Changeset 745 for trunk/server/source4/rpc_server/samr

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source4/rpc_server/samr/dcesrv_samr.c (modified) (204 diffs)
• source4/rpc_server/samr/dcesrv_samr.h (modified) (2 diffs)
• source4/rpc_server/samr/samr_password.c (modified) (34 diffs)

trunk/server/source4/rpc_server/samr/dcesrv_samr.c

@@ -1 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
@@ -8 +8 @@
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
    Copyright (C) Matthias Dieter Wallnöfer 2009
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
@@ -29 +29 @@
 #include "rpc_server/samr/dcesrv_samr.h"
 #include "system/time.h"
-#include "lib/ldb/include/ldb.h"
-#include "lib/ldb/include/ldb_errors.h"
+#include <ldb.h>
+#include <ldb_errors.h>
 #include "../libds/common/flags.h"
 #include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
 #include "libcli/ldap/ldap_ndr.h"
 #include "libcli/security/security.h"
@@ -38 +39 @@
 #include "../lib/util/util_ldb.h"
 #include "param/param.h"
+#include "lib/util/tsort.h"
+#include "libds/common/flag_mapping.h"
 
 /* these query macros make samr_Query[User|Group|Alias]Info a bit easier to read */
 
 #define QUERY_STRING(msg, field, attr) \
-        info->field.string = samdb_result_string(msg, attr, "");
+        info->field.string = ldb_msg_find_attr_as_string(msg, attr, "");
 #define QUERY_UINT(msg, field, attr) \
-        info->field = samdb_result_uint(msg, attr, 0);
+        info->field = ldb_msg_find_attr_as_uint(msg, attr, 0);
 #define QUERY_RID(msg, field, attr) \
         info->field = samdb_result_rid_from_sid(mem_ctx, msg, attr, 0);
 #define QUERY_UINT64(msg, field, attr) \
-        info->field = samdb_result_uint64(msg, attr, 0);
+        info->field = ldb_msg_find_attr_as_uint64(msg, attr, 0);
 #define QUERY_APASSC(msg, field, attr) \
         info->field = samdb_result_allow_password_change(sam_ctx, mem_ctx, \
@@ -69 +72 @@
         if (r->in.info->field.string == NULL) return NT_STATUS_INVALID_PARAMETER; \
         if (r->in.info->field.string[0] == '\0') {                      \
-                if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, NULL)) { \
+                if (ldb_msg_add_empty(msg, attr, LDB_FLAG_MOD_DELETE, NULL) != LDB_SUCCESS) { \
                         return NT_STATUS_NO_MEMORY;                     \
                 }                                                       \
         }                                                               \
-        if (ldb_msg_add_string(msg, attr, r->in.info->field.string) != 0) { \
+        if (ldb_msg_add_string(msg, attr, r->in.info->field.string) != LDB_SUCCESS) { \
                 return NT_STATUS_NO_MEMORY;                             \
         }                                                               \
@@ -82 +85 @@
 #define SET_UINT(msg, field, attr) do {                                 \
         struct ldb_message_element *set_el;                             \
-        if (samdb_msg_add_uint(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+        if (samdb_msg_add_uint(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
                 return NT_STATUS_NO_MEMORY;                             \
         }                                                               \
         set_el = ldb_msg_find_element(msg, attr);                       \
         set_el->flags = LDB_FLAG_MOD_REPLACE;                           \
-} while (0)                                                             
-                                                                        
+} while (0)
+
 #define SET_INT64(msg, field, attr) do {                                \
         struct ldb_message_element *set_el;                             \
-        if (samdb_msg_add_int64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+        if (samdb_msg_add_int64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
                 return NT_STATUS_NO_MEMORY;                             \
         }                                                               \
         set_el = ldb_msg_find_element(msg, attr);                       \
         set_el->flags = LDB_FLAG_MOD_REPLACE;                           \
-} while (0)                                                             
-                                                                        
+} while (0)
+
 #define SET_UINT64(msg, field, attr) do {                               \
         struct ldb_message_element *set_el;                             \
-        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != 0) { \
+        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, attr, r->in.info->field) != LDB_SUCCESS) { \
                 return NT_STATUS_NO_MEMORY;                             \
         }                                                               \
         set_el = ldb_msg_find_element(msg, attr);                       \
         set_el->flags = LDB_FLAG_MOD_REPLACE;                           \
-} while (0)                                                             
+} while (0)
 
 #define CHECK_FOR_MULTIPLES(value, flag, poss_flags)    \
@@ -113 +116 @@
                 }                                                       \
         } while (0)                                                     \
-        
-/* Set account flags, discarding flags that cannot be set with SAMR */                                                          
+
+/* Set account flags, discarding flags that cannot be set with SAMR */
 #define SET_AFLAGS(msg, field, attr) do {                               \
         struct ldb_message_element *set_el;                             \
@@ -129 +132 @@
         set_el = ldb_msg_find_element(msg, attr);                       \
         set_el->flags = LDB_FLAG_MOD_REPLACE;                           \
-} while (0)                                                             
-                                                                        
+} while (0)
+
 #define SET_LHOURS(msg, field, attr) do {                               \
         struct ldb_message_element *set_el;                             \
-        if (samdb_msg_add_logon_hours(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != 0) { \
+        if (samdb_msg_add_logon_hours(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != LDB_SUCCESS) { \
                 return NT_STATUS_NO_MEMORY;                             \
         }                                                               \
@@ -143 +146 @@
         struct ldb_message_element *set_el;                             \
         if (r->in.info->field.length != 0) {                            \
-                if (samdb_msg_add_parameters(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != 0) { \
+                if (samdb_msg_add_parameters(sam_ctx, mem_ctx, msg, attr, &r->in.info->field) != LDB_SUCCESS) { \
                         return NT_STATUS_NO_MEMORY;                     \
                 }                                                       \
@@ -153 +156 @@
 
 
-/* 
-  samr_Connect 
+/*
+  samr_Connect
 
   create a connection to the SAM database
@@ -166 +169 @@
         ZERO_STRUCTP(r->out.connect_handle);
 
-        c_state = talloc(dce_call->conn, struct samr_connect_state);
+        c_state = talloc(mem_ctx, struct samr_connect_state);
         if (!c_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -172 +175 @@
 
         /* make sure the sam database is accessible */
-        c_state->sam_ctx = samdb_connect(c_state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); 
+        c_state->sam_ctx = samdb_connect(c_state, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info, 0);
         if (c_state->sam_ctx == NULL) {
                 talloc_free(c_state);
@@ -194 +197 @@
 
 
-/* 
-  samr_Close 
+/*
+  samr_Close
 */
 static NTSTATUS dcesrv_samr_Close(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -214 +217 @@
 
 
-/* 
-  samr_SetSecurity 
+/*
+  samr_SetSecurity
 */
 static NTSTATUS dcesrv_samr_SetSecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -224 +227 @@
 
 
-/* 
-  samr_QuerySecurity 
+/*
+  samr_QuerySecurity
 */
 static NTSTATUS dcesrv_samr_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -250 +253 @@
 
 
-/* 
-  samr_Shutdown 
+/*
+  samr_Shutdown
 
   we refuse this operation completely. If a admin wants to shutdown samr
@@ -263 +266 @@
 
 
-/* 
-  samr_LookupDomain 
+/*
+  samr_LookupDomain
 
   this maps from a domain name to a SID
@@ -292 +295 @@
                                    mem_ctx, NULL, &dom_msgs, dom_attrs,
                                    "(objectClass=builtinDomain)");
-        } else if (strcasecmp_m(r->in.domain_name->string, lp_sam_name(dce_call->conn->dce_ctx->lp_ctx)) == 0) {
+        } else if (strcasecmp_m(r->in.domain_name->string, lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx)) == 0) {
                 ret = gendb_search_dn(c_state->sam_ctx,
-                                      mem_ctx, ldb_get_default_basedn(c_state->sam_ctx), 
+                                      mem_ctx, ldb_get_default_basedn(c_state->sam_ctx),
                                       &dom_msgs, dom_attrs);
         } else {
@@ -302 +305 @@
                 return NT_STATUS_NO_SUCH_DOMAIN;
         }
-        
+
         sid = samdb_result_dom_sid(mem_ctx, dom_msgs[0],
                                    "objectSid");
-                
+
         if (sid == NULL) {
                 return NT_STATUS_NO_SUCH_DOMAIN;
@@ -316 +319 @@
 
 
-/* 
-  samr_EnumDomains 
+/*
+  samr_EnumDomains
 
   list the domains in the SAM
@@ -327 +330 @@
         struct dcesrv_handle *h;
         struct samr_SamArray *array;
-        int i, start_i;
+        uint32_t i, start_i;
 
         *r->out.resume_handle = 0;
@@ -350 +353 @@
                 return NT_STATUS_NO_MEMORY;
         }
-                
+
         array->count = 0;
         array->entries = NULL;
@@ -362 +365 @@
                 array->entries[i].idx = start_i + i;
                 if (i == 0) {
-                        array->entries[i].name.string = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
+                        array->entries[i].name.string = lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx);
                 } else {
                         array->entries[i].name.string = "BUILTIN";
@@ -376 +379 @@
 
 
-/* 
-  samr_OpenDomain 
+/*
+  samr_OpenDomain
 */
 static NTSTATUS dcesrv_samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -399 +402 @@
         }
 
-        d_state = talloc(c_state, struct samr_domain_state);
+        d_state = talloc(mem_ctx, struct samr_domain_state);
         if (!d_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -411 +414 @@
         } else {
                 d_state->builtin = false;
-                d_state->domain_name = lp_sam_name(dce_call->conn->dce_ctx->lp_ctx);
+                d_state->domain_name = lpcfg_sam_name(dce_call->conn->dce_ctx->lp_ctx);
         }
 
         ret = gendb_search(c_state->sam_ctx,
                            mem_ctx, ldb_get_default_basedn(c_state->sam_ctx), &dom_msgs, dom_attrs,
-                           "(objectSid=%s)", 
+                           "(objectSid=%s)",
                            ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
-        
+
         if (ret == 0) {
                 talloc_free(d_state);
@@ -432 +435 @@
 
         d_state->domain_dn = talloc_steal(d_state, dom_msgs[0]->dn);
-        d_state->role = lp_server_role(dce_call->conn->dce_ctx->lp_ctx);
+        d_state->role = lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx);
         d_state->connect_state = talloc_reference(d_state, c_state);
         d_state->sam_ctx = c_state->sam_ctx;
@@ -444 +447 @@
                 return NT_STATUS_NO_MEMORY;
         }
-        
+
         h_domain->data = talloc_steal(h_domain, d_state);
 
@@ -456 +459 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo1(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo1 *info)
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo1 *info)
 {
         info->min_password_length =
-                samdb_result_uint(dom_msgs[0], "minPwdLength", 0);
+                ldb_msg_find_attr_as_uint(dom_msgs[0], "minPwdLength", 0);
         info->password_history_length =
-                samdb_result_uint(dom_msgs[0], "pwdHistoryLength", 0);
-        info->password_properties = 
-                samdb_result_uint(dom_msgs[0], "pwdProperties", 0);
-        info->max_password_age = 
-                samdb_result_int64(dom_msgs[0], "maxPwdAge", 0);
-        info->min_password_age = 
-                samdb_result_int64(dom_msgs[0], "minPwdAge", 0);
+                ldb_msg_find_attr_as_uint(dom_msgs[0], "pwdHistoryLength", 0);
+        info->password_properties =
+                ldb_msg_find_attr_as_uint(dom_msgs[0], "pwdProperties", 0);
+        info->max_password_age =
+                ldb_msg_find_attr_as_int64(dom_msgs[0], "maxPwdAge", 0);
+        info->min_password_age =
+                ldb_msg_find_attr_as_int64(dom_msgs[0], "minPwdAge", 0);
 
         return NT_STATUS_OK;
@@ -477 +480 @@
   return DomInfo2
 */
-static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state *state, 
+static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state *state,
                                                        TALLOC_CTX *mem_ctx,
                                                        struct ldb_message **dom_msgs,
                                                        struct samr_DomGeneralInformation *info)
 {
-        /* This pulls the NetBIOS name from the 
-           cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
-           string */
-        info->primary.string = samdb_result_fsmo_name(state->sam_ctx, mem_ctx, dom_msgs[0], "fSMORoleOwner");
-
-        if (!info->primary.string) {
-                info->primary.string = lp_netbios_name(state->lp_ctx);
-        }
-
-        info->force_logoff_time = ldb_msg_find_attr_as_uint64(dom_msgs[0], "forceLogoff", 
+        /* MS-SAMR 2.2.4.1 - ReplicaSourceNodeName: "domainReplica" attribute */
+        info->primary.string = ldb_msg_find_attr_as_string(dom_msgs[0],
+                                                           "domainReplica",
+                                                           "");
+
+        info->force_logoff_time = ldb_msg_find_attr_as_uint64(dom_msgs[0], "forceLogoff",
                                                             0x8000000000000000LL);
 
-        info->oem_information.string = samdb_result_string(dom_msgs[0], "oEMInformation", NULL);
+        info->oem_information.string = ldb_msg_find_attr_as_string(dom_msgs[0],
+                                                                   "oEMInformation",
+                                                                   "");
         info->domain_name.string  = state->domain_name;
 
-        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 
+        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount",
                                                  0);
         switch (state->role) {
         case ROLE_DOMAIN_CONTROLLER:
-                /* This pulls the NetBIOS name from the 
+                /* This pulls the NetBIOS name from the
                    cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
                    string */
@@ -518 +519 @@
         }
 
-        /* No users in BUILTIN, and the LOCAL group types are only in builtin, and the global group type is never in BUILTIN */
-        info->num_users = samdb_search_count(state->sam_ctx, mem_ctx, state->domain_dn, 
+        info->num_users = samdb_search_count(state->sam_ctx, mem_ctx,
+                                             state->domain_dn,
                                              "(objectClass=user)");
-        info->num_groups = samdb_search_count(state->sam_ctx, mem_ctx, state->domain_dn,
-                                              "(&(objectClass=group)(sAMAccountType=%u))",
-                                              ATYPE_GLOBAL_GROUP);
-        info->num_aliases = samdb_search_count(state->sam_ctx, mem_ctx, state->domain_dn,
-                                               "(&(objectClass=group)(sAMAccountType=%u))",
-                                               ATYPE_LOCAL_GROUP);
+        info->num_groups = samdb_search_count(state->sam_ctx, mem_ctx,
+                                              state->domain_dn,
+                                              "(&(objectClass=group)(|(groupType=%d)(groupType=%d)))",
+                                              GTYPE_SECURITY_UNIVERSAL_GROUP,
+                                              GTYPE_SECURITY_GLOBAL_GROUP);
+        info->num_aliases = samdb_search_count(state->sam_ctx, mem_ctx,
+                                               state->domain_dn,
+                                               "(&(objectClass=group)(|(groupType=%d)(groupType=%d)))",
+                                               GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
+                                               GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
 
         return NT_STATUS_OK;
@@ -535 +540 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo3(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo3 *info)
-{
-        info->force_logoff_time = ldb_msg_find_attr_as_uint64(dom_msgs[0], "forceLogoff", 
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo3 *info)
+{
+        info->force_logoff_time = ldb_msg_find_attr_as_uint64(dom_msgs[0], "forceLogoff",
                                                       0x8000000000000000LL);
 
@@ -553 +558 @@
                                    struct samr_DomOEMInformation *info)
 {
-        info->oem_information.string = samdb_result_string(dom_msgs[0], "oEMInformation", NULL);
+        info->oem_information.string = ldb_msg_find_attr_as_string(dom_msgs[0],
+                                                                   "oEMInformation",
+                                                                   "");
 
         return NT_STATUS_OK;
@@ -562 +569 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo5(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo5 *info)
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo5 *info)
 {
         info->domain_name.string  = state->domain_name;
@@ -575 +582 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo6(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                   struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo6 *info)
-{
-        /* This pulls the NetBIOS name from the 
-           cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
-           string */
-        info->primary.string = samdb_result_fsmo_name(state->sam_ctx, mem_ctx, 
-                                                      dom_msgs[0], "fSMORoleOwner");
-
-        if (!info->primary.string) {
-                info->primary.string = lp_netbios_name(state->lp_ctx);
-        }
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo6 *info)
+{
+        /* MS-SAMR 2.2.4.1 - ReplicaSourceNodeName: "domainReplica" attribute */
+        info->primary.string = ldb_msg_find_attr_as_string(dom_msgs[0],
+                                                           "domainReplica",
+                                                           "");
 
         return NT_STATUS_OK;
@@ -596 +598 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo7 *info)
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo7 *info)
 {
 
         switch (state->role) {
         case ROLE_DOMAIN_CONTROLLER:
-                /* This pulls the NetBIOS name from the 
+                /* This pulls the NetBIOS name from the
                    cn=NTDS Settings,cn=<NETBIOS name of PDC>,....
                    string */
@@ -627 +629 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo8(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo8 *info)
-{
-        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo8 *info)
+{
+        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount",
                                                time(NULL));
 
