summaryrefslogtreecommitdiffstats
path: root/testprogs/blackbox
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /testprogs/blackbox
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testprogs/blackbox')
-rwxr-xr-xtestprogs/blackbox/bogus.sh28
-rw-r--r--testprogs/blackbox/common-links.sh234
-rwxr-xr-xtestprogs/blackbox/common_test_fns.inc126
-rwxr-xr-xtestprogs/blackbox/dbcheck-links.sh991
-rwxr-xr-xtestprogs/blackbox/dbcheck-oldrelease.sh564
-rwxr-xr-xtestprogs/blackbox/dbcheck.sh71
-rwxr-xr-xtestprogs/blackbox/demote-saveddb.sh80
-rwxr-xr-xtestprogs/blackbox/dfree.sh8
-rwxr-xr-xtestprogs/blackbox/dom_parse.sh27
-rwxr-xr-xtestprogs/blackbox/functionalprep.sh134
-rwxr-xr-xtestprogs/blackbox/join_ldapcmp.sh51
-rwxr-xr-xtestprogs/blackbox/ldapcmp_restoredc.sh70
-rwxr-xr-xtestprogs/blackbox/nsstest.sh22
-rwxr-xr-xtestprogs/blackbox/renamedc.sh106
-rwxr-xr-xtestprogs/blackbox/runtime-links.sh82
-rwxr-xr-xtestprogs/blackbox/schemaupgrade.sh131
-rwxr-xr-xtestprogs/blackbox/subunit.sh209
-rwxr-xr-xtestprogs/blackbox/test_chgdcpass.sh115
-rwxr-xr-xtestprogs/blackbox/test_client_etypes.sh82
-rwxr-xr-xtestprogs/blackbox/test_client_kerberos.sh293
-rwxr-xr-xtestprogs/blackbox/test_export_keytab_heimdal.sh115
-rwxr-xr-xtestprogs/blackbox/test_export_keytab_mit.sh137
-rwxr-xr-xtestprogs/blackbox/test_kinit_heimdal.sh260
-rwxr-xr-xtestprogs/blackbox/test_kinit_mit.sh332
-rwxr-xr-xtestprogs/blackbox/test_kinit_trusts_heimdal.sh103
-rwxr-xr-xtestprogs/blackbox/test_kinit_trusts_mit.sh140
-rwxr-xr-xtestprogs/blackbox/test_kpasswd_heimdal.sh250
-rwxr-xr-xtestprogs/blackbox/test_kpasswd_mit.sh229
-rwxr-xr-xtestprogs/blackbox/test_ktpass.sh41
-rwxr-xr-xtestprogs/blackbox/test_ldb.sh231
-rwxr-xr-xtestprogs/blackbox/test_ldb_simple.sh41
-rwxr-xr-xtestprogs/blackbox/test_net_ads.sh325
-rwxr-xr-xtestprogs/blackbox/test_net_ads_dns.sh94
-rwxr-xr-xtestprogs/blackbox/test_net_ads_fips.sh43
-rwxr-xr-xtestprogs/blackbox/test_net_ads_search_server.sh37
-rwxr-xr-xtestprogs/blackbox/test_net_offline.sh69
-rwxr-xr-xtestprogs/blackbox/test_net_rpc_user.sh56
-rwxr-xr-xtestprogs/blackbox/test_offline_logon.sh43
-rwxr-xr-xtestprogs/blackbox/test_old_enctypes.sh68
-rwxr-xr-xtestprogs/blackbox/test_password_settings.sh254
-rwxr-xr-xtestprogs/blackbox/test_pdbtest.sh119
-rwxr-xr-xtestprogs/blackbox/test_pkinit_pac.sh63
-rwxr-xr-xtestprogs/blackbox/test_pkinit_simple.sh333
-rwxr-xr-xtestprogs/blackbox/test_primary_group.sh90
-rwxr-xr-xtestprogs/blackbox/test_rpcclient_schannel.sh94
-rwxr-xr-xtestprogs/blackbox/test_s4u_heimdal.sh94
-rwxr-xr-xtestprogs/blackbox/test_samba-tool_ntacl.sh132
-rwxr-xr-xtestprogs/blackbox/test_samba_upgradedns.sh38
-rwxr-xr-xtestprogs/blackbox/test_smbtorture_test_names.sh43
-rwxr-xr-xtestprogs/blackbox/test_special_group.sh52
-rwxr-xr-xtestprogs/blackbox/test_trust_ntlm.sh205
-rwxr-xr-xtestprogs/blackbox/test_trust_token.sh93
-rwxr-xr-xtestprogs/blackbox/test_trust_user_account.sh59
-rwxr-xr-xtestprogs/blackbox/test_trust_utils.sh144
-rwxr-xr-xtestprogs/blackbox/test_weak_crypto.sh51
-rwxr-xr-xtestprogs/blackbox/test_weak_crypto_server.sh64
-rwxr-xr-xtestprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh41
-rwxr-xr-xtestprogs/blackbox/test_wintest.sh44
-rwxr-xr-xtestprogs/blackbox/tfork.sh15
-rwxr-xr-xtestprogs/blackbox/tombstones-expunge.sh245
-rwxr-xr-xtestprogs/blackbox/upgradeprovision-oldrelease.sh225
-rw-r--r--testprogs/blackbox/wintest/wintest.conf7
62 files changed, 8543 insertions, 0 deletions
diff --git a/testprogs/blackbox/bogus.sh b/testprogs/blackbox/bogus.sh
new file mode 100755
index 0000000..1edd153
--- /dev/null
+++ b/testprogs/blackbox/bogus.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: bogus.sh SERVER SHARE USER PASSWORD DC_USER DC_PASSWORD SMBCLIENT
+EOF
+ exit 1
+fi
+
+. $(dirname $0)/subunit.sh
+
+SERVER=$1
+SHARE=$2
+USER=$3
+PWD=$4
+DC_USER=$5
+DC_PWD=$6
+smbclient=$7
+shift 7
+
+TEST_USER=bogus_testuser
+TEST_PWD=bogus_pass3#@
+net="$BINDIR/net"
+testit_expect_failure "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$DC_USER%$DC_PWD -c "dir" && failed=$(expr $failed + 1)
+testit "net.user.add" $net rpc user add $TEST_USER $TEST_PWD -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER
+testit "smbclient" $smbclient "//$SERVER/$SHARE" -W POUET -U$TEST_USER%$TEST_PWD -c "dir" || failed=$(expr $failed + 1)
+testit "net.user.delete" $net rpc user delete $TEST_USER -W $SERVER -U$SERVER\\$USER%$PWD -S $SERVER
+exit $failed
diff --git a/testprogs/blackbox/common-links.sh b/testprogs/blackbox/common-links.sh
new file mode 100644
index 0000000..92cf730
--- /dev/null
+++ b/testprogs/blackbox/common-links.sh
@@ -0,0 +1,234 @@
+release_dir=$SRCDIR_ABS/source4/selftest/provisions/$RELEASE
+
+ldbadd="ldbadd"
+if [ -x "$BINDIR/ldbadd" ]; then
+ ldbadd="$BINDIR/ldbadd"
+fi
+
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+ ldbmodify="$BINDIR/ldbmodify"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+ldbrename="ldbrename"
+if [ -x "$BINDIR/ldbrename" ]; then
+ ldbrename="$BINDIR/ldbrename"
+fi
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+
+undump()
+{
+ $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore
+}
+
+add_dangling_link()
+{
+ ldif=$release_dir/add-dangling-forwardlink-user.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-initially-normal-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/delete-only-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_dangling_backlink()
+{
+ ldif=$release_dir/add-dangling-backlink-user.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-dangling-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_deleted_dangling_backlink()
+{
+ ldif=$release_dir/add-deleted-backlink-user.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-deleted-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_deleted_target_backlink()
+{
+ ldif=$release_dir/add-deleted-target-backlink-user.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-deleted-target-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+revive_links_on_deleted_group()
+{
+ ldif=$release_dir/revive-links-on-deleted-group.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+revive_backlink_on_deleted_group()
+{
+ ldif=$release_dir/revive-backlink-on-deleted-group.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_deleted_target_link()
+{
+ ldif=$release_dir/add-dangling-deleted-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_two_more_users()
+{
+ ldif=$release_dir/add-two-more-users.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_four_more_links()
+{
+ ldif=$release_dir/add-four-more-links.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_one_link()
+{
+ ldif=$release_dir/remove-one-more-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_one_user()
+{
+ ldif=$release_dir/remove-one-more-user.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+move_one_user()
+{
+ TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'cn=user1,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' 'cn=user1x,cn=users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+dangling_one_way_dn()
+{
+ ldif=$release_dir/dangling-one-way-dn.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+deleted_one_way_dn()
+{
+ ldif=$release_dir/deleted-one-way-dn.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+dangling_one_way_link()
+{
+ ldif=$release_dir/dangling-one-way-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/CN%3DCONFIGURATION,DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_dangling_multi_valued()
+{
+ # multi1 - All 4 backlinks
+ # multi2 - Missing all 4 backlinks
+ # multi3 - Missing 2 backlinks
+ # Administrator - Has 2 too many backlinks
+ # multi5 - Has 2 backlinks but no forward links
+ ldif=$release_dir/add-dangling-multilink-users.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-initially-normal-multilink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/delete-only-multi-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ ldif=$release_dir/add-dangling-multi-backlink.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc
new file mode 100755
index 0000000..a253130
--- /dev/null
+++ b/testprogs/blackbox/common_test_fns.inc
@@ -0,0 +1,126 @@
+# Common tests
+# Pulled out of existing tests to prevent duplication.
+#
+test_smbclient()
+{
+ name="$1"
+ cmd="$2"
+ unc="$3"
+ shift
+ shift
+ shift
+ subunit_start_test "$name"
+ output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" $@ 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ printf '%s' "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+test_smbclient_expect_failure()
+{
+ name="$1"
+ cmd="$2"
+ unc="$3"
+ shift
+ shift
+ shift
+ subunit_start_test "$name"
+ output=$($VALGRIND $smbclient $CONFIGURATION "$unc" -c "$cmd" $@ 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ else
+ subunit_pass_test "$name"
+ fi
+ return $status
+}
+
+test_rpcclient_grep()
+{
+ name="$1"
+ cmd="$2"
+ srv="$3"
+ grep="$4"
+ shift
+ shift
+ shift
+ shift
+ subunit_start_test "$name"
+ output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1)
+ status=$?
+ if [ x$status != x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ return $status
+ fi
+ printf '%s' "$output" | grep -q "$grep"
+ gstatus=$?
+ if [ x$gstatus = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ printf '%s' "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+test_rpcclient_expect_failure_grep()
+{
+ name="$1"
+ cmd="$2"
+ srv="$3"
+ grep="$4"
+ shift
+ shift
+ shift
+ shift
+ subunit_start_test "$name"
+ output=$($VALGRIND $rpcclient $CONFIGURATION "$srv" -c "$cmd" $@ 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ return $status
+ fi
+ printf '%s' "$output" | grep -q "$grep"
+ gstatus=$?
+ if [ x$gstatus = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ printf '%s' "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+kerberos_kinit()
+{
+ kinit_tool="${1}"
+ principal="${2}"
+ password="${3}"
+ shift 3
+ kbase=$(basename ${kinit_tool})
+ if [ "${kbase}" = "samba4kinit" ]; then
+ kpassfile=$(mktemp)
+ echo $password >${kpassfile}
+ $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $@ $principal
+ status=$?
+ rm -f ${kpassfile}
+ else
+ echo $password | $kinit_tool $@ $principal
+ status=$?
+ fi
+ return $status
+}
+
+remove_directory()
+{
+ local xdir=${1}
+ shift
+
+ if [ "$xdir" == "/" ] || [ ! -d "$xdir" ] || [ ! $(ls -A "$xdir") ]; then
+ return
+ fi
+
+ rm -rf "$xdir"
+}
diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh
new file mode 100755
index 0000000..29fb5b8
--- /dev/null
+++ b/testprogs/blackbox/dbcheck-links.sh
@@ -0,0 +1,991 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: dbcheck-links.sh PREFIX RELEASE
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+RELEASE="$2"
+shift 2
+
+. $(dirname $0)/subunit.sh
+
+. $(dirname $0)/common-links.sh
+. $(dirname $0)/common_test_fns.inc
+
+failed=0
+
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then
+ subunit_start_test $RELEASE
+ subunit_skip_test $RELEASE <<EOF
+no test provision
+EOF
+
+ subunit_start_test "tombstones_expunge"
+ subunit_skip_test "tombstones_expunge" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+dbcheck()
+{
+ tmpfile=$PREFIX_ABS/$RELEASE/expected-dbcheck-link-output${1}.txt.tmp
+ tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp1
+
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1
+
+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $3 --fix --yes >$tmpfile
+ if [ "$?" != "$2" ]; then
+ return 1
+ fi
+ sort $tmpfile | grep -v "^INFO:" >$tmpfile.sorted
+ sort $release_dir/expected-dbcheck-link-output${1}.txt >$tmpfile.expected
+ diff -u $tmpfile.sorted $tmpfile.expected
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output${1}2.txt.tmp2
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2
+
+ diff -u $tmpldif1 $tmpldif2
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+dbcheck_dangling()
+{
+ dbcheck "" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+dbcheck_one_way()
+{
+ dbcheck "_one_way" "0" "CN=Configuration,DC=release-4-5-0-pre1,DC=samba,DC=corp --selftest-check-expired-tombstones"
+ return $?
+}
+
+dbcheck_clean()
+{
+ tmpldif1=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp1
+
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif1
+
+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ tmpldif2=$PREFIX_ABS/$RELEASE/expected-dbcheck-output2.txt.tmp2
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif2
+
+ diff -u $tmpldif1 $tmpldif2
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_after_links()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-link-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member >$tmpldif
+ diff -u $tmpldif $release_dir/expected-links-after-link-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_after_deleted_links()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-link-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member >$tmpldif
+ diff -u $tmpldif $release_dir/expected-deleted-links-after-link-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_after_objects()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-link-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user1x)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName >$tmpldif
+ diff -u $tmpldif $release_dir/expected-objects-after-link-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+duplicate_member()
+{
+ # We use an existing group so we have a stable GUID in the
+ # dbcheck output
+ LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member)
+ DN=$(echo "${LDIF1}" | grep '^dn: ')
+ MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$')
+ ldif=$PREFIX_ABS/${RELEASE}/duplicate-member-multi.ldif
+ {
+ echo "${DN}"
+ echo "changetype: modify"
+ echo "replace: member"
+ echo "${MSG}"
+ echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!'
+ } >$ldif
+
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+dbcheck_duplicate_member()
+{
+ dbcheck "_duplicate_member" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+check_expected_after_duplicate_links()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-duplicates-after-link-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=administrator)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif
+ diff -u $tmpldif $release_dir/expected-duplicates-after-link-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+missing_link_sid_corruption()
+{
+ # Step1: add user "missingsidu1"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption1.ldif
+ cat >$ldif <<EOF
+dn: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: user
+samaccountname: missingsidu1
+objectGUID: 0da8f25e-d110-11e8-80b7-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-771
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ # Step2: add user "missingsidu2"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption2.ldif
+ cat >$ldif <<EOF
+dn: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: user
+samaccountname: missingsidu2
+objectGUID: 66eb8f52-d110-11e8-ab9b-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-772
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ # Step3: add group "missingsidg3" and add users as members
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption3.ldif
+ cat >$ldif <<EOF
+dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: group
+samaccountname: missingsidg3
+objectGUID: fd992424-d114-11e8-bb36-3c970ec68461
+objectSid: S-1-5-21-4177067393-1453636373-93818738-773
+member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+member: CN=missingsidu2,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ # Step4: remove one user again, so that we have one deleted link
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption4.ldif
+ cat >$ldif <<EOF
+dn: CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: modify
+delete: member
+member: CN=missingsidu1,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step5: remove the SIDS from the links
+ #
+ LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=missingsidg3,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn --show-binary member)
+ DN=$(echo "${LDIF1}" | grep '^dn: ')
+ MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$')
+ ldif=$PREFIX_ABS/${RELEASE}/missing_link_sid_corruption5.ldif
+ {
+ echo "${DN}"
+ echo "changetype: modify"
+ echo "replace: member"
+ #echo "${MSG}"
+ echo "${MSG}" | sed \
+ -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-771>;!!g' \
+ -e 's!<SID=S-1-5-21-4177067393-1453636373-93818738-772>;!!g' \
+ -e 's!RMD_ADDTIME=[1-9][0-9]*!RMD_ADDTIME=123456789000000000!g' \
+ -e 's!RMD_CHANGETIME=[1-9][0-9]*!RMD_CHANGETIME=123456789000000000!g' |
+ cat
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+dbcheck_missing_link_sid_corruption()
+{
+ dbcheck "-missing-link-sid-corruption" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+add_lost_deleted_user1()
+{
+ ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user1.ldif
+ cat >$ldif <<EOF
+dn: CN=fred\0ADEL:2301a64c-1234-5678-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+instanceType: 4
+whenCreated: 20160629043638.0Z
+uSNCreated: 3740
+objectGUID: 2301a64c-1234-5678-851e-12d4a711cfb4
+objectSid: S-1-5-21-4177067393-1453636373-93818738-1011
+sAMAccountName: fred
+userAccountControl: 512
+isDeleted: TRUE
+lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel
+ ease-4-5-0-pre1,DC=samba,DC=corp
+isRecycled: TRUE
+cn:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0
+name:: ZnJlZApERUw6MjMwMWE2NGMtMTIzNC01Njc4LTg1MWUtMTJkNGE3MTFjZmI0
+replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o
+ z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A
+ AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA
+ AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA
+ AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC
+ jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz
+ 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA
+ AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA
+ AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA
+ AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj
+ lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0
+ jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA
+ AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA
+ AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA
+ V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl
+ kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j
+ jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA
+ AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA
+ AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV
+ +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA==
+whenChanged: 20160629043639.0Z
+uSNChanged: 3746
+nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK
+ PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO
+ 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8
+ J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ
+ AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA
+ AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA
+ UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA
+ AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr
+ 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA
+ ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh
+ CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0
+ BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ
+ AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA
+ oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER
+ rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA
+ AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq
+ svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA
+ AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA
+ BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI
+ AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA
+ AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG
+ naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg
+ 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX
+ 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC
+ AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA
+ AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD
+ AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA
+ AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB
+ AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo
+ 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA
+ BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA
+ gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA
+ AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU
+ SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos
+ AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5
+ g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg
+ AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD
+ /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS
+ GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA==
+EOF
+
+ out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbadd returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+dbcheck_lost_deleted_user1()
+{
+ dbcheck "-lost-deleted-user1" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+remove_lost_deleted_user1()
+{
+ out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1234-5678-851e-12d4a711cfb4>" --show-recycled --relax)
+ if [ "$?" != "0" ]; then
+ echo "ldbdel returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+add_lost_deleted_user2()
+{
+ ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user2.ldif
+ cat >$ldif <<EOF
+dn: CN=fred\0ADEL:2301a64c-8765-4321-851e-12d4a711cfb4,CN=LostAndFound,DC=release-4-5-0-pre1,DC=samba,DC=corp
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+instanceType: 4
+whenCreated: 20160629043638.0Z
+uSNCreated: 3740
+objectGUID: 2301a64c-8765-4321-851e-12d4a711cfb4
+objectSid: S-1-5-21-4177067393-1453636373-93818738-1001
+sAMAccountName: fred
+userAccountControl: 512
+isDeleted: TRUE
+lastKnownParent: OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp
+isRecycled: TRUE
+cn:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0
+name:: ZnJlZApERUw6MjMwMWE2NGMtODc2NS00MzIxLTg1MWUtMTJkNGE3MTFjZmI0
+replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o
+ z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A
+ AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA
+ AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA
+ AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC
+ jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQAEAAAAePOWEgMAAACjlkROuH+XT4oz
+ 0jjbi14tvA4AAAAAAAC8DgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA
+ AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA
+ AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA
+ AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj
+ lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0
+ jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA
+ AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA
+ AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA
+ V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl
+ kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j
+ jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA
+ AAACiDgAAAAAAAA0DCQADAAAAePOWEgMAAACjlkROuH+XT4oz0jjbi14tvQ4AAAAAAAC9DgAAAAAA
+ AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV
+ +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA==
+whenChanged: 20160629043639.0Z
+uSNChanged: 3746
+nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK
+ PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO
+ 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8
+ J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ
+ AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA
+ AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA
+ UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA
+ AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr
+ 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA
+ ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh
+ CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0
+ BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ
+ AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA
+ oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER
+ rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA
+ AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq
+ svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA
+ AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA
+ BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI
+ AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA
+ AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG
+ naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg
+ 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX
+ 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC
+ AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA
+ AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD
+ AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA
+ AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB
+ AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo
+ 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA
+ BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA
+ gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA
+ AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU
+ SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos
+ AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5
+ g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg
+ AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD
+ /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS
+ GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA==
+EOF
+
+ out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbadd returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+dbcheck_lost_deleted_user2()
+{
+ dbcheck "-lost-deleted-user2" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+add_lost_deleted_user3()
+{
+ ldif=$PREFIX_ABS/${RELEASE}/add_lost_deleted_user3.ldif
+ cat >$ldif <<EOF
+dn: CN=fred\0ADEL:2301a64c-1122-5566-851e-12d4a711cfb4,OU=removed,DC=release-4-5-0-pre1,DC=samba,DC=corp
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+instanceType: 4
+whenCreated: 20160629043638.0Z
+uSNCreated: 3740
+objectGUID: 2301a64c-1122-5566-851e-12d4a711cfb4
+objectSid: S-1-5-21-4177067393-1453636373-93818738-1010
+sAMAccountName: fred
+userAccountControl: 512
+isDeleted: TRUE
+lastKnownParent: <GUID=f28216e9-1234-5678-8b2d-6bb229563b62>;OU=removed,DC=rel
+ ease-4-5-0-pre1,DC=samba,DC=corp
+isRecycled: TRUE
+cn:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0
+name:: ZnJlZApERUw6MjMwMWE2NGMtMTEyMi01NTY2LTg1MWUtMTJkNGE3MTFjZmI0
+replPropertyMetaData:: AQAAAAAAAAAXAAAAAAAAAAAAAAABAAAAVuGDDQMAAACjlkROuH+XT4o
+ z0jjbi14tnA4AAAAAAACcDgAAAAAAAAMAAAACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4A
+ AAAAAACiDgAAAAAAAAEAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAA
+ AAAAAIAAgABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAADAAAgABAA
+ AAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAABkBAgABAAAAVuGDDQMAAAC
+ jlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAAEACQACAAAAV+GDDQMAAACjlkROuH+XT4oz
+ 0jjbi14tog4AAAAAAACiDgAAAAAAAAgACQADAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tng4AA
+ AAAAACeDgAAAAAAABAACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAA
+ AAABkACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAFoACQABAAA
+ AVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAF4ACQABAAAAVuGDDQMAAACj
+ lkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAAAAGAACQADAAAAV+GDDQMAAACjlkROuH+XT4oz0
+ jjbi14tog4AAAAAAACiDgAAAAAAAGIACQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAA
+ AAAACiDgAAAAAAAH0ACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnQ4AAAAAAACdDgAAAAA
+ AAJIACQABAAAAVuGDDQMAAACjlkROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAJ8ACQACAAAA
+ V+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAN0ACQABAAAAVuGDDQMAAACjl
+ kROuH+XT4oz0jjbi14tnA4AAAAAAACcDgAAAAAAAC4BCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0j
+ jbi14tog4AAAAAAACiDgAAAAAAAJACCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAA
+ AAACiDgAAAAAAAA0DCQABAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAA
+ AA4DCQACAAAAV+GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAAoICQABAAAAV
+ +GDDQMAAACjlkROuH+XT4oz0jjbi14tog4AAAAAAACiDgAAAAAAAA==
+whenChanged: 20160629043639.0Z
+uSNChanged: 3746
+nTSecurityDescriptor:: AQAXjBQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAACB/fj4FbukVnK
+ PlwUAAgAAAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO
+ 8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8
+ J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQA1AcsAAAAAAAkAP8BDwABBQ
+ AAAAAABRUAAACB/fj4FbukVnKPlwUAAgAAAAAUAP8BDwABAQAAAAAABRIAAAAAABgA/wEPAAECAAA
+ AAAAFIAAAACQCAAAAABQAlAACAAEBAAAAAAAFCgAAAAUAKAAAAQAAAQAAAFMacqsvHtARmBkAqgBA
+ UpsBAQAAAAAABQoAAAAFACgAAAEAAAEAAABUGnKrLx7QEZgZAKoAQFKbAQEAAAAAAAUKAAAABQAoA
+ AABAAABAAAAVhpyqy8e0BGYGQCqAEBSmwEBAAAAAAAFCgAAAAUAKAAwAAAAAQAAAIa4tXdKlNERrr
+ 0AAPgDZ8EBAQAAAAAABQoAAAAFACgAMAAAAAEAAACylVfkVZTREa69AAD4A2fBAQEAAAAAAAUKAAA
+ ABQAoADAAAAABAAAAs5VX5FWU0RGuvQAA+ANnwQEBAAAAAAAFCgAAAAUAOAAQAAAAAQAAAPiIcAPh
+ CtIRtCIAoMlo+TkBBQAAAAAABRUAAACB/fj4FbukVnKPlwUpAgAABQA4ABAAAAABAAAAAEIWTMAg0
+ BGnaACqAG4FKQEFAAAAAAAFFQAAAIH9+PgVu6RWco+XBSkCAAAFADgAEAAAAAEAAABAwgq8qXnQEZ
+ AgAMBPwtTPAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFKQIAAAAAFAAAAAIAAQEAAAAAAAULAAAABQA
+ oABAAAAABAAAAQi+6WaJ50BGQIADAT8LTzwEBAAAAAAAFCwAAAAUAKAAQAAAAAQAAAIa4tXdKlNER
+ rr0AAPgDZ8EBAQAAAAAABQsAAAAFACgAEAAAAAEAAACzlVfkVZTREa69AAD4A2fBAQEAAAAAAAULA
+ AAABQAoABAAAAABAAAAVAGN5Pi80RGHAgDAT7lgUAEBAAAAAAAFCwAAAAUAKAAAAQAAAQAAAFMacq
+ svHtARmBkAqgBAUpsBAQAAAAAAAQAAAAAFADgAEAAAAAEAAAAQICBfpXnQEZAgAMBPwtTPAQUAAAA
+ AAAUVAAAAgf34+BW7pFZyj5cFKQIAAAUAOAAwAAAAAQAAAH96lr/mDdARooUAqgAwSeIBBQAAAAAA
+ BRUAAACB/fj4FbukVnKPlwUFAgAABQAsABAAAAABAAAAHbGpRq5gWkC36P+KWNRW0gECAAAAAAAFI
+ AAAADACAAAFACwAMAAAAAEAAAAcmrZtIpTREa69AAD4A2fBAQIAAAAAAAUgAAAAMQIAAAUALAAwAA
+ AAAQAAAGK8BVjJvShEpeKFag9MGF4BAgAAAAAABSAAAAAxAgAABRo8ABAAAAADAAAAAEIWTMAg0BG
+ naACqAG4FKRTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAAEIWTMAg
+ 0BGnaACqAG4FKbp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAAAECAgX
+ 6V50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAADAAAAEC
+ AgX6V50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAAAADAAA
+ AQMIKvKl50BGQIADAT8LUzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8ABAAAAAD
+ AAAAQMIKvKl50BGQIADAT8LUz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo8ABAAA
+ AADAAAAQi+6WaJ50BGQIADAT8LTzxTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAABRI8AB
+ AAAAADAAAAQi+6WaJ50BGQIADAT8LTz7p6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqAgAABRo
+ 8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5ORTMKEg3FLxFmwetbwFeXygBAgAAAAAABSAAAAAqAgAA
+ BRI8ABAAAAADAAAA+IhwA+EK0hG0IgCgyWj5Obp6lr/mDdARooUAqgAwSeIBAgAAAAAABSAAAAAqA
+ gAABRo4ABAAAAADAAAAbZ7Gt8cs0hGFTgCgyYP2CIZ6lr/mDdARooUAqgAwSeIBAQAAAAAABQkAAA
+ AFGjgAEAAAAAMAAABtnsa3xyzSEYVOAKDJg/YInHqWv+YN0BGihQCqADBJ4gEBAAAAAAAFCQAAAAU
+ SOAAQAAAAAwAAAG2exrfHLNIRhU4AoMmD9gi6epa/5g3QEaKFAKoAMEniAQEAAAAAAAUJAAAABRos
+ AJQAAgACAAAAFMwoSDcUvEWbB61vAV5fKAECAAAAAAAFIAAAACoCAAAFGiwAlAACAAIAAACcepa/5
+ g3QEaKFAKoAMEniAQIAAAAAAAUgAAAAKgIAAAUSLACUAAIAAgAAALp6lr/mDdARooUAqgAwSeIBAg
+ AAAAAABSAAAAAqAgAABRIoADABAAABAAAA3kfmkW/ZcEuVV9Y/9PPM2AEBAAAAAAAFCgAAAAASJAD
+ /AQ8AAQUAAAAAAAUVAAAAgf34+BW7pFZyj5cFBwIAAAASGAAEAAAAAQIAAAAAAAUgAAAAKgIAAAAS
+ GAC9AQ8AAQIAAAAAAAUgAAAAIAIAAA==
+EOF
+
+ out=$(TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbadd returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+dbcheck_lost_deleted_user3()
+{
+ # here we don't pass --selftest-check-expired-tombstones
+ # as we want to test the default
+ dbcheck "-lost-deleted-user3" "0" ""
+ return $?
