s4-torture: fixed a pipe leak

[ira/wip.git] / source4 / torture / rpc / samr.c
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c

index 40d57bc7878770bf808b5c5153389fd2410ed055..41de9d8c6d050e28ae45689fde97fe6ad4167fac 100644 (file)
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -4,6 +4,7 @@
  
     Copyright (C) Andrew Tridgell 2003
     Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+   Copyright (C) Guenther Deschner 2008,2009
  
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -26,6 +27,7 @@
  #include "librpc/gen_ndr/ndr_netlogon.h"
  #include "librpc/gen_ndr/ndr_netlogon_c.h"
  #include "librpc/gen_ndr/ndr_samr_c.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
  #include "../lib/crypto/crypto.h"
  #include "libcli/auth/libcli_auth.h"
  #include "libcli/security/security.h"
@@ -45,7 +47,11 @@ enum torture_samr_choice {
         TORTURE_SAMR_PASSWORDS,
         TORTURE_SAMR_PASSWORDS_PWDLASTSET,
         TORTURE_SAMR_USER_ATTRIBUTES,
-       TORTURE_SAMR_OTHER
+       TORTURE_SAMR_USER_PRIVILEGES,
+       TORTURE_SAMR_OTHER,
+       TORTURE_SAMR_MANY_ACCOUNTS,
+       TORTURE_SAMR_MANY_GROUPS,
+       TORTURE_SAMR_MANY_ALIASES
  };
  
  static bool test_QueryUserInfo(struct dcerpc_pipe *p,
@@ -70,6 +76,11 @@ static void init_lsa_String(struct lsa_String *string, const char *s)
         string->string = s;
  }
  
+static void init_lsa_StringLarge(struct lsa_StringLarge *string, const char *s)
+{
+       string->string = s;
+}
+
  static void init_lsa_BinaryString(struct lsa_BinaryString *string, const char *s, uint32_t length)
  {
         string->length = length;
@@ -328,13 +339,10 @@ static bool test_SetUserInfo(struct dcerpc_pipe *p, struct torture_context *tctx
         q0.in.level = 12;
         do { TESTCALL(QueryUserInfo, q0) } while (0);
  
-       /* Samba 3 cannot store comment fields atm. - gd */
-       if (!torture_setting_bool(tctx, "samba3", false)) {
-               TEST_USERINFO_STRING(2, comment,  1, comment, "xx2-1 comment", 0);
-               TEST_USERINFO_STRING(2, comment, 21, comment, "xx2-21 comment", 0);
-               TEST_USERINFO_STRING(21, comment, 21, comment, "xx21-21 comment",
-                                  SAMR_FIELD_COMMENT);
-       }
+       TEST_USERINFO_STRING(2, comment,  1, comment, "xx2-1 comment", 0);
+       TEST_USERINFO_STRING(2, comment, 21, comment, "xx2-21 comment", 0);
+       TEST_USERINFO_STRING(21, comment, 21, comment, "xx21-21 comment",
+                          SAMR_FIELD_COMMENT);
  
         test_account_name = talloc_asprintf(tctx, "%sxx7-1", base_account_name);
         TEST_USERINFO_STRING(7, account_name,  1, account_name, base_account_name, 0);
@@ -625,7 +633,7 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -636,7 +644,7 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -681,7 +689,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -692,7 +700,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -703,7 +711,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -716,7 +724,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
+               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         }
@@ -763,7 +771,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -782,7 +790,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -799,7 +807,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("SetUserInfo level %u should have failed with WRONG_PASSWORD: %s\n",
+               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD: %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -846,7 +854,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -865,7 +873,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -882,7 +890,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
+               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         }
@@ -927,7 +935,7 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -951,7 +959,7 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -1012,7 +1020,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -1039,7 +1047,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         } else {
@@ -1054,7 +1062,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
                 status = dcerpc_samr_SetUserInfo(p, tctx, &s);
  
                 if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-                       printf("SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+                       torture_warning(tctx, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
                                s.in.level, nt_errstr(status));
                         ret = false;
                 }
@@ -1067,7 +1075,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
                 status = dcerpc_samr_SetUserInfo(p, tctx, &s);
  
                 if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-                       printf("SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+                       torture_warning(tctx, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
                                s.in.level, nt_errstr(status));
                         ret = false;
                 }
@@ -1195,7 +1203,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -1289,7 +1297,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
         }
  
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo%s level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo%s level %u failed - %s\n",
                        use_setinfo2 ? "2":"", level, nt_errstr(status));
                 ret = false;
         } else {
@@ -1324,12 +1332,12 @@ static bool test_SetAliasInfo(struct dcerpc_pipe *p, struct torture_context *tct
                     case ALIASINFONAME: init_lsa_String(&r.in.info->name,TEST_ALIASNAME); break;
                     case ALIASINFODESCRIPTION: init_lsa_String(&r.in.info->description,
                                 "Test Description, should test I18N as well"); break;
-                   case ALIASINFOALL: printf("ALIASINFOALL ignored\n"); break;
+                   case ALIASINFOALL: torture_comment(tctx, "ALIASINFOALL ignored\n"); break;
                 }
  
                 status = dcerpc_samr_SetAliasInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("SetAliasInfo level %u failed - %s\n",
+                       torture_warning(tctx, "SetAliasInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -1340,7 +1348,7 @@ static bool test_SetAliasInfo(struct dcerpc_pipe *p, struct torture_context *tct
  
                 status = dcerpc_samr_QueryAliasInfo(p, tctx, &q);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryAliasInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryAliasInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -1449,7 +1457,7 @@ static NTSTATUS test_LookupName(struct dcerpc_pipe *p, struct torture_context *t
         n.in.num_names = 2;
         status = dcerpc_samr_LookupNames(p, tctx, &n);
         if (!NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
-               printf("LookupNames[2] failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "LookupNames[2] failed - %s\n", nt_errstr(status));
                 if (NT_STATUS_IS_OK(status)) {
                         return NT_STATUS_UNSUCCESSFUL;
                 }
@@ -1459,7 +1467,7 @@ static NTSTATUS test_LookupName(struct dcerpc_pipe *p, struct torture_context *t
         n.in.num_names = 0;
         status = dcerpc_samr_LookupNames(p, tctx, &n);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("LookupNames[0] failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "LookupNames[0] failed - %s\n", nt_errstr(status));
                 return status;
         }
  
@@ -1467,7 +1475,7 @@ static NTSTATUS test_LookupName(struct dcerpc_pipe *p, struct torture_context *t
         n.in.num_names = 1;
         status = dcerpc_samr_LookupNames(p, tctx, &n);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
-               printf("LookupNames[1 bad name] failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "LookupNames[1 bad name] failed - %s\n", nt_errstr(status));
                 if (NT_STATUS_IS_OK(status)) {
                         return NT_STATUS_UNSUCCESSFUL;
                 }
@@ -1479,7 +1487,7 @@ static NTSTATUS test_LookupName(struct dcerpc_pipe *p, struct torture_context *t
         n.in.num_names = 2;
         status = dcerpc_samr_LookupNames(p, tctx, &n);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
-               printf("LookupNames[2 bad names] failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "LookupNames[2 bad names] failed - %s\n", nt_errstr(status));
                 if (NT_STATUS_IS_OK(status)) {
                         return NT_STATUS_UNSUCCESSFUL;
                 }
@@ -1509,7 +1517,7 @@ static NTSTATUS test_OpenUser_byname(struct dcerpc_pipe *p,
         r.out.user_handle = user_handle;
         status = dcerpc_samr_OpenUser(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("OpenUser_byname(%s -> %d) failed - %s\n", name, rid, nt_errstr(status));
+               torture_warning(tctx, "OpenUser_byname(%s -> %d) failed - %s\n", name, rid, nt_errstr(status));
         }
  
         return status;
@@ -1535,10 +1543,10 @@ static bool test_ChangePasswordNT3(struct dcerpc_pipe *p,
                 return false;
         }
  
-       printf("Testing ChangePasswordUser for user 'testuser'\n");
+       torture_comment(tctx, "Testing ChangePasswordUser for user 'testuser'\n");
  
-       printf("old password: %s\n", oldpass);
-       printf("new password: %s\n", newpass);
+       torture_comment(tctx, "old password: %s\n", oldpass);
+       torture_comment(tctx, "new password: %s\n", newpass);
  
         E_md4hash(oldpass, old_nt_hash);
         E_md4hash(newpass, new_nt_hash);
@@ -1566,7 +1574,7 @@ static bool test_ChangePasswordNT3(struct dcerpc_pipe *p,
  
         status = dcerpc_samr_ChangePasswordUser(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("ChangePasswordUser failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -1687,7 +1695,7 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
  
         status = dcerpc_samr_ChangePasswordUser(p, tctx, &r);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM cross-hash, got %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM cross-hash, got %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -1710,7 +1718,7 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
  
         status = dcerpc_samr_ChangePasswordUser(p, tctx, &r);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the NT cross-hash, got %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the NT cross-hash, got %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -1743,7 +1751,7 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
                 changed = true;
                 *password = newpass;
         } else if (!NT_STATUS_EQUAL(NT_STATUS_PASSWORD_RESTRICTION, status)) {
-               printf("ChangePasswordUser failed: expected NT_STATUS_OK, or at least NT_STATUS_PASSWORD_RESTRICTION, got %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_OK, or at least NT_STATUS_PASSWORD_RESTRICTION, got %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -1781,7 +1789,7 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
                 changed = true;
                 *password = newpass;
         } else if (!NT_STATUS_EQUAL(NT_STATUS_PASSWORD_RESTRICTION, status)) {
-               printf("ChangePasswordUser failed: expected NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED, got %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED, got %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -1816,9 +1824,9 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
  
         status = dcerpc_samr_ChangePasswordUser(p, tctx, &r);
         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               printf("ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+               torture_comment(tctx, "ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
         } else  if (!NT_STATUS_IS_OK(status)) {
-               printf("ChangePasswordUser failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 changed = true;
@@ -1840,9 +1848,9 @@ static bool test_ChangePasswordUser(struct dcerpc_pipe *p, struct torture_contex
         if (changed) {
                 status = dcerpc_samr_ChangePasswordUser(p, tctx, &r);
                 if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-                       printf("ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+                       torture_comment(tctx, "ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
                 } else if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-                       printf("ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we already changed the password, got %s\n", nt_errstr(status));
+                       torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we already changed the password, got %s\n", nt_errstr(status));
                         ret = false;
                 }
         }
@@ -1916,7 +1924,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)
             && !NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -1938,7 +1946,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)
             && !NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -1955,7 +1963,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)
             && !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-               printf("OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -1967,7 +1975,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
         status = dcerpc_samr_OemChangePasswordUser2(p, tctx, &r);
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-               printf("OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -1981,7 +1989,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
         status = dcerpc_samr_OemChangePasswordUser2(p, tctx, &r);
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD for invalid user - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD for invalid user - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -1995,7 +2003,7 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
         status = dcerpc_samr_OemChangePasswordUser2(p, tctx, &r);
  
         if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-               printf("OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied password and invalid user - %s\n",
+               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied password and invalid user - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -2014,9 +2022,9 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p, struct torture_co
  
         status = dcerpc_samr_OemChangePasswordUser2(p, tctx, &r);
         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               printf("OemChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+               torture_comment(tctx, "OemChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
         } else if (!NT_STATUS_IS_OK(status)) {
-               printf("OemChangePasswordUser2 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "OemChangePasswordUser2 failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 *password = newpass;
@@ -2093,9 +2101,9 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
  
         status = dcerpc_samr_ChangePasswordUser2(p, tctx, &r);
         if (allow_password_restriction && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               printf("ChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
+               torture_comment(tctx, "ChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(status));
         } else if (!NT_STATUS_IS_OK(status)) {
-               printf("ChangePasswordUser2 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser2 failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 *password = newpass;
@@ -2124,7 +2132,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
         uint8_t old_lm_hash[16], new_lm_hash[16];
         NTTIME t;
         struct samr_DomInfo1 *dominfo = NULL;
-       struct samr_ChangeReject *reject = NULL;
+       struct userPwdChangeFailureInformation *reject = NULL;
  
         torture_comment(tctx, "Testing ChangePasswordUser3\n");
  
@@ -2178,7 +2186,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
         status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) &&
             (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD))) {
-               printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -2209,7 +2217,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
         status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION) &&
             (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD))) {
-               printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
+               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -2220,7 +2228,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
         r.in.account = &account_bad;
         status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
         if (!NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               printf("ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid username - %s\n",
+               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid username - %s\n",
                         nt_errstr(status));
                 ret = false;
         }
@@ -2261,9 +2269,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
             && (!null_nttime(last_password_change) || !dominfo->min_password_age)) {
                 if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) {
  
-                       if (reject && (reject->reason != SAMR_REJECT_OTHER)) {
-                               printf("expected SAMR_REJECT_OTHER (%d), got %d\n",
-                                       SAMR_REJECT_OTHER, reject->reason);
+                       if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) {
+                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                                       SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                                 return false;
                         }
                 }
@@ -2280,40 +2288,40 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
                 if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) &&
                            (last_password_change + dominfo->min_password_age > t)) {
  
-                       if (reject->reason != SAMR_REJECT_OTHER) {
-                               printf("expected SAMR_REJECT_OTHER (%d), got %d\n",
-                                       SAMR_REJECT_OTHER, reject->reason);
+                       if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                                       SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                                 return false;
                         }
  
                 } else if ((dominfo->min_password_length > 0) &&
                            (strlen(newpass) < dominfo->min_password_length)) {
  
