s3-talloc Change TALLOC_ARRAY() to talloc_array()

[samba.git] / source3 / lib / netapi / user.c
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c

index dba7542235e6dd7881e616351f8d32740711fb15..f1182100c7056eb6d0bc864d666290c4751225a2 100644 (file)
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -23,6 +23,13 @@
  #include "lib/netapi/netapi.h"
  #include "lib/netapi/netapi_private.h"
  #include "lib/netapi/libnetapi.h"
+#include "../librpc/gen_ndr/ndr_samr_c.h"
+#include "rpc_client/init_samr.h"
+#include "../libds/common/flags.h"
+#include "rpc_client/init_lsa.h"
+#include "../libcli/security/security.h"
+#include "../libds/common/flag_mapping.h"
+#include "rpc_client/cli_pipe.h"
  
  /****************************************************************
  ****************************************************************/
@@ -46,14 +53,11 @@ static void convert_USER_INFO_X_to_samr_user_info21(struct USER_INFO_X *infoX,
                 fields_present |= SAMR_FIELD_ACCOUNT_NAME;
         }
         if (infoX->usriX_password) {
-               fields_present |= SAMR_FIELD_PASSWORD;
+               fields_present |= SAMR_FIELD_NT_PASSWORD_PRESENT;
         }
         if (infoX->usriX_flags) {
                 fields_present |= SAMR_FIELD_ACCT_FLAGS;
         }
-       if (infoX->usriX_name) {
-               fields_present |= SAMR_FIELD_FULL_NAME;
-       }
         if (infoX->usriX_home_dir) {
                 fields_present |= SAMR_FIELD_HOME_DIRECTORY;
         }
@@ -91,35 +95,41 @@ static void convert_USER_INFO_X_to_samr_user_info21(struct USER_INFO_X *infoX,
         unix_to_nt_time_abs(&password_age, infoX->usriX_password_age);
  
         /* TODO: infoX->usriX_priv */
-       init_samr_user_info21(info21,
-                             0,
-                             0,
-                             0,
-                             0,
-                             0,
-                             password_age,
-                             infoX->usriX_name,
-                             infoX->usriX_full_name,
-                             infoX->usriX_home_dir,
-                             infoX->usriX_home_dir_drive,
-                             infoX->usriX_script_path,
-                             infoX->usriX_profile,
-                             infoX->usriX_comment,
-                             infoX->usriX_workstations,
-                             infoX->usriX_usr_comment,
-                             &zero_parameters,
-                             0,
-                             infoX->usriX_primary_group_id,
-                             infoX->usriX_flags,
-                             fields_present,
-                             zero_logon_hours,
-                             0,
-                             0,
-                             infoX->usriX_country_code,
-                             0,
-                             0,
-                             0,
-                             0);
+
+       info21->last_logon              = 0;
+       info21->last_logoff             = 0;
+       info21->last_password_change    = 0;
+       info21->acct_expiry             = 0;
+       info21->allow_password_change   = 0;
+       info21->force_password_change   = 0;
+       info21->account_name.string     = infoX->usriX_name;
+       info21->full_name.string        = infoX->usriX_full_name;
+       info21->home_directory.string   = infoX->usriX_home_dir;
+       info21->home_drive.string       = infoX->usriX_home_dir_drive;
+       info21->logon_script.string     = infoX->usriX_script_path;
+       info21->profile_path.string     = infoX->usriX_profile;
+       info21->description.string      = infoX->usriX_comment;
+       info21->workstations.string     = infoX->usriX_workstations;
+       info21->comment.string          = infoX->usriX_usr_comment;
+       info21->parameters              = zero_parameters;
+       info21->lm_owf_password         = zero_parameters;
+       info21->nt_owf_password         = zero_parameters;
+       info21->private_data.string     = NULL;
+       info21->buf_count               = 0;
+       info21->buffer                  = NULL;
+       info21->rid                     = infoX->usriX_user_id;
+       info21->primary_gid             = infoX->usriX_primary_group_id;
+       info21->acct_flags              = infoX->usriX_flags;
+       info21->fields_present          = fields_present;
+       info21->logon_hours             = zero_logon_hours;
+       info21->bad_password_count      = infoX->usriX_bad_pw_count;
+       info21->logon_count             = infoX->usriX_num_logons;
+       info21->country_code            = infoX->usriX_country_code;
+       info21->code_page               = infoX->usriX_code_page;
+       info21->lm_password_set         = 0;
+       info21->nt_password_set         = 0;
+       info21->password_expired        = infoX->usriX_password_expired;
+       info21->private_data_sensitive  = 0;
  }
  
  /****************************************************************
@@ -132,6 +142,7 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level,
         struct USER_INFO_0 *u0 = NULL;
         struct USER_INFO_1 *u1 = NULL;
         struct USER_INFO_2 *u2 = NULL;
+       struct USER_INFO_3 *u3 = NULL;
         struct USER_INFO_1003 *u1003 = NULL;
         struct USER_INFO_1006 *u1006 = NULL;
         struct USER_INFO_1007 *u1007 = NULL;
@@ -193,6 +204,37 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level,
                         uX->usriX_country_code  = u2->usri2_country_code;
                         uX->usriX_code_page     = u2->usri2_code_page;
                         break;
+               case 3:
+                       u3 = (struct USER_INFO_3 *)buffer;
+                       uX->usriX_name          = u3->usri3_name;
+                       uX->usriX_password_age  = u3->usri3_password_age;
+                       uX->usriX_priv          = u3->usri3_priv;
+                       uX->usriX_home_dir      = u3->usri3_home_dir;
+                       uX->usriX_comment       = u3->usri3_comment;
+                       uX->usriX_flags         = u3->usri3_flags;
+                       uX->usriX_script_path   = u3->usri3_script_path;
+                       uX->usriX_auth_flags    = u3->usri3_auth_flags;
+                       uX->usriX_full_name     = u3->usri3_full_name;
+                       uX->usriX_usr_comment   = u3->usri3_usr_comment;
+                       uX->usriX_parms         = u3->usri3_parms;
+                       uX->usriX_workstations  = u3->usri3_workstations;
+                       uX->usriX_last_logon    = u3->usri3_last_logon;
+                       uX->usriX_last_logoff   = u3->usri3_last_logoff;
+                       uX->usriX_acct_expires  = u3->usri3_acct_expires;
+                       uX->usriX_max_storage   = u3->usri3_max_storage;
+                       uX->usriX_units_per_week= u3->usri3_units_per_week;
+                       uX->usriX_logon_hours   = u3->usri3_logon_hours;
+                       uX->usriX_bad_pw_count  = u3->usri3_bad_pw_count;
+                       uX->usriX_num_logons    = u3->usri3_num_logons;
+                       uX->usriX_logon_server  = u3->usri3_logon_server;
+                       uX->usriX_country_code  = u3->usri3_country_code;
+                       uX->usriX_code_page     = u3->usri3_code_page;
+                       uX->usriX_user_id       = u3->usri3_user_id;
+                       uX->usriX_primary_group_id = u3->usri3_primary_group_id;
+                       uX->usriX_profile       = u3->usri3_profile;
+                       uX->usriX_home_dir_drive = u3->usri3_home_dir_drive;
+                       uX->usriX_password_expired = u3->usri3_password_expired;
+                       break;
                 case 1003:
                         u1003 = (struct USER_INFO_1003 *)buffer;
                         uX->usriX_password      = u1003->usri1003_password;
@@ -237,7 +279,6 @@ static NTSTATUS construct_USER_INFO_X(uint32_t level,
                         u1053 = (struct USER_INFO_1053 *)buffer;
                         uX->usriX_home_dir_drive = u1053->usri1053_home_dir_drive;
                         break;
-               case 3:
                 case 4:
                 default:
                         return NT_STATUS_INVALID_INFO_CLASS;
@@ -257,7 +298,8 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
  {
         union samr_UserInfo user_info;
         struct samr_UserInfo21 info21;
-       NTSTATUS status;
+       NTSTATUS status, result;
+       struct dcerpc_binding_handle *b = pipe_cli->binding_handle;
  
         if (!uX) {
                 return NT_STATUS_INVALID_PARAMETER;
@@ -275,12 +317,12 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
                                           session_key,
                                           &user_info.info25.password);
  
-               status = rpccli_samr_SetUserInfo2(pipe_cli, ctx,
+               status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
                                                   user_handle,
                                                   25,
-                                                 &user_info);
-
-               if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+                                                 &user_info,
+                                                 &result);
+               if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
  
                         user_info.info23.info = info21;
  
@@ -288,22 +330,34 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
                                                 session_key,
                                                 &user_info.info23.password);
  
-                       status = rpccli_samr_SetUserInfo2(pipe_cli, ctx,
+                       status = dcerpc_samr_SetUserInfo2(b, talloc_tos(),
                                                           user_handle,
                                                           23,
-                                                         &user_info);
+                                                         &user_info,
+                                                         &result);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               return status;
+                       }
+               }
+
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
                 }
         } else {
  
                 user_info.info21 = info21;
  
-               status = rpccli_samr_SetUserInfo(pipe_cli, ctx,
+               status = dcerpc_samr_SetUserInfo(b, talloc_tos(),
                                                  user_handle,
                                                  21,
-                                                &user_info);
+                                                &user_info,
+                                                &result);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
         }
  