@@ -644 +646 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo9(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo9 *info)
+                                          TALLOC_CTX *mem_ctx,
+                                          struct ldb_message **dom_msgs,
+                                          struct samr_DomInfo9 *info)
 {
         info->domain_server_state = DOMAIN_SERVER_ENABLED;
@@ -657 +659 @@
 */
 static NTSTATUS dcesrv_samr_info_DomGeneralInformation2(struct samr_domain_state *state,
-                                    TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                    struct samr_DomGeneralInformation2 *info)
+                                                        TALLOC_CTX *mem_ctx,
+                                                        struct ldb_message **dom_msgs,
+                                                        struct samr_DomGeneralInformation2 *info)
 {
         NTSTATUS status;
@@ -666 +668 @@
                 return status;
         }
-        
-        info->lockout_duration = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockoutDuration", 
+
+        info->lockout_duration = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockoutDuration",
                                                     -18000000000LL);
         info->lockout_window = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockOutObservationWindow",
@@ -680 +682 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo12(struct samr_domain_state *state,
-                                   TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                   struct samr_DomInfo12 *info)
-{
-        info->lockout_duration = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockoutDuration", 
+                                           TALLOC_CTX *mem_ctx,
+                                           struct ldb_message **dom_msgs,
+                                           struct samr_DomInfo12 *info)
+{
+        info->lockout_duration = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockoutDuration",
                                                     -18000000000LL);
         info->lockout_window = ldb_msg_find_attr_as_int64(dom_msgs[0], "lockOutObservationWindow",
@@ -697 +699 @@
 */
 static NTSTATUS dcesrv_samr_info_DomInfo13(struct samr_domain_state *state,
-                                    TALLOC_CTX *mem_ctx,
-                                    struct ldb_message **dom_msgs,
-                                    struct samr_DomInfo13 *info)
-{
-        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 
+                                           TALLOC_CTX *mem_ctx,
+                                           struct ldb_message **dom_msgs,
+                                           struct samr_DomInfo13 *info)
+{
+        info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount",
                                                time(NULL));
 
@@ -712 +714 @@
 }
 
-/* 
-  samr_QueryDomainInfo 
-*/
-static NTSTATUS dcesrv_samr_QueryDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                     struct samr_QueryDomainInfo *r)
+/*
+  samr_QueryDomainInfo
+*/
+static NTSTATUS dcesrv_samr_QueryDomainInfo(struct dcesrv_call_state *dce_call,
+                                            TALLOC_CTX *mem_ctx,
+                                            struct samr_QueryDomainInfo *r)
 {
         struct dcesrv_handle *h;
@@ -724 +727 @@
         struct ldb_message **dom_msgs;
         const char * const *attrs = NULL;
-        
+
         *r->out.info = NULL;
 
@@ -731 +734 @@
         d_state = h->data;
 
-        info = talloc(mem_ctx, union samr_DomainInfo);
-        if (!info) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
         switch (r->in.level) {
-        case 1: 
+        case 1:
         {
                 static const char * const attrs2[] = { "minPwdLength",
@@ -751 +749 @@
         {
                 static const char * const attrs2[] = {"forceLogoff",
-                                                      "oEMInformation", 
-                                                      "modifiedCount", 
-                                                      "fSMORoleOwner",
+                                                      "oEMInformation",
+                                                      "modifiedCount",
+                                                      "domainReplica",
                                                       NULL};
                 attrs = attrs2;
@@ -760 +758 @@
         case 3:
         {
-                static const char * const attrs2[] = {"forceLogoff", 
+                static const char * const attrs2[] = {"forceLogoff",
                                                       NULL};
                 attrs = attrs2;
@@ -767 +765 @@
         case 4:
         {
-                static const char * const attrs2[] = {"oEMInformation", 
+                static const char * const attrs2[] = {"oEMInformation",
                                                       NULL};
                 attrs = attrs2;
@@ -779 +777 @@
         case 6:
         {
-                static const char * const attrs2[] = {"fSMORoleOwner", 
-                                                      NULL};
+                static const char * const attrs2[] = { "domainReplica",
+                                                       NULL };
                 attrs = attrs2;
                 break;
@@ -791 +789 @@
         case 8:
         {
-                static const char * const attrs2[] = { "modifiedCount", 
-                                                       "creationTime", 
+                static const char * const attrs2[] = { "modifiedCount",
+                                                       "creationTime",
                                                        NULL };
                 attrs = attrs2;
@@ -798 +796 @@
         }
         case 9:
+        {
                 attrs = NULL;
-                break;          
+                break;
+        }
         case 11:
         {
                 static const char * const attrs2[] = { "oEMInformation",
                                                        "forceLogoff",
-                                                       "modifiedCount", 
-                                                       "lockoutDuration", 
-                                                       "lockOutObservationWindow", 
-                                                       "lockoutThreshold", 
+                                                       "modifiedCount",
+                                                       "lockoutDuration",
+                                                       "lockOutObservationWindow",
+                                                       "lockoutThreshold",
                                                        NULL};
                 attrs = attrs2;
@@ -814 +814 @@
         case 12:
         {
-                static const char * const attrs2[] = { "lockoutDuration", 
-                                                       "lockOutObservationWindow", 
-                                                       "lockoutThreshold", 
+                static const char * const attrs2[] = { "lockoutDuration",
+                                                       "lockOutObservationWindow",
+                                                       "lockoutThreshold",
                                                        NULL};
                 attrs = attrs2;
@@ -823 +823 @@
         case 13:
         {
-                static const char * const attrs2[] = { "modifiedCount", 
-                                                       "creationTime", 
+                static const char * const attrs2[] = { "modifiedCount",
+                                                       "creationTime",
                                                        NULL };
                 attrs = attrs2;
                 break;
+        }
+        default:
+        {
+                return NT_STATUS_INVALID_INFO_CLASS;
         }
         }
@@ -836 +840 @@
                 ret = gendb_search_dn(d_state->sam_ctx, mem_ctx,
                                       d_state->domain_dn, &dom_msgs, attrs);
+                if (ret == 0) {
+                        return NT_STATUS_NO_SUCH_DOMAIN;
+                }
                 if (ret != 1) {
                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -841 +848 @@
         }
 
+        /* allocate the info structure */
+        info = talloc_zero(mem_ctx, union samr_DomainInfo);
+        if (info == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
         *r->out.info = info;
-
-        ZERO_STRUCTP(info);
 
         switch (r->in.level) {
         case 1:
-                return dcesrv_samr_info_DomInfo1(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo1(d_state, mem_ctx, dom_msgs,
                                                  &info->info1);
         case 2:
-                return dcesrv_samr_info_DomGeneralInformation(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomGeneralInformation(d_state, mem_ctx, dom_msgs,
                                                               &info->general);
         case 3:
-                return dcesrv_samr_info_DomInfo3(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo3(d_state, mem_ctx, dom_msgs,
                                                  &info->info3);
         case 4:
-                return dcesrv_samr_info_DomOEMInformation(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomOEMInformation(d_state, mem_ctx, dom_msgs,
                                                           &info->oem);
         case 5:
-                return dcesrv_samr_info_DomInfo5(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo5(d_state, mem_ctx, dom_msgs,
                                                  &info->info5);
         case 6:
-                return dcesrv_samr_info_DomInfo6(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo6(d_state, mem_ctx, dom_msgs,
                                                  &info->info6);
         case 7:
-                return dcesrv_samr_info_DomInfo7(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo7(d_state, mem_ctx, dom_msgs,
                                                  &info->info7);
         case 8:
-                return dcesrv_samr_info_DomInfo8(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo8(d_state, mem_ctx, dom_msgs,
                                                  &info->info8);
         case 9:
-                return dcesrv_samr_info_DomInfo9(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo9(d_state, mem_ctx, dom_msgs,
                                                  &info->info9);
         case 11:
-                return dcesrv_samr_info_DomGeneralInformation2(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomGeneralInformation2(d_state, mem_ctx, dom_msgs,
                                                                &info->general2);
         case 12:
-                return dcesrv_samr_info_DomInfo12(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo12(d_state, mem_ctx, dom_msgs,
                                                   &info->info12);
         case 13:
-                return dcesrv_samr_info_DomInfo13(d_state, mem_ctx, dom_msgs, 
+                return dcesrv_samr_info_DomInfo13(d_state, mem_ctx, dom_msgs,
                                                   &info->info13);
-        }
-
-        return NT_STATUS_INVALID_INFO_CLASS;
-}
-
-
-/* 
-  samr_SetDomainInfo 
+        default:
+                return NT_STATUS_INVALID_INFO_CLASS;
+        }
+}
+
+
+/*
+  samr_SetDomainInfo
 */
 static NTSTATUS dcesrv_samr_SetDomainInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -937 +948 @@
 
         case 12:
-                
+                /*
+                 * It is not possible to set lockout_duration < lockout_window.
+                 * (The test is the other way around since the negative numbers
+                 *  are stored...)
+                 *
+                 * TODO:
+                 *   This check should be moved to the backend, i.e. to some
+                 *   ldb module under dsdb/samdb/ldb_modules/ .
+                 *
+                 * This constraint is documented here for the samr rpc service:
+                 * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+                 * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+                 *
+                 * And here for the ldap backend:
+                 * MS-ADTS 3.1.1.5.3.2 Constraints
+                 * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+                 */
+                if (r->in.info->info12.lockout_duration >
+                    r->in.info->info12.lockout_window)
+                {
+                        return NT_STATUS_INVALID_PARAMETER;
+                }
                 SET_INT64  (msg, info12.lockout_duration,      "lockoutDuration");
                 SET_INT64  (msg, info12.lockout_window,        "lockOutObservationWindow");
@@ -950 +982 @@
         /* modify the samdb record */
         ret = ldb_modify(sam_ctx, msg);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 DEBUG(1,("Failed to modify record %s: %s\n",
                          ldb_dn_get_linearized(d_state->domain_dn),
@@ -962 +994 @@
 }
 
-/* 
-  samr_CreateDomainGroup 
+/*
+  samr_CreateDomainGroup
 */
 static NTSTATUS dcesrv_samr_CreateDomainGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                        struct samr_CreateDomainGroup *r)
 {
+        NTSTATUS status;
         struct samr_domain_state *d_state;
         struct samr_account_state *a_state;
         struct dcesrv_handle *h;
-        const char *name;
-        struct ldb_message *msg;
-        struct dom_sid *sid;
         const char *groupname;
+        struct dom_sid *group_sid;
+        struct ldb_dn *group_dn;
         struct dcesrv_handle *g_handle;
-        int ret;
 
         ZERO_STRUCTP(r->out.group_handle);
@@ -996 +1027 @@
         }
 
-        /* check if the group already exists */
-        name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, 
-                                   "sAMAccountName",
-                                   "(&(sAMAccountName=%s)(objectclass=group))",
-                                   ldb_binary_encode_string(mem_ctx, groupname));
-        if (name != NULL) {
-                return NT_STATUS_GROUP_EXISTS;
-        }
-
-        msg = ldb_msg_new(mem_ctx);
-        if (msg == NULL) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        /* add core elements to the ldb_message for the user */
-        msg->dn = ldb_dn_copy(mem_ctx, d_state->domain_dn);
-        ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", groupname);
-        if (!msg->dn) {
-                return NT_STATUS_NO_MEMORY;
-        }
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName", groupname);
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", "group");
-                             
-        /* create the group */
-        ret = ldb_add(d_state->sam_ctx, msg);
-        switch (ret) {
-        case  LDB_SUCCESS:
-                break;
-        case  LDB_ERR_ENTRY_ALREADY_EXISTS:
-                DEBUG(0,("Failed to create group record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_GROUP_EXISTS;
-        case  LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
-                DEBUG(0,("Failed to create group record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_ACCESS_DENIED;
-        default:
-                DEBUG(0,("Failed to create group record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        a_state = talloc(d_state, struct samr_account_state);
+        status = dsdb_add_domain_group(d_state->sam_ctx, mem_ctx, groupname, &group_sid, &group_dn);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -1048 +1039 @@
         a_state->access_mask = r->in.access_mask;
         a_state->domain_state = talloc_reference(a_state, d_state);
-        a_state->account_dn = talloc_steal(a_state, msg->dn);
-
-        /* retrieve the sid for the group just created */
-        sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
-                                   msg->dn, "objectSid", NULL);
-        if (sid == NULL) {
-                return NT_STATUS_UNSUCCESSFUL;
-        }
-
-        a_state->account_name = talloc_strdup(a_state, groupname);
-        if (!a_state->account_name) {
-                return NT_STATUS_NO_MEMORY;
-        }
+        a_state->account_dn = talloc_steal(a_state, group_dn);
+
+        a_state->account_name = talloc_steal(a_state, groupname);
 
         /* create the policy handle */
@@ -1071 +1052 @@
 
         *r->out.group_handle = g_handle->wire_handle;
-        *r->out.rid = sid->sub_auths[sid->num_auths-1];
+        *r->out.rid = group_sid->sub_auths[group_sid->num_auths-1];
 
         return NT_STATUS_OK;
@@ -1085 +1066 @@
 }
 
-/* 
-  samr_EnumDomainGroups 
+/*
+  samr_EnumDomainGroups
 */
 static NTSTATUS dcesrv_samr_EnumDomainGroups(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1094 +1075 @@
         struct samr_domain_state *d_state;
         struct ldb_message **res;
-        int ldb_cnt, count, i, first;
+        int i, ldb_cnt;
+        uint32_t first, count;
         struct samr_SamEntry *entries;
-        const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
+        const char * const attrs[] = { "objectSid", "sAMAccountName", NULL };
         struct samr_SamArray *sam;
 
@@ -1112 +1094 @@
                                       d_state->domain_dn, &res, attrs,
                                       d_state->domain_sid,
-                                      "(&(grouptype=%d)(objectclass=group))",
+                                      "(&(|(groupType=%d)(groupType=%d))(objectClass=group))",
+                                      GTYPE_SECURITY_UNIVERSAL_GROUP,
                                       GTYPE_SECURITY_GLOBAL_GROUP);
-        if (ldb_cnt == -1) {
+        if (ldb_cnt < 0) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
@@ -1131 +1114 @@
                 group_sid = samdb_result_dom_sid(mem_ctx, res[i],
                                                  "objectSid");
-                if (group_sid == NULL)
-                        continue;
+                if (group_sid == NULL) {
+                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                }
 
                 entries[count].idx =
                         group_sid->sub_auths[group_sid->num_auths-1];
                 entries[count].name.string =
-                        samdb_result_string(res[i], "sAMAccountName", "");
+                        ldb_msg_find_attr_as_string(res[i], "sAMAccountName", "");
                 count += 1;
         }
 
         /* sort the results by rid */
-        qsort(entries, count, sizeof(struct samr_SamEntry), 
-              (comparison_fn_t)compare_SamEntry);
+        TYPESAFE_QSORT(entries, count, compare_SamEntry);
 
         /* find the first entry to return */
@@ -1150 +1133 @@
              first++) ;
 
-        /* return the rest, limit by max_size. Note that we 
+        /* return the rest, limit by max_size. Note that we
            use the w2k3 element size value of 54 */
         *r->out.num_entries = count - first;
@@ -1166 +1149 @@
         *r->out.sam = sam;
 
+        if (first == count) {
+                return NT_STATUS_OK;
+        }
+
         if (*r->out.num_entries < count - first) {
                 *r->out.resume_handle = entries[first+*r->out.num_entries-1].idx;
@@ -1175 +1162 @@
 
 
-/* 
-  samr_CreateUser2 
+/*
+  samr_CreateUser2
 
   This call uses transactions to ensure we don't get a new conflicting
@@ -1185 +1172 @@
                                  struct samr_CreateUser2 *r)
 {
+        NTSTATUS status;
         struct samr_domain_state *d_state;
         struct samr_account_state *a_state;
         struct dcesrv_handle *h;
-        const char *name;
-        struct ldb_message *msg;
+        struct ldb_dn *dn;
         struct dom_sid *sid;
+        struct dcesrv_handle *u_handle;
         const char *account_name;
-        struct dcesrv_handle *u_handle;
-        int ret;
-        const char *container, *obj_class=NULL;
-        char *cn_name;
-        int cn_name_len;
-
-        const char *attrs[] = {
-                "objectSid", 
-                "userAccountControl",
-                NULL
-        };
-
-        uint32_t user_account_control;
-
-        struct ldb_message **msgs;
 
