unknown = 0;
	privs.set = talloc_array(tctx, struct lsa_LUIDAttribute, 1);
	privs.set[0].luid = *luid;
	privs.set[0].attribute = 0;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_AddPrivilegesToAccount_r(b, tctx, &r),
		"AddPrivilegesToAccount failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"AddPrivilegesToAccount failed");
	return ret;
}

static bool test_EnumPrivsAccount(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx,
				  struct policy_handle *handle,
				  struct policy_handle *acct_handle)
{
	struct lsa_EnumPrivsAccount r;
	struct lsa_PrivilegeSet *privs = NULL;
	bool ret = true;

	torture_comment(tctx, "\nTesting EnumPrivsAccount\n");

	r.in.handle = acct_handle;
	r.out.privs = &privs;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivsAccount_r(b, tctx, &r),
		"EnumPrivsAccount failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"EnumPrivsAccount failed");

	if (privs && privs->count > 0) {
		int i;
		for (i=0;i<privs->count;i++) {
			test_LookupPrivName(b, tctx, handle,
					    &privs->set[i].luid);
		}

		ret &= test_RemovePrivilegesFromAccount(b, tctx, handle, acct_handle,
							&privs->set[0].luid);
		ret &= test_AddPrivilegesToAccount(b, tctx, acct_handle,
						   &privs->set[0].luid);
	}

	return ret;
}

static bool test_GetSystemAccessAccount(struct dcerpc_binding_handle *b,
					struct torture_context *tctx,
					struct policy_handle *handle,
					struct policy_handle *acct_handle)
{
	uint32_t access_mask;
	struct lsa_GetSystemAccessAccount r;

	torture_comment(tctx, "\nTesting GetSystemAccessAccount\n");

	r.in.handle = acct_handle;
	r.out.access_mask = &access_mask;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetSystemAccessAccount_r(b, tctx, &r),
		"GetSystemAccessAccount failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"GetSystemAccessAccount failed");

	if (r.out.access_mask != NULL) {
		torture_comment(tctx, "Rights:");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_INTERACTIVE)
			torture_comment(tctx, " LSA_POLICY_MODE_INTERACTIVE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_NETWORK)
			torture_comment(tctx, " LSA_POLICY_MODE_NETWORK");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_BATCH)
			torture_comment(tctx, " LSA_POLICY_MODE_BATCH");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_SERVICE)
			torture_comment(tctx, " LSA_POLICY_MODE_SERVICE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_PROXY)
			torture_comment(tctx, " LSA_POLICY_MODE_PROXY");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_INTERACTIVE)
			torture_comment(tctx, " LSA_POLICY_MODE_DENY_INTERACTIVE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_NETWORK)
			torture_comment(tctx, " LSA_POLICY_MODE_DENY_NETWORK");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_BATCH)
			torture_comment(tctx, " LSA_POLICY_MODE_DENY_BATCH");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_SERVICE)
			torture_comment(tctx, " LSA_POLICY_MODE_DENY_SERVICE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_REMOTE_INTERACTIVE)
			torture_comment(tctx, " LSA_POLICY_MODE_REMOTE_INTERACTIVE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE)
			torture_comment(tctx, " LSA_POLICY_MODE_DENY_REMOTE_INTERACTIVE");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL)
			torture_comment(tctx, " LSA_POLICY_MODE_ALL");
		if (*(r.out.access_mask) & LSA_POLICY_MODE_ALL_NT4)
			torture_comment(tctx, " LSA_POLICY_MODE_ALL_NT4");
		torture_comment(tctx, "\n");
	}

	return true;
}

static bool test_Delete(struct dcerpc_binding_handle *b,
			struct torture_context *tctx,
			struct policy_handle *handle)
{
	struct lsa_Delete r;

	torture_comment(tctx, "\nTesting Delete\n");

	r.in.handle = handle;
	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Delete_r(b, tctx, &r),
		"Delete failed");
	torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_NOT_SUPPORTED,
		"Delete should have failed NT_STATUS_NOT_SUPPORTED");

	return true;
}

static bool test_DeleteObject(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      struct policy_handle *handle)
{
	struct lsa_DeleteObject r;

	torture_comment(tctx, "\nTesting DeleteObject\n");

	r.in.handle = handle;
	r.out.handle = handle;
	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &r),
		"DeleteObject failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"DeleteObject failed");

	return true;
}


static bool test_CreateAccount(struct dcerpc_binding_handle *b,
			       struct torture_context *tctx,
			       struct policy_handle *handle)
{
	struct lsa_CreateAccount r;
	struct dom_sid2 *newsid;
	struct policy_handle acct_handle;

	newsid = dom_sid_parse_talloc(tctx, "S-1-5-12349876-4321-2854");

	torture_comment(tctx, "\nTesting CreateAccount\n");

	r.in.handle = handle;
	r.in.sid = newsid;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.acct_handle = &acct_handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateAccount_r(b, tctx, &r),
		"CreateAccount failed");
	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
		struct lsa_OpenAccount r_o;
		r_o.in.handle = handle;
		r_o.in.sid = newsid;
		r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		r_o.out.acct_handle = &acct_handle;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r_o),
			"OpenAccount failed");
		torture_assert_ntstatus_ok(tctx, r_o.out.result,
			"OpenAccount failed");
	} else {
		torture_assert_ntstatus_ok(tctx, r.out.result,
					   "CreateAccount failed");
	}

	if (!test_Delete(b, tctx, &acct_handle)) {
		return false;
	}

	if (!test_DeleteObject(b, tctx, &acct_handle)) {
		return false;
	}

	return true;
}

static bool test_DeleteTrustedDomain(struct dcerpc_binding_handle *b,
				     struct torture_context *tctx,
				     struct policy_handle *handle,
				     struct lsa_StringLarge name)
{
	struct lsa_OpenTrustedDomainByName r;
	struct policy_handle trustdom_handle;

	r.in.handle = handle;
	r.in.name.string = name.string;
	r.in.access_mask = SEC_STD_DELETE;
	r.out.trustdom_handle = &trustdom_handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &r),
		"OpenTrustedDomainByName failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"OpenTrustedDomainByName failed");

	if (!test_Delete(b, tctx, &trustdom_handle)) {
		return false;
	}

	if (!test_DeleteObject(b, tctx, &trustdom_handle)) {
		return false;
	}

	return true;
}

static bool test_DeleteTrustedDomainBySid(struct dcerpc_binding_handle *b,
					  struct torture_context *tctx,
					  struct policy_handle *handle,
					  struct dom_sid *sid)
{
	struct lsa_DeleteTrustedDomain r;

	r.in.handle = handle;
	r.in.dom_sid = sid;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteTrustedDomain_r(b, tctx, &r),
		"DeleteTrustedDomain failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"DeleteTrustedDomain failed");

	return true;
}


static bool test_CreateSecret(struct dcerpc_pipe *p,
			      struct torture_context *tctx,
			      struct policy_handle *handle)
{
	struct lsa_CreateSecret r;
	struct lsa_OpenSecret r2;
	struct lsa_SetSecret r3;
	struct lsa_QuerySecret r4;
	struct lsa_SetSecret r5;
	struct lsa_QuerySecret r6;
	struct lsa_SetSecret r7;
	struct lsa_QuerySecret r8;
	struct policy_handle sec_handle, sec_handle2, sec_handle3;
	struct lsa_DeleteObject d_o;
	struct lsa_DATA_BUF buf1;
	struct lsa_DATA_BUF_PTR bufp1;
	struct lsa_DATA_BUF_PTR bufp2;
	DATA_BLOB enc_key;
	bool ret = true;
	DATA_BLOB session_key;
	NTTIME old_mtime, new_mtime;
	DATA_BLOB blob1;
	const char *secret1 = "abcdef12345699qwerty";
	char *secret2;
 	const char *secret3 = "ABCDEF12345699QWERTY";
	char *secret4;
 	const char *secret5 = "NEW-SAMBA4-SECRET";
	char *secret6;
	char *secname[2];
	int i;
	const int LOCAL = 0;
	const int GLOBAL = 1;
	struct dcerpc_binding_handle *b = p->binding_handle;

	secname[LOCAL] = talloc_asprintf(tctx, "torturesecret-%u", (unsigned int)random());
	secname[GLOBAL] = talloc_asprintf(tctx, "G$torturesecret-%u", (unsigned int)random());

	for (i=0; i< 2; i++) {
		torture_comment(tctx, "\nTesting CreateSecret of %s\n", secname[i]);

		init_lsa_String(&r.in.name, secname[i]);

		r.in.handle = handle;
		r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		r.out.sec_handle = &sec_handle;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
			"CreateSecret failed");
		torture_assert_ntstatus_ok(tctx, r.out.result,
			"CreateSecret failed");

		r.in.handle = handle;
		r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		r.out.sec_handle = &sec_handle3;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateSecret_r(b, tctx, &r),
			"CreateSecret failed");
		torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_OBJECT_NAME_COLLISION,
					      "CreateSecret should have failed OBJECT_NAME_COLLISION");

		r2.in.handle = handle;
		r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		r2.in.name = r.in.name;
		r2.out.sec_handle = &sec_handle2;

		torture_comment(tctx, "Testing OpenSecret\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
			"OpenSecret failed");
		torture_assert_ntstatus_ok(tctx, r2.out.result,
					   "OpenSecret failed");

		torture_assert_ntstatus_ok(tctx,
			dcerpc_binding_handle_transport_session_key(b, tctx, &session_key),
			"transport_session_key failed");

		enc_key = sess_encrypt_string(secret1, &session_key);

		r3.in.sec_handle = &sec_handle;
		r3.in.new_val = &buf1;
		r3.in.old_val = NULL;
		r3.in.new_val->data = enc_key.data;
		r3.in.new_val->length = enc_key.length;
		r3.in.new_val->size = enc_key.length;

		torture_comment(tctx, "Testing SetSecret\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
			"SetSecret failed");
		torture_assert_ntstatus_ok(tctx, r3.out.result,
			"SetSecret failed");

		r3.in.sec_handle = &sec_handle;
		r3.in.new_val = &buf1;
		r3.in.old_val = NULL;
		r3.in.new_val->data = enc_key.data;
		r3.in.new_val->length = enc_key.length;
		r3.in.new_val->size = enc_key.length;

		/* break the encrypted data */
		enc_key.data[0]++;

		torture_comment(tctx, "Testing SetSecret with broken key\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r3),
					   "SetSecret failed");
		torture_assert_ntstatus_equal(tctx, r3.out.result, NT_STATUS_UNKNOWN_REVISION,
					      "SetSecret should have failed UNKNOWN_REVISION");

		data_blob_free(&enc_key);

		ZERO_STRUCT(new_mtime);
		ZERO_STRUCT(old_mtime);

		/* fetch the secret back again */
		r4.in.sec_handle = &sec_handle;
		r4.in.new_val = &bufp1;
		r4.in.new_mtime = &new_mtime;
		r4.in.old_val = NULL;
		r4.in.old_mtime = NULL;

		bufp1.buf = NULL;

		torture_comment(tctx, "Testing QuerySecret\n");
		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r4),
			"QuerySecret failed");
		if (!NT_STATUS_IS_OK(r4.out.result)) {
			torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r4.out.result));
			ret = false;
		} else {
			if (r4.out.new_val == NULL || r4.out.new_val->buf == NULL) {
				torture_comment(tctx, "No secret buffer returned\n");
				ret = false;
			} else {
				blob1.data = r4.out.new_val->buf->data;
				blob1.length = r4.out.new_val->buf->size;

				secret2 = sess_decrypt_string(tctx,
							      &blob1, &session_key);

				if (strcmp(secret1, secret2) != 0) {
					torture_comment(tctx, "Returned secret (r4) '%s' doesn't match '%s'\n",
					       secret2, secret1);
					ret = false;
				}
			}
		}

		enc_key = sess_encrypt_string(secret3, &session_key);

		r5.in.sec_handle = &sec_handle;
		r5.in.new_val = &buf1;
		r5.in.old_val = NULL;
		r5.in.new_val->data = enc_key.data;
		r5.in.new_val->length = enc_key.length;
		r5.in.new_val->size = enc_key.length;


		smb_msleep(200);
		torture_comment(tctx, "Testing SetSecret (existing value should move to old)\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r5),
			"SetSecret failed");
		if (!NT_STATUS_IS_OK(r5.out.result)) {
			torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r5.out.result));
			ret = false;
		}

		data_blob_free(&enc_key);

		ZERO_STRUCT(new_mtime);
		ZERO_STRUCT(old_mtime);

		/* fetch the secret back again */
		r6.in.sec_handle = &sec_handle;
		r6.in.new_val = &bufp1;
		r6.in.new_mtime = &new_mtime;
		r6.in.old_val = &bufp2;
		r6.in.old_mtime = &old_mtime;

		bufp1.buf = NULL;
		bufp2.buf = NULL;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r6),
			"QuerySecret failed");
		if (!NT_STATUS_IS_OK(r6.out.result)) {
			torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r6.out.result));
			ret = false;
			secret4 = NULL;
		} else {

			if (r6.out.new_val->buf == NULL || r6.out.old_val->buf == NULL
				|| r6.out.new_mtime == NULL || r6.out.old_mtime == NULL) {
				torture_comment(tctx, "Both secret buffers and both times not returned\n");
				ret = false;
				secret4 = NULL;
			} else {
				blob1.data = r6.out.new_val->buf->data;
				blob1.length = r6.out.new_val->buf->size;

				secret4 = sess_decrypt_string(tctx,
							      &blob1, &session_key);

				if (strcmp(secret3, secret4) != 0) {
					torture_comment(tctx, "Returned NEW secret %s doesn't match %s\n", secret4, secret3);
					ret = false;
				}

				blob1.data = r6.out.old_val->buf->data;
				blob1.length = r6.out.old_val->buf->length;

				secret2 = sess_decrypt_string(tctx,
							      &blob1, &session_key);

				if (strcmp(secret1, secret2) != 0) {
					torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret2, secret1);
					ret = false;
				}

				if (*r6.out.new_mtime == *r6.out.old_mtime) {
					torture_comment(tctx, "Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n",
					       i,
					       secname[i],
					       nt_time_string(tctx, *r6.out.old_mtime),
					       nt_time_string(tctx, *r6.out.new_mtime));
					ret = false;
				}
			}
		}

		enc_key = sess_encrypt_string(secret5, &session_key);

		r7.in.sec_handle = &sec_handle;
		r7.in.old_val = &buf1;
		r7.in.old_val->data = enc_key.data;
		r7.in.old_val->length = enc_key.length;
		r7.in.old_val->size = enc_key.length;
		r7.in.new_val = NULL;

		torture_comment(tctx, "Testing SetSecret of old Secret only\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_SetSecret_r(b, tctx, &r7),
			"SetSecret failed");
		if (!NT_STATUS_IS_OK(r7.out.result)) {
			torture_comment(tctx, "SetSecret failed - %s\n", nt_errstr(r7.out.result));
			ret = false;
		}

		data_blob_free(&enc_key);