-       return status;
+       return result;
  }
  
  /****************************************************************
@@ -312,11 +366,10 @@ static NTSTATUS set_user_info_USER_INFO_X(TALLOC_CTX *ctx,
  WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
                     struct NetUserAdd *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
-       NTSTATUS status;
+       NTSTATUS status, result;
         WERROR werr;
-       POLICY_HND connect_handle, domain_handle, user_handle;
+       struct policy_handle connect_handle, domain_handle, user_handle;
         struct lsa_String lsa_account_name;
         struct dom_sid2 *domain_sid = NULL;
         union samr_UserInfo *user_info = NULL;
@@ -324,6 +377,8 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
         uint32_t access_granted = 0;
         uint32_t rid = 0;
         struct USER_INFO_X uX;
+       struct dcerpc_binding_handle *b = NULL;
+       DATA_BLOB session_key;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(domain_handle);
@@ -346,12 +401,13 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
         status = construct_USER_INFO_X(r->in.level, r->in.buffer, &uX);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
@@ -360,7 +416,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
                                           SAMR_DOMAIN_ACCESS_CREATE_USER |
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
@@ -373,7 +429,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
  
         init_lsa_String(&lsa_account_name, uX.usriX_name);
  
-       status = rpccli_samr_CreateUser2(pipe_cli, ctx,
+       status = dcerpc_samr_CreateUser2(b, talloc_tos(),
                                          &domain_handle,
                                          &lsa_account_name,
                                          ACB_NORMAL,
@@ -384,29 +440,50 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
                                          SAMR_USER_ACCESS_GET_ATTRIBUTES,
                                          &user_handle,
                                          &access_granted,
-                                        &rid);
+                                        &rid,
+                                        &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
-       status = rpccli_samr_QueryUserInfo(pipe_cli, ctx,
+       status = dcerpc_samr_QueryUserInfo(b, talloc_tos(),
                                            &user_handle,
                                            16,
-                                          &user_info);
+                                          &user_info,
+                                          &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         if (!(user_info->info16.acct_flags & ACB_NORMAL)) {
                 werr = WERR_INVALID_PARAM;
                 goto done;
         }
  
-       status = rpccli_samr_GetUserPwInfo(pipe_cli, ctx,
+       status = dcerpc_samr_GetUserPwInfo(b, talloc_tos(),
                                            &user_handle,
-                                          &pw_info);
+                                          &pw_info,
+                                          &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = cli_get_session_key(talloc_tos(), pipe_cli, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
@@ -415,7 +492,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
         uX.usriX_flags |= ACB_NORMAL;
  
         status = set_user_info_USER_INFO_X(ctx, pipe_cli,
-                                          &cli->user_session_key,
+                                          &session_key,
                                            &user_handle,
                                            &uX);
         if (!NT_STATUS_IS_OK(status)) {
@@ -427,16 +504,13 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
         goto done;
  
   failed:
-       rpccli_samr_DeleteUser(pipe_cli, ctx,
-                              &user_handle);
+       dcerpc_samr_DeleteUser(b, talloc_tos(),
+                              &user_handle,
+                              &result);
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
-       if (is_valid_policy_hnd(&user_handle)) {
-               rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+       if (is_valid_policy_hnd(&user_handle) && b) {
+               dcerpc_samr_Close(b, talloc_tos(), &user_handle, &result);
         }
  
         if (ctx->disable_policy_handle_cache) {
@@ -462,15 +536,15 @@ WERROR NetUserAdd_l(struct libnetapi_ctx *ctx,
  WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
                     struct NetUserDel *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
-       NTSTATUS status;
+       NTSTATUS status, result;
         WERROR werr;
-       POLICY_HND connect_handle, builtin_handle, domain_handle, user_handle;
+       struct policy_handle connect_handle, builtin_handle, domain_handle, user_handle;
         struct lsa_String lsa_account_name;
         struct samr_Ids user_rids, name_types;
         struct dom_sid2 *domain_sid = NULL;
         struct dom_sid2 user_sid;
+       struct dcerpc_binding_handle *b = NULL;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(builtin_handle);
@@ -479,16 +553,17 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
  
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
                                           &connect_handle,
                                           &domain_handle,
@@ -497,65 +572,86 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
                 goto done;
         }
  
-       status = rpccli_samr_OpenDomain(pipe_cli, ctx,
+       status = dcerpc_samr_OpenDomain(b, talloc_tos(),
                                         &connect_handle,
                                         SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
-                                       CONST_DISCARD(DOM_SID *, &global_sid_Builtin),
-                                       &builtin_handle);
+                                       discard_const_p(struct dom_sid, &global_sid_Builtin),
+                                       &builtin_handle,
+                                       &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         init_lsa_String(&lsa_account_name, r->in.user_name);
  
-       status = rpccli_samr_LookupNames(pipe_cli, ctx,
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
                                          &domain_handle,
                                          1,
                                          &lsa_account_name,
                                          &user_rids,
-                                        &name_types);
+                                        &name_types,
+                                        &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
-       status = rpccli_samr_OpenUser(pipe_cli, ctx,
+       status = dcerpc_samr_OpenUser(b, talloc_tos(),
                                       &domain_handle,
-                                     STD_RIGHT_DELETE_ACCESS,
+                                     SEC_STD_DELETE,
                                       user_rids.ids[0],
-                                     &user_handle);
+                                     &user_handle,
+                                     &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         sid_compose(&user_sid, domain_sid, user_rids.ids[0]);
  
-       status = rpccli_samr_RemoveMemberFromForeignDomain(pipe_cli, ctx,
+       status = dcerpc_samr_RemoveMemberFromForeignDomain(b, talloc_tos(),
                                                            &builtin_handle,
-                                                          &user_sid);
+                                                          &user_sid,
+                                                          &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
-       status = rpccli_samr_DeleteUser(pipe_cli, ctx,
-                                       &user_handle);
+       status = dcerpc_samr_DeleteUser(b, talloc_tos(),
+                                       &user_handle,
+                                       &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         werr = WERR_OK;
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
         if (is_valid_policy_hnd(&user_handle)) {
-               rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+               dcerpc_samr_Close(b, talloc_tos(), &user_handle, &result);
         }
  
         if (ctx->disable_policy_handle_cache) {
@@ -584,12 +680,14 @@ static NTSTATUS libnetapi_samr_lookup_user(TALLOC_CTX *mem_ctx,
                                            struct policy_handle *domain_handle,
                                            struct policy_handle *builtin_handle,
                                            const char *user_name,
+                                          const struct dom_sid *domain_sid,
                                            uint32_t rid,
                                            uint32_t level,
                                            struct samr_UserInfo21 **info21,
-                                          struct sec_desc_buf **sec_desc)
+                                          struct sec_desc_buf **sec_desc,
+                                          uint32_t *auth_flag_p)
  {
-       NTSTATUS status;
+       NTSTATUS status, result;
  
         struct policy_handle user_handle;
         union samr_UserInfo *user_info = NULL;
@@ -597,16 +695,26 @@ static NTSTATUS libnetapi_samr_lookup_user(TALLOC_CTX *mem_ctx,
         uint32_t access_mask = SEC_STD_READ_CONTROL |
                                SAMR_USER_ACCESS_GET_ATTRIBUTES |
                                SAMR_USER_ACCESS_GET_NAME_ETC;
+       struct dcerpc_binding_handle *b = pipe_cli->binding_handle;
  
         ZERO_STRUCT(user_handle);
  
         switch (level) {
                 case 0:
+                       break;
                 case 1:
+                       access_mask |= SAMR_USER_ACCESS_GET_LOGONINFO |
+                                      SAMR_USER_ACCESS_GET_GROUPS;
+                       break;
                 case 2:
                 case 3:
-               case 10:
+               case 4:
                 case 11:
+                       access_mask |= SAMR_USER_ACCESS_GET_LOGONINFO |
+                                      SAMR_USER_ACCESS_GET_GROUPS |
+                                      SAMR_USER_ACCESS_GET_LOCALE;
+                       break;
+               case 10:
                 case 20:
                 case 23:
                         break;
@@ -618,55 +726,120 @@ static NTSTATUS libnetapi_samr_lookup_user(TALLOC_CTX *mem_ctx,
                 return NT_STATUS_OK;
         }
  
-       status = rpccli_samr_OpenUser(pipe_cli, mem_ctx,
+       status = dcerpc_samr_OpenUser(b, mem_ctx,
                                       domain_handle,
                                       access_mask,
                                       rid,
-                                     &user_handle);
+                                     &user_handle,
+                                     &result);
         if (!NT_STATUS_IS_OK(status)) {
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               status = result;
+               goto done;
+       }
  
-       status = rpccli_samr_QueryUserInfo(pipe_cli, mem_ctx,
+       status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
                                            &user_handle,
                                            21,
-                                          &user_info);
+                                          &user_info,
+                                          &result);
         if (!NT_STATUS_IS_OK(status)) {
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               status = result;
+               goto done;
+       }
  
-       status = rpccli_samr_QuerySecurity(pipe_cli, mem_ctx,
+       status = dcerpc_samr_QuerySecurity(b, mem_ctx,
                                            &user_handle,
                                            SECINFO_DACL,
-                                          sec_desc);
+                                          sec_desc,
+                                          &result);
         if (!NT_STATUS_IS_OK(status)) {
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               status = result;
+               goto done;
+       }
+
+       if (access_mask & SAMR_USER_ACCESS_GET_GROUPS) {
  