         ZERO_STRUCTP(r->out.user_handle);
@@ -1229 +1202 @@
         }
 
-        /*
-         * Start a transaction, so we can query and do a subsequent atomic
-         * modify
-         */
-
-        ret = ldb_transaction_start(d_state->sam_ctx);
-        if (ret != 0) {
-                DEBUG(0,("Failed to start a transaction for user creation: %s\n",
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        /* check if the user already exists */
-        name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL, 
-                                   "sAMAccountName", 
-                                   "(&(sAMAccountName=%s)(objectclass=user))", 
-                                   ldb_binary_encode_string(mem_ctx, account_name));
-        if (name != NULL) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_USER_EXISTS;
-        }
-
-        msg = ldb_msg_new(mem_ctx);
-        if (msg == NULL) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        cn_name   = talloc_strdup(mem_ctx, account_name);
-        if (!cn_name) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        cn_name_len = strlen(cn_name);
-
-        /* This must be one of these values *only* */
-        if (r->in.acct_flags == ACB_NORMAL) {
-                container = "CN=Users";
-                obj_class = "user";
-
-        } else if (r->in.acct_flags == ACB_WSTRUST) {
-                if (cn_name[cn_name_len - 1] != '$') {
-                        ldb_transaction_cancel(d_state->sam_ctx);
-                        return NT_STATUS_FOOBAR;
-                }
-                cn_name[cn_name_len - 1] = '\0';
-                container = "CN=Computers";
-                obj_class = "computer";
-                samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
-                        "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS);
-
-        } else if (r->in.acct_flags == ACB_SVRTRUST) {
-                if (cn_name[cn_name_len - 1] != '$') {
-                        ldb_transaction_cancel(d_state->sam_ctx);
-                        return NT_STATUS_FOOBAR;                
-                }
-                cn_name[cn_name_len - 1] = '\0';
-                container = "OU=Domain Controllers";
-                obj_class = "computer";
-                samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg,
-                        "primaryGroupID", DOMAIN_RID_DCS);
-        } else {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_INVALID_PARAMETER;
-        }
-
-        /* add core elements to the ldb_message for the user */
-        msg->dn = ldb_dn_copy(mem_ctx, d_state->domain_dn);
-        if ( ! ldb_dn_add_child_fmt(msg->dn, "CN=%s,%s", cn_name, container)) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_FOOBAR;
-        }
-
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName",
-                account_name);
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass",
-                obj_class);
-
-        /* create the user */
-        ret = ldb_add(d_state->sam_ctx, msg);
-        switch (ret) {
-        case LDB_SUCCESS:
-                break;
-        case LDB_ERR_ENTRY_ALREADY_EXISTS:
-                ldb_transaction_cancel(d_state->sam_ctx);
-                DEBUG(0,("Failed to create user record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_USER_EXISTS;
-        case LDB_ERR_UNWILLING_TO_PERFORM:
-        case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
-                ldb_transaction_cancel(d_state->sam_ctx);
-                DEBUG(0,("Failed to create user record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_ACCESS_DENIED;
-        default:
-                ldb_transaction_cancel(d_state->sam_ctx);
-                DEBUG(0,("Failed to create user record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        a_state = talloc(d_state, struct samr_account_state);
+        status = dsdb_add_user(d_state->sam_ctx, mem_ctx, account_name, r->in.acct_flags, &sid, &dn);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+        a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 ldb_transaction_cancel(d_state->sam_ctx);
@@ -1342 +1214 @@
         a_state->access_mask = r->in.access_mask;
         a_state->domain_state = talloc_reference(a_state, d_state);
-        a_state->account_dn = talloc_steal(a_state, msg->dn);
-
-        /* retrieve the sid and account control bits for the user just created */
-        ret = gendb_search_dn(d_state->sam_ctx, a_state,
-                              msg->dn, &msgs, attrs);
-
-        if (ret != 1) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                DEBUG(0,("Apparently we failed to create an account record, as %s now doesn't exist\n",
-                         ldb_dn_get_linearized(msg->dn)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-        sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
-        if (sid == NULL) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                DEBUG(0,("Apparently we failed to get the objectSid of the just created account record %s\n",
-                         ldb_dn_get_linearized(msg->dn)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        /* Change the account control to be the correct account type.
-         * The default is for a workstation account */
-        user_account_control = samdb_result_uint(msgs[0], "userAccountControl", 0);
-        user_account_control = (user_account_control & 
-                                ~(UF_NORMAL_ACCOUNT |
-                                  UF_INTERDOMAIN_TRUST_ACCOUNT | 
-                                  UF_WORKSTATION_TRUST_ACCOUNT | 
-                                  UF_SERVER_TRUST_ACCOUNT));
-        user_account_control |= ds_acb2uf(r->in.acct_flags);
-
-        talloc_free(msg);
-        msg = ldb_msg_new(mem_ctx);
-        if (msg == NULL) {
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        msg->dn = ldb_dn_copy(msg, a_state->account_dn);
-
-        if (samdb_msg_add_uint(a_state->sam_ctx, mem_ctx, msg, 
-                               "userAccountControl", 
-                               user_account_control) != 0) { 
-                ldb_transaction_cancel(d_state->sam_ctx);
-                return NT_STATUS_NO_MEMORY; 
-        }
-
-        /* modify the samdb record */
-        ret = samdb_replace(a_state->sam_ctx, mem_ctx, msg);
-        if (ret != 0) {
-                DEBUG(0,("Failed to modify account record %s to set userAccountControl: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                ldb_transaction_cancel(d_state->sam_ctx);
-
-                /* we really need samdb.c to return NTSTATUS */
-                return NT_STATUS_UNSUCCESSFUL;
-        }
-
-        ret = ldb_transaction_commit(d_state->sam_ctx);
-        if (ret != 0) {
-                DEBUG(0,("Failed to commit transaction to add and modify account record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
+        a_state->account_dn = talloc_steal(a_state, dn);
 
         a_state->account_name = talloc_steal(a_state, account_name);
@@ -1430 +1238 @@
 
 
-/* 
-  samr_CreateUser 
+/*
+  samr_CreateUser
 */
 static NTSTATUS dcesrv_samr_CreateUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1452 +1260 @@
 }
 
-/* 
-  samr_EnumDomainUsers 
+/*
+  samr_EnumDomainUsers
 */
 static NTSTATUS dcesrv_samr_EnumDomainUsers(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1460 +1268 @@
         struct dcesrv_handle *h;
         struct samr_domain_state *d_state;
-        struct ldb_result *res;
-        int ret, num_filtered_entries, i, first;
+        struct ldb_message **res;
+        int i, ldb_cnt;
+        uint32_t first, count;
         struct samr_SamEntry *entries;
         const char * const attrs[] = { "objectSid", "sAMAccountName",
@@ -1474 +1283 @@
 
         d_state = h->data;
-        
-        /* don't have to worry about users in the builtin domain, as there are none */
-        ret = ldb_search(d_state->sam_ctx, mem_ctx, &res, d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs, "objectClass=user");
-
-        if (ret != LDB_SUCCESS) {
-                DEBUG(3, ("Failed to search for Domain Users in %s: %s\n", 
-                          ldb_dn_get_linearized(d_state->domain_dn), ldb_errstring(d_state->sam_ctx)));
+
+        /* search for all domain users in this domain. This could possibly be
+           cached and resumed on resume_key */
+        ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
+                                      d_state->domain_dn,
+                                      &res, attrs,
+                                      d_state->domain_sid,
+                                      "(objectClass=user)");
+        if (ldb_cnt < 0) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
         /* convert to SamEntry format */
-        entries = talloc_array(mem_ctx, struct samr_SamEntry, res->count);
+        entries = talloc_array(mem_ctx, struct samr_SamEntry, ldb_cnt);
         if (!entries) {
                 return NT_STATUS_NO_MEMORY;
         }
-        num_filtered_entries = 0;
-        for (i=0;i<res->count;i++) {
+
+        count = 0;
+
+        for (i=0;i<ldb_cnt;i++) {
                 /* Check if a mask has been requested */
                 if (r->in.acct_flags
-                    && ((samdb_result_acct_flags(d_state->sam_ctx, mem_ctx, res->msgs[i], 
-                                                 d_state->domain_dn) & r->in.acct_flags) == 0)) {
+                    && ((samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
+                                                 res[i], d_state->domain_dn) & r->in.acct_flags) == 0)) {
                         continue;
                 }
-                entries[num_filtered_entries].idx = samdb_result_rid_from_sid(mem_ctx, res->msgs[i], "objectSid", 0);
-                entries[num_filtered_entries].name.string = samdb_result_string(res->msgs[i], "sAMAccountName", "");
-                num_filtered_entries++;
+                entries[count].idx = samdb_result_rid_from_sid(mem_ctx, res[i],
+                                                               "objectSid", 0);
+                entries[count].name.string = ldb_msg_find_attr_as_string(res[i],
+                                                                 "sAMAccountName", "");
+                count += 1;
         }
 
         /* sort the results by rid */
-        qsort(entries, num_filtered_entries, sizeof(struct samr_SamEntry), 
-              (comparison_fn_t)compare_SamEntry);
+        TYPESAFE_QSORT(entries, count, compare_SamEntry);
 
         /* find the first entry to return */
         for (first=0;
-             first<num_filtered_entries && entries[first].idx <= *r->in.resume_handle;
+             first<count && entries[first].idx <= *r->in.resume_handle;
              first++) ;
 
-        /* return the rest, limit by max_size. Note that we 
+        /* return the rest, limit by max_size. Note that we
            use the w2k3 element size value of 54 */
-        *r->out.num_entries = num_filtered_entries - first;
+        *r->out.num_entries = count - first;
         *r->out.num_entries = MIN(*r->out.num_entries,
                                  1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER));
@@ -1527 +1341 @@
         *r->out.sam = sam;
 
-        if (first == num_filtered_entries) {
+        if (first == count) {
                 return NT_STATUS_OK;
         }
 
-        if (*r->out.num_entries < num_filtered_entries - first) {
+        if (*r->out.num_entries < count - first) {
                 *r->out.resume_handle = entries[first+*r->out.num_entries-1].idx;
                 return STATUS_MORE_ENTRIES;
@@ -1540 +1354 @@
 
 
-/* 
-  samr_CreateDomAlias 
+/*
+  samr_CreateDomAlias
 */
 static NTSTATUS dcesrv_samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1549 +1363 @@
         struct samr_account_state *a_state;
         struct dcesrv_handle *h;
-        const char *alias_name, *name;
-        struct ldb_message *msg;
+        const char *alias_name;
         struct dom_sid *sid;
         struct dcesrv_handle *a_handle;
-        int ret;
+        struct ldb_dn *dn;
+        NTSTATUS status;
 
         ZERO_STRUCTP(r->out.alias_handle);
@@ -1573 +1387 @@
         }
 
-        /* Check if alias already exists */
-        name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
-                                   "sAMAccountName",
-                                   "(sAMAccountName=%s)(objectclass=group))",
-                                   ldb_binary_encode_string(mem_ctx, alias_name));
-
-        if (name != NULL) {
-                return NT_STATUS_ALIAS_EXISTS;
-        }
-
-        msg = ldb_msg_new(mem_ctx);
-        if (msg == NULL) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        /* add core elements to the ldb_message for the alias */
-        msg->dn = ldb_dn_copy(mem_ctx, d_state->domain_dn);
-        ldb_dn_add_child_fmt(msg->dn, "CN=%s,CN=Users", alias_name);
-        if (!msg->dn) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "sAMAccountName", alias_name);
-        samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg, "objectClass", "group");
-        samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "groupType", GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
-
-        /* create the alias */
-        ret = ldb_add(d_state->sam_ctx, msg);
-        switch (ret) {
-        case LDB_SUCCESS:
-                break;
-        case LDB_ERR_ENTRY_ALREADY_EXISTS:
-                return NT_STATUS_ALIAS_EXISTS;
-        case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
-                return NT_STATUS_ACCESS_DENIED;
-        default:
-                DEBUG(0,("Failed to create alias record %s: %s\n",
-                         ldb_dn_get_linearized(msg->dn),
-                         ldb_errstring(d_state->sam_ctx)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        a_state = talloc(d_state, struct samr_account_state);
+        status = dsdb_add_domain_alias(d_state->sam_ctx, mem_ctx, alias_name, &sid, &dn);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -1623 +1400 @@
         a_state->access_mask = r->in.access_mask;
         a_state->domain_state = talloc_reference(a_state, d_state);
-        a_state->account_dn = talloc_steal(a_state, msg->dn);
-
-        /* retrieve the sid for the alias just created */
-        sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
-                                   msg->dn, "objectSid", NULL);
-
-        a_state->account_name = talloc_strdup(a_state, alias_name);
-        if (!a_state->account_name) {
-                return NT_STATUS_NO_MEMORY;
-        }
+        a_state->account_dn = talloc_steal(a_state, dn);
+
+        a_state->account_name = talloc_steal(a_state, alias_name);
 
         /* create the policy handle */
@@ -1649 +1419 @@
 
 
-/* 
-  samr_EnumDomainAliases 
+/*
+  samr_EnumDomainAliases
 */
 static NTSTATUS dcesrv_samr_EnumDomainAliases(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1658 +1428 @@
         struct samr_domain_state *d_state;
         struct ldb_message **res;
-        int ldb_cnt, count, i, first;
+        int i, ldb_cnt;
+        uint32_t first, count;
         struct samr_SamEntry *entries;
-        const char * const attrs[3] = { "objectSid", "sAMAccountName", NULL };
+        const char * const attrs[] = { "objectSid", "sAMAccountName", NULL };
         struct samr_SamArray *sam;
 
@@ -1671 +1442 @@
         d_state = h->data;
 
-        /* search for all domain groups in this domain. This could possibly be
+        /* search for all domain aliases in this domain. This could possibly be
            cached and resumed based on resume_key */
-        ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
-                                      d_state->domain_dn,
-                                      &res, attrs, 
+        ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx, NULL,
+                                      &res, attrs,
                                       d_state->domain_sid,
                                       "(&(|(grouptype=%d)(grouptype=%d)))"
@@ -1681 +1451 @@
                                       GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
                                       GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
-        if (ldb_cnt == -1) {
+        if (ldb_cnt < 0) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-        if (ldb_cnt == 0) {
-                return NT_STATUS_OK;
         }
 
@@ -1702 +1469 @@
                                                  "objectSid");
 
-                if (alias_sid == NULL)
-                        continue;
+                if (alias_sid == NULL) {
+                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                }
 
                 entries[count].idx =
                         alias_sid->sub_auths[alias_sid->num_auths-1];
                 entries[count].name.string =
-                        samdb_result_string(res[i], "sAMAccountName", "");
+                        ldb_msg_find_attr_as_string(res[i], "sAMAccountName", "");
                 count += 1;
         }
 
         /* sort the results by rid */
-        qsort(entries, count, sizeof(struct samr_SamEntry), 
-              (comparison_fn_t)compare_SamEntry);
+        TYPESAFE_QSORT(entries, count, compare_SamEntry);
 
         /* find the first entry to return */
@@ -1721 +1488 @@
              first++) ;
 
+        /* return the rest, limit by max_size. Note that we
+           use the w2k3 element size value of 54 */
+        *r->out.num_entries = count - first;
+        *r->out.num_entries = MIN(*r->out.num_entries,
+                                  1+(r->in.max_size/SAMR_ENUM_USERS_MULTIPLIER));
+
+        sam = talloc(mem_ctx, struct samr_SamArray);
+        if (!sam) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        sam->entries = entries+first;
+        sam->count = *r->out.num_entries;
+
+        *r->out.sam = sam;
+
         if (first == count) {
                 return NT_STATUS_OK;
         }
-
-        *r->out.num_entries = count - first;
-        *r->out.num_entries = MIN(*r->out.num_entries, 1000);
-
-        sam = talloc(mem_ctx, struct samr_SamArray);
-        if (!sam) {
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        sam->entries = entries+first;
-        sam->count = *r->out.num_entries;
-
-        *r->out.sam = sam;
 
         if (*r->out.num_entries < count - first) {
@@ -1748 +1518 @@
 
 
-/* 
-  samr_GetAliasMembership 
+/*
+  samr_GetAliasMembership
 */
 static NTSTATUS dcesrv_samr_GetAliasMembership(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1756 +1526 @@
         struct dcesrv_handle *h;
         struct samr_domain_state *d_state;
+        const char *filter;
+        const char * const attrs[] = { "objectSid", NULL };
         struct ldb_message **res;
-        int i, count = 0;
+        uint32_t i;
+        int count = 0;
 
         DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN);
@@ -1763 +1536 @@
         d_state = h->data;
 