+}
+
+remove_lost_deleted_user3()
+{
+ out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "<GUID=2301a64c-1122-5566-851e-12d4a711cfb4>" --show-recycled --relax)
+ if [ "$?" != "0" ]; then
+ echo "ldbdel returned:\n$out"
+ return 1
+ fi
+
+ return 0
+}
+
+forward_link_corruption()
+{
+ #
+ # Step1: add a duplicate forward link from
+ # "CN=Enterprise Admins" to "CN=Administrator"
+ #
+ LDIF1=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb -b 'CN=Enterprise Admins,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp' --scope=base --reveal --extended-dn member)
+ DN=$(echo "${LDIF1}" | grep '^dn: ')
+ MSG=$(echo "${LDIF1}" | grep -v '^dn: ' | grep -v '^#' | grep -v '^$')
+ ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption1.ldif
+ {
+ echo "${DN}"
+ echo "changetype: modify"
+ echo "replace: member"
+ echo "${MSG}"
+ echo "${MSG}" | sed -e 's!RMD_LOCAL_USN=[1-9][0-9]*!RMD_LOCAL_USN=0!'
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step2: add user "dangling"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption2.ldif
+ cat >$ldif <<EOF
+dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: user
+samaccountname: dangling
+objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c22
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step3: add a dangling backlink from
+ # "CN=dangling" to "CN=Enterprise Admins"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/forward_link_corruption3.ldif
+ {
+ echo "dn: CN=dangling,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ echo "changetype: modify"
+ echo "add: memberOf"
+ echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+}
+
+dbcheck_forward_link_corruption()
+{
+ dbcheck "-forward-link-corruption" "1" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+check_expected_after_dbcheck_forward_link_corruption()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-forward-link-corruption.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=dangling)(cn=enterprise admins))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted memberOf member >$tmpldif
+ diff -u $tmpldif $release_dir/expected-after-dbcheck-forward-link-corruption.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+oneway_link_corruption()
+{
+ #
+ # Step1: add OU "dangling-ou"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption.ldif
+ cat >$ldif <<EOF
+dn: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: organizationalUnit
+objectGUID: 20600e7c-92bb-492e-9552-f3ed7f8a2cad
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step2: add msExchConfigurationContainer "dangling-msexch"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/oneway_link_corruption2.ldif
+ cat >$ldif <<EOF
+dn: OU=dangling-from,DC=release-4-5-0-pre1,DC=samba,DC=corp
+changetype: add
+objectclass: organizationalUnit
+seeAlso: OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step3: rename dangling-ou to dangling-ou2
+ #
+ # Because this is a one-way link we don't fix it at runtime
+ #
+ out=$(TZ=UTC $ldbrename -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb OU=dangling-ou,DC=release-4-5-0-pre1,DC=samba,DC=corp OU=dangling-ou2,DC=release-4-5-0-pre1,DC=samba,DC=corp)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+}
+
+dbcheck_oneway_link_corruption()
+{
+ dbcheck "-oneway-link-corruption" "0" "--selftest-check-expired-tombstones"
+ return $?
+}
+
+check_expected_after_dbcheck_oneway_link_corruption()
+{
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-after-dbcheck-oneway-link-corruption.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(ou=dangling-ou)(ou=dangling-ou2)(ou=dangling-from))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted seeAlso >$tmpldif
+ diff -u $tmpldif $release_dir/expected-after-dbcheck-oneway-link-corruption.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+dbcheck_dangling_multi_valued()
+{
+
+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --selftest-check-expired-tombstones --fix --yes
+ if [ "$?" != "1" ]; then
+ return 1
+ fi
+}
+
+dangling_multi_valued_check_missing()
+{
+ WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi2)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l)
+ if [ $WORDS -ne 4 ]; then
+ echo Got only $WORDS links for dangling-multi2
+ return 1
+ fi
+ WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi3)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l)
+ if [ $WORDS -ne 4 ]; then
+ echo Got only $WORDS links for dangling-multi3
+ return 1
+ fi
+}
+
+dangling_multi_valued_check_equal_or_too_many()
+{
+ WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi1)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l)
+ if [ $WORDS -ne 4 ]; then
+ echo Got $WORDS links for dangling-multi1
+ return 1
+ fi
+
+ WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=dangling-multi5)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l)
+
+ if [ $WORDS -ne 0 ]; then
+ echo Got $WORDS links for dangling-multi5
+ return 1
+ fi
+
+ WORDS=$(TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samaccountname=Administrator)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted msDS-RevealedDSAs | grep msDS-RevealedDSAs | wc -l)
+
+ if [ $WORDS -ne 2 ]; then
+ echo Got $WORDS links for Administrator
+ return 1
+ fi
+}
+
+dangling_link_does_not_prevent_delete()
+{
+
+ #
+ # Step1: add user "dangling"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif
+ dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ cat >$ldif <<EOF
+dn: $dn
+changetype: add
+objectclass: user
+samaccountname: dangling-v
+objectGUID: fd8a04ac-cea0-4921-b1a6-c173e1155c23
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step2: add a dangling backlink from
+ # "CN=dangling-for-vanish" to "CN=Enterprise Admins"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif
+ {
+ echo "dn: $dn"
+ echo "changetype: modify"
+ echo "add: memberOf"
+ echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn")
+ if [ "$?" != "0" ]; then
+ echo "ldbdel returned:\n$out"
+ return 1
+ fi
+}
+
+dangling_link_to_unknown_does_not_prevent_delete()
+{
+
+ #
+ # Step1: add user "dangling"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif
+ dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ cat >$ldif <<EOF
+dn: $dn
+changetype: add
+objectclass: user
+samaccountname: dangling-v
+objectGUID: a4090081-ac2a-410c-8924-b255375160e8
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step2: add a dangling backlink from
+ # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif
+ {
+ echo "dn: $dn"
+ echo "changetype: modify"
+ echo "add: memberOf"
+ echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn")
+ if [ "$?" != "0" ]; then
+ echo "ldbdel returned:\n$out"
+ return 1
+ fi
+}
+
+dangling_link_to_known_and_unknown_does_not_prevent_delete()
+{
+
+ #
+ # Step1: add user "dangling"
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished1.ldif
+ dn='CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ cat >$ldif <<EOF
+dn: $dn
+changetype: add
+objectclass: user
+samaccountname: dangling-v
+objectGUID: 2882ffb1-31c3-485e-a7fc-184dfafc32d4
+EOF
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --relax $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ #
+ # Step2: add a dangling backlink from
+ # "CN=dangling-for-vanish" to "CN=Enterprise Admins",
+ # "CN=dangling-for-vanish" to "CN=NOT Enterprise Admins" and
+ # back to ourselves
+ #
+ ldif=$PREFIX_ABS/${RELEASE}/backlink_can_be_vanished2.ldif
+ {
+ echo "dn: $dn"
+ echo "changetype: modify"
+ echo "add: memberOf"
+ echo "memberOf: <GUID=304ad703-468b-465e-9787-470b3dfd7d75>;<SID=S-1-5-21-4177067393-1453636373-93818738-519>;CN=Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ echo "memberOf: <GUID=09a47bff-0227-44e1-a8e4-63f9e726515d>;<SID=S-1-5-21-4177067393-1453636373-93818738-588>;CN=NOT Enterprise Admins,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ echo "memberOf: <GUID=2882ffb1-31c3-485e-a7fc-184dfafc32d4>;CN=dangling-for-vanish,CN=users,DC=release-4-5-0-pre1,DC=samba,DC=corp"
+ } >$ldif
+
+ out=$(TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif)
+ if [ "$?" != "0" ]; then
+ echo "ldbmodify returned:\n$out"
+ return 1
+ fi
+
+ out=$(TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$dn")
+ if [ "$?" != "0" ]; then
+ echo "ldbdel returned:\n$out"
+ return 1
+ fi
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+testit $RELEASE undump || failed=$(expr $failed + 1)
+testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1)
+testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1)
+testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1)
+testit "remove_one_user" remove_one_user || failed=$(expr $failed + 1)
+testit "move_one_user" move_one_user || failed=$(expr $failed + 1)
+testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1)
+testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1)
+testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1)
+testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1)
+testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1)
+testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1)
+testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1)
+testit "dbcheck_dangling" dbcheck_dangling || failed=$(expr $failed + 1)
+testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=$(expr $failed + 1)
+testit "check_expected_after_links" check_expected_after_links || failed=$(expr $failed + 1)
+testit "check_expected_after_objects" check_expected_after_objects || failed=$(expr $failed + 1)
+testit "duplicate_member" duplicate_member || failed=$(expr $failed + 1)
+testit "dbcheck_duplicate_member" dbcheck_duplicate_member || failed=$(expr $failed + 1)
+testit "check_expected_after_duplicate_links" check_expected_after_duplicate_links || failed=$(expr $failed + 1)
+testit "duplicate_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "forward_link_corruption" forward_link_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_forward_link_corruption" dbcheck_forward_link_corruption || failed=$(expr $failed + 1)
+testit "check_expected_after_dbcheck_forward_link_corruption" check_expected_after_dbcheck_forward_link_corruption || failed=$(expr $failed + 1)
+testit "forward_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "oneway_link_corruption" oneway_link_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_oneway_link_corruption" dbcheck_oneway_link_corruption || failed=$(expr $failed + 1)
+testit "check_expected_after_dbcheck_oneway_link_corruption" check_expected_after_dbcheck_oneway_link_corruption || failed=$(expr $failed + 1)
+testit "oneway_link_corruption_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1)
+testit "dbcheck_one_way" dbcheck_one_way || failed=$(expr $failed + 1)
+testit "dbcheck_clean2" dbcheck_clean || failed=$(expr $failed + 1)
+testit "missing_link_sid_corruption" missing_link_sid_corruption || failed=$(expr $failed + 1)
+testit "dbcheck_missing_link_sid_corruption" dbcheck_missing_link_sid_corruption || failed=$(expr $failed + 1)
+testit "missing_link_sid_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user1" add_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user1" dbcheck_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "lost_deleted_user1_clean_A" dbcheck_clean || failed=$(expr $failed + 1)
+testit "remove_lost_deleted_user1" remove_lost_deleted_user1 || failed=$(expr $failed + 1)
+testit "lost_deleted_user1_clean_B" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user2" add_lost_deleted_user2 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user2" dbcheck_lost_deleted_user2 || failed=$(expr $failed + 1)
+testit "lost_deleted_user2_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_lost_deleted_user3" add_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "dbcheck_lost_deleted_user3" dbcheck_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "lost_deleted_user3_clean_A" dbcheck_clean || failed=$(expr $failed + 1)
+testit "remove_lost_deleted_user3" remove_lost_deleted_user3 || failed=$(expr $failed + 1)
+testit "lost_deleted_user3_clean_B" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1)
+testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1)
+testit "dbcheck_clean3" dbcheck_clean || failed=$(expr $failed + 1)
+testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1)
+testit "dbcheck_dangling_multi_valued" dbcheck_dangling_multi_valued || failed=$(expr $failed + 1)
+testit "dangling_multi_valued_check_missing" dangling_multi_valued_check_missing || failed=$(expr $failed + 1)
+testit "dangling_multi_valued_check_equal_or_too_many" dangling_multi_valued_check_equal_or_too_many || failed=$(expr $failed + 1)
+# Currently this cannot pass
+testit "dbcheck_dangling_multi_valued_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit "dangling_link_does_not_prevent_delete" dangling_link_does_not_prevent_delete || failed=$(expr $failed + 1)
+testit "dangling_link_to_unknown_does_not_prevent_delete" dangling_link_to_unknown_does_not_prevent_delete || failed=$(expr $failed + 1)
+testit "dangling_link_to_known_and_unknown_does_not_prevent_delete" dangling_link_to_known_and_unknown_does_not_prevent_delete || failed=$(expr $failed + 1)
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+exit $failed
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
new file mode 100755
index 0000000..2df08ad
--- /dev/null
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -0,0 +1,564 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: dbcheck.sh PREFIX RELEASE
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+RELEASE="$2"
+shift 2
+
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+release_dir=$(dirname $0)/../../source4/selftest/provisions/$RELEASE
+
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+ ldbmodify="$BINDIR/ldbmodify"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then
+ subunit_start_test $RELEASE
+ subunit_skip_test $RELEASE <<EOF
+no test provision
+EOF
+
+ subunit_start_test "reindex"
+ subunit_skip_test "reindex" <<EOF
+no test provision
+EOF
+ subunit_start_test check_expected_before_values
+ subunit_skip_test check_expected_before_values <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck"
+ subunit_skip_test "dbcheck" <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck_clean"
+ subunit_skip_test "dbcheck_clean" <<EOF
+no test provision
+EOF
+ subunit_start_test check_expected_after_values
+ subunit_skip_test check_expected_after_values <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck_acl_reset"
+ subunit_skip_test "dbcheck_acl_reset" <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck_clean_acl_reset"
+ subunit_skip_test "dbcheck_clean_acl_reset" <<EOF
+no test provision
+EOF
+ subunit_start_test add_userparameters0
+ subunit_skip_test add_userparameters0 <<EOF
+no test provision
+EOF
+
+ subunit_start_test add_userparameters1
+ subunit_skip_test add_userparameters1 <<EOF
+no test provision
+EOF
+
+ subunit_start_test add_userparameters2
+ subunit_skip_test add_userparameters2 <<EOF
+no test provision
+EOF
+
+ subunit_start_test add_userparameters3
+ subunit_skip_test add_userparameters3 <<EOF
+no test provision
+EOF
+
+ subunit_start_test check_expected_before_values
+ subunit_skip_test check_expected_before_values <<EOF
+no test provision
+EOF
+
+ subunit_start_test "dbcheck2"
+ subunit_skip_test "dbcheck2" <<EOF
+no test provision
+EOF
+
+ subunit_start_test "referenceprovision"
+ subunit_skip_test "referenceprovision" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp"
+ subunit_skip_test "ldapcmp" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp_sd"
+ subunit_skip_test "ldapcmp_sd" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+undump()
+{
+ $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore
+}
+
+add_userparameters0()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=localdc,cn=domain controllers,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
+ AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
+ AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
+ BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
+ MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
+ gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
+ AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
+ B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
+ YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
+ MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
+ AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
+ AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
+ NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
+ YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
+ MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
+ AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
+ eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
+-
+EOF
+ fi
+}
+add_userparameters1()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=administrator,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
+ AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
+ AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
+ BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
+ MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
+ gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
+ AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
+ B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
+ YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
+ MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
+ AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
+ AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
+ NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
+ YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
+ MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
+ AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
+ eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
+-
+EOF
+ fi
+}
+add_userparameters2()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=krbtgt,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
+ CAgUAsaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiIAIBQ3R4V0ZQcm9maWxlUGF0aOOAsBgCAU
+ N0eFdGSG9tZURpcuOAsCICAUN0eFdGSG9tZURpckRyaXZl44CwEggBQ3R4U2hhZG9344Sw44Cw44C
+ w44CwLggBQ3R4TWF4RGlzY29ubmVjdGlvblRpbWXjgaXjjLnjkLDjgLAoCAFDdHhNYXhDb25uZWN0
+ aW9uVGltZeOAtOOct+aIseOAsBwIAUN0eE1heElkbGVUaW1l44Gj45yy46Sw44CwIAIBQ3R4V29ya
+ 0RpcmVjdG9yeeOAsBgIAUN0eENmZ0ZsYWdzMeOAsOOBpuOYsuOAuCICAUN0eEluaXRpYWxQcm9ncm
+ Ft44Cw
+-
+EOF
+ fi
+}
+
+add_userparameters3()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
+dn: cn=guest,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
+changetype: modify
+replace: userParameters
+userParameters:: QwAAAHQAAAB4AAAAQwAAAGYAAABnAAAAUAAAAHIAAABlAAAAcwAAAGUAAABuA
+ AAAdAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAA
+ AgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACA
+ AAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAUAAAAAsAAAAaAAAACAAAAAEAAABDAAAAdAAA
+ AHgAAABDAAAAZgAAAGcAAABQAAAAcgAAAGUAAABzAAAAZQAAAG4AAAB0AAAANQA1ADEAZQAwAGIAY
+ gAwACAAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcAAABGAAAAUAAAAHIAAABvAAAAZgAAAGkAAABsAA
+ AAZQAAAFAAAABhAAAAdAAAAGgAAAAwADAAGAAAAAIAAAABAAAAQwAAAHQAAAB4AAAAVwAAAEYAAAB
+ IAAAAbwAAAG0AAABlAAAARAAAAGkAAAByAAAAMAAwACIAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcA
+ AABGAAAASAAAAG8AAABtAAAAZQAAAEQAAABpAAAAcgAAAEQAAAByAAAAaQAAAHYAAABlAAAAMAAwA
+ BIAAAAIAAAAAQAAAEMAAAB0AAAAeAAAAFMAAABoAAAAYQAAAGQAAABvAAAAdwAAADAAMQAwADAAMA
+ AwADAAMAAuAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABEAAAAaQAAAHMAAABjAAA
+ AbwAAAG4AAABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAAGUAMAA5
+ ADMAMAA0ADAAMAAoAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABDAAAAbwAAAG4AA
+ ABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAADQAMAA3ADcAMQBiAD
+ AAMAAcAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABJAAAAZAAAAGwAAABlAAAAVAA
+ AAGkAAABtAAAAZQAAAGMAMAAyADcAMAA5ADAAMAAgAAAAAgAAAAEAAABDAAAAdAAAAHgAAABXAAAA
+ bwAAAHIAAABrAAAARAAAAGkAAAByAAAAZQAAAGMAAAB0AAAAbwAAAHIAAAB5AAAAMAAwABgAAAAIA
+ AAAAQAAAEMAAAB0AAAAeAAAAEMAAABmAAAAZwAAAEYAAABsAAAAYQAAAGcAAABzAAAAMQAAADAAMA
+ BmADAAMgA2ADgAMAAiAAAAAgAAAAEAAABDAAAAdAAAAHgAAABJAAAAbgAAAGkAAAB0AAAAaQAAAGE
+ AAABsAAAAUAAAAHIAAABvAAAAZwAAAHIAAABhAAAAbQAAADAAMAA=
+-
+EOF
+ fi
+}
+
+check_expected_userparameters()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-userParameters-after-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb userParameters=* --scope=sub -b DC=release-4-1-0rc3,DC=samba,DC=corp userParameters --sorted | grep -v \# >$tmpldif
+ diff -u $tmpldif $release_dir/expected-userParameters-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+reindex()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+}
+
+do_current_version_mod()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ # Confirm (in combination with the ldbsearch below) that
+ # changing the attribute with current Samba fixes it, and that
+ # a fixed attriute isn't unfixed by dbcheck.
+ tmpldif=$release_dir/sudoers2-mod.ldif
+ $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $tmpldif
+ fi
+ return 0
+}
+
+check_expected_before_values()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-before-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif
+
+ # Here we remove originating_change_time and whenChanged as
+ # these are time-dependent, caused by the ldbmodify above.
+
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck2.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-before-dbcheck3.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/rootdse-version.initial.txt.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpldif
+ diff -u $tmpldif $release_dir/rootdse-version.initial.txt
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck_objectclass()
+{
+ if [ x$RELEASE = x"release-4-1-6-partial-object" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --attrs=objectclass $@
+ else
+ return 1
+ fi
+}
+
+# This should 'fail', because it returns the number of wrong records, which it must if we did not skip the deleted objects
+dbcheck_deleted_objects()
+{
+ if [ x$RELEASE = x"alpha13" ]; then
+ basedn=$($ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope base -b "" defaultNamingContext | grep -i defaultNamingContext | cut -d\ -f 2)
+
+ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "cn=deleted objects,$basedn" --scope base $@
+ else
+ return 1
+ fi
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+}
+
+check_expected_after_values()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-replpropertymetadata-after-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything2 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary | grep -v originating_change_time | grep -v whenChanged >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck2.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=ops_run_anything3 --scope=one -b OU=SUDOers,DC=release-4-1-0rc3,DC=samba,DC=corp \* replpropertymetadata --sorted --show-binary >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replpropertymetadata-after-dbcheck3.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ # Check DomainDNS partition for replica locations
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-replica-locations-after-dbcheck.ldif.tmp
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=49a69498-9a85-48af-9be4-aa0b3e0054f9 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ # Check ForestDNS partition for replica locations
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=7d2a15af-c0d4-487c-847e-e036292bcc65 --scope=one -b CN=Partitions,CN=Configuration,DC=release-4-1-0rc3,DC=samba,DC=corp msDS-NC-Replica-Locations >$tmpldif
+ diff -u $tmpldif $release_dir/expected-replica-locations-after-dbcheck2.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ elif [ x$RELEASE = x"release-4-5-0-pre1" ]; then
+ echo $RELEASE checking after values
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-dbcheck.ldif.tmp
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --show-recycled --show-deleted --show-deactivated-link --reveal member memberOf lastKnownParent objectCategory lastKnownParent wellKnownObjects legacyExchangeDN sAMAccountType uSNChanged --sorted >$tmpldif
+ diff -u $tmpldif $release_dir/expected-links-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ # If in the future dbcheck has to make a change recorded in replPropertyMetadata,
+ # this test will fail and can be removed.
+ tmpversion=$PREFIX_ABS/$RELEASE/rootdse-version.final.txt.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN >$tmpversion
+ diff -u $tmpversion $release_dir/rootdse-version.final.txt
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+check_forced_duplicate_values()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ ldif=$release_dir/forced-duplicate-value-for-dbcheck.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ else
+ return 0
+ fi
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck_after_dup()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp $@
+ else
+ return 1
+ fi
+}
+
+check_expected_after_dup_values()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-otherphone-after-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=administrator --scope=base -b cn=administrator,cn=users,DC=release-4-1-0rc3,DC=samba,DC=corp otherHomePhone --sorted --show-binary | grep -v \# | sort >$tmpldif
+ diff -u $tmpldif $release_dir/expected-otherphone-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+# But having fixed it all up, this should pass
+dbcheck_clean()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+}
+
+# This should 'fail', because it returns the number of modified records.
+# We don't need to run this against 4.1 releases
+dbcheck_acl_reset()
+{
+ if [ x$RELEASE = x"release-4-0-0" -o x$RELEASE = x"alpha13" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ else
+ return 1
+ fi
+}
+# But having fixed it all up, this should pass.
+# We don't need to run this against 4.1.0rc3
+dbcheck_acl_reset_clean()
+{
+ if [ x$RELEASE != x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ fi
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck2()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ else
+ exit 1
+ fi
+}
+# But having fixed it all up, this should pass
+dbcheck_clean2()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ fi
+}
+
+rm_deleted_objects()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-1-0RC3,DC%3DSAMBA,DC%3DCORP.ldb 'CN=Deleted Objects,DC=RELEASE-4-1-0RC3,DC=SAMBA,DC=CORP'
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ else
+ return 0
+ fi
+}
+# This should 'fail', because it returns the number of modified records
+dbcheck3()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ else
+ exit 1
+ fi
+}
+# But having fixed it all up, this should pass
+dbcheck_clean3()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ $PYTHON $BINDIR/samba-tool dbcheck --selftest-check-expired-tombstones --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
+ fi
+}
+
+check_expected_after_deleted_objects()
+{
+ if [ x$RELEASE = x"release-4-1-0rc3" ]; then
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted_objects-after-dbcheck.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb cn=deleted\ objects --scope=base -b cn=deleted\ objects,DC=release-4-1-0rc3,DC=samba,DC=corp objectClass description isDeleted isCriticalSystemObject objectGUID showInAdvancedViewOnly systemFlags --sorted --show-binary --show-deleted | grep -v \# | sort >$tmpldif
+ diff -u $tmpldif $release_dir/expected-deleted_objects-after-dbcheck.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+referenceprovision()
+{
+ if [ x$RELEASE = x"release-4-0-0" ]; then
+ $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old
+
+ # on top of this, also apply 2008R2 changes we accidentally missed in the past
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+ fi
+}
+
+ldapcmp()
+{
+ if [ x$RELEASE = x"release-4-0-0" ]; then
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName
+ fi
+}
+
+ldapcmp_sd()
+{
+ if [ x$RELEASE = x"release-4-0-0" ]; then
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd --skip-missing-dn --filter=servicePrincipalName
+ fi
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}_reference
+
+testit $RELEASE undump || failed=$(expr $failed + 1)
+testit "reindex" reindex || failed=$(expr $failed + 1)
+testit "current_version_mod" do_current_version_mod || failed=$(expr $failed + 1)
+testit "check_expected_before_values" check_expected_before_values || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck_deleted_objects" dbcheck_deleted_objects || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck_objectclass" dbcheck_objectclass || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck" dbcheck || failed=$(expr $failed + 1)
+testit "check_expected_after_values" check_expected_after_values || failed=$(expr $failed + 1)
+testit "check_forced_duplicate_values" check_forced_duplicate_values || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck_after_dup" dbcheck_after_dup || failed=$(expr $failed + 1)
+testit "check_expected_after_dup_values" check_expected_after_dup_values || failed=$(expr $failed + 1)
+testit "dbcheck_clean" dbcheck_clean || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1)
+testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean || failed=$(expr $failed + 1)
+testit "add_userparameters0" add_userparameters1 || failed=$(expr $failed + 1)
+testit "add_userparameters1" add_userparameters1 || failed=$(expr $failed + 1)
+testit "add_userparameters2" add_userparameters2 || failed=$(expr $failed + 1)
+testit "add_userparameters3" add_userparameters3 || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck2" dbcheck2 || failed=$(expr $failed + 1)
+testit "dbcheck_clean2" dbcheck_clean2 || failed=$(expr $failed + 1)
+testit "check_expected_userparameters" check_expected_userparameters || failed=$(expr $failed + 1)
+testit "rm_deleted_objects" rm_deleted_objects || failed=$(expr $failed + 1)
+# We must re-index again because rm_deleted_objects went behind
+# the back of the main sam.ldb.
+testit "reindex2" reindex || failed=$(expr $failed + 1)
+testit_expect_failure "dbcheck3" dbcheck3 || failed=$(expr $failed + 1)
+testit "dbcheck_clean3" dbcheck_clean3 || failed=$(expr $failed + 1)
+testit "check_expected_after_deleted_objects" check_expected_after_deleted_objects || failed=$(expr $failed + 1)
+testit "referenceprovision" referenceprovision || failed=$(expr $failed + 1)
+testit "ldapcmp" ldapcmp || failed=$(expr $failed + 1)
+testit "ldapcmp_sd" ldapcmp_sd || failed=$(expr $failed + 1)
+
+if [ -d $PREFIX_ABS/${RELEASE} ]; then
+ rm -fr $PREFIX_ABS/${RELEASE}
+fi
+
+remove_directory $PREFIX_ABS/${RELEASE}_reference
+
+exit $failed
diff --git a/testprogs/blackbox/dbcheck.sh b/testprogs/blackbox/dbcheck.sh
new file mode 100755
index 0000000..1f1d432
--- /dev/null
+++ b/testprogs/blackbox/dbcheck.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: dbcheck.sh PREFIX
+EOF
+ exit 1
+fi
+
+PREFIX="$1"
+shift 1
+ARGS=$@
+
+. $(dirname $0)/subunit.sh
+
+dbcheck()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs $ARGS
+}
+
+# This list of attributes can be freely extended
+dbcheck_fix_one_way_links()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_old_dn_string_component_mismatch --attrs="lastKnownParent defaultObjectCategory fromServer rIDSetReferences" --cross-ncs $ARGS
+}
+
+# This list of attributes can be freely extended
+dbcheck_fix_stale_links()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes remove_plausible_deleted_DN_links --attrs="member msDS-NC-Replica-Locations msDS-NC-RO-Replica-Locations msDS-RevealOnDemandGroup msDS-NeverRevealGroup msDS-RevealedUsers" --cross-ncs $ARGS
+}
+
+# This list of attributes can be freely extended
+dbcheck_fix_crosspartition_backlinks()
+{
+ # we may not know the target yet when we receive a cross-partition link,
+ # which can result in a missing backlink
+ $PYTHON $BINDIR/samba-tool dbcheck --quiet --fix --yes fix_all_missing_backlinks --attrs="serverReference" --cross-ncs $ARGS
+}
+
+# This test shows that this does not do anything to a current
+# provision (that would be a bug)
+dbcheck_reset_well_known_acls()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --reset-well-known-acls $ARGS
+}
+
+reindex()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --reindex $ARGS
+}
+
+fixed_attrs()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --attrs=cn $ARGS
+}
+
+force_modules()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --force-modules $ARGS
+}
+
+dbcheck_fix_one_way_links
+dbcheck_fix_stale_links
+dbcheck_fix_crosspartition_backlinks
+testit "dbcheck" dbcheck
+testit "reindex" reindex
+testit "fixed_attrs" fixed_attrs
+testit "force_modules" force_modules
+
+exit $failed
diff --git a/testprogs/blackbox/demote-saveddb.sh b/testprogs/blackbox/demote-saveddb.sh
new file mode 100755
index 0000000..56ad136
--- /dev/null
+++ b/testprogs/blackbox/demote-saveddb.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: demote.sh PREFIX RELEASE
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+shift 1
+
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+samba_tree_dir="$SRCDIR_ABS/source4/selftest/provisions/multi-dc-samba-master-c596ac6"
+
+samba_tdbrestore="tdbrestore"
+if [ -x $BINDIR/tdbrestore ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+# The undump script and the provision data is not part of release tarballs,
+# skip the tests in this case!
