Merge branch 'master' of ssh://jra@git.samba.org/data/git/samba

12 files changed, 393 insertions, 88 deletions

diff --git a/source4/torture/rpc/drsuapi.c b/source4/torture/rpc/drsuapi.c
index 174de5e981..8f6bbb163b 100644
--- a/source4/torture/rpc/drsuapi.c
+++ b/source4/torture/rpc/drsuapi.c
@@ -35,11 +35,46 @@ bool test_DsBind(struct dcerpc_pipe *p,
 {
 	NTSTATUS status;
 	struct drsuapi_DsBind r;
+	struct drsuapi_DsBindInfo28 *bind_info28;
+	struct drsuapi_DsBindInfoCtr bind_info_ctr;
+
+	ZERO_STRUCT(bind_info_ctr);
+	bind_info_ctr.length = 28;
+
+	bind_info28 = &bind_info_ctr.info.info28;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_BASE;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7;
+	bind_info28->supported_extensions	|= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT;
 
 	GUID_from_string(DRSUAPI_DS_BIND_GUID, &priv->bind_guid);
 
 	r.in.bind_guid = &priv->bind_guid;
-	r.in.bind_info = NULL;
+	r.in.bind_info = &bind_info_ctr;
 	r.out.bind_handle = &priv->bind_handle;
 
 	torture_comment(tctx, "testing DsBind\n");
@@ -47,6 +82,9 @@ bool test_DsBind(struct dcerpc_pipe *p,
 	status = dcerpc_drsuapi_DsBind(p, tctx, &r);
 	torture_drsuapi_assert_call(tctx, p, status, &r, "dcerpc_drsuapi_DsBind");
 
+	/* cache server supported extensions, i.e. bind_info */
+	priv->srv_bind_info = r.out.bind_info->info.info28;
+
 	return true;
 }
 
@@ -416,51 +454,64 @@ static bool test_DsReplicaUpdateRefs(struct torture_context *tctx,
 {
 	NTSTATUS status;
 	struct dcerpc_pipe *p = priv->pipe;
-	int i;
 	struct drsuapi_DsReplicaUpdateRefs r;
 	struct drsuapi_DsReplicaObjectIdentifier nc;
 	struct GUID null_guid;
+	struct GUID dest_dsa_guid;
+	const char *dest_dsa_guid_str;
 	struct dom_sid null_sid;
-	struct {
-		int32_t level;
-	} array[] = {
-		{	
-			1
-		}
-	};
-
-	if (torture_setting_bool(tctx, "samba4", false)) {
-		torture_comment(tctx, "skipping DsReplicaUpdateRefs test against Samba4\n");
-		return true;
-	}
 
 	ZERO_STRUCT(null_guid);
 	ZERO_STRUCT(null_sid);
+	dest_dsa_guid = GUID_random();
+	dest_dsa_guid_str = GUID_string(tctx, &dest_dsa_guid);
 