-        if (r->in.sids->num_sids > 0) {
-                const char *filter;
-                const char * const attrs[2] = { "objectSid", NULL };
-
-                filter = talloc_asprintf(mem_ctx,
-                                         "(&(|(grouptype=%d)(grouptype=%d))"
-                                         "(objectclass=group)(|",
-                                         GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
-                                         GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
-                if (filter == NULL)
+        filter = talloc_asprintf(mem_ctx,
+                                 "(&(|(grouptype=%d)(grouptype=%d))"
+                                 "(objectclass=group)(|",
+                                 GTYPE_SECURITY_BUILTIN_LOCAL_GROUP,
+                                 GTYPE_SECURITY_DOMAIN_LOCAL_GROUP);
+        if (filter == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        for (i=0; i<r->in.sids->num_sids; i++) {
+                const char *memberdn;
+
+                memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
+                                               "distinguishedName",
+                                               "(objectSid=%s)",
+                                               ldap_encode_ndr_dom_sid(mem_ctx,
+                                                                       r->in.sids->sids[i].sid));
+                if (memberdn == NULL) {
+                        continue;
+                }
+
+                filter = talloc_asprintf(mem_ctx, "%s(member=%s)", filter,
+                                         memberdn);
+                if (filter == NULL) {
                         return NT_STATUS_NO_MEMORY;
-
-                for (i=0; i<r->in.sids->num_sids; i++) {
-                        const char *memberdn;
-
-                        memberdn = 
-                                samdb_search_string(d_state->sam_ctx,
-                                                    mem_ctx, NULL,
-                                                    "distinguishedName",
-                                                    "(objectSid=%s)",
-                                                    ldap_encode_ndr_dom_sid(mem_ctx, 
-                                                                            r->in.sids->sids[i].sid));
-
-                        if (memberdn == NULL)
-                                continue;
-
-                        filter = talloc_asprintf(mem_ctx, "%s(member=%s)",
-                                                 filter, memberdn);
-                        if (filter == NULL)
-                                return NT_STATUS_NO_MEMORY;
                 }
-
-                count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
-                                            d_state->domain_dn, &res, attrs,
-                                            d_state->domain_sid, "%s))", filter);
-                if (count < 0)
+        }
+
+        /* Find out if we had at least one valid member SID passed - otherwise
+         * just skip the search. */
+        if (strstr(filter, "member") != NULL) {
+                count = samdb_search_domain(d_state->sam_ctx, mem_ctx, NULL,
+                                            &res, attrs, d_state->domain_sid,
+                                            "%s))", filter);
+                if (count < 0) {
                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
+                }
         }
 
@@ -1811 +1584 @@
 
                 alias_sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
-
                 if (alias_sid == NULL) {
-                        DEBUG(0, ("Could not find objectSid\n"));
-                        continue;
+                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
                 }
 
@@ -1826 +1597 @@
 
 
-/* 
-  samr_LookupNames 
+/*
+  samr_LookupNames
 */
 static NTSTATUS dcesrv_samr_LookupNames(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -1834 +1605 @@
         struct dcesrv_handle *h;
         struct samr_domain_state *d_state;
-        int i, num_mapped;
+        uint32_t i, num_mapped;
         NTSTATUS status = NT_STATUS_OK;
         const char * const attrs[] = { "sAMAccountType", "objectSid", NULL };
@@ -1868 +1639 @@
                 r->out.types->ids[i] = SID_NAME_UNKNOWN;
 
-                count = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs, 
-                                     "sAMAccountName=%s", 
+                count = gendb_search(d_state->sam_ctx, mem_ctx, d_state->domain_dn, &res, attrs,
+                                     "sAMAccountName=%s",
                                      ldb_binary_encode_string(mem_ctx, r->in.names[i].string));
                 if (count != 1) {
@@ -1881 +1652 @@
                         continue;
                 }
-                
-                atype = samdb_result_uint(res[0], "sAMAccountType", 0);
+
+                atype = ldb_msg_find_attr_as_uint(res[0], "sAMAccountType", 0);
                 if (atype == 0) {
                         status = STATUS_SOME_UNMAPPED;
@@ -1889 +1660 @@
 
                 rtype = ds_atype_map(atype);
-                
+
                 if (rtype == SID_NAME_UNKNOWN) {
                         status = STATUS_SOME_UNMAPPED;
@@ -1899 +1670 @@
                 num_mapped++;
         }
-        
+
         if (num_mapped == 0) {
                 return NT_STATUS_NONE_MAPPED;
@@ -1907 +1678 @@
 
 
-/* 
-  samr_LookupRids 
+/*
+  samr_LookupRids
 */
 static NTSTATUS dcesrv_samr_LookupRids(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                        struct samr_LookupRids *r)
 {
+        NTSTATUS status;
         struct dcesrv_handle *h;
         struct samr_domain_state *d_state;
-        int i, total;
-        NTSTATUS status = NT_STATUS_OK;
-        struct lsa_String *names;
-        uint32_t *ids;
+        const char **names;
+        struct lsa_String *lsa_names;
+        enum lsa_SidType *ids;
 
         ZERO_STRUCTP(r->out.names);
@@ -1930 +1701 @@
                 return NT_STATUS_OK;
 
-        names = talloc_array(mem_ctx, struct lsa_String, r->in.num_rids);
-        ids = talloc_array(mem_ctx, uint32_t, r->in.num_rids);
-
-        if ((names == NULL) || (ids == NULL))
-                return NT_STATUS_NO_MEMORY;
-
-        total = 0;
-
-        for (i=0; i<r->in.num_rids; i++) {
-                struct ldb_message **res;
-                int count;
-                const char * const attrs[] = {  "sAMAccountType",
-                                                "sAMAccountName", NULL };
-                uint32_t atype;
-                struct dom_sid *sid;
-
-                ids[i] = SID_NAME_UNKNOWN;
-
-                sid = dom_sid_add_rid(mem_ctx, d_state->domain_sid,
-                        r->in.rids[i]);
-                if (sid == NULL) {
-                        names[i].string = NULL;
-                        status = STATUS_SOME_UNMAPPED;
-                        continue;
+        lsa_names = talloc_zero_array(mem_ctx, struct lsa_String, r->in.num_rids);
+        names = talloc_zero_array(mem_ctx, const char *, r->in.num_rids);
+        ids = talloc_zero_array(mem_ctx, enum lsa_SidType, r->in.num_rids);
+
+        if ((lsa_names == NULL) || (names == NULL) || (ids == NULL))
+                return NT_STATUS_NO_MEMORY;
+
+        r->out.names->names = lsa_names;
+        r->out.names->count = r->in.num_rids;
+
+        r->out.types->ids = (uint32_t *) ids;
+        r->out.types->count = r->in.num_rids;
+
+        status = dsdb_lookup_rids(d_state->sam_ctx, mem_ctx, d_state->domain_sid,
+                                  r->in.num_rids, r->in.rids, names, ids);
+        if (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) || NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
+                uint32_t i;
+                for (i = 0; i < r->in.num_rids; i++) {
+                        lsa_names[i].string = names[i];
                 }
-                
-                count = gendb_search(d_state->sam_ctx, mem_ctx,
-                                     d_state->domain_dn, &res, attrs,
-                                     "(objectSid=%s)", 
-                                     ldap_encode_ndr_dom_sid(mem_ctx, sid));
-                if (count != 1) {
-                        names[i].string = NULL;
-                        status = STATUS_SOME_UNMAPPED;
-                        continue;
-                }
-
-                names[i].string = samdb_result_string(res[0], "sAMAccountName",
-                                                      NULL);
-
-                atype = samdb_result_uint(res[0], "sAMAccountType", 0);
-                if (atype == 0) {
-                        status = STATUS_SOME_UNMAPPED;
-                        continue;
-                }
-
-                ids[i] = ds_atype_map(atype);
-                
-                if (ids[i] == SID_NAME_UNKNOWN) {
-                        status = STATUS_SOME_UNMAPPED;
-                        continue;
-                }
-        }
-
-        r->out.names->names = names;
-        r->out.names->count = r->in.num_rids;
-
-        r->out.types->ids = ids;
-        r->out.types->count = r->in.num_rids;
-
+        }
         return status;
 }
 
 
-/* 
-  samr_OpenGroup 
+/*
+  samr_OpenGroup
 */
 static NTSTATUS dcesrv_samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2024 +1757 @@
         ret = gendb_search(d_state->sam_ctx,
                            mem_ctx, d_state->domain_dn, &msgs, attrs,
-                           "(&(objectSid=%s)(objectclass=group)"
-                           "(grouptype=%d))",
+                           "(&(objectSid=%s)(objectClass=group)"
+                           "(|(groupType=%d)(groupType=%d)))",
                            ldap_encode_ndr_dom_sid(mem_ctx, sid),
+                           GTYPE_SECURITY_UNIVERSAL_GROUP,
                            GTYPE_SECURITY_GLOBAL_GROUP);
         if (ret == 0) {
@@ -2032 +1766 @@
         }
         if (ret != 1) {
-                DEBUG(0,("Found %d records matching sid %s\n", 
+                DEBUG(0,("Found %d records matching sid %s\n",
                          ret, dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        groupname = samdb_result_string(msgs[0], "sAMAccountName", NULL);
+        groupname = ldb_msg_find_attr_as_string(msgs[0], "sAMAccountName", NULL);
         if (groupname == NULL) {
-                DEBUG(0,("sAMAccountName field missing for sid %s\n", 
+                DEBUG(0,("sAMAccountName field missing for sid %s\n",
                          dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        a_state = talloc(d_state, struct samr_account_state);
+        a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -2071 +1805 @@
 }
 
-/* 
-  samr_QueryGroupInfo 
+/*
+  samr_QueryGroupInfo
 */
 static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2079 +1813 @@
         struct dcesrv_handle *h;
         struct samr_account_state *a_state;
-        struct ldb_message *msg;
-        struct ldb_result *res;
+        struct ldb_message *msg, **res;
         const char * const attrs[4] = { "sAMAccountName", "description",
                                         "numMembers", NULL };
@@ -2091 +1824 @@
 
         a_state = h->data;
-        
-        ret = ldb_search(a_state->sam_ctx, mem_ctx, &res, a_state->account_dn,
-                LDB_SCOPE_SUBTREE, attrs, "objectClass=*");
-        
-        if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+
+        /* pull all the group attributes */
+        ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
+                              a_state->account_dn, &res, attrs);
+        if (ret == 0) {
                 return NT_STATUS_NO_SUCH_GROUP;
-        } else if (ret != LDB_SUCCESS) {
-                DEBUG(2, ("Error reading group info: %s\n", ldb_errstring(a_state->sam_ctx)));
+        }
+        if (ret != 1) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
-
-        if (res->count != 1) {
-                DEBUG(2, ("Error finding group info, got %d entries\n", res->count));
-                
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-        msg = res->msgs[0];
+        msg = res[0];
 
         /* allocate the info structure */
@@ -2149 +1876 @@
 
 
-/* 
-  samr_SetGroupInfo 
+/*
+  samr_SetGroupInfo
 */
 static NTSTATUS dcesrv_samr_SetGroupInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2169 +1896 @@
         if (msg == NULL) {
                 return NT_STATUS_NO_MEMORY;
-        }       
+        }
 
         msg->dn = ldb_dn_copy(mem_ctx, g_state->account_dn);
@@ -2194 +1921 @@
         /* modify the samdb record */
         ret = ldb_modify(g_state->sam_ctx, msg);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 /* we really need samdb.c to return NTSTATUS */
                 return NT_STATUS_UNSUCCESSFUL;
@@ -2203 +1930 @@
 
 
-/* 
-  samr_AddGroupMember 
+/*
+  samr_AddGroupMember
 */
 static NTSTATUS dcesrv_samr_AddGroupMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2225 +1952 @@
 
         membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
-        if (membersid == NULL)
-                return NT_STATUS_NO_MEMORY;
-
-        /* In native mode, AD can also nest domain groups. Not sure yet
-         * whether this is also available via RPC. */
+        if (membersid == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
         ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
-                                 d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
-                                 "(&(objectSid=%s)(objectclass=user))",
-                                 ldap_encode_ndr_dom_sid(mem_ctx, membersid));
-
-        if (ret != 0) {
+                         d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+                         "(objectSid=%s)",
+                         ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
@@ -2242 +1969 @@
                 return NT_STATUS_NO_SUCH_USER;
         }
-                
+
         if (res->count > 1) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -2259 +1986 @@
         mod->dn = talloc_reference(mem_ctx, a_state->account_dn);
 
-        if (samdb_msg_add_addval(d_state->sam_ctx, mem_ctx, mod, "member",
-                                 memberdn) != 0)
+        ret = samdb_msg_add_addval(d_state->sam_ctx, mem_ctx, mod, "member",
+                                                                memberdn);
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_UNSUCCESSFUL;
+        }
 
         ret = ldb_modify(a_state->sam_ctx, mod);
@@ -2267 +1996 @@
         case LDB_SUCCESS:
                 return NT_STATUS_OK;
-        case LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS:
+        case LDB_ERR_ENTRY_ALREADY_EXISTS:
                 return NT_STATUS_MEMBER_IN_GROUP;
         case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
@@ -2274 +2003 @@
                 return NT_STATUS_UNSUCCESSFUL;
         }
-
-}
-
-
-/* 
-  samr_DeleteDomainGroup 
+}
+
+
+/*
+  samr_DeleteDomainGroup
 */
 static NTSTATUS dcesrv_samr_DeleteDomainGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2295 +2023 @@
 
         ret = ldb_delete(a_state->sam_ctx, a_state->account_dn);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_UNSUCCESSFUL;
         }
 
+        talloc_free(h);
         ZERO_STRUCTP(r->out.group_handle);
 
@@ -2305 +2034 @@
 
 
-/* 
-  samr_DeleteGroupMember 
+/*
+  samr_DeleteGroupMember
 */
 static NTSTATUS dcesrv_samr_DeleteGroupMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2327 +2056 @@
 
         membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
-        if (membersid == NULL)
-                return NT_STATUS_NO_MEMORY;
-
-        /* In native mode, AD can also nest domain groups. Not sure yet
-         * whether this is also available via RPC. */
+        if (membersid == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
         ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
-                                 d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
-                                 "(&(objectSid=%s)(objectclass=user))",
-                                 ldap_encode_ndr_dom_sid(mem_ctx, membersid));
-
-        if (ret != 0) {
+                         d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+                         "(objectSid=%s)",
+                         ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
@@ -2344 +2073 @@
                 return NT_STATUS_NO_SUCH_USER;
         }
-                
+
         if (res->count > 1) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -2361 +2090 @@
         mod->dn = talloc_reference(mem_ctx, a_state->account_dn);
 
-        if (samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod, "member",
-                                 memberdn) != 0) {
+        ret = samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod, "member",
+                                                                memberdn);
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_NO_MEMORY;
         }
@@ -2370 +2100 @@
         case LDB_SUCCESS:
                 return NT_STATUS_OK;
-        case LDB_ERR_NO_SUCH_ATTRIBUTE:
+        case LDB_ERR_UNWILLING_TO_PERFORM:
                 return NT_STATUS_MEMBER_NOT_IN_GROUP;
         case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
@@ -2380 +2110 @@
 
 
-/* 
-  samr_QueryGroupMember 
+/*
+  samr_QueryGroupMember
 */
 static NTSTATUS dcesrv_samr_QueryGroupMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2388 +2118 @@
         struct dcesrv_handle *h;
         struct samr_account_state *a_state;
-        struct ldb_message **res;
-        struct ldb_message_element *el;
-        struct samr_RidTypeArray *array;
-        const char * const attrs[2] = { "member", NULL };
-        int ret;
+        struct samr_domain_state *d_state;
+        struct samr_RidAttrArray *array;
+        unsigned int i, num_members;
+        struct dom_sid *members;
+        NTSTATUS status;
 
         DCESRV_PULL_HANDLE(h, r->in.group_handle, SAMR_HANDLE_GROUP);
 
         a_state = h->data;
-
-        /* pull the member attribute */
-        ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
-                              a_state->account_dn, &res, attrs);
-
-        if (ret != 1) {
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        array = talloc(mem_ctx, struct samr_RidTypeArray);
-
-        if (array == NULL)
-                return NT_STATUS_NO_MEMORY;
-
-        ZERO_STRUCTP(array);
-
-        el = ldb_msg_find_element(res[0], "member");
-
-        if (el != NULL) {
-                int i;
-
-                array->count = el->num_values;
-
-                array->rids = talloc_array(mem_ctx, uint32_t,
-                                             el->num_values);
-                if (array->rids == NULL)
-                        return NT_STATUS_NO_MEMORY;
-
-                array->types = talloc_array(mem_ctx, uint32_t,
-                                            el->num_values);
-                if (array->types == NULL)
-                        return NT_STATUS_NO_MEMORY;
-
-                for (i=0; i<el->num_values; i++) {
-                        struct ldb_message **res2;
-                        const char * const attrs2[2] = { "objectSid", NULL };
-                        ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
-                                           ldb_dn_from_ldb_val(mem_ctx, a_state->sam_ctx, &el->values[i]),
-                                           &res2, attrs2);
-                        if (ret != 1)
-                                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-
-                        array->rids[i] =
-                                samdb_result_rid_from_sid(mem_ctx, res2[0],
-                                                          "objectSid", 0);
-
-                        if (array->rids[i] == 0)
-                                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-
-                        array->types[i] = 7; /* RID type of some kind, not sure what the value means. */
+        d_state = a_state->domain_state;
+
+        status = dsdb_enum_group_mem(d_state->sam_ctx, mem_ctx,
+                                     a_state->account_dn, &members,
+                                     &num_members);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        array = talloc_zero(mem_ctx, struct samr_RidAttrArray);
+        if (array == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        if (num_members == 0) {
+                *r->out.rids = array;
+
+                return NT_STATUS_OK;
+        }
+
+        array->rids = talloc_array(array, uint32_t, num_members);
+        if (array->rids == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        array->attributes = talloc_array(array, uint32_t, num_members);
+        if (array->attributes == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        array->count = 0;
+        for (i=0; i<num_members; i++) {
+                if (!dom_sid_in_domain(d_state->domain_sid, &members[i])) {
+                        continue;
                 }
+
+                status = dom_sid_split_rid(NULL, &members[i], NULL,
+                                           &array->rids[array->count]);
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                array->attributes[array->count] = SE_GROUP_MANDATORY |
+                                                  SE_GROUP_ENABLED_BY_DEFAULT |
+                                                  SE_GROUP_ENABLED;
+                array->count++;
         }
 
