Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 5515 insertions, 0 deletions

diff --git a/source4/torture/smb2/replay.c b/source4/torture/smb2/replay.c
new file mode 100644
index 0000000..d84ced8
--- /dev/null
+++ b/source4/torture/smb2/replay.c
@@ -0,0 +1,5515 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   test suite for SMB2 replay
+
+   Copyright (C) Anubhav Rakshit 2014
+   Copyright (C) Stefan Metzmacher 2014
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "libcli/smb2/smb2.h"
+#include "libcli/smb2/smb2_calls.h"
+#include "torture/torture.h"
+#include "torture/smb2/proto.h"
+#include "../libcli/smb/smbXcli_base.h"
+#include "lib/cmdline/cmdline.h"
+#include "auth/credentials/credentials.h"
+#include "libcli/security/security.h"
+#include "libcli/resolve/resolve.h"
+#include "lib/param/param.h"
+#include "lib/events/events.h"
+#include "oplock_break_handler.h"
+#include "lease_break_handler.h"
+
+#define CHECK_VAL(v, correct) do { \
+	if ((v) != (correct)) { \
+		torture_result(tctx, TORTURE_FAIL, "(%s): wrong value for %s got 0x%x - should be 0x%x\n", \
+				__location__, #v, (int)v, (int)correct); \
+		ret = false; \
+		goto done; \
+	}} while (0)
+
+#define CHECK_STATUS(status, correct) do { \
+	if (!NT_STATUS_EQUAL(status, correct)) { \
+		torture_result(tctx, TORTURE_FAIL, __location__": Incorrect status %s - should be %s", \
+		       nt_errstr(status), nt_errstr(correct)); \
+		ret = false; \
+		goto done; \
+	}} while (0)
+
+#define CHECK_CREATED(__io, __created, __attribute)			\
+	do {								\
+		CHECK_VAL((__io)->out.create_action, NTCREATEX_ACTION_ ## __created); \
+		CHECK_VAL((__io)->out.size, 0);				\
+		CHECK_VAL((__io)->out.file_attr, (__attribute));	\
+		CHECK_VAL((__io)->out.reserved2, 0);			\
+	} while(0)
+
+#define CHECK_HANDLE(__h1, __h2)					\
+	do {								\
+		CHECK_VAL((__h1)->data[0], (__h2)->data[0]);		\
+		CHECK_VAL((__h1)->data[1], (__h2)->data[1]);		\
+	} while(0)
+
+#define __IO_OUT_VAL(__io1, __io2, __m) \
+	CHECK_VAL((__io1)->out.__m, (__io2)->out.__m)
+
+#define CHECK_CREATE_OUT(__io1, __io2)				\
+	do {							\
+		CHECK_HANDLE(&(__io1)->out.file.handle,		\
+			     &(__io2)->out.file.handle);	\
+		__IO_OUT_VAL(__io1, __io2, oplock_level);	\
+		__IO_OUT_VAL(__io1, __io2, create_action);	\
+		__IO_OUT_VAL(__io1, __io2, create_time);	\
+		__IO_OUT_VAL(__io1, __io2, access_time);	\
+		__IO_OUT_VAL(__io1, __io2, write_time);		\
+		__IO_OUT_VAL(__io1, __io2, change_time);	\
+		__IO_OUT_VAL(__io1, __io2, alloc_size);		\
+		__IO_OUT_VAL(__io1, __io2, size);		\
+		__IO_OUT_VAL(__io1, __io2, file_attr);		\
+		__IO_OUT_VAL(__io1, __io2, durable_open);	\
+		__IO_OUT_VAL(__io1, __io2, durable_open_v2);	\
+		__IO_OUT_VAL(__io1, __io2, persistent_open);	\
+		__IO_OUT_VAL(__io1, __io2, timeout);		\
+		__IO_OUT_VAL(__io1, __io2, blobs.num_blobs);	\
+		if ((__io1)->out.oplock_level == SMB2_OPLOCK_LEVEL_LEASE) { \
+			__IO_OUT_VAL(__io1, __io2, lease_response.lease_state);\
+			__IO_OUT_VAL(__io1, __io2, lease_response.lease_key.data[0]);\
+			__IO_OUT_VAL(__io1, __io2, lease_response.lease_key.data[1]);\
+		} \
+	} while(0)
+
+#define WAIT_FOR_ASYNC_RESPONSE(__tctx, __req) do { \
+	torture_comment((__tctx), "Waiting for async response: %s\n", #__req); \
+	while (!(__req)->cancel.can_cancel && (__req)->state <= SMB2_REQUEST_RECV) { \
+		if (tevent_loop_once((__tctx)->ev) != 0) { \
+			break; \
+		} \
+	} \
+} while(0)
+
+#define BASEDIR "replaytestdir"
+
+/**
+ * Test what happens when SMB2_FLAGS_REPLAY_OPERATION is enabled for various
+ * commands. We want to verify if the server returns an error code or not.
+ */
+static bool test_replay_commands(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	bool ret = true;
+	NTSTATUS status;
+	struct smb2_handle h;
+	uint8_t buf[200];
+	struct smb2_read rd;
+	union smb_setfileinfo sfinfo;
+	union smb_fileinfo qfinfo;
+	union smb_ioctl ioctl;
+	struct smb2_lock lck;
+	struct smb2_lock_element el[2];
+	struct smb2_flush f;
+	TALLOC_CTX *tmp_ctx = talloc_new(tree);
+	const char *fname = BASEDIR "\\replay_commands.dat";
+	struct smb2_transport *transport = tree->session->transport;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "Replay tests\n");
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	status = torture_smb2_testdir(tree, BASEDIR, &h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, h);
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+
+	torture_comment(tctx, "Try Commands with Replay Flags Enabled\n");
+
+	torture_comment(tctx, "Trying create\n");
+	status = torture_smb2_testfile(tree, fname, &h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(break_info.count, 0);
+	/*
+	 * Wireshark shows that the response has SMB2_FLAGS_REPLAY_OPERATION
+	 * flags set. The server should ignore this flag.
+	 */
+
+	torture_comment(tctx, "Trying write\n");
+	status = smb2_util_write(tree, h, buf, 0, ARRAY_SIZE(buf));
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	f = (struct smb2_flush) {
+		.in.file.handle = h
+	};
+	torture_comment(tctx, "Trying flush\n");
+	status = smb2_flush(tree, &f);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	rd = (struct smb2_read) {
+		.in.file.handle = h,
+		.in.length = 10,
+		.in.offset = 0,
+		.in.min_count = 1
+	};
+	torture_comment(tctx, "Trying read\n");
+	status = smb2_read(tree, tmp_ctx, &rd);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(rd.out.data.length, 10);
+
+	sfinfo.generic.level = RAW_SFILEINFO_POSITION_INFORMATION;
+	sfinfo.position_information.in.file.handle = h;
+	sfinfo.position_information.in.position = 0x1000;
+	torture_comment(tctx, "Trying setinfo\n");
+	status = smb2_setinfo_file(tree, &sfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	qfinfo = (union smb_fileinfo) {
+		.generic.level = RAW_FILEINFO_POSITION_INFORMATION,
+		.generic.in.file.handle = h
+	};
+	torture_comment(tctx, "Trying getinfo\n");
+	status = smb2_getinfo_file(tree, tmp_ctx, &qfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(qfinfo.position_information.out.position, 0x1000);
+
+	ioctl = (union smb_ioctl) {
+		.smb2.level = RAW_IOCTL_SMB2,
+		.smb2.in.file.handle = h,
+		.smb2.in.function = FSCTL_CREATE_OR_GET_OBJECT_ID,
+		.smb2.in.max_output_response = 64,
+		.smb2.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL
+	};
+	torture_comment(tctx, "Trying ioctl\n");
+	status = smb2_ioctl(tree, tmp_ctx, &ioctl.smb2);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	lck = (struct smb2_lock) {
+		.in.locks = el,
+		.in.lock_count = 0x0001,
+		.in.lock_sequence = 0x00000000,
+		.in.file.handle	= h
+	};
+	el[0].reserved		= 0x00000000;
+	el[0].flags		= SMB2_LOCK_FLAG_EXCLUSIVE |
+		SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
+
+	torture_comment(tctx, "Trying lock\n");
+	el[0].offset		= 0x0000000000000000;
+	el[0].length		= 0x0000000000000100;
+	status = smb2_lock(tree, &lck);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	lck.in.file.handle	= h;
+	el[0].flags		= SMB2_LOCK_FLAG_UNLOCK;
+	status = smb2_lock(tree, &lck);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	CHECK_VAL(break_info.count, 0);
+done:
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	smb2_util_close(tree, h);
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tmp_ctx);
+
+	return ret;
+}
+
+/**
+ * Test replay detection without create GUID on single channel.
+ * Regular creates can not be replayed.
+ * The return code is unaffected of the REPLAY_OPERATION flag.
+ */
+static bool test_replay_regular(struct torture_context *tctx,
+				struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io;
+	uint32_t perms = 0;
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay_regular.dat";
+	struct smb2_transport *transport = tree->session->transport;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	CHECK_VAL(break_info.count, 0);
+
+	torture_comment(tctx, "No replay detection for regular create\n");
+
+	perms = SEC_STD_SYNCHRONIZE | SEC_STD_READ_CONTROL | SEC_STD_DELETE |
+		SEC_DIR_WRITE_ATTRIBUTE | SEC_DIR_READ_ATTRIBUTE |
+		SEC_DIR_WRITE_EA | SEC_FILE_APPEND_DATA |
+		SEC_FILE_WRITE_DATA;
+
+	io = (struct smb2_create) {
+		.in.desired_access  = perms,
+		.in.file_attributes = 0,
+		.in.create_disposition = NTCREATEX_DISP_CREATE,
+		.in.share_access    = NTCREATEX_SHARE_ACCESS_DELETE,
+		.in.create_options  = 0x0,
+		.in.fname   = fname
+	};
+
+	status = smb2_create(tree, tctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(break_info.count, 0);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, tctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OBJECT_NAME_COLLISION);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_util_close(tree, *h);
+	h = NULL;
+	smb2_util_unlink(tree, fname);
+
+	/*
+	 * Same experiment with different create disposition.
+	 */
+	io.in.create_disposition = NTCREATEX_DISP_OPEN_IF;
+	status = smb2_create(tree, tctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(break_info.count, 0);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, tctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_SHARING_VIOLATION);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_util_close(tree, *h);
+	h = NULL;
+	smb2_util_unlink(tree, fname);
+
+	/*
+	 * Now with more generous share mode.
+	 */
+	io.in.share_access = smb2_util_share_access("RWD");
+	status = smb2_create(tree, tctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(break_info.count, 0);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, tctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Create Replay Detection on Single Channel.
+ */
+static bool test_replay_dhv2_oplock1(struct torture_context *tctx,
+				     struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io, ref1;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay_dhv2_oplock1.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 on Single "
+			      "Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io;
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.durable_open, false);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Replay Durable V2 Create on single channel
+	 */
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io, &ref1);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Create Replay Detection on Single Channel.
+ * Hand in a different oplock level in the replay.
+ * Server responds with the handed in oplock level and
+ * corresponding durable status, but does not change the
+ * oplock level or durable status of the opened file.
+ */
+static bool test_replay_dhv2_oplock2(struct torture_context *tctx,
+				      struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io, ref1, ref2;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay_dhv2_oplock2.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 on Single "
+			      "Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io;
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.durable_open, false);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Replay durable v2 create on single channel:
+	 *
+	 * Replay the create with a different oplock (none).
+	 * The server replies with the requested oplock level
+	 * and also only replies with durable handle based
+	 * on whether it could have been granted based on
+	 * the requested oplock type.
+	 */
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level(""));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	/*
+	 * Adapt the response to the expected values
+	 */
+	ref2 = ref1;
+	ref2.out.oplock_level = smb2_util_oplock_level("");
+	ref2.out.durable_open_v2 = false;
+	ref2.out.timeout = 0;
+	ref2.out.blobs.num_blobs = 0;
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io, &ref2);
+	CHECK_VAL(break_info.count, 0);
+
+	/*
+	 * Prove that the open file still has a batch oplock
+	 * by breaking it with another open.
+	 */
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = GUID_random();
+	io.in.timeout = UINT32_MAX;
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_SHARING_VIOLATION);
+
+	if (!share_is_so) {
+		CHECK_VAL(break_info.count, 1);
+		CHECK_HANDLE(&break_info.handle, &ref1.out.file.handle);
+		CHECK_VAL(break_info.level, smb2_util_oplock_level("s"));
+		torture_reset_break_info(tctx, &break_info);
+	}
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Create Replay Detection on Single Channel.
+ * Replay with a different share mode. The share mode of
+ * the opened file is not changed by this.
+ */
+static bool test_replay_dhv2_oplock3(struct torture_context *tctx,
+				     struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io, ref1;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay_dhv2_oplock3.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 on Single "
+			      "Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io;
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.durable_open, false);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Replay durable v2 create on single channel:
+	 *
+	 * Replay the create with a different share mode.
+	 * The server replies with the requested share
+	 * mode instead of that which is associated to
+	 * the handle.
+	 */
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access("RWD"),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io, &ref1);
+	CHECK_VAL(break_info.count, 0);
+
+	/*
+	 * In order to prove that the different share mode in the
+	 * replayed create had no effect on the open file handle,
+	 * show that a new create yields NT_STATUS_SHARING_VIOLATION.
+	 */
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = GUID_random();
+	io.in.timeout = UINT32_MAX;
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_SHARING_VIOLATION);
+
+	if (!share_is_so) {
+		CHECK_VAL(break_info.count, 1);
+		CHECK_HANDLE(&break_info.handle, &ref1.out.file.handle);
+		CHECK_VAL(break_info.level, smb2_util_oplock_level("s"));
+		torture_reset_break_info(tctx, &break_info);
+	}
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Create Replay Detection on Single Channel.