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+if [ ! -x $samba_undump ] || [ ! -d $samba_tree_dir ]; then
+ subunit_start_test "undump"
+ subunit_skip_test "undump" <<EOF
+EOF
+
+ subunit_start_test "undump"
+ subunit_skip_test "undump" <<EOF
+Skipping tests - no provision!
+EOF
+
+ subunit_start_test "demote-q-0-0"
+ subunit_skip_test "demote-q-0-0" <<EOF
+Skipping tests - no provision!
+EOF
+ subunit_start_test "demote-q-0-1"
+ subunit_skip_test "demote-q-0-1" <<EOF
+Skipping tests - no provision!
+EOF
+ subunit_start_test "demote-q-1-0"
+ subunit_skip_test "demote-q-1-0" <<EOF
+Skipping tests - no provision!
+EOF
+ subunit_start_test "demote-q-1-1"
+ subunit_skip_test "demote-q-1-1" <<EOF
+Skipping tests - no provision!
+EOF
+
+ exit 0
+fi
+
+undump()
+{
+ $SRCDIR_ABS/source4/selftest/provisions/undump.sh $samba_tree_dir $PREFIX_ABS $samba_tdbrestore
+}
+
+demote()
+{
+ $PYTHON $BINDIR/samba-tool domain demote -H tdb://$PREFIX_ABS/private/sam.ldb --remove-other-dead-server=$1
+}
+
+remove_directory $PREFIX_ABS
+
+testit "undump" undump || failed=$(expr $failed + 1)
+testit "demote-q-0-0" demote "q-0-0" || failed=$(expr $failed + 1)
+# The database was copied of q-0-1 so this will fail
+# as we can't remove our own name
+testit_expect_failure "demote-q-0-1" demote "q-0-1" || failed=$(expr $failed + 1)
+testit "demote-q-1-0" demote "q-1-0" || failed=$(expr $failed + 1)
+testit "demote-q-1-1" demote "q-1-1" || failed=$(expr $failed + 1)
+
+remove_directory $PREFIX_ABS
+
+exit $failed
diff --git a/testprogs/blackbox/dfree.sh b/testprogs/blackbox/dfree.sh
new file mode 100755
index 0000000..893bc59
--- /dev/null
+++ b/testprogs/blackbox/dfree.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ "$1" = "." ]; then
+ echo "1000 10 2048"
+elif [ "$1" = "subdir1" ]; then
+ echo "2000 20 4096"
+else
+ echo "4000 40 8192"
+fi
diff --git a/testprogs/blackbox/dom_parse.sh b/testprogs/blackbox/dom_parse.sh
new file mode 100755
index 0000000..8a22ce2
--- /dev/null
+++ b/testprogs/blackbox/dom_parse.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Blackbox wrapper for nsstest
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: dom_parse.sh [id|getent] $USER
+EOF
+ exit 1
+fi
+
+USER=$2
+CMD=$1
+EXTRA=""
+shift 2
+failed=0
+
+. $(dirname $0)/subunit.sh
+
+if [ "$CMD" = "getent" ]; then
+ EXTRA="passwd"
+fi
+
+testit "samba4.winbind.dom_name_parse.cmd.$CMD" $CMD $EXTRA $USER || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
new file mode 100755
index 0000000..9c68047
--- /dev/null
+++ b/testprogs/blackbox/functionalprep.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: $0 PREFIX
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+shift 1
+
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+RELEASE="release-4-8-0-pre1"
+release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE"
+
+OLD_RELEASE="release-4-1-0rc3"
+old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE"
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ] || [ ! -d $old_release_dir ]; then
+ subunit_start_test $RELEASE
+ subunit_skip_test $RELEASE <<EOF
+no test provision
+EOF
+
+ subunit_start_test "functional_prep"
+ subunit_skip_test "functional_prep" <<EOF
+no test provision
+EOF
+
+ subunit_start_test "functional_prep_old"
+ subunit_skip_test "functional_prep_old" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+cleanup_output_directories()
+{
+ remove_directory $PREFIX_ABS/2012R2_schema
+ remove_directory $PREFIX_ABS/$RELEASE
+ remove_directory $PREFIX_ABS/$OLD_RELEASE
+}
+
+undump()
+{
+ $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore
+}
+
+undump_old()
+{
+ $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore
+}
+
+PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1"
+
+provision_2012r2()
+{
+ $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=REALM --realm=REALM.COM --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2 --host-name=FLPREP
+}
+
+ldapcmp_ignore()
+{
+ # At some point we will need to ignore, but right now, it should be perfect
+ IGNORE_ATTRS=$1
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes,servicePrincipalName
+}
+
+ldapcmp()
+{
+ # Our functional prep doesn't set these values as they were not provided
+ # These are XML schema based enumerations which are used for claims
+ ldapcmp_ignore "msDS-ClaimPossibleValues" "$RELEASE" "2012R2_schema"
+}
+
+functional_prep()
+{
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/2012R2_schema/private/sam.ldb --function-level=2012_R2
+}
+
+functional_prep_old()
+{
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --function-level=2012_R2
+}
+
+steal_roles()
+{
+ # Must steal schema master and infrastructure roles first
+ $PYTHON $BINDIR/samba-tool fsmo seize --role=schema -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force
+ $PYTHON $BINDIR/samba-tool fsmo seize --role=infrastructure -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --force
+}
+
+schema_upgrade()
+{
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb --schema=2012_R2
+}
+
+# double-check we cleaned up from the last test run
+cleanup_output_directories
+
+testit $RELEASE undump || failed=$(expr $failed + 1)
+
+# Provision a DC based on 2012R2 schema
+testit "provision_2012R2_schema" provision_2012r2 || failed=$(expr $failed + 1)
+
+# Perform functional prep up to 2012 R2 level
+testit "functional_prep" functional_prep || failed=$(expr $failed + 1)
+
+# check that the databases are now the same
+testit "check_databases_same" ldapcmp || failed=$(expr $failed + 1)
+
+testit $OLD_RELEASE undump_old || failed=$(expr $failed + 1)
+
+testit "steal_roles" steal_roles || failed=$(expr $failed + 1)
+
+testit "schema_upgrade" schema_upgrade || failed=$(expr $failed + 1)
+
+testit "functional_prep_old" functional_prep_old || failed=$(expr $failed + 1)
+
+cleanup_output_directories
+
+exit $failed
diff --git a/testprogs/blackbox/join_ldapcmp.sh b/testprogs/blackbox/join_ldapcmp.sh
new file mode 100755
index 0000000..3e5b264
--- /dev/null
+++ b/testprogs/blackbox/join_ldapcmp.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+# Does a join against the testenv's DC and then runs ldapcmp on the resulting DB
+
+. $(dirname $0)/subunit.sh
+
+TARGET_DIR="$PREFIX_ABS/join_$SERVER"
+
+cleanup_output_dir()
+{
+ if [ -d $TARGET_DIR ]; then
+ rm -fr $TARGET_DIR
+ fi
+}
+
+SAMBA_TOOL="$PYTHON $BINDIR/samba-tool"
+
+join_dc()
+{
+ JOIN_ARGS="--targetdir=$TARGET_DIR --server=$SERVER -U$USERNAME%$PASSWORD"
+ $SAMBA_TOOL domain join $REALM dc $JOIN_ARGS --option="netbios name = TESTJOINDC"
+}
+
+demote_joined_dc()
+{
+ DEMOTE_ARGS="--remove-other-dead-server=TESTJOINDC --server=$SERVER -U$USERNAME%$PASSWORD"
+ $SAMBA_TOOL domain demote $DEMOTE_ARGS
+}
+
+ldapcmp_result()
+{
+ DB1_PATH="tdb://$PREFIX_ABS/$SERVER/private/sam.ldb"
+ DB2_PATH="tdb://$TARGET_DIR/private/sam.ldb"
+
+ # interSiteTopologyGenerator gets periodically updated. With the restored
+ # testenvs, it can sometimes point to the old/deleted DC object still
+ $SAMBA_TOOL ldapcmp $DB1_PATH $DB2_PATH --filter=interSiteTopologyGenerator
+}
+
+cleanup_output_dir
+
+# check that we can join this DC
+testit "check_dc_join" join_dc
+
+# check resulting DB matches server DC
+testit "new_db_matches" ldapcmp_result
+
+testit "demote_joined_dc" demote_joined_dc
+
+cleanup_output_dir
+
+exit $failed
diff --git a/testprogs/blackbox/ldapcmp_restoredc.sh b/testprogs/blackbox/ldapcmp_restoredc.sh
new file mode 100755
index 0000000..831b992
--- /dev/null
+++ b/testprogs/blackbox/ldapcmp_restoredc.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# Does an ldapcmp between a newly restored testenv and the original testenv it
+# was based on
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX
+EOF
+ exit 1
+fi
+
+ORIG_DC_PREFIX_ABS="$1"
+RESTORED_DC_PREFIX_ABS="$2"
+shift 2
+
+. $(dirname $0)/subunit.sh
+
+basedn()
+{
+ SAMDB_PATH=$1
+ $BINDIR/ldbsearch -H $SAMDB_PATH --basedn='' --scope=base defaultNamingContext | grep defaultNamingContext | awk '{print $2}'
+}
+
+ldapcmp_with_orig()
+{
+
+ DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb"
+ DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb"
+
+ # check if the 2 DCs are in different domains
+ DC1_BASEDN=$(basedn $DB1_PATH)
+ DC2_BASEDN=$(basedn $DB2_PATH)
+ BASE_DN_OPTS=""
+
+ # if necessary, pass extra args to ldapcmp to handle the difference in base DNs
+ if [ "$DC1_BASEDN" != "$DC2_BASEDN" ]; then
+ BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN"
+ fi
+
+ # the restored DC will remove DNS entries for the old DC(s)
+ IGNORE_ATTRS="dnsRecord,dNSTombstoned"
+
+ # DC2 joined DC1, so it will have different DRS info
+ IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs"
+ IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator"
+
+ # there's a servicePrincipalName that uses the objectGUID of the DC's NTDS
+ # Settings that will differ between the two DCs
+ IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName"
+
+ # the restore changes the new DC's password twice
+ IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp"
+
+ # The RID pools get bumped during the restore process
+ IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool"
+
+ # these are just differences between provisioning a domain and joining a DC
+ IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName"
+
+ # the restored DC may use a different side compared to the original DC
+ IGNORE_ATTRS="$IGNORE_ATTRS,serverReferenceBL,msDS-IsDomainFor"
+
+ LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp"
+ $LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --skip-missing-dn --filter=$IGNORE_ATTRS $BASE_DN_OPTS
+}
+
+# check that the restored testenv DC basically matches the original
+testit "orig_dc_matches" ldapcmp_with_orig
+
+exit $failed
diff --git a/testprogs/blackbox/nsstest.sh b/testprogs/blackbox/nsstest.sh
new file mode 100755
index 0000000..6bf6705
--- /dev/null
+++ b/testprogs/blackbox/nsstest.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+# Blackbox wrapper for nsstest
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: nsstest.sh NSSTEST LIBNSS_WINBIND
+EOF
+ exit 1
+fi
+
+nsstest=$1
+libnss_winbind=$2
+shift 2
+failed=0
+
+. $(dirname $0)/subunit.sh
+
+testit "run nsstest" $VALGRIND $nsstest $libnss_winbind || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/testprogs/blackbox/renamedc.sh b/testprogs/blackbox/renamedc.sh
new file mode 100755
index 0000000..6e24cdf
--- /dev/null
+++ b/testprogs/blackbox/renamedc.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: renamedc.sh PREFIX
+EOF
+ exit 1
+fi
+
+PREFIX="$1"
+shift 1
+
+samba4bindir="$BINDIR"
+ldbsearch="ldbsearch"
+if [ -x "$samba4bindir/ldbsearch" ]; then
+ ldbsearch="$samba4bindir/ldbsearch"
+fi
+
+. $(dirname $0)/subunit.sh
+
+if [ ! -d $PREFIX/renamedc_test ]; then
+ mkdir -p $PREFIX/renamedc_test
+fi
+
+testprovision()
+{
+ $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/renamedc_test" --server-role="dc" --use-ntvfs
+}
+
+testrenamedc()
+{
+ $PYTHON $SRCDIR/source4/scripting/bin/renamedc \
+ --oldname="BAR" \
+ --newname="RAYMONBAR" \
+ --configfile=$PREFIX/renamedc_test/etc/smb.conf
+}
+
+confirmrenamedc()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com'
+}
+
+confirmrenamedc_server()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=configuration,dc=foo,dc=example,dc=com'
+}
+
+confirmrenamedc_sAMAccountName()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' sAMAccountName | grep 'sAMAccountName: RAYMONBAR\$'
+}
+
+confirmrenamedc_dNSHostName()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b 'cn=RAYMONBAR,ou=domain controllers,dc=foo,dc=example,dc=com' dNSHostName | grep 'dNSHostName: RAYMONBAR.foo.example.com'
+}
+
+confirmrenamedc_rootdse_dnsHostName()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --scope=base -b '' dNSHostName | grep 'dnsHostName: RAYMONBAR.foo.example.com'
+}
+
+confirmrenamedc_rootdse_dsServiceName()
+{
+ $ldbsearch -H $PREFIX/renamedc_test/private/sam.ldb --show-binary --scope=base -b '' dsServiceName | grep 'dsServiceName: CN=NTDS Settings,CN=RAYMONBAR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=foo,DC=example,DC=com'
+}
+
+testrenamedc2()
+{
+ $PYTHON $SRCDIR/source4/scripting/bin/renamedc \
+ --oldname="RAYMONBAR" \
+ --newname="BAR" \
+ --configfile=$PREFIX/renamedc_test/etc/smb.conf
+}
+
+dbcheck_fix()
+{
+ # Unlike most calls to dbcheck --fix, this will not trigger an error, as
+ # we do not flag an error count for this old DN string case.
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf --fix \
+ --quiet --yes fix_all_old_dn_string_component_mismatch \
+ --attrs="fsmoRoleOwner interSiteTopologyGenerator msDS-NC-Replica-Locations"
+}
+
+dbcheck()
+{
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --configfile=$PREFIX/renamedc_test/etc/smb.conf
+}
+
+testit "renameprovision" testprovision || failed=$(expr $failed + 1)
+testit "renamedc" testrenamedc || failed=$(expr $failed + 1)
+testit "confirmrenamedc" confirmrenamedc || failed=$(expr $failed + 1)
+testit "confirmrenamedc_server" confirmrenamedc_server || failed=$(expr $failed + 1)
+testit "confirmrenamedc_sAMAccountName" confirmrenamedc_sAMAccountName || failed=$(expr $failed + 1)
+testit "confirmrenamedc_dNSHostName" confirmrenamedc_dNSHostName || failed=$(expr $failed + 1)
+testit "confirmrenamedc_rootdse_dnsHostName" confirmrenamedc_rootdse_dnsHostName || failed=$(expr $failed + 1)
+testit "confirmrenamedc_rootdse_dsServiceName" confirmrenamedc_rootdse_dsServiceName || failed=$(expr $failed + 1)
+testit "dbcheck_fix" dbcheck_fix || failed=$(expr $failed + 1)
+testit "dbcheck" dbcheck || failed=$(expr $failed + 1)
+testit "renamedc2" testrenamedc2 || failed=$(expr $failed + 1)
+
+if [ $failed -eq 0 ]; then
+ rm -rf $PREFIX/renamedc_test
+fi
+
+exit $failed
diff --git a/testprogs/blackbox/runtime-links.sh b/testprogs/blackbox/runtime-links.sh
new file mode 100755
index 0000000..3862dd9
--- /dev/null
+++ b/testprogs/blackbox/runtime-links.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: dbcheck-links.sh PREFIX RELEASE
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+RELEASE="$2"
+shift 2
+
+failed=0
+
+. $(dirname $0)/subunit.sh
+
+. $(dirname $0)/common-links.sh
+
+. $(dirname $0)/common_test_fns.inc
+
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then
+ subunit_start_test $RELEASE
+ subunit_skip_test $RELEASE <<EOF
+no test provision
+EOF
+
+ subunit_start_test "tombstones_expunge"
+ subunit_skip_test "tombstones_expunge" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+delete_member_of_deleted_group()
+{
+ TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User1 UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+delete_backlink_memberof_deleted_group()
+{
+ TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=User UT. Tester,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+delete_dangling_backlink_memberof_group()
+{
+ TZ=UTC $ldbdel -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb 'CN=dangling-back,CN=Users,DC=release-4-5-0-pre1,DC=samba,DC=corp'
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+testit $RELEASE undump || failed=$(expr $failed + 1)
+testit "add_dangling_link" add_dangling_link || failed=$(expr $failed + 1)
+testit "add_dangling_backlink" add_dangling_backlink || failed=$(expr $failed + 1)
+testit "add_deleted_dangling_backlink" add_deleted_dangling_backlink || failed=$(expr $failed + 1)
+testit "revive_links_on_deleted_group" revive_links_on_deleted_group || failed=$(expr $failed + 1)
+testit "revive_backlink_on_deleted_group" revive_backlink_on_deleted_group || failed=$(expr $failed + 1)
+testit "add_deleted_target_link" add_deleted_target_link || failed=$(expr $failed + 1)
+testit "add_deleted_target_backlink" add_deleted_target_backlink || failed=$(expr $failed + 1)
+testit "dangling_one_way_link" dangling_one_way_link || failed=$(expr $failed + 1)
+testit "dangling_one_way_dn" dangling_one_way_dn || failed=$(expr $failed + 1)
+testit "deleted_one_way_dn" deleted_one_way_dn || failed=$(expr $failed + 1)
+testit "add_dangling_multi_valued" add_dangling_multi_valued || failed=$(expr $failed + 1)
+
+#Now things are set up, work with the DB
+testit "delete_member_of_deleted_group" delete_member_of_deleted_group || failed=$(expr $failed + 1)
+testit "delete_backlink_memberof_deleted_group" delete_backlink_memberof_deleted_group || failed=$(expr $failed + 1)
+testit "delete_dangling_backlink_memberof_group" delete_dangling_backlink_memberof_group || failed=$(expr $failed + 1)
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+exit $failed
diff --git a/testprogs/blackbox/schemaupgrade.sh b/testprogs/blackbox/schemaupgrade.sh
new file mode 100755
index 0000000..b5b638d
--- /dev/null
+++ b/testprogs/blackbox/schemaupgrade.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: $0 PREFIX
+EOF
+ exit 1
+fi
+
+PREFIX_ABS="$1"
+shift 1
+
+. $(dirname $0)/subunit.sh
+
+cleanup_output_directories()
+{
+ if [ -d $PREFIX_ABS/2012R2_schema ]; then
+ rm -fr $PREFIX_ABS/2012R2_schema
+ fi
+
+ if [ -d $PREFIX_ABS/2008R2_schema ]; then
+ rm -fr $PREFIX_ABS/2008R2_schema
+ fi
+}
+
+PROVISION_OPTS="--use-ntvfs --host-ip6=::1 --host-ip=127.0.0.1"
+
+provision_2012r2()
+{
+ $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2012r2.samba.corp --targetdir=$PREFIX_ABS/2012R2_schema --base-schema=2012_R2
+}
+
+provision_2008r2()
+{
+ $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_schema --base-schema=2008_R2
+}
+
+provision_2008r2_old()
+{
+ $PYTHON $BINDIR/samba-tool domain provision $PROVISION_OPTS --domain=SAMBA --realm=w2008r2.samba.corp --targetdir=$PREFIX_ABS/2008R2_old_schema --base-schema=2008_R2_old
+}
+
+ldapcmp_ignore()
+{
+
+ IGNORE_ATTRS=$1
+
+ # there's discrepancies between the SDDL strings in the adprep LDIF files
+ # vs the 2012 schema, where one source will have ACE rights repeated, e.g.
+ # "LOLO" in adprep vs "LO" in the schema
+ IGNORE_ATTRS="$IGNORE_ATTRS,defaultSecurityDescriptor"
+
+ # the adprep LDIF files updates these attributes for the DisplaySpecifiers
+ # objects, but we don't have the 2012 DisplaySpecifiers documentation...
+ IGNORE_ATTRS="$IGNORE_ATTRS,adminContextMenu,adminPropertyPages"
+
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2_schema/private/sam.ldb tdb://$PREFIX_ABS/$3_schema/private/sam.ldb --two --filter=$IGNORE_ATTRS --skip-missing-dn
+}
+
+ldapcmp_old()
+{
+ # the original 2008 schema we received from Microsoft was missing
+ # descriptions and display names. This has been fixed up in the current
+ # Microsoft schemas
+ IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName"
+
+ # we didn't get showInAdvancedViewOnly right on Samba
+ IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly"
+
+ ldapcmp_ignore "$IGNORE_ATTRS" "2008R2_old" "2012R2"
+}
+
+ldapcmp()
+{
+ # The adminDescription and adminDisplayName have been editorially
+ # corrected in the 2012R2 schema but not in the adprep files.
+ ldapcmp_ignore "adminDescription,adminDisplayName" "2008R2" "2012R2"
+}
+
+ldapcmp_2008R2_2008R2_old()
+{
+ # the original 2008 schema we received from Microsoft was missing
+ # descriptions and display names. This has been fixed up in the current
+ # Microsoft schemas
+ IGNORE_ATTRS="adminDescription,description,adminDisplayName,displayName"
+
+ # we didn't get showInAdvancedViewOnly right on Samba
+ IGNORE_ATTRS="$IGNORE_ATTRS,showInAdvancedViewOnly"
+
+ ldapcmp_ignore $IGNORE_ATTRS "2008R2" "2008R2_old"
+}
+
+schema_upgrade()
+{
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_schema/private/sam.ldb --schema=2012_R2
+}
+
+schema_upgrade_old()
+{
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/2008R2_old_schema/private/sam.ldb --schema=2012_R2
+}
+
+# double-check we cleaned up from the last test run
+cleanup_output_directories
+
+# Provision 2 DCs, one based on the 2008R2 schema and one using 2012R2
+testit "provision_2008R2_schema" provision_2008r2
+testit "provision_2008R2_old_schema" provision_2008r2_old
+testit "provision_2012R2_schema" provision_2012r2
+
+# we expect the 2 schemas to be different
+testit_expect_failure "expect_schema_differences" ldapcmp
+
+# check that the 2 schemas are now the same, ignoring Samba bugs
+testit "check_2008R2_2008R2_schemas_same" ldapcmp_2008R2_2008R2_old
+
+# upgrade the 2008 schema to 2012
+testit "schema_upgrade" schema_upgrade
+
+# check that the 2 schemas are now the same
+testit "check_schemas_same" ldapcmp
+
+# upgrade the 2008 schema to 2012
+testit "schema_upgrade_old" schema_upgrade_old
+
+# check that the 2 schemas are now the same, ignoring Samba bugs
+testit "check_schemas_same_old" ldapcmp_old
+
+cleanup_output_directories
+
+exit $failed
diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
new file mode 100755
index 0000000..ba4e997
--- /dev/null
+++ b/testprogs/blackbox/subunit.sh
@@ -0,0 +1,209 @@
+#
+# subunit.sh: shell functions to report test status via the subunit protocol.
+# Copyright (C) 2006 Robert Collins <robertc@robertcollins.net>
+# Copyright (C) 2008 Jelmer Vernooij <jelmer@samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+timestamp()
+{
+ # mark the start time. With Gnu date, you get nanoseconds from %N
+ # (here truncated to microseconds with %6N), but not on BSDs,
+ # Solaris, etc, which will apparently leave either %N or N at the end.
+ date -u +'time: %Y-%m-%d %H:%M:%S.%6NZ' | sed 's/\..*NZ$/.000000Z/'
+}
+
+subunit_start_test()
+{
+ # emit the current protocol start-marker for test $1
+ timestamp
+ printf 'test: %s\n' "$1"
+}
+
+subunit_pass_test()
+{
+ # emit the current protocol test passed marker for test $1
+ timestamp
+ printf 'success: %s\n' "$1"
+}
+
+# This is just a hack as we have some broken scripts
+# which use "exit $failed", without initializing failed.
+failed=0
+
+subunit_fail_test()
+{
+ # emit the current protocol fail-marker for test $1, and emit stdin as
+ # the error text.
+ # we use stdin because the failure message can be arbitrarily long, and this
+ # makes it convenient to write in scripts (using <<END syntax.
+ timestamp
+ printf 'failure: %s [\n' "$1"
+ cat -
+ printf '\n]\n'
+}
+
+subunit_error_test()
+{
+ # emit the current protocol error-marker for test $1, and emit stdin as
+ # the error text.
+ # we use stdin because the failure message can be arbitrarily long, and this
+ # makes it convenient to write in scripts (using <<END syntax.
+ timestamp
+ printf 'error: %s [\n' "$1"
+ cat -
+ printf '\n]\n'
+}
+
+subunit_skip_test()
+{
+ # emit the current protocol skip-marker for test $1, and emit stdin as
+ # the error text.
+ # we use stdin because the failure message can be arbitrarily long, and this
+ # makes it convenient to write in scripts (using <<END syntax.
+ printf 'skip: %s [\n' "$1"
+ cat -
+ printf '\n]\n'
+}
+
+testit()
+{
+ name="$1"
+ shift
+ cmdline="$@"
+ subunit_start_test "$name"
+ output=$($cmdline 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ echo "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+# This returns 0 if the command gave success and the grep value was found
+# all other cases return != 0
+testit_grep()
+{
+ name="$1"
+ shift
+ grep="$1"
+ shift
+ cmdline="$@"
+ subunit_start_test "$name"
+ output=$($cmdline 2>&1)
+ status=$?
+ if [ x$status != x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ return $status
+ fi
+ printf '%s' "$output" | grep -q "$grep"
+ gstatus=$?
+ if [ x$gstatus = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+# This returns 0 if the command gave success and the grep value was found
+# num times all other cases return != 0
+testit_grep_count()
+{
+ name="$1"
+ shift
+ grep="$1"
+ shift
+ num="$1"
+ shift
+ cmdline="$@"
+ subunit_start_test "$name"
+ output=$($cmdline 2>&1)
+ status=$?
+ if [ x$status != x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ return $status
+ fi
+ found=$(printf '%s' "$output" | grep -c "$grep")
+ if [ x"$found" = x"$num" ]; then
+ subunit_pass_test "$name"
+ else
+ printf 'GREP: "%s" found "%d" times, expected "%d" in output:\n%s'\
+ "$grep" "$found" "$num" "$output" |
+ subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+testit_expect_failure()
+{
+ name="$1"
+ shift
+ cmdline="$@"
+ subunit_start_test "$name"
+ output=$($cmdline 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "$output" | subunit_fail_test "$name"
+ else
+ subunit_pass_test "$name"
+ fi
+ return $status
+}
+
+# This returns 0 if the command gave a failure and the grep value was found
+# all other cases return != 0
+testit_expect_failure_grep()
+{
+ name="$1"
+ shift
+ grep="$1"
+ shift
+ cmdline="$@"
+ subunit_start_test "$name"
+ output=$($cmdline 2>&1)
+ status=$?
+ if [ x$status = x0 ]; then
+ printf '%s' "$output" | subunit_fail_test "$name"
+ return 1
+ fi
+ printf '%s' "$output" | grep -q "$grep"
+ gstatus=$?
+ if [ x$gstatus = x0 ]; then
+ subunit_pass_test "$name"
+ else
+ printf 'GREP: "%s" not found in output:\n%s' "$grep" "$output" | subunit_fail_test "$name"
+ fi
+ return $status
+}
+
+testok()
+{
+ name=$(basename $1)
+ failed=$2
+
+ exit $failed
+}
+
+# work out the top level source directory
+if [ -d source4 ]; then
+ SRCDIR="."
+else
+ SRCDIR=".."
+fi
+export SRCDIR
diff --git a/testprogs/blackbox/test_chgdcpass.sh b/testprogs/blackbox/test_chgdcpass.sh
new file mode 100755
index 0000000..8b0ef45
--- /dev/null
+++ b/testprogs/blackbox/test_chgdcpass.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 4 ]; then
+ cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+REALM=$3
+DOMAIN=$4
+PREFIX=$5
+ENCTYPE=$6
+PROVDIR=$7
+smbclient=$8
+shift 8
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+
+samba4kinit_binary=kinit
+heimdal=0
+if test -x $BINDIR/samba4kinit; then
+ heimdal=1
+ samba4kinit_binary=bin/samba4kinit
+fi
+
+machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache"
+
+unc="//$SERVER/tmp"
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+test_drs()
+{
+ function="$1"
+ name="$2"
+ shift
+ shift
+ echo "test: $name"
+ echo $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes $@
+ $VALGRIND $PYTHON $samba4bindir/samba-tool drs $function $SERVER -k yes $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+enctype="-e $ENCTYPE"
+
+KRB5CCNAME="$PREFIX/tmpccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+rm -f $KRB5CCNAME
+
+if [ $heimdal -eq 1 ]; then
+ testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1)
+else
+ testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1)
+fi
+
+#This is important because it puts the ticket for the old KVNO and password into a local ccache
+test_smbclient "Test login with kerberos ccache before password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+#check that drs bind works before we change the password (prime the ccache)
+test_drs bind "Test drs bind with with kerberos ccache" || failed=$(expr $failed + 1)
+
+#check that drs options works before we change the password (prime the ccache)
+test_drs options "Test drs options with with kerberos ccache" || failed=$(expr $failed + 1)
+
+testit "change dc password" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1)
+
+#This is important because it shows that the old ticket remains valid (as it must) for incoming connections after the DC password is changed
+test_smbclient "Test login with kerberos ccache after password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+#check that drs bind works after we change the password
+test_drs bind "Test drs bind with new password" || failed=$(expr $failed + 1)
+
+#check that drs options works after we change the password
+test_drs options "Test drs options with new password" || failed=$(expr $failed + 1)
+
+testit "change dc password (2nd time)" $PYTHON $samba4srcdir/scripting/devel/chgtdcpass --configfile=$PROVDIR/etc/smb.conf || failed=$(expr $failed + 1)
+
+# This is important because it shows that the old ticket is discarded if the server rejects it (as it must) after the password was changed twice in succession.