@@ -2456 +2181 @@
 
 
-/* 
-  samr_SetMemberAttributesOfGroup 
+/*
+  samr_SetMemberAttributesOfGroup
 */
 static NTSTATUS dcesrv_samr_SetMemberAttributesOfGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2466 +2191 @@
 
 
-/* 
-  samr_OpenAlias 
+/*
+  samr_OpenAlias
 */
 static NTSTATUS dcesrv_samr_OpenAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2494 +2219 @@
 
         /* search for the group record */
-        ret = gendb_search(d_state->sam_ctx,
-                           mem_ctx, d_state->domain_dn, &msgs, attrs,
+        ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL, &msgs, attrs,
                            "(&(objectSid=%s)(objectclass=group)"
                            "(|(grouptype=%d)(grouptype=%d)))",
@@ -2505 +2229 @@
         }
         if (ret != 1) {
-                DEBUG(0,("Found %d records matching sid %s\n", 
+                DEBUG(0,("Found %d records matching sid %s\n",
                          ret, dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        alias_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
+        alias_name = ldb_msg_find_attr_as_string(msgs[0], "sAMAccountName", NULL);
         if (alias_name == NULL) {
-                DEBUG(0,("sAMAccountName field missing for sid %s\n", 
+                DEBUG(0,("sAMAccountName field missing for sid %s\n",
                          dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        a_state = talloc(d_state, struct samr_account_state);
+        a_state = talloc(mem_ctx, struct samr_account_state);
         if (!a_state) {
                 return NT_STATUS_NO_MEMORY;
@@ -2545 +2269 @@
 
 
-/* 
-  samr_QueryAliasInfo 
+/*
+  samr_QueryAliasInfo
 */
 static NTSTATUS dcesrv_samr_QueryAliasInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2567 +2291 @@
         /* pull all the alias attributes */
         ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
-                              a_state->account_dn ,&res, attrs);
+                              a_state->account_dn, &res, attrs);
+        if (ret == 0) {
+                return NT_STATUS_NO_SUCH_ALIAS;
+        }
         if (ret != 1) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -2602 +2329 @@
 
 
-/* 
-  samr_SetAliasInfo 
+/*
+  samr_SetAliasInfo
 */
 static NTSTATUS dcesrv_samr_SetAliasInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2644 +2371 @@
         /* modify the samdb record */
         ret = ldb_modify(a_state->sam_ctx, msg);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 /* we really need samdb.c to return NTSTATUS */
                 return NT_STATUS_UNSUCCESSFUL;
@@ -2653 +2380 @@
 
 
-/* 
-  samr_DeleteDomAlias 
+/*
+  samr_DeleteDomAlias
 */
 static NTSTATUS dcesrv_samr_DeleteDomAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2670 +2397 @@
 
         ret = ldb_delete(a_state->sam_ctx, a_state->account_dn);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_UNSUCCESSFUL;
         }
 
+        talloc_free(h);
         ZERO_STRUCTP(r->out.alias_handle);
 
@@ -2680 +2408 @@
 
 
-/* 
-  samr_AddAliasMember 
+/*
+  samr_AddAliasMember
 */
 static NTSTATUS dcesrv_samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2702 +2430 @@
 
         ret = gendb_search(d_state->sam_ctx, mem_ctx, NULL,
-                           &msgs, attrs, "(objectsid=%s)", 
+                           &msgs, attrs, "(objectsid=%s)",
                            ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
 
         if (ret == 1) {
                 memberdn = msgs[0]->dn;
-        } else  if (ret > 1) {
-                DEBUG(0,("Found %d records matching sid %s\n", 
-                         ret, dom_sid_string(mem_ctx, r->in.sid)));
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
         } else if (ret == 0) {
                 status = samdb_create_foreign_security_principal(
@@ -2718 +2442 @@
                 }
         } else {
-                DEBUG(0, ("samdb_search returned %d: %s\n", ret, ldb_errstring(d_state->sam_ctx)));
+                DEBUG(0,("Found %d records matching sid %s\n",
+                         ret, dom_sid_string(mem_ctx, r->in.sid)));
+                return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
@@ -2733 +2459 @@
         mod->dn = talloc_reference(mem_ctx, a_state->account_dn);
 
-        if (samdb_msg_add_addval(d_state->sam_ctx, mem_ctx, mod, "member",
-                                 ldb_dn_alloc_linearized(mem_ctx, memberdn)) != 0)
+        ret = samdb_msg_add_addval(d_state->sam_ctx, mem_ctx, mod, "member",
+                                 ldb_dn_alloc_linearized(mem_ctx, memberdn));
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_UNSUCCESSFUL;
-
-        if (ldb_modify(a_state->sam_ctx, mod) != 0)
+        }
+
+        ret = ldb_modify(a_state->sam_ctx, mod);
+        switch (ret) {
+        case LDB_SUCCESS:
+                return NT_STATUS_OK;
+        case LDB_ERR_ENTRY_ALREADY_EXISTS:
+                return NT_STATUS_MEMBER_IN_GROUP;
+        case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+                return NT_STATUS_ACCESS_DENIED;
+        default:
                 return NT_STATUS_UNSUCCESSFUL;
-
-        return NT_STATUS_OK;
-}
-
-
-/* 
-  samr_DeleteAliasMember 
+        }
+}
+
+
+/*
+  samr_DeleteAliasMember
 */
 static NTSTATUS dcesrv_samr_DeleteAliasMember(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2755 +2490 @@
         struct ldb_message *mod;
         const char *memberdn;
+        int ret;
 
         DCESRV_PULL_HANDLE(h, r->in.alias_handle, SAMR_HANDLE_ALIAS);
@@ -2762 +2498 @@
 
         memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
-                                       "distinguishedName", "(objectSid=%s)", 
+                                       "distinguishedName", "(objectSid=%s)",
                                        ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
-
-        if (memberdn == NULL)
+        if (memberdn == NULL) {
                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+        }
 
         mod = ldb_msg_new(mem_ctx);
@@ -2775 +2511 @@
         mod->dn = talloc_reference(mem_ctx, a_state->account_dn);
 
-        if (samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod, "member",
-                                 memberdn) != 0)
+        ret = samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod, "member",
+                                                                 memberdn);
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_UNSUCCESSFUL;
-
-        if (ldb_modify(a_state->sam_ctx, mod) != 0)
+        }
+
+        ret = ldb_modify(a_state->sam_ctx, mod);
+        switch (ret) {
+        case LDB_SUCCESS:
+                return NT_STATUS_OK;
+        case LDB_ERR_UNWILLING_TO_PERFORM:
+                return NT_STATUS_MEMBER_NOT_IN_GROUP;
+        case LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS:
+                return NT_STATUS_ACCESS_DENIED;
+        default:
                 return NT_STATUS_UNSUCCESSFUL;
-
-        return NT_STATUS_OK;
-}
-
-
-/* 
-  samr_GetMembersInAlias 
+        }
+}
+
+
+/*
+  samr_GetMembersInAlias
 */
 static NTSTATUS dcesrv_samr_GetMembersInAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2795 +2540 @@
         struct samr_account_state *a_state;
         struct samr_domain_state *d_state;
-        struct ldb_message **msgs;
-        struct lsa_SidPtr *sids;
-        struct ldb_message_element *el;
-        const char * const attrs[2] = { "member", NULL};
-        int ret;
+        struct lsa_SidPtr *array;
+        unsigned int i, num_members;
+        struct dom_sid *members;
+        NTSTATUS status;
 
         DCESRV_PULL_HANDLE(h, r->in.alias_handle, SAMR_HANDLE_ALIAS);
@@ -2806 +2550 @@
         d_state = a_state->domain_state;
 
-        ret = gendb_search_dn(d_state->sam_ctx, mem_ctx,
-                              a_state->account_dn, &msgs, attrs);
-
-        if (ret == -1) {
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        } else if (ret == 0) {
-                return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-        } else if (ret != 1) {
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
-        r->out.sids->num_sids = 0;
-        r->out.sids->sids = NULL;
-
-        el = ldb_msg_find_element(msgs[0], "member");
-
-        if (el != NULL) {
-                int i;
-
-                sids = talloc_array(mem_ctx, struct lsa_SidPtr,
-                                      el->num_values);
-
-                if (sids == NULL)
-                        return NT_STATUS_NO_MEMORY;
-
-                for (i=0; i<el->num_values; i++) {
-                        struct ldb_message **msgs2;
-                        const char * const attrs2[2] = { "objectSid", NULL };
-                        ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
-                                              ldb_dn_from_ldb_val(mem_ctx, a_state->sam_ctx, &el->values[i]),
-                                              &msgs2, attrs2);
-                        if (ret != 1)
-                                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-
-                        sids[i].sid = samdb_result_dom_sid(mem_ctx, msgs2[0],
-                                                           "objectSid");
-
-                        if (sids[i].sid == NULL)
-                                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-                }
-                r->out.sids->num_sids = el->num_values;
-                r->out.sids->sids = sids;
-        }
-
-        return NT_STATUS_OK;
-}
-
-/* 
-  samr_OpenUser 
+        status = dsdb_enum_group_mem(d_state->sam_ctx, mem_ctx,
+                                     a_state->account_dn, &members,
+                                     &num_members);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        if (num_members == 0) {
+                r->out.sids->sids = NULL;
+
+                return NT_STATUS_OK;
+        }
+
+        array = talloc_array(mem_ctx, struct lsa_SidPtr, num_members);
+        if (array == NULL) {
+                return NT_STATUS_NO_MEMORY;
+        }
+
+        for (i=0; i<num_members; i++) {
+                array[i].sid = &members[i];
+        }
+
+        r->out.sids->num_sids = num_members;
+        r->out.sids->sids = array;
+
+        return NT_STATUS_OK;
+}
+
+/*
+  samr_OpenUser
 */
 static NTSTATUS dcesrv_samr_OpenUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2884 +2609 @@
         ret = gendb_search(d_state->sam_ctx,
                            mem_ctx, d_state->domain_dn, &msgs, attrs,
-                           "(&(objectSid=%s)(objectclass=user))", 
+                           "(&(objectSid=%s)(objectclass=user))",
                            ldap_encode_ndr_dom_sid(mem_ctx, sid));
         if (ret == 0) {
@@ -2890 +2615 @@
         }
         if (ret != 1) {
-                DEBUG(0,("Found %d records matching sid %s\n", ret, 
+                DEBUG(0,("Found %d records matching sid %s\n", ret,
                          dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        account_name = samdb_result_string(msgs[0], "sAMAccountName", NULL);
+        account_name = ldb_msg_find_attr_as_string(msgs[0], "sAMAccountName", NULL);
         if (account_name == NULL) {
-                DEBUG(0,("sAMAccountName field missing for sid %s\n", 
+                DEBUG(0,("sAMAccountName field missing for sid %s\n",
                          dom_sid_string(mem_ctx, sid)));
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -2931 +2656 @@
 
 
-/* 
-  samr_DeleteUser 
+/*
+  samr_DeleteUser
 */
 static NTSTATUS dcesrv_samr_DeleteUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -2948 +2673 @@
 
         ret = ldb_delete(a_state->sam_ctx, a_state->account_dn);
-        if (ret != 0) {
-                DEBUG(1, ("Failed to delete user: %s: %s\n", 
-                          ldb_dn_get_linearized(a_state->account_dn), 
+        if (ret != LDB_SUCCESS) {
+                DEBUG(1, ("Failed to delete user: %s: %s\n",
+                          ldb_dn_get_linearized(a_state->account_dn),
                           ldb_errstring(a_state->sam_ctx)));
                 return NT_STATUS_UNSUCCESSFUL;
         }
 
+        talloc_free(h);
         ZERO_STRUCTP(r->out.user_handle);
 
@@ -2961 +2687 @@
 
 
-/* 
-  samr_QueryUserInfo 
+/*
+  samr_QueryUserInfo
 */
 static NTSTATUS dcesrv_samr_QueryUserInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3036 +2762 @@
         case 5:
         {
-                static const char * const attrs2[] = {"sAMAccountName", 
+                static const char * const attrs2[] = {"sAMAccountName",
                                                       "displayName",
                                                       "objectSid",
@@ -3042 +2768 @@
                                                       "homeDirectory",
                                                       "homeDrive",
-                                                      "scriptPath", 
+                                                      "scriptPath",
                                                       "profilePath",
                                                       "description",
@@ -3137 +2863 @@
                 attrs = attrs2;
                 break;
+        }
+        case 18:
+        {
+                return NT_STATUS_NOT_SUPPORTED;
         }
         case 20:
@@ -3173 +2903 @@
                 break;
         }
+        case 23:
+        case 24:
+        case 25:
+        case 26:
+        {
+                return NT_STATUS_NOT_SUPPORTED;
+        }
+        default:
+        {
+                return NT_STATUS_INVALID_INFO_CLASS;
+        }
         }
 
         /* pull all the user attributes */
         ret = gendb_search_dn(a_state->sam_ctx, mem_ctx,
-                              a_state->account_dn ,&res, attrs);
+                              a_state->account_dn, &res, attrs);
+        if (ret == 0) {
+                return NT_STATUS_NO_SUCH_USER;
+        }
         if (ret != 1) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -3321 +3065 @@
                 QUERY_UINT  (msg, info21.primary_gid,          "primaryGroupID");
                 QUERY_AFLAGS(msg, info21.acct_flags,           "userAccountControl");
-                info->info21.fields_present = 0x00FFFFFF;
+                info->info21.fields_present = 0x08FFFFFF;
                 QUERY_LHOURS(msg, info21.logon_hours,          "logonHours");
                 QUERY_UINT  (msg, info21.bad_password_count,   "badPwdCount");
                 QUERY_UINT  (msg, info21.logon_count,          "logonCount");
+                if ((info->info21.acct_flags & ACB_PW_EXPIRED) != 0) {
+                        info->info21.password_expired = PASS_MUST_CHANGE_AT_NEXT_LOGON;
+                } else {
+                        info->info21.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
+                }
                 QUERY_UINT  (msg, info21.country_code,         "countryCode");
                 QUERY_UINT  (msg, info21.code_page,            "codePage");
                 break;
-                
+
 
         default:
@@ -3341 +3090 @@
 
 
-/* 
-  samr_SetUserInfo 
+/*
+  samr_SetUserInfo
 */
 static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3426 +3175 @@
                 break;
 