		/* fetch the secret back again */
		r8.in.sec_handle = &sec_handle;
		r8.in.new_val = &bufp1;
		r8.in.new_mtime = &new_mtime;
		r8.in.old_val = &bufp2;
		r8.in.old_mtime = &old_mtime;

		bufp1.buf = NULL;
		bufp2.buf = NULL;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecret_r(b, tctx, &r8),
			"QuerySecret failed");
		if (!NT_STATUS_IS_OK(r8.out.result)) {
			torture_comment(tctx, "QuerySecret failed - %s\n", nt_errstr(r8.out.result));
			ret = false;
		} else {
			if (!r8.out.new_val || !r8.out.old_val) {
				torture_comment(tctx, "in/out pointers not returned, despite being set on in for QuerySecret\n");
				ret = false;
			} else if (r8.out.new_val->buf != NULL) {
				torture_comment(tctx, "NEW secret buffer must not be returned after OLD set\n");
				ret = false;
			} else if (r8.out.old_val->buf == NULL) {
				torture_comment(tctx, "OLD secret buffer was not returned after OLD set\n");
				ret = false;
			} else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
				torture_comment(tctx, "Both times not returned after OLD set\n");
				ret = false;
			} else {
				blob1.data = r8.out.old_val->buf->data;
				blob1.length = r8.out.old_val->buf->size;

				secret6 = sess_decrypt_string(tctx,
							      &blob1, &session_key);

				if (strcmp(secret5, secret6) != 0) {
					torture_comment(tctx, "Returned OLD secret %s doesn't match %s\n", secret5, secret6);
					ret = false;
				}

				if (*r8.out.new_mtime != *r8.out.old_mtime) {
					torture_comment(tctx, "Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n",
					       secname[i],
					       nt_time_string(tctx, *r8.out.old_mtime),
					       nt_time_string(tctx, *r8.out.new_mtime));
					ret = false;
				}
			}
		}

		if (!test_Delete(b, tctx, &sec_handle)) {
			ret = false;
		}

		if (!test_DeleteObject(b, tctx, &sec_handle)) {
			return false;
		}

		d_o.in.handle = &sec_handle2;
		d_o.out.handle = &sec_handle2;
		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_DeleteObject_r(b, tctx, &d_o),
			"DeleteObject failed");
		torture_assert_ntstatus_equal(tctx, d_o.out.result, NT_STATUS_INVALID_HANDLE,
					      "OpenSecret expected INVALID_HANDLE");

		torture_comment(tctx, "Testing OpenSecret of just-deleted secret\n");

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenSecret_r(b, tctx, &r2),
					   "OpenSecret failed");
		torture_assert_ntstatus_equal(tctx, r2.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND,
					      "OpenSecret expected OBJECT_NAME_NOT_FOUND");
	}
	return ret;
}


static bool test_EnumAccountRights(struct dcerpc_binding_handle *b,
				   struct torture_context *tctx,
				   struct policy_handle *acct_handle,
				   struct dom_sid *sid)
{
	struct lsa_EnumAccountRights r;
	struct lsa_RightSet rights;

	torture_comment(tctx, "\nTesting EnumAccountRights\n");

	r.in.handle = acct_handle;
	r.in.sid = sid;
	r.out.rights = &rights;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountRights_r(b, tctx, &r),
		"EnumAccountRights failed");
	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "EnumAccountRights of %s failed - %s\n",
		       dom_sid_string(tctx, sid), nt_errstr(r.out.result));
	}
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"EnumAccountRights failed");

	return true;
}


static bool test_QuerySecurity(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx,
			     struct policy_handle *handle,
			     struct policy_handle *acct_handle)
{
	struct lsa_QuerySecurity r;
	struct sec_desc_buf *sdbuf = NULL;

	if (torture_setting_bool(tctx, "samba4", false)) {
		torture_comment(tctx, "\nskipping QuerySecurity test against Samba4\n");
		return true;
	}

	torture_comment(tctx, "\nTesting QuerySecurity\n");

	r.in.handle = acct_handle;
	r.in.sec_info = SECINFO_OWNER |
			SECINFO_GROUP |
			SECINFO_DACL;
	r.out.sdbuf = &sdbuf;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QuerySecurity_r(b, tctx, &r),
		"QuerySecurity failed");
	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "QuerySecurity failed - %s\n", nt_errstr(r.out.result));
		return false;
	}

	return true;
}

static bool test_OpenAccount(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx,
			     struct policy_handle *handle,
			     struct dom_sid *sid)
{
	struct lsa_OpenAccount r;
	struct policy_handle acct_handle;

	torture_comment(tctx, "\nTesting OpenAccount\n");

	r.in.handle = handle;
	r.in.sid = sid;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.acct_handle = &acct_handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenAccount_r(b, tctx, &r),
		"OpenAccount failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"OpenAccount failed");

	if (!test_EnumPrivsAccount(b, tctx, handle, &acct_handle)) {
		return false;
	}

	if (!test_GetSystemAccessAccount(b, tctx, handle, &acct_handle)) {
		return false;
	}

	if (!test_QuerySecurity(b, tctx, handle, &acct_handle)) {
		return false;
	}

	return true;
}

static bool test_EnumAccounts(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      struct policy_handle *handle)
{
	struct lsa_EnumAccounts r;
	struct lsa_SidArray sids1, sids2;
	uint32_t resume_handle = 0;
	int i;
	bool ret = true;

	torture_comment(tctx, "\nTesting EnumAccounts\n");

	r.in.handle = handle;
	r.in.resume_handle = &resume_handle;
	r.in.num_entries = 100;
	r.out.resume_handle = &resume_handle;
	r.out.sids = &sids1;

	resume_handle = 0;
	while (true) {
		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
			"EnumAccounts failed");
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
			break;
		}
		torture_assert_ntstatus_ok(tctx, r.out.result,
			"EnumAccounts failed");

		if (!test_LookupSids(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
			return false;
		}

		if (!test_LookupSids2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &sids1)) {
			return false;
		}

		/* Can't test lookupSids3 here, as clearly we must not
		 * be on schannel, or we would not be able to do the
		 * rest */

		torture_comment(tctx, "Testing all accounts\n");
		for (i=0;i<sids1.num_sids;i++) {
			ret &= test_OpenAccount(b, tctx, handle, sids1.sids[i].sid);
			ret &= test_EnumAccountRights(b, tctx, handle, sids1.sids[i].sid);
		}
		torture_comment(tctx, "\n");
	}

	if (sids1.num_sids < 3) {
		return ret;
	}

	torture_comment(tctx, "Trying EnumAccounts partial listing (asking for 1 at 2)\n");
	resume_handle = 2;
	r.in.num_entries = 1;
	r.out.sids = &sids2;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccounts_r(b, tctx, &r),
		"EnumAccounts failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"EnumAccounts failed");

	if (sids2.num_sids != 1) {
		torture_comment(tctx, "Returned wrong number of entries (%d)\n", sids2.num_sids);
		return false;
	}

	return true;
}

static bool test_LookupPrivDisplayName(struct dcerpc_binding_handle *b,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       struct lsa_String *priv_name)
{
	struct lsa_LookupPrivDisplayName r;
	/* produce a reasonable range of language output without screwing up
	   terminals */
	uint16_t language_id = (random() % 4) + 0x409;
	uint16_t returned_language_id = 0;
	struct lsa_StringLarge *disp_name = NULL;

	torture_comment(tctx, "\nTesting LookupPrivDisplayName(%s)\n", priv_name->string);

	r.in.handle = handle;
	r.in.name = priv_name;
	r.in.language_id = language_id;
	r.in.language_id_sys = 0;
	r.out.returned_language_id = &returned_language_id;
	r.out.disp_name = &disp_name;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupPrivDisplayName_r(b, tctx, &r),
		"LookupPrivDisplayName failed");
	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "LookupPrivDisplayName failed - %s\n", nt_errstr(r.out.result));
		return false;
	}
	torture_comment(tctx, "%s -> \"%s\"  (language 0x%x/0x%x)\n",
	       priv_name->string, disp_name->string,
	       r.in.language_id, *r.out.returned_language_id);

	return true;
}

static bool test_EnumAccountsWithUserRight(struct dcerpc_binding_handle *b,
					   struct torture_context *tctx,
					   struct policy_handle *handle,
					   struct lsa_String *priv_name)
{
	struct lsa_EnumAccountsWithUserRight r;
	struct lsa_SidArray sids;

	ZERO_STRUCT(sids);

	torture_comment(tctx, "\nTesting EnumAccountsWithUserRight(%s)\n", priv_name->string);

	r.in.handle = handle;
	r.in.name = priv_name;
	r.out.sids = &sids;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumAccountsWithUserRight_r(b, tctx, &r),
		"EnumAccountsWithUserRight failed");

	/* NT_STATUS_NO_MORE_ENTRIES means no one has this privilege */
	if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
		return true;
	}

	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "EnumAccountsWithUserRight failed - %s\n", nt_errstr(r.out.result));
		return false;
	}

	return true;
}


static bool test_EnumPrivs(struct dcerpc_binding_handle *b,
			   struct torture_context *tctx,
			   struct policy_handle *handle)
{
	struct lsa_EnumPrivs r;
	struct lsa_PrivArray privs1;
	uint32_t resume_handle = 0;
	int i;
	bool ret = true;

	torture_comment(tctx, "\nTesting EnumPrivs\n");

	r.in.handle = handle;
	r.in.resume_handle = &resume_handle;
	r.in.max_count = 100;
	r.out.resume_handle = &resume_handle;
	r.out.privs = &privs1;

	resume_handle = 0;
	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumPrivs_r(b, tctx, &r),
		"EnumPrivs failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"EnumPrivs failed");

	for (i = 0; i< privs1.count; i++) {
		test_LookupPrivDisplayName(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
		test_LookupPrivValue(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name);
		if (!test_EnumAccountsWithUserRight(b, tctx, handle, (struct lsa_String *)&privs1.privs[i].name)) {
			ret = false;
		}
	}

	return ret;
}

static bool test_QueryForestTrustInformation(struct dcerpc_binding_handle *b,
					     struct torture_context *tctx,
					     struct policy_handle *handle,
					     const char *trusted_domain_name)
{
	bool ret = true;
	struct lsa_lsaRQueryForestTrustInformation r;
	struct lsa_String string;
	struct lsa_ForestTrustInformation info, *info_ptr;

	torture_comment(tctx, "\nTesting lsaRQueryForestTrustInformation\n");

	if (torture_setting_bool(tctx, "samba4", false)) {
		torture_comment(tctx, "skipping QueryForestTrustInformation against Samba4\n");
		return true;
	}

	ZERO_STRUCT(string);

	if (trusted_domain_name) {
		init_lsa_String(&string, trusted_domain_name);
	}

	info_ptr = &info;

	r.in.handle = handle;
	r.in.trusted_domain_name = &string;
	r.in.highest_record_type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
	r.out.forest_trust_info = &info_ptr;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_lsaRQueryForestTrustInformation_r(b, tctx, &r),
		"lsaRQueryForestTrustInformation failed");

	if (!NT_STATUS_IS_OK(r.out.result)) {
		torture_comment(tctx, "lsaRQueryForestTrustInformation of %s failed - %s\n", trusted_domain_name, nt_errstr(r.out.result));
		ret = false;
	}

	return ret;
}

static bool test_query_each_TrustDomEx(struct dcerpc_binding_handle *b,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       struct lsa_DomainListEx *domains)
{
	int i;
	bool ret = true;

	for (i=0; i< domains->count; i++) {

		if (domains->domains[i].trust_attributes & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
			ret &= test_QueryForestTrustInformation(b, tctx, handle,
								domains->domains[i].domain_name.string);
		}
	}

	return ret;
}

static bool test_query_each_TrustDom(struct dcerpc_binding_handle *b,
				     struct torture_context *tctx,
				     struct policy_handle *handle,
				     struct lsa_DomainList *domains)
{
	int i,j;
	bool ret = true;

	torture_comment(tctx, "\nTesting OpenTrustedDomain, OpenTrustedDomainByName and QueryInfoTrustedDomain\n");
	for (i=0; i< domains->count; i++) {
		struct lsa_OpenTrustedDomain trust;
		struct lsa_OpenTrustedDomainByName trust_by_name;
		struct policy_handle trustdom_handle;
		struct policy_handle handle2;
		struct lsa_Close c;
		struct lsa_CloseTrustedDomainEx c_trust;
		int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
		int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1, 1};

		if (domains->domains[i].sid) {
			trust.in.handle = handle;
			trust.in.sid = domains->domains[i].sid;
			trust.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
			trust.out.trustdom_handle = &trustdom_handle;

			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomain_r(b, tctx, &trust),
				"OpenTrustedDomain failed");

			if (NT_STATUS_EQUAL(trust.out.result, NT_STATUS_NO_SUCH_DOMAIN)) {
				torture_comment(tctx, "DOMAIN(%s, %s) not a direct trust?\n",
						domains->domains[i].name.string,
						dom_sid_string(tctx, domains->domains[i].sid));
				continue;
			}
			if (!NT_STATUS_IS_OK(trust.out.result)) {
				torture_comment(tctx, "OpenTrustedDomain failed - %s\n", nt_errstr(trust.out.result));
				return false;
			}

			c.in.handle = &trustdom_handle;
			c.out.handle = &handle2;

			c_trust.in.handle = &trustdom_handle;
			c_trust.out.handle = &handle2;

			for (j=0; j < ARRAY_SIZE(levels); j++) {
				struct lsa_QueryTrustedDomainInfo q;
				union lsa_TrustedDomainInfo *info = NULL;
				q.in.trustdom_handle = &trustdom_handle;
				q.in.level = levels[j];
				q.out.info = &info;
				torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
					"QueryTrustedDomainInfo failed");
				if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
					torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
					       levels[j], nt_errstr(q.out.result));
					ret = false;
				} else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
					torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
					       levels[j], nt_errstr(q.out.result));
					ret = false;
				}
			}

			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CloseTrustedDomainEx_r(b, tctx, &c_trust),
				"CloseTrustedDomainEx failed");
			if (!NT_STATUS_EQUAL(c_trust.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
				torture_comment(tctx, "Expected CloseTrustedDomainEx to return NT_STATUS_NOT_IMPLEMENTED, instead - %s\n", nt_errstr(c_trust.out.result));
				return false;
			}

			c.in.handle = &trustdom_handle;
			c.out.handle = &handle2;