+# This also ensures we handle the case where the domain is re-provisioned etc
+test_smbclient "Test login with kerberos ccache after 2nd password change" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+#check that drs bind works after we change the password a 2nd time
+test_drs bind "Test drs bind after 2nd password change" || failed=$(expr $failed + 1)
+
+#check that drs options works after we change the password a 2nd time
+test_drs options "Test drs options after 2nd password change" || failed=$(expr $failed + 1)
+
+#This confirms that the DC password is valid for a kinit too
+if [ $heimdal -eq 1 ]; then
+ testit "kinit with keytab" $samba4kinit $enctype -t $PROVDIR/private/secrets.keytab --use-keytab $USERNAME || failed=$(expr $failed + 1)
+else
+ testit "kinit with keytab" $samba4kinit -k -t $PROVDIR/private/secrets.keytab $USERNAME || failed=$(expr $failed + 1)
+fi
+test_smbclient "Test login with kerberos ccache with fresh kinit" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME
+
+rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache
+exit $failed
diff --git a/testprogs/blackbox/test_client_etypes.sh b/testprogs/blackbox/test_client_etypes.sh
new file mode 100755
index 0000000..0389cb3
--- /dev/null
+++ b/testprogs/blackbox/test_client_etypes.sh
@@ -0,0 +1,82 @@
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: test_client_etypes.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS ETYPE_CONF EXPECTED
+EOF
+ exit 1
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+ETYPE_CONF=$5
+EXPECTED_ETYPES="$6"
+
+# Load test functions
+. $(dirname $0)/subunit.sh
+
+KRB5CCNAME_PATH="$PREFIX/test_client_etypes_krb5ccname"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+#requires tshark and sha1sum
+if ! which tshark >/dev/null 2>&1 || ! which sha1sum >/dev/null 2>&1; then
+ subunit_start_test "client encryption types"
+ subunit_skip_test "client encryption types" <<EOF
+Skipping tests - tshark or sha1sum not installed
+EOF
+ exit 0
+fi
+
+HOSTNAME=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10)
+
+RUNDIR=$(pwd)
+cd $BASEDIR
+WORKDIR=$(mktemp -d -p .)
+WORKDIR=$(basename $WORKDIR)
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads --option=kerberosencryptiontypes=$ETYPE_CONF"
+pcap_file=$BASEDIR/$WORKDIR/test.pcap
+
+export SOCKET_WRAPPER_PCAP_FILE=$pcap_file
+testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=$(expr $failed + 1)
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=$(expr $failed + 1)
+
+#The leave command does not use the locally-generated
+#krb5.conf
+export SOCKET_WRAPPER_PCAP_FILE=
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=$(expr $failed + 1)
+
+#
+# Older versions of tshark do not support -Y option,
+# They use -R which cannot be used with recent versions...
+#
+if ! tshark -r $pcap_file -nVY "kerberos" >/dev/null 2>&1; then
+ subunit_start_test "client encryption types"
+ subunit_skip_test "client encryption types" <<EOF
+Skipping tests - old version of tshark detected
+EOF
+ exit 0
+fi
+
+actual_types="$(tshark -r $pcap_file -nVY "kerberos" |
+ sed -rn -e 's/[[:space:]]*ENCTYPE:.*\(([^\)]*)\)$/\1/p' \
+ -e 's/[[:space:]]*Encryption type:.*\(([^\)]*)\)$/\1/p' |
+ sort -u | tr '\n' '_' | sed s/_$//)"
+
+testit "verify types" test "x$actual_types" = "x$EXPECTED_ETYPES" || failed=$(expr $failed + 1)
+
+rm -rf $BASEDIR/$WORKDIR
+rm -f $KRB5CCNAME_PATH
+
+exit $failed
diff --git a/testprogs/blackbox/test_client_kerberos.sh b/testprogs/blackbox/test_client_kerberos.sh
new file mode 100755
index 0000000..b436192
--- /dev/null
+++ b/testprogs/blackbox/test_client_kerberos.sh
@@ -0,0 +1,293 @@
+#!/bin/sh
+# Blackbox tests for kerberos client options
+# Copyright (c) 2019 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: test_client_kerberos.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+USERNAME=$3
+PASSWORD=$4
+SERVER=$5
+PREFIX=$6
+CONFIGURATION=$7
+shift 7
+
+failed=0
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+samba_bindir="$BINDIR"
+samba_rpcclient="$samba_bindir/rpcclient"
+samba_smbclient="$samba_bindir/smbclient"
+samba_smbtorture="$samba_bindir/smbtorture"
+
+samba_kinit=kinit
+if test -x ${samba_bindir}/samba4kinit; then
+ samba_kinit=${samba_bindir}/samba4kinit
+fi
+
+samba_kdestroy=kdestroy
+if test -x ${samba_bindir}/samba4kdestroy; then
+ samba_kinit=${samba_bindir}/samba4kdestroy
+fi
+
+test_rpc_getusername()
+{
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Failed to connect! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep -q "Account Name: $USERNAME, Authority Name: $DOMAIN"
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Incorrect account/authority name! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+test_smbclient()
+{
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Failed to connect! Error: $ret"
+ echo "$out"
+ fi
+
+ return $ret
+}
+
+test_smbclient_kerberos()
+{
+ eval echo "$cmd -d5"
+ out=$(eval $cmd)
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Failed to connect! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep "Doing init for" >/dev/null 2>&1
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ echo "Kinit failed for smbclient"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+KRB5CCNAME_PATH="$PREFIX/ccache_client_kerberos"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+### RPCCLIENT (legacy)
+cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient legacy ntlm" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient legacy ntlm interactive" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient legacy ntlm interactive with -U" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient legacy kerberos" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit_expect_failure "test rpcclient legacy kerberos interactive (negative test)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_rpcclient ncacn_np:${SERVER} -k --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient legacy kerberos ccache" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+### RPCCLIENT
+cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient ntlm" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | USER=${USERNAME} $samba_rpcclient ncacn_np:${SERVER} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient ntlm interactive" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient ntlm interactive with -U" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_rpcclient ncacn_np:${SERVER} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient kerberos" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit_expect_failure "test rpcclient kerberos interactive (negative test)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_rpcclient ncacn_np:${SERVER} --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1'
+testit "test rpcclient kerberos ccache" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+### SMBTORTURE (legacy)
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture legacy default" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture legacy ntlm (kerberos=no)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture legacy kerberos=yes" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbtorture -k yes --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture legacy kerberos=yes ccache" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbtorture -k no --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit_expect_failure "test smbtorture legacy kerberos=no ccache (negative test)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+### SMBTORTURE
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture default" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture ntlm (kerberos=no)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbtorture -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture kerberos=yes" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbtorture --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit "test smbtorture kerberos=yes ccache" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbtorture --use-kerbers=required --configfile=${CONFIGURATION} --maximum-runtime=30 --basedir=$PREFIX --option=torture:progress=no --target=samba4 ncacn_np:${SERVER} rpc.lsa-getuser 2>&1'
+testit_expect_failure "test smbtorture kerberos=no ccache (negative test)" \
+ test_rpc_getusername ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+### SMBCLIENT (legacy)
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient legacy ntlm" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient legacy ntlm interactive" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient legacy ntlm interactive with -U" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} -k --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient legacy kerberos" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -k --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient legacy kerberos ccache" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+### SMBCLIENT tests for --use-kerberos=desired|required|disabled
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient ntlm" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | USER=$USERNAME $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient ntlm interactive" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='echo ${PASSWORD} | $samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME} --use-kerberos=disabled --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient ntlm interactive with -U" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=desired --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient kerberos=desired" \
+ test_smbclient_kerberos ||
+ failed=$(expr $failed + 1)
+
+cmd='$samba_smbclient //${SERVER}/tmp -W ${DOMAIN} -U${USERNAME}%${PASSWORD} --use-kerberos=required --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient kerberos=required" \
+ test_smbclient_kerberos ||
+ failed=$(expr $failed + 1)
+
+kerberos_kinit $samba_kinit ${USERNAME}@${REALM} ${PASSWORD}
+cmd='$samba_smbclient //${SERVER}/tmp --use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c "ls; quit"'
+testit "test smbclient kerberos=required ccache" \
+ test_smbclient ||
+ failed=$(expr $failed + 1)
+$samba_kdestroy
+
+rm -rf $KRB5CCNAME_PATH
+
+exit $failed
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
new file mode 100755
index 0000000..f2cec4c
--- /dev/null
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+REALM=$3
+DOMAIN=$4
+PREFIX=$5
+smbclient=$6
+shift 6
+failed=0
+
+samba4bindir="$BINDIR"
+samba_tool="$samba4bindir/samba-tool"
+samba4ktutil="$BINDIR/samba4ktutil"
+newuser="$samba_tool user create"
+
+DNSDOMAIN=$(echo $REALM | tr '[:upper:]' '[:lower:]')
+SERVER_FQDN="$SERVER.$DNSDOMAIN"
+
+samba4kinit_binary=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary=$BINDIR/samba4kinit
+fi
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+test_keytab()
+{
+ testname="$1"
+ keytab="$2"
+ principal="$3"
+ expected_nkeys="$4"
+
+ echo "test: $testname"
+
+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
+ status=$?
+ if [ x$status != x0 ]; then
+ echo "failure: $testname"
+ return $status
+ fi
+
+ if [ x$NKEYS != x$expected_nkeys ]; then
+ echo "failure: $testname"
+ return 1
+ fi
+ echo "success: $testname"
+ return 0
+}
+
+USERPASS=testPaSS@01%
+unc="//$SERVER/tmp"
+
+testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=$(expr $failed + 1)
+
+testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
+testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
+
+testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
+testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
+
+testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=$(expr $failed + 1)
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
+testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=$(expr $failed + 1)
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
+
+testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=$(expr $failed + 1)
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
+
+KRB5CCNAME="$PREFIX/tmpuserccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+testit "kinit with keytab as user" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit with keytab as user (2)" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab-2 --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache as user (2)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpadminccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+testit "kinit with keytab as $USERNAME" $VALGRIND $samba4kinit --keytab=$PREFIX/tmpkeytab --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpspnupnccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+testit "kinit with SPN from keytab" $VALGRIND $samba4kinit -k -t $PREFIX/tmpkeytab-3 http/testupnspn.$DNSDOMAIN || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpadminccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+testit "del user" $VALGRIND $PYTHON $samba_tool user delete nettestuser -k yes $@ || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server $PREFIX/tmpspnupnccache
+exit $failed
diff --git a/testprogs/blackbox/test_export_keytab_mit.sh b/testprogs/blackbox/test_export_keytab_mit.sh
new file mode 100755
index 0000000..abc6040
--- /dev/null
+++ b/testprogs/blackbox/test_export_keytab_mit.sh
@@ -0,0 +1,137 @@
+#!/bin/sh
+#
+# Blackbox tests for an exported keytab with kinit
+#
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) 2016 Andreas Schneider <asn@cryptomilk.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+REALM=$3
+DOMAIN=$4
+PREFIX=$5
+smbclient=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+samba_tool="$samba_bindir/samba-tool"
+samba_newuser="$samba_tool user create"
+samba_texpect="$samba_bindir/texpect"
+samba_ktutil="$BINDIR/samba4ktutil"
+
+samba_kinit=kinit
+samba_kdestroy=kdestroy
+
+SERVER_FQDN="$SERVER.$(echo $REALM | tr '[:upper:]' '[:lower:]')"
+
+source $(dirname $0)/subunit.sh
+
+test_smbclient()
+{
+ name="$1"
+ cmd="$2"
+ shift
+ shift
+ echo "test: $name"
+ $VALGRIND $smbclient //$SERVER/tmp -c "$cmd" $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+test_keytab()
+{
+ testname="$1"
+ keytab="$2"
+ principal="$3"
+ expected_nkeys="$4"
+
+ echo "test: $testname"
+
+ NKEYS=$($VALGRIND $samba_ktutil $keytab | grep -i "$principal" | egrep -c "DES|AES|ArcFour")
+ status=$?
+ if [ x$status != x0 ]; then
+ echo "failure: $testname"
+ return $status
+ fi
+
+ if [ x$NKEYS != x$expected_nkeys ]; then
+ echo "failure: $testname"
+ return 1
+ fi
+ echo "success: $testname"
+ return 0
+}
+
+TEST_USER=nettestuser
+TEST_PASSWORD=testPaSS@01%
+
+EXPECTED_NKEYS=3
+krb5_version="$(krb5-config --version | cut -d ' ' -f 4)"
+krb5_major_version="$(echo $krb5_version | awk -F. '{ print $1; }')"
+krb5_minor_version="$(echo $krb5_version | awk -F. '{ print $2; }')"
+
+# MIT Kerberos < 1.18 has support for DES keys
+if [ $krb5_major_version -eq 1 ] && [ $krb5_minor_version -lt 18 ]; then
+ EXPECTED_NKEYS=5
+fi
+
+testit "create local user $TEST_USER" $VALGRIND $PYTHON $samba_newuser $TEST_USER $TEST_PASSWORD $@ || failed=$(expr $failed + 1)
+
+testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-all $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab-all" "$SERVER\\\$" $EXPECTED_NKEYS
+
+testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-all $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab-all" "$SERVER\\\$" $EXPECTED_NKEYS
+
+testit "dump keytab from domain for cifs service principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain for cifs service principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" $EXPECTED_NKEYS
+testit "dump keytab from domain for cifs service principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=$(expr $failed + 1)
+test_keytab "read keytab from domain for cifs service principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" $EXPECTED_NKEYS
+
+testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-user-princ --principal=$TEST_USER $@ || failed=$(expr $failed + 1)
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-user-princ" "$TEST_USER@$REALM" $EXPECTED_NKEYS
+testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-user-princ --principal=$TEST_USER@$REALM $@ || failed=$(expr $failed + 1)
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-user-princ" "$TEST_USER@$REALM" $EXPECTED_NKEYS
+
+KRB5CCNAME="$PREFIX/tmpuserccache"
+export KRB5CCNAME
+
+testit "kinit with keytab as user" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-all $TEST_USER@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-kerberos=required || failed=$(expr $failed + 1)
+$samba_kdestroy
+
+testit "kinit with keytab as user (one princ)" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-user-princ $TEST_USER@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache (one princ)" 'ls' --use-kerberos=required || failed=$(expr $failed + 1)
+$samba_kdestroy
+
+KRB5CCNAME="$PREFIX/tmpadminccache"
+export KRB5CCNAME
+
+testit "kinit with keytab as $USERNAME" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-all $USERNAME@$REALM || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpserverccache"
+export KRB5CCNAME
+echo "$samba_kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN"
+testit "kinit with SPN from keytab" $VALGRIND $samba_kinit -k -t $PREFIX/tmpkeytab-server cifs/$SERVER_FQDN || failed=$(expr $failed + 1)
+
+# cleanup
+testit "delete user $TEST_USER" $VALGRIND $PYTHON $samba_tool user delete nettestuser -k yes $@ || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+rm -f $PREFIX/tmpadminccache $PREFIX/tmpuserccache $PREFIX/tmpkeytab $PREFIX/tmpkeytab-2 $PREFIX/tmpkeytab-server
+
+exit $failed
diff --git a/testprogs/blackbox/test_kinit_heimdal.sh b/testprogs/blackbox/test_kinit_heimdal.sh
new file mode 100755
index 0000000..2db03da
--- /dev/null
+++ b/testprogs/blackbox/test_kinit_heimdal.sh
@@ -0,0 +1,260 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+ENCTYPE=$7
+smbclient=$8
+shift 8
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+samba4kinit_binary=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary=$BINDIR/samba4kinit
+fi
+
+samba_tool="$samba4bindir/samba-tool"
+texpect="$samba4bindir/texpect"
+samba4kpasswd=kpasswd
+if test -x $BINDIR/samba4kpasswd; then
+ samba4kpasswd=$BINDIR/samba4kpasswd
+fi
+
+enableaccount="$samba_tool user enable"
+machineaccountccache="$samba4srcdir/scripting/bin/machineaccountccache"
+
+ldbmodify="ldbmodify"
+if [ -x "$samba4bindir/ldbmodify" ]; then
+ ldbmodify="$samba4bindir/ldbmodify"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$samba4bindir/ldbsearch" ]; then
+ ldbsearch="$samba4bindir/ldbsearch"
+fi
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+enctype="-e $ENCTYPE"
+unc="//$SERVER/tmp"
+
+ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
+export ADMIN_LDBMODIFY_CONFIG
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
+testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
+
+echo $PASSWORD >$PREFIX/tmppassfile
+testit "kinit with password (initial)" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R
+
+test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+USERPASS=testPass@12%
+echo $USERPASS >$PREFIX/tmpuserpassfile
+testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+echo "Getting defaultNamingContext"
+BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+add: servicePrincipalName
+servicePrincipalName: host/nettestuser
+replace: userPrincipalName
+userPrincipalName: nettest@$REALM
+EOF
+
+testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+testit "enable user with kerberos cache" $VALGRIND $PYTHON $enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=$(expr $failed + 1)
+
+KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with user password (after enable of user and password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+NEWUSERPASS=testPaSS@34%
+testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS $@ || failed=$(expr $failed + 1)
+
+echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
+rm -f $KRB5CCNAME_PATH
+testit "kinit with user password (after rpc password change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (NT-Principal style) using UPN" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (windows style) using UPN" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from windows UPN" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: nettest@$REALM.org
+EOF
+
+testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with password (enterprise style) using UPN" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmpuserpassfile --request-pac nettest@$REALM.org || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from enterprise UPN, different domain" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@56%
+echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password
+password ${USERPASS}\n
+expect New password
+send ${NEWUSERPASS}\n
+expect Verify password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "change user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with user password (after kpasswd change)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+NEWUSERPASS=testPaSS@78%
+echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
+
+test_smbclient "Test login with user kerberos ccache (after kpasswd change)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect New password
+send ${NEWUSERPASS}\n
+expect Verify password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "set user password with kpasswd" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$ADMIN_KRB5CCNAME nettestuser@$REALM || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with user password (after kpasswd set)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache (after kpasswd set)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+NEWUSERPASS=testPaSS@910%
+echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect New password
+send ${NEWUSERPASS}\n
+expect Verify password
+send ${NEWUSERPASS}\n
+expect Success
+EOF
+
+testit "set user password with kpasswd and servicePrincipalName" $texpect $PREFIX/tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache host/nettestuser@$REALM || failed=$(expr $failed + 1)
+
+testit "kinit with user password (after set with kpasswd and spn)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache (after set with kpasswd and spn)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+EOF
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@911%
+
+testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmppasswordchange <<EOF
+expect nettestuser@${REALM}'s Password:
+send ${USERPASS}\n
+expect Your password will expire at
+expect Changing password
+expect New password:
+send ${NEWUSERPASS}\n
+expect Repeat new password:
+send ${NEWUSERPASS}\n
+expect Success: Password changed
+EOF
+
+testit "kinit with user password for expired password" $texpect $PREFIX/tmppasswordchange $samba4kinit $enctype --request-pac nettestuser@$REALM && failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
+testit "kinit with user password (after password change forced by expiration)" $samba4kinit $enctype --password-file=$PREFIX/tmpuserpassfile --request-pac nettestuser@$REALM || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+rm -rf $KRB5CCNAME_PATH
+
+lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1)
+
+testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
+test_smbclient "Test machine account login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
+exit $failed
diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
new file mode 100755
index 0000000..bde140a
--- /dev/null
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -0,0 +1,332 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+# Copyright (c) 2015-2016 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+smbclient=$7
+shift 7
+failed=0
+
+samba_bindir="$BINDIR"
+samba_srcdir="$SRCDIR/source4"
+samba_kinit=kinit
+samba_kdestroy=kdestroy
+samba_kpasswd=kpasswd
+samba_kvno=kvno
+
+samba_tool="$samba_bindir/samba-tool"
+samba_texpect="$samba_bindir/texpect"
+
+samba_enableaccount="$samba_tool user enable"
+machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
+
+ldbmodify="ldbmodify"
+if [ -x "$samba_bindir/ldbmodify" ]; then
+ ldbmodify="$samba_bindir/ldbmodify"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$samba_bindir/ldbsearch" ]; then
+ ldbsearch="$samba_bindir/ldbsearch"
+fi
+
+. $(dirname $0)/subunit.sh
+
+test_smbclient()
+{
+ name="$1"
+ cmd="$2"
+ shift
+ shift
+ echo "test: $name"
+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
+export ADMIN_LDBMODIFY_CONFIG
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
+testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpkinitscript <<EOF
+expect Password for
+send ${PASSWORD}\n
+EOF
+
+###########################################################
+### Test kinit defaults
+###########################################################
+
+testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit renew ticket" $samba_kinit -R || failed=$(expr $failed + 1)
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Test kinit with enterprice principal
+###########################################################
+
+testit "kinit with password (enterprise style)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $USERNAME@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+# This does not work with MIT Kerberos 1.14 or older
+testit "kinit renew ticket (enterprise style)" $samba_kinit -R || failed=$(expr $failed + 1)
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Tests with kinit default again
+###########################################################
+
+testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $USERNAME@$REALM || failed=$(expr $failed + 1)
+testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+USERPASS="testPass@12%"
+
+testit "add user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user create nettestuser $USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+echo "Getting defaultNamingContext"
+BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+add: servicePrincipalName
+servicePrincipalName: host/nettestuser
+replace: userPrincipalName
+userPrincipalName: nettest@$REALM
+EOF
+
+testit "modify servicePrincipalName and userPrincpalName" $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+testit "set user password with kerberos ccache" $VALGRIND $PYTHON $samba_tool user setpassword nettestuser --newpassword=$USERPASS $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount nettestuser -H ldap://$SERVER -k yes $@ || failed=$(expr $failed + 1)
+
+###########################################################
+### Test kinit with canonicalization
+###########################################################
+
+upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
+testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Test kinit with user credentials
+###########################################################
+
+KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+rm -f $KRB5CCNAME_PATH
+
+cat >$PREFIX/tmpkinituserpassscript <<EOF
+expect Password for
+send ${USERPASS}\n
+EOF
+
+testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+### Change password
+
+NEWUSERPASS="testPaSS@34%"
+testit "change user password with 'samba-tool user password' (rpc)" $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -Unettestuser%$USERPASS $CONFIGURATION -k no --newpassword=$NEWUSERPASS $@ || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpkinituserpassscript <<EOF
+expect Password for
+send ${NEWUSERPASS}\n
+EOF
+
+testit "kinit with new user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Test kinit with user credentials in special formats
+###########################################################
+
+testit "kinit with new (NT-Principal style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettest@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from NT UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Test kinit with user credentials and changed realm
+###########################################################
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: nettest@$REALM.org
+EOF
+
+testit "modify userPrincipalName to be a different domain" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+testit "kinit with new (enterprise style) using UPN" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit -E nettest@$REALM.org || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache from enterprise UPN" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### Test password change with kpasswd
+###########################################################
+
+testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@56%
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password for
+password ${USERPASS}\n
+expect Enter new password
+send ${NEWUSERPASS}\n
+expect Enter it again
+send ${NEWUSERPASS}\n
+expect Password changed
+EOF
+
+testit "change user password with kpasswd" $samba_texpect $PREFIX/tmpkpasswdscript $samba_kpasswd nettestuser@$REALM || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+USERPASS=$NEWUSERPASS
+cat >$PREFIX/tmpkinituserpassscript <<EOF
+expect Password for
+send ${USERPASS}\n
+EOF
+
+testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+###########################################################
+### TODO Test set password with kpasswd
+###########################################################
+
+# This is not implemented in kpasswd
+
+###########################################################
+### Test password expiry
+###########################################################
+
+cat >$PREFIX/tmpldbmodify <<EOF
+dn: cn=nettestuser,cn=users,$BASEDN
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+EOF
+
+USERPASS=$NEWUSERPASS
+NEWUSERPASS=testPaSS@911%
+
+testit "modify pwdLastSet" $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify -k yes $@ || failed=$(expr $failed + 1)
+
+cat >$PREFIX/tmpkinituserpassscript <<EOF
+expect Password for
+send ${USERPASS}\n
+expect Password expired. You must change it now.
+expect Enter new password
+send ${NEWUSERPASS}\n
+expect Enter it again
+send ${NEWUSERPASS}\n
+EOF
+
+testit "kinit (MIT) with user password for expired password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+USERPASS=$NEWUSERPASS
+cat >$PREFIX/tmpkinituserpassscript <<EOF
+expect Password for
+send ${USERPASS}\n
+EOF
+
+testit "kinit with user password" $samba_texpect $PREFIX/tmpkinituserpassscript $samba_kinit nettestuser@$REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+###########################################################
+### Test login with lowercase realm
+###########################################################
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+rm -rf $KRB5CCNAME_PATH
+
+lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=$(expr $failed + 1)
+
+testit "del user with kerberos ccache" $VALGRIND $PYTHON $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+###########################################################
+### Test login with machine account
+###########################################################
+
+rm -f $KRB5CCNAME_PATH
+testit "kinit with machineaccountccache script" $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
+test_smbclient "Test machine account login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "reset password policies" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
+
+###########################################################
+### Test basic s4u2self request
+###########################################################
+
+# Use previous acquired machine creds to request a ticket for self.
+# We expect it to fail for now.