+        case 18:
+                status = samr_set_password_buffers(dce_call,
+                                                   a_state->sam_ctx,
+                                                   a_state->account_dn,
+                                                   a_state->domain_state->domain_dn,
+                                                   mem_ctx,
+                                                   r->in.info->info18.lm_pwd_active ? r->in.info->info18.lm_pwd.hash : NULL,
+                                                   r->in.info->info18.nt_pwd_active ? r->in.info->info18.nt_pwd.hash : NULL);
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                if (r->in.info->info18.password_expired > 0) {
+                        struct ldb_message_element *set_el;
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, "pwdLastSet", 0) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
+                }
+                break;
+
         case 20:
                 SET_PARAMETERS(msg, info20.parameters,      "userParameters");
@@ -3431 +3202 @@
 
         case 21:
+                if (r->in.info->info21.fields_present == 0)
+                        return NT_STATUS_INVALID_PARAMETER;
+
 #define IFSET(bit) if (bit & r->in.info->info21.fields_present)
+                IFSET(SAMR_FIELD_LAST_LOGON)
+                        SET_UINT64(msg, info21.last_logon,     "lastLogon");
+                IFSET(SAMR_FIELD_LAST_LOGOFF)
+                        SET_UINT64(msg, info21.last_logoff,    "lastLogoff");
                 IFSET(SAMR_FIELD_ACCT_EXPIRY)
                         SET_UINT64(msg, info21.acct_expiry,    "accountExpires");
-                IFSET(SAMR_FIELD_ACCOUNT_NAME)         
+                IFSET(SAMR_FIELD_ACCOUNT_NAME)
                         SET_STRING(msg, info21.account_name,   "samAccountName");
-                IFSET(SAMR_FIELD_FULL_NAME) 
+                IFSET(SAMR_FIELD_FULL_NAME)
                         SET_STRING(msg, info21.full_name,      "displayName");
                 IFSET(SAMR_FIELD_HOME_DIRECTORY)
@@ -3452 +3230 @@
                 IFSET(SAMR_FIELD_COMMENT)
                         SET_STRING(msg, info21.comment,        "comment");
-                IFSET(SAMR_FIELD_PARAMETERS)   
+                IFSET(SAMR_FIELD_PARAMETERS)
                         SET_PARAMETERS(msg, info21.parameters, "userParameters");
                 IFSET(SAMR_FIELD_PRIMARY_GID)
@@ -3460 +3238 @@
                 IFSET(SAMR_FIELD_LOGON_HOURS)
                         SET_LHOURS(msg, info21.logon_hours,    "logonHours");
+                IFSET(SAMR_FIELD_BAD_PWD_COUNT)
+                        SET_UINT  (msg, info21.bad_password_count, "badPwdCount");
+                IFSET(SAMR_FIELD_NUM_LOGONS)
+                        SET_UINT  (msg, info21.logon_count,    "logonCount");
                 IFSET(SAMR_FIELD_COUNTRY_CODE)
                         SET_UINT  (msg, info21.country_code,   "countryCode");
                 IFSET(SAMR_FIELD_CODE_PAGE)
                         SET_UINT  (msg, info21.code_page,      "codePage");
+
+                /* password change fields */
+                IFSET(SAMR_FIELD_LAST_PWD_CHANGE)
+                        return NT_STATUS_ACCESS_DENIED;
+
+                IFSET((SAMR_FIELD_LM_PASSWORD_PRESENT
+                                        | SAMR_FIELD_NT_PASSWORD_PRESENT)) {
+                        uint8_t *lm_pwd_hash = NULL, *nt_pwd_hash = NULL;
+
+                        if (r->in.info->info21.lm_password_set) {
+                                if ((r->in.info->info21.lm_owf_password.length != 16)
+                                 || (r->in.info->info21.lm_owf_password.size != 16)) {
+                                        return NT_STATUS_INVALID_PARAMETER;
+                                }
+
+                                lm_pwd_hash = (uint8_t *) r->in.info->info21.lm_owf_password.array;
+                        }
+                        if (r->in.info->info21.nt_password_set) {
+                                if ((r->in.info->info21.nt_owf_password.length != 16)
+                                 || (r->in.info->info21.nt_owf_password.size != 16)) {
+                                        return NT_STATUS_INVALID_PARAMETER;
+                                }
+
+                                nt_pwd_hash = (uint8_t *) r->in.info->info21.nt_owf_password.array;
+                        }
+                        status = samr_set_password_buffers(dce_call,
+                                                           a_state->sam_ctx,
+                                                           a_state->account_dn,
+                                                           a_state->domain_state->domain_dn,
+                                                           mem_ctx,
+                                                           lm_pwd_hash,
+                                                           nt_pwd_hash);
+                        if (!NT_STATUS_IS_OK(status)) {
+                                return status;
+                        }
+                }
+
+
+                IFSET(SAMR_FIELD_EXPIRED_FLAG) {
+                        NTTIME t = 0;
+                        struct ldb_message_element *set_el;
+                        if (r->in.info->info21.password_expired
+                                        == PASS_DONT_CHANGE_AT_NEXT_LOGON) {
+                                unix_to_nt_time(&t, time(NULL));
+                        }
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg,
+                                                 "pwdLastSet", t) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
+                }
 #undef IFSET
                 break;
 
         case 23:
+                if (r->in.info->info23.info.fields_present == 0)
+                        return NT_STATUS_INVALID_PARAMETER;
+
 #define IFSET(bit) if (bit & r->in.info->info23.info.fields_present)
+                IFSET(SAMR_FIELD_LAST_LOGON)
+                        SET_UINT64(msg, info23.info.last_logon,     "lastLogon");
+                IFSET(SAMR_FIELD_LAST_LOGOFF)
+                        SET_UINT64(msg, info23.info.last_logoff,    "lastLogoff");
                 IFSET(SAMR_FIELD_ACCT_EXPIRY)
                         SET_UINT64(msg, info23.info.acct_expiry,    "accountExpires");
-                IFSET(SAMR_FIELD_ACCOUNT_NAME)         
+                IFSET(SAMR_FIELD_ACCOUNT_NAME)
                         SET_STRING(msg, info23.info.account_name,   "samAccountName");
                 IFSET(SAMR_FIELD_FULL_NAME)
@@ -3497 +3338 @@
                 IFSET(SAMR_FIELD_LOGON_HOURS)
                         SET_LHOURS(msg, info23.info.logon_hours,    "logonHours");
+                IFSET(SAMR_FIELD_BAD_PWD_COUNT)
+                        SET_UINT  (msg, info23.info.bad_password_count, "badPwdCount");
+                IFSET(SAMR_FIELD_NUM_LOGONS)
+                        SET_UINT  (msg, info23.info.logon_count,    "logonCount");
+
                 IFSET(SAMR_FIELD_COUNTRY_CODE)
                         SET_UINT  (msg, info23.info.country_code,   "countryCode");
                 IFSET(SAMR_FIELD_CODE_PAGE)
                         SET_UINT  (msg, info23.info.code_page,      "codePage");
+
+                /* password change fields */
+                IFSET(SAMR_FIELD_LAST_PWD_CHANGE)
+                        return NT_STATUS_ACCESS_DENIED;
 
                 IFSET(SAMR_FIELD_NT_PASSWORD_PRESENT) {
@@ -3507 +3357 @@
                                                    a_state->account_dn,
                                                    a_state->domain_state->domain_dn,
-                                                   mem_ctx, msg, 
+                                                   mem_ctx,
                                                    &r->in.info->info23.password);
                 } else IFSET(SAMR_FIELD_LM_PASSWORD_PRESENT) {
@@ -3514 +3364 @@
                                                    a_state->account_dn,
                                                    a_state->domain_state->domain_dn,
-                                                   mem_ctx, msg, 
+                                                   mem_ctx,
                                                    &r->in.info->info23.password);
+                }
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                IFSET(SAMR_FIELD_EXPIRED_FLAG) {
+                        NTTIME t = 0;
+                        struct ldb_message_element *set_el;
+                        if (r->in.info->info23.info.password_expired
+                                        == PASS_DONT_CHANGE_AT_NEXT_LOGON) {
+                                unix_to_nt_time(&t, time(NULL));
+                        }
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg,
+                                                 "pwdLastSet", t) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
                 }
 #undef IFSET
@@ -3526 +3394 @@
                                            a_state->account_dn,
                                            a_state->domain_state->domain_dn,
-                                           mem_ctx, msg, 
+                                           mem_ctx,
                                            &r->in.info->info24.password);
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                if (r->in.info->info24.password_expired > 0) {
+                        struct ldb_message_element *set_el;
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, "pwdLastSet", 0) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
+                }
                 break;
 
         case 25:
+                if (r->in.info->info25.info.fields_present == 0)
+                        return NT_STATUS_INVALID_PARAMETER;
+
 #define IFSET(bit) if (bit & r->in.info->info25.info.fields_present)
+                IFSET(SAMR_FIELD_LAST_LOGON)
+                        SET_UINT64(msg, info25.info.last_logon,     "lastLogon");
+                IFSET(SAMR_FIELD_LAST_LOGOFF)
+                        SET_UINT64(msg, info25.info.last_logoff,    "lastLogoff");
                 IFSET(SAMR_FIELD_ACCT_EXPIRY)
                         SET_UINT64(msg, info25.info.acct_expiry,    "accountExpires");
-                IFSET(SAMR_FIELD_ACCOUNT_NAME)         
+                IFSET(SAMR_FIELD_ACCOUNT_NAME)
                         SET_STRING(msg, info25.info.account_name,   "samAccountName");
                 IFSET(SAMR_FIELD_FULL_NAME)
@@ -3560 +3447 @@
                 IFSET(SAMR_FIELD_LOGON_HOURS)
                         SET_LHOURS(msg, info25.info.logon_hours,    "logonHours");
+                IFSET(SAMR_FIELD_BAD_PWD_COUNT)
+                        SET_UINT  (msg, info25.info.bad_password_count, "badPwdCount");
+                IFSET(SAMR_FIELD_NUM_LOGONS)
+                        SET_UINT  (msg, info25.info.logon_count,    "logonCount");
                 IFSET(SAMR_FIELD_COUNTRY_CODE)
                         SET_UINT  (msg, info25.info.country_code,   "countryCode");
                 IFSET(SAMR_FIELD_CODE_PAGE)
                         SET_UINT  (msg, info25.info.code_page,      "codePage");
+
+                /* password change fields */
+                IFSET(SAMR_FIELD_LAST_PWD_CHANGE)
+                        return NT_STATUS_ACCESS_DENIED;
 
                 IFSET(SAMR_FIELD_NT_PASSWORD_PRESENT) {
@@ -3570 +3465 @@
                                                       a_state->account_dn,
                                                       a_state->domain_state->domain_dn,
-                                                      mem_ctx, msg, 
+                                                      mem_ctx,
                                                       &r->in.info->info25.password);
                 } else IFSET(SAMR_FIELD_LM_PASSWORD_PRESENT) {
@@ -3577 +3472 @@
                                                       a_state->account_dn,
                                                       a_state->domain_state->domain_dn,
-                                                      mem_ctx, msg, 
+                                                      mem_ctx,
                                                       &r->in.info->info25.password);
+                }
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                IFSET(SAMR_FIELD_EXPIRED_FLAG) {
+                        NTTIME t = 0;
+                        struct ldb_message_element *set_el;
+                        if (r->in.info->info25.info.password_expired
+                                        == PASS_DONT_CHANGE_AT_NEXT_LOGON) {
+                                unix_to_nt_time(&t, time(NULL));
+                        }
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg,
+                                                 "pwdLastSet", t) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
                 }
 #undef IFSET
@@ -3589 +3502 @@
                                               a_state->account_dn,
                                               a_state->domain_state->domain_dn,
-                                              mem_ctx, msg, 
+                                              mem_ctx,
                                               &r->in.info->info26.password);
-                break;
-                
+                if (!NT_STATUS_IS_OK(status)) {
+                        return status;
+                }
+
+                if (r->in.info->info26.password_expired > 0) {
+                        struct ldb_message_element *set_el;
+                        if (samdb_msg_add_uint64(sam_ctx, mem_ctx, msg, "pwdLastSet", 0) != LDB_SUCCESS) {
+                                return NT_STATUS_NO_MEMORY;
+                        }
+                        set_el = ldb_msg_find_element(msg, "pwdLastSet");
+                        set_el->flags = LDB_FLAG_MOD_REPLACE;
+                }
+                break;
 
         default:
@@ -3604 +3528 @@
 
         /* modify the samdb record */
-        ret = ldb_modify(a_state->sam_ctx, msg);
-        if (ret != 0) {
-                DEBUG(1,("Failed to modify record %s: %s\n",
-                         ldb_dn_get_linearized(a_state->account_dn),
-                         ldb_errstring(a_state->sam_ctx)));
-
-                /* we really need samdb.c to return NTSTATUS */
-                return NT_STATUS_UNSUCCESSFUL;
-        }
-
-        return NT_STATUS_OK;
-}
-
-
-/* 
-  samr_GetGroupsForUser 
+        if (msg->num_elements > 0) {
+                ret = ldb_modify(a_state->sam_ctx, msg);
+                if (ret != LDB_SUCCESS) {
+                        DEBUG(1,("Failed to modify record %s: %s\n",
+                                 ldb_dn_get_linearized(a_state->account_dn),
+                                 ldb_errstring(a_state->sam_ctx)));
+
+                        /* we really need samdb.c to return NTSTATUS */
+                        return NT_STATUS_UNSUCCESSFUL;
+                }
+        }
+
+        return NT_STATUS_OK;
+}
+
+
+/*
+  samr_GetGroupsForUser
 */
 static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3640 +3566 @@
                                     d_state->domain_dn, &res,
                                     attrs, d_state->domain_sid,
-                                    "(&(member=%s)(grouptype=%d)(objectclass=group))",
+                                    "(&(member=%s)(|(grouptype=%d)(grouptype=%d))(objectclass=group))",
                                     ldb_dn_get_linearized(a_state->account_dn),
+                                    GTYPE_SECURITY_UNIVERSAL_GROUP,
                                     GTYPE_SECURITY_GLOBAL_GROUP);
         if (count < 0)
@@ -3672 +3599 @@
                 group_sid = samdb_result_dom_sid(mem_ctx, res[i], "objectSid");
                 if (group_sid == NULL) {
-                        DEBUG(0, ("Couldn't find objectSid attrib\n"));
-                        continue;
+                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
                 }
 
@@ -3689 +3615 @@
 
 
-/* 
-  samr_QueryDisplayInfo 
+/*
+  samr_QueryDisplayInfo
 */
 static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3697 +3623 @@
         struct dcesrv_handle *h;
         struct samr_domain_state *d_state;
-        struct ldb_message **res;
-        int ldb_cnt, count, i;
+        struct ldb_result *res;
+        unsigned int i;
+        uint32_t count;
         const char * const attrs[] = { "objectSid", "sAMAccountName",
                 "displayName", "description", "userAccountControl",
@@ -3707 +3634 @@
         struct samr_DispEntryGeneral *entriesGeneral = NULL;
         const char *filter;
+        int ret;
 
         DCESRV_PULL_HANDLE(h, r->in.domain_handle, SAMR_HANDLE_DOMAIN);
@@ -3716 +3644 @@
         case 4:
                 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)"
-                                         "(sAMAccountType=%u))",
+                                         "(sAMAccountType=%d))",
                                          ATYPE_NORMAL_ACCOUNT);
                 break;
         case 2:
                 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)"
-                                         "(sAMAccountType=%u))",
+                                         "(sAMAccountType=%d))",
                                          ATYPE_WORKSTATION_TRUST);
                 break;
         case 3:
         case 5:
-                filter = talloc_asprintf(mem_ctx, "(&(grouptype=%d)"
-                                         "(objectclass=group))",
+                filter = talloc_asprintf(mem_ctx,
+                                         "(&(|(groupType=%d)(groupType=%d))"
+                                         "(objectClass=group))",
+                                         GTYPE_SECURITY_UNIVERSAL_GROUP,
                                          GTYPE_SECURITY_GLOBAL_GROUP);
                 break;
@@ -3734 +3664 @@
         }
 
-        /* search for all requested objects in this domain. This could
+        /* search for all requested objects in all domains. This could
            possibly be cached and resumed based on resume_key */
-        ldb_cnt = samdb_search_domain(d_state->sam_ctx, mem_ctx,
-                                      d_state->domain_dn, &res, attrs,
-                                      d_state->domain_sid, "%s", filter);
-        if (ldb_cnt == -1) {
+        ret = dsdb_search(d_state->sam_ctx, mem_ctx, &res, NULL,
+                          LDB_SCOPE_SUBTREE, attrs, 0, "%s", filter);
+        if (ret != LDB_SUCCESS) {
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
-        if (ldb_cnt == 0 || r->in.max_entries == 0) {
+        if ((res->count == 0) || (r->in.max_entries == 0)) {
                 return NT_STATUS_OK;
         }
@@ -3749 +3678 @@
         case 1:
                 entriesGeneral = talloc_array(mem_ctx,
-                                             struct samr_DispEntryGeneral,
-                                             ldb_cnt);
+                                              struct samr_DispEntryGeneral,
+                                              res->count);
                 break;
         case 2:
                 entriesFull = talloc_array(mem_ctx,
-                                             struct samr_DispEntryFull,
-                                             ldb_cnt);
+                                           struct samr_DispEntryFull,
+                                           res->count);
                 break;
         case 3:
                 entriesFullGroup = talloc_array(mem_ctx,
-                                             struct samr_DispEntryFullGroup,
-                                             ldb_cnt);
+                                                struct samr_DispEntryFullGroup,
+                                                res->count);
                 break;
         case 4:
         case 5:
                 entriesAscii = talloc_array(mem_ctx,
-                                              struct samr_DispEntryAscii,
-                                              ldb_cnt);
+                                            struct samr_DispEntryAscii,
+                                            res->count);
                 break;
         }
@@ -3776 +3705 @@
         count = 0;
 
-        for (i=0; i<ldb_cnt; i++) {
+        for (i = 0; i < res->count; i++) {
                 struct dom_sid *objectsid;
 
-                objectsid = samdb_result_dom_sid(mem_ctx, res[i],
+                objectsid = samdb_result_dom_sid(mem_ctx, res->msgs[i],
                                                  "objectSid");
                 if (objectsid == NULL)
@@ -3787 +3716 @@
                 case 1:
                         entriesGeneral[count].idx = count + 1;
-                        entriesGeneral[count].rid = 
+                        entriesGeneral[count].rid =
                                 objectsid->sub_auths[objectsid->num_auths-1];
                         entriesGeneral[count].acct_flags =
-                                samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
-                                                        res[i], 
+                                samdb_result_acct_flags(d_state->sam_ctx,
+                                                        mem_ctx,
+                                                        res->msgs[i],
                                                         d_state->domain_dn);
                         entriesGeneral[count].account_name.string =
-                                samdb_result_string(res[i],
-                                                    "sAMAccountName", "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "sAMAccountName", "");
                         entriesGeneral[count].full_name.string =
-                                samdb_result_string(res[i], "displayName", "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "displayName", "");
                         entriesGeneral[count].description.string =
-                                samdb_result_string(res[i], "description", "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "description", "");
                         break;
                 case 2:
@@ -3808 +3740 @@
                         /* No idea why we need to or in ACB_NORMAL here, but this is what Win2k3 seems to do... */
                         entriesFull[count].acct_flags =
-                                samdb_result_acct_flags(d_state->sam_ctx, mem_ctx,
-                                                        res[i], 
+                                samdb_result_acct_flags(d_state->sam_ctx,
+                                                        mem_ctx,
+                                                        res->msgs[i],
                                                         d_state->domain_dn) | ACB_NORMAL;
                         entriesFull[count].account_name.string =
-                                samdb_result_string(res[i], "sAMAccountName",
-                                                    "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "sAMAccountName", "");
                         entriesFull[count].description.string =
-                                samdb_result_string(res[i], "description", "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "description", "");
                         break;
                 case 3:
@@ -3825 +3759 @@
                                 = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
                         entriesFullGroup[count].account_name.string =
-                                samdb_result_string(res[i], "sAMAccountName",
-                                                    "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "sAMAccountName", "");
                         entriesFullGroup[count].description.string =
-                                samdb_result_string(res[i], "description", "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "description", "");
                         break;
                 case 4:
@@ -3834 +3769 @@
                         entriesAscii[count].idx = count + 1;
                         entriesAscii[count].account_name.string =
-                                samdb_result_string(res[i], "sAMAccountName",
-                                                    "");
+                                ldb_msg_find_attr_as_string(res->msgs[i],
+                                                            "sAMAccountName", "");
                         break;
                 }
@@ -3905 +3840 @@
 