+ * Create with an oplock, and replay with a lease.
+ */
+static bool test_replay_dhv2_oplock_lease(struct torture_context *tctx,
+					  struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay_dhv2_oplock1.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	struct smb2_lease ls;
+	uint64_t lease_key;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		torture_skip(tctx, "leases are not supported");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 on Single "
+			      "Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.durable_open, false);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Replay Durable V2 Create on single channel
+	 * but replay it with a lease instead of an oplock.
+	 */
+	lease_key = random();
+	smb2_lease_create(&io, &ls, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RH"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+
+/**
+ * Test durability v2 create replay detection on single channel.
+ * Variant with leases instead of oplocks:
+ * - open a file with a rh lease
+ * - upgrade to a rwh lease with a second create
+ * - replay the first create.
+ *   ==> it gets back the upgraded lease level
+ */
+static bool test_replay_dhv2_lease1(struct torture_context *tctx,
+				    struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h2;
+	struct smb2_handle *h2 = NULL;
+	struct smb2_create io1, io2, ref1;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay2_lease1.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	struct smb2_lease ls1, ls2;
+	uint64_t lease_key;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		torture_skip(tctx, "leases are not supported");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 with Lease "
+			      "on Single Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key = random();
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RH"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io1;
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[0], lease_key);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[1], ~lease_key);
+	if (share_is_so) {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("R"));
+		CHECK_VAL(io1.out.durable_open_v2, false);
+		CHECK_VAL(io1.out.timeout, 0);
+	} else {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(io1.out.durable_open_v2, true);
+		CHECK_VAL(io1.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Upgrade the lease to RWH
+	 */
+	smb2_lease_create(&io2, &ls2, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RHW"));
+	io2.in.durable_open = false;
+	io2.in.durable_open_v2 = true;
+	io2.in.persistent_open = false;
+	io2.in.create_guid = GUID_random(); /* new guid... */
+	io2.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io2);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h2 = io2.out.file.handle;
+	h2 = &_h2;
+
+	/*
+	 * Replay Durable V2 Create on single channel.
+	 * We get the io from open #1 but with the
+	 * upgraded lease.
+	 */
+
+	/* adapt expected lease in response */
+	if (!share_is_so) {
+		ref1.out.lease_response.lease_state =
+			smb2_util_lease_state("RHW");
+	}
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io1);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io1, &ref1);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree, *h1);
+	}
+	if (h2 != NULL) {
+		smb2_util_close(tree, *h2);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test durability v2 create replay detection on single channel.
+ * Variant with leases instead of oplocks, where the
+ * replay does not specify the original lease level but
+ * just a "R" lease. This still gives the upgraded lease
+ * level in the reply.
+ * - open a file with a rh lease
+ * - upgrade to a rwh lease with a second create
+ * - replay the first create.
+ *   ==> it gets back the upgraded lease level
+ */
+static bool test_replay_dhv2_lease2(struct torture_context *tctx,
+				    struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h2;
+	struct smb2_handle *h2 = NULL;
+	struct smb2_create io1, io2, ref1;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay2_lease2.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	struct smb2_lease ls1, ls2;
+	uint64_t lease_key;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		torture_skip(tctx, "leases are not supported");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 with Lease "
+			      "on Single Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key = random();
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RH"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[0], lease_key);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[1], ~lease_key);
+	if (share_is_so) {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("R"));
+		CHECK_VAL(io1.out.durable_open_v2, false);
+		CHECK_VAL(io1.out.timeout, 0);
+	} else {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(io1.out.durable_open_v2, true);
+		CHECK_VAL(io1.out.timeout, 300*1000);
+	}
+	ref1 = io1;
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+
+	/*
+	 * Upgrade the lease to RWH
+	 */
+	smb2_lease_create(&io2, &ls2, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RHW"));
+	io2.in.durable_open = false;
+	io2.in.durable_open_v2 = true;
+	io2.in.persistent_open = false;
+	io2.in.create_guid = GUID_random(); /* new guid... */
+	io2.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io2);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h2 = io2.out.file.handle;
+	h2 = &_h2;
+
+	/*
+	 * Replay Durable V2 Create on single channel.
+	 * Changing the requested lease level to "R"
+	 * does not change the response:
+	 * We get the reply from open #1 but with the
+	 * upgraded lease.
+	 */
+
+	/* adapt the expected response */
+	if (!share_is_so) {
+		ref1.out.lease_response.lease_state =
+					smb2_util_lease_state("RHW");
+	}
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("R"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io1);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io1, &ref1);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree, *h1);
+	}
+	if (h2 != NULL) {
+		smb2_util_close(tree, *h2);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test durability v2 create replay detection on single channel.
+ * create with a lease, and replay with a different lease key
+ */
+static bool test_replay_dhv2_lease3(struct torture_context *tctx,
+				    struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h2;
+	struct smb2_handle *h2 = NULL;
+	struct smb2_create io1, io2;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay2_lease2.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	struct smb2_lease ls1, ls2;
+	uint64_t lease_key;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		torture_skip(tctx, "leases are not supported");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 with Lease "
+			      "on Single Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key = random();
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RH"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[0], lease_key);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[1], ~lease_key);
+	if (share_is_so) {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("R"));
+		CHECK_VAL(io1.out.durable_open_v2, false);
+		CHECK_VAL(io1.out.timeout, 0);
+	} else {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(io1.out.durable_open_v2, true);
+		CHECK_VAL(io1.out.timeout, 300*1000);
+	}
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+
+	/*
+	 * Upgrade the lease to RWH
+	 */
+	smb2_lease_create(&io2, &ls2, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RHW"));
+	io2.in.durable_open = false;
+	io2.in.durable_open_v2 = true;
+	io2.in.persistent_open = false;
+	io2.in.create_guid = GUID_random(); /* new guid... */
+	io2.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io2);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h2 = io2.out.file.handle;
+	h2 = &_h2;
+
+	/*
+	 * Replay Durable V2 Create on single channel.
+	 * use a different lease key.
+	 */
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			random() /* lease key */,
+			smb2_util_lease_state("RH"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io1);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+
+done:
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree, *h1);
+	}
+	if (h2 != NULL) {
+		smb2_util_close(tree, *h2);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test durability v2 create replay detection on single channel.
+ * Do the original create with a lease, and do the replay
+ * with an oplock.
+ */
+static bool test_replay_dhv2_lease_oplock(struct torture_context *tctx,
+					  struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h2;
+	struct smb2_handle *h2 = NULL;
+	struct smb2_create io1, io2, ref1;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay2_lease1.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	struct smb2_lease ls1, ls2;
+	uint64_t lease_key;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		torture_skip(tctx, "leases are not supported");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 with Lease "
+			      "on Single Channel\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key = random();
+
+	smb2_lease_create(&io1, &ls1, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RH"));
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io1;
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[0], lease_key);
+	CHECK_VAL(io1.out.lease_response.lease_key.data[1], ~lease_key);
+	if (share_is_so) {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("R"));
+		CHECK_VAL(io1.out.durable_open_v2, false);
+		CHECK_VAL(io1.out.timeout, 0);
+	} else {
+		CHECK_VAL(io1.out.lease_response.lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(io1.out.durable_open_v2, true);
+		CHECK_VAL(io1.out.timeout, 300*1000);
+	}
+
+	/*
+	 * Upgrade the lease to RWH
+	 */
+	smb2_lease_create(&io2, &ls2, false /* dir */, fname,
+			lease_key, smb2_util_lease_state("RHW"));
+	io2.in.durable_open = false;
+	io2.in.durable_open_v2 = true;
+	io2.in.persistent_open = false;
+	io2.in.create_guid = GUID_random(); /* new guid... */
+	io2.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io2);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h2 = io2.out.file.handle;
+	h2 = &_h2;
+
+	/*
+	 * Replay Durable V2 Create on single channel.
+	 * We get the io from open #1 but with the
+	 * upgraded lease.
+	 */
+
+	smb2_oplock_create_share(&io2, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io2.in.durable_open = false;
+	io2.in.durable_open_v2 = true;
+	io2.in.persistent_open = false;
+	io2.in.create_guid = create_guid;
+	io2.in.timeout = UINT32_MAX;
+
+	/* adapt expected lease in response */
+	if (!share_is_so) {
+		ref1.out.lease_response.lease_state =
+			smb2_util_lease_state("RHW");
+	}
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io1);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io1, &ref1);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree, *h1);
+	}
+	if (h2 != NULL) {
+		smb2_util_close(tree, *h2);
+	}
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel. It tests the case where the client2 open
+ * is deferred because it conflicts with a HANDLE lease,
+ * which is broken because the operation should otherwise
+ * return NT_STATUS_SHARING_VIOLATION.
+ *
+ * With a durablev2 request containing a create_guid:
+ * - client2_level = NONE:
+ *   but without asking for an oplock nor a lease.
+ * - client2_level = BATCH:
+ *   and asking for a batch oplock.
+ * - client2_level = LEASE
+ *   and asking for an RWH lease.
+ *
+ * While another client holds a batch oplock or
+ * RWH lease. (client1_level => LEASE or BATCH).
+ *
+ * There are two modes of this test one, with releaseing
+ * the oplock/lease of client1 via close or ack.
+ * (release_op SMB2_OP_CLOSE/SMB2_OP_BREAK).
+ *
+ * Windows doesn't detect replays in this case and
+ * always result in NT_STATUS_SHARING_VIOLATION.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ */
+static bool _test_dhv2_pending1_vs_violation(struct torture_context *tctx,
+					     const char *testname,
+					     struct smb2_tree *tree1,
+					     uint8_t client1_level,
+					     uint8_t release_op,
+					     struct smb2_tree *tree2,
+					     uint8_t client2_level,
+					     NTSTATUS orig21_reject_status,
+					     NTSTATUS replay22_reject_status,
+					     NTSTATUS replay23_reject_status)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle *h2f = NULL;
+	struct smb2_handle _h21;
+	struct smb2_handle *h21 = NULL;
+	struct smb2_handle _h23;
+	struct smb2_handle *h23 = NULL;
+	struct smb2_handle _h24;
+	struct smb2_handle *h24 = NULL;
+	struct smb2_create io1, io21, io22, io23, io24;
+	struct GUID create_guid1 = GUID_random();
+	struct GUID create_guid2 = GUID_random();
+	struct smb2_request *req21 = NULL;
+	struct smb2_request *req22 = NULL;
+	bool ret = true;
+	char fname[256];
+	struct smb2_transport *transport1 = tree1->session->transport;
+	uint32_t server_capabilities;
+	uint32_t share_capabilities;
+	struct smb2_lease ls1;
+	uint64_t lease_key1;
+	uint16_t lease_epoch1 = 0;
+	struct smb2_break op_ack1;
+	struct smb2_lease_break_ack lb_ack1;
+	struct smb2_lease ls2;
+	uint64_t lease_key2;
+	uint16_t lease_epoch2 = 0;
+	bool share_is_so;
+	struct smb2_transport *transport2 = tree2->session->transport;
+	int request_timeout2 = transport2->options.request_timeout;
+	struct smb2_session *session2 = tree2->session;
+	const char *hold_name = NULL;
+
+	switch (client1_level) {
+	case SMB2_OPLOCK_LEVEL_LEASE:
+		hold_name = "RWH Lease";
+		break;
+	case SMB2_OPLOCK_LEVEL_BATCH:
+		hold_name = "BATCH Oplock";
+		break;
+	default:
+		smb_panic(__location__);
+		break;
+	}
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport1->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		if (client1_level == SMB2_OPLOCK_LEVEL_LEASE ||
+		    client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			torture_skip(tctx, "leases are not supported");
+		}
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+	if (share_is_so) {
+		torture_skip(tctx, talloc_asprintf(tctx,
+			     "%s not supported on SCALEOUT share",
+			     hold_name));
+	}
+
+	/* Add some random component to the file name. */
+	snprintf(fname, sizeof(fname), "%s\\%s_%s.dat",
+		 BASEDIR, testname, generate_random_str(tctx, 8));
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	ZERO_STRUCT(op_ack1);
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+	ZERO_STRUCT(lb_ack1);
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+	transport1->lease.handler = torture_lease_handler;
+	transport1->lease.private_data = tree1;
+	smb2_keepalive(transport1);
+	transport2->oplock.handler = torture_oplock_ack_handler;
+	transport2->oplock.private_data = tree2;
+	transport2->lease.handler = torture_lease_handler;
+	transport2->lease.private_data = tree2;
+	smb2_keepalive(transport2);
+
+	smb2_util_unlink(tree1, fname);
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key1 = random();
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io1, &ls1, false /* dir */, fname,
+			lease_key1, NULL, smb2_util_lease_state("RWH"), lease_epoch1++);
+	} else {
+		smb2_oplock_create(&io1, fname, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	io1.in.share_access = 0;
+	io1.in.desired_access = SEC_RIGHTS_FILE_ALL;
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid1;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree1, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[0], lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[1], ~lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_epoch, lease_epoch1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RWH"));
+	} else {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	CHECK_VAL(io1.out.durable_open_v2, true);
+	CHECK_VAL(io1.out.timeout, 300*1000);
+
+	lease_key2 = random();
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io21, &ls2, false /* dir */, fname,
+			lease_key2, NULL, smb2_util_lease_state("RWH"), lease_epoch2++);
+	} else {
+		smb2_oplock_create(&io21, fname, client2_level);
+	}
+	io21.in.share_access = 0;
+	io21.in.desired_access = SEC_RIGHTS_FILE_ALL;
+	io21.in.desired_access = SEC_RIGHTS_FILE_READ;
+	io21.in.durable_open = false;
+	io21.in.durable_open_v2 = true;
+	io21.in.persistent_open = false;
+	io21.in.create_guid = create_guid2;
+	io21.in.timeout = UINT32_MAX;
+	io24 = io23 = io22 = io21;
+
+	req21 = smb2_create_send(tree2, &io21);
+	torture_assert(tctx, req21 != NULL, "req21");
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		const struct smb2_lease_break *lb =
+			&lease_break_info.lease_break;
+		const struct smb2_lease *l = &lb->current_lease;
+		const struct smb2_lease_key *k = &l->lease_key;
+
+		torture_wait_for_lease_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 1);
+
+		torture_assert(tctx,
+			lease_break_info.lease_transport == transport1,
+			"expect lease break on transport1\n");
+		CHECK_VAL(k->data[0], lease_key1);
+		CHECK_VAL(k->data[1], ~lease_key1);
+		/*
+		 * With share none the handle lease
+		 * is broken.