-                       if (reject->reason != SAMR_REJECT_TOO_SHORT) {
-                               printf("expected SAMR_REJECT_TOO_SHORT (%d), got %d\n",
-                                       SAMR_REJECT_TOO_SHORT, reject->reason);
+                       if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
+                               torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
+                                       SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason);
                                 return false;
                         }
  
                 } else if ((dominfo->password_history_length > 0) &&
                             strequal(oldpass, newpass)) {
  
-                       if (reject->reason != SAMR_REJECT_IN_HISTORY) {
-                               printf("expected SAMR_REJECT_IN_HISTORY (%d), got %d\n",
-                                       SAMR_REJECT_IN_HISTORY, reject->reason);
+                       if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) {
+                               torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
+                                       SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason);
                                 return false;
                         }
                 } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) {
  
-                       if (reject->reason != SAMR_REJECT_COMPLEXITY) {
-                               printf("expected SAMR_REJECT_COMPLEXITY (%d), got %d\n",
-                                       SAMR_REJECT_COMPLEXITY, reject->reason);
+                       if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) {
+                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
+                                       SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason);
                                 return false;
                         }
  
                 }
  
-               if (reject->reason == SAMR_REJECT_TOO_SHORT) {
+               if (reject->extendedFailureReason == SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
                         /* retry with adjusted size */
                         return test_ChangePasswordUser3(p, tctx, account_string,
                                                         dominfo->min_password_length,
@@ -2322,9 +2330,9 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
                 }
  
         } else if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               if (reject && reject->reason != SAMR_REJECT_OTHER) {
-                       printf("expected SAMR_REJECT_OTHER (%d), got %d\n",
-                              SAMR_REJECT_OTHER, reject->reason);
+               if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                              SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                         return false;
                 }
                 /* Perhaps the server has a 'min password age' set? */
@@ -2361,7 +2369,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
         uint8_t old_nt_hash[16], new_nt_hash[16];
         NTTIME t;
         struct samr_DomInfo1 *dominfo = NULL;
-       struct samr_ChangeReject *reject = NULL;
+       struct userPwdChangeFailureInformation *reject = NULL;
  
         new_random_pass = samr_very_rand_pass(tctx, 128);
  
@@ -2384,7 +2392,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
  
         status = dcerpc_fetch_session_key(p, &session_key);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u - no session key - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -2403,7 +2411,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
  
         status = dcerpc_samr_SetUserInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetUserInfo level %u failed - %s\n",
+               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
                        s.in.level, nt_errstr(status));
                 ret = false;
         }
@@ -2436,15 +2444,15 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
         status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
  
         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               if (reject && reject->reason != SAMR_REJECT_OTHER) {
-                       printf("expected SAMR_REJECT_OTHER (%d), got %d\n",
-                              SAMR_REJECT_OTHER, reject->reason);
+               if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                              SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                         return false;
                 }
                 /* Perhaps the server has a 'min password age' set? */
  
         } else if (!NT_STATUS_IS_OK(status)) {
-               printf("ChangePasswordUser3 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "ChangePasswordUser3 failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -2474,9 +2482,9 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
         status = dcerpc_samr_ChangePasswordUser3(p, tctx, &r);
  
         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
-               if (reject && reject->reason != SAMR_REJECT_OTHER) {
-                       printf("expected SAMR_REJECT_OTHER (%d), got %d\n",
-                              SAMR_REJECT_OTHER, reject->reason);
+               if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
+                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                              SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                         return false;
                 }
                 /* Perhaps the server has a 'min password age' set? */
@@ -2631,7 +2639,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p,
  
                 if (!NT_STATUS_IS_OK(status) &&
                     !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
-                       printf("QueryUserInfo%s level %u failed - %s\n",
+                       torture_warning(tctx, "QueryUserInfo%s level %u failed - %s\n",
                                use_info2 ? "2":"", levels[i], nt_errstr(status));
                         return false;
                 }
@@ -2662,21 +2670,20 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_pipe *p,
         return true;
  }
  
-static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *tctx,
-                               struct cli_credentials *machine_credentials,
-                               struct cli_credentials *test_credentials,
-                               struct netlogon_creds_CredentialState *creds,
-                               NTSTATUS expected_result)
+static bool test_SamLogon(struct torture_context *tctx,
+                         struct dcerpc_pipe *p,
+                         struct cli_credentials *test_credentials,
+                         NTSTATUS expected_result)
  {
         NTSTATUS status;
-       struct netr_LogonSamLogon r;
-       struct netr_Authenticator auth, auth2;
+       struct netr_LogonSamLogonEx r;
         union netr_LogonLevel logon;
         union netr_Validation validation;
         uint8_t authoritative;
         struct netr_NetworkInfo ninfo;
         DATA_BLOB names_blob, chal, lm_resp, nt_resp;
         int flags = CLI_CRED_NTLM_AUTH;
+       uint32_t samlogon_flags = 0;
  
         if (lp_client_lanman_auth(tctx->lp_ctx)) {
                 flags |= CLI_CRED_LANMAN_AUTH;
@@ -2695,8 +2702,8 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t
         chal = data_blob_const(ninfo.challenge,
                                sizeof(ninfo.challenge));
  
-       names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(machine_credentials),
-                                               cli_credentials_get_domain(machine_credentials));
+       names_blob = NTLMv2_generate_names_blob(tctx, cli_credentials_get_workstation(test_credentials),
+                                               cli_credentials_get_domain(test_credentials));
  
         status = cli_credentials_get_ntlm_response(test_credentials, tctx,
                                                    &flags,
@@ -2717,56 +2724,38 @@ static bool test_SamLogon_Creds(struct dcerpc_pipe *p, struct torture_context *t
                 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
         ninfo.identity_info.logon_id_low = 0;
         ninfo.identity_info.logon_id_high = 0;
-       ninfo.identity_info.workstation.string = cli_credentials_get_workstation(machine_credentials);
+       ninfo.identity_info.workstation.string = cli_credentials_get_workstation(test_credentials);
  
         logon.network = &ninfo;
  
         r.in.server_name = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
-       r.in.computer_name = cli_credentials_get_workstation(machine_credentials);
-       r.in.credential = &auth;
-       r.in.return_authenticator = &auth2;
-       r.in.logon_level = 2;
+       r.in.computer_name = cli_credentials_get_workstation(test_credentials);
+       r.in.logon_level = NetlogonNetworkInformation;
         r.in.logon = &logon;
+       r.in.flags = &samlogon_flags;
+       r.out.flags = &samlogon_flags;
         r.out.validation = &validation;
         r.out.authoritative = &authoritative;
  
-       d_printf("Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
+       torture_comment(tctx, "Testing LogonSamLogon with name %s\n", ninfo.identity_info.account_name.string);
  
-       ZERO_STRUCT(auth2);
-       netlogon_creds_client_authenticator(creds, &auth);
+       r.in.validation_level = 6;
  
-       r.in.validation_level = 2;
-
-       status = dcerpc_netr_LogonSamLogon(p, tctx, &r);
+       status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
+               r.in.validation_level = 3;
+               status = dcerpc_netr_LogonSamLogonEx(p, tctx, &r);
+       }
         if (!NT_STATUS_IS_OK(status)) {
-               torture_assert_ntstatus_equal(tctx, status, expected_result, "LogonSamLogon failed");
+               torture_assert_ntstatus_equal(tctx, status, expected_result, "LogonSamLogonEx failed");
                 return true;
         } else {
-               torture_assert_ntstatus_ok(tctx, status, "LogonSamLogon failed");
+               torture_assert_ntstatus_ok(tctx, status, "LogonSamLogonEx failed");
         }
  
-       torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
-                       "Credential chaining failed");
-
         return true;
  }
  
-static bool test_SamLogon(struct torture_context *tctx,
-                         struct dcerpc_pipe *p,
-                         struct cli_credentials *machine_credentials,
-                         struct cli_credentials *test_credentials,
-                         NTSTATUS expected_result)
-{
-       struct netlogon_creds_CredentialState *creds;
-
-       if (!test_SetupCredentials(p, tctx, machine_credentials, &creds)) {
-               return false;
-       }
-
-       return test_SamLogon_Creds(p, tctx, machine_credentials, test_credentials,
-                                  creds, expected_result);
-}
-
  static bool test_SamLogon_with_creds(struct torture_context *tctx,
                                      struct dcerpc_pipe *p,
                                      struct cli_credentials *machine_creds,
@@ -2780,19 +2769,18 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
         test_credentials = cli_credentials_init(tctx);
  
         cli_credentials_set_workstation(test_credentials,
-                                       TEST_ACCOUNT_NAME_PWD, CRED_SPECIFIED);
+                                       cli_credentials_get_workstation(machine_creds), CRED_SPECIFIED);
         cli_credentials_set_domain(test_credentials,
-                                  lp_workgroup(tctx->lp_ctx), CRED_SPECIFIED);
+                                  cli_credentials_get_domain(machine_creds), CRED_SPECIFIED);
         cli_credentials_set_username(test_credentials,
                                      acct_name, CRED_SPECIFIED);
         cli_credentials_set_password(test_credentials,
                                      password, CRED_SPECIFIED);
-       cli_credentials_set_secure_channel_type(test_credentials, SEC_CHAN_BDC);
  
-       printf("testing samlogon as %s@%s password: %s\n",
-               acct_name, TEST_ACCOUNT_NAME_PWD, password);
+       torture_comment(tctx, "testing samlogon as %s password: %s\n",
+               acct_name, password);
  
-       if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
+       if (!test_SamLogon(tctx, p, test_credentials,
                            expected_samlogon_result)) {
                 torture_warning(tctx, "new password did not work\n");
                 ret = false;
@@ -2875,11 +2863,12 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                                         struct cli_credentials *machine_credentials)
  {
         int s = 0, q = 0, f = 0, l = 0, z = 0;
+       struct dcerpc_binding *b;
         bool ret = true;
-       int delay = 500000;
+       int delay = 50000;
         bool set_levels[] = { false, true };
         bool query_levels[] = { false, true };
-       uint32_t levels[] = { 18, 21, 23, 24, 25, 26 };
+       uint32_t levels[] = { 18, 21, 26, 23, 24, 25 }; /* Second half only used when TEST_ALL_LEVELS defined */
         uint32_t nonzeros[] = { 1, 24 };
         uint32_t fields_present[] = {
                 0,
@@ -2899,24 +2888,46 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
         struct dcerpc_pipe *np = NULL;
  
         if (torture_setting_bool(tctx, "samba3", false)) {
-               delay = 1000000;
-               printf("Samba3 has second granularity, setting delay to: %d\n",
+               delay = 999999;
+               torture_comment(tctx, "Samba3 has second granularity, setting delay to: %d\n",
                         delay);
         }
  
-       status = torture_rpc_connection(tctx, &np, &ndr_table_netlogon);
+       status = torture_rpc_binding(tctx, &b);
         if (!NT_STATUS_IS_OK(status)) {
-               return false;
+               ret = false;
+               return ret;
+       }
+
+       /* We have to use schannel, otherwise the SamLogonEx fails
+        * with INTERNAL_ERROR */
+
+       b->flags &= ~DCERPC_AUTH_OPTIONS;
+       b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+
+       status = dcerpc_pipe_connect_b(tctx, &np, b,
+                                      &ndr_table_netlogon,
+                                      machine_credentials, tctx->ev, tctx->lp_ctx);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               torture_warning(tctx, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status));
+               ret = false;
+               return ret;
         }
  
         /* set to 1 to enable testing for all possible opcode
            (SetUserInfo, SetUserInfo2, QueryUserInfo, QueryUserInfo2)
            combinations */
  #if 0
+#define TEST_ALL_LEVELS 1
  #define TEST_SET_LEVELS 1
  #define TEST_QUERY_LEVELS 1
  #endif
+#ifdef TEST_ALL_LEVELS
         for (l=0; l<ARRAY_SIZE(levels); l++) {
+#else
+       for (l=0; l<(ARRAY_SIZE(levels))/2; l++) {
+#endif
         for (z=0; z<ARRAY_SIZE(nonzeros); z++) {
         for (f=0; f<ARRAY_SIZE(fields_present); f++) {
  #ifdef TEST_SET_LEVELS
@@ -3264,6 +3275,304 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
  #undef TEST_SET_LEVELS
  #undef TEST_QUERY_LEVELS
  