			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
				"Close failed");
			if (!NT_STATUS_IS_OK(c.out.result)) {
				torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
				return false;
			}

			for (j=0; j < ARRAY_SIZE(levels); j++) {
				struct lsa_QueryTrustedDomainInfoBySid q;
				union lsa_TrustedDomainInfo *info = NULL;

				if (!domains->domains[i].sid) {
					continue;
				}

				q.in.handle  = handle;
				q.in.dom_sid = domains->domains[i].sid;
				q.in.level   = levels[j];
				q.out.info   = &info;

				torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoBySid_r(b, tctx, &q),
					"lsa_QueryTrustedDomainInfoBySid failed");
				if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
					torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d failed - %s\n",
					       levels[j], nt_errstr(q.out.result));
					ret = false;
				} else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
					torture_comment(tctx, "QueryTrustedDomainInfoBySid level %d unexpectedly succeeded - %s\n",
					       levels[j], nt_errstr(q.out.result));
					ret = false;
				}
			}
		}

		trust_by_name.in.handle = handle;
		trust_by_name.in.name.string = domains->domains[i].name.string;
		trust_by_name.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		trust_by_name.out.trustdom_handle = &trustdom_handle;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_OpenTrustedDomainByName_r(b, tctx, &trust_by_name),
			"OpenTrustedDomainByName failed");

		if (NT_STATUS_EQUAL(trust_by_name.out.result, NT_STATUS_NO_SUCH_DOMAIN)) {
			torture_comment(tctx, "DOMAIN(%s, %s) not a direct trust?\n",
					domains->domains[i].name.string,
					dom_sid_string(tctx, domains->domains[i].sid));
			continue;
		}
		if (!NT_STATUS_IS_OK(trust_by_name.out.result)) {
			torture_comment(tctx, "OpenTrustedDomainByName failed - %s\n", nt_errstr(trust_by_name.out.result));
			return false;
		}

		for (j=0; j < ARRAY_SIZE(levels); j++) {
			struct lsa_QueryTrustedDomainInfo q;
			union lsa_TrustedDomainInfo *info = NULL;
			q.in.trustdom_handle = &trustdom_handle;
			q.in.level = levels[j];
			q.out.info = &info;
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
				"QueryTrustedDomainInfo failed");
			if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
				torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n",
				       levels[j], nt_errstr(q.out.result));
				ret = false;
			} else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
				torture_comment(tctx, "QueryTrustedDomainInfo level %d unexpectedly succeeded - %s\n",
				       levels[j], nt_errstr(q.out.result));
				ret = false;
			}
		}

		c.in.handle = &trustdom_handle;
		c.out.handle = &handle2;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &c),
			"Close failed");
		if (!NT_STATUS_IS_OK(c.out.result)) {
			torture_comment(tctx, "Close of trusted domain failed - %s\n", nt_errstr(c.out.result));
			return false;
		}

		for (j=0; j < ARRAY_SIZE(levels); j++) {
			struct lsa_QueryTrustedDomainInfoByName q;
			union lsa_TrustedDomainInfo *info = NULL;
			struct lsa_String name;

			name.string = domains->domains[i].name.string;

			q.in.handle         = handle;
			q.in.trusted_domain = &name;
			q.in.level          = levels[j];
			q.out.info          = &info;
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfoByName_r(b, tctx, &q),
				"QueryTrustedDomainInfoByName failed");
			if (!NT_STATUS_IS_OK(q.out.result) && ok[j]) {
				torture_comment(tctx, "QueryTrustedDomainInfoByName level %d failed - %s\n",
				       levels[j], nt_errstr(q.out.result));
				ret = false;
			} else if (NT_STATUS_IS_OK(q.out.result) && !ok[j]) {
				torture_comment(tctx, "QueryTrustedDomainInfoByName level %d unexpectedly succeeded - %s\n",
				       levels[j], nt_errstr(q.out.result));
				ret = false;
			}
		}
	}
	return ret;
}

static bool test_EnumTrustDom(struct dcerpc_binding_handle *b,
			      struct torture_context *tctx,
			      struct policy_handle *handle)
{
	struct lsa_EnumTrustDom r;
	uint32_t in_resume_handle = 0;
	uint32_t out_resume_handle;
	struct lsa_DomainList domains;
	bool ret = true;

	torture_comment(tctx, "\nTesting EnumTrustDom\n");

	r.in.handle = handle;
	r.in.resume_handle = &in_resume_handle;
	r.in.max_size = 0;
	r.out.domains = &domains;
	r.out.resume_handle = &out_resume_handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
		"lsa_EnumTrustDom failed");

	/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
	 * always be larger than the previous input resume handle, in
	 * particular when hitting the last query it is vital to set the
	 * resume handle correctly to avoid infinite client loops, as
	 * seen e.g.  with Windows XP SP3 when resume handle is 0 and
	 * status is NT_STATUS_OK - gd */

	if (NT_STATUS_IS_OK(r.out.result) ||
	    NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
	    NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
	{
		if (out_resume_handle <= in_resume_handle) {
			torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
				out_resume_handle, in_resume_handle);
			return false;
		}
	}

	if (NT_STATUS_IS_OK(r.out.result)) {
		if (domains.count == 0) {
			torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
			return false;
		}
	} else if (!(NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) || NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
		torture_comment(tctx, "EnumTrustDom of zero size failed - %s\n", nt_errstr(r.out.result));
		return false;
	}

	/* Start from the bottom again */
	in_resume_handle = 0;

	do {
		r.in.handle = handle;
		r.in.resume_handle = &in_resume_handle;
		r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
		r.out.domains = &domains;
		r.out.resume_handle = &out_resume_handle;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustDom_r(b, tctx, &r),
			"EnumTrustDom failed");

		/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
		 * always be larger than the previous input resume handle, in
		 * particular when hitting the last query it is vital to set the
		 * resume handle correctly to avoid infinite client loops, as
		 * seen e.g.  with Windows XP SP3 when resume handle is 0 and
		 * status is NT_STATUS_OK - gd */

		if (NT_STATUS_IS_OK(r.out.result) ||
		    NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
		    NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES))
		{
			if (out_resume_handle <= in_resume_handle) {
				torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
					out_resume_handle, in_resume_handle);
				return false;
			}
		}

		/* NO_MORE_ENTRIES is allowed */
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
			if (domains.count == 0) {
				return true;
			}
			torture_comment(tctx, "EnumTrustDom failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
			return false;
		} else if (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES)) {
			/* Windows 2003 gets this off by one on the first run */
			if (r.out.domains->count < 3 || r.out.domains->count > 4) {
				torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
				       "asked it to (got %d, expected %d / %d == %d entries)\n",
				       r.out.domains->count, LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3,
				       LSA_ENUM_TRUST_DOMAIN_MULTIPLIER, r.in.max_size);
				ret = false;
			}
		} else if (!NT_STATUS_IS_OK(r.out.result)) {
			torture_comment(tctx, "EnumTrustDom failed - %s\n", nt_errstr(r.out.result));
			return false;
		}

		if (domains.count == 0) {
			torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
			return false;
		}

		ret &= test_query_each_TrustDom(b, tctx, handle, &domains);

		in_resume_handle = out_resume_handle;

	} while (NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES));

	return ret;
}

static bool test_EnumTrustDomEx(struct dcerpc_binding_handle *b,
				struct torture_context *tctx,
				struct policy_handle *handle)
{
	struct lsa_EnumTrustedDomainsEx r_ex;
	uint32_t in_resume_handle = 0;
	uint32_t out_resume_handle;
	struct lsa_DomainListEx domains_ex;
	bool ret = true;

	torture_comment(tctx, "\nTesting EnumTrustedDomainsEx\n");

	r_ex.in.handle = handle;
	r_ex.in.resume_handle = &in_resume_handle;
	r_ex.in.max_size = 0;
	r_ex.out.domains = &domains_ex;
	r_ex.out.resume_handle = &out_resume_handle;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
		"EnumTrustedDomainsEx failed");

	/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
	 * always be larger than the previous input resume handle, in
	 * particular when hitting the last query it is vital to set the
	 * resume handle correctly to avoid infinite client loops, as
	 * seen e.g.  with Windows XP SP3 when resume handle is 0 and
	 * status is NT_STATUS_OK - gd */

	if (NT_STATUS_IS_OK(r_ex.out.result) ||
	    NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES) ||
	    NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES))
	{
		if (out_resume_handle <= in_resume_handle) {
			torture_comment(tctx, "EnumTrustDomEx failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
				out_resume_handle, in_resume_handle);
			return false;
		}
	}

	if (NT_STATUS_IS_OK(r_ex.out.result)) {
		if (domains_ex.count == 0) {
			torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
			return false;
		}
	} else if (!(NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES) ||
		    NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES))) {
		torture_comment(tctx, "EnumTrustDom of zero size failed - %s\n",
				nt_errstr(r_ex.out.result));
		return false;
	}

	in_resume_handle = 0;
	do {
		r_ex.in.handle = handle;
		r_ex.in.resume_handle = &in_resume_handle;
		r_ex.in.max_size = LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER * 3;
		r_ex.out.domains = &domains_ex;
		r_ex.out.resume_handle = &out_resume_handle;

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_EnumTrustedDomainsEx_r(b, tctx, &r_ex),
			"EnumTrustedDomainsEx failed");

		in_resume_handle = out_resume_handle;

		/* NO_MORE_ENTRIES is allowed */
		if (NT_STATUS_EQUAL(r_ex.out.result, NT_STATUS_NO_MORE_ENTRIES)) {
			if (domains_ex.count == 0) {
				return true;
			}
			torture_comment(tctx, "EnumTrustDomainsEx failed - should have returned 0 trusted domains with 'NT_STATUS_NO_MORE_ENTRIES'\n");
			return false;
		} else if (NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES)) {
			/* Windows 2003 gets this off by one on the first run */
			if (r_ex.out.domains->count < 3 || r_ex.out.domains->count > 4) {
				torture_comment(tctx, "EnumTrustDom didn't fill the buffer we "
				       "asked it to (got %d, expected %d / %d == %d entries)\n",
				       r_ex.out.domains->count,
				       r_ex.in.max_size,
				       LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER,
				       r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
			}
		} else if (!NT_STATUS_IS_OK(r_ex.out.result)) {
			torture_comment(tctx, "EnumTrustedDomainEx failed - %s\n", nt_errstr(r_ex.out.result));
			return false;
		}

		if (domains_ex.count == 0) {
			torture_comment(tctx, "EnumTrustDomainEx failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
			return false;
		}

		ret &= test_query_each_TrustDomEx(b, tctx, handle, &domains_ex);

	} while (NT_STATUS_EQUAL(r_ex.out.result, STATUS_MORE_ENTRIES));

	return ret;
}


static bool test_CreateTrustedDomain(struct dcerpc_binding_handle *b,
				     struct torture_context *tctx,
				     struct policy_handle *handle,
				     uint32_t num_trusts)
{
	bool ret = true;
	struct lsa_CreateTrustedDomain r;
	struct lsa_DomainInfo trustinfo;
	struct dom_sid **domsid;
	struct policy_handle *trustdom_handle;
	struct lsa_QueryTrustedDomainInfo q;
	union lsa_TrustedDomainInfo *info = NULL;
	int i;

	torture_comment(tctx, "\nTesting CreateTrustedDomain for %d domains\n", num_trusts);

	if (!test_EnumTrustDom(b, tctx, handle)) {
		ret = false;
	}

	if (!test_EnumTrustDomEx(b, tctx, handle)) {
		ret = false;
	}

	domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
	trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);

	for (i=0; i< num_trusts; i++) {
		char *trust_name = talloc_asprintf(tctx, "TORTURE1%02d", i);
		char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-1%02d", i);

		domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);

		trustinfo.sid = domsid[i];
		init_lsa_String((struct lsa_String *)&trustinfo.name, trust_name);

		r.in.policy_handle = handle;
		r.in.info = &trustinfo;
		r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
		r.out.trustdom_handle = &trustdom_handle[i];

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
			"CreateTrustedDomain failed");
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_COLLISION)) {
			test_DeleteTrustedDomain(b, tctx, handle, trustinfo.name);
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_CreateTrustedDomain_r(b, tctx, &r),
				"CreateTrustedDomain failed");
		}
		if (!NT_STATUS_IS_OK(r.out.result)) {
			torture_comment(tctx, "CreateTrustedDomain failed - %s\n", nt_errstr(r.out.result));
			ret = false;
		} else {

			q.in.trustdom_handle = &trustdom_handle[i];
			q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
			q.out.info = &info;
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
				"QueryTrustedDomainInfo failed");
			if (!NT_STATUS_IS_OK(q.out.result)) {
				torture_comment(tctx, "QueryTrustedDomainInfo level %d failed - %s\n", q.in.level, nt_errstr(q.out.result));
				ret = false;
			} else if (!q.out.info) {
				ret = false;
			} else {
				if (strcmp(info->info_ex.domain_name.string, trustinfo.name.string) != 0) {
					torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent long name: %s != %s\n",
					       info->info_ex.domain_name.string, trustinfo.name.string);
					ret = false;
				}
				if (strcmp(info->info_ex.netbios_name.string, trustinfo.name.string) != 0) {
					torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
					       info->info_ex.netbios_name.string, trustinfo.name.string);
					ret = false;
				}
				if (info->info_ex.trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
					       trust_name, info->info_ex.trust_type, LSA_TRUST_TYPE_DOWNLEVEL);
					ret = false;
				}
				if (info->info_ex.trust_attributes != 0) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
					       trust_name, info->info_ex.trust_attributes, 0);
					ret = false;
				}
				if (info->info_ex.trust_direction != LSA_TRUST_DIRECTION_OUTBOUND) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
					       trust_name, info->info_ex.trust_direction, LSA_TRUST_DIRECTION_OUTBOUND);
					ret = false;
				}
			}
		}
	}

	/* now that we have some domains to look over, we can test the enum calls */
	if (!test_EnumTrustDom(b, tctx, handle)) {
		ret = false;
	}

	if (!test_EnumTrustDomEx(b, tctx, handle)) {
		ret = false;
	}

	for (i=0; i<num_trusts; i++) {
		if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
			ret = false;
		}
	}

	return ret;
}

static bool gen_authinfo(TALLOC_CTX *mem_ctx,
			 const char *incoming_old, const char *incoming_new,
			 const char *outgoing_old, const char *outgoing_new,
			 struct lsa_TrustDomainInfoAuthInfo **_authinfo)
{
	struct lsa_TrustDomainInfoAuthInfo *authinfo;
	struct lsa_TrustDomainInfoBuffer *in_buffer;
	struct lsa_TrustDomainInfoBuffer *io_buffer;
	struct lsa_TrustDomainInfoBuffer *on_buffer;
	struct lsa_TrustDomainInfoBuffer *oo_buffer;
	size_t converted_size;
	bool ok;

	authinfo = talloc_zero(mem_ctx, struct lsa_TrustDomainInfoAuthInfo);
	if (authinfo == NULL) {
		return false;
	}

	in_buffer = talloc_zero(authinfo, struct lsa_TrustDomainInfoBuffer);
	if (in_buffer == NULL) {
		return false;
	}
	in_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
	ok = convert_string_talloc(in_buffer, CH_UNIX, CH_UTF16,
				   incoming_new,
				   strlen(incoming_new),
				   &in_buffer->data.data,
				   &converted_size);
	if (!ok) {
		return false;
	}
	in_buffer->data.size = converted_size;

	io_buffer = talloc_zero(authinfo, struct lsa_TrustDomainInfoBuffer);
	if (io_buffer == NULL) {
		return false;
	}
	io_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
	ok = convert_string_talloc(io_buffer, CH_UNIX, CH_UTF16,
				   incoming_old,
				   strlen(incoming_old),
				   &io_buffer->data.data,
				   &converted_size);
	if (!ok) {
		return false;
	}
	io_buffer->data.size = converted_size;

	on_buffer = talloc_zero(authinfo, struct lsa_TrustDomainInfoBuffer);
	if (on_buffer == NULL) {
		return false;
	}
	on_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
	ok = convert_string_talloc(on_buffer, CH_UNIX, CH_UTF16,
				   outgoing_new,
				   strlen(outgoing_new),
				   &on_buffer->data.data,
				   &converted_size);
	if (!ok) {
		return false;
	}
	on_buffer->data.size = converted_size;

	oo_buffer = talloc_zero(authinfo, struct lsa_TrustDomainInfoBuffer);
	if (oo_buffer == NULL) {
		return false;
	}
	oo_buffer->AuthType = TRUST_AUTH_TYPE_CLEAR;
	ok = convert_string_talloc(oo_buffer, CH_UNIX, CH_UTF16,
				   outgoing_old,
				   strlen(outgoing_old),
				   &oo_buffer->data.data,
				   &converted_size);
	if (!ok) {
		return false;
	}
	oo_buffer->data.size = converted_size;

	authinfo->incoming_count = 1;
	authinfo->incoming_current_auth_info = in_buffer;
	authinfo->incoming_previous_auth_info = io_buffer;
	authinfo->outgoing_count = 1;
	authinfo->outgoing_current_auth_info = on_buffer;
	authinfo->outgoing_previous_auth_info = oo_buffer;