+		 */
+		CHECK_VAL(lb->new_lease_state,
+			  smb2_util_lease_state("RW"));
+		CHECK_VAL(lb->break_flags,
+			  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+		CHECK_VAL(lb->new_epoch, lease_epoch1+1);
+		lease_epoch1 += 1;
+
+		lb_ack1.in.lease.lease_key = lb->current_lease.lease_key;
+		lb_ack1.in.lease.lease_state = lb->new_lease_state;
+	} else {
+		torture_wait_for_oplock_break(tctx);
+		CHECK_VAL(break_info.count, 1);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		torture_assert(tctx,
+			break_info.received_transport == transport1,
+			"expect oplock break on transport1\n");
+		CHECK_VAL(break_info.handle.data[0], _h1.data[0]);
+		CHECK_VAL(break_info.handle.data[1], _h1.data[1]);
+		CHECK_VAL(break_info.level, SMB2_OPLOCK_LEVEL_II);
+
+		op_ack1.in = break_info.br.in;
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+
+	WAIT_FOR_ASYNC_RESPONSE(tctx, req21);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	if (NT_STATUS_EQUAL(replay22_reject_status, NT_STATUS_SHARING_VIOLATION)) {
+		/*
+		 * The server is broken and doesn't
+		 * detect a replay, so we start an async
+		 * request and send a lease break ack
+		 * after 5 seconds in order to avoid
+		 * the 35 second delay.
+		 */
+		torture_comment(tctx, "Starting ASYNC Replay req22 expecting %s\n",
+				nt_errstr(replay22_reject_status));
+		smb2cli_session_start_replay(session2->smbXcli);
+		transport2->options.request_timeout = 15;
+		req22 = smb2_create_send(tree2, &io22);
+		torture_assert(tctx, req22 != NULL, "req22");
+		transport2->options.request_timeout = request_timeout2;
+		smb2cli_session_stop_replay(session2->smbXcli);
+
+		WAIT_FOR_ASYNC_RESPONSE(tctx, req22);
+	} else {
+		torture_comment(tctx, "SYNC Replay io22 expecting %s\n",
+				nt_errstr(replay22_reject_status));
+		smb2cli_session_start_replay(session2->smbXcli);
+		transport2->options.request_timeout = 5;
+		status = smb2_create(tree2, tctx, &io22);
+		CHECK_STATUS(status, replay22_reject_status);
+		transport2->options.request_timeout = request_timeout2;
+		smb2cli_session_stop_replay(session2->smbXcli);
+	}
+
+	/*
+	 * We don't expect any action for 35 seconds
+	 *
+	 * But we sleep just 5 seconds before we
+	 * ack the break.
+	 */
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+		torture_wait_for_lease_break(tctx);
+		torture_wait_for_lease_break(tctx);
+		torture_wait_for_lease_break(tctx);
+		torture_wait_for_lease_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		if (release_op == SMB2_OP_CLOSE) {
+			torture_comment(tctx, "Closing h1\n");
+			smb2_util_close(tree1, _h1);
+			h1 = NULL;
+		} else {
+			torture_comment(tctx, "Acking lease_key1\n");
+			status = smb2_lease_break_ack(tree1, &lb_ack1);
+			CHECK_STATUS(status, NT_STATUS_OK);
+			CHECK_VAL(lb_ack1.out.lease.lease_flags, 0);
+			CHECK_VAL(lb_ack1.out.lease.lease_state, lb_ack1.in.lease.lease_state);
+			CHECK_VAL(lb_ack1.out.lease.lease_key.data[0], lease_key1);
+			CHECK_VAL(lb_ack1.out.lease.lease_key.data[1], ~lease_key1);
+			CHECK_VAL(lb_ack1.out.lease.lease_duration, 0);
+		}
+	} else {
+		torture_wait_for_oplock_break(tctx);
+		torture_wait_for_oplock_break(tctx);
+		torture_wait_for_oplock_break(tctx);
+		torture_wait_for_oplock_break(tctx);
+		torture_wait_for_oplock_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		if (release_op == SMB2_OP_CLOSE) {
+			torture_comment(tctx, "Closing h1\n");
+			smb2_util_close(tree1, _h1);
+			h1 = NULL;
+		} else {
+			torture_comment(tctx, "Acking break h1\n");
+			status = smb2_break(tree1, &op_ack1);
+			CHECK_STATUS(status, NT_STATUS_OK);
+			CHECK_VAL(op_ack1.out.oplock_level, op_ack1.in.oplock_level);
+		}
+	}
+
+	torture_comment(tctx, "Checking req21 expecting %s\n",
+			nt_errstr(orig21_reject_status));
+	status = smb2_create_recv(req21, tctx, &io21);
+	CHECK_STATUS(status, orig21_reject_status);
+	if (NT_STATUS_IS_OK(orig21_reject_status)) {
+		_h21 = io21.out.file.handle;
+		h21 = &_h21;
+		if (h2f == NULL) {
+			h2f = h21;
+		}
+		CHECK_VAL(h21->data[0], h2f->data[0]);
+		CHECK_VAL(h21->data[1], h2f->data[1]);
+		CHECK_CREATED(&io21, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+		CHECK_VAL(io21.out.oplock_level, client2_level);
+		CHECK_VAL(io21.out.durable_open, false);
+		if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			CHECK_VAL(io21.out.lease_response_v2.lease_key.data[0], lease_key2);
+			CHECK_VAL(io21.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+			CHECK_VAL(io21.out.lease_response_v2.lease_epoch, lease_epoch2);
+			CHECK_VAL(io21.out.lease_response_v2.lease_state,
+				  smb2_util_lease_state("RHW"));
+			CHECK_VAL(io21.out.durable_open_v2, true);
+			CHECK_VAL(io21.out.timeout, 300*1000);
+		} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+			CHECK_VAL(io21.out.durable_open_v2, true);
+			CHECK_VAL(io21.out.timeout, 300*1000);
+		} else {
+			CHECK_VAL(io21.out.durable_open_v2, false);
+		}
+	}
+
+	if (NT_STATUS_EQUAL(replay22_reject_status, NT_STATUS_SHARING_VIOLATION)) {
+		torture_comment(tctx, "Checking req22 expecting %s\n",
+				nt_errstr(replay22_reject_status));
+		status = smb2_create_recv(req22, tctx, &io22);
+		CHECK_STATUS(status, replay22_reject_status);
+	}
+
+	torture_comment(tctx, "SYNC Replay io23 expecting %s\n",
+			nt_errstr(replay23_reject_status));
+	smb2cli_session_start_replay(session2->smbXcli);
+	transport2->options.request_timeout = 5;
+	status = smb2_create(tree2, tctx, &io23);
+	transport2->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, replay23_reject_status);
+	smb2cli_session_stop_replay(session2->smbXcli);
+	if (NT_STATUS_IS_OK(replay23_reject_status)) {
+		_h23 = io23.out.file.handle;
+		h23 = &_h23;
+		if (h2f == NULL) {
+			h2f = h23;
+		}
+		CHECK_VAL(h23->data[0], h2f->data[0]);
+		CHECK_VAL(h23->data[1], h2f->data[1]);
+		CHECK_CREATED(&io23, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+		CHECK_VAL(io23.out.oplock_level, client2_level);
+		CHECK_VAL(io23.out.durable_open, false);
+		if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			CHECK_VAL(io23.out.lease_response_v2.lease_key.data[0], lease_key2);
+			CHECK_VAL(io23.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+			CHECK_VAL(io23.out.lease_response_v2.lease_epoch, lease_epoch2);
+			CHECK_VAL(io23.out.lease_response_v2.lease_state,
+				  smb2_util_lease_state("RHW"));
+			CHECK_VAL(io23.out.durable_open_v2, true);
+			CHECK_VAL(io23.out.timeout, 300*1000);
+		} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+			CHECK_VAL(io23.out.durable_open_v2, true);
+			CHECK_VAL(io23.out.timeout, 300*1000);
+		} else {
+			CHECK_VAL(io23.out.durable_open_v2, false);
+		}
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	if (h1 != NULL) {
+		torture_comment(tctx, "Closing h1\n");
+		smb2_util_close(tree1, _h1);
+		h1 = NULL;
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	torture_comment(tctx, "SYNC Replay io24 expecting %s\n",
+			nt_errstr(NT_STATUS_OK));
+	smb2cli_session_start_replay(session2->smbXcli);
+	transport2->options.request_timeout = 5;
+	status = smb2_create(tree2, tctx, &io24);
+	transport2->options.request_timeout = request_timeout2;
+	smb2cli_session_stop_replay(session2->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h24 = io24.out.file.handle;
+	h24 = &_h24;
+	if (h2f == NULL) {
+		h2f = h24;
+	}
+	CHECK_VAL(h24->data[0], h2f->data[0]);
+	CHECK_VAL(h24->data[1], h2f->data[1]);
+	CHECK_CREATED(&io24, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io24.out.oplock_level, client2_level);
+	CHECK_VAL(io24.out.durable_open, false);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io24.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+	status = smb2_util_close(tree2, *h24);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	h24 = NULL;
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+done:
+
+	smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree1, *h1);
+	}
+
+	smb2_deltree(tree1, BASEDIR);
+
+	TALLOC_FREE(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/*
+ * This tests replay with a pending open on a single
+ * channel. It tests the case where the client2 open
+ * is deferred because it conflicts with a HANDLE lease,
+ * which is broken because the operation should otherwise
+ * return NT_STATUS_SHARING_VIOLATION.
+ *
+ * With a durablev2 request containing a create_guid,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease,
+ * which is released by a close.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_SHARING_VIOLATION to the replay (after
+ * 35 seconds), and this tests reports NT_STATUS_IO_TIMEOUT,
+ * as it expects a NT_STATUS_FILE_NOT_AVAILABLE within 5 seconds.
+ * see test_dhv2_pending1n_vs_violation_lease_close_windows().
+ */
+static bool test_dhv2_pending1n_vs_violation_lease_close_sane(struct torture_context *tctx,
+							      struct smb2_tree *tree1,
+							      struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_violation(tctx, __func__,
+						tree1,
+						SMB2_OPLOCK_LEVEL_LEASE,
+						SMB2_OP_CLOSE,
+						tree2,
+						SMB2_OPLOCK_LEVEL_NONE,
+						NT_STATUS_OK,
+						NT_STATUS_FILE_NOT_AVAILABLE,
+						NT_STATUS_OK);
+}
+
+/*
+ * This tests replay with a pending open on a single
+ * channel. It tests the case where the client2 open
+ * is deferred because it conflicts with a HANDLE lease,
+ * which is broken because the operation should otherwise
+ * return NT_STATUS_SHARING_VIOLATION.
+ *
+ * With a durablev2 request containing a create_guid,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease,
+ * which is released by a close.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange behavior of ignoring the
+ * replay, which is returned done by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE
+ * see test_dhv2_pending1n_vs_violation_lease_close_sane().
+ */
+static bool test_dhv2_pending1n_vs_violation_lease_close_windows(struct torture_context *tctx,
+								 struct smb2_tree *tree1,
+								 struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_violation(tctx, __func__,
+						tree1,
+						SMB2_OPLOCK_LEVEL_LEASE,
+						SMB2_OP_CLOSE,
+						tree2,
+						SMB2_OPLOCK_LEVEL_NONE,
+						NT_STATUS_OK,
+						NT_STATUS_SHARING_VIOLATION,
+						NT_STATUS_OK);
+}
+
+/*
+ * This tests replay with a pending open on a single
+ * channel. It tests the case where the client2 open
+ * is deferred because it conflicts with a HANDLE lease,
+ * which is broken because the operation should otherwise
+ * return NT_STATUS_SHARING_VIOLATION.
+ *
+ * With a durablev2 request containing a create_guid,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease,
+ * which is released by a lease break ack.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_SHARING_VIOLATION to the replay (after
+ * 35 seconds), and this tests reports NT_STATUS_IO_TIMEOUT,
+ * as it expects a NT_STATUS_FILE_NOT_AVAILABLE within 5 seconds.
+ * see test_dhv2_pending1n_vs_violation_lease_ack_windows().
+ */
+static bool test_dhv2_pending1n_vs_violation_lease_ack_sane(struct torture_context *tctx,
+							    struct smb2_tree *tree1,
+							    struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_violation(tctx, __func__,
+						tree1,
+						SMB2_OPLOCK_LEVEL_LEASE,
+						SMB2_OP_BREAK,
+						tree2,
+						SMB2_OPLOCK_LEVEL_NONE,
+						NT_STATUS_SHARING_VIOLATION,
+						NT_STATUS_FILE_NOT_AVAILABLE,
+						NT_STATUS_SHARING_VIOLATION);
+}
+
+/*
+ * This tests replay with a pending open on a single
+ * channel. It tests the case where the client2 open
+ * is deferred because it conflicts with a HANDLE lease,
+ * which is broken because the operation should otherwise
+ * return NT_STATUS_SHARING_VIOLATION.