-       if (level == 1) {
-               status = rpccli_samr_GetGroupsForUser(pipe_cli, mem_ctx,
+               struct lsa_SidArray sid_array;
+               struct samr_Ids alias_rids;
+               int i;
+               uint32_t auth_flag = 0;
+               struct dom_sid sid;
+
+               status = dcerpc_samr_GetGroupsForUser(b, mem_ctx,
                                                       &user_handle,
-                                                     &rid_array);
+                                                     &rid_array,
+                                                     &result);
                 if (!NT_STATUS_IS_OK(status)) {
                         goto done;
                 }
+               if (!NT_STATUS_IS_OK(result)) {
+                       status = result;
+                       goto done;
+               }
+
+               sid_array.num_sids = rid_array->count + 1;
+               sid_array.sids = talloc_array(mem_ctx, struct lsa_SidPtr,
+                                             sid_array.num_sids);
+               NT_STATUS_HAVE_NO_MEMORY(sid_array.sids);
+
+               for (i=0; i<rid_array->count; i++) {
+                       sid_compose(&sid, domain_sid, rid_array->rids[i].rid);
+                       sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sid);
+                       NT_STATUS_HAVE_NO_MEMORY(sid_array.sids[i].sid);
+               }
  
-#if 0
-               status = rpccli_samr_GetAliasMembership(pipe_cli, ctx,
-                                                       &builtin_handle,
-                                                       &sids,
-                                                       &rids);
+               sid_compose(&sid, domain_sid, rid);
+               sid_array.sids[i].sid = dom_sid_dup(mem_ctx, &sid);
+               NT_STATUS_HAVE_NO_MEMORY(sid_array.sids[i].sid);
+
+               status = dcerpc_samr_GetAliasMembership(b, mem_ctx,
+                                                       builtin_handle,
+                                                       &sid_array,
+                                                       &alias_rids,
+                                                       &result);
                 if (!NT_STATUS_IS_OK(status)) {
                         goto done;
                 }
-#endif
+               if (!NT_STATUS_IS_OK(result)) {
+                       status = result;
+                       goto done;
+               }
+
+               for (i=0; i<alias_rids.count; i++) {
+                       switch (alias_rids.ids[i]) {
+                               case 550: /* Print Operators */
+                                       auth_flag |= AF_OP_PRINT;
+                                       break;
+                               case 549: /* Server Operators */
+                                       auth_flag |= AF_OP_SERVER;
+                                       break;
+                               case 548: /* Account Operators */
+                                       auth_flag |= AF_OP_ACCOUNTS;
+                                       break;
+                               default:
+                                       break;
+                       }
+               }
+
+               if (auth_flag_p) {
+                       *auth_flag_p = auth_flag;
+               }
         }
  
         *info21 = &user_info->info21;
  
   done:
         if (is_valid_policy_hnd(&user_handle)) {
-               rpccli_samr_Close(pipe_cli, mem_ctx, &user_handle);
+               dcerpc_samr_Close(b, mem_ctx, &user_handle, &result);
         }
  
         return status;
@@ -675,6 +848,283 @@ static NTSTATUS libnetapi_samr_lookup_user(TALLOC_CTX *mem_ctx,
  /****************************************************************
  ****************************************************************/
  
+static uint32_t samr_rid_to_priv_level(uint32_t rid)
+{
+       switch (rid) {
+               case DOMAIN_RID_ADMINISTRATOR:
+                       return USER_PRIV_ADMIN;
+               case DOMAIN_RID_GUEST:
+                       return USER_PRIV_GUEST;
+               default:
+                       return USER_PRIV_USER;
+       }
+}
+
+/****************************************************************
+****************************************************************/
+
+static uint32_t samr_acb_flags_to_netapi_flags(uint32_t acb)
+{
+       uint32_t fl = UF_SCRIPT; /* god knows why */
+
+       fl |= ds_acb2uf(acb);
+
+       return fl;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_1(TALLOC_CTX *mem_ctx,
+                                     const struct samr_UserInfo21 *i21,
+                                     struct USER_INFO_1 *i)
+{
+       ZERO_STRUCTP(i);
+       i->usri1_name           = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri1_name);
+       i->usri1_password       = NULL;
+       i->usri1_password_age   = time(NULL) - nt_time_to_unix(i21->last_password_change);
+       i->usri1_priv           = samr_rid_to_priv_level(i21->rid);
+       i->usri1_home_dir       = talloc_strdup(mem_ctx, i21->home_directory.string);
+       i->usri1_comment        = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri1_flags          = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       i->usri1_script_path    = talloc_strdup(mem_ctx, i21->logon_script.string);
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_2(TALLOC_CTX *mem_ctx,
+                                     const struct samr_UserInfo21 *i21,
+                                     uint32_t auth_flag,
+                                     struct USER_INFO_2 *i)
+{
+       ZERO_STRUCTP(i);
+
+       i->usri2_name           = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri2_name);
+       i->usri2_password       = NULL;
+       i->usri2_password_age   = time(NULL) - nt_time_to_unix(i21->last_password_change);
+       i->usri2_priv           = samr_rid_to_priv_level(i21->rid);
+       i->usri2_home_dir       = talloc_strdup(mem_ctx, i21->home_directory.string);
+       i->usri2_comment        = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri2_flags          = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       i->usri2_script_path    = talloc_strdup(mem_ctx, i21->logon_script.string);
+       i->usri2_auth_flags     = auth_flag;
+       i->usri2_full_name      = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri2_usr_comment    = talloc_strdup(mem_ctx, i21->comment.string);
+       i->usri2_parms          = talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+       i->usri2_workstations   = talloc_strdup(mem_ctx, i21->workstations.string);
+       i->usri2_last_logon     = nt_time_to_unix(i21->last_logon);
+       i->usri2_last_logoff    = nt_time_to_unix(i21->last_logoff);
+       i->usri2_acct_expires   = nt_time_to_unix(i21->acct_expiry);
+       i->usri2_max_storage    = USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+       i->usri2_units_per_week = i21->logon_hours.units_per_week;
+       i->usri2_logon_hours    = (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+       i->usri2_bad_pw_count   = i21->bad_password_count;
+       i->usri2_num_logons     = i21->logon_count;
+       i->usri2_logon_server   = talloc_strdup(mem_ctx, "\\\\*");
+       i->usri2_country_code   = i21->country_code;
+       i->usri2_code_page      = i21->code_page;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_3(TALLOC_CTX *mem_ctx,
+                                     const struct samr_UserInfo21 *i21,
+                                     uint32_t auth_flag,
+                                     struct USER_INFO_3 *i)
+{
+       ZERO_STRUCTP(i);
+
+       i->usri3_name           = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri3_name);
+       i->usri3_password_age   = time(NULL) - nt_time_to_unix(i21->last_password_change);
+       i->usri3_priv           = samr_rid_to_priv_level(i21->rid);
+       i->usri3_home_dir       = talloc_strdup(mem_ctx, i21->home_directory.string);
+       i->usri3_comment        = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri3_flags          = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       i->usri3_script_path    = talloc_strdup(mem_ctx, i21->logon_script.string);
+       i->usri3_auth_flags     = auth_flag;
+       i->usri3_full_name      = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri3_usr_comment    = talloc_strdup(mem_ctx, i21->comment.string);
+       i->usri3_parms          = talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+       i->usri3_workstations   = talloc_strdup(mem_ctx, i21->workstations.string);
+       i->usri3_last_logon     = nt_time_to_unix(i21->last_logon);
+       i->usri3_last_logoff    = nt_time_to_unix(i21->last_logoff);
+       i->usri3_acct_expires   = nt_time_to_unix(i21->acct_expiry);
+       i->usri3_max_storage    = USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+       i->usri3_units_per_week = i21->logon_hours.units_per_week;
+       i->usri3_logon_hours    = (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+       i->usri3_bad_pw_count   = i21->bad_password_count;
+       i->usri3_num_logons     = i21->logon_count;
+       i->usri3_logon_server   = talloc_strdup(mem_ctx, "\\\\*");
+       i->usri3_country_code   = i21->country_code;
+       i->usri3_code_page      = i21->code_page;
+       i->usri3_user_id        = i21->rid;
+       i->usri3_primary_group_id = i21->primary_gid;
+       i->usri3_profile        = talloc_strdup(mem_ctx, i21->profile_path.string);
+       i->usri3_home_dir_drive = talloc_strdup(mem_ctx, i21->home_drive.string);
+       i->usri3_password_expired = i21->password_expired;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_4(TALLOC_CTX *mem_ctx,
+                                     const struct samr_UserInfo21 *i21,
+                                     uint32_t auth_flag,
+                                     struct dom_sid *domain_sid,
+                                     struct USER_INFO_4 *i)
+{
+       struct dom_sid sid;
+
+       ZERO_STRUCTP(i);
+
+       i->usri4_name           = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri4_name);
+       i->usri4_password_age   = time(NULL) - nt_time_to_unix(i21->last_password_change);
+       i->usri4_password       = NULL;
+       i->usri4_priv           = samr_rid_to_priv_level(i21->rid);
+       i->usri4_home_dir       = talloc_strdup(mem_ctx, i21->home_directory.string);
+       i->usri4_comment        = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri4_flags          = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       i->usri4_script_path    = talloc_strdup(mem_ctx, i21->logon_script.string);
+       i->usri4_auth_flags     = auth_flag;
+       i->usri4_full_name      = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri4_usr_comment    = talloc_strdup(mem_ctx, i21->comment.string);
+       i->usri4_parms          = talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+       i->usri4_workstations   = talloc_strdup(mem_ctx, i21->workstations.string);
+       i->usri4_last_logon     = nt_time_to_unix(i21->last_logon);
+       i->usri4_last_logoff    = nt_time_to_unix(i21->last_logoff);
+       i->usri4_acct_expires   = nt_time_to_unix(i21->acct_expiry);
+       i->usri4_max_storage    = USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+       i->usri4_units_per_week = i21->logon_hours.units_per_week;
+       i->usri4_logon_hours    = (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+       i->usri4_bad_pw_count   = i21->bad_password_count;
+       i->usri4_num_logons     = i21->logon_count;
+       i->usri4_logon_server   = talloc_strdup(mem_ctx, "\\\\*");
+       i->usri4_country_code   = i21->country_code;
+       i->usri4_code_page      = i21->code_page;
+       if (!sid_compose(&sid, domain_sid, i21->rid)) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       i->usri4_user_sid       = (struct domsid *)dom_sid_dup(mem_ctx, &sid);
+       i->usri4_primary_group_id = i21->primary_gid;
+       i->usri4_profile        = talloc_strdup(mem_ctx, i21->profile_path.string);
+       i->usri4_home_dir_drive = talloc_strdup(mem_ctx, i21->home_drive.string);
+       i->usri4_password_expired = i21->password_expired;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_10(TALLOC_CTX *mem_ctx,
+                                      const struct samr_UserInfo21 *i21,
+                                      struct USER_INFO_10 *i)
+{
+       ZERO_STRUCTP(i);
+
+       i->usri10_name          = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri10_name);
+       i->usri10_comment       = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri10_full_name     = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri10_usr_comment   = talloc_strdup(mem_ctx, i21->comment.string);
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_11(TALLOC_CTX *mem_ctx,
+                                      const struct samr_UserInfo21 *i21,
+                                      uint32_t auth_flag,
+                                      struct USER_INFO_11 *i)
+{
+       ZERO_STRUCTP(i);
+
+       i->usri11_name          = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri11_name);
+       i->usri11_comment       = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri11_usr_comment   = talloc_strdup(mem_ctx, i21->comment.string);
+       i->usri11_full_name     = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri11_priv          = samr_rid_to_priv_level(i21->rid);
+       i->usri11_auth_flags    = auth_flag;
+       i->usri11_password_age  = time(NULL) - nt_time_to_unix(i21->last_password_change);
+       i->usri11_home_dir      = talloc_strdup(mem_ctx, i21->home_directory.string);
+       i->usri11_parms         = talloc_strndup(mem_ctx, (const char *)i21->parameters.array, i21->parameters.size/2);
+       i->usri11_last_logon    = nt_time_to_unix(i21->last_logon);
+       i->usri11_last_logoff   = nt_time_to_unix(i21->last_logoff);
+       i->usri11_bad_pw_count  = i21->bad_password_count;
+       i->usri11_num_logons    = i21->logon_count;
+       i->usri11_logon_server  = talloc_strdup(mem_ctx, "\\\\*");
+       i->usri11_country_code  = i21->country_code;
+       i->usri11_workstations  = talloc_strdup(mem_ctx, i21->workstations.string);
+       i->usri11_max_storage   = USER_MAXSTORAGE_UNLIMITED; /* FIXME */
+       i->usri11_units_per_week = i21->logon_hours.units_per_week;
+       i->usri11_logon_hours   = (uint8_t *)talloc_memdup(mem_ctx, i21->logon_hours.bits, 21);
+       i->usri11_code_page     = i21->code_page;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_20(TALLOC_CTX *mem_ctx,
+                                      const struct samr_UserInfo21 *i21,
+                                      struct USER_INFO_20 *i)
+{
+       ZERO_STRUCTP(i);
+
+       i->usri20_name          = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri20_name);
+       i->usri20_comment       = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri20_full_name     = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri20_flags         = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       i->usri20_user_id       = i21->rid;
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS info21_to_USER_INFO_23(TALLOC_CTX *mem_ctx,
+                                      const struct samr_UserInfo21 *i21,
+                                      struct dom_sid *domain_sid,
+                                      struct USER_INFO_23 *i)
+{
+       struct dom_sid sid;
+
+       ZERO_STRUCTP(i);
+
+       i->usri23_name          = talloc_strdup(mem_ctx, i21->account_name.string);
+       NT_STATUS_HAVE_NO_MEMORY(i->usri23_name);
+       i->usri23_comment       = talloc_strdup(mem_ctx, i21->description.string);
+       i->usri23_full_name     = talloc_strdup(mem_ctx, i21->full_name.string);
+       i->usri23_flags         = samr_acb_flags_to_netapi_flags(i21->acct_flags);
+       if (!sid_compose(&sid, domain_sid, i21->rid)) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       i->usri23_user_sid      = (struct domsid *)dom_sid_dup(mem_ctx, &sid);
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
  static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
                                                          struct rpc_pipe_client *pipe_cli,
                                                          struct dom_sid *domain_sid,
@@ -690,10 +1140,15 @@ static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
  
