git.samba.org / mat / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
s4-torture: fix some build warnings in rpc samr test.
[mat/samba.git] / source4 / torture / rpc / samr.c
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index bb451cf3292a903eb07cb7d0070846374e8896a5..0cdd242b744239fa845089f61c6958250365b451 100644 (file)
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -4,6 +4,7 @@
 
    Copyright (C) Andrew Tridgell 2003
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003
+   Copyright (C) Jelmer Vernooij 2005-2007
    Copyright (C) Guenther Deschner 2008-2010
 
    This program is free software; you can redistribute it and/or modify
@@ -24,6 +25,7 @@
 #include "torture/torture.h"
 #include <tevent.h>
 #include "system/time.h"
+#include "system/network.h"
 #include "librpc/gen_ndr/lsa.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "librpc/gen_ndr/ndr_netlogon_c.h"
@@ -32,14 +34,12 @@
 #include "../lib/crypto/crypto.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/security/security.h"
-#include "torture/rpc/rpc.h"
+#include "torture/rpc/torture_rpc.h"
 #include "param/param.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 
-#include <unistd.h>
-
 #define TEST_ACCOUNT_NAME "samrtorturetest"
 #define TEST_ACCOUNT_NAME_PWD "samrpwdlastset"
 #define TEST_ALIASNAME "samrtorturetestalias"
@@ -130,7 +130,7 @@ static bool test_Shutdown(struct dcerpc_binding_handle *b,
 
        r.in.connect_handle = handle;
 
-       torture_comment(tctx, "testing samr_Shutdown\n");
+       torture_comment(tctx, "Testing samr_Shutdown\n");
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_Shutdown_r(b, tctx, &r),
                "Shutdown failed");
@@ -159,7 +159,7 @@ static bool test_SetDsrmPassword(struct dcerpc_binding_handle *b,
        r.in.unknown = 0;
        r.in.hash = &hash;
 
-       torture_comment(tctx, "testing samr_SetDsrmPassword\n");
+       torture_comment(tctx, "Testing samr_SetDsrmPassword\n");
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetDsrmPassword_r(b, tctx, &r),
                "SetDsrmPassword failed");
@@ -243,7 +243,7 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_ ##call## _r(b, tctx, &r),\
                        #call " failed"); \
                if (!NT_STATUS_IS_OK(r.out.result)) { \
-                       torture_comment(tctx, #call " level %u failed - %s (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, #call " level %u failed - %s (%s)\n", \
                               r.in.level, nt_errstr(r.out.result), __location__); \
                        ret = false; \
                        break; \
@@ -251,7 +251,7 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
 
 #define STRING_EQUAL(s1, s2, field) \
                if ((s1 && !s2) || (s2 && !s1) || strcmp(s1, s2)) { \
-                       torture_comment(tctx, "Failed to set %s to '%s' (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, "Failed to set %s to '%s' (%s)\n", \
                               #field, s2, __location__); \
                        ret = false; \
                        break; \
@@ -259,7 +259,7 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
 
 #define MEM_EQUAL(s1, s2, length, field) \
                if ((s1 && !s2) || (s2 && !s1) || memcmp(s1, s2, length)) { \
-                       torture_comment(tctx, "Failed to set %s to '%s' (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, "Failed to set %s to '%s' (%s)\n", \
                               #field, (const char *)s2, __location__); \
                        ret = false; \
                        break; \
@@ -267,7 +267,7 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
 
 #define INT_EQUAL(i1, i2, field) \
                if (i1 != i2) { \
-                       torture_comment(tctx, "Failed to set %s to 0x%llx - got 0x%llx (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, "Failed to set %s to 0x%llx - got 0x%llx (%s)\n", \
                               #field, (unsigned long long)i2, (unsigned long long)i1, __location__); \
                        ret = false; \
                        break; \
@@ -363,19 +363,19 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
                           SAMR_FIELD_COMMENT);
 
        test_account_name = talloc_asprintf(tctx, "%sxx7-1", base_account_name);
-       TEST_USERINFO_STRING(7, account_name,  1, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name,  1, account_name, test_account_name, 0);
        test_account_name = talloc_asprintf(tctx, "%sxx7-3", base_account_name);
-       TEST_USERINFO_STRING(7, account_name,  3, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name,  3, account_name, test_account_name, 0);
        test_account_name = talloc_asprintf(tctx, "%sxx7-5", base_account_name);
-       TEST_USERINFO_STRING(7, account_name,  5, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name,  5, account_name, test_account_name, 0);
        test_account_name = talloc_asprintf(tctx, "%sxx7-6", base_account_name);
-       TEST_USERINFO_STRING(7, account_name,  6, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name,  6, account_name, test_account_name, 0);
        test_account_name = talloc_asprintf(tctx, "%sxx7-7", base_account_name);
-       TEST_USERINFO_STRING(7, account_name,  7, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name,  7, account_name, test_account_name, 0);
        test_account_name = talloc_asprintf(tctx, "%sxx7-21", base_account_name);
-       TEST_USERINFO_STRING(7, account_name, 21, account_name, base_account_name, 0);
+       TEST_USERINFO_STRING(7, account_name, 21, account_name, test_account_name, 0);
        test_account_name = base_account_name;
-       TEST_USERINFO_STRING(21, account_name, 21, account_name, base_account_name,
+       TEST_USERINFO_STRING(21, account_name, 21, account_name, test_account_name,
                           SAMR_FIELD_ACCOUNT_NAME);
 
        TEST_USERINFO_STRING(6, full_name,  1, full_name, "xx6-1 full_name", 0);
@@ -456,7 +456,7 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
        TEST_USERINFO_BINARYSTRING(21, parameters, 20, parameters, "",
                           SAMR_FIELD_PARAMETERS);
 
-       /* Samba 3 cannot store country_code and copy_page atm. - gd */
+       /* Samba 3 cannot store country_code and code_page atm. - gd */
        if (!torture_setting_bool(tctx, "samba3", false)) {
                TEST_USERINFO_INT(2, country_code, 2, country_code, __LINE__, 0);
                TEST_USERINFO_INT(2, country_code, 21, country_code, __LINE__, 0);
@@ -537,26 +537,26 @@ static bool test_SetUserInfo(struct dcerpc_binding_handle *b, struct torture_con
 
        /* Samba3 cannot store these atm */
        if (!torture_setting_bool(tctx, "samba3", false)) {
-       /* The 'store plaintext' flag does stick */
-       TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
-                             (base_acct_flags | ACB_DISABLED | ACB_ENC_TXT_PWD_ALLOWED),
-                             (base_acct_flags | ACB_DISABLED | ACB_ENC_TXT_PWD_ALLOWED | user_extra_flags),
-                             0);
-       /* The 'use DES' flag does stick */
-       TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
-                             (base_acct_flags | ACB_DISABLED | ACB_USE_DES_KEY_ONLY),
-                             (base_acct_flags | ACB_DISABLED | ACB_USE_DES_KEY_ONLY | user_extra_flags),
-                             0);
-       /* The 'don't require kerberos pre-authentication flag does stick */
-       TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
-                             (base_acct_flags | ACB_DISABLED | ACB_DONT_REQUIRE_PREAUTH),
-                             (base_acct_flags | ACB_DISABLED | ACB_DONT_REQUIRE_PREAUTH | user_extra_flags),
-                             0);
-       /* The 'no kerberos PAC required' flag sticks */
-       TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
-                             (base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD),
-                             (base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD | user_extra_flags),
-                             0);
+               /* The 'store plaintext' flag does stick */
+               TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
+                                     (base_acct_flags | ACB_DISABLED | ACB_ENC_TXT_PWD_ALLOWED),
+                                     (base_acct_flags | ACB_DISABLED | ACB_ENC_TXT_PWD_ALLOWED | user_extra_flags),
+                                     0);
+               /* The 'use DES' flag does stick */
+               TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
+                                     (base_acct_flags | ACB_DISABLED | ACB_USE_DES_KEY_ONLY),
+                                     (base_acct_flags | ACB_DISABLED | ACB_USE_DES_KEY_ONLY | user_extra_flags),
+                                     0);
+               /* The 'don't require kerberos pre-authentication flag does stick */
+               TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
+                                     (base_acct_flags | ACB_DISABLED | ACB_DONT_REQUIRE_PREAUTH),
+                                     (base_acct_flags | ACB_DISABLED | ACB_DONT_REQUIRE_PREAUTH | user_extra_flags),
+                                     0);
+               /* The 'no kerberos PAC required' flag sticks */
+               TEST_USERINFO_INT_EXP(16, acct_flags, 21, acct_flags,
+                                     (base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD),
+                                     (base_acct_flags | ACB_DISABLED | ACB_NO_AUTH_DATA_REQD | user_extra_flags),
+                                     0);
        }
        TEST_USERINFO_INT_EXP(21, acct_flags, 21, acct_flags,
                              (base_acct_flags | ACB_DISABLED),
@@ -653,7 +653,7 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -664,8 +664,11 @@ static bool test_SetUserPass(struct dcerpc_pipe *p, struct torture_context *tctx
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -712,7 +715,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -723,8 +726,11 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -735,7 +741,7 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -748,8 +754,11 @@ static bool test_SetUserPass_23(struct dcerpc_pipe *p, struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        }
@@ -771,7 +780,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
-       struct MD5Context ctx;
+       MD5_CTX ctx;
        struct samr_GetUserPwInfo pwp;
        struct samr_PwInfo info;
        int policy_min_pw_len = 0;
@@ -798,7 +807,7 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -817,8 +826,11 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -835,8 +847,11 @@ static bool test_SetUserPassEx(struct dcerpc_pipe *p, struct torture_context *tc
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD: %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u should have failed with WRONG_PASSWORD: %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -856,7 +871,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
        bool ret = true;
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-       struct MD5Context ctx;
+       MD5_CTX ctx;
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
@@ -885,7 +900,7 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -904,8 +919,11 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -922,8 +940,11 @@ static bool test_SetUserPass_25(struct dcerpc_pipe *p, struct torture_context *t
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       newpass, nt_errstr(s.out.result));
        if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u should have failed with WRONG_PASSWORD- %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        }
@@ -970,7 +991,7 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -995,7 +1016,7 @@ static bool test_SetUserPass_18(struct dcerpc_pipe *p, struct torture_context *t
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -1058,7 +1079,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -1086,7 +1107,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        } else {
@@ -1101,7 +1122,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                        "SetUserInfo failed");
                if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_INVALID_PARAMETER)) {
-                       torture_warning(tctx, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
                               s.in.level, nt_errstr(s.out.result));
                        ret = false;
                }
@@ -1114,7 +1135,7 @@ static bool test_SetUserPass_21(struct dcerpc_pipe *p, struct torture_context *t
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                        "SetUserInfo failed");
                if (!NT_STATUS_EQUAL(s.out.result, NT_STATUS_INVALID_PARAMETER)) {
-                       torture_warning(tctx, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u should have failed with NT_STATUS_INVALID_PARAMETER - %s\n",
                               s.in.level, nt_errstr(s.out.result));
                        ret = false;
                }
@@ -1140,7 +1161,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
        bool ret = true;
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
-       struct MD5Context ctx;
+       MD5_CTX ctx;
        uint8_t confounder[16];
        char *newpass;
        struct dcerpc_binding_handle *b = p->binding_handle;
@@ -1171,7 +1192,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
        }
 
        if (fields_present & SAMR_FIELD_COMMENT) {
-               comment = talloc_asprintf(tctx, "comment: %ld\n", time(NULL));
+               comment = talloc_asprintf(tctx, "comment: %ld\n", (long int) time(NULL));
        }
 
        ZERO_STRUCT(u);
@@ -1244,7 +1265,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -1311,10 +1332,16 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
        if (use_setinfo2) {
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo2_r(b, tctx, &s2),
                        "SetUserInfo2 failed");
-               status = s2.out.result;
+               torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               newpass, nt_errstr(s2.out.result));
+                       status = s2.out.result;
        } else {
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                        "SetUserInfo failed");
+               torture_comment(tctx, "(%s:%s) new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               newpass, nt_errstr(s.out.result));
                status = s.out.result;
        }
 
@@ -1342,7 +1369,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
        }
 
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo%s level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo%s level %u failed - %s\n",
                       use_setinfo2 ? "2":"", level, nt_errstr(status));
                ret = false;
        } else {
@@ -1383,7 +1410,7 @@ static bool test_SetAliasInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetAliasInfo_r(b, tctx, &r),
                        "SetAliasInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "SetAliasInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "SetAliasInfo level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -1395,7 +1422,7 @@ static bool test_SetAliasInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryAliasInfo_r(b, tctx, &q),
                        "QueryAliasInfo failed");
                if (!NT_STATUS_IS_OK(q.out.result)) {
-                       torture_warning(tctx, "QueryAliasInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryAliasInfo level %u failed - %s\n",
                               levels[i], nt_errstr(q.out.result));
                        ret = false;
                }
@@ -1411,7 +1438,7 @@ static bool test_GetGroupsForUser(struct dcerpc_binding_handle *b,
        struct samr_GetGroupsForUser r;
        struct samr_RidWithAttributeArray *rids = NULL;
 
-       torture_comment(tctx, "testing GetGroupsForUser\n");
+       torture_comment(tctx, "Testing GetGroupsForUser\n");
 
        r.in.user_handle = user_handle;
        r.out.rids = &rids;
@@ -1517,7 +1544,7 @@ static NTSTATUS test_LookupName(struct dcerpc_binding_handle *b,
                return status;
        }
        if (!NT_STATUS_EQUAL(n.out.result, STATUS_SOME_UNMAPPED)) {
-               torture_warning(tctx, "LookupNames[2] failed - %s\n", nt_errstr(n.out.result));
+               torture_result(tctx, TORTURE_FAIL, "LookupNames[2] failed - %s\n", nt_errstr(n.out.result));
                if (NT_STATUS_IS_OK(n.out.result)) {
                        return NT_STATUS_UNSUCCESSFUL;
                }
@@ -1530,7 +1557,7 @@ static NTSTATUS test_LookupName(struct dcerpc_binding_handle *b,
                return status;
        }
        if (!NT_STATUS_IS_OK(n.out.result)) {
-               torture_warning(tctx, "LookupNames[0] failed - %s\n", nt_errstr(status));
+               torture_result(tctx, TORTURE_FAIL, "LookupNames[0] failed - %s\n", nt_errstr(status));
                return n.out.result;
        }
 