+ *
+ * With a durablev2 request containing a create_guid,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease,
+ * which is released by a close.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange behavior of ignoring the
+ * replay, which is returned done by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE
+ * see test_dhv2_pending1n_vs_violation_lease_ack_sane().
+ */
+static bool test_dhv2_pending1n_vs_violation_lease_ack_windows(struct torture_context *tctx,
+							       struct smb2_tree *tree1,
+							       struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_violation(tctx, __func__,
+						tree1,
+						SMB2_OPLOCK_LEVEL_LEASE,
+						SMB2_OP_BREAK,
+						tree2,
+						SMB2_OPLOCK_LEVEL_NONE,
+						NT_STATUS_SHARING_VIOLATION,
+						NT_STATUS_SHARING_VIOLATION,
+						NT_STATUS_SHARING_VIOLATION);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid and
+ * a share_access of READ/WRITE/DELETE:
+ * - client2_level = NONE:
+ *   but without asking for an oplock nor a lease.
+ * - client2_level = BATCH:
+ *   and asking for a batch oplock.
+ * - client2_level = LEASE
+ *   and asking for an RWH lease.
+ *
+ * While another client holds a batch oplock or
+ * RWH lease. (client1_level => LEASE or BATCH).
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ */
+static bool _test_dhv2_pending1_vs_hold(struct torture_context *tctx,
+					const char *testname,
+					uint8_t client1_level,
+					uint8_t client2_level,
+					NTSTATUS reject_status,
+					struct smb2_tree *tree1,
+					struct smb2_tree *tree2)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h21;
+	struct smb2_handle *h21 = NULL;
+	struct smb2_handle _h24;
+	struct smb2_handle *h24 = NULL;
+	struct smb2_create io1, io21, io22, io23, io24;
+	struct GUID create_guid1 = GUID_random();
+	struct GUID create_guid2 = GUID_random();
+	struct smb2_request *req21 = NULL;
+	bool ret = true;
+	char fname[256];
+	struct smb2_transport *transport1 = tree1->session->transport;
+	uint32_t server_capabilities;
+	uint32_t share_capabilities;
+	struct smb2_lease ls1;
+	uint64_t lease_key1;
+	uint16_t lease_epoch1 = 0;
+	struct smb2_lease ls2;
+	uint64_t lease_key2;
+	uint16_t lease_epoch2 = 0;
+	bool share_is_so;
+	struct smb2_transport *transport2 = tree2->session->transport;
+	int request_timeout2 = transport2->options.request_timeout;
+	struct smb2_session *session2 = tree2->session;
+	const char *hold_name = NULL;
+
+	switch (client1_level) {
+	case SMB2_OPLOCK_LEVEL_LEASE:
+		hold_name = "RWH Lease";
+		break;
+	case SMB2_OPLOCK_LEVEL_BATCH:
+		hold_name = "BATCH Oplock";
+		break;
+	default:
+		smb_panic(__location__);
+		break;
+	}
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport1->conn);
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		if (client1_level == SMB2_OPLOCK_LEVEL_LEASE ||
+		    client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			torture_skip(tctx, "leases are not supported");
+		}
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+	if (share_is_so) {
+		torture_skip(tctx, talloc_asprintf(tctx,
+			     "%s not supported on SCALEOUT share",
+			     hold_name));
+	}
+
+	/* Add some random component to the file name. */
+	snprintf(fname, sizeof(fname), "%s\\%s_%s.dat",
+		 BASEDIR, testname, generate_random_str(tctx, 8));
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+	transport1->lease.handler = torture_lease_handler;
+	transport1->lease.private_data = tree1;
+	smb2_keepalive(transport1);
+	transport2->oplock.handler = torture_oplock_ack_handler;
+	transport2->oplock.private_data = tree2;
+	transport2->lease.handler = torture_lease_handler;
+	transport2->lease.private_data = tree2;
+	smb2_keepalive(transport2);
+
+	smb2_util_unlink(tree1, fname);
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key1 = random();
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io1, &ls1, false /* dir */, fname,
+			lease_key1, NULL, smb2_util_lease_state("RWH"), lease_epoch1++);
+	} else {
+		smb2_oplock_create(&io1, fname, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	io1.in.share_access = smb2_util_share_access("RWD");
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid1;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree1, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[0], lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[1], ~lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_epoch, lease_epoch1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+	} else {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	CHECK_VAL(io1.out.durable_open_v2, true);
+	CHECK_VAL(io1.out.timeout, 300*1000);
+
+	lease_key2 = random();
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io21, &ls2, false /* dir */, fname,
+			lease_key2, NULL, smb2_util_lease_state("RWH"), lease_epoch2++);
+	} else {
+		smb2_oplock_create(&io21, fname, client2_level);
+	}
+	io21.in.share_access = smb2_util_share_access("RWD");
+	io21.in.durable_open = false;
+	io21.in.durable_open_v2 = true;
+	io21.in.persistent_open = false;
+	io21.in.create_guid = create_guid2;
+	io21.in.timeout = UINT32_MAX;
+	io24 = io23 = io22 = io21;
+
+	req21 = smb2_create_send(tree2, &io21);
+	torture_assert(tctx, req21 != NULL, "req21");
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		const struct smb2_lease_break *lb =
+			&lease_break_info.lease_break;
+		const struct smb2_lease *l = &lb->current_lease;
+		const struct smb2_lease_key *k = &l->lease_key;
+
+		torture_wait_for_lease_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 1);
+
+		torture_assert(tctx,
+			lease_break_info.lease_transport == transport1,
+			"expect lease break on transport1\n");
+		CHECK_VAL(k->data[0], lease_key1);
+		CHECK_VAL(k->data[1], ~lease_key1);
+		CHECK_VAL(lb->new_lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(lb->break_flags,
+			  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+		CHECK_VAL(lb->new_epoch, lease_epoch1+1);
+		lease_epoch1 += 1;
+	} else {
+		torture_wait_for_oplock_break(tctx);
+		CHECK_VAL(break_info.count, 1);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		torture_assert(tctx,
+			break_info.received_transport == transport1,
+			"expect oplock break on transport1\n");
+		CHECK_VAL(break_info.handle.data[0], _h1.data[0]);
+		CHECK_VAL(break_info.handle.data[1], _h1.data[1]);
+		CHECK_VAL(break_info.level, SMB2_OPLOCK_LEVEL_II);
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+
+	WAIT_FOR_ASYNC_RESPONSE(tctx, req21);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2cli_session_start_replay(session2->smbXcli);
+	transport2->options.request_timeout = 5;
+	status = smb2_create(tree2, tctx, &io22);
+	transport2->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2cli_session_start_replay(session2->smbXcli);
+	transport2->options.request_timeout = 5;
+	status = smb2_create(tree2, tctx, &io23);
+	transport2->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2_util_close(tree1, _h1);
+	h1 = NULL;
+
+	status = smb2_create_recv(req21, tctx, &io21);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h21 = io21.out.file.handle;
+	h21 = &_h21;
+	CHECK_CREATED(&io21, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io21.out.oplock_level, client2_level);
+	CHECK_VAL(io21.out.durable_open, false);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io21.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io21.out.durable_open_v2, true);
+		CHECK_VAL(io21.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io21.out.durable_open_v2, true);
+		CHECK_VAL(io21.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io21.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2cli_session_start_replay(session2->smbXcli);
+	status = smb2_create(tree2, tctx, &io24);
+	smb2cli_session_stop_replay(session2->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h24 = io24.out.file.handle;
+	h24 = &_h24;
+	CHECK_CREATED(&io24, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(h24->data[0], h21->data[0]);
+	CHECK_VAL(h24->data[1], h21->data[1]);
+	CHECK_VAL(io24.out.oplock_level, client2_level);
+	CHECK_VAL(io24.out.durable_open, false);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io24.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+	status = smb2_util_close(tree2, *h24);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	h24 = NULL;
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+done:
+
+	smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree1, *h1);
+	}
+
+	smb2_deltree(tree1, BASEDIR);
+
+	TALLOC_FREE(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1n_vs_oplock_windows().
+ */
+static bool test_dhv2_pending1n_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1n_vs_oplock_sane.
+ */
+static bool test_dhv2_pending1n_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1n_vs_lease_windows().
+ */
+static bool test_dhv2_pending1n_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1n_vs_lease_sane.
+ */
+static bool test_dhv2_pending1n_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1l_vs_oplock_windows().
+ */
+static bool test_dhv2_pending1l_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1l_vs_oplock_sane.
+ */
+static bool test_dhv2_pending1l_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1l_vs_lease_windows().
+ */
+static bool test_dhv2_pending1l_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1l_vs_lease_sane.
+ */
+static bool test_dhv2_pending1l_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1o_vs_oplock_windows().
+ */
+static bool test_dhv2_pending1o_vs_oplock_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1o_vs_oplock_sane.
+ */
+static bool test_dhv2_pending1o_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending1o_vs_lease_windows().
+ */
+static bool test_dhv2_pending1o_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open on a single
+ * channel.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending1o_vs_lease_sane.
+ */
+static bool test_dhv2_pending1o_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2)
+{
+	return _test_dhv2_pending1_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid and
+ * a share_access of READ/WRITE/DELETE:
+ * - client2_level = NONE:
+ *   but without asking for an oplock nor a lease.
+ * - client2_level = BATCH:
+ *   and asking for a batch oplock.
+ * - client2_level = LEASE
+ *   and asking for an RWH lease.
+ *
+ * While another client holds a batch oplock or
+ * RWH lease. (client1_level => LEASE or BATCH).