-	r.in.bind_handle	= &priv->bind_handle;
-
-	for (i=0; i < ARRAY_SIZE(array); i++) {
-		torture_comment(tctx, "testing DsReplicaUpdateRefs level %d\n",
-				array[i].level);
-
-		r.in.level = array[i].level;
-		switch(r.in.level) {
-		case 1:
-			nc.guid				= null_guid;
-			nc.sid				= null_sid;
-			nc.dn				= priv->domain_obj_dn ? priv->domain_obj_dn : "";
-
-			r.in.req.req1.naming_context	= &nc;
-			r.in.req.req1.dest_dsa_dns_name	= talloc_asprintf(tctx, "__some_dest_dsa_guid_string._msdn.%s",
-										priv->domain_dns_name);
-			r.in.req.req1.dest_dsa_guid	= null_guid;
-			r.in.req.req1.options		= 0;
-			break;
-		}
-
-		status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
-		torture_drsuapi_assert_call(tctx, p, status, &r, "dcerpc_drsuapi_DsReplicaUpdateRefs");
-	}
+	r.in.bind_handle = &priv->bind_handle;
+	r.in.level	 = 1; /* Only version 1 is defined presently */
+
+	/* setup NC */
+	nc.guid		= priv->domain_obj_dn ? null_guid : priv->domain_guid;
+	nc.sid		= null_sid;
+	nc.dn		= priv->domain_obj_dn ? priv->domain_obj_dn : "";
+
+	/* default setup for request */
+	r.in.req.req1.naming_context	= &nc;
+	r.in.req.req1.dest_dsa_dns_name	= talloc_asprintf(tctx, "%s._msdn.%s",
+								dest_dsa_guid_str,
+								priv->domain_dns_name);
+	r.in.req.req1.dest_dsa_guid	= dest_dsa_guid;
+
+	/* 1. deleting replica dest should fail */
+	torture_comment(tctx, "delete: %s\n", r.in.req.req1.dest_dsa_dns_name);
+	r.in.req.req1.options		= DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE;
+	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
+	torture_drsuapi_assert_call_werr(tctx, p,
+					 status, WERR_DS_DRA_REF_NOT_FOUND, &r,
+					 "dcerpc_drsuapi_DsReplicaUpdateRefs");
+
+	/* 2. hopefully adding random replica dest should succeed */
+	torture_comment(tctx, "add   : %s\n", r.in.req.req1.dest_dsa_dns_name);
+	r.in.req.req1.options		= DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE;
+	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
+	torture_drsuapi_assert_call_werr(tctx, p,
+					 status, WERR_OK, &r,
+					 "dcerpc_drsuapi_DsReplicaUpdateRefs");
+
+	/* 3. try adding same replica dest - should fail */
+	torture_comment(tctx, "add   : %s\n", r.in.req.req1.dest_dsa_dns_name);
+	r.in.req.req1.options		= DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE;
+	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
+	torture_drsuapi_assert_call_werr(tctx, p,
+					 status, WERR_DS_DRA_REF_ALREADY_EXISTS, &r,
+					 "dcerpc_drsuapi_DsReplicaUpdateRefs");
+
+	/* 4. delete random replicate added at step 2. */
+	torture_comment(tctx, "delete: %s\n", r.in.req.req1.dest_dsa_dns_name);
+	r.in.req.req1.options		= DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE;
+	status = dcerpc_drsuapi_DsReplicaUpdateRefs(p, tctx, &r);
+	torture_drsuapi_assert_call_werr(tctx, p,
+					 status, WERR_OK, &r,
+					 "dcerpc_drsuapi_DsReplicaUpdateRefs");
 
 	return true;
 }
diff --git a/source4/torture/rpc/drsuapi.h b/source4/torture/rpc/drsuapi.h
index d32a35ee2c..a10ea5068e 100644
--- a/source4/torture/rpc/drsuapi.h
+++ b/source4/torture/rpc/drsuapi.h
@@ -30,6 +30,8 @@ struct DsPrivate {
 	struct dcerpc_pipe *pipe;
 	struct policy_handle bind_handle;
 	struct GUID bind_guid;
+	struct drsuapi_DsBindInfo28 srv_bind_info;
+
 	const char *domain_obj_dn;
 	const char *domain_guid_str;
 	const char *domain_dns_name;
@@ -45,10 +47,11 @@ struct DsPrivate {
  * \param _tctx torture context
  * \param _p DCERPC pipe handle
  * \param _ntstatus NTSTATUS for dcerpc_drsuapi_ call
- * \param _pr in/out DCEPRC request structure
+ * \param _werr_expected Expected windows error to be returned
+ * \param _pr in/out DCEPRC request structure - pointer
  * \param _msg error message prefix
  */
-#define torture_drsuapi_assert_call(_tctx, _p, _ntstat, _pr, _msg) \
+#define torture_drsuapi_assert_call_werr(_tctx, _p, _ntstat, _werr_expected, _pr, _msg) \
 	do { \
 		NTSTATUS __nt = _ntstat; \
 		if (!NT_STATUS_IS_OK(__nt)) { \
@@ -58,6 +61,18 @@ struct DsPrivate {
 			} \
 			torture_fail(tctx, talloc_asprintf(_tctx, "%s failed - %s", _msg, errstr)); \
 		} \
-		torture_assert_werr_ok(_tctx, (_pr)->out.result, _msg); \
+		torture_assert_werr_equal(_tctx, (_pr)->out.result, _werr_expected, _msg); \
 	} while(0)
 