@@ -1541,7 +1568,7 @@ static NTSTATUS test_LookupName(struct dcerpc_binding_handle *b,
                return status;
        }
        if (!NT_STATUS_EQUAL(n.out.result, NT_STATUS_NONE_MAPPED)) {
-               torture_warning(tctx, "LookupNames[1 bad name] failed - %s\n", nt_errstr(n.out.result));
+               torture_result(tctx, TORTURE_FAIL, "LookupNames[1 bad name] failed - %s\n", nt_errstr(n.out.result));
                if (NT_STATUS_IS_OK(n.out.result)) {
                        return NT_STATUS_UNSUCCESSFUL;
                }
@@ -1556,7 +1583,7 @@ static NTSTATUS test_LookupName(struct dcerpc_binding_handle *b,
                return status;
        }
        if (!NT_STATUS_EQUAL(n.out.result, NT_STATUS_NONE_MAPPED)) {
-               torture_warning(tctx, "LookupNames[2 bad names] failed - %s\n", nt_errstr(n.out.result));
+               torture_result(tctx, TORTURE_FAIL, "LookupNames[2 bad names] failed - %s\n", nt_errstr(n.out.result));
                if (NT_STATUS_IS_OK(n.out.result)) {
                        return NT_STATUS_UNSUCCESSFUL;
                }
@@ -1589,7 +1616,7 @@ static NTSTATUS test_OpenUser_byname(struct dcerpc_binding_handle *b,
                return status;
        }
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OpenUser_byname(%s -> %d) failed - %s\n", name, rid, nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OpenUser_byname(%s -> %d) failed - %s\n", name, rid, nt_errstr(r.out.result));
        }
 
        return r.out.result;
@@ -1647,7 +1674,7 @@ static bool test_ChangePasswordNT3(struct dcerpc_pipe *p,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1714,8 +1741,8 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        r.in.user_handle = &user_handle;
        r.in.lm_present = 1;
-       /* Break the LM hash */
-       hash1.hash[0]++;
+       /* Break the NT hash */
+       hash3.hash[0]++;
        r.in.old_lm_crypted = &hash1;
        r.in.new_lm_crypted = &hash2;
        r.in.nt_present = 1;
@@ -1728,18 +1755,29 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
-       torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD,
-               "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM hash");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
-       /* Unbreak the LM hash */
-       hash1.hash[0]--;
+       /* Do not proceed if this call has been removed */
+       if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
+               torture_skip(tctx, "ValidatePassword not supported by server\n");
+       }
+
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
+               torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD,
+                       "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM hash");
+       }
+
+       /* Unbreak the NT hash */
+       hash3.hash[0]--;
 
        r.in.user_handle = &user_handle;
        r.in.lm_present = 1;
        r.in.old_lm_crypted = &hash1;
        r.in.new_lm_crypted = &hash2;
-       /* Break the NT hash */
-       hash3.hash[0]--;
+       /* Break the LM hash */
+       hash1.hash[0]--;
        r.in.nt_present = 1;
        r.in.old_nt_crypted = &hash3;
        r.in.new_nt_crypted = &hash4;
@@ -1750,8 +1788,13 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
-       torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD,
-               "expected NT_STATUS_WRONG_PASSWORD because we broke the NT hash");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
+               torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD,
+                       "expected NT_STATUS_WRONG_PASSWORD because we broke the NT hash");
+       }
 
        /* Unbreak the NT hash */
        hash3.hash[0]--;
@@ -1772,8 +1815,13 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
-       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM cross-hash, got %s\n", nt_errstr(r.out.result));
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD) &&
+           !NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION))
+       {
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD or NT_STATUS_PASSWORD_RESTRICTION because we broke the LM cross-hash, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1796,8 +1844,13 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
-       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the NT cross-hash, got %s\n", nt_errstr(r.out.result));
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+       if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD) &&
+           !NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION))
+       {
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD or NT_STATUS_PASSWORD_RESTRICTION because we broke the NT cross-hash, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1827,11 +1880,14 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_IS_OK(r.out.result)) {
                changed = true;
                *password = newpass;
        } else if (!NT_STATUS_EQUAL(NT_STATUS_PASSWORD_RESTRICTION, r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_OK, or at least NT_STATUS_PASSWORD_RESTRICTION, got %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed: expected NT_STATUS_OK, or at least NT_STATUS_PASSWORD_RESTRICTION, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1866,11 +1922,14 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_IS_OK(r.out.result)) {
                changed = true;
                *password = newpass;
        } else if (!NT_STATUS_EQUAL(NT_STATUS_PASSWORD_RESTRICTION, r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_NT_CROSS_ENCRYPTION_REQUIRED, got %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed: expected NT_STATUS_OK, or at least NT_STATUS_PASSWORD_RESTRICTION, got %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -1905,10 +1964,13 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                "ChangePasswordUser failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                torture_comment(tctx, "ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
        } else  if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        } else {
                changed = true;
@@ -1930,10 +1992,13 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
        if (changed) {
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser_r(b, tctx, &r),
                        "ChangePasswordUser failed");
+               torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                               __location__, __FUNCTION__,
+                               oldpass, newpass, nt_errstr(r.out.result));
                if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                        torture_comment(tctx, "ChangePasswordUser returned: %s perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
                } else if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-                       torture_warning(tctx, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we already changed the password, got %s\n", nt_errstr(r.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we already changed the password, got %s\n", nt_errstr(r.out.result));
                        ret = false;
                }
        }
@@ -2007,10 +2072,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)
            && !NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2030,10 +2098,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)
            && !NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2048,10 +2119,13 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)
            && !NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER (or at least 'PASSWORD_RESTRICTON') for no supplied validation hash - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2062,9 +2136,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied validation hash and invalid user - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2077,9 +2154,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD for invalid user - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned WRONG_PASSWORD for invalid user - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2092,9 +2172,12 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_INVALID_PARAMETER)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied password and invalid user - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed, should have returned INVALID_PARAMETER for no supplied password and invalid user - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2113,11 +2196,14 @@ static bool test_OemChangePasswordUser2(struct dcerpc_pipe *p,
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OemChangePasswordUser2_r(b, tctx, &r),
                "OemChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                torture_comment(tctx, "OemChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
        } else if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OemChangePasswordUser2 failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OemChangePasswordUser2 failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        } else {
                *password = newpass;
@@ -2195,11 +2281,14 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser2_r(b, tctx, &r),
                "ChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (allow_password_restriction && NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                torture_comment(tctx, "ChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
        } else if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser2 failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser2 failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        } else {
                *password = newpass;
@@ -2209,6 +2298,83 @@ static bool test_ChangePasswordUser2(struct dcerpc_pipe *p, struct torture_conte
 }
 
 
+static bool test_ChangePasswordUser2_ntstatus(struct dcerpc_pipe *p, struct torture_context *tctx,
+                                             const char *acct_name,
+                                             const char *password, NTSTATUS status)
+{
+       struct samr_ChangePasswordUser2 r;
+       struct lsa_String server, account;
+       struct samr_CryptPassword nt_pass, lm_pass;
+       struct samr_Password nt_verifier, lm_verifier;
+       const char *oldpass;
+       struct dcerpc_binding_handle *b = p->binding_handle;
+       uint8_t old_nt_hash[16], new_nt_hash[16];
+       uint8_t old_lm_hash[16], new_lm_hash[16];
+
+       struct samr_GetDomPwInfo dom_pw_info;
+       struct samr_PwInfo info;
+
+       struct lsa_String domain_name;
+       char *newpass;
+       int policy_min_pw_len = 0;
+
+       domain_name.string = "";
+       dom_pw_info.in.domain_name = &domain_name;
+       dom_pw_info.out.info = &info;
+
+       torture_comment(tctx, "Testing ChangePasswordUser2 on %s\n", acct_name);
+
+       oldpass = password;
+
+       torture_assert_ntstatus_ok(tctx, dcerpc_samr_GetDomPwInfo_r(b, tctx, &dom_pw_info),
+                                  "GetDomPwInfo failed");
+       if (NT_STATUS_IS_OK(dom_pw_info.out.result)) {
+               policy_min_pw_len = dom_pw_info.out.info->min_password_length;
+       }
+
+       newpass = samr_rand_pass(tctx, policy_min_pw_len);
+
+       server.string = talloc_asprintf(tctx, "\\\\%s", dcerpc_server_name(p));
+       init_lsa_String(&account, acct_name);
+
+       E_md4hash(oldpass, old_nt_hash);
+       E_md4hash(newpass, new_nt_hash);
+
+       E_deshash(oldpass, old_lm_hash);
+       E_deshash(newpass, new_lm_hash);
+
+       encode_pw_buffer(lm_pass.data, newpass, STR_ASCII|STR_TERMINATE);
+       arcfour_crypt(lm_pass.data, old_lm_hash, 516);
+       E_old_pw_hash(new_nt_hash, old_lm_hash, lm_verifier.hash);
+
+       encode_pw_buffer(nt_pass.data, newpass, STR_UNICODE);
+       arcfour_crypt(nt_pass.data, old_nt_hash, 516);
+       E_old_pw_hash(new_nt_hash, old_nt_hash, nt_verifier.hash);
+
+       r.in.server = &server;
+       r.in.account = &account;
+       r.in.nt_password = &nt_pass;
+       r.in.nt_verifier = &nt_verifier;
+       r.in.lm_change = 1;
+       r.in.lm_password = &lm_pass;
+       r.in.lm_verifier = &lm_verifier;
+
+       torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser2_r(b, tctx, &r),
+               "ChangePasswordUser2 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+
+       if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
+               torture_comment(tctx, "ChangePasswordUser2 returned: %s perhaps min password age? (not fatal)\n", nt_errstr(r.out.result));
+       } else {
+               torture_assert_ntstatus_equal(tctx, r.out.result, status, "ChangePasswordUser2 returned unexpected value");
+       }
+
+       return true;
+}
+
+
 bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tctx,
                              const char *account_string,
                              int policy_min_pw_len,
@@ -2281,9 +2447,12 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION) &&
            (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD))) {
-               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalid password verifier - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2313,9 +2482,12 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION) &&
            (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD))) {
-               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD (or at least 'PASSWORD_RESTRICTON') for invalidly encrpted password - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2326,8 +2498,11 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
        r.in.account = &account_bad;
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
        if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_WRONG_PASSWORD)) {
-               torture_warning(tctx, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid username - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser3 failed, should have returned WRONG_PASSWORD for invalid username - %s\n",
                        nt_errstr(r.out.result));
                ret = false;
        }
@@ -2361,6 +2536,18 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
+
+       torture_comment(tctx, "(%s): dominfo[%s], reject[%s], handle_reject_reason[%s], "
+                       "last_password_change[%s], dominfo->min_password_age[%lld]\n",
+                       __location__,
+                       (dominfo == NULL)? "NULL" : "present",
+                       reject ? "true" : "false",
+                       handle_reject_reason ? "true" : "false",
+                       null_nttime(last_password_change) ? "null" : "not null",
+                       dominfo ? (long long)dominfo->min_password_age : (long long)0);
 
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)
            && dominfo
@@ -2370,7 +2557,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
                if (dominfo->password_properties & DOMAIN_REFUSE_PASSWORD_CHANGE ) {
 
                        if (reject && (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR)) {
-                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
                                        SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                                return false;
                        }
@@ -2385,11 +2572,11 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 
                Guenther */
 
-               if ((dominfo->min_password_age > 0) && !null_nttime(last_password_change) &&
-                          (last_password_change + dominfo->min_password_age > t)) {
+               if ((dominfo->min_password_age < 0) && !null_nttime(last_password_change) &&
+                          (last_password_change - dominfo->min_password_age > t)) {
 
                        if (reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
-                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
                                        SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                                return false;
                        }
@@ -2398,7 +2585,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
                           (strlen(newpass) < dominfo->min_password_length)) {
 
                        if (reject->extendedFailureReason != SAM_PWD_CHANGE_PASSWORD_TOO_SHORT) {
-                               torture_warning(tctx, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_PASSWORD_TOO_SHORT (%d), got %d\n",
                                        SAM_PWD_CHANGE_PASSWORD_TOO_SHORT, reject->extendedFailureReason);
                                return false;
                        }
@@ -2407,14 +2594,14 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
                            strequal(oldpass, newpass)) {
 
                        if (reject->extendedFailureReason != SAM_PWD_CHANGE_PWD_IN_HISTORY) {
-                               torture_warning(tctx, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_PWD_IN_HISTORY (%d), got %d\n",
                                        SAM_PWD_CHANGE_PWD_IN_HISTORY, reject->extendedFailureReason);
                                return false;
                        }
                } else if (dominfo->password_properties & DOMAIN_PASSWORD_COMPLEX) {
 
                        if (reject->extendedFailureReason != SAM_PWD_CHANGE_NOT_COMPLEX) {
-                               torture_warning(tctx, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NOT_COMPLEX (%d), got %d\n",
                                        SAM_PWD_CHANGE_NOT_COMPLEX, reject->extendedFailureReason);
                                return false;
                        }
@@ -2431,7 +2618,7 @@ bool test_ChangePasswordUser3(struct dcerpc_pipe *p, struct torture_context *tct
 
        } else if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
-                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                       torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
                               SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                        return false;
                }
@@ -2458,7 +2645,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
        DATA_BLOB session_key;
        DATA_BLOB confounded_session_key = data_blob_talloc(tctx, NULL, 16);
        uint8_t confounder[16];
-       struct MD5Context ctx;
+       MD5_CTX ctx;
 
        bool ret = true;
        struct lsa_String server, account;
@@ -2494,7 +2681,7 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 
        status = dcerpc_fetch_session_key(p, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "SetUserInfo level %u - no session key - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u - no session key - %s\n",
                       s.in.level, nt_errstr(status));
                return false;
        }
@@ -2513,8 +2700,11 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(b, tctx, &s),
                "SetUserInfo failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, "RANDOM", nt_errstr(s.out.result));
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetUserInfo level %u failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetUserInfo level %u failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                ret = false;
        }
@@ -2546,17 +2736,20 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, "RANDOM", nt_errstr(r.out.result));
 
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
-                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                       torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
                               SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                        return false;
                }
                /* Perhaps the server has a 'min password age' set? */
 
        } else if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "ChangePasswordUser3 failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "ChangePasswordUser3 failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -2585,10 +2778,13 @@ bool test_ChangePasswordRandomBytes(struct dcerpc_pipe *p, struct torture_contex
 
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_ChangePasswordUser3_r(b, tctx, &r),
                "ChangePasswordUser3 failed");
+       torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
+                       __location__, __FUNCTION__,
+                       oldpass, newpass, nt_errstr(r.out.result));
 
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
                if (reject && reject->extendedFailureReason != SAM_PWD_CHANGE_NO_ERROR) {
-                       torture_warning(tctx, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
+                       torture_result(tctx, TORTURE_FAIL, "expected SAM_PWD_CHANGE_NO_ERROR (%d), got %d\n",
                               SAM_PWD_CHANGE_NO_ERROR, reject->extendedFailureReason);
                        return false;
                }
@@ -2633,7 +2829,7 @@ static bool test_AddMemberToAlias(struct dcerpc_binding_handle *b,
 
        sid = dom_sid_add_rid(tctx, domain_sid, 512);
 
-       torture_comment(tctx, "testing AddAliasMember\n");
+       torture_comment(tctx, "Testing AddAliasMember\n");
        r.in.alias_handle = alias_handle;
        r.in.sid = sid;
 
@@ -2659,7 +2855,7 @@ static bool test_AddMultipleMembersToAlias(struct dcerpc_binding_handle *b,
        struct samr_RemoveMultipleMembersFromAlias r;
        struct lsa_SidArray sids;
 
-       torture_comment(tctx, "testing AddMultipleMembersToAlias\n");
+       torture_comment(tctx, "Testing AddMultipleMembersToAlias\n");
        a.in.alias_handle = alias_handle;
        a.in.sids = &sids;
 
@@ -2675,7 +2871,7 @@ static bool test_AddMultipleMembersToAlias(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, a.out.result, "AddMultipleMembersToAlias");
 
