Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet

(This used to be commit d7db5fe161429163a19d18c7e3045939897b9b2a)

11 files changed, 802 insertions, 173 deletions

diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 8f8ce3074b..ef3a0bcb8a 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -45,14 +45,22 @@
 #include "dsdb/samdb/samdb.h"
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "librpc/gen_ndr/lsa.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
 #include "events/events.h"
 #include "kdc/kdc.h"
+#include "lib/crypto/md4.h"
 
 enum hdb_ldb_ent_type 
 { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, 
-  HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
+  HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_TRUST, HDB_LDB_ENT_TYPE_ANY };
+
+enum trust_direction {
+	UNKNOWN = 0,
+	INBOUND = LSA_TRUST_DIRECTION_INBOUND, 
+	OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
+};
 
 static const char *realm_ref_attrs[] = {
 	"nCName", 
@@ -60,6 +68,18 @@ static const char *realm_ref_attrs[] = {
 	NULL
 };
 
+static const char *trust_attrs[] = {
+	"trustPartner",
+	"trustAuthIncoming",
+	"trustAuthOutgoing",
+	"whenCreated",
+	"msDS-SupportedEncryptionTypes",
+	"trustAttributes",
+	"trustDirection",
+	"trustType",
+	NULL
+};
+
 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
 {
     const char *tmp;
@@ -675,6 +695,187 @@ out:
 	return ret;
 }
 
+/*
+ * Construct an hdb_entry from a directory entry.
+ */
+static krb5_error_code LDB_trust_message2entry(krb5_context context, HDB *db, 
+					       struct loadparm_context *lp_ctx,
+					       TALLOC_CTX *mem_ctx, krb5_const_principal principal,
+					       enum trust_direction direction,
+					       struct ldb_message *msg,
+					       hdb_entry_ex *entry_ex)
+{
+	
+	const char *dnsdomain;
+	char *realm;
+	char *strdup_realm;
+	DATA_BLOB password_utf16;
+	struct samr_Password password_hash;
+	const struct ldb_val *password_val;
+	struct trustAuthInOutBlob password_blob;
+	struct hdb_ldb_private *private;
+
+	enum ndr_err_code ndr_err;
+	int i, ret, trust_direction_flags;
+
+	private = talloc(mem_ctx, struct hdb_ldb_private);
+	if (!private) {
+		ret = ENOMEM;
+		goto out;
+	}
+
+	private->entry_ex = entry_ex;
+	private->iconv_convenience = lp_iconv_convenience(lp_ctx);
+	private->netbios_name = lp_netbios_name(lp_ctx);
+
+	talloc_set_destructor(private, hdb_ldb_destrutor);
+
+	entry_ex->ctx = private;
+	entry_ex->free_entry = hdb_ldb_free_entry;
+
+	/* use 'whenCreated' */
+	entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
+	/* use '???' */
+	entry_ex->entry.created_by.principal = NULL;
+
+	entry_ex->entry.valid_start = NULL;
+
+	trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
+
+	if (direction == INBOUND) {
+		realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
+
+	} else { /* OUTBOUND */
+		dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
+		realm = strupper_talloc(mem_ctx, dnsdomain);
+		password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
+	}
+
+	if (!password_val || !(trust_direction_flags & direction)) {
+		ret = ENOENT;
+		goto out;
+	}
+
+	ndr_err = ndr_pull_struct_blob_all(password_val, mem_ctx, private->iconv_convenience, &password_blob,
+					   (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		ret = EINVAL;
+		goto out;
+	}
+
+	for (i=0; i < password_blob.count; i++) {
+		if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
+			password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
+							 password_blob.current->array[i].AuthInfo.clear.size);
+			/* In the future, generate all sorts of
+			 * hashes, but for now we can't safely convert
+			 * the random strings windows uses into
+			 * utf8 */
+
+			/* but as it is utf16 already, we can get the NT password/arcfour-hmac-md5 key */
+			mdfour(password_hash.hash, password_utf16.data, password_utf16.length);
+			break;
+		} else if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
+			password_hash = password_blob.current->array[i].AuthInfo.nt4owf.password;
+			break;
+		}
+	}
+	entry_ex->entry.keys.len = 0;
+	entry_ex->entry.keys.val = NULL;
+
+	if (i < password_blob.count) {
+		Key key;
+		/* Must have found a cleartext or MD4 password */
+		entry_ex->entry.keys.val = calloc(1, sizeof(Key));
+
+		key.mkvno = 0;
+		key.salt = NULL; /* No salt for this enc type */
+
+		if (entry_ex->entry.keys.val == NULL) {
+			ret = ENOMEM;
+			goto out;
+		}
+		
+		ret = krb5_keyblock_init(context,
+					 ENCTYPE_ARCFOUR_HMAC_MD5,
+					 password_hash.hash, sizeof(password_hash.hash), 
+					 &key.key);
+		
+		entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+		entry_ex->entry.keys.len++;
+	}
+		
+	ret = copy_Principal(principal, entry_ex->entry.principal);
+	if (ret) {
+		krb5_clear_error_string(context);
+		goto out;
+	}
+	
+	/* While we have copied the client principal, tests
+	 * show that Win2k3 returns the 'corrected' realm, not
+	 * the client-specified realm.  This code attempts to
+	 * replace the client principal's realm with the one
+	 * we determine from our records */
+	
+	/* this has to be with malloc() */
+	strdup_realm = strdup(realm);
+	if (!strdup_realm) {
+		ret = ENOMEM;
+		krb5_clear_error_string(context);
+		goto out;
+	}
+	free(*krb5_princ_realm(context, entry_ex->entry.principal));
+	krb5_princ_set_realm(context, entry_ex->entry.principal, &strdup_realm);
+	
+	entry_ex->entry.flags = int2HDBFlags(0);
+	entry_ex->entry.flags.immutable = 1;
+	entry_ex->entry.flags.invalid = 0;
+	entry_ex->entry.flags.server = 1;
+	entry_ex->entry.flags.require_preauth = 1;
+
+	entry_ex->entry.pw_end = NULL;
+			
+	entry_ex->entry.max_life = NULL;
+
+	entry_ex->entry.max_renew = NULL;
+
+	entry_ex->entry.generation = NULL;
+
+	entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
+	if (entry_ex->entry.etypes == NULL) {
+		krb5_clear_error_string(context);
+		ret = ENOMEM;
+		goto out;
+	}
+	entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
+	entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
+	if (entry_ex->entry.etypes->val == NULL) {
+		krb5_clear_error_string(context);
+		ret = ENOMEM;
+		goto out;
+	}
+	for (i=0; i < entry_ex->entry.etypes->len; i++) {
+		entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
+	}
+
+
+	private->msg = talloc_steal(private, msg);
+	private->realm_ref_msg = NULL;
+	private->samdb = (struct ldb_context *)db->hdb_db;
+	
+out:
+	if (ret != 0) {
+		/* This doesn't free ent itself, that is for the eventual caller to do */
+		hdb_free_entry(context, entry_ex);
+	} else {
+		talloc_steal(db, entry_ex->ctx);
+	}
+
+	return ret;
+
+}
+
 static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_context *ldb_ctx, 					
 					    TALLOC_CTX *mem_ctx,
 					    krb5_const_principal principal,
@@ -709,8 +910,7 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
 