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ */
+static bool _test_dhv2_pending2_vs_hold(struct torture_context *tctx,
+					const char *testname,
+					uint8_t client1_level,
+					uint8_t client2_level,
+					NTSTATUS reject_status,
+					struct smb2_tree *tree1,
+					struct smb2_tree *tree2_1)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *credentials = samba_cmdline_get_creds();
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h24;
+	struct smb2_handle *h24 = NULL;
+	struct smb2_create io1, io21, io22, io23, io24;
+	struct GUID create_guid1 = GUID_random();
+	struct GUID create_guid2 = GUID_random();
+	struct smb2_request *req21 = NULL;
+	bool ret = true;
+	char fname[256];
+	struct smb2_transport *transport1 = tree1->session->transport;
+	uint32_t server_capabilities;
+	uint32_t share_capabilities;
+	struct smb2_lease ls1;
+	uint64_t lease_key1;
+	uint16_t lease_epoch1 = 0;
+	struct smb2_lease ls2;
+	uint64_t lease_key2;
+	uint16_t lease_epoch2 = 0;
+	bool share_is_so;
+	struct smb2_transport *transport2_1 = tree2_1->session->transport;
+	int request_timeout2 = transport2_1->options.request_timeout;
+	struct smbcli_options options2x;
+	struct smb2_tree *tree2_2 = NULL;
+	struct smb2_tree *tree2_3 = NULL;
+	struct smb2_tree *tree2_4 = NULL;
+	struct smb2_transport *transport2_2 = NULL;
+	struct smb2_transport *transport2_3 = NULL;
+	struct smb2_transport *transport2_4 = NULL;
+	struct smb2_session *session2_1 = tree2_1->session;
+	struct smb2_session *session2_2 = NULL;
+	struct smb2_session *session2_3 = NULL;
+	struct smb2_session *session2_4 = NULL;
+	uint16_t csn2 = 1;
+	const char *hold_name = NULL;
+
+	switch (client1_level) {
+	case SMB2_OPLOCK_LEVEL_LEASE:
+		hold_name = "RWH Lease";
+		break;
+	case SMB2_OPLOCK_LEVEL_BATCH:
+		hold_name = "BATCH Oplock";
+		break;
+	default:
+		smb_panic(__location__);
+		break;
+	}
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport1->conn);
+	if (!(server_capabilities & SMB2_CAP_MULTI_CHANNEL)) {
+		torture_skip(tctx, "MULTI_CHANNEL are not supported");
+	}
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		if (client1_level == SMB2_OPLOCK_LEVEL_LEASE ||
+		    client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			torture_skip(tctx, "leases are not supported");
+		}
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+	if (share_is_so) {
+		torture_skip(tctx, talloc_asprintf(tctx,
+			     "%s not supported on SCALEOUT share",
+			     hold_name));
+	}
+
+	/* Add some random component to the file name. */
+	snprintf(fname, sizeof(fname), "%s\\%s_%s.dat",
+		 BASEDIR, testname, generate_random_str(tctx, 8));
+
+	options2x = transport2_1->options;
+	options2x.only_negprot = true;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_2,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_2 = tree2_2->session->transport;
+
+	session2_2 = smb2_session_channel(transport2_2,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_2 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_2,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_2->smbXcli = tree2_1->smbXcli;
+	tree2_2->session = session2_2;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_3,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_3 = tree2_3->session->transport;
+
+	session2_3 = smb2_session_channel(transport2_3,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_3,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_3->smbXcli = tree2_1->smbXcli;
+	tree2_3->session = session2_3;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_4,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_4 = tree2_4->session->transport;
+
+	session2_4 = smb2_session_channel(transport2_4,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_4 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_4,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_4->smbXcli = tree2_1->smbXcli;
+	tree2_4->session = session2_4;
+
+	smb2cli_session_reset_channel_sequence(session2_2->smbXcli, csn2++);
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+	transport1->lease.handler = torture_lease_handler;
+	transport1->lease.private_data = tree1;
+	smb2_keepalive(transport1);
+	transport2_1->oplock.handler = torture_oplock_ack_handler;
+	transport2_1->oplock.private_data = tree2_1;
+	transport2_1->lease.handler = torture_lease_handler;
+	transport2_1->lease.private_data = tree2_1;
+	smb2_keepalive(transport2_1);
+	transport2_2->oplock.handler = torture_oplock_ack_handler;
+	transport2_2->oplock.private_data = tree2_2;
+	transport2_2->lease.handler = torture_lease_handler;
+	transport2_2->lease.private_data = tree2_2;
+	smb2_keepalive(transport2_2);
+	transport2_3->oplock.handler = torture_oplock_ack_handler;
+	transport2_3->oplock.private_data = tree2_3;
+	transport2_3->lease.handler = torture_lease_handler;
+	transport2_3->lease.private_data = tree2_3;
+	smb2_keepalive(transport2_3);
+	transport2_4->oplock.handler = torture_oplock_ack_handler;
+	transport2_4->oplock.private_data = tree2_4;
+	transport2_4->lease.handler = torture_lease_handler;
+	transport2_4->lease.private_data = tree2_4;
+	smb2_keepalive(transport2_4);
+
+	smb2_util_unlink(tree1, fname);
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key1 = random();
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io1, &ls1, false /* dir */, fname,
+			lease_key1, NULL, smb2_util_lease_state("RWH"), lease_epoch1++);
+	} else {
+		smb2_oplock_create(&io1, fname, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid1;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree1, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[0], lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[1], ~lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_epoch, lease_epoch1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+	} else {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	CHECK_VAL(io1.out.durable_open_v2, true);
+	CHECK_VAL(io1.out.timeout, 300*1000);
+
+	lease_key2 = random();
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io21, &ls2, false /* dir */, fname,
+			lease_key2, NULL, smb2_util_lease_state("RWH"), lease_epoch2++);
+	} else {
+		smb2_oplock_create(&io21, fname, client2_level);
+	}
+	io21.in.durable_open = false;
+	io21.in.durable_open_v2 = true;
+	io21.in.persistent_open = false;
+	io21.in.create_guid = create_guid2;
+	io21.in.timeout = UINT32_MAX;
+	io24 = io23 = io22 = io21;
+
+	req21 = smb2_create_send(tree2_1, &io21);
+	torture_assert(tctx, req21 != NULL, "req21");
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		const struct smb2_lease_break *lb =
+			&lease_break_info.lease_break;
+		const struct smb2_lease *l = &lb->current_lease;
+		const struct smb2_lease_key *k = &l->lease_key;
+
+		torture_wait_for_lease_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 1);
+
+		torture_assert(tctx,
+			lease_break_info.lease_transport == transport1,
+			"expect lease break on transport1\n");
+		CHECK_VAL(k->data[0], lease_key1);
+		CHECK_VAL(k->data[1], ~lease_key1);
+		CHECK_VAL(lb->new_lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(lb->break_flags,
+			  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+		CHECK_VAL(lb->new_epoch, lease_epoch1+1);
+		lease_epoch1 += 1;
+	} else {
+		torture_wait_for_oplock_break(tctx);
+		CHECK_VAL(break_info.count, 1);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		torture_assert(tctx,
+			break_info.received_transport == transport1,
+			"expect oplock break on transport1\n");
+		CHECK_VAL(break_info.handle.data[0], _h1.data[0]);
+		CHECK_VAL(break_info.handle.data[1], _h1.data[1]);
+		CHECK_VAL(break_info.level, SMB2_OPLOCK_LEVEL_II);
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+
+	WAIT_FOR_ASYNC_RESPONSE(tctx, req21);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smbXcli_conn_disconnect(transport2_1->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smb2cli_session_reset_channel_sequence(session2_1->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_2->smbXcli);
+	transport2_2->options.request_timeout = 5;
+	status = smb2_create(tree2_2, tctx, &io22);
+	transport2_2->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2_2->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smbXcli_conn_disconnect(transport2_2->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smb2cli_session_reset_channel_sequence(session2_2->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_3->smbXcli);
+	transport2_3->options.request_timeout = 5;
+	status = smb2_create(tree2_3, tctx, &io23);
+	transport2_3->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2_3->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2_util_close(tree1, _h1);
+	h1 = NULL;
+
+	status = smb2_create_recv(req21, tctx, &io21);
+	CHECK_STATUS(status, NT_STATUS_LOCAL_DISCONNECT);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smbXcli_conn_disconnect(transport2_3->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smb2cli_session_reset_channel_sequence(session2_3->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_4->smbXcli);
+	status = smb2_create(tree2_4, tctx, &io24);
+	smb2cli_session_stop_replay(session2_4->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h24 = io24.out.file.handle;
+	h24 = &_h24;
+	CHECK_CREATED(&io24, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io24.out.oplock_level, client2_level);
+	CHECK_VAL(io24.out.durable_open, false);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io24.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+	status = smb2_util_close(tree2_4, *h24);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	h24 = NULL;
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+done:
+
+	smbXcli_conn_disconnect(transport2_1->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_2->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_3->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_4->conn, NT_STATUS_LOCAL_DISCONNECT);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree1, *h1);
+	}
+
+	smb2_deltree(tree1, BASEDIR);
+
+	TALLOC_FREE(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2n_vs_lease_windows().
+ */
+static bool test_dhv2_pending2n_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2n_vs_lease_sane().
+ */
+static bool test_dhv2_pending2n_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2n_vs_oplock_windows().
+ */
+static bool test_dhv2_pending2n_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2n_vs_oplock_sane().
+ */
+static bool test_dhv2_pending2n_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2l_vs_oplock_windows().
+ */
+static bool test_dhv2_pending2l_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2l_vs_oplock_sane().
+ */
+static bool test_dhv2_pending2l_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2l_vs_oplock_windows().
+ */
+static bool test_dhv2_pending2l_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2l_vs_oplock_sane().
+ */
+static bool test_dhv2_pending2l_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2o_vs_oplock_windows().
+ */
+static bool test_dhv2_pending2o_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2o_vs_oplock_sane().
+ */
+static bool test_dhv2_pending2o_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending2o_vs_lease_windows().
+ */
+static bool test_dhv2_pending2o_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and closed transports on the client and server side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending2o_vs_lease_sane().
+ */
+static bool test_dhv2_pending2o_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending2_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid and
+ * a share_access of READ/WRITE/DELETE:
+ * - client2_level = NONE:
+ *   but without asking for an oplock nor a lease.
+ * - client2_level = BATCH:
+ *   and asking for a batch oplock.
+ * - client2_level = LEASE
+ *   and asking for an RWH lease.
+ *
+ * While another client holds a batch oplock or
+ * RWH lease. (client1_level => LEASE or BATCH).
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ */
+static bool _test_dhv2_pending3_vs_hold(struct torture_context *tctx,
+					const char *testname,
+					uint8_t client1_level,
+					uint8_t client2_level,
+					NTSTATUS reject_status,
+					struct smb2_tree *tree1,
+					struct smb2_tree *tree2_1)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *credentials = samba_cmdline_get_creds();
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_handle _h21;
+	struct smb2_handle *h21 = NULL;
+	struct smb2_handle _h24;
+	struct smb2_handle *h24 = NULL;
+	struct smb2_create io1, io21, io22, io23, io24;
+	struct GUID create_guid1 = GUID_random();
+	struct GUID create_guid2 = GUID_random();
+	struct smb2_request *req21 = NULL;
+	bool ret = true;
+	char fname[256];
+	struct smb2_transport *transport1 = tree1->session->transport;
+	uint32_t server_capabilities;
+	uint32_t share_capabilities;
+	struct smb2_lease ls1;
+	uint64_t lease_key1;
+	uint16_t lease_epoch1 = 0;
+	struct smb2_lease ls2;
+	uint64_t lease_key2;
+	uint16_t lease_epoch2 = 0;
+	bool share_is_so;
+	struct smb2_transport *transport2_1 = tree2_1->session->transport;
+	int request_timeout2 = transport2_1->options.request_timeout;
+	struct smbcli_options options2x;
+	struct smb2_tree *tree2_2 = NULL;
+	struct smb2_tree *tree2_3 = NULL;
+	struct smb2_tree *tree2_4 = NULL;
+	struct smb2_transport *transport2_2 = NULL;
+	struct smb2_transport *transport2_3 = NULL;
+	struct smb2_transport *transport2_4 = NULL;
+	struct smb2_session *session2_1 = tree2_1->session;
+	struct smb2_session *session2_2 = NULL;
+	struct smb2_session *session2_3 = NULL;
+	struct smb2_session *session2_4 = NULL;
+	bool block_setup = false;
+	bool blocked2_1 = false;
+	bool blocked2_2 = false;
+	bool blocked2_3 = false;
+	uint16_t csn2 = 1;
+	const char *hold_name = NULL;
+
+	switch (client1_level) {
+	case SMB2_OPLOCK_LEVEL_LEASE:
+		hold_name = "RWH Lease";
+		break;
+	case SMB2_OPLOCK_LEVEL_BATCH:
+		hold_name = "BATCH Oplock";
+		break;
+	default:
+		smb_panic(__location__);
+		break;
+	}
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(transport1->conn);
+	if (!(server_capabilities & SMB2_CAP_MULTI_CHANNEL)) {
+		torture_skip(tctx, "MULTI_CHANNEL are not supported");
+	}
+	if (!(server_capabilities & SMB2_CAP_LEASING)) {
+		if (client1_level == SMB2_OPLOCK_LEVEL_LEASE ||