 
-       torture_comment(tctx, "testing RemoveMultipleMembersFromAlias\n");
+       torture_comment(tctx, "Testing RemoveMultipleMembersFromAlias\n");
        r.in.alias_handle = alias_handle;
        r.in.sids = &sids;
 
@@ -2705,14 +2901,9 @@ static bool test_GetAliasMembership(struct dcerpc_binding_handle *b,
        struct samr_GetAliasMembership r;
        struct lsa_SidArray sids;
        struct samr_Ids rids;
-       NTSTATUS status;
 
        torture_comment(tctx, "Testing GetAliasMembership\n");
 
-       if (torture_setting_bool(tctx, "samba4", false)) {
-               torture_skip(tctx, "skipping GetAliasMembership against s4");
-       }
-
        r.in.domain_handle      = domain_handle;
        r.in.sids               = &sids;
        r.out.rids              = &rids;
@@ -2778,7 +2969,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
        NTSTATUS status;
        uint16_t levels[] = { /* 3, */ 5, 21 };
        int i;
-       NTTIME pwdlastset3 = 0;
+       /* NTTIME pwdlastset3 = 0; */
        NTTIME pwdlastset5 = 0;
        NTTIME pwdlastset21 = 0;
 
@@ -2810,14 +3001,14 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
 
                if (!NT_STATUS_IS_OK(status) &&
                    !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
-                       torture_warning(tctx, "QueryUserInfo%s level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo%s level %u failed - %s\n",
                               use_info2 ? "2":"", levels[i], nt_errstr(status));
                        return false;
                }
 
                switch (levels[i]) {
                case 3:
-                       pwdlastset3 = info->info3.last_password_change;
+                       /* pwdlastset3 = info->info3.last_password_change; */
                        break;
                case 5:
                        pwdlastset5 = info->info5.last_password_change;
@@ -2836,13 +3027,15 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
 
        *pwdlastset = pwdlastset21;
 
-       torture_comment(tctx, "(pwdlastset: %lld)\n", *pwdlastset);
+       torture_comment(tctx, "(pwdlastset: %llu)\n",
+                       (unsigned long long) *pwdlastset);
 
        return true;
 }
 
 static bool test_SamLogon(struct torture_context *tctx,
                          struct dcerpc_pipe *p,
+                         struct cli_credentials *machine_credentials,
                          struct cli_credentials *test_credentials,
                          NTSTATUS expected_result,
                          bool interactive)
@@ -2862,13 +3055,13 @@ static bool test_SamLogon(struct torture_context *tctx,
        struct netr_Authenticator a;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
-       torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
+       torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
 
-       if (lp_client_lanman_auth(tctx->lp_ctx)) {
+       if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
                flags |= CLI_CRED_LANMAN_AUTH;
        }
 
-       if (lp_client_ntlmv2_auth(tctx->lp_ctx)) {
+       if (lpcfg_client_ntlmv2_auth(tctx->lp_ctx)) {
                flags |= CLI_CRED_NTLMv2_AUTH;
        }
 
@@ -2891,7 +3084,10 @@ static bool test_SamLogon(struct torture_context *tctx,
                }
                E_md4hash(cli_credentials_get_password(test_credentials), pinfo.ntpassword.hash);
 
-               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+               if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+                       netlogon_creds_aes_encrypt(creds, pinfo.lmpassword.hash, 16);
+                       netlogon_creds_aes_encrypt(creds, pinfo.ntpassword.hash, 16);
+               } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
                        netlogon_creds_arcfour_crypt(creds, pinfo.lmpassword.hash, 16);
                        netlogon_creds_arcfour_crypt(creds, pinfo.ntpassword.hash, 16);
                } else {
@@ -2983,12 +3179,12 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
        cli_credentials_set_password(test_credentials,
                                     password, CRED_SPECIFIED);
 
-       torture_comment(tctx, "testing samlogon (%s) as %s password: %s\n",
+       torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
                interactive ? "interactive" : "network", acct_name, password);
 
-       if (!test_SamLogon(tctx, p, test_credentials,
+       if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
                            expected_samlogon_result, interactive)) {
-               torture_warning(tctx, "new password did not work\n");
+               torture_result(tctx, TORTURE_FAIL, "new password did not work\n");
                ret = false;
        }
 
@@ -3067,6 +3263,7 @@ static bool setup_schannel_netlogon_pipe(struct torture_context *tctx,
                                         struct dcerpc_pipe **p)
 {
        struct dcerpc_binding *b;
+       NTSTATUS status;
 
        torture_assert_ntstatus_ok(tctx, torture_rpc_binding(tctx, &b),
                "failed to get rpc binding");
@@ -3074,8 +3271,11 @@ static bool setup_schannel_netlogon_pipe(struct torture_context *tctx,
        /* We have to use schannel, otherwise the SamLogonEx fails
         * with INTERNAL_ERROR */
 
-       b->flags &= ~DCERPC_AUTH_OPTIONS;
-       b->flags |= DCERPC_SCHANNEL | DCERPC_SIGN | DCERPC_SCHANNEL_128;
+       status = dcerpc_binding_set_flags(b,
+                                         DCERPC_SCHANNEL | DCERPC_SIGN |
+                                         DCERPC_SCHANNEL_AUTO,
+                                         DCERPC_AUTH_OPTIONS);
+       torture_assert_ntstatus_ok(tctx, status, "set flags");
 
        torture_assert_ntstatus_ok(tctx,
                dcerpc_pipe_connect_b(tctx, p, b, &ndr_table_netlogon,
@@ -3116,7 +3316,8 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
        };
        struct dcerpc_pipe *np = NULL;
 
-       if (torture_setting_bool(tctx, "samba3", false)) {
+       if (torture_setting_bool(tctx, "samba3", false) ||
+           torture_setting_bool(tctx, "samba4", false)) {
                delay = 999999;
                torture_comment(tctx, "Samba3 has second granularity, setting delay to: %d\n",
                        delay);
@@ -3182,7 +3383,7 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                                            password,
                                            machine_credentials,
                                            query_levels[q],
-                                           &pwdlastset_old,
+                                           &pwdlastset_new,
                                            expected_samlogon_result)) {
                        ret = false;
                }
@@ -3207,11 +3408,12 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                                        "been set\n");
                                break;
                        }
+                       break;
                default:
                        if (pwdlastset_new != 0) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected pwdLastSet 0 but got %lld\n",
-                                       pwdlastset_old);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected pwdLastSet 0 but got %llu\n",
+                                       (unsigned long long) pwdlastset_old);
                                ret = false;
                        }
                        break;
@@ -3225,19 +3427,14 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                             (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
                             (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
                             (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
-                               ret = false;
-                       }
-                       break;
-               default:
-                       if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
-                           (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
+                               torture_result(tctx, TORTURE_FAIL, "pwdlastset not increasing\n");
                                ret = false;
                        }
                        break;
                }
 
+               pwdlastset_old = pwdlastset_new;
+
                usleep(delay);
 
                /* set #2 */
@@ -3267,7 +3464,6 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                case 21:
                case 23:
                case 25:
-
                        /* SAMR_FIELD_EXPIRED_FLAG has not been set and no
                         * password has been changed, old and new pwdlastset
                         * need to be the same value */
@@ -3280,19 +3476,22 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                                        pwdlastset_new, "pwdlastset must be equal");
                                break;
                        }
+                       break;
                default:
                        if (pwdlastset_old >= pwdlastset_new) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected last pwdlastset (%lld) < new pwdlastset (%lld)\n",
-                                       pwdlastset_old, pwdlastset_new);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected last pwdlastset (%llu) < new pwdlastset (%llu)\n",
+                                       (unsigned long long) pwdlastset_old,
+                                       (unsigned long long) pwdlastset_new);
                                ret = false;
                        }
                        if (pwdlastset_new == 0) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected non-0 pwdlastset, got: %lld\n",
-                                       pwdlastset_new);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected non-0 pwdlastset, got: %llu\n",
+                                       (unsigned long long) pwdlastset_new);
                                ret = false;
                        }
+                       break;
                }
 
                switch (levels[l]) {
@@ -3303,14 +3502,7 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                             (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
                             (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
                             (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
-                               ret = false;
-                       }
-                       break;
-               default:
-                       if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
-                           (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
+                               torture_result(tctx, TORTURE_FAIL, "pwdlastset not increasing\n");
                                ret = false;
                        }
                        break;
@@ -3348,31 +3540,54 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                case 23:
                case 25:
 
-                       /* if no password has been changed, old and new pwdlastset
+                       /* SAMR_FIELD_EXPIRED_FLAG has not been set and no
+                        * password has been changed, old and new pwdlastset
                         * need to be the same value */
 
-                       if (!((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+                       if (!(fields_present[f] & SAMR_FIELD_EXPIRED_FLAG) &&
+                           !((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
                              (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)))
                        {
                                torture_assert_int_equal(tctx, pwdlastset_old,
                                        pwdlastset_new, "pwdlastset must be equal");
                                break;
                        }
+                       break;
                default:
                        if (pwdlastset_old >= pwdlastset_new) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected last pwdlastset (%lld) < new pwdlastset (%lld)\n",
-                                       pwdlastset_old, pwdlastset_new);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected last pwdlastset (%llu) < new pwdlastset (%llu)\n",
+                                       (unsigned long long) pwdlastset_old,
+                                       (unsigned long long) pwdlastset_new);
                                ret = false;
                        }
                        if (pwdlastset_new == 0) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected non-0 pwdlastset, got: %lld\n",
-                                       pwdlastset_new);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected non-0 pwdlastset, got: %llu\n",
+                                       (unsigned long long) pwdlastset_new);
                                ret = false;
                        }
+                       break;
                }
 
+               switch (levels[l]) {
+               case 21:
+               case 23:
+               case 25:
+                       if (((fields_present[f] & SAMR_FIELD_NT_PASSWORD_PRESENT) ||
+                            (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
+                            (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
+                            (pwdlastset_old >= pwdlastset_new)) {
+                               torture_result(tctx, TORTURE_FAIL, "pwdlastset not increasing\n");
+                               ret = false;
+                       }
+                       break;
+               }
+
+               pwdlastset_old = pwdlastset_new;
+
+               usleep(delay);
+
                /* set #3 */
 
                /* set a password and force password change (pwdlastset 0) by
@@ -3421,19 +3636,12 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                                        pwdlastset_new, "pwdlastset must be equal");
                                break;
                        }
+                       break;
                default:
-
-                       if (pwdlastset_old == pwdlastset_new) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected last pwdlastset (%lld) != new pwdlastset (%lld)\n",
-                                       pwdlastset_old, pwdlastset_new);
-                               ret = false;
-                       }
-
                        if (pwdlastset_new != 0) {
-                               torture_warning(tctx, "pwdLastSet test failed: "
-                                       "expected pwdLastSet 0, got %lld\n",
-                                       pwdlastset_old);
+                               torture_result(tctx, TORTURE_FAIL, "pwdLastSet test failed: "
+                                       "expected pwdLastSet 0, got %llu\n",
+                                       (unsigned long long) pwdlastset_old);
                                ret = false;
                        }
                        break;
@@ -3447,14 +3655,7 @@ static bool test_SetPassword_pwdlastset(struct dcerpc_pipe *p,
                             (fields_present[f] & SAMR_FIELD_LM_PASSWORD_PRESENT)) &&
                             (pwdlastset_old > 0) && (pwdlastset_new > 0) &&
                             (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
-                               ret = false;
-                       }
-                       break;
-               default:
-                       if ((pwdlastset_old > 0) && (pwdlastset_new > 0) &&
-                           (pwdlastset_old >= pwdlastset_new)) {
-                               torture_warning(tctx, "pwdlastset not increasing\n");
+                               torture_result(tctx, TORTURE_FAIL, "pwdlastset not increasing\n");
                                ret = false;
                        }
                        break;
@@ -3646,8 +3847,14 @@ static bool test_Password_badpwdcount(struct dcerpc_pipe *p,
        uint32_t badpwdcount, tmp;
        uint32_t password_history_length = 12;
        uint32_t lockout_threshold = 15;
+       uint32_t lockout_seconds = 5;
+       uint64_t delta_time_factor = 10 * 1000 * 1000;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
+       if (torture_setting_bool(tctx, "samba3", false)) {
+               lockout_seconds = 60;
+       }
+
        torture_comment(tctx, "\nTesting bad pwd count with: %s\n", comment);
 
        torture_assert(tctx, password_history_length < lockout_threshold,
@@ -3658,15 +3865,20 @@ static bool test_Password_badpwdcount(struct dcerpc_pipe *p,
 
        info.info1 = *info1;
        info.info1.password_history_length = password_history_length;
+       info.info1.min_password_age = 0;
 
        torture_assert(tctx,
                       test_SetDomainInfo(b, tctx, domain_handle,
                                          DomainPasswordInformation, &info),
-                      "failed to set password history length");
+                      "failed to set password history length and min passwd age");
 
        info.info12 = *info12;
        info.info12.lockout_threshold = lockout_threshold;
 
+       /* set lockout duration of 5 seconds */
+       info.info12.lockout_duration = ~(lockout_seconds * delta_time_factor);
+       info.info12.lockout_window = ~(lockout_seconds * delta_time_factor);
+
        torture_assert(tctx,
                       test_SetDomainInfo(b, tctx, domain_handle,
                                          DomainLockoutInformation, &info),
@@ -3768,7 +3980,9 @@ static bool test_Password_badpwdcount(struct dcerpc_pipe *p,
                        if (!test_SamLogon_with_creds(tctx, np, machine_credentials,
                                                      acct_name, passwords[i],
                                                      expected_success_status, interactive)) {
-                               torture_fail(tctx, talloc_asprintf(tctx, "succeeded to authenticate with old password (#%d of #%d in history)", i, password_history_length));
+                               torture_fail(tctx, talloc_asprintf(tctx, "did not successfully to obtain %s for %s login with old password (#%d of #%d in history)",
+                                                                  nt_errstr(expected_success_status),
+                                                                  interactive ? "interactive" : "network", i, password_history_length));
                        }
 
                        torture_assert(tctx,
@@ -3895,16 +4109,16 @@ static bool test_Password_badpwdcount_wrap(struct dcerpc_pipe *p,
                        continue;
                }
 
-               ret &= test_Password_badpwdcount(p, np, tctx, acct_flags, acct_name,
-                                                domain_handle, user_handle, password,
-                                                machine_credentials,
-                                                creds[i].comment,
-                                                creds[i].disabled,
-                                                creds[i].interactive,
-                                                creds[i].expected_success_status,
-                                                &_info1, &_info12);
-               if (!ret) {
-                       torture_warning(tctx, "TEST #%d (%s) failed\n", i, creds[i].comment);
+               if (!test_Password_badpwdcount(p, np, tctx, acct_flags, acct_name,
+                                              domain_handle, user_handle, password,
+                                              machine_credentials,
+                                              creds[i].comment,
+                                              creds[i].disabled,
+                                              creds[i].interactive,
+                                              creds[i].expected_success_status,
+                                              &_info1, &_info12)) {
+                       torture_result(tctx, TORTURE_FAIL, "TEST #%d (%s) failed\n", i, creds[i].comment);
+                       ret = false;
                } else {
                        torture_comment(tctx, "TEST #%d (%s) succeeded\n", i, creds[i].comment);
                }
@@ -3929,28 +4143,95 @@ static bool test_Password_badpwdcount_wrap(struct dcerpc_pipe *p,
        return ret;
 }
 
