summaryrefslogtreecommitdiffstats
path: root/selftest
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /selftest
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'selftest')
-rw-r--r--selftest/README120
-rw-r--r--selftest/SocketWrapper.pm81
-rw-r--r--selftest/Subunit.pm114
-rw-r--r--selftest/TODO2
-rwxr-xr-xselftest/checkpassword_arg1.sh21
-rw-r--r--selftest/create_smb1_fail_skipfile.txt190
-rw-r--r--selftest/devel_env.sh11
-rwxr-xr-xselftest/filter-subunit115
-rw-r--r--selftest/flapping35
-rw-r--r--selftest/flapping.d/README14
-rw-r--r--selftest/flapping.d/dnsserver2
-rw-r--r--selftest/flapping.d/getdcname2
-rw-r--r--selftest/flapping.d/nbt_dgram9
-rw-r--r--selftest/flapping.d/rfc23071
-rw-r--r--selftest/flapping.d/samba_tool_drs_showrepl1
-rw-r--r--selftest/flapping.d/smb2_notify2
-rw-r--r--selftest/flapping.d/wbinfo1
-rw-r--r--selftest/flapping.d/whoami1
-rwxr-xr-xselftest/format-subunit52
-rw-r--r--selftest/format-subunit-json52
-rwxr-xr-xselftest/gdb_backtrace145
-rw-r--r--selftest/gdb_backtrace_test.c42
-rwxr-xr-xselftest/gdb_run21
-rw-r--r--selftest/gnupg/gpg.conf4
-rw-r--r--selftest/gnupg/pubring.gpgbin0 -> 1214 bytes
-rw-r--r--selftest/gnupg/secring.gpgbin0 -> 2516 bytes
-rw-r--r--selftest/gnupg/trustdb.gpgbin0 -> 1280 bytes
-rwxr-xr-xselftest/in_screen94
-rw-r--r--selftest/knownfail389
-rw-r--r--selftest/knownfail.d/README8
-rw-r--r--selftest/knownfail.d/bug-142360
-rw-r--r--selftest/knownfail.d/complex_expressions4
-rw-r--r--selftest/knownfail.d/dirsync13
-rw-r--r--selftest/knownfail.d/dns89
-rw-r--r--selftest/knownfail.d/dns-aging78
-rw-r--r--selftest/knownfail.d/dns_packet0
-rw-r--r--selftest/knownfail.d/durable-v2-delay2
-rw-r--r--selftest/knownfail.d/empty-domain-name7
-rw-r--r--selftest/knownfail.d/encrypted_secrets13
-rw-r--r--selftest/knownfail.d/getncchanges8
-rw-r--r--selftest/knownfail.d/initshutdown3
-rw-r--r--selftest/knownfail.d/kdc-salt1
-rw-r--r--selftest/knownfail.d/keytab0
-rw-r--r--selftest/knownfail.d/kinit_trust2
-rw-r--r--selftest/knownfail.d/krb5-no-preauth7
-rw-r--r--selftest/knownfail.d/labdc5
-rw-r--r--selftest/knownfail.d/ldap3
-rw-r--r--selftest/knownfail.d/ldap_spn1
-rw-r--r--selftest/knownfail.d/lm-hash-support-gone8
-rw-r--r--selftest/knownfail.d/lzxpress0
-rw-r--r--selftest/knownfail.d/modify-order8
-rw-r--r--selftest/knownfail.d/multichannel7
-rw-r--r--selftest/knownfail.d/netlogon4
-rw-r--r--selftest/knownfail.d/nt-hash-support-gone9
-rw-r--r--selftest/knownfail.d/ntlmv1-restrictions5
-rw-r--r--selftest/knownfail.d/ntlmv2-restrictions2
-rw-r--r--selftest/knownfail.d/oneway9
-rw-r--r--selftest/knownfail.d/priv_attr13
-rw-r--r--selftest/knownfail.d/protected_users2
-rw-r--r--selftest/knownfail.d/python-segfaults3
-rw-r--r--selftest/knownfail.d/quota12
-rw-r--r--selftest/knownfail.d/replica_sync8
-rw-r--r--selftest/knownfail.d/rpc-dfs2
-rw-r--r--selftest/knownfail.d/rpc-netlogon-zerologon4
-rw-r--r--selftest/knownfail.d/rw-invalid1
-rw-r--r--selftest/knownfail.d/s3-logging1
-rw-r--r--selftest/knownfail.d/s3-lsa-server1
-rw-r--r--selftest/knownfail.d/samba-4.5-emulation4
-rw-r--r--selftest/knownfail.d/samba3.vfs.fruit2
-rw-r--r--selftest/knownfail.d/sid-strings3
-rw-r--r--selftest/knownfail.d/smb1-tests52
-rw-r--r--selftest/knownfail.d/smb2.replay29
-rw-r--r--selftest/knownfail.d/smb2.session4
-rw-r--r--selftest/knownfail.d/smbcacls0
-rw-r--r--selftest/knownfail.d/smbclient-smb35
-rw-r--r--selftest/knownfail.d/source3-epmapper2
-rw-r--r--selftest/knownfail.d/srvsvc24
-rw-r--r--selftest/knownfail.d/uac_objectclass_restrict17
-rw-r--r--selftest/knownfail.d/upn_handling8
-rw-r--r--selftest/knownfail.d/usage35
-rw-r--r--selftest/knownfail.d/vlv2
-rw-r--r--selftest/knownfail.d/wkssvc25
-rw-r--r--selftest/knownfail_heimdal_kdc56
-rw-r--r--selftest/knownfail_mit_kdc2044
-rw-r--r--selftest/knownfail_mit_kdc_1_209
-rw-r--r--selftest/knownfail_mit_kdc_pre_1_20196
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cerbin0 -> 2552 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem191
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem54
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf250
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem51
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12bin0 -> 5309 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem30
l---------selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.cerbin0 -> 2567 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.pem191
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-key.pem54
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-openssl.cnf250
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private-key.pem51
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private.p12bin0 -> 5317 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-req.pem30
l---------selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cerbin0 -> 2543 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem190
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem54
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf250
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem51
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12bin0 -> 5293 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem30
l---------selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem190
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem191
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/06.pem191
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/07.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/NewCerts/08.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt9
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old8
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf203
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem102
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cerbin0 -> 2880 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem62
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crlbin0 -> 1401 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem32
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cerbin0 -> 2335 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12bin0 -> 3933 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cerbin0 -> 2340 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12bin0 -> 3941 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cerbin0 -> 2305 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12bin0 -> 3909 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cerbin0 -> 2300 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12bin0 -> 3901 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cerbin0 -> 2305 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem169
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12bin0 -> 3909 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem19
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cerbin0 -> 2270 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem168
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem30
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf242
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem27
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12bin0 -> 3869 bytes
-rw-r--r--selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem18
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem1
l---------selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem1
-rw-r--r--selftest/manage-ca/manage-CA-samba.example.com.cnf21
-rw-r--r--selftest/manage-ca/manage-CA-samba.example.com.sh25
-rwxr-xr-xselftest/manage-ca/manage-ca.sh387
-rw-r--r--selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf17
-rw-r--r--selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf201
-rw-r--r--selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf2
-rw-r--r--selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf49
-rw-r--r--selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf41
-rw-r--r--selftest/no-python-tests.txt32
-rw-r--r--selftest/ns/README162
-rwxr-xr-xselftest/ns/add_bridge_iface.sh20
-rwxr-xr-xselftest/ns/create_bridge.sh17
-rwxr-xr-xselftest/ns/mk_nsenter.sh31
-rwxr-xr-xselftest/ns/nsenter-helper.sh29
-rwxr-xr-xselftest/ns/start_in_ns.sh61
-rw-r--r--selftest/perf_tests.py104
-rw-r--r--selftest/quick41
-rwxr-xr-xselftest/save.env.sh15
-rwxr-xr-xselftest/selftest.pl1017
-rw-r--r--selftest/selftest.pl.178
-rw-r--r--selftest/selftesthelpers.py229
-rw-r--r--selftest/skip150
-rw-r--r--selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X6
-rw-r--r--selftest/skip.opath-required9
-rw-r--r--selftest/skip_mit_kdc5
-rw-r--r--selftest/skip_mit_kdc_pre_1_202
-rw-r--r--selftest/slow9
-rw-r--r--selftest/slow-none23
-rw-r--r--selftest/subunithelper.py729
-rwxr-xr-xselftest/tap2subunit128
-rw-r--r--selftest/target/README137
-rw-r--r--selftest/target/Samba.pm1108
-rwxr-xr-xselftest/target/Samba3.pm4182
-rwxr-xr-xselftest/target/Samba4.pm3662
-rwxr-xr-xselftest/target/dns_hub.py250
-rw-r--r--selftest/tests.py477
-rw-r--r--selftest/todo_smb2_tests_to_port.list404
-rw-r--r--selftest/ubsan.supp6
-rwxr-xr-xselftest/valgrind_run13
-rw-r--r--selftest/wscript381
230 files changed, 25301 insertions, 0 deletions
diff --git a/selftest/README b/selftest/README
new file mode 100644
index 0000000..c898c3c
--- /dev/null
+++ b/selftest/README
@@ -0,0 +1,120 @@
+# vim: ft=rst
+
+This directory contains test scripts that are useful for running a
+bunch of tests all at once.
+
+There are two parts to this:
+
+ * The test runner (selftest/selftest.pl)
+ * The test formatter
+
+selftest.pl simply outputs subunit, which can then be formatted or analyzed
+by tools that understand the subunit protocol. One of these tools is
+format-subunit, which is used by default as part of "make test".
+
+Available testsuites
+====================
+The available testsuites are obtained from a script, usually
+source{3,4}/selftest/tests.py. This script should for each testsuite output
+the name of the test, the command to run and the environment that should be
+provided. Use the included "plantest" function to generate the required output.
+
+Testsuite behaviour
+===================
+
+Exit code
+------------
+The testsuites should exit with a non-zero exit code if at least one
+test failed. Skipped tests should not influence the exit code.
+
+Output format
+-------------
+Testsuites can simply use the exit code to indicate whether all of their
+tests have succeeded or one or more have failed. It is also possible to
+provide more granular information using the Subunit protocol.
+
+This protocol works by writing simple messages to standard output. Any
+messages that can not be interpreted by this protocol are considered comments
+for the last announced test.
+
+For a full description of the subunit protocol, see the README file in the subunit
+repository at http://github.com/testing-cabal/subunit.
+
+The following commands are Samba extensions to Subunit:
+
+start-testsuite
+~~~~~~~~~~~~~~~
+start-testsuite: name
+
+The testsuite name is used as prefix for all containing tests.
+
+skip-testsuite
+~~~~~~~~~~~~~~
+skip-testsuite: name
+
+Mark the testsuite with the specified name as skipped.
+
+testsuite-success
+~~~~~~~~~~~~~~~~~
+testsuite-success: name
+
+Indicate that the testsuite has succeeded successfully.
+
+testsuite-fail
+~~~~~~~~~~~~~~
+testsuite-fail: name
+
+Indicate that a testsuite has failed.
+
+Environments
+============
+Tests often need to run against a server with particular things set up,
+a "environment". This environment is provided by the test "target": Samba 3,
+Samba 4 or Windows.
+
+The environments are currently available include
+
+ - none: No server set up, no variables set.
+ - dc,s3dc: Domain controller set up. The following environment variables will
+ be set:
+
+ * USERNAME: Administrator user name
+ * PASSWORD: Administrator password
+ * DOMAIN: Domain name
+ * REALM: Realm name
+ * SERVER: DC host name
+ * SERVER_IP: DC IPv4 address
+ * SERVER_IPV6: DC IPv6 address
+ * NETBIOSNAME: DC NetBIOS name
+ * NETIOSALIAS: DC NetBIOS alias
+
+ - member,s4member,s3member: Domain controller and member server that is joined to it set up. The
+ following environment variables will be set:
+
+ * USERNAME: Domain administrator user name
+ * PASSWORD: Domain administrator password
+ * DOMAIN: Domain name
+ * REALM: Realm name
+ * SERVER: Name of the member server
+
+See Samba.pm, Samba3.pm and Samba4.pm for the full list.
+
+Running tests
+=============
+
+To run all the tests use::
+
+ make test
+
+To run a quicker subset run::
+
+ make quicktest
+
+To run a specific test, use this syntax::
+
+ make test TESTS=testname
+
+for example::
+
+ make test TESTS=samba4.BASE-DELETE
+
diff --git a/selftest/SocketWrapper.pm b/selftest/SocketWrapper.pm
new file mode 100644
index 0000000..67a4ec9
--- /dev/null
+++ b/selftest/SocketWrapper.pm
@@ -0,0 +1,81 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+
+package SocketWrapper;
+
+use Exporter;
+@ISA = qw(Exporter);
+@EXPORT_OK = qw(setup_dir setup_pcap set_default_iface);
+
+use strict;
+use warnings;
+use FindBin qw($RealBin);
+
+sub setup_dir($$)
+{
+ my ($dir, $pcap) = @_;
+ my $pcap_dir = undef;
+
+ if (defined($dir)) {
+ if ( -d $dir ) {
+ unlink <$dir/*>;
+ } else {
+ mkdir($dir, 0777);
+ }
+
+ if ($pcap) {
+ $pcap_dir = $dir."/pcap";
+
+ if ( -d $pcap_dir ) {
+ unlink <$pcap_dir/*>;
+ } else {
+ mkdir($pcap_dir, 0777);
+ }
+ }
+ }
+
+ if (defined($pcap_dir)) {
+ $ENV{SOCKET_WRAPPER_PCAP_DIR} = $pcap_dir;
+ } else {
+ delete $ENV{SOCKET_WRAPPER_PCAP_DIR};
+ }
+
+ if (defined($dir)) {
+ $ENV{SOCKET_WRAPPER_DIR} = $dir;
+ } else {
+ delete $ENV{SOCKET_WRAPPER_DIR};
+ }
+
+ return $dir;
+}
+
+sub setup_pcap($)
+{
+ my ($pcap_file) = @_;
+
+ $ENV{SOCKET_WRAPPER_PCAP_FILE} = $pcap_file;
+}
+
+sub set_default_iface($)
+{
+ my ($i) = @_;
+ $ENV{SOCKET_WRAPPER_DEFAULT_IFACE} = $i;
+}
+
+1;
diff --git a/selftest/Subunit.pm b/selftest/Subunit.pm
new file mode 100644
index 0000000..07f3ac2
--- /dev/null
+++ b/selftest/Subunit.pm
@@ -0,0 +1,114 @@
+# Perl module for parsing and generating the Subunit protocol
+# Copyright (C) 2008-2009 Jelmer Vernooij <jelmer@samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package Subunit;
+use POSIX;
+use Time::HiRes;
+
+require Exporter;
+@ISA = qw(Exporter);
+
+use strict;
+use warnings;
+
+sub start_test($)
+{
+ my ($testname) = @_;
+ print "test: $testname\n";
+}
+
+sub end_test($$;$)
+{
+ my $name = shift;
+ my $result = shift;
+ my $reason = shift;
+ if ($reason) {
+ print "$result: $name [\n";
+ print $reason;
+ if (substr($reason, -1, 1) ne "\n") { print "\n"; }
+ print "]\n";
+ } else {
+ print "$result: $name\n";
+ }
+}
+
+sub report_time()
+{
+ my ($time) = @_;
+ $time = Time::HiRes::time() unless (defined($time));
+ my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = gmtime($time);
+ $sec = ($time - int($time) + $sec);
+ my $msg = sprintf("%f", $sec);
+ if (substr($msg, 1, 1) eq ".") {
+ $msg = "0" . $msg;
+ }
+ printf "time: %04d-%02d-%02d %02d:%02d:%s\n", $year+1900, $mon+1, $mday, $hour, $min, $msg;
+}
+
+sub progress_pop()
+{
+ print "progress: pop\n";
+}
+
+sub progress_push()
+{
+ print "progress: push\n";
+}
+
+sub progress($;$)
+{
+ my ($count, $whence) = @_;
+
+ unless(defined($whence)) {
+ $whence = "";
+ }
+
+ print "progress: $whence$count\n";
+}
+
+# The following are Samba extensions:
+
+sub start_testsuite($)
+{
+ my ($name) = @_;
+ print "testsuite: $name\n";
+}
+
+sub skip_testsuite($;$)
+{
+ my ($name, $reason) = @_;
+ if ($reason) {
+ print "skip-testsuite: $name [\n$reason\n]\n";
+ } else {
+ print "skip-testsuite: $name\n";
+ }
+}
+
+sub end_testsuite($$;$)
+{
+ my $name = shift;
+ my $result = shift;
+ my $reason = shift;
+ if ($reason) {
+ print "testsuite-$result: $name [\n";
+ print "$reason\n";
+ print "]\n";
+ } else {
+ print "testsuite-$result: $name\n";
+ }
+}
+
+1;
diff --git a/selftest/TODO b/selftest/TODO
new file mode 100644
index 0000000..67776ff
--- /dev/null
+++ b/selftest/TODO
@@ -0,0 +1,2 @@
+- warn about unexpected successes
+- better way to detect that smbd has finished initialization
diff --git a/selftest/checkpassword_arg1.sh b/selftest/checkpassword_arg1.sh
new file mode 100755
index 0000000..ecaeb2e
--- /dev/null
+++ b/selftest/checkpassword_arg1.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+
+set -e
+set -u
+
+ACCOUNT_NAME="${SAMBA_CPS_ACCOUNT_NAME}"
+INVALIDPW="$1"
+NEWPW=$(cat -)
+
+echo -n "${NEWPW}" | grep -q "^${INVALIDPW}\$" && {
+ echo "Found invalid password" >&1
+ exit 1
+}
+
+echo -n "${NEWPW}" | grep -q "^${ACCOUNT_NAME}\$" && {
+ echo "Password includes ACCOUNT_NAME" >&1
+ exit 1
+}
+
+exit 0
diff --git a/selftest/create_smb1_fail_skipfile.txt b/selftest/create_smb1_fail_skipfile.txt
new file mode 100644
index 0000000..aea772f
--- /dev/null
+++ b/selftest/create_smb1_fail_skipfile.txt
@@ -0,0 +1,190 @@
+From a85b0a942ef07b6188255b2fee2fc379e9310409 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 27 Sep 2019 15:24:25 +0100
+Subject: [PATCH] selftest: Generate a list of skip entries for SMB1
+
+The following changes prepare the test system so we can generate
+the list of tests that fail when SMB1 can no longer be negotiated
+
+1.
+Change the values of 'min protocol' set for the various test
+environments to be SMB2_02.
+
+Servers will only offer protocols starting with the min specified in the
+conf files, we don't need to change the client value here yet (until SMB1 is
+truely gone)
+
+2.
+The following environments will still negotiate SMB1
+ ad_dc_ntvfs, rpc_proxy & s4member
+
+3.
+Make test wont stop on first error
+
+Once this patch is applied either
+a. Commit to gitlab or
+b. Run a private autobuild
+
+For the failing test jobs gather the stdout logs and run the parser
+
+ source4/scripting/devel/test_errors_regrex.py logfile
+
+over the output. This script will generate lines suitable for a
+skipfile.
+
+It is a good idea as a final step to say create a file e.g.
+
+ selftest/skip_smb1_fails
+
+and then exclude those tests, running CI with patch similar to wscript
+below will verify that the list of tests is complete.
+
+--- a/selftest/wscript
++++ b/selftest/wscript
+@@ -179,6 +179,9 @@ def cmd_testonly(opt):
+ else:
+ env.FILTER_OPTIONS = '${FILTER_XFAIL}'
+
++ # Maybe this should be optional
++ env.OPTIONS += ' --exclude=${srcdir}/selftest/skip_smb1_fails'
++
+---
+ script/autobuild.py | 2 +-
+ selftest/target/Samba3.pm | 4 +--
+ selftest/target/Samba4.pm | 14 ++++++--
+ source4/scripting/devel/test_errors_regrex.py | 49 +++++++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 6 deletions(-)
+ create mode 100755 source4/scripting/devel/test_errors_regrex.py
+
+diff --git a/script/autobuild.py b/script/autobuild.py
+index 85167cfa993..5bf087f652c 100755
+--- a/script/autobuild.py
++++ b/script/autobuild.py
+@@ -184,7 +184,7 @@ def format_option(name, value=None):
+
+ def make_test(
+ cmd='make test',
+- FAIL_IMMEDIATELY=1,
++ FAIL_IMMEDIATELY=0,
+ TESTS='',
+ include_envs=None,
+ exclude_envs=None):
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 41d439ea91a..ca14f86e0a4 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1708,8 +1708,8 @@ sub provision($$$$$$$$$)
+ panic action = cd $self->{srcdir} && $self->{srcdir}/selftest/gdb_backtrace %d %\$(MAKE_TEST_BINARY)
+ smbd:suicide mode = yes
+
+- client min protocol = CORE
+- server min protocol = LANMAN1
++ client min protocol = SMB2_02
++ server min protocol = SMB2_02
+
+ workgroup = $domain
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 1310e2ff09f..dd7fc807703 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -713,8 +713,8 @@ sub provision_raw_step1($$)
+ log level = $ctx->{server_loglevel}
+ lanman auth = Yes
+ ntlm auth = Yes
+- client min protocol = CORE
+- server min protocol = LANMAN1
++ client min protocol = SMB2_02
++ server min protocol = SMB2_02
+ mangled names = yes
+ dns update command = $ctx->{samba_dnsupdate}
+ spn update command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
+@@ -1188,6 +1188,9 @@ rpc_server:winreg = embedded
+ rpc_server:spoolss = embedded
+ rpc_daemon:spoolssd = embedded
+ rpc_server:tcpip = no
++ # override the new SMB2 only default
++ client min protocol = CORE
++ server min protocol = LANMAN1
+ ";
+ if ($more_conf) {
+ $extra_smb_conf = $extra_smb_conf . $more_conf . "\n";
+@@ -1238,7 +1241,9 @@ sub provision_rpc_proxy($$$)
+ dcerpc endpoint servers = epmapper, remote
+ dcerpc_remote:interfaces = rpcecho
+ dcerpc_remote:allow_anonymous_fallback = yes
+-
++ # override the new SMB2 only default
++ client min protocol = CORE
++ server min protocol = LANMAN1
+ [cifs_to_dc]
+ path = /tmp/_ignore_cifs_to_dc_/_none_
+ read only = no
+@@ -1470,6 +1475,9 @@ sub provision_ad_dc_ntvfs($$$)
+ dsdb password event notification = true
+ dsdb group change notification = true
+ server schannel = auto
++ # override the new SMB2 only default
++ client min protocol = CORE
++ server min protocol = LANMAN1
+ ";
+ push (@{$extra_provision_options}, "--use-ntvfs");
+ my $ret = $self->provision($prefix,
+diff --git a/source4/scripting/devel/test_errors_regrex.py b/source4/scripting/devel/test_errors_regrex.py
+new file mode 100755
+index 00000000000..eedfdbb6c35
+--- /dev/null
++++ b/source4/scripting/devel/test_errors_regrex.py
+@@ -0,0 +1,49 @@
++#!/usr/bin/env python3
++#
++# Simple script to parse make test stdout results
++# to find the tests that are in error, the scrip
++# then creates a line for each error suitable for
++# putting into a skip file.
++# This scripts intended use is in SMB1 to SMB2 test
++# porting where it can be used to parse for failing
++# scripts in the case where the test envs are set
++# to not negotiate SMB1
++#
++import sys
++import re
++import os
++
++def parse_errors(infile):
++ all_tests = []
++ error_tests = []
++ # get all test lines
++ last_err = ""
++ for line in infile:
++ line = line.rstrip(os.linesep)
++ if re.match("^\[.* at .*\]", line):
++ test_info = line.split(',')
++ if len(test_info) > 1:
++ err = test_info[1].split()[0]
++ if err != last_err:
++ error_tests.append(all_tests[-1])
++ last_err = err
++ all_tests.append(line.split(']',1)[1].lstrip())
++ return error_tests
++
++def main():
++ if len(sys.argv) < 2:
++ print ("no args passed")
++ sys.exit(1)
++ print ("processing %s" % sys.argv[1])
++ inputf = sys.argv[1]
++ f = open(inputf, "r")
++ failing_tests = parse_errors(f)
++ f.close()
++ for t in failing_tests:
++ # adust t fo regex
++ t = t.replace('(', '\\(').replace(')', '\\)')
++ t = t.replace('[', '\\[').replace(']', '\\]')
++ t = "^" + t
++ print("%s" % t)
++if __name__ == '__main__':
++ main()
+--
+2.16.4
+
diff --git a/selftest/devel_env.sh b/selftest/devel_env.sh
new file mode 100644
index 0000000..d1c0736
--- /dev/null
+++ b/selftest/devel_env.sh
@@ -0,0 +1,11 @@
+# This file can be sourced using
+#
+# source selftest/devel_env.sh
+#
+# So that you can run 'make test' on your box with better
+# debugging and without syncs slowing down the tests.
+#
+export TDB_NO_FSYNC=1
+export NMBD_DONT_LOG_STDOUT=1
+export SMBD_DONT_LOG_STDOUT=1
+export WINBINDD_DONT_LOG_STDOUT=1
diff --git a/selftest/filter-subunit b/selftest/filter-subunit
new file mode 100755
index 0000000..99e1c41
--- /dev/null
+++ b/selftest/filter-subunit
@@ -0,0 +1,115 @@
+#!/usr/bin/env python3
+# Filter a subunit stream
+# Copyright (C) 2009-2011 Jelmer Vernooij <jelmer@samba.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# NOTE: This script is a hack, meant as a placeholder until we can migrate
+# to upstream subunit's filtering tools.
+
+import optparse
+import sys
+import signal
+
+sys.path.insert(0, "bin/python")
+
+import subunithelper
+
+parser = optparse.OptionParser("filter-subunit [options] < instream > outstream")
+parser.add_option("--expected-failures", type="string", action="append",
+ help=("File or directory containing lists of regexes matching tests "
+ "to consider known failures"))
+parser.add_option("--flapping", type="string", action="append",
+ help=("File or directory containing lists of flapping tests, "
+ "of which to ignore results."))
+parser.add_option("--strip-passed-output", action="store_true",
+ help="Whether to strip output from tests that passed")
+parser.add_option("--fail-immediately", action="store_true",
+ help="Whether to stop on the first error", default=False)
+parser.add_option("--prefix", type="string", default='',
+ help="Add prefix to all test names")
+parser.add_option("--suffix", type="string", default='',
+ help="Add suffix to all test names")
+parser.add_option("--fail-on-empty", default=False,
+ action="store_true", help="Fail if there was no subunit output")
+parser.add_option("--list", default=False,
+ action="store_true", help="Operate in list mode")
+parser.add_option("--perf-test-output", default=False,
+ action="store_true", help="orientate output for performance measurement")
+opts, args = parser.parse_args()
+
+if opts.list:
+ for l in sys.stdin:
+ sys.stdout.write("%s%s%s\n" % (opts.prefix, l.rstrip(), opts.suffix))
+ sys.exit(0)
+
+if opts.perf_test_output:
+ bad_options = []
+ for bad_opt in ('fail_immediately', 'strip_passed_output',
+ 'flapping', 'expected_failures'):
+ if getattr(opts, bad_opt):
+ bad_options.append(bad_opt)
+ if bad_options:
+ print("--perf-test-output is incompatible with --%s" %
+ (', --'.join(x.replace('_', '-') for x in bad_options)),
+ file=sys.stderr)
+ sys.exit(1)
+
+if opts.expected_failures:
+ expected_failures = subunithelper.read_test_regexes(*opts.expected_failures)
+else:
+ expected_failures = {}
+
+
+if opts.flapping:
+ flapping = subunithelper.read_test_regexes(*opts.flapping)
+else:
+ flapping = {}
+
+statistics = {
+ 'TESTS_UNEXPECTED_OK': 0,
+ 'TESTS_EXPECTED_OK': 0,
+ 'TESTS_UNEXPECTED_FAIL': 0,
+ 'TESTS_EXPECTED_FAIL': 0,
+ 'TESTS_ERROR': 0,
+ 'TESTS_SKIP': 0,
+}
+
+def handle_sigint(sig, stack):
+ sys.exit(0)
+signal.signal(signal.SIGINT, handle_sigint)
+
+out = subunithelper.SubunitOps(sys.stdout)
+
+if opts.perf_test_output:
+ msg_ops = subunithelper.PerfFilterOps(out, opts.prefix, opts.suffix)
+else:
+ msg_ops = subunithelper.FilterOps(out, opts.prefix, opts.suffix,
+ expected_failures,
+ opts.strip_passed_output,
+ fail_immediately=opts.fail_immediately,
+ flapping=flapping)
+
+try:
+ from io import TextIOWrapper as TextIOWrapper
+ forgiving_stdin = TextIOWrapper(sys.stdin.buffer, errors='ignore', encoding='utf-8')
+ ret = subunithelper.parse_results(msg_ops, statistics, forgiving_stdin)
+except subunithelper.ImmediateFail:
+ sys.stdout.flush()
+ sys.exit(1)
+
+if opts.fail_on_empty and not msg_ops.seen_output:
+ sys.exit(1)
+else:
+ sys.exit(ret)
diff --git a/selftest/flapping b/selftest/flapping
new file mode 100644
index 0000000..8c3f9e8
--- /dev/null
+++ b/selftest/flapping
@@ -0,0 +1,35 @@
+# This file contains a list of regular expressions matching the names of
+# tests that are flapping. In other words, they sometimes succeed and
+# sometimes fail, depending on external factors.
+#
+# "make test" will not report failures or successes for tests listed here.
+#
+# DO NOT ADD TESTS HERE UNLESS THEY ARE ACTUALLY FLAPPING
+#
+# It is much better to add known failing tests to 'knownfail', so the
+# test system can warn when they actually start passing.
+^samba3.raw.mux.* #This test is flaky on the async lock time
+^samba3.smbtorture_s3.*OPLOCK4 # fails sometimes on sn-devel
+^samba4.nbt.winsreplication.owned # fails sometimes, timing related
+^samba3.rpc.spoolss.*printserver.enum_printers_old # fails on some hosts due to timing issues ?
+^samba3.rpc.spoolss.printer.*addprinterex.print_test # another intermittent failure
+^samba3.rap.printing # fails sometimes on sn-devel
+^samba3.rpc.spoolss.printer.*addprinter.print_test # fails on some hosts due to timing issues ?
+^samba3.rpc.spoolss.printer.addprinter.print_job_enum # fails on some hosts due to bug 10930
+^samba3.rpc.spoolss.printer.addprinterex.print_job_enum # fails on some hosts due to bug 10930
+^samba3.rpc.lsa.privileges.lsa.Privileges\(nt4_dc\) # fails sometimes on sn-devel
+^samba4.blackbox.gentest # is flakey due to timing
+^samba3.smb2.acls.INHERITANCE\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba3.smb2.acls.DYNAMIC\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba3.raw.acls.dynamic\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba3.raw.acls.inheritance\(ad_dc\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba3.raw.samba3checkfsp.samba3checkfsp\(ad_dc_smb1\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba3.raw.samba3closeerr.samba3closeerr\(ad_dc_smb1\) # Seems to flap - succeeds on sn-devel, fails on Fedora 16
+^samba4.smb2.create.mkdir-dup\(ad_dc_ntvfs\) # This test (for bug 11486) involves a race, not always protected against in the NTVFS file server
+^samba4.winbind.struct.domain_info.ad_member # flakey on sn-devel-104 and sn-devel-144
+#
+# This test just is not reliable in finding the max search limit
+#
+^samba4.ldap.notification.python\(.*\).__main__.LDAPNotificationTest.test_max_search
+^samba3.blackbox.smbclient_s3.*.sending a message to the remote server # flakey on sn-devel-104 and sn-devel-144
+^samba3.blackbox.smbclient_s3.*.creating a good symlink and deleting it by path # flakey on sn-devel-104 and sn-devel-144
diff --git a/selftest/flapping.d/README b/selftest/flapping.d/README
new file mode 100644
index 0000000..cf32da2
--- /dev/null
+++ b/selftest/flapping.d/README
@@ -0,0 +1,14 @@
+# Files in this directory contain lists of regular expressions
+# matching the names of tests that are that are flapping. In other
+# words, they sometimes succeed and sometimes fail, depending on
+# external factors.
+#
+# "make test" will not report failures or successes for tests listed here.
+#
+# DO NOT ADD TESTS HERE UNLESS THEY ARE ACTUALLY FLAPPING
+#
+# It is much better to add known failing tests to 'knownfail', so the
+# test system can warn when they actually start passing.
+#
+# Empty lines and lines beginning with '#' are ignored.
+# Please don't add tests to this README!
diff --git a/selftest/flapping.d/dnsserver b/selftest/flapping.d/dnsserver
new file mode 100644
index 0000000..9b33e85
--- /dev/null
+++ b/selftest/flapping.d/dnsserver
@@ -0,0 +1,2 @@
+# This is not stable in samba due to a bug
+^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_enum_is_sorted_children \ No newline at end of file
diff --git a/selftest/flapping.d/getdcname b/selftest/flapping.d/getdcname
new file mode 100644
index 0000000..4c12e75
--- /dev/null
+++ b/selftest/flapping.d/getdcname
@@ -0,0 +1,2 @@
+# winbind appears to return inconsistent answers (depending on whether or not it uses NETBIOS queries or not)
+^samba.tests.getdcname.samba.tests.getdcname.GetDCNameEx.test_get_dc_over_winbind_with_site_netbios.fl2008r2dc:local.*
diff --git a/selftest/flapping.d/nbt_dgram b/selftest/flapping.d/nbt_dgram
new file mode 100644
index 0000000..bb35a7d
--- /dev/null
+++ b/selftest/flapping.d/nbt_dgram
@@ -0,0 +1,9 @@
+# following SMB1/SMB2 test env split it seems this test
+# fails randomly however it doesn't seem to be directly
+# related to the changes (e.g. not protocl negotiation
+# specific) Best guess is the order of test having being
+# changed (as a result of test moving env) or some other
+# strange env related side affect is causing this.
+^samba3.nbt.dgram.ntlogon\(ad_dc\)
+^samba3.nbt.dgram.netlogon\(ad_dc\)
+^samba3.nbt.dgram.netlogon2\(ad_dc\)
diff --git a/selftest/flapping.d/rfc2307 b/selftest/flapping.d/rfc2307
new file mode 100644
index 0000000..2e37edc
--- /dev/null
+++ b/selftest/flapping.d/rfc2307
@@ -0,0 +1 @@
+^idmap.rfc2307.Testing for expected group memberships
diff --git a/selftest/flapping.d/samba_tool_drs_showrepl b/selftest/flapping.d/samba_tool_drs_showrepl
new file mode 100644
index 0000000..eff8433
--- /dev/null
+++ b/selftest/flapping.d/samba_tool_drs_showrepl
@@ -0,0 +1 @@
+.+samba_tool_drs_showrepl.SambaToolDrsShowReplTests.test_samba_tool_showrepl_pull_summary_all_good
diff --git a/selftest/flapping.d/smb2_notify b/selftest/flapping.d/smb2_notify
new file mode 100644
index 0000000..7ff17f1
--- /dev/null
+++ b/selftest/flapping.d/smb2_notify
@@ -0,0 +1,2 @@
+# Added to flapping at Metze's request. He plans to follow this up soon
+^samba3.smb2.notify.valid-req\(
diff --git a/selftest/flapping.d/wbinfo b/selftest/flapping.d/wbinfo
new file mode 100644
index 0000000..8ccf2cb
--- /dev/null
+++ b/selftest/flapping.d/wbinfo
@@ -0,0 +1 @@
+^samba.blackbox.wbinfo\(ad_member:local\).confirm
diff --git a/selftest/flapping.d/whoami b/selftest/flapping.d/whoami
new file mode 100644
index 0000000..82f6356
--- /dev/null
+++ b/selftest/flapping.d/whoami
@@ -0,0 +1 @@
+^samba3.unix.whoami machine account.whoami\(nt4_member:local\)
diff --git a/selftest/format-subunit b/selftest/format-subunit
new file mode 100755
index 0000000..b27513a
--- /dev/null
+++ b/selftest/format-subunit
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+# vim: expandtab
+# Pretty-format subunit output
+# Copyright (C) 2008-2010 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU GPL, v3 or later
+
+import optparse
+import os
+import signal
+import sys
+
+sys.path.insert(0, "bin/python")
+
+import subunithelper
+
+parser = optparse.OptionParser("format-subunit [options]")
+parser.add_option("--verbose", action="store_true",
+ help="Be verbose")
+parser.add_option("--immediate", action="store_true",
+ help="Show failures immediately, don't wait until test run has finished")
+parser.add_option("--prefix", type="string", default=".",
+ help="Prefix to write summary to")
+
+opts, args = parser.parse_args()
+
+def handle_sigint(sig, stack):
+ sys.exit(0)
+
+signal.signal(signal.SIGINT, handle_sigint)
+
+statistics = {
+ 'SUITES_FAIL': 0,
+ 'TESTS_UNEXPECTED_OK': 0,
+ 'TESTS_EXPECTED_OK': 0,
+ 'TESTS_UNEXPECTED_FAIL': 0,
+ 'TESTS_EXPECTED_FAIL': 0,
+ 'TESTS_ERROR': 0,
+ 'TESTS_SKIP': 0,
+}
+
+msg_ops = subunithelper.PlainFormatter(opts.verbose, opts.immediate, statistics)
+
+expected_ret = subunithelper.parse_results(msg_ops, statistics, sys.stdin)
+
+summaryfile = os.path.join(opts.prefix, "summary")
+
+msg_ops.write_summary(summaryfile)
+
+print("\nA summary with detailed information can be found in:")
+print(" %s" % summaryfile)
+
+sys.exit(expected_ret)
diff --git a/selftest/format-subunit-json b/selftest/format-subunit-json
new file mode 100644
index 0000000..d9d912c
--- /dev/null
+++ b/selftest/format-subunit-json
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+# Copyright (C) 2008-2010 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2016 Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+# Published under the GNU GPL, v3 or later
+import optparse
+import os
+import signal
+import sys
+import json
+
+sys.path.insert(0, "bin/python")
+
+
+def json_formatter(src_f, dest_f):
+ """We're not even pretending to be a TestResult subclass; just read
+ from stdin and look for elapsed-time tags."""
+ results = {}
+
+ for line in src_f:
+ line = line.strip()
+ if line[:14] == 'elapsed-time: ':
+ name, time = line[14:].rsplit(':', 1)
+ results[name] = float(time)
+
+ json.dump(results, dest_f,
+ sort_keys=True, indent=2, separators=(',', ': '))
+
+
+def main():
+ parser = optparse.OptionParser("format-subunit-json [options]")
+ parser.add_option("--verbose", action="store_true",
+ help="ignored, for compatibility")
+ parser.add_option("--immediate", action="store_true",
+ help="ignored, for compatibility")
+ parser.add_option("--prefix", type="string", default=".",
+ help="Prefix to write summary.json to")
+ opts, args = parser.parse_args()
+
+ fn = os.path.join(opts.prefix, "summary.json")
+ f = open(fn, 'w')
+ json_formatter(sys.stdin, f)
+ f.close()
+ print()
+ print("A JSON file summarising these tests performance found in:")
+ print(" ", fn)
+
+
+def handle_sigint(sig, stack):
+ sys.exit(0)
+
+signal.signal(signal.SIGINT, handle_sigint)
+main()
diff --git a/selftest/gdb_backtrace b/selftest/gdb_backtrace
new file mode 100755
index 0000000..ec2396a
--- /dev/null
+++ b/selftest/gdb_backtrace
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+BASENAME=$(basename $0)
+
+unset LD_PRELOAD
+
+if [ -n "$VALGRIND" -o -n "$SMBD_VALGRIND" ]; then
+ echo "${BASENAME}: Not running debugger under valgrind"
+ exit 1
+fi
+
+if [ "x$PLEASE_NO_GDB_BACKTRACE" != "x" ]; then
+ echo "${BASENAME}: Not running debugger because PLEASE_NO_GDB_BACKTRACE is set"
+ exit 0
+fi
+
+# we want everything on stderr, so the program is not disturbed
+exec 1>&2
+
+UNAME=$(uname)
+
+PID=$1
+BINARY=$2
+
+test x"${PID}" = x"" && {
+ echo "Usage: ${BASENAME} <pid> [<binary>]"
+ exit 1
+}
+
+DB_LIST="gdb"
+case "${UNAME}" in
+#
+# on Tru64 we need to try ladebug first
+# because gdb crashes itself...
+#
+OSF1)
+ DB_LIST="ladebug ${DB_LIST}"
+ ;;
+#
+# On solaris dbx is working way more better than gdb
+# let's try it first
+#
+SunOS)
+ DB_LIST="dbx ${DB_LIST}"
+ ;;
+#
+# FreeBSD comes with a flavor that works gdb66 and one that don't gdb
+# (gdb 6.1) let's try it first the one that works !
+#
+FreeBSD)
+ DB_LIST="gdb66 ${DB_LIST}"
+ ;;
+esac
+
+for DB in ${DB_LIST}; do
+ DB_BIN=$(which ${DB} 2>/dev/null | grep '^/')
+ test x"${DB_BIN}" != x"" && {
+ break
+ }
+done
+
+test x"${DB_BIN}" = x"" && {
+ echo "${BASENAME}: ERROR: No debugger found."
+ exit 1
+}
+
+need_binary="no"
+case "${DB}" in
+# These debuggers need the process binary specified:
+ladebug)
+ need_binary="yes"
+ ;;
+gdb66)
+ need_binary="yes"
+ ;;
+dbx)
+ need_binary="yes"
+ ;;
+esac
+
+test x"${need_binary}" = x"yes" && {
+
+ # we first try to use /proc/${PID}/exe or /proc/{$PID}/path for solaris
+ # then fallback to the binary from the commandline
+ # then we search for the commandline argument with
+ # 'which'
+ #
+ test -f "/proc/${PID}/exe" && BINARY="/proc/${PID}/exe"
+ test -f "/proc/${PID}/path/a.out" && BINARY=$(ls -l /proc/${PID}/path/a.out | sed 's/.*-> //')
+ test x"${BINARY}" = x"" && BINARY="/proc/${PID}/exe"
+ test -f "${BINARY}" || BINARY=$(which ${BINARY})
+
+ test -f "${BINARY}" || {
+ echo "${BASENAME}: ERROR: Cannot find binary '${BINARY}'."
+ exit 1
+ }
+}
+
+BATCHFILE_PRE=$(mktemp --tmpdir gdb_backtrace_pre.XXXXXXXXXX)
+test -n "${BATCHFILE_PRE}" || {
+ echo "mktemp doesn't work" 1>&2
+ exit 1
+}
+BATCHFILE_MAIN=$(mktemp --tmpdir gdb_backtrace_main.XXXXXXXXXX)
+test -n "${BATCHFILE_MAIN}" || {
+ echo "mktemp doesn't work" 1>&2
+ exit 1
+}
+case "${DB}" in
+ladebug)
+ cat <<EOF >${BATCHFILE_PRE}
+set \$stoponattach
+EOF
+
+ cat <<EOF >${BATCHFILE_MAIN}
+where
+quit
+EOF
+ ${DB_BIN} -c "${BATCHFILE_MAIN}" -i "${BATCHFILE_PRE}" -pid "${PID}" "${BINARY}"
+ ;;
+gdb66)
+ cat <<EOF >${BATCHFILE_MAIN}
+set height 1000
+bt full
+info locals
+kill
+quit
+EOF
+ ${DB_BIN} -x "${BATCHFILE_MAIN}" "${BINARY}" "${PID}"
+ ;;
+gdb)
+ cat <<EOF >${BATCHFILE_MAIN}
+set height 0
+bt full
+thread apply all bt full
+info locals
+quit
+EOF
+ ${DB_BIN} -batch -x "${BATCHFILE_MAIN}" --pid "${PID}" </dev/null
+ ;;
+dbx)
+ ${DB_BIN} "where;dump;kill;quit" "${BINARY}" "${PID}"
+ ;;
+esac
+/bin/rm -f ${BATCHFILE_PRE} ${BATCHFILE_MAIN}
diff --git a/selftest/gdb_backtrace_test.c b/selftest/gdb_backtrace_test.c
new file mode 100644
index 0000000..993596d
--- /dev/null
+++ b/selftest/gdb_backtrace_test.c
@@ -0,0 +1,42 @@
+/*
+
+add a useful tool to test the gdb_backtrace script
+
+just compile it with
+cc -g -o gdb_backtrace_test gdb_backtrace_test.c
+
+and run it in the same directory where your gdb_backtrace script is.
+
+2006 - Stefan Metzmacher <metze@samba.org>
+
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+static const char *prog;
+
+static void sig_fault(int sig)
+{
+ int ret;
+ char cmdstr[200];
+
+ snprintf(cmdstr, sizeof(cmdstr),
+ "./gdb_backtrace %u %s",
+ getpid(), prog);
+ printf("sig_fault start: %s\n", cmdstr);
+ ret = system(cmdstr);
+ printf("sig_fault end: %d\n", ret);
+}
+
+int main(int argc, const char **argv)
+{
+ prog = argv[0];
+
+ signal(SIGABRT, sig_fault);
+
+ abort();
+ return 0;
+}
diff --git a/selftest/gdb_run b/selftest/gdb_run
new file mode 100755
index 0000000..4cc26dd
--- /dev/null
+++ b/selftest/gdb_run
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+ENV="$1"
+
+shift 1
+
+TMPFILE=$(mktemp --tmpdir gdb_run.XXXXXXXXXX)
+test -n "${TMPFILE}" || {
+ echo "mktemp doesn't work" 1>&2
+ exit 1
+}
+
+cat <<EOF >$TMPFILE
+run
+bt
+EOF
+
+trap "/bin/rm -f $TMPFILE" EXIT
+CMD="gdb -x $TMPFILE --args $@"
+echo $CMD
+eval $ENV "$CMD"
diff --git a/selftest/gnupg/gpg.conf b/selftest/gnupg/gpg.conf
new file mode 100644
index 0000000..33b9f9f
--- /dev/null
+++ b/selftest/gnupg/gpg.conf
@@ -0,0 +1,4 @@
+
+keyid-format long
+fingerprint
+default-key 4952E40301FAB41A
diff --git a/selftest/gnupg/pubring.gpg b/selftest/gnupg/pubring.gpg
new file mode 100644
index 0000000..b3fa9cc
--- /dev/null
+++ b/selftest/gnupg/pubring.gpg
Binary files differ
diff --git a/selftest/gnupg/secring.gpg b/selftest/gnupg/secring.gpg
new file mode 100644
index 0000000..09dd9fd
--- /dev/null
+++ b/selftest/gnupg/secring.gpg
Binary files differ
diff --git a/selftest/gnupg/trustdb.gpg b/selftest/gnupg/trustdb.gpg
new file mode 100644
index 0000000..bfe8f06
--- /dev/null
+++ b/selftest/gnupg/trustdb.gpg
Binary files differ
diff --git a/selftest/in_screen b/selftest/in_screen
new file mode 100755
index 0000000..d7d1b53
--- /dev/null
+++ b/selftest/in_screen
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+export TMPDIR="$SELFTEST_TMPDIR"
+
+SERVERNAME="$ENVNAME"
+[ -z "$SERVERNAME" ] && SERVERNAME="base"
+basedir=$TMPDIR
+
+[ -r $basedir/$SERVERNAME.pid ] && {
+ for i in {2..100}; do
+ if [ ! -r "$basedir/${SERVERNAME}-$i.pid" ]; then
+ SERVERNAME="${SERVERNAME}-$i"
+ break
+ fi
+ done
+}
+
+rm -f $basedir/$SERVERNAME.{launch,log,parent.pid,pid,status}
+
+# set most of the environment vars we have in the screen session too
+_ENV=""
+printenv |
+ egrep -v '^TERMCAP|^WINDOW|^SHELL|^STY|^SHLVL|^SAMBA_VALGRIND|\$' |
+ egrep '^[A-Z]' |
+ sed "s/\(^[^=]*=\)\(.*\)/export \1'\2'/g" >$basedir/$SERVERNAME.vars
+
+cat <<EOF >$basedir/$SERVERNAME.launch
+cd $PWD
+ echo \$\$ > $basedir/$SERVERNAME.pid
+ . $basedir/$SERVERNAME.vars
+ echo "\$(date) starting $SERVERNAME" >> $basedir/$SERVERNAME.log
+ $@
+ echo \$? > $basedir/$SERVERNAME.status
+ read parent < $basedir/$SERVERNAME.parent.pid
+ kill \$parent
+EOF
+pid=$$
+
+cleanup()
+{
+ trap "exit 1" SIGINT SIGTERM SIGPIPE
+ [ -r $basedir/$SERVERNAME.status ] && {
+ read status <$basedir/$SERVERNAME.status
+ echo "$(date) samba exited with status $status" >>$basedir/$SERVERNAME.log
+ exit $status
+ }
+
+ case $ENVNAME in
+ *.nmbd | *.smbd | *.winbindd | *.samba | *.samba_dcerpcd)
+ kill $(cat $basedir/../"${ENVNAME%\.*}"/pid/"${ENVNAME##*\.}".pid)
+ ;;
+ esac
+
+ read pid <$basedir/$SERVERNAME.pid
+ echo "$(date) Killing samba pid $pid from $$" >>$basedir/$SERVERNAME.log
+ if [ "$pid" = "$$" ]; then
+ exit 1
+ fi
+ kill -9 $pid 2>&1
+ exit 1
+}
+
+echo $$ >$basedir/$SERVERNAME.parent.pid
+trap cleanup SIGINT SIGTERM SIGPIPE
+
+if [[ "$TMUX" ]]; then
+ TMUX_CMD=tmux
+ if [[ $TMUX = *tmate* ]]; then
+ TMUX_CMD=tmate
+ fi
+
+ $TMUX_CMD new-window -n test:$SERVERNAME "bash $basedir/$SERVERNAME.launch"
+
+ # tmux seems to lag a bit for new sessions. Don't create them too
+ # quickly one after another
+ sleep .1
+else
+ screen -r -X screen -t test:$SERVERNAME bash $basedir/$SERVERNAME.launch
+fi
+echo "$(date) waiting in $$" >>$basedir/$SERVERNAME.log
+read stdin_var
+echo "$(date) EOF on stdin" >>$basedir/$SERVERNAME.log
+
+case $ENVNAME in
+*.nmbd | *.smbd | *.winbindd | *.samba | *.samba_dcerpcd)
+ kill $(cat $basedir/../"${ENVNAME%\.*}"/pid/"${ENVNAME##*\.}".pid)
+ ;;
+esac
+
+read pid <$basedir/$SERVERNAME.pid
+echo "$(date) killing $pid" >>$basedir/$SERVERNAME.log
+kill $pid 2>/dev/null
+echo "$(date) exiting" >>$basedir/$SERVERNAME.log
+exit 0
diff --git a/selftest/knownfail b/selftest/knownfail
new file mode 100644
index 0000000..a89616c
--- /dev/null
+++ b/selftest/knownfail
@@ -0,0 +1,389 @@
+# This file contains a list of regular expressions matching the names of
+# tests that are expected to fail.
+#
+# "make test" will not report failures for tests listed here and will consider
+# a successful run for any of these tests an error.
+
+^samba3.blackbox.failure.failure # this is designed to fail, for testing our test infrastructure
+.*driver.add_driver_timestamps # we only can store dates, not timestamps
+ ^samba3.smbtorture_s3.crypt_server\(nt4_dc\).SMB2-SESSION-REAUTH # expected to give ACCESS_DENIED SMB2.1 doesn't have encryption
+^samba3.smbtorture_s3.crypt_server\(nt4_dc\).SMB2-SESSION-RECONNECT # expected to give CONNECTION_DISCONNECTED, we need to fix the test
+^samba3.smbtorture_s3.plain.*SMB2-DIR-FSYNC.*\(ad_dc_ntvfs\)
+^samba3.smbtorture_s3.plain.*SMB2-PATH-SLASH.*\(ad_dc_ntvfs\)
+^samba3.smbtorture_s3.plain.LOCK11.*\(ad_dc_ntvfs\)
+^samba3.smb2.session enc.reconnect # expected to give CONNECTION_DISCONNECTED, we need to fix the test
+^samba3.raw.session enc # expected to give ACCESS_DENIED as SMB1 encryption isn't used
+^samba3.smbtorture_s3.crypt_server # expected to give ACCESS_DENIED as SMB1 encryption isn't used
+^samba3.smbtorture_s3.*.LOCK12.*\(fileserver_smb1\)
+^samba3.smbtorture_s3.*.LOCK12.*\(nt4_dc_smb1\)
+^samba3.nbt.dgram.*netlogon2\(nt4_dc\)
+^samba3.*rap.sam.*.useradd # Not provided by Samba 3
+^samba3.*rap.sam.*.userdelete # Not provided by Samba 3
+^samba3.libsmbclient.opendir # This requires a workgroup called 'WORKGROUP' and for netbios browse lists to have been registered
+# see bug 8412
+^samba3.smb2.rename.*.simple_nodelete
+^samba3.smb2.rename.*.no_share_delete_no_delete_access
+^samba3.blackbox.smbclient_machine_auth.plain.*nt4_dc:local # the NT4 DC does not currently set up a self-join
+^samba3.raw.samba3hide.samba3hide\(ad_dc_smb1\) # This test fails against the ad_dc environment.
+^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc_smb1\) # This test fails against an smbd environment with NT ACLs enabled
+^samba3.raw.samba3closeerr.samba3closeerr\(fileserver_smb1\) # This test fails against an smbd environment with NT ACLs enabled
+^samba3.raw.acls nfs4acl_xattr-simple-40.INHERITFLAGS\(nt4_dc_smb1\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
+^samba3.raw.acls nfs4acl_xattr-simple-40.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-simple-40.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-simple-40.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-simple-41.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.INHERITFLAGS\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.inherit_creator_owner\(nt4_d_smb1\)
+^samba3.raw.acls nfs4acl_xattr-special-40.inherit_creator_group\(nt4_dc\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.INHERITFLAGS\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.inherit_creator_owner\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-40.inherit_creator_group\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-xdr-41.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.INHERITFLAGS\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.nulldacl\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.inherit_creator_owner\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-40.inherit_creator_group\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-41.create_owner_file\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-41.create_owner_dir\(nt4_dc_smb1\)
+^samba3.raw.acls nfs4acl_xattr-nfs-41.nulldacl\(nt4_dc_smb1\)
+^samba3.base.delete.deltest16a
+^samba3.base.delete.deltest17a
+^samba3.unix.whoami anonymous connection.whoami\(ad_dc_smb1\) # We need to resolve if we should be including SID_NT_WORLD and SID_NT_NETWORK in this token
+# smbclient4 behaves differently from smbclient (s3) when encountering
+# logon failures when possesing a valid ticket. Test below has been
+# changed to use smbclient (in order to support SMB2) and this part of the
+# test fails due to this difference
+^samba4.blackbox.chgdcpass.Test login with kerberos ccache after 2nd password change\(chgdcpass\)
+# these show that we still have some differences between our system
+# with our internal iconv because it passes except when we bypass our
+# internal iconv modules
+^samba4.local.convert_string_handle.system.iconv.gd_ascii
+^samba4.local.convert_string_handle.system.iconv.gd_iso8859_cp850
+^samba4..*base.delete.*.deltest17\(
+^samba4..*base.delete.*.deltest17b
+^samba4..*base.delete.*.deltest17c
+^samba4..*base.delete.*.deltest17e
+^samba4..*base.delete.*.deltest17f
+^samba4..*base.delete.*.deltest20a
+^samba4..*base.delete.*.deltest20b
+^samba4.raw.session.reauth
+^samba4.raw.session.expire1
+^samba4.raw.rename.*.osxrename
+^samba4.raw.rename.*.directory rename
+^samba4.rpc.winreg.*security
+^samba4.local.registry.*.(dir|ldb).check hive security
+^samba4.local.registry.*.local.security
+^samba4.rpc.wkssvc
+^samba4.rpc.handles.*.lsarpc-shared
+^samba4.rpc.epmapper.*.Lookup_simple
+^samba4.rpc.epmapper.*.Map_simple
+^samba4.rpc.epmapper.*.Map_full
+^samba3.rpc.epmapper.*.Map_full
+^samba4.rpc.lsalookup on ncalrpc
+^samba4.rpc.lsalookup on ncacn_np
+^samba4.rpc.lsalookup with seal,padcheck
+^samba4.rpc.lsalookup with validate
+^samba4.rpc.lsalookup with bigendian
+^samba4.rpc.lsa on ncacn_np with seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
+^samba4.rpc.lsa with seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
+^samba4.rpc.lsa.secrets.*seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
+^samba4.rpc.netlogon.*.LogonUasLogon
+^samba4.rpc.netlogon.*.LogonUasLogoff
+^samba4.rpc.netlogon.*.DatabaseSync
+^samba4.rpc.netlogon.*.DatabaseSync2
+^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomains
+^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
+^samba4.rpc.netlogon.*.GetPassword
+^samba4.rpc.netlogon.*.DatabaseRedo
+^samba4.rpc.netlogon.*.netlogon.lsa_over_netlogon\(ad_dc\) #Broken by split of \\pipe\lsass from \\pipe\netlogon in the IDL
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # Broken by allowing NT4 crypto on this environment
+^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\) # Broken by allowing NT4 crypto on this environment
+^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
+^samba4.rpc.drsuapi.*ncacn_ip_tcp.*bigendian # should only work with seal
+^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.validate # should only work with seal
+^samba4.rpc.samr.passwords.validate.*ncacn_ip_tcp.*with.bigendian # should only work with seal
+^samba4.base.charset.*.Testing partial surrogate
+^samba4.smb2.charset.*.Testing partial surrogate # This test is currently broken
+^samba3.smb2.charset.*.Testing partial surrogate # This test is currently broken
+^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
+^samba..*.smb2.maximum_allowed
+.*net.api.delshare.* # DelShare isn't implemented yet
+^samba4.smb2.oplock.doc
+^samba4.smb2.lock.valid-request
+^samba4.raw.lock.multilock6.ad_dc_ntvfs
+^samba4.ldap.python \(ad_dc_default\).Test add_ldif\(\) with BASE64 security descriptor input using WRONG domain SID\(.*\)$
+^samba4.raw.lock.*.async # bug 6960
+^samba4.raw.open.ntcreatex_supersede
+^samba4.smb2.lock.*.multiple-unlock # bug 6959
+^samba4.raw.sfileinfo.*.end-of-file\(.*\)$ # bug 6962
+^samba4.raw.oplock.*.batch22 # bug 6963
+^samba4.raw.oplock.*.doc1
+^samba4.raw.oplock.*.exclusive5
+^samba4.raw.oplock.*.exclusive9
+^samba4.raw.oplock.*.level_ii_1
+^samba4.raw.lock.*.zerobyteread # bug 6974
+^samba4.smb2.lock.*.zerobyteread # bug 6974
+^samba4.raw.streams.*.delete
+^samba4.raw.streams.*.createdisp
+^samba4.raw.streams.*.sumtab
+^samba4.raw.streams.*.perms
+^samba4.raw.acls.INHERITFLAGS
+^samba4.raw.acls.*.create_dir
+^samba4.raw.acls.*.create_owner_dir
+^samba4.raw.acls.*.create_owner_file
+^samba4.smb2.create.*.acldir
+^samba4.smb2.create.*.impersonation
+^samba4.smb2.create.quota-fake-file\(ad_dc_ntvfs\) # not supported by the NTVFS
+^samba4.smb2.create.dosattr_tmp_dir\(ad_dc_ntvfs\)
+^samba4.smb2.acls.*.generic
+^samba4.smb2.acls.*.inheritflags
+^samba4.smb2.acls.*.owner
+^samba4.smb2.acls.*.ACCESSBASED
+^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.SimpleDirsyncTests.test_dirsync_deleted_items_OBJECT_SECURITY
+#^samba4.ldap.dirsync.python.ad_dc_ntvfs..__main__.ExtendedDirsyncTests.*
+^samba4.libsmbclient.opendir.(NT1|SMB3).opendir # This requires netbios browsing
+^samba4.rpc.drsuapi.*.drsuapi.DsGetDomainControllerInfo\(.*\)$
+^samba4.smb2.oplock.exclusive2\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.exclusive5\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.exclusive6\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.exclusive9\(.*\)$
+^samba4.smb2.oplock.brl3\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.levelii500\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.levelii502\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.brl1\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch22.\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch19\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch12\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch11\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch1\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch6\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch9\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch9a\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch10\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch20\(.*\)$ # samba 4 oplocks are a mess
+^samba4.smb2.oplock.batch26\(.*\)$
+^samba4.smb2.oplock.stream1 # samba 4 oplocks are a mess
+^samba4.smb2.oplock.statopen1\(ad_dc_ntvfs\)$ # fails with ACCESS_DENIED on a SYNCHRONIZE_ACCESS open
+^samba4.smb2.getinfo.complex # streams on directories does not work
+^samba4.smb2.getinfo.getinfo_access\(ad_dc_ntvfs\) # Access checks not implemented
+^samba4.smb2.getinfo.qfs_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy
+^samba4.smb2.getinfo.qfile_buffercheck # S4 does not do the INFO_LENGTH_MISMATCH/BUFFER_OVERFLOW thingy
+^samba4.smb2.getinfo.qsec_buffercheck # S4 does not do the BUFFER_TOO_SMALL thingy
+^samba4.smb2.sharemode.sharemode-access
+^samba4.smb2.sharemode.access-sharemode
+^samba4.ntvfs.cifs.krb5.base.createx_access.createx_access\(.*\)$
+^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.raw.read.readx\(ad_dc_ntvfs\) # fails readx 16bit alignment requirement
+^samba3.smb2.create.gentest
+^samba3.smb2.create.blob
+^samba3.smb2.create.open
+^samba3.smb2.notify.rec
+^samba3.smb2.durable-open.delete_on_close2
+^samba3.smb2.durable-v2-open.app-instance
+^samba3.smb2.durable-open.reopen1a-lease\(ad_dc\)$
+^samba3.smb2.durable-open.stat-open\(ad_dc\)$
+^samba3.smb2.durable-v2-open.reopen1a-lease\(ad_dc\)$
+^samba4.smb2.ioctl.req_resume_key\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl.req_two_resume_keys\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl.copy_chunk_\w*\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl.copy-chunk streams\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl.bug14769\(ad_dc_ntvfs\) # not supported by s4 ntvfs server
+^samba4.smb2.ioctl-on-stream.ioctl-on-stream\(ad_dc_ntvfs\)
+^samba3.smb2.dir.one
+^samba3.smb2.dir.modify
+^samba3.smb2.oplock.batch20
+^samba3.smb2.oplock.stream1
+^samba3.smb2.streams.rename
+^samba3.smb2.streams.rename2
+^samba3.smb2.streams streams_xattr.rename\(nt4_dc\)
+^samba3.smb2.streams streams_xattr.rename2\(nt4_dc\)
+^samba3.smb2.getinfo.complex
+^samba3.smb2.getinfo.fsinfo # quotas don't work yet
+^samba3.smb2.setinfo.setinfo
+^samba3.smb2.session.*reauth5 # some special anonymous checks?
+^samba3.smb2.compound.interim2 # wrong return code (STATUS_CANCELLED)
+^samba3.smb2.compound.aio.interim2 # wrong return code (STATUS_CANCELLED)
+^samba3.smb2.lock.*replay_broken_windows # This tests the windows behaviour
+^samba3.smb2.lease.statopen3
+^samba3.smb2.lease.unlink # we currently do not downgrade RH lease to R after unlink
+^samba4.smb2.ioctl.compress_notsup.*\(ad_dc_ntvfs\)
+^samba3.raw.session.*reauth2 # maybe fix this?
+^samba3.rpc.lsa.secrets.seal # This gives NT_STATUS_LOCAL_USER_SESSION_KEY
+^samba3.rpc.samr.passwords.badpwdcount.samr.badPwdCount\(nt4_dc\) # We fail this test currently
+^samba3.rpc.samr.passwords.lockout.*\(nt4_dc\)$ # We fail this test currently
+^samba3.rpc.spoolss.printer.addprinter.driver_info_winreg # knownfail or flapping?
+^samba3.rpc.spoolss.printer.addprinterex.driver_info_winreg # knownfail or flapping?
+^samba3.rpc.spoolss.printer.*.publish_toggle\(.*\)$ # needs spoolss AD member env
+^samba3.rpc.spoolss.printer.*.log_jobinfo\(.*\)$ # not implemented yet
+^samba3.rpc.spoolss.printserver.*.addpermachineconnection\(.*\)$ # not implemented yet
+^samba3.rpc.spoolss.printserver.*.add_processor\(.*\)$
+^samba3.rpc.spoolss.printserver.*.get_core_printer_drivers\(.*\)$
+^samba3.rpc.spoolss.printserver.*.get_printer_driver_package_path\(.*\)$
+^samba4.rpc.fsrvp # fsrvp server only provided by smbd
+#
+# The following tests fail against ad_dc (aka s3fs) currently.
+# These need to be examined and either fixed or correctly categorised.
+# but in the interests of ensuring we do not regress, we run the tests
+# and list the current failures here.
+#
+^samba3.rpc.eventlog.eventlog.GetLogIntormation\(ad_dc\)
+^samba3.rpc.eventlog.eventlog.FlushEventLog\(ad_dc\)
+^samba3.rpc.eventlog.eventlog.ReportEventLog\(ad_dc\)
+^samba3.rpc.eventlog.eventlog.ReadEventLog\(ad_dc\)
+^samba3.rpc.eventlog.eventlog.GetNumRecords\(ad_dc\)
+^samba3.rpc.eventlog.eventlog.OpenEventLog\(ad_dc\)
+^samba3.rap.basic.netsessiongetinfo\(ad_dc_smb1\)
+# not implemented
+^samba3.rpc.svcctl.svcctl.ChangeServiceConfigW\(ad_dc\)
+^samba3.rpc.svcctl.svcctl.ChangeServiceConfigW\(nt4_dc\)
+#
+# This makes less sense when not running against an AD DC
+#
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U against ad_member
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G against ad_member
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U check for sane mapping
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping
+^samba.wbinfo_simple.allocate-uid.wbinfo\(ad_dc_ntvfs:local\)
+^samba.wbinfo_simple.allocate-gid.wbinfo\(ad_dc_ntvfs:local\)
+^samba.wbinfo_simple.allocate-uid.wbinfo\(s4member:local\)
+^samba.wbinfo_simple.allocate-gid.wbinfo\(s4member:local\)
+^samba.wbinfo_simple.allocate-uid.wbinfo\(ad_dc:local\)
+^samba.wbinfo_simple.allocate-gid.wbinfo\(ad_dc:local\)
+^samba.wbinfo_simple.allocate-uid.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.allocate-gid.wbinfo\(chgdcpass:local\)
+^samba.wbinfo_simple.allocate-uid.wbinfo\(rodc:local\)
+^samba.wbinfo_simple.allocate-gid.wbinfo\(rodc:local\)
+#
+# These do not work against winbindd in member mode for unknown reasons
+#
+^samba4.winbind.struct.domain_info\(s4member:local\)
+^samba4.winbind.struct.getdcname\(s4member:local\)
+#
+# These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
+# hence we have a duplicate UID in nsswitch.
+#
+^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc_ntvfs:local\)
+^samba3.local.nss.reentrant enumeration\(ad_dc_ntvfs:local\)
+^samba3.local.nss.enumeration\(ad_dc_ntvfs:local\)
+^samba3.local.nss.reentrant enumeration crosschecks\(ad_dc:local\)
+^samba3.local.nss.reentrant enumeration\(ad_dc:local\)
+^samba3.local.nss.enumeration\(ad_dc:local\)
+#
+# These do not work against winbindd in member mode for unknown reasons
+#
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U against ad_member\(ad_member:local\)
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -U check for sane mapping\(ad_member:local\)
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G against ad_member\(ad_member:local\)
+^samba.blackbox.wbinfo\(ad_member:local\).wbinfo -G check for sane mapping\(ad_member:local\)
+^samba4.winbind.struct.getdcname\(ad_member:local\)
+^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
+^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
+#
+# This will fail against the classic DC, because it requires kerberos
+#
+^samba4.winbind.pac.*\(nt4_member:local\) # No KDC on a classic DC
+#
+# This fails because our python bindings create python Lists, not a type
+# we can watch for set methods on.
+#
+^samba.tests.dcerpc.integer.samba.tests.dcerpc.integer.IntegerTests.test_.*_into_uint8_list
+#
+# Samba sort takes a primative approach to unicode sort. These tests
+# match Windows 2012R2 behaviour.
+#
+^samba4.ldap.sort.python.+UnicodeSortTests
+#
+## We assert all "ldap server require strong auth" combinations
+#
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
+^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
+^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
+# These are supposed to fail as we want to verify the "tls verify peer"
+# restrictions. Note that fl2008r2dc uses a self-signed certificate
+# with does not have a crl file.
+#
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
+#
+# we don't allow auth_level_connect anymore...
+#
+^samba3.blackbox.rpcclient.*ncacn_np.*with.*connect.*rpcclient # we don't allow auth_level_connect anymore
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_two_chain_not_matching_qtype
+# ad_dc requires signing
+#
+^samba4.smb.signing.*disabled.*client-protection=off.*\(ad_dc\)
+# fl2000dc doesn't support AES
+^samba4.krb5.kdc.*as-req-aes.fl2000dc
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
+^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.member.creds.*as.user.*_member
+^samba3.blackbox.smbclient_auth.plain.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user.*_member
+#nt-vfs server blocks read with execute access
+^samba4.smb2.read.access
+#ntvfs server blocks copychunk with execute access on read handle
+^samba4.smb2.ioctl.copy_chunk_bad_access
+^samba4.drs.getnc_exop.python.*getnc_exop.DrsReplicaPrefixMapTestCase.test_regular_prefix_map_ex_attid.*
+# We don't support NDR64 yet, so we generate the wrong FAULT code
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_no_auth_presentation_ctx_invalid4
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_spnego_change_auth_type2
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_spnego_change_transfer
+# NETLOGON is disabled in any non-DC environments
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_2nd_cancel_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_08_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_cancel_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_cmpx_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_didnot_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_maybe_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_first_only_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_fragmented_requests01\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_fragmented_requests02\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_fragmented_requests03\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_fragmented_requests04\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_fragmented_requests05\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_last_cancel_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_last_only_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_mix_requests\(ad_member\)
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_none_only_requests\(ad_member\)
+
+^samba4.rpc.echo.*on.*with.object.echo.doublepointer.*nt4_dc
+^samba4.rpc.echo.*on.*with.object.echo.surrounding.*nt4_dc
+^samba4.rpc.echo.*on.*with.object.echo.enum.*nt4_dc
+^samba4.rpc.echo.*on.*with.object.echo.testcall.*nt4_dc
+^samba4.rpc.echo.*on.*with.object.echo.testcall2.*nt4_dc
+^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_add_duplicate_different_type.*
+^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_rank_none.*
+^samba.tests.dcerpc.dnsserver.samba.tests.dcerpc.dnsserver.DnsserverTests.test_security_descriptor.*
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dbcheck_dangling_multi_valued_clean
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1.dangling_multi_valued_check_missing
+
+# We currently don't send referrals for LDAP modify of non-replicated attrs
+^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
+# NETLOGON is disabled in any non-DC environments
+^samba.tests.netlogonsvc.python\(ad_member\)
+^samba.tests.netlogonsvc.python\(simpleserver\)
+^samba.tests.netlogonsvc.python\(fileserver\)
+# NTLM authentication is (intentionally) disabled in ktest
+^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ktest\)
+^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ad_dc_no_ntlm\)
+# Disabling NTLM means you can't use samr to change the password
+^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
+^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
+
diff --git a/selftest/knownfail.d/README b/selftest/knownfail.d/README
new file mode 100644
index 0000000..6f0262a
--- /dev/null
+++ b/selftest/knownfail.d/README
@@ -0,0 +1,8 @@
+# Files in this directory contain lists of regular expressions
+# matching the names of tests that are temporarily expected to fail.
+#
+# "make test" will not report failures for tests listed here and will consider
+# a successful run for any of these tests an error.
+#
+# Empty lines and lines beginning with '#' are ignored.
+# Please don't add tests to this README!
diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/selftest/knownfail.d/bug-14236
diff --git a/selftest/knownfail.d/complex_expressions b/selftest/knownfail.d/complex_expressions
new file mode 100644
index 0000000..8ec468a
--- /dev/null
+++ b/selftest/knownfail.d/complex_expressions
@@ -0,0 +1,4 @@
+# Ldb accepts invalid search expressions and returns weird results.
+.*samba.tests.complex_expressions.ComplexExpressionTests.test_largeint_invalid_expressions.*
+.*samba.tests.complex_expressions.ComplexExpressionTests.test_enum_invalid_expressions.*
+.*samba.tests.complex_expressions.ComplexExpressionTests.test_invalid_expressions.*
diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644
index 0000000..fcf4d46
--- /dev/null
+++ b/selftest/knownfail.d/dirsync
@@ -0,0 +1,13 @@
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_OBJ_SEC_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_unicodePwd_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_OBJECT_SECURITY_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.ConfidentialFilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_attr\(.*\)
+^samba4.ldap.dirsync.python\(.*\).__main__.FilteredDirsyncTests.test_dirsync_with_GET_CHANGES_insist_on_empty_element\(.*\)
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
new file mode 100644
index 0000000..fee2f2a
--- /dev/null
+++ b/selftest/knownfail.d/dns
@@ -0,0 +1,89 @@
+# These tests are expected to fail because we want to ensure that
+# unauthenicated updates are not permitted against the default
+# configuration, nor against an RODC
+
+samba.tests.dns.__main__.TestDNSUpdates.test_delete_record\(rodc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_readd_record\(rodc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_update_add_mx_record\(rodc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_update_add_txt_record\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_empty_txt_records\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_hex_char_txt_record\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_null_char_txt_record\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_null_padded_txt_record\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_slash_txt_record\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_two_txt_records\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_rpc_self_referencing_cname\(rodc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_delete_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_readd_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_update_add_mx_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestDNSUpdates.test_update_add_txt_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_empty_txt_records\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_hex_char_txt_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_null_char_txt_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_null_padded_txt_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_slash_txt_record\(vampire_dc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_two_txt_records\(vampire_dc:local\)
+samba.tests.dns.__main__.TestComplexQueries.test_cname_two_chain\(rodc:local\)
+samba.tests.dns.__main__.TestComplexQueries.test_one_a_query\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_empty_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_hex_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_null_char_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_padding_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_slash_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_two_rpc_to_dns\(rodc:local\)
+samba.tests.dns.__main__.TestRPCRoundtrip.test_update_add_txt_rpc_to_dns\(rodc:local\)
+
+samba.tests.dns.__main__.TestZones.test_set_aging_disabled\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_set_aging_disabled\(vampire_dc:local\)
+
+samba.tests.dns.__main__.TestZones.test_soa_query\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_set_aging\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_update\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_update_disabled\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_refresh\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_rpc_add_no_timestamp\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_basic_scavenging\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_dns_tombstone_custom_match_rule\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_dns_tombstone_custom_match_rule_no_records\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_dns_tombstone_custom_match_rule_fail\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_dynamic_record_static_update\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_static_record_dynamic_update\(rodc:local\)
+samba.tests.dns.__main__.TestZones.test_fully_qualified_zone\(rodc:local\)
+
+samba.tests.dns.__main__.TestZones.test_set_aging\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_update\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_update_disabled\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_aging_refresh\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_basic_scavenging\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_dns_tombstone_custom_match_rule\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_dynamic_record_static_update\(vampire_dc:local\)
+samba.tests.dns.__main__.TestZones.test_static_record_dynamic_update\(vampire_dc:local\)
+
+samba.tests.dns.__main__.TestComplexQueries.test_cname_two_chain\(vampire_dc:local\)
+samba.tests.dns.__main__.TestComplexQueries.test_one_a_query\(vampire_dc:local\)
+
+# The SOA override should not pass against the RODC, it must not overstamp
+samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
+
+#
+# rodc and vampire_dc require signed dns updates, so these tests' setups
+# fail, but they pass on fl2003dc
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_A\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_AAAA\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_record_limit_SRV\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_limit\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(vampire_dc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_any_query\(rodc:local\)
+
+# Tests for the dnsProperty parse issue do not pass here, but do against fl2003dc
+^samba.tests.dns.__main__.TestZones.test_enum_zones_while_dnsProperty_zero_length\(rodc:local\)
+^samba.tests.dns.__main__.TestZones.test_rpc_zone_update_while_dnsProperty_zero_length\(rodc:local\)
+^samba.tests.dns.__main__.TestZones.test_rpc_zone_update_while_other_dnsProperty_zero_length\(rodc:local\)
+^samba.tests.dns.__main__.TestZones.test_update_while_dnsProperty_zero_length\(rodc:local\)
+^samba.tests.dns.__main__.TestZones.test_update_while_dnsProperty_zero_length\(vampire_dc:local\) \ No newline at end of file
diff --git a/selftest/knownfail.d/dns-aging b/selftest/knownfail.d/dns-aging
new file mode 100644
index 0000000..dd6998d
--- /dev/null
+++ b/selftest/knownfail.d/dns-aging
@@ -0,0 +1,78 @@
+# known failures for python/samba/tests/dns_aging.py
+#
+# These all pass on Windows, apart from test_basic_scavenging, which
+# fails due to technical issues.
+
+samba.tests.dns_aging.__main__.TestDNSAging.test_aging_refresh
+samba.tests.dns_aging.+test_dns_add_sibling_0_0_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_0_0_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_0_0_days_no_aging
+samba.tests.dns_aging.+test_dns_add_sibling_0_0_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_0_7_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_0_7_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_0_7_days_no_aging
+samba.tests.dns_aging.+test_dns_add_sibling_0_7_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_10_0_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_10_0_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_10_0_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_112_7_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_112_7_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_112_7_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_113_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_12_113_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_113_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_3_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_12_3_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_3_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_7_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_12_7_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_12_7_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_2_7_days_aging
+samba.tests.dns_aging.+test_dns_add_sibling_2_7_days_aging_touch
+samba.tests.dns_aging.+test_dns_add_sibling_2_7_days_no_aging_touch
+samba.tests.dns_aging.+test_add_update_dwSerial
+samba.tests.dns_aging.+test_add_update_dwSerial_2
+samba.tests.dns_aging.+test_add_update_many
+samba.tests.dns_aging.+test_add_update_ttl_serial
+samba.tests.dns_aging.+test_dns_delete_simple_0_0_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_0_113_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_10_0_days_aging
+samba.tests.dns_aging.+test_dns_delete_simple_10_0_days_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_10_0_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_112_113_days_aging
+samba.tests.dns_aging.+test_dns_delete_simple_112_113_days_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_112_113_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_12_13_days_aging
+samba.tests.dns_aging.+test_dns_delete_simple_12_13_days_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_12_13_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_2_13_days_no_aging_touch
+samba.tests.dns_aging.+test_dns_delete_simple_2_3_days_no_aging_touch
+samba.tests.dns_aging.+test_dynamic_record_static_update
+samba.tests.dns_aging.+test_multi_records_delete_aging
+samba.tests.dns_aging.+test_static_record_dynamic_update
+samba.tests.dns_aging.+test_update_aging_disabled\b
+samba.tests.dns_aging.+test_update_aging_disabled_beyond_refresh_window
+samba.tests.dns_aging.+test_update_aging_disabled_in_eighteenth_century
+samba.tests.dns_aging.+test_update_aging_disabled_in_no_refresh_window
+samba.tests.dns_aging.+test_update_aging_disabled_in_refresh_window
+samba.tests.dns_aging.+test_update_aging_disabled_on_no_refresh_boundary
+samba.tests.dns_aging.+test_update_aging_disabled_static
+samba.tests.dns_aging.+test_update_aging_enabled
+samba.tests.dns_aging.+test_update_aging_enabled_beyond_refresh_window
+samba.tests.dns_aging.+test_update_aging_enabled_in_eighteenth_century
+samba.tests.dns_aging.+test_update_aging_enabled_in_no_refresh_window
+samba.tests.dns_aging.+test_update_aging_enabled_in_refresh_window
+samba.tests.dns_aging.+test_update_aging_enabled_on_no_refresh_boundary
+samba.tests.dns_aging.+test_update_static_stickiness
+samba.tests.dns_aging.+test_update_timestamp_weirdness_no_refresh_no_aging
+samba.tests.dns_aging.+test_update_timestamp_weirdness_refresh_no_aging
+samba.tests.dns_aging.+test_AAAA_5_days_AAAA_6_days_aging
+samba.tests.dns_aging.+test_A_10_days_AAAA_5_days_aging
+samba.tests.dns_aging.+test_A_10_days_AAAA_5_days_no_aging
+samba.tests.dns_aging.+test_A_10_days_AAAA_9_days_aging
+samba.tests.dns_aging.+test_A_20_days_AAAA_2_days_aging
+samba.tests.dns_aging.+test_A_5_days_AAAA_10_days_aging
+samba.tests.dns_aging.+test_A_5_days_AAAA_5_days_aging
+samba.tests.dns_aging.+test_A_5_days_A_5_days_aging
+samba.tests.dns_aging.+test_A_9_days_AAAA_10_days_no_aging
+samba.tests.dns_aging.+test_samba_scavenging
diff --git a/selftest/knownfail.d/dns_packet b/selftest/knownfail.d/dns_packet
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/selftest/knownfail.d/dns_packet
diff --git a/selftest/knownfail.d/durable-v2-delay b/selftest/knownfail.d/durable-v2-delay
new file mode 100644
index 0000000..2a84749
--- /dev/null
+++ b/selftest/knownfail.d/durable-v2-delay
@@ -0,0 +1,2 @@
+# In the ad_dc env leases are disabled
+^samba3.smb2.durable-v2-delay.durable_v2_reconnect_delay_msec\(ad_dc\)
diff --git a/selftest/knownfail.d/empty-domain-name b/selftest/knownfail.d/empty-domain-name
new file mode 100644
index 0000000..a1ffcaf
--- /dev/null
+++ b/selftest/knownfail.d/empty-domain-name
@@ -0,0 +1,7 @@
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*nt4_member
+^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.upn.domain_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*nt4_member
+^samba3.blackbox.smbclient_auth.upn.member_creds.smbclient.*as.*user.*ad_member
diff --git a/selftest/knownfail.d/encrypted_secrets b/selftest/knownfail.d/encrypted_secrets
new file mode 100644
index 0000000..e25a68d
--- /dev/null
+++ b/selftest/knownfail.d/encrypted_secrets
@@ -0,0 +1,13 @@
+# The fl2000dc environment is provisioned with the --plaintext-secrets option
+# running the ecnrypted secrets tests on it and expecting them to fail.
+# verifies that:
+# * --plaintext-secrets option correctly provisions a domain
+# * the dsdb operational module correctly handles unencrypted secrets
+# * secrets are not stored as encrypted text when this option is specified
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_encrypted_secrets\(fl2000dc:local\)
+^samba.tests.encrypted_secrets.samba.tests.encrypted_secrets.EncryptedSecretsTests.test_required_features\(fl2000dc:local\)
+#
+# The tests for bug 13563 https://bugzilla.samba.org/show_bug.cgi?id=13653
+# should fail in the mdb case, as sam.ldb is currently a tdb file.
+#
+^samba.tests.blackbox.bug13653.samba.tests.blackbox.bug13653.Bug13653Tests.test_mdb_scheme
diff --git a/selftest/knownfail.d/getncchanges b/selftest/knownfail.d/getncchanges
new file mode 100644
index 0000000..bda9b31
--- /dev/null
+++ b/selftest/knownfail.d/getncchanges
@@ -0,0 +1,8 @@
+# GET_TGT tests currently only work for testenvs that send the links at the
+# same time as the source objects. Currently this is only the vampire_dc
+samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt\(promoted_dc\)
+samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_chain\(promoted_dc\)
+samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_and_anc\(promoted_dc\)
+samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\)
+# Samba chooses to always increment the USN for the NC root at the point where it would otherwise show up.
+samba4.drs.getncchanges.python\(.*\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_nc_is_first_nc_change_only\(
diff --git a/selftest/knownfail.d/initshutdown b/selftest/knownfail.d/initshutdown
new file mode 100644
index 0000000..0e8d76a
--- /dev/null
+++ b/selftest/knownfail.d/initshutdown
@@ -0,0 +1,3 @@
+# the initshutdown pipe is not provided by the AD DC
+^samba3.rpc.initshutdown.initshutdown.InitEx\(ad_dc\)
+^samba3.rpc.initshutdown.initshutdown.Init\(ad_dc\)
diff --git a/selftest/knownfail.d/kdc-salt b/selftest/knownfail.d/kdc-salt
new file mode 100644
index 0000000..a671e4d
--- /dev/null
+++ b/selftest/knownfail.d/kdc-salt
@@ -0,0 +1 @@
+^samba.tests.krb5.salt_tests.samba.tests.krb5.salt_tests.SaltTests.test_salt_upn_at_realm_user
diff --git a/selftest/knownfail.d/keytab b/selftest/knownfail.d/keytab
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/selftest/knownfail.d/keytab
diff --git a/selftest/knownfail.d/kinit_trust b/selftest/knownfail.d/kinit_trust
new file mode 100644
index 0000000..c4ac2ca
--- /dev/null
+++ b/selftest/knownfail.d/kinit_trust
@@ -0,0 +1,2 @@
+^samba4.blackbox.kinit_trust.Test login with.*kerberos ccache \(smbclient4\)\(fl2008r2dc:local\)
+^samba4.blackbox.kinit_trust.Test login with.* kerberos ccache \(smbclient4\)\(fl2003dc:local\)
diff --git a/selftest/knownfail.d/krb5-no-preauth b/selftest/knownfail.d/krb5-no-preauth
new file mode 100644
index 0000000..d6f20d0
--- /dev/null
+++ b/selftest/knownfail.d/krb5-no-preauth
@@ -0,0 +1,7 @@
+#
+# MIT and Heimdal currently fails some as_req_no_preauth tests against FL 2003. It is unclear if we should care.
+#
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*rc4.*aes.*fl2003dc
diff --git a/selftest/knownfail.d/labdc b/selftest/knownfail.d/labdc
new file mode 100644
index 0000000..65eafd5
--- /dev/null
+++ b/selftest/knownfail.d/labdc
@@ -0,0 +1,5 @@
+# Because the lab-DC testenv scrubs all user info (apart from the Admin),
+# we expect tests relying on other users' credentials to fail.
+# These tests fail because they use testallowed and testdenied users.
+^samba4.rpc.echo.testallowed.*labdc.*
+^samba4.rpc.echo.testdenied.*labdc.*
diff --git a/selftest/knownfail.d/ldap b/selftest/knownfail.d/ldap
new file mode 100644
index 0000000..0331d36
--- /dev/null
+++ b/selftest/knownfail.d/ldap
@@ -0,0 +1,3 @@
+# the attributes too long test returns the wrong error
+^samba4.ldap.python.+test_attribute_ranges_too_long
+samba4.ldap.python\(ad_dc_default\).*__main__.BasicTests.test_ldapSearchNoAttributes
diff --git a/selftest/knownfail.d/ldap_spn b/selftest/knownfail.d/ldap_spn
new file mode 100644
index 0000000..63f9fe0
--- /dev/null
+++ b/selftest/knownfail.d/ldap_spn
@@ -0,0 +1 @@
+samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns
diff --git a/selftest/knownfail.d/lm-hash-support-gone b/selftest/knownfail.d/lm-hash-support-gone
new file mode 100644
index 0000000..cced585
--- /dev/null
+++ b/selftest/knownfail.d/lm-hash-support-gone
@@ -0,0 +1,8 @@
+^samba4.blackbox.smbclient .*LANMAN*
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(ad_dc:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(ad_member:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(chgdcpass:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics_lm\(rodc:local\)
+# These fail as they expect no LM support (compared with the _lm test test does)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(nt4_dc:local\)
+^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(nt4_member:local\)
diff --git a/selftest/knownfail.d/lzxpress b/selftest/knownfail.d/lzxpress
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/selftest/knownfail.d/lzxpress
diff --git a/selftest/knownfail.d/modify-order b/selftest/knownfail.d/modify-order
new file mode 100644
index 0000000..76d538e
--- /dev/null
+++ b/selftest/knownfail.d/modify-order
@@ -0,0 +1,8 @@
+samba4.ldap_modify_order.python.+ModifyOrderTests.test_modify_order_account_locality_device
+samba4.ldap_modify_order.python.+ModifyOrderTests.test_modify_order_container_flags_multivalue
+samba4.ldap_modify_order.python.+ModifyOrderTests.test_modify_order_objectclass2
+samba4.ldap_modify_order.python.+ModifyOrderTests.test_modify_order_singlevalue
+samba4.ldap_modify_order.normal_user.+ModifyOrderTests.test_modify_order_account_locality_device
+samba4.ldap_modify_order.normal_user.+ModifyOrderTests.test_modify_order_container_flags[^_]
+samba4.ldap_modify_order.normal_user.+ModifyOrderTests.test_modify_order_objectclass[^2]
+samba4.ldap_modify_order.normal_user.+ModifyOrderTests.test_modify_order_objectclass2
diff --git a/selftest/knownfail.d/multichannel b/selftest/knownfail.d/multichannel
new file mode 100644
index 0000000..6c91b55
--- /dev/null
+++ b/selftest/knownfail.d/multichannel
@@ -0,0 +1,7 @@
+^samba3.smb2.multichannel.oplocks.test2.nt4_dc # expects windows behavior => smb2 disable oplock break retry = yes
+^samba3.smb2.multichannel.oplocks.test3_windows.nt4_dc # expects windows behavior => smb2 disable oplock break retry = yes
+^samba3.smb2.multichannel.oplocks.test3_specification.ad_dc # expects samba (MS-SMB2) behavior
+^samba3.smb2.multichannel.leases.test1.ad_dc # requires lease support
+^samba3.smb2.multichannel.leases.test2.ad_dc # requires lease support
+^samba3.smb2.multichannel.leases.test3.ad_dc # requires lease support
+^samba3.smb2.multichannel.leases.test4.ad_dc # requires lease support
diff --git a/selftest/knownfail.d/netlogon b/selftest/knownfail.d/netlogon
new file mode 100644
index 0000000..b51bf88
--- /dev/null
+++ b/selftest/knownfail.d/netlogon
@@ -0,0 +1,4 @@
+# This test passes against Windows 2008R2, but not Samba as we
+# keep a per-socket cache in addition to the name cache, which is
+# not invalidated if the name-based global cache is used.
+^samba4\.rpc\.netlogon.*\.netlogon\.ServerReqChallengeReuseGlobal3 \ No newline at end of file
diff --git a/selftest/knownfail.d/nt-hash-support-gone b/selftest/knownfail.d/nt-hash-support-gone
new file mode 100644
index 0000000..55ec47d
--- /dev/null
+++ b/selftest/knownfail.d/nt-hash-support-gone
@@ -0,0 +1,9 @@
+^samba4.ldap.login_basics.python.ad_dc_no_ntlm..__main__.BasicUserAuthTests.test_login_basics_ntlm.ad_dc_no_ntlm
+^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_attempt_reuse_2.ad_dc_no_ntlm
+^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_simple_bind_2.ad_dc_no_ntlm
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_attempt_reuse.fl2003dc
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_rename_attempt_reuse.fl2003dc
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_rename_attempt_reuse_2.fl2003dc
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_rename_simple_bind.fl2003dc
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_rename_simple_bind_2.fl2003dc
+^samba4.ldap.passwords.python.fl2003dc..__main__.PasswordTests.test_old_password_simple_bind.fl2003dc
diff --git a/selftest/knownfail.d/ntlmv1-restrictions b/selftest/knownfail.d/ntlmv1-restrictions
new file mode 100644
index 0000000..c5e915a
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv1-restrictions
@@ -0,0 +1,5 @@
+# These tests should fail in these environments, as we restrict NTLMv1
+# in both of these, with vampire_dc however allowing MSCHAPv2
+samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExNTLM\(vampire_dc\)
+samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExMSCHAPv2\(promoted_dc\)
+samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonExNTLM\(promoted_dc\)
diff --git a/selftest/knownfail.d/ntlmv2-restrictions b/selftest/knownfail.d/ntlmv2-restrictions
new file mode 100644
index 0000000..cc67df8
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv2-restrictions
@@ -0,0 +1,2 @@
+# 'raw NTLMv2 auth' is not enabled on ad_member
+^samba4.smb.signing disabled on with -k no --option=clientusespnego=no --client-protection=off domain-creds.xcopy\(ad_member\)
diff --git a/selftest/knownfail.d/oneway b/selftest/knownfail.d/oneway
new file mode 100644
index 0000000..4a182f0
--- /dev/null
+++ b/selftest/knownfail.d/oneway
@@ -0,0 +1,9 @@
+# One way trust, the first one is weird (smbclient4), the rest are logical
+^samba4.blackbox.kinit_trust.Test login with user kerberos ccache \(smbclient4\)\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.Test user login with the first outgoing secret\(fl2000dc:local\)
+^samba4.blackbox.kinit_trust.Test user login with the changed outgoing secret\(fl2000dc:local\)
+# More one-way trust
+^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust default both\(fl2000dc:local\)
+^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust reverse both\(fl2000dc:local\)
+^samba4.blackbox.trust_utils\(fl2000dc:local\).validate trust reverse local\(fl2000dc:local\)
+^samba4.blackbox.trust_utils\(fl2000dc:local\).namespaces own default\(fl2000dc:local\)
diff --git a/selftest/knownfail.d/priv_attr b/selftest/knownfail.d/priv_attr
new file mode 100644
index 0000000..5d3713e
--- /dev/null
+++ b/selftest/knownfail.d/priv_attr
@@ -0,0 +1,13 @@
+# These priv_attrs tests would be good to fix, but are not fatal as
+# the testsuite is run twice, once with and once without STRICT_CHECKING=0
+#
+# These knownfails show that we can improve our error matching against Windows.
+#
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_WP_computer
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_WP_user
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_default_computer
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_CC_default_user
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_admin-add_WP_computer
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_admin-add_WP_user
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_admin-add_default_computer
+samba4.priv_attrs.strict.python\(.*\).__main__.PrivAttrsTests.test_priv_attr_sidHistory_add_admin-add_default_user
diff --git a/selftest/knownfail.d/protected_users b/selftest/knownfail.d/protected_users
new file mode 100644
index 0000000..1ada787
--- /dev/null
+++ b/selftest/knownfail.d/protected_users
@@ -0,0 +1,2 @@
+^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_change_password_protected.ad_dc_slowtests
+^samba4.ldap.password_lockout.python\(ad_dc_slowtests\).__main__.PasswordTestsWithoutSleep.test_samr_set_password_protected.ad_dc_slowtests
diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults
new file mode 100644
index 0000000..d129dab
--- /dev/null
+++ b/selftest/knownfail.d/python-segfaults
@@ -0,0 +1,3 @@
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_dnsp_string_list
+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_dns_record
diff --git a/selftest/knownfail.d/quota1 b/selftest/knownfail.d/quota1
new file mode 100644
index 0000000..a36f325
--- /dev/null
+++ b/selftest/knownfail.d/quota1
@@ -0,0 +1,2 @@
+# ntvfs returns NT_STATUS_NOT_SUPPORTED
+^samba3.smbtorture_s3.plain.SMB2-QUOTA1.smbtorture\(ad_dc_ntvfs\)
diff --git a/selftest/knownfail.d/replica_sync b/selftest/knownfail.d/replica_sync
new file mode 100644
index 0000000..1ef77b0
--- /dev/null
+++ b/selftest/knownfail.d/replica_sync
@@ -0,0 +1,8 @@
+# Samba currently picks a different winner of object conflicts compared to Windows.
+# Samba uses the version number whereas Windows always takes the most recent change
+samba4.drs.replica_sync.python\(vampire_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplConflictsRenamedVsNewRemoteWin\(vampire_dc:local\)
+samba4.drs.replica_sync.python\(promoted_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplConflictsRenamedVsNewRemoteWin\(promoted_dc:local\)
+samba4.drs.replica_sync.python\(vampire_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplConflictsRenamedVsNewLocalWin\(vampire_dc:local\)
+samba4.drs.replica_sync.python\(promoted_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplConflictsRenamedVsNewLocalWin\(promoted_dc:local\)
+samba4.drs.replica_sync.python\(vampire_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplReanimationConflict\(vampire_dc:local\)
+samba4.drs.replica_sync.python\(promoted_dc\).replica_sync.DrsReplicaSyncTestCase.test_ReplReanimationConflict\(promoted_dc:local\)
diff --git a/selftest/knownfail.d/rpc-dfs b/selftest/knownfail.d/rpc-dfs
new file mode 100644
index 0000000..8ab72ff
--- /dev/null
+++ b/selftest/knownfail.d/rpc-dfs
@@ -0,0 +1,2 @@
+#_dfs_EnumEx() is not implemented on RPC server side
+^samba3.blackbox.rpcclient_dfs.dfsenumex
diff --git a/selftest/knownfail.d/rpc-netlogon-zerologon b/selftest/knownfail.d/rpc-netlogon-zerologon
new file mode 100644
index 0000000..29d2e6e
--- /dev/null
+++ b/selftest/knownfail.d/rpc-netlogon-zerologon
@@ -0,0 +1,4 @@
+#
+# Due to differences in the way UTF-16 strings are handled by the source4 and
+# source3 rpc servers, this test fails on the source3 rpc server
+^samba3.rpc.netlogon.zerologon.netlogon.test_SetPassword2_maximum_length_password\(nt4_dc\)
diff --git a/selftest/knownfail.d/rw-invalid b/selftest/knownfail.d/rw-invalid
new file mode 100644
index 0000000..ac5fe57
--- /dev/null
+++ b/selftest/knownfail.d/rw-invalid
@@ -0,0 +1 @@
+samba4.smb2.rw.invalid.ad_dc_ntvfs
diff --git a/selftest/knownfail.d/s3-logging b/selftest/knownfail.d/s3-logging
new file mode 100644
index 0000000..76466dc
--- /dev/null
+++ b/selftest/knownfail.d/s3-logging
@@ -0,0 +1 @@
+samba.tests.logfiles.*S3LoggingTests.test_all_different_ways_cmdline_d\b
diff --git a/selftest/knownfail.d/s3-lsa-server b/selftest/knownfail.d/s3-lsa-server
new file mode 100644
index 0000000..de1244f
--- /dev/null
+++ b/selftest/knownfail.d/s3-lsa-server
@@ -0,0 +1 @@
+^samba4.blackbox.trust_ntlm.Test08.rpcclient.lookupnames.with.ADDOM.SAMBA.EXAMPLE.COM\(ad_member:local\)
diff --git a/selftest/knownfail.d/samba-4.5-emulation b/selftest/knownfail.d/samba-4.5-emulation
new file mode 100644
index 0000000..1fc7936
--- /dev/null
+++ b/selftest/knownfail.d/samba-4.5-emulation
@@ -0,0 +1,4 @@
+# This fails as there is no second DC in this enviroment, so it is always the owner
+samba4.drs.getnc_exop.python\(chgdcpass\).getnc_exop.DrsReplicaSyncTestCase.test_FSMONotOwner\(chgdcpass\)
+# This fails because GET_ANC is now poorly implemented (matching Samba 4.5)
+^samba4.drs.getnc_exop.python\(chgdcpass\).getnc_exop.DrsReplicaSyncTestCase.test_link_utdv_hwm\(chgdcpass\)
diff --git a/selftest/knownfail.d/samba3.vfs.fruit b/selftest/knownfail.d/samba3.vfs.fruit
new file mode 100644
index 0000000..6307e2b
--- /dev/null
+++ b/selftest/knownfail.d/samba3.vfs.fruit
@@ -0,0 +1,2 @@
+^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion\(nt4_dc\)
+^samba3.vfs.fruit streams_depot.OS X AppleDouble file conversion without embedded xattr\(nt4_dc\)
diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
new file mode 100644
index 0000000..6953643
--- /dev/null
+++ b/selftest/knownfail.d/sid-strings
@@ -0,0 +1,3 @@
+^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_Aa.ad_dc
+^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aA.ad_dc
+^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aa.ad_dc
diff --git a/selftest/knownfail.d/smb1-tests b/selftest/knownfail.d/smb1-tests
new file mode 100644
index 0000000..b5263f2
--- /dev/null
+++ b/selftest/knownfail.d/smb1-tests
@@ -0,0 +1,52 @@
+^samba3.blackbox.smbclient_ntlm.plain.*NT1.smbclient username.password.NT1OLD\((ad_member|fl2000dc|nt4_member)\)
+^samba3.blackbox.smbclient_ntlm.plain.*NT1.smbclient username.password.NT1NEW\((ad_member|fl2000dc|nt4_member)\)
+^samba3.blackbox.smbclient_ntlm.plain.*NT1.smbclient anonymous.nopassword.NT1OLD\((ad_member|fl2000dc|nt4_member)\)
+^samba3.blackbox.smbclient_ntlm.plain.*NT1.smbclient anonymous.nopassword.NT1NEW\((ad_member|fl2000dc|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.smbclient -L.*\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.smbclient -L LOCALADMEMBER -I.*\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.noninteractive smbclient does not prompt\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.noninteractive smbclient -l does not prompt\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.interactive smbclient prompts on stdout\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.interactive smbclient -l prompts on stdout\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.creating a bad symlink and deleting it\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Accessing an MS-DFS link\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.del on MS-DFS share\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.deltree on MS-DFS share\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Ensure archive bit is set correctly on file/dir rename\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.ccache access works for smbclient\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.using an authentication file\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.list with backup privilege\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.list a share with bad names \(won't convert\)\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.list a share with a mangled name \+ acl_xattr object\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.server-side file copy\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Ensure widelinks are restricted\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.stream_xattr attributes\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.follow symlinks = no\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.smbclient deltree command\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.server os message\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.test server quiet message\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.setmode test\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.utimes\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.rename_dotdot\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.volume\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.delete a non empty directory\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Recursive ls across MS-DFS links\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Hardlink on MS-DFS share\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.NT1.(plain|sign).member_creds.Rename on MS-DFS share\((ad_member|nt4_member)\)
+^samba3.blackbox.smbclient_s3.*valid.users.nt4.*
+^samba3.blackbox.smbclient_s3.NT1.*valid.users.*
+^samba3.unix.whoami machine account.whoami\(ad_member:local\)
+^samba3.unix.whoami.whoami\(nt4_member\)
+^samba3.unix.whoami anonymous connection.whoami\(nt4_member\)
+^samba3.unix.whoami.whoami\(ad_member\)
+^samba3.unix.whoami kerberos connection.whoami\(ad_member\)
+^samba3.unix.whoami anonymous connection.whoami\(ad_member\)
+^samba3.unix.whoami ntlm user@realm.whoami\(ad_member\)
+^samba4.smb.signing disabled on with -k no --client-protection=off domain-creds.xcopy\(ad_member\)
+^samba4.smb.signing disabled on with -k no --option=gensec:spengo=no --client-protection=off domain-creds.xcopy\(ad_member\)
+^samba4.smb.signing disabled on with -k yes --client-protection=off domain-creds.xcopy\(ad_member\)
+^samba4.blackbox.smbclient\(ad_member:local\).Test login with --machine-pass without kerberos\(ad_member:local\)
+^samba4.blackbox.smbclient\(ad_member:local\).Test login with --machine-pass and kerberos\(ad_member:local\)
+^samba4.blackbox.smbclient\(chgdcpass:local\).Test login with --machine-pass without kerberos\(chgdcpass:local\)
+^samba4.blackbox.smbclient\(chgdcpass:local\).Test login with --machine-pass and kerberos\(chgdcpass:local\)
+^samba3.blackbox.smbclient_basic.NT1.smbclient as NT4SCHANNEL.*\(nt4_dc_schannel\)
diff --git a/selftest/knownfail.d/smb2.replay b/selftest/knownfail.d/smb2.replay
new file mode 100644
index 0000000..4cac807
--- /dev/null
+++ b/selftest/knownfail.d/smb2.replay
@@ -0,0 +1,29 @@
+# These tests demonstrate the broken Windows behavior
+# and check for ACCESS_DENIED instead of FILE_NOT_AVAILABLE
+# See https://bugzilla.samba.org/show_bug.cgi?id=14449
+^samba3.smb2.replay.dhv2-pending1n-vs-violation-lease-close-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1n-vs-violation-lease-ack-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1n-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1n-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1l-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1l-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1o-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1o-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2n-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2n-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2l-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2l-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2o-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending2o-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3n-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3n-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3l-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3l-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3o-vs-oplock-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending3o-vs-lease-windows.nt4_dc
+^samba3.smb2.replay.dhv2-pending1n-vs-oplock-windows.ad_dc
+^samba3.smb2.replay.dhv2-pending1o-vs-oplock-windows.ad_dc
+^samba3.smb2.replay.dhv2-pending2n-vs-oplock-windows.ad_dc
+^samba3.smb2.replay.dhv2-pending2o-vs-oplock-windows.ad_dc
+^samba3.smb2.replay.dhv2-pending3n-vs-oplock-windows.ad_dc
+^samba3.smb2.replay.dhv2-pending3o-vs-oplock-windows.ad_dc
diff --git a/selftest/knownfail.d/smb2.session b/selftest/knownfail.d/smb2.session
new file mode 100644
index 0000000..a85fb37
--- /dev/null
+++ b/selftest/knownfail.d/smb2.session
@@ -0,0 +1,4 @@
+# These tests fail with INVALID_PARAMETER as
+# we required the same client guid for session binds
+^samba3.smb2.session.*.bind_negative_smb3signCtoHd
+^samba3.smb2.session.*.bind_negative_smb3signHtoCd
diff --git a/selftest/knownfail.d/smbcacls b/selftest/knownfail.d/smbcacls
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/selftest/knownfail.d/smbcacls
diff --git a/selftest/knownfail.d/smbclient-smb3 b/selftest/knownfail.d/smbclient-smb3
new file mode 100644
index 0000000..119e93e
--- /dev/null
+++ b/selftest/knownfail.d/smbclient-smb3
@@ -0,0 +1,5 @@
+^samba3.blackbox.smbclient_s3.SMB3.*.creating.a.bad.symlink.and.deleting.it
+^samba3.blackbox.acl_xattr.SMB3.nt_affects_posix
+^samba3.blackbox.acl_xattr.SMB3.nt_affects_chown
+^samba3.blackbox.acl_xattr.SMB3.nt_affects_chgrp
+^samba3.blackbox.inherit_owner.*.SMB3.*unix.owner
diff --git a/selftest/knownfail.d/source3-epmapper b/selftest/knownfail.d/source3-epmapper
new file mode 100644
index 0000000..0a731ec
--- /dev/null
+++ b/selftest/knownfail.d/source3-epmapper
@@ -0,0 +1,2 @@
+^samba3.rpc.epmapper\ over\ ncalrpc.epmapper.Map_full\(nt4_dc:local\)
+^samba3.rpc.epmapper\ over\ ncalrpc.epmapper.Insert_noreplace\(nt4_dc:local\)
diff --git a/selftest/knownfail.d/srvsvc b/selftest/knownfail.d/srvsvc
new file mode 100644
index 0000000..63444c8
--- /dev/null
+++ b/selftest/knownfail.d/srvsvc
@@ -0,0 +1,24 @@
+# Except where noted these are missing RPCs with just give a simple
+# fault (mapped to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareGetInfo\(ad_member\)
+# Level 501 is supported in the s3 srvsrv server
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareEnum\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetTransportEnum\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareEnumAll\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetCharDevQEnum\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetCharDevEnum\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareGetInfo\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareEnum\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareEnumAll\(ad_member\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareGetInfo\(ad_dc\)
+# Level 501 is supported in the s3 srvsrv server
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareEnum\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetTransportEnum\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetShareEnumAll\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetCharDevQEnum\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc \(admin access\).NetCharDevEnum\(ad_dc\)
+# These should be fixed by setting 'restrict anonymous = 2' by default
+# per https://bugzilla.samba.org/show_bug.cgi?id=12775
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareGetInfo\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareEnum\(ad_dc\)
+^samba3.rpc.srvsvc.srvsvc anonymous access.NetShareEnumAll\(ad_dc\)
diff --git a/selftest/knownfail.d/uac_objectclass_restrict b/selftest/knownfail.d/uac_objectclass_restrict
new file mode 100644
index 0000000..a9ed5e8
--- /dev/null
+++ b/selftest/knownfail.d/uac_objectclass_restrict
@@ -0,0 +1,17 @@
+# Knownfail entries due to restricting the creation of computer/user
+# accounts (in terms of userAccountControl) that do not match the objectclass
+#
+# All these tests need to be fixed and the entries here removed
+
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-DC_add_CC_WP_user\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-DC_add_CC_default_user\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_WP_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_add_CC_default_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_mod-del-add_CC_default_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-a2d-user_mod-replace_CC_default_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-user_add_CC_WP_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-user_add_CC_default_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-user_mod-del-add_CC_default_computer\(ad_dc_default\)
+^samba4.priv_attrs.strict.python\(ad_dc_default\).__main__.PrivAttrsTests.test_priv_attr_userAccountControl-t4d-user_mod-replace_CC_default_computer\(ad_dc_default\)
+^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_add_computer_sd_cc\(ad_dc_default\)
+^samba4.user_account_control.python\(ad_dc_default\).__main__.UserAccountControlTests.test_mod_computer_cc\(ad_dc_default\)
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
new file mode 100644
index 0000000..bcbedb4
--- /dev/null
+++ b/selftest/knownfail.d/upn_handling
@@ -0,0 +1,8 @@
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage
new file mode 100644
index 0000000..b8e0bbc
--- /dev/null
+++ b/selftest/knownfail.d/usage
@@ -0,0 +1,35 @@
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_autobuild_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_compare_cc_results_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_config_base.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_ctdb_etcd_lock.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_depfilter_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_dns_hub_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_gen_hresult_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_repl_cleartext_pwd_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_run_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_run_py_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_smbstatus.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_tests_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_tests_py_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptHelpTests.test_waf.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_chgtdcpass.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_findprovisionusnranges.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_machineaccountpw.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rebuildextendeddn.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_renamedc.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_repl_cleartext_pwd_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_rodcdns.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_gpupdate_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_kcc_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_spnupdate_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradedns_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_samba_upgradeprovision_.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_smbstatus.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s3_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_test_s4_howto_py.none.
+samba.tests.usage.samba.tests.usage.PythonScriptUsageTests.test_traffic_learner.none.
diff --git a/selftest/knownfail.d/vlv b/selftest/knownfail.d/vlv
new file mode 100644
index 0000000..7ae02ba
--- /dev/null
+++ b/selftest/knownfail.d/vlv
@@ -0,0 +1,2 @@
+samba4.ldap.vlv.python.*__main__.VLVTests.test_vlv_change_search_expr
+samba4.ldap.vlv.python.*__main__.PagedResultsTestsRW.test_paged_cant_change_controls_data
diff --git a/selftest/knownfail.d/wkssvc b/selftest/knownfail.d/wkssvc
new file mode 100644
index 0000000..37a0e67
--- /dev/null
+++ b/selftest/knownfail.d/wkssvc
@@ -0,0 +1,25 @@
+# We do not have a full implementation of wkssvc in source3, but we
+# have something worth testing
+samba3.rpc.wkssvc.wkssvc.NetrMessageBufferSend\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrWorkstationStatisticsGet\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrGetJoinableOus2\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrGetJoinableOus\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrGetJoinInformation\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrUnjoinDomain\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrJoinDomain\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrEnumerateComputerNames\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrAddAlternateComputerName\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrRemoveAlternateComputerName\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrLogonDomainNameAdd\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrLogonDomainNameDel\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrValidateName2\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrValidateName\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrUseAdd\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrUseEnum\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrUseGetInfo\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrUseDel\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrWkstaUserGetInfo\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrWkstaTransportAdd\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetrWkstaTransportDel\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetWkstaTransportEnum\(ad_member\)
+samba3.rpc.wkssvc.wkssvc.NetWkstaGetInfo\(ad_member\)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
new file mode 100644
index 0000000..4ae27ea
--- /dev/null
+++ b/selftest/knownfail_heimdal_kdc
@@ -0,0 +1,56 @@
+#
+# We expect all the MIT specific compatability tests to fail on heimdal
+# kerberos
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
+#
+# Heimdal currently fails the following MS-KILE client principal lookup
+# tests
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c
+#
+# FAST tests
+#
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_hide_client_names.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
+#
+# https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
+#
+# The KDC should not accept tickets from an RODC for accounts not in the msDS-RevealedUsers list.
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
+#
+# Protected Users tests
+#
+# This test fails, which is fine, as we have an alternate test that considers a policy error as successful.
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
+#
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
new file mode 100644
index 0000000..93ff633
--- /dev/null
+++ b/selftest/knownfail_mit_kdc
@@ -0,0 +1,2044 @@
+#
+# We expect all the heimdal specific compatability tests to fail on MIT
+# kerberos
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_
+#
+# Currently MOST but not quite all the Canonicalization tests fail on the
+# MIT KDC
+#
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\(
+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(ad_dc
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
+#
+# MIT currently returns an error code of 12 KRB5KDC_ERR_POLICY: KDC policy rejects request, to the
+# following tests
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
+#
+# KDC TGS PAC tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
+#
+# MIT currently fails the following MS-KILE tests.
+#
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_1
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_2
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_3
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c
+^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c
+#
+# MIT currently fails some as_req_no_preauth tests.