+       talloc_free(np);
+
+       return ret;
+}
+
+static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
+                                      struct dcerpc_pipe *lp,
+                                      struct torture_context *tctx,
+                                      struct policy_handle *domain_handle,
+                                      struct policy_handle *lsa_handle,
+                                      struct policy_handle *user_handle,
+                                      const struct dom_sid *domain_sid,
+                                      uint32_t rid,
+                                      struct cli_credentials *machine_credentials)
+{
+       NTSTATUS status;
+       bool ret = true;
+
+       struct policy_handle lsa_acct_handle;
+       struct dom_sid *user_sid;
+
+       user_sid = dom_sid_add_rid(tctx, domain_sid, rid);
+
+       {
+               struct lsa_EnumAccountRights r;
+               struct lsa_RightSet rights;
+
+               torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.out.rights = &rights;
+
+               status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+               torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+                       "Expected enum rights for account to fail");
+       }
+
+       {
+               struct lsa_RightSet rights;
+               struct lsa_StringLarge names[2];
+               struct lsa_AddAccountRights r;
+
+               torture_comment(tctx, "Testing LSA AddAccountRights\n");
+
+               init_lsa_StringLarge(&names[0], "SeMachineAccountPrivilege");
+               init_lsa_StringLarge(&names[1], NULL);
+
+               rights.count = 1;
+               rights.names = names;
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.in.rights = &rights;
+
+               status = dcerpc_lsa_AddAccountRights(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to add privileges");
+       }
+
+       {
+               struct lsa_EnumAccounts r;
+               uint32_t resume_handle = 0;
+               struct lsa_SidArray lsa_sid_array;
+               int i;
+               bool found_sid = false;
+
+               torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+               r.in.handle = lsa_handle;
+               r.in.num_entries = 0x1000;
+               r.in.resume_handle = &resume_handle;
+               r.out.sids = &lsa_sid_array;
+               r.out.resume_handle = &resume_handle;
+
+               status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to enum accounts");
+
+               for (i=0; i < lsa_sid_array.num_sids; i++) {
+                       if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+                               found_sid = true;
+                       }
+               }
+
+               torture_assert(tctx, found_sid,
+                       "failed to list privileged account");
+       }
+
+       {
+               struct lsa_EnumAccountRights r;
+               struct lsa_RightSet user_rights;
+
+               torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.out.rights = &user_rights;
+
+               status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to enum rights for account");
+
+               if (user_rights.count < 1) {
+                       torture_warning(tctx, "failed to find newly added rights");
+                       return false;
+               }
+       }
+
+       {
+               struct lsa_OpenAccount r;
+
+               torture_comment(tctx, "Testing LSA OpenAccount\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+               r.out.acct_handle = &lsa_acct_handle;
+
+               status = dcerpc_lsa_OpenAccount(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to open lsa account");
+       }
+
+       {
+               struct lsa_GetSystemAccessAccount r;
+               uint32_t access_mask;
+
+               torture_comment(tctx, "Testing LSA GetSystemAccessAccount\n");
+
+               r.in.handle = &lsa_acct_handle;
+               r.out.access_mask = &access_mask;
+
+               status = dcerpc_lsa_GetSystemAccessAccount(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to get lsa system access account");
+       }
+
+       {
+               struct lsa_Close r;
+
+               torture_comment(tctx, "Testing LSA Close\n");
+
+               r.in.handle = &lsa_acct_handle;
+               r.out.handle = &lsa_acct_handle;
+
+               status = dcerpc_lsa_Close(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to close lsa");
+       }
+
+       {
+               struct samr_DeleteUser r;
+
+               torture_comment(tctx, "Testing SAMR DeleteUser\n");
+
+               r.in.user_handle = user_handle;
+               r.out.user_handle = user_handle;
+
+               status = dcerpc_samr_DeleteUser(p, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status, "Delete User failed");
+       }
+
+       {
+               struct lsa_EnumAccounts r;
+               uint32_t resume_handle = 0;
+               struct lsa_SidArray lsa_sid_array;
+               int i;
+               bool found_sid = false;
+
+               torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+               r.in.handle = lsa_handle;
+               r.in.num_entries = 0x1000;
+               r.in.resume_handle = &resume_handle;
+               r.out.sids = &lsa_sid_array;
+               r.out.resume_handle = &resume_handle;
+
+               status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to enum accounts");
+
+               for (i=0; i < lsa_sid_array.num_sids; i++) {
+                       if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+                               found_sid = true;
+                       }
+               }
+
+               torture_assert(tctx, found_sid,
+                       "failed to list privileged account");
+       }
+
+       {
+               struct lsa_EnumAccountRights r;
+               struct lsa_RightSet user_rights;
+
+               torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.out.rights = &user_rights;
+
+               status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to enum rights for account");
+
+               if (user_rights.count < 1) {
+                       torture_warning(tctx, "failed to find newly added rights");
+                       return false;
+               }
+       }
+
+       {
+               struct lsa_OpenAccount r;
+
+               torture_comment(tctx, "Testing LSA OpenAccount\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+               r.out.acct_handle = &lsa_acct_handle;
+
+               status = dcerpc_lsa_OpenAccount(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to open lsa account");
+       }
+
+       {
+               struct lsa_GetSystemAccessAccount r;
+               uint32_t access_mask;
+
+               torture_comment(tctx, "Testing LSA GetSystemAccessAccount\n");
+
+               r.in.handle = &lsa_acct_handle;
+               r.out.access_mask = &access_mask;
+
+               status = dcerpc_lsa_GetSystemAccessAccount(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to get lsa system access account");
+       }
+
+       {
+               struct lsa_DeleteObject r;
+
+               torture_comment(tctx, "Testing LSA DeleteObject\n");
+
+               r.in.handle = &lsa_acct_handle;
+               r.out.handle = &lsa_acct_handle;
+
+               status = dcerpc_lsa_DeleteObject(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to delete object");
+       }
+
+       {
+               struct lsa_EnumAccounts r;
+               uint32_t resume_handle = 0;
+               struct lsa_SidArray lsa_sid_array;
+               int i;
+               bool found_sid = false;
+
+               torture_comment(tctx, "Testing LSA EnumAccounts\n");
+
+               r.in.handle = lsa_handle;
+               r.in.num_entries = 0x1000;
+               r.in.resume_handle = &resume_handle;
+               r.out.sids = &lsa_sid_array;
+               r.out.resume_handle = &resume_handle;
+
+               status = dcerpc_lsa_EnumAccounts(lp, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "Failed to enum accounts");
+
+               for (i=0; i < lsa_sid_array.num_sids; i++) {
+                       if (dom_sid_equal(user_sid, lsa_sid_array.sids[i].sid)) {
+                               found_sid = true;
+                       }
+               }
+
+               torture_assert(tctx, !found_sid,
+                       "should not have listed privileged account");
+       }
+
+       {
+               struct lsa_EnumAccountRights r;
+               struct lsa_RightSet user_rights;
+
+               torture_comment(tctx, "Testing LSA EnumAccountRights\n");
+
+               r.in.handle = lsa_handle;
+               r.in.sid = user_sid;
+               r.out.rights = &user_rights;
+
+               status = dcerpc_lsa_EnumAccountRights(lp, tctx, &r);
+               torture_assert_ntstatus_equal(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+                       "Failed to enum rights for account");
+       }
+
         return ret;
  }
  
@@ -3271,6 +3580,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                           struct torture_context *tctx,
                           struct policy_handle *user_handle,
                           struct policy_handle *domain_handle,
+                         const struct dom_sid *domain_sid,
                           uint32_t base_acct_flags,
                           const char *base_acct_name, enum torture_samr_choice which_ops,
                           struct cli_credentials *machine_credentials)
@@ -3334,7 +3644,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                         ZERO_STRUCT(simple_pass);
                         memset(simple_pass, *v, sizeof(simple_pass) - 1);
  
-                       printf("Testing machine account password policy rules\n");
+                       torture_comment(tctx, "Testing machine account password policy rules\n");
  
                         /* Workstation trust accounts don't seem to need to honour password quality policy */
                         if (!test_SetUserPassEx(p, tctx, user_handle, true, &password)) {
@@ -3392,7 +3702,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                 }
  
                 if (torture_setting_bool(tctx, "samba4", false)) {
-                       printf("skipping Set Password level 18 and 21 against Samba4\n");
+                       torture_comment(tctx, "skipping Set Password level 18 and 21 against Samba4\n");
                 } else {
  
                         if (!test_SetUserPass_18(p, tctx, user_handle, &password)) {
@@ -3428,13 +3738,13 @@ static bool test_user_ops(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryUserInfo(p, tctx, &q);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
                                q.in.level, nt_errstr(status));
                         ret = false;
                 } else {
                         uint32_t expected_flags = (base_acct_flags | ACB_PWNOTREQ | ACB_DISABLED);
                         if ((info->info5.acct_flags) != expected_flags) {
-                               printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                               torture_warning(tctx, "QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
                                        info->info5.acct_flags,
                                        expected_flags);
                                 /* FIXME: GD */
@@ -3443,7 +3753,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                                 }
                         }
                         if (info->info5.rid != rid) {
-                               printf("QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
+                               torture_warning(tctx, "QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
                                        info->info5.rid, rid);
  
                         }
@@ -3469,6 +3779,35 @@ static bool test_user_ops(struct dcerpc_pipe *p,
  
                 break;
  
+       case TORTURE_SAMR_USER_PRIVILEGES: {
+
+               struct dcerpc_pipe *lp;
+               struct policy_handle *lsa_handle;
+
+               status = torture_rpc_connection(tctx, &lp, &ndr_table_lsarpc);
+               torture_assert_ntstatus_ok(tctx, status, "Failed to open LSA pipe");
+
+               if (!test_lsa_OpenPolicy2(lp, tctx, &lsa_handle)) {
+                       ret = false;
+               }
+
+               if (!test_DeleteUser_with_privs(p, lp, tctx,
+                                               domain_handle, lsa_handle, user_handle,
+                                               domain_sid, rid,
+                                               machine_credentials)) {
+                       ret = false;
+               }
+
+               if (!test_lsa_Close(lp, tctx, lsa_handle)) {
+                       ret = false;
+               }
+
+               if (!ret) {
+                       torture_warning(tctx, "privileged user delete test failed\n");
+               }
+
+               break;
+       }
         case TORTURE_SAMR_OTHER:
                 /* We just need the account to exist */
                 break;
@@ -3500,8 +3839,9 @@ static bool test_alias_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
                 ret = false;
         }
  
-       if (torture_setting_bool(tctx, "samba4", false)) {
-               printf("skipping MultipleMembers Alias tests against Samba4\n");
+       if (torture_setting_bool(tctx, "samba3", false) ||
+           torture_setting_bool(tctx, "samba4", false)) {
+               torture_comment(tctx, "skipping MultipleMembers Alias tests against Samba\n");
                 return ret;
         }
  
@@ -3558,7 +3898,7 @@ bool test_DeleteUser_byname(struct dcerpc_pipe *p,
         return true;
  
  failed:
-       printf("DeleteUser_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_warning(tctx, "DeleteUser_byname(%s) failed - %s\n", name, nt_errstr(status));
         return false;
  }
  
@@ -3597,7 +3937,7 @@ static bool test_DeleteGroup_byname(struct dcerpc_pipe *p,
         return true;
  
  failed:
-       printf("DeleteGroup_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_warning(tctx, "DeleteGroup_byname(%s) failed - %s\n", name, nt_errstr(status));
         return false;
  }
  
@@ -3613,7 +3953,7 @@ static bool test_DeleteAlias_byname(struct dcerpc_pipe *p,
         struct policy_handle alias_handle;
         uint32_t rid;
  
-       printf("testing DeleteAlias_byname\n");
+       torture_comment(tctx, "testing DeleteAlias_byname\n");
  
         status = test_LookupName(p, tctx, domain_handle, name, &rid);
         if (!NT_STATUS_IS_OK(status)) {
@@ -3639,7 +3979,7 @@ static bool test_DeleteAlias_byname(struct dcerpc_pipe *p,
         return true;
  
  failed:
-       printf("DeleteAlias_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_warning(tctx, "DeleteAlias_byname(%s) failed - %s\n", name, nt_errstr(status));
         return false;
  }
  
@@ -3650,14 +3990,15 @@ static bool test_DeleteAlias(struct dcerpc_pipe *p,
         struct samr_DeleteDomAlias d;
         NTSTATUS status;
         bool ret = true;
-       printf("Testing DeleteAlias\n");
+
+       torture_comment(tctx, "Testing DeleteAlias\n");
  
         d.in.alias_handle = alias_handle;
         d.out.alias_handle = alias_handle;
  
         status = dcerpc_samr_DeleteDomAlias(p, tctx, &d);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("DeleteAlias failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "DeleteAlias failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -3665,9 +4006,11 @@ static bool test_DeleteAlias(struct dcerpc_pipe *p,
  }
  
  static bool test_CreateAlias(struct dcerpc_pipe *p, struct torture_context *tctx,
-                           struct policy_handle *domain_handle,
+                            struct policy_handle *domain_handle,
+                            const char *alias_name,
                              struct policy_handle *alias_handle,
-                            const struct dom_sid *domain_sid)
+                            const struct dom_sid *domain_sid,
+                            bool test_alias)
  {
         NTSTATUS status;
         struct samr_CreateDomAlias r;
@@ -3675,23 +4018,23 @@ static bool test_CreateAlias(struct dcerpc_pipe *p, struct torture_context *tctx
         uint32_t rid;
         bool ret = true;
  
-       init_lsa_String(&name, TEST_ALIASNAME);
+       init_lsa_String(&name, alias_name);
         r.in.domain_handle = domain_handle;
         r.in.alias_name = &name;
         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
         r.out.alias_handle = alias_handle;
         r.out.rid = &rid;
  
-       printf("Testing CreateAlias (%s)\n", r.in.alias_name->string);
+       torture_comment(tctx, "Testing CreateAlias (%s)\n", r.in.alias_name->string);
  
         status = dcerpc_samr_CreateDomAlias(p, tctx, &r);
  
         if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-                       printf("Server correctly refused create of '%s'\n", r.in.alias_name->string);
+                       torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.alias_name->string);
                         return true;
                 } else {
-                       printf("Server should have refused create of '%s', got %s instead\n", r.in.alias_name->string,
+                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.alias_name->string,
                                nt_errstr(status));
                         return false;
                 }
@@ -3705,10 +4048,14 @@ static bool test_CreateAlias(struct dcerpc_pipe *p, struct torture_context *tctx
         }
  
         if (!NT_STATUS_IS_OK(status)) {
-               printf("CreateAlias failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "CreateAlias failed - %s\n", nt_errstr(status));
                 return false;
         }
  
+       if (!test_alias) {
+               return ret;
+       }
+
         if (!test_alias_ops(p, tctx, alias_handle, domain_sid)) {
                 ret = false;
         }
@@ -3773,7 +4120,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                 r.in.level = 1;
                 r.out.info = &info;
  