+		    client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+			torture_skip(tctx, "leases are not supported");
+		}
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+	if (share_is_so) {
+		torture_skip(tctx, talloc_asprintf(tctx,
+			     "%s not supported on SCALEOUT share",
+			     hold_name));
+	}
+
+	/* Add some random component to the file name. */
+	snprintf(fname, sizeof(fname), "%s\\%s_%s.dat",
+		 BASEDIR, testname, generate_random_str(tctx, 8));
+
+	options2x = transport2_1->options;
+	options2x.only_negprot = true;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_2,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_2 = tree2_2->session->transport;
+
+	session2_2 = smb2_session_channel(transport2_2,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_2 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_2,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_2->smbXcli = tree2_1->smbXcli;
+	tree2_2->session = session2_2;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_3,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_3 = tree2_3->session->transport;
+
+	session2_3 = smb2_session_channel(transport2_3,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_3,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_3->smbXcli = tree2_1->smbXcli;
+	tree2_3->session = session2_3;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      credentials,
+			      &tree2_4,
+			      tctx->ev,
+			      &options2x,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			      );
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_connect failed");
+	transport2_4 = tree2_4->session->transport;
+
+	session2_4 = smb2_session_channel(transport2_4,
+					  lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+					  tctx,
+					  session2_1);
+	torture_assert(tctx, session2_4 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session2_4,
+					   credentials,
+					   0 /* previous_session_id */);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_session_setup_spnego failed");
+	tree2_4->smbXcli = tree2_1->smbXcli;
+	tree2_4->session = session2_4;
+
+	smb2cli_session_reset_channel_sequence(session2_2->smbXcli, csn2++);
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+	transport1->lease.handler = torture_lease_handler;
+	transport1->lease.private_data = tree1;
+	smb2_keepalive(transport1);
+	transport2_1->oplock.handler = torture_oplock_ack_handler;
+	transport2_1->oplock.private_data = tree2_1;
+	transport2_1->lease.handler = torture_lease_handler;
+	transport2_1->lease.private_data = tree2_1;
+	smb2_keepalive(transport2_1);
+	transport2_2->oplock.handler = torture_oplock_ack_handler;
+	transport2_2->oplock.private_data = tree2_2;
+	transport2_2->lease.handler = torture_lease_handler;
+	transport2_2->lease.private_data = tree2_2;
+	smb2_keepalive(transport2_2);
+	transport2_3->oplock.handler = torture_oplock_ack_handler;
+	transport2_3->oplock.private_data = tree2_3;
+	transport2_3->lease.handler = torture_lease_handler;
+	transport2_3->lease.private_data = tree2_3;
+	smb2_keepalive(transport2_3);
+	transport2_4->oplock.handler = torture_oplock_ack_handler;
+	transport2_4->oplock.private_data = tree2_4;
+	transport2_4->lease.handler = torture_lease_handler;
+	transport2_4->lease.private_data = tree2_4;
+	smb2_keepalive(transport2_4);
+
+	smb2_util_unlink(tree1, fname);
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h1);
+	CHECK_VAL(break_info.count, 0);
+
+	lease_key1 = random();
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io1, &ls1, false /* dir */, fname,
+			lease_key1, NULL, smb2_util_lease_state("RWH"), lease_epoch1++);
+	} else {
+		smb2_oplock_create(&io1, fname, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	io1.in.durable_open = false;
+	io1.in.durable_open_v2 = true;
+	io1.in.persistent_open = false;
+	io1.in.create_guid = create_guid1;
+	io1.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree1, mem_ctx, &io1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h1 = io1.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io1.out.durable_open, false);
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_LEASE);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[0], lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_key.data[1], ~lease_key1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_epoch, lease_epoch1);
+		CHECK_VAL(io1.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+	} else {
+		CHECK_VAL(io1.out.oplock_level, SMB2_OPLOCK_LEVEL_BATCH);
+	}
+	CHECK_VAL(io1.out.durable_open_v2, true);
+	CHECK_VAL(io1.out.timeout, 300*1000);
+
+	lease_key2 = random();
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		smb2_lease_v2_create(&io21, &ls2, false /* dir */, fname,
+			lease_key2, NULL, smb2_util_lease_state("RWH"), lease_epoch2++);
+	} else {
+		smb2_oplock_create(&io21, fname, client2_level);
+	}
+	io21.in.durable_open = false;
+	io21.in.durable_open_v2 = true;
+	io21.in.persistent_open = false;
+	io21.in.create_guid = create_guid2;
+	io21.in.timeout = UINT32_MAX;
+	io24 = io23 = io22 = io21;
+
+	req21 = smb2_create_send(tree2_1, &io21);
+	torture_assert(tctx, req21 != NULL, "req21");
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		const struct smb2_lease_break *lb =
+			&lease_break_info.lease_break;
+		const struct smb2_lease *l = &lb->current_lease;
+		const struct smb2_lease_key *k = &l->lease_key;
+
+		torture_wait_for_lease_break(tctx);
+		CHECK_VAL(break_info.count, 0);
+		CHECK_VAL(lease_break_info.count, 1);
+
+		torture_assert(tctx,
+			lease_break_info.lease_transport == transport1,
+			"expect lease break on transport1\n");
+		CHECK_VAL(k->data[0], lease_key1);
+		CHECK_VAL(k->data[1], ~lease_key1);
+		CHECK_VAL(lb->new_lease_state,
+			  smb2_util_lease_state("RH"));
+		CHECK_VAL(lb->break_flags,
+			  SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
+		CHECK_VAL(lb->new_epoch, lease_epoch1+1);
+		lease_epoch1 += 1;
+	} else {
+		torture_wait_for_oplock_break(tctx);
+		CHECK_VAL(break_info.count, 1);
+		CHECK_VAL(lease_break_info.count, 0);
+
+		torture_assert(tctx,
+			break_info.received_transport == transport1,
+			"expect oplock break on transport1\n");
+		CHECK_VAL(break_info.handle.data[0], _h1.data[0]);
+		CHECK_VAL(break_info.handle.data[1], _h1.data[1]);
+		CHECK_VAL(break_info.level, SMB2_OPLOCK_LEVEL_II);
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	break_info.oplock_skip_ack = true;
+	torture_reset_lease_break_info(tctx, &lease_break_info);
+	lease_break_info.lease_skip_ack = true;
+
+	WAIT_FOR_ASYNC_RESPONSE(tctx, req21);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	block_setup = test_setup_blocked_transports(tctx);
+	torture_assert(tctx, block_setup, "test_setup_blocked_transports");
+
+	blocked2_1 = _test_block_smb2_transport(tctx, transport2_1, "transport2_1");
+	torture_assert_goto(tctx, blocked2_1, ret, done, "we could not block tcp transport");
+	smb2cli_session_reset_channel_sequence(session2_1->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_2->smbXcli);
+	transport2_2->options.request_timeout = 5;
+	status = smb2_create(tree2_2, tctx, &io22);
+	transport2_2->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2_2->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	blocked2_2 = _test_block_smb2_transport(tctx, transport2_2, "transport2_2");
+	torture_assert_goto(tctx, blocked2_2, ret, done, "we could not block tcp transport");
+	smb2cli_session_reset_channel_sequence(session2_2->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_3->smbXcli);
+	transport2_3->options.request_timeout = 5;
+	status = smb2_create(tree2_3, tctx, &io23);
+	transport2_3->options.request_timeout = request_timeout2;
+	CHECK_STATUS(status, reject_status);
+	smb2cli_session_stop_replay(session2_3->smbXcli);
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	smb2_util_close(tree1, _h1);
+	h1 = NULL;
+
+	status = smb2_create_recv(req21, tctx, &io21);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h21 = io21.out.file.handle;
+	h21 = &_h21;
+	CHECK_CREATED(&io21, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io21.out.oplock_level, client2_level);
+	CHECK_VAL(io21.out.durable_open, false);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io21.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io21.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io21.out.durable_open_v2, true);
+		CHECK_VAL(io21.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io21.out.durable_open_v2, true);
+		CHECK_VAL(io21.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io21.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+	blocked2_3 = _test_block_smb2_transport(tctx, transport2_3, "transport2_3");
+	torture_assert_goto(tctx, blocked2_3, ret, done, "we could not block tcp transport");
+	smb2cli_session_reset_channel_sequence(session2_3->smbXcli, csn2++);
+
+	smb2cli_session_start_replay(session2_4->smbXcli);
+	status = smb2_create(tree2_4, tctx, &io24);
+	smb2cli_session_stop_replay(session2_4->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h24 = io24.out.file.handle;
+	h24 = &_h24;
+	CHECK_CREATED(&io24, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(h24->data[0], h21->data[0]);
+	CHECK_VAL(h24->data[1], h21->data[1]);
+	if (client2_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[0], lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_key.data[1], ~lease_key2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_epoch, lease_epoch2);
+		CHECK_VAL(io24.out.lease_response_v2.lease_state,
+			  smb2_util_lease_state("RHW"));
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else if (client2_level == SMB2_OPLOCK_LEVEL_BATCH) {
+		CHECK_VAL(io24.out.durable_open_v2, true);
+		CHECK_VAL(io24.out.timeout, 300*1000);
+	} else {
+		CHECK_VAL(io24.out.durable_open_v2, false);
+	}
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+	status = smb2_util_close(tree2_4, *h24);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	h24 = NULL;
+
+	if (client1_level == SMB2_OPLOCK_LEVEL_LEASE) {
+		torture_wait_for_lease_break(tctx);
+	} else {
+		torture_wait_for_oplock_break(tctx);
+	}
+	CHECK_VAL(break_info.count, 0);
+	CHECK_VAL(lease_break_info.count, 0);
+
+done:
+
+	if (blocked2_3) {
+		_test_unblock_smb2_transport(tctx, transport2_3, "transport2_3");
+	}
+	if (blocked2_2) {
+		_test_unblock_smb2_transport(tctx, transport2_2, "transport2_2");
+	}
+	if (blocked2_1) {
+		_test_unblock_smb2_transport(tctx, transport2_1, "transport2_1");
+	}
+	if (block_setup) {
+		test_cleanup_blocked_transports(tctx);
+	}
+
+	smbXcli_conn_disconnect(transport2_1->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_2->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_3->conn, NT_STATUS_LOCAL_DISCONNECT);
+	smbXcli_conn_disconnect(transport2_4->conn, NT_STATUS_LOCAL_DISCONNECT);
+
+	if (h1 != NULL) {
+		smb2_util_close(tree1, *h1);
+	}
+
+	smb2_deltree(tree1, BASEDIR);
+
+	TALLOC_FREE(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3n_vs_lease_windows().
+ */
+static bool test_dhv2_pending3n_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3n_vs_lease_sane.
+ */
+static bool test_dhv2_pending3n_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3n_vs_oplock_windows().
+ */
+static bool test_dhv2_pending3n_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * but without asking for an oplock nor a lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3n_vs_oplock_sane.
+ */
+static bool test_dhv2_pending3n_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_NONE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3l_vs_oplock_windows().
+ */
+static bool test_dhv2_pending3l_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3l_vs_oplock_sane.
+ */
+static bool test_dhv2_pending3l_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3l_vs_lease_windows().
+ */
+static bool test_dhv2_pending3l_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a v2 lease.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3l_vs_lease_sane().
+ */
+static bool test_dhv2_pending3l_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3o_vs_oplock_windows().
+ */
+static bool test_dhv2_pending3o_vs_oplock_sane(struct torture_context *tctx,
+					       struct smb2_tree *tree1,
+					       struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds a batch oplock.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3o_vs_oplock_sane().
+ */
+static bool test_dhv2_pending3o_vs_oplock_windows(struct torture_context *tctx,
+						  struct smb2_tree *tree1,
+						  struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the sane reject status of
+ * NT_STATUS_FILE_NOT_AVAILABLE.
+ *
+ * It won't pass against Windows as it returns
+ * NT_STATUS_ACCESS_DENIED see
+ * test_dhv2_pending3o_vs_lease_windows().
+ */
+static bool test_dhv2_pending3o_vs_lease_sane(struct torture_context *tctx,
+					      struct smb2_tree *tree1,
+					      struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_FILE_NOT_AVAILABLE,
+					   tree1, tree2_1);
+}
+
+/**
+ * This tests replay with a pending open with 4 channels
+ * and blocked transports on the client side.
+ *
+ * With a durablev2 request containing a create_guid,
+ * a share_access of READ/WRITE/DELETE,
+ * and asking for a batch oplock.
+ *
+ * While another client holds an RWH lease.
+ * And allows share_access of READ/WRITE/DELETE.
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=14449
+ *
+ * This expects the strange reject status of
+ * NT_STATUS_ACCESS_DENIED, which is returned
+ * by Windows Servers.
+ *
+ * It won't pass against Samba as it returns
+ * NT_STATUS_FILE_NOT_AVAILABLE. see
+ * test_dhv2_pending3o_vs_lease_sane().
+ */
+static bool test_dhv2_pending3o_vs_lease_windows(struct torture_context *tctx,
+						 struct smb2_tree *tree1,
+						 struct smb2_tree *tree2_1)
+{
+	return _test_dhv2_pending3_vs_hold(tctx, __func__,
+					   SMB2_OPLOCK_LEVEL_LEASE,
+					   SMB2_OPLOCK_LEVEL_BATCH,
+					   NT_STATUS_ACCESS_DENIED,
+					   tree1, tree2_1);
+}
+
+static bool test_channel_sequence_table(struct torture_context *tctx,
+					struct smb2_tree *tree,
+					bool do_replay,
+					uint16_t opcode)
+{
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle handle;
+	struct smb2_handle *phandle = NULL;