 	switch (ent_type) {
 	case HDB_LDB_ENT_TYPE_CLIENT:
-		/* Can't happen */
-		return EINVAL;
+	case HDB_LDB_ENT_TYPE_TRUST:
 	case HDB_LDB_ENT_TYPE_ANY:
 		/* Can't happen */
 		return EINVAL;
@@ -745,6 +945,40 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
 	return 0;
 }
 
+static krb5_error_code LDB_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx, 					
+					TALLOC_CTX *mem_ctx,
+					const char *realm,
+					struct ldb_dn *realm_dn,
+					struct ldb_message ***pmsg)
+{
+	int lret;
+	char *filter = NULL;
+	const char * const *attrs = trust_attrs;
+
+	struct ldb_result *res = NULL;
+	filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))", realm, realm);
+
+	if (!filter) {
+		krb5_set_error_string(context, "talloc_asprintf: out of memory");
+		return ENOMEM;
+	}
+
+	lret = ldb_search(ldb_ctx, ldb_get_default_basedn(ldb_ctx), LDB_SCOPE_SUBTREE, filter, attrs, &res);
+
+	if (lret != LDB_SUCCESS) {
+		DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
+		return HDB_ERR_NOENTRY;
+	} else if (res->count == 0 || res->count > 1) {
+		DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
+		talloc_free(res);
+		return HDB_ERR_NOENTRY;
+	}
+	talloc_steal(mem_ctx, res->msgs);
+	*pmsg = res->msgs;
+	talloc_free(res);
+	return 0;
+}
+
 static krb5_error_code LDB_lookup_realm(krb5_context context, struct ldb_context *ldb_ctx, 
 					TALLOC_CTX *mem_ctx,
 					const char *realm,
@@ -853,8 +1087,10 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
 {
 	krb5_error_code ret;
 	struct ldb_message **msg = NULL;
-	struct ldb_message **realm_ref_msg = NULL;
+	struct ldb_message **realm_ref_msg_1 = NULL;
+	struct ldb_message **realm_ref_msg_2 = NULL;
 	struct ldb_dn *realm_dn;
+	const char *realm;
 
 	krb5_principal alloc_principal = NULL;
 	if (principal->name.name_string.len != 2
@@ -864,14 +1100,18 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
 	}
 
 	/* krbtgt case.  Either us or a trusted realm */
+
 	if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
-			      mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
+			      mem_ctx, principal->realm, &realm_ref_msg_1) == 0)
+	    && (LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+				 mem_ctx, principal->name.name_string.val[1], &realm_ref_msg_2) == 0)
+	    && (ldb_dn_compare(realm_ref_msg_1[0]->dn, realm_ref_msg_1[0]->dn) == 0)) {
 		/* us */		
  		/* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
  		 * is in our db, then direct the caller at our primary
- 		 * krgtgt */
+ 		 * krbtgt */
  		
- 		const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+ 		const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg_1[0], "dnsRoot", NULL);
  		char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
  		if (!realm_fixed) {
  			krb5_set_error_string(context, "strupper_talloc: out of memory");
@@ -891,31 +1131,69 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
  			return ENOMEM;
  		}
  		principal = alloc_principal;
-		realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
+		realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg_1[0], "nCName", NULL);
+		
+		ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
+					   mem_ctx, 
+					   principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
+		
+		if (ret != 0) {
+			krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+			krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+			return ret;
+		}
+		
+		ret = LDB_message2entry(context, db, mem_ctx, 
+					principal, HDB_LDB_ENT_TYPE_KRBTGT, 
+					msg[0], realm_ref_msg_1[0], entry_ex);
+		if (ret != 0) {
+			krb5_warnx(context, "LDB_fetch: message2entry failed");	
+		}
+		return ret;
+
 	} else {
-		/* we should lookup trusted domains */
-		return HDB_ERR_NOENTRY;
-	}
+		enum trust_direction direction = UNKNOWN;
 
-	realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
-	
-	ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
-				   mem_ctx, 
-				   principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
-	
-	if (ret != 0) {
-		krb5_warnx(context, "LDB_fetch: could not find principal in DB");
-		krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+		struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(db->hdb_db, "loadparm"), struct loadparm_context);
+		/* Either an inbound or outbound trust */
+
+		if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
+			/* look for inbound trust */
+			direction = INBOUND;
+			realm = principal->name.name_string.val[1];
+		}
+
+		if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
+			/* look for outbound trust */
+			direction = OUTBOUND;
+			realm = principal->realm;
+		}
+
+		/* Trusted domains are under CN=system */
+		
+		ret = LDB_lookup_trust(context, (struct ldb_context *)db->hdb_db, 
+				       mem_ctx, 
+				       realm, realm_dn, &msg);
+		
+		if (ret != 0) {
+			krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+			krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
+			return ret;
+		}
+		
+		ret = LDB_trust_message2entry(context, db, lp_ctx, mem_ctx, 
+					      principal, direction, 
+					      msg[0], entry_ex);
+		if (ret != 0) {
+			krb5_warnx(context, "LDB_fetch: message2entry failed");	
+		}
 		return ret;
-	}
 
-	ret = LDB_message2entry(context, db, mem_ctx, 
-				principal, HDB_LDB_ENT_TYPE_KRBTGT, 
-				msg[0], realm_ref_msg[0], entry_ex);
-	if (ret != 0) {
-		krb5_warnx(context, "LDB_fetch: message2entry failed");	
+		
+		/* we should lookup trusted domains */
+		return HDB_ERR_NOENTRY;
 	}
-	return ret;
+
 }
 
 static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, 
@@ -1022,10 +1300,13 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db,
 		if (ret != HDB_ERR_NOENTRY) goto done;
 	}
 	if (flags & HDB_F_GET_SERVER) {
-		ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
-		if (ret != HDB_ERR_NOENTRY) goto done;
+		/* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
 		ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
 		if (ret != HDB_ERR_NOENTRY) goto done;
+
+		/* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
+		ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
+		if (ret != HDB_ERR_NOENTRY) goto done;
 	}
 	if (flags & HDB_F_GET_KRBTGT) {
 		ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk
index affd8e277d..262a2cfa22 100644
--- a/source4/libcli/config.mk
+++ b/source4/libcli/config.mk
@@ -73,6 +73,14 @@ LIBCLI_NETLOGON_OBJ_FILES = $(addprefix $(libclisrcdir)/, \
 