+#
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*rc4.*aes.*fl2003dc
+# Differences in our KDC compared to windows
+#
+^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
+#
+# fl2000dc doesn't support AES
+^samba4.krb5.kdc.*as-req-aes.*fl2000dc
+#
+# FAST tests
+#
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_ad_fx_fast_armor_ticket.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_authdata_fast_not_used.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_enc_timestamp.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_clock_skew.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_no_fast.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_wrong_key_kdc.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_checksum_tgt.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_invalid_tgt_mach.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_no_auth_data.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
+#
+# PAC tests
+#
+^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
+#
+# Alias tests
+#
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename
+#
+# KDC TGT tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rc4.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rc4.ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_req_invalid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_tgt_cname_host
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_denied
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_krbtgt_link
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_partial_secrets
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_allowed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket
+#
+# PAC attributes tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_pac_attrs
+#
+# PAC request tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_true
+#
+# PAC requester SID tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
+#
+# Protected Users tests
+#
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_rc4_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_rc4_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_not_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_not_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_mac_not_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_mac_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_not_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_rc4_protected_nested.ad_dc
+#
+# Kpasswd tests
+#
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
+#
+# Lockout tests
+#
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local
+^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_logon_kdc.ad_dc:local
+#
+# Encryption type tests
+#
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_session_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_session_aes_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_session_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_session_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_session_aes_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_session_rc4_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_session_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_rc4_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10004_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10010_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10020_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x14_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x18_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x1C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x20_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x38_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x3C_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x4_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x8_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_17_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_17_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18__requested_dc_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18__requested_member_account_stored_rc4_only.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_aes_supported_aes_session_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_aes_supported_rc4_requested.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_rc4_supported_aes_session_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_rc4_supported_aes_session_aes_requested.promoted_dc
+#
+# KDC compatibility
+#
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
+#
+# etype tests
+#
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10000_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10004_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10010_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10020_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x10_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x14_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x18_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x1C_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x20_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x24_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x28_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x2C_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x30_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x34_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x38_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x3C_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x4_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x8_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0xC_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_17_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_dc_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x24_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_23_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x28_supported_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x2C_supported_18__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_23_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x30_supported_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x34_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_17_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_requested_member_account_stored_aes_rc4
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18__requested_member_account_stored_aes_rc4
diff --git a/selftest/knownfail_mit_kdc_1_20 b/selftest/knownfail_mit_kdc_1_20
new file mode 100644
index 0000000..4a47ab9
--- /dev/null
+++ b/selftest/knownfail_mit_kdc_1_20
@@ -0,0 +1,9 @@
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_pre_1_20_ticket_signature
+#
+# FAST tests
+# https://github.com/krb5/krb5/pull/1225#issuecomment-996418770
+#
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_encrypted_challenge_as_req_self\(
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self\(
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_none\(
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_true\(
diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20
new file mode 100644
index 0000000..a32ae4c
--- /dev/null
+++ b/selftest/knownfail_mit_kdc_pre_1_20
@@ -0,0 +1,196 @@
+#
+# MIT KDC
+#
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_UPN\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_AsReqSelf\(
+^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_AsReqSelf\(
+#
+# KDC AS REQ tests
+#
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn(?!_)
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn_realm
+#
+# KDC COMPATABLITY
+#
+samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_ticket_signature
+#
+# KDC TGS PAC tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_client_no_auth_data_required\(ad_dc\)
+#
+# KDC TGT tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
+#
+# PAC tests
+#
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
+#
+# PAC attributes tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
+#
+# PAC request tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_constrained_delegation_old_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_existing_delegation_info\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_missing_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_missing_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_pac_options_rbcd\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_unkeyed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_unkeyed_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_zeroed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_zeroed_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_crc32_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_md5_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_sha1_unkeyed_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\(
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
new file mode 100644
index 0000000..15001a3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
new file mode 100644
index 0000000..2e2a8b9
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem
@@ -0,0 +1,191 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:25 2016 GMT
+ Not After : Mar 11 23:29:25 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:a6:c4:a9:bf:75:ea:4c:8d:3b:fd:8a:0f:b0:a2:
+ b6:c7:a8:1f:e4:0e:3e:41:ef:d6:10:48:77:7b:4e:
+ 4c:59:e1:bf:6d:c7:18:7b:a8:01:a7:d5:d2:2c:21:
+ 3e:d0:1a:da:58:03:e8:42:f1:53:0e:a7:91:b9:2c:
+ b9:e7:7a:c9:de:5e:ed:4c:93:6b:cc:dd:17:d0:c7:
+ d1:f1:7c:3d:0d:6f:df:5d:53:5a:b1:1f:a3:7b:5b:
+ 41:65:0c:7c:ea:53:df:bb:da:41:15:da:49:e3:b9:
+ 2d:bb:b5:af:ef:8c:b8:84:74:d0:18:16:8e:5c:e4:
+ c2:e7:a1:87:8f:e3:87:8b:0b:bb:90:30:e8:e0:f3:
+ eb:c0:50:5f:b5:7f:54:9a:1b:34:43:fd:be:5a:80:
+ 6e:0f:63:a2:b3:79:42:4a:85:c8:07:c7:82:55:23:
+ 88:d4:4e:03:2f:f1:95:bd:ed:15:2d:3e:16:cd:ff:
+ c7:9b:03:29:36:a6:5d:c9:1a:1e:89:a5:ba:66:83:
+ 0f:96:a8:07:9f:24:b9:1b:8f:02:9a:b8:50:29:8b:
+ be:63:45:fa:45:c3:38:23:a0:98:3a:b4:6b:42:99:
+ 13:36:4b:84:ef:27:89:39:34:79:f8:67:16:7b:9c:
+ 2a:03:41:15:63:46:e4:db:2f:f2:3e:6d:fe:7c:20:
+ 1e:9f:02:48:a4:bc:15:42:a6:f8:38:86:dc:6b:7c:
+ 4e:67:a3:31:81:8e:b6:30:1a:eb:3d:08:25:19:5f:
+ 42:dc:39:ec:79:1d:30:0a:fb:16:8f:3d:19:14:cc:
+ f5:af:d7:c6:75:cf:b3:96:a2:b2:9b:d9:03:01:a3:
+ ca:88:1d:72:ed:6f:d1:bf:57:56:8e:b9:07:9b:b9:
+ 04:13:1e:0b:5a:06:6b:2b:43:a2:dc:d5:b7:f4:ba:
+ d3:ae:9d:ad:fd:d3:8a:7c:2f:87:32:fa:89:88:58:
+ 00:ae:16:2b:9c:1d:58:82:4d:e5:21:da:d5:6c:f7:
+ a8:40:8b:c7:02:d5:36:30:ef:3f:09:9b:a6:d2:31:
+ a3:bf:20:d4:a2:9e:26:c4:b4:c3:0f:0b:6c:00:d1:
+ 2c:16:b1:2a:eb:06:d9:d5:98:c3:cd:cb:20:68:ad:
+ 0a:2c:a1:2f:27:41:5c:91:de:49:62:ed:d8:3a:ef:
+ 68:1c:6d:fe:94:c3:28:68:32:60:08:65:cd:02:9f:
+ 97:96:2f:0f:87:27:3d:b9:0f:85:62:e8:2b:9a:b4:
+ f4:d3:d7:c1:93:96:27:23:29:88:b1:39:99:53:3a:
+ 20:aa:88:44:3b:4a:24:2a:8b:e0:b4:8d:dd:66:30:
+ df:a6:6e:b7:fc:21:43:16:9e:3e:12:20:c8:7a:30:
+ c1:3d:ab
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate addc.addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:addc.addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 9e:8b:bb:0a:7a:dc:c0:94:33:bc:18:a5:e6:4a:1f:ff:8e:21:
+ b1:8f:33:f0:3e:8b:6c:72:55:c4:47:71:5f:ce:e7:31:ef:5b:
+ 62:04:b7:57:8f:a8:27:9f:ed:69:d2:ec:a8:0d:e2:76:33:8d:
+ 41:3a:67:61:5c:53:60:c7:53:ed:d7:99:72:29:1d:ae:d3:ee:
+ c9:76:1c:6d:18:47:e9:94:dd:2e:97:3f:99:af:b5:f4:a1:7c:
+ 92:f6:4d:b5:c1:7a:0c:38:ba:d1:b6:19:9a:9f:e2:02:84:d4:
+ 54:01:38:7b:55:86:4a:ee:3d:85:48:01:da:34:09:69:43:25:
+ 7e:6e:06:73:e0:b9:7c:b5:9c:4e:9c:b5:52:85:32:62:62:25:
+ 39:fa:02:4b:51:2e:df:8e:52:17:02:50:f4:99:29:bf:7e:97:
+ 53:91:12:85:9a:69:62:45:59:c4:5b:3f:af:18:e6:7b:e4:86:
+ 5d:f1:9e:5a:2b:3e:14:6e:7e:d4:47:24:ef:d9:a8:ec:d9:a6:
+ cb:b8:4f:1a:86:d9:43:20:41:16:15:5f:81:0d:fe:6b:31:53:
+ c1:f6:84:4c:f3:03:64:d2:e6:44:3d:7a:60:79:d7:37:6f:33:
+ de:c0:a8:b9:6e:fe:b2:79:ac:b4:53:92:b8:0a:59:2b:cc:6b:
+ 37:c4:6f:c6:44:02:f7:7c:c5:c6:a6:6f:c2:ad:de:78:1e:48:
+ 96:cc:fe:59:2e:53:ce:34:d6:e8:f0:56:43:30:32:90:6f:f9:
+ 47:76:ab:99:63:e3:e8:a3:f3:83:98:e9:05:2b:ea:f9:f9:9d:
+ 66:70:c7:2c:00:c2:9e:57:3e:31:43:50:50:c8:db:a8:2d:21:
+ 4e:6f:39:c2:bd:ef:d8:47:99:27:0d:48:b2:58:f1:be:45:bd:
+ fe:c4:a2:56:fc:06:02:dc:19:33:85:53:ed:38:59:01:16:bc:
+ aa:c5:d3:4b:37:54:83:1b:e5:c1:4b:dd:34:6b:e5:d8:35:86:
+ 95:e6:9f:d2:22:84:b1:e2:4f:a7:2e:4d:e6:9c:eb:db:df:42:
+ e1:b4:66:e6:58:d3:28:10:34:97:f3:9c:6b:5f:05:2c:47:2c:
+ e3:75:eb:6f:74:0a:ec:d7:1d:30:80:56:44:12:26:f6:4e:5f:
+ ff:92:f4:62:02:36:9c:62:eb:39:98:53:68:68:95:fb:94:68:
+ 69:b8:3c:66:1a:ce:78:c4:cf:c4:6f:21:ac:a8:a6:f4:ab:69:
+ 2a:2e:00:5d:f7:67:06:b1:4f:97:58:88:55:d8:6e:eb:a5:98:
+ 50:36:21:70:3d:b0:a4:f5:3b:21:b3:1c:f5:a9:dd:c6:4a:c2:
+ 89:b8:5a:b3:bc:1f:21:ce:4c:68:5f:98:d8:39:70:d2:7e:a0:
+ 90:df:ad:a3:13:eb:3c:93:f6:b8:f4:d9:a7:51:b3:0d:ea:ee:
+ d4:57:aa:db:ca:7c:8a:a0:08:c3:98:9a:3a:b7:ba:2a:50:92:
+ 26:c2:e3:11:ba:12:60:24:b9:59:df:62:a8:d7:4d:a3:cb:ea:
+ 46:e8:39:f9:83:14:a8:5c:44:75:71:6b:7f:99:bd:68:58:d9:
+ 6b:d1:cd:c7:45:95:9e:44:1e:85:35:c0:30:2b:18:aa:eb:2f:
+ 93:d5:be:66:5d:70:ed:1d:04:f2:c1:1e:b5:ec:45:0c:04:f6:
+ 9d:88:d3:0c:20:5e:5b:23:df:34:a1:f5:ea:b4:a1:44:c0:da:
+ d5:ea:89:e8:b5:cb:dc:f8:92:ee:ac:8d:61:ed:bf:74:2b:28:
+ 79:1f:f4:9a:ff:63:bd:e6:aa:79:1d:2c:26:4a:b2:26:53:57:
+ ba:88:0e:eb:19:57:c0:10:a0:1e:81:2a:c0:56:2e:c3:2a:81:
+ bf:c1:5a:e7:48:ce:c1:6a:b9:6c:41:cc:44:a6:b8:70:e2:57:
+ 0e:6d:41:d6:61:da:bf:ac:20:2c:a7:2a:67:23:98:00:ba:ce:
+ 8b:a8:c2:45:66:a7:08:eb:7f:0a:b5:e7:9b:d6:f4:07:d5:b3:
+ 43:cd:27:d4:fa:c9:40:8f:af:b2:36:1c:e7:44:b4:4e:cc:5a:
+ 2b:73:ad:8f:c4:d9:47:a6:fb:2c:7d:1a:80:2a:55:b3:80:34:
+ 6f:8e:17:27:93:05:21:40:e9:8f:bf:47:6a:52:f5:2e:b5:18:
+ d1:8c:1d:83:04:80:55:fd:21:28:dc:7c:be:c8:c1:5f:e4:40:
+ d3:13:e4:66:bf:ad:92:4e:9b:db:c1:be:a3:42:74:da:c3:2c:
+ 0a:da:3f:94:14:ad:7e:de:81:c6:01:6a:f7:7a:b4:25:51:b0:
+ ab:cd:b3:3a:77:bf:c3:6b:04:44:30:73:41:ad:93:49:67:ee:
+ 43:d1:96:8e:36:83:2b:1b:6c:e7:cc:3e:d6:16:b9:88:4a:ab:
+ 56:c0:76:00:f6:9a:6a:8a:e3:e0:41:75:9d:3b:47:0f:c9:0a:
+ 8e:9f:9c:00:92:bb:ae:d8:42:56:35:64:eb:59:13:da:2c:63:
+ 83:c3:ec:68:91:b5:f3:71:85:48:54:c3:9d:a1:c8:63:f3:de:
+ 5d:a5:34:a9:1e:85:2c:2c:b5:d8:a9:62:8d:26:1f:b2:9e:a7:
+ 83:4d:df:69:63:b5:b7:e5:dd:e7:3b:18:e5:b3:77:df:c5:47:
+ b3:f7:8c:e7:5e:87:2e:46:e3:8f:b1:2b:9b:c6:26:2d:1a:28:
+ 30:13:10:86:5b:46:87:b1:2d:12:ce:b6:fe:1c:4e:44
+-----BEGIN CERTIFICATE-----
+MIIJ9DCCBdygAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5MjVaFw0zNjAzMTEyMzI5MjVaMIG4MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSUwIwYDVQQDDBxhZGRjLmFkZG9tLnNhbWJh
+LmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1iYS5leGFtcGxlLmNv
+bUBzYW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAKbEqb916kyNO/2KD7CitseoH+QOPkHv1hBId3tOTFnhv23HGHuoAafV0iwh
+PtAa2lgD6ELxUw6nkbksued6yd5e7UyTa8zdF9DH0fF8PQ1v311TWrEfo3tbQWUM
+fOpT37vaQRXaSeO5Lbu1r++MuIR00BgWjlzkwuehh4/jh4sLu5Aw6ODz68BQX7V/
+VJobNEP9vlqAbg9jorN5QkqFyAfHglUjiNROAy/xlb3tFS0+Fs3/x5sDKTamXcka
+HomlumaDD5aoB58kuRuPApq4UCmLvmNF+kXDOCOgmDq0a0KZEzZLhO8niTk0efhn
+FnucKgNBFWNG5Nsv8j5t/nwgHp8CSKS8FUKm+DiG3Gt8TmejMYGOtjAa6z0IJRlf
+Qtw57HkdMAr7Fo89GRTM9a/XxnXPs5aispvZAwGjyogdcu1v0b9XVo65B5u5BBMe
+C1oGaytDotzVt/S6066drf3TinwvhzL6iYhYAK4WK5wdWIJN5SHa1Wz3qECLxwLV
+NjDvPwmbptIxo78g1KKeJsS0ww8LbADRLBaxKusG2dWYw83LIGitCiyhLydBXJHe
+SWLt2DrvaBxt/pTDKGgyYAhlzQKfl5YvD4cnPbkPhWLoK5q09NPXwZOWJyMpiLE5
+mVM6IKqIRDtKJCqL4LSN3WYw36Zut/whQxaePhIgyHowwT2rAgMBAAGjggH3MIIB
+8zAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEu
+ZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEG
+CWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwSQYJYIZIAYb4QgENBDwWOkRv
+bWFpbiBDb250cm9sbGVyIENlcnRpZmljYXRlIGFkZGMuYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFD28cAx01LiFSR0IhMQbJ/KvcjfTMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MEAGA1UdEQQ5MDeCHGFkZGMuYWRkb20u
+c2FtYmEuZXhhbXBsZS5jb22gFwYJKwYBBAGCNxkBoAoECAEjRWeJq83vMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAmBgNVHSUEHzAdBggrBgEFBQcD
+AgYIKwYBBQUHAwEGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggQBAJ6Luwp63MCU
+M7wYpeZKH/+OIbGPM/A+i2xyVcRHcV/O5zHvW2IEt1ePqCef7WnS7KgN4nYzjUE6
+Z2FcU2DHU+3XmXIpHa7T7sl2HG0YR+mU3S6XP5mvtfShfJL2TbXBegw4utG2GZqf
+4gKE1FQBOHtVhkruPYVIAdo0CWlDJX5uBnPguXy1nE6ctVKFMmJiJTn6AktRLt+O
+UhcCUPSZKb9+l1OREoWaaWJFWcRbP68Y5nvkhl3xnlorPhRuftRHJO/ZqOzZpsu4
+TxqG2UMgQRYVX4EN/msxU8H2hEzzA2TS5kQ9emB51zdvM97AqLlu/rJ5rLRTkrgK
+WSvMazfEb8ZEAvd8xcamb8Kt3ngeSJbM/lkuU8401ujwVkMwMpBv+Ud2q5lj4+ij
+84OY6QUr6vn5nWZwxywAwp5XPjFDUFDI26gtIU5vOcK979hHmScNSLJY8b5Fvf7E
+olb8BgLcGTOFU+04WQEWvKrF00s3VIMb5cFL3TRr5dg1hpXmn9IihLHiT6cuTeac
+69vfQuG0ZuZY0ygQNJfznGtfBSxHLON16290CuzXHTCAVkQSJvZOX/+S9GICNpxi
+6zmYU2holfuUaGm4PGYaznjEz8RvIayopvSraSouAF33ZwaxT5dYiFXYbuulmFA2
+IXA9sKT1OyGzHPWp3cZKwom4WrO8HyHOTGhfmNg5cNJ+oJDfraMT6zyT9rj02adR
+sw3q7tRXqtvKfIqgCMOYmjq3uipQkibC4xG6EmAkuVnfYqjXTaPL6kboOfmDFKhc
+RHVxa3+ZvWhY2WvRzcdFlZ5EHoU1wDArGKrrL5PVvmZdcO0dBPLBHrXsRQwE9p2I
+0wwgXlsj3zSh9eq0oUTA2tXqiei1y9z4ku6sjWHtv3QrKHkf9Jr/Y73mqnkdLCZK
+siZTV7qIDusZV8AQoB6BKsBWLsMqgb/BWudIzsFquWxBzESmuHDiVw5tQdZh2r+s
+ICynKmcjmAC6zouowkVmpwjrfwq155vW9AfVs0PNJ9T6yUCPr7I2HOdEtE7MWitz
+rY/E2Uem+yx9GoAqVbOANG+OFyeTBSFA6Y+/R2pS9S61GNGMHYMEgFX9ISjcfL7I
+wV/kQNMT5Ga/rZJOm9vBvqNCdNrDLAraP5QUrX7egcYBavd6tCVRsKvNszp3v8Nr
+BEQwc0Gtk0ln7kPRlo42gysbbOfMPtYWuYhKq1bAdgD2mmqK4+BBdZ07Rw/JCo6f
+nACSu67YQlY1ZOtZE9osY4PD7GiRtfNxhUhUw52hyGPz3l2lNKkehSwstdipYo0m
+H7Kep4NN32ljtbfl3ec7GOWzd9/FR7P3jOdehy5G44+xK5vGJi0aKDATEIZbRoex
+LRLOtv4cTkQ=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
new file mode 100644
index 0000000..6f11ced
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIpUlK4cdzu/UCAggA
+MBQGCCqGSIb3DQMHBAju3WkqK++BQgSCCUit3hNjGErKHafSn7CLnhKlNTzvtaAv
+PwTStReWMNULMJ6Z1Rhm0jO8x5BBStEHy3A4h1GmWNSyIzOhZqGi3K2SqpBa9+TP
+SSYzeNKCsv/06QeQ3GTJJF2GTKLw8I2tZOJnNy5wYprGDuz92AAncj645C8xBYb/
+RgN1YyHh3B2tkPlOVZZU8z8hH9iaDwKiXfY0+EgVDSCj1pHWKEzGzhx4UtyKhCc5
+1J4fyPA+8SzJ0tRAohLHdrm9KIn/tawbbS6Ce8iwLBad6A4k73WgYW4ZawMA+n1X
+OIhyCR/dfIlPRPcojyN4c2O5uPmGCDErt6awUY7LyctZPRAUBbk83i69HbRvK/kq
+JuyhTIWUbhVpvt6HZxCC0cFBy7tlSeOL3LXlu1JoWAEqCVm8vHQPs3WTwTTrShHP
+kauortTdLstddxqPwWKmUcSLcviK+IfD54y3fJGYMr5goLdXCGfb7XZQoXANIYKP
+di/jXOn6PTjKdC7/J8G0UZmRmjEvxp5CBPiNqr07YJUfu7IN4KxEKRf/aDyJ1npw
+JEaMFiBvFx0Vr5nm7trQ43TdkuHbn7MY6nkPMbzC8a8KcKFGbnU/n6TIyeGYo2o5
+2ICW3QmXjzhrWiDzU+cEbSEs77UAQJNrSxRVuKKuwLEnuy6/pRhlxex6Hp6nNCOd
+dTZKDeqHsntRa6zTuOleh+XOMHeSuHjhJdThxEszHPFsYzH/EtE8TaKiBQE9kecy
+M+nbxfMqRTYitsl8wTPiuoTgrzDjUJcAAsS/jDNYUA63NCG2BT9Gq9qY48DwfWGM
+YPMYj6CfRwsyAPSeC7hV31olnGAp15kBhM2TpxE6KqUnGuxL0ET9LJsHjaRsP+r1
+KMjNmibQSy948LIvHhEtdfg5/Jn5jv6JHmmSBktma4C+MUfQKBinzy6MM1IAaZlZ
+hUdL14VnERFh9OGLjZGBOBlk/9FU2Yf4lfAtLgT95GezlYQIOqpG/Pkm04wH71+W
+bfW+53gBQqcaSexM5QFsqRspq7yyLX0mElG6z5gOmEJN3rV+DZ2d+84dxKQ5rX++
++mLYlfQKe1K/1F8HVXH/1ZMeAkzvxk1Odlm6fhwcTHciX3CSESAtJeLSD3PNgSE1
+f0Lep/CteZecOnM63T454jC4V49qXYgQBD32WuOHIbFhHd/lQ5Zj+3T5LgKlE5H3
+5oTUU/+DFgqFrwHlM5f1Ha9G8rjuHucjHyQ7ix7jNjEIoG82It8ESisIOoOwb3bc
+Jjkfj3v7f5Axi0wyD94KLFntBCI64uhyTk+JuvagA2KnLQ5uWEFRgqhMXRNg3kbI
+STOAopjoB2bnIvQZxQ8hxOT67EjKd7iJJXh2zfBAQ7dvnVKznvdSamTcB/Uh3IQR
+RjOZE3ej3lEb4XCM2NCyqZvFgoU+Og4yg+4yainCE+6Jt1jYNvms2iabxC+ZQZ3t
+/vCgVDvnULX5FJvphGK/Idua5FFIeSNLOoK9qjfrBNL9kdFVMWCyMyK0cIdsZFRp
+2at32a9n8OU1rRYgFn8kaWK4JQqKelm1qVCixcHLUtI/cyp+t7vvjOGRnDrbfoK0
+ae+pt0De0aBsOMKmUetn3CXFXIyQa/FJ3W8X7yl82ctS3ZZmWcND0Lqhoa1JADdj
+vbxxGzh1rJPsuPePwIXAVqtbVJD84i+dP0+i1oR/e5jNgRKj0tJcfZnnsvmSIldY
+FvxDpIX2h/tDrTKfwQzFHBBuPA00ZuGfftGc4LD7SOVjVb6CF2GMX/0+zmKlPf56
+FvxvGl+GwLPz/BaSGlT/4DApF0HJEZ1AeSvzHGhdgWecbk4s/lMAnv17vH2YWql1
+uJ54FgDAT0ufzAb0aHAl3YO8pYDOOXGqHaqWRMJvtuh15FB52HYvt+Ojo2mzPu4j
+lvUcOBRMzgPl8zcs0L/WgE0SggC6DpXGU+rK1/J91qlNRBJ664R6j0iyskPvdzYN
+aJ8ZZSJ+yQPralfSD/Sd+RcRviP2draINoyVbFHSH2zvvhcZc0ETL24tNI/tSXpR
+Cw86CajiN7T691pC3eZyQLSQJnMSY/0F0i12KU3J+1kq6eeMSoPc5EKItfH5wxjw
+RPnJAU84HGIQEAhEn6Ht1XaZcMfo9xyr9WMpmyH4OoTLt1+gFGgSCfbjsusl9aNl
+EDhcYmav8OFHE48qvEoYyHD7S3fwsxKFSCJpYTRweBRQaEzpq1z90tVxzhLZFpJe
+A7sw/HpiOuty0hDHQ5JaiRBsQ+CiOsVdWZXzaI/H0aoaPbLbpursuTPPPG5OFqvL
+WIIDfFYZ9rhy8t/YaAeTyFoLx1VU7m88ZZndyaVXhnqp7iaU14NXlelPeyKJ3ZXc
+pd6gZ4l1XAJHbeyiBx+6khtZb6JTLbYpwfbjTqPmDtNw2PVb5rwF0ZSeP6LXKOEM
++WntayDMbWK67yUCBlkPTpY4k+8nV8pJ+th9sR8LlL7d9rZgbSjmxG8XgjC7HHg+
+4I2O7poGQMVgtMeIsGZRIS0cTpm1dpCRfFQPR0DOB6+wjDRPIRNNiTZQYdkpfHQ1
+QSpCskaWG9HzJQGSu+meN4LdaKEoXwNMMz77fCTWhXXkvy6Ujm44EpOOfaHXpg7T
+AQagXzyII0xXj+rAFkqmnyygWgxpou6f3MkoWxIC/qYocC4Ci3oWMAZVssWfnhoP
+T/ZormTZN3uQCZYtfwTjbjh5efFQc4I9THxkHV6eyhGE7MQO/D/5zjBzkwmNsU6b
+GttZyyHto+oKlXMF9dNKxLkQbtVO8ZDIDuNP+sb/m7wj3GG2MNoklp6Cd7lckimv
+PqkQP7PQa8h6EeFXmTKqi7vfgsQAEIzTfOLJDvfHhLC54pjbFPR8vY0T5Y2Dwe8w
+rMPwFenW1ae6DjeGDHij3+QbQmTYZeu8Hblhs5DNhy7wtZX05IUsioVfJLC9QngN
+Y5u7OuMGQLPdcPjWHBuZsl/lMdii1lOB/PrExrEIsybSGPQonDfK6x1pOeyIJsbr
+fDnevcamxLpG6BU8U7AqE1QHa/sJGNO/lgsHGLrb5A2id1J+VttSxSG09sML49uw
+T+vmgdVbVjsYRvMSjMfwRrVp4NARlXph5FUA2DxAKXvr1reicAleVgQDcokAHhLi
+vGZ34XFIZHB+YZvHxd3tZxLcKvAMZQJTPlO6RdD9cx+84DEfevaJilUjyu6Ga4ty
+HjA=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
new file mode 100644
index 0000000..bdd0364
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf
@@ -0,0 +1,250 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Domain Controllers
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = addc.addom.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = ca-samba.example.com@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_mskdc ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a domain controller certificate.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType = server
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Domain Controller Certificate addc.addom.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=@dc_subjalt
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for our domain controller certs
+# serverAuth - says cert can be used to identify an ssl/tls server
+# msKDC - says cert can be used to identify a Kerberos Domain Controller.
+extendedKeyUsage = clientAuth,serverAuth,msKDC
+
+[dc_subjalt]
+DNS=addc.addom.samba.example.com
+otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
new file mode 100644
index 0000000..eec21e4
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEApsSpv3XqTI07/YoPsKK2x6gf5A4+Qe/WEEh3e05MWeG/bccY
+e6gBp9XSLCE+0BraWAPoQvFTDqeRuSy553rJ3l7tTJNrzN0X0MfR8Xw9DW/fXVNa
+sR+je1tBZQx86lPfu9pBFdpJ47ktu7Wv74y4hHTQGBaOXOTC56GHj+OHiwu7kDDo
+4PPrwFBftX9Umhs0Q/2+WoBuD2Ois3lCSoXIB8eCVSOI1E4DL/GVve0VLT4Wzf/H
+mwMpNqZdyRoeiaW6ZoMPlqgHnyS5G48CmrhQKYu+Y0X6RcM4I6CYOrRrQpkTNkuE
+7yeJOTR5+GcWe5wqA0EVY0bk2y/yPm3+fCAenwJIpLwVQqb4OIbca3xOZ6MxgY62
+MBrrPQglGV9C3DnseR0wCvsWjz0ZFMz1r9fGdc+zlqKym9kDAaPKiB1y7W/Rv1dW
+jrkHm7kEEx4LWgZrK0Oi3NW39LrTrp2t/dOKfC+HMvqJiFgArhYrnB1Ygk3lIdrV
+bPeoQIvHAtU2MO8/CZum0jGjvyDUop4mxLTDDwtsANEsFrEq6wbZ1ZjDzcsgaK0K
+LKEvJ0Fckd5JYu3YOu9oHG3+lMMoaDJgCGXNAp+Xli8Phyc9uQ+FYugrmrT009fB
+k5YnIymIsTmZUzogqohEO0okKovgtI3dZjDfpm63/CFDFp4+EiDIejDBPasCAwEA
+AQKCAgAloAU0PyRHdS3tu/JiRbO7RAE98MC3G6dOMStT1IyBUt9foyWw8Gy/Mwyi
+DDYhuY09glQqlkvI6KGGB8NBqIBW/U/IkRInPFKdNhf1xbP4jh707VNu1taJhEMy
+yyh7rcSym0FH7uHw0NyylwFEqJkQuVIhvSUNbEdU/yqYmhsAkfsVQxOnfSDZWMjf
+KAUsZ6rZFCyYOpWaPz58A4WjTp+csbSEBOpgC+HINVc1bIH0nSeD/otIO+RWgh5y
+usPdBlkRu8wOj4Z4r05cG13ZDnB3jyG7QBSBHNRTpW3zALWaZvLgsxUg5+ib0W0b
+UBbQeKE57rsmlN4ZXa3ny+U4l/6QQDSMtrWPNBCMrkt1Q/52gQk1IGeONUAQdLQT
+uBx0Vdn5ZvIFRBnkQl2KWOBWTdD2v0qxIHhXlsWX7tGVU7eh3GIAPoFzQZFHpPhA
+RObE8fNg/3HMVGDUwXnd4k+6c1t+Ioa17FuLJE4lr5c55Klq2lJ4Oq2Jd6AfoGjv
+anA45ChI6lrg2Kt7OhUEHIIHyZmm7eNmBHoGA3r+YJyiQQIGSiNjH+Up54KWa88z
+p+ZY1u3VdOiNuKVlRn79q85Th4HyMlx7wuY+t8HAj42Vt03Uy7iDaaTfuPxehMyS
+MqcRWR5MhavR5ShTtsIXwvUgWj/YcqaOb9Zfe2Y1RgFURKN3YQKCAQEA0I1hTnGs
+KE5l9dGowKm2io6pZr8J2B8ITjp8pdAaY46Ws1tfcTkbbpBUvyrflCIgLIP9KTP3
+6cc4HrK11mf8rPD1pHNWJd7CjPTLQFMYu+h8YlBqKwrgA8owLzUWG4omS0vehCnG
+6OIPi8ceUc2u6XW+TGKP4n8GXJrrKaw9hw83u6h9YQCpgfwF4QpwX8LzTMKnI7te
+HxUQFlhKX3vci+dP4n29c6yGl57830E7LeQGRfjo/NAV3pAAcHk79cEzOJQCN1Wy
+bNU2kcoOA3tGTI8tCfBdwpN11Sz2/tu4ytJE2weP5S7r9xOTq8t+iKQ9+NLhAvJU
+8S2mIkyFAi8tWQKCAQEAzLWsJ3qxyaLHv4tOFTqenSj0CbB25OIzDQNLT++L4fYn
+YAqL6/G83bRVbdYvfJ3ZdZdnseluGrR8ZcxdqioLCws66+O1vC8GkHI5aBKZt4MD
+Um+SzD6ZnARYcTbtRmPUJHxIdny2dbYLe5dDlqTFIV+olWDR+1YMSzXt/VW+jx9I
+tHhw8LJAxhMhDt0Gh+CxNFHQYdkdK/OuNTBufT/rxeT3E5t3TbSG29pU/F2Rce1G
+CCy0nbFsTMjPusSzwFJILWHdvBAYJceOajvqZhlaTV11u/qrj9gb+nJkH+rKvJnA
+pK2YyFWqomnGCZB61Y5LOfjk2b1BfVGCdqpRrBCOowKCAQBun3/NB1jlbGiDEvor
+cBpmtrO+z3jeTd+u9zElFxTYWEsxyjb/LOaTKDX7zTcZMVzVoBGKaImJVOY8yljP
+6QrLhWkXGSLKJbYW5MZnUWyeR/yqfbNDL5qSCA61C7i1VPtpF05p1msvHrJWV4GK
+rMqqBY2yoNlnsC9ksbwpt7ZPTNAoV4BiEuLXEyLfMxVWhmdeASZ9Oqb7X8XPxHd2
+3JGpGEJ0hnQWxp4CERBbMBO/DOQS+6xCZfIjw0ioYHZgrmGIEmJ2jZt+RT6T6JS0
+XhB1DcE7M2fYjTWEpTxDBbOoyg5CDGnUjKYXwiejieaNfmls8hbu5DIQWEF2khY/
+iVzJAoIBAENOiGgCo2oUp3CHMQkx2Oz7hiGZb74Z0Yc5yg1iSa/l61Rco1zUgrCy
+llQi1EI49EMBoQqSIa2OIkimRTWp1S+wZZMhr6NMIvBjXhSl6Py5iuIT5URaYM83
+bozq7mDyedH1Oy4aGzPgwy3DsmlZi6dJeHiE+QWWaTxhYvqksp8EPjd4UkoRkdKO
+f5QPgBI1Ao6dR9KkPD8zQ9ghMHLmDXNnsQU1XKij7qNiygagDS5UQW52pHwk1eL5
+M7PI8QEPDMQ/JVSsRgRF9MFhKdSgCVzemdNQvA/zkl9qNRl5bWdNdlWu7kkQQaZc
++Mw0QO7udjV9bGFbJKk7n5W8slXMq9kCggEAJ2yzyZKdQZtuXpf6WN6sNqRJ6CHo
+k9en+acEg9Y+5lVt2CRblprQxhdUV2KyN7G8GxV0hMwmHtMTeB4j6jhdZrAAZGVW
+upqCfY2vSYQ/svCeB0Fs5DMEI4iCS5Drn8gKKi/zWAbox9sb+zaYT/Ot5p2Ki/HH
+YIh+p8EE6IFWE3jChabPQieXVOC7tg/qaxWVHTv7Qe2fdZTY3XifTcN7hVghf/bH
+Vn+VdU2u/7hE7X3y9YNETNSin5U3F0BSm1tUQimUzU50+9Nl2UGPBI39e+15qRz7
+JHocpq9h9+k3T7qWwJxX74YhcTqdb1pGsKUEmo7r6rPR4L5h5nCF3OgR9g==
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12 b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12
new file mode 100644
index 0000000..994cba3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
new file mode 100644
index 0000000..5b356fa
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIFEjCCAvoCAQAwgcwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+GzAZBgNVBAsMEkRvbWFpbiBDb250cm9sbGVyczElMCMGA1UEAwwcYWRkYy5hZGRv
+bS5zYW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmY2Etc2FtYmEuZXhh
+bXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQCmxKm/depMjTv9ig+worbHqB/kDj5B79YQSHd7TkxZ4b9txxh7
+qAGn1dIsIT7QGtpYA+hC8VMOp5G5LLnnesneXu1Mk2vM3RfQx9HxfD0Nb99dU1qx
+H6N7W0FlDHzqU9+72kEV2knjuS27ta/vjLiEdNAYFo5c5MLnoYeP44eLC7uQMOjg
+8+vAUF+1f1SaGzRD/b5agG4PY6KzeUJKhcgHx4JVI4jUTgMv8ZW97RUtPhbN/8eb
+Ayk2pl3JGh6Jpbpmgw+WqAefJLkbjwKauFApi75jRfpFwzgjoJg6tGtCmRM2S4Tv
+J4k5NHn4ZxZ7nCoDQRVjRuTbL/I+bf58IB6fAkikvBVCpvg4htxrfE5nozGBjrYw
+Gus9CCUZX0LcOex5HTAK+xaPPRkUzPWv18Z1z7OWorKb2QMBo8qIHXLtb9G/V1aO
+uQebuQQTHgtaBmsrQ6Lc1bf0utOuna3904p8L4cy+omIWACuFiucHViCTeUh2tVs
+96hAi8cC1TYw7z8Jm6bSMaO/INSinibEtMMPC2wA0SwWsSrrBtnVmMPNyyBorQos
+oS8nQVyR3kli7dg672gcbf6UwyhoMmAIZc0Cn5eWLw+HJz25D4Vi6CuatPTT18GT
+licjKYixOZlTOiCqiEQ7SiQqi+C0jd1mMN+mbrf8IUMWnj4SIMh6MME9qwIDAQAB
+oAAwDQYJKoZIhvcNAQELBQADggIBADLgdZz1gvzpnZPwd5KCxjwKgiotlUGBh6t6
+cLhyomCN02adMr0PPJP/n3r1Zsaq2db/zktP8J5fUYqA9vJZzYukzkKRHbl+rdHS
+JVEvHmbsG3729V9cy40kuL0EAM0weBbfQZaeFxfcLxl5v14QOxvldrmYSK5GaLh8
+WSEz4uljrI8ee3q8Cn08xlZ2Dr3MoHI9unEcLJFXkpCwVBALFhw5dG8od3jl8AyS
+WeMVbdD9fm4jnHE/RDSPDqUqMCGIYmrB5amGO5rSLDTWxDxrcHFRM7sa359nW2IA
+GoZd+r8Vf2AZ8i/KRgH7uIFB2BJm4L0QiVlajy3odW3zhQIVXNh9p58aGzOFQGkq
+Gsld4WI3gZZeSvGgGIjoB2+AYRjxTzUn5qSFVev5sFLK3cNdPZo66xltuPBhfXB/
+v/+/TQC80oZ8oZGdgYvBBT1IEg4pwB5Myqeps9J7kbJVmtxR2EGlq/aGN0yE/fy9
+S8ners0iXBJP18suSwbjj2unZQMBYLIgHLkzztxAMGYBlfEljSAvDfFCsK5Rkmya
+soxd1qHHMG8Ap+WZagpkK9tv42HwmbYKVeDArGAHr53aC4ripgrSBnzpmkiSyi4p
+mb3L5K/ZSOxo3xrS0wERq3p6FalF8/AhctgzWOgMvikVoTUy0xPsG/hulXPyk2UG
+rYn+WPQz
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
new file mode 120000
index 0000000..43b4b51
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem
@@ -0,0 +1 @@
+DC-addc.addom.samba.example.com-S02-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
new file mode 120000
index 0000000..3170fe7
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+DC-addc.addom.samba.example.com-S02-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.cer b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.cer
new file mode 100644
index 0000000..f68d26d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.pem
new file mode 100644
index 0000000..6b25079
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-cert.pem
@@ -0,0 +1,191 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:30:28 2020 GMT
+ Not After : Feb 23 13:30:28 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addcsmb1.addom2.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:de:fe:5d:7a:30:99:bb:1e:11:56:ac:b0:d4:01:
+ 50:30:83:e1:71:0f:aa:3e:1a:b4:f7:9d:ea:93:69:
+ fc:be:51:19:4c:37:f7:a3:b3:3c:90:13:62:63:14:
+ 9d:b8:54:66:17:65:4a:67:8e:ce:96:7f:4d:c2:c6:
+ 6e:fd:3c:ae:bb:e2:5b:6c:ee:51:7b:db:37:17:94:
+ 99:02:3a:2f:a9:cb:d0:23:29:b7:43:33:08:fc:3f:
+ 15:3b:ed:3c:eb:69:5b:95:45:18:1e:85:5e:aa:31:
+ b6:3e:18:c8:2f:3a:48:2d:cc:c6:69:28:b6:5c:ac:
+ 24:03:b1:83:e8:e6:96:a7:06:6d:fe:73:13:04:d2:
+ 18:0f:d4:72:f7:88:22:40:5b:ab:68:a4:89:e2:3d:
+ c0:ca:e5:a7:ae:b6:f8:ea:8a:8c:39:9c:6d:1b:89:
+ ab:72:2c:04:27:40:7e:f5:d3:3f:5d:d8:0d:71:67:
+ 65:1d:e3:3d:65:b0:97:7f:14:ad:92:43:2f:3f:04:
+ ab:1e:31:52:07:7f:df:48:ac:9a:c0:28:d1:ab:eb:
+ f2:79:b3:d2:44:5f:e8:2d:92:d7:d8:be:03:fe:db:
+ 55:2b:4b:f8:9c:b4:ce:02:78:07:72:0f:d5:32:cd:
+ 01:1e:3d:b2:6e:25:29:fa:09:49:49:ab:ed:dc:2b:
+ 10:c5:3d:19:3c:c4:1e:da:ee:95:c2:ff:f8:50:b4:
+ f7:47:9a:a4:7d:1c:9a:8d:77:da:b6:a2:e6:4f:cd:
+ 80:b9:b1:f2:1d:dc:90:60:37:6f:39:5e:a6:03:e2:
+ 8b:44:d7:a4:45:fd:7e:4f:43:14:f0:68:0d:e6:84:
+ 8f:21:20:53:f6:b4:67:bd:fc:5d:f4:48:2a:95:1d:
+ 7d:79:ba:a1:ee:b8:f0:83:83:7f:ab:b1:eb:38:4e:
+ 3c:4b:8a:93:80:15:63:4c:43:1d:81:4b:c1:e6:d5:
+ b0:9f:6c:49:9d:04:92:66:6c:9f:7c:d3:62:50:72:
+ fc:77:65:87:39:d9:d0:ef:5e:53:49:32:4a:d3:1b:
+ 4a:88:45:f0:0f:a2:5e:33:29:bd:ab:3d:6b:3d:23:
+ bc:c6:9c:9d:98:9c:9d:8d:cc:32:3e:e1:8c:98:19:
+ 1c:44:ee:17:43:b3:b0:47:a5:fe:15:49:aa:5a:b7:
+ 76:43:4c:df:9a:e8:33:3d:52:e8:6c:2c:dd:3e:d8:
+ a9:e9:2d:36:c2:3a:43:75:b2:bc:d5:bd:81:8b:fc:
+ 63:37:61:88:24:bb:76:35:19:00:44:7a:3e:30:a8:
+ 9e:8f:df:74:14:09:0b:f5:8b:c9:b0:ed:be:d0:cf:
+ c0:7f:61:41:07:f8:6c:7d:0a:05:96:4f:6e:5f:cc:
+ 40:f3:f5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate addcsmb1.addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 5B:85:11:27:BF:F7:A6:2B:8F:51:93:D8:29:4E:0E:A2:67:AA:9D:80
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:addcsmb1.addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 73:de:7a:35:bc:15:ac:32:44:5b:98:60:64:12:af:ea:42:46:
+ 7d:fb:b2:88:b3:47:61:c3:0b:6d:d1:68:92:3d:44:cd:37:86:
+ da:10:d2:18:db:19:29:03:31:1a:26:cd:70:d1:ec:13:ac:59:
+ 84:cd:be:9f:2b:c6:2d:10:aa:4b:4d:78:39:d3:6b:e1:4d:e8:
+ 10:a0:3e:97:d3:1c:19:11:e4:0f:26:7f:96:d7:26:17:23:02:
+ d9:4b:47:0c:af:c7:ef:28:ae:1c:28:e5:d2:7a:61:46:70:3b:
+ 49:5e:d0:65:54:4c:ae:14:27:c0:e4:17:41:2c:1a:42:0d:86:
+ 6c:37:48:65:80:02:21:b3:2b:1f:4f:34:a5:ce:7b:b0:fe:06:
+ a6:fe:c5:1b:ca:e5:e6:7e:d5:dc:01:d2:50:c4:f8:5e:73:6c:
+ 2c:56:81:d0:a4:73:bf:82:cb:d8:76:ca:7e:44:99:3a:5f:a9:
+ 97:89:a8:5c:5b:1b:38:0d:4d:cb:02:49:69:82:13:68:a6:be:
+ 4b:a3:57:a6:a6:e3:f0:dc:ad:1c:30:00:bf:ed:15:ca:c3:3d:
+ 5c:7b:dc:6d:e6:cb:bb:bc:a1:22:e7:32:95:e0:0f:6a:ab:40:
+ 0c:43:ed:f3:98:63:7c:2f:15:63:49:4e:5c:82:65:13:f2:53:
+ 26:d7:4c:c6:f8:7e:fa:bc:a8:22:44:f1:fb:a6:bb:27:64:ec:
+ 94:28:19:4a:af:09:7e:01:8e:9d:3e:43:e5:79:fd:16:ed:24:
+ b4:ab:58:02:e2:9e:f8:a1:b0:45:25:6d:2f:be:bb:88:90:c7:
+ d8:45:31:48:65:26:33:86:cc:46:69:53:6b:f1:d6:35:df:b1:
+ 39:ed:81:e1:23:f1:01:de:99:10:11:f0:3f:4d:5d:d3:8a:0c:
+ 44:78:f6:27:4a:32:1d:ab:0c:63:d0:71:25:62:67:f5:0c:7e:
+ 2c:7c:a4:ec:8d:de:00:6d:5f:69:5d:bf:e6:c7:59:75:87:5e:
+ 2c:12:dc:a5:1b:dd:c1:7a:c9:56:63:6a:3b:c6:9a:b7:fc:15:
+ 01:53:4d:c8:ca:c7:c8:81:50:a0:65:43:33:fb:aa:55:64:a0:
+ c3:2e:e2:f9:08:64:e5:75:ab:98:b3:38:ba:8d:53:e8:08:47:
+ ef:cf:a9:f2:16:25:1b:20:78:2d:6f:f5:83:ee:35:d4:b5:c5:
+ d6:d7:81:17:bf:9c:45:43:d1:88:74:22:1a:32:b2:45:73:a2:
+ 28:d4:da:ff:85:f9:75:1c:4f:84:6a:a5:1a:41:eb:8b:e0:1d:
+ 49:69:07:2f:5b:5e:e3:7b:00:f8:4b:67:5b:42:d7:51:de:1c:
+ 18:89:2f:f8:36:e7:b5:a3:6c:39:e3:88:dc:5d:7f:2f:d9:52:
+ b6:6b:9c:e9:1d:df:d0:18:68:25:70:7e:71:fb:b3:40:28:75:
+ e9:24:38:6f:70:5b:1a:f9:bf:e9:43:bd:4b:51:e3:df:e3:25:
+ 11:ae:30:4e:7e:55:58:43:b3:65:05:11:2d:0e:a4:3c:b8:8a:
+ 0c:f9:93:ab:27:28:c0:b2:17:76:52:9b:18:82:b7:fd:a6:4f:
+ 6e:a1:74:2b:19:59:ac:b1:d8:5e:fb:f3:69:37:16:59:01:4c:
+ fa:a9:57:52:04:d4:45:8f:10:08:8a:ab:88:aa:96:46:9a:aa:
+ 94:b5:c6:bf:e9:9e:9a:cd:40:f3:2a:ed:23:ff:a6:f7:9b:18:
+ 02:d9:ab:76:96:ac:15:6f:04:5d:92:d2:49:4c:4b:62:da:3d:
+ 2a:a4:59:22:1a:75:cd:6e:fb:62:50:da:ae:9d:28:7d:4d:32:
+ 2f:d8:cd:37:67:f9:1d:c1:d5:76:40:ba:34:f6:8c:92:5b:c0:
+ 65:f6:3c:90:6c:5b:67:09:0d:d3:14:90:38:03:82:06:c3:b7:
+ 85:74:7f:15:f4:5b:de:66:5f:71:a9:f1:ed:15:9b:a0:72:ee:
+ 05:d7:b3:92:30:65:2e:82:90:21:fe:f0:07:34:11:d3:87:41:
+ f4:35:04:0c:b4:28:f5:73:b8:d5:0e:e3:2a:53:ab:9a:3f:4d:
+ 59:f9:18:68:f0:31:90:1d:d6:25:c6:8b:33:e8:dc:06:93:7b:
+ cb:01:de:8b:1e:87:5a:26:a0:0d:5e:f6:6a:36:43:54:53:6d:
+ 87:10:ca:a8:15:1a:4a:37:95:a5:67:93:74:ba:c3:59:9b:f8:
+ b5:ab:10:98:fc:ff:d6:d2:61:17:5d:90:7e:b1:2a:16:ec:d5:
+ da:80:67:02:13:41:d7:bc:a2:af:0b:54:08:b3:2e:1b:05:50:
+ 80:f6:c7:9a:8c:ac:89:49:4a:f4:4b:71:73:bc:e7:8c:6f:0c:
+ 70:62:73:3d:ed:07:14:35:f0:15:0c:bb:d8:c3:f6:19:43:b7:
+ 45:a5:33:80:17:1f:c3:39:28:3d:6a:7c:d6:e0:37:66:58:bd:
+ e8:64:2c:ad:b7:e0:25:f5:41:ac:ae:cb:ca:c1:eb:5b:8b:e1:
+ 3d:1e:cc:09:63:d6:6c:c8:eb:b8:ae:6f:4b:02:98:4a:2a:1a:
+ 94:26:e7:a3:23:7c:e9:e5:02:e0:1f:f5:88:f9:14:74:81:01:
+ 1d:cd:7e:46:35:7c:1d:e3:64:60:88:a4:ed:86:06:0e:af:3a:
+ 2b:1d:f8:45:fe:53:8e:56:89:95:98:ff:2c:8a:fb:3a:7a:0c:
+ 46:6a:3d:32:78:ad:58:69:ba:3b:d5:95:51:55:f3:72
+-----BEGIN CERTIFICATE-----
+MIIKAzCCBeugAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMwMjhaFw00MDAyMjMxMzMwMjhaMIG9MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSowKAYDVQQDDCFhZGRjc21iMS5hZGRvbTIu
+c2FtYmEuZXhhbXBsZS5jb20xNTAzBgkqhkiG9w0BCQEWJmNhLXNhbWJhLmV4YW1w
+bGUuY29tQHNhbWJhLmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEA3v5dejCZux4RVqyw1AFQMIPhcQ+qPhq0953qk2n8vlEZTDf3o7M8
+kBNiYxSduFRmF2VKZ47Oln9NwsZu/Tyuu+JbbO5Re9s3F5SZAjovqcvQIym3QzMI
+/D8VO+0862lblUUYHoVeqjG2PhjILzpILczGaSi2XKwkA7GD6OaWpwZt/nMTBNIY
+D9Ry94giQFuraKSJ4j3AyuWnrrb46oqMOZxtG4mrciwEJ0B+9dM/XdgNcWdlHeM9
+ZbCXfxStkkMvPwSrHjFSB3/fSKyawCjRq+vyebPSRF/oLZLX2L4D/ttVK0v4nLTO
+AngHcg/VMs0BHj2ybiUp+glJSavt3CsQxT0ZPMQe2u6Vwv/4ULT3R5qkfRyajXfa
+tqLmT82AubHyHdyQYDdvOV6mA+KLRNekRf1+T0MU8GgN5oSPISBT9rRnvfxd9Egq
+lR19ebqh7rjwg4N/q7HrOE48S4qTgBVjTEMdgUvB5tWwn2xJnQSSZmyffNNiUHL8
+d2WHOdnQ715TSTJK0xtKiEXwD6JeMym9qz1rPSO8xpydmJydjcwyPuGMmBkcRO4X
+Q7OwR6X+FUmqWrd2Q0zfmugzPVLobCzdPtip6S02wjpDdbK81b2Bi/xjN2GIJLt2
+NRkARHo+MKiej990FAkL9YvJsO2+0M/Af2FBB/hsfQoFlk9uX8xA8/UCAwEAAaOC
+AgEwggH9MAkGA1UdEwQCMAAwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL3d3dy5z
+YW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5j
+cmwwEQYJYIZIAYb4QgEBBAQDAgZAMAsGA1UdDwQEAwIF4DBOBglghkgBhvhCAQ0E
+QRY/RG9tYWluIENvbnRyb2xsZXIgQ2VydGlmaWNhdGUgYWRkY3NtYjEuYWRkb20y
+LnNhbWJhLmV4YW1wbGUuY29tMB0GA1UdDgQWBBRbhREnv/emK49Rk9gpTg6iZ6qd
+gDAfBgNVHSMEGDAWgBSiPgIqo6dNObQITZnMDHU26ifDPjBFBgNVHREEPjA8giFh
+ZGRjc21iMS5hZGRvbTIuc2FtYmEuZXhhbXBsZS5jb22gFwYJKwYBBAGCNxkBoAoE
+CAEjRWeJq83vMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJh
+LmV4YW1wbGUuY29tME0GCWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4
+YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAmBgNV
+HSUEHzAdBggrBgEFBQcDAgYIKwYBBQUHAwEGBysGAQUCAwUwDQYJKoZIhvcNAQEL
+BQADggQBAHPeejW8FawyRFuYYGQSr+pCRn37soizR2HDC23RaJI9RM03htoQ0hjb
+GSkDMRomzXDR7BOsWYTNvp8rxi0QqktNeDnTa+FN6BCgPpfTHBkR5A8mf5bXJhcj
+AtlLRwyvx+8orhwo5dJ6YUZwO0le0GVUTK4UJ8DkF0EsGkINhmw3SGWAAiGzKx9P
+NKXOe7D+Bqb+xRvK5eZ+1dwB0lDE+F5zbCxWgdCkc7+Cy9h2yn5EmTpfqZeJqFxb
+GzgNTcsCSWmCE2imvkujV6am4/DcrRwwAL/tFcrDPVx73G3my7u8oSLnMpXgD2qr
+QAxD7fOYY3wvFWNJTlyCZRPyUybXTMb4fvq8qCJE8fumuydk7JQoGUqvCX4Bjp0+
+Q+V5/RbtJLSrWALinvihsEUlbS++u4iQx9hFMUhlJjOGzEZpU2vx1jXfsTntgeEj
+8QHemRAR8D9NXdOKDER49idKMh2rDGPQcSViZ/UMfix8pOyN3gBtX2ldv+bHWXWH
+XiwS3KUb3cF6yVZjajvGmrf8FQFTTcjKx8iBUKBlQzP7qlVkoMMu4vkIZOV1q5iz
+OLqNU+gIR+/PqfIWJRsgeC1v9YPuNdS1xdbXgRe/nEVD0Yh0IhoyskVzoijU2v+F
++XUcT4RqpRpB64vgHUlpBy9bXuN7APhLZ1tC11HeHBiJL/g257WjbDnjiNxdfy/Z
+UrZrnOkd39AYaCVwfnH7s0AodekkOG9wWxr5v+lDvUtR49/jJRGuME5+VVhDs2UF
+ES0OpDy4igz5k6snKMCyF3ZSmxiCt/2mT26hdCsZWayx2F7782k3FlkBTPqpV1IE
+1EWPEAiKq4iqlkaaqpS1xr/pnprNQPMq7SP/pvebGALZq3aWrBVvBF2S0klMS2La
+PSqkWSIadc1u+2JQ2q6dKH1NMi/YzTdn+R3B1XZAujT2jJJbwGX2PJBsW2cJDdMU
+kDgDggbDt4V0fxX0W95mX3Gp8e0Vm6By7gXXs5IwZS6CkCH+8Ac0EdOHQfQ1BAy0
+KPVzuNUO4ypTq5o/TVn5GGjwMZAd1iXGizPo3AaTe8sB3oseh1omoA1e9mo2Q1RT
+bYcQyqgVGko3laVnk3S6w1mb+LWrEJj8/9bSYRddkH6xKhbs1dqAZwITQde8oq8L
+VAizLhsFUID2x5qMrIlJSvRLcXO854xvDHBicz3tBxQ18BUMu9jD9hlDt0WlM4AX
+H8M5KD1qfNbgN2ZYvehkLK234CX1Qayuy8rB61uL4T0ezAlj1mzI67iub0sCmEoq
+GpQm56MjfOnlAuAf9Yj5FHSBAR3NfkY1fB3jZGCIpO2GBg6vOisd+EX+U45WiZWY
+/yyK+zp6DEZqPTJ4rVhpujvVlVFV83I=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-key.pem
new file mode 100644
index 0000000..98aae6c
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9PC/3NcJal0CAggA
+MBQGCCqGSIb3DQMHBAiLhharWWs8/QSCCUglchvaoRZ2KDAOpx1om+BnWFdmElQz
+h/3v5NMjNzMrgjSkSU4blpuQdPj4xbyzlxIDJGQFRgcDouNl7FU59Eb1duPnIud/
+6zWBgQgnTbVgH1h+zhHhbpmqAYPAxwf+H5NVEWQva2uAGWrKMApuUPn1IpgesPRz
+9WsWwdOyHkj0hQd5slbVdsxJL5wcHwBip9vzrH4IV+WM/vtem4+0629KGFl6hisW
+iZD6D2nJHejIlVJMNy6Jkqa5hnJeMH7djaRFp8f22C7/5EbE1a+DGwh6RQG1SfvO
+Z7ZTQKkPuq3MvKSb5tp5ArOyHvmQsphPD2TzTtWJD2LiBl5pe1zIiDNSMXWUPmbP
+bfSNBswcATWweYUmL/9kuIqaZvNVjJpd1QuVQPMmhFyJyfDyM8WA/6kbeIjwuzku
+BSBsBB1CMN26AHBEBxqmA5ml9ZBhL+kKJziYIJs3sdQcQWi+CiyQXKVzzXMhLFF9
+1VgrREMY7d49db3O4I8V4R0sVk5KxqCGULcPy7sMYgRuPr9hBD4i3oRVdokUyKRy
+5XmZij7cHVS0pYrpdklkgjNFv4fNjA6goEM39JkzXkBbz0poYjNx/PXAx9wz6Ykc
+X29HU6xyE76iwH8UNdqooe+9T75iihb6kccnEWC6uUi106rO5OGbyvtqEHcMlZic
+ttfXUxtQT4n8BVK4GTji+o4U2Xfqf75W48ZnrLHMZpC028rrHXP0WMKtweYBCOtN
+wt/T5fEqS29tCrnvYBUhlTyEECyfSBuxL9lBDUiS+opw338uGN/3ODXFwc3YCiUY
+OoxhVnoLkJPMjIzMmBpIGnjvtVZ4t2FtTQXZMbDQwFJIkW2d70XMuPk86sjh2MWf
+jd0rbd+6BrgDVlzxAOWQhXiVTiY7Y3Z8a4CkbyrbpxaNMnZn0DUYhF/LaUm3ylIM
+vxXbcm2nTCqi9ly9jP98ZZI7uTAH65W1uhD6+SrOly0sijlZrg4lbdqY3isOuC4Y
+BZuqHFWEKLx3J0SwtlV8aJvUAL8KFis5ktTEVO7WWkpODz6IUtiZ/eHbbNUeRyi2
+LmiQx7ywjuy0YIGRE9DeoLsURqtcTGtOkRGgRu8Pa+knl4N2rbuw9JY3ejh2Y775
+obIqyPPT/EgudHfywF4hsjn7i/4L14o/ZjQA53P+qC1swf7sz5LAspTbhHCCe/go
+mT2ospx/XIoHLqxmYptKBMYHl5JR5kK8GAdoVzD1vv+MiIGZOHObsJ93X/DaEtT6
+/4/rlAC1ws8Mws4+kVDK0UXfADJLIipq2RP0FkapTQ51+ocIBDnXarAANhTpyokz
+5gHLGrbQp1HOQQNnZfVEssJznjm/jiD0MxP/kXFjQuOThZCoKLTkfsjnKTMJE3HN
+z96fo1kPemDQ4PUoac3LKUBUDIPxmwFCrcBcwDlrTHm1NmAb60cMUyDMZ073OwNL
+3p16tcjn4j7HJ4g/BJ2HvnT5xVavNlFewELaQGN+Ywfl+5DSTNtyAvjgthOYps2F
+Zl9sZ8qXL4c+GyaSUk8Rio+6Kggybvo75xdB/Ia5yp3IUC8z0+jVsaoCYf/fddyd
+UaVFQvWdeN1tB+nTV7Ntki2LOxek417UV6BtH58zJCibDF2uld9LsIXySIFYvvqe
+21kUWUWE7rlaCrDRJ2jwUtU+QYtBHl36WgwSf0C4HkeevRT8hLcFPyhKe6hYVcQL
+sqFldps0VAMrfFzCwY8z5Vc1aehmOd9OXVBf/Fn04XBjUEoG46tkSdL18dBfJXI5
+RsfE6TAbB5LOEd7agmoGHJolL3rYwODDVKQWOj0519HR/xt1E7SgCfH/BisGl4Gr
+4ZRUJG9unpEBsigN31JEbnXUbfx+rjXZM65F3HM9ir89ofIcVGPuJYflw2IPm1GI
+ajEh+nDCt/hwvV66aBI/+JaQ7bHvqbC8tBMWXdlesSjJmWlB2mYdYqIhmqhy+0oj
+ryKbsAT+7Fco5ymQACEG4Otw6y+weRTW/IFbibtjDui+P5arl5dRPIn4kCrV+ZMn
+wuZVAw83mxSe05efsCt6YCoth64bIgPXVvl7EhGotheYsKfuOFI1Jvw1tDsgtoxk
+v+6TnK3xJDMVkdV3dg/glAENdeo1NnHrvIb0Hq9ERMr5wmImQkGoL18r4HoUGin/
+HPi8Q+znxiw3NARCpm7RBwxCUzuYWQ88CKpxDtvGmJfpSNUQ3ETVs1rY9VlBP026
+Uufu5aMz9BURc8iaS4dl/oT0QjrhszeAdsXAoilY+SlmBUuAUieKAnaxLU48hqkX
+FID6A/v/LxXm+VYgObFijv4i+ETUGNklhERTdkZ+YfwCWLqCLbGMK6ufVF3YPI9c
+nLQ0/gPTW7YH8k1DQ7ehRdSEM3QcdE3x16x2q+dXRqOR1BG9uOsayhofQQWvlN66
+p4gbN8XgwSgf2SLaYUFbeiAiOuEsObPcTYyTekyuRbGcL7CKHY4tHb15VhqUJ0SA
+7kiU1hC5cUxaMOKuWCOlqvBdfp+IowEbah2SKxZBWq1D8BKiT1es21NX6FEeJyWC
+f+08KHLZWQL/OYrKof8dCcHVwMdQE05/6cXIn5xVMG0QbCyvC2izklQsaH+y4oy+
+iptmdBvXOE+t6wFJsT/jjbFGIbjAXT6xrc9nsL9lBoWJidfhREfzBrmW1LVbIE6L
+8ltsECJ5NJ/OMm9Zj5MuQEc9kxsM9sAzk9KXP8xq5mJziTPoYK9QydtLRl/EJkW1
+P4Wp364sHiDnErHYkzsP/DpJ41BkJexEBLnzID/P6YTKfB0bDlnNbb/XQssEPQ7m
+5nVBktXVV1UY0we/ACEkqmV6+7yE77ZF/hrzZuCu+M3aE8GjOSrSEpF4KP4V2n5W
+ukD+Q5IZJkShjT6kG9lQELotChlU5n9YS147Y9C4HT//wNcQk1neEhUUf4L1cN62
+7JvKqVZTMyWbIIBEjMrKhQKRFAaf5AcFgx+scpGn0rZOY8wguSqHjLxMFrlc9/F7
+CpeM8QUGi9u9I61SiEY9Gmc+wDoONqSu6O9O+pWwWw7/Wh0qjK4TaRXSlVpS+1bK
+umgkl3/Y1pDY6pCbHZ3O7AD1JaCZWP0k7oawIejkuV1UuLeFjodLfYkAh6y5Hlfv
+/BJ2gHkAEePKibplUpudmOTkWlQChQtzmy3ZReqLydvrxK0H8eh9J/tB8cRP0M/j
++GU=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-openssl.cnf
new file mode 100644
index 0000000..23c5e41
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-openssl.cnf
@@ -0,0 +1,250 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Domain Controllers
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = addcsmb1.addom2.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = ca-samba.example.com@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_mskdc ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a domain controller certificate.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType = server
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Domain Controller Certificate addcsmb1.addom2.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=@dc_subjalt
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for our domain controller certs
+# serverAuth - says cert can be used to identify an ssl/tls server
+# msKDC - says cert can be used to identify a Kerberos Domain Controller.
+extendedKeyUsage = clientAuth,serverAuth,msKDC
+
+[dc_subjalt]
+DNS=addcsmb1.addom2.samba.example.com
+otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private-key.pem
new file mode 100644
index 0000000..82ccc60
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private-key.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEA3v5dejCZux4RVqyw1AFQMIPhcQ+qPhq0953qk2n8vlEZTDf3
+o7M8kBNiYxSduFRmF2VKZ47Oln9NwsZu/Tyuu+JbbO5Re9s3F5SZAjovqcvQIym3
+QzMI/D8VO+0862lblUUYHoVeqjG2PhjILzpILczGaSi2XKwkA7GD6OaWpwZt/nMT
+BNIYD9Ry94giQFuraKSJ4j3AyuWnrrb46oqMOZxtG4mrciwEJ0B+9dM/XdgNcWdl
+HeM9ZbCXfxStkkMvPwSrHjFSB3/fSKyawCjRq+vyebPSRF/oLZLX2L4D/ttVK0v4
+nLTOAngHcg/VMs0BHj2ybiUp+glJSavt3CsQxT0ZPMQe2u6Vwv/4ULT3R5qkfRya
+jXfatqLmT82AubHyHdyQYDdvOV6mA+KLRNekRf1+T0MU8GgN5oSPISBT9rRnvfxd
+9EgqlR19ebqh7rjwg4N/q7HrOE48S4qTgBVjTEMdgUvB5tWwn2xJnQSSZmyffNNi
+UHL8d2WHOdnQ715TSTJK0xtKiEXwD6JeMym9qz1rPSO8xpydmJydjcwyPuGMmBkc
+RO4XQ7OwR6X+FUmqWrd2Q0zfmugzPVLobCzdPtip6S02wjpDdbK81b2Bi/xjN2GI
+JLt2NRkARHo+MKiej990FAkL9YvJsO2+0M/Af2FBB/hsfQoFlk9uX8xA8/UCAwEA
+AQKCAgBi3WOUSPffffUx+F5toCdtWwsYlVllL3IMVncp5FOqDUqqACZK7axsNCvq
+wbkrgD/DH6VdRHNTRh2zvUZ3/+94XWMraH236/kA+2DbG/EF1tbwwA4APSA+tbk0
+WHop5Qw1oeyPm5Hc4y1pWpNmXPCjXaaZ+PLhI3DUMl/JYnJomvEpXtuPx5Xjbs2J
+8VE+N2ZHfqujIr3XNvqg+35gfgytfizhiKf6dolg3bdsRbxSXveWz8CE/7q42xJP
+xVsu/Zp01h0HxdYYfRkBn4T8rRxInNNkIdWXeu31RqVr8tLSq2uXRpdy4rZzYcPr
+Thm37CwSvEffjZqOwI89mnxaoL1N4UxlIVTk8qapArHCZaucgxYr9acLT9H4sWCO
+EgSc0nS1eHogUDZquNvdypJ++EmLAvNtBluRcuQC0DQqOlKPsqVyapTbEOscvk3m
+SZ+JRQZi8qgN5nqNNAQAAy60krPGUDJCFOaONVQdjQljPJsg/112y5cBrQPXsknQ
+o8u8TMcp9+I8Dp7qSCI7u5TDdERCWjg+wQxw5AzimcWDNRRN52yKzfEekrF6kV+l
+eCcWMUv/eeWhJXCKNHAdVGQlHkSld3FdQRtr9PVQn8rSrb81HpodQhqPAUNW3NYf
+hhxHimy3y5MLcLNU9A+ut+/lrDwD0enVlXhOiK4b7QqCv6ywAQKCAQEA90JbFJl7
+Ckfy1XpYtZQPVY+Zbv7Mukupin4+u9B1Ywd0j/RGTImNcQYEhQw1OM1FSSvpIzCS
+H2JpJWCF0gG3PXYR0xn9JrErVXgh3hxOT9Ynk8ltUQwFAqeJXP1NqJdP0ipOEbyX
+XYwBGXBDq42SXnj5TQgfQs/kc8UKBgFZ0LEaDcy5r3eXBi0SCPpFpQ7RWMS5orAt
+e+NlthAJItSb6PVBrQUZ1JPZTfsR/35wSnlUQnHsf93wZ477O3g+wuTMmhTLFfU/
+JmcaV7QDIV/mRRO+O6KgSnoQ1sn4ay1b7jXCHOA+VApSxTZsPmuKHyvMpIwmqr5G
+/wWJiNT6CI+r3QKCAQEA5uBpLVFxTjXi+TLtpDK1Cf3rd99o2y+uVaWIuq/aqPuB
+/mAcpVcOMKsTU3woVgZW3hAArnomVSsEPf4pjqGqjiibGopmcg3f1J1Ee3vfznZ7
+kyOhfh52jNbWahLi5+4phC/wD++S44qDh4Kmi8g7kz0n0KmU9Xt5qCjJXSWTFO7z
+8aLbhzdf/R0tRBmBLKZ5w/5CJ0tP9eRuVLgeFWxFZ7lKoSF9ZF4VOg7yVuGh9m6f
+Nzo7ox+yEiv+81ZL14736u12vRmkxA+e1be+YDPytFtZ4t4JRWehJ+CeszDaBqLd
+DXpB8Dlo6cbWqWqytMuI4zY5RjpMlt8FxSH/nO5S+QKCAQA8JHrNDuwbuxZ5ELJl
+MGduc2hp1DZuFhteIYkW3ATBmr2iilNTKJ4r4L/WsPp9H4j73F9v/M9+LMzQl6LV
+Sy+MFp0NUSP/dlbJCliKky4FQ10LGJKrhRXu6FuEL+Tk3jE/OKUWsV3MFlLqIiGD
+qALzUc+qChC4iqLR+hqPDWMQXROuSZ7c7GTizrG1V1L7bBhF1EwnI11c5hoGZ+4g
+98AYsRdRg40d5PyVeD2PfOzJYKu7IcTZ8V0Zg3DerUfu1gJidC5V3/qFV8zTimi8
+hHwZT00VamA83WYdKLFxOG5FCfR2W6EthflOGQfJQxUssdWsLJ73JyNTwsAKdWuA
+C5pNAoIBAAXUjvNlBh56f+PZJGUsHqRE9EhPrP80AgwJpR1JyZTQ3SSGWtLWEvap
+q1BFZ2Ncv57V+p5tWUB3WKEUJQqEDKGQZvJRomqo7Qkae5s+spUtKsu5b5+Wt1mx
+JzMAjRhcTFIZP8+3Nhdm7RFj/D61bMO4HKRJVAiq+JSFiyg+BavWqPRmL3MHs/XZ
+YcZBeqCdB6AqcJM7dKZ6AUtEZwYVeN84r6jIBrmdIp4XuIj3I7bsbjrfzpe8+is5
+TzPn7vxfkOUu3/vAhQeqeVFeVYFqbmudjvSKtOM6zbgLFRbjWe4m+LwZZUbivEKD
+EfKvThoAtdE/Ek0ytbJtqWCkDidxYUkCggEAB2DIXKQb9OphTQf+18OGnslAa3b6
+vLZPcmv4ZskCApi9AM2AX6q42luovaYR3ul3IJKM3SKa30ZBdprb0epsrW/aJ6Fm
++ri1NrQ34zLNun/cX+Q+EzFbq1wNsCj4Wj0my8q5oyg+KtofeWYFYJmn75rGuZVz
+UrmIC6MjrXi9tvh4BK3pfPzSGizPlLk+vXSQgU36bfUY3P6SZFu9W+IMfDJKKip7
+0MqQCVE3aMoFi1/1pJt7qWiHvYqLIjldJEdQpszTr7IeNsYo7OFJtOaHp6G7mZOU
+/P+GGZiS4h20hS+y/IPBWqFmFiwy38z1L4lUi7W26oytuKYuiUZt3cy2IA==
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private.p12 b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private.p12
new file mode 100644
index 0000000..d44a18e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-req.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-req.pem
new file mode 100644
index 0000000..a4d061e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-S06-req.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIFFzCCAv8CAQAwgdExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+GzAZBgNVBAsMEkRvbWFpbiBDb250cm9sbGVyczEqMCgGA1UEAwwhYWRkY3NtYjEu
+YWRkb20yLnNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1i
+YS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBAN7+XXowmbseEVassNQBUDCD4XEPqj4atPed6pNp/L5R
+GUw396OzPJATYmMUnbhUZhdlSmeOzpZ/TcLGbv08rrviW2zuUXvbNxeUmQI6L6nL
+0CMpt0MzCPw/FTvtPOtpW5VFGB6FXqoxtj4YyC86SC3MxmkotlysJAOxg+jmlqcG
+bf5zEwTSGA/UcveIIkBbq2ikieI9wMrlp662+OqKjDmcbRuJq3IsBCdAfvXTP13Y
+DXFnZR3jPWWwl38UrZJDLz8Eqx4xUgd/30ismsAo0avr8nmz0kRf6C2S19i+A/7b
+VStL+Jy0zgJ4B3IP1TLNAR49sm4lKfoJSUmr7dwrEMU9GTzEHtrulcL/+FC090ea
+pH0cmo132rai5k/NgLmx8h3ckGA3bzlepgPii0TXpEX9fk9DFPBoDeaEjyEgU/a0
+Z738XfRIKpUdfXm6oe648IODf6ux6zhOPEuKk4AVY0xDHYFLwebVsJ9sSZ0EkmZs
+n3zTYlBy/HdlhznZ0O9eU0kyStMbSohF8A+iXjMpvas9az0jvMacnZicnY3MMj7h
+jJgZHETuF0OzsEel/hVJqlq3dkNM35roMz1S6Gws3T7YqektNsI6Q3WyvNW9gYv8
+YzdhiCS7djUZAER6PjCono/fdBQJC/WLybDtvtDPwH9hQQf4bH0KBZZPbl/MQPP1
+AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAve93Lch8SWFi9pmWZgmcStRFALjR
+RRa9iUSIpIgHmJWKAjIq2APh5xWfp4Ouh7DO6KIwHLbgQEXWpxehukhyUl4VlIMV
+y50nVK9ibiu5X7MO0HMHGnULZvLDS7i64siX9e030xvP5cOwRg16TS84Ex4VVoaz
+1t1yE083OoD4jqMvDvgMJ0OpnyZXUZctDLCc0aADkhJKC/V4q/mruPY1lZ0Nxl3T
+Q06GhJtEaR87BLIoNUqD6SwyZm6F2Y96bLqdzgaGHYNGhGGeDpXp0l8grlRvpu+9
+zFdTsALPAwt6KSNmk4GsNuNyu7DS6v33+yaT0ZbbulbPZ6uVFjXrnFFXYBAcFJs+
+YFELavoIRtEOcBfJ5RL6Hcr3P1/4I70u5Uucesv5C/loNHnZPAo2s2KFtBtVgGHp
+OYeFjzDvG3fLz2ZGjIDxTEh0fD/9wRL2CVtjEfN6V7tKmd3f7IEBtCw+7Hdu4uSN
+GrjWrbzQWhyTT6lyDfCKsmQlCevI1MW9oDkVmaBkHwYuWTc4U6wL77wDKyShTKV7
+RFWyhfnhYp1Xpm/pZmCszUZc7Si7eGGJiKohH7K+3YnpcfPMq2t83SBeFMmaBBJX
+I1KOjT5grWAzVIsIdFgFvoPqXNWmizEddBTtExnmhK3tAzudJL7bv+PhYSQ0wTOP
+n2KpBr/vsEs9LeM=
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-cert.pem
new file mode 120000
index 0000000..97e86e7
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-cert.pem
@@ -0,0 +1 @@
+DC-addcsmb1.addom2.samba.example.com-S06-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-private-key.pem
new file mode 120000
index 0000000..7259e86
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/addcsmb1.addom2.samba.example.com/DC-addcsmb1.addom2.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+DC-addcsmb1.addom2.samba.example.com-S06-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cer b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cer
new file mode 100644
index 0000000..4d7a875
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
new file mode 100644
index 0000000..7b1b6a1
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem
@@ -0,0 +1,190 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 0 (0x0)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:28:44 2016 GMT
+ Not After : Mar 11 23:28:44 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:e6:a4:76:ce:e8:63:fe:57:f9:a3:ae:e0:ad:4d:
+ e2:15:8e:d8:27:c8:7d:7f:2b:b1:e8:aa:50:8f:94:
+ f9:c7:71:3f:52:32:91:d1:6d:52:22:5f:cd:8d:cc:
+ 62:16:7a:8b:58:65:ed:07:f7:ea:24:d3:88:d8:26:
+ ca:eb:ec:16:a7:84:1c:7e:15:46:64:09:22:46:b9:
+ dd:5c:07:84:50:a7:4e:31:3f:01:23:d1:f8:36:04:
+ 1a:bb:d4:e5:b6:d4:1b:5c:16:c9:9e:37:8a:3e:a9:
+ 7d:30:24:40:b2:b5:44:40:fa:5c:6f:d5:3e:ff:32:
+ c2:e7:24:0a:e4:e4:aa:9f:ff:4c:ac:be:37:58:22:
+ 08:16:0e:f6:a7:2f:b5:6c:4f:ac:7b:a4:82:a8:9f:
+ 38:64:17:6e:72:b6:7c:4c:c5:44:2a:0a:b4:25:0d:
+ b0:0c:ab:98:4a:f9:1a:1a:c9:a6:59:f4:00:a5:0a:
+ 6f:0a:d0:a5:34:ca:0f:f4:0e:fb:ba:d7:bb:3e:2c:
+ 7c:0c:68:6b:26:ff:1c:29:fe:77:f9:30:85:0d:44:
+ 8c:af:90:8a:70:93:5d:3a:b6:18:8b:a5:85:11:5c:
+ a3:5d:57:16:dd:c7:c8:00:f1:05:71:c2:6e:07:3c:
+ 37:69:36:7c:12:c5:9e:1b:69:11:45:44:1e:eb:b9:
+ b2:96:b1:89:cd:4d:fa:89:eb:92:49:f2:46:35:f3:
+ 9d:87:3c:be:e4:f8:b7:31:a7:36:4b:81:76:9b:b2:
+ 04:d5:80:7d:4f:e6:02:ed:24:4c:a0:03:c4:9d:00:
+ 9f:9d:71:93:0d:a5:b8:37:62:2b:03:c3:bd:24:25:
+ 2c:c3:43:d4:c8:27:b0:6d:05:d4:c6:c5:d8:5b:09:
+ 94:e8:27:6b:d9:6d:b7:bc:de:76:bf:d5:9c:36:26:
+ 04:b9:97:1d:f0:c9:8d:91:93:82:32:0d:b7:16:97:
+ 41:31:9a:22:0b:2e:ba:99:51:28:6b:f5:04:ba:c9:
+ 3d:57:0c:72:e8:e1:24:1a:d4:2a:6a:e7:e3:b6:b9:
+ 94:61:e3:4e:42:81:e5:43:e4:1e:ef:6d:c4:5d:a4:
+ f9:b4:ec:3a:8a:34:fe:b5:c7:a8:fe:19:8d:cf:7d:
+ 1b:60:21:ba:25:6f:35:cd:4f:72:28:42:7d:87:08:
+ aa:da:33:7e:63:e6:5b:5f:e7:01:a8:e3:0b:d3:08:
+ 5a:a6:df:ea:e7:2b:13:48:a7:83:32:96:c4:ba:d1:
+ ff:15:66:52:33:86:46:5f:c2:9f:59:4a:00:98:b7:
+ 1b:a1:87:25:df:ad:68:5b:f7:26:17:2b:eb:84:62:
+ 9d:c3:bd:99:67:6a:02:5d:70:72:3e:18:92:99:8c:
+ bd:d9:4f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate localdc.samba.example.com
+ X509v3 Subject Key Identifier:
+ E1:DF:73:0B:F1:3E:86:43:A4:B3:E9:8D:44:7D:3C:B2:19:C1:BC:F2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:localdc.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 89:2c:57:98:17:c1:73:a6:10:02:6f:a6:ac:47:1c:37:2d:1d:
+ a1:3c:c5:29:b6:3a:e6:e8:14:ec:3b:74:ee:da:db:2d:97:3e:
+ d3:8c:9d:42:7e:b0:46:e9:54:74:4f:34:df:9e:34:7f:9e:8a:
+ 9d:4d:b2:cf:fb:71:3f:cb:32:e6:45:e7:b4:d3:9e:e8:ca:a5:
+ cf:16:7b:76:b5:4e:e0:b9:bb:79:b1:82:a7:d3:23:cb:3c:46:
+ 63:63:96:b3:5b:62:9e:99:dc:02:17:f9:07:63:86:76:06:1a:
+ 02:1b:9a:df:1d:cd:e7:46:fe:9a:13:87:47:dd:e2:77:58:50:
+ a2:6c:c9:a0:f8:14:1f:3b:d7:59:9c:89:bd:2e:2d:ce:60:f4:
+ c6:2c:e3:63:cf:34:84:61:d9:90:2e:90:fc:5b:4f:a2:00:87:
+ e7:40:e0:fc:d1:24:8b:d0:28:01:d3:53:ac:b1:58:7f:87:29:
+ 38:56:93:dd:a2:14:4a:9a:94:b9:f8:94:b2:04:47:db:b8:38:
+ e6:85:2b:cf:d4:72:88:8b:0d:8e:a0:69:f9:9f:10:22:82:9c:
+ c5:ec:01:e3:07:a1:69:37:94:25:3a:cd:17:29:37:8d:24:d3:
+ 27:0f:4d:bf:b0:31:36:b8:c6:a8:69:0b:df:28:f8:e2:dc:da:
+ 95:3e:7f:d7:3f:a5:8f:92:6a:7d:ad:3a:ac:af:73:2b:5f:f1:
+ b3:22:92:ef:da:71:84:9e:4b:23:7b:69:b7:29:fc:c5:05:84:
+ 4b:ff:06:92:ee:f5:9b:14:2a:af:be:ef:02:e1:e7:d0:e8:d0:
+ 29:7c:48:40:f1:95:bb:08:b2:30:c5:81:80:a8:91:5b:2e:08:
+ 3b:30:44:07:b5:c4:0b:07:74:ca:5d:37:3d:75:f9:bc:6d:21:
+ a6:e0:91:d8:f9:27:88:05:58:a7:f4:36:eb:ba:40:63:36:15:
+ 42:98:0b:e2:d1:c9:11:0b:29:81:e1:c7:02:7e:fa:05:65:51:
+ 7b:d6:1a:33:46:fc:a5:d4:fd:64:e8:c8:11:d4:d1:41:d9:39:
+ 18:08:a3:ed:15:70:d9:14:f5:ba:c9:bb:3e:96:8d:5d:cc:c3:
+ 5c:b6:c8:79:02:2e:e2:a1:06:ba:a5:21:1c:bf:16:7f:2d:d9:
+ 93:07:92:b1:fa:ee:3f:e3:56:35:f3:30:aa:11:54:d3:71:cb:
+ 29:d4:60:e1:6c:ae:c4:24:e3:00:4f:5f:52:b0:3f:f4:76:f3:
+ 6d:db:bc:d8:65:c4:37:be:1a:87:9b:65:c4:20:dd:da:a9:4c:
+ 9f:86:33:2b:49:a6:f7:aa:ce:da:98:3b:e3:5f:ac:b8:1b:45:
+ 0e:56:59:fb:49:38:0f:b7:d4:49:f8:7b:ac:fa:d8:b8:1d:16:
+ db:b2:4c:15:d8:e7:eb:6b:38:ff:d2:69:26:a6:f6:50:15:45:
+ 2f:12:b2:05:d4:bf:6f:53:79:64:9b:d5:8b:a1:08:3e:43:ee:
+ 08:fe:9b:ea:83:89:8a:6a:53:98:1e:c5:91:4c:7a:99:2b:6d:
+ 97:dc:96:1b:de:27:c5:af:0f:dd:42:5c:23:7d:bc:6b:5b:ab:
+ 47:29:98:35:8f:9e:e6:e1:5f:96:6a:bd:cf:3c:47:89:8b:ad:
+ 21:de:20:da:99:82:c1:0e:9b:7c:38:21:d8:b1:1c:34:c5:4e:
+ f7:fe:7d:5e:a4:2f:f8:7d:5c:30:2c:9e:e6:5a:4f:d3:15:90:
+ e6:6f:69:ea:51:93:8f:2c:dd:a7:c3:3c:50:a8:d1:ba:0b:5c:
+ cc:2e:4e:57:71:21:08:a1:2c:bd:a7:20:4b:ae:5c:02:7a:cd:
+ 9a:fe:1e:db:ec:ce:3b:12:37:cb:96:20:7b:3b:b1:5a:2e:84:
+ 03:f9:0b:32:43:c0:4e:e3:ea:79:e7:9a:13:54:e5:a8:1a:17:
+ c4:79:78:25:63:ab:67:39:39:a0:6c:c4:c5:94:ac:16:92:3d:
+ f0:1a:1a:9e:ca:7a:84:1b:c1:5a:5f:4c:65:8a:30:a6:5e:6c:
+ 0e:ae:bf:ac:09:97:0f:83:5c:92:ce:e4:43:de:06:4b:96:f5:
+ 46:3b:7d:a8:e3:0f:d3:fe:00:c7:d4:79:4e:5f:bd:ec:59:12:
+ f9:65:23:fa:e7:97:a2:a6:39:3b:a3:1e:da:47:c5:18:5b:8d:
+ a7:7b:29:1c:5a:7a:06:c6:92:9e:b7:3b:f0:c5:56:e8:cf:84:
+ cd:dd:61:0f:21:25:f4:1e:2b:40:b6:74:28:8d:41:f6:2c:1d:
+ ce:b4:39:d1:e1:be:15:78:c9:d7:99:a1:9d:50:43:da:ec:40:
+ 69:6a:3b:17:af:28:22:09:e0:7d:38:9e:a7:ca:b7:f7:94:8a:
+ 2a:1b:32:4e:28:6d:18:95:ca:42:67:c8:bb:13:24:31:43:84:
+ 3e:95:66:08:5c:15:7f:6b:93:cc:8f:b8:76:7a:fd:74:4a:d6:
+ 6f:64:74:df:72:f7:34:a3:50:f0:db:bf:0a:2b:1b:48:b7:c9:
+ c0:97:23:27:b1:56:5b:9e:10:12:5a:bf:ff:38:61:da:41:75:
+ 15:c5:03:c2:20:fd:7f:84:c0:94:8e:11:ed:01:ba:f1:19:b5:
+ 05:1d:bf:89:ea:c9:38:4e:d2:cf:5b:24:c6:37:a1:8e:60:89:
+ 5c:52:ff:7d:5e:2d:c9:f8:b1:79:07:4c:2f:18:85:e8:ba:bf:
+ 3e:da:59:43:df:29:79:7e:00:38:d2:fc:a9:8e:3b:9d
+-----BEGIN CERTIFICATE-----
+MIIJ6zCCBdOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI4NDRaFw0zNjAzMTEyMzI4NDRaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSIwIAYDVQQDDBlsb2NhbGRjLnNhbWJhLmV4
+YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1iYS5leGFtcGxlLmNvbUBz
+YW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AOakds7oY/5X+aOu4K1N4hWO2CfIfX8rseiqUI+U+cdxP1IykdFtUiJfzY3MYhZ6
+i1hl7Qf36iTTiNgmyuvsFqeEHH4VRmQJIka53VwHhFCnTjE/ASPR+DYEGrvU5bbU
+G1wWyZ43ij6pfTAkQLK1RED6XG/VPv8ywuckCuTkqp//TKy+N1giCBYO9qcvtWxP
+rHukgqifOGQXbnK2fEzFRCoKtCUNsAyrmEr5GhrJpln0AKUKbwrQpTTKD/QO+7rX
+uz4sfAxoayb/HCn+d/kwhQ1EjK+QinCTXTq2GIulhRFco11XFt3HyADxBXHCbgc8
+N2k2fBLFnhtpEUVEHuu5spaxic1N+onrkknyRjXznYc8vuT4tzGnNkuBdpuyBNWA
+fU/mAu0kTKADxJ0An51xkw2luDdiKwPDvSQlLMND1MgnsG0F1MbF2FsJlOgna9lt
+t7zedr/VnDYmBLmXHfDJjZGTgjINtxaXQTGaIgsuuplRKGv1BLrJPVcMcujhJBrU
+Kmrn47a5lGHjTkKB5UPkHu9txF2k+bTsOoo0/rXHqP4Zjc99G2AhuiVvNc1PcihC
+fYcIqtozfmPmW1/nAajjC9MIWqbf6ucrE0ingzKWxLrR/xVmUjOGRl/Cn1lKAJi3
+G6GHJd+taFv3Jhcr64RincO9mWdqAl1wcj4YkpmMvdlPAgMBAAGjggHxMIIB7TAJ
+BgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEuZXhh
+bXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEGCWCG
+SAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwRgYJYIZIAYb4QgENBDkWN0RvbWFp
+biBDb250cm9sbGVyIENlcnRpZmljYXRlIGxvY2FsZGMuc2FtYmEuZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFOHfcwvxPoZDpLPpjUR9PLIZwbzyMB8GA1UdIwQYMBaAFKI+
+Aiqjp005tAhNmcwMdTbqJ8M+MD0GA1UdEQQ2MDSCGWxvY2FsZGMuc2FtYmEuZXhh
+bXBsZS5jb22gFwYJKwYBBAGCNxkBoAoECAEjRWeJq83vMDEGA1UdEgQqMCiBJmNh
+LXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0GCWCGSAGG+EIB
+BARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEu
+ZXhhbXBsZS5jb20tY3JsLmNybDAmBgNVHSUEHzAdBggrBgEFBQcDAgYIKwYBBQUH
+AwEGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggQBAIksV5gXwXOmEAJvpqxHHDct
+HaE8xSm2OuboFOw7dO7a2y2XPtOMnUJ+sEbpVHRPNN+eNH+eip1Nss/7cT/LMuZF
+57TTnujKpc8We3a1TuC5u3mxgqfTI8s8RmNjlrNbYp6Z3AIX+QdjhnYGGgIbmt8d
+zedG/poTh0fd4ndYUKJsyaD4FB8711mcib0uLc5g9MYs42PPNIRh2ZAukPxbT6IA
+h+dA4PzRJIvQKAHTU6yxWH+HKThWk92iFEqalLn4lLIER9u4OOaFK8/UcoiLDY6g
+afmfECKCnMXsAeMHoWk3lCU6zRcpN40k0ycPTb+wMTa4xqhpC98o+OLc2pU+f9c/
+pY+San2tOqyvcytf8bMiku/acYSeSyN7abcp/MUFhEv/BpLu9ZsUKq++7wLh59Do
+0Cl8SEDxlbsIsjDFgYCokVsuCDswRAe1xAsHdMpdNz11+bxtIabgkdj5J4gFWKf0
+Nuu6QGM2FUKYC+LRyRELKYHhxwJ++gVlUXvWGjNG/KXU/WToyBHU0UHZORgIo+0V
+cNkU9brJuz6WjV3Mw1y2yHkCLuKhBrqlIRy/Fn8t2ZMHkrH67j/jVjXzMKoRVNNx
+yynUYOFsrsQk4wBPX1KwP/R2823bvNhlxDe+GoebZcQg3dqpTJ+GMytJpveqztqY
+O+NfrLgbRQ5WWftJOA+31En4e6z62LgdFtuyTBXY5+trOP/SaSam9lAVRS8SsgXU
+v29TeWSb1YuhCD5D7gj+m+qDiYpqU5gexZFMepkrbZfclhveJ8WvD91CXCN9vGtb
+q0cpmDWPnubhX5Zqvc88R4mLrSHeINqZgsEOm3w4IdixHDTFTvf+fV6kL/h9XDAs
+nuZaT9MVkOZvaepRk48s3afDPFCo0boLXMwuTldxIQihLL2nIEuuXAJ6zZr+Htvs
+zjsSN8uWIHs7sVouhAP5CzJDwE7j6nnnmhNU5agaF8R5eCVjq2c5OaBsxMWUrBaS
+PfAaGp7KeoQbwVpfTGWKMKZebA6uv6wJlw+DXJLO5EPeBkuW9UY7fajjD9P+AMfU
+eU5fvexZEvllI/rnl6KmOTujHtpHxRhbjad7KRxaegbGkp63O/DFVujPhM3dYQ8h
+JfQeK0C2dCiNQfYsHc60OdHhvhV4ydeZoZ1QQ9rsQGlqOxevKCIJ4H04nqfKt/eU
+iiobMk4obRiVykJnyLsTJDFDhD6VZghcFX9rk8yPuHZ6/XRK1m9kdN9y9zSjUPDb
+vworG0i3ycCXIyexVlueEBJav/84YdpBdRXFA8Ig/X+EwJSOEe0BuvEZtQUdv4nq
+yThO0s9bJMY3oY5giVxS/31eLcn4sXkHTC8Yhei6vz7aWUPfKXl+ADjS/KmOO50=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
new file mode 100644
index 0000000..3443a50
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem
@@ -0,0 +1,54 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIc8U9D3UAcEQCAggA
+MBQGCCqGSIb3DQMHBAiv8rBzGS//TQSCCUieV5YQyWsn3FFhKYI425pOXfnTsSUb
+VEe7wO2H7D/S0RFfT5gILYv57TTH8Z9uAeX/wU5msKA4PZt16aMutNl2NWell8hy
+IX5R4n6IzSP6IobZKsyFR5u/h683Eli1pBd4BbLJuYu94sxelB4HQdRp0QJIvIvO
+TWqTyD7UmqqG/IVhTMQpzcepY/S4SGI6GODJtDLPRgv3x5/Z0/NsxiMKrXMi7HKc
+Rzg8jm2mausukN+sSyPcvlEufQjRJgJXtCIX98FMLp0pkOq1rsVUSNg8Qza6tbyE
+XhweHWbV9YZCVfmnhUalLt7CIoA7QeOQZbwTNpTo/4mSEA7lv1knvFSdMc9JvR6J
+bZQOk5rPzuX2W84UQ3CkIwaRB2iFUv0gJy5Z2xbhWgAR5KZIhGTKupHBYOmD29QU
+whgjXq4McdYWKquxELzSW5jXVPNwvREhEuKR1mt6g0NqXCbCeQHw7DWH1OGPz7jM
+HXsCGVWpXqeWvRHhdF+NRfHa41hqGS3Onq29UJtgcMpNYpGQYY6Exq6hVVsmddwt
+QU4COPfozJzeAlkUEem5AKnuh1JUxo/RieNP99sv1/8g8icc+oPXOIu/6HI3JGYB
+4WTVBp1OccEcNlnUYhxcL3ODYXcLUhiLZh2DS+IDLS3Pbp0v1qz/JuzDxiYBnEYt
+4Q5NWdhPF/TSS7wQHRl35LAyHHhBIu1kuDhnXjdq87h7ioNiffZ0DgSW4HFUzslk
+4UZGFTKaDpepBfIp1qnYGPKCMv+MLaMWU3LOfVGT3ecntkMxUtntNMZ6qGaXhzda
+65LD9xYJUrbo+qQSBiTNAhMOy6lHlwIulmML0j1YEcVc2EwgqdfbBeT9v9gh6If4
+85ba1Wvy4W/FN/xo/ECflLAvozjyYND8LMcZ73eJs4ncZkMZAkjfP3sg/qvTAtbf
+D6c+SRQbxRJv0ZUb9NN7wx4flsyypscKNqk78mytUN7gGf2xJIOvMS/zH/Zf9EpD
+bEY+lOY2llYtXhoEj95tnRPFhKaQeGZdkISsmoU5olLsw/tRkquGdAokh+fl+NtZ
+WxgJF8Ft8NT4iXhEBRfgFO5ubGq565c66ayA6R6K00pg/IvS8OXPuxT+/e8EKqUO
+R9RyWR5n+W8hWw5+pQWGNvwhLFLJFfCxHw2ucSyNCvtcb6ijV5yvi4cI+UuVnh3s
+WW3mMaMOYIcbh/thp8wBs/dpAOGUWX7XBfaGsQ0D+ff0ufcUobhXVZgtC0LhgfrN
+ZeHQF4bUXycyaAGWvstNb6Xj2QFVDG98eNDGmYDTD+0XwpPc/6/Ge4BLPAVcBpQw
+DMCKUqSkPPWCqfipbQmpBxswhYmzx+DjdfRxHExWeGk1pwyfH4GBhO5fkcpYVtU+
+RyruFu0YNnQ+2Y4eg8+3IyJndxkUHmwsB1DB0P8XvJ0n/NnAnZ0sIpE0x3dOFhb+
+SK0dj8fo2aEHOimrTHc2EJ2ZscpSCVNQ1BsScM36FCWxRWbTr8rBFsdUJ5CMZ2hN
+qHBtf38SgNkD3qBUmiPetsYt6qTKY9Rv25D4zL5IR2ZnV99oW6MTDhc49cxYn8Dy
+MKlyzV3upykqGBMSKBKbafDI3sO8gB3upUetnogi1TMaNyu4qNzq8oNRfdf+RD1R
+Rg4++U14UbYNvWRQnCqjJGUXDnVc8Gp9K8Z6p5eXihsFfpol1OGu0td1e0FRi3AH
+INW9UEpfRbmbEPHhYQRNAyRlcQXJ1FBnxUCk6qgfkD0ziJk2VD4oFoaSlqy7l21z
+zoH0Vp6PZGZEIs/mAODvtH5jsTEMUE8uuRmPqgnFqbi/gfQ5FJLR6dfCb8MJ2iJM
+Hw4791wi7tS1aCYoHneDtxNFeWuuEmw1uMoA+C5euGNv86XAH5AV2OrTIt8SLFPN
+mLBLQ3J9Kkitsy1JFz9IdJ5uY3K2CvpOaP+sx3l1Q4YVuSza8r7zRfTC1wPfbsvk
+64zZQzA57WvRvpaZU49HbMV9/zDOlQfLtL7TdAbqLYjlVRpO5pHHEqLRR9eGQ2UY
+zhfMFfcJahH4lDbgHf6EVjHnEuoW9fU8hLRVzUcQCVDsf36Et+g5G1JMhFnlVzdv
+MaKiN9tzKeIqxUSlXMHYm+oIb849pshNo+KRzZ0K+r+wExnpIfCfVOjAvSQU+6y9
+1uIIQlJfk6uPFVriaooyUDrW9/83AgzJDrkpSMTnVmo/MTS8cAe8Ox5cr+mHqJko
+cnHzBNI9Q0z59SpJdXucPVyk5MYPUdfyI2ouicm+nKidNvlp36O7UHMw0pJdeqDg
+03vhaVif5uN8FNjBLp6xIipX6lor6XCOnkGR/zkis602sTAkE4nemOw9zy3rIBr+
+hYnSY7vMFCVYIERjqSOLE0k0d5RyOsGjSYr8yQMvpTGusla34qVPjrrpJ+OuczK/
+6KJeHV+WUw42g8JSs67j8YJ2ejc9gr9AVSRiES99QL+tlFnOTY28N40OjXqFJjYK
+A0x0By1O6h4PMKtYchTuJAoEOB2KOP1Ta+NlL80zM4nWwv7NdO0AR/ATfUfix1GS
+NiMC10C7eurYdAfxly3p9NgjQq+vaKsnSy0TbXPCgW8YTegnxKTUWJm+BEiYaE4M
+A0c1CySusV+JO1catlXSeCB6ajddi/SKXsW26lJ3Q+8QqhA3EMivCE3Zh2Q5c1yp
+gCV7IXtdryPdK16qmirO9LKkm6sCfBdhgBgi+IcyUhqxwHCwxrPqzEs75Sa3U/6k
+kV3AqFwhHYtUj2fBNlfJ1efV8fW+WLboJkHbi2LXmL4NBvHTNjK3NprffFrQ/QJU
+oYsMQdeWQZD+3p8w1fPb0sXEDL6LQgjAjyDaqOiX8XrQ8nr3n4FpTI38/OIIfS69
+IHtgo5yv0CMfN+C6LAHOE0aDHRoY6+TVVgr1Z/X2VqJQJONii0dQ5ttDHYnUpzu0
+vWsdvVjsyhkLa2yhUB7UyWusZo0HZRSAcf1pNlpp5rCtJad9to7OvOL3qb5GluAK
+/5eZE6RzgyGOjtOx0IgQ+l4ThQCTbkoVEtB59IEeP/+Sq2RmFfdGiGgC3Wnrga8b
+gkuXXbjZboptSku6N1ZO1r99wd0qIHzrtVCONGLGfVBy7X6nDO2pC9IUOXycMji7
+B5J0toyDWt6UzlLQasmz8Be7NZJCkDd2jlSKorZtdynsXbRkX1H4by9kI8kEcgK7
+ICE=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
new file mode 100644
index 0000000..bf4131f
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf
@@ -0,0 +1,250 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Domain Controllers
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = localdc.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = ca-samba.example.com@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_mskdc ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a domain controller certificate.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType = server
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Domain Controller Certificate localdc.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=@dc_subjalt
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for our domain controller certs
+# serverAuth - says cert can be used to identify an ssl/tls server
+# msKDC - says cert can be used to identify a Kerberos Domain Controller.