-               printf("testing samr_QueryDomainInfo level 1\n");
+               torture_comment(tctx, "testing samr_QueryDomainInfo level 1\n");
                 status = dcerpc_samr_QueryDomainInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
                         return false;
@@ -3793,13 +4140,13 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                 min_pwd_age_old = s.in.info->info1.min_password_age;
                 s.in.info->info1.min_password_age = 0;
  
-               printf("testing samr_SetDomainInfo level 1\n");
+               torture_comment(tctx, "testing samr_SetDomainInfo level 1\n");
                 status = dcerpc_samr_SetDomainInfo(p, tctx, &s);
                 if (!NT_STATUS_IS_OK(status)) {
                         return false;
                 }
  
-               printf("calling test_ChangePasswordUser3 with too short password\n");
+               torture_comment(tctx, "calling test_ChangePasswordUser3 with too short password\n");
  
                 if (!test_ChangePasswordUser3(p, tctx, acct_name, len - 1, password, NULL, 0, true)) {
                         ret = false;
@@ -3809,7 +4156,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                 s.in.info->info1.password_properties = pwd_prop_old;
                 s.in.info->info1.min_password_age = min_pwd_age_old;
  
-               printf("testing samr_SetDomainInfo level 1\n");
+               torture_comment(tctx, "testing samr_SetDomainInfo level 1\n");
                 status = dcerpc_samr_SetDomainInfo(p, tctx, &s);
                 if (!NT_STATUS_IS_OK(status)) {
                         return false;
@@ -3835,7 +4182,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_LookupNames(p, tctx, &n);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("LookupNames failed - %s\n", nt_errstr(status));
+                       torture_warning(tctx, "LookupNames failed - %s\n", nt_errstr(status));
                         return false;
                 }
  
@@ -3846,7 +4193,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_OpenUser(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("OpenUser(%u) failed - %s\n", n.out.rids->ids[0], nt_errstr(status));
+                       torture_warning(tctx, "OpenUser(%u) failed - %s\n", n.out.rids->ids[0], nt_errstr(status));
                         return false;
                 }
  
@@ -3856,11 +4203,11 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryUserInfo(p, tctx, &q);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo failed - %s\n", nt_errstr(status));
+                       torture_warning(tctx, "QueryUserInfo failed - %s\n", nt_errstr(status));
                         return false;
                 }
  
-               printf("calling test_ChangePasswordUser3 with too early password change\n");
+               torture_comment(tctx, "calling test_ChangePasswordUser3 with too early password change\n");
  
                 if (!test_ChangePasswordUser3(p, tctx, acct_name, 0, password, NULL,
                                               info->info5.last_password_change, true)) {
@@ -3883,10 +4230,12 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
  
  static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                             struct policy_handle *domain_handle,
+                           const char *user_name,
                             struct policy_handle *user_handle_out,
                             struct dom_sid *domain_sid,
                             enum torture_samr_choice which_ops,
-                           struct cli_credentials *machine_credentials)
+                           struct cli_credentials *machine_credentials,
+                           bool test_user)
  {
  
         TALLOC_CTX *user_ctx;
@@ -3905,7 +4254,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         struct policy_handle user_handle;
         user_ctx = talloc_named(tctx, 0, "test_CreateUser2 per-user context");
-       init_lsa_String(&name, TEST_ACCOUNT_NAME);
+       init_lsa_String(&name, user_name);
  
         r.in.domain_handle = domain_handle;
         r.in.account_name = &name;
@@ -3913,16 +4262,16 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
         r.out.user_handle = &user_handle;
         r.out.rid = &rid;
  
-       printf("Testing CreateUser(%s)\n", r.in.account_name->string);
+       torture_comment(tctx, "Testing CreateUser(%s)\n", r.in.account_name->string);
  
         status = dcerpc_samr_CreateUser(p, user_ctx, &r);
  
         if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
                 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-                       printf("Server correctly refused create of '%s'\n", r.in.account_name->string);
+                       torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.account_name->string);
                         return true;
                 } else {
-                       printf("Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
                                nt_errstr(status));
                         return false;
                 }
@@ -3935,23 +4284,33 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                 }
                 status = dcerpc_samr_CreateUser(p, user_ctx, &r);
         }
+
         if (!NT_STATUS_IS_OK(status)) {
                 talloc_free(user_ctx);
-               printf("CreateUser failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "CreateUser failed - %s\n", nt_errstr(status));
                 return false;
-       } else {
+       }
+
+       if (!test_user) {
+               if (user_handle_out) {
+                       *user_handle_out = user_handle;
+               }
+               return ret;
+       }
+
+       {
                 q.in.user_handle = &user_handle;
                 q.in.level = 16;
                 q.out.info = &info;
  
                 status = dcerpc_samr_QueryUserInfo(p, user_ctx, &q);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
                                q.in.level, nt_errstr(status));
                         ret = false;
                 } else {
                         if ((info->info16.acct_flags & acct_flags) != acct_flags) {
-                               printf("QuerUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                               torture_warning(tctx, "QuerUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
                                        info->info16.acct_flags,
                                        acct_flags);
                                 ret = false;
@@ -3959,7 +4318,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                 }
  
                 if (!test_user_ops(p, tctx, &user_handle, domain_handle,
-                                  acct_flags, name.string, which_ops,
+                                  domain_sid, acct_flags, name.string, which_ops,
                                    machine_credentials)) {
                         ret = false;
                 }
@@ -3967,14 +4326,14 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                 if (user_handle_out) {
                         *user_handle_out = user_handle;
                 } else {
-                       printf("Testing DeleteUser (createuser test)\n");
+                       torture_comment(tctx, "Testing DeleteUser (createuser test)\n");
  
                         d.in.user_handle = &user_handle;
                         d.out.user_handle = &user_handle;
  
                         status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
                         if (!NT_STATUS_IS_OK(status)) {
-                               printf("DeleteUser failed - %s\n", nt_errstr(status));
+                               torture_warning(tctx, "DeleteUser failed - %s\n", nt_errstr(status));
                                 ret = false;
                         }
                 }
@@ -4018,7 +4377,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                 { ACB_SVRTRUST, TEST_MACHINENAME, NT_STATUS_OK },
                 { ACB_SVRTRUST | ACB_DISABLED, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
                 { ACB_SVRTRUST | ACB_PWNOEXP, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
-               { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_OK },
+               { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_ACCESS_DENIED },
                 { ACB_DOMTRUST | ACB_DISABLED, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
                 { ACB_DOMTRUST | ACB_PWNOEXP, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
                 { 0, TEST_ACCOUNT_NAME, NT_STATUS_INVALID_PARAMETER },
@@ -4041,16 +4400,16 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                 r.out.access_granted = &access_granted;
                 r.out.rid = &rid;
  
-               printf("Testing CreateUser2(%s, 0x%x)\n", r.in.account_name->string, acct_flags);
+               torture_comment(tctx, "Testing CreateUser2(%s, 0x%x)\n", r.in.account_name->string, acct_flags);
  
                 status = dcerpc_samr_CreateUser2(p, user_ctx, &r);
  
                 if (dom_sid_equal(domain_sid, dom_sid_parse_talloc(tctx, SID_BUILTIN))) {
                         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-                               printf("Server correctly refused create of '%s'\n", r.in.account_name->string);
+                               torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.account_name->string);
                                 continue;
                         } else {
-                               printf("Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+                               torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
                                        nt_errstr(status));
                                 ret = false;
                                 continue;
@@ -4067,7 +4426,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
  
                 }
                 if (!NT_STATUS_EQUAL(status, account_types[i].nt_status)) {
-                       printf("CreateUser2 failed gave incorrect error return - %s (should be %s)\n",
+                       torture_warning(tctx, "CreateUser2 failed gave incorrect error return - %s (should be %s)\n",
                                nt_errstr(status), nt_errstr(account_types[i].nt_status));
                         ret = false;
                 }
@@ -4079,7 +4438,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
  
                         status = dcerpc_samr_QueryUserInfo(p, user_ctx, &q);
                         if (!NT_STATUS_IS_OK(status)) {
-                               printf("QueryUserInfo level %u failed - %s\n",
+                               torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
                                        q.in.level, nt_errstr(status));
                                 ret = false;
                         } else {
@@ -4088,7 +4447,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                         expected_flags |= ACB_PW_EXPIRED;
                                 }
                                 if ((info->info5.acct_flags) != expected_flags) {
-                                       printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                                       torture_warning(tctx, "QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
                                                info->info5.acct_flags,
                                                expected_flags);
                                         ret = false;
@@ -4096,21 +4455,21 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                 switch (acct_flags) {
                                 case ACB_SVRTRUST:
                                         if (info->info5.primary_gid != DOMAIN_RID_DCS) {
-                                               printf("QuerUserInfo level 5: DC should have had Primary Group %d, got %d\n",
+                                               torture_warning(tctx, "QuerUserInfo level 5: DC should have had Primary Group %d, got %d\n",
                                                        DOMAIN_RID_DCS, info->info5.primary_gid);
                                                 ret = false;
                                         }
                                         break;
                                 case ACB_WSTRUST:
                                         if (info->info5.primary_gid != DOMAIN_RID_DOMAIN_MEMBERS) {
-                                               printf("QuerUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n",
+                                               torture_warning(tctx, "QuerUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n",
                                                        DOMAIN_RID_DOMAIN_MEMBERS, info->info5.primary_gid);
                                                 ret = false;
                                         }
                                         break;
                                 case ACB_NORMAL:
                                         if (info->info5.primary_gid != DOMAIN_RID_USERS) {
-                                               printf("QuerUserInfo level 5: Users should have had Primary Group %d, got %d\n",
+                                               torture_warning(tctx, "QuerUserInfo level 5: Users should have had Primary Group %d, got %d\n",
                                                        DOMAIN_RID_USERS, info->info5.primary_gid);
                                                 ret = false;
                                         }
@@ -4119,20 +4478,22 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                         }
  
                         if (!test_user_ops(p, tctx, &user_handle, domain_handle,
-                                          acct_flags, name.string, which_ops,
+                                          domain_sid, acct_flags, name.string, which_ops,
                                            machine_credentials)) {
                                 ret = false;
                         }
  
-                       printf("Testing DeleteUser (createuser2 test)\n");
+                       if (!policy_handle_empty(&user_handle)) {
+                               torture_comment(tctx, "Testing DeleteUser (createuser2 test)\n");
  
-                       d.in.user_handle = &user_handle;
-                       d.out.user_handle = &user_handle;
+                               d.in.user_handle = &user_handle;
+                               d.out.user_handle = &user_handle;
  
-                       status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
-                       if (!NT_STATUS_IS_OK(status)) {
-                               printf("DeleteUser failed - %s\n", nt_errstr(status));
-                               ret = false;
+                               status = dcerpc_samr_DeleteUser(p, user_ctx, &d);
+                               if (!NT_STATUS_IS_OK(status)) {
+                                       torture_warning(tctx, "DeleteUser failed - %s\n", nt_errstr(status));
+                                       ret = false;
+                               }
                         }
                 }
                 talloc_free(user_ctx);
@@ -4153,7 +4514,7 @@ static bool test_QueryAliasInfo(struct dcerpc_pipe *p,
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryAliasInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryAliasInfo level %u\n", levels[i]);
  
                 r.in.alias_handle = handle;
                 r.in.level = levels[i];
@@ -4161,7 +4522,7 @@ static bool test_QueryAliasInfo(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryAliasInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryAliasInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryAliasInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4182,7 +4543,7 @@ static bool test_QueryGroupInfo(struct dcerpc_pipe *p,
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryGroupInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryGroupInfo level %u\n", levels[i]);
  
                 r.in.group_handle = handle;
                 r.in.level = levels[i];
@@ -4190,7 +4551,7 @@ static bool test_QueryGroupInfo(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryGroupInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryGroupInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryGroupInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4208,14 +4569,14 @@ static bool test_QueryGroupMember(struct dcerpc_pipe *p,
         struct samr_RidTypeArray *rids = NULL;
         bool ret = true;
  
-       printf("Testing QueryGroupMember\n");
+       torture_comment(tctx, "Testing QueryGroupMember\n");
  
         r.in.group_handle = handle;
         r.out.rids = &rids;
  
         status = dcerpc_samr_QueryGroupMember(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("QueryGroupInfo failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "QueryGroupInfo failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -4237,7 +4598,7 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p,
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryGroupInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryGroupInfo level %u\n", levels[i]);
  
                 r.in.group_handle = handle;
                 r.in.level = levels[i];
@@ -4245,12 +4606,12 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryGroupInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryGroupInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryGroupInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
  
-               printf("Testing SetGroupInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing SetGroupInfo level %u\n", levels[i]);
  
                 s.in.group_handle = handle;
                 s.in.level = levels[i];
@@ -4273,14 +4634,14 @@ static bool test_SetGroupInfo(struct dcerpc_pipe *p,
                 status = dcerpc_samr_SetGroupInfo(p, tctx, &s);
                 if (set_ok[i]) {
                         if (!NT_STATUS_IS_OK(status)) {
-                               printf("SetGroupInfo level %u failed - %s\n",
+                               torture_warning(tctx, "SetGroupInfo level %u failed - %s\n",
                                        r.in.level, nt_errstr(status));
                                 ret = false;
                                 continue;
                         }
                 } else {
                         if (!NT_STATUS_EQUAL(NT_STATUS_INVALID_INFO_CLASS, status)) {
-                               printf("SetGroupInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
+                               torture_warning(tctx, "SetGroupInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
                                        r.in.level, nt_errstr(status));
                                 ret = false;
                                 continue;
@@ -4304,7 +4665,7 @@ static bool test_QueryUserInfo(struct dcerpc_pipe *p,
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryUserInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryUserInfo level %u\n", levels[i]);
  
                 r.in.user_handle = handle;
                 r.in.level = levels[i];
@@ -4312,7 +4673,7 @@ static bool test_QueryUserInfo(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryUserInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4334,7 +4695,7 @@ static bool test_QueryUserInfo2(struct dcerpc_pipe *p,
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryUserInfo2 level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryUserInfo2 level %u\n", levels[i]);
  
                 r.in.user_handle = handle;
                 r.in.level = levels[i];
@@ -4342,7 +4703,7 @@ static bool test_QueryUserInfo2(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryUserInfo2(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo2 level %u failed - %s\n",
+                       torture_warning(tctx, "QueryUserInfo2 level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4360,7 +4721,7 @@ static bool test_OpenUser(struct dcerpc_pipe *p,
         struct policy_handle user_handle;
         bool ret = true;
  