 $(eval $(call proto_header_template,$(libclisrcdir)/netlogon_proto.h,$(LIBCLI_NETLOGON_OBJ_FILES:.o=.c)))
 
+[SUBSYSTEM::LIBCLI_DRSBLOBS]
+PUBLIC_DEPENDENCIES = LIBNDR 
+
+LIBCLI_DRSBLOBS_OBJ_FILES = $(addprefix $(libclisrcdir)/, \
+	drsblobs.o)
+
+$(eval $(call proto_header_template,$(libclisrcdir)/drsblobs_proto.h,$(LIBCLI_DRSBLOBS_OBJ_FILES:.o=.c)))
+
 [PYTHON::python_netbios]
 LIBRARY_REALNAME = samba/netbios.$(SHLIBEXT)
 PUBLIC_DEPENDENCIES = LIBCLI_NBT DYNCONFIG LIBSAMBA-HOSTCONFIG
diff --git a/source4/libcli/drsblobs.c b/source4/libcli/drsblobs.c
new file mode 100644
index 0000000000..126f2ccc40
--- /dev/null
+++ b/source4/libcli/drsblobs.c
@@ -0,0 +1,179 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Manually parsed structures found in the DRS protocol
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libcli/drsblobs.h"
+
+/* parser auto-generated by pidl, then hand-modified by abartlet */
+
+/* Modified to have 'count' specified */
+static enum ndr_err_code ndr_push_AuthenticationInformationArray_with_count(struct ndr_push *ndr, int ndr_flags, int count, 
+								 const struct AuthenticationInformationArray *r)
+{
+	uint32_t cntr_array_0;
+	if (ndr_flags & NDR_SCALARS) {
+		NDR_CHECK(ndr_push_align(ndr, 4));
+		for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+			NDR_CHECK(ndr_push_AuthenticationInformation(ndr, NDR_SCALARS, &r->array[cntr_array_0]));
+		}
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+			NDR_CHECK(ndr_push_AuthenticationInformation(ndr, NDR_BUFFERS, &r->array[cntr_array_0]));
+		}
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+/* Modified to have 'count' specified, and to allocate the array */
+static enum ndr_err_code ndr_pull_AuthenticationInformationArray_with_count(struct ndr_pull *ndr, int ndr_flags, int count, struct AuthenticationInformationArray *r)
+{
+	uint32_t cntr_array_0;
+	TALLOC_CTX *_mem_save_array_0;
+	if (ndr_flags & NDR_SCALARS) {
+		NDR_CHECK(ndr_pull_align(ndr, 4));
+		NDR_PULL_ALLOC_N(ndr, r->array, count);
+		_mem_save_array_0 = NDR_PULL_GET_MEM_CTX(ndr);
+		NDR_PULL_SET_MEM_CTX(ndr, r->array, 0);
+		for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+			NDR_CHECK(ndr_pull_AuthenticationInformation(ndr, NDR_SCALARS, &r->array[cntr_array_0]));
+		}
+		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_array_0, 0);
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		for (cntr_array_0 = 0; cntr_array_0 < count; cntr_array_0++) {
+			NDR_CHECK(ndr_pull_AuthenticationInformation(ndr, NDR_BUFFERS, &r->array[cntr_array_0]));
+		}
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+/* Modified to have 'count' specified */
+_PUBLIC_ void ndr_print_AuthenticationInformationArray_with_count(struct ndr_print *ndr, const char *name, int count, const struct AuthenticationInformationArray *r)
+{
+	uint32_t cntr_array_0;
+	ndr_print_struct(ndr, name, "AuthenticationInformationArray");
+	ndr->depth++;
+	ndr->print(ndr, "%s: ARRAY(%d)", "array", (int)1);
+	ndr->depth++;
+	for (cntr_array_0=0;cntr_array_0<count;cntr_array_0++) {
+		char *idx_0=NULL;
+		if (asprintf(&idx_0, "[%d]", cntr_array_0) != -1) {
+			ndr_print_AuthenticationInformation(ndr, "array", &r->array[cntr_array_0]);
+			free(idx_0);
+		}
+	}
+	ndr->depth--;
+	ndr->depth--;
+}
+
+/* Modified to call AuthenticationInformationArray with 'count' specified */
+_PUBLIC_ enum ndr_err_code ndr_push_trustAuthInOutBlob(struct ndr_push *ndr, int ndr_flags, const struct trustAuthInOutBlob *r)
+{
+	if (ndr_flags & NDR_SCALARS) {
+		NDR_CHECK(ndr_push_align(ndr, 4));
+		NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->count));
+		NDR_CHECK(ndr_push_relative_ptr1(ndr, r->current));
+		NDR_CHECK(ndr_push_relative_ptr1(ndr, r->previous));
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		if (r->current) {
+			NDR_CHECK(ndr_push_relative_ptr2(ndr, r->current));
+			NDR_CHECK(ndr_push_AuthenticationInformationArray_with_count(ndr, NDR_SCALARS|NDR_BUFFERS, r->count, r->current));
+		}
+		if (r->previous) {
+			NDR_CHECK(ndr_push_relative_ptr2(ndr, r->previous));
+			NDR_CHECK(ndr_push_AuthenticationInformationArray_with_count(ndr, NDR_SCALARS|NDR_BUFFERS, r->count, r->previous));
+		}
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r)
+{
+	uint32_t _ptr_current;
+	TALLOC_CTX *_mem_save_current_0;
+	uint32_t _ptr_previous;
+	TALLOC_CTX *_mem_save_previous_0;
+	if (ndr_flags & NDR_SCALARS) {
+		NDR_CHECK(ndr_pull_align(ndr, 4));
+		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->count));
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_current));
+		if (_ptr_current) {
+			NDR_PULL_ALLOC(ndr, r->current);
+			NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->current, _ptr_current));
+		} else {
+			r->current = NULL;
+		}
+		NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_previous));
+		if (_ptr_previous) {
+			NDR_PULL_ALLOC(ndr, r->previous);
+			NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->previous, _ptr_previous));
+		} else {
+			r->previous = NULL;
+		}
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+		if (r->current) {
+			uint32_t _relative_save_offset;
+			_relative_save_offset = ndr->offset;
+			NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->current));
+			_mem_save_current_0 = NDR_PULL_GET_MEM_CTX(ndr);
+			NDR_PULL_SET_MEM_CTX(ndr, r->current, 0);
+			NDR_CHECK(ndr_pull_AuthenticationInformationArray_with_count(ndr, NDR_SCALARS|NDR_BUFFERS, r->count, r->current));
+			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_current_0, 0);
+			ndr->offset = _relative_save_offset;
+		}
+		if (r->previous) {
+			uint32_t _relative_save_offset;
+			_relative_save_offset = ndr->offset;
+			NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->previous));
+			_mem_save_previous_0 = NDR_PULL_GET_MEM_CTX(ndr);
+			NDR_PULL_SET_MEM_CTX(ndr, r->previous, 0);
+			NDR_CHECK(ndr_pull_AuthenticationInformationArray_with_count(ndr, NDR_SCALARS|NDR_BUFFERS, r->count, r->previous));
+			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_previous_0, 0);
+			ndr->offset = _relative_save_offset;
+		}
+	}
+	return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_trustAuthInOutBlob(struct ndr_print *ndr, const char *name, const struct trustAuthInOutBlob *r)
+{
+	ndr_print_struct(ndr, name, "trustAuthInOutBlob");
+	ndr->depth++;
+	ndr_print_uint32(ndr, "count", r->count);
+	ndr_print_ptr(ndr, "current", r->current);
+	ndr->depth++;
+	if (r->current) {
+		ndr_print_AuthenticationInformationArray_with_count(ndr, "current", r->count, r->current);
+	}
+	ndr->depth--;
+	ndr_print_ptr(ndr, "previous", r->previous);
+	ndr->depth++;
+	if (r->previous) {
+		ndr_print_AuthenticationInformationArray_with_count(ndr, "previous", r->count, r->previous);
+	}
+	ndr->depth--;
+	ndr->depth--;
+}
+
+
diff --git a/source4/libcli/drsblobs.h b/source4/libcli/drsblobs.h
new file mode 100644
index 0000000000..8fee4114be
--- /dev/null
+++ b/source4/libcli/drsblobs.h
@@ -0,0 +1,28 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   Manually parsed structures found in the DRS protocol
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __LIBCLI_DRSBLOBS_H__
+#define __LIBCLI_DRSBLOBS_H__
+
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+
+#include "libcli/drsblobs_proto.h"
+#endif /* __CLDAP_SERVER_PROTO_H__ */
diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk
index 09be67d5aa..b68d5e6a69 100644
--- a/source4/librpc/config.mk
+++ b/source4/librpc/config.mk
@@ -134,7 +134,7 @@ PUBLIC_DEPENDENCIES = LIBNDR NDR_COMPRESSION NDR_SECURITY NDR_SAMR ASN1_UTIL
 NDR_DRSUAPI_OBJ_FILES = $(gen_ndrsrcdir)/ndr_drsuapi.o $(ndrsrcdir)/ndr_drsuapi.o
 