+extendedKeyUsage = clientAuth,serverAuth,msKDC
+
+[dc_subjalt]
+DNS=localdc.samba.example.com
+otherName=msADGUID;FORMAT:HEX,OCTETSTRING:0123456789ABCDEF
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
new file mode 100644
index 0000000..546b292
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEA5qR2zuhj/lf5o67grU3iFY7YJ8h9fyux6KpQj5T5x3E/UjKR
+0W1SIl/NjcxiFnqLWGXtB/fqJNOI2CbK6+wWp4QcfhVGZAkiRrndXAeEUKdOMT8B
+I9H4NgQau9TlttQbXBbJnjeKPql9MCRAsrVEQPpcb9U+/zLC5yQK5OSqn/9MrL43
+WCIIFg72py+1bE+se6SCqJ84ZBducrZ8TMVEKgq0JQ2wDKuYSvkaGsmmWfQApQpv
+CtClNMoP9A77ute7Pix8DGhrJv8cKf53+TCFDUSMr5CKcJNdOrYYi6WFEVyjXVcW
+3cfIAPEFccJuBzw3aTZ8EsWeG2kRRUQe67mylrGJzU36ieuSSfJGNfOdhzy+5Pi3
+Mac2S4F2m7IE1YB9T+YC7SRMoAPEnQCfnXGTDaW4N2IrA8O9JCUsw0PUyCewbQXU
+xsXYWwmU6Cdr2W23vN52v9WcNiYEuZcd8MmNkZOCMg23FpdBMZoiCy66mVEoa/UE
+usk9Vwxy6OEkGtQqaufjtrmUYeNOQoHlQ+Qe723EXaT5tOw6ijT+tceo/hmNz30b
+YCG6JW81zU9yKEJ9hwiq2jN+Y+ZbX+cBqOML0whapt/q5ysTSKeDMpbEutH/FWZS
+M4ZGX8KfWUoAmLcboYcl361oW/cmFyvrhGKdw72ZZ2oCXXByPhiSmYy92U8CAwEA
+AQKCAgBqVMxJW64t5lU69zax70QZ+D8DKFVjObvNridx6pa1MiqlNJcxXBsPqedU
+RjO6dUikumjq0Yrq63MdY9UNq0xOcoPIRPqsx+E7hhjdgsGnhVpxLcDSyMyL6pyA
+mAhHn8X1ULQm8ygS94S1myEQwqzy3/mZvVBLyxU8BsvW9u0K0mKBCTjustHTiZaB
+QWd8xcaZQiDSqIUQ8BSFYkgwBIoGb+TZaFQPo1SUy/8S9oBw3CMn84V6EPL5QWbV
+d8rqOuciJNQTzFgKJHbRjXW2Nn5Avae2kQaiG+5RUP5D801D0denAq2SFbbJaFTA
+O4kKYOKS6QGOjfj0Xh4ONveiaXxBSPpIJSvbjAV+Nq92NVkZ35jiPqGZzebhzzoD
+mU6mMvRoL/FHs9PKNZF1Cd4EP1SdLhiImj+1eajfYvHAlz6kIJxTue0BFkh13uwp
+amx48wB7e/W8t8lqixICf1HlCv+EQGN6aka5dHMqJobXhkt9npz53+AYdpc8Sjs9
+QlFplYoOgkaHvzLv9yeZPOT5Xr32weE6KpM+SwvpVxfttbkvqrWoOoEcDARuVqiS
+TRzS/ZDiEn+Kcgm7pJ3i2nTAIBzwC4z91HJbeVXNpptkZJEgjXM8XjSArHjDrkl1
+EGKARlkTn576XMGWSkF/bmEBiG0KIhTu+DmwsQvR+564tjV98QKCAQEA+aS7ygjL
+aRj5JZKMt3VWZRntK20m04iY0wGDNs+p+nFRJjCDAUhTTOl9++vlJYe8HO9iXzUv
+O51tGnzrck9+gUVlFghrw0dJ+mY0+1bSt2aLNUmlfvv1uRpm9Pd3xbQ6e3Kpf/r1
+ew6IpG8I6pvpVJXJ3FQZpSOlTP9dyRxMNzdILGzzPrb+2r0j6Oc/y3+adBiXB3Yg
+QPfFJRJZA4k2Wk/qSi9NR/yWHaY0krO68l8l2zn1AKaIoVVqtxVTQ7qUBWNXzVMe
+ULtAvO1Bonh+C+zYcNJjSBeYWeJ7pbp/ozDe6M2DuJMv4aW6oV6tGcMF9NOd1pFx
+qiC8vIVPZ3rJ9QKCAQEA7IPf9CAaDUScu2/Ry9z1RaISU4BMi/30poc80Zy2hC18
+vP8aiHVlQdkdzdKYGweaYNQpszGeBcHK51y6V11vwCNQRrCoUp9VbICp7ok2O4y8
+w9r+q4GcYthHeMhEnHDo4R/uHKEJCYS012RLlLSXMa0Dfl1sOv8mVuIEaZoRJrAq
+Xzxz9KX7MFv5Zb8TvVL6fHEXmdMmmoiZnyNplH+3LMj6duoNaxjtsoixCkuRTXE7
+Cav118q+QWae+yhIonF+HRIa/G0doqHa+P9rl18FUnxfAf91Z70SSJ2oOtuWjd1J
+37eG4d7skpAoWWdXNpCqpJnsPLlSlBqKmYrN5CM3swKCAQBAfV/Np0v00HC8Vgln
+8zXoVDRCfaYEC0t/ZuqgpDDC87cE6I9PK4HpYoAbLis58MCVsPl2ouSav+ZJa2/f
+Tc3eUzDz6iT8g1QHDZQuQZWZrzHTCD1qemhV8w4Zxjv4pMBe15YV65yyt2RxJgXl
+pXU3VqKY+ljNolG3fFib9WVy9iL85wBHeTqJA0ddiS+fwE0EJL4PPWLDpb4V/5Fj
+KnUSC4b4txN9vzCAZEk8hJWMuyuqYGR8UIkHNGum9ClYW8CVS76I2ioArP7iT2Af
+OoVFS1/2dUMUgpPm1G0guPb0D1HmTgDzE4LRBeEagryw5QKK5oflwBje3ColgUKr
+9rppAoIBAH9t9gXkHeU0KHXco16BaCziS5ltsNBkPaJTjvMoyjWhBGoX0EXhanL1
+9dblNkqp6AVviiAgBZH4fcf17/gOQZ116VSM7cPGURIqqGP6zZt8EmA756akKIwh
+FzD+Rek79F0HBRWrteDI/V5njUlLm4KKQy2cTCnlOtTo5ZO4DLGZjNrPCXKw0wuV
+ImQtdQc2Y/sUO7EHUO9F1e8l90apIRoiFsBnDl+7iKX+e9SeLmVZMoPdgJGJjMRT
+9ChB5hCPsXEcRinm6GataftqMp/V9Foi5FWBO9JuziENwIwlr5Izvg+pJCUiJLg6
+r2KsCRM/EpGo1N1KxDFDs5VScegPCX0CggEAWCJ0+KmHbA4F+vDjYW1wNE1MBKee
+4Q+nnX45oEHDM+J5da2Ov2IhblzVX/vJaVtI2rwSXCkM3x7ByAXwewNa4BA/eGG/
+v2MPs21f9GcLkpLv0xz+pILkeeNk+e0yIYE4jWQGFMlYh7cNLStDSw6XNU/9IKeO
+r2gQjAqS/pMGBMS3FOcd2S+/gMjJom2GaWLhGdJAGdmtGh2EbFku5+WDL76pyAaN
+BHEGD91PSER5nEGS9ho81IPDrIm0LVcp6xMRD6PWput/0gcC3Zun1ZDo9oJA1AsS
+NMnm6c14ASh/1KQUx9XkC1hUmBVhb4UA4EshT4oXffTHpDMlA6yWqlkReg==
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12 b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12
new file mode 100644
index 0000000..1d2e431
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
new file mode 100644
index 0000000..d2647cc
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIFDzCCAvcCAQAwgckxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+GzAZBgNVBAsMEkRvbWFpbiBDb250cm9sbGVyczEiMCAGA1UEAwwZbG9jYWxkYy5z
+YW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmY2Etc2FtYmEuZXhhbXBs
+ZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQDmpHbO6GP+V/mjruCtTeIVjtgnyH1/K7HoqlCPlPnHcT9SMpHRbVIi
+X82NzGIWeotYZe0H9+ok04jYJsrr7BanhBx+FUZkCSJGud1cB4RQp04xPwEj0fg2
+BBq71OW21BtcFsmeN4o+qX0wJECytURA+lxv1T7/MsLnJArk5Kqf/0ysvjdYIggW
+DvanL7VsT6x7pIKonzhkF25ytnxMxUQqCrQlDbAMq5hK+RoayaZZ9AClCm8K0KU0
+yg/0Dvu617s+LHwMaGsm/xwp/nf5MIUNRIyvkIpwk106thiLpYURXKNdVxbdx8gA
+8QVxwm4HPDdpNnwSxZ4baRFFRB7rubKWsYnNTfqJ65JJ8kY1852HPL7k+LcxpzZL
+gXabsgTVgH1P5gLtJEygA8SdAJ+dcZMNpbg3YisDw70kJSzDQ9TIJ7BtBdTGxdhb
+CZToJ2vZbbe83na/1Zw2JgS5lx3wyY2Rk4IyDbcWl0ExmiILLrqZUShr9QS6yT1X
+DHLo4SQa1Cpq5+O2uZRh405CgeVD5B7vbcRdpPm07DqKNP61x6j+GY3PfRtgIbol
+bzXNT3IoQn2HCKraM35j5ltf5wGo4wvTCFqm3+rnKxNIp4MylsS60f8VZlIzhkZf
+wp9ZSgCYtxuhhyXfrWhb9yYXK+uEYp3DvZlnagJdcHI+GJKZjL3ZTwIDAQABoAAw
+DQYJKoZIhvcNAQELBQADggIBAFRI0PRZO7XlWIpWUC0wc3KjVvTGxieaalJdPC/j
+dxT7lBkSTHGjbeLIkqjVAuhONziKT2RP9QxzK2sa9jxIi5zR1byZv500suTez+96
+KkqSnFTgM4nwJdv2S8x0uBPmlREL4K1I0FGZX29wd0bqFhBQqSzVQvQqGSiqSJfU
+KkIys1tAIrC7DfNvfhogIrupuN8clluLe0T25qxGeaqXN+EYB7U/O+4FZccpGoeP
+dHO2zYeRib0oGTlnk1noRmlqgXPEKfzoWMJ2cUkexlRy1ajW0r1rvcIgc1rPnB8h
+6c6YhFGwbYW54/I6tLxJc5pyWCQNH/uYEeFnGs/w85lPKvLM0RXsQ7rfnDRv3LOj
+Mex+3whmIs5dAVdQQMy0ngsbPpaR+5Ry8eWAPmwnRXwVaysGgmTysVCzFGqSO3ul
+7FgbKEEM1cNe4+Gvl2LEl+aJ5CB1DBslDjXMQVwLMpAU2sthJurhujx3/j598IUp
+why48F4056Uf33CncLSEriykIEFXUionXUxtDsCaS13+CfKw+gUJJRsg4ZWqrY6M
+b0KHAtzq4g7lFZ+XaXpGdxntqGOrgxfcgWBRhJnp35ILoMFNV2OHjySnF6SWDJvP
+AY9IQsUDiMruNjCS9s5zaH7KqmJJ+pgcjVSholozUEI2J3hUpq3KFsE20Cyi+YbO
+kTlo
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
new file mode 120000
index 0000000..b7549bb
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem
@@ -0,0 +1 @@
+DC-localdc.samba.example.com-S00-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
new file mode 120000
index 0000000..21601b4
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+DC-localdc.samba.example.com-S00-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
new file mode 100644
index 0000000..7b1b6a1
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/00.pem
@@ -0,0 +1,190 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 0 (0x0)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:28:44 2016 GMT
+ Not After : Mar 11 23:28:44 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:e6:a4:76:ce:e8:63:fe:57:f9:a3:ae:e0:ad:4d:
+ e2:15:8e:d8:27:c8:7d:7f:2b:b1:e8:aa:50:8f:94:
+ f9:c7:71:3f:52:32:91:d1:6d:52:22:5f:cd:8d:cc:
+ 62:16:7a:8b:58:65:ed:07:f7:ea:24:d3:88:d8:26:
+ ca:eb:ec:16:a7:84:1c:7e:15:46:64:09:22:46:b9:
+ dd:5c:07:84:50:a7:4e:31:3f:01:23:d1:f8:36:04:
+ 1a:bb:d4:e5:b6:d4:1b:5c:16:c9:9e:37:8a:3e:a9:
+ 7d:30:24:40:b2:b5:44:40:fa:5c:6f:d5:3e:ff:32:
+ c2:e7:24:0a:e4:e4:aa:9f:ff:4c:ac:be:37:58:22:
+ 08:16:0e:f6:a7:2f:b5:6c:4f:ac:7b:a4:82:a8:9f:
+ 38:64:17:6e:72:b6:7c:4c:c5:44:2a:0a:b4:25:0d:
+ b0:0c:ab:98:4a:f9:1a:1a:c9:a6:59:f4:00:a5:0a:
+ 6f:0a:d0:a5:34:ca:0f:f4:0e:fb:ba:d7:bb:3e:2c:
+ 7c:0c:68:6b:26:ff:1c:29:fe:77:f9:30:85:0d:44:
+ 8c:af:90:8a:70:93:5d:3a:b6:18:8b:a5:85:11:5c:
+ a3:5d:57:16:dd:c7:c8:00:f1:05:71:c2:6e:07:3c:
+ 37:69:36:7c:12:c5:9e:1b:69:11:45:44:1e:eb:b9:
+ b2:96:b1:89:cd:4d:fa:89:eb:92:49:f2:46:35:f3:
+ 9d:87:3c:be:e4:f8:b7:31:a7:36:4b:81:76:9b:b2:
+ 04:d5:80:7d:4f:e6:02:ed:24:4c:a0:03:c4:9d:00:
+ 9f:9d:71:93:0d:a5:b8:37:62:2b:03:c3:bd:24:25:
+ 2c:c3:43:d4:c8:27:b0:6d:05:d4:c6:c5:d8:5b:09:
+ 94:e8:27:6b:d9:6d:b7:bc:de:76:bf:d5:9c:36:26:
+ 04:b9:97:1d:f0:c9:8d:91:93:82:32:0d:b7:16:97:
+ 41:31:9a:22:0b:2e:ba:99:51:28:6b:f5:04:ba:c9:
+ 3d:57:0c:72:e8:e1:24:1a:d4:2a:6a:e7:e3:b6:b9:
+ 94:61:e3:4e:42:81:e5:43:e4:1e:ef:6d:c4:5d:a4:
+ f9:b4:ec:3a:8a:34:fe:b5:c7:a8:fe:19:8d:cf:7d:
+ 1b:60:21:ba:25:6f:35:cd:4f:72:28:42:7d:87:08:
+ aa:da:33:7e:63:e6:5b:5f:e7:01:a8:e3:0b:d3:08:
+ 5a:a6:df:ea:e7:2b:13:48:a7:83:32:96:c4:ba:d1:
+ ff:15:66:52:33:86:46:5f:c2:9f:59:4a:00:98:b7:
+ 1b:a1:87:25:df:ad:68:5b:f7:26:17:2b:eb:84:62:
+ 9d:c3:bd:99:67:6a:02:5d:70:72:3e:18:92:99:8c:
+ bd:d9:4f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate localdc.samba.example.com
+ X509v3 Subject Key Identifier:
+ E1:DF:73:0B:F1:3E:86:43:A4:B3:E9:8D:44:7D:3C:B2:19:C1:BC:F2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:localdc.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 89:2c:57:98:17:c1:73:a6:10:02:6f:a6:ac:47:1c:37:2d:1d:
+ a1:3c:c5:29:b6:3a:e6:e8:14:ec:3b:74:ee:da:db:2d:97:3e:
+ d3:8c:9d:42:7e:b0:46:e9:54:74:4f:34:df:9e:34:7f:9e:8a:
+ 9d:4d:b2:cf:fb:71:3f:cb:32:e6:45:e7:b4:d3:9e:e8:ca:a5:
+ cf:16:7b:76:b5:4e:e0:b9:bb:79:b1:82:a7:d3:23:cb:3c:46:
+ 63:63:96:b3:5b:62:9e:99:dc:02:17:f9:07:63:86:76:06:1a:
+ 02:1b:9a:df:1d:cd:e7:46:fe:9a:13:87:47:dd:e2:77:58:50:
+ a2:6c:c9:a0:f8:14:1f:3b:d7:59:9c:89:bd:2e:2d:ce:60:f4:
+ c6:2c:e3:63:cf:34:84:61:d9:90:2e:90:fc:5b:4f:a2:00:87:
+ e7:40:e0:fc:d1:24:8b:d0:28:01:d3:53:ac:b1:58:7f:87:29:
+ 38:56:93:dd:a2:14:4a:9a:94:b9:f8:94:b2:04:47:db:b8:38:
+ e6:85:2b:cf:d4:72:88:8b:0d:8e:a0:69:f9:9f:10:22:82:9c:
+ c5:ec:01:e3:07:a1:69:37:94:25:3a:cd:17:29:37:8d:24:d3:
+ 27:0f:4d:bf:b0:31:36:b8:c6:a8:69:0b:df:28:f8:e2:dc:da:
+ 95:3e:7f:d7:3f:a5:8f:92:6a:7d:ad:3a:ac:af:73:2b:5f:f1:
+ b3:22:92:ef:da:71:84:9e:4b:23:7b:69:b7:29:fc:c5:05:84:
+ 4b:ff:06:92:ee:f5:9b:14:2a:af:be:ef:02:e1:e7:d0:e8:d0:
+ 29:7c:48:40:f1:95:bb:08:b2:30:c5:81:80:a8:91:5b:2e:08:
+ 3b:30:44:07:b5:c4:0b:07:74:ca:5d:37:3d:75:f9:bc:6d:21:
+ a6:e0:91:d8:f9:27:88:05:58:a7:f4:36:eb:ba:40:63:36:15:
+ 42:98:0b:e2:d1:c9:11:0b:29:81:e1:c7:02:7e:fa:05:65:51:
+ 7b:d6:1a:33:46:fc:a5:d4:fd:64:e8:c8:11:d4:d1:41:d9:39:
+ 18:08:a3:ed:15:70:d9:14:f5:ba:c9:bb:3e:96:8d:5d:cc:c3:
+ 5c:b6:c8:79:02:2e:e2:a1:06:ba:a5:21:1c:bf:16:7f:2d:d9:
+ 93:07:92:b1:fa:ee:3f:e3:56:35:f3:30:aa:11:54:d3:71:cb:
+ 29:d4:60:e1:6c:ae:c4:24:e3:00:4f:5f:52:b0:3f:f4:76:f3:
+ 6d:db:bc:d8:65:c4:37:be:1a:87:9b:65:c4:20:dd:da:a9:4c:
+ 9f:86:33:2b:49:a6:f7:aa:ce:da:98:3b:e3:5f:ac:b8:1b:45:
+ 0e:56:59:fb:49:38:0f:b7:d4:49:f8:7b:ac:fa:d8:b8:1d:16:
+ db:b2:4c:15:d8:e7:eb:6b:38:ff:d2:69:26:a6:f6:50:15:45:
+ 2f:12:b2:05:d4:bf:6f:53:79:64:9b:d5:8b:a1:08:3e:43:ee:
+ 08:fe:9b:ea:83:89:8a:6a:53:98:1e:c5:91:4c:7a:99:2b:6d:
+ 97:dc:96:1b:de:27:c5:af:0f:dd:42:5c:23:7d:bc:6b:5b:ab:
+ 47:29:98:35:8f:9e:e6:e1:5f:96:6a:bd:cf:3c:47:89:8b:ad:
+ 21:de:20:da:99:82:c1:0e:9b:7c:38:21:d8:b1:1c:34:c5:4e:
+ f7:fe:7d:5e:a4:2f:f8:7d:5c:30:2c:9e:e6:5a:4f:d3:15:90:
+ e6:6f:69:ea:51:93:8f:2c:dd:a7:c3:3c:50:a8:d1:ba:0b:5c:
+ cc:2e:4e:57:71:21:08:a1:2c:bd:a7:20:4b:ae:5c:02:7a:cd:
+ 9a:fe:1e:db:ec:ce:3b:12:37:cb:96:20:7b:3b:b1:5a:2e:84:
+ 03:f9:0b:32:43:c0:4e:e3:ea:79:e7:9a:13:54:e5:a8:1a:17:
+ c4:79:78:25:63:ab:67:39:39:a0:6c:c4:c5:94:ac:16:92:3d:
+ f0:1a:1a:9e:ca:7a:84:1b:c1:5a:5f:4c:65:8a:30:a6:5e:6c:
+ 0e:ae:bf:ac:09:97:0f:83:5c:92:ce:e4:43:de:06:4b:96:f5:
+ 46:3b:7d:a8:e3:0f:d3:fe:00:c7:d4:79:4e:5f:bd:ec:59:12:
+ f9:65:23:fa:e7:97:a2:a6:39:3b:a3:1e:da:47:c5:18:5b:8d:
+ a7:7b:29:1c:5a:7a:06:c6:92:9e:b7:3b:f0:c5:56:e8:cf:84:
+ cd:dd:61:0f:21:25:f4:1e:2b:40:b6:74:28:8d:41:f6:2c:1d:
+ ce:b4:39:d1:e1:be:15:78:c9:d7:99:a1:9d:50:43:da:ec:40:
+ 69:6a:3b:17:af:28:22:09:e0:7d:38:9e:a7:ca:b7:f7:94:8a:
+ 2a:1b:32:4e:28:6d:18:95:ca:42:67:c8:bb:13:24:31:43:84:
+ 3e:95:66:08:5c:15:7f:6b:93:cc:8f:b8:76:7a:fd:74:4a:d6:
+ 6f:64:74:df:72:f7:34:a3:50:f0:db:bf:0a:2b:1b:48:b7:c9:
+ c0:97:23:27:b1:56:5b:9e:10:12:5a:bf:ff:38:61:da:41:75:
+ 15:c5:03:c2:20:fd:7f:84:c0:94:8e:11:ed:01:ba:f1:19:b5:
+ 05:1d:bf:89:ea:c9:38:4e:d2:cf:5b:24:c6:37:a1:8e:60:89:
+ 5c:52:ff:7d:5e:2d:c9:f8:b1:79:07:4c:2f:18:85:e8:ba:bf:
+ 3e:da:59:43:df:29:79:7e:00:38:d2:fc:a9:8e:3b:9d
+-----BEGIN CERTIFICATE-----
+MIIJ6zCCBdOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI4NDRaFw0zNjAzMTEyMzI4NDRaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSIwIAYDVQQDDBlsb2NhbGRjLnNhbWJhLmV4
+YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1iYS5leGFtcGxlLmNvbUBz
+YW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AOakds7oY/5X+aOu4K1N4hWO2CfIfX8rseiqUI+U+cdxP1IykdFtUiJfzY3MYhZ6
+i1hl7Qf36iTTiNgmyuvsFqeEHH4VRmQJIka53VwHhFCnTjE/ASPR+DYEGrvU5bbU
+G1wWyZ43ij6pfTAkQLK1RED6XG/VPv8ywuckCuTkqp//TKy+N1giCBYO9qcvtWxP
+rHukgqifOGQXbnK2fEzFRCoKtCUNsAyrmEr5GhrJpln0AKUKbwrQpTTKD/QO+7rX
+uz4sfAxoayb/HCn+d/kwhQ1EjK+QinCTXTq2GIulhRFco11XFt3HyADxBXHCbgc8
+N2k2fBLFnhtpEUVEHuu5spaxic1N+onrkknyRjXznYc8vuT4tzGnNkuBdpuyBNWA
+fU/mAu0kTKADxJ0An51xkw2luDdiKwPDvSQlLMND1MgnsG0F1MbF2FsJlOgna9lt
+t7zedr/VnDYmBLmXHfDJjZGTgjINtxaXQTGaIgsuuplRKGv1BLrJPVcMcujhJBrU
+Kmrn47a5lGHjTkKB5UPkHu9txF2k+bTsOoo0/rXHqP4Zjc99G2AhuiVvNc1PcihC
+fYcIqtozfmPmW1/nAajjC9MIWqbf6ucrE0ingzKWxLrR/xVmUjOGRl/Cn1lKAJi3
+G6GHJd+taFv3Jhcr64RincO9mWdqAl1wcj4YkpmMvdlPAgMBAAGjggHxMIIB7TAJ
+BgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEuZXhh
+bXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEGCWCG
+SAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwRgYJYIZIAYb4QgENBDkWN0RvbWFp
+biBDb250cm9sbGVyIENlcnRpZmljYXRlIGxvY2FsZGMuc2FtYmEuZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFOHfcwvxPoZDpLPpjUR9PLIZwbzyMB8GA1UdIwQYMBaAFKI+
+Aiqjp005tAhNmcwMdTbqJ8M+MD0GA1UdEQQ2MDSCGWxvY2FsZGMuc2FtYmEuZXhh
+bXBsZS5jb22gFwYJKwYBBAGCNxkBoAoECAEjRWeJq83vMDEGA1UdEgQqMCiBJmNh
+LXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0GCWCGSAGG+EIB
+BARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEu
+ZXhhbXBsZS5jb20tY3JsLmNybDAmBgNVHSUEHzAdBggrBgEFBQcDAgYIKwYBBQUH
+AwEGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggQBAIksV5gXwXOmEAJvpqxHHDct
+HaE8xSm2OuboFOw7dO7a2y2XPtOMnUJ+sEbpVHRPNN+eNH+eip1Nss/7cT/LMuZF
+57TTnujKpc8We3a1TuC5u3mxgqfTI8s8RmNjlrNbYp6Z3AIX+QdjhnYGGgIbmt8d
+zedG/poTh0fd4ndYUKJsyaD4FB8711mcib0uLc5g9MYs42PPNIRh2ZAukPxbT6IA
+h+dA4PzRJIvQKAHTU6yxWH+HKThWk92iFEqalLn4lLIER9u4OOaFK8/UcoiLDY6g
+afmfECKCnMXsAeMHoWk3lCU6zRcpN40k0ycPTb+wMTa4xqhpC98o+OLc2pU+f9c/
+pY+San2tOqyvcytf8bMiku/acYSeSyN7abcp/MUFhEv/BpLu9ZsUKq++7wLh59Do
+0Cl8SEDxlbsIsjDFgYCokVsuCDswRAe1xAsHdMpdNz11+bxtIabgkdj5J4gFWKf0
+Nuu6QGM2FUKYC+LRyRELKYHhxwJ++gVlUXvWGjNG/KXU/WToyBHU0UHZORgIo+0V
+cNkU9brJuz6WjV3Mw1y2yHkCLuKhBrqlIRy/Fn8t2ZMHkrH67j/jVjXzMKoRVNNx
+yynUYOFsrsQk4wBPX1KwP/R2823bvNhlxDe+GoebZcQg3dqpTJ+GMytJpveqztqY
+O+NfrLgbRQ5WWftJOA+31En4e6z62LgdFtuyTBXY5+trOP/SaSam9lAVRS8SsgXU
+v29TeWSb1YuhCD5D7gj+m+qDiYpqU5gexZFMepkrbZfclhveJ8WvD91CXCN9vGtb
+q0cpmDWPnubhX5Zqvc88R4mLrSHeINqZgsEOm3w4IdixHDTFTvf+fV6kL/h9XDAs
+nuZaT9MVkOZvaepRk48s3afDPFCo0boLXMwuTldxIQihLL2nIEuuXAJ6zZr+Htvs
+zjsSN8uWIHs7sVouhAP5CzJDwE7j6nnnmhNU5agaF8R5eCVjq2c5OaBsxMWUrBaS
+PfAaGp7KeoQbwVpfTGWKMKZebA6uv6wJlw+DXJLO5EPeBkuW9UY7fajjD9P+AMfU
+eU5fvexZEvllI/rnl6KmOTujHtpHxRhbjad7KRxaegbGkp63O/DFVujPhM3dYQ8h
+JfQeK0C2dCiNQfYsHc60OdHhvhV4ydeZoZ1QQ9rsQGlqOxevKCIJ4H04nqfKt/eU
+iiobMk4obRiVykJnyLsTJDFDhD6VZghcFX9rk8yPuHZ6/XRK1m9kdN9y9zSjUPDb
+vworG0i3ycCXIyexVlueEBJav/84YdpBdRXFA8Ig/X+EwJSOEe0BuvEZtQUdv4nq
+yThO0s9bJMY3oY5giVxS/31eLcn4sXkHTC8Yhei6vz7aWUPfKXl+ADjS/KmOO50=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
new file mode 100644
index 0000000..4ab5d5a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/01.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:04 2016 GMT
+ Not After : Mar 11 23:29:04 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:af:87:9e:1e:7f:c0:ab:da:47:22:74:d0:df:01:
+ f1:67:6c:ac:c4:b7:d9:18:97:e5:7a:62:76:33:b6:
+ 52:f2:92:90:75:ac:a3:94:7e:0c:29:75:c9:83:2f:
+ 19:66:60:84:45:ff:d5:a9:bd:c5:3a:a2:d8:25:cf:
+ 15:8a:23:3e:09:73:2f:99:1d:24:1f:e6:96:7e:7b:
+ c4:1e:8d:55:5b:c1:18:69:cd:1d:b4:22:d5:7b:db:
+ 5e:7c:91:f2:8e:c1:03:30:ee:63:46:5a:54:d5:40:
+ ac:79:55:00:71:07:8d:3e:0e:ed:ff:93:6c:f1:2d:
+ 84:c1:51:a3:7c:49:cf:ff:85:7b:c0:64:c1:ba:c8:
+ 66:7a:ff:17:2a:74:ea:16:6a:1d:97:c0:27:57:10:
+ be:76:f5:9a:63:56:c7:25:c6:fc:a7:5e:00:a6:1a:
+ 3d:21:bd:7a:f9:e3:03:60:ce:df:16:06:fc:05:bc:
+ d1:c8:5d:e7:33:ed:52:8b:60:5b:60:c5:70:13:1d:
+ c1:b3:08:13:09:3b:05:e8:02:40:12:45:89:af:87:
+ 1f:6a:8f:62:ce:1e:17:13:34:82:81:86:e9:bb:85:
+ 5b:75:1d:f4:3a:02:b4:a6:58:23:fe:c3:3a:35:09:
+ 95:bb:f7:79:bc:e3:97:e6:6d:77:24:aa:2d:51:50:
+ 37:69
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@samba.example.com
+ X509v3 Subject Key Identifier:
+ 45:DA:4B:8D:05:9C:62:4E:62:C3:D7:5C:5F:D3:D9:85:B4:9B:F2:2C
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ a2:bb:e6:97:67:3c:b6:6e:6e:dd:34:99:16:c6:80:91:08:bf:
+ 91:ba:51:62:5d:76:2f:e5:53:91:3d:99:03:18:a9:84:69:73:
+ 76:66:c3:eb:56:d7:c5:40:91:15:da:de:b2:76:48:7d:8a:8c:
+ 80:79:3c:e6:da:0e:a6:c3:53:d6:74:ee:5f:29:b7:03:46:de:
+ 89:32:14:22:03:30:68:2e:7e:06:d4:ac:9e:82:c0:02:16:7f:
+ 81:ba:ee:7a:e7:8b:f7:fb:99:7f:8c:eb:78:54:97:4e:28:44:
+ da:f4:e2:1b:f8:3e:ac:ca:cc:e3:e3:71:90:91:47:9c:78:ed:
+ 6f:bc:b7:98:12:ea:75:e5:15:f7:26:56:a7:5c:d6:74:a8:13:
+ 7b:23:35:4e:6a:01:f6:a9:f5:5b:9b:d0:ea:ba:0f:c3:c4:1a:
+ e0:b9:a3:ed:5d:28:cb:7f:1d:3e:8a:9a:af:4c:88:00:3c:10:
+ f0:49:85:24:60:e6:cb:d6:9e:00:46:78:4d:90:22:68:4f:10:
+ 39:84:3b:e2:7c:3d:ed:23:41:19:7e:6f:45:59:89:a9:9f:26:
+ c1:f9:7d:4d:0a:b4:10:f9:31:7d:cc:87:d0:4b:62:14:70:86:
+ c8:7d:14:ff:e4:68:e2:de:42:ca:01:c7:aa:2d:5a:a5:72:64:
+ f1:4c:fa:6e:60:15:22:08:68:e6:c6:6a:75:63:24:b5:54:76:
+ d1:97:4f:e0:e8:bc:eb:d0:62:84:4a:b4:3a:07:38:5f:b9:a6:
+ 6a:31:14:47:33:81:bd:d0:a4:a2:da:2b:92:0d:dc:42:c4:0f:
+ 28:0d:b6:1b:33:b5:88:df:1b:a8:d8:90:9a:11:ce:df:d4:14:
+ e9:ac:94:94:95:bb:bc:6e:f1:be:85:29:3f:17:ab:41:14:d8:
+ 20:ba:e0:a2:a3:d3:d4:8b:1e:4b:32:22:8d:0d:c1:e6:39:1a:
+ ce:cd:f3:1d:f1:82:85:d5:e7:80:34:90:a4:0e:d4:af:32:c8:
+ 79:4e:25:32:b6:1e:06:3a:26:42:38:47:1a:32:96:71:5b:fe:
+ 5b:b0:ef:7d:fe:58:ca:eb:b5:c9:4b:2f:12:cb:89:36:22:7c:
+ a6:39:ab:20:c1:2d:cd:6b:34:e1:cd:bc:ed:45:45:12:4a:65:
+ 4b:ab:45:f2:6d:7a:9d:f8:b5:52:78:1b:da:2f:e0:ce:f7:e2:
+ b0:fa:6f:40:3d:dd:e9:39:c3:63:68:ab:77:53:be:3b:dd:9a:
+ bc:d7:d7:fa:6a:bf:bf:74:f7:11:80:87:f9:d3:45:eb:1e:8e:
+ d1:a9:a0:2e:66:e7:20:67:1c:4c:22:43:77:85:ff:1a:23:37:
+ cc:49:de:51:ee:f2:04:2f:a8:98:88:0f:b6:18:53:eb:e2:49:
+ 15:5e:02:8b:1e:7b:e6:c5:d1:0c:df:84:4e:d9:bd:fe:21:48:
+ d4:a4:11:01:27:57:51:d6:c1:b2:a1:1c:11:9a:a7:d1:ab:f0:
+ 99:16:b2:c8:3f:74:25:68:0b:1a:cf:58:0d:cd:cc:1a:6d:8b:
+ ec:1f:70:82:02:40:97:0f:75:2c:53:87:c1:42:5c:d1:7e:19:
+ 78:2c:2c:88:73:33:81:63:38:84:07:0f:16:bb:7c:54:59:03:
+ 94:e7:b8:85:d7:f8:5e:53:35:65:2e:e5:27:65:be:f0:89:65:
+ f6:ab:3f:6e:a5:bd:c1:1a:9e:31:30:68:6e:50:af:54:4c:33:
+ f8:73:2f:41:60:4f:4c:85:1b:ad:7d:db:62:42:dc:87:96:b4:
+ cf:ce:12:50:ed:6c:01:5f:e2:f9:03:f5:f7:4c:6c:8f:2b:5b:
+ 7a:64:7d:19:e8:20:f2:e9:10:58:f3:71:0e:1e:58:68:f2:59:
+ 3c:06:53:7a:f3:60:62:5b:c7:b7:83:58:1d:3d:a6:17:db:33:
+ cc:91:14:af:d6:b9:08:bf:60:af:ac:3e:fe:8b:74:71:20:c7:
+ e7:31:5e:26:6c:28:52:67:12:1e:c3:9b:89:23:5d:88:ee:b0:
+ 6b:db:cc:94:8b:9b:1b:40:b7:66:bc:7d:1d:e1:08:00:20:ba:
+ 41:cd:17:d6:4c:7b:c4:5a:fd:cf:6b:20:e2:b8:86:9c:31:17:
+ c2:d7:7f:1c:3a:d0:fc:1d:f5:7f:c9:96:04:27:de:b8:ef:8d:
+ 38:9a:b3:56:60:ac:c2:07:38:64:19:39:9e:73:6f:ba:59:15:
+ ac:45:42:4d:bb:79:60:7f:ae:c3:8d:63:4a:27:16:0a:ca:92:
+ 7f:f7:a2:02:76:f5:e6:7c:ec:ba:ea:18:cd:9c:3b:ee:37:2c:
+ 9d:78:4e:c9:40:6d:94:cc:ce:ca:f4:33:fc:a4:dd:05:62:d6:
+ 0f:1e:19:63:af:10:c3:ff:02:1a:0a:48:fd:af:f2:a4:0e:64:
+ dd:90:f4:4f:14:1b:90:1f:9e:29:b0:0b:94:a4:d1:2a:87:b9:
+ 3a:76:c2:b6:af:c3:d4:84:6e:85:1c:64:73:46:d0:df:72:c0:
+ 3c:42:91:c4:30:10:11:18:36:bc:e5:17:36:22:5f:c2:3f:ac:
+ 1d:2e:9d:87:11:be:a7:ac:b2:62:35:74:b9:27:27:95:bc:c1:
+ 11:44:f8:64:36:60:74:06:a2:e7:e9:76:be:a7:86:5e:18:1e:
+ bd:dc:b0:aa:ae:92:d6:dd:d6:25:80:d6:c1:be:c1:21:1c:01:
+ 6f:83:20:ae:b7:54:4f:3d:2d:12:fc:a2:cc:49:fd:59
+-----BEGIN CERTIFICATE-----
+MIII/TCCBOWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5MDRaFw0zNjAzMTEyMzI5MDRaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxKDAmBgNVBAMMH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j
+b20xLjAsBgkqhkiG9w0BCQEWH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvh54ef8Cr2kcidNDf
+AfFnbKzEt9kYl+V6YnYztlLykpB1rKOUfgwpdcmDLxlmYIRF/9WpvcU6otglzxWK
+Iz4Jcy+ZHSQf5pZ+e8QejVVbwRhpzR20ItV72158kfKOwQMw7mNGWlTVQKx5VQBx
+B40+Du3/k2zxLYTBUaN8Sc//hXvAZMG6yGZ6/xcqdOoWah2XwCdXEL529ZpjVscl
+xvynXgCmGj0hvXr54wNgzt8WBvwFvNHIXecz7VKLYFtgxXATHcGzCBMJOwXoAkAS
+RYmvhx9qj2LOHhcTNIKBhum7hVt1HfQ6ArSmWCP+wzo1CZW793m845fmbXckqi1R
+UDdpAgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0
+dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl
+LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ
+YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIGFk
+bWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFEXaS40FnGJO
+YsPXXF/T2YW0m/IsMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG
+A1UdEQRUMFKBH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB
+BAGCNxQCA6AhDB9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD
+AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEAorvml2c8tm5u3TSZFsaA
+kQi/kbpRYl12L+VTkT2ZAxiphGlzdmbD61bXxUCRFdresnZIfYqMgHk85toOpsNT
+1nTuXym3A0beiTIUIgMwaC5+BtSsnoLAAhZ/gbrueueL9/uZf4zreFSXTihE2vTi
+G/g+rMrM4+NxkJFHnHjtb7y3mBLqdeUV9yZWp1zWdKgTeyM1TmoB9qn1W5vQ6roP
+w8Qa4Lmj7V0oy38dPoqar0yIADwQ8EmFJGDmy9aeAEZ4TZAiaE8QOYQ74nw97SNB
+GX5vRVmJqZ8mwfl9TQq0EPkxfcyH0EtiFHCGyH0U/+Ro4t5CygHHqi1apXJk8Uz6
+bmAVIgho5sZqdWMktVR20ZdP4Oi869BihEq0Ogc4X7mmajEURzOBvdCkotorkg3c
+QsQPKA22GzO1iN8bqNiQmhHO39QU6ayUlJW7vG7xvoUpPxerQRTYILrgoqPT1Ise
+SzIijQ3B5jkazs3zHfGChdXngDSQpA7UrzLIeU4lMrYeBjomQjhHGjKWcVv+W7Dv
+ff5Yyuu1yUsvEsuJNiJ8pjmrIMEtzWs04c287UVFEkplS6tF8m16nfi1Ungb2i/g
+zvfisPpvQD3d6TnDY2ird1O+O92avNfX+mq/v3T3EYCH+dNF6x6O0amgLmbnIGcc
+TCJDd4X/GiM3zEneUe7yBC+omIgPthhT6+JJFV4Cix575sXRDN+ETtm9/iFI1KQR
+ASdXUdbBsqEcEZqn0avwmRayyD90JWgLGs9YDc3MGm2L7B9wggJAlw91LFOHwUJc
+0X4ZeCwsiHMzgWM4hAcPFrt8VFkDlOe4hdf4XlM1ZS7lJ2W+8Ill9qs/bqW9wRqe
+MTBoblCvVEwz+HMvQWBPTIUbrX3bYkLch5a0z84SUO1sAV/i+QP190xsjytbemR9
+Gegg8ukQWPNxDh5YaPJZPAZTevNgYlvHt4NYHT2mF9szzJEUr9a5CL9gr6w+/ot0
+cSDH5zFeJmwoUmcSHsObiSNdiO6wa9vMlIubG0C3Zrx9HeEIACC6Qc0X1kx7xFr9
+z2sg4riGnDEXwtd/HDrQ/B31f8mWBCfeuO+NOJqzVmCswgc4ZBk5nnNvulkVrEVC
+Tbt5YH+uw41jSicWCsqSf/eiAnb15nzsuuoYzZw77jcsnXhOyUBtlMzOyvQz/KTd
+BWLWDx4ZY68Qw/8CGgpI/a/ypA5k3ZD0TxQbkB+eKbALlKTRKoe5OnbCtq/D1IRu
+hRxkc0bQ33LAPEKRxDAQERg2vOUXNiJfwj+sHS6dhxG+p6yyYjV0uScnlbzBEUT4
+ZDZgdAai5+l2vqeGXhgevdywqq6S1t3WJYDWwb7BIRwBb4MgrrdUTz0tEvyizEn9
+WQ==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
new file mode 100644
index 0000000..2e2a8b9
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/02.pem
@@ -0,0 +1,191 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:25 2016 GMT
+ Not After : Mar 11 23:29:25 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:a6:c4:a9:bf:75:ea:4c:8d:3b:fd:8a:0f:b0:a2:
+ b6:c7:a8:1f:e4:0e:3e:41:ef:d6:10:48:77:7b:4e:
+ 4c:59:e1:bf:6d:c7:18:7b:a8:01:a7:d5:d2:2c:21:
+ 3e:d0:1a:da:58:03:e8:42:f1:53:0e:a7:91:b9:2c:
+ b9:e7:7a:c9:de:5e:ed:4c:93:6b:cc:dd:17:d0:c7:
+ d1:f1:7c:3d:0d:6f:df:5d:53:5a:b1:1f:a3:7b:5b:
+ 41:65:0c:7c:ea:53:df:bb:da:41:15:da:49:e3:b9:
+ 2d:bb:b5:af:ef:8c:b8:84:74:d0:18:16:8e:5c:e4:
+ c2:e7:a1:87:8f:e3:87:8b:0b:bb:90:30:e8:e0:f3:
+ eb:c0:50:5f:b5:7f:54:9a:1b:34:43:fd:be:5a:80:
+ 6e:0f:63:a2:b3:79:42:4a:85:c8:07:c7:82:55:23:
+ 88:d4:4e:03:2f:f1:95:bd:ed:15:2d:3e:16:cd:ff:
+ c7:9b:03:29:36:a6:5d:c9:1a:1e:89:a5:ba:66:83:
+ 0f:96:a8:07:9f:24:b9:1b:8f:02:9a:b8:50:29:8b:
+ be:63:45:fa:45:c3:38:23:a0:98:3a:b4:6b:42:99:
+ 13:36:4b:84:ef:27:89:39:34:79:f8:67:16:7b:9c:
+ 2a:03:41:15:63:46:e4:db:2f:f2:3e:6d:fe:7c:20:
+ 1e:9f:02:48:a4:bc:15:42:a6:f8:38:86:dc:6b:7c:
+ 4e:67:a3:31:81:8e:b6:30:1a:eb:3d:08:25:19:5f:
+ 42:dc:39:ec:79:1d:30:0a:fb:16:8f:3d:19:14:cc:
+ f5:af:d7:c6:75:cf:b3:96:a2:b2:9b:d9:03:01:a3:
+ ca:88:1d:72:ed:6f:d1:bf:57:56:8e:b9:07:9b:b9:
+ 04:13:1e:0b:5a:06:6b:2b:43:a2:dc:d5:b7:f4:ba:
+ d3:ae:9d:ad:fd:d3:8a:7c:2f:87:32:fa:89:88:58:
+ 00:ae:16:2b:9c:1d:58:82:4d:e5:21:da:d5:6c:f7:
+ a8:40:8b:c7:02:d5:36:30:ef:3f:09:9b:a6:d2:31:
+ a3:bf:20:d4:a2:9e:26:c4:b4:c3:0f:0b:6c:00:d1:
+ 2c:16:b1:2a:eb:06:d9:d5:98:c3:cd:cb:20:68:ad:
+ 0a:2c:a1:2f:27:41:5c:91:de:49:62:ed:d8:3a:ef:
+ 68:1c:6d:fe:94:c3:28:68:32:60:08:65:cd:02:9f:
+ 97:96:2f:0f:87:27:3d:b9:0f:85:62:e8:2b:9a:b4:
+ f4:d3:d7:c1:93:96:27:23:29:88:b1:39:99:53:3a:
+ 20:aa:88:44:3b:4a:24:2a:8b:e0:b4:8d:dd:66:30:
+ df:a6:6e:b7:fc:21:43:16:9e:3e:12:20:c8:7a:30:
+ c1:3d:ab
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate addc.addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3D:BC:70:0C:74:D4:B8:85:49:1D:08:84:C4:1B:27:F2:AF:72:37:D3
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:addc.addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 9e:8b:bb:0a:7a:dc:c0:94:33:bc:18:a5:e6:4a:1f:ff:8e:21:
+ b1:8f:33:f0:3e:8b:6c:72:55:c4:47:71:5f:ce:e7:31:ef:5b:
+ 62:04:b7:57:8f:a8:27:9f:ed:69:d2:ec:a8:0d:e2:76:33:8d:
+ 41:3a:67:61:5c:53:60:c7:53:ed:d7:99:72:29:1d:ae:d3:ee:
+ c9:76:1c:6d:18:47:e9:94:dd:2e:97:3f:99:af:b5:f4:a1:7c:
+ 92:f6:4d:b5:c1:7a:0c:38:ba:d1:b6:19:9a:9f:e2:02:84:d4:
+ 54:01:38:7b:55:86:4a:ee:3d:85:48:01:da:34:09:69:43:25:
+ 7e:6e:06:73:e0:b9:7c:b5:9c:4e:9c:b5:52:85:32:62:62:25:
+ 39:fa:02:4b:51:2e:df:8e:52:17:02:50:f4:99:29:bf:7e:97:
+ 53:91:12:85:9a:69:62:45:59:c4:5b:3f:af:18:e6:7b:e4:86:
+ 5d:f1:9e:5a:2b:3e:14:6e:7e:d4:47:24:ef:d9:a8:ec:d9:a6:
+ cb:b8:4f:1a:86:d9:43:20:41:16:15:5f:81:0d:fe:6b:31:53:
+ c1:f6:84:4c:f3:03:64:d2:e6:44:3d:7a:60:79:d7:37:6f:33:
+ de:c0:a8:b9:6e:fe:b2:79:ac:b4:53:92:b8:0a:59:2b:cc:6b:
+ 37:c4:6f:c6:44:02:f7:7c:c5:c6:a6:6f:c2:ad:de:78:1e:48:
+ 96:cc:fe:59:2e:53:ce:34:d6:e8:f0:56:43:30:32:90:6f:f9:
+ 47:76:ab:99:63:e3:e8:a3:f3:83:98:e9:05:2b:ea:f9:f9:9d:
+ 66:70:c7:2c:00:c2:9e:57:3e:31:43:50:50:c8:db:a8:2d:21:
+ 4e:6f:39:c2:bd:ef:d8:47:99:27:0d:48:b2:58:f1:be:45:bd:
+ fe:c4:a2:56:fc:06:02:dc:19:33:85:53:ed:38:59:01:16:bc:
+ aa:c5:d3:4b:37:54:83:1b:e5:c1:4b:dd:34:6b:e5:d8:35:86:
+ 95:e6:9f:d2:22:84:b1:e2:4f:a7:2e:4d:e6:9c:eb:db:df:42:
+ e1:b4:66:e6:58:d3:28:10:34:97:f3:9c:6b:5f:05:2c:47:2c:
+ e3:75:eb:6f:74:0a:ec:d7:1d:30:80:56:44:12:26:f6:4e:5f:
+ ff:92:f4:62:02:36:9c:62:eb:39:98:53:68:68:95:fb:94:68:
+ 69:b8:3c:66:1a:ce:78:c4:cf:c4:6f:21:ac:a8:a6:f4:ab:69:
+ 2a:2e:00:5d:f7:67:06:b1:4f:97:58:88:55:d8:6e:eb:a5:98:
+ 50:36:21:70:3d:b0:a4:f5:3b:21:b3:1c:f5:a9:dd:c6:4a:c2:
+ 89:b8:5a:b3:bc:1f:21:ce:4c:68:5f:98:d8:39:70:d2:7e:a0:
+ 90:df:ad:a3:13:eb:3c:93:f6:b8:f4:d9:a7:51:b3:0d:ea:ee:
+ d4:57:aa:db:ca:7c:8a:a0:08:c3:98:9a:3a:b7:ba:2a:50:92:
+ 26:c2:e3:11:ba:12:60:24:b9:59:df:62:a8:d7:4d:a3:cb:ea:
+ 46:e8:39:f9:83:14:a8:5c:44:75:71:6b:7f:99:bd:68:58:d9:
+ 6b:d1:cd:c7:45:95:9e:44:1e:85:35:c0:30:2b:18:aa:eb:2f:
+ 93:d5:be:66:5d:70:ed:1d:04:f2:c1:1e:b5:ec:45:0c:04:f6:
+ 9d:88:d3:0c:20:5e:5b:23:df:34:a1:f5:ea:b4:a1:44:c0:da:
+ d5:ea:89:e8:b5:cb:dc:f8:92:ee:ac:8d:61:ed:bf:74:2b:28:
+ 79:1f:f4:9a:ff:63:bd:e6:aa:79:1d:2c:26:4a:b2:26:53:57:
+ ba:88:0e:eb:19:57:c0:10:a0:1e:81:2a:c0:56:2e:c3:2a:81:
+ bf:c1:5a:e7:48:ce:c1:6a:b9:6c:41:cc:44:a6:b8:70:e2:57:
+ 0e:6d:41:d6:61:da:bf:ac:20:2c:a7:2a:67:23:98:00:ba:ce:
+ 8b:a8:c2:45:66:a7:08:eb:7f:0a:b5:e7:9b:d6:f4:07:d5:b3:
+ 43:cd:27:d4:fa:c9:40:8f:af:b2:36:1c:e7:44:b4:4e:cc:5a:
+ 2b:73:ad:8f:c4:d9:47:a6:fb:2c:7d:1a:80:2a:55:b3:80:34:
+ 6f:8e:17:27:93:05:21:40:e9:8f:bf:47:6a:52:f5:2e:b5:18:
+ d1:8c:1d:83:04:80:55:fd:21:28:dc:7c:be:c8:c1:5f:e4:40:
+ d3:13:e4:66:bf:ad:92:4e:9b:db:c1:be:a3:42:74:da:c3:2c:
+ 0a:da:3f:94:14:ad:7e:de:81:c6:01:6a:f7:7a:b4:25:51:b0:
+ ab:cd:b3:3a:77:bf:c3:6b:04:44:30:73:41:ad:93:49:67:ee:
+ 43:d1:96:8e:36:83:2b:1b:6c:e7:cc:3e:d6:16:b9:88:4a:ab:
+ 56:c0:76:00:f6:9a:6a:8a:e3:e0:41:75:9d:3b:47:0f:c9:0a:
+ 8e:9f:9c:00:92:bb:ae:d8:42:56:35:64:eb:59:13:da:2c:63:
+ 83:c3:ec:68:91:b5:f3:71:85:48:54:c3:9d:a1:c8:63:f3:de:
+ 5d:a5:34:a9:1e:85:2c:2c:b5:d8:a9:62:8d:26:1f:b2:9e:a7:
+ 83:4d:df:69:63:b5:b7:e5:dd:e7:3b:18:e5:b3:77:df:c5:47:
+ b3:f7:8c:e7:5e:87:2e:46:e3:8f:b1:2b:9b:c6:26:2d:1a:28:
+ 30:13:10:86:5b:46:87:b1:2d:12:ce:b6:fe:1c:4e:44
+-----BEGIN CERTIFICATE-----
+MIIJ9DCCBdygAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5MjVaFw0zNjAzMTEyMzI5MjVaMIG4MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSUwIwYDVQQDDBxhZGRjLmFkZG9tLnNhbWJh
+LmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZjYS1zYW1iYS5leGFtcGxlLmNv
+bUBzYW1iYS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBAKbEqb916kyNO/2KD7CitseoH+QOPkHv1hBId3tOTFnhv23HGHuoAafV0iwh
+PtAa2lgD6ELxUw6nkbksued6yd5e7UyTa8zdF9DH0fF8PQ1v311TWrEfo3tbQWUM
+fOpT37vaQRXaSeO5Lbu1r++MuIR00BgWjlzkwuehh4/jh4sLu5Aw6ODz68BQX7V/
+VJobNEP9vlqAbg9jorN5QkqFyAfHglUjiNROAy/xlb3tFS0+Fs3/x5sDKTamXcka
+HomlumaDD5aoB58kuRuPApq4UCmLvmNF+kXDOCOgmDq0a0KZEzZLhO8niTk0efhn
+FnucKgNBFWNG5Nsv8j5t/nwgHp8CSKS8FUKm+DiG3Gt8TmejMYGOtjAa6z0IJRlf
+Qtw57HkdMAr7Fo89GRTM9a/XxnXPs5aispvZAwGjyogdcu1v0b9XVo65B5u5BBMe
+C1oGaytDotzVt/S6066drf3TinwvhzL6iYhYAK4WK5wdWIJN5SHa1Wz3qECLxwLV
+NjDvPwmbptIxo78g1KKeJsS0ww8LbADRLBaxKusG2dWYw83LIGitCiyhLydBXJHe
+SWLt2DrvaBxt/pTDKGgyYAhlzQKfl5YvD4cnPbkPhWLoK5q09NPXwZOWJyMpiLE5
+mVM6IKqIRDtKJCqL4LSN3WYw36Zut/whQxaePhIgyHowwT2rAgMBAAGjggH3MIIB
+8zAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEu
+ZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEG
+CWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBeAwSQYJYIZIAYb4QgENBDwWOkRv
+bWFpbiBDb250cm9sbGVyIENlcnRpZmljYXRlIGFkZGMuYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFD28cAx01LiFSR0IhMQbJ/KvcjfTMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MEAGA1UdEQQ5MDeCHGFkZGMuYWRkb20u
+c2FtYmEuZXhhbXBsZS5jb22gFwYJKwYBBAGCNxkBoAoECAEjRWeJq83vMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAmBgNVHSUEHzAdBggrBgEFBQcD
+AgYIKwYBBQUHAwEGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggQBAJ6Luwp63MCU
+M7wYpeZKH/+OIbGPM/A+i2xyVcRHcV/O5zHvW2IEt1ePqCef7WnS7KgN4nYzjUE6
+Z2FcU2DHU+3XmXIpHa7T7sl2HG0YR+mU3S6XP5mvtfShfJL2TbXBegw4utG2GZqf
+4gKE1FQBOHtVhkruPYVIAdo0CWlDJX5uBnPguXy1nE6ctVKFMmJiJTn6AktRLt+O
+UhcCUPSZKb9+l1OREoWaaWJFWcRbP68Y5nvkhl3xnlorPhRuftRHJO/ZqOzZpsu4
+TxqG2UMgQRYVX4EN/msxU8H2hEzzA2TS5kQ9emB51zdvM97AqLlu/rJ5rLRTkrgK
+WSvMazfEb8ZEAvd8xcamb8Kt3ngeSJbM/lkuU8401ujwVkMwMpBv+Ud2q5lj4+ij
+84OY6QUr6vn5nWZwxywAwp5XPjFDUFDI26gtIU5vOcK979hHmScNSLJY8b5Fvf7E
+olb8BgLcGTOFU+04WQEWvKrF00s3VIMb5cFL3TRr5dg1hpXmn9IihLHiT6cuTeac
+69vfQuG0ZuZY0ygQNJfznGtfBSxHLON16290CuzXHTCAVkQSJvZOX/+S9GICNpxi
+6zmYU2holfuUaGm4PGYaznjEz8RvIayopvSraSouAF33ZwaxT5dYiFXYbuulmFA2
+IXA9sKT1OyGzHPWp3cZKwom4WrO8HyHOTGhfmNg5cNJ+oJDfraMT6zyT9rj02adR
+sw3q7tRXqtvKfIqgCMOYmjq3uipQkibC4xG6EmAkuVnfYqjXTaPL6kboOfmDFKhc
+RHVxa3+ZvWhY2WvRzcdFlZ5EHoU1wDArGKrrL5PVvmZdcO0dBPLBHrXsRQwE9p2I
+0wwgXlsj3zSh9eq0oUTA2tXqiei1y9z4ku6sjWHtv3QrKHkf9Jr/Y73mqnkdLCZK
+siZTV7qIDusZV8AQoB6BKsBWLsMqgb/BWudIzsFquWxBzESmuHDiVw5tQdZh2r+s
+ICynKmcjmAC6zouowkVmpwjrfwq155vW9AfVs0PNJ9T6yUCPr7I2HOdEtE7MWitz
+rY/E2Uem+yx9GoAqVbOANG+OFyeTBSFA6Y+/R2pS9S61GNGMHYMEgFX9ISjcfL7I
+wV/kQNMT5Ga/rZJOm9vBvqNCdNrDLAraP5QUrX7egcYBavd6tCVRsKvNszp3v8Nr
+BEQwc0Gtk0ln7kPRlo42gysbbOfMPtYWuYhKq1bAdgD2mmqK4+BBdZ07Rw/JCo6f
+nACSu67YQlY1ZOtZE9osY4PD7GiRtfNxhUhUw52hyGPz3l2lNKkehSwstdipYo0m
+H7Kep4NN32ljtbfl3ec7GOWzd9/FR7P3jOdehy5G44+xK5vGJi0aKDATEIZbRoex
+LRLOtv4cTkQ=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
new file mode 100644
index 0000000..7486a63
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/03.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:41 2016 GMT
+ Not After : Mar 11 23:29:41 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:be:91:64:f2:1b:2b:ed:9b:40:bc:0d:46:23:49:
+ 77:32:74:fe:cb:9a:46:86:33:1e:56:bd:c8:da:dd:
+ e6:2a:07:34:61:1c:f0:b8:71:29:24:2b:90:f3:43:
+ 99:6f:69:f6:ff:8d:b9:b7:3f:f3:36:6a:99:90:90:
+ d6:95:63:4e:88:5a:d7:41:89:7f:73:13:64:49:c7:
+ de:42:65:08:5d:ca:04:b2:68:3a:40:7f:6a:05:df:
+ 56:30:2f:ac:1b:8b:0f:c3:15:3c:38:0f:90:50:44:
+ 00:bb:59:40:f6:d2:e8:5b:73:03:0d:f6:7d:38:5d:
+ 2f:99:c3:0d:13:0f:74:d0:9e:ef:1e:92:42:c4:46:
+ 7c:dc:85:7e:e9:af:91:4e:9d:5f:82:af:58:60:18:
+ a5:ac:91:6e:dd:cf:a7:32:3c:d2:f4:e9:81:be:80:
+ 9e:0c:ca:1f:1a:be:98:c4:fe:e6:25:c1:89:fe:16:
+ 0a:30:90:d3:d4:e5:af:89:24:64:12:d0:4f:19:e2:
+ 1b:86:fb:06:a9:63:d1:47:10:89:dc:2b:52:24:dc:
+ 66:a9:56:c2:cb:f4:ec:35:12:f4:ad:5e:fc:ff:86:
+ e9:b1:f9:1f:b3:ce:44:fb:be:04:af:8d:42:9b:56:
+ a5:02:7f:c5:cf:5f:23:41:1c:69:ee:33:97:7a:81:
+ 50:8b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 30:10:6E:1F:7E:52:33:8C:C8:85:E5:92:74:5D:76:7E:E9:33:5B:36
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 53:3e:51:d2:5d:2c:69:23:5b:dd:05:1a:23:ff:39:5d:54:63:
+ e5:da:e1:4b:60:8c:09:7c:4e:8e:da:8a:bb:63:5d:bc:2d:a0:
+ d4:ce:9e:d2:ce:38:d7:32:67:ba:4a:a6:d1:1d:c4:c7:50:e8:
+ 9a:9e:44:56:1a:9c:f4:8f:b9:8e:39:84:21:db:0f:60:8a:60:
+ b4:0f:4f:3c:35:a0:d2:37:3d:88:e8:0a:18:a7:a7:2d:19:e3:
+ aa:d3:8e:18:8f:35:ef:3e:4a:95:c4:d3:9b:f4:cf:89:c2:70:
+ b9:8c:5c:ef:8a:9e:7a:56:73:13:eb:8b:b7:d9:e1:88:5b:c4:
+ 62:47:42:45:8d:7b:2d:cf:71:83:1b:48:9d:84:8f:65:66:97:
+ 61:fc:f6:30:34:e8:88:2a:34:91:48:dc:7a:b7:65:bc:9c:98:
+ 00:4c:e7:49:fe:4d:a9:56:ea:87:d6:6c:46:39:f2:98:5b:56:
+ 14:82:f2:9e:b8:ad:fd:89:36:48:87:4e:5c:ef:3f:e0:35:ff:
+ 72:5f:5b:e1:c2:fd:d9:6e:40:2b:35:ad:50:08:74:94:87:89:
+ c4:cd:c7:ab:a7:19:4e:ba:f2:1d:83:0f:b0:cf:9c:e6:df:73:
+ 36:88:cf:42:9c:a3:72:27:0f:f7:bf:5b:cc:6b:e5:20:03:b5:
+ 4a:1c:f3:7d:ae:92:43:aa:bb:13:07:a4:3a:77:3d:34:01:00:
+ f1:89:aa:e8:1b:09:7b:b8:b0:e1:54:03:ff:3d:8d:be:35:b9:
+ 13:b2:59:58:32:48:93:f8:e7:d7:3d:49:70:01:44:e6:2b:21:
+ b3:75:49:ae:44:7a:50:15:b8:65:f3:c3:48:96:df:c8:d9:2a:
+ f7:c5:2a:7e:2c:68:77:af:2d:78:1b:fc:1a:d8:f4:8b:a6:86:
+ 35:d2:f0:87:e9:d6:30:0a:76:65:f8:71:e9:80:0d:1f:16:86:
+ 89:92:81:34:d9:be:9b:41:25:ec:65:a9:0a:56:b2:03:91:54:
+ 02:21:97:99:74:61:8c:4a:2e:f4:d0:b1:8b:f1:e6:26:52:bc:
+ f6:f2:e0:bd:96:66:22:c3:4e:51:2f:c3:c4:65:65:c7:97:b5:
+ 1b:29:23:7a:c0:7b:fb:49:33:a0:a9:6a:b7:2f:f3:44:6b:5b:
+ 0c:2c:0d:75:f2:50:d5:82:ba:9a:ab:e0:89:0a:b6:b5:8a:5e:
+ 1a:67:ab:d9:a7:21:22:75:61:1e:d7:21:36:15:6a:da:a8:39:
+ 4d:95:50:2b:e6:ac:c4:f6:38:74:c9:c5:ac:ce:2f:b3:c8:d4:
+ ad:18:a7:93:d4:1a:be:c2:be:9e:39:e6:a7:b1:0e:93:d0:9e:
+ cf:b0:ac:53:7d:08:1f:9d:a5:98:2b:4e:f6:80:e4:df:ea:43:
+ a2:f9:64:bf:84:b2:ff:1c:93:36:60:74:08:4e:5b:d6:24:9a:
+ f8:ac:c7:81:f9:2a:a9:00:28:44:15:6a:31:b9:b5:08:89:c8:
+ 31:15:1e:8f:9d:2c:d0:e3:a8:32:2c:68:42:41:19:6c:43:8e:
+ 69:c0:44:01:ba:1c:c4:ea:f4:ff:c8:57:03:ba:df:3f:5e:a5:
+ 03:da:75:31:2e:07:67:a7:5c:02:55:c3:6f:8f:11:f5:8c:56:
+ a1:f7:4b:bb:46:d0:e5:ff:68:c1:77:3d:0d:35:12:f5:40:af:
+ cd:05:5c:53:74:ff:54:e0:c0:c6:10:5c:e8:33:06:0a:50:47:
+ 7e:71:3a:36:66:aa:f8:de:97:2a:ae:bf:8d:6d:d4:39:c4:fd:
+ b3:03:1d:a5:9c:47:39:8c:c0:b3:73:f8:3a:d6:34:ac:49:4f:
+ b3:87:74:11:20:8f:c0:aa:24:a7:30:20:0c:c0:d9:1c:44:ee:
+ ae:c8:b8:13:63:e5:f8:5e:8f:b0:5a:46:c5:83:3d:41:62:06:
+ e4:62:a6:0a:40:cc:8e:59:ad:8a:36:4e:20:e6:f2:32:04:6e:
+ ee:4e:7d:97:88:dc:ea:74:90:c4:ab:a8:b5:bc:6c:81:b1:64:
+ 77:a6:93:34:44:e4:60:38:b1:0c:2b:29:3a:4a:f7:17:d7:3a:
+ c8:42:7e:db:4d:5f:09:92:ae:6c:90:e1:7d:9f:96:9c:1a:82:
+ bd:45:02:76:29:62:e5:b9:14:53:01:53:c0:5a:d5:34:53:7a:
+ 25:49:3e:3d:db:19:7e:29:57:80:78:67:ea:21:3e:3d:59:36:
+ e0:8b:da:75:57:9b:c8:9d:a1:18:18:e2:5c:35:35:9e:62:2c:
+ f5:0f:c0:8f:55:16:a5:d4:9e:cd:0e:78:87:9d:53:d3:01:e1:
+ 18:61:36:1c:06:c3:3a:43:f3:8a:13:e6:4e:52:32:fd:46:21:
+ cd:62:18:1f:ae:f5:f2:1a:ea:7a:01:3b:a1:3f:1d:16:00:91:
+ 5e:94:78:f4:60:33:54:a9:fc:1c:0a:75:f9:17:aa:dd:12:91:
+ 66:4b:f0:d1:60:25:d4:06:d1:99:9c:c5:64:01:4b:ba:d9:66:
+ ba:9c:f7:68:75:fd:11:3a:eb:6e:fb:8f:a6:17:8a:cd:bc:1a:
+ 59:f9:a9:cd:33:db:7d:71:26:7d:c7:be:de:eb:2e:c0:7e:db:
+ 29:08:0e:82:63:1e:8c:8f:e6:21:1c:b1:49:13:9e:df:78:3b:
+ 68:01:17:0f:df:97:96:58:32:48:1e:5c:ff:fa:db:90:b5:05:
+ 84:68:fd:7c:c0:a5:35:d9:75:1e:ea:cc:25:25:3f:6e
+-----BEGIN CERTIFICATE-----
+MIIJGzCCBQOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5NDFaFw0zNjAzMTEyMzI5NDFaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxLjAsBgNVBAMMJWFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20xNDAyBgkqhkiG9w0BCQEWJWFkbWluaXN0cmF0b3JAYWRkb20uc2Ft
+YmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+
+kWTyGyvtm0C8DUYjSXcydP7LmkaGMx5Wvcja3eYqBzRhHPC4cSkkK5DzQ5lvafb/
+jbm3P/M2apmQkNaVY06IWtdBiX9zE2RJx95CZQhdygSyaDpAf2oF31YwL6wbiw/D
+FTw4D5BQRAC7WUD20uhbcwMN9n04XS+Zww0TD3TQnu8ekkLERnzchX7pr5FOnV+C
+r1hgGKWskW7dz6cyPNL06YG+gJ4Myh8avpjE/uYlwYn+FgowkNPU5a+JJGQS0E8Z
+4huG+wapY9FHEIncK1Ik3GapVsLL9Ow1EvStXvz/humx+R+zzkT7vgSvjUKbVqUC
+f8XPXyNBHGnuM5d6gVCLAgMBAAGjggIjMIICHzAJBgNVHRMEAjAAME8GA1UdHwRI
+MEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1z
+YW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNV
+HQ8EBAMCBeAwVQYJYIZIAYb4QgENBEgWRlNtYXJ0IENhcmQgTG9naW4gQ2VydGlm
+aWNhdGUgZm9yIGFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20w
+HQYDVR0OBBYEFDAQbh9+UjOMyIXlknRddn7pM1s2MB8GA1UdIwQYMBaAFKI+Aiqj
+p005tAhNmcwMdTbqJ8M+MGcGA1UdEQRgMF6BJWFkbWluaXN0cmF0b3JAYWRkb20u
+c2FtYmEuZXhhbXBsZS5jb22gNQYKKwYBBAGCNxQCA6AnDCVhZG1pbmlzdHJhdG9y
+QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29tMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4
+YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0GCWCGSAGG+EIBBARAFj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcDAgYKKwYBBAGCNxQCAjANBgkq
+hkiG9w0BAQsFAAOCBAEAUz5R0l0saSNb3QUaI/85XVRj5drhS2CMCXxOjtqKu2Nd
+vC2g1M6e0s441zJnukqm0R3Ex1Domp5EVhqc9I+5jjmEIdsPYIpgtA9PPDWg0jc9
+iOgKGKenLRnjqtOOGI817z5KlcTTm/TPicJwuYxc74qeelZzE+uLt9nhiFvEYkdC
+RY17Lc9xgxtInYSPZWaXYfz2MDToiCo0kUjcerdlvJyYAEznSf5NqVbqh9ZsRjny
+mFtWFILynrit/Yk2SIdOXO8/4DX/cl9b4cL92W5AKzWtUAh0lIeJxM3Hq6cZTrry
+HYMPsM+c5t9zNojPQpyjcicP979bzGvlIAO1Shzzfa6SQ6q7EwekOnc9NAEA8Ymq
+6BsJe7iw4VQD/z2NvjW5E7JZWDJIk/jn1z1JcAFE5ishs3VJrkR6UBW4ZfPDSJbf
+yNkq98Uqfixod68teBv8Gtj0i6aGNdLwh+nWMAp2Zfhx6YANHxaGiZKBNNm+m0El
+7GWpClayA5FUAiGXmXRhjEou9NCxi/HmJlK89vLgvZZmIsNOUS/DxGVlx5e1Gykj
+esB7+0kzoKlqty/zRGtbDCwNdfJQ1YK6mqvgiQq2tYpeGmer2achInVhHtchNhVq
+2qg5TZVQK+asxPY4dMnFrM4vs8jUrRink9QavsK+njnmp7EOk9Cez7CsU30IH52l
+mCtO9oDk3+pDovlkv4Sy/xyTNmB0CE5b1iSa+KzHgfkqqQAoRBVqMbm1CInIMRUe
+j50s0OOoMixoQkEZbEOOacBEAbocxOr0/8hXA7rfP16lA9p1MS4HZ6dcAlXDb48R
+9YxWofdLu0bQ5f9owXc9DTUS9UCvzQVcU3T/VODAxhBc6DMGClBHfnE6Nmaq+N6X
+Kq6/jW3UOcT9swMdpZxHOYzAs3P4OtY0rElPs4d0ESCPwKokpzAgDMDZHETursi4
+E2Pl+F6PsFpGxYM9QWIG5GKmCkDMjlmtijZOIObyMgRu7k59l4jc6nSQxKuotbxs
+gbFkd6aTNETkYDixDCspOkr3F9c6yEJ+201fCZKubJDhfZ+WnBqCvUUCdili5bkU
+UwFTwFrVNFN6JUk+PdsZfilXgHhn6iE+PVk24IvadVebyJ2hGBjiXDU1nmIs9Q/A
+j1UWpdSezQ54h51T0wHhGGE2HAbDOkPzihPmTlIy/UYhzWIYH6718hrqegE7oT8d
+FgCRXpR49GAzVKn8HAp1+Req3RKRZkvw0WAl1AbRmZzFZAFLutlmupz3aHX9ETrr
+bvuPpheKzbwaWfmpzTPbfXEmfce+3usuwH7bKQgOgmMejI/mIRyxSROe33g7aAEX
+D9+XllgySB5c//rbkLUFhGj9fMClNdl1HurMJSU/bg==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem
new file mode 100644
index 0000000..730b824
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/04.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:29 2016 GMT
+ Not After : May 29 19:30:29 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dd:c4:48:44:a5:e9:6b:b4:41:03:6a:dc:34:1f:
+ d6:41:ce:f7:cb:b2:44:a7:a3:0e:89:16:ff:0d:62:
+ 23:e0:8b:24:db:82:82:68:29:22:1b:57:44:12:c6:
+ ea:10:2d:6f:3a:4b:75:b1:2e:76:62:01:62:ff:ba:
+ 3d:67:e1:39:0d:12:38:b0:fc:b3:e5:0e:dd:77:73:
+ 2b:99:25:86:d5:15:84:08:be:b0:8b:38:d7:64:9d:
+ d6:e7:dc:4d:9a:fb:ea:17:41:bb:d1:cf:1a:b9:5b:
+ 0b:8a:e5:8c:5a:b7:2d:ab:bd:f7:c3:91:ae:26:c2:
+ e3:97:27:ea:3f:be:c9:22:af:d6:76:35:45:b0:72:
+ 86:f2:bd:bf:e2:d3:e3:e3:68:52:26:db:f0:a6:6a:
+ 0e:63:05:9b:17:6d:13:ee:c4:15:41:96:27:06:90:
+ fd:10:b5:f9:6c:74:be:b0:a8:bb:70:f7:a2:25:da:
+ f7:f1:91:c2:69:6c:40:c4:63:e8:06:83:e0:1d:b7:
+ 2b:29:d3:75:d1:df:c1:d2:90:af:b9:81:47:78:f3:
+ f1:1a:c9:20:e3:1b:6f:e4:fd:2e:0b:65:a7:6f:b1:
+ b2:a0:d3:e3:d2:2f:2b:ef:fd:01:5b:27:e7:1b:c1:
+ 0e:bc:bd:f0:7b:b2:34:a9:9b:4d:2c:c8:65:33:c8:
+ 33:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@samba.example.com
+ X509v3 Subject Key Identifier:
+ E9:67:66:B8:3D:F1:39:AB:1A:4D:00:9D:EC:CE:FF:4B:50:D8:5D:A2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 88:3e:f3:98:08:ef:cd:53:3a:07:d5:1c:fd:26:7c:f1:96:2e:
+ b9:06:87:f2:5b:e2:be:d1:04:6e:38:59:14:49:9d:46:ef:7e:
+ 6c:08:02:3e:18:09:09:61:a8:1d:a9:da:59:40:58:5f:d2:ca:
+ 4f:76:0e:7e:01:db:05:03:fb:78:c7:89:86:aa:1b:dc:02:bb:
+ 86:a5:02:7c:01:54:dd:ad:e0:43:c5:d9:ec:86:c2:47:b5:5a:
+ 1c:8c:06:0e:fe:11:ad:a5:57:37:f5:0a:35:65:a4:f2:27:14:
+ 2f:bf:53:48:66:e1:da:b9:58:95:a2:d1:95:9c:ae:0a:ca:29:
+ a6:ef:7a:58:74:86:40:ea:2a:c6:18:9f:1a:d9:70:e2:a8:aa:
+ 8d:f1:22:bf:b6:e4:61:d4:21:ee:bf:17:e1:aa:d1:cf:0b:35:
+ 82:c7:3f:a1:be:d1:a5:bd:4e:04:0d:cf:11:2d:d6:0c:7e:47:
+ 5c:5e:84:d2:10:60:7e:97:d7:52:be:a1:cd:2d:85:da:b2:dd:
+ 68:88:12:a4:88:5f:16:0c:ae:6f:60:7f:da:58:5f:91:bd:8d:
+ 15:20:c2:74:94:0b:93:65:80:7c:77:15:a2:70:bb:98:be:41:
+ 1a:2e:c5:78:52:64:e7:44:03:3f:64:97:10:a9:1b:17:f3:79:
+ f9:51:0c:4c:58:e7:03:e7:bb:fd:34:ff:c0:4a:ad:b1:7a:ba:
+ 97:3c:f8:e0:9e:30:3d:e7:5f:be:ac:6a:b3:c1:1e:50:7c:cd:
+ ce:18:bd:96:73:fb:9c:90:e7:ae:e0:be:c5:65:29:9a:1c:da:
+ c3:64:2a:99:dc:93:61:32:9a:70:1a:45:83:72:38:0f:57:de:
+ 0d:f5:64:71:97:de:b5:64:99:43:30:6d:3f:25:82:b5:3e:a1:
+ ba:39:d2:fc:b8:df:7e:57:da:fc:be:c2:84:2e:99:41:52:a2:
+ 18:f4:99:c7:e2:b9:af:2a:84:32:5c:cb:ba:26:86:6b:8e:58:
+ 30:d8:4f:5b:60:34:fd:30:de:c5:a0:7a:8c:e7:34:2b:bc:81:
+ 6d:4c:a8:b5:ba:b5:52:b9:42:e5:d8:7e:be:31:a3:8e:b0:c3:
+ f6:16:28:92:e7:9d:3f:c8:cf:a0:4a:b0:3a:ae:75:59:ab:19:
+ 91:e4:2e:76:57:3f:58:88:5f:2e:7b:c5:8f:11:25:0f:cd:8f:
+ e3:91:80:2f:d4:7b:5a:80:c3:c9:7c:0a:aa:01:bf:5c:8c:0e:
+ 57:84:bf:72:ad:7b:0a:b9:95:27:0f:aa:9b:96:08:8e:bb:63:
+ 56:5a:1d:ad:0c:5b:1c:04:38:ae:2b:88:d4:d1:68:20:f2:a0:
+ 9b:77:9c:95:db:17:cb:cf:79:4a:13:66:c9:34:36:f6:c6:f9:
+ 8b:4b:92:5e:59:a3:5d:75:4e:fa:f2:fa:d5:d9:66:80:82:a4:
+ 8d:e2:d8:b6:ed:c5:a3:ca:a2:70:64:9c:b9:1c:49:b2:2f:46:
+ b3:13:3b:88:a7:5a:8e:22:b7:90:f5:74:27:21:06:a4:94:bb:
+ b1:cb:e7:e4:92:f0:e9:80:15:94:82:1a:97:34:d0:cf:aa:37:
+ b1:27:a5:38:39:7c:8d:ba:a1:12:dd:30:48:44:90:0c:35:0f:
+ cc:e6:13:e7:c9:06:36:1d:b0:c9:be:28:0f:47:1c:b0:47:a3:
+ 20:d1:bb:a1:85:1a:80:c2:9b:70:61:9f:a7:82:46:3c:80:28:
+ 0c:17:f6:fc:75:83:be:ff:5c:da:bc:be:2c:65:a6:c0:fc:c1:
+ 32:ae:9a:bf:d1:7c:fb:b3:26:3b:77:03:fe:a9:e9:ae:4c:72:
+ 58:a9:6e:ce:ad:c0:1f:30:b2:06:32:65:af:5f:db:3d:2b:ab:
+ c5:46:5c:0a:df:50:b5:7e:31:c8:b0:7e:50:e2:aa:d8:01:8e:
+ ea:e7:3c:8b:90:73:de:77:9f:47:ea:af:16:0d:a5:c0:89:6f:
+ 86:a4:84:f7:1f:03:fd:7d:f8:a8:7d:9c:9a:f1:13:c8:d5:5b:
+ 9c:2f:71:c1:c0:c2:17:89:39:6d:28:2d:20:31:ca:60:cf:7f:
+ 78:42:5c:a3:28:76:19:a8:ca:e6:07:22:6d:7f:04:b1:20:ab:
+ 70:40:33:e9:a3:fa:da:b5:7c:ee:70:0b:c6:a2:6a:90:1a:10:
+ fe:8a:9b:56:5c:44:85:f1:b4:41:67:0b:c1:a3:68:2f:ff:b1:
+ 48:f3:38:4b:28:4e:52:36:0c:9b:37:aa:7e:82:63:c3:61:33:
+ a9:05:b3:af:13:07:b3:9e:4d:4c:3c:c4:47:34:ce:f3:6e:55:
+ 69:d7:af:dc:e4:82:34:9b:fe:cc:d9:db:1f:08:3e:3c:3a:9b:
+ ac:a7:7e:61:3f:5f:01:0c:d8:f3:63:31:31:07:e2:05:84:30:
+ 65:f4:b0:a6:cc:ad:63:fe:06:db:d7:e9:2f:9d:db:2c:64:af:
+ d6:d1:cc:9e:c3:11:09:ad:7d:e2:06:6d:21:ad:a5:4f:a6:87:
+ 9b:ee:db:6c:e9:69:a7:6a:eb:93:67:e2:e9:6f:23:f8:2e:95:
+ 78:5f:a8:66:ae:7e:2c:5e:6b:07:3e:02:ad:20:af:61:9c:0e:
+ 1d:c6:7a:31:5a:33:bd:61:1a:67:5b:a9:42:3c:17:67:f8:dd:
+ 80:e3:ab:62:a0:42:53:33:1f:f7:79:ea:32:d1:26:dd:bb:c6:
+ 26:aa:2c:ac:16:7e:24:b4:ae:7d:ce:77:e8:5f:2d:97
+-----BEGIN CERTIFICATE-----
+MIII2jCCBMKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwMjlaFw0zNjA1MjkxOTMwMjlaMIGZMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxITAfBgNVBAMMGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTEnMCUG
+CSqGSIb3DQEJARYYcGtpbml0QHNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/
+DWIj4Isk24KCaCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3Mr
+mSWG1RWECL6wizjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfq
+P77JIq/WdjVFsHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+
+sKi7cPeiJdr38ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0u
+C2Wnb7GyoNPj0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABo4IB/DCC
+AfgwCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8vd3d3LnNhbWJh
+LmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAR
+BglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMEgGCWCGSAGG+EIBDQQ7FjlT
+bWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2luaXRAc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFOlnZrg98TmrGk0AnezO/0tQ2F2iMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+ME0GA1UdEQRGMESBGHBraW5pdEBzYW1i
+YS5leGFtcGxlLmNvbaAoBgorBgEEAYI3FAIDoBoMGHBraW5pdEBzYW1iYS5leGFt
+cGxlLmNvbTAxBgNVHRIEKjAogSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5l
+eGFtcGxlLmNvbTBNBglghkgBhvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFt
+cGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0l
+BBgwFgYIKwYBBQUHAwIGCisGAQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAIg+
+85gI781TOgfVHP0mfPGWLrkGh/Jb4r7RBG44WRRJnUbvfmwIAj4YCQlhqB2p2llA
+WF/Syk92Dn4B2wUD+3jHiYaqG9wCu4alAnwBVN2t4EPF2eyGwke1WhyMBg7+Ea2l
+Vzf1CjVlpPInFC+/U0hm4dq5WJWi0ZWcrgrKKabvelh0hkDqKsYYnxrZcOKoqo3x
+Ir+25GHUIe6/F+Gq0c8LNYLHP6G+0aW9TgQNzxEt1gx+R1xehNIQYH6X11K+oc0t
+hdqy3WiIEqSIXxYMrm9gf9pYX5G9jRUgwnSUC5NlgHx3FaJwu5i+QRouxXhSZOdE
+Az9klxCpGxfzeflRDExY5wPnu/00/8BKrbF6upc8+OCeMD3nX76sarPBHlB8zc4Y
+vZZz+5yQ567gvsVlKZoc2sNkKpnck2EymnAaRYNyOA9X3g31ZHGX3rVkmUMwbT8l
+grU+obo50vy4335X2vy+woQumUFSohj0mcfiua8qhDJcy7omhmuOWDDYT1tgNP0w
+3sWgeoznNCu8gW1MqLW6tVK5QuXYfr4xo46ww/YWKJLnnT/Iz6BKsDqudVmrGZHk
+LnZXP1iIXy57xY8RJQ/Nj+ORgC/Ue1qAw8l8CqoBv1yMDleEv3Ktewq5lScPqpuW
+CI67Y1ZaHa0MWxwEOK4riNTRaCDyoJt3nJXbF8vPeUoTZsk0NvbG+YtLkl5Zo111
+Tvry+tXZZoCCpI3i2LbtxaPKonBknLkcSbIvRrMTO4inWo4it5D1dCchBqSUu7HL
+5+SS8OmAFZSCGpc00M+qN7EnpTg5fI26oRLdMEhEkAw1D8zmE+fJBjYdsMm+KA9H
+HLBHoyDRu6GFGoDCm3Bhn6eCRjyAKAwX9vx1g77/XNq8vixlpsD8wTKumr/RfPuz
+Jjt3A/6p6a5Mclipbs6twB8wsgYyZa9f2z0rq8VGXArfULV+MciwflDiqtgBjurn
+PIuQc953n0fqrxYNpcCJb4akhPcfA/19+Kh9nJrxE8jVW5wvccHAwheJOW0oLSAx
+ymDPf3hCXKModhmoyuYHIm1/BLEgq3BAM+mj+tq1fO5wC8aiapAaEP6Km1ZcRIXx
+tEFnC8GjaC//sUjzOEsoTlI2DJs3qn6CY8NhM6kFs68TB7OeTUw8xEc0zvNuVWnX
+r9zkgjSb/szZ2x8IPjw6m6ynfmE/XwEM2PNjMTEH4gWEMGX0sKbMrWP+BtvX6S+d
+2yxkr9bRzJ7DEQmtfeIGbSGtpU+mh5vu22zpaadq65Nn4ulvI/gulXhfqGaufixe
+awc+Aq0gr2GcDh3GejFaM71hGmdbqUI8F2f43YDjq2KgQlMzH/d56jLRJt27xiaq
+LKwWfiS0rn3Od+hfLZc=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem
new file mode 100644
index 0000000..997dfd3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/05.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:47 2016 GMT
+ Not After : May 29 19:30:47 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b3:a4:e8:bd:c8:4f:6a:71:c6:15:a8:dd:00:d6:
+ 61:74:00:e4:8f:b5:c4:0e:98:d9:51:aa:aa:4f:c7:
+ 8c:f9:6c:37:5c:60:55:da:7c:55:9c:d3:cd:e2:f1:
+ ed:51:39:25:d5:fa:69:7e:a7:67:9c:a9:61:1b:5c:
+ 73:50:d0:6f:ba:ce:3a:df:fe:ae:95:95:8e:97:ab:
+ c6:bb:6a:c3:60:0b:ca:c2:9c:31:ff:c6:2f:52:bb:
+ cb:2f:f6:2c:4d:be:20:e1:16:49:d3:22:36:66:4f:
+ 5c:c4:30:12:07:34:8b:00:4e:5b:51:7d:40:35:81:
+ dc:5c:0e:af:be:78:63:80:69:67:87:53:97:d0:3f:
+ d7:66:8d:26:8a:0a:24:95:f9:db:dd:93:0e:48:54:
+ c8:30:e4:77:0d:65:ef:a4:6a:de:29:91:77:97:40:
+ 5c:2e:ed:35:5e:b9:0f:37:ad:d9:70:76:99:77:45:
+ 8c:4a:65:63:13:72:d5:c4:53:37:57:85:0a:6d:74:
+ 30:8c:69:7f:83:f0:7f:f5:67:05:79:80:27:d4:38:
+ 6d:49:2f:8d:2a:97:2e:33:1f:d0:e0:c1:76:1b:bf:
+ bf:b1:75:8a:c9:b1:3f:3f:f2:4e:c5:b0:68:5e:76:
+ 8a:7e:9c:57:b2:ec:3d:18:83:e2:65:d5:30:5e:b5:
+ f4:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3E:81:65:A1:E3:7E:18:BE:80:FE:15:93:CC:20:15:FD:08:D4:A4:3D
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 7b:47:4c:55:7c:77:8b:8f:ca:23:3e:51:6a:51:c1:49:44:0d:
+ 72:56:27:79:f7:54:48:ef:74:37:5e:2a:33:68:dc:04:8a:de:
+ b2:8e:7b:26:6f:67:f5:bc:0a:e1:ec:74:12:86:5a:6b:56:7d:
+ 75:24:d0:df:c7:1e:c4:28:e8:a5:c0:e5:3a:a0:74:f8:95:70:
+ 61:44:a1:9c:e3:54:d8:cf:1b:e2:2f:35:d3:ca:1a:5f:07:e9:
+ ce:fe:79:e1:20:ac:9e:94:74:a5:80:2e:38:75:bc:bc:d7:2d:
+ e0:54:c1:17:9a:8e:07:42:7e:5f:2e:17:93:63:ab:ae:ed:c6:
+ 29:0f:91:c8:8a:99:ad:21:5b:52:a7:dd:0c:2f:32:dc:0d:36:
+ 9c:98:02:aa:eb:8f:2d:3a:86:1a:cf:f8:f5:da:0b:70:7e:14:
+ 9c:79:bc:8a:6c:c7:06:8d:3e:3b:26:2a:50:a1:05:ca:47:79:
+ d1:ba:55:06:cd:d2:3a:10:27:8d:cb:ee:b4:f7:90:ff:f2:fb:
+ 67:f0:73:0b:4f:51:5e:0b:8d:e4:94:cb:da:56:2d:18:91:b8:
+ 51:0f:ee:48:99:cc:ae:8b:6b:ac:d8:38:1e:5e:5e:d9:1a:29:
+ 52:04:52:49:49:30:60:3b:fa:4e:c9:0c:a0:67:20:e1:4a:9f:
+ 84:44:c8:ca:35:d5:28:a6:06:7e:dc:c3:81:8d:40:12:3d:ae:
+ 0d:51:42:5a:16:92:78:2e:70:0b:ba:7f:8e:52:b7:2e:a8:f1:
+ 72:32:ba:6f:30:92:1e:40:0f:bf:09:14:5b:63:c6:1d:b3:ac:
+ eb:e7:69:f0:1b:3c:b8:4a:ec:a2:22:e2:58:ad:ef:22:77:9c:
+ e2:51:ec:38:bf:47:d8:1e:43:77:61:3d:60:54:c7:ba:6a:be:
+ 87:ea:f7:9e:46:74:90:70:c3:d9:74:21:be:90:78:12:2f:30:
+ d2:56:3b:9a:24:27:17:1b:d0:8c:49:e7:65:a8:d2:d9:0f:f8:
+ e9:5e:51:8c:97:cf:90:37:e5:ad:dc:88:ac:c1:54:57:7a:9a:
+ f4:5a:80:25:85:7c:d0:b7:17:03:8c:b3:43:20:59:c7:f3:68:
+ 72:f5:53:75:df:a0:00:12:f0:28:d5:dc:70:ec:9e:c2:33:bd:
+ 73:e9:8c:62:b8:2f:0d:55:a3:3d:d2:21:59:4f:3a:d7:50:aa:
+ 43:72:25:05:a0:2f:e0:f1:79:59:2a:57:e6:b9:91:21:b9:9f:
+ 07:f9:49:fc:d7:97:f7:be:a7:81:69:ac:6c:9a:7c:25:5e:6b:
+ 48:37:90:89:ac:37:02:b5:be:41:01:56:93:71:f4:e9:75:3c:
+ aa:0a:9b:d6:a3:09:64:51:30:d7:2c:1a:dd:bc:83:2e:45:b5:
+ 90:a5:ad:16:ba:18:56:1c:88:73:b5:ee:77:6d:65:3e:11:dc:
+ 36:45:6a:08:99:5d:24:86:93:da:45:95:2a:de:80:96:2e:db:
+ d7:87:b3:f1:70:3c:b5:56:eb:ca:62:dc:3c:49:84:3c:f8:6d:
+ d9:44:e0:81:33:5e:f7:22:27:8b:09:05:12:a6:c1:79:56:c7:
+ 7f:e2:80:d6:ab:4d:e5:1a:ff:ae:9a:fd:3b:7b:aa:15:ca:10:
+ c2:6a:98:c4:70:63:6e:7d:94:8e:87:0a:24:bd:b1:59:85:67:
+ 5b:e8:2e:ff:d7:43:8c:46:06:1a:a8:ba:72:e7:0d:ef:5f:6c:
+ 2d:5c:14:56:ad:5d:56:a5:21:09:7b:16:44:4a:74:9d:1a:03:
+ aa:1a:41:29:e5:78:e4:7c:9e:53:18:61:d8:5a:d1:e8:a8:0e:
+ f4:d3:40:d6:6b:cd:c9:e4:a3:3d:51:54:c3:d6:09:4c:48:9e:
+ 34:2a:23:ad:83:ab:9a:99:c2:bf:7b:85:98:d7:b6:21:fc:c4:
+ 17:6c:56:46:95:98:da:e8:6c:f3:67:4e:33:fc:68:b8:af:86:
+ 07:8b:8e:f3:16:2c:ec:82:e7:b8:47:64:5c:f5:bd:37:75:b5:
+ 94:d3:09:3c:3d:6a:6d:47:81:e0:1b:df:5e:d7:6c:92:7d:23:
+ 91:3e:29:06:21:5b:52:62:47:87:e8:7e:20:ab:fa:cb:3f:9e:
+ ab:7e:55:7e:d2:76:7d:3e:ce:49:f5:ad:a1:f8:13:ba:9a:d6:
+ 54:bb:e9:f0:e0:a6:77:27:95:33:84:48:ff:29:87:fc:65:94:
+ d4:56:44:88:fc:40:0a:64:32:15:13:36:bf:fb:10:65:35:94:
+ 66:ad:d7:e4:16:08:c5:8b:2f:c7:a1:14:99:60:69:66:39:3f:
+ 8d:f3:d3:46:ae:c9:ad:85:94:9b:06:6f:7e:f9:84:b4:e7:fb:
+ 7c:79:1b:75:00:f7:10:19:86:57:48:ea:d5:24:eb:f5:d6:42:
+ 43:73:36:db:9a:15:73:01:75:db:e5:4f:d0:68:3a:3b:35:ce:
+ 19:ab:08:e8:75:c4:7d:b0:d8:c9:64:f9:de:e4:ae:df:a5:24:
+ 19:dd:b8:d1:88:40:48:2a:13:6c:ad:72:23:46:45:2c:78:0c:
+ d4:68:15:11:7f:e2:47:2d:ce:d0:ce:ae:43:8b:08:af:42:12:
+ 85:6f:4d:8b:39:e0:a1:d9:65:08:b1:dc:00:e2:e8:f0:e1:f6:
+ 8f:21:8e:81:cd:de:8a:d0:92:58:22:d0:b0:29:fa:f8:98:6f:
+ c6:e0:68:37:b4:57:90:c2:c4:7c:38:64:51:d7:61:5a
+-----BEGIN CERTIFICATE-----
+MIII+DCCBOCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwNDdaFw0zNjA1MjkxOTMwNDdaMIGlMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxJzAlBgNVBAMMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNv
+bTEtMCsGCSqGSIb3DQEJARYecGtpbml0QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6TovchPanHGFajdANZh
+dADkj7XEDpjZUaqqT8eM+Ww3XGBV2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBv
+us463/6ulZWOl6vGu2rDYAvKwpwx/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSL
+AE5bUX1ANYHcXA6vvnhjgGlnh1OX0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGre
+KZF3l0BcLu01XrkPN63ZcHaZd0WMSmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn
+1DhtSS+NKpcuMx/Q4MF2G7+/sXWKybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0
+xwIDAQABo4ICDjCCAgowCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgME4GCWCG
+SAGG+EIBDQRBFj9TbWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2lu
+aXRAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFD6BZaHjfhi+gP4V
+k8wgFf0I1KQ9MB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFkGA1Ud
+EQRSMFCBHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbaAuBgorBgEEAYI3
+FAIDoCAMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbTAxBgNVHRIEKjAo
+gSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTBNBglghkgB
+hvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNh
+bWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0lBBgwFgYIKwYBBQUHAwIGCisG
+AQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAHtHTFV8d4uPyiM+UWpRwUlEDXJW
+J3n3VEjvdDdeKjNo3ASK3rKOeyZvZ/W8CuHsdBKGWmtWfXUk0N/HHsQo6KXA5Tqg
+dPiVcGFEoZzjVNjPG+IvNdPKGl8H6c7+eeEgrJ6UdKWALjh1vLzXLeBUwReajgdC
+fl8uF5Njq67txikPkciKma0hW1Kn3QwvMtwNNpyYAqrrjy06hhrP+PXaC3B+FJx5
+vIpsxwaNPjsmKlChBcpHedG6VQbN0joQJ43L7rT3kP/y+2fwcwtPUV4LjeSUy9pW
+LRiRuFEP7kiZzK6La6zYOB5eXtkaKVIEUklJMGA7+k7JDKBnIOFKn4REyMo11Sim
+Bn7cw4GNQBI9rg1RQloWkngucAu6f45Sty6o8XIyum8wkh5AD78JFFtjxh2zrOvn
+afAbPLhK7KIi4lit7yJ3nOJR7Di/R9geQ3dhPWBUx7pqvofq955GdJBww9l0Ib6Q
+eBIvMNJWO5okJxcb0IxJ52Wo0tkP+OleUYyXz5A35a3ciKzBVFd6mvRagCWFfNC3
+FwOMs0MgWcfzaHL1U3XfoAAS8CjV3HDsnsIzvXPpjGK4Lw1Voz3SIVlPOtdQqkNy
+JQWgL+DxeVkqV+a5kSG5nwf5SfzXl/e+p4FprGyafCVea0g3kImsNwK1vkEBVpNx
+9Ol1PKoKm9ajCWRRMNcsGt28gy5FtZClrRa6GFYciHO17ndtZT4R3DZFagiZXSSG
+k9pFlSregJYu29eHs/FwPLVW68pi3DxJhDz4bdlE4IEzXvciJ4sJBRKmwXlWx3/i
+gNarTeUa/66a/Tt7qhXKEMJqmMRwY259lI6HCiS9sVmFZ1voLv/XQ4xGBhqounLn
+De9fbC1cFFatXValIQl7FkRKdJ0aA6oaQSnleOR8nlMYYdha0eioDvTTQNZrzcnk
+oz1RVMPWCUxInjQqI62Dq5qZwr97hZjXtiH8xBdsVkaVmNrobPNnTjP8aLivhgeL
+jvMWLOyC57hHZFz1vTd1tZTTCTw9am1HgeAb317XbJJ9I5E+KQYhW1JiR4fofiCr
++ss/nqt+VX7Sdn0+zkn1raH4E7qa1lS76fDgpncnlTOESP8ph/xllNRWRIj8QApk
+MhUTNr/7EGU1lGat1+QWCMWLL8ehFJlgaWY5P43z00auya2FlJsGb375hLTn+3x5
+G3UA9xAZhldI6tUk6/XWQkNzNtuaFXMBddvlT9BoOjs1zhmrCOh1xH2w2Mlk+d7k
+rt+lJBnduNGIQEgqE2ytciNGRSx4DNRoFRF/4kctztDOrkOLCK9CEoVvTYs54KHZ
+ZQix3ADi6PDh9o8hjoHN3orQklgi0LAp+viYb8bgaDe0V5DCxHw4ZFHXYVo=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/06.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/06.pem
new file mode 100644
index 0000000..6b25079
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/06.pem
@@ -0,0 +1,191 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:30:28 2020 GMT
+ Not After : Feb 23 13:30:28 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Domain Controllers, CN=addcsmb1.addom2.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (4096 bit)
+ Modulus:
+ 00:de:fe:5d:7a:30:99:bb:1e:11:56:ac:b0:d4:01:
+ 50:30:83:e1:71:0f:aa:3e:1a:b4:f7:9d:ea:93:69:
+ fc:be:51:19:4c:37:f7:a3:b3:3c:90:13:62:63:14:
+ 9d:b8:54:66:17:65:4a:67:8e:ce:96:7f:4d:c2:c6:
+ 6e:fd:3c:ae:bb:e2:5b:6c:ee:51:7b:db:37:17:94:
+ 99:02:3a:2f:a9:cb:d0:23:29:b7:43:33:08:fc:3f:
+ 15:3b:ed:3c:eb:69:5b:95:45:18:1e:85:5e:aa:31:
+ b6:3e:18:c8:2f:3a:48:2d:cc:c6:69:28:b6:5c:ac:
+ 24:03:b1:83:e8:e6:96:a7:06:6d:fe:73:13:04:d2:
+ 18:0f:d4:72:f7:88:22:40:5b:ab:68:a4:89:e2:3d:
+ c0:ca:e5:a7:ae:b6:f8:ea:8a:8c:39:9c:6d:1b:89:
+ ab:72:2c:04:27:40:7e:f5:d3:3f:5d:d8:0d:71:67:
+ 65:1d:e3:3d:65:b0:97:7f:14:ad:92:43:2f:3f:04:
+ ab:1e:31:52:07:7f:df:48:ac:9a:c0:28:d1:ab:eb:
+ f2:79:b3:d2:44:5f:e8:2d:92:d7:d8:be:03:fe:db:
+ 55:2b:4b:f8:9c:b4:ce:02:78:07:72:0f:d5:32:cd:
+ 01:1e:3d:b2:6e:25:29:fa:09:49:49:ab:ed:dc:2b:
+ 10:c5:3d:19:3c:c4:1e:da:ee:95:c2:ff:f8:50:b4:
+ f7:47:9a:a4:7d:1c:9a:8d:77:da:b6:a2:e6:4f:cd:
+ 80:b9:b1:f2:1d:dc:90:60:37:6f:39:5e:a6:03:e2:
+ 8b:44:d7:a4:45:fd:7e:4f:43:14:f0:68:0d:e6:84:
+ 8f:21:20:53:f6:b4:67:bd:fc:5d:f4:48:2a:95:1d:
+ 7d:79:ba:a1:ee:b8:f0:83:83:7f:ab:b1:eb:38:4e:
+ 3c:4b:8a:93:80:15:63:4c:43:1d:81:4b:c1:e6:d5:
+ b0:9f:6c:49:9d:04:92:66:6c:9f:7c:d3:62:50:72:
+ fc:77:65:87:39:d9:d0:ef:5e:53:49:32:4a:d3:1b:
+ 4a:88:45:f0:0f:a2:5e:33:29:bd:ab:3d:6b:3d:23:
+ bc:c6:9c:9d:98:9c:9d:8d:cc:32:3e:e1:8c:98:19:
+ 1c:44:ee:17:43:b3:b0:47:a5:fe:15:49:aa:5a:b7:
+ 76:43:4c:df:9a:e8:33:3d:52:e8:6c:2c:dd:3e:d8:
+ a9:e9:2d:36:c2:3a:43:75:b2:bc:d5:bd:81:8b:fc:
+ 63:37:61:88:24:bb:76:35:19:00:44:7a:3e:30:a8:
+ 9e:8f:df:74:14:09:0b:f5:8b:c9:b0:ed:be:d0:cf:
+ c0:7f:61:41:07:f8:6c:7d:0a:05:96:4f:6e:5f:cc:
+ 40:f3:f5
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Server
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Domain Controller Certificate addcsmb1.addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 5B:85:11:27:BF:F7:A6:2B:8F:51:93:D8:29:4E:0E:A2:67:AA:9D:80
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ DNS:addcsmb1.addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, TLS Web Server Authentication, msKDC
+ Signature Algorithm: sha256WithRSAEncryption
+ 73:de:7a:35:bc:15:ac:32:44:5b:98:60:64:12:af:ea:42:46:
+ 7d:fb:b2:88:b3:47:61:c3:0b:6d:d1:68:92:3d:44:cd:37:86:
+ da:10:d2:18:db:19:29:03:31:1a:26:cd:70:d1:ec:13:ac:59:
+ 84:cd:be:9f:2b:c6:2d:10:aa:4b:4d:78:39:d3:6b:e1:4d:e8:
+ 10:a0:3e:97:d3:1c:19:11:e4:0f:26:7f:96:d7:26:17:23:02:
+ d9:4b:47:0c:af:c7:ef:28:ae:1c:28:e5:d2:7a:61:46:70:3b:
+ 49:5e:d0:65:54:4c:ae:14:27:c0:e4:17:41:2c:1a:42:0d:86:
+ 6c:37:48:65:80:02:21:b3:2b:1f:4f:34:a5:ce:7b:b0:fe:06:
+ a6:fe:c5:1b:ca:e5:e6:7e:d5:dc:01:d2:50:c4:f8:5e:73:6c:
+ 2c:56:81:d0:a4:73:bf:82:cb:d8:76:ca:7e:44:99:3a:5f:a9:
+ 97:89:a8:5c:5b:1b:38:0d:4d:cb:02:49:69:82:13:68:a6:be:
+ 4b:a3:57:a6:a6:e3:f0:dc:ad:1c:30:00:bf:ed:15:ca:c3:3d:
+ 5c:7b:dc:6d:e6:cb:bb:bc:a1:22:e7:32:95:e0:0f:6a:ab:40:
+ 0c:43:ed:f3:98:63:7c:2f:15:63:49:4e:5c:82:65:13:f2:53:
+ 26:d7:4c:c6:f8:7e:fa:bc:a8:22:44:f1:fb:a6:bb:27:64:ec:
+ 94:28:19:4a:af:09:7e:01:8e:9d:3e:43:e5:79:fd:16:ed:24:
+ b4:ab:58:02:e2:9e:f8:a1:b0:45:25:6d:2f:be:bb:88:90:c7:
+ d8:45:31:48:65:26:33:86:cc:46:69:53:6b:f1:d6:35:df:b1:
+ 39:ed:81:e1:23:f1:01:de:99:10:11:f0:3f:4d:5d:d3:8a:0c:
+ 44:78:f6:27:4a:32:1d:ab:0c:63:d0:71:25:62:67:f5:0c:7e:
+ 2c:7c:a4:ec:8d:de:00:6d:5f:69:5d:bf:e6:c7:59:75:87:5e:
+ 2c:12:dc:a5:1b:dd:c1:7a:c9:56:63:6a:3b:c6:9a:b7:fc:15:
+ 01:53:4d:c8:ca:c7:c8:81:50:a0:65:43:33:fb:aa:55:64:a0:
+ c3:2e:e2:f9:08:64:e5:75:ab:98:b3:38:ba:8d:53:e8:08:47:
+ ef:cf:a9:f2:16:25:1b:20:78:2d:6f:f5:83:ee:35:d4:b5:c5:
+ d6:d7:81:17:bf:9c:45:43:d1:88:74:22:1a:32:b2:45:73:a2:
+ 28:d4:da:ff:85:f9:75:1c:4f:84:6a:a5:1a:41:eb:8b:e0:1d:
+ 49:69:07:2f:5b:5e:e3:7b:00:f8:4b:67:5b:42:d7:51:de:1c:
+ 18:89:2f:f8:36:e7:b5:a3:6c:39:e3:88:dc:5d:7f:2f:d9:52:
+ b6:6b:9c:e9:1d:df:d0:18:68:25:70:7e:71:fb:b3:40:28:75:
+ e9:24:38:6f:70:5b:1a:f9:bf:e9:43:bd:4b:51:e3:df:e3:25:
+ 11:ae:30:4e:7e:55:58:43:b3:65:05:11:2d:0e:a4:3c:b8:8a:
+ 0c:f9:93:ab:27:28:c0:b2:17:76:52:9b:18:82:b7:fd:a6:4f:
+ 6e:a1:74:2b:19:59:ac:b1:d8:5e:fb:f3:69:37:16:59:01:4c:
+ fa:a9:57:52:04:d4:45:8f:10:08:8a:ab:88:aa:96:46:9a:aa:
+ 94:b5:c6:bf:e9:9e:9a:cd:40:f3:2a:ed:23:ff:a6:f7:9b:18:
+ 02:d9:ab:76:96:ac:15:6f:04:5d:92:d2:49:4c:4b:62:da:3d:
+ 2a:a4:59:22:1a:75:cd:6e:fb:62:50:da:ae:9d:28:7d:4d:32:
+ 2f:d8:cd:37:67:f9:1d:c1:d5:76:40:ba:34:f6:8c:92:5b:c0:
+ 65:f6:3c:90:6c:5b:67:09:0d:d3:14:90:38:03:82:06:c3:b7:
+ 85:74:7f:15:f4:5b:de:66:5f:71:a9:f1:ed:15:9b:a0:72:ee:
+ 05:d7:b3:92:30:65:2e:82:90:21:fe:f0:07:34:11:d3:87:41:
+ f4:35:04:0c:b4:28:f5:73:b8:d5:0e:e3:2a:53:ab:9a:3f:4d:
+ 59:f9:18:68:f0:31:90:1d:d6:25:c6:8b:33:e8:dc:06:93:7b:
+ cb:01:de:8b:1e:87:5a:26:a0:0d:5e:f6:6a:36:43:54:53:6d:
+ 87:10:ca:a8:15:1a:4a:37:95:a5:67:93:74:ba:c3:59:9b:f8:
+ b5:ab:10:98:fc:ff:d6:d2:61:17:5d:90:7e:b1:2a:16:ec:d5:
+ da:80:67:02:13:41:d7:bc:a2:af:0b:54:08:b3:2e:1b:05:50:
+ 80:f6:c7:9a:8c:ac:89:49:4a:f4:4b:71:73:bc:e7:8c:6f:0c:
+ 70:62:73:3d:ed:07:14:35:f0:15:0c:bb:d8:c3:f6:19:43:b7:
+ 45:a5:33:80:17:1f:c3:39:28:3d:6a:7c:d6:e0:37:66:58:bd:
+ e8:64:2c:ad:b7:e0:25:f5:41:ac:ae:cb:ca:c1:eb:5b:8b:e1:
+ 3d:1e:cc:09:63:d6:6c:c8:eb:b8:ae:6f:4b:02:98:4a:2a:1a:
+ 94:26:e7:a3:23:7c:e9:e5:02:e0:1f:f5:88:f9:14:74:81:01:
+ 1d:cd:7e:46:35:7c:1d:e3:64:60:88:a4:ed:86:06:0e:af:3a:
+ 2b:1d:f8:45:fe:53:8e:56:89:95:98:ff:2c:8a:fb:3a:7a:0c:
+ 46:6a:3d:32:78:ad:58:69:ba:3b:d5:95:51:55:f3:72
+-----BEGIN CERTIFICATE-----
+MIIKAzCCBeugAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMwMjhaFw00MDAyMjMxMzMwMjhaMIG9MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEbMBkGA1UE
+CwwSRG9tYWluIENvbnRyb2xsZXJzMSowKAYDVQQDDCFhZGRjc21iMS5hZGRvbTIu
+c2FtYmEuZXhhbXBsZS5jb20xNTAzBgkqhkiG9w0BCQEWJmNhLXNhbWJhLmV4YW1w
+bGUuY29tQHNhbWJhLmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEA3v5dejCZux4RVqyw1AFQMIPhcQ+qPhq0953qk2n8vlEZTDf3o7M8
+kBNiYxSduFRmF2VKZ47Oln9NwsZu/Tyuu+JbbO5Re9s3F5SZAjovqcvQIym3QzMI
+/D8VO+0862lblUUYHoVeqjG2PhjILzpILczGaSi2XKwkA7GD6OaWpwZt/nMTBNIY
+D9Ry94giQFuraKSJ4j3AyuWnrrb46oqMOZxtG4mrciwEJ0B+9dM/XdgNcWdlHeM9
+ZbCXfxStkkMvPwSrHjFSB3/fSKyawCjRq+vyebPSRF/oLZLX2L4D/ttVK0v4nLTO
+AngHcg/VMs0BHj2ybiUp+glJSavt3CsQxT0ZPMQe2u6Vwv/4ULT3R5qkfRyajXfa
+tqLmT82AubHyHdyQYDdvOV6mA+KLRNekRf1+T0MU8GgN5oSPISBT9rRnvfxd9Egq
+lR19ebqh7rjwg4N/q7HrOE48S4qTgBVjTEMdgUvB5tWwn2xJnQSSZmyffNNiUHL8
+d2WHOdnQ715TSTJK0xtKiEXwD6JeMym9qz1rPSO8xpydmJydjcwyPuGMmBkcRO4X
+Q7OwR6X+FUmqWrd2Q0zfmugzPVLobCzdPtip6S02wjpDdbK81b2Bi/xjN2GIJLt2
+NRkARHo+MKiej990FAkL9YvJsO2+0M/Af2FBB/hsfQoFlk9uX8xA8/UCAwEAAaOC
+AgEwggH9MAkGA1UdEwQCMAAwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL3d3dy5z
+YW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5j
+cmwwEQYJYIZIAYb4QgEBBAQDAgZAMAsGA1UdDwQEAwIF4DBOBglghkgBhvhCAQ0E
+QRY/RG9tYWluIENvbnRyb2xsZXIgQ2VydGlmaWNhdGUgYWRkY3NtYjEuYWRkb20y
+LnNhbWJhLmV4YW1wbGUuY29tMB0GA1UdDgQWBBRbhREnv/emK49Rk9gpTg6iZ6qd
+gDAfBgNVHSMEGDAWgBSiPgIqo6dNObQITZnMDHU26ifDPjBFBgNVHREEPjA8giFh
+ZGRjc21iMS5hZGRvbTIuc2FtYmEuZXhhbXBsZS5jb22gFwYJKwYBBAGCNxkBoAoE
+CAEjRWeJq83vMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJh
+LmV4YW1wbGUuY29tME0GCWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4
+YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAmBgNV
+HSUEHzAdBggrBgEFBQcDAgYIKwYBBQUHAwEGBysGAQUCAwUwDQYJKoZIhvcNAQEL
+BQADggQBAHPeejW8FawyRFuYYGQSr+pCRn37soizR2HDC23RaJI9RM03htoQ0hjb
+GSkDMRomzXDR7BOsWYTNvp8rxi0QqktNeDnTa+FN6BCgPpfTHBkR5A8mf5bXJhcj
+AtlLRwyvx+8orhwo5dJ6YUZwO0le0GVUTK4UJ8DkF0EsGkINhmw3SGWAAiGzKx9P
+NKXOe7D+Bqb+xRvK5eZ+1dwB0lDE+F5zbCxWgdCkc7+Cy9h2yn5EmTpfqZeJqFxb
+GzgNTcsCSWmCE2imvkujV6am4/DcrRwwAL/tFcrDPVx73G3my7u8oSLnMpXgD2qr
+QAxD7fOYY3wvFWNJTlyCZRPyUybXTMb4fvq8qCJE8fumuydk7JQoGUqvCX4Bjp0+
+Q+V5/RbtJLSrWALinvihsEUlbS++u4iQx9hFMUhlJjOGzEZpU2vx1jXfsTntgeEj
+8QHemRAR8D9NXdOKDER49idKMh2rDGPQcSViZ/UMfix8pOyN3gBtX2ldv+bHWXWH
+XiwS3KUb3cF6yVZjajvGmrf8FQFTTcjKx8iBUKBlQzP7qlVkoMMu4vkIZOV1q5iz
+OLqNU+gIR+/PqfIWJRsgeC1v9YPuNdS1xdbXgRe/nEVD0Yh0IhoyskVzoijU2v+F
++XUcT4RqpRpB64vgHUlpBy9bXuN7APhLZ1tC11HeHBiJL/g257WjbDnjiNxdfy/Z
+UrZrnOkd39AYaCVwfnH7s0AodekkOG9wWxr5v+lDvUtR49/jJRGuME5+VVhDs2UF
+ES0OpDy4igz5k6snKMCyF3ZSmxiCt/2mT26hdCsZWayx2F7782k3FlkBTPqpV1IE
+1EWPEAiKq4iqlkaaqpS1xr/pnprNQPMq7SP/pvebGALZq3aWrBVvBF2S0klMS2La
+PSqkWSIadc1u+2JQ2q6dKH1NMi/YzTdn+R3B1XZAujT2jJJbwGX2PJBsW2cJDdMU
+kDgDggbDt4V0fxX0W95mX3Gp8e0Vm6By7gXXs5IwZS6CkCH+8Ac0EdOHQfQ1BAy0
+KPVzuNUO4ypTq5o/TVn5GGjwMZAd1iXGizPo3AaTe8sB3oseh1omoA1e9mo2Q1RT
+bYcQyqgVGko3laVnk3S6w1mb+LWrEJj8/9bSYRddkH6xKhbs1dqAZwITQde8oq8L
+VAizLhsFUID2x5qMrIlJSvRLcXO854xvDHBicz3tBxQ18BUMu9jD9hlDt0WlM4AX
+H8M5KD1qfNbgN2ZYvehkLK234CX1Qayuy8rB61uL4T0ezAlj1mzI67iub0sCmEoq
+GpQm56MjfOnlAuAf9Yj5FHSBAR3NfkY1fB3jZGCIpO2GBg6vOisd+EX+U45WiZWY
+/yyK+zp6DEZqPTJ4rVhpujvVlVFV83I=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/07.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/07.pem
new file mode 100644
index 0000000..2d0735a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/07.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:31:01 2020 GMT
+ Not After : Feb 23 13:31:01 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:eb:0e:b0:1d:53:4f:3c:0f:f8:90:d6:33:64:68:
+ 7e:ed:7c:46:96:c6:77:9c:0a:07:ed:8c:13:da:e7:
+ bb:b3:79:63:4b:ec:5a:2a:59:57:7c:38:69:50:c0:
+ a1:b4:ba:f8:1d:56:78:77:95:b3:44:13:12:83:df:
+ 20:95:12:01:e5:1e:1a:5b:38:69:48:86:e8:a6:0a:
+ 32:f4:38:36:f8:84:bd:5b:a9:70:48:c5:49:25:79:
+ 70:98:23:a7:58:3e:09:97:6d:67:b1:95:fa:08:86:
+ 2d:d6:b7:c5:d2:06:aa:5b:b8:f5:93:e6:c5:20:9a:
+ 9b:0c:90:2b:c7:2e:20:2f:e8:07:45:03:f3:4d:2c:
+ d9:eb:9c:91:d2:68:cc:fe:57:78:5c:2e:57:5b:a6:
+ 0e:10:6a:b8:05:ce:ab:12:31:49:e8:34:7c:3f:91:
+ 63:ce:3e:a6:ff:c0:7b:1b:95:b7:9b:99:a9:c7:ec:
+ d6:45:b7:9e:24:ee:c0:2b:a3:4c:a2:f9:04:5b:18:
+ 2f:0e:8b:2b:16:89:5d:cc:92:fa:49:dd:09:92:72:
+ 14:ba:8f:48:bd:6e:9b:88:14:98:6f:bc:0c:e3:bb:
+ a9:d1:0a:a8:93:6b:75:70:98:f9:a8:d8:0f:c5:e6:
+ a9:a4:e5:b3:72:81:76:07:73:c9:3e:d2:43:62:fe:
+ 1a:3b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 54:FB:DA:B4:F9:26:58:9A:8F:C2:D2:0A:95:B0:95:F6:D2:F6:1B:AE
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ a3:8d:f9:4e:77:ba:67:28:63:6e:3e:70:91:64:3f:51:b3:69:
+ ab:ff:10:04:e4:39:d1:98:bf:7e:c7:da:d3:4e:d5:29:f7:ae:
+ ca:e2:b1:f7:ea:67:38:7e:bb:a8:55:33:c1:de:79:6a:49:56:
+ 6a:48:8c:3b:43:8b:03:f4:30:11:ac:ee:88:28:ed:11:6c:37:
+ 33:13:7f:25:aa:d6:71:99:d2:f8:fb:4f:7a:44:c7:20:78:b2:
+ 22:44:17:d8:56:10:a2:4c:48:1c:3a:ad:bf:82:d7:e5:e0:66:
+ e9:ac:a1:11:23:b3:f8:f7:a7:84:5f:b7:d2:30:89:b7:bc:3f:
+ 9c:61:d8:12:bb:a4:fe:af:53:f9:f7:26:8e:be:9a:79:53:47:
+ b6:2b:d3:31:60:e1:39:11:11:c3:32:b8:32:d2:e2:6d:8a:05:
+ ae:f5:7e:f7:03:33:1c:6c:07:8e:81:a4:26:f2:0d:22:af:fe:
+ 48:12:48:a8:09:e2:98:4e:b9:c5:07:16:5d:a3:b2:73:7c:4c:
+ a7:3e:24:e9:d8:cc:72:a3:87:dd:c7:69:8d:58:dd:2e:27:69:
+ 72:b4:fb:62:cf:66:c4:7a:8b:8b:c4:03:16:b6:9d:7f:7b:f5:
+ 44:c2:04:a7:17:80:9c:f7:32:ba:3a:05:e1:71:28:16:88:6a:
+ 9c:f8:0e:5e:c9:0b:81:eb:2c:05:3c:4c:ff:ba:72:10:da:99:
+ 95:e1:ef:d2:dd:95:7d:d0:24:f6:8f:e0:1c:75:25:64:80:0e:
+ 16:9f:c1:d7:76:7e:45:85:27:a8:85:80:c3:62:40:58:1b:75:
+ c3:8e:40:0c:d9:f1:5b:a0:6b:1e:47:99:4f:00:11:68:19:93:
+ 77:4b:1b:56:94:79:95:f6:b8:92:49:14:e0:8f:2b:40:4c:82:
+ 4c:5b:a0:e2:0f:d4:f3:d1:3c:f3:e6:4c:c4:3d:2a:4c:e8:ca:
+ 10:c0:39:81:64:db:68:80:12:07:3f:92:7c:e0:09:aa:42:77:
+ 51:1e:ee:ad:33:c8:8f:f4:f2:35:2b:c7:b7:57:7c:2e:c8:27:
+ 71:c8:5b:1a:f2:83:fa:4f:85:13:ea:ce:0b:2f:b7:76:86:77:
+ 00:82:46:2f:bf:1c:b2:de:5d:52:40:64:41:54:0b:9f:8c:84:
+ d9:dd:08:02:51:d0:06:d0:07:6f:a1:ef:74:f4:d9:f5:30:9c:
+ 15:c3:d6:89:b7:f5:81:5a:c0:44:3d:99:54:e8:25:56:1f:63:
+ be:5c:f7:be:f1:9c:24:e0:55:46:c4:a5:7e:3f:82:20:b9:4a:
+ d6:14:82:45:14:d8:91:75:33:c5:df:86:9c:19:17:a4:31:4a:
+ 37:a2:9e:b9:11:84:ab:df:bc:21:2b:9b:96:83:b7:1b:13:78:
+ 07:b2:c5:5f:97:48:3b:7e:43:10:34:68:e8:25:bd:51:a0:ae:
+ 17:52:62:47:3c:c9:f0:b5:55:95:cd:68:d3:5f:aa:85:be:ea:
+ fb:2a:8a:e4:50:3d:96:5b:b3:a9:e5:45:e4:2d:da:da:8d:f0:
+ ae:c0:98:47:8e:ca:46:c2:21:68:a6:f9:17:41:a2:c6:21:b9:
+ bc:73:a7:c3:84:a9:31:b7:54:04:33:2a:fb:57:32:47:93:e1:
+ b2:ff:58:5b:f3:19:66:bc:65:8e:00:29:9d:56:60:7d:28:b2:
+ 6d:a5:a9:eb:04:7c:d3:e7:d7:af:2d:fe:df:1e:9c:3b:a9:bb:
+ a0:14:e4:02:7f:e6:e7:0a:b2:37:bd:fd:67:32:82:4f:c0:41:
+ 89:96:9a:f2:9a:04:eb:82:ee:81:8a:00:15:5e:b2:d0:e1:72:
+ 74:47:2f:97:fb:33:f1:8c:b9:25:8f:02:71:75:b7:21:10:74:
+ 4f:5f:5f:61:51:4a:69:d1:03:6b:7a:51:e4:08:03:1f:c2:a7:
+ 2c:c2:10:b8:27:9f:aa:01:15:61:71:72:d6:ca:23:7f:d7:60:
+ b8:65:51:ca:65:8e:ef:74:2e:fc:89:23:0b:55:b5:83:d7:0b:
+ 8c:16:ab:1a:be:3a:79:62:b3:6e:64:d1:c2:48:af:81:0e:d4:
+ 1f:2e:2f:c7:47:16:79:a9:b9:cc:08:29:2e:da:d5:75:96:53:
+ b1:be:2c:5a:5a:9c:6b:40:16:e5:92:63:49:64:99:44:c1:bc:
+ 2a:40:fc:3c:50:c3:dd:07:31:ee:1d:46:38:1b:c8:12:a0:16:
+ 9d:1c:f6:0e:a7:66:8a:b0:2f:11:19:03:1d:66:6f:fe:cc:3a:
+ 6c:99:ce:60:b7:f1:e9:56:40:4d:fc:ac:eb:a5:04:de:85:7c:
+ 19:c7:16:c1:e1:26:43:03:da:f3:50:25:16:99:e0:fa:cd:59:
+ c7:8b:52:cf:fc:20:d0:68:50:b9:83:36:bb:44:7b:1f:92:5f:
+ f6:19:5b:91:de:33:2c:f9:80:25:b9:30:4c:fa:92:5b:6d:c2:
+ 65:10:98:1c:c6:61:51:9e:d0:c9:49:1b:c5:c5:8a:89:72:d0:
+ b7:ff:db:03:f9:95:f2:a0:de:d9:dc:32:c6:20:02:e1:7c:89:
+ 2d:6e:72:12:12:c3:97:56:eb:7c:58:88:1f:9d:ad:4c:b4:6a:
+ 97:4b:0c:87:f3:41:bb:2a:ff:a6:bf:90:70:91:9b:b7:b1:e1:
+ cc:0f:c6:33:a5:05:03:db:f9:fb:79:5c:20:78:f9:1c:88:d4:
+ 84:bd:2f:9b:12:30:02:36:cd:8a:f3:42:4a:9c:dc:c3
+-----BEGIN CERTIFICATE-----
+MIIJIDCCBQigAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMxMDFaFw00MDAyMjMxMzMxMDFaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxLzAtBgNVBAMMJmFkbWluaXN0cmF0b3JAYWRkb20yLnNhbWJhLmV4
+YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z
+YW1iYS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AOsOsB1TTzwP+JDWM2Rofu18RpbGd5wKB+2ME9rnu7N5Y0vsWipZV3w4aVDAobS6
++B1WeHeVs0QTEoPfIJUSAeUeGls4aUiG6KYKMvQ4NviEvVupcEjFSSV5cJgjp1g+
+CZdtZ7GV+giGLda3xdIGqlu49ZPmxSCamwyQK8cuIC/oB0UD800s2euckdJozP5X
+eFwuV1umDhBquAXOqxIxSeg0fD+RY84+pv/AexuVt5uZqcfs1kW3niTuwCujTKL5
+BFsYLw6LKxaJXcyS+kndCZJyFLqPSL1um4gUmG+8DOO7qdEKqJNrdXCY+ajYD8Xm
+qaTls3KBdgdzyT7SQ2L+GjsCAwEAAaOCAiYwggIiMAkGA1UdEwQCMAAwTwYDVR0f
+BEgwRjBEoEKgQIY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NB
+LXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwEQYJYIZIAYb4QgEBBAQDAgWgMAsG
+A1UdDwQEAwIF4DBWBglghkgBhvhCAQ0ESRZHU21hcnQgQ2FyZCBMb2dpbiBDZXJ0
+aWZpY2F0ZSBmb3IgYWRtaW5pc3RyYXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFFT72rT5Jliaj8LSCpWwlfbS9huuMB8GA1UdIwQYMBaAFKI+
+Aiqjp005tAhNmcwMdTbqJ8M+MGkGA1UdEQRiMGCBJmFkbWluaXN0cmF0b3JAYWRk
+b20yLnNhbWJhLmV4YW1wbGUuY29toDYGCisGAQQBgjcUAgOgKAwmYWRtaW5pc3Ry
+YXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wMQYDVR0SBCowKIEmY2Etc2Ft
+YmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wTQYJYIZIAYb4QgEEBEAW
+Pmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFt
+cGxlLmNvbS1jcmwuY3JsMB8GA1UdJQQYMBYGCCsGAQUFBwMCBgorBgEEAYI3FAIC
+MA0GCSqGSIb3DQEBCwUAA4IEAQCjjflOd7pnKGNuPnCRZD9Rs2mr/xAE5DnRmL9+
+x9rTTtUp967K4rH36mc4fruoVTPB3nlqSVZqSIw7Q4sD9DARrO6IKO0RbDczE38l
+qtZxmdL4+096RMcgeLIiRBfYVhCiTEgcOq2/gtfl4GbprKERI7P496eEX7fSMIm3
+vD+cYdgSu6T+r1P59yaOvpp5U0e2K9MxYOE5ERHDMrgy0uJtigWu9X73AzMcbAeO
+gaQm8g0ir/5IEkioCeKYTrnFBxZdo7JzfEynPiTp2Mxyo4fdx2mNWN0uJ2lytPti
+z2bEeouLxAMWtp1/e/VEwgSnF4Cc9zK6OgXhcSgWiGqc+A5eyQuB6ywFPEz/unIQ
+2pmV4e/S3ZV90CT2j+AcdSVkgA4Wn8HXdn5FhSeohYDDYkBYG3XDjkAM2fFboGse
+R5lPABFoGZN3SxtWlHmV9riSSRTgjytATIJMW6DiD9Tz0Tzz5kzEPSpM6MoQwDmB
+ZNtogBIHP5J84AmqQndRHu6tM8iP9PI1K8e3V3wuyCdxyFsa8oP6T4UT6s4LL7d2
+hncAgkYvvxyy3l1SQGRBVAufjITZ3QgCUdAG0Advoe909Nn1MJwVw9aJt/WBWsBE
+PZlU6CVWH2O+XPe+8Zwk4FVGxKV+P4IguUrWFIJFFNiRdTPF34acGRekMUo3op65
+EYSr37whK5uWg7cbE3gHssVfl0g7fkMQNGjoJb1RoK4XUmJHPMnwtVWVzWjTX6qF
+vur7KorkUD2WW7Op5UXkLdrajfCuwJhHjspGwiFopvkXQaLGIbm8c6fDhKkxt1QE
+Myr7VzJHk+Gy/1hb8xlmvGWOACmdVmB9KLJtpanrBHzT59evLf7fHpw7qbugFOQC
+f+bnCrI3vf1nMoJPwEGJlprymgTrgu6BigAVXrLQ4XJ0Ry+X+zPxjLkljwJxdbch
+EHRPX19hUUpp0QNrelHkCAMfwqcswhC4J5+qARVhcXLWyiN/12C4ZVHKZY7vdC78
+iSMLVbWD1wuMFqsavjp5YrNuZNHCSK+BDtQfLi/HRxZ5qbnMCCku2tV1llOxvixa
+WpxrQBblkmNJZJlEwbwqQPw8UMPdBzHuHUY4G8gSoBadHPYOp2aKsC8RGQMdZm/+
+zDpsmc5gt/HpVkBN/KzrpQTehXwZxxbB4SZDA9rzUCUWmeD6zVnHi1LP/CDQaFC5
+gza7RHsfkl/2GVuR3jMs+YAluTBM+pJbbcJlEJgcxmFRntDJSRvFxYqJctC3/9sD
++ZXyoN7Z3DLGIALhfIktbnISEsOXVut8WIgfna1MtGqXSwyH80G7Kv+mv5BwkZu3
+seHMD8YzpQUD2/n7eVwgePkciNSEvS+bEjACNs2K80JKnNzD
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/NewCerts/08.pem b/selftest/manage-ca/CA-samba.example.com/NewCerts/08.pem
new file mode 100644
index 0000000..794f9c2
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/NewCerts/08.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:31:30 2020 GMT
+ Not After : Feb 23 13:31:30 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom2.samba.example.com/emailAddress=pkinit@addom2.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dc:33:db:43:5e:d5:91:27:95:35:d2:86:b2:e5:
+ 70:ac:b8:cf:74:01:2c:60:4d:67:b2:2c:2d:ef:c4:
+ 04:53:4d:08:9b:ce:55:ca:7a:ab:02:29:5d:3d:27:
+ ee:3e:a3:23:2e:3e:36:8d:f1:ca:8f:a7:4b:8b:a9:
+ 39:d3:33:39:d0:b9:f4:9b:c4:14:2c:41:67:be:6a:
+ 32:b6:86:0d:70:0e:eb:6c:b1:d1:ef:92:70:ec:70:
+ 70:2d:5f:4f:ea:6c:3e:9f:ee:9a:11:32:93:5f:b0:
+ e3:51:24:e2:33:08:22:ee:69:07:c6:10:a2:3f:43:
+ 67:3c:0b:48:b6:d1:92:99:22:de:fe:da:28:e9:12:
+ ba:a7:d6:54:76:c4:3c:56:a7:c9:e4:28:18:fd:89:
+ 8a:eb:02:42:88:27:59:61:f5:bd:5f:0d:eb:ce:80:
+ 4a:84:29:e5:38:93:1d:d9:0a:50:e3:eb:72:ec:b2:
+ 73:16:ab:75:33:3a:74:fd:6c:b8:a9:b9:09:c0:30:
+ 0a:74:d4:01:3e:00:0e:89:cf:87:aa:19:f5:7b:c4:
+ 0d:4f:b1:f1:40:59:54:67:28:aa:ca:18:75:7d:96:
+ d4:4d:99:e3:b1:84:bc:e7:65:80:ea:f6:dd:30:ce:
+ cf:14:67:b5:27:09:5f:83:a5:8c:87:62:8f:5a:22:
+ d5:75
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 6A:36:04:8E:C5:C3:2C:C9:17:BA:52:66:D3:AB:0D:C3:F2:25:1A:CD
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 4d:5b:aa:28:b6:e0:a4:61:63:ed:09:7a:0e:2b:b2:c9:83:73:
+ f5:28:17:2b:d5:4e:c7:7b:01:99:5d:b9:c5:93:b3:a5:e2:64:
+ 33:96:38:55:c4:a4:84:9a:d1:dc:40:56:ec:da:a7:a5:3b:7c:
+ 91:c7:8d:03:44:44:9d:a5:0a:9e:de:6a:9d:c2:80:49:93:db:
+ 4d:74:fa:3c:fd:54:de:99:9c:f8:82:63:ba:5e:81:9e:4d:ae:
+ a2:a1:09:dd:81:5a:3e:81:31:8b:ff:85:32:ae:30:9e:1a:d6:
+ 04:d9:1c:bd:a5:0e:83:29:86:f4:be:0f:81:9a:84:f4:42:42:
+ 6d:20:18:16:ef:21:ac:51:b3:34:bd:0f:b5:2c:7e:c5:21:3d:
+ f7:77:95:1e:8f:45:3e:f8:79:93:ad:35:dd:cd:97:95:fe:b6:
+ 5f:88:e7:b8:38:54:15:29:61:2f:17:91:99:74:0c:66:9a:55:
+ 5c:dd:22:19:a1:8e:c1:a5:23:45:a4:85:f2:b2:98:3b:2c:85:
+ d8:2a:8e:9c:4d:6c:9e:9e:ef:80:24:2f:57:f3:a1:1f:09:c4:
+ 44:4d:11:d2:84:87:2a:57:f0:cc:9e:38:2c:3a:68:ee:0b:be:
+ e9:48:67:ff:87:2b:29:03:25:22:8e:00:33:f8:2a:7c:11:91:
+ 17:42:fc:6c:d1:94:c6:f0:7f:ad:c3:97:cf:9f:cc:a5:be:25:
+ 33:af:d4:c4:06:17:a7:be:11:bf:51:5e:6e:b8:26:56:1e:d5:
+ d6:ce:85:05:62:02:62:92:63:48:d9:d2:0b:e4:f9:2c:a2:53:
+ 4f:5e:3d:31:07:4d:5b:c4:48:bc:d5:f0:66:98:fd:85:45:26:
+ 4b:98:4f:a2:ac:05:a0:df:ee:4e:c9:9c:2f:3c:ee:74:9d:54:
+ 83:03:d8:42:a1:ba:57:a1:d4:43:93:a0:94:e3:0c:3b:cb:eb:
+ e6:05:73:60:18:32:81:25:21:55:14:99:2b:9d:0e:b2:72:31:
+ 63:73:5a:94:b2:30:e7:16:16:4c:33:68:cb:e6:87:aa:20:c6:
+ 9c:f1:26:3b:f5:76:7a:9b:07:f7:d9:c0:6c:50:04:d6:14:06:
+ 37:e5:fc:58:18:d5:a7:c8:29:56:9e:3c:fd:03:96:e8:4e:1a:
+ 7e:6e:e3:c9:aa:e6:3f:5d:1a:cd:86:f3:17:82:3b:ff:4c:8e:
+ 6b:d2:11:84:ce:36:cc:c8:fe:31:80:43:23:fa:fe:3c:8c:57:
+ a0:a1:1e:b9:08:c1:03:af:8f:3b:6b:cb:12:e4:6a:31:94:86:
+ 7a:17:c5:9f:80:bc:bc:e0:42:7b:5a:57:ef:b7:d3:0c:5f:98:
+ 71:aa:4e:cf:b4:c7:25:33:96:54:7b:ca:90:79:6f:f8:f0:c3:
+ e7:9d:e7:d0:67:4d:7b:20:7b:9d:d0:91:4f:ab:a3:a2:99:fa:
+ 9a:74:37:33:64:0c:bf:b6:94:3f:62:5f:a5:76:1e:60:54:e6:
+ bf:3a:11:5b:f0:ba:62:12:2e:9b:99:a2:37:9f:4c:b9:e8:8e:
+ d2:81:1f:0f:26:23:3b:9a:3b:69:70:09:e4:ae:05:65:04:3e:
+ 55:06:43:1f:5e:fb:2d:e6:03:b6:c4:ca:47:66:f0:d3:2b:a0:
+ 79:e8:45:a4:df:8f:31:fd:7e:67:ca:50:e0:b0:99:9d:2c:6a:
+ 16:f0:39:01:da:7f:d7:66:15:d1:99:3b:d7:7c:8a:bf:b7:d4:
+ b1:d3:fb:e2:fc:75:82:47:fc:96:42:57:ce:4a:d5:12:07:99:
+ 5b:ae:1a:c2:98:f1:fa:3d:a7:19:88:75:c8:fa:81:60:1f:19:
+ 21:0c:25:84:a1:c3:88:30:a7:80:da:85:85:e1:42:98:76:37:
+ ab:48:75:60:2d:1d:f9:05:6e:04:e2:2b:ce:37:75:17:27:0d:
+ 87:11:d6:2b:fa:37:bf:b7:e3:d2:96:b9:d8:92:18:4a:00:45:
+ 6d:9d:c6:20:d0:6b:2c:ed:33:06:08:d7:0f:56:44:5e:68:9f:
+ 9f:20:fc:57:a8:27:68:c9:f5:f5:2e:4d:0b:3c:a9:2e:92:2b:
+ d3:88:a9:18:27:24:0f:33:90:23:b3:41:99:5b:ec:bd:ef:ba:
+ 5b:4a:b6:a9:6c:b5:a5:d4:47:1e:9c:e7:32:0c:72:98:e7:8c:
+ a4:aa:72:8f:2b:90:5f:2d:23:bf:99:62:75:47:2f:9a:79:5e:
+ 4b:8a:8c:f2:28:df:30:59:6b:62:45:4b:b6:e5:39:ab:77:f0:
+ 51:4b:b7:6f:42:0a:81:a7:c0:c9:8a:c6:09:2a:e8:35:36:53:
+ c9:5b:93:dc:a5:1e:17:b1:cc:b4:13:b5:bb:b0:df:b8:cd:68:
+ 8a:10:18:8c:de:07:33:31:68:6b:f4:6a:dc:d0:17:10:c4:2d:
+ ec:66:51:c3:01:b3:2a:f0:0e:b9:c2:4d:7c:8d:d8:ab:c0:76:
+ 79:ca:e6:ff:a4:36:da:c1:8d:2e:13:7d:15:21:72:86:ad:4b:
+ 1b:73:4f:46:2f:fa:1e:ae:e8:8f:dd:79:6c:46:57:0a:05:ef:
+ 11:04:ae:a0:c5:13:86:6a:a3:cc:9c:b7:80:ef:18:5f:67:f7:
+ 43:ef:e2:94:4f:85:06:2f:d1:7a:97:07:ed:89:7d:aa:1e:e0:
+ cf:52:63:b9:28:95:aa:6d:ca:f2:20:c2:f3:07:83:c5:f4:a2:
+ ee:20:61:88:34:12:62:05:67:8d:f2:83:25:0b:9a:89
+-----BEGIN CERTIFICATE-----
+MIII/TCCBOWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMxMzBaFw00MDAyMjMxMzMxMzBaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxKDAmBgNVBAMMH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20xLjAsBgkqhkiG9w0BCQEWH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcM9tDXtWRJ5U10oay
+5XCsuM90ASxgTWeyLC3vxARTTQibzlXKeqsCKV09J+4+oyMuPjaN8cqPp0uLqTnT
+MznQufSbxBQsQWe+ajK2hg1wDutssdHvknDscHAtX0/qbD6f7poRMpNfsONRJOIz
+CCLuaQfGEKI/Q2c8C0i20ZKZIt7+2ijpErqn1lR2xDxWp8nkKBj9iYrrAkKIJ1lh
+9b1fDevOgEqEKeU4kx3ZClDj63LssnMWq3UzOnT9bLipuQnAMAp01AE+AA6Jz4eq
+GfV7xA1PsfFAWVRnKKrKGHV9ltRNmeOxhLznZYDq9t0wzs8UZ7UnCV+DpYyHYo9a
+ItV1AgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0
+dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl
+LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ
+YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIHBr
+aW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFGo2BI7FwyzJ
+F7pSZtOrDcPyJRrNMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG
+A1UdEQRUMFKBH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB
+BAGCNxQCA6AhDB9wa2luaXRAYWRkb20yLnNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD
+AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEATVuqKLbgpGFj7Ql6Diuy
+yYNz9SgXK9VOx3sBmV25xZOzpeJkM5Y4VcSkhJrR3EBW7NqnpTt8kceNA0REnaUK
+nt5qncKASZPbTXT6PP1U3pmc+IJjul6Bnk2uoqEJ3YFaPoExi/+FMq4wnhrWBNkc
+vaUOgymG9L4PgZqE9EJCbSAYFu8hrFGzNL0PtSx+xSE993eVHo9FPvh5k6013c2X
+lf62X4jnuDhUFSlhLxeRmXQMZppVXN0iGaGOwaUjRaSF8rKYOyyF2CqOnE1snp7v
+gCQvV/OhHwnERE0R0oSHKlfwzJ44LDpo7gu+6Uhn/4crKQMlIo4AM/gqfBGRF0L8
+bNGUxvB/rcOXz5/Mpb4lM6/UxAYXp74Rv1FebrgmVh7V1s6FBWICYpJjSNnSC+T5
+LKJTT149MQdNW8RIvNXwZpj9hUUmS5hPoqwFoN/uTsmcLzzudJ1UgwPYQqG6V6HU
+Q5OglOMMO8vr5gVzYBgygSUhVRSZK50OsnIxY3NalLIw5xYWTDNoy+aHqiDGnPEm
+O/V2epsH99nAbFAE1hQGN+X8WBjVp8gpVp48/QOW6E4afm7jyarmP10azYbzF4I7
+/0yOa9IRhM42zMj+MYBDI/r+PIxXoKEeuQjBA6+PO2vLEuRqMZSGehfFn4C8vOBC
+e1pX77fTDF+YcapOz7THJTOWVHvKkHlv+PDD553n0GdNeyB7ndCRT6ujopn6mnQ3
+M2QMv7aUP2JfpXYeYFTmvzoRW/C6YhIum5miN59MueiO0oEfDyYjO5o7aXAJ5K4F
+ZQQ+VQZDH177LeYDtsTKR2bw0yugeehFpN+PMf1+Z8pQ4LCZnSxqFvA5Adp/12YV
+0Zk713yKv7fUsdP74vx1gkf8lkJXzkrVEgeZW64awpjx+j2nGYh1yPqBYB8ZIQwl
+hKHDiDCngNqFheFCmHY3q0h1YC0d+QVuBOIrzjd1FycNhxHWK/o3v7fj0pa52JIY
+SgBFbZ3GINBrLO0zBgjXD1ZEXmifnyD8V6gnaMn19S5NCzypLpIr04ipGCckDzOQ
+I7NBmVvsve+6W0q2qWy1pdRHHpznMgxymOeMpKpyjyuQXy0jv5lidUcvmnleS4qM
+8ijfMFlrYkVLtuU5q3fwUUu3b0IKgafAyYrGCSroNTZTyVuT3KUeF7HMtBO1u7Df
+uM1oihAYjN4HMzFoa/Rq3NAXEMQt7GZRwwGzKvAOucJNfI3Yq8B2ecrm/6Q22sGN
+LhN9FSFyhq1LG3NPRi/6Hq7oj915bEZXCgXvEQSuoMUThmqjzJy3gO8YX2f3Q+/i
+lE+FBi/RepcH7Yl9qh7gz1JjuSiVqm3K8iDC8weDxfSi7iBhiDQSYgVnjfKDJQua
+iQ==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
new file mode 100644
index 0000000..8a0f05e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt
@@ -0,0 +1 @@
+01
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
new file mode 100644
index 0000000..4daddb7
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old
@@ -0,0 +1 @@
+00
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
new file mode 100644
index 0000000..53eb2a5
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt
@@ -0,0 +1,9 @@
+V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
+V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 360311232941Z 03 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+V 360529193029Z 04 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+V 360529193047Z 05 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+V 400223133028Z 06 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addcsmb1.addom2.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 400223133101Z 07 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com
+V 400223133130Z 08 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@addom2.samba.example.com/emailAddress=pkinit@addom2.samba.example.com
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
new file mode 100644
index 0000000..8f7e63a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old
@@ -0,0 +1 @@
+unique_subject = yes
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
new file mode 100644
index 0000000..28644e4
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old
@@ -0,0 +1,8 @@
+V 360311232844Z 00 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=localdc.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 360311232904Z 01 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
+V 360311232925Z 02 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addc.addom.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 360311232941Z 03 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+V 360529193029Z 04 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+V 360529193047Z 05 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+V 400223133028Z 06 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Domain Controllers/CN=addcsmb1.addom2.samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+V 400223133101Z 07 unknown /C=US/ST=SambaState/O=SambaSelfTesting/OU=Users/CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
new file mode 100644
index 0000000..17a5571
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf
@@ -0,0 +1,203 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 1 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 8192
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = CA Administration
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = CA of samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = ca-samba.example.com@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ template_x509_extensions ]
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
new file mode 100644
index 0000000..930b870
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem
@@ -0,0 +1,102 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIISljBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI8gnWGjK+GVYCAggA
+MBQGCCqGSIb3DQMHBAjV6Im8e0V05wSCElCDz2WaJB4sMLy3WQI/JoMnq+DDjyNC
+7+9th9jeu0Nzcax9NqQ2pKWav2eIwhjS61AM7Zw4+SIqV6mJmuv1IVohHgxAx+nN
+1Poq6bAbgbxk0uwS4nSYXQWOA6xhmjLuZcQcl8bZ6c50Vvc1GLkKiJ7T2x0xr2qt
+pkw86WzbBtrUDbg5IHR3AsgTpyg1Lhs/E1ZCJ3Kd5qXpJwoejvjMCeCqroEzEfo0
+TzIRQS3R/hbnsAzwP03p4HyNs7rY8qGY0K+xv6fTHHiiw+0KbJK0w8KLi7ru0pp8
+YPTTSWBLd96ws0nlhY0aVQzDhlbXSXtqMSQNgZYln7CcH2R8dycwcjDhX0JsPAql
+tIzvkl2goYU7jNI5QnpGPA9VH2U2ipMaEhiaY4yfDolnRaueo3YdmigFz7I4Tanx
+kB3BaF0WrUkIk9oXXH2yIbRm6UAgYhGvNkTcifu6Iv+xfxn2JPulNGWcsJlVsRof
+Hrdy3ZzcDp3bYDoA7gVWQgQKoz3ngIhrgH98zSiNCpKvjWXYx+oWYKHtxVFtFwij
+Pc6+AUdTTjVfQsfNBkE9B2sjmvif6lnKWaMS349zodVCjWQrjsUITJV9Hbqv/8lw
+GrCTFS4R1Wt+ABQDZXZDj4qXQ3Y8NhNI4Z/rkGN9rdaNJuDoyDYzm0tGvoRBP2uV
+GJrAWKt6amx0oSI18L1cqm2hoY7wiZSYFqdXbZm5fbhoELfeak0tMPkHEXx1HtCu
+cVQjcbHTakHcc1cW5TFRlmWZwar4RC//6YO5PENhMacPuW1ld0qF5AbwH303Gw1/
+k4+sYBe0IxiFQWnIFyfCoZI9swTojuUU/p+wxHjwCoxLoiYDN8EOCkHvgcgu7ddQ
+WVHpWyhcNeKcYH71PvyPXjJufbaBouMHrGAodAQXYuRZCwpXvfRG6rqs3yPYkFYn
+dBRdUKDIj2KBLg5n2ssy7ENpRcygUwfgK4H7Qn1yHmDMuq9VjgWNSn1ufCQa+M2L
+CAOMrzX6uRuzw04K2vvv9xhC/Vrr+ISbOL9CDJyvyD4Xzk09JXV9CL8zTDzlJf6s