-       printf("Testing OpenUser(%u)\n", rid);
+       torture_comment(tctx, "Testing OpenUser(%u)\n", rid);
  
         r.in.domain_handle = handle;
         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -4369,7 +4730,7 @@ static bool test_OpenUser(struct dcerpc_pipe *p,
  
         status = dcerpc_samr_OpenUser(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(status));
+               torture_warning(tctx, "OpenUser(%u) failed - %s\n", rid, nt_errstr(status));
                 return false;
         }
  
@@ -4409,7 +4770,7 @@ static bool test_OpenGroup(struct dcerpc_pipe *p,
         struct policy_handle group_handle;
         bool ret = true;
  
-       printf("Testing OpenGroup(%u)\n", rid);
+       torture_comment(tctx, "Testing OpenGroup(%u)\n", rid);
  
         r.in.domain_handle = handle;
         r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -4418,7 +4779,7 @@ static bool test_OpenGroup(struct dcerpc_pipe *p,
  
         status = dcerpc_samr_OpenGroup(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("OpenGroup(%u) failed - %s\n", rid, nt_errstr(status));
+               torture_warning(tctx, "OpenGroup(%u) failed - %s\n", rid, nt_errstr(status));
                 return false;
         }
  
@@ -4460,7 +4821,7 @@ static bool test_OpenAlias(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_OpenAlias(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("OpenAlias(%u) failed - %s\n", rid, nt_errstr(status));
+               torture_warning(tctx, "OpenAlias(%u) failed - %s\n", rid, nt_errstr(status));
                 return false;
         }
  
@@ -4505,7 +4866,7 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_OpenUser(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("OpenUser(%u) failed - %s\n", rid, nt_errstr(status));
+               torture_warning(tctx, "OpenUser(%u) failed - %s\n", rid, nt_errstr(status));
                 return false;
         }
  
@@ -4515,12 +4876,12 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_QueryUserInfo(p, tctx, &q);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("QueryUserInfo level 16 failed - %s\n",
+               torture_warning(tctx, "QueryUserInfo level 16 failed - %s\n",
                        nt_errstr(status));
                 ret = false;
         } else {
                 if ((acct_flag_mask & info->info16.acct_flags) == 0) {
-                       printf("Server failed to filter for 0x%x, allowed 0x%x (%d) on EnumDomainUsers\n",
+                       torture_warning(tctx, "Server failed to filter for 0x%x, allowed 0x%x (%d) on EnumDomainUsers\n",
                                acct_flag_mask, info->info16.acct_flags, rid);
                         ret = false;
                 }
@@ -4533,8 +4894,9 @@ static bool check_mask(struct dcerpc_pipe *p, struct torture_context *tctx,
         return ret;
  }
  
-static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *tctx,
-                                struct policy_handle *handle)
+static bool test_EnumDomainUsers_all(struct dcerpc_pipe *p,
+                                    struct torture_context *tctx,
+                                    struct policy_handle *handle)
  {
         NTSTATUS status = STATUS_MORE_ENTRIES;
         struct samr_EnumDomainUsers r;
@@ -4553,7 +4915,7 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *
                             ACB_SVRTRUST | ACB_DOMTRUST | ACB_WSTRUST,
                             ACB_PWNOEXP, 0};
  
-       printf("Testing EnumDomainUsers\n");
+       torture_comment(tctx, "Testing EnumDomainUsers\n");
  
         for (mask_idx=0;mask_idx<ARRAY_SIZE(masks);mask_idx++) {
                 r.in.domain_handle = handle;
@@ -4567,7 +4929,7 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *
                 status = dcerpc_samr_EnumDomainUsers(p, tctx, &r);
                 if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
                     !NT_STATUS_IS_OK(status)) {
-                       printf("EnumDomainUsers failed - %s\n", nt_errstr(status));
+                       torture_warning(tctx, "EnumDomainUsers failed - %s\n", nt_errstr(status));
                         return false;
                 }
  
@@ -4588,7 +4950,7 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *
                 }
         }
  
-       printf("Testing LookupNames\n");
+       torture_comment(tctx, "Testing LookupNames\n");
         n.in.domain_handle = handle;
         n.in.num_names = sam->count;
         n.in.names = talloc_array(tctx, struct lsa_String, sam->count);
@@ -4599,12 +4961,12 @@ static bool test_EnumDomainUsers(struct dcerpc_pipe *p, struct torture_context *
         }
         status = dcerpc_samr_LookupNames(p, tctx, &n);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("LookupNames failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "LookupNames failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
  
-       printf("Testing LookupRids\n");
+       torture_comment(tctx, "Testing LookupRids\n");
         lr.in.domain_handle = handle;
         lr.in.num_rids = sam->count;
         lr.in.rids = talloc_array(tctx, uint32_t, sam->count);
@@ -4651,7 +5013,7 @@ static bool test_EnumDomainUsers_async(struct dcerpc_pipe *p, struct torture_con
         for (i=0;i<ASYNC_COUNT;i++) {
                 status = dcerpc_ndr_request_recv(req[i]);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("EnumDomainUsers[%d] failed - %s\n",
+                       torture_warning(tctx, "EnumDomainUsers[%d] failed - %s\n",
                                i, nt_errstr(status));
                         return false;
                 }
@@ -4662,9 +5024,9 @@ static bool test_EnumDomainUsers_async(struct dcerpc_pipe *p, struct torture_con
         return true;
  }
  
-static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
-                                 struct torture_context *tctx,
-                                 struct policy_handle *handle)
+static bool test_EnumDomainGroups_all(struct dcerpc_pipe *p,
+                                     struct torture_context *tctx,
+                                     struct policy_handle *handle)
  {
         NTSTATUS status;
         struct samr_EnumDomainGroups r;
@@ -4674,7 +5036,7 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
         int i;
         bool ret = true;
  
-       printf("Testing EnumDomainGroups\n");
+       torture_comment(tctx, "Testing EnumDomainGroups\n");
  
         r.in.domain_handle = handle;
         r.in.resume_handle = &resume_handle;
@@ -4685,7 +5047,7 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
  
         status = dcerpc_samr_EnumDomainGroups(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("EnumDomainGroups failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "EnumDomainGroups failed - %s\n", nt_errstr(status));
                 return false;
         }
  
@@ -4702,9 +5064,9 @@ static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
         return ret;
  }
  
-static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
-                                  struct torture_context *tctx,
-                                  struct policy_handle *handle)
+static bool test_EnumDomainAliases_all(struct dcerpc_pipe *p,
+                                      struct torture_context *tctx,
+                                      struct policy_handle *handle)
  {
         NTSTATUS status;
         struct samr_EnumDomainAliases r;
@@ -4714,7 +5076,7 @@ static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
         int i;
         bool ret = true;
  
-       printf("Testing EnumDomainAliases\n");
+       torture_comment(tctx, "Testing EnumDomainAliases\n");
  
         r.in.domain_handle = handle;
         r.in.resume_handle = &resume_handle;
@@ -4725,7 +5087,7 @@ static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
  
         status = dcerpc_samr_EnumDomainAliases(p, tctx, &r);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("EnumDomainAliases failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "EnumDomainAliases failed - %s\n", nt_errstr(status));
                 return false;
         }
  
@@ -4756,7 +5118,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_pipe *p,
         int i;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing GetDisplayEnumerationIndex level %u\n", levels[i]);
+               torture_comment(tctx, "Testing GetDisplayEnumerationIndex level %u\n", levels[i]);
  
                 init_lsa_String(&name, TEST_ACCOUNT_NAME);
  
@@ -4770,7 +5132,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_pipe *p,
                 if (ok_lvl[i] &&
                     !NT_STATUS_IS_OK(status) &&
                     !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, status)) {
-                       printf("GetDisplayEnumerationIndex level %u failed - %s\n",
+                       torture_warning(tctx, "GetDisplayEnumerationIndex level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4780,7 +5142,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_pipe *p,
                 status = dcerpc_samr_GetDisplayEnumerationIndex(p, tctx, &r);
  
                 if (ok_lvl[i] && !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, status)) {
-                       printf("GetDisplayEnumerationIndex level %u failed - %s\n",
+                       torture_warning(tctx, "GetDisplayEnumerationIndex level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4803,7 +5165,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p,
         int i;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing GetDisplayEnumerationIndex2 level %u\n", levels[i]);
+               torture_comment(tctx, "Testing GetDisplayEnumerationIndex2 level %u\n", levels[i]);
  
                 init_lsa_String(&name, TEST_ACCOUNT_NAME);
  
@@ -4816,7 +5178,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p,
                 if (ok_lvl[i] &&
                     !NT_STATUS_IS_OK(status) &&
                     !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, status)) {
-                       printf("GetDisplayEnumerationIndex2 level %u failed - %s\n",
+                       torture_warning(tctx, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4825,7 +5187,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_GetDisplayEnumerationIndex2(p, tctx, &r);
                 if (ok_lvl[i] && !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, status)) {
-                       printf("GetDisplayEnumerationIndex2 level %u failed - %s\n",
+                       torture_warning(tctx, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -4838,13 +5200,13 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_pipe *p,
         if (s1.string == NULL && s2.string != NULL && s2.string[0] == '\0') { \
                 /* odd, but valid */                                            \
         } else if ((s1.string && !s2.string) || (s2.string && !s1.string) || strcmp(s1.string, s2.string)) { \
-                       printf("%s mismatch for %s: %s != %s (%s)\n", \
+                       torture_warning(tctx, "%s mismatch for %s: %s != %s (%s)\n", \
                                #s1, user.string,  s1.string, s2.string, __location__);   \
                         ret = false; \
         }
  #define INT_EQUAL_QUERY(s1, s2, user)          \
                 if (s1 != s2) { \
-                       printf("%s mismatch for %s: 0x%llx != 0x%llx (%s)\n", \
+                       torture_warning(tctx, "%s mismatch for %s: 0x%llx != 0x%llx (%s)\n", \
                                #s1, user.string, (unsigned long long)s1, (unsigned long long)s2, __location__); \
                         ret = false; \
                 }
@@ -4891,7 +5253,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p,
                 case 2:
                         status = dcerpc_samr_OpenUser(p, tctx, &r);
                         if (!NT_STATUS_IS_OK(status)) {
-                               printf("OpenUser(%u) failed - %s\n", r.in.rid, nt_errstr(status));
+                               torture_warning(tctx, "OpenUser(%u) failed - %s\n", r.in.rid, nt_errstr(status));
                                 return false;
                         }
                 }
@@ -4901,7 +5263,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p,
                 q.out.info = &info;
                 status = dcerpc_samr_QueryUserInfo(p, tctx, &q);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryUserInfo(%u) failed - %s\n", r.in.rid, nt_errstr(status));
+                       torture_warning(tctx, "QueryUserInfo(%u) failed - %s\n", r.in.rid, nt_errstr(status));
                         return false;
                 }
  
@@ -4933,12 +5295,12 @@ static bool test_each_DisplayInfo_user(struct dcerpc_pipe *p,
                                         info->info21.acct_flags, info->info21.account_name);
  
                         if (!(querydisplayinfo->out.info->info2.entries[i].acct_flags & ACB_NORMAL)) {
-                               printf("Missing ACB_NORMAL in querydisplayinfo->out.info.info2.entries[i].acct_flags on %s\n",
+                               torture_warning(tctx, "Missing ACB_NORMAL in querydisplayinfo->out.info.info2.entries[i].acct_flags on %s\n",
                                        info->info21.account_name.string);
                         }
  
                         if (!(info->info21.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST))) {
-                               printf("Found non-trust account %s in trust account listing: 0x%x 0x%x\n",
+                               torture_warning(tctx, "Found non-trust account %s in trust account listing: 0x%x 0x%x\n",
                                        info->info21.account_name.string,
                                        querydisplayinfo->out.info->info2.entries[i].acct_flags,
                                        info->info21.acct_flags);
@@ -4973,7 +5335,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
  
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryDisplayInfo level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryDisplayInfo level %u\n", levels[i]);
  
                 r.in.start_idx = 0;
                 status = STATUS_MORE_ENTRIES;
@@ -4988,7 +5350,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
  