 [SUBSYSTEM::NDR_DRSBLOBS]
-PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI
+PUBLIC_DEPENDENCIES = LIBNDR NDR_MISC NDR_DRSUAPI LIBCLI_DRSBLOBS
 
 NDR_DRSBLOBS_OBJ_FILES = $(gen_ndrsrcdir)/ndr_drsblobs.o
 
diff --git a/source4/librpc/idl/drsblobs.idl b/source4/librpc/idl/drsblobs.idl
index b0cddfcdf9..eb85989eda 100644
--- a/source4/librpc/idl/drsblobs.idl
+++ b/source4/librpc/idl/drsblobs.idl
@@ -401,7 +401,7 @@ interface drsblobs {
 		[case(TRUST_AUTH_TYPE_VERSION)] AuthInfoVersion version;
 	} AuthInfo;
 
-	typedef struct {
+	typedef [public] struct {
 		NTTIME LastUpdateTime;
 		trustAuthType AuthType;
 		
@@ -422,32 +422,15 @@ interface drsblobs {
 		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
 	} AuthenticationInformation;
 
-	typedef struct {
-		AuthenticationInformation info[1];
-	} AuthenticationInformation1;
-
-	typedef struct {
-		AuthenticationInformation info[2];
-	} AuthenticationInformation2;
-
-	typedef struct {
-		[relative] AuthenticationInformation1 *current;
-		[relative] AuthenticationInformation1 *previous;
-	} AuthenticationInformationCtr1;
-
-	typedef struct {
-		[relative] AuthenticationInformation2 *current;
-		[relative] AuthenticationInformation2 *previous;
-	} AuthenticationInformationCtr2;
+	typedef [nopull,nopush,noprint] struct {
+		/* sizeis here is bogus, but this is here just for the structure */
+		[size_is(1)] AuthenticationInformation array[];
+	} AuthenticationInformationArray;
 
-	typedef [nodiscriminant] union {
-		[case(1)] AuthenticationInformationCtr1 info1;
-		[case(2)] AuthenticationInformationCtr2 info2;
-	} AuthenticationInformationCtr;
-
-	typedef [public] struct {
+	typedef [public,nopull,nopush,noprint] struct {
 		uint32 count;
-		[switch_is(count)] AuthenticationInformationCtr auth;
+		[relative] AuthenticationInformationArray *current;
+		[relative] AuthenticationInformationArray *previous;
 	} trustAuthInOutBlob;
 
 	void decode_trustAuthInOut(
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 93cfdee201..408956b3fa 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -14,6 +14,7 @@ import "misc.idl", "security.idl";
 ] interface lsarpc
 {
 	typedef bitmap security_secinfo security_secinfo;
+	typedef bitmap kerb_EncTypes kerb_EncTypes;
 
 	typedef [public,noejs] struct {
 		[value(2*strlen_m(string))] uint16 length;
@@ -507,22 +508,53 @@ import "misc.idl", "security.idl";
 	} lsa_DATA_BUF2;
 
 	typedef enum {
-		LSA_TRUSTED_DOMAIN_INFO_NAME             = 1,
-		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO = 2,
-		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET     = 3,
-		LSA_TRUSTED_DOMAIN_INFO_PASSWORD         = 4,
-		LSA_TRUSTED_DOMAIN_INFO_BASIC            = 5,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_EX          = 6,
-		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO        = 7,
-		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO        = 8,
-		LSA_TRUSTED_DOMAIN_INFO_11               = 11,
-		LSA_TRUSTED_DOMAIN_INFO_INFO_ALL         = 12
+		LSA_TRUSTED_DOMAIN_INFO_NAME                  = 1,
+		LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS           = 2,
+		LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET          = 3,
+		LSA_TRUSTED_DOMAIN_INFO_PASSWORD              = 4,
+		LSA_TRUSTED_DOMAIN_INFO_BASIC                 = 5,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX               = 6,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO             = 7,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO             = 8,
+		LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL    = 9,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL    = 10,
+		LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL     = 11,
+		LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL  = 12,
+		LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES = 13
 	} lsa_TrustDomInfoEnum;
 