         struct samr_UserInfo21 *info21 = NULL;
         struct sec_desc_buf *sec_desc = NULL;
-       struct dom_sid sid;
+       uint32_t auth_flag = 0;
  
         struct USER_INFO_0 info0;
+       struct USER_INFO_1 info1;
+       struct USER_INFO_2 info2;
+       struct USER_INFO_3 info3;
+       struct USER_INFO_4 info4;
         struct USER_INFO_10 info10;
+       struct USER_INFO_11 info11;
         struct USER_INFO_20 info20;
         struct USER_INFO_23 info23;
  
@@ -702,6 +1157,7 @@ static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
                 case 1:
                 case 2:
                 case 3:
+               case 4:
                 case 10:
                 case 11:
                 case 20:
@@ -725,73 +1181,86 @@ static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
                                             domain_handle,
                                             builtin_handle,
                                             user_name,
+                                           domain_sid,
                                             rid,
                                             level,
                                             &info21,
-                                           &sec_desc);
+                                           &sec_desc,
+                                           &auth_flag);
  
         if (!NT_STATUS_IS_OK(status)) {
                 goto done;
         }
  
         switch (level) {
-               case 10:
-                       info10.usri10_name = talloc_strdup(mem_ctx, user_name);
-                       NT_STATUS_HAVE_NO_MEMORY(info10.usri10_name);
-
-                       info10.usri10_comment = talloc_strdup(mem_ctx,
-                               info21->description.string);
+               case 0:
+                       /* already returned above */
+                       break;
+               case 1:
+                       status = info21_to_USER_INFO_1(mem_ctx, info21, &info1);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       info10.usri10_full_name = talloc_strdup(mem_ctx,
-                               info21->full_name.string);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_1, info1,
+                                    (struct USER_INFO_1 **)buffer, num_entries);
  
-                       info10.usri10_usr_comment = talloc_strdup(mem_ctx,
-                               info21->comment.string);
+                       break;
+               case 2:
+                       status = info21_to_USER_INFO_2(mem_ctx, info21, auth_flag, &info2);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_10, info10,
-                                    (struct USER_INFO_10 **)buffer, num_entries);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_2, info2,
+                                    (struct USER_INFO_2 **)buffer, num_entries);
  
                         break;
+               case 3:
+                       status = info21_to_USER_INFO_3(mem_ctx, info21, auth_flag, &info3);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-               case 20:
-                       info20.usri20_name = talloc_strdup(mem_ctx, user_name);
-                       NT_STATUS_HAVE_NO_MEMORY(info20.usri20_name);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_3, info3,
+                                    (struct USER_INFO_3 **)buffer, num_entries);
  
-                       info20.usri20_comment = talloc_strdup(mem_ctx,
-                               info21->description.string);
+                       break;
+               case 4:
+                       status = info21_to_USER_INFO_4(mem_ctx, info21, auth_flag, domain_sid, &info4);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       info20.usri20_full_name = talloc_strdup(mem_ctx,
-                               info21->full_name.string);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_4, info4,
+                                    (struct USER_INFO_4 **)buffer, num_entries);
  
-                       info20.usri20_flags = info21->acct_flags;
-                       info20.usri20_user_id = rid;
+                       break;
+               case 10:
+                       status = info21_to_USER_INFO_10(mem_ctx, info21, &info10);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_20, info20,
-                                    (struct USER_INFO_20 **)buffer, num_entries);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_10, info10,
+                                    (struct USER_INFO_10 **)buffer, num_entries);
  
                         break;
-               case 23:
-                       info23.usri23_name = talloc_strdup(mem_ctx, user_name);
-                       NT_STATUS_HAVE_NO_MEMORY(info23.usri23_name);
-
-                       info23.usri23_comment = talloc_strdup(mem_ctx,
-                               info21->description.string);
+               case 11:
+                       status = info21_to_USER_INFO_11(mem_ctx, info21, auth_flag, &info11);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       info23.usri23_full_name = talloc_strdup(mem_ctx,
-                               info21->full_name.string);
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_11, info11,
+                                    (struct USER_INFO_11 **)buffer, num_entries);
  
-                       info23.usri23_flags = info21->acct_flags;
+                       break;
+               case 20:
+                       status = info21_to_USER_INFO_20(mem_ctx, info21, &info20);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
-                       if (!sid_compose(&sid, domain_sid, rid)) {
-                               return NT_STATUS_NO_MEMORY;
-                       }
+                       ADD_TO_ARRAY(mem_ctx, struct USER_INFO_20, info20,
+                                    (struct USER_INFO_20 **)buffer, num_entries);
  
-                       info23.usri23_user_sid =
-                               (struct domsid *)sid_dup_talloc(mem_ctx, &sid);
+                       break;
+               case 23:
+                       status = info21_to_USER_INFO_23(mem_ctx, info21, domain_sid, &info23);
+                       NT_STATUS_NOT_OK_RETURN(status);
  