                         status = dcerpc_samr_QueryDisplayInfo(p, tctx, &r);
                         if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) && !NT_STATUS_IS_OK(status)) {
-                               printf("QueryDisplayInfo level %u failed - %s\n",
+                               torture_warning(tctx, "QueryDisplayInfo level %u failed - %s\n",
                                        levels[i], nt_errstr(status));
                                 ret = false;
                         }
@@ -5023,7 +5385,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
                 /* Check number of users returned is correct */
                 status = dcerpc_samr_QueryDomainInfo(p, tctx, &dom_info);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDomainInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
                                r.in.level, nt_errstr(status));
                                 ret = false;
                                 break;
@@ -5032,7 +5394,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
                 case 1:
                 case 4:
                         if (info->general.num_users < r.in.start_idx) {
-                               printf("QueryDomainInfo indicates that QueryDisplayInfo returned more users (%d/%d) than the domain %s is said to contain!\n",
+                               torture_warning(tctx, "QueryDomainInfo indicates that QueryDisplayInfo returned more users (%d/%d) than the domain %s is said to contain!\n",
                                        r.in.start_idx, info->general.num_groups,
                                        info->general.domain_name.string);
                                 ret = false;
@@ -5040,7 +5402,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
                         if (!seen_testuser) {
                                 struct policy_handle user_handle;
                                 if (NT_STATUS_IS_OK(test_OpenUser_byname(p, tctx, handle, TEST_ACCOUNT_NAME, &user_handle))) {
-                                       printf("Didn't find test user " TEST_ACCOUNT_NAME " in enumeration of %s\n",
+                                       torture_warning(tctx, "Didn't find test user " TEST_ACCOUNT_NAME " in enumeration of %s\n",
                                                info->general.domain_name.string);
                                         ret = false;
                                         test_samr_handle_Close(p, tctx, &user_handle);
@@ -5050,7 +5412,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_pipe *p,
                 case 3:
                 case 5:
                         if (info->general.num_groups != r.in.start_idx) {
-                               printf("QueryDomainInfo indicates that QueryDisplayInfo didn't return all (%d/%d) the groups in %s\n",
+                               torture_warning(tctx, "QueryDomainInfo indicates that QueryDisplayInfo didn't return all (%d/%d) the groups in %s\n",
                                        r.in.start_idx, info->general.num_groups,
                                        info->general.domain_name.string);
                                 ret = false;
@@ -5078,7 +5440,7 @@ static bool test_QueryDisplayInfo2(struct dcerpc_pipe *p,
         union samr_DispInfo info;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryDisplayInfo2 level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryDisplayInfo2 level %u\n", levels[i]);
  
                 r.in.domain_handle = handle;
                 r.in.level = levels[i];
@@ -5091,7 +5453,7 @@ static bool test_QueryDisplayInfo2(struct dcerpc_pipe *p,
  
                 status = dcerpc_samr_QueryDisplayInfo2(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDisplayInfo2 level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDisplayInfo2 level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -5126,7 +5488,7 @@ static bool test_QueryDisplayInfo3(struct dcerpc_pipe *p, struct torture_context
  
                 status = dcerpc_samr_QueryDisplayInfo3(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDisplayInfo3 level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDisplayInfo3 level %u failed - %s\n",
                                levels[i], nt_errstr(status));
                         ret = false;
                 }
@@ -5147,7 +5509,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p,
         uint32_t returned_size;
         union samr_DispInfo info;
  
-       printf("Testing QueryDisplayInfo continuation\n");
+       torture_comment(tctx, "Testing QueryDisplayInfo continuation\n");
  
         r.in.domain_handle = handle;
         r.in.level = 1;
@@ -5162,7 +5524,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p,
                 status = dcerpc_samr_QueryDisplayInfo(p, tctx, &r);
                 if (NT_STATUS_IS_OK(status) && *r.out.returned_size != 0) {
                         if (r.out.info->info1.entries[0].idx != r.in.start_idx + 1) {
-                               printf("expected idx %d but got %d\n",
+                               torture_warning(tctx, "expected idx %d but got %d\n",
                                        r.in.start_idx + 1,
                                        r.out.info->info1.entries[0].idx);
                                 break;
@@ -5170,7 +5532,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_pipe *p,
                 }
                 if (!NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES) &&
                     !NT_STATUS_IS_OK(status)) {
-                       printf("QueryDisplayInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDisplayInfo level %u failed - %s\n",
                                r.in.level, nt_errstr(status));
                         ret = false;
                         break;
@@ -5205,7 +5567,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context *
         s.in.info->oem.oem_information.string = domain_comment;
         status = dcerpc_samr_SetDomainInfo(p, tctx, &s);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("SetDomainInfo level %u (set comment) failed - %s\n",
+               torture_warning(tctx, "SetDomainInfo level %u (set comment) failed - %s\n",
                        s.in.level, nt_errstr(status));
                 return false;
         }
@@ -5219,7 +5581,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context *
  
                 status = dcerpc_samr_QueryDomainInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDomainInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
                                r.in.level, nt_errstr(status));
                         ret = false;
                         continue;
@@ -5228,40 +5590,46 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context *
                 switch (levels[i]) {
                 case 2:
                         if (strcmp(info->general.oem_information.string, domain_comment) != 0) {
-                               printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
+                               torture_warning(tctx, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
                                        levels[i], info->general.oem_information.string, domain_comment);
-                               ret = false;
+                               if (!torture_setting_bool(tctx, "samba3", false)) {
+                                       ret = false;
+                               }
                         }
                         if (!info->general.primary.string) {
-                               printf("QueryDomainInfo level %u returned no PDC name\n",
+                               torture_warning(tctx, "QueryDomainInfo level %u returned no PDC name\n",
                                        levels[i]);
                                 ret = false;
                         } else if (info->general.role == SAMR_ROLE_DOMAIN_PDC) {
                                 if (dcerpc_server_name(p) && strcasecmp_m(dcerpc_server_name(p), info->general.primary.string) != 0) {
-                                       printf("QueryDomainInfo level %u returned different PDC name (%s) compared to server name (%s), despite claiming to be the PDC\n",
+                                       torture_warning(tctx, "QueryDomainInfo level %u returned different PDC name (%s) compared to server name (%s), despite claiming to be the PDC\n",
                                                levels[i], info->general.primary.string, dcerpc_server_name(p));
                                 }
                         }
                         break;
                 case 4:
                         if (strcmp(info->oem.oem_information.string, domain_comment) != 0) {
-                               printf("QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
+                               torture_warning(tctx, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
                                        levels[i], info->oem.oem_information.string, domain_comment);
-                               ret = false;
+                               if (!torture_setting_bool(tctx, "samba3", false)) {
+                                       ret = false;
+                               }
                         }
                         break;
                 case 6:
                         if (!info->info6.primary.string) {
-                               printf("QueryDomainInfo level %u returned no PDC name\n",
+                               torture_warning(tctx, "QueryDomainInfo level %u returned no PDC name\n",
                                        levels[i]);
                                 ret = false;
                         }
                         break;
                 case 11:
                         if (strcmp(info->general2.general.oem_information.string, domain_comment) != 0) {
-                               printf("QueryDomainInfo level %u returned different comment (%s, expected %s)\n",
+                               torture_warning(tctx, "QueryDomainInfo level %u returned different comment (%s, expected %s)\n",
                                        levels[i], info->general2.general.oem_information.string, domain_comment);
-                               ret = false;
+                               if (!torture_setting_bool(tctx, "samba3", false)) {
+                                       ret = false;
+                               }
                         }
                         break;
                 }
@@ -5275,14 +5643,14 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context *
                 status = dcerpc_samr_SetDomainInfo(p, tctx, &s);
                 if (set_ok[i]) {
                         if (!NT_STATUS_IS_OK(status)) {
-                               printf("SetDomainInfo level %u failed - %s\n",
+                               torture_warning(tctx, "SetDomainInfo level %u failed - %s\n",
                                        r.in.level, nt_errstr(status));
                                 ret = false;
                                 continue;
                         }
                 } else {
                         if (!NT_STATUS_EQUAL(NT_STATUS_INVALID_INFO_CLASS, status)) {
-                               printf("SetDomainInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
+                               torture_warning(tctx, "SetDomainInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
                                        r.in.level, nt_errstr(status));
                                 ret = false;
                                 continue;
@@ -5291,7 +5659,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p, struct torture_context *
  
                 status = dcerpc_samr_QueryDomainInfo(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDomainInfo level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
                                r.in.level, nt_errstr(status));
                         ret = false;
                         continue;
@@ -5313,7 +5681,7 @@ static bool test_QueryDomainInfo2(struct dcerpc_pipe *p, struct torture_context
         bool ret = true;
  
         for (i=0;i<ARRAY_SIZE(levels);i++) {
-               printf("Testing QueryDomainInfo2 level %u\n", levels[i]);
+               torture_comment(tctx, "Testing QueryDomainInfo2 level %u\n", levels[i]);
  
                 r.in.domain_handle = handle;
                 r.in.level = levels[i];
@@ -5321,7 +5689,7 @@ static bool test_QueryDomainInfo2(struct dcerpc_pipe *p, struct torture_context
  
                 status = dcerpc_samr_QueryDomainInfo2(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("QueryDomainInfo2 level %u failed - %s\n",
+                       torture_warning(tctx, "QueryDomainInfo2 level %u failed - %s\n",
                                r.in.level, nt_errstr(status));
                         ret = false;
                         continue;
@@ -5411,7 +5779,7 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx,
                         }
  
                         if (!found) {
-                               printf("QueryDisplayInfo gave name [%s] that EnumDomainGroups did not\n",
+                               torture_warning(tctx, "QueryDisplayInfo gave name [%s] that EnumDomainGroups did not\n",
                                        name);
                                 ret = false;
                         }
@@ -5420,14 +5788,14 @@ static bool test_GroupList(struct dcerpc_pipe *p, struct torture_context *tctx,
         }
  
         if (!NT_STATUS_IS_OK(status)) {
-               printf("QueryDisplayInfo level 5 failed - %s\n",
+               torture_warning(tctx, "QueryDisplayInfo level 5 failed - %s\n",
                        nt_errstr(status));
                 ret = false;
         }
  
         for (i=0; i<num_names; i++) {
                 if (names[i] != NULL) {
-                       printf("EnumDomainGroups gave name [%s] that QueryDisplayInfo did not\n",
+                       torture_warning(tctx, "EnumDomainGroups gave name [%s] that QueryDisplayInfo did not\n",
                                names[i]);
                         ret = false;
                 }
@@ -5491,13 +5859,13 @@ static bool test_RidToSid(struct dcerpc_pipe *p, struct torture_context *tctx,
  
                 status = dcerpc_samr_RidToSid(p, tctx, &r);
                 if (!NT_STATUS_IS_OK(status)) {
-                       printf("RidToSid for %d failed - %s\n", rids[i], nt_errstr(status));
+                       torture_warning(tctx, "RidToSid for %d failed - %s\n", rids[i], nt_errstr(status));
                         ret = false;
                 } else {
                         calc_sid = dom_sid_add_rid(calc_sid, calc_sid, rids[i]);
  
                         if (!dom_sid_equal(calc_sid, out_sid)) {
-                               printf("RidToSid for %d failed - got %s, expected %s\n", rids[i],
+                               torture_warning(tctx, "RidToSid for %d failed - got %s, expected %s\n", rids[i],
                                        dom_sid_string(tctx, out_sid),
                                        dom_sid_string(tctx, calc_sid));
                                 ret = false;
@@ -5541,6 +5909,8 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
         struct samr_RidTypeArray *rids = NULL;
         struct samr_SetMemberAttributesOfGroup s;
         uint32_t rid;
+       bool found_member = false;
+       int i;
  
         status = test_LookupName(p, tctx, domain_handle, TEST_ACCOUNT_NAME, &rid);
         torture_assert_ntstatus_ok(tctx, status, "test_AddGroupMember looking up name " TEST_ACCOUNT_NAME);
@@ -5549,7 +5919,7 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
         r.in.rid = rid;
         r.in.flags = 0; /* ??? */
  
-       torture_comment(tctx, "Testing AddGroupMember and DeleteGroupMember\n");
+       torture_comment(tctx, "Testing AddGroupMember, QueryGroupMember and DeleteGroupMember\n");
  
         d.in.group_handle = group_handle;
         d.in.rid = rid;
@@ -5563,8 +5933,9 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
         status = dcerpc_samr_AddGroupMember(p, tctx, &r);
         torture_assert_ntstatus_equal(tctx, NT_STATUS_MEMBER_IN_GROUP, status, "AddGroupMember");
  
-       if (torture_setting_bool(tctx, "samba4", false)) {
-               torture_comment(tctx, "skipping SetMemberAttributesOfGroup test against Samba4\n");
+       if (torture_setting_bool(tctx, "samba4", false) ||
+           torture_setting_bool(tctx, "samba3", false)) {
+               torture_comment(tctx, "skipping SetMemberAttributesOfGroup test against Samba\n");
         } else {
                 /* this one is quite strange. I am using random inputs in the
                    hope of triggering an error that might give us a clue */
@@ -5582,10 +5953,34 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
  
         status = dcerpc_samr_QueryGroupMember(p, tctx, &q);
         torture_assert_ntstatus_ok(tctx, status, "QueryGroupMember");
+       torture_assert(tctx, rids, "QueryGroupMember did not fill in rids structure");
+
+       for (i=0; i < rids->count; i++) {
+               if (rids->rids[i] == rid) {
+                       found_member = true;
+               }
+       }
+
+       torture_assert(tctx, found_member, "QueryGroupMember did not list newly added member");
  
         status = dcerpc_samr_DeleteGroupMember(p, tctx, &d);
         torture_assert_ntstatus_ok(tctx, status, "DeleteGroupMember");
  
+       rids = NULL;
+       found_member = false;
+
+       status = dcerpc_samr_QueryGroupMember(p, tctx, &q);
+       torture_assert_ntstatus_ok(tctx, status, "QueryGroupMember");
+       torture_assert(tctx, rids, "QueryGroupMember did not fill in rids structure");
+
+       for (i=0; i < rids->count; i++) {
+               if (rids->rids[i] == rid) {
+                       found_member = true;
+               }
+       }
+
+       torture_assert(tctx, !found_member, "QueryGroupMember does still list removed member");
+
         status = dcerpc_samr_AddGroupMember(p, tctx, &r);
         torture_assert_ntstatus_ok(tctx, status, "AddGroupMember");
  