+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM"
+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT
+# But we expect the KDC to be up and running still
+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=$(expr $failed + 1)
+
+### Cleanup
+
+$samba_kdestroy
+
+rm -f $KRB5CCNAME_PATH
+rm -f $PREFIX/tmpkinituserpassscript
+rm -f $PREFIX/tmpkinitscript
+rm -f $PREFIX/tmpkpasswdscript
+exit $failed
diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
new file mode 100755
index 0000000..552808d
--- /dev/null
+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
@@ -0,0 +1,103 @@
+#!/bin/sh
+# Copyright (C) 2015 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 13 ]; then
+ cat <<EOF
+Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE ENCTYPE
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+shift 5
+TRUST_SERVER=$1
+TRUST_USERNAME=$2
+TRUST_PASSWORD=$3
+TRUST_REALM=$4
+TRUST_DOMAIN=$5
+shift 5
+PREFIX=$1
+TYPE=$2
+ENCTYPE=$3
+shift 3
+failed=0
+
+samba4bindir="$BINDIR"
+samba4kinit_binary=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary=$BINDIR/samba4kinit
+fi
+
+smbclient="$samba4bindir/smbclient"
+wbinfo="$samba4bindir/wbinfo"
+rpcclient="$samba4bindir/rpcclient"
+samba_tool="$samba4bindir/samba-tool"
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+unc="//$SERVER.$REALM/tmp"
+
+enctype="-e $ENCTYPE"
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
+echo $TRUST_PASSWORD >$PREFIX/tmppassfile
+testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+rm -rf $KRB5CCNAME_PATH
+
+testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
+rm -rf $KRB5CCNAME_PATH
+
+# Test with smbclient4
+smbclient="$samba4bindir/smbclient4"
+testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+rm -rf $KRB5CCNAME_PATH
+
+testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+smbclient="$samba4bindir/smbclient"
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+if test x"${TYPE}" = x"forest"; then
+ testit "kinit with password (upn enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac testdenied_upn@${TRUST_REALM}.upn || failed=$(expr $failed + 1)
+ test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+fi
+
+testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R
+
+test_smbclient "Test login with kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "check time with kerberos ccache" $VALGRIND $PYTHON $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=$(expr $failed + 1)
+
+# Test the outgoing direction
+unc="//$TRUST_SERVER.$TRUST_REALM/tmp"
+test_smbclient "Test user login with the first outgoing secret" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1)
+
+testit_expect_failure "setpassword should not work" $VALGRIND $PYTHON $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$(expr $failed + 1)
+
+testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+
+test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpccache $PREFIX/tmppassfile
+exit $failed
diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh
new file mode 100755
index 0000000..35fcb6d
--- /dev/null
+++ b/testprogs/blackbox/test_kinit_trusts_mit.sh
@@ -0,0 +1,140 @@
+#!/bin/sh
+# Blackbox tests for kinit and trust validation
+# Copyright (c) 2015 Stefan Metzmacher <metze@samba.org>
+# Copyright (c) 2016 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_kinit_trusts.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+shift 5
+TRUST_SERVER=$1
+TRUST_USERNAME=$2
+TRUST_PASSWORD=$3
+TRUST_REALM=$4
+TRUST_DOMAIN=$5
+shift 5
+PREFIX=$1
+TYPE=$2
+shift 2
+
+failed=0
+
+samba_bindir="$BINDIR"
+samba_srcdir="$SRCDIR/source4"
+samba_kinit=kinit
+samba_kdestroy=kdestroy
+samba_kpasswd=kpasswd
+
+samba_tool="$samba_bindir/samba-tool"
+samba_texpect="$samba_bindir/texpect"
+
+smbclient="$samba_bindir/smbclient"
+wbinfo="$samba_bindir/wbinfo"
+rpcclient="$samba_bindir/rpcclient"
+
+SMBCLIENT_UNC="//$SERVER.$REALM/tmp"
+
+. $(dirname $0)/subunit.sh
+
+test_smbclient()
+{
+ name="$1"
+ cmd="$2"
+ shift
+ shift
+ echo "test: $name"
+ $VALGRIND $smbclient $CONFIGURATION $SMBCLIENT_UNC -c "$cmd" $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+KRB5CCNAME_PATH="$PREFIX/test_kinit_trusts_ccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
+cat >$PREFIX/tmpkinitscript <<EOF
+expect Password for
+send ${TRUST_PASSWORD}\n
+EOF
+
+###########################################################
+### Test incoming trust direction
+###########################################################
+
+testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+$samba_kdestroy
+
+smbclient="$samba_bindir/smbclient4"
+
+testit "kinit with password" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+$samba_kdestroy
+
+smbclient="$samba_bindir/smbclient"
+
+testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+if test x"${TYPE}" = x"forest"; then
+ testit "kinit with password (enterprise UPN)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E testdenied_upn@${TRUST_REALM}.upn || failed=$(expr $failed + 1)
+ test_smbclient "Test login with user kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+fi
+
+$samba_kdestroy
+
+testit "kinit with password (enterprise)" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -E $TRUST_USERNAME@$TRUST_REALM || failed=$(expr $failed + 1)
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "kinit renew ticket" $samba_kinit -R
+test_smbclient "Test login with kerberos ccache" 'ls' --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "check time with kerberos ccache" $VALGRIND $samba_tool time $SERVER.$REALM $CONFIGURATION -k yes $@ || failed=$(expr $failed + 1)
+
+$samba_kdestroy
+
+lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' --use-kerberos=required -U$TRUST_USERNAME@$lowerrealm%$TRUST_PASSWORD || failed=$(expr $failed + 1)
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' --use-kerberos=required -U$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD --realm=$lowerrealm || failed=$(expr $failed + 1)
+
+###########################################################
+### Test outgoing trust direction
+###########################################################
+
+SMBCLIENT_UNC="//$TRUST_SERVER.$TRUST_REALM/tmp"
+test_smbclient "Test user login with the first outgoing secret" 'ls' --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1)
+
+testit_expect_failure "setpassword should not work" $VALGRIND $samba_tool user setpassword "${TRUST_DOMAIN}\$" --random-password || failed=$(expr $failed + 1)
+
+testit "wbinfo ping dc" $VALGRIND $wbinfo --ping-dc --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+testit "wbinfo change outgoing trust pw" $VALGRIND $wbinfo --change-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domain=$TRUST_DOMAIN || failed=$(expr $failed + 1)
+
+test_smbclient "Test user login with the changed outgoing secret" 'ls' --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=$(expr $failed + 1)
+
+### Cleanup
+
+$samba_kdestroy
+
+rm -f $KRB5CCNAME_PATH
+rm -f $PREFIX/tmpkinituserpassscript
+rm -f $PREFIX/tmpkinitscript
+
+exit $failed
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
new file mode 100755
index 0000000..0585e7b
--- /dev/null
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -0,0 +1,250 @@
+#!/bin/sh
+# Blackbox tests for chainging passwords with kinit and kpasswd
+#
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) 2016 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+
+smbclient="$samba_bindir/smbclient"
+samba_kinit=$samba_bindir/samba4kinit
+samba_kpasswd=$samba_bindir/samba4kpasswd
+
+mit_kpasswd="$(command -v kpasswd)"
+
+samba_tool="$samba_bindir/samba-tool"
+net_tool="$samba_bindir/net"
+texpect="$samba_bindir/texpect"
+
+newuser="$samba_tool user create"
+SMB_UNC="//$SERVER/tmp"
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+do_kinit()
+{
+ principal="$1"
+ password="$2"
+ shift
+ shift
+ kerberos_kinit "$samba_kinit" "$principal" "$password" $@
+}
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+CONFIG="--configfile=$PREFIX/etc/smb.conf"
+export CONFIG
+
+testit "reset password policies beside of minimum password age of 0 days" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
+
+TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
+TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
+TEST_PASSWORD="testPaSS@00%"
+TEST_PASSWORD_NEW="testPaSS@01%"
+TEST_PASSWORD_SHORT="secret"
+TEST_PASSWORD_WEAK="Supersecret"
+
+testit "create user locally" \
+ $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpuserccache"
+export KRB5CCNAME
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1)
+
+testit "change user password with 'samba-tool user password' (unforced)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1)
+
+TEST_PASSWORD_OLD=$TEST_PASSWORD
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@02%"
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=${KRB5CCNAME} || failed=$(expr $failed + 1)
+
+###########################################################
+### check that a short password is rejected
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password
+password ${TEST_PASSWORD}\n
+expect New password
+send ${TEST_PASSWORD_SHORT}\n
+expect Verify password
+send ${TEST_PASSWORD_SHORT}\n
+expect Password too short
+EOF
+
+testit "kpasswd check short user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+###########################################################
+### check that a weak password is rejected
+###########################################################
+
+echo "check that a short password is rejected"
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password
+password ${TEST_PASSWORD}\n
+expect New password
+send $TEST_PASSWORD_WEAK\n
+expect Verify password
+send $TEST_PASSWORD_WEAK\n
+expect Password does not meet complexity requirements
+EOF
+
+testit "kpasswd check weak user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+###########################################################
+### check that a strong password is accepted
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password
+password ${TEST_PASSWORD}\n
+expect New password
+send ${TEST_PASSWORD_NEW}\n
+expect Verify password
+send ${TEST_PASSWORD_NEW}\n
+expect Success
+EOF
+
+testit "kpasswd change user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@03%"
+
+###########################################################
+### CVE-2022-XXXXX
+###########################################################
+
+if [ -n "${mit_kpasswd}" ]; then
+ cat > "${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for ${TEST_PRINCIPAL}
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+ SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
+ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
+ export KRB5_CONFIG
+ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
+ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
+ testit "MIT kpasswd change user password" \
+ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
+ "${TEST_PRINCIPAL}" ||
+ failed=$((failed + 1))
+ KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
+ export KRB5_CONFIG
+fi
+
+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
+TEST_PASSWORD_NEW="testPaSS@03force%"
+
+###########################################################
+### Force password change at login
+###########################################################
+
+testit "set password on user locally" \
+ $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@04%"
+
+rm -f $PREFIX/tmpuserccache
+
+cat >$PREFIX/tmpkinitscript <<EOF
+expect Password
+password ${TEST_PASSWORD}\n
+expect Changing password
+expect New password
+send ${TEST_PASSWORD_NEW}\n
+expect Repeat new password
+send ${TEST_PASSWORD_NEW}\n
+expect Success
+EOF
+
+testit "kinit and change user password" \
+ $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@07%"
+
+test_smbclient "Test login with user (kerberos)" \
+ "ls" "$SMB_UNC" -k yes -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Test kpasswd service via 'net ads password'
+###########################################################
+
+# NOTE: This works with heimdal because the krb5_set_password function tries
+# set_password call first and falls back to change_password if it doesn't
+# succeed.
+testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
+ $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@08%"
+
+test_smbclient "Test login with smbclient (ntlm)" \
+ "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Test kpasswd service via 'net ads password' as admin
+###########################################################
+
+testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
+ $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@07%"
+
+test_smbclient "Test login with smbclient (ntlm)" \
+ "ls" "$SMB_UNC" -k no -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Cleanup
+###########################################################
+
+testit "reset password policies" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
+
+testit "delete user" \
+ $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript
+exit $failed
diff --git a/testprogs/blackbox/test_kpasswd_mit.sh b/testprogs/blackbox/test_kpasswd_mit.sh
new file mode 100755
index 0000000..ad577a6
--- /dev/null
+++ b/testprogs/blackbox/test_kpasswd_mit.sh
@@ -0,0 +1,229 @@
+#!/bin/sh
+# Blackbox tests for chainging passwords with kinit and kpasswd
+#
+# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (c) 2016 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: test_kpasswd_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+
+samba_kinit=kinit
+samba_kpasswd=kpasswd
+
+smbclient="$samba_bindir/smbclient"
+samba_tool="$samba_bindir/samba-tool"
+net_tool="$samba_bindir/net"
+texpect="$samba_bindir/texpect"
+
+newuser="$samba_tool user create"
+SMB_UNC="//$SERVER/tmp"
+
+. $(dirname $0)/subunit.sh
+. $(dirname $0)/common_test_fns.inc
+
+do_kinit()
+{
+ principal="$1"
+ password="$2"
+ shift
+ shift
+ echo $password | $samba_kinit $principal
+}
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+CONFIG="--configfile=$PREFIX/etc/smb.conf"
+export CONFIG
+
+testit "reset password policies beside of minimum password age of 0 days" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$(expr $failed + 1)
+
+TEST_USERNAME="samson"
+TEST_PASSWORD="testPaSS@00%"
+TEST_PASSWORD_NEW="testPaSS@01%"
+TEST_PASSWORD_SHORT="secret"
+TEST_PASSWORD_WEAK="Supersecret"
+TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
+
+testit "create user locally" \
+ $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpuserccache"
+export KRB5CCNAME
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+testit "change user password with 'samba-tool user password' (unforced)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD --use-kerberos=off --newpassword=$TEST_PASSWORD_NEW || failed=$(expr $failed + 1)
+
+TEST_PASSWORD_OLD=$TEST_PASSWORD
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@02%"
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=$(expr $failed + 1)
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=$(expr $failed + 1)
+
+###########################################################
+### check that a password mismatch is detected
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password for $TEST_PRINCIPAL
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_WEAK}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect kpasswd: Password mismatch while reading password
+EOF
+
+testit_expect_failure "kpasswd check password mismatch" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1)
+
+###########################################################
+### check that a short password is rejected
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password for $TEST_PRINCIPAL
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_SHORT}\n
+expect Enter it again
+send ${TEST_PASSWORD_SHORT}\n
+expect Password change rejected: Password too short, password must be at least 7 characters long
+EOF
+
+testit_expect_failure "kpasswd check short user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1)
+
+###########################################################
+### check that a weak password is rejected
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password for $TEST_PRINCIPAL
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_WEAK}\n
+expect Enter it again
+send ${TEST_PASSWORD_WEAK}\n
+expect Password change rejected: Password does not meet complexity requirement
+EOF
+
+testit_expect_failure "kpasswd check weak user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL && failed=$(expr $failed + 1)
+
+###########################################################
+### check that a strong password is accepted
+###########################################################
+
+cat >$PREFIX/tmpkpasswdscript <<EOF
+expect Password for $TEST_PRINCIPAL
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+testit "kpasswd change user password" \
+ $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@03%"
+
+test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Force password change at login
+###########################################################
+
+testit "set password on user locally" \
+ $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@04%"
+
+cat >$PREFIX/tmpkinitscript <<EOF
+expect Password for $TEST_PRINCIPAL
+password ${TEST_PASSWORD}\n
+expect Password expired
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+EOF
+
+testit "kinit and change user password" \
+ $texpect $PREFIX/tmpkinitscript $samba_kinit $TEST_PRINCIPAL || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@05%"
+
+test_smbclient "Test login with user kerberos" \
+ "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Test kpasswd service via 'net ads password'
+###########################################################
+
+testit "change user password with 'net ads password', admin: $DOMAIN/$TEST_USERNAME, target: $TEST_PRINCIPAL" \
+ $VALGRIND $net_tool ads password -W$DOMAIN -U$TEST_PRINCIPAL%$TEST_PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
+
+#TEST_PASSWORD=$TEST_PASSWORD_NEW
+#TEST_PASSWORD_NEW="testPaSS@06%"
+
+#test_smbclient "Test login with smbclient (ntlm)" \
+# "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
+
+###########################################################
+### Test kpasswd service via 'net ads password' as admin
+###########################################################
+
+testit "set user password with 'net ads password', admin: $DOMAIN/$USERNAME, target: $TEST_PRINCIPAL" \
+ $VALGRIND $net_tool ads password -W$DOMAIN -U$USERNAME@$REALM%$PASSWORD $TEST_PRINCIPAL "$TEST_PASSWORD_NEW" || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@07%"
+
+test_smbclient "Test login with smbclient (ntlm)" \
+ "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=$(expr $failed + 1)
+
+###########################################################
+### Cleanup
+###########################################################
+
+testit "reset password policies" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=$(expr $failed + 1)
+
+testit "delete user" \
+ $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpuserccache $PREFIX/tmpkpasswdscript $PREFIX/tmpkinitscript
+exit $failed
diff --git a/testprogs/blackbox/test_ktpass.sh b/testprogs/blackbox/test_ktpass.sh
new file mode 100755
index 0000000..81b7544
--- /dev/null
+++ b/testprogs/blackbox/test_ktpass.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+ cat <<EOF
+Usage: blackbox_newuser.sh PREFIX
+EOF
+ exit 1
+fi
+
+PREFIX="$1"
+shift 1
+
+. $(dirname $0)/subunit.sh
+
+samba_tool="$BINDIR/samba-tool"
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+samba4kinit_binary=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary=$BINDIR/samba4kinit
+fi
+
+CONFIG="--configfile=$PREFIX/etc/smb.conf"
+
+TESTUSER="ktpassUser"
+
+testit "user create" $PYTHON $samba_tool user create $CONFIG $TESTUSER testp@ssw0Rd || failed=$(expr $failed + 1)
+
+KRB5CCNAME="$PREFIX/tmpccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+echo "testp@ssw0Rd" >$PREFIX/tmppassfile
+testit "kinit with passwd" $samba4kinit -e arcfour-hmac-md5 --password-file=$PREFIX/tmppassfile $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1)
+testit "ktpass" $samba4srcdir/scripting/bin/ktpass.sh --host LOCALDC --out $PREFIX/testuser.kt --princ $TESTUSER --pass "testp@ssw0Rd" --path-to-ldbsearch=$BINDIR/bin || failed=$(expr $failed + 1)
+
+rm -f $KRB5CCNAME
+
+testit "kinit with keytab" $samba4kinit -e arcfour-hmac-md5 --use-keytab -t $PREFIX/testuser.kt $TESTUSER@SAMBA.EXAMPLE.COM || failed=$(expr $failed + 1)
+
+rm -f $PREFIX/tmpccache $PREFIX/testuser.kt
+exit $failed
diff --git a/testprogs/blackbox/test_ldb.sh b/testprogs/blackbox/test_ldb.sh
new file mode 100755
index 0000000..d9485d7
--- /dev/null
+++ b/testprogs/blackbox/test_ldb.sh
@@ -0,0 +1,231 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: test_ldb.sh PROTOCOL SERVER [OPTIONS]
+EOF
+exit 1;
+fi
+
+
+p=$1
+SERVER=$2
+PREFIX=$3
+shift 2
+options="$*"
+
+. `dirname $0`/subunit.sh
+
+check() {
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ failed=`expr $failed + 1`
+ fi
+ return $status
+}
+
+export PATH="$BINDIR:$PATH"
+
+ldbsearch="$VALGRIND ldbsearch"
+
+check "RootDSE" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN || failed=`expr $failed + 1`
+check "RootDSE (full)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' || failed=`expr $failed + 1`
+check "RootDSE (extended)" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base '(objectClass=*)' --extended-dn || failed=`expr $failed + 1`
+if [ x$p = x"ldaps" ]; then
+ testit_expect_failure "RootDSE over SSLv3 should fail" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x dnsHostName highestCommittedUSN --option='tlspriority=NONE:+VERS-SSL3.0:+MAC-ALL:+CIPHER-ALL:+RSA:+SIGN-ALL:+COMP-NULL' && failed=`expr $failed + 1`
+fi
+
+echo "Getting defaultNamingContext"
+BASEDN=`$ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}'`
+echo "BASEDN is $BASEDN"
+
+check "Listing Users" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=`expr $failed + 1`
+
+check "Listing Users (sorted)" $ldbsearch -S $options $CONFIGURATION -H $p://$SERVER '(objectclass=user)' sAMAccountName || failed=`expr $failed + 1`
+
+check "Listing Groups" $ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectclass=group)' sAMAccountName || failed=`expr $failed + 1`
+
+nentries=`$ldbsearch $options -H $p://$SERVER $CONFIGURATION '(|(|(&(!(groupType:1.2.840.113556.1.4.803:=1))(groupType:1.2.840.113556.1.4.803:=2147483648)(groupType:1.2.840.113556.1.4.804:=10))(samAccountType=805306368))(samAccountType=805306369))' sAMAccountName | grep sAMAccountName | wc -l`
+echo "Found $nentries entries"
+if [ $nentries -lt 10 ]; then
+echo "Should have found at least 10 entries"
+failed=`expr $failed + 1`
+fi
+
+echo "Check rootDSE for Controls"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "" '(objectclass=*)' | grep -i supportedControl | wc -l`
+if [ $nentries -lt 4 ]; then
+echo "Should have found at least 4 entries"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Paged Results Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=paged_results:1:5 '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Paged Results Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Server Sort Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=server_sort:1:0:sAMAccountName '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Server Sort Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Extended DN Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1 '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Extended DN Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:0 '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Extended DN Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=extended_dn:1:1 '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Extended DN Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Domain scope Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=domain_scope:1 '(objectclass=user)' | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Extended Domain scope Control test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Attribute Scope Query Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=asq:1:member --scope=base -b "CN=Administrators,CN=Builtin,$BASEDN" | grep sAMAccountName | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Attribute Scope Query test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Search Options Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2 '(objectclass=crossRef)' | grep crossRef | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Search Options Control Query test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+echo "Test Search Options Control with Domain Scope Control"
+nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --controls=search_options:1:2,domain_scope:1 '(objectclass=crossRef)' | grep crossRef | wc -l`
+if [ $nentries -lt 1 ]; then
+echo "Search Options Control Query test returned 0 items"
+failed=`expr $failed + 1`
+fi
+
+wellknown_object_test()
+(
+ guid=$1
+ object=$2
+ failed=0
+
+ basedns="<WKGUID=${guid},${BASEDN}> <wkGuId=${guid},${BASEDN}>"
+ for dn in ${basedns}; do
+ echo "Test ${dn} => ${object}"
+ r=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=*)' -b "${dn}" | grep 'dn: '`
+ n=`echo "${r}" | grep 'dn: ' | wc -l`
+ c=`echo "${r}" | grep "${object}" | wc -l`
+
+ if [ $n -lt 1 ]; then
+ echo "Object not found by WKGUID"
+ failed=`expr $failed + 1`
+ continue
+ fi
+ if [ $c -lt 1 ]; then
+ echo "Wrong object found by WKGUID: [${r}]"
+ failed=`expr $failed + 1`
+ continue
+ fi
+ done
+
+ return $failed
+)
+
+wellknown_object_test 22B70C67D56E4EFB91E9300FCA3DC1AA ForeignSecurityPrincipals
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+wellknown_object_test 2FBAC1870ADE11D297C400C04FD8D5CD Infrastructure
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+wellknown_object_test AB1D30F3768811D1ADED00C04FD8D5CD System
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+wellknown_object_test A361B2FFFFD211D1AA4B00C04FD7D83A Domain Controllers
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+wellknown_object_test AA312825768811D1ADED00C04FD8D5CD Computers
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+wellknown_object_test A9D1CA15768811D1ADED00C04FD8D5CD Users
+st=$?
+if [ x"$st" != x"0" ]; then
+ failed=`expr $failed + $st`
+fi
+
+echo "Getting HEX GUID/SID of $BASEDN"
+HEXDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:0 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-`
+HEXGUID=`echo "$HEXDN" | cut -d ';' -f1`
+echo "HEXGUID[$HEXGUID]"
+
+echo "Getting STR GUID/SID of $BASEDN"
+STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 distinguishedName | grep 'distinguishedName: ' | cut -d ' ' -f2-`
+echo "STRDN: $STRDN"
+STRGUID=`echo "$STRDN" | cut -d ';' -f1`
+echo "STRGUID[$STRGUID]"
+
+echo "Getting STR GUID/SID of $BASEDN"
+STRDN=`$ldbsearch $CONFIGURATION $options -b "$BASEDN" -H $p://$SERVER --scope=base "(objectClass=*)" --controls=extended_dn:1:1 | grep 'dn: ' | cut -d ' ' -f2-`
+echo "STRDN: $STRDN"
+STRSID=`echo "$STRDN" | cut -d ';' -f2`
+echo "STRSID[$STRSID]"
+
+SPECIALDNS="$HEXGUID $STRGUID $STRSID"
+for SPDN in $SPECIALDNS; do
+ echo "Search for $SPDN"
+ nentries=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER --scope=base -b "$SPDN" '(objectClass=*)' | grep "dn: $BASEDN" | wc -l`
+ if [ $nentries -lt 1 ]; then
+ echo "Special search returned 0 items"
+ failed=`expr $failed + 1`
+ fi
+done
+
+echo "Search using OIDs instead of names"
+nentries1=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(objectClass=user)' name | grep "^name: " | wc -l`
+nentries2=`$ldbsearch $options $CONFIGURATION -H $p://$SERVER '(2.5.4.0=1.2.840.113556.1.5.9)' name | grep "^name: " | wc -l`
+if [ $nentries1 -lt 1 ]; then
+ echo "Error: Searching user via (objectClass=user): '$nentries1' < 1"
+ failed=`expr $failed + 1`
+fi
+if [ $nentries2 -lt 1 ]; then
+ echo "Error: Searching user via (2.5.4.0=1.2.840.113556.1.5.9) '$nentries2' < 1"
+ failed=`expr $failed + 1`
+fi
+if [ x"$nentries1" != x"$nentries2" ]; then
+ echo "Error: Searching user with OIDS[$nentries1] doesn't return the same as STRINGS[$nentries2]"
+ failed=`expr $failed + 1`
+fi
+
+exit $failed
diff --git a/testprogs/blackbox/test_ldb_simple.sh b/testprogs/blackbox/test_ldb_simple.sh
new file mode 100755
index 0000000..604c4a6
--- /dev/null
+++ b/testprogs/blackbox/test_ldb_simple.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: test_ldb_simple.sh PROTOCOL SERVER [OPTIONS]
+EOF
+exit 1;
+fi
+
+
+p=$1
+SERVER=$2
+PREFIX=$3
+shift 2
+options="$*"
+
+. `dirname $0`/subunit.sh
+
+check() {
+ name="$1"
+ shift
+ cmdline="$*"
+ echo "test: $name"
+ $cmdline
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ failed=`expr $failed + 1`
+ fi
+ return $status
+}
+
+export PATH="$BINDIR:$PATH"
+
+ldbsearch="$VALGRIND ldbsearch"
+
+check "currentTime" $ldbsearch $CONFIGURATION $options --basedn='' -H $p://$SERVER --scope=base currentTime || failed=`expr $failed + 1`
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
new file mode 100755
index 0000000..cfafb94
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -0,0 +1,325 @@
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads"
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+ldbadd="ldbadd"
+if [ -x "$BINDIR/ldbadd" ]; then
+ ldbadd="$BINDIR/ldbadd"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+ ldbmodify="$BINDIR/ldbmodify"
+fi
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
+testit "local krb5.conf created" \
+ test -r \
+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
+ failed=$((failed + 1))
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+testit "test setspn list $netbios" $VALGRIND $net_tool ads setspn list $netbios -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+spn="foo"
+testit_expect_failure "test setspn add illegal windows spn ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+spn="foo/somehost.domain.com"
+testit "test setspn add ($spn)" $VALGRIND $net_tool ads setspn add $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l)
+testit "test setspn list shows the newly added spn ($spn)" test $found -eq 1 || failed=`expr $failed + 1`
+
+up_spn=$(echo $spn | tr '[:lower:]' '[:upper:]')
+testit_expect_failure "test setspn add existing (case-insensitive) spn ($spn)" $VALGRIND $net_tool ads setspn add $up_spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "test setspn delete existing (case-insensitive) ($spn)" $VALGRIND $net_tool ads setspn delete $spn -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $spn | wc -l)
+testit "test setspn list shows the newly deleted spn ($spn) is gone" test $found -eq 0 || failed=`expr $failed + 1`
+
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# Test with kerberos method = secrets and keytab
+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
+testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
+lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')
+fqdn="$netbios.$lc_realm"
+
+krb_princ="primary/instance@$REALM"
+testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l`
+
+testit "test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+machinename="machine123"
+testit "test (dedicated keytab) add a kerberos prinicple created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+search_str="$machinename\$@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+service="nfs"
+testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$service/$fqdn@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) at least one (long form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+search_str="$service/$uc_netbios@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) at least one (shorter form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+spn_service="random_srv"
+spn_host="somehost.subdomain.domain"
+spn_port="12345"
+
+windows_spn="$spn_service/$spn_host"
+testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$spn_service/$spn_host@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) at least one krb5 principal created from windown SPN added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+windows_spn="$spn_service/$spn_host:$spn_port"
+testit "test (dedicated keytab) add a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$spn_service/$spn_host@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) at least one krb5 principal created from windown SPN (with port) added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
+
+# keytab add shouldn't have written spn to AD
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l)
+testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=`expr $failed + 1`
+
+ad_service="writetoad"
+testit "test (dedicated keytab) add a $ad_service service to keytab (using add_update_ads" $VALGRIND $net_tool ads keytab add_update_ads $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l)
+testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads)" test $found -eq 2 || failed=`expr $failed + 1`
+
+
+# test existence in keytab of service (previously added) pulled from SPN post
+# 'keytab create' is now present in keytab file
+testit "test (dedicated keytab) keytab created succeeds" $VALGRIND $net_tool ads keytab create -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+found=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $ad_service | wc -l)
+testit "test (dedicated keytab) spn service that exists in AD (created via add_update_ads) is added to keytab file" test $found -gt 1 || failed=`expr $failed + 1`
+
+found_ad=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l)
+found_keytab=$($net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $service | wc -l)
+# test after create that a spn that exists in the keytab but shouldn't
+# be written to the AD.
+testit "test spn service doensn't exist in AD but is present in keytab file after keytab create" test $found_ad -eq 0 -a $found_keytab -gt 1 || failed=`expr $failed + 1`
+
+# SPN parser is very basic but does detect some illegal combination
+
+windows_spn="$spn_service/$spn_host:"
+testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+windows_spn="$spn_service/$spn_host/"
+testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# if there is no keytab, try and create it
+if [ ! -f $dedicated_keytab_file ]; then
+ if [ $(command -v ktutil) >/dev/null ]; then
+ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
+ fi
+fi
+
+if [ -f $dedicated_keytab_file ]; then
+ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
+fi
+
+rm -f $dedicated_keytab_file
+
+testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
+
+testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1`
+
+testit "leave+server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1`
+
+testit_expect_failure "join+invalid_server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1`
+
+testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit_expect_failure "leave+invalid_server" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD -SINVALID && failed=`expr $failed + 1`
+
+testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1`
+
+base_dn="DC=addom,DC=samba,DC=example,DC=com"
+computers_dn="CN=Computers,$base_dn"
+testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1`
+
+dns_alias1="${netbios}_alias1.other.${lc_realm}"
+dns_alias2="${netbios}_alias2.other2.${lc_realm}"
+testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+
+# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
+short_alias_file="$PREFIX_ABS/short_alias_file"
+printf 'short_alias\0$' > $short_alias_file
+cat > $PREFIX_ABS/tmpldbmodify <<EOF
+dn: CN=$HOSTNAME,$computers_dn
+changetype: modify
+add: msDS-AdditionalDnsHostName
+msDS-AdditionalDnsHostName:< file://$short_alias_file
+EOF
+
+testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
+
+testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+
+rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
+
+dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
+
+testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+rm -f $dedicated_keytab_file
+
+##Goodbye...
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# netbios aliases tests
+testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+
+testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+##Goodbye...
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+#
+# Test createcomputer option of 'net ads join'
+#
+testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <<EOF
+dn: OU=Servers,$base_dn
+objectClass: organizationalUnit
+EOF
+
+testit "join+createcomputer" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createcomputer=Servers || failed=`expr $failed + 1`
+
+testit "ldb check for existence of machine account in OU=Servers" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "cn=$HOSTNAME,OU=Servers,$base_dn" || failed=`expr $failed + 1`
+
+## Goodbye...
+testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn"
+
+#
+# Test createupn option of 'net ads join'
+#
+testit "join+createupn" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createupn="host/test-$HOSTNAME@$REALM" || failed=`expr $failed + 1`
+
+testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
+
+dedicated_keytab_file="$PREFIX_ABS/test_net_create_dedicated_krb5.keytab"
+
+testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit_grep "checkupn+keytab" "host/test-$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+rm -f $dedicated_keytab_file
+
+testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+#
+# Test dnshostname option of 'net ads join'
+#
+testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
+
+testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
+
+testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+rm -f $dedicated_keytab_file
+
+testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_ads_dns.sh b/testprogs/blackbox/test_net_ads_dns.sh
new file mode 100755
index 0000000..1d2c090
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_dns.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+# Blackbox tests for net ads dns register etc.
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 6 ]; then
+cat <<EOF
+Usage: test_net_ads_dns.sh SERVER DC_USERNAME DC_PASSWORD REALM USER PASS
+EOF
+exit 1;
+fi
+
+SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+REALM=$4
+USERNAME=$5
+PASSWORD=$6
+shift 6
+failed=0
+
+samba4bindir="$BINDIR"
+
+samba_tool="$samba4bindir/samba-tool"
+net_tool="$samba4bindir/net"
+smbpasswd="$samba4bindir/smbpasswd"
+texpect="$samba4bindir/texpect"
+ldbsearch="$samba4bindir/ldbsearch"
+ldbmodify="$samba4bindir/ldbmodify"
+
+newuser="$samba_tool user create"
+groupaddmem="$samba_tool group addmembers"
+
+. `dirname $0`/subunit.sh
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+IPADDRESS=10.1.4.111
+IP6ADDRESS=fd00:1a1a::1:5ee:bad:c0de
+IPADDRMAC=10.1.4.124
+UNPRIVIP=10.1.4.130
+NAME=testname
+UNPRIVNAME=unprivname
+UNPRIVUSER=unprivuser
+UNPRIVPASS=UnPrivPass1
+
+# These tests check that privileged users can add DNS names and that
+# unprivileged users cannot do so.