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_DIRECTION_INBOUND  = 0x00000001,
+		LSA_TRUST_DIRECTION_OUTBOUND = 0x00000002
+	} lsa_TrustDirection;
+
+	typedef [v1_enum] enum {
+		LSA_TRUST_TYPE_DOWNLEVEL  = 0x00000001,
+		LSA_TRUST_TYPE_UPLEVEL    = 0x00000002,
+		LSA_TRUST_TYPE_MIT        = 0x00000003
+	} lsa_TrustType;
+
+	typedef [public,bitmap32bit] bitmap {
+		LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE      = 0x00000001,
+		LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY        = 0x00000002,
+		LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN  = 0x00000004,
+		LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE   = 0x00000008,
+		LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION  = 0x00000010,
+		LSA_TRUST_ATTRIBUTE_WITHIN_FOREST       = 0x00000020,
+		LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL   = 0x00000040,
+		LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080
+	} lsa_TrustAttributes;
+
 	typedef struct {
 		lsa_StringLarge  netbios_name;
 	} lsa_TrustDomainInfoName;
 
+
+	typedef struct {
+		uint32 entries;
+		[size_is(entries)] lsa_StringLarge  *netbios_names;
+	} lsa_TrustDomainInfoControllers;
+
 	typedef struct {
 		uint32         posix_offset;
 	} lsa_TrustDomainInfoPosixOffset;
@@ -540,10 +572,10 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_StringLarge     domain_name;
 		lsa_StringLarge     netbios_name;
-		dom_sid2      *sid;
-		uint32         trust_direction;
-		uint32         trust_type;
-		uint32         trust_attributes;
+		dom_sid2           *sid;
+		lsa_TrustDirection  trust_direction;
+		lsa_TrustType       trust_type;
+		lsa_TrustAttributes trust_attributes;
 	} lsa_TrustDomainInfoInfoEx;
 
 	typedef struct {
@@ -570,25 +602,46 @@ import "misc.idl", "security.idl";
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
-	} lsa_TrustDomainInfo11;
+	} lsa_TrustDomainInfoInfoEx2Internal;
 
 	typedef struct {
 		lsa_TrustDomainInfoInfoEx      info_ex;
 		lsa_DATA_BUF2                  data1;
 		lsa_TrustDomainInfoPosixOffset posix_offset;
 		lsa_TrustDomainInfoAuthInfo    auth_info;
-	} lsa_TrustDomainInfoInfoAll;
+	} lsa_TrustDomainInfoInfo2Internal;
+
+	typedef struct {
+		kerb_EncTypes enc_types;
+	} lsa_TrustDomainInfoSupportedEncTypes;
 
 	typedef [switch_type(lsa_TrustDomInfoEnum)] union {
-		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]         lsa_TrustDomainInfoName        name;
-		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)] lsa_TrustDomainInfoPosixOffset posix_offset;
-		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]     lsa_TrustDomainInfoPassword    password;
-		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]        lsa_TrustDomainInfoBasic       info_basic;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]      lsa_TrustDomainInfoInfoEx      info_ex;
-		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]    lsa_TrustDomainInfoAuthInfo    auth_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]    lsa_TrustDomainInfoFullInfo    full_info;
-		[case(LSA_TRUSTED_DOMAIN_INFO_11)]           lsa_TrustDomainInfo11          info11;
-		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_ALL)]     lsa_TrustDomainInfoInfoAll     info_all;
+		[case(LSA_TRUSTED_DOMAIN_INFO_NAME)]
+		        lsa_TrustDomainInfoName              name;
+		[case(LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS)]
+		        lsa_TrustDomainInfoControllers   controllers;
+		[case(LSA_TRUSTED_DOMAIN_INFO_POSIX_OFFSET)]
+		        lsa_TrustDomainInfoPosixOffset       posix_offset;
+		[case(LSA_TRUSTED_DOMAIN_INFO_PASSWORD)]
+		        lsa_TrustDomainInfoPassword          password;
+		[case(LSA_TRUSTED_DOMAIN_INFO_BASIC)]
+		        lsa_TrustDomainInfoBasic             info_basic;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX)]
+		        lsa_TrustDomainInfoInfoEx            info_ex;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)]
+		        lsa_TrustDomainInfoFullInfo          full_info;
+		[case(LSA_TRUSTED_DOMAIN_INFO_AUTH_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoAuthInfo          auth_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_INTERNAL)]
+		        lsa_TrustDomainInfoFullInfo          full_info_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL)]
+		        lsa_TrustDomainInfoInfoEx2Internal   info_ex2_internal;
+		[case(LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL)]
+		        lsa_TrustDomainInfoInfo2Internal     info2_internal;
+		[case(LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES)]
+		        lsa_TrustDomainInfoSupportedEncTypes enc_types;
 	} lsa_TrustedDomainInfo;
 
 	/* Function:       0x1a */
@@ -658,8 +711,12 @@ import "misc.idl", "security.idl";
 		[in]         uint16 unknown
 		);
 
-	/* Function:        0x22 */
-	[todo] NTSTATUS lsa_DeleteObject();
+	/*******************/
+	/* Function:  0x22 */
+	NTSTATUS lsa_DeleteObject (
+		[in,out]     policy_handle *handle
+		);
+
 
 	
 	/*******************/
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
index f8e9e9e110..80efe46453 100644
--- a/source4/librpc/idl/security.idl
+++ b/source4/librpc/idl/security.idl
@@ -386,4 +386,12 @@ interface security
 		SECINFO_PROTECTED_SACL	     = 0x40000000,
 		SECINFO_PROTECTED_DACL	     = 0x80000000
 	} security_secinfo;
+
+	typedef [public,bitmap32bit] bitmap {
+		KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
+		KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
+		KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
+		KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
+		KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
+	} kerb_EncTypes;
 }
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f02e2325a0..f67b5dee10 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -23,6 +23,8 @@
 #include "rpc_server/lsa/lsa.h"
 #include "util/util_ldb.h"
 #include "libcli/ldap/ldap_ndr.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 
 /*
   this type allows us to distinguish handle types
@@ -95,6 +97,16 @@ static NTSTATUS dcesrv_lsa_Close(struct dcesrv_call_state *dce_call, TALLOC_CTX
 static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 			   struct lsa_Delete *r)
 {
+	return NT_STATUS_NOT_SUPPORTED;
+}
+
+
+/* 
+  lsa_DeleteObject
+*/
+static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+		       struct lsa_DeleteObject *r)
+{
 	struct dcesrv_handle *h;
 	int ret;
 