-static bool test_QueryUserInfo_acct_flags(struct dcerpc_binding_handle *b,
-                                         struct torture_context *tctx,
-                                         struct policy_handle *handle,
-                                         uint32_t *acct_flags)
+static bool test_QueryUserInfo_lockout(struct dcerpc_binding_handle *b,
+                                      struct torture_context *tctx,
+                                      struct policy_handle *domain_handle,
+                                      const char *acct_name,
+                                      uint16_t raw_bad_password_count,
+                                      uint16_t effective_bad_password_count,
+                                      uint32_t effective_acb_lockout)
 {
-       union samr_UserInfo *info;
+       struct policy_handle user_handle;
+       union samr_UserInfo *i;
        struct samr_QueryUserInfo r;
 
-       r.in.user_handle = handle;
-       r.in.level = 16;
-       r.out.info = &info;
+       NTSTATUS status = test_OpenUser_byname(b, tctx, domain_handle, acct_name, &user_handle);
+       if (!NT_STATUS_IS_OK(status)) {
+               return false;
+       }
+
+       r.in.user_handle = &user_handle;
+       r.in.level = 3;
+       r.out.info = &i;
+       torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
+       torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
+               "failed to query userinfo");
+       torture_assert_ntstatus_ok(tctx, r.out.result,
+               "failed to query userinfo");
+       torture_comment(tctx, "  (acct_flags: 0x%08x) (raw_bad_pwd_count: %u)\n",
+                       i->info3.acct_flags, i->info3.bad_password_count);
+       torture_assert_int_equal(tctx, i->info3.bad_password_count,
+                                raw_bad_password_count,
+                                "raw badpwdcount");
+       torture_assert_int_equal(tctx, i->info3.acct_flags & ACB_AUTOLOCK,
+                                effective_acb_lockout,
+                                "effective acb_lockout");
+       TALLOC_FREE(i);
 
+       r.in.user_handle = &user_handle;
+       r.in.level = 5;
+       r.out.info = &i;
        torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
+       torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
+               "failed to query userinfo");
+       torture_assert_ntstatus_ok(tctx, r.out.result,
+               "failed to query userinfo");
+       torture_comment(tctx, "  (acct_flags: 0x%08x) (effective_bad_pwd_count: %u)\n",
+                       i->info5.acct_flags, i->info5.bad_password_count);
+       torture_assert_int_equal(tctx, i->info5.bad_password_count,
+                                effective_bad_password_count,
+                                "effective badpwdcount");
+       torture_assert_int_equal(tctx, i->info5.acct_flags & ACB_AUTOLOCK,
+                                effective_acb_lockout,
+                                "effective acb_lockout");
+       TALLOC_FREE(i);
 
+       r.in.user_handle = &user_handle;
+       r.in.level = 16;
+       r.out.info = &i;
+       torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
                "failed to query userinfo");
        torture_assert_ntstatus_ok(tctx, r.out.result,
                "failed to query userinfo");
+       torture_comment(tctx, "  (acct_flags: 0x%08x)\n",
+                       i->info16.acct_flags);
+       torture_assert_int_equal(tctx, i->info16.acct_flags & ACB_AUTOLOCK,
+                                effective_acb_lockout,
+                                "effective acb_lockout");
+       TALLOC_FREE(i);
 
-       *acct_flags = info->info16.acct_flags;
+       r.in.user_handle = &user_handle;
+       r.in.level = 21;
+       r.out.info = &i;
+       torture_comment(tctx, "Testing QueryUserInfo level %d", r.in.level);
+       torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
+               "failed to query userinfo");
+       torture_assert_ntstatus_ok(tctx, r.out.result,
+               "failed to query userinfo");
+       torture_comment(tctx, "  (acct_flags: 0x%08x) (effective_bad_pwd_count: %u)\n",
+                       i->info21.acct_flags, i->info21.bad_password_count);
+       torture_assert_int_equal(tctx, i->info21.bad_password_count,
+                                effective_bad_password_count,
+                                "effective badpwdcount");
+       torture_assert_int_equal(tctx, i->info21.acct_flags & ACB_AUTOLOCK,
+                                effective_acb_lockout,
+                                "effective acb_lockout");
+       TALLOC_FREE(i);
 
-       torture_comment(tctx, "  (acct_flags: 0x%08x)\n", *acct_flags);
+       if (!test_samr_handle_Close(b, tctx, &user_handle)) {
+               return false;
+       }
 
        return true;
 }
@@ -3967,27 +4248,33 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
                                  const char *comment,
                                  bool disable,
                                  bool interactive,
+                                 uint32_t password_history_length,
                                  NTSTATUS expected_success_status,
                                  struct samr_DomInfo1 *info1,
                                  struct samr_DomInfo12 *info12)
 {
        union samr_DomainInfo info;
-       uint32_t badpwdcount;
-       uint32_t password_history_length = 1;
        uint64_t lockout_threshold = 1;
        uint32_t lockout_seconds = 5;
        uint64_t delta_time_factor = 10 * 1000 * 1000;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
+       if (torture_setting_bool(tctx, "samba3", false)) {
+               lockout_seconds = 60;
+       }
+
        torture_comment(tctx, "\nTesting account lockout: %s\n", comment);
 
        /* set policies */
 
        info.info1 = *info1;
 
-       torture_comment(tctx, "setting password history length.\n");
+       torture_comment(tctx, "setting password history length to %d.\n", password_history_length);
        info.info1.password_history_length = password_history_length;
 
+       torture_comment(tctx, "setting min password again.\n");
+       info.info1.min_password_age = 0;
+
        torture_assert(tctx,
                       test_SetDomainInfo(b, tctx, domain_handle,
                                          DomainPasswordInformation, &info),
@@ -4054,9 +4341,9 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
        }
 
        torture_assert(tctx,
-               test_QueryUserInfo_badpwdcount(b, tctx, user_handle, &badpwdcount), "");
-       torture_assert_int_equal(tctx, badpwdcount, 0, "expected badpwdcount to be 0");
-
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       0, 0, 0),
+               "expected account to not be locked");
 
        /* test with wrong password ==> lockout */
 
@@ -4066,15 +4353,14 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
                torture_fail(tctx, "succeeded to authenticate with wrong password");
        }
 
+       /*
+        * curiously, windows does _not_ return fresh values of
+        * effective bad_password_count and ACB_AUTOLOCK.
+        */
        torture_assert(tctx,
-               test_QueryUserInfo_badpwdcount(b, tctx, user_handle, &badpwdcount), "");
-       torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
-
-       torture_assert(tctx,
-               test_QueryUserInfo_acct_flags(b, tctx, user_handle, &acct_flags), "");
-       torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
-                                "expected account to be locked");
-
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to not be locked");
 
        /* test with good password */
 
@@ -4087,15 +4373,30 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
 
        /* bad pwd count should not get updated */
        torture_assert(tctx,
-               test_QueryUserInfo_badpwdcount(b, tctx, user_handle, &badpwdcount), "");
-       torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, *password,
+                                                        NT_STATUS_ACCOUNT_LOCKED_OUT),
+                      "got wrong status from ChangePasswordUser2");
+
+       /* bad pwd count should not get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
 
-       /* curiously, windows does _not_ set the autlock flag */
        torture_assert(tctx,
-               test_QueryUserInfo_acct_flags(b, tctx, user_handle, &acct_flags), "");
-       torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
-                                "expected account to be locked");
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_ACCOUNT_LOCKED_OUT),
+                      "got wrong status from ChangePasswordUser2");
 
+       /* bad pwd count should not get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
 
        /* with bad password */
 
@@ -4108,21 +4409,76 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
 
        /* bad pwd count should not get updated */
        torture_assert(tctx,
-               test_QueryUserInfo_badpwdcount(b, tctx, user_handle, &badpwdcount), "");
-       torture_assert_int_equal(tctx, badpwdcount, 1, "expected badpwdcount to be 1");
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       /* let lockout duration expire ==> unlock */
+
+       torture_comment(tctx, "let lockout duration expire...\n");
+       sleep(lockout_seconds + 1);
 
-       /* curiously, windows does _not_ set the autlock flag */
        torture_assert(tctx,
-               test_QueryUserInfo_acct_flags(b, tctx, user_handle, &acct_flags), "");
-       torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
-                                "expected account to be locked");
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 0, 0),
+               "expected account to not be locked");
+
+       if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
+                                    *password,
+                                    expected_success_status, interactive))
+       {
+               torture_fail(tctx, "failed to authenticate after lockout expired");
+       }
 
+       if (NT_STATUS_IS_OK(expected_success_status)) {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               0, 0, 0),
+                       "expected account to not be locked");
+       } else {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               1, 0, 0),
+                       "expected account to not be locked");
+       }
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_WRONG_PASSWORD),
+                      "got wrong status from ChangePasswordUser2");
+
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, *password, NT_STATUS_ACCOUNT_LOCKED_OUT),
+                      "got wrong status from ChangePasswordUser2");
+
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_ACCOUNT_LOCKED_OUT),
+                      "got wrong status from ChangePasswordUser2");
+
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, ACB_AUTOLOCK),
+               "expected account to be locked");
 
        /* let lockout duration expire ==> unlock */
 
        torture_comment(tctx, "let lockout duration expire...\n");
        sleep(lockout_seconds + 1);
 
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 0, 0),
+               "expected account to not be locked");
+
        if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
                                     *password,
                                     expected_success_status, interactive))
@@ -4130,10 +4486,116 @@ static bool test_Password_lockout(struct dcerpc_pipe *p,
                torture_fail(tctx, "failed to authenticate after lockout expired");
        }
 
+       if (NT_STATUS_IS_OK(expected_success_status)) {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               0, 0, 0),
+                       "expected account to not be locked");
+       } else {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               1, 0, 0),
+                       "expected account to not be locked");
+       }
+
+       /* Testing ChangePasswordUser behaviour with 3 attempts */
+       info.info12.lockout_threshold = 3;
+
+       torture_assert(tctx,
+                      test_SetDomainInfo(b, tctx, domain_handle,
+                                         DomainLockoutInformation, &info),
+                      "failed to set lockout threshold to 3");
+
+       if (NT_STATUS_IS_OK(expected_success_status)) {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               0, 0, 0),
+                       "expected account to not be locked");
+       } else {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               1, 0, 0),
+                       "expected account to not be locked");
+       }
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_WRONG_PASSWORD),
+                      "got wrong status from ChangePasswordUser2");
+
+       /* bad pwd count will get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       1, 1, 0),
+               "expected account to not be locked");
+
        torture_assert(tctx,
-               test_QueryUserInfo_acct_flags(b, tctx, user_handle, &acct_flags), "");
-       torture_assert_int_equal(tctx, acct_flags & ACB_AUTOLOCK, 0,
-                                "expected account not to be locked");
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_WRONG_PASSWORD),
+                      "got wrong status from ChangePasswordUser2");
+
+       /* bad pwd count will get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       2, 2, 0),
+               "expected account to not be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, "random_crap", NT_STATUS_WRONG_PASSWORD),
+                      "got wrong status from ChangePasswordUser2");
+
+       /* bad pwd count should get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       3, 3, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2_ntstatus(p, tctx, acct_name, *password, NT_STATUS_ACCOUNT_LOCKED_OUT),
+                      "got wrong status from ChangePasswordUser2");
+
+       /* bad pwd count should not get updated */
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       3, 3, ACB_AUTOLOCK),
+               "expected account to be locked");
+
+       /* let lockout duration expire ==> unlock */
+
+       torture_comment(tctx, "let lockout duration expire...\n");
+       sleep(lockout_seconds + 1);
+
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       3, 0, 0),
+               "expected account to not be locked");
+
+       torture_assert(tctx,
+                      test_ChangePasswordUser2(p, tctx, acct_name, password, NULL, false),
+                      "got wrong status from ChangePasswordUser2");
+
+       torture_assert(tctx,
+               test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                       3, 0, 0),
+               "expected account to not be locked");
+
+       /* Used to reset the badPwdCount for the other tests */
+       if (!test_SamLogon_with_creds(tctx, np, machine_credentials, acct_name,
+                                     *password,
+                                     expected_success_status, interactive))
+       {
+               torture_fail(tctx, "failed to authenticate after lockout expired");
+       }
+
+       if (NT_STATUS_IS_OK(expected_success_status)) {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               0, 0, 0),
+                       "expected account to not be locked");
+       } else {
+               torture_assert(tctx,
+                       test_QueryUserInfo_lockout(b, tctx, domain_handle, acct_name,
+                               3, 0, 0),
+                       "expected account to not be locked");
+       }
 
        return true;
 }
@@ -4159,6 +4621,7 @@ static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
                const char *comment;
                bool disabled;
                bool interactive;
+               uint32_t password_history_length;
                NTSTATUS expected_success_status;
        } creds[] = {
                {
@@ -4173,6 +4636,13 @@ static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
                        .interactive            = false,
                        .expected_success_status= NT_STATUS_OK
                },
+               {
+                       .comment                = "network logon (enabled account, history len = 1)",
+                       .disabled               = false,
+                       .interactive            = false,
+                       .expected_success_status= NT_STATUS_OK,
+                       .password_history_length = 1
+               },
                {
                        .comment                = "interactive logon (disabled account)",
                        .disabled               = true,
@@ -4185,6 +4655,13 @@ static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
                        .interactive            = true,
                        .expected_success_status= NT_STATUS_OK
                },
+               {
+                       .comment                = "interactive logon (enabled account, history len = 1)",
+                       .disabled               = false,
+                       .interactive            = true,
+                       .expected_success_status= NT_STATUS_OK,
+                       .password_history_length = 1
+               },
        };
 
        torture_assert(tctx, setup_schannel_netlogon_pipe(tctx, machine_credentials, &np), "");
@@ -4210,7 +4687,7 @@ static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
        /* run tests */
 
        for (i=0; i < ARRAY_SIZE(creds); i++) {
-
+               bool test_passed;
                /* skip trust tests for now */
                if (acct_flags & ACB_WSTRUST ||
                    acct_flags & ACB_SVRTRUST ||
@@ -4218,16 +4695,19 @@ static bool test_Password_lockout_wrap(struct dcerpc_pipe *p,
                        continue;
                }
 