+echo "Starting ..."
+
+testit "admin user should be able to add a DNS entry $NAME.$REALM $IPADDRESS $IP6ADDRESS" $VALGRIND $net_tool ads dns register $NAME.$REALM $IPADDRESS $IP6ADDRESS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "We should be able to see the new name $NAME.$REALM $IPADDRESS" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS || failed=`expr $failed + 1`
+testit "We should be able to see the new name $NAME.$REALM $IP6ADDRESS" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS || failed=`expr $failed + 1`
+
+testit "We should be able to unregister the name $NAME.$REALM" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "The name $NAME.$REALM $IPADDRESS should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1`
+testit "The name $NAME.$REALM $IP6ADDRESS should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1`
+
+# prime the kpasswd server, see "git blame" for an explanation
+$VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD
+$VALGRIND $net_tool user delete $UNPRIVUSER -U$DC_USERNAME%$DC_PASSWORD
+
+# This should be an expect_failure test ...
+testit "Adding an unprivileged user" $VALGRIND $net_tool user add $UNPRIVUSER $UNPRIVPASS -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+BASEDN=$($VALGRIND $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -b '' --scope=base defaultNamingContext | grep defaultNamingContext | sed -e 's!^defaultNamingContext: !!')
+
+LDIF="dn: CN=$UNPRIVUSER,CN=users,${BASEDN}+changetype: modify+replace: userAccountControl+userAccountControl: 512"
+
+echo $LDIF | tr '+' '\n' | $VALGRIND $ldbmodify -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -i
+STATUS=$?
+
+testit "We should have enabled the account" test $STATUS -eq 0 || failed=`expr $failed + 1`
+
+#Unprivileged users should be able to add new names
+testit "Unprivileged users should be able to add new names" $net_tool ads dns register $UNPRIVNAME.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
+
+# This should work as well
+testit "machine account should be able to add a DNS entry net ads dns register membername.$REALM $IPADDRMAC -P " $net_tool ads dns register membername.$REALM $IPADDRMAC -P || failed=`expr $failed + 1`
+
+testit "We should be able to see the new name membername.$REALM" dig @$SERVER +short -t a membername.$REALM | grep -q $IPADDRMAC || failed=`expr $failed + 1`
+
+#Unprivileged users should not be able to overwrite other's names
+testit_expect_failure "Unprivileged users should not be able to modify existing names" $net_tool ads dns register membername.$REALM $UNPRIVIP -U$UNPRIVUSER%$UNPRIVPASS || failed=`expr $failed + 1`
+
+testit "We should be able to unregister the name $NAME.$REALM $IPADDRESS" $VALGRIND $net_tool ads dns unregister $NAME.$REALM -P || failed=`expr $failed + 1`
+
+testit "The name $NAME.$REALM ($IPADDRESS) should not be there any longer" dig @$SERVER +short -t a $NAME.$REALM | grep -q $IPADDRESS && failed=`expr $failed + 1`
+testit "The name $NAME.$REALM ($IP6ADDRESS) should not be there any longer" dig @$SERVER +short -t aaaa $NAME.$REALM | grep -q $IP6ADDRESS && failed=`expr $failed + 1`
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_ads_fips.sh b/testprogs/blackbox/test_net_ads_fips.sh
new file mode 100755
index 0000000..57df650
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_fips.sh
@@ -0,0 +1,43 @@
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_net_ads_fips.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode).
+testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
+testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh
new file mode 100755
index 0000000..f8350c9
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_search_server.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 SERVER REALM
+EOF
+exit 1;
+fi
+
+SERVER=$1
+REALM=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_net="$BINDIR/net"
+
+DN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]' | sed -e 's!^!DC=!' -e 's!\.!,DC=!g')
+testit_grep_count \
+ "net_ads_search.ntlmssp" \
+ "distinguishedName: ${DN}" \
+ 1 \
+ $samba_net ads search --use-kerberos=off -P \
+ --server "${SERVER}.${REALM}" \
+ '(objectClass=domain)' distinguishedName || \
+ failed=$((failed + 1))
+testit_grep_count \
+ "net_ads_search.krb5" \
+ "distinguishedName: ${DN}" \
+ 1 \
+ $samba_net ads search --use-kerberos=required -P \
+ --server "${SERVER}.${REALM}" \
+ '(objectClass=domain)' distinguishedName || \
+ failed=$((failed + 1))
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_offline.sh b/testprogs/blackbox/test_net_offline.sh
new file mode 100755
index 0000000..a174520
--- /dev/null
+++ b/testprogs/blackbox/test_net_offline.sh
@@ -0,0 +1,69 @@
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+BASEDIR=$4
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+ODJFILE="$BASEDIR/$WORKDIR/odj_provision.txt"
+
+
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=security=ads"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+# 1. Test w/o dcname
+
+testit "provision without dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+rm -f $ODJFILE
+
+# 2. Test with dcname
+
+testit "provision with dcname" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+rm -f $ODJFILE
+
+# 3. Test with defpwd
+
+testit "provision with dcname and default password" $VALGRIND $net_tool offlinejoin provision domain=$REALM machine_name=$netbios savefile=$ODJFILE dcname=$DC_SERVER defpwd -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "requestodj" $VALGRIND $net_tool offlinejoin requestodj loadfile=$ODJFILE || failed=`expr $failed + 1`
+
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
+
+rm -f $ODJFILE
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
diff --git a/testprogs/blackbox/test_net_rpc_user.sh b/testprogs/blackbox/test_net_rpc_user.sh
new file mode 100755
index 0000000..64ab01b
--- /dev/null
+++ b/testprogs/blackbox/test_net_rpc_user.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+# Blackbox tests for 'net rpc'
+#
+# Copyright (c) 2017 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 4 ]; then
+cat << EOF
+Usage: net_rpc.sh SERVER ADMIN_ACCOUNT ADMIN_PASSWORD ADMIN_DOMAIN
+EOF
+exit 1
+fi
+
+SERVER=$1
+ADMIN_ACCOUNT=$2
+ADMIN_PASSWORD=$3
+ADMIN_DOMAIN=$4
+shift 4
+
+failed=0
+samba_bindir="$BINDIR"
+
+samba_tool="$samba_bindir/samba-tool"
+net_tool="$samba_bindir/net"
+
+TEST_USERNAME="$(mktemp -u samson-XXXXXX)"
+TEST_PASSWORD="Passw0rd~01"
+
+newuser="$samba_tool user create"
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+###########################################################
+### Setup
+###########################################################
+
+testit "net rpc user add" \
+ $VALGRIND $net_tool rpc user add $TEST_USERNAME $TEST_PASSWORD -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1)
+
+###########################################################
+### Tests
+###########################################################
+
+TEST_PASSWORD_NEW="Passw0rd~02"
+
+testit "net rpc user password" \
+ $VALGRIND $net_tool rpc user password $TEST_USERNAME $TEST_PASSWORD_NEW -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1)
+
+###########################################################
+### Teardown
+###########################################################
+
+testit "net rpc user delete" \
+ $VALGRIND $net_tool rpc user delete $TEST_USERNAME -U$ADMIN_ACCOUNT%$ADMIN_PASSWORD -S $SERVER || failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/testprogs/blackbox/test_offline_logon.sh b/testprogs/blackbox/test_offline_logon.sh
new file mode 100755
index 0000000..6b54a38
--- /dev/null
+++ b/testprogs/blackbox/test_offline_logon.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+# Blackbox tests for winbind offline logon support
+# Copyright (c) 2021 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 9 ]; then
+cat <<EOF
+Usage: test_offline_logon.sh DOMAIN CACHED_USER_NAME_1 CACHED_USER_PASS_1 CACHED_USER_NAME_2 CACHED_USER_PASS_2 ONLINE_USER_NAME_1 ONLINE_USER_PASS_1 ONLINE_USER_NAME_2 ONLINE_USER_PASS_2
+EOF
+ exit 1;
+fi
+
+DOMAIN=$1
+CACHED_USER_NAME_1=$2
+CACHED_USER_PASS_1=$3
+CACHED_USER_NAME_2=$4
+CACHED_USER_PASS_2=$5
+ONLINE_USER_NAME_1=$6
+ONLINE_USER_PASS_1=$7
+ONLINE_USER_NAME_2=$8
+ONLINE_USER_PASS_2=$9
+shift 9
+
+. `dirname $0`/subunit.sh
+
+samba_bindir="$BINDIR"
+wbinfo="$samba_bindir/wbinfo"
+
+# Check that the DC is offline
+testit_expect_failure "wbinfo.ping-dc" $VALGRIND $wbinfo --ping-dc || failed=`expr $failed + 1`
+
+# We should have cached credentials for alice and bob
+# --pam-logon sets always the WBFLAG_PAM_CACHED_LOGIN flag
+testit "wbinfo.pam_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_1%$CACHED_USER_PASS_1 || failed=`expr $failed + 1`
+testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_1" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1`
+
+testit "wbinfo.pam_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1`
+testit "wbinfo.kerberos_logon_$CACHED_USER_NAME_2" $VALGRIND $wbinfo --krb5auth=$DOMAIN/$CACHED_USER_NAME_2%$CACHED_USER_PASS_2 || failed=`expr $failed + 1`
+
+# We should not be able to auth with jane or joe
+testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_1" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_1%$ONLINE_USER_PASS_1 || failed=`expr $failed + 1`
+testit_expect_failure "wbinfo.pam_logon_$ONLINE_USER_NAME_2" $VALGRIND $wbinfo --pam-logon=$DOMAIN/$ONLINE_USER_NAME_2%$ONLINE_USER_PASS_2 || failed=`expr $failed + 1`
+
+exit $failed
diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh
new file mode 100755
index 0000000..794a265
--- /dev/null
+++ b/testprogs/blackbox/test_old_enctypes.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_primary_group.sh SERVER USERNAME PASSWORD NETBIOSNAME PREFIX_ABS
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+NETBIOSNAME=$4
+PREFIX_ABS=$5
+shift 5
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+
+samba_tool="$samba4bindir/samba-tool"
+
+ldbmodify="ldbmodify"
+if [ -x "$samba4bindir/ldbmodify" ]; then
+ ldbmodify="$samba4bindir/ldbmodify"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$samba4bindir/ldbsearch" ]; then
+ ldbsearch="$samba4bindir/ldbsearch"
+fi
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+out="${PREFIX_ABS}/tmpldbsearch.out"
+$ldbsearch -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 sAMAccountName="$NETBIOSNAME\$" dn msDS-SupportedEncryptionTypes > $out
+testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1`
+
+my_dn=$(cat $out | sed -n 's/^dn: //p')
+my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p')
+my_test_encs=`expr $my_encs + 3`
+
+ldif="${PREFIX_ABS}/tmpldbmodify.ldif"
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_test_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes to $my_test_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+kt=${PREFIX_ABS}/tmp_host_out_keytab
+testit "Export keytab while old enctypes are supported" $samba_tool domain exportkeytab --principal=$NETBIOSNAME\$ $kt
+
+cat > $ldif <<EOF
+dn: $my_dn
+changetype: modify
+replace: msDS-SupportedEncryptionTypes
+msDS-SupportedEncryptionTypes: $my_encs
+EOF
+
+testit "Change msDS-SupportedEncryptionTypes back to $my_encs" $VALGRIND $ldbmodify -H ldap://$SERVER -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+
+rm -rf $kt $out $ldif
+
+exit $failed
diff --git a/testprogs/blackbox/test_password_settings.sh b/testprogs/blackbox/test_password_settings.sh
new file mode 100755
index 0000000..9a4846a
--- /dev/null
+++ b/testprogs/blackbox/test_password_settings.sh
@@ -0,0 +1,254 @@
+#!/bin/sh
+# Blackbox tests for different password settings
+#
+# Copyright (c) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (c) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (c) 2016 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 6 ]; then
+cat <<EOF
+Usage: test_passwords_settings.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+
+samba_kinit=kinit
+if test -x $samba_bindir/samba4kinit; then
+ samba_kinit=$samba_bindir/samba4kinit
+fi
+
+smbclient="$samba_bindir/smbclient"
+samba_tool="$samba_bindir/samba-tool"
+smbpasswd="$samba_bindir/smbpasswd"
+texpect="$samba_bindir/texpect"
+
+newuser="$samba_tool user create"
+SMB_UNC="//$SERVER/tmp"
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+do_kinit() {
+ principal="$1"
+ password="$2"
+ shift
+ shift
+ kerberos_kinit "$samba_kinit" "$principal" "$password" $@
+}
+
+test_smbpasswd()
+{
+ user=$1
+ newpass=$2
+
+ tmpfile=$PREFIX/smbpasswd_change_password_script
+ cat > $tmpfile <<EOF
+expect New SMB password:
+send ${newpass}\n
+expect Retype new SMB password:
+send ${newpass}\n
+EOF
+
+ cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L -c $PREFIX/etc/smb.conf $user'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ]; then
+ echo "Failed to change user password $user"
+ return 1
+ fi
+}
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+CONFIG="--configfile=$PREFIX/etc/smb.conf"
+export CONFIG
+
+testit "reset password policies beside of minimum password age of 0 days" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=`expr $failed + 1`
+
+TEST_USERNAME="$(mktemp -u alice-XXXXXX)"
+TEST_PASSWORD="testPaSS@00%"
+TEST_PASSWORD_NEW="testPaSS@01%"
+TEST_PASSWORD_NON_ASCII="Täst123"
+TEST_PASSWORD_SHORT="secret"
+TEST_PASSWORD_WEAK="Supersecret"
+TEST_PRINCIPAL="$TEST_USERNAME@$REALM"
+
+testit "create user locally" \
+ $VALGRIND $PYTHON $newuser $CONFIG $TEST_USERNAME $TEST_PASSWORD || failed=`expr $failed + 1`
+
+###########################################################
+### Test normal operation as user
+###########################################################
+
+KRB5CCNAME_PATH="$PREFIX/test_password_settings_krb5ccache"
+rm -f $KRB5CCNAME_PATH
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+
+###########################################################
+### Change the users password
+###########################################################
+
+testit "change user password with 'samba-tool user password' (unforced)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
+
+TEST_PASSWORD_OLD=$TEST_PASSWORD
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@02%"
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
+
+###########################################################
+### Change the users password
+###########################################################
+
+testit "change user (non-ascii) password with 'samba-tool user password' (unforced)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NON_ASCII || failed=`expr $failed + 1`
+
+TEST_PASSWORD_OLD=$TEST_PASSWORD_NEW
+TEST_PASSWORD=$TEST_PASSWORD_NON_ASCII
+
+testit "kinit with user password" \
+ do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user kerberos ccache" \
+ "ls" "$SMB_UNC" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
+
+#
+# These tests demonstrate that a credential cache in the environment does not
+# override a username/password, even an incorrect one, on the command line
+#
+
+testit_expect_failure "Test login with user kerberos ccache, but wrong password specified" \
+ $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%invalidpass && failed=`expr $failed + 1`
+testit_expect_failure "Test login with user kerberos ccache, but old password specified" \
+ $VALGRIND $smbclient //$SERVER/tmp -c 'ls' --use-krb5-ccache=$KRB5CCNAME -U$TEST_PRINCIPAL%$TEST_PASSWORD_OLD && failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+
+###########################################################
+### Set the password with smbpasswd
+###########################################################
+
+testit "set user password with smbpasswd" \
+ test_smbpasswd $TEST_USERNAME $TEST_PASSWORD_NEW \
+ || failed=$(expr $failed + 1)
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@03%"
+
+test_smbclient "Test login with user (ntlm)" \
+ "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
+
+testit "set password on user locally" $VALGRIND $PYTHON $samba_tool user setpassword $TEST_USERNAME $CONFIG --newpassword=$TEST_PASSWORD_NEW --must-change-at-next-login || failed=`expr $failed + 1`
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@04%"
+
+test_smbclient_expect_failure "Test login with user (NT_STATUS_PASSWORD_MUST_CHANGE)" \
+ "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD && failed=`expr $failed + 1`
+
+testit "change user password with 'samba-tool user password' (after must change flag set)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@05%"
+
+test_smbclient "Test login with user kerberos" 'ls' "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+
+cat > $PREFIX/tmpsmbpasswdscript <<EOF
+expect Old SMB password:
+password ${TEST_PASSWORD}\n
+expect New SMB password:
+send ${TEST_PASSWORD_NEW}\n
+expect Retype new SMB password:
+send ${TEST_PASSWORD_NEW}\n
+EOF
+
+testit "change user password with smbpasswd (after must change flag set)" \
+ $texpect $PREFIX/tmpsmbpasswdscript $smbpasswd -r $SERVER -c $PREFIX/etc/smb.conf -U $TEST_USERNAME || failed=`expr $failed + 1`
+
+TEST_PASSWORD=$TEST_PASSWORD_NEW
+TEST_PASSWORD_NEW="testPaSS@06%"
+
+test_smbclient "Test login with user kerberos" \
+ "ls" "$SMB_UNC" --use-kerberos=required -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME_PATH
+
+testit_expect_failure "try to set a non-complex password (command should not succeed)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" && failed=`expr $failed + 1`
+
+testit "allow non-complex passwords" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=off || failed=`expr $failed + 1`
+
+testit "try to set a non-complex password (command should succeed)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_WEAK" || failed=`expr $failed + 1`
+
+TEST_PASSWORD=$TEST_PASSWORD_WEAK
+
+test_smbclient "test login with non-complex password" \
+ "ls" "$SMB_UNC" --use-kerberos=disabled -U$TEST_PRINCIPAL%$TEST_PASSWORD || failed=`expr $failed + 1`
+
+testit_expect_failure "try to set a short password (command should not succeed)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" && failed=`expr $failed + 1`
+
+testit "allow short passwords (length 1)" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --min-pwd-length=1 || failed=`expr $failed + 1`
+
+testit "try to set a short password (command should succeed)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_SHORT" || failed=`expr $failed + 1`
+
+TEST_PASSWORD=$TEST_PASSWORD_SHORT
+TEST_PASSWORD_NEW="testPaSS@07%"
+
+testit "require minimum password age of 1 day" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --min-pwd-age=1 || failed=`expr $failed + 1`
+
+testit "show password settings" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings show $CONFIG || failed=`expr $failed + 1`
+
+testit_expect_failure "try to change password too quickly (command should not succeed)" \
+ $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN "-U$DOMAIN/$TEST_USERNAME%$TEST_PASSWORD" -k no --newpassword="$TEST_PASSWORD_NEW" && failed=`expr $failed + 1`
+
+testit "reset password policies" \
+ $VALGRIND $PYTHON $samba_tool domain passwordsettings set $CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
+
+testit "delete user $TEST_USERNAME" \
+ $VALGRIND $PYTHON $samba_tool user delete $TEST_USERNAME -U"$USERNAME%$PASSWORD" $CONFIG -k no || failed=`expr $failed + 1`
+
+rm -f $PREFIX/tmpuserpassfile $PREFIX/tmpsmbpasswdscript
+rm -f $KRB5CCNAME_PATH
+
+exit $failed
diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh
new file mode 100755
index 0000000..43852b3
--- /dev/null
+++ b/testprogs/blackbox/test_pdbtest.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+# Blackbox tests for pdbtest
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: test_pdbtest.sh SERVER PREFIX USER SMBCLIENT SMB_CONF
+EOF
+exit 1;
+fi
+
+SERVER=$1
+PREFIX=$2
+USER=$3
+smbclient=$4
+SMB_CONF=$5
+shift 5
+failed=0
+
+samba4bindir="$BINDIR"
+pdbtest="$samba4bindir/pdbtest"
+pdbedit="$samba4bindir/pdbedit"
+net="$samba4bindir/net"
+smbpasswd="$samba4bindir/smbpasswd"
+texpect="$samba4bindir/texpect"
+unc="//$SERVER/tmp"
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+test_smbpasswd()
+{
+ user=$1
+ newpass=$2
+
+ echo "set password with smbpasswd"
+ tmpfile=$PREFIX/smbpasswd_change_password_script
+ cat > $tmpfile <<EOF
+expect New SMB password:
+send ${newpass}\n
+expect Retype new SMB password:
+send ${newpass}\n
+EOF
+
+ cmd='UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $texpect $tmpfile $smbpasswd -L $user -c $SMB_CONF'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ]; then
+ echo "Failed to change user password $user"
+ return 1
+ fi
+}
+
+testit "pdbtest" $VALGRIND $BINDIR/pdbtest -u $USER $@ || failed=`expr $failed + 1`
+
+NEWUSERPASS=testPaSS@01%
+
+echo "set password with pdbedit"
+cat > $PREFIX/tmpsmbpasswdscript <<EOF
+expect new password:
+send ${NEWUSERPASS}\n
+expect retype new password:
+send ${NEWUSERPASS}\n
+EOF
+
+testit "create user with pdbedit" $texpect $PREFIX/tmpsmbpasswdscript $VALGRIND $pdbedit --configfile=$SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1`
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1`
+
+testit "modify user" $VALGRIND $pdbedit --configfile=$SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1`
+
+test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1`
+
+NEWUSERPASS=testPaSS@02%
+
+testit "set user password with smbpasswd" \
+ test_smbpasswd $USER $NEWUSERPASS \
+ || failed=$(expr $failed + 1)
+
+USERPASS=$NEWUSERPASS
+
+test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1`
+
+testit "modify user - disabled" $VALGRIND $net sam set disabled $USER yes $@ || failed=`expr $failed + 1`
+
+testit_expect_failure "Test login with disabled suer" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS && failed=`expr $failed + 1`
+
+testit "modify user - enabled" $VALGRIND $net sam set disabled $USER no $@ || failed=`expr $failed + 1`
+
+test_smbclient "Test login with re-enabled user (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
+
+testit "modify user - must change password now" $VALGRIND $net sam set pwdmustchangenow $USER yes $@ || failed=`expr $failed + 1`
+
+testit_expect_failure "Test login with expired password" $VALGRIND $smbclient //$SERVER/tmp -c 'ls' -U$USER@%$USERPASS && failed=`expr $failed + 1`
+
+testit "modify user - disable password expiry" $VALGRIND $net sam set pwnoexp $USER yes $@ || failed=`expr $failed + 1`
+
+test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
+
+NEWUSERPASS=testPaSS@03%
+NEWUSERHASH=062519096c45739c1938800f80906731
+
+testit "Set user password with password hash" $VALGRIND $pdbedit --configfile=$SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1`
+
+test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -U$USER%$NEWUSERPASS || failed=`expr $failed + 1`
+
+testit "del user" $VALGRIND $pdbedit --configfile=$SMB_CONF -x $USER $@ || failed=`expr $failed + 1`
+
+rm $PREFIX/tmpsmbpasswdscript
+
+exit $failed
diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh
new file mode 100755
index 0000000..8047517
--- /dev/null
+++ b/testprogs/blackbox/test_pkinit_pac.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+# Blackbox tests for pkinit and pac verification
+#
+# Copyright (C) 2006-2008 Stefan Metzmacher
+# Copyright (C) 2022 Andreas Schneider
+
+if [ $# -lt 6 ]; then
+ cat <<EOF
+Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+ exit 1
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+failed=0
+
+samba_bindir="$BINDIR"
+
+samba_kinit="$(command -v kinit)"
+if [ -x "${samba_bindir}/samba4kinit" ]; then
+ samba_kinit="${samba_bindir}/samba4kinit"
+fi
+samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR"
+
+. "$(dirname "$0")"/subunit.sh
+. "$(dirname "$0")"/common_test_fns.inc
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+rm -f "${KRB5CCNAME_PATH}"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"
+
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" = "samba4kinit" ]; then
+ # HEIMDAL
+ X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ OPTION_RENEWABLE="--renewable"
+else
+ X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ OPTION_RENEWABLE="-r 1h"
+fi
+OPTION_REQUEST_PAC="--request-pac"
+
+testit "STEP1 kinit with pkinit (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP1 remote.pac verification" \
+ "${samba_smbtorture}" ncacn_np:"${SERVER}" rpc.pac \
+ --workgroup="${DOMAIN}" -U"${USERNAME}%${PASSWORD}" \
+ --option=torture:pkinit_ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+exit ${failed}
diff --git a/testprogs/blackbox/test_pkinit_simple.sh b/testprogs/blackbox/test_pkinit_simple.sh
new file mode 100755
index 0000000..c63d1da
--- /dev/null
+++ b/testprogs/blackbox/test_pkinit_simple.sh
@@ -0,0 +1,333 @@
+#!/bin/sh
+# Blackbox tests for kinit and kerberos integration with smbclient etc
+#
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
+# Copyright (C) 2022 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 7 ]; then
+ cat <<EOF
+Usage: test_pkinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLINET
+EOF
+ exit 1
+fi
+
+SERVER="${1}"
+USERNAME="${2}"
+PASSWORD="${3}"
+REALM="${4}"
+DOMAIN="${5}"
+PREFIX="${6}"
+smbclient="${7}"
+shift 7
+failed=0
+
+samba_bindir="${BINDIR}"
+
+samba_kinit="$(command -v kinit)"
+if [ -x "${samba_bindir}/samba4kinit" ]; then
+ samba_kinit="${samba_bindir}/samba4kinit"
+fi
+samba_tool="${PYTHON} ${samba_bindir}/samba-tool"
+wbinfo="${samba_bindir}/wbinfo"
+
+. "$(dirname "$0")"/subunit.sh
+. "$(dirname "$0")"/common_test_fns.inc
+
+unc="//${SERVER}/tmp"
+
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+rm -f "${KRB5CCNAME_PATH}"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+export KRB5CCNAME
+
+USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")"
+
+kbase="$(basename "${samba_kinit}")"
+if [ "${kbase}" = "samba4kinit" ]; then
+ # HEIMDAL
+ X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ OPTION_RENEWABLE="--renewable"
+ OPTION_RENEW_TICKET="--renew"
+ OPTION_ENTERPRISE_NAME="--enterprise"
+else
+ # MIT
+ X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
+ OPTION_RENEWABLE="-r 1h"
+ OPTION_RENEW_TICKET="-R"
+ OPTION_ENTERPRISE_NAME="-E"
+fi
+OPTION_REQUEST_PAC="--request-pac"
+
+# STEP0:
+# Now we set the UF_SMARTCARD_REQUIRED bit
+# This means we have a normal enabled account *without* a known password
+testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \
+ "${samba_tool}" user create "${USERNAME}" --smartcard-required ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP1 kinit with password" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_REQUEST_PAC}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP1 Test login with NTLM" \
+ "${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP1 Test wbinfo with password" \
+ "${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" ||
+ failed=$((failed + 1))
+
+testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+
+testit "STEP1 kinit renew ticket (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+# OK
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${SERVER}@${REALM}" ||
+ failed=$((failed + 1))
+
+testit "STEP1 kinit with pkinit (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP1 kinit renew ticket (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "not${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${SERVER}@${REALM}" ||
+ failed=$((failed + 1))
+
+testit "STEP1 kinit with pkinit (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
+ failed=$((failed + 1))
+testit "STEP1 kinit renew ticket (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+# STEP2:
+# We still have UF_SMARTCARD_REQUIRED, but with a known password
+testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \
+ "${samba_tool}" user setpassword "${USERNAME}" \
+ --newpassword="${PASSWORD}" ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP2 kinit with password" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_REQUEST_PAC}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP2 Test login with NTLM" \
+ 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP2 Test wbinfo with password" \
+ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+
+testit "STEP2 kinit with pkinit (name specified) " \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP2 kinit renew ticket (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP2 kinit with pkinit (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP2 kinit renew ticket (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP2 kinit with pkinit (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
+ failed=$((failed + 1))
+testit "STEP2 kinit renew ticket (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+# STEP3:
+# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set
+testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \
+ "${samba_tool}" user setpassword "${USERNAME}" \
+ --newpassword="${PASSWORD}" --clear-smartcard-required ||
+ failed=$((failed + 1))
+
+testit "STEP3 kinit with password" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_REQUEST_PAC}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP3 Test login with user kerberos ccache" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP3 Test login with NTLM" \
+ 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+testit "STEP3 Test wbinfo with password" \
+ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+
+testit "STEP3 kinit with pkinit (name specified) " \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP3 kinit renew ticket (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP3 kinit with pkinit (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP3 kinit renew ticket (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP3 kinit with pkinit (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
+ failed=$((failed + 1))
+testit "STEP3 kinit renew ticket (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+# STEP4:
+# Now we set the UF_SMARTCARD_REQUIRED bit
+# This means we have a normal enabled account *without* a known password
+testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \
+ "${samba_tool}" user setpassword "${USERNAME}" --smartcard-required ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP4 kinit with password" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_REQUEST_PAC}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP4 Test login with NTLM" \
+ "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP4 Test wbinfo with password" \
+ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+
+testit "STEP4 kinit with pkinit (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP4 kinit renew ticket (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \
+ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP4 kinit with pkinit (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit "STEP4 kinit renew ticket (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+testit "STEP4 kinit with pkinit (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
+ failed=$((failed + 1))
+testit "STEP4 kinit renew ticket (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" ||
+ failed=$((failed + 1))
+test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \
+ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" ||
+ failed=$((failed + 1))
+
+# STEP5:
+# disable the account
+testit "STEP5 samba-tool user disable $USERNAME" \
+ "${samba_tool}" user disable "${USERNAME}" ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP5 kinit with password" \
+ kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
+ "${OPTION_REQUEST_PAC}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP5 Test login with NTLM" \
+ "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP5 Test wbinfo with password" \
+ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" ||
+ failed=$((failed + 1))
+
+testit_expect_failure "STEP5 kinit with pkinit (name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \
+ "${USERNAME}@${REALM}" ||
+ failed=$((failed + 1))
+testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \
+ "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \
+ "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" ||
+ failed=$((failed + 1))
+
+# STEP6:
+# cleanup
+testit "STEP6 samba-tool user delete ${USERNAME}" \
+ "${samba_tool}" user delete "${USERNAME}" ||
+ failed=$((failed + 1))
+
+rm -f "${KRB5CCNAME_PATH}"
+exit ${failed}
diff --git a/testprogs/blackbox/test_primary_group.sh b/testprogs/blackbox/test_primary_group.sh
new file mode 100755
index 0000000..0fbc287
--- /dev/null
+++ b/testprogs/blackbox/test_primary_group.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_primary_group.sh SERVER USERNAME PASSWORD DOMAIN PREFIX_ABS
+EOF
+exit 1;
+fi
+
+TMPDIR="$PREFIX_ABS/$(basename $0)"
+export TMPDIR
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+DOMAIN=$4
+PREFIX_ABS=$5
+shift 5
+failed=0
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+TZ=UTC
+export TZ
+
+N=$(date +%H%M%S)
+
+testuser="testuser$N"
+testgroup="testgroup$N"
+
+echo "testuser: $testuser"
+echo "testgroup: $testgroup"
+
+testit "mkdir -p '${TMPDIR}'" mkdir -p ${TMPDIR} || failed=`expr $failed + 1`
+
+testit "create '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user create "$testuser" Password.1 || failed=`expr $failed + 1`
+testit "add '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group add "$testgroup" || failed=`expr $failed + 1`
+testit "addmembers '$testgroup' '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool group addmembers "$testgroup" "$testuser" || failed=`expr $failed + 1`
+
+testit "search1" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testgroup" objectSid || failed=`expr $failed + 1`
+ldif="${TMPDIR}/search1.ldif"
+$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testgroup objectSid > $ldif
+rid=$(cat $ldif | sed -n 's/^objectSid: S-1-5-21-.*-.*-.*-//p')
+
+testit "search2" $VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName="$testuser" dn || failed=`expr $failed + 1`
+ldif="${TMPDIR}/search2.ldif"
+$VALGRIND $BINDIR/ldbsearch -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 sAMAccountName=$testuser dn > $ldif
+user_dn=$(cat $ldif | sed -n 's/^dn: //p')
+
+ldif="${TMPDIR}/modify1.ldif"
+cat > $ldif <<EOF
+dn: $user_dn
+changetype: modify
+replace: primaryGroupID
+primaryGroupID: $rid
+EOF
+testit "Change primaryGroupID to $rid" $VALGRIND $BINDIR/ldbmodify -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 --verbose < $ldif || failed=`expr $failed + 1`
+
+testit "dbcheck run1" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+ldif="${TMPDIR}/modify2.ldif"
+cat > $ldif <<EOF
+dn: $user_dn
+changetype: modify
+replace: primaryGroupID
+primaryGroupID: 513
+EOF
+testit "Change primaryGroupID to 513" $VALGRIND $BINDIR/ldbmodify -H ldap://$SERVER_IP -U$USERNAME%$PASSWORD -d0 < $ldif || failed=`expr $failed + 1`
+
+testit "dbcheck run2" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+testit "delete '$testuser'" $VALGRIND $PYTHON $BINDIR/samba-tool user delete "$testuser" || failed=`expr $failed + 1`
+testit "delete '$testgroup'" $VALGRIND $PYTHON $BINDIR/samba-tool group delete "$testgroup" || failed=`expr $failed + 1`
+
+#
+# As we don't support phantom objects and virtual backlinks
+# the deletion of the user prior to the group causes dangling links,
+# which are detected like this:
+#
+# WARNING: target DN is deleted for member in object
+#
+# Specifically, this happens because after the member link is
+# deactivated the memberOf is gone, and so there is no way to find the
+# now redundant forward link to clean it up.