@@ -121,6 +133,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 			return NT_STATUS_INVALID_HANDLE;
 		}
 
+		ZERO_STRUCTP(r->out.handle);
+
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_TRUSTED_DOMAIN) {
 		struct lsa_trusted_domain_state *trusted_domain_state = h->data;
@@ -131,6 +145,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 			return NT_STATUS_INVALID_HANDLE;
 		}
 
+		ZERO_STRUCTP(r->out.handle);
+
 		return NT_STATUS_OK;
 	} else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
 		struct lsa_RightSet *rights;
@@ -167,6 +183,8 @@ static NTSTATUS dcesrv_lsa_Delete(struct dcesrv_call_state *dce_call, TALLOC_CTX
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
+
+		ZERO_STRUCTP(r->out.handle);
 	} 
 	
 	return NT_STATUS_INVALID_HANDLE;
@@ -861,7 +879,7 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal
 {
 	NTSTATUS status;
 	struct lsa_OpenTrustedDomain open;
-	struct lsa_Delete delete;
+	struct lsa_DeleteObject delete;
 	struct dcesrv_handle *h;
 
 	open.in.handle = r->in.handle;
@@ -880,7 +898,8 @@ static NTSTATUS dcesrv_lsa_DeleteTrustedDomain(struct dcesrv_call_state *dce_cal
 	talloc_steal(mem_ctx, h);
 
 	delete.in.handle = open.out.trustdom_handle;
-	status = dcesrv_lsa_Delete(dce_call, mem_ctx, &delete);
+	delete.out.handle = open.out.trustdom_handle;
+	status = dcesrv_lsa_DeleteObject(dce_call, mem_ctx, &delete);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -924,6 +943,7 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_
 		"trustDirection",
 		"trustType",
 		"trustAttributes", 
+		"msDs-supportedEncryptionTypes",
 		NULL
 	};
 
@@ -967,12 +987,19 @@ static NTSTATUS dcesrv_lsa_QueryTrustedDomainInfo(struct dcesrv_call_state *dce_
 		ZERO_STRUCT(r->out.info->full_info);
 		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->full_info.info_ex);
 
-	case LSA_TRUSTED_DOMAIN_INFO_INFO_ALL:
-		ZERO_STRUCT(r->out.info->info_all);
-		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info_all.info_ex);
+	case LSA_TRUSTED_DOMAIN_INFO_FULL_INFO_2_INTERNAL:
+		ZERO_STRUCT(r->out.info->info2_internal);
+		r->out.info->info2_internal.posix_offset.posix_offset
+			= samdb_result_uint(msg, "posixOffset", 0);					   
+		return fill_trust_domain_ex(mem_ctx, msg, &r->out.info->info2_internal.info_ex);
+		
+	case LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRTYPION_TYPES:
+		r->out.info->enc_types.enc_types
+			= samdb_result_uint(msg, "msDs-supportedEncryptionTypes", KERB_ENCTYPE_RC4_HMAC_MD5);
+		break;
 
-	case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS_INFO:
-	case LSA_TRUSTED_DOMAIN_INFO_11:
+	case LSA_TRUSTED_DOMAIN_INFO_CONTROLLERS:
+	case LSA_TRUSTED_DOMAIN_INFO_INFO_EX2_INTERNAL:
 		/* oops, we don't want to return the info after all */
 		talloc_free(r->out.info);
 		r->out.info = NULL;
@@ -1986,22 +2013,14 @@ static NTSTATUS dcesrv_lsa_SetSecret(struct dcesrv_call_state *dce_call, TALLOC_
 		}
 
 		if (!r->in.new_val) {
-			/* This behaviour varies depending of if this is a local, or a global secret... */
-			if (secret_state->global) {
-				/* set old value mtime */
-				if (samdb_msg_add_uint64(secret_state->sam_ldb, 
-							 mem_ctx, msg, "lastSetTime", nt_now) != 0) { 
-					return NT_STATUS_NO_MEMORY; 
-				}
-			} else {
-				if (samdb_msg_add_delete(secret_state->sam_ldb, 
-							 mem_ctx, msg, "currentValue")) {
-					return NT_STATUS_NO_MEMORY;
-				}
-				if (samdb_msg_add_delete(secret_state->sam_ldb, 
-							 mem_ctx, msg, "lastSetTime")) {
-					return NT_STATUS_NO_MEMORY;
-				}
+			/* set old value mtime */
+			if (samdb_msg_add_uint64(secret_state->sam_ldb, 
+						 mem_ctx, msg, "lastSetTime", nt_now) != 0) { 
+				return NT_STATUS_NO_MEMORY; 
+			}
+			if (samdb_msg_add_delete(secret_state->sam_ldb, 
+						 mem_ctx, msg, "currentValue")) {
+				return NT_STATUS_NO_MEMORY;
 			}
 		}
 	}
@@ -2311,16 +2330,6 @@ static NTSTATUS dcesrv_lsa_LookupPrivDisplayName(struct dcesrv_call_state *dce_c
 
 
 /* 
-  lsa_DeleteObject
-*/
-static NTSTATUS dcesrv_lsa_DeleteObject(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-		       struct lsa_DeleteObject *r)
-{
-	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/* 
   lsa_EnumAccountsWithUserRight
 */
 static NTSTATUS dcesrv_lsa_EnumAccountsWithUserRight(struct dcesrv_call_state *dce_call, 
@@ -2495,7 +2504,42 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
 						 TALLOC_CTX *mem_ctx,
 						 struct lsa_QueryDomainInformationPolicy *r)
 {
-	DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+	r->out.info = talloc(mem_ctx, union lsa_DomainInformationPolicy);
+	if (!r->out.info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	switch (r->in.level) {
+	case LSA_DOMAIN_INFO_POLICY_EFS:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+	case LSA_DOMAIN_INFO_POLICY_KERBEROS:
+	{
+		struct lsa_DomainInfoKerberos *k = &r->out.info->kerberos_info;
+		struct smb_krb5_context *smb_krb5_context;
+		int ret = smb_krb5_init_context(mem_ctx, 
+							dce_call->event_ctx, 
+							dce_call->conn->dce_ctx->lp_ctx,
+							&smb_krb5_context);
+		if (ret != 0) {
+			talloc_free(r->out.info);
+			r->out.info = NULL;
+			return NT_STATUS_INTERNAL_ERROR;
+		}
+		k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
+		k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_lifetime = 0;    /* Need to find somewhere to store this, and query in KDC too */
+		k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
+		k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
+		talloc_free(smb_krb5_context);
+		return NT_STATUS_OK;
+	}
+	default:
+		talloc_free(r->out.info);
+		r->out.info = NULL;
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
 }
 