-               ret &= test_Password_lockout(p, np, tctx, acct_flags, acct_name,
+               test_passed = test_Password_lockout(p, np, tctx, acct_flags, acct_name,
                                             domain_handle, user_handle, password,
                                             machine_credentials,
                                             creds[i].comment,
                                             creds[i].disabled,
                                             creds[i].interactive,
+                                            creds[i].password_history_length,
                                             creds[i].expected_success_status,
                                             &_info1, &_info12);
-               if (!ret) {
-                       torture_warning(tctx, "TEST #%d (%s) failed\n", i, creds[i].comment);
+               ret &= test_passed;
+               if (!test_passed) {
+                       torture_result(tctx, TORTURE_FAIL, "TEST #%d (%s) failed\n", i, creds[i].comment);
+                       break;
                } else {
                        torture_comment(tctx, "TEST #%d (%s) succeeded\n", i, creds[i].comment);
                }
@@ -4356,7 +4836,7 @@ static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
                        "Failed to enum rights for account");
 
                if (user_rights.count < 1) {
-                       torture_warning(tctx, "failed to find newly added rights");
+                       torture_result(tctx, TORTURE_FAIL, "failed to find newly added rights");
                        return false;
                }
        }
@@ -4466,7 +4946,7 @@ static bool test_DeleteUser_with_privs(struct dcerpc_pipe *p,
                        "Failed to enum rights for account");
 
                if (user_rights.count < 1) {
-                       torture_warning(tctx, "failed to find newly added rights");
+                       torture_result(tctx, TORTURE_FAIL, "failed to find newly added rights");
                        return false;
                }
        }
@@ -4691,34 +5171,29 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                        ret = false;
                }
 
-               if (torture_setting_bool(tctx, "samba4", false)) {
-                       torture_comment(tctx, "skipping Set Password level 18 and 21 against Samba4\n");
-               } else {
+               if (!test_SetUserPass_18(p, tctx, user_handle, &password)) {
+                       ret = false;
+               }
 
-                       if (!test_SetUserPass_18(p, tctx, user_handle, &password)) {
-                               ret = false;
+               if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
+                       ret = false;
+               }
+
+               for (i = 0; password_fields[i]; i++) {
+
+                       if (password_fields[i] == SAMR_FIELD_LM_PASSWORD_PRESENT) {
+                               /* we need to skip as that would break
+                                * the ChangePasswordUser3 verify */
+                               continue;
                        }
 
-                       if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
+                       if (!test_SetUserPass_21(p, tctx, user_handle, password_fields[i], &password)) {
                                ret = false;
                        }
 
-                       for (i = 0; password_fields[i]; i++) {
-
-                               if (password_fields[i] == SAMR_FIELD_LM_PASSWORD_PRESENT) {
-                                       /* we need to skip as that would break
-                                        * the ChangePasswordUser3 verify */
-                                       continue;
-                               }
-
-                               if (!test_SetUserPass_21(p, tctx, user_handle, password_fields[i], &password)) {
-                                       ret = false;
-                               }
-
-                               /* check it was set right */
-                               if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
-                                       ret = false;
-                               }
+                       /* check it was set right */
+                       if (!test_ChangePasswordUser3(p, tctx, base_acct_name, 0, &password, NULL, 0, false)) {
+                               ret = false;
                        }
                }
 
@@ -4729,22 +5204,22 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
                        "QueryUserInfo failed");
                if (!NT_STATUS_IS_OK(q.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level %u failed - %s\n",
                               q.in.level, nt_errstr(q.out.result));
                        ret = false;
                } else {
                        uint32_t expected_flags = (base_acct_flags | ACB_PWNOTREQ | ACB_DISABLED);
                        if ((info->info5.acct_flags) != expected_flags) {
-                               torture_warning(tctx, "QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
-                                      info->info5.acct_flags,
-                                      expected_flags);
                                /* FIXME: GD */
                                if (!torture_setting_bool(tctx, "samba3", false)) {
+                                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                                                     info->info5.acct_flags,
+                                                     expected_flags);
                                        ret = false;
                                }
                        }
                        if (info->info5.rid != rid) {
-                               torture_warning(tctx, "QuerUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5 failed, it returned %u when we expected rid of %u\n",
                                       info->info5.rid, rid);
 
                        }
@@ -4755,57 +5230,32 @@ static bool test_user_ops(struct dcerpc_pipe *p,
        case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
 
                /* test last password change timestamp behaviour */
-               if (!test_SetPassword_pwdlastset(p, tctx, base_acct_flags,
-                                                base_acct_name,
-                                                user_handle, &password,
-                                                machine_credentials)) {
-                       ret = false;
-               }
-
-               if (ret == true) {
-                       torture_comment(tctx, "pwdLastSet test succeeded\n");
-               } else {
-                       torture_warning(tctx, "pwdLastSet test failed\n");
-               }
-
+               torture_assert(tctx, test_SetPassword_pwdlastset(p, tctx, base_acct_flags,
+                                                                base_acct_name,
+                                                                user_handle, &password,
+                                                                machine_credentials),
+                              "pwdLastSet test failed\n");
                break;
 
        case TORTURE_SAMR_PASSWORDS_BADPWDCOUNT:
 
                /* test bad pwd count change behaviour */
-               if (!test_Password_badpwdcount_wrap(p, tctx, base_acct_flags,
-                                                   base_acct_name,
-                                                   domain_handle,
-                                                   user_handle, &password,
-                                                   machine_credentials)) {
-                       ret = false;
-               }
-
-               if (ret == true) {
-                       torture_comment(tctx, "badPwdCount test succeeded\n");
-               } else {
-                       torture_warning(tctx, "badPwdCount test failed\n");
-               }
-
+               torture_assert(tctx, test_Password_badpwdcount_wrap(p, tctx, base_acct_flags,
+                                                                   base_acct_name,
+                                                                   domain_handle,
+                                                                   user_handle, &password,
+                                                                   machine_credentials),
+                              "badPwdCount test failed\n");
                break;
 
        case TORTURE_SAMR_PASSWORDS_LOCKOUT:
 
-               if (!test_Password_lockout_wrap(p, tctx, base_acct_flags,
-                                               base_acct_name,
-                                               domain_handle,
-                                               user_handle, &password,
-                                               machine_credentials))
-               {
-                       ret = false;
-               }
-
-               if (ret == true) {
-                       torture_comment(tctx, "lockout test succeeded\n");
-               } else {
-                       torture_warning(tctx, "lockout test failed\n");
-               }
-
+               torture_assert(tctx, test_Password_lockout_wrap(p, tctx, base_acct_flags,
+                                                               base_acct_name,
+                                                               domain_handle,
+                                                               user_handle, &password,
+                                                               machine_credentials),
+                              "Lockout test failed");
                break;
 
 
@@ -4835,7 +5285,7 @@ static bool test_user_ops(struct dcerpc_pipe *p,
                }
 
                if (!ret) {
-                       torture_warning(tctx, "privileged user delete test failed\n");
+                       torture_result(tctx, TORTURE_FAIL, "privileged user delete test failed\n");
                }
 
                break;
@@ -4937,7 +5387,7 @@ bool test_DeleteUser_byname(struct dcerpc_binding_handle *b,
        return true;
 
 failed:
-       torture_warning(tctx, "DeleteUser_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_result(tctx, TORTURE_FAIL, "DeleteUser_byname(%s) failed - %s\n", name, nt_errstr(status));
        return false;
 }
 
@@ -4980,7 +5430,7 @@ static bool test_DeleteGroup_byname(struct dcerpc_binding_handle *b,
        return true;
 
 failed:
-       torture_warning(tctx, "DeleteGroup_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_result(tctx, TORTURE_FAIL, "DeleteGroup_byname(%s) failed - %s\n", name, nt_errstr(status));
        return false;
 }
 
@@ -4996,7 +5446,7 @@ static bool test_DeleteAlias_byname(struct dcerpc_binding_handle *b,
        struct policy_handle alias_handle;
        uint32_t rid;
 
-       torture_comment(tctx, "testing DeleteAlias_byname\n");
+       torture_comment(tctx, "Testing DeleteAlias_byname\n");
 
        status = test_LookupName(b, tctx, domain_handle, name, &rid);
        if (!NT_STATUS_IS_OK(status)) {
@@ -5026,7 +5476,7 @@ static bool test_DeleteAlias_byname(struct dcerpc_binding_handle *b,
        return true;
 
 failed:
-       torture_warning(tctx, "DeleteAlias_byname(%s) failed - %s\n", name, nt_errstr(status));
+       torture_result(tctx, TORTURE_FAIL, "DeleteAlias_byname(%s) failed - %s\n", name, nt_errstr(status));
        return false;
 }
 
@@ -5045,7 +5495,7 @@ static bool test_DeleteAlias(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_DeleteDomAlias_r(b, tctx, &d),
                "DeleteDomAlias failed");
        if (!NT_STATUS_IS_OK(d.out.result)) {
-               torture_warning(tctx, "DeleteAlias failed - %s\n", nt_errstr(d.out.result));
+               torture_result(tctx, TORTURE_FAIL, "DeleteAlias failed - %s\n", nt_errstr(d.out.result));
                ret = false;
        }
 
@@ -5082,7 +5532,7 @@ static bool test_CreateAlias(struct dcerpc_binding_handle *b,
                        torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.alias_name->string);
                        return true;
                } else {
-                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.alias_name->string,
+                       torture_result(tctx, TORTURE_FAIL, "Server should have refused create of '%s', got %s instead\n", r.in.alias_name->string,
                               nt_errstr(r.out.result));
                        return false;
                }
@@ -5097,7 +5547,7 @@ static bool test_CreateAlias(struct dcerpc_binding_handle *b,
        }
 
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "CreateAlias failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "CreateAlias failed - %s\n", nt_errstr(r.out.result));
                return false;
        }
 
@@ -5169,7 +5619,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                r.in.level = 1;
                r.out.info = &info;
 
-               torture_comment(tctx, "testing samr_QueryDomainInfo level 1\n");
+               torture_comment(tctx, "Testing samr_QueryDomainInfo level 1\n");
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo_r(b, tctx, &r),
                        "QueryDomainInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
@@ -5190,7 +5640,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                min_pwd_age_old = s.in.info->info1.min_password_age;
                s.in.info->info1.min_password_age = 0;
 
-               torture_comment(tctx, "testing samr_SetDomainInfo level 1\n");
+               torture_comment(tctx, "Testing samr_SetDomainInfo level 1\n");
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetDomainInfo_r(b, tctx, &s),
                        "SetDomainInfo failed");
                if (!NT_STATUS_IS_OK(s.out.result)) {
@@ -5207,7 +5657,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                s.in.info->info1.password_properties = pwd_prop_old;
                s.in.info->info1.min_password_age = min_pwd_age_old;
 
-               torture_comment(tctx, "testing samr_SetDomainInfo level 1\n");
+               torture_comment(tctx, "Testing samr_SetDomainInfo level 1\n");
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetDomainInfo_r(b, tctx, &s),
                        "SetDomainInfo failed");
                if (!NT_STATUS_IS_OK(s.out.result)) {
@@ -5234,7 +5684,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupNames_r(b, tctx, &n),
                        "LookupNames failed");
                if (!NT_STATUS_IS_OK(n.out.result)) {
-                       torture_warning(tctx, "LookupNames failed - %s\n", nt_errstr(n.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "LookupNames failed - %s\n", nt_errstr(n.out.result));
                        return false;
                }
 
@@ -5246,7 +5696,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenUser_r(b, tctx, &r),
                        "OpenUser failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "OpenUser(%u) failed - %s\n", n.out.rids->ids[0], nt_errstr(r.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "OpenUser(%u) failed - %s\n", n.out.rids->ids[0], nt_errstr(r.out.result));
                        return false;
                }
 
@@ -5257,7 +5707,7 @@ static bool test_ChangePassword(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
                        "QueryUserInfo failed");
                if (!NT_STATUS_IS_OK(q.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo failed - %s\n", nt_errstr(q.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo failed - %s\n", nt_errstr(q.out.result));
                        return false;
                }
 
@@ -5326,7 +5776,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                        torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.account_name->string);
                        return true;
                } else {
-                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+                       torture_result(tctx, TORTURE_FAIL, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
                               nt_errstr(r.out.result));
                        return false;
                }
@@ -5343,7 +5793,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
 
        if (!NT_STATUS_IS_OK(r.out.result)) {
                talloc_free(user_ctx);
-               torture_warning(tctx, "CreateUser failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "CreateUser failed - %s\n", nt_errstr(r.out.result));
                return false;
        }
 
@@ -5362,12 +5812,12 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, user_ctx, &q),
                        "QueryUserInfo failed");
                if (!NT_STATUS_IS_OK(q.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level %u failed - %s\n",
                               q.in.level, nt_errstr(q.out.result));
                        ret = false;
                } else {
                        if ((info->info16.acct_flags & acct_flags) != acct_flags) {
-                               torture_warning(tctx, "QuerUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
                                       info->info16.acct_flags,
                                       acct_flags);
                                ret = false;
@@ -5391,7 +5841,7 @@ static bool test_CreateUser(struct dcerpc_pipe *p, struct torture_context *tctx,
                        torture_assert_ntstatus_ok(tctx, dcerpc_samr_DeleteUser_r(b, user_ctx, &d),
                                "DeleteUser failed");
                        if (!NT_STATUS_IS_OK(d.out.result)) {
-                               torture_warning(tctx, "DeleteUser failed - %s\n", nt_errstr(d.out.result));
+                               torture_result(tctx, TORTURE_FAIL, "DeleteUser failed - %s\n", nt_errstr(d.out.result));
                                ret = false;
                        }
                }
@@ -5468,7 +5918,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.account_name->string);
                                continue;
                        } else {
-                               torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
+                               torture_result(tctx, TORTURE_FAIL, "Server should have refused create of '%s', got %s instead\n", r.in.account_name->string,
                                       nt_errstr(r.out.result));
                                ret = false;
                                continue;
@@ -5486,7 +5936,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
 
                }
                if (!NT_STATUS_EQUAL(r.out.result, account_types[i].nt_status)) {
-                       torture_warning(tctx, "CreateUser2 failed gave incorrect error return - %s (should be %s)\n",
+                       torture_result(tctx, TORTURE_FAIL, "CreateUser2 failed gave incorrect error return - %s (should be %s)\n",
                               nt_errstr(r.out.result), nt_errstr(account_types[i].nt_status));
                        ret = false;
                }
@@ -5499,7 +5949,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                        torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, user_ctx, &q),
                                "QueryUserInfo failed");
                        if (!NT_STATUS_IS_OK(q.out.result)) {
-                               torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level %u failed - %s\n",
                                       q.in.level, nt_errstr(q.out.result));
                                ret = false;
                        } else {
@@ -5508,7 +5958,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                        expected_flags |= ACB_PW_EXPIRED;
                                }
                                if ((info->info5.acct_flags) != expected_flags) {
-                                       torture_warning(tctx, "QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
+                                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n",
                                               info->info5.acct_flags,
                                               expected_flags);
                                        ret = false;
@@ -5516,21 +5966,21 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                switch (acct_flags) {
                                case ACB_SVRTRUST:
                                        if (info->info5.primary_gid != DOMAIN_RID_DCS) {
-                                               torture_warning(tctx, "QuerUserInfo level 5: DC should have had Primary Group %d, got %d\n",
+                                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5: DC should have had Primary Group %d, got %d\n",
                                                       DOMAIN_RID_DCS, info->info5.primary_gid);
                                                ret = false;
                                        }
                                        break;
                                case ACB_WSTRUST:
                                        if (info->info5.primary_gid != DOMAIN_RID_DOMAIN_MEMBERS) {
-                                               torture_warning(tctx, "QuerUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n",
+                                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n",
                                                       DOMAIN_RID_DOMAIN_MEMBERS, info->info5.primary_gid);
                                                ret = false;
                                        }
                                        break;
                                case ACB_NORMAL:
                                        if (info->info5.primary_gid != DOMAIN_RID_USERS) {
-                                               torture_warning(tctx, "QuerUserInfo level 5: Users should have had Primary Group %d, got %d\n",
+                                               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 5: Users should have had Primary Group %d, got %d\n",
                                                       DOMAIN_RID_USERS, info->info5.primary_gid);
                                                ret = false;
                                        }
@@ -5544,7 +5994,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                ret = false;
                        }
 