	*_authinfo = authinfo;

	return true;
}

static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p,
					     struct torture_context *tctx,
					     uint32_t negotiate_flags,
					     const char *server_name,
					     struct cli_credentials *machine_credentials,
					     struct netlogon_creds_CredentialState **creds_out)
{
	struct netr_ServerReqChallenge r;
	struct netr_ServerAuthenticate3 a;
	struct netr_Credential credentials1, credentials2, credentials3;
	struct netlogon_creds_CredentialState *creds;
	const struct samr_Password *new_password = NULL;
	const struct samr_Password *old_password = NULL;
	uint32_t rid;
	struct dcerpc_binding_handle *b = p->binding_handle;

	new_password = cli_credentials_get_nt_hash(machine_credentials, tctx);
	old_password = cli_credentials_get_old_nt_hash(machine_credentials, tctx);

	r.in.server_name = server_name;
	r.in.computer_name = cli_credentials_get_workstation(machine_credentials);
	r.in.credentials = &credentials1;
	r.out.return_credentials = &credentials2;

	netlogon_creds_random_challenge(&credentials1);

	torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
		"ServerReqChallenge failed");
	torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");

	a.in.server_name = server_name;
	a.in.account_name = cli_credentials_get_username(machine_credentials);
	a.in.secure_channel_type = cli_credentials_get_secure_channel_type(machine_credentials);
	a.in.computer_name = cli_credentials_get_workstation(machine_credentials);
	a.in.negotiate_flags = &negotiate_flags;
	a.in.credentials = &credentials3;
	a.out.return_credentials = &credentials3;
	a.out.negotiate_flags = &negotiate_flags;
	a.out.rid = &rid;

	creds = netlogon_creds_client_init(tctx, a.in.account_name,
					   a.in.computer_name,
					   a.in.secure_channel_type,
					   &credentials1, &credentials2,
					   new_password, &credentials3,
					   negotiate_flags,
					   negotiate_flags);

	torture_assert(tctx, creds != NULL, "memory allocation");

	torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
		"ServerAuthenticate3 failed");
	if (!NT_STATUS_IS_OK(a.out.result)) {
		if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_ACCESS_DENIED)) {
			torture_assert_ntstatus_ok(tctx, a.out.result,
						   "ServerAuthenticate3 failed");
		}
		return false;
	}
	torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");

	if (old_password != NULL) {
		torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
			"ServerReqChallenge failed");
		torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");

		creds = netlogon_creds_client_init(tctx, a.in.account_name,
						   a.in.computer_name,
						   a.in.secure_channel_type,
						   &credentials1, &credentials2,
						   old_password, &credentials3,
						   negotiate_flags,
						   negotiate_flags);

		torture_assert(tctx, creds != NULL, "memory allocation");

		torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerAuthenticate3_r(b, tctx, &a),
			"ServerAuthenticate3 failed");
		if (!NT_STATUS_IS_OK(a.out.result)) {
			if (!NT_STATUS_EQUAL(a.out.result, NT_STATUS_ACCESS_DENIED)) {
				torture_assert_ntstatus_ok(tctx, a.out.result,
							   "ServerAuthenticate3 (old) failed");
			}
			return false;
		}
		torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential (old) chaining failed");
	}

	/* Prove that requesting a challenge again won't break it */
	torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
		"ServerReqChallenge failed");
	torture_assert_ntstatus_ok(tctx, r.out.result, "ServerReqChallenge failed");

	*creds_out = creds;
	return true;
}

#ifdef SAMBA4_USES_HEIMDAL

/*
 * This function is set in torture_krb5_init_context as krb5
 * send_and_recv function.  This allows us to override what server the
 * test is aimed at, and to inspect the packets just before they are
 * sent to the network, and before they are processed on the recv
 * side.
 *
 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
 * functions are implement the actual tests.
 *
 * When this asserts, the caller will get a spurious 'cannot contact
 * any KDC' message.
 *
 */
struct check_pw_with_krb5_ctx {
	struct addrinfo *server;
	const char *server_nb_domain;
	const char *server_dns_domain;
	struct {
		unsigned io;
		unsigned fail;
		unsigned errors;
		unsigned error_io;
		unsigned ok;
	} counts;
	krb5_error error;
	struct smb_krb5_context *smb_krb5_context;
	krb5_get_init_creds_opt *krb_options;
	krb5_creds my_creds;
	krb5_get_creds_opt opt_canon;
	krb5_get_creds_opt opt_nocanon;
	krb5_principal upn_realm;
	krb5_principal upn_dns;
	krb5_principal upn_netbios;
	krb5_ccache krbtgt_ccache;
	krb5_principal krbtgt_trust_realm;
	krb5_creds *krbtgt_trust_realm_creds;
	krb5_principal krbtgt_trust_dns;
	krb5_creds *krbtgt_trust_dns_creds;
	krb5_principal krbtgt_trust_netbios;
	krb5_creds *krbtgt_trust_netbios_creds;
	krb5_principal cifs_trust_dns;
	krb5_creds *cifs_trust_dns_creds;
	krb5_principal cifs_trust_netbios;
	krb5_creds *cifs_trust_netbios_creds;
	krb5_principal drs_trust_dns;
	krb5_creds *drs_trust_dns_creds;
	krb5_principal drs_trust_netbios;
	krb5_creds *drs_trust_netbios_creds;
	krb5_principal four_trust_dns;
	krb5_creds *four_trust_dns_creds;
	krb5_creds krbtgt_referral_creds;
	Ticket krbtgt_referral_ticket;
	krb5_keyblock krbtgt_referral_keyblock;
	EncTicketPart krbtgt_referral_enc_part;
};

static krb5_error_code check_pw_with_krb5_send_to_realm(
					struct smb_krb5_context *smb_krb5_context,
					void *data, /* struct check_pw_with_krb5_ctx */
					krb5_const_realm realm,
					time_t timeout,
					const krb5_data *send_buf,
					krb5_data *recv_buf)
{
	struct check_pw_with_krb5_ctx *ctx =
		talloc_get_type_abort(data, struct check_pw_with_krb5_ctx);
	krb5_error_code k5ret;
	size_t used;
	int ret;

	SMB_ASSERT(smb_krb5_context == ctx->smb_krb5_context);

	if (!strequal_m(realm, ctx->server_nb_domain) &&
	    !strequal_m(realm, ctx->server_dns_domain))
	{
		return KRB5_KDC_UNREACH;
	}

	krb5_free_error_contents(ctx->smb_krb5_context->krb5_context,
				 &ctx->error);
	ctx->counts.io++;

	k5ret = smb_krb5_send_and_recv_func_forced_tcp(ctx->smb_krb5_context,
						       ctx->server,
						       timeout, send_buf, recv_buf);
	if (k5ret != 0) {
		ctx->counts.fail++;
		return k5ret;
	}

	ret = decode_KRB_ERROR(recv_buf->data, recv_buf->length,
			       &ctx->error, &used);
	if (ret == 0) {
		ctx->counts.errors++;
		ctx->counts.error_io = ctx->counts.io;
	} else {
		ctx->counts.ok++;
	}

	return k5ret;
}

static int check_pw_with_krb5_ctx_destructor(struct check_pw_with_krb5_ctx *ctx)
{
	if (ctx->server != NULL) {
		freeaddrinfo(ctx->server);
		ctx->server = NULL;
	}

	if (ctx->krb_options != NULL) {
		krb5_get_init_creds_opt_free(ctx->smb_krb5_context->krb5_context,
					     ctx->krb_options);
		ctx->krb_options = NULL;
	}

	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->my_creds);

	if (ctx->opt_canon != NULL) {
		krb5_get_creds_opt_free(ctx->smb_krb5_context->krb5_context,
					ctx->opt_canon);
		ctx->opt_canon = NULL;
	}

	if (ctx->opt_nocanon != NULL) {
		krb5_get_creds_opt_free(ctx->smb_krb5_context->krb5_context,
					ctx->opt_nocanon);
		ctx->opt_nocanon = NULL;
	}

	if (ctx->krbtgt_ccache != NULL) {
		krb5_cc_close(ctx->smb_krb5_context->krb5_context,
			      ctx->krbtgt_ccache);
		ctx->krbtgt_ccache = NULL;
	}

	if (ctx->upn_realm != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_realm);
		ctx->upn_realm = NULL;
	}

	if (ctx->upn_dns != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_dns);
		ctx->upn_dns = NULL;
	}

	if (ctx->upn_netbios != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_netbios);
		ctx->upn_netbios = NULL;
	}

	if (ctx->krbtgt_trust_realm != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_trust_realm);
		ctx->krbtgt_trust_realm = NULL;
	}

	if (ctx->krbtgt_trust_realm_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->krbtgt_trust_realm_creds);
		ctx->krbtgt_trust_realm_creds = NULL;
	}

	if (ctx->krbtgt_trust_dns != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_trust_dns);
		ctx->krbtgt_trust_dns = NULL;
	}

	if (ctx->krbtgt_trust_dns_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->krbtgt_trust_dns_creds);
		ctx->krbtgt_trust_dns_creds = NULL;
	}

	if (ctx->krbtgt_trust_netbios != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_trust_netbios);
		ctx->krbtgt_trust_netbios = NULL;
	}

	if (ctx->krbtgt_trust_netbios_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->krbtgt_trust_netbios_creds);
		ctx->krbtgt_trust_netbios_creds = NULL;
	}

	if (ctx->cifs_trust_dns != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->cifs_trust_dns);
		ctx->cifs_trust_dns = NULL;
	}

	if (ctx->cifs_trust_dns_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->cifs_trust_dns_creds);
		ctx->cifs_trust_dns_creds = NULL;
	}

	if (ctx->cifs_trust_netbios != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->cifs_trust_netbios);
		ctx->cifs_trust_netbios = NULL;
	}

	if (ctx->cifs_trust_netbios_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->cifs_trust_netbios_creds);
		ctx->cifs_trust_netbios_creds = NULL;
	}

	if (ctx->drs_trust_dns != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->drs_trust_dns);
		ctx->drs_trust_dns = NULL;
	}

	if (ctx->drs_trust_dns_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->drs_trust_dns_creds);
		ctx->drs_trust_dns_creds = NULL;
	}

	if (ctx->drs_trust_netbios != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->drs_trust_netbios);
		ctx->drs_trust_netbios = NULL;
	}

	if (ctx->drs_trust_netbios_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->drs_trust_netbios_creds);
		ctx->drs_trust_netbios_creds = NULL;
	}

	if (ctx->four_trust_dns != NULL) {
		krb5_free_principal(ctx->smb_krb5_context->krb5_context,
				    ctx->four_trust_dns);
		ctx->four_trust_dns = NULL;
	}

	if (ctx->four_trust_dns_creds != NULL) {
		krb5_free_creds(ctx->smb_krb5_context->krb5_context,
				ctx->four_trust_dns_creds);
		ctx->four_trust_dns_creds = NULL;
	}

	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);

	free_Ticket(&ctx->krbtgt_referral_ticket);

	krb5_free_keyblock_contents(ctx->smb_krb5_context->krb5_context,
				    &ctx->krbtgt_referral_keyblock);

	free_EncTicketPart(&ctx->krbtgt_referral_enc_part);

	krb5_free_error_contents(ctx->smb_krb5_context->krb5_context,
				 &ctx->error);

	talloc_unlink(ctx, ctx->smb_krb5_context);
	ctx->smb_krb5_context = NULL;
	return 0;
}

static bool check_pw_with_krb5(struct torture_context *tctx,
			       struct cli_credentials *credentials,
			       const struct lsa_TrustDomainInfoInfoEx *trusted)
{
	const char *trusted_dns_name = trusted->domain_name.string;
	const char *trusted_netbios_name = trusted->netbios_name.string;
	char *trusted_realm_name = NULL;
	krb5_principal principal = NULL;
	enum credentials_obtained obtained;
	const char *error_string = NULL;
	const char *workstation = cli_credentials_get_workstation(credentials);
	const char *password = cli_credentials_get_password(credentials);
#ifndef USING_EMBEDDED_HEIMDAL
	const struct samr_Password *nthash = NULL;
	const struct samr_Password *old_nthash = NULL;
#endif
	const char *old_password = cli_credentials_get_old_password(credentials);
#ifndef USING_EMBEDDED_HEIMDAL
	int kvno = cli_credentials_get_kvno(credentials);
	int expected_kvno = 0;
	krb5uint32 t_kvno = 0;
#endif
	const char *host = torture_setting_string(tctx, "host", NULL);
	krb5_error_code k5ret;
	krb5_boolean k5ok;
	int type;
	bool ok;
	struct check_pw_with_krb5_ctx *ctx = NULL;
	char *assertion_message = NULL;
	const char *realm = NULL;
	char *upn_realm_string = NULL;
	char *upn_dns_string = NULL;
	char *upn_netbios_string = NULL;
	char *krbtgt_cc_name = NULL;
	char *krbtgt_trust_realm_string = NULL;
	char *krbtgt_trust_dns_string = NULL;
	char *krbtgt_trust_netbios_string = NULL;
	char *cifs_trust_dns_string = NULL;
	char *cifs_trust_netbios_string = NULL;
	char *drs_trust_dns_string = NULL;
	char *drs_trust_netbios_string = NULL;
	char *four_trust_dns_string = NULL;

	ctx = talloc_zero(tctx, struct check_pw_with_krb5_ctx);
	torture_assert(tctx, ctx != NULL, "Failed to allocate");

	realm = cli_credentials_get_realm(credentials);
	trusted_realm_name = strupper_talloc(tctx, trusted_dns_name);