 /*
diff --git a/source4/torture/nbt/dgram.c b/source4/torture/nbt/dgram.c
index 665a08bd5c..eac2b1fe30 100644
--- a/source4/torture/nbt/dgram.c
+++ b/source4/torture/nbt/dgram.c
@@ -291,6 +291,10 @@ static bool nbt_test_netlogon2(struct torture_context *tctx)
 	join_ctx = torture_join_domain(tctx, TEST_NAME, 
 				       ACB_WSTRUST, &machine_credentials);
 
+	torture_assert(tctx, join_ctx != NULL,
+		       talloc_asprintf(tctx, "Failed to join domain %s as %s\n",
+		       		       lp_workgroup(tctx->lp_ctx), TEST_NAME));
+
 	dom_sid = torture_join_sid(join_ctx);
 
 	/* setup (another) temporary mailslot listener for replies */
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 4fb459ea25..ec74426ac6 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -28,7 +28,6 @@
 #include "libcli/auth/libcli_auth.h"
 #include "torture/rpc/rpc.h"
 #include "param/param.h"
-
 #define TEST_MACHINENAME "lsatestmach"
 
 static void init_lsa_String(struct lsa_String *name, const char *s)
@@ -614,7 +613,8 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
 		if (!test_LookupNames(p, mem_ctx, handle, &names)) {
 			return false;
 		}
-	} else {
+	} else if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+		   p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
 		struct lsa_LookupSids3 r;
 		struct lsa_TransNameArray2 names;
 
@@ -779,6 +779,7 @@ static bool test_LookupPrivName(struct dcerpc_pipe *p,
 
 static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p, 
 					     TALLOC_CTX *mem_ctx, 				  
+					     struct policy_handle *handle,
 					     struct policy_handle *acct_handle,
 					     struct lsa_LUID *luid)
 {
@@ -801,7 +802,25 @@ static bool test_RemovePrivilegesFromAccount(struct dcerpc_pipe *p,
 
 	status = dcerpc_lsa_RemovePrivilegesFromAccount(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
-		printf("RemovePrivilegesFromAccount failed - %s\n", nt_errstr(status));
+		
+		struct lsa_LookupPrivName r_name;
+		
+		r_name.in.handle = handle;
+		r_name.in.luid = luid;
+		
+		status = dcerpc_lsa_LookupPrivName(p, mem_ctx, &r_name);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("\nLookupPrivName failed - %s\n", nt_errstr(status));
+			return false;
+		}
+		/* Windows 2008 does not allow this to be removed */
+		if (strcmp("SeAuditPrivilege", r_name.out.name->string) == 0) {
+			return ret;
+		}
+
+		printf("RemovePrivilegesFromAccount failed to remove %s - %s\n", 
+		       r_name.out.name->string, 
+		       nt_errstr(status));
 		return false;
 	}
 
@@ -864,7 +883,7 @@ static bool test_EnumPrivsAccount(struct dcerpc_pipe *p,
 					    &r.out.privs->set[i].luid);
 		}
 
-		ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, acct_handle, 
+		ret &= test_RemovePrivilegesFromAccount(p, mem_ctx, handle, acct_handle, 
 							&r.out.privs->set[0].luid);
 		ret &= test_AddPrivilegesToAccount(p, mem_ctx, acct_handle, 
 						   &r.out.privs->set[0].luid);
@@ -884,6 +903,26 @@ static bool test_Delete(struct dcerpc_pipe *p,
 
 	r.in.handle = handle;
 	status = dcerpc_lsa_Delete(p, mem_ctx, &r);
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+		printf("Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status));
+		return false;
+	}
+
+	return true;
+}
+
+static bool test_DeleteObject(struct dcerpc_pipe *p, 
+			      TALLOC_CTX *mem_ctx, 
+			      struct policy_handle *handle)
+{
+	NTSTATUS status;
+	struct lsa_DeleteObject r;
+
+	printf("testing DeleteObject\n");
+
+	r.in.handle = handle;
+	r.out.handle = handle;
+	status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("Delete failed - %s\n", nt_errstr(status));
 		return false;
@@ -912,7 +951,19 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
 	r.out.acct_handle = &acct_handle;
 
 	status = dcerpc_lsa_CreateAccount(p, mem_ctx, &r);
-	if (!NT_STATUS_IS_OK(status)) {
+	if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+		struct lsa_OpenAccount r_o;
+		r_o.in.handle = handle;
+		r_o.in.sid = newsid;
+		r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+		r_o.out.acct_handle = &acct_handle;
+		
+		status = dcerpc_lsa_OpenAccount(p, mem_ctx, &r_o);
+		if (!NT_STATUS_IS_OK(status)) {
+			printf("OpenAccount failed - %s\n", nt_errstr(status));
+			return false;
+		}
+	} else if (!NT_STATUS_IS_OK(status)) {
 		printf("CreateAccount failed - %s\n", nt_errstr(status));
 		return false;
 	}
@@ -921,6 +972,10 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
 		return false;
 	}
 
+	if (!test_DeleteObject(p, mem_ctx, &acct_handle)) {
+		return false;
+	}
+
 	return true;
 }
 
@@ -948,6 +1003,10 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p,
 		return false;
 	}
 
+	if (!test_DeleteObject(p, mem_ctx, &trustdom_handle)) {
+		return false;
+	}
+
 	return true;
 }
 