-                       if (!policy_handle_empty(&user_handle)) {
+                       if (!ndr_policy_handle_empty(&user_handle)) {
                                torture_comment(tctx, "Testing DeleteUser (createuser2 test)\n");
 
                                d.in.user_handle = &user_handle;
@@ -5553,7 +6003,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
                                torture_assert_ntstatus_ok(tctx, dcerpc_samr_DeleteUser_r(b, user_ctx, &d),
                                        "DeleteUser failed");
                                if (!NT_STATUS_IS_OK(d.out.result)) {
-                                       torture_warning(tctx, "DeleteUser failed - %s\n", nt_errstr(d.out.result));
+                                       torture_result(tctx, TORTURE_FAIL, "DeleteUser failed - %s\n", nt_errstr(d.out.result));
                                        ret = false;
                                }
                        }
@@ -5584,7 +6034,7 @@ static bool test_QueryAliasInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryAliasInfo_r(b, tctx, &r),
                        "QueryAliasInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryAliasInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryAliasInfo level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -5613,7 +6063,7 @@ static bool test_QueryGroupInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryGroupInfo_r(b, tctx, &r),
                        "QueryGroupInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryGroupInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryGroupInfo level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -5627,7 +6077,7 @@ static bool test_QueryGroupMember(struct dcerpc_binding_handle *b,
                                  struct policy_handle *handle)
 {
        struct samr_QueryGroupMember r;
-       struct samr_RidTypeArray *rids = NULL;
+       struct samr_RidAttrArray *rids = NULL;
        bool ret = true;
 
        torture_comment(tctx, "Testing QueryGroupMember\n");
@@ -5638,7 +6088,7 @@ static bool test_QueryGroupMember(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryGroupMember_r(b, tctx, &r),
                "QueryGroupMember failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "QueryGroupInfo failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "QueryGroupMember failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -5668,7 +6118,7 @@ static bool test_SetGroupInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryGroupInfo_r(b, tctx, &r),
                        "QueryGroupInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryGroupInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryGroupInfo level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -5697,14 +6147,14 @@ static bool test_SetGroupInfo(struct dcerpc_binding_handle *b,
                        "SetGroupInfo failed");
                if (set_ok[i]) {
                        if (!NT_STATUS_IS_OK(s.out.result)) {
-                               torture_warning(tctx, "SetGroupInfo level %u failed - %s\n",
+                               torture_result(tctx, TORTURE_FAIL, "SetGroupInfo level %u failed - %s\n",
                                       r.in.level, nt_errstr(s.out.result));
                                ret = false;
                                continue;
                        }
                } else {
                        if (!NT_STATUS_EQUAL(NT_STATUS_INVALID_INFO_CLASS, s.out.result)) {
-                               torture_warning(tctx, "SetGroupInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
+                               torture_result(tctx, TORTURE_FAIL, "SetGroupInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
                                       r.in.level, nt_errstr(s.out.result));
                                ret = false;
                                continue;
@@ -5736,7 +6186,7 @@ static bool test_QueryUserInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &r),
                        "QueryUserInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -5766,7 +6216,7 @@ static bool test_QueryUserInfo2(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo2_r(b, tctx, &r),
                        "QueryUserInfo2 failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo2 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo2 level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -5793,7 +6243,7 @@ static bool test_OpenUser(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenUser_r(b, tctx, &r),
                "OpenUser failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OpenUser(%u) failed - %s\n", rid, nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OpenUser(%u) failed - %s\n", rid, nt_errstr(r.out.result));
                return false;
        }
 
@@ -5842,7 +6292,7 @@ static bool test_OpenGroup(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenGroup_r(b, tctx, &r),
                "OpenGroup failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OpenGroup(%u) failed - %s\n", rid, nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OpenGroup(%u) failed - %s\n", rid, nt_errstr(r.out.result));
                return false;
        }
 
@@ -5885,7 +6335,7 @@ static bool test_OpenAlias(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenAlias_r(b, tctx, &r),
                "OpenAlias failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OpenAlias(%u) failed - %s\n", rid, nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OpenAlias(%u) failed - %s\n", rid, nt_errstr(r.out.result));
                return false;
        }
 
@@ -5931,7 +6381,7 @@ static bool check_mask(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenUser_r(b, tctx, &r),
                "OpenUser failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "OpenUser(%u) failed - %s\n", rid, nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "OpenUser(%u) failed - %s\n", rid, nt_errstr(r.out.result));
                return false;
        }
 
@@ -5942,12 +6392,12 @@ static bool check_mask(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
                "QueryUserInfo failed");
        if (!NT_STATUS_IS_OK(q.out.result)) {
-               torture_warning(tctx, "QueryUserInfo level 16 failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "QueryUserInfo level 16 failed - %s\n",
                       nt_errstr(q.out.result));
                ret = false;
        } else {
                if ((acct_flag_mask & info->info16.acct_flags) == 0) {
-                       torture_warning(tctx, "Server failed to filter for 0x%x, allowed 0x%x (%d) on EnumDomainUsers\n",
+                       torture_result(tctx, TORTURE_FAIL, "Server failed to filter for 0x%x, allowed 0x%x (%d) on EnumDomainUsers\n",
                               acct_flag_mask, info->info16.acct_flags, rid);
                        ret = false;
                }
@@ -5995,7 +6445,7 @@ static bool test_EnumDomainUsers_all(struct dcerpc_binding_handle *b,
                        "EnumDomainUsers failed");
                if (!NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) &&
                    !NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "EnumDomainUsers failed - %s\n", nt_errstr(r.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "EnumDomainUsers failed - %s\n", nt_errstr(r.out.result));
                        return false;
                }
 
@@ -6028,7 +6478,7 @@ static bool test_EnumDomainUsers_all(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_LookupNames_r(b, tctx, &n),
                "LookupNames failed");
        if (!NT_STATUS_IS_OK(n.out.result)) {
-               torture_warning(tctx, "LookupNames failed - %s\n", nt_errstr(n.out.result));
+               torture_result(tctx, TORTURE_FAIL, "LookupNames failed - %s\n", nt_errstr(n.out.result));
                ret = false;
        }
 
@@ -6113,7 +6563,7 @@ static bool test_EnumDomainGroups_all(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomainGroups_r(b, tctx, &r),
                "EnumDomainGroups failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "EnumDomainGroups failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "EnumDomainGroups failed - %s\n", nt_errstr(r.out.result));
                return false;
        }
 
@@ -6167,7 +6617,7 @@ static bool test_EnumDomainAliases_all(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_EnumDomainAliases_r(b, tctx, &r),
                "EnumDomainAliases failed");
        if (!NT_STATUS_IS_OK(r.out.result)) {
-               torture_warning(tctx, "EnumDomainAliases failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "EnumDomainAliases failed - %s\n", nt_errstr(r.out.result));
                return false;
        }
 
@@ -6212,7 +6662,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_binding_handle *b,
                if (ok_lvl[i] &&
                    !NT_STATUS_IS_OK(r.out.result) &&
                    !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, r.out.result)) {
-                       torture_warning(tctx, "GetDisplayEnumerationIndex level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "GetDisplayEnumerationIndex level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6223,7 +6673,7 @@ static bool test_GetDisplayEnumerationIndex(struct dcerpc_binding_handle *b,
                        "GetDisplayEnumerationIndex failed");
 
                if (ok_lvl[i] && !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, r.out.result)) {
-                       torture_warning(tctx, "GetDisplayEnumerationIndex level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "GetDisplayEnumerationIndex level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6259,7 +6709,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_binding_handle *b,
                if (ok_lvl[i] &&
                    !NT_STATUS_IS_OK(r.out.result) &&
                    !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, r.out.result)) {
-                       torture_warning(tctx, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6269,7 +6719,7 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_GetDisplayEnumerationIndex2_r(b, tctx, &r),
                        "GetDisplayEnumerationIndex2 failed");
                if (ok_lvl[i] && !NT_STATUS_EQUAL(NT_STATUS_NO_MORE_ENTRIES, r.out.result)) {
-                       torture_warning(tctx, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "GetDisplayEnumerationIndex2 level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6282,13 +6732,13 @@ static bool test_GetDisplayEnumerationIndex2(struct dcerpc_binding_handle *b,
        if (s1.string == NULL && s2.string != NULL && s2.string[0] == '\0') { \
                /* odd, but valid */                                            \
        } else if ((s1.string && !s2.string) || (s2.string && !s1.string) || strcmp(s1.string, s2.string)) { \
-                       torture_warning(tctx, "%s mismatch for %s: %s != %s (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, "%s mismatch for %s: %s != %s (%s)\n", \
                               #s1, user.string,  s1.string, s2.string, __location__);   \
                        ret = false; \
        }
 #define INT_EQUAL_QUERY(s1, s2, user)          \
                if (s1 != s2) { \
-                       torture_warning(tctx, "%s mismatch for %s: 0x%llx != 0x%llx (%s)\n", \
+                       torture_result(tctx, TORTURE_FAIL, "%s mismatch for %s: 0x%llx != 0x%llx (%s)\n", \
                               #s1, user.string, (unsigned long long)s1, (unsigned long long)s2, __location__); \
                        ret = false; \
                }
@@ -6335,7 +6785,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, dcerpc_samr_OpenUser_r(b, tctx, &r),
                                "OpenUser failed");
                        if (!NT_STATUS_IS_OK(r.out.result)) {
-                               torture_warning(tctx, "OpenUser(%u) failed - %s\n", r.in.rid, nt_errstr(r.out.result));
+                               torture_result(tctx, TORTURE_FAIL, "OpenUser(%u) failed - %s\n", r.in.rid, nt_errstr(r.out.result));
                                return false;
                        }
                }
@@ -6346,7 +6796,7 @@ static bool test_each_DisplayInfo_user(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
                        "QueryUserInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryUserInfo(%u) failed - %s\n", r.in.rid, nt_errstr(r.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "QueryUserInfo(%u) failed - %s\n", r.in.rid, nt_errstr(r.out.result));
                        return false;
                }
 
@@ -6378,12 +6828,12 @@ static bool test_each_DisplayInfo_user(struct dcerpc_binding_handle *b,
                                        info->info21.acct_flags, info->info21.account_name);
 
                        if (!(querydisplayinfo->out.info->info2.entries[i].acct_flags & ACB_NORMAL)) {
-                               torture_warning(tctx, "Missing ACB_NORMAL in querydisplayinfo->out.info.info2.entries[i].acct_flags on %s\n",
+                               torture_result(tctx, TORTURE_FAIL, "Missing ACB_NORMAL in querydisplayinfo->out.info.info2.entries[i].acct_flags on %s\n",
                                       info->info21.account_name.string);
                        }
 