                         ADD_TO_ARRAY(mem_ctx, struct USER_INFO_23, info23,
                                      (struct USER_INFO_23 **)buffer, num_entries);
                         break;
+               default:
+                       return NT_STATUS_INVALID_LEVEL;
         }
  
   done:
@@ -804,21 +1273,23 @@ static NTSTATUS libnetapi_samr_lookup_user_map_USER_INFO(TALLOC_CTX *mem_ctx,
  WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
                      struct NetUserEnum *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
         struct policy_handle connect_handle;
         struct dom_sid2 *domain_sid = NULL;
-       struct policy_handle domain_handle;
+       struct policy_handle domain_handle, builtin_handle;
         struct samr_SamArray *sam = NULL;
         uint32_t filter = ACB_NORMAL;
         int i;
         uint32_t entries_read = 0;
  
         NTSTATUS status = NT_STATUS_OK;
+       NTSTATUS result = NT_STATUS_OK;
         WERROR werr;
+       struct dcerpc_binding_handle *b = NULL;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(domain_handle);
+       ZERO_STRUCT(builtin_handle);
  
         if (!r->out.buffer) {
                 return WERR_INVALID_PARAM;
@@ -829,29 +1300,42 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
  
         switch (r->in.level) {
                 case 0:
-               case 10:
-               case 20:
-               case 23:
-                       break;
                 case 1:
                 case 2:
                 case 3:
+               case 4:
+               case 10:
                 case 11:
+               case 20:
+               case 23:
+                       break;
                 default:
-                       return WERR_NOT_SUPPORTED;
+                       return WERR_UNKNOWN_LEVEL;
         }
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
+       werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+                                                 SAMR_ACCESS_ENUM_DOMAINS |
+                                                 SAMR_ACCESS_LOOKUP_DOMAIN,
+                                                 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+                                                 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+                                                 &connect_handle,
+                                                 &builtin_handle);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
                                           SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
@@ -882,16 +1366,21 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
                         break;
         }
  
-       status = rpccli_samr_EnumDomainUsers(pipe_cli,
+       status = dcerpc_samr_EnumDomainUsers(b,
                                              ctx,
                                              &domain_handle,
                                              r->in.resume_handle,
                                              filter,
                                              &sam,
                                              r->in.prefmaxlen,
-                                            &entries_read);
-       werr = ntstatus_to_werror(status);
-       if (NT_STATUS_IS_ERR(status)) {
+                                            &entries_read,
+                                            &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       werr = ntstatus_to_werror(result);
+       if (NT_STATUS_IS_ERR(result)) {
                 goto done;
         }
  
@@ -900,7 +1389,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
                 status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
                                                                   domain_sid,
                                                                   &domain_handle,
-                                                                 NULL, /*&builtin_handle, */
+                                                                 &builtin_handle,
                                                                   sam->entries[i].name.string,
                                                                   sam->entries[i].idx,
                                                                   r->in.level,
@@ -913,16 +1402,13 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
         }
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
         /* if last query */
-       if (NT_STATUS_IS_OK(status) ||
-           NT_STATUS_IS_ERR(status)) {
+       if (NT_STATUS_IS_OK(result) ||
+           NT_STATUS_IS_ERR(result)) {
  
                 if (ctx->disable_policy_handle_cache) {
                         libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+                       libnetapi_samr_close_builtin_handle(ctx, &builtin_handle);
                         libnetapi_samr_close_connect_handle(ctx, &connect_handle);
                 }
         }
@@ -1094,10 +1580,10 @@ static WERROR convert_samr_dispinfo_to_NET_DISPLAY(TALLOC_CTX *mem_ctx,
                                                                           entries_read,
                                                                           buffer);
                 default:
-                       return WERR_UNKNOWN_LEVEL;
+                       break;
         }
  
-       return WERR_OK;
+       return WERR_UNKNOWN_LEVEL;
  }
  
  /****************************************************************
@@ -1106,18 +1592,22 @@ static WERROR convert_samr_dispinfo_to_NET_DISPLAY(TALLOC_CTX *mem_ctx,
  WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
                                     struct NetQueryDisplayInformation *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
         struct policy_handle connect_handle;
         struct dom_sid2 *domain_sid = NULL;
         struct policy_handle domain_handle;
         union samr_DispInfo info;
+       struct dcerpc_binding_handle *b = NULL;
  
         uint32_t total_size = 0;
         uint32_t returned_size = 0;
  
         NTSTATUS status = NT_STATUS_OK;
+       NTSTATUS result = NT_STATUS_OK;
         WERROR werr;
+       WERROR werr_tmp;
+
+       *r->out.entries_read = 0;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(domain_handle);
@@ -1133,15 +1623,16 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 |
                                           SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
@@ -1152,7 +1643,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
                 goto done;
         }
  
-       status = rpccli_samr_QueryDisplayInfo2(pipe_cli,
+       status = dcerpc_samr_QueryDisplayInfo2(b,
                                                ctx,
                                                &domain_handle,
                                                r->in.level,
@@ -1161,24 +1652,28 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
                                                r->in.prefmaxlen,
                                                &total_size,
                                                &returned_size,
-                                              &info);
+                                              &info,
+                                              &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
-
-       werr = convert_samr_dispinfo_to_NET_DISPLAY(ctx, &info,
-                                                   r->in.level,
-                                                   r->out.entries_read,
-                                                   r->out.buffer);
- done:
-       if (!cli) {
-               return werr;
+       werr = ntstatus_to_werror(result);
+       if (NT_STATUS_IS_ERR(result)) {
+               goto done;
         }
  
+       werr_tmp = convert_samr_dispinfo_to_NET_DISPLAY(ctx, &info,
+                                                       r->in.level,
+                                                       r->out.entries_read,
+                                                       r->out.buffer);
+       if (!W_ERROR_IS_OK(werr_tmp)) {
+               werr = werr_tmp;
+       }
+ done:
         /* if last query */
-       if (NT_STATUS_IS_OK(status) ||
-           NT_STATUS_IS_ERR(status)) {
+       if (NT_STATUS_IS_OK(result) ||
+           NT_STATUS_IS_ERR(result)) {
  
                 if (ctx->disable_policy_handle_cache) {
                         libnetapi_samr_close_domain_handle(ctx, &domain_handle);
@@ -1224,9 +1719,8 @@ WERROR NetUserChangePassword_l(struct libnetapi_ctx *ctx,
  WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
                         struct NetUserGetInfo *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
-       NTSTATUS status;
+       NTSTATUS status, result;
         WERROR werr;
  
         struct policy_handle connect_handle, domain_handle, builtin_handle, user_handle;
@@ -1234,6 +1728,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
         struct dom_sid2 *domain_sid = NULL;
         struct samr_Ids user_rids, name_types;
         uint32_t num_entries = 0;
+       struct dcerpc_binding_handle *b = NULL;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(domain_handle);
@@ -1246,27 +1741,32 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
  
         switch (r->in.level) {
                 case 0:
-               /* case 1: */
+               case 1:
+               case 2:
+               case 3:
+               case 4:
                 case 10:
+               case 11:
                 case 20:
                 case 23:
                         break;
                 default:
-                       werr = WERR_NOT_SUPPORTED;
+                       werr = WERR_UNKNOWN_LEVEL;
                         goto done;
         }
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
                                           &connect_handle,
                                           &domain_handle,
@@ -1277,7 +1777,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
                                                   SAMR_ACCESS_ENUM_DOMAINS |
-                                                 SAMR_ACCESS_OPEN_DOMAIN,
+                                                 SAMR_ACCESS_LOOKUP_DOMAIN,
                                                   SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
                                                   SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
                                                   &connect_handle,
@@ -1288,16 +1788,21 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
  
         init_lsa_String(&lsa_account_name, r->in.user_name);
  
-       status = rpccli_samr_LookupNames(pipe_cli, ctx,
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
                                          &domain_handle,
                                          1,
                                          &lsa_account_name,
                                          &user_rids,
-                                        &name_types);
+                                        &name_types,
+                                        &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
                                                           domain_sid,
@@ -1314,12 +1819,8 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
         }
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
-       if (is_valid_policy_hnd(&user_handle)) {
-               rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+       if (is_valid_policy_hnd(&user_handle) && b) {
+               dcerpc_samr_Close(b, talloc_tos(), &user_handle, &result);
         }
  
         if (ctx->disable_policy_handle_cache) {
@@ -1345,9 +1846,8 @@ WERROR NetUserGetInfo_l(struct libnetapi_ctx *ctx,
  WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
                         struct NetUserSetInfo *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
-       NTSTATUS status;
+       NTSTATUS status, result;
         WERROR werr;
  
         struct policy_handle connect_handle, domain_handle, builtin_handle, user_handle;
@@ -1357,6 +1857,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
         uint32_t user_mask = 0;
  
         struct USER_INFO_X uX;
+       struct dcerpc_binding_handle *b = NULL;
+       DATA_BLOB session_key;
  
         ZERO_STRUCT(connect_handle);
         ZERO_STRUCT(domain_handle);
@@ -1369,6 +1871,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
  
         switch (r->in.level) {
                 case 0:
+                       user_mask = SAMR_USER_ACCESS_SET_ATTRIBUTES;
+                       break;
                 case 1003:
                         user_mask = SAMR_USER_ACCESS_SET_PASSWORD;
                         break;
@@ -1388,22 +1892,44 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
                         user_mask = SAMR_USER_ACCESS_SET_ATTRIBUTES |
                                     SAMR_USER_ACCESS_GET_GROUPS;
                         break;
-               default:
+               case 3:
+                       user_mask = SEC_STD_READ_CONTROL |
+                                   SEC_STD_WRITE_DAC |
+                                   SAMR_USER_ACCESS_GET_GROUPS |
+                                   SAMR_USER_ACCESS_SET_PASSWORD |
+                                   SAMR_USER_ACCESS_SET_ATTRIBUTES |
+                                   SAMR_USER_ACCESS_GET_ATTRIBUTES |
+                                   SAMR_USER_ACCESS_SET_LOC_COM;
+                       break;
+               case 1:
+               case 2:
+               case 4:
+               case 21:
+               case 22:
+               case 1005:
+               case 1008:
+               case 1010:
+               case 1017:
+               case 1020:
                         werr = WERR_NOT_SUPPORTED;
                         goto done;
+               default:
+                       werr = WERR_UNKNOWN_LEVEL;
+                       goto done;
         }
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
         }
  