@@ -986,7 +1045,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 	struct lsa_SetSecret r7;
 	struct lsa_QuerySecret r8;
 	struct policy_handle sec_handle, sec_handle2, sec_handle3;
-	struct lsa_Delete d;
+	struct lsa_DeleteObject d_o;
 	struct lsa_DATA_BUF buf1;
 	struct lsa_DATA_BUF_PTR bufp1;
 	struct lsa_DATA_BUF_PTR bufp2;
@@ -1121,7 +1180,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 							      &blob1, &session_key);
 				
 				if (strcmp(secret1, secret2) != 0) {
-					printf("Returned secret '%s' doesn't match '%s'\n", 
+					printf("Returned secret (r4) '%s' doesn't match '%s'\n", 
 					       secret2, secret1);
 					ret = false;
 				}
@@ -1136,7 +1195,9 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 		r5.in.new_val->data = enc_key.data;
 		r5.in.new_val->length = enc_key.length;
 		r5.in.new_val->size = enc_key.length;
-		
+
+
+		msleep(200);
 		printf("Testing SetSecret (existing value should move to old)\n");
 		
 		status = dcerpc_lsa_SetSecret(p, mem_ctx, &r5);
@@ -1200,8 +1261,10 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 				}
 				
 				if (*r6.out.new_mtime == *r6.out.old_mtime) {
-					printf("Returned secret %s had same mtime for both secrets: %s\n", 
+					printf("Returned secret (r6-%d) %s must not have same mtime for both secrets: %s != %s\n", 
+					       i,
 					       secname[i],
+					       nt_time_string(mem_ctx, *r6.out.old_mtime), 
 					       nt_time_string(mem_ctx, *r6.out.new_mtime));
 					ret = false;
 				}
@@ -1245,35 +1308,16 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 			if (!r8.out.new_val || !r8.out.old_val) {
 				printf("in/out pointers not returned, despite being set on in for QuerySecret\n");
 				ret = false;
-			} else if (r8.out.new_val->buf == NULL) {
-				if (i != LOCAL) { 
-					printf("NEW secret buffer not returned after GLOBAL OLD set\n");
-					ret = false;
-				}
+			} else if (r8.out.new_val->buf != NULL) {
+				printf("NEW secret buffer must not be returned after OLD set\n");
+				ret = false;
 			} else if (r8.out.old_val->buf == NULL) {
-				printf("OLD secret buffer not returned after OLD set\n");
+				printf("OLD secret buffer was not returned after OLD set\n");
 				ret = false;
 			} else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
 				printf("Both times not returned after OLD set\n");
 				ret = false;
 			} else {
-				if (i == LOCAL) { 
-					printf("NEW secret buffer should not be returned after LOCAL OLD set\n");
-					ret = false;
-				}
-				blob1.data = r8.out.new_val->buf->data;
-				blob1.length = r8.out.new_val->buf->length;
-				
-				blob2 = data_blob_talloc(mem_ctx, NULL, blob1.length);
-				
-				secret6 = sess_decrypt_string(mem_ctx,
-							      &blob1, &session_key);
-				
-				if (strcmp(secret3, secret4) != 0) {
-					printf("Returned NEW secret '%s' doesn't match '%s'\n", secret4, secret3);
-					ret = false;
-				}
-
 				blob1.data = r8.out.old_val->buf->data;
 				blob1.length = r8.out.old_val->buf->size;
 				
@@ -1287,15 +1331,8 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 					ret = false;
 				}
 				
-				if (*r8.out.new_mtime == *r8.out.old_mtime) {
-					if (i != GLOBAL) { 
-						printf("Returned secret %s had same mtime for both secrets: %s\n", 
-						       secname[i],
-						       nt_time_string(mem_ctx, *r8.out.new_mtime));
-						ret = false;
-					}
-				} else {
-					printf("Returned secret %s should have had same mtime for both secrets: %s != %s\n", 
+				if (*r8.out.new_mtime != *r8.out.old_mtime) {
+					printf("Returned secret (r8) %s did not had same mtime for both secrets: %s != %s\n", 
 					       secname[i],
 					       nt_time_string(mem_ctx, *r8.out.old_mtime),
 					       nt_time_string(mem_ctx, *r8.out.new_mtime));
@@ -1308,8 +1345,13 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
 			ret = false;
 		}
 		
-		d.in.handle = &sec_handle2;
-		status = dcerpc_lsa_Delete(p, mem_ctx, &d);
+		if (!test_DeleteObject(p, mem_ctx, &sec_handle)) {
+			return false;
+		}
+
+		d_o.in.handle = &sec_handle2;
+		d_o.out.handle = &sec_handle2;
+		status = dcerpc_lsa_DeleteObject(p, mem_ctx, &d_o);
 		if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
 			printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status));
 			ret = false;
@@ -1454,9 +1496,9 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
 			return false;
 		}
 
-		if (!test_LookupSids3(p, mem_ctx, &sids1)) {
-			return false;
-		}
+		/* Can't test lookupSids3 here, as clearly we must not
+		 * be on schannel, or we would not be able to do the
+		 * rest */
 
 		printf("testing all accounts\n");
 		for (i=0;i<sids1.num_sids;i++) {
@@ -1667,8 +1709,8 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p,
 		struct policy_handle handle2;
 		struct lsa_Close c;
 		struct lsa_CloseTrustedDomainEx c_trust;
-		int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
-		int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1};
+		int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
+		int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1, 1};
 
 		if (domains->domains[i].sid) {
 			trust.in.handle = handle;
@@ -1912,8 +1954,6 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 				       r_ex.in.max_size,
 				       LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER, 
 				       r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
-				ret = false;
-				exit(1);
 			}
 		} else if (!NT_STATUS_IS_OK(enum_status)) {
 			printf("EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status));
@@ -2015,10 +2055,6 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
 	NTSTATUS status;
 	int i;
 	bool ret = true;
-	if (torture_setting_bool(tctx, "samba4", false)) {
-		printf("skipping QueryDomainInformationPolicy test against Samba4\n");
-		return true;
-	}
 
 	printf("\nTesting QueryDomainInformationPolicy\n");
 
@@ -2030,7 +2066,10 @@ static bool test_QueryDomainInfoPolicy(struct dcerpc_pipe *p,
 
 		status = dcerpc_lsa_QueryDomainInformationPolicy(p, tctx, &r);
 
-		if (!NT_STATUS_IS_OK(status)) {
+		/* If the server does not support EFS, then this is the correct return */
+		if (i == LSA_DOMAIN_INFO_POLICY_EFS && NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+			continue;
+		} else if (!NT_STATUS_IS_OK(status)) {
 			printf("QueryDomainInformationPolicy failed - %s\n", nt_errstr(status));
 			ret = false;
 			continue;
@@ -2311,11 +2350,9 @@ bool torture_rpc_lsa(struct torture_context *tctx)
 			ret = false;
 		}
 		
-#if 0
 		if (!test_Delete(p, tctx, handle)) {
 			ret = false;
 		}
-#endif
 		
 		if (!test_many_LookupSids(p, tctx, handle)) {
 			ret = false;