                        if (!(info->info21.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST))) {
-                               torture_warning(tctx, "Found non-trust account %s in trust account listing: 0x%x 0x%x\n",
+                               torture_result(tctx, TORTURE_FAIL, "Found non-trust account %s in trust account listing: 0x%x 0x%x\n",
                                       info->info21.account_name.string,
                                       querydisplayinfo->out.info->info2.entries[i].acct_flags,
                                       info->info21.acct_flags);
@@ -6433,7 +6883,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDisplayInfo_r(b, tctx, &r),
                                "QueryDisplayInfo failed");
                        if (!NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) && !NT_STATUS_IS_OK(r.out.result)) {
-                               torture_warning(tctx, "QueryDisplayInfo level %u failed - %s\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo level %u failed - %s\n",
                                       levels[i], nt_errstr(r.out.result));
                                ret = false;
                        }
@@ -6469,7 +6919,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo_r(b, tctx, &dom_info),
                        "QueryDomainInfo failed");
                if (!NT_STATUS_IS_OK(dom_info.out.result)) {
-                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u failed - %s\n",
                               r.in.level, nt_errstr(dom_info.out.result));
                        ret = false;
                        break;
@@ -6483,7 +6933,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_binding_handle *b,
                                 * global groups, QueryDomainInfo only global
                                 * ones. */
                                if (torture_setting_bool(tctx, "samba3", false)) {
-                                       torture_warning(tctx, "QueryDomainInfo indicates that QueryDisplayInfo returned more users (%d/%d) than the domain %s is said to contain!\n",
+                                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo indicates that QueryDisplayInfo returned more users (%d/%d) than the domain %s is said to contain!\n",
                                               r.in.start_idx, info->general.num_groups,
                                               info->general.domain_name.string);
                                        ret = false;
@@ -6492,7 +6942,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_binding_handle *b,
                        if (!seen_testuser) {
                                struct policy_handle user_handle;
                                if (NT_STATUS_IS_OK(test_OpenUser_byname(b, tctx, handle, TEST_ACCOUNT_NAME, &user_handle))) {
-                                       torture_warning(tctx, "Didn't find test user " TEST_ACCOUNT_NAME " in enumeration of %s\n",
+                                       torture_result(tctx, TORTURE_FAIL, "Didn't find test user " TEST_ACCOUNT_NAME " in enumeration of %s\n",
                                               info->general.domain_name.string);
                                        ret = false;
                                        test_samr_handle_Close(b, tctx, &user_handle);
@@ -6507,7 +6957,7 @@ static bool test_QueryDisplayInfo(struct dcerpc_binding_handle *b,
                                 * global groups, QueryDomainInfo only global
                                 * ones. */
                                if (torture_setting_bool(tctx, "samba3", false)) {
-                                       torture_warning(tctx, "QueryDomainInfo indicates that QueryDisplayInfo didn't return all (%d/%d) the groups in %s\n",
+                                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo indicates that QueryDisplayInfo didn't return all (%d/%d) the groups in %s\n",
                                               r.in.start_idx, info->general.num_groups,
                                               info->general.domain_name.string);
                                        ret = false;
@@ -6549,7 +6999,7 @@ static bool test_QueryDisplayInfo2(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDisplayInfo2_r(b, tctx, &r),
                        "QueryDisplayInfo2 failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDisplayInfo2 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo2 level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6585,7 +7035,7 @@ static bool test_QueryDisplayInfo3(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDisplayInfo3_r(b, tctx, &r),
                        "QueryDisplayInfo3 failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDisplayInfo3 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo3 level %u failed - %s\n",
                               levels[i], nt_errstr(r.out.result));
                        ret = false;
                }
@@ -6621,7 +7071,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_binding_handle *b,
                        "QueryDisplayInfo failed");
                if (NT_STATUS_IS_OK(r.out.result) && *r.out.returned_size != 0) {
                        if (r.out.info->info1.entries[0].idx != r.in.start_idx + 1) {
-                               torture_warning(tctx, "expected idx %d but got %d\n",
+                               torture_result(tctx, TORTURE_FAIL, "expected idx %d but got %d\n",
                                       r.in.start_idx + 1,
                                       r.out.info->info1.entries[0].idx);
                                break;
@@ -6629,7 +7079,7 @@ static bool test_QueryDisplayInfo_continue(struct dcerpc_binding_handle *b,
                }
                if (!NT_STATUS_EQUAL(r.out.result, STATUS_MORE_ENTRIES) &&
                    !NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDisplayInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo level %u failed - %s\n",
                               r.in.level, nt_errstr(r.out.result));
                        ret = false;
                        break;
@@ -6666,7 +7116,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetDomainInfo_r(b, tctx, &s),
                "SetDomainInfo failed");
        if (!NT_STATUS_IS_OK(s.out.result)) {
-               torture_warning(tctx, "SetDomainInfo level %u (set comment) failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "SetDomainInfo level %u (set comment) failed - %s\n",
                       s.in.level, nt_errstr(s.out.result));
                return false;
        }
@@ -6681,7 +7131,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo_r(b, tctx, &r),
                        "QueryDomainInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u failed - %s\n",
                               r.in.level, nt_errstr(r.out.result));
                        ret = false;
                        continue;
@@ -6690,26 +7140,28 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
                switch (levels[i]) {
                case 2:
                        if (strcmp(info->general.oem_information.string, domain_comment) != 0) {
-                               torture_warning(tctx, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
                                       levels[i], info->general.oem_information.string, domain_comment);
                                if (!torture_setting_bool(tctx, "samba3", false)) {
                                        ret = false;
                                }
                        }
                        if (!info->general.primary.string) {
-                               torture_warning(tctx, "QueryDomainInfo level %u returned no PDC name\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned no PDC name\n",
                                       levels[i]);
                                ret = false;
                        } else if (info->general.role == SAMR_ROLE_DOMAIN_PDC) {
                                if (dcerpc_server_name(p) && strcasecmp_m(dcerpc_server_name(p), info->general.primary.string) != 0) {
-                                       torture_warning(tctx, "QueryDomainInfo level %u returned different PDC name (%s) compared to server name (%s), despite claiming to be the PDC\n",
-                                              levels[i], info->general.primary.string, dcerpc_server_name(p));
+                                       if (torture_setting_bool(tctx, "samba3", false)) {
+                                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned different PDC name (%s) compared to server name (%s), despite claiming to be the PDC\n",
+                                                      levels[i], info->general.primary.string, dcerpc_server_name(p));
+                                       }
                                }
                        }
                        break;
                case 4:
                        if (strcmp(info->oem.oem_information.string, domain_comment) != 0) {
-                               torture_warning(tctx, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned different oem_information (comment) (%s, expected %s)\n",
                                       levels[i], info->oem.oem_information.string, domain_comment);
                                if (!torture_setting_bool(tctx, "samba3", false)) {
                                        ret = false;
@@ -6718,14 +7170,14 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
                        break;
                case 6:
                        if (!info->info6.primary.string) {
-                               torture_warning(tctx, "QueryDomainInfo level %u returned no PDC name\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned no PDC name\n",
                                       levels[i]);
                                ret = false;
                        }
                        break;
                case 11:
                        if (strcmp(info->general2.general.oem_information.string, domain_comment) != 0) {
-                               torture_warning(tctx, "QueryDomainInfo level %u returned different comment (%s, expected %s)\n",
+                               torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u returned different comment (%s, expected %s)\n",
                                       levels[i], info->general2.general.oem_information.string, domain_comment);
                                if (!torture_setting_bool(tctx, "samba3", false)) {
                                        ret = false;
@@ -6744,14 +7196,14 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
                        "SetDomainInfo failed");
                if (set_ok[i]) {
                        if (!NT_STATUS_IS_OK(s.out.result)) {
-                               torture_warning(tctx, "SetDomainInfo level %u failed - %s\n",
+                               torture_result(tctx, TORTURE_FAIL, "SetDomainInfo level %u failed - %s\n",
                                       r.in.level, nt_errstr(s.out.result));
                                ret = false;
                                continue;
                        }
                } else {
                        if (!NT_STATUS_EQUAL(NT_STATUS_INVALID_INFO_CLASS, s.out.result)) {
-                               torture_warning(tctx, "SetDomainInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
+                               torture_result(tctx, TORTURE_FAIL, "SetDomainInfo level %u gave %s - should have been NT_STATUS_INVALID_INFO_CLASS\n",
                                       r.in.level, nt_errstr(s.out.result));
                                ret = false;
                                continue;
@@ -6761,7 +7213,7 @@ static bool test_QueryDomainInfo(struct dcerpc_pipe *p,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo_r(b, tctx, &r),
                        "QueryDomainInfo failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDomainInfo level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo level %u failed - %s\n",
                               r.in.level, nt_errstr(r.out.result));
                        ret = false;
                        continue;
@@ -6792,20 +7244,21 @@ static bool test_QueryDomainInfo2(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryDomainInfo2_r(b, tctx, &r),
                        "QueryDomainInfo2 failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "QueryDomainInfo2 level %u failed - %s\n",
+                       torture_result(tctx, TORTURE_FAIL, "QueryDomainInfo2 level %u failed - %s\n",
                               r.in.level, nt_errstr(r.out.result));
                        ret = false;
                        continue;
                }
        }
 
-       return true;
+       return ret;
 }
 
 /* Test whether querydispinfo level 5 and enumdomgroups return the same
    set of group names. */
 static bool test_GroupList(struct dcerpc_binding_handle *b,
                           struct torture_context *tctx,
+                          struct dom_sid *domain_sid,
                           struct policy_handle *handle)
 {
        struct samr_EnumDomainGroups q1;
@@ -6823,6 +7276,9 @@ static bool test_GroupList(struct dcerpc_binding_handle *b,
        int num_names = 0;
        const char **names = NULL;
 
+       bool builtin_domain = dom_sid_compare(domain_sid,
+                                             &global_sid_Builtin) == 0;
+
        torture_comment(tctx, "Testing coherency of querydispinfo vs enumdomgroups\n");
 
        q1.in.domain_handle = handle;
@@ -6853,6 +7309,11 @@ static bool test_GroupList(struct dcerpc_binding_handle *b,
 
        torture_assert(tctx, sam, "EnumDomainGroups failed to return sam");
 
+       if (builtin_domain) {
+               torture_assert(tctx, num_names == 0,
+                              "EnumDomainGroups shouldn't return any group in the builtin domain!");
+       }
+
        q2.in.domain_handle = handle;
        q2.in.level = 5;
        q2.in.start_idx = 0;
@@ -6885,8 +7346,8 @@ static bool test_GroupList(struct dcerpc_binding_handle *b,
                                }
                        }
 
-                       if (!found) {
-                               torture_warning(tctx, "QueryDisplayInfo gave name [%s] that EnumDomainGroups did not\n",
+                       if ((!found) && (!builtin_domain)) {
+                               torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo gave name [%s] that EnumDomainGroups did not\n",
                                       name);
                                ret = false;
                        }
@@ -6895,14 +7356,19 @@ static bool test_GroupList(struct dcerpc_binding_handle *b,
        }
 
        if (!NT_STATUS_IS_OK(status)) {
-               torture_warning(tctx, "QueryDisplayInfo level 5 failed - %s\n",
+               torture_result(tctx, TORTURE_FAIL, "QueryDisplayInfo level 5 failed - %s\n",
                       nt_errstr(status));
                ret = false;
        }
 
+       if (builtin_domain) {
+               torture_assert(tctx, q2.in.start_idx != 0,
+                              "QueryDisplayInfo should return all domain groups also on the builtin domain handle!");
+       }
+
        for (i=0; i<num_names; i++) {
                if (names[i] != NULL) {
-                       torture_warning(tctx, "EnumDomainGroups gave name [%s] that QueryDisplayInfo did not\n",
+                       torture_result(tctx, TORTURE_FAIL, "EnumDomainGroups gave name [%s] that QueryDisplayInfo did not\n",
                               names[i]);
                        ret = false;
                }
@@ -6969,13 +7435,13 @@ static bool test_RidToSid(struct dcerpc_binding_handle *b,
                torture_assert_ntstatus_ok(tctx, dcerpc_samr_RidToSid_r(b, tctx, &r),
                        "RidToSid failed");
                if (!NT_STATUS_IS_OK(r.out.result)) {
-                       torture_warning(tctx, "RidToSid for %d failed - %s\n", rids[i], nt_errstr(r.out.result));
+                       torture_result(tctx, TORTURE_FAIL, "RidToSid for %d failed - %s\n", rids[i], nt_errstr(r.out.result));
                        ret = false;
                } else {
                        calc_sid = dom_sid_add_rid(calc_sid, calc_sid, rids[i]);
 
                        if (!dom_sid_equal(calc_sid, out_sid)) {
-                               torture_warning(tctx, "RidToSid for %d failed - got %s, expected %s\n", rids[i],
+                               torture_result(tctx, TORTURE_FAIL, "RidToSid for %d failed - got %s, expected %s\n", rids[i],
                                       dom_sid_string(tctx, out_sid),
                                       dom_sid_string(tctx, calc_sid));
                                ret = false;
@@ -7021,7 +7487,7 @@ static bool test_AddGroupMember(struct dcerpc_binding_handle *b,
        struct samr_AddGroupMember r;
        struct samr_DeleteGroupMember d;
        struct samr_QueryGroupMember q;
-       struct samr_RidTypeArray *rids = NULL;
+       struct samr_RidAttrArray *rids = NULL;
        struct samr_SetMemberAttributesOfGroup s;
        uint32_t rid;
        bool found_member = false;
@@ -7142,7 +7608,7 @@ static bool test_CreateDomainGroup(struct dcerpc_binding_handle *b,
                        torture_comment(tctx, "Server correctly refused create of '%s'\n", r.in.name->string);
                        return true;
                } else {
-                       torture_warning(tctx, "Server should have refused create of '%s', got %s instead\n", r.in.name->string,
+                       torture_result(tctx, TORTURE_FAIL, "Server should have refused create of '%s', got %s instead\n", r.in.name->string,
                               nt_errstr(r.out.result));
                        return false;
                }
@@ -7150,7 +7616,7 @@ static bool test_CreateDomainGroup(struct dcerpc_binding_handle *b,
 
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_GROUP_EXISTS)) {
                if (!test_DeleteGroup_byname(b, tctx, domain_handle, r.in.name->string)) {
-                       torture_warning(tctx, "CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
+                       torture_result(tctx, TORTURE_FAIL, "CreateDomainGroup failed: Could not delete domain group %s - %s\n", r.in.name->string,
                               nt_errstr(r.out.result));
                        return false;
                }
@@ -7160,7 +7626,7 @@ static bool test_CreateDomainGroup(struct dcerpc_binding_handle *b,
        if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_USER_EXISTS)) {
                if (!test_DeleteUser_byname(b, tctx, domain_handle, r.in.name->string)) {
 
-                       torture_warning(tctx, "CreateDomainGroup failed: Could not delete user %s - %s\n", r.in.name->string,
+                       torture_result(tctx, TORTURE_FAIL, "CreateDomainGroup failed: Could not delete user %s - %s\n", r.in.name->string,
                               nt_errstr(r.out.result));
                        return false;
                }
@@ -7174,7 +7640,7 @@ static bool test_CreateDomainGroup(struct dcerpc_binding_handle *b,
        }
 
        if (!test_AddGroupMember(b, tctx, domain_handle, group_handle)) {
-               torture_warning(tctx, "CreateDomainGroup failed - %s\n", nt_errstr(r.out.result));
+               torture_result(tctx, TORTURE_FAIL, "CreateDomainGroup failed - %s\n", nt_errstr(r.out.result));
                ret = false;
        }
 
@@ -7235,6 +7701,7 @@ static bool test_EnumDomainUsers(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, r.out.result,
                                "failed to enumerate users");
                }
+               status = r.out.result;
 
                total_num_entries += num_entries;
        } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
@@ -7275,6 +7742,7 @@ static bool test_EnumDomainGroups(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, r.out.result,
                                "failed to enumerate groups");
                }
+               status = r.out.result;
 
                total_num_entries += num_entries;
        } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
@@ -7315,6 +7783,7 @@ static bool test_EnumDomainAliases(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, r.out.result,
                                "failed to enumerate aliases");
                }
+               status = r.out.result;
 
                total_num_entries += num_entries;
        } while (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES));
@@ -7359,6 +7828,7 @@ static bool test_QueryDisplayInfo_level(struct dcerpc_binding_handle *b,
                        torture_assert_ntstatus_ok(tctx, r.out.result,
                                "failed to query displayinfo");
                }
+               status = r.out.result;
 
                if (*r.out.returned_size == 0) {
                        break;
@@ -7409,7 +7879,6 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
        uint32_t num_disp = 0;
        uint32_t num_created = 0;
        uint32_t num_anounced = 0;
-       bool ret = true;
        uint32_t i;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
@@ -7453,20 +7922,26 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
                switch (ctx->choice) {
                case TORTURE_SAMR_MANY_ACCOUNTS:
                        name = talloc_asprintf(tctx, "%s%04d", TEST_ACCOUNT_NAME, i);
-                       ret &= test_CreateUser(p, tctx, domain_handle, name, &handles[i], domain_sid, 0, NULL, false);
+                       torture_assert(tctx,
+                               test_CreateUser(p, tctx, domain_handle, name, &handles[i], domain_sid, 0, NULL, false),
+                               "failed to create user");
                        break;
                case TORTURE_SAMR_MANY_GROUPS:
                        name = talloc_asprintf(tctx, "%s%04d", TEST_GROUPNAME, i);
-                       ret &= test_CreateDomainGroup(b, tctx, domain_handle, name, &handles[i], domain_sid, false);
+                       torture_assert(tctx,
+                               test_CreateDomainGroup(b, tctx, domain_handle, name, &handles[i], domain_sid, false),
+                               "failed to create group");
                        break;
                case TORTURE_SAMR_MANY_ALIASES:
                        name = talloc_asprintf(tctx, "%s%04d", TEST_ALIASNAME, i);
-                       ret &= test_CreateAlias(b, tctx, domain_handle, name, &handles[i], domain_sid, false);
+                       torture_assert(tctx,
+                               test_CreateAlias(b, tctx, domain_handle, name, &handles[i], domain_sid, false),
+                               "failed to create alias");
                        break;
                default:
                        return false;
                }
-               if (!policy_handle_empty(&handles[i])) {
+               if (!ndr_policy_handle_empty(&handles[i])) {
                        num_created++;
                }
        }
@@ -7475,13 +7950,19 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
 
        switch (ctx->choice) {
        case TORTURE_SAMR_MANY_ACCOUNTS:
-               ret &= test_EnumDomainUsers(b, tctx, domain_handle, &num_enum);
+               torture_assert(tctx,
+                       test_EnumDomainUsers(b, tctx, domain_handle, &num_enum),
+                       "failed to enum users");
                break;
        case TORTURE_SAMR_MANY_GROUPS:
-               ret &= test_EnumDomainGroups(b, tctx, domain_handle, &num_enum);
+               torture_assert(tctx,
+                       test_EnumDomainGroups(b, tctx, domain_handle, &num_enum),
+                       "failed to enum groups");
                break;
        case TORTURE_SAMR_MANY_ALIASES:
-               ret &= test_EnumDomainAliases(b, tctx, domain_handle, &num_enum);
+               torture_assert(tctx,
+                       test_EnumDomainAliases(b, tctx, domain_handle, &num_enum),
+                       "failed to enum aliases");
                break;
        default:
                return false;
@@ -7491,10 +7972,14 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
 