+       b = pipe_cli->binding_handle;
+
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 |
                                           SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
                                           &connect_handle,
@@ -1415,7 +1941,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
                                                   SAMR_ACCESS_ENUM_DOMAINS |
-                                                 SAMR_ACCESS_OPEN_DOMAIN,
+                                                 SAMR_ACCESS_LOOKUP_DOMAIN,
                                                   SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
                                                   SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
                                                   &connect_handle,
@@ -1426,26 +1952,36 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
  
         init_lsa_String(&lsa_account_name, r->in.user_name);
  
-       status = rpccli_samr_LookupNames(pipe_cli, ctx,
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
                                          &domain_handle,
                                          1,
                                          &lsa_account_name,
                                          &user_rids,
-                                        &name_types);
+                                        &name_types,
+                                        &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
-       status = rpccli_samr_OpenUser(pipe_cli, ctx,
+       status = dcerpc_samr_OpenUser(b, talloc_tos(),
                                       &domain_handle,
                                       user_mask,
                                       user_rids.ids[0],
-                                     &user_handle);
+                                     &user_handle,
+                                     &result);
         if (!NT_STATUS_IS_OK(status)) {
                 werr = ntstatus_to_werror(status);
                 goto done;
         }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
  
         status = construct_USER_INFO_X(r->in.level, r->in.buffer, &uX);
         if (!NT_STATUS_IS_OK(status)) {
@@ -1453,8 +1989,14 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
                 goto done;
         }
  
+       status = cli_get_session_key(talloc_tos(), pipe_cli, &session_key);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+
         status = set_user_info_USER_INFO_X(ctx, pipe_cli,
-                                          &cli->user_session_key,
+                                          &session_key,
                                            &user_handle,
                                            &uX);
         if (!NT_STATUS_IS_OK(status)) {
@@ -1465,12 +2007,8 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
         werr = WERR_OK;
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
-       if (is_valid_policy_hnd(&user_handle)) {
-               rpccli_samr_Close(pipe_cli, ctx, &user_handle);
+       if (is_valid_policy_hnd(&user_handle) && b) {
+               dcerpc_samr_Close(b, talloc_tos(), &user_handle, &result);
         }
  
         if (ctx->disable_policy_handle_cache) {
@@ -1504,65 +2042,78 @@ static NTSTATUS query_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
                                            struct samr_DomInfo7 *info7,
                                            struct samr_DomInfo12 *info12)
  {
-       NTSTATUS status;
+       NTSTATUS status, result;
         union samr_DomainInfo *dom_info = NULL;
+       struct dcerpc_binding_handle *b = pipe_cli->binding_handle;
  
         if (info1) {
-               status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
                                                      domain_handle,
                                                      1,
-                                                    &dom_info);
+                                                    &dom_info,
+                                                    &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info1 = dom_info->info1;
         }
  
         if (info3) {
-               status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
                                                      domain_handle,
                                                      3,
-                                                    &dom_info);
+                                                    &dom_info,
+                                                    &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info3 = dom_info->info3;
         }
  
         if (info5) {
-               status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
                                                      domain_handle,
                                                      5,
-                                                    &dom_info);
+                                                    &dom_info,
+                                                    &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info5 = dom_info->info5;
         }
  
         if (info6) {
-               status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
                                                      domain_handle,
                                                      6,
-                                                    &dom_info);
+                                                    &dom_info,
+                                                    &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info6 = dom_info->info6;
         }
  
         if (info7) {
-               status = rpccli_samr_QueryDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo(b, mem_ctx,
                                                      domain_handle,
                                                      7,
-                                                    &dom_info);
+                                                    &dom_info,
+                                                    &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info7 = dom_info->info7;
         }
  
         if (info12) {
-               status = rpccli_samr_QueryDomainInfo2(pipe_cli, mem_ctx,
+               status = dcerpc_samr_QueryDomainInfo2(b, mem_ctx,
                                                       domain_handle,
                                                       12,
-                                                     &dom_info);
+                                                     &dom_info,
+                                                     &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
  
                 *info12 = dom_info->info12;
         }
@@ -1667,7 +2218,7 @@ static NTSTATUS query_USER_MODALS_INFO_2(TALLOC_CTX *mem_ctx,
         info2->usrmod2_domain_name =
                 talloc_strdup(mem_ctx, dom_info5.domain_name.string);
         info2->usrmod2_domain_id =
-               (struct domsid *)sid_dup_talloc(mem_ctx, domain_sid);
+               (struct domsid *)dom_sid_dup(mem_ctx, domain_sid);
  
         NT_STATUS_HAVE_NO_MEMORY(info2->usrmod2_domain_name);
         NT_STATUS_HAVE_NO_MEMORY(info2->usrmod2_domain_id);
@@ -1786,7 +2337,6 @@ static NTSTATUS query_USER_MODALS_INFO_to_buffer(TALLOC_CTX *mem_ctx,
  WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
                           struct NetUserModalsGet *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
         NTSTATUS status;
         WERROR werr;
@@ -1821,7 +2371,6 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
@@ -1829,7 +2378,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           access_mask,
                                           &connect_handle,
                                           &domain_handle,
@@ -1855,10 +2404,6 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
         }
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
         if (ctx->disable_policy_handle_cache) {
                 libnetapi_samr_close_domain_handle(ctx, &domain_handle);
                 libnetapi_samr_close_connect_handle(ctx, &connect_handle);
@@ -1886,8 +2431,9 @@ static NTSTATUS set_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
                                          struct samr_DomInfo3 *info3,
                                          struct samr_DomInfo12 *info12)
  {
-       NTSTATUS status;
+       NTSTATUS status, result;
         union samr_DomainInfo dom_info;
+       struct dcerpc_binding_handle *b = pipe_cli->binding_handle;
  
         if (info1) {
  
@@ -1895,11 +2441,13 @@ static NTSTATUS set_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
  
                 dom_info.info1 = *info1;
  
-               status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_SetDomainInfo(b, mem_ctx,
                                                    domain_handle,
                                                    1,
-                                                  &dom_info);
+                                                  &dom_info,
+                                                  &result);
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
         }
  
         if (info3) {
@@ -1908,12 +2456,14 @@ static NTSTATUS set_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
  
                 dom_info.info3 = *info3;
  
-               status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_SetDomainInfo(b, mem_ctx,
                                                    domain_handle,
                                                    3,
-                                                  &dom_info);
+                                                  &dom_info,
+                                                  &result);
  
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
         }
  
         if (info12) {
@@ -1922,12 +2472,14 @@ static NTSTATUS set_USER_MODALS_INFO_rpc(TALLOC_CTX *mem_ctx,
  
                 dom_info.info12 = *info12;
  
-               status = rpccli_samr_SetDomainInfo(pipe_cli, mem_ctx,
+               status = dcerpc_samr_SetDomainInfo(b, mem_ctx,
                                                    domain_handle,
                                                    12,
-                                                  &dom_info);
+                                                  &dom_info,
+                                                  &result);
  
                 NT_STATUS_NOT_OK_RETURN(status);
+               NT_STATUS_NOT_OK_RETURN(result);
         }
  
         return NT_STATUS_OK;
@@ -2257,7 +2809,6 @@ static NTSTATUS set_USER_MODALS_INFO_buffer(TALLOC_CTX *mem_ctx,
  WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
                           struct NetUserModalsSet *r)
  {
-       struct cli_state *cli = NULL;
         struct rpc_pipe_client *pipe_cli = NULL;
         NTSTATUS status;
         WERROR werr;
@@ -2305,7 +2856,6 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_open_pipe(ctx, r->in.server_name,
                                    &ndr_table_samr.syntax_id,
-                                  &cli,
                                    &pipe_cli);
         if (!W_ERROR_IS_OK(werr)) {
                 goto done;
@@ -2313,7 +2863,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
  
         werr = libnetapi_samr_open_domain(ctx, pipe_cli,
                                           SAMR_ACCESS_ENUM_DOMAINS |
-                                         SAMR_ACCESS_OPEN_DOMAIN,
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
                                           access_mask,
                                           &connect_handle,
                                           &domain_handle,
@@ -2334,10 +2884,6 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
         }
  