@@ -5594,10 +5989,12 @@ static bool test_AddGroupMember(struct dcerpc_pipe *p, struct torture_context *t
  
  
  static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
-                                                                  struct torture_context *tctx,
+                                  struct torture_context *tctx,
                                    struct policy_handle *domain_handle,
+                                  const char *group_name,
                                    struct policy_handle *group_handle,
-                                  struct dom_sid *domain_sid)
+                                  struct dom_sid *domain_sid,
+                                  bool test_group)
  {
         NTSTATUS status;
         struct samr_CreateDomainGroup r;
@@ -5605,7 +6002,7 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
         struct lsa_String name;
         bool ret = true;
  
-       init_lsa_String(&name, TEST_GROUPNAME);
+       init_lsa_String(&name, group_name);
  
         r.in.domain_handle = domain_handle;
         r.in.name = &name;
@@ -5613,7 +6010,7 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
         r.out.group_handle = group_handle;
         r.out.rid = &rid;
  
-       printf("Testing CreateDomainGroup(%s)\n", r.in.name->string);
+       torture_comment(tctx, "Testing CreateDomainGroup(%s)\n", r.in.name->string);
  
         status = dcerpc_samr_CreateDomainGroup(p, tctx, &r);
  
@@ -5622,7 +6019,7 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
                         torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.name->string);
                         return true;
                 } else {
-                       printf("Server should have refused create of '%s', got %s instead\n", r.in.name->string,
+                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.name->string,
                                nt_errstr(status));
                         return false;
                 }
@@ -5630,7 +6027,7 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
  
         if (NT_STATUS_EQUAL(status, NT_STATUS_GROUP_EXISTS)) {
                 if (!test_DeleteGroup_byname(p, tctx, domain_handle, r.in.name->string)) {
-                       printf("CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
+                       torture_warning(tctx, "CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
                                nt_errstr(status));
                         return false;
                 }
@@ -5639,7 +6036,7 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
                 if (!test_DeleteUser_byname(p, tctx, domain_handle, r.in.name->string)) {
  
-                       printf("CreateDomainGroup failed: Could not delete user %s - %s\n", r.in.name->string,
+                       torture_warning(tctx, "CreateDomainGroup failed: Could not delete user %s - %s\n", r.in.name->string,
                                nt_errstr(status));
                         return false;
                 }
@@ -5647,8 +6044,12 @@ static bool test_CreateDomainGroup(struct dcerpc_pipe *p,
         }
         torture_assert_ntstatus_ok(tctx, status, "CreateDomainGroup");
  
+       if (!test_group) {
+               return ret;
+       }
+
         if (!test_AddGroupMember(p, tctx, domain_handle, group_handle)) {
-               printf("CreateDomainGroup failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "CreateDomainGroup failed - %s\n", nt_errstr(status));
                 ret = false;
         }
  
@@ -5679,8 +6080,340 @@ static bool test_RemoveMemberFromForeignDomain(struct dcerpc_pipe *p,
         return true;
  }
  
+static bool test_EnumDomainUsers(struct dcerpc_pipe *p,
+                                struct torture_context *tctx,
+                                struct policy_handle *domain_handle,
+                                uint32_t *total_num_entries_p)
+{
+       NTSTATUS status;
+       struct samr_EnumDomainUsers r;
+       uint32_t resume_handle = 0;
+       uint32_t num_entries = 0;
+       uint32_t total_num_entries = 0;
+       struct samr_SamArray *sam;
+
+       r.in.domain_handle = domain_handle;
+       r.in.acct_flags = 0;
+       r.in.max_size = (uint32_t)-1;
+       r.in.resume_handle = &resume_handle;
+
+       r.out.sam = &sam;
+       r.out.num_entries = &num_entries;
+       r.out.resume_handle = &resume_handle;
+
+       torture_comment(tctx, "Testing EnumDomainUsers\n");
+
+       do {
+               status = dcerpc_samr_EnumDomainUsers(p, tctx, &r);
+               if (NT_STATUS_IS_ERR(status)) {
+                       torture_assert_ntstatus_ok(tctx, status,
+                               "failed to enumerate users");
+               }
+
+               total_num_entries += num_entries;
+       } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+       if (total_num_entries_p) {
+               *total_num_entries_p = total_num_entries;
+       }
+
+       return true;
+}
+
+static bool test_EnumDomainGroups(struct dcerpc_pipe *p,
+                                 struct torture_context *tctx,
+                                 struct policy_handle *domain_handle,
+                                 uint32_t *total_num_entries_p)
+{
+       NTSTATUS status;
+       struct samr_EnumDomainGroups r;
+       uint32_t resume_handle = 0;
+       uint32_t num_entries = 0;
+       uint32_t total_num_entries = 0;
+       struct samr_SamArray *sam;
+
+       r.in.domain_handle = domain_handle;
+       r.in.max_size = (uint32_t)-1;
+       r.in.resume_handle = &resume_handle;
+
+       r.out.sam = &sam;
+       r.out.num_entries = &num_entries;
+       r.out.resume_handle = &resume_handle;
+
+       torture_comment(tctx, "Testing EnumDomainGroups\n");
+
+       do {
+               status = dcerpc_samr_EnumDomainGroups(p, tctx, &r);
+               if (NT_STATUS_IS_ERR(status)) {
+                       torture_assert_ntstatus_ok(tctx, status,
+                               "failed to enumerate groups");
+               }
+
+               total_num_entries += num_entries;
+       } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+       if (total_num_entries_p) {
+               *total_num_entries_p = total_num_entries;
+       }
+
+       return true;
+}
+
+static bool test_EnumDomainAliases(struct dcerpc_pipe *p,
+                                  struct torture_context *tctx,
+                                  struct policy_handle *domain_handle,
+                                  uint32_t *total_num_entries_p)
+{
+       NTSTATUS status;
+       struct samr_EnumDomainAliases r;
+       uint32_t resume_handle = 0;
+       uint32_t num_entries = 0;
+       uint32_t total_num_entries = 0;
+       struct samr_SamArray *sam;
+
+       r.in.domain_handle = domain_handle;
+       r.in.max_size = (uint32_t)-1;
+       r.in.resume_handle = &resume_handle;
+
+       r.out.sam = &sam;
+       r.out.num_entries = &num_entries;
+       r.out.resume_handle = &resume_handle;
+
+       torture_comment(tctx, "Testing EnumDomainAliases\n");
+
+       do {
+               status = dcerpc_samr_EnumDomainAliases(p, tctx, &r);
+               if (NT_STATUS_IS_ERR(status)) {
+                       torture_assert_ntstatus_ok(tctx, status,
+                               "failed to enumerate aliases");
+               }
+
+               total_num_entries += num_entries;
+       } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+       if (total_num_entries_p) {
+               *total_num_entries_p = total_num_entries;
+       }
+
+       return true;
+}
+
+static bool test_QueryDisplayInfo_level(struct dcerpc_pipe *p,
+                                       struct torture_context *tctx,
+                                       struct policy_handle *handle,
+                                       uint16_t level,
+                                       uint32_t *total_num_entries_p)
+{
+       NTSTATUS status;
+       struct samr_QueryDisplayInfo r;
+       uint32_t total_num_entries = 0;
+
+       r.in.domain_handle = handle;
+       r.in.level = level;
+       r.in.start_idx = 0;
+       r.in.max_entries = (uint32_t)-1;
+       r.in.buf_size = (uint32_t)-1;
+
+       torture_comment(tctx, "Testing QueryDisplayInfo\n");
+
+       do {
+               uint32_t total_size;
+               uint32_t returned_size;
+               union samr_DispInfo info;
+
+               r.out.total_size = &total_size;
+               r.out.returned_size = &returned_size;
+               r.out.info = &info;
+
+               status = dcerpc_samr_QueryDisplayInfo(p, tctx, &r);
+               if (NT_STATUS_IS_ERR(status)) {
+                       torture_assert_ntstatus_ok(tctx, status,
+                               "failed to query displayinfo");
+               }
+
+               if (*r.out.returned_size == 0) {
+                       break;
+               }
+
+               switch (r.in.level) {
+               case 1:
+                       total_num_entries += info.info1.count;
+                       r.in.start_idx += info.info1.entries[info.info1.count - 1].idx + 1;
+                       break;
+               case 2:
+                       total_num_entries += info.info2.count;
+                       r.in.start_idx += info.info2.entries[info.info2.count - 1].idx + 1;
+                       break;
+               case 3:
+                       total_num_entries += info.info3.count;
+                       r.in.start_idx += info.info3.entries[info.info3.count - 1].idx + 1;
+                       break;
+               case 4:
+                       total_num_entries += info.info4.count;
+                       r.in.start_idx += info.info4.entries[info.info4.count - 1].idx + 1;
+                       break;
+               case 5:
+                       total_num_entries += info.info5.count;
+                       r.in.start_idx += info.info5.entries[info.info5.count - 1].idx + 1;
+                       break;
+               default:
+                       return false;
+               }
+
+       } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
+
+       if (total_num_entries_p) {
+               *total_num_entries_p = total_num_entries;
+       }
+
+       return true;
+}
+
+static bool test_ManyObjects(struct dcerpc_pipe *p,
+                            struct torture_context *tctx,
+                            struct policy_handle *domain_handle,
+                            struct dom_sid *domain_sid,
+                            enum torture_samr_choice which_ops)
+{
+       uint32_t num_total = 1500;
+       uint32_t num_enum = 0;
+       uint32_t num_disp = 0;
+       uint32_t num_created = 0;
+       uint32_t num_anounced = 0;
+       bool ret = true;
+       NTSTATUS status;
+       uint32_t i;
+
+       struct policy_handle *handles = talloc_zero_array(tctx, struct policy_handle, num_total);
+
+       /* query */
+
+       {
+               struct samr_QueryDomainInfo2 r;
+               union samr_DomainInfo *info;
+               r.in.domain_handle = domain_handle;
+               r.in.level = 2;
+               r.out.info = &info;
+
+               status = dcerpc_samr_QueryDomainInfo2(p, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status,
+                       "failed to query domain info");
+
+               switch (which_ops) {
+               case TORTURE_SAMR_MANY_ACCOUNTS:
+                       num_anounced = info->general.num_users;
+                       break;
+               case TORTURE_SAMR_MANY_GROUPS:
+                       num_anounced = info->general.num_groups;
+                       break;
+               case TORTURE_SAMR_MANY_ALIASES:
+                       num_anounced = info->general.num_aliases;
+                       break;
+               default:
+                       return false;
+               }
+       }
+
+       /* create */
+
+       for (i=0; i < num_total; i++) {
+
+               const char *name = NULL;
+
+               switch (which_ops) {
+               case TORTURE_SAMR_MANY_ACCOUNTS:
+                       name = talloc_asprintf(tctx, "%s%04d", TEST_ACCOUNT_NAME, i);
+                       ret &= test_CreateUser(p, tctx, domain_handle, name, &handles[i], domain_sid, 0, NULL, false);
+                       break;
+               case TORTURE_SAMR_MANY_GROUPS:
+                       name = talloc_asprintf(tctx, "%s%04d", TEST_GROUPNAME, i);
+                       ret &= test_CreateDomainGroup(p, tctx, domain_handle, name, &handles[i], domain_sid, false);
+                       break;
+               case TORTURE_SAMR_MANY_ALIASES:
+                       name = talloc_asprintf(tctx, "%s%04d", TEST_ALIASNAME, i);
+                       ret &= test_CreateAlias(p, tctx, domain_handle, name, &handles[i], domain_sid, false);
+                       break;
+               default:
+                       return false;
+               }
+               if (!policy_handle_empty(&handles[i])) {
+                       num_created++;
+               }
+       }
+
+       /* enum */
+
+       switch (which_ops) {
+       case TORTURE_SAMR_MANY_ACCOUNTS:
+               ret &= test_EnumDomainUsers(p, tctx, domain_handle, &num_enum);
+               break;
+       case TORTURE_SAMR_MANY_GROUPS:
+               ret &= test_EnumDomainGroups(p, tctx, domain_handle, &num_enum);
+               break;
+       case TORTURE_SAMR_MANY_ALIASES:
+               ret &= test_EnumDomainAliases(p, tctx, domain_handle, &num_enum);
+               break;
+       default:
+               return false;
+       }
+
+       /* dispinfo */
+
+       switch (which_ops) {
+       case TORTURE_SAMR_MANY_ACCOUNTS:
+               ret &= test_QueryDisplayInfo_level(p, tctx, domain_handle, 1, &num_disp);
+               break;
+       case TORTURE_SAMR_MANY_GROUPS:
+               ret &= test_QueryDisplayInfo_level(p, tctx, domain_handle, 3, &num_disp);
+               break;
+       case TORTURE_SAMR_MANY_ALIASES:
+               /* no aliases in dispinfo */
+               break;
+       default:
+               return false;
+       }
+
+       /* close or delete */
+
+       for (i=0; i < num_total; i++) {
+
+               if (policy_handle_empty(&handles[i])) {
+                       continue;
+               }
+
+               if (torture_setting_bool(tctx, "samba3", false)) {
+                       ret &= test_samr_handle_Close(p, tctx, &handles[i]);
+               } else {
+                       switch (which_ops) {
+                       case TORTURE_SAMR_MANY_ACCOUNTS:
+                               ret &= test_DeleteUser(p, tctx, &handles[i]);
+                               break;
+                       case TORTURE_SAMR_MANY_GROUPS:
+                               ret &= test_DeleteDomainGroup(p, tctx, &handles[i]);
+                               break;
+                       case TORTURE_SAMR_MANY_ALIASES:
+                               ret &= test_DeleteAlias(p, tctx, &handles[i]);
+                               break;
+                       default:
+                               return false;
+                       }
+               }
+       }
+
+       talloc_free(handles);
+
+       if (which_ops == TORTURE_SAMR_MANY_ACCOUNTS && num_enum != num_anounced + num_created) {
+               torture_comment(tctx,
+                               "unexpected number of results (%u) returned in enum call, expected %u\n",
+                               num_enum, num_anounced + num_created);
+
+               torture_comment(tctx,
+                               "unexpected number of results (%u) returned in dispinfo, call, expected %u\n",
+                               num_disp, num_anounced + num_created);
+       }
+       return ret;
+}
  