+/**
+ * Custom torture macro to check dcerpc_drsuapi_ call
+ * return values printing more friendly messages
+ * \param _tctx torture context
+ * \param _p DCERPC pipe handle
+ * \param _ntstatus NTSTATUS for dcerpc_drsuapi_ call
+ * \param _pr in/out DCEPRC request structure
+ * \param _msg error message prefix
+ */
+#define torture_drsuapi_assert_call(_tctx, _p, _ntstat, _pr, _msg) \
+	torture_drsuapi_assert_call_werr(_tctx, _p, _ntstat, WERR_OK, _pr, _msg)
+
diff --git a/source4/torture/rpc/dssync.c b/source4/torture/rpc/dssync.c
index b47564cc91..a9341d569b 100644
--- a/source4/torture/rpc/dssync.c
+++ b/source4/torture/rpc/dssync.c
@@ -36,6 +36,9 @@
 #include "auth/gensec/gensec.h"
 #include "param/param.h"
 #include "dsdb/samdb/samdb.h"
+#include "torture/rpc/rpc.h"
+#include "torture/drs/proto.h"
+
 
 struct DsSyncBindInfo {
 	struct dcerpc_pipe *pipe;
@@ -489,6 +492,98 @@ static void test_analyse_objects(struct torture_context *tctx,
 	}
 }
 
+/**
+ * Fetch LDAP attribute name and DN by supplied OID
+ */
+static bool _drs_ldap_attr_by_oid(struct torture_context *tctx,
+					struct DsSyncTest *ctx,
+					const char *oid,
+					const char **attr_dn,
+					const char **attr_name)
+{
+	NTSTATUS status;
+	const char *config_dn;
+	const char *expression;
+	struct ldap_message **res_msg;
+	struct ldap_SearchResEntry *search_res;
+	TALLOC_CTX *tmp_ctx = NULL;
+	const char *search_attrs[] = {"lDAPDisplayName", NULL};
+
+	tmp_ctx = talloc_new(ctx);
+
+	config_dn = talloc_asprintf(tmp_ctx, "CN=Schema,CN=Configuration,%s", ctx->domain_dn);
+	expression = talloc_asprintf(tmp_ctx, "(attributeID=%s)", oid);
+
+	status = ildap_search(ctx->admin.ldap.conn,
+				config_dn, LDAP_SEARCH_SCOPE_SUB,
+				expression, search_attrs, false,
+				NULL, NULL, &res_msg);
+	torture_assert_ntstatus_ok(tctx, status, "LDAP search request failed");
+	torture_assert(tctx,
+			ildap_count_entries(ctx->admin.ldap.conn, res_msg) == 1,
+			talloc_asprintf(tmp_ctx, "Failed to find attribute with OID=%s", oid));
+
+	search_res = &res_msg[0]->r.SearchResultEntry;
+	torture_assert(tctx, search_res->num_attributes > 0, "No attributes returned!")
+	torture_assert(tctx, strequal(search_attrs[0], search_res->attributes[0].name),
+			"Requested attributes for attribute class not returned");
+
+	if (attr_dn) {
+		*attr_dn = search_res->dn;
+	}
+
+	if (attr_name) {
+		*attr_name = (const char *)search_res->attributes[0].values[0].data;
+	}
+
+	talloc_free(tmp_ctx);
+
+	return true;
+}
+
+/**
+ * Make Attribute OID and verify such Attribute exists in schema
+ */
+static bool _drs_util_verify_attids(struct torture_context *tctx,
+				    struct DsSyncTest *ctx,
+				    struct drsuapi_DsReplicaOIDMapping_Ctr *prefix_map,
+				    struct drsuapi_DsReplicaObjectListItemEx *cur)
+{
+	uint32_t i;
+
+	DEBUG(1,("drs_test_verify_attids:\n"));
+
+	for (; cur; cur = cur->next_object) {
+		const char *attr_dn = NULL;
+		const char *attr_name = NULL;
+		struct drsuapi_DsReplicaObject *obj = &cur->object;
+
+		DEBUG(1,("%3s %-10s: %s\n", "", "object_dn", obj->identifier->dn));
+
+		for (i = 0; i < obj->attribute_ctr.num_attributes; i++) {
+			int map_idx;
+			const char *oid = NULL;
+			struct drsuapi_DsReplicaAttribute *attr;
+
+			attr = &obj->attribute_ctr.attributes[i];
+			if (!drs_util_oid_from_attid(tctx, prefix_map, attr->attid, &oid, &map_idx)) {
+				return false;
+			}
+
+			if (!_drs_ldap_attr_by_oid(tctx, ctx, oid, &attr_dn, &attr_name)) {
+				return false;
+			}
+
+			DEBUG(1,("%7s attr[%2d]: %-22s {map_idx=%2d; attid=0x%06x; ldap_name=%-26s; idl_name=%s}\n", "",
+					i, oid, map_idx, attr->attid, attr_name,
+					drs_util_DsAttributeId_to_string(attr->attid)));
+		}
+	}
+
+	return true;
+}
+
+
 static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx)
 {
 	NTSTATUS status;
@@ -670,6 +765,8 @@ static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx)
 					(long long)ctr1->new_highwatermark.tmp_highest_usn,
 					(long long)ctr1->new_highwatermark.highest_usn));
 