   done:
-       if (!cli) {
-               return werr;
-       }
-
         if (ctx->disable_policy_handle_cache) {
                 libnetapi_samr_close_domain_handle(ctx, &domain_handle);
                 libnetapi_samr_close_connect_handle(ctx, &connect_handle);
@@ -2354,3 +2900,794 @@ WERROR NetUserModalsSet_l(struct libnetapi_ctx *ctx,
  {
         LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserModalsSet);
  }
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS add_GROUP_USERS_INFO_X_buffer(TALLOC_CTX *mem_ctx,
+                                      uint32_t level,
+                                      const char *group_name,
+                                      uint32_t attributes,
+                                      uint8_t **buffer,
+                                      uint32_t *num_entries)
+{
+       struct GROUP_USERS_INFO_0 u0;
+       struct GROUP_USERS_INFO_1 u1;
+
+       switch (level) {
+               case 0:
+                       if (group_name) {
+                               u0.grui0_name = talloc_strdup(mem_ctx, group_name);
+                               NT_STATUS_HAVE_NO_MEMORY(u0.grui0_name);
+                       } else {
+                               u0.grui0_name = NULL;
+                       }
+
+                       ADD_TO_ARRAY(mem_ctx, struct GROUP_USERS_INFO_0, u0,
+                                    (struct GROUP_USERS_INFO_0 **)buffer, num_entries);
+                       break;
+               case 1:
+                       if (group_name) {
+                               u1.grui1_name = talloc_strdup(mem_ctx, group_name);
+                               NT_STATUS_HAVE_NO_MEMORY(u1.grui1_name);
+                       } else {
+                               u1.grui1_name = NULL;
+                       }
+
+                       u1.grui1_attributes = attributes;
+
+                       ADD_TO_ARRAY(mem_ctx, struct GROUP_USERS_INFO_1, u1,
+                                    (struct GROUP_USERS_INFO_1 **)buffer, num_entries);
+                       break;
+               default:
+                       return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
+                         struct NetUserGetGroups *r)
+{
+       struct rpc_pipe_client *pipe_cli = NULL;
+       struct policy_handle connect_handle, domain_handle, user_handle;
+       struct lsa_String lsa_account_name;
+       struct dom_sid2 *domain_sid = NULL;
+       struct samr_Ids user_rids, name_types;
+       struct samr_RidWithAttributeArray *rid_array = NULL;
+       struct lsa_Strings names;
+       struct samr_Ids types;
+       uint32_t *rids = NULL;
+
+       int i;
+       uint32_t entries_read = 0;
+
+       NTSTATUS status = NT_STATUS_OK;
+       NTSTATUS result = NT_STATUS_OK;
+       WERROR werr;
+       struct dcerpc_binding_handle *b = NULL;
+
+       ZERO_STRUCT(connect_handle);
+       ZERO_STRUCT(domain_handle);
+
+       if (!r->out.buffer) {
+               return WERR_INVALID_PARAM;
+       }
+
+       *r->out.buffer = NULL;
+       *r->out.entries_read = 0;
+       *r->out.total_entries = 0;
+
+       switch (r->in.level) {
+               case 0:
+               case 1:
+                       break;
+               default:
+                       return WERR_UNKNOWN_LEVEL;
+       }
+
+       werr = libnetapi_open_pipe(ctx, r->in.server_name,
+                                  &ndr_table_samr.syntax_id,
+                                  &pipe_cli);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       b = pipe_cli->binding_handle;
+
+       werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+                                         SAMR_ACCESS_ENUM_DOMAINS |
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
+                                         SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+                                         &connect_handle,
+                                         &domain_handle,
+                                         &domain_sid);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       init_lsa_String(&lsa_account_name, r->in.user_name);
+
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
+                                        &domain_handle,
+                                        1,
+                                        &lsa_account_name,
+                                        &user_rids,
+                                        &name_types,
+                                        &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = dcerpc_samr_OpenUser(b, talloc_tos(),
+                                     &domain_handle,
+                                     SAMR_USER_ACCESS_GET_GROUPS,
+                                     user_rids.ids[0],
+                                     &user_handle,
+                                     &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = dcerpc_samr_GetGroupsForUser(b, talloc_tos(),
+                                             &user_handle,
+                                             &rid_array,
+                                             &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       rids = talloc_array(ctx, uint32_t, rid_array->count);
+       if (!rids) {
+               werr = WERR_NOMEM;
+               goto done;
+       }
+
+       for (i=0; i < rid_array->count; i++) {
+               rids[i] = rid_array->rids[i].rid;
+       }
+
+       status = dcerpc_samr_LookupRids(b, talloc_tos(),
+                                       &domain_handle,
+                                       rid_array->count,
+                                       rids,
+                                       &names,
+                                       &types,
+                                       &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result) &&
+           !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       for (i=0; i < names.count; i++) {
+               status = add_GROUP_USERS_INFO_X_buffer(ctx,
+                                                      r->in.level,
+                                                      names.names[i].string,
+                                                      rid_array->rids[i].attributes,
+                                                      r->out.buffer,
+                                                      &entries_read);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+       }
+
+       *r->out.entries_read = entries_read;
+       *r->out.total_entries = entries_read;
+
+ done:
+       if (ctx->disable_policy_handle_cache) {
+               libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+               libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+       }
+
+       return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetGroups_l(struct libnetapi_ctx *ctx,
+                         struct NetUserGetGroups *r)
+{
+       LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserGetGroups);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
+                         struct NetUserSetGroups *r)
+{
+       struct rpc_pipe_client *pipe_cli = NULL;
+       struct policy_handle connect_handle, domain_handle, user_handle, group_handle;
+       struct lsa_String lsa_account_name;
+       struct dom_sid2 *domain_sid = NULL;
+       struct samr_Ids user_rids, name_types;
+       struct samr_Ids group_rids;
+       struct samr_RidWithAttributeArray *rid_array = NULL;
+       struct lsa_String *lsa_names = NULL;
+
+       uint32_t *add_rids = NULL;
+       uint32_t *del_rids = NULL;
+       size_t num_add_rids = 0;
+       size_t num_del_rids = 0;
+
+       uint32_t *member_rids = NULL;
+
+       struct GROUP_USERS_INFO_0 *i0 = NULL;
+       struct GROUP_USERS_INFO_1 *i1 = NULL;
+
+       int i, k;
+
+       NTSTATUS status = NT_STATUS_OK;
+       NTSTATUS result = NT_STATUS_OK;
+       WERROR werr;
+       struct dcerpc_binding_handle *b = NULL;
+
+       ZERO_STRUCT(connect_handle);
+       ZERO_STRUCT(domain_handle);
+
+       if (!r->in.buffer) {
+               return WERR_INVALID_PARAM;
+       }
+
+       switch (r->in.level) {
+               case 0:
+               case 1:
+                       break;
+               default:
+                       return WERR_UNKNOWN_LEVEL;
+       }
+
+       werr = libnetapi_open_pipe(ctx, r->in.server_name,
+                                  &ndr_table_samr.syntax_id,
+                                  &pipe_cli);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       b = pipe_cli->binding_handle;
+
+       werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+                                         SAMR_ACCESS_ENUM_DOMAINS |
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
+                                         SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
+                                         &connect_handle,
+                                         &domain_handle,
+                                         &domain_sid);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       init_lsa_String(&lsa_account_name, r->in.user_name);
+
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
+                                        &domain_handle,
+                                        1,
+                                        &lsa_account_name,
+                                        &user_rids,
+                                        &name_types,
+                                        &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = dcerpc_samr_OpenUser(b, talloc_tos(),
+                                     &domain_handle,
+                                     SAMR_USER_ACCESS_GET_GROUPS,
+                                     user_rids.ids[0],
+                                     &user_handle,
+                                     &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       switch (r->in.level) {
+               case 0:
+                       i0 = (struct GROUP_USERS_INFO_0 *)r->in.buffer;
+                       break;
+               case 1:
+                       i1 = (struct GROUP_USERS_INFO_1 *)r->in.buffer;
+                       break;
+       }
+
+       lsa_names = talloc_array(ctx, struct lsa_String, r->in.num_entries);
+       if (!lsa_names) {
+               werr = WERR_NOMEM;
+               goto done;
+       }
+
+       for (i=0; i < r->in.num_entries; i++) {
+
+               switch (r->in.level) {
+                       case 0:
+                               init_lsa_String(&lsa_names[i], i0->grui0_name);
+                               i0++;
+                               break;
+                       case 1:
+                               init_lsa_String(&lsa_names[i], i1->grui1_name);
+                               i1++;
+                               break;
+               }
+       }
+
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
+                                        &domain_handle,
+                                        r->in.num_entries,
+                                        lsa_names,
+                                        &group_rids,
+                                        &name_types,
+                                        &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       member_rids = group_rids.ids;
+
+       status = dcerpc_samr_GetGroupsForUser(b, talloc_tos(),
+                                             &user_handle,
+                                             &rid_array,
+                                             &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       /* add list */
+
+       for (i=0; i < r->in.num_entries; i++) {
+               bool already_member = false;
+               for (k=0; k < rid_array->count; k++) {
+                       if (member_rids[i] == rid_array->rids[k].rid) {
+                               already_member = true;
+                               break;
+                       }
+               }
+               if (!already_member) {
+                       if (!add_rid_to_array_unique(ctx,
+                                                    member_rids[i],
+                                                    &add_rids, &num_add_rids)) {
+                               werr = WERR_GENERAL_FAILURE;
+                               goto done;
+                       }
+               }
+       }
+
+       /* del list */
+
+       for (k=0; k < rid_array->count; k++) {
+               bool keep_member = false;
+               for (i=0; i < r->in.num_entries; i++) {
+                       if (member_rids[i] == rid_array->rids[k].rid) {
+                               keep_member = true;
+                               break;
+                       }