#ifndef USING_EMBEDDED_HEIMDAL
	nthash = cli_credentials_get_nt_hash(credentials, ctx);
	old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx);
#endif

	k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context);
	torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");

	ctx->server_nb_domain = cli_credentials_get_domain(credentials);
	ctx->server_dns_domain = cli_credentials_get_realm(credentials);

	ok = interpret_string_addr_internal(&ctx->server, host, 0);
	torture_assert(tctx, ok, "Failed to parse target server");
	talloc_set_destructor(ctx, check_pw_with_krb5_ctx_destructor);

	set_sockaddr_port(ctx->server->ai_addr, 88);

	k5ret = smb_krb5_set_send_to_kdc_func(ctx->smb_krb5_context,
					      check_pw_with_krb5_send_to_realm,
					      NULL, /* send_to_kdc */
					      ctx);
	torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");

	torture_assert_int_equal(tctx,
			krb5_get_init_creds_opt_alloc(ctx->smb_krb5_context->krb5_context,
						      &ctx->krb_options),
			0, "krb5_get_init_creds_opt_alloc failed");
	torture_assert_int_equal(tctx,
			krb5_get_init_creds_opt_set_pac_request(
				ctx->smb_krb5_context->krb5_context,
				ctx->krb_options, true),
			0, "krb5_get_init_creds_opt_set_pac_request failed");

	upn_realm_string = talloc_asprintf(ctx, "user@%s",
					   trusted_realm_name);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->upn_realm,
						realm, upn_realm_string, NULL),
			0, "smb_krb5_make_principal failed");
	smb_krb5_principal_set_type(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_realm, KRB5_NT_ENTERPRISE_PRINCIPAL);

	upn_dns_string = talloc_asprintf(ctx, "user@%s",
					 trusted_dns_name);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->upn_dns,
						realm, upn_dns_string, NULL),
			0, "smb_krb5_make_principal failed");
	smb_krb5_principal_set_type(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_dns, KRB5_NT_ENTERPRISE_PRINCIPAL);

	upn_netbios_string = talloc_asprintf(ctx, "user@%s",
					 trusted_netbios_name);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->upn_netbios,
						realm, upn_netbios_string, NULL),
			0, "smb_krb5_make_principal failed");
	smb_krb5_principal_set_type(ctx->smb_krb5_context->krb5_context,
				    ctx->upn_netbios, KRB5_NT_ENTERPRISE_PRINCIPAL);

	k5ret = principal_from_credentials(ctx, credentials, ctx->smb_krb5_context,
					   &principal, &obtained,  &error_string);
	torture_assert_int_equal(tctx, k5ret, 0, error_string);

	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_init_creds_password(ctx->smb_krb5_context->krb5_context,
					     &ctx->my_creds, ctx->upn_realm,
					     "_none_", NULL, NULL, 0,
					     NULL, ctx->krb_options);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_init_creds_password(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u]",
				upn_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.error_io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message);
	torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
	torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
	torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
	torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_realm_string, assertion_message);
#else
	torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
#endif
	torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);

	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_init_creds_password(ctx->smb_krb5_context->krb5_context,
					     &ctx->my_creds, ctx->upn_dns,
					     "_none_", NULL, NULL, 0,
					     NULL, ctx->krb_options);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_init_creds_password(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u]",
				upn_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.error_io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message);
	torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
	torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
	torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
	torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_dns_string, assertion_message);
#else
	torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
#endif
	torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);

	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_init_creds_password(ctx->smb_krb5_context->krb5_context,
					     &ctx->my_creds, ctx->upn_netbios,
					     "_none_", NULL, NULL, 0,
					     NULL, ctx->krb_options);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_init_creds_password(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u/%u,ok=%u]",
				upn_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.error_io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message);
	torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
	torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
	torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
	torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
	torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_netbios_string, assertion_message);
#else
	torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
#endif
	torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);

	torture_comment(tctx, "(%s:%s) password[%s] old_password[%s]\n",
			__location__, __FUNCTION__,
			password, old_password);
	if (old_password != NULL) {
		k5ret = krb5_get_init_creds_password(ctx->smb_krb5_context->krb5_context,
						     &ctx->my_creds, principal,
						     old_password, NULL, NULL, 0,
						     NULL, ctx->krb_options);
		torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_PREAUTH_FAILED,
					 "preauth should fail with old password");
	}

	k5ret = krb5_get_init_creds_password(ctx->smb_krb5_context->krb5_context,
					     &ctx->my_creds, principal,
					     password, NULL, NULL, 0,
					     NULL, ctx->krb_options);
	if (k5ret == KRB5KDC_ERR_PREAUTH_FAILED) {
		TALLOC_FREE(ctx);
		return false;
	}

	assertion_message = talloc_asprintf(ctx,
				"krb5_get_init_creds_password for failed: %s",
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	torture_assert_int_equal(tctx,
			krb5_get_creds_opt_alloc(ctx->smb_krb5_context->krb5_context,
						 &ctx->opt_canon),
			0, "krb5_get_creds_opt_alloc");

	krb5_get_creds_opt_add_options(ctx->smb_krb5_context->krb5_context,
				       ctx->opt_canon,
				       KRB5_GC_CANONICALIZE);

	krb5_get_creds_opt_add_options(ctx->smb_krb5_context->krb5_context,
				       ctx->opt_canon,
				       KRB5_GC_NO_STORE);

	torture_assert_int_equal(tctx,
			krb5_get_creds_opt_alloc(ctx->smb_krb5_context->krb5_context,
						 &ctx->opt_nocanon),
			0, "krb5_get_creds_opt_alloc");

	krb5_get_creds_opt_add_options(ctx->smb_krb5_context->krb5_context,
				       ctx->opt_nocanon,
				       KRB5_GC_NO_STORE);

	krbtgt_cc_name = talloc_asprintf(ctx, "MEMORY:%p.krbtgt", ctx->smb_krb5_context);
	torture_assert_int_equal(tctx,
			krb5_cc_resolve(ctx->smb_krb5_context->krb5_context,
					krbtgt_cc_name,
					&ctx->krbtgt_ccache),
			0, "krb5_cc_resolve failed");

	torture_assert_int_equal(tctx,
			krb5_cc_initialize(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_ccache,
					   ctx->my_creds.client),
			0, "krb5_cc_initialize failed");

	torture_assert_int_equal(tctx,
			krb5_cc_store_cred(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_ccache,
					   &ctx->my_creds),
			0, "krb5_cc_store_cred failed");

	krbtgt_trust_realm_string = talloc_asprintf(ctx, "krbtgt/%s@%s",
						    trusted_realm_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->krbtgt_trust_realm,
						realm, "krbtgt",
						trusted_realm_name, NULL),
			0, "smb_krb5_make_principal failed");

	krbtgt_trust_dns_string = talloc_asprintf(ctx, "krbtgt/%s@%s",
						  trusted_dns_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->krbtgt_trust_dns,
						realm, "krbtgt",
						trusted_dns_name, NULL),
			0, "smb_krb5_make_principal failed");

	krbtgt_trust_netbios_string = talloc_asprintf(ctx, "krbtgt/%s@%s",
						      trusted_netbios_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->krbtgt_trust_netbios,
						realm, "krbtgt",
						trusted_netbios_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we can do a TGS for krbtgt/trusted_realm */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_nocanon,
			       ctx->krbtgt_ccache,
			       ctx->krbtgt_trust_realm,
			       &ctx->krbtgt_trust_realm_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_trust_realm_creds->server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_trust_realm_creds->server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Confirm if we have no referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);

	/* Confirm if we can do a TGS for krbtgt/trusted_dns with CANON */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->krbtgt_trust_dns,
			       &ctx->krbtgt_trust_dns_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				krbtgt_trust_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#endif
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);
	k5ret = decode_Ticket(ctx->krbtgt_referral_creds.ticket.data,
			      ctx->krbtgt_referral_creds.ticket.length,
			      &ctx->krbtgt_referral_ticket, NULL);
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
	if (kvno > 0) {
		expected_kvno = kvno - 1;
	}
	if (ctx->krbtgt_referral_ticket.enc_part.kvno != NULL) {
		t_kvno = *ctx->krbtgt_referral_ticket.enc_part.kvno;
		assertion_message = talloc_asprintf(ctx,
				"krbtgt_referral_ticket(%s) kvno(%u) expected(%u) current(%u)",
				krbtgt_trust_realm_string,
				(unsigned)t_kvno, (unsigned)expected_kvno,(unsigned)kvno);
		torture_comment(tctx, "%s\n", assertion_message);
		torture_assert_int_not_equal(tctx, t_kvno, 0, assertion_message);
	} else {
		assertion_message = talloc_asprintf(ctx,
				"krbtgt_referral_ticket(%s) kvno(NULL) expected(%u) current(%u)",
				krbtgt_trust_realm_string,
				(unsigned)expected_kvno,(unsigned)kvno);
		torture_comment(tctx, "%s\n", assertion_message);
	}
	torture_assert_int_equal(tctx, t_kvno, expected_kvno, assertion_message);

	if (old_nthash != NULL && expected_kvno != kvno) {
		torture_comment(tctx, "old_nthash: %s\n", assertion_message);
		k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
							ENCTYPE_ARCFOUR_HMAC,
							old_nthash->hash,
							sizeof(old_nthash->hash),
							&ctx->krbtgt_referral_keyblock);
		torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
	} else {
		torture_comment(tctx, "nthash: %s\n", assertion_message);
		k5ret = smb_krb5_keyblock_init_contents(ctx->smb_krb5_context->krb5_context,
							ENCTYPE_ARCFOUR_HMAC,
							nthash->hash,
							sizeof(nthash->hash),
							&ctx->krbtgt_referral_keyblock);
		torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
	}
	k5ret = krb5_decrypt_ticket(ctx->smb_krb5_context->krb5_context,
				    &ctx->krbtgt_referral_ticket,
				    &ctx->krbtgt_referral_keyblock,
				    &ctx->krbtgt_referral_enc_part,
				    0);
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	/* Confirm if we can do a TGS for krbtgt/trusted_dns no CANON */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_nocanon,
			       ctx->krbtgt_ccache,
			       ctx->krbtgt_trust_dns,
			       &ctx->krbtgt_trust_dns_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s, nocanon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				krbtgt_trust_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#endif

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_trust_dns_creds->server,
#ifdef USING_EMBEDDED_HEIMDAL
				      ctx->krbtgt_trust_dns);
#else
				      ctx->krbtgt_trust_realm);
#endif
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_trust_dns_creds->server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	/* Confirm if we can do a TGS for krbtgt/NETBIOS with CANON */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->krbtgt_trust_netbios,
			       &ctx->krbtgt_trust_netbios_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s, canon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				krbtgt_trust_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#endif
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	/* Confirm if we can do a TGS for krbtgt/NETBIOS no CANON */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_nocanon,
			       ctx->krbtgt_ccache,
			       ctx->krbtgt_trust_netbios,
			       &ctx->krbtgt_trust_netbios_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s, nocanon) for failed: "
				"(%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				krbtgt_trust_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#endif

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_trust_netbios_creds->server,
#ifdef USING_EMBEDDED_HEIMDAL
				      ctx->krbtgt_trust_netbios);
#else
				      ctx->krbtgt_trust_realm);
#endif
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_trust_netbios_creds->server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	cifs_trust_dns_string = talloc_asprintf(ctx, "cifs/%s@%s",
						trusted_dns_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->cifs_trust_dns,
						realm, "cifs",
						trusted_dns_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we get krbtgt/trusted_realm back when asking for cifs/trusted_realm */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->cifs_trust_dns,
			       &ctx->cifs_trust_dns_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				cifs_trust_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#endif

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	cifs_trust_netbios_string = talloc_asprintf(ctx, "cifs/%s@%s",
						trusted_netbios_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->cifs_trust_netbios,
						realm, "cifs",
						trusted_netbios_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we get krbtgt/trusted_realm back when asking for cifs/trusted_realm */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->cifs_trust_netbios,
			       &ctx->cifs_trust_netbios_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				cifs_trust_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#endif

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	drs_trust_dns_string = talloc_asprintf(ctx,
			"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s",
			workstation, trusted_dns_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->drs_trust_dns,
						realm, "E3514235-4B06-11D1-AB04-00C04FC2DCD2",
						workstation, trusted_dns_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we get krbtgt/trusted_realm back when asking for a 3 part principal */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->drs_trust_dns,
			       &ctx->drs_trust_dns_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				drs_trust_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#endif

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	drs_trust_netbios_string = talloc_asprintf(ctx,
			"E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s",
			workstation, trusted_netbios_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->drs_trust_netbios,
						realm, "E3514235-4B06-11D1-AB04-00C04FC2DCD2",
						workstation, trusted_netbios_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we get krbtgt/trusted_realm back when asking for a 3 part principal */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->drs_trust_netbios,
			       &ctx->drs_trust_netbios_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				drs_trust_netbios_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
#endif

	/* Confirm if we have the referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
#else
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);

	k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_referral_creds.server,
				      ctx->krbtgt_trust_realm);
	torture_assert(tctx, k5ok, assertion_message);
	type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
					   ctx->krbtgt_referral_creds.server);
	torture_assert_int_equal(tctx, type, KRB5_NT_SRV_INST, assertion_message);

	/* Delete the referral ticket from the cache */
	k5ret = krb5_cc_remove_cred(ctx->smb_krb5_context->krb5_context,
				    ctx->krbtgt_ccache,
				    0,
				    &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_remove_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
#endif

	four_trust_dns_string = talloc_asprintf(ctx, "four/tree/two/%s@%s",
						trusted_dns_name, realm);
	torture_assert_int_equal(tctx,
			smb_krb5_make_principal(ctx->smb_krb5_context->krb5_context,
						&ctx->four_trust_dns,
						realm, "four", "tree", "two",
						trusted_dns_name, NULL),
			0, "smb_krb5_make_principal failed");

	/* Confirm if we get an error back for a 4 part principal */
	ZERO_STRUCT(ctx->counts);
	k5ret = krb5_get_creds(ctx->smb_krb5_context->krb5_context,
			       ctx->opt_canon,
			       ctx->krbtgt_ccache,
			       ctx->four_trust_dns,
			       &ctx->four_trust_dns_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_get_creds(%s) for failed: (%d) %s; t[d=0x%x,t=0x%x,a=0x%x] [io=%u,error=%u,ok=%u]",
				four_trust_dns_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx),
				trusted->trust_direction,
				trusted->trust_type,
				trusted->trust_attributes,
				ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
	torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, assertion_message);
#ifdef USING_EMBEDDED_HEIMDAL
	torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.error_io, 2, assertion_message);
#else
	torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
	torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message);
#endif
	torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 7, assertion_message);

	/* Confirm if we have no referral ticket in the cache */
	krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
				&ctx->krbtgt_referral_creds);
	k5ret = krb5_cc_retrieve_cred(ctx->smb_krb5_context->krb5_context,
				      ctx->krbtgt_ccache,
				      0,
				      ctx->krbtgt_trust_realm_creds,
				      &ctx->krbtgt_referral_creds);
	assertion_message = talloc_asprintf(ctx,
				"krb5_cc_retrieve_cred(%s) for failed: (%d) %s",
				krbtgt_trust_realm_string,
				k5ret,
				smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
							   k5ret, ctx));
	torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);