+	struct smb2_create io;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\channel_sequence.dat";
+	uint16_t csn = 0;
+	uint16_t limit = UINT16_MAX - 0x7fff;
+	int i;
+	struct {
+		uint16_t csn;
+		bool csn_rand_low;
+		bool csn_rand_high;
+		NTSTATUS expected_status;
+	} tests[] = {
+		{
+			.csn			= 0,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0x7fff + 1,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 0x7fff + 2,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= -1,
+			.csn_rand_high		= true,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 0xffff,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 0x7fff,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0x7ffe,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 0,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= -1,
+			.csn_rand_low		= true,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 0x7fff + 1,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0xffff,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 1,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		},{
+			.csn			= 1,
+			.expected_status	= NT_STATUS_OK,
+		},{
+			.csn			= 0xffff,
+			.expected_status	= NT_STATUS_FILE_NOT_AVAILABLE,
+		}
+	};
+
+	smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 0);
+
+	csn = smb2cli_session_current_channel_sequence(tree->session->smbXcli);
+	torture_comment(tctx, "Testing create with channel sequence number: 0x%04x\n", csn);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access("RWD"),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	torture_assert_ntstatus_ok_goto(tctx,
+		smb2_create(tree, mem_ctx, &io),
+		ret, done, "failed to call smb2_create");
+
+	handle = io.out.file.handle;
+	phandle = &handle;
+
+	for (i=0; i <ARRAY_SIZE(tests); i++) {
+
+		const char *opstr = "";
+		union smb_fileinfo qfinfo;
+
+		csn = tests[i].csn;
+
+		if (tests[i].csn_rand_low) {
+			csn = rand() % limit;
+		} else if (tests[i].csn_rand_high) {
+			csn = rand() % limit + 0x7fff;
+		}
+
+		switch (opcode) {
+		case SMB2_OP_WRITE:
+			opstr = "write";
+			break;
+		case SMB2_OP_IOCTL:
+			opstr = "ioctl";
+			break;
+		case SMB2_OP_SETINFO:
+			opstr = "setinfo";
+			break;
+		default:
+			break;
+		}
+
+		smb2cli_session_reset_channel_sequence(tree->session->smbXcli, csn);
+		csn = smb2cli_session_current_channel_sequence(tree->session->smbXcli);
+
+		torture_comment(tctx, "Testing %s (replay: %s) with CSN 0x%04x, expecting: %s\n",
+			opstr, do_replay ? "true" : "false", csn,
+			nt_errstr(tests[i].expected_status));
+
+		if (do_replay) {
+			smb2cli_session_start_replay(tree->session->smbXcli);
+		}
+
+		switch (opcode) {
+		case SMB2_OP_WRITE: {
+			DATA_BLOB blob = data_blob_talloc(tctx, NULL, 255);
+
+			generate_random_buffer(blob.data, blob.length);
+
+			status = smb2_util_write(tree, handle, blob.data, 0, blob.length);
+			if (NT_STATUS_IS_OK(status)) {
+				struct smb2_read rd;
+
+				rd = (struct smb2_read) {
+					.in.file.handle = handle,
+					.in.length = blob.length,
+					.in.offset = 0
+				};
+
+				torture_assert_ntstatus_ok_goto(tctx,
+					smb2_read(tree, tree, &rd),
+					ret, done, "failed to read after write");
+
+				torture_assert_data_blob_equal(tctx,
+					rd.out.data, blob,
+					"read/write mismatch");
+			}
+			break;
+		}
+		case SMB2_OP_IOCTL: {
+			union smb_ioctl ioctl;
+			ioctl = (union smb_ioctl) {
+				.smb2.level = RAW_IOCTL_SMB2,
+				.smb2.in.file.handle = handle,
+				.smb2.in.function = FSCTL_CREATE_OR_GET_OBJECT_ID,
+				.smb2.in.max_output_response = 64,
+				.smb2.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL
+			};
+			status = smb2_ioctl(tree, mem_ctx, &ioctl.smb2);
+			break;
+		}
+		case SMB2_OP_SETINFO: {
+			union smb_setfileinfo sfinfo;
+			ZERO_STRUCT(sfinfo);
+			sfinfo.generic.level = RAW_SFILEINFO_POSITION_INFORMATION;
+			sfinfo.generic.in.file.handle = handle;
+			sfinfo.position_information.in.position = 0x1000;
+			status = smb2_setinfo_file(tree, &sfinfo);
+			break;
+		}
+		default:
+			break;
+		}
+
+		qfinfo = (union smb_fileinfo) {
+			.generic.level = RAW_FILEINFO_POSITION_INFORMATION,
+			.generic.in.file.handle = handle
+		};
+
+		torture_assert_ntstatus_ok_goto(tctx,
+			smb2_getinfo_file(tree, mem_ctx, &qfinfo),
+			ret, done, "failed to read after write");
+
+		if (do_replay) {
+			smb2cli_session_stop_replay(tree->session->smbXcli);
+		}
+
+		torture_assert_ntstatus_equal_goto(tctx,
+			status, tests[i].expected_status,
+			ret, done, "got unexpected failure code");
+
+	}
+done:
+	if (phandle != NULL) {
+		smb2_util_close(tree, *phandle);
+	}
+
+	smb2_util_unlink(tree, fname);
+
+	return ret;
+}
+
+static bool test_channel_sequence(struct torture_context *tctx,
+				  struct smb2_tree *tree)
+{
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	bool ret = true;
+	const char *fname = BASEDIR "\\channel_sequence.dat";
+	struct smb2_transport *transport1 = tree->session->transport;
+	struct smb2_handle handle;
+	uint16_t opcodes[] = { SMB2_OP_WRITE, SMB2_OP_IOCTL, SMB2_OP_SETINFO };
+	int i;
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "Replay tests\n");
+	}
+
+	torture_comment(tctx, "Testing channel sequence numbers\n");
+
+	smbXcli_conn_set_force_channel_sequence(transport1->conn, true);
+
+	torture_assert_ntstatus_ok_goto(tctx,
+		torture_smb2_testdir(tree, BASEDIR, &handle),
+		ret, done, "failed to setup test directory");
+
+	smb2_util_close(tree, handle);
+	smb2_util_unlink(tree, fname);
+
+	for (i=0; i <ARRAY_SIZE(opcodes); i++) {
+		torture_assert(tctx,
+			test_channel_sequence_table(tctx, tree, false, opcodes[i]),
+			"failed to test CSN without replay flag");
+		torture_assert(tctx,
+			test_channel_sequence_table(tctx, tree, true, opcodes[i]),
+			"failed to test CSN with replay flag");
+	}
+
+done:
+
+	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Create Replay Detection on Multi Channel
+ */
+static bool test_replay3(struct torture_context *tctx, struct smb2_tree *tree1)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay3.dat";
+	struct smb2_tree *tree2 = NULL;
+	struct smb2_transport *transport1 = tree1->session->transport;
+	struct smb2_transport *transport2 = NULL;
+	struct smb2_session *session1_1 = tree1->session;
+	struct smb2_session *session1_2 = NULL;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "Replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(
+					tree1->session->transport->conn);
+	if (!(server_capabilities & SMB2_CAP_MULTI_CHANNEL)) {
+		torture_skip(tctx,
+			     "Server does not support multi-channel.");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+
+	torture_comment(tctx, "Replay of DurableHandleReqV2 on Multi "
+			      "Channel\n");
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h);
+	smb2_util_unlink(tree1, fname);
+	CHECK_VAL(break_info.count, 0);
+
+	/*
+	 * use the 1st channel, 1st session
+	 */
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	tree1->session = session1_1;
+	status = smb2_create(tree1, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(break_info.count, 0);
+
+	status = smb2_connect(tctx,
+			host,
+			lpcfg_smb_ports(tctx->lp_ctx),
+			share,
+			lpcfg_resolve_context(tctx->lp_ctx),
+			samba_cmdline_get_creds(),
+			&tree2,
+			tctx->ev,
+			&transport1->options,
+			lpcfg_socket_options(tctx->lp_ctx),
+			lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+			"smb2_connect failed");
+	transport2 = tree2->session->transport;
+
+	transport2->oplock.handler = torture_oplock_ack_handler;
+	transport2->oplock.private_data = tree2;
+
+	/*
+	 * Now bind the 1st session to 2nd transport channel
+	 */
+	session1_2 = smb2_session_channel(transport2,
+			lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+			tree2, session1_1);
+	torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session1_2,
+			samba_cmdline_get_creds(),
+			0 /* previous_session_id */);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * use the 2nd channel, 1st session
+	 */
+	tree1->session = session1_2;
+	smb2cli_session_start_replay(tree1->session->smbXcli);
+	status = smb2_create(tree1, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree1->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(break_info.count, 0);
+
+	tree1->session = session1_1;
+	smb2_util_close(tree1, *h);
+	h = NULL;
+
+done:
+	talloc_free(tree2);
+	tree1->session = session1_1;
+
+	if (h != NULL) {
+		smb2_util_close(tree1, *h);
+	}
+
+	smb2_util_unlink(tree1, fname);
+	smb2_deltree(tree1, BASEDIR);
+
+	talloc_free(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Multichannel IO Ordering using ChannelSequence/Channel Epoch number
+ */
+static bool test_replay4(struct torture_context *tctx, struct smb2_tree *tree1)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h1;
+	struct smb2_handle *h1 = NULL;
+	struct smb2_create io;
+	struct GUID create_guid = GUID_random();
+	uint8_t buf[64];
+	struct smb2_read rd;
+	union smb_setfileinfo sfinfo;
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay4.dat";
+	struct smb2_tree *tree2 = NULL;
+	struct smb2_transport *transport1 = tree1->session->transport;
+	struct smb2_transport *transport2 = NULL;
+	struct smb2_session *session1_1 = tree1->session;
+	struct smb2_session *session1_2 = NULL;
+	uint16_t curr_cs;
+	uint32_t share_capabilities;
+	bool share_is_so;
+	uint32_t server_capabilities;
+
+	if (smbXcli_conn_protocol(transport1->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "Replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(
+					tree1->session->transport->conn);
+	if (!(server_capabilities & SMB2_CAP_MULTI_CHANNEL)) {
+		torture_skip(tctx,
+			     "Server does not support multi-channel.");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree1->smbXcli);
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+
+	torture_reset_break_info(tctx, &break_info);
+	transport1->oplock.handler = torture_oplock_ack_handler;
+	transport1->oplock.private_data = tree1;
+
+	torture_comment(tctx, "IO Ordering for Multi Channel\n");
+	status = torture_smb2_testdir(tree1, BASEDIR, &_h1);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree1, _h1);
+	smb2_util_unlink(tree1, fname);
+	CHECK_VAL(break_info.count, 0);
+
+	/*
+	 * use the 1st channel, 1st session
+	 */
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access(""),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	tree1->session = session1_1;
+	status = smb2_create(tree1, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h1 = io.out.file.handle;
+	h1 = &_h1;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	if (share_is_so) {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("s"));
+		CHECK_VAL(io.out.durable_open_v2, false);
+		CHECK_VAL(io.out.timeout, 0);
+	} else {
+		CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+		CHECK_VAL(io.out.durable_open_v2, true);
+		CHECK_VAL(io.out.timeout, 300*1000);
+	}
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(break_info.count, 0);
+
+	status = smb2_util_write(tree1, *h1, buf, 0, ARRAY_SIZE(buf));
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * Increment ChannelSequence so that server thinks that there's a
+	 * Channel Failure
+	 */
+	smb2cli_session_increment_channel_sequence(tree1->session->smbXcli);
+
+	/*
+	 * Perform a Read with incremented ChannelSequence
+	 */
+	rd = (struct smb2_read) {
+		.in.file.handle = *h1,
+		.in.length = sizeof(buf),
+		.in.offset = 0
+	};
+	status = smb2_read(tree1, tree1, &rd);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * Performing a Write with Stale ChannelSequence is not allowed by
+	 * server
+	 */
+	curr_cs = smb2cli_session_reset_channel_sequence(
+						tree1->session->smbXcli, 0);
+	status = smb2_util_write(tree1, *h1, buf, 0, ARRAY_SIZE(buf));
+	CHECK_STATUS(status, NT_STATUS_FILE_NOT_AVAILABLE);
+
+	/*
+	 * Performing a Write Replay with Stale ChannelSequence is not allowed
+	 * by server
+	 */
+	smb2cli_session_start_replay(tree1->session->smbXcli);
+	smb2cli_session_reset_channel_sequence(tree1->session->smbXcli, 0);
+	status = smb2_util_write(tree1, *h1, buf, 0, ARRAY_SIZE(buf));
+	smb2cli_session_stop_replay(tree1->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_FILE_NOT_AVAILABLE);
+
+	/*
+	 * Performing a SetInfo with stale ChannelSequence is not allowed by
+	 * server
+	 */
+	ZERO_STRUCT(sfinfo);
+	sfinfo.generic.level = RAW_SFILEINFO_POSITION_INFORMATION;
+	sfinfo.generic.in.file.handle = *h1;
+	sfinfo.position_information.in.position = 0x1000;
+	status = smb2_setinfo_file(tree1, &sfinfo);
+	CHECK_STATUS(status, NT_STATUS_FILE_NOT_AVAILABLE);
+
+	/*
+	 * Performing a Read with stale ChannelSequence is allowed
+	 */
+	rd = (struct smb2_read) {
+		.in.file.handle = *h1,
+		.in.length = ARRAY_SIZE(buf),
+		.in.offset = 0
+	};
+	status = smb2_read(tree1, tree1, &rd);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	status = smb2_connect(tctx,
+			host,
+			lpcfg_smb_ports(tctx->lp_ctx),
+			share,
+			lpcfg_resolve_context(tctx->lp_ctx),
+			samba_cmdline_get_creds(),
+			&tree2,
+			tctx->ev,
+			&transport1->options,
+			lpcfg_socket_options(tctx->lp_ctx),
+			lpcfg_gensec_settings(tctx, tctx->lp_ctx)
+			);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+			"smb2_connect failed");
+	transport2 = tree2->session->transport;
+
+	transport2->oplock.handler = torture_oplock_ack_handler;
+	transport2->oplock.private_data = tree2;
+
+	/*
+	 * Now bind the 1st session to 2nd transport channel
+	 */
+	session1_2 = smb2_session_channel(transport2,
+			lpcfg_gensec_settings(tctx, tctx->lp_ctx),
+			tree2, session1_1);
+	torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
+
+	status = smb2_session_setup_spnego(session1_2,
+			samba_cmdline_get_creds(),
+			0 /* previous_session_id */);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * use the 2nd channel, 1st session
+	 */
+	tree1->session = session1_2;
+
+	/*
+	 * Write Replay with Correct ChannelSequence is allowed by the server
+	 */
+	smb2cli_session_start_replay(tree1->session->smbXcli);
+	smb2cli_session_reset_channel_sequence(tree1->session->smbXcli,
+					       curr_cs);
+	status = smb2_util_write(tree1, *h1, buf, 0, ARRAY_SIZE(buf));
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2cli_session_stop_replay(tree1->session->smbXcli);
+
+	/*
+	 * See what happens if we change the Buffer and perform a Write Replay.