+				_drs_util_verify_attids(tctx, ctx, &ctr1->mapping_ctr, ctr1->first_object);
+
 				test_analyse_objects(tctx, ctx, &gensec_skey, ctr1->first_object);
 
 				if (ctr1->more_data) {
@@ -700,6 +797,8 @@ static bool test_FetchData(struct torture_context *tctx, struct DsSyncTest *ctx)
 					(long long)ctr6->new_highwatermark.tmp_highest_usn,
 					(long long)ctr6->new_highwatermark.highest_usn));
 
+				_drs_util_verify_attids(tctx, ctx, &ctr6->mapping_ctr, ctr6->first_object);
+
 				test_analyse_objects(tctx, ctx, &gensec_skey, ctr6->first_object);
 
 				if (ctr6->more_data) {
diff --git a/source4/torture/rpc/frsapi.c b/source4/torture/rpc/frsapi.c
index e9a19bcf96..24d769a310 100644
--- a/source4/torture/rpc/frsapi.c
+++ b/source4/torture/rpc/frsapi.c
@@ -193,8 +193,7 @@ static bool test_ForceReplication(struct torture_context *tctx,
 
 	r.in.replica_set_guid = NULL;
 	r.in.connection_guid = NULL;
-	r.in.replica_set_name = talloc_asprintf(tctx, "%s",
-						lp_realm(tctx->lp_ctx));
+	r.in.replica_set_name = lp_dnsdomain(tctx->lp_ctx);
 	r.in.partner_dns_name = dcerpc_server_name(p);
 
 	torture_assert_ntstatus_ok(tctx,
diff --git a/source4/torture/rpc/lsa_lookup.c b/source4/torture/rpc/lsa_lookup.c
index 0a4c9904d7..b1a348ce8a 100644
--- a/source4/torture/rpc/lsa_lookup.c
+++ b/source4/torture/rpc/lsa_lookup.c
@@ -227,8 +227,8 @@ bool torture_rpc_lsa_lookup(struct torture_context *torture)
         struct dcerpc_pipe *p;
 	bool ret = true;
 	struct policy_handle *handle;
-	struct dom_sid *dom_sid;
-	struct dom_sid *trusted_sid;
+	struct dom_sid *dom_sid = NULL;
+	struct dom_sid *trusted_sid = NULL;
 	struct dom_sid *sids[NUM_SIDS];
 
 	status = torture_rpc_connection(torture, &p, &ndr_table_lsarpc);
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 35f1a5942f..f57c47b115 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -1567,6 +1567,49 @@ static bool test_GetDcName(struct torture_context *tctx,
 	return true;
 }
 