	TALLOC_FREE(ctx);
	return true;
}
#endif

static bool check_dom_trust_pw(struct dcerpc_pipe *p,
			       struct torture_context *tctx,
			       const char *our_netbios_name,
			       const char *our_dns_name,
			       enum netr_SchannelType secure_channel_type,
			       const struct lsa_TrustDomainInfoInfoEx *trusted,
			       const char *previous_password,
			       const char *current_password,
			       uint32_t current_version,
			       const char *next_password,
			       uint32_t next_version,
			       bool expected_result)
{
	struct cli_credentials *incoming_creds;
	char *server_name = NULL;
	char *account = NULL;
	char *principal = NULL;
	char *workstation = NULL;
	const char *binding = torture_setting_string(tctx, "binding", NULL);
	const char *host = torture_setting_string(tctx, "host", NULL);
	const char *ip;
	struct nbt_name nbt_name;
	struct dcerpc_binding *b2;
	struct netlogon_creds_CredentialState *creds;
	struct samr_CryptPassword samr_crypt_password;
	struct netr_CryptPassword netr_crypt_password;
	struct netr_Authenticator req_auth;
	struct netr_Authenticator rep_auth;
	struct netr_ServerPasswordSet2 s;
	struct dcerpc_pipe *p1 = NULL;
	struct dcerpc_pipe *p2 = NULL;
	NTSTATUS status;
	bool ok;
	int rc;
	const char *trusted_netbios_name = trusted->netbios_name.string;
	const char *trusted_dns_name = trusted->domain_name.string;
	struct tsocket_address *dest_addr;
	struct netlogon_samlogon_response **responses = NULL;
	struct netlogon_samlogon_response *resp = NULL;
	enum dcerpc_AuthType auth_type;
	enum dcerpc_AuthLevel auth_level;

	incoming_creds = cli_credentials_init(tctx);
	torture_assert(tctx, incoming_creds, "cli_credentials_init");

	cli_credentials_set_domain(incoming_creds, our_netbios_name, CRED_SPECIFIED);
	cli_credentials_set_realm(incoming_creds, our_dns_name, CRED_SPECIFIED);

	if (secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
		account = talloc_asprintf(tctx, "%s.", trusted_dns_name);
		torture_assert(tctx, account, __location__);

		principal = talloc_asprintf(tctx, "%s$@%s",
					    trusted_netbios_name,
					    cli_credentials_get_realm(incoming_creds));
		torture_assert(tctx, principal, __location__);

		workstation = talloc_asprintf(tctx, "%sUP",
					      trusted_netbios_name);
		torture_assert(tctx, workstation, __location__);
	} else {
		account = talloc_asprintf(tctx, "%s$", trusted_netbios_name);
		torture_assert(tctx, account, __location__);

		workstation = talloc_asprintf(tctx, "%sDOWN",
					      trusted_netbios_name);
		torture_assert(tctx, workstation, __location__);
	}

	cli_credentials_set_username(incoming_creds, account, CRED_SPECIFIED);
	if (principal != NULL) {
		cli_credentials_set_principal(incoming_creds, principal,
					      CRED_SPECIFIED);
	}
	cli_credentials_set_kvno(incoming_creds, current_version);
	cli_credentials_set_password(incoming_creds, current_password, CRED_SPECIFIED);
	cli_credentials_set_old_password(incoming_creds, previous_password, CRED_SPECIFIED);
	cli_credentials_set_workstation(incoming_creds, workstation, CRED_SPECIFIED);
	cli_credentials_set_secure_channel_type(incoming_creds, secure_channel_type);

	make_nbt_name_server(&nbt_name, host);

	status = resolve_name_ex(lpcfg_resolve_context(tctx->lp_ctx),
				 0, 0, &nbt_name, tctx, &ip, tctx->ev);
	torture_assert_ntstatus_ok(tctx, status,
			talloc_asprintf(tctx,"Failed to resolve %s: %s",
					nbt_name.name, nt_errstr(status)));

	rc = tsocket_address_inet_from_strings(
		tctx, "ip", ip, 389, &dest_addr);
	torture_assert_int_equal(
		tctx,
		rc,
		0,
		talloc_asprintf(tctx,
				"tsocket_address_inet_from_strings failed "
				"parsing %s:%d",
				host,
				389));

	status = netlogon_pings(tctx, /* mem_ctx */
				lpcfg_client_netlogon_ping_protocol(
					tctx->lp_ctx), /* proto */
				&dest_addr,	       /* servers */
				1,		       /* num_servers */
				(struct netlogon_ping_filter){
					.ntversion = NETLOGON_NT_VERSION_5 |
						     NETLOGON_NT_VERSION_5EX,
					.acct_ctrl = (secure_channel_type ==
						      SEC_CHAN_DNS_DOMAIN)
							     ? ACB_AUTOLOCK
							     : ACB_DOMTRUST,
					.user = account,
				},
				1, /* min_servers */
				tevent_timeval_current_ofs(2, 0), /* timeout */
				&responses);
	torture_assert_ntstatus_ok(tctx, status, "netlogon_pings");

	resp = responses[0];

	torture_assert_int_equal(tctx,
				 resp->ntver,
				 NETLOGON_NT_VERSION_5EX,
				 "ntver");
	torture_assert_int_equal(tctx,
				 resp->data.nt5_ex.nt_version,
				 NETLOGON_NT_VERSION_1 |
					 NETLOGON_NT_VERSION_5EX,
				 "nt_version");
	torture_assert_int_equal(tctx,
				 resp->data.nt5_ex.command,
				 LOGON_SAM_LOGON_RESPONSE_EX,
				 "command");
	torture_assert_str_equal(tctx,
				 resp->data.nt5_ex.user_name,
				 account,
				 "user_name");
	server_name = talloc_asprintf(tctx,
				      "\\\\%s",
				      resp->data.nt5_ex.pdc_dns_name);
	torture_assert(tctx, server_name, __location__);

	status = dcerpc_parse_binding(tctx, binding, &b2);
	torture_assert_ntstatus_ok(tctx, status, "Bad binding string");

	status = dcerpc_pipe_connect_b(tctx, &p1, b2,
				       &ndr_table_netlogon,
				       cli_credentials_init_anon(tctx),
				       tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");

	ok = check_pw_with_ServerAuthenticate3(p1, tctx,
					       NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
					       server_name,
					       incoming_creds, &creds);
	torture_assert_int_equal(tctx, ok, expected_result,
				 "check_pw_with_ServerAuthenticate3");
	if (expected_result == true) {
		ok = test_SetupCredentialsPipe(p1, tctx, incoming_creds, creds,
					       DCERPC_SIGN | DCERPC_SEAL, &p2);
		torture_assert_int_equal(tctx, ok, true,
					 "test_SetupCredentialsPipe");
	}
	TALLOC_FREE(p1);

	if (trusted->trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
#ifdef SAMBA4_USES_HEIMDAL
		ok = check_pw_with_krb5(tctx, incoming_creds, trusted);
		torture_assert_int_equal(tctx, ok, expected_result,
					 "check_pw_with_krb5");
#else
		torture_comment(tctx, "skipping check_pw_with_krb5 for MIT Kerberos build");
#endif
	}

	if (expected_result != true || next_password == NULL) {
		TALLOC_FREE(p2);
		return true;
	}

	/*
	 * netr_ServerPasswordSet2
	 */
	ok = encode_pw_buffer(samr_crypt_password.data,
			      next_password, STR_UNICODE);
	torture_assert(tctx, ok, "encode_pw_buffer");

	if (next_version != 0) {
		struct NL_PASSWORD_VERSION version;
		uint32_t len = IVAL(samr_crypt_password.data, 512);
		uint32_t ofs = 512 - len;
		uint8_t *ptr;

		ofs -= 12;

		version.ReservedField = 0;
		version.PasswordVersionNumber = next_version;
		version.PasswordVersionPresent =
			NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;

		ptr = samr_crypt_password.data + ofs;
		SIVAL(ptr, 0, version.ReservedField);
		SIVAL(ptr, 4, version.PasswordVersionNumber);
		SIVAL(ptr, 8, version.PasswordVersionPresent);
	}

	netlogon_creds_client_authenticator(creds, &req_auth);
	ZERO_STRUCT(rep_auth);

	dcerpc_binding_handle_auth_info(p2->binding_handle,
					&auth_type,
					&auth_level);
	status = netlogon_creds_encrypt_samr_CryptPassword(creds,
							   &samr_crypt_password,
							   auth_type,
							   auth_level);
	torture_assert_ntstatus_ok(tctx, status, "encrypt_samr_CryptPassword");

	memcpy(netr_crypt_password.data,
	       samr_crypt_password.data, 512);
	netr_crypt_password.length = IVAL(samr_crypt_password.data, 512);


	s.in.server_name = server_name;
	s.in.account_name = cli_credentials_get_username(incoming_creds);
	s.in.secure_channel_type = cli_credentials_get_secure_channel_type(incoming_creds);
	s.in.computer_name = cli_credentials_get_workstation(incoming_creds);
	s.in.credential = &req_auth;
	s.in.new_password = &netr_crypt_password;
	s.out.return_authenticator = &rep_auth;
	status = dcerpc_netr_ServerPasswordSet2_r(p2->binding_handle, tctx, &s);
	torture_assert_ntstatus_ok(tctx, status, "failed to set password");

	ok = netlogon_creds_client_check(creds, &rep_auth.cred);
	torture_assert(tctx, ok, "netlogon_creds_client_check");

	cli_credentials_set_kvno(incoming_creds, next_version);
	cli_credentials_set_password(incoming_creds, next_password, CRED_SPECIFIED);
	cli_credentials_set_old_password(incoming_creds, current_password, CRED_SPECIFIED);

	TALLOC_FREE(p2);
	status = dcerpc_pipe_connect_b(tctx, &p2, b2,
				       &ndr_table_netlogon,
				       cli_credentials_init_anon(tctx),
				       tctx->ev, tctx->lp_ctx);
	torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");

	ok = check_pw_with_ServerAuthenticate3(p2, tctx,
					       NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
					       server_name,
					       incoming_creds, &creds);
	torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");

	if (trusted->trust_type != LSA_TRUST_TYPE_DOWNLEVEL) {
#if SAMBA4_USES_HEIMDAL
		ok = check_pw_with_krb5(tctx, incoming_creds, trusted);
		torture_assert(tctx, ok, "check_pw_with_krb5 with changed password");
#else
		torture_comment(tctx, "skipping check_pw_with_krb5 for MIT Kerberos build");
#endif
	}

	TALLOC_FREE(p2);
	return true;
}

enum ex_call {
	CREATE_TRUSTED_DOMAIN_EX1 = 1,
	CREATE_TRUSTED_DOMAIN_EX2 = 2,
	CREATE_TRUSTED_DOMAIN_EX3 = 3,
};

static bool test_CreateTrustedDomainEx_common(struct dcerpc_pipe *p,
					      struct torture_context *tctx,
					      struct policy_handle *handle,
					      uint32_t num_trusts,
					      enum ex_call ex_call)
{
	NTSTATUS status;
	bool ret = true;
	struct lsa_QueryInfoPolicy2 p2;
	union lsa_PolicyInformation *our_info = NULL;
	struct lsa_CreateTrustedDomainEx r;
	struct lsa_CreateTrustedDomainEx2 r2;
	struct lsa_CreateTrustedDomainEx3 r3 = {
		.in = {
			.access_mask = 0,
		}
	};
	struct lsa_TrustDomainInfoInfoEx trustinfo;
	struct lsa_TrustDomainInfoAuthInfoInternal *authinfo_internal = NULL;
	struct lsa_TrustDomainInfoAuthInfoInternalAES
		*authinfo_internal_aes = NULL;
	struct lsa_TrustDomainInfoAuthInfo *authinfo = NULL;
	struct dom_sid **domsid;
	struct policy_handle *trustdom_handle;
	struct lsa_QueryTrustedDomainInfo q;
	union lsa_TrustedDomainInfo *info = NULL;
	DATA_BLOB session_key;
	int i;
	struct dcerpc_binding_handle *b = p->binding_handle;
	const char *id = "0";
	const char *incoming_v00 = TRUSTPW "InV00";
	const char *incoming_v0 = TRUSTPW "InV0";
	const char *incoming_v1 = TRUSTPW "InV1";
	const char *incoming_v2 = TRUSTPW "InV2";
	const char *incoming_v40 = TRUSTPW "InV40";
	const char *outgoing_v00 = TRUSTPW "OutV00";
	const char *outgoing_v0 = TRUSTPW "OutV0";

	switch (ex_call) {
	case CREATE_TRUSTED_DOMAIN_EX3:
		torture_comment(
			tctx,
			"\nTesting CreateTrustedDomainEx3 for %d domains\n",
			num_trusts
		);
		id = "4";
		break;
	case CREATE_TRUSTED_DOMAIN_EX2:
		torture_comment(
			tctx,
			"\nTesting CreateTrustedDomainEx2 for %d domains\n",
			num_trusts
		);
		id = "3";
		break;
	case CREATE_TRUSTED_DOMAIN_EX1:
		torture_comment(
			tctx,
			"\nTesting CreateTrustedDomainEx for %d domains\n",
			num_trusts
		);
		id = "2";
		break;
	}

	domsid = talloc_array(tctx, struct dom_sid *, num_trusts);
	trustdom_handle = talloc_array(tctx, struct policy_handle, num_trusts);

	status = dcerpc_binding_handle_transport_session_key(b, tctx, &session_key);
	if (!NT_STATUS_IS_OK(status)) {
		torture_comment(tctx, "transport_session_key failed - %s\n", nt_errstr(status));
		return false;
	}

	ZERO_STRUCT(p2);
	p2.in.handle = handle;
	p2.in.level = LSA_POLICY_INFO_DNS;
	p2.out.info = &our_info;

	torture_assert_ntstatus_ok(tctx,
				dcerpc_lsa_QueryInfoPolicy2_r(b, tctx, &p2),
				"lsa_QueryInfoPolicy2 failed");
	torture_assert_ntstatus_ok(tctx, p2.out.result,
				"lsa_QueryInfoPolicy2 failed");
	torture_assert(tctx, our_info != NULL, "lsa_QueryInfoPolicy2 our_info");

	for (i=0; i< num_trusts; i++) {
		char *trust_name = talloc_asprintf(tctx, "TORTURE%s%02d", id, i);
		char *trust_name_dns = talloc_asprintf(tctx, "torturedom%s%02d.samba._none_.example.com", id, i);
		char *trust_sid = talloc_asprintf(tctx, "S-1-5-21-97398-379795-%s%02d", id, i);
		bool ok;

		domsid[i] = dom_sid_parse_talloc(tctx, trust_sid);

		trustinfo.sid = domsid[i];
		trustinfo.netbios_name.string = trust_name;
		trustinfo.domain_name.string = trust_name_dns;

		/* Create inbound, some outbound, and some
		 * bi-directional trusts in a repeating pattern based
		 * on i */

		/* 1 == inbound, 2 == outbound, 3 == both */
		trustinfo.trust_direction = (i % 3) + 1;