+#
+testit_expect_failure "dbcheck run3" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member --fix --yes || failed=`expr $failed + 1`
+testit "dbcheck run4" $VALGRIND $PYTHON $BINDIR/samba-tool dbcheck --attrs=member || failed=`expr $failed + 1`
+
+exit $failed
diff --git a/testprogs/blackbox/test_rpcclient_schannel.sh b/testprogs/blackbox/test_rpcclient_schannel.sh
new file mode 100755
index 0000000..9981d4d
--- /dev/null
+++ b/testprogs/blackbox/test_rpcclient_schannel.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+# Blackbox tests rpcclient with schannel
+# Copyright (c) 2021 Andreas Schneider <asn@samba.org>
+
+if [ $# -lt 8 ]; then
+ cat << EOF
+Usage: test_rpcclient_schannel.sh DOMAIN REALM USERNAME PASSWORD SERVER PREFIX CONFIGURATION TESTENV
+EOF
+ exit 1
+fi
+
+DOMAIN=$1
+REALM=$2
+USERNAME=$3
+PASSWORD=$4
+SERVER=$5
+PREFIX=$6
+CONFIGURATION=$7
+TESTENV=$8
+shift 8
+
+failed=0
+
+samba_subunit_dir=$(dirname "$0")
+. "${samba_subunit_dir}/subunit.sh"
+. "${samba_subunit_dir}/common_test_fns.inc"
+
+samba_bindir="${BINDIR}"
+samba_rpcclient="${samba_bindir}/rpcclient"
+
+test_rpc_getusername()
+{
+ cmd="$samba_rpcclient ncacn_np:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c getusername 2>&1"
+ out=$(eval "$cmd")
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Failed to connect! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep -q "Account Name: ANONYMOUS LOGON, Authority Name: NT AUTHORITY"
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Incorrect account/authority name! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+test_rpc_lookupsids()
+{
+ cmd="$samba_rpcclient ncacn_ip_tcp:${SERVER}[schannel] --machine-pass --configfile=${CONFIGURATION} -c 'lookupsids3 S-1-1-0' 2>&1"
+ out=$(eval "$cmd")
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Failed to connect! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ echo "$out" | grep -q "S-1-1-0 Everyone"
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ echo "Incorrect account/authority name! Error: $ret"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+testit "ncacn_np.getusername" \
+ test_rpc_getusername || \
+ failed=$((failed + 1))
+
+if [[ "$TESTENV" == "ad_member_fips"* ]]; then
+ unset GNUTLS_FORCE_FIPS_MODE
+
+ testit "ncacn_np.getusername.fips" \
+ test_rpc_getusername || \
+ failed=$((failed + 1))
+
+ GNUTLS_FORCE_FIPS_MODE=1
+ export GNUTLS_FORCE_FIPS_MODE
+fi
+
+testit "ncacn_ip_tcp.lookupsids" \
+ test_rpc_lookupsids || \
+ failed=$((failed + 1))
+
+exit ${failed}
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
new file mode 100755
index 0000000..f27c7d6
--- /dev/null
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
@@ -0,0 +1,94 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+TRUST_SERVER=$6
+TRUST_USERNAME=$7
+TRUST_PASSWORD=$8
+TRUST_REALM=$9
+TRUST_DOMAIN=${10}
+PREFIX=${11}
+shift 11
+failed=0
+
+
+samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool"
+
+samba4kinit_binary=kinit
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary=$BINDIR/samba4kinit
+fi
+
+samba4kgetcred=kgetcred
+if test -x $BINDIR/samba4kgetcred; then
+ samba4kgetcred=$BINDIR/samba4kgetcred
+fi
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+ocache="$PREFIX/tmpoutcache"
+KRB5CCNAME_PATH="$PREFIX/tmpccache"
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+rm -rf $KRB5CCNAME_PATH
+
+princ=test_impersonate_princ
+impersonator=test_impersonator.$REALM
+target="CIFS/$SERVER.$REALM"
+
+
+testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD || failed=`expr $failed + 1`
+testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator || failed=`expr $failed + 1`
+
+testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on || failed=`expr $failed + 1`
+testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target || failed=`expr $failed + 1`
+
+testit "add a new principal" $samba_tool user add $princ --random-password || failed=`expr $failed + 1`
+testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`expr $failed + 1`
+
+
+echo $PASSWORD > $PREFIX/tmppassfile
+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
+
+testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
+testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+rm -f $ocache
+testit "unset not-delegated flag" $samba_tool user sensitive $princ off || failed=`expr $failed + 1`
+
+testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $PASSWORD > $PREFIX/tmppassfile
+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1`
+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+
+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile
+exit $failed
diff --git a/testprogs/blackbox/test_samba-tool_ntacl.sh b/testprogs/blackbox/test_samba-tool_ntacl.sh
new file mode 100755
index 0000000..4648fa6
--- /dev/null
+++ b/testprogs/blackbox/test_samba-tool_ntacl.sh
@@ -0,0 +1,132 @@
+#!/bin/sh
+# Blackbox tests for samba-tool ntacl get/set on member server
+# Copyright (C) 2018 Björn Baumbach <bb@sernet.de>
+
+if [ $# -ne 2 ]; then
+ echo "Usage: test_samba-tool_ntacl.sh PREFIX DOMSID"
+ exit 1
+fi
+
+PREFIX=$1
+domain_sid=$2
+
+failed=0
+
+samba4bindir="$BINDIR"
+samba_tool="$samba4bindir/samba-tool"
+
+testfile="$PREFIX/ntacl_testfile"
+
+# acl from samba_tool/ntacl.py tests
+acl="O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_acl="O:S-1-5-21-2212615479-2695158682-2101375468-512G:S-1-5-21-2212615479-2695158682-2101375468-513D:P(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-519)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375468-512)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
+new_domain_sid="S-1-5-21-2212615479-2695158682-2101375468"
+
+. `dirname $0`/subunit.sh
+
+UID_WRAPPER_ROOT=1
+export UID_WRAPPER_ROOT
+
+test_get_acl()
+{
+ testfile="$1"
+ exptextedacl="$2"
+
+ retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl) || return $?
+
+ test "$retacl" = "$exptextedacl"
+}
+
+test_set_acl()
+{
+ testfile="$1"
+ acl="$2"
+
+ $PYTHON $samba_tool ntacl set "$acl" "$testfile"
+}
+
+test_get_acl_ntvfs()
+{
+ testfile="$1"
+ exptextedacl="$2"
+
+ retacl=$($PYTHON $samba_tool ntacl get "$testfile" --as-sddl --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf) || return $?
+
+ test "$retacl" = "$exptextedacl"
+}
+
+test_set_acl_ntvfs()
+{
+ testfile="$1"
+ acl="$2"
+
+ $PYTHON $samba_tool ntacl set "$acl" "$testfile" --use-ntvfs --xattr-backend=tdb --configfile=$PREFIX/ad_member/lib/server.conf
+}
+
+test_changedomsid()
+{
+ testfile="$1"
+
+ $PYTHON $samba_tool ntacl changedomsid \
+ "$domain_sid" "$new_domain_sid" "$testfile" \
+ --service=tmp \
+ --configfile=$PREFIX/ad_member/lib/server.conf
+
+ retacl=$($PYTHON $samba_tool ntacl get \
+ "$testfile" \
+ --as-sddl \
+ --service=tmp \
+ --configfile=$PREFIX/ad_member/lib/server.conf) || return $?
+
+ test "$retacl" = "$new_acl"
+}
+
+test_changedomsid_ntvfs()
+{
+ testfile="$1"
+
+ $PYTHON $samba_tool ntacl changedomsid \
+ "$domain_sid" "$new_domain_sid" "$testfile" \
+ --use-ntvfs \
+ --xattr-backend=tdb \
+ --configfile=$PREFIX/ad_member/lib/server.conf
+
+ retacl=$($PYTHON $samba_tool ntacl get \
+ "$testfile" \
+ --as-sddl \
+ --xattr-backend=tdb \
+ --use-ntvfs \
+ --configfile=$PREFIX/ad_member/lib/server.conf) || return $?
+
+ test "$retacl" = "$new_acl"
+}
+
+# work around include error - s4-loadparm does not allow missing include files
+#
+# Unable to load file /home/bbaumba/src/git/samba/st/ad_member/lib/server.conf
+# File "bin/python/samba/netcmd/__init__.py", line 183, in _run
+# return self.run(*args, **kwargs)
+# File "bin/python/samba/netcmd/ntacl.py", line 175, in run
+# lp = sambaopts.get_loadparm()
+# File "bin/python/samba/getopt.py", line 92, in get_loadparm
+# self._lp.load(os.getenv("SMB_CONF_PATH"))
+# Processing section "[global]"
+touch "$(dirname $SMB_CONF_PATH)/error_inject.conf"
+touch "$(dirname $SMB_CONF_PATH)/delay_inject.conf"
+
+touch "$testfile"
+
+testit "set_ntacl" test_set_acl "$testfile" "$acl" || failed=`expr $failed + 1`
+
+testit "get_ntacl" test_get_acl "$testfile" "$acl" || failed=`expr $failed + 1`
+
+testit "changedomsid" test_changedomsid "$testfile" || failed=`expr $failed + 1`
+
+testit "set_ntacl_ntvfs" test_set_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1`
+testit "get_ntacl_ntvfs" test_get_acl_ntvfs "$testfile" "$acl" || failed=`expr $failed + 1`
+
+testit "changedomsid_ntvfs" test_changedomsid_ntvfs "$testfile" || failed=`expr $failed + 1`
+
+rm -f "$testfile"
+
+exit $failed
diff --git a/testprogs/blackbox/test_samba_upgradedns.sh b/testprogs/blackbox/test_samba_upgradedns.sh
new file mode 100755
index 0000000..93799d4
--- /dev/null
+++ b/testprogs/blackbox/test_samba_upgradedns.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Blackbox tests for the samba_upgradedns
+# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
+# Copyright (C) 2006-2012 Andrew Bartlett <abartlet@samba.org>
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_samba_upgradedns.sh SERVER REALM PREFIX PROVDIR
+EOF
+exit 1;
+fi
+
+SERVER=$1
+REALM=$2
+PREFIX=$3
+PROVDIR=$4
+shift 4
+failed=0
+
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+
+
+. `dirname $0`/subunit.sh
+
+testit "run samba_upgradedns converting to bind9 DLZ" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+testit "check that dns.keytab is present" test -f $PROVDIR/bind-dns/dns.keytab
+
+testit "run samba_upgradedns converting to internal" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to internal (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to bind9 DLZ (2nd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+testit "run samba_upgradedns converting to bind9 DLZ (3rd time)" $PYTHON $samba4srcdir/scripting/bin/samba_upgradedns --dns-backend=BIND9_DLZ --configfile=$PROVDIR/etc/smb.conf || failed=`expr $failed + 1`
+
+
+exit $failed
diff --git a/testprogs/blackbox/test_smbtorture_test_names.sh b/testprogs/blackbox/test_smbtorture_test_names.sh
new file mode 100755
index 0000000..a451310
--- /dev/null
+++ b/testprogs/blackbox/test_smbtorture_test_names.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+#Tests if the --fullname parameter passed to smbtorture is working as expected.
+
+if [ $# -ne 1 ]; then
+cat <<EOF
+Usage: test_smbtorture_test_names.sh SMBTORTURE
+EOF
+exit 1;
+fi
+
+SMBTORTURE="$1 //a/b"
+
+. `dirname $0`/subunit.sh
+
+failed=0
+
+testit_grep "with_shortname local.smbtorture.level1.level2.level3.always_pass" \
+ '^success: always_pass$' \
+ $SMBTORTURE local.smbtorture.level1.level2.level3.always_pass || failed=`expr $failed + 1`
+testit_grep "with_shortname local.smbtorture.level1.level2.level3" \
+ '^success: always_pass$' \
+ $SMBTORTURE local.smbtorture.level1.level2.level3 || failed=`expr $failed + 1`
+testit_grep "with_shortname local.smbtorture.level1.level2"\
+ '^success: level3.always_pass$' \
+ $SMBTORTURE local.smbtorture.level1.level2 || failed=`expr $failed + 1`
+testit_grep "with_shortname local.smbtorture.level1" \
+ '^success: level2.level3.always_pass$' \
+ $SMBTORTURE local.smbtorture.level1 || failed=`expr $failed + 1`
+testit_grep "with_fullname local.smbtorture.level1.level2.level3.always_pass" \
+ '^success: local.smbtorture.level1.level2.level3.always_pass$' \
+ $SMBTORTURE --fullname local.smbtorture.level1.level2.level3.always_pass || failed=`expr $failed + 1`
+testit_grep "with_fullname local.smbtorture.level1.level2.level3" \
+ '^success: local.smbtorture.level1.level2.level3.always_pass$' \
+ $SMBTORTURE --fullname local.smbtorture.level1.level2.level3 || failed=`expr $failed + 1`
+testit_grep "with_fullname local.smbtorture.level1.level2" \
+ '^success: local.smbtorture.level1.level2.level3.always_pass$' \
+ $SMBTORTURE --fullname local.smbtorture.level1.level2 || failed=`expr $failed + 1`
+testit_grep "with_fullname local.smbtorture.level1" \
+ '^success: local.smbtorture.level1.level2.level3.always_pass$' \
+ $SMBTORTURE --fullname local.smbtorture.level1 || failed=`expr $failed + 1`
+
+testok $0 $failed
diff --git a/testprogs/blackbox/test_special_group.sh b/testprogs/blackbox/test_special_group.sh
new file mode 100755
index 0000000..84bb95f
--- /dev/null
+++ b/testprogs/blackbox/test_special_group.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: $0 PREFIX
+EOF
+exit 1;
+fi
+
+PREFIX_ABS="$1"
+shift 1
+
+failed=0
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+OLD_RELEASE="release-4-5-0-pre1"
+old_release_dir="$SRCDIR_ABS/source4/selftest/provisions/$OLD_RELEASE"
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+
+cleanup_output_directories()
+{
+ remove_directory $PREFIX_ABS/$OLD_RELEASE
+}
+
+undump_old() {
+ $samba_undump $old_release_dir $PREFIX_ABS/$OLD_RELEASE $samba_tdbrestore
+}
+
+add_special_group() {
+ $PYTHON $BINDIR/samba-tool group add 'protected users' --special -H tdb://$PREFIX_ABS/$OLD_RELEASE/private/sam.ldb
+}
+
+# double-check we cleaned up from the last test run
+cleanup_output_directories
+
+testit $OLD_RELEASE undump_old || failed=`expr $failed + 1`
+
+testit "add_special_group" add_special_group || failed=`expr $failed + 1`
+
+testit_expect_failure_grep "add_duplicate_special_group" "Failed to add group.*already exists" add_special_group || failed=`expr $failed + 1`
+
+cleanup_output_directories
+
+exit $failed
diff --git a/testprogs/blackbox/test_trust_ntlm.sh b/testprogs/blackbox/test_trust_ntlm.sh
new file mode 100755
index 0000000..101303e
--- /dev/null
+++ b/testprogs/blackbox/test_trust_ntlm.sh
@@ -0,0 +1,205 @@
+#!/bin/sh
+# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 12 ]; then
+cat <<EOF
+Usage: $# test_trust_ntlm.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TYPE UNTRUSTED TRUST_ERROR
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+shift 5
+TRUST_USERNAME=$1
+TRUST_PASSWORD=$2
+TRUST_REALM=$3
+TRUST_DOMAIN=$4
+shift 4
+TYPE=$1
+UNTRUSTED=$2
+TRUST_ERROR=$3
+shift 3
+failed=0
+
+samba4bindir="$BINDIR"
+
+rpcclient="$samba4bindir/rpcclient"
+smbclient="$samba4bindir/smbclient"
+wbinfo="$samba4bindir/wbinfo"
+
+unc="//$SERVER/tmp"
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+DNAME="$DOMAIN"
+NAME="$DNAME\\$USERNAME"
+WBNAME="$DNAME/$USERNAME"
+CREDS="$NAME%$PASSWORD"
+WBCREDS="$WBNAME%$PASSWORD"
+EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN"
+EXPSID="(User: 1)"
+EXPDSID="(Domain: 3)"
+test_rpcclient_grep "Test01 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+test_smbclient "Test01 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+testit "Test01 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+test_rpcclient_grep "Test01 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1`
+testit "Test01 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1`
+test_rpcclient_grep "Test01 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1`
+
+DNAME="$REALM"
+NAME="$DNAME\\$USERNAME"
+WBNAME="$DNAME/$USERNAME"
+CREDS="$NAME%$PASSWORD"
+WBCREDS="$WBNAME%$PASSWORD"
+EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN"
+EXPSID="(User: 1)"
+EXPDSID="(Domain: 3)"
+test_rpcclient_grep "Test02 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+test_smbclient "Test02 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+testit "Test02 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+test_rpcclient_grep "Test02 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1`
+testit "Test02 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1`
+test_rpcclient_grep "Test02 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1`
+
+CREDS="$USERNAME@$DOMAIN%$PASSWORD"
+WBCREDS="$USERNAME@$DOMAIN%$PASSWORD"
+if [ x"$TYPE" = x"member" ]; then
+ EXPFAIL="NT_STATUS_LOGON_FAILURE"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_expect_failure_grep "Fail03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1`
+ test_smbclient_expect_failure "Fail03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit_expect_failure "Fail03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1`
+else
+ EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_grep "Test03 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+ test_smbclient "Test03 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit "Test03 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+fi
+
+CREDS="$USERNAME@$REALM%$PASSWORD"
+WBCREDS="$USERNAME@$REALM%$PASSWORD"
+if [ x"$TYPE" = x"member" ]; then
+ EXPFAIL="NT_STATUS_LOGON_FAILURE"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_expect_failure_grep "Fail04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1`
+ test_smbclient_expect_failure "Fail04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit_expect_failure "Fail04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1`
+else
+ EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_grep "Test04 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+ test_smbclient "Test04 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit "Test04 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+fi
+
+DNAME="UNKNOWNDOMAIN"
+NAME="$DNAME\\$USERNAME"
+WBNAME="$DNAME/$USERNAME"
+CREDS="$NAME%$PASSWORD"
+WBCREDS="$WBNAME%$PASSWORD"
+EXPCREDS="Account Name: $USERNAME, Authority Name: $DOMAIN"
+EXPSID="NT_STATUS_NONE_MAPPED"
+EXPDSID="NT_STATUS_NONE_MAPPED"
+test_rpcclient_grep "Test05 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+test_smbclient "Test05 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+testit_expect_failure "Fail05 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1`
+testit_expect_failure "Test05 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1`
+test_rpcclient_expect_failure_grep "Test05 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1`
+
+CREDS="$TRUST_DOMAIN\\$USERNAME%$PASSWORD"
+WBCREDS="$TRUST_DOMAIN/$USERNAME%$PASSWORD"
+EXPFAIL="$TRUST_ERROR"
+test_rpcclient_expect_failure_grep "Fail06 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1`
+test_smbclient_expect_failure "Fail06 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1`
+testit_expect_failure "Fail06 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1`
+
+DNAME="$TRUST_DOMAIN"
+NAME="$DNAME\\$TRUST_USERNAME"
+WBNAME="$DNAME/$TRUST_USERNAME"
+CREDS="$NAME%$TRUST_PASSWORD"
+WBCREDS="$WBNAME%$TRUST_PASSWORD"
+EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN"
+EXPSID="(User: 1)"
+EXPDSID="(Domain: 3)"
+test_rpcclient_grep "Test07 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+test_smbclient "Test07 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+testit "Test07 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+test_rpcclient_grep "Test07 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1`
+testit "Test07 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1`
+test_rpcclient_grep "Test07 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1`
+
+DNAME="$TRUST_REALM"
+NAME="$DNAME\\$TRUST_USERNAME"
+WBNAME="$DNAME/$TRUST_USERNAME"
+CREDS="$NAME%$TRUST_PASSWORD"
+WBCREDS="$WBNAME%$TRUST_PASSWORD"
+EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN"
+EXPSID="(User: 1)"
+EXPDSID="(Domain: 3)"
+test_rpcclient_grep "Test08 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+test_smbclient "Test08 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+testit "Test08 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+test_rpcclient_grep "Test08 rpcclient lookupnames with $NAME" "lookupnames_level 1 '$NAME'" "$SERVER" "$EXPSID" -U$CREDS || failed=`expr $failed + 1`
+testit "Test08 wbinfo -n with $WBNAME" $VALGRIND $wbinfo -n "$WBNAME" || failed=`expr $failed + 1`
+test_rpcclient_grep "Test08 rpcclient lookupnames with $DNAME" "lookupnames_level 1 '$DNAME'" "$SERVER" "$EXPDSID" -U$CREDS || failed=`expr $failed + 1`
+
+CREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD"
+WBCREDS="$TRUST_USERNAME@$TRUST_DOMAIN%$TRUST_PASSWORD"
+if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then
+ # NT4 domain
+ EXPFAIL="NT_STATUS_LOGON_FAILURE"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_expect_failure_grep "Fail09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1`
+ test_smbclient_expect_failure "Fail09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit_expect_failure "Fail09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1`
+else
+ EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_grep "Test09 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+ test_smbclient "Test09 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit "Test09 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+fi
+
+CREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD"
+WBCREDS="$TRUST_USERNAME@$TRUST_REALM%$TRUST_PASSWORD"
+if [ x"$TRUST_REALM" = x"$TRUST_DOMAIN" ]; then
+ # NT4 domain
+ EXPFAIL="NT_STATUS_LOGON_FAILURE"
+ # rpcclient doesn't handle -Uuser@domain yet
+ #test_rpcclient_expect_failure_grep "Fail10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPFAIL" -U$CREDS && failed=`expr $failed + 1`
+ test_smbclient_expect_failure "Fail10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS && failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit_expect_failure "Fail10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS && failed=`expr $failed + 1`
+else
+ EXPCREDS="Account Name: $TRUST_USERNAME, Authority Name: $TRUST_DOMAIN"
+ # rpcclient doesn't handle -Uuser@domain yet, maybe smbclient for now?
+ #test_rpcclient_grep "Test10 rpcclient getusername with $CREDS" getusername "$SERVER" "$EXPCREDS" -U$CREDS || failed=`expr $failed + 1`
+ test_smbclient "Test10 smbclient with $CREDS" 'ls' "$unc" -U$CREDS || failed=`expr $failed + 1`
+ # winbindd doesn't handle user@domain yet
+ #testit "Test10 wbinfo -a with $WBCREDS" $VALGRIND $wbinfo -a $WBCREDS || failed=`expr $failed + 1`
+fi
+
+lowerrealm=$(echo $TRUST_REALM | tr '[A-Z]' '[a-z]')
+
+#if test x$TYPE = x"forest"; then
+#
+#fi
+#
+#if test x$UNTRUSTED = x"yes"; then
+#
+#fi
+
+exit $failed
diff --git a/testprogs/blackbox/test_trust_token.sh b/testprogs/blackbox/test_trust_token.sh
new file mode 100755
index 0000000..21de224
--- /dev/null
+++ b/testprogs/blackbox/test_trust_token.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# Copyright (C) 2017 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 12 ]; then
+cat <<EOF
+Usage: $# test_trust_token.sh SERVER USERNAME PASSWORD REALM DOMAIN DOMSID TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN TRUST_DOMSID TYPE
+EOF
+exit 1;
+fi
+
+SERVER=$1
+shift 1
+USERNAME=$1
+PASSWORD=$2
+REALM=$3
+DOMAIN=$4
+DOMSID=$5
+shift 5
+TRUST_USERNAME=$1
+TRUST_PASSWORD=$2
+TRUST_REALM=$3
+TRUST_DOMAIN=$4
+TRUST_DOMSID=$5
+shift 5
+TYPE=$1
+shift 1
+failed=0
+
+samba4bindir="$BINDIR"
+
+ldbsearch="$samba4bindir/ldbsearch"
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+test_token()
+{
+ auth_args="${1}"
+ auth_sid="${2-}"
+
+ out=$($VALGRIND $ldbsearch -H ldap://$SERVER.$REALM -U$TRUST_REALM\\$TRUST_USERNAME%$TRUST_PASSWORD -b '' --scope=base -k ${auth_args} tokenGroups 2>&1)
+ ret=$?