+static const char *function_code_str(TALLOC_CTX *mem_ctx,
+				     enum netr_LogonControlCode function_code)
+{
+	switch (function_code) {
+	case NETLOGON_CONTROL_QUERY:
+		return "NETLOGON_CONTROL_QUERY";
+	case NETLOGON_CONTROL_REPLICATE:
+		return "NETLOGON_CONTROL_REPLICATE";
+	case NETLOGON_CONTROL_SYNCHRONIZE:
+		return "NETLOGON_CONTROL_SYNCHRONIZE";
+	case NETLOGON_CONTROL_PDC_REPLICATE:
+		return "NETLOGON_CONTROL_PDC_REPLICATE";
+	case NETLOGON_CONTROL_REDISCOVER:
+		return "NETLOGON_CONTROL_REDISCOVER";
+	case NETLOGON_CONTROL_TC_QUERY:
+		return "NETLOGON_CONTROL_TC_QUERY";
+	case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
+		return "NETLOGON_CONTROL_TRANSPORT_NOTIFY";
+	case NETLOGON_CONTROL_FIND_USER:
+		return "NETLOGON_CONTROL_FIND_USER";
+	case NETLOGON_CONTROL_CHANGE_PASSWORD:
+		return "NETLOGON_CONTROL_CHANGE_PASSWORD";
+	case NETLOGON_CONTROL_TC_VERIFY:
+		return "NETLOGON_CONTROL_TC_VERIFY";
+	case NETLOGON_CONTROL_FORCE_DNS_REG:
+		return "NETLOGON_CONTROL_FORCE_DNS_REG";
+	case NETLOGON_CONTROL_QUERY_DNS_REG:
+		return "NETLOGON_CONTROL_QUERY_DNS_REG";
+	case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+		return "NETLOGON_CONTROL_BACKUP_CHANGE_LOG";
+	case NETLOGON_CONTROL_TRUNCATE_LOG:
+		return "NETLOGON_CONTROL_TRUNCATE_LOG";
+	case NETLOGON_CONTROL_SET_DBFLAG:
+		return "NETLOGON_CONTROL_SET_DBFLAG";
+	case NETLOGON_CONTROL_BREAKPOINT:
+		return "NETLOGON_CONTROL_BREAKPOINT";
+	default:
+		return talloc_asprintf(mem_ctx, "unknown function code: %d",
+				       function_code);
+	}
+}
+
+
 /*
   try a netlogon LogonControl 
 */
@@ -1576,19 +1619,82 @@ static bool test_LogonControl(struct torture_context *tctx,
 	NTSTATUS status;
 	struct netr_LogonControl r;
 	union netr_CONTROL_QUERY_INFORMATION query;
-	int i;
+	int i,f;
+	uint32_t function_codes[] = {
+		NETLOGON_CONTROL_QUERY,
+		NETLOGON_CONTROL_REPLICATE,
+		NETLOGON_CONTROL_SYNCHRONIZE,
+		NETLOGON_CONTROL_PDC_REPLICATE,
+		NETLOGON_CONTROL_REDISCOVER,
+		NETLOGON_CONTROL_TC_QUERY,
+		NETLOGON_CONTROL_TRANSPORT_NOTIFY,
+		NETLOGON_CONTROL_FIND_USER,
+		NETLOGON_CONTROL_CHANGE_PASSWORD,
+		NETLOGON_CONTROL_TC_VERIFY,
+		NETLOGON_CONTROL_FORCE_DNS_REG,
+		NETLOGON_CONTROL_QUERY_DNS_REG,
+		NETLOGON_CONTROL_BACKUP_CHANGE_LOG,
+		NETLOGON_CONTROL_TRUNCATE_LOG,
+		NETLOGON_CONTROL_SET_DBFLAG,
+		NETLOGON_CONTROL_BREAKPOINT
+	};
 
 	r.in.logon_server = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.function_code = 1;
 	r.out.query = &query;
 
-	for (i=1;i<4;i++) {
+	for (f=0;f<ARRAY_SIZE(function_codes); f++) {
+	for (i=1;i<5;i++) {
+
+		r.in.function_code = function_codes[f];
 		r.in.level = i;
 
-		torture_comment(tctx, "Testing LogonControl level %d\n", i);
+		torture_comment(tctx, "Testing LogonControl function code %s (%d) level %d\n",
+				function_code_str(tctx, r.in.function_code), r.in.function_code, r.in.level);
 