+	 * This is to show that Write Replay does not really care about the data
+	 */
+	memset(buf, 'r', ARRAY_SIZE(buf));
+	smb2cli_session_start_replay(tree1->session->smbXcli);
+	status = smb2_util_write(tree1, *h1, buf, 0, ARRAY_SIZE(buf));
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2cli_session_stop_replay(tree1->session->smbXcli);
+
+	/*
+	 * Read back from File to verify what was written
+	 */
+	rd = (struct smb2_read) {
+		.in.file.handle = *h1,
+		.in.length = ARRAY_SIZE(buf),
+		.in.offset = 0
+	};
+	status = smb2_read(tree1, tree1, &rd);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	if ((rd.out.data.length != ARRAY_SIZE(buf)) ||
+			memcmp(rd.out.data.data, buf, ARRAY_SIZE(buf))) {
+		torture_comment(tctx, "Write Replay Data Mismatch\n");
+	}
+
+	tree1->session = session1_1;
+	smb2_util_close(tree1, *h1);
+	h1 = NULL;
+
+	if (share_is_so) {
+		CHECK_VAL(break_info.count, 1);
+	} else {
+		CHECK_VAL(break_info.count, 0);
+	}
+done:
+	talloc_free(tree2);
+	tree1->session = session1_1;
+
+	if (h1 != NULL) {
+		smb2_util_close(tree1, *h1);
+	}
+
+	smb2_util_unlink(tree1, fname);
+	smb2_deltree(tree1, BASEDIR);
+
+	talloc_free(tree1);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+/**
+ * Test Durability V2 Persistent Create Replay on a Single Channel
+ */
+static bool test_replay5(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	uint32_t share_capabilities;
+	bool share_is_ca;
+	bool share_is_so;
+	uint32_t server_capabilities;
+	const char *fname = BASEDIR "\\replay5.dat";
+	struct smb2_transport *transport = tree->session->transport;
+	struct smbcli_options options = tree->session->transport->options;
+	uint8_t expect_oplock = smb2_util_oplock_level("b");
+	NTSTATUS expect_status = NT_STATUS_DUPLICATE_OBJECTID;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				"Replay tests\n");
+	}
+
+	server_capabilities = smb2cli_conn_server_capabilities(
+					tree->session->transport->conn);
+	if (!(server_capabilities & SMB2_CAP_PERSISTENT_HANDLES)) {
+		torture_skip(tctx,
+			     "Server does not support persistent handles.");
+	}
+
+	share_capabilities = smb2cli_tcon_capabilities(tree->smbXcli);
+
+	share_is_ca = share_capabilities & SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY;
+	if (!share_is_ca) {
+		torture_skip(tctx, "Share is not continuously available.");
+	}
+
+	share_is_so = share_capabilities & SMB2_SHARE_CAP_SCALEOUT;
+	if (share_is_so) {
+		expect_oplock = smb2_util_oplock_level("s");
+		expect_status = NT_STATUS_FILE_NOT_AVAILABLE;
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	transport->oplock.handler = torture_oplock_ack_handler;
+	transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Replay of Persistent DurableHandleReqV2 on Single "
+			"Channel\n");
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	smb2_util_unlink(tree, fname);
+	CHECK_VAL(break_info.count, 0);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access("RWD"),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = true;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.oplock_level, expect_oplock);
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(io.out.durable_open_v2, true);
+	CHECK_VAL(io.out.persistent_open, true);
+	CHECK_VAL(io.out.timeout, 300*1000);
+	CHECK_VAL(break_info.count, 0);
+
+	/* disconnect, leaving the durable open */
+	TALLOC_FREE(tree);
+
+	if (!torture_smb2_connection_ext(tctx, 0, &options, &tree)) {
+		torture_warning(tctx, "couldn't reconnect, bailing\n");
+		ret = false;
+		goto done;
+	}
+
+	/* a re-open of a persistent handle causes an error */
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, expect_status);
+
+	/* SMB2_FLAGS_REPLAY_OPERATION must be set to open the Persistent Handle */
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	smb2cli_session_increment_channel_sequence(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(io.out.persistent_open, true);
+	CHECK_VAL(io.out.oplock_level, expect_oplock);
+	_h = io.out.file.handle;
+	h = &_h;
+
+	smb2_util_close(tree, *h);
+	h = NULL;
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+
+	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+
+/**
+ * Test Error Codes when a DurableHandleReqV2 with matching CreateGuid is
+ * re-sent with or without SMB2_FLAGS_REPLAY_OPERATION
+ */
+static bool test_replay6(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_handle _h;
+	struct smb2_handle *h = NULL;
+	struct smb2_create io, ref1;
+	union smb_fileinfo qfinfo;
+	struct GUID create_guid = GUID_random();
+	bool ret = true;
+	const char *fname = BASEDIR "\\replay6.dat";
+	struct smb2_transport *transport = tree->session->transport;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	torture_reset_break_info(tctx, &break_info);
+	tree->session->transport->oplock.handler = torture_oplock_ack_handler;
+	tree->session->transport->oplock.private_data = tree;
+
+	torture_comment(tctx, "Error Codes for DurableHandleReqV2 Replay\n");
+	smb2_util_unlink(tree, fname);
+	status = torture_smb2_testdir(tree, BASEDIR, &_h);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	smb2_util_close(tree, _h);
+	torture_wait_for_oplock_break(tctx);
+	CHECK_VAL(break_info.count, 0);
+	torture_reset_break_info(tctx, &break_info);
+
+	smb2_oplock_create_share(&io, fname,
+			smb2_util_share_access("RWD"),
+			smb2_util_oplock_level("b"));
+	io.in.durable_open = false;
+	io.in.durable_open_v2 = true;
+	io.in.persistent_open = false;
+	io.in.create_guid = create_guid;
+	io.in.timeout = UINT32_MAX;
+
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	ref1 = io;
+	_h = io.out.file.handle;
+	h = &_h;
+	CHECK_CREATED(&io, CREATED, FILE_ATTRIBUTE_ARCHIVE);
+	CHECK_VAL(io.out.oplock_level, smb2_util_oplock_level("b"));
+	CHECK_VAL(io.out.durable_open, false);
+	CHECK_VAL(io.out.durable_open_v2, true);
+
+	io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.create_disposition = NTCREATEX_DISP_OPEN;
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_CREATE_OUT(&io, &ref1);
+	torture_wait_for_oplock_break(tctx);
+	CHECK_VAL(break_info.count, 0);
+	torture_reset_break_info(tctx, &break_info);
+
+	qfinfo = (union smb_fileinfo) {
+		.generic.level = RAW_FILEINFO_POSITION_INFORMATION,
+		.generic.in.file.handle = *h
+	};
+	torture_comment(tctx, "Trying getinfo\n");
+	status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	CHECK_VAL(qfinfo.position_information.out.position, 0);
+
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	torture_assert_u64_not_equal_goto(tctx,
+		io.out.file.handle.data[0],
+		ref1.out.file.handle.data[0],
+		ret, done, "data 0");
+	torture_assert_u64_not_equal_goto(tctx,
+		io.out.file.handle.data[1],
+		ref1.out.file.handle.data[1],
+		ret, done, "data 1");
+	torture_wait_for_oplock_break(tctx);
+	CHECK_VAL(break_info.count, 1);
+	CHECK_VAL(break_info.level, smb2_util_oplock_level("s"));
+	torture_reset_break_info(tctx, &break_info);
+
+	/*
+	 * Resend the matching Durable V2 Create without
+	 * SMB2_FLAGS_REPLAY_OPERATION. This triggers an oplock break and still
+	 * gets NT_STATUS_DUPLICATE_OBJECTID
+	 */
+	status = smb2_create(tree, mem_ctx, &io);
+	CHECK_STATUS(status, NT_STATUS_DUPLICATE_OBJECTID);
+	torture_wait_for_oplock_break(tctx);
+	CHECK_VAL(break_info.count, 0);
+	torture_reset_break_info(tctx, &break_info);
+
+	/*
+	 * According to MS-SMB2 3.3.5.9.10 if Durable V2 Create is replayed and
+	 * FileAttributes or CreateDisposition do not match the earlier Create
+	 * request the Server fails request with
+	 * NT_STATUS_INVALID_PARAMETER. But through this test we see that server
+	 * does not really care about changed FileAttributes or
+	 * CreateDisposition.
+	 */
+	io.in.file_attributes = FILE_ATTRIBUTE_DIRECTORY;
+	io.in.create_disposition = NTCREATEX_DISP_OPEN;
+	smb2cli_session_start_replay(tree->session->smbXcli);
+	status = smb2_create(tree, mem_ctx, &io);
+	smb2cli_session_stop_replay(tree->session->smbXcli);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	torture_assert_u64_not_equal_goto(tctx,
+		io.out.file.handle.data[0],
+		ref1.out.file.handle.data[0],
+		ret, done, "data 0");
+	torture_assert_u64_not_equal_goto(tctx,
+		io.out.file.handle.data[1],
+		ref1.out.file.handle.data[1],
+		ret, done, "data 1");
+	torture_wait_for_oplock_break(tctx);
+	CHECK_VAL(break_info.count, 0);
+
+done:
+	if (h != NULL) {
+		smb2_util_close(tree, *h);
+	}
+
+	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, BASEDIR);
+
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+static bool test_replay7(struct torture_context *tctx, struct smb2_tree *tree)
+{
+	TALLOC_CTX *mem_ctx = talloc_new(tctx);
+	struct smb2_transport *transport = tree->session->transport;
+	NTSTATUS status;
+	struct smb2_handle _dh;
+	struct smb2_handle *dh = NULL;
+	struct smb2_notify notify;
+	struct smb2_request *req;
+	union smb_fileinfo qfinfo;
+	bool ret = false;
+
+	if (smbXcli_conn_protocol(transport->conn) < PROTOCOL_SMB3_00) {
+		torture_skip(tctx, "SMB 3.X Dialect family required for "
+				   "replay tests\n");
+	}
+
+	torture_comment(tctx, "Notify across increment/decrement of csn\n");
+
+	smbXcli_conn_set_force_channel_sequence(transport->conn, true);
+
+	status = torture_smb2_testdir(tree, BASEDIR, &_dh);
+	CHECK_STATUS(status, NT_STATUS_OK);
+	dh = &_dh;
+
+	notify.in.recursive		= 0x0000;
+	notify.in.buffer_size	= 0xffff;
+	notify.in.file.handle	= _dh;
+	notify.in.completion_filter	= FILE_NOTIFY_CHANGE_FILE_NAME;
+	notify.in.unknown		= 0x00000000;
+
+	/*
+	 * This posts a long-running request with csn==0 to "dh". Now
+	 * op->request_count==1 in smb2_server.c.
+	 */
+	smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 0);
+	req = smb2_notify_send(tree, &notify);
+
+	qfinfo = (union smb_fileinfo) {
+		.generic.level = RAW_FILEINFO_POSITION_INFORMATION,
+		.generic.in.file.handle = _dh
+	};
+
+	/*
+	 * This sequence of 2 dummy requests moves
+	 * op->request_count==1 to op->pre_request_count. The numbers
+	 * used avoid int16 overflow.
+	 */
+
+	smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 30000);
+	status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 60000);
+	status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * This final request turns the op->global->channel_sequence
+	 * to the same as we had when sending the notify above. The
+	 * notify's request count has in the meantime moved to
+	 * op->pre_request_count.
+	 */
+
+	smb2cli_session_reset_channel_sequence(tree->session->smbXcli, 0);
+	status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	/*
+	 * At this point op->request_count==0.
+	 *
+	 * The next cancel makes us reply to the notify. Because the
+	 * csn we currently use is the same as we used when sending
+	 * the notify, smbd thinks it must decrement op->request_count
+	 * and not op->pre_request_count.
+	 */
+
+	status = smb2_cancel(req);
+	CHECK_STATUS(status, NT_STATUS_OK);
+
+	status = smb2_notify_recv(req, mem_ctx, &notify);
+	CHECK_STATUS(status, NT_STATUS_CANCELLED);
+
+	ret = true;
+
+done:
+	if (dh != NULL) {
+		smb2_util_close(tree, _dh);
+	}
+	smb2_deltree(tree, BASEDIR);
+	talloc_free(tree);
+	talloc_free(mem_ctx);
+
+	return ret;
+}
+
+struct torture_suite *torture_smb2_replay_init(TALLOC_CTX *ctx)
+{
+	struct torture_suite *suite =
+		torture_suite_create(ctx, "replay");
+
+	torture_suite_add_1smb2_test(suite, "replay-commands", test_replay_commands);
+	torture_suite_add_1smb2_test(suite, "replay-regular", test_replay_regular);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-oplock1", test_replay_dhv2_oplock1);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-oplock2", test_replay_dhv2_oplock2);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-oplock3", test_replay_dhv2_oplock3);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-oplock-lease", test_replay_dhv2_oplock_lease);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-lease1",  test_replay_dhv2_lease1);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-lease2",  test_replay_dhv2_lease2);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-lease3",  test_replay_dhv2_lease3);
+	torture_suite_add_1smb2_test(suite, "replay-dhv2-lease-oplock",  test_replay_dhv2_lease_oplock);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-violation-lease-close-sane", test_dhv2_pending1n_vs_violation_lease_close_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-violation-lease-ack-sane", test_dhv2_pending1n_vs_violation_lease_ack_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-violation-lease-close-windows", test_dhv2_pending1n_vs_violation_lease_close_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-violation-lease-ack-windows", test_dhv2_pending1n_vs_violation_lease_ack_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-oplock-sane", test_dhv2_pending1n_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-oplock-windows", test_dhv2_pending1n_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-lease-sane", test_dhv2_pending1n_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1n-vs-lease-windows",  test_dhv2_pending1n_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1l-vs-oplock-sane", test_dhv2_pending1l_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1l-vs-oplock-windows", test_dhv2_pending1l_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1l-vs-lease-sane", test_dhv2_pending1l_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1l-vs-lease-windows", test_dhv2_pending1l_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1o-vs-oplock-sane", test_dhv2_pending1o_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1o-vs-oplock-windows", test_dhv2_pending1o_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1o-vs-lease-sane", test_dhv2_pending1o_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending1o-vs-lease-windows", test_dhv2_pending1o_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2n-vs-oplock-sane", test_dhv2_pending2n_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2n-vs-oplock-windows", test_dhv2_pending2n_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2n-vs-lease-sane", test_dhv2_pending2n_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2n-vs-lease-windows", test_dhv2_pending2n_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2l-vs-oplock-sane", test_dhv2_pending2l_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2l-vs-oplock-windows", test_dhv2_pending2l_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2l-vs-lease-sane", test_dhv2_pending2l_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2l-vs-lease-windows", test_dhv2_pending2l_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2o-vs-oplock-sane", test_dhv2_pending2o_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2o-vs-oplock-windows", test_dhv2_pending2o_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2o-vs-lease-sane", test_dhv2_pending2o_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending2o-vs-lease-windows", test_dhv2_pending2o_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3n-vs-oplock-sane", test_dhv2_pending3n_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3n-vs-oplock-windows", test_dhv2_pending3n_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3n-vs-lease-sane", test_dhv2_pending3n_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3n-vs-lease-windows", test_dhv2_pending3n_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3l-vs-oplock-sane",  test_dhv2_pending3l_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3l-vs-oplock-windows",  test_dhv2_pending3l_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3l-vs-lease-sane",  test_dhv2_pending3l_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3l-vs-lease-windows",  test_dhv2_pending3l_vs_lease_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3o-vs-oplock-sane",  test_dhv2_pending3o_vs_oplock_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3o-vs-oplock-windows",  test_dhv2_pending3o_vs_oplock_windows);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3o-vs-lease-sane",  test_dhv2_pending3o_vs_lease_sane);
+	torture_suite_add_2smb2_test(suite, "dhv2-pending3o-vs-lease-windows",  test_dhv2_pending3o_vs_lease_windows);
+	torture_suite_add_1smb2_test(suite, "channel-sequence", test_channel_sequence);
+	torture_suite_add_1smb2_test(suite, "replay3", test_replay3);
+	torture_suite_add_1smb2_test(suite, "replay4", test_replay4);
+	torture_suite_add_1smb2_test(suite, "replay5", test_replay5);
+	torture_suite_add_1smb2_test(suite, "replay6", test_replay6);
+	torture_suite_add_1smb2_test(suite, "replay7", test_replay7);
+
+	suite->description = talloc_strdup(suite, "SMB2 REPLAY tests");
+
+	return suite;
+}