+DnGhd4F/ejKn8MiOTOYuKugqoFDIw0D3WtbiAHYkXyB1Q13JXjc+N5E74xtGPVUW
+IezrC9yEnQWrrtCBFbAtAKehphfZrvseAB4tBSyToio9wXBVKupa/ghoKEuBIQtE
+OAsBY5Vd8JwZyaLFLBzkPfDqZE6mNSQuSm/x4HjciToQBYicNoGApRH0qneHXdUU
+YUA5QeRp/HRL+yawNPq47HgvmbJh1cpyOsBOGjwqo0Tf0Q6WcqhrZmceHJbpxFeR
+ySDEsuqdSp0prk5CCJ6HO3gsrE6DFLmLNNkZACycIndKO/I98ORY4dmR+zGUoMTS
+Y5Gqpxhuh2LleiquFv3c/mrXVRA4Vl6F43H8isv+7/avhoSkBdoVi17wCR3pdk9F
+naPHRqv6O+VT82S8BqYLR0xk3or+0wzFuaGkh6zPjlYr+DGrTr9qSW34+hJAUsSh
+pcmePlS4A08sM2aZ/z4NSBzGrtSAI0KaeZOZMEyHL7MwZGHvQYz4WbekZJMZR33L
+51ia/VkA2rMw6fgV/HYA3Zwd3NSTQ9jvwP8oAYmjrIbkApQTZQdbGQIh+8kcA4QE
+3seLJAQQ3/reJvkc4jzwbF+A6K53iu23s/FhP89fK93xz+2zxt4bfMb0RQYWSb4u
+aMsTHMC+Aenx93KrVYHvBi/O3PRxPUZQaPPQ+GQVerpmqhnrAtPh8xMjtxRpF3mI
+Hff9RJTCi9jAQWDYAuuWNo1nFi4q6tQU8vCX2T5o+AsvwIrRDxz9E3ELqwPD1Zl8
+YRSBVgQPpy9xS/eHCgBOa7Lch2/gmew0pE6JgHmGSAZbZGVa7QxIsWvrgvNwuDmQ
+pV9xVWttK5dup1un9Z9fiuozO+Iu6a8x0ECCxsUEO2C9bh+Qt1EzjirVy+1WWnKc
+fW2XrFHwQMqIMTjM8JOuWgL2R+YjhFFge0h8CGiXk4f6mnuuGfHhP858Mmxuw0rZ
+bdwwyBq1eiXPrkxm88yo8FYmLXCQExlyFsLbFZ+kJVhZbxeP9siedP14Tgqy2FC0
+2A+tcmypVLu5Vthu66I3wUvmgi9hucwe/s8qCRQwYciN1wzHH6f+uDz//kQIgA75
+AuNAHJYV3uWCKUESpnDL/9W2O6FvWY/j24QG0AkXsl+peovo8CucGUZxphLfsua6
+4x2WrTLehObG+G54CHdOLTrFQDIDRL9Kvmrw8/TGkXEles+WNnB8HxiUQKokA3ld
+fhXy+e/yjaGzwoNY84CV1WXowWJ2vA1Z9gdr1mFpl2uJm1s+RRquuyRI/yXBvGQ4
+x0pPSe8vbQ2OlCzuVMjFpG4dx4oqBwXUR69YigpsVi1A3n23qAPUSjJBflgPLWdG
+x/T+NiQ9TVhFKHqkgiL7e5s5VWaYREXjfDeiVowst/7vJdX3RugJTlVfnmPJ/pJZ
+JnObpWxm7jmJu72fek0bmNaOMvMf4YVB5G/z2gQ0bpwSbl91kxJvTJ6DG9Kb10h9
+ekfffdFdiZHD5V7BUibmt3aYAZSPRG3Scurrv/kKzkH1/cEMnMDb2ppxsfT+LrLu
+92P/7sCxqGJtk6JNiV9MhY3c9gBHsWTIbcJG/wZHzXhwZphoPyFf21I3x11jzQ86
+D3WTC4UQ8ez+PgMvl1ifP0wC0e7ANs8GsDZg9GEI+tBxx4GsAP1dcpr8c+v/wEDF
+/a2fXqtymxWUDc4qCcrE5Az/U7k4tMSIvOiH/QVBsYOybcuvHd4E+Yrx7bXapk0V
+KIgFQm8kVftR32h7KDx55Vcv5a11dEp4TUF1k1MH36GVxMzfqQnnTnwDs67Q2FCs
+YAGt9jF0imAU3KZUwHbJvPYpjNEV9g3pkd4shyB7ZqNXjOFG+rU7F6xOVcf33lBu
+yP653eMJjLR7hKrQ1UiWhgosc9zSUhl+Er6EqV0OoNtXzDI0uHsCzJ4BuLeKzOga
+wXS8JjzHR9Qb+Nf0OljkNgmfCUBk7BDGuvt6ZQwP4pift9+YKJQ9dTLz0QZxeEoA
+Ky9BOkhF4Q9cYACZiSnZGWq5Y+5I+zIPr1LxGfu8gOqhkvne5wAHmC97YbSXaHXI
+rHvFhAzbwdsX2Crgvgd+feIP3LU5T7YhGW3nZMbigaDsBOTUQQW0f8tXygc1QjzT
+dV/mbpoIDz/39PIYKC0BlQQ2S3clfr8SoRWR0bKEypPd7CZXAH4zAdPjKJih3yV/
+SqWxvMKuZFpSu3BJTcrXvN7nvKBzW17VGI0eSE9+SwrsMHZVUjXUolarSYczdC6v
+QKkNV7+Uu04GCNivnE6sYs3M0n5ZSvvBha1/8kUDIi1k6QhvtEauA3WuoMp8/iU2
+mlvT5Kev96glUo1SdCQRLZFh1HXtvKgYiqEZ8FVW3kHMrvDF3Nxh4XDGvuQ6nO8O
+w8TfE56kZVot8KTcYkOBDiyVX/qGLYNNvW2WHm+zygHKVQRkxnL5Y1/GOU10Wr2i
+7ynFFYyjHwj5vkKsqLytQmuIxig2L8eW2WSx74WyWJPLbeHUSVweHjO9DTh9TgUZ
+QEqPRuhTJMXq6VYpMWq9CUYAF/nal1vTab3Q7BbKcDFma89d4m+yv6FTnOnswS5q
+r22NvQwl+09grdVYaL14a+BtkkCYH+SL30B54Vws5W7JS+34OSkMzDZtwwuGUqC3
+P61oG3jsGyJt6knWTgnp83GHKo1jsrP6IooatP4BaPf7PmKcftPuzies10G7MGHm
+h7gAAYVrAW9lDvKKYc7UC/rgf4kJpkqcM6d3eU+9+ccVfmCIbHN4dEE/+VGKMHAA
+qKQS9j5dyoCZH14PXAotyHCmvst08pkKG9Oj7VPG/+rX6tBD3y1LOlMbMKet9Owy
+WA0yTBYXHxr22zcJD6k/7AgkBKbdkJPMR+X9IyINQojpvXJZIKZkVhoSCa4d9DYF
+2xLKo3W3Mqoi3U7sQ42mQsdaozlql+CBYqd3wq1bkGyyqZ4zgm+D9VI+mZ6hZGt/
+77Qlp2j8JeCdsPDy+igzCpz6fkVaQum5fZlg1II5uYR+4EOvn33LbCT+kcqp+YC8
+m32umo2Eg1In2xgfqCpPTEDIjLSxgvC+NtJ/CmGVo6gYebyFLXZlnDbzAhxaOIDO
+p59Tm9K3+wL31FnQOlXtkO9VihN9k5W1qR/MjPH3LaWCFSgMjed3LlOPEFBYmzeV
+oz1oBZcJGVA0aEMA/Oh8hqMjVjz3vaIQfCuJ6eTLob7RDfmnhVaCPHMT9sJDCqKU
+j4r1P0SRj+SRt+tO3kPD3dz8ejXRUb/lTLTSx3fQK0sB7XWu/LJpP3jGgoES6W/t
+Fj6Eai8LXjqr+1rMnc0NKCLlWZakYp8snikOI5b/+t4WsOwhKVFiMbMdtkf5u7J8
+yKLPpkUS/YBxk4Uhv7srkITCzGpE9keV9umQImwPKAtb25DcAXPp5IXuJViHtu6Y
+rKYYlmWgjobgCDvP7NFGKv+7hszZpWmSg/AS13QtPUZ9Fn9mM/Af8Swu5pp2HGUp
+Zme8CjltYjtAk5ChNL+9C5AlVEZoD0x1ag16Gp09ODzEjQ0JebojJuw1X4+q3syD
+BodCMFhwiO2nsnHrr5PALdoAy4YYmQop31HwjhsDShCuSc+8kWnvWRlzyVSI8/vV
+jD8TV68QBeKyU8PDhC2Bmogy/xVYAJthgfK9LYD619Xz8+0h0cTFSwK/WAO4C38l
+WV9SASyAj0O+JMUWheq/Qh4gP2NRDL2fyMFpf8uflwTjmg3Mu39oqcI3SQYk6ViI
+Mq+ClfbU1hYZrakAN8pt8HUM1XbXJRDXnE3hmrTiU+jdNucuunHDjkf9ZaRNgBWW
+yV309Ua9O91EEG0iGjkQ9Sy3ChscBolfvMpayzGtQRFDYWDX6UZnV5zI4ir21ikQ
+A04zphPlCdOWelU8Qs8GuYX8HeXCzc1hUKffARtY2DQqiQ6lmh4YXHM0ILK/kDYo
+ftmcBWpAZEntVRlnrCbPz29cwltn6DHQC6HWKGQyRxafp8fINUOINNMui+W4UR5f
+tNn9IederuOpDvgYDMAzEt59BT8QgRggJl+hlXjRxOXANLTOHWqWKejk8+LAAH3+
+DjBFTX84cfrbbLgrK57E9afEN84KM2EJCCGFXYvc5qBPgrS9oYQwIErvpy89k8fW
+bR7pU41CrHYZG2am774H80FCfofzzAFoJ2pZdPF2Lo95cLxNENy8RjYfePJR2tcf
+vlqNynUvBjabCW6XhtmRK8/fsakfqfaQkZfpHqtA+qAweLh1bcirz3rBeNvwsO3G
+JBxUgNkMel2F78Lg/EfMQL/hxeajDV+LilJkeZeRbHNL18M8dzzJaZkBm2oGylc5
+AS5r4r1EvSINjf1uXDA9CMBNydf6n62VPnDKrk1WK2R+pzFeeVvRayx7PVWacP3N
+JnKPY+t2eIq5JlNCfIHcL8MDHaau4ck/f2lnUJm1OfqhdfAf6wsf+XuEhfkzqsV/
+gRjrumWsuMs7B15eIZNoyP+x9XPfTXvKXtNpWaUbq2iC/rxgMzqzDN0XvHSr8eTL
+I5sg9nlAiezZYcDsGcjpK5EUY3/3zmZtO+OvXg2kA0dQx8QWg51B8MI/f9EprAAp
+O4ypSjvH+Hthnq4Cr1dXtJzOJru3wz0N37Hy/EhMrDYP3XJUjkYJqTrxM8dsT7TD
+RwvRjbJaZYi1mmIakXbHAhEAcIg/Z7hueIYHrOzYaW6akPdxy0yS252mZ83KtUC9
+oxNzYQdMi43bxbWgcTu5RxGPZ99IYUdKziBJiJlOpWFSzPwKcD0bkHeDAbWZ4Aex
+msyzLubI3nPnuszVWgG8cUP1w1HbCC5KAWIOSoRYS6SzcirAZAXuqvoBGGSCiKdJ
+kMIXRjSHgTfNPE0zSkuoYognqtPBQB+tCmEYUwmIidzp7iVe3muLJj1qHRcUNx1g
+XzbpRMOGRUSgMJJlcba5BRNmFnSEjgnFx+v/NEiMhjacOiDDypi58eYPvgLZ0v8I
+UlI0napiKxX1XS9XZE7SI8xXn5zte2de36xAfZTm1gMEYG/sOUndKUUrmsG4ag+u
+ttyW6veD/LMXzYX/vP6zBe8l2RkZp15xMPMSTovij4ELLOAsWmAB8MAQ7p2TThOa
+gmFx0AnWZ55GAXcM6/2dK54ZQjm12KgRz2uZD6RpHgxDlErzHBVY8VFWPHx4b60M
++BVqk94uAsprvWczcuowZwF41MsJ7wm3a1Jtd104mx1/0GokF6EG+NjpSFvHiDN8
+JVlZ24lBIBv/7Q==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
new file mode 100644
index 0000000..86397e5
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt
@@ -0,0 +1 @@
+09
diff --git a/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
new file mode 100644
index 0000000..adb9de8
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old
@@ -0,0 +1 @@
+08
diff --git a/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cer b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cer
new file mode 100644
index 0000000..417a22d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
new file mode 100644
index 0000000..d6a1577
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----
+MIILPDCCBySgAwIBAgIJAM6BrnFPnFmXMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKU2FtYmFTdGF0ZTESMBAGA1UEBwwJU2FtYmFDaXR5
+MRkwFwYDVQQKDBBTYW1iYVNlbGZUZXN0aW5nMRowGAYDVQQLDBFDQSBBZG1pbmlz
+dHJhdGlvbjEgMB4GA1UEAwwXQ0Egb2Ygc2FtYmEuZXhhbXBsZS5jb20xNTAzBgkq
+hkiG9w0BCQEWJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29t
+MB4XDTE2MDMxNjIzMjgzMVoXDTM2MDMxMTIzMjgzMVowgcYxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApTYW1iYVN0YXRlMRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNV
+BAoMEFNhbWJhU2VsZlRlc3RpbmcxGjAYBgNVBAsMEUNBIEFkbWluaXN0cmF0aW9u
+MSAwHgYDVQQDDBdDQSBvZiBzYW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJ
+ARYmY2Etc2FtYmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wggQiMA0G
+CSqGSIb3DQEBAQUAA4IEDwAwggQKAoIEAQC3qPlXMRW0bS5QonEW4MMRiZlgWRc3
+DLtA1hSg0a0POKXIBTTb26kVWwJkdLdLPf9POdAWa+PtEDcgiTKeNeh3hdCaKQiR
+LGtmR2Ncy5jcLyAaJPHL3ZrYCzKPyfhVLtZqrS+5CmJRs1Ar1zEpRPIcT0Qdb6Jp
+gu43msIQnULTZPatF4Oi847jb/JIXnTYxto7cuk1I/2VFJ8OD2cYypNbCkthwAga
+ftJ0GNsM2Ii0q5aFnrHpCh/UhvQ1XGZfGVgBRrFjQQ75GlSCFXuwLLiyXwpj6c/p
+QPTQuWLe+21rnizpxmXBvP6d2LaX2Vsq/XP9iVN/jVigY4swgk61Z6XFkmsVJErB
++JEOrjdcO0kkkqlSY0aqqpoXgtV8lNxTeKrNllRmW/i/Wz174PPdvR6QQFMG0X/W
+NOtqwBGZqiafHlu1xrtC/RnzC2S3ygKssP9463bO8IDvhv2I3QnbsuQdKhQSE5rr
+VDJcSI1DHe+tGsko4QA2RBFvgO8+877K9qnBXpnVdYrnEk4UlZVk8L7TIngbA7RR
+bZ7j1mE28PIzcGN2ps1IY80CbO6V+60YegT2F7smjRAS9YJyfqM0fs4yoRuT5Day
+BHN9asy//gEVfebXytzfvZvh0Y+XTlxsXbZ24IsaW1IhsLNvny9BX2Ygrv5wnf7i
+zvEGf4rnO4v+d4mn2HrkkYLfIJe/iQAY3c8uABbEZgzrTHqC+oyRE4MQUtjQR+10
+8IOvbVeU716Q3SxyiGlq0Dici84J2izArVuZBGVoS2pytwbNFU7eL5SeirL1Xy/E
+3siV+y6Oxr3sigrAmMQbzr0YQT7yDjVaP61ct8krc5N4Z95SciIlvmEIzKkV8kql
+Uiom+XWP8aRnZmiuvfGnvEyB67MmggEkG1LGIhsp+ZsnTfo4nU716Djlq5pOZHY2
+VTiOLET7Omo/a+RmHwrog4hRm2BYifyt3RGmzoWF77klbow13ov0UrsTF7Sw6Uft
+EnaklsZU9cfFyNLsDjEwRTWQ4QMdq3dI6WSOYN9EWFtxLGY8FypH2QkTOOPsqgXY
+/SxZUBqa3r+MrGRJ2NCF6kr1/yanLicVzNSR4tymEFDfF2FJVOtQqbO370JGIrJE
+3kq89zUUMH9xNP6IJu+N11Xe63028KlJomWq6my8AUk7a0sk8z75FIa5PvUSYhQ8
+gbTYXM2AyYLTYxkLt+OzLLyvQI1l6KX3PWLaa94lqxkjGQWIt/ViL1OTineiTbYJ
+YR2SB4R3S3Y6N3AAT6l7D1/lxThrqzmWAAkbElBTZZrXGybjL3I9q8lzVt98X9HY
+LrVClydpw42drOIX5PQ68+s8lYNBA1/uYim3IgTjDPIqsNIkBOjreYnPAgMBAAGj
+ggEpMIIBJTAdBgNVHQ4EFgQUoj4CKqOnTTm0CE2ZzAx1Nuonwz4wHwYDVR0jBBgw
+FoAUoj4CKqOnTTm0CE2ZzAx1Nuonwz4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC
+AQYwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNv
+bS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwEQYJYIZIAYb4QgEB
+BAQDAgEGMDEGA1UdEQQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4
+YW1wbGUuY29tMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJh
+LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IEAQCa8zKgFnArq4GM+OJfiK95
+fYuTgbO+PaH19GWCyNkNCrtasxt6BIdxKYW+rC6VxXBRXSvaPLbiRCDhD9hL03IR
+daQ+R9JanYzoloN7m5q+mSdJpfsIfdlvqKr4hyti6sfC3jnQC1Tp696KrW1P1Ymi
+kOOxksmngZzTYr2q+JhydYsNAdpxeAIAILDZI0F4VzOVPXRy2+Gop+lwWYvtRjjn
+Z8HemYJ8jIGUlldMVInd5+XmS4/+kFLB6Ly+JAoqC9PBUfWiwXIFIPOIM5ia4sNH
+ZeViTG5Kw7MO/esPs7J8VKB6La4v+CYCT4ngT0ekRLXhRi/Dwa8Ok+hFmRtrikvU
+TEqZPOQT3sRqGdlongAZ1kmCkU4n4RhwbMh6WitDKJf7YToMsyrm6LQvGo4Bf1Ns
+mqnY93OSTyOblNGYwq45BMQbGhW21uW93SQg938ojuw4366KeGnHCD3zvyfWh6Yh
+duAWNQb8TNDqhik0lLNVMyrEPpk0f24XrVC2LBia3Z4hQvep/pI8tg1656XbI6/J
+GubM9KW6o0ndZLnMzFFga3JqztzL/Ooqu+yVaA9q89GlN2zv3hafXaC/AChG1b8k
+Esx37mA68jVaTh/1hX8T2hz14EV3LUB2N21W228HuUhZ33PEcR10XMJNJsOOwHUn
+5I902kznpUs3VTVvbWBsEfhZAD9uns07Z5b0b8UN3fZyNmXeE7gObt10obSFzoPt
+yhnTCULNJ0K3cwuQDAC4Y6HQK5hvLBazdvnYT5rZqGneG9ALdQqr9if2gZFeUPQv
+a63VZFwfyx5wQlFwLVbaH3tTl1dweJkZYjUC3BL1rngHNNvD1t//ERXqL2ngOe4C
+1xNNOBAC2Q4upBYAuH+zoT8KMRCxEh22SPNGrlmN+9MwY+ceP1Dxa97vY9FtSMIB
+dYEvoI8TyFhAjC6t4HOUxT4lvpc7Hma+1AlG5x/aSCY2A9ONdLLo5DyXSuLFHgtc
+gh0dJygZ85sd90k8hl+73muHHofG6HuzMNaQhN8sFoaiedhIHa5+Lv6FVyd7Y0dy
+QVHiPVcf5KG3o0y6OnXdfsGNUsak01fqQhIewVghdTU9liGW8PH1UVWO310q1K46
+U46Hp/JBamvvW5B2ZSg8Dj4arS7/TxxNqbIPAtNxtN7Hwg1dubGWMatCv2A8Cx29
+oWIeUG2HKY4XvbdOnpWvCGx+sUqBiK6Sf5zvJF+UigmZPKrZgbrFWSC1tf0RYn9d
+IyH4JGo4uP5OCxBWFvtj2d51qJJvdnlegKkPd9E0vzIZRHJsSoAx54MmqRZQkPzV
+56iQXA4iTfhv2sF7Uer379OV//ML5xIjsV+IkJepTUtAgimqkKKRktCPfFT6mOtw
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crl b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crl
new file mode 100644
index 0000000..27cfe39
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.crl
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
new file mode 100644
index 0000000..73b10cb
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem
@@ -0,0 +1,32 @@
+-----BEGIN X509 CRL-----
+MIIFdTCCAV0CAQEwDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApTYW1iYVN0YXRlMRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNh
+bWJhU2VsZlRlc3RpbmcxGjAYBgNVBAsMEUNBIEFkbWluaXN0cmF0aW9uMSAwHgYD
+VQQDDBdDQSBvZiBzYW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmY2Et
+c2FtYmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20XDTE2MDMxNjIzMjgz
+NFoXDTM2MDMxMTIzMjgzNFqgYjBgMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4YW1w
+bGUuY29tQHNhbWJhLmV4YW1wbGUuY29tMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhN
+mcwMdTbqJ8M+MAoGA1UdFAQDAgEAMA0GCSqGSIb3DQEBCwUAA4IEAQA13bwPRi4+
+CaG7MSTVA4Z4JZIU1CQagBJCah0XPXl+xIs/aWCxS3jdFnCUNLOxrKk5Onrsv0z7
+YWQJHsH2Lu0I38SPyWhftmhrqn74QQyfbGMGblDufbfJsHNyeME2z0ZtCoHUgaz2
+kMatR7ys6uvOY4Moghr/xNK2QYSzCFsetF/5ua2h547GK+VMqb4wH14WIx0ljVO0
+knpqT+uX5b+3KX2QcUFDIzRJZWBj0gDWzNxL5PSbZbcxtpUpUIgbFHD8HGRAu3R3
+MCJE3mKuKyaRKqLaF/qOWnskkHnIV3gObeKIgWFNLiyQKUAvu0m3QO7b5zqUeOep
+JMy/3dwixIoDU5QU1O7TAvJQhVscjt0baQaklqlI7jKwdd1xk6brIXKqLa55ALd2
+RIs7I01X/ZyukrY+NbvQOGh/Weqnxe2IM91DkVQGYNxaa52Fqlrop3U4qdZRgtuL
+Ye8RP3IPcVEoH/t/fW6IBTEN1uG9vVvyUUW2H4lI44yeNt2Pd+6qXXFyKZ9pfctx
+7zCOdo9/ikSzCddLFKL6bgJ4vxNuSt+4csq79BytK+69SrsGP/R87154uqA8nMPm
+TXpFhL3YBqOklphc1JVCccTp/824vkrgrEOSB7uIZOtdTpTuRabo6R5yv2pjC5GR
+om3sI8c7xKeUUsfxDF2jt4vJHlKgYEx8YgbAdKq3As0fkpsY0IcMSNR1KMq8H4ia
+0eNWy1YmkvcZzZTL1GBtL1XNPHkvmuBHV2rglBg7PAklr/9WX7IM6AZh2WKP0Spe
+ih1C7YlVzCgQgOaGEe28jegtgkr3I84j34GJmK5WO5fa7/au8wzUDEyGTJE1wZxv
+k1s4TKiNuCSiH26qVUKfwpzrqhiW/ElAeKsXxjg/V7anhPbQsd+sz4RNFi9RldlY
+tdXkPmKBTvupJkVa3ZUxl8gyXNW8t8bSpW2kYFOorxnEkvhwIxMhwSC9pyEyNFXa
+sxsMZ/BcvFBcJYORhxMYVNksCriyWRuYsNORC8s9wnygbQ2n3TuoloZ9rR8mc6XK
+3EgLwhOyENWToRurBdN7Vq6BuNtnl5P/Rd2WBTy62EcXkrnJCCUK4ouP3o0MRt/V
+LdQiCVf9nnHdkiWMQMH4pkgrEJb70IvS/MAAee3SFuMNa72zgD9Pgk4NX6upqt8s
+3+wo0gqmg1gJ9RQUyk/TuYMgdBVg68B6G1C8RifxffhZMj/rOm1xdXXwRfmDyrHZ
+aaNZv3VHTEIJjSCHMkDV7SD9d36gdX0F1lLP5HIu0QTWJeyE/fFTD+hQMY5Ryk+c
+nzW2ZYuTp14xWD3NTQzq/NS+BPpOcAtL3hSpyvP4UkIFGZc7OUPPBBwR2xTVLQfZ
+YqKrAHJKgPXZ
+-----END X509 CRL-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer
new file mode 100644
index 0000000..9119678
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem
new file mode 100644
index 0000000..7486a63
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:41 2016 GMT
+ Not After : Mar 11 23:29:41 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom.samba.example.com/emailAddress=administrator@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:be:91:64:f2:1b:2b:ed:9b:40:bc:0d:46:23:49:
+ 77:32:74:fe:cb:9a:46:86:33:1e:56:bd:c8:da:dd:
+ e6:2a:07:34:61:1c:f0:b8:71:29:24:2b:90:f3:43:
+ 99:6f:69:f6:ff:8d:b9:b7:3f:f3:36:6a:99:90:90:
+ d6:95:63:4e:88:5a:d7:41:89:7f:73:13:64:49:c7:
+ de:42:65:08:5d:ca:04:b2:68:3a:40:7f:6a:05:df:
+ 56:30:2f:ac:1b:8b:0f:c3:15:3c:38:0f:90:50:44:
+ 00:bb:59:40:f6:d2:e8:5b:73:03:0d:f6:7d:38:5d:
+ 2f:99:c3:0d:13:0f:74:d0:9e:ef:1e:92:42:c4:46:
+ 7c:dc:85:7e:e9:af:91:4e:9d:5f:82:af:58:60:18:
+ a5:ac:91:6e:dd:cf:a7:32:3c:d2:f4:e9:81:be:80:
+ 9e:0c:ca:1f:1a:be:98:c4:fe:e6:25:c1:89:fe:16:
+ 0a:30:90:d3:d4:e5:af:89:24:64:12:d0:4f:19:e2:
+ 1b:86:fb:06:a9:63:d1:47:10:89:dc:2b:52:24:dc:
+ 66:a9:56:c2:cb:f4:ec:35:12:f4:ad:5e:fc:ff:86:
+ e9:b1:f9:1f:b3:ce:44:fb:be:04:af:8d:42:9b:56:
+ a5:02:7f:c5:cf:5f:23:41:1c:69:ee:33:97:7a:81:
+ 50:8b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 30:10:6E:1F:7E:52:33:8C:C8:85:E5:92:74:5D:76:7E:E9:33:5B:36
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 53:3e:51:d2:5d:2c:69:23:5b:dd:05:1a:23:ff:39:5d:54:63:
+ e5:da:e1:4b:60:8c:09:7c:4e:8e:da:8a:bb:63:5d:bc:2d:a0:
+ d4:ce:9e:d2:ce:38:d7:32:67:ba:4a:a6:d1:1d:c4:c7:50:e8:
+ 9a:9e:44:56:1a:9c:f4:8f:b9:8e:39:84:21:db:0f:60:8a:60:
+ b4:0f:4f:3c:35:a0:d2:37:3d:88:e8:0a:18:a7:a7:2d:19:e3:
+ aa:d3:8e:18:8f:35:ef:3e:4a:95:c4:d3:9b:f4:cf:89:c2:70:
+ b9:8c:5c:ef:8a:9e:7a:56:73:13:eb:8b:b7:d9:e1:88:5b:c4:
+ 62:47:42:45:8d:7b:2d:cf:71:83:1b:48:9d:84:8f:65:66:97:
+ 61:fc:f6:30:34:e8:88:2a:34:91:48:dc:7a:b7:65:bc:9c:98:
+ 00:4c:e7:49:fe:4d:a9:56:ea:87:d6:6c:46:39:f2:98:5b:56:
+ 14:82:f2:9e:b8:ad:fd:89:36:48:87:4e:5c:ef:3f:e0:35:ff:
+ 72:5f:5b:e1:c2:fd:d9:6e:40:2b:35:ad:50:08:74:94:87:89:
+ c4:cd:c7:ab:a7:19:4e:ba:f2:1d:83:0f:b0:cf:9c:e6:df:73:
+ 36:88:cf:42:9c:a3:72:27:0f:f7:bf:5b:cc:6b:e5:20:03:b5:
+ 4a:1c:f3:7d:ae:92:43:aa:bb:13:07:a4:3a:77:3d:34:01:00:
+ f1:89:aa:e8:1b:09:7b:b8:b0:e1:54:03:ff:3d:8d:be:35:b9:
+ 13:b2:59:58:32:48:93:f8:e7:d7:3d:49:70:01:44:e6:2b:21:
+ b3:75:49:ae:44:7a:50:15:b8:65:f3:c3:48:96:df:c8:d9:2a:
+ f7:c5:2a:7e:2c:68:77:af:2d:78:1b:fc:1a:d8:f4:8b:a6:86:
+ 35:d2:f0:87:e9:d6:30:0a:76:65:f8:71:e9:80:0d:1f:16:86:
+ 89:92:81:34:d9:be:9b:41:25:ec:65:a9:0a:56:b2:03:91:54:
+ 02:21:97:99:74:61:8c:4a:2e:f4:d0:b1:8b:f1:e6:26:52:bc:
+ f6:f2:e0:bd:96:66:22:c3:4e:51:2f:c3:c4:65:65:c7:97:b5:
+ 1b:29:23:7a:c0:7b:fb:49:33:a0:a9:6a:b7:2f:f3:44:6b:5b:
+ 0c:2c:0d:75:f2:50:d5:82:ba:9a:ab:e0:89:0a:b6:b5:8a:5e:
+ 1a:67:ab:d9:a7:21:22:75:61:1e:d7:21:36:15:6a:da:a8:39:
+ 4d:95:50:2b:e6:ac:c4:f6:38:74:c9:c5:ac:ce:2f:b3:c8:d4:
+ ad:18:a7:93:d4:1a:be:c2:be:9e:39:e6:a7:b1:0e:93:d0:9e:
+ cf:b0:ac:53:7d:08:1f:9d:a5:98:2b:4e:f6:80:e4:df:ea:43:
+ a2:f9:64:bf:84:b2:ff:1c:93:36:60:74:08:4e:5b:d6:24:9a:
+ f8:ac:c7:81:f9:2a:a9:00:28:44:15:6a:31:b9:b5:08:89:c8:
+ 31:15:1e:8f:9d:2c:d0:e3:a8:32:2c:68:42:41:19:6c:43:8e:
+ 69:c0:44:01:ba:1c:c4:ea:f4:ff:c8:57:03:ba:df:3f:5e:a5:
+ 03:da:75:31:2e:07:67:a7:5c:02:55:c3:6f:8f:11:f5:8c:56:
+ a1:f7:4b:bb:46:d0:e5:ff:68:c1:77:3d:0d:35:12:f5:40:af:
+ cd:05:5c:53:74:ff:54:e0:c0:c6:10:5c:e8:33:06:0a:50:47:
+ 7e:71:3a:36:66:aa:f8:de:97:2a:ae:bf:8d:6d:d4:39:c4:fd:
+ b3:03:1d:a5:9c:47:39:8c:c0:b3:73:f8:3a:d6:34:ac:49:4f:
+ b3:87:74:11:20:8f:c0:aa:24:a7:30:20:0c:c0:d9:1c:44:ee:
+ ae:c8:b8:13:63:e5:f8:5e:8f:b0:5a:46:c5:83:3d:41:62:06:
+ e4:62:a6:0a:40:cc:8e:59:ad:8a:36:4e:20:e6:f2:32:04:6e:
+ ee:4e:7d:97:88:dc:ea:74:90:c4:ab:a8:b5:bc:6c:81:b1:64:
+ 77:a6:93:34:44:e4:60:38:b1:0c:2b:29:3a:4a:f7:17:d7:3a:
+ c8:42:7e:db:4d:5f:09:92:ae:6c:90:e1:7d:9f:96:9c:1a:82:
+ bd:45:02:76:29:62:e5:b9:14:53:01:53:c0:5a:d5:34:53:7a:
+ 25:49:3e:3d:db:19:7e:29:57:80:78:67:ea:21:3e:3d:59:36:
+ e0:8b:da:75:57:9b:c8:9d:a1:18:18:e2:5c:35:35:9e:62:2c:
+ f5:0f:c0:8f:55:16:a5:d4:9e:cd:0e:78:87:9d:53:d3:01:e1:
+ 18:61:36:1c:06:c3:3a:43:f3:8a:13:e6:4e:52:32:fd:46:21:
+ cd:62:18:1f:ae:f5:f2:1a:ea:7a:01:3b:a1:3f:1d:16:00:91:
+ 5e:94:78:f4:60:33:54:a9:fc:1c:0a:75:f9:17:aa:dd:12:91:
+ 66:4b:f0:d1:60:25:d4:06:d1:99:9c:c5:64:01:4b:ba:d9:66:
+ ba:9c:f7:68:75:fd:11:3a:eb:6e:fb:8f:a6:17:8a:cd:bc:1a:
+ 59:f9:a9:cd:33:db:7d:71:26:7d:c7:be:de:eb:2e:c0:7e:db:
+ 29:08:0e:82:63:1e:8c:8f:e6:21:1c:b1:49:13:9e:df:78:3b:
+ 68:01:17:0f:df:97:96:58:32:48:1e:5c:ff:fa:db:90:b5:05:
+ 84:68:fd:7c:c0:a5:35:d9:75:1e:ea:cc:25:25:3f:6e
+-----BEGIN CERTIFICATE-----
+MIIJGzCCBQOgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5NDFaFw0zNjAzMTEyMzI5NDFaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxLjAsBgNVBAMMJWFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20xNDAyBgkqhkiG9w0BCQEWJWFkbWluaXN0cmF0b3JAYWRkb20uc2Ft
+YmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+
+kWTyGyvtm0C8DUYjSXcydP7LmkaGMx5Wvcja3eYqBzRhHPC4cSkkK5DzQ5lvafb/
+jbm3P/M2apmQkNaVY06IWtdBiX9zE2RJx95CZQhdygSyaDpAf2oF31YwL6wbiw/D
+FTw4D5BQRAC7WUD20uhbcwMN9n04XS+Zww0TD3TQnu8ekkLERnzchX7pr5FOnV+C
+r1hgGKWskW7dz6cyPNL06YG+gJ4Myh8avpjE/uYlwYn+FgowkNPU5a+JJGQS0E8Z
+4huG+wapY9FHEIncK1Ik3GapVsLL9Ow1EvStXvz/humx+R+zzkT7vgSvjUKbVqUC
+f8XPXyNBHGnuM5d6gVCLAgMBAAGjggIjMIICHzAJBgNVHRMEAjAAME8GA1UdHwRI
+MEYwRKBCoECGPmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1z
+YW1iYS5leGFtcGxlLmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNV
+HQ8EBAMCBeAwVQYJYIZIAYb4QgENBEgWRlNtYXJ0IENhcmQgTG9naW4gQ2VydGlm
+aWNhdGUgZm9yIGFkbWluaXN0cmF0b3JAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20w
+HQYDVR0OBBYEFDAQbh9+UjOMyIXlknRddn7pM1s2MB8GA1UdIwQYMBaAFKI+Aiqj
+p005tAhNmcwMdTbqJ8M+MGcGA1UdEQRgMF6BJWFkbWluaXN0cmF0b3JAYWRkb20u
+c2FtYmEuZXhhbXBsZS5jb22gNQYKKwYBBAGCNxQCA6AnDCVhZG1pbmlzdHJhdG9y
+QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29tMDEGA1UdEgQqMCiBJmNhLXNhbWJhLmV4
+YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0GCWCGSAGG+EIBBARAFj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcDAgYKKwYBBAGCNxQCAjANBgkq
+hkiG9w0BAQsFAAOCBAEAUz5R0l0saSNb3QUaI/85XVRj5drhS2CMCXxOjtqKu2Nd
+vC2g1M6e0s441zJnukqm0R3Ex1Domp5EVhqc9I+5jjmEIdsPYIpgtA9PPDWg0jc9
+iOgKGKenLRnjqtOOGI817z5KlcTTm/TPicJwuYxc74qeelZzE+uLt9nhiFvEYkdC
+RY17Lc9xgxtInYSPZWaXYfz2MDToiCo0kUjcerdlvJyYAEznSf5NqVbqh9ZsRjny
+mFtWFILynrit/Yk2SIdOXO8/4DX/cl9b4cL92W5AKzWtUAh0lIeJxM3Hq6cZTrry
+HYMPsM+c5t9zNojPQpyjcicP979bzGvlIAO1Shzzfa6SQ6q7EwekOnc9NAEA8Ymq
+6BsJe7iw4VQD/z2NvjW5E7JZWDJIk/jn1z1JcAFE5ishs3VJrkR6UBW4ZfPDSJbf
+yNkq98Uqfixod68teBv8Gtj0i6aGNdLwh+nWMAp2Zfhx6YANHxaGiZKBNNm+m0El
+7GWpClayA5FUAiGXmXRhjEou9NCxi/HmJlK89vLgvZZmIsNOUS/DxGVlx5e1Gykj
+esB7+0kzoKlqty/zRGtbDCwNdfJQ1YK6mqvgiQq2tYpeGmer2achInVhHtchNhVq
+2qg5TZVQK+asxPY4dMnFrM4vs8jUrRink9QavsK+njnmp7EOk9Cez7CsU30IH52l
+mCtO9oDk3+pDovlkv4Sy/xyTNmB0CE5b1iSa+KzHgfkqqQAoRBVqMbm1CInIMRUe
+j50s0OOoMixoQkEZbEOOacBEAbocxOr0/8hXA7rfP16lA9p1MS4HZ6dcAlXDb48R
+9YxWofdLu0bQ5f9owXc9DTUS9UCvzQVcU3T/VODAxhBc6DMGClBHfnE6Nmaq+N6X
+Kq6/jW3UOcT9swMdpZxHOYzAs3P4OtY0rElPs4d0ESCPwKokpzAgDMDZHETursi4
+E2Pl+F6PsFpGxYM9QWIG5GKmCkDMjlmtijZOIObyMgRu7k59l4jc6nSQxKuotbxs
+gbFkd6aTNETkYDixDCspOkr3F9c6yEJ+201fCZKubJDhfZ+WnBqCvUUCdili5bkU
+UwFTwFrVNFN6JUk+PdsZfilXgHhn6iE+PVk24IvadVebyJ2hGBjiXDU1nmIs9Q/A
+j1UWpdSezQ54h51T0wHhGGE2HAbDOkPzihPmTlIy/UYhzWIYH6718hrqegE7oT8d
+FgCRXpR49GAzVKn8HAp1+Req3RKRZkvw0WAl1AbRmZzFZAFLutlmupz3aHX9ETrr
+bvuPpheKzbwaWfmpzTPbfXEmfce+3usuwH7bKQgOgmMejI/mIRyxSROe33g7aAEX
+D9+XllgySB5c//rbkLUFhGj9fMClNdl1HurMJSU/bg==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem
new file mode 100644
index 0000000..0d33211
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI06+E0Qn55PYCAggA
+MBQGCCqGSIb3DQMHBAgRIdE1BfEflgSCBMgjWcKNk0gmS+OepxYA2tMjMir2YwFb
+ht/PFx0llj4Zt2U2TgvSFhm7JcsNPXqqqElIvEeNrY5BTB6Jbkd5pt1EpKcBlgHQ
+cPtjslAxo5C5FgvLuzaFd1tRhHm7UWygTRcI+79zRmypOm0v57ZdS6Z218sJc0gk
+re7tBT+lF+S5uCRAUmWBgdVjEFjW+1r0dhVJWYftB8JoE4zW+B0wEz6PIv0cTt7K
+cnjHVMFKWPJStAbJ98RWchF0KWeu+cuWAWt/rJ2QrM+q1bBP4Mgn6XfRnKbcJofk
+BG5v4oo8B/TSe3woBMtf2BheaeXDa96D7lxF7gELTkdodNfJd9s66GLSRKCk6amk
+eJKO8fLZbXpiT0/TGeFvrihWa/ZpVG4I94KDn2a+U8Agq+B1WA6MqCt6txK6GFIN
+okCRyRUYb6TFDI2JA+jeEX+0tStVGp+qNyk4PT4tZOG2BJ2dq5F6+KF0VzE8I7V0
+zIFWQvvwO8N+osvmJgQgxI6JOq0ubiHEEiSrd4lKVO7NJ223I9GXao/z+0l5ywYn
+SL0LEsw2adblRDgzBnsLCqWEeC3Oczg790AaNkqWPolGKBEpOXlCPCjILJfG/7Ii
+GGvuAQaXOOM3fnxb2oTOpFMn6BQDmX77hiCKGTB4VCgTIhwBOpwLDeDxjyUjCp2C
+PPtped8Dne+kK9iGuHyu45sXrVtxfigfKh9+ncCsFVQfpmcYXDiUhn/RUP4qezco
+jkKeC+S4lM9mG/KzWeDUtMlYkEqFA6yxs05VzpxR3h7sizV0YAE2evSxn3w4aYWY
+GGKtVG4h30f7YbxI1N9+2iBTToAejF5gF5/WDPn8N+voohQCIQ6iAZ48vUDuQGme
+mzi73xu774u7M/BnmgtTr1ZG9gvT+F6q6rnJFAqj3k8j+mv2w4XCqytZJ4OGTijo
+j/s/eZDWmo4t/WXUMjePDzXl96hjBq4bZOpqNwKDLsqbVwQrhFzXTkGLhGQAyKb4
+wZywUkYfTdWa9f+A2NmWqry9Ef5KcOJTSHt6FeY5kwcY56iZT+cD4V2pgxTqQBGt
+YUy/j0V35l41OTKZ6x5P3ZSk45w6RPY3/BqcnfvhSFxON3jFivg1DKIcB8WaWjss
+40vP+TthOR2X4FQ/OHKwjs+tC6JpwDuSNCVwj9VBGSgjeXK/aV9BG1A0m4R7qxTV
+aT4tjSSfPfkOf16hTW2ncHTr9rvY3XcYm8eC5E/IEQ7gxpG/JI0+xK2tel0bochs
+aSBP+qGP85Sib3pcnepG6Zhkx4KgTvhbWRAfNS5rB1jLGSpeWQkMZmun91tTuVLK
+fRyfQZ2gkr2ixX/zlPb1bhIXHUBgnoUyUHwZ2lNCDp/dm+nGYqXeeg9lZfD3dYpQ
+Yd1zdR7Faj8aOsC9T4DRUDzgUIUCdvd2wdmnXF1YB43VgXjsAkfZkEVve1ltv4iG
+OAtp0n9aUz+4yS4kBLWEQfNsK7Tz5zjN2BJmm5qQWARxVbR/shhYKqXuY9HbmB95
+sGc1d37pK+n4HvXqQ701zEuvtwyP/P4gg7HjBI2pauuKfT+eVK+xpTBx4W8imY7j
+8IhJ4IBBUWzoMoADD132fVW7f3vpp1XGjvbq5fgDlU6beVsWS9KXBD2Wsl7FDkJ5
+49U=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf
new file mode 100644
index 0000000..da136b8
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = administrator@addom.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = administrator@addom.samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for administrator@addom.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem
new file mode 100644
index 0000000..1510760
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvpFk8hsr7ZtAvA1GI0l3MnT+y5pGhjMeVr3I2t3mKgc0YRzw
+uHEpJCuQ80OZb2n2/425tz/zNmqZkJDWlWNOiFrXQYl/cxNkScfeQmUIXcoEsmg6
+QH9qBd9WMC+sG4sPwxU8OA+QUEQAu1lA9tLoW3MDDfZ9OF0vmcMNEw900J7vHpJC
+xEZ83IV+6a+RTp1fgq9YYBilrJFu3c+nMjzS9OmBvoCeDMofGr6YxP7mJcGJ/hYK
+MJDT1OWviSRkEtBPGeIbhvsGqWPRRxCJ3CtSJNxmqVbCy/TsNRL0rV78/4bpsfkf
+s85E+74Er41Cm1alAn/Fz18jQRxp7jOXeoFQiwIDAQABAoIBADkGUvmrrdJ1IcLk
+CffnNPbxUYllifMAevSj5+WufwBWlZL10QawPgpnywEwWkqfn9zK8SbnyQSgk4FS
+BhQ/2jEtVbpzxaKOy/TUDSs7BmziVdN5Iu1H81b8hNL4gPzg+P98bD+uUJXkM3/c
+bnctl4A+A0z7VG84W1Ucq93nQyJl18E64i57JMb3tI+423FM3sJBk2FUj64Mwg8r
+0p88gccSieB3GusffHazlJDKrlHdFyClLBnW3OQHegv42JOKZErIMHwlaV8fhF21
+GAARx/pDgnvIYUaGhLrf2pCyIkOZIdUedA84rLwAZT9akOtxpNCAxlVUn4xcpAC1
+EAKzGbECgYEA99Hzh3vDNGINYJjqsw01E71DelNTeUmBOuJKqdOG0YLHiG0tERcx
+9KLv+7Uo/qtuRzpkMHao7+zC4spQBk1yYkjVtPkXhWdgVUOztkkza72jlwtVu0eK
+VYfB7eubOMnSsPtVeYyyM6DFKBRUxo0VKsvvjD/84WdCGsgy+jDRDUkCgYEAxNur
+XMStYOnxdebOGFs5U8jc+/HNNuaCpSkk98uQ0/VfWp8TXA508FYnT6/BcoH+3hHy
+7W/7aMv//0IWgNQk8m1w33svDdq7jRJXrIpyb7QaX2OW8IfTfIMKVXOgxPvD/4IK
+lvmvf8T7K0W7rDYdcfy9bsDb0RQcH0Z3cp4lUzMCgYEAmLjmX6RB1FJo9BLI8Lc+
+8n88ynH3i1NlNKioYqhc+VijJsxBbbrhqmWPh4tJTEjRmUu+2q8FxXYfVCxhzMCF
+sVQ5f2HSwP/IOkOSyM+rxMYFvtvZZaTc94DGXp1H92NJWJBLSLEQUQjO97gv1nyz
+gsBTTBdS/IXqEx81a0ISUyECgYA80saClj4fmIjDbfm1qtHuojwtGAvY76XkE+9Z
+JKtt4f2BSW843TqiW2wwAdTaZXHy+Ua+t//M5GMHYksDqQh1Yv0h/7SNKk0SjF1M
+cUZkXxha6rFjRgRBD1ftCRneYw+u7WYKOcFQz/Lu7s/KqLm2U2nQQ4RneDgsLaCQ
+aG6N4wKBgArI0d3MlNFXLU7bT+q/2BaZ5VBwaF/6DlI4m1hDT8dKtOTja+y6vAm/
+aH82uJyoom8R/w2H/ICe3NuwYgTo/7Vy6xMt1TnskGOc0yjTZBMMU1nN8zrxlgD1
+1Xr8TzGOf//mK4H54B/POSq6WZ0PSXDVGToVWMdif+2Rq16+CcKp
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12
new file mode 100644
index 0000000..94d39b5
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem
new file mode 100644
index 0000000..fbaf0fc
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDDTCCAfUCAQAwgccxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMS4wLAYDVQQDDCVhZG1pbmlzdHJhdG9yQGFkZG9tLnNh
+bWJhLmV4YW1wbGUuY29tMTQwMgYJKoZIhvcNAQkBFiVhZG1pbmlzdHJhdG9yQGFk
+ZG9tLnNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAvpFk8hsr7ZtAvA1GI0l3MnT+y5pGhjMeVr3I2t3mKgc0YRzwuHEpJCuQ
+80OZb2n2/425tz/zNmqZkJDWlWNOiFrXQYl/cxNkScfeQmUIXcoEsmg6QH9qBd9W
+MC+sG4sPwxU8OA+QUEQAu1lA9tLoW3MDDfZ9OF0vmcMNEw900J7vHpJCxEZ83IV+
+6a+RTp1fgq9YYBilrJFu3c+nMjzS9OmBvoCeDMofGr6YxP7mJcGJ/hYKMJDT1OWv
+iSRkEtBPGeIbhvsGqWPRRxCJ3CtSJNxmqVbCy/TsNRL0rV78/4bpsfkfs85E+74E
+r41Cm1alAn/Fz18jQRxp7jOXeoFQiwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB
+ALQr9rGYIkhd/AXeVoFHs/66rwaq3GccdnJpi023/5LhOlRmMa2BWTuQm3jW/3Oc
+HgQOx9G0GTDpaBtAjOCGDCygw/k23oekVTQtDPiGigMnpuY2vnrjAeUFJo3us5pA
+9eVPzKTzJf5ftc/aoVC39t/1Uks103M8t5vJCcexBTYQONe56XC1krY50PHZNI/u
+stjOmleHZclLBU/BplId43nRlvvdkXihPiEbdV4XvhHRs/6w52DkQst6NH6jzeWk
+anYEP2Oo1ROX5v201414ZaWm7oDxtNuL8NzDt+DUGISwC/9ZcqadzlaoI9XVhOb2
+AfbQMY1Q/3OeR8uRROpnHjE=
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem
new file mode 120000
index 0000000..a2eb210
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-administrator@addom.samba.example.com-S03-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem
new file mode 120000
index 0000000..afbf12e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-administrator@addom.samba.example.com-S03-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer
new file mode 100644
index 0000000..918ddc1
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem
new file mode 100644
index 0000000..2d0735a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-cert.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:31:01 2020 GMT
+ Not After : Feb 23 13:31:01 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@addom2.samba.example.com/emailAddress=administrator@addom2.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:eb:0e:b0:1d:53:4f:3c:0f:f8:90:d6:33:64:68:
+ 7e:ed:7c:46:96:c6:77:9c:0a:07:ed:8c:13:da:e7:
+ bb:b3:79:63:4b:ec:5a:2a:59:57:7c:38:69:50:c0:
+ a1:b4:ba:f8:1d:56:78:77:95:b3:44:13:12:83:df:
+ 20:95:12:01:e5:1e:1a:5b:38:69:48:86:e8:a6:0a:
+ 32:f4:38:36:f8:84:bd:5b:a9:70:48:c5:49:25:79:
+ 70:98:23:a7:58:3e:09:97:6d:67:b1:95:fa:08:86:
+ 2d:d6:b7:c5:d2:06:aa:5b:b8:f5:93:e6:c5:20:9a:
+ 9b:0c:90:2b:c7:2e:20:2f:e8:07:45:03:f3:4d:2c:
+ d9:eb:9c:91:d2:68:cc:fe:57:78:5c:2e:57:5b:a6:
+ 0e:10:6a:b8:05:ce:ab:12:31:49:e8:34:7c:3f:91:
+ 63:ce:3e:a6:ff:c0:7b:1b:95:b7:9b:99:a9:c7:ec:
+ d6:45:b7:9e:24:ee:c0:2b:a3:4c:a2:f9:04:5b:18:
+ 2f:0e:8b:2b:16:89:5d:cc:92:fa:49:dd:09:92:72:
+ 14:ba:8f:48:bd:6e:9b:88:14:98:6f:bc:0c:e3:bb:
+ a9:d1:0a:a8:93:6b:75:70:98:f9:a8:d8:0f:c5:e6:
+ a9:a4:e5:b3:72:81:76:07:73:c9:3e:d2:43:62:fe:
+ 1a:3b
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 54:FB:DA:B4:F9:26:58:9A:8F:C2:D2:0A:95:B0:95:F6:D2:F6:1B:AE
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ a3:8d:f9:4e:77:ba:67:28:63:6e:3e:70:91:64:3f:51:b3:69:
+ ab:ff:10:04:e4:39:d1:98:bf:7e:c7:da:d3:4e:d5:29:f7:ae:
+ ca:e2:b1:f7:ea:67:38:7e:bb:a8:55:33:c1:de:79:6a:49:56:
+ 6a:48:8c:3b:43:8b:03:f4:30:11:ac:ee:88:28:ed:11:6c:37:
+ 33:13:7f:25:aa:d6:71:99:d2:f8:fb:4f:7a:44:c7:20:78:b2:
+ 22:44:17:d8:56:10:a2:4c:48:1c:3a:ad:bf:82:d7:e5:e0:66:
+ e9:ac:a1:11:23:b3:f8:f7:a7:84:5f:b7:d2:30:89:b7:bc:3f:
+ 9c:61:d8:12:bb:a4:fe:af:53:f9:f7:26:8e:be:9a:79:53:47:
+ b6:2b:d3:31:60:e1:39:11:11:c3:32:b8:32:d2:e2:6d:8a:05:
+ ae:f5:7e:f7:03:33:1c:6c:07:8e:81:a4:26:f2:0d:22:af:fe:
+ 48:12:48:a8:09:e2:98:4e:b9:c5:07:16:5d:a3:b2:73:7c:4c:
+ a7:3e:24:e9:d8:cc:72:a3:87:dd:c7:69:8d:58:dd:2e:27:69:
+ 72:b4:fb:62:cf:66:c4:7a:8b:8b:c4:03:16:b6:9d:7f:7b:f5:
+ 44:c2:04:a7:17:80:9c:f7:32:ba:3a:05:e1:71:28:16:88:6a:
+ 9c:f8:0e:5e:c9:0b:81:eb:2c:05:3c:4c:ff:ba:72:10:da:99:
+ 95:e1:ef:d2:dd:95:7d:d0:24:f6:8f:e0:1c:75:25:64:80:0e:
+ 16:9f:c1:d7:76:7e:45:85:27:a8:85:80:c3:62:40:58:1b:75:
+ c3:8e:40:0c:d9:f1:5b:a0:6b:1e:47:99:4f:00:11:68:19:93:
+ 77:4b:1b:56:94:79:95:f6:b8:92:49:14:e0:8f:2b:40:4c:82:
+ 4c:5b:a0:e2:0f:d4:f3:d1:3c:f3:e6:4c:c4:3d:2a:4c:e8:ca:
+ 10:c0:39:81:64:db:68:80:12:07:3f:92:7c:e0:09:aa:42:77:
+ 51:1e:ee:ad:33:c8:8f:f4:f2:35:2b:c7:b7:57:7c:2e:c8:27:
+ 71:c8:5b:1a:f2:83:fa:4f:85:13:ea:ce:0b:2f:b7:76:86:77:
+ 00:82:46:2f:bf:1c:b2:de:5d:52:40:64:41:54:0b:9f:8c:84:
+ d9:dd:08:02:51:d0:06:d0:07:6f:a1:ef:74:f4:d9:f5:30:9c:
+ 15:c3:d6:89:b7:f5:81:5a:c0:44:3d:99:54:e8:25:56:1f:63:
+ be:5c:f7:be:f1:9c:24:e0:55:46:c4:a5:7e:3f:82:20:b9:4a:
+ d6:14:82:45:14:d8:91:75:33:c5:df:86:9c:19:17:a4:31:4a:
+ 37:a2:9e:b9:11:84:ab:df:bc:21:2b:9b:96:83:b7:1b:13:78:
+ 07:b2:c5:5f:97:48:3b:7e:43:10:34:68:e8:25:bd:51:a0:ae:
+ 17:52:62:47:3c:c9:f0:b5:55:95:cd:68:d3:5f:aa:85:be:ea:
+ fb:2a:8a:e4:50:3d:96:5b:b3:a9:e5:45:e4:2d:da:da:8d:f0:
+ ae:c0:98:47:8e:ca:46:c2:21:68:a6:f9:17:41:a2:c6:21:b9:
+ bc:73:a7:c3:84:a9:31:b7:54:04:33:2a:fb:57:32:47:93:e1:
+ b2:ff:58:5b:f3:19:66:bc:65:8e:00:29:9d:56:60:7d:28:b2:
+ 6d:a5:a9:eb:04:7c:d3:e7:d7:af:2d:fe:df:1e:9c:3b:a9:bb:
+ a0:14:e4:02:7f:e6:e7:0a:b2:37:bd:fd:67:32:82:4f:c0:41:
+ 89:96:9a:f2:9a:04:eb:82:ee:81:8a:00:15:5e:b2:d0:e1:72:
+ 74:47:2f:97:fb:33:f1:8c:b9:25:8f:02:71:75:b7:21:10:74:
+ 4f:5f:5f:61:51:4a:69:d1:03:6b:7a:51:e4:08:03:1f:c2:a7:
+ 2c:c2:10:b8:27:9f:aa:01:15:61:71:72:d6:ca:23:7f:d7:60:
+ b8:65:51:ca:65:8e:ef:74:2e:fc:89:23:0b:55:b5:83:d7:0b:
+ 8c:16:ab:1a:be:3a:79:62:b3:6e:64:d1:c2:48:af:81:0e:d4:
+ 1f:2e:2f:c7:47:16:79:a9:b9:cc:08:29:2e:da:d5:75:96:53:
+ b1:be:2c:5a:5a:9c:6b:40:16:e5:92:63:49:64:99:44:c1:bc:
+ 2a:40:fc:3c:50:c3:dd:07:31:ee:1d:46:38:1b:c8:12:a0:16:
+ 9d:1c:f6:0e:a7:66:8a:b0:2f:11:19:03:1d:66:6f:fe:cc:3a:
+ 6c:99:ce:60:b7:f1:e9:56:40:4d:fc:ac:eb:a5:04:de:85:7c:
+ 19:c7:16:c1:e1:26:43:03:da:f3:50:25:16:99:e0:fa:cd:59:
+ c7:8b:52:cf:fc:20:d0:68:50:b9:83:36:bb:44:7b:1f:92:5f:
+ f6:19:5b:91:de:33:2c:f9:80:25:b9:30:4c:fa:92:5b:6d:c2:
+ 65:10:98:1c:c6:61:51:9e:d0:c9:49:1b:c5:c5:8a:89:72:d0:
+ b7:ff:db:03:f9:95:f2:a0:de:d9:dc:32:c6:20:02:e1:7c:89:
+ 2d:6e:72:12:12:c3:97:56:eb:7c:58:88:1f:9d:ad:4c:b4:6a:
+ 97:4b:0c:87:f3:41:bb:2a:ff:a6:bf:90:70:91:9b:b7:b1:e1:
+ cc:0f:c6:33:a5:05:03:db:f9:fb:79:5c:20:78:f9:1c:88:d4:
+ 84:bd:2f:9b:12:30:02:36:cd:8a:f3:42:4a:9c:dc:c3
+-----BEGIN CERTIFICATE-----
+MIIJIDCCBQigAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMxMDFaFw00MDAyMjMxMzMxMDFaMIG1MQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxLzAtBgNVBAMMJmFkbWluaXN0cmF0b3JAYWRkb20yLnNhbWJhLmV4
+YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkBFiZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z
+YW1iYS5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AOsOsB1TTzwP+JDWM2Rofu18RpbGd5wKB+2ME9rnu7N5Y0vsWipZV3w4aVDAobS6
++B1WeHeVs0QTEoPfIJUSAeUeGls4aUiG6KYKMvQ4NviEvVupcEjFSSV5cJgjp1g+
+CZdtZ7GV+giGLda3xdIGqlu49ZPmxSCamwyQK8cuIC/oB0UD800s2euckdJozP5X
+eFwuV1umDhBquAXOqxIxSeg0fD+RY84+pv/AexuVt5uZqcfs1kW3niTuwCujTKL5
+BFsYLw6LKxaJXcyS+kndCZJyFLqPSL1um4gUmG+8DOO7qdEKqJNrdXCY+ajYD8Xm
+qaTls3KBdgdzyT7SQ2L+GjsCAwEAAaOCAiYwggIiMAkGA1UdEwQCMAAwTwYDVR0f
+BEgwRjBEoEKgQIY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NB
+LXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwEQYJYIZIAYb4QgEBBAQDAgWgMAsG
+A1UdDwQEAwIF4DBWBglghkgBhvhCAQ0ESRZHU21hcnQgQ2FyZCBMb2dpbiBDZXJ0
+aWZpY2F0ZSBmb3IgYWRtaW5pc3RyYXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFFT72rT5Jliaj8LSCpWwlfbS9huuMB8GA1UdIwQYMBaAFKI+
+Aiqjp005tAhNmcwMdTbqJ8M+MGkGA1UdEQRiMGCBJmFkbWluaXN0cmF0b3JAYWRk
+b20yLnNhbWJhLmV4YW1wbGUuY29toDYGCisGAQQBgjcUAgOgKAwmYWRtaW5pc3Ry
+YXRvckBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wMQYDVR0SBCowKIEmY2Etc2Ft
+YmEuZXhhbXBsZS5jb21Ac2FtYmEuZXhhbXBsZS5jb20wTQYJYIZIAYb4QgEEBEAW
+Pmh0dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFt
+cGxlLmNvbS1jcmwuY3JsMB8GA1UdJQQYMBYGCCsGAQUFBwMCBgorBgEEAYI3FAIC
+MA0GCSqGSIb3DQEBCwUAA4IEAQCjjflOd7pnKGNuPnCRZD9Rs2mr/xAE5DnRmL9+
+x9rTTtUp967K4rH36mc4fruoVTPB3nlqSVZqSIw7Q4sD9DARrO6IKO0RbDczE38l
+qtZxmdL4+096RMcgeLIiRBfYVhCiTEgcOq2/gtfl4GbprKERI7P496eEX7fSMIm3
+vD+cYdgSu6T+r1P59yaOvpp5U0e2K9MxYOE5ERHDMrgy0uJtigWu9X73AzMcbAeO
+gaQm8g0ir/5IEkioCeKYTrnFBxZdo7JzfEynPiTp2Mxyo4fdx2mNWN0uJ2lytPti
+z2bEeouLxAMWtp1/e/VEwgSnF4Cc9zK6OgXhcSgWiGqc+A5eyQuB6ywFPEz/unIQ
+2pmV4e/S3ZV90CT2j+AcdSVkgA4Wn8HXdn5FhSeohYDDYkBYG3XDjkAM2fFboGse
+R5lPABFoGZN3SxtWlHmV9riSSRTgjytATIJMW6DiD9Tz0Tzz5kzEPSpM6MoQwDmB
+ZNtogBIHP5J84AmqQndRHu6tM8iP9PI1K8e3V3wuyCdxyFsa8oP6T4UT6s4LL7d2
+hncAgkYvvxyy3l1SQGRBVAufjITZ3QgCUdAG0Advoe909Nn1MJwVw9aJt/WBWsBE
+PZlU6CVWH2O+XPe+8Zwk4FVGxKV+P4IguUrWFIJFFNiRdTPF34acGRekMUo3op65
+EYSr37whK5uWg7cbE3gHssVfl0g7fkMQNGjoJb1RoK4XUmJHPMnwtVWVzWjTX6qF
+vur7KorkUD2WW7Op5UXkLdrajfCuwJhHjspGwiFopvkXQaLGIbm8c6fDhKkxt1QE
+Myr7VzJHk+Gy/1hb8xlmvGWOACmdVmB9KLJtpanrBHzT59evLf7fHpw7qbugFOQC
+f+bnCrI3vf1nMoJPwEGJlprymgTrgu6BigAVXrLQ4XJ0Ry+X+zPxjLkljwJxdbch
+EHRPX19hUUpp0QNrelHkCAMfwqcswhC4J5+qARVhcXLWyiN/12C4ZVHKZY7vdC78
+iSMLVbWD1wuMFqsavjp5YrNuZNHCSK+BDtQfLi/HRxZ5qbnMCCku2tV1llOxvixa
+WpxrQBblkmNJZJlEwbwqQPw8UMPdBzHuHUY4G8gSoBadHPYOp2aKsC8RGQMdZm/+
+zDpsmc5gt/HpVkBN/KzrpQTehXwZxxbB4SZDA9rzUCUWmeD6zVnHi1LP/CDQaFC5
+gza7RHsfkl/2GVuR3jMs+YAluTBM+pJbbcJlEJgcxmFRntDJSRvFxYqJctC3/9sD
++ZXyoN7Z3DLGIALhfIktbnISEsOXVut8WIgfna1MtGqXSwyH80G7Kv+mv5BwkZu3
+seHMD8YzpQUD2/n7eVwgePkciNSEvS+bEjACNs2K80JKnNzD
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem
new file mode 100644
index 0000000..a02f6ed
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIxaygDRmw72ICAggA
+MBQGCCqGSIb3DQMHBAgu9NwWonUgGwSCBMjCCAaRQSglNmeXddY1GpRd9s7mCp0a
+vUHtfHk4qSiPpw/qURTJfeMtZU0XTFeMd9ZSIDIuV9CVUPaaCqASlUwbmJRaGPdS
+1O3xP+0V3VaB3k1c6rCdpERXf/moNSwEnnL2i6twOkW7I9+N7jIqFpeh8RHG1iEJ
+ys8jm6ojtvGRQpF0aT5eboydb5f4d3vq59HXvm/h55LlzC5uao7Kuk03oU5uUeZm
+CDWBwHkgBvsbD/fVaIjHrdMqsCeXQ7AMd8caJsm3GZqorCw/IzrVWXRz30Ianv/u
+WzajtVtYBA69gRHPiiZ9jHbf7DR2TDRA8azpCWFpBBcp37je5RkigBAsZQDhLuN0
+oe9rk/RkIEYEhteSFnkr6AaG/44ln3EEEM3QUKuGQMi5yTQ1qHXcqHRaivR6mO9A
+IOTxQ2dFdz+lbZwqas6TIEVarm1uBbeJUWtC3XRd1T1zOKmBHShUcOAyPC01Tbwc
+qjFDlx1DC3c+mCNHrBgKZ71KDld6GGOPjIbAuEn6Clvo618bFlofgRa9qHTJ08KG
+dxNpjpVkRCBmanTrZj5V0DFW2iEpNCoAi/eCirm82hvet4zofoS46wdoN2DBabCy
+WqqrP6VHq1YRC8K6z9jimhoNmamuVYsLDBr6uDcNqX8dkgMU/AGZH0iefuJgN9iZ
+sDaOU9RLTdFOlUGJ1VD5+VJVaikTQacEfsmgfz+sh8hshXGU5y1yHLC3wzXZ0ESc
+ZStyFbI/a+Loul7eTulnAnDLkmHJIBXQZ/ARiY1G07iydHGLY0NZjPfPEJ42d2aM
+C3DBN6AvZvZx9dAFMVLxIIfsdSiHRfiDLARO5N/frkSp8+5TFswBNLcz+1J/mVdw
+VGubugfKyqJLYPhCNhk46c77Fj/OaCOOaJZBW7hmyUZY67p/K/XUFK0zsrrnGRp8
+igPM8KEOHsdcZsgDXI1gXOc33lBcOa0u9gIT7Ec8TtBo/5sqOBdPKuYniOKiO9Oy
+dPeyPUqIikzgp5n/SbdHA5V35hvE1Nf8RwiR1xrFkeHOnLHlmDXNOuw/oKr2P6jw
+KsvooGxZT4yT8g8D58jVs2yIn/dFjfk380hxB7aMaxyYf+4MjCYT/zYnP2/bEdcz
+/k86GfmHUqT322n6SiHw4QH1blJRkOPNUehMBt3Sr5G1Mq0cCWsFuaBfmy3CcCqW
+jx7DSYLaHRZxnELFceXWrJe8qCyLoFKETIMKw8g6lsvKMmAePD6DN284tJPxzXs9
+1FfRTeDgpBsbx19/vv5CgIzvcUqcFkGHHtlo2LYYYLYzflWcYtdYrfsHeNGjjk6Z
+SfQcHDuQ4NeS8cgt8AyOyj5pWaD4Xiz0anrM1sry1NT82aQzEU+bIiMSnBxHGVhX
+1hHDR4JATfbU7PDGpy648MIN6Ox7cHW+maRLH/MyLtavnrkFSnvf6aFt58IfKga3
+GwsCzUoXWLdSEicGPPcgW0+S9NL/C8xu67n//oijIe/9eHuw9R9J7u6hhjmWTk/S
+Osq7ilvRc6ueKkFjysR+HBtQgfwXoTHXb2X5tpCBUKVJkOlin6JJW0CIfdeBKgjQ
+R4hEhQ4aXHCG+IZ29IAXRvAPyrdw5Zv7lBZl5hKXk+KKMshAkR0nLBkiRJw45fR5
+SJk=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf
new file mode 100644
index 0000000..35a120e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = administrator@addom2.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = administrator@addom2.samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for administrator@addom2.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@addom2.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem
new file mode 100644
index 0000000..bfd9bf6
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA6w6wHVNPPA/4kNYzZGh+7XxGlsZ3nAoH7YwT2ue7s3ljS+xa
+KllXfDhpUMChtLr4HVZ4d5WzRBMSg98glRIB5R4aWzhpSIbopgoy9Dg2+IS9W6lw
+SMVJJXlwmCOnWD4Jl21nsZX6CIYt1rfF0gaqW7j1k+bFIJqbDJArxy4gL+gHRQPz
+TSzZ65yR0mjM/ld4XC5XW6YOEGq4Bc6rEjFJ6DR8P5Fjzj6m/8B7G5W3m5mpx+zW
+RbeeJO7AK6NMovkEWxgvDosrFoldzJL6Sd0JknIUuo9IvW6biBSYb7wM47up0Qqo
+k2t1cJj5qNgPxeappOWzcoF2B3PJPtJDYv4aOwIDAQABAoIBAGEgSJVVf0AKOWNf
+nwy2QPxQhbp3d6T6YBw/7VRevKiEWAtfNkKZeBTUGnBLqIXNXAiDWnPPX6uZVeU3
+pXbzYeUSc0GOJbLaS/eP704KjGxULQpbERKAsqDRdTzoPpWvzLbNdjNjDVXIW9iF
+RzBpoKsV2iOrD3lRaQ/f4rcC0Dn6k3ViM14twahAZI9TU/LcUQhmjI4xkmEOZtxi
+yocK+aibj4NYiOPfDFOVmNUJnKzsBiMFH++1YlzC1BlWL+ILwA/paBxGMz7/dMPO
+3kHJttV9IAZ9EoxDCRxREXOFjKEIdo/mVAIoh+IlELo9z5SDsgL/5ny/8+X3+cK+
+a9BCQcECgYEA/NHSgTC/Bf/REb+nqYhF2QLe0EUIbJAaVy9QZEkWouwdjpV4GFZ+
+cnDYP2V2NP0D3jrWr9Nfhr3vb2liraFZaMcHLJ11Ke+vUEsSLut5qTpp+L66OhDO
+m7kHk1ilH2Y5GbgfV4w7QgWKXymk+OT+1G5M22Ssc79vGo+qfd/A+oUCgYEA7gOq
+EJ+Ok4FKqSRNGDW1BGspqr1khsefow+6VdFyX7WhejDxUsMTnvENx0udt39ExNRM
+C3o8Fu2kLQXq7F8QpryWy3t2gpPOS31ihhZkDRXR6F8VVMTF6eIDSPXl/r8usgz/
+2a7P6Etl2c3KZz+2PCeuKCzuCRuDNc4pONuDvb8CgYA70xrQ30wUi1hZrtRp1YlR
+tNAs0GkR53eUMeoAERt+KglEeDIW8ECzq+g/+C5kk4qax6mNqaLtK3zBDFsBYzDZ
+Dl+wOwJCjikaAummmKoNVXlGFzvSCbAaQUp9n3hTWckhQOSJvvE2ykDYC+6xxt5W
+PlOJhuUX7rDHxD8/0fbEUQKBgQChZDyyTu8n2DjfHm1kaC6Zk2zKiOgceEooEKci
+QAaVHZ0kNQG+Q+cPFJdqNzz3y0W/TdFOyxDp3zQ/D08v/npVBXYe/lXqzvzItXnU
+QGSRduVB8w+Mzm0BXa8qjwroxYyNUUE/w0jZVB75JJEFl+8jNSjjtyulY1GCb4wG
+MNtREwKBgCxPG7IYC5YTubvUE6AH9ZVm1e1QxEKF8v8YYlVwLTlmZQYVBNEQw0+M
+WPScm27j3qUJG7AHG9R+nSSj3A9IeUY0trD5KCMTNuQQcXK1e0kdOlR2uGd2YUL5
+hZ9g7PjNolIpCV5Ifi6Lb8JbAOyvbcgEljGse9hN1gppmbnNndU1
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12
new file mode 100644
index 0000000..8c5f769
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem
new file mode 100644
index 0000000..db7f078
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-S07-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDDzCCAfcCAQAwgckxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMS8wLQYDVQQDDCZhZG1pbmlzdHJhdG9yQGFkZG9tMi5z
+YW1iYS5leGFtcGxlLmNvbTE1MDMGCSqGSIb3DQEJARYmYWRtaW5pc3RyYXRvckBh
+ZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDrDrAdU088D/iQ1jNkaH7tfEaWxnecCgftjBPa57uzeWNL7FoqWVd8
+OGlQwKG0uvgdVnh3lbNEExKD3yCVEgHlHhpbOGlIhuimCjL0ODb4hL1bqXBIxUkl
+eXCYI6dYPgmXbWexlfoIhi3Wt8XSBqpbuPWT5sUgmpsMkCvHLiAv6AdFA/NNLNnr
+nJHSaMz+V3hcLldbpg4QargFzqsSMUnoNHw/kWPOPqb/wHsblbebmanH7NZFt54k
+7sAro0yi+QRbGC8OiysWiV3MkvpJ3QmSchS6j0i9bpuIFJhvvAzju6nRCqiTa3Vw
+mPmo2A/F5qmk5bNygXYHc8k+0kNi/ho7AgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
+AQEAJndP6nZGzsmKplQ/4elWObJD5ye2mN64G9+Tcd+A1Y1j9XpizETi+IrikScJ
+T1BDqUhCVT5fjCy3qgKBD5zeHmakZltcRki8HJT7eWWZFXhEB+buQ9KBgrrS/dX+
+6wflVgrSfe3x+506Dx6y8UDWDVy2P1r/X64uqcxOLUdrG+p8T8OYalNYcO5qQ4Dn
+b5ei4bIAeE9UebUvPxfdN5UT/S/fL33fVCr8OTT60/QL4ez0KjFCLeeEv94qVaqW
+Hxe9ykS7S446RhANWvH6VAeSY2Bhm+WPu9urtRe4m8qR6JC27cOAubHID9szA0ID
+eHTbyblfQdALQ08lUDpNuJDVCQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem
new file mode 120000
index 0000000..0e23e5b
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-administrator@addom2.samba.example.com-S07-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem
new file mode 120000
index 0000000..5a874f3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@addom2.samba.example.com/USER-administrator@addom2.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-administrator@addom2.samba.example.com-S07-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer
new file mode 100644
index 0000000..8f6b393
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem
new file mode 100644
index 0000000..4ab5d5a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Mar 16 23:29:04 2016 GMT
+ Not After : Mar 11 23:29:04 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=administrator@samba.example.com/emailAddress=administrator@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:af:87:9e:1e:7f:c0:ab:da:47:22:74:d0:df:01:
+ f1:67:6c:ac:c4:b7:d9:18:97:e5:7a:62:76:33:b6:
+ 52:f2:92:90:75:ac:a3:94:7e:0c:29:75:c9:83:2f:
+ 19:66:60:84:45:ff:d5:a9:bd:c5:3a:a2:d8:25:cf:
+ 15:8a:23:3e:09:73:2f:99:1d:24:1f:e6:96:7e:7b:
+ c4:1e:8d:55:5b:c1:18:69:cd:1d:b4:22:d5:7b:db:
+ 5e:7c:91:f2:8e:c1:03:30:ee:63:46:5a:54:d5:40:
+ ac:79:55:00:71:07:8d:3e:0e:ed:ff:93:6c:f1:2d:
+ 84:c1:51:a3:7c:49:cf:ff:85:7b:c0:64:c1:ba:c8:
+ 66:7a:ff:17:2a:74:ea:16:6a:1d:97:c0:27:57:10:
+ be:76:f5:9a:63:56:c7:25:c6:fc:a7:5e:00:a6:1a:
+ 3d:21:bd:7a:f9:e3:03:60:ce:df:16:06:fc:05:bc:
+ d1:c8:5d:e7:33:ed:52:8b:60:5b:60:c5:70:13:1d:
+ c1:b3:08:13:09:3b:05:e8:02:40:12:45:89:af:87:
+ 1f:6a:8f:62:ce:1e:17:13:34:82:81:86:e9:bb:85:
+ 5b:75:1d:f4:3a:02:b4:a6:58:23:fe:c3:3a:35:09:
+ 95:bb:f7:79:bc:e3:97:e6:6d:77:24:aa:2d:51:50:
+ 37:69
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for administrator@samba.example.com
+ X509v3 Subject Key Identifier:
+ 45:DA:4B:8D:05:9C:62:4E:62:C3:D7:5C:5F:D3:D9:85:B4:9B:F2:2C
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:administrator@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ a2:bb:e6:97:67:3c:b6:6e:6e:dd:34:99:16:c6:80:91:08:bf:
+ 91:ba:51:62:5d:76:2f:e5:53:91:3d:99:03:18:a9:84:69:73:
+ 76:66:c3:eb:56:d7:c5:40:91:15:da:de:b2:76:48:7d:8a:8c:
+ 80:79:3c:e6:da:0e:a6:c3:53:d6:74:ee:5f:29:b7:03:46:de:
+ 89:32:14:22:03:30:68:2e:7e:06:d4:ac:9e:82:c0:02:16:7f:
+ 81:ba:ee:7a:e7:8b:f7:fb:99:7f:8c:eb:78:54:97:4e:28:44:
+ da:f4:e2:1b:f8:3e:ac:ca:cc:e3:e3:71:90:91:47:9c:78:ed:
+ 6f:bc:b7:98:12:ea:75:e5:15:f7:26:56:a7:5c:d6:74:a8:13:
+ 7b:23:35:4e:6a:01:f6:a9:f5:5b:9b:d0:ea:ba:0f:c3:c4:1a:
+ e0:b9:a3:ed:5d:28:cb:7f:1d:3e:8a:9a:af:4c:88:00:3c:10:
+ f0:49:85:24:60:e6:cb:d6:9e:00:46:78:4d:90:22:68:4f:10:
+ 39:84:3b:e2:7c:3d:ed:23:41:19:7e:6f:45:59:89:a9:9f:26:
+ c1:f9:7d:4d:0a:b4:10:f9:31:7d:cc:87:d0:4b:62:14:70:86:
+ c8:7d:14:ff:e4:68:e2:de:42:ca:01:c7:aa:2d:5a:a5:72:64:
+ f1:4c:fa:6e:60:15:22:08:68:e6:c6:6a:75:63:24:b5:54:76:
+ d1:97:4f:e0:e8:bc:eb:d0:62:84:4a:b4:3a:07:38:5f:b9:a6:
+ 6a:31:14:47:33:81:bd:d0:a4:a2:da:2b:92:0d:dc:42:c4:0f:
+ 28:0d:b6:1b:33:b5:88:df:1b:a8:d8:90:9a:11:ce:df:d4:14:
+ e9:ac:94:94:95:bb:bc:6e:f1:be:85:29:3f:17:ab:41:14:d8:
+ 20:ba:e0:a2:a3:d3:d4:8b:1e:4b:32:22:8d:0d:c1:e6:39:1a:
+ ce:cd:f3:1d:f1:82:85:d5:e7:80:34:90:a4:0e:d4:af:32:c8:
+ 79:4e:25:32:b6:1e:06:3a:26:42:38:47:1a:32:96:71:5b:fe:
+ 5b:b0:ef:7d:fe:58:ca:eb:b5:c9:4b:2f:12:cb:89:36:22:7c:
+ a6:39:ab:20:c1:2d:cd:6b:34:e1:cd:bc:ed:45:45:12:4a:65:
+ 4b:ab:45:f2:6d:7a:9d:f8:b5:52:78:1b:da:2f:e0:ce:f7:e2:
+ b0:fa:6f:40:3d:dd:e9:39:c3:63:68:ab:77:53:be:3b:dd:9a:
+ bc:d7:d7:fa:6a:bf:bf:74:f7:11:80:87:f9:d3:45:eb:1e:8e:
+ d1:a9:a0:2e:66:e7:20:67:1c:4c:22:43:77:85:ff:1a:23:37:
+ cc:49:de:51:ee:f2:04:2f:a8:98:88:0f:b6:18:53:eb:e2:49:
+ 15:5e:02:8b:1e:7b:e6:c5:d1:0c:df:84:4e:d9:bd:fe:21:48:
+ d4:a4:11:01:27:57:51:d6:c1:b2:a1:1c:11:9a:a7:d1:ab:f0:
+ 99:16:b2:c8:3f:74:25:68:0b:1a:cf:58:0d:cd:cc:1a:6d:8b:
+ ec:1f:70:82:02:40:97:0f:75:2c:53:87:c1:42:5c:d1:7e:19:
+ 78:2c:2c:88:73:33:81:63:38:84:07:0f:16:bb:7c:54:59:03:
+ 94:e7:b8:85:d7:f8:5e:53:35:65:2e:e5:27:65:be:f0:89:65:
+ f6:ab:3f:6e:a5:bd:c1:1a:9e:31:30:68:6e:50:af:54:4c:33:
+ f8:73:2f:41:60:4f:4c:85:1b:ad:7d:db:62:42:dc:87:96:b4:
+ cf:ce:12:50:ed:6c:01:5f:e2:f9:03:f5:f7:4c:6c:8f:2b:5b:
+ 7a:64:7d:19:e8:20:f2:e9:10:58:f3:71:0e:1e:58:68:f2:59:
+ 3c:06:53:7a:f3:60:62:5b:c7:b7:83:58:1d:3d:a6:17:db:33:
+ cc:91:14:af:d6:b9:08:bf:60:af:ac:3e:fe:8b:74:71:20:c7:
+ e7:31:5e:26:6c:28:52:67:12:1e:c3:9b:89:23:5d:88:ee:b0:
+ 6b:db:cc:94:8b:9b:1b:40:b7:66:bc:7d:1d:e1:08:00:20:ba:
+ 41:cd:17:d6:4c:7b:c4:5a:fd:cf:6b:20:e2:b8:86:9c:31:17:
+ c2:d7:7f:1c:3a:d0:fc:1d:f5:7f:c9:96:04:27:de:b8:ef:8d:
+ 38:9a:b3:56:60:ac:c2:07:38:64:19:39:9e:73:6f:ba:59:15:
+ ac:45:42:4d:bb:79:60:7f:ae:c3:8d:63:4a:27:16:0a:ca:92:
+ 7f:f7:a2:02:76:f5:e6:7c:ec:ba:ea:18:cd:9c:3b:ee:37:2c:
+ 9d:78:4e:c9:40:6d:94:cc:ce:ca:f4:33:fc:a4:dd:05:62:d6:
+ 0f:1e:19:63:af:10:c3:ff:02:1a:0a:48:fd:af:f2:a4:0e:64:
+ dd:90:f4:4f:14:1b:90:1f:9e:29:b0:0b:94:a4:d1:2a:87:b9:
+ 3a:76:c2:b6:af:c3:d4:84:6e:85:1c:64:73:46:d0:df:72:c0:
+ 3c:42:91:c4:30:10:11:18:36:bc:e5:17:36:22:5f:c2:3f:ac:
+ 1d:2e:9d:87:11:be:a7:ac:b2:62:35:74:b9:27:27:95:bc:c1:
+ 11:44:f8:64:36:60:74:06:a2:e7:e9:76:be:a7:86:5e:18:1e:
+ bd:dc:b0:aa:ae:92:d6:dd:d6:25:80:d6:c1:be:c1:21:1c:01:
+ 6f:83:20:ae:b7:54:4f:3d:2d:12:fc:a2:cc:49:fd:59
+-----BEGIN CERTIFICATE-----
+MIII/TCCBOWgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjAz
+MTYyMzI5MDRaFw0zNjAzMTEyMzI5MDRaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxKDAmBgNVBAMMH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j
+b20xLjAsBgkqhkiG9w0BCQEWH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvh54ef8Cr2kcidNDf
+AfFnbKzEt9kYl+V6YnYztlLykpB1rKOUfgwpdcmDLxlmYIRF/9WpvcU6otglzxWK
+Iz4Jcy+ZHSQf5pZ+e8QejVVbwRhpzR20ItV72158kfKOwQMw7mNGWlTVQKx5VQBx
+B40+Du3/k2zxLYTBUaN8Sc//hXvAZMG6yGZ6/xcqdOoWah2XwCdXEL529ZpjVscl
+xvynXgCmGj0hvXr54wNgzt8WBvwFvNHIXecz7VKLYFtgxXATHcGzCBMJOwXoAkAS
+RYmvhx9qj2LOHhcTNIKBhum7hVt1HfQ6ArSmWCP+wzo1CZW793m845fmbXckqi1R
+UDdpAgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0
+dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl
+LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ
+YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIGFk
+bWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFEXaS40FnGJO
+YsPXXF/T2YW0m/IsMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG
+A1UdEQRUMFKBH2FkbWluaXN0cmF0b3JAc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB
+BAGCNxQCA6AhDB9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD
+AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEAorvml2c8tm5u3TSZFsaA
+kQi/kbpRYl12L+VTkT2ZAxiphGlzdmbD61bXxUCRFdresnZIfYqMgHk85toOpsNT
+1nTuXym3A0beiTIUIgMwaC5+BtSsnoLAAhZ/gbrueueL9/uZf4zreFSXTihE2vTi
+G/g+rMrM4+NxkJFHnHjtb7y3mBLqdeUV9yZWp1zWdKgTeyM1TmoB9qn1W5vQ6roP
+w8Qa4Lmj7V0oy38dPoqar0yIADwQ8EmFJGDmy9aeAEZ4TZAiaE8QOYQ74nw97SNB
+GX5vRVmJqZ8mwfl9TQq0EPkxfcyH0EtiFHCGyH0U/+Ro4t5CygHHqi1apXJk8Uz6
+bmAVIgho5sZqdWMktVR20ZdP4Oi869BihEq0Ogc4X7mmajEURzOBvdCkotorkg3c
+QsQPKA22GzO1iN8bqNiQmhHO39QU6ayUlJW7vG7xvoUpPxerQRTYILrgoqPT1Ise
+SzIijQ3B5jkazs3zHfGChdXngDSQpA7UrzLIeU4lMrYeBjomQjhHGjKWcVv+W7Dv
+ff5Yyuu1yUsvEsuJNiJ8pjmrIMEtzWs04c287UVFEkplS6tF8m16nfi1Ungb2i/g
+zvfisPpvQD3d6TnDY2ird1O+O92avNfX+mq/v3T3EYCH+dNF6x6O0amgLmbnIGcc
+TCJDd4X/GiM3zEneUe7yBC+omIgPthhT6+JJFV4Cix575sXRDN+ETtm9/iFI1KQR
+ASdXUdbBsqEcEZqn0avwmRayyD90JWgLGs9YDc3MGm2L7B9wggJAlw91LFOHwUJc
+0X4ZeCwsiHMzgWM4hAcPFrt8VFkDlOe4hdf4XlM1ZS7lJ2W+8Ill9qs/bqW9wRqe
+MTBoblCvVEwz+HMvQWBPTIUbrX3bYkLch5a0z84SUO1sAV/i+QP190xsjytbemR9
+Gegg8ukQWPNxDh5YaPJZPAZTevNgYlvHt4NYHT2mF9szzJEUr9a5CL9gr6w+/ot0
+cSDH5zFeJmwoUmcSHsObiSNdiO6wa9vMlIubG0C3Zrx9HeEIACC6Qc0X1kx7xFr9
+z2sg4riGnDEXwtd/HDrQ/B31f8mWBCfeuO+NOJqzVmCswgc4ZBk5nnNvulkVrEVC
+Tbt5YH+uw41jSicWCsqSf/eiAnb15nzsuuoYzZw77jcsnXhOyUBtlMzOyvQz/KTd
+BWLWDx4ZY68Qw/8CGgpI/a/ypA5k3ZD0TxQbkB+eKbALlKTRKoe5OnbCtq/D1IRu
+hRxkc0bQ33LAPEKRxDAQERg2vOUXNiJfwj+sHS6dhxG+p6yyYjV0uScnlbzBEUT4
+ZDZgdAai5+l2vqeGXhgevdywqq6S1t3WJYDWwb7BIRwBb4MgrrdUTz0tEvyizEn9
+WQ==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem
new file mode 100644
index 0000000..652e3bd
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7Afo/WihRO4CAggA
+MBQGCCqGSIb3DQMHBAiyzMez8ikVKgSCBMikJkx4Qhm0cLRQXJfIPsHX0YQfinoJ
+qLGWMQ5KWTpwFZHoeqarmCVLJwReF75E8nD5tJdKt5J+lN0gBQMbppAzlSOJvMne
+1E5sDoBHY3jYUViF3p+ZZt4YoDxaGFYxcGL9M6Uo/Yb1791riMisQjgn7inpRe0i
+JuHngJH9Dblg0+vGM3JkMKdizWHSW4RyeYXa8d3rh62Y5RD7exUHKkz3pPucSsyy
+dnkhvbhdXSYzPxcUarrjx3pNMzWhamLWP3V6UwupCB8dygLm4QV+Fc3Jw7wR3Efj
+cewWjmXHuHzAGfDhr1r6yeWaAQCYezSp18UwMRv9AWgiTAayxDI+IroBigvU3PfA
+KE0RlWBnvoy2ggNEsCvk2QXYpQiIJMTS9u1oi2aOdvXaaVxuKBPJGgzAFGSnM44k
+gE1Pe+snVxzRuzHCNXnWoCxSa9xAvRt/dnQ9n1p2m3lwlt+kP0kO4ieMhT+SnBNh
+QY/WRfJ8E5ldYyfJ0y2eRd1hCu+42tj72rAuQkhPEUJzWuU6N1xzChXPwXVnhIh4
+HS4bpd9uL1wA5sNw2zfXdanagmSrXC5EFVdj4rJzHWzkalg0GTMhYd4QsbqI5d8O
+lO5ECnZUJwIcYa5Hy7OVDymRh3BxPMDGYqiO1+6QHUrqRm/XiSDUSaBfLat9ckHY
+0JT5nbBMg0TJ3VIhUbsZaQ4fwZNr9zgeS+yoFuLcPYPCHBz2fDNq6MFb0BqbHcYY
+qmf++nxF/jW21UKTryBeiLdkq1TjExOEXdmjSL4vwmUjyx+ycM4w8GvdU4xkdkQl
+1jNlx20WSocZ0hzreCMXglUb1q7tzZvaVJrSS9TX2PV38Fcz6jpmOeKtnkRBMUis
+Ge20QO7D8zCJM0jL+mNAnuZCA7zHc8aenbR6hK8i3Kd8G0XhWLNVWI5KfFtgrRaW
+UCM8mSdEIvWZfPrdvxo/kYEXBBA8i+3oO0nSUTyHpqmsIH3nYvaWnVmibnKMigO3
++3d+6Db5R117EbXDdRWm85jiN7PQ1SdNVxtKN4Wu188r/KfchXAeBQcBy9Kh1vVY
+qYTqP4Mp7dbm864iiZQZwTLJeq346+xUze5NY7nFHWl0ps7ujk+i9WA9I+M2TAj9
+Zmywy4Xvjwpj7PO5zA9O5TRxnnBbz7VrTcxBLK+6T/2yZZceJ29Bv7wy61eK9LNk
+AYy+MFXlY64L6HauTk9Ne/VnNnTvYYqrqPNy6CehQc0+LKvmYLCHUZabhWi7P1rj
+gUkkypfBH0j8k1lDnjnYu5bml32GK7eBix9C+5kNDadnvCEVDiYFT59SDyKCUHMZ
+19EKywqkWVPu5ez+60zSEJACpvIqDxlamusN3O9tQZD/t2c2lJiBeBPszXgj8Gin
+++tuCwkz/3KNy+u3SCZg9SUk5+XVZDOQOMh9EmUT5oqoPUTm9pblU2B8lRZaw/wl
+B97E4q4TUOtXZXHJdCkU8Sxr8/l8fOFYqIeiFx8PhSHaFgpEKgs89G9AefIb+l1u
+Z36bqMs0y4rIiSHR++0ZO5NJIi33zhPHvifmPzBTDXRn9cWdfqwetq1ts9ZD27oE
+4UhJyRU0gprmtpQWoVnd6ghiM1zk7lZmRQEDDXy4+puztzgZNLKJbSeXbufe49nX
+DcU=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf
new file mode 100644
index 0000000..db72360
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = administrator@samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = administrator@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for administrator@samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:administrator@samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem
new file mode 100644
index 0000000..cc8f150
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAr4eeHn/Aq9pHInTQ3wHxZ2ysxLfZGJflemJ2M7ZS8pKQdayj
+lH4MKXXJgy8ZZmCERf/Vqb3FOqLYJc8ViiM+CXMvmR0kH+aWfnvEHo1VW8EYac0d
+tCLVe9tefJHyjsEDMO5jRlpU1UCseVUAcQeNPg7t/5Ns8S2EwVGjfEnP/4V7wGTB
+ushmev8XKnTqFmodl8AnVxC+dvWaY1bHJcb8p14Apho9Ib16+eMDYM7fFgb8BbzR
+yF3nM+1Si2BbYMVwEx3BswgTCTsF6AJAEkWJr4cfao9izh4XEzSCgYbpu4VbdR30
+OgK0plgj/sM6NQmVu/d5vOOX5m13JKotUVA3aQIDAQABAoIBAQCEj7E0a1rA7ooG
+VZ5grQD5ELOxpP7Jef2OXcnS6ADgvRtoI0cun7rjnNbgwbM3A/EhRELCfFT1IYKH
+m0szFcaGMH1j7wQXK3fAcgv83tP2BXBAhu3F2wDLFzLWdQpwEQgt7fr/aLzkiIE4
+6J76va9HjNLkzxvZUH0P2m3TMZNp7s2NLjxNQwivNXSgKXcT9fPX7IaBd063W41I
+iYQZ7M8Q3C1vk34uC9V1LxjFxOAe42G/ITkjt3CJbg0CjMXG3P3TKIXG94ufpFQO
+mkEzUSGxTCkwlqHKcxsa+7f72TocuhLuwpFBSeRmiIsa5ZHxJiC6XOkz2CAboNkI
+UMSVjoxZAoGBAOlOGjiF7ChheDLhtj3/VcxfyHkcNoUFAtKuoT/FD8JMQiEUTifr
+V7eA8pfAQubVVRNLmZEA40gsJsTPbCRQymwcYDFRATlTd6nZ1s53z99E/v/1QjIa
+ZpQXRD+Nt1xmID/MuX34qpIA6ZEE2zTFoMo1STeNf4eC9mESW9DkA05rAoGBAMCa
+wrvLa5whtXbhdoWfCMYKtSQuGTEKslb4Ec97sKIdZXloGnH0eyiwnynCDhX2wPJt
+gnQtVxNXb9+MFxh+6bnX5rMyB+myXszpPNBCbLO0FU3+vfIEmOoULqU1Xn7Eu97m
+LGoR6G9cN7p8RuX7zp5ROKGfDg77oW8XhVah2x57AoGAY1BmBQ2tW/sx6ab/pyCc
+a2WSt0t1QebCLuE7ryO586H2vJIiOwgJzQnNOyAS2qSRlKcn9fwExGJXFoydok/p
++1+Q6y1qcfbAB8O9lyKVkJuUWW0UArQOWpgU62DuXxzyOXZyt9c09PYCd0Mz9SDz
+s2A/jLBlS1BKhUQFZcTKS4UCgYBaT7cD66x3t26pYar7mMi6ZAbwAhWZ41QgZ42i
+ZnM6cOJF/UR5LpQZTkgzgmSsc9mhUywaYbA0x4kTn1KtD8V0eQIaAFmpgRPmrW7w
+kFT8JnLe8ZYLR5CUIgaFPPMkKgeVywQEcIU2wlz3OpLcACiwH5GYZ0ZmTCM0Pikt
+qBNgxQKBgEVgpIHZi2xdfvwtCrEfomnlImj94HySKIFenCRoc/d34+KO4jKho1zN
+dqbSDqz/lB/7GWFjRszTMZMVJkl8TbE050UEe8EDPt93BSeGHNCUXUesZQVddGhn
+iH8OLIkoW3xIlNgflwi4+7gLjWrAHHPwEG3Iys83DVCA5D/4C02m
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12
new file mode 100644
index 0000000..c2c70e3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem
new file mode 100644
index 0000000..72cd979
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMSgwJgYDVQQDDB9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4
+YW1wbGUuY29tMS4wLAYJKoZIhvcNAQkBFh9hZG1pbmlzdHJhdG9yQHNhbWJhLmV4
+YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr4eeHn/A
+q9pHInTQ3wHxZ2ysxLfZGJflemJ2M7ZS8pKQdayjlH4MKXXJgy8ZZmCERf/Vqb3F
+OqLYJc8ViiM+CXMvmR0kH+aWfnvEHo1VW8EYac0dtCLVe9tefJHyjsEDMO5jRlpU
+1UCseVUAcQeNPg7t/5Ns8S2EwVGjfEnP/4V7wGTBushmev8XKnTqFmodl8AnVxC+
+dvWaY1bHJcb8p14Apho9Ib16+eMDYM7fFgb8BbzRyF3nM+1Si2BbYMVwEx3BswgT
+CTsF6AJAEkWJr4cfao9izh4XEzSCgYbpu4VbdR30OgK0plgj/sM6NQmVu/d5vOOX
+5m13JKotUVA3aQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAGrgBV0TkeQ3fHEJ
+vTabQG/aKSgzkkzaiBdY5GBX3FGtmKl0E9DNImc3bcw4QBC8GDObGoqct31QpHnT
+H51MN/Vix3YAUsKbGtvopGygn22sLtm21Iy1lOS2QsEikPxrDedmKjGzsyi8fWFF
+fWOEW1+mhS7L6oiNDm18MbAaYN6wdgkPVW0Uc+P/ftRZ1y2T2mli+99IgNQQW9Rb
+7ZrHBTyCq9IK73UniVCA3yEN2ibHxaZQsvl3DpUfkKdPV1FOsvj33nTMtcubY7/P
+c4n3w2M0HVSu6Ch+cJj0dy3FzYU76eInzT6B+hs2lGCIm6H4pUH8Vjx9dNMjcC4d
+vctx/Mw=
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem
new file mode 120000
index 0000000..3b134b6
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-administrator@samba.example.com-S01-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem
new file mode 120000
index 0000000..964892e
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-administrator@samba.example.com-S01-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer
new file mode 100644
index 0000000..85773b0
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem
new file mode 100644
index 0000000..997dfd3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-cert.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:47 2016 GMT
+ Not After : May 29 19:30:47 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom.samba.example.com/emailAddress=pkinit@addom.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b3:a4:e8:bd:c8:4f:6a:71:c6:15:a8:dd:00:d6:
+ 61:74:00:e4:8f:b5:c4:0e:98:d9:51:aa:aa:4f:c7:
+ 8c:f9:6c:37:5c:60:55:da:7c:55:9c:d3:cd:e2:f1:
+ ed:51:39:25:d5:fa:69:7e:a7:67:9c:a9:61:1b:5c:
+ 73:50:d0:6f:ba:ce:3a:df:fe:ae:95:95:8e:97:ab:
+ c6:bb:6a:c3:60:0b:ca:c2:9c:31:ff:c6:2f:52:bb:
+ cb:2f:f6:2c:4d:be:20:e1:16:49:d3:22:36:66:4f:
+ 5c:c4:30:12:07:34:8b:00:4e:5b:51:7d:40:35:81:
+ dc:5c:0e:af:be:78:63:80:69:67:87:53:97:d0:3f:
+ d7:66:8d:26:8a:0a:24:95:f9:db:dd:93:0e:48:54:
+ c8:30:e4:77:0d:65:ef:a4:6a:de:29:91:77:97:40:
+ 5c:2e:ed:35:5e:b9:0f:37:ad:d9:70:76:99:77:45:
+ 8c:4a:65:63:13:72:d5:c4:53:37:57:85:0a:6d:74:
+ 30:8c:69:7f:83:f0:7f:f5:67:05:79:80:27:d4:38:
+ 6d:49:2f:8d:2a:97:2e:33:1f:d0:e0:c1:76:1b:bf:
+ bf:b1:75:8a:c9:b1:3f:3f:f2:4e:c5:b0:68:5e:76:
+ 8a:7e:9c:57:b2:ec:3d:18:83:e2:65:d5:30:5e:b5:
+ f4:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom.samba.example.com
+ X509v3 Subject Key Identifier:
+ 3E:81:65:A1:E3:7E:18:BE:80:FE:15:93:CC:20:15:FD:08:D4:A4:3D
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 7b:47:4c:55:7c:77:8b:8f:ca:23:3e:51:6a:51:c1:49:44:0d:
+ 72:56:27:79:f7:54:48:ef:74:37:5e:2a:33:68:dc:04:8a:de:
+ b2:8e:7b:26:6f:67:f5:bc:0a:e1:ec:74:12:86:5a:6b:56:7d:
+ 75:24:d0:df:c7:1e:c4:28:e8:a5:c0:e5:3a:a0:74:f8:95:70:
+ 61:44:a1:9c:e3:54:d8:cf:1b:e2:2f:35:d3:ca:1a:5f:07:e9:
+ ce:fe:79:e1:20:ac:9e:94:74:a5:80:2e:38:75:bc:bc:d7:2d:
+ e0:54:c1:17:9a:8e:07:42:7e:5f:2e:17:93:63:ab:ae:ed:c6:
+ 29:0f:91:c8:8a:99:ad:21:5b:52:a7:dd:0c:2f:32:dc:0d:36:
+ 9c:98:02:aa:eb:8f:2d:3a:86:1a:cf:f8:f5:da:0b:70:7e:14:
+ 9c:79:bc:8a:6c:c7:06:8d:3e:3b:26:2a:50:a1:05:ca:47:79:
+ d1:ba:55:06:cd:d2:3a:10:27:8d:cb:ee:b4:f7:90:ff:f2:fb:
+ 67:f0:73:0b:4f:51:5e:0b:8d:e4:94:cb:da:56:2d:18:91:b8:
+ 51:0f:ee:48:99:cc:ae:8b:6b:ac:d8:38:1e:5e:5e:d9:1a:29:
+ 52:04:52:49:49:30:60:3b:fa:4e:c9:0c:a0:67:20:e1:4a:9f:
+ 84:44:c8:ca:35:d5:28:a6:06:7e:dc:c3:81:8d:40:12:3d:ae:
+ 0d:51:42:5a:16:92:78:2e:70:0b:ba:7f:8e:52:b7:2e:a8:f1:
+ 72:32:ba:6f:30:92:1e:40:0f:bf:09:14:5b:63:c6:1d:b3:ac:
+ eb:e7:69:f0:1b:3c:b8:4a:ec:a2:22:e2:58:ad:ef:22:77:9c:
+ e2:51:ec:38:bf:47:d8:1e:43:77:61:3d:60:54:c7:ba:6a:be:
+ 87:ea:f7:9e:46:74:90:70:c3:d9:74:21:be:90:78:12:2f:30:
+ d2:56:3b:9a:24:27:17:1b:d0:8c:49:e7:65:a8:d2:d9:0f:f8:
+ e9:5e:51:8c:97:cf:90:37:e5:ad:dc:88:ac:c1:54:57:7a:9a:
+ f4:5a:80:25:85:7c:d0:b7:17:03:8c:b3:43:20:59:c7:f3:68:
+ 72:f5:53:75:df:a0:00:12:f0:28:d5:dc:70:ec:9e:c2:33:bd:
+ 73:e9:8c:62:b8:2f:0d:55:a3:3d:d2:21:59:4f:3a:d7:50:aa:
+ 43:72:25:05:a0:2f:e0:f1:79:59:2a:57:e6:b9:91:21:b9:9f:
+ 07:f9:49:fc:d7:97:f7:be:a7:81:69:ac:6c:9a:7c:25:5e:6b:
+ 48:37:90:89:ac:37:02:b5:be:41:01:56:93:71:f4:e9:75:3c:
+ aa:0a:9b:d6:a3:09:64:51:30:d7:2c:1a:dd:bc:83:2e:45:b5:
+ 90:a5:ad:16:ba:18:56:1c:88:73:b5:ee:77:6d:65:3e:11:dc:
+ 36:45:6a:08:99:5d:24:86:93:da:45:95:2a:de:80:96:2e:db:
+ d7:87:b3:f1:70:3c:b5:56:eb:ca:62:dc:3c:49:84:3c:f8:6d:
+ d9:44:e0:81:33:5e:f7:22:27:8b:09:05:12:a6:c1:79:56:c7:
+ 7f:e2:80:d6:ab:4d:e5:1a:ff:ae:9a:fd:3b:7b:aa:15:ca:10:
+ c2:6a:98:c4:70:63:6e:7d:94:8e:87:0a:24:bd:b1:59:85:67:
+ 5b:e8:2e:ff:d7:43:8c:46:06:1a:a8:ba:72:e7:0d:ef:5f:6c:
+ 2d:5c:14:56:ad:5d:56:a5:21:09:7b:16:44:4a:74:9d:1a:03:
+ aa:1a:41:29:e5:78:e4:7c:9e:53:18:61:d8:5a:d1:e8:a8:0e:
+ f4:d3:40:d6:6b:cd:c9:e4:a3:3d:51:54:c3:d6:09:4c:48:9e:
+ 34:2a:23:ad:83:ab:9a:99:c2:bf:7b:85:98:d7:b6:21:fc:c4:
+ 17:6c:56:46:95:98:da:e8:6c:f3:67:4e:33:fc:68:b8:af:86:
+ 07:8b:8e:f3:16:2c:ec:82:e7:b8:47:64:5c:f5:bd:37:75:b5:
+ 94:d3:09:3c:3d:6a:6d:47:81:e0:1b:df:5e:d7:6c:92:7d:23:
+ 91:3e:29:06:21:5b:52:62:47:87:e8:7e:20:ab:fa:cb:3f:9e:
+ ab:7e:55:7e:d2:76:7d:3e:ce:49:f5:ad:a1:f8:13:ba:9a:d6:
+ 54:bb:e9:f0:e0:a6:77:27:95:33:84:48:ff:29:87:fc:65:94:
+ d4:56:44:88:fc:40:0a:64:32:15:13:36:bf:fb:10:65:35:94:
+ 66:ad:d7:e4:16:08:c5:8b:2f:c7:a1:14:99:60:69:66:39:3f:
+ 8d:f3:d3:46:ae:c9:ad:85:94:9b:06:6f:7e:f9:84:b4:e7:fb:
+ 7c:79:1b:75:00:f7:10:19:86:57:48:ea:d5:24:eb:f5:d6:42:
+ 43:73:36:db:9a:15:73:01:75:db:e5:4f:d0:68:3a:3b:35:ce:
+ 19:ab:08:e8:75:c4:7d:b0:d8:c9:64:f9:de:e4:ae:df:a5:24:
+ 19:dd:b8:d1:88:40:48:2a:13:6c:ad:72:23:46:45:2c:78:0c:
+ d4:68:15:11:7f:e2:47:2d:ce:d0:ce:ae:43:8b:08:af:42:12:
+ 85:6f:4d:8b:39:e0:a1:d9:65:08:b1:dc:00:e2:e8:f0:e1:f6:
+ 8f:21:8e:81:cd:de:8a:d0:92:58:22:d0:b0:29:fa:f8:98:6f:
+ c6:e0:68:37:b4:57:90:c2:c4:7c:38:64:51:d7:61:5a
+-----BEGIN CERTIFICATE-----
+MIII+DCCBOCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwNDdaFw0zNjA1MjkxOTMwNDdaMIGlMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxJzAlBgNVBAMMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNv
+bTEtMCsGCSqGSIb3DQEJARYecGtpbml0QGFkZG9tLnNhbWJhLmV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs6TovchPanHGFajdANZh
+dADkj7XEDpjZUaqqT8eM+Ww3XGBV2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBv
+us463/6ulZWOl6vGu2rDYAvKwpwx/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSL
+AE5bUX1ANYHcXA6vvnhjgGlnh1OX0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGre
+KZF3l0BcLu01XrkPN63ZcHaZd0WMSmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn
+1DhtSS+NKpcuMx/Q4MF2G7+/sXWKybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0
+xwIDAQABo4ICDjCCAgowCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRw
+Oi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5j
+b20tY3JsLmNybDARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgME4GCWCG
+SAGG+EIBDQRBFj9TbWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2lu
+aXRAYWRkb20uc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFD6BZaHjfhi+gP4V
+k8wgFf0I1KQ9MB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFkGA1Ud
+EQRSMFCBHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbaAuBgorBgEEAYI3
+FAIDoCAMHnBraW5pdEBhZGRvbS5zYW1iYS5leGFtcGxlLmNvbTAxBgNVHRIEKjAo
+gSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTBNBglghkgB
+hvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFtcGxlLmNvbS9jcmxzL0NBLXNh
+bWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0lBBgwFgYIKwYBBQUHAwIGCisG
+AQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAHtHTFV8d4uPyiM+UWpRwUlEDXJW
+J3n3VEjvdDdeKjNo3ASK3rKOeyZvZ/W8CuHsdBKGWmtWfXUk0N/HHsQo6KXA5Tqg
+dPiVcGFEoZzjVNjPG+IvNdPKGl8H6c7+eeEgrJ6UdKWALjh1vLzXLeBUwReajgdC
+fl8uF5Njq67txikPkciKma0hW1Kn3QwvMtwNNpyYAqrrjy06hhrP+PXaC3B+FJx5
+vIpsxwaNPjsmKlChBcpHedG6VQbN0joQJ43L7rT3kP/y+2fwcwtPUV4LjeSUy9pW
+LRiRuFEP7kiZzK6La6zYOB5eXtkaKVIEUklJMGA7+k7JDKBnIOFKn4REyMo11Sim
+Bn7cw4GNQBI9rg1RQloWkngucAu6f45Sty6o8XIyum8wkh5AD78JFFtjxh2zrOvn
+afAbPLhK7KIi4lit7yJ3nOJR7Di/R9geQ3dhPWBUx7pqvofq955GdJBww9l0Ib6Q
+eBIvMNJWO5okJxcb0IxJ52Wo0tkP+OleUYyXz5A35a3ciKzBVFd6mvRagCWFfNC3
+FwOMs0MgWcfzaHL1U3XfoAAS8CjV3HDsnsIzvXPpjGK4Lw1Voz3SIVlPOtdQqkNy
+JQWgL+DxeVkqV+a5kSG5nwf5SfzXl/e+p4FprGyafCVea0g3kImsNwK1vkEBVpNx
+9Ol1PKoKm9ajCWRRMNcsGt28gy5FtZClrRa6GFYciHO17ndtZT4R3DZFagiZXSSG
+k9pFlSregJYu29eHs/FwPLVW68pi3DxJhDz4bdlE4IEzXvciJ4sJBRKmwXlWx3/i
+gNarTeUa/66a/Tt7qhXKEMJqmMRwY259lI6HCiS9sVmFZ1voLv/XQ4xGBhqounLn
+De9fbC1cFFatXValIQl7FkRKdJ0aA6oaQSnleOR8nlMYYdha0eioDvTTQNZrzcnk
+oz1RVMPWCUxInjQqI62Dq5qZwr97hZjXtiH8xBdsVkaVmNrobPNnTjP8aLivhgeL
+jvMWLOyC57hHZFz1vTd1tZTTCTw9am1HgeAb317XbJJ9I5E+KQYhW1JiR4fofiCr
++ss/nqt+VX7Sdn0+zkn1raH4E7qa1lS76fDgpncnlTOESP8ph/xllNRWRIj8QApk
+MhUTNr/7EGU1lGat1+QWCMWLL8ehFJlgaWY5P43z00auya2FlJsGb375hLTn+3x5
+G3UA9xAZhldI6tUk6/XWQkNzNtuaFXMBddvlT9BoOjs1zhmrCOh1xH2w2Mlk+d7k
+rt+lJBnduNGIQEgqE2ytciNGRSx4DNRoFRF/4kctztDOrkOLCK9CEoVvTYs54KHZ
+ZQix3ADi6PDh9o8hjoHN3orQklgi0LAp+viYb8bgaDe0V5DCxHw4ZFHXYVo=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem
new file mode 100644
index 0000000..542cd3d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIEaGZ7BvOYu4CAggA
+MBQGCCqGSIb3DQMHBAhSIfRjeKrXNgSCBMh+g3dZyu/ZZ1DgB1U3qiUMIIA/hurX
+2FjSuDIrn5+g7uPIxtBjQgz2+2f4kUsiqx/UBOodAwtSzjpP3HX91zyRoMke4jA1
+cx3PlsaSCwXXBmbLhI8+IAiQZ7zo4r5C91nNXVBUC+Z4bDydjXRnZHBAiGo674mB
+ZbpixlAjDQWiJCZJvqDy7uqjIK9un12fU/hBWc6mLJZ8MSTWaJ9/ONGTImhbI7f7
+jtM04HihoDsh8ExeVSSWYt+vM3VIjXlbZqTi0d2ijgb4MnGsIuVVZtnvLbMSe7Ow
+lGLNsbkUq3y8JsF2rkZWHE+7J33Ko9fgUr9kVaIVJpChWnOSsxVUuRydrCUS4g3L
+1wmVPEW59t0jFwMt7qcQS7K1ivkjmNplyld5pBssLX4BuzKMxEsGG6c8MwSLGqcJ
+g70xbraCWzn0ggKCROGvbFmIn9o7GXCnYLj3e4LfHbV0XgINiw7ufCUgRTTHEn+L
+PAaGd13BxdYlquIzbSLhdijDzU+41tXI/g1bw4tAlxcKHPh9XmKRYf8DusVWRKB1
+uyouHQxEVYyJw5atQJZLlzTUWpZ0V4q2UVckN2LSFMtwTu8ZL9iNSL4l75iRaMdI
++V9a+QaAifd7qF8eujvfVgpzuiMuEonQ9iRJOErJ6/BaCO9WaZ+jE0ojZtllWjLQ
+rXGRcxkROFcE36GC7YSWzKDq9WlgQKne9EDp0WevcSNTc698cz09D1/z8N1pkk1K
+Ako3BKs9FUSmynSuTz52CEJ+XOd9FESsJkcu8FqUfmXM5Ubq9jhSU91skmuJHG8r
+BlzkuO2va91T1Muu/RHaFhBYmaomkw2kvJ57oay7wZ/9Fm+j6PjdgAH81w3RfS+G
+m+Vivp6wRmE438yy2QDgywjvk7anjZMX1R2PhXWgmKTSL1EosAFx6AZytd+xTDFa
+tEIkfwVkr6fKLI1FFq2artDZAYqSpkFCmRFOMNoqc6UAzuET88y5oPDjY9RS3Ikd
+Ru9VvuT2LcaWjCj3ofqV0ATYgkbGSsj6n66kZFoPBEv7dpD33mN9A0R7U8nzeXUT
+0ImG4xsXv4vfumrfgG6sr17Ylsm/ntmUtcFy+ZbJCLypL2UnZya1+EC6a20kVt7X
+DDpFH/qct3iBeRJnTdoTxWGbQKHRQ5Ro/GnZ02fCN0DBEyb4WHbP6T+Gy3DHF6TA
+rBlC5nVNQD49d5brbPyBnBG4585mzPZI57npo3MpgEHv9+LC48LfJZaX5w7uevg+
+RnkjjIwrEIUZMrUvFxeNYKtdp9IggRGjDCPz8Y8TNBnvWuet0xRODhZTVs6zFeQw
+s+NZirzyN6XSu9Wpc+CGbFx55eMOGog8t2e2HjBbeNCvri9wKP1t1CdCD+CTqJ6E
+BaoP0Wippj8VGOB87djnT+7X2bJLjnYkmspk/Mhlz1EKh+j6SXh5VFCSoO3o1JbW
+iyAI2vpT3+Bt4RXrUDTYV9OHpWSQXM/TYhHnVBdeq53h5UkBYsK+vSjHyjF9Jspt
+ORWsCUBiaVBy3X9AMEubsITKCVAjlCacFDOraO6h7Y6LkOyuNvJ2aDo02L3sfDPY
+sa43P1ERP5C4OOUzhLmavkwhJnzAHVAVCfNMCDzYe7UsSrweQ+OVfcp70uAdKfK5
+jzQ=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf
new file mode 100644
index 0000000..8bb8714
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = pkinit@addom.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = pkinit@addom.samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for pkinit@addom.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@addom.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem
new file mode 100644
index 0000000..8ab8683
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAs6TovchPanHGFajdANZhdADkj7XEDpjZUaqqT8eM+Ww3XGBV
+2nxVnNPN4vHtUTkl1fppfqdnnKlhG1xzUNBvus463/6ulZWOl6vGu2rDYAvKwpwx
+/8YvUrvLL/YsTb4g4RZJ0yI2Zk9cxDASBzSLAE5bUX1ANYHcXA6vvnhjgGlnh1OX
+0D/XZo0migoklfnb3ZMOSFTIMOR3DWXvpGreKZF3l0BcLu01XrkPN63ZcHaZd0WM
+SmVjE3LVxFM3V4UKbXQwjGl/g/B/9WcFeYAn1DhtSS+NKpcuMx/Q4MF2G7+/sXWK
+ybE/P/JOxbBoXnaKfpxXsuw9GIPiZdUwXrX0xwIDAQABAoIBAB3OjPeAVvz4Z7+M
+Ry8uYvkWdNYLeL5bSiOsx5l5KMDx3bWsHlKkMqhU1GKFdbT2YHrCk+J58E0kJYKe
+sluEWiWKtmYYIeub5w7vZ4gNTOGQ01G7DOi9f3igxDPvCqbTly0Bv7oSgSg0ntXG
+jBc59p5UYf6BY7f9Fg0IOszFuOzDSSHoX8Ld/8rO+2d7k0cvS2xG3FViqMifqAN+
+b1GVm9MtPB5B4iM9dAsgy7NK8kKoY3xUFeYwC8yzBCeG35F+Bq6x+vTUoNfESwwg
+/qvJwRNgChlJgLVbrcR/F0wDuvINwELUeDipP1Ca8dmaQgYLlYqrbYJlJEfsHX9w
+IkuW1CECgYEA5Sn1mTKK4RnHGWE84kqAayiCEifap/FcPpA5M5AZ8t0HxDUGZ/aO
+glhFOsA0bKpmK+U7Hv+uZtD7YDI2syzwk3RnLn3sHaNSMKYkogGOds4U8wYalLYe
+AhTGPhukip+6SAZEJicRZDYxy4xczOLmwmGeTMFPQ7mWljbYTVvo7dkCgYEAyK5p
+ZZu8Jor0VKuUjQwtzsr0P7AP8h84uf38+Llfn51/sDGihR7oHA7ER0HgaOwL238f
+a990+QpShlH1LLik8LeWXNEl6A9MvWJH1OCahGh48ui8T1ptI6OgcNfIDOt0ZE2e
+RoV90FpzABR057SvSog6iuCZqYl7ddEoEd3oM58CgYBqrJSJ4rApRqGam9wGjp2m
+xC2AHBM5uC2zZdlqujqKBf+2guRfgrMl08cuKQh+SPfUmRljPavGaqOJTPaPg2zd
+hwL87lr6FOuOf9hvnX/ep+GymvXGodvoJhl+EcoPSXkiS+BvTiJXXq7hTI5qRXkb
+pOtWWWn3Ya3KcO9RW2ZbSQKBgFnRVfLYJPnLL1fGA5KtZMMtKuxmTHy9ZJI6D0Lz
+FM1HnKKrVGXoU1JbeZW68kmDfDsdRl7tgFkGObFMdUMy0P+761xXb3PRhTMuDaBF
+dmLUr21opP+PJVHSJjjbGvpNV6ac5r4BeTILiXT7sucRg3METc9ifuPWWJ9+oUR9
+4TNZAoGBAMH9sFqsXKXgLjnPEtdy2GJV51oytQRBxWtB/E2minj+U1b8F336vnUp
+JEmY08KXj8weSSs+BUXKqxRWxLo2aWKXcvtpyHttdvJvHroG4Rb5xuvZWNtOFyhV
+IHA/pdwvhgvUWoM12U2DZfznKHTDrUNpo6bs7lkPqVOSemlDucpU
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12
new file mode 100644
index 0000000..4b77b58
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem
new file mode 100644
index 0000000..dc60d63
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-S05-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC/zCCAecCAQAwgbkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMScwJQYDVQQDDB5wa2luaXRAYWRkb20uc2FtYmEuZXhh
+bXBsZS5jb20xLTArBgkqhkiG9w0BCQEWHnBraW5pdEBhZGRvbS5zYW1iYS5leGFt
+cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOk6L3IT2px
+xhWo3QDWYXQA5I+1xA6Y2VGqqk/HjPlsN1xgVdp8VZzTzeLx7VE5JdX6aX6nZ5yp
+YRtcc1DQb7rOOt/+rpWVjperxrtqw2ALysKcMf/GL1K7yy/2LE2+IOEWSdMiNmZP
+XMQwEgc0iwBOW1F9QDWB3FwOr754Y4BpZ4dTl9A/12aNJooKJJX5292TDkhUyDDk
+dw1l76Rq3imRd5dAXC7tNV65Dzet2XB2mXdFjEplYxNy1cRTN1eFCm10MIxpf4Pw
+f/VnBXmAJ9Q4bUkvjSqXLjMf0ODBdhu/v7F1ismxPz/yTsWwaF52in6cV7LsPRiD
+4mXVMF619McCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBQjwN3+bsWLHsr7k9K
+bfranU8U1dKD05siA3w+Dop43G1eLzBjBrQvSUB4AMzd8a0KKD8dt0xm2s504wxU
+SAyGgUcE+a1nPazZUPw5tJVRt41S808Gzd7zU+12UZiUjpE0Y8NayAyn+n/IhNPN
+UHOFnZfgBJqWUOEO6+JyJXxYuqaXzmrYg5Kr4vr2tr9d6+hLsp3g3nJKoefPR1RS
+2PMk1zubbbjsi9VF/yK6W4QNkfcZN74tMm+kNPAhid422L4FdZSupmfGts45uFWw
+zHOOyKOGLkZ4pxNlMRKIL1aYtoyR4UetudX2CUkQsBs/w04DLehk6rjbtQPO4nTI
+QYxm
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem
new file mode 120000
index 0000000..e8d6f50
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-pkinit@addom.samba.example.com-S05-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem
new file mode 120000
index 0000000..aac9cfc
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom.samba.example.com/USER-pkinit@addom.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-pkinit@addom.samba.example.com-S05-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer
new file mode 100644
index 0000000..857f73d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem
new file mode 100644
index 0000000..794f9c2
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-cert.pem
@@ -0,0 +1,169 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Feb 28 13:31:30 2020 GMT
+ Not After : Feb 23 13:31:30 2040 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@addom2.samba.example.com/emailAddress=pkinit@addom2.samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dc:33:db:43:5e:d5:91:27:95:35:d2:86:b2:e5:
+ 70:ac:b8:cf:74:01:2c:60:4d:67:b2:2c:2d:ef:c4:
+ 04:53:4d:08:9b:ce:55:ca:7a:ab:02:29:5d:3d:27:
+ ee:3e:a3:23:2e:3e:36:8d:f1:ca:8f:a7:4b:8b:a9:
+ 39:d3:33:39:d0:b9:f4:9b:c4:14:2c:41:67:be:6a:
+ 32:b6:86:0d:70:0e:eb:6c:b1:d1:ef:92:70:ec:70:
+ 70:2d:5f:4f:ea:6c:3e:9f:ee:9a:11:32:93:5f:b0:
+ e3:51:24:e2:33:08:22:ee:69:07:c6:10:a2:3f:43:
+ 67:3c:0b:48:b6:d1:92:99:22:de:fe:da:28:e9:12:
+ ba:a7:d6:54:76:c4:3c:56:a7:c9:e4:28:18:fd:89:
+ 8a:eb:02:42:88:27:59:61:f5:bd:5f:0d:eb:ce:80:
+ 4a:84:29:e5:38:93:1d:d9:0a:50:e3:eb:72:ec:b2:
+ 73:16:ab:75:33:3a:74:fd:6c:b8:a9:b9:09:c0:30:
+ 0a:74:d4:01:3e:00:0e:89:cf:87:aa:19:f5:7b:c4:
+ 0d:4f:b1:f1:40:59:54:67:28:aa:ca:18:75:7d:96:
+ d4:4d:99:e3:b1:84:bc:e7:65:80:ea:f6:dd:30:ce:
+ cf:14:67:b5:27:09:5f:83:a5:8c:87:62:8f:5a:22:
+ d5:75
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@addom2.samba.example.com
+ X509v3 Subject Key Identifier:
+ 6A:36:04:8E:C5:C3:2C:C9:17:BA:52:66:D3:AB:0D:C3:F2:25:1A:CD
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@addom2.samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 4d:5b:aa:28:b6:e0:a4:61:63:ed:09:7a:0e:2b:b2:c9:83:73:
+ f5:28:17:2b:d5:4e:c7:7b:01:99:5d:b9:c5:93:b3:a5:e2:64:
+ 33:96:38:55:c4:a4:84:9a:d1:dc:40:56:ec:da:a7:a5:3b:7c:
+ 91:c7:8d:03:44:44:9d:a5:0a:9e:de:6a:9d:c2:80:49:93:db:
+ 4d:74:fa:3c:fd:54:de:99:9c:f8:82:63:ba:5e:81:9e:4d:ae:
+ a2:a1:09:dd:81:5a:3e:81:31:8b:ff:85:32:ae:30:9e:1a:d6:
+ 04:d9:1c:bd:a5:0e:83:29:86:f4:be:0f:81:9a:84:f4:42:42:
+ 6d:20:18:16:ef:21:ac:51:b3:34:bd:0f:b5:2c:7e:c5:21:3d:
+ f7:77:95:1e:8f:45:3e:f8:79:93:ad:35:dd:cd:97:95:fe:b6:
+ 5f:88:e7:b8:38:54:15:29:61:2f:17:91:99:74:0c:66:9a:55:
+ 5c:dd:22:19:a1:8e:c1:a5:23:45:a4:85:f2:b2:98:3b:2c:85:
+ d8:2a:8e:9c:4d:6c:9e:9e:ef:80:24:2f:57:f3:a1:1f:09:c4:
+ 44:4d:11:d2:84:87:2a:57:f0:cc:9e:38:2c:3a:68:ee:0b:be:
+ e9:48:67:ff:87:2b:29:03:25:22:8e:00:33:f8:2a:7c:11:91:
+ 17:42:fc:6c:d1:94:c6:f0:7f:ad:c3:97:cf:9f:cc:a5:be:25:
+ 33:af:d4:c4:06:17:a7:be:11:bf:51:5e:6e:b8:26:56:1e:d5:
+ d6:ce:85:05:62:02:62:92:63:48:d9:d2:0b:e4:f9:2c:a2:53:
+ 4f:5e:3d:31:07:4d:5b:c4:48:bc:d5:f0:66:98:fd:85:45:26:
+ 4b:98:4f:a2:ac:05:a0:df:ee:4e:c9:9c:2f:3c:ee:74:9d:54:
+ 83:03:d8:42:a1:ba:57:a1:d4:43:93:a0:94:e3:0c:3b:cb:eb:
+ e6:05:73:60:18:32:81:25:21:55:14:99:2b:9d:0e:b2:72:31:
+ 63:73:5a:94:b2:30:e7:16:16:4c:33:68:cb:e6:87:aa:20:c6:
+ 9c:f1:26:3b:f5:76:7a:9b:07:f7:d9:c0:6c:50:04:d6:14:06:
+ 37:e5:fc:58:18:d5:a7:c8:29:56:9e:3c:fd:03:96:e8:4e:1a:
+ 7e:6e:e3:c9:aa:e6:3f:5d:1a:cd:86:f3:17:82:3b:ff:4c:8e:
+ 6b:d2:11:84:ce:36:cc:c8:fe:31:80:43:23:fa:fe:3c:8c:57:
+ a0:a1:1e:b9:08:c1:03:af:8f:3b:6b:cb:12:e4:6a:31:94:86:
+ 7a:17:c5:9f:80:bc:bc:e0:42:7b:5a:57:ef:b7:d3:0c:5f:98:
+ 71:aa:4e:cf:b4:c7:25:33:96:54:7b:ca:90:79:6f:f8:f0:c3:
+ e7:9d:e7:d0:67:4d:7b:20:7b:9d:d0:91:4f:ab:a3:a2:99:fa:
+ 9a:74:37:33:64:0c:bf:b6:94:3f:62:5f:a5:76:1e:60:54:e6:
+ bf:3a:11:5b:f0:ba:62:12:2e:9b:99:a2:37:9f:4c:b9:e8:8e:
+ d2:81:1f:0f:26:23:3b:9a:3b:69:70:09:e4:ae:05:65:04:3e:
+ 55:06:43:1f:5e:fb:2d:e6:03:b6:c4:ca:47:66:f0:d3:2b:a0:
+ 79:e8:45:a4:df:8f:31:fd:7e:67:ca:50:e0:b0:99:9d:2c:6a:
+ 16:f0:39:01:da:7f:d7:66:15:d1:99:3b:d7:7c:8a:bf:b7:d4:
+ b1:d3:fb:e2:fc:75:82:47:fc:96:42:57:ce:4a:d5:12:07:99:
+ 5b:ae:1a:c2:98:f1:fa:3d:a7:19:88:75:c8:fa:81:60:1f:19:
+ 21:0c:25:84:a1:c3:88:30:a7:80:da:85:85:e1:42:98:76:37:
+ ab:48:75:60:2d:1d:f9:05:6e:04:e2:2b:ce:37:75:17:27:0d:
+ 87:11:d6:2b:fa:37:bf:b7:e3:d2:96:b9:d8:92:18:4a:00:45:
+ 6d:9d:c6:20:d0:6b:2c:ed:33:06:08:d7:0f:56:44:5e:68:9f:
+ 9f:20:fc:57:a8:27:68:c9:f5:f5:2e:4d:0b:3c:a9:2e:92:2b:
+ d3:88:a9:18:27:24:0f:33:90:23:b3:41:99:5b:ec:bd:ef:ba:
+ 5b:4a:b6:a9:6c:b5:a5:d4:47:1e:9c:e7:32:0c:72:98:e7:8c:
+ a4:aa:72:8f:2b:90:5f:2d:23:bf:99:62:75:47:2f:9a:79:5e:
+ 4b:8a:8c:f2:28:df:30:59:6b:62:45:4b:b6:e5:39:ab:77:f0:
+ 51:4b:b7:6f:42:0a:81:a7:c0:c9:8a:c6:09:2a:e8:35:36:53:
+ c9:5b:93:dc:a5:1e:17:b1:cc:b4:13:b5:bb:b0:df:b8:cd:68:
+ 8a:10:18:8c:de:07:33:31:68:6b:f4:6a:dc:d0:17:10:c4:2d:
+ ec:66:51:c3:01:b3:2a:f0:0e:b9:c2:4d:7c:8d:d8:ab:c0:76:
+ 79:ca:e6:ff:a4:36:da:c1:8d:2e:13:7d:15:21:72:86:ad:4b:
+ 1b:73:4f:46:2f:fa:1e:ae:e8:8f:dd:79:6c:46:57:0a:05:ef:
+ 11:04:ae:a0:c5:13:86:6a:a3:cc:9c:b7:80:ef:18:5f:67:f7:
+ 43:ef:e2:94:4f:85:06:2f:d1:7a:97:07:ed:89:7d:aa:1e:e0:
+ cf:52:63:b9:28:95:aa:6d:ca:f2:20:c2:f3:07:83:c5:f4:a2:
+ ee:20:61:88:34:12:62:05:67:8d:f2:83:25:0b:9a:89
+-----BEGIN CERTIFICATE-----
+MIII/TCCBOWgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0yMDAy
+MjgxMzMxMzBaFw00MDAyMjMxMzMxMzBaMIGnMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxKDAmBgNVBAMMH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20xLjAsBgkqhkiG9w0BCQEWH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcM9tDXtWRJ5U10oay
+5XCsuM90ASxgTWeyLC3vxARTTQibzlXKeqsCKV09J+4+oyMuPjaN8cqPp0uLqTnT
+MznQufSbxBQsQWe+ajK2hg1wDutssdHvknDscHAtX0/qbD6f7poRMpNfsONRJOIz
+CCLuaQfGEKI/Q2c8C0i20ZKZIt7+2ijpErqn1lR2xDxWp8nkKBj9iYrrAkKIJ1lh
+9b1fDevOgEqEKeU4kx3ZClDj63LssnMWq3UzOnT9bLipuQnAMAp01AE+AA6Jz4eq
+GfV7xA1PsfFAWVRnKKrKGHV9ltRNmeOxhLznZYDq9t0wzs8UZ7UnCV+DpYyHYo9a
+ItV1AgMBAAGjggIRMIICDTAJBgNVHRMEAjAAME8GA1UdHwRIMEYwRKBCoECGPmh0
+dHA6Ly93d3cuc2FtYmEuZXhhbXBsZS5jb20vY3Jscy9DQS1zYW1iYS5leGFtcGxl
+LmNvbS1jcmwuY3JsMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAwTwYJ
+YIZIAYb4QgENBEIWQFNtYXJ0IENhcmQgTG9naW4gQ2VydGlmaWNhdGUgZm9yIHBr
+aW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFGo2BI7FwyzJ
+F7pSZtOrDcPyJRrNMB8GA1UdIwQYMBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+MFsG
+A1UdEQRUMFKBH3BraW5pdEBhZGRvbTIuc2FtYmEuZXhhbXBsZS5jb22gLwYKKwYB
+BAGCNxQCA6AhDB9wa2luaXRAYWRkb20yLnNhbWJhLmV4YW1wbGUuY29tMDEGA1Ud
+EgQqMCiBJmNhLXNhbWJhLmV4YW1wbGUuY29tQHNhbWJhLmV4YW1wbGUuY29tME0G
+CWCGSAGG+EIBBARAFj5odHRwOi8vd3d3LnNhbWJhLmV4YW1wbGUuY29tL2NybHMv
+Q0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAfBgNVHSUEGDAWBggrBgEFBQcD
+AgYKKwYBBAGCNxQCAjANBgkqhkiG9w0BAQsFAAOCBAEATVuqKLbgpGFj7Ql6Diuy
+yYNz9SgXK9VOx3sBmV25xZOzpeJkM5Y4VcSkhJrR3EBW7NqnpTt8kceNA0REnaUK
+nt5qncKASZPbTXT6PP1U3pmc+IJjul6Bnk2uoqEJ3YFaPoExi/+FMq4wnhrWBNkc
+vaUOgymG9L4PgZqE9EJCbSAYFu8hrFGzNL0PtSx+xSE993eVHo9FPvh5k6013c2X
+lf62X4jnuDhUFSlhLxeRmXQMZppVXN0iGaGOwaUjRaSF8rKYOyyF2CqOnE1snp7v
+gCQvV/OhHwnERE0R0oSHKlfwzJ44LDpo7gu+6Uhn/4crKQMlIo4AM/gqfBGRF0L8
+bNGUxvB/rcOXz5/Mpb4lM6/UxAYXp74Rv1FebrgmVh7V1s6FBWICYpJjSNnSC+T5
+LKJTT149MQdNW8RIvNXwZpj9hUUmS5hPoqwFoN/uTsmcLzzudJ1UgwPYQqG6V6HU
+Q5OglOMMO8vr5gVzYBgygSUhVRSZK50OsnIxY3NalLIw5xYWTDNoy+aHqiDGnPEm
+O/V2epsH99nAbFAE1hQGN+X8WBjVp8gpVp48/QOW6E4afm7jyarmP10azYbzF4I7
+/0yOa9IRhM42zMj+MYBDI/r+PIxXoKEeuQjBA6+PO2vLEuRqMZSGehfFn4C8vOBC
+e1pX77fTDF+YcapOz7THJTOWVHvKkHlv+PDD553n0GdNeyB7ndCRT6ujopn6mnQ3
+M2QMv7aUP2JfpXYeYFTmvzoRW/C6YhIum5miN59MueiO0oEfDyYjO5o7aXAJ5K4F
+ZQQ+VQZDH177LeYDtsTKR2bw0yugeehFpN+PMf1+Z8pQ4LCZnSxqFvA5Adp/12YV
+0Zk713yKv7fUsdP74vx1gkf8lkJXzkrVEgeZW64awpjx+j2nGYh1yPqBYB8ZIQwl
+hKHDiDCngNqFheFCmHY3q0h1YC0d+QVuBOIrzjd1FycNhxHWK/o3v7fj0pa52JIY
+SgBFbZ3GINBrLO0zBgjXD1ZEXmifnyD8V6gnaMn19S5NCzypLpIr04ipGCckDzOQ
+I7NBmVvsve+6W0q2qWy1pdRHHpznMgxymOeMpKpyjyuQXy0jv5lidUcvmnleS4qM
+8ijfMFlrYkVLtuU5q3fwUUu3b0IKgafAyYrGCSroNTZTyVuT3KUeF7HMtBO1u7Df
+uM1oihAYjN4HMzFoa/Rq3NAXEMQt7GZRwwGzKvAOucJNfI3Yq8B2ecrm/6Q22sGN
+LhN9FSFyhq1LG3NPRi/6Hq7oj915bEZXCgXvEQSuoMUThmqjzJy3gO8YX2f3Q+/i
+lE+FBi/RepcH7Yl9qh7gz1JjuSiVqm3K8iDC8weDxfSi7iBhiDQSYgVnjfKDJQua
+iQ==
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem
new file mode 100644
index 0000000..1e61500
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIV6+MM3EXFiACAggA
+MBQGCCqGSIb3DQMHBAjsohDWEPj6zgSCBMgedcAX42Jx6DI9zhBX9GTM5t734KMA
+5QsAoALazfaMdUZ2oULJJeFon4s497Wc8amj661+TkvhIJNi1zRZA1ZC1xphQDsr
+yjJx8elNBHUvaJDKEE9aN+EEJ2+TkExTX6BAYeewNN0VgjV9Kpwy0ejD8gZZKBa0
+oGtmqCQTMrGdmKTuPa2H463oexgr+6futCbR/qxp9k/lRBGy6z7+sM7FvS9NVLN5
+gRrXjwFGA01Rb4Ch4ZmbU04EyJh+0EvjXC5e2t76GLp3EtjVpOuNuaZOiHQ7t/ah
+xaU5fHwoBWwuXjZc2diFvcuNNnJ0e7K9AMkfIuk/Bn4wEyo8jSAZPzEzatZf6gxg
+DoGkXaoB7Yf2+Mb0qg8IiMf/1IICHF046liDxNmnbAHOsREXJtwtV2H6gUuh+zX1
++B/jwhAXt62FUwnd4WdCHyo4NjOBwQADibiTTcgvdnkn+XKYzyNii6RGjA95mpbp
+loA71aV2QoBZH4bQ18YrCNshAf1tanZvxByjB/61IeMxz4m0BlwZbIT06rrpNLqh
+k6w7wmW2sdgN9kWb772+zUJFahNmJU4qfr8Kg/NIvqj63HMXwgCfuGLI7vUFmmhp
+dkqfadcu32XxitWYHZkvJPtCFb3AKcIR7OzWc117VuHu+kWSVhfst70LROSOXiwa
+TajBA0P83LccmR6z67/JWRvQwDc9uF+6xVM3tZga+odi/Fee/N0c2yYqxlrebmqU
+Qlp6xzjIrpTpwCBEBXgJQsv+kcIQIpDPhG8+y44OHBcHoGaDFVYX8KNcO98b1EYC
+EW6cy6PrmaE5AkC+jlPPQqcTRJvCVeq3MIUmJg2M3ivsTdlSqbCVfnJgYTnGD9sS
+pAtc1I+7OqOfp5jqHgCmnK0pdbmFLDuKJNuzNb356nNFA+CUejWzZGPth6pVFGyq
+9234oSwUCjP3kKG89JVSEflvTAEsySWHO3Vs4lyu0/1Dd1k1Bfc6YYgGH0JiXvtf
+y2Ys7u51m9NL4BgpbMvLpNmKvZlztJhGqw9Og1g/GdcURhqgajK8HGNJz1hpgzq5
+frlMKP8NnCwhID7IZzaQbcBMA9OUQds6XrB6Fd60vmTx4UMg6fIBCzLOR1lSmxcn
+64QUkepM9+jBKlWla9MlMECB2csxdlRCpSYIdguyd+i0ftEmq1ZG77+c5/9LNFSh
+SMDUJ5qg6UsFBVCmJezG0yrkPcTEmTQxAAcWN+C37cMq/3htAw3njfOGaiJliYUn
+vKc4+yZH9PQxaZB+l2pVOjJYmetcmEDnfrrUVst+xzusVzT/IyYEyC+DTi3U2Suh
+AOUoAZP2QnAEYRWsN4dcClKJt/fSBcQIIqYeljAxzi+DmxOBALHkuUd7AhozpV7P
+3F0hHD2lD3/9ncIHjHZ+DshiWVmxgvPcKFi2spbeb/CBpJ7YmkFww7C9YOctP5eq
+vIsesf2ZsGaKNbogfBRKuQP1o0FkWGqUnzVe0Ww56uGerz5EU+I/LecLAmS0e5jt
+FtAlVXcRKo7UtXMJHekQRnF70xk9gYV3qZIP7bXDh01gX/TVEL7PHeBZBkej5Mrk
+debSOuvlVxnnAYyreZl1MtnneT8L7nwi+lKRkq5aps82iUa2sKPgoFQODZrLBAyM
+HOE=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf
new file mode 100644
index 0000000..effde23
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = pkinit@addom2.samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = pkinit@addom2.samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for pkinit@addom2.samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@addom2.samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem
new file mode 100644
index 0000000..a0b894c
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3DPbQ17VkSeVNdKGsuVwrLjPdAEsYE1nsiwt78QEU00Im85V
+ynqrAildPSfuPqMjLj42jfHKj6dLi6k50zM50Ln0m8QULEFnvmoytoYNcA7rbLHR
+75Jw7HBwLV9P6mw+n+6aETKTX7DjUSTiMwgi7mkHxhCiP0NnPAtIttGSmSLe/too
+6RK6p9ZUdsQ8VqfJ5CgY/YmK6wJCiCdZYfW9Xw3rzoBKhCnlOJMd2QpQ4+ty7LJz
+Fqt1Mzp0/Wy4qbkJwDAKdNQBPgAOic+Hqhn1e8QNT7HxQFlUZyiqyhh1fZbUTZnj
+sYS852WA6vbdMM7PFGe1Jwlfg6WMh2KPWiLVdQIDAQABAoIBAHKz6HEtgx37enPw
+2A10Cr9N/XI18kGv0GY1MTCF8KLbq7JNRs8UGuQjW9gxZp7mJ7s82PoTiypNQMLd
+QavMMT+SveItvzxWTY4Yj5YYOgO3IdcawXqD06K15xkbXuuDuxNgHIz8xVvBLofk
+KJfgkyGRQGVh4MIHgEz8q8HfZPezBGIxxfjXPkZ7NEJGcVUKyhSaEn0uJ2wcWkzf
+eCx4ZNNp82MHR9OO7sMc87oJDKm38JbZPKnONU75L8Kjk+qBljCLNT71pqIFQfVD
+QFUsGDLs2aBqsP/AZjeUX6+AinBV7CQ43EB4Y8t1U62k+AaNqocg+QjdspUGsTVd
+V3XRxoECgYEA/6JFdxUnOtV0DRi/TGCN27nfASsa7JkVZLY+mJMBrPOKqK1IfXmC
+isqykMY0NLKK5pgjQqWuoiri9uuzPNwK8OfNOvJUZAsElr4OlH15yz3vjG4Jr9Hx
+EPIL1J95Nuo4mCtNx/DUHiDCWR5qvTXteKRa5Zb0FpT7BwSnzhC9KaUCgYEA3ISY
+HOiXzWiEbG5cnklPGsnkfl5br77jFbFwu1HSO+pcDTRs4yRt9CSRvtv/f82yPVw1
+p7ZU4kqos2sSgdyqr/LYzRBXpcfK8yKZB0S1irNgS5G7FRgRj4MhnIfB8zwAmWAJ
+TdIkiZHpP1LRs/A4EAveE3HbVkKR8CkgrMabE5ECgYEA9ONA5IkxIZ1mJT211LcS
+bpGq3nWqv0kPQ4GKiaMakdJk3J3Tuc/zjH4Nfb9CN9FqWukXrjsGBnhLIPw+omix
+WoLVCkknKwebB8VeNkXVrSvSFZc8VGAsLW2Sg8eZ2U+bk7q4Mne03H/JbpJC8qt8
+qHvaT+LCRffGWrzM/AzxCbkCgYEAu2wCsQdLBi0f59zA4VNjZVxU1Maz3KI79VMT
+glHfgkcFJ7/4D/IFdeyi5vmqpWAZbqdxfvKsIIzd52hImZEIjXS0qU2LgP5XUuCD
++bZ/KbydSn046YvEWRpVtel4gZfs1m7WWYsSvM4D1Ws5ilrP+2tqu1IY3q7DxL/f
+4pkGctECgYBa4TCPS3pxG6trEA5J2U4GaL5poK1MXXSd1CAkdij3npxYP2siRNz5
+SMA/TvJEA6wzhsbA6kqpESmPFim6IfywGdE6WbNu/dEA00EmLW+YeBGVBGVaUro4
+gz3ruHdztghRJFNrN4sjYGiPjKTG74U/aUNIGZXsxTJA8R8U0Y8KPw==
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12
new file mode 100644
index 0000000..ea4d241
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem
new file mode 100644
index 0000000..7c0934a
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-S08-req.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDATCCAekCAQAwgbsxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMSgwJgYDVQQDDB9wa2luaXRAYWRkb20yLnNhbWJhLmV4
+YW1wbGUuY29tMS4wLAYJKoZIhvcNAQkBFh9wa2luaXRAYWRkb20yLnNhbWJhLmV4
+YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3DPbQ17V
+kSeVNdKGsuVwrLjPdAEsYE1nsiwt78QEU00Im85VynqrAildPSfuPqMjLj42jfHK
+j6dLi6k50zM50Ln0m8QULEFnvmoytoYNcA7rbLHR75Jw7HBwLV9P6mw+n+6aETKT
+X7DjUSTiMwgi7mkHxhCiP0NnPAtIttGSmSLe/too6RK6p9ZUdsQ8VqfJ5CgY/YmK
+6wJCiCdZYfW9Xw3rzoBKhCnlOJMd2QpQ4+ty7LJzFqt1Mzp0/Wy4qbkJwDAKdNQB
+PgAOic+Hqhn1e8QNT7HxQFlUZyiqyhh1fZbUTZnjsYS852WA6vbdMM7PFGe1Jwlf
+g6WMh2KPWiLVdQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAFdpb3Rsn94pfog0
+u423+MP/Y3Kt/mjLUV++hmGzIi8rAFLAjQTSlM+uGF3895+kIzH9k+y0d8nYiN2n
+GPhsj4KKKurtiAsykKdE3+da0sQ/DdL7FXq7AvjzQOcoUpU3tRncNApW8mD91Yuk
+YpOMysX1PhNbUK8+E+jzP8lngs6cu5yKbeK8JF/0GI74XoCB4+oVKO23SgjXOrmw
+4lDKMYD7L9+N8/a6g29JEhwjxx+BTKjwjehQlkO0zT2ZRzEGk9LPoJY8CWiS31l0
+FHlUhO+drJygaFDqSd82hmo6oBSO81evk3Vow7po/E9UGVJY2X9nfGXS9+HlV/kW
+IYOVlmQ=
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem
new file mode 120000
index 0000000..aa6521d
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-pkinit@addom2.samba.example.com-S08-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem
new file mode 120000
index 0000000..3784f3f
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@addom2.samba.example.com/USER-pkinit@addom2.samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-pkinit@addom2.samba.example.com-S08-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer
new file mode 100644
index 0000000..9a8d7ae
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.cer
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem
new file mode 100644
index 0000000..730b824
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-cert.pem
@@ -0,0 +1,168 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=SambaState, L=SambaCity, O=SambaSelfTesting, OU=CA Administration, CN=CA of samba.example.com/emailAddress=ca-samba.example.com@samba.example.com
+ Validity
+ Not Before: Jun 3 19:30:29 2016 GMT
+ Not After : May 29 19:30:29 2036 GMT
+ Subject: C=US, ST=SambaState, O=SambaSelfTesting, OU=Users, CN=pkinit@samba.example.com/emailAddress=pkinit@samba.example.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:dd:c4:48:44:a5:e9:6b:b4:41:03:6a:dc:34:1f:
+ d6:41:ce:f7:cb:b2:44:a7:a3:0e:89:16:ff:0d:62:
+ 23:e0:8b:24:db:82:82:68:29:22:1b:57:44:12:c6:
+ ea:10:2d:6f:3a:4b:75:b1:2e:76:62:01:62:ff:ba:
+ 3d:67:e1:39:0d:12:38:b0:fc:b3:e5:0e:dd:77:73:
+ 2b:99:25:86:d5:15:84:08:be:b0:8b:38:d7:64:9d:
+ d6:e7:dc:4d:9a:fb:ea:17:41:bb:d1:cf:1a:b9:5b:
+ 0b:8a:e5:8c:5a:b7:2d:ab:bd:f7:c3:91:ae:26:c2:
+ e3:97:27:ea:3f:be:c9:22:af:d6:76:35:45:b0:72:
+ 86:f2:bd:bf:e2:d3:e3:e3:68:52:26:db:f0:a6:6a:
+ 0e:63:05:9b:17:6d:13:ee:c4:15:41:96:27:06:90:
+ fd:10:b5:f9:6c:74:be:b0:a8:bb:70:f7:a2:25:da:
+ f7:f1:91:c2:69:6c:40:c4:63:e8:06:83:e0:1d:b7:
+ 2b:29:d3:75:d1:df:c1:d2:90:af:b9:81:47:78:f3:
+ f1:1a:c9:20:e3:1b:6f:e4:fd:2e:0b:65:a7:6f:b1:
+ b2:a0:d3:e3:d2:2f:2b:ef:fd:01:5b:27:e7:1b:c1:
+ 0e:bc:bd:f0:7b:b2:34:a9:9b:4d:2c:c8:65:33:c8:
+ 33:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 CRL Distribution Points:
+
+ Full Name:
+ URI:http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+ Netscape Cert Type:
+ SSL Client, S/MIME
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Netscape Comment:
+ Smart Card Login Certificate for pkinit@samba.example.com
+ X509v3 Subject Key Identifier:
+ E9:67:66:B8:3D:F1:39:AB:1A:4D:00:9D:EC:CE:FF:4B:50:D8:5D:A2
+ X509v3 Authority Key Identifier:
+ keyid:A2:3E:02:2A:A3:A7:4D:39:B4:08:4D:99:CC:0C:75:36:EA:27:C3:3E
+
+ X509v3 Subject Alternative Name:
+ email:pkinit@samba.example.com, othername:<unsupported>
+ X509v3 Issuer Alternative Name:
+ email:ca-samba.example.com@samba.example.com
+ Netscape CA Revocation Url:
+ http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+ X509v3 Extended Key Usage:
+ TLS Web Client Authentication, scardLogin
+ Signature Algorithm: sha256WithRSAEncryption
+ 88:3e:f3:98:08:ef:cd:53:3a:07:d5:1c:fd:26:7c:f1:96:2e:
+ b9:06:87:f2:5b:e2:be:d1:04:6e:38:59:14:49:9d:46:ef:7e:
+ 6c:08:02:3e:18:09:09:61:a8:1d:a9:da:59:40:58:5f:d2:ca:
+ 4f:76:0e:7e:01:db:05:03:fb:78:c7:89:86:aa:1b:dc:02:bb:
+ 86:a5:02:7c:01:54:dd:ad:e0:43:c5:d9:ec:86:c2:47:b5:5a:
+ 1c:8c:06:0e:fe:11:ad:a5:57:37:f5:0a:35:65:a4:f2:27:14:
+ 2f:bf:53:48:66:e1:da:b9:58:95:a2:d1:95:9c:ae:0a:ca:29:
+ a6:ef:7a:58:74:86:40:ea:2a:c6:18:9f:1a:d9:70:e2:a8:aa:
+ 8d:f1:22:bf:b6:e4:61:d4:21:ee:bf:17:e1:aa:d1:cf:0b:35:
+ 82:c7:3f:a1:be:d1:a5:bd:4e:04:0d:cf:11:2d:d6:0c:7e:47:
+ 5c:5e:84:d2:10:60:7e:97:d7:52:be:a1:cd:2d:85:da:b2:dd:
+ 68:88:12:a4:88:5f:16:0c:ae:6f:60:7f:da:58:5f:91:bd:8d:
+ 15:20:c2:74:94:0b:93:65:80:7c:77:15:a2:70:bb:98:be:41:
+ 1a:2e:c5:78:52:64:e7:44:03:3f:64:97:10:a9:1b:17:f3:79:
+ f9:51:0c:4c:58:e7:03:e7:bb:fd:34:ff:c0:4a:ad:b1:7a:ba:
+ 97:3c:f8:e0:9e:30:3d:e7:5f:be:ac:6a:b3:c1:1e:50:7c:cd:
+ ce:18:bd:96:73:fb:9c:90:e7:ae:e0:be:c5:65:29:9a:1c:da:
+ c3:64:2a:99:dc:93:61:32:9a:70:1a:45:83:72:38:0f:57:de:
+ 0d:f5:64:71:97:de:b5:64:99:43:30:6d:3f:25:82:b5:3e:a1:
+ ba:39:d2:fc:b8:df:7e:57:da:fc:be:c2:84:2e:99:41:52:a2:
+ 18:f4:99:c7:e2:b9:af:2a:84:32:5c:cb:ba:26:86:6b:8e:58:
+ 30:d8:4f:5b:60:34:fd:30:de:c5:a0:7a:8c:e7:34:2b:bc:81:
+ 6d:4c:a8:b5:ba:b5:52:b9:42:e5:d8:7e:be:31:a3:8e:b0:c3:
+ f6:16:28:92:e7:9d:3f:c8:cf:a0:4a:b0:3a:ae:75:59:ab:19:
+ 91:e4:2e:76:57:3f:58:88:5f:2e:7b:c5:8f:11:25:0f:cd:8f:
+ e3:91:80:2f:d4:7b:5a:80:c3:c9:7c:0a:aa:01:bf:5c:8c:0e:
+ 57:84:bf:72:ad:7b:0a:b9:95:27:0f:aa:9b:96:08:8e:bb:63:
+ 56:5a:1d:ad:0c:5b:1c:04:38:ae:2b:88:d4:d1:68:20:f2:a0:
+ 9b:77:9c:95:db:17:cb:cf:79:4a:13:66:c9:34:36:f6:c6:f9:
+ 8b:4b:92:5e:59:a3:5d:75:4e:fa:f2:fa:d5:d9:66:80:82:a4:
+ 8d:e2:d8:b6:ed:c5:a3:ca:a2:70:64:9c:b9:1c:49:b2:2f:46:
+ b3:13:3b:88:a7:5a:8e:22:b7:90:f5:74:27:21:06:a4:94:bb:
+ b1:cb:e7:e4:92:f0:e9:80:15:94:82:1a:97:34:d0:cf:aa:37:
+ b1:27:a5:38:39:7c:8d:ba:a1:12:dd:30:48:44:90:0c:35:0f:
+ cc:e6:13:e7:c9:06:36:1d:b0:c9:be:28:0f:47:1c:b0:47:a3:
+ 20:d1:bb:a1:85:1a:80:c2:9b:70:61:9f:a7:82:46:3c:80:28:
+ 0c:17:f6:fc:75:83:be:ff:5c:da:bc:be:2c:65:a6:c0:fc:c1:
+ 32:ae:9a:bf:d1:7c:fb:b3:26:3b:77:03:fe:a9:e9:ae:4c:72:
+ 58:a9:6e:ce:ad:c0:1f:30:b2:06:32:65:af:5f:db:3d:2b:ab:
+ c5:46:5c:0a:df:50:b5:7e:31:c8:b0:7e:50:e2:aa:d8:01:8e:
+ ea:e7:3c:8b:90:73:de:77:9f:47:ea:af:16:0d:a5:c0:89:6f:
+ 86:a4:84:f7:1f:03:fd:7d:f8:a8:7d:9c:9a:f1:13:c8:d5:5b:
+ 9c:2f:71:c1:c0:c2:17:89:39:6d:28:2d:20:31:ca:60:cf:7f:
+ 78:42:5c:a3:28:76:19:a8:ca:e6:07:22:6d:7f:04:b1:20:ab:
+ 70:40:33:e9:a3:fa:da:b5:7c:ee:70:0b:c6:a2:6a:90:1a:10:
+ fe:8a:9b:56:5c:44:85:f1:b4:41:67:0b:c1:a3:68:2f:ff:b1:
+ 48:f3:38:4b:28:4e:52:36:0c:9b:37:aa:7e:82:63:c3:61:33:
+ a9:05:b3:af:13:07:b3:9e:4d:4c:3c:c4:47:34:ce:f3:6e:55:
+ 69:d7:af:dc:e4:82:34:9b:fe:cc:d9:db:1f:08:3e:3c:3a:9b:
+ ac:a7:7e:61:3f:5f:01:0c:d8:f3:63:31:31:07:e2:05:84:30:
+ 65:f4:b0:a6:cc:ad:63:fe:06:db:d7:e9:2f:9d:db:2c:64:af:
+ d6:d1:cc:9e:c3:11:09:ad:7d:e2:06:6d:21:ad:a5:4f:a6:87:
+ 9b:ee:db:6c:e9:69:a7:6a:eb:93:67:e2:e9:6f:23:f8:2e:95:
+ 78:5f:a8:66:ae:7e:2c:5e:6b:07:3e:02:ad:20:af:61:9c:0e:
+ 1d:c6:7a:31:5a:33:bd:61:1a:67:5b:a9:42:3c:17:67:f8:dd:
+ 80:e3:ab:62:a0:42:53:33:1f:f7:79:ea:32:d1:26:dd:bb:c6:
+ 26:aa:2c:ac:16:7e:24:b4:ae:7d:ce:77:e8:5f:2d:97
+-----BEGIN CERTIFICATE-----
+MIII2jCCBMKgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBxjELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMClNhbWJhU3RhdGUxEjAQBgNVBAcMCVNhbWJhQ2l0eTEZMBcGA1UE
+CgwQU2FtYmFTZWxmVGVzdGluZzEaMBgGA1UECwwRQ0EgQWRtaW5pc3RyYXRpb24x
+IDAeBgNVBAMMF0NBIG9mIHNhbWJhLmV4YW1wbGUuY29tMTUwMwYJKoZIhvcNAQkB
+FiZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5leGFtcGxlLmNvbTAeFw0xNjA2
+MDMxOTMwMjlaFw0zNjA1MjkxOTMwMjlaMIGZMQswCQYDVQQGEwJVUzETMBEGA1UE
+CAwKU2FtYmFTdGF0ZTEZMBcGA1UECgwQU2FtYmFTZWxmVGVzdGluZzEOMAwGA1UE
+CwwFVXNlcnMxITAfBgNVBAMMGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTEnMCUG
+CSqGSIb3DQEJARYYcGtpbml0QHNhbWJhLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/
+DWIj4Isk24KCaCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3Mr
+mSWG1RWECL6wizjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfq
+P77JIq/WdjVFsHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+
+sKi7cPeiJdr38ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0u
+C2Wnb7GyoNPj0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABo4IB/DCC
+AfgwCQYDVR0TBAIwADBPBgNVHR8ESDBGMESgQqBAhj5odHRwOi8vd3d3LnNhbWJh
+LmV4YW1wbGUuY29tL2NybHMvQ0Etc2FtYmEuZXhhbXBsZS5jb20tY3JsLmNybDAR
+BglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgXgMEgGCWCGSAGG+EIBDQQ7FjlT
+bWFydCBDYXJkIExvZ2luIENlcnRpZmljYXRlIGZvciBwa2luaXRAc2FtYmEuZXhh
+bXBsZS5jb20wHQYDVR0OBBYEFOlnZrg98TmrGk0AnezO/0tQ2F2iMB8GA1UdIwQY
+MBaAFKI+Aiqjp005tAhNmcwMdTbqJ8M+ME0GA1UdEQRGMESBGHBraW5pdEBzYW1i
+YS5leGFtcGxlLmNvbaAoBgorBgEEAYI3FAIDoBoMGHBraW5pdEBzYW1iYS5leGFt
+cGxlLmNvbTAxBgNVHRIEKjAogSZjYS1zYW1iYS5leGFtcGxlLmNvbUBzYW1iYS5l
+eGFtcGxlLmNvbTBNBglghkgBhvhCAQQEQBY+aHR0cDovL3d3dy5zYW1iYS5leGFt
+cGxlLmNvbS9jcmxzL0NBLXNhbWJhLmV4YW1wbGUuY29tLWNybC5jcmwwHwYDVR0l
+BBgwFgYIKwYBBQUHAwIGCisGAQQBgjcUAgIwDQYJKoZIhvcNAQELBQADggQBAIg+
+85gI781TOgfVHP0mfPGWLrkGh/Jb4r7RBG44WRRJnUbvfmwIAj4YCQlhqB2p2llA
+WF/Syk92Dn4B2wUD+3jHiYaqG9wCu4alAnwBVN2t4EPF2eyGwke1WhyMBg7+Ea2l
+Vzf1CjVlpPInFC+/U0hm4dq5WJWi0ZWcrgrKKabvelh0hkDqKsYYnxrZcOKoqo3x
+Ir+25GHUIe6/F+Gq0c8LNYLHP6G+0aW9TgQNzxEt1gx+R1xehNIQYH6X11K+oc0t
+hdqy3WiIEqSIXxYMrm9gf9pYX5G9jRUgwnSUC5NlgHx3FaJwu5i+QRouxXhSZOdE
+Az9klxCpGxfzeflRDExY5wPnu/00/8BKrbF6upc8+OCeMD3nX76sarPBHlB8zc4Y
+vZZz+5yQ567gvsVlKZoc2sNkKpnck2EymnAaRYNyOA9X3g31ZHGX3rVkmUMwbT8l
+grU+obo50vy4335X2vy+woQumUFSohj0mcfiua8qhDJcy7omhmuOWDDYT1tgNP0w
+3sWgeoznNCu8gW1MqLW6tVK5QuXYfr4xo46ww/YWKJLnnT/Iz6BKsDqudVmrGZHk
+LnZXP1iIXy57xY8RJQ/Nj+ORgC/Ue1qAw8l8CqoBv1yMDleEv3Ktewq5lScPqpuW
+CI67Y1ZaHa0MWxwEOK4riNTRaCDyoJt3nJXbF8vPeUoTZsk0NvbG+YtLkl5Zo111
+Tvry+tXZZoCCpI3i2LbtxaPKonBknLkcSbIvRrMTO4inWo4it5D1dCchBqSUu7HL
+5+SS8OmAFZSCGpc00M+qN7EnpTg5fI26oRLdMEhEkAw1D8zmE+fJBjYdsMm+KA9H
+HLBHoyDRu6GFGoDCm3Bhn6eCRjyAKAwX9vx1g77/XNq8vixlpsD8wTKumr/RfPuz
+Jjt3A/6p6a5Mclipbs6twB8wsgYyZa9f2z0rq8VGXArfULV+MciwflDiqtgBjurn
+PIuQc953n0fqrxYNpcCJb4akhPcfA/19+Kh9nJrxE8jVW5wvccHAwheJOW0oLSAx
+ymDPf3hCXKModhmoyuYHIm1/BLEgq3BAM+mj+tq1fO5wC8aiapAaEP6Km1ZcRIXx
+tEFnC8GjaC//sUjzOEsoTlI2DJs3qn6CY8NhM6kFs68TB7OeTUw8xEc0zvNuVWnX
+r9zkgjSb/szZ2x8IPjw6m6ynfmE/XwEM2PNjMTEH4gWEMGX0sKbMrWP+BtvX6S+d
+2yxkr9bRzJ7DEQmtfeIGbSGtpU+mh5vu22zpaadq65Nn4ulvI/gulXhfqGaufixe
+awc+Aq0gr2GcDh3GejFaM71hGmdbqUI8F2f43YDjq2KgQlMzH/d56jLRJt27xiaq
+LKwWfiS0rn3Od+hfLZc=
+-----END CERTIFICATE-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem
new file mode 100644
index 0000000..44f2dca
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI3lMKoRxwFl4CAggA
+MBQGCCqGSIb3DQMHBAh3N+m1jtZvYgSCBMjc0ubJOkfSna22cqDmoGRkN/3T/nfk
+zjaeXgq95J/FKJjrDL8t+ywAM/Xrs5CIRraaiJQ2ddYy6ViaKsoK00lVxx1zelFA
+7HZke3gXQnmJEXxnb2cCJhYwX5ElT/QoSgxh9cLuLnw/4HVp4K0wCAjmCkYtCc32
+HvqCJJU2Gj97rVMr43jz/GISBKdFtzBSP059SRNgutczONs4zBV3YZNYMOO+GZWF
+Gt46vy0rzEgEku9PdNSBG48j2VCidj6VzJSDzrS8gMcNVd65quzCoCLoaUZ+Xgf0
+T28rwElhRe0Khji1fW2KyeyMNwtivKZPVOzOkS4gdmRZq64WdZBSC0yL4VepXXML
+wUtPORgYZ0VkkLZHJ5exLQJESQz68CX9kiryoZgDbZMcYzDBI4lkFwtqRTKRbmM+
+K4VPVxqWREAmnMPBfdDBRKi0yml2Y53Eq5PAhCqkhbFe5JiZ5OGlwGY+zPiFZ+65
+EYHTcjCW1NIY1GTKYp7AYQ0JX4tNqFQon+9GLmowODQeW0DkcCKabHNTNUnCwW0d
+qxyzC+gUEMCas1ZjVlkxeTEzYm7820DierzEc2pdvWRm6p8EHlFOboD65HpxpG4h
+wYbe2ctNoB0gpaFDgaEsECxJ6ZxkMk2x39UPlAawkVshGs9W8StIxHgSUv4H9T/S
+9SAiQKQOGOpyj0V+zfq6IW/XXK+lbV5CRSYwSAmC1JuEeR8Hy6guPmjNC4Otp/5j
+NjiYDHWtQKvnYJDZOZraW1QqHlrwB6SNt3EAWYHR+d/OOPedeUh/WvtT7brnPu1Z
+fQPkQLJtKyvG6rkNvAJl3Zl67cz3D3G1J/MSpFXc4dUcTKfldR5uSQSpVqFEWqmw
+hgBxsv7OI0c/NMFt1JmUpQTMxhFqLKCjwVI9LZgJfl+EFPI5PCJY7mHBMfhDgZek
+epAS7V+zaVOXZw41unk8HGgTx+u64g5cM8QEfs23RSu8t2122p7q4n1qgZ9pWtQZ
+hwxhqvI4I4fnFVqgBRih9xQ3Vg/jCCtRLEPtrtlYYHGhejZ+6oSNN11aacOoVoBj
+15rdwA45ch/W62ktHwvjoE8welXUOmjLLYh3zZH0tqdwOMDv0MRAjC0k4tACYClC
+TqHipCjqead5vZRM40hCzE70AB4pLm6utAseJb8C/EweqlbhBaYqqPFZo/GdqD8s
+9hQ3NU29ynrtIeuj359y9gLQU4Tc+dU8f6bxTE5IKrTwk552695lODKb5R4J1rN9
+weY1fcXWCHPiVJhmFnWo11nNPt7vS+m0eUCVdAAOdPoZwBLswTD6wCxquXXLi7wR
+1a4vA8inf/nV+8kHebyhrQdS3uekqQZbPbfE545csLXnJdb+N418q/Vxw9lIH+N0
+90GeOdWGM34fXRzrPFlDSW5IhKDSR8+4tU71Fq4kwI1Z1AFN4oJUgcRRNm/fdd3w
+V1PLnYYpTIFpunuerCDqYtHiIh2uwtWUWzPgIK7mm/UV5VSDsWTYktPlkTxEAwzm
+ktuharKIvzLA13p5PXBHpjv27wJjgs6kPuWgBpG1IosC4nDq2355lBLqFSgK1pUt
+Px6tls4RkaOTk8+t6J6W2ZeaF4Nu7kG6qnTqUuBkshcqcS3A53i2m0O/ug7n3vfU
+QHM=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf
new file mode 100644
index 0000000..3ece25f
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-openssl.cnf
@@ -0,0 +1,242 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = http://www.samba.example.com/crls/CA-samba.example.com-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = CA-samba.example.com # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-samba.example.com-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-samba.example.com-cert.pem # The CA certificate
+serial = $dir/Private/CA-samba.example.com-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-samba.example.com-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-samba.example.com-crl.pem # The current CRL
+crl = $dir/Public/CA-samba.example.com-crl.crl # The current CRL
+private_key = $dir/Private/CA-samba.example.com-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-samba.example.com.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = 7300 # how long to certify for
+default_crl_days= 7300 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = SambaState
+
+localityName = Locality Name (eg, city)
+localityName_default = SambaCity
+
+organizationName = Organization Name (eg, company)
+organizationName_default = SambaSelfTesting
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Users
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = pkinit@samba.example.com
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = pkinit@samba.example.com
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for pkinit@samba.example.com"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:pkinit@samba.example.com
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem
new file mode 100644
index 0000000..5492ba3
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA3cRIRKXpa7RBA2rcNB/WQc73y7JEp6MOiRb/DWIj4Isk24KC
+aCkiG1dEEsbqEC1vOkt1sS52YgFi/7o9Z+E5DRI4sPyz5Q7dd3MrmSWG1RWECL6w
+izjXZJ3W59xNmvvqF0G70c8auVsLiuWMWrctq733w5GuJsLjlyfqP77JIq/WdjVF
+sHKG8r2/4tPj42hSJtvwpmoOYwWbF20T7sQVQZYnBpD9ELX5bHS+sKi7cPeiJdr3
+8ZHCaWxAxGPoBoPgHbcrKdN10d/B0pCvuYFHePPxGskg4xtv5P0uC2Wnb7GyoNPj
+0i8r7/0BWyfnG8EOvL3we7I0qZtNLMhlM8gzFwIDAQABAoIBAQCgUBQuDAIBafzV
+i5pD0//+8q8PAX+/74/Cam1WL2vgFrY+OMosog+V1C/RoxnxN+cALSyXOQ87KeV3
+GBrrzVSArnts9kDVhTlz8D3EJ+ygfT1FVRQqkJykj7WbRxaSwykmRs6PjTe0Zqyh
+a+9aZLEPRfSl29oZCymbS697BWBBQaKT/KKbVct9ViJhr8LjXjRYu1HGJuBY/kl4
+NFJFnmgL9KDlbkh9kNxVdLU1P4Ln9Yur13aV2OnVKkbgeTxFSsQrQbnyRjjtEtpE
+ePTimmtbE8Epvd8BM8Pq1geD7NlBH1+Nmi+1mD3r0YNqnvRcqCpEWDS9dL/Mgs4B
+/OgjX90BAoGBAP1VQLWZBgy1aSu7AIUtdAFsxmU6ecjh4ISczoHOe7b6xITEWYtB
+S3ai7gA0+g/iPiKzIAVmyI5/pWBa/h8UnMFm5UoZYSBtI2o8nRAxMnlXJ3Ny7OM5
+QBluT0uEKtj7N/KEpbe61hNH7sVoyq+RJgGCGq9bbxZjAdlqgdkN0w7ZAoGBAOAZ
+9N+Aru0f1vU0b9U6Dh/XTvtgOFd9AJbrXyQZRqbYQguYgWB0aZfDH3TarGDRbIf/
+/Alhoo7gatIstDgjDxk8GuhOFvlimNrf8RC6oTXDvPLnwekdAL7/fMOyFsTegxWL
+1J305SNa8FL3G0Fr2HxCUa0UoCk/wVau78atpvtvAoGAEYmqXigG1DBm5IEgqxeX
+dVXLckyXC8IfYe7dGP1rcSJxImPZcxuFFuR2p4sDWMAn3w0ZhWY1MjBCCaai+xHZ
+PEZcT0HsiGslzX/+u5U8UkwnTgXBwoU/G8OYN7khoj3aBK8MLekAUvti20XC6l6Z
+C/eu0z74NMuL4DpQXO9pEhkCgYBNtfKKRo9iPvZFlWdqY3VeaUVEOjuPaxN3Qit9
+0x4C4V8Vsk666eNr8wfHd8Tq1fRyvLvjbO336a5hL4tXJCEqOQODpwCkfiJPU/S+
+PlmE0VmGSgOeGKaXlPToz6rBnf+KyzBxjeifd/t6aaIT75fkjwLPqCVZ6Hfc3VDc
+bn9HFQKBgF8+kghkOG15fchOAaqRq+nqmfJNKQPf9VxGBF+LPaXJdK1XOjnfUIxd
+wVkPpic5HfAbZfYCChSPYWV07s3V7Muqz5mJ/TxijMVjLwRZQqcXNqA9rufoaz7i
+3lHgGTaPLBVnz06lPMHTuyXid+QK3xHsFeT+NQ2NSfRucTCTnSJ3
+-----END RSA PRIVATE KEY-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12 b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12
new file mode 100644
index 0000000..f83f831
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-private.p12
Binary files differ
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem
new file mode 100644
index 0000000..72e7383
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-S04-req.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC8zCCAdsCAQAwga0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTYW1iYVN0YXRl
+MRIwEAYDVQQHDAlTYW1iYUNpdHkxGTAXBgNVBAoMEFNhbWJhU2VsZlRlc3Rpbmcx
+DjAMBgNVBAsMBVVzZXJzMSEwHwYDVQQDDBhwa2luaXRAc2FtYmEuZXhhbXBsZS5j
+b20xJzAlBgkqhkiG9w0BCQEWGHBraW5pdEBzYW1iYS5leGFtcGxlLmNvbTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3ESESl6Wu0QQNq3DQf1kHO98uy
+RKejDokW/w1iI+CLJNuCgmgpIhtXRBLG6hAtbzpLdbEudmIBYv+6PWfhOQ0SOLD8
+s+UO3XdzK5klhtUVhAi+sIs412Sd1ufcTZr76hdBu9HPGrlbC4rljFq3Lau998OR
+ribC45cn6j++ySKv1nY1RbByhvK9v+LT4+NoUibb8KZqDmMFmxdtE+7EFUGWJwaQ
+/RC1+Wx0vrCou3D3oiXa9/GRwmlsQMRj6AaD4B23KynTddHfwdKQr7mBR3jz8RrJ
+IOMbb+T9Lgtlp2+xsqDT49IvK+/9AVsn5xvBDry98HuyNKmbTSzIZTPIMxcCAwEA
+AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAS1xXnu2962UGX+uGRd546a81d3UBr6fbe
+0fFemBBdXqLcOS7dIksjrn0Nuf+L9RFBFX8J+j5W769GvbctoVriuyC6BUU6UmKd
+WMUgg6DpqhqOUW9Ze7bnHJc7JKwsgUQCmK1lEveS2ZyA9eUMOB4Wt6w+Fa4aJ51u
+vm590qbs5gmeWHMTE7svG0oxwoT0bhT95sKSlfbuMM5v9XS72ZNkkcmmg/i0/Kpw
+XXevmng9bVtZS4ajyGyFMQ45u5OauJwYJDFOjOqzo+YyglCyyrj5XJBYy7aajRPz
+Bre7Pub8WwLFJyw6Chc++8VSgqBXN57RS64eSY58ChNyQYcj8vB2
+-----END CERTIFICATE REQUEST-----
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem
new file mode 120000
index 0000000..e8fe413
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-cert.pem
@@ -0,0 +1 @@
+USER-pkinit@samba.example.com-S04-cert.pem \ No newline at end of file
diff --git a/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem
new file mode 120000
index 0000000..53e9e41
--- /dev/null
+++ b/selftest/manage-ca/CA-samba.example.com/Users/pkinit@samba.example.com/USER-pkinit@samba.example.com-private-key.pem
@@ -0,0 +1 @@
+USER-pkinit@samba.example.com-S04-private-key.pem \ No newline at end of file
diff --git a/selftest/manage-ca/manage-CA-samba.example.com.cnf b/selftest/manage-ca/manage-CA-samba.example.com.cnf
new file mode 100644
index 0000000..65c9b95
--- /dev/null
+++ b/selftest/manage-ca/manage-CA-samba.example.com.cnf
@@ -0,0 +1,21 @@
+#
+# All passwords are "1234"
+#
+
+CRL_HTTP_BASE="http://www.samba.example.com/crls"
+CRL_SSH_BASE="none@samba.example.com:/none/crls"
+DNS_DOMAIN="samba.example.com"
+
+CA_BITS="8192"
+DC_BITS="4096"
+USER_BITS="2048"
+# 20 years should be enough
+CA_DAYS="7300"
+CRL_DAYS="7300"
+DC_DAYS="7300"
+USER_DAYS="7300"
+
+COUNTRY_NAME="US"
+STATE_NAME="SambaState"
+LOCALITY_NAME="SambaCity"
+ORGANIZATION_NAME="SambaSelfTesting"
diff --git a/selftest/manage-ca/manage-CA-samba.example.com.sh b/selftest/manage-ca/manage-CA-samba.example.com.sh
new file mode 100644
index 0000000..12762fe
--- /dev/null
+++ b/selftest/manage-ca/manage-CA-samba.example.com.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+
+set -e
+set -u
+set -x
+
+#
+# All passwords are "1234"
+#
+
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf init_ca
+# DONE #
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_dc localdc.samba.example.com 0123456789ABCDEF
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user administrator@samba.example.com
+# DONE #
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_dc addc.addom.samba.example.com 0123456789ABCDEF
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user administrator@addom.samba.example.com
+
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user pkinit@samba.example.com
+# DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user pkinit@addom.samba.example.com
+
+#DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_dc addcsmb1.addom2.samba.example.com 0123456789ABCDEF
+#DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user administrator@addom2.samba.example.com
+#DONE # ./manage-ca.sh manage-CA-samba.example.com.cnf create_user pkinit@addom2.samba.example.com
diff --git a/selftest/manage-ca/manage-ca.sh b/selftest/manage-ca/manage-ca.sh
new file mode 100755
index 0000000..8e09a93
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.sh
@@ -0,0 +1,387 @@
+#!/bin/bash
+#
+
+set -e
+set -u
+#set -x
+
+umask 022
+
+function print_usage()
+{
+ echo "Usage:"
+ echo ""
+ echo "${0} <CNF_FILE> <CMD> [<ARG1> [<ARG2>]]"
+ echo ""
+ echo "${0} <CNF_FILE> init_ca"
+ echo "${0} <CNF_FILE> update_crl"
+ echo "${0} <CNF_FILE> publish_crl"
+ echo "${0} <CNF_FILE> create_dc <DC_DNS_NAME> <DC_OBJECTGUID_HEX>"
+ echo "${0} <CNF_FILE> revoke_dc <DC_DNS_NAME> <REVOKE_RESON>"
+ echo "${0} <CNF_FILE> create_user <USER_PRINCIPAL_NAME>"
+ echo "${0} <CNF_FILE> revoke_user <USER_PRINCIPAL_NAME> <REVOKE_RESON>"
+ echo ""
+}
+
+function check_arg()
+{
+ local k="${1}"
+ local v="${2}"
+
+ test -n "${v}" || {
+ print_usage
+ echo "ERROR: CMD[${CMD}] argument <${k}> missing"
+ return 1
+ }
+
+ return 0
+}
+CNF="${1-}"
+test -n "${CNF}" || {
+ print_usage
+ echo "ERROR: speficy <CNF_FILE> see manage-ca.templates.d/manage-CA-example.com.cnf"
+ exit 1
+}
+test -e "${CNF}" || {
+ print_usage
+ echo "ERROR: CNF_FILE[${CNF}] does not exist"
+ exit 1
+}
+CMD="${2-}"
+CMDARG1="${3-}"
+CMDARG2="${4-}"
+
+TEMPLATE_DIR="manage-ca.templates.d"
+DEFAULT_VARS=""
+DEFAULT_VARS="${DEFAULT_VARS} CRL_HTTP_BASE DNS_DOMAIN DEFAULT_BITS"
+DEFAULT_VARS="${DEFAULT_VARS} DEFAULT_BITS DEFAULT_DAYS DEFAULT_CRL_DAYS"
+DEFAULT_VARS="${DEFAULT_VARS} COUNTRY_NAME STATE_NAME LOCALITY_NAME ORGANIZATION_NAME"
+DEFAULT_VARS="${DEFAULT_VARS} ORGANIZATIONAL_UNIT_NAME COMMON_NAME EMAIL_ADDRESS"
+
+source "${CNF}"
+
+DEFAULT_BITS=${DEFAULT_BITS:=8192}
+CA_BITS=${CA_BITS:=${DEFAULT_BITS}}
+DC_BITS=${DC_BITS:=${DEFAULT_BITS}}
+USER_BITS=${USER_BITS:=${DEFAULT_BITS}}
+
+CA_DAYS=${CA_DAYS:=3650}
+CRL_DAYS=${CRL_DAYS:=30}
+DC_DAYS=${DC_DAYS:=730}
+USER_DAYS=${USER_DAYS:=730}
+
+CA_DIR="CA-${DNS_DOMAIN}"
+DEFAULT_VARS="${DEFAULT_VARS} CA_DIR"
+
+CACERT_PEM="${CA_DIR}/Public/CA-${DNS_DOMAIN}-cert.pem"
+CACERT_CER="${CA_DIR}/Public/CA-${DNS_DOMAIN}-cert.cer"
+CACRL_PEM="${CA_DIR}/Public/CA-${DNS_DOMAIN}-crl.pem"
+CACRL_CRL="${CA_DIR}/Public/CA-${DNS_DOMAIN}-crl.crl"
+CA_SERIAL="${CA_DIR}/Private/CA-${DNS_DOMAIN}-serial.txt"
+
+function generate_from_template()
+{
+ local base_template="${TEMPLATE_DIR}/$1"
+ local cmd_template="${TEMPLATE_DIR}/$2"
+ local cnf_file="$3"
+ shift 3
+ local vars="$@"
+
+ test -f "${base_template}" || {
+ echo "base_template[${base_template}] does not exists"
+ return 1
+ }
+ test -f "${cmd_template}" || {
+ echo "cmd_template[${cmd_template}] does not exists"
+ return 1
+ }
+ test -e "${cnf_file}" && {
+ echo "cnf_file[${cnf_file}] already exists"
+ return 1
+ }
+
+ local sedargs=""
+ for k in $vars; do
+ v=$(eval echo "\${${k}}")
+ sedargs="${sedargs} -e 's!@@${k}@@!${v}!g'"
+ done
+
+ #echo "sedargs[${sedargs}]"
+ cat "${base_template}" "${cmd_template}" | eval sed ${sedargs} > "${cnf_file}"
+ grep '@@' "${cnf_file}" | wc -l | grep -q '^0' || {
+ echo "invalid context in cnf_file[${cnf_file}]"
+ grep '@@' "${cnf_file}"
+ return 1
+ }
+
+ return 0
+}
+
+case "${CMD}" in
+init_ca)
+ test -e "${CA_DIR}" && {
+ echo "CA with CA_DIR[${CA_DIR}] already exists"
+ exit 1
+ }
+
+ OPENSSLCNF="${CA_DIR}/Private/CA-${DNS_DOMAIN}-openssl.cnf"
+ CA_INDEX="${CA_DIR}/Private/CA-${DNS_DOMAIN}-index.txt"
+ CA_CRLNUMBER="${CA_DIR}/Private/CA-${DNS_DOMAIN}-crlnumber.txt"
+ PRIVATEKEY="${CA_DIR}/Private/CA-${DNS_DOMAIN}-private-key.pem"
+
+ ORGANIZATIONAL_UNIT_NAME="CA Administration"
+ COMMON_NAME="CA of ${DNS_DOMAIN}"
+ EMAIL_ADDRESS="ca-${DNS_DOMAIN}@${DNS_DOMAIN}"
+
+ DEFAULT_BITS="${CA_BITS}"
+ DEFAULT_DAYS="1"
+ DEFAULT_CRL_DAYS="${CRL_DAYS}"
+
+ mkdir -p "${CA_DIR}/"{,Public}
+ umask 077
+ mkdir -p "${CA_DIR}/"{,Private,NewCerts,DCs,Users}
+ umask 022
+ touch "${CA_INDEX}"
+ echo "00" > "${CA_SERIAL}"
+ echo "00" > "${CA_CRLNUMBER}"
+
+ generate_from_template \
+ "openssl-BASE-template.cnf" \
+ "openssl-CA-template.cnf" \
+ "${OPENSSLCNF}" \
+ ${DEFAULT_VARS}
+ openssl req -new -x509 -sha256 -extensions v3_ca -days "${CA_DAYS}" -keyout "${PRIVATEKEY}" -out "${CACERT_PEM}" -config "${OPENSSLCNF}"
+ openssl x509 -in "${CACERT_PEM}" -inform PEM -out "${CACERT_CER}" -outform DER
+ echo -n "Generate CRL [ENTER] to continue"
+ read
+ openssl ca -config "${OPENSSLCNF}" -gencrl -out "${CACRL_PEM}"
+ openssl crl -in "${CACRL_PEM}" -inform PEM -out "${CACRL_CRL}" -outform DER
+ ls -la "${CA_DIR}"/Public/CA-*
+ echo "Please run: '${0} ${CNF} publish_crl'"
+ exit 0
+ ;;
+update_crl)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+
+ OPENSSLCNF="${CA_DIR}/Private/CA-${DNS_DOMAIN}-openssl.cnf"
+ openssl ca -config "${OPENSSLCNF}" -gencrl -out "${CACRL_PEM}"
+ openssl crl -in "${CACRL_PEM}" -inform PEM -out "${CACRL_CRL}" -outform DER
+ ls -la "${CACRL_PEM}" "${CACRL_CRL}"
+ echo "Please run: '${0} ${CNF} publish_crl'"
+ exit 0
+ ;;
+publish_crl)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+
+ echo "Upload ${CACRL_CRL} to ${CRL_SSH_BASE}/"
+ rsync -a -P "${CACRL_CRL}" "${CRL_SSH_BASE}/"
+ echo "Check ${CRL_HTTP_BASE}/CA-${DNS_DOMAIN}-crl.crl"
+ exit 0
+ ;;
+create_dc)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+ #
+ #
+ # ldbsearch -H ldap://DC_DNS_NAME '(dnsHostName=DC_DNS_NAME)' distinguishedName --controls=search_options:1:1 --controls=extended_dn:1:0
+ DC_DNS_NAME="${CMDARG1}"
+ check_arg "DC_DNS_NAME" "${DC_DNS_NAME}"
+ DC_OBJECTGUID_HEX=$(echo "${CMDARG2}" | tr a-z A-Z)
+ check_arg "DC_OBJECTGUID_HEX" "${DC_OBJECTGUID_HEX}"
+
+ DC_DIR="${CA_DIR}/DCs/${DC_DNS_NAME}"
+ test -e "${DC_DIR}" && {
+ echo "DC with DC_DIR[${DC_DIR}] already exists"
+ exit 1
+ }
+
+ NEXT_SERIAL=$(cat "${CA_SERIAL}" | xargs)
+ DCFILE_BASE="DC-${DC_DNS_NAME}-S${NEXT_SERIAL}"
+ OPENSSLCNF="${DC_DIR}/${DCFILE_BASE}-openssl.cnf"
+ DCKEY_PEM="${DC_DIR}/${DCFILE_BASE}-key.pem"
+ DCKEY_PRIVATE_PEM="${DC_DIR}/${DCFILE_BASE}-private-key.pem"
+ DCKEY_PRIVATE_PEM_BASE="${DCFILE_BASE}-private-key.pem"
+ DCKEY_PRIVATE_PEM_LINK="${DC_DIR}/DC-${DC_DNS_NAME}-private-key.pem"
+ DCREQ_PEM="${DC_DIR}/${DCFILE_BASE}-req.pem"
+ DCCERT_PEM="${DC_DIR}/${DCFILE_BASE}-cert.pem"
+ DCCERT_PEM_BASE="${DCFILE_BASE}-cert.pem"
+ DCCERT_PEM_LINK="${DC_DIR}/DC-${DC_DNS_NAME}-cert.pem"
+ DCCERT_CER="${DC_DIR}/${DCFILE_BASE}-cert.cer"
+ DCCERT_P12="${DC_DIR}/${DCFILE_BASE}-private.p12"
+
+ ORGANIZATIONAL_UNIT_NAME="Domain Controllers"
+ COMMON_NAME="${DC_DNS_NAME}"
+ EMAIL_ADDRESS="ca-${DNS_DOMAIN}@${DNS_DOMAIN}"
+
+ DEFAULT_BITS="${DC_BITS}"
+ DEFAULT_DAYS="${DC_DAYS}"
+ DEFAULT_CRL_DAYS="${CRL_DAYS}"
+
+ umask 077
+ mkdir -p "${DC_DIR}/"
+
+ generate_from_template \
+ "openssl-BASE-template.cnf" \
+ "openssl-DC-template.cnf" \
+ "${OPENSSLCNF}" \
+ ${DEFAULT_VARS} DC_DNS_NAME DC_OBJECTGUID_HEX
+
+ openssl req -new -newkey rsa:${DC_BITS} -keyout "${DCKEY_PEM}" -out "${DCREQ_PEM}" -config "${OPENSSLCNF}"
+ openssl rsa -in "${DCKEY_PEM}" -inform PEM -out "${DCKEY_PRIVATE_PEM}" -outform PEM
+ openssl ca -config "${OPENSSLCNF}" -in "${DCREQ_PEM}" -out "${DCCERT_PEM}"
+ ln -s "${DCKEY_PRIVATE_PEM_BASE}" "${DCKEY_PRIVATE_PEM_LINK}"
+ ln -s "${DCCERT_PEM_BASE}" "${DCCERT_PEM_LINK}"
+ openssl x509 -in "${DCCERT_PEM}" -inform PEM -out "${DCCERT_CER}" -outform DER
+ echo "Generate ${DCCERT_P12}"
+ openssl pkcs12 -in "${DCCERT_PEM}" -inkey "${DCKEY_PRIVATE_PEM}" -export -out "${DCCERT_P12}"
+ ls -la "${DC_DIR}"/*.*
+ exit 0
+ ;;
+revoke_dc)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+ DC_DNS_NAME="${CMDARG1}"
+ check_arg "DC_DNS_NAME" "${DC_DNS_NAME}"
+ REVOKE_REASON="${CMDARG2}"
+ check_arg "REVOKE_REASON" "${REVOKE_REASON}"
+
+ DC_DIR="${CA_DIR}/DCs/${DC_DNS_NAME}"
+ test -e "${DC_DIR}" || {
+ echo "DC with DC_DIR[${DC_DIR}] does not exists"
+ exit 1
+ }
+
+ OPENSSLCNF="${CA_DIR}/Private/CA-${DNS_DOMAIN}-openssl.cnf"
+ DCKEY_PRIVATE_PEM_LINK="${DC_DIR}/DC-${DC_DNS_NAME}-private-key.pem"
+ DCCERT_PEM_LINK="${DC_DIR}/DC-${DC_DNS_NAME}-cert.pem"
+
+ REVOKE_DATE=$(date +%Y%m%d-%H%M%S)
+ REVOKE_DC_DIR="${DC_DIR}.${REVOKE_DATE}.revoked-${REVOKE_REASON}"
+
+ openssl ca -config "${OPENSSLCNF}" -revoke "${DCCERT_PEM_LINK}" -crl_reason "${REVOKE_REASON}"
+
+ mv "${DCKEY_PRIVATE_PEM_LINK}" "${DCKEY_PRIVATE_PEM_LINK}.revoked"
+ mv "${DCCERT_PEM_LINK}" "${DCCERT_PEM_LINK}.revoked"
+ mv "${DC_DIR}" "${REVOKE_DC_DIR}"
+ echo "${REVOKE_DC_DIR}"
+
+ openssl ca -config "${OPENSSLCNF}" -gencrl -out "${CACRL_PEM}"
+ openssl crl -in "${CACRL_PEM}" -inform PEM -out "${CACRL_CRL}" -outform DER
+ ls -la "${CACRL_PEM}" "${CACRL_CRL}"
+ echo "Please run: '${0} ${CNF} publish_crl'"
+ exit 0
+ ;;
+create_user)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+ USER_PRINCIPAL_NAME="${CMDARG1}"
+ check_arg "USER_PRINCIPAL_NAME" "${USER_PRINCIPAL_NAME}"
+
+ USER_DIR="${CA_DIR}/Users/${USER_PRINCIPAL_NAME}"
+ test -e "${USER_DIR}" && {
+ echo "USER with USER_DIR[${USER_DIR}] already exists"
+ exit 1
+ }
+
+ NEXT_SERIAL=$(cat "${CA_SERIAL}" | xargs)
+ USERFILE_BASE="USER-${USER_PRINCIPAL_NAME}-S${NEXT_SERIAL}"
+ OPENSSLCNF="${USER_DIR}/${USERFILE_BASE}-openssl.cnf"
+ USERKEY_PEM="${USER_DIR}/${USERFILE_BASE}-key.pem"
+ USERKEY_PRIVATE_PEM="${USER_DIR}/${USERFILE_BASE}-private-key.pem"
+ USERKEY_PRIVATE_PEM_BASE="${USERFILE_BASE}-private-key.pem"
+ USERKEY_PRIVATE_PEM_LINK="${USER_DIR}/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ USERREQ_PEM="${USER_DIR}/${USERFILE_BASE}-req.pem"
+ USERCERT_PEM="${USER_DIR}/${USERFILE_BASE}-cert.pem"
+ USERCERT_PEM_BASE="${USERFILE_BASE}-cert.pem"
+ USERCERT_PEM_LINK="${USER_DIR}/USER-${USER_PRINCIPAL_NAME}-cert.pem"
+ USERCERT_CER="${USER_DIR}/${USERFILE_BASE}-cert.cer"
+ USERCERT_P12="${USER_DIR}/${USERFILE_BASE}-private.p12"
+
+ ORGANIZATIONAL_UNIT_NAME="Users"
+ COMMON_NAME="${USER_PRINCIPAL_NAME}"
+ EMAIL_ADDRESS="${USER_PRINCIPAL_NAME}"
+
+ DEFAULT_BITS="${USER_BITS}"
+ DEFAULT_DAYS="${USER_DAYS}"
+ DEFAULT_CRL_DAYS="${CRL_DAYS}"
+
+ umask 077
+ mkdir -p "${USER_DIR}/"
+
+ generate_from_template \
+ "openssl-BASE-template.cnf" \
+ "openssl-USER-template.cnf" \
+ "${OPENSSLCNF}" \
+ ${DEFAULT_VARS} USER_PRINCIPAL_NAME
+
+ openssl req -new -newkey rsa:${USER_BITS} -keyout "${USERKEY_PEM}" -out "${USERREQ_PEM}" -config "${OPENSSLCNF}"
+ openssl rsa -in "${USERKEY_PEM}" -inform PEM -out "${USERKEY_PRIVATE_PEM}" -outform PEM
+ openssl ca -config "${OPENSSLCNF}" -in "${USERREQ_PEM}" -out "${USERCERT_PEM}"
+ ln -s "${USERKEY_PRIVATE_PEM_BASE}" "${USERKEY_PRIVATE_PEM_LINK}"
+ ln -s "${USERCERT_PEM_BASE}" "${USERCERT_PEM_LINK}"
+ openssl x509 -in "${USERCERT_PEM}" -inform PEM -out "${USERCERT_CER}" -outform DER
+ echo "Generate ${USERCERT_P12}"
+ openssl pkcs12 -in "${USERCERT_PEM}" -inkey "${USERKEY_PRIVATE_PEM}" -export -out "${USERCERT_P12}"
+ ls -la "${USER_DIR}"/*.*
+ exit 0
+ ;;
+revoke_user)
+ test -e "${CA_DIR}" || {
+ echo "CA with CA_DIR[${CA_DIR}] does not exists"
+ exit 1
+ }
+ USER_PRINCIPAL_NAME="${CMDARG1}"
+ check_arg "USER_PRINCIPAL_NAME" "${USER_PRINCIPAL_NAME}"
+ REVOKE_REASON="${CMDARG2}"
+ check_arg "REVOKE_REASON" "${REVOKE_REASON}"
+
+ USER_DIR="${CA_DIR}/Users/${USER_PRINCIPAL_NAME}"
+ test -e "${USER_DIR}" || {
+ echo "USER with USER_DIR[${USER_DIR}] does not exists"
+ exit 1
+ }
+
+ OPENSSLCNF="${CA_DIR}/Private/CA-${DNS_DOMAIN}-openssl.cnf"
+ USERKEY_PRIVATE_PEM_LINK="${USER_DIR}/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ USERCERT_PEM_LINK="${USER_DIR}/USER-${USER_PRINCIPAL_NAME}-cert.pem"
+
+ REVOKE_DATE=$(date +%Y%m%d-%H%M%S)
+ REVOKE_USER_DIR="${USER_DIR}.${REVOKE_DATE}.revoked-${REVOKE_REASON}"
+
+ openssl ca -config "${OPENSSLCNF}" -revoke "${USERCERT_PEM_LINK}" -crl_reason "${REVOKE_REASON}"
+
+ mv "${USERKEY_PRIVATE_PEM_LINK}" "${USERKEY_PRIVATE_PEM_LINK}.revoked"
+ mv "${USERCERT_PEM_LINK}" "${USERCERT_PEM_LINK}.revoked"
+ mv "${USER_DIR}" "${REVOKE_USER_DIR}.revoked"
+ echo "${REVOKE_USER_DIR}"
+
+ openssl ca -config "${OPENSSLCNF}" -gencrl -out "${CACRL_PEM}"
+ openssl crl -in "${CACRL_PEM}" -inform PEM -out "${CACRL_CRL}" -outform DER
+ ls -la "${CACRL_PEM}" "${CACRL_CRL}"
+ echo "Please run: '${0} ${CNF} publish_crl'"
+ exit 0
+ ;;
+usage)
+ print_usage
+ exit 1
+ ;;
+*)
+ print_usage
+ echo "ERROR: CMD[${CMD}] - unknown"
+ exit 1
+ ;;
+esac
+
+exit 1
diff --git a/selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf b/selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
new file mode 100644
index 0000000..1f3d24e
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf
@@ -0,0 +1,17 @@
+
+CRL_HTTP_BASE="http://www.example.com/crls"
+CRL_SSH_BASE="www.example.com:/path/to/crls"
+DNS_DOMAIN="example.com"
+
+#CA_BITS="8192"
+#DC_BITS="8192"
+#USER_BITS="8192"
+#CA_DAYS="3650"
+#CRL_DAYS="30"
+#DC_DAYS="730"
+#USER_DAYS="730"
+
+COUNTRY_NAME="US"
+STATE_NAME="ExampleState"
+LOCALITY_NAME="ExampleCity"
+ORGANIZATION_NAME="ExampleOrganization"
diff --git a/selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf b/selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
new file mode 100644
index 0000000..ca8415b
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf
@@ -0,0 +1,201 @@
+#
+# Based on the OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+#CRLDISTPT = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
+CRLDISTPT = @@CRL_HTTP_BASE@@/CA-@@DNS_DOMAIN@@-crl.crl
+
+# Extra OBJECT IDENTIFIER info:
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
+scardLogin=1.3.6.1.4.1.311.20.2.2
+# Used in a smart card login certificate's subject alternative name
+msUPN=1.3.6.1.4.1.311.20.2.3
+# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
+msKDC=1.3.6.1.5.2.3.5
+# Identifies the AD GUID
+msADGUID=1.3.6.1.4.1.311.25.1
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = @@CA_DIR@@ # Where everything is kept
+certs = $dir/_none_certs # Where the issued certs are kept
+crl_dir = $dir/_none_crl # Where the issued crl are kept
+database = $dir/Private/CA-@@DNS_DOMAIN@@-index.txt # database index file.
+unique_subject = yes # Set to 'no' to allow creation of
+ # several certificates with same subject.
+new_certs_dir = $dir/NewCerts # default place for new certs.
+
+certificate = $dir/Public/CA-@@DNS_DOMAIN@@-cert.pem # The CA certificate
+serial = $dir/Private/CA-@@DNS_DOMAIN@@-serial.txt # The current serial number
+crlnumber = $dir/Private/CA-@@DNS_DOMAIN@@-crlnumber.txt # the current crl number
+ # must be commented out to leave a V1 CRL
+
+#crl = $dir/Public/CA-@@DNS_DOMAIN@@-crl.pem # The current CRL
+crl = $dir/Public/CA-@@DNS_DOMAIN@@-crl.crl # The current CRL
+private_key = $dir/Private/CA-@@DNS_DOMAIN@@-private-key.pem # The private key
+RANDFILE = $dir/Private/CA-@@DNS_DOMAIN@@.rand # private random number file
+
+#x509_extensions = # The extensions to add to the cert
+x509_extensions = template_x509_extensions
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+crl_extensions = crl_ext
+
+default_days = @@DEFAULT_DAYS@@ # how long to certify for
+default_crl_days= @@DEFAULT_CRL_DAYS@@ # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = match
+stateOrProvinceName = match
+localityName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = supplied
+
+####################################################################
+[ req ]
+default_bits = @@DEFAULT_BITS@@
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = @@COUNTRY_NAME@@
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = @@STATE_NAME@@
+
+localityName = Locality Name (eg, city)
+localityName_default = @@LOCALITY_NAME@@
+
+organizationName = Organization Name (eg, company)
+organizationName_default = @@ORGANIZATION_NAME@@
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = @@ORGANIZATIONAL_UNIT_NAME@@
+
+commonName = Common Name (eg, YOUR name)
+commonName_default = @@COMMON_NAME@@
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_default = @@EMAIL_ADDRESS@@
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#
+#unstructuredName = An optional company name
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate.
+keyUsage = cRLSign, keyCertSign
+
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Some might want this also
+nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+subjectAltName=email:copy
+# Copy issuer details
+issuerAltName=issuer:copy
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
diff --git a/selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf b/selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
new file mode 100644
index 0000000..4c6bb4a
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.templates.d/openssl-CA-template.cnf
@@ -0,0 +1,2 @@
+[ template_x509_extensions ]
+
diff --git a/selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf b/selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
new file mode 100644
index 0000000..0b0424d
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.templates.d/openssl-DC-template.cnf
@@ -0,0 +1,49 @@
+#[ usr_cert_mskdc ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a domain controller certificate.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+nsCertType = server
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Domain Controller Certificate @@DC_DNS_NAME@@"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=@dc_subjalt
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for our domain controller certs
+# serverAuth - says cert can be used to identify an ssl/tls server
+# msKDC - says cert can be used to identify a Kerberos Domain Controller.
+extendedKeyUsage = clientAuth,serverAuth,msKDC
+
+[dc_subjalt]
+DNS=@@DC_DNS_NAME@@
+otherName=msADGUID;FORMAT:HEX,OCTETSTRING:@@DC_OBJECTGUID_HEX@@
diff --git a/selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf b/selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
new file mode 100644
index 0000000..71674b9
--- /dev/null
+++ b/selftest/manage-ca/manage-ca.templates.d/openssl-USER-template.cnf
@@ -0,0 +1,41 @@
+#[ usr_cert_scarduser ]
+[ template_x509_extensions ]
+
+# These extensions are added when 'ca' signs a request for a certificate that will be used to login from a smart card
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+crlDistributionPoints=URI:$CRLDISTPT
+
+# For normal client use this is typical
+nsCertType = client, email
+
+# This is typical in keyUsage for a client certificate.
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "Smart Card Login Certificate for @@USER_PRINCIPAL_NAME@@"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+
+subjectAltName=email:copy,otherName:msUPN;UTF8:@@USER_PRINCIPAL_NAME@@
+
+# Copy subject details
+issuerAltName=issuer:copy
+
+nsCaRevocationUrl = $CRLDISTPT
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+#Extended Key requirements for client certs
+extendedKeyUsage = clientAuth,scardLogin
+
diff --git a/selftest/no-python-tests.txt b/selftest/no-python-tests.txt
new file mode 100644
index 0000000..33c2f01
--- /dev/null
+++ b/selftest/no-python-tests.txt
@@ -0,0 +1,32 @@
+# A small subset of tests/testenvs to run as a sanity-check when samba
+# is built with --disable-python. One test-suite for each s3 testenv was
+# selected from 'python source3/selftest/tests.py' (and manually edited to
+# remove the filter-subunit portion of the command).
+# Notes:
+# - you cannot add knownfail tests to this list.
+# - only .sh tests supported here, and they must set and return $failed
+# appropriately
+-- TEST --
+samba3.blackbox.smb2.not_casesensitive (fileserver)(fileserver)
+fileserver
+./source3/script/tests/test_smb2_not_casesensitive.sh //$SERVER/tmp $SERVER_IP $USERNAME $PASSWORD $LOCAL_PATH bin/smbclient || exit 1
+-- TEST --
+samba3.blackbox.rpcclient_srvsvc(simpleserver)
+simpleserver
+./source3/script/tests/test_rpcclientsrvsvc.sh $USERNAME $PASSWORD $SERVER bin/rpcclient tmp || exit 1
+-- TEST --
+samba3.blackbox.smbclient_large_file krb5(ktest:local)
+ktest:local
+./source3/script/tests/test_smbclient_large_file.sh $PREFIX/ktest/krb5_ccache-3 bin/smbclient $SERVER $PREFIX -k --configfile=$SMB_CONF_PATH || exit 1
+-- TEST --
+samba3.blackbox.smbclient_auth.plain (maptoguest) local creds(maptoguest)
+maptoguest
+./source3/script/tests/test_smbclient_auth.sh $SERVER $SERVER_IP $USERNAME $PASSWORD bin/smbclient --configfile=$SMB_CONF_PATH --option=clientntlmv2auth=no --option=clientlanmanauth=yes || exit 1
+-- TEST --
+samba3.blackbox.smbclient_auth.plain (nt4_dc) (nt4_dc)
+nt4_dc
+./source3/script/tests/test_smbclient_auth.sh $SERVER $SERVER_IP $DC_USERNAME $DC_PASSWORD bin/smbclient --configfile=$SMB_CONF_PATH || exit 1
+-- TEST --
+samba3.blackbox.net_cred_change.(nt4_member:local)(nt4_member:local)
+nt4_member:local
+./source3/script/tests/test_net_cred_change.sh --configfile=$SMB_CONF_PATH || exit 1
diff --git a/selftest/ns/README b/selftest/ns/README
new file mode 100644
index 0000000..896fe15
--- /dev/null
+++ b/selftest/ns/README
@@ -0,0 +1,162 @@
+The scripts in this directory are experimental and are used to create testenvs
+in separate linux namespaces. This avoids the need for socket-wrapper.
+
+What are Namespaces
+===================
+Namespaces allow the kernel to segregate its system resources (files, CPU,
+etc), so that different processes only see the set of resources they are
+allowed to use. There are several different types of namespace: network,
+user, process, file, IPC, and so on.
+
+Key points to grasp are:
+* Each type of namespace gets managed separately by the kernel, i.e. process
+namespaces are managed separately to network namespaces, which are separate
+to user namespaces. These scripts give each testenv its own network namespace,
+but otherwise they all still share the same user/process/etc namespace.
+(In future, we may want to give each testenv its own process and user
+namespace, to better mimic a production DC).
+* Namespaces are created using the 'unshare' utility. The new selftest
+namespaces are anonymous/nameless, and so the different namespaces are
+identified by the PID of the processes running within the namespace
+(typically samba).
+* Linux supports nesting namespaces within namespaces. In this case, each
+testenv DC has its own network namespace, which is a child of the overarching
+selftest namespace (which itself is a child of whatever namespace you run
+'make test' from - usually this would be the root namespace).
+
+How does it work?
+=================
+Normally when 'make test' is run, every testenv uses a 10.53.57.x IP address
+and socket-wrapper passes the packets between them.
+
+With namespaces, we also use 10.53.57.x IP addresses but have the packets pass through
+the kernel's IP stack normally, as it forwards them between namespaces.
+
+We use veth interfaces for this. veth is a type of virtual interface supported
+by the kernel. veth interfaces come in pairs, and act as a tunnel - any packets
+sent on a veth interface simply end up as received packets on the pair veth
+interface.
+
+We create a new veth interface pair for each testenv, and use them to connect
+up the namespaces. One end of the veth pair is added to the main selftest
+namespace, and the other end is added to a new namespace that we'll run
+samba in. E.g.
+
+selftest.pl veth21-br ------------------------ veth21 samba (ad_dc_ntvfs)
+ 10.53.57.11 10.53.57.21
+ Namespace 1 Namespace 2
+
+However, we need to run multiple different testenvs and have them talk to
+each other. So to do this, we need a bridge interface ('selftest0') to connect
+up the namespaces, which essentially just acts as a hub. So connecting together
+multiple testenvs looks more like this:
+
+selftest.pl +-- veth21-br ------------------------ veth21 samba (ad_dc_ntvfs)
+ | 10.53.57.21
+ selftest0 --+ Namespace 2
+ 10.53.57.11 |
+ +-- veth22-br ------------------------ veth22 samba (vampire_dc)
+ 10.53.57.22
+ Namespace 1 Namespace 3
+
+The veth interfaces are named vethX and vethX-br, where X is the
+SOCKET_WRAPPER_DEFAULT_IFACE for the testenv. The vethX-br interface is always
+added to the selftest0 bridge interface.
+
+How do I use it?
+================
+To use namespaces instead of socket-wrapper, just add 'USE_NAMESPACES=1' to the
+make command, e.g.
+
+To run the 'quick' test cases using namespaces:
+USE_NAMESPACES=1 make test TESTS=quick
+
+To setup an ad_dc testenv using namespaces:
+USE_NAMESPACES=1 SELFTEST_TESTENV=ad_dc make testenv
+
+You can connect secondary shells to the namespace your testenv is running in.
+The command to do this is a little complicated, so a helper 'nsenter.sh' script
+gets autogenerated when the testenv is created. E.g. to connect to the testenv
+that the ad_dc is running in, use:
+./st/ad_dc/nsenter.sh
+
+This script also sets up the shell with all the same $SERVER/$USERNAME/etc
+variables that you normally get in xterm.
+
+To run the ad-dc-backup autobuild job using namespaces:
+USE_NAMESPACES=1 script/autobuild.py samba-ad-dc-backup --verbose --nocleanup \
+ --keeplogs --tail --testbase /tmp/samba-testbase
+
+Using the customdc testenv, you can basically now essentially your own
+light-weight samba VM. E.g.
+MY_BACKUP=/home/$USER/samba-backup-prod-domain.tar.bz2
+USE_NAMESPACES=1 BACKUP_FILE=$MY_BACKUP SELFTEST_TESTENV=customdc make testenv
+
+You can then talk to that DC in any other shell by using
+./st/customdc/nsenter.sh which enters the DC's network namespace (with
+all the $SERVER/etc env variables defined).
+
+How to join VMs to the testenv
+----------------------------------------
+I haven't tried this (beyond basic IP connectivity), but using namespaces it
+should now be possible to connect a Windows VM to a Samba testenv.
+
+1. Work out the main selftest.pl namespace PID manually, e.g.
+SELFTEST_PID= ps waux | grep selftest.pl
+
+2. Create a new veth to bridge between the selftest namespace and your PC's
+default namespace:
+sudo ip link add dev testenv-veth0 type veth peer name testenv-veth1
+
+3. Move one end of the veth tunnel into the selftest namespace:
+sudo ip link set testenv-veth1 netns $SELFTEST_PID
+
+4. Configure the veth end in the default namespace to be in the same subnet
+as the selftest network:
+sudo ip link set dev testenv-veth0 up
+sudo ip addr add 10.53.57.63/24 dev testenv-veth0
+
+5. Enter the selftest namespace, bring that end of the pipe up, and add it to
+to the main selftest0 bridge (that connects all the DCs together). We also need
+to add a default route from selftest back to your PC's default namespace.
+nsenter -t $SELFTEST_PID --net --user --preserve-credentials
+ip link set dev testenv-veth1 up
+ip link set testenv-veth1 master selftest0
+ip route add default via 10.53.57.63
+logout
+
+Your Windows VM and samba testenv should now be able to talk to each
+other over IP!
+
+6. The other step is to get DNS working. You probably need to add dns_hub
+(10.53.57.64) as a nameserver (at least on your Windows VM).
+
+This should work for using RSAT tools on samba, or joining Windows to Samba
+(depending on the schema version). Joining samba to Windows is a bit more
+tricky, as the namespaces are tied to the *running* samba process.
+
+What you'd probably want to do is run the join command to the windows VM
+outside of testenv, create an offline backup-file of the resulting DB, and
+then plug that backup-file into the customdc testenv. (And then follow the
+above veth/bridge steps to join samba to the VM).
+
+Note that the namespace disappears once you stop the testenv, so you'd
+need to do the above steps with creating the veth interface every time
+you restarted the testenv.
+
+Known limitations
+=================
+- When running a testenv, sometimes xterm can fail to startup, due to a
+ permissions problem with /dev/pts. This seems to be a particular problem
+ with the 'none' testenv.
+ A short-term work-around is to use a terminal that doesn't try to access
+ /dev/pts, e.g. just use bash as the terminal:
+ TERMINAL=bash TERMINAL_ARGS='--norc' USE_NAMESPACES=1 \
+ SELFTEST_TESTENV=none make testenv
+- Some test cases rely on socket-wrapper, so will fail when run using
+ namespaces.
+- Currently USE_NAMESPACES maps you (i.e. $USER) to root in the new namespace.
+ This means any test cases that rely on being a non-root user will fail (i.e.
+ anything that fails under 'sudo make test' will also fail with namespaces).
+- Namespaces should work within docker, but currently the 'unshare' system
+ call is disallowed on the gitlab CI runners.
diff --git a/selftest/ns/add_bridge_iface.sh b/selftest/ns/add_bridge_iface.sh
new file mode 100755
index 0000000..4090319
--- /dev/null
+++ b/selftest/ns/add_bridge_iface.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Configures the interfaces needed for communication between namespaces.
+# This handles the bridge-end of the veth pair.
+interface=$1
+
+# the main bridge interface is called 'selftest0' (although in future we may
+# want to segregate the different domains by using different bridges)
+bridge=$2
+
+# we need to wait for the child namespace to start up and add the new
+# interface back to our new namespace
+while ! ip link show $interface >/dev/null 2>&1; do
+ sleep 0.1
+ echo "Waiting for $interface to be created..."
+done
+
+# bring the bridge-end of the link up and add it to the bridge
+ip link set dev $interface up
+ip link set $interface master $bridge
diff --git a/selftest/ns/create_bridge.sh b/selftest/ns/create_bridge.sh
new file mode 100755
index 0000000..74f7eca
--- /dev/null
+++ b/selftest/ns/create_bridge.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# creates a bridge interface (i.e. 'selftest0') that connects together the
+# veth interfaces for the various testenvs
+
+br_name=$1
+ip_addr=$2
+ipv6_addr=$3
+
+# make sure the loopback is up (needed for pinging between namespaces, etc)
+ip link set dev lo up
+
+# create the bridge interface and enable it
+ip link add $br_name type bridge
+ip addr add $ip_addr/24 dev $br_name
+ip addr add $ipv6_addr/112 dev $br_name
+ip link set $br_name up
diff --git a/selftest/ns/mk_nsenter.sh b/selftest/ns/mk_nsenter.sh
new file mode 100755
index 0000000..c97fda9
--- /dev/null
+++ b/selftest/ns/mk_nsenter.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Helper script. If you want a 2nd shell that communicates with the testenv DC
+# you can use the nsenter command to change the namespace you're in. However,
+# this command is a bit unwieldly and changes depending on the testenv PID.
+# We can generate a helper script on the fly that abstracts all this
+# complexity, allowing you to use the same, simple command to change the
+# namespace that you're in, e.g.
+# st/ad_dc/nsenter.sh
+
+pid=$1
+exports_file=$2
+
+# The basic command to enter the testenv's network namespace.
+# We enter the user namespace as well (as ourself, which is really the root
+# user for the namespace), otherwise we need sudo to make this work.
+nsenter_cmd="nsenter -t $pid --net --user --preserve-credentials"
+
+# By default, the nsenter command will just start a new shell in the namespace.
+# we use a wrapper helper script, which first loads all the environment
+# variables that are usually defined in selftest (and prints some basic help).
+helper_script="$(dirname $0)/nsenter-helper.sh $exports_file"
+
+# generate the dynamic script
+dyn_script="$(dirname $2)/nsenter.sh"
+echo "#!/bin/sh" >$dyn_script
+echo "$nsenter_cmd $helper_script" >>$dyn_script
+chmod 755 $dyn_script
+
+# return the script we created
+echo "$dyn_script"
diff --git a/selftest/ns/nsenter-helper.sh b/selftest/ns/nsenter-helper.sh
new file mode 100755
index 0000000..4242227
--- /dev/null
+++ b/selftest/ns/nsenter-helper.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# Helper script that gets run with nsenter to manually setup a secondary shell
+# session to a given namespace testenv. This basically just sets up the same
+# environment variables as you normally get with selftest, for convenience.
+
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 <exports-file>"
+ exit 1
+fi
+
+# we get passed a exports file with all the environment variables defined
+exports_file=$1
+
+# read the exports file so the new shell has appropriate variables setup
+# (we export rather than sourcing here so they get inherited by the subshell)
+while read -r line; do
+ export $line
+ # dump them for the user too
+ echo $line
+done <$exports_file
+
+echo ""
+echo "Entered $NETBIOSNAME namespace, with above variables defined."
+echo "Use CTRL+D or exit to leave the namespace."
+echo ""
+
+# start a shell session in the new namespace
+$SHELL
diff --git a/selftest/ns/start_in_ns.sh b/selftest/ns/start_in_ns.sh
new file mode 100755
index 0000000..f16767d
--- /dev/null
+++ b/selftest/ns/start_in_ns.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# Starts samba in a separate namespace. This gets passed the interface/IP
+# to use, as well as the Samba command to run. The whole script gets run
+# (via unshare) in a separate namespace.
+
+# the first 3 args are our interface-name, parent-PID, and a exports file
+# containing environment variables ($SERVER, $SERVER_IP, etc)
+interface=$1
+exports_file=$2
+parent_pid=$3
+
+# we write the testenv environment variables to file, which makes it easier
+# to work out the $SERVER, $SERVER_IP, etc
+. $exports_file
+
+# The namespaces we use are anonymous, which means other processes would need
+# to use our PID to access the new namespace
+echo "-------------------------------------------------------------"
+echo "Created namespace for $NETBIOSNAME ($ENVNAME) PID $$"
+
+# generate a helper script if the developer wants to talk to this namespace
+# in another shell
+mk_nsenter_script="$(dirname $0)/mk_nsenter.sh"
+helper_script=$($mk_nsenter_script $$ $exports_file)
+
+echo "To communicate with this testenv, use: $helper_script"
+echo "-------------------------------------------------------------"
+
+# the rest of the args are the samba command to run
+shift 3
+SAMBA_CMD=$@
+
+# make sure namespace loopback is up (it's needed for ping, etc)
+ip link set dev lo up
+
+# Create the interfaces needed for communication between namespaces.
+# We use a veth pair, which acts as a tunnel between the namespaces.
+# One end of the veth link is added to a common bridge in the top-level (i.e.
+# selftest) namespace, and the other end is added to the testenv's namespace.
+# This means each testenv DC is in its own namespace, but they can talk to
+# each other via the common bridge interface.
+# The new veth interfaces are named "vethX" and "vethX-br", where
+# X = the testenv IP (i.e. Samba::get_interface()). E.g. ad_dc = veth30,
+# and veth30-br.
+# The "vethX" interface will live in the new testenv's namespace.
+# The "vethX-br" end is added to the bridge in the main selftest namespace.
+ip link add dev $interface-br type veth peer name $interface
+
+# move the bridge end of the link back into the parent namespace.
+ip link set $interface-br netns $parent_pid
+
+# configure our IP address and bring the interface up
+ip addr add $SERVER_IP/24 dev $interface
+# Note that samba can't bind to the IPv6 address while DAD is in progress,
+# so we use 'nodad' when configuring the address
+ip addr add $SERVER_IPV6/112 dev $interface nodad
+ip link set dev $interface up
+
+# start samba
+$SAMBA_CMD
diff --git a/selftest/perf_tests.py b/selftest/perf_tests.py
new file mode 100644
index 0000000..2aed9de
--- /dev/null
+++ b/selftest/perf_tests.py
@@ -0,0 +1,104 @@
+#!/usr/bin/python
+
+# This script generates a list of testsuites that should be run to
+# test Samba performance.
+#
+# These tests are not intended to exercise aspect of Samba, but
+# perform common simple functions or to ascertain performance.
+#
+
+# The syntax for a testsuite is "-- TEST --" on a single line, followed
+# by the name of the test, the environment it needs and the command to run, all
+# three separated by newlines. All other lines in the output are considered
+# comments.
+
+import os
+from selftesthelpers import source4dir, bindir, python, plantestsuite_loadlist
+
+samba4srcdir = source4dir()
+samba4bindir = bindir()
+
+plantestsuite_loadlist("samba4.ldap.ad_dc_performance.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ndr_pack_performance.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ndr_pack_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.provision_performance.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_provision_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ldap.ad_dc_search_performance.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python,
+ os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_search_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ldap.ad_dc_multi_bind.ntlm.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_multi_bind.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"', '-k no',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ldap.ad_dc_multi_bind.krb5.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_multi_bind.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"', '-k yes',
+ '--realm=$REALM',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ldb.multi_connect.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python, os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_multi_bind.py"),
+ 'tdb://$PREFIX_ABS/ad_dc_ntvfs/private/sam.ldb',
+ '$LOADLIST', '$LISTOPT'])
+
+plantestsuite_loadlist("samba4.ldap.vlv.python(ad_dc_ntvfs)", "ad_dc_ntvfs",
+ [python,
+ os.path.join(samba4srcdir, "dsdb/tests/python/vlv.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN', '$LOADLIST', '$LISTOPT'])
+
+# this one doesn't tidy itself up fully, so leave it as last unless
+# you want a messy database.
+plantestsuite_loadlist("samba4.ldap.ad_dc_medley_performance.python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python,
+ os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_medley_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '$LOADLIST', '$LISTOPT'])
+
+# again with paged search module
+plantestsuite_loadlist("samba4.ldap.ad_dc_performance.paged_search."+\
+ "python(ad_dc_ntvfs)",
+ "ad_dc_ntvfs",
+ [python,
+ os.path.join(samba4srcdir,
+ "dsdb/tests/python/ad_dc_medley_performance.py"),
+ '$SERVER', '-U"$USERNAME%$PASSWORD"',
+ '--workgroup=$DOMAIN',
+ '--use-paged-search',
+ '$LOADLIST', '$LISTOPT'])
diff --git a/selftest/quick b/selftest/quick
new file mode 100644
index 0000000..6700180
--- /dev/null
+++ b/selftest/quick
@@ -0,0 +1,41 @@
+# This file contains regexes matching the tests that should be run
+# when doing a "quicktest" - verifying whether the build is working
+# rather than trying to see what exactly is broken.
+#
+# This should be as quick as possible but cover as much code as possible.
+base.unlink
+base.attr
+base.delete
+base.tcon
+base.open
+base.chkpath
+raw.qfsinfo
+raw.qfileinfo
+raw.mkdir
+raw.seek
+raw.open
+raw.write
+raw.read
+raw.close
+raw.ioctl
+raw.rename
+raw.eas
+base.open
+rpc.altercontext
+rpc.join
+rpc.echo
+rpc.schannel
+rpc.netlogon
+rpc.unixinfo
+rpc.handles
+rpc.altercontext
+rpc.join
+rpc.handles
+rpc.echo
+smb.signing
+smb2.session
+drs.unit
+samba4.blackbox.dbcheck.dc
+# This needs to be here to get testing of crypt_r()
+# behaviour on multiple OS distributions.
+samba.tests.samba_tool.user_virtualCryptSHA_userPassword \ No newline at end of file
diff --git a/selftest/save.env.sh b/selftest/save.env.sh
new file mode 100755
index 0000000..ff9ba32
--- /dev/null
+++ b/selftest/save.env.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+{
+ vars=$(set |
+ grep "^[a-zA-Z][^=]*='[^']*'$" |
+ grep -v '^IFS=' |
+ grep -v '^TERM' |
+ grep -v '^PPID' |
+ grep -v '^PS[1-9]=' |
+ cat)
+ echo "${vars}"
+ echo "${vars}" | sed -e 's!^\([a-zA-Z][^=]*\)=.*$!export \1!'
+} >bin/restore.env.source
+
+echo "RUN: '. bin/restore.env.source'"
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
new file mode 100755
index 0000000..75763ef
--- /dev/null
+++ b/selftest/selftest.pl
@@ -0,0 +1,1017 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2010 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2007-2009 Stefan Metzmacher <metze@samba.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use strict;
+use warnings;
+
+use FindBin qw($RealBin $Script);
+use File::Spec;
+use File::Temp qw(tempfile);
+use File::Path qw(remove_tree);
+use Getopt::Long;
+use POSIX;
+use Cwd qw(abs_path);
+use lib "$RealBin";
+use Subunit;
+use SocketWrapper;
+use target::Samba;
+use Time::HiRes qw(time);
+
+eval {
+require Time::HiRes;
+Time::HiRes->import("time");
+};
+if ($@) {
+ print "You don't have Time::Hires installed !\n";
+}
+
+my $opt_help = 0;
+my $opt_target = "samba";
+my $opt_quick = 0;
+my $opt_socket_wrapper = 0;
+my $opt_socket_wrapper_pcap = undef;
+my $opt_socket_wrapper_keep_pcap = undef;
+my $opt_random_order = 0;
+my $opt_one = 0;
+my @opt_exclude = ();
+my @opt_include = ();
+my @opt_exclude_env = ();
+my @opt_include_env = ();
+my $opt_testenv = 0;
+my $opt_list = 0;
+my $opt_mitkrb5 = 0;
+my $opt_resetup_env = undef;
+my $opt_load_list = undef;
+my $opt_libnss_wrapper_so_path = "";
+my $opt_libresolv_wrapper_so_path = "";
+my $opt_libsocket_wrapper_so_path = "";
+my $opt_libuid_wrapper_so_path = "";
+my $opt_libasan_so_path = "";
+my $opt_use_dns_faking = 0;
+my @testlists = ();
+
+my $srcdir = ".";
+my $bindir = "./bin";
+my $prefix = "./st";
+
+my @includes = ();
+my @excludes = ();
+
+sub find_in_list($$)
+{
+ my ($list, $fullname) = @_;
+
+ foreach (@$list) {
+ if ($fullname =~ /$$_[0]/) {
+ return ($$_[1]) if ($$_[1]);
+ return "";
+ }
+ }
+
+ return undef;
+}
+
+sub skip
+{
+ my ($name, $envname) = @_;
+ my ($env_basename, $env_localpart) = split(/:/, $envname);
+
+ if ($opt_target eq "samba3" && $Samba::ENV_NEEDS_AD_DC{$env_basename}) {
+ return "environment $envname is disabled as this build does not include an AD DC";
+ }
+
+ if (@opt_include_env && !(grep {$_ eq $env_basename} @opt_include_env)) {
+ return "environment $envname is disabled (via --include-env command line option) in this test run - skipping";
+ } elsif (@opt_exclude_env && grep {$_ eq $env_basename} @opt_exclude_env) {
+ return "environment $envname is disabled (via --exclude-env command line option) in this test run - skipping";
+ }
+
+ return find_in_list(\@excludes, $name);
+}
+
+sub getlog_env($);
+
+# expand strings from %ENV
+sub expand_environment_strings($)
+{
+ my $s = shift;
+ # we use a reverse sort so we do the longer ones first
+ foreach my $k (sort { $b cmp $a } keys %ENV) {
+ $s =~ s/\$$k/$ENV{$k}/g;
+ }
+ return $s;
+}
+
+my $target;
+
+sub run_testsuite($$$$$)
+{
+ my ($envname, $name, $cmd, $i, $totalsuites) = @_;
+ my $pcap_file = $target->setup_pcap($name);
+
+ Subunit::start_testsuite($name);
+ Subunit::progress_push();
+ Subunit::report_time();
+ system($cmd);
+ Subunit::report_time();
+ Subunit::progress_pop();
+
+ if ($? == -1) {
+ print "command: $cmd\n";
+ printf "expanded command: %s\n", expand_environment_strings($cmd);
+ Subunit::end_testsuite($name, "error", "Unable to run $cmd: $!");
+ exit(1);
+ } elsif ($? & 127) {
+ print "command: $cmd\n";
+ printf "expanded command: %s\n", expand_environment_strings($cmd);
+ Subunit::end_testsuite($name, "error",
+ sprintf("%s died with signal %d, %s coredump\n", $cmd, ($? & 127), ($? & 128) ? 'with' : 'without'));
+ exit(1);
+ }
+
+ my $exitcode = $? >> 8;
+
+ my $envlog = getlog_env($envname);
+ if ($envlog ne "") {
+ print "envlog: $envlog\n";
+ }
+
+ print "command: $cmd\n";
+ printf "expanded command: %s\n", expand_environment_strings($cmd);
+
+ if ($exitcode == 0) {
+ Subunit::end_testsuite($name, "success");
+ } else {
+ Subunit::end_testsuite($name, "failure", "Exit code was $exitcode");
+ }
+
+ $target->cleanup_pcap($pcap_file, $exitcode);
+
+ if (not $opt_socket_wrapper_keep_pcap and defined($pcap_file)) {
+ print "PCAP FILE: $pcap_file\n";
+ }
+
+ if ($exitcode != 0) {
+ exit(1) if ($opt_one);
+ }
+
+ return $exitcode;
+}
+
+sub ShowHelp()
+{
+ print "Samba test runner
+Copyright (C) Jelmer Vernooij <jelmer\@samba.org>
+Copyright (C) Stefan Metzmacher <metze\@samba.org>
+
+Usage: $Script [OPTIONS] TESTNAME-REGEX [TESTNAME-REGEX...]
+
+Generic options:
+ --help this help page
+ --target=samba[3]|win Samba version to target
+ --testlist=FILE file to read available tests from
+ --exclude=FILE Exclude tests listed in the file
+ --include=FILE Include tests listed in the file
+ --exclude-env=ENV Exclude tests for the specified environment
+ --include-env=ENV Include tests for the specified environment
+
+Paths:
+ --prefix=DIR prefix to run tests in [st]
+ --srcdir=DIR source directory [.]
+ --bindir=DIR binaries directory [./bin]
+
+Preload cwrap:
+ --nss_wrapper_so_path=FILE the nss_wrapper library to preload
+ --resolv_wrapper_so_path=FILE the resolv_wrapper library to preload
+ --socket_wrapper_so_path=FILE the socket_wrapper library to preload
+ --uid_wrapper_so_path=FILE the uid_wrapper library to preload
+ --asan_so_path=FILE the asan library to preload
+
+DNS:
+ --use-dns-faking Fake DNS entries rather than talking to our
+ DNS implementation.
+
+Target Specific:
+ --socket-wrapper-pcap save traffic to pcap directories
+ --socket-wrapper-keep-pcap keep all pcap files, not just those for tests that
+ failed
+ --socket-wrapper enable socket wrapper
+
+Behaviour:
+ --quick run quick overall test
+ --one abort when the first test fails
+ --testenv run a shell in the requested test environment
+ --list list available tests
+";
+ exit(0);
+}
+
+my $result = GetOptions (
+ 'help|h|?' => \$opt_help,
+ 'target=s' => \$opt_target,
+ 'prefix=s' => \$prefix,
+ 'socket-wrapper' => \$opt_socket_wrapper,
+ 'socket-wrapper-pcap' => \$opt_socket_wrapper_pcap,
+ 'socket-wrapper-keep-pcap' => \$opt_socket_wrapper_keep_pcap,
+ 'quick' => \$opt_quick,
+ 'one' => \$opt_one,
+ 'exclude=s' => \@opt_exclude,
+ 'include=s' => \@opt_include,
+ 'exclude-env=s' => \@opt_exclude_env,
+ 'include-env=s' => \@opt_include_env,
+ 'srcdir=s' => \$srcdir,
+ 'bindir=s' => \$bindir,
+ 'testenv' => \$opt_testenv,
+ 'list' => \$opt_list,
+ 'mitkrb5' => \$opt_mitkrb5,
+ 'resetup-environment' => \$opt_resetup_env,
+ 'testlist=s' => \@testlists,
+ 'random-order' => \$opt_random_order,
+ 'load-list=s' => \$opt_load_list,
+ 'nss_wrapper_so_path=s' => \$opt_libnss_wrapper_so_path,
+ 'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path,
+ 'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path,
+ 'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path,
+ 'asan_so_path=s' => \$opt_libasan_so_path,
+ 'use-dns-faking' => \$opt_use_dns_faking
+ );
+
+exit(1) if (not $result);
+
+ShowHelp() if ($opt_help);
+
+die("--list and --testenv are mutually exclusive") if ($opt_list and $opt_testenv);
+
+# we want unbuffered output
+$| = 1;
+
+my @tests = @ARGV;
+
+# quick hack to disable rpc validation when using valgrind - its way too slow
+unless (defined($ENV{VALGRIND})) {
+ $ENV{VALIDATE} = "validate";
+ $ENV{MALLOC_CHECK_} = 3;
+}
+
+# make all our python scripts unbuffered
+$ENV{PYTHONUNBUFFERED} = 1;
+
+$ENV{SAMBA_DEPRECATED_SUPPRESS} = 1;
+
+# do not depend on the users setup
+# see also bootstrap/config.py
+$ENV{TZ} = "UTC";
+$ENV{LC_ALL} = $ENV{LANG} = "en_US.utf8";
+
+my $bindir_abs = abs_path($bindir);
+
+my $torture_maxtime = ($ENV{TORTURE_MAXTIME} or 1200);
+
+$prefix =~ s+//+/+;
+$prefix =~ s+/\./+/+;
+$prefix =~ s+/$++;
+
+die("using an empty prefix isn't allowed") unless $prefix ne "";
+
+# Ensure we have the test prefix around.
+#
+# We need restrictive
+# permissions on this as some subdirectories in this tree will have
+# wider permissions (ie 0777) and this would allow other users on the
+# host to subvert the test process.
+umask 0077;
+mkdir($prefix, 0700) unless -d $prefix;
+chmod 0700, $prefix;
+# We need to have no umask limitations for the tests.
+umask 0000;
+
+my $prefix_abs = abs_path($prefix);
+my $tmpdir_abs = abs_path("$prefix/tmp");
+mkdir($tmpdir_abs, 0777) unless -d $tmpdir_abs;
+
+my $srcdir_abs = abs_path($srcdir);
+
+die("using an empty absolute prefix isn't allowed") unless $prefix_abs ne "";
+die("using '/' as absolute prefix isn't allowed") unless $prefix_abs ne "/";
+
+$ENV{SAMBA_SELFTEST} = "1";
+
+$ENV{PREFIX} = $prefix;
+$ENV{PREFIX_ABS} = $prefix_abs;
+$ENV{SRCDIR} = $srcdir;
+$ENV{SRCDIR_ABS} = $srcdir_abs;
+$ENV{BINDIR} = $bindir_abs;
+
+my $tls_enabled = not $opt_quick;
+$ENV{TLS_ENABLED} = ($tls_enabled?"yes":"no");
+
+sub prefix_pathvar($$)
+{
+ my ($name, $newpath) = @_;
+ if (defined($ENV{$name})) {
+ $ENV{$name} = "$newpath:$ENV{$name}";
+ } else {
+ $ENV{$name} = $newpath;
+ }
+}
+prefix_pathvar("PKG_CONFIG_PATH", "$bindir_abs/pkgconfig");
+prefix_pathvar("PYTHONPATH", "$bindir_abs/python");
+
+if ($opt_socket_wrapper_keep_pcap) {
+ # Socket wrapper keep pcap implies socket wrapper pcap
+ $opt_socket_wrapper_pcap = 1;
+}
+
+if ($opt_socket_wrapper_pcap) {
+ # Socket wrapper pcap implies socket wrapper
+ $opt_socket_wrapper = 1;
+}
+
+my $ld_preload = $ENV{LD_PRELOAD};
+
+if ($opt_libasan_so_path) {
+ if ($ld_preload) {
+ $ld_preload = "$opt_libasan_so_path:$ld_preload";
+ } else {
+ $ld_preload = "$opt_libasan_so_path";
+ }
+}
+
+if ($opt_libnss_wrapper_so_path) {
+ if ($ld_preload) {
+ $ld_preload = "$ld_preload:$opt_libnss_wrapper_so_path";
+ } else {
+ $ld_preload = "$opt_libnss_wrapper_so_path";
+ }
+}
+
+if ($opt_libresolv_wrapper_so_path) {
+ if ($ld_preload) {
+ $ld_preload = "$ld_preload:$opt_libresolv_wrapper_so_path";
+ } else {
+ $ld_preload = "$opt_libresolv_wrapper_so_path";
+ }
+}
+
+if ($opt_libsocket_wrapper_so_path) {
+ if ($ld_preload) {
+ $ld_preload = "$ld_preload:$opt_libsocket_wrapper_so_path";
+ } else {
+ $ld_preload = "$opt_libsocket_wrapper_so_path";
+ }
+}
+
+if ($opt_libuid_wrapper_so_path) {
+ if ($ld_preload) {
+ $ld_preload = "$ld_preload:$opt_libuid_wrapper_so_path";
+ } else {
+ $ld_preload = "$opt_libuid_wrapper_so_path";
+ }
+}
+
+if (defined($ENV{USE_NAMESPACES})) {
+ print "Using linux containerization for selftest testenv(s)...\n";
+
+ # Create a common bridge to connect up the testenv namespaces. We give
+ # it the client's IP address, as this is where the tests will run from
+ my $ipv4_addr = Samba::get_ipv4_addr("client");
+ my $ipv6_addr = Samba::get_ipv6_addr("client");
+ system "$ENV{SRCDIR_ABS}/selftest/ns/create_bridge.sh selftest0 $ipv4_addr $ipv6_addr";
+}
+
+$ENV{LD_PRELOAD} = $ld_preload;
+print "LD_PRELOAD=$ENV{LD_PRELOAD}\n";
+
+# Enable uid_wrapper globally
+$ENV{UID_WRAPPER} = 1;
+
+# We are already hitting the limit, so double it.
+$ENV{NSS_WRAPPER_MAX_HOSTENTS} = 200;
+
+# Disable RTLD_DEEPBIND hack for Samba bind dlz module
+#
+# This is needed in order to allow the ldb_*ldap module
+# to work with a preloaded socket wrapper.
+$ENV{LDB_MODULES_DISABLE_DEEPBIND} = 1;
+
+my $socket_wrapper_dir;
+if ($opt_socket_wrapper) {
+ $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix_abs/w", $opt_socket_wrapper_pcap);
+ print "SOCKET_WRAPPER_DIR=$socket_wrapper_dir\n";
+} elsif (not $opt_list) {
+ unless ($< == 0) {
+ warn("not using socket wrapper, but also not running as root. Will not be able to listen on proper ports");
+ }
+}
+
+if ($opt_use_dns_faking) {
+ print "DNS: Faking nameserver\n";
+ $ENV{SAMBA_DNS_FAKING} = 1;
+}
+
+my $testenv_default = "none";
+
+if ($opt_mitkrb5 == 1) {
+ $ENV{MITKRB5} = $opt_mitkrb5;
+ $ENV{KRB5RCACHETYPE} = "none";
+}
+
+# After this many seconds, the server will self-terminate. All tests
+# must terminate in this time, and testenv will only stay alive this
+# long
+
+my $server_maxtime;
+if ($opt_testenv) {
+ # 1 year should be enough :-)
+ $server_maxtime = 365 * 24 * 60 * 60;
+} else {
+ # make test should run under 5 hours
+ $server_maxtime = 5 * 60 * 60;
+}
+
+if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {
+ $server_maxtime = $ENV{SMBD_MAXTIME};
+}
+
+$target = new Samba($bindir, $srcdir, $server_maxtime,
+ $opt_socket_wrapper_pcap,
+ $opt_socket_wrapper_keep_pcap);
+unless ($opt_list) {
+ if ($opt_target eq "samba") {
+ $testenv_default = "ad_dc";
+ } elsif ($opt_target eq "samba3") {
+ $testenv_default = "nt4_member";
+ }
+}
+
+sub read_test_regexes($)
+{
+ my ($name) = @_;
+ my @ret = ();
+ open(LF, "<$name") or die("unable to read $name: $!");
+ while (<LF>) {
+ chomp;
+ next if (/^#/);
+ if (/^(.*?)([ \t]+)\#([\t ]*)(.*?)$/) {
+ push (@ret, [$1, $4]);
+ } else {
+ s/^(.*?)([ \t]+)\#([\t ]*)(.*?)$//;
+ push (@ret, [$_, undef]);
+ }
+ }
+ close(LF);
+ return @ret;
+}
+
+foreach (@opt_exclude) {
+ push (@excludes, read_test_regexes($_));
+}
+
+foreach (@opt_include) {
+ push (@includes, read_test_regexes($_));
+}
+
+# We give the selftest client 6 different IPv4 addresses to use. Most tests
+# only use the first (.11) IP. Note that winsreplication.c is one test that
+# uses the other IPs (search for iface_list_count()).
+$ENV{SOCKET_WRAPPER_IPV4_NETWORK} = "10.53.57.0";
+my $interfaces = Samba::get_interfaces_config("client", 6);
+
+my $clientdir = "$prefix_abs/client";
+
+my $conffile = "$clientdir/client.conf";
+$ENV{SMB_CONF_PATH} = $conffile;
+
+sub write_clientconf($$$)
+{
+ my ($conffile, $clientdir, $vars) = @_;
+
+ mkdir("$clientdir", 0777) unless -d "$clientdir";
+
+ my @subdirs = (
+ { name => "private", mask => 0777 },
+ { name => "bind-dns", mask => 0777 },
+ { name => "lockdir", mask => 0777 },
+ { name => "statedir", mask => 0777 },
+ { name => "cachedir", mask => 0777 },
+ { name => "pkinit", mask => 0700 },
+ { name => "pid", mask => 0777 },
+ # the ncalrpcdir needs exactly 0755 otherwise tests fail.
+ { name => "ncalrpcdir", mask => 0755, umask => 0022 },
+ );
+
+ foreach my $sub (@subdirs) {
+ my $dir = "$clientdir/$sub->{name}";
+ remove_tree($dir);
+ my $mask = umask;
+ if (defined($sub->{umask})) {
+ umask $sub->{umask};
+ }
+ mkdir($dir, $sub->{mask});
+ umask $mask;
+ }
+
+ my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
+ my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
+ my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
+ my $ca_users_dir = "$cadir/Users";
+ my $client_loglevel = $ENV{CLIENT_LOG_LEVEL} || 1;
+
+ # each user has a USER-${USER_PRINCIPAL_NAME}-cert.pem and
+ # USER-${USER_PRINCIPAL_NAME}-private-key.pem symlink
+ # We make a copy here and make the certificated easily
+ # accessable in the client environment.
+ my $mask = umask;
+ umask 0077;
+ opendir USERS, "${ca_users_dir}" or die "Could not open dir '${ca_users_dir}': $!";
+ for my $d (readdir USERS) {
+ my $user_dir = "${ca_users_dir}/${d}";
+ next if ${d} =~ /^\./;
+ next if (! -d "${user_dir}");
+ opendir USER, "${user_dir}" or die "Could not open dir '${user_dir}': $!";
+ for my $l (readdir USER) {
+ my $user_link = "${user_dir}/${l}";
+ next if ${l} =~ /^\./;
+ next if (! -l "${user_link}");
+
+ my $dest = "${clientdir}/pkinit/${l}";
+ Samba::copy_file_content(${user_link}, ${dest});
+ }
+ closedir USER;
+ }
+ closedir USERS;
+ umask $mask;
+
+ open(CF, ">$conffile");
+ print CF "[global]\n";
+ print CF "\tnetbios name = client\n";
+ if (defined($vars->{DOMAIN})) {
+ print CF "\tworkgroup = $vars->{DOMAIN}\n";
+ }
+ if (defined($vars->{REALM})) {
+ print CF "\trealm = $vars->{REALM}\n";
+ }
+ if ($opt_socket_wrapper) {
+ print CF "\tinterfaces = $interfaces\n";
+ }
+ print CF "
+ private dir = $clientdir/private
+ binddns dir = $clientdir/bind-dns
+ lock dir = $clientdir/lockdir
+ state directory = $clientdir/statedir
+ cache directory = $clientdir/cachedir
+ ncalrpc dir = $clientdir/ncalrpcdir
+ pid directory = $clientdir/pid
+ panic action = $RealBin/gdb_backtrace \%d
+ max xmit = 32K
+ notify:inotify = false
+ ldb:nosync = true
+ system:anonymous = true
+ client lanman auth = Yes
+ client min protocol = CORE
+ log level = $client_loglevel
+ torture:basedir = $clientdir
+#We don't want to run 'speed' tests for very long
+ torture:timelimit = 1
+ winbind separator = /
+ tls cafile = ${cacert}
+ tls crlfile = ${cacrl_pem}
+ tls verify peer = no_check
+ include system krb5 conf = no
+ elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
+";
+ close(CF);
+}
+
+my @todo = ();
+
+sub should_run_test($)
+{
+ my $name = shift;
+ if ($#tests == -1) {
+ return 1;
+ }
+ for (my $i=0; $i <= $#tests; $i++) {
+ if ($name =~ /$tests[$i]/i) {
+ return 1;
+ }
+ }
+ return 0;
+}
+
+sub read_testlist($)
+{
+ my ($filename) = @_;
+
+ my @ret = ();
+ open(IN, $filename) or die("Unable to open $filename: $!");
+
+ while (<IN>) {
+ if (/-- TEST(-LOADLIST|) --\n/) {
+ my $supports_loadlist = (defined($1) and $1 eq "-LOADLIST");
+ my $name = <IN>;
+ $name =~ s/\n//g;
+ my $env = <IN>;
+ $env =~ s/\n//g;
+ my $loadlist;
+ if ($supports_loadlist) {
+ $loadlist = <IN>;
+ $loadlist =~ s/\n//g;
+ }
+ my $cmdline = <IN>;
+ $cmdline =~ s/\n//g;
+ if (should_run_test($name) == 1) {
+ push (@ret, [$name, $env, $cmdline, $loadlist]);
+ }
+ } else {
+ print;
+ }
+ }
+ close(IN) or die("Error creating recipe from $filename");
+ return @ret;
+}
+
+if ($#testlists == -1) {
+ die("No testlists specified");
+}
+
+$ENV{SELFTEST_PREFIX} = "$prefix_abs";
+$ENV{SELFTEST_TMPDIR} = "$tmpdir_abs";
+$ENV{TMPDIR} = "$tmpdir_abs";
+$ENV{TEST_DATA_PREFIX} = "$tmpdir_abs";
+if ($opt_quick) {
+ $ENV{SELFTEST_QUICK} = "1";
+} else {
+ $ENV{SELFTEST_QUICK} = "";
+}
+$ENV{SELFTEST_MAXTIME} = $torture_maxtime;
+
+my $selftest_resolv_conf_path = "$tmpdir_abs/selftest.resolv.conf";
+$ENV{RESOLV_CONF} = "${selftest_resolv_conf_path}.global";
+
+my $selftest_krbt_ccache_path = "$tmpdir_abs/selftest.krb5_ccache";
+$ENV{KRB5CCNAME} = "FILE:${selftest_krbt_ccache_path}.global";
+
+my $selftest_gnupghome_path = "$tmpdir_abs/selftest.no.gnupg";
+$ENV{GNUPGHOME} = "${selftest_gnupghome_path}.global";
+
+my @available = ();
+foreach my $fn (@testlists) {
+ foreach (read_testlist($fn)) {
+ my $name = $$_[0];
+ next if (@includes and not defined(find_in_list(\@includes, $name)));
+ push (@available, $_);
+ }
+}
+
+my $restricted = undef;
+my $restricted_used = {};
+
+if ($opt_load_list) {
+ $restricted = [];
+ open(LOAD_LIST, "<$opt_load_list") or die("Unable to open $opt_load_list");
+ while (<LOAD_LIST>) {
+ chomp;
+ push (@$restricted, $_);
+ }
+ close(LOAD_LIST);
+}
+
+my $individual_tests = undef;
+$individual_tests = {};
+
+foreach my $testsuite (@available) {
+ my $name = $$testsuite[0];
+ my $skipreason = skip(@$testsuite);
+ if (defined($restricted)) {
+ # Find the testsuite for this test
+ my $match = undef;
+ foreach my $r (@$restricted) {
+ if ($r eq $name) {
+ $individual_tests->{$name} = [];
+ $match = $r;
+ $restricted_used->{$r} = 1;
+ } elsif (substr($r, 0, length($name)+1) eq "$name.") {
+ push(@{$individual_tests->{$name}}, $r);
+ $match = $r;
+ $restricted_used->{$r} = 1;
+ }
+ }
+ if ($match) {
+ if (defined($skipreason)) {
+ if (not $opt_list) {
+ Subunit::skip_testsuite($name, $skipreason);
+ }
+ } else {
+ push(@todo, $testsuite);
+ }
+ }
+ } elsif (defined($skipreason)) {
+ if (not $opt_list) {
+ Subunit::skip_testsuite($name, $skipreason);
+ }
+ } else {
+ push(@todo, $testsuite);
+ }
+}
+
+if (defined($restricted)) {
+ foreach (@$restricted) {
+ unless (defined($restricted_used->{$_})) {
+ print "No test or testsuite found matching $_\n";
+ }
+ }
+} elsif ($#todo == -1) {
+ print STDERR "No tests to run\n";
+ exit(1);
+}
+
+my $suitestotal = $#todo + 1;
+
+unless ($opt_list) {
+ Subunit::progress($suitestotal);
+ Subunit::report_time();
+}
+
+my $i = 0;
+$| = 1;
+
+my %running_envs = ();
+
+sub get_running_env($)
+{
+ my ($name) = @_;
+
+ my $envname = $name;
+
+ $envname =~ s/:.*//;
+
+ return $running_envs{$envname};
+}
+
+sub sighandler($)
+{
+ my $signame = shift;
+
+ $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = 'DEFAULT';
+ $SIG{PIPE} = 'IGNORE';
+
+ open(STDOUT, ">&STDERR") or die "can't dup STDOUT to STDERR: $!";
+
+ print "$0: PID[$$]: Got SIG${signame} teardown environments.\n";
+ teardown_env($_) foreach(keys %running_envs);
+ system("pstree -p $$");
+ print "$0: PID[$$]: Exiting...\n";
+ exit(1);
+};
+
+$SIG{INT} = $SIG{QUIT} = $SIG{TERM} = $SIG{PIPE} = \&sighandler;
+
+sub setup_env($$)
+{
+ my ($name, $prefix) = @_;
+
+ my $testenv_vars = undef;
+
+ my $envname = $name;
+ my $option = $name;
+
+ $envname =~ s/:.*//;
+ $option =~ s/^[^:]*//;
+ $option =~ s/^://;
+
+ $option = "client" if $option eq "";
+
+ # Initially clear out the environment for the provision, so previous envs'
+ # variables don't leak in. Provisioning steps must explicitly set their
+ # necessary variables when calling out to other executables
+ Samba::clear_exported_envvars();
+ delete $ENV{SOCKET_WRAPPER_DEFAULT_IFACE};
+ delete $ENV{SMB_CONF_PATH};
+
+ $ENV{RESOLV_CONF} = "${selftest_resolv_conf_path}.${envname}/ignore";
+ $ENV{KRB5CCNAME} = "FILE:${selftest_krbt_ccache_path}.${envname}/ignore";
+ $ENV{GNUPGHOME} = "${selftest_gnupghome_path}.${envname}/ignore";
+
+ if (defined(get_running_env($envname))) {
+ $testenv_vars = get_running_env($envname);
+ if (not $testenv_vars->{target}->check_env($testenv_vars)) {
+ print $testenv_vars->{target}->getlog_env($testenv_vars);
+ $testenv_vars = undef;
+ }
+ } else {
+ $testenv_vars = $target->setup_env($envname, $prefix);
+ if (not defined($testenv_vars)) {
+ my $msg = "$opt_target can't start up known environment '$envname'";
+ if ($opt_one) {
+ die($msg);
+ }
+ warn $msg;
+ return;
+ }
+ if (ref $testenv_vars ne "HASH") {
+ return $testenv_vars;
+ }
+ if (defined($testenv_vars->{target})) {
+ $testenv_vars->{target} = $target;
+ }
+ }
+
+ return undef unless defined($testenv_vars);
+
+ $running_envs{$envname} = $testenv_vars;
+
+ if ($option eq "local") {
+ SocketWrapper::set_default_iface($testenv_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ $ENV{SMB_CONF_PATH} = $testenv_vars->{SERVERCONFFILE};
+ } elsif ($option eq "client") {
+ SocketWrapper::set_default_iface(11);
+ write_clientconf($conffile, $clientdir, $testenv_vars);
+ $ENV{SMB_CONF_PATH} = $conffile;
+ } else {
+ die("Unknown option[$option] for envname[$envname]");
+ }
+
+ # export the environment variables for the testenv (SERVER, SERVER_IP, etc)
+ Samba::export_envvars($testenv_vars);
+
+ my $krb5_ccache_path = "${selftest_krbt_ccache_path}.${envname}.${option}";
+ unlink($krb5_ccache_path);
+ $ENV{KRB5CCNAME} = "FILE:${krb5_ccache_path}";
+ return $testenv_vars;
+}
+
+sub getlog_env($)
+{
+ my ($envname) = @_;
+ return "" if ($envname eq "none");
+ my $env = get_running_env($envname);
+ return $env->{target}->getlog_env($env);
+}
+
+sub check_env($)
+{
+ my ($envname) = @_;
+ my $env = get_running_env($envname);
+ return $env->{target}->check_env($env);
+}
+
+sub teardown_env($)
+{
+ my ($envname) = @_;
+ return if ($envname eq "none");
+ print STDERR "teardown_env($envname)\n";
+ my $env = get_running_env($envname);
+ $env->{target}->teardown_env($env);
+ delete $running_envs{$envname};
+}
+
+# This 'global' file needs to be empty when we start
+unlink("$prefix_abs/dns_host_file");
+unlink("$prefix_abs/hosts");
+
+if ($opt_random_order) {
+ require List::Util;
+ my @newtodo = List::Util::shuffle(@todo);
+ @todo = @newtodo;
+}
+
+if ($opt_testenv) {
+ my $testenv_name = $ENV{SELFTEST_TESTENV};
+ $testenv_name = $testenv_default unless defined($testenv_name);
+
+ my $testenv_vars = setup_env($testenv_name, $prefix);
+
+ if (not $testenv_vars or $testenv_vars eq "UNKNOWN") {
+ die("Unable to setup environment $testenv_name");
+ }
+
+ $ENV{PIDDIR} = $testenv_vars->{PIDDIR};
+ $ENV{ENVNAME} = $testenv_name;
+
+ my $envvarstr = Samba::exported_envvars_str($testenv_vars);
+
+ my @term_args = ("echo -e \"
+Welcome to the Samba4 Test environment '$testenv_name'
+
+This matches the client environment used in make test
+server is pid `cat \$PIDDIR/samba.pid`
+
+Some useful environment variables:
+TORTURE_OPTIONS=\$TORTURE_OPTIONS
+SMB_CONF_PATH=\$SMB_CONF_PATH
+
+$envvarstr
+\" && LD_LIBRARY_PATH=$ENV{LD_LIBRARY_PATH} bash");
+ my @term = ();
+ if ($ENV{TERMINAL}) {
+ @term = ($ENV{TERMINAL});
+ # override the default terminal args (if specified)
+ if (defined($ENV{TERMINAL_ARGS})) {
+ @term_args = split(/ /, $ENV{TERMINAL_ARGS});
+ }
+ } else {
+ @term = ("xterm", "-e");
+ unshift(@term_args, ("bash", "-c"));
+ }
+
+ system(@term, @term_args);
+
+ teardown_env($testenv_name);
+} elsif ($opt_list) {
+ foreach (@todo) {
+ my $name = $$_[0];
+ my $envname = $$_[1];
+ my $cmd = $$_[2];
+ my $listcmd = $$_[3];
+
+ unless (defined($listcmd)) {
+ warn("Unable to list tests in $name");
+ # Rather than ignoring this testsuite altogether, just pretend the entire testsuite is
+ # a single "test".