 		status = dcerpc_netr_LogonControl(p, tctx, &r);
 		torture_assert_ntstatus_ok(tctx, status, "LogonControl");
+
+		switch (r.in.level) {
+		case 1:
+			switch (r.in.function_code) {
+			case NETLOGON_CONTROL_REPLICATE:
+			case NETLOGON_CONTROL_SYNCHRONIZE:
+			case NETLOGON_CONTROL_PDC_REPLICATE:
+			case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
+			case NETLOGON_CONTROL_TRUNCATE_LOG:
+			case NETLOGON_CONTROL_BREAKPOINT:
+				torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED,
+					"LogonControl returned unexpected error code");
+				break;
+			case NETLOGON_CONTROL_REDISCOVER:
+			case NETLOGON_CONTROL_TC_QUERY:
+			case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
+			case NETLOGON_CONTROL_FIND_USER:
+			case NETLOGON_CONTROL_CHANGE_PASSWORD:
+			case NETLOGON_CONTROL_TC_VERIFY:
+			case NETLOGON_CONTROL_FORCE_DNS_REG:
+			case NETLOGON_CONTROL_QUERY_DNS_REG:
+			case NETLOGON_CONTROL_SET_DBFLAG:
+				torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
+					"LogonControl returned unexpected error code");
+				break;
+			default:
+				torture_assert_werr_ok(tctx, r.out.result,
+					"LogonControl returned unexpected result");
+				break;
+			}
+			break;
+		case 2:
+			torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED,
+				"LogonControl returned unexpected error code");
+			break;
+		default:
+			torture_assert_werr_equal(tctx, r.out.result, WERR_UNKNOWN_LEVEL,
+				"LogonControl returned unexpected error code");
+			break;
+		}
+	}
 	}
 
 	return true;
@@ -1991,7 +2097,7 @@ static bool test_netr_DsRGetDCName(struct torture_context *tctx,
 	struct netr_DsRGetDCNameInfo *info = NULL;
 
 	r.in.server_unc		= talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
-	r.in.domain_name	= talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
+	r.in.domain_name	= lp_dnsdomain(tctx->lp_ctx);
 	r.in.domain_guid	= NULL;
 	r.in.site_guid	        = NULL;
 	r.in.flags		= DS_RETURN_DNS_NAME;
@@ -2016,7 +2122,7 @@ static bool test_netr_DsRGetDCNameEx(struct torture_context *tctx,
 	struct netr_DsRGetDCNameInfo *info = NULL;
 
 	r.in.server_unc		= talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
-	r.in.domain_name	= talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
+	r.in.domain_name	= lp_dnsdomain(tctx->lp_ctx);
 	r.in.domain_guid	= NULL;
 	r.in.site_name	        = NULL;
 	r.in.flags		= DS_RETURN_DNS_NAME;
@@ -2043,7 +2149,7 @@ static bool test_netr_DsRGetDCNameEx2(struct torture_context *tctx,
 	r.in.server_unc		= talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
 	r.in.client_account	= NULL;
 	r.in.mask		= 0x00000000;
-	r.in.domain_name	= talloc_asprintf(tctx, "%s", lp_realm(tctx->lp_ctx));
+	r.in.domain_name	= lp_dnsdomain(tctx->lp_ctx);
 	r.in.domain_guid	= NULL;
 	r.in.site_name		= NULL;
 	r.in.flags		= DS_RETURN_DNS_NAME;
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 65d251013b..4a529d38f6 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -2616,7 +2616,7 @@ static NTSTATUS find_printers(TALLOC_CTX *ctx, struct loadparm_context *lp_ctx,
 	return NT_STATUS_OK;
 }
 
-static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe,
+static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p,
 			 const char *servername, int level, int *num_printers)
 {
 	struct spoolss_EnumPrinters r;
@@ -2635,7 +2635,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe,
 	r.out.count = &count;
 	r.out.info = &info;
 
-	status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r);
+	status = dcerpc_spoolss_EnumPrinters(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s\n",
 			 __location__, nt_errstr(status));
@@ -2658,7 +2658,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe,
 	r.in.buffer = &blob;
 	r.in.offered = needed;
 
-	status = dcerpc_spoolss_EnumPrinters(pipe, mem_ctx, &r);
+	status = dcerpc_spoolss_EnumPrinters(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
 		d_printf("(%s) dcerpc_spoolss_EnumPrinters failed: %s, "
 			 "%s\n", __location__, nt_errstr(status),
@@ -2671,7 +2671,7 @@ static bool enumprinters(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *pipe,
 	return true;
 }
 
-static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe,
+static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *p,
 			       struct policy_handle *handle, int level,
 			       union spoolss_PrinterInfo **res)
 {
@@ -2692,7 +2692,7 @@ static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe,
 	r.in.offered = 0;
 	r.out.needed = &needed;
 