        switch (ctx->choice) {
        case TORTURE_SAMR_MANY_ACCOUNTS:
-               ret &= test_QueryDisplayInfo_level(b, tctx, domain_handle, 1, &num_disp);
+               torture_assert(tctx,
+                       test_QueryDisplayInfo_level(b, tctx, domain_handle, 1, &num_disp),
+                       "failed to query display info");
                break;
        case TORTURE_SAMR_MANY_GROUPS:
-               ret &= test_QueryDisplayInfo_level(b, tctx, domain_handle, 3, &num_disp);
+               torture_assert(tctx,
+                       test_QueryDisplayInfo_level(b, tctx, domain_handle, 3, &num_disp),
+                       "failed to query display info");
                break;
        case TORTURE_SAMR_MANY_ALIASES:
                /* no aliases in dispinfo */
@@ -7507,22 +7992,30 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
 
        for (i=0; i < num_total; i++) {
 
-               if (policy_handle_empty(&handles[i])) {
+               if (ndr_policy_handle_empty(&handles[i])) {
                        continue;
                }
 
                if (torture_setting_bool(tctx, "samba3", false)) {
-                       ret &= test_samr_handle_Close(b, tctx, &handles[i]);
+                       torture_assert(tctx,
+                               test_samr_handle_Close(b, tctx, &handles[i]),
+                               "failed to close handle");
                } else {
                        switch (ctx->choice) {
                        case TORTURE_SAMR_MANY_ACCOUNTS:
-                               ret &= test_DeleteUser(b, tctx, &handles[i]);
+                               torture_assert(tctx,
+                                       test_DeleteUser(b, tctx, &handles[i]),
+                                       "failed to delete user");
                                break;
                        case TORTURE_SAMR_MANY_GROUPS:
-                               ret &= test_DeleteDomainGroup(b, tctx, &handles[i]);
+                               torture_assert(tctx,
+                                       test_DeleteDomainGroup(b, tctx, &handles[i]),
+                                       "failed to delete group");
                                break;
                        case TORTURE_SAMR_MANY_ALIASES:
-                               ret &= test_DeleteAlias(b, tctx, &handles[i]);
+                               torture_assert(tctx,
+                                       test_DeleteAlias(b, tctx, &handles[i]),
+                                       "failed to delete alias");
                                break;
                        default:
                                return false;
@@ -7541,7 +8034,8 @@ static bool test_ManyObjects(struct dcerpc_pipe *p,
                                "unexpected number of results (%u) returned in dispinfo, call, expected %u\n",
                                num_disp, num_anounced + num_created);
        }
-       return ret;
+
+       return true;
 }
 
 static bool test_Connect(struct dcerpc_binding_handle *b,
@@ -7587,7 +8081,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                }
                ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, NULL, true);
                if (!ret) {
-                       torture_warning(tctx, "Testing PASSWORDS or PRIVILEGES on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_result(tctx, TORTURE_FAIL, "Testing PASSWORDS or PRIVILEGES on domain %s failed!\n", dom_sid_string(tctx, sid));
                }
                break;
        case TORTURE_SAMR_USER_ATTRIBUTES:
@@ -7598,7 +8092,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                /* This test needs 'complex' users to validate */
                ret &= test_QueryDisplayInfo(b, tctx, &domain_handle);
                if (!ret) {
-                       torture_warning(tctx, "Testing ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_result(tctx, TORTURE_FAIL, "Testing ATTRIBUTES on domain %s failed!\n", dom_sid_string(tctx, sid));
                }
                break;
        case TORTURE_SAMR_PASSWORDS_PWDLASTSET:
@@ -7609,7 +8103,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                }
                ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, ctx->machine_credentials, true);
                if (!ret) {
-                       torture_warning(tctx, "Testing PASSWORDS PWDLASTSET or BADPWDCOUNT on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_result(tctx, TORTURE_FAIL, "Testing PASSWORDS PWDLASTSET or BADPWDCOUNT on domain %s failed!\n", dom_sid_string(tctx, sid));
                }
                break;
        case TORTURE_SAMR_MANY_ACCOUNTS:
@@ -7617,13 +8111,13 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
        case TORTURE_SAMR_MANY_ALIASES:
                ret &= test_ManyObjects(p, tctx, &domain_handle, sid, ctx);
                if (!ret) {
-                       torture_warning(tctx, "Testing MANY-{ACCOUNTS,GROUPS,ALIASES} on domain %s failed!\n", dom_sid_string(tctx, sid));
+                       torture_result(tctx, TORTURE_FAIL, "Testing MANY-{ACCOUNTS,GROUPS,ALIASES} on domain %s failed!\n", dom_sid_string(tctx, sid));
                }
                break;
        case TORTURE_SAMR_OTHER:
                ret &= test_CreateUser(p, tctx, &domain_handle, TEST_ACCOUNT_NAME, &user_handle, sid, ctx->choice, NULL, true);
                if (!ret) {
-                       torture_warning(tctx, "Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
+                       torture_result(tctx, TORTURE_FAIL, "Failed to CreateUser in SAMR-OTHER on domain %s!\n", dom_sid_string(tctx, sid));
                }
                if (!torture_setting_bool(tctx, "samba3", false)) {
                        ret &= test_QuerySecurity(b, tctx, &domain_handle);
@@ -7648,7 +8142,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                        ret &= test_GetDisplayEnumerationIndex(b, tctx, &domain_handle);
                        ret &= test_GetDisplayEnumerationIndex2(b, tctx, &domain_handle);
                }
-               ret &= test_GroupList(b, tctx, &domain_handle);
+               ret &= test_GroupList(b, tctx, sid, &domain_handle);
                ret &= test_TestPrivateFunctionsDomain(b, tctx, &domain_handle);
                ret &= test_RidToSid(b, tctx, sid, &domain_handle);
                ret &= test_GetBootKeyInformation(b, tctx, &domain_handle);
@@ -7658,17 +8152,17 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
                break;
        }
 
-       if (!policy_handle_empty(&user_handle) &&
+       if (!ndr_policy_handle_empty(&user_handle) &&
            !test_DeleteUser(b, tctx, &user_handle)) {
                ret = false;
        }
 
-       if (!policy_handle_empty(&alias_handle) &&
+       if (!ndr_policy_handle_empty(&alias_handle) &&
            !test_DeleteAlias(b, tctx, &alias_handle)) {
                ret = false;
        }
 
-       if (!policy_handle_empty(&group_handle) &&
+       if (!ndr_policy_handle_empty(&group_handle) &&
            !test_DeleteDomainGroup(b, tctx, &group_handle)) {
                ret = false;
        }
@@ -7679,7 +8173,7 @@ static bool test_OpenDomain(struct dcerpc_pipe *p, struct torture_context *tctx,
        /* reconnect the main handle */
 
        if (!ret) {
-               torture_warning(tctx, "Testing domain %s failed!\n", dom_sid_string(tctx, sid));
+               torture_result(tctx, TORTURE_FAIL, "Testing domain %s failed!\n", dom_sid_string(tctx, sid));
        }
 
        return ret;
@@ -7789,9 +8283,9 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
        uint32_t level_out = 0;
        bool ret = true, got_handle = false;
 
-       torture_comment(tctx, "testing samr_Connect\n");
+       torture_comment(tctx, "Testing samr_Connect\n");
 
-       r.in.system_name = 0;
+       r.in.system_name = NULL;
        r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
        r.out.connect_handle = &h;
 
@@ -7805,7 +8299,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
                *handle = h;
        }
 
-       torture_comment(tctx, "testing samr_Connect2\n");
+       torture_comment(tctx, "Testing samr_Connect2\n");
 
        r2.in.system_name = NULL;
        r2.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
@@ -7824,7 +8318,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
                *handle = h;
        }
 
-       torture_comment(tctx, "testing samr_Connect3\n");
+       torture_comment(tctx, "Testing samr_Connect3\n");
 
        r3.in.system_name = NULL;
        r3.in.unknown = 0;
@@ -7834,7 +8328,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_Connect3_r(b, tctx, &r3),
                "Connect3 failed");
        if (!NT_STATUS_IS_OK(r3.out.result)) {
-               torture_warning(tctx, "Connect3 failed - %s\n", nt_errstr(r3.out.result));
+               torture_result(tctx, TORTURE_FAIL, "Connect3 failed - %s\n", nt_errstr(r3.out.result));
                ret = false;
        } else {
                if (got_handle) {
@@ -7844,7 +8338,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
                *handle = h;
        }
 
-       torture_comment(tctx, "testing samr_Connect4\n");
+       torture_comment(tctx, "Testing samr_Connect4\n");
 
        r4.in.system_name = "";
        r4.in.client_version = 0;
@@ -7854,7 +8348,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_Connect4_r(b, tctx, &r4),
                "Connect4 failed");
        if (!NT_STATUS_IS_OK(r4.out.result)) {
-               torture_warning(tctx, "Connect4 failed - %s\n", nt_errstr(r4.out.result));
+               torture_result(tctx, TORTURE_FAIL, "Connect4 failed - %s\n", nt_errstr(r4.out.result));
                ret = false;
        } else {
                if (got_handle) {
@@ -7864,7 +8358,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
                *handle = h;
        }
 
-       torture_comment(tctx, "testing samr_Connect5\n");
+       torture_comment(tctx, "Testing samr_Connect5\n");
 
        info.info1.client_version = 0;
        info.info1.unknown2 = 0;
@@ -7880,7 +8374,7 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
        torture_assert_ntstatus_ok(tctx, dcerpc_samr_Connect5_r(b, tctx, &r5),
                "Connect5 failed");
        if (!NT_STATUS_IS_OK(r5.out.result)) {
-               torture_warning(tctx, "Connect5 failed - %s\n", nt_errstr(r5.out.result));
+               torture_result(tctx, TORTURE_FAIL, "Connect5 failed - %s\n", nt_errstr(r5.out.result));
                ret = false;
        } else {
                if (got_handle) {
@@ -7894,8 +8388,8 @@ static bool test_Connect(struct dcerpc_binding_handle *b,
 }
 
 
-static bool test_samr_ValidatePassword(struct dcerpc_pipe *p,
-                                      struct torture_context *tctx)
+static bool test_samr_ValidatePassword(struct torture_context *tctx,
+                                      struct dcerpc_pipe *p)
 {
        struct samr_ValidatePassword r;
        union samr_ValidatePasswordReq req;
@@ -7905,7 +8399,11 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe *p,
        int i;
        struct dcerpc_binding_handle *b = p->binding_handle;
 
-       torture_comment(tctx, "testing samr_ValidatePassword\n");
+       torture_comment(tctx, "Testing samr_ValidatePassword\n");
+
+       if (p->conn->transport.transport != NCACN_IP_TCP) {
+               torture_comment(tctx, "samr_ValidatePassword only should succeed over NCACN_IP_TCP!\n");
+       }
 
        ZERO_STRUCT(r);
        r.in.level = NetValidatePasswordReset;
@@ -7913,17 +8411,19 @@ static bool test_samr_ValidatePassword(struct dcerpc_pipe *p,
        r.out.rep = &repp;
 
        ZERO_STRUCT(req);
-       req.req3.account.string = "non-existant-account-aklsdji";
+       req.req3.account.string = "non-existent-account-aklsdji";
 
        for (i=0; passwords[i]; i++) {
                req.req3.password.string = passwords[i];
-               torture_assert_ntstatus_ok(tctx, dcerpc_samr_ValidatePassword_r(b, tctx, &r),
-                       "ValidatePassword failed");
-               if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT) &&
-                   p->last_fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
+
+               status = dcerpc_samr_ValidatePassword_r(b, tctx, &r);
+               if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
                        torture_skip(tctx, "ValidatePassword not supported by server\n");
                }
-               torture_assert_ntstatus_ok(tctx, r.out.result, "samr_ValidatePassword");
+               torture_assert_ntstatus_ok(tctx, status,
+                                          "samr_ValidatePassword failed");
+               torture_assert_ntstatus_ok(tctx, r.out.result,
+                                          "samr_ValidatePassword failed");
                torture_comment(tctx, "Server %s password '%s' with code %i\n",
                                repp->ctr3.status==SAMR_VALIDATION_STATUS_SUCCESS?"allowed":"refused",
                                req.req3.password.string, repp->ctr3.status);
@@ -8028,8 +8528,6 @@ bool torture_rpc_samr_passwords(struct torture_context *torture)
 
        ret &= test_samr_handle_Close(b, torture, &ctx->handle);
 
-       ret &= test_samr_ValidatePassword(p, torture);
-
        return ret;
 }
 
@@ -8065,7 +8563,7 @@ static bool torture_rpc_samr_pwdlastset(struct torture_context *torture,
 
 struct torture_suite *torture_rpc_samr_passwords_pwdlastset(TALLOC_CTX *mem_ctx)
 {
-       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-PWDLASTSET");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.passwords.pwdlastset");
        struct torture_rpc_tcase *tcase;
 
        tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
@@ -8110,7 +8608,7 @@ static bool torture_rpc_samr_users_privileges_delete_user(struct torture_context
 
 struct torture_suite *torture_rpc_samr_user_privileges(TALLOC_CTX *mem_ctx)
 {
-       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-USERS-PRIVILEGES");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.users.privileges");
        struct torture_rpc_tcase *tcase;
 
        tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
@@ -8215,7 +8713,7 @@ static bool torture_rpc_samr_many_aliases(struct torture_context *torture,
 
 struct torture_suite *torture_rpc_samr_large_dc(TALLOC_CTX *mem_ctx)
 {
-       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-LARGE-DC");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.large-dc");
        struct torture_rpc_tcase *tcase;
        struct torture_samr_context *ctx;
 
@@ -8266,7 +8764,7 @@ static bool torture_rpc_samr_badpwdcount(struct torture_context *torture,
 
 struct torture_suite *torture_rpc_samr_passwords_badpwdcount(TALLOC_CTX *mem_ctx)
 {
-       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-BADPWDCOUNT");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.passwords.badpwdcount");
        struct torture_rpc_tcase *tcase;
 
        tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
@@ -8311,7 +8809,7 @@ static bool torture_rpc_samr_lockout(struct torture_context *torture,
 
 struct torture_suite *torture_rpc_samr_passwords_lockout(TALLOC_CTX *mem_ctx)
 {
-       struct torture_suite *suite = torture_suite_create(mem_ctx, "SAMR-PASSWORDS-LOCKOUT");
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.passwords.lockout");
        struct torture_rpc_tcase *tcase;
 
        tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "samr",
@@ -8324,4 +8822,15 @@ struct torture_suite *torture_rpc_samr_passwords_lockout(TALLOC_CTX *mem_ctx)
        return suite;
 }
 
+struct torture_suite *torture_rpc_samr_passwords_validate(TALLOC_CTX *mem_ctx)
+{
+       struct torture_suite *suite = torture_suite_create(mem_ctx, "samr.passwords.validate");
+       struct torture_rpc_tcase *tcase;
+
+       tcase = torture_suite_add_rpc_iface_tcase(suite, "samr",
+                                                 &ndr_table_samr);
+       torture_rpc_tcase_add_test(tcase, "validate",
+                                  test_samr_ValidatePassword);
 
+       return suite;
+}
Default public repo for matthieu