+               }
+               if (!keep_member) {
+                       if (!add_rid_to_array_unique(ctx,
+                                                    rid_array->rids[k].rid,
+                                                    &del_rids, &num_del_rids)) {
+                               werr = WERR_GENERAL_FAILURE;
+                               goto done;
+                       }
+               }
+       }
+
+       /* add list */
+
+       for (i=0; i < num_add_rids; i++) {
+               status = dcerpc_samr_OpenGroup(b, talloc_tos(),
+                                              &domain_handle,
+                                              SAMR_GROUP_ACCESS_ADD_MEMBER,
+                                              add_rids[i],
+                                              &group_handle,
+                                              &result);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+               if (!NT_STATUS_IS_OK(result)) {
+                       werr = ntstatus_to_werror(result);
+                       goto done;
+               }
+
+               status = dcerpc_samr_AddGroupMember(b, talloc_tos(),
+                                                   &group_handle,
+                                                   user_rids.ids[0],
+                                                   7 /* ? */,
+                                                   &result);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+               if (!NT_STATUS_IS_OK(result)) {
+                       werr = ntstatus_to_werror(result);
+                       goto done;
+               }
+
+               if (is_valid_policy_hnd(&group_handle)) {
+                       dcerpc_samr_Close(b, talloc_tos(), &group_handle, &result);
+               }
+       }
+
+       /* del list */
+
+       for (i=0; i < num_del_rids; i++) {
+               status = dcerpc_samr_OpenGroup(b, talloc_tos(),
+                                              &domain_handle,
+                                              SAMR_GROUP_ACCESS_REMOVE_MEMBER,
+                                              del_rids[i],
+                                              &group_handle,
+                                              &result);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+               if (!NT_STATUS_IS_OK(result)) {
+                       werr = ntstatus_to_werror(result);
+                       goto done;
+               }
+
+               status = dcerpc_samr_DeleteGroupMember(b, talloc_tos(),
+                                                      &group_handle,
+                                                      user_rids.ids[0],
+                                                      &result);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+               if (!NT_STATUS_IS_OK(result)) {
+                       werr = ntstatus_to_werror(result);
+                       goto done;
+               }
+
+               if (is_valid_policy_hnd(&group_handle)) {
+                       dcerpc_samr_Close(b, talloc_tos(), &group_handle, &result);
+               }
+       }
+
+       werr = WERR_OK;
+
+ done:
+       if (is_valid_policy_hnd(&group_handle)) {
+               dcerpc_samr_Close(b, talloc_tos(), &group_handle, &result);
+       }
+
+       if (ctx->disable_policy_handle_cache) {
+               libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+               libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+       }
+
+       return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserSetGroups_l(struct libnetapi_ctx *ctx,
+                         struct NetUserSetGroups *r)
+{
+       LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserSetGroups);
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS add_LOCALGROUP_USERS_INFO_X_buffer(TALLOC_CTX *mem_ctx,
+                                                  uint32_t level,
+                                                  const char *group_name,
+                                                  uint8_t **buffer,
+                                                  uint32_t *num_entries)
+{
+       struct LOCALGROUP_USERS_INFO_0 u0;
+
+       switch (level) {
+               case 0:
+                       u0.lgrui0_name = talloc_strdup(mem_ctx, group_name);
+                       NT_STATUS_HAVE_NO_MEMORY(u0.lgrui0_name);
+
+                       ADD_TO_ARRAY(mem_ctx, struct LOCALGROUP_USERS_INFO_0, u0,
+                                    (struct LOCALGROUP_USERS_INFO_0 **)buffer, num_entries);
+                       break;
+               default:
+                       return NT_STATUS_INVALID_INFO_CLASS;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
+                              struct NetUserGetLocalGroups *r)
+{
+       struct rpc_pipe_client *pipe_cli = NULL;
+       struct policy_handle connect_handle, domain_handle, user_handle,
+       builtin_handle;
+       struct lsa_String lsa_account_name;
+       struct dom_sid2 *domain_sid = NULL;
+       struct samr_Ids user_rids, name_types;
+       struct samr_RidWithAttributeArray *rid_array = NULL;
+       struct lsa_Strings names;
+       struct samr_Ids types;
+       uint32_t *rids = NULL;
+       size_t num_rids = 0;
+       struct dom_sid user_sid;
+       struct lsa_SidArray sid_array;
+       struct samr_Ids domain_rids;
+       struct samr_Ids builtin_rids;
+
+       int i;
+       uint32_t entries_read = 0;
+
+       NTSTATUS status = NT_STATUS_OK;
+       NTSTATUS result = NT_STATUS_OK;
+       WERROR werr;
+       struct dcerpc_binding_handle *b = NULL;
+
+       ZERO_STRUCT(connect_handle);
+       ZERO_STRUCT(domain_handle);
+
+       if (!r->out.buffer) {
+               return WERR_INVALID_PARAM;
+       }
+
+       *r->out.buffer = NULL;
+       *r->out.entries_read = 0;
+       *r->out.total_entries = 0;
+
+       switch (r->in.level) {
+               case 0:
+               case 1:
+                       break;
+               default:
+                       return WERR_UNKNOWN_LEVEL;
+       }
+
+       werr = libnetapi_open_pipe(ctx, r->in.server_name,
+                                  &ndr_table_samr.syntax_id,
+                                  &pipe_cli);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       b = pipe_cli->binding_handle;
+
+       werr = libnetapi_samr_open_domain(ctx, pipe_cli,
+                                         SAMR_ACCESS_ENUM_DOMAINS |
+                                         SAMR_ACCESS_LOOKUP_DOMAIN,
+                                         SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+                                         SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+                                         &connect_handle,
+                                         &domain_handle,
+                                         &domain_sid);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       werr = libnetapi_samr_open_builtin_domain(ctx, pipe_cli,
+                                                 SAMR_ACCESS_ENUM_DOMAINS |
+                                                 SAMR_ACCESS_LOOKUP_DOMAIN,
+                                                 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+                                                 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS,
+                                                 &connect_handle,
+                                                 &builtin_handle);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
+       init_lsa_String(&lsa_account_name, r->in.user_name);
+
+       status = dcerpc_samr_LookupNames(b, talloc_tos(),
+                                        &domain_handle,
+                                        1,
+                                        &lsa_account_name,
+                                        &user_rids,
+                                        &name_types,
+                                        &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = dcerpc_samr_OpenUser(b, talloc_tos(),
+                                     &domain_handle,
+                                     SAMR_USER_ACCESS_GET_GROUPS,
+                                     user_rids.ids[0],
+                                     &user_handle,
+                                     &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       status = dcerpc_samr_GetGroupsForUser(b, talloc_tos(),
+                                             &user_handle,
+                                             &rid_array,
+                                             &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       if (!sid_compose(&user_sid, domain_sid, user_rids.ids[0])) {
+               werr = WERR_NOMEM;
+               goto done;
+       }
+
+       sid_array.num_sids = rid_array->count + 1;
+       sid_array.sids = talloc_array(ctx, struct lsa_SidPtr, sid_array.num_sids);
+       if (!sid_array.sids) {
+               werr = WERR_NOMEM;
+               goto done;
+       }
+
+       sid_array.sids[0].sid = dom_sid_dup(ctx, &user_sid);
+       if (!sid_array.sids[0].sid) {
+               werr = WERR_NOMEM;
+               goto done;
+       }
+
+       for (i=0; i < rid_array->count; i++) {
+               struct dom_sid sid;
+
+               if (!sid_compose(&sid, domain_sid, rid_array->rids[i].rid)) {
+                       werr = WERR_NOMEM;
+                       goto done;
+               }
+
+               sid_array.sids[i+1].sid = dom_sid_dup(ctx, &sid);
+               if (!sid_array.sids[i+1].sid) {
+                       werr = WERR_NOMEM;
+                       goto done;
+               }
+       }
+
+       status = dcerpc_samr_GetAliasMembership(b, talloc_tos(),
+                                               &domain_handle,
+                                               &sid_array,
+                                               &domain_rids,
+                                               &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       for (i=0; i < domain_rids.count; i++) {
+               if (!add_rid_to_array_unique(ctx, domain_rids.ids[i],
+                                            &rids, &num_rids)) {
+                       werr = WERR_NOMEM;
+                       goto done;
+               }
+       }
+
+       status = dcerpc_samr_GetAliasMembership(b, talloc_tos(),
+                                               &builtin_handle,
+                                               &sid_array,
+                                               &builtin_rids,
+                                               &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       for (i=0; i < builtin_rids.count; i++) {
+               if (!add_rid_to_array_unique(ctx, builtin_rids.ids[i],
+                                            &rids, &num_rids)) {
+                       werr = WERR_NOMEM;
+                       goto done;
+               }
+       }
+
+       status = dcerpc_samr_LookupRids(b, talloc_tos(),
+                                       &builtin_handle,
+                                       num_rids,
+                                       rids,
+                                       &names,
+                                       &types,
+                                       &result);
+       if (!NT_STATUS_IS_OK(status)) {
+               werr = ntstatus_to_werror(status);
+               goto done;
+       }
+       if (!NT_STATUS_IS_OK(result)) {
+               werr = ntstatus_to_werror(result);
+               goto done;
+       }
+
+       for (i=0; i < names.count; i++) {
+               status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,
+                                                           r->in.level,
+                                                           names.names[i].string,
+                                                           r->out.buffer,
+                                                           &entries_read);
+               if (!NT_STATUS_IS_OK(status)) {
+                       werr = ntstatus_to_werror(status);
+                       goto done;
+               }
+       }
+
+       *r->out.entries_read = entries_read;
+       *r->out.total_entries = entries_read;
+
+ done:
+       if (ctx->disable_policy_handle_cache) {
+               libnetapi_samr_close_domain_handle(ctx, &domain_handle);
+               libnetapi_samr_close_connect_handle(ctx, &connect_handle);
+       }
+
+       return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR NetUserGetLocalGroups_l(struct libnetapi_ctx *ctx,
+                              struct NetUserGetLocalGroups *r)
+{
+       LIBNETAPI_REDIRECT_TO_LOCALHOST(ctx, r, NetUserGetLocalGroups);
+}