-	status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r);
+	status = dcerpc_spoolss_GetPrinter(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s\n",
 			 __location__, nt_errstr(status));
@@ -2719,7 +2719,7 @@ static NTSTATUS getprinterinfo(TALLOC_CTX *ctx, struct dcerpc_pipe *pipe,
 	r.in.buffer = &blob;
 	r.in.offered = needed;
 
-	status = dcerpc_spoolss_GetPrinter(pipe, mem_ctx, &r);
+	status = dcerpc_spoolss_GetPrinter(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status) || !W_ERROR_IS_OK(r.out.result)) {
 		d_printf("(%s) dcerpc_spoolss_GetPrinter failed: %s, "
 			 "%s\n", __location__, nt_errstr(status),
diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 8318930989..8e6c88425c 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -29,7 +29,7 @@
 #include "../lib/crypto/crypto.h"
 #include "lib/cmdline/popt_common.h"
 #include "torture/rpc/rpc.h"
-#include "auth/gensec/schannel_proto.h"
+#include "../libcli/auth/schannel.h"
 #include "auth/gensec/gensec.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index f8853c1093..c448b3bb83 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -2132,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 	uint8_t old_lm_hash[16], new_lm_hash[16];
 	NTTIME t;
 	struct samr_DomInfo1 *dominfo = NULL;
-	struct samr_ChangeReject *reject = NULL;
+	struct userPwdChangeFailureInformation *reject = NULL;
 
 	torture_comment(tctx, "Testing ChangePasswordUser3\n");
 
@@ -2269,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 	    && (!null_nttime(last_password_change) || !dominfo->min_password_age)) {
 		if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) {
 
-			if (reject && (reject->reason != SAMR_REJECT_OTHER)) {
-				torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
-					SAMR_REJECT_OTHER, reject->reason);
+			if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) {
+				torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+					SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
 				return false;
 			}
 		}
@@ -2288,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 		if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) &&
 			   (last_password_change + dominfo->min_password_age > t)) {
 
-			if (reject->reason != SAMR_REJECT_OTHER) {
-				torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
-					SAMR_REJECT_OTHER, reject->reason);
+			if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+				torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+					SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
 				return false;
 			}
 
 		} else if ((dominfo->min_password_length > 0) &&
 			   (strlen(newpass) < dominfo->min_password_length)) {
 
-			if (reject->reason != SAMR_REJECT_TOO_SHORT) {
-				torture_warning(tctx, "expected SAMR_REJECT_TOO_SHORT (%d), got %d\n",
-					SAMR_REJECT_TOO_SHORT, reject->reason);
+			if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
+				torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
+					SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason);
 				return false;
 			}
 
 		} else if ((dominfo->password_history_length > 0) &&
 			    strequal(oldpass, newpass)) {
 
-			if (reject->reason != SAMR_REJECT_IN_HISTORY) {
-				torture_warning(tctx, "expected SAMR_REJECT_IN_HISTORY (%d), got %d\n",
-					SAMR_REJECT_IN_HISTORY, reject->reason);
+			if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) {
+				torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
+					SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason);
 				return false;
 			}
 		} else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) {
 
-			if (reject->reason != SAMR_REJECT_COMPLEXITY) {
-				torture_warning(tctx, "expected SAMR_REJECT_COMPLEXITY (%d), got %d\n",
-					SAMR_REJECT_COMPLEXITY, reject->reason);
+			if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) {
+				torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
+					SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason);
 				return false;
 			}
 
 		}
 
-		if (reject->reason == SAMR_REJECT_TOO_SHORT) {
+		if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
 			/* retry with adjusted size */
 			return test_ChangePasswordUser3(p, tctx, account_string,
 							dominfo->min_password_length,
@@ -2330,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 		}
 
 	} else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-		if (reject && reject->reason != SAMR_REJECT_OTHER) {
-			torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
-			       SAMR_REJECT_OTHER, reject->reason);
+		if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+			torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+			       SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
 			return false;
 		}
 		/* Perhaps the server has a 'min password age' set? */
@@ -2369,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 	uint8_t old_nt_hash[16], new_nt_hash[16];
 	NTTIME t;
 	struct samr_DomInfo1 *dominfo = NULL;
-	struct samr_ChangeReject *reject = NULL;
+	struct userPwdChangeFailureInformation *reject = NULL;
 
 	new_random_pass = samr_very_rand_pass(tctx, 128);
 