+ test x"$ret" = x"0" || {
+ echo "$out"
+ return 1
+ }
+
+ trust_sids=$(echo "$out" | grep '^tokenGroups' | grep "${TRUST_DOMSID}-" | wc -l)
+ test "$trust_sids" -ge "2" || {
+ echo "$out"
+ echo "Less than 2 sids from $TRUST_DOMAIN $TRUST_DOMSID"
+ return 1
+ }
+
+ domain_sids=$(echo "$out" | grep '^tokenGroups' | grep "${DOMSID}-" | wc -l)
+ test "$domain_sids" -ge "1" || {
+ echo "$out"
+ echo "Less than 1 sid from $DOMAIN $DOMSID"
+ return 1
+ }
+
+ builtin_sids=$(echo "$out" | grep '^tokenGroups' | grep "S-1-5-32-" | wc -l)
+ test "$builtin_sids" -ge "1" || {
+ echo "$out"
+ echo "Less than 1 sid from BUILTIN S-1-5-32"
+ return 1
+ }
+
+ #
+ # The following should always be present
+ #
+ # SID_WORLD(S-1-1-0)
+ # SID_NT_NETWORK(S-1-5-2)
+ # SID_NT_AUTHENTICATED_USERS(S-1-5-11)
+ #
+ required_sids="S-1-1-0 S-1-5-2 S-1-5-11 ${auth_sid}"
+ for sid in $required_sids; do
+ found=$(echo "$out" | grep "^tokenGroups: ${sid}$" | wc -l)
+ test x"$found" = x"1" || {
+ echo "$out"
+ echo "SID: ${sid} not found"
+ return 1
+ }
+ done
+
+ return 0
+}
+
+testit "Test token with kerberos" test_token "yes" "" || failed=`expr $failed + 1`
+# Check that SID_NT_NTLM_AUTHENTICATION(S-1-5-64-10) is added for NTLMSSP
+testit "Test token with NTLMSSP" test_token "no" "S-1-5-64-10" || failed=`expr $failed + 1`
+
+exit $failed
diff --git a/testprogs/blackbox/test_trust_user_account.sh b/testprogs/blackbox/test_trust_user_account.sh
new file mode 100755
index 0000000..63024a9
--- /dev/null
+++ b/testprogs/blackbox/test_trust_user_account.sh
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_trust_user_account.sh PREFIX OUR_REALM OUR_FLAT REMOTE_REALM REMOTE_FLAT
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+OUR_REALM="$2"
+OUR_FLAT="$3"
+REMOTE_REALM="$4"
+REMOTE_FLAT="$5"
+shift 5
+
+. `dirname $0`/subunit.sh
+
+
+samba_tool="$BINDIR/samba-tool"
+samba4bindir="$BINDIR"
+samba4srcdir="$SRCDIR/source4"
+samba4kinit_binary="kinit -k"
+if test -x $BINDIR/samba4kinit; then
+ samba4kinit_binary="$BINDIR/samba4kinit --use-keytab"
+fi
+
+KEYTAB="$PREFIX/tmptda.keytab"
+
+KRB5_TRACE=/dev/stderr
+export KRB5_TRACE
+
+testit "retrieve keytab for TDA of $REMOTE_REALM" $PYTHON $samba_tool domain exportkeytab $KEYTAB $CONFIGURATION --principal "$REMOTE_FLAT\$@$OUR_REALM" || failed=`expr $failed + 1`
+
+KRB5CCNAME="$PREFIX/tmptda.ccache"
+samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"
+export KRB5CCNAME
+
+rm -f $KRB5CCNAME
+
+EXPECTED_SALT="${OUR_REALM}krbtgt${REMOTE_FLAT}"
+#
+# Note the \$ is for the end of line in grep
+#
+# There must be no trailing '$' in the SALT string itself,
+# it's removed from the sAMAccountName value (which includes the trailing '$')
+# before construting the salt!
+#
+# Otherwise this would be:
+# "^virtualKerberosSalt: ${EXPECTED_SALT}\\\$\$"
+#
+EXPECTED_GREP="^virtualKerberosSalt: ${EXPECTED_SALT}\$"
+testit_grep "get virtualKerberosSalt for TDA of $REMOTE_FLAT\$" "$EXPECTED_GREP" $PYTHON $samba_tool user getpassword "$REMOTE_FLAT\$" $CONFIGURATION --attributes=virtualKerberosSalt || failed=`expr $failed + 1`
+
+testit "kinit with keytab for TDA of $REMOTE_REALM" $samba4kinit -t $KEYTAB "$REMOTE_FLAT\$@$OUR_REALM" || failed=`expr $failed + 1`
+
+rm -f $KRB5CCNAME $KEYTAB
+
+exit $failed
diff --git a/testprogs/blackbox/test_trust_utils.sh b/testprogs/blackbox/test_trust_utils.sh
new file mode 100755
index 0000000..7da1e05
--- /dev/null
+++ b/testprogs/blackbox/test_trust_utils.sh
@@ -0,0 +1,144 @@
+#!/bin/sh
+# Copyright (C) 2015 Stefan Metzmacher <metze@samba.org>
+
+if [ $# -lt 12 ]; then
+cat <<EOF
+Usage: $# test_trust_utils.sh SERVER USERNAME PASSWORD REALM DOMAIN TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX TYPE
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+shift 5
+TRUST_SERVER=$1
+TRUST_USERNAME=$2
+TRUST_PASSWORD=$3
+TRUST_REALM=$4
+TRUST_DOMAIN=$5
+shift 5
+PREFIX=$1
+TYPE=$2
+shift 2
+failed=0
+
+samba4bindir="$BINDIR"
+
+samba_tool="$samba4bindir/samba-tool"
+
+. `dirname $0`/subunit.sh
+
+CREDS="${DOMAIN}\\${USERNAME}%${PASSWORD}"
+TRUST_CREDS_DOMAIN="${TRUST_DOMAIN}\\${TRUST_USERNAME}%${TRUST_PASSWORD}"
+TRUST_SERVER_CREDS_DOMAIN_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_DOMAIN}"
+
+TRUST_CREDS_REALM="${TRUST_REALM}\\${TRUST_USERNAME}%${TRUST_PASSWORD}"
+TRUST_SERVER_CREDS_REALM_ARGS="--local-dc-ipaddress ${TRUST_SERVER} --local-dc-username ${TRUST_CREDS_REALM}"
+
+list="$VALGRIND $PYTHON $samba_tool domain trust list"
+testit "list domains default" $list || failed=`expr $failed + 1`
+
+# Show that the domain name and realm work
+testit "list domains reverse (DOMAIN)" $list ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+testit "list domains reverse (REALM)" $list ${TRUST_SERVER_CREDS_REALM_ARGS} || failed=`expr $failed + 1`
+
+show="$VALGRIND $PYTHON $samba_tool domain trust show"
+testit "show domains default realm" $show ${TRUST_REALM} || failed=`expr $failed + 1`
+testit "show domains reverse realm" $show ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+testit "show domains default netbios" $show ${TRUST_DOMAIN} || failed=`expr $failed + 1`
+testit "show domains reverse netbios" $show ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+
+validate="$VALGRIND $PYTHON $samba_tool domain trust validate"
+testit "validate trust default both" $validate ${TRUST_REALM} -U${TRUST_CREDS_DOMAIN}|| failed=`expr $failed + 1`
+testit "validate trust default local" $validate ${TRUST_REALM} --validate-location=local || failed=`expr $failed + 1`
+testit "validate trust reverse both" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} -U${CREDS} || failed=`expr $failed + 1`
+testit "validate trust reverse local" $validate ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --validate-location=local || failed=`expr $failed + 1`
+
+namespaces="$VALGRIND $PYTHON $samba_tool domain trust namespaces"
+testit "namespaces own default" $namespaces || failed=`expr $failed + 1`
+testit "namespaces own reverse" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+
+DOMSID=`$namespaces | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'`
+#testit_expect_failure "namespaces domsid default" echo ${DOMSID} || failed=`expr $failed + 1`
+
+TRUST_DOMSID=`$namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} | grep LocalDomain | sed -e 's!.*SID\[\(.*\)\].*!\1!'`
+#testit_expect_failure "namespaces domsid reverse" echo ${TRUST_DOMSID} || failed=`expr $failed + 1`
+
+if test x$TYPE = x"forest"; then
+ testit "namespaces trust default realm 1" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse realm 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default domain 1" $namespaces ${TRUST_DOMAIN} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse domain 1" $namespaces ${DOMAIN} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+
+ testit "namespaces own default add-upn-suffix 1" $namespaces --add-upn-suffix=default.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces own reverse add-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces own default add-upn-suffix 2" $namespaces --add-upn-suffix=${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces own reverse add-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-upn-suffix=${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces own default add-spn-suffix 1" $namespaces --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces own reverse add-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces trust default check 1" $namespaces ${TRUST_REALM} --refresh=check || failed=`expr $failed + 1`
+ testit "namespaces trust reverse check 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=check || failed=`expr $failed + 1`
+
+ testit "namespaces trust default store 1" $namespaces ${TRUST_REALM} --refresh=store || failed=`expr $failed + 1`
+ testit "namespaces trust reverse store 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store || failed=`expr $failed + 1`
+
+ testit "namespaces trust default enable-tln 1" $namespaces ${TRUST_REALM} --enable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces trust reverse enable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces trust default enable-tln 2" $namespaces ${TRUST_REALM} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces trust reverse enable-tln 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces trust default enable-tln 3" $namespaces ${TRUST_REALM} --enable-tln=${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse enable-tln 3" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-tln=${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default disable-nb 1" $namespaces ${TRUST_REALM} --disable-nb=${TRUST_DOMAIN} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse disable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-nb=${DOMAIN} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default disable-sid 1" $namespaces ${TRUST_REALM} --disable-sid=${TRUST_DOMSID} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse disable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-sid=${DOMSID} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default disable-tln 1" $namespaces ${TRUST_REALM} --disable-tln=reverse.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces trust reverse disable-tln 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --disable-tln=default.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces trust default add-tln-ex 1" $namespaces ${TRUST_REALM} --add-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse add-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=exclude.${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default add-tln-ex 2" $namespaces ${TRUST_REALM} --add-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse add-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --add-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default realm 2" $namespaces ${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse realm 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default delete-tln-ex 1" $namespaces ${TRUST_REALM} --delete-tln-ex=exclude.${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse delete-tln-ex 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=exclude.${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default delete-tln-ex 2" $namespaces ${TRUST_REALM} --delete-tln-ex=sub.exclude.${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse delete-tln-ex 2" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-tln-ex=sub.exclude.${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces own default delete-upn-suffix 1" $namespaces --delete-upn-suffix=default.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces own reverse delete-upn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=reverse.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces own default delete-upn-suffix 2" $namespaces --delete-upn-suffix=${TRUST_REALM} || failed=`expr $failed + 1`
+ testit "namespaces own reverse delete-upn-suffix 2" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-upn-suffix=${REALM} || failed=`expr $failed + 1`
+
+ testit "namespaces own default delete-spn-suffix 1" $namespaces --delete-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+ testit "namespaces own reverse delete-spn-suffix 1" $namespaces ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --delete-spn-suffix=spn.test_trust_utils.example.com || failed=`expr $failed + 1`
+
+ testit "namespaces trust default enable-nb 1" $namespaces ${TRUST_REALM} --enable-nb=${TRUST_DOMAIN} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse enable-nb 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-nb=${DOMAIN} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default enable-sid 1" $namespaces ${TRUST_REALM} --enable-sid=${TRUST_DOMSID} || failed=`expr $failed + 1`
+ testit "namespaces trust reverse enable-sid 1" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --enable-sid=${DOMSID} || failed=`expr $failed + 1`
+
+ testit "namespaces trust default reset final" $namespaces ${TRUST_REALM} --refresh=store --enable-all || failed=`expr $failed + 1`
+ testit "namespaces trust reverse reset final" $namespaces ${REALM} ${TRUST_SERVER_CREDS_DOMAIN_ARGS} --refresh=store --enable-all || failed=`expr $failed + 1`
+fi
+
+exit $failed
diff --git a/testprogs/blackbox/test_weak_crypto.sh b/testprogs/blackbox/test_weak_crypto.sh
new file mode 100755
index 0000000..e2cdfa7
--- /dev/null
+++ b/testprogs/blackbox/test_weak_crypto.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+#
+# Blackbox tests for weak crytpo
+# Copyright (c) 2020 Andreas Schneider <asn@samba.org>
+#
+
+if [ $# -lt 6 ]; then
+cat <<EOF
+Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+shift 6
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_bindir="$BINDIR"
+samba_testparm="$BINDIR/testparm"
+samba_rpcclient="$samba_bindir/rpcclient"
+
+opt="--option=gensec:gse_krb5=no -U${USERNAME}%${PASSWORD}"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh
new file mode 100755
index 0000000..fcd266d
--- /dev/null
+++ b/testprogs/blackbox/test_weak_crypto_server.sh
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+#
+# Blackbox tests for weak crytpo
+# Copyright (c) 2020 Andreas Schneider <asn@samba.org>
+#
+
+if [ $# -lt 7 ]; then
+cat <<EOF
+Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+CONFIGURATION=$7
+shift 7
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_bindir="$BINDIR"
+samba_testparm="$BINDIR/testparm"
+samba_rpcclient="$samba_bindir/rpcclient"
+
+# remove the --configfile=
+configuration="${CONFIGURATION##*=}"
+
+test_weak_crypto_allowed()
+{
+ local testparm_stderr_output_path="$PREFIX/testparm_stderr_output"
+
+ $samba_testparm --suppress-prompt $configuration 2>$testparm_stderr_output_path >/dev/null
+
+ grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1
+ if [ $ret -ne 0 ]; then
+ echo "Invalid crypto state:"
+ cat $testparm_stderr_output_path
+ rm -f $testparm_stderr_output_path
+ return 1
+ fi
+
+ rm -f $testparm_stderr_output_path
+
+ return 0
+}
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER_IP[ntlm] -U$USERNAME%$PASSWORD -c "getusername" && failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
new file mode 100755
index 0000000..2822ab2
--- /dev/null
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 USERNAME PASSWORD
+EOF
+exit 1;
+fi
+
+USERNAME=$1
+PASSWORD=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_testparm="$BINDIR/testparm"
+samba_net="$BINDIR/net"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
diff --git a/testprogs/blackbox/test_wintest.sh b/testprogs/blackbox/test_wintest.sh
new file mode 100755
index 0000000..5019900
--- /dev/null
+++ b/testprogs/blackbox/test_wintest.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+# Blackbox tests for testing against windows machines
+# Copyright (C) 2008 Jim McDonough
+
+
+testwithconf() {
+# define test variables, startup/shutdown scripts
+. $1
+shift 1
+
+if [ -n "$WINTEST_STARTUP" ]; then
+. $WINTEST_STARTUP;
+fi
+
+testit "smbtorture" $smbtorture //$SERVER/$SHARE RAW-OPEN -W "$DOMAIN" -U"$USERNAME%$PASSWORD" $@ || failed=`expr $failed + 1`
+
+if [ -n "$WINTEST_SHUTDOWN" ]; then
+. $WINTEST_SHUTDOWN;
+fi
+}
+
+
+# main
+# skip without WINTEST_CONF_DIR
+if [ -z "$WINTEST_CONF_DIR" ]; then
+exit 0;
+fi
+
+unset SOCKET_WRAPPER_DIR
+
+failed=0
+
+$basedir=`pwd`
+
+samba4bindir=`dirname $0`/../../source4/bin
+smbtorture=$samba4bindir/smbtorture
+
+. `dirname $0`/subunit.sh
+
+for wintest_conf in $WINTEST_CONF_DIR/*.conf; do
+testwithconf "$wintest_conf" $@;
+done
+
+exit $failed
diff --git a/testprogs/blackbox/tfork.sh b/testprogs/blackbox/tfork.sh
new file mode 100755
index 0000000..0f75a8c
--- /dev/null
+++ b/testprogs/blackbox/tfork.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+sleep 1
+
+echo stdout >&1
+echo $1 >&1
+echo stderror >&2
+
+# close stdout and stderror, but don't exit yet
+exec 1>&-
+exec 2>&-
+
+sleep 1
+
+exit 0
diff --git a/testprogs/blackbox/tombstones-expunge.sh b/testprogs/blackbox/tombstones-expunge.sh
new file mode 100755
index 0000000..e2b064d
--- /dev/null
+++ b/testprogs/blackbox/tombstones-expunge.sh
@@ -0,0 +1,245 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: tombstones-expunge.sh PREFIX RELEASE
+EOF
+exit 1;
+fi
+
+PREFIX_ABS="$1"
+RELEASE="$2"
+shift 2
+
+failed=0
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+release_dir="$SRCDIR_ABS/source4/selftest/provisions/$RELEASE"
+
+ldbadd="ldbadd"
+if [ -x "$BINDIR/ldbadd" ]; then
+ ldbadd="$BINDIR/ldbadd"
+fi
+
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+ ldbmodify="$BINDIR/ldbmodify"
+fi
+
+ldbdel="ldbdel"
+if [ -x "$BINDIR/ldbdel" ]; then
+ ldbdel="$BINDIR/ldbdel"
+fi
+
+ldbsearch="ldbsearch"
+if [ -x "$BINDIR/ldbsearch" ]; then
+ ldbsearch="$BINDIR/ldbsearch"
+fi
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then
+ subunit_start_test $RELEASE
+ subunit_skip_test $RELEASE <<EOF
+no test provision
+EOF
+
+ subunit_start_test "tombstones_expunge"
+ subunit_skip_test "tombstones_expunge" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+undump() {
+ $samba_undump $release_dir $PREFIX_ABS/$RELEASE $samba_tdbrestore
+}
+
+tombstones_expunge() {
+ tmpfile=$PREFIX_ABS/$RELEASE/expected-expunge-output.txt.tmp
+ tmpldif1=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp1
+
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN > $tmpldif1
+
+ $PYTHON $BINDIR/samba-tool domain tombstones expunge -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --current-time=2016-07-30 --tombstone-lifetime=4 > $tmpfile
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ diff -u $tmpfile $release_dir/expected-expunge-output.txt
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+
+ tmpldif2=$PREFIX_ABS/$RELEASE/expected-expunge-output2.txt.tmp2
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --scope=base -b '' | grep highestCommittedUSN > $tmpldif2
+
+ diff -u $tmpldif1 $tmpldif2
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_dangling_link() {
+ ldif=$release_dir/add-dangling-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_two_more_users() {
+ ldif=$release_dir/add-two-more-users.ldif
+ TZ=UTC $ldbadd -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_four_more_links() {
+ ldif=$release_dir/add-four-more-links.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+add_unsorted_links() {
+ ldif=$release_dir/add-unsorted-links-step1.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif --relax
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+ ldif=$release_dir/add-unsorted-links-step2.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb.d/DC%3DRELEASE-4-5-0-PRE1,DC%3DSAMBA,DC%3DCORP.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_one_link() {
+ ldif=$release_dir/remove-one-more-link.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_one_user() {
+ ldif=$release_dir/remove-one-more-user.ldif
+ TZ=UTC $ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_match_rule_links() {
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-match-rule-links.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted no_attrs > $tmpldif
+ diff -u $tmpldif $release_dir/expected-match-rule-links.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_match_rule_links_negative() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=-131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_overflow() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_null() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=18446744\073709551617)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_hex() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=abcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_hex2() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=0xabcd)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_decimal() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(member:1.3.6.1.4.1.7165.4.5.2:=131139216000000000.00)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member
+}
+
+check_match_rule_links_backlink() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(memberOf:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted memberOf
+}
+
+check_match_rule_links_notlink() {
+ $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(samAccountName:1.3.6.1.4.1.7165.4.5.2:=131139216000000000)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName
+}
+
+check_expected_after_links() {
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-links-after-expunge.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --sorted member > $tmpldif
+ diff -u $tmpldif $release_dir/expected-links-after-expunge.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_after_deleted_links() {
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-deleted-links-after-expunge.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(cn=swimmers)(cn=leaders)(cn=helpers))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif
+ diff -u $tmpldif $release_dir/expected-deleted-links-after-expunge.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_after_objects() {
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-objects-after-expunge.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(|(samaccountname=fred)(samaccountname=ddg)(samaccountname=usg)(samaccountname=user1)(samaccountname=user2))' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted samAccountName | grep sAMAccountName > $tmpldif
+ diff -u $tmpldif $release_dir/expected-objects-after-expunge.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+check_expected_unsorted_links() {
+ tmpldif=$PREFIX_ABS/$RELEASE/expected-unsorted-links-after-expunge.ldif.tmp
+ TZ=UTC $ldbsearch -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb '(name=unsorted-g)' --scope=sub -b DC=release-4-5-0-pre1,DC=samba,DC=corp --show-deleted --reveal --sorted member > $tmpldif
+ diff -u $tmpldif $release_dir/expected-unsorted-links-after-expunge.ldif
+ if [ "$?" != "0" ]; then
+ return 1
+ fi
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+testit $RELEASE undump || failed=`expr $failed + 1`
+testit "add_two_more_users" add_two_more_users || failed=`expr $failed + 1`
+testit "add_four_more_links" add_four_more_links || failed=`expr $failed + 1`
+testit "add_dangling_link" add_dangling_link || failed=`expr $failed + 1`
+testit "remove_one_link" remove_one_link || failed=`expr $failed + 1`
+testit "remove_one_user" remove_one_user || failed=`expr $failed + 1`
+testit "check_match_rule_links" check_match_rule_links || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_negative" check_match_rule_links_negative || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_overflow" check_match_rule_links_overflow || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_null" check_match_rule_links_null || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_hex" check_match_rule_links_hex || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_hex2" check_match_rule_links_hex2 || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_decimal" check_match_rule_links_decimal || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_backlink" check_match_rule_links_backlink || failed=`expr $failed + 1`
+testit_expect_failure "check_match_rule_links_notlink" check_match_rule_links_notlink || failed=`expr $failed + 1`
+testit "add_unsorted_links" add_unsorted_links || failed=`expr $failed + 1`
+testit "tombstones_expunge" tombstones_expunge || failed=`expr $failed + 1`
+testit "check_expected_after_deleted_links" check_expected_after_deleted_links || failed=`expr $failed + 1`
+testit "check_expected_after_links" check_expected_after_links || failed=`expr $failed + 1`
+testit "check_expected_after_objects" check_expected_after_objects || failed=`expr $failed + 1`
+testit "check_expected_unsorted_links" check_expected_unsorted_links || failed=`expr $failed + 1`
+
+remove_directory $PREFIX_ABS/${RELEASE}
+
+exit $failed
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
new file mode 100755
index 0000000..c625179
--- /dev/null
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -0,0 +1,225 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: dbcheck.sh PREFIX RELEASE
+EOF
+exit 1;
+fi
+
+PREFIX_ABS="$1"
+RELEASE="$2"
+shift 2
+
+failed=0
+
+. `dirname $0`/subunit.sh
+. `dirname $0`/common_test_fns.inc
+
+release_dir="$SRCDIR_ABS/source4/selftest/provisions/${RELEASE}"
+
+LDBDEL_BIN=ldbdel
+if [ -x "$BINDIR/ldbdel" ]; then
+ LDBDEL_BIN=$BINDIR/ldbdel
+fi
+
+samba_tdbrestore="tdbrestore"
+if [ -x "$BINDIR/tdbrestore" ]; then
+ samba_tdbrestore="$BINDIR/tdbrestore"
+fi
+
+samba_undump="$SRCDIR_ABS/source4/selftest/provisions/undump.sh"
+if [ ! -x $samba_undump ] || [ ! -d $release_dir ]; then
+ subunit_start_test "${RELEASE}"
+ subunit_skip_test "${RELEASE}" <<EOF
+no test provision
+EOF
+
+ subunit_start_test "remove_dns_user"
+ subunit_skip_test "remove_dns_user" <<EOF
+no test provision
+EOF
+
+ subunit_start_test "upgradeprovision"
+ subunit_skip_test "upgradeprovision" <<EOF
+no test provision
+EOF
+ subunit_start_test "upgradeprovision_full"
+ subunit_skip_test "upgradeprovision_full" <<EOF
+no test provision
+EOF
+ subunit_start_test "reindex"
+ subunit_skip_test "reindex" <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck"
+ subunit_skip_test "dbcheck" <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck_clean"
+ subunit_skip_test "dbcheck_clean" <<EOF
+no test provision
+EOF
+ # So far, only releases before 4.0.0rc6 need a dbcheck if upgradeprovision has already been run
+ if [ x$RELEASE != x"release-4-0-0" ]; then
+ subunit_start_test "dbcheck_full"
+ subunit_skip_test "dbcheck_full" <<EOF
+no test provision
+EOF
+ fi
+ subunit_start_test "dbcheck_full_clean"
+ subunit_skip_test "dbcheck_full_clean" <<EOF
+no test provision
+EOF
+ subunit_start_test "dbcheck_full_clean_well_known_acls"
+ subunit_skip_test "dbcheck_full_clean_well_known_acls" <<EOF
+no test provision
+EOF
+ subunit_start_test "samba_dnsupgrade"
+ subunit_skip_test "samba_dnsupgrade" <<EOF
+no test provision
+EOF
+ subunit_start_test "referenceprovision"
+ subunit_skip_test "referenceprovision" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp"
+ subunit_skip_test "ldapcmp" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp_full"
+ subunit_skip_test "ldapcmp_full" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp_sd"
+ subunit_skip_test "ldapcmp_sd" <<EOF
+no test provision
+EOF
+ subunit_start_test "ldapcmp_full_sd"
+ subunit_skip_test "ldapcmp_full_sd" <<EOF
+no test provision
+EOF
+
+ exit 0
+fi
+
+undump() {
+ $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade $samba_tdbrestore
+ $samba_undump $release_dir $PREFIX_ABS/${RELEASE}_upgrade_full $samba_tdbrestore
+
+ cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade/private/
+ cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade/
+ mkdir $PREFIX_ABS/${RELEASE}_upgrade/etc/
+ sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade|g" $release_dir/etc/smb.conf.template \
+ > $PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf
+
+ cp -a $release_dir/private/*.keytab $PREFIX_ABS/${RELEASE}_upgrade_full/private/
+ cp -a $release_dir/sysvol $PREFIX_ABS/${RELEASE}_upgrade_full/
+ mkdir $PREFIX_ABS/${RELEASE}_upgrade_full/etc/
+ sed -e "s|@@PREFIX@@|$PREFIX_ABS/${RELEASE}_upgrade_full|g" $release_dir/etc/smb.conf.template \
+ > $PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf
+}
+
+remove_dns_user() {
+ if [ x$RELEASE != x"release-4-0-0" ]; then
+ # This is done, because otherwise the upgrdeprovision will not run without --full
+ ${LDBDEL_BIN} -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb cn=dns,cn=users,dc=${RELEASE},dc=samba,dc=corp
+ fi
+}
+
+reindex() {
+ $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck() {
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@
+}
+
+dbcheck_clean() {
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb $@
+}
+
+# This should 'fail', because it returns the number of modified records
+dbcheck_full() {
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@
+}
+
+dbcheck_full_clean() {
+ $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@
+}
+
+# This checks that after the upgrade, the well known ACLs are correct, so this reset should not want to do anything
+dbcheck_full_clean_well_known_acls() {
+ $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb $@
+}
+
+upgradeprovision() {
+ # bring the really old Samba schema in line with a more recent 2008R2 schema
+ $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade/etc/smb.conf" --debugchange
+
+ # on top of this, also apply 2008R2 changes we accidentally missed in the past
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+
+ # add missing domain prep for 2008R2
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2
+}
+
+upgradeprovision_full() {
+ # add missing domain prep for 2008R2
+ $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --domain --function-level 2008_R2
+
+ $PYTHON $BINDIR/samba_upgradeprovision --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf" --full --debugchange
+}
+
+samba_upgradedns() {
+ $PYTHON $BINDIR/samba_upgradedns --dns-backend=SAMBA_INTERNAL --configfile="$PREFIX_ABS/${RELEASE}_upgrade_full/etc/smb.conf"
+}
+
+referenceprovision() {
+ $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_upgrade_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 --function-level=2003 --base-schema=2008_R2_old
+}
+
+ldapcmp() {
+ if [ x$RELEASE != x"alpha13" ]; then
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes,servicePrincipalName
+ fi
+}
+
+ldapcmp_full() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --filter=dNSProperty,dnsRecord,cn,displayName,versionNumber,systemFlags,msDS-HasInstantiatedNCs,servicePrincipalName --skip-missing-dn
+}
+
+ldapcmp_sd() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --sd --skip-missing-dn
+}
+
+ldapcmp_full_sd() {
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade_full/private/sam.ldb --two --sd --skip-missing-dn
+}
+
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference
+
+testit $RELEASE undump || failed=`expr $failed + 1`
+testit "remove_dns_user" remove_dns_user || failed=`expr $failed + 1`
+testit "upgradeprovision" upgradeprovision || failed=`expr $failed + 1`
+testit "upgradeprovision_full" upgradeprovision_full || failed=`expr $failed + 1`
+testit "reindex" reindex || failed=`expr $failed + 1`
+testit_expect_failure "dbcheck" dbcheck || failed=`expr $failed + 1`
+testit_expect_failure "dbcheck_full" dbcheck_full || failed=`expr $failed + 1`
+testit "dbcheck_clean" dbcheck_clean || failed=`expr $failed + 1`
+testit "dbcheck_full_clean" dbcheck_full_clean || failed=`expr $failed + 1`
+testit "dbcheck_full_clean_well_known_acls" dbcheck_full_clean_well_known_acls || failed=`expr $failed + 1`
+testit "referenceprovision" referenceprovision || failed=`expr $failed + 1`
+testit "samba_upgradedns" samba_upgradedns || failed=`expr $failed + 1`
+testit "ldapcmp" ldapcmp || failed=`expr $failed + 1`
+testit "ldapcmp_sd" ldapcmp_sd || failed=`expr $failed + 1`
+testit "ldapcmp_full_sd" ldapcmp_full_sd || failed=`expr $failed + 1`
+
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_full
+remove_directory $PREFIX_ABS/${RELEASE}_upgrade_reference
+
+exit $failed
diff --git a/testprogs/blackbox/wintest/wintest.conf b/testprogs/blackbox/wintest/wintest.conf
new file mode 100644
index 0000000..d140366
--- /dev/null
+++ b/testprogs/blackbox/wintest/wintest.conf
@@ -0,0 +1,7 @@
+#export WINTEST_STARTUP="/tmp/startup client"
+#export WINTEST_SHUTDOWN=/tmp/shutdown client"
+export DOMAIN="client"
+export USERNAME="administrator"
+export PASSWORD="samba"
+export SERVER="192.168.213.161"
+export SHARE="c\$" \ No newline at end of file