+ print "$name\n";
+ next;
+ }
+
+ system($listcmd);
+
+ if ($? == -1) {
+ die("Unable to run $listcmd: $!");
+ } elsif ($? & 127) {
+ die(sprintf("%s died with signal %d, %s coredump\n", $listcmd, ($? & 127), ($? & 128) ? 'with' : 'without'));
+ }
+
+ my $exitcode = $? >> 8;
+ if ($exitcode != 0) {
+ die("$cmd exited with exit code $exitcode");
+ }
+ }
+} else {
+ foreach (@todo) {
+ $i++;
+ my $cmd = $$_[2];
+ my $name = $$_[0];
+ my $envname = $$_[1];
+ my $envvars = setup_env($envname, $prefix);
+
+ if (not defined($envvars)) {
+ Subunit::start_testsuite($name);
+ Subunit::end_testsuite($name, "error",
+ "unable to set up environment $envname - exiting");
+ next;
+ } elsif ($envvars eq "UNKNOWN") {
+ Subunit::start_testsuite($name);
+ Subunit::end_testsuite($name, "error",
+ "environment $envname is unknown - exiting");
+ next;
+ }
+
+ # Generate a file with the individual tests to run, if the
+ # test runner for this test suite supports it.
+ if ($individual_tests and $individual_tests->{$name}) {
+ if ($$_[3]) {
+ my ($fh, $listid_file) = tempfile(UNLINK => 0);
+ foreach my $test (@{$individual_tests->{$name}}) {
+ print $fh substr($test, length($name)+1) . "\n";
+ }
+ $cmd =~ s/\$LOADLIST/--load-list=$listid_file/g;
+ } else {
+ warn("Unable to run individual tests in $name, it does not support --loadlist.");
+ }
+ }
+
+ run_testsuite($envname, $name, $cmd, $i, $suitestotal);
+
+ teardown_env($envname) if ($opt_resetup_env);
+ }
+}
+
+print "\n";
+
+teardown_env($_) foreach (keys %running_envs);
+
+my $failed = 0;
+
+# if there were any valgrind failures, show them
+foreach (<$prefix/valgrind.log*>) {
+ next unless (-s $_);
+ print "VALGRIND FAILURE\n";
+ $failed++;
+ system("cat $_");
+}
+exit 0;
diff --git a/selftest/selftest.pl.1 b/selftest/selftest.pl.1
new file mode 100644
index 0000000..f33b810
--- /dev/null
+++ b/selftest/selftest.pl.1
@@ -0,0 +1,78 @@
+.IX Title "SELFTEST 1"
+.TH SELFTEST 1 "2012-02-24" "selftest" "Samba"
+.if n .ad l
+.nh
+.SH "NAME"
+selftest \- Samba test runner
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+selftest \-\-help
+.PP
+selftest [\-\-srcdir=DIR] [\-\-bindir=DIR] [\-\-target=samba|samba3|win] [\-\-socket\-wrapper] [\-\-quick] [\-\-exclude=FILE] [\-\-include=FILE] [\-\-one] [\-\-prefix=prefix] [\-\-testlist=FILE] [\s-1TESTS\s0]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+A simple test runner. \s-1TESTS\s0 is a regular expression with tests to run.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fI\-\-help\fR" 4
+.IX Item "--help"
+Show list of available options.
+.IP "\fI\-\-srcdir=DIR\fR" 4
+.IX Item "--srcdir=DIR"
+Source directory.
+.IP "\fI\-\-bindir=DIR\fR" 4
+.IX Item "--bindir=DIR"
+Built binaries directory.
+.IP "\fI\-\-prefix=DIR\fR" 4
+.IX Item "--prefix=DIR"
+Change directory to run tests in. Default is 'st'.
+.IP "\fI\-\-target samba|samba3|win\fR" 4
+.IX Item "--target samba|samba3|win"
+Specify test target against which to run. Default is 'samba4'.
+.IP "\fI\-\-quick\fR" 4
+.IX Item "--quick"
+Run only a limited number of tests. Intended to run in about 30 seconds on
+moderately recent systems.
+.IP "\fI\-\-socket\-wrapper\fR" 4
+.IX Item "--socket-wrapper"
+Use socket wrapper library for communication with server. Only works
+when the server is running locally.
+.Sp
+Will prevent \s-1TCP\s0 and \s-1UDP\s0 ports being opened on the local host but
+(transparently) redirects these calls to use unix domain sockets.
+.IP "\fI\-\-exclude\fR" 4
+.IX Item "--exclude"
+Specify a file containing a list of tests that should be skipped. Possible
+candidates are tests that segfault the server, flip or don't end.
+.IP "\fI\-\-include\fR" 4
+.IX Item "--include"
+Specify a file containing a list of tests that should be run. Same format
+as the \-\-exclude flag.
+.Sp
+Not includes specified means all tests will be run.
+.IP "\fI\-\-one\fR" 4
+.IX Item "--one"
+Abort as soon as one test fails.
+.IP "\fI\-\-testlist\fR" 4
+.IX Item "--testlist"
+Load a list of tests from the specified location.
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+.IP "\fI\s-1SMBD_VALGRIND\s0\fR" 4
+.IX Item "SMBD_VALGRIND"
+.PD 0
+.IP "\fI\s-1TORTURE_MAXTIME\s0\fR" 4
+.IX Item "TORTURE_MAXTIME"
+.IP "\fI\s-1VALGRIND\s0\fR" 4
+.IX Item "VALGRIND"
+.IP "\fI\s-1TLS_ENABLED\s0\fR" 4
+.IX Item "TLS_ENABLED"
+.IP "\fIsrcdir\fR" 4
+.IX Item "srcdir"
+.PD
+.SH "LICENSE"
+.IX Header "LICENSE"
+selftest is licensed under the \s-1GNU\s0 General Public License <http://www.gnu.org/licenses/gpl.html>.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Pidl was written by Jelmer Vernooij.
diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py
new file mode 100644
index 0000000..1af8f5f
--- /dev/null
+++ b/selftest/selftesthelpers.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python3
+#
+# This script generates a list of testsuites that should be run as part of
+# the Samba 4 test suite.
+
+# The output of this script is parsed by selftest.pl, which then decides
+# which of the tests to actually run. It will, for example, skip all tests
+# listed in selftest/skip or only run a subset during "make quicktest".
+
+# The idea is that this script outputs all of the tests of Samba 4, not
+# just those that are known to pass, and list those that should be skipped
+# or are known to fail in selftest/skip or selftest/knownfail. This makes it
+# very easy to see what functionality is still missing in Samba 4 and makes
+# it possible to run the testsuite against other servers, such as Samba 3 or
+# Windows that have a different set of features.
+
+# The syntax for a testsuite is "-- TEST --" on a single line, followed
+# by the name of the test, the environment it needs and the command to run, all
+# three separated by newlines. All other lines in the output are considered
+# comments.
+
+import os
+import subprocess
+import sys
+
+
+def srcdir():
+ alternate_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")
+ return os.path.normpath(os.getenv("SRCDIR", alternate_path))
+
+
+def source4dir():
+ return os.path.normpath(os.path.join(srcdir(), "source4"))
+
+
+def source3dir():
+ return os.path.normpath(os.path.join(srcdir(), "source3"))
+
+
+def bindir():
+ return os.path.normpath(os.getenv("BINDIR", "./bin"))
+
+
+def binpath(name):
+ return os.path.join(bindir(), name)
+
+
+# Split perl variable to allow $PERL to be set to e.g. "perl -W"
+perl = os.getenv("PERL", "perl").split()
+
+if subprocess.call(perl + ["-e", "eval require Test::More;"]) == 0:
+ has_perl_test_more = True
+else:
+ has_perl_test_more = False
+
+python = os.getenv("PYTHON", "python")
+
+tap2subunit = python + " " + os.path.join(srcdir(), "selftest", "tap2subunit")
+
+
+def valgrindify(cmdline):
+ """Run a command under valgrind, if $VALGRIND was set."""
+ valgrind = os.getenv("VALGRIND")
+ if valgrind is None:
+ return cmdline
+ return valgrind + " " + cmdline
+
+
+def plantestsuite(name, env, cmd, environ={}):
+ """Plan a test suite.
+
+ :param name: Testsuite name
+ :param env: Environment to run the testsuite in
+ :param cmdline: Command line to run
+ """
+ print("-- TEST --")
+ if env == "none":
+ fullname = name
+ else:
+ fullname = "%s(%s)" % (name, env)
+ print(fullname)
+ print(env)
+
+ cmdline = ""
+ if environ:
+ environ = dict(environ)
+ cmdline_env = ["%s=%s" % item for item in environ.items()]
+ cmdline = " ".join(cmdline_env) + " "
+
+ if isinstance(cmd, list):
+ cmdline += " ".join(cmd)
+ else:
+ cmdline += cmd
+
+ if "$LISTOPT" in cmdline:
+ raise AssertionError("test %s supports --list, but not --load-list" % name)
+ print(cmdline + " 2>&1 " + " | " + add_prefix(name, env))
+
+
+def add_prefix(prefix, env, support_list=False):
+ if support_list:
+ listopt = "$LISTOPT "
+ else:
+ listopt = ""
+ return ("%s %s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" %
+ (python, srcdir(), listopt, prefix, env))
+
+
+def plantestsuite_loadlist(name, env, cmdline):
+ print("-- TEST-LOADLIST --")
+ if env == "none":
+ fullname = name
+ else:
+ fullname = "%s(%s)" % (name, env)
+ print(fullname)
+ print(env)
+ if isinstance(cmdline, list):
+ cmdline = " ".join(cmdline)
+ support_list = ("$LISTOPT" in cmdline)
+ if "$LISTOPT" not in cmdline:
+ raise AssertionError("loadlist test %s does not support not --list" % name)
+ if "$LOADLIST" not in cmdline:
+ raise AssertionError("loadlist test %s does not support --load-list" % name)
+ print(("%s | %s" %
+ (cmdline.replace("$LOADLIST", ""),
+ add_prefix(name, env, support_list))).replace("$LISTOPT", "--list "))
+ print(cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False))
+
+
+def skiptestsuite(name, reason):
+ """Indicate that a testsuite was skipped.
+
+ :param name: Test suite name
+ :param reason: Reason the test suite was skipped
+ """
+ # FIXME: Report this using subunit, but re-adjust the testsuite count somehow
+ print("skipping %s (%s)" % (name, reason), file=sys.stderr)
+
+
+def planperltestsuite(name, path):
+ """Run a perl test suite.
+
+ :param name: Name of the test suite
+ :param path: Path to the test runner
+ """
+ if has_perl_test_more:
+ plantestsuite(name, "none", "%s %s | %s" % (" ".join(perl), path, tap2subunit))
+ else:
+ skiptestsuite(name, "Test::More not available")
+
+
+def planpythontestsuite(env, module, name=None, extra_path=[], environ={}, extra_args=[]):
+ environ = dict(environ)
+ py_path = list(extra_path)
+ if py_path is not None:
+ environ["PYTHONPATH"] = ":".join(["$PYTHONPATH"] + py_path)
+ args = ["%s=%s" % item for item in environ.items()]
+ args += [python, "-m", "samba.subunit.run", "$LISTOPT", "$LOADLIST", module]
+ args += extra_args
+ if name is None:
+ name = module
+
+ plantestsuite_loadlist(name, env, args)
+
+
+def get_env_torture_options():
+ ret = []
+ if not os.getenv("SELFTEST_VERBOSE"):
+ ret.append("--option=torture:progress=no")
+ if os.getenv("SELFTEST_QUICK"):
+ ret.append("--option=torture:quick=yes")
+ return ret
+
+
+samba4srcdir = source4dir()
+samba3srcdir = source3dir()
+bbdir = os.path.join(srcdir(), "testprogs/blackbox")
+configuration = "--configfile=$SMB_CONF_PATH"
+
+smbtorture4 = binpath("smbtorture")
+smbtorture4_testsuite_list = subprocess.Popen(
+ [smbtorture4, "--list-suites"],
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE).communicate("")[0].decode('utf8').splitlines()
+
+smbtorture4_options = [
+ configuration,
+ "--option=\'fss:sequence timeout=1\'",
+ "--maximum-runtime=$SELFTEST_MAXTIME",
+ "--basedir=$SELFTEST_TMPDIR",
+ "--format=subunit"
+] + get_env_torture_options()
+
+
+def plansmbtorture4testsuite(name, env, options, target, modname=None, environ={}):
+ if modname is None:
+ modname = "samba4.%s" % name
+ if isinstance(options, list):
+ options = " ".join(options)
+ options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options
+ cmdline = ""
+ if environ:
+ environ = dict(environ)
+ cmdline_env = ["%s=%s" % item for item in environ.items()]
+ cmdline += " ".join(cmdline_env) + " "
+ cmdline += " %s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name)
+ plantestsuite_loadlist(modname, env, cmdline)
+
+
+def smbtorture4_testsuites(prefix):
+ return list(filter(lambda x: x.startswith(prefix), smbtorture4_testsuite_list))
+
+
+smbclient3 = binpath('smbclient')
+smbtorture3 = binpath('smbtorture3')
+ntlm_auth3 = binpath('ntlm_auth')
+net = binpath('net')
+scriptdir = os.path.join(srcdir(), "script/tests")
+
+wbinfo = binpath('wbinfo')
+dbwrap_tool = binpath('dbwrap_tool')
+vfstest = binpath('vfstest')
+smbcquotas = binpath('smbcquotas')
+smbget = binpath('smbget')
+rpcclient = binpath('rpcclient')
+smbcacls = binpath('smbcacls')
+smbcontrol = binpath('smbcontrol')
+smbstatus = binpath('smbstatus')
+timelimit = binpath('timelimit')
diff --git a/selftest/skip b/selftest/skip
new file mode 100644
index 0000000..d5cc786
--- /dev/null
+++ b/selftest/skip
@@ -0,0 +1,150 @@
+# This file contains a list of regular expressions matching testsuites that
+# should be skipped during "make test".
+#
+# Possible reasons for adding a testsuite here:
+# * Testsuite functionality not implemented on the server side
+# * Testsuite crashes during run
+# * Testsuite crashes server
+# * Testsuite contains "flapping" tests (sometimes success, sometimes failure)
+# * Testsuite hangs indefinitely
+#
+# If a testsuite is partially succeeding, please list the failing bits
+# in the selftest/knownfail file rather than disabling the testsuite completely.
+# That way those tests that do succeed still get run and we will be notified
+# if a known failing test suddenly starts succeeding.
+#
+# If a testsuite is very slow, please add it to selftest/slow instead.
+# This way it will still get run in "make slowtest"
+#
+# Please add a comment for each testsuite you disable explaining why
+# it is being skipped.
+^samba3.smbtorture_s3.*.randomipc
+^samba3.smbtorture_s3.*.negnowait
+^samba3.smbtorture_s3.*.nbench
+^samba3.smbtorture_s3.*.errmapextract
+^samba3.smbtorture_s3.*.trans2scan
+^samba3.smbtorture_s3.*.nttransscan
+^samba3.smbtorture_s3.*.deny1
+^samba3.smbtorture_s3.*.deny2
+^samba3.smbtorture_s3.*.openattr
+^samba3.smbtorture_s3.*.casetable
+^samba3.smbtorture_s3.*.eatest
+^samba3.smbtorture_s3.*.mangle
+^samba3.smbtorture_s3.*.utable
+^samba3.smbtorture_s3.*.pipe_number
+^samba3.smbtorture_s3.LOCAL-DBTRANS #hangs for some reason
+^samba3.smbtorture_s3.*.DIR1 #loops on 64 bit linux with ext4
+^samba3.smbtorture_s3.plain.LOCK9.*\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.OPLOCK2\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.STREAMERROR\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.DIR1\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.DIR-CREATETIME\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.DELETE-LN\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.UID-REGRESSION-TEST\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SHORTNAME-TEST\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.RENAME-ACCESS\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.OWNER-RIGHTS\(ad_dc_ntvfs\) # Don't test against the s4 ntvfs server anymore
+^samba3.smbtorture_s3.plain.PIDHIGH\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.NTTRANS-FSCTL\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB2-NEGPROT\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.BAD-NBT-SESSION\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB2-SESSION-REAUTH\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB2-SESSION-RECONNECT\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-UNLINK\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.smbtorture_s3.plain.SMB1-WILD-MANGLE-RENAME\(ad_dc_ntvfs\) # Fails against the s4 ntvfs server
+^samba3.*base.charset
+^samba3.*raw.context
+^samba3.*raw.ioctl
+^samba3.*raw.qfileinfo
+^samba3.*raw.qfsinfo
+^samba3.*raw.sfileinfo.base
+^samba3.smb2.hold-oplock # Not a test, but a way to block other clients for a test
+^samba3.smb2.hold-sharemode # Not a test, but a way to block other clients for a test
+^samba3.smb2.check-sharemode # Not a test, but a way to test sharemodes outside of Samba
+^samba3.smb2.set-sparse-ioctl # For manual testing, needs additional parameters.
+^samba3.smb2.zero-data-ioctl # For manual testing, needs additional parameters.
+^samba3.smb2.durable-open-disconnect # Not a test, but a way to create a disconnected durable
+^samba3.smb2.scan # No tests
+^samba3.smb2.oplock.levelii501 # No test yet
+^samba3.smb2.timestamp_resolution # See the comment on the test
+^samba4.smb2.timestamp_resolution
+^samba3.rpc.samr.passwords.lockout\(ad_dc\) # No point running this version, it just waits 12 times longer the samba4 version of this test, covering the same code
+^samba4.base.iometer
+^samba4.base.casetable
+^samba4.base.nttrans
+^samba4.base.scan.maxfid
+^samba4.raw.eas
+^samba4.raw.hold-oplock # Not a test, but a way to block other clients for a test
+^samba4.smb2.hold-oplock # Not a test, but a way to block other clients for a test
+^samba4.smb2.hold-sharemode # Not a test, but a way to block other clients for a test
+^samba4.smb2.check-sharemode # Not a test, but a way to test sharemodes outside of Samba
+^samba4.smb2.set-sparse-ioctl # For manual testing, needs additional parameters.
+^samba4.smb2.zero-data-ioctl # For manual testing, needs additional parameters.
+^samba4.raw.ping.pong # Needs second server to test
+^samba4.rpc.samr.accessmask
+^samba4.raw.scan.eamax
+^samba4.smb2.samba3misc
+^samba4.smb2.notify
+^samba4.smb2.scan
+^samba4.smb2.lease
+^samba4.smb2.durable-open
+^samba4.smb2.durable-v2-open
+^samba4.smb2.dir
+^samba4.smb2.session
+^samba4.smb2.compound
+^samba4.smb2.multichannel
+^samba4.smb2.oplock.levelii501 # No test yet
+# SMB2 in s4 does not seem to support rename correctly
+^samba4.smb2.rename.*\(ad_dc_ntvfs\)$
+# some operations don't work over the CIFS NTVFS backend yet (eg. root_fid)
+^samba4.ntvfs.cifs.*.base.createx_sharemodes_dir
+^samba4.ntvfs.cifs.*.base.charset
+^samba4.ntvfs.cifs.*.base.iometer
+^samba4.ntvfs.cifs.*.base.casetable
+^samba4.ntvfs.cifs.*.base.nttrans
+^samba4.ntvfs.cifs.*.base.scan-maxfid
+^samba4.ntvfs.cifs.*.base.utable
+^samba4.ntvfs.cifs.*.base.smb
+^samba4.ntvfs.cifs.*.raw.
+^samba4.rpc.samsync
+^samba4.rpc.remact # Not provided by Samba 4
+^samba4.rpc.oxidresolve # Not provided by Samba 4
+^samba4.rpc.eventlog # Not provided by Samba 4
+^samba4.rpc.initshutdown # Not provided by Samba 4
+^samba4.rpc.spoolss # Not provided by Samba 4
+^samba4.rpc.svcctl # Not provided by Samba 4
+^samba4.rpc.atsvc # Not provided by Samba 4
+^samba4.rpc.frsapi # Not provided by Samba 4
+^samba4.rpc.ntsvcs # Not provided by Samba 4
+^samba4.rpc.dfs # Not provided by Samba 4
+^samba4.rpc.witness # Not provided by Samba 4
+^samba4.rpc.clusapi # clusapi server support not yet provided
+^samba4.rpc.iremotewinspool.*\(ad_dc_default\)$ # Not provided by Samba 4
+^samba4.*.base.samba3.* # Samba3-specific test
+^samba4.*.raw.samba3.* # Samba3-specific test
+^samba4.rpc..*samba3.* # Samba3-specific test
+^samba4.raw.offline # Samba 4 doesn't have much offline support yet
+^samba4.rpc.countcalls # this is not useful now we have full IDL
+^samba4.rap.basic
+^samba4.rap.scan # same thing here - we have docs now
+^samba4.rap.printing # Not provided by Samba 4
+^samba4.rap.rpc
+^samba4.rap.sam # Not provided by Samba 4
+bench # don't run benchmarks in our selftest
+^samba4..*trans2.scan # uses huge number of file descriptors
+^samba4.*.base.scan.ioctl # bad idea in make test
+^samba4.*.base.scan.pipe_number # bad idea in make test
+^samba4.*.base.secleak # no point on build farm
+^samba4.*.base.delaywrite # This is randomly failing, depending on timing and filesystem features
+^samba4.*.base.winattr
+^samba4.*.base.birthtime
+^samba4.*base.defer_open
+^samba4.smb2.acls # new test which doesn't pass yet
+^samba4.smb2.sdread
+# ktutil might not be installed or from mit...
+# we should build a samba4ktutil and use that instead
+^samba4.blackbox.ktpass # this test isn't portable ...
+^samba.tests.dcerpc.unix # This contains a server-side getpwuid call which hangs the server when nss_winbindd is in use
+^samba4.smb2.mangle.*\(ad_dc_ntvfs\)$ # Ignore ad_dc_ntvfs since this is a new test
+^samba4.smb2.tcon.*\(ad_dc_ntvfs\)$ # Ignore ad_dc_ntvfs since this is a new test
+^samba4.smb2.mkdir.*\(ad_dc_ntvfs\)$ # Ignore ad_dc_ntvfs since this is a new test
diff --git a/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X b/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
new file mode 100644
index 0000000..9ec679d
--- /dev/null
+++ b/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X
@@ -0,0 +1,6 @@
+# GSS_KRB5_CRED_NO_CI_FLAGS_X is not available in older MIT releases (< 1.14)
+^samba3.rpc.lsa.lookupsids.krb5.*ncacn.*packet.*ktest
+^samba3.rpc.lsa.lookupsids.krb5.*ncacn.*sign.*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*krb5\].*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*packet\].*ktest
+^samba3.blackbox.rpcclient.krb5.*ncacn.*sign\].*ktest
diff --git a/selftest/skip.opath-required b/selftest/skip.opath-required
new file mode 100644
index 0000000..0faf0c4
--- /dev/null
+++ b/selftest/skip.opath-required
@@ -0,0 +1,9 @@
+# Opening O_RDONLY screws kernel oplocks which is not a problem
+# as only Linux has kernel oplocks and as Linux has O_PATH, we
+# don't need O_RDONLY in the first place.
+^samba3.smb2.kernel-oplocks.*
+^samba3.smbtorture_s3.plain.OPLOCK5.*
+#
+# These fail because become_root() doesn't work in make test
+^samba3.blackbox.dropbox.*
+^samba3.raw.samba3hide.*
diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc
new file mode 100644
index 0000000..4a51c98
--- /dev/null
+++ b/selftest/skip_mit_kdc
@@ -0,0 +1,5 @@
+# We do not support RODC yet
+.*rodc
+.*RODC
+^samba4.ntvfs.cifs.ntlm.base.unlink
+^samba4.ntvfs.cifs.krb5.base.unlink
diff --git a/selftest/skip_mit_kdc_pre_1_20 b/selftest/skip_mit_kdc_pre_1_20
new file mode 100644
index 0000000..aa6c418
--- /dev/null
+++ b/selftest/skip_mit_kdc_pre_1_20
@@ -0,0 +1,2 @@
+^samba4.blackbox.pkinit_simple
+^samba4.blackbox.pkinit_pac
diff --git a/selftest/slow b/selftest/slow
new file mode 100644
index 0000000..7c2090c
--- /dev/null
+++ b/selftest/slow
@@ -0,0 +1,9 @@
+# This file contains regexes matching tests that are very slow and
+# should be skipped during a normal test run.
+.*base.bench.holdcon.* # Slow
+raw.bench.lookup # Slow
+base.utable # Slow
+base.smb # Slow
+rpc.scanner # Slow
+ntvfs.cifs.base.delaywrite # It's a slow test and having it on the proxy share is not needed
+.*stress.* # Slow
diff --git a/selftest/slow-none b/selftest/slow-none
new file mode 100644
index 0000000..34b2608
--- /dev/null
+++ b/selftest/slow-none
@@ -0,0 +1,23 @@
+# This file to have control over where in autobuild the slower "none"
+# tests are running, to avoid really slow tests being run on multiple
+# hosts that host the samba-o3 job.
+^samba.tests.docs
+^ldb.python
+^samba.tests.dsdb_lock
+^samba4.blackbox.upgradeprovision.alpha13
+^samba4.blackbox.upgradeprovision.release-4-0-0
+^samba.tests.domain_backup_offline
+^samba.tests.samba_tool.help
+^samba4.blackbox.schemaupgrade
+^samba4.blackbox.group.py
+^samba4.blackbox.provision.py
+^samba4.blackbox.upgradeprovision.current
+^samba.tests.usage
+^samba4.blackbox.dbcheck.release-4-0-0
+^samba4.blackbox.dbcheck.release-4-0-0.quick
+^samba4.blackbox.dbcheck-links.release-4-5-0-pre1
+^samba4.blackbox.dbcheck.release-4-1-0rc3
+^samba4.blackbox.dbcheck.release-4-1-0rc3.quick
+^samba.tests.samba_tool.visualize
+^samba4.blackbox.functionalprep
+^samba4.blackbox.dbcheck.alpha13.quick
diff --git a/selftest/subunithelper.py b/selftest/subunithelper.py
new file mode 100644
index 0000000..801149f
--- /dev/null
+++ b/selftest/subunithelper.py
@@ -0,0 +1,729 @@
+# Python module for parsing and generating the Subunit protocol
+# (Samba-specific)
+# Copyright (C) 2008-2009 Jelmer Vernooij <jelmer@samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+__all__ = ['parse_results']
+
+import datetime
+import re
+import sys
+import os
+from samba import subunit
+from samba.subunit.run import TestProtocolClient
+import unittest
+try:
+ from dateutil.parser import isoparse as iso_parse_date
+except ImportError:
+ try:
+ from iso8601 import parse_date as iso_parse_date;
+ except ImportError:
+ print('Install either python-dateutil >= 2.7.1 or python-iso8601')
+
+
+VALID_RESULTS = set(['success', 'successful', 'failure', 'fail', 'skip',
+ 'knownfail', 'error', 'xfail', 'skip-testsuite',
+ 'testsuite-failure', 'testsuite-xfail',
+ 'testsuite-success', 'testsuite-error',
+ 'uxsuccess', 'testsuite-uxsuccess'])
+
+
+class TestsuiteEnabledTestResult(unittest.TestResult):
+
+ def start_testsuite(self, name):
+ raise NotImplementedError(self.start_testsuite)
+
+
+def parse_results(msg_ops, statistics, fh):
+ exitcode = 0
+ open_tests = {}
+
+ for l in fh:
+ parts = l.split(None, 1)
+ if not len(parts) == 2 or not l.startswith(parts[0]):
+ msg_ops.output_msg(l)
+ continue
+ command = parts[0].rstrip(":")
+ arg = parts[1]
+ if command in ("test", "testing"):
+ msg_ops.control_msg(l)
+ name = arg.rstrip()
+ test = subunit.RemotedTestCase(name)
+ if name in open_tests:
+ msg_ops.addError(open_tests.pop(name), subunit.RemoteError(u"Test already running"))
+ msg_ops.startTest(test)
+ open_tests[name] = test
+ elif command == "time":
+ msg_ops.control_msg(l)
+ try:
+ dt = iso_parse_date(arg.rstrip("\n"))
+ except TypeError as e:
+ print("Unable to parse time line: %s" % arg.rstrip("\n"))
+ else:
+ msg_ops.time(dt)
+ elif command in VALID_RESULTS:
+ msg_ops.control_msg(l)
+ result = command
+ grp = re.match("(.*?)( \[)?([ \t]*)( multipart)?\n", arg)
+ (testname, hasreason) = (grp.group(1), grp.group(2))
+ if hasreason:
+ reason = ""
+ # reason may be specified in next lines
+ terminated = False
+ for l in fh:
+ msg_ops.control_msg(l)
+ if l == "]\n":
+ terminated = True
+ break
+ else:
+ reason += l
+
+ if isinstance(reason, bytes):
+ remote_error = subunit.RemoteError(reason.decode("utf-8"))
+ else:
+ remote_error = subunit.RemoteError(reason)
+
+ if not terminated:
+ statistics['TESTS_ERROR'] += 1
+ msg_ops.addError(subunit.RemotedTestCase(testname),
+ subunit.RemoteError(u"result (%s) reason (%s) interrupted" % (result, reason)))
+ return 1
+ else:
+ reason = None
+ remote_error = subunit.RemoteError(u"No reason specified")
+ if result in ("success", "successful"):
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+ msg_ops.addError(subunit.RemotedTestCase(testname), subunit.RemoteError(u"Test was never started"))
+ else:
+ statistics['TESTS_EXPECTED_OK'] += 1
+ msg_ops.addSuccess(test)
+ elif result in ("xfail", "knownfail"):
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+ msg_ops.addError(subunit.RemotedTestCase(testname), subunit.RemoteError(u"Test was never started"))
+ else:
+ statistics['TESTS_EXPECTED_FAIL'] += 1
+ msg_ops.addExpectedFailure(test, remote_error)
+ elif result in ("uxsuccess", ):
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+ msg_ops.addError(subunit.RemotedTestCase(testname), subunit.RemoteError(u"Test was never started"))
+ else:
+ statistics['TESTS_UNEXPECTED_OK'] += 1
+ msg_ops.addUnexpectedSuccess(test)
+ exitcode = 1
+ elif result in ("failure", "fail"):
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+ msg_ops.addError(subunit.RemotedTestCase(testname), subunit.RemoteError(u"Test was never started"))
+ else:
+ statistics['TESTS_UNEXPECTED_FAIL'] += 1
+ exitcode = 1
+ msg_ops.addFailure(test, remote_error)
+ elif result == "skip":
+ statistics['TESTS_SKIP'] += 1
+ # Allow tests to be skipped without prior announcement of test
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ test = subunit.RemotedTestCase(testname)
+ msg_ops.addSkip(test, reason)
+ elif result == "error":
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+ try:
+ test = open_tests.pop(testname)
+ except KeyError:
+ test = subunit.RemotedTestCase(testname)
+ msg_ops.addError(test, remote_error)
+ elif result == "skip-testsuite":
+ msg_ops.skip_testsuite(testname)
+ elif result == "testsuite-success":
+ msg_ops.end_testsuite(testname, "success", reason)
+ elif result == "testsuite-failure":
+ msg_ops.end_testsuite(testname, "failure", reason)
+ exitcode = 1
+ elif result == "testsuite-xfail":
+ msg_ops.end_testsuite(testname, "xfail", reason)
+ elif result == "testsuite-uxsuccess":
+ msg_ops.end_testsuite(testname, "uxsuccess", reason)
+ exitcode = 1
+ elif result == "testsuite-error":
+ msg_ops.end_testsuite(testname, "error", reason)
+ exitcode = 1
+ else:
+ raise AssertionError("Recognized but unhandled result %r" %
+ result)
+ elif command == "testsuite":
+ msg_ops.start_testsuite(arg.strip())
+ elif command == "progress":
+ arg = arg.strip()
+ if arg == "pop":
+ msg_ops.progress(None, subunit.PROGRESS_POP)
+ elif arg == "push":
+ msg_ops.progress(None, subunit.PROGRESS_PUSH)
+ elif arg[0] in '+-':
+ msg_ops.progress(int(arg), subunit.PROGRESS_CUR)
+ else:
+ msg_ops.progress(int(arg), subunit.PROGRESS_SET)
+ else:
+ msg_ops.output_msg(l)
+
+ while open_tests:
+ test = subunit.RemotedTestCase(open_tests.popitem()[1])
+ msg_ops.addError(test, subunit.RemoteError(u"was started but never finished!"))
+ statistics['TESTS_ERROR'] += 1
+ exitcode = 1
+
+ return exitcode
+
+
+class SubunitOps(TestProtocolClient, TestsuiteEnabledTestResult):
+
+ def progress(self, count, whence):
+ if whence == subunit.PROGRESS_POP:
+ self._stream.write("progress: pop\n")
+ elif whence == subunit.PROGRESS_PUSH:
+ self._stream.write("progress: push\n")
+ elif whence == subunit.PROGRESS_SET:
+ self._stream.write("progress: %d\n" % count)
+ elif whence == subunit.PROGRESS_CUR:
+ raise NotImplementedError
+
+ # The following are Samba extensions:
+ def start_testsuite(self, name):
+ self._stream.write("testsuite: %s\n" % name)
+
+ def skip_testsuite(self, name, reason=None):
+ if reason:
+ self._stream.write("skip-testsuite: %s [\n%s\n]\n" % (name, reason))
+ else:
+ self._stream.write("skip-testsuite: %s\n" % name)
+
+ def end_testsuite(self, name, result, reason=None):
+ if reason:
+ self._stream.write("testsuite-%s: %s [\n%s\n]\n" % (result, name, reason))
+ else:
+ self._stream.write("testsuite-%s: %s\n" % (result, name))
+
+ def output_msg(self, msg):
+ self._stream.write(msg)
+
+
+def read_test_regexes(*names):
+ ret = []
+ files = []
+ for name in names:
+ # if we are given a directory, we read all the files it contains
+ # (except the ones that end with "~").
+ if os.path.isdir(name):
+ files.extend([os.path.join(name, x)
+ for x in os.listdir(name)
+ if x[-1] != '~'])
+ else:
+ files.append(name)
+
+ for filename in files:
+ with open(filename, 'r') as f:
+ for l in f:
+ l = l.strip()
+ if l == "" or l[0] == "#":
+ continue
+ if "#" in l:
+ (regex, reason) = l.split("#", 1)
+ ret.append(re.compile(regex.strip()))
+ else:
+ ret.append(re.compile(l))
+
+ return ret
+
+
+def find_in_list(regexes, fullname):
+ for regex in regexes:
+ if regex.match(fullname):
+ return True
+ return False
+
+
+class ImmediateFail(Exception):
+ """Raised to abort immediately."""
+
+ def __init__(self):
+ super(ImmediateFail, self).__init__("test failed and fail_immediately set")
+
+
+class FilterOps(unittest.TestResult):
+
+ def control_msg(self, msg):
+ pass # We regenerate control messages, so ignore this
+
+ def time(self, time):
+ self._ops.time(time)
+
+ def progress(self, delta, whence):
+ self._ops.progress(delta, whence)
+
+ def output_msg(self, msg):
+ if self.output is None:
+ sys.stdout.write(msg)
+ else:
+ self.output += msg
+
+ def startTest(self, test):
+ self.seen_output = True
+ test = self._add_prefix(test)
+ if self.strip_ok_output:
+ self.output = ""
+
+ self._ops.startTest(test)
+
+ def _add_prefix(self, test):
+ return subunit.RemotedTestCase(self.prefix + test.id() + self.suffix)
+
+ def addError(self, test, err=None):
+ test = self._add_prefix(test)
+ self.error_added += 1
+ self.total_error += 1
+ self._ops.addError(test, err)
+ self._ops.writeOutcome(test)
+ self.output = None
+ if self.fail_immediately:
+ raise ImmediateFail()
+
+ def addSkip(self, test, reason=None):
+ self.seen_output = True
+ test = self._add_prefix(test)
+ self._ops.addSkip(test, reason)
+ self._ops.writeOutcome(test)
+ self.output = None
+
+ def addExpectedFailure(self, test, err=None):
+ test = self._add_prefix(test)
+ self._ops.addExpectedFailure(test, err)
+ self._ops.writeOutcome(test)
+ self.output = None
+
+ def addUnexpectedSuccess(self, test):
+ test = self._add_prefix(test)
+ self.uxsuccess_added += 1
+ self.total_uxsuccess += 1
+ self._ops.addUnexpectedSuccess(test)
+ self._ops.writeOutcome(test)
+ if self.output:
+ self._ops.output_msg(self.output)
+ self.output = None
+ if self.fail_immediately:
+ raise ImmediateFail()
+
+ def addFailure(self, test, err=None):
+ test = self._add_prefix(test)
+ xfail = find_in_list(self.expected_failures, test.id())
+ if not xfail:
+ xfail = find_in_list(self.flapping, test.id())
+ if xfail:
+ self.xfail_added += 1
+ self.total_xfail += 1
+ self._ops.addExpectedFailure(test, err)
+ self._ops.writeOutcome(test)
+ else:
+ self.fail_added += 1
+ self.total_fail += 1
+ self._ops.addFailure(test, err)
+ self._ops.writeOutcome(test)
+ if self.output:
+ self._ops.output_msg(self.output)
+ if self.fail_immediately:
+ raise ImmediateFail()
+ self.output = None
+
+ def addSuccess(self, test):
+ test = self._add_prefix(test)
+ xfail = find_in_list(self.expected_failures, test.id())
+ if xfail:
+ self.uxsuccess_added += 1
+ self.total_uxsuccess += 1
+ self._ops.addUnexpectedSuccess(test)
+ self._ops.writeOutcome(test)
+ if self.output:
+ self._ops.output_msg(self.output)
+ if self.fail_immediately:
+ raise ImmediateFail()
+ else:
+ self._ops.addSuccess(test)
+ self._ops.writeOutcome(test)
+ self.output = None
+
+ def skip_testsuite(self, name, reason=None):
+ self._ops.skip_testsuite(name, reason)
+
+ def start_testsuite(self, name):
+ self._ops.start_testsuite(name)
+ self.error_added = 0
+ self.fail_added = 0
+ self.xfail_added = 0
+ self.uxsuccess_added = 0
+
+ def end_testsuite(self, name, result, reason=None):
+ xfail = False
+
+ if self.xfail_added > 0:
+ xfail = True
+ if self.fail_added > 0 or self.error_added > 0 or self.uxsuccess_added > 0:
+ xfail = False
+
+ if xfail and result in ("fail", "failure"):
+ result = "xfail"
+
+ if self.uxsuccess_added > 0 and result != "uxsuccess":
+ result = "uxsuccess"
+ if reason is None:
+ reason = "Subunit/Filter Reason"
+ reason += "\n uxsuccess[%d]" % self.uxsuccess_added
+
+ if self.fail_added > 0 and result != "failure":
+ result = "failure"
+ if reason is None:
+ reason = "Subunit/Filter Reason"
+ reason += "\n failures[%d]" % self.fail_added
+
+ if self.error_added > 0 and result != "error":
+ result = "error"
+ if reason is None:
+ reason = "Subunit/Filter Reason"
+ reason += "\n errors[%d]" % self.error_added
+
+ self._ops.end_testsuite(name, result, reason)
+ if result not in ("success", "xfail"):
+ if self.output:
+ self._ops.output_msg(self.output)
+ if self.fail_immediately:
+ raise ImmediateFail()
+ self.output = None
+
+ def __init__(self, out, prefix=None, suffix=None, expected_failures=None,
+ strip_ok_output=False, fail_immediately=False,
+ flapping=None):
+ self._ops = out
+ self.seen_output = False
+ self.output = None
+ self.prefix = prefix
+ self.suffix = suffix
+ if expected_failures is not None:
+ self.expected_failures = expected_failures
+ else:
+ self.expected_failures = []
+ if flapping is not None:
+ self.flapping = flapping
+ else:
+ self.flapping = []
+ self.strip_ok_output = strip_ok_output
+ self.xfail_added = 0
+ self.fail_added = 0
+ self.uxsuccess_added = 0
+ self.total_xfail = 0
+ self.total_error = 0
+ self.total_fail = 0
+ self.total_uxsuccess = 0
+ self.error_added = 0
+ self.fail_immediately = fail_immediately
+
+
+class PerfFilterOps(unittest.TestResult):
+
+ def progress(self, delta, whence):
+ pass
+
+ def output_msg(self, msg):
+ pass
+
+ def control_msg(self, msg):
+ pass
+
+ def skip_testsuite(self, name, reason=None):
+ self._ops.skip_testsuite(name, reason)
+
+ def start_testsuite(self, name):
+ self.suite_has_time = False
+
+ def end_testsuite(self, name, result, reason=None):
+ pass
+
+ def _add_prefix(self, test):
+ return subunit.RemotedTestCase(self.prefix + test.id() + self.suffix)
+
+ def time(self, time):
+ self.latest_time = time
+ #self._ops.output_msg("found time %s\n" % time)
+ self.suite_has_time = True
+
+ def get_time(self):
+ if self.suite_has_time:
+ return self.latest_time
+ return datetime.datetime.utcnow()
+
+ def startTest(self, test):
+ self.seen_output = True
+ test = self._add_prefix(test)
+ self.starts[test.id()] = self.get_time()
+
+ def addSuccess(self, test):
+ test = self._add_prefix(test)
+ tid = test.id()
+ if tid not in self.starts:
+ self._ops.addError(test, "%s succeeded without ever starting!" % tid)
+ delta = self.get_time() - self.starts[tid]
+ self._ops.output_msg("elapsed-time: %s: %f\n" % (tid, delta.total_seconds()))
+
+ def addFailure(self, test, err=''):
+ tid = test.id()
+ delta = self.get_time() - self.starts[tid]
+ self._ops.output_msg("failure: %s failed after %f seconds (%s)\n" %
+ (tid, delta.total_seconds(), err))
+
+ def addError(self, test, err=''):
+ tid = test.id()
+ delta = self.get_time() - self.starts[tid]
+ self._ops.output_msg("error: %s failed after %f seconds (%s)\n" %
+ (tid, delta.total_seconds(), err))
+
+ def __init__(self, out, prefix='', suffix=''):
+ self._ops = out
+ self.prefix = prefix or ''
+ self.suffix = suffix or ''
+ self.starts = {}
+ self.seen_output = False
+ self.suite_has_time = False
+
+
+class PlainFormatter(TestsuiteEnabledTestResult):
+
+ def __init__(self, verbose, immediate, statistics,
+ totaltests=None):
+ super(PlainFormatter, self).__init__()
+ self.verbose = verbose
+ self.immediate = immediate
+ self.statistics = statistics
+ self.start_time = None
+ self.test_output = {}
+ self.suitesfailed = []
+ self.suites_ok = 0
+ self.skips = {}
+ self.index = 0
+ self.name = None
+ self._progress_level = 0
+ self.totalsuites = totaltests
+ self.last_time = None
+
+ @staticmethod
+ def _format_time(delta):
+ minutes, seconds = divmod(delta.seconds, 60)
+ hours, minutes = divmod(minutes, 60)
+ ret = ""
+ if hours:
+ ret += "%dh" % hours
+ if minutes:
+ ret += "%dm" % minutes
+ ret += "%ds" % seconds
+ return ret
+
+ def progress(self, offset, whence):
+ if whence == subunit.PROGRESS_POP:
+ self._progress_level -= 1
+ elif whence == subunit.PROGRESS_PUSH:
+ self._progress_level += 1
+ elif whence == subunit.PROGRESS_SET:
+ if self._progress_level == 0:
+ self.totalsuites = offset
+ elif whence == subunit.PROGRESS_CUR:
+ raise NotImplementedError
+
+ def time(self, dt):
+ if self.start_time is None:
+ self.start_time = dt
+ self.last_time = dt
+
+ def start_testsuite(self, name):
+ self.index += 1
+ self.name = name
+
+ if not self.verbose:
+ self.test_output[name] = ""
+
+ total_tests = (self.statistics['TESTS_EXPECTED_OK'] +
+ self.statistics['TESTS_EXPECTED_FAIL'] +
+ self.statistics['TESTS_ERROR'] +
+ self.statistics['TESTS_UNEXPECTED_FAIL'] +
+ self.statistics['TESTS_UNEXPECTED_OK'])
+
+ out = "[%d(%d)" % (self.index, total_tests)
+ if self.totalsuites is not None:
+ out += "/%d" % self.totalsuites
+ if self.start_time is not None:
+ out += " at " + self._format_time(self.last_time - self.start_time)
+ if self.suitesfailed:
+ out += ", %d errors" % (len(self.suitesfailed),)
+ out += "] %s" % name
+ if self.immediate:
+ sys.stdout.write(out + "\n")
+ else:
+ sys.stdout.write(out + ": ")
+
+ def output_msg(self, output):
+ if self.verbose:
+ sys.stdout.write(output)
+ elif self.name is not None:
+ self.test_output[self.name] += output
+ else:
+ sys.stdout.write(output)
+
+ def control_msg(self, output):
+ pass
+
+ def end_testsuite(self, name, result, reason):
+ out = ""
+ unexpected = False
+
+ if name not in self.test_output:
+ print("no output for name[%s]" % name)
+
+ if result in ("success", "xfail"):
+ self.suites_ok += 1
+ else:
+ self.output_msg("ERROR: Testsuite[%s]\n" % name)
+ if reason is not None:
+ self.output_msg("REASON: %s\n" % (reason,))
+ self.suitesfailed.append(name)
+ if self.immediate and not self.verbose and name in self.test_output:
+ out += self.test_output[name]
+ unexpected = True
+
+ if not self.immediate:
+ if not unexpected:
+ out += " ok\n"
+ else:
+ out += " " + result.upper() + "\n"
+
+ sys.stdout.write(out)
+
+ def startTest(self, test):
+ pass
+
+ def addSuccess(self, test):
+ self.end_test(test.id(), "success", False)
+
+ def addError(self, test, err=None):
+ self.end_test(test.id(), "error", True, err)
+
+ def addFailure(self, test, err=None):
+ self.end_test(test.id(), "failure", True, err)
+
+ def addSkip(self, test, reason=None):
+ self.end_test(test.id(), "skip", False, reason)
+
+ def addExpectedFailure(self, test, err=None):
+ self.end_test(test.id(), "xfail", False, err)
+
+ def addUnexpectedSuccess(self, test):
+ self.end_test(test.id(), "uxsuccess", True)
+
+ def end_test(self, testname, result, unexpected, err=None):
+ if not unexpected:
+ self.test_output[self.name] = ""
+ if not self.immediate:
+ sys.stdout.write({
+ 'failure': 'f',
+ 'xfail': 'X',
+ 'skip': 's',
+ 'success': '.'}.get(result, "?(%s)" % result))
+ return
+
+ if self.name not in self.test_output:
+ self.test_output[self.name] = ""
+
+ self.test_output[self.name] += "UNEXPECTED(%s): %s\n" % (result, testname)
+ if err is not None:
+ self.test_output[self.name] += "REASON: %s\n" % str(err[1]).strip()
+
+ if self.immediate and not self.verbose:
+ sys.stdout.write(self.test_output[self.name])
+ self.test_output[self.name] = ""
+
+ if not self.immediate:
+ sys.stdout.write({
+ 'error': 'E',
+ 'failure': 'F',
+ 'uxsuccess': 'U',
+ 'success': 'S'}.get(result, "?"))
+
+ def write_summary(self, path):
+ f = open(path, 'w+')
+
+ if self.suitesfailed:
+ f.write("= Failed tests =\n")
+
+ for suite in self.suitesfailed:
+ f.write("== %s ==\n" % suite)
+ if suite in self.test_output:
+ f.write(self.test_output[suite] + "\n\n")
+
+ f.write("\n")
+
+ if not self.immediate and not self.verbose:
+ for suite in self.suitesfailed:
+ print("=" * 78)
+ print("FAIL: %s" % suite)
+ if suite in self.test_output:
+ print(self.test_output[suite])
+ print("")
+
+ f.write("= Skipped tests =\n")
+ for reason in self.skips.keys():
+ f.write(reason + "\n")
+ for name in self.skips[reason]:
+ f.write("\t%s\n" % name)
+ f.write("\n")
+ f.close()
+
+ if (not self.suitesfailed and
+ not self.statistics['TESTS_UNEXPECTED_FAIL'] and
+ not self.statistics['TESTS_UNEXPECTED_OK'] and
+ not self.statistics['TESTS_ERROR']):
+ ok = (self.statistics['TESTS_EXPECTED_OK'] +
+ self.statistics['TESTS_EXPECTED_FAIL'])
+ print("\nALL OK (%d tests in %d testsuites)" % (ok, self.suites_ok))
+ else:
+ print("\nFAILED (%d failures, %d errors and %d unexpected successes in %d testsuites)" % (
+ self.statistics['TESTS_UNEXPECTED_FAIL'],
+ self.statistics['TESTS_ERROR'],
+ self.statistics['TESTS_UNEXPECTED_OK'],
+ len(self.suitesfailed)))
+
+ def skip_testsuite(self, name, reason="UNKNOWN"):
+ self.skips.setdefault(reason, []).append(name)
+ if self.totalsuites:
+ self.totalsuites -= 1
diff --git a/selftest/tap2subunit b/selftest/tap2subunit
new file mode 100755
index 0000000..e569e7f
--- /dev/null
+++ b/selftest/tap2subunit
@@ -0,0 +1,128 @@
+#!/usr/bin/python
+#
+# tap2subunit: convert a tap stream to a subunit stream.
+# Extract from the subunit source:
+# Copyright (C) 2005 Robert Collins <robertc@robertcollins.net>
+#
+# Licensed under either the Apache License, Version 2.0 or the BSD 3-clause
+# license at the users choice. A copy of both licenses are available in the
+# project source as Apache-2.0 and BSD. You may not use this file except in
+# compliance with one of these two licences.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under these licenses is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# license you chose for the specific language governing permissions and
+# limitations under that license.
+#
+
+
+import re
+import sys
+
+def TAP2SubUnit(tap, subunit):
+ """Filter a TAP pipe into a subunit pipe.
+
+ :param tap: A tap pipe/stream/file object.
+ :param subunit: A pipe/stream/file object to write subunit results to.
+ :return: The exit code to exit with.
+ """
+ BEFORE_PLAN = 0
+ AFTER_PLAN = 1
+ SKIP_STREAM = 2
+ state = BEFORE_PLAN
+ plan_start = 1
+ plan_stop = 0
+ def _skipped_test(subunit, plan_start):
+ # Some tests were skipped.
+ subunit.write('test: test %d\n' % plan_start)
+ subunit.write('error: test %d [\n' % plan_start)
+ subunit.write('test missing from TAP output\n')
+ subunit.write(']\n')
+ return plan_start + 1
+ # Test data for the next test to emit
+ test_name = None
+ log = []
+ result = None
+ def _emit_test():
+ "write out a test"
+ if test_name is None:
+ return
+ subunit.write("test: %s\n" % test_name)
+ if not log:
+ subunit.write("%s: %s\n" % (result, test_name))
+ else:
+ subunit.write("%s: %s [\n" % (result, test_name))
+ if log:
+ for line in log:
+ subunit.write("%s\n" % line)
+ subunit.write("]\n")
+ del log[:]
+ for line in tap:
+ if state == BEFORE_PLAN:
+ match = re.match("(\d+)\.\.(\d+)\s*(?:\#\s+(.*))?\n", line)
+ if match:
+ state = AFTER_PLAN
+ _, plan_stop, comment = match.groups()
+ plan_stop = int(plan_stop)
+ if plan_start > plan_stop and plan_stop == 0:
+ # skipped file
+ state = SKIP_STREAM
+ subunit.write("test: file skip\n")
+ subunit.write("skip: file skip [\n")
+ subunit.write("%s\n" % comment)
+ subunit.write("]\n")
+ continue
+ # not a plan line, or have seen one before
+ match = re.match("(ok|not ok)(?:\s+(\d+)?)?(?:\s+([^#]*[^#\s]+)\s*)?(?:\s+#\s+(TODO|SKIP|skip|todo)(?:\s+(.*))?)?\n", line)
+ if match:
+ # new test, emit current one.
+ _emit_test()
+ status, number, description, directive, directive_comment = match.groups()
+ if status == 'ok':
+ result = 'success'
+ else:
+ result = "failure"
+ if description is None:
+ description = ''
+ else:
+ description = ' ' + description
+ if directive is not None:
+ if directive.upper() == 'TODO':
+ result = 'xfail'
+ elif directive.upper() == 'SKIP':
+ result = 'skip'
+ if directive_comment is not None:
+ log.append(directive_comment)
+ if number is not None:
+ number = int(number)
+ while plan_start < number:
+ plan_start = _skipped_test(subunit, plan_start)
+ test_name = "test %d%s" % (plan_start, description)
+ plan_start += 1
+ continue
+ match = re.match("Bail out\!(?:\s*(.*))?\n", line)
+ if match:
+ reason, = match.groups()
+ if reason is None:
+ extra = ''
+ else:
+ extra = ' %s' % reason
+ _emit_test()
+ test_name = "Bail out!%s" % extra
+ result = "error"
+ state = SKIP_STREAM
+ continue
+ match = re.match("\#.*\n", line)
+ if match:
+ log.append(line[:-1])
+ continue
+ subunit.write(line)
+ _emit_test()
+ while plan_start <= plan_stop:
+ # record missed tests
+ plan_start = _skipped_test(subunit, plan_start)
+ return 0
+
+
+sys.exit(TAP2SubUnit(sys.stdin, sys.stdout))
diff --git a/selftest/target/README b/selftest/target/README
new file mode 100644
index 0000000..81d7447
--- /dev/null
+++ b/selftest/target/README
@@ -0,0 +1,137 @@
+Selftest target environments (testenvs)
+=======================================
+Samba's integration testing heavily relies on the automatic creation of a Samba
+network. This specialized test environment is generally referred to as a Samba
+'testenv'.
+
+A testenv involves starting the Samba server listening on a fake network, which
+is established using the socket_wrapper library from cwrap (https://cwrap.org).
+All testing is also done as a non-root user using the uid_wrapper library, also
+from cwrap.
+
+Samba's test framework uses many different types of testenv. Each testenv is
+customized to test a particular Samba feature or configuration. Using cwrap
+allows multiple different Samba servers to run at the same time, without
+interference.
+
+Some of the different testenvs are described in more detail below.
+
+Important notes if adding a new testenv
+---------------------------------------
+- When adding a new testenv, in the Perl code it is recommended to always
+explicitly specify the --configfile option in the samba-tool command, i.e. add
+"env->{CONFIGURATION}" to the samba-tool command. Otherwise, the samba-tool
+can try to load smb.conf from the default install location (i.e.
+/usr/local/samba/etc/smb.conf). Loading a host-specific smb.conf that's outside
+of the testenv is obviously not ideal and something we want to avoid in a
+reliable test framework.
+
+'local' disambiguation
+----------------------
+You may notice some variation in the target testenv that test suites are run
+against, for example "ad_dc" and "ad_dc:local". The main difference is the
+":local" changes the smb.conf that the testenv uses. By default, the testenvs
+use the st/client/client.conf config-file, so that they simulate a client
+talking to the Samba server. However, some tests may want to simulate running
+a command on the Samba server itself. In these cases, the ":local" is used,
+which means the testenv uses the Samba server's smb.conf instead (i.e.
+st/ad_dc/etc/smb.conf).
+
+Note that several of the testenvs also use local in their name, e.g.
+'localvampiredc'. In particular, there's the 'localdc', which is the NetBIOS
+name of the DC in the 'ad_dc_ntvfs' testenv.
+
+dns_hub
+-------
+dns_hub doesn't run a Samba/smbd server like the other testenvs do. It's there
+to solve the problem of how to do DNS more nicely in selftest. Running
+autobuild can start up a lot of different testenvs, and so we end up with
+different DCs running in different domains. Each test suite only wants to talk
+to a specific domain at a time. However, by default the tests all use a common
+client.conf - essentially the tests are simulating a single client that's
+pretending to be in several different domains. The problem is when the test
+wants to resolve a DNS host, which DC should it ask? Each DC only knows about its
+own realm. dns_hub.py acts as a proxy, so it works out the correct DC to forward
+the query to, based on the queried host's realm.
+
+Vampire DC
+----------
+Vampire DC gets its name for historic reasons. It's one of the few testenvs
+where 2 DCs are joined together, so it's used for a lot of DRS replication
+testing. Basically its main job is to 'suck' the database changes out of
+another DC (the 'ad_dc_ntfvs' DC).
+
+There's also a 'vampire_2000_dc' that joins the 'fl2000dc' DC, although that's
+not used very much.
+
+Backup/restore testenvs
+-----------------------
+Several testenvs are created to test the domain backup/restore commands. These
+testenvs verify that we can backup and restore a domain's database, start
+Samba against it, and the restored database is actually functional. There are
+several different flavours of backups (to cover different use-cases), so there
+are separate testenvs for each one.
+
+- backupfromdc: A fairly plain AD DC used as the base to generate the
+ backup-files. These backup-files will then seed the domain database
+ for the separate testenvs below.
+ Backupfromdc's other unique feature is that it's the only testenv that gets
+ provisioned with a non-default site, i.e. Default-First-Site-Name doesn't
+ exist.
+- restoredc: tests the 'backup online' option. Online backups are similar to
+ doing a DC join.
+ Restoredc's other unique feature is that is has SMBv1 disabled.
+- offlinebackupdc: tests the 'backup offline' option. Offline backups capture
+ the raw DB files on disk (safely).
+- renamedc: tests the 'backup rename' option, where the domain and realm are
+ renamed.
+- labdc: one of the use-cases for the backup tool is to create a realistic
+ pre-production testbed, based off a production DC. This testenv simulates
+ that process. It uses the 'backup rename --no-secrets' option.
+
+customdc testenv
+----------------
+The customdc is a special testenv that's only used for manual testing, rather
+than the automated tests most testenvs are primarily used for.
+
+The customdc testenv also uses the backup/restore tool, however, it is quite
+special. Instead of the backup-file being automatically generated from a
+vanilla AD DC (i.e. backupfromdc), you can specify any backup-file you like.
+
+To run the testenv, you need to specify a 'BACKUP_FILE' shell variable, e.g.
+
+BACKUP_FILE=/tmp/samba-backup-50k-dc-0-mdb-50k-offline.tar.bz2 \
+ SELFTEST_TESTENV=customdc make testenv
+
+The main use-case for the customdc is testing changes against a large
+database. Adding users is very time-consuming, so it's much quicker to populate
+a domain with users once, take a backup, and then you can spin up a testenv
+based on the backup multiple times.
+
+Another use-case is that if you get a database that's corrupted or in a bad
+state, then you could save a backup and be able to easily get the database back
+into the bad state. This allows you to try different commands to diagnose/fix
+the issue, without fear of never seeing the problem again.
+
+You could even spin up a 'lab DC' inside a testenv, by taking a backup of a
+real network DC.
+
+preforkrestartdc testenv
+------------------------
+Used to test killing and restarting processes under the pre-fork model. Due to
+the destructive nature of the tests, it's not recommended to use this testenv
+for anything else.
+
+proclimitdc testenv
+-------------------
+Used to test process limits on the standard model. It sets the number of
+allowed processes artificially low, to test that new connections are refused
+correctly. Due to the limited number of connections accepted, it's not
+recommended to use this testenv for anything else.
+
+schema_dc
+----------------
+This is a 2-DC testenv setup (schema_dc and schema_pair_dc).
+We provision the first DC, and join the second, using an older version of the
+schema (2008R2), then start-up Samba. Then, we run a schema upgrade (i.e.
+'samba-tool domain schemaupgrade') on the PDC.
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
new file mode 100644
index 0000000..2131e4a
--- /dev/null
+++ b/selftest/target/Samba.pm
@@ -0,0 +1,1108 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU GPL, v3 or later.
+
+package Samba;
+
+use strict;
+use warnings;
+use target::Samba3;
+use target::Samba4;
+use POSIX;
+use Cwd qw(abs_path);
+use IO::Poll qw(POLLIN);
+
+sub new($$$$$) {
+ my ($classname, $bindir, $srcdir, $server_maxtime,
+ $opt_socket_wrapper_pcap, $opt_socket_wrapper_keep_pcap) = @_;
+
+ my $self = {
+ opt_socket_wrapper_pcap => $opt_socket_wrapper_pcap,
+ opt_socket_wrapper_keep_pcap => $opt_socket_wrapper_keep_pcap,
+ };
+ $self->{samba3} = new Samba3($self, $bindir, $srcdir, $server_maxtime);
+ $self->{samba4} = new Samba4($self, $bindir, $srcdir, $server_maxtime);
+ bless $self;
+ return $self;
+}
+
+%Samba::ENV_DEPS = (%Samba3::ENV_DEPS, %Samba4::ENV_DEPS);
+our %ENV_DEPS;
+
+%Samba::ENV_DEPS_POST = (%Samba3::ENV_DEPS_POST, %Samba4::ENV_DEPS_POST);
+our %ENV_DEPS_POST;
+
+%Samba::ENV_TARGETS = (
+ (map { $_ => "Samba3" } keys %Samba3::ENV_DEPS),
+ (map { $_ => "Samba4" } keys %Samba4::ENV_DEPS),
+);
+our %ENV_TARGETS;
+
+%Samba::ENV_NEEDS_AD_DC = (
+ (map { $_ => 1 } keys %Samba4::ENV_DEPS)
+);
+our %ENV_NEEDS_AD_DC;
+foreach my $env (keys %Samba3::ENV_DEPS) {
+ $ENV_NEEDS_AD_DC{$env} = ($env =~ /^ad_/);
+}
+
+sub setup_pcap($$)
+{
+ my ($self, $name) = @_;
+
+ return unless ($self->{opt_socket_wrapper_pcap});
+ return unless defined($ENV{SOCKET_WRAPPER_PCAP_DIR});
+
+ my $fname = $name;
+ $fname =~ s%[^abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\-]%_%g;
+
+ my $pcap_file = "$ENV{SOCKET_WRAPPER_PCAP_DIR}/$fname.pcap";
+
+ SocketWrapper::setup_pcap($pcap_file);
+
+ return $pcap_file;
+}
+
+sub cleanup_pcap($$$)
+{
+ my ($self, $pcap_file, $exitcode) = @_;
+
+ return unless ($self->{opt_socket_wrapper_pcap});
+ return if ($self->{opt_socket_wrapper_keep_pcap});
+ return unless ($exitcode == 0);
+ return unless defined($pcap_file);
+
+ unlink($pcap_file);
+}
+
+sub setup_env($$$)
+{
+ my ($self, $envname, $path) = @_;
+
+ my $targetname = $ENV_TARGETS{$envname};
+ if (not defined($targetname)) {
+ warn("Samba can't provide environment '$envname'");
+ return "UNKNOWN";
+ }
+
+ my %targetlookup = (
+ "Samba3" => $self->{samba3},
+ "Samba4" => $self->{samba4}
+ );
+ my $target = $targetlookup{$targetname};
+
+ if (defined($target->{vars}->{$envname})) {
+ return $target->{vars}->{$envname};
+ }
+
+ $target->{vars}->{$envname} = "";
+
+ my @dep_vars;
+ foreach(@{$ENV_DEPS{$envname}}) {
+ my $vars = $self->setup_env($_, $path);
+ if (defined($vars)) {
+ push(@dep_vars, $vars);
+ } else {
+ warn("Failed setting up $_ as a dependency of $envname");
+ return undef;
+ }
+ }
+
+ $ENV{ENVNAME} = $envname;
+ # Avoid hitting system krb5.conf -
+ # An env that needs Kerberos will reset this to the real value.
+ $ENV{KRB5_CONFIG} = "$path/no_krb5.conf";
+ $ENV{RESOLV_CONF} = "$path/no_resolv.conf";
+
+ my $setup_name = $ENV_TARGETS{$envname}."::setup_".$envname;
+ my $setup_sub = \&$setup_name;
+ my $setup_pcap_file = $self->setup_pcap("env-$ENV{ENVNAME}-setup");
+ my $env = &$setup_sub($target, "$path/$envname", @dep_vars);
+ $self->cleanup_pcap($setup_pcap_file, not defined($env));
+ SocketWrapper::setup_pcap(undef);
+
+ if (not defined($env)) {
+ warn("failed to start up environment '$envname'");
+ return undef;
+ }
+
+ $target->{vars}->{$envname} = $env;
+ $target->{vars}->{$envname}->{target} = $target;
+
+ foreach(@{$ENV_DEPS_POST{$envname}}) {
+ if (not defined $_) {
+ continue;
+ }
+ my $vars = $self->setup_env($_, $path);
+ if (not defined($vars)) {
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub bindir_path($$) {
+ my ($object, $path) = @_;
+
+ my $valpath = "$object->{bindir}/$path";
+ my $python_cmd = "";
+ my $result = $path;
+ if (defined $ENV{'PYTHON'}) {
+ $python_cmd = $ENV{'PYTHON'} . " ";
+ }
+
+ if (-f $valpath or -d $valpath) {
+ $result = $valpath;
+ }
+ # make sure we prepend samba-tool with calling $PYTHON python version
+ if ($path eq "samba-tool") {
+ $result = $python_cmd . $result;
+ }
+ return $result;
+}
+
+sub nss_wrapper_winbind_so_path($) {
+ my ($object) = @_;
+ my $ret = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
+ if (not defined($ret)) {
+ $ret = bindir_path($object, "plugins/libnss_wrapper_winbind.so.2");
+ $ret = abs_path($ret);
+ }
+ return $ret;
+}
+
+sub copy_file_content($$)
+{
+ my ($in, $out) = @_;
+ open(IN, "${in}") or die("failed to open in[${in}] for reading: $!");
+ open(OUT, ">${out}") or die("failed to open out[${out}] for writing: $!");
+ while(<IN>) {
+ print OUT $_;
+ }
+ close(OUT);
+ close(IN);
+}
+
+sub prepare_keyblobs($)
+{
+ my ($ctx) = @_;
+
+ my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
+ my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
+ my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
+ my $dcdnsname = "$ctx->{hostname}.$ctx->{dnsname}";
+ my $dcdir = "$cadir/DCs/$dcdnsname";
+ my $dccert = "$dcdir/DC-$dcdnsname-cert.pem";
+ my $dckey_private = "$dcdir/DC-$dcdnsname-private-key.pem";
+ my $adminprincipalname = "administrator\@$ctx->{dnsname}";
+ my $admindir = "$cadir/Users/$adminprincipalname";
+ my $admincert = "$admindir/USER-$adminprincipalname-cert.pem";
+ my $adminkey_private = "$admindir/USER-$adminprincipalname-private-key.pem";
+ my $pkinitprincipalname = "pkinit\@$ctx->{dnsname}";
+ my $ca_pkinitdir = "$cadir/Users/$pkinitprincipalname";
+ my $pkinitcert = "$ca_pkinitdir/USER-$pkinitprincipalname-cert.pem";
+ my $pkinitkey_private = "$ca_pkinitdir/USER-$pkinitprincipalname-private-key.pem";
+
+ my $tlsdir = "$ctx->{tlsdir}";
+ my $pkinitdir = "$ctx->{prefix_abs}/pkinit";
+ #TLS and PKINIT crypto blobs
+ my $dhfile = "$tlsdir/dhparms.pem";
+ my $cafile = "$tlsdir/ca.pem";
+ my $crlfile = "$tlsdir/crl.pem";
+ my $certfile = "$tlsdir/cert.pem";
+ my $keyfile = "$tlsdir/key.pem";
+ my $admincertfile = "$pkinitdir/USER-$adminprincipalname-cert.pem";
+ my $adminkeyfile = "$pkinitdir/USER-$adminprincipalname-private-key.pem";
+ my $pkinitcertfile = "$pkinitdir/USER-$pkinitprincipalname-cert.pem";
+ my $pkinitkeyfile = "$pkinitdir/USER-$pkinitprincipalname-private-key.pem";
+
+ mkdir($tlsdir, 0700);
+ mkdir($pkinitdir, 0700);
+ my $oldumask = umask;
+ umask 0077;
+
+ # This is specified here to avoid draining entropy on every run
+ # generate by
+ # openssl dhparam -out dhparms.pem -text -2 8192
+ open(DHFILE, ">$dhfile");
+ print DHFILE <<EOF;
+-----BEGIN DH PARAMETERS-----
+MIIECAKCBAEAlcpjuJptCzC2bIIApLuyFLw2nODQUztqs/peysY9e3LgWh/xrc87
+SWJNSUrqFJFh2m357WH0XGcTdTk0b/8aIYIWjbwEhWR/5hZ+1x2TDrX1awkYayAe
+pr0arycmWHaAmhw+m+dBdj2O2jRMe7gn0ha85JALNl+Z3wv2q2eys8TIiQ2dbHPx
+XvpMmlAv7QHZnpSpX/XgueQr6T3EYggljppZwk1fe4W2cxBjCv9w/Q83pJXMEVVB
+WESEQPZC38v6hVIXIlF4J7jXjV3+NtCLL4nvsy0jrLEntyKz5OB8sNPRzJr0Ju2Y
+yXORCSMMXMygP+dxJtQ6txzQYWyaCYN1HqHDZy3cFL9Qy8kTFqIcW56Lti2GsW/p
+jSMzEOa1NevhKNFL3dSZJx5m+5ZeMvWXlCqXSptmVdbs5wz5jkMUm/E6pVfM5lyb
+Ttlcq2iYPqnJz1jcL5xwhoufID8zSJCPJ7C0jb0Ngy5wLIUZfjXJUXxUyxTnNR9i
+N9Sc+UkDvLxnCW+qzjyPXGlQU1SsJwMLWa2ZecL/uYE4bOdcN3g+5WHkevyDnXqR
++yy9x7sGXjBT3bRWK5tVHJWOi6eBu1hp39U6aK8oOJWiUt3vmC2qEdIsT6JaLNNi
+YKrSfRGBf19IJBaagen1S19bb3dnmwoU1RaWM0EeJQW1oXOBg7zLisB2yuu5azBn
+tse00+0nc+GbH2y+jP0sE7xil1QeilZl+aQ3tX9vL0cnCa+8602kXxU7P5HaX2+d
+05pvoHmeZbDV85io36oF976gBYeYN+qAkTUMsIZhuLQDuyn0963XOLyn1Pm6SBrU
+OkIZXW7WoKEuO/YSfizUIqXwmAMJjnEMJCWG51MZZKx//9Hsdp1RXSm/bRSbvXB7
+MscjvQYWmfCFnIk8LYnEt3Yey40srEiS9xyZqdrvobxz+sU1XcqR38kpVf4gKASL
+xURia64s4emuJF+YHIObyydazQ+6/wX/C+m+nyfhuxSO6j1janPwtYbU+Uj3TzeM
+04K1mpPQpZcaMdZZiNiu7i8VJlOPKAz7aJT8TnMMF5GMyzyLpSMpc+NF9L/BSocV
+/cUM4wQT2PTHrcyYzmTVH7c9bzBkuxqrwVB1BY1jitDV9LIYIVBglKcX88qrfHIM
+XiXPAIwGclD59qm2cG8OdM9NA5pNMI119KuUAIJsUdgPbR1LkT2XTT15YVoHmFSQ
+DlaWOXn4td031jr0EisX8QtFR7+/0Nfoni6ydFGs5fNH/L1ckq6FEO4OhgucJw9H
+YRmiFlsQBQNny78vNchwZne3ZixkShtGW0hWDdi2n+h7St1peNJCNJjMbEhRsPRx
+RmNGWh4AL8rho4RO9OBao0MnUdjbbffD+wIBAg==
+-----END DH PARAMETERS-----
+EOF
+ close(DHFILE);
+
+ if (! -e ${dckey_private}) {
+ umask $oldumask;
+ return;
+ }
+
+ copy_file_content(${cacert}, ${cafile});
+ copy_file_content(${cacrl_pem}, ${crlfile});
+ copy_file_content(${dccert}, ${certfile});
+ copy_file_content(${dckey_private}, ${keyfile});
+ if (-e ${adminkey_private}) {
+ copy_file_content(${admincert}, ${admincertfile});
+ copy_file_content(${adminkey_private}, ${adminkeyfile});
+ }
+ if (-e ${pkinitkey_private}) {
+ copy_file_content(${pkinitcert}, ${pkinitcertfile});
+ copy_file_content(${pkinitkey_private}, ${pkinitkeyfile});
+ }
+
+ # COMPAT stuff to be removed in a later commit
+ my $kdccertfile = "$tlsdir/kdc.pem";
+ copy_file_content(${dccert}, ${kdccertfile});
+
+ umask $oldumask;
+}
+
+sub copy_gnupg_home($)
+{
+ my ($ctx) = @_;
+
+ my $gnupg_srcdir = "$ENV{SRCDIR_ABS}/selftest/gnupg";
+ my @files = (
+ "gpg.conf",
+ "pubring.gpg",
+ "secring.gpg",
+ "trustdb.gpg",
+ );
+
+ my $oldumask = umask;
+ umask 0077;
+ mkdir($ctx->{gnupghome}, 0777);
+ umask 0177;
+ foreach my $file (@files) {
+ my $srcfile = "${gnupg_srcdir}/${file}";
+ my $dstfile = "$ctx->{gnupghome}/${file}";
+ copy_file_content(${srcfile}, ${dstfile});
+ }
+ umask $oldumask;
+}
+
+sub mk_krb5_conf($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
+ warn("can't open $ctx->{krb5_conf}$?");
+ return undef;
+ }
+
+ my $our_realms_stanza = mk_realms_stanza($ctx->{realm},
+ $ctx->{dnsname},
+ $ctx->{domain},
+ $ctx->{kdc_ipv4});
+ print KRB5CONF "
+#Generated krb5.conf for $ctx->{realm}
+
+[libdefaults]
+ default_realm = $ctx->{realm}
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ forwardable = yes
+
+ # We are running on the same machine, do not correct
+ # system clock differences
+ kdc_timesync = 0
+
+ fcache_strict_checking = false
+";
+
+ if (defined($ENV{MITKRB5})) {
+ print KRB5CONF "
+ # Set the grace clocskew to 5 seconds
+ # This is especially required by samba3.raw.session krb5 and
+ # reauth tests when not using Heimdal
+ clockskew = 5
+ ";
+ }
+
+ if (defined($ctx->{krb5_ccname})) {
+ print KRB5CONF "
+ default_ccache_name = $ctx->{krb5_ccname}
+";
+ }
+
+
+ if (defined($ctx->{supported_enctypes})) {
+ print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+ }
+
+ if (defined($ctx->{tlsdir})) {
+ if (defined($ENV{MITKRB5})) {
+ print KRB5CONF "
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname}
+
+";
+ } else {
+ print KRB5CONF "
+
+[appdefaults]
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+[kdc]
+ enable-pkinit = true
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+
+";
+ }
+ }
+
+ print KRB5CONF "
+[realms]
+ $our_realms_stanza
+";
+
+ close(KRB5CONF);
+}
+
+sub append_krb5_conf_trust_realms($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(KRB5CONF, ">>$ctx->{KRB5_CONFIG}")) {
+ warn("can't open $ctx->{KRB5_CONFIG}$?");
+ return undef;
+ }
+
+ my $trust_realms_stanza = mk_realms_stanza($ctx->{TRUST_REALM},
+ $ctx->{TRUST_DNSNAME},
+ $ctx->{TRUST_DOMAIN},
+ $ctx->{TRUST_SERVER_IP});
+
+ print KRB5CONF " $trust_realms_stanza";
+
+ close(KRB5CONF)
+}
+
+sub mk_realms_stanza($$$$)
+{
+ my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
+ my $lc_domain = lc($domain);
+
+ # The pkinit_require_krbtgt_otherName = false
+ # is just because the certificates we have saved
+ # do not have the realm in the subjectAltName
+ # (specially encoded as a principal)
+ # per
+ # https://github.com/heimdal/heimdal/wiki/Setting-up-PK-INIT-and-Certificates
+ my $realms_stanza = "
+ $realm = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $dnsname = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $domain = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+ $lc_domain = {
+ kdc = $kdc_ipv4:88
+ admin_server = $kdc_ipv4:88
+ default_domain = $dnsname
+ pkinit_require_krbtgt_otherName = false
+ }
+
+";
+ return $realms_stanza;
+}
+
+sub mk_mitkdc_conf($$)
+{
+ # samba_kdb_dir is the path to mit_samba.so
+ my ($ctx, $samba_kdb_dir) = @_;
+
+ unless (open(KDCCONF, ">$ctx->{mitkdc_conf}")) {
+ warn("can't open $ctx->{mitkdc_conf}$?");
+ return undef;
+ }
+
+ print KDCCONF "
+# Generated kdc.conf for $ctx->{realm}
+
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ $ctx->{realm} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+ $ctx->{dnsname} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+ $ctx->{domain} = {
+ master_key_type = aes256-cts
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
+ pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
+ pkinit_eku_checking = scLogin
+ pkinit_indicator = pkinit
+ pkinit_allow_upn = true
+ }
+
+[dbmodules]
+ db_module_dir = $samba_kdb_dir
+
+ $ctx->{realm} = {
+ db_library = samba
+ }
+
+ $ctx->{dnsname} = {
+ db_library = samba
+ }
+
+ $ctx->{domain} = {
+ db_library = samba
+ }
+
+[logging]
+ kdc = FILE:$ctx->{logdir}/mit_kdc.log
+";
+
+ close(KDCCONF);
+}
+
+sub mk_resolv_conf($$)
+{
+ my ($ctx) = @_;
+
+ unless (open(RESOLV_CONF, ">$ctx->{resolv_conf}")) {
+ warn("can't open $ctx->{resolv_conf}$?");
+ return undef;
+ }
+
+ print RESOLV_CONF "nameserver $ctx->{dns_ipv4}\n";
+ print RESOLV_CONF "nameserver $ctx->{dns_ipv6}\n";
+ close(RESOLV_CONF);
+}
+
+sub realm_to_ip_mappings
+{
+ # this maps the DNS realms for the various testenvs to the corresponding
+ # PDC (i.e. the first DC created for that realm).
+ my %realm_to_pdc_mapping = (
+ 'adnonssdom.samba.example.com' => 'addc_no_nss',
+ 'adnontlmdom.samba.example.com' => 'addc_no_ntlm',
+ 'samba2000.example.com' => 'dc5',
+ 'samba2003.example.com' => 'dc6',
+ 'samba2008r2.example.com' => 'dc7',
+ 'addom.samba.example.com' => 'addc',
+ 'addom2.samba.example.com' => 'addcsmb1',
+ 'sub.samba.example.com' => 'localsubdc',
+ 'chgdcpassword.samba.example.com' => 'chgdcpass',
+ 'backupdom.samba.example.com' => 'backupfromdc',
+ 'renamedom.samba.example.com' => 'renamedc',
+ 'labdom.samba.example.com' => 'labdc',
+ 'schema.samba.example.com' => 'liveupgrade1dc',
+ 'prockilldom.samba.example.com' => 'prockilldc',
+ 'proclimit.samba.example.com' => 'proclimitdc',
+ 'samba.example.com' => 'localdc',
+ 'fips.samba.example.com' => 'fipsdc',
+ );
+
+ my @mapping = ();
+
+ # convert the hashmap to a list of key=value strings, where key is the
+ # realm and value is the IP address
+ foreach my $realm (sort(keys %realm_to_pdc_mapping)) {
+ my $pdc = $realm_to_pdc_mapping{$realm};
+ my $ipaddr = get_ipv4_addr($pdc);
+ push(@mapping, "$realm=$ipaddr");
+ }
+ # return the mapping as a single comma-separated string
+ return join(',', @mapping);
+}
+
+sub get_interface($)
+{
+ my ($netbiosname) = @_;
+ $netbiosname = lc($netbiosname);
+
+ # this maps the SOCKET_WRAPPER_DEFAULT_IFACE value for each possible
+ # testenv to the DC's NETBIOS name. This value also corresponds to last
+ # digit of the DC's IP address. Note that the NETBIOS name may differ from
+ # the testenv name.
+ # Note that when adding a DC with a new realm, also update
+ # get_realm_ip_mappings() above.
+ my %testenv_iface_mapping = (
+ localnt4dc2 => 3,
+ localnt4member3 => 4,
+ localshare4 => 5,
+ # 6 is spare
+ localktest6 => 7,
+ maptoguest => 8,
+ localnt4dc9 => 9,
+ # 10 is spare
+
+ # 11-16 are used by selftest.pl for the client.conf. Most tests only
+ # use the first .11 IP. However, some tests (like winsreplication) rely
+ # on the client having multiple IPs.
+ client => 11,
+
+ addc_no_nss => 17,
+ addc_no_ntlm => 18,
+ idmapadmember => 19,
+ idmapridmember => 20,
+ localdc => 21,
+ localvampiredc => 22,
+ s4member => 23,
+ localrpcproxy => 24,
+ dc5 => 25,
+ dc6 => 26,
+ dc7 => 27,
+ rodc => 28,
+ localadmember => 29,
+ addc => 30,
+ localsubdc => 31,
+ chgdcpass => 32,
+ promotedvdc => 33,
+ rfc2307member => 34,
+ fileserver => 35,
+ fakednsforwarder1 => 36,
+ fakednsforwarder2 => 37,
+ s4member_dflt => 38,
+ vampire2000dc => 39,
+ backupfromdc => 40,
+ restoredc => 41,
+ renamedc => 42,
+ labdc => 43,
+ offlinebackupdc => 44,
+ customdc => 45,
+ prockilldc => 46,
+ proclimitdc => 47,
+ liveupgrade1dc => 48,
+ liveupgrade2dc => 49,
+ ctdb0 => 50,
+ ctdb1 => 51,
+ ctdb2 => 52,
+ fileserversmb1 => 53,
+ addcsmb1 => 54,
+ lclnt4dc2smb1 => 55,
+ fipsdc => 56,
+ fipsadmember => 57,
+ offlineadmem => 58,
+ s2kmember => 59,
+ admemidmapnss => 60,
+ localadmember2 => 61,
+ admemautorid => 62,
+
+ rootdnsforwarder => 64,
+
+ # Note: that you also need to update dns_hub.py when adding a new
+ # multi-DC testenv
+ # update lib/socket_wrapper/socket_wrapper.c
+ # #define MAX_WRAPPED_INTERFACES 64
+ # if you wish to have more than 64 interfaces
+ );
+
+ if (not defined($testenv_iface_mapping{$netbiosname})) {
+ die();
+ }
+
+ return $testenv_iface_mapping{$netbiosname};
+}
+
+sub get_ipv4_addr
+{
+ my ($hostname, $iface_num) = @_;
+ my $swiface = Samba::get_interface($hostname);
+
+ # Handle testenvs with multiple different addresses, i.e. IP multihoming.
+ # Currently only the selftest client has multiple IPv4 addresses.
+ if (defined($iface_num)) {
+ $swiface += $iface_num;
+ }
+
+ return "10.53.57.$swiface";
+}
+
+sub get_ipv6_addr
+{
+ (my $hostname) = @_;
+ my $swiface = Samba::get_interface($hostname);
+
+ return sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
+}
+
+# returns the 'interfaces' setting for smb.conf, i.e. the IPv4/IPv6
+# addresses for testenv
+sub get_interfaces_config
+{
+ my ($hostname, $num_ips) = @_;
+ my $interfaces = "";
+
+ # We give the client.conf multiple different IPv4 addresses.
+ # All other testenvs generally just have one IPv4 address.
+ if (! defined($num_ips)) {
+ $num_ips = 1;
+ }
+ for (my $i = 0; $i < $num_ips; $i++) {
+ my $ipv4_addr = Samba::get_ipv4_addr($hostname, $i);
+ if (use_namespaces()) {
+ # use a /24 subnet with network namespaces
+ $interfaces .= "$ipv4_addr/24 ";
+ } else {
+ $interfaces .= "$ipv4_addr/8 ";
+ }
+ }
+
+ my $ipv6_addr = Samba::get_ipv6_addr($hostname);
+ $interfaces .= "$ipv6_addr/64";
+
+ return $interfaces;
+}
+
+sub cleanup_child($$)
+{
+ my ($pid, $name) = @_;
+
+ if (!defined($pid)) {
+ print STDERR "cleanup_child: pid not defined ... not calling waitpid\n";
+ return -1;
+ }
+
+ my $childpid = waitpid($pid, WNOHANG);
+
+ if ($childpid == 0) {
+ } elsif ($childpid < 0) {
+ printf STDERR "%s child process %d isn't here any more\n", $name, $pid;
+ return $childpid;
+ } elsif ($? & 127) {
+ printf STDERR "%s child process %d, died with signal %d, %s coredump\n",
+ $name, $childpid, ($? & 127), ($? & 128) ? 'with' : 'without';
+ } else {
+ printf STDERR "%s child process %d exited with value %d\n", $name, $childpid, $? >> 8;
+ }
+ return $childpid;
+}
+
+sub random_domain_sid()
+{
+ my $domain_sid = "S-1-5-21-". int(rand(4294967295)) . "-" . int(rand(4294967295)) . "-" . int(rand(4294967295));
+ return $domain_sid;
+}
+
+# sets the environment variables ready for running a given process
+sub set_env_for_process
+{
+ my ($proc_name, $env_vars, $proc_envs) = @_;
+
+ if (not defined($proc_envs)) {
+ $proc_envs = get_env_for_process($proc_name, $env_vars);
+ }
+
+ foreach my $key (keys %{ $proc_envs }) {
+ $ENV{$key} = $proc_envs->{$key};
+ }
+}
+
+sub get_env_for_process
+{
+ my ($proc_name, $env_vars) = @_;
+ my $proc_envs = {
+ RESOLV_CONF => $env_vars->{RESOLV_CONF},
+ KRB5_CONFIG => $env_vars->{KRB5_CONFIG},
+ KRB5CCNAME => "$env_vars->{KRB5_CCACHE}.$proc_name",
+ GNUPGHOME => $env_vars->{GNUPGHOME},
+ SELFTEST_WINBINDD_SOCKET_DIR => $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR},
+ NMBD_SOCKET_DIR => $env_vars->{NMBD_SOCKET_DIR},
+ NSS_WRAPPER_PASSWD => $env_vars->{NSS_WRAPPER_PASSWD},
+ NSS_WRAPPER_GROUP => $env_vars->{NSS_WRAPPER_GROUP},
+ NSS_WRAPPER_HOSTS => $env_vars->{NSS_WRAPPER_HOSTS},
+ NSS_WRAPPER_HOSTNAME => $env_vars->{NSS_WRAPPER_HOSTNAME},
+ NSS_WRAPPER_MODULE_SO_PATH => $env_vars->{NSS_WRAPPER_MODULE_SO_PATH},
+ NSS_WRAPPER_MODULE_FN_PREFIX => $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX},
+ UID_WRAPPER_ROOT => "1",
+ ENVNAME => "$ENV{ENVNAME}.$proc_name",
+ };
+
+ if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+ $proc_envs->{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+ } else {
+ $proc_envs->{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+ }
+ if (defined($env_vars->{GNUTLS_FORCE_FIPS_MODE})) {
+ $proc_envs->{GNUTLS_FORCE_FIPS_MODE} = $env_vars->{GNUTLS_FORCE_FIPS_MODE};
+ }
+ if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+ $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
+ }
+ return $proc_envs;
+}
+
+sub fork_and_exec
+{
+ my ($self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup) = @_;
+ my $SambaCtx = $self;
+ $SambaCtx = $self->{SambaCtx} if defined($self->{SambaCtx});
+
+ # we close the child's write-end of the pipe and redirect the
+ # read-end to its stdin. That way the daemon will receive an
+ # EOF on stdin when parent selftest process closes its
+ # write-end.
+ $child_cleanup //= sub { close($env_vars->{STDIN_PIPE}) };
+
+ unlink($daemon_ctx->{LOG_FILE});
+ print "STARTING $daemon_ctx->{NAME} for $ENV{ENVNAME}...";
+
+ my $parent_pid = $$;
+ my $pid = fork();
+
+ # exec the daemon in the child process
+ if ($pid == 0) {
+ my @preargs = ();
+
+ # redirect the daemon's stdout/stderr to a log file
+ if (defined($daemon_ctx->{TEE_STDOUT})) {
+ # in some cases, we want out from samba to go to the log file,
+ # but also to the users terminal when running 'make test' on the
+ # command line. This puts it on stderr on the terminal
+ open STDOUT, "| tee $daemon_ctx->{LOG_FILE} 1>&2";
+ } else {
+ open STDOUT, ">$daemon_ctx->{LOG_FILE}";
+ }
+ open STDERR, '>&STDOUT';
+
+ SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
+ if (defined($daemon_ctx->{PCAP_FILE})) {
+ $SambaCtx->setup_pcap("$daemon_ctx->{PCAP_FILE}");
+ }
+
+ # setup ENV variables in the child process
+ set_env_for_process($daemon_ctx->{NAME}, $env_vars,
+ $daemon_ctx->{ENV_VARS});
+
+ $child_cleanup->();
+
+ # not all s3 daemons run in all testenvs (e.g. fileserver doesn't
+ # run winbindd). In which case, the child process just sleeps
+ if (defined($daemon_ctx->{SKIP_DAEMON})) {
+ $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub {
+ my $signame = shift;
+ print("Skip $daemon_ctx->{NAME} received signal $signame");
+ exit 0;
+ };
+ my $poll = IO::Poll->new();
+ $poll->mask($STDIN_READER, POLLIN);
+ $poll->poll($self->{server_maxtime});
+ exit 0;
+ }
+
+ $ENV{MAKE_TEST_BINARY} = $daemon_ctx->{BINARY_PATH};
+
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+ # if using kernel namespaces, prepend the command so the process runs in
+ # its own namespace
+ if (Samba::use_namespaces()) {
+ @preargs = ns_exec_preargs($parent_pid, $env_vars);
+ }
+
+ # the command args are stored as an array reference (because...Perl),
+ # so convert the reference back to an array
+ my @full_cmd = @{ $daemon_ctx->{FULL_CMD} };
+
+ exec(@preargs, @full_cmd) or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
+ }
+
+ print "DONE ($pid)\n";
+
+ # if using kernel namespaces, we now establish a connection between the
+ # main selftest namespace (i.e. this process) and the new child namespace
+ if (use_namespaces()) {
+ ns_child_forked($pid, $env_vars);
+ }
+
+ return $pid;
+}
+
+my @exported_envvars = (
+ # domain stuff
+ "DOMAIN",
+ "DNSNAME",
+ "REALM",
+ "DOMSID",
+
+ # stuff related to a trusted domain
+ "TRUST_SERVER",
+ "TRUST_USERNAME",
+ "TRUST_PASSWORD",
+ "TRUST_DOMAIN",
+ "TRUST_REALM",
+ "TRUST_DOMSID",
+
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind a forest trust (two-way)
+ "TRUST_F_BOTH_SERVER",
+ "TRUST_F_BOTH_SERVER_IP",
+ "TRUST_F_BOTH_SERVER_IPV6",
+ "TRUST_F_BOTH_NETBIOSNAME",
+ "TRUST_F_BOTH_USERNAME",
+ "TRUST_F_BOTH_PASSWORD",
+ "TRUST_F_BOTH_DOMAIN",
+ "TRUST_F_BOTH_REALM",
+
+ # stuff related to a trusted domain, on a trust_member
+ # the domain behind an external trust (two-way)
+ "TRUST_E_BOTH_SERVER",
+ "TRUST_E_BOTH_SERVER_IP",
+ "TRUST_E_BOTH_SERVER_IPV6",
+ "TRUST_E_BOTH_NETBIOSNAME",
+ "TRUST_E_BOTH_USERNAME",
+ "TRUST_E_BOTH_PASSWORD",
+ "TRUST_E_BOTH_DOMAIN",
+ "TRUST_E_BOTH_REALM",
+
+ # domain controller stuff
+ "DC_SERVER",
+ "DC_SERVER_IP",
+ "DC_SERVER_IPV6",
+ "DC_NETBIOSNAME",
+ "DC_NETBIOSALIAS",
+
+ # server stuff
+ "SERVER",
+ "SERVER_IP",
+ "SERVER_IPV6",
+ "NETBIOSNAME",
+ "NETBIOSALIAS",
+ "SAMSID",
+
+ # only use these 2 as a last resort. Some tests need to test both client-
+ # side and server-side. In this case, run as default client, ans access
+ # server's smb.conf as needed, typically using:
+ # param.LoadParm(filename_for_non_global_lp=os.environ['SERVERCONFFILE'])
+ "SERVERCONFFILE",
+ "DC_SERVERCONFFILE",
+
+ # user stuff
+ "USERNAME",
+ "USERID",
+ "PASSWORD",
+ "DC_USERNAME",
+ "DC_PASSWORD",
+
+ # UID/GID for rfc2307 mapping tests
+ "UID_RFC2307TEST",
+ "GID_RFC2307TEST",
+
+ # misc stuff
+ "KRB5_CONFIG",
+ "KRB5CCNAME",
+ "GNUPGHOME",
+ "SELFTEST_WINBINDD_SOCKET_DIR",
+ "NMBD_SOCKET_DIR",
+ "LOCAL_PATH",
+ "DNS_FORWARDER1",
+ "DNS_FORWARDER2",
+ "RESOLV_CONF",
+ "UNACCEPTABLE_PASSWORD",
+ "LOCK_DIR",
+ "SMBD_TEST_LOG",
+
+ # nss_wrapper
+ "NSS_WRAPPER_PASSWD",
+ "NSS_WRAPPER_GROUP",
+ "NSS_WRAPPER_HOSTS",
+ "NSS_WRAPPER_HOSTNAME",
+ "NSS_WRAPPER_MODULE_SO_PATH",
+ "NSS_WRAPPER_MODULE_FN_PREFIX",
+
+ # resolv_wrapper
+ "RESOLV_WRAPPER_CONF",
+ "RESOLV_WRAPPER_HOSTS",
+);
+
+sub exported_envvars_str
+{
+ my ($testenv_vars) = @_;
+ my $out = "";
+
+ foreach (@exported_envvars) {
+ next unless defined($testenv_vars->{$_});
+ $out .= $_."=".$testenv_vars->{$_}."\n";
+ }
+
+ return $out;
+}
+
+sub clear_exported_envvars
+{
+ foreach (@exported_envvars) {
+ delete $ENV{$_};
+ }
+}
+
+sub export_envvars
+{
+ my ($testenv_vars) = @_;
+
+ foreach (@exported_envvars) {
+ if (defined($testenv_vars->{$_})) {
+ $ENV{$_} = $testenv_vars->{$_};
+ } else {
+ delete $ENV{$_};
+ }
+ }
+}
+
+sub export_envvars_to_file
+{
+ my ($filepath, $testenv_vars) = @_;
+ my $env_str = exported_envvars_str($testenv_vars);
+
+ open(FILE, "> $filepath");
+ print FILE "$env_str";
+ close(FILE);
+}
+
+# Returns true if kernel namespaces are being used instead of socket-wrapper.
+# The default is false.
+sub use_namespaces
+{
+ return defined($ENV{USE_NAMESPACES});
+}
+
+# returns a given testenv's interface-name (only when USE_NAMESPACES=1)
+sub ns_interface_name
+{
+ my ($hostname) = @_;
+
+ # when using namespaces, each testenv has its own vethX interface,
+ # where X = Samba::get_interface(testenv_name)
+ my $iface = get_interface($hostname);
+ return "veth$iface";
+}
+
+# Called after a new child namespace has been forked
+sub ns_child_forked
+{
+ my ($child_pid, $env_vars) = @_;
+
+ # we only need to do this for the first child forked for this testenv
+ if (defined($env_vars->{NS_PID})) {
+ return;
+ }
+
+ # store the child PID. It's the only way the main (selftest) namespace can
+ # access the new child (testenv) namespace.
+ $env_vars->{NS_PID} = $child_pid;
+
+ # Add the new child namespace's interface to the main selftest bridge.
+ # This connects together the various testenvs so that selftest can talk to
+ # them all
+ my $iface = ns_interface_name($env_vars->{NETBIOSNAME});
+ system "$ENV{SRCDIR}/selftest/ns/add_bridge_iface.sh $iface-br selftest0";
+}
+
+# returns args to prepend to a command in order to execute it the correct
+# namespace for the testenv (creating a new namespace if needed).
+# This should only used when USE_NAMESPACES=1 is set.
+sub ns_exec_preargs
+{
+ my ($parent_pid, $env_vars) = @_;
+
+ # NS_PID stores the pid of the first child daemon run in this namespace
+ if (defined($env_vars->{NS_PID})) {
+
+ # the namespace has already been created previously. So we use nsenter
+ # to execute the command in the given testenv's namespace. We need to
+ # use the NS_PID to identify this particular namespace
+ return ("nsenter", "-t", "$env_vars->{NS_PID}", "--net");
+ } else {
+
+ # We need to create a new namespace for this daemon (i.e. we're
+ # setting up a new testenv). First, write the environment variables to
+ # an exports.sh file for this testenv (for convenient access by the
+ # namespace scripts).
+ my $exports_file = "$env_vars->{TESTENV_DIR}/exports.sh";
+ export_envvars_to_file($exports_file, $env_vars);
+
+ # when using namespaces, each testenv has its own veth interface
+ my $interface = ns_interface_name($env_vars->{NETBIOSNAME});
+
+ # we use unshare to create a new network namespace. The start_in_ns.sh
+ # helper script gets run first to setup the new namespace's interfaces.
+ # (This all gets prepended around the actual command to run in the new
+ # namespace)
+ return ("unshare", "--net", "$ENV{SRCDIR}/selftest/ns/start_in_ns.sh",
+ $interface, $exports_file, $parent_pid);
+ }
+}
+
+
+sub check_env {
+ my ($self, $envvars) = @_;
+ return 1;
+}
+
+sub teardown_env {
+ my ($self, $env) = @_;
+ return 1;
+}
+
+
+sub getlog_env {
+ return '';
+}
+
+1;
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
new file mode 100755
index 0000000..8f680b7
--- /dev/null
+++ b/selftest/target/Samba3.pm
@@ -0,0 +1,4182 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU GPL, v3 or later.
+
+# NOTE: Refer to the README for more details about the various testenvs,
+# and tips about adding new testenvs.
+
+package Samba3;
+
+use strict;
+use warnings;
+use Cwd qw(abs_path);
+use FindBin qw($RealBin);
+use POSIX;
+use target::Samba;
+use File::Path 'remove_tree';
+
+sub return_alias_env
+{
+ my ($self, $path, $env) = @_;
+
+ # just an alias
+ return $env;
+}
+
+sub have_ads($) {
+ my ($self) = @_;
+ my $found_ads = 0;
+ my $smbd_build_options = Samba::bindir_path($self, "smbd") . " --configfile=/dev/null -b|";
+ open(IN, $smbd_build_options) or die("Unable to run $smbd_build_options: $!");
+
+ while (<IN>) {
+ if (/WITH_ADS/) {
+ $found_ads = 1;
+ }
+ }
+ close IN;
+
+ # If we were not built with ADS support, pretend we were never even available
+ print "smbd does not have ADS support\n" unless $found_ads;
+ return $found_ads;
+}
+
+# return smb.conf parameters applicable to @path, based on the underlying
+# filesystem type
+sub get_fs_specific_conf($$)
+{
+ my ($self, $path) = @_;
+ my $mods = "";
+ my $stat_out = `stat --file-system $path` or return "";
+
+ if ($stat_out =~ m/Type:\s+btrfs/) {
+ $mods .= "streams_xattr btrfs";
+ }
+
+ if ($mods) {
+ return "vfs objects = $mods";
+ }
+
+ return '';
+}
+
+sub new($$) {
+ my ($classname, $SambaCtx, $bindir, $srcdir, $server_maxtime) = @_;
+ my $self = { vars => {},
+ SambaCtx => $SambaCtx,
+ bindir => $bindir,
+ srcdir => $srcdir,
+ server_maxtime => $server_maxtime
+ };
+ bless $self;
+ return $self;
+}
+
+sub teardown_env($$)
+{
+ my ($self, $envvars) = @_;
+
+ if (defined($envvars->{CTDB_PREFIX})) {
+ $self->teardown_env_ctdb($envvars);
+ } else {
+ $self->teardown_env_samba($envvars);
+ }
+
+ return;
+}
+
+sub teardown_env_samba($$)
+{
+ my ($self, $envvars) = @_;
+ my $count = 0;
+
+ # This should cause smbd to terminate gracefully
+ close($envvars->{STDIN_PIPE});
+
+ my $smbdpid = $envvars->{SMBD_TL_PID};
+ my $nmbdpid = $envvars->{NMBD_TL_PID};
+ my $winbinddpid = $envvars->{WINBINDD_TL_PID};
+ my $samba_dcerpcdpid = $envvars->{SAMBA_DCERPCD_TL_PID};
+
+ # This should give it time to write out the gcov data
+ until ($count > 20) {
+ my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
+ my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
+ my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+ my $samba_dcerpcdchild = Samba::cleanup_child(
+ $samba_dcerpcdpid, "samba-dcerpcd");
+ if ($smbdchild == -1
+ && $nmbdchild == -1
+ && $winbinddchild == -1
+ && $samba_dcerpcdpid == -1) {
+ last;
+ }
+ sleep(1);
+ $count++;
+ }
+
+ if ($count <= 20 &&
+ kill(0, $smbdpid, $nmbdpid, $winbinddpid, $samba_dcerpcdpid) == 0) {
+ return;
+ }
+
+ $self->stop_sig_term($smbdpid);
+ $self->stop_sig_term($nmbdpid);
+ $self->stop_sig_term($winbinddpid);
+ $self->stop_sig_term($samba_dcerpcdpid);
+
+ $count = 0;
+ until ($count > 10) {
+ my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
+ my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
+ my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+ my $samba_dcerpcdpid = Samba::cleanup_child(
+ $samba_dcerpcdpid, "samba-dcerpcd");
+ if ($smbdchild == -1
+ && $nmbdchild == -1
+ && $winbinddchild == -1
+ && $samba_dcerpcdpid == -1) {
+ last;
+ }
+ sleep(1);
+ $count++;
+ }
+
+ if ($count <= 10 &&
+ kill(0, $smbdpid, $nmbdpid, $winbinddpid, $samba_dcerpcdpid) == 0) {
+ return;
+ }
+
+ warn("timelimit process did not quit on SIGTERM, sending SIGKILL");
+ $self->stop_sig_kill($smbdpid);
+ $self->stop_sig_kill($nmbdpid);
+ $self->stop_sig_kill($winbinddpid);
+ $self->stop_sig_kill($samba_dcerpcdpid);
+
+ return 0;
+}
+
+sub teardown_env_ctdb($$)
+{
+ my ($self, $data) = @_;
+
+ if (defined($data->{SAMBA_NODES})) {
+ my $num_nodes = $data->{NUM_NODES};
+ my $nodes = $data->{SAMBA_NODES};
+
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ if (defined($nodes->[$i])) {
+ $self->teardown_env_samba($nodes->[$i]);
+ }
+ }
+ }
+
+ close($data->{CTDB_STDIN_PIPE});
+
+ if (not defined($data->{SAMBA_NODES})) {
+ # Give waiting children time to exit
+ sleep(5);
+ }
+
+ return 0;
+}
+
+sub getlog_env_app($$$)
+{
+ my ($self, $envvars, $name) = @_;
+
+ my $title = "$name LOG of: $envvars->{NETBIOSNAME}\n";
+ my $out = $title;
+
+ open(LOG, "<".$envvars->{$name."_TEST_LOG"});
+
+ seek(LOG, $envvars->{$name."_TEST_LOG_POS"}, SEEK_SET);
+ while (<LOG>) {
+ $out .= $_;
+ }
+ $envvars->{$name."_TEST_LOG_POS"} = tell(LOG);
+ close(LOG);
+
+ return "" if $out eq $title;
+
+ return $out;
+}
+
+sub getlog_env($$)
+{
+ my ($self, $envvars) = @_;
+ my $ret = "";
+
+ $ret .= $self->getlog_env_app($envvars, "SMBD");
+ $ret .= $self->getlog_env_app($envvars, "NMBD");
+ $ret .= $self->getlog_env_app($envvars, "WINBINDD");
+
+ return $ret;
+}
+
+sub check_env($$)
+{
+ my ($self, $envvars) = @_;
+
+ my $childpid = waitpid(-1, WNOHANG);
+
+ # TODO ...
+ return 1;
+}
+
+# Declare the environments Samba3 makes available.
+# To be set up, they will be called as
+# samba3->setup_$envname($self, $path, $dep_1_vars, $dep_2_vars, ...)
+%Samba3::ENV_DEPS = (
+ # name => [dep_1, dep_2, ...],
+ nt4_dc => [],
+ nt4_dc_smb1 => [],
+ nt4_dc_smb1_done => ["nt4_dc_smb1"],
+ nt4_dc_schannel => [],
+
+ simpleserver => [],
+ fileserver => [],
+ fileserver_smb1 => [],
+ fileserver_smb1_done => ["fileserver_smb1"],
+ maptoguest => [],
+ ktest => [],
+
+ nt4_member => ["nt4_dc"],
+
+ ad_member => ["ad_dc", "fl2008r2dc", "fl2003dc"],
+ ad_member_rfc2307 => ["ad_dc_ntvfs"],
+ ad_member_idmap_rid => ["ad_dc"],
+ admem_idmap_autorid => ["ad_dc"],
+ ad_member_idmap_ad => ["fl2008r2dc"],
+ ad_member_fips => ["ad_dc_fips"],
+ ad_member_offlogon => ["ad_dc"],
+ ad_member_oneway => ["fl2000dc"],
+ ad_member_idmap_nss => ["ad_dc"],
+ ad_member_s3_join => ["ad_dc"],
+
+ clusteredmember => ["nt4_dc"],
+);
+
+%Samba3::ENV_DEPS_POST = ();
+
+sub setup_nt4_dc
+{
+ my ($self, $path, $more_conf, $server) = @_;
+
+ print "PROVISIONING NT4 DC...";
+
+ my $nt4_dc_options = "
+ domain master = yes
+ domain logons = yes
+ lanman auth = yes
+ ntlm auth = yes
+ raw NTLMv2 auth = yes
+ rpc start on demand helpers = false
+
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+
+ server schannel require seal:schannel0\$ = no
+ server schannel require seal:schannel1\$ = no
+ server schannel require seal:schannel2\$ = no
+ server schannel require seal:schannel3\$ = no
+ server schannel require seal:schannel4\$ = no
+ server schannel require seal:schannel5\$ = no
+ server schannel require seal:schannel6\$ = no
+ server schannel require seal:schannel7\$ = no
+ server schannel require seal:schannel8\$ = no
+ server schannel require seal:schannel9\$ = no
+ server schannel require seal:schannel10\$ = no
+ server schannel require seal:schannel11\$ = no
+ server schannel require seal:torturetest\$ = no
+
+ vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
+
+ fss: sequence timeout = 1
+ check parent directory delete on close = yes
+";
+
+ if (defined($more_conf)) {
+ $nt4_dc_options = $nt4_dc_options . $more_conf;
+ }
+ if (!defined($server)) {
+ $server = "LOCALNT4DC2";
+ }
+ my $vars = $self->provision(
+ prefix => $path,
+ domain => "SAMBA-TEST",
+ server => $server,
+ password => "localntdc2pass",
+ extra_options => $nt4_dc_options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start(
+ env_vars => $vars,
+ samba_dcerpcd => "yes",
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $vars->{DOMSID} = $vars->{SAMSID};
+ $vars->{DC_SERVER} = $vars->{SERVER};
+ $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+ $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
+ $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
+ $vars->{DC_USERNAME} = $vars->{USERNAME};
+ $vars->{DC_PASSWORD} = $vars->{PASSWORD};
+
+ return $vars;
+}
+
+sub setup_nt4_dc_smb1
+{
+ my ($self, $path) = @_;
+ my $conf = "
+[global]
+ client min protocol = CORE
+ server min protocol = LANMAN1
+";
+ return $self->setup_nt4_dc($path, $conf, "LCLNT4DC2SMB1");
+}
+
+sub setup_nt4_dc_smb1_done
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env);
+}
+
+sub setup_nt4_dc_schannel
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING NT4 DC WITH SERVER SCHANNEL ...";
+
+ my $pdc_options = "
+ domain master = yes
+ domain logons = yes
+ lanman auth = yes
+
+ server schannel = yes
+ # used to reproduce bug #12772
+ server max protocol = SMB2_02
+";
+
+ my $vars = $self->provision(
+ prefix => $path,
+ domain => "NT4SCHANNEL",
+ server => "LOCALNT4DC9",
+ password => "localntdc9pass",
+ extra_options => $pdc_options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start(
+ env_vars => $vars,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $vars->{DOMSID} = $vars->{SAMSID};
+ $vars->{DC_SERVER} = $vars->{SERVER};
+ $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+ $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
+ $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
+ $vars->{DC_USERNAME} = $vars->{USERNAME};
+ $vars->{DC_PASSWORD} = $vars->{PASSWORD};
+
+ return $vars;
+}
+
+sub setup_nt4_member
+{
+ my ($self, $prefix, $nt4_dc_vars) = @_;
+ my $count = 0;
+ my $rc;
+
+ print "PROVISIONING MEMBER...";
+
+ my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
+ if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '' eq "1") {
+ $require_mutexes = "";
+ }
+
+ my $member_options = "
+ security = domain
+ dbwrap_tdb_mutexes:* = yes
+ ${require_mutexes}
+";
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $nt4_dc_vars->{DOMAIN},
+ server => "LOCALNT4MEMBER3",
+ password => "localnt4member3pass",
+ extra_options => $member_options);
+
+ $ret or return undef;
+
+ my $nmblookup = Samba::bindir_path($self, "nmblookup");
+ do {
+ print "Waiting for the LOGON SERVER registration ...\n";
+ $rc = system("$nmblookup $ret->{CONFIGURATION} $ret->{DOMAIN}\#1c");
+ if ($rc != 0) {
+ sleep(1);
+ }
+ $count++;
+ } while ($rc != 0 && $count < 10);
+ if ($count == 10) {
+ print "NMBD not reachable after 10 retries\n";
+ teardown_env($self, $ret);
+ return 0;
+ }
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net rpc join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
+ $cmd .= " -U$nt4_dc_vars->{USERNAME}\%$nt4_dc_vars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # Add hosts file for name lookups
+ $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net $ret->{CONFIGURATION} primarytrust dumpinfo | grep -q 'REDACTED SECRET VALUES'";
+
+ if (system($cmd) != 0) {
+ warn("check failed\n$cmd");
+ return undef;
+ }
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DOMSID} = $nt4_dc_vars->{DOMSID};
+ $ret->{DC_SERVER} = $nt4_dc_vars->{SERVER};
+ $ret->{DC_SERVER_IP} = $nt4_dc_vars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $nt4_dc_vars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $nt4_dc_vars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $nt4_dc_vars->{USERNAME};
+ $ret->{DC_PASSWORD} = $nt4_dc_vars->{PASSWORD};
+
+ return $ret;
+}
+
+sub setup_clusteredmember
+{
+ my ($self, $prefix, $nt4_dc_vars) = @_;
+ my $count = 0;
+ my $rc;
+ my @retvals = ();
+ my $ret;
+
+ print "PROVISIONING CLUSTEREDMEMBER...\n";
+
+ my $prefix_abs = abs_path($prefix);
+ mkdir($prefix_abs, 0777);
+
+ my $server_name = "CLUSTEREDMEMBER";
+
+ my $ctdb_data = $self->setup_ctdb($prefix);
+
+ if (not $ctdb_data) {
+ print "No ctdb data\n";
+ return undef;
+ }
+
+ print "PROVISIONING CLUSTERED SAMBA...\n";
+
+ my $num_nodes = $ctdb_data->{NUM_NODES};
+ my $nodes = $ctdb_data->{CTDB_NODES};
+
+ # Enable cleanup of earlier nodes if a later node fails
+ $ctdb_data->{SAMBA_NODES} = \@retvals;
+
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ my $node = $nodes->[$i];
+ my $socket = $node->{SOCKET_FILE};
+ my $server_name = $node->{SERVER_NAME};
+ my $pub_iface = $node->{SOCKET_WRAPPER_DEFAULT_IFACE};
+ my $node_prefix = $node->{NODE_PREFIX};
+
+ print "NODE_PREFIX=${node_prefix}\n";
+ print "SOCKET=${socket}\n";
+
+ my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
+ if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '' eq "1") {
+ $require_mutexes = "" ;
+ }
+
+ my $member_options = "
+ security = domain
+ server signing = on
+ clustering = yes
+ ctdbd socket = ${socket}
+ include = registry
+ dbwrap_tdb_mutexes:* = yes
+ ${require_mutexes}
+";
+
+ my $node_ret = $self->provision(
+ prefix => "$node_prefix",
+ domain => $nt4_dc_vars->{DOMAIN},
+ server => "$server_name",
+ password => "clustermember8pass",
+ netbios_name => "CLUSTEREDMEMBER",
+ share_dir => "${prefix_abs}/shared",
+ extra_options => $member_options,
+ no_delete_prefix => 1);
+ if (not $node_ret) {
+ print "Provision node $i failed\n";
+ teardown_env($self, $ctdb_data);
+ return undef;
+ }
+
+ my $registry_share_template = "$node_ret->{SERVERCONFFILE}.registry_share_template";
+ unless (open(REGISTRYCONF, ">$registry_share_template")) {
+ warn("Unable to open $registry_share_template");
+ teardown_env($self, $node_ret);
+ teardown_env($self, $ctdb_data);
+ return undef;
+ }
+
+ print REGISTRYCONF "
+[registry_share]
+ copy = tmp
+ comment = smb username is [%U]
+";
+
+ close(REGISTRYCONF);
+
+ my $net = Samba::bindir_path($self, "net");
+ my $cmd = "";
+
+ $cmd .= "UID_WRAPPER_ROOT=1 ";
+ $cmd .= "$net conf import $node_ret->{CONFIGURATION} ${registry_share_template}";
+
+ my $net_ret = system($cmd);
+ if ($net_ret != 0) {
+ warn("net conf import failed: $net_ret\n$cmd");
+ teardown_env($self, $node_ret);
+ teardown_env($self, $ctdb_data);
+ return undef;
+ }
+
+ my $nmblookup = Samba::bindir_path($self, "nmblookup");
+ do {
+ print "Waiting for the LOGON SERVER registration ...\n";
+ $rc = system("$nmblookup $node_ret->{CONFIGURATION} " .
+ "$node_ret->{DOMAIN}\#1c");
+ if ($rc != 0) {
+ sleep(1);
+ }
+ $count++;
+ } while ($rc != 0 && $count < 10);
+
+ if ($count == 10) {
+ print "NMBD not reachable after 10 retries\n";
+ teardown_env($self, $node_ret);
+ teardown_env($self, $ctdb_data);
+ return undef;
+ }
+
+ push(@retvals, $node_ret);
+ }
+
+ $ret = {%$ctdb_data, %{$retvals[0]}};
+
+ my $net = Samba::bindir_path($self, "net");
+ my $cmd = "";
+ $cmd .= "UID_WRAPPER_ROOT=1 ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
+ $cmd .= " -U$nt4_dc_vars->{USERNAME}\%$nt4_dc_vars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ teardown_env($self, $ret);
+ return undef;
+ }
+
+ for (my $i=0; $i<@retvals; $i++) {
+ my $node_provision = $retvals[$i];
+ my $ok;
+ $ok = $self->check_or_start(
+ env_vars => $node_provision,
+ winbindd => "yes",
+ smbd => "yes",
+ child_cleanup => sub {
+ map {
+ my $fh = $_->{STDIN_PIPE};
+ close($fh) if defined($fh);
+ } @retvals });
+ if (not $ok) {
+ teardown_env($self, $ret);
+ return undef;
+ }
+ }
+
+ #
+ # Build a unclist for every share
+ #
+ unless (open(NODES, "<$ret->{CTDB_NODES_FILE}")) {
+ warn("Unable to open CTDB nodes file");
+ teardown_env($self, $ret);
+ return undef;
+ }
+ my @nodes = <NODES>;
+ close(NODES);
+ chomp @nodes;
+
+ my $conffile = $ret->{SERVERCONFFILE};
+ $cmd = "";
+ $cmd .= 'sed -n -e \'s|^\[\(.*\)\]$|\1|p\'';
+ $cmd .= " \"$conffile\"";
+ $cmd .= " | grep -vx 'global'";
+
+ my @shares = `$cmd`;
+ $rc = $?;
+ if ($rc != 0) {
+ warn("Listing shares failed\n$cmd");
+ teardown_env($self, $ret);
+ return undef;
+ }
+ chomp @shares;
+
+ my $unclistdir = "${prefix_abs}/unclists";
+ mkdir($unclistdir, 0777);
+ foreach my $share (@shares) {
+ my $l = "${unclistdir}/${share}.txt";
+ unless (open(UNCLIST, ">${l}")) {
+ warn("Unable to open UNC list ${l}");
+ teardown_env($self, $ret);
+ return undef;
+ }
+ foreach my $node (@nodes) {
+ print UNCLIST "//${node}/${share}\n";
+ }
+ close(UNCLIST);
+ }
+
+ $ret->{DOMSID} = $nt4_dc_vars->{DOMSID};
+ $ret->{DC_SERVER} = $nt4_dc_vars->{SERVER};
+ $ret->{DC_SERVER_IP} = $nt4_dc_vars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $nt4_dc_vars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $nt4_dc_vars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $nt4_dc_vars->{USERNAME};
+ $ret->{DC_PASSWORD} = $nt4_dc_vars->{PASSWORD};
+
+ return $ret;
+}
+
+sub provision_ad_member
+{
+ my ($self,
+ $prefix,
+ $machine_account,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e,
+ $extra_member_options,
+ $force_fips_mode,
+ $offline_logon,
+ $no_nss_winbind) = @_;
+
+ if (defined($offline_logon) && defined($no_nss_winbind)) {
+ warn ("Offline logon incompatible with no nss winbind\n");
+ return undef;
+ }
+
+ my $prefix_abs = abs_path($prefix);
+ my @dirs = ();
+
+ mkdir($prefix_abs, 0777);
+
+ my $share_dir="$prefix_abs/share";
+ push(@dirs, $share_dir);
+
+ my $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/U_alice";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/U_alice/G_domain users";
+ push(@dirs, $substitution_path);
+
+ # Using '/' as the winbind separator is a bad idea ...