@@ -2444,9 +2444,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 	status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-		if (reject && reject->reason != SAMR_REJECT_OTHER) {
-			torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
-			       SAMR_REJECT_OTHER, reject->reason);
+		if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+			torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+			       SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
 			return false;
 		}
 		/* Perhaps the server has a 'min password age' set? */
@@ -2482,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 	status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-		if (reject && reject->reason != SAMR_REJECT_OTHER) {
-			torture_warning(tctx, "expected SAMR_REJECT_OTHER (%d), got %d\n",
-			       SAMR_REJECT_OTHER, reject->reason);
+		if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+			torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+			       SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
 			return false;
 		}
 		/* Perhaps the server has a 'min password age' set? */
@@ -6754,6 +6754,35 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
 }
 
 
+static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_context *tctx)
+{
+	struct samr_ValidatePassword r;
+	union samr_ValidatePasswordReq req;
+	union samr_ValidatePasswordRep *repp = NULL;
+	NTSTATUS status;
+	const char *passwords[] = { "penguin", "p@ssw0rd", "p@ssw0rd123$", NULL };
+	int i;
+
+	ZERO_STRUCT(r);
+	r.in.level = NetValidatePasswordReset;
+	r.in.req = &req;
+	r.out.rep = &repp;
+	
+	ZERO_STRUCT(req);
+	req.req3.account.string = "non-existant-account-aklsdji";
+
+	for (i=0; passwords[i]; i++) {
+		req.req3.password.string = passwords[i];
+		status = dcerpc_samr_ValidatePassword(p, tctx, &r);
+		torture_assert_ntstatus_ok(tctx, status, "samr_ValidatePassword");
+		torture_comment(tctx, "Server %s password '%s'\n", 
+				repp->ctr3.status==SAMR_VALIDATION_STATUS_SUCCESS?"allowed":"refused",
+				req.req3.password.string);
+	}
+
+	return true;	
+}
+
 bool torture_rpc_samr(struct torture_context *torture)
 {
 	NTSTATUS status;
@@ -6766,6 +6795,11 @@ bool torture_rpc_samr(struct torture_context *torture)
 		return false;
 	}
 
+
+	if (torture_setting_bool(torture, "dangerous", false)) {
+		ret &= test_samr_ValidatePassword(p, torture);
+	}
+
 	ret &= test_Connect(p, torture, &handle);
 
 	if (!torture_setting_bool(torture, "samba3", false)) {
@@ -7008,3 +7042,4 @@ struct torture_suite *torture_rpc_samr_large_dc(TALLOC_CTX *mem_ctx)
 
 	return suite;
 }
+
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 4cecab4017..2ee8e59e5a 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -28,7 +28,7 @@
 #include "../lib/crypto/crypto.h"
 #include "system/time.h"
 #include "torture/rpc/rpc.h"
-#include "auth/gensec/schannel_proto.h"
+#include "../libcli/auth/schannel.h"
 #include "auth/gensec/gensec.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/samsync/samsync.h"
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 6c539b6117..0ada20d888 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -26,7 +26,7 @@
 #include "auth/credentials/credentials.h"
 #include "torture/rpc/rpc.h"
 #include "lib/cmdline/popt_common.h"
-#include "auth/gensec/schannel_proto.h"
+#include "../libcli/auth/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/security/security.h"
 #include "system/filesys.h"
diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c
index 06b1d05ee4..d5ef0a4fda 100644
--- a/source4/torture/rpc/wkssvc.c
+++ b/source4/torture/rpc/wkssvc.c
@@ -1132,7 +1132,7 @@ static bool test_NetrJoinDomain(struct torture_context *tctx,
 					user);
 
 	r.in.server_name = dcerpc_server_name(p);
-	r.in.domain_name = lp_realm(tctx->lp_ctx);
+	r.in.domain_name = lp_dnsdomain(tctx->lp_ctx);
 	r.in.account_ou = NULL;
 	r.in.Account = admin_account;
 	r.in.password = NULL;