 
-/* 
-  samr_GetDisplayEnumerationIndex 
+/*
+  samr_GetDisplayEnumerationIndex
 */
 static NTSTATUS dcesrv_samr_GetDisplayEnumerationIndex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3915 +3850 @@
 
 
-/* 
-  samr_TestPrivateFunctionsDomain 
+/*
+  samr_TestPrivateFunctionsDomain
 */
 static NTSTATUS dcesrv_samr_TestPrivateFunctionsDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3925 +3860 @@
 
 
-/* 
-  samr_TestPrivateFunctionsUser 
+/*
+  samr_TestPrivateFunctionsUser
 */
 static NTSTATUS dcesrv_samr_TestPrivateFunctionsUser(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3935 +3870 @@
 
 
-/* 
-  samr_GetUserPwInfo 
+/*
+  samr_GetUserPwInfo
 */
 static NTSTATUS dcesrv_samr_GetUserPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -3960 +3895 @@
 
 
-/* 
-  samr_RemoveMemberFromForeignDomain 
-*/
-static NTSTATUS dcesrv_samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                       struct samr_RemoveMemberFromForeignDomain *r)
+/*
+  samr_RemoveMemberFromForeignDomain
+*/
+static NTSTATUS dcesrv_samr_RemoveMemberFromForeignDomain(struct dcesrv_call_state *dce_call,
+                                                          TALLOC_CTX *mem_ctx,
+                                                          struct samr_RemoveMemberFromForeignDomain *r)
 {
         struct dcesrv_handle *h;
@@ -3970 +3906 @@
         const char *memberdn;
         struct ldb_message **res;
-        const char * const attrs[3] = { "distinguishedName", "objectSid", NULL };
+        const char *no_attrs[] = { NULL };
         int i, count;
 
@@ -3978 +3914 @@
 
         memberdn = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
-                                       "distinguishedName", "(objectSid=%s)", 
+                                       "distinguishedName", "(objectSid=%s)",
                                        ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
         /* Nothing to do */
@@ -3985 +3921 @@
         }
 
-        /* TODO: Does this call only remove alias members, or does it do this
-         * for domain groups as well? */
-
         count = samdb_search_domain(d_state->sam_ctx, mem_ctx,
-                                    d_state->domain_dn, &res, attrs,
+                                    d_state->domain_dn, &res, no_attrs,
                                     d_state->domain_sid,
                                     "(&(member=%s)(objectClass=group)"
@@ -4008 +3941 @@
                 }
 
-                mod->dn = samdb_result_dn(d_state->sam_ctx, mod, res[i], "distinguishedName", NULL);
-                if (mod->dn == NULL) {
-                        talloc_free(mod);
-                        continue;
-                }
+                mod->dn = res[i]->dn;
 
                 if (samdb_msg_add_delval(d_state->sam_ctx, mem_ctx, mod,
-                                         "member", memberdn) != 0)
+                                         "member", memberdn) != LDB_SUCCESS)
                         return NT_STATUS_NO_MEMORY;
 
-                if (ldb_modify(d_state->sam_ctx, mod) != 0)
+                if (ldb_modify(d_state->sam_ctx, mod) != LDB_SUCCESS)
                         return NT_STATUS_UNSUCCESSFUL;
 
@@ -4028 +3957 @@
 
 
-/* 
-  samr_QueryDomainInfo2 
+/*
+  samr_QueryDomainInfo2
 
   just an alias for samr_QueryDomainInfo
@@ -4045 +3974 @@
 
         status = dcesrv_samr_QueryDomainInfo(dce_call, mem_ctx, &r1);
-        
+
         return status;
 }
 
 
-/* 
-  samr_QueryUserInfo2 
+/*
+  samr_QueryUserInfo2
 
   just an alias for samr_QueryUserInfo
@@ -4064 +3993 @@
         r1.in.level  = r->in.level;
         r1.out.info  = r->out.info;
-        
+
         status = dcesrv_samr_QueryUserInfo(dce_call, mem_ctx, &r1);
 
@@ -4071 +4000 @@
 
 
-/* 
-  samr_QueryDisplayInfo2 
+/*
+  samr_QueryDisplayInfo2
 */
 static NTSTATUS dcesrv_samr_QueryDisplayInfo2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4095 +4024 @@
 
 
-/* 
-  samr_GetDisplayEnumerationIndex2 
+/*
+  samr_GetDisplayEnumerationIndex2
 */
 static NTSTATUS dcesrv_samr_GetDisplayEnumerationIndex2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4105 +4034 @@
 
 
-/* 
-  samr_QueryDisplayInfo3 
+/*
+  samr_QueryDisplayInfo3
 */
 static NTSTATUS dcesrv_samr_QueryDisplayInfo3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4129 +4058 @@
 
 
-/* 
-  samr_AddMultipleMembersToAlias 
+/*
+  samr_AddMultipleMembersToAlias
 */
 static NTSTATUS dcesrv_samr_AddMultipleMembersToAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4139 +4068 @@
 
 
-/* 
-  samr_RemoveMultipleMembersFromAlias 
+/*
+  samr_RemoveMultipleMembersFromAlias
 */
 static NTSTATUS dcesrv_samr_RemoveMultipleMembersFromAlias(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4149 +4078 @@
 
 
-/* 
-  samr_GetDomPwInfo 
+/*
+  samr_GetDomPwInfo
 
   this fetches the default password properties for a domain
 
-  note that w2k3 completely ignores the domain name in this call, and 
+  note that w2k3 completely ignores the domain name in this call, and
   always returns the information for the servers primary domain
 */
@@ -4167 +4096 @@
         ZERO_STRUCTP(r->out.info);
 
-        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, dce_call->conn->auth_state.session_info); 
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                         dce_call->conn->dce_ctx->lp_ctx,
+                                         dce_call->conn->auth_state.session_info, 0);
         if (sam_ctx == NULL) {
                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
@@ -4173 +4104 @@
 
         /* The domain name in this call is ignored */
-        ret = gendb_search_dn(sam_ctx, 
+        ret = gendb_search_dn(sam_ctx,
                            mem_ctx, NULL, &msgs, attrs);
         if (ret <= 0) {
+                talloc_free(sam_ctx);
+
                 return NT_STATUS_NO_SUCH_DOMAIN;
         }
         if (ret > 1) {
                 talloc_free(msgs);
+                talloc_free(sam_ctx);
+
                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
         }
 
-        r->out.info->min_password_length = samdb_result_uint(msgs[0],
+        r->out.info->min_password_length = ldb_msg_find_attr_as_uint(msgs[0],
                 "minPwdLength", 0);
-        r->out.info->password_properties = samdb_result_uint(msgs[0],
+        r->out.info->password_properties = ldb_msg_find_attr_as_uint(msgs[0],
                 "pwdProperties", 1);
 
         talloc_free(msgs);
-
-        talloc_free(sam_ctx);
-        return NT_STATUS_OK;
-}
-
-
-/* 
-  samr_Connect2 
+        talloc_unlink(mem_ctx, sam_ctx);
+
+        return NT_STATUS_OK;
+}
+
+
+/*
+  samr_Connect2
 */
 static NTSTATUS dcesrv_samr_Connect2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4211 +4146 @@
 
 
-/* 
-  samr_SetUserInfo2 
+/*
+  samr_SetUserInfo2
 
   just an alias for samr_SetUserInfo
@@ -4229 +4164 @@
 
 
-/* 
-  samr_SetBootKeyInformation 
+/*
+  samr_SetBootKeyInformation
 */
 static NTSTATUS dcesrv_samr_SetBootKeyInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4239 +4174 @@
 
 
-/* 
-  samr_GetBootKeyInformation 
+/*
+  samr_GetBootKeyInformation
 */
 static NTSTATUS dcesrv_samr_GetBootKeyInformation(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                        struct samr_GetBootKeyInformation *r)
 {
-        DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
-}
-
-
-/* 
-  samr_Connect3 
+        /* Windows Server 2008 returns this */
+        return NT_STATUS_NOT_SUPPORTED;
+}
+
+
+/*
+  samr_Connect3
 */
 static NTSTATUS dcesrv_samr_Connect3(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4265 +4201 @@
 
 
-/* 
-  samr_Connect4 
+/*
+  samr_Connect4
 */
 static NTSTATUS dcesrv_samr_Connect4(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4281 +4217 @@
 
 
-/* 
-  samr_Connect5 
+/*
+  samr_Connect5
 */
 static NTSTATUS dcesrv_samr_Connect5(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4304 +4240 @@
 
 
-/* 
-  samr_RidToSid 
+/*
+  samr_RidToSid
 */
 static NTSTATUS dcesrv_samr_RidToSid(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4327 +4263 @@
 
 
-/* 
-  samr_SetDsrmPassword 
+/*
+  samr_SetDsrmPassword
 */
 static NTSTATUS dcesrv_samr_SetDsrmPassword(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
@@ -4337 +4273 @@
 
 
-/* 
-  samr_ValidatePassword 
-*/
-static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                      struct samr_ValidatePassword *r)
-{
-        DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+/*
+  samr_ValidatePassword
+
+  For now the call checks the password complexity (if active) and the minimum
+  password length on level 2 and 3. Level 1 is ignored for now.
+*/
+static NTSTATUS dcesrv_samr_ValidatePassword(struct dcesrv_call_state *dce_call,
+                                             TALLOC_CTX *mem_ctx,
+                                             struct samr_ValidatePassword *r)
+{
+        struct samr_GetDomPwInfo r2;
+        struct samr_PwInfo pwInfo;
+        DATA_BLOB password;
+        enum samr_ValidationStatus res;
+        NTSTATUS status;
+
+        (*r->out.rep) = talloc_zero(mem_ctx, union samr_ValidatePasswordRep);
+
+        r2.in.domain_name = NULL;
+        r2.out.info = &pwInfo;
+        status = dcesrv_samr_GetDomPwInfo(dce_call, mem_ctx, &r2);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+
+        switch (r->in.level) {
+        case NetValidateAuthentication:
+                /* we don't support this yet */
+                return NT_STATUS_NOT_SUPPORTED;
+        break;
+        case NetValidatePasswordChange:
+                password = data_blob_const(r->in.req->req2.password.string,
+                                           r->in.req->req2.password.length);
+                res = samdb_check_password(&password,
+                                           pwInfo.password_properties,
+                                           pwInfo.min_password_length);
+                (*r->out.rep)->ctr2.status = res;
+        break;
+        case NetValidatePasswordReset:
+                password = data_blob_const(r->in.req->req3.password.string,
+                                           r->in.req->req3.password.length);
+                res = samdb_check_password(&password,
+                                           pwInfo.password_properties,
+                                           pwInfo.min_password_length);
+                (*r->out.rep)->ctr3.status = res;
+        break;
+        default:
+                return NT_STATUS_INVALID_INFO_CLASS;
+        break;
+        }
+
+        return NT_STATUS_OK;
 }
 

trunk/server/source4/rpc_server/samr/dcesrv_samr.h

@@ -1 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
@@ -5 +5 @@
 
    Copyright (C) Andrew Tridgell 2004
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

trunk/server/source4/rpc_server/samr/samr_password.c

@@ -1 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
 
@@ -6 +6 @@
    Copyright (C) Andrew Tridgell 2004
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
@@ -31 +31 @@
 #include "../lib/util/util_ldb.h"
 
-/* 
-  samr_ChangePasswordUser 
-*/
-NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, 
+/*
+  samr_ChangePasswordUser
+*/
+NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
                                         TALLOC_CTX *mem_ctx,
                                         struct samr_ChangePasswordUser *r)
@@ -41 +41 @@
         struct samr_account_state *a_state;
         struct ldb_context *sam_ctx;
-        struct ldb_message **res, *msg;
+        struct ldb_message **res;
         int ret;
         struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
@@ -61 +61 @@
         }
 
-        /* To change a password we need to open as system */
-        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+        /* Connect to a SAMDB with system privileges for fetching the old pw
+         * hashes. */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
         if (sam_ctx == NULL) {
                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-        }
-
-        ret = ldb_transaction_start(sam_ctx);
-        if (ret) {
-                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-                return NT_STATUS_TRANSACTION_ABORTED;
         }
 
@@ -77 +74 @@
                               a_state->account_dn, &res, attrs);
         if (ret != 1) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-        msg = res[0];
-
-        status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
-                                        msg, &lm_pwd, &nt_pwd);
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        status = samdb_result_passwords(mem_ctx,
+                                        dce_call->conn->dce_ctx->lp_ctx,
+                                        res[0], &lm_pwd, &nt_pwd);
         if (!NT_STATUS_IS_OK(status) || !nt_pwd) {
-                ldb_transaction_cancel(sam_ctx);
                 return NT_STATUS_WRONG_PASSWORD;
         }
@@ -94 +89 @@
                 D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
                 if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
-                        ldb_transaction_cancel(sam_ctx);
                         return NT_STATUS_WRONG_PASSWORD;
                 }
@@ -103 +97 @@
         D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
         if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-        
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
         /* The NT Cross is not required by Win2k3 R2, but if present
            check the nt cross hash */
@@ -112 +105 @@
                 D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
                 if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-                        ldb_transaction_cancel(sam_ctx);
                         return NT_STATUS_WRONG_PASSWORD;
                 }
@@ -122 +114 @@
                 D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
                 if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-                        ldb_transaction_cancel(sam_ctx);
                         return NT_STATUS_WRONG_PASSWORD;
                 }
         }
 
-        msg = ldb_msg_new(mem_ctx);
-        if (msg == NULL) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        msg->dn = ldb_dn_copy(msg, a_state->account_dn);
-        if (!msg->dn) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        /* setup password modify mods on the user DN specified.  This may fail
-         * due to password policies.  */
+        /* Start a SAM with user privileges for the password change */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                dce_call->conn->auth_state.session_info, 0);
+        if (sam_ctx == NULL) {
+                return NT_STATUS_INVALID_SYSTEM_SERVICE;
+        }
+
+        /* Start transaction */
+        ret = ldb_transaction_start(sam_ctx);
+        if (ret != LDB_SUCCESS) {
+                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
+                return NT_STATUS_TRANSACTION_ABORTED;
+        }
+
+        /* Performs the password modification. We pass the old hashes read out
+         * from the database since they were already checked against the user-
+         * provided ones. */
         status = samdb_set_password(sam_ctx, mem_ctx,
-                                    a_state->account_dn, a_state->domain_state->domain_dn,
-                                    msg, NULL, &new_lmPwdHash, &new_ntPwdHash, 
-                                    true, /* this is a user password change */
+                                    a_state->account_dn,
+                                    a_state->domain_state->domain_dn,
+                                    NULL, &new_lmPwdHash, &new_ntPwdHash,
+                                    lm_pwd, nt_pwd, /* this is a user password change */
                                     NULL,
                                     NULL);
@@ -152 +148 @@
         }
 
-        /* The above call only setup the modifications, this actually
-         * makes the write to the database. */
-        ret = samdb_replace(sam_ctx, mem_ctx, msg);
-        if (ret != 0) {
-                DEBUG(2,("Failed to modify record to change password on %s: %s\n",
-                         ldb_dn_get_linearized(a_state->account_dn),
-                         ldb_errstring(sam_ctx)));
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
         /* And this confirms it in a transaction commit */
         ret = ldb_transaction_commit(sam_ctx);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
                          ldb_dn_get_linearized(a_state->account_dn),
@@ -175 +160 @@
 }
 
-/* 
-  samr_OemChangePasswordUser2 
-*/
-NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                     struct samr_OemChangePasswordUser2 *r)
+/*
+  samr_OemChangePasswordUser2
+*/
+NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
+                                            TALLOC_CTX *mem_ctx,
+                                            struct samr_OemChangePasswordUser2 *r)
 {
         NTSTATUS status;
@@ -188 +174 @@
         struct ldb_dn *user_dn;
         int ret;
-        struct ldb_message **res, *mod;
+        struct ldb_message **res;
         const char * const attrs[] = { "objectSid", "dBCSPwd", NULL };
         struct samr_Password *lm_pwd;
@@ -205 +191 @@
 