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}/domain users";
+ push(@dirs, $substitution_path);
+
+ my $option_offline_logon = "no";
+ if (defined($offline_logon)) {
+ $option_offline_logon = "yes";
+ }
+
+ my $netbios_aliases = "";
+ if ($machine_account eq "LOCALADMEMBER") {
+ $netbios_aliases = "netbios aliases = foo bar";
+ }
+
+ unless (defined($extra_member_options)) {
+ $extra_member_options = "";
+ }
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ $netbios_aliases
+ template homedir = /home/%D/%G/%U
+ auth event notification = true
+ password server = $dcvars->{SERVER}
+ winbind scan trusted domains = no
+ winbind offline logon = $option_offline_logon
+
+ allow dcerpc auth level connect:lsarpc = yes
+ dcesrv:max auth states = 8
+ rpc start on demand helpers = false
+
+ # Begin extra member options
+ $extra_member_options
+ # End extra member options
+
+[sub_dug]
+ path = $share_dir/D_%D/U_%U/G_%G
+ writeable = yes
+
+[sub_dug2]
+ path = $share_dir/D_%D/u_%u/g_%g
+ writeable = yes
+
+[sub_valid_users]
+ path = $share_dir
+ valid users = ADDOMAIN/%U
+
+[sub_valid_users_domain]
+ path = $share_dir
+ valid users = %D/%U
+
+[sub_valid_users_group]
+ path = $share_dir
+ valid users = \@$dcvars->{DOMAIN}/%G
+
+[valid_users]
+ path = $share_dir
+ valid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
+
+[valid_users_group]
+ path = $share_dir
+ valid users = \"\@$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_unix_group]
+ path = $share_dir
+ valid users = \"+$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_nis_group]
+ path = $share_dir
+ valid users = \"&$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_unix_nis_group]
+ path = $share_dir
+ valid users = \"+&$dcvars->{DOMAIN}/domain users\"
+
+[valid_users_nis_unix_group]
+ path = $share_dir
+ valid users = \"&+$dcvars->{DOMAIN}/domain users\"
+
+[invalid_users]
+ path = $share_dir
+ invalid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
+
+[valid_and_invalid_users]
+ path = $share_dir
+ valid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME} $dcvars->{DOMAIN}/alice
+ invalid users = $dcvars->{DOMAIN}/$dcvars->{DC_USERNAME}
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ realm => $dcvars->{REALM},
+ server => $machine_account,
+ password => "loCalMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ mkdir($_, 0777) foreach(@dirs);
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ if (defined($force_fips_mode)) {
+ $ret->{GNUTLS_FORCE_FIPS_MODE} = "1";
+ $ret->{OPENSSL_FORCE_FIPS_MODE} = "1";
+ }
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ if (defined($force_fips_mode)) {
+ $cmd .= "GNUTLS_FORCE_FIPS_MODE=1 ";
+ $cmd .= "OPENSSL_FORCE_FIPS_MODE=1 ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} --use-kerberos=required";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (defined($offline_logon)) {
+ my $wbinfo = Samba::bindir_path($self, "wbinfo");
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ winbindd => "yes")) {
+ return undef;
+ }
+
+ # Fill samlogoncache for alice
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$wbinfo --pam-logon=ADDOMAIN/alice%Secret007";
+ if (system($cmd) != 0) {
+ warn("Filling the cache failed\n$cmd");
+ return undef;
+ }
+
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$wbinfo --ccache-save=ADDOMAIN/alice%Secret007";
+ if (system($cmd) != 0) {
+ warn("Filling the cache failed\n$cmd");
+ return undef;
+ }
+
+ # Fill samlogoncache for bob
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$wbinfo --pam-logon=ADDOMAIN/bob%Secret007";
+ if (system($cmd) != 0) {
+ warn("Filling the cache failed\n$cmd");
+ return undef;
+ }
+
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$wbinfo --ccache-save=ADDOMAIN/bob%Secret007";
+ if (system($cmd) != 0) {
+ warn("Filling the cache failed\n$cmd");
+ return undef;
+ }
+
+ # Set windindd offline
+ my $smbcontrol = Samba::bindir_path($self, "smbcontrol");
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "UID_WRAPPER_ROOT='1' ";
+ $cmd .= "$smbcontrol $ret->{CONFIGURATION} winbindd offline";
+ if (system($cmd) != 0) {
+ warn("Setting winbindd offline failed\n$cmd");
+ return undef;
+ }
+
+ # Validate the offline cache
+ $cmd = "NSS_WRAPPER_PASSWD='$ret->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$ret->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= "UID_WRAPPER_ROOT='1' ";
+ $cmd .= "$smbcontrol $ret->{CONFIGURATION} winbindd validate-cache";
+ if (system($cmd) != 0) {
+ warn("Validation of winbind credential cache failed\n$cmd");
+ teardown_env($self, $ret);
+ return undef;
+ }
+
+ # Shut down winbindd
+ teardown_env($self, $ret);
+
+ ### Change SOCKET_WRAPPER_DIR so it can't connect to AD
+ my $swrap_env = $ENV{SOCKET_WRAPPER_DIR};
+ $ENV{SOCKET_WRAPPER_DIR} = "$prefix_abs";
+
+ # Start winbindd in offline mode
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ winbindd => "offline")) {
+ return undef;
+ }
+
+ # Set socket dir again
+ $ENV{SOCKET_WRAPPER_DIR} = $swrap_env;
+
+ } else {
+ if (defined($no_nss_winbind)) {
+ $ret->{NSS_WRAPPER_MODULE_SO_PATH} = "";
+ $ret->{NSS_WRAPPER_MODULE_FN_PREFIX} = "";
+ }
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ samba_dcerpcd => "yes",
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_SERVERCONFFILE} = $dcvars->{SERVERCONFFILE};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ # forest trust
+ $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER};
+ $ret->{TRUST_F_BOTH_SERVER_IP} = $trustvars_f->{SERVER_IP};
+ $ret->{TRUST_F_BOTH_SERVER_IPV6} = $trustvars_f->{SERVER_IPV6};
+ $ret->{TRUST_F_BOTH_NETBIOSNAME} = $trustvars_f->{NETBIOSNAME};
+ $ret->{TRUST_F_BOTH_USERNAME} = $trustvars_f->{USERNAME};
+ $ret->{TRUST_F_BOTH_PASSWORD} = $trustvars_f->{PASSWORD};
+ $ret->{TRUST_F_BOTH_DOMAIN} = $trustvars_f->{DOMAIN};
+ $ret->{TRUST_F_BOTH_REALM} = $trustvars_f->{REALM};
+
+ # external trust
+ $ret->{TRUST_E_BOTH_SERVER} = $trustvars_e->{SERVER};
+ $ret->{TRUST_E_BOTH_SERVER_IP} = $trustvars_e->{SERVER_IP};
+ $ret->{TRUST_E_BOTH_SERVER_IPV6} = $trustvars_e->{SERVER_IPV6};
+ $ret->{TRUST_E_BOTH_NETBIOSNAME} = $trustvars_e->{NETBIOSNAME};
+ $ret->{TRUST_E_BOTH_USERNAME} = $trustvars_e->{USERNAME};
+ $ret->{TRUST_E_BOTH_PASSWORD} = $trustvars_e->{PASSWORD};
+ $ret->{TRUST_E_BOTH_DOMAIN} = $trustvars_e->{DOMAIN};
+ $ret->{TRUST_E_BOTH_REALM} = $trustvars_e->{REALM};
+
+ return $ret;
+}
+
+sub setup_ad_member
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD MEMBER...";
+
+ return $self->provision_ad_member($prefix,
+ "LOCALADMEMBER",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e);
+}
+
+sub setup_ad_member_s3_join
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD MEMBER...";
+
+ return $self->provision_ad_member($prefix,
+ "LOCALADMEMBER2",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e);
+}
+
+sub setup_ad_member_rfc2307
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH idmap_rfc2307 config...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ idmap cache time = 0
+ idmap negative cache time = 0
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-1999999
+ idmap config * : rangesize = 100000
+ idmap config $dcvars->{DOMAIN} : backend = rfc2307
+ idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+ idmap config $dcvars->{DOMAIN} : ldap_server = ad
+ idmap config $dcvars->{DOMAIN} : bind_path_user = ou=idmap,dc=samba,dc=example,dc=com
+ idmap config $dcvars->{DOMAIN} : bind_path_group = ou=idmap,dc=samba,dc=example,dc=com
+
+ password server = $dcvars->{SERVER}
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ realm => $dcvars->{REALM},
+ server => "RFC2307MEMBER",
+ password => "loCalMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ return $ret;
+}
+
+sub setup_admem_idmap_autorid
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH idmap_autorid config...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-19999999
+ idmap config * : rangesize = 1000000
+
+ # Prevent overridding the provisioned lib/krb5.conf which sets certain
+ # values required for tests to succeed
+ create krb5 conf = no
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ realm => $dcvars->{REALM},
+ server => "ADMEMAUTORID",
+ password => "loCalMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ return $ret;
+}
+
+sub setup_ad_member_idmap_rid
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH idmap_rid config...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+ idmap config $dcvars->{DOMAIN} : backend = rid
+ idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+ # Prevent overridding the provisioned lib/krb5.conf which sets certain
+ # values required for tests to succeed
+ create krb5 conf = no
+ map to guest = bad user
+ server signing = required
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ realm => $dcvars->{REALM},
+ server => "IDMAPRIDMEMBER",
+ password => "loCalMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ return $ret;
+}
+
+sub setup_ad_member_idmap_ad
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH idmap_ad config...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ password server = $dcvars->{SERVER}
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+ idmap config $dcvars->{DOMAIN} : backend = ad
+ idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+ idmap config $dcvars->{DOMAIN} : unix_primary_group = yes
+ idmap config $dcvars->{DOMAIN} : unix_nss_info = yes
+ idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
+ idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
+ gensec_gssapi:requested_life_time = 5
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ realm => $dcvars->{REALM},
+ server => "IDMAPADMEMBER",
+ password => "loCalMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by Samba4 can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
+ $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
+ $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD};
+ $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN};
+ $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM};
+ $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID};
+
+ return $ret;
+}
+
+sub setup_ad_member_oneway
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING S3 AD MEMBER WITH one-way trust...";
+
+ my $member_options = "
+ security = ads
+ workgroup = $dcvars->{DOMAIN}
+ realm = $dcvars->{REALM}
+ password server = $dcvars->{SERVER}
+ idmap config * : backend = tdb
+ idmap config * : range = 1000000-1999999
+ gensec_gssapi:requested_life_time = 5
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => $dcvars->{DOMAIN},
+ server => "S2KMEMBER",
+ password => "loCalS2KMemberPass",
+ extra_options => $member_options,
+ resolv_conf => $dcvars->{RESOLV_CONF});
+
+ $ret or return undef;
+
+ $ret->{DOMAIN} = $dcvars->{DOMAIN};
+ $ret->{REALM} = $dcvars->{REALM};
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = $dcvars->{DOMAIN};
+ $ctx->{realm} = $dcvars->{REALM};
+ $ctx->{dnsname} = lc($dcvars->{REALM});
+ $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+ my $net = Samba::bindir_path($self, "net");
+ # Add hosts file for name lookups
+ my $cmd = "NSS_WRAPPER_HOSTS='$ret->{NSS_WRAPPER_HOSTS}' ";
+ $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+ $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ $cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" ";
+ $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
+ $cmd .= "$net join $ret->{CONFIGURATION}";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ if (system($cmd) != 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ winbindd => "yes")) {
+ return undef;
+ }
+
+ $ret->{DC_SERVER} = $dcvars->{SERVER};
+ $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+ $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+ $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+ $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
+ $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
+ $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD};
+ $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN};
+ $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM};
+ $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID};
+
+ return $ret;
+}
+
+sub setup_ad_member_fips
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD FIPS MEMBER...";
+
+ return $self->provision_ad_member($prefix,
+ "FIPSADMEMBER",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e,
+ undef,
+ 1);
+}
+
+sub setup_ad_member_offlogon
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD MEMBER OFFLINE LOGON...";
+
+ return $self->provision_ad_member($prefix,
+ "OFFLINEADMEM",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e,
+ undef,
+ undef,
+ 1);
+}
+
+sub setup_ad_member_idmap_nss
+{
+ my ($self,
+ $prefix,
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING AD MEMBER WITHOUT NSS WINBIND WITH idmap_nss config...";
+
+ my $extra_member_options = "
+ # bob:x:65521:65531:localbob gecos:/:/bin/false
+ # jane:x:65520:65531:localjane gecos:/:/bin/false
+ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false
+ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false
+ idmap config $dcvars->{DOMAIN} : backend = nss
+ idmap config $dcvars->{DOMAIN} : range = 65518-65521
+
+ # Support SMB1 so that we can use posix_whoami().
+ client min protocol = CORE
+ server min protocol = LANMAN1
+
+ username map = $prefix/lib/username.map
+";
+
+ my $ret = $self->provision_ad_member($prefix,
+ "ADMEMIDMAPNSS",
+ $dcvars,
+ $trustvars_f,
+ $trustvars_e,
+ $extra_member_options,
+ undef,
+ undef,
+ 1);
+
+ open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+ print USERMAP "
+!jacknomapper = \@jackthemappergroup
+!root = jacknomappergroup
+root = $dcvars->{DOMAIN}/root
+bob = $dcvars->{DOMAIN}/bob
+";
+ close(USERMAP);
+
+ return $ret;
+}
+
+sub setup_simpleserver
+{
+ my ($self, $path) = @_;
+
+ print "PROVISIONING simple server...";
+
+ my $prefix_abs = abs_path($path);
+ mkdir($prefix_abs, 0777);
+
+ my $external_streams_depot="$prefix_abs/external_streams_depot";
+ remove_tree($external_streams_depot);
+ mkdir($external_streams_depot, 0777);
+
+ my $simpleserver_options = "
+ lanman auth = yes
+ ntlm auth = yes
+ vfs objects = xattr_tdb streams_depot
+ change notify = no
+ server smb encrypt = off
+
+[vfs_aio_pthread]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread
+ aio_pthread:aio open = yes
+ smbd async dosmode = no
+
+[vfs_aio_pthread_async_dosmode_default1]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread
+ store dos attributes = yes
+ aio_pthread:aio open = yes
+ smbd async dosmode = yes
+
+[vfs_aio_pthread_async_dosmode_default2]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread xattr_tdb
+ store dos attributes = yes
+ aio_pthread:aio open = yes
+ smbd async dosmode = yes
+
+[async_dosmode_shadow_copy2]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = shadow_copy2 xattr_tdb
+ smbd async dosmode = yes
+
+[vfs_aio_fork]
+ path = $prefix_abs/share
+ vfs objects = aio_fork
+ read only = no
+ vfs_aio_fork:erratic_testing_mode=yes
+
+[dosmode]
+ path = $prefix_abs/share
+ vfs objects =
+ store dos attributes = yes
+ hide files = /hidefile/
+ hide dot files = yes
+
+[hidenewfiles]
+ path = $prefix_abs/share
+ hide new files timeout = 5
+
+[external_streams_depot]
+ path = $prefix_abs/share
+ read only = no
+ streams_depot:directory = $external_streams_depot
+";
+
+ my $vars = $self->provision(
+ prefix => $path,
+ domain => "WORKGROUP",
+ server => "LOCALSHARE4",
+ password => "local4pass",
+ extra_options => $simpleserver_options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start(
+ env_vars => $vars,
+ nmbd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ return $vars;
+}
+
+sub create_file_chmod($$)
+{
+ my ($name, $mode) = @_;
+ my $fh;
+
+ unless (open($fh, '>', $name)) {
+ warn("Unable to open $name");
+ return undef;
+ }
+ chmod($mode, $fh);
+}
+
+sub setup_fileserver
+{
+ my ($self, $path, $more_conf, $server) = @_;
+ my $prefix_abs = abs_path($path);
+ my $srcdir_abs = abs_path($self->{srcdir});
+
+ print "PROVISIONING file server ...\n";
+
+ my @dirs = ();
+
+ mkdir($prefix_abs, 0777);
+
+ my $usershare_dir="$prefix_abs/lib/usershare";
+
+ mkdir("$prefix_abs/lib", 0755);
+ remove_tree($usershare_dir);
+ mkdir($usershare_dir, 01770);
+
+ my $share_dir="$prefix_abs/share";
+
+ # Create share directory structure
+ my $lower_case_share_dir="$share_dir/lower-case";
+ push(@dirs, $lower_case_share_dir);
+
+ my $lower_case_share_dir_30000="$share_dir/lower-case-30000";
+ push(@dirs, $lower_case_share_dir_30000);
+
+ my $dfree_share_dir="$share_dir/dfree";
+ push(@dirs, $dfree_share_dir);
+ push(@dirs, "$dfree_share_dir/subdir1");
+ push(@dirs, "$dfree_share_dir/subdir2");
+ push(@dirs, "$dfree_share_dir/subdir3");
+
+ my $quotadir_dir="$share_dir/quota";
+ push(@dirs, $quotadir_dir);
+
+ my $valid_users_sharedir="$share_dir/valid_users";
+ push(@dirs,$valid_users_sharedir);
+
+ my $offline_sharedir="$share_dir/offline";
+ push(@dirs,$offline_sharedir);
+
+ my $force_user_valid_users_dir = "$share_dir/force_user_valid_users";
+ push(@dirs, $force_user_valid_users_dir);
+
+ my $smbget_sharedir="$share_dir/smbget";
+ push(@dirs,$smbget_sharedir);
+
+ my $tarmode_sharedir="$share_dir/tarmode";
+ push(@dirs,$tarmode_sharedir);
+
+ my $tarmode2_sharedir="$share_dir/tarmode2";
+ push(@dirs,$tarmode2_sharedir);
+
+ my $smbcacls_sharedir="$share_dir/smbcacls";
+ push(@dirs,$smbcacls_sharedir);
+
+ my $usershare_sharedir="$share_dir/usershares";
+ push(@dirs,$usershare_sharedir);
+
+ my $dropbox_sharedir="$share_dir/dropbox";
+ push(@dirs,$dropbox_sharedir);
+
+ my $bad_iconv_sharedir="$share_dir/bad_iconv";
+ push(@dirs, $bad_iconv_sharedir);
+
+ my $veto_sharedir="$share_dir/veto";
+ push(@dirs,$veto_sharedir);
+
+ my $virusfilter_sharedir="$share_dir/virusfilter";
+ push(@dirs,$virusfilter_sharedir);
+
+ my $delete_unwrite_sharedir="$share_dir/delete_unwrite";
+ push(@dirs,$delete_unwrite_sharedir);
+ push(@dirs, "$delete_unwrite_sharedir/delete_veto_yes");
+ push(@dirs, "$delete_unwrite_sharedir/delete_veto_no");
+
+ my $volume_serial_number_sharedir="$share_dir/volume_serial_number";
+ push(@dirs, $volume_serial_number_sharedir);
+
+ my $ip4 = Samba::get_ipv4_addr("FILESERVER");
+ my $fileserver_options = "
+ kernel change notify = yes
+ spotlight backend = elasticsearch
+ elasticsearch:address = $ip4
+ elasticsearch:port = 8080
+ elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
+
+ usershare path = $usershare_dir
+ usershare max shares = 10
+ usershare allow guests = yes
+ usershare prefix allow list = $usershare_sharedir
+
+ get quota command = $prefix_abs/getset_quota.py
+ set quota command = $prefix_abs/getset_quota.py
+[tarmode]
+ path = $tarmode_sharedir
+ comment = tar test share
+ xattr_tdb:file = $prefix_abs/tarmode-xattr.tdb
+[tarmode2]
+ path = $tarmode2_sharedir
+ comment = tar test share
+ xattr_tdb:file = $prefix_abs/tarmode2-xattr.tdb
+[spotlight]
+ path = $share_dir
+ spotlight = yes
+ read only = no
+[no_spotlight]
+ path = $share_dir
+ spotlight = no
+ read only = no
+[lowercase]
+ path = $lower_case_share_dir
+ comment = smb username is [%U]
+ case sensitive = True
+ default case = lower
+ preserve case = no
+ short preserve case = no
+[lowercase-30000]
+ path = $lower_case_share_dir_30000
+ comment = smb username is [%U]
+ case sensitive = True
+ default case = lower
+ preserve case = no
+ short preserve case = no
+[dfree]
+ path = $dfree_share_dir
+ comment = smb username is [%U]
+ dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
+[valid-users-access]
+ path = $valid_users_sharedir
+ valid users = +userdup
+[offline]
+ path = $offline_sharedir
+ vfs objects = offline
+
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=9878
+# RH BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1077651
+[force_user_valid_users]
+ path = $force_user_valid_users_dir
+ comment = force user with valid users combination test share
+ valid users = +force_user
+ force user = force_user
+ force group = everyone
+ write list = force_user
+
+[smbget]
+ path = $smbget_sharedir
+ comment = smb username is [%U]
+ guest ok = yes
+[ign_sysacls]
+ path = $share_dir
+ comment = ignore system acls
+ acl_xattr:ignore system acls = yes
+[inherit_owner]
+ path = $share_dir
+ comment = inherit owner
+ inherit owner = yes
+[inherit_owner_u]
+ path = $share_dir
+ comment = inherit only unix owner
+ inherit owner = unix only
+ acl_xattr:ignore system acls = yes
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+[force_group_test]
+ path = $share_dir
+ comment = force group test
+# force group = everyone
+
+[create_mode_664]
+ path = $share_dir
+ comment = smb username is [%U]
+ create mask = 0644
+ force create mode = 0664
+ vfs objects = dirsort
+
+[dropbox]
+ path = $dropbox_sharedir
+ comment = smb username is [%U]
+ writeable = yes
+ vfs objects =
+
+[bad_iconv]
+ path = $bad_iconv_sharedir
+ comment = smb username is [%U]
+ vfs objects =
+
+[veto_files_nodelete]
+ path = $veto_sharedir
+ read only = no
+ msdfs root = yes
+ veto files = /veto_name*/
+ delete veto files = no
+
+[veto_files_delete]
+ path = $veto_sharedir
+ msdfs root = yes
+ veto files = /veto_name*/
+ delete veto files = yes
+
+[delete_veto_files_only]
+ path = $veto_sharedir
+ delete veto files = yes
+
+[veto_files_nohidden]
+ path = $veto_sharedir
+ veto files = /.*/
+
+[veto_files]
+ path = $veto_sharedir
+ veto files = /veto_name*/
+
+[delete_yes_unwrite]
+ read only = no
+ path = $delete_unwrite_sharedir
+ hide unwriteable files = yes
+ delete veto files = yes
+
+[delete_no_unwrite]
+ read only = no
+ path = $delete_unwrite_sharedir
+ hide unwriteable files = yes
+ delete veto files = no
+
+[virusfilter]
+ path = $virusfilter_sharedir
+ vfs objects = acl_xattr virusfilter
+ virusfilter:scanner = dummy
+ virusfilter:min file size = 0
+ virusfilter:infected files = *infected*
+ virusfilter:infected file action = rename
+ virusfilter:scan on close = yes
+ vfs_default:VFS_OPEN_HOW_RESOLVE_NO_SYMLINKS = no
+
+[volumeserialnumber]
+ path = $volume_serial_number_sharedir
+ volume serial number = 0xdeadbeef
+
+[ea_acl_xattr]
+ path = $share_dir
+ vfs objects = acl_xattr
+ acl_xattr:security_acl_name = user.hackme
+ read only = no
+
+[homes]
+ comment = Home directories
+ browseable = No
+ read only = No
+";
+
+ if (defined($more_conf)) {
+ $fileserver_options = $fileserver_options . $more_conf;
+ }
+ if (!defined($server)) {
+ $server = "FILESERVER";
+ }
+
+ my $vars = $self->provision(
+ prefix => $path,
+ domain => "WORKGROUP",
+ server => $server,
+ password => "fileserver",
+ extra_options => $fileserver_options,
+ no_delete_prefix => 1);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start(
+ env_vars => $vars,
+ nmbd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+
+ mkdir($_, 0777) foreach(@dirs);
+
+ ## Create case sensitive lower case share dir
+ foreach my $file ('a'..'z') {
+ my $full_path = $lower_case_share_dir . '/' . $file;
+ open my $fh, '>', $full_path;
+ # Add some content to file
+ print $fh $full_path;
+ close $fh;
+ }
+
+ for (my $file = 1; $file < 51; ++$file) {
+ my $full_path = $lower_case_share_dir . '/' . $file;
+ open my $fh, '>', $full_path;
+ # Add some content to file
+ print $fh $full_path;
+ close $fh;
+ }
+
+ # Create content for 30000 share
+ foreach my $file ('a'..'z') {
+ my $full_path = $lower_case_share_dir_30000 . '/' . $file;
+ open my $fh, '>', $full_path;
+ # Add some content to file
+ print $fh $full_path;
+ close $fh;
+ }
+
+ for (my $file = 1; $file < 30001; ++$file) {
+ my $full_path = $lower_case_share_dir_30000 . '/' . $file;
+ open my $fh, '>', $full_path;
+ # Add some content to file
+ print $fh $full_path;
+ close $fh;
+ }
+
+ ##
+ ## create a listable file in valid_users_share
+ ##
+ create_file_chmod("$valid_users_sharedir/foo", 0644) or return undef;
+
+ ##
+ ## create a valid utf8 filename which is invalid as a CP850 conversion
+ ##
+ create_file_chmod("$bad_iconv_sharedir/\xED\x9F\xBF", 0644) or return undef;
+
+ ##
+ ## create unwritable files inside inside the delete unwrite veto share dirs.
+ ##
+ unlink("$delete_unwrite_sharedir/delete_veto_yes/file_444");
+ create_file_chmod("$delete_unwrite_sharedir/delete_veto_yes/file_444", 0444) or return undef;
+ unlink("$delete_unwrite_sharedir/delete_veto_no/file_444");
+ create_file_chmod("$delete_unwrite_sharedir/delete_veto_no/file_444", 0444) or return undef;
+
+ return $vars;
+}
+
+sub setup_fileserver_smb1
+{
+ my ($self, $path) = @_;
+ my $prefix_abs = abs_path($path);
+ my $conf = "
+[global]
+ client min protocol = CORE
+ server min protocol = LANMAN1
+
+[hidenewfiles]
+ path = $prefix_abs/share
+ hide new files timeout = 5
+[vfs_aio_pthread]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread
+ aio_pthread:aio open = yes
+ smbd async dosmode = no
+
+[vfs_aio_pthread_async_dosmode_default1]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread
+ store dos attributes = yes
+ aio_pthread:aio open = yes
+ smbd async dosmode = yes
+
+[vfs_aio_pthread_async_dosmode_default2]
+ path = $prefix_abs/share
+ read only = no
+ vfs objects = aio_pthread xattr_tdb
+ store dos attributes = yes
+ aio_pthread:aio open = yes
+ smbd async dosmode = yes
+
+[vfs_aio_fork]
+ path = $prefix_abs/share
+ vfs objects = aio_fork
+ read only = no
+ vfs_aio_fork:erratic_testing_mode=yes
+";
+ return $self->setup_fileserver($path, $conf, "FILESERVERSMB1");
+}
+
+sub setup_fileserver_smb1_done
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env);
+}
+
+sub setup_ktest
+{
+ my ($self, $prefix) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ print "PROVISIONING server with security=ads...";
+
+ my $ktest_options = "
+ workgroup = KTEST
+ realm = ktest.samba.example.com
+ security = ads
+ server signing = required
+ server min protocol = SMB3_00
+ client max protocol = SMB3
+
+ # This disables NTLM auth against the local SAM, which
+ # we use can then test this setting by.
+ ntlm auth = disabled
+
+ idmap config * : backend = autorid
+ idmap config * : range = 1000000-1999999
+ idmap config * : rangesize = 100000
+";
+
+ my $ret = $self->provision(
+ prefix => $prefix,
+ domain => "KTEST",
+ server => "LOCALKTEST6",
+ password => "localktest6pass",
+ extra_options => $ktest_options);
+
+ $ret or return undef;
+
+ my $ctx;
+ my $prefix_abs = abs_path($prefix);
+ $ctx = {};
+ $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+ $ctx->{domain} = "KTEST";
+ $ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM";
+ $ctx->{dnsname} = lc($ctx->{realm});
+ $ctx->{kdc_ipv4} = "0.0.0.0";
+ $ctx->{kdc_ipv6} = "::";
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ Samba::mk_krb5_conf($ctx, "");
+
+ $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here. The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+ $ret->{SAMSID} = "S-1-5-21-1911091480-1468226576-2729736297";
+ $ret->{DOMSID} = "S-1-5-21-1071277805-689288055-3486227160";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+ chmod 0600, "$prefix/private/secrets.tdb";
+
+#Make sure there's no old ntdb file.
+ system("rm -f $prefix/private/secrets.ntdb");
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands for the -2 keytab where were:
+# kinit administrator@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+#
+# and then for the -3 keytab, I did
+#
+# net changetrustpw; kdestroy and the same again.
+#
+# This creates a credential cache with a very long lifetime (2036 at
+# at 2011-04), and shows that running 'net changetrustpw' does not
+# break existing logins (for the secrets.tdb method at least).
+#
+
+ $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-2 $prefix/krb5_ccache-2");
+ chmod 0600, "$prefix/krb5_ccache-2";
+
+ system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-3 $prefix/krb5_ccache-3");
+ chmod 0600, "$prefix/krb5_ccache-3";
+
+ # We need world access to this share, as otherwise the domain
+ # administrator from the AD domain provided by ktest can't
+ # access the share for tests.
+ chmod 0777, "$prefix/share";
+
+ if (not $self->check_or_start(
+ env_vars => $ret,
+ nmbd => "yes",
+ winbindd => "offline",
+ smbd => "yes")) {
+ return undef;
+ }
+ return $ret;
+}
+
+sub setup_maptoguest
+{
+ my ($self, $path) = @_;
+ my $prefix_abs = abs_path($path);
+ my $libdir="$prefix_abs/lib";
+ my $share_dir="$prefix_abs/share";
+ my $errorinjectconf="$libdir/error_inject.conf";
+
+ print "PROVISIONING maptoguest...";
+
+ my $options = "
+map to guest = bad user
+ntlm auth = yes
+server min protocol = LANMAN1
+
+[force_user_error_inject]
+ path = $share_dir
+ vfs objects = acl_xattr fake_acls xattr_tdb error_inject
+ force user = user1
+ include = $errorinjectconf
+";
+
+ my $vars = $self->provision(
+ prefix => $path,
+ domain => "WORKGROUP",
+ server => "maptoguest",
+ password => "maptoguestpass",
+ extra_options => $options);
+
+ $vars or return undef;
+
+ if (not $self->check_or_start(
+ env_vars => $vars,
+ nmbd => "yes",
+ smbd => "yes")) {
+ return undef;
+ }
+
+ return $vars;
+}
+
+sub stop_sig_term($$) {
+ my ($self, $pid) = @_;
+ kill("USR1", $pid) or kill("ALRM", $pid) or warn("Unable to kill $pid: $!");
+}
+
+sub stop_sig_kill($$) {
+ my ($self, $pid) = @_;
+ kill("ALRM", $pid) or warn("Unable to kill $pid: $!");
+}
+
+sub write_pid($$$)
+{
+ my ($env_vars, $app, $pid) = @_;
+
+ open(PID, ">$env_vars->{PIDDIR}/timelimit.$app.pid");
+ print PID $pid;
+ close(PID);
+}
+
+sub read_pid($$)
+{
+ my ($env_vars, $app) = @_;
+
+ open(PID, "<$env_vars->{PIDDIR}/timelimit.$app.pid");
+ my $pid = <PID>;
+ close(PID);
+ return $pid;
+}
+
+# builds up the cmd args to run an s3 binary (i.e. smbd, nmbd, etc)
+sub make_bin_cmd
+{
+ my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
+
+ my @optargs = ();
+ if (defined($options)) {
+ @optargs = split(/ /, $options);
+ }
+ my @preargs = (Samba::bindir_path($self, "timelimit"), $self->{server_maxtime});
+
+ if (defined($valgrind)) {
+ @preargs = split(/ /, $valgrind);
+ }
+ my @args = ("-F", "--no-process-group",
+ "--configfile=$env_vars->{SERVERCONFFILE}",
+ "-l", $env_vars->{LOGDIR});
+
+ if (not defined($dont_log_stdout)) {
+ push(@args, "--debug-stdout");
+ }
+ return (@preargs, $binary, @args, @optargs);
+}
+
+sub check_or_start($$) {
+ my ($self, %args) = @_;
+ my $env_vars = $args{env_vars};
+ my $nmbd = $args{nmbd} // "no";
+ my $winbindd = $args{winbindd} // "no";
+ my $smbd = $args{smbd} // "no";
+ my $samba_dcerpcd = $args{samba_dcerpcd} // "no";
+ my $child_cleanup = $args{child_cleanup};
+
+ my $STDIN_READER;
+
+ # use a pipe for stdin in the child processes. This allows
+ # those processes to monitor the pipe for EOF to ensure they
+ # exit when the test script exits
+ pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
+
+ my $binary = Samba::bindir_path($self, "samba-dcerpcd");
+ my @full_cmd = $self->make_bin_cmd(
+ $binary,
+ $env_vars,
+ $ENV{SAMBA_DCERPCD_OPTIONS},
+ $ENV{SAMBA_DCERPCD_VALGRIND},
+ $ENV{SAMBA_DCERPCD_DONT_LOG_STDOUT});
+ push(@full_cmd, '--libexec-rpcds');
+
+ my $samba_dcerpcd_envs = Samba::get_env_for_process(
+ "samba_dcerpcd", $env_vars);
+
+ # fork and exec() samba_dcerpcd in the child process
+ my $daemon_ctx = {
+ NAME => "samba_dcerpcd",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env_vars->{SAMBA_DCERPCD_TEST_LOG},
+ PCAP_FILE => "env-$ENV{ENVNAME}-samba_dcerpcd",
+ ENV_VARS => $samba_dcerpcd_envs,
+ };
+ if ($samba_dcerpcd ne "yes") {
+ $daemon_ctx->{SKIP_DAEMON} = 1;
+ }
+
+ my $pid = Samba::fork_and_exec(
+ $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
+
+ $env_vars->{SAMBA_DCERPCD_TL_PID} = $pid;
+ write_pid($env_vars, "samba_dcerpcd", $pid);
+
+ $binary = Samba::bindir_path($self, "nmbd");
+ @full_cmd = $self->make_bin_cmd($binary, $env_vars,
+ $ENV{NMBD_OPTIONS}, $ENV{NMBD_VALGRIND},
+ $ENV{NMBD_DONT_LOG_STDOUT});
+ my $nmbd_envs = Samba::get_env_for_process("nmbd", $env_vars);
+ delete $nmbd_envs->{RESOLV_WRAPPER_CONF};
+ delete $nmbd_envs->{RESOLV_WRAPPER_HOSTS};
+
+ # fork and exec() nmbd in the child process
+ $daemon_ctx = {
+ NAME => "nmbd",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env_vars->{NMBD_TEST_LOG},
+ PCAP_FILE => "env-$ENV{ENVNAME}-nmbd",
+ ENV_VARS => $nmbd_envs,
+ };
+ if ($nmbd ne "yes") {
+ $daemon_ctx->{SKIP_DAEMON} = 1;
+ }
+ $pid = Samba::fork_and_exec(
+ $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
+
+ $env_vars->{NMBD_TL_PID} = $pid;
+ write_pid($env_vars, "nmbd", $pid);
+
+ $binary = Samba::bindir_path($self, "winbindd");
+ @full_cmd = $self->make_bin_cmd($binary, $env_vars,
+ $ENV{WINBINDD_OPTIONS},
+ $ENV{WINBINDD_VALGRIND},
+ $ENV{WINBINDD_DONT_LOG_STDOUT});
+
+ # fork and exec() winbindd in the child process
+ $daemon_ctx = {
+ NAME => "winbindd",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env_vars->{WINBINDD_TEST_LOG},
+ PCAP_FILE => "env-$ENV{ENVNAME}-winbindd",
+ };
+ if ($winbindd ne "yes" and $winbindd ne "offline") {
+ $daemon_ctx->{SKIP_DAEMON} = 1;
+ }
+
+ $pid = Samba::fork_and_exec(
+ $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
+
+ $env_vars->{WINBINDD_TL_PID} = $pid;
+ write_pid($env_vars, "winbindd", $pid);
+
+ $binary = Samba::bindir_path($self, "smbd");
+ @full_cmd = $self->make_bin_cmd($binary, $env_vars,
+ $ENV{SMBD_OPTIONS}, $ENV{SMBD_VALGRIND},
+ $ENV{SMBD_DONT_LOG_STDOUT});
+
+ # fork and exec() smbd in the child process
+ $daemon_ctx = {
+ NAME => "smbd",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env_vars->{SMBD_TEST_LOG},
+ PCAP_FILE => "env-$ENV{ENVNAME}-smbd",
+ };
+ if ($smbd ne "yes") {
+ $daemon_ctx->{SKIP_DAEMON} = 1;
+ }
+
+ $pid = Samba::fork_and_exec(
+ $self, $env_vars, $daemon_ctx, $STDIN_READER, $child_cleanup);
+
+ $env_vars->{SMBD_TL_PID} = $pid;
+ write_pid($env_vars, "smbd", $pid);
+
+ # close the parent's read-end of the pipe
+ close($STDIN_READER);
+
+ return $self->wait_for_start($env_vars,
+ $nmbd,
+ $winbindd,
+ $smbd,
+ $samba_dcerpcd);
+}
+
+sub createuser($$$$$)
+{
+ my ($self, $username, $password, $conffile, $env) = @_;
+ my $cmd = "UID_WRAPPER_ROOT=1 " . Samba::bindir_path($self, "smbpasswd")." -c $conffile -L -s -a $username > /dev/null";
+
+ keys %$env;
+ while(my($var, $val) = each %$env) {
+ $cmd = "$var=\"$val\" $cmd";
+ }
+
+ unless (open(PWD, "|$cmd")) {
+ warn("Unable to set password for $username account\n$cmd");
+ return undef;
+ }
+ print PWD "$password\n$password\n";
+ unless (close(PWD)) {
+ warn("Unable to set password for $username account\n$cmd");
+ return undef;
+ }
+}
+
+sub provision($$)
+{
+ my ($self, %args) = @_;
+
+ my $prefix = $args{prefix};
+ my $domain = $args{domain};
+ my $realm = $args{realm};
+ my $server = $args{server};
+ my $password = $args{password};
+ my $extra_options = $args{extra_options};
+ my $resolv_conf = $args{resolv_conf};
+ my $no_delete_prefix= $args{no_delete_prefix};
+ my $netbios_name = $args{netbios_name} // $server;
+ my $server_log_level = $ENV{SERVER_LOG_LEVEL} || 1;
+
+ ##
+ ## setup the various environment variables we need
+ ##
+
+ my $samsid = Samba::random_domain_sid();
+ my $swiface = Samba::get_interface($server);
+ my %ret = ();
+ my %createuser_env = ();
+ my $server_ip = Samba::get_ipv4_addr($server);
+ my $server_ipv6 = Samba::get_ipv6_addr($server);
+ my $dns_domain;
+ if (defined($realm)) {
+ $dns_domain = lc($realm);
+ } else {
+ $dns_domain = "samba.example.com";
+ }
+
+ my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `PATH=/usr/ucb:$ENV{PATH} whoami`);
+ chomp $unix_name;
+ my $unix_uid = $>;
+ my $unix_gids_str = $);
+ my @unix_gids = split(" ", $unix_gids_str);
+
+ my $prefix_abs = abs_path($prefix);
+ my $bindir_abs = abs_path($self->{bindir});
+
+ my @dirs = ();
+
+ my $shrdir=$args{share_dir} // "$prefix_abs/share";
+ push(@dirs,$shrdir);
+
+ my $libdir="$prefix_abs/lib";
+ push(@dirs,$libdir);
+
+ my $piddir="$prefix_abs/pid";
+ push(@dirs,$piddir);
+
+ my $privatedir="$prefix_abs/private";
+ push(@dirs,$privatedir);
+
+ my $cachedir = "$prefix_abs/cachedir";
+ push(@dirs, $cachedir);
+
+ my $binddnsdir = "$prefix_abs/bind-dns";
+ push(@dirs, $binddnsdir);
+
+ my $lockdir="$prefix_abs/lockdir";
+ push(@dirs,$lockdir);
+
+ my $eventlogdir="$prefix_abs/lockdir/eventlog";
+ push(@dirs,$eventlogdir);
+
+ my $logdir="$prefix_abs/logs";
+ push(@dirs,$logdir);
+
+ my $driver32dir="$shrdir/W32X86";
+ push(@dirs,$driver32dir);
+
+ my $driver64dir="$shrdir/x64";
+ push(@dirs,$driver64dir);
+
+ my $driver40dir="$shrdir/WIN40";
+ push(@dirs,$driver40dir);
+
+ my $ro_shrdir="$shrdir/root-tmp";
+ push(@dirs,$ro_shrdir);
+
+ my $noperm_shrdir="$shrdir/noperm-tmp";
+ push(@dirs,$noperm_shrdir);
+
+ my $msdfs_shrdir="$shrdir/msdfsshare";
+ push(@dirs,$msdfs_shrdir);
+
+ my $msdfs_shrdir2="$shrdir/msdfsshare2";
+ push(@dirs,$msdfs_shrdir2);
+
+ my $msdfs_deeppath="$msdfs_shrdir/deeppath";
+ push(@dirs,$msdfs_deeppath);
+
+ my $smbcacls_sharedir_dfs="$shrdir/smbcacls_sharedir_dfs";
+ push(@dirs,$smbcacls_sharedir_dfs);
+
+ my $smbcacls_share="$shrdir/smbcacls_share";
+ push(@dirs,$smbcacls_share);
+
+ my $smbcacls_share_testdir="$shrdir/smbcacls_share/smbcacls";
+ push(@dirs,$smbcacls_share_testdir);
+
+ my $badnames_shrdir="$shrdir/badnames";
+ push(@dirs,$badnames_shrdir);
+
+ my $lease1_shrdir="$shrdir/dynamic";
+ push(@dirs,$lease1_shrdir);
+
+ my $manglenames_shrdir="$shrdir/manglenames";
+ push(@dirs,$manglenames_shrdir);
+
+ my $widelinks_shrdir="$shrdir/widelinks";
+ push(@dirs,$widelinks_shrdir);
+
+ my $widelinks_linkdir="$shrdir/widelinks_foo";
+ push(@dirs,$widelinks_linkdir);
+
+ my $fsrvp_shrdir="$shrdir/fsrvp";
+ push(@dirs,$fsrvp_shrdir);
+
+ my $shadow_tstdir="$shrdir/shadow";
+ push(@dirs,$shadow_tstdir);
+ my $shadow_mntdir="$shadow_tstdir/mount";
+ push(@dirs,$shadow_mntdir);
+ my $shadow_basedir="$shadow_mntdir/base";
+ push(@dirs,$shadow_basedir);
+ my $shadow_shrdir="$shadow_basedir/share";
+ push(@dirs,$shadow_shrdir);
+
+ my $nosymlinks_shrdir="$shrdir/nosymlinks";
+ push(@dirs,$nosymlinks_shrdir);
+
+ my $local_symlinks_shrdir="$shrdir/local_symlinks";
+ push(@dirs,$local_symlinks_shrdir);
+
+ my $fruit_resource_stream_shrdir="$shrdir/fruit_resource_stream";
+ push(@dirs,$fruit_resource_stream_shrdir);
+
+ # this gets autocreated by winbindd
+ my $wbsockdir="$prefix_abs/wbsock";
+
+ my $nmbdsockdir="$prefix_abs/nmbd";
+ unlink($nmbdsockdir);
+
+ ##
+ ## create the test directory layout
+ ##
+ die ("prefix_abs = ''") if $prefix_abs eq "";
+ die ("prefix_abs = '/'") if $prefix_abs eq "/";
+
+ mkdir($prefix_abs, 0777);
+ print "CREATE TEST ENVIRONMENT IN '$prefix'...";
+ if (not defined($no_delete_prefix) or not $no_delete_prefix) {
+ system("rm -rf $prefix_abs/*");
+ }
+ mkdir($_, 0777) foreach(@dirs);
+
+ my $fs_specific_conf = $self->get_fs_specific_conf($shrdir);
+
+ ##
+ ## lockdir and piddir must be 0755
+ ##
+ chmod 0755, $lockdir;
+ chmod 0755, $piddir;
+
+
+ ##
+ ## Create a directory without permissions to enter
+ ##
+ chmod 0000, $noperm_shrdir;
+
+ ##
+ ## create ro and msdfs share layout
+ ##
+
+ chmod 0755, $ro_shrdir;
+
+ create_file_chmod("$ro_shrdir/readable_file", 0644) or return undef;
+ create_file_chmod("$ro_shrdir/unreadable_file", 0600) or return undef;
+
+ create_file_chmod("$ro_shrdir/msdfs-target", 0600) or return undef;
+ symlink "msdfs:$server_ip\\ro-tmp,$server_ipv6\\ro-tmp",
+ "$msdfs_shrdir/msdfs-src1";
+ symlink "msdfs:$server_ipv6\\ro-tmp", "$msdfs_shrdir/deeppath/msdfs-src2";
+ symlink "msdfs:$server_ip\\smbcacls_sharedir_dfs,$server_ipv6\\smbcacls_sharedir_dfs",
+ "$msdfs_shrdir/smbcacls_sharedir_dfs";
+
+ symlink "msdfs:$server_ip\\msdfs-share2,$server_ipv6\\msdfs-share2", "$msdfs_shrdir/dfshop1";
+ symlink "msdfs:$server_ip\\tmp,$server_ipv6\\tmp", "$msdfs_shrdir2/dfshop2";
+ ##
+ ## create bad names in $badnames_shrdir
+ ##
+ ## (An invalid name, would be mangled to 8.3).
+ create_file_chmod("$badnames_shrdir/\340|\231\216\377\177",
+ 0600) or return undef;
+
+ ## (A bad name, would not be mangled to 8.3).
+ create_file_chmod("$badnames_shrdir/\240\276\346\327\377\177",
+ 0666) or return undef;
+
+ ## (A bad good name).
+ create_file_chmod("$badnames_shrdir/blank.txt",
+ 0666) or return undef;
+
+ ##
+ ## create mangleable directory names in $manglenames_shrdir
+ ##
+ my $manglename_target = "$manglenames_shrdir/foo:bar";
+ mkdir($manglename_target, 0777);
+
+ ##
+ ## create symlinks for widelinks tests.
+ ##
+ my $widelinks_target = "$widelinks_linkdir/target";
+ create_file_chmod("$widelinks_target", 0666) or return undef;
+
+ ##
+ ## This link should get an error
+ ##
+ symlink "$widelinks_target", "$widelinks_shrdir/source";
+ ##
+ ## This link should be allowed
+ ##
+ symlink "$widelinks_shrdir", "$widelinks_shrdir/dot";
+
+ my $conffile="$libdir/server.conf";
+ my $dfqconffile="$libdir/dfq.conf";
+ my $errorinjectconf="$libdir/error_inject.conf";
+ my $delayinjectconf="$libdir/delay_inject.conf";
+ my $globalinjectconf="$libdir/global_inject.conf";
+ my $aliceconfdir="$libdir";
+ my $aliceconffile="$libdir/alice.conf";
+
+ my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/third_party/nss_wrapper/nss_wrapper.pl";
+ my $nss_wrapper_passwd = "$privatedir/passwd";
+ my $nss_wrapper_group = "$privatedir/group";
+ my $nss_wrapper_hosts = "$ENV{SELFTEST_PREFIX}/hosts";
+ my $dns_host_file = "$ENV{SELFTEST_PREFIX}/dns_host_file";
+
+ my $mod_printer_pl = "$ENV{PERL} $self->{srcdir}/source3/script/tests/printing/modprinter.pl";
+
+ my $fake_snap_pl = "$ENV{PERL} $self->{srcdir}/source3/script/tests/fake_snap.pl";
+
+ my @eventlog_list = ("dns server", "application");
+
+ ##
+ ## calculate uids and gids
+ ##
+
+ my ($max_uid, $max_gid);
+ my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2, $uid_userdup);
+ my ($uid_pdbtest_wkn);
+ my ($uid_smbget);
+ my ($uid_force_user);
+ my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
+ my ($gid_userdup, $gid_everyone);
+ my ($gid_force_user);
+ my ($gid_jackthemapper);
+ my ($gid_jacknomapper);
+ my ($uid_user1);
+ my ($uid_user2);
+ my ($uid_gooduser);
+ my ($uid_eviluser);
+ my ($uid_slashuser);
+ my ($uid_localbob);
+ my ($uid_localjane);
+ my ($uid_localjackthemapper);
+ my ($uid_localjacknomapper);
+
+ if ($unix_uid < 0xffff - 13) {
+ $max_uid = 0xffff;
+ } else {
+ $max_uid = $unix_uid;
+ }
+
+ $uid_root = $max_uid - 1;
+ $uid_nobody = $max_uid - 2;
+ $uid_pdbtest = $max_uid - 3;
+ $uid_pdbtest2 = $max_uid - 4;
+ $uid_userdup = $max_uid - 5;
+ $uid_pdbtest_wkn = $max_uid - 6;
+ $uid_force_user = $max_uid - 7;
+ $uid_smbget = $max_uid - 8;
+ $uid_user1 = $max_uid - 9;
+ $uid_user2 = $max_uid - 10;
+ $uid_gooduser = $max_uid - 11;
+ $uid_eviluser = $max_uid - 12;
+ $uid_slashuser = $max_uid - 13;
+ $uid_localbob = $max_uid - 14;
+ $uid_localjane = $max_uid - 15;
+ $uid_localjackthemapper = $max_uid - 16;
+ $uid_localjacknomapper = $max_uid - 17;
+
+ if ($unix_gids[0] < 0xffff - 8) {
+ $max_gid = 0xffff;
+ } else {
+ $max_gid = $unix_gids[0];
+ }
+
+ $gid_nobody = $max_gid - 1;
+ $gid_nogroup = $max_gid - 2;
+ $gid_root = $max_gid - 3;
+ $gid_domusers = $max_gid - 4;
+ $gid_domadmins = $max_gid - 5;
+ $gid_userdup = $max_gid - 6;
+ $gid_everyone = $max_gid - 7;
+ $gid_force_user = $max_gid - 8;
+ $gid_jackthemapper = $max_gid - 9;
+ $gid_jacknomapper = $max_gid - 10;
+
+ ##
+ ## create conffile
+ ##
+
+ unless (open(CONF, ">$conffile")) {
+ warn("Unable to open $conffile");
+ return undef;
+ }
+
+ my $interfaces = Samba::get_interfaces_config($server);
+
+ print CONF "
+[global]
+ dcesrv:fuzz directory = $cachedir/fuzz
+ netbios name = $netbios_name
+ interfaces = $interfaces
+ bind interfaces only = yes
+ panic action = cd $self->{srcdir} && $self->{srcdir}/selftest/gdb_backtrace %d %\$(MAKE_TEST_BINARY)
+ smbd:suicide mode = yes
+ smbd:FSCTL_SMBTORTURE = yes
+ smbd:validate_oplock_types = yes
+
+ client min protocol = SMB2_02
+ server min protocol = SMB2_02
+
+ server multi channel support = yes
+
+ workgroup = $domain
+
+ private dir = $privatedir
+ binddns dir = $binddnsdir
+ pid directory = $piddir
+ lock directory = $lockdir
+ log file = $logdir/log.\%m
+ log level = $server_log_level
+ debug pid = yes
+ max log size = 0
+
+ state directory = $lockdir
+ cache directory = $lockdir
+
+ passdb backend = tdbsam
+
+ time server = yes
+
+ add user script = $nss_wrapper_pl --passwd_path $nss_wrapper_passwd --type passwd --action add --name %u --gid $gid_nogroup
+ add group script = $nss_wrapper_pl --group_path $nss_wrapper_group --type group --action add --name %g
+ add machine script = $nss_wrapper_pl --passwd_path $nss_wrapper_passwd --type passwd --action add --name %u --gid $gid_nogroup
+ add user to group script = $nss_wrapper_pl --passwd_path $nss_wrapper_passwd --type member --action add --member %u --name %g --group_path $nss_wrapper_group
+ delete user script = $nss_wrapper_pl --passwd_path $nss_wrapper_passwd --type passwd --action delete --name %u
+ delete group script = $nss_wrapper_pl --group_path $nss_wrapper_group --type group --action delete --name %g
+ delete user from group script = $nss_wrapper_pl --passwd_path $nss_wrapper_passwd --type member --action delete --member %u --name %g --group_path $nss_wrapper_group
+
+ addprinter command = $mod_printer_pl -a -s $conffile --
+ deleteprinter command = $mod_printer_pl -d -s $conffile --
+
+ eventlog list = application \"dns server\"
+
+ kernel oplocks = no
+ kernel change notify = no
+
+ logging = file
+ printing = bsd
+ printcap name = /dev/null
+
+ winbindd socket directory = $wbsockdir
+ nmbd:socket dir = $nmbdsockdir
+ idmap config * : range = 100000-200000
+ winbind enum users = yes
+ winbind enum groups = yes
+ winbind separator = /
+ include system krb5 conf = no
+
+# min receivefile size = 4000
+
+ read only = no
+
+ smbd:sharedelay = 100000
+ smbd:writetimeupdatedelay = 500000
+ map hidden = no
+ map system = no
+ map readonly = no
+ store dos attributes = yes
+ create mask = 755
+ dos filemode = yes
+ strict rename = yes
+ strict sync = yes
+ mangled names = yes
+ vfs objects = acl_xattr fake_acls xattr_tdb streams_depot time_audit full_audit
+
+ full_audit:syslog = no
+ full_audit:success = none
+ full_audit:failure = none
+
+ printing = vlp
+ print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
+ lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
+ lp rm command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lprm %p %j
+ lp pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lppause %p %j
+ lp resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpresume %p %j
+ queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
+ queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
+ lpq cache time = 0
+ print notify backchannel = yes
+
+ ncalrpc dir = $prefix_abs/ncalrpc
+
+ # The samba3.blackbox.smbclient_s3 test uses this to test that
+ # sending messages works, and that the %m sub works.
+ message command = mv %s $shrdir/message.%m
+
+ # fsrvp server requires registry shares
+ registry shares = yes
+
+ # Used by RPC SRVSVC tests
+ add share command = $bindir_abs/smbaddshare
+ change share command = $bindir_abs/smbchangeshare
+ delete share command = $bindir_abs/smbdeleteshare
+
+ # fruit:copyfile is a global option
+ fruit:copyfile = yes
+
+ #this does not mean that we use non-secure test env,
+ #it just means we ALLOW one to be configured.
+ allow insecure wide links = yes
+
+ include = $globalinjectconf
+
+ # Begin extra options
+ $extra_options
+ # End extra options
+
+ #Include user defined custom parameters if set
+";
+
+ if (defined($ENV{INCLUDE_CUSTOM_CONF})) {
+ print CONF "\t$ENV{INCLUDE_CUSTOM_CONF}\n";
+ }
+
+ print CONF "
+[smbcacls_share]
+ path = $smbcacls_share
+ comment = smb username is [%U]
+ msdfs root = yes
+
+[smbcacls_sharedir_dfs]
+ path = $smbcacls_sharedir_dfs
+ comment = smb username is [%U]
+[tmp]
+ path = $shrdir
+ comment = smb username is [%U]
+[tmpsort]
+ path = $shrdir
+ comment = Load dirsort module
+ vfs objects = dirsort acl_xattr fake_acls xattr_tdb streams_depot
+[tmpenc]
+ path = $shrdir
+ comment = encrypt smb username is [%U]
+ server smb encrypt = required
+ vfs objects = dirsort
+[tmpguest]
+ path = $shrdir
+ guest ok = yes
+[guestonly]
+ path = $shrdir
+ guest only = yes
+ guest ok = yes
+[forceuser]
+ path = $shrdir
+ force user = $unix_name
+ guest ok = yes
+[forceuser_unixonly]
+ comment = force a user with unix user SID and group SID
+ path = $shrdir
+ force user = pdbtest
+ guest ok = yes
+[forceuser_wkngroup]
+ comment = force a user with well-known group SID
+ path = $shrdir
+ force user = pdbtest_wkn
+ guest ok = yes
+[forcegroup]
+ path = $shrdir
+ force group = nogroup
+ guest ok = yes
+[ro-tmp]
+ path = $ro_shrdir
+ guest ok = yes
+[noperm]
+ path = $noperm_shrdir
+ wide links = yes
+ guest ok = yes
+[write-list-tmp]
+ path = $shrdir
+ read only = yes
+ write list = $unix_name
+[valid-users-tmp]
+ path = $shrdir
+ valid users = $unix_name
+ access based share enum = yes
+[msdfs-share]
+ path = $msdfs_shrdir
+ msdfs root = yes
+ msdfs shuffle referrals = yes
+ guest ok = yes
+[msdfs-share-wl]
+ path = $msdfs_shrdir
+ msdfs root = yes
+ wide links = yes
+ guest ok = yes
+[msdfs-share2]
+ path = $msdfs_shrdir2
+ msdfs root = yes
+ guest ok = yes
+[hideunread]
+ copy = tmp
+ hide unreadable = yes
+[tmpcase]
+ copy = tmp
+ case sensitive = yes
+[hideunwrite]
+ copy = tmp
+ hide unwriteable files = yes
+[durable]
+ copy = tmp
+ kernel share modes = no
+ kernel oplocks = no
+ posix locking = no
+[fs_specific]
+ copy = tmp
+ $fs_specific_conf
+[print1]
+ copy = tmp
+ printable = yes
+
+[print2]
+ copy = print1
+[print3]
+ copy = print1
+ default devmode = no
+
+[print_var_exp]
+ copy = print1
+ print command = $self->{srcdir}/source3/script/tests/printing/printing_var_exp_lpr_cmd.sh \"Windows user: %U\" \"UNIX user: %u\" \"Domain: %D\"
+
+[lp]
+ copy = print1
+
+[nfs4acl_simple_40]
+ path = $shrdir
+ comment = smb username is [%U]
+ nfs4:mode = simple
+ nfs4acl_xattr:version = 40
+ vfs objects = nfs4acl_xattr xattr_tdb
+
+[nfs4acl_special_40]
+ path = $shrdir
+ comment = smb username is [%U]
+ nfs4:mode = special
+ nfs4acl_xattr:version = 40
+ vfs objects = nfs4acl_xattr xattr_tdb
+
+[nfs4acl_simple_41]
+ path = $shrdir
+ comment = smb username is [%U]
+ nfs4:mode = simple
+ vfs objects = nfs4acl_xattr xattr_tdb
+
+[nfs4acl_xdr_40]
+ path = $shrdir
+ comment = smb username is [%U]
+ vfs objects = nfs4acl_xattr xattr_tdb
+ nfs4:mode = simple
+ nfs4acl_xattr:encoding = xdr
+ nfs4acl_xattr:version = 40
+
+[nfs4acl_xdr_41]
+ path = $shrdir
+ comment = smb username is [%U]
+ vfs objects = nfs4acl_xattr xattr_tdb
+ nfs4:mode = simple
+ nfs4acl_xattr:encoding = xdr
+ nfs4acl_xattr:version = 41
+
+[nfs4acl_nfs_40]
+ path = $shrdir
+ comment = smb username is [%U]
+ vfs objects = nfs4acl_xattr xattr_tdb
+ nfs4:mode = simple
+ nfs4acl_xattr:encoding = nfs
+ nfs4acl_xattr:version = 40
+ nfs4acl_xattr:xattr_name = security.nfs4acl_xdr
+
+[nfs4acl_nfs_41]
+ path = $shrdir
+ comment = smb username is [%U]
+ vfs objects = nfs4acl_xattr xattr_tdb
+ nfs4:mode = simple
+ nfs4acl_xattr:encoding = nfs
+ nfs4acl_xattr:version = 41
+ nfs4acl_xattr:xattr_name = security.nfs4acl_xdr
+
+[xcopy_share]
+ path = $shrdir
+ comment = smb username is [%U]
+ create mask = 777
+ force create mode = 777
+[posix_share]
+ path = $shrdir
+ comment = smb username is [%U]
+ create mask = 0777
+ force create mode = 0
+ directory mask = 0777
+ force directory mode = 0
+ vfs objects = xattr_tdb streams_depot
+[aio]
+ copy = durable
+ aio read size = 1
+ aio write size = 1
+
+[print\$]
+ copy = tmp
+
+[vfs_fruit]
+ path = $shrdir
+ vfs objects = catia fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = netatalk
+ fruit:locking = netatalk
+ fruit:encoding = native
+ fruit:veto_appledouble = no
+
+[vfs_fruit_xattr]
+ path = $shrdir
+ # This is used by vfs.fruit tests that require real fs xattr
+ vfs objects = catia fruit streams_xattr acl_xattr
+ fruit:resource = file
+ fruit:metadata = netatalk
+ fruit:locking = netatalk
+ fruit:encoding = native
+ fruit:veto_appledouble = no
+
+[vfs_fruit_metadata_stream]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:veto_appledouble = no
+
+[vfs_fruit_stream_depot]
+ path = $shrdir
+ vfs objects = fruit streams_depot acl_xattr xattr_tdb
+ fruit:resource = stream
+ fruit:metadata = stream
+ fruit:veto_appledouble = no
+
+[vfs_wo_fruit]
+ path = $shrdir
+ vfs objects = streams_xattr acl_xattr xattr_tdb
+
+[vfs_wo_fruit_stream_depot]
+ path = $shrdir
+ vfs objects = streams_depot acl_xattr xattr_tdb
+
+[vfs_fruit_timemachine]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:time machine = yes
+ fruit:time machine max size = 32K
+
+[vfs_fruit_wipe_intentionally_left_blank_rfork]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:wipe_intentionally_left_blank_rfork = true
+ fruit:delete_empty_adfiles = false
+ fruit:veto_appledouble = no
+
+[vfs_fruit_delete_empty_adfiles]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:wipe_intentionally_left_blank_rfork = true
+ fruit:delete_empty_adfiles = true
+ fruit:veto_appledouble = no
+
+[vfs_fruit_zero_fileid]
+ path = $shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = file
+ fruit:metadata = stream
+ fruit:zero_file_id=yes
+
+[fruit_resource_stream]
+ path = $fruit_resource_stream_shrdir
+ vfs objects = fruit streams_xattr acl_xattr xattr_tdb
+ fruit:resource = stream
+ fruit:metadata = stream
+
+[badname-tmp]
+ path = $badnames_shrdir
+ guest ok = yes
+
+[manglenames_share]
+ path = $manglenames_shrdir
+ guest ok = yes
+
+[dynamic_share]
+ path = $shrdir/dynamic/%t
+ guest ok = yes
+ root preexec = mkdir %P
+
+[widelinks_share]
+ path = $widelinks_shrdir
+ wide links = no
+ guest ok = yes
+
+[fsrvp_share]
+ path = $fsrvp_shrdir
+ comment = fake shapshots using rsync
+ vfs objects = shell_snap shadow_copy2
+ shell_snap:check path command = $fake_snap_pl --check
+ shell_snap:create command = $fake_snap_pl --create
+ shell_snap:delete command = $fake_snap_pl --delete
+ # a relative path here fails, the snapshot dir is no longer found
+ shadow:snapdir = $fsrvp_shrdir/.snapshots
+
+[shadow1]
+ path = $shadow_shrdir
+ comment = previous versions snapshots under mount point
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+
+[shadow2]
+ path = $shadow_shrdir
+ comment = previous versions snapshots outside mount point
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow3]
+ path = $shadow_shrdir
+ comment = previous versions with subvolume snapshots, snapshots under base dir
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+
+[shadow4]
+ path = $shadow_shrdir
+ comment = previous versions with subvolume snapshots, snapshots outside mount point
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow5]
+ path = $shadow_shrdir
+ comment = previous versions at volume root snapshots under mount point
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_shrdir
+
+[shadow6]
+ path = $shadow_shrdir
+ comment = previous versions at volume root snapshots outside mount point
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_shrdir
+ shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow7]
+ path = $shadow_shrdir
+ comment = previous versions snapshots everywhere
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ shadow:snapdirseverywhere = yes
+
+[shadow8]
+ path = $shadow_shrdir
+ comment = previous versions using snapsharepath
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ shadow:snapdir = $shadow_tstdir/.snapshots
+ shadow:snapsharepath = share
+
+[shadow_fmt0]
+ comment = Testing shadow:format with default option
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:format = \@GMT-%Y.%m.%d-%H.%M.%S
+
+[shadow_fmt1]
+ comment = Testing shadow:format with only date component
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:format = \@GMT-%Y-%m-%d
+
+[shadow_fmt2]
+ comment = Testing shadow:format with some hardcoded prefix
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:format = snap\@GMT-%Y.%m.%d-%H.%M.%S
+
+[shadow_fmt3]
+ comment = Testing shadow:format with modified format
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:format = \@GMT-%Y.%m.%d-%H_%M_%S-snap
+
+[shadow_fmt4]
+ comment = Testing shadow:snapprefix regex
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:snapprefix = \^s[a-z]*p\$
+ shadow:format = _GMT-%Y.%m.%d-%H.%M.%S
+
+[shadow_fmt5]
+ comment = Testing shadow:snapprefix with delim regex
+ vfs object = shadow_copy2
+ path = $shadow_shrdir
+ read only = no
+ guest ok = yes
+ shadow:mountpoint = $shadow_mntdir
+ shadow:basedir = $shadow_basedir
+ shadow:snapdir = $shadow_basedir/.snapshots
+ shadow:delimiter = \@GMT
+ shadow:snapprefix = [a-z]*
+ shadow:format = \@GMT-%Y.%m.%d-%H.%M.%S
+
+[shadow_wl]
+ path = $shadow_shrdir
+ comment = previous versions with wide links allowed
+ vfs objects = shadow_copy2
+ shadow:mountpoint = $shadow_mntdir
+ wide links = yes
+
+[shadow_write]
+ path = $shadow_tstdir
+ comment = previous versions snapshots under mount point
+ vfs objects = shadow_copy2 streams_xattr error_inject
+ aio write size = 0
+ error_inject:pwrite = EBADF
+ shadow:mountpoint = $shadow_tstdir
+ shadow:fixinodes = yes
+ smbd async dosmode = yes
+
+[dfq]
+ path = $shrdir/dfree
+ vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq
+ admin users = $unix_name
+ include = $dfqconffile
+[dfq_cache]
+ path = $shrdir/dfree
+ vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq
+ admin users = $unix_name
+ include = $dfqconffile
+ dfree cache time = 60
+[dfq_owner]
+ path = $shrdir/dfree
+ vfs objects = acl_xattr fake_acls xattr_tdb fake_dfq
+ inherit owner = yes
+ include = $dfqconffile
+[quotadir]
+ path = $shrdir/quota
+ admin users = $unix_name
+
+[acl_xattr_ign_sysacl_posix]
+ copy = tmp
+ acl_xattr:ignore system acls = yes
+ acl_xattr:default acl style = posix
+[acl_xattr_ign_sysacl_windows]
+ copy = tmp
+ acl_xattr:ignore system acls = yes
+ acl_xattr:default acl style = windows
+
+[mangle_illegal]
+ copy = tmp
+ mangled names = illegal
+
+[nosymlinks]
+ copy = tmp
+ path = $nosymlinks_shrdir
+ follow symlinks = no
+
+[local_symlinks]
+ copy = tmp
+ path = $local_symlinks_shrdir
+ follow symlinks = yes
+
+[kernel_oplocks]
+ copy = tmp
+ kernel oplocks = yes
+ vfs objects = streams_xattr xattr_tdb
+
+[streams_xattr]
+ copy = tmp
+ vfs objects = streams_xattr xattr_tdb
+
+[streams_xattr_nostrict]
+ copy = tmp
+ strict rename = no
+ vfs objects = streams_xattr xattr_tdb
+
+[acl_streams_xattr]
+ copy = tmp
+ vfs objects = acl_xattr streams_xattr fake_acls xattr_tdb
+ acl_xattr:ignore system acls = yes
+ acl_xattr:security_acl_name = user.acl
+ xattr_tdb:ignore_user_xattr = yes
+
+[compound_find]
+ copy = tmp
+ smbd:find async delay usec = 10000
+[error_inject]
+ copy = tmp
+ vfs objects = error_inject
+ include = $errorinjectconf
+
+[delay_inject]
+ copy = tmp
+ vfs objects = delay_inject
+ kernel share modes = no
+ kernel oplocks = no
+ posix locking = no
+ include = $delayinjectconf
+
+[aio_delay_inject]
+ copy = tmp
+ vfs objects = delay_inject
+ delay_inject:pread_send = 2000
+ delay_inject:pwrite_send = 2000
+
+[brl_delay_inject1]
+ copy = tmp
+ vfs objects = delay_inject
+ delay_inject:brl_lock_windows = 90
+ delay_inject:brl_lock_windows_use_timer = yes
+
+[brl_delay_inject2]
+ copy = tmp
+ vfs objects = delay_inject
+ delay_inject:brl_lock_windows = 90
+ delay_inject:brl_lock_windows_use_timer = no
+
+[delete_readonly]
+ path = $prefix_abs/share
+ delete readonly = yes
+
+[enc_desired]
+ path = $prefix_abs/share
+ vfs objects =
+ server smb encrypt = desired
+
+[enc_off]
+ path = $prefix_abs/share
+ vfs objects =
+ server smb encrypt = off
+
+[notify_priv]
+ copy = tmp
+ honor change notify privilege = yes
+
+[acls_non_canonical]
+ copy = tmp
+ acl flag inherited canonicalization = no
+
+[full_audit_success_bad_name]
+ copy = tmp
+ full_audit:success = badname
+
+[full_audit_fail_bad_name]
+ copy = tmp
+ full_audit:failure = badname
+
+include = $aliceconfdir/%U.conf
+ ";
+
+ close(CONF);
+
+ my $net = Samba::bindir_path($self, "net");
+ my $cmd = "";
+ $cmd .= "UID_WRAPPER_ROOT=1 ";
+ $cmd .= "SMB_CONF_PATH=\"$conffile\" ";
+ $cmd .= "$net setlocalsid $samsid";
+
+ my $net_ret = system($cmd);
+ if ($net_ret != 0) {
+ warn("net setlocalsid failed: $net_ret\n$cmd");
+ return undef;
+ }
+
+ unless (open(ERRORCONF, ">$errorinjectconf")) {
+ warn("Unable to open $errorinjectconf");
+ return undef;
+ }
+ close(ERRORCONF);
+
+ unless (open(DELAYCONF, ">$delayinjectconf")) {
+ warn("Unable to open $delayinjectconf");
+ return undef;
+ }
+ close(DELAYCONF);
+
+ unless (open(DFQCONF, ">$dfqconffile")) {
+ warn("Unable to open $dfqconffile");
+ return undef;
+ }
+ close(DFQCONF);
+
+ unless (open(DELAYCONF, ">$globalinjectconf")) {
+ warn("Unable to open $globalinjectconf");
+ return undef;
+ }
+ close(DELAYCONF);
+
+ unless (open(ALICECONF, ">$aliceconffile")) {
+ warn("Unable to open $aliceconffile");
+ return undef;
+ }
+
+ print ALICECONF "
+[alice_share]
+ path = $shrdir
+ comment = smb username is [%U]
+ ";
+
+ close(ALICECONF);
+
+ ##
+ ## create a test account
+ ##
+
+ unless (open(PASSWD, ">$nss_wrapper_passwd")) {
+ warn("Unable to open $nss_wrapper_passwd");
+ return undef;
+ }
+ print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
+$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
+pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+userdup:x:$uid_userdup:$gid_userdup:userdup gecos:$prefix_abs:/bin/false
+pdbtest_wkn:x:$uid_pdbtest_wkn:$gid_everyone:pdbtest_wkn gecos:$prefix_abs:/bin/false
+force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/false
+smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
+user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
+user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
+bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false
+jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false
+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false
+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false
+";
+ if ($unix_uid != 0) {
+ print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
+";
+ }
+ close(PASSWD);
+
+ unless (open(GROUP, ">$nss_wrapper_group")) {
+ warn("Unable to open $nss_wrapper_group");
+ return undef;
+ }
+ print GROUP "nobody:x:$gid_nobody:
+nogroup:x:$gid_nogroup:nobody
+$unix_name-group:x:$unix_gids[0]:
+domusers:X:$gid_domusers:
+domadmins:X:$gid_domadmins:
+userdup:x:$gid_userdup:$unix_name
+everyone:x:$gid_everyone:
+force_user:x:$gid_force_user:
+jackthemappergroup:x:$gid_jackthemapper:jackthemapper
+jacknomappergroup:x:$gid_jacknomapper:jacknomapper
+";
+ if ($unix_gids[0] != 0) {
+ print GROUP "root:x:$gid_root:
+";
+ }
+
+ close(GROUP);
+
+ ## hosts
+ my $hostname = lc($server);
+ unless (open(HOSTS, ">>$nss_wrapper_hosts")) {
+ warn("Unable to open $nss_wrapper_hosts");
+ return undef;
+ }
+ print HOSTS "${server_ip} ${hostname}.${dns_domain} ${hostname}\n";
+ print HOSTS "${server_ipv6} ${hostname}.${dns_domain} ${hostname}\n";
+ close(HOSTS);
+
+ $resolv_conf = "$privatedir/no_resolv.conf" unless defined($resolv_conf);
+
+ foreach my $evlog (@eventlog_list) {
+ my $evlogtdb = "$eventlogdir/$evlog.tdb";
+ open(EVENTLOG, ">$evlogtdb") or die("Unable to open $evlogtdb");
+ close(EVENTLOG);
+ }
+
+ $createuser_env{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
+ $createuser_env{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
+ $createuser_env{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
+ $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+ if ($ENV{SAMBA_DNS_FAKING}) {
+ $createuser_env{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
+ } else {
+ $createuser_env{RESOLV_WRAPPER_CONF} = $resolv_conf;
+ }
+ $createuser_env{RESOLV_CONF} = $resolv_conf;
+
+ createuser($self, $unix_name, $password, $conffile, \%createuser_env) || die("Unable to create user");
+ createuser($self, "force_user", $password, $conffile, \%createuser_env) || die("Unable to create force_user");
+ createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
+ createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
+ createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
+ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper");
+ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper");
+
+ open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
+ print DNS_UPDATE_LIST "A $server. $server_ip\n";
+ print DNS_UPDATE_LIST "AAAA $server. $server_ipv6\n";
+ close(DNS_UPDATE_LIST);
+
+ print "DONE\n";
+
+ $ret{SERVER_IP} = $server_ip;
+ $ret{SERVER_IPV6} = $server_ipv6;
+ $ret{SAMBA_DCERPCD_TEST_LOG} = "$prefix/samba_dcerpcd_test.log";
+ $ret{SAMBA_DCERPCD_LOG_POS} = 0;
+ $ret{NMBD_TEST_LOG} = "$prefix/nmbd_test.log";
+ $ret{NMBD_TEST_LOG_POS} = 0;
+ $ret{WINBINDD_TEST_LOG} = "$prefix/winbindd_test.log";
+ $ret{WINBINDD_TEST_LOG_POS} = 0;
+ $ret{SMBD_TEST_LOG} = "$prefix/smbd_test.log";
+ $ret{SMBD_TEST_LOG_POS} = 0;
+ $ret{SERVERCONFFILE} = $conffile;
+ $ret{TESTENV_DIR} = $prefix_abs;
+ $ret{CONFIGURATION} ="--configfile=$conffile";
+ $ret{LOCK_DIR} = $lockdir;
+ $ret{SERVER} = $server;
+ $ret{USERNAME} = $unix_name;
+ $ret{USERID} = $unix_uid;
+ $ret{DOMAIN} = $domain;
+ $ret{SAMSID} = $samsid;
+ $ret{NETBIOSNAME} = $server;
+ $ret{PASSWORD} = $password;
+ $ret{PIDDIR} = $piddir;
+ $ret{SELFTEST_WINBINDD_SOCKET_DIR} = $wbsockdir;
+ $ret{NMBD_SOCKET_DIR} = $nmbdsockdir;
+ $ret{SOCKET_WRAPPER_DEFAULT_IFACE} = $swiface;
+ $ret{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
+ $ret{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
+ $ret{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
+ $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+ $ret{NSS_WRAPPER_MODULE_SO_PATH} = Samba::nss_wrapper_winbind_so_path($self);
+ $ret{NSS_WRAPPER_MODULE_FN_PREFIX} = "winbind";
+ if ($ENV{SAMBA_DNS_FAKING}) {
+ $ret{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
+ } else {
+ $ret{RESOLV_WRAPPER_CONF} = $resolv_conf;
+ }
+ $ret{RESOLV_CONF} = $resolv_conf;
+ $ret{LOCAL_PATH} = "$shrdir";
+ $ret{LOGDIR} = $logdir;
+
+ #
+ # Avoid hitting system krb5.conf -
+ # An env that needs Kerberos will reset this to the real
+ # value.
+ #
+ $ret{KRB5_CONFIG} = abs_path($prefix) . "/no_krb5.conf";
+
+ # Define KRB5CCNAME for each environment we set up
+ $ret{KRB5_CCACHE} = abs_path($prefix) . "/krb5ccache";
+ $ENV{KRB5CCNAME} = $ret{KRB5_CCACHE};
+
+ return \%ret;
+}
+
+sub wait_for_start($$$$$)
+{
+ my ($self, $envvars, $nmbd, $winbindd, $smbd, $samba_dcerpcd) = @_;
+ my $cmd;
+ my $netcmd;
+ my $ret;
+
+ if ($samba_dcerpcd eq "yes") {
+ my $count = 0;
+ my $rpcclient = Samba::bindir_path($self, "rpcclient");
+
+ print "checking for samba_dcerpcd\n";
+
+ do {
+ $ret = system("$rpcclient $envvars->{CONFIGURATION} ncalrpc: -c epmmap");
+
+ if ($ret != 0) {
+ sleep(1);
+ }
+ $count++
+ } while ($ret != 0 && $count < 10);
+
+ if ($count == 10) {
+ print "samba_dcerpcd not reachable after 10 retries\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ }
+
+ if ($nmbd eq "yes") {
+ my $count = 0;
+
+ # give time for nbt server to register its names
+ print "checking for nmbd\n";
+
+ # This will return quickly when things are up, but be slow if we need to wait for (eg) SSL init
+ my $nmblookup = Samba::bindir_path($self, "nmblookup");
+
+ do {
+ $ret = system("$nmblookup $envvars->{CONFIGURATION} $envvars->{SERVER}");
+ if ($ret != 0) {
+ sleep(1);
+ } else {
+ system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} __SAMBA__");
+ system("$nmblookup $envvars->{CONFIGURATION} __SAMBA__");
+ system("$nmblookup $envvars->{CONFIGURATION} -U 10.255.255.255 __SAMBA__");
+ system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} $envvars->{SERVER}");
+ }
+ $count++;
+ } while ($ret != 0 && $count < 10);
+ if ($count == 10) {
+ print "NMBD not reachable after 10 retries\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ }
+
+ if ($winbindd eq "yes" or $winbindd eq "offline") {
+ print "checking for winbindd\n";
+ my $count = 0;
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ if ($winbindd eq "yes") {
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc";
+ } elsif ($winbindd eq "offline") {
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping";
+ }
+
+ do {
+ $ret = system($cmd);
+ if ($ret != 0) {
+ sleep(1);
+ }
+ $count++;
+ } while ($ret != 0 && $count < 20);
+ if ($count == 20) {
+ print "WINBINDD not reachable after 20 seconds\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ }
+
+ if ($smbd eq "yes") {
+ # make sure smbd is also up set
+ print "wait for smbd\n";
+
+ my $count = 0;
+ do {
+ if (defined($envvars->{GNUTLS_FORCE_FIPS_MODE})) {
+ # We don't have NTLM in FIPS mode, so lets use
+ # smbcontrol instead of smbclient.
+ $cmd = Samba::bindir_path($self, "smbcontrol");
+ $cmd .= " $envvars->{CONFIGURATION}";
+ $cmd .= " smbd ping";
+ } else {
+ # This uses NTLM which is not available in FIPS
+ $cmd = Samba::bindir_path($self, "smbclient");
+ $cmd .= " $envvars->{CONFIGURATION}";
+ $cmd .= " -L $envvars->{SERVER}";
+ $cmd .= " -U%";
+ $cmd .= " -I $envvars->{SERVER_IP}";
+ $cmd .= " -p 139";
+ }
+
+ $ret = system($cmd);
+ if ($ret != 0) {
+ sleep(1);
+ }
+ $count++
+ } while ($ret != 0 && $count < 20);
+ if ($count == 20) {
+ print "SMBD failed to start up in a reasonable time (20sec)\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ }
+
+ # Ensure we have domain users mapped.
+ $netcmd = "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $netcmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $netcmd .= "UID_WRAPPER_ROOT='1' ";
+ $netcmd .= Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} ";
+
+ $cmd = $netcmd . "groupmap delete ntgroup=domusers";
+ $ret = system($cmd);
+
+ $cmd = $netcmd . "groupmap add rid=513 unixgroup=domusers type=domain";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return 1;
+ }
+
+ $cmd = $netcmd . "groupmap delete ntgroup=domadmins";
+ $ret = system($cmd);
+
+ $cmd = $netcmd . "groupmap add rid=512 unixgroup=domadmins type=domain";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return 1;
+ }
+
+ $cmd = $netcmd . "groupmap delete ntgroup=everyone";
+ $ret = system($cmd);
+
+ $cmd = $netcmd . "groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return 1;
+ }
+
+ # note: creating builtin groups requires winbindd for the
+ # unix id allocator
+ my $create_builtin_users = "no";
+ if ($winbindd eq "yes") {
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ my $wbinfo_out = qx($cmd 2>&1);
+ if ($? != 0) {
+ # wbinfo doesn't give us a better error code then
+ # WBC_ERR_DOMAIN_NOT_FOUND, but at least that's
+ # different then WBC_ERR_WINBIND_NOT_AVAILABLE
+ if ($wbinfo_out !~ /WBC_ERR_DOMAIN_NOT_FOUND/) {
+ print("Failed to run \"wbinfo --sid-to-gid=S-1-5-32-545\": $wbinfo_out");
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ $create_builtin_users = "yes";
+ }
+ }
+ if ($create_builtin_users eq "yes") {
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "sam createbuiltingroup Users";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print "Failed to create BUILTIN\\Users group\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+
+ $cmd = Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} ";
+ $cmd .= "cache del IDMAP/SID2XID/S-1-5-32-545";
+ system($cmd);
+
+ $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' ";
+ $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' ";
+ $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' ";
+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545";
+ $ret = system($cmd);
+ if ($ret != 0) {
+ print "Missing \"BUILTIN\\Users\", did net sam createbuiltingroup Users fail?\n";
+ teardown_env($self, $envvars);
+ return 0;
+ }
+ }
+
+ print $self->getlog_env($envvars);
+
+ return 1;
+}
+
+##
+## provision and start of ctdb
+##
+sub setup_ctdb($$)
+{
+ my ($self, $prefix) = @_;
+ my $num_nodes = 3;
+
+ my $data = $self->provision_ctdb($prefix, $num_nodes);
+ $data or return undef;
+
+ my $rc = $self->check_or_start_ctdb($data);
+ if (not $rc) {
+ print("check_or_start_ctdb() failed\n");
+ return undef;
+ }
+
+ $rc = $self->wait_for_start_ctdb($data);
+ if (not $rc) {
+ print "Cluster startup failed\n";
+ return undef;
+ }
+
+ return $data;
+}
+
+sub provision_ctdb($$$$)
+{
+ my ($self, $prefix, $num_nodes, $no_delete_prefix) = @_;
+ my $rc;
+
+ print "PROVISIONING CTDB...\n";
+
+ my $prefix_abs = abs_path($prefix);
+
+ #
+ # check / create directories:
+ #
+ die ("prefix_abs = ''") if $prefix_abs eq "";
+ die ("prefix_abs = '/'") if $prefix_abs eq "/";
+
+ mkdir ($prefix_abs, 0777);
+
+ print "CREATE CTDB TEST ENVIRONMENT in '$prefix_abs'...\n";
+
+ if (not defined($no_delete_prefix) or not $no_delete_prefix) {
+ system("rm -rf $prefix_abs/*");
+ }
+
+ #
+ # Per-node data
+ #
+ my @nodes = ();
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ my %node = ();
+ my $server_name = "ctdb${i}";
+ my $pub_iface = Samba::get_interface($server_name);
+ my $ip = Samba::get_ipv4_addr($server_name);
+
+ $node{NODE_NUMBER} = "$i";
+ $node{SERVER_NAME} = "$server_name";
+ $node{SOCKET_WRAPPER_DEFAULT_IFACE} = "$pub_iface";
+ $node{IP} = "$ip";
+
+ push(@nodes, \%node);
+ }
+
+ #
+ # nodes
+ #
+ my $nodes_file = "$prefix/nodes.in";
+ unless (open(NODES, ">$nodes_file")) {
+ warn("Unable to open nodesfile '$nodes_file'");
+ return undef;
+ }
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ my $ip = $nodes[$i]->{IP};
+ print NODES "${ip}\n";
+ }
+ close(NODES);
+
+ #
+ # local_daemons.sh setup
+ #
+ # Socket wrapper setup is done by selftest.pl, so don't use
+ # the CTDB-specific setup
+ #
+ my $cmd;
+ $cmd .= "ctdb/tests/local_daemons.sh " . $prefix_abs . " setup";
+ $cmd .= " -n " . $num_nodes;
+ $cmd .= " -N " . $nodes_file;
+ # CTDB should not attempt to manage public addresses -
+ # clients should just connect to CTDB private addresses
+ $cmd .= " -P " . "/dev/null";
+
+ my $ret = system($cmd);
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return undef;
+ }
+
+ #
+ # Unix domain socket and node directory for each daemon
+ #
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ my ($cmd, $ret, $out);
+
+ my $cmd_prefix = "ctdb/tests/local_daemons.sh ${prefix_abs}";
+
+ #
+ # socket
+ #
+
+ $cmd = "${cmd_prefix} print-socket ${i}";
+
+ $out = `$cmd`;
+ $ret = $?;
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return undef;
+ }
+ chomp $out;
+ $nodes[$i]->{SOCKET_FILE} = "$out";
+
+ #
+ # node directory
+ #
+
+ $cmd = "${cmd_prefix} onnode ${i} 'echo \$CTDB_BASE'";
+
+ $out = `$cmd`;
+ $ret = $?;
+ if ($ret != 0) {
+ print("\"$cmd\" failed\n");
+ return undef;
+ }
+ chomp $out;
+ $nodes[$i]->{NODE_PREFIX} = "$out";
+ }
+
+ my %ret = ();
+
+ $ret{CTDB_PREFIX} = "$prefix";
+ $ret{NUM_NODES} = $num_nodes;
+ $ret{CTDB_NODES} = \@nodes;
+ $ret{CTDB_NODES_FILE} = $nodes_file;
+
+ return \%ret;
+}
+
+sub check_or_start_ctdb($$) {
+ my ($self, $data) = @_;
+
+ my $prefix = $data->{CTDB_PREFIX};
+ my $num_nodes = $data->{NUM_NODES};
+ my $nodes = $data->{CTDB_NODES};
+ my $STDIN_READER;
+
+ # Share a single stdin pipe for all nodes
+ pipe($STDIN_READER, $data->{CTDB_STDIN_PIPE});
+
+ for (my $i = 0; $i < $num_nodes; $i++) {
+ my $node = $nodes->[$i];
+
+ $node->{STDIN_PIPE} = $data->{CTDB_STDIN_PIPE};
+
+ my $cmd = "ctdb/tests/local_daemons.sh";
+ my @full_cmd = ("$cmd", "$prefix", "start", "$i");
+ my $daemon_ctx = {
+ NAME => "ctdbd",
+ BINARY_PATH => $cmd,
+ FULL_CMD => [ @full_cmd ],
+ TEE_STDOUT => 1,
+ LOG_FILE => "/dev/null",
+ ENV_VARS => {},
+ };
+
+ print "STARTING CTDBD (node ${i})\n";
+
+ # This does magic with $STDIN_READER, so use it
+ my $ret = Samba::fork_and_exec($self,
+ $node,
+ $daemon_ctx,
+ $STDIN_READER);
+
+ if ($ret == 0) {
+ print("\"$cmd\" failed\n");
+ teardown_env_ctdb($self, $data);
+ return 0;
+ }
+ }
+
+ close($STDIN_READER);
+
+ return 1;
+}
+
+sub wait_for_start_ctdb($$)
+{
+ my ($self, $data) = @_;
+
+ my $prefix = $data->{CTDB_PREFIX};
+
+ print "Wait for ctdbd...\n";
+
+ my $ctdb = Samba::bindir_path($self, "ctdb");
+ my $cmd;
+ $cmd .= "ctdb/tests/local_daemons.sh ${prefix} onnode all";
+ $cmd .= " ${ctdb} nodestatus all 2>&1";
+
+ my $count = 0;
+ my $wait_seconds = 60;
+ my $out;
+
+ until ($count > $wait_seconds) {
+ $out = `$cmd`;
+ my $ret = $?;
+ if ($ret == 0) {
+ print "\ncluster became healthy\n";
+ last;
+ }
+ print "Waiting for CTDB...\n";
+ sleep(1);
+ $count++;
+ }
+
+ if ($count > $wait_seconds) {
+ print "\nGiving up to wait for CTDB...\n";
+ print "${out}\n\n";
+ print "CTDB log:\n";
+ $cmd = "ctdb/tests/local_daemons.sh ${prefix} print-log all >&2";
+ system($cmd);
+ teardown_env_ctdb($self, $data);
+ return 0;
+ }
+
+ print "\nCTDB initialized\n";
+
+ return 1;
+}
+
+1;
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
new file mode 100755
index 0000000..7033146
--- /dev/null
+++ b/selftest/target/Samba4.pm
@@ -0,0 +1,3662 @@
+#!/usr/bin/perl
+# Bootstrap Samba and run a number of tests against it.
+# Copyright (C) 2005-2007 Jelmer Vernooij <jelmer@samba.org>
+# Published under the GNU GPL, v3 or later.
+
+# NOTE: Refer to the README for more details about the various testenvs,
+# and tips about adding new testenvs.
+
+package Samba4;
+
+use strict;
+use warnings;
+use Cwd qw(abs_path);
+use FindBin qw($RealBin);
+use POSIX;
+use SocketWrapper;
+use target::Samba;
+use target::Samba3;
+use Archive::Tar;
+
+sub new($$$$$) {
+ my ($classname, $SambaCtx, $bindir, $srcdir, $server_maxtime) = @_;
+
+ my $self = {
+ vars => {},
+ SambaCtx => $SambaCtx,
+ bindir => $bindir,
+ srcdir => $srcdir,
+ server_maxtime => $server_maxtime,
+ target3 => new Samba3($SambaCtx, $bindir, $srcdir, $server_maxtime)
+ };
+ bless $self;
+ return $self;
+}
+
+sub scriptdir_path($$) {
+ my ($self, $path) = @_;
+ return "$self->{srcdir}/source4/scripting/$path";
+}
+
+sub check_or_start($$$)
+{
+ my ($self, $env_vars, $process_model) = @_;
+ my $STDIN_READER;
+
+ my $env_ok = $self->check_env($env_vars);
+ if ($env_ok) {
+ return $env_vars->{SAMBA_PID};
+ } elsif (defined($env_vars->{SAMBA_PID})) {
+ warn("SAMBA PID $env_vars->{SAMBA_PID} is not running (died)");
+ return undef;
+ }
+
+ # use a pipe for stdin in the child processes. This allows
+ # those processes to monitor the pipe for EOF to ensure they
+ # exit when the test script exits
+ pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
+
+ # build up the command to run samba
+ my @preargs = ();
+ my @optargs = ();
+ if (defined($ENV{SAMBA_OPTIONS})) {
+ @optargs = split(/ /, $ENV{SAMBA_OPTIONS});
+ }
+ if(defined($ENV{SAMBA_VALGRIND})) {
+ @preargs = split(/ /,$ENV{SAMBA_VALGRIND});
+ }
+
+ if (defined($process_model)) {
+ push @optargs, ("-M", $process_model);
+ }
+ my $binary = Samba::bindir_path($self, "samba");
+ my @full_cmd = (@preargs, $binary, "-i",
+ "--no-process-group", "--maximum-runtime=$self->{server_maxtime}",
+ $env_vars->{CONFIGURATION}, @optargs);
+
+ # the samba process takes some additional env variables (compared to s3)
+ my $samba_envs = Samba::get_env_for_process("samba", $env_vars);
+ if (defined($ENV{MITKRB5})) {
+ $samba_envs->{KRB5_KDC_PROFILE} = $env_vars->{MITKDC_CONFIG};
+ }
+
+ # fork a child process and exec() samba
+ my $daemon_ctx = {
+ NAME => "samba",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env_vars->{SAMBA_TEST_LOG},
+ TEE_STDOUT => 1,
+ PCAP_FILE => "env-$ENV{ENVNAME}-samba",
+ ENV_VARS => $samba_envs,
+ };
+ my $pid = Samba::fork_and_exec($self, $env_vars, $daemon_ctx, $STDIN_READER);
+
+ $env_vars->{SAMBA_PID} = $pid;
+
+ # close the parent's read-end of the pipe
+ close($STDIN_READER);
+
+ if ($self->wait_for_start($env_vars) != 0) {
+ warn("Samba $pid failed to start up");
+ return undef;
+ }
+
+ return $pid;
+}
+
+sub wait_for_start($$)
+{
+ my ($self, $testenv_vars) = @_;
+ my $count = 0;
+ my $ret = 0;
+
+ if (not $self->check_env($testenv_vars)) {
+ warn("unable to confirm Samba $testenv_vars->{SAMBA_PID} is running");
+ return -1;
+ }
+
+ # This will return quickly when things are up, but be slow if we
+ # need to wait for (eg) SSL init
+ my $nmblookup = Samba::bindir_path($self, "nmblookup4");
+
+ do {
+ $ret = system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
+ if ($ret != 0) {
+ sleep(1);
+ } else {
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+ system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+ }
+ $count++;
+ } while ($ret != 0 && $count < 20);
+ if ($count == 20) {
+ teardown_env($self, $testenv_vars);
+ warn("nbt not reachable after 20 retries\n");
+ return -1;
+ }
+
+ # Ensure we have the first RID Set before we start tests. This makes the tests more reliable.
+ if ($testenv_vars->{SERVER_ROLE} eq "domain controller") {
+ print "waiting for working LDAP and a RID Set to be allocated\n";
+ my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
+ my $count = 0;
+ my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
+
+ my $search_dn = $base_dn;
+ if ($testenv_vars->{NETBIOSNAME} ne "RODC") {
+ # TODO currently no check for actual rIDAllocationPool
+ $search_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
+ }
+ my $max_wait = 60;
+
+ # Add hosts file for name lookups
+ my $cmd = $self->get_cmd_env_vars($testenv_vars);
+
+ $cmd .= "$ldbsearch ";
+ $cmd .= "$testenv_vars->{CONFIGURATION} ";
+ $cmd .= "-H ldap://$testenv_vars->{SERVER} ";
+ $cmd .= "-U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} ";
+ $cmd .= "--scope base ";
+ $cmd .= "-b '$search_dn' ";
+ while (system("$cmd >/dev/null") != 0) {
+ $count++;
+ if ($count > $max_wait) {
+ teardown_env($self, $testenv_vars);
+ warn("Timed out ($max_wait sec) waiting for working LDAP and a RID Set to be allocated by $testenv_vars->{NETBIOSNAME} PID $testenv_vars->{SAMBA_PID}");
+ return -1;
+ }
+ print "Waiting for working LDAP...\n";
+ sleep(1);
+ }
+ }
+
+ my $wbinfo = Samba::bindir_path($self, "wbinfo");
+
+ $count = 0;
+ do {
+ my $cmd = "NSS_WRAPPER_PASSWD=$testenv_vars->{NSS_WRAPPER_PASSWD} ";
+ $cmd .= "NSS_WRAPPER_GROUP=$testenv_vars->{NSS_WRAPPER_GROUP} ";
+ $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=$testenv_vars->{SELFTEST_WINBINDD_SOCKET_DIR} ";
+ $cmd .= "$wbinfo -P";
+ $ret = system($cmd);
+
+ if ($ret != 0) {
+ sleep(1);
+ }
+ $count++;
+ } while ($ret != 0 && $count < 20);
+ if ($count == 20) {
+ teardown_env($self, $testenv_vars);
+ warn("winbind not reachable after 20 retries\n");
+ return -1;
+ }
+
+ # Ensure we registered all our names
+ if ($testenv_vars->{SERVER_ROLE} eq "domain controller") {
+ my $max_wait = 120;
+ my $dns_update_cache = "$testenv_vars->{PRIVATEDIR}/dns_update_cache";
+ print "Waiting for $dns_update_cache to be created.\n";
+ $count = 0;
+ while (not -e $dns_update_cache) {
+ $count++;
+ if ($count > $max_wait) {
+ teardown_env($self, $testenv_vars);
+ warn("Timed out ($max_wait sec) waiting for $dns_update_cache PID $testenv_vars->{SAMBA_PID}");
+ return -1;
+ }
+ print "Waiting for $dns_update_cache to be created...\n";
+ sleep(1);
+ }
+ print "Waiting for $dns_update_cache to be filled.\n";
+ $count = 0;
+ while ((-s "$dns_update_cache") == 0) {
+ $count++;
+ if ($count > $max_wait) {
+ teardown_env($self, $testenv_vars);
+ warn("Timed out ($max_wait sec) waiting for $dns_update_cache PID $testenv_vars->{SAMBA_PID}");
+ return -1;
+ }
+ print "Waiting for $dns_update_cache to be filled...\n";
+ sleep(1);
+ }
+ }
+
+ print $self->getlog_env($testenv_vars);
+
+ print "READY ($testenv_vars->{SAMBA_PID})\n";
+
+ return 0
+}
+
+sub write_ldb_file($$$)
+{
+ my ($self, $file, $ldif_in) = @_;
+
+ my $ldbadd = Samba::bindir_path($self, "ldbadd");
+ open(my $ldif, "|$ldbadd -H $file > /dev/null")
+ or die "Failed to run $ldbadd: $!";
+ print $ldif $ldif_in;
+ close($ldif);
+
+ unless ($? == 0) {
+ warn("$ldbadd failed: $?");
+ return undef;
+ }
+ return 1;
+}
+
+sub add_wins_config($$)
+{
+ my ($self, $privatedir) = @_;
+ my $client_ip = Samba::get_ipv4_addr("client");
+
+ return $self->write_ldb_file("$privatedir/wins_config.ldb", "
+dn: name=TORTURE_11,CN=PARTNERS
+objectClass: wreplPartner
+name: TORTURE_11
+address: $client_ip
+pullInterval: 0
+pushChangeCount: 0
+type: 0x3
+");
+}
+
+sub setup_dns_hub_internal($$$)
+{
+ my ($self, $hostname, $prefix) = @_;
+ my $STDIN_READER;
+
+ unless(-d $prefix or mkdir($prefix, 0777)) {
+ warn("Unable to create $prefix");
+ return undef;
+ }
+ my $prefix_abs = abs_path($prefix);
+
+ die ("prefix=''") if $prefix_abs eq "";
+ die ("prefix='/'") if $prefix_abs eq "/";
+
+ unless (system("rm -rf $prefix_abs/*") == 0) {
+ warn("Unable to clean up");
+ }
+
+ my $env = undef;
+ $env->{NETBIOSNAME} = $hostname;
+
+ $env->{SERVER_IP} = Samba::get_ipv4_addr($hostname);
+ $env->{SERVER_IPV6} = Samba::get_ipv6_addr($hostname);
+ $env->{SOCKET_WRAPPER_DEFAULT_IFACE} = Samba::get_interface($hostname);
+ $env->{DNS_HUB_LOG} = "$prefix_abs/dns_hub.log";
+ $env->{RESOLV_CONF} = "$prefix_abs/resolv.conf";
+ $env->{TESTENV_DIR} = $prefix_abs;
+
+ my $ctx = undef;
+ $ctx->{resolv_conf} = $env->{RESOLV_CONF};
+ $ctx->{dns_ipv4} = $env->{SERVER_IP};
+ $ctx->{dns_ipv6} = $env->{SERVER_IPV6};
+ Samba::mk_resolv_conf($ctx);
+
+ my @preargs = ();
+ my @args = ();
+ if (!defined($ENV{PYTHON})) {
+ push (@preargs, "env");
+ push (@preargs, "python");
+ } else {
+ push (@preargs, $ENV{PYTHON});
+ }
+ my $binary = "$self->{srcdir}/selftest/target/dns_hub.py";
+ push (@args, "$self->{server_maxtime}");
+ push (@args, "$env->{SERVER_IP},$env->{SERVER_IPV6}");
+ push (@args, Samba::realm_to_ip_mappings());
+ my @full_cmd = (@preargs, $binary, @args);
+
+ my $daemon_ctx = {
+ NAME => "dnshub",
+ BINARY_PATH => $binary,
+ FULL_CMD => [ @full_cmd ],
+ LOG_FILE => $env->{DNS_HUB_LOG},
+ TEE_STDOUT => 1,
+ PCAP_FILE => "env-$ENV{ENVNAME}-dns_hub",
+ ENV_VARS => {},
+ };
+
+ # use a pipe for stdin in the child processes. This allows
+ # those processes to monitor the pipe for EOF to ensure they
+ # exit when the test script exits
+ pipe($STDIN_READER, $env->{STDIN_PIPE});
+
+ my $pid = Samba::fork_and_exec($self, $env, $daemon_ctx, $STDIN_READER);
+
+ $env->{SAMBA_PID} = $pid;
+ $env->{KRB5_CONFIG} = "$prefix_abs/no_krb5.conf";
+
+ # close the parent's read-end of the pipe
+ close($STDIN_READER);
+
+ return $env;
+}
+
+sub setup_dns_hub
+{
+ my ($self, $prefix) = @_;
+
+ my $hostname = "rootdnsforwarder";
+
+ unless(-d $prefix or mkdir($prefix, 0777)) {
+ warn("Unable to create $prefix");
+ return undef;
+ }
+ my $env = $self->setup_dns_hub_internal("$hostname", "$prefix/$hostname");
+
+ $self->{dns_hub_env} = $env;
+
+ return $env;
+}
+
+sub get_dns_hub_env($)
+{
+ my ($self, $prefix) = @_;
+
+ if (defined($self->{dns_hub_env})) {
+ return $self->{dns_hub_env};
+ }
+
+ die("get_dns_hub_env() not setup 'dns_hub_env'");
+ return undef;
+}
+
+sub return_env_value
+{
+ my ($env, $overwrite, $key) = @_;
+
+ if (defined($overwrite) and defined($overwrite->{$key})) {
+ return $overwrite->{$key};
+ }
+
+ if (defined($env->{$key})) {
+ return $env->{$key};
+ }
+
+ return undef;
+}
+
+# Returns the environmental variables that we pass to samba-tool commands
+sub get_cmd_env_vars
+{
+ my ($self, $givenenv, $overwrite) = @_;
+
+ my @keys = (
+ "NSS_WRAPPER_HOSTS",
+ "SOCKET_WRAPPER_DEFAULT_IFACE",
+ "RESOLV_CONF",
+ "RESOLV_WRAPPER_CONF",
+ "RESOLV_WRAPPER_HOSTS",
+ "GNUTLS_FORCE_FIPS_MODE",
+ "OPENSSL_FORCE_FIPS_MODE",
+ "KRB5_CONFIG",
+ "KRB5_CCACHE",
+ "GNUPGHOME",
+ );
+
+ my $localenv = undef;
+ foreach my $key (@keys) {
+ my $v = return_env_value($givenenv, $overwrite, $key);
+ $localenv->{$key} = $v if defined($v);
+ }
+
+ my $cmd_env = "NSS_WRAPPER_HOSTS='$localenv->{NSS_WRAPPER_HOSTS}' ";
+ $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+ if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
+ $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
+ } else {
+ $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
+ }
+ if (defined($localenv->{GNUTLS_FORCE_FIPS_MODE})) {
+ $cmd_env .= "GNUTLS_FORCE_FIPS_MODE=$localenv->{GNUTLS_FORCE_FIPS_MODE} ";
+ }
+ if (defined($localenv->{OPENSSL_FORCE_FIPS_MODE})) {
+ $cmd_env .= "OPENSSL_FORCE_FIPS_MODE=$localenv->{OPENSSL_FORCE_FIPS_MODE} ";
+ }
+ $cmd_env .= "KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
+ $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
+ $cmd_env .= "RESOLV_CONF=\"$localenv->{RESOLV_CONF}\" ";
+ $cmd_env .= "GNUPGHOME=\"$localenv->{GNUPGHOME}\" ";
+
+ return $cmd_env;
+}
+
+# Sets up a forest trust namespace.
+# (Note this is different to kernel namespaces, setup by the
+# USE_NAMESPACES=1 option)
+sub setup_namespaces
+{
+ my ($self, $localenv, $upn_array, $spn_array) = @_;
+
+ @{$upn_array} = [] unless defined($upn_array);
+ my $upn_args = "";
+ foreach my $upn (@{$upn_array}) {
+ $upn_args .= " --add-upn-suffix=$upn";
+ }
+
+ @{$spn_array} = [] unless defined($spn_array);
+ my $spn_args = "";
+ foreach my $spn (@{$spn_array}) {
+ $spn_args .= " --add-spn-suffix=$spn";
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ my $cmd_env = $self->get_cmd_env_vars($localenv);
+
+ my $cmd_config = " $localenv->{CONFIGURATION}";
+
+ my $namespaces = $cmd_env;
+ $namespaces .= " $samba_tool domain trust namespaces $upn_args $spn_args";
+ $namespaces .= $cmd_config;
+ unless (system($namespaces) == 0) {
+ warn("Failed to add namespaces \n$namespaces");
+ return -1;
+ }
+
+ return 0;
+}
+
+sub setup_trust($$$$$)
+{
+ my ($self, $localenv, $remoteenv, $type, $extra_args) = @_;
+
+ $localenv->{TRUST_SERVER} = $remoteenv->{SERVER};
+ $localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP};
+ $localenv->{TRUST_DNSNAME} = $remoteenv->{DNSNAME};
+
+ $localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME};
+ $localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD};
+ $localenv->{TRUST_DOMAIN} = $remoteenv->{DOMAIN};
+ $localenv->{TRUST_REALM} = $remoteenv->{REALM};
+ $localenv->{TRUST_DOMSID} = $remoteenv->{DOMSID};
+
+ # Add trusted domain realms to krb5.conf
+ Samba::append_krb5_conf_trust_realms($localenv);
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ # setup the trust
+ my $cmd_env = $self->get_cmd_env_vars($localenv);
+
+ my $cmd_config = " $localenv->{CONFIGURATION}";
+ my $cmd_creds = $cmd_config;
+ $cmd_creds .= " -U$localenv->{TRUST_DOMAIN}\\\\$localenv->{TRUST_USERNAME}\%$localenv->{TRUST_PASSWORD}";
+
+ my $create = $cmd_env;
+ $create .= " $samba_tool domain trust create --type=${type} $localenv->{TRUST_REALM}";
+ $create .= " $extra_args";
+ $create .= $cmd_creds;
+ unless (system($create) == 0) {
+ warn("Failed to create trust \n$create");
+ return undef;
+ }
+
+ my $groupname = "g_$localenv->{TRUST_DOMAIN}";
+ my $groupadd = $cmd_env;
+ $groupadd .= " $samba_tool group add '$groupname' --group-scope=Domain $cmd_config";
+ unless (system($groupadd) == 0) {
+ warn("Failed to create group \n$groupadd");
+ return undef;
+ }
+ my $groupmem = $cmd_env;
+ $groupmem .= " $samba_tool group addmembers '$groupname' '$localenv->{TRUST_DOMSID}-513' $cmd_config";
+ unless (system($groupmem) == 0) {
+ warn("Failed to add group member \n$groupmem");
+ return undef;
+ }
+
+ return $localenv
+}
+
+sub provision_raw_prepare($$$$$$$$$$$$$$)
+{
+ my ($self,
+ $prefix,
+ $server_role,
+ $hostname,
+ $domain,
+ $realm,
+ $samsid,
+ $functional_level,
+ $password,
+ $kdc_ipv4,
+ $kdc_ipv6,
+ $force_fips_mode,
+ $extra_provision_options) = @_;
+ my $ctx;
+ my $python_cmd = "";
+ if (defined $ENV{PYTHON}) {
+ $python_cmd = $ENV{PYTHON} . " ";
+ }
+ $ctx->{python} = $python_cmd;
+ my $netbiosname = uc($hostname);
+
+ unless(-d $prefix or mkdir($prefix, 0777)) {
+ warn("Unable to create $prefix");
+ return undef;
+ }
+ my $prefix_abs = abs_path($prefix);
+
+ die ("prefix=''") if $prefix_abs eq "";
+ die ("prefix='/'") if $prefix_abs eq "/";
+
+ unless (system("rm -rf $prefix_abs/*") == 0) {
+ warn("Unable to clean up");
+ }
+
+
+ my $swiface = Samba::get_interface($hostname);
+
+ $ctx->{prefix} = $prefix;
+ $ctx->{prefix_abs} = $prefix_abs;
+
+ $ctx->{server_role} = $server_role;
+ $ctx->{hostname} = $hostname;
+ $ctx->{netbiosname} = $netbiosname;
+ $ctx->{swiface} = $swiface;
+ $ctx->{password} = $password;
+ $ctx->{kdc_ipv4} = $kdc_ipv4;
+ $ctx->{kdc_ipv6} = $kdc_ipv6;
+ $ctx->{force_fips_mode} = $force_fips_mode;
+ $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
+ if ($functional_level eq "2000") {
+ $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc";
+ }
+
+#
+# Set smbd log level here.
+#
+ $ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
+ $ctx->{username} = "Administrator";
+ $ctx->{domain} = $domain;
+ $ctx->{realm} = uc($realm);
+ $ctx->{dnsname} = lc($realm);
+ $ctx->{samsid} = $samsid;
+
+ $ctx->{functional_level} = $functional_level;
+
+ my $unix_name = ($ENV{USER} or $ENV{LOGNAME} or `whoami`);
+ chomp $unix_name;
+ $ctx->{unix_name} = $unix_name;
+ $ctx->{unix_uid} = $>;
+ my @mygid = split(" ", $();
+ $ctx->{unix_gid} = $mygid[0];
+ $ctx->{unix_gids_str} = $);
+ @{$ctx->{unix_gids}} = split(" ", $ctx->{unix_gids_str});
+
+ $ctx->{etcdir} = "$prefix_abs/etc";
+ $ctx->{piddir} = "$prefix_abs/pid";
+ $ctx->{smb_conf} = "$ctx->{etcdir}/smb.conf";
+ $ctx->{krb5_conf} = "$ctx->{etcdir}/krb5.conf";
+ $ctx->{krb5_ccache} = "$prefix_abs/krb5_ccache";
+ $ctx->{mitkdc_conf} = "$ctx->{etcdir}/mitkdc.conf";
+ $ctx->{gnupghome} = "$prefix_abs/gnupg";
+ $ctx->{privatedir} = "$prefix_abs/private";
+ $ctx->{binddnsdir} = "$prefix_abs/bind-dns";
+ $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
+ $ctx->{lockdir} = "$prefix_abs/lockdir";
+ $ctx->{logdir} = "$prefix_abs/logs";
+ $ctx->{statedir} = "$prefix_abs/statedir";
+ $ctx->{cachedir} = "$prefix_abs/cachedir";
+ $ctx->{winbindd_socket_dir} = "$prefix_abs/wbsock";
+ $ctx->{ntp_signd_socket_dir} = "$prefix_abs/ntp_signd_socket";
+ $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
+ $ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
+ $ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts";
+ $ctx->{nsswrap_hostname} = "$ctx->{hostname}.$ctx->{dnsname}";
+ if ($ENV{SAMBA_DNS_FAKING}) {
+ $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
+ $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --configfile=$ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
+ $ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
+ } else {
+ $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --configfile=$ctx->{smb_conf} --all-interfaces";
+ $ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
+ $ctx->{use_resolv_wrapper} = 1;
+ }
+
+ my $dns_hub = $self->get_dns_hub_env();
+ $ctx->{resolv_conf} = $dns_hub->{RESOLV_CONF};
+
+ $ctx->{tlsdir} = "$ctx->{privatedir}/tls";
+
+ $ctx->{ipv4} = Samba::get_ipv4_addr($hostname);
+ $ctx->{ipv6} = Samba::get_ipv6_addr($hostname);
+
+ push(@{$ctx->{directories}}, $ctx->{privatedir});
+ push(@{$ctx->{directories}}, $ctx->{binddnsdir});
+ push(@{$ctx->{directories}}, $ctx->{etcdir});
+ push(@{$ctx->{directories}}, $ctx->{piddir});
+ push(@{$ctx->{directories}}, $ctx->{lockdir});
+ push(@{$ctx->{directories}}, $ctx->{logdir});
+ push(@{$ctx->{directories}}, $ctx->{statedir});
+ push(@{$ctx->{directories}}, $ctx->{cachedir});
+
+ $ctx->{smb_conf_extra_options} = "";
+
+ my @provision_options = ();
+ push (@provision_options, "GNUPGHOME=\"$ctx->{gnupghome}\"");
+ push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_conf}\"");
+ push (@provision_options, "KRB5CCNAME=\"$ctx->{krb5_ccache}\"");
+ push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
+ push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
+ push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
+ push (@provision_options, "NSS_WRAPPER_HOSTNAME=\"$ctx->{nsswrap_hostname}\"");
+ if (defined($ctx->{use_resolv_wrapper})) {
+ push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\"");
+ push (@provision_options, "RESOLV_CONF=\"$ctx->{resolv_conf}\"");
+ } else {
+ push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
+ }
+ if (defined($ctx->{force_fips_mode})) {
+ push (@provision_options, "GNUTLS_FORCE_FIPS_MODE=1");
+ push (@provision_options, "OPENSSL_FORCE_FIPS_MODE=1");
+ }
+
+ if (defined($ENV{GDB_PROVISION})) {
+ push (@provision_options, "gdb --args");
+ if (!defined($ENV{PYTHON})) {
+ push (@provision_options, "env");
+ push (@provision_options, "python");
+ }
+ }
+ if (defined($ENV{VALGRIND_PROVISION})) {
+ push (@provision_options, "valgrind");
+ if (!defined($ENV{PYTHON})) {
+ push (@provision_options, "env");
+ push (@provision_options, "python");
+ }
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ push (@provision_options, $samba_tool);
+ push (@provision_options, "domain");
+ push (@provision_options, "provision");
+ push (@provision_options, "--configfile=$ctx->{smb_conf}");
+ push (@provision_options, "--host-name=$ctx->{hostname}");
+ push (@provision_options, "--host-ip=$ctx->{ipv4}");
+ push (@provision_options, "--quiet");
+ push (@provision_options, "--domain=$ctx->{domain}");
+ push (@provision_options, "--realm=$ctx->{realm}");
+ if (defined($ctx->{samsid})) {
+ push (@provision_options, "--domain-sid=$ctx->{samsid}");
+ }
+ push (@provision_options, "--adminpass=$ctx->{password}");
+ push (@provision_options, "--krbtgtpass=krbtgt$ctx->{password}");
+ push (@provision_options, "--machinepass=machine$ctx->{password}");
+ push (@provision_options, "--root=$ctx->{unix_name}");
+ push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
+ push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
+
+ @{$ctx->{provision_options}} = @provision_options;
+
+ if (defined($extra_provision_options)) {
+ push (@{$ctx->{provision_options}}, @{$extra_provision_options});
+ }
+
+ return $ctx;
+}
+
+sub has_option
+{
+ my ($self, $keyword, @options_list) = @_;
+
+ # convert the options-list to a hash-map for easy keyword lookup
+ my %options_dict = map { $_ => 1 } @options_list;
+
+ return exists $options_dict{$keyword};
+}
+
+#
+# Step1 creates the basic configuration
+#
+sub provision_raw_step1($$)
+{
+ my ($self, $ctx) = @_;
+
+ mkdir($_, 0777) foreach (@{$ctx->{directories}});
+
+ ##
+ ## lockdir and piddir must be 0755
+ ##
+ chmod 0755, $ctx->{lockdir};
+ chmod 0755, $ctx->{piddir};
+
+ unless (open(CONFFILE, ">$ctx->{smb_conf}")) {
+ warn("can't open $ctx->{smb_conf}$?");
+ return undef;
+ }
+
+ Samba::copy_gnupg_home($ctx);
+ Samba::prepare_keyblobs($ctx);
+ my $crlfile = "$ctx->{tlsdir}/crl.pem";
+ $crlfile = "" unless -e ${crlfile};
+
+ # work out which file server to use. Default to source3 smbd (s3fs),
+ # unless the source4 NTVFS (smb) file server has been specified
+ my $services = "-smb +s3fs";
+ if ($self->has_option("--use-ntvfs", @{$ctx->{provision_options}})) {
+ $services = "+smb -s3fs";
+ }
+
+ my $interfaces = Samba::get_interfaces_config($ctx->{netbiosname});
+
+ print CONFFILE "
+[global]
+ netbios name = $ctx->{netbiosname}
+ posix:eadb = $ctx->{statedir}/eadb.tdb
+ workgroup = $ctx->{domain}
+ realm = $ctx->{realm}
+ private dir = $ctx->{privatedir}
+ binddns dir = $ctx->{binddnsdir}
+ pid directory = $ctx->{piddir}
+ ncalrpc dir = $ctx->{ncalrpcdir}
+ lock dir = $ctx->{lockdir}
+ state directory = $ctx->{statedir}
+ cache directory = $ctx->{cachedir}
+ winbindd socket directory = $ctx->{winbindd_socket_dir}
+ ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
+ winbind separator = /
+ interfaces = $interfaces
+ tls dh params file = $ctx->{tlsdir}/dhparms.pem
+ tls crlfile = ${crlfile}
+ tls verify peer = no_check
+ panic action = $RealBin/gdb_backtrace \%d
+ smbd:suicide mode = yes
+ smbd:FSCTL_SMBTORTURE = yes
+ smbd:validate_oplock_types = yes
+ wins support = yes
+ server role = $ctx->{server_role}
+ server services = +echo $services
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+ notify:inotify = false
+ ldb:nosync = true
+ ldap server require strong auth = yes
+ log file = $ctx->{logdir}/log.\%m
+ log level = $ctx->{server_loglevel}
+ lanman auth = Yes
+ ntlm auth = Yes
+ client min protocol = SMB2_02
+ server min protocol = SMB2_02
+ mangled names = yes
+ dns update command = $ctx->{samba_dnsupdate}
+ spn update command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate --configfile $ctx->{smb_conf}
+ gpo update command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba-gpupdate --configfile $ctx->{smb_conf} --target=Computer
+ samba kcc command = $ctx->{python} $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_kcc
+ dreplsrv:periodic_startup_interval = 0
+ dsdb:schema update allowed = yes
+
+ vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
+
+ idmap_ldb:use rfc2307=yes
+ winbind enum users = yes
+ winbind enum groups = yes
+
+ rpc server port:netlogon = 1026
+ include system krb5 conf = no
+
+";
+
+ print CONFFILE "
+
+ # Begin extra options
+ $ctx->{smb_conf_extra_options}
+ # End extra options
+";
+ close(CONFFILE);
+
+ #Default the KDC IP to the server's IP
+ if (not defined($ctx->{kdc_ipv4})) {
+ $ctx->{kdc_ipv4} = $ctx->{ipv4};
+ }
+ if (not defined($ctx->{kdc_ipv6})) {
+ $ctx->{kdc_ipv6} = $ctx->{ipv6};
+ }
+
+ Samba::mk_krb5_conf($ctx);
+ Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
+
+ open(PWD, ">$ctx->{nsswrap_passwd}");
+ if ($ctx->{unix_uid} != 0) {
+ print PWD "root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false\n";
+ }
+ print PWD "$ctx->{unix_name}:x:$ctx->{unix_uid}:65531:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false\n";
+ print PWD "nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+";
+ close(PWD);
+ my $uid_rfc2307test = 65533;
+
+ open(GRP, ">$ctx->{nsswrap_group}");
+ if ($ctx->{unix_gid} != 0) {
+ print GRP "root:x:0:\n";
+ }
+ print GRP "$ctx->{unix_name}:x:$ctx->{unix_gid}:\n";
+ print GRP "wheel:x:10:
+users:x:65531:
+nobody:x:65533:
+nogroup:x:65534:nobody
+";
+ close(GRP);
+ my $gid_rfc2307test = 65532;
+
+ my $hostname = lc($ctx->{hostname});
+ open(HOSTS, ">>$ctx->{nsswrap_hosts}");
+ if ($hostname eq "localdc") {
+ print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+ print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+ } else {
+ print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+ print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+ }
+ close(HOSTS);
+
+ my $configuration = "--configfile=$ctx->{smb_conf}";
+
+#Ensure the config file is valid before we start
+ my $testparm = Samba::bindir_path($self, "samba-tool") . " testparm";
+ if (system("$testparm $configuration -v --suppress-prompt >/dev/null 2>&1") != 0) {
+ system("$testparm -v --suppress-prompt $configuration >&2");
+ warn("Failed to create a valid smb.conf configuration $testparm!");
+ return undef;
+ }
+ unless (system("($testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global 2> /dev/null | grep -i \"^$ctx->{netbiosname}\" ) >/dev/null 2>&1") == 0) {
+ warn("Failed to create a valid smb.conf configuration! $testparm $configuration -v --suppress-prompt --parameter-name=\"netbios name\" --section-name=global");
+ return undef;
+ }
+
+ # Return the environment variables for the new testenv DC.
+ # Note that we have SERVER_X and DC_SERVER_X variables (which have the same
+ # value initially). In a 2 DC setup, $DC_SERVER_X will always be the PDC.
+ my $ret = {
+ GNUPGHOME => $ctx->{gnupghome},
+ KRB5_CONFIG => $ctx->{krb5_conf},
+ KRB5_CCACHE => $ctx->{krb5_ccache},
+ MITKDC_CONFIG => $ctx->{mitkdc_conf},
+ PIDDIR => $ctx->{piddir},
+ SERVER => $ctx->{hostname},
+ DC_SERVER => $ctx->{hostname},
+ SERVER_IP => $ctx->{ipv4},
+ DC_SERVER_IP => $ctx->{ipv4},
+ SERVER_IPV6 => $ctx->{ipv6},
+ DC_SERVER_IPV6 => $ctx->{ipv6},
+ NETBIOSNAME => $ctx->{netbiosname},
+ DC_NETBIOSNAME => $ctx->{netbiosname},
+ DOMAIN => $ctx->{domain},
+ USERNAME => $ctx->{username},
+ DC_USERNAME => $ctx->{username},
+ REALM => $ctx->{realm},
+ DNSNAME => $ctx->{dnsname},
+ SAMSID => $ctx->{samsid},
+ PASSWORD => $ctx->{password},
+ DC_PASSWORD => $ctx->{password},
+ LDAPDIR => $ctx->{ldapdir},
+ LDAP_INSTANCE => $ctx->{ldap_instance},
+ SELFTEST_WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
+ NCALRPCDIR => $ctx->{ncalrpcdir},
+ LOCKDIR => $ctx->{lockdir},
+ STATEDIR => $ctx->{statedir},
+ CACHEDIR => $ctx->{cachedir},
+ PRIVATEDIR => $ctx->{privatedir},
+ BINDDNSDIR => $ctx->{binddnsdir},
+ SERVERCONFFILE => $ctx->{smb_conf},
+ TESTENV_DIR => $ctx->{prefix_abs},
+ CONFIGURATION => $configuration,
+ SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
+ NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd},
+ NSS_WRAPPER_GROUP => $ctx->{nsswrap_group},
+ NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts},
+ NSS_WRAPPER_HOSTNAME => $ctx->{nsswrap_hostname},
+ SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
+ SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
+ SAMBA_TEST_LOG_POS => 0,
+ NSS_WRAPPER_MODULE_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
+ NSS_WRAPPER_MODULE_FN_PREFIX => "winbind",
+ LOCAL_PATH => $ctx->{share},
+ UID_RFC2307TEST => $uid_rfc2307test,
+ GID_RFC2307TEST => $gid_rfc2307test,
+ SERVER_ROLE => $ctx->{server_role},
+ RESOLV_CONF => $ctx->{resolv_conf},
+ };
+
+ if (defined($ctx->{use_resolv_wrapper})) {
+ $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf};
+ } else {
+ $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
+ }
+ if (defined($ctx->{force_fips_mode})) {
+ $ret->{GNUTLS_FORCE_FIPS_MODE} = "1",
+ $ret->{OPENSSL_FORCE_FIPS_MODE} = "1",
+ }
+
+ if ($ctx->{server_role} eq "domain controller") {
+ $ret->{DOMSID} = $ret->{SAMSID};
+ }
+
+ return $ret;
+}
+
+#
+# Step2 runs the provision script
+#
+sub provision_raw_step2($$$)
+{
+ my ($self, $ctx, $ret) = @_;
+
+ my $ldif;
+
+ my $provision_cmd = join(" ", @{$ctx->{provision_options}});
+ unless (system($provision_cmd) == 0) {
+ warn("Unable to provision: \n$provision_cmd\n");
+ return undef;
+ }
+
+ my $cmd_env = $self->get_cmd_env_vars($ret);
+
+ my $testallowed_account = "testallowed";
+ my $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ my $srv_account = "srv_account";
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add $srv_account user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ my $ldbmodify = ${cmd_env};
+ $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
+ $ldbmodify .= " --configfile=$ctx->{smb_conf}";
+ my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+
+ if ($ctx->{server_role} ne "domain controller") {
+ $base_dn = "DC=$ctx->{netbiosname}";
+ }
+
+ my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
+ $testallowed_account = "testallowed account";
+ open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
+ or die "Failed to run $ldbmodify: $!";
+ print $ldif "dn: $user_dn
+changetype: modify
+replace: samAccountName
+samAccountName: $testallowed_account
+-
+";
+ close($ldif);
+ unless ($? == 0) {
+ warn("$ldbmodify failed: $?");
+ return undef;
+ }
+
+ open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
+ or die "Failed to run $ldbmodify: $!";
+ print $ldif "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testallowed upn\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: host/testallowed
+-
+";
+ close($ldif);
+ unless ($? == 0) {
+ warn("$ldbmodify failed: $?");
+ return undef;
+ }
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ $user_dn = "cn=testdenied,cn=users,$base_dn";
+ open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
+ or die "Failed to run $ldbmodify: $!";
+ print $ldif "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
+-
+";
+ close($ldif);
+ unless ($? == 0) {
+ warn("$ldbmodify failed: $?");
+ return undef;
+ }
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} testupnspn $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testupnspn user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ $user_dn = "cn=testupnspn,cn=users,$base_dn";
+ open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
+ or die "Failed to run $ldbmodify: $!";
+ print $ldif "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: http/testupnspn.$ctx->{dnsname}\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: http/testupnspn.$ctx->{dnsname}
+-
+";
+ close($ldif);
+ unless ($? == 0) {
+ warn("$ldbmodify failed: $?");
+ return undef;
+ }
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ # Create to users alice and bob!