		/* Try different trust types too */

		/* 1 == downlevel (NT4), 2 == uplevel (ADS), 3 == MIT (kerberos but not AD) */
		trustinfo.trust_type = (((i / 3) + 1) % 3) + 1;

		trustinfo.trust_attributes = LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION;

		switch(ex_call) {
		case CREATE_TRUSTED_DOMAIN_EX3:
			ok = rpc_lsa_encrypt_trustdom_info_aes(
				tctx,
				incoming_v00,
				incoming_v0,
				outgoing_v00,
				outgoing_v0,
				session_key,
				&authinfo_internal_aes);
			if (!ok) {
				torture_comment(tctx,
						"gen_authinfo_internal failed");
				ret = false;
			}

			r3.in.policy_handle = handle;
			r3.in.info = &trustinfo;
			r3.in.auth_info_internal = authinfo_internal_aes;
			r3.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
			r3.out.trustdom_handle = &trustdom_handle[i];

			torture_assert_ntstatus_ok(
				tctx,
				dcerpc_lsa_CreateTrustedDomainEx3_r(b,
								    tctx,
								    &r3),
				"CreateTrustedDomainEx3 failed");

			status = r3.out.result;
			break;
		case CREATE_TRUSTED_DOMAIN_EX2:
			ok = rpc_lsa_encrypt_trustdom_info(tctx,
							   incoming_v00,
							   incoming_v0,
							   outgoing_v00,
							   outgoing_v0,
							   session_key,
							   &authinfo_internal);
			if (!ok) {
				torture_comment(
					tctx,
					"rpc_lsa_encrypt_trustdom_info failed");
				ret = false;
			}

			r2.in.policy_handle = handle;
			r2.in.info = &trustinfo;
			r2.in.auth_info_internal = authinfo_internal;
			r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
			r2.out.trustdom_handle = &trustdom_handle[i];

			torture_assert_ntstatus_ok(tctx,
				dcerpc_lsa_CreateTrustedDomainEx2_r(b, tctx, &r2),
				"CreateTrustedDomainEx2 failed");

			status = r2.out.result;
			break;
		case CREATE_TRUSTED_DOMAIN_EX1:
			ok = gen_authinfo(tctx,
					  incoming_v00,
					  incoming_v0,
					  outgoing_v00,
					  outgoing_v0,
					  &authinfo);
			if (!ok) {
				torture_comment(tctx, "gen_authinfonfo failed");
				ret = false;
			}

			r.in.policy_handle = handle;
			r.in.info = &trustinfo;
			r.in.auth_info = authinfo;
			r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
			r.out.trustdom_handle = &trustdom_handle[i];

			torture_assert_ntstatus_ok(tctx,
				dcerpc_lsa_CreateTrustedDomainEx_r(b, tctx, &r),
				"CreateTrustedDomainEx failed");

			status = r.out.result;
			break;
		}

		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
			test_DeleteTrustedDomain(b, tctx, handle, trustinfo.netbios_name);

			switch (ex_call) {
			case CREATE_TRUSTED_DOMAIN_EX3:
				torture_assert_ntstatus_ok(
					tctx,
					dcerpc_lsa_CreateTrustedDomainEx3_r(
						b, tctx, &r3),
					"CreateTrustedDomainEx3 failed");
				status = r3.out.result;
				break;
			case CREATE_TRUSTED_DOMAIN_EX2:
				torture_assert_ntstatus_ok(
					tctx,
					dcerpc_lsa_CreateTrustedDomainEx2_r(
						b, tctx, &r2),
					"CreateTrustedDomainEx2 failed");
				status = r2.out.result;
				break;
			case CREATE_TRUSTED_DOMAIN_EX1:
				torture_assert_ntstatus_ok(
					tctx,
					dcerpc_lsa_CreateTrustedDomainEx_r(b,
									   tctx,
									   &r),
					"CreateTrustedDomainEx failed");
				status = r.out.result;
				break;
			}
		}
		if (!NT_STATUS_IS_OK(status)) {
			torture_comment(tctx,
					"CreateTrustedDomainEx(2|3) failed "
					"with status: %s\n",
					nt_errstr(status));
			ret = false;
		} else { /* For outbound and MIT trusts there is no trust account */
			if (trustinfo.trust_direction != 2 &&
			    trustinfo.trust_type != 3) {

				if (torture_setting_bool(tctx, "samba3", false)) {
					torture_comment(tctx, "skipping trusted domain auth tests against samba3\n");
				} else if (ex_call == CREATE_TRUSTED_DOMAIN_EX1 &&
					   torture_setting_bool(tctx, "samba4", false)) {
					torture_comment(tctx, "skipping CreateTrustedDomainEx trusted domain auth tests against samba4\n");

				} else {
					ok = check_dom_trust_pw(p, tctx,
								our_info->dns.name.string,
								our_info->dns.dns_domain.string,
								SEC_CHAN_DOMAIN,
								&trustinfo,
								NULL,
								"x" TRUSTPW "x", 0,
								NULL, 0,
								false);
					if (!ok) {
						torture_comment(tctx, "Password check passed unexpectedly\n");
						ret = false;
					}
					ok = check_dom_trust_pw(p, tctx,
								our_info->dns.name.string,
								our_info->dns.dns_domain.string,
								SEC_CHAN_DOMAIN,
								&trustinfo,
								incoming_v00,
								incoming_v0, 0,
								incoming_v1, 1,
								true);
					if (!ok) {
						torture_comment(tctx, "Password check failed (SEC_CHAN_DOMAIN)\n");
						ret = false;
					}
					ok = check_dom_trust_pw(p, tctx,
								our_info->dns.name.string,
								our_info->dns.dns_domain.string,
								SEC_CHAN_DNS_DOMAIN,
								&trustinfo,
								incoming_v0,
								incoming_v1, 1,
								incoming_v2, 2,
								true);
					if (!ok) {
						torture_comment(tctx, "Password check failed v2 (SEC_CHAN_DNS_DOMAIN)\n");
						ret = false;
					}
					ok = check_dom_trust_pw(p, tctx,
								our_info->dns.name.string,
								our_info->dns.dns_domain.string,
								SEC_CHAN_DNS_DOMAIN,
								&trustinfo,
								incoming_v1,
								incoming_v2, 2,
								incoming_v40, 40,
								true);
					if (!ok) {
						torture_comment(tctx, "Password check failed v4 (SEC_CHAN_DNS_DOMAIN)\n");
						ret = false;
					}
				}
			}

			q.in.trustdom_handle = &trustdom_handle[i];
			q.in.level = LSA_TRUSTED_DOMAIN_INFO_INFO_EX;
			q.out.info = &info;
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryTrustedDomainInfo_r(b, tctx, &q),
				"QueryTrustedDomainInfo failed");
			if (!NT_STATUS_IS_OK(q.out.result)) {
				torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed - %s\n", nt_errstr(q.out.result));
				ret = false;
			} else if (!q.out.info) {
				torture_comment(tctx, "QueryTrustedDomainInfo level 1 failed to return an info pointer\n");
				ret = false;
			} else {
				if (strcmp(info->info_ex.domain_name.string, trustinfo.domain_name.string) != 0) {
					torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent long name: %s != %s\n",
					       info->info_ex.domain_name.string, trustinfo.domain_name.string);
					ret = false;
				}
				if (strcmp(info->info_ex.netbios_name.string, trustinfo.netbios_name.string) != 0) {
					torture_comment(tctx, "QueryTrustedDomainInfo returned inconsistent short name: %s != %s\n",
					       info->info_ex.netbios_name.string, trustinfo.netbios_name.string);
					ret = false;
				}
				if (info->info_ex.trust_type != trustinfo.trust_type) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust type %d != %d\n",
					       trust_name, info->info_ex.trust_type, trustinfo.trust_type);
					ret = false;
				}
				if (info->info_ex.trust_attributes != LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust attributes %d != %d\n",
					       trust_name, info->info_ex.trust_attributes, LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION);
					ret = false;
				}
				if (info->info_ex.trust_direction != trustinfo.trust_direction) {
					torture_comment(tctx, "QueryTrustedDomainInfo of %s returned incorrect trust direction %d != %d\n",
					       trust_name, info->info_ex.trust_direction, trustinfo.trust_direction);
					ret = false;
				}
			}
		}
	}

	/* now that we have some domains to look over, we can test the enum calls */
	if (!test_EnumTrustDom(b, tctx, handle)) {
		torture_comment(tctx, "test_EnumTrustDom failed\n");
		ret = false;
	}

	if (!test_EnumTrustDomEx(b, tctx, handle)) {
		torture_comment(tctx, "test_EnumTrustDomEx failed\n");
		ret = false;
	}

	for (i=0; i<num_trusts; i++) {
		if (!test_DeleteTrustedDomainBySid(b, tctx, handle, domsid[i])) {
			torture_comment(tctx, "test_DeleteTrustedDomainBySid failed\n");
			ret = false;
		}
	}

	return ret;
}

static bool test_CreateTrustedDomainEx3(struct dcerpc_pipe *p,
					struct torture_context *tctx,
					struct policy_handle *handle,
					uint32_t num_trusts)
{
	return test_CreateTrustedDomainEx_common(
		p,
		tctx,
		handle,
		num_trusts,
		CREATE_TRUSTED_DOMAIN_EX3
	);
}

static bool test_CreateTrustedDomainEx2(struct dcerpc_pipe *p,
					struct torture_context *tctx,
					struct policy_handle *handle,
					uint32_t num_trusts)
{
	return test_CreateTrustedDomainEx_common(
		p,
		tctx,
		handle,
		num_trusts,
		CREATE_TRUSTED_DOMAIN_EX2
	);
}

static bool test_CreateTrustedDomainEx(struct dcerpc_pipe *p,
				       struct torture_context *tctx,
				       struct policy_handle *handle,
				       uint32_t num_trusts)
{
	return test_CreateTrustedDomainEx_common(
		p,
		tctx,
		handle,
		num_trusts,
		CREATE_TRUSTED_DOMAIN_EX1
	);
}

static bool test_QueryDomainInfoPolicy(struct dcerpc_binding_handle *b,
				 struct torture_context *tctx,
				 struct policy_handle *handle)
{
	struct lsa_QueryDomainInformationPolicy r;
	union lsa_DomainInformationPolicy *info = NULL;
	int i;
	bool ret = true;

	if (torture_setting_bool(tctx, "samba3", false)) {
		torture_skip(tctx, "skipping QueryDomainInformationPolicy test\n");
	}

	torture_comment(tctx, "\nTesting QueryDomainInformationPolicy\n");

	for (i=2;i<4;i++) {
		r.in.handle = handle;
		r.in.level = i;
		r.out.info = &info;

		torture_comment(tctx, "\nTrying QueryDomainInformationPolicy level %d\n", i);

		torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryDomainInformationPolicy_r(b, tctx, &r),
			"QueryDomainInformationPolicy failed");

		/* If the server does not support EFS, then this is the correct return */
		if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(r.out.result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
			continue;
		} else if (!NT_STATUS_IS_OK(r.out.result)) {
			torture_comment(tctx, "QueryDomainInformationPolicy failed - %s\n", nt_errstr(r.out.result));
			ret = false;
			continue;
		}
	}

	return ret;
}


static bool test_QueryInfoPolicyCalls(	bool version2,
					struct dcerpc_binding_handle *b,
					struct torture_context *tctx,
					struct policy_handle *handle)
{
	struct lsa_QueryInfoPolicy r;
	union lsa_PolicyInformation *info = NULL;
	int i;
	bool ret = true;
	const char *call = talloc_asprintf(tctx, "QueryInfoPolicy%s", version2 ? "2":"");

	torture_comment(tctx, "\nTesting %s\n", call);

	if (version2 && torture_setting_bool(tctx, "samba3", false)) {
		torture_skip(tctx, "skipping QueryInfoPolicy2 tests\n");
	}

	for (i=1;i<=14;i++) {
		r.in.handle = handle;
		r.in.level = i;
		r.out.info = &info;

		torture_comment(tctx, "\nTrying %s level %d\n", call, i);

		if (version2)
			/* We can perform the cast, because both types are
			   structurally equal */
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy2_r(b, tctx,
				 (struct lsa_QueryInfoPolicy2*) &r),
				 "QueryInfoPolicy2 failed");
		else
			torture_assert_ntstatus_ok(tctx, dcerpc_lsa_QueryInfoPolicy_r(b, tctx, &r),
				"QueryInfoPolicy2 failed");

		switch (i) {
		case LSA_POLICY_INFO_MOD:
		case LSA_POLICY_INFO_AUDIT_FULL_SET:
		case LSA_POLICY_INFO_AUDIT_FULL_QUERY:
			if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
				torture_comment(tctx, "Server should have failed level %u: %s\n", i, nt_errstr(r.out.result));
				ret = false;
			}
			break;
		case LSA_POLICY_INFO_DOMAIN:
		case LSA_POLICY_INFO_ACCOUNT_DOMAIN:
		case LSA_POLICY_INFO_REPLICA:
		case LSA_POLICY_INFO_QUOTA:
		case LSA_POLICY_INFO_ROLE:
		case LSA_POLICY_INFO_AUDIT_LOG:
		case LSA_POLICY_INFO_AUDIT_EVENTS:
		case LSA_POLICY_INFO_PD:
			if (!NT_STATUS_IS_OK(r.out.result)) {
				torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
				ret = false;
			}
			break;
		case LSA_POLICY_INFO_L_ACCOUNT_DOMAIN:
		case LSA_POLICY_INFO_DNS_INT:
		case LSA_POLICY_INFO_DNS:
			if (torture_setting_bool(tctx, "samba3", false)) {
				/* Other levels not implemented yet */
				if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
					torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
					ret = false;
				}
			} else if (!NT_STATUS_IS_OK(r.out.result)) {
				torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
				ret = false;
			}
			break;
		default:
			if (torture_setting_bool(tctx, "samba4", false)) {
				/* Other levels not implemented yet */
				if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_INFO_CLASS)) {
					torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
					ret = false;
				}
			} else if (!NT_STATUS_IS_OK(r.out.result)) {
				torture_comment(tctx, "%s failed - %s\n", call, nt_errstr(r.out.result));
				ret = false;
			}
			break;
		}

		if (NT_STATUS_IS_OK(r.out.result) && (i == LSA_POLICY_INFO_DNS
			|| i == LSA_POLICY_INFO_DNS_INT)) {
			/* Let's look up some of these names */

			struct lsa_TransNameArray tnames, dnames;
			tnames.count = 14;
			tnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, tnames.count);
			tnames.names[0].name.string = info->dns.name.string;
			tnames.names[0].sid_type = SID_NAME_DOMAIN;
			tnames.names[1].name.string = info->dns.dns_domain.string;
			tnames.names[1].sid_type = SID_NAME_DOMAIN;
			tnames.names[2].name.string = talloc_asprintf(tctx, "%s\\", info->dns.name.string);
			tnames.names[2].sid_type = SID_NAME_DOMAIN;
			tnames.names[3].name.string = talloc_asprintf(tctx, "%s\\", info->dns.dns_domain.string);
			tnames.names[3].sid_type = SID_NAME_DOMAIN;
			tnames.names[4].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.name.string);
			tnames.names[4].sid_type = SID_NAME_USER;
			tnames.names[5].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.name.string);
			tnames.names[5].sid_type = SID_NAME_USER;
			tnames.names[6].name.string = talloc_asprintf(tctx, "%s\\guest", info->dns.dns_domain.string);
			tnames.names[6].sid_type = SID_NAME_USER;
			tnames.names[7].name.string = talloc_asprintf(tctx, "%s\\krbtgt", info->dns.dns_domain.string);
			tnames.names[7].sid_type = SID_NAME_USER;
			tnames.names[8].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.name.string);
			tnames.names[8].sid_type = SID_NAME_USER;
			tnames.names[9].name.string = talloc_asprintf(tctx, "krbtgt@%s", info->dns.dns_domain.string);
			tnames.names[9].sid_type = SID_NAME_USER;
			tnames.names[10].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
			tnames.names[10].sid_type = SID_NAME_USER;
			tnames.names[11].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.dns_domain.string);
			tnames.names[11].sid_type = SID_NAME_USER;
			tnames.names[12].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.name.string);
			tnames.names[12].sid_type = SID_NAME_USER;
			tnames.names[13].name.string = talloc_asprintf(tctx, TEST_MACHINENAME "$@%s", info->dns.dns_domain.string);
			tnames.names[13].sid_type = SID_NAME_USER;
			ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames);