         /* this call can only work with lanman auth */
-        if (!lp_lanman_auth(dce_call->conn->dce_ctx->lp_ctx)) {
-                return NT_STATUS_NOT_SUPPORTED;
-        }
-
-        /* To change a password we need to open as system */
-        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+        if (!lpcfg_lanman_auth(dce_call->conn->dce_ctx->lp_ctx)) {
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        /* Connect to a SAMDB with system privileges for fetching the old pw
+         * hashes. */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
         if (sam_ctx == NULL) {
                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-        }
-
-        ret = ldb_transaction_start(sam_ctx);
-        if (ret) {
-                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-                return NT_STATUS_TRANSACTION_ABORTED;
         }
 
@@ -224 +207 @@
            user SID). We also need the current lm password hash in
            order to decrypt the incoming password */
-        ret = gendb_search(sam_ctx, 
+        ret = gendb_search(sam_ctx,
                            mem_ctx, NULL, &res, attrs,
                            "(&(sAMAccountName=%s)(objectclass=user))",
                            r->in.account->string);
         if (ret != 1) {
-                ldb_transaction_cancel(sam_ctx);
                 /* Don't give the game away:  (don't allow anonymous users to prove the existance of usernames) */
                 return NT_STATUS_WRONG_PASSWORD;
@@ -239 +221 @@
                                         res[0], &lm_pwd, NULL);
         if (!NT_STATUS_IS_OK(status) || !lm_pwd) {
-                ldb_transaction_cancel(sam_ctx);
                 return NT_STATUS_WRONG_PASSWORD;
         }
 
         /* decrypt the password we have been given */
-        lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash)); 
+        lm_pwd_blob = data_blob(lm_pwd->hash, sizeof(lm_pwd->hash));
         arcfour_crypt_blob(pwbuf->data, 516, &lm_pwd_blob);
         data_blob_free(&lm_pwd_blob);
-        
+
         if (!extract_pw_from_buffer(mem_ctx, pwbuf->data, &new_password)) {
-                ldb_transaction_cancel(sam_ctx);
                 DEBUG(3,("samr: failed to decode password buffer\n"));
                 return NT_STATUS_WRONG_PASSWORD;
         }
-                
-        if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx), 
-                                  CH_DOS, CH_UNIX, 
-                                  (const char *)new_password.data, 
+
+        if (!convert_string_talloc_convenience(mem_ctx, lpcfg_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                  CH_DOS, CH_UNIX,
+                                  (const char *)new_password.data,
                                   new_password.length,
                                   (void **)&new_pass, NULL, false)) {
                 DEBUG(3,("samr: failed to convert incoming password buffer to unix charset\n"));
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-
-        if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx), 
-                                               CH_DOS, CH_UTF16, 
-                                               (const char *)new_password.data, 
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        if (!convert_string_talloc_convenience(mem_ctx, lpcfg_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                               CH_DOS, CH_UTF16,
+                                               (const char *)new_password.data,
                                                new_password.length,
                                                (void **)&new_unicode_password.data, &unicode_pw_len, false)) {
                 DEBUG(3,("samr: failed to convert incoming password buffer to UTF16 charset\n"));
-                ldb_transaction_cancel(sam_ctx);
                 return NT_STATUS_WRONG_PASSWORD;
         }
@@ -278 +256 @@
         E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
         if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-
-        mod = ldb_msg_new(mem_ctx);
-        if (mod == NULL) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        mod->dn = ldb_dn_copy(mod, user_dn);
-        if (!mod->dn) {
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_NO_MEMORY;
-        }
-
-        /* set the password on the user DN specified.  This may fail
-         * due to password policies */
+                return NT_STATUS_WRONG_PASSWORD;
+        }
+
+        /* Connect to a SAMDB with user privileges for the password change */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                dce_call->conn->auth_state.session_info, 0);
+        if (sam_ctx == NULL) {
+                return NT_STATUS_INVALID_SYSTEM_SERVICE;
+        }
+
+        /* Start transaction */
+        ret = ldb_transaction_start(sam_ctx);
+        if (ret != LDB_SUCCESS) {
+                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
+                return NT_STATUS_TRANSACTION_ABORTED;
+        }
+
+        /* Performs the password modification. We pass the old hashes read out
+         * from the database since they were already checked against the user-
+         * provided ones. */
         status = samdb_set_password(sam_ctx, mem_ctx,
-                                    user_dn, NULL, 
-                                    mod, &new_unicode_password, 
+                                    user_dn, NULL,
+                                    &new_unicode_password,
                                     NULL, NULL,
-                                    true, /* this is a user password change */
-                                    NULL, 
+                                    lm_pwd, NULL, /* this is a user password change */
+                                    NULL,
                                     NULL);
         if (!NT_STATUS_IS_OK(status)) {
@@ -308 +289 @@
         }
 
-        /* The above call only setup the modifications, this actually
-         * makes the write to the database. */
-        ret = samdb_replace(sam_ctx, mem_ctx, mod);
-        if (ret != 0) {
-                DEBUG(2,("Failed to modify record to change password on %s: %s\n",
-                         ldb_dn_get_linearized(user_dn),
-                         ldb_errstring(sam_ctx)));
-                ldb_transaction_cancel(sam_ctx);
-                return NT_STATUS_INTERNAL_DB_CORRUPTION;
-        }
-
         /* And this confirms it in a transaction commit */
         ret = ldb_transaction_commit(sam_ctx);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
                          ldb_dn_get_linearized(user_dn),
@@ -332 +302 @@
 
 
-/* 
-  samr_ChangePasswordUser3 
-*/
-NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, 
-                                  TALLOC_CTX *mem_ctx,
-                                  struct samr_ChangePasswordUser3 *r)
-{       
+/*
+  samr_ChangePasswordUser3
+*/
+NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
+                                         TALLOC_CTX *mem_ctx,
+                                         struct samr_ChangePasswordUser3 *r)
+{
         NTSTATUS status;
         DATA_BLOB new_password;
@@ -344 +314 @@
         struct ldb_dn *user_dn;
         int ret;
-        struct ldb_message **res, *mod;
+        struct ldb_message **res;
         const char * const attrs[] = { "unicodePwd", "dBCSPwd", NULL };
         struct samr_Password *nt_pwd, *lm_pwd;
         DATA_BLOB nt_pwd_blob;
         struct samr_DomInfo1 *dominfo = NULL;
-        struct samr_ChangeReject *reject = NULL;
-        enum samr_RejectReason reason = SAMR_REJECT_OTHER;
+        struct userPwdChangeFailureInformation *reject = NULL;
+        enum samPwdChangeReason reason = SAM_PWD_CHANGE_NO_ERROR;
         uint8_t new_nt_hash[16], new_lm_hash[16];
         struct samr_Password nt_verifier, lm_verifier;
@@ -362 +332 @@
         }
 
-        /* To change a password we need to open as system */
-        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+        /* Connect to a SAMDB with system privileges for fetching the old pw
+         * hashes. */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
         if (sam_ctx == NULL) {
                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
-        }
-
-        ret = ldb_transaction_start(sam_ctx);
-        if (ret) {
-                talloc_free(sam_ctx);
-                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-                return NT_STATUS_TRANSACTION_ABORTED;
         }
 
@@ -378 +344 @@
            user SID). We also need the current lm and nt password hashes
            in order to decrypt the incoming passwords */
-        ret = gendb_search(sam_ctx, 
+        ret = gendb_search(sam_ctx,
                            mem_ctx, NULL, &res, attrs,
                            "(&(sAMAccountName=%s)(objectclass=user))",
@@ -390 +356 @@
         user_dn = res[0]->dn;
 
-        status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx, 
+        status = samdb_result_passwords(mem_ctx, dce_call->conn->dce_ctx->lp_ctx,
                                         res[0], &lm_pwd, &nt_pwd);
         if (!NT_STATUS_IS_OK(status) ) {
@@ -407 +373 @@
 
         if (!extract_pw_from_buffer(mem_ctx, r->in.nt_password->data, &new_password)) {
-                ldb_transaction_cancel(sam_ctx);
                 DEBUG(3,("samr: failed to decode password buffer\n"));
-                return NT_STATUS_WRONG_PASSWORD;
-        }
-                
+                status =  NT_STATUS_WRONG_PASSWORD;
+                goto failed;
+        }
+
         if (r->in.nt_verifier == NULL) {
                 status = NT_STATUS_WRONG_PASSWORD;
@@ -431 +397 @@
         if (lm_pwd && r->in.lm_verifier != NULL) {
                 char *new_pass;
-                if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx), 
-                                          CH_UTF16, CH_UNIX, 
-                                          (const char *)new_password.data, 
+                if (!convert_string_talloc_convenience(mem_ctx, lpcfg_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                          CH_UTF16, CH_UNIX,
+                                          (const char *)new_password.data,
                                           new_password.length,
                                           (void **)&new_pass, NULL, false)) {
@@ -445 +411 @@
         }
 
-        mod = ldb_msg_new(mem_ctx);
-        if (mod == NULL) {
-                status = NT_STATUS_NO_MEMORY;
-                goto failed;
-        }
-
-        mod->dn = ldb_dn_copy(mod, user_dn);
-        if (!mod->dn) {
-                status = NT_STATUS_NO_MEMORY;
-                goto failed;
-        }
-
-        /* set the password on the user DN specified.  This may fail
-         * due to password policies */
+        /* Connect to a SAMDB with user privileges for the password change */
+        sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
+                                dce_call->conn->dce_ctx->lp_ctx,
+                                dce_call->conn->auth_state.session_info, 0);
+        if (sam_ctx == NULL) {
+                return NT_STATUS_INVALID_SYSTEM_SERVICE;
+        }
+
+        ret = ldb_transaction_start(sam_ctx);
+        if (ret != LDB_SUCCESS) {
+                DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
+                return NT_STATUS_TRANSACTION_ABORTED;
+        }
+
+        /* Performs the password modification. We pass the old hashes read out
+         * from the database since they were already checked against the user-
+         * provided ones. */
         status = samdb_set_password(sam_ctx, mem_ctx,
-                                    user_dn, NULL, 
-                                    mod, &new_password, 
+                                    user_dn, NULL,
+                                    &new_password,
                                     NULL, NULL,
-                                    true, /* this is a user password change */
-                                    &reason, 
+                                    lm_pwd, nt_pwd, /* this is a user password change */
+                                    &reason,
                                     &dominfo);
+
         if (!NT_STATUS_IS_OK(status)) {
-                goto failed;
-        }
-
-        /* The above call only setup the modifications, this actually
-         * makes the write to the database. */
-        ret = samdb_replace(sam_ctx, mem_ctx, mod);
-        if (ret != 0) {
-                DEBUG(2,("samdb_replace failed to change password for %s: %s\n",
-                         ldb_dn_get_linearized(user_dn),
-                         ldb_errstring(sam_ctx)));
-                status = NT_STATUS_UNSUCCESSFUL;
+                ldb_transaction_cancel(sam_ctx);
                 goto failed;
         }
@@ -483 +443 @@
         /* And this confirms it in a transaction commit */
         ret = ldb_transaction_commit(sam_ctx);
-        if (ret != 0) {
+        if (ret != LDB_SUCCESS) {
                 DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
                          ldb_dn_get_linearized(user_dn),
@@ -494 +454 @@
 
 failed:
-        ldb_transaction_cancel(sam_ctx);
-        talloc_free(sam_ctx);
-
-        reject = talloc(mem_ctx, struct samr_ChangeReject);
+        reject = talloc_zero(mem_ctx, struct userPwdChangeFailureInformation);
+        if (reject != NULL) {
+                reject->extendedFailureReason = reason;
+
+                *r->out.reject = reject;
+        }
+
         *r->out.dominfo = dominfo;
-        *r->out.reject = reject;
-
-        if (reject == NULL) {
-                return status;
-        }
-        ZERO_STRUCTP(reject);
-
-        reject->reason = reason;
 
         return status;
@@ -512 +467 @@
 
 
-/* 
-  samr_ChangePasswordUser2 
+/*
+  samr_ChangePasswordUser2
 
   easy - just a subset of samr_ChangePasswordUser3
 */
-NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                  struct samr_ChangePasswordUser2 *r)
+NTSTATUS dcesrv_samr_ChangePasswordUser2(struct dcesrv_call_state *dce_call,
+                                         TALLOC_CTX *mem_ctx,
+                                         struct samr_ChangePasswordUser2 *r)
 {
         struct samr_ChangePasswordUser3 r2;
         struct samr_DomInfo1 *dominfo = NULL;
-        struct samr_ChangeReject *reject = NULL;
+        struct userPwdChangeFailureInformation *reject = NULL;
 
         r2.in.server = r->in.server;
@@ -541 +497 @@
 /*
   set password via a samr_CryptPassword buffer
-  this will in the 'msg' with modify operations that will update the user
-  password when applied
 */
 NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call,
-                           void *sam_ctx,
+                           struct ldb_context *sam_ctx,
                            struct ldb_dn *account_dn, struct ldb_dn *domain_dn,
                            TALLOC_CTX *mem_ctx,
-                           struct ldb_message *msg, 
                            struct samr_CryptPassword *pwbuf)
 {
@@ -566 +519 @@
                 return NT_STATUS_WRONG_PASSWORD;
         }
-                
+
         /* set the password - samdb needs to know both the domain and user DNs,
            so the domain password policy can be used */
         return samdb_set_password(sam_ctx, mem_ctx,
-                                  account_dn, domain_dn, 
-                                  msg, &new_password, 
+                                  account_dn, domain_dn,
+                                  &new_password,
                                   NULL, NULL,
-                                  false, /* This is a password set, not change */
+                                  NULL, NULL, /* This is a password set, not change */
                                   NULL, NULL);
 }
@@ -580 +533 @@
 /*
   set password via a samr_CryptPasswordEx buffer
-  this will in the 'msg' with modify operations that will update the user
-  password when applied
 */
 NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call,
                               struct ldb_context *sam_ctx,
-                              struct ldb_dn *account_dn, struct ldb_dn *domain_dn,
+                              struct ldb_dn *account_dn,
+                              struct ldb_dn *domain_dn,
                               TALLOC_CTX *mem_ctx,
-                              struct ldb_message *msg, 
                               struct samr_CryptPasswordEx *pwbuf)
 {
@@ -610 +561 @@
         MD5Update(&ctx, session_key.data, session_key.length);
         MD5Final(co_session_key.data, &ctx);
-        
+
         arcfour_crypt_blob(pwbuf->data, 516, &co_session_key);
 
@@ -617 +568 @@
                 return NT_STATUS_WRONG_PASSWORD;
         }
-                
+
         /* set the password - samdb needs to know both the domain and user DNs,
            so the domain password policy can be used */
         return samdb_set_password(sam_ctx, mem_ctx,
-                                  account_dn, domain_dn, 
-                                  msg, &new_password, 
+                                  account_dn, domain_dn,
+                                  &new_password,
                                   NULL, NULL,
-                                  false, /* This is a password set, not change */
+                                  NULL, NULL, /* This is a password set, not change */
                                   NULL, NULL);
 }
 
-
+/*
+  set password via encrypted NT and LM hash buffers
+*/
+NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call,
+                                   struct ldb_context *sam_ctx,
+                                   struct ldb_dn *account_dn,
+                                   struct ldb_dn *domain_dn,
+                                   TALLOC_CTX *mem_ctx,
+                                   const uint8_t *lm_pwd_hash,
+                                   const uint8_t *nt_pwd_hash)
+{
+        struct samr_Password *d_lm_pwd_hash = NULL, *d_nt_pwd_hash = NULL;
+        DATA_BLOB session_key = data_blob(NULL, 0);
+        DATA_BLOB in, out;
+        NTSTATUS nt_status = NT_STATUS_OK;
+
+        nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
+        if (!NT_STATUS_IS_OK(nt_status)) {
+                return nt_status;
+        }
+
+        if (lm_pwd_hash != NULL) {
+                in = data_blob_const(lm_pwd_hash, 16);
+                out = data_blob_talloc_zero(mem_ctx, 16);
+
+                sess_crypt_blob(&out, &in, &session_key, false);
+
+                d_lm_pwd_hash = (struct samr_Password *) out.data;
+        }
+        if (nt_pwd_hash != NULL) {
+                in = data_blob_const(nt_pwd_hash, 16);
+                out = data_blob_talloc_zero(mem_ctx, 16);
+
+                sess_crypt_blob(&out, &in, &session_key, false);
+
+                d_nt_pwd_hash = (struct samr_Password *) out.data;
+        }
+
+        if ((d_lm_pwd_hash != NULL) || (d_nt_pwd_hash != NULL)) {
+                nt_status = samdb_set_password(sam_ctx, mem_ctx, account_dn,
+                                               domain_dn, NULL,
+                                               d_lm_pwd_hash, d_nt_pwd_hash,
+                                               NULL, NULL, /* this is a password set */
+                                               NULL, NULL);
+        }
+
+        return nt_status;
+}