+ my $user_account_array = ["alice", "bob", "jane", "joe"];
+
+ foreach my $user_account (@{$user_account_array}) {
+ my $samba_tool_cmd = ${cmd_env};
+
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} $user_account Secret007";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to create user: $user_account\n$samba_tool_cmd\n");
+ return undef;
+ }
+ }
+
+ my $group_array = ["Samba Users"];
+
+ foreach my $group (@{$group_array}) {
+ my $samba_tool_cmd = ${cmd_env};
+
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " group add --configfile=$ctx->{smb_conf} \"$group\"";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to create group: $group\n$samba_tool_cmd\n");
+ return undef;
+ }
+ }
+
+ # Add user joe to group "Samba Users"
+ my $group = "Samba Users";
+ my $user_account = "joe";
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " group addmembers --configfile=$ctx->{smb_conf} \"$group\" $user_account";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add " . $user_account . "to group group : $group\n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ $group = "Samba Users";
+ $user_account = "joe";
+
+ $samba_tool_cmd = ${cmd_env};
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user setprimarygroup --configfile=$ctx->{smb_conf} $user_account \"$group\"";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to set primary group of user: $user_account\n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ # Change the userPrincipalName for jane
+ $user_dn = "cn=jane,cn=users,$base_dn";
+
+ open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
+ or die "Failed to run $ldbmodify: $!";
+ print $ldif "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: jane.doe\@$ctx->{realm}
+-
+";
+ close($ldif);
+ unless ($? == 0) {
+ warn("$ldbmodify failed: $?");
+ return undef;
+ }
+
+ return $ret;
+}
+
+sub provision($$$$$$$$$$$)
+{
+ my ($self,
+ $prefix,
+ $server_role,
+ $hostname,
+ $domain,
+ $realm,
+ $functional_level,
+ $password,
+ $kdc_ipv4,
+ $kdc_ipv6,
+ $force_fips_mode,
+ $extra_smbconf_options,
+ $extra_smbconf_shares,
+ $extra_provision_options) = @_;
+
+ my $samsid = Samba::random_domain_sid();
+
+ my $ctx = $self->provision_raw_prepare($prefix, $server_role,
+ $hostname,
+ $domain, $realm,
+ $samsid,
+ $functional_level,
+ $password,
+ $kdc_ipv4,
+ $kdc_ipv6,
+ $force_fips_mode,
+ $extra_provision_options);
+
+ $ctx->{share} = "$ctx->{prefix_abs}/share";
+ push(@{$ctx->{directories}}, "$ctx->{share}");
+ push(@{$ctx->{directories}}, "$ctx->{share}/test1");
+ push(@{$ctx->{directories}}, "$ctx->{share}/test2");
+
+ # precreate directories for printer drivers
+ push(@{$ctx->{directories}}, "$ctx->{share}/W32X86");
+ push(@{$ctx->{directories}}, "$ctx->{share}/x64");
+ push(@{$ctx->{directories}}, "$ctx->{share}/WIN40");
+
+ my $msdfs = "no";
+ $msdfs = "yes" if ($server_role eq "domain controller");
+ $ctx->{smb_conf_extra_options} = "
+
+ max xmit = 32K
+ server max protocol = SMB2
+ host msdfs = $msdfs
+ lanman auth = yes
+
+ # fruit:copyfile is a global option
+ fruit:copyfile = yes
+
+ $extra_smbconf_options
+
+[tmp]
+ path = $ctx->{share}
+ read only = no
+ posix:sharedelay = 100000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 500000
+
+[xcopy_share]
+ path = $ctx->{share}
+ read only = no
+ posix:sharedelay = 100000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 500000
+ create mask = 777
+ force create mode = 777
+
+[posix_share]
+ path = $ctx->{share}
+ read only = no
+ create mask = 0777
+ force create mode = 0
+ directory mask = 0777
+ force directory mode = 0
+
+[test1]
+ path = $ctx->{share}/test1
+ read only = no
+ posix:sharedelay = 100000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 500000
+
+[test2]
+ path = $ctx->{share}/test2
+ read only = no
+ posix:sharedelay = 100000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 500000
+
+[cifs]
+ path = $ctx->{share}/_ignore_cifs_
+ read only = no
+ ntvfs handler = cifs
+ cifs:server = $ctx->{netbiosname}
+ cifs:share = tmp
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
+
+[simple]
+ path = $ctx->{share}
+ read only = no
+ ntvfs handler = simple
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = no
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = no
+
+[cifsposix]
+ copy = simple
+ ntvfs handler = cifsposix
+
+[vfs_fruit]
+ path = $ctx->{share}
+ vfs objects = catia fruit streams_xattr acl_xattr
+ ea support = yes
+ fruit:resource = file
+ fruit:metadata = netatalk
+ fruit:locking = netatalk
+ fruit:encoding = native
+
+[xattr]
+ path = $ctx->{share}
+ # This can be used for testing real fs xattr stuff
+ vfs objects = streams_xattr acl_xattr
+
+$extra_smbconf_shares
+";
+
+ my $ret = $self->provision_raw_step1($ctx);
+ unless (defined $ret) {
+ return undef;
+ }
+
+ return $self->provision_raw_step2($ctx, $ret);
+}
+
+# For multi-DC testenvs, we want $DC_SERVER to always be the PDC (i.e. the
+# original DC) in the testenv. $SERVER is always the joined DC that we are
+# actually running the test against
+sub set_pdc_env_vars
+{
+ my ($self, $env, $dcvars) = @_;
+
+ $env->{DC_SERVER} = $dcvars->{DC_SERVER};
+ $env->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+ $env->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
+ $env->{DC_SERVERCONFFILE} = $dcvars->{SERVERCONFFILE};
+ $env->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+ $env->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+ $env->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+}
+
+sub provision_s4member($$$$$)
+{
+ my ($self, $prefix, $dcvars, $hostname, $more_conf) = @_;
+ print "PROVISIONING MEMBER...\n";
+ my $extra_smb_conf = "
+ passdb backend = samba_dsdb
+winbindd:use external pipes = true
+
+# the source4 smb server doesn't allow signing by default
+server signing = enabled
+raw NTLMv2 auth = yes
+
+# override the new SMB2 only default
+client min protocol = CORE
+server min protocol = LANMAN1
+";
+ if ($more_conf) {
+ $extra_smb_conf = $extra_smb_conf . $more_conf . "\n";
+ }
+ my $extra_provision_options = ["--use-ntvfs"];
+ my $ret = $self->provision($prefix,
+ "member server",
+ $hostname,
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ "2008",
+ "locMEMpass3",
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6},
+ undef,
+ $extra_smb_conf, "",
+ $extra_provision_options);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} --experimental-s4-member member";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+ $self->set_pdc_env_vars($ret, $dcvars);
+
+ return $ret;
+}
+
+sub provision_rpc_proxy($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+ print "PROVISIONING RPC PROXY...\n";
+
+ my $extra_smbconf_options = "
+ passdb backend = samba_dsdb
+
+ # rpc_proxy
+ dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
+ dcerpc endpoint servers = epmapper, remote
+ dcerpc_remote:interfaces = rpcecho
+ dcerpc_remote:allow_anonymous_fallback = yes
+ # override the new SMB2 only default
+ client min protocol = CORE
+ server min protocol = LANMAN1
+[cifs_to_dc]
+ path = /tmp/_ignore_cifs_to_dc_/_none_
+ read only = no
+ ntvfs handler = cifs
+ cifs:server = $dcvars->{SERVER}
+ cifs:share = cifs
+ cifs:use-s4u2proxy = yes
+ # There is no username specified here, instead the client is expected
+ # to log in with kerberos, and the serverwill use delegated credentials.
+ # Or the server tries s4u2self/s4u2proxy to impersonate the client
+
+";
+
+ my $extra_provision_options = ["--use-ntvfs"];
+ my $ret = $self->provision($prefix,
+ "member server",
+ "localrpcproxy",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ "2008",
+ "locRPCproxypass4",
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6},
+ undef,
+ $extra_smbconf_options, "",
+ $extra_provision_options);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ # The joind runs in the context of the rpc_proxy/member for now
+ my $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} --experimental-s4-member member";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ # Prepare a context of the DC, but using the local CCACHE.
+ my $overwrite = undef;
+ $overwrite->{KRB5_CCACHE} = $ret->{KRB5_CCACHE};
+ my $dc_cmd_env = $self->get_cmd_env_vars($dcvars, $overwrite);
+
+ # Setting up delegation runs in the context of the DC for now
+ $cmd = $dc_cmd_env;
+ $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
+ $cmd .= " $dcvars->{CONFIGURATION}";
+ print $cmd;
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
+ # Setting up delegation runs in the context of the DC for now
+ $cmd = $dc_cmd_env;
+ $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
+ $cmd .= " $dcvars->{CONFIGURATION}";
+
+ unless (system($cmd) == 0) {
+ warn("Delegation failed\n$cmd");
+ return undef;
+ }
+
+ $ret->{DOMSID} = $dcvars->{DOMSID};
+ $self->set_pdc_env_vars($ret, $dcvars);
+
+ return $ret;
+}
+
+sub provision_promoted_dc($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+ print "PROVISIONING PROMOTED DC...\n";
+
+ # We do this so that we don't run the provision. That's the job of 'samba-tool domain dcpromo'.
+ my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+ "promotedvdc",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{SAMSID},
+ "2008",
+ $dcvars->{PASSWORD},
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
+
+ $ctx->{smb_conf_extra_options} = "
+ max xmit = 32K
+ server max protocol = SMB2
+
+ ntlm auth = ntlmv2-only
+
+ kdc force enable rc4 weak session keys = yes
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = yes
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = no
+
+";
+
+ my $ret = $self->provision_raw_step1($ctx);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} --experimental-s4-member MEMBER --realm=$dcvars->{REALM}";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ $samba_tool = Samba::bindir_path($self, "samba-tool");
+ $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD} --dns-backend=BIND9_DLZ";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ $self->set_pdc_env_vars($ret, $dcvars);
+
+ return $ret;
+}
+
+sub provision_vampire_dc($$$)
+{
+ my ($self, $prefix, $dcvars, $fl) = @_;
+ print "PROVISIONING VAMPIRE DC @ FL $fl...\n";
+ my $name = "localvampiredc";
+ my $extra_conf = "";
+
+ if ($fl == "2000") {
+ $name = "vampire2000dc";
+ } else {
+ $extra_conf = "drs: immediate link sync = yes
+ drs: max link sync = 250";
+ }
+
+ # We do this so that we don't run the provision. That's the job of 'net vampire'.
+ my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+ $name,
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{DOMSID},
+ $fl,
+ $dcvars->{PASSWORD},
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
+
+ $ctx->{smb_conf_extra_options} = "
+ max xmit = 32K
+ server max protocol = SMB2
+
+ ntlm auth = mschapv2-and-ntlmv2-only
+ $extra_conf
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = yes
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = no
+
+";
+
+ my $ret = $self->provision_raw_step1($ctx);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
+ $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+ $cmd .= " --backend-store=mdb";
+
+ unless (system($cmd) == 0) {
+ warn("Join failed\n$cmd");
+ return undef;
+ }
+
+ $self->set_pdc_env_vars($ret, $dcvars);
+ $ret->{DC_REALM} = $dcvars->{DC_REALM};
+
+ return $ret;
+}
+
+sub provision_ad_dc_ntvfs($$$)
+{
+ my ($self, $prefix, $extra_provision_options) = @_;
+
+ # We keep the old 'winbind' name here in server services to
+ # ensure upgrades which used that name still work with the now
+ # alias.
+
+ print "PROVISIONING AD DC (NTVFS)...\n";
+ my $extra_conf_options = "netbios aliases = localDC1-a
+ server services = +winbind -winbindd
+ ldap server require strong auth = allow_sasl_over_tls
+ raw NTLMv2 auth = yes
+ lsa over netlogon = yes
+ rpc server port = 1027
+ auth event notification = true
+ dsdb event notification = true
+ dsdb password event notification = true
+ dsdb group change notification = true
+ # override the new SMB2 only default
+ client min protocol = CORE
+ server min protocol = LANMAN1
+
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ allow nt4 crypto:torturetest\$ = yes
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+ server schannel require seal:schannel0\$ = no
+ server schannel require seal:schannel1\$ = no
+ server schannel require seal:schannel2\$ = no
+ server schannel require seal:schannel3\$ = no
+ server schannel require seal:schannel4\$ = no
+ server schannel require seal:schannel5\$ = no
+ server schannel require seal:schannel6\$ = no
+ server schannel require seal:schannel7\$ = no
+ server schannel require seal:schannel8\$ = no
+ server schannel require seal:schannel9\$ = no
+ server schannel require seal:schannel10\$ = no
+ server schannel require seal:schannel11\$ = no
+ server schannel require seal:torturetest\$ = no
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:LOCALDC\$ = no
+ server schannel require seal:LOCALDC\$ = no
+ ";
+ push (@{$extra_provision_options}, "--use-ntvfs");
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ "localdc",
+ "SAMBADOMAIN",
+ "samba.example.com",
+ "2008",
+ "locDCpass1",
+ undef,
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ $extra_provision_options);
+ unless ($ret) {
+ return undef;
+ }
+
+ unless($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+ $ret->{NETBIOSALIAS} = "localdc1-a";
+ $ret->{DC_REALM} = $ret->{REALM};
+
+ return $ret;
+}
+
+sub provision_fl2000dc($$)
+{
+ my ($self, $prefix) = @_;
+
+ print "PROVISIONING DC WITH FOREST LEVEL 2000...\n";
+ my $extra_conf_options = "
+ kdc enable fast = no
+ spnego:simulate_w2k=yes
+ ntlmssp_server:force_old_spnego=yes
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ # This environment uses plain text secrets
+ # i.e. secret attributes are not encrypted on disk.
+ # This allows testing of the --plaintext-secrets option for
+ # provision
+ push (@{$extra_provision_options}, "--plaintext-secrets");
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ "dc5",
+ "SAMBA2000",
+ "samba2000.example.com",
+ "2000",
+ "locDCpass5",
+ undef,
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ $extra_provision_options);
+ unless ($ret) {
+ return undef;
+ }
+
+ unless($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+ $ret->{DC_REALM} = $ret->{REALM};
+
+ return $ret;
+}
+
+sub provision_fl2003dc($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+ my $ip_addr1 = Samba::get_ipv4_addr("fakednsforwarder1");
+ my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
+
+ print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
+ my $extra_conf_options = "
+ allow dns updates = nonsecure and secure
+
+ kdc enable fast = no
+ dcesrv:header signing = no
+ dcesrv:max auth states = 0
+
+ dns forwarder = $ip_addr1 [$ip_addr2]:54
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ "dc6",
+ "SAMBA2003",
+ "samba2003.example.com",
+ "2003",
+ "locDCpass6",
+ undef,
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ $extra_provision_options);
+ unless (defined $ret) {
+ return undef;
+ }
+
+ $ret->{DNS_FORWARDER1} = $ip_addr1;
+ $ret->{DNS_FORWARDER2} = $ip_addr2;
+
+ my @samba_tool_options;
+ push (@samba_tool_options, Samba::bindir_path($self, "samba-tool"));
+ push (@samba_tool_options, "domain");
+ push (@samba_tool_options, "passwordsettings");
+ push (@samba_tool_options, "set");
+ push (@samba_tool_options, "--configfile=$ret->{SERVERCONFFILE}");
+ push (@samba_tool_options, "--min-pwd-age=0");
+ push (@samba_tool_options, "--history-length=1");
+
+ my $samba_tool_cmd = join(" ", @samba_tool_options);
+
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to set min password age to 0: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ unless($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+
+ return $ret;
+}
+
+sub provision_fl2008r2dc($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+
+ print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n";
+ my $extra_conf_options = "
+ ldap server require strong auth = no
+ # delay by 10 seconds, 10^7 usecs
+ ldap_server:delay_expire_disconnect = 10000
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+ my $extra_provision_options = ["--base-schema=2008_R2"];
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ "dc7",
+ "SAMBA2008R2",
+ "samba2008R2.example.com",
+ "2008_R2",
+ "locDCpass7",
+ undef,
+ undef,
+ undef,
+ $extra_conf_options,
+ "",
+ $extra_provision_options);
+ unless (defined $ret) {
+ return undef;
+ }
+
+ unless ($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+ $ret->{DC_REALM} = $ret->{REALM};
+
+ return $ret;
+}
+
+
+sub provision_rodc($$$)
+{
+ my ($self, $prefix, $dcvars) = @_;
+ print "PROVISIONING RODC...\n";
+
+ # We do this so that we don't run the provision. That's the job of 'net join RODC'.
+ my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+ "rodc",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{DOMSID},
+ "2008",
+ $dcvars->{PASSWORD},
+ $dcvars->{SERVER_IP},
+ $dcvars->{SERVER_IPV6});
+ unless ($ctx) {
+ return undef;
+ }
+
+ $ctx->{share} = "$ctx->{prefix_abs}/share";
+ push(@{$ctx->{directories}}, "$ctx->{share}");
+
+ $ctx->{smb_conf_extra_options} = "
+ max xmit = 32K
+ server max protocol = SMB2
+ password server = $dcvars->{DC_SERVER}
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = yes
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = yes
+
+[tmp]
+ path = $ctx->{share}
+ read only = no
+ posix:sharedelay = 10000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 50000
+
+";
+
+ my $ret = $self->provision_raw_step1($ctx);
+ unless ($ret) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
+ $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $cmd .= " --server=$dcvars->{DC_SERVER}";
+
+ unless (system($cmd) == 0) {
+ warn("RODC join failed\n$cmd");
+ return undef;
+ }
+
+ # This ensures deterministic behaviour for tests that want to have the 'testallowed account'
+ # user password verified on the RODC
+ my $testallowed_account = "testallowed account";
+ $cmd = $self->get_cmd_env_vars($ret);
+ $cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}";
+ $cmd .= " --server=$dcvars->{DC_SERVER}";
+
+ unless (system($cmd) == 0) {
+ warn("RODC join failed\n$cmd");
+ return undef;
+ }
+
+ # we overwrite the kdc after the RODC join
+ # so that use the RODC as kdc and test
+ # the proxy code
+ $ctx->{kdc_ipv4} = $ret->{SERVER_IP};
+ $ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
+ Samba::mk_krb5_conf($ctx);
+ Samba::mk_mitkdc_conf($ctx, abs_path(Samba::bindir_path($self, "shared")));
+
+ $self->set_pdc_env_vars($ret, $dcvars);
+
+ return $ret;
+}
+
+sub read_config_h($)
+{
+ my ($name) = @_;
+ my %ret;
+ open(LF, "<$name") or die("unable to read $name: $!");
+ while (<LF>) {
+ chomp;
+ next if not (/^#define /);
+ if (/^#define (.*?)[ \t]+(.*?)$/) {
+ $ret{$1} = $2;
+ next;
+ }
+ if (/^#define (.*?)[ \t]+$/) {
+ $ret{$1} = 1;;
+ next;
+ }
+ }
+ close(LF);
+ return \%ret;
+}
+
+sub provision_ad_dc($$$$$$$)
+{
+ my ($self,
+ $prefix,
+ $hostname,
+ $domain,
+ $realm,
+ $force_fips_mode,
+ $smbconf_args,
+ $extra_provision_options) = @_;
+
+ my $prefix_abs = abs_path($prefix);
+
+ my $bindir_abs = abs_path($self->{bindir});
+ my $lockdir="$prefix_abs/lockdir";
+ my $conffile="$prefix_abs/etc/smb.conf";
+
+ my $require_mutexes = "dbwrap_tdb_require_mutexes:* = yes";
+ if ($ENV{SELFTEST_DONT_REQUIRE_TDB_MUTEX_SUPPORT} // '' eq "1") {
+ $require_mutexes = "";
+ }
+
+ my $config_h = {};
+
+ if (defined($ENV{CONFIG_H})) {
+ $config_h = read_config_h($ENV{CONFIG_H});
+ }
+
+ my $password_hash_gpg_key_ids = "password hash gpg key ids = 4952E40301FAB41A";
+ $password_hash_gpg_key_ids = "" unless defined($config_h->{HAVE_GPGME});
+
+ my $extra_smbconf_options = "
+ xattr_tdb:file = $prefix_abs/statedir/xattr.tdb
+
+ dbwrap_tdb_mutexes:* = yes
+ ${require_mutexes}
+
+ ${password_hash_gpg_key_ids}
+
+ kernel oplocks = no
+ kernel change notify = no
+ smb2 leases = no
+ smb2 disable oplock break retry = yes
+ server multi channel support = yes
+
+ logging = file
+ printing = bsd
+ printcap name = /dev/null
+
+ max protocol = SMB3
+ read only = no
+
+ smbd:sharedelay = 100000
+ smbd:writetimeupdatedelay = 500000
+ create mask = 755
+ dos filemode = yes
+ check parent directory delete on close = yes
+
+ dcerpc endpoint servers = -winreg -srvsvc
+
+ printcap name = /dev/null
+
+ addprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -a -s $conffile --
+ deleteprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -d -s $conffile --
+
+ printing = vlp
+ print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
+ lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
+ lp rm command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lprm %p %j
+ lp pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lppause %p %j
+ lp resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpresume %p %j
+ queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
+ queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
+ lpq cache time = 0
+ print notify backchannel = yes
+
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ CVE_2022_38023:error_debug_level = 2
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+ server reject md5 schannel:samlogontest\$ = no
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+ server schannel require seal:schannel0\$ = no
+ server schannel require seal:schannel1\$ = no
+ server schannel require seal:schannel2\$ = no
+ server schannel require seal:schannel3\$ = no
+ server schannel require seal:schannel4\$ = no
+ server schannel require seal:schannel5\$ = no
+ server schannel require seal:schannel6\$ = no
+ server schannel require seal:schannel7\$ = no
+ server schannel require seal:schannel8\$ = no
+ server schannel require seal:schannel9\$ = no
+ server schannel require seal:schannel10\$ = no
+ server schannel require seal:schannel11\$ = no
+ server schannel require seal:torturetest\$ = no
+
+ auth event notification = true
+ dsdb event notification = true
+ dsdb password event notification = true
+ dsdb group change notification = true
+ $smbconf_args
+";
+
+ my $extra_smbconf_shares = "
+
+[tmpenc]
+ copy = tmp
+ smb encrypt = required
+
+[tmpcase]
+ copy = tmp
+ case sensitive = yes
+
+[tmpguest]
+ copy = tmp
+ guest ok = yes
+
+[hideunread]
+ copy = tmp
+ hide unreadable = yes
+
+[durable]
+ copy = tmp
+ kernel share modes = no
+ kernel oplocks = no
+ posix locking = no
+
+[print\$]
+ copy = tmp
+
+[print1]
+ copy = tmp
+ printable = yes
+
+[print2]
+ copy = print1
+[print3]
+ copy = print1
+[print4]
+ copy = print1
+ guest ok = yes
+[lp]
+ copy = print1
+";
+
+ push (@{$extra_provision_options}, "--backend-store=mdb");
+ print "PROVISIONING AD DC...\n";
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ $hostname,
+ $domain,
+ $realm,
+ "2008",
+ "locDCpass1",
+ undef,
+ undef,
+ $force_fips_mode,
+ $extra_smbconf_options,
+ $extra_smbconf_shares,
+ $extra_provision_options);
+ unless (defined $ret) {
+ return undef;
+ }
+
+ unless($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+
+ return $ret;
+}
+
+sub provision_chgdcpass($$)
+{
+ my ($self, $prefix) = @_;
+
+ print "PROVISIONING CHGDCPASS...\n";
+ # This environment disallows the use of this password
+ # (and also removes the default AD complexity checks)
+ my $unacceptable_password = "Paßßword-widk3Dsle32jxdBdskldsk55klASKQ";
+
+ # This environment also sets some settings that are unusual,
+ # to test specific behaviours. In particular, this
+ # environment fails to correctly support DRSUAPI_DRS_GET_ANC
+ # like Samba before 4.5 and DRSUAPI_DRS_GET_TGT before 4.8
+ #
+ # Additionally, disabling DRSUAPI_DRS_GET_TGT causes all links
+ # to be sent last (in the final chunk), which is like Samba
+ # before 4.8.
+
+ my $extra_smb_conf = "
+ check password script = $self->{srcdir}/selftest/checkpassword_arg1.sh ${unacceptable_password}
+ allow dcerpc auth level connect:lsarpc = yes
+ dcesrv:max auth states = 8
+ drs:broken_samba_4.5_get_anc_emulation = true
+ drs:get_tgt_support = false
+";
+ my $extra_provision_options = ["--dns-backend=BIND9_DLZ"];
+ my $ret = $self->provision($prefix,
+ "domain controller",
+ "chgdcpass",
+ "CHDCDOMAIN",
+ "chgdcpassword.samba.example.com",
+ "2008",
+ "chgDCpass1",
+ undef,
+ undef,
+ undef,
+ $extra_smb_conf,
+ "",
+ $extra_provision_options);
+ unless (defined $ret) {
+ return undef;
+ }
+
+ unless($self->add_wins_config("$prefix/private")) {
+ warn("Unable to add wins configuration");
+ return undef;
+ }
+
+ # Remove secrets.tdb from this environment to test that we
+ # still start up on systems without the new matching
+ # secrets.tdb records.
+ unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
+ warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
+ return undef;
+ }
+
+ $ret->{UNACCEPTABLE_PASSWORD} = $unacceptable_password;
+
+ return $ret;
+}
+
+sub teardown_env_terminate($$)
+{
+ my ($self, $envvars) = @_;
+ my $pid;
+
+ # This should cause samba to terminate gracefully
+ my $smbcontrol = Samba::bindir_path($self, "smbcontrol");
+ my $cmd = "";
+ $cmd .= "$smbcontrol samba shutdown $envvars->{CONFIGURATION}";
+ my $ret = system($cmd);
+ if ($ret != 0) {
+ warn "'$cmd' failed with '$ret'\n";
+ }
+
+ # This should cause samba to terminate gracefully
+ close($envvars->{STDIN_PIPE});
+
+ $pid = $envvars->{SAMBA_PID};
+ my $count = 0;
+ my $childpid;
+
+ # This should give it time to write out the gcov data
+ until ($count > 15) {
+ if (Samba::cleanup_child($pid, "samba") != 0) {
+ return;
+ }
+ sleep(1);
+ $count++;
+ }
+
+ # After 15 Seconds, work out why this thing is still alive
+ warn "server process $pid took more than $count seconds to exit, showing backtrace:\n";
+ system("$self->{srcdir}/selftest/gdb_backtrace $pid");
+
+ until ($count > 30) {
+ if (Samba::cleanup_child($pid, "samba") != 0) {
+ return;
+ }
+ sleep(1);
+ $count++;
+ }
+
+ if (kill(0, $pid)) {
+ warn "server process $pid took more than $count seconds to exit, sending SIGTERM\n";
+ kill "TERM", $pid;
+ }
+
+ until ($count > 40) {
+ if (Samba::cleanup_child($pid, "samba") != 0) {
+ return;
+ }
+ sleep(1);
+ $count++;
+ }
+ # If it is still around, kill it
+ if (kill(0, $pid)) {
+ warn "server process $pid took more than $count seconds to exit, killing\n with SIGKILL\n";
+ kill 9, $pid;
+ }
+ return;
+}
+
+sub teardown_env($$)
+{
+ my ($self, $envvars) = @_;
+ teardown_env_terminate($self, $envvars);
+
+ print $self->getlog_env($envvars);
+
+ return;
+}
+
+sub getlog_env($$)
+{
+ my ($self, $envvars) = @_;
+ my $title = "SAMBA LOG of: $envvars->{NETBIOSNAME} pid $envvars->{SAMBA_PID}\n";
+ my $out = $title;
+
+ open(LOG, "<$envvars->{SAMBA_TEST_LOG}");
+
+ seek(LOG, $envvars->{SAMBA_TEST_LOG_POS}, SEEK_SET);
+ while (<LOG>) {
+ $out .= $_;
+ }
+ $envvars->{SAMBA_TEST_LOG_POS} = tell(LOG);
+ close(LOG);
+
+ return "" if $out eq $title;
+
+ return $out;
+}
+
+sub check_env($$)
+{
+ my ($self, $envvars) = @_;
+ my $samba_pid = $envvars->{SAMBA_PID};
+
+ if (not defined($samba_pid)) {
+ return 0;
+ } elsif ($samba_pid > 0) {
+ my $childpid = Samba::cleanup_child($samba_pid, "samba");
+
+ if ($childpid == 0) {
+ return 1;
+ }
+ return 0;
+ } else {
+ return 1;
+ }
+}
+
+# Declare the environments Samba4 makes available.
+# To be set up, they will be called as
+# samba4->setup_$envname($self, $path, $dep_1_vars, $dep_2_vars, ...)
+# The interdependencies between the testenvs are declared below. Some testenvs
+# are dependent on another testenv running first, e.g. vampire_dc is dependent
+# on ad_dc_ntvfs because vampire_dc joins ad_dc_ntvfs's domain. All DCs are
+# dependent on dns_hub, which handles resolving DNS queries for the realm.
+%Samba4::ENV_DEPS = (
+ # name => [dep_1, dep_2, ...],
+ dns_hub => [],
+ ad_dc_ntvfs => ["dns_hub"],
+ ad_dc_fips => ["dns_hub"],
+ ad_dc => ["dns_hub"],
+ ad_dc_smb1 => ["dns_hub"],
+ ad_dc_smb1_done => ["ad_dc_smb1"],
+ ad_dc_no_nss => ["dns_hub"],
+ ad_dc_no_ntlm => ["dns_hub"],
+
+ fl2008r2dc => ["ad_dc"],
+ fl2003dc => ["ad_dc"],
+ fl2000dc => ["ad_dc"],
+
+ vampire_2000_dc => ["fl2000dc"],
+ vampire_dc => ["ad_dc_ntvfs"],
+ promoted_dc => ["ad_dc_ntvfs"],
+
+ rodc => ["ad_dc_ntvfs"],
+ rpc_proxy => ["ad_dc_ntvfs"],
+ chgdcpass => ["dns_hub"],
+
+ s4member_dflt_domain => ["ad_dc_ntvfs"],
+ s4member => ["ad_dc_ntvfs"],
+
+ # envs that test the server process model
+ proclimitdc => ["dns_hub"],
+ preforkrestartdc => ["dns_hub"],
+
+ # backup/restore testenvs
+ backupfromdc => ["dns_hub"],
+ customdc => ["dns_hub"],
+ restoredc => ["backupfromdc"],
+ renamedc => ["backupfromdc"],
+ offlinebackupdc => ["backupfromdc"],
+ labdc => ["backupfromdc"],
+
+ # aliases in order to split autbuild tasks
+ fl2008dc => ["ad_dc"],
+ ad_dc_default => ["ad_dc"],
+ ad_dc_default_smb1 => ["ad_dc_smb1"],
+ ad_dc_default_smb1_done => ["ad_dc_default_smb1"],
+ ad_dc_slowtests => ["ad_dc"],
+ ad_dc_backup => ["ad_dc"],
+
+ schema_dc => ["dns_hub"],
+ schema_pair_dc => ["schema_dc"],
+
+ none => [],
+);
+
+%Samba4::ENV_DEPS_POST = (
+ schema_dc => ["schema_pair_dc"],
+);
+
+sub return_alias_env
+{
+ my ($self, $path, $env) = @_;
+
+ # just an alias
+ return $env;
+}
+
+sub setup_fl2008dc
+{
+ my ($self, $path) = @_;
+
+ my $extra_args = ["--base-schema=2008_R2"];
+ my $env = $self->provision_ad_dc_ntvfs($path, $extra_args);
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ warn("Failed to start fl2008dc");
+ return undef;
+ }
+ }
+ return $env;
+}
+
+sub setup_ad_dc_default
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env)
+}
+
+sub setup_ad_dc_default_smb1
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env)
+}
+
+sub setup_ad_dc_default_smb1_done
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env)
+}
+
+sub setup_ad_dc_slowtests
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env)
+}
+
+sub setup_ad_dc_backup
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env)
+}
+
+sub setup_s4member
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_s4member($path, $dc_vars, "s4member");
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub setup_s4member_dflt_domain
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_s4member($path, $dc_vars, "s4member_dflt",
+ "winbind use default domain = yes");
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub setup_rpc_proxy
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_rpc_proxy($path, $dc_vars);
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+ }
+ return $env;
+}
+
+sub setup_ad_dc_ntvfs
+{
+ my ($self, $path) = @_;
+
+ my $env = $self->provision_ad_dc_ntvfs($path, undef);
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ warn("Failed to start ad_dc_ntvfs");
+ return undef;
+ }
+ }
+ return $env;
+}
+
+sub setup_chgdcpass
+{
+ my ($self, $path) = @_;
+
+ my $env = $self->provision_chgdcpass($path);
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+ }
+ return $env;
+}
+
+sub setup_fl2000dc
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_fl2000dc($path);
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys --direction=outgoing");
+ }
+
+ return $env;
+}
+
+sub setup_fl2003dc
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_fl2003dc($path);
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys");
+ }
+ return $env;
+}
+
+sub setup_fl2008r2dc
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_fl2008r2dc($path);
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ $env = $self->setup_trust($env, $dc_vars, "forest", "");
+ }
+
+ return $env;
+}
+
+sub setup_vampire_dc
+{
+ return setup_generic_vampire_dc(@_, "2008");
+}
+
+sub setup_vampire_2000_dc
+{
+ return setup_generic_vampire_dc(@_, "2000");
+}
+
+sub setup_generic_vampire_dc
+{
+ my ($self, $path, $dc_vars, $fl) = @_;
+
+ my $env = $self->provision_vampire_dc($path, $dc_vars, $fl);
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
+
+ # force replicated DC to update repsTo/repsFrom
+ # for vampired partitions
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ # as 'vampired' dc may add data in its local replica
+ # we need to synchronize data between DCs
+ my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ my $cmd = $self->get_cmd_env_vars($env);
+ $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ # replicate Configuration NC
+ my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+
+ # Pull in a full set of changes from the main DC
+ $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ $cmd = $self->get_cmd_env_vars($env);
+ $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ # replicate Configuration NC
+ $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub setup_promoted_dc
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_promoted_dc($path, $dc_vars);
+
+ if (defined $env) {
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
+
+ # force source and replicated DC to update repsTo/repsFrom
+ # for vampired partitions
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($env);
+ # as 'vampired' dc may add data in its local replica
+ # we need to synchronize data between DCs
+ my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ # replicate Configuration NC
+ my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ }
+
+ return $env;
+}
+
+sub setup_rodc
+{
+ my ($self, $path, $dc_vars) = @_;
+
+ my $env = $self->provision_rodc($path, $dc_vars);
+
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = $self->get_cmd_env_vars($env);
+
+ my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+ $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
+ $cmd .= " $dc_vars->{CONFIGURATION}";
+ $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+ # replicate Configuration NC
+ my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+ # replicate Default NC
+ $cmd_repl = "$cmd \"$base_dn\"";
+ unless(system($cmd_repl) == 0) {
+ warn("Failed to replicate\n$cmd_repl");
+ return undef;
+ }
+
+ return $env;
+}
+
+sub _setup_ad_dc
+{
+ my ($self, $path, $conf_opts, $server, $dom) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ if (!defined($conf_opts)) {
+ $conf_opts = "";
+ }
+ if (!defined($server)) {
+ $server = "addc";
+ }
+ if (!defined($dom)) {
+ $dom = "addom.samba.example.com";
+ }
+ my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
+ $dom,
+ undef,
+ $conf_opts,
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+sub setup_ad_dc
+{
+ my ($self, $path) = @_;
+ return _setup_ad_dc($self, $path, undef, undef, undef);
+}
+
+sub setup_ad_dc_smb1
+{
+ my ($self, $path) = @_;
+ my $conf_opts = "
+[global]
+ client min protocol = CORE
+ server min protocol = LANMAN1
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:ADDCSMB1\$ = no
+ server schannel require seal:ADDCSMB1\$ = no
+";
+ return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
+}
+
+sub setup_ad_dc_smb1_done
+{
+ my ($self, $path, $dep_env) = @_;
+ return $self->return_alias_env($path, $dep_env);
+}
+
+sub setup_ad_dc_no_nss
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path,
+ "addc_no_nss",
+ "ADNONSSDOMAIN",
+ "adnonssdom.samba.example.com",
+ undef,
+ "",
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+ $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+
+ if (not defined($self->check_or_start($env, "single"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+sub setup_ad_dc_no_ntlm
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path,
+ "addc_no_ntlm",
+ "ADNONTLMDOMAIN",
+ "adnontlmdom.samba.example.com",
+ undef,
+ "ntlm auth = disabled\nnt hash store = never",
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+sub setup_ad_dc_fips
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path,
+ "fipsdc",
+ "FIPSDOMAIN",
+ "fips.samba.example.com",
+ 1,
+ "",
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+#
+# AD DC test environment used solely to test pre-fork process restarts.
+# As processes get killed off and restarted it should not be used for other
+sub setup_preforkrestartdc
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ # note DC name must be <= 15 chars so we use 'prockill' instead of
+ # 'preforkrestart'
+ my $env = $self->provision_ad_dc($path,
+ "prockilldc",
+ "PROCKILLDOMAIN",
+ "prockilldom.samba.example.com",
+ undef,
+ "prefork backoff increment = 5\nprefork maximum backoff=10",
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ # We treat processes in this environment cruelly, sometimes
+ # sending them SIGSEGV signals. We don't need gdb_backtrace
+ # dissecting these fake crashes in precise detail.
+ $env->{PLEASE_NO_GDB_BACKTRACE} = '1';
+
+ $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+ $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+#
+# ad_dc test environment used solely to test standard process model connection
+# process limits. As the limit is set artificially low it should not be used
+# for other tests.
+sub setup_proclimitdc
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $env = $self->provision_ad_dc($path,
+ "proclimitdc",
+ "PROCLIMITDOM",
+ "proclimit.samba.example.com",
+ undef,
+ "max smbd processes = 20",
+ undef);
+ unless ($env) {
+ return undef;
+ }
+
+ $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+ $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# Used to test a live upgrade of the schema on a 2 DC network.
+sub setup_schema_dc
+{
+ my ($self, $path) = @_;
+
+ # provision the PDC using an older base schema
+ my $provision_args = ["--base-schema=2008_R2", "--backend-store=mdb"];
+
+ my $env = $self->provision_ad_dc($path,
+ "liveupgrade1dc",
+ "SCHEMADOMAIN",
+ "schema.samba.example.com",
+ undef,
+ "drs: max link sync = 2",
+ $provision_args);
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env, "prefork"))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# the second DC in the live schema upgrade pair
+sub setup_schema_pair_dc
+{
+ # note: dcvars contains the env info for the dependent testenv ('schema_dc')
+ my ($self, $prefix, $dcvars) = @_;
+ print "Preparing SCHEMA UPGRADE PAIR DC...\n";
+
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "liveupgrade2dc",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{PASSWORD},
+ "");
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd_vars = $self->get_cmd_env_vars($env);
+
+ my $join_cmd = $cmd_vars;
+ $join_cmd .= "$samba_tool domain join $env->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
+ $join_cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} ";
+ $join_cmd .= " --backend-store=mdb";
+
+ my $upgrade_cmd = $cmd_vars;
+ $upgrade_cmd .= "$samba_tool domain schemaupgrade $dcvars->{CONFIGURATION}";
+ $upgrade_cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+ my $repl_cmd = $cmd_vars;
+ $repl_cmd .= "$samba_tool drs replicate $env->{SERVER} $dcvars->{SERVER}";
+ $repl_cmd .= " CN=Schema,CN=Configuration,DC=schema,DC=samba,DC=example,DC=com";
+ $repl_cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+
+ unless (system($join_cmd) == 0) {
+ warn("Join failed\n$join_cmd");
+ return undef;
+ }
+
+ $env->{DC_SERVER} = $dcvars->{SERVER};
+ $env->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+ $env->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+ $env->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+
+ # start samba for the new DC
+ if (not defined($self->check_or_start($env, "standard"))) {
+ return undef;
+ }
+
+ unless (system($upgrade_cmd) == 0) {
+ warn("Schema upgrade failed\n$upgrade_cmd");
+ return undef;
+ }
+
+ unless (system($repl_cmd) == 0) {
+ warn("Post-update schema replication failed\n$repl_cmd");
+ return undef;
+ }
+
+ return $env;
+}
+
+# Sets up a DC that's solely used to do a domain backup from. We then use the
+# backupfrom-DC to create the restore-DC - this proves that the backup/restore
+# process will create a Samba DC that will actually start up.
+# We don't use the backup-DC for anything else because its domain will conflict
+# with the restore DC.
+sub setup_backupfromdc
+{
+ my ($self, $path) = @_;
+
+ # If we didn't build with ADS, pretend this env was never available
+ if (not $self->{target3}->have_ads()) {
+ return "UNKNOWN";
+ }
+
+ my $provision_args = ["--site=Backup-Site"];
+
+ my $env = $self->provision_ad_dc($path,
+ "backupfromdc",
+ "BACKUPDOMAIN",
+ "backupdom.samba.example.com",
+ undef,
+ "samba kcc command = /bin/true",
+ $provision_args);
+ unless ($env) {
+ return undef;
+ }
+
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ # Set up a dangling forward link to an expunged object
+ #
+ # We need this to ensure that the "samba-tool domain backup rename"
+ # that is part of the creation of the labdc environment can
+ # cope with this situation on the source DC.
+
+ if (not $self->write_ldb_file("$env->{PRIVATEDIR}/sam.ldb", "
+dn: ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: organizationalUnit
+-
+
+dn: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: msExchConfigurationContainer
+-
+
+dn: cn=linkfrom,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+objectclass: msExchConfigurationContainer
+addressBookRoots: cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com
+-
+
+")) {
+ return undef;
+ }
+ my $ldbdel = Samba::bindir_path($self, "ldbdel");
+ my $cmd = "$ldbdel -H $env->{PRIVATEDIR}/sam.ldb cn=linkto,ou=linktest,dc=backupdom,dc=samba,dc=example,dc=com";
+
+ unless(system($cmd) == 0) {
+ warn("Failed to delete link target: \n$cmd");
+ return undef;
+ }
+
+ # Expunge will ensure that linkto is totally wiped from the DB
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ $cmd = "$samba_tool domain tombstones expunge --tombstone-lifetime=0 $env->{CONFIGURATION}";
+
+ unless(system($cmd) == 0) {
+ warn("Failed to expunge link target: \n$cmd");
+ return undef;
+ }
+ return $env;
+}
+
+# returns the server/user-auth params needed to run an online backup cmd
+sub get_backup_server_args
+{
+ # dcvars contains the env info for the backup DC testenv
+ my ($self, $dcvars) = @_;
+ my $server = $dcvars->{DC_SERVER_IP};
+ my $server_args = "--server=$server ";
+ $server_args .= "-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+ $server_args .= " $dcvars->{CONFIGURATION}";
+
+ return $server_args;
+}
+
+# Creates a backup of a running testenv DC
+sub create_backup
+{
+ # note: dcvars contains the env info for the backup DC testenv
+ my ($self, $env, $dcvars, $backupdir, $backup_cmd) = @_;
+
+ # get all the env variables we pass in with the samba-tool command
+ # Note: use the backupfrom-DC's krb5.conf to do the backup
+ my $overwrite = undef;
+ $overwrite->{KRB5_CONFIG} = $dcvars->{KRB5_CONFIG};
+ my $cmd_env = $self->get_cmd_env_vars($env, $overwrite);
+
+ # use samba-tool to create a backup from the 'backupfromdc' DC
+ my $cmd = "";
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+
+ $cmd .= "$cmd_env $samba_tool domain backup $backup_cmd";
+ $cmd .= " --targetdir=$backupdir";
+
+ print "Executing: $cmd\n";
+ unless(system($cmd) == 0) {
+ warn("Failed to create backup using: \n$cmd");
+ return undef;
+ }
+
+ # get the name of the backup file created
+ opendir(DIR, $backupdir);
+ my @files = grep(/\.tar/, readdir(DIR));
+ closedir(DIR);
+
+ if(scalar @files != 1) {
+ warn("Backup file not found in directory $backupdir\n");
+ return undef;
+ }
+ my $backup_file = "$backupdir/$files[0]";
+ print "Using backup file $backup_file...\n";
+
+ return $backup_file;
+}
+
+# Restores a backup-file to populate a testenv for a new DC
+sub restore_backup_file
+{
+ my ($self, $backup_file, $restore_opts, $restoredir, $smbconf) = @_;
+
+ # pass the restore command the testenv's smb.conf that we've already
+ # generated. But move it to a temp-dir first, so that the restore doesn't
+ # overwrite it
+ my $tmpdir = File::Temp->newdir();
+ my $tmpconf = "$tmpdir/smb.conf";
+ my $cmd = "cp $smbconf $tmpconf";
+ unless(system($cmd) == 0) {
+ warn("Failed to backup smb.conf using: \n$cmd");
+ return -1;
+ }
+
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ $cmd = "$samba_tool domain backup restore --backup-file=$backup_file";
+ $cmd .= " --targetdir=$restoredir $restore_opts --configfile=$tmpconf";
+
+ print "Executing: $cmd\n";
+ unless(system($cmd) == 0) {
+ warn("Failed to restore backup using: \n$cmd");
+ return -1;
+ }
+
+ print "Restore complete\n";
+ return 0
+}
+
+# sets up the initial directory and returns the new testenv's env info
+# (without actually doing a 'domain join')
+sub prepare_dc_testenv
+{
+ my ($self, $prefix, $dcname, $domain, $realm,
+ $password, $conf_options, $dnsupdate_options) = @_;
+
+ my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+ $dcname,
+ $domain,
+ $realm,
+ undef,
+ "2008",
+ $password,
+ undef,
+ undef);
+
+ # the restore uses a slightly different state-dir location to other testenvs
+ $ctx->{statedir} = "$ctx->{prefix_abs}/state";
+ push(@{$ctx->{directories}}, "$ctx->{statedir}");
+
+ # add support for sysvol/netlogon/tmp shares
+ $ctx->{share} = "$ctx->{prefix_abs}/share";
+ push(@{$ctx->{directories}}, "$ctx->{share}");
+ push(@{$ctx->{directories}}, "$ctx->{share}/test1");
+
+ if (defined($dnsupdate_options)) {
+ $ctx->{samba_dnsupdate} .= $dnsupdate_options;
+ }
+
+ $ctx->{smb_conf_extra_options} = "
+ $conf_options
+ max xmit = 32K
+ server max protocol = SMB2
+ samba kcc command = /bin/true
+ xattr_tdb:file = $ctx->{statedir}/xattr.tdb
+
+[sysvol]
+ path = $ctx->{statedir}/sysvol
+ read only = no
+
+[netlogon]
+ path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+ read only = no
+
+[tmp]
+ path = $ctx->{share}
+ read only = no
+ posix:sharedelay = 10000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 50000
+
+[test1]
+ path = $ctx->{share}/test1
+ read only = no
+ posix:sharedelay = 100000
+ posix:oplocktimeout = 3
+ posix:writetimeupdatedelay = 500000
+";
+
+ my $env = $self->provision_raw_step1($ctx);
+
+ return ($env, $ctx);
+}
+
+
+# Set up a DC testenv solely by using the samba-tool domain backup/restore
+# commands. This proves that we can backup an online DC ('backupfromdc') and
+# use the backup file to create a valid, working samba DC.
+sub setup_restoredc
+{
+ # note: dcvars contains the env info for the dependent testenv ('backupfromdc')
+ my ($self, $prefix, $dcvars) = @_;
+ print "Preparing RESTORE DC...\n";
+
+ # we arbitrarily designate the restored DC as having SMBv1 disabled
+ my $extra_conf = "
+ server min protocol = SMB2
+ client min protocol = SMB2
+ prefork children = 1";
+ my $dnsupdate_options = " --use-samba-tool --no-credentials";
+
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "restoredc",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{PASSWORD},
+ $extra_conf,
+ $dnsupdate_options);
+
+ # create a backup of the 'backupfromdc'
+ my $backupdir = File::Temp->newdir();
+ my $server_args = $self->get_backup_server_args($dcvars);
+ my $backup_args = "online $server_args";
+ my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
+ $backup_args);
+ unless($backup_file) {
+ return undef;
+ }
+
+ # restore the backup file to populate the restore-DC testenv
+ my $restore_dir = abs_path($prefix);
+ my $ret = $self->restore_backup_file($backup_file,
+ "--newservername=$env->{SERVER}",
+ $restore_dir, $env->{SERVERCONFFILE});
+ unless ($ret == 0) {
+ return undef;
+ }
+
+ #
+ # As we create a the same domain as a clone
+ # we need a separate resolv.conf!
+ #
+ $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
+ $ctx->{dns_ipv4} = $ctx->{ipv4};
+ $ctx->{dns_ipv6} = $ctx->{ipv6};
+ Samba::mk_resolv_conf($ctx);
+ $env->{RESOLV_CONF} = $ctx->{resolv_conf};
+
+ # start samba for the restored DC
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# Set up a DC testenv solely by using the 'samba-tool domain backup rename' and
+# restore commands. This proves that we can backup and rename an online DC
+# ('backupfromdc') and use the backup file to create a valid, working samba DC.
+sub setup_renamedc
+{
+ # note: dcvars contains the env info for the dependent testenv ('backupfromdc')
+ my ($self, $prefix, $dcvars) = @_;
+ print "Preparing RENAME DC...\n";
+ my $extra_conf = "prefork children = 1";
+
+ my $realm = "renamedom.samba.example.com";
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "renamedc",
+ "RENAMEDOMAIN", $realm,
+ $dcvars->{PASSWORD}, $extra_conf);
+
+ # create a backup of the 'backupfromdc' which renames the domain
+ my $backupdir = File::Temp->newdir();
+ my $server_args = $self->get_backup_server_args($dcvars);
+ my $backup_args = "rename $env->{DOMAIN} $env->{REALM} $server_args";
+ $backup_args .= " --backend-store=tdb";
+ my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
+ $backup_args);
+ unless($backup_file) {
+ return undef;
+ }
+
+ # restore the backup file to populate the rename-DC testenv
+ my $restore_dir = abs_path($prefix);
+ my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
+ my $ret = $self->restore_backup_file($backup_file, $restore_opts,
+ $restore_dir, $env->{SERVERCONFFILE});
+ unless ($ret == 0) {
+ return undef;
+ }
+
+ # start samba for the restored DC
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# Set up a DC testenv solely by using the 'samba-tool domain backup offline' and
+# restore commands. This proves that we do an offline backup of a local DC
+# ('backupfromdc') and use the backup file to create a valid, working samba DC.
+sub setup_offlinebackupdc
+{
+ # note: dcvars contains the env info for the dependent testenv ('backupfromdc')
+ my ($self, $prefix, $dcvars) = @_;
+ print "Preparing OFFLINE BACKUP DC...\n";
+ my $extra_conf = "prefork children = 1";
+ my $dnsupdate_options = " --use-samba-tool --no-credentials";
+
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "offlinebackupdc",
+ $dcvars->{DOMAIN},
+ $dcvars->{REALM},
+ $dcvars->{PASSWORD},
+ $extra_conf,
+ $dnsupdate_options);
+
+ # create an offline backup of the 'backupfromdc' target
+ my $backupdir = File::Temp->newdir();
+ my $cmd = "offline --configfile $dcvars->{SERVERCONFFILE}";
+ my $backup_file = $self->create_backup($env, $dcvars,
+ $backupdir, $cmd);
+
+ unless($backup_file) {
+ return undef;
+ }
+
+ # restore the backup file to populate the rename-DC testenv
+ my $restore_dir = abs_path($prefix);
+ my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
+ my $ret = $self->restore_backup_file($backup_file, $restore_opts,
+ $restore_dir, $env->{SERVERCONFFILE});
+ unless ($ret == 0) {
+ return undef;
+ }
+
+ #
+ # As we create a the same domain as a clone
+ # we need a separate resolv.conf!
+ #
+ $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
+ $ctx->{dns_ipv4} = $ctx->{ipv4};
+ $ctx->{dns_ipv6} = $ctx->{ipv6};
+ Samba::mk_resolv_conf($ctx);
+ $env->{RESOLV_CONF} = $ctx->{resolv_conf};
+
+ # re-create the testenv's krb5.conf (the restore may have overwritten it)
+ Samba::mk_krb5_conf($ctx);
+
+ # start samba for the restored DC
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# Set up a DC testenv solely by using the samba-tool 'domain backup rename' and
+# restore commands, using the --no-secrets option. This proves that we can
+# create a realistic lab environment from an online DC ('backupfromdc').
+sub setup_labdc
+{
+ # note: dcvars contains the env info for the dependent testenv ('backupfromdc')
+ my ($self, $prefix, $dcvars) = @_;
+ print "Preparing LAB-DOMAIN DC...\n";
+ my $extra_conf = "prefork children = 1";
+
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, "labdc",
+ "LABDOMAIN",
+ "labdom.samba.example.com",
+ $dcvars->{PASSWORD}, $extra_conf);
+
+ # create a backup of the 'backupfromdc' which renames the domain and uses
+ # the --no-secrets option to scrub any sensitive info
+ my $backupdir = File::Temp->newdir();
+ my $server_args = $self->get_backup_server_args($dcvars);
+ my $backup_args = "rename $env->{DOMAIN} $env->{REALM} $server_args";
+ $backup_args .= " --no-secrets --backend-store=mdb";
+ my $backup_file = $self->create_backup($env, $dcvars, $backupdir,
+ $backup_args);
+ unless($backup_file) {
+ return undef;
+ }
+
+ # restore the backup file to populate the lab-DC testenv
+ my $restore_dir = abs_path($prefix);
+ my $restore_opts = "--newservername=$env->{SERVER} --host-ip=$env->{SERVER_IP}";
+ my $ret = $self->restore_backup_file($backup_file, $restore_opts,
+ $restore_dir, $env->{SERVERCONFFILE});
+ unless ($ret == 0) {
+ return undef;
+ }
+
+ # because we don't include any secrets in the backup, we need to reset the
+ # admin user's password back to what the testenv expects
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "$samba_tool user setpassword $env->{USERNAME} ";
+ $cmd .= "--newpassword=$env->{PASSWORD} -H $restore_dir/private/sam.ldb";
+ $cmd .= " $env->{CONFIGURATION}";
+
+ unless(system($cmd) == 0) {
+ warn("Failed to reset admin's password: \n$cmd");
+ return undef;
+ }
+
+ # start samba for the restored DC
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+# Inspects a backup *.tar.bz2 file and determines the realm/domain it contains
+sub get_backup_domain_realm
+{
+ my ($self, $backup_file) = @_;
+
+ print "Determining REALM/DOMAIN values in backup...\n";
+
+ # The backup will have the correct domain/realm values in the smb.conf.
+ # So we can work out the env variables the testenv should use based on
+ # that. Let's start by extracting the smb.conf
+ my $tar = Archive::Tar->new($backup_file);
+ my $tmpdir = File::Temp->newdir();
+ my $smbconf = "$tmpdir/smb.conf";
+
+ # note that the filepaths within the tar-file differ slightly for online
+ # and offline backups
+ if ($tar->contains_file("etc/smb.conf")) {
+ $tar->extract_file("etc/smb.conf", $smbconf);
+ } elsif ($tar->contains_file("./etc/smb.conf")) {
+ $tar->extract_file("./etc/smb.conf", $smbconf);
+ } else {
+ warn("Could not find smb.conf in $backup_file");
+ return undef, undef;
+ }
+
+ # make sure we don't try to create locks/sockets in the default install
+ # location (i.e. /usr/local/samba/)
+ my $options = "--option=\"private dir = $tmpdir\"";
+ $options .= " --option=\"lock dir = $tmpdir\"";
+
+ # now use testparm to read the values we're interested in
+ my $testparm = Samba::bindir_path($self, "testparm");
+ my $domain = `$testparm $smbconf -sl --parameter-name=WORKGROUP $options`;
+ my $realm = `$testparm $smbconf -sl --parameter-name=REALM $options`;
+ chomp $realm;
+ chomp $domain;
+ print "Backup-file REALM is $realm, DOMAIN is $domain\n";
+
+ return ($domain, $realm);
+}
+
+# This spins up a custom testenv that can be based on any backup-file you want.
+# This is just intended for manual testing (rather than automated test-cases)
+sub setup_customdc
+{
+ my ($self, $prefix) = @_;
+ print "Preparing CUSTOM RESTORE DC...\n";
+ my $dc_name = "customdc";
+ my $password = "locDCpass1";
+ my $backup_file = $ENV{'BACKUP_FILE'};
+ my $dnsupdate_options = " --use-samba-tool --no-credentials";
+
+ # user must specify a backup file to restore via an ENV variable, i.e.
+ # BACKUP_FILE=backup-blah.tar.bz2 SELFTEST_TESTENV=customdc make testenv
+ if (not defined($backup_file)) {
+ warn("Please specify BACKUP_FILE");
+ return undef;
+ }
+
+ # work out the correct domain/realm env values from the backup-file
+ my ($domain, $realm) = $self->get_backup_domain_realm($backup_file);
+ if ($domain eq '' or $realm eq '') {
+ warn("Could not determine domain or realm");
+ return undef;
+ }
+
+ # create a placeholder directory and smb.conf, as well as the env vars.
+ my ($env, $ctx) = $self->prepare_dc_testenv($prefix, $dc_name,
+ $domain, $realm, $password, "",
+ $dnsupdate_options);
+
+ # restore the specified backup file to populate the testenv
+ my $restore_dir = abs_path($prefix);
+ my $ret = $self->restore_backup_file($backup_file,
+ "--newservername=$env->{SERVER}",
+ $restore_dir, $env->{SERVERCONFFILE});
+ unless ($ret == 0) {
+ return undef;
+ }
+
+ #
+ # As we create a the same domain as a clone
+ # we need a separate resolv.conf!
+ #
+ $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
+ $ctx->{dns_ipv4} = $ctx->{ipv4};
+ $ctx->{dns_ipv6} = $ctx->{ipv6};
+ Samba::mk_resolv_conf($ctx);
+ $env->{RESOLV_CONF} = $ctx->{resolv_conf};
+
+ # Change the admin password to the testenv default, just in case it's
+ # different, or in case this was a --no-secrets backup
+ my $samba_tool = Samba::bindir_path($self, "samba-tool");
+ my $cmd = "$samba_tool user setpassword $env->{USERNAME} ";
+ $cmd .= "--newpassword=$password -H $restore_dir/private/sam.ldb";
+ $cmd .= " $env->{CONFIGURATION}";
+
+ unless(system($cmd) == 0) {
+ warn("Failed to reset admin's password: \n$cmd");
+ return undef;
+ }
+
+ # re-create the testenv's krb5.conf (the restore may have overwritten it,
+ # if the backup-file was an offline backup)
+ Samba::mk_krb5_conf($ctx);
+
+ # start samba for the restored DC
+ if (not defined($self->check_or_start($env))) {
+ return undef;
+ }
+
+ # if this was a backup-rename, then we may need to setup namespaces
+ my $upn_array = ["$env->{REALM}.upn"];
+ my $spn_array = ["$env->{REALM}.spn"];
+
+ if ($self->setup_namespaces($env, $upn_array, $spn_array) != 0) {
+ return undef;
+ }
+
+ return $env;
+}
+
+sub setup_none
+{
+ my ($self, $path) = @_;
+
+ my $ret = {
+ KRB5_CONFIG => abs_path($path) . "/no_krb5.conf",
+ SAMBA_PID => -1,
+ }
+}
+
+1;
diff --git a/selftest/target/dns_hub.py b/selftest/target/dns_hub.py
new file mode 100755
index 0000000..993c56e
--- /dev/null
+++ b/selftest/target/dns_hub.py
@@ -0,0 +1,250 @@
+#!/usr/bin/env python3
+#
+# Unix SMB/CIFS implementation.
+# Copyright (C) Volker Lendecke 2017
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Used by selftest to proxy DNS queries to the correct testenv DC.
+# See selftest/target/README for more details.
+# Based on the EchoServer example from python docs
+
+import threading
+import sys
+import select
+import socket
+import collections
+import time
+from samba.dcerpc import dns
+import samba.ndr as ndr
+
+if sys.version_info[0] < 3:
+ import SocketServer
+ sserver = SocketServer
+else:
+ import socketserver
+ sserver = socketserver
+
+DNS_REQUEST_TIMEOUT = 10
+
+# make sure the script dies immediately when hitting control-C,
+# rather than raising KeyboardInterrupt. As we do all database
+# operations using transactions, this is safe.
+import signal
+signal.signal(signal.SIGINT, signal.SIG_DFL)
+
+class DnsHandler(sserver.BaseRequestHandler):
+ dns_qtype_strings = dict((v, k) for k, v in vars(dns).items() if k.startswith('DNS_QTYPE_'))
+ def dns_qtype_string(self, qtype):
+ "Return a readable qtype code"
+ return self.dns_qtype_strings[qtype]
+
+ dns_rcode_strings = dict((v, k) for k, v in vars(dns).items() if k.startswith('DNS_RCODE_'))
+ def dns_rcode_string(self, rcode):
+ "Return a readable error code"
+ return self.dns_rcode_strings[rcode]
+
+ def dns_transaction_udp(self, packet, host):
+ "send a DNS query and read the reply"
+ s = None
+ flags = socket.AddressInfo.AI_NUMERICHOST
+ flags |= socket.AddressInfo.AI_NUMERICSERV
+ flags |= socket.AddressInfo.AI_PASSIVE
+ addr_info = socket.getaddrinfo(host, int(53),
+ type=socket.SocketKind.SOCK_DGRAM,
+ flags=flags)
+ assert len(addr_info) == 1
+ try:
+ send_packet = ndr.ndr_pack(packet)
+ s = socket.socket(addr_info[0][0], addr_info[0][1], 0)
+ s.settimeout(DNS_REQUEST_TIMEOUT)
+ s.connect(addr_info[0][4])
+ s.sendall(send_packet, 0)
+ recv_packet = s.recv(2048, 0)
+ return ndr.ndr_unpack(dns.name_packet, recv_packet)
+ except socket.error as err:
+ print("Error sending to host %s for name %s: %s\n" %
+ (host, packet.questions[0].name, err.errno))
+ raise
+ finally:
+ if s is not None:
+ s.close()
+
+ def get_pdc_ipv4_addr(self, lookup_name):
+ """Maps a DNS realm to the IPv4 address of the PDC for that testenv"""
+
+ realm_to_ip_mappings = self.server.realm_to_ip_mappings
+
+ # sort the realms so we find the longest-match first
+ testenv_realms = sorted(realm_to_ip_mappings.keys(), key=len)
+ testenv_realms.reverse()
+
+ for realm in testenv_realms:
+ if lookup_name.endswith(realm):
+ # return the corresponding IP address for this realm's PDC
+ return realm_to_ip_mappings[realm]
+
+ return None
+
+ def forwarder(self, name):
+ lname = name.lower()
+
+ # check for special cases used by tests (e.g. dns_forwarder.py)
+ if lname.endswith('an-address-that-will-not-resolve'):
+ return 'ignore'
+ if lname.endswith('dsfsdfs'):
+ return 'fail'
+ if lname.endswith("torture1", 0, len(lname)-2):
+ # CATCH TORTURE100, TORTURE101, ...
+ return 'torture'
+ if lname.endswith('_none_.example.com'):
+ return 'torture'
+ if lname.endswith('torturedom.samba.example.com'):
+ return 'torture'
+
+ # return the testenv PDC matching the realm being requested
+ return self.get_pdc_ipv4_addr(lname)
+
+ def handle(self):
+ start = time.monotonic()
+ data, sock = self.request
+ query = ndr.ndr_unpack(dns.name_packet, data)
+ name = query.questions[0].name
+ forwarder = self.forwarder(name)
+ response = None
+
+ if forwarder == 'ignore':
+ return
+ elif forwarder == 'fail':
+ pass
+ elif forwarder in ['torture', None]:
+ response = query
+ response.operation |= dns.DNS_FLAG_REPLY
+ response.operation |= dns.DNS_FLAG_RECURSION_AVAIL
+ response.operation |= dns.DNS_RCODE_NXDOMAIN
+ else:
+ try:
+ response = self.dns_transaction_udp(query, forwarder)
+ except OSError as err:
+ print("dns_hub: Error sending dns query to forwarder[%s] for name[%s]: %s" %
+ (forwarder, name, err))
+
+ if response is None:
+ response = query
+ response.operation |= dns.DNS_FLAG_REPLY
+ response.operation |= dns.DNS_FLAG_RECURSION_AVAIL
+ response.operation |= dns.DNS_RCODE_SERVFAIL
+
+ send_packet = ndr.ndr_pack(response)
+
+ end = time.monotonic()
+ tdiff = end - start
+ errcode = response.operation & dns.DNS_RCODE
+ if tdiff > (DNS_REQUEST_TIMEOUT/5):
+ debug = True
+ else:
+ debug = False
+ if debug:
+ print("dns_hub: forwarder[%s] client[%s] name[%s][%s] %s response.operation[0x%x] tdiff[%s]\n" %
+ (forwarder, self.client_address, name,
+ self.dns_qtype_string(query.questions[0].question_type),
+ self.dns_rcode_string(errcode), response.operation, tdiff))
+
+ try:
+ sock.sendto(send_packet, self.client_address)
+ except socket.error as err:
+ print("dns_hub: Error sending response to client[%s] for name[%s] tdiff[%s]: %s\n" %
+ (self.client_address, name, tdiff, err))
+
+
+class server_thread(threading.Thread):
+ def __init__(self, server, name):
+ threading.Thread.__init__(self, name=name)
+ self.server = server
+
+ def run(self):
+ print("dns_hub[%s]: before serve_forever()" % self.name)
+ self.server.serve_forever()
+ print("dns_hub[%s]: after serve_forever()" % self.name)
+
+ def stop(self):
+ print("dns_hub[%s]: before shutdown()" % self.name)
+ self.server.shutdown()
+ print("dns_hub[%s]: after shutdown()" % self.name)
+
+class UDPV4Server(sserver.UDPServer):
+ address_family = socket.AF_INET
+
+class UDPV6Server(sserver.UDPServer):
+ address_family = socket.AF_INET6
+
+def main():
+ if len(sys.argv) < 4:
+ print("Usage: dns_hub.py TIMEOUT LISTENADDRESS[,LISTENADDRESS,...] MAPPING[,MAPPING,...]")
+ sys.exit(1)
+
+ timeout = int(sys.argv[1]) * 1000
+ timeout = min(timeout, 2**31 - 1) # poll with 32-bit int can't take more
+ # we pass in the listen addresses as a comma-separated string.
+ listenaddresses = sys.argv[2].split(',')
+ # we pass in the realm-to-IP mappings as a comma-separated key=value
+ # string. Convert this back into a dictionary that the DnsHandler can use
+ realm_mappings = collections.OrderedDict(kv.split('=') for kv in sys.argv[3].split(','))
+
+ def prepare_server_thread(listenaddress, realm_mappings):
+
+ flags = socket.AddressInfo.AI_NUMERICHOST
+ flags |= socket.AddressInfo.AI_NUMERICSERV
+ flags |= socket.AddressInfo.AI_PASSIVE
+ addr_info = socket.getaddrinfo(listenaddress, int(53),
+ type=socket.SocketKind.SOCK_DGRAM,
+ flags=flags)
+ assert len(addr_info) == 1
+ if addr_info[0][0] == socket.AddressFamily.AF_INET6:
+ server = UDPV6Server(addr_info[0][4], DnsHandler)
+ else:
+ server = UDPV4Server(addr_info[0][4], DnsHandler)
+
+ # we pass in the realm-to-IP mappings as a comma-separated key=value
+ # string. Convert this back into a dictionary that the DnsHandler can use
+ server.realm_to_ip_mappings = realm_mappings
+ t = server_thread(server, name="UDP[%s]" % listenaddress)
+ return t
+
+ print("dns_hub will proxy DNS requests for the following realms:")
+ for realm, ip in realm_mappings.items():
+ print(" {0} ==> {1}".format(realm, ip))
+
+ print("dns_hub will listen on the following UDP addresses:")
+ threads = []
+ for listenaddress in listenaddresses:
+ print(" %s" % listenaddress)
+ t = prepare_server_thread(listenaddress, realm_mappings)
+ threads.append(t)
+
+ for t in threads:
+ t.start()
+ p = select.poll()
+ stdin = sys.stdin.fileno()
+ p.register(stdin, select.POLLIN)
+ p.poll(timeout)
+ print("dns_hub: after poll()")
+ for t in threads:
+ t.stop()
+ for t in threads:
+ t.join()
+ print("dns_hub: before exit()")
+ sys.exit(0)
+
+main()
diff --git a/selftest/tests.py b/selftest/tests.py
new file mode 100644
index 0000000..58dffe4
--- /dev/null
+++ b/selftest/tests.py
@@ -0,0 +1,477 @@
+#!/usr/bin/python
+# This script generates a list of testsuites that should be run as part of
+# the Samba test suite.
+
+# The output of this script is parsed by selftest.pl, which then decides
+# which of the tests to actually run. It will, for example, skip all tests
+# listed in selftest/skip or only run a subset during "make quicktest".
+
+# The idea is that this script outputs all of the tests of Samba, not
+# just those that are known to pass, and list those that should be skipped
+# or are known to fail in selftest/skip or selftest/knownfail. This makes it
+# very easy to see what functionality is still missing in Samba and makes
+# it possible to run the testsuite against other servers, such as
+# Windows that have a different set of features.
+
+# The syntax for a testsuite is "-- TEST --" on a single line, followed
+# by the name of the test, the environment it needs and the command to run, all
+# three separated by newlines. All other lines in the output are considered
+# comments.
+
+import os, tempfile
+from selftesthelpers import bindir, srcdir, python
+from selftesthelpers import planpythontestsuite, samba4srcdir
+from selftesthelpers import plantestsuite, bbdir
+from selftesthelpers import configuration, valgrindify
+from selftesthelpers import skiptestsuite
+
+try:
+ config_h = os.environ["CONFIG_H"]
+except KeyError:
+ samba4bindir = bindir()
+ config_h = os.path.join(samba4bindir, "default/include/config.h")
+
+# check available features
+config_hash = dict()
+f = open(config_h, 'r')
+try:
+ lines = f.readlines()
+ config_hash = dict((x[0], ' '.join(x[1:]))
+ for x in map(lambda line: line.strip().split(' ')[1:],
+ list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
+finally:
+ f.close()
+
+have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
+with_pam = ("WITH_PAM" in config_hash)
+with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
+pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
+pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
+have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
+using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
+
+planpythontestsuite("none", "samba.tests.source")
+planpythontestsuite("none", "samba.tests.source_chars")
+
+if have_man_pages_support:
+ planpythontestsuite("none", "samba.tests.docs")
+
+try:
+ import testscenarios
+except ImportError:
+ skiptestsuite("subunit", "testscenarios not available")
+else:
+ planpythontestsuite("none", "subunit.tests.test_suite")
+planpythontestsuite("none", "samba.tests.blackbox.ndrdump")
+planpythontestsuite("none", "samba.tests.blackbox.check_output")
+planpythontestsuite("none", "api", name="ldb.python", extra_path=['lib/ldb/tests/python'])
+planpythontestsuite("none", "samba.tests.credentials")
+planpythontestsuite("none", "samba.tests.registry")
+planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.auth")
+planpythontestsuite("none", "samba.tests.get_opt")
+planpythontestsuite("none", "samba.tests.cred_opt")
+planpythontestsuite("none", "samba.tests.security")
+planpythontestsuite("none", "samba.tests.dcerpc.misc")
+planpythontestsuite("none", "samba.tests.dcerpc.integer")
+planpythontestsuite("none", "samba.tests.param")
+planpythontestsuite("none", "samba.tests.upgrade")
+planpythontestsuite("none", "samba.tests.core")
+planpythontestsuite("none", "samba.tests.common")
+planpythontestsuite("none", "samba.tests.provision")
+planpythontestsuite("none", "samba.tests.password_quality")
+planpythontestsuite("none", "samba.tests.strings")
+planpythontestsuite("none", "samba.tests.netcmd")
+planpythontestsuite("none", "samba.tests.dcerpc.rpc_talloc")
+planpythontestsuite("none", "samba.tests.dcerpc.array")
+planpythontestsuite("none", "samba.tests.dcerpc.string_tests")
+planpythontestsuite("none", "samba.tests.hostconfig")
+planpythontestsuite("ad_dc_ntvfs:local", "samba.tests.messaging")
+planpythontestsuite("none", "samba.tests.s3param")
+planpythontestsuite("none", "samba.tests.s3passdb")
+planpythontestsuite("none", "samba.tests.s3registry")
+planpythontestsuite("none", "samba.tests.s3windb")
+planpythontestsuite("none", "samba.tests.s3idmapdb")
+planpythontestsuite("none", "samba.tests.samba3sam")
+planpythontestsuite("none", "samba.tests.dsdb_api")
+planpythontestsuite("none", "samba.tests.smbconf")
+planpythontestsuite("none", "samba.tests.logfiles")
+planpythontestsuite(
+ "none", "wafsamba.tests.test_suite",
+ extra_path=[os.path.join(samba4srcdir, "..", "buildtools"),
+ os.path.join(samba4srcdir, "..", "third_party", "waf")])
+planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest")
+planpythontestsuite("nt4_dc_smb1", "samba.tests.dcerpc.binding")
+planpythontestsuite('ad_dc:local', "samba.tests.dcerpc.samr_change_password")
+planpythontestsuite('ad_dc_fips:local',
+ "samba.tests.dcerpc.samr_change_password",
+ environ={'GNUTLS_FORCE_FIPS_MODE': '1',
+ 'OPENSSL_FORCE_FIPS_MODE': '1'})
+
+
+def cmdline(script, *args):
+ """
+ Prefix PYTHON env var and append --configurefile option to abs script path.
+
+ script.sh arg1 arg2
+ -->
+ PYTHON=python /path/to/bbdir/script.sh arg1 arg2 \
+ --configurefile $SMB_CONF_FILE
+ """
+ return [
+ "PYTHON=%s" % python,
+ os.path.join(bbdir, script),
+ ] + list(args) + [configuration]
+
+
+plantestsuite(
+ "samba4.blackbox.demote-saveddb", "none",
+ cmdline('demote-saveddb.sh', '$PREFIX_ABS/demote'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck.alpha13", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'alpha13'))
+
+# same test as above but skip member link checks
+plantestsuite(
+ "samba4.blackbox.dbcheck.alpha13.quick", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'alpha13', '--quick-membership-checks'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-0-0", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-0-0'))
+
+# same test as above but skip member link checks
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-0-0.quick", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-0-0', '--quick-membership-checks'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-1-0rc3", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-1-0rc3'))
+
+# same test as above but skip member link checks
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-1-0rc3.quick", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-1-0rc3', '--quick-membership-checks'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-1-6-partial-object", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-1-6-partial-object'))
+
+# same test as above but skip member link checks
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-1-6-partial-object.quick", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-1-6-partial-object', '--quick-membership-checks'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-5-0-pre1", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-5-0-pre1'))
+
+# same test as above but skip member link checks
+plantestsuite(
+ "samba4.blackbox.dbcheck.release-4-5-0-pre1.quick", "none",
+ cmdline('dbcheck-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-5-0-pre1', '--quick-membership-checks'))
+
+plantestsuite(
+ "samba4.blackbox.upgradeprovision.alpha13", "none",
+ cmdline('upgradeprovision-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'alpha13'))
+
+plantestsuite(
+ "samba4.blackbox.upgradeprovision.release-4-0-0", "none",
+ cmdline('upgradeprovision-oldrelease.sh', '$PREFIX_ABS/provision',
+ 'release-4-0-0'))
+
+plantestsuite(
+ "samba4.blackbox.tombstones-expunge.release-4-5-0-pre1", "none",
+ cmdline('tombstones-expunge.sh', '$PREFIX_ABS/provision',
+ 'release-4-5-0-pre1'))
+
+plantestsuite(
+ "samba4.blackbox.dbcheck-links.release-4-5-0-pre1", "none",
+ cmdline('dbcheck-links.sh', '$PREFIX_ABS/provision',
+ 'release-4-5-0-pre1'))
+
+plantestsuite(
+ "samba4.blackbox.runtime-links.release-4-5-0-pre1", "none",
+ cmdline('runtime-links.sh', '$PREFIX_ABS/provision',
+ 'release-4-5-0-pre1'))
+
+plantestsuite(
+ "samba4.blackbox.schemaupgrade", "none",
+ cmdline('schemaupgrade.sh', '$PREFIX_ABS/provision'))
+
+plantestsuite(
+ "samba4.blackbox.functionalprep", "none",
+ cmdline('functionalprep.sh', '$PREFIX_ABS/provision'))
+
+plantestsuite(
+ "samba4.blackbox.test_special_group", "none",
+ cmdline('test_special_group.sh', '$PREFIX_ABS/provision'))
+
+planpythontestsuite("none", "samba.tests.upgradeprovision")
+planpythontestsuite("none", "samba.tests.xattr")
+planpythontestsuite("none", "samba.tests.ntacls")
+planpythontestsuite("none", "samba.tests.policy")
+planpythontestsuite("none", "samba.tests.kcc.graph")
+planpythontestsuite("none", "samba.tests.kcc.graph_utils")
+planpythontestsuite("none", "samba.tests.kcc.ldif_import_export")
+planpythontestsuite("none", "samba.tests.graph")
+plantestsuite("wafsamba.duplicate_symbols", "none", [os.path.join(srcdir(), "buildtools/wafsamba/test_duplicate_symbol.sh")])
+planpythontestsuite("none", "samba.tests.glue")
+planpythontestsuite("none", "samba.tests.tdb_util")
+planpythontestsuite("none", "samba.tests.samdb")
+planpythontestsuite("none", "samba.tests.samdb_api")
+planpythontestsuite("none", "samba.tests.ndr")
+
+if with_pam:
+ env = "ad_member"
+ options = [
+ {
+ "description": "krb5",
+ "pam_options": "krb5_auth krb5_ccache_type=FILE:%s/krb5cc_pam_test_%%u" % (tempfile.gettempdir()),
+ },
+ {
+ "description": "default",
+ "pam_options": "",
+ },
+ ]
+ for o in options:
+ description = o["description"]
+ pam_options = "'%s'" % o["pam_options"]
+
+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$SERVER", "$USERNAME", "$PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$REALM", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_F_BOTH_DOMAIN",
+ "$TRUST_F_BOTH_USERNAME",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both2+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_F_BOTH_REALM",
+ "$TRUST_F_BOTH_USERNAME",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both3+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both4+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both5+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_F_BOTH_REALM}",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_DOMAIN}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_f_both6+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_F_BOTH_DOMAIN}",
+ "${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}",
+ "$TRUST_F_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both1+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_E_BOTH_DOMAIN",
+ "$TRUST_E_BOTH_USERNAME",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both2+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$TRUST_E_BOTH_REALM",
+ "$TRUST_E_BOTH_USERNAME",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both3+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_DOMAIN}",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both4+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "''",
+ "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_REALM}",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both5+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_E_BOTH_REALM}",
+ "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_DOMAIN}",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+ plantestsuite("samba.tests.pam_winbind(trust_e_both6+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${TRUST_E_BOTH_DOMAIN}",
+ "${TRUST_E_BOTH_USERNAME}@${TRUST_E_BOTH_REALM}",
+ "$TRUST_E_BOTH_PASSWORD",
+ pam_options])
+
+ for authtok_options in ["", "use_authtok", "try_authtok"]:
+ _pam_options = "'%s %s'" % (o["pam_options"], authtok_options)
+ _description = "%s %s" % (description, authtok_options)
+ plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"),
+ valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path,
+ "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0",
+ _pam_options, 'yes',
+ "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"])
+
+ plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env,
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "$DOMAIN", "alice", "Secret007",
+ pam_options])
+
+ description = "krb5"
+ pam_options = "'krb5_auth krb5_ccache_type=FILE:%s/krb5cc_pam_test_setcred_%%u'" % (tempfile.gettempdir())
+ plantestsuite("samba.tests.pam_winbind_setcred(domain+%s)" % description, "ad_dc:local",
+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_setcred.sh"),
+ valgrindify(python), pam_wrapper_so_path,
+ "${DOMAIN}", "${DC_USERNAME}", "${DC_PASSWORD}",
+ pam_options])
+
+
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.background_send",
+ "none",
+ [os.path.join(
+ bindir(),
+ "default/testsuite/unittests/test_background_send"),
+ "$SMB_CONF_PATH"])
+
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb_util_translate", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_util_translate")])
+
+plantestsuite("samba.unittests.talloc_keep_secret", "none",
+ [os.path.join(bindir(), "default/lib/util/test_talloc_keep_secret")])
+
+plantestsuite("samba.unittests.tldap", "none",
+ [os.path.join(bindir(), "default/source3/test_tldap")])
+plantestsuite("samba.unittests.rfc1738", "none",
+ [os.path.join(bindir(), "default/lib/util/test_rfc1738")])
+plantestsuite("samba.unittests.kerberos", "none",
+ [os.path.join(bindir(), "test_kerberos")])
+plantestsuite("samba.unittests.ms_fnmatch", "none",
+ [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
+plantestsuite("samba.unittests.byteorder", "none",
+ [os.path.join(bindir(), "default/lib/util/test_byteorder")])
+plantestsuite("samba.unittests.bytearray", "none",
+ [os.path.join(bindir(), "default/lib/util/test_bytearray")])
+plantestsuite("samba.unittests.byteorder_verify", "none",
+ [os.path.join(bindir(), "default/lib/util/test_byteorder_verify")])
+plantestsuite("samba.unittests.util_paths", "none",
+ [os.path.join(bindir(), "default/lib/util/test_util_paths")])
+plantestsuite("samba.unittests.util", "none",
+ [os.path.join(bindir(), "default/lib/util/test_util")])
+plantestsuite("samba.unittests.memcache", "none",
+ [os.path.join(bindir(), "default/lib/util/test_memcache")])
+plantestsuite("samba.unittests.sys_rw", "none",
+ [os.path.join(bindir(), "default/lib/util/test_sys_rw")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
+plantestsuite("samba.unittests.gnutls", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_gnutls")])
+plantestsuite("samba.unittests.rc4_passwd_buffer", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_rc4_passwd_buffer")])
+plantestsuite("samba.unittests.schannel", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_schannel")])
+plantestsuite("samba.unittests.test_registry_regfio", "none",
+ [os.path.join(bindir(), "default/source3/test_registry_regfio")])
+plantestsuite("samba.unittests.test_oLschema2ldif", "none",
+ [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
+plantestsuite("samba.unittests.auth.sam", "none",
+ [os.path.join(bindir(), "test_auth_sam")])
+if have_heimdal_support and not using_system_gssapi:
+ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
+ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
+if with_elasticsearch_backend:
+ plantestsuite("samba.unittests.mdsparser_es", "none",
+ [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
+ plantestsuite("samba.unittests.mdsparser_es_failures", "none",
+ [os.path.join(bindir(), "default/source3/test_mdsparser_es"),
+ " --option=elasticsearch:testmappingfailures=yes",
+ " --option=elasticsearch:ignoreunknownattribute=yes",
+ " --option=elasticsearch:ignoreunknowntype=yes"] +
+ [configuration])
+plantestsuite("samba.unittests.credentials", "none",
+ [os.path.join(bindir(), "default/auth/credentials/test_creds")])
+plantestsuite("samba.unittests.tsocket_bsd_addr", "none",
+ [os.path.join(bindir(), "default/lib/tsocket/test_tsocket_bsd_addr")])
+plantestsuite("samba.unittests.tsocket_tstream", "none",
+ [os.path.join(bindir(), "default/lib/tsocket/test_tstream")],
+ environ={'SOCKET_WRAPPER_DIR': ''})
+plantestsuite("samba.unittests.adouble", "none",
+ [os.path.join(bindir(), "test_adouble")])
+plantestsuite("samba.unittests.gnutls_aead_aes_256_cbc_hmac_sha512", "none",
+ [os.path.join(bindir(), "test_gnutls_aead_aes_256_cbc_hmac_sha512")])
+plantestsuite("samba.unittests.encode_decode", "none",
+ [os.path.join(bindir(), "test_encode_decode")])
diff --git a/selftest/todo_smb2_tests_to_port.list b/selftest/todo_smb2_tests_to_port.list
new file mode 100644
index 0000000..dc1df96
--- /dev/null
+++ b/selftest/todo_smb2_tests_to_port.list
@@ -0,0 +1,404 @@
+# entries generated from the output of the following command(s)
+# saved to a file and the results sorted
+#
+# python3 source3/selftest/tests.py | grep "^samba" \
+# | grep _smb1 | grep -v _done
+# python3 source4/selftest/tests.py | grep "^samba" \
+# | grep _smb1 | grep -v _done
+# python3 selftest/tests.py | grep "^samba" \
+# | grep _smb1 | grep -v _done
+#
+# Tests that are ported should be moved to approriate _smb1_done
+# test environment and the entry removed from here
+samba3.base.attr(ad_dc_smb1)
+samba3.base.attr(nt4_dc_smb1)
+samba3.base.chkpath(ad_dc_smb1)
+samba3.base.chkpath(nt4_dc_smb1)
+samba3.base.createx_access(ad_dc_smb1)
+samba3.base.defer_open(ad_dc_smb1)
+samba3.base.defer_open(nt4_dc_smb1)
+samba3.base.delaywrite(fileserver_smb1)
+samba3.base.delete(ad_dc_smb1)
+samba3.base.delete(nt4_dc_smb1)
+samba3.base.deny1(fileserver_smb1)
+samba3.base.deny2(fileserver_smb1)
+samba3.base.deny3(ad_dc_smb1)
+samba3.base.deny3(nt4_dc_smb1)
+samba3.base.denydos(ad_dc_smb1)
+samba3.base.denydos(nt4_dc_smb1)
+samba3.base.dir1(ad_dc_smb1)
+samba3.base.dir1(nt4_dc_smb1)
+samba3.base.dir2(ad_dc_smb1)
+samba3.base.dir2(nt4_dc_smb1)
+samba3.base.disconnect(ad_dc_smb1)
+samba3.base.disconnect(nt4_dc_smb1)
+samba3.base.fdpass(ad_dc_smb1)
+samba3.base.fdpass(nt4_dc_smb1)
+samba3.base.lock(nt4_dc_smb1)
+samba3.base.negnowait(ad_dc_smb1)
+samba3.base.negnowait(nt4_dc_smb1)
+samba3.base.ntdeny1(ad_dc_smb1)
+samba3.base.ntdeny1(nt4_dc_smb1)
+samba3.base.ntdeny2(ad_dc_smb1)
+samba3.base.ntdeny2(nt4_dc_smb1)
+samba3.base.open(ad_dc_smb1)
+samba3.base.openattr(ad_dc_smb1)
+samba3.base.openattr(nt4_dc_smb1)
+samba3.base.open(nt4_dc_smb1)
+samba3.base.properties(ad_dc_smb1)
+samba3.base.properties(nt4_dc_smb1)
+samba3.base.rename(ad_dc_smb1)
+samba3.base.rename(nt4_dc_smb1)
+samba3.base.rw1(ad_dc_smb1)
+samba3.base.rw1(nt4_dc_smb1)
+samba3.base.samba3error(ad_dc_smb1)
+samba3.base.samba3error(nt4_dc_smb1)
+samba3.base.secleak(ad_dc_smb1)
+samba3.base.secleak(nt4_dc_smb1)
+samba3.base.tcondev(ad_dc_smb1)
+samba3.base.tcondev(nt4_dc_smb1)
+samba3.base.trans2(ad_dc_smb1)
+samba3.base.trans2(nt4_dc_smb1)
+samba3.base.unlink(ad_dc_smb1)
+samba3.base.unlink(nt4_dc_smb1)
+samba3.base.vuid(ad_dc_smb1)
+samba3.base.vuid(nt4_dc_smb1)
+samba3.base.xcopy(ad_dc_smb1)
+samba3.base.xcopy(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain..member_creds(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientntlmv2auth=no.member_creds(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientntlmv2auth=no(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientusespnego=no --option=clientntlmv2auth=no.member_creds(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1.member_creds(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1(nt4_dc_smb1)
+samba3.blackbox.smbclient_auth.plain.--option=clientusespnego=no --option=clientntlmv2auth=no(nt4_dc_smb1)
+samba3.blackbox.smbclient_basic.NT1(nt4_dc_smb1)
+samba3.blackbox.smbspool(ad_dc_smb1)
+samba3.nbt.dgram(nt4_dc_smb1)
+samba3.rap.basic(ad_dc_smb1)
+samba3.rap.basic(nt4_dc_smb1)
+samba3.rap.rpc(ad_dc_smb1)
+samba3.rap.rpc(nt4_dc_smb1)
+samba3.rap.sam(ad_dc_smb1)
+samba3.rap.sam(nt4_dc_smb1)
+samba3.raw.acls(ad_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-nfs-40(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-nfs-41(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-simple-40(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-simple-41(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-special-40(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-xdr-40(nt4_dc_smb1)
+samba3.raw.acls nfs4acl_xattr-xdr-41(nt4_dc_smb1)
+samba3.raw.acls(nt4_dc_smb1)
+samba3.raw.chkpath(ad_dc_smb1)
+samba3.raw.chkpath(nt4_dc_smb1)
+samba3.raw.close(ad_dc_smb1)
+samba3.raw.close(nt4_dc_smb1)
+samba3.raw.composite(ad_dc_smb1)
+samba3.raw.composite(nt4_dc_smb1)
+samba3.raw.eas(ad_dc_smb1)
+samba3.raw.eas(nt4_dc_smb1)
+samba3.raw.lock(nt4_dc_smb1)
+samba3.raw.notify(nt4_dc_smb1)
+samba3.raw.open(ad_dc_smb1)
+samba3.raw.open(nt4_dc_smb1)
+samba3.raw.oplock(nt4_dc_smb1)
+samba3.raw.read(ad_dc_smb1)
+samba3.raw.read aio(nt4_dc_smb1)
+samba3.raw.read(nt4_dc_smb1)
+samba3.raw.rename(ad_dc_smb1)
+samba3.raw.rename(nt4_dc_smb1)
+samba3.raw.samba3badnameblob(ad_dc_smb1)
+samba3.raw.samba3badnameblob(nt4_dc_smb1)
+samba3.raw.samba3badpath(ad_dc_smb1)
+samba3.raw.samba3badpath(nt4_dc_smb1)
+samba3.raw.samba3caseinsensitive(ad_dc_smb1)
+samba3.raw.samba3caseinsensitive(nt4_dc_smb1)
+samba3.raw.samba3checkfsp(ad_dc_smb1)
+samba3.raw.samba3checkfsp(fileserver_smb1)
+samba3.raw.samba3checkfsp(nt4_dc_smb1)
+samba3.raw.samba3closeerr(ad_dc_smb1)
+samba3.raw.samba3closeerr(fileserver_smb1)
+samba3.raw.samba3closeerr(nt4_dc_smb1)
+samba3.raw.samba3hide(ad_dc_smb1)
+samba3.raw.samba3hide(fileserver_smb1)
+samba3.raw.samba3hide(nt4_dc_smb1)
+samba3.raw.samba3oplocklogoff(ad_dc_smb1)
+samba3.raw.samba3oplocklogoff(nt4_dc_smb1)
+samba3.raw.samba3posixtimedlock(ad_dc_smb1)
+samba3.raw.samba3posixtimedlock brl_delay_inject1(nt4_dc_smb1)
+samba3.raw.samba3posixtimedlock brl_delay_inject2(nt4_dc_smb1)
+samba3.raw.samba3posixtimedlock(nt4_dc_smb1)
+samba3.raw.samba3rootdirfid(ad_dc_smb1)
+samba3.raw.samba3rootdirfid(nt4_dc_smb1)
+samba3.raw.search(ad_dc_smb1)
+samba3.raw.search(nt4_dc_smb1)
+samba3.raw.seek(ad_dc_smb1)
+samba3.raw.seek(nt4_dc_smb1)
+samba3.raw.session enc(nt4_dc_smb1)
+samba3.raw.session krb5(ad_dc_smb1)
+samba3.raw.session ntlm(ad_dc_smb1)
+samba3.raw.session plain(nt4_dc_smb1)
+samba3.raw.sfileinfo.bug(ad_dc_smb1)
+samba3.raw.sfileinfo.bug(nt4_dc_smb1)
+samba3.raw.sfileinfo.end-of-file(ad_dc_smb1)
+samba3.raw.sfileinfo.end-of-file(nt4_dc_smb1)
+samba3.raw.sfileinfo.rename(ad_dc_smb1)
+samba3.raw.sfileinfo.rename(nt4_dc_smb1)
+samba3.raw.streams(ad_dc_smb1)
+samba3.raw.streams(nt4_dc_smb1)
+samba3.raw.unlink(ad_dc_smb1)
+samba3.raw.unlink(nt4_dc_smb1)
+samba3.raw.write(ad_dc_smb1)
+samba3.raw.write(nt4_dc_smb1)
+samba3.rpc.authcontext(ad_dc_smb1)
+samba3.rpc.authcontext(nt4_dc_smb1)
+samba3.rpc.join(ad_dc_smb1)
+samba3.rpc.join(nt4_dc_smb1)
+samba3.rpc.samba3.bind(ad_dc_smb1)
+samba3.rpc.samba3.bind(nt4_dc_smb1)
+samba3.rpc.samba3.getusername(ad_dc_smb1)
+samba3.rpc.samba3.getusername(nt4_dc_smb1)
+samba3.rpc.samba3.netlogon(ad_dc_smb1)
+samba3.rpc.samba3.netlogon(nt4_dc_smb1)
+samba3.rpc.samba3.sessionkey(ad_dc_smb1)
+samba3.rpc.samba3.sessionkey(nt4_dc_smb1)
+samba3.rpc.samba3.sharesec(ad_dc_smb1)
+samba3.rpc.samba3.sharesec(nt4_dc_smb1)
+samba3.rpc.samba3.smb1-pipe-name(ad_dc_smb1)
+samba3.rpc.samba3.smb1-pipe-name(nt4_dc_smb1)
+samba3.rpc.samba3.smb-reauth1(ad_dc_smb1)
+samba3.rpc.samba3.smb-reauth1(nt4_dc_smb1)
+samba3.rpc.samba3.smb-reauth2(ad_dc_smb1)
+samba3.rpc.samba3.smb-reauth2(nt4_dc_smb1)
+samba3.rpc.samba3.spoolss(ad_dc_smb1)
+samba3.rpc.samba3.spoolss(nt4_dc_smb1)
+samba3.rpc.samba3.wkssvc(ad_dc_smb1)
+samba3.rpc.samba3.wkssvc(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.ATTR(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.BAD-NBT-SESSION(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.BROWSE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CASE-INSENSITIVE-CREATE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CHAIN1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CHAIN2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CHAIN3(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CHKPATH(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CLEANUP1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CLEANUP2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CLEANUP4(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.CLI_SPLICE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DELETE-LN(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DELETE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DELETE-STREAM(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DIR1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DIR-CREATETIME(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.DIR(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.FDPASS(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.FDSESS(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.IOCTL(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LARGE_READX(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK10(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK11(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK12(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK13(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK3(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK4(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK5(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK6(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK7(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK9A(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.LOCK9B(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.NTTRANS-FSCTL(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.OPEN(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.OPLOCK1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.OPLOCK2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.OPLOCK4(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.OWNER-RIGHTS(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.PIDHIGH(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.PROPERTIES(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RENAME-ACCESS(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RENAME(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RW1(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RW2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RW3(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.RW-SIGNING(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-ANONYMOUS(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-BASIC(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-DIR-FSYNC(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-FTRUNCATE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-NEGPROT(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-PATH-SLASH(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-SESSION-REAUTH(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.SMB2-SESSION-RECONNECT(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.STREAMERROR(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.TCON2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.TCONDEV(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.TCON(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.TORTURE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.TRANS2(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.UID-REGRESSION-TEST(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.UNLINK(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.W2K(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_client.XCOPY(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-ACL-OPLOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-ACL-SHAREROOT(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-APPEND(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-BLOCKING-LOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-MKDIR(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-OFD-LOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-STREAM-DELETE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-SYMLINK-ACL(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.POSIX-SYMLINK-EA(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt_server.TORTURE(nt4_dc_smb1)
+samba3.smbtorture_s3.crypt.WINDOWS-BAD-SYMLINK(nt4_dc_smb1)
+samba3.smbtorture_s3.hidenewfiles(fileserver_smb1)(fileserver_smb1)
+samba3.smbtorture_s3.plain.ATTR(fileserver_smb1)
+samba3.smbtorture_s3.plain.BAD-NBT-SESSION(fileserver_smb1)
+samba3.smbtorture_s3.plain.BROWSE(fileserver_smb1)
+samba3.smbtorture_s3.plain.CASE-INSENSITIVE-CREATE(fileserver_smb1)
+samba3.smbtorture_s3.plain.CHAIN1(fileserver_smb1)
+samba3.smbtorture_s3.plain.CHAIN2(fileserver_smb1)
+samba3.smbtorture_s3.plain.CHAIN3(fileserver_smb1)
+samba3.smbtorture_s3.plain.CHKPATH(fileserver_smb1)
+samba3.smbtorture_s3.plain.CLEANUP1(fileserver_smb1)
+samba3.smbtorture_s3.plain.CLEANUP2(fileserver_smb1)
+samba3.smbtorture_s3.plain.CLEANUP4(fileserver_smb1)
+samba3.smbtorture_s3.plain.CLI_SPLICE(fileserver_smb1)
+samba3.smbtorture_s3.plain.DELETE(fileserver_smb1)
+samba3.smbtorture_s3.plain.DELETE-LN(fileserver_smb1)
+samba3.smbtorture_s3.plain.DELETE-STREAM(fileserver_smb1)
+samba3.smbtorture_s3.plain.DIR1(fileserver_smb1)
+samba3.smbtorture_s3.plain.DIR-CREATETIME(fileserver_smb1)
+samba3.smbtorture_s3.plain.DIR(fileserver_smb1)
+samba3.smbtorture_s3.plain.FDPASS(fileserver_smb1)
+samba3.smbtorture_s3.plain.FDSESS(fileserver_smb1)
+samba3.smbtorture_s3.plain.IOCTL(fileserver_smb1)
+samba3.smbtorture_s3.plain.LARGE_READX(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK10(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK11(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK12(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK13(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK1(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK2(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK3(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK4(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK5(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK6(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK7(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK9A(fileserver_smb1)
+samba3.smbtorture_s3.plain.LOCK9B(fileserver_smb1)
+samba3.smbtorture_s3.plain.MANGLE-ILLEGAL(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.NTTRANS-FSCTL(fileserver_smb1)
+samba3.smbtorture_s3.plain.OPEN(fileserver_smb1)
+samba3.smbtorture_s3.plain.OPLOCK1(fileserver_smb1)
+samba3.smbtorture_s3.plain.OPLOCK2(fileserver_smb1)
+samba3.smbtorture_s3.plain.OPLOCK4(fileserver_smb1)
+samba3.smbtorture_s3.plain.OPLOCK5(fileserver_smb1)
+samba3.smbtorture_s3.plain.OWNER-RIGHTS(fileserver_smb1)
+samba3.smbtorture_s3.plain.PIDHIGH(fileserver_smb1)
+samba3.smbtorture_s3.plain.POSIX-ACL-OPLOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-ACL-SHAREROOT(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-APPEND(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-MKDIR(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-OFD-LOCK(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-STREAM-DELETE(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-SYMLINK-ACL(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.POSIX-SYMLINK-EA(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.PROPERTIES(fileserver_smb1)
+samba3.smbtorture_s3.plain.RENAME-ACCESS(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.RENAME(fileserver_smb1)
+samba3.smbtorture_s3.plain.RW1(fileserver_smb1)
+samba3.smbtorture_s3.plain.RW2(fileserver_smb1)
+samba3.smbtorture_s3.plain.RW3(fileserver_smb1)
+samba3.smbtorture_s3.plain.RW-SIGNING(fileserver_smb1)
+samba3.smbtorture_s3.plain.STREAMERROR(fileserver_smb1)
+samba3.smbtorture_s3.plain.TCON2(fileserver_smb1)
+samba3.smbtorture_s3.plain.TCONDEV(fileserver_smb1)
+samba3.smbtorture_s3.plain.TCON(fileserver_smb1)
+samba3.smbtorture_s3.plain.TORTURE(fileserver_smb1)
+samba3.smbtorture_s3.plain.TRANS2(fileserver_smb1)
+samba3.smbtorture_s3.plain.UID-REGRESSION-TEST(fileserver_smb1)
+samba3.smbtorture_s3.plain.UNLINK(fileserver_smb1)
+samba3.smbtorture_s3.plain.W2K(fileserver_smb1)
+samba3.smbtorture_s3.plain.WINDOWS-BAD-SYMLINK(nt4_dc_smb1)
+samba3.smbtorture_s3.plain.XCOPY(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_fork(fileserver_smb1).RW1(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_fork(fileserver_smb1).RW2(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_fork(fileserver_smb1).RW3(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_pthread(fileserver_smb1).RW1(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_pthread(fileserver_smb1).RW2(fileserver_smb1)
+samba3.smbtorture_s3.vfs_aio_pthread(fileserver_smb1).RW3(fileserver_smb1)
+samba3.unix.info2(ad_dc_smb1)
+samba3.unix.info2(nt4_dc_smb1)
+samba3.unix.whoami(ad_dc_smb1)
+samba3.unix.whoami anonymous connection(ad_dc_smb1)
+samba3.unix.whoami anonymous connection(nt4_dc_smb1)
+samba3.unix.whoami kerberos connection(ad_dc_smb1)
+samba3.unix.whoami machine account(ad_dc_smb1:local)
+samba3.unix.whoami(nt4_dc_smb1)
+samba3.unix.whoami ntlm user@realm(ad_dc_smb1)
+samba4.dfs.domain(ad_dc_smb1)
+samba4.ldap.nested-search(ad_dc_default_smb1)
+samba4.ldap.passwordsettings.python(ad_dc_default_smb1)
+samba4.non_unix_ext.libsmbclient.configuration.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.initialize.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.list_shares.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.opendir.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.options.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.readdirplus2.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.readdirplus.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.readdirplus_seek.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.setConfiguration.NT1(nt4_dc_smb1)
+samba4.non_unix_ext.libsmbclient.version.NT1(nt4_dc_smb1)
+samba4.rpc.altercontext on ncacn_np with bigendian(ad_dc_default_smb1)
+samba4.rpc.altercontext on ncacn_np with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.altercontext on ncalrpc with bigendian(ad_dc_default_smb1:local)
+samba4.rpc.altercontext on ncalrpc with seal,padcheck(ad_dc_default_smb1:local)
+samba4.rpc.authcontext with bigendian(ad_dc_smb1)
+samba4.rpc.authcontext with seal,padcheck(ad_dc_smb1)
+samba4.rpc.drsuapi on ncacn_ip_tcp with bigendian(ad_dc_default_smb1)
+samba4.rpc.drsuapi on ncacn_ip_tcp with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.drsuapi_w2k8 on ncacn_ip_tcp with bigendian(ad_dc_default_smb1)
+samba4.rpc.drsuapi_w2k8 on ncacn_ip_tcp with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.dssetup on ncacn_ip_tcp with bigendian(ad_dc_default_smb1)
+samba4.rpc.dssetup on ncacn_ip_tcp with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.dssetup on ncacn_np with bigendian(ad_dc_default_smb1)
+samba4.rpc.dssetup on ncacn_np with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.dssetup on ncalrpc with bigendian(ad_dc_default_smb1:local)
+samba4.rpc.dssetup on ncalrpc with seal,padcheck(ad_dc_default_smb1:local)
+samba4.rpc.join on ncacn_ip_tcp with bigendian(ad_dc_default_smb1)
+samba4.rpc.join on ncacn_ip_tcp with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.join on ncacn_np with bigendian(ad_dc_default_smb1)
+samba4.rpc.join on ncacn_np with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.join on ncalrpc with bigendian(ad_dc_default_smb1:local)
+samba4.rpc.join on ncalrpc with seal,padcheck(ad_dc_default_smb1:local)
+samba4.rpc.join with bigendian(ad_dc_smb1)
+samba4.rpc.join with seal,padcheck(ad_dc_smb1)
+samba4.rpc.lsa on ncacn_ip_tcp with bigendian(ad_dc_default_smb1)
+samba4.rpc.lsa on ncacn_ip_tcp with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.lsa on ncacn_np with bigendian(ad_dc_default_smb1)
+samba4.rpc.lsa on ncacn_np with seal,padcheck(ad_dc_default_smb1)
+samba4.rpc.lsa on ncalrpc with bigendian(ad_dc_default_smb1:local)
+samba4.rpc.lsa on ncalrpc with seal,padcheck(ad_dc_default_smb1:local)
+samba4.smb.spnego.krb5.no_optimistic(ad_dc_smb1)
+samba4.smb.spnego.ntlmssp.no_optimistic(ad_dc_smb1)
+samba4.unix_ext.libsmbclient.configuration.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.initialize.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.list_shares.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.opendir.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.options.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.readdirplus2.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.readdirplus.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.readdirplus_seek.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.setConfiguration.NT1(nt4_dc_smb1)
+samba4.unix_ext.libsmbclient.version.NT1(nt4_dc_smb1)
+samba.tests.auth_log(ad_dc_smb1:local)
+samba.tests.auth_log_pass_change(ad_dc_smb1)
+samba.tests.libsmb(nt4_dc_smb1)
+samba.tests.net_join_no_spnego(ad_dc_smb1)
diff --git a/selftest/ubsan.supp b/selftest/ubsan.supp
new file mode 100644
index 0000000..5b7730c
--- /dev/null
+++ b/selftest/ubsan.supp
@@ -0,0 +1,6 @@
+# Suppress the
+# "left shift of x by y places cannot be represented in type 'int'"
+# in the heimdal code for now.
+shift-base:../../third_party/heimdal/lib/hcrypto/des.c
+shift-base:../../third_party/heimdal/lib/krb5/crypto.c
+
diff --git a/selftest/valgrind_run b/selftest/valgrind_run
new file mode 100755
index 0000000..f06fa86
--- /dev/null
+++ b/selftest/valgrind_run
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+ENV="$1"
+
+shift 1
+
+CMD="$ENV valgrind --num-callers=30
+--trace-children=yes --log-file=valgrind.%p.log
+${VALGRIND_OPT- --time-stamp=yes --track-fds=yes --read-var-info=yes --track-origins=yes --leak-check=yes}
+$@"
+
+echo $CMD
+eval $CMD
diff --git a/selftest/wscript b/selftest/wscript
new file mode 100644
index 0000000..a8b6d45
--- /dev/null
+++ b/selftest/wscript
@@ -0,0 +1,381 @@
+#!/usr/bin/env python
+# vim: expandtab ft=python
+
+# selftest main code.
+
+import sys
+import os
+import optparse
+from waflib import Scripting, Options, Utils
+from waflib.ConfigSet import ConfigSet as Environment
+
+from samba_utils import *
+from samba_autoconf import *
+import types
+
+DEFAULT_SELFTEST_PREFIX="./st"
+
+def options(opt):
+
+ opt.add_option('--enable-selftest',
+ help=("enable options necessary for selftest (default=no)"),
+ action="store_true", dest='enable_selftest', default=False)
+ opt.add_option('--with-selftest-prefix',
+ help=("specify location of selftest directory "
+ "(default=%s)" % DEFAULT_SELFTEST_PREFIX),
+ action="store", dest='SELFTEST_PREFIX', default=DEFAULT_SELFTEST_PREFIX)
+
+ opt.ADD_COMMAND('test', cmd_test)
+ opt.ADD_COMMAND('testonly', cmd_testonly)
+
+ gr = opt.add_option_group('test options')
+
+ gr.add_option('--load-list',
+ help=("Load a test id list from a text file"),
+ action="store", dest='LOAD_LIST', default=None)
+ gr.add_option('--list',
+ help=("List available tests"),
+ action="store_true", dest='LIST', default=False)
+ gr.add_option('--tests',
+ help=("wildcard pattern of tests to run"),
+ action="store", dest='TESTS', default='')
+ gr.add_option('--filtered-subunit',
+ help=("output (xfail) filtered subunit"),
+ action="store_true", dest='FILTERED_SUBUNIT', default=False)
+ gr.add_option('--quick',
+ help=("enable only quick tests"),
+ action="store_true", dest='QUICKTEST', default=False)
+ gr.add_option('--slow',
+ help=("enable the really slow tests"),
+ action="store_true", dest='SLOWTEST', default=False)
+ gr.add_option('--nb-slowest',
+ help=("Show the n slowest tests (default=10)"),
+ type=int, default=10, dest='NB_SLOWEST')
+ gr.add_option('--testenv',
+ help=("start a terminal with the test environment setup"),
+ action="store_true", dest='TESTENV', default=False)
+ gr.add_option('--valgrind',
+ help=("use valgrind on client programs in the tests"),
+ action="store_true", dest='VALGRIND', default=False)
+ gr.add_option('--valgrind-log',
+ help=("where to put the valgrind log"),
+ action="store", dest='VALGRINDLOG', default=None)
+ gr.add_option('--valgrind-server',
+ help=("use valgrind on the server in the tests (opens an xterm)"),
+ action="store_true", dest='VALGRIND_SERVER', default=False)
+ gr.add_option('--screen',
+ help=("run the samba servers in screen sessions"),
+ action="store_true", dest='SCREEN', default=False)
+ gr.add_option('--gdbtest',
+ help=("run the servers within a gdb window"),
+ action="store_true", dest='GDBTEST', default=False)
+ gr.add_option('--fail-immediately',
+ help=("stop tests on first failure"),
+ action="store_true", dest='FAIL_IMMEDIATELY', default=False)
+ gr.add_option('--socket-wrapper-pcap',
+ help=("create a pcap file for each failing test"),
+ action="store_true", dest='SOCKET_WRAPPER_PCAP', default=False)
+ gr.add_option('--socket-wrapper-keep-pcap',
+ help=("create a pcap file for all individual test"),
+ action="store_true", dest='SOCKET_WRAPPER_KEEP_PCAP', default=False)
+ gr.add_option('--random-order', dest='RANDOM_ORDER', default=False,
+ action="store_true", help="Run testsuites in random order")
+ gr.add_option('--perf-test', dest='PERF_TEST', default=False,
+ action="store_true", help="run performance tests only")
+ gr.add_option('--test-list', dest='TEST_LIST', default='',
+ help=("use tests listed here, not defaults "
+ "(--test-list='FOO|' will execute FOO; "
+ "--test-list='FOO' will read it)"))
+ gr.add_option('--no-subunit-filter',
+ help=("no (xfail) subunit filtering"),
+ action="store_true", dest='NO_SUBUNIT_FILTER', default=False)
+
+
+def configure(conf):
+ conf.env.SELFTEST_PREFIX = Options.options.SELFTEST_PREFIX
+ if Options.options.enable_selftest or Options.options.developer:
+ conf.DEFINE('ENABLE_SELFTEST', 1)
+
+
+def cmd_testonly(opt):
+ '''run tests without doing a build first'''
+ env = LOAD_ENVIRONMENT()
+ opt.env = env
+
+ if Options.options.SELFTEST_PREFIX != DEFAULT_SELFTEST_PREFIX:
+ env.SELFTEST_PREFIX = Options.options.SELFTEST_PREFIX
+
+ if (not CONFIG_SET(opt, 'NSS_WRAPPER') or
+ not CONFIG_SET(opt, 'UID_WRAPPER') or
+ not CONFIG_SET(opt, 'SOCKET_WRAPPER')):
+ print("ERROR: You must use --enable-selftest to enable selftest")
+ sys.exit(1)
+
+ os.environ['SAMBA_SELFTEST'] = '1'
+
+ env.TESTS = Options.options.TESTS
+
+ env.SUBUNIT_FORMATTER = os.getenv('SUBUNIT_FORMATTER')
+
+ # Lots of test scripts need to run with the correct version
+ # of python. With the correct shebang the script should run with the
+ # correct version, the problem is that not all scripts are part
+ # of the installation, some scripts are part of the source code,
+ # and the shebang is not dynamically generated as yet.
+ # It is safer if we are somewhat version neutral at the moment and
+ # ignore the shebang and always run scripts from the test environment
+ # with the python version (determined by PYTHON env variable) If this
+ # env variable isn't set then set it according to the python version
+ # that is running the tests
+ if not os.getenv('PYTHON', None):
+ from sys import executable as exe
+ os.environ['PYTHON'] = os.path.basename(exe)
+
+ if not env.SUBUNIT_FORMATTER:
+ if Options.options.PERF_TEST:
+ env.SUBUNIT_FORMATTER = '${PYTHON} -u ${srcdir}/selftest/format-subunit-json --prefix=${SELFTEST_PREFIX}'
+ else:
+ env.SUBUNIT_FORMATTER = '${PYTHON} -u ${srcdir}/selftest/format-subunit --prefix=${SELFTEST_PREFIX} --immediate'
+ env.FILTER_XFAIL = ('${PYTHON} -u ${srcdir}/selftest/filter-subunit '
+ '--expected-failures=${srcdir}/selftest/knownfail '
+ '--expected-failures=${srcdir}/selftest/knownfail.d '
+ '--flapping=${srcdir}/selftest/flapping '
+ '--flapping=${srcdir}/selftest/flapping.d')
+
+ if Options.options.FAIL_IMMEDIATELY:
+ env.FILTER_XFAIL += ' --fail-immediately'
+
+ env.FORMAT_TEST_OUTPUT = '${SUBUNIT_FORMATTER}'
+
+ # clean any previous temporary files
+ os.system("rm -rf %s/tmp" % env.SELFTEST_PREFIX);
+
+ # put all command line options in the environment as TESTENV_*=*
+ for o in dir(Options.options):
+ if o[0:1] != '_':
+ val = getattr(Options.options, o, '')
+ if not issubclass(type(val), types.FunctionType) \
+ and not issubclass(type(val), types.MethodType):
+ os.environ['TESTENV_%s' % o.upper()] = str(getattr(Options.options, o, ''))
+
+ env.OPTIONS = ''
+ if not Options.options.SLOWTEST:
+ env.OPTIONS += ' --exclude=${srcdir}/selftest/slow'
+ if Options.options.QUICKTEST:
+ env.OPTIONS += ' --quick --include=${srcdir}/selftest/quick'
+ if Options.options.LOAD_LIST:
+ env.OPTIONS += ' --load-list=%s' % Options.options.LOAD_LIST
+ if Options.options.TESTENV:
+ env.OPTIONS += ' --testenv'
+ if Options.options.SOCKET_WRAPPER_PCAP:
+ env.OPTIONS += ' --socket-wrapper-pcap'
+ if Options.options.SOCKET_WRAPPER_KEEP_PCAP:
+ env.OPTIONS += ' --socket-wrapper-keep-pcap'
+ if Options.options.RANDOM_ORDER:
+ env.OPTIONS += ' --random-order'
+ if Options.options.PERF_TEST:
+ env.FILTER_OPTIONS = ('${PYTHON} -u ${srcdir}/selftest/filter-subunit '
+ '--perf-test-output')
+ else:
+ env.FILTER_OPTIONS = '${FILTER_XFAIL}'
+
+ if Options.options.VALGRIND:
+ os.environ['VALGRIND'] = 'valgrind -q --num-callers=30'
+ if Options.options.VALGRINDLOG is not None:
+ os.environ['VALGRIND'] += ' --log-file=%s' % Options.options.VALGRINDLOG
+
+ server_wrapper=''
+
+ if Options.options.VALGRIND_SERVER:
+ server_wrapper = '${srcdir}/selftest/valgrind_run _DUMMY=X'
+ elif Options.options.GDBTEST:
+ server_wrapper = '${srcdir}/selftest/gdb_run _DUMMY=X'
+
+ if Options.options.SCREEN:
+ server_wrapper = '${srcdir}/selftest/in_screen %s' % server_wrapper
+ os.environ['TERMINAL'] = EXPAND_VARIABLES(opt, '${srcdir}/selftest/in_screen')
+ elif server_wrapper != '':
+ server_wrapper = 'xterm -n server -l -e %s' % server_wrapper
+
+ if server_wrapper != '':
+ os.environ['SAMBA_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
+ os.environ['NMBD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
+ os.environ['WINBINDD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
+ os.environ['SMBD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
+ os.environ['SAMBA_DCERPCD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
+
+ # this is needed for systems without rpath, or with rpath disabled
+ ADD_LD_LIBRARY_PATH('bin/shared')
+ ADD_LD_LIBRARY_PATH('bin/shared/private')
+
+ # if we are using a system version of ldb then we need to tell it to
+ # load modules from our modules path
+ if env.USING_SYSTEM_LDB:
+ os.environ['LDB_MODULES_PATH'] = os.path.abspath(
+ os.path.join(*(env.cwd + ['bin/modules/ldb'])))
+
+ # tell build system where to find config.h
+ os.environ['CONFIG_H'] = 'bin/default/include/config.h'
+
+ # tell the test system where perl is
+ if isinstance(env.PERL, list):
+ perl = ' '.join(env.PERL)
+ else:
+ perl = env.PERL
+ os.environ['PERL'] = perl
+
+ st_done = os.path.join(env.SELFTEST_PREFIX, 'st_done')
+ if os.path.exists(st_done):
+ os.unlink(st_done)
+
+ if not os.path.isdir(env.SELFTEST_PREFIX):
+ os.makedirs(env.SELFTEST_PREFIX, int('755', 8))
+
+ if Options.options.TEST_LIST:
+ env.TESTLISTS = '--testlist=%r' % Options.options.TEST_LIST
+ elif Options.options.PERF_TEST:
+ env.TESTLISTS = '--testlist="${PYTHON} ${srcdir}/selftest/perf_tests.py|" '
+ else:
+ env.TESTLISTS = ('--testlist="${PYTHON} ${srcdir}/selftest/tests.py|" ' +
+ '--testlist="${PYTHON} ${srcdir}/source3/selftest/tests.py|" ' +
+ '--testlist="${PYTHON} ${srcdir}/source4/selftest/tests.py|"')
+
+ if CONFIG_SET(opt, 'AD_DC_BUILD_IS_ENABLED'):
+ env.SELFTEST_TARGET = "samba"
+ else:
+ env.SELFTEST_TARGET = "samba3"
+
+ env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH')
+ env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH')
+ env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH')
+
+ # selftest can optionally use kernel namespaces instead of socket-wrapper
+ if os.environ.get('USE_NAMESPACES') is None:
+ env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
+
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
+ env.OPTIONS += " --use-dns-faking"
+
+ if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
+ env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc"
+ if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'):
+ env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20"
+
+ env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
+ "knownfail_mit_kdc"
+
+ if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'):
+ env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_kdc_pre_1_20'
+
+ if CONFIG_GET(opt, 'HAVE_MIT_KRB5_1_20'):
+ env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_kdc_1_20'
+ else:
+ env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
+ "knownfail_heimdal_kdc"
+
+ if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'):
+ # older MIT krb5 libraries (< 1.14) don't have
+ # GSS_KRB5_CRED_NO_CI_FLAGS_X
+ env.OPTIONS += " --exclude=${srcdir}/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X"
+
+ if os.environ.get('DISABLE_OPATH'):
+ env.OPTIONS += " --exclude=${srcdir}/selftest/skip.opath-required"
+
+ if env.ADDRESS_SANITIZER:
+ # We try to find the correct libasan automatically
+ libasan = Utils.cmd_output(
+ 'ldd bin/texpect | grep libasan| cut -f 3 -d \ ',
+ silent=True).strip()
+ libasan = libasan.decode('utf8')
+
+ # Have the selftest.pl LD_PRELOAD libasan in the right spot
+ env.OPTIONS += " --asan_so_path=" + libasan
+
+ subunit_cache = None
+ # We use the full path rather than relative path to avoid problems on some platforms (ie. solaris 8).
+ env.CORE_COMMAND = '${PERL} ${srcdir}/selftest/selftest.pl --target=${SELFTEST_TARGET} --prefix=${SELFTEST_PREFIX} --srcdir=${srcdir} --exclude=${srcdir}/selftest/skip ${TESTLISTS} ${OPTIONS} ${TESTS}'
+
+ # If using namespaces (rather than socket-wrapper), run the selftest script
+ # in its own network namespace (by doing an 'unshare'). (To create a new
+ # namespace as a non-root user, we have to also unshare the current user
+ # namespace, and remap ourself as root in the namespace created)
+ if os.environ.get('USE_NAMESPACES') is not None:
+ env.CORE_COMMAND = 'unshare --net --user --map-root-user ' + env.CORE_COMMAND
+
+ if env.ADDRESS_SANITIZER:
+ # For now we cannot run with leak and odr detection
+ no_leak_check = "ASAN_OPTIONS=detect_leaks=0:detect_odr_violation=0 "
+ # And we need to disable RTLD_DEEPBIND in ldb and socket wrapper
+ no_leak_check += "LDB_MODULES_DISABLE_DEEPBIND=1 "
+ no_leak_check += "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1"
+ env.CORE_COMMAND = no_leak_check + " " + env.CORE_COMMAND
+
+ # We need to have the subunit filter and formatter preload
+ # libasan otherwise the tests fail at startup.
+ #
+ # Also, we do not care about leaks in python
+
+ asan_envs = no_leak_check + " LD_PRELOAD=" + libasan + ' '
+ env.FILTER_OPTIONS = asan_envs + env.FILTER_OPTIONS
+ env.SUBUNIT_FORMATTER = asan_envs + env.SUBUNIT_FORMATTER
+
+ if env.UNDEFINED_SANITIZER:
+ # print a stack trace with the error.
+ print_stack_trace = "UBSAN_OPTIONS=print_stacktrace=1"
+ print_stack_trace += ",suppressions=${srcdir}/selftest/ubsan.supp"
+ env.CORE_COMMAND = print_stack_trace + " " + env.CORE_COMMAND
+
+ if Options.options.LIST:
+ cmd = '${CORE_COMMAND} --list'
+ else:
+ env.OPTIONS += ' --socket-wrapper'
+ cmd = '(${CORE_COMMAND} && touch ${SELFTEST_PREFIX}/st_done) | ${FILTER_OPTIONS}'
+
+ if Options.options.NO_SUBUNIT_FILTER:
+ # Skip subunit filtering (i.e. because python is disabled).
+ # Use --one to bail out upon any failure
+ cmd = '(${CORE_COMMAND} --one && touch ${SELFTEST_PREFIX}/st_done)'
+ elif not Options.options.FILTERED_SUBUNIT:
+ subunit_cache = os.path.join(env.SELFTEST_PREFIX, "subunit")
+ cmd += ' | tee %s | ${FORMAT_TEST_OUTPUT}' % subunit_cache
+ else:
+ cmd += ' | ${FILTER_OPTIONS}'
+
+ runcmd = EXPAND_VARIABLES(opt, cmd)
+
+ print("test: running %s" % runcmd)
+ ret = RUN_COMMAND(cmd, env=env)
+
+ if (os.path.exists(".testrepository") and
+ not Options.options.LIST and
+ not Options.options.LOAD_LIST and
+ subunit_cache is not None):
+ testrcmd = 'testr load -q < %s > /dev/null' % subunit_cache
+ runcmd = EXPAND_VARIABLES(opt, testrcmd)
+ RUN_COMMAND(runcmd, env=env)
+
+ if subunit_cache is not None:
+ nb = Options.options.NB_SLOWEST
+ cmd = "./script/show_testsuite_time %s %d" % (subunit_cache, nb)
+ runcmd = EXPAND_VARIABLES(opt, cmd)
+ RUN_COMMAND(runcmd, env=env)
+
+ if ret != 0:
+ print("ERROR: test failed with exit code %d" % ret)
+ sys.exit(ret)
+
+ if not Options.options.LIST and not os.path.exists(st_done):
+ print("ERROR: test command failed to complete")
+ sys.exit(1)
+
+
+########################################################################
+# main test entry point
+def cmd_test(opt):
+ '''Run the test suite (see test options below)'''
+
+ # if running all tests, then force a symbol check
+ env = LOAD_ENVIRONMENT()
+ CHECK_MAKEFLAGS(env)
+ Options.commands.append('build')
+ Options.commands.append('testonly')