			/* Try to use in-forest search for the test machine */
			dnames.count = 1;
			dnames.names = talloc_zero_array(tctx, struct lsa_TranslatedName, dnames.count);
			dnames.names[0].name.string = talloc_asprintf(tctx, "%s\\"TEST_MACHINENAME "$", info->dns.name.string);
			dnames.names[0].sid_type = SID_NAME_USER;
			ret &= test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2, &dnames);
		}
	}

	return ret;
}

static bool test_QueryInfoPolicy(struct dcerpc_binding_handle *b,
				 struct torture_context *tctx,
				 struct policy_handle *handle)
{
	return test_QueryInfoPolicyCalls(false, b, tctx, handle);
}

static bool test_QueryInfoPolicy2(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx,
				  struct policy_handle *handle)
{
	return test_QueryInfoPolicyCalls(true, b, tctx, handle);
}

static bool test_GetUserName(struct dcerpc_binding_handle *b,
			     struct torture_context *tctx)
{
	struct lsa_GetUserName r;
	struct lsa_String *authority_name_p = NULL;
	struct lsa_String *account_name_p = NULL;

	torture_comment(tctx, "\nTesting GetUserName\n");

	r.in.system_name	= "\\";
	r.in.account_name	= &account_name_p;
	r.in.authority_name	= NULL;
	r.out.account_name	= &account_name_p;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
		"GetUserName failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"GetUserName result failed");
	torture_assert_not_null(tctx, r.out.account_name, "r.out.account_name");
	torture_assert_not_null(tctx, *r.out.account_name, "*r.out.account_name");
	torture_assert(tctx, r.out.authority_name == NULL, "r.out.authority_name");

	account_name_p = NULL;
	r.in.account_name	= &account_name_p;
	r.in.authority_name	= &authority_name_p;
	r.out.account_name	= &account_name_p;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_GetUserName_r(b, tctx, &r),
		"GetUserName failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"GetUserName result failed");
	torture_assert_not_null(tctx, r.out.account_name, "r.out.account_name");
	torture_assert_not_null(tctx, *r.out.account_name, "*r.out.account_name");
	torture_assert_not_null(tctx, r.out.authority_name, "r.out.authority_name");
	torture_assert_not_null(tctx, *r.out.authority_name, "*r.out.authority_name");

	torture_comment(tctx,
			"Account Name: %s, Authority Name: %s\n",
			(*r.out.account_name)->string,
			(*r.out.authority_name)->string);

	return true;
}

static bool test_GetUserName_fail(struct dcerpc_binding_handle *b,
				  struct torture_context *tctx)
{
	struct lsa_GetUserName r;
	struct lsa_String *account_name_p = NULL;
	NTSTATUS status;

	torture_comment(tctx, "\nTesting GetUserName_fail\n");

	r.in.system_name	= "\\";
	r.in.account_name	= &account_name_p;
	r.in.authority_name	= NULL;
	r.out.account_name	= &account_name_p;

	status = dcerpc_lsa_GetUserName_r(b, tctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
			torture_comment(tctx,
					"GetUserName correctly returned with "
					"status: %s\n",
					nt_errstr(status));
			return true;
		}

		torture_assert_ntstatus_equal(tctx,
					      status,
					      NT_STATUS_ACCESS_DENIED,
					      "GetUserName return value should "
					      "be ACCESS_DENIED");
		return true;
	}

	if (!NT_STATUS_IS_OK(r.out.result)) {
		if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_ACCESS_DENIED) ||
		    NT_STATUS_EQUAL(r.out.result, NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED)) {
			torture_comment(tctx,
					"GetUserName correctly returned with "
					"result: %s\n",
					nt_errstr(r.out.result));
			return true;
		}
	}

	torture_assert_ntstatus_equal(tctx,
				      r.out.result,
				      NT_STATUS_OK,
				      "GetUserName return value should be "
				      "ACCESS_DENIED");

	return false;
}

bool test_lsa_Close(struct dcerpc_binding_handle *b,
		    struct torture_context *tctx,
		    struct policy_handle *handle)
{
	struct lsa_Close r;
	struct policy_handle handle2;

	torture_comment(tctx, "\nTesting Close\n");

	r.in.handle = handle;
	r.out.handle = &handle2;

	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
		"Close failed");
	torture_assert_ntstatus_ok(tctx, r.out.result,
		"Close failed");

	torture_assert_ntstatus_equal(tctx, dcerpc_lsa_Close_r(b, tctx, &r),
		NT_STATUS_RPC_SS_CONTEXT_MISMATCH, "Close should failed");

	torture_comment(tctx, "\n");

	return true;
}

bool torture_rpc_lsa(struct torture_context *tctx)
{
        NTSTATUS status;
        struct dcerpc_pipe *p;
	bool ret = true;
	struct policy_handle *handle = NULL;
	struct test_join *join = NULL;
	struct cli_credentials *machine_creds;
	struct dcerpc_binding_handle *b;
	enum dcerpc_transport_t transport;

	status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
	torture_assert_ntstatus_ok(tctx, status, "Error connecting to server");

	b = p->binding_handle;
	transport = dcerpc_binding_handle_get_transport(b);

	/* Test lsaLookupSids3 and lsaLookupNames4 over tcpip */
	if (transport == NCACN_IP_TCP) {
		if (!test_OpenPolicy_fail(b, tctx)) {
			ret = false;
		}

		if (!test_OpenPolicy2_fail(b, tctx)) {
			ret = false;
		}

		if (!test_OpenPolicy3_fail(b, tctx)) {
			ret = false;
		}

		if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
			ret = false;
		}

		return ret;
	}

	if (!test_OpenPolicy(b, tctx)) {
		ret = false;
	}

	if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
		ret = false;
	}

	if (!test_lsa_OpenPolicy3(b, tctx, &handle)) {
		ret = false;
	}

	if (handle) {
		join = torture_join_domain(tctx, TEST_MACHINENAME, ACB_WSTRUST, &machine_creds);
		if (!join) {
			ret = false;
		}

		if (!test_LookupSids_async(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
			ret = false;
		}

		if (!test_QueryDomainInfoPolicy(b, tctx, handle)) {
			ret = false;
		}

		if (!test_CreateSecret(p, tctx, handle)) {
			ret = false;
		}

		if (!test_QueryInfoPolicy(b, tctx, handle)) {
			ret = false;
		}

		if (!test_QueryInfoPolicy2(b, tctx, handle)) {
			ret = false;
		}

		if (!test_Delete(b, tctx, handle)) {
			ret = false;
		}

		if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
			ret = false;
		}

		if (!test_lsa_Close(b, tctx, handle)) {
			ret = false;
		}

		torture_leave_domain(tctx, join);

	} else {
		if (!test_many_LookupSids(p, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
			ret = false;
		}
	}

	if (!test_GetUserName(b, tctx)) {
		ret = false;
	}

	return ret;
}

bool torture_rpc_lsa_get_user(struct torture_context *tctx)
{
        NTSTATUS status;
        struct dcerpc_pipe *p;
	bool ret = true;
	struct dcerpc_binding_handle *b;
	enum dcerpc_transport_t transport;

	status = torture_rpc_connection(tctx, &p, &ndr_table_lsarpc);
	torture_assert_ntstatus_ok(tctx, status, "Error connecting to server");

	b = p->binding_handle;
	transport = dcerpc_binding_handle_get_transport(b);

	if (transport == NCACN_IP_TCP) {
		if (!test_GetUserName_fail(b, tctx)) {
			ret = false;
		}
		return ret;
	}

	if (!test_GetUserName(b, tctx)) {
		ret = false;
	}

	return ret;
}

static bool testcase_LookupNames(struct torture_context *tctx,
				 struct dcerpc_pipe *p)
{
	bool ret = true;
	struct policy_handle *handle;
	struct lsa_TransNameArray tnames;
	struct lsa_TransNameArray2 tnames2;
	struct dcerpc_binding_handle *b = p->binding_handle;
	enum dcerpc_transport_t transport = dcerpc_binding_handle_get_transport(b);

	if (transport != NCACN_NP && transport != NCALRPC) {
		torture_comment(tctx, "testcase_LookupNames is only available "
				"over NCACN_NP or NCALRPC");
		return true;
	}

	if (!test_OpenPolicy(b, tctx)) {
		ret = false;
	}

	if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
		ret = false;
	}

	if (!handle) {
		ret = false;
	}

	tnames.count = 1;
	tnames.names = talloc_array(tctx, struct lsa_TranslatedName, tnames.count);
	ZERO_STRUCT(tnames.names[0]);
	tnames.names[0].name.string = "BUILTIN";
	tnames.names[0].sid_type = SID_NAME_DOMAIN;

	if (!test_LookupNames(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames)) {
		ret = false;
	}

	tnames2.count = 1;
	tnames2.names = talloc_array(tctx, struct lsa_TranslatedName2, tnames2.count);
	ZERO_STRUCT(tnames2.names[0]);
	tnames2.names[0].name.string = "BUILTIN";
	tnames2.names[0].sid_type = SID_NAME_DOMAIN;

	if (!test_LookupNames2(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
		ret = false;
	}

	if (!test_LookupNames3(b, tctx, handle, LSA_LOOKUP_NAMES_ALL, &tnames2, true)) {
		ret = false;
	}

	if (!test_LookupNames_wellknown(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
		ret = false;
	}

	if (!test_LookupNames_NULL(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
		ret = false;
	}

	if (!test_LookupNames_bogus(b, tctx, handle, LSA_LOOKUP_NAMES_ALL)) {
		ret = false;
	}

	if (!test_lsa_Close(b, tctx, handle)) {
		ret = false;
	}

	return ret;
}

struct torture_suite *torture_rpc_lsa_lookup_names(TALLOC_CTX *mem_ctx)
{
	struct torture_suite *suite;
	struct torture_rpc_tcase *tcase;

	suite = torture_suite_create(mem_ctx, "lsa.lookupnames");

	tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
						  &ndr_table_lsarpc);
	torture_rpc_tcase_add_test(tcase, "LookupNames",
				   testcase_LookupNames);

	return suite;
}

struct lsa_trustdom_state {
	uint32_t num_trusts;
};

static bool testcase_TrustedDomains(struct torture_context *tctx,
				    struct dcerpc_pipe *p,
				    void *data)
{
	bool ret = true;
	struct policy_handle *handle;
	struct lsa_trustdom_state *state =
		talloc_get_type_abort(data, struct lsa_trustdom_state);
	struct dcerpc_binding_handle *b = p->binding_handle;
	enum dcerpc_transport_t transport = dcerpc_binding_handle_get_transport(b);

	if (transport != NCACN_NP && transport != NCALRPC) {
		torture_comment(tctx, "testcase_TrustedDomains is only available "
				"over NCACN_NP or NCALRPC");
		return true;
	}

	torture_comment(tctx, "Testing %d domains\n", state->num_trusts);

	if (!test_OpenPolicy(b, tctx)) {
		ret = false;
	}

	if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
		ret = false;
	}

	if (!test_lsa_OpenPolicy3(b, tctx, &handle)) {
		ret = false;
	}

	if (!handle) {
		ret = false;
	}

	if (!test_CreateTrustedDomain(b, tctx, handle, state->num_trusts)) {
		ret = false;
	}

	if (!test_CreateTrustedDomainEx(p, tctx, handle, state->num_trusts)) {
		ret = false;
	}

	if (!test_CreateTrustedDomainEx2(p, tctx, handle, state->num_trusts)) {
		ret = false;
	}

	if (!test_CreateTrustedDomainEx3(p, tctx, handle, state->num_trusts)) {
		ret = false;
	}

	if (!test_lsa_Close(b, tctx, handle)) {
		ret = false;
	}

	return ret;
}

struct torture_suite *torture_rpc_lsa_trusted_domains(TALLOC_CTX *mem_ctx)
{
	struct torture_suite *suite;
	struct torture_rpc_tcase *tcase;
	struct lsa_trustdom_state *state;

	state = talloc(mem_ctx, struct lsa_trustdom_state);

	state->num_trusts = 12;

	suite = torture_suite_create(mem_ctx, "lsa.trusted.domains");

	tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
						  &ndr_table_lsarpc);
	torture_rpc_tcase_add_test_ex(tcase, "TrustedDomains",
				      testcase_TrustedDomains,
				      state);

	return suite;
}

static bool testcase_Privileges(struct torture_context *tctx,
				struct dcerpc_pipe *p)
{
	struct policy_handle *handle;
	struct dcerpc_binding_handle *b = p->binding_handle;
	enum dcerpc_transport_t transport = dcerpc_binding_handle_get_transport(b);

	if (transport != NCACN_NP && transport != NCALRPC) {
		torture_skip(tctx, "testcase_Privileges is only available "
				"over NCACN_NP or NCALRPC");
	}

	if (!test_OpenPolicy(b, tctx)) {
		return false;
	}

	if (!test_lsa_OpenPolicy2(b, tctx, &handle)) {
		return false;
	}

	if (!handle) {
		return false;
	}

	if (!test_CreateAccount(b, tctx, handle)) {
		return false;
	}

	if (!test_EnumAccounts(b, tctx, handle)) {
		return false;
	}

	if (!test_EnumPrivs(b, tctx, handle)) {
		return false;
	}

	if (!test_lsa_Close(b, tctx, handle)) {
		return false;
	}

	return true;
}


struct torture_suite *torture_rpc_lsa_privileges(TALLOC_CTX *mem_ctx)
{
	struct torture_suite *suite;
	struct torture_rpc_tcase *tcase;

	suite = torture_suite_create(mem_ctx, "lsa.privileges");

	tcase = torture_suite_add_rpc_iface_tcase(suite, "lsa",
						  &ndr_table_lsarpc);
	torture_rpc_tcase_add_test(tcase, "Privileges",
				   testcase_Privileges);

	return suite;
}