-
  static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
                          struct policy_handle *handle);
  
@@ -5714,47 +6447,64 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         /* run the domain tests with the main handle closed - this tests
            the servers reference counting */
-       ret &= test_samr_handle_Close(p, tctx, handle);
+       torture_assert(tctx, test_samr_handle_Close(p, tctx, handle), "Failed to close SAMR handle");
  
         switch (which_ops) {
-       case TORTURE_SAMR_USER_ATTRIBUTES:
         case TORTURE_SAMR_PASSWORDS:
+       case TORTURE_SAMR_USER_PRIVILEGES:
+               if (!torture_setting_bool(tctx, "samba3", false)) {
+                       ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
+               }
+               ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
+               if (!ret) {
+                       torture_warning(tctx, "Testing PASSWORDS or PRIVILEGES on domain %s failed!\n", dom_sid_string(tctx, sid));
+               }
+               break;
+       case TORTURE_SAMR_USER_ATTRIBUTES:
                 if (!torture_setting_bool(tctx, "samba3", false)) {
                         ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, NULL);
                 }
-               ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
+               ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
                 /* This test needs 'complex' users to validate */
                 ret &= test_QueryDisplayInfo(p, tctx, &domain_handle);
                 if (!ret) {
-                       printf("Testing PASSWORDS or ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_warning(tctx, "Testing ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
                 }
                 break;
         case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
                 if (!torture_setting_bool(tctx, "samba3", false)) {
                         ret &= test_CreateUser2(p, tctx, &domain_handle, sid, which_ops, machine_credentials);
                 }
-               ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, machine_credentials);
+               ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, machine_credentials, true);
                 if (!ret) {
-                       printf("Testing PASSWORDS PWDLASTSET on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_warning(tctx, "Testing PASSWORDS PWDLASTSET on domain %s failed!\n", dom_sid_string(tctx, sid));
+               }
+               break;
+       case TORTURE_SAMR_MANY_ACCOUNTS:
+       case TORTURE_SAMR_MANY_GROUPS:
+       case TORTURE_SAMR_MANY_ALIASES:
+               ret &= test_ManyObjects(p, tctx, &domain_handle, sid, which_ops);
+               if (!ret) {
+                       torture_warning(tctx, "Testing MANY-{ACCOUNTS,GROUPS,ALIASES} on domain %s failed!\n", dom_sid_string(tctx, sid));
                 }
                 break;
         case TORTURE_SAMR_OTHER:
-               ret &= test_CreateUser(p, tctx, &domain_handle, &user_handle, sid, which_ops, NULL);
+               ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, which_ops, NULL, true);
                 if (!ret) {
-                       printf("Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
+                       torture_warning(tctx, "Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
                 }
                 if (!torture_setting_bool(tctx, "samba3", false)) {
                         ret &= test_QuerySecurity(p, tctx, &domain_handle);
                 }
                 ret &= test_RemoveMemberFromForeignDomain(p, tctx, &domain_handle);
-               ret &= test_CreateAlias(p, tctx, &domain_handle, &alias_handle, sid);
-               ret &= test_CreateDomainGroup(p, tctx, &domain_handle, &group_handle, sid);
+               ret &= test_CreateAlias(p, tctx, &domain_handle, TEST_ALIASNAME, &alias_handle, sid, true);
+               ret &= test_CreateDomainGroup(p, tctx, &domain_handle, TEST_GROUPNAME, &group_handle, sid, true);
                 ret &= test_QueryDomainInfo(p, tctx, &domain_handle);
                 ret &= test_QueryDomainInfo2(p, tctx, &domain_handle);
-               ret &= test_EnumDomainUsers(p, tctx, &domain_handle);
+               ret &= test_EnumDomainUsers_all(p, tctx, &domain_handle);
                 ret &= test_EnumDomainUsers_async(p, tctx, &domain_handle);
-               ret &= test_EnumDomainGroups(p, tctx, &domain_handle);
-               ret &= test_EnumDomainAliases(p, tctx, &domain_handle);
+               ret &= test_EnumDomainGroups_all(p, tctx, &domain_handle);
+               ret &= test_EnumDomainAliases_all(p, tctx, &domain_handle);
                 ret &= test_QueryDisplayInfo2(p, tctx, &domain_handle);
                 ret &= test_QueryDisplayInfo3(p, tctx, &domain_handle);
                 ret &= test_QueryDisplayInfo_continue(p, tctx, &domain_handle);
@@ -5790,13 +6540,13 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                 ret = false;
         }
  
-       ret &= test_samr_handle_Close(p, tctx, &domain_handle);
+       torture_assert(tctx, test_samr_handle_Close(p, tctx, &domain_handle), "Failed to close SAMR domain handle");
  
+       torture_assert(tctx, test_Connect(p, tctx, handle), "Faile to re-connect SAMR handle");
         /* reconnect the main handle */
-       ret &= test_Connect(p, tctx, handle);
  
         if (!ret) {
-               printf("Testing domain %s failed!\n", dom_sid_string(tctx, sid));
+               torture_warning(tctx, "Testing domain %s failed!\n", dom_sid_string(tctx, sid));
         }
  
         return ret;
@@ -5948,7 +6698,7 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_Connect3(p, tctx, &r3);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("Connect3 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "Connect3 failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 if (got_handle) {
@@ -5967,7 +6717,7 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_Connect4(p, tctx, &r4);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("Connect4 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "Connect4 failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 if (got_handle) {
@@ -5992,7 +6742,7 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
  
         status = dcerpc_samr_Connect5(p, tctx, &r5);
         if (!NT_STATUS_IS_OK(status)) {
-               printf("Connect5 failed - %s\n", nt_errstr(status));
+               torture_warning(tctx, "Connect5 failed - %s\n", nt_errstr(status));
                 ret = false;
         } else {
                 if (got_handle) {
@@ -6006,6 +6756,35 @@ static bool test_Connect(struct dcerpc_pipe *p, struct torture_context *tctx,
  }
  
  
+static bool test_samr_ValidatePassword(struct dcerpc_pipe *p, struct torture_context *tctx)
+{
+       struct samr_ValidatePassword r;
+       union samr_ValidatePasswordReq req;
+       union samr_ValidatePasswordRep *repp = NULL;
+       NTSTATUS status;
+       const char *passwords[] = { "penguin", "p@ssw0rd", "p@ssw0rd123$", NULL };
+       int i;
+
+       ZERO_STRUCT(r);
+       r.in.level = NetValidatePasswordReset;
+       r.in.req = &req;
+       r.out.rep = &repp;
+       
+       ZERO_STRUCT(req);
+       req.req3.account.string = "non-existant-account-aklsdji";
+
+       for (i=0; passwords[i]; i++) {
+               req.req3.password.string = passwords[i];
+               status = dcerpc_samr_ValidatePassword(p, tctx, &r);
+               torture_assert_ntstatus_ok(tctx, status, "samr_ValidatePassword");
+               torture_comment(tctx, "Server %s password '%s'\n", 
+                               repp->ctr3.status==SAMR_VALIDATION_STATUS_SUCCESS?"allowed":"refused",
+                               req.req3.password.string);
+       }
+
+       return true;    
+}
+
  bool torture_rpc_samr(struct torture_context *torture)
  {
         NTSTATUS status;
@@ -6018,6 +6797,11 @@ bool torture_rpc_samr(struct torture_context *torture)
                 return false;
         }
  
+
+       if (torture_setting_bool(torture, "dangerous", false)) {
+               ret &= test_samr_ValidatePassword(p, torture);
+       }
+
         ret &= test_Connect(p, torture, &handle);
  
         if (!torture_setting_bool(torture, "samba3", false)) {
@@ -6112,12 +6896,12 @@ static bool torture_rpc_samr_pwdlastset(struct torture_context *torture,
         return ret;
  }
  
-struct torture_suite *torture_rpc_samr_passwords_pwdlastset(struct torture_context *tctx)
+struct torture_suite *torture_rpc_samr_passwords_pwdlastset(TALLOC_CTX *mem_ctx)
  {
-       struct torture_suite *suite = torture_suite_create(tctx, "SAMR-PASSWORDS-PWDLASTSET");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-PWDLASTSET");
         struct torture_rpc_tcase *tcase;
  
-       tcase = torture_suite_add_machine_rpc_iface_tcase(suite, "samr",
+       tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
                                                           &ndr_table_samr,
                                                           TEST_ACCOUNT_NAME_PWD);
  
@@ -6126,3 +6910,138 @@ struct torture_suite *torture_rpc_samr_passwords_pwdlastset(struct torture_conte
  
         return suite;
  }
+
+static bool torture_rpc_samr_users_privileges_delete_user(struct torture_context *torture,
+                                                         struct dcerpc_pipe *p2,
+                                                         struct cli_credentials *machine_credentials)
+{
+       NTSTATUS status;
+       struct dcerpc_pipe *p;
+       bool ret = true;
+       struct policy_handle handle;
+
+       status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+       if (!NT_STATUS_IS_OK(status)) {
+               return false;
+       }
+
+       ret &= test_Connect(p, torture, &handle);
+
+       ret &= test_EnumDomains(p, torture, &handle,
+                               TORTURE_SAMR_USER_PRIVILEGES,
+                               machine_credentials);
+
+       ret &= test_samr_handle_Close(p, torture, &handle);
+
+       return ret;
+}
+
+struct torture_suite *torture_rpc_samr_user_privileges(TALLOC_CTX *mem_ctx)
+{
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-USERS-PRIVILEGES");
+       struct torture_rpc_tcase *tcase;
+
+       tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
+                                                         &ndr_table_samr,
+                                                         TEST_ACCOUNT_NAME_PWD);
+
+       torture_rpc_tcase_add_test_creds(tcase, "delete_privileged_user",
+                                        torture_rpc_samr_users_privileges_delete_user);
+
+       return suite;
+}
+
+static bool torture_rpc_samr_many_accounts(struct torture_context *torture,
+                                          struct dcerpc_pipe *p2,
+                                          struct cli_credentials *machine_credentials)
+{
+       NTSTATUS status;
+       struct dcerpc_pipe *p;
+       bool ret = true;
+       struct policy_handle handle;
+
+       status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+       if (!NT_STATUS_IS_OK(status)) {
+               return false;
+       }
+
+       ret &= test_Connect(p, torture, &handle);
+
+       ret &= test_EnumDomains(p, torture, &handle,
+                               TORTURE_SAMR_MANY_ACCOUNTS,
+                               machine_credentials);
+
+       ret &= test_samr_handle_Close(p, torture, &handle);
+
+       return ret;
+}
+
+static bool torture_rpc_samr_many_groups(struct torture_context *torture,
+                                        struct dcerpc_pipe *p2,
+                                        struct cli_credentials *machine_credentials)
+{
+       NTSTATUS status;
+       struct dcerpc_pipe *p;
+       bool ret = true;
+       struct policy_handle handle;
+
+       status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+       if (!NT_STATUS_IS_OK(status)) {
+               return false;
+       }
+
+       ret &= test_Connect(p, torture, &handle);
+
+       ret &= test_EnumDomains(p, torture, &handle,
+                               TORTURE_SAMR_MANY_GROUPS,
+                               machine_credentials);
+
+       ret &= test_samr_handle_Close(p, torture, &handle);
+
+       return ret;
+}
+
+static bool torture_rpc_samr_many_aliases(struct torture_context *torture,
+                                         struct dcerpc_pipe *p2,
+                                         struct cli_credentials *machine_credentials)
+{
+       NTSTATUS status;
+       struct dcerpc_pipe *p;
+       bool ret = true;
+       struct policy_handle handle;
+
+       status = torture_rpc_connection(torture, &p, &ndr_table_samr);
+       if (!NT_STATUS_IS_OK(status)) {
+               return false;
+       }
+
+       ret &= test_Connect(p, torture, &handle);
+
+       ret &= test_EnumDomains(p, torture, &handle,
+                               TORTURE_SAMR_MANY_ALIASES,
+                               machine_credentials);
+
+       ret &= test_samr_handle_Close(p, torture, &handle);
+
+       return ret;
+}
+
+struct torture_suite *torture_rpc_samr_large_dc(TALLOC_CTX *mem_ctx)
+{
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-LARGE-DC");
+       struct torture_rpc_tcase *tcase;
+
+       tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
+                                                         &ndr_table_samr,
+                                                         TEST_ACCOUNT_NAME);
+
+       torture_rpc_tcase_add_test_creds(tcase, "many_aliases",
+                                        torture_rpc_samr_many_aliases);
+       torture_rpc_tcase_add_test_creds(tcase, "many_groups",
+                                        torture_rpc_samr_many_groups);
+       torture_rpc_tcase_add_test_creds(tcase, "many_accounts",
+                                        torture_rpc_samr_many_accounts);
+
+       